01-15 July 2015

Biometrics

US – FBI: Next Generation ID Doesn’t Use Social Media Profile Pics

The FBI has said its new facial-recognition software, dubbed the Next Generation Identification System, does not utilize photographs from social media sites but only “official images like driver’s license photos or mugshots.” The software, which uses biometrics like DNA and fingerprints, has met with criticism, but the agency merely aims to “narrow (suspects) down from essentially a pool of everybody to a smaller, maybe in single digits or a few more than 10, that gives the investigator a place to start,” said FBI Special Agent Patrick Dugan. [CBS Baltimore]

WW – MasterCard Experimenting with Facial Recognition

A new project by MasterCard is testing various biometric identifiers—including fingerprints and facial recognition—for authorizing financial transactions. Users would download the MasterCard app, look into their phone screens and blink once to authorize transactions. “The new generation, which is into selfies … I think they’ll find it cool. They’ll embrace it,” said MasterCard’s Ajay Bhalla, noting data would be securely transmitted to company servers. “From a privacy perspective, it’s awful—from a business perspective, I don’t understand why they’d accept that risk,” said Dragos Security’s Robert M. Lee. Nok Nok Labs’ Phillip Dunkelberger downplayed the concerns. “They’re storing an algorithm, not a picture of you. And I’m sure they’re doing all the appropriate stuff to guard it.” [CNN] Bhalla explained how it works in this video. [Information Week] See also: [How Mark Zuckerberg’s vision for telepathic communication could work]

WW – Churches Using Facial Recognition to Monitor Attendance

Churches are joining the widening group of entities using facial-recognition software to track people. In four months, approximately 30 churches around the world have started using a facial-recognition software called Churchix, according to Moshe Greenshpan, the CEO of Face-Six, which sells the technology. Churchix uses CCTV footage or photos to match churchgoers against a database of high-resolution pictures collected by a church. It can be used to monitor attendance, alert church officials if members stop coming to services or screen for people banned from the church, the report states. [RT]

Big Data

US – Work Group Reports on Big Data’s Potential Harms

Following President Barack Obama’s request that the Department of Health and Human Services look at how to best protect individual privacy while capitalizing on big data, the Health IT Policy Committee’s Privacy and Security Workgroup has come up with preliminary recommendations. The group’s co-chair, Stanley Crosley, presented the recommendations last week. “Patients should not be surprised or harmed by collections, uses or disclosures of their information,” Crosley said. “Nowhere is this more difficult than with big data.” The work group found that while some U.S. laws prohibit discriminatory uses of big data, some uses are actually expressly permitted. [HealthData Management] See also: [When your scale and fridge conspire to make you lose weight, the Internet of Things will have gone too far]

US – Data Mining’s Big Role in the 2016 Election

The 2016 election will be employing data mining in an unprecedented manner. Utilizing data from email-forwarding and social media, “these new methods are like switching from a hand-held Dustbuster to an industrial-strength Shop-Vac to suck that data up, and from a 1984 Macintosh to a 2015 MacPro to crunch it. So it has the potential to make the hair stand up on the napes of privacy-rights activists—and perhaps a lot of average voters,” the report continues. “There’s probably a fine line to walk: If you push it too far, it does look a little like the things that bother people most about the digital world: surveillance and invasion of privacy,” said Grinnell College’s Barbara Trish. [TNS]

Canada

CA – RCMP Quietly Stops Naming Victims, Citing Privacy Act

The RCMP has quietly stopped releasing the names of people who die in car crashes and other tragic accidents across Canada. The police force says it is following the Privacy Act. However, the RCMP will not disclose why it has started enforcing the policy now. In a written statement, an RCMP spokeswoman said there are exemptions under which personal information may be disclosed, including when:

  • The information is already publicly available (Section 69(2)).
  • Disclosure is necessary to further an investigation (Section 8(2)).
  • When in the opinion of the head of the institution, public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure, or disclosure would clearly benefit the individual to whom the information relates (Section 8(2)(m)).

David Fraser, privacy lawyer at McInnes Cooper, said: “There certainly haven’t been any legislative changes that have happened to our privacy laws that would cause this, nor have there been any significant findings from the privacy commissioner or any high-profile circumstances that I can think of that might have brought about this change in policy.” Fraser also doesn’t buy the sudden affection for the law. “Not disclosing the information very likely makes their jobs easier, and not having to ask the next of kin or the family to disclose whether they can disclose this information, it’s one less thing that they have to do. It’s always easier — we see this across government — to just point to the privacy legislation as a reason to not do something … to not provide information to the media.” [CBC]

CA – Secret Deal Between Canada’s Spies and Border Guards Raises Concerns

A secret deal between Canada’s spies and border guards proposed more information sharing and joint operations without the need for political sign-off. A 2014 deal between the Canadian Security Intelligence Service (CSIS) and the Canada Border Services Agency (CBSA) proposed the two agencies be allowed to share information and resources without the prior approval of their political masters. “The Framework (Memorandum of Understanding) will also authorize (CSIS) to enter into more specific arrangements with CBSA, as required, without the necessity to seek your approval each time,” wrote CSIS director Michel Coulombe in a memo explaining the deal to Public Safety Minister Steven Blaney. Blaney’s office won’t say whether or not the deal has been approved. [The Star]

CA – Federal Election 2015: Groups Seek Court Order to Ease New Voter ID Rules

A left-leaning advocacy organization and a national student group will be in Ontario Superior Court hoping to relax voter identification rules for the looming federal election. The court factum prepared by the Council of Canadians and the Canadian Federation of Students argues that tens of thousands or more of eligible voters will be denied a ballot this October due to changes enacted last year by the Conservative government. The groups want the court to issue an interim injunction allowing Elections Canada to recognize as valid ID the voter identification cards that are mailed to everyone on the voters’ list. Some 400,000 Canadians used the voter identification cards in the 2011 election as part of a pilot project that Elections Canada wanted to expand to the whole country. Instead, the Harper government — citing fear of voter fraud — passed a new law that increases the ID requirements of would-be electors while ruling out the use of the Elections Canada mail-outs that tell people where to vote. Critics of the changes, including past and present chief electoral officers from across the country, say the strict ID rules will primarily impact the young, the elderly in care, students who move often, the homeless and natives on reserves — groups that might be less inclined to vote for the governing Conservatives. The court factum states that in some elections, as many as 95% of electors used a driver’s licence to vote. For the estimated 14% of Canadians over age 18 who don’t have a driver’s licence, photo ID that includes a name and home address is almost non-existent. Until 2007, Canadians who were on the list of electors were not required to show ID at the polls, but could simply state their name and address to be provided with a ballot. The Harper government brought in voter ID rules in 2007, then toughened them further with the 2014 Fair Elections Act. It also ended the practice of vouching, in which a voter with ID could attest for the identity and local residence of another elector. A study by former B.C. chief electoral officer Harry Neufeld found that about 120,000 people voted in 2011 after being vouched for, in addition to the 400,000 Canadians who used their voter identification cards as a piece of ID. Neufeld found no evidence of voter fraud. [The Huffington Post]

CA – Canadian Activists Turn to UN with Challenge to Anti-Terror Bill

The Bill increasing powers of spy agency and federal law enforcement has met with accusations it is too broad and infringes on rights to privacy and free speech. Opponents claim the bill is overly broad, lacks sufficient oversight for national security and law enforcement agencies and infringes on a series of rights, including the right to privacy and the right to freedom of speech. [The Guardian]

CA – Senate Report on Terrorism Shows Government’s Lack of Understanding of Muslim Canadians

Last week, a senate report on terrorism suggested the government help train and certify Canadian imams. Imagine the same call aimed at priests or rabbis. [Source]

CA – Anti-Terrorism Laws and Taxes: What’s the Connection?

The increased sharing of confidential taxpayer information is consistent with a trend that continues to develop. For example, the Canadian and U.S. governments entered into an agreement to implement FATCA, which requires Canadian financial institutions, under specified circumstances, to provide account information to the CRA and requires the CRA, under specified circumstances, to in turn provide the information to the IRS. Similarly, in June of this year the Minister of National Revenue issued a news release announcing that she had signed an international Multilateral Competent Authority Agreement, described as “an important step towards implementing the Common Reporting Standard for the automatic exchange of financial account information with other tax jurisdictions.” According to the announcement, the Agreement is part of the government’s commitment to addressing international tax evasion and improving tax compliance. [Source]

CA – Secret Government Mass Surveillance Decried at Montreal Conference

Even though Snowden’s leaked secret documents sparked some changes to surveillance laws and caused outrage around the world, David Lyon (director of the Surveillance Studies Centre at Queen’s University) says the general public still isn’t angry enough because they have bought into the idea that governments need mass surveillance to keep us safe, and because they are so comfortable with the computers we rely on and the cameras that surround us. [Source]

CA – RTBF: BC Supreme Court Denies Injunction to Compel a Search Engine to Remove Search Results Worldwide

Although the Court found that Mr. Niemela may be able to establish that the words were defamatory, he would be unable to satisfy the second and third parts of the injunction test (irreparable harm and balance of convenience). On the basis of the evidence presented, the Court found that Mr. Niemela had not established that he would suffer irreparable harm. First, the Court considered evidence from Google that 90% of searches for Mr. Niemela on its platforms originated from google.ca. The Court noted that many of the searches, both on google.ca and google.com, likely originated from Mr. Niemela himself. Second, the Court found that there were other possible explanations for the decline in Mr. Niemela’s law practice: namely, a prominently displayed disciplinary history with the Law Society. Lastly, the Court was reluctant to make the Order because it could not be complied with: legislation in the United States prevents Google from complying “with an order compelling it to block defamatory search results” because of the possible infringement on the right to free speech. [Source]

CA – Lost Student Loan Data Class-Action Lawsuit Expanded by Court

The Federal Court of Appeal has ordered the expansion of a class-action lawsuit brought by thousands of students after the government lost their personal loan data, and the lawyer representing the students says the decision could have far-reaching implications for other similar cases. A portable hard drive with information on 583,000 Canada Student Loans Program borrowers from 2000 to 2006 went missing in 2013 and has still not been found. A prior decision had limited the avenues the students could pursue, on the grounds that they had failed to prove they actually suffered certain kinds of damage when the data was lost. The appeal court overturned that decision this week, saying that in negligence and breach of confidence matters the specific details of damages do not need to be proven before a class action can go ahead. Lawyer Ted Charney called the decision pioneering because, for the first time, the court has laid down legal markers for certifying class-action lawsuits around privacy breaches. The students are also suing for breach of contract and warranty, and for the tort of intrusion upon seclusion, which is essentially invasion of privacy. The lost files include student names, social insurance numbers, dates of birth, contact information and loan balances, as well as the personal contact information of 250 department employees. Among the cases that could be affected is a lawsuit being brought by users of a medical marijuana program whose identities were exposed in a government mailing. [The Canadian Press via Toronto Star]

CA – Zurich Registers As Lobbyist Amid Data Breach Risk Concerns

In a filing with the Office of the Commissioner of Lobbying of Canada, Zurich Insurance indicated the subjects of its lobbying activity are Bill S-4 (the Digital Privacy Act), Bill C-59 (which implements some provisions of the budget tabled April 21) and Bill C-51 (the Anti-Terrorism Act), with respect to “identifying concerns for information breaches and mitigating such risks.” [Source] Complying with the Digital Privacy Act involves the challenge of keeping and maintaining “a record of every breach of security safeguards involving personal information under its control”, as the law requires. [Viewpoint: Canada’s Digital Privacy Act Receives Royal Assent, but Breach Notification Provisions Lag Behind] [Knowing The Unknowable: The Challenge of Complying with the Digital Privacy Act] See also: [The Digital Privacy Act – part 1: the calm before the storm]

CA – Common Areas of Condos Subject to Privacy Rights: Ontario Top Court

Residents of condominiums have a reasonable expectation of privacy in the common areas of their buildings, Ontario’s top court has ruled. In upholding the acquittal of an accused drug trafficker, White, the Court of Appeal said police had breached his rights by snooping around the stairways, hallways and storage rooms of his 10-unit building without a warrant. “Some limits on police activity are necessary if privacy is to be protected,” the court stated. “The home is entitled to the greatest degree of protection from unreasonable search, and in my view, the police conduct in this case had a serious impact on the respondent’s privacy rights.” In challenging the acquittal, the Crown argued White had no reasonable expectation of privacy in the common areas of his multi-unit building, saying it would be perverse to make such areas a “zone of protection for criminal activity” that would undermine their safety and the quality of residents’ lives. The Appeal Court disagreed. “There is nothing ‘perverse’ about providing a measure of privacy protection to the many Canadians who live in multi-unit dwellings,” the Appeal Court said. [GlobalNews] [The Canadian Press]

CA – Alberta Shredding of Government Documents Resumes After Review

Government staff in Alberta can start shredding documents again following a review into allegations that documents were improperly destroyed after the 44-year-old PC government was swept from office on May 5th. A memo was sent to government departments clearing the way for the resumption of shredding. The ban remains in place for the environment department however. Two months ago all departments were ordered to stop shredding until the new government could assume office. At that time Alberta’s Information and Privacy Commissioner and the province’s Public Interest Commissioner announced they were launching a joint investigation after receiving complaints that documents were improperly destroyed by the province’s department of Environment and Sustainable Resource Development. [CBC News]

CA – Toronto: City’s 311 Hotline Faces a New Challenge: Suicide Calls

Operators at the city-run hotline are used to fielding complaints about garbage pickup or potholes. Now they’re being trained to respond to distress calls from people considering suicide, which are up in the past six months. Gary Yorke, director of 311, attributes the influx to concerns about confidentiality. “In the last few months there has been a dramatic increase of those calls,” says Yorke. “When you call 911, you’re forced to make an official record of (the call) and the police are dispatched. So some people don’t necessarily want that articulated.” [Source]

CA – NL Privacy Commissioner Issues Video Surveillance Guidelines

A new set of guidelines released by the province’s information and privacy commissioner, Ed Ring, has him wondering just how much video surveillance is too much. Ring said the guidelines apply to public bodies and spaces only, but the basic questions are universal. He said that even though more surveillance cameras are being installed at public buildings and in public spaces, there have been no complaints, and that worries him. [CBC News]

Consumer

US – Survey: Millennials More Concerned About PI Loss than Revenge Porn

A MasterCard survey indicates that for 62% of Millennials, the thought of having personal information compromised is more egregious than the thought of naked photos being “leaked online.” “Today’s digital lifestyle means consumer concerns regarding safety and security have moved online,” said Robert Siciliano, an identity theft expert. “Information is the currency of the Millennial generation. It is far more important to them, in many cases, than most physical possessions or an image—even an embarrassing one,” the report continues. However, the same survey found that while information-security concern was high in this age group, 53% of Millennials fail to regularly update their passwords. [Reuters] [The Daily Beast: Are Surveys Asking the Wrong Questions?] SEE ALSO: [Opinion: A New Model for Consent]

WW – Ello Issues ‘Bill of Rights’ for Social Network Privacy and Transparency

Social networking site Ello has released a “Bill of Rights” with 10 articles to “serve as guiding principles for Ello” that the company believes “should extend to other companies.” “These rights would give users the ability to turn off data tracking … allow users to retain full control and ownership of posted content … the option to use a pseudonym and limit what personal information is required … and access to terms and conditions written in simple language,” the report states. “We believe these are the basic rights of every social media user in the world, on every social network,” Ello CEO Paul Budnitz said. [International Business Times] [How to see everyone who’s unfriended you on Facebook (and everywhere else, welp)]

US – DMA: Secretive Brand Use of Consumer Data ‘Unsustainable’

A new report from the Direct Marketing Association (DMA) found brands need to be much clearer with consumers about how and why they collect data if they are to gain consumers’ trust. The report found trust was the most important factor for consumers deciding whether to share their personal information with a brand. Forty percent of respondents said trust outweighed freebies, discounts or tailored offers. While to date brands have been relying on consumers’ tacit understanding of the benefits and drawbacks of handing over their information, the DMA report said this lack of total transparency is unsustainable. “Without trust, brands will not grow,” said DMA CEO Chris Combemale. [Marketing Magazine]

E-Government

UK – Privacy Campaigners Win Concessions in UK Surveillance Report

Privacy campaigners have secured significant concessions in a key report into surveillance by the British security agencies published last week. The 132-page report, A Democratic Licence To Operate, which former deputy prime minister Nick Clegg commissioned last year in the wake of revelations by the US whistleblower Edward Snowden, acknowledges the importance of privacy concerns. The report affirms privacy as a human right and says that there are “inadequacies in both law and oversight that have helped create a credibility gap that has undermined public confidence”. The report proposes that the intelligence services retain the power to collect bulk communications data on the private lives of British citizens, but it also now concedes that privacy must be a consideration throughout the process. The report, written for the Royal United Services Institute (RUSI) by a panel that includes three former heads of UK intelligence agencies, also calls for an overhaul of existing legislation. Despite its concessions to the privacy lobby, the report overall is more favourable to the police and intelligence services than to the campaigners. Key points in the report include:

  • Its claim that the UK intelligence agencies are not knowingly acting illegally, though it leaves open past behaviour.
  • Its proposal that the security services retain the power to collect bulk communications data, one of the key concerns raised by Snowden.
  • Its acknowledgment that privacy concerns should be integral to considerations at the start of bulk data collection rather than left towards the end of the process.
  • Its proposal that judges rather than ministers take responsibility for authorising warrants related to criminal issues but that, subject to judicial review, ministers retain responsibility for warrants related to national security – something the intelligence agencies wanted.

The report concludes: “Despite the disclosures made by Edward Snowden, we have seen no evidence that the British government knowingly acts illegally in intercepting private communications, or that the ability to collect data in bulk is used by the government to provide it with a perpetual window into the private lives of British citizens. “On the other hand, we have seen evidence that the present legal framework authorising the interception of communications is unclear, has not kept pace with developments in communications technology and does not serve either the government or members of the public satisfactorily. A new, comprehensive and clearer legal framework is required.” Clegg, who will be at the RUSI on Tuesday for the formal launch of the report, said: “We are now seeing an emerging consensus in favour of a new settlement, with clearer rules and stronger safeguards. I hope that this report, together with the recent report by David Anderson QC, can provide the basis for a stable new system that protects our security while doing much more to preserve the privacy of ordinary citizens online.” [Theguardian.com]

E-Mail

US – SEC Doesn’t Think Due Process Should Apply to Your Email Inbox

Although there are currently attempts underway in Congress, overwhelmingly supported by a broad bipartisan consensus, to amend ECPA by pushing for uniform search warrant requirements for all email communications, the Securities and Exchange Commission (SEC) has called for an agency-specific exemption that would excuse it from meeting the burden of acquiring a warrant. Instead, as it outlined in a letter to the Senate Judiciary Committee, the SEC has argued that any reforms to ECPA should permit civil agencies to obtain this digital content, without any warrant, from the third-party service providers that host individuals’ email and social media accounts. This request is troubling, especially in light of the impending reform amendments meant to scale back ECPA’s powers. [Source] See also: R Street looks at the history of the Email Privacy Act, which aims to update the U.S. Electronic Communications Privacy Act of 1986. “It is possible email privacy is next on the ‘to-do list.’ There has been chatter on the Hill that the legislation could receive committee and House floor action in July,” the report states. See also: [CA – Porter Airlines Agrees To Pay $150,000 for Alleged Violations of CASL]

Encryption

US – FBI and DOJ Target New Enemy in Crypto Wars: Apple and Google

In some of the latest discussions in the long-running debate about the role default encryption plays in consumer products and the obstacles it presents to law enforcement, FBI Director James Comey and the Justice Department’s Sally Quillian Yates told the Senate Judiciary Committee they’d like Silicon Valley to come up with a solution to the so-called “going dark” problem posed by encrypted technology. [Privacy Tech] What Yates really meant was that she wants companies to stop providing end-to-end encryption, or find ways to circumvent it. Comey and Yates insisted that there must be some new technology that Silicon Valley could develop that would give them the access they want without weakening strong encryption. But privacy and cryptology experts have insisted for years that this is impossible without compromising overall security and opening holes for criminals to exploit. [FirstLook]

WW – Security Experts Oppose Govt Access to Encrypted Communication

An elite group of code makers and code breakers says in a new paper there is no viable technical solution that would allow American and British governments to gain “exceptional access” to encrypted communications without putting the world’s most confidential data and critical infrastructure in danger. The 13 cryptographers, computer scientists and security specialists released the report a day before FBI Director James Comey Jr. and Sally Quillian Yates of the Justice Department are scheduled to testify before the Senate Judiciary Committee on concerns that new encryption technologies will prevent government agencies from monitoring criminals’ communications. [The New York Times] [FBI Director Says Scientists Are Wrong, Pitches Imaginary Solution to Encryption Dilemma]

US – News Site Begins Encrypting for Reader Privacy

The Washington Post began encrypting parts of its website this week, aiming to make it more difficult for hackers, government agencies and others to track readers’ habits, the publication reported on its blog. The added security will immediately apply to the Post’s homepage, stories on its national security page and technology policy blog. The rest of the site will be encrypted over coming months, the report states. “The biggest gain is letting users feel secure,” said Post CIO Shailesh Prakash. The ACLU’s Christopher Soghoian said, “The articles you read paint a picture of your life” and can reveal personal details including sexuality and political interests. [WashPost] [The Washington Post becomes first major news publisher to secure website]

US – MIT’s Bitcoin-Inspired ‘Enigma’ Lets Computers Mine Encrypted Data

Two Bitcoin entrepreneurs and the MIT Media Lab have revealed a prototype for a system called Enigma, which allows data to be encrypted in a way that it “can be shared with a third party and used in computations without it ever being decrypted.” Enigma would allow untrusted computers to “accurately run computations on sensitive data without putting the data at risk of hacker breaches or surveillance,” the report states. “The actual data is never revealed, neither to the outside nor to the computers running the computations inside,” said MIT Media Lab’s Guy Zyskind, one of Enigma’s co-creators. [Wired]
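The principle behind “used in computations without it ever being decrypted” is easiest to see with additive secret sharing, which is one of the building blocks such multi-party computation systems rest on. The block below is an added illustration written for this digest; it is not Enigma’s code and does not reproduce Enigma’s actual protocol (its secret-sharing scheme, node network and blockchain coordination are out of scope). The field modulus, the node count and the sample salary figures are assumptions chosen for the demo.

```python
"""Additive secret sharing: nodes compute a public linear function of private
inputs while each node sees only a uniformly random share of every input.

Added illustration, not Enigma's code. The modulus P, the node count and the
sample inputs are assumptions for the demo.
"""
import secrets

P = (1 << 127) - 1  # prime modulus for share arithmetic (assumption)


def share(value: int, n: int) -> list[int]:
    """Split `value` into n shares. The first n-1 are uniform random field
    elements; the last is fixed so all n sum to `value` mod P. Any n-1 shares
    are therefore statistically independent of the secret."""
    if not 0 <= value < P:
        raise ValueError("value must be a field element in [0, P)")
    shares = [secrets.randbelow(P) for _ in range(n - 1)]
    shares.append((value - sum(shares)) % P)
    return shares


def reconstruct(shares: list[int]) -> int:
    """Only whoever holds *all* shares (or all partial results) can do this."""
    return sum(shares) % P


def node_weighted_sum(column: list[int], weights: list[int]) -> int:
    """The work ONE node does on the shares it holds: a public linear
    combination is applied share by share, so the node never learns a secret.
    (Multiplying two secrets together needs interaction between nodes and is
    not shown here.)"""
    return sum(w * s for w, s in zip(weights, column)) % P


def private_weighted_sum(values: list[int], weights: list[int], n: int):
    """Each data owner shares its value across n nodes; node j receives share j
    of every value, returns one partial result, and the sum of the partials is
    the answer. Returns (result, per-node views) so the views can be inspected."""
    shared = [share(v, n) for v in values]
    node_views = [[shared[i][j] for i in range(len(values))] for j in range(n)]
    partials = [node_weighted_sum(col, weights) for col in node_views]
    return reconstruct(partials), node_views


if __name__ == "__main__":
    salaries = [52_000, 61_000, 48_500]  # constructed sample inputs
    total, views = private_weighted_sum(salaries, [1, 1, 1], n=3)
    print("sum =", total)                # 161500
    print("node 0 sees:", views[0])      # three uniform field elements, not salaries
```

Run it and inspect `views[0]`: the numbers a single node holds are uniform field elements that change on every run, which is what Zyskind’s “never revealed … to the computers running the computations” means in this setting. The caveat a practitioner should keep in mind is that the guarantee only holds while the nodes do not pool their shares; collusion of all share-holders (or an operator who controls them all) recovers every input.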

WW – Study Finds VPNs Exposing Personal Data

Eleven of 14 virtual private network (VPN) providers are exposing personal information through a vulnerability linked to IPv6, according to a study by Queen Mary University of London in the UK. Since the Snowden revelations, VPN providers have seen an increase in users, the report states, with those users often seeking to avoid mass surveillance or to circumvent censorship. “There are a variety of reasons why someone might want to hide their identity online, and it’s worrying that they might be vulnerable despite using a service that is specifically designed to protect them,” said Gareth Tyson, co-author of the study. [v3.co.uk]
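The leak the study documented is a routing problem: the VPN client rewrites the host’s IPv4 default route to point into the tunnel but leaves the native IPv6 default route alone, so any dual-stack destination is reached over IPv6 straight out of the physical interface. The check below is an added example written for this digest, not the study’s code. It parses routing tables in `ip route` / `ip -6 route` text form and reports the leak pattern; the tables are constructed samples and the interface names (`tun0`, `wlan0`) are assumptions.

```python
"""Spot the VPN IPv6 leak pattern: IPv4 default route captured by the tunnel,
IPv6 default route still pointing at the physical interface.

Added example, not the study's code. Input is `ip route` / `ip -6 route` text;
the tables below are constructed samples and tun0/wlan0 are assumed names.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    prefix: str          # "default", "10.8.0.0/24", "2001:db8:1::/64", "203.0.113.5"
    dev: Optional[str]
    metric: int
    blackhole: bool      # unreachable / blackhole / prohibit entries


def parse_routes(text: str) -> list[Route]:
    """Tokenise one `ip route` line per entry; unknown keywords are ignored."""
    routes = []
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        blackhole = toks[0] in ("unreachable", "blackhole", "prohibit")
        if blackhole:
            toks = toks[1:]
        dev = toks[toks.index("dev") + 1] if "dev" in toks else None
        metric = int(toks[toks.index("metric") + 1]) if "metric" in toks else 0
        routes.append(Route(toks[0], dev, metric, blackhole))
    return routes


def egress_interface(routes: list[Route], dest: str) -> Optional[str]:
    """Kernel-style lookup: longest prefix wins, lower metric breaks ties.
    Returns None when nothing matches or the winning route is a blackhole."""
    addr = ipaddress.ip_address(dest)
    best = None
    for r in routes:
        prefix = r.prefix
        if prefix == "default":
            prefix = "::/0" if addr.version == 6 else "0.0.0.0/0"
        net = ipaddress.ip_network(prefix, strict=False)
        if net.version != addr.version or addr not in net:
            continue
        key = (-net.prefixlen, r.metric)
        if best is None or key < best[0]:
            best = (key, r)
    if best is None or best[1].blackhole:
        return None
    return best[1].dev


def check_leak(v4_table: str, v6_table: str, tunnel_dev: str,
               v4_probe: str = "8.8.8.8",
               v6_probe: str = "2001:4860:4860::8888") -> dict:
    """Leak = IPv4 to an arbitrary host goes through the tunnel while IPv6 to an
    arbitrary host still leaves via some other (physical) interface."""
    v4_dev = egress_interface(parse_routes(v4_table), v4_probe)
    v6_dev = egress_interface(parse_routes(v6_table), v6_probe)
    return {
        "ipv4_via_tunnel": v4_dev == tunnel_dev,
        "ipv6_egress": v6_dev,
        "ipv6_leak": v4_dev == tunnel_dev and v6_dev not in (None, tunnel_dev),
    }


# Constructed samples. The IPv4 table shows the usual OpenVPN trick of adding
# 0.0.0.0/1 and 128.0.0.0/1 (which beat the DHCP default by prefix length)
# plus a host route so the VPN server itself is still reached directly.
SAMPLE_V4 = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
203.0.113.5 via 192.168.1.1 dev wlan0
"""
SAMPLE_V6_LEAKING = """\
2001:db8:1::/64 dev wlan0 proto ra metric 600
fe80::/64 dev wlan0 proto kernel metric 256
default via fe80::1 dev wlan0 proto ra metric 600
"""
SAMPLE_V6_FIXED = """\
fe80::/64 dev wlan0 proto kernel metric 256
unreachable default dev lo metric 1024
"""

if __name__ == "__main__":
    print(check_leak(SAMPLE_V4, SAMPLE_V6_LEAKING, "tun0"))  # ipv6_leak True
    print(check_leak(SAMPLE_V4, SAMPLE_V6_FIXED, "tun0"))    # ipv6_leak False
```

On a live machine, feed it the output of `ip route` and `ip -6 route` and the tunnel interface name your client creates. The “fixed” sample shows one acceptable end state: an `unreachable` IPv6 default route, so nothing escapes outside the tunnel; routing an IPv6 default through the tunnel, or disabling IPv6 on the physical interface while connected, are the other two. Note that the check only covers routing; the study also looked at DNS, which this example does not model.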

EU Developments

EU – Passenger Data Retention System Ready for Take-Off, Says Parliament

As the EU moves to implement its airline passenger name record system, critics are concerned about its privacy implications. A European Parliament media release indicates the data is only from flights in and out of the EU and kept “only for the purposes of prevention, detection, investigation and prosecution of terrorist offences and certain types of serious transnational crime.” Parliament’s Civil Liberties, Justice and Home Affairs Committee “quickly dealt with almost 900 amendments … before agreeing to enter negotiations on a final text with the European Commission and the Council of the EU,” the report states. “The Commission has still not produced evidence for the necessity and proportionality of an EU PNR scheme,” said MEP Jan-Philipp Albrecht. [IDG News Service]

EU – Stage Two of GDPR Trilogue Commences; Progress Made

Negotiators involved in the second round of trilogue negotiations to hammer out a finalized General Data Protection Regulation said progress was made. According to the report, a tentative agreement was reached on Article 3 (territorial scope) and Chapter 5 (international data transfers). Exceptions for national security proved to be a sticking point for negotiators this week, but “an avenue is clear for agreement,” sources said. The next trilogue meeting is scheduled for September 1 and may not find as much consensus, the report states. [The Register] [Unraveling the Mysteries of the Trilogues]

EU – Austrian Court Dismisses Facebook Suit; Schrems “Will Go to a Higher Court”

Activist Max Schrems’ suit alleging that Facebook’s “terms of service and data collection policies violate EU law and their consumer rights” was dismissed by Vienna District Court, which cited lack of jurisdiction and a blurring of personal and professional use of the service. “It is clear that the complainant is using the enormous media interest in his case against Facebook … for the sales of his book and his career, even if it was credible that this is a social-societal concern for the complainant,” said Judge Margot Slunsky-Jost. Schrems said he “will go to a higher court … The court is simply passing the hot potato on.” [The Irish Times] [Wall Street Journal]

UK – “Snooper’s Charter” to Move Forward

British Prime Minister David Cameron will officially move forward with anti-terror surveillance legislation, once dubbed the “Snooper’s Charter.” “The question we must ask ourselves is whether … we are content to leave a safe space … for terrorists to communicate with each other,” Cameron said. “My answer is no, we should not be,” he continued. Tech company Ind.ie has pledged to take its business elsewhere. “We’re not going to stay in a country where we might be forced to backdoor our products—and possibly not even be allowed to tell anyone about it,” the company said in a statement. [Politico]

EU – Privacy Advocate, NSA Critic Caspar Bowden Has Died

Privacy advocate Caspar Bowden has died, according to German site Netzpolitik.org. Bowden was well-known in the privacy community as an outspoken activist, concerned about mass government surveillance, even before the Snowden revelations broke. Bowden worked as Microsoft’s chief privacy advisor from 2002 to 2011. Fellow privacy advocate Justin Brookman said “Caspar was a dedicated and brilliant advocate and a deeply caring person. He knew as much about intelligence law as anyone I’ve ever met … He was one of the first to fully recognize just how the rise in cloud processing empowers state surveillance. He spent his life trying to protect individual liberty, and I will miss him.” [The Privacy Advisor] SEE ALSO: [Hustinx Awarded Honorary Degree from University of Edinburgh]

EU – Facebook Questions Use of ‘Right To Be Forgotten’ Ruling

Europe’s emerging country-by-country attitudes toward privacy regulation, as opposed to the “one-stop shop” approach, have Facebook frustrated. “A number of authorities in Europe are using that judgment to challenge the status quo that’s existed for many years,” said Stephen Deadman, global deputy chief privacy officer at Facebook. “We think they’re wrong. We think the model we have is right.” Deadman expressed support for a pan-European “super data regulator” for privacy. “There should be order within Europe and a single regulator that regulates you, not multiple regulators all trying to regulate everything in their own different ways,” Deadman said. The Belgian data protection commission recently sued Facebook over what it sees as a disregard for Belgian citizens’ private lives in terms of the social network’s tracking of users for advertising. Deadman said: “[Facebook] don’t agree that the Irish data protection authority isn’t doing its job. The academic report, which forms the foundation of [the Belgian privacy commission lawsuit], was not conducted by reviewing our practices, there was no interface with us, it was purely done without engagement with us or trying to find out the facts from Facebook.” [The Guardian] See also: [Hong Kong privacy watchdog’s order to remove names from website would create an ‘Orwellian memory hole’, says market analyst]

EU – BBC Anti-RTBF Actions Criticized

The BBC’s displeasure with the right to be forgotten, and its subsequent republishing of 182 of its Google-delisted links, “needs to be viewed with considerable caution,” a Guardian report argues, noting that Google had already found the links to be conduits to “personal information that is inaccurate, irrelevant or out of date and holds no public interest,” and that the site “misleadingly” promoted the links. “It was a deliberate journalistic choice that causes public shame and has not meaningfully contributed in any way to better policy making,” the report states, continuing, “It looks petulant, not constructive. And in some cases, it deceptively withholds crucial details … without also identifying that the original story has been modified simultaneously to remove the complainant’s name. So much for transparency.” [The Guardian]

Facts & Stats

WW – Data Loss Affects Mergers and Acquisitions

In April and May in the U.S. alone, there were almost 2,000 mergers and acquisitions. In the Asia-Pacific region, mergers and acquisitions totaled $367.7 billion in the first half of 2015, and during the same period, activity increased by 37% in Europe. Data loss incidents at organizations can significantly change the value of an acquisition target. For example, a cybersecurity incident could mean a target’s intellectual property is no longer theirs alone. “Once a breach occurs, competitors could already have the most valuable data and it could impact the value of acquiring the company,” the report states. [FireEye] SEE ALSO: In this Privacy Tracker exclusive, IAPP Westin Research Fellow Arielle Brown examines the wholesale transfer of consumer data in the context of corporate mergers, acquisitions and bankruptcy transactions and the “all-encompassing privacy policy” in the context of Section 5 of the FTC Act.

US – AAM Creating Smart Car Data-Sharing Center

The Alliance of Automobile Manufacturers (AAM) has announced it is creating an information-sharing and analysis center (ISAC) as a hub for car companies developing smart cars to “swap cybersecurity data and keep each other abreast of the latest hacking threats targeting vehicles.” The AAM, which is made up of 12 manufacturers, hopes to “further enhance the industry’s ongoing efforts to safeguard vehicle electronic systems and networks,” said AAM Vice President of Safety Robert Strassburger. The ISAC is expected to open later this year, with governmental protection to “facilitate cybersecurity information sharing,” Strassburger added. [Fortune]

Filtering

UK – BBC “Forgotten” List ‘Sets Precedent’; List of Removed Links to Be Published Every Month

David Jordan, the BBC’s head of editorial policy, said “It’s impossible to have a meaningful debate if you’ve not got an idea about what’s being de-listed.” He said that while it was up to individual media organisations to decide how best to be transparent with audiences over what has been removed, he felt the BBC had taken the lead “without being provocative”. He denied the suggestion that publishing the links was bringing more attention to those who had wanted to be forgotten. “It doesn’t make [the stories] more findable for anybody looking for a name,” he said. “What it does is give a sense of and a flavour of what kind of material is being delisted. That’s important.” [BBC]

Finance

US – Rand Paul Sues IRS Over Foreign Account Taxes, Disclosures

“On the most fundamental level, FATCA deprives individuals of the right to the privacy of their financial affairs,” according to the complaint. “On a practical level, FATCA is severely impinging on the ability of U.S. citizens to live and work abroad.” …The intergovernmental accords implementing FATCA, which didn’t get congressional approval, are unconstitutional because they exceed the president’s authority, Paul claims. He asked a judge to strike down the Canadian, Czech, Israeli and Swiss agreements. [Bloomberg] [Rand Paul Suit Blasts Foreign Banking Rules]

FOI

CA – New Canadian Telecom Transparency Rules Fall Short

Industry Canada has released new transparency reporting guidelines “to help private organizations be open with their customers, regarding the management and sharing of their personal information with government, while respecting the work of law enforcement, national security agencies, and regulatory authorities.” While the Privacy Commissioner of Canada lauded their release, the guidelines raise several significant concerns.

First, for rules purporting to enhance transparency, their development was surprisingly secretive. The Privacy Commissioner states that they were developed in consultation with the government and “industry stakeholders”, yet the public and privacy groups appear to have been excluded from the process. Given the importance of guidelines that are fundamentally about the rights of the public to know when their personal information is being disclosed, a secretive, exclusionary process badly taints the final result.

Second, the guidelines effectively create new limitations on transparency where previously none existed. For example, TekSavvy’s transparency report provides specific aggregated numbers of disclosures (e.g. 52 requests for data on customer usage of devices in 2012 and 2013). The government guidelines prohibit specific disclosures where the number is less than 100, requiring companies to instead present a range of 0 – 100. The result is less transparency, not more. Moreover, the guidelines prohibit regional information (it must be Canada-wide) and require that release be delayed by at least six months from the time of the original request.

Third, the limits on transparency come without an appropriate regulatory or legal process. The government could have addressed the issue of transparency reporting within the Digital Privacy Act, which recently received royal assent. Indeed, the issue was repeatedly discussed during committee hearings. Yet by adopting a closed-door, non-transparent approach, the government has pushed new limitations on Internet and telecom companies without the opportunity for public comment or debate.

Fourth, disclosure under the guidelines is not mandated as the government has been careful to note that disclosure is merely an option. However, the law requires organizations to be open about their privacy practices, which arguably would include transparency reporting on personal information requests and disclosures. Further, individuals are entitled to demand that companies provide access to their information file, including details on how their personal information is used and whether it has been disclosed. By emphasizing the voluntary nature of the guidelines and declining to establish a clear legal requirement, the government may have actually weakened corporate transparency obligations. [Source]

US – New Federal Government App Solves the Wrong FOIA Problems, Poorly

The Department of Homeland Security (DHS) released its Freedom of Information Act (FOIA)-related mobile app to provide users with the ability to submit FOIA requests, check the status of requests and access resources. DHS said the app has reduced the FOIA complaint backlog by 20 percent. In its announcement of the app, DHS said it “is committed to transparency and accountability,” adding that the app aims to help modernize FOIA processes and “improve the customer experience.” Privacy protections in the app, however, make it more difficult to use. “On the one hand, in minimizing data collection from the app, the DHS Privacy Office is doing something laudable. On the other, it makes using it much more onerous,” the report states. [The Huffington Post]

Health / Medical

US – DHHS Settles With Hospital Over HIPAA Violation

After an information-sharing incident gone awry and a data breach, St. Elizabeth’s Medical Center faces a $218,400 settlement with the Department of Health and Human Services (DHHS) for failing to comply with the Health Insurance Portability and Accountability Act (HIPAA). “Organizations must pay particular attention to HIPAA’s requirements when using Internet-based document sharing applications,” said DHHS Office for Civil Rights Director Jocelyn Samuels, adding, “In order to reduce potential risks … all workforce members must follow all policies and procedures.” A hospital spokesperson said, “St. Elizabeth’s has taken steps to ensure this will not happen again.” [The Boston Globe]

US – NFL Player’s Medical Records Go Public

ESPN’s Adam Schefter tweeted a photo of the New York Giants’ Jason Pierre-Paul’s medical records indicating he had a finger amputated after a July 4 accident, and critics of the move are calling it a Health Insurance Portability and Accountability Act (HIPAA) violation. ESPN disagreed, tweeting in response, “HIPAA does not apply to news organizations.” The report states, “HIPAA originally was designed to provide workers access to health coverage when they change or lose jobs. But a key provision of the law defines policies designed to guard the privacy of patients.” [MarketWatch] [Modern age leaves little room for athletes’ privacy]

US – Project Using Apple Watch for Remote Health Monitoring

Nebraska Medicine’s mHealth technology research project is using Apple Watch and related apps to study “the impact of remote health monitoring of chronically ill patients.” The $10 million project uses an Apple Watch-based app that allows patients and physicians to communicate and access data like test results and appointment information. “We want to push the envelope, but we want to do it in a way that is very, very safe, so we haven’t turned on every feature and we haven’t enabled every device to communicate with our electronic medical record,” said Chief Transformation Officer Michael Ash. “We are looking at each area, each app and even each vendor to make sure they are meeting HIPAA requirements and that they are demonstrating the ability to securely transmit their information back and forth.” [FierceMobile Healthcare]

CA – Govt. Prosecutes Health Workers for Snooping into Rob Ford’s Medical Records

Three Toronto hospital workers face prosecution for snooping into former Toronto Mayor Rob Ford’s medical records at the Princess Margaret Cancer Centre. If they are convicted, it would be the first successful health privacy prosecution in Ontario’s history. Information and Privacy Commissioner Brian Beamish said he could not comment on the prosecution because it was now before the courts. [Source] SEE ALSO: [CA – IPC Blog: Disclosing Disciplinary Action]

Horror Stories

US – Second OPM Breach Hits 21.5 Million; Director Resigns

In the biggest theft of U.S. government records in the nation’s history, the Office of Personnel Management (OPM) announced that the sensitive information of 21.5 million individuals was compromised in the second major hack of its IT systems this year. In the wake of the announcement, and after several calls for her resignation, OPM Director Katherine Archuleta resigned this week. Privacy Tech reports on the latest OPM announcement, Archuleta’s resignation, reaction from Capitol Hill and what the Obama administration is doing to help strengthen the country’s cyber-infrastructure. [Forbes] [ArsTechnica] [Source] [GovExec: Acting OPM Director Promises Better Breach Response] [Officials: OPM Has Yet To Notify 21.5 Million Affected By Breach] [NTEU Sues OPM Over Breach] [Union Files Class-Action Against OPM] SEE ALSO [Should Sony Have Seen It Coming?] [Brian Krebs: OPM Breach Timeline and Analysis] [Analysis: Why the OPM Breach Is So Bad]

US – St. Elizabeth’s to Pay $218,000 to Settle Privacy Charges

St. Elizabeth’s Medical Center will pay $218,400 in a settlement with the federal government for failing to comply with rules to safeguard private patient information. The Brighton hospital, owned by Steward Health Care System, also must adopt a “robust corrective action plan” to comply with federal laws in the future, the US Department of Health and Human Services said in a statement. The settlement concerns violations of HIPAA. It comes after federal regulators investigated a 2012 complaint that employees at St. Elizabeth’s used an Internet-based document sharing program to store health information of at least 498 patients. In August 2014, St. Elizabeth’s also reported a data breach involving information about 595 patients on a former employee’s personal laptop and flash drive. [bostonglobe.com] See also: [50 Cent must pay $5M to woman who sued over sex tape]

US – 25-Year-Old Sentenced to 13 Years in Court Ventures Breach

A Vietnamese man has been sentenced to 13 years in prison for his role in a breach involving 200 million personal records from Court Ventures, a subsidiary of credit-monitoring firm Experian. The Department of Justice said Hieu Minh Ngo, 25, was sentenced this week in the U.S. District Court of New Hampshire on charges including wire fraud and identity fraud. Ngo “tricked Court Ventures into giving him access to a personal records database by posing as a private investigator from Singapore,” the report states. Ngo was arrested in Guam in 2013 and had been selling personal information, including credit card numbers and Social Security numbers, since 2007. [IDG News Service]

US – Army National Guard Breached

Officials from the Army National Guard announced that current and former members’ private information might have been compromised in a breach that is unrelated to the Office of Personnel Management hack. “All current and former Army National Guard members since 2004 could be affected by this breach,” said National Guard Bureau Spokesman Maj. Earl Brown, noting files that contained personal information were “inadvertently transferred to a non-DoD-accredited data center by a contract employee.” He added the incident involved members’ names, Social Security numbers, dates of birth and home addresses. “After investigating the circumstances of these actions, and the information that was transferred, the Guard has determined, out of an abundance of caution, to inform current and past Guard personnel,” he noted. [Source]

US – Hospital Investigating Potential Leak of NFL Player’s Records

A Florida hospital has announced it will investigate the possible leak of a National Football League player’s medical record after it was tweeted out by an ESPN anchor. The anchor tweeted out a photo of the New York Giants’ Jason Pierre-Paul’s medical record after he had a finger amputated following a fireworks accident. Some media outlets said the records were leaked by an employee at Miami-based Jackson Memorial Hospital. Hospital CEO Carlos Migoya said the hospital has initiated an “aggressive internal investigation” into the allegations. “We do not tolerate violations of this kind,” he said. [Modern Healthcare]

US – Harvard University Acknowledges Breach

Harvard University says that the Faculty of Arts and Sciences and Central Information networks were breached and that system and email login credentials may have been compromised. The intrusion was discovered in mid-June, but the school chose to wait until mitigation work had begun before disclosing the incident. [SC Magazine] [The Register] [DarkReading]

US – Trump Hotel Properties Investigating Reports of Breach

A breach of the systems at Trump Hotel Properties has compromised payment card information. The breach was detected when a pattern of fraudulent transactions was traced to cards that had been used at the hotels. The attack may have begun in February 2015. The company has acknowledged the incident and says it is investigating. [Krebs] [BBC] [TheRegister]

US – Telecom Companies Fined for Poor Customer Data Security

Two US telecommunications companies will pay a combined US $3.5 million to resolve a Federal Communications Commission (FCC) investigation that found the companies stored customer data on servers that were unprotected and accessible from the Internet. The issue affects more than 300,000 customers of TerraCom and YourTel America. [ComputerWorld] [FCC.gov]

CA – Four Canadian Firms Hit by Criminal Group, Says Symantec

A criminal group has been systematically targeting large corporations — including four Canadian organizations — over the past three years to steal confidential information and intellectual property, warns Symantec. The security vendor said the group, which it has dubbed Butterfly, has hit 49 organizations in more than 20 countries including Twitter, Facebook, Apple, Microsoft and firms in the pharmaceutical, legal and oil and precious metals sectors. More details on the group are in this Symantec report. [IT World Canada] See also: [Walmart Canada Looks Into Possible Credit Card Data Breach] [Govt. Prosecutes Health Workers for Snooping Into Rob Ford’s Medical Records] [Small Canadian Gold Firm Suffers Computer Hack] [Hacking Team hacked: firm sold spying tools to repressive regimes, documents claim] [CBC News: Walmart Canada Shuts Online Photo Store After Possible Data Breach]

Identity Issues

WW – Surveys: Consumers Want Innovative Authentication

Two new surveys indicate consumer attraction to more sophisticated and innovative approaches to their online privacy beyond usernames and passwords. ZDNet reports on Accenture’s Digital Trust in the IoT Era survey, which indicates “77% of digital consumers would be interested in alternatives to usernames and passwords,” while “60% of the 24,000 respondents across 24 countries believe usernames and passwords are cumbersome to use.” And the 2015 State of Consumer Privacy & Personalization, conducted by OnePoll and Gigya, found “consumers demanding increased privacy and personalization are now opening up to the idea of using more advanced authentication methods, like biometrics and payment providers like PayPal and Amazon.” [ZDNet]

WW – Start-Up Launches Campaign to Boost Two-Factor Authentication

In June, mobile identity company TeleSign commissioned a study on consumers’ concerns about online security and their exposure to breaches. It found that, amidst increasing breach reports, 80% of consumers are worried about their online security and 40% have experienced a security incident within the past year. It also found, however, that 73% of online accounts use duplicated passwords and more than half of consumers use five or fewer passwords across their entire online life. Given statistics like those, TeleSign has launched a campaign aimed at educating consumers on what it says is the future of mobile identity: two-factor authentication. [Source] [US – Is the SSN a De Facto National ID?]

WW – Bevy of Surveys Indicate Data Protection Woes

An Online Trust Alliance (OTA) survey of 1,000 company sites indicates 46% “were found vulnerable to known online security threats,” finding a specific trend of weakness in Internet of Things sites. These results come on the heels of an additional SANS Institute report suggesting, “Financial services organizations are still being breached too often, most frequently by those with insider access,” with 46% of respondents citing “abuse or misuse by internal employees or contractors.” In South Africa, Check Point Software Technologies’ Security Report found, “Mobile devices are the weak link in a company’s security chain,” and Romania’s Business Review reports that privacy pros now believe there isn’t a “one-size fits all” approach to security. [ITProPortal]

US – Parents Concerned About Data Collection

A survey from The Learning Curve indicates that while 75% of parents feel technology has enriched education, 79% are uneasy about the security of the data said technology gathers. “The fear is that the multibillion-dollar education technology industry that seeks to individualize learning and reduce dropout rates could also pose a threat to privacy, as a rush to commercialize student data could leave children tagged for life with indicators based on their childhood performance,” the report continues. “Technology has tremendous potential to improve the lives of students and teachers. But none of it will come to pass if we don’t set higher standards for student data security,” said Clever CEO Tyler Bosmeny. [The Intercept]

UK – The Verify Identity Scheme Puts Privacy Considerations Front and Centre

Conventional identity schemes, such as those that issue official “identity cards”, utilise data from official government databases to provide proof of the identity of an individual, ideally with a very high level of assurance. These databases in turn rely on data from civil registration systems (births, marriages, deaths), perhaps cross-referenced against other official records (voter lists, driver licences, tax records etc.). Such large databases of identity data are at risk of being hacked, as are databases containing key biographical information that can be used for identity verification purposes, such as the data collected when applying for US government jobs that require security clearance. Additionally, these databases can help enable a surveillance state.

The GOV.UK Verify service approaches identity policy very differently, drawing on the specific capabilities of the technology. Rather than focusing on maintaining a gold standard of identity data in a centralised database that provides a single digital identity, it takes a risk-based perspective on the whole identity transaction: it draws on a broad range of (public and private) identity-related data, assesses the quality of the validation and verification processes applied to that data, and processes the data in a way that minimises privacy risks, although not necessarily perfectly.

A series of certified identity providers work with Verify to provide the verification services that enable access to government services. Verification with an identity provider is a one-time activity. Once an individual has a verified identity, they can use it to access any government service linked to Verify. During the verification process, each identity provider draws on its own set of data sources to determine whether it has confidence in the identity claims made by the individual. The data sources cover evidence categories related to being a Citizen, Money and Living, and can come from both public and private sources. Whilst no single piece of evidence is considered proof of identity, when combined with other pieces of evidence (particularly from different categories) they can be used to determine a level of assurance as to the identity of an individual. Once a certain level of assurance is reached, the identity is verified and the individual can, for example, file their tax return. Some government services (e.g. tax credits) require a lower level of assurance than filing tax returns, and the Verify service has recently completed a trial of a basic identity account that provides this lower level of assurance.

The Verify service emerged from the 2010 coalition government as a response to concerns about the surveillance state. It includes various privacy-enhancing mechanisms, including data minimisation. For example, the verification process does not require identity providers to store details of an individual’s passport. Instead, all they need to store is whether, at the time of verification, the individual’s passport was valid.

To ensure that these privacy principles are being followed in the design and operation of Verify, the Cabinet Office Privacy and Consumer Advisory Group (PCAG) has published a series of Identity Assurance Principles that guide the operation of the Verify service. These nine principles place the user at the centre of identity assurance activities (“I can exercise control over identity assurance activities affecting me and these can only take place if I consent or approve them”) and explicitly discuss data minimisation (“My interactions only use the minimum data necessary to meet my needs”) and the multiplicity of identity providers (“I can use and choose as many different identifiers or identity providers as I want to”), as well as explicitly considering consumer options for dispute resolution (“If I have a dispute, I can go to an independent Third Party for a resolution”). The Verify service is currently a beta service.
[LSE (London School of Economics and Political Science)]
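The following Python is an added illustration of the two design points made above: that no single piece of evidence proves identity and an assurance level is reached only by combining evidence across categories, and that the identity provider retains the outcome of checking a document (valid or not at verification time) rather than the document itself. It is example code written for this digest, not GOV.UK Verify’s own software, which the article does not show. The Citizen, Money and Living categories come from the text; the 1–4 strength scale, the point threshold, the two assurance levels and the sample evidence are all assumptions constructed for the example.

```python
"""Toy model of evidence-based identity assurance with a minimised record.

Example code for this digest, not GOV.UK Verify's implementation. The scoring
rules below (strength scale, thresholds, levels) are assumptions chosen to
illustrate the approach, not the published GOV.UK rules.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Evidence categories named in the article.
CATEGORIES = {"citizen", "money", "living"}

# Assumed thresholds for the example only.
LEVEL_2_MIN_CATEGORIES = 2   # evidence must come from at least two categories
LEVEL_2_MIN_POINTS = 5       # summed strength of validated evidence


@dataclass(frozen=True)
class Evidence:
    category: str              # one of CATEGORIES
    kind: str                  # e.g. "passport", "bank_account", "utility_bill"
    strength: int              # assumed 1 (weak) .. 4 (strong) scale
    validated: bool            # provider confirmed it with the issuing source
    details: Dict[str, str] = field(default_factory=dict)  # raw document data


def assurance_level(evidence: List[Evidence]) -> int:
    """Return 0 (unverified), 1 (basic account) or 2 (full, e.g. tax return).

    Only evidence the provider actually validated counts. A single validated
    item never reaches level 2 on its own, however strong: level 2 requires
    validated evidence from at least two categories and enough total strength.
    """
    validated = [e for e in evidence if e.validated and e.category in CATEGORIES]
    if not validated:
        return 0
    categories = {e.category for e in validated}
    points = sum(e.strength for e in validated)
    if len(categories) >= LEVEL_2_MIN_CATEGORIES and points >= LEVEL_2_MIN_POINTS:
        return 2
    return 1


def minimised_record(evidence: List[Evidence], provider: str,
                     verified_at: Optional[str] = None) -> dict:
    """Build what the identity provider keeps after verification.

    Per item it records only the category, the kind of document and whether it
    was valid at verification time. The raw details (passport number, account
    number, address) are deliberately not copied into the record.
    """
    return {
        "provider": provider,
        "level": assurance_level(evidence),
        "verified_at": verified_at,
        "evidence": [
            {"category": e.category, "kind": e.kind, "valid_at_verification": e.validated}
            for e in evidence
        ],
    }


def record_leaks_details(record: dict, evidence: List[Evidence]) -> bool:
    """Check that no raw document value from the evidence appears in the record."""
    blob = repr(record)
    return any(value in blob for e in evidence for value in e.details.values())


def service_allows(level_required: int, record: dict) -> bool:
    """A relying service compares its required level with the stored one."""
    return record["level"] >= level_required


# Constructed sample evidence (made-up values, not real documents).
PASSPORT = Evidence("citizen", "passport", 4, True, {"number": "123456789"})
BANK = Evidence("money", "bank_account", 2, True, {"account": "55554444"})
BILL_UNCHECKED = Evidence("living", "utility_bill", 1, False, {"address": "1 Example St"})
BILL_CHECKED = Evidence("living", "utility_bill", 1, True, {"address": "1 Example St"})

SAMPLE_FULL = [PASSPORT, BANK, BILL_UNCHECKED]        # two categories validated, 6 points
SAMPLE_PASSPORT_ONLY = [PASSPORT]                     # strong, but a single category
SAMPLE_WEAK_TWO_CATEGORIES = [BANK, BILL_CHECKED]     # two categories, only 3 points

if __name__ == "__main__":
    rec = minimised_record(SAMPLE_FULL, "example-idp", "2015-07-15T00:00:00Z")
    print("level:", rec["level"], "tax return allowed:", service_allows(2, rec))
    print("leaks document details:", record_leaks_details(rec, SAMPLE_FULL))
```

The point of the `record_leaks_details` check is that data minimisation is a property you can test for: if the stored record ever contains a passport number or account number, the provider has kept more than the “valid at verification” fact the scheme requires.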

Intellectual Property

WW – Chorus Against ICANN Anti-Piracy Proposal Grows

There is growing opposition from women’s rights and privacy advocacy groups to an Internet Corporation for Assigned Names and Numbers (ICANN) proposal aimed at combating online piracy. A coalition—including celebrities and academics—sent ICANN a letter protesting the proposal that would require website operators to reveal users’ personal information. The letter argues the move will “physically endanger many domain owners and disproportionately impact those who come from marginalized communities.” Breakthrough VP for Communications Lynn Harris, a signatory of the letter, said, “I don’t want my personal information out there,” adding, “(This is) kind of like being doxxed by ICANN. I know the intent is not malicious, but a lot of people are sadly forced to work hard to keep their personal information private.” [BuzzFeed News]

US – IAPP Announces PLSC Winners

This year’s Privacy Law Scholars Conference featured some of the leading thinking in the field, and yet again the IAPP was proud to award $2,500 and a speaking role to those two papers voted as the best of the best. After a couple of years featuring co-written papers, this year we’ve awarded two single authors for work that on the one hand looks back at the history of the Social Security number and on the other offers a path toward a new and better form of consumer-protection regulation. [Full Story]

Internet / WWW

WW – Do Not Track 2.0 Working Draft Standard Published

The World Wide Web Consortium (W3C) has released a “Last Call Working Draft” for a proposed do-not-track (DNT) compliance standard. The road travelled by DNT has been a long and at times contentious one, but W3C Tracking Protection Group Co-Chair Justin Brookman says “the technical mechanism will soon be certified for widespread implementation.” [Privacy Perspectives] See also: [The city of Oakland, CA, has moved to pass legislation that specifies how law enforcement purchases surveillance equipment]

WW – UN to Appoint Special Rapporteur for Privacy

The United Nations Human Rights Council (HRC) will announce its appointment of a special rapporteur on the right to privacy. President of the Human Rights Council Joachim Ruecker announced that the HRC’s Consultative Group ranked Katrin Nyman-Metcalf of Estonia first, though “concerns were raised as to whether she was the best qualified candidate for this specific position.” As such, Ruecker recommends for the job the Consultative Group’s second-ranked pick, Joseph Cannataci of Malta, “who has long-standing experience in the field of human rights.” A total of 30 candidates applied, including former German Data Protection Commissioner Peter Schaar and Dutch DPA Chairman Jacob Kohnstamm. [Full Story]

WW – Top Choice Blocked For U.N. Digital Privacy Investigator Post

Katrin Nyman-Metcalf was the candidate ranked first by a “consultative group” of five ambassadors – from Poland, Chile, Greece and Algeria, chaired by Saudi Arabia. But when it came to approving her appointment, Joachim Ruecker said he was over-ruling their choice and proposing the second-ranked candidate instead, Malta’s Joseph Cannataci. Nyman-Metcalf said …Ruecker had told her that civil society groups felt she was not “activist” enough. “It seemed in this criticism that he had received about me, these people who criticized me wanted somebody to wave a flag for (former U.S. security contractor Edward) Snowden,” she said. Nyman-Metcalf said she also found it bizarre that she had been criticized for saying there was no such thing as total privacy. [Reuters] [WW – Estonian blocked as UN’s first digital privacy investigator] [Slate: The U.N.’s New Digital Privacy Investigator Should Have Been Estonian]

WW – UAE Heads Global ‘Internet of Things’ Expert Group

The UAE was elected as the head of a new research committee for the Internet of Things (IoT) that was formed during a recent meeting of the International Telecommunication Union (ITU) in Geneva. The group’s focus is on applying the Internet of Things to smart cities and communities in order to meet the need for standardization of IoT technologies. This will be achieved by creating a single platform combining engineers and experts from industry, telecom operators, ITU Member States and concerned organizations, to exchange views, examine the challenges and solutions, and come up with recommendations and unified global standards in this field. [TradeArabia News Service]

US – Lawmakers Want Internet Sites to Flag ‘Terrorist Activity’

Social media sites such as Twitter and YouTube would be required to report videos and other content posted by suspected terrorists to federal authorities under legislation approved this past week by the Senate Intelligence Committee. The measure, contained in the 2016 intelligence authorization, which still has to be voted on by the full Senate, is an effort to help intelligence and law enforcement officials detect threats from the Islamic State and other terrorist groups. It would not require companies to monitor their sites if they do not already do so, said a committee aide, who requested anonymity because the bill has not yet been filed. The measure applies to “electronic communication service providers,” which includes e-mail services such as Google and Yahoo. Companies such as Twitter have recently stepped up efforts to remove terrorist content in response to growing concerns that they have not done enough to stem the propaganda. Twitter removed 10,000 accounts over a two-day period in April. The bill, passed in a closed session Wednesday, is modeled after a federal law — the 2008 Protect Our Children Act — that requires online firms to report images of child pornography and to provide information identifying who uploaded the images to the National Center for Missing and Exploited Children. The center then forwards the information to the FBI or appropriate law enforcement agency. Google, Facebook and Twitter declined to comment on the measure, but industry officials privately called it a bad idea. “Asking Internet companies to proactively monitor people’s posts and messages would be the same thing as asking your telephone company to monitor and log all your phone calls, text messages, all your Internet browsing, all the sites you visit,” said one official, who spoke on the condition of anonymity because the provision is not yet public. “Considering the vast majority of people on these sites are not doing anything wrong, this type of monitoring would be considered by many to be an invasion of privacy. It would also be technically difficult.” [The Washington Post]

WW – Pinterest Updating Privacy Policy to Match Changes

Pinterest is revising its privacy policy to coincide with its move to include “buyable pins” and personalized “Promoted Pins” based on users’ activity. The site has indicated it plans to store credit card information, explaining, “We’ll save this info so you don’t have to type it in next time you make a purchase. We’ll also share this info with the seller, and they’ll treat it as if you bought from their website directly.” Pinterest said of its Promoted Pins that it hopes they will be “more relevant and useful to Pinners” and that it would include an opt-out function should users decide they are not interested in promoted material. [eCommerce Bytes]

WW – Powerful Coalition Letter Highlights Danger of ICANN’s New Domain Registration Proposal

Even without the ban on privacy for “commercial” websites, the proposal creates serious privacy problems for website owners. Accusations of copyright and trademark infringement are easy to make and easy to abuse, and the working group proposal doesn’t impose any consequences for false or abusive accusations. [EFF] [Google Hates ICANN’s Attempt to Eliminate Whois Privacy, Calling it “Impractical & Ineffective”] SEE also: [WW – Internet Runs out of New Addresses] and [Is IoT going to be squashed because of privacy concerns?] and [Internet of cars goes beyond self-driving vehicles]

Law Enforcement

CA – Halt to Warrantless Disclosures Not Hindering RCMP, Say Documents

An internal RCMP survey conducted months after the Supreme Court limited the police’s ability to access personal information without a warrant says the ruling has had no “significant negative effects” on operations. According to the documents, there is a general sentiment within the force that the court’s decision, known as Spencer, would cause investigative delays. But only 18% of Mounties responding to the survey said they had any difficulty obtaining a production order for sensitive information they previously got informally. “It appears that the biggest shift is that law enforcement is no longer able to rely on voluntary enforcement requests, and that the process of drafting and obtaining a production order or other judicial authorization is more time-consuming and rigorous,” reads the internal report, obtained by the Star under access to information law. The report also notes that while the number of warrantless requests has dropped sharply, there has been only a slight increase in production orders. The RCMP survey was conducted two months after the Spencer decision, and the report warns that the full impact will be known only in the coming years. The report recommends the RCMP begin to track data related to informal law enforcement requests for information, and how many production orders are sought by each division. Up to now, that data has not been tracked, which has led Privacy Commissioner Daniel Therrien’s office to conclude they could not investigate the RCMP’s use of warrantless requests. [Toronto Star]

Location

WW – Google Unveils New Suite of Beacon Products and Services

Google introduced several new products around Bluetooth Low Energy beacons that include an open beacon format, tools and APIs for building services on top of beacons. Google also unveiled a new service for developers looking to manage and monitor large beacon deployments. The so-called cornerstone of the new set of products is called the Eddystone format. Released on Github, the new format provides developers with a “more robust and extensible way” for working with beacons, the report states, noting the releases from Google allow it to compete with Apple iBeacon technology. [TechCrunch]
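The security-relevant point about an open beacon format is that a beacon advertisement is an unauthenticated broadcast: anything that can transmit on 2.4 GHz can send a frame claiming any namespace or URL, so an app must parse the frame strictly and treat its contents as untrusted input. The decoder below is an added example written for this digest, not code from Google's Eddystone repository; it follows the published UID and URL frame layouts (frame-type byte, signed TX power, then either a 10-byte namespace plus 6-byte instance, or a scheme-prefix byte plus a compressed URL). The sample frames, the cookie of allowed hosts and the function names are constructed for illustration.

```python
"""Decode Eddystone-UID and Eddystone-URL frames from a BLE advertisement's
service-data payload. Sample frames are constructed; no radio is needed."""
import struct
from urllib.parse import urlparse

EDDYSTONE_SERVICE_UUID = 0xFEAA   # 16-bit service UUID the advertisement carries

# Frame-type byte values from the Eddystone specification.
FRAME_UID = 0x00
FRAME_URL = 0x10

# Eddystone-URL scheme-prefix byte and in-URL expansion bytes.
URL_SCHEMES = {0x00: "http://www.", 0x01: "https://www.", 0x02: "http://", 0x03: "https://"}
URL_EXPANSIONS = {
    0x00: ".com/", 0x01: ".org/", 0x02: ".edu/", 0x03: ".net/", 0x04: ".info/",
    0x05: ".biz/", 0x06: ".gov/", 0x07: ".com", 0x08: ".org", 0x09: ".edu",
    0x0A: ".net", 0x0B: ".info", 0x0C: ".biz", 0x0D: ".gov",
}


def decode_frame(data: bytes) -> dict:
    """Parse one Eddystone service-data payload. Raises ValueError on malformed input."""
    if len(data) < 2:
        raise ValueError("frame too short")
    frame_type = data[0]
    tx_power = struct.unpack("b", data[1:2])[0]   # signed dBm measured at 0 m
    if frame_type == FRAME_UID:
        if len(data) < 18:   # type, tx power, 10-byte namespace, 6-byte instance (RFU optional)
            raise ValueError("UID frame too short")
        return {"type": "uid", "tx_power": tx_power,
                "namespace": data[2:12].hex(), "instance": data[12:18].hex()}
    if frame_type == FRAME_URL:
        if len(data) < 3:
            raise ValueError("URL frame too short")
        scheme = URL_SCHEMES.get(data[2])
        if scheme is None:
            raise ValueError("unknown URL scheme prefix 0x%02x" % data[2])
        url = scheme
        for b in data[3:]:
            if b in URL_EXPANSIONS:
                url += URL_EXPANSIONS[b]
            elif 0x21 <= b <= 0x7E:       # printable ASCII; 0x0E-0x20 and 0x7F-0xFF are reserved
                url += chr(b)
            else:
                raise ValueError("reserved byte 0x%02x in URL" % b)
        return {"type": "url", "tx_power": tx_power, "url": url}
    raise ValueError("unsupported frame type 0x%02x" % frame_type)


def is_trusted_url(url: str, allowed_hosts: set) -> bool:
    """Frames are unauthenticated: only act on https URLs for hosts you operate."""
    p = urlparse(url)
    return p.scheme == "https" and p.hostname is not None and p.hostname.lower() in allowed_hosts


# Constructed sample frames (hypothetical values, not captured from a real beacon).
SAMPLE_URL_FRAME = bytes([FRAME_URL, 0xEB, 0x03]) + b"example" + bytes([0x07]) + b"/promo"
SAMPLE_UID_FRAME = bytes([FRAME_UID, 0xEB]) + bytes(range(10)) + bytes([0xAA] * 6) + b"\x00\x00"

if __name__ == "__main__":
    for frame in (SAMPLE_URL_FRAME, SAMPLE_UID_FRAME):
        print(decode_frame(frame))
```

The reserved-byte check matters: a spoofed frame could otherwise smuggle control characters into a URL that the app later opens or logs. `is_trusted_url` is the application-side caveat; the beacon format itself offers no way to tell a legitimate beacon from a replayed or forged one.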

US – Car Companies Limiting Driver Data Shared With Tech Companies

Auto companies, increasingly collecting data about drivers through connected cars, are limiting the data they share via new systems that link smartphones to cars with technology partners Apple and Google. “We need to control access to that data,” said Don Butler, Ford’s executive director of connected vehicle and services, adding, “We need to protect our ability to create value” based on digital services built on vehicle data. GM told investors earlier this year it expects to see an additional $350 million in revenue over the next three years from the high-speed data connections it’s building into its cars. [Reuters]

Offshore

RU – Parliament Backs Sweeping RTBF Law

The Russian parliament has approved a bill that will require online search engines to remove search results about specific individuals at their request, regardless if the person is a public figure or not. Though somewhat similar to the EU’s right-to-be-forgotten concept, the Russian version has no balancing test for the public’s right to information. Individuals may request that search engines remove search results if the data about them is “no longer relevant,” the report states. Russia’s largest search engine Yandex said last month that such a law would impede “people’s access to important and reliable information,” while Russian lawmaker Leonid Levin defended the bill, saying it “will create an efficient tool for clamping down on blackmail and Internet bullying.” [NDTV] [RU – ‘Right to Be Forgotten’ Exposes Russia to Risks] [In Russia, Parliament has given its approval to an Internet privacy bill] [Russia’s Parliament has approved a bill that will require online search engines to remove search results about specific individuals at their request, regardless if the person is a public figure or not]

CN – China’s Cyber Security Law

A new draft law in China would give the government the authority to shut down Internet access during major “social security incidents.” The law would also require technology companies to ensure protection of user data. People would be required to register for services with their real names, and companies would be required to store user data within the country. [QZ.com] [Ars Technica] [The Register] [China Law Translate] [China Releases Draft of New Network Security Law: Implications for Data Privacy & Security] [China’s highest legislative body, the National People’s Congress, has released text of proposed national legislation that would bolster privacy protection, outlaw hacking activity and give authorities a mandate to control Internet access] [The Chinese government’s new National Security Law “calls for strengthened management over the web and tougher measures against online attacks, theft of secrets and the spread of illegal or harmful information”]

NZ – New Zealand Makes Internet ‘Trolling’ Illegal

Internet trolls face up to two years’ jail in New Zealand under a controversial new law which bans “harmful digital communications”. And under a parallel amendment to New Zealand’s Crimes Act, a person who tells another to kill themselves faces up to three years in prison. The law will help mitigate the harm caused by cyber-bullying and give victims a quick and effective means of redress, supporters said. But critics said the law harms free speech and its fine print could threaten public interest journalism in the country. Under the Harmful Digital Communications Act in effect from this week, anyone convicted of “causing harm by posting digital communication” faces two years in prison and a $50,000 (NZ) (£6,500) fine, while businesses face fines of up to $200,000 (NZ). Harmful communications can include truthful as well as false information, and “intimate visual recordings” such as nude or seminude pictures or video shared without permission. The bill was introduced after a public outcry over the horrific “Roast Busters” scandal, in which a group of teenage boys from Auckland was accused of sexually assaulting drunk, underage girls and boasting about the acts on social media. [The Telegraph] [New Zealand’s Harmful Digital Communications Act makes some changes to the scope of the Privacy Act, including closing a “revenge porn loophole where complainants’ ex-partners could distribute intimate photographs or videos without breaching the Privacy Act”]

NZ – Privacy Commissioner to Trial Corporate Transparency Reporting

“Transparency reporting has the potential to increase public awareness of the information gathering activities of law enforcement and security agencies and to encourage companies that hold the information to be open with consumers about the limitations of confidentiality, and the ways in which they cooperate with agents of the state. This year we intend to trial asking companies to keep a standardised record of requests for information from law enforcement agencies and to report this information to us. We will then publish this information.” – Privacy Commissioner John Edwards [Source] SEE ALSO: [As unmanned aircraft popularity burgeons, concerned parties like the New Zealand Privacy Commission and even drone experts believe that regulations like those due to be released next month are necessary]

HK – Time for Hong Kong’s privacy commissioner to go

Chiang has taken to advocating the disastrous “right to be forgotten” law of the European Union in the typically me-too mentality of the Hong Kong bureaucrats – he was for a long time postmaster general after all. In that spirit, he has been harassing people and websites that provide a genuine public service. His office, for example, is now fighting corporate governance advocate David Webb at the Administrative Appeals Board after Webb refused an order to redact the names of people who appeared in reports on three court judgments handed down between 2000 and 2002. Webb has rightly argued that publishing judgments is a judicial function, so personal data that appear in judgments should be exempt from data protection principles. It’s Chiang’s job to “keep private data private”, Webb pointed out, but “not to make public data private” [Source]

AU – OAIC to Be Left Without Statutory Officers

The Privacy Commissioner’s appointment expires this week, while the Australian Information Commissioner formally resigns on July 31, leaving the OAIC potentially without any statutory officers. The government will need to find a solution to avoid FOI chaos. [Source] SEE ALSO: [AU – The New South Wales Parliament’s Law and Justice Committee “has begun a fresh inquiry into the long-debated need for legal measures that would let Australians sue over serious breaches of their privacy.]

Online Privacy

WW – W3C Publishes DNT Compliance Draft

The World Wide Web Consortium (W3C) has published a “Last Call Working Draft” for a proposed compliance standard that defines a set of practices for complying with users’ do-not-track (DNT) requests. While browsers currently have DNT functionality, “those headers don’t actually prevent anyone from tracking users,” the report continues. “Instead, the headers send a signal to publishers and ad networks—which are free to honor them or not.” The initiative, which has struggled to gain consensus since it began in 2011, aims to ensure a common definition of DNT so that users can understand what an entity means when it claims adherence. “This eliminates the industry’s excuse of not knowing what the do-not-track signal means,” said Digital Content Next CEO Jason Kint. Comments on the draft are welcome to the W3C through October 7. [MediaPost]
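Because the DNT header is only a signal, honoring it is something the server has to do deliberately. The WSGI middleware below is an added example, not code from the W3C or from any publisher; it shows what "honoring" concretely means: the header counts only when its value is exactly `1`, tracking cookies are dropped from the response while functional cookies stay, and the companion `Tk` response header from the W3C Tracking Preference Expression draft tells the browser what the site did (`N` = not tracking, `T` = tracking). The cookie names, the sample application and the environ values are constructed for illustration.

```python
"""WSGI middleware that honors DNT: 1 by suppressing tracking cookies and
announcing the tracking status with a W3C 'Tk' response header."""
from wsgiref.util import setup_testing_defaults

# Hypothetical names of cookies used for cross-site tracking (functional cookies are untouched).
TRACKING_COOKIES = {"uid", "adtrack"}


def dnt_enabled(environ: dict) -> bool:
    """True only for the exact value '1'; absent, '0' or anything else expresses no preference."""
    value = environ.get("HTTP_DNT")          # WSGI exposes the DNT request header under this key
    return value is not None and value.strip() == "1"


class DntMiddleware:
    """Wrap any WSGI app; strip tracking Set-Cookie headers when the user sent DNT: 1."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        honor = dnt_enabled(environ)

        def _start(status, headers, exc_info=None):
            out = []
            for name, value in headers:
                cookie_name = value.split("=", 1)[0].strip()
                if honor and name.lower() == "set-cookie" and cookie_name in TRACKING_COOKIES:
                    continue                      # drop the tracking cookie, keep everything else
                out.append((name, value))
            out.append(("Tk", "N" if honor else "T"))   # tracking-status header per the W3C TPE draft
            return start_response(status, out, exc_info)

        return self.app(environ, _start)


def tracking_app(environ, start_response):
    """Constructed sample app that sets one functional and one tracking cookie."""
    start_response("200 OK", [
        ("Content-Type", "text/plain"),
        ("Set-Cookie", "session=abc123; HttpOnly; Secure"),
        ("Set-Cookie", "uid=tracker-42; Max-Age=31536000"),
    ])
    return [b"hello"]


def make_environ(dnt=None) -> dict:
    """Synthetic WSGI environ; dnt is the raw header value or None when the header is absent."""
    environ = {}
    setup_testing_defaults(environ)
    if dnt is not None:
        environ["HTTP_DNT"] = dnt
    return environ


def call_app(app, environ):
    """Run a WSGI app offline and return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def cookie_names(headers) -> set:
    """Names of all cookies set in a response header list."""
    return {v.split("=", 1)[0] for k, v in headers if k.lower() == "set-cookie"}


def tracking_status(headers) -> str:
    return dict(headers)["Tk"]


if __name__ == "__main__":
    app = DntMiddleware(tracking_app)
    for dnt in ("1", "0", None):
        _, headers, _ = call_app(app, make_environ(dnt))
        print(dnt, cookie_names(headers), tracking_status(headers))
```

In practice the middleware is the easy half; the hard half is making sure every tracking mechanism (pixels, fingerprinting scripts, server-side logs keyed on a user id) is also gated on the same `dnt_enabled` decision, which is exactly the ambiguity the compliance draft is trying to remove.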

EU – Google Updates Privacy Policy After DPA Threatens Fine

The Dutch Data Protection Authority (DPA) has announced Google “has improved its privacy policy” after the DPA threatened the company with a 15-million-euro fine. According to the DPA, Google has “updated the information on its privacy policy and now also asks new users’ permission to combine their personal data throughout Google services,” the report states. The DPA has not required Google to pay the fine, but it “may still face a fine of up to five million euros if it does not get permission of Google-users to combine their personal data by December,” the report states. [NL Times]

EU – RTBF Data Shows Types of Requests

Data gleaned from archived versions of Google’s transparency report revealed statistics related to right-to-be-forgotten takedown requests, potentially demonstrating that more than 95% of the takedown requests involved “everyday members of the public” and not criminals, politicians or other high-profile public figures. According to the report, more than 95% of the requests are related to private personal information and nearly half of those have been granted. Google said, “The data The Guardian found in our Transparency Report’s source code … was part of a test to figure out how we could best categorize requests. We discontinued that test in March because the data was not reliable enough for publication. We are however working on ways to improve our transparency reporting.” [The Guardian]

US – Group Wants Right To Be Forgotten for U.S.

A consumer watchdog is filing a formal complaint with the FTC arguing that, by not providing Americans with the same right-to-be-forgotten measures existent in the EU, Google is exercising an unfair and deceptive trade practice. In the complaint, the group urges the FTC to “investigate and act.” Consumer Watchdog Privacy Project Director John Simpson said, “Google holds itself out as so concerned about users’ privacy, but denies fundamental privacy protection—that’s deceptive.” [The Washington Post]

US – Researchers Find Platform Capable of Facilitating Discriminatory Practices

A new research paper suggests that Google “may lack the ability to keep discriminatory and privacy policy-violating advertisements off its services.” Three computer scientists from Carnegie Mellon University and the International Computer Science Institute found that Google’s AdSense platform “is capable of discriminating against women looking for employment and targeting consumers based on their health information,” the report states. The researchers built a tool called AdFisher and used more than 17,000 simulated user profiles to look at how different user traits would impact which ads they were served. In one experiment, ads for drug and alcohol rehabilitation centers were shown to accounts that had accessed substance abuse websites. [WIRED]
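The method behind a finding like this is worth seeing in code: two groups of simulated agents that differ in exactly one declared trait, an impression log of which ads each saw, and a permutation test that asks whether the gap in how often a target ad appears could plausibly be chance. The block below is an added example written for this digest, not the AdFisher tool itself; it uses a difference-of-means statistic rather than the classifier-based statistic the researchers used, and every impression count, ad headline and agent id is constructed. Running the null case (identical count distributions in both groups) alongside the biased case shows what the test does and does not claim.

```python
"""Miniature AdFisher-style audit: do two agent groups that differ only in a
declared trait receive a target ad at different rates? Data is constructed."""
import random

TARGET_AD = "Executive coaching: $200k+ roles"   # hypothetical ad headline under audit


def build_log(counts_a, counts_b, trait_a="female", trait_b="male"):
    """Construct an impression log of (agent_id, trait, headline) tuples.
    Each agent also sees one unrelated ad so agents with zero target impressions still appear."""
    log = []
    for trait, counts in ((trait_a, counts_a), (trait_b, counts_b)):
        for i, n in enumerate(counts):
            agent = f"{trait}-{i}"
            log.append((agent, trait, "Local bakery weekend sale"))
            log.extend([(agent, trait, TARGET_AD)] * n)
    return log


def impressions_by_trait(log, target):
    """Count target-ad impressions per agent, then group the counts by trait."""
    per_agent = {}                      # agent -> [trait, count]
    for agent, trait, headline in log:
        entry = per_agent.setdefault(agent, [trait, 0])
        if headline == target:
            entry[1] += 1
    groups = {}
    for trait, count in per_agent.values():
        groups.setdefault(trait, []).append(count)
    return groups


def permutation_test(a, b, n_perm=2000, seed=7):
    """Two-sided permutation test on |mean(a) - mean(b)|.
    Labels are reshuffled n_perm times; p is the share of shuffles at least as extreme,
    with a +1 correction so p is never reported as exactly zero."""
    observed = abs(sum(a) / len(a) - sum(b) / len(b))
    pooled = list(a) + list(b)
    na = len(a)
    rng = random.Random(seed)          # fixed seed so an audit run is reproducible
    extreme = 0
    for _ in range(n_perm):
        rng.shuffle(pooled)
        stat = abs(sum(pooled[:na]) / na - sum(pooled[na:]) / (len(pooled) - na))
        if stat >= observed:
            extreme += 1
    return observed, (extreme + 1) / (n_perm + 1)


def audit(log, target, n_perm=2000):
    """Run the experiment over a log and report means, gap and p-value."""
    groups = impressions_by_trait(log, target)
    if len(groups) != 2:
        raise ValueError("expected exactly two trait groups")
    (trait_a, a), (trait_b, b) = sorted(groups.items())
    observed, p = permutation_test(a, b, n_perm)
    return {"groups": (trait_a, trait_b),
            "means": (sum(a) / len(a), sum(b) / len(b)),
            "observed_gap": observed, "p_value": p}


# Constructed target-ad counts for ten agents per group: a biased case and a null case.
BIASED_FEMALE = [0, 1, 1, 0, 2, 1, 0, 1, 1, 0]
BIASED_MALE = [4, 5, 3, 6, 4, 5, 4, 3, 5, 4]
BIASED_LOG = build_log(BIASED_FEMALE, BIASED_MALE)
NULL_LOG = build_log(BIASED_FEMALE, BIASED_FEMALE)

if __name__ == "__main__":
    print("biased:", audit(BIASED_LOG, TARGET_AD))
    print("null:  ", audit(NULL_LOG, TARGET_AD))
```

A low p-value says the platform treated the two groups differently; it does not say which component (advertiser targeting, auction bidding, or the platform's own models) caused it, which is the attribution limit the researchers were also careful about.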

WW – Google: ICANN Proposal Unfair for Small Businesses, Individuals

Google says the proposal of the Internet Corporation for Assigned Names and Numbers (ICANN) aimed at combating online piracy by prohibiting commercial domain registrants from using proxy or privacy services is unfair to small businesses and individuals. Google says companies will still be able to use shell companies to hide ownership of domain names, but small businesses and individuals won’t be able to do the same. “Corporations, in particular, often use proxies or subsidiaries to provide local contacts … to provide privacy as in the case of law firms or ‘shell companies’ acting on behalf of their principals,” the company said in its comments, citing its own Charleston Road Registry. [The Domains]

WW – Berners-Lee Calls for Access to Research Data

World Wide Web founding father Tim Berners-Lee made comments regarding individuals’ rights to their digital data and the need for government transparency and researchable clinical data. “We may have a revolution where people are demanding their data back,” he said. “Consumers of the world need to make it very clear that they want control; they want access to their data, they want access to open government data.” He has also called for a bill of online rights that would be respected by both governments and businesses. Plus, he said, “Clinical data should be available to research by default,” adding, “It’s such a valuable thing; the medical community could do such valuable things with it.” [Bloomberg]

WW – Adobe Patches Critical Flash Vulnerability

Adobe has rushed out a patch for its Flash Player to address a vulnerability that had been leaked and was being used in active attacks. Users should update to Flash version 18.0.0.203 for Windows and Mac; version 11.2.202.481 for Linux; and version 13.0.0.302 for users on the extended support channel. The Flash plug in on Google Chrome and on Internet Explorer on Windows 8.x will be updated automatically. [ComputerWorld]

WW – Facebook CSO Calls for End to Flash

Facebook’s new chief security officer has said, via Twitter, that it’s time for Flash to go. Alex Stamos tweeted, “It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day.” Stamos became Facebook’s CSO in June after less than a year as CISO at Yahoo. Steve Jobs called for an end to Flash in 2010. [ZDNet] [CNET] [Second Flash Player zero-day exploit found in Hacking Team’s data]

WW – Social Media Network Wants Privacy in User’s Hands

Privacy activists have long complained that large social networks like YouTube, Twitter, Facebook and others use members’ private information without consent or transparency. But so far, there have been few alternatives. That’s something Bill Ottman is hoping to change. Ottman is the founder and CEO of Minds.com, a new social network that is free, fully open source and, it says, fully encrypted. Still only a few weeks old, Minds has already received one high-profile vote of confidence from the privacy-centric hacker collective called Anonymous. [VOA] See also: [A Third of the World Is Using Social Media, But 90% Are Concerned About Privacy]

WW – A $200 Privacy Device Has Been Killed, and No One Knows Why

A security researcher has abruptly cancelled next month’s scheduled unveiling of a privacy device designed to mask Internet users’ physical locations. It’s a move that has both disappointed privacy advocates and aroused suspicions. Ben Caudill, a researcher with Rhino Security Labs, took the unusual step of saying he no longer plans to release the software or hardware schematics for his so-called ProxyHam box. He said the devices already created have been destroyed. Caudill has offered no explanation for the killing of the project, but he has reportedly ruled out both intellectual property disputes and Federal Communications Commission licensing concerns. That has left some people to speculate a secret government subpoena known as a National Security Letter is at play in the decision to kill the project. The ProxyHam device was able to mask the location of an Internet user by broadcasting on a 900MHz radio frequency so the owner could connect from up to 2.5 miles away from the source of the Internet connection. As a result, even if someone tracked down the location of an IP address, the user wouldn’t automatically be discovered. The box was billed as using open-source software and requiring less than $200 in hardware. It was scheduled to be the topic of a now-canceled talk at next month’s Defcon hacker conference in Las Vegas. Whatever the reason for the cancellation, it wouldn’t be hard for someone else with expertise in hardware to create a box that does exactly what Caudill described. So far, there’s no word of anyone offering to sit in for Caudill. [arstechnica.com] [CSO: The Implications of ProxyHam’s Sudden Disappearance]

Other Jurisdictions

KY – Kenya Establishes Regulations to Combat Cyber Crime

Kenya Communications Authority’s Francis Wangusi has announced a new set of regulations to fight cybercrime. The new rules will require all users of devices with wireless networking capability to register their devices with the Kenya Network Information Centre, the report states. The registry will allow Kenyan authorities to “be able to trace people using national identity cards that were registered and their phone numbers keyed in during registration” if the devices are associated with criminal activity on the Internet, Wangusi said. In addition, all Kenyan businesses will be required to host their websites within Kenya. [Ars Technica] [Kenya to require users of public Wi-Fi to register with government]

CN – China Mulls Privacy Protection, Further Curbs on Internet

The Chinese government’s newly minted National Security Law “calls for strengthened management over the web and tougher measures against online attacks, theft of secrets and the spread of illegal or harmful information.” “Externally speaking, the country must defend its sovereignty, as well as security and development interests, and … it must also maintain political security and social stability,” a spokeswoman said. “Companies worry that (the legislation) could undermine their ability to send encrypted emails or operate the kind of private corporate networks commonly used to secure communications,” the report states. Members of the Chinese public are worried that their right to speech may be further curtailed in the name of national security. China already has some of the most restrictive Internet controls. It blocks popular Web sites such as Twitter, Facebook, YouTube, Instagram and various Google services. Search results are severely filtered to scrub out information deemed offensive to the authorities, and online posts are routinely removed if they are considered to have potential to unsettle the public. [Source]

Privacy (US)

US – No-Harm-Big-Foul: The FTC’s Latest Overreach in Data Privacy

By enforcing the FTC act against trivial misstatements in privacy policies that nobody reads, the Commission has been able to put an increasingly large number of firms in the digital economy under 20-year orders. The orders often mandate intrusive monitoring and reporting. What’s more, the FTC can obtain substantial monetary penalties for order violations—just ask Google, which was hit with a $22.5 million fine for a misstatement on its FAQ page about how to disable cookies in Safari (which by all indications impacted nobody). [Source]

US – FCC Releases Declaratory Ruling on TCPA

A “sharply divided” FCC has issued its Telephone Consumer Protection Act (TCPA) Declaratory Ruling and Order with “a range of new statutory and policy pronouncements that have broad implications for businesses of all types that call or text consumers for informational or telemarketing purposes,” Laura Phillips and Eduardo Guzman of Drinker Biddle & Reath write. Key areas of the ruling include scope and definition of auto-dialers; consent and revocation of consent; treatment of text messaging and Internet-to-phone messaging, and service provider offering of call-blocking technology, they write, noting the FCC “states that the new interpretations of the TCPA are effective upon the release date of the Declaratory Ruling. Requests may be lodged, however, to stay its enforcement pending review.” [TCPA Blog]

US – Court Again Rejects Suit Against Google

Google users were blocked for a fourth time from suing the company by a judge who found their claims of breach of personal privacy could not be proven. In this iteration of the suit, “plaintiffs focused on claims that Google violated its own privacy policy by disclosing to third parties the names, email addresses and account location of Android users,” the report continues. However, U.S. Magistrate Judge Paul Grewal found that there was a lack of evidence supporting the allegations, “especially as plaintiffs claim injury without alleging any actual disclosure to third parties from plaintiffs’ own devices,” he said. [Bloomberg Business]

US – ITIF Calls on Congress to Ban Revenge Porn

The Information Technology and Innovation Foundation (ITIF) is calling on Congress to ban revenge porn. The ITIF released a report entitled “Why and How Congress Should Outlaw Revenge Porn,” recommending Congress pass legislation like the bill Rep. Jackie Speier (D-CA) will release July 23 to ban photos of genitalia if a nonconsenting person is identifiable by face or name, as well as create a special FBI unit to provide immediate assistance to revenge porn victims and “direct the Department of Justice to work with the private sector on developing best practices for how online services can quickly remove nonconsensual pornography.” [The Hill] [NY Mag: Could Affirmative-Consent Model Stop Revenge Porn?]

US – FCC Reaches $3.5 Million Breach Settlement with Companies

The FCC Enforcement Bureau has announced a $3.5 million settlement with TerraCom, Inc., and YourTel America, Inc., to resolve an investigation into whether the companies failed to properly protect the confidentiality of personal information they received from more than 300,000 consumers. An investigation found the companies’ vendor stored consumers’ personal information on unprotected servers that were accessible over the Internet. “Consumers rightly expect that companies will take every reasonable precaution to protect their personal information,” said FCC Enforcement Bureau Chief Travis LeBlanc. In addition to the penalty, the companies will notify all consumers whose information was subject to unauthorized access and will provide complimentary credit monitoring services for all affected. [Full Story]

US – AGs to Congress: Don’t Preempt States’ Rights

The attorneys general (AGs) from the 47 states that have data breach notification laws sent Congressional leaders a letter urging them to not preempt states’ rights in investigating breaches. The AGs write that “any additional protections afforded consumers by a federal law must not diminish the important role states already play protecting consumers from data breaches and identity theft.” Vermont AG William Sorrell said, “Given the almost constant stream of data security breaches, state attorneys general must be able to continue our robust enforcement of data breach laws,” adding, “A federal law is desirable but only if it maintains the strong consumer protection provisions in place in many states.” [The Hill]

US – Uber’s Targeted Messaging Draws Criticism

A targeted message from Uber to its Brooklyn, NY, users urging them to challenge New York City travel legislation has drawn criticism from users and a consumer security expert who feel that the move was a breach of privacy. “It is not uncommon to email riders and driver-partners based on neighborhood,” Uber has responded. Gary Miliefsky, CEO of SnoopWall, disagrees. “They need to know where you are for your ride, not to know who to send political documents to,” Miliefsky said. “Can we at least be upfront and clearer with the privacy risk we are putting customers at?” [CNBC]

US – White House Orders Immediate Adoption of Basic Security Measures

Following the news of breaches of the OPM’s networks that compromised security clearance data, the White House has ordered federal agencies to immediately adopt basic security practices. The required procedures include applying patches for critical flaws promptly; using anti-virus products and checking logs for attack indicators; deploying two-factor authentication; and strengthening controls for privileged users. [ComputerWorld] [The Register] [NextGov]

Privacy Enhancing Technologies (PETs)

UK – ICO Approves CA Technologies for BCRs

New York City-based CA Technologies has received approval of its binding corporate rules (BCRs) from UK Information Commissioner Christopher Graham. “Being one of the first technology companies to receive approval for our BCR is an incredible achievement and one that demonstrates that CA not only creates secure solutions but also implements the highest level of data privacy and protection as a matter of company policy,” said CA Technologies General Counsel Michael Bisignano. CA Technologies joins a growing list of companies choosing BCRs as a data-transfer mechanism. [Source]

WW – Uniting Privacy and Customization

“Computer scientists and legal experts from Trinity College Dublin and SFI’s ADAPT centre are working to marry two of cyberspace’s greatest desires” via “Privacy Paradigm,” an online privacy system that aims to both customize and protect data on popular sites and apps “so that users signing up would know exactly how private, or otherwise, their personal information would be.” “It’s a grand target we’re setting ourselves and the research is ongoing,” said Trinity Prof. Owen Conlan, “but the big-picture vision is to make the way online services use our personal—and often privacy-sensitive—information as transparent and easy to understand and manipulate as possible for ordinary users.” [Phys.org]

RFID / IoT

WW – Study: Users Don’t Totally Grasp IoT, But They Know Their Data Is Being Sold

An Altimeter Group study, Consumer Perceptions of Privacy in the Internet of Things, discovered that while 40% of consumers “still have little understanding” regarding cookies and 87% of consumers are unsure of what the Internet of Things is, exactly, they have a fundamental understanding of “the data implications of fitness trackers, connected cars or connected home appliances. And most don’t like it,” adding that consumers’ chief concern is having their data sold. Jessica Groopman, who conducted the research, said, “It’s clear that there’s a communication and consent gap today. It isn’t smart for companies to move forward ruthlessly and relentlessly. It should be a bit more of a joint effort where companies educate consumers and get their opt in.” [Fortune]

Security

US – Increased Spending Not Improving US Government Cyber Security

Although the US federal government has increased spending on cyber security over the past few years, the government’s systems continue to experience serious attacks, such as those launched against networks at the Office of Personnel Management (OPM), the Internal Revenue Service (IRS), and the State Department. Some of the increase in reported cyber security events can be attributed to privacy violations, lost and stolen devices, and attempted break-ins, as well as to better incident awareness and detection. A recent survey found that government agencies are having trouble keeping up with changing threats and that incident response times have not improved. Agencies are also hiring contractors who are not equipped to interpret the data generated by the security tools the agencies have in place. [CSMonitor]

US – Cyber Sprint Could Reveal Many More Intrusions

The federal government could find many more cyber intrusions following the White House-initiated 30-day “cyber sprint.” Office of Management and Budget Chief Information Officer Tony Scott said, “I think it’s a realistic chance, and I think this is true no matter where you go … It’s not unique to the federal government.” The 30-day sprint is now completed, and, according to the report, Scott plans to publicly release which agencies have achieved the goals of getting up to speed on critical information-security protections. “Some will get there, and some won’t,” he said. “There’s probably no CIO in any federal agency now who wants to be the bottom of the list.” [Reuters] [#AntiCanadaDay Attacks On Government Sites]

US – NTIA Announces First Cybersecurity Multi-Stakeholder Process

The National Telecommunications and Information Administration (NTIA) announced its first cybersecurity multi-stakeholder process will launch in September and focus on vulnerability research disclosure. The goal of the process will be to bring together security researchers, software vendors and “those interested in a more secure digital ecosystem to create common principles and best practices around the disclosure of and response to new security vulnerability information.” The multi-stakeholder process follows the Department of Commerce’s announcement in March of an initiative to address key cybersecurity issues facing the digital economy. [NTIA blog post]

US – Survey Finds Cybersecurity Viewed as Increasingly Important

A Healthcare Information and Management Systems Society survey indicates that 87% of healthcare professionals have used the last year to elevate the importance of cybersecurity, while an additional two-thirds of those surveyed have had a “significant security incident in the recent past.” “On average, the survey-takers’ organizations use 11 different technologies to try to secure their networks and data, in part because hackers, phishers and other scammers are getting more sophisticated,” the report states. Meanwhile, the healthcare profession doesn’t “have a system in place that is practical or financially viable at scale for securing medical devices, and innovation is essential.” [MedCity News]

WW – Darkode Cybercriminal Hacker Marketplace Shut Down

Investigators have shut down what they call the world’s largest-known English-language malware forum, an online marketplace called Darkode where cybercriminals bought and sold hacked databases, malicious software and other products that could cripple or steal information from computer systems, the Justice Department announced Wednesday. Twelve people linked to the site have been charged. [Associated Press]

WW – Investors Pour $1.2 Billion into Security Start-Ups

Data breaches are resulting in more investment in cybersecurity companies. “Five years ago, it would have been a very hard sell,” said Max Krohn, cofounder of encryption start-up Keybase with Chris Coyne. “Probably, it would have been, ‘Sorry, no one cares about security, therefore this product doesn’t have much of a hope.’” Keybase, a new Dropbox-style file-sharing service that employs public-key encryption, has landed $10.8 million in funding from venture capital firm Andreessen Horowitz; UK big-data privacy start-up Privitar recently landed $1 million. Such investors “say they likely wouldn’t have invested in a company like Keybase even two years ago,” the report states, noting that in the first half of this year, “venture firms invested $1.2 billion in cybersecurity start-ups … up sharply from $771 million in 2013’s first half.” [The Wall Street Journal]

WW – Critical Security Controls Draft Available for Public Comment

The Center for Internet Security has released Critical Security Controls Draft Version 6c for public comment. Changes in this draft include the reprioritization of certain Controls due to the evolution of threats, the restructuring of some Controls for simplification, and better alignment with other frameworks, including the NIST Cybersecurity Framework. [CISecurity]

WW – Shared Passwords and No Accountability Plague Privileged Account Use

In its State of the Corporate Perimeter survey, Centrify found that nearly 60% of US IT decision-makers share access credentials with other employees at least somewhat often. Conducted among 200 of these decision-makers, the survey also found that 52% of US-based IT employees also shared credentials with contractors. About three-quarters of respondents estimate that more than 10% of employees have access to these kinds of privileged accounts, whether legitimately or through sharing. And over half of respondents in the US reported that it would be easy for a former employee to log in to access systems or data with old passwords. Unsurprisingly, 74% of those surveyed in the US reported that their organization needed to do a better job monitoring who is accessing data, and 62% believe their organization has too many privileged users. The concern grows as new models in cloud and mobile computing have obliterated the corporate perimeter. As things stand, 92% of organizations in the US currently have some form of user monitoring in place. However, only 56% have some sort of privileged identity management. Of those, nearly a third of companies do not have someone formally analyzing or auditing, on at least a weekly basis, how and when employees or contractors are performing privileged access to systems in the organization. Even something as simple as updating passwords on a regular basis is only performed by about 58% of US organizations. [Dark Reading]

US – The FBI is Willing to Pay $4.2 Million to Get These Hackers

They aren’t the murderers, drug traffickers and rapists who usually are on the FBI’s lists, but cyber criminals are still some of the agency’s most-wanted bad guys. The top five most-wanted cyber criminals, based on the amount of money offered for their capture and prosecution, are responsible for hundreds of millions of dollars in losses, according to FBI statistics, and authorities are willing to pay a combined $4.2 million for information leading to their arrest. [The Washington Post]

US – Why Webcam Indicator Lights Are Lousy Privacy Safeguards

A recent academic study found that few computer users notice indicator lights and even fewer realize that the camera is always recording when the light is on. The lack of awareness, say researchers, makes people more vulnerable to webcam spying. The webcam light is a type of privacy indicator, which is a notification that a user’s data is being collected in some way. Other privacy indicators include the green Secure Sockets Layer lock in the website address bar that indicates a secure connection or the pop-up on a smartphone asking for consent to share your location with an app. “One of the big problems we see today is that it’s really hard to know how an application is using your data,” says Serge Egelman, a research scientist at UC Berkeley’s Department of Electrical Engineering and Computer Science. “Once you’ve granted access to it, it’s essentially gone.” Until better indicators are developed for the webcam, Portnoff and Egelman recommend placing a sticker over the webcam and using antivirus software. For other applications, pay attention to what permissions they ask for. [csmonitor.com]

Surveillance

UK – New Snowden Docs Revealed

The Intercept has released a new trove of documents accessed via the Edward Snowden leaks, providing a detailed look into the capabilities of the U.S. NSA program known as XKEYSCORE. First reported in 2013, the program is one of the agency’s “most powerful tools of mass surveillance” and “makes tracking someone’s Internet usage as easy as entering an email address,” the report states, adding the program “provides no built-in technology to prevent abuse.” [Full Story] Meanwhile, UK Prime Minister David Cameron doubled down on his promise to not “leave a safe space … for terrorists to communicate with each other.” Additionally, the Investigatory Powers Tribunal has found the UK’s GCHQ reportedly spied on Amnesty International’s private communications. The human rights organization called the agency’s actions “outrageous.”

UK – NSA Collecting Voice Calls, Photos, Passwords, and Much More After All

NSA documents leaked to the Guardian in 2013 described a covert program called XKeyscore, which involved a searchable database for intelligence analysts to scan intercepted data. Now, new documents show the breadth of this program and just what sort of data XKeyscore catalogs. According to a new report from The Intercept, the amount of data XKeyscore scoops up, as well as the sort of data it collects, is much larger than originally thought. Here are a few highlights from the new report: The XKeyscore database is “fed a constant flow of Internet traffic from fiber optic cables that make up the backbone of the world’s communication network, among other sources, for processing,” the new report writes. Its servers collect all of this data for up to five days, and store the metadata of this traffic for up to 45 days. Web traffic wasn’t XKeyscore’s only target. In fact, according to the documents posted by The Intercept, it was able to gather data like voice recordings. A list of the intercepted data included “pictures, documents, voice calls, webcam photos, web searches, advertising analytics traffic, social media traffic, botnet traffic, logged keystrokes, computer network exploitation (CNE) targeting, intercepted username and password pairs, file uploads to online services, Skype sessions and more.” How the search works is very advanced. The new documents detail ways that analysts can query the database for information on people based on location, nationality, and previous web traffic. XKeyscore was also used to help hack into computer networks for both the US and its spying allies. One document dated 2009 claims that the program could be used to gain access into unencrypted networks. Using XKeyscore was reportedly insanely easy. “The amount of work an analyst has to perform to actually break into remote computers over the Internet seems ridiculously reduced — we are talking minutes, if not seconds,” security researcher Jonathan Brossard told The Intercept. “Simple. As easy as typing a few words in Google.” While XKeyscore has been known as an intelligence tool for years now, these new documents highlight just how advanced and far-reaching the program’s surveillance is. The NSA, in a statement to The Intercept, claims that all of its intelligence operations are “authorized by law.” It added, “NSA goes to great lengths to narrowly tailor and focus its signals intelligence operations on the collection of communications that are most likely to contain foreign intelligence or counterintelligence information.” [Source]

UK – Government’s Surveillance Plans Could Put Citizens, Economy and Entire Internet at Risk, Argue Leading Computing Experts

Proposals are ‘unworkable in practice, raise enormous legal and ethical questions, and would undo progress on security at a time when internet vulnerabilities are causing extreme economic harm’, leading experts argue [Source] [Why We Must Fight the ‘Snoopers Charter’]

UK – Would an Encryption Ban Kill the UK’s Bitcoin Businesses?

Reports that the government’s plan would result in a ‘ban’ on PGP, Apple Messages or WhatsApp have been based on speculation so far. The government has not stated explicitly how it intends to handle the issue. Inserting backdoors into encrypted systems for government agencies, however, would effectively render them open since it would be impossible for the provider and end user to ever be certain their communications were not being monitored. …At this stage it is not clear whether the plan to ban encryption is even possible. The technology has been in the wild for decades now, and previous attempts to limit its use have been unsuccessful. The UK’s own Parliamentary Office of Science and Technology said in a briefing that a ban on encryption is “infeasible” from a technological standpoint – though its report is not binding on government decisions. [Source]

UK – Surveillance Report Makes Concessions to Privacy Lobby

A report in response to Edward Snowden’s revelations concedes that privacy should be a greater concern in data collection and that current laws are outdated. The report proposes that the intelligence services retain the power to collect bulk communications data on the private lives of British citizens, but it also now concedes that privacy must be a consideration throughout the process. …There was vigorous debate between the former intelligence heads and privacy advocates over Snowden’s disclosures and whether British intelligence agencies had acted illegally. The intelligence agencies had wanted the report to give them a clean bill of health, but instead several caveats were added at the request of privacy advocates, such as the inclusion of the word “knowingly.” [Source]

UK – UK Government Now Says it is NOT Going to try to Ban Encryption

Business Insider has seen a letter sent from Baroness Shields, the minister for internet safety and security, to an MP in which Shields says “this government supports encryption, which helps keep people’s personal data and intellectual property safe from theft by cyber means. It is fundamental to our everyday use of the internet. Without the development of strong encryption allowing the secure transfer of banking details there would be no online commerce.” [Source]

UK – Mass Surveillance: My Part in the Reform of GCHQ and UK Intelligence Gathering

“When I sat down with an ex-minister, former security chiefs, internet execs and others, today’s report on oversight of bulk data collection seemed a long way off. Yet we did. The Royal United Services Institute panel was set up by Nick Clegg, the then deputy prime minister, in response to revelations from the US whistleblower Edward Snowden about the scale of intrusion by US and British intelligence agencies into private lives. Our remit: to look at the legality, effectiveness and privacy implications of government surveillance; how it might be reformed; and how intelligence gathering could maintain its capabilities in the digital age. It wasn’t easy and there were several times when I thought I would be writing a minority report with one or two of the panel members. But in the end we reached consensus: the report – published today – proposes that the security services continue with bulk collection of communications data, but with improved oversight and safeguards.” [Source]

UK – Review Clears UK Spies of Illegal Surveillance, Says Laws Need Overhaul

“We have seen no evidence that the British government knowingly acts illegally in intercepting private communications or that the ability to collect data in bulk is used by the government to provide it with a perpetual window into the private lives of British citizens,” the ISR concluded. “On the other hand, we have seen evidence that the present legal framework authorising the interception of communications is unclear, has not kept pace with developments in communications technology, and does not serve either the government or members of the public satisfactorily.” [Source]

US – New Privacy Debate Focuses on Government Access to Emails, Texts, Calls

The power, which comes from Section 702 of the 2008 FISA Amendments Act, was supposed to be aimed at foreign nationals living outside the USA but has ended up being used to collect massive amounts of personal communication from Americans. That data, which can also include photos, texts and instant messages, can be gathered by U.S. intelligence agencies without a warrant as long as it crosses the U.S. border electronically at some point. Given the fluid nature of electronic communications and data storage, that happens all the time …A majority of House members agreed, voting 255-174 in June for legislation by Massie and Rep. Zoe Lofgren, D-Calif., to prohibit intelligence agencies from using federal funds to search the data they collect under Section 702 for information about Americans. …But security hawks in Congress and the Obama administration are pushing back, vowing to fight any effort to weaken government surveillance programs at a time when terrorist threats from the Islamic State and other terrorist groups are on the rise. [Source] See also: [Spying on the Internet is Orders of Magnitude More Invasive Than Phone Metadata] [It’s Not Just the NSA — the IRS Is Reading Your Emails Too]

US – NSA Collection Fight Will Return to Second Circuit

Instead of clarifying the matter, Congress sparked another controversy with the passage of the USA Freedom Act, which gave the government a 180-day transition period before it goes into effect on Nov. 29. The government interpreted this clause as giving the NSA a window to continue with the same program that the Second Circuit had recently found illegal. Late last month, a judge from the Foreign Intelligence Surveillance Court endorsed that view, and the ACLU immediately vowed to return to New York to continue its fight. [Source]

US – Court Asked to Kill Off NSA’s ‘Zombie Dragnet’ of Americans’ Bulk Phone Data

The ACLU’s major contention in support of the requested injunction is that, despite the Freedom Act’s provision for a transition period, the underlying law authorizing the bulk surveillance remains the same Patriot Act provisions that the Second Circuit held do not justify the NSA phone-records collection. “There is no sound reason to accord this language a different meaning now than the court accorded it in May. [The Patriot Act] did not authorize bulk collection in May, and it does not authorize it now,” reads the ACLU brief. [The Guardian]

US – USA FREEDOM Act: Protector of Civil Liberties or Window Dressing?

In the month since Congress’ action, however, debate has continued about whether the USA FREEDOM Act actually curtailed government surveillance programs or whether it is mere window dressing. …the weeks since June 2 have seen a more measured and increasingly negative view of the real impact of the act. Several commentators have argued that the NSA’s bulk telephone collection program is only one minor NSA surveillance program and that too many others run by the government remain intact. Freedom Watch’s founder Larry Klayman called the act a “sham,” arguing that the NSA—and the Central Intelligence Agency (CIA)—will “do as they please” in surveillance activities. InfoWorld’s security columnist Roger A. Grimes argued that under the USA FREEDOM Act, only a “small part of a single NSA data collection program was barely modified,” while “nearly every other NSA program is intact.” Other commentators have described the act as “Orwellian,” “Inscrutable,” and “a Virtual Scam.” [Source]

US – EPIC Calls on FTC, DOJ for Inquest

The Electronic Privacy Information Center (EPIC) wrote to the FTC and DoJ to formally request an investigation of Google, Samsung, Mattel and other companies’ “always on” devices in an attempt to identify and curtail potential privacy issues. EPIC cited among its items of concern everything from Barbie dolls that record voices to Samsung’s smart TV. The letter asks “whether the products store people’s communications and whether security measures like encryption are in place to protect the recorded data,” the report states. Among the target companies and government agencies, only Samsung and home camera-maker Canary Connect have responded, the report states. [CIO]

US – Advocates Cynical as NTIA Drone Talks Approach

On August 3, the National Telecommunication and Information Administration (NTIA) will meet with privacy groups in an effort to understand the regulatory privacy measures necessary for drones. This is the third iteration of talks of this nature, which thus far have ended without consensus and with privacy groups leaving frustrated. “Consumer and privacy groups don’t have confidence in the process,” said Center for Digital Democracy Executive Director Jeffrey Chester. “Protecting privacy from the use of drones requires a serious effort that the NTIA has so far failed to demonstrate.” [PCWorld]

WW – Surveillance Company Hacked

Hacking Team (HT), a controversial surveillance technology developer, was itself hacked over the weekend. The company has been criticized by digital activists in the past for allegedly supplying repressive governments with powerful surveillance technology, potentially used to spy on political dissenters, human rights activists and journalists. On Sunday, the company’s Twitter handle was hacked and included several screen shots of stolen data, including the user names and passwords of company executives. According to the report, approximately 400 gigabytes of data was stolen from the firm. The ACLU’s Christopher Soghoian said the data “dump includes an .xls spreadsheet listing every government client, when they first bought HT and revenue to date.” [PCWorld]

US – Hacking Team Leak Indicates FBI Dealings, TOR Circumvention

A 400 gigabyte online “document dump” of data stolen from spyware organization Hacking Team highlights the technology developer’s alleged dealings with the FBI and other groups. One of the hacked spreadsheets indicates the FBI has paid Hacking Team more than $773,226 since 2011 “for services related to the Hacking Team product known as ‘Remote Control Service,’ which is also marketed under the name ‘Galileo,’” the report states. Another document discusses Hacking Team’s ability to bypass the HTTP strict transport security mechanisms designed to make HTTPS website encryption more reliable and secure. “Our solution is the only way to intercept TOR traffic at the moment,” the document said. [Ars Technica]

WW – Alibi App Lets Smartphones Record Video, Audio, Location 24/7

It could be an argument with a friend over what was said, an uncomfortable interaction with a co-worker or a routine police stop that turns sour. These are the kinds of situations that leave people wishing they could hit rewind on their lives and re-watch the situation to prove they were in the right. A new smartphone app could be that reliable witness. Alibi works in the background to record audio, video and location 24 hours a day, seven days a week, to document what really happened when there are conflicting accounts. Users download the app onto their smartphones. They only have to start it up once and Alibi will continuously work in the background to record audio, video and location. After the app records for one hour all of the data is automatically deleted. None of the recordings are stored by the company. If someone finds themselves in a situation where they want the data saved after an encounter, users can open the app and hit save. Alibi will save the last hour of recordings and hide the file on the person’s phone so it cannot be tampered with by anyone else. [CBC News]

NZ – New Drone Rules Protect Home Privacy

New drone regulations come into effect on August 1, banning the small aircraft from flying over houses without the property owner’s consent. “The Privacy Commission has only received one complaint to date, but it’s hard to tell how many the police have fielded to date because they don’t really know much about it, they’ve got no policy.” Part of the reason for the lack of complaints was the lack of regulations concerning drones. The most significant new rule that will come into effect in August is that drone operators will have to gain the consent of property owners before flying over their house, and of people they fly over. “That covers things like sporting events, music events… unless there is an exemption obtained by the Civil Aviation Authority, they can’t cover those events without the consent of every single person they will fly over.” The rules are prompted by both privacy and security concerns, says Mr Iorns. “That comes down to a safety consideration – we don’t want drones of up to 15kgs dropping out of the sky and landing on people’s heads.” [3news.co.nz]

US – Oakland Seeks Control of Law Enforcement Surveillance

Fed up with unwarranted spying by police, residents of the California port city of Oakland are pushing back by developing the first enforceable city legislation to regulate the purchase and use of surveillance equipment by law enforcement agencies. If approved, the legislation could make Oakland a national trailblazer for privacy rights campaigners alarmed at the rise of cameras, “stingrays” and other surveillance technologies used by law enforcement. Activists are hopeful that in the coming months the city council and mayor’s office will appoint members of a privacy advisory committee to draft a city ordinance on surveillance. They say this will be a big win for residents and a significant change from 2013, when the Oakland police, fire and port officials proposed to use $2m in federal grant money to expand a surveillance program from the port of Oakland to the entire city. [The Guardian]

UK – Body-Worn Cameras Pose Data Protection and Privacy Concerns, Warns CCTV Commissioner

The rise of body-worn cameras poses serious data protection and privacy concerns for the public, according to the UK government’s surveillance camera commissioner. Tony Porter noted that while police use of body-worn cameras, such as by the Metropolitan Police, is governed by strict rules and regulations, other organisations that use the technology lack the same oversight. “I’m talking about door supervisors at night clubs, traffic enforcement officers and environmental officers,” he said. As such, Porter said questions need to be asked about training, data security and who has access to recordings of the public. Porter also discussed the UK’s automatic number plate recognition (ANPR) system, which captures around 27 million images every day. The commissioner questioned the transparency surrounding the number of ANPR cameras that currently exist. Porter is currently reviewing the operation of the Surveillance Camera Code of Practice and will present his findings to home secretary Theresa May later this year. The code was introduced in 2013 to curb the excessive use of cameras for surveillance by increasing numbers of private and public sector organisations, and an updated version was issued in 2014 by the Information Commissioner’s Office. [v3.co.uk] See also: [A new Florida law “shields the footage taken by police body cameras from public view.” The new measure includes a privacy exception preventing the disclosure of such videos, including those taken in homes, at hospitals or at the scenes of medical emergencies]

UK – Home Secretary Named “Internet Villain” for Surveillance Powers Push

Congratulations, Theresa May! The internet hates you. The British cabinet secretary in charge of home affairs, policing, and counter-terrorism received a gong, part of the annual UK Internet Industry Awards, for “forging ahead with communications data legislation that would significantly increase capabilities without adequate consultation with industry and civil society.” Privacy International, a civil liberties group, picked up the award on her behalf. The home secretary, unshackled from her Liberal Democrat coalition partners following a surprise majority victory earlier this year, is pushing ahead with a rapid expansion of the UK’s investigatory and law enforcement powers. The so-called “snoopers’ charter” would allow police and intelligence agencies to grab British phone and email records to prevent terrorism. But the bill has been pushed through parliament with almost no consultation with the phone and internet providers who will be affected the most. The “snoopers’ charter” bill is due before parliament in the coming months, though no specific date has been set. [zdnet.com] [EU – Head of EU data protection says trading privacy for security is a “false fad”]

Telecom / TV

US – Paypal Walks Back Its Controversial Robocalling Policy

PayPal is changing its tune on sending you automated phone calls and text messages in the face of pushback from regulators and consumers. The company is again amending its user agreement just two days before its updated policies were to take effect. Under the changes, PayPal promises not to robocall you unless you’ve previously given the company your prior, express written consent. That means it also won’t require users to opt-in to receiving robocalls as a condition of continuing to use the mobile payments service. And the company is also clarifying its user agreement to state that PayPal will primarily use robocalling to “detect, investigate and protect our customers from fraud” or to notify users about account activity. That’s a significant turnaround from its previous proposed revisions, which required that all customers agree to accept robocalls if they wanted to keep using PayPal. The proposal sparked letters from concerned lawmakers and even the Federal Communications Commission, which has strict rules about robocalling and telemarketing. [The Washington Post]

US Government Programs

US – New Docs Shed Light on EO 12333; Former NSA GC Discusses Privacy

The Christian Science Monitor’s Passcode reports on a slew of documents released by the ACLU about Executive Order (EO) 12333. Signed by President Ronald Reagan in 1981 and strictly run under the executive branch, EO 12333 permits the Central Intelligence Agency (CIA) to collect foreign Internet communications in bulk. However, the documents show that the CIA can direct the NSA or FBI to conduct domestic surveillance on its behalf. Meanwhile, former NSA General Counsel Rajesh De discusses the role privacy plays in the agency, saying it is highly regulated and that the Foreign Intelligence Surveillance Act “is anything but a rubber stamp.” [Full Story]

US – Poitras Suing Over Unanswered FOIA Requests

Filmmaker Laura Poitras is suing the U.S. government after receiving no response to her Freedom of Information Act requests for documents pertaining to the government’s targeting of Poitras at U.S. and foreign airports, The Intercept reports. Poitras was searched, interrogated and detained more than 50 times over six years. Officials seized her notebooks, laptop, cell phone and other personal items. “I’m filing this lawsuit because the government uses the U.S. border to bypass the rule of law,” said Poitras in a statement. The filmmaker, who won an Oscar for Citizenfour, said she hopes the suit will also bring attention to those who are less well known but are also harassed at the border. [Full Story]

US – CFPB Wants Companies to Build In Privacy

As private-sector corporations move to streamline their online payment processes, making them faster and more convenient for customers, the Consumer Financial Protection Bureau (CFPB) has released its guiding principles for organizations to protect consumers. “Companies developing new financial technologies should be building systems from the outset with consumer protections in mind,” said CFPB Director Richard Cordray. “It is a lot easier to build something right from the start than it is to retrofit it. The CFPB will continue our work to help ensure that financial services marketplaces are safe and transparent for consumers.” [Full Story]

US – FTC Announces Data Security Education Initiative

The FTC announced a new initiative aimed at educating businesses on data security best practices. The agency also announced a series of workshops to help flesh out specific data security needs for start-ups and small- to medium-sized organizations. The “Start with Security” initiative also includes new guidance for businesses. “Promoting good data security practices has long been a priority for the FTC,” said FTC Bureau of Consumer Protection Director Jessica Rich in a press release. “The new Start with Security initiative shares lessons from the FTC’s 54 data security cases,” she noted, adding, “Although we bring cases when businesses put data at risk, we’d much rather help companies avoid problems in the first place.” [Full Story]

US Legislation

US – Recover Act Aims to Assist OPM Breach Victims

Nine House Democrats have unveiled the Recover Act, a bill that would provide “lifetime identity-theft monitoring” for the millions of victims of the recent Office of Personnel Management (OPM) breaches. “Much of the OPM data is lifetime and permanent background information that cannot be changed like a credit card number,” said Rep. Eleanor Holmes Norton (D-DC), whose bill is a companion to one from Sen. Ben Cardin (D-MD). The bill has support from National Treasury Employees Union President Colleen Kelly, who said it “will go a long way toward protecting individuals from ID theft problems stemming from these devastating data breaches.” [The Hill]

US – 21st Century Cures Bill Passes House

The House of Representatives passed the 21st Century Cures bill, which “contains a controversial provision calling for significant changes to the HIPAA Privacy Rule.” The House approved the bill by a 344 to 77 vote, the report states, noting, “Among the 309-page bill’s many provisions is a proposal that the Secretary of Health and Human Services ‘revise or clarify’ the HIPAA Privacy Rule’s provisions on the use and disclosure of protected health information (PHI) for research purposes.” Patient authorization would not be needed to use PHI for research “if only covered entities or business associates, as defined under HIPAA, are involved in exchanging and using the data,” the report states. [Gov Info Security]

US – Bill Calls for 30-Day Notification for “Sensitive” Data Breaches

Rep. David Cicilline (D-RI) introduced The Consumer Privacy Protection Act as a companion bill to a Senate bill from Sen. Patrick Leahy (D-VT). The bill, which would apply to companies with information about more than 10,000 customers, would require them to notify consumers within 30 days if hackers obtain “sensitive information” and implement security procedures to, in part, minimize the amount of sensitive information they collect. Chris Lewis of Public Knowledge said it creates “a strong federal standard of privacy protections” without preempting more stringent state laws, while the Direct Marketing Association supports a national data breach bill that would preempt state legislation. This week, 47 state AGs wrote to Congress urging it not to pass laws that would preempt state rights. [MediaPost]

US – Senate Intelligence Committee to Push Bill for Site Reporting

The Senate Intelligence Committee will file a bill mandating that if an “electronic communication service provider” has knowledge of terrorist activity on its site, it must report the activity to authorities. The bill has already catalyzed privacy and First Amendment concerns. “Considering the vast majority of people on these sites are not doing anything wrong, this type of monitoring would be considered by many to be an invasion of privacy. It would also be technically difficult,” said one industry official, who requested anonymity. Others disagree. “Ultimately this is a higher-tech version of ‘See something, say something.’ And in that sense, I believe that there is value,” said Leidos Executive Vice President, Michael Leiter. [The Washington Post]

US – Legislators Say It’s Time for Section 702 to Go

Critics of Section 702 of the 2008 FISA Amendments Act are urging Congress to revise it. The act makes data, “which can also include photos, texts and instant messages,” viewable sans-warrant by law enforcement “as long as it crosses the U.S. border electronically at some point,” the report continues. “It’s really troubling, and it’s a clear violation of the Fourth-Amendment prohibition against unreasonable searches and seizures,” said Rep. Thomas Massie (R-KY). The call for a revision has majority support in the House, but security officials disagree. “These queries can, among other things, enable analysts to identify terrorist plots,” countered National Intelligence Director James Clapper. [USA Today]

US – States Tighten Data Security Laws

Washington, Oregon, Wyoming, Illinois, and North Dakota have updated their data breach laws this year, and Alabama is on its way to becoming the 48th state to adopt such legislation in the wake of unprecedented data breaches in healthcare, finance, and retail. [Source] [2015 Data Breach Legislation Six Month Review: Many Proposals, Few Changes] Attorneys general from the 47 states that have data breach notification laws have sent Congressional leaders a letter urging them to not preempt states’ rights in investigating breaches.

US – Other Legislative News

Workplace Privacy

CA – Arbitration Decision Rules Employer Not Vicariously Liable for Employee’s Privacy Breach

A recent decision of the Ontario Grievance Settlement Board raises the interesting question of an employer’s vicarious liability for an employee’s privacy breach. Vicarious liability occurs when the law holds one person responsible for the misconduct of another because of their relationship. The most common relationship giving rise to vicarious liability is the employer and employee relationship. In Ontario Public Service Employees Union v. Ontario 2015 CanLii 19325 [ON GSB] one employee (“Employee X”) inappropriately accessed the employment insurance file of a co-worker (“Ms. M”) who was away from the workplace due to sickness. The inappropriate access took place during work hours and Employee X discussed Ms. M’s personal information with other employees. There was no work reason for Employee X to be accessing Ms. M’s EI file. The Employer had appropriate policies in place that prohibited the use of the Employer’s IT resources for unacceptable activities and was proactive when hiring new employees to instruct them in connection with their obligations to keep information private. Upon being made aware of the unauthorized accesses to Ms. M’s EI file the Union representing Ms. M filed a grievance. During the hearing of the grievance the Union put the Employer on notice that it would bring a motion before the Grievance Settlement Board to determine the effect of the tort of intrusion upon seclusion to the disposition of the grievance. After reviewing the law in relation to vicarious liability in the employment context and the evidence pertaining to the incident, including the Employer’s hiring practices and the Employer’s privacy policies, the Board concluded that the Employer was not vicariously liable for the actions of Employee X. The Board was of the view that the “wrongful act” of snooping in Ms. M’s EI file was not sufficiently related to conduct authorized by the Employer to attract vicarious liability. 
Employee X’s actions were viewed by the Board as being the actions of a rogue employee who, for her own purposes, accessed Ms. M’s EI file. It was not an action that could be seen to “further the employer’s aims”. The actions were done without the employer’s sanction or knowledge. The Board accepted the Employer’s evidence that it knew nothing of the intrusion until being told of it by a co-worker of Ms. M. Upon learning of the intrusion the Employer took immediate action to investigate and manage the issue. The evidence indicated that Employee X had received a significant suspension. The decision, although good news for the Employer, did not leave Ms. M without a remedy. Like the plaintiff in Jones v. Tsige, Ms. M would still be permitted to sue Employee X at common law for damages for the tort of intrusion upon seclusion as a result of her unauthorized snooping. [Cox and Palmer Law Publications]

+++

16-30 June 2015

Biometrics

US – Privacy Groups Walk Out of NTIA Facial Recognition Talks

Nearly two years into talks on developing a voluntary code of conduct for the commercial use of facial-recognition technology, several privacy advocacy groups have walked out in protest. “At a base minimum, people should be able to walk down a public street without fear that companies they’ve never heard of are tracking their every movement—and identifying them by name—using facial-recognition technology,” the groups wrote in a joint statement. “Unfortunately, we have been unable to obtain agreement even with that basic, specific premise.” The National Telecommunications and Information Administration’s Juliana Gruenwald said the agency was disappointed in the departure, but added it “will continue to facilitate meetings on this topic for those stakeholders who want to participate.” [The New York Times] [Facebook Unveils New Technology: Fortune examines Facebook’s new service called Moments, suggesting it expands the use of the social network’s “powerful ‘faceprint’ technology.”] [Source]

US – Company Must Pay $2.2 Million in Forced DNA Testing Case

A jury has ruled that Georgia-based Atlas Logistics must pay two employees a combined $2.2 million for forcing them to submit to a cheek swab to determine if their DNA was a match to feces being left throughout the warehouse facility. Atlas Logistics claimed the “genetic information” involved wasn’t covered by the Genetic Information Nondiscrimination Act, arguing the act excludes analysis of DNA, RNA, chromosomes and other matter if they don’t reveal an individual’s propensity for disease. But U.S. District Judge Amy Totenberg “refused to toss the case,” the report states, ruling the “plain meaning of the statute’s text” was satisfactory for the case to go forward. [Ars Technica]

US – Class-Action Filed Against Shutterfly

A Chicago man has filed a class-action lawsuit in an Illinois federal court claiming photo-service Shutterfly is violating a law that restricts how companies collect biometric data. Brian Norberg says he has never used Shutterfly, but someone else uploaded his photo to the site and tagged it with his name, leading to him being added to a database without his consent. The suit seeks $1,000 to $5,000 “for every Illinois resident” whose face was added to the Shutterfly database without permission. [Fortune]

US – Will Advanced Facial Recognition Quell Privacy Fears?

Fortune examines Facebook’s new service called Moments, suggesting it expands the use of the social network’s “powerful ‘faceprint’ technology.” The facial-recognition technology has 83% accuracy at identifying users. And it doesn’t need to see your face to identify you, which the company argues will assuage privacy concerns. Facebook’s Yann LeCun “imagines such a tool would be useful for the privacy-conscious—alerting someone whenever a photo of themselves, however obscured, pops up on the Internet,” the report states. Not everyone agrees. The Christian Science Monitor suggests that “once a face is converted to data points and made machine-readable, it ceases being a public-facing part of ourselves that we voluntarily expose to others. It becomes a resource that others control.” [New Scientist] [Think it’s cool Facebook can auto-tag you in pics? So does the government] [Technology is growing accustomed to our face]

UK – Police to Scan Concert Crowds with Facial Recognition

Police in a UK county are going to use facial recognition technology to surveil an upcoming concert. The Leicestershire Police, responding to a Freedom of Information request filed by reporters at The Register, said that surveillance cameras positioned at the Download Festival will scan faces of attendees and compare them to a local mugshot database. It’s a policing strategy that’s on the rise in the UK, but it has also been subject to some intense scrutiny. English and Welsh police have faced criticisms over their uploading of the mugshots of innocent people to a national database, and more recently Police Scotland has had to deal with some PR issues having been compelled to disclose its own such practices. But such systems are undeniably useful to police; earlier this year the head of Scotland Yard went so far as to call on British citizens to install their own CCTV security in their homes so that police could use facial recognition technology in the event of a burglary or other such incident. [Source] See also: [Churches are using facial recognition software to spy on members]

WW – Auto Company Considering Brain-Monitoring Tech

Jaguar hopes to utilize “brain-monitoring technology” to improve car safety. “These research projects are investigating how we could exploit this for the benefit of our customers and other road users,” said Jaguar’s Wolfgang Epple. The company views this step as a conduit between self-driving cars and the current state of affairs. “The car may have to hand off control to a driver at some point, and it’s critical to know if the driver is ready,” the report states, noting the company is also interested in “monitoring its drivers’ health” and is “testing a ‘medical-grade sensor’ that can be embedded in a seat and monitor heart rate and breathing through vibrations.” [The Verge]

Canada

CA – PIPEDA Changes Finally Pass

Parliament has finally amended the Personal Information Protection and Electronic Documents Act (“PIPEDA” or the “Act”). The Digital Privacy Act (the “DPA”), which amends PIPEDA, received royal assent on June 18, 2015. Significant changes to PIPEDA include:

  1. Breach Reporting

Under the DPA, organizations will be required to notify the Office of the Privacy Commissioner of Canada (the “OPC”) and affected individuals of a breach of security safeguards. Furthermore, organizations will be required to keep a record of all data breaches (whether or not they meet the harm threshold), and must report all breaches to the OPC upon request. Knowingly failing to report or record a breach will be an offence punishable by fines of up to C$100,000. The provisions of the DPA relating to privacy breaches have not yet come into force, but will become mandatory once the associated regulations have been enacted.

  2. Amendment to the definition of “personal information” and new provisions respecting “business contact information”

Previously “personal information” excluded certain information about an employee of an organization. Now “personal information” includes any information about an identifiable individual. However, a new definition of business contact information has been added to PIPEDA, and such information is excluded from the application of Part 1 of the Act.

  3. Changes to Consent

The DPA amends PIPEDA to explicitly state that consent is only valid if it is reasonable to expect that the individual would understand the nature, purposes and consequences of the collection, use or disclosure of his/her personal information. In addition, new exceptions to PIPEDA consent requirements have been introduced, which apply to:

  • PI in witness statements related to insurance claims.
  • PI produced by an individual in the course of his/her employment, business or profession.
  • Disclosure for the purposes of communicating with the next of kin or authorized representative of an injured, ill or deceased individual.

  4. Changes affecting employee privacy

The DPA introduces exceptions to the consent requirements in PIPEDA where collection, use or disclosure of personal information is necessary to establish, manage or terminate an employment relationship. However, notice must still be provided to the individual. PIPEDA has also been amended to clarify that it applies to job applicants. However, it is important to remember that PIPEDA only applies to employees and applicants of federally-regulated employers.

  5. Business Transactions

The DPA introduces exceptions to the consent requirements in PIPEDA in the context of business transactions (broadly defined), provided that certain conditions are met.

  6. Compliance Agreements

The DPA amends PIPEDA to explicitly allow the OPC to enter into compliance agreements with organizations. Such agreements may contain any terms that the OPC considers necessary to ensure compliance with Part 1 of the Act. [Source]

CA – The Digital Privacy Act: What You Need To Know Now

Parliament has passed the Digital Privacy Act, or Bill S-4. “The act received Royal Assent on June 18, with some amendments to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) going into force immediately,” Timothy Banks writes, adding, “These are the first major amendments to PIPEDA since it was enacted 15 years ago.” And while the mandate requiring breach reporting to the Office of the Privacy Commissioner is not yet in effect, Banks notes, “there are still a number of amendments that are important for organizations to consider now” and provides a “cheat-sheet” of key amendments. [Privacy Tracker]

CA – Canada’s Mandatory Breach Notification and More

The Digital Privacy Act, or Bill S-4, makes a number of important amendments to the Personal Information Protection and Electronic Documents Act, most of which are now in force. In this web conference, hear from Fasken Martineau DuMoulin Partner Alex Cameron, who has written on the changes to the law, and from Peggy Byrne, managing counsel and privacy for CIBC Legal Department, about the key changes and their potential impacts for all organizations handling personal information about Canadians. Topics to be covered during the July 23 web conference include mandatory breach notification, mandatory record-keeping, new consent and disclosure requirements and penalties, enforcement and reputational considerations. [Full Story] [Toronto Star’s View: Lift veil of secrecy on detainee deaths in Border Services custody]

CA – Spies Wanted Mere Tweaks, Government Launched Privacy Overhaul

The Conservative government alarmed privacy advocates by overhauling the law to give Canada’s spy agency easier access to federal data, even though the spies themselves said greater information-sharing could be done under existing laws, newly released documents show. In a presentation to federal deputy ministers last year, the Canadian Security Intelligence Service said “significant improvements” to the sharing of national-security information were possible within the “existing legislative framework.” Earlier this year the government introduced an omnibus security bill that included the Security of Canada Information Sharing Act, intended to remove legal barriers that prevented or delayed the exchange of relevant files. The legislation, which recently received royal assent, permits the sharing of information about activity that undermines the security of Canada, something law professors Craig Forcese and Kent Roach called “a new and astonishingly broad concept.” Privacy commissioner Daniel Therrien denounced the scope as “clearly excessive,” saying it could make available all federally held information about someone of interest to as many as 17 government departments and agencies with responsibilities for national security. The government still hasn’t made a case for dismantling barriers to information-sharing, said Carmen Cheung, senior counsel at the B.C. Civil Liberties Association. [Source] [Canada: How the budget bill quietly reshapes privacy law: Geist] [CA – Human Rights Tribunal finds Ottawa retaliated against First Nations Child Rights Worker]

CA – Snowden Leaks Hurt Canada, Spy Agency CSE Says

Canada’s electronic spy agency says leaks by former U.S. intelligence contractor Edward Snowden have “diminished the advantage” it enjoyed over terrorists and other targets, both in the short term and — of more concern — well into the future. In newly released briefing notes, the Communications Security Establishment says Snowden’s disclosures about CSE’s intelligence capabilities and those of its allies “have a cumulative detrimental effect” on its operations. The CSE spokesman declined to provide specific examples of damage to back the assertion that the leaks are undermining Canada’s attempts to fight terrorism, but said the continuing publication of sensitive material was “rendering techniques and methods less effective.” [Source] [CA – The False Choice Between Security And Privacy] See also: [Schneier: China and Russia Almost Definitely Have the Snowden Docs]

CA – Ontario: Controversial Court Security Act Proclaimed Into Law

A new provincial law intended to increase security at courthouses and other facilities gives police overly broad powers and may even be unconstitutional, according to some Ontario lawyers. The government, however, is continuing to stand by the new law, insisting it doesn’t in fact provide police with any new powers at all. The act’s most troubling feature, according to lawyers, is the fact it gives police the power to search the vehicles of people entering court premises without a warrant. Other lawyers express similar concerns. “They’ll get shot down by the Supreme Court on this,” says criminal defence lawyer Roots Gadhia. But Anthony Moustacalis, president of the Criminal Lawyers’ Association, says the act’s predecessor, the Public Works Protection Act, included a power to search the vehicle of a person entering any public work or building without a warrant. In a sense, then, the new act simply narrows that power, he suggests. [Law Times] [CA – Sensitive info used for ‘troubling’ targeted ads, watchdog warns]

SK – Non-Responses Concern Privacy Commissioner

After one year on the job, Saskatchewan’s privacy commissioner, Ron Kruzeniski, has proposed 35 amendments to significantly update more than two decades of provincial privacy and access to information legislation. The amendments are contained in the Office of the Saskatchewan Information and Privacy Commissioner’s (OIPC) annual report (It’s Time to Update) released this week. Kruzeniski also highlighted several concerns from the past year – including that public bodies did not respond to 25% of reports sent out with recommendations. In terms of the proposed amendments to the Freedom of Information and Protection of Privacy Act (FOIP) and the Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), Kruzeniski identified three that stood out from the rest – mandatory reporting of privacy breaches, the duty to protect private information collected and including municipal police in the legislation. Kruzeniski noted that Saskatchewan is one of only two provinces (the other is P.E.I.) that don’t include municipal police forces in privacy and access to information legislation. The RCMP is included in federal privacy legislation. Other proposed amendments in the report include reducing a government institution’s allowed response time to 20 days from 30 days and including consultants, advisers and information technology specialists in privacy legislation to protect personal information they collect. [Source]

CA – Class-Action Lawsuit Against Facebook Stopped by B.C. Court

BC’s top court has stopped a class-action lawsuit filed by a Vancouver woman against Facebook Inc. over a now-defunct advertising product. Deborah Douez alleged the product known as Sponsored Stories used the names and images of Facebook members without their consent, breaching Section 4 of B.C.’s Privacy Act. But her case pitted the law, requiring lawsuits filed under the Privacy Act to be heard in B.C. Supreme Court, against a clause in Facebook’s Terms of Use, requiring legal complaints against the company to be filed in Santa Clara County, Calif. A lower court judge sided with Douez in May 2014, ruling the Privacy Act overrode Facebook’s Terms of Use and certified the class-action lawsuit. However in a unanimous decision posted online, the B.C. Court of Appeal agreed with Facebook, ruling the judge made a mistake in interpreting the law and staying the class-action proceedings. [Source]

CA – Facebook Evidence Access Delaying Nova Scotia Court Cases

Facebook is all about instantly sharing your experiences, but one lawyer says the company isn’t as quick to share evidence for court cases. Legal aid lawyer Megan Longley says many of her cases involve comments or messages made on social media, but recovering that information from Facebook can be difficult. “The only way to access that would be through Facebook headquarters in California, which involves a court order at the national level in Canada that then gets sent to the States for disclosure orders,” says Longley, the managing lawyer of Nova Scotia Legal Aid’s youth justice office. That can take months, even up to a year, she says. [Source] [Winnipeg police accidentally broadcast lewd conversation from helicopter] [Camera with photos of 12 dead forgotten by B.C. coroner at bus stop: documents] [Beware Of Mortgage or Title Fraud] [How to Fraud-proof Your Home] [CRA Phone Scam Uses Fear of Tax Man to Swindle ‘Not So Smart’ Canadians]

CA – Canada’s Privacy Commissioner Not Satisfied with How Targeted Ads Work

Online Behavioural Advertising (OBA) involves tracking consumers’ online activities, across sites and over time, in order to deliver advertisements targeted to the consumers’ apparent interests. In 2011, the Office of the Privacy Commissioner of Canada (OPC) issued guidelines to help the various organizations involved in OBA ensure that their practices are fair, transparent, and in accordance with PIPEDA. In a new report, the commissioner highlights the key principle:

  • Any collection or use of an individual’s web browsing activity must be done with that person’s knowledge and consent. Therefore, if an individual is not able to decline the tracking and targeting using an opt-out mechanism because there is no viable possibility for them to exert control over the technology used, or if doing so renders a service unusable, then organizations should not be employing that type of technology for online behavioural advertising purposes.

And the issue:

  • Previous observations of major websites and the ads they contain suggested that, while ads are often tailored based on past web activities, there may be little notice of OBA practices and no easy ability to opt out.

“Using simple testing methods, we were able to see that OBA is being used on just over half of the websites used for the research,” Canada’s privacy watchdog concluded in its report. “We observed multiple examples where ads were targeted based on prior online activities that were related to sensitive topics without opt-in consent. We found that the procedures for opting out of OBA were often unsatisfactory.” [Source] [Genetic testing company’s use of child’s image outrages mother Christine Hoos]

CA – Advertisers React to OPC Online Behavioural Advertising Study

More than one in 10 behavior-based ads related to personal topics like divorce, bankruptcy, and pregnancy failed to comply with federal privacy guidelines, a new study shows. According to guidelines from the Office of the Privacy Commissioner of Canada (OPC), targeted digital ads involving sensitive personal information should require consumers to opt in if they want to receive such advertising. Yet 34 of the 300 targeted ads tracked in an OPC study required users to opt out, even though they dealt with that type of information. Overwhelmingly, however, the study shows Canadian advertisers are jumping onboard a new program to give consumers more information and control regarding behavior-based ads. Although almost all of the targeted ads studied by the OPC featured Ad Choices icons, the OPC report concludes that “using the Ad Choices icon (is) often difficult.” Sometimes the icons were hard to see, placed very far away from ads, led to a foreign Ad Choices site or required several steps to opt out of behavior-based ads. In April, Bell Canada responded to criticism from OPC by announcing plans to replace its behavior-based ad program – which automatically tracked customers’ mobile browsing habits – with an opt-in version instead. Also in April, research by the Canadian Marketing Association found that 33% of Canadians are comfortable with OBA if the advertiser is transparent about it and gives them a chance to opt out (scroll to the bottom of this article for an infographic with this research). That rises to 41% for consumers aged 18 to 24 and hits 42% for all ages if the consumer understands how the Ad Choices icon works. [Source]

CA – Canadian Government Websites Under Cyber Attack: Clement

The federal government says its websites were under a cyber attack this week, which affected email and Internet access. Treasury Board of Canada president Tony Clement tweeted that the websites were affected by a denial of service attack, designed to make a computer or network incapable of providing normal services to its users. He didn’t say who was responsible for taking sites, including justice.gc.ca, csis.gc.ca, Canada.ca and news.gc.ca, offline shortly after 12 p.m. Nor did he say how long the outage would last. Service for those four sites was restored later Wednesday afternoon. But sporadic outages continued. [Source]

CA – Ontario to Regulate Controversial Police Stops, Known as Carding

Ontario will regulate but not ban police street checks, a controversial tactic known in Toronto as carding and a practice critics say amounts to racial profiling. It’s not acceptable for police to stop and question a member of a racialized community for no reason then to record that person’s information in a database, Community Safety Minister Yasir Naqvi said. But when asked why he wouldn’t eliminate police street checks altogether, Naqvi said it’s important both for police to be able to engage with the communities and that they’re able to investigate any suspicious activity. [Source]

CA – Elections Canada Warns Voters About New ID Requirements For 2015 Election

Elections Canada is urging all voters who may be missing appropriate identification to get their paperwork done in the few months remaining before the country goes to the polls. The list of acceptable forms of identification voters can use when they cast their ballots this Oct. 19, however, is quite long. The controversial Fair Elections Act the Conservative government introduced last year did away with the practice of vouching, which allowed someone with required identification to vouch for someone who did not at a polling station on the day of the vote. The legislation also removed the ability to use a voter identification card as a way to prove where one lives. [Source]

CA – Watchdog Alleges Conservatives Pressed for Speedy Gun Registry Deletion

Bureaucrats felt pressured to speed the destruction of the long-gun registry from the senior ranks of the Conservative government, the public service, and the national police force, Canada’s information watchdog alleges in new court documents. The allegations, the result of a lengthy investigation by Information Commissioner Suzanne Legault, are expected to form part of the basis for a court challenge alleging the deletion of the data violated Canadians’ charter rights. The sworn affidavit suggests public servants were ordered to speed up the deletion of the long-gun data, including backups, after Legault’s office told the Conservative government that copies must be kept for an outstanding access to information request and investigation. [Source]

CA – Changes to Ontario’s Health Privacy Laws Deserve Wide Support: Editorial

Time to chalk up a significant victory for the privacy of patients in Ontario. Health Minister Eric Hoskins has done the right thing by bringing in sweeping legal changes that will allow authorities to prosecute snoopers more easily and require hospitals to declare breaches of patient privacy. These reforms, announced this week, come after months of reporting by the Star’s Olivia Carville that showed gaping holes in the rules intended to keep patients’ health information confidential. Most strikingly, Ontario’s Personal Health Information Protection Act (PHIPA) has resulted in exactly zero successful prosecutions after more than a decade in force — even though the provincial privacy commissioner receives reports of hundreds of health-related privacy violations every year. Now the government plans to overhaul the law to get rid of some of the biggest obstacles to enforcement. It will do away with the six-month deadline to lay charges under the act, making it easier for investigators to gather sufficient evidence for a successful prosecution. And the maximum fine for those violating patients’ privacy will be doubled from $50,000 to $100,000. In addition, Ontario’s hospitals will be required to report all breaches of patient privacy to regulatory colleges and the privacy commissioner. Until now, hospitals were allowed to handle violations internally, making it impossible to track the size of the problem across the province or fix breakdowns in the system. [Source]

CA – Privacy Watchdog Raises Awareness of Court Decisions Indexed Online

Canada’s privacy watchdog says it was the power of persuasion that helped get results for more than two dozen Canadians who had details of their legal troubles posted on a Romanian website. Daniel Therrien, the federal Privacy Commissioner, wrote in his annual report to Parliament last week that the Office of the Privacy Commissioner (OPC) received 27 complaints in 2014 about the website, which republishes court decisions from several jurisdictions with a large focus on Canada. Mr. Therrien said an absolute ban on indexing court rulings “would get into territory similar to conversations in Europe about the ‘right to be forgotten,’ which puts into play the need to ensure as much privacy as possible.” He said the OPC is studying the “right to be forgotten” in the Canadian context and plans to release a discussion paper on the topic within the year. [Source]

CA – Ontario Allows Real Estate Documents to Be Signed Electronically

Ontario is making the process of buying or selling a home easier by allowing real estate documents to be signed electronically. Effective July 1, 2015, changes to the Electronic Commerce Act will make electronic signatures legally equivalent to signatures on paper documents for real estate transactions. Under current rules, when a home or property is sold, dozens of hard copy documents such as offers and agreements of sale, must be signed by hand. Allowing these transactions to be signed electronically will also make it easier to send documents electronically and save time for anyone buying or selling property, especially when the two parties are separated by distance. [Source]

Consumer

US – Privacy Tops Consumer Concerns About Tech Innovation

According to Edelman’s Earned Brand survey, privacy tops the list of reasons consumers across the globe—and specifically in Germany, the U.S. and Australia—have misgivings about innovation. Concerns regarding the environment and personal security are next on the list, the report states. “Marketers are missing out on a simple truth: Acceptance of innovation cannot be bought; it must be earned,” said Edelman President and CEO Richard Edelman. “As marketers, we need to evolve our playbook if we want to succeed. We have to address consumers’ fears before we have the permission to sell. Marketing, at the moment, is making it worse.” [Full Story]

US – Report Suggests Young People May Abandon Social Media If Privacy Breaches Continue

With all of the revelations of data snooping and privacy violations at the hands of government agencies and clandestine hacker groups, a new report suggests young people are having buyer’s remorse regarding the number of social media accounts they’ve poured their life details into. In a report released this week (oddly) by USA Network, survey data shows that 55% of young people would eschew social media entirely “if they could start fresh.” Additionally, if major breaches of their privacy were to continue, 75% of young people said they were at least “somewhat likely” to deactivate their personal social media accounts, with 23% saying they were “highly likely” to do so. Young Americans’ sense of privacy online has been so violated that most of them believe it’s safer to store their personal data in a box than in the cloud. Indeed, the survey found that physical filing systems were listed as the “most trusted” personal data storage method for young people. [Source]

US – Survey: Product Execs Out of Touch with Consumer Expectations

Many consumer product (CP) industry executives may be out of touch with consumers’ opinions on the importance of data security and privacy. That’s according to an online survey by Deloitte of 2,001 U.S. consumers and 70 CP industry executives, in which 80% of consumer respondents said they’re more likely to purchase from CP companies they believe protect their personal information, and 72% said they avoid purchasing from companies they believe take insufficient measures to protect it. “Many consumer product companies do not seem positioned to gain consumer trust based on their current data privacy and security strategies, policies and systems,” the report states. [CFO Journal]

US – 84% of Americans Want Immediate Breach Notification

A new poll released by the Zix Corporation reveals that 84% of Americans want to be notified immediately after their personal information is breached. The poll surveyed 500 individuals between the ages of 18 to 75 to assess their views and knowledge of data breaches and whether they would change their shopping habits as a result. Ninety-two percent of those surveyed said companies should be required to notify their entire customer base no matter the size of the breach. “As the survey confirms, acknowledgement and opening a clear and honest line of communication can go a long way in rebuilding consumer trust,” said ZixCorp CEO Rick Spurr. [Full Story]

US – Privacy and Young Adults: A Complicated Relationship

A USA Network survey that found 55% of young adults would “eschew social media entirely if they could ‘start fresh’” illustrates what some see as the inconsistency between what young adults say they feel about social media privacy and how they act online. While the survey indicates young adults trust filing cabinets more than the cloud and 75% of respondents were “‘somewhat likely’ to deactivate their personal social media accounts” if breaches continue, the report also cites a Pew Research study that found young adults were “more willing than older Americans to let companies use their personal data for commercial purposes, in exchange for the social-networking functions they value.” [Tech Crunch]

E-Government

UK – Verify Programme Contains “Severe Privacy and Security Problems”

The UK government has been forced to deny allegations that its identity assurance service, Gov.uk Verify, is littered with security problems and could be used to spy on citizens. According to a research paper titled Toward Mending Two Nation-Scale Brokered Identification Systems, the service has “severe privacy and security problems” and a major flaw within its architecture that could be used to undertake mass surveillance. The main problem lies with the hub that acts as a go-between for government departments, identity providers and citizens. Verify was created by the Government Digital Service as a way for the public to prove who they are when needing to access government services online. The uptake of the service has been slow. The authors of the report claimed that Verify suffers “from serious privacy and security shortcomings, fail[s] to comply with privacy-preserving guidelines they are meant to follow, and may actually degrade user privacy.” “Notably, the hub can link interactions of the same user across different service providers and has visibility over private identifiable information of citizens. In case of malicious compromise it is also able to undetectably impersonate users,” the report said. But the government has hit back at the allegations and denied that Verify could be used in mass surveillance. “Gov.uk Verify does not allow for mass surveillance. It does not have any other connection with or ability to monitor people or their data,” it said in a blog post. The researchers recommended that “a formal framework for brokered authentication be devised,” one that would “integrate all the security, privacy and auditability properties at stake, while considering an adversarial model in which any party, including the hub, may be compromised and/or collude with other parties.” [Source]

Farmers Want EPA Suit Revived

Following a federal district court’s dismissal of a case filed against the Environmental Protection Agency (EPA) upholding the validity of the EPA’s public release of personal information about farmers and their families, the American Farm Bureau Federation (AFBF) and the National Pork Producers Council filed a brief with the U.S. Court of Appeals for the Eighth Circuit calling the release unlawful. The groups have asked the Court of Appeals to reverse the district court’s decision. The case involves the EPA’s release of a database—including home addresses, GPS coordinates and email addresses—of tens of thousands of farmers and their families in 2013. [The National Law Review]

E-Mail

CA – Report Suggests Law Goes Beyond What CSIS Wanted

Information found in a “heavily censored” copy of a 2014 presentation and memo to the Canadian Security Intelligence Service (CSIS) indicates that CSIS believed “significant improvements” to information-sharing could occur within the “existing legislative framework.” However, legislation that “recently received Royal Assent permits the sharing of information about activity that undermines the security of Canada,” the report states, noting Privacy Commissioner Daniel Therrien is among those who have raised concerns. Therrien “denounced the scope as ‘clearly excessive,’ saying it could make available all federally held information about someone of interest to as many as 17 government departments and agencies with responsibilities for national security,” the report states. [The Canadian Press]

CA – PEI Gets New Privacy Commissioner—Kind Of

Prince Edward Island (PEI) is getting a new privacy commissioner. Karen Rose has been chosen by the legislative management to be appointed PEI information and privacy commissioner, the report states. She was actually the province’s first privacy commissioner in 2002, but she left the post in 2005 citing personal reasons. Rose will replace Maria MacDonald, whose five-year term has expired. “The commissioner will accept appeals … from applicants or third parties who are not satisfied with the response they receive from a public body as a result of an access to information request made under the Freedom of Information and Protection of Privacy Act,” the government site for the commissioner states. [The Guardian]

CA – Supreme Court Rules in Favor of Facebook

A Supreme Court judge has upheld a BC Court of Appeal ruling in favor of Facebook in a 2014 case alleging it used member information “to endorse certain products without their consent.” While the initial suit claimed that Facebook’s actions violated Section 4 of BC’s Privacy Act, the BC Court of Appeal ruled unanimously that the judge’s 2014 interpretation of the law was erroneous. “Section 4 is a rule of subject matter competence that, like all BC law, applies only in BC. California courts determine for themselves, using California law, whether they have territorial competence over any given proceeding,” said Chief Justice Robert James Bauman. “We are pleased with the court’s ruling that our terms are fair and apply to all users,” Facebook said. [Digital Journal]

CA – Saskatchewan Commissioner’s Annual Report Includes Concern About “Non-Responses”

A report released Monday indicates Saskatchewan Privacy Commissioner Ron Kruzeniski’s 35 amendments for provincial privacy laws, including “mandatory reporting of privacy breaches, the duty to protect private information collected and including municipal police in the legislation,” have been met with 25% unresponsiveness from public bodies. “Kruzeniski said the non-responses could involve a misunderstanding or confusion over changes in his office’s procedures,” the report states, noting the office “is prepared to allow another year to clarify its expectations,” but if the non-responsiveness number doesn’t decrease, the commissioner “would be concerned that a ‘blatant disregard’ of the legislation was occurring.” Meanwhile, CBC News discusses other areas of Kruzeniski’s report, including why he feels provincial privacy law is “outdated.” [The Star Phoenix]

CA – Alberta’s PIPA Review to Begin

The Alberta government has initiated its review of the province’s Personal Information Protection Act (PIPA). The review will be conducted by the Standing Committee on Families and Communities, the report states, noting the law is slated for automatic review beginning on July 1 and then every six years. PIPA “will go to a legislative committee this fall, they’ll make recommendations that come back to the ministry,” Service Alberta Minister Deron Bilous said. “It’s a way to keep the (law) current and relevant and to ensure that we’re protecting Albertans’ privacy.” Alberta’s Freedom of Information and Protection of Privacy Act has been under review since 2012, the report states. [Edmonton Journal]

Electronic Records

US – Fitbit Tracking Data Comes Up in Another Court Case

When you wear a Fitbit or any other fitness tracker or smartwatch, you not only monitor your physical activities, you also collect data about yourself — data that can apparently be used against you in investigations. In Lancaster, Pennsylvania, police responded to a 911 call by a woman who claimed she was raped by a home invader. The woman told the police she woke up around midnight with the stranger on top of her, and that she lost her tracker while struggling against her assailant. However, authorities found her Fitbit, which recorded her as active, awake and walking around all night. Combined with the evidence that was missing (tracks outside in the snow from boots she said the attacker was wearing, or any sign of them inside), an investigation led to her facing misdemeanor charges. [Source]

WW – Insurer Monitoring Your Heart Rate? Allstate’s Patent Makes It Possible

Northbrook-based Allstate, which last month floated the idea of one day selling the information it collects from policyholders’ connected cars, was issued a patent earlier this month for a driving-behavior database that it said might be useful for health insurers, lenders, credit-rating agencies, marketers and potential employers. Allstate’s patent also said the invention has the potential to evaluate drivers’ physiological data, including heart rate, blood pressure and electrocardiogram signals, which could be recorded from steering wheel sensors. Allstate’s patent acknowledged that use of the data might be subject to terms of agreement with the operator of the vehicle. [Source]

WW – Here’s What You Get With BBM’s $1 Privacy Subscription

BlackBerry has also updated the BBM messaging app and has started to roll out the feature to users of Android, BlackBerry 10 and iOS. The most notable change brought by the update is the new Privacy and Control subscription, which replaces the previous Timed and Retracted Messages subscription. Privacy and Control, as the name implies, is designed to give users more control over the messages they share through BBM. It promises added security for the parties in a conversation, who no longer have to worry whether their messages have been captured by screenshot or shared with the wrong people. In the new feature, messages are sent with no names and no profile pictures. The chat also ends automatically after a short period of time. This way, user identities are kept private, since no one would know who said what except those actually involved in the conversation. The Private Chat feature will be bundled with the newly rolled out Privacy and Control subscription. For $0.99 a month, users get Private Chat, Timed messages and pictures, Retract messages and pictures, and Edit Message. The latter is also a newly added feature, allowing users to retract a message, change its content and send it again. [Source] See also: [BlackBerry/Cisco partnership to push healthcare towards digital age]

Encryption

WW – More Sites Go All-HTTPS

Reddit has announced that starting June 29, it will refuse plaintext HTTP traffic. Last September, reddit allowed HTTPS connections for users who turned the feature on or used something like HTTPS Everywhere, the report states. Reddit is the latest to make the switch; it joins such sites as Wikipedia, which made the announcement less than a week ago, and Netflix. In addition, the White House Office of Management and Budget issued the “HTTPS-Only Standard directive,” which requires all publicly accessible federal websites and web services to use only HTTPS. “We genuinely value the privacy of the people who trust reddit as a platform for open communication,” reddit’s Heather Wilson said. [Ars Technica]
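A site that "refuses plaintext HTTP" and follows the HTTPS-Only Standard should redirect every http:// request to https:// on the same host and send a Strict-Transport-Security header on the HTTPS response. The following is an added example (not code from Reddit, Wikipedia or OMB) that evaluates a pair of captured responses against those two properties; the one-year HSTS threshold and the `Response` shape are assumptions for the example.

```python
"""Offline checker for HTTPS-only posture (added example, constructed inputs)."""
from dataclasses import dataclass, field
from urllib.parse import urlparse

HSTS_MIN_AGE = 31536000  # one year in seconds; assumed threshold for this example


@dataclass
class Response:
    """Minimal stand-in for an HTTP response: status code plus headers."""
    status: int
    headers: dict = field(default_factory=dict)


def _header(resp, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in resp.headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_hsts(value):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security value.

    max_age is None when the directive is missing or malformed.
    """
    max_age, include_sub = None, False
    for directive in value.split(";"):
        d = directive.strip()
        if d.lower().startswith("max-age="):
            try:
                max_age = int(d.split("=", 1)[1].strip().strip('"'))
            except ValueError:
                return None, False
        elif d.lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def https_only_findings(host, http_resp, https_resp):
    """List the ways a site falls short of HTTPS-only; empty list means compliant.

    http_resp  is the answer to a plaintext http://host/ request.
    https_resp is the answer to the https://host/ request.
    """
    findings = []
    # Plaintext HTTP must not serve content; it must redirect to https:// on the same host.
    if http_resp.status in (301, 302, 307, 308):
        target = urlparse(_header(http_resp, "Location") or "")
        if target.scheme != "https":
            findings.append("http redirect does not go to https://")
        elif target.hostname != host:
            findings.append("http redirect leaves the host")
    elif http_resp.status == 200:
        findings.append("plaintext HTTP serves content instead of redirecting")
    else:
        findings.append(f"unexpected status {http_resp.status} on plaintext HTTP")
    # The HTTPS response must pin clients to HTTPS for future visits via HSTS.
    hsts = _header(https_resp, "Strict-Transport-Security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header on HTTPS response")
    else:
        max_age, _ = parse_hsts(hsts)
        if max_age is None:
            findings.append("HSTS header has no valid max-age")
        elif max_age < HSTS_MIN_AGE:
            findings.append(f"HSTS max-age {max_age} is below {HSTS_MIN_AGE}")
    return findings


# Constructed sample responses, not captured from any real site.
GOOD_HTTP = Response(301, {"Location": "https://example.test/"})
GOOD_HTTPS = Response(200, {"strict-transport-security": "max-age=31536000; includeSubDomains"})
WEAK_HTTP = Response(200, {"Content-Type": "text/html"})          # still serves plaintext
WEAK_HTTPS = Response(200, {"Strict-Transport-Security": "max-age=60"})  # HSTS too short

if __name__ == "__main__":
    print("good:", https_only_findings("example.test", GOOD_HTTP, GOOD_HTTPS))
    print("weak:", https_only_findings("example.test", WEAK_HTTP, WEAK_HTTPS))
```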

US – Free Digital Certificate Project

The Let’s Encrypt Project wants to increase the use of encryption on websites by offering free digital certificates. A corporation backed by technology companies, including Mozilla, Akamai, Cisco, and the Electronic Frontier Foundation (EFF), runs the project. Let’s Encrypt expects to release the first certificates in July. [ComputerWorld] [Encryption Would Not Have Protected Secret Federal Data Says DH]

EU Developments

EU – Belgium Takes Facebook to Court Over Privacy Breaches and User Tracking

The Belgian privacy commission is taking Facebook to court for its alleged “trampling” over Belgian and European privacy law. The lawsuit will be heard in a Brussels court after a report and an opinion published by the Belgian privacy watchdog that detailed Facebook’s alleged breaches of European privacy law, including the tracking of non-users and logged-out users for advertising purposes. Facebook treats its users’ private lives without respect and that needs tackling, according to Willem Debeuckelaere, president of the Belgian privacy commission, who said at the time of the report that it was “make or break time”. The privacy commission has no power to fine Facebook, but threatened legal action backed by the Belgian prosecution service should the US-owned social network fail to address the report’s concerns. That threat has now been carried out. The European commission recently warned that EU citizens should close their Facebook accounts if they want to keep their information private from US security services, after finding that current Safe Harbour legislation does not protect citizens’ data. Facebook was also recently ordered by a Vienna court to respond to a class action data privacy lawsuit filed against it in Austria by privacy activist and lawyer Max Schrems, which is seeking damages of €500 (£397) per plaintiff for alleged data protection violations. [Source] [EU – Isabelle Falque-Pierrotin: Privacy Needs to Be the Default, Not an Option] [The digital revolution is coming for us, but is it friend or foe?]

EU – Thank Latvia: Council Gets Past Objections for GDPR Approach

After three and a half years of intense negotiations, EU ministers finally agreed to a general approach on their version of the proposed General Data Protection Regulation at a meeting of the Justice and Home Affairs Council in Luxembourg. John Bowman, former DAPIX negotiator for the UK, outlines the objections the Council had to overcome and what are likely to be the main sticking points as the privacy legislation everyone’s following now moves to the trilogue stage. [Privacy Perspectives]

WW – “Revenge Porn” Searches Axed

Google’s move to delist “revenge porn” from its search engines is a healthy step forward for the right to be forgotten. “Google has shown that the world won’t be knocked off its axis if the company goes beyond protecting financially relevant information … and takes aggressive steps to remove links to socially relevant information that can harm autonomy, reputation and emotional well-being,” the report continues. Governments and corporations share a duty to “invest in data protection rights,” the report states, noting those rights “will evolve through information-specific categories” and it’s less about being totally forgotten but rather made “obscure” online. [The Guardian]

US – Dixon: “We Will Be the Lead” Regulator of U.S. Tech Firms

Irish Data Protection Commissioner Helen Dixon has commented on the role her office will play in regulating U.S. technology companies. “Ireland will be the leading regulator when dealing with U.S. tech companies,” she said. “We want to work actively with other regulators. But we will be the lead.” Dixon’s strong comments came the same day Ireland’s Office of the Data Protection Commission (DPC) released its annual report detailing its activities in 2014. The DPC is expected to audit Adobe, Yahoo and Apple this year, the report states. “We are responsible for millions of users,” Dixon said. “The companies accept pushback from us. They want to be compliant.” [The New York Times]

EU – EU Data Privacy Reform Moves Toward End Game

Ministers from the EU agreed to begin negotiations with the European Parliament over a comprehensive update to the union’s data privacy rules. The new regulations would give Europeans more rights in controlling what happens with their personal data, and give firms handling that data more responsibility for protecting it. After agreeing on a compromise common position on the draft, member states gave the Latvian Presidency of the Council of the EU the mandate to commence so-called trilogue negotiations. As it is a regulation rather than a directive, member states would have less flexibility in how they apply the new law nationally, meaning a higher level of harmonization across countries. The regulation would force companies processing personal data to prove that the data subjects have given their explicit consent. Multinationals would need to appoint independent data protection officers to ensure compliance. The potential fines for data protection violations could be as high as 2 percent of annual worldwide turnover. Depending on the company in question, this would be much higher than the fines that are currently levied. One of the most controversial aspects of the new regulation is that of liability for breaches. Under the current system, if a bank using a cloud provider to handle its customers’ data were to suffer a breach, the customer would only be able to sue the bank. Under the GDPR, the customer would be able to sue both the bank and the cloud provider. Another contentious issue that will surface during the trilogue discussions is the right of citizens to have their data erased. The UK is concerned that this may clash with the right to free expression. [Source]

EU – First Trilogue Meeting Begins

The three major institutions charged with creating the next generation of EU data protection law started discussions in the first of a series of trilogue meetings to finalize the proposed General Data Protection Regulation (GDPR). Several EU countries are concerned about the GDPR, including Cyprus, Italy, Belgium and Poland. Austria said it will not support a law that lowers data protection from existing standards. Leaders from the European Commission and European Parliament as well as negotiators from member states shared their thoughts during a press conference this morning, and the Alliance of Liberals and Democrats in the European Parliament shared its conditions for the EU data protection reform. [The Register]

EU – Numbers Indicate Google Tops EC Lobbying Efforts

According to figures published by Transparency International, Google and its lobbyists have had more meetings with European Commission officials than any other single company. Google lobbyists have had 32 meetings between December and June, the report states, topped only by BusinessEurope, which has 67 member companies spanning industries and including Microsoft, Facebook, IBM, Oracle and Samsung Electronics. The data shows more than three-quarters of lobbyists in that timespan were corporate; 18% were NGOs, and two percent were local authorities. The analysis “shows more clearly which companies have the greatest opportunity to influence decision-making,” the report states. [CIO Online]

EU – WP29’s Falque-Pierrotin on Key Digital Privacy, Security Issues

Isabelle Falque-Pierrotin of the Article 29 Working Party and the CNIL talks about delisting, the CNIL’s case against Google and making privacy the default. Asked what the most important digital privacy and security issue is, Falque-Pierrotin first lists “making security issues represented as really important and as a priority for all of the stakeholders. I’m not sure that’s the case right now.” And, she continues, it is important to “convince people that data protection is not against innovation and growth; on the contrary, data protection contributes to confidence. It is a key factor in the digital environment.” [Wired]

EU – New French Law Draws U.S. Comparisons

The French government’s plan to augment its anti-terror surveillance is being compared to the USA PATRIOT Act. “France’s ruling socialist government rushed through the bill earlier this year, shortly after the Islamist militant attacks in Paris in which 17 people were killed over three days,” the report states. While the law won’t be finalized until it is proven constitutional, it passed “by a simple show of hands from deputies in France’s National Assembly,” forgoing “the need for judicial warrants to use an array of spying devices including cameras, phone taps and hidden microphones,” the report continues. Earlier this week, however, the French government called revelations of eavesdropping by the U.S. government on the private conversations of senior French leaders “unacceptable.” [DW]

EU — A Look at France’s Digital Ambition Report

The French National Digital Council has released a report containing 70 proposals for the future of the digital economy in France and Europe. “The report follows a nationwide consultation of the major stakeholders, which has also sparked a debate on various issues relating to the digital economy such as how to regulate digital platforms and how to boost the competitiveness of French start-up companies,” writes Olivier Proust, who analyzes the report’s key proposals. He notes the French government also plans to “introduce a ‘Digital Bill’ before the French National Assembly in the fall aimed at regulating the use of the Internet as well as stimulating innovation and fostering growth in the digital economy.” [Full Story]

EU – WP29 Weighs In on the GDPR Trilogue Process

As the EU continues to buzz about the beginning of the trilogue negotiations and the final stage of the arduous process of bringing the General Data Protection Regulation (GDPR) to fruition, the Article 29 Working Party (WP29) has now weighed in with its thoughts on the final stages of what is likely to be historic legislation. Jedidiah Bracy and Sam Pfeifle write about those thoughts, which take the form of three letters to deeply involved members of the Commission, Council and Parliament. The letters include a hard line on government access to citizen data, a nuanced approach to a “one-stop shop” and an endorsement of a broad definition of personally identifying information. Further, the WP29 provides a 24-page document that outlines its specific problems with current versions of the GDPR text. [Privacy Tracker]

Facts & Stats

US – Theft Accounts for More Than Half of “Wall of Shame” Breaches

Roughly 52% of breaches posted on the Department of Health and Human Services’ Office for Civil Rights’ “wall of shame” were the result of theft. Unencrypted devices appeared to be the most consistent source of recent trouble. “Although we’ve seen some large hacking attacks, they are aimed at higher-profile organizations than the more typical provider organization,” The Marblehead Group’s Kate Borten said. “Attackers know that these organizations have a very high volume of valuable data. But I continue to believe that unencrypted PHI on devices and media that are lost or stolen is the most common breach scenario affecting organizations of any size.” [Gov Info Security]

US – Results of 2015 Online Trust Audit Mixed

The 2015 Online Trust Audit and Honor Roll found 54% of government websites to have “inadequate domain, brand and consumer protection.” All is not completely doom and gloom, however. The audit found 42% of government sites, such as the White House, FTC and FDIC, worthy of the honor roll, having “the highest average privacy score across evaluated industries.” The audit states that its primary goal “is to help drive the adoption of best practices and provide prescriptive tools and resources to aid companies.” [Washington Business Journal]

US – OPM Says Hack Could Cost $19 Million

In the first of three consecutive hearings on Capitol Hill this week, OPM Director Katherine Archuleta testified in front of the Senate Appropriations Committee. Archuleta said the breach of the 4.2 million individuals—which is only part of the total number of those whose records have been compromised—will cost at least $19 million. “I am as upset as (those affected) are about what happened and what these perpetrators have done with our data,” Archuleta said. Financial Services and General Government Subcommittee Chairman John Boozman (R-AR) said, “The problem is something much greater than a lack of resources.” Relatedly, The Wall Street Journal reports that semantics may have initially obfuscated the true scope of the OPM breach. [CSM Passcode] [It gets worse: Two Federal OPM hacks affected up to 18 million]

Filtering

EU – ECHR Finds Website Liable for Anonymous User Comments

In what some are calling a surprise decision, the European Court of Human Rights has found that Estonian news website Delfi can be held responsible for anonymous comments on its site. Access Senior Policy Counsel Peter Micek said the ruling has “dramatically shifted the Internet away from the free expression and privacy protections that created the Internet as we know it.” Media Legal Defence Initiative has summarized the reasoning behind the court’s decision. Digital Rights Ireland Chairman TJ McIntyre said the decision “doesn’t directly require any change in national or EU law,” but indirectly, “it may be influential in further development of the law in a way which undermines freedom of expression.” [Ars Technica]

Finance

WW – Feature Aims to Make Bitcoin Transactions Private

Though Bitcoin is often thought of as a private way of transacting currency, privacy issues remain, according to Blockstream Cofounder Greg Maxwell, who said an onlooker can reveal the identities of bitcoin users and determine an individual’s financial history. “You can leak this information to everyone, and they just have to attach your name to one address,” Maxwell said. As a result, Blockstream has created its Confidential Transaction feature in its Sidechain Element projects. The feature aims to hide the content of a given transaction as well as the destination and amount. [Bitcoin News Service]
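Confidential Transactions hide amounts with Pedersen commitments: each amount is replaced by a commitment whose blinding factor hides the value, yet commitments add homomorphically, so a verifier can still check that inputs equal outputs. The following is an added example (not Blockstream's code) that demonstrates the idea in a toy group; the prime `P = 1019` and generators are constructed for illustration and far too small for real use.

```python
"""Toy Pedersen-commitment balance check in the style of Confidential Transactions.
Added example with a constructed, insecure-size group; not Blockstream's implementation."""

P = 1019            # toy safe prime: (P - 1) / 2 = 509 is prime (constructed)
Q = (P - 1) // 2    # order of the quadratic-residue subgroup we work in
G = pow(2, 2, P)    # squares mod P lie in the order-Q subgroup
H = pow(3, 2, P)    # second generator; in real use log_G(H) must be unknown to everyone


def commit(value, blinding):
    """Pedersen commitment C = G^value * H^blinding mod P."""
    return (pow(G, value % Q, P) * pow(H, blinding % Q, P)) % P


def combine(commitments):
    """Multiplying commitments adds the hidden values and blindings (homomorphism)."""
    acc = 1
    for c in commitments:
        acc = acc * c % P
    return acc


def balances(in_commits, out_commits):
    """True when sum(inputs) == sum(outputs) and the blindings also sum equally.

    This is what a verifier can check without learning any amount. Real CT also
    needs range proofs, because values wrap modulo Q and could otherwise be negative.
    """
    return combine(in_commits) == combine(out_commits)


def openings(commitment, max_value):
    """Brute-force every (value, blinding) pair that opens `commitment`.

    In the toy group this is feasible and shows why a commitment hides its value:
    every candidate value has exactly one blinding that fits, so the commitment
    alone says nothing about which value was committed.
    """
    return [(v, r) for v in range(max_value) for r in range(Q)
            if commit(v, r) == commitment]


def example_transfer():
    """Constructed transaction: inputs 50 + 30, outputs 70 + 10, blindings balanced."""
    r1, r2, s1 = 123, 456, 77
    s2 = (r1 + r2 - s1) % Q              # sender picks last blinding so they sum equally
    inputs = [commit(50, r1), commit(30, r2)]
    outputs = [commit(70, s1), commit(10, s2)]
    bad_outputs = [commit(70, s1), commit(11, s2)]  # tries to create one extra unit
    return balances(inputs, outputs), balances(inputs, bad_outputs)


if __name__ == "__main__":
    ok, inflated = example_transfer()
    print("balanced transfer verifies:", ok)          # True
    print("inflated transfer verifies:", inflated)    # False
    print("openings of commit(5, 9) for values < 3:", openings(commit(5, 9), 3))
```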

US – Banks to Roll Out Real-Time Payments

Bank-owned digital payments network clearXchange announced this week that it will roll out over the next year a real-time payments platform available to all U.S. consumers who have a bank account. All of clearXchange’s member institutions, which include five of the six largest U.S. banks as well as several regional banking institutions, are expected to offer real-time payments to their customers, clearXchange says in a statement. The network, formed in 2011, enables banks to provide person-to-person, business-to-consumer and government-to-consumer payments. The network is equally owned by Bank of America, Capital One, JPMorgan Chase and Wells Fargo. None of the banks that own the network responded to Information Security Media Group’s request for comment. [Source]

WW – Bitcoin Big Bang Takes Anonymity Out of Transactions

The Bitcoin Big Bang project showcases Elliptic’s anti-money-laundering work within the bitcoin space. The company has created an interactive data visualization of historic and real-time transactions that are public by default. Elliptic’s goal, according to CEO James Smith, is to expose criminal activity and bring bitcoin into the mainstream. “If digital currency is to take its legitimate place in the enterprise, it inevitably must step out of the shadows of the Dark Web,” he said. The company’s ability to track financial transactions should be an “eye opener” to those who think it’s all conducted anonymously, the report states. Smith said, “increased privacy does not necessarily have to equate to more freedom for criminals.” [Inside Bitcoin]

FOI

US – EFF Releases New “Who’s-Got-Your-Back” Privacy Report

The Electronic Frontier Foundation (EFF) has released its fifth data privacy report grading how well companies protect user data and how transparent they are about requests from governments. The EFF said that over the course of the last four years, companies are trending toward more transparency, but its latest report evaluates criteria more tightly. Adobe, Apple, CREDOmobile, Dropbox, Sonic.net, Wikimedia, WordPress.com and Yahoo all received the maximum five-star rating based on following “industry-accepted best practices”; informing users of “government data demands”; disclosing data-retention policies and “government content removal requests,” and having “pro-user public policy” and opposing “backdoors” to encrypted communications. [TechCrunch]

US – Amazon Releases Transparency Report

The fact that Amazon’s cloud computing services are used by 17 government agencies is spurring rumors that government interference is to blame for Amazon’s relative tardiness in releasing a transparency report. The company, however, has dismissed the allegations. “Where we need to act publicly to protect customers, we do. Amazon never participated in the NSA’s PRISM program,” Stephen Schmidt, Amazon Web Services CISO, wrote in blog post. “We have repeatedly challenged government subpoenas for customer information that we believed were overbroad, winning decisions that have helped to set the legal standards for protecting customer speech and privacy interests.” [PC Mag]

CA – Oldest Active Federal Access-to-Information Requests Stretch Back 6 Years

According to data collected as part of a Liberal question in the House of Commons, Justice Canada is the federal department with the longest running, active access-to-information request — an unfulfilled inquiry that dates back more than six years. Under the Access to Information Act passed by Parliament, departments are supposed to respond to requests for government records within 30 days, although in practice long delays have become routine. [Source]

Genetics

US – Mystery Pooper: Firm to pay $2.2M Over Forced DNA Testing for Workers

A federal jury has concluded that an Atlanta grocery warehousing firm must pay two employees a combined $2.2 million for forcing them to submit to a buccal cheek swab to determine if their DNA was a match to feces being left throughout the facility. Employees Jack Lowe and Dennis Reynolds declined a combined $200,000 settlement offer from Atlas Logistics Group Retail Services. Instead, they forged ahead with the first damages trial resulting from 2008 civil rights legislation that generally bars employers from using individuals’ “genetic information” when making hiring, firing, job placement, or promotion decisions. The two plaintiffs were singled out because their work schedules coincided with the timing and location of what the court termed the “defecation episodes.” The warehouse firm hired Speckin Forensic Laboratories to perform the buccal swab samples of the plaintiffs to compare them against the fecal matter left on site. Speckin recommended Short Tandem Repeat (STR) analysis. The tests cleared Lowe and Reynolds. [Source]

Health / Medical

US – Pharmacy Merger Creates Privacy Questions

CVS’s acquisition of Target’s pharmacy is rife with “some extremely likely data security and privacy problems and HIPAA horrors.” “Screaming in one track is Target’s collection of highly sensitive personal prescription and medical history, one of the largest in the world, while barreling in on the other track we have Target’s employees, who have little incentive to carefully follow data transfer protocols now that the data is about to be taken over by another company,” the report states. Chief among concerns is the way the data will be transferred and how, with double the amount of handlers, security will be guaranteed. California’s health insurance exchange is embarking on a data-collection project for all Affordable Care Act members. [Computerworld] See also: [CA – The Privacy of Transitioning Individuals’ Health Records Could Be at Risk]

US – FDA Using Online Forum to Track Drug Failures

The Food and Drug Administration (FDA) is partnering with PatientsLikeMe.com to track negative effects from prescription drugs. PatientsLikeMe is a forum for individuals to compare treatment experiences and seek advice. “With 350,000 users logging 28 million data points on more than 2,500 conditions, the site bills itself as the largest digital patient community in the world … The company has already collected data on 110,000 adverse events from 1,000 medicines that the FDA will now be able to access,” the report states. PatientsLikeMe has partnered with other organizations in the past, including the National Institutes of Health and the Centers for Disease Control and Prevention. [International Business Times]

US – Behind-the-Scenes Government System Keeps Data ‘Indefinitely’ on Those Seeking Health Coverage

A government data warehouse stores personal information forever on millions of people who seek coverage under President Barack Obama’s health care law, including those who open an account on HealthCare.gov but don’t sign up for coverage. “A basic privacy principle is that you don’t retain data any longer than you have to,” said Lee Tien, a senior staff attorney with the Electronic Frontier Foundation. “The more data you keep, the more harm an attacker or unauthorized person can do.” The health care system, known as MIDAS, is described on a federal website as the “perpetual central repository” for information that the Affordable Care Act authorizes federal agencies to collect. “Data in MIDAS is maintained indefinitely at this time,” says another document, a government privacy assessment dated Jan. 15. [Source]

Horror Stories

US – OPM Breach Could Affect 32 Million; IG Says Plans Destined To Fail

Officials from the Office of Personnel Management (OPM) and other federal agencies as well as two vendors appeared before a House Oversight committee Wednesday to answer questions about the massive breaches of government employee data. A day after a more sober Senate Appropriations hearing, things once again heated up as House representatives grilled OPM leadership about their security precautions and choice of vendor to handle notification and credit monitoring, even at points calling for the resignation of OPM leadership. This Privacy Tech post covers the latest, including the possibility of 32 million records at risk and comments by the Office of the Inspector General about its assessment of the OPM’s handling of the crisis. [Full Story]

US – OPM Hack Quadruples; Diplomats to Query Chinese Officials

The total number of individuals affected by the hacks of the Office of Personnel Management (OPM) has officially quadrupled to 18 million, up from initial reports of 4.2 million. Additionally, the National Archives and Records Administration (NARA) has detected similar cyber-intrusion activities in its network, but the adversaries do not appear to have as deep access into NARA’s network as they did into the OPM systems. This post for Privacy Tech continues to follow the latest fallout from what is surely one of the most damaging data breaches in U.S. history. [Full Story]

US – OPM: Attackers Had Access to OPM Database for a Year

The attackers who breached the security of a database at the US Office of Personnel Management (OPM) had access to the data for at least a year. The database holds information gathered for national security clearances. [WashPost] [ComputerWorld]

US – OPM: Fraud Protection Service Security Concerns

People whose personal information was compromised have complained that they have been required to provide sensitive personal information to the company that will provide fraud protection services to verify their identities. And there appears to be some question about whether or not this information is being or will be shared. [NextGov]

US – OPM: Breach Affected Two Different Systems

Two different systems were breached at OPM: the Electronic Official Personnel Folder system and the central database for EPIC, the software suite that OPM’s Federal Investigative Service uses to gather information for employee background investigations. [Ars Technica] [A Department of Homeland Security Official said that encryption would not have helped protect the data exposed in the OPM breach because the intruders managed to obtain valid user credentials] and [House Committee Chairman Jason Chaffetz (R-Utah) called on the president to fire OPM officials, saying “If we want a different result, we’re going to have to have different people.”]

US – Legacy Systems Are Not the Only Reason for OPM Breach

Office of Personnel Management (OPM) officials pointed to legacy systems as a central reason for the attacks on the OPM’s network. While it is true that the older systems do not support adequate encryption and other methods of data protection, other factors, including a lack of adequate talent, poor network design, and focusing on security reactively rather than proactively, contributed to the breaches as well. [ZDNet]

US – “Flash Audit” Continues OPM’s Bad Week

The story of the hack into the Office of Personnel Management (OPM) continues to be written this week, with news of a “flash audit” by the Office of the Inspector General that revealed “serious concerns” about a major IT systems overhaul at the OPM that is already underway but “has not yet addressed several critical project-management requirements.” Jedidiah Bracy examines the continuing problems at OPM and the ways in which the scope of the breach continues to expand. [Privacy Tech] [US – Millions More Affected by OPM Breach]

US – WEDI Releases Data Breach How-To

The Workgroup for Electronic Data Interchange (WEDI) has released Perspectives on Cybersecurity in Healthcare, a report discussing how healthcare organizations can best “mitigate, discover and respond” to data breach threats. “The risk of cyberattacks is no longer limited to the IT desk—it is a key business issue that must be addressed by executive leadership teams in order to build that culture of prevention,” said WEDI CEO and President Devin Jopp. WEDI-amassed statistics indicate urgency is necessary. “In the first four months of 2015 alone, more than 99 million healthcare records have already been exposed through 93 separate attacks,” the WEDI document states. [FierceHealthIT]

US – Companies Facing Consequences for Privacy Faux Pas

A judge has refused to dismiss a suit against Sony Pictures Entertainment by former employees and victims of last year’s massive breach that alleges the corporation did not exercise privacy due diligence. In other courtroom news, LinkedIn recently agreed to settle for $13 million and update privacy protocols after allegedly manipulating preexisting profiles to woo new users, and a Home Depot stockholder is suing to inspect company records “to determine whether Home Depot management breached its fiduciary duties by failing to adequately secure payment information on its data systems.” [Bloomberg Business]

WW – LastPass Servers Hacked; Data Strongly Encrypted

Password-protection cloud service LastPass announced its servers have been compromised by hackers. Compromised data included hashed passwords, cryptographic salts, password reminders and email addresses. In a blog post, LastPass CEO Joe Siegrist said his company’s encryption protections will be difficult for the hackers to breach. He wrote, “We are confident that our encryption measures are sufficient to protect the vast majority of users,” adding, “LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.” [Ars Technica] [Hulk Hogan is fighting for the privacy of the world’s sex tapes] [US – Nude photos of Australian women shared on US website] [The Houston Astros were an easy hacking target: Someone reportedly reused an old password] [UK – Three exposed Brit’s privates with sloppy survey code]
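The two-stage hashing Siegrist describes, as an added illustration that is not LastPass’s code: the client stretches the master password into a vault key and sends only a derived authentication hash, and the server salts and stretches that hash again before storing it. The 100,000 server-side rounds are the figure quoted above; the client-side round count, the exact derivation of the authentication hash, and the sample credentials are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Iteration counts. The server-side figure (100,000) is the one quoted in the
# article; the client-side count is an assumption for this example.
CLIENT_ROUNDS = 5000
SERVER_ROUNDS = 100_000


def client_derive(master_password: str, email: str, rounds: int = CLIENT_ROUNDS):
    """Client side (assumed scheme): stretch the master password into the vault
    key, then derive a separate authentication hash to send to the server.
    The vault key itself never leaves the device."""
    pw = master_password.encode("utf-8")
    vault_key = hashlib.pbkdf2_hmac("sha256", pw, email.lower().encode("utf-8"), rounds)
    # One extra round, salted with the password, so the server-visible value
    # cannot simply be reused as the vault key.
    auth_hash = hashlib.pbkdf2_hmac("sha256", vault_key, pw, 1)
    return vault_key, auth_hash


def server_store(auth_hash: bytes, rounds: int = SERVER_ROUNDS) -> dict:
    """Server side: add a random per-user salt and stretch again before storing.
    This record is what an attacker would obtain from a database compromise."""
    salt = secrets.token_bytes(16)
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, rounds)
    return {"salt": salt, "rounds": rounds, "hash": stored}


def server_verify(record: dict, auth_hash: bytes) -> bool:
    """Recompute the stored value from a presented auth hash; constant-time compare."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, record["salt"], record["rounds"])
    return hmac.compare_digest(candidate, record["hash"])


def iterations_per_guess(record: dict, client_rounds: int = CLIENT_ROUNDS) -> int:
    """Defender's cost model: PBKDF2 iterations that must be spent to test one
    candidate master password against a stolen record (client stretch, the
    single auth-hash round, then the server-side rounds)."""
    return client_rounds + 1 + record["rounds"]


if __name__ == "__main__":
    # Constructed sample credentials.
    key, auth = client_derive("correct horse battery staple", "alice@example.com")
    rec = server_store(auth)
    print("login ok:", server_verify(rec, auth))
    _, bad = client_derive("wrong guess", "alice@example.com")
    print("wrong password accepted:", server_verify(rec, bad))
    print("PBKDF2 iterations per offline guess:", iterations_per_guess(rec))
```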

WW – WhatsApp Comes Up Short Protecting User Data, Privacy Watchdog Says

WhatsApp lags behind its consumer tech peers when it comes to protecting user data from government requests, according to a prominent privacy advocacy group. In its annual Who Has Your Back? report, the Electronic Frontier Foundation awarded WhatsApp just one out of four stars when evaluating it across various categories concerning data protection. According to the EFF, WhatsApp doesn’t publish a transparency report detailing requests it’s received from the government, doesn’t promise to provide users advance notice of government data requests and doesn’t disclose its data retention policies. The messaging app does oppose creating purposeful security weaknesses known as backdoors that let government officials stealthily gather user data. Opposition to backdoor policies has become common among the consumer tech giants. [Source] [Ten low-tech ways to protect your privacy online] [Non-creepy social networks make it to your smartphone]

Identity Issues

US – Schumer Wants Credit-Reporting Firms to do More

Sen. Charles Schumer (D-NY) has written to major credit-reporting firms requesting a “system that will notify consumers when someone is trying to get a loan or other type of credit in their name” with an option to immediately freeze their credit. “Too many people have faced the reality of learning that someone else has opened new lines of credit in their names only once their score has already been run into the ground,” Schumer wrote. The Consumer Data Industry Association has said there is an established window for threat notification and “the industry has measures in place that provide consumer protections,” the report states. [The Wall Street Journal]

CA – CancerLinQ, Privacy Analytics Working Together on Patient Data

Privacy Analytics has announced it is teaming with CancerLinQ in an effort to de-identify cancer patient data on a large scale for research purposes, stressing that adhering to privacy regulation will be paramount. “Privacy Analytics is providing CancerLinQ with software and training that will allow CancerLinQ to responsibly de-identify patient data through a proven, risk-based methodology,” the firm’s announcement states. This will allow CancerLinQ to provide oncologists with reports “that can be customized for each specific use case and objective while protecting patient privacy.” Healthcare providers will now have access to “critical patient data from electronic health records that they would not have historically been able to access and analyze through traditional methods,” said Privacy Analytics CEO Khaled El Emam. [Full Story]

US – Online Banking Provider to Use Emoji Passwords

An online banking service provider plans to use emojis as passwords. On Monday, UK-based Intelligent Environments announced it will move toward the “world’s first emoji-only passcode,” giving users a choice of 44 different emoji representations to combine into passwords. The company argues the system will be more secure than number-only PINs and passwords because it has “480 times more permutations using emojis over traditional four-digit passcodes.” IE Managing Director of Engagement David Weber said, “Our research shows 64 percent of millennials regularly communicate only using emojis.” However, Carnegie Mellon Prof. Lorrie Cranor called the move a “gimmick,” adding, “I’m not sure that it will make a difference as far as security goes.” [NPR]

Internet / WWW

WW – U.N. Sends Peacekeeping Forces to Internet of Things War

The United Nations is joining the melee for a single “internet of things” (IoT) standard. The UN-run International Telecommunications Union (ITU) has created a new “study group” that will develop international standards for the technology to enable low-power communications between machines and sensor networks. Study Group 20 will be officially called “IoT and its applications, including smart cities and communities,” and will focus first on “standards that leverage IoT technologies to address urban-development challenges.” It hopes to come up with a full end-to-end architecture for IoT, and so allow for full interoperability of both applications and datasets. Even with the weight of the United Nations behind it, the ITU faces an uphill battle. At the moment, IoT is almost defined by the fact that there are a wide range of competing standards. [Source]

WW – Potential ICANN Policy Change Creates Privacy Concerns

The Electronic Frontier Foundation (EFF) is reporting that a policy being considered by ICANN, the global domain name authority, could make it easier for third parties to discover the contact information of website owners. The impetus for the potential policy change came from U.S. entertainment companies that want “tools to discover the identities of website owners whom they want to accuse of copyright and trademark infringement, preferably without a court order,” the EFF states. According to Threat Post, smaller websites appear to be the most affected. “The limited value of this change is manifestly outweighed by the risks to website owners who will suffer a higher risk of harassment, intimidation and identity theft,” the EFF notes. [Source]

Law Enforcement

US – City May Veto Police Data-Sharing Plan

The privacy concerns of Charlotte, NC, police may keep the Charlotte City Council from voting in favor of sharing data as part of a White House initiative to create greater transparency and accountability for law enforcement. If the motion is approved, the data would be shared with University of Chicago researchers who have promised to anonymize relevant data and store information securely. Some are still unsure, however. “I think we need to put it in abeyance until they totally understand what the point of it is and the purpose of it is,” said Charlotte Councilwoman Claire Green Fallon. [USA Today]

Online Privacy

EU – France Orders Google to Scrub Search Globally in Right to Be Forgotten Requests

We do not care if a URL’s got a .fr, a .uk or a .com glued to the end, the French data protection agency told Google – if a European makes a legitimate request to be forgotten in search results, make it so on all your search engines in all countries. CNIL said in its news release that it’s received hundreds of complaints following Google’s refusals to carry out delisting. According to its latest transparency report, last updated on Friday 12 June, Google had received a total of 269,314 removal requests, had evaluated 977,948 URLs, and had removed 41.3% of those URLs. CNIL sized up the complaints it’s received from those whom Google had declined to forget and says that it requested that Google delist several results – not just based on the extension on the URL, it said, but on all results from the whole search engine. [Source]

WW – Facebook’s ‘Moments’ App Lets You Privately Sync Camera Roll Photos With Your Friends

“With a phone at everyone’s fingertips, the moments in our lives are captured by a new kind of photographer: our friends. It’s hard to get the photos your friends have taken of you, and everyone always insists on taking that same group shot with multiple phones to ensure they get a copy. Even if you do end up getting some of your friends’ photos, it’s difficult to keep them all organized in one place on your phone,” said Facebook product manager Will Ruben. The Moments app groups the photos based on the date and the specific friends that are in each photo. Facebook uses facial recognition to determine which of your friends are in each of the photos. Once your photos are grouped, the Moments app asks you if you want to sync the group of photos with the friends it identified. If the app forgot to include one of your friends, then you can manually edit the individuals that you want to sync the photos with. The photos that you share using Moments are private and do not post to the News Feed during the syncing process. However, the Moments app lets you save the synced photos to your camera roll, send them to Facebook Messenger friends, post it to your Facebook or Instagram news feeds and SMS / WhatsApp message it to your contacts. If your friends do not have the Moments app yet, they will get a preview of the synced photos that you have sent in Facebook Messenger. And if you accidentally synced photos with someone, then there is an option to “unsync” individual photos or delete the group of photos. [Source]

WW – Major Mac Flaw Spills Passwords on Apple Devices

Apple claims that its “Keychain” software lets people securely store their passwords on their Macs. As it turns out, hackers can pull the keys off the chain. A crucial flaw found in Macs allows a malicious app to snatch the passwords from your Keychain — or even directly from other apps. That exposes the passwords to your iCloud account, notes, photos, email, banking, social media — everything. Indiana University computer science professor XiaoFeng Wang and his team of researchers found several ways a bad app could “cross over” into other apps. The researchers found that malicious software could slip into the Apple Keychain, delete old passwords, and wait for you to retype them in. When you do, it grabs them. They also found an issue with the way Apple categorizes Mac programs with a unique ID, called a BID. Hackers could assign an email app’s BID to a piece of malware, then get scooped up into a “trusted” group of programs. The Indiana University team analyzed the top 1,612 Mac apps, and found that 89% of them were susceptible to these kinds of attacks. [Source]

WW – Apple Wants To Know If You Use Protection

New features on Apple’s pre-installed “Health” app will allow users to track their sexual activity, namely whether or not they used protection and the time of day they had sex. The new Health app, which already tracks other health information like fitness and nutrition data, will be available on iOS 9, which is set to come out later this year, and will also include the ability to track other reproductive health metrics like menstruation and ovulation cycles. You can choose to store your data solely on your device without backing it up to the cloud. But Apple also lets you choose to share your data with your doctor or anonymously with researchers. Apple is also set to release “HealthKit,” which will pool data entered into various health and fitness apps. “It just might be the beginning of a health revolution,” Apple’s Website reads. Or it could be a great way to put personal information at risk and provide hackers nuanced and specific information. [Source]

US – Advocacy Group Petitions FCC on DNT

Consumer Watchdog has announced it is petitioning the Federal Communications Commission (FCC) in an attempt to legally enforce do-not-track compliance with “edge provider” sites like Google and Facebook. “Ensuring that ISPs respect their customers’ privacy is important, but privacy rules covering companies like Google and Facebook are also necessary if people are going to trust the Internet,” said Consumer Watchdog Privacy Project Director John Simpson. “The FCC clearly has the authority it needs and must do everything it can to build that trust if it is to succeed in promoting timely broadband deployment.” [Full Story] [Emma Watson’s next movie will tackle online privacy]

CA – OPC Releases Updated Report on Online Behavioural Advertising

The Technology Analysis Branch of the Office of the Privacy Commissioner has released its Online Behavioural Advertising (OBA) Follow Up Research Project. The report highlights the OPC’s 2011 guidelines for OBA, noting, “If these conditions and restrictions are not met, and an organization wishes to continue to use OBA, then explicit consent is required.” The report also notes in its overview that while the guidelines were shared widely and “an industry-led self-regulatory program was subsequently launched, advertising practices may not be consistent.” “While the advertising industry has made progress in giving consumers more choice about the ads that target them based on their search and browsing behaviour online, some of those ads are still getting a little too personal.” [Source] [Globe & Mail]

WW – Apple Moves to Prevent Accessing Apps for Ads

Apple will no longer share app data, “which is akin to web-browsing history,” with developers for tailoring ads to its users. Apps and social networks “have sometimes drawn on data about other apps that are already installed” on phones to determine what ads to show users, the report states, noting, for example, if a user “has downloaded a lot of games, including ones that cost money, they may be shown an ad for a paid game that they don’t already have.” The move to discontinue the “increasingly popular practice” is a part of Apple’s effort “to appear more privacy-friendly,” the report states. This may affect Twitter’s recent announcement that it would allow ad targeting based on downloaded apps. [The Information]

WW – Will Privacy Regulation Impact Facebook’s Revenue?

Research from eMarketer indicates the EU’s “mounting probes of Facebook’s privacy policies” could adversely affect the social network’s ability to release new features and increase advertising revenue. “Government privacy watchdogs from France, Spain and Italy have in recent weeks joined a group of regulators investigating the social networking company’s privacy controls,” the report states, “doubling the number of European countries analyzing the way Facebook handles the personal information and connections gleaned from more than 300 million users in Europe.” Given those actions, “It’s difficult to imagine Facebook increasing its revenue from Western Europe significantly,” eMarketer noted in its research. [The Wall Street Journal]

US – Business Opposed to TCPA Update

Business groups believe updates to the Telephone Consumer Protection Act (TCPA) have “overstepped.” The new rules “create new restrictions on important, time-sensitive, non-telemarketing communications, which go way beyond the intent of Congress when it passed the TCPA,” note the U.S. Chamber of Commerce’s Lisa Rickard and William Kovacs. [Katy on the Hill]

Study Finds Most Consumers Concerned About What Marketers Know

A University of Pennsylvania study indicates 84% of consumers want “more control over what marketers can learn about them.” “Americans don’t think the trade-off of their data for personalized services is a fair deal,” said IAPP VP of Research and Education Omer Tene. [Ad Exchanger]

WW – The Dark Side of Proxy Servers

One researcher tested nearly 450 open web proxies and found that 79 percent forced users to load pages in http://, or unencrypted mode, which means that the proxy owners could view the traffic in plain text. In addition, 16% of the proxy servers were found to be injecting ads into the content. [Krebs] [Blog haschek] [The Dark Web as You Know It Is a Myth]
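The two failure modes counted above, a proxy forcing pages onto plain http:// and a proxy injecting content, are both checkable by comparing what the proxy returns with a direct fetch of the same page. This is an added example, not the researcher’s test harness; the HTML and URLs are constructed samples, and only script and iframe tags are inspected.

```python
import re
from urllib.parse import urlsplit

# Matches <script ... src="..."> and <iframe ... src="..."> tags. Sufficient for
# this demonstration; it is not a full HTML parser.
_SRC_RE = re.compile(r"<(script|iframe)\b[^>]*?\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.I)


def downgraded_to_http(requested_url: str, final_url: str) -> bool:
    """True when an https:// request came back served over plain http://, which
    leaves the page content readable by whoever operates the proxy."""
    return (urlsplit(requested_url).scheme == "https"
            and urlsplit(final_url).scheme == "http")


def external_resources(html: str) -> set:
    """Set of (tag, src) pairs for script/iframe resources referenced by the page."""
    return {(tag.lower(), src) for tag, src in _SRC_RE.findall(html)}


def injected_resources(direct_html: str, proxied_html: str) -> set:
    """Resources present in the proxied copy but absent from the directly fetched copy."""
    return external_resources(proxied_html) - external_resources(direct_html)


def assess_proxy(requested_url: str, final_url: str,
                 direct_html: str, proxied_html: str) -> dict:
    """Summarise both checks for one proxy: scheme downgrade and injected resources."""
    return {
        "downgraded": downgraded_to_http(requested_url, final_url),
        "injected": sorted(injected_resources(direct_html, proxied_html)),
    }


# Constructed sample: the page as fetched directly, and as returned by a proxy
# that forced HTTP and inserted an advertising script.
DIRECT_HTML = ('<html><head><script src="https://example.test/app.js"></script>'
               '</head><body>hello</body></html>')
PROXIED_HTML = ('<html><head><script src="https://example.test/app.js"></script>'
                '<script src="http://ads.example.test/inject.js"></script>'
                '</head><body>hello</body></html>')

if __name__ == "__main__":
    print(assess_proxy("https://example.test/", "http://example.test/",
                       DIRECT_HTML, PROXIED_HTML))
```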

US – The Fight Against Revenge Porn Hits the Mainstream

The last week has been a good one for those who have been fighting against the online phenomenon known as revenge porn, or nonconsensual pornography. On Friday, Google announced it will honor takedown requests of sexually explicit images from victims who did not consent to their posting. That was immediately followed up by news that Rep. Jackie Speier (D-CA) plans to announce the first-ever federal legislation against revenge porn. Plus, the issue is reaching popular culture: On Sunday, Last Week Tonight with John Oliver dedicated the majority of its episode to cyber-harassment and revenge porn. This post looks into the developments and what they mean for tech companies, and includes provided comments from University of Miami School of Law Prof. Mary Anne Franks. [Privacy Perspectives] [Low-tech ways you can protect your privacy online] [How to Defeat ‘Revenge Porn’: First, Recognize It’s About Privacy, Not Revenge]  [John Oliver exposes what the Internet does to women]

Other Jurisdictions

RU – Parliament Gives RTBF Bill Initial Approval

The lower house of the Russian Parliament, the State Duma, on Tuesday gave initial approval to legislation requiring search engines to remove outdated or irrelevant personal data upon request from users. The bill, which resembles the EU’s right-to-be-forgotten concept, has some—including the country’s largest search engine, Yandex—concerned it could drive censorship and diminish information valuable to the public interest. Unlike the EU’s version, the Russian bill would require sites to delete data even if the information is in the public’s interest. Yandex said, “The limitations introduced by this bill reflect an imbalance between private and public interests,” adding, “This bill impedes people’s access to important and reliable information or makes it impossible to obtain such information.” [Reuters] [AU – How will Australia’s anti-piracy law affect you?]

CO – Colombia DPA Issues Accountability Guidelines

Colombia’s Superintendence of Industry and Commerce (SIC) has launched the Colombian Accountability Guidelines—the first of their kind in Latin America. The result of a multi-stakeholder process, the aim of the document is to help companies implement Colombia’s Data Protection Regulation of 2012. While the guidelines aren’t binding, companies that implement their provisions are, under the law, to be looked upon more favorably in the case of a SIC investigation or enforcement action than those who don’t. José Alejandro Bermúdez Durana, deputy superintendent for data protection for SIC, says he hopes other Latin American countries will adopt Colombia’s proactive approach to incentivizing companies to create strong data protection regimes. [The Privacy Advisor]

AU – Skoolbag App Gaining Popularity in New Zealand amid Privacy Concerns

An app that alerts parents to school emergencies, and tells them the date of the college disco, is gaining in popularity, despite warnings from privacy watchdogs about the safety of the data it collects. Skoolbag is the brainchild of Australian parent Andrew Tsousis, who wanted a better way of communicating with his child’s school. It is now used by 34 schools in New Zealand and 2,000 worldwide, and provides information on cancellations, school notices, school contact information, timetables, absences and parent contact details. However, the Australian privacy commission recently warned of the dangers of the inappropriate disclosure of the mountains of data being collected by Skoolbag and apps like it. [Source] See also: [Chinese Hackers Circumvent Popular Web Privacy Tools] China’s telecommunications regulator, the Ministry of Industry and Information Technology, has promulgated a new regulation aimed at cracking down on spam messages, Scott Livingston writes.

Privacy (US)

US – Supreme Court Deems Hotel Registry Rule Unconstitutional

In a 5-4 decision, the Supreme Court struck down a Los Angeles city ordinance requiring hotel operators to show a list of registered guests to the police on demand. The court held that the guest registry law violated the Fourth Amendment’s protection against unreasonable searches because it did not give hotel managers the chance to seek a ruling from a judge or magistrate before complying with police requests. Justice Sonia Sotomayor wrote for the majority that the law opened up hotel and motel owners and their guests to potentially limitless harassment because an owner who refused to give registry access to an authority “can be arrested on the spot.” [Politico]

US – EPIC Files Complaint with FTC Over Uber’s Privacy Policy

The Electronic Privacy Information Center (EPIC) has filed a complaint with the FTC regarding Uber’s new privacy policy, which permits the company to use cell phones to track users even if they’re not currently employing Uber’s services. “The complaint asks the FTC to investigate Uber’s business practices, stop the company from collecting user location data ‘when it is unnecessary for the provision of the service,’ halt Uber’s collection of user contact list information and investigate other companies that engage in similar practices, among other things.” A statement released on EPIC’s website cites “Uber’s history of misusing customer data as one of many reasons the commission must act.” [USA Today]

US – Federal CIO Backs OPM Director; Senators Press for Details

After a tough day of questioning from a House oversight panel on Wednesday, Office of Personnel Management (OPM) leadership and other government officials testified in front of the Senate Committee on Homeland Security and Government Affairs to further clarify the extent of the biggest theft of government records in U.S. history. In this post, Jedidiah Bracy reports on the hearing and includes a brief timeline of the various hacks to the OPM, KeyPoint and USIS based on testimony from witnesses. [Privacy Tech]

US – Will USA FREEDOM Act Help Restore Cross-Border Trust?

The enactment of the USA FREEDOM Act made headlines in the U.S. and beyond. However, as the Hogan Lovells Privacy Team explains in this post, “the impact that the surveillance reform legislation may have on cross-border data transfers could turn out to be newsworthy as well.” The post summarizes some of the important elements of the legislation—including how the act reforms the Foreign Intelligence Surveillance Court operations by requiring it to make important decisions, orders and opinions public—and explores the USA FREEDOM Act’s potential to influence more than government surveillance practices. [Privacy Tracker]

US – Google, Viacom Argue Lack of Standing

Google and Viacom are urging courts to reject attempts to revive a previously dismissed suit that claims Nick.com violated privacy laws and used information gleaned from the site to track users under the age of 13. The suit alleges the companies violated the Video Privacy Protection Act and utilized cookies inappropriately, while Google and Viacom see no harm done. Viacom has said, “Nick.com users lack ‘standing’ to sue, because they weren’t injured by the alleged tracking,” the report states. Viacom pointed out the users “argued that Viacom used anonymous data about their Internet activity to facilitate the delivery of the very advertising that makes Viacom’s websites available for free to them and the rest of the public.” [MediaPost] [CVS’s Target deal: Prescription for a privacy disaster]

WW – Experian Releases Breach Legislation Whitepaper

Experian Data Breach Resolution has released a whitepaper on the current state of legislation that shapes how companies must prepare for and respond to data breaches. “Currently, companies face a segmented system of state- and sector-specific data breach laws. At the same time, policy-makers in the European Union, Australia and Brazil are considering new approaches to data breach notification that could impact businesses that engage in global commerce,” Experian notes in its announcement of the new research. “Organizations must ensure they understand and are meeting both the legal requirements and expectations of regulators to protect consumers in the event of a data breach,” said Experian’s Michael Bruemmer. [Full Story] [US – Why Data Privacy Is a Real Campaign Issue in 2016]

US – Globetrotters Changing Data-Collection Methods

The Harlem Globetrotters basketball team will change its method of collecting information from newsletter subscribers, according to a Better Business Bureau (BBB) unit. The basketball exhibition team’s website invites visitors to subscribe to an email newsletter by entering their names, email addresses and ZIP codes. In a section for kids’ games, subscribers were required to check a box stating, “You are 13 or older.” But the BBB’s Children’s Advertising Review Unit said that procedure didn’t comply with children’s privacy guidelines, which require operators of sites directed at children to conduct age-screening in a “neutral” way, the report states. [MediaPost]

US – Committee Hears from Advocates, Industry on Drone Regs

Amazon is among those that don’t want drone regulations handled on a state-by-state basis. “Uniform federal rules must apply,” Amazon VP of Global Public Policy Paul Misener told a congressional committee. Privacy advocates, meanwhile, argue drones pose serious potential security concerns, especially since law enforcement use of drones has yet to be regulated. “Here is a nightmare scenario for civil liberties: a network of law enforcement UAS (unmanned aircraft systems) with sensors capable of identifying and tracking individuals monitors populated outdoor areas on a constant, pervasive basis for generalized public safety purposes,” said the Center for Democracy & Technology’s Harley Geiger. “This may seem an unlikely future to some. However, few existing laws would stand in the way.” [BuzzFeed]

WW – Nymity Releases Legal Compliance Tool

Nymity has unveiled a legal compliance requirements solution for privacy officers and lawyers. Nymity LawTables allows users to analyze and visualize compliance requirements across multiple jurisdictions; identify and compare common legal requirements; understand which rules of law require evidence, and reduce privacy risk. The solution allows privacy officers to map accountability to compliance, build tables to demonstrate compliance and map BCRs to laws, among other features. “For years, privacy officers have been asking for a simple way to compare legal requirements,” said Nymity’s Terry McQuay, adding, “After extensive research by our team of privacy and data protection experts, we have met this objective.” [Full Story]

WW – Controversy Over Uber’s Plan to Track User’s Locations When App Isn’t Running

Changes to Uber’s privacy policy, set to go into effect July 15, would allow the ridesharing app to track its users’ location data even when the app isn’t running. But the company is now facing legal troubles over the proposed changes. The U.S.-based Electronic Privacy Information Center (EPIC) submitted a complaint to the U.S. FTC citing concerns over the new data tracking policy, first outlined by Uber in May. The updated privacy policy would allow the app to collect location data about customers when the user’s GPS is turned off, or the app isn’t being used. Uber’s new policy would also allow the app to access the user’s contacts, in order to send special offers to the user’s friends and family. “This collection of users’ information far exceeds what customers expect from the transportation service,” read the complaint submitted by EPIC. “Users would not expect the company to collect location information when customers are not actively using the app.” However, Uber has also made it clear that users will be able to opt out of location tracking features. EPIC argues that forcing users to opt out “places an unreasonable burden on consumers.”  [Source]

US – Top Court Throws Out Ordinance Giving Police Access to Hotel Records

The U.S. Supreme Court ruled that a Los Angeles ordinance that lets police view hotel guest registries without a warrant violates the privacy rights of business owners, taking away what the city called a vital tool to fight prostitution and other crimes. In a 5-4 decision, the justices upheld an appeals court ruling that struck down the ordinance, saying it infringed upon hotel operators’ rights under the U.S. Constitution’s Fourth Amendment protections against unlawful searches and seizures. More than 100 other jurisdictions across the United States have similar laws that could be affected by the court’s ruling, the city’s lawyers said in court papers. [Source]

Privacy Enhancing Technologies (PETs)

New Offerings Emphasize Privacy

New social media offerings, Bill Ottman’s Minds.com and Facebook companion app Moments, are completely different in functionality and purpose but are united by the same thing: They plan to stay out of their users’ lives. Minds.com functions similarly to Facebook but places explicit emphasis on privacy by encrypting user messages and information in a way that its competitor does not. “The funny thing about Facebook’s privacy situation is they say, ‘Oh, we have all these privacy settings,’ but they don’t have the option for, ‘Hey, Facebook, I don’t want you seeing my data,’” Ottman said. [International Business Times]

Remote Identification / IoT

WW — W3C’s Auto Division Creating Task Force

The Automotive Working Group, one of W3C’s divisions tasked with creating web standards for the automotive industry to use in smart cars, has announced the creation of a special task force to deal with security and privacy issues. “Many industry reports have confirmed that a significant majority of consumers want safe and secure access to the web from their connected car,” an official announcement states. “We hear this need resonating loudly in the automotive industry.” The task force’s activity will mainly address security-related concerns, but user privacy is also a focus. The group will consider how technologies handle user data, privacy rights and opt-in sharing agreements, the report states. [Softpedia]

US – Car Data “Pre-Standards” to Be Released

Auto Alliance will publish a list of “pre-standards” for the automotive industry regarding its current and future use of in-car data. With an initial release planned for January 1, the standards look to create “a fundamental set of expectations for the collection, use and sharing of vehicle data” and ensure “sensitive personal information” such as location and biometrics “is subject to opt-in selection when data is to be used for marketing or shared with third parties for their own use,” the report states. The standards also aim to make sure “there are restrictions on disclosure of geolocation information to the government.” [eWeek]

Security

WW – Survey Finds Decision-Making Disconnect

The Ponemon Institute and Fidelis Cybersecurity’s Defining the Gap: The Cybersecurity Governance Survey indicates a “disturbing rift in cybersecurity knowledge between those who make decisions and manage the budgets and those who have to implement and manage the security measures.” “Cybersecurity is a critical issue for boards, but many members lack the necessary knowledge to properly address the challenges and are even unaware when breaches occur,” Fidelis noted in its announcement of the survey. “Further widening the gap, IT security professionals lack confidence in the board’s understanding of the cyber risks their organizations face, leading to a breakdown of trust and communication between the two groups.” Meanwhile, Infor COO Pam Murphy writes for Diginomica about her perspectives on cloud security. [CSO Online]

WW – Wearable Fitness Trackers Tested for Data Leakage and Poor Security

Independent IT security testing authority AV-Test.org has put nine different fitness trackers under the microscope, in order to explore how well they are protecting users’ data. In its investigation, AV-Test.org researchers examined nine fitness wristbands – Acer Liquid Leap, Fitbit Charge, Garmin Vivosmart, Huawei TalkBand B1, Jawbone Up24, LG Lifeband Touch FB84, Polar Loop, Sony Smartband Talk SWR30, Withings Pulse Ox – and found some big differences when it came to their security model. There are a variety of issues raised by the investigation, including that many fitness trackers appear to make it too easy for an unauthorised smartphone to connect to the wristband. Additionally, some of the products failed to properly authenticate that the smartphone app communicating with them was legitimate, opening the door for abuse. [Source]

WW – Collaboration Key to Defense

Representatives from the government, military and academia met at the U.S. Army War College to discuss how best to tackle a large-scale technological attack, deciding that partnerships across the sectors is the best form of defense. “We have to avoid any notion of ‘my turf versus your turf’ because the problem is only going to be solved by collaboration,” said Penn State University Prof. Thomas Arminio. George Mason University Center for Infrastructure Protection & Homeland Security Director Mark Troutman agreed. “You do not want this to be a military approach,” he said. “We are Americans. We secure ourselves at the end of the day with an active and engaged citizenry.” [Government Technology]

US – NSA, GCHQ Targeted Anti-Virus Firms

The latest leak of Snowden-acquired documents reveals that the U.S. National Security Agency and UK Government Communications Headquarters (GCHQ) reverse-engineered software products and monitored the web and email communications of anti-virus software manufacturers, Kaspersky Lab in particular. “Spy agencies seem to be engaged in a digital game of cat and mouse with anti-virus companies,” the report states. “The U.S. and UK have aggressively probed for weaknesses in software deployed by the companies, which have themselves exposed sophisticated state-sponsored malware.” All of the documents supporting these conclusions are here. In related news, GCHQ was found to have illegally monitored two international human rights groups in a case triggered by earlier Snowden revelations. [The Intercept]

US – NSA and GCHQ Sought to Reverse Engineer Security Software

Intelligence agencies in the US and UK made efforts to reverse engineer antivirus and security software, as it hindered their secret investigations. The report is based on documents leaked from the NSA. It appears that the agency and GCHQ focused their efforts on companies including Kaspersky Lab, F-Secure, Avast, Eset, BitDefender, and CheckPoint. [FirstLook] [Wired] [ComputerWorld] [DarkReading]

WW – Software Applications Have on Average 24 Vulnerabilities Inherited from Buggy Components

Many commercial software companies and enterprise in-house developers are churning out applications that are insecure by design due to the rapid and often uncontrolled use of open-source components. Even worse, these software makers wouldn’t be able to tell which of their applications are affected by a known component flaw even if they wanted to because of poor inventory practices. Last year, large software and financial services companies downloaded 240,757 components on average from one of the largest public repositories of open-source Java components. Over 15,000 of those components, or 7.5 percent, had known vulnerabilities, according to Sonatype, the company that manages the repository. [Source]

WW – Irony Alert: Password-Storing Company Is Hacked

No one’s safe from hackers — not even LastPass, a company that stores people’s passwords. LastPass lets people store passwords online so they can access them all with a single master password. You’re storing all your eggs in one basket. That could be a problem. This week, LastPass announced that hackers broke into its computer system and got access to user email addresses, password reminders, and encrypted versions of people’s master passwords. [Source]

Surveillance

WW – Samsung Addresses Bugging Vulnerability

Researchers at the Black Hat conference in London demonstrated a potentially damaging security vulnerability in Samsung phones, which could have affected up to 600 million devices around the globe. Today, Samsung reached out to Privacy Tech to note it is currently addressing concerns and will roll out security updates in the coming days. This post looks into the updates, how exploiting the vulnerability would have required a rare confluence of events, and the growing importance of hacker culture in helping companies fix security bugs. [Privacy Tech] [WW – Samsung and LG smartwatches leave sensitive data open to hackers]

WW – Samsung Bug Could Affect 600 Million Phones

A newly discovered vulnerability could allow adversaries to monitor Samsung smartphone cameras and microphones, read text messages and install malicious apps, potentially affecting 600 million phones around the world. Researchers demonstrated how it works at the annual Black Hat conference in London, UK. The bug resides in an update mechanism for a customized version of Swiftkey that’s available on Samsung Galaxy S6, S5 and other models, the report states. As of now, there is not much users can do to prevent attacks other than avoiding unsecured WiFi networks. Swiftkey officials said, “We take reports of this manner very seriously and are currently investigating further.” [Ars Technica]

WW – Researchers: LG, Samsung Watches Vulnerable to Hackers

Researchers at the University of New Haven have announced they were able to “easily” extract personal data, from contacts to health information, from LG and Samsung smart watches. “It was not very difficult to get the data, but expertise and research was required,” said Ibrahim Baggili, of New Haven’s Cyber Forensics Research and Education Group. By “poking around” the watches’ internal storage and the smartphones they were linked to, the researchers were able to readily uncover the data, according to V3, because the data was not properly encrypted. Both LG and Samsung say they are currently investigating the findings, which will be presented at a digital forensics conference in August. [Full Story]

WW – Google Eavesdropping Tool Installed on Computers Without Permission

Privacy campaigners and open source developers are up in arms over the secret installing of Google software which is capable of listening in on conversations held in front of a computer. First spotted by open source developers, the Chromium browser – the open source basis for Google’s Chrome – began remotely installing audio-snooping code that was capable of listening to users. It was designed to support Chrome’s new “OK, Google” hotword detection – which makes the computer respond when you talk to it – but was installed, and, some users have claimed, it is activated on computers without their permission. [Source] [The Guardian]

WW – Listening Tool Now Optional for Chromium Users

Amidst user consternation regarding Google Chromium’s listening software, Google has made the feature optional. While the service in question “uses the computer’s microphone to listen out for the ‘OK, Google’ hotword to trigger voice searches,” users were not given the ability to opt out, the report states. Some expressed concern “Google was downloading a ‘black box’ onto their machines that was not open source and therefore could not be verified to be doing what it said it was meant to do,” the report continues. “As of the newly landed r335874, Chromium builds, by default, will not download this module at all,” Google said in response, adding that if a user so chooses, the service can be obtained via the company’s web store. [Business Insider] [Take Control of Your Google Privacy]

US – In First Opportunity, FISA Court Declines Amicus Panel

Many privacy advocates lauded the portion of the new USA FREEDOM Act that created a new amicus panel of privacy advocates to be consulted by the Foreign Intelligence Surveillance Court when making decisions. However, the FISA Court declined to empanel anyone in making its first post-FREEDOM Act decision, and is allowing the National Security Agency’s bulk collection of call data to continue for six months until a new program of retention by telecom companies can get off the ground. Judge Dennis Saylor ruled that the decision was “sufficiently clear” that the privacy panel was unnecessary. Amie Stepanovich of Access countered, however, “It is the job of the amicus to raise issues that may not be readily apparent on first blush.” [National Journal]

US – Sun Microsystems CEO Talks Surveillance

Scott McNealy is known for his role as cofounder and long-serving CEO at Sun Microsystems, though some remember him for his statement on privacy back in 1999, when he called consumer privacy issues a “red herring,” saying, “You have zero privacy anyway. Get over it.” These days, McNealy is worried about government surveillance. “It doesn’t really bother me that Google and AT&T have information about me, because I can always switch to another provider,” McNealy said. But it’s a different story with government. “It scares me to death when the NSA or IRS know things about my personal life and how I vote,” he said. [IDG News Service]

Telecom / TV

US – Phone Scamming Up 30% Last Year: Report

Retail and finance call centre phone scamming in the US is up 30%, according to research. The 2014 findings are based on some 86 million scam calls a month picked up by Pindrop Security in which attackers aimed to obtain personal information on potential victims. The phone security company says one in 2,200 calls is fraudulent, up from one in 2,900 in 2013, topping US$9 million a year. The outfit’s annual report says that credit card processors have received the highest number of fraud calls and notes that regional legislation had no effect on the incidence of crime. Technical support scams are unsurprisingly the most common type of phone fraud scam, chalking up eight million calls a month, followed by small credit loans and automotive insurance. The report says brokerages, which hold the highest account values, are fleeced an average of $15 million annually, while credit card issuers follow with $11 million, and banks trail at $7.6 million. [Source]

WW – IEEE and IETF Announce Successful Trials on WiFi Privacy Risks

IEEE has announced that the IEEE 802 LAN/MAN Standards Committee and the Internet Engineering Task Force (IETF) have successfully carried out three experimental trials addressing privacy risks associated with tracking globally unique media access control (MAC) addresses in WiFi networks. The IEEE study group was formed in 2014 and aims to develop a recommended practice based on the privacy issues related to IEEE 802 technologies. “From the onset, IEEE 802 and the IETF have shared a commitment to mitigate privacy risks for nontechnical users living in a world that increasingly offers constant connectivity,” said Juan Carlos Zuniga, chair of the privacy committee. [Full Story]

US – Sens. Want Paypal To Reconsider Robocall Policy

Paypal’s new user agreement is drawing heat from four Democratic senators who are calling on the company to reconsider a policy that would force users to receive robocalls and text messages. After July 1, consumers will be unable to opt out of the new terms if they still want to use PayPal services. “Consumers should not have to agree to submit themselves to intrusive robocalls in order to use a company’s service,” wrote Sens. Ed Markey (D-MA), Al Franken (D-MN), Ron Wyden (D-OR) and Robert Menendez (D-NJ) in a letter to PayPal’s president and CEO. [The Hill]

US Government Programs

US – FTC Proposes Gramm-Leach-Bliley Amendment

The FTC has proposed an amendment to its rules under the Gramm-Leach-Bliley Act to allow auto dealers that finance car purchases or provide car leases to provide online updates to consumers about their privacy policies as opposed to sending yearly updates by mail, according to an FTC press release. Under the proposed revision, auto dealers could provide consumers with the privacy policy solely online as long as they also notify consumers that it is available there on a yearly basis. Dealers would still be required to provide consumers with a written copy of the notice upon request, however. The proposed changes will be published in the Federal Register shortly. [Full Story]

WW – Wikileaks, Court Documents Shed More Light on U.S. Spying

The French government has called extensive eavesdropping by the U.S. Government, revealed by Wikileaks, on the private conversations of senior French leaders “unacceptable.” French President Francois Hollande called an emergency meeting of the Defense Council on Wednesday to discuss revelations published by French news website Mediapart and newspaper Liberation about U.S. National Security Agency surveillance. Meanwhile, newly unsealed court documents indicate the Obama administration fought a legal battle against Google “to secretly obtain” the email records of a security researcher associated with Wikileaks. [The New York Times]

US Legislation

The USA FREEDOM Act, FISA and the New Surveillance Landscape

President Barack Obama recently signed the USA FREEDOM Act into law. Hailed as the biggest intelligence reform in 40 years, the FREEDOM Act is considered the first major pro-privacy change to U.S. intelligence law since the original enactment of the Foreign Intelligence Surveillance Act in 1978 (FISA), writes Westin Research Center Fellow Arielle Brown. The USA FREEDOM Act ends the National Security Agency’s bulk collection of U.S. call metadata, among other things. Brown offers an analysis of the new act as well as a redlined version of FISA showing how the USA FREEDOM Act modifies existing law. [Full Story]

EU – Movement on Umbrella Agreement a Life Preserver for Safe Harbor?

A bipartisan bill introduced this week to provide the same data rights to Europeans that Americans have under the Privacy Act of 1974 has received acclaim on both sides of the political aisle. “The judicial redress issue is the last major sticking point in four-year negotiations over the creation of an ‘umbrella agreement’ for the protection of personal data transferred between law enforcement agencies in the U.S. and EU,” the report states. It would also address a major point of contention in the Safe Harbor negotiations. “Without this legislation, the umbrella agreement won’t be accepted,” said German MEP Jan Philipp Albrecht. “It’s parity we’re looking for,” said UK MEP Claude Moraes. “For this step to happen, and to have equivalence, is a very significant move.” Rep. Jim Sensenbrenner (R-WI) was equally pleased and “optimistic that it will be brought to a vote.” [Politico]

US – Other Legislative News

+++

01-15 June 2015

Biometrics

US – Privacy Concerns Over Facial Recognition Test Program at Border

The Department of Homeland Security is making a new push to find immigration violators. The three-month pilot project at Dulles is part of larger testing of biometric technology. This fall, customs agents will also begin collecting face and iris scans of people entering and returning from Mexico on foot from a San Diego border crossing. “Looking at things like iris or facial recognition helps us compare that person to the document and confirm their identity” to check against watch lists. But privacy rights advocates are concerned these test projects could lead to a slippery slope with law enforcement agencies eventually trying to use biometrics to track law-abiding citizens. “This is really just the beginning,” warned Harley Geiger, Senior Counsel at the Center for Democracy and Technology. “The real concern is not so much this particular pilot program, it is that this particular pilot program is a step towards a larger program,” Geiger said. “Not just in ports of entry, but also in public places, mass transit systems throughout the domestic United States.” [CBS News] [CBSN]

CA – Biometric Data Collection Powers In Budget Bill Raise Concerns

The Canadian government wants to collect biometric information from more people entering Canada. It currently collects a digital photograph and 10 fingerprints to verify the identity of foreign nationals from 29 countries and one territory when they apply to temporarily visit, study or work in Canada. Canada’s privacy watchdog and the Canadian Bar Association raised privacy concerns in submissions to Parliament. Daniel Therrien, Canada’s privacy watchdog, sent a letter to parliamentarians this week to ask about the extent of the changes following testimony by government officials. [Source] [Visitors to Canada who need visa will face biometric screening] [The Star: Ottawa Bankrolls New Screening for Visitors to Canada, New Money For CSIS] [Globe & Mail: Canada Vastly Expands Data Collection of Travellers, Boosts Spy Agency Budget]

CN – First Facial-Recognition Technology ATM Unveiled

China has the first automated teller machine (ATM) with facial-recognition technology. Anti-counterfeit technology experts say the technology should curb ATM-related crimes. The product has passed authorities’ certification and will soon be available on the market. It’s not yet known who will manufacture the ATMs and how facial data will be collected. Some have concerns about privacy and accuracy. [South China Morning Post]

WW – Start-Up Uses Mouse Patterns to Confirm Identity

An Israeli start-up uses “behavioral biometrics” to keep users safe from fraud online. BioCatch maps and logs the way a user habitually moves a computer mouse and then creates a profile. If a user deviates from the logged pattern, it’s clear the user isn’t who he or she claims to be, the report states. [The Tower]

WW – Could “Brainprints” Replace Passwords?

Researchers have found that the human brain’s response to certain words varies to such a degree that it may be possible to distinguish individual “brainprints,” or a unique identifying code. In a small experiment, researchers hooked an EEG to 45 volunteers to measure brain signal response to various words including FBI and DVD. A second computer-based experiment successfully re-identified individuals with 94% accuracy. Brainprints could provide continuous variation, a distinct advantage for authentication. “Passwords or fingerprints only provide a tool for one-off identification. Continuous verification … could in theory allow someone to interact with many computer systems simultaneously, or even with a variety of intelligent objects, without having to repeatedly enter passwords for each device.” [Fast Company]

US – Facial Recognition is Booming, But is it Legal?

Google Policy Fellow at the Center on Privacy and Technology Ben Sobel writes about facial recognition technology and its near ubiquity, in preparation for the next round in the NTIA’s bid for a facial recognition code of conduct. Used by everyone from law enforcement (including a new use by police in the UK ) to retailers to Facebook and Google, there seems to be little notice of the fact that the technology is illegal in both Illinois and Texas, Sobel writes, and a current case may bring definition to just what form of the technology is allowed. “If the law does apply,” he writes, “Facebook could be on the hook for significant financial penalties.” [Full Story]

Big Data

EU – Purpose Limitation Could Have a Limited Future

“The latest Council version of the General Data Protection Regulation provides that personal data may be further processed by the same data controller even if the further purpose is incompatible with the original purpose ‘if the legitimate interests of that controller or a third party override the interests of the data subject,’” state Profs. Lokke Moerel and Corien Prins. They note that the Article 29 Working Party and several NGOs are concerned such a development would render the limitation principle “meaningless and void,” but Moerel and Prins disagree. In a preview of their more in-depth whitepaper, Moerel and Prins argue the Council version “is the only feasible way to guarantee” personal data protection in an era of big data and the Internet of Things. [Privacy Perspectives] [EU Regulators Misunderstand Big Data]

CA – Canadian Political Parties are Embracing Big Data on the Campaign Trail

In recent years, the NDP and Liberals have been racing to catch up to the Conservatives’ ability to amass and analyze voter data. Gone are the days of volunteers standing on doorsteps with clipboards and voters’ lists, ticking off likely supporters. The modern Liberal canvasser now carries a smart phone or tablet, loaded with the mini-VAN app. It was developed by U.S.-based NGP VAN and used to great effect by Barack Obama’s presidential campaigns. Each volunteer is trained to give a brief homily on why they support the party — the personal touch never gets old — and to then follow a script designed to elicit pertinent information, including party preference, willingness to take a lawn sign, issues of concern, email address and phone number. Responses, along with other information such as a voter’s preferred language, are punched into mini-VAN, which is linked to the party’s central database, Liberalist, where party headquarters can monitor the canvassers in real time. Information gathered by canvassers is combined with publicly available demographic data from the national census, polling results and other data mined from responses to party petitions, email blasts and online and social media campaigns to produce what Liberals refer to as analytics dashboards — complex digital graphs and charts. Dashboards range from a countrywide overview of Liberal prospects down to a microscopic look at voters in each postal code. Digital sliders on each dashboard allow organizers to input a host of demographic variables — age, religion, language, income, children, educational attainment, employment status and so on. [The Canadian Press]

US – Big Data Recommendations Coming Soon

Does the use of health data not covered by HIPAA need more oversight? That’s one of the questions being considered by the Privacy and Security Workgroup of the Health IT Policy Committee as it prepares its report on the use of big data in the healthcare industry. At a June 8 meeting, there was a great deal of discussion about how much transparency patients should have into things like the data generated by medical devices and proprietary algorithms used for decision-making. Deven McGraw, a partner in the healthcare practice of Manatt, Phelps & Phillips, LLP, and the workgroup’s chair, “admitted the workgroup has more questions than obvious answers and no consensus about areas of potential harm to consumers.” [Healthcare Informatics]

Canada

CA – Bill C-51 Passed By Senate, Despite Widespread Public Opposition

Bill C-51 passed the Senate on June 9 in a 44-28 vote despite Liberal members’ opposition, but those opposed have vowed to fight until it is repealed. Early reports on Twitter suggest that the bill passed with applause from Conservative senators, but OpenMedia has already launched its fightback against the legislation, vowing to call on leaders of all political parties to commit to repealing the legislation as part of their election platforms, after a total of 243,370 Canadians spoke out against it in the months leading up to the Senate’s vote. Speaking just hours before the vote, author Margaret Atwood said that if passed, “many people will continue to think the Senators are a bunch of overpaid, entitled, patronage-appointment rubber-stampers, despite the good work they have sometimes done. And the Ottawa Senators will consider changing their name.” … Also taking action is lawyer and constitutional expert Rocco Galati, who said that he would contest the legislation in court if it passes. An extension of existing post-9/11 anti-terror laws, the legislation will make it easier for federal agencies to share information—which Galati said includes sharing with foreign governments—as well as let police preventatively arrest terror suspects or restrict their activities. The bill will also allow the public safety minister to add people to Canada’s no-fly list, ban promotion of terrorism, and permit the Canadian Security Intelligence Service to disrupt potential security threats. [The National Observer]

CA – Conservative Groups’ Last Minute Plea to Harper: Stop C-51

The letter is signed by traditionally conservative organizations like the National Firearm Association and Free Dominion, as well as more than fifty individuals. It was facilitated by OpenMedia, the group behind the public campaign against the anti-terror legislation. The groups warn Harper’s Bill C-51 will cost the Conservative Party at the polls. [Global News] [Why conservatives, libertarians and gun lobbyists oppose Bill C-51] [Who does anti-terror law threaten?]

CA – Senator Mobina Jaffer Differs With Party Leader and Slams Bill C-51

Jaffer, the first South Asian woman to hold the Canadian Senate post, along with other independent Liberal senators, plans to vote against the legislation citing concerns about rampant information sharing between 17 government agencies, a lack of oversight of that information sharing, the ability of judges to issue warrants for preventative arrest and detention, and an overly broad definition of terrorism that could entangle citizens engaged in civil disobedience, reported CBC News. [Source]

CA – National Security Agencies Too Secretive, Experts Tell Senate Open Caucus

“In Canada, security is never part of federal elections, so this might be a good and unexpected outcome of our discussion around Bill C-51, however flawed the bill is and will prove to be,” said University of Ottawa professor Wesley Wark. With regard to Bill C-51, many of the meeting’s witnesses agreed that the legislation will only entrench this culture of secrecy, and will even serve to worsen it in some cases. One provision of the bill would give CSIS the right to go to a Federal Court to seek permission to violate an individual’s Charter rights in order to collect information. This would occur behind closed doors, without the individual’s knowledge or even a special advocate to speak on their behalf. “I have never in my professional life seen a provision like this. It’s unconstitutional on its face,” Cavalluzzo said. “Apart from it being unconstitutional … it’s a secret process.” He went on to note that 14 of the 17 agencies which will be receiving this information have no review mechanism. “What if they make a mistake? What is the citizen going to do?” [Hill Times] [Canada: The Tories have buried many things in omnibus bills]

CA – Torture Survivor Turned Author Voices Fears Over Bill C-51

“Bill C-51 is vague, reactionary, and open-ended, and it leaves citizens with very little protection. It was passed in the House [of Commons] with very little debate and has pushed its way to the Senate. Democracy is fragile, and when damaged, it is extremely difficult and costly to mend,” said Nemat, who wrote Prisoner of Tehran and After Tehran, detailing her experiences and their aftermath. [National Observer] [What if C-51 is Just the Edge of a Slippery Slope?]

CA – OpenMedia Crowd-Sources Anti-Surveillance Privacy Plan

We learned that the CSE spied on law-abiding Canadians using the free Wi-Fi at Pearson airport, and monitored their movements for weeks afterward. We learned that CSE is monitoring an astonishing 15 million file downloads a day, with Canadian Internet addresses among the targets. Even emails Canadians send to the government or their local MP are monitored — up to 400,000 a day according to CBC News. Just last week we discovered CSE targets widely-used mobile web browsers and app stores. Many of these activities are not authorized by a judge, but by secret ministerial directives like the ones MP Peter MacKay signed in 2011. CSE is not the only part of the government engaged in mass surveillance. Late last year, the feds sought contractors to build a new monitoring system that will collect and analyze what Canadians say on Facebook and other social media sites. As a result, the fear of getting caught in the government’s dragnet surveillance is one more and more Canadians may soon face. [Source]

CA – Eyes on the Spies: Canadians Deserve Accountability

The findings from our crowdsourcing process make clear that Canadians dislike excessive secrecy around government spying. There was strong support for a wide range of measures to improve the accountability, oversight and transparency of surveillance activities. Notably, 94.1% of Canadians want an all-party parliamentary committee to conduct a thorough review of Canada’s existing oversight mechanisms, and make recommendations for improvements. And 87.9% want independent bodies to oversee CSE and the Canadian Security Intelligence Service (CSIS), and issue regular reports to the public. [Source]

CA – Millions for Surveillance — Nickels for Privacy

The CSE’s official watchdog has a staff of just eight and an annual budget of only $2 million, yet it’s expected to keep tabs on a rapidly expanding spy agency with over 2,000 employees and an annual budget of over $820 million. CSIS also suffers from a severe oversight deficit. In fact, the government shut down the office of the CSIS inspector general, which was responsible for reviewing day-to-day CSIS activities. All that’s left now to oversee CSIS is the part-time, resource-starved Security Intelligence Review Committee (SIRC). Over the years, SIRC has repeatedly complained it has insufficient powers to hold CSIS accountable — complaints that the government has ignored. It’s no wonder that SIRC is now taking an average of three years to investigate complaints against CSIS. [Source]

CA – ‘You Could Be Branded Terrorists’: RCMP Officer to Demonstrators

“Whenever you’re attacking the Canadian economy you could be branded a terrorist, right?” the officer says a little bit later. “Which is not necessarily what’s going to happen, but it could happen.” It’s unknown whether “they” was in reference to the Conservative government, the Department of Justice or law enforcement brass. And it’s also unclear whether the officer was relaying his personal opinion about the bill or repeating interpretations and analysis from the media. [Source]

CA – Federal Politicians Limit Debate Time on Privacy Breach Notification Bill

Bill S-4 “would require organizations to keep records of data breaches of any kind,” [Privacy Commissioner] Therrien said at the time. “We will be able to review their records to determine whether or not appropriate breach notification has occurred, and it will allow us to determine trends generally on the issues so that better advice can be given to organizations and individuals.” …But Tamir Israel, staff lawyer for the Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic, told the committee his organization is “concerned that the standard for notifying the Privacy Commissioner is too high.” Israel contended at the time that it is “very useful to have notification directly to the Privacy Commissioner of a majority of breaches for tracking purposes and to generally improve incentives to adopt rigorous technical safeguards.” [Canadian Underwriter]

CA – Ontario Province Introduces Privacy Legislation for Healthcare Data

The government announced sweeping changes to provincial health privacy laws this week in a bid to deter health professionals from snooping into medical records. Speaking at a press conference at Queen’s Park, Health Minister Dr. Eric Hoskins said proposed changes to the Personal Health Information Protection Act (PHIPA) included mandatory reporting of all health-related privacy breaches to the Information and Privacy Commissioner. Hoskins said he was acting on every single recommendation he had received from privacy commissioner Brian Beamish to strengthen PHIPA. This announcement comes on the heels of a Star investigation that unveiled thousands of health-related privacy breaches have gone unreported to the privacy commissioner because of a legislative loophole allowing hospitals to handle these violations behind closed doors. The Star investigation also outlined how Ontario, which used to be at the forefront of health privacy laws in Canada, was now lagging behind other jurisdictions that have moved toward mandatory reporting of health privacy breaches. Hoskins said the proposed law changes would not only make it compulsory for Ontario hospitals to report every single health privacy breach to the commissioner, but they would also have to report all health professionals disciplined for snooping to their relevant regulatory college. Hoskins also said the government was proposing to remove “a serious barrier to prosecuting breaches of patient privacy” by eliminating the six-month deadline to prosecute. Under the proposed changes, the fine for individuals caught snooping would be doubled from $50,000 to $100,000 and for organizations from $250,000 to $500,000. [Source] [Privacy breaches often not due to technology failure: PLUS Canada speakers] [Tech firms need to use data ethically around the internet of things]

CA – Ontario Moves to Limit Police Sharing Non-Conviction Information

A proposed new law would prevent the inappropriate release of non-conviction or non-criminal mental health information. Under the act, non-conviction records such as withdrawn or dismissed charges, acquittals and findings of not criminally responsible by reason of mental disorder could only be disclosed through some vulnerable sector checks for people working or volunteering with children and seniors. Police will have to consider factors such as how long ago an incident took place, if the record relates to predatory behaviour around a vulnerable person and whether the records show a pattern of such behaviour before deciding whether to release those records in a vulnerable sector check. The Police Records Check Reform Act was met with widespread support, including the Canadian Mental Health Association, the Ontario Association of Chiefs of Police and the Canadian Civil Liberties Association. [The Star] [National Post] SEE ALSO: [Toronto: John Tory calls for full stop to carding, citing ‘eroded public trust’] [Toronto police Chief Mark Saunders defends lawful carding after mayor objects]

CA – Kent Enacts New ATIPPA Law

In early March, the independent review committee led by former Newfoundland premier Clyde Wells delivered a comprehensive report into the province’s access to information system, along with proposed legislation to completely overhaul it. Public Engagement Minister Steve Kent says the government is — mostly — ready for the new access to information law that was formally enacted on Monday. The new law has been rated as the strongest freedom of information legislation in the country. [Telegram]

CA – Manitoba to Allow Victims to Sue for Intimate Photos Distributed Without Consent

Manitoba has introduced a law that would allow victims who had intimate images distributed without their consent to claim damages and recoup any profits from the crime. Attorney General Gord Mackintosh said the law would be the first in Canada to make it easy for victims to sue for everything from an injunction to punitive damages. The province would also partner with the Canadian Centre for Child Protection to boost funding for its tipline, which helps remove intimate images from the Internet and links victims with support. Social media has made it easier to harass and shame a person with an intimate image, Mackintosh said. [The Winnipeg Free Press]

CA – Law, Privacy and Surveillance in Canada in the Post-Snowden Era

I am delighted to report that this week the University of Ottawa Press published Law, Privacy and Surveillance in Canada in the Post-Snowden Era, an effort by some of Canada’s leading privacy, security, and surveillance scholars to provide a Canadian-centric perspective on the issues. The book is available for purchase and is also available in its entirety as a free download under a Creative Commons licence. [Michael Geist] [Canadians Have Good Reason to Be Wary of the TPP: Geist] See also: [Timothy Banks of Dentons Canada explains the requirements that prevent data from leaving Canada]

CA – OPC’s New Priorities – Commissioner Therrien Provides an Overview

The OPC will address these priorities through exploration of technological solutions, promoting good privacy governance, and enhancing public education. Other strategies to address these priorities will involve addressing challenges relating to privacy in a borderless world and the way in which these priority issues affect vulnerable groups. [OPCC] [Daniel Therrien: Appearance before the Senate Standing Committee on Legal and Constitutional Affairs on Bill C-26, the Tougher Penalties for Child Predators Act]

CA – Penalties that do not Punish: The Canadian Anti-Spam Legislation

If Compu-Finder had a valid due diligence defence resulting in a finding that they did not violate CASL, the reputational damage arising from headlines referring to million-dollar penalties is hard to undo, if not impossible. Moreover, in light of the CASL provisions that permit penalties to be assessed prior to a finding of liability, a company that is exonerated would have no legal recourse to recover damages caused to its business reputation. Imagine if this were the process in regulatory offence proceedings, whereby the prosecutor announced that a company was charged with violating occupational health and safety law and in the same breath stated that the fine would be $1.1 million. For a more extreme example, imagine a prosecutor stating to the media before a trial commenced that the sentence for a person charged with fraud should be seven years in the penitentiary. Such conduct would violate the presumption of innocence. Therein lies a key distinction. Administrative monetary penalties are not offences and do not attract Charter protection. [Global Compliance]

CA – Scarborough Hospital Privacy Breaches Lead to 19 Charges

Five people have been accused of criminal and securities offences over the sale of new mothers’ confidential records. In all, the personal health information of nearly 14,000 maternity patients at Rouge Valley Health System may have been stolen and sold, including more than 8,000 patients from its Scarborough site and a further 6,000 at its Ajax hospital. Ontario’s information and privacy commissioner reported in December that the hospitals had “failed to comply” with their legal obligations to protect personal health information. [CBC]

CA – Ex-Privacy Commissioner Pans Bell’s Ill-Fated Ad Tracking Program

“We pay for Bell service and they’re gaining at the other end by driving ads to us that we don’t want,” Ann Cavoukian, Ontario’s former information and privacy commissioner, said during a panel Monday at the Canadian Telecom Summit. “That’s not a good model. Customers don’t like this, and I’m a Bell customer.” Bell was tracking every website a consumer viewed, every app opened, every television show watched and every call made. Through the contentious relevant advertising program (RAP), the telco would marry these insights and other long-compiled account details to create a profile of users, which would then be sold to fee-paying third parties so they could better target and match their advertising initiatives. [Source] SEE ALSO: [IT World: Cavoukian: Telus Shows How Big Data and Privacy Can Work Together] [Why privacy must be baked into the Internet of Things] and [RILEY, Thomas B. Riley Obituary]

Consumer

US – Consumers Don’t Back Privacy-Personalization Trade-Off

A majority of U.S. consumers do not think trading privacy for personalized services is a fair deal, according to a survey by the University of Pennsylvania’s Annenberg School for Communication in which 55% of respondents said they disagreed or strongly disagreed that it is acceptable for stores to use shoppers’ information “to create a picture of me that improves the services they provide for me.” The study’s lead author said, “Companies are saying that people give up their data because they understand they are getting something for those data … But what is really going on is a sense of resignation,” adding, “Americans feel that they have no control over what companies do with their information or how they collect it.” [The New York Times] [Americans Resigned to Giving Up Their Privacy, Says Study] [The Online Privacy Lie Is Unraveling]

E-Government

US – OPM Data Breach: Raising Enforcement, Privacy Protection Questions

The government has an important responsibility to protect PI that it retains—whether that is the PI belonging to government employees retained by OPM, or financial information belonging to private citizens retained by IRS. But what are the consequences when government fails to protect information, as compared to when a corporation fails to protect information? The FTC and other government regulators are taking a hard look at, and in some cases bringing enforcement actions against, companies for inadequate data protection practices. (The issue of how the FTC decides to bring cases is itself an issue, as highlighted in this recent FOIA case filed against the agency). The question arises: what is the appropriate mechanism for ensuring that OPM or any other government agency is accountable for data protection? And who or what entity is in the position to judge whether government agencies’ data protection practices are adequate? [Source]

CA – IPC: Letter to the Treasury Board on the draft Open Data Directive

In this letter to Deputy Minister Greg Orencsak, Treasury Board/Secretary of Treasury Board and Management Board of Cabinet, Commissioner Brian Beamish congratulates the government for the release of the draft Open Data Directive and offers his recommendations on the best ways to move forward on the Open Government initiative. His recommendations include:

  • Ensuring the protection of personal information is explicitly highlighted when opening new data sets.
  • Requiring de-identified data to be periodically reviewed so that it cannot be linked to individuals.
  • Direction on how to further open up access to the government procurement process and disclosure of contracts.
  • Requiring that descriptions of data sets are accessible and understandable. [Text of letter] [Source]

E-Mail

WW – Facebook Supports Encrypted Emails

In a move designed to improve the security of email communications, Facebook has announced it is gradually rolling out a new feature that will allow users to encrypt messages sent from Facebook to a preferred email account. Users will be able to add OpenPGP public keys to their profiles, allowing for end-to-end encryption. Public key management is not yet supported on mobile, but, the blog post states, “we are investigating ways to enable this.” Earlier this year Facebook announced that it will help fund the development of GnuPG, an open source implementation of the OpenPGP standard. The company began encrypting all of its web traffic in 2013, making it harder for crooks and spies to eavesdrop on communications, and last year it added support for the anonymity tool Tor. Also, WhatsApp, the messaging company Facebook acquired last year, incorporated an encryption system from Open Whisper Systems into the Android version of its app last year. [New Facebook Feature Shows Actual Respect for Your Privacy] [Full Story] [Facebook Introduces PGP Encryption for Sensitive Emails]

US – MIIT Reg Provides Insight on User Consent

China’s telecommunications regulator, the Ministry of Industry and Information Technology (MIIT), has promulgated a new regulation aimed at cracking down on spam messages. Scott Livingston writes about the Administrative Provisions on Telecommunications Short Message Services that governs the sending of commercial solicitations by text or in-app messaging. “Although mainly targeting commercial solicitations, the SMS regulation provides additional guidance on the issue of ‘user consent’ that is likely to be of interest to companies involved in data collection activities in the Chinese mainland,” Livingston writes. The regulation “indicates that MIIT is taking a more sophisticated view of how consent is obtained,” he adds. [Full Story]

Electronic Records

US – Study: Privacy vs. Data Sharing: A “False Dichotomy”

Healthcare privacy and data sharing are not mutually exclusive, according to Department of Health and Human Services Office for Civil Rights (OCR) Director Jocelyn Samuels. “I don’t want to set this up as a zero-sum game where in order to get privacy you have to abandon data sharing or in order to do data sharing you have to abandon privacy,” Samuels said, calling the idea that privacy and data sharing are always at odds a “false dichotomy.” Samuels also discussed how the OCR plans to employ audits “as a tool to get out in front of potential privacy and security problems before they occur.” [FierceHealthIT]

Encryption

WW – UN Report: Encryption is a Human Right

A new report from the United Nations states that encrypted communications are needed to protect freedom of opinion and expression and that encryption is a human right. UN Special Rapporteur David Kaye said encryption creates a “zone of privacy to protect opinion and belief.” He added, “The ability to search the web, develop ideas and communicate securely may be the only way in which many can explore basic aspects of identity, such as one’s gender, religion, ethnicity, national origin or sexuality.” [The Intercept] See also: [Microsoft’s Top Lawyer Says Company Must Weigh Encryption Limits]

US – Gov’t Websites Must Switch to HTTPS Before 2017

The White House Office of Management and Budget (OMB) announced that all federal websites are now mandated to be encrypted under a secure connection. While policy-makers acknowledge that the switch to HTTPS only covers the connection and not the systems themselves, the OMB believes the move “will eliminate inconsistent, subjective decision-making regarding which content or browsing activity is sensitive in nature and create a stronger privacy standard government-wide,” the report states. The change, which has a deadline of December 31, 2016, aims to promote “better privacy standards for the entire browsing public.” [Source]

US – App Claims NSA-Proof Encryption

USMobile has released the Android app Scrambl3, an encryption tool “developed in collaboration with the NSA” that does not have a “backdoor” for law-enforcement monitoring. While the goal of the app is to afford smartphone users more comprehensive privacy—the company has vowed not to collect data gleaned from the app on its own servers—its security is such that it has garnered “a special U.S. export license” so as to keep it from the hands of countries with known terrorist activity. Jon Hanour, cofounder and president of USMobile, stands by Scrambl3’s abilities. “We believe the NSA cannot break our encryption,” he said. [Yahoo Tech]

US – Facebook Moves to Encrypt the Emails it Sends Users

With anti-surveillance, kill-that-damn-Patriot Act fever rising, both US and UK governments and law enforcement agencies have been gnashing their teeth over strong encryption, given that it scrambles communications for those who don’t have the correct key to decrypt them. For example, Apple and Google both annoyed US law enforcement by updating their mobile devices to have encryption turned on by default – a move that went “too far,” FBI Director James Comey said. With OpenPGP, Facebook aligns itself with all those annoying tech companies opting for strong encryption on their users’ communications. [Naked Security]

US – Recent Thefts Indicate Encryption Is a Must

After payroll processing organization Heartland Payment Systems had unencrypted computers stolen from its Californian headquarters—the second of such recent thefts—critics are calling for more comprehensive data protection that includes the “physical” elements as well as digital. This comes on the heels of a recent lawsuit from consumers allegedly affected in the Home Depot data breach, who claim the corporation had “overarching complacency when it came to data security.” The Forbes piece advises, “If you are responsible for or you work in security for an organization, be sure to review where your data actually is and map that to where you think that it should be.” [Forbes]

WW – Philip Zimmermann: King of Encryption Reveals His Fears for Privacy

Zimmermann and Snowden are 30 years apart in age, but their actions have framed the privacy debate. Zimmermann switched his focus from campaigning against nuclear weapons to pushing back on state snooping in 1991, when he released PGP for free over the internet in an act of political defiance. His protest helped prevent legislation which would have forced software companies to insert “backdoors” in their products, allowing the government to read encrypted messages. The creator of PGP has moved his mobile-encryption firm Silent Circle to Switzerland to be free of US mass surveillance. Here he explains why. [Source]

AU – Crypto Party Craze: Australians Learning Encryption

A new kind of party craze has many Australians scrambling for invitations. Crypto parties, where people gather to learn online encryption, are attracting everyone from politicians to business people to activists. Two years after US spy agency contractor Edward Snowden leaked documents from the National Security Agency, exposing mass global internet surveillance, there is rapidly growing interest in protecting online activity. There have been crypto parties in Brazil, Germany and the UK, and more than a dozen have already been held in Australia. Apps like Wickr, Confide and WhatsApp have taken encryption out of the geek lab and to the masses. [Source]

EU Developments

EU – New EU-US Data Transfers Agreement Due Soon, Says US Official

EU and US officials should agree a new framework for the transfer of personal data by companies from the EU to the US “very, very soon”, a US official has said. The new agreement would replace the safe harbour framework which currently exists and facilitates the transfer of personal data from the EU to the US by US businesses. [Out-Law] [Reuters] [EU Justice Commissioner Vera Jourová has said European regulators are waiting for the U.S. to move on the use of personal data by its intelligence services before any further progress resumes on the future of the Safe Harbor agreement.]

EU – Fate of Safe Harbor in Limbo as EU Waits for U.S. to Budge

EU Justice Commissioner Vera Jourová has said European regulators are waiting for the U.S. to move on the use of personal data by its intelligence services before any further progress resumes on the future of the Safe Harbor agreement. Of the 13 recommendations sent to the U.S., two remain unfulfilled. “There, we’re still negotiating because we haven’t received satisfactory responses from the American side,” she said. European Data Protection Supervisor Giovanni Buttarelli said, “We are aware about the difficulties but at the same time, it’s time to have an answer from the U.S. side—on the commercial dimension and on the national security exception.” Additionally, U.S. Attorney General Loretta Lynch is meeting with Jourová and other EU officials Tuesday to discuss transatlantic cooperation. [EurActiv] See also: Jan Dhont and Alyssa Cervantes report on the European Court of Justice’s examination of a key question concerning the future of transborder data flows between the U.S. and EU.

EU – New Guidance on Processor BCRs Published by Art 29 WP

The Article 29 Working Party published new guidance on data processor BCRs, the significance of which “cannot be overstated.” That’s because the updated document offers guidance on how processor BCR companies should respond to government requests for access to data, a topic of great contention in Europe since the Snowden revelations. It puts companies in a catch-22, because it suggests companies receiving a government request for data put the request on hold and share with the relevant European DPA—something which may not be possible under foreign legal requirements. [Privacy and Information Law Blog] [Handling Government Data Requests Under Processor BCR]

EU – GDPR Trilogue Agenda Released

Group PPE has released a timetable for finishing up the European Parliament’s data protection reform, including an agenda for the highly anticipated trilogue process that details the proposed six-month schedule. This puts the proposed EU General Data Protection Regulation in the final stretch of what has surely been a marathon-like process. Hogan Lovells Partner Eduardo Ustaran breaks down the remaining hurdles and offers his predictions in this final stretch. Moving forward, “the challenges that lie ahead will be a real test of endurance,” he writes. [Source] [Privacy Perspectives] See also: [In the context of French, Spanish, German and Dutch regulators’ investigations into Facebook’s practices, The New York Times reports on the increasingly complex questions surrounding regulation in the EU] [In a blog post for Hogan Lovells’ Chronicle of Data Protection, Partner Eduardo Ustaran examines the much-discussed one-stop-shop proposal]

EU – EU Governments in Disagreement Over Data Breach Liability Rules

EU governments are in disagreement over whether consumers should be able to sue businesses for damage they suffer as a result of a data breach even where those businesses are not responsible for the damage caused. The leaked papers also reveal that there is disagreement about whether data controllers and data processors should share the bill for damages where they are both responsible in part for non-compliant processing of personal data. This would require consumers to sue each of the businesses involved in that processing to recover from them what they each owe for the damage caused. [Out-Law]

EU – German Gov’t Proposes Telecom Data Retention Law

The draft data retention law unveiled on Wednesday would oblige providers to store call and Internet traffic metadata for a maximum of 10 weeks while location data would have to be stored for four weeks, the German government said. The measure is meant to help law enforcement agencies in their fight against terrorism and serious crime. According to the government, it strikes the right balance between freedom and security in the digital world. However, plans to retain metadata for these purposes are controversial in Germany and the draft law was immediately heavily criticized. [PC World] [Revised Data Retention Sought by Merkel Cabinet] [A draft German data retention law has been released, establishing new rules for telecommunications and Internet providers.] See also: The Guardian offers an outline of new surveillance powers proposed in the UK and what they would mean for businesses

EU – DPC Doubtful Proposal Is Constitutional

Data Protection Commissioner Andreas Voßhoff is criticizing the government’s bill on data retention, saying it not only amounts to a disproportionate violation of Germans’ basic civil rights but also those of other Europeans. Voßhoff wrote in a 31-page position paper that the government’s bill is “still not capable of” alleviating “considerable doubts regarding the general constitutionality” of data retention in telecommunications traffic, the report states. The bill would allow retention of all citizens’ telephone and Internet communications for 10 weeks. Voßhoff said the bill interferes with laws protecting the basic right to respect private and family life and protect personal data. [EurActiv]

UK – UK Intelligence Agencies Should Keep Mass Surveillance Powers: Report

UK intelligence agencies should be allowed to retain controversial intrusive powers to gather bulk communications data, but ministers should be stripped of their powers to authorise surveillance warrants. That is the conclusion of a major report on British data laws published this week that proposes changes to the oversight of GCHQ and other intelligence agencies. The 373-page report, A Question of Trust, by David Anderson QC, also comes in response to revelations by the US whistleblower Edward Snowden about the scale of government surveillance disclosed two years ago. GCHQ will be happy to have retained its bulk collection powers while privacy campaigners will be dismayed. The privacy lobby will take comfort though in the shift on warrants to judicial control. The security agencies are likely to be relaxed about judicial control, which would bring the UK into line with the US and many other intelligence-gathering countries. As a direct consequence of the Snowden revelations, the report recommends that existing legislation on surveillance, the Regulation of Investigatory Powers Act (Ripa), be scrapped and fresh legislation drafted from scratch. The report by the official reviewer of counter-terrorism laws was commissioned by David Cameron in July last year. The findings are likely to feed into proposed legislative changes on surveillance announced in the Queen’s speech. [The Guardian]

EU – GCHQ Uses Data Techniques Outlawed In US, Say Campaigners

Privacy International files legal claim and calls for end to harvesting of ‘bulk personal datasets’ by UK following last week’s passing of USA Freedom Act. The passing of the USA Freedom Act last week curtailed so-called “section 215” bulk collection of phone record metadata – information about who called whom, and timings, but not the content of conversations. It was a victory for the libertarian cause and a restriction of state surveillance powers. By contrast, UK privacy campaigners say, parliament’s Intelligence and Security Committee (ISC) has confirmed that GCHQ is still collecting datasets relating to “a wide range of individuals, the majority of whom are unlikely to be of intelligence interest.” [Source] [MPs Tom Watson and David Davis, with civil rights group Liberty, will petition the UK High Court in opposition to the Data Retention and Investigatory Powers Act, a measure that enabled the UK government to have “more surveillance power and Internet control” and allegedly competes with the European Convention on Human Rights] [Tim Berners-Lee Criticizes New Surveillance Plans of the British Government, Urges Britons to Fight the Snooper Charter]

UK – Legal Bid Over Personal Dataset Use

Privacy campaigners have launched a legal challenge against the use of large databases of personal information by Britain’s spy agencies. They are calling for watchdogs to intervene to end a technique which is seen as an “increasingly important investigative tool” for intelligence agencies. Privacy International said it lodged a claim at the Investigatory Powers Tribunal (IPT) objecting to the use of “bulk personal datasets” by MI5, MI6 and listening post GCHQ. They contain information which may be “extremely intrusive and sensitive” about “very large numbers of people, the majority of whom are of no legitimate intelligence interest whatsoever”, legal papers from the campaign group allege. Privacy International is calling on the IPT to declare the use of the datasets unlawful and issue an injunction blocking their future use. The Home Office said all surveillance activity is carried out in accordance with a “strict legal and policy framework”. Details about the use by security services of bulk personal databases emerged in a report by MPs earlier this year. The Intelligence and Security Committee (ISC) said they are “large databases containing personal information about a wide range of people” which vary in size from hundreds to millions of records. They are used to identify “subjects of interest” during the course of investigations, establish links and as a means of verifying information obtained through other sources. The report said GCHQ told the committee it considers bulk personal datasets to be an “increasingly important investigative tool” which is primarily used to “enrich” information already obtained through other techniques. [Source]

EU – What to Look Out for in Britain’s New Surveillance Bill

The government intends wholesale reform, but will it perpetuate a dark history of invasion of privacy or follow the US example, and end invasive surveillance? It is now clear that the government intends to pursue wholesale reform of surveillance law in the UK in the guise of the investigatory powers bill, which the government would like to see passed within a year. In some ways, this is a positive development: after two years of intense scrutiny by courts and committees, Britain’s legal framework for surveillance has been found desperately wanting, and a decision to overhaul surveillance law, rather than simply extend powers by attempting a revival of the snooper’s charter, raises the prospect that the government may be taking heed of some of the criticisms it has received. On the other hand, the investigatory powers bill could well turn out to be the government’s attempt to correct the technical legal failings of the current framework, insulating it from the inevitable criticism of the European court of human rights, while acquiring even more invasive surveillance powers. [Source]

EU – Senate Vote “Essentially Ensures” New Law

The French Senate has supported a new surveillance bill that would give intelligence agencies more freedom to monitor phones and email without a judge’s permission. By a vote of 251 to 68, the Senate took “a major step toward giving its spy agencies vast new powers in the wake of the deadly Charlie Hebdo attack,” the report states, noting the bill, which includes “a clause that would allow intelligence agencies to collect and analyze user metadata,” gives “law enforcement more power to monitor citizens without first going through the customary independent nine-person panel.” The Senate’s vote “essentially ensures the eventual adoption” of the legislation, the report states. [The Christian Science Monitor]

EU – Breach Notice Becomes Law in The Netherlands

Under the new law, the CBP will have the authority to impose administrative fines ranging from €20,250 for relatively minor violations of the DPA to €810,000 for more serious violations. If the maximum fine is not deemed to be a suitable punishment, the CBP may also impose an administrative fine equal to 10% of the net annual turnover of the company in the preceding year. The law sets out specific circumstances in which the maximum fine may be imposed, but the imposition of the maximum fine requires the CBP to first give the offender a warning to rectify the breach, a so-called “binding instruction.” [DataProtectionLaw] [Data Guidance]

EU – CNIL to Investigate Data Privacy in Contactless Payments and Digital Health

The data protection authority in France is to review whether the use of contactless payments technology in the country respects consumers’ privacy. “CNIL is likely to be interested in the type of data that is being collected through contactless payments systems and whether the collection of that data is proportionate.” “CNIL will also want to ensure that sensitive payment data is not retained or is securely protected from hackers and that consumers’ right to object to the processing of their data via contactless payment systems is being observed.” “Data security in contactless payments is another issue CNIL will be concerned with and it will have a number of questions for companies about the steps they are taking to keep the sensitive account details of consumers private.” [Source] [France’s Data Protection Authority, the CNIL, has promised a focus on “contactless payments, Binding Corporate Rules and wellness and health devices and services” in the coming year, and it plans to inspect 550 organizations in 2015]

EU – CNIL Shows Regulatory Interest in Connected Cars and Smart Cities

The CNIL reported that it received over 5,000 complaints in 2014 and conducted over 400 investigations, including 146 remote investigations (the CNIL has been empowered since March 2014 to conduct remote investigations). It also issued 62 cease-and-desist letters, ordered eight monetary fines and seven warnings in 2014. In addition, the CNIL revisited the actions it took in 2014, including the publication of “compliance packs” for certain industry sectors, such as the insurance sector (see our blog post of December 2014), the adoption of an accountability standard and the creation of a hub within the CNIL which is dedicated to BCRs. [Source]

EU – CNIL to Google: Delist on All Domains, or Else

The CNIL, France’s Data Protection Authority, has issued a report stating Google has not been universally removing links following the Court of Justice of the EU’s recognition of “the right to delisting” last year. “In this context, the president of the CNIL has put Google on notice to proceed, within a period of 15 days, to the requested delisting on the whole data processing and thus on all extensions of the search engine,” the CNIL announced. Meanwhile, former UK GCHQ Director David Omand described Google as one of the few companies willing to work with intelligence agencies. Separately, Dan Shefet, the Danish lawyer who was able to have Google remove “defamatory information about him worldwide,” met with the EU to discuss ways to make the right-to-be-forgotten easier to implement, Reuters reports. [Full Story] SEE ALSO: [Italy’s Data Protection Authority, the Garante, has issued a data protection handbook for employers to use as a tool in navigating privacy regulations that are applicable to the employment relationship] [Italy’s new cookie policies came into effect last week]

Facts & Stats

US – Survey Indicates Change in Security Practices Needed

The Informatica Corporation’s recently published survey, “The State of Data Security Intelligence,” indicates that IT professionals are concerned about “escalating” privacy worries at work and the relative ineptitude of companies regarding data breaches, concluding there is a “need for consensus for data security intelligence.” The study involved more than 1,700 IT professionals, and 55% of those who “have had a breach in the past 12 months believe it could have been avoided if certain processes and intelligent technologies had been in place,” the report states. The findings indicate change is needed, said Larry Ponemon. “Organizations need to seriously consider adopting a data-centric security stance without delay. To do otherwise may soon be construed as negligence.” [Full Story]

US – Data Breach? Blame the CEO

A recent New York Stock Exchange and Veracode survey of 200 corporate directors finds that a majority of board executives place the blame for data breaches on CEOs over security teams, and the reason for doing so might be money. “That the directors are holding entire executive teams accountable ahead of security officers may reflect their acknowledgment that maintaining defenses costs time and money, and that higher-ups tend to hold the purse strings and set the priorities within organizations,” the report states. “Indeed, security officers can easily be hamstrung if they don’t receive the resources they need.” [Fortune]

CA – Cost of an Average Canadian Data Breach is $5.3 Million: Study

CSOs who need a weapon to convince management to up the IT security budget can throw this at them: The average cost to an organization of a data breach in Canada last year was just over CDN$5.3 million — about $2 million higher than the global average. That’s according to research conducted by the Ponemon Institute and sponsored by IBM, which looked at the actual costs of data loss or theft suffered by 21 Canadian companies in 11 industry sectors. The costs were based upon estimates provided by the organizations interviewed over a 10-month period. Ponemon acknowledges that the 21 companies sampled were not statistically representative of all companies here that suffered a breach last year. Note that’s an average cost: The study didn’t include organizations that lost over 100,000 records because they wouldn’t have been representative of most breaches. (The average number of lost records in the group was just over 20,400. The biggest number of lost records among the 21 firms studied was 74,550). Among the report’s highlights:

  • The biggest component of the CDN$250 per record cost of data breach in the studied companies was detection and escalation ($91). Post data breach response (ex-post response) and lost business were $67 and $84, respectively. Customer notification costs represented $8 per compromised record;
  • Certain industries had higher data breach costs. Financial, services, technology and energy had a per capita data breach cost substantially above the average $250. Public sector, education, and consumer organizations had a per capita cost well below that;
  • Malicious or criminal attacks caused the most data breaches. 52% of incidents involved a data theft (exfiltration) for criminal misuse. System glitch and employee negligence or human error both represented 24% of all data breaches;
  • Incident response teams and plans, extensive use of encryption, employee training programs, board-level involvement, CISO appointments, business continuity management and insurance protection decreased the per capita cost. However, third party involvement, lost or stolen devices, quick notification and engagement of consultants increased the cost.

The report was one of a series released last week covering Canada, the U.S., the U.K., Germany, Australia, France, Brazil, Japan, Italy, India, and the Arabian region. [Source]

UK – Average Data Breach Costs £4.25M

An annual study from the Ponemon Institute and IBM found that the average per capita cost of a data breach increased to US$217 in 2015 from $201 in 2014. Plus, the average total cost of a data breach increased to $6.5 million from $5.8 million the prior year. The U.S. study looked at 62 companies in 16 industry sectors after they experienced the loss or theft of protected personal data and then had to notify victims. The cost per record takes into account indirect costs, such as abnormal turnover or churn of customers, as well as direct costs caused by the breach itself, including technology investment and legal fees. Only $74 was attributed to direct costs. The study also noted, however, that not all records are seen as equal when stolen. Health records have an average cost of $398 each, whereas retail records cost $189 each. [SC Magazine]

UK – UK Firms Suffer More Data Breaches

The number and cost of data breaches suffered by British organisations have increased, a Government-commissioned report found. Nine in 10 large organisations reported being hit by an information security incident, an increase from 81% last year, research by professional services firm PwC found. Nearly three-quarters of smaller firms (74%) were affected by breaches, up from 60% a year earlier. The study also found that the average cost of the most serious incidents has jumped. The average is now between £1.46 million and £3.14 million. It means the higher end of the range has more than doubled from the £1.15 million recorded in the same report a year ago. Costs of breaches include business disruption, lost sales and recovery of assets. Incidents include infection by viruses or malicious software, theft or fraud involving computers, other breaches caused by staff and attacks by an unauthorised outsider. The report said there was a rise of more than a third (38%) in the number of external attacks on large organisations. These involved activities such as “penetration of networks”, denial of service attacks, phishing scams and identity theft. By contrast, frequent, large and unsophisticated attacks appear to be declining among the businesses surveyed. The report said the nature of the most serious incidents is changing to become “more targeted”. It added: “Small businesses should not presume that they will escape targeted attacks.” [BT News]

WW – Full Results of 2015 IAPP Salary Survey Released

With data from more than 1,300 privacy professionals around the world, the 2015 IAPP Salary Survey has information on compensation related to experience, industry, certification, geography and gender, along with historical trends, in the most extensive survey of the privacy profession we’ve ever done. Our executive summary, highlighting the major findings, is open to everyone, but only IAPP members have access to the full report, with more than 50 pages of statistics. [Full Story]

Filtering

US – Deleted Political Tweets Archive Disabled

A website that collected the deleted tweets of politicians was shuttered by Twitter last month. Access by Politwoops, which was funded by the Sunlight Foundation, to Twitter’s API was suspended because it contravened Twitter’s terms of service. A Twitter spokesman said, “We strongly support Sunlight’s mission of increasing transparency in politics and using civic tech and open data to hold government accountable to constituents, but preserving deleted Tweets violates our developer agreement,” adding, “Honoring the expectation of user privacy for all accounts is a priority for us, whether the user is anonymous or a member of Congress.” [Ars Technica] [Gawker]

Finance

US – Virtual Currencies Placed Under New Regulatory Requirements

The New York Department of Financial Services (NYDFS), an agency that regulates Wall Street, issued new rules that will place restrictions on financial firms wanting to use virtual currencies. NYDFS’s Benjamin Lawsky said, “We think regulation is important to the long-term health of the virtual currency industry,” adding, “Building trust and confidence among consumers is crucial for wider adoption. It also helps attract additional investment.” Financial firms using virtual currencies must obtain a “BitLicense” and keep detailed records of bitcoin transactions, the report states. “We simply want to make sure that we put in place guardrails that protect consumers and root out illicit activity—without stifling beneficial innovation,” Lawsky said. [The Hill]

US – Dear Banks: Protect Your Clients by Restricting Tellers

New York Attorney General (AG) Eric Schneiderman believes that the way to increase security at banks is to deny tellers the current “unfettered” access they have to client accounts, as such access can allow tellers to steal “customer data and money” with relative ease. The AG’s office “found that ‘insider wrongdoing’ such as the tellers’ crimes was the No. 3 cause of data breaches in New York, behind hacking and lost or stolen equipment,” the report states. “While teller-fraud cases often get overlooked because of the small dollar amounts involved,” Schneiderman feels that should not be a deterrent. “Bank customers are still at risk,” he said. [The Wall Street Journal]

CA – Canada’s Insurance Regulators Sign MOU to Share Industry Conduct Information

Four members of the Canadian Council of Insurance Regulators (CCIR), an inter-jurisdictional association of insurance regulators, announced on Monday that they have signed a memorandum of understanding (MOU) that “sets out the terms for cooperation and exchange of information across provincial and territorial jurisdictions” to make the process simpler and more effective. The MOU will address issues like risk surveillance, consistent handling of consumer complaints, commercial practices and protection of confidential information. “CCIR members represent every province and territory, and it’s in all our interests to work more closely to ensure that we can cooperate and share information on Solvency Supervision and Market Conduct of Regulated Entities,” CCIR chair Patrick Déry said in a statement. “As a result, today we are signing a comprehensive MOU that will formalize information sharing and address issues like risk surveillance, consistent handling of consumer complaints, commercial practices and protection of confidential information.” Déry said in the statement that the remaining CCIR members are expected to join their counterparts in British Columbia, Alberta, Ontario and Quebec and sign on to this new MOU in the “coming months.” The CCIR signatories have agreed to share information needed to coordinate regulation of insurance companies that carry on business in more than one province or territory. The MOU also provides specific protocols for the sharing of confidential information. All provinces and territories conduct investigations into consumer complaints about insurance practices, but the MOU will also allow jurisdictions to share in “broader market and risk analysis.” [Canadian Underwriters]

US – RadioShack Bankruptcy Case Highlights Value of Consumer Data

This case serves as an important reminder that companies must think about these types of issues on a regular basis as they conduct business. Companies must carefully consider the promises they make to consumers, particularly promises that may be overbroad and short-sighted or, at worst, untrue. Moreover, companies acquiring or investing in other companies should carefully consider the privacy issues surrounding consumer data, particularly if consumer data is a key asset in the deal. [InfoLaw]

FOI

CA – Freedom of Information Laws a Poor Match for Secretive Governments

Advocates say lengthy delays, obfuscation and retroactive laws are defeating transparency. B.C. Privacy Commissioner Elizabeth Denham has raised concerns about the timeliness of responses and an increase in cases where no record could be found in response to a request — no email, text or paper trail. The Federal Court of Appeal recently chastised the Department of National Defence for telling someone it would take more than three years to respond to a request. And federal Information Commissioner Suzanne Legault has warned against amendments to the Access to Information Act that would retroactively protect RCMP from prosecution for destroying long-gun registry records. If anything, she argues, the act needs tougher penalties along with greater access. “Access to information held by government is critical to the functioning of a modern democracy,” Legault said in press conference in March. “However, in reality, an act that was intended to shine a light on the decisions and operations of government has become a shield against transparency.” [CBC]

CA – Four Things to Know About Highway of Tears Scandal

It’s a scandal that has the potential to rock Christy Clark’s supremacy in B.C. A former legislative staffer claims the Liberal government routinely circumvents Freedom of Information laws by deleting sensitive documents and emails. When Tim Duncan questioned the practice, he said he was told: “It’s like in the West Wing. You do whatever it takes to win.” Duncan, who used to work for the province’s Transportation Minister, Todd Stone, came forward last week. In a letter to the province’s privacy commissioner, he claims his colleagues deleted emails pertaining to the infamous Highway of Tears. [National Post]

Genetics

US – Men Win Case Under Genetic Discrimination Law

This was the first case tried under a law preventing employers and insurers from discriminating against people with genes that increase their risks for costly diseases. The case, however, involved two men who sued their employer after the company asked them to take a DNA test in an effort to find a match for feces that someone had nefariously been leaving around their work facility. The men, who were cleared of any wrongdoing when the DNA did not match, were subjected to humiliating jokes, the report states. A judge ruled in favor of the men, ruling the test falls under the Genetic Information Nondiscrimination Act. [The New York Times]

US – Cops Use DNA Analysis to Prove Waiter Spit in Customer’s Drink

A New York man who suspected that a restaurant waiter had spit into his drink got the law involved and investigators were able to determine who spit into the drink using DNA analysis, according to court documents. [Source]

Health / Medical

US – HIPAA Violation Results in 10-Year Sentence

The recent sentencing of two individuals in Alaska to 10 and two years in prison, respectively, illustrates the power of the HITECH provision and that HIPAA crimes have serious consequences in the eyes of the law. While the maximum punishment for HIPAA-related crimes is 10 years and cases thus far in the U.S. haven’t been frequent, 2009’s HITECH law permits big punishments. “The HITECH Act amended the criminal provision to more explicitly permit prosecutors to go after anyone who improperly obtains or discloses health information, even if not part of a covered entity.” [Gov Info Security]

US – Two-Thirds of Doctors Reluctant to Share Health Data with Patients

The polling question was simple. Should patients have access to their entire medical record – including MD notes, any audio recordings, etc.? For many, the response by over 2,300 physicians came as no real surprise.

  • 49% – Access to all records should only be given on a case-by-case basis
  • 34% – Yes, Always
  • 17% – No, Never

In effect, a full two-thirds (66%) were clearly reluctant to share health data with their patients. A significant 17% were completely opposed to the idea outright. [Forbes]

CA – Ontario MD Watchdog Becoming Less Secretive

Ontario’s medical watchdog has become less secretive about doctors who make mistakes and act improperly. In an effort to increase transparency and accountability, the College of Physicians and Surgeons of Ontario is now letting patients know when it has “orally cautioned” doctors. New measures, adopted by the regulator last week, also include calling on the province to get tougher with physicians who sexually abuse patients, calling for “mandatory revocation” of doctors’ licences in all cases of “physical sexual contact” with patients. In addition, it has plans to ponder whether it should report to police whenever a physician may have committed a crime, and whether gender-based restrictions are appropriate. [Toronto Star]

US – Social Media Policies Needed in Medical Offices

Medical offices need social media policies for their employees. With the advent of a constant social media presence, the potential for a HIPAA slip-up or breach of patient privacy via an employee’s personal account has grown. “Creating a social media policy to clarify the standards for permissible and prohibited content for both personal and professional social media is one way to protect your patients, your productivity and your business reputation,” the article states. Smaller offices are encouraged to mimic other preexisting healthcare privacy policies, “setting examples” of what is appropriate to post, and making the consequences of a breach of protocol explicitly clear. [Healthcare IT News]

US – Health Sites Lack Proper Safeguards: Research

According to student research, online health resources like WebMD do not have adequate privacy controls for their search engines. The University of Pennsylvania’s Tim Libert discovered that symptoms typed into these engines were being sold to third parties. “There’s been some kind of chilling cases: companies selling lists of people who had been raped or people who had AIDS,” Libert said. “So there’s a market for this stuff.” The report also looks at the marked difference between patient treatment in real time and on websites. “Anything that is happening on the Web today is pretty much completely unregulated,” Libert said, noting that HIPAA, while a “pretty good law,” doesn’t necessarily translate online. [NPR]

Horror Stories

US – FBI Examining IRS Attack

The FBI will investigate the data breach at the Internal Revenue Service and is working “to determine the nature and scope of this matter,” while Dark Reading reports early information about the breach “is offering security food for thought to both public- and private-sector organizations. According to security pundits, the breach offers ample evidence of authentication weaknesses prevalent today and also shows how interconnected unrelated data breaches can really be.” [The Hill] [IRS Authentication Method Criticized] [The New York Times – IRS to Make Sweeping Changes Following Breach] [Government Executive: IRS Commissioner Says Budget Crunch Not to Blame for Breach]

US – Massive Cyber Attack Hits US Federal Workers, Probe Focuses on China

In the latest in a string of intrusions into US agencies’ high-tech systems, the US Office of Personnel Management (OPM) suffered what appeared to be one of the largest breaches of information ever on government workers. The office handles employee records and security clearances. A US law enforcement source said a “foreign entity or government” was believed to be behind the cyber attack. Authorities were looking into a possible Chinese connection, a source close to the matter said. [Source] [Federal Personnel Info Stolen: Hackers Grab Data on 4 Million Workers] [The New York Times: Hackers May Have Obtained Names of Chinese With Ties to U.S.] [$21 million tab to taxpayers for clean up after massive Chinese hack of federal database]

US – OPM Breach: Unanswered Questions on Scope, Attribution, Impact

The FBI has confirmed that it’s investigating the intrusion, which was revealed June 4 when the OPM posted a breach notification on its website. The office said it discovered the intrusion in April as it was continuing to update its information security defenses. Here are seven key questions related to this rapidly unfolding story. [Data Breach Today]

US – Union: OPM Breach Response “Abysmal Failure”

A union representing federal employees has criticized the Office of Personnel Management’s response to its massive data breach, calling it an “abysmal failure” and claiming it was much worse than disclosed. The American Federation of Government Employees says the breach allowed hackers to obtain data—including Social Security numbers—for every federal employee, every federal retiree and up to one million former federal employees. A Wired report looks at ways in which the breach has far graver repercussions than anyone could have thought. [The Wall Street Journal]

US – Gov’t Breach May Reach Beyond Federal Employees

The massive data breach that affected at least four million government employees may also involve private citizens’ personal data. Information about family, friends and even college roommates is often included on forms for federal background checks that “were, in their entirety, part of the stolen information,” meaning a “potential release of a staggering amount of information, affecting an exponential amount of people,” an official said. Some of the compromised data dates back to 1985. House Homeland Security Committee Chairman Michael McCaul (R-TX) described the breach as “the most significant breach of federal networks in U.S. history,” but two “privacy-minded” Senators are pushing back against calls from lawmakers to immediately pass a stalled cyber bill. [ABC News]

CA – Stolen Maternity Records Part of Larger Investigation

The alleged scheme to sell stolen maternity ward records to investment brokers so they could peddle RESPs to new mothers was much larger than previously believed, according to sworn police documents. After charging a former Rouge Valley Hospital clerk last November, this week the Ontario Securities Commission laid charges against another hospital employee and three financial salespeople. But the 290-page document summarizing the police investigation reveals that police were aware of at least 15 other RESP sales representatives and two other hospital employees involved, though they haven’t been charged. By the numbers:

  • $11,420 – minimum amount police say three financial salespeople paid two nurses for the names of new mothers.
  • 14,450 – number of mothers contacted by Rouge Valley Hospital to inform them that their confidential patient information may have been stolen.
  • $1 – how much the nurse and clerk were allegedly paid per name.
  • $2.50 – the price for one name that one RESP salesperson charged when selling them to other sales representatives. [Source] [Nurses, financial execs charged in patient RESP scheme]

UK – Are Organizations Ready for Watershed Moment?

While there’s ample evidence to show that data breach incidents have risen markedly, they didn’t necessarily “garner the kind of media coverage that can help to increase organizations’ awareness and encourage them to take the risks seriously,” a new whitepaper from Experian reports. Data Breach Readiness 2.0 outlines this changing landscape, the future of data breaches and offers a “customer first” approach to data breach response that includes a focus on managing the impact on those affected, “recognizing that this is where all other impacts ultimately flow from.” The whitepaper also encourages regular testing of programs and plans to ensure all possible outcomes are covered. [Data Breach Readiness 2.0]

US – Looted Pharmacies Mean Privacy Concerns

Looted pharmacies in Baltimore, MD, are alerting customers that the labels on stolen prescription drugs are a potential privacy threat. While the stolen drugs’ labels do not disclose SSNs, they do contain information such as names and addresses, permitting thieves to refill the prescription at the original prescription-holder’s expense, amongst other acts of fraud. In the wake of this revelation, brands such as Rite Aid have sought the assistance of risk management firm Kroll in an attempt to protect customer privacy. Thus far, however, “There is no evidence that personal information found on stolen prescriptions has been used for fraud, pharmacy and law enforcement officials said,” the report states. [The Baltimore Sun]

US – Heartland Breached Again

Another breach at Heartland Payment Systems has affected their payroll customers. The company made a breach warranty promise earlier this year because it said it was “so confident in the security of its payment processing technology.” But a break-in at its California offices saw thieves make away with a large number of computers and other materials. State and federal law enforcement are involved in investigating. [Forbes]

AU – Adobe Breached Privacy Act Leaving 38 Million Customers Exposed

Adobe has agreed to allow an independent auditor to ensure it has taken sufficient steps to harden its systems following a cyber attack that left 38 million of its customers exposed to fraud in 2013. Australian Privacy Commissioner Timothy Pilgrim revealed that he had requested the audit after revealing the findings of an inter-governmental report that led him to conclude that the software company breached the Privacy Act. Adobe had not responded to requests for comment on the findings, but a spokeswoman for the Office of the Australian Information Commissioner (OAIC) confirmed that the software company had agreed to the measure. The breach, which took place when Adobe left an obsolete server containing personal information exposed to the internet for about three months, gave hackers access to a database containing massive amounts of sensitive information belonging to its Australian customers. It included email addresses, encrypted passwords and plain text password hints, and in about 135,000 cases encrypted card numbers and other payment information. Overall, the breach impacted 1.7 million Australians. [CSO Online]

US – Adobe Finalizes Settlement Details

Adobe will “improve its security measures and pay nearly $1.2 million in legal fees plus $5,000 per named plaintiff” to settle a class-action lawsuit stemming from a 2013 data breach. In that incident, Adobe customers’ payment card data and personal information were compromised. According to the court filing, “expert analysis concluded that although measures could have been taken to minimize or prevent the breach, there was little to no evidence that any of Adobe’s customers suffered identity theft or actual damages as a result of it,” the report states, noting the settlement is now subject to the approval of U.S. District Judge Lucy Koh. [SC Magazine]

WW – Other Horror Stories in the News

The Office of the Australian Information Commissioner has said it is gathering more information about the recent breach at Woolworths, and Sally Beauty issued a statement detailing what happened in its March data breach. | [Indian Music Service Breach affects 10 million Gaana.com users] | [Following a breach lawsuit, Cottage Healthcare System’s insurer “argues that it is not liable for the payout because Cottage did not provide adequate security for its documents, a clause the California hospital network agreed to when it signed the insurance policy”] | [Laptop Containing Personal Information of MoD Employees Stolen From Motorway Services]

WW – Your Data is Showing

Courts and consumers are faced with a quandary. Data leaked now could be used a decade or more hence, and both courts and individuals are left calculating probable future risk as well as current exposure. Consumers face limited options for protecting themselves. A telling measure of frustration is a syndrome that has been termed “data breach fatigue.” A third of people notified about a breach don’t take any action at all, according to a 2014 study by the Ponemon Institute. [First Look]

Identity Issues

US – Government’s Plans to Identify You Based on Your Tattoos

Tattoos aren’t just for rebels: 1 in 5 American adults have some ink, according to recent polls. And now the government is trying to beef up technology that can automatically identify people by their tattoos. The National Institute for Standards and Technology, a part of the Commerce Department that has taken the lead on evaluating biometrics, organized a “challenge” in which groups faced off to see who could deliver software and algorithms that identified tattoos most accurately. The event, sponsored by the FBI’s Biometric Center of Excellence, brought together researchers from academia and the private sector to test image recognition technology against five different scenarios. [The Washington Post]

US – Electronic ID Pilot Begins

The government has begun distributing electronic identity (eID) cards “as a pilot project, a step to better protect citizens’ personal information from online leaks.” Developed by the Ministry of Public Security’s No.3 Research Industry, “the eID will be citizens’ second identity for use in cyberspace. It features a cryptographic algorithm technically impossible to hack and would only generate random strings once cracked,” the report states, noting it “could be loaded to bank cards, SIM cards and identity cards.” The eID “provides a person’s true identity” and could be used for online interactions that “involve financial security, property safety and privacy of Internet applications,” the report states. [Global News] [ReadWrite: Two-Factor Authentication a Workplace Necessity] [New Zealand: Expert perspectives on digital identity and privacy]

Internet / WWW

US – FTC Workshop Explores Privacy in the Sharing Economy

The rise of peer-to-peer networking and the burgeoning “sharing economy” was the topic at an FTC workshop in Washington, DC, where participants discussed whether there is need for new regulation. In a wide-ranging conversation covering rapidly changing business models, potential regulatory obligations and consumers’ increasing dependence on reputational feedback mechanisms, economists, industry representatives and academics hashed out what is clearly a complex but innovative sector of the modern economy. [Full Story]

WW – FPF Whitepaper Examines Privacy in the Sharing Economy

The Future of Privacy Forum (FPF) has released a whitepaper that focuses on the reputational, trust and privacy challenges users and providers face on management and accuracy of shared information. User Reputation: Building Trust and Addressing Privacy Issues in the Sharing Economy considers how reputation-building and trust are frequently essential assets to a successful peer-to-peer exchange and looks at issues surrounding identity, anonymity and the role of social network integration. Services like Uber, Airbnb and Etsy rely on online and mobile platforms and peer-to-peer sharing of reputational information, including reviews and recommendations. “If consumer access to services is dependent on ratings and reviews, consumers need transparency into how these systems work,” said the FPF’s Jules Polonetsky. [Full Story]

US – IAB: How Will FCC Jurisdiction Affect Us?

After a change in policy brought Internet broadband providers under the Federal Communications Commission’s (FCC) jurisdiction, the Interactive Advertising Bureau (IAB) “wants to clarify whether the net neutrality rules will result in new privacy restrictions.” Industry groups including the IAB met with the FCC to discuss the implications of the order on May 28, and while the outcome of the session was not disclosed in the report, the order itself indicates that broadband providers are certainly on the FCC’s radar. Providers “are in a position to obtain vast amounts of personal and proprietary information about their customers,” the order states, noting, “Absent appropriate privacy protections, use or disclosure of that information could be at odds with those customers’ interests.” [MediaPost]

WW – Lack of Privacy in Self-Driving Cars Means Greater Manufacturer Responsibility

The advent of the “self-driving car,” Jack Boeglin argues, “means that the more privacy and freedom motorists are willing to give up, the more that liability should flow to manufacturers, government entities and other third-parties.” The Wall Street Journal reports on Boeglin’s piece, which also suggests developers must acknowledge that the ideas of liability and privacy aren’t mutually exclusive. “Nearly all of the literature on self-driving cars explores either their impact on social values like freedom and privacy or the questions they pose for legal liability,” Boeglin writes. “These lines of inquiry have developed largely in isolation, with little effort to examine how they might intersect and inform each other.” [Yale Journal of Law & Technology]

WW – Audi: Cars Are “Second Living Rooms”—And Private

Comments by Audi Chief Executive Officer Rupert Stadler appear to indicate that German auto companies are using in-car privacy concerns as “an attempt to build rival platforms to challenge Google for market share in Internet-assisted motoring.” “The Internet, cookies and other data collectors are almost common courtesy,” Stadler said. “But a car today is a second living room, and that’s private.” Customers, Stadler said, “want to be in control of their data and not subject to monitoring. And we take this seriously,” he continued. These comments come on the heels of an explosion of industry fusion, evidenced by the year-old “Automobile Alliance” founded by Google and auto companies group-bidding for tech contracts. [Bloomberg Business] [Audi CEO Confronts Google’s Schmidt With Data-Protection Pledge]

WW – New Tech Reduces Time Between Breach Compromise and Discovery

Start-up Terbium Labs offers to help breached companies quickly discover their sensitive data on the so-called “Dark Web.” Founded by researchers from Johns Hopkins University, the company combines two technologies—one that crawls the Internet, the other that collects and stores sensitive data in encrypted form. Terbium Labs CEO Danny Rogers said, “When you can bring that breach detection time down from months to seconds or minutes, then you can really minimize the damage and reduce the risk of the data being out there in the first place.” [MIT Technology Review]

WW – Just How Much Shadow Data Is Out There?

Cloud security firm Elastica released new data, showing that millions of compliance violations and intellectual property leaks exist in cloud applications, unbeknownst to organizations, thanks to employees using “shadow IT” like Dropbox and other cloud services. The company estimates the average potential exposure to be more than $13 million per business. Another security vendor, Venafi, released results of a survey showing that most IT security pros don’t know how to, or don’t take the time to, replace encryption keys and credentials following a breach. Perhaps that’s why, CSO reports, many CIOs and CISOs are increasingly turning to specialized cybersecurity prevention and response firms to help them protect their enterprises. [Dark Reading]

Law Enforcement

UK – Police Request Private Data Access ‘Every Two Minutes’

Police forces in the UK made the equivalent of one request for communications data every two minutes between 2012 and 2015. Big Brother Watch reported that a total of 733,237 requests to access data were made by police between 1 January 2012 and 31 December 2014. That is equivalent to 670 requests a day, 28 requests an hour or one every two minutes. The report was based on Freedom of Information requests granted by every police force but one. Just 54,164 of the requests were denied internally, meaning that 92.6% were accepted. In 2014 alone just under 250,000 applications were made. The requests include any time that police officers ask to see the “who, where and when of any text, email, phone call or web search,” the privacy group reported. “Despite persistent claims that the police’s access to Communications Data is diminishing, this report shows that the police are continuing to access vast amounts of data on citizens,” the group said. “It is clear from the reports’ findings that disparity exists amongst police forces on what is considered necessary and proportionate for a request for Communications Data and why a refusal for access is given.” “If law enforcement persists with calls for greater access, internal procedures will need to be clarified, transparency about the process published and independent judicial approval brought in as part of the authorisation process.” [Wired] [REPORT: UK Police Request Personal Data Every Two Minutes]

US – Surveillance by FBI’s Fleet of Spy Planes Raises Privacy Questions

Surveillance by the FBI’s fleet of spy planes, which are registered to shell companies and fitted with tech capable of sucking up cellphone data from innocent Americans, raises serious privacy questions. … Dirtboxes work like Stingrays, which are in use by “over 46 agencies including law enforcement, the military, and intelligence agencies across 18 states and Washington D.C. for more than a decade.” A Stingray surveillance device lets law enforcement mimic a cell phone tower, track the position of users “who connect to it, and sometimes even intercept calls and Internet traffic, send fake texts, install spyware on a phone, and determine precise locations.” Dirtboxes can “sweep up identifying information about tens of thousands of cell phones in a single flight.” The low-flying aircraft, often equipped with video and sometimes cell-phone surveillance technology, are used without a judge’s approval. The FBI said the flights are employed for specific, ongoing investigations and not for bulk surveillance. In one 30-day period, the FBI flew above at least 30 U.S. cities in 11 states, the report states. “The FBI’s aviation program is not secret,” said spokesman Christopher Allen, but ACLU Senior Policy Analyst Jay Stanley said, “These are not your grandparents’ surveillance aircraft.” [ComputerWorld] [Associated Press] [FBI Behind Mysterious Surveillance Aircraft Over U.S. Cities] See also: [Tech Pioneer Thinks Wearables Can Offset Privacy Concerns]

US – Hola VPN Used to Perform DDOS Attacks, Violate User Privacy

Researchers say that users should bid the freemium service “adios.” The company doesn’t hide the fact that the Hola network is peer-to-peer. Users of the service form a large network, and Hola traffic is routed through this network, using the connections of other Hola users. This is great for Hola; it means that the company doesn’t need to operate points of presence in different countries in order to make traffic appear to originate in these countries. But this is very risky for end users. The example that the Adios researchers give is a straightforward one: if you use Hola and someone else uses Hola to distribute child pornography, there’s a chance that they’ll do so using your Internet connection. This in turn could have the police kicking your door down. [Ars Technica]

Location

US – Verizon, NASA Team Up to Create Drone-Safety Technology

Verizon is developing technology with NASA to direct and monitor the growing number of civilian and commercial drones from its network of phone towers. According to documents obtained under the Freedom of Information Act, Verizon signed an agreement with NASA last year “to jointly explore whether cell towers … could support communications and surveillance of unmanned aerial systems at low altitudes,” the report states. The $500,000 project is underway at NASA’s research center. At the moment, there’s little to regulate where drones can fly, but NASA would like to develop technology that would “geo-fence” them. The project aims to uncover whether cell towers could help in that endeavor. [The Guardian]

Offshore

WW – Hong Kong Accountability Benchmarking Micro-Study Results Released

The Office of the Privacy Commissioner for Personal Data has released, with research firm Nymity, a study on how firms in Hong Kong are applying the principles of accountability in their privacy compliance programs. Privacy Commissioner Allan Chiang reports himself pleased with the findings: “It is gratifying to note that many organisations are taking privacy seriously and the subject is now on the agenda of their top management.” Without proper regulation, however, governments could use information to build what Chiang describes as a “dictatorship of data“ that obliterates the idea of individual control. “People could be arrested not because they have committed a crime but because big data analytics predict they are likely to commit one,” he said. [South China Morning Post]

Online Privacy

WW – Google Unveils Privacy Hub, Increases User Privacy Controls

Google continues to unveil new privacy features for users, including “My Account,” which serves as a hub for users’ privacy settings. The new feature aims to give users quick access to their privacy and security settings, tools to protect personal data and controls on what information is used by Google. Users have been able to control certain privacy settings for months or years, such as whether to save web browser and location history, which is also used in targeted advertising. But managing the controls is confusing and time consuming because the settings are in various places across the web that are not always easy to find. Now users will be able to use My Account, which provides a privacy checkup and security checkup, or lists where people can check off which data they want to be public and private. Google’s new website answers frequently asked questions, such as whether the company sells personal data and what information is given to advertisers. The rollout comes on the heels of newly increased app permissions for Android, which Google announced at its annual developer’s conference last week. The new system mirrors the app permissions on Apple’s iPhones, which do not allow apps to automatically access numerous types of data, such as location or phone contacts. [Reuters] [I really don’t want to give all of my photos to Google, but I’m going to do it anyway]

US – Microsoft Debuts Privacy Dashboard, Revises Privacy Statement

Microsoft announced its new privacy dashboard, a hub for all of Microsoft’s privacy documents and a one-stop shop for users to customize their privacy settings. In addition to the dashboard, the company revised its privacy statement and service agreement with a more colloquial mindset. The goal of the revisions is to have “straightforward terms and policies that people can easily understand,” said Microsoft Deputy General Counsel Horatio Gutierrez. “The updates to Microsoft’s policies don’t seem to radically change anything that was previously there,” the report states. While the dashboard has launched, Microsoft’s new services agreement is set to go live August 1. [ITWorld]

US – Markey Calls for Internet “Erase Button” for Kids

Sen. Ed Markey (D-MA) wants websites to have an “erase button that parents can use to scrub personal information about their children from the Internet.” Markey is proposing the measure, called the Do Not Track Kids Act, as one of several updates he says are needed to amend the Children’s Online Privacy Protection Act. It would require Internet companies to gain parental consent before collecting personal and location data for anyone under the age of 13. Sens. Mark Kirk (R-IL) and Richard Blumenthal (D-CT) cosponsored the bill, and Reps. Joe Barton (R-TX) and Bobby Rush (D-IL) introduced a companion bill in the House. [The Telegram]

WW – Twitter Now Offers Targeting Based on Downloaded Apps

Companies that make apps and would like to advertise them on Twitter can now target Twitter users based on the categories of apps installed on their mobile devices. Advertisers can now combine location, keyword and language information with data about whether a user has downloaded an app in categories like finance and productivity. According to the report, Twitter started tracking what other apps its users downloaded late last year, though users can opt out in the Twitter app settings. Twitter will also refrain from gathering information on app downloads if users have turned on services such as “Limit Ad Tracking” in iOS. [MediaPost]

WW – Firms Tout Privacy Credentials

Zettabox is among “a growing number of European cloud computing providers trying to take on American competitors by playing up their privacy credentials.” Across the EU, cloud companies are “highlighting how they comply with Europe’s tough data protection rules,” the report states, noting the European Commission “is promoting a European cloud computing program as part of its recently released digital single market reforms to boost the region’s fledgling industry that has so far failed to compete” with the U.S. The report suggests the companies face an uphill battle against Internet giants, but notes a current Microsoft case may be a sign that U.S. companies “may yet struggle to comply” with EU data protection regulations. [The New York Times] See also: [Ann Cavoukian: Why privacy must be baked into the Internet of Things]

WW – Privacy Summit Divided Over Facebook Policies

At a recent Facebook summit, the best and brightest of privacy were “divided on nearly every topic at hand—including the definition of privacy itself.” However, discontent regarding Facebook’s advertising policies seems to be a unifying thread. Tech companies are “gobbling up everything they can learn about you and trying to monetize it,” said Apple’s Tim Cook. The solution? “Internet sites should allow their users to be the customers. I would, as I bet many others would, happily pay more than 20 cents per month for a Facebook or a Google that did not track me, upgraded its encryption and treated me as a customer whose preferences and privacy matter.” [The Hill]

WW – Paper Calls for Firefox Privacy Updates

Former Mozilla software engineer Monica Chew and computer scientist Georgios Kontaxis recently published a paper on the need for tracking protection in Firefox browsers, and support for the initiative is burgeoning, the report states. “Tracking Protection in Firefox For Privacy and Performance” indicates that tracking protection, a service that essentially does what its name suggests while speeding up load time, is currently an option for Firefox users but is difficult to activate and not an integral part of the browser’s functionality. The Electronic Frontier Foundation (EFF) agrees with the report’s findings. “We eagerly await the day that advertisers respect users’ requests for privacy and for browsers to implement their protections by default,” said the EFF’s Noah Swartz. [Threat Post]

WW – Apple CEO: Offer Customers the Best of Privacy and Security

During EPIC’s Champions of Freedom event in Washington, DC, Apple CEO Tim Cook spoke on security and guarding customer privacy and “protecting their right to encryption.” Cook said privacy and security aren’t trade-offs and people have a fundamental right to privacy. “The American people demand it; the constitution demands it; morality demands it,” Cook said. He also discussed consumers’ right to encryption. “Some in Washington are hoping to undermine the ability of ordinary citizens to encrypt their data. We think this is incredibly dangerous,” he said. For companies, he said, “We shouldn’t ask our customers to make a trade-off between privacy and security. We need to offer them the best of both.” [TechCrunch] [Apple’s Tim Cook Delivers Blistering Speech On Encryption, Privacy]

WW – Apple Unveils New iOS Based On Data Minimization

During its Worldwide Developers Conference, Apple unveiled its forthcoming operating system as well as a number of new features and products. Front-and-center for Apple’s privacy messaging was data minimization. Throughout the event, Apple Senior VP of Software Engineering Craig Federighi said data related to personalized services will stay on the respective devices and that users will have control. This post looks into the announcements and how data minimization is integrated into Apple’s forthcoming services. [Privacy Tech] [Wired] [Apple’s Latest Selling Point: How Little It Knows About You]

WW – Google Improves Privacy in New Android Services

Google unveiled a slew of new products and services, some of which aim to bolster security and privacy for users. Users will receive more fingerprint-related features as well as more controls over what data is accessed on their devices. Google will also offer more personalized services through Google Now, is taking a leap into virtual reality and has unveiled Project Brillo, which aims to make it easier for developers to build applications for Internet-of-Things technology such as smart homes. “We hope we can connect devices in a seamless and intuitive way,” said Google Senior VP of Products Sundar Pichai. [Bloomberg Business] [Google Centralizes Privacy and Security Controls On New Web Dashboard]

Other Jurisdictions

WW – Leaked Trade Deal Documents Raise Questions

Wikileaks has released 17 documents relating to the Trade in Services Agreement (TISA) currently under negotiation between the U.S., EU and 23 nations. According to the leak, the draft provisions mean countries could be barred from trying to control where their citizens’ personal data is held or whether it’s accessible from outside the country. But EU privacy regulations require companies to store EU citizens’ personal data locally to be sure they comply with the region’s laws. The deal, a sort of companion piece to the Transatlantic Trade and Investment Partnership, could be sped through Congress using what’s called Trade Promotion Authority. [Forbes]

IN – CyberSecurity Task Force Has Rocky Start

Security leaders in India are wary that the formation of the National Association of Software and Services Companies and Data Security Council of India’s Cyber Security Task Force—a move to make India “a hub for cybersecurity solutions”—is in for a rocky start. While the goal to develop cybersecurity in the country and develop Indian roadmaps for its technological future is admirable, they argue, issues such as adequate financial backing and input from experts are lacking. “A unique initiative, it focuses on making India secure,” one expert said, adding, “But what next? We must see local cybersecurity solutions being supported with soft funding and support from the government.” [Bank Info Security]

KR – Messaging App Acquires Path

Path, a social network designed for mobile devices, has been acquired by Daum Kakao—the maker of South Korean-based messaging app Kakao Talk. The acquisition adds Path’s 10 million active users to Daum Kakao’s 48 million. Path was once the subject of controversy resulting in an $800,000 fine from the U.S. FTC for collecting and storing data from users’ address books without permission. “Financial details of the acquisition were not revealed,” the report states. [CNet]

WW – Other Privacy News

Privacy (US)

US – President Obama Signs USA Freedom Act

Calling it “sensible reform legislation,” President Obama signed the USA Freedom Act hours after the Senate approved the legislation that would restrict the way the NSA collects information about Americans’ telephone calls. Senators, by a 67-to-32 vote, approved the bill after beating back three attempts by Senate Majority Leader Mitch McConnell, R-Ky., to amend the legislation, which would have diminished surveillance and transparency reforms. One amendment would have doubled to 12 months the time the NSA would have to end its existing metadata collection program. A second amendment would have changed the way independent advocates in secret surveillance courts would be treated. A third amendment would have required the director of national intelligence to certify that the new phone record system functions properly. The legislation replaces provisions in the Patriot Act, enacted after the 2001 terrorist attacks, that expired on June 1, including a section that the Obama and Bush administrations used to justify the bulk collection of metadata on Americans’ telephone conversations, which an appeals court earlier this year declared illegal, though it did not stop the program. Under the USA Freedom Act, the government, with a court order, could compel communications companies to turn over phone records of American citizens suspected of communicating with terrorists. Under the Patriot Act, the government retained the phone records, which the new law prohibits. Sen. Patrick Leahy, D-Vt., one of the bill’s Senate sponsors, characterized passage of the legislation as “an historic moment. … It’s the first major overhaul in government surveillance laws in decades and add significant privacy protections for the American people.” The USA Freedom Act received support from a number of privacy and civil liberties organizations, though the ACLU opposed it, saying it offered “incremental improvements over the dismal status quo” and did not go far enough to protect individuals’ privacy. Instead, the ACLU said the Patriot Act provisions should be left to expire. But Cindy Cohn, executive director of the Electronic Frontier Foundation, praised the Senate for passing the bill. “Technology users everywhere should celebrate, knowing that the NSA will be a little more hampered in its surveillance overreach, and both the NSA and the (secret) FISA court will be more transparent and accountable than it was before the USA Freedom Act,” she said. The USA Freedom Act would also renew several less controversial provisions of the Patriot Act that had expired, including one involving roving wiretaps that the FBI uses, after obtaining a warrant, to track terrorism suspects who often change cellphones, and a program to monitor so-called “lone-wolf” suspects who haven’t been linked to terrorist groups. [Source] SEE ALSO: [America Curbs State Snooping, Britain Gives the Green Light]

US – Swire: USA FREEDOM Act Is Biggest Intel Reform in 40 Years

Less than a week after the U.S. government enacted surveillance reform, Prof. Peter Swire writes, “I applaud the passage of the new law,” noting it’s “the biggest pro-privacy change to U.S. intelligence law since the original enactment of the Foreign Intelligence Surveillance Act in 1978.” Swire, who served as one of five members hand-picked by President Barack Obama to review U.S. intelligence programs in the wake of the Snowden revelations, discusses the close fit between the newly enacted USA FREEDOM Act and a number of the Review Group on Intelligence and Communications Technology recommendations. But reform should not stop here, Swire argues: More of the group’s recommendations should be considered. [Privacy Perspectives]

US – Judge Probes Destruction of Evidence in NSA Leak Prosecution

A federal judge is investigating allegations that the government may have improperly destroyed documents during the high-profile media leak investigation of NSA whistleblower Thomas Drake. U.S. Magistrate Judge Stephanie Gallagher’s inquiry was launched after Drake’s lawyers in April accused the Pentagon inspector general’s office of destroying possible evidence during Drake’s criminal prosecution, which ended almost four years ago. [Source]

US – Sanders Looks to Create Privacy Commission

Sen. Bernie Sanders (I-VT) hopes “to create a panel to investigate the impact of modern technology on privacy as part of an annual defense bill.” Sanders, who is seeking the Democratic presidential nomination in 2016, filed an amendment to the National Defense Authorization Act seeking the creation of a “commission on privacy rights in the Digital Age,” the report states, which would look at how the government and private companies collect and use data on American citizens. “There is a huge amount of information being collected on our individual lives ranging from where we go to the books we buy and the magazines we read. We need to have a discussion about that,” Sanders said. [The Hill]

US – New FTC CPO: Putting Our Money Where Our Mouth Is

Katie Brin might be relatively new as the FTC’s chief privacy officer, but her passion for privacy rights took root years ago. A law student at Berkeley, she was a member of the first-ever class at the Samuelson Law, Technology and Policy Clinic, then headed by well-known scholar Deirdre Mulligan. It was there she first tackled some of the most complex issues of our time, issues we’ve yet to resolve, like how evolving technology affects our ideas about free speech. In her first public interview, Brin talks about her goals for the office and just how “easy” it is to be CPO of the FTC. [Full Story]

US – Privacy Lawsuits Decline

While a few years ago “Internet privacy lawsuits were getting filed left and right … that stream appears to have dried up,” according to a report in The Recorder. In the Northern District of California, in cases where Apple, Google or Facebook were named as defendants, there were 29 lawsuits filed in 2010, 20 in 2011 and 30 in 2013. But in 2014, only four such suits were filed and in 2015, only one so far. [Ars Technica] SEE ALSO: [Judge Dismisses Breach Suit: Meanwhile, a county judge in Pennsylvania has dismissed a class-action lawsuit against Pittsburgh-based UPMC over a 2014 data breach in which 27,000 employees’ tax information was stolen]

US – FCC’s Wheeler Circulating Proposed TCPA Decision

FCC Chairman Tom Wheeler has announced a proposal to address the 20-plus “pending petitions seeking clarity regarding the scope requirements under the U.S. Telephone Consumer Protection Act (TCPA).” Under Wheeler’s proposal, the FCC would issue rulings including allowing consumers to “revoke their consent to receive automated ‘robocalls’ and texts in any reasonable way at any time” and prohibiting callers “from calling reassigned telephone numbers after one call,” the report states. The proposal also calls for the term “automatic telephone dialing system” to be interpreted under TCPA “to encompass any technology with the capacity to dial random or sequential numbers.” The proposal is scheduled for a vote at the FCC’s June 18 meeting. [Hogan Lovells’ Chronicle of Data Protection]

US – Clearing Browser History Can Be Deemed ‘Obstruction of Justice’

Boston Marathon bomber’s acquaintance could face 20 years in prison for deleting files. Next week, a 24-year-old man who knew Boston Marathon bombers Dzhokhar and Tamerlan Tsarnaev is scheduled to appear in U.S. Federal Court for sentencing on obstruction of justice charges related to the 2013 attacks. Khairullozhon Matanov, a former taxi driver, did not participate in or have any prior knowledge of the bombings, according to U.S. authorities. What could land him 20 more years in prison are the charges that he deleted video files from his computer and cleared his browser history in the days following the attacks. As a result of this alleged behaviour, Matanov was charged with one count of “Destruction, Alteration, and Falsification of Records, Documents, and a Tangible Object in a Federal Investigation” — which carries with it a penalty of up to 20 years in prison. Three more counts stemming from accusations that he lied to investigators about his activities and relationship with the Tsarnaev brothers carry a sentence of up to eight years in prison each. While he maintains his innocence, Matanov pleaded guilty to all charges against him earlier this year in hopes that U.S. District Judge William G. Young will accept his plea agreement for a lesser sentence of 30 months. [Source]

WW – Airbnb Data at Center of Debate

“Housing activists, San Francisco policy-makers and Airbnb are in the midst of another showdown over short-term rental regulation,” the report states, noting data is one of the issues at the center of the debate. “Cities need to understand whether short-term rental inventory is expanding faster than they can produce housing stock,” the report states, noting, “Put another way: you would not A/B test changes to a software platform or interface without data, so why would you ask city policy-makers to A/B test regulatory changes in the dark?” By finding a way to utilize data without compromising privacy, “we can instead be more permissive on the front-end while at the same time introducing increased accountability through transparency,” said Union Square Ventures’ Nick Grossman. [TechCrunch]

US – Uber Updates Its Privacy Policy to Restrict God View

After much scrutiny about its privacy practices, Uber Technologies has released a new and updated privacy policy. The policy is clearer about what Uber does with riders’ personal data, including tracking locations, reading text messages between riders and drivers and storing user address books. Hogan Lovells’ Harriet Pearson, who led a privacy review of the company, said such data “actually wasn’t an issue. They had already addressed that at the time of our review.” Carnegie Mellon’s Lorrie Faith Cranor said the policy is written to protect Uber from liability: “This is a company that collects and uses a lot of data.” In a blog post, Uber’s Katherine Tassi said the company has doubled the size of the privacy team in the last few months. [Bloomberg Business]

US – PA Judge Squashes Breach Suit

A Pennsylvania judge recently rejected a class-action lawsuit filed by employees of the University of Pittsburgh Medical Center (UPMC) against UPMC for alleged negligence and breach of implied contract following a breach. The employees alleged their Social Security numbers, names, addresses, birthdates and salary information were stolen and used to file fraudulent tax returns and open fraudulent bank accounts. Judge R. Stanton Wettick, Jr., said Pennsylvania law doesn’t recognize a private right of action to recover actual damages as a result of a data breach and creating one would “overwhelm the state courts.” [Privacy Compliance & Data Security]

US – Styles: FERPA, HIPAA Don’t Take Equally Tough Stance

U.S. Department of Education CPO Kathleen Styles is concerned over what she sees as inconsistencies between FERPA and HIPAA. In a letter to Sen. Ron Wyden (D-OR) and Rep. Suzanne Bonamici (D-OR), following questions about an incident involving an Oregon college student’s health records, Styles noted “the possibility that FERPA may offer fewer confidentiality protections than the HIPAA Privacy Rule in the limited instances where institutions choose to share treatment records with their attorneys in conjunction with litigation between the student and the institution.” Her letter “confirms a gap in privacy that could allow school officials to inappropriately access students’ personal health records without their consent,” Wyden and Bonamici noted in a statement. [HuffPost]

Privacy Enhancing Technologies (PETs)

EU – Privacy App Maker Files EC Complaint

The maker of a privacy app has lodged a complaint with the European Commission alleging “Google abused Android’s dominance of the European mobile market to unfairly favor its own privacy and security software over Disconnect’s app” by blocking its app from the Google Play app store. Disconnect, a privacy app founded by ex-Google employees, filed the complaint after its mobile app was pulled from the Google Play app store last year, the report states. Google removed the app because it threatened the company’s tracking and advertising business, according to the complaint. A spokesperson for the Commission’s competition office said it would assess the complaint. [ZDNet] See also [New Privacy App Takes a Page From NSA Technology]

WW – Creepy Dude Following Teens Online is Actually a Clever Web Privacy PSA

The retargeting online advertising technique is used to get young people to pay more attention to their privacy settings. In order to get teens to pay more attention to their online privacy settings and behaviors, child advocacy and safety group Innocence in Danger, with French agency Rosaparks, used ad retargeting on 200,000 teens to get this creepy dude to follow them around their favorite sites for a while. After 10 appearances, just enough time to give anyone the heebie-jeebies, the tagline appeared: “It’s not always this easy to see who’s following you around the Internet.” Forget just teens, this guy’s dead-eyed creep stare is enough to make anyone of any age do a thorough privacy setting evaluation. [Source]

WW – MIDDLE Aims to Balance Research, Privacy

Prof. Timothy Brick discusses the balance between researchers being encouraged to share data and participants’ concerns about who will have access to their information with PhysOrg. “Brick is working on a system called Maintained Individual Data, Distributed Likelihood Evaluation (MIDDLE) that changes the way data is collected and reported,” the report states. MIDDLE “will enable researchers to conduct studies and participants to keep control over their data,” the report states, noting Brick believes MIDDLE “will open the door for health or education studies previously made impossible or more difficult by the Health Insurance Portability and Accountability Act (HIPAA) and the Family Educational Rights and Privacy Act (FERPA).” [Full Story]

Security

US – NIST Releases Draft of Risk Management Framework

The National Institute of Standards and Technology has released a draft of its Privacy Risk Management Framework and is now inviting the public to comment on it. The draft report, NISTIR 8062, Privacy Risk Management for Federal Information Systems, “provides the basis for establishing a common vocabulary to facilitate better understanding of, and communication about, privacy risks and the effective implementation of privacy principles in federal information systems,” NIST states on its website. In its announcement, NIST notes it is “soliciting public comments on this draft to obtain further input on the proposed privacy risk management framework, and we expect to publish a final report based on this additional feedback.” Comments may be sent to privacyeng@nist.gov until July 13. [Full Story] See also: [We Stand on the Brink of Global Cyber War, Warns Encryption Guru Bruce Schneier]

WW – How the Tech Behind Bitcoin Could Stop the Next Snowden

An Estonian company called Guardtime says it has a solution to the problem of insiders tampering with data: using the same ideas that underpin the digital currency Bitcoin, the company says it can ensure no one can alter digital files, not even an organization’s most senior executives or IT managers. The idea is to stop the next Snowden in his tracks by making it impossible to tamper with data, such as the NSA log files, in secret. …Like IBM, Guardtime thinks the Internet of Things could be the killer application for the blockchain. As more and more connected devices gather data and store it in the cloud—and governments and private citizens alike create automated systems that respond to that data—ensuring data hasn’t been tampered with is crucial, especially if you have to trust outside vendors or hosting providers. [Wired] [Wired: Blockchain: The Next Big Thing in File Security?]

WW – Duqu 2.0 Espionage Malware Discovered

Kaspersky Lab says it has discovered a new, advanced persistent threat that appears to have been launched by the gang behind the Stuxnet and Duqu malware families. But while security vendors typically unearth intrusions in their customers’ networks, in this case Kaspersky’s own networks also fell victim to the attack campaign, thanks in part to attackers employing a zero-day Windows exploit. Those are the results of an investigation that Kaspersky Lab says it launched earlier this year, after discovering an internal cyber-intrusion and ultimately unearthing what it has dubbed Duqu 2.0, because the malware and attack platform is based on Duqu, which security researchers believe went dark in 2012. [Source]

IN – Programmer Finds Code Spying on Airtel Users, Gets Legal Notice

Indian telecom major Airtel has allegedly been caught spying on users by injecting mysterious lines of code into web browsers used to visit websites over its 3G network. The startling revelation came to light when activist and programmer Thejesh GN received a legal notice for exposing how Airtel inserts JavaScript code and iframes into a user’s browsing session. Thejesh traced a mystery JavaScript code during one of his own browsing sessions to a network managed by Bharti Airtel and posted the findings on his Twitter handle @thej and on GitHub. Soon after, Thejesh received a cease-and-desist order from Israel-based company Flash Networks demanding that he take down the post. According to reports, Airtel was allegedly using the mystery code so that it could track the data consumed by users. For this the telecom company had partnered with Ericsson, which was reportedly using Flash Networks’ mobile solution to track user behavior. [Source]

WW – VPN Software May Be Rife With Privacy, Security Vulnerabilities

Researchers have found that popular virtual private network (VPN) provider Hola—a service that promises privacy and anonymity to its more than 47 million users worldwide—is “dangerously insecure,” Ars Technica reports. The VPN service contains flaws that allow for remote code execution and client tracking. Hola also sells access to its peer-to-peer network with very little oversight. The vulnerabilities are so bad, the researchers recommend that customers stop using the service right away. Since reports surfaced, Hola has altered some of its services, including fixing the flaw that allowed for remote execution of code and client tracking. The researchers, however, contend there are deeper issues fundamental to how Hola is built that should worry users, including how traffic is routed through its peer-to-peer network. [Ars Technica]

WW – GoPro, Yelp Privacy Vulnerabilities Exposed

In two separate cases, privacy vulnerabilities have been found in GoPro cameras and Yelp’s “activity feeds.” A security firm has warned security settings are “too easy” for cybercriminals to circumvent. Pen Test Partners said it could access GoPro’s Hero4 camera—even though it appeared to be turned off—and watch and eavesdrop on users as well as view or delete existing videos. Pen Test Partners’ Ken Munro said a wireless connection to the device can unknowingly be left on, even after the power button has been turned off. GoPro has said it follows the “industry-standard protocol called WPA2-PSK (pre-shared key) mode.” In a column for Fusion, Kashmir Hill discusses Yelp’s “activity feeds” and how they share information—including gender, age and hometown—with businesses. [BBC News]

US – Undercover DHS Tests Find Security Failures at US Airports

An internal investigation of the TSA revealed security failures at dozens of the nation’s busiest airports, where undercover investigators were able to smuggle mock explosives or banned weapons through checkpoints in 95% of trials. The series of tests was conducted by Homeland Security Red Teams who pose as passengers, setting out to beat the system. According to officials briefed on the results of a recent Homeland Security Inspector General’s report, TSA agents failed 67 out of 70 tests, with Red Team members repeatedly able to get potential weapons through checkpoints. More recently, the DHS inspector general’s office concluded a series of undercover tests targeting checked baggage screening at airports across the country. That review found “vulnerabilities” throughout the system, attributing them to human error and technological failures, according to a three-paragraph summary of the review released in September. In addition, the review determined that despite spending $540 million for checked baggage screening equipment and another $11 million for training since a previous review in 2009, the TSA failed to make any noticeable improvements in that time. [Source]

WW – Companies Overwhelmed With Security Alerts and False Positives

Companies are becoming overwhelmed with data about security alerts, and it’s hindering their ability to make informed decisions about data protection. That’s the finding of a report released by analytics firm Prelert. The firm surveyed over 200 tech professionals, including IT administrators and managers supporting the security function, along with information security professionals. 62% of respondents to the survey are seeing too many false positives, or are faced with too many alerts to handle. Security analytics is ranking high for customer satisfaction among enterprise security pros, according to the report. When asked what technologies offered the greatest perceived value compared to total cost of ownership, respondents ranked it joint highest with cloud data encryption and threat intelligence services. [Source] [How Do We Catch Cybercrime Kingpins?]

WW – Anti-Virus Software Lab Hacked; Spyware Detected at Nuclear Sites

Kaspersky Lab, an anti-virus software provider, says its own systems were recently compromised by hackers. The company said it believes the attack was designed to spy on its newest technologies and used up to three previously unknown techniques. However, data the hackers accessed was “in no way critical to the operation” of its products, the company said. Separately, Kaspersky Lab has said sophisticated spyware has infected computers at luxury hotels that are serving as venues for nuclear negotiations with Iran. The spyware is believed to be state-sponsored, the report states, but the extent of any possible data breach is not yet known. [BBC News]

Surveillance

WW – New Snowden Docs Reveal Warrantless Spying

A report reveals a program approved by the Department of Justice (DoJ) expanding the National Security Agency’s (NSA’s) ability to access the Internet traffic of American citizens. Based on documents provided by Edward Snowden, two DoJ memos approved the NSA’s ability to hunt for malicious actors by targeting suspicious Internet addresses and behavior. Stanford’s Jonathan Mayer said the program’s “a major policy decision about how to structure cybersecurity in the U.S. and not a conversation that has been had in public.” The government has defended the program as necessary to protect U.S. citizens from bad actors. Meanwhile, Edward Snowden wrote a column lauding the “power of an informed public … We are witnessing the emergence of a post-terror generation…” [ProPublica and The New York Times] See also: Overview of the UK’s proposed surveillance bill, the Investigatory Powers Bill.

WW – Pilots Fear Traffic Control Updates Could Be Privacy Threat

The Federal Aviation Administration’s (FAA) proposed “satellite-based traffic control network” has pilots of private jets concerned that the data could be used to track the location of famous passengers. “There is a huge appetite out there to track where these planes go,” said National Business Aviation Association (NBAA) Vice President of Regulatory and International Affairs Doug Carr. While the FAA acknowledges these concerns and “is considering allowing operators to change the broadcast codes at their discretion between trips,” the NBAA is asking for a stronger approach—such as encrypting the data—”so only the FAA and controllers would continue to have the means for real-time tracking,” the report states. [The Wall Street Journal] See also: [Drug Enforcement wiretaps triple in 9 years, agents avoid federal oversight]

US – FBI Wants Wiretap Access to Websites and Social Media

The FBI is asking lawmakers for a new wiretap law that would give it access to social media and other websites. The FBI’s Michael Steinbach said Congress should use the Communications Assistance for Law Enforcement Act as a model for new rules for Internet-based communications, adding, “We’re not looking at going through a back door or being nefarious; we’re talking about going to the company and asking for their assistance.” Agency Director James Comey first called for a CALEA rewrite to cover encrypted mobile phone data last October. [PC World]

US – N.S.A. Secretly Expands Internet Spying at U.S. Border

The disclosures, based on documents provided by Edward J. Snowden, the former N.S.A. contractor, and shared with The New York Times and ProPublica, come at a time of unprecedented cyberattacks on American financial institutions, businesses and government agencies, but also of greater scrutiny of secret legal justifications for broader government surveillance. While the Senate passed legislation this week limiting some of the N.S.A.’s authority, the measure involved provisions in the U.S.A. Patriot Act and did not apply to the warrantless wiretapping program. Government officials defended the N.S.A.’s monitoring of suspected hackers as necessary to shield Americans from the increasingly aggressive activities of foreign governments. But critics say it raises difficult trade-offs that should be subject to public debate. [New York Times] [Hackers Can Be Fought Without Violating Americans’ Rights] [Fears NSA Will Seek to Undermine Surveillance Reform] [Review: Bulk Data Collection Useful But Needs Oversight]

US – Thousands of Sites Block and Redirect Congress to Patriot Act Protest Page

As of Sunday night, 14,827 websites and counting were blocking IP addresses associated with the US Congress, redirecting visitors away from their sites and toward a page protesting mass surveillance. Rather than saying that Patriot Act-enabled mass surveillance is kaput, we should think of it more as being relegated to the ranks of the undead, ready to be resurrected with a bit of legal tweaking. During Sunday night’s debate, Senators Rand Paul and Ron Wyden scoffed at the idea of terrorist actions ever having been uncovered by the bulk data collection. In a show of bipartisan opposition to bulk data collection, both pointed to overwhelming support from constituents who want their liberties back. [Naked Security] [NY Times: Edward Snowden: The World Says No to Surveillance]

EU – Data Retention: German Government Tries Again

The retention of metadata from electronic communications has been on the political agenda throughout Europe for many years now. After the EU had passed a Directive on data retention, Germany first introduced a national law that forced telecommunication providers to store metadata from electronic communications in 2008. Two years later, the German Federal Constitutional Court (FCC) came to the conclusion that this law violated fundamental rights, and therefore declared it null and void. A decision from the Court of Justice of the European Union (CJEU) followed in 2014, rescinding the EU Directive entirely. While the European Commission, for the time being, has refrained from making another attempt at introducing a Directive, the German government is still hell-bent on bringing a national law on data retention into effect. [EDRI]

US – Franken Wants Answers on Flights

Sen. Al Franken (D-MN) sent a letter to U.S. Attorney General Loretta Lynch and FBI Director James Comey demanding answers on reports the FBI is flying surveillance flights in at least 30 cities.

US – Lawmakers Query Auto Companies on Privacy

Members of the House of Energy and Commerce Committee have written to car developers and the National Highway Transportation and Safety Administration to discover how they are planning to protect drivers from security breaches affecting cutting-edge car amenities. Led by Fred Upton (R-MI) and Frank Pallone (D-NJ), the legislators want “the agency and automakers to provide details on what they are doing to protect against cyber-vulnerabilities now—including how they test vehicles for such vulnerabilities while they are being designed and once they are on the road,” the report states. [The Washington Post]

Telecom / TV

US – Bulk Phone Collection Program Expires; Workarounds in Place

For the first time in the post-9/11 era, phone calls made by Americans will not be automatically collected by the National Security Agency (NSA). After a rare weekend session, the Senate did not renew three specific provisions in the USA PATRIOT Act, including the bulk collection of telephony data. In Sunday night’s session, which was described as “caustic,” Sen. Rand Paul (R-KY) blocked the extension. The Senate is expected to vote on a version of the USA FREEDOM Act, which has already passed the House, and send the compromise bill to President Barack Obama for his signature. As one workaround, the Justice Department can invoke the so-called “grandfather clause” to continue to use such powers for investigations that commenced prior to June 1. [The New York Times]

US – Phone Carriers Yet to Indicate How They’ll Handle New Law

After the historic enactment of surveillance reform, questions about how phone carriers will handle and retain customer phone records remain, and, so far, the phone carriers aren’t hinting at what they’ll do moving forward. There is no mandate within the USA FREEDOM Act specifying data retention obligations for phone companies. Stanford University’s Jennifer Granick said, “The phone companies may already have data retention obligations under the Communications Act, but there’s no additional obligation as a result of USA FREEDOM having passed.” There will be, however, an obligation to provide a “two-hop function,” identifying individuals two steps from a given target. “Now the phone companies will be the place where that analysis of who’s in contact with whom is taking place,” Granick said. [NPR]

US – House Aims to Block FCC Rules Until Courts Have Say

A House appropriations bill released this week states the $315 million granted to the Federal Communications Commission (FCC) may not be utilized to “implement, administer or enforce” its net neutrality rules until the courts resolve three outstanding cases with telecom companies. The rules, which were adopted earlier this year, “reclassify Internet providers as utilities. Supporters of the rules say the agency’s new powers under the law will allow it to stop the providers from giving preference to some content on their networks,” the report states, noting some suggest “standalone legislation that would limit the FCC’s power but still keep some net neutrality reforms.” [The Hill]

US – In Defense of the NSA

Even as Sen. Rand Paul (R-KY) sues the U.S. federal government for continuing with the Section 215 program of domestic surveillance, more than one voice has chimed in supporting National Security Agency (NSA) surveillance efforts and opposing the direction of the USA FREEDOM Act. Alberto Gonzales, former attorney general in the George W. Bush administration, argues in USA Today that “more privacy can’t keep us safe” and that measures put in place after 9/11 were both appropriate and constitutional. Further, he argues, it “remains to be seen” whether the USA FREEDOM Act is “truly a win for America.” Similarly, Walter Pincus, in The Washington Post, defends the recently revealed NSA practice of targeting foreign hackers, saying The New York Times and ProPublica left out important details about instructions for the NSA to avoid pursuing American hackers. [Full Story]

US Government Programs

U.S. Wants to Collect Bulk Call Records for Six More Months

The U.S. Department of Justice has filed with the Foreign Intelligence Surveillance Court (FISC) for permission to continue the bulk collection of call records for another six months, as the new USA Freedom Act allows for this transition period. The filing, made public this week, was submitted to the court last Tuesday, the same day President Barack Obama approved as law the USA Freedom Act, which puts curbs on the bulk collection of domestic telephone records by the National Security Agency. The new legislation was passed by the Senate following the expiry at midnight of May 31 of the authorization of the bulk collection under Section 215 of the Patriot Act. It leaves the phone records database in the hands of the telecommunications operators, while allowing a targeted search of the data by the National Security Agency for investigations. The U.S. Court of Appeals for the Second Circuit had ruled in an appeal filed by the American Civil Liberties Union and others that a district court in New York had erred in ruling that Section 215 authorizes the telephone metadata collection program. The telephone metadata program exceeds the scope of what Congress has authorized and therefore violates Section 215, Judge Gerard Lynch wrote on behalf of the three-judge panel. The appeals court vacated the earlier order of the U.S. District Court for the Southern District of New York and remanded the case to it for further proceedings in line with the new opinion. The DOJ said in its filing that it was evaluating its litigation options in view of the decision by the Second Circuit court, but added that rulings of the appeals court do “not constitute controlling precedent” for the FISC. On Friday, advocacy group FreedomWorks and Ken Cuccinelli, a former Virginia attorney general, asked the FISC to deny the government’s request to reinstitute or continue the metadata collection for another six months, particularly in the light of the decision of the Second Circuit. [Source]

US – Will Intelligence Bill “Hobble” PCLOB?

Civil liberties proponents are raising concerns that “a one-sentence provision tucked into an annual intelligence policy bill making its way through the House could hobble the Privacy and Civil Liberties Oversight Board (PCLOB).” The provision, which is included in the House’s Intelligence Authorization Act, would prohibit the PCLOB’s “access to information that an executive branch agency deems related to covert action.” The Cato Institute’s Patrick Eddington called the measure “way beyond troubling,” adding that limiting the PCLOB “is a mistake, because our problem isn’t too much information about whether or not these NSA and other related programs are out there—our problem is we don’t have nearly enough.” [The Hill]

US – NIST Report Aims to Help Agencies Implement Privacy

National Institute of Standards and Technology (NIST) Senior Privacy Policy Advisor Naomi Lefkovitz says privacy engineering is “ripe to be embraced and incorporated into federal processes,” and has championed NIST’s Privacy Risk Management for Federal Information Systems, a draft report aimed at helping groups do just that. “Over the past several decades we’ve had a well-developed set of principles for how to address privacy,” Lefkovitz said. “But what we haven’t had are the tools that help bridge the implementation of those principles into protections that can be exhibited in information systems.” She calls the report “a communication and assessment tool for agencies.” [FierceGovernmentIT]

WW – Using Art to Explore “Hyper-Surveillance” and Secrets

Academy Award-winning documentarian Laura Poitras filmed famed dissidents Ai Weiwei and Jacob Appelbaum as they worked to create a piece of privacy-related art. The result? A meditation on “hyper-surveillance” and “secrets,” Poitras writes. While she filmed, Ai and Appelbaum worked to stuff pandas with shredded NSA documents leaked by Edward Snowden to Poitras and journalist Glenn Greenwald. The piece, entitled Panda to Panda, “playfully acknowledges and rejects state power” and is “the synthesis of two terms created by dissident cultures,” Poitras said. The work is rife with symbolic meaning and in-jokes; “panda” is Chinese slang for secret police, while the title itself references peer-to-peer communication. [The New York Times]

US Legislation

US – Senate Lets NSA Spying Expire

Sunday’s expiration is largely the fault of procedural hurdles, rather than genuine opposition in the Hill’s upper chamber. Although Paul’s staunch opposition requires the Senate to go through a series of procedural runarounds, the Freedom Act is likely to make it through the upper chamber next week. …”Congress now has the opportunity to build on this victory by making meaningful and lasting reforms to U.S. surveillance laws,” Sen. Ron Wyden (D-Ore.), a longtime NSA critic, said in a statement Sunday night. “After Republican leaders stalled for months in a failed attempt to rerun their old playbook for extending mass surveillance, they now have no excuse for not allowing a full debate on the USA Freedom Act as soon as possible. In my view this is the best way to bring new transparency and reforms to U.S. surveillance programs and to bring certainty to our intelligence agencies.” [HuffPost] [Senate lets NSA spy program lapse, at least for now] [Parts of Patriot Act Expire, Even As Senate Moves on Bill Limiting Surveillance] [NSA Loses Power to Collect Americans’ Phone Records] [Senate Votes To Turn NSA Spying Back On, But With Reforms] [Senate Shoots Down All Bad Amendments to the NSA Reform Bill] [Feds plot course to resume NSA spying] [Why the new USA Freedom Act is worthless] [NSA surveillance debate gives rise to bipartisan Civil Liberties Coalition]

US – Senate to Vote on USA FREEDOM Act

President Barack Obama signed into law the USA FREEDOM Act. The Senate let three provisions of the Patriot Act expire: Section 215, the section the government uses to collect phone and other business records in bulk, the “Lone Wolf provision,” and the “roving wiretap” provision. Section 215 now—at least temporarily—reverts to its pre-Patriot Act form, which doesn’t permit any collection of financial or communications records, and requires the Government to provide “specific and articulable facts” supporting a reason to believe that the target is an agent of a foreign power. This is a good thing. And of course, the government still has plenty of tools to investigate national security cases. [EFF] [US News & World Report: Reflecting on USA PATRIOT ACT’s Legacy] [Let the Clock Run Out on the NSA] [Demand Your Senator Join Rand Paul’s Fight Against Mass Surveillance] [Rand Paul Got One (Huge) Thing Right]

US – CISA Draws Support From Cyber Community

The Cybersecurity Information Sharing Act (CISA) has received the support of security experts who argue that legal protection for companies that disclose data breach details to the government will promote prevention and communication. “If a company gets attacked and releases that information, and everybody else is made aware of that, they can immediately protect themselves,” said the University at Buffalo’s Arun Vishwanath. Sen. Mitch McConnell (R-KY) has said the Senate will take up CISA as an amendment to the defense bill it is debating this week, the report states. [USA Today]

US – Dems: Don’t Include CISA in Defense Act

Following an announcement by Sen. Mitch McConnell (R-KY) that he planned to add the Cybersecurity Information Sharing Act (CISA) onto the National Defense Authorization Act (NDAA) as an amendment, the Senate’s Democratic leadership is urging him not to do that. The letter, which is signed by Sens. Harry Reid (D-NV), Dick Durbin (D-IL), Chuck Schumer (D-NY) and Patty Murray (D-WA), asks McConnell to “back down from his ‘ridiculous’ plan to attach” CISA to the NDAA, the report states, noting the NDAA is considered “must-pass” legislation. Including CISA in the NDAA “in a manner that allows neither debate nor amendment is ridiculous,” they wrote. [NationalJournal]

US – Senate Passes Cal-ECPA

The California Senate moved unanimously to approve the California Electronic Communications Privacy Act, or Cal-ECPA, a bill that prohibits law enforcement from seizing digital documents without a search warrant. Protected data includes cloud data, PINs, emails and smartphone information. The measure has garnered particular support from California-based tech companies such as Apple and Google as well as politicians and those in the privacy community. “Data is personal and can be regarded as private, thus search and seizure of this data should require authorization,” said John Casaretto, security consultant, in support of the Senate’s decision. [Silicon Angle] [Calif. Senate OKs Bill Calling for Warrants to Search Devices]

US – Connecticut Moves to Strengthen Breach Laws

The Connecticut General Assembly has tightened the state’s data breach laws to include both a 90-day deadline by which breaches must be reported as well as a year of free identity theft protection for victims whose SSNs were unlawfully shared. Connecticut Attorney General George Jepsen has said “his office will continue to scrutinize breaches and to take enforcement action against companies that unreasonably delay notification, even if the breach is reported less than 90 days after it was discovered,” the report states. The updates, set to go into effect October 1, have generated a positive buzz. “We had a good law in place, and this makes it better,” Jepsen said. [Government Technology]

US – Oregon Passes Bill Protecting Sexual Assault Victims

Oregon Gov. Kate Brown has signed into law a bill protecting the confidentiality of victims of sexual assault on college campuses in the state. This bill means that Oregon now has “one of the strongest confidentiality protections for victims of sexual assault and domestic violence in the country.” The law ensures the confidentiality of conversations with victim advocates and allows victims to determine when and if the incident becomes public. Oregon Attorney General Ellen Rosenblum was a vocal supporter of the bill and continues to advocate for a proposed revenge porn bill and a law restricting gun ownership for domestic violence offenders. [KTVZ] See also Oregon state attorney general supporting a bill that aims to prohibit software vendors from advertising to or collecting and retaining data from students.

US – Wyoming Privacy Constitutional Amendment Could Return

Rothfuss said he believes the proposal was voted down last session because some thought it went too far while others thought it didn’t go far enough. The Wyoming Press Association also expressed concerns the amendment could be used to prevent public information, such as criminal records of public officials, from being released. Jim Angell, the executive director of the group, said he continues to worry the amendment could lead to unintended consequences. “While I understand the concerns (behind the need for the amendment), the potential for abuse is too big,” he said. [Trib.com]

US – Other News

Workplace Privacy

CA – Employee Terminated for Single Violation of Privacy Policy

In a recent decision, Steel v. Coast Capital Savings Credit Union, 2015 BCCA 127, the B.C. Court of Appeal upheld the termination of a long service employee who was terminated for a single violation of the employer’s privacy policy. This is the second decision this year in which the Court of Appeal has upheld the termination of a long-term employee for a single act of misconduct (see Roe v. British Columbia Ferry Services Ltd., 2015 BCCA 1). This decision is encouraging for employers who are faced with an employee who has engaged in actions that undermine the trust necessary for a working employment relationship. Such actions could include the violation of an important employment policy, particularly where the employee is in a position of trust. While the Court of Appeal did not address the level of trust required of employees in the banking industry, it also did not overturn the trial judge’s broad application of this principle. Thus, the question regarding extent of this obligation in this industry remains open. [Mondaq]

WW – Using Wearables to Monitor Staff Health

Companies are increasingly expected to embrace wearable devices for their ability to monitor workers wearing them. Market research firm Tractica predicts the market for corporate and industry customers of wearables will grow “with remarkable speed,” the report states. While such customers represent just 1% of wearable device sales today, that number is expected to jump to 17% by 2020. “The single largest cost for employers is healthcare,” said Lindsey Irvine, director of strategic initiatives at Salesforce. “Yet 70% is attributed to things we can change, like diet and exercise and stress. What employers are looking for is a way to address that 70% cost curve.” [Forbes]

US – As States Regulate, Companies Must Look Across Borders

Connecticut became the 21st state to enact a social media privacy law. Without one federal privacy law, companies with employees across multiple states are required to stay abreast of which states require what. “There’s model legislation that to some extent has been followed, so most of these laws are similar, but they are not alike,” said attorney Howard Mavity. Most important for companies, Mavity said, is to know under which circumstances they are allowed to access employees’ social media accounts. [The Wall Street Journal]

+++

16-31 May 2015

Biometrics

WW – Facial-Recognition Software Addresses Privacy Concerns

Affectiva, a company that utilizes its facial-recognition software to measure reactions to advertisements and videos, addresses potential privacy concerns with its methods in a recent Advertising Age feature. While the company usually works with “opt-in” volunteers in a method akin to a focus group, it also places “huge emphasis on analyzing ads ‘in the wild,’” the article reports. Says Affectiva CEO Ken Denman, “We keep the metadata. We discard the image.” Unnamed Affectiva executives also confirmed that the company reserves its real-time analysis for “public venues” in which the individuals “are already being filmed.” [Full Story]

EU – Controversial Face Recognition Software Is Being Used by Police Scotland

Images of hundreds of thousands of Scots are contained on a controversial facial recognition database that is being used by the national police force, raising fresh fears over civil liberties. Officers have admitted to using the special technology, which attempts to identify faces captured on CCTV and other images, on more than 400 occasions. In addition, Police Scotland said it has uploaded hundreds of thousands of mugshots onto a UK-wide police database used as the main resource for facial recognition searches. Details of Police Scotland’s use of the technology were revealed in response to a Freedom of Information request. Independent watchdog Alastair MacGregor, the UK’s Biometrics Commissioner, has warned it may include hundreds of thousands of images of innocent people, raising questions about privacy. MPs on the Commons science and technology committee said they were “alarmed” to learn facial recognition technology could be used on pictures of innocent people. The database has continued to grow despite a High Court ruling in England which called on some forces to revise their procedures. [The Sunday Herald]

WW – Your Next Password Could Be Your Brain

According to New Scientist, researchers found that volunteers’ brains had a reaction to each of 75 acronyms (e.g., FBI, DVD) in a way that was unique to each individual. The difference between the volunteers’ brain reactions was enough for the system to pinpoint their identities with accuracy of up to 94%. The study, from Neurocomputing, is titled – appropriately enough – Brainprint. The work was done by a group of researchers from the Basque Center for Cognition and Binghamton University. This isn’t the first time that unique brain activity has been looked at as a potential authentication factor. [NakedSecurity]

US – Photos, Facial-Recognition and the Grocery Store Project

The Grocery Store Project was created by Simon Høgsberg using one camera to photograph 97,000 people outside a supermarket over a 21-month period. “Then he used facial recognition software to create a pedestrian survey of the people rushing past for his interactive series,” the report states, which “documents the intersecting lives of people who pass by each other almost daily, and it creates a fascinating ‘map’ showing how these lives converge.” The project “weaves together 457 people who happened to walk in front of his lens.” In all, he’s “identified and named 11,000 individuals,” the report states, noting only two people “said they didn’t want to be photographed,” and if anyone asked, Høgsberg told them he was “making a visual analysis of the Danish culture.” [Wired]

Big Data

WW – Big Data and the Potential for Racism? CMU Fellows Plan to Find Out

Alessandro Acquisti, professor at Carnegie Mellon University, is using his tenure as a Carnegie Corporation fellow to study the negative effects of data tracking, such as racial profiling. Cited as impetus was an October research initiative that found job candidates who identified as Muslim online were considered less for employment opportunities in neighborhoods with a majority of Republican voters. “If the market for information is not carefully regulated, big data can lead to a serious imbalance of power between individuals, whose information can be so easily exploited for profit, at times even unbeknownst to individuals, and companies, organizations and governments that have the upper hand,” said Laura Brandimarte, who coauthored a paper with Acquisti. [Post-Gazette.com]

WW – Frick: Data Tracking Paints a Pretty—Not Fretful—Picture

The use of data for art can take the sting out of “Big Brother,” data artist Laurie Frick argues. Frick, who uses information gleaned from apps and personal journals to create her works, is among a rising coterie of artists who see data as a “metaphor for the human experience,” or more specifically, according to Frick, “an essential idea of who we are.” She tells The Atlantic, “I think people are at a point where they are sick of worrying about who is or isn’t tracking their data. I say, run toward the data. Take your data back and turn it into something meaningful.” [Source] [The Musician Who Sees Life Through the Prism of PRISM]

US – Online Trust Alliance to Lead IoT Initiative

The Online Trust Alliance (OTA) has announced it is leading an initiative to develop a security, privacy and sustainability trust framework for Internet of Things (IoT) devices. The framework aims to provide clarity and confidence to consumers and will initially focus on connected home and wearable/fitness technologies, according to a press release. OTA hopes to use the framework as the basis for a potential certification program for IoT devices and their manufacturers. OTA’s Craig Spiezle said because of the rapid development of IoT products on the market “we must ensure that security and privacy best practices are integrated to maximize consumer protection.” A working group meeting is scheduled for June 16. [Full Story]

WW – How to Increase Value, Mitigate Risk

Accenture reports how organizations can preserve and increase the potential of personal data using five principles of corporate digital responsibility: stewardship, transparency, empowerment, equity and inclusion. In a recent Accenture survey of nearly 600 businesses globally, 79% of respondents said their companies collect data directly from individuals—such as online customer accounts, for example—as well as from commercial or data-sharing partnerships, connected devices and third-party data suppliers. “This data generates benefits for both businesses and customers—chief among them being the ability to deliver better customer experiences, enter new markets and make products more innovative,” the report states, noting that, at the same time, regulations are changing and regulators are increasing their scrutiny of businesses’ data practices. [Full Story]

Canada

CA – Oppositions Mounting to Bill C-51

Bill C-51 is just one aspect of the alarming privacy deficit the government has created. In the last 12 months alone we’ve seen stunning revelations about how the government’s spy agency CSE is spying on Canadians’ private online activities, and even on private emails that Canadians send to Members of Parliament. And we’ve seen Justice Minister Peter MacKay’s Online Spying Bill C-13 become law, despite opposition from three in four Canadians. Enough is enough: if there was one message coming through loud and clear from participants in our crowdsourcing process, it’s that Canadians are sick and tired of the seemingly endless series of government attacks on their privacy. The OpenMedia “pro-privacy action plan” has garnered the endorsement of a diverse group of advocacy and activist groups from across the ideological spectrum, including PEN Canada, the Canadian Constitution Foundation, Greenpeace and the National Firearms Association. And while he says that he hasn’t yet had the chance to review its findings in detail, federal privacy watchdog Daniel Therrien “welcomes” the initiative. “I believe it’s extremely important for Canadians to be involved in the debate around government surveillance and the kind of country we want,” he said in a written statement provided to CBC News. [Rabble: Liberals vs. liberties: Why Trudeau supports Bill C-51] [C-51: Crowdsourced report aims to stop Canada’s slide into ‘surveillance society’ Canada at a ‘tipping point,’ privacy advocates warn] [HuffPost: Could This Be the Antidote to Bill C-51?] [Canada’s National Security Agencies Need Parliamentary Oversight] [Think anyone’s going to repeal C-51? Don’t hold your breath]

CA – Spy Agencies Target Mobile Phones, App Stores to Implant Spyware

Users of millions of smartphones put at risk by certain mobile browser gaps, Snowden file shows. The case raises questions about whether government agencies, even covert ones, should carry some responsibility for informing citizens of weaknesses they’ve unearthed in devices, operating systems and online infrastructure. Taking advantage of weaknesses in apps like UC Browser “may make sense from a very narrow national security mindset, but it happened at the expense of the privacy and security of hundreds of millions of users worldwide,” says Deibert. “Of course, the security agencies don’t [disclose the information],” says Deibert. “Instead, they harbour the vulnerability. They essentially weaponize it.” For his part, Geist argues that there is an expectation that the federal government will protect Canadians. “We should be troubled by the notion of our spy agencies — and in a sense our government — actively looking for vulnerabilities or weaknesses in the software that millions of people are using,” said Geist. [Source] [How CSE’s existence was first revealed by CBC TV] [Your government is spying on you online. Here’s what you can do about it]

CA – Canada Failing at Tracking Terrorist Financing

But FINTRAC will also need new oversight, the experts said. If it is tracking every single electronic funds transfer made through Canadian financial institutions, there is a greater risk of privacy breaches, as well as of FINTRAC acting unlawfully or ineffectively. Privacy audits have already shown that, even at the $10,000 threshold, some transactions were inappropriately flagged based solely on race, country of origin or age. And there currently is no independent oversight mechanism to make sure FINTRAC is good value-for-money or that it acts within the law. [Source] [Solicitor Client Privilege in Tax Matters]

CA – Expansion of PIPEDA in Budget Bill Raises Constitutional Questions

The Canadian government’s omnibus budget implementation bill (Bill C-59) has attracted attention for its inclusion of copyright term extension for sound recordings and the retroactive changes to the Access to Information Act. Another legislative reform buried within the bill is a significant change to PIPEDA. The bill adds a new Schedule 4 to PIPEDA, which allows the government to specify organizations in the schedule to which PIPEDA applies. Bill C-59 immediately adds one organization: the World Anti-Doping Agency (WADA), which is based in Montreal. Leaving aside the obvious problem of burying privacy reforms in a budget bill (in fact, privacy, copyright, and access to information all within a single bill with little or no study of those reforms), the change is a potential target for a constitutional challenge. While there have even been some questions about relying on trade and commerce for PIPEDA, particularly after the Supreme Court of Canada decision involving a national securities regulator, there has never been any doubt that PIPEDA applies solely to commercial activities (Privacy Commissioner interpretation bulletin) as that is essential for the constitutional basis for the law. The problem with the Bill C-59 change is that it seeks to extend PIPEDA to non-commercial activities. While PIPEDA provides clear rules for organizations in the context of commercial activity, it does not currently apply to organizations such as the World Anti-Doping Agency, an international, independent organization headquartered in Montreal. [Source]

CA – Ottawa Announces Plan to Monitor Prescription Drug Abuse

Health Minister Rona Ambrose said the government will give the Canadian Institute for Health Information nearly $4.3-million over five years to develop a co-ordinated national monitoring and surveillance program. …Several provinces, including Ontario and Nova Scotia, have created prescription monitoring programs, which typically target individuals who visit multiple doctors or pharmacies to get more opioids. The funding will help CIHI work with provinces to enhance data collection and analysis and create a national report on surveillance. [Globe & Mail]

CA – Crowdsourced Plan Aims to Tackle “Privacy Deficit”

OpenMedia’s David Christopher writes about the organization’s “crowd-sourced pro-privacy action plan,” launched this week. Privacy Commissioner Daniel Therrien has “welcomed” the initiative, CBC News reports. Canada’s Privacy Plan: A Crowdsourced Agenda for Tackling Canada’s Privacy Deficit begins with an introduction suggesting the country’s “growing privacy deficit has alarming consequences for our everyday lives. We’re at a tipping point where we need to decide whether to continue evolving into a surveillance society, or whether to rein in the government’s spying apparatus before more lives are ruined by information disclosures.” The plan includes “common sense” tips for strengthening privacy. [HuffPost] [Canadians to Spy Agencies: Get a Warrant!]

CA – Toronto Police Body Cameras Raise Privacy Concerns

Executive Director Sukanya Pillay of the Canadian Civil Liberties Association says body cameras can be a “good thing for accountability,” but they raise a number of questions that need to be addressed as part of the pilot project. …Pillay said there must be strict controls on how footage is recorded, stored, flagged and accessed in order to protect citizens captured on film. “Strict protocols have to be in place in order for it to serve the function of accountability,” she said. [CTV] [Toronto police start year-long pilot project to test body cameras for officers] [Globe & Mail: Police Start Pilot to Test Body-Worn Cameras]

CA – Manitoba Court Interprets Common Law Tort of Intrusion Upon Seclusion

The Manitoba Court of Appeal has held that the tort of intrusion upon seclusion may allow family members, who have suffered as a result of a breach of a privacy of another family member, to advance a claim in their own right. …It is likely too early to know the significance of the Court’s decision in Grant, as the courts in Manitoba have not yet truly examined if the tort of intrusion upon seclusion can be expanded to give family members of a victim an ability to advance the tort. However, it will be interesting to see how other jurisdictions apply the ultimate ruling in Grant. [Source] See also: [MB: Province readying to unseal adoption records next month]

CA – Ontario Decision Suggests Corporation Can Sue for Breach of Privacy

On February 19th, the Ontario Superior Court of Justice declined to strike a pleading that alleged a company unlawfully interfered with a competitor’s economic relations by receiving confidential information about a client (BC Cancer) that was sought after by both organizations. The Court held that the pleading was sustainable because BC Cancer had an arguable claim against the recipient organization based on the “intrusion upon seclusion” tort, suggesting that the tort is available to natural persons and corporations. As stressed by the Court, on a motion to strike a court errs on the side of permitting a novel but arguable claim to proceed to trial. [Source]

CA – IPC Publishes Privacy Impact Assessment (PIA) Guide

Ontario public sector institutions must meet high standards of care and trust whenever collecting, using and disclosing personal and other sensitive information. Any public institution considering new information technologies, systems, and program services which may affect privacy is strongly encouraged to complete a privacy impact assessment (PIA). A PIA is an organizational risk management tool and a process used to identify the effects of a given process or other activity upon an individual’s privacy. PIAs also serve to identify any risks to the institution. The IPC’s new guide, “Planning for Success,” provides institutions with step-by-step advice on how to carry out a PIA from beginning to end. The new guide will help institutions define scope, engage internal and external stakeholders, understand information flows, identify privacy solutions and prepare an effective PIA report. Beginning a PIA early in a project’s development provides a systematic basis for mitigating privacy risks at every step, and for documenting decisions for accountability and compliance purposes. [Source] [Guide]

Consumer

US – Report: Americans Don’t Trust Gov’t, Business to Protect Privacy

A new report from the Pew Research Center reveals that Americans don’t trust the government or companies to protect their privacy. Conducted online in 2014 and early 2015, the survey found that nine in 10 adults value controlling their personal information, but half said they felt they had little or no control of their data. Approximately two-thirds said government surveillance limits are inadequate. More than three-fourths said they did not trust advertisers to protect their data, and two-thirds said they had no confidence social media sites, search engines or video sites would do so either. Additionally, more than half said they did not want to be monitored in public or in the workplace. [New York Times] Another finding from the survey: a majority (65%) of Americans do not believe there are adequate limits on “what telephone and Internet data the government can collect” as part of anti-terrorism efforts vs just under a third (31%) who do believe there are appropriate limits on the kinds of data gathered for these programs. Pew notes that respondents who are more aware of government online surveillance programs are considerably more likely to believe adequate safeguards are not in place; 74% of those who have heard “a lot” about these programs say limits are not adequate vs 62% who have heard only “a little” about the monitoring programs. [TechCrunch: Another Pew Privacy Report Flags Huge Public Mistrust]

US – Poll: Update the USA PATRIOT Act

As the USA PATRIOT Act’s expiration nears, polls conducted by the ACLU indicate that more than 80% of Americans across party lines are “concerned” about the bill’s privacy implications, while 60% of respondents support “revising” the bill to reflect said concern, Newsweek reports. “The poll results tell us that in order to be more reflective of the public’s views on surveillance and the PATRIOT Act, members of Congress should more fully support reforms,” says the ACLU’s legislative counsel, Neema Singh Guliani. [Newsweek]

US – NBCUniversal to Use Comcast Data to Tailor Ads

Critics—and lawmakers—are wary of NBCUniversal’s announcement it will utilize data from customers’ Comcast DVR boxes to tailor TV advertisements. NBC is calling the initiative an “audience targeting platform,” and the corporation is excited about the possibilities. Comcast said it is “not sharing personally identifiable information about its customers, but simply providing a software tool that allows programmers, like NBCUniversal, to run certain queries,” the report states. The Electronic Frontier Foundation’s Lee Tien said, “I would ask them, ‘How are you technically implementing that?’ Exactly what data is generated in the process, and then how do you process that data in a way that it does not or cannot reveal the things that you say that you’re not trying to reveal?” [International Business Times]

E-Government

US – NIST Putting Finishing Touches on Privacy Framework

The National Institute for Standards and Technology (NIST) is set to finalize an interagency report that will provide guidance for federal agencies on assessing and mitigating digital privacy risks. “Cybersecurity has come a long way in the last 10 years,” said NIST’s Sean Brooks, while “privacy has really lagged behind.” Brooks added that the framework aims to guide privacy initiatives from compliance to engineering and development staff “and even up to executive staff who are trying to deal with risks and make decisions about funding in order to mitigate those risks.” Transportation Department Chief Data Officer Dan Morgan said, “We can build all the beautiful digital services that we want, but if people don’t trust them, they’re not going to use them.” [Fierce Government IT]

US – IRS System Mined For Over 100,000 Taxpayer Records by Fraudsters

Apparently stolen data from other breaches was used to answer authentication questions. The Get Transcript application, a feature of the IRS’ site that allows taxpayers to download tax return and tax payment transaction data, was apparently targeted by financial fraudsters between February and mid-May. The service was shut down last week as the IRS investigated the activity, which may have been linked to the fraudulent filing of tax returns and transfer of tax refunds. Attempts were made to access over 200,000 accounts; roughly half failed because of incorrect information inputted during the IRS’ authentication process. [Source] [Hackers stole personal information from 104,000 taxpayers, IRS says]

E-Mail

CA – The Impact of Canadian Anti-Spam Legislation on Subscriber Rates

The hard truth? Without a doubt, marketers’ efforts to be CASL compliant hurt subscriber growth rates. …Unfortunately for marketers and consumers alike, spam is still a problem, even as subscriber growth is slowing down. Cloudmark’s most recent study was a real eye opener on the overall drop in Canadian spam and even legitimate email being sent. Sadly, we haven’t seen CASL truly protect Canadians as it was initially intended just yet, considering spam email to Canadians has stayed nearly consistent.

  • 37% reduction in spam originating in Canada, the majority of that going to the United States
  • 29% reduction in all email received by Canadians, spam and legitimate
  • No significant change in the percentage of emails received by Canadians that were spam. [Source]

Electronic Records

US – EHealth Operators Waiting on Behavioral Health Guidance, Regulations

Providers, electronic health record developers and health-information exchange operators are “still waiting for new regulations or guidance on electronically handling highly sensitive behavioral health information.” The Substance Abuse and Mental Health Services Administration held a national listening session on possibly updating its rule protecting patients of federally funded drug and alcohol treatment centers, the report states. The rule is seen by some as a barrier to interoperability of healthcare information systems. But patient advocates say patient consent, the aspect seen as a barrier to info-sharing, is an important part of the law. The listening session drew mixed comments on whether government should expand access to behavioral health information. [Modern Healthcare]

Encryption

WW – Finding Solutions for Encrypted Data in the Cloud

University of Wisconsin Prof. Thomas Ristenpart describes the traditionally dicey enterprise of encrypting data in the cloud without breaking cloud applications, likening it to pounding square pegs into round holes. “Back in 2009,” he writes, he and other researchers “flipped the problem around.” He and his team created “format-preserving encryption” that can “solve the key usability issues of making it easy to specify a ‘peg size’.” Ristenpart adds, “It’s gratifying to see emerging security technologies bring these types of academic breakthroughs to the cloud security market.” [Full Story]

US – DHS Secretary Warns of Post-Snowden Encryption Market

U.S. Homeland Security Secretary Jeh Johnson said disclosures from Edward Snowden on the NSA’s bulk surveillance programs have “changed the landscape” for encryption services, Politico reports. “We are concerned that with deeper and deeper encryption, the demands of the marketplace for greater cybersecurity, deeper encryption in basic communications … It’s making it harder for the FBI and state and local law enforcement to track crime, to track potential terrorist activity,” he said, adding, “We’ve got to find a solution to this, and we’re thinking about this very actively right now.” His remarks come after the House of Representatives voted to formally end the NSA’s bulk telephony data collection. [MSNBC]

WW – HTTPS Vulnerability Affects 10% of World’s Top Websites

Tens of thousands of HTTPS-protected websites—8.4% of the world’s top one million sites—as well as mail servers and other Internet services are currently vulnerable to a newly discovered attack that allows adversaries to eavesdrop on communications and downgrade encryption levels. The vulnerability, called Logjam, resides in the transport layer security protocol used by mail servers and websites to encrypt connections with users, the report states, and is a result of export restrictions mandated by the U.S. government in the 1990s so agencies could break foreign users’ encryption. “Logjam shows us once again why it’s a terrible idea to deliberately weaken cryptography, as the FBI and some in law enforcement are now calling for,” said one researcher. [Ars Technica]

AU – Teaching Encryption Could Soon Be Illegal in Australia

Under the Defence Trade Control Act (DTCA), Australians could face up to ten years in prison for teaching encryption. Criminal charges will go into effect next year. The new legislation will make it illegal for Australians to teach or provide information on encryption without having a permit. [Source]

WW – Logjam Flaw HTTPS-Crippling Attack Threatens Web And Mail Servers

Tens of thousands of HTTPS domains contain a vulnerability in the transport layer security protocol that the sites use to establish encrypted communications with users. The Logjam vulnerability can be exploited to access and modify data traveling through encrypted connections. The problem can be traced to export restrictions the US government imposed twenty years ago. [ZDNet] [Wired] [DarkReading] [Ars Technica] [Weakdh]
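Both Logjam items above describe the flaw at the level of the news story. The following is an added example, not code from this digest or from the Logjam researchers: it parses the ServerDHParams structure at the start of a TLS 1.2 DHE ServerKeyExchange message (RFC 5246, section 7.4.3) and classifies the server's Diffie-Hellman group by the bit length of the prime modulus, which is the check a defender runs on a captured handshake or a scan result. The sample messages are constructed (the moduli are only values of the right bit length, not real primes), and the 2048-bit threshold follows the weakdh.org recommendation.

```python
# Added example (not from the original digest): parse the ServerDHParams
# structure from a TLS 1.2 DHE ServerKeyExchange body (RFC 5246 section 7.4.3)
# and flag Diffie-Hellman groups too small to resist the precomputation
# attack Logjam describes. All sample messages below are constructed.

from dataclasses import dataclass
from typing import Tuple

# 512-bit "export" groups are broken outright; 1024-bit groups are within
# reach of well-resourced attackers; 2048 bits is the weakdh.org minimum.
EXPORT_GRADE_BITS = 512
RECOMMENDED_MIN_BITS = 2048


@dataclass
class ServerDHParams:
    p: int   # prime modulus dh_p
    g: int   # generator dh_g
    ys: int  # server public value dh_Ys

    @property
    def p_bits(self) -> int:
        return self.p.bit_length()


def _read_opaque16(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Read one <1..2^16-1> length-prefixed vector; return (value, new offset)."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    n = int.from_bytes(buf[off:off + 2], "big")
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("truncated or empty vector")
    return buf[off:off + n], off + n


def parse_server_dh_params(body: bytes) -> ServerDHParams:
    """Parse dh_p, dh_g and dh_Ys; any trailing signature bytes are ignored."""
    p_raw, off = _read_opaque16(body, 0)
    g_raw, off = _read_opaque16(body, off)
    ys_raw, off = _read_opaque16(body, off)
    return ServerDHParams(
        p=int.from_bytes(p_raw, "big"),
        g=int.from_bytes(g_raw, "big"),
        ys=int.from_bytes(ys_raw, "big"),
    )


def assess_dh_group(params: ServerDHParams) -> str:
    """Classify the group purely by the size of the prime modulus."""
    bits = params.p_bits
    if bits <= EXPORT_GRADE_BITS:
        return "export-grade"
    if bits < RECOMMENDED_MIN_BITS:
        return "weak"
    return "acceptable"


def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Build a ServerDHParams body; used here only to construct samples."""
    def opaque16(v: int) -> bytes:
        raw = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
        return len(raw).to_bytes(2, "big") + raw
    return opaque16(p) + opaque16(g) + opaque16(ys)


# Constructed samples: (1 << 511) | 1 is exactly 512 bits long, and so on.
# These are not primes; a scanner only needs the length to classify them.
SAMPLE_EXPORT = encode_server_dh_params(p=(1 << 511) | 1, g=2, ys=12345)
SAMPLE_1024 = encode_server_dh_params(p=(1 << 1023) | 1, g=2, ys=12345)
SAMPLE_2048 = encode_server_dh_params(p=(1 << 2047) | 1, g=2, ys=12345)


if __name__ == "__main__":
    for name, msg in (("export", SAMPLE_EXPORT),
                      ("1024-bit", SAMPLE_1024),
                      ("2048-bit", SAMPLE_2048)):
        params = parse_server_dh_params(msg)
        print(f"{name}: p is {params.p_bits} bits -> {assess_dh_group(params)}")
```

The check deliberately looks only at the modulus length: a server can offer a non-export cipher suite and still hand out a 512- or 1024-bit group, which is why the remediation advice was to generate a fresh 2048-bit group rather than merely to drop the EXPORT suites.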

WW – Visa Increasing Bank Reimbursements After Breaches

Visa has agreed to increase pay to banking institutions when they have to reissue cards in the wake of data breaches. Visa will reimburse on a tier system, with more help going to community institutions than the larger brands. The reimbursements will work on an annual card-purchase volume. There’s been an ongoing debate between merchants and banking institutions over who should be held accountable for card fraud. While banks say retailers should be held accountable for expenses related to breaches in which they hold some responsibility, retailers say the interchange fees they pay to card brands to route transactions are meant to cover breach-related expenses. [Bank Info Security]

US – Tech Giants Don’t Want Police Access to Encrypted Phone Data

Tech behemoths including Apple and Google and leading cryptologists are urging President Obama to reject any government proposal that alters the security of smartphones and other communications devices so that law enforcement can view decrypted data. In a letter to be sent Tuesday and obtained by The Washington Post, a coalition of tech firms, security experts and others appeal to the White House to protect privacy rights as it considers how to address law enforcement’s need to access data that is increasingly encrypted. “Strong encryption is the cornerstone of the modern information economy’s security,” said the letter, signed by more than 140 tech companies, prominent technologists and civil society groups. [Source] [Apple, Google and More Bring Privacy Fears to Obama]

EU Developments

EU – Draft Text: Fines for RTBF Violations Would Increase

EU ambassadors have agreed to a draft text proposed by Latvia—which currently holds the rotating presidency of the EU—that would implement three levels of fines for businesses that violate the EU’s data protection overhaul. The levels range from one-half percent to two percent of an organization’s annual global turnover. Failure to “erase personal data in violation of the right to erasure and ‘to be forgotten’” would be included in the second category of a one-percent fine. If all of the sections of the reform proposal are agreed upon, EU ministers could endorse the entire text at their mid-June meetings, the report states, and trialogue discussions between member state representatives and the European Parliament would commence. [EurActiv]

EU – EU, APEC to Streamline BCR/CBPR Process

Winning approval for both binding corporate rules (BCRs) and cross-border privacy rules (CBPRs) takes significant work. But to demonstrate compliance, many of the administrative hurdles are the same. That’s why, as companies increasingly turn to BCRs and CBPRs as data transfer mechanisms, an EU/APEC working group has approved a plan for increased interoperability by making it easier for companies to comply with both BCRs and CBPRs all at once. “The idea is that organizations will be able to submit the single questionnaire to both EU DPAs, whose approval is needed for organizations to be granted BCRs, and to APEC Accountability Agents, whose approval is needed to be granted CBPRs.” [Full Story]

EU – Member States Calling for Transparency from Internet Giants

Ahead of a European Council meeting on proposed cybersecurity rules, France, Germany and Spain are hijacking the debate in hopes of using the rules to “boost control and surveillance over Internet companies, claiming they are critical to their economies and communication networks.” The proposal requests that Internet firms offer “greater transparency” to the EU and that firms outside the EU “report security breaches to national regulators in each member state,” similar to the burden placed on European telecom companies. “Nevertheless,” the report states, “the proposed rules will likely add to the long list of disputes pitting European authorities against U.S. tech firms.” [Politico]

EU – Belgium, Facebook and the Single Data Controller

The Belgian Privacy Commission published the first part of its recommendation after investigating Facebook’s data processing activities. While much of it justifies why Facebook is subject to Belgian law, it also reveals some important insight on the regulatory interpretation of the EU Data Protection Directive’s applicable law principles and highlights the growing concern around “forum shopping.” Tim Van Canneyt outlines the applicable law tests and offers measures multinationals can take in their approach to compliance with EU law, noting, “While it … makes sense to create an EU subsidiary to fulfill a data-controller role, it is not sufficient to simply ‘nominate’ one on paper.” [Privacy Tracker] Facebook Global Deputy Chief Privacy Officer Stephen Deadman says the one-stop-shop mechanism in the proposed General Data Protection Regulation is “in danger” and speaks from experience of the likely consequences for the EU if the one-stop shop is rejected or seriously watered down. Phil Lee says the General Data Protection Regulation will not prevent forum shopping because “businesses don’t choose their homes based on data protection alone.”

EU – Ireland Is Now Officially Twitter’s Global Legal Center

Following up on an announcement last month, Twitter officially made Ireland its global legal center. The move affects all non-U.S. Twitter users, according to a statement on the move. “It’s possible that Twitter may be anticipating a change in Safe Harbor because of recent developments and the direction European authorities are taking,” said Daragh O’Brien, adding, “If so, it would help them to have a single defined office.” The Office of the Irish Data Protection Commissioner (DPC) said it won’t have a new mountain of work, however, a separate Irish Independent report states. DPC Helen Dixon said that “even though Twitter users up to last week were signed up under ‘Twitter Inc.,’ we would always have seen ourselves as responsible.” [Irish Independent]

EU – New Telecom Law Proposed

In Germany, telecommunications and Internet companies “could once again be forced to store customer traffic and location metadata for police investigation purposes, five years after a previous data retention law was declared unconstitutional.” Under a draft data retention law released Wednesday, providers would be required “to store call and Internet traffic metadata for a maximum of 10 weeks while location data would have to be stored for four weeks,” the report states, noting Germany’s government believes “it strikes the right balance between freedom and security in the digital world.” [PCWorld]

UK – Just 1% of Public Would Go to Information Commissioner’s Office

Almost half of the population don’t know who to go to for advice on protecting their personal data online. When asked who they would go to for advice on protecting their data, only 1% named the ICO while almost half (45%) of the 1,222 respondents said they ‘don’t know’, a poll by ComRes found. 35% said they would ask the Citizens Advice Bureau, 15% said they would search online while 13% would ask a lawyer. [ComputerWorld]

EU – Belgian Watchdog Raps Facebook for Treating Personal Data ‘With Contempt’

Facebook is facing a wave of probes by European regulators into its privacy practices. The Belgian report, which was released Friday, is part of a broader effort by privacy regulators in several European countries to examine new privacy policies Facebook implemented this year for use of data from its services, which include Instagram and WhatsApp, to target advertising. The review is being led by authorities in the Netherlands and includes watchdogs in France, Spain and Germany. Belgium’s Privacy Commission, in its 28-page report, said Facebook processes the personal data of its members as well as other Internet users “in secret,” without asking for consent or adequately explaining how the data would be used. [WSJ] [The Belgian Commission for the Protection of Privacy has released a lengthy “recommendation” that outlines its beliefs as to why it has competency to regulate Facebook.] [ECJ Ruling Could Invalidate Safe Harbor: Opinion] SEE ALSO [Belgian authorities have taken Skype to court because it refused to allow two suspects’ Skype calls to be tapped. Skype says it isn’t subject to wiretap legislation]

EU – Other News

Facts & Stats

WW – Salary Survey Released at Symposium

In conjunction with the IAPP Canada Privacy Symposium, the IAPP released the first regional breakout of its biennial Privacy Professionals Salary Survey. The report offers insight from about 200 Canadian privacy professionals on salary levels according to variables such as privacy experience, certifications, industry, size of organization, gender and more. The survey finds that the median salary for Canadian privacy professionals is $74,005, with the software and services industry topping the scales at $88,648. Also, take a look at data on recent raises and bonuses received and the differences in salaries related to position and acquiring a certification. [Full Story] See also: [Cost of data breaches increasing to average of $3.8 million, new Ponemon study says]

Filtering

EU – Google, Max Mosley Reach Settlement on Censored Images

Google and Max Mosley, formerly of Formula One, have settled a long-running legal dispute involving compromising images of the well-known UK figure that were published in 2008. Mosley had urged Google to automatically remove links to the images, but the company had argued that it should remove such links on a case-by-case basis. In many ways, the Mosley case previewed the EU’s so-called right-to-be-forgotten phenomenon. Terms of the deal between Google and Mosley have not been disclosed, but according to the report, suits filed by Mosley in Germany, France and the UK have all been settled. [The Wall Street Journal]

Finance

US – States Settle With Credit Bureaus on Consumer Reports

31 states have reached a settlement with credit bureaus Equifax, Experian and TransUnion requiring them to alter the way they handle consumers’ financial and credit history data. Topping the list of changes, the firms must provide the participating states with the lender names and other businesses that consistently share erroneous data. If the states see a spike in consumer complaints regarding inaccurate information, the state attorneys general (AGs) may have the option to investigate. The settlement is similar to one reached between the credit bureaus and the New York AG. Ohio AG Mike DeWine said complaints have risen in the past year, adding, credit bureaus “have a flawed system that cannot effectively work. Changing (that) behavior was (a) No. 1 priority.” [The Wall Street Journal] [ABC News: 31-State Deal Should Make Credit Report Errors Easier to Fix]

CA – Terrorist Activity Financing Indicators Published

Canadian businesses and reporting entities such as financial institutions generally have little experience with terrorist financing and what to look out for to comply with Anti-Money Laundering requirements. As part of the federal government’s broader intelligence efforts to counter these threats, the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) has worked with Canadian law enforcement and national security partners to update indicators of terrorist activity financing, which is often effected through money laundering. Available publicly for the first time, FINTRAC’s updated list highlights actions which could indicate money laundering activities. It red-flags transactions where there could be reasonable grounds to suspect a terrorist activity financing offence.

Indicators linked to Terrorist Activity Financing:

  1. Client accesses accounts, and/or uses debit or credit cards in high-risk jurisdictions (including cities or districts of concern), specifically countries (and adjacent countries) under conflict and / or political instability or known to support terrorist activities and organizations.
  2. Client identified by media or law enforcement as having travelled, attempted / intended to travel to high-risk jurisdictions (including cities or districts of concern), specifically countries (and adjacent countries) under conflict and/or political instability or known to support terrorist activities and organizations.
  3. Client conducted travel-related purchases (e.g. purchase of airline tickets, travel visa, passport, etc.) linked to high-risk jurisdictions (including cities or districts of concern), specifically countries (and adjacent countries) under conflict and/or political instability or known to support terrorist activities and organizations.
  4. The client mentions that they will be travelling to, are currently in, or have returned from, a high risk jurisdiction (including cities or districts of concern), specifically countries (and adjacent countries) under conflict and/or political instability or known to support terrorist activities and organizations.
  5. Client depletes account(s) by way of cash withdrawal.
  6. Client or account activity indicates the sale of personal property / possessions.
  7. Individual/entity’s online presence supports violent extremism or radicalization.
  8. Client indicates planned cease date to account activity.
  9. Client utters threats of violence that could be of concern to national security / public safety.
  10. Sudden settlement of debt(s) or payments of debts by unrelated third party(ies).
  11. Law enforcement indicates to reporting entity the individual/entity may be relevant to a law enforcement and/or national security investigation.
  12. Client’s transactions involve individual(s) / entity(ies) identified by media or law enforcement as the subject of a terrorist financing or national security investigation.
  13. Client donates to a cause that is subject to derogatory publicly available information (crowdfunding initiative, charity, NPO, NGO, etc.).
  14. Client conducts uncharacteristic purchases (e.g. camping/outdoor equipment, weapons, ammonium nitrate, hydrogen peroxide, acetone, propane, etc.).
  15. A large number of email transfers between client and unrelated third party(ies).
  16. Client provides multiple variations of name, address, phone number or additional identifiers.
  17. The sudden conversion of financial assets to a virtual currency exchange or virtual currency intermediary that allows for increased anonymity.

For more information on reporting suspicious transaction reports to FINTRAC, click here to access the agency’s Suspicious Transactions guidelines. [Mondaq News]

CA – Bank Fails to Advise Credit Bureaus of Inaccurate Personal Information

It is important that all organizations and their employees be familiar with their privacy policies and implement them accordingly. Otherwise, the organization may be exposed to claims, such as in the case of Albayate v. Bank of Montreal, 2015 BCSC 69. In this case, the Bank changed Ms. Albayate’s mailing address in its computer system without her consent and authorization. As a result of this error, three envelopes containing Ms. Albayate’s Bank statements were sent to her ex-husband’s address (the evidence suggested that the letters were not opened by Mr. Albayate). The Bank also reported the inaccurate personal information to two credit bureaus, Equifax and TransUnion. When the Bank learned of its mistake, it promptly corrected the error on its computer system, but failed to advise the credit bureaus of this correction immediately as mandated by the Bank’s privacy policy. Although many of Ms. Albayate’s allegations were not accepted, she established her claim that the Bank breached her privacy rights under the Privacy Act, RSBC 1996, c 373 and that the Bank breached its privacy policy, which formed part of its contract with Ms. Albayate. [Mondaq]

WW – PCI: 5 New Security Requirements

New Task Force Created to Assist Smaller Merchants. Five best practices noted in version 3.0 of the PCI Data Security Standard will become requirements after June 30, and smaller merchants are likely to be the most affected. That’s because the new requirements relate to point-of-sale vulnerabilities that have commonly been linked to exploits at small and mid-sized businesses. The best practices, which were included when PCI-DSS version 3.0 was released in November 2013, state:

  1. Merchants should secure authentication and online session management, to help prevent the theft of online credentials;
  2. Third-party service providers with remote access to POS systems should use a unique passcode credential for each merchant customer;
  3. Service providers should confirm in writing that they are responsible for the security of cardholder data they store, process or transmit on behalf of the merchant;
  4. Merchants should regularly inspect POS devices to ensure they have not been “swapped” or tampered with to skim or collect card details;
  5. Merchants should conduct regular penetration testing through simulated device attack scenarios to exploit known and possible vulnerabilities.

The PCI Security Standards Council says merchants of all sizes are increasingly at risk, and that these requirements reflect areas all businesses should address. [Bank Information Security]

WW – Bitcoin Releases Privacy Rating Report

The Open Bitcoin Privacy Project (OBPP) has released what it’s calling the Spring 2015 Wallet Privacy Rating Report to assess the effectiveness of the top 10 most popular Bitcoin wallets in protecting users’ privacy. The wallets underwent 38 privacy tests that were grouped into five categories, and each test was assigned classifications in relation to usability, quality and feedback. Overall, Darkwallet ranked first among the major Bitcoin wallets and was the first to be “explicitly devoted to privacy as a primary design goal,” the report states. Armory ranked second, followed by Mycelium and Bitcoin Wallet. [CoinReport]

WW – Facts About FATCA, America’s Global Disclosure Law

FATCA requires foreign banks to reveal Americans with accounts over $50,000. Non-compliant institutions could be frozen out of U.S. markets, so everyone is complying. …More than 80 nations—including virtually all that matter—have agreed to the law. So far, over 77,000 foreign financial institutions (FFIs) have signed on too. Countries must throw their agreement behind the law or face dire repercussions. Even tax havens have joined up. The IRS has a searchable list of financial institutions. Countries on board are at FATCA – Archive. [Forbes] [NYT: An American Tax Nightmare] [Solicitor Client Privilege in Tax Matters]

CA – Thousands of CRA Employees Fell for Fake Phishing E-Mail Test

Over the first three months of this year, the agency’s security and internal-affairs division sent 16,000 employees an e-mail designed to replicate the potentially dangerous messages that are common to anyone with an e-mail account. …The result of the CRA’s test was that 78% of employees did not click on the link contained in phishing attempts. However, that means roughly 3,500 employees did fall for the scam, even though they were informed ahead of time that the test would take place. [Globe & Mail] See also: [What To Do When Your Nonprofit Becomes The Target Of A Phishing Scam]

FOI

CA – Yukon Gov’t Keeping Names, Salaries Private

The Yukon government is refusing to release names and specific salaries of public-sector workers that make more than $100,000. Currie Dixon, the minister responsible for the Yukon Public Service Commission, said in an announcement that doing so would violate the Yukon Access to Information and Protection of Privacy Act. The statement was made in response to a CBC inquiry related to a report on “sunshine lists” that noted, “Government is the top public-sector employer in Yukon, accounting for 40% of the total jobs … It turns out a sunshine list is not a popular idea with either the territorial government or the union representing its employees.” [CBC] [Source]

US – Privacy Often Trumps Transparency With Police Shooting Videos

Across the country, law enforcement agencies are equipping police and patrol cars with cameras to capture interactions between officers and the public. But many of those police forces, like Gardena’s, do not release the recordings to the public, citing concerns about violating the privacy of officers and others shown in the recordings and the possibility of interfering with investigations. That approach has drawn criticism from some civil rights activists who say that the public release of recordings is crucial to holding police accountable — especially if the officers involved in the incidents are allowed to view the videos. [LA Times]

Health / Medical

US – House Committee Supports 21st Century Cures

In a move to hasten research “that could lead to the availability of promising medical treatments and devices,” the House Committee on Energy and Commerce has voted unanimously in favor of the 21st Century Cures bill, which looks to remove the patient consent requirement for covered entities to use protected health information (PHI) for academic purposes. The move has raised concerns, however. “The patient control is being relaxed, yet it’s unclear to me where the data will go,” said the Center for Democracy & Technology’s Michelle De Mooy.

US – Bill Altering HIPAA Privacy Rule Advances Legislation

Legislation that requires significant changes to the HIPAA privacy regulations could result in “significant administrative hurdles and burdens,” Holtzman says. “For example, if there would be significant changes to when healthcare providers and health plans can use or disclose PHI, they would be required under existing regulations to update their notices of privacy practices,” he says. “As we saw with the implementation of the Omnibus Rule in 2013, there are significant costs in developing and distributing the notices.” If the legislation is approved, it could take some time for the privacy changes to affect healthcare providers and business associates. “If the bill is passed into law – always a big if – it provides HHS with a year to implement the law through regulations,” Greene notes. “Realistically, though, it may take far longer before HHS is able to publish a final rule.” [GovInfoSecurity]

WW – Health Organizations Cite Privacy as Top Concern

In the Office of the National Coordinator for Health IT’s recently published public comments on its draft for nationwide interoperability, health data privacy and security were top issues for several organizations. The office released Connecting Health and Care for the Nation: A Shared Nationwide Interoperability Roadmap Draft Version 1.0 in January, and in the public comments, accepted through April 3, many agencies said they were in favor of interoperability and data exchanges but that providers “must be interoperable without sacrificing patient privacy in the process,” the report states. Intel submitted that privacy and security protections must be addressed holistically through “effective end-to-end security” to protect against exploitations like cybercrime. [HealthITSecurity]

US – HIPAA Audits to Continue

Privacy This Week reports the second phase of the Department of Health and Human Services Office for Civil Rights Health Insurance Portability and Accountability Act audits “is on its way.” [GovInfo Security]

US – DHS: Lapses in USCG Privacy Protocol Need Attention

The Department of Homeland Security is requesting that the U.S. Coast Guard (USCG) establish consistent processes for workers’ healthcare record security after audits found the current systems, or lack thereof, troubling. “USCG is limiting its ability to assess risks and mitigate potential for privacy or HIPAA breaches,” says Sondra McCauley, assistant inspector general for IT audits. The crux of the problem, says Chief Information Security Officer Ariel Silverstone, CIPT, is that “it appears that no one functionary, even at the assistant commandant level, is responsible for privacy.” Suggested improvements range from increasing communication between HIPAA representatives and the USCG privacy officer to establishing “milestones to ensure the Coast Guard has contingency plans to safeguard privacy in the event of a disaster or emergency.” [Gov Info Security] [10 tips for creating a cybersecurity program]

US – $19 Million Breach Settlement Terminated

A $19 million settlement between Target and MasterCard has been terminated. The deal was originally announced in April and would have provided compensation to banks and credit unions that sued over Target’s breach, but the settlement fell through because not enough banks accepted the deal. In their suit, lawyers argued that the deal with MasterCard “was an attempt to undercut their claims for damages,” the report states. Plaintiffs’ lawyers said, “We are pleased that financial institutions have resoundingly rejected Target and MasterCard’s attempt to avoid fully reimbursing the losses suffered during one of the largest data breaches in U.S. history.” [Reuters]

CA – Privacy Commissioner Calls for Prosecution of Third Snooping Case

New figures show health privacy breaches are on the rise in Ontario as Brian Beamish recommends prosecuting another incident. This week, the privacy commissioner’s office released its 2014 annual report, showing that 439 health privacy breaches were reported last year, up from 407 the previous year. But, because Ontario does not have a mandatory reporting requirement like that of most other jurisdictions in Canada, hospitals are not obliged to notify the commissioner of privacy breaches. That means those figures represent just the tip of the iceberg, Beamish has previously told the Star. [Source] See also: [The Star: Is enough being done to stop your health information from going public?]

CA – Ontario Privacy Commissioner Releases Annual Report

In his first annual report since becoming Commissioner, Brian Beamish expressed support for the adoption of new tools and offered assistance to Ontario institutions to ensure privacy protection and compliance with the law. In Charting a Course for the Future, the Commissioner examines the use of new technologies in programs being implemented across the province, such as electronic health records and body-worn cameras. He also recognizes the enormous possibilities and benefits of Open Government. The Commissioner offers three recommendations for the government to enhance the privacy of personal information and enable the public to access more government-held information. [Source]

US – Most Companies Take Over 6 Months to Detect Data Breaches

New research suggests the average financial or commercial business faces multiple attacks per month, and that it takes months for data breaches to be detected. According to a survey of 844 IT and IT security practitioners in the financial sector across the US and 14 countries within the EMEA region and 675 IT professionals in the same countries within the retail sector, both industries are struggling to cope with today’s threat landscape. Once a data breach occurs, it takes an average of 98 days for financial services companies to detect intrusion on their networks and 197 days in retail. [ZDNet] [Which States Have a Data Breach Notification Law?]

US – Study: Criminals Find Gold Mine in Easy-To-Access Healthcare Data

Criminals have set their sights on the information-rich healthcare sector, according to findings of the recently released Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data by the Ponemon Institute. According to the FBI, criminals are targeting the healthcare sector because individuals’ personal information, credit information and protected health information (PHI) are accessible in one place, which translates into a high return when monetized and sold. In fact, PHI records can fetch up to $60 to $70 each, as opposed to about $5 for credit cards. The Ponemon study found criminal attacks are up 125% in the last five years and the new leading cause of healthcare data breaches. This represents a major shift of data breach causes from accidental to intentional as criminals increasingly target and exploit healthcare data—particularly medical files and billing and insurance records. [Source]

US – Medical Center Rethinking Privacy Policies

After a University of Rochester Medical Center (URMC) nurse practitioner transferred to a new facility and took a list of URMC patients to her new employer without their consent, the center is reviewing its privacy policies. URMC CEO Mark Taubman acknowledges that the move was a breach of HIPAA and that reform is in order. “This is a wake-up call. This is a slap in the face saying, hey, there is a system problem here,” he said. “Sometimes you just don’t see these things until you get burned.” The nurse practitioner requested the list citing a desire to use the data as a way to “ensure continuity of care,” the report states. [The Democrat and Chronicle]

Horror Stories

US – Dating Site Hackers Expose Details of Millions of Users

Adult FriendFinder’s 3.9 million users’ sexual preferences and personal details were compromised after a hacker posted stolen data. Details of users’ sexual preferences – including whether they are gay or straight, and whether they are seeking extramarital affairs – have been compromised, along with email addresses, usernames, dates of birth, postcodes and the unique internet addresses of users’ computers. The dating site bills itself as a “thriving sex community” where users can share sensitive sexual information. [The Guardian] See also: [After Breach, Experts Question Security of Dating Sites] [San Bernardino: Thousands of people’s credit card info found on computers]

US – Mobile Spy Software Maker mSpy Hacked, Customer Data Leaked

mSpy, a company that sells software that people can use to spy on others, has admitted that attackers broke into its systems and stole data. mSpy had initially denied allegations that its systems were breached. The company says that the breach affects 80,000 customers, not the 400,000 reported in earlier stories. A Tor-based site hosts several hundred gigabytes worth of data taken from mobile devices running mSpy’s products, including some four million events logged by the software. The message left by the unknown hackers who’ve claimed responsibility for this intrusion suggests that the data dump includes information on more than 400,000 users, including Apple IDs and passwords, tracking data, and payment details on some 145,000 successful transactions. [Krebs] [BBC] [More Evidence of mSpy Apathy Over Breach]

US – CareFirst BlueCross BlueShield Breach

CareFirst BlueCross BlueShield has acknowledged that an attack on one of its databases compromised the personally identifiable information of 1.1 million customers. The attack resembles those perpetrated on Anthem and Premera. The affected data include names, birth dates, email addresses, and insurance identification numbers. [Krebs] [ComputerWorld] [DarkReading] See also: [City of Oshawa reports privacy breach after 1,000 rec user e-mail addresses released] In Newfoundland and Labrador, a mailing error has led to a breach, and a fax error sent patient lab results to a business owner rather than to doctors. In Alberta, Calgary police had notebooks stolen from an off-duty vehicle and are now “notifying up to 400 people that their privacy may have been breached.” The Star reports on concerns in Ontario that the regulator for Ontario nurses “does not automatically alert police or Ontario’s privacy commissioner when it becomes aware of cases where nurses may have snooped into patient files.” [Full Story]

Identity Issues

WW – Microsoft Unveils Lockbox-Style Technology

Microsoft’s research arm has announced a new technology that aims to protect cloud workloads. Last year, Microsoft announced its lockbox approach to safeguarding cloud data, which puts the customers in complete control of their data and requires consent before even Microsoft administrators can access it. The newly revealed Verifiable Confidential Cloud Computing technology takes a similar approach. [eWeek]

WW – Dropbox Certifies Under ISO Standard

Dropbox has announced it has achieved certification for ISO 27018. “We saw an opportunity to lead in this space and demonstrate our commitment to user trust,” said Patrick Heim, head of trust and security at Dropbox. See also: [UK porn industry preps for mandatory ID checks]

AU – Metadata is Personal Information, Says Privacy Commissioner

The Privacy Commissioner decided that Grubb’s network data was personal information. Under the Privacy Act … First, Grubb’s network data provided information about Grubb, because the data could be linked with other data held by Telstra’s networks and records to establish what websites he had visited, which was information about Grubb. Second, the Commissioner decided that Grubb’s identity could be reasonably ascertained from network data. By itself, network data such as cell tower location information or IP addresses contained nothing about Grubb’s identity. [Mondaq]

Internet / WWW

WW – IoT-Connected Toy Patents Generate “Creepy” Tag

A newly published patent detailing plans by Google for Internet-connected toys has generated concerns. Such products would act as an “anthropomorphic device” in the form of a “doll or toy that resembles a human, an animal, a mythical creature or an inanimate object,” the patent states. One would be a teddy bear that could control Internet-of-Things devices within the home through voice command or gestures. A spokesperson for Big Brother Watch described “the creepiness of the product for families,” adding, “Children’s toys should enable children to play in private and not be watched. It’s important that privacy and security by design is taken into consideration and is not an afterthought particularly when dealing with children.” [CNBC]

WW – Letter to Zuckerberg Critiques Internet.org

In an open letter to Facebook CEO Mark Zuckerberg, detractors of Internet.org, a program that aims to be a free, basic Internet provider for third-world countries, cite concerns about privacy and a basic ideology that contravenes net neutrality, among others. “It is our belief that Facebook is … building a walled garden in which the world’s poorest people will only be able to access a limited set of insecure websites and services,” they write. The letter comes on the heels of an early release of Internet.org. “We and our critics share a common vision of helping more people gain access to the broadest possible range of experiences and services on the internet,” an Internet.org spokesperson said in response to the letter. [Mashable]

WW – Global Privacy Sweep Focusing on Children

The Global Privacy Enforcement Network plans to focus its 2015 international privacy sweep on the proliferation of websites and mobile applications targeted at children. The sweep involves 29 data protection authorities in 20 countries. “Children are more connected than ever before, and these platforms must bear that in mind when seeking potentially sensitive data such as name, location or e-mail address,” said Canadian Privacy Commissioner Daniel Therrien. “This is about protecting children. I can’t think of anything more important than that.” The sweep will assess whether the apps and websites examined collect personal information from children and the controls in place to limit that collection. [Source]

CA – Chartered Accountants Release Updated Privacy Toolkit

The Chartered Professional Accountants of Canada has published the second edition of The Canadian Privacy and Data Security Toolkit.

Law Enforcement

US – Advocacy Groups Release Law Enforcement Guidelines

A coalition of civil rights and privacy advocacy groups has released a set of guidelines urging lawmakers and law enforcement to curb the use of facial-recognition software and prohibit officers from viewing body-cam videos prior to filing their police reports. The groups also call for the video footage to be made publicly available and not under sole control of law enforcement. Meanwhile, [CNN] See also: [Richmond Hill family traumatized by police raid on their home after falling victim to ‘swatting’ prank]

CA – Police Background Checks No Longer Include Mental Health Incidents

In a step forward for mental health rights, the Toronto Police Service will no longer release records of non-criminal mental health encounters with police — including suicide attempts or other psychological crises — to employers and community groups requesting background checks on potential employees or volunteers. Effective this week, the Toronto police force joins law enforcement agencies across Ontario and Canada halting a practice that civil rights and mental health groups have long been decrying as discrimination affecting a growing number of Canadians. Rights organizations including the Canadian Civil Liberties Association, the Ontario Human Rights Commission and the Information and Privacy Commissioner of Ontario have increasingly been sounding the alarm that Canadians with a history of mental illness — or even a single mental health episode that provoked a police response — have lost employment and volunteer opportunities due to the release of non-conviction mental health records. In a May 20 memo sent to community organizations working with children or vulnerable people, Toronto police announced that effective this week, groups making background checks under the “Vulnerable Sector Screening Program” will no longer receive information about mental health-related contact with police. Prior to the change, Toronto police released mental-health information when asked for it by groups hiring for positions ranging from teaching to coaching to volunteering and more. [The Toronto Star]

US – Obama Calls for Restricting Military Gear to Local Police

In an effort to improve relations between police and communities, the White House has announced new standards for federal programs in the aftermath of the Ferguson protests. Mr. Obama said police use of such equipment can send the wrong message by intimidating and alienating local residents. [WSJ]

US – Even the FBI Has Concerns About License Plate Readers

Newly released documents obtained by the ACLU indicate a debate within the FBI over the legality of collecting license plate data. A heavily redacted e-mail written by a senior vice president at Elsag North America, a major producer of the devices, indicates that the Office of General Counsel—or OGC, an internal legal advisory division within the FBI—“is still wrestling with [license plate recognition] privacy issues.” The executive notes that the FBI at that time had “stopped [the bureau’s] purchase” of the cameras “based on advice from the OGC.” [Bloomberg] Wired reports that the FBI’s Office of General Counsel has raised concerns, internally, about the agency’s use of automatic license plate readers (ALPRs). The ACLU’s Speech, Privacy and Technology Project notes in a blog post that ALPRs “are a sophisticated way of tracking drivers’ locations, and when their data is aggregated over time, they can paint detailed pictures of people’s lives.” [Questions Remain About How To Use Data From License Plate Scanners] [License-Plate Scanners On the Rise]

Location

US – Package-Tracking Leads to a Dealer’s Home Address

A federal drug case “has shed new light on how the USPS law enforcement unit uses something as simple as IP logs on the postal tracking website to investigate crimes.” In the Massachusetts case, which is ongoing, a suspected drug dealer “was found out simply by the digital trail he left on the USPS’ Track n’ Confirm website,” the report states, citing a court affidavit. The USPS’s Stephen Dowd wrote, “The USPS database reflected that an individual using a computer or other device with IP address 75.67.6.214 accessed the USPS Track ‘n Confirm website to track the progress of both the Florida Parcel and Bates Parcel #1.” [Ars Technica]

Offshore

AU – Australian Government Quietly Expands Access to Retained Data

The Department of Immigration and Border Protection has been granted the power to access the telecommunications data of all Australians after the government quietly amended legislation it passed just two months ago. Under the mandatory data-retention legislation, only a select number of government agencies can access the stored call records, assigned IP addresses, location information, and other telecommunications data for the purposes of investigating breaches of the law. When the Australian Labor Party announced that it would side with the government and pass mandatory data-retention legislation in March, the support came with a number of amendments to the legislation, designed to increase oversight and improve accountability over government access to the stored data. One of the accountability measures was to require the parliament to approve the addition of any new agencies to be allowed access to the stored data. The original legislation only required the attorney-general to add the agencies through regulation. Less than two months after the passage of the Bill, however, another agency has been quietly added to the list: Immigration and Border Protection. The amendment came in the Customs and Other Legislation Amendment (Australian Border Force) Bill 2015, passed by the Australian parliament as part of the overall Australian Border Force legislation to create a “single front-line operational border control and enforcement entity” in the department. The amendment was slammed by Greens communications spokesperson Scott Ludlam, who stated that it would be used by the agency to track down leaks of information from Australia’s offshore detention centres to journalists. “This is the first instance of scope creep. It gives me absolutely no pleasure to say ‘we told you so’, but we did; we said at the time of the data-retention debate that the Bill has scope creep written into it.” Ludlam said that the Bill side-stepped the approval of the Parliamentary Joint Committee of Intelligence and Security to get added to the list of approved agencies. [Source]

WW – Free Tool Reveals Mobile Apps Sending Unencrypted Data

A surprising amount of mobile data still crosses the Internet unencrypted, and a new free app is designed to show users what isn’t protected. The program, called Datapp, comes from the University of New Haven’s Cyber Forensics Research and Education Group (UNHcFREG), which last year showed popular Android applications such as Instagram, Grindr and OkCupid failed to safely store or transmit data. The reaction to that study prompted the group to create an application where people could test for themselves which applications don’t encrypt data and exactly what is exposed, said Ibrahim Baggili, UNHcFREG’s director. There are many security tools that can collect wireless data traffic, but they’re usually designed for people with some technical background. Datapp is essentially a traffic “sniffer,” along the lines of network traffic analysis tool Wireshark, but much simpler. [Source]

Online Privacy

US – FTC: “Enhancing Permissions Through Contextual Integrity”

In a new blog post, the FTC Division of Privacy and Identity Protection’s Nithan Sannappa writes that “improving the usability and efficacy of permission systems remain important challenges to address.” Sannappa examines how “mobile operating systems can help users make informed decisions regarding access requests and minimize information flows that defy user expectations.” [blog]

US – FTC Launches Workshop Paper on the Sharing Economy

The FTC has unveiled the agenda for next month’s workshop on The Sharing Economy: Issues Facing Platforms, Participants and Regulators, which will include panels focusing on market design and structure, trust mechanisms and the interplay between competition, consumer protection and regulation for both industry and policy. In other FTC news, Commissioner Joshua Wright expressed harsh words for the agency during a speech, saying recent Internet-of-Things and data-broker reports chose a more “anecdotal approach” over an “evidence-based” one.

WW – Parents Upload 973 Child Photos on Social Media by Age 5: Study

According to the research, carried out by online safety site The Parent Zone on behalf of safety campaign knowthenet, on average 973 photos are posted online by parents before their children turn five, despite 17% of parents admitting they had never checked their Facebook privacy settings. The research also claimed that almost half (46%) had only checked their settings once or twice, despite Facebook being the most common platform for photo-sharing. The campaign claims parents are running the risk of over-sharing and creating a digital footprint their child has no control over. The knowthenet campaign is being run by internet registry site Nominet, whose chief executive Russell Haworth said: ‘We all love to share those precious moments in our children’s lives with friends and family and sites like Facebook have made it easier than ever. [Daily Mail]

WW – Mozilla Moves to Browsing-Based Ad Tiles

Mozilla has launched a new program that aims to serve advertisements based on users’ browsing histories while also protecting their privacy. The “Suggested Tiles” program will allow an advertising service to see browsing histories to figure out users’ interests by comparing them to sets of URLs that align with certain categories. “With Suggested Tiles, we want to show the world that it is possible to do relevant advertising and content recommendations while still respecting users’ privacy and giving them control over their data,” said Mozilla VP of Content Services Darren Herman. The company also said it will not build user profiles and will not use cookies or other tracking tools. [TechCrunch]

WW – Browser’s Beta Version Features Increased Privacy

Following the release of its experimental browser last year, Russia’s Yandex has added a suite of new privacy-centric features. The company has switched the software from an alpha to a beta version and has made it the default for international users. In Russia, the browser will remain the experimental alternative to its older browser, but in international markets, users will have the option of private browsing, in part so the company can compete with Google, according to a Yandex spokesperson. Following the alpha release, increased privacy was one of the most requested improvements from users, especially those in Germany, Canada and the U.S. [TechCrunch] See also [Texas: High School Forces Student to Remove Online Photos Under Threat of Suspension] and [Photographer Snaps 100K Pictures in Front of One Shop]

WW – Google’s Internet-Connected Toys Patent Sparks Privacy Concerns

Google’s recently published patent for Internet-connected toys, which have microphones, cameras, speakers and motors, has sparked privacy concerns; the ‘creepy’ anthropomorphic devices might look like a doll or teddy bear, but some people believe they belong ‘in a horror film’ and have visions of an IoT version of Chucky. According to a recently published paper, “Treading Beyond the Iota of Fear: eDiscovery of the Internet of Things,” Google didn’t buy Nest “because the smartphone controlled thermostat was cool;” the company knows a great deal “about its users from scanning Gmail accounts and now it will know when individuals are statistically likely to leave their house.” And “by connecting multiple communication devices into a single automated ecosystem, one can create not only a very accurate data map about a person’s past and recent activity, but also dispense a sensory device – robotic or otherwise – to cater to the person’s anticipatory needs. But will you have control over your personal data map?” That paper discusses the legal eDiscovery aspects of the Internet of Things, looking forward to a time when your IoT devices and their data can be used against you in court. [ComputerWorld] [WW – How Google Now Avoids “Creepy,” Apple Aims To Compete]

Other Jurisdictions

SK – South Korea Mandates Spyware on Teens’ Phones

Korea Communications Commission, which has sweeping powers covering the telecommunications industry, passed a law mandating spyware on the mobile phones of anybody under the age of 18. Unlike countries with similar laws, such as Japan, parents can’t opt out, regardless of any (well-founded) privacy concerns. Not only is there no opt-out, but the law actually stipulates that mobile phone providers nag parents on a monthly basis until they comply. [NakedSecurity] [Prying parental eyes: Phone monitoring apps flourish in S. Korea, new rule orders installation]

WW – Other News

Privacy (US)

US – Markey Wants Info on Law Enforcement Data Requests

Sen. Edward Markey (D-MA) has sent letters to the seven major wireless carriers in the U.S., seeking information on the number of law enforcement requests each received in 2013 and 2014, according to a press release. Additionally, Markey wants to know what type of user data law enforcement has been requesting. “America is in the middle of an historic national debate about the legal, constitutional and privacy implications of the mass collection of our telephone information,” he said, adding, “As mobile phones have become 21st-century wallets, personal assistants and navigation devices—tracking each click we make and step we take—we need to know what information is being shared with law enforcement.” [Full Story]

US – Inspector General: DoJ, FBI Took 7 Years to Adopt Privacy Rules

A report from the Department of Justice (DoJ) Office of the Inspector General has revealed that for seven years, the DoJ and the FBI “failed to implement a provision requiring it to create privacy rules for use of an intelligence-gathering tool authorized by the USA PATRIOT Act.” Instead of adopting “minimization” procedures to protect privacy, the DoJ “adopted interim rules,” which the inspector general said “failed to provide FBI agents with specific guidance” on how long to keep “non-public” information about Americans. [WashPost]

US – UC Santa Cruz Announces Plans for Research Center

Lise Getoor, UC Santa Cruz’s Baskin School of Engineering’s associate dean of research, unveiled her plans for Data, Discovery and Decisions, a “data-driven discovery and decision-making” center for research that will also function as a “forum for researchers in the industry,” the university has announced. “The focus will be on the iterative process of going from data to discovery to decisions, which produces additional data that can be fed back into the process,” Getoor said. “We plan to focus especially on structured and heterogeneous data, such as the data generated by the Internet of Things, or any setting where you want to integrate disparate data from a variety of different sources,” she continued. [Full Story]

US – FTC: Companies That Self-Report Looked on More Favorably

The FTC advised companies in a blog post Wednesday that it looks positively on cooperation when conducting investigations into data security breaches. A company that reported a breach on its own and cooperated with law enforcement would be looked on “more favorably” than one that had not, the agency said. “In our eyes, a company that has reported a breach to the appropriate law enforcers and cooperated with them has taken an important step to reduce the harm from the breach,” said Mark Eichorn, assistant director for privacy and identity protection. The post described what companies can expect when the FTC comes to investigate. [The Hill]

US – Settlement Reached: RadioShack Must Destroy Customer Data

A “coalition of 38 states” prevailed in ensuring that the newly bought-out RadioShack will not sell the greater part of its collection of customer data—including credit card information, Social Security numbers and phone numbers—but by mandate must destroy it. Texas Attorney General Ken Paxton was pleased with the ruling. “This settlement is a victory for consumer privacy nationwide,” he said. “The fact that 38 states joined together in this case reflects a growing understanding of the importance of safeguarding customer information, and we are pleased that General Wireless (the corporation that bought RadioShack) will continue to be bound by RadioShack’s existing privacy policy.” [Your Houston News] [Texas: Paxton announces agreement to protect consumer privacy in Radio Shack case] [Settlement Agreement] [Computerworld: FTC Weighs In on RadioShack Sale]

US – For Bankrupt Companies, Selling Customer Data Is Lucrative—and Risky

The FTC deems bankruptcy an exception to its prohibition on the selling of data, making said information a potential source of revenue—and liability—for dying companies. The idea is to balance a consumer’s privacy rights with the best interests of a debtor’s estate and its creditors in a bankruptcy proceeding, the report states, citing comments by the FTC’s Jamie Hine. Referencing comments by MIT’s Barbara Wixon, the report points out, “CIOs must remember their legal responsibility to keep privacy promises even while carrying out their responsibility to the business to maximize the value of corporate data.” [The Wall Street Journal]

US – Yahoo Loses Bid to Block Class-Action Suit

Yahoo has lost a bid to block a lawsuit filed on behalf of millions of Internet users that alleges wiretapping violations in the company’s scanning of email. U.S. District Judge Lucy Koh has granted class-action status to nonsubscribers of the email service “who claim the company mines data from their messaging for advertising purposes,” the report states. Last year, Koh refused to let a similar complaint against Google advance as a class-action. In the Yahoo case, Koh said the plaintiffs established a “real and immediate threat of repeated injury.” Yahoo has not commented on the ruling. [BloombergBusiness]

US – Uber Ups the Privacy Ante with New Hires

Sabrina Ross, formerly of Apple, is joining Uber’s privacy team in the midst of the company’s initiative to improve its privacy processes. “At Uber, she’ll specifically work on privacy aspects of regulatory and policy issues. She’ll also be reviewing the privacy practices of Uber’s partnerships with companies like Spotify, Starwood and American Express.” Ross will be joining the likes of Chief Security Officer Joe Sullivan and Managing Counsel Katherine Tassi, who previously served as Facebook’s head of data protection. The focus on privacy has, according to an Uber report, resulted in improvements. “Uber has dedicated significantly more resources to privacy than we have observed of other companies of its age, sector and size,” the review said. [Re/Code]

US – NAI Releases New Privacy Guidelines for Ad Technology

The Network Advertising Initiative (NAI) has released new guidelines for member companies that use non-cookie tracking technologies such as digital fingerprinting. Additionally, the NAI says members must also instruct their publishing partners—such as operators of websites where data is collected—to notify users about non-cookie tracking technology, the report states, and the NAI is currently developing an opt-out mechanism that will not rely on setting third-party cookies. Meanwhile, Adblock Plus has launched a browser for Android mobile devices, and a column for ZDNet defends the use of so-called ad-blocking technology. [MediaPost]

Interest-based advertising (IBA), also commonly referred to as online behavioral advertising, is online advertising tailored to consumers’ interests by companies promoting their products or services. It is accomplished by collecting consumer data across multiple web domains owned or operated by different entities, amassing consumer profiles, and then customizing ads based on the consumers’ interests and web usage patterns using cookie-based and non-cookie-based technology. The NAI Code requires notice and choice with respect to IBA and imposes certain restrictions on members’ collection, use and transfer of data used for IBA. … The Guidance makes it very clear that “before a member may use non-cookie technology for IBA, the member must ensure that the requirements set forth in the Guidance have been adequately satisfied.” Although the Guidance is effective as of its publication on May 18, NAI members will have a grace period to implement policies and procedures to comply with the Guidance. [Source]

US – Tech Companies Urge Obama to Protect User Data

Major tech companies including Apple and Google and leading cryptologists are urging President Barack Obama to reject any government proposal that alters the security of smartphones and other communications devices so law enforcement can view decrypted data. A coalition of more than 140 tech companies, technologists and civil society groups sent a letter Tuesday to the White House asking it to protect privacy as it considers law enforcement’s need to access data that is increasingly encrypted, the report states. “Strong encryption is the cornerstone of the modern information economy’s security,” the letter said. Law enforcement, meanwhile, has been warning about threats to public safety if it can’t access data. [WashPost]

US – FTC Settlement Highlights Risks of Publicizing Company Privacy Policies

Although Nomi Technologies, Inc. (“Nomi”) does not provide services to consumers, the majority reasoned that the Commission properly exercised its power to regulate deceptive acts or practices under Section 5 of the FTC Act (“Section 5”) because certain representations in Nomi’s consumer-facing online privacy policy—which Nomi was not required to post in the first place—allegedly turned out to be inaccurate. The decision thus serves as a stark warning to mobile and other companies as they contemplate whether and how to craft privacy policies that are available to the public. [JD Supra] [FTC Acts Less Like Chief Regulator, More Like Editor-In-Chief]

US – Supreme Court Overturns Ban on James Rhodes Autobiography

The judgment is the final step in a legal battle begun by Rhodes’ ex-wife, who applied for an injunction on the grounds that Rhodes’ graphic accounts of sexual abuse he had suffered as a child would cause psychological harm to his son, who has been diagnosed with Asperger’s syndrome, attention deficit hyperactivity disorder, dyspraxia and dysgraphia. … Rhodes’ lawyer, Tamsin Allen of London firm Bindmans, said: ‘In overturning the injunction, the Supreme Court has reaffirmed the fundamental importance of the freedom to speak the truth, even if the truth is brutal or shocking.’ … Robin Shaw, media law specialist at professional services firm Gordon Dadds, said: ‘If the court had prevented the book’s publication, the decision would have been regarded as a huge interference in the right to publish material about oneself and an extension of privacy laws by the back door.’ [Law Gazette]

US – Brookman to FTC: Let Us Decide If We’re Harmed

“Privacy law in the U.S. is weaker than in most places,” writes the Center for Democracy & Technology’s Justin Brookman, adding, “but hey, at least we’ve got Section 5.” Though it’s based on a law now 100 years old, he notes, it also acts as a baseline, of sorts, preventing consumer deception. “Recently, however,” Brookman writes, “even this weak standard has been called into question, by two sitting commissioners of the FTC, no less. Commissioners Maureen Ohlhausen and Joshua Wright have both indicated that the FTC shouldn’t bring deceptive practices cases against companies absent some objective assessment of consumer harm.” Brookman examines this recent development and describes why such an argument is “an extremely dangerous idea.” [Privacy Perspectives]

Privacy Enhancing Technologies (PETs)

WW – Software Firm Introduces Next Generation VoIP Solution

Ring is the next generation of the SFLphone project produced by Canada-based open-source software firm Savoir-faire Linux, aimed at giving users a secure VoIP solution. “Ring uses OpenDHT to connect users instead of a centralized SIP server system such as Asterisk,” the report states, which allows Ring “to bypass the server-client methodology by passing along user information to each other.” There’s a growing need for secure communications and “existing solutions are not secure,” the report states, noting services such as Skype and its competitor WhatsApp received poor scores in the Electronic Frontier Foundation’s Secure Messaging Scorecard. [TechRepublic]

WW – How One Social Network Built In Privacy by Design

In a product review, Think Privacy CEO Alexander Hanff discusses a new social networking site called the Krowd and how it has embraced the principles of Privacy by Design and built them into its services. Distinct from other social sites, Hanff explains, the Krowd runs on local networks where users can create various personas depending on the context of a given social situation. “You can define the Krowd as a dynamic, app-based social network limited to a specific location such as a conference, baseball game or university campus,” Hanff writes. In this post, Hanff describes how this new service works and the potential it could have for users seeking social connection with control. [Privacy Tech]

Remote Identification

WW – App Store Allows Third Parties to Access Driving Data

Automatic is opening an app store so its Bluetooth-enabled car adapter can interact with third parties. The car adapter and accompanying smartphone app allow users to track trips and fuel consumption or locate their parking spots. Now, the Automatic App Gallery will work with Android and iOS, aiming to encourage new apps. “We founded Automatic because we feel that cars weren’t and still aren’t living up to their full potential,” said Automatic Cofounder and CEO Thejo Kote. “They’re basically computers on wheels. They could be doing so much more.” Automatic’s platform uses encrypted and read-only data. [Engadget] see also: [iPhone users’ privacy at risk due to leaky Bluetooth technology]

Security

US – Medical Device Security Guidance for Developers

A paper titled “Building Code for Medical Device Software Security” offers guidance for developers. The purpose of the document “is not to assure that future medical devices can resist every imaginable attack, but rather to establish a consensus among experts … on a reasonable model code for the industry to apply.” [SC Magazine] [CyberSecurity]

WW – Password Security Questions Easy to Guess: Study

Google’s analysis of hundreds of millions of password security questions found that it would be easy for people intent on gaining access to someone’s account to do so. Guesses yielded correct results a surprising amount of the time. Rather than adding more questions, Google recommends that users update their account information with a phone number or secondary email address to help prevent accounts from being taken over. [ABC] [GoogleUserContent] [How loving pizza is compromising your online security]

US – FBI: Data Breaches Up 400%; Workforce Needs to be “Doubled or Tripled”

James Trainor, acting assistant director of the FBI’s Cyber Division, said the agency used to learn about a new, large-scale data breach every two or three weeks. “Now, it is close to every two to three days,” he said. Trainor also said the cybersecurity industry needs to “double or triple” its workforce in order to keep up with hacking threats. [The Hill] See also: [UK: Manchester car park lock hack leads to horn-blare hoo-ha]

US – RIMS Supports ‘Unified Standard’ for Cyber Privacy Breach Notification

As Canadian politicians debate a proposed privacy breach notification law, Risk and Insurance Management Society Inc. (RIMS) said it supports a “unified standard” south of the border: rules mandating notification whenever a data security breach results in an unauthorized release of private personal information. “There are currently 47 different state data breach notification laws in place,” RIMS stated in a press release Tuesday about breach notification rules in the United States. “This has proven onerous for commercial insurance buyers whose organizations operate in multiple states and must comply with several different laws whenever a cyber-breach is experienced.” [Canadian Underwriter]

US – Cyber Security a Growing Concern for Financial Services Companies

Close to 50% of US financial institutions rank cyber security as their number one concern, according to a survey from the Depository Trust & Clearing Corporation (DTCC), topping geo-political risks and new regulations. The DTCC’s Systemic Risk Barometer Study compiled responses from 250 financial market participants. In last year’s report, just 24% of respondents ranked cyber security as their top concern. [SC Magazine] [Most Web sites have serious vulnerabilities, says report]

WW – System Aims to Produce Fake Passwords in Hacked Databases

Researchers have created a data protection system that would make it more difficult for hackers to obtain passwords from leaked databases. In a research paper submitted for consideration at the 2015 Annual Computer Security Applications Conference, the team of researchers unveiled ErsatzPasswords, which misleads hackers using brute force attacks to unlock hashed passwords. Purdue University’s Mohammed Almeshekah said adversaries “will still be able to crack that file; however, the passwords they will get back are fake passwords or decoy passwords.” ErsatzPasswords adds an additional step to passwords when they are encrypted, making it impossible to restore them to the original plain-text form. [CIO]

US – Thieves Steal Funds Through Starbucks Mobile App

Thieves are exploiting a weakness in Starbucks’ mobile app to steal money from users’ bank accounts. The app can be used to pay at the coffee stores’ checkouts with smartphones and can also be set up to draw money from payment accounts to reload gift cards. The attackers have reportedly been breaking into Starbucks accounts to transfer money from bank accounts using the app’s auto-reload function. Thieves need only the username and password to access the accounts. Starbucks says its system has not been breached, but that the attacks are the result of breaches of access credentials elsewhere and affect people who reuse that information on multiple sites. Consumer advocate Bob Sullivan urges users to disable the auto-reload function. [BobSullivan] [SiliconRepublic] [SC Mag] [Krebs]

Smart Cards

US – More FERPA Amendments Proposed; Two New State Laws In Effect

While conversations continue around the Kline-Scott discussion draft to amend the Family Educational Rights and Privacy Act (FERPA), Sen. David Vitter (R-LA) has introduced a new FERPA amendment, and Sens. Edward Markey (D-MA) and Orrin Hatch (R-UT) have reintroduced a 2014 amendment. The Data Quality Campaign (DQC) provides this update on student privacy legislation in the U.S., noting that the Vitter bill “is alarmist in its approach to data and privacy and all but guts state Statewide Longitudinal Data Systems.” Also, get more information on the 178 bills DQC is tracking and two new state laws in Georgia and Maryland. [Privacy Tracker]

Surveillance

US – Gov’t to Vote on NSA Reform; EU Moves Toward More Spying

Sen. Mitch McConnell (R-KY) said he’ll allow a vote on an overhaul of U.S. surveillance programs, meaning the Senate is expected to vote this week on the USA FREEDOM Act, which gives the NSA six months to change its bulk-record collection methods. But, in The Christian Science Monitor, Rachel Brand of the Privacy and Civil Liberties Oversight Board shares concerns over losing Section 215, calling it “an essential investigative tool.” Separately, Bryan Cunningham writes for Politico about the trend toward new spying powers in the EU while the U.S. scales back. And Edward Snowden is the focus of a cover story in The New York Times as disagreements continue over the NSA documents he leaked. “The rest of the documents have been used as a kind of intelligence porn for the rest of the world—’Oooh, look at what NSA is doing,’” former NSA General Counsel Stewart Baker said. [The Hill]

US – Obama and Rand Paul Face Off Over the Patriot Act, Surveillance

Obama called on the Senate to approve a House-passed bill that would change the phone record collection program while renewing less controversial Patriot Act provisions that also expire at the end of the month. The Senate rejected the House bill by three votes last weekend and is on a break until Sunday, just hours before the spying powers are scheduled to expire. …Paul said the House bill supported by Obama, under which the records would be kept by the phone companies instead of the government, doesn’t go far enough to stop the NSA from getting the data. He argued that Obama should be shutting down the bulk collection of phone records. [Source] [NYTimes]

US – Franken Wants Law to Ban Tracking Apps

After hackers posted tracking app mSpy’s “sensitive data”—including text messages and “payment information”—online, Sen. Al Franken (D-MN) is once again urging Congress to pass legislation against such apps. “I believe every American has a fundamental right to privacy, which includes the right to control whether and with whom personal, sensitive information—including location data—is being shared,” Franken wrote. “Such apps not only operate in clear violation of fundamental privacy principles, but the serious danger they pose is well-documented.” The report notes mSpy itself has not yet confirmed the breach. [The Hill]

US – Pranksters Record Conversations to Spoof NSA Spying

Calling it a “pilot program” for the NSA, a group of provocateurs hid tape recorders under tables and benches around New York City to record random conversations and then published them on their website, wearealwayslistening.com. A message on the website states, “Eavesdropping on the population has revealed many saying, ‘I’m not doing anything wrong so who cares if the NSA tracks what I say and do?’ … We’ve started with NYC as a pilot program but hope to roll the initiative out all across The Homeland.” Those whose conversations were recorded had no knowledge they were being surveilled, the report states. [Wired]

US – Police Chiefs Group Offers Drone-Use Policy

Model law enforcement drone guidelines: No weapons, limit deployment, keep them in operator’s sight: Police agencies across the nation are increasingly using drones to improve public safety, but need clear operations policies and limits to win public trust, experts said at a law enforcement conference in San Diego. To that end, a model policy on use of drones – or “small unmanned aircraft systems” – was rolled out by the International Association of Chiefs of Police. The policy, which could be adopted or revised by any law agency, sets out specific procedures for deploying a drone, lists restrictions on its use, details how data would be retained or deleted and how operators should be trained. The International Association of Chiefs of Police set out drone-use guidelines for law agencies in 2012 and a committee spent the next three years developing the model policy. Among the rules:

  • Drone deployment must be authorized by an executive officer or supervisor.
  • Deployments would be to assess the scope of an incident, assist search and rescue, give aerial views for crowd control or temporary perimeter control, to document a crime or accident scene or assist tactical squads.
  • Drones would be used only by trained operators within line-of-sight of the device and other FAA rules.
  • Flight times, locations, missions and operators should be fully documented.
  • Drones should not be equipped with weapons.
  • Data should be downloaded securely and not erased or duplicated without written approval.
  • Agencies should consider notifying the public when the drone is being used. [Source]

US – Drones Boom Raises New Question: Who Owns Your Airspace?

17 states have passed laws to restrict use of craft, but where does private property begin? Many attorneys have cited that 1946 case as a looming dilemma for regulators and the drone industry. They say it poses tough legal questions, such as where does “navigable airspace” begin and the control of property owners end? “We weren’t forced to answer these questions and we absolutely will be now,” said John Villasenor, a public-policy professor at the University of California, Los Angeles. “And I’m quite sure that we collectively don’t have the answers yet.” [WSJ] See also: [The New Jersey Assembly has passed a bill requiring police, in most cases, to get warrants prior to using drones] [The Nevada Senate has passed AB239, which would create regulations for drone use in the state. The bill passed unanimously in the Assembly last month] [South Africa has a new law regulating the use of drones that includes requiring operators to have licenses and prohibiting them from flying drones within 50 meters of crowds] [The South African Civil Aviation Authority plans to introduce new regulations to govern drones; however, Claudia Eisenburg of Norton Rose Fulbright’s Johannesburg office says some of the requirements conflict with potential business applications] and [Here’s a security drone that follows you around (and takes video)] and [UK Criminals Use Drones To Case Burglary Prospects]

Telecom / TV

US – FCC Policy: Broadband Providers Must Adhere to Stricter Privacy Rules

The US Federal Communications Commission (FCC) is notifying Internet providers to let them know that they are now subject to stringent privacy regulations. These regulations follow from the FCC’s net neutrality rules. Broadband providers are subject to the same rules that protect landline phone service customer data. The providers cannot share customer information with other entities without express permission from the customer. [WashPost] [Factory reset memory wipe FAILS in 500 MEELLION Android phones] and [Liquor bottles now can talk to your cellphone]

US – FBI: We do Not Prevent Law Enforcement from Disclosing StingRay Use

The FBI has issued a statement regarding US law enforcement use of cell-site simulators, known colloquially as StingRay, the brand name of a particular device. Several recent lawsuits revealed that the FBI has a non-disclosure agreement with local law enforcement agencies and that in at least one case, local law enforcement was urged to drop a case rather than divulge details about the technology’s use. The recent statement from the FBI says that local law enforcement agencies are not prevented from disclosing their use of StingRays, but that “the FBI’s concern is with protecting the law enforcement sensitive details regarding the tradecraft and capabilities of the device.” [ArsTechnica] [WashPost] [DocumentCloud]

CA – Rampant Telecom Surveillance Conducted With Little Transparency, Oversight

Citizen Lab study finds Canadian governments, telecoms lag other countries when it comes to transparency about surveillance. The report also criticizes the government’s “irresponsibility surrounding accountability” with respect to telecommunications surveillance. It warns that this could endanger the development of Canada’s digital economy and breed cynicism among citizens. “Access to our private communications is incredibly sensitive,” said Christopher Parsons, lead author of the study and a postdoctoral researcher at Citizen Lab, which conducts research on information technology in the context of human rights and global security. The report, funded by the Canadian Internet Registration Authority, showed Canadians recognize this and are very concerned. But despite that, evidence suggests governments and law enforcement have been demanding millions of subscriber records from telecom firms in recent years. [CBC]

US – Broadband Industry Baffled By FCC Guidance

Some in the broadband industry are confused by the FCC’s guidance on privacy rules that broadband providers will be subject to starting next month. “I’m hesitating because we just found it stunningly unhelpful,” said one telecom lawyer. “And, you know, they’re sort of oblivious to the fact that for years now there’s been this ongoing debate and discussion in Washington and throughout the country on what does privacy mean, what are the core (tenets) of privacy,” the lawyer said, adding, “to come out and say, ‘well just do that,’ it’s just laughable.” An FCC representative said the advisory was guidance about the agency’s thinking only and not evidence of a new rule or changes to already published rules. [The Hill]

US Government Programs

US – Rand Paul Speaks 11 Hours Against Patriot Act Renewal

Rand Paul spoke about the bulk collection of data. He spoke about civil forfeiture. He spoke about Section 213 of the Patriot Act, “this whole sneak-and-peek” that allows the government to come into a person’s house. He spoke about criminal justice. And spying. And a 1928 court case. And the Ninth Amendment. Every half-hour or so a new stenographer came over to stand by Paul’s desk, relieving the previous one. Most of all, Paul spoke about how the Patriot Act allows for the collection of bulk surveillance. “We should be in open rebellion, saying enough’s enough,” he said. “Where’s the outrage?” he asked. The chamber was nearly empty, save for a few staffers seated in the back and a security guard standing near the door. Five Senate pages sat on the steps of the dais, looking directly at Paul. One young woman twirled the end of her hair. A young man picked at his cuticles. [WashPost] [Republican presidential nominee Rand Paul attracts odd bedfellows in his talkathon] [NYT: Rand Paul’s Timely Takedown of the Patriot Act] [Rand Paul’s Senate ‘filibuster’: five great points he made about NSA surveillance] [After Rand Paul’s Sort-of Filibuster, What’s Next for Surveillance Reform?] [Rand Paul Speaks 11 Hours Against Patriot Act Renewal] [Patriot Act Phone Snooping Likely To Expire After McConnell Gambit Backfires] [Randstand: Republican Presidential Candidate Leads Bipartisan Opposition to Patriot Act] [Fight in Congress to Preserve NSA’s Metadata Program Comes to Naught] [NSA Surveillance Reform Bill Is A Sham That Violates Our Privacy] [National Journal: DoJ: Some NSA Programs Could Shut Down this Week]

US – Congress Pursues Deal on Phone Data Collection

The Senate left Washington with the government’s surveillance program in disarray after lawmakers mustered only 57 of the 60 votes needed to pass the House bill. The legislation would stop the N.S.A. from using a section of the Patriot Act to justify collecting reams of so-called metadata from phone companies — information that shows virtually every phone call, the numbers called and the times of the calls. Instead, the phone companies would hold those records, accessible to the N.S.A. through a search warrant. …Some leaders of the House Intelligence Committee, along with supporters in the Senate, hope they can assuage the concerns of Senate Republicans by adding a certification process to ensure that telephone companies had developed the technology they needed to store the reams of data that were now gathered by the government. If the technology could not be certified, a longer transition period would kick in. [NY Times] [Obama Weighs Strategy as Data Laws Run Out]

US – Legislators Want PCLOB Strengthened

A bipartisan group of legislators wants to strengthen the Privacy and Civil Liberties Oversight Board (PCLOB). Sens. Ron Wyden (D-OR) and Tom Udall (D-NM) and Reps. Tulsi Gabbard (D-HI) and Trey Gowdy (R-SC) have introduced legislation “to expand the authority of the PCLOB and make its five board seats full-time positions,” the report states, noting that the Strengthening Privacy, Oversight and Transparency Act “would also give the PCLOB the ability to issue subpoenas without having to wait for the Justice Department.” Wyden said, “By giving the board a broader mandate and more authority, Congress can better protect the privacy and civil rights of law-abiding Americans.” [The Hill]

US – Warrantless Laptop Seizure at Borders Shouldn’t Be Rubber-Stamped, Rules Judge

“…The Court finds, under the totality of the unique circumstances of this case, that the imaging and search of the entire contents of Kim’s laptop, aided by specialized forensic software, for a period of unlimited duration and an examination of unlimited scope, for the purpose of gathering evidence in a pre-existing investigation, was supported by so little suspicion of ongoing or imminent criminal activity, and was so invasive of Kim’s privacy and so disconnected from not only the considerations underlying the breadth of the government’s authority to search at the border, but also the border itself, that it was unreasonable. Therefore, the motion to suppress the evidence …. will be granted.” Amy Berman Jackson, Federal judge, US District Court for Washington DC. [NakedSecurity] See also: [Canadian border security: Most travellers aren’t fully screened]

US Legislation

US – Experts Call for Data Collection Regulations

A lack of regulation for the data that products like smart watches and fitness trackers collect could translate into discrimination in the future and experts are calling for regulations, Computerworld reports. Santa Clara University’s Irina Raicu said, “The broader privacy concern is that information collected from various sources is increasingly being combined to create profiles from individual users and draw inferences about their future actions, preferences, etc.” Forrester’s Fatemeh Khatibloo said regulations are needed “to encompass … egregious and discriminatory uses of data.” She added, “It has to be a government role; I don’t think self-regulating trade bodies will do that effectively.” [Full Story]

US – HIPAA Revision Bill Passes Subcommittee

An amended version of the bipartisan 21st Century Cure Bill, which aims to advance medical innovation, has passed its first Congressional hurdle without any revisions to controversial provisions that would make significant changes to the Health Insurance Portability and Accountability Act Privacy Rule. On May 14, the House Energy and Commerce’s health subcommittee “approved a 302-page ‘markup,’ or amended, version of the 21st Century Cure bill,” which would penalize vendors of electronic health records who fail to meet standards for secure information-exchange, the report states. But some are displeased with the bill. David Holtzman of CynergisTek, for example, says the bill could result in “significant administrative hurdles and burdens.” [Gov Info Security]

US – FL Gov Signs “Revenge Porn” Law

Florida Gov. Rick Scott has signed legislation that makes posting “revenge porn” online a crime. Florida now joins another 16 U.S. states with similar laws. The “sexual cyberharassment” bill takes effect October 1, the report states, and “makes it a misdemeanor punishable by up to a year in jail to transmit nude pictures with identifying information about the subject of the images without that person’s consent.” The bill defines “cyberharassment” as distributing such images without consent and with the goal of “causing substantial emotional distress.” Additional offenses would be classified as felonies, the report states, and would carry penalties as high as five years in prison. [Reuters]

US – Student Privacy Bill Introduced; Markey and Hatch Push for FERPA Bill

Sen. David Vitter (R-LA) has introduced his own version of a student privacy bill, adding to the collection of those already drafted. Vitter’s Student Privacy Protection Act aims to give parents control over how their children’s data is released and used. “Parents are right to feel betrayed when schools collect and release information about their kids,” Vitter said in a statement. “This is real, sensitive information—and it doesn’t belong to some bureaucrat in Washington, DC.” Meanwhile, Sens. Ed Markey (D-MA) and Orrin Hatch (R-UT) wrote an op-ed on why their school privacy bill is essential to children’s safety in the Digital Age. [The Hill] See also: [ON: Bishop Horden residential school survivors fight Ottawa in court]

US – Other US Legislative News

Workplace Privacy

CA – Employee Tracking Apps Raise Worker Privacy Questions

Privacy issues with employer tracking devices are increasingly coming to the fore, says David Fraser, partner at McInnes Cooper and a privacy law expert. …Canada’s privacy laws afford employers the right to monitor their workforce under certain circumstances, says Kirsten Thompson, the co-lead of McCarthy Tétrault law firm’s national cyber security, privacy and data protection group. …When companies decide to use such technology, they must have consent from their employees, who must understand what is being tracked and for what reason, she says. All companies should have a clear, easily available privacy policy that outlines their justification. …A company could argue that what its employees do outside of work can negatively impact their reputation, says Fraser. Employees would have to be aware that the monitoring is taking place beyond their shift, he says, and that the information gathered could be used to discipline them. Still, Fraser speculates that if a case similar to the Arias one appeared in Canada, the company would be told to “knock it off.” [CBC] [Vital to balance employee privacy with security: BC Commissioner] and [Employer is not vicariously liable for a rogue employee’s privacy breach]

+++

01-15 May 2015

Biometrics

US – NSA Converts Spoken Words into Searchable Text

Experts in speech recognition say that in the last decade or so, the pace of technological improvement has been explosive. As information storage became cheaper and more efficient, technology companies were able to store massive amounts of voice data on their servers, allowing them to continually update and improve the models. Enormous processors, tuned as “deep neural networks” that detect patterns like human brains do, produce much cleaner transcripts. And the Snowden documents show that the same kinds of leaps forward seen in commercial speech-to-text products have also been happening in secret at the NSA, fueled by the agency’s singular access to astronomical processing power and its own vast data archives. [Intercept] [FirstLook: Speech Recognition is NSA’s Best-Kept Open Secret]

US – Professor Invents Long-Range Iris Scanner

A Carnegie Mellon engineering professor says he has invented a long-range iris scanner to help police identify potential suspects before approaching them in cars. Prof. Marios Savvides says it is first-of-its-kind technology. “Fingerprints, they require you to touch something,” he said, adding, “Iris, we capture it at a distance, so we’re making the whole user experience much less intrusive, much more comfortable.” The technology works at distances between six and 12 meters and could replace government IDs at places such as airports, the report states. Savvides said people are already being tracked every day, and that “if someone really wanted to know what you were doing every moment of the day, they don’t need facial recognition or iris recognition to do that.” [The Atlantic]

WW – Your Poop Is the Latest Privacy Threat

Microbe populations on the skin and in the mouth tend to fluctuate over time, so their genetic signatures don’t stay the same. That’s partially because the skin and mouth are exposed, so they constantly pick up new microbes from other people or from the environment. It’s also because relatively few species live in these areas, so there’s not a lot of diversity to contribute to a really unique signature. But the same isn’t true of intestinal bacteria, researchers found. They were able to match the genetic signature of gut bacteria in stool samples to their owners 86 percent of the time, even including some people who had taken antibiotics in the interim. Over 500 species of bacteria live in the large intestine, and some of them are strains which are actually unique to each person. They’re pretty isolated from the outside environment, too, which means their genetic signature is more unique and less prone to change. [Source]

Big Data

US – FTC, CFPB to Keep Pressure on Big Data Firms

Officials from the FTC and the Consumer Financial Protection Bureau (CFPB) vowed to keep pressure on organizations handling personal data. The FTC’s Jessica Rich said, “One of the big messages that we want to send to businesses … is that there are indeed laws currently on the books that apply” to big data, while the CFPB’s Peggy Twohig said the agency has conducted “significant research” on consumer reporting. The FTC plans to release a report on discriminatory uses of data. [Law360]

UK – ‘Big Data’ Processing Justified on ‘Legitimate Interests’ Grounds: ICO

Businesses do not always need consumers’ consent to process their personal data contained in ‘big data’ sets, the Information Commissioner’s Office (ICO) has said. …businesses can rely on the so-called ‘legitimate interests’ ground to process personal data too. Businesses can rely on this provision providing their interests in processing personal data do not unduly prejudice the rights and freedoms of individuals. In the big data guidance it issued last July, the ICO said businesses must process personal data fairly and in a transparent manner when undertaking big data initiatives. The guidance explained the extent to which businesses can rely on consent previously given by consumers to the processing of their personal data when they identify a new use for the data. [Source] [Chief Data Officer: Insight Into A Crucial Role for The Exabyte Age]

WW – The Philosophy of Privacy: Why Surveillance Reduces Us to Objects

Using the internet can be seen as a trade-off: privacy for freedom. But the insidious and widespread invasion of that privacy by a security state is something different altogether. Partly for this reason, writers like Jeremy Rifkin have been saying that information privacy is a worn-out idea. On this view, the “internet of things” exposes the value of privacy for what it is: an idiosyncrasy of the industrial age. So no wonder, the thought goes, we are willing to trade it away – not only for security, but for the increased freedom that comes with convenience. This argument rings true because in some ways it is true: we do, as a matter of fact, have more freedom because of the internet and its box of wonders. But like a lot of arguments that support the status quo, one catches a whiff of desperate rationalisation about it as well. In point of fact, there is a clear sense in which the increased transparency of our lives is not enhancing freedom but doing exactly the opposite – in ways that are often invisible. [Source]

Canada

CA – Commons Passes Controversial Anti-Terror Bill

The Conservative government’s controversial antiterror legislation is one step closer to becoming law. Bill C-51 passed the House of Commons this week by a vote of 183 to 96 and now heads to the Senate for final passage. The government is expected to give royal assent within weeks, the report states. Bill C-51 has been criticized by privacy experts, including Canada’s privacy commissioner, for its broad information-sharing provisions, and is said to threaten civil liberties. [The Huffington Post Canada]

The bill’s many critics believe it overreaches in two key regards. One is CSIS’s expanded mandate to take “reasonable and proportional” measures to actively disrupt suspected threats to national security at their inchoate “pre-criminal” stage – before the RCMP would typically mount a criminal investigation. The other is the broader sharing of Canadians’ personal information across government and privacy concerns. The bill also underreaches in crucial regards, say opponents. There is no expanded independent, civilian oversight of the newly empowered state security apparatus, which is increasingly intertwined. There is no provision for existing federal watchdogs to share operational information or conduct joint investigations. And attempts to impose three-year sunset clauses on some of the more contentious provisions were rejected by the Conservative majority. [Ottawa Citizen] [Ottawa Citizen: House of Commons Set to Hold Final Vote on Anti-Terror Bill] Canada Poised to Pass Anti-Terror Legislation Despite Widespread Outrage [The Guardian] [Sorry Liberals, ‘Oversight’ Won’t Fix Menace of a Terror Bill]

Bill C-51: They Appear to Know Not What They Have Done: C-51 introduces a new crime of “advocacy” of terrorism offences (“in general”). We think this is a horrible, unnecessary and unconstitutional speech crime. But having insisted on an “advocacy” crime, you’d expect the government to be concerned about how the same word “advocacy” is used elsewhere in the same bill. But by simply dropping the word “lawful”, the new info-sharing Act seems to preclude application of the new information sharing powers in relation to any sort of advocacy, protest or dissent, no matter how criminal or indeed, how violent. And so government officials will now need to spend a lot of time wondering if, e.g., violent conduct really is “protest” or “advocacy” or “dissent”, and whether they can still use the Act in relation to such conduct. Officials will also need to sit around and ask “shall we read the carve-out in the info sharing Act (now reaching both lawful and unlawful “advocacy” or whatever character) as excluding information sharing related to the new ‘advocacy’ crime?” Officials will make it work: basically, they’ll just ignore the incoherence and jam the round peg into the square hole of nonsensical legislative language. And so, to do their jobs, they’ll just have to ignore the law, because (as Shakespeare would say) the law is a total ass. And the Privacy Commissioner, reviewing this work-around, would act very properly in tearing a strip off of these officials. [Source: Craig Forcese]

The Senate Liberals’ leader, James Cowan, told The Huffington Post Canada he hasn’t spoken to Liberal Party Leader Justin Trudeau, who supported the bill in the Commons, but he expects most of the Liberal team in the upper chamber to oppose the bill. …Trudeau kicked all his senators out of the Liberal caucus last year and barred them from organizing for the federal party. Despite the surprise banishment, the 29 senators decided to keep calling themselves Liberals anyway. Cowan said he has always believed the Senate should be more independent, and he hopes Conservative senators might eventually follow suit. [HuffPost] [Globe & Mail: Liberal Senators To Vote Against Anti-Terror Bill Trudeau Supported]

CA – Bill S-4 – Proposed Amendments to PIPEDA

The Office of the Privacy Commissioner (OPC) supported the bill in its June 4, 2014, Submission to the Senate Standing Committee on Transport and Communication, stating that on the whole, the proposed amendments will strengthen the privacy rights of Canadians with respect to their interactions with private sector companies, improve accountability and provide incentives for organizations to comply with the law. In its Feb. 12, 2015, Submission to the Standing Committee on Industry, Science and Technology, the OPC endorsed its June 2014 submission, but provided additional comments in light of the seminal decision of the Supreme Court of Canada in R. v. Spencer. The OPC noted that carrying out a reasonable expectation of privacy analysis under PIPEDA is highly complex and contextual, leaving organizations in a state of uncertainty as to when they may or may not disclose personal information without a warrant. Therefore, the OPC urged the Committee to clarify when the common law policing powers to obtain information without a warrant can be used. [Mondaq]

CA – B.C. Premier Defends Bill 20 Amendments

Andrew Weaver, the B.C. Green Party MLA, said he didn’t support the change. “In fact, I don’t, to be perfectly honest, think that it is anybody’s business apart from the voter and the chief electoral officer to know who or who has not voted. That’s a matter of privacy.” B.C.’s Information and Privacy Commissioner agrees. In a letter released last month, Elizabeth Denham wrote that the amendment extends beyond the objective of increasing voter turnout and expressed the concern that “the proposed amendments would allow for other uses and expand the already broad ability of political parties to collect information about voter participation.” [Source]

CA – Quebec School Officials No Longer Allowed to Strip Search Students

Following the high-profile case of a 15-year-old girl searched at a Quebec City school, a report recommends that only police officers conduct such examinations. Fabienne Bouchard, a former prosecutor and retired lawyer hired to conduct the probe, wrote that a school that has serious grounds to believe a student is involved in drug trafficking should call police instead of carrying out the search itself. “The recommendations are clear and the investigation was necessary to clarify the practice and to clarify the law around the practice,” Education Minister François Blais said. He added that schools and police will need to co-operate in the coming weeks to find a solution on how they should deal with drug trafficking. [Star]

CA – CASL Reduces Spam Received By Americans, But Not Canadians: Report

The unusual findings may be due to the cross-border nature of the spam industry in North America. According to Cloudmark, most spam email originating in Canada (78%) is bound for the U.S., and most of the spam Canadians receive (53%) comes from the U.S. Since CASL, spam outbound from Canada has dropped dramatically. However, while email received in Canada overall has dropped by 29%, much of that was due to a sharp decline in legitimate email. The average percentage of email received by Canadians that is spam actually increased from 16.5% to 16.6%. According to Cloudmark, the stricter requirements for consent for marketing emails under CASL are behind the drop in legitimate email volume. [Source]

CA – CRA Can Now Share Tax Filings With 16 Government Agencies

Until now, the CRA has only had permission to share this information with three other agencies (CSIS, RCMP and FINTRAC) and only under very specific conditions. That list has grown to 16 in total and now includes Canada Border Services, the Canadian Armed Forces and Citizenship and Immigration among others. The more people that have access to taxpayer information under Bill C-51, the higher the risk of leaks, hacks and other foul play, according to Avner Levin, the director of Ryerson University’s Privacy Institute. The change in legislation is “unprecedented,” he says. “It’s snooping and meddling of the worst kind.” [MoneySense]

CA – Canada Joins Global Sweep of Kids’ Online Privacy

Investigators will be looking at whether apps and sites gather personal information on kids, and if they do, whether that information is limited to what’s necessary (to create an account, for example). They will also examine whether the apps and sites prompt users to involve a parent or guardian in any registration process; and whether they take measures to make privacy policies understandable to kids. That means not just using simple language, but also using graphics or even animated characters to guide them through the information and to encourage parental involvement. The sweep, which began Monday and runs through

CA – Sask. Privacy Commissioner Investigates Government Information Leak

The executive council, Saskatoon Health Region, Oliver Lodge and the Ministry of Health are all under investigation after a care aide’s personnel documents were released to the media. Bowden said the province’s release of the information to the media was an attempt to silence him. He also wants to know why details of the allegations against him were released from SHR to the provincial government and then the media before him. He said he received word of his suspension on April 16 but did not get a comprehensive list detailing the accusations against him until April 24, four days after Young sent the email to media. Bowden filed a complaint with the Office of the Information and Privacy Commissioner (OIPC) because he said his privacy was violated when the details of his personnel file were emailed to reporters. The OIPC will make the final decision. The commissioner will investigate the executive council, Saskatoon Health Region, Oliver Lodge and the Ministry of Health. [Source] [Star Phoenix: Sask Privacy Commissioner Probes Premier’s Office]

CA – Manitoba Court Rules Family of Man Who Died During ER Wait Can Sue

Vilko Zbogar, one of the family’s lawyers, said the ruling has important implications for the evolution of charter law, as well as the family’s pursuit of justice. “This is absolutely a landmark ruling on charter interpretation and on privacy rights,” he said. …The Appeal Court also restored the family’s right to sue the Winnipeg Regional Health Authority for disclosing private health information about Sinclair after his death. [The Record]

CA – Impaired Driving Trial Hears Arguments on Whether Police Violated Privacy Rights

Defence lawyer Pierre Joyal argued that a hospital emergency room is a space where citizens have a certain expectation of privacy, and that police had no reason or right to be standing so close to Snider’s medical team when they overheard privileged information. Even if they did overhear it, he said, it should never have been used to start gathering evidence against his client. “The expression is ‘what happens in Vegas stays in Vegas.’ Well, what happens in the emergency room stays in the emergency room,” Joyal noted in his relatively brief address to the court. “Nothing justified (police officers) being there.” [Montreal Gazette]

CA – Canada’s Friendly Drone Laws

Addressing privacy concerns may be as simple as ensuring that existing laws encompass drones. This is the approach taken by Hong Kong in its recent guidelines. Similarly, Canada’s Privacy Commissioner has opined that Canada’s existing privacy laws apply to drones. While “lateral surveillance”—private citizens surveilling other private citizens—is often not covered by privacy statutes, torts such as intrusion upon seclusion may fill that gap. [Mondaq]

CA – Premier Cites an Official’s ‘Lapse In Judgment’ in Release of Information

Wall said Monday the senior staff member has been removed from the file and has had an exemplary record otherwise. “What I had asked for is that general information be provided to the media on background,” he said. “The first email in my view met that test … a second email went to one reporter … that had specific information.” [Winnipeg Free Press]

CA – Other Privacy News

Consumer

US – Millennials Most Trusting of Generational Groups

Despite high-visibility data breaches, 44% of millennials in the U.S. believe “their personal information is kept private ‘all’ or ‘most of the time’ by the businesses or companies they do business with”—the highest of all major U.S. generational groups. The most skeptical generation is Americans aged 70 and older, with 29% believing their personal information is kept private all or most of the time and just over a third believing it’s kept private a little or none of the time. Generation X and baby boomers fall somewhere in between the two groups, “suggesting that expectations of personal privacy are age-related,” the report states. [Gallup]

US – DAA Sets Opt-Out Compliance Deadline for September

The Digital Advertising Alliance (DAA) announced that starting in September, “ad companies will have to allow people to opt out of receiving ads that are targeted based on data collected across mobile apps.” The self-regulatory group’s mobile privacy code, unveiled in 2013, requires ad networks and other companies to notify consumers about cross-app advertising and allow them to opt out via AppChoices, which the DAA released earlier this year. While the rules were announced nearly two years ago, a compliance deadline had not been set until now, the report states. “We give companies a reasonable amount of time to make sure that everything’s in order,” said the DAA’s Lou Mastria. [MediaPost]

E-Government

US – DARPA Aims to Automate Privacy-Protecting Sharing

The Defense Advanced Research Projects Agency (DARPA) plans to consider public proposals on ways for organizations to expedite data sharing while protecting personally identifiable information (PII). Known as Brandeis, the initiative aims to “break the tension” between data protection and finding value in sharing data. DARPA Program Manager John Launchbury said, “Rather than having to balance these public goods, Brandeis aims to build a third option: Enabling safe and predictable sharing of data while reliably preserving privacy.” Purdue University Computer Science Prof. Gene Spafford said, “The objective really is to find a way to transform or mask the data so it’s still useable but eliminate those windows of potential exposure.” [BankInfoSecurity]

AU – Privacy Report Card Warns of Public’s Big Data Concerns

The Australian privacy commissioner says the shift to a simpler, consolidated service delivery model featuring one-stop shops is “an opportunity to place privacy respectful practices at the heart of customer services and build trust with the community”. Coombs wants to see greater protection for data that is sent interstate by government agencies, the right to anonymity and pseudonymity “where lawful and practicable” and mandatory reporting of serious breaches, “particularly if this is introduced into Commonwealth legislation”. [Source]

US – New App Lets Users Send Video of Police to ACLU

The ACLU of California has released a new mobile app for smartphones that lets users automatically send videos of police directly to the advocacy organization. ACLU of Southern California Executive Director Hector Villagra said, “We want to multiply the number of cameras that can be trained on police officers at any time,” adding, “They need to know that anything they do could be seen by the entire world.” However, some are raising privacy concerns about the app. “Everyone wants to keep an eye on the police,” said Loyola Law Prof. Laurie Levenson. “But in these incidents, the police are interacting with an individual involved in the worst conduct of their lives … The ACLU needs to consider their privacy rights.” [Los Angeles Times]

E-Mail

CA – CASL Reduced Legitimate Email as Much as “Spam”: Cloudmark Study

Average monthly email volumes received by Cloudmark customers in Canada declined by 29%, but the percentage of received email that Cloudmark assessed as “spam” actually increased, albeit by an insignificant amount (from 16.5% to 16.6%). In other words, the proportionate impact of the legislation for Canadian recipients has been as high or higher on “legitimate” traffic as it has been on true “spam”. [Source]

CA – Privacy Commish: Guidance for Privacy Law and CASL Compliance

The Guide is a reminder that commercial messages are regulated by both CASL (which regulates the sending of commercial electronic messages) and Canadian privacy laws (which regulate the collection, use and disclosure of email addresses in the course of commercial activities). The Guide explains some of the basic Canadian privacy law requirements for commercial electronic marketing activities. Following is a summary:

  • Accountability: An organization is accountable for how the organization and its service providers collect, use and disclose personal information (including email addresses) in the course of commercial activities. [Source]

Electronic Records

US – Activist Wants Google Settlement Tossed

An activist has filed papers in the Ninth Circuit Court of Appeals opposing a judge’s approval of Google’s recent $8.5 million settlement in a privacy lawsuit. Theodore Frank is founder of the Center for Class Action Fairness and previously asked a judge to reject the deal, arguing it would not benefit Google’s users. [MediaPost]

US – Plaintiffs Want Blue Cross Suit Back in State Court

Blue Cross of California customers who allege the health insurer’s data security practices put millions at risk by exposing their Social Security numbers have urged a federal judge to send their putative class-action back to state court, arguing federal courts lack jurisdiction since the plaintiffs are not seeking monetary damages.

Encryption

WW – Vint Cerf: Encryption Backdoors Are a Bad Idea

Recent calls by the FBI and other government officials for technology vendors to build encryption workarounds into their products are a bad idea, said Vint Cerf, who also said more users should encrypt their data and that the encryption backdoors the FBI and other law enforcement agencies are calling for would weaken online security. During a speech in Washington, DC, Cerf said because of the Internet’s myriad security challenges, more users and Internet service providers need to adopt measures like encryption, two-factor authentication and HTTP over SSL. He added that calls by law enforcement for technology vendors to build encryption workarounds into their products are a bad idea, the report states. “If you have a back door, somebody will find it,” he said, “and that somebody may be a bad guy.” [IDG News Service] [PC World]

US – Encryption Backdoor Legislation Looks Unlikely, For Now

The House Oversight and Government Reform Subcommittee on Information Technology held a hearing on encryption and law enforcement access to mobile devices. Though FBI Executive Assistant Director Amy Hess and Suffolk County (MA) District Attorney Daniel Conley testified on the need for law enforcement access to combat terrorism and criminal activity, there appeared to be little support from lawmakers. Rep. Ted Lieu (D-CA) said, “It is clear to me that creating a pathway for decryption only for good guys is technologically stupid, you just can’t do that.” Some remained optimistic, however, that a solution is possible. Rep. Will Hurd (R-TX) said, “I believe we can find a way to protect the privacy of law-abiding citizens and ensure that law enforcement have the tools they need to catch the bad guys.” Open Technology Institute’s Kevin Bankston said forcing U.S. businesses to install backdoors will drive away foreign customers and open the door for major breaches of personal information. [BankInfoSecurity]

EU Developments

EU – Digital Single Market Plans Unveiled

The EU has unveiled plans for a strategic Digital Single Market to help boost the region’s economy, better compete with U.S. technology firms and help “home-grown” start-ups. The 16 initiatives include reorganization of telecoms, cybersecurity and privacy. GE CEO Jeffrey Immelt said the single market “is a big deal” that “will add tremendously to competitiveness in the long term,” but critics caution Brussels may be putting “government officials in charge of how hugely popular online services are designed and implemented.” EU Digital Commissioner Gunther Oettinger said, “If you look at the platforms they have in the U.S., national data rules play an increasingly reduced role,” while Re/code offers several leaked documents and reports on what to expect from this latest initiative. [The Wall Street Journal] [Companies Urged To Prepare Themselves As Latest EU Data Law Proposals Threaten Digital Marketing Industry]

EU – Right to Redress for EU Citizens Pushes Data-Sharing Deal Forward

The EU and the U.S. are close to completing negotiations on a deal protecting personal data shared for law enforcement purposes such as terrorism investigations. The negotiations hit a point of contention because of a lack of legal redress for EU citizens in U.S. courts in cases where data may have been misused, while U.S. citizens have that right in the EU. But the Judicial Redress Act, introduced in the U.S. in March and aiming to give citizens of U.S. allies the right to sue over data privacy in the U.S., has pushed things in the right direction, the report states. [Reuters]

EU – Lawmakers in France Move to Vastly Expand Surveillance

The provisions, as currently outlined, would allow the intelligence services to tap cellphones, read emails and force Internet companies to comply with requests to allow the government to sift through virtually all of their subscribers’ communications. Among the types of surveillance that the intelligence services would be able to carry out is bulk collection and analysis of metadata similar to that done by the United States’ National Security Agency. The intelligence services could also request the right to put hidden microphones in a room or on objects such as cars or in computers, or to place antennas to capture telephone conversations or mechanisms that capture text messages. Both French citizens and foreigners could be tapped. [New York Times] [France Set to Join the Spy Game]

EU – France Passes New Surveillance Law in Wake of Charlie Hebdo Attack

One of the most contentious elements of the bill is that it allows intelligence services to vacuum up metadata, which would then be subject to analysis for potentially suspicious behaviour. The metadata would be anonymous, but intelligence agents could follow up with a request to an independent panel for deeper surveillance that could yield the identity of users. Another controversial element is the so-called “black boxes” – or complex algorithms – that internet providers will be forced to install to flag up a succession of suspect behavioural patterns online, such as keywords used, sites visited and contacts made. Surveillance agencies will also be able to bug suspects’ homes with microphones and cameras and add keyloggers to their computers to track every keystroke. [The Guardian] [Familiar Swing to Security Over Privacy After Attacks in France] [France doubles down on their war on cash and passes next phase in war on privacy] Five Dangers of France’s New Snooping Laws: Basically, the bill will allow the implementation of intrusive measures such as placing cameras and recording devices in private dwellings and installing “keylogger” devices that record every key stroke on a targeted computer in real time, but without any of the independent checks and due diligence that an independent judge would normally provide. [Source]

EU – Germany is Accused of Spying on Friends

Within the past two weeks, the tide has turned. Ms. Merkel is back in the spotlight over spying. This time it is Germany’s foreign intelligence service, known here as the B.N.D., that is being accused of monitoring European companies and perhaps individuals. Further, the reports said the spying was done at the behest of the National Security Agency, the United States intelligence organization. …The accusation was angrily rebutted by Gerhard Schindler, head of the B.N.D. He dismissed as “absolutely absurd” any suggestion that his agency was “a compliant tool” of the Americans. …The current flare-up started on April 23 when Der Spiegel reported that since at least 2008, a division of the B.N.D. had helped the NSA to spy on European and German interests, including the French-German enterprise European Aeronautic Defense and Space, now known as the Airbus Group. [New York Times] Pressure Mounts on Merkel to Explain German Role in N.S.A. Espionage: Ms. Merkel and other members of her conservative bloc have argued that the intelligence agreement is vital to protecting Germany’s 80 million or so citizens against Islamic terrorism and other threats. They have continued to defend the trans-Atlantic cooperation since the latest controversy erupted. But even conservatives have begun to express their weariness over what they characterize as repeated American attempts to use intelligence cooperation to spy on European institutions or firms in a way they say jeopardizes joint projects.

EU – Ireland Beefs Up Data Privacy Office

The agency, like counterparts in other EU states, regulates how companies deal with privacy issues—for instance, whether companies inappropriately send email advertising, collect too much information from customers or keep accurate records. The rules are generally tighter than in the U.S. Ireland’s data protection office was created in 1988, when only a handful of large, data-based firms had big operations in Europe. As companies flocked to Ireland, the agency’s resources didn’t keep up. Until this year, its only office has been above a convenience store in Portarlington, a town of less than 8,000 people more than an hour’s drive west of Dublin. [Wall Street Journal] [How Ireland’s Data Protection Czar Views Global Tech Firms]

EU – GDPR is the Biggest Threat to Business Continuity for a Decade

This time next spring, or earlier, there’s likely to be a mad panic within sales and marketing departments as companies struggle to beat the deadline for making significant changes to data protection and security or risk facing punitive fines equivalent to up to 5% of global turnover or €100m. Ahead of the GDPR, sales and marketing professionals should follow these top ten steps to ensure that their future marketing efforts within the EU will be compliant. [Source]

EU – Facebook Escapes DPA’s Fines for Now

Facebook has temporarily escaped daily fines over its revamped policy for users’ photos and data. The Dutch Data Protection Authority (DPA) said it lifted the threat of combined penalties totaling as much as 750,000 euros, the report states, “after Facebook agreed to provide information needed to weigh the next steps in the investigation announced in December.” The DPA stepped in last year after Facebook alerted users of changes to its policy in which it claimed the right to use their information and images for commercial purposes. The DPA sought a suspension of Facebook’s new policy pending an investigation or said it would face fines, and Facebook opted to go to court over the dispute. [Bloomberg]

EU – French Lower House Approves Expanded Surveillance Powers

The lower house of the French Parliament has overwhelmingly approved surveillance measures “that could give the authorities their most intrusive domestic spying abilities ever, with almost no judicial oversight.” The bill now moves to the upper chamber, where it is also expected to pass. Prime Minister Manuel Valls said, “The last intelligence law was done in 1991, when there were neither cell phones nor Internet.” The bill allows intelligence authorities access to cell phones and email; mandates service providers let government review virtually all subscriber data, and lets intelligence services carry out bulk collection and analysis of metadata. Paris Bar Association’s Pierre-Olivier Sur said it is “a sort of PATRIOT Act concerning the activities of each and every one.” [The New York Times] The New York Times offers an analysis of France’s move to vastly expand government surveillance powers in the name of public safety.

UK – Deputy PM Clegg Calls for Digital Bill of Rights

Deputy Prime Minister Nick Clegg has called for a new Digital Bill of Rights, initially called for after the Snowden revelations, to be introduced within six months of the new Parliament to “stop information about us being abused online, and to protect our right to freedom of speech.” Monty Munford writes that the 2015 Digital Rights Survey found that while the majority cited privacy concerns about their data, few took appropriate actions to protect it. It will take someone disproportionately famous who could make a Digital Bill of Rights a reality, Munford writes, citing none other than David Beckham. [The Telegraph] [GovInfoSecurity: The Privacy Impacts of the Elections]

UK – Theresa May to Revive Her ‘Snooper’s Charter’

Election results were barely in when the home secretary indicated the Tories will increase state surveillance powers, to the alarm of privacy campaigners. Speaking as early results indicated the Conservatives would form a government with a Commons majority, Theresa May said increased surveillance powers were “one very key example” of Tory policy that was blocked by the coalition arrangement with the Liberal Democrats in the previous government. May’s remarks alarmed privacy campaigners who fear a Conservative government will revive the controversial draft communications bill, which was beaten last year after the Lib Dems withdrew their support. That law, labelled a snooper’s charter, would have required internet and mobile phone companies to keep records of customers’ browsing activity, social media use, emails, voice calls, online gaming and text messages for a year. May said in a BBC interview: “David Cameron has already said, and I’ve said, that a Conservative government would be giving the security agencies and law enforcement agencies the powers that they need to ensure they’re keeping up to date as people communicate with communications data.” [Guardian] [NY Times: David Cameron Seeks New Powers to Combat Extremism in Britain]

EU – ‘Right To Be Forgotten’: One Year On

Over the last 12 months, Google has processed 253,617 data removal requests, and agreed to just over 40 per cent of those. The legislation has received heavy criticism from a number of parties, including the House of Lords EU Committee, which described it as “unworkable and wrong”, and Wikipedia founder Jimmy Wales, who described it as “deeply immoral”. However, the UK’s data protection watchdog, the Information Commissioner’s Office (ICO), has defended the legislation, claiming that it has “raised awareness of people’s data protection rights” and that removal of links from search results “can have a real benefit”. [Telegraph]

EU – Other Privacy News

  • Maryland Law Prof. Frank Pasquale reacts to leaked documents from the office of EU Digital Commissioner Günther Oettinger in which the regulator called for “a central EU-wide body with the power to monitor platforms’ use of data, and to resolve disputes between the operators and the businesses they serve.” In this column for The Guardian, Pasquale writes, “This is far-sighted, important planning.”

Facts & Stats

US – Survey Suggests 70 Million Had PI Breached in 2014

A new survey projects that more than 70 million adults in the U.S. had their personal information compromised in 2014. The survey, which polled more than 3,000 American adults, found that while some incidents may have resulted from stolen credit cards, many stemmed from data breaches—and not only online. The survey found that 79% of those notified of a data breach were told by a brick-and-mortar store or a financial institution, the report states. Only 18% said the problem originated at an online retailer. “The study arguably highlights the need for stronger consumer protections,” the report states. [Consumer Reports]

WW – The Projected Cost of Those Breaches? $2.1 Trillion

A new study from Juniper Research reveals that data breaches will cost organizations more than $2 trillion during the next four years. The Future of Cybercrime & Security: Financial & Corporate Threats & Mitigation equates that to approximately 2.2% of global GDP or an average of $6 million per organization hit by a breach. “Typically the most expensive forms of cybercrime are data breaches,” the study states, adding, “those attacks which result in the criminals seizing business or personal records.” In separate research, the Ponemon Institute reveals that information technology assets are insured 39% less than physical assets. The report states that “companies are reluctant to purchase cyber-insurance coverage” even though they foresee greater cyber risk. [IT Pro]

WW – IT Pros See Data Privacy as Top Concern

A new study conducted and released by Dimensional Research reveals that data privacy is now a top concern for IT professionals. According to The State of Data Privacy in 2015, 93% of businesses face data privacy challenges and 77% of businesses exceeding 5,000 employees are investing more into privacy in 2015. What’s more, 84% of the IT professionals surveyed said their focus on data privacy is escalating this year. A top concern for IT professionals is a lack of awareness among employees about existing privacy policies, followed by an insufficient budget to train employees. [BusinessSolutions]

US – The Rise of the Chief Data Officer is Upon Us

The rise of chief data officers (CDOs) is a reflection of “the central role that data now plays in every facet of society,” the report states. A 2015 study from IBM’s Center for Applied Insights that surveyed 250 chief information officers from large organizations found that 61% wanted their employers to recruit CDOs in the next year. “The emergence of chief data officers at major agencies and departments is a promising sign that the federal government continues to execute on President Obama’s open data vision and his 2013 executive order,” said Nick Sinai, former deputy U.S. chief technology officer. [TechRepublic]

Filtering

WW – Facebook Study Examines “Filter Bubble”

A study conducted by Facebook data scientists and published in Science contends the so-called “filter bubble”—the possibility that users create their own insular, online echo chambers—is not occurring on the social networking site. The peer-reviewed study looked at 10.1 million politically partisan American users and revealed that while their friend networks and the stories they read are, in fact, skewed toward their ideology, the effect is more limited than expected, the report states. Eli Pariser, who coined the term “filter bubble,” said the study “shows that the effects that I wrote about exist and are significant, but they’re smaller than I would have guessed.” The study has its critics, however, including Prof. Zeynep Tufekci. [The New York Times]

EU – RTBF Less of a Censorship Issue than Originally Thought?

Internet censorship concerns over the European Court of Justice’s decision in favor of the Right To Be Forgotten (RTBF) appear to be unfounded, new Reputation VIP data shows. While individuals are responding to the ability to strike personal information from search engines in large numbers—according to Google reports, the rate of requests has been averaging 500 per day—findings illustrate that “invasion of privacy” serves as the catalyst for 58.7% of requests, followed by “damage to reputation” at 11.2%. Collectively, social media sites lead the charge for reported URLs at 20%. “Much of the criticism of the RTBF has centered on fears of criminals erasing bad behavior, leading to cries of censorship. But this data suggests those fears mischaracterize the mainstay of RTBF requests.” [TechCrunch]

Finance

US – Facts About FATCA, America’s Global Disclosure Law

FATCA requires foreign banks to reveal Americans with accounts over $50,000. Non-compliant institutions could be frozen out of U.S. markets, so everyone is complying. …More than 80 nations—including virtually all that matter—have agreed to the law. So far, over 77,000 foreign financial institutions (FFIs) have signed on too. Countries must throw their agreement behind the law or face dire repercussions. Even tax havens have joined up. The IRS has a searchable list of financial institutions. Countries on board are at FATCA – Archive. [Forbes] An American Tax Nightmare: There is no recourse and no appeal process. Those impacted are left with the choice of uprooting their families (including foreign spouses and children), careers and businesses to re-establish a life in the United States; or to make the painful decision to renounce their citizenship. Without significant and timely changes, that will only be the tip of the iceberg as foreign financial institutions continue their search for unprofitable American accounts. Remember, the vast majority of those renouncing citizenship are not wealthy tax evaders trading their passport for income tax savings; they are middle-class Americans, living overseas, fully compliant with their U.S. tax and reporting obligations. [NYTimes]

FOI

CA – Shredding at Legislature Prompts Privacy Commissioner to Weigh In

The commissioner’s office issued a news release, in part to answer questions raised by the public and media about shredding in the wake of the Tories’ defeat in the recent election. Following the NDP’s historic win, photos have been posted on social media of giant bags of shredded paper sitting outside legislature offices. That has led to concerns — or conspiracy theories — that the PC government, which has been in power for 44 years, might be frantically discarding evidence of secrets, scandals or other valuable information that has been kept from the public eye. [Edmonton Journal]

US – School Districts, Nonprofit Team Up for Ed-Tech Rating System

More than 20 school districts have teamed up with Common Sense Media to establish a rating system for the privacy policies of educational-technology products. The “Common Sense Privacy Ratings Initiative” will be announced at a conference in June and operationalized later this year. It will likely use a color-coded key so schools can easily understand companies’ compliance with privacy standards. “There’s a lot of pressure on districts, from parents and legislators,” to ensure ed-tech tools comply with applicable laws, explained Omar Khan, the nonprofit’s chief product and technology officer, noting the privacy rating system is still being developed. [Education Week] [Edtech Privacy by Design: The Teacher as Privacy Entrepreneur]

Genetics

US – Microbiome DNA Raising Privacy Concerns

According to new scientific research, the microbiomes—what some call the “gut print”—in the human body can be used to uniquely identify individuals. The research suggests the possibility of identifying previously anonymous participants and revealing data including health, diet or ethnicity. The National Institutes of Health currently contains a publicly available trove of human DNA, the report also states, and Harvard’s Curtis Huttenhower notes, “Right now, it’s a little bit of a Wild West as far as microbiome data management goes … As the field develops, we need to make sure there’s realization that our microbiomes are highly unique.” Separately, Al Jazeera America asks whether DNA will be the next frontier in privacy. [Nature]

WW – Is DNA the Next Frontier In Privacy?

Obama has called for 1 million genomes to be sequenced, but government is mum on how it will protect genetic data. At a hearing about the Precision Medicine Initiative in front of the Senate Health, Education, Labor and Pensions Committee on May 5, Democratic Sen. Patty Murray of Washington state warned of the risks to privacy. “In the last few months we’ve seen serious security breaches impacting families’ personal health information, and that’s unacceptable,” she said. “We need to be aware that data is being created that cybercriminals will want to exploit, and that means we will need to develop a strategy to protect privacy that meets today’s challenges.” Collins responded that the White House, the NIH and the Office of the National Coordinator for Health Information Technology were all “deeply serious” about protecting the data of its volunteers. [Source]

Health / Medical

US – Bill Would Lift Patient Authorization Requirements

Some privacy experts are concerned with a draft bill that would weaken HIPAA privacy protections. The 21st Century Cures bill proposes the Department of Health and Human Services “revise or clarify” the HIPAA privacy rule’s provisions on the use and disclosure of protected health information (PHI) for research purposes. The bill would not require patient authorization for the release of PHI for research if covered entities or business associates are involved. David Holtzman, CIPP/G, said the provisions in the draft bill “roll back essential protections of the control that patients have over how their information is used and disclosed.” [Gov Info Security]

US – AHA: Privacy Rules Potential Deterrent to Telehealth Adoption

A report by the American Hospital Association (AHA) says health privacy regulations are one of the potential deterrents to telehealth adoption. “As telehealth utilization expands, however, myriad significant federal and state legal and regulatory issues will determine whether and how hospitals, health systems and other providers can offer specific telehealth services,” the AHA said. While telehealth technologies can create new electronic health information, they can also create operational challenges for hospitals aiming to stay compliant with state and federal rules. The AHA recommends hospitals update and adapt their data privacy and security practices to respond to the new risks telehealth technologies present. [HealthIT Security] See also: [ONC Guide to Privacy and Security of Electronic Health Information]

US – The Risks Increase for All Entities

Risks to healthcare IT security are growing. Every 60 seconds, 232 computers are infected with malware and 12 websites are successfully hacked, the report states. Plus, medical records are worth $60 on the black market, whereas credit card data is worth $20. “That makes us significant targets,” said Intermountain Healthcare CISO Karl West. Meanwhile, ID Experts President and Cofounder Rick Kam writes for Government Health IT on why size doesn’t matter in health data breaches. For example, while large organizations used to be the primary targets, mid-sized organizations with presumably smaller cybersecurity budgets are now becoming targets. [Healthcare IT]

US – While Not ‘Back to the Drawing Board,’ Stage 3 MU Needs Revision

The Meaningful Use Stage 3 proposal, while mostly “beneficial,” isn’t without fault, finds the Office of the National Coordinator (ONC) Health Information Technology (HIT) Privacy & Security Workgroup. In its critiques, the group cites five necessary improvements, most specifically in the areas of “user guidance” on safe use and “patient access,” requesting the development of education materials for consumers as well as more sophisticated methods of identity protection, even “a need to certify patient-facing health applications.” The ONC was careful to recognize the extent of its requirements, and as such is offering assistance with revisions as the proposal moves forward, Healthitsecurity.com reports. [Source]

Horror Stories

US – Ponemon Study: Criminal Breaches Now Outnumber Accidents

According to the Ponemon Institute’s Fifth Annual Benchmark Study on Patient Privacy and Data Security, data breaches caused by criminals outnumbered accidental ones for the first time, CSO reports. “Over the five years, the percentage of incidents that occur due to criminal attacks versus negligence has increased by 125%,” said Larry Ponemon, CIPP/US, chairman and founder of the Ponemon Institute. In the last two years, “91% of healthcare organizations reported at least one breach; 39% reported two to five data breaches, and 40% had more than five data breaches,” the report states. And, Ponemon said, that could be undercounting. [Source]

US – Men Arrested for Harvesting Data

Two men alleged to have developed an app enabling criminals to harvest personal data from users of photo-sharing site Photobucket have been arrested. The app allowed users to access password-protected accounts containing private photos. It’s unknown how many users were affected. If found guilty, Brandon Bourret and Athanasios Andrianakis face a maximum of five years in prison and a $250,000 fine for computer fraud and an extra prison sentence of up to 10 years and another $250,000 if they are found guilty of two counts of access device fraud, the report states. The men were arrested in the U.S. [BBC News]

US – Judge Dismisses eBay Class-Action; Hospital Hacked

A federal judge has dismissed a class-action lawsuit filed against eBay following a 2014 data breach exposing encrypted passwords and personal information for 145 users. The suit alleged the breach resulted in economic damages for eBay users, including potential identity theft, but experts say plaintiffs would have had to prove actual or threatened injury to have been successful. Meanwhile, Massachusetts-based Partners HealthCare System is being criticized for allowing employees to send sensitive patient data via email after hackers gained access, and the official federal tally of major health data breaches shows the healthcare sector continues to be a growing target for hackers. [GovInfoSecurity]

WW – Who Should Pay for Breaches?

A recent study from Experian Data Breach Resolution and the Ponemon Institute examines the question of “who should be responsible for securing payment systems and how effective their organization is in preparing for and responding to a payment card breach.” In detailing the results, the report states respondents indicate breach prevention is a growing priority. “Companies in the payments industry face a huge challenge keeping up with securing new technologies to protect customer data and with cybercriminals,” said Experian’s Michael Bruemmer. Meanwhile, PYMNTS reports on how a revised data breach notification law could exempt “minor cybersecurity breaches,” while breaches have spurred lobbying for the proposed Cybersecurity Information Sharing Act. [Help Net Security]

US – Sally Beauty Breached Again

Beauty products seller Sally Beauty has confirmed it’s suffered its second data breach in just over two years; a new independent report by Forrester Research discusses the ways firms are “exposing themselves to unnecessary risks” by using outdated approaches to verify employee access to data, and in ZDNet, Steve Wilson says it’s time to “turn up the heat on enterprise IT” to stop breaches from happening.

US – Mobile Spy Software Maker mSpy Hacked, Customer Data Leaked

The Tor-based site hosts several hundred gigabytes worth of data taken from mobile devices running mSpy’s products, including some four million events logged by the software. The message left by the unknown hackers who’ve claimed responsibility for this intrusion suggests that the data dump includes information on more than 400,000 users, including Apple IDs and passwords, tracking data, and payment details on some 145,000 successful transactions. [Krebs]

Identity Issues

AU – Pilgrim: Metadata Is PI

After 22 months, journalist Ben Grubb should now be able to access his own metadata from Internet provider Telstra. That’s because Privacy Commissioner Timothy Pilgrim “has ruled that metadata is personal, finding that Telstra must hand over information it holds about a journalist, two years after he exercised his legal right to see his personal metadata.” However, the story may not be over. The Australian reports telcos are unhappy with the decision. “Australia’s telcos have reacted with dismay,” the report states, adding, “Telstra quickly announced an appeal, and Communications Alliance Chief John Stanton issued a statement saying the industry could not afford to apply such a policy.” [ABC]

Internet / WWW

WW – Global Privacy Sweep Focusing on Children

The Global Privacy Enforcement Network plans to focus its 2015 international privacy sweep on the proliferation of websites and mobile applications targeted at children. The sweep involves 29 data protection authorities in 20 countries. “Children are more connected than ever before, and these platforms must bear that in mind when seeking potentially sensitive data such as name, location or e-mail address,” said Canadian Privacy Commissioner Daniel Therrien. “This is about protecting children. I can’t think of anything more important than that.” The sweep will assess whether the apps and websites examined collect personal information from children and the controls in place to limit that collection. [Source] [Majority of App Developers Contacted by OPC Commit to Improve Privacy Communications In Wake Of GPEN Sweep]

WW – Facebook Project and Microsoft App Draw Criticisms

Facebook’s Internet.org initiative, aimed at bringing free basic Internet services to users in developing countries, is being described by critics as a “privacy nightmare” because users will be tracked on partner sites, the traffic will be unencrypted and data will be shared with third parties. Meanwhile, Web Security reports on privacy concerns related to Microsoft’s new app that guesses people’s ages and genders via an uploaded photograph. The app, which has had 210,000 images uploaded, now has users concerned about possible privacy breaches and Microsoft’s ability to use images across its services per its terms. Microsoft engineers have said the company neither stores nor uses the photos. [ITProPortal]

US – Online Trust Alliance to Lead IoT Initiative

The Online Trust Alliance (OTA) announced it is leading an initiative to develop a security, privacy and sustainability trust framework for Internet of Things (IoT) devices. The framework aims to provide clarity and confidence to consumers and will initially focus on connected home and wearable/fitness technologies, according to a press release. OTA hopes to use the framework as the basis for a potential certification program for IoT devices and their manufacturers. OTA’s Craig Spiezle said because of the rapid development of IoT products on the market “we must ensure that security and privacy best practices are integrated to maximize consumer protection.” A working group meeting is scheduled for June 16. [Source]

WW – As Sensors Shrink, Wearables Moving Toward “Disappearables”

While wearables may be the hot thing now, the subject of Article 29 Working Party, Federal Trade Commission and U.S. Congressional scrutiny, a new report says they will soon give way to “disappearables,” devices that are so small that they’ll be integrated in the ear, under the skin or woven into clothing. “In five years … everything we see now will absolutely be classified as toys,” says Nikolaj Hviid, who makes smart earbuds called the Dash, which are shaped as hearing aids and allow for music playing, phone calls and monitoring of health indicators. This shift is being driven by chips that use Bluetooth technology and are far smaller and less power hungry than previous versions. [Reuters]

Law Enforcement

US – New State Law Requires Warrants Before Stingray Deployment

Washington Gov. Jay Inslee has signed a bill into law that will require law enforcement to get a judge-approved warrant before deploying a stingray, or cell-site simulator. To obtain a warrant, police will have to disclose the device’s use to a judge and discard cell-phone data from those not associated with the specific investigation, the report states. The Center for Democracy & Technology’s Harley Geiger said the move exemplifies the increasing trend of state governments taking action in lieu of federal legislation. “Stingray technology is just one of many examples of domestic mass surveillance that has the public troubled,” Geiger said. [SC Magazine] SEE ALSO: California County Calls Off Stingray Purchase: Officials in Santa Clara County (California) have said no to the acquisition of cell-site simulator technology known as Stingray. The purchase was initially approved earlier this year, but a lengthy negotiation found the county was unable to reach an agreement with Harris Corporation, the device manufacturer. [Ars Technica]

US – Debt Collectors Linked to ALPR Lobby

In addition to the backing of police departments, automated license plate readers (ALPRs) also allegedly have the support of some in the financial industry. Journalist Lee Fang filed a records request in Rhode Island and found two letters of opposition to a proposed state law limiting how ALPR data is used and shared. One letter was written on behalf of the Rhode Island State Police; the other came from American Financial Services Association Senior Vice President Danielle Fagre Arlow, who wrote of “ALPR’s valuable role in our industry—the ability to identify and recover vehicles associated with owners who have defaulted on their loans and are not responding to good-faith efforts to contact them.” [The Intercept]

US – Justice Dept. Will Spend $20 Million on Police Body Cameras Nationwide

Federal officials plan to award nearly $20 million in funding to dozens of departments, about a third of them small law enforcement agencies. In addition, another $1 million will be set aside so that the Bureau of Justice Statistics can figure out how to study the actual impact of these cameras. [WashPost] The DOJ document which outlines eligibility for the grants states that law enforcement agencies will have to develop or build on a policy which includes the “Implementation of appropriate privacy policies that at a minimum addresses BWC program issues involving legal liabilities of release of information, civil rights, domestic violence, juveniles, and victims’ groups.” However, the document includes few specific details about what policies will have to include in order to be deemed to have addressed these issues. [CATO: We Should Be Wary of Federal Body Camera Funds] [USA Today: States, Civil Liberty Advocates Collide Over Police Body Camera Policy] See also: [Toronto Police Will Be Allowed to Turn Body Cameras Off, Won’t Record Carding]

Location

US – FTC Details Privacy “Trade-Offs” in Retail Tracking

In a new blog post, U.S. FTC Chief Technologist Ashkan Soltani shares a deep-dive into the emerging retail tracking landscape. “In light of the Commission’s proposed settlement with Nomi and the ongoing public debate,” Soltani writes, “I thought it would be worthwhile to describe how different retail tracking technologies work, and in my opinion, the specific trade-offs of each approach.” In addition to an overview of the landscape, Soltani provides an in-depth look at the various identifiers used, as well as how notice and choice are being offered. “Given the variety of approaches,” he adds, “there are a number of things that industry could do to alleviate the privacy concerns and address some of the gaps in consumer awareness.” [Blog]

Online Privacy

WW – IBM and Facebook Pair Up to Bolster Data-Fueled Advertising

IBM and Facebook have announced a partnership to use their “complementary strengths” to bolster data-fueled marketing efforts. “Our clients have urged us to bring Facebook into the equation because it is so important,” said Deepak Advani, general manager of IBM Commerce. “Facebook is where consumers spend a lot of their time.” The idea is that Facebook will benefit from IBM’s data analytics strengths while Facebook will provide insights on human behavior and preferences. “We both want to connect people with brands. Our objectives are very much aligned. And we share quite a few major clients,” said Blake Chandlee, Facebook’s vice president of partnerships. [The New York Times]

US – Researchers: Parents’ Social Posts Can Reveal Sensitive Personal Data

A new study reveals that one of the biggest threats to children’s online privacy could be parents. Researchers from New York University (NYU) Polytechnic School of Engineering and NYU Shanghai will release a paper demonstrating that parents’ online behavior can compromise their children’s privacy, particularly through posting photos of their children on social media. By analyzing such publicly available photos with public records, including voter registrations, the researchers found personal information about children, including their names, birthdays and home addresses. “By demonstrating just how much information can be gained about a child through adults’ online activities, we hope to spur parents to take precautions to minimize their children’s exposure online,” said Kevin Liu, one of the researchers. [Source]

WW – Google to Give Mobile Users “More Control”

Google is planning to give its mobile users more control over what information applications can access. An announcement that Google’s Android operating system is set to give users more detailed choices over what apps can access is expected this month. The change would bring it closer in line with Apple’s operating system, iOS, the report states, noting Google is seeking to attract users to its mobile services as they increasingly go online via wireless devices. A Google spokesperson declined to comment, according to the report. [BloombergBusiness]

Other Jurisdictions

CN – Draft National Security Law Aims for “Cyber Sovereignty”

Draft legislation proposed by the standing committee of the National People’s Congress would include a “cyberspace ‘sovereignty’ clause.” “The state establishes national Internet and information-security safeguard systems,” the draft states, “and protects national Internet space sovereignty, security and development interests.” Additionally, China must “achieve security and control in Internet and information core technology, key infrastructure and important data and information systems.” Earlier reports on the nationwide security legislation included powers for handling “harmful moral standards.” The draft also calls for strengthening the country’s banking infrastructure and for improvement to financial systems “to withstand international risks and shocks,” the report states. [Reuters]

AU – Framework Aims to Embed Privacy Culture in Australian Organisations

Australian Information Commissioner Timothy Pilgrim is encouraging organisations to embed sound privacy practice into their operations with the release of a new privacy management framework. In an assessment of the online privacy policies of 20 organisations operating in Australia, including Twitter, Microsoft, Instagram, and Westpac, the OAIC revealed that 55 percent of the organisations’ policies did not meet one or more of the basic content requirements under APP 1, which requires organisations and agencies to have a privacy policy that is clearly expressed and up to date. While all the policies assessed adequately described the kinds of personal information they collect and how it is collected, some did not outline how personal information could be accessed and corrected, said the OAIC. [ZDNet] See also: NSW Privacy Commissioner Elizabeth Coombs is calling for amendments to the state’s Privacy and Personal Information Protection Act, including mandatory breach notification.

AU – Australians Willing to Sacrifice Privacy for Security

Around 600 people were surveyed following last year’s synchronised anti-terrorism police raids. A similar number were surveyed following Sydney’s Lindt Cafe siege. Security measures ranked more than 50 per cent ‘acceptable’ in the surveys included internet monitoring, mandatory DNA record-keeping, facial recognition technology, biometric scanning at airports, national ID cards, access to all travel information, bomb detection for vehicles in parking areas and x-ray scanning at major events and transport terminals. “It seems Australians are fairly ready to trade off quite strong incursions into their personal privacy if they believe these will be effective in making their world safer,” said researcher Dr Simon Fifer. “As Australians, we like to think of ourselves as naturally a bit rebellious towards authority but our research is really not supporting that stereotype.” [Source]

Privacy (US)

US – Federal Court Rules NSA Bulk Surveillance Illegal

The Court of Appeals for the Second Circuit ruled today that the bulk collection of phone metadata by the National Security Agency is illegal. Instead of looking at the constitutionality of the program, the court ruled it went beyond the scope of what Congress intended when it passed the USA PATRIOT Act. The 97-page ruling concluded that a provision of the law allowing the Federal Bureau of Investigation to collect business records relevant to combating terrorism cannot legitimately lead to bulk surveillance of domestic phone records, the report states. “We do so comfortably in the full understanding that if Congress chooses to authorize such a far-reaching and unprecedented program, it has every opportunity to do so and to do so unambiguously,” the judges wrote. [The New York Times] [New York Times: Why the N.S.A. Isn’t Howling Over Restrictions]

US – Warrantless Laptop Seizure at Borders Disallowed, Rules Judge

“The Court finds, under the totality of the unique circumstances of this case, that the imaging and search of the entire contents of Kim’s laptop, aided by specialized forensic software, for a period of unlimited duration and an examination of unlimited scope, for the purpose of gathering evidence in a pre-existing investigation, was supported by so little suspicion of ongoing or imminent criminal activity, and was so invasive of Kim’s privacy and so disconnected from not only the considerations underlying the breadth of the government’s authority to search at the border, but also the border itself, that it was unreasonable. Therefore, the motion to suppress the evidence … will be granted.” Amy Berman Jackson, federal judge, U.S. District Court for Washington DC. [NakedSecurity]

US – New Attorney General Expected to Pursue Microsoft Overseas

Newly appointed U.S. Attorney General Loretta Lynch will continue to back the Justice Department’s (DoJ) warrant compelling Microsoft to hand over customer data stored on servers in Ireland. Despite the change in leadership at the DoJ, a spokesperson said the agency’s position has “not changed.” Federal prosecutors have sought the customer data since December 2013, but Microsoft has refused to hand it over, arguing the warrant does not have jurisdiction over data stored in foreign data centers. The outcome of the case will have huge implications for U.S. technology companies. Oral arguments for the case are expected later this summer, but a date has not yet been set, the report states. [ZDNet]

US – Verizon-AOL Deal Raises Privacy Concerns

News that Verizon will purchase AOL for $4.4 billion has some privacy advocates concerned the move could give the company more personal information of customers for tailored advertising. In a note to investors, a telecom-industry analyst said, “We can envision a scenario in which Verizon leverages AOL’s ad-tech platform to target consumers and measure their engagement across traditional and digital video and measure and deliver interaction across its multiple devices, platforms and properties.” Public Knowledge Senior Vice President Harold Feld said “it raises extremely substantial and urgent privacy concerns.” Stanford University’s Johnathan Mayer said, “With this acquisition, Verizon appears to be tearing down the wall between telecommunications and personalized advertising.” [National Journal]

US – Facebook Privacy Team Restructure Has Washington Focus

Revisions in Facebook’s privacy team highlight its newfound interest in Washington, DC, as the corporation brings on former FCC Director Kevin Martin, while transferring current Facebook Chief Privacy Officer Erin Egan to serve as vice president of public policy in its Washington, DC, headquarters. “Facebook has become a major player in Washington in the past few years. The company spent more than $9 million on lobbying last year, ranking only behind Google when compared to other Internet companies, according to the Center for Responsive Politics.” [The Hill]

US – CPOs Increasingly Hired, Especially in Higher Education

Historically, the CPO was more likely to be found in the private sector rather than in higher education. But in the last few years, colleges and universities have begun hiring a growing number of CPOs because of data security and protection on campus. University of California, Berkeley CPO Lisa Ho says the “CPO role is expanding beyond the realm of preventing data breaches to represent a fundamental institutional value and priority.” She said as universities continue to face pressing privacy issues, CPOs will be called on to help balance an institution’s “multiple priorities, obligations and values.” [EDUCAUSE]

US – Apple, AT&T Object to RadioShack Sale of PII

Apple and AT&T have both formally objected to the potential sale of customer data as part of the RadioShack bankruptcy case. “In order to protect its customers’ personal information, Apple oversees the collection and use of customer information collected by its retail partners, including RadioShack,” Apple said in papers filed to a Delaware bankruptcy court, adding, “The reseller agreement between Apple and RadioShack protects information collected by RadioShack regarding purchasers of Apple products and prohibits the proposed sale of such information.” AT&T also filed an objection, noting a debtor “seemingly intends” to include consumer data acquired by selling AT&T devices, the report states. Meanwhile, a federal court ruled that Birch Communications does not have to hand over customer data to a copyright litigant. [Law360]

US – DoJ Issues Guidance and Best Practices for Cyber Incident Response

The Department of Justice (“DoJ”) guidance provides the following recommendations on measures to take in advance of any cyber intrusion or attack, with an eye toward minimizing the harm that could result from such an attack, and on the steps that an organization should take in responding to a cyber security incident. [Inside Privacy] …the guidance [also] sets out what companies should not do in the event of a cyberattack. A key warning here is that businesses should not “hack-back” or attempt to penetrate or damage an attacker’s systems. This warning is well taken—penetrating another system, even one believed to be involved in maliciously compromising a network, may expose individuals or businesses to criminal liability under the Federal Computer Fraud and Abuse Act, or to civil damages and penalties. [Breaking Down the DOJ Cybersecurity Unit’s Guidance on Responding to Cyberattacks]

US – The Rise of the Chief Data Officer is Upon Us

The rise of chief data officers (CDOs) reflects “the central role that data now plays in every facet of society,” states a 2015 study from IBM’s Center for Applied Insights. The study, which surveyed 250 chief information officers from large organizations, found that 61% wanted their employers to recruit CDOs in the next year. “The emergence of chief data officers at major agencies and departments is a promising sign that the federal government continues to execute on President Obama’s open data vision and his 2013 executive order,” said Nick Sinai, former deputy U.S. chief technology officer. [TechRepublic]

US – NY Assemblyman Wants DMV to Ask Permission Before Selling Data

In a routine transaction at New York’s Department of Motor Vehicles, drivers’ personal information is sold after they get their licenses or register their vehicles. The state sells the information to insurance companies, courts and employers who need to verify driving records—and also so drivers can be notified of recalls—and says strict rules govern how much data is provided and who may obtain it. But Assemblyman Kevin Cahill (R-Kingston) disagrees with the practice and is sponsoring a bill that would let drivers decide whether the data is sold. “You have to register your car, but you shouldn’t have to give away your information,” he said. [CBS2]

US – VCs: Data Privacy Affects Valuation, Ability to Raise Capital

Conventional wisdom says privacy isn’t in Silicon Valley’s DNA. Rather, it’s come up with a use for the data first, ask questions about whether you can actually use it later. But that’s changing. Venture capitalists (VCs) are now making data privacy a core part of doing due diligence; corporate boards are now asking privacy questions more frequently of young start-up ventures, and privacy-enhancing technology is a booming area for VC investment. Sam Pfeifle talks with investors and start-up founders about the new era of data privacy in start-up culture, where a good privacy program can affect everything from the initial capital raise to the exit strategy. [Privacy Advisor]

US – Commissioners Call FCC’s Privacy Approach “Prehistoric”

Two commissioners from the Federal Communications Commission (FCC) have said the agency’s approach to consumer broadband privacy is “prehistoric.” Federal Communications Commissioners Michael O’Rielly and Ajit Pai expressed their concerns about the potential rulemaking for how Internet service providers process consumer data in light of the recent net neutrality order. In discussing last month’s FCC workshop on broadband privacy, Pai said, “One of the takeaways I had … is nobody knows where we go from here … That is almost the very definition of regulatory uncertainty.” O’Rielly said, “I believe we are heading in a bad direction on privacy, and it will be bad for consumers going forward.” [Law 360] See also: Group Aims to Relax FCC Authority: The 21st Century Privacy Coalition, led by former Congresswoman Mary Bono and former FTC Chairman Jon Leibowitz, is lobbying Congress to pass the Data Security and Breach Notification Act. [National Journal ]

US – Former Investigator: Tiversa Falsified Findings in LabMD Case

A former Tiversa employee says the firm faked LabMD breach findings in order to provoke Federal Trade Commission (FTC) action against the cancer testing center. LabMD, which eventually closed its operations, faced a complaint by the FTC in 2013 over its data security practices. The complaint was based on breach information provided by Tiversa; however, some—including a congressman—alleged that information was suspect. Now, a former Tiversa investigator, Richard Wallace, has indicated the company “routinely” and “deliberately” falsified security problems in an effort to pull in customers, the report states, and then threatened to report “breaches” to regulators if companies didn’t buy Tiversa’s services. [SC Magazine]

US – Bombshell Testimony in FTC’s LabMD Case Breach Allegations

Wallace also testified that Tiversa had a “common practice,” in attempting to drum up business, of making it appear that other prospective clients’ data files were compromised on peer-to-peer networks and “spread” among IP addresses of known identity thieves. Those IP addresses, however, were actually for computers in criminal investigations that had already been closed by law enforcement, and were added to Tiversa’s “data store” of records, Wallace testified. [GovInfoSecurity] [FTC] [GovInfoSecurity: FTC’s LabMD Case: The Next Steps Commission Won’t Call Rebuttal Witness] [SC Magazine: Former Tiversa Investigator Says Firm Faked Labmd Breach Findings] [CNN: Whistleblower Accuses Cybersecurity Company of Extorting Clients] [Law360: FTC Responds to LabMD Motion to Dismiss]

US – Google’s $8.5 Million Privacy Settlement Faces Appeal

Theodore Frank, founder of the Washington-based Center for Class Action Fairness questioned the choice of nonprofits slated to receive funds, arguing that some of them had relationships with Google as well as the lawyers representing the consumers. He pointed out that two of the plaintiffs’ lawyers were alumni of three schools slated to receive funds (Stanford, Harvard and Chicago-Kent College of Law) and that Google already donates money to Harvard, Stanford, AARP and Chicago-Kent. U.S. District Court Judge Edward Davila reportedly indicated that he was troubled by some of those points, saying at a hearing that the deal “doesn’t pass the smell test.” [MediaPost]

US – E-Verify in the States

E-Verify mandates vary considerably across states. Currently, Alabama, Arizona, Mississippi and South Carolina have across-the-board mandates for all employers. The state governments of Georgia, Utah, and North Carolina require all businesses with at least 10, 15, and 25 employees, respectively, to use E-Verify. Florida, Indiana, Missouri, Nebraska, Oklahoma, Pennsylvania and Texas mandate E-Verify for public employees and state contractors, while Idaho and Virginia mandate E-Verify for public employees. The remaining states either have no state-wide mandates or, in the case of California, limit how E-Verify can be used by employers. [CATO]

US – Watchdog Attacks Airbnb ‘Unwarranted Intrusion Into Users’ Privacy’

Santa Monica-based Consumer Watchdog released a letter it sent to ShareBetter SF, a coalition of San Francisco groups that is hoping to qualify a city ballot initiative to impose stricter regulations and penalties on online short term rental platforms. Airbnb has raised similar concerns. “As written, your initiative is an unwarranted intrusion into users’ privacy and inappropriately requires the home sharing platform to do the enforcement work that should rightfully be done by the city,” the letter states, calling the initiative “antithetical to San Francisco’s core values.” …”It’s just a crazy blunt approach that is uncalled for,” Simpson said. [Source]

US – 147 Drone-related Bills in State Legislatures

More than a dozen states regulate when and whether a warrant is required before police use a drone to gather evidence, according to the ACLU. This year, 44 states are considering another 147 drone-related bills. Drone enthusiasts say the regulations are misguided and that their actions are misinterpreted by a nervous public unfamiliar with the technology and its promise. States already protect citizens against Peeping Toms regardless of the technology involved, said Brendan Schulman, an attorney who specializes in drones at Kramer Levin Naftalis and Frankel in New York. [Bloomberg] The Data Quality Campaign offers an update on U.S. federal and state student privacy bills, including the updated Student Digital Privacy and Parental Rights Act of 2015 and new bills in North Dakota and Virginia.

US – U.S. Senate Panel Raises Privacy Concerns in White House Hacking Incident

“Just like any entity that handles personally-identifiable information, the White House has a responsibility to notify Americans if the recent, or any future breach, results in a compromise,” the committee chairman, John Thune, said in a statement on Sunday accompanying the letter. “If such information has been lost, the White House still has a responsibility to victims even if it believes the hack was perpetrated by foreign spies and not cyber thieves,” Thune added. [Reuters]

US – Social Media Giants Not Privacy Monsters: Deloitte Report

“Social media gets a bad rap in the media around most things, and privacy settings and policy changes in particular. But in reality they performed quite well in terms of informing consumers about exactly what they are doing, what they are collecting, and how consumers can best protect themselves,” said Deloitte’s cyber risk expert Marta Ganko. The researchers were also surprised that social media out-performed 10 other industries, including government, health and fitness, and technology, when it came to having robust online privacy policies and limited use of data-raking cookies. Social media had the shortest average duration for a third-party cookie stored on a user’s device, while the telecommunication and retail industries, ranked eighth and 11th, both had a third-party cookie which could be stored on a device for more than 135 years. Cookies usually last about two years. [Report]

US – FTC Names Katherine Race Brin CPO

The FTC has appointed Katherine Race Brin as its new chief privacy officer (CPO) to succeed Peter Miller. “Katie has served as acting CPO since December 2014,” said FTC Chairwoman Edith Ramirez, adding, “it’s an important role, and I look forward to continuing to work with her to ensure that the FTC complies with our privacy obligations.” Brin has served as senior advisor to the director of the FTC’s Bureau of Consumer Protection and as staff attorney in the Division of Privacy and Identity Protection. [Full Story]

US – Felten Named Deputy U.S. CTO

The White House’s Office of Science and Technology Policy has announced Ed Felten as its deputy U.S. chief technology officer. Felten currently teaches at Princeton University and was the first chief technologist at the FTC. “There is no one more valuable to bridging tech and policy than Ed,” said Joseph Lorenzo Hall, chief technologist at the Center for Democracy & Technology. [Source]

US – Other Privacy News

Privacy Enhancing Technologies (PETs)

WW – Mobile App Unveils Unencrypted Data

Researchers are now offering a new free online tool that shows users when transmitted data is not encrypted. Datapp, created by researchers from the University of New Haven’s Cyber Forensics Research and Education Group (UNHcFREG), which so far is only compatible with Windows 7 or 8, acts as a consumer-friendly web traffic “sniffer,” normally something that requires some technical expertise. “Think of it as Wireshark (a network traffic-analysis tool) with an access point for dummies,” said UNHcFREG Director Ibrahim Baggili. He also said UNHcFREG created the tool without outside funding but is accepting donations in order to add more features. [IDG News Service]

US – FTC’s Sannappa on API Design’s Critical Role in Privacy

In a blog post for Tech@FTC, Nithan Sannappa of the FTC’s Division of Privacy and Identity Protection discusses privacy and security in mobile computing—specifically, the “principle of least privilege” and “sandboxing.” Sandboxing, Sannappa writes, “is an implementation of the principle of least privilege,” which recommends “every program and every user of the system should operate using the least set of privileges necessary to complete the job.” While most mobile operating systems feature sandboxing, the approach varies based on application programming interface (API) design. “Decisions about how to design APIs … play a critical role” in user privacy and security, Sannappa writes. [Source]
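To make the point about API design concrete, here is an added example (not code from the FTC post or from any mobile platform) contrasting two hypothetical ways a sandboxed app could be given access to a contact store: a coarse install-time grant versus a picker-style API that hands the app only the entries the user chose. The contact data and all names are constructed for the example.

```python
"""Least privilege through API shape: the same app job, two API designs.

Everything here is hypothetical; the contact store is constructed sample data.
"""
from dataclasses import dataclass, field


# Constructed stand-in for a device's contact store (outside the sandbox).
CONTACTS = {
    "c1": {"name": "Ada", "phone": "555-0101"},
    "c2": {"name": "Grace", "phone": "555-0102"},
    "c3": {"name": "Linus", "phone": "555-0103"},
}


class PermissionDenied(Exception):
    """Raised when a sandboxed app reads a contact it was never granted."""


@dataclass
class Sandbox:
    """The privilege boundary around one app.

    The platform enforces every read against `granted_ids`, and records each
    attempt so a defender can see what the app actually tried to touch.
    """
    app: str
    granted_ids: set = field(default_factory=set)
    audit: list = field(default_factory=list)

    def read_contact(self, contact_id: str) -> dict:
        self.audit.append((self.app, contact_id, contact_id in self.granted_ids))
        if contact_id not in self.granted_ids:
            raise PermissionDenied(f"{self.app} may not read {contact_id}")
        return dict(CONTACTS[contact_id])


# Design A: coarse-grained permission. A single install-time "allow" grants
# the entire store, so the app holds far more privilege than its job needs.
def grant_all_contacts(sandbox: Sandbox) -> None:
    sandbox.granted_ids.update(CONTACTS)


# Design B: picker-style API. The chooser UI runs outside the sandbox; the app
# only ever receives the ids the user selected, and nothing else is readable.
def user_picks_contacts(sandbox: Sandbox, chosen_ids) -> None:
    sandbox.granted_ids.update(i for i in chosen_ids if i in CONTACTS)


def app_fetch_number(sandbox: Sandbox, contact_id: str) -> str:
    """The app's actual job: look up one phone number the user chose."""
    return sandbox.read_contact(contact_id)["phone"]


def privilege_excess(sandbox: Sandbox, needed_ids) -> int:
    """How many contacts the app can read beyond what its job requires."""
    return len(sandbox.granted_ids - set(needed_ids))


def demo_design(design: str, contact_id: str = "c2") -> tuple:
    """Run one design end to end; returns (number, excess, denied_read_count)."""
    sb = Sandbox(app="dialer")
    if design == "coarse":
        grant_all_contacts(sb)
    else:
        user_picks_contacts(sb, [contact_id])
    number = app_fetch_number(sb, contact_id)
    # The app then tries to read every other contact as well.
    denied = 0
    for other in CONTACTS:
        if other == contact_id:
            continue
        try:
            sb.read_contact(other)
        except PermissionDenied:
            denied += 1
    return number, privilege_excess(sb, [contact_id]), denied


if __name__ == "__main__":
    for design in ("coarse", "picker"):
        print(design, demo_design(design))
```

Under the coarse design the audit trail shows every extra read succeeding; under the picker design the same reads are denied and logged, which is the difference the post attributes to API design.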

WW – Wave of Privacy-Enhancing Start-Ups Fail To Deliver

Violet Blue examines a wave of start-ups, their move to raise money from investors interested in privacy-enhancing technology (PET) and, to date, their failure to deliver those promises. The list includes Anonabox, which promised to put TOR in a router, raising $82,643 before being ejected from Kickstarter; iGuardian (now SHIELD), raising $174,382 without delivering as of yet; Webcloak, and LogMeOnce. “Despite debunkings,” Blue writes, “these ‘magic box’ charlatans keep coming; people keep funding them, and crowdfunding sites don’t seem well-equipped to stop them.” To pile on, a slew of “green” security reporters “are easily duped” into believing such PETs claims. Blue concludes by providing a cheat sheet for nontechnical individuals who come across others making bold PET claims. [ZDNet]

US – Wickr Announces Privacy Initiative

Online private-messaging service Wickr has announced it is splitting in two. Mark Fields will take over as chief executive of the for-profit wing, allowing Wickr Cofounder Nico Sell to lead its new nonprofit initiative. The Wickr Foundation aims to promote privacy and share online communication best practices with teenagers, dissidents, journalists and human rights activists. Fields said he plans to bring Wickr’s core technology to more businesses, the report states.

US – Judge Says Airport Laptop Search “Unreasonable”

A US federal judge in the District of Columbia has ruled that a laptop search conducted at Los Angeles International Airport violated the laptop owner’s constitutional privacy protections. The ruling allows the defendant, a South Korean businessman, to suppress evidence collected from his computer. He has been accused of selling aircraft parts to Iran. [Ars Technica] [ZDNet]

US – AVG Acquires Privax

AVG Technologies has acquired Privax, which currently has 250,000 paying subscribers who use its encrypted VPN service. AVG CEO Gary Kovacs said, “With this acquisition, we will immediately be able to provide new and innovative privacy and security services to hundreds of millions of users worldwide.” [Full Story]

US – SEC Publishes Cybersecurity Guidance

The Securities and Exchange Commission (SEC) Division of Investment Management has published a guidance update setting forth cybersecurity concerns and advice for the investment companies and advisers it regulates. The SEC specifically suggests conducting a periodic assessment of the nature, sensitivity and location of information collected and the security controls and processes in place, and recommends creating and implementing a comprehensive strategy to prevent, detect and respond to cybersecurity threats, the report states, noting the strategy could include data encryption, an incident-response plan and data backup and retrieval. The SEC recommends implementing the cybersecurity strategy “through written policies and procedures and training programs,” the report states. [JD Supra]

Remote Identification

WW – Vehicle “Fitness Tracker” Start-Up Raises $5 Million

Automile, a Swedish start-up that offers a device and platform that connects users’ cars to the cloud, has closed a $5 million Series A round. “The device itself features GPS for location tracking and GSM for data connectivity, which is included as part of the service’s subscription fee,” the report states. It’s kind of like a fitness tracker for your car, the report states, allowing users to track mileage and fuel consumption or spot potential mechanical issues. The company plans to offer an application programming interface so third-party developers can develop new applications “in the areas of fleet management, logistics, insurance or in entirely new markets,” the report states. [TechCrunch]

Security

US – DHS Certifies First SAFETY Act Cyber Product

The U.S. Department of Homeland Security (DHS) has certified the first-ever cybersecurity products under the SAFETY Act. The post-9/11 program offers certain liability protection to organizations that use approved cybersecurity products to defend their data. In its move, the DHS certified FireEye’s Multi-Vector Virtual Execution engine and Dynamic Threat Intelligence platform, meaning that companies using these products will be protected from lawsuits and other claims that they failed to prevent cyberterrorism. FireEye CEO David DeWalt said, “FireEye is proud to earn this first-ever SAFETY Act certification in the cybersecurity space, bringing a new level of liability protection for our customers.” [The Hill]

Smart Cards

US – Orgs Sign On to IBM’s Threat Exchange Network

IBM has announced that more than 1,000 organizations across 16 industries are participating in its X-Force Exchange threat intelligence network. The network was launched a month ago and provides open access to historical and real-time data feeds of threat intelligence in an effort to thwart cybercrime. [Full Story]

WW – EMV Cards Making Way into U.S. Market, Concerns Remain

In the wake of massive data breaches affecting major retailers, the move to credit cards with chips using so-called EMV technology is underway, but, unlike Europe, many EMV-enabled cards in the U.S. are chip-and-signature cards instead of the more secure chip-and-PIN cards. A representative from Visa said the majority of card issuers in the U.S. are opting for the more familiar signature verification step for now “to keep the consumer experience as consistent as possible.” However, the use of signature over PIN is frustrating a number of retailers and other merchants. The National Retail Federation’s Mallory Duncan said, “It means that merchants will be spending billions of dollars and see they get very little benefit from this investment.” Significantly, a new Ponemon study reveals that a majority in the payment ecosystem don’t believe the switch to chip-and-PIN will improve consumer data security. [The Washington Post]

Surveillance

US – N.S.A. Collection of Bulk Call Data Is Ruled Illegal

In a 97-page ruling, a three-judge panel for the United States Court of Appeals for the Second Circuit held that a provision of the U.S.A. Patriot Act, known as Section 215, cannot be legitimately interpreted to allow the bulk collection of domestic calling records. The provision of the act used to justify the bulk data program is to expire June 1, and the ruling is certain to increase tension that has been building in Congress. [New York Times] [WashPost: NSA Program on Phone Records Is Illegal, Court Rules] [US – N.S.A. Ruling Divides Republican Candidates] [Jim Harper – The Implications of Court’s NSA Ruling Assessing Order Declaring NSA Bulk Collection Program Illegal] [Wired: Court Rules NSA Bulk Data Collection Was Never Authorized by Congress] …perhaps the most important message the unanimous decision sends is a simple one: Congress could not have intended to approve a program whose true scope almost no one outside the National Security Agency fully comprehended — that is, until Edward Snowden leaked its details to the world. …In fighting this lawsuit, brought by the ACLU immediately after the Snowden leaks, the government argued that Congress was apparently fine with this alarmingly broad interpretation. The problem, as Judge Gerard Lynch of the Second Circuit Court of Appeals rightly pointed out in his 97-page opinion, is that “it is a far stretch to say that Congress was aware” of what the intelligence court was doing. To the contrary, Judge Lynch wrote, “knowledge of the program was intentionally kept to a minimum, both within Congress and among the public,” and there was “no opportunity for broad discussion” about whether the court’s interpretation was correct.
Allowing the government to define “relevant” so loosely, he said, “would be an unprecedented contraction of the privacy expectations of all Americans.” [New York Times: The Illegal Phone-Data Sweeps] Court Ruling on N.S.A.’s Data Collection Jolts Both Defenders and Reformers …the Senate’s most ardent civil libertarians say that legislation has now been supplanted by the court’s ruling. Mr. Paul said Friday that he would press to ban the collection of phone records altogether. And Senator Ron Wyden, Democrat of Oregon, said he would filibuster efforts by Mr. McConnell to extend the government’s current collection authority beyond its May 31 expiration. …”I will filibuster any effort to have a short-term extension of the Patriot Act if there are not major reforms, specifically getting rid of the federal human relations database, also known as bulk phone records collection,” Mr. Wyden said Friday. “I believe I can also find other members to join me in it.” [NYTimes] Is the NSA’s Big Data Program Authorized? Key Quotes from a Major Court Ruling “We conclude that to allow the government to collect phone records only because they may become relevant to a possible authorized investigation in the future fails even the permissive ‘relevance’ test. Just as ‘the grand jury’s subpoena power is not unlimited, § 215’s power cannot be interpreted in a way that defies any meaningful limit. Put another way, we agree with appellants that the government’s argument is ‘irreconcilable with the statute’s plain text.’ Such a monumental shift in our approach to combating terrorism requires a clearer signal from Congress than a recycling of oft‐used language long held in similar contexts to mean something far narrower.” [Source]

US – Skynet: NSA’s Surveillance Program Analyses Phone Records

Another top secret presentation from June 2012 explains that Skynet works by analysing the target’s travel patterns – including which locations they have visited in a given timeframe and how often they have returned to the location. The program also analyses the target’s behaviour, based on how they use their mobile phone, and attributes such as swapping SIM cards and handsets repeatedly, as well as constantly turning the phone off, are flagged up in the system. Skynet also analyses data collected by the NSA into people around the target who might be travelling with them or have similar travel plans, as well as whether they have contacts in common. [Source] [It’s Time to End Orwellian Surveillance of Every American] [“Skynet” is real, and it could flag you as a terrorist: If you visit airports or swap SIM cards often, you might be flagged by “Skynet”]

US – FAA Teams With Private Companies on Drone Tests

The Federal Aviation Administration (FAA) and three private companies announced plans to test an undisclosed number of commercial drones. Teaming up with CNN, PrecisionHawk and BNSF Railroad, the FAA will test drones while they gather news, survey crops and inspect railroads. “There will be a host of beneficial uses of drones that will benefit the public tremendously,” said the Center for Democracy & Technology’s Harley Geiger. “But with the pace of the technology’s improvement, it’s important to establish privacy rules now.” In February, the FAA said privacy was “beyond the scope” of its role as safety regulator. [BuzzFeed] [Drone, Data X: FAA Aims to Finalize Rules in Less Than 16 Months]

US – Researchers Find Android Apps Sharing Tracking Data

A security team has found that thousands of free Android apps are sharing user data by connecting with advertising and tracking sites without users’ knowledge. As detailed in a report from MIT Technology Review, Luigi Vigneri and his team created an automatic method to scan apps and used more than 2,000 free Android apps in their research. In some cases, a single app connected to 2,000 unique URLs, the report states. The team reportedly has a potential solution on the way called NoSuchApp that will monitor which URLs Android apps could be sharing tracking data with, the report states. [Slash Gear]

US – Drone Use Prompts Thorny Legal Questions on Airspace Ownership

Murky questions exist around commercial airspace and jurisdiction as unmanned aerial vehicle (UAV) use continues to rise. State and local police say complaints by citizens are soaring. International Association of Chiefs of Police President Richard Beary said, “We’ve never been responsible for airspace before. We understand the ground game; now all of a sudden you want state and local police to regulate airspace?” Plus, UAVs are flooding airspace below 500 feet, prompting privacy concerns. One Massachusetts town is declaring that property owners control the airspace 500 feet above their properties, citing a 1946 Supreme Court decision. The case—where does “navigable airspace” begin and property ownership end—now poses a dilemma for regulators and the UAV industry. [The Wall Street Journal]

CN – Chinese Drone Maker Becoming Global Industry Leader

Accel Partners has invested $75 million in Chinese drone developer DJI, helping make it “one of the leaders in the burgeoning civilian market for drones.” The investment comes amidst struggles to regulate unmanned aerial vehicles, particularly for safety and privacy reasons. Accel Partner Sameer Gandhi said, “The size of our investment really shows how big we think the opportunity can become … For one of the first times, you’re seeing an international company, a Chinese company, being the innovator and frankly leapfrogging all activity in other parts of the world and truly being the company everyone is chasing from an innovation point of view.” According to Forbes, DJI is on track to exceed $1 billion in sales this year alone. [New York Times]

Telecom / TV

US – Court Reverses Landmark Cell-Phone Privacy Decision

A U.S. Circuit court has reversed a landmark privacy decision. Last year, the court ruled against the government in a case involving Quartavious Davis, whose cell phone was tracked by police as he went on a crime spree. But in a decision published Tuesday, a panel of 11th Circuit Court judges overturned the ruling in U.S. v. Davis. The new ruling says that because Davis’s phone location data wasn’t his property but that of the phone carrier, he had no expectation of privacy and the police who were tracking him didn’t need a warrant. “It’s a huge setback as compared to the decision it vacated,” said one law professor. [Wired]

US – Appeals Court Overturns Privacy Win in Phone-Tracking Case

Two judges disagreed with the majority on the constitutional question, including Judge Beverly B. Martin who wrote a dissenting opinion arguing that the Fourth Amendment required the government to get a warrant before accessing the cell site location data. “The judiciary must not allow the ubiquity of technology—which threatens to cause greater and greater intrusions into our private lives—to erode our constitutional protections,” she wrote. [Source]

US – Court’s Reversal Leaves Phones Open to Warrantless Tracking

The 11th Circuit’s reversal in Davis leaves the question of warrantless phone tracking in limbo. Several state courts have ruled that the practice is unconstitutional, including those of Massachusetts, New Jersey and Florida, while some higher courts now seem to allow it. “It’s a hodgepodge,” says Electronic Frontier Foundation civil liberties lawyer Hanni Fakhoury. “What does all this mean for someone who lives in Florida? One court has said yes and one has said no. That’s problematic.” [Wired]

US – DOJ Reviewing Use of Stingrays, Aiming for More Transparency

The Department of Justice (DOJ) has begun a review of the secretive use of Stingrays, or cell-phone surveillance technology that mimics cell-phone towers. Stingrays trick mobile phones into believing they are communicating with legitimate cell-phone towers while harvesting data from the phones including identity, location and phone content, the report states. The FBI for years used the technology without warrants. But senior government officials have said they want to be more open about the surveillance, though the DOJ hasn’t revealed what that will look like yet in terms of how little or how much it shares. [PCWorld] [ComputerWorld] [SC Magazine] [Ars Technica]

US – Trade Groups: FCC Reclassification Unfair for Broadband Providers

A coalition of industry trade groups argues in court papers that the FCC’s move to reclassify broadband as a utility will place “immense burdens and costs” on Internet service providers. “The order represents a sharp about-face in which a federal agency … has arrogated to itself breathtaking authority over the most transformative technology in living memory,” stated the coalition, which includes the USTelecom Association, CTIA-The Wireless Association, the Wireless Internet Service Providers Association, the American Cable Association, the National Cable & Telecommunications Association, AT&T and CenturyLink. “It has done so by subjecting broadband Internet access service to a regime that was originally designed, not for the era of social networking and streaming video but for 19th century railroads.” [MediaPost]

US Government Programs

US – Federal Court Rules NSA Bulk Surveillance Illegal

The Court of Appeals for the Second Circuit ruled today that the bulk collection of phone metadata by the NSA is illegal. Instead of looking at the constitutionality of the program, the court ruled it went beyond the scope of what Congress intended when it passed the USA PATRIOT Act. The 97-page ruling concluded that a provision of the law allowing the Federal Bureau of Investigation to collect business records relevant to combating terrorism cannot legitimately lead to bulk surveillance of domestic phone records, the report states. “We do so comfortably in the full understanding that if Congress chooses to authorize such a far-reaching and unprecedented program, it has every opportunity to do so and to do so unambiguously,” the judges wrote. [The New York Times] Appeals Court Rules NSA Data Collection Not Authorized by Patriot Act: A US Federal Appeals Court has found the NSA’s wholesale collection of cellphone communication metadata to be illegal. The court did not address the constitutionality of the practice, but instead said that the scope of the operation exceeds what Congress authorized in section 215 of the Patriot Act, which was passed in the wake of the September 11, 2001 attacks. The original case was brought by the American Civil Liberties Union (ACLU) and was dismissed by a lower court in 2013. [Wired] [Ars Technica] [Ars Technica]

NSA Bulk Surveillance Program Likely Heading to SCOTUS

The recent Second Circuit Court of Appeals ruling that the NSA bulk phone records collection program is illegal “raised constitutional questions likely to be answered by the Supreme Court.” The ACLU’s Patrick Toomey said, “Given the amount of metadata that Americans create everyday … I think it’s very likely that the status of the third-party doctrine ends up before the Supreme Court again sometime soon, whether through one of these cases or another.” National Whistleblowers Center Executive Director Stephen Kohn said Thursday’s NSA decision justified the actions of Edward Snowden and highlighted “the importance of whistleblowing.” Meanwhile, a column in TIME describes the ruling as “a victory for privacy.” [The Hill]

US – Cybercriminals Targeting Healthcare Data

According to a new study on Privacy and Security of Healthcare Data, criminal attacks have now passed insider negligence as the main cause of data loss and theft in the healthcare industry, which is not well prepared. With “some exceptions, … healthcare providers either lack the resources, staff, or technical innovations to meet the changing cyber-threat environment.” Half of the healthcare organizations surveyed said they had “little or no confidence” that they would be able to detect every data loss or theft. And nearly two-thirds of healthcare providers and affiliated businesses offer no protection services for patients whose data are stolen. [Dark Reading] [NBC News]

US – What You Need to Know About Educational Software

Research released in January shows that educational applications are the second most popular category in the Apple App Store, comprising just over 10% of all app downloads. This indicates a tremendous interest in learning applications across a wide, technically savvy—and growing—demographic. But a lack of regulations and guidelines means privacy isn’t always a priority. “The topic will likely take its place as a top-level priority this year as parents, educators and administrators take greater notice of the potential issues coming down the road,” Goodman writes. [The Privacy Advisor]

US Legislation

US – House Passes USA Freedom Act to Curb NSA Spying

Civil liberties groups like the Electronic Frontier Foundation and others are divided in their support of the bill. Many say it’s better than nothing, but hope that the Senate will add wording to strengthen protections before passage. EFF had supported the legislation until last week when a federal appeals court ruled that the bulk collection of phone data is illegal. In that decision, the Second Circuit Court of Appeals found that the collection of Americans’ phone metadata was never authorized by Section 215 of the Patriot Act, as the intelligence community had insisted. EFF has now said that the ruling should embolden the Senate to roll back the bill to a previous 2013 version that provides stronger reforms. [Wired]

US – McCaul: USA PATRIOT Act Will Get Privacy Protections

House Homeland Security Chairman Mike McCaul (R-TX) says the USA PATRIOT Act, set to expire June 1, will be renewed by Congress with more privacy protections. The act would “stop metadata collection by the National Security Agency … and put it back in the hands of telephone carriers,” the report states. “I think that’s where you’re going to see Congress headed towards, and the courts have certainly gone in that direction,” said McCaul. Meanwhile, following the court ruling last week declaring the practice illegal, Senate Intelligence Committee Chairman Richard Burr (R-NC) has defended the federal government’s bulk phone-record collection, saying it’s “very effective at keeping America safe.” [Newsmax]

US – Legislators Introduce Bill to Protect Student Privacy

After a 2013 Fordham University study revealed that nearly 95% of schools were employing cloud services to manage students’ data, legislators are attempting to ensure its protection. The Hatch-Markey Bill aims to force the hand of educational institutions to not only alert students and their families that their data is being handled by third parties, but also prohibit schools from selling said data as, per the Fordham study, only 7% of universities take these steps themselves. “Data analysis holds promise for increasing student achievement, but it also holds peril from a privacy perspective. A child’s educational record should not be sold as a product on the open market,” said Sen. Ed Markey (D-MA). [The Hill]

US – Senators Introduce Drone Bill

Two senators have introduced a bill that aims to establish temporary rules to regulate and manage the nascent commercial drone industry, Forbes reports. Sen. Cory Booker (D-NJ) and Sen. John Hoeven (R-ND) introduced the Commercial UAS Modernization Act, which would set guidelines for unmanned aircraft systems. Commercial use of such aircraft is currently banned by the Federal Aviation Administration, though businesses may apply for exemptions to operate UAS on a case-by-case basis. Booker said he introduced the bill to prevent the U.S. from falling behind other countries because of a lack of rules. [Source]

US – Illinois Data Breach Bill Opposed by Ad Industry

New state data breach legislation in Illinois is being opposed by the ad industry. In a letter to state lawmakers, the Association of National Advertisers, together with other groups—including the Direct Marketing Association, Interactive Advertising Bureau, American Advertising Federation, American Association of Advertising Agencies, Acxiom and Epsilon—said that Illinois Senate Bill 1833 would create “unnecessary compliance burdens” for businesses. The proposed legislation would require businesses to notify customers if a breach exposed financial and geolocation data. The bill has already passed the state senate and will be taken up by a house committee on Wednesday. Illinois Attorney General Lisa Madigan backs the proposed legislation. [MediaPost]

US – Washington Limits Stingray Surveillance in Unanimous ‘Pro-Privacy’ Law

Governor Jay Inslee, a Democrat, added his signature to HB 1440 this week, enacting a law that, effective immediately, requires police officers to obtain search warrants before deploying “cell site simulators,” devices that mimic the behavior of mobile phone towers. [RT.com]

US – Georgia Passes Student Data Privacy, Accessibility and Transparency Act

Pundits are calling the state’s new student data privacy law the most comprehensive in the nation. The state is required by the act to develop a data security plan that will keep student data as safe as possible. Technology vendors working with schools will be required to develop security procedures and prohibited from selling personal information about students to advertisers or anyone else. [GovTech]

US – Other Privacy Legislation

  • The White House has given its support to a bill proposed by Reps. Luke Messer (R-IN) and Jared Polis (D-CO). The Student Digital Privacy and Parental Rights Act “would bar school technology vendors from selling student information to third parties or from creating student profiles for noneducational purposes.”
  • Oman’s draft information protection law seeks to “make it mandatory for government and private institutions to take necessary steps to protect data they collect about citizens and individuals for official and other purposes.”

Workplace Privacy

US – Woman Fired for Turning Off 24-hour Tracking App

A California woman has filed a lawsuit claiming she was fired for turning off a tracking app installed on her employer-issued iPhone. Myrna Arias said she was fired shortly after she told her boss she was turning off the Xora app that she and her coworkers were required to use. Arias said her boss “admitted that employees would be monitored while off duty and bragged that he knew how fast she was driving at specific moments ever since she installed the app on her phone.” Arias said it was an invasion of her privacy during off hours, likening it “to a prisoner’s ankle bracelet,” the suit states. Arias now seeks $500,000 for invasion of privacy, retaliation and unfair business practices, among other claims. [Ars Technica]

+++

01-15 March 2015

Biometrics

US – Facial-Recognition Software Raises Privacy Concerns

New software is being implemented by Rutgers University for students taking an online course to track students’ facial identity, photo ID and browser activity. The ProctorTrack software suite records face, knuckle and personal identification details during the online courses and “keeps track of all activity in the monitor, browser, webcam and microphone” during each session. [The Daily Targum]

US – Privacy Advocates Launch Petition Against Voice-Activated Barbie

Children’s privacy advocacy organizations are trying to stop the production and release of a new voice-activated Barbie doll. The Internet-connected “Hello Barbie” can record and analyze speech and “listen and learn each girl’s preferences and then adapt to those accordingly.” The Campaign for a Commercial-Free Childhood has launched a petition to prevent the doll from hitting stores. “If I had a young child, I would be very concerned that my child’s intimate conversations with her doll were being recorded and analyzed,” said Angela Campbell, adding, “In Mattel’s demo, Barbie asks many questions that would elicit a great deal of information about a child, her interests and her family.” [The Washington Post]

Big Data

EU – Report: Privacy is a Global Issue of Economic Justice

Data Justice has issued a new report indicating companies’ control of personal information “is not just an issue of privacy but is becoming a critical issue of economic justice.” Data Justice Director Nathan Newman writes, “This steady loss of data by individuals into the hands of increasingly centralized corporate hands is helping drive a large portion of the economic inequality that has become central to the political debate in our nation.” The report proposes steps “to making big data work for everyone”—including requiring explicit consent and better informing users of how data is being used and how companies profit from it. [Huffington Post]

US – Universities Form Alliance to Manage Big Data

Aiming to better manage big data in healthcare, the University of Pittsburgh Medical Center, the University of Pittsburgh and Carnegie Mellon University have teamed up to form the Pittsburgh Health Data Alliance. The three organizations are hoping to integrate data from electronic health records, wearables, diagnostic imaging and other sources more seamlessly. Through the Pittsburgh Health Data Alliance, “the three institutions also hope to create and advance technologies around ‘data-heavy’ healthcare innovation, perhaps resulting in spin-off companies that could boost economic activity around the burgeoning data and digital health sectors.” [MedCity]

US – Interview: White House’s First Chief Data Scientist

The White House has named former PayPal and eBay executive DJ Patil as the nation’s first chief data scientist. As well as helping the government make the most of the data it holds, Patil said the government’s role includes making sure data is used properly and helping citizens get access to data. He described his office’s purpose as ensuring “responsible use of data for the good of all citizens.” Patil’s immediate projects include analyzing the ways people use government websites and Precision Medicine, a longitudinal health study that aims to find patterns between lifestyle factors and genetic predispositions. [The Wall Street Journal] [Big Data: A Brief(ish) History Everyone Should Read] [Big Data’s Dark Side]

Canada

CA – Canada’s “AntiTerrorism” Bill C-51

A Legal Primer: Expands the Powers of Canada’s Spy Agency, Allows Arrest on Mere Suspicion. Overly broad and unnecessary anti-terrorism reforms could criminalize free speech. Bill C-51, the Anti-Terrorism Act, 2015, would expand the powers of Canada’s spy agency, allow Canadians to be arrested on mere suspicion of future criminal activity, allow the Minister of Public Safety to add Canadians to a “no-fly list” with illusory rights of judicial review, and, perhaps most alarmingly, create a new speech-related criminal offence of “promoting” or “advocating” terrorism. These proposed laws are misguided, and many of them are likely also unconstitutional. The bill ought to be rejected as a whole. Repair is impossible. [Source]

SEE ALSO:

  • [Bill C-51 for Dummies: What you should know: Explaining the Tories’ controversial anti-terror legislation: Canada’s privacy commissioner Daniel Therrien has warned, in particular, about the information-sharing aspect of C-51. Therrien won’t be appearing in front of the House of Commons committee that is currently studying the bill, although both the NDP and Liberals requested that he do so.]
  • [Proposed CSIS powers a ‘constitutional mess,’ former watchdog warns: New anti-terror bill comes under heavy criticism during opening round of testimony. Ron Atkey, who served as the first chair of the Security Intelligence Review Committee (SIRC), warned that provisions allowing CSIS agents to ask the federal court to authorize activities that could breach charter rights will almost certainly be struck down by the courts.]
  • [Bill C-51: Privacy watchdog Daniel Therrien blocked from committee witness list: Conservatives rebuff NDP attempt to add privacy commissioner to committee witness panel. Privacy Commissioner Daniel Therrien provided a written submission to the Commons committee reviewing the new anti-terrorism legislation, but efforts to add him to the witness list were blocked by Conservative committee members.]
  • [First Nations vow legal challenge of anti-terror bill: “We want the whole bill gone,” AFN National Chief Perry Bellegarde told reporters after testifying at a turbulent House of Commons committee on the proposed omnibus bill, which would give extraordinary powers to federal spies, government departments and the RCMP to thwart national security threats. The authorization to launch a Supreme Court challenge would first need the permission of AFN chiefs.]
  • [Aboriginal leaders fear anti-terror bill gives licence to target them as ‘terrorists in our own territories’: “We don’t want to be labelled as terrorists in our own territories, our own homelands, for standing up to protect the land and waters,” Assembly of First Nations national chief Perry Bellegarde told the House of Commons public safety committee. Public Safety Minister Steven Blaney told the committee earlier this week such concerns were ridiculous, saying the legislation is not intended to capture minor violations committed during legitimate protests.]
  • [Bill C-51: Blaney, MacKay questioned on anti-terror bill fine print: Justice Minister Peter MacKay, RCMP commissioner and CSIS director appear before committee. During his opening statement, Blaney highlighted the “key misconceptions” that he said had been put forward by members of the opposition and “so-called experts”: the claim that “legitimate protest” could be treated as potential terrorist threats, which he called “completely false, and frankly ridiculous.” …Before witness testimony got underway, Garrison tried to get unanimous consent from his committee colleagues to sit for an extra hour in order to hear from Privacy Commissioner Daniel Therrien, but that consent was denied.]
  • [Borders are “no-privacy” zones: Many do not know how few rights exist in that area. Others wish the courts would clarify that picture. As reported in Canadian news sources, Quebec resident Alain Philippon found all this out first hand when he recently refused to provide the password for his cell phone to airport border agents during an inspection in Halifax. He was returning from time spent in the Dominican Republic.]
  • [Man arrested for refusing to give his phone’s passcode to border agents: Right now, Canadian laws don’t treat cellphones or smartphones any differently from other goods, so they are subject to examination. The Supreme Court of Canada also says police can try to crack one’s passcode, but a person has no obligation to give up their password to police, under the charter right to silence.]
  • [Speaking against Bill C-51: “We are deeply concerned that (Security of Canada Information Sharing Act) SCISA would permit the sharing of personal information of individuals who have participated in lawful, peaceful demonstrations like the large-scale protests against investment in apartheid-era South Africa and the incarceration of Nelson Mandela,” the letter states. “The historic peaceful protests in support of nuclear disarmament would also almost certainly have been caught as well.”]
  • [Anti-Terrorism Act threatens privacy rights: Editorial – The new Anti-Terrorism Act gives the Canadian Security Intelligence Service and 16 other federal departments and agencies “excessive” power to share “unprecedented” amounts of personal information, the privacy commissioner warns.]
  • [Officials flag federal anti-terror bill: Privacy commissioners, ombudsmen unite in labelling it ‘far-reaching’: “There needs to be better balance in this bill,” acting Manitoba ombudsman Mel Holley said. “When we look at this new bill, we say it goes too far, the definitions are too broad, the powers are sweeping, and the oversight is lacking. There’s always this debate about the balance between privacy and security. Well, we don’t recall being at the debate. It doesn’t matter if you’re in Montreal or Morris, this affects all of us.”]
  • [Anti-terror bill powers ‘excessive,’ Canada’s Privacy Commissioner says: “The end result is that national security agencies would potentially be aware of all interactions that all Canadians have with their government. That would include, for example, a person’s tax information and details about a person’s business and vacation travel,” Mr. Therrien said. Bill C-51 would beef up the powers of the Canadian Security Intelligence Service, criminalize the promotion of terrorism and provide the RCMP with new powers of preventative arrest. But the Privacy Commissioner is decrying the fact that 14 of the 17 federal agencies that are receiving “limitless” powers under C-51 are “not subject to independent oversight.”]
  • [Privacy Commissioner Slams Bill C-51: Canadians are ‘concerned with the issue of government surveillance,’ Therrien says. The privacy commissioner also expressed concern that the bill permits various government departments, approximately 17, to share information about Canadians, based simply on “relevance” rather than necessity. As an example, he writes, tax information that has traditionally been highly protected could be widely shared with other government departments. And, if it turns out that sharing such information was inappropriate, there’s no recourse for Canadians.]
  • [All Canadians would be trapped in anti-terror legislation’s ‘web’, warns privacy commissioner: The commissioner also called for a limit on how long personal information can be retained by departments, urged formal written agreements between departments, and asked that the government build in some type of independent oversight measures to ensure departments are treating personal information properly. He also said the government should include a mandatory review of the bill after three years, which has been the standard practice for other national security legislation.]
  • [Daniel Therrien: Bill C-51 Means Trouble Without Big Changes: The bill would provide 17 federal government agencies with almost limitless powers to monitor and profile ordinary Canadians, with a view to identifying security threats among them. The end result is that national security agencies would potentially be aware of all interactions all Canadians have with their government. That would include, for example, a person’s tax information and details about a person’s business and vacation travel.]
  • [Daniel Therrien: Submission to PSNS Committee on C-51]
  • [Christy Clark says we could ‘regret’ giving away personal freedoms in Bill C-51: “We should be very careful in Canada, in a country where so many people have sacrificed their lives to preserve our freedoms, to make sure that we aren’t — in the effort to protect ourselves against unknown threats – really diminishing our personal freedoms. …We will regret that forever. When you give up personal freedoms, it’s very hard to get them back.” — B.C. Premier Christy Clark.]
  • [Privacy lawyer warns against flying with ‘intimate information’: Alain Philippon case raises concerns about how far border guards can go. Border agents have the right to look through an individual’s computer or cellphone, or demand a password, as that power has yet to be constitutionally tested. Fraser says if you deal with private records professionally, it’s best to wipe your devices clean before you hit customs.]
  • [Profs Roach and Forcese & their swift assault on C-51: Kent Roach and Craig Forcese just happened to be on sabbatical when the PM announced his Anti-Terrorism Act. They set up a website, under the stolid banner “Canada’s Antiterrorism Act: An Assessment,” on which they have posted a series of devastatingly comprehensive critiques of the bill—tackling everything from how it would chill free speech, to how it would undermine privacy, to how it puts judges in the unprecedented position of authorizing Charter of Rights and Freedoms violations by Canada’s spy agency. Their fine-grained commentaries now form the intellectual core of what’s emerged as surprisingly vigorous push-back against the Anti-Terrorism Act. Expect to see them cited again and again when the House public safety committee begins hearings into the bill on March 9. Roach and Forcese are slated to be called to testify. The committee won’t hear from anybody more steeped in the subject at hand.]
  • [Canada’s Terrifying Anti-Terror Bill: Spooks Need a Tighter Leash, Not C-51’s Fresh Powers: If Canada’s security agencies are already overstepping their bounds, the extension of CSIS powers to include the “disruption” of terrorist activity, C-51’s extremely broad definition of terrorism, and preventative imprisonment when a subject “may” engage in terrorism, is nothing short of frightening. The complaints have come piling in, including from four former prime ministers. The latest plea to scrap C-51 comes from 100 law professors nationwide, with their 4,000-word text covering “some, and only some” of the serious flaws in the bill. The letter notes that the bill opens the door for the stifling of protests and other forms of legitimate dissent.]
  • [Colin Bennett: C-51 and no fly-lists — they will get longer: …the Secure Air Travel Act codifies what may seem like a deceptively simple idea to strangle the ability of terrorists, and those who support terrorists, from travelling by air. On the other hand, the list is going to get longer; it is going to be shared with more public and private agencies (domestic and foreign); the chances of the capture of erroneous, incomplete or obsolete information will be multiplied; the number of false-positive hits is likely to increase; and the process for innocents to seek removal and redress is likely to become more lengthy, costly and onerous.]
  • [Colin Kenny: What real intelligence oversight would look like: Efforts to increase national security accountability of CSIS must include the re-establishment of its Inspector General. The Harper government shut this organization down in 2012, arguing that its mandate overlapped with that of SIRC, even though both bodies were specifically designed to look at CSIS in different ways: SIRC held the role of after-the-fact, civilian review that reported to Parliament, while the Inspector General performed an internal oversight function that reported to the Minister of National Defence. Unlike the members of SIRC, Inspectors General had decades of experience working in Canada’s security and intelligence community. They had the background, access and mandate to provide as close to real-time oversight of the spy agency as is possible in a Westminster system.]
  • [Chill sets in over anti-terror laws: Filmmaker concerned he’ll be labelled terrorist: “Just me posting some of my ideas for this drama series would be enough for them to throw me in jail and not charge me until they determine they’ve taught me a lesson, and perhaps even try to dissuade me from producing the series,” Torrie said. “Literally freedom of speech, of expression is at stake here.” The new law says it can apply to someone who purposely tells someone else to commit terrorism but also to someone whose comments might lead someone to do so, regardless of whether that was the intention, and regardless of whether the comments result in a terrorist activity. It is punishable by up to five years in prison.]
  • [Why experts say Bill C-51 will spawn spy scandals]
  • [The Conservatives insist accountability will be improved through the need for judicial warrants to exercise new CSIS powers. The paper points out that the only circumstance in which the bill clearly requires a court-approved warrant is when CSIS will contravene the Charter of Rights and Freedoms or other Canadian law. “As with its existing surveillance powers, a substantial amount of CSIS activity that falls short of the warrant ‘trigger’ will never be pre-authorized by a judge,” it says, adding this is especially true when it comes to international operations, where Canadian law generally doesn’t apply.]
  • [Libertarian Party of Canada on Bill C-51]
  • [Canada’s controversial anti-cyberbullying law, Bill C-13, is now in effect]

CA – Mounties Stonewalled Request for Warrantless Data

The internal memorandum cites specific problems with the RCMP evidence, acknowledging “problems with the reliability of data were also provided by way of interviews with senior officials.” The details of those interviews are redacted, however, the memorandum states, “from these discussions we also found that statistics for warrantless access are inaccurate because of lack of reporting, multiple reporting or overlapping reporting.” The conclusion leaves little doubt about the problems the auditors encountered. It goes far further than the publicly released report, noting that “based on our review of statistics and interviews with senior officials at the RCMP we were unable to rely upon the numbers provided for warrantless access requests, nor was there any linkage between reports of such requests and the actual operational files containing such requests.” [Source]

CA – NF Govt Commits to Implementing Access Report Recommendations

“We will be acting on the recommendations contained in the report,” said Steve Kent, the minister responsible for the Office of Public Engagement, adding that the government will begin implementing the recommendations during the spring sitting of the House of Assembly. The commission even went so far as to write draft legislation of its own. The independent commission is chaired by former Liberal premier and chief justice Clyde Wells, who prepared the report with retired journalist Doug Letto and former federal privacy commissioner Jennifer Stoddart. [Source]

Consumer

US – Pew: People Know About Surveillance Programs, Unsure How to Respond

In new research, roughly two years after the initial Snowden revelations, the Pew Research Center finds that U.S. citizens are aware of the surveillance programs revealed by Snowden, but are split on how they’ve responded to that knowledge. While just 6% are entirely unaware, 34% have taken at least one step to hide their information from the government, and 40% of those under 50 have done so. Of the rest, 54% believe it would be “somewhat” or “very difficult” to do anything to avoid the surveillance, and are unaware of steps that would make it possible. Finally, the country is almost evenly split on whether there are appropriate checks and balances in place: 48% say the courts are balancing national security with the right to privacy appropriately. [Full Story]

WW – Privacy or Personalization? It’s Complicated

A recent study from Accenture shows that about 60% of consumers want real-time promotions and offers, but only 14% want to share their browsing history. The research also shows varying attitudes about the desired level of personalization depending on age. What most people do like, according to the study, is automatic discounts for loyalty points and coupons, sites that are optimized for different devices and “one-click” checkout. Marketingland offers suggestions for marketers navigating the balance between value and privacy, such as “make data use transparent” and “own and control your data.” [MediaPost]

US – Survey: This Tax Season, Privacy Concerns Abound

A recent survey by Taxsoftware.com indicates most Americans are “very or somewhat concerned about the privacy and safety of their personal and financial data” this tax season. Of the survey’s respondents, “70% expressed concerns about the safety of their data when using desktop computers to file their state and federal tax forms; 68% are concerned when using their iPads or tablets, and 69% are concerned when using their smartphones,” a news release states. A spokesperson for Taxsoftware.com suggests the IRS “would do all taxpayers a great favor by eliminating its free e-file service, and thereby dramatically and immediately help reduce fraud.” [Full Story]

CA – Quebec Man to Fight Phone Password Charge

A Quebec man “charged with obstructing border officials by refusing to give up his smartphone password” has said he will fight that charge, and the case is raising legal questions. Dalhousie University Schulich School of Law’s Rob Currie noted that travelers crossing Canada’s border “have a reduced expectation of privacy,” the report states. However, he said, “This is a question that has not been litigated in Canada, whether they can actually demand you to hand over your password to allow them to unlock the device,” adding, it is “one thing for them to inspect it, another thing for them to compel you to help them.” [CBC News]

E-Government

US – CA, ME City Officials on Protecting Citizens’ Privacy

At a meeting in Bangor, ME, a City Council member raised concerns that a proposed program to inspect more apartments in the city could result in privacy issues. Councilor Ben Sprague worried whether city inspectors would be required to report illegal activities to law enforcement. And in California, the Electronic Frontier Foundation reports Oakland City Council’s Public Safety Committee will soon consider recommendations by Oakland’s Domain Awareness Center Ad Hoc Advisory Committee on Privacy and Data Retention. The committee aims to pass a privacy policy following further input from city staff and the public. [Bangor Daily News]

E-Mail

WW – Yahoo Announces On-Demand Passwords, Releases Encryption Plugin Source Code for Review

Yahoo has announced that it will let users log into their accounts with on-demand passwords sent as SMS messages to their mobile devices. The scheme is not the same as two-factor authentication, which Yahoo also offers. Yahoo also plans to release a plug-in that would enable end-to-end encryption for its email by the end of the year. The company has released the plug-in’s source code for public review. [CNET] [DarkReading] [SC Magazine] [ComputerWorld] [Yahoo]

CA – CRTC Issues $1.1 Million Penalty to Compu-Finder for Spamming Canadians

The Chief Compliance and Enforcement Officer finds that Compu-Finder sent commercial electronic messages without the recipient’s consent as well as emails in which the unsubscribe mechanisms did not function properly. The emails sent by Compu-Finder promoted various training courses to businesses, often related to topics such as management, social media and professional development. The four alleged violations occurred between July 2, 2014 and September 16, 2014. Furthermore, an analysis of the complaints made to the Spam Reporting Centre of this industry sector shows that Compu-Finder accounts for 26% of all complaints submitted. [Press Release] [Million Dollar Spam Fine Sends Message to CASL Fencesitters]

Encryption

CA – Man Arrested at Canadian Border for Refusing to Divulge Phone Password

A Canadian man returning from the Dominican Republic was arrested in Halifax, Nova Scotia, for refusing to provide law enforcement at the border with the code to unlock his smartphone. A Canadian Border Services Agency spokesperson said the man was arrested for “hindering” border guards from performing their duties. [CNET] [CBC]

US – FTC’s Primary Domain Now HTTPS by Default

The US FTC has made its primary domain HTTPS by default, which enhances security and privacy for users. Browsers will automatically verify the website’s authenticity, which will help guard against website impersonation. [Washington Post] [The Hill] [Full Story]

WW – Firefox Update to Add Certificate Security Feature

Firefox 37 will include a new mechanism to check SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificates. While the technology, dubbed OneCRL (Certificate Revocation List), will not supplant the currently used Online Certificate Status Protocol (OCSP) for the time being, Mozilla may eventually disable OCSP for certificates covered by OneCRL. Firefox 37 is expected to be available at the end of March. [eWeek] [The Stack]

EU Developments

EU – Council Reaches Agreement on One-Stop Shop

The EU’s Council of Ministers has reached a partial general approach on specific issues of the draft regulation. The partial general approach includes the chapters and recitals on the one-stop-shop mechanism as well as those relating to the principles for protecting personal data. [The Irish Times] Jennifer Baker writes, however, that the plan is “far from ‘one stop’” and may make matters more cumbersome than the status quo. [No Food, No Drink, No Water: Council to Finalize Regulation Draft] Meanwhile, The Wall Street Journal reports on the ways the draft regulation might irk U.S. tech companies.

EU – Oettinger Calls for “Digital Union of Europe”

With the EU being “the largest single market in the world” but still consisting of “28 fragmented digital markets,” European Commissioner Günther Oettinger is calling for a “Digital Union of Europe … which can become a capable partner for the United States, China and India.” “A national data protection law is no longer respected by Google, Facebook or Apple,” he said. [EurActiv]

EU – Leaked Documents Reveal Which Nations Support Proposed Regulation

LobbyPlag has obtained approximately 11,000 pages of classified EU documents as well as German diplomatic cables on the proposed General Data Protection Regulation. Among the leaked documents, the group put together an infographic detailing which national governments “are lowering or raising data protection laws in Europe.” According to the leaked documents, Ireland ranks third worst, just behind Germany and the UK, for undermining the EU’s data protection rules. [Full Story] [Is the Proposed Regulation Broken?]

EU Commissioner Jourová: Suspending Safe Harbor is “Plan B”

A delegation of 11 Members of the European Parliament is visiting the U.S. this week to discuss issues including “the renewal of the so-called Safe Harbor deal that regulates the transfer of personal data of EU citizens to the U.S.” [PCWorld] In a wide-ranging interview, European Commissioner Vera Jourová said she wants to finalize Safe Harbor negotiations by May and that the EU will be “strict” about ensuring the U.S. government adheres to internal rules governing the use and safety of EU citizen data for national security purposes. As she heads up Justice, Consumers and Gender Equality for the commission, Jourová said the pending data protection regulation is also one of her two top priorities, and she said there is “strong momentum to finalise the reform by 2015.” She expects an EU Council vote by June and then the beginning of the trilogue process. [EurActiv]

EU – Advocates Worry They’re Losing Out on TPP Deal

As negotiations over the Trans-Pacific Partnership enter final stages in Hawaii this week, privacy advocates worry that even long-time privacy supporters like Sen. Ron Wyden (D-OR) are allowing too much surveillance of American and global citizens by corporations. Specifically, they “worry that data flow provisions in the trade agreement will enable big companies to fight and discourage strong privacy rules abroad.” While tech firms are often on the same side as advocates in battles over, for example, the Stop Online Piracy Act, here they find themselves at odds. It’s become “a Rorschach test,” said Google Head of Global Trade Policy David Weller, “whether you think kind of deep evil is being done or not …” [Huffington Post]

EU – Dutch Court Strikes Down Law; Germany Plans to Introduce Retention

The District Court of The Hague struck down the nation’s data retention law that gives law enforcement access to telecommunications data. The law had required telecommunications providers to collect and store users’ data for up to 12 months. According to the ruling, the law violated citizens’ rights to privacy. “The judge finds that this violation is not limited to what is strictly necessary,” the ruling stated. The Dutch government has argued the law helps it find and defend against terrorists. The ruling can still be appealed. Meanwhile, Germany’s government “plans to introduce data retention in a national solo run.” [The Wall Street Journal]

EU – Irish Government Defends Record on Regulation Negotiations

In response to a report alleging the Irish government is looking to water down privacy protections in the upcoming Data Protection Regulation, accompanied by some 11,000 classified documents, the Department of Justice (DoJ) is defending its record. While LobbyPlag analyzed the documents to show just one of Ireland’s tabled changes “improved privacy,” the DoJ argued the report is “based on a crude analysis of footnotes recorded in council texts” and that those footnotes need to be placed in context of wider arguments. For instance, Ireland was seeking compromise when holding the presidency. [The Irish Times]

EU – FTC and Dutch DPA Sign Enforcement Pact

The U.S. FTC and the Dutch Data Protection Authority (DPA) have announced they have signed a memorandum of understanding (MoU) to bolster their information-sharing and enforcement efforts in matters related to privacy protection. “In our interconnected world, cross-border cooperation is increasingly important,” FTC Chairwoman Edith Ramirez said. “This arrangement with our Dutch counterpart will strengthen FTC efforts to protect the privacy of consumers on both sides of the Atlantic.” Dutch DPA Jacob Kohnstamm said, “The signing of this MoU between the Dutch DPA and the FTC is a great step … and marks the good relationship between our offices.” [FTC press release]

EU – CNIL Issues BYOD Guidelines

The French Data Protection Authority, the CNIL, has published new guidelines on bring your own device (BYOD). The guidance includes that if a company has already made a standard declaration to the CNIL about employee management or employs a data protection officer, there’s no need for additional declarations to cover its BYOD policy. [Hogan Lovells’ Chronicle of Data Protection]

UK – Inquiry Calls for Overhaul of Surveillance Laws but Clears Spy Agencies

Civil liberties advocates have long been concerned about the surveillance powers of government agencies, and some were dissatisfied with the oversight panel. Shami Chakrabarti, director of Liberty, an advocacy group, said that the committee “has repeatedly shown itself as a simple mouthpiece for the spooks — so clueless and ineffective that it’s only thanks to Edward Snowden that it had the slightest clue of the agencies’ antics.” [NY Times]

EU – A New Era at the EDPS

With the release of “The EDPS Strategy 2015-2019,” European Data Protection Supervisor Giovanni Buttarelli and Assistant Supervisor Wojciech Wiewiórowski have etched out a bold vision with ambitious goals, writes Christopher Kuner. The document lays out three major strategic objectives and 10 action items, and the interest in these pieces couldn’t be more clear: The release was attended by the first vice president of the European Commission and the chairman of Parliament’s LIBE Committee. Kuner analyzes why data protection has become so high-profile and what we can take away from the new five-year plan. [Privacy Perspectives]

Facts & Stats

WW – How Do the World’s DPAs Break Down by Gender?

With so many popular “Women Leading Privacy” events at the IAPP Global Privacy Summit, during the recent update of IAPP’s global data protection authorities (DPA) information page, IAPP decided to delve deeper into the question. This feature looks at DPA leadership according to gender and compiles the results, broken down by regions around the world. See whether Women Leading Privacy efforts so far have resulted in more opportunity on the regulatory side as well as in the private sector. [Full Story]

Filtering

UK – ISPs Take Another Tack to Block the Pirate Bay

Internet service providers (ISPs) in the UK are now blocking websites that offer pirated content as well as those that serve as proxies for such sites and even sites that simply list the proxy sites. The reach of the court order has raised concerns about censorship. [BBC] [WIRED] [The Responsibility of Operationalizing the Right To Be Forgotten | Google Report]

Finance

US – Report: 80% of Global Merchants Fail PCI DSS

According to a new Verizon Communications report, four out of five global retailers fall short on debit and credit card security, failing the Payment Card Industry Data Security Standard (PCI DSS), Reuters reports. The report also found that businesses tend to only upgrade security software just before a PCI DSS compliance check. Data for the report was gathered from more than 5,000 companies in 30 countries. Additionally, Verizon found that in the past 10 years, not one company that suffered a breach was compliant with the standards at the time of the incident. [Full Story] [Verizon 2015 PCI report: More achieve PCI compliance, but fail to keep it] [Verizon: PCI requirement to test security systems a compliance weak point for orgs]

US – Orfel: Compliance Report Findings “Sobering”

Verizon’s 2015 PCI Compliance Report “should serve as a loud and clear wake-up call to everyone in the business community who cares about the payment data security of their customers,” writes Stephen Orfel, general manager of the PCI Security Standards Council. That’s because the report’s findings “are sobering,” Orfel writes, noting “a compound annual growth rate of 66%” in security incidents since 2009. Further, of the payment card breaches investigated by Verizon’s forensics team in the last 10 years, not a single organization was PCI DSS compliant at the time of the breach. “The business community needs to up its game to answer this enormous challenge,” Orfel writes. [The Hill]

US – AG, Credit Reporting Agencies Reach Settlement

The nation’s major credit reporting agencies have agreed to overhaul their approach to fixing errors and their treatment of medical debts on consumers’ reports. New York State Attorney General Eric Schneiderman announced Monday his office has reached a “sweeping settlement” with the agencies, which keep records on more than 200 million individuals. The settlement was prompted by an investigation in 2012. [The New York Times]

US – NCUA Seeks Power to Examine Third-Parties

The head regulator for the National Credit Union Association (NCUA) is pleading with Congress to give her agency the power to examine and police third-party vendors in an attempt to thwart cyber-hacking. The NCUA is the only federal banking regulator without the power to examine third-party vendors.

CA – Alberta Online Bank First In Canada to Shun U.S. Clients amid Tax Rules

The shunning of U.S. customers is part of the spreading fallout from the U.S. Foreign Account Tax Compliance Act, which came into force this year. The law is the centrepiece of a concerted U.S. effort to crack down on overseas tax evasion by identifying all offshore American account holders. Canadian financial institutions have complained loudly about steep FATCA-related compliance costs, which can reach as high as $100-million for each of the Big Six banks. It’s also caused extreme stress for hundreds of thousands of Americans and dual Canada-U.S. citizens living in Canada, many of whom have never filed U.S. taxes. The new reporting rules mean they find it much trickier to avoid filing U.S. taxes and other required forms. Under U.S. law, Americans must file U.S. taxes every year, regardless of where they live. A number of financial institutions in Europe and elsewhere are already balking at doing business with Americans. [Source]

FOI

US – Clinton: Gov’t Doesn’t Have Right to Review Her Personal Emails

While Hillary Clinton says neither the federal government nor an independent third party has the right to review emails she sent as secretary of state if she deems them personal, that’s inaccurate because State Department guidelines say there is “no expectation of privacy” for personal emails sent by government employees on a departmental email system. “No one creating records on an official government network has an individual ‘privacy right’ to demand that their emails or records should be shielded beyond the reach of public access requests under FOI laws, state or federal,” said Drinker Biddle’s Jason Baron. [USA Today] See also: [Clinton excuse ‘laughable’: veteran official] [Read the three BYOD mistakes Hillary Clinton made “and how your BYOD policy can avoid them.”]

US – Facebook Report Details Government Data Requests

Facebook’s Global Government Request Report shows that the overall number of requests the company received from governments worldwide increased slightly from the previous six months. The majority of the data requests were related to criminal cases. In the US, nearly 80% of requests were met with the release of some data. While requests from the US and German governments declined, the number of requests in the US may be higher than the figures indicate because Facebook did not include national security requests in its report. Facebook also notes that requests to restrict or take down content rose 11% over the previous six months. [ComputerWorld] [ZDNet] [Forbes] [GovtRequests.com]

Genetics

WW – In Growing Market for Genetic Data, Privacy Implications Prove Lasting

A report examines the work of researcher Michael Goetzman on the security implications of DNA technologies. Goetzman found “that the increasingly lucrative market for data brokers may simultaneously amplify breach concerns in the healthcare sector,” the report states. [SC Magazine]

Health / Medical

US – Wyden Concerned About Health Info Privacy on Campuses

Sen. Ron Wyden (D-OR) asked for details about the thoroughness of privacy protections on health information for students who use college and university medical facilities. Wyden wrote a letter to Education Secretary Arne Duncan with concerns that patients have less understanding of the rules governing campus health facilities versus those governing outside practitioners. “College students should be able to expect the same level of privacy as other people when it comes to the incredibly sensitive information they give their on-campus health and mental health providers,” Wyden said. [KTVZ] EdSurge reports optimism is coming back to the student privacy debate. Electronic Privacy Information Center’s Khaliah Barnes said, “It’s a false dichotomy: Privacy and innovation can and should exist.” [Student Sues UMontana Over Info-Sharing]

US – HITRUST Releases Review Findings

The Health Information Trust Alliance (HITRUST) has released the findings from its three-month review of cyber-risk management for the healthcare industry. “The analysis uncovered a constant theme: that today’s approach to cybersecurity is predominantly reactive and, for the vast majority of organizations, inefficient and labor-intensive,” HITRUST’s announcement states. And Government Health IT reviews the lessons privacy and security professionals can learn from each other.

Horror Stories

US – Three Charged in Massive Data Breach

The Department of Justice (DoJ) has charged three men for taking part in what it says is “one of the largest” data breaches uncovered in U.S. history. The three are charged with running a cyber-fraud ring that stole one billion email addresses and then sent spam offering knockoff software products. While the DoJ hasn’t named the companies involved in the breach, it appears Epsilon was among them, the report states. Two of the three men are now in custody; one has pleaded guilty to conspiracy to commit computer fraud while the other is charged with conspiracy to commit money laundering. The third is a Vietnamese citizen who was living in The Netherlands. [Krebs]

US – Breach Bill Discussed; More Breaches Announced; Class-Action Filed

Reps. Marsha Blackburn (R-TN) and Peter Welch (D-VT) are circulating their Data Security and Breach Notification Act of 2015, which would preempt 47 state data notification laws. [Gov Info Security] Meanwhile, a Wired article discusses the “crooked path to determining liability” in breaches.

US – Mandarin Oriental Breach

The Mandarin Oriental hotel chain has confirmed a breach of its systems that compromised customer payment card information. The attack affected point-of-sale systems at 45 of the company’s hotels. [Krebs] [BBC]

WW – Superfish Removed from 250,000 Windows Machines

Microsoft, along with Lenovo and other software manufacturers, has managed to scrub Superfish adware from 250,000 Windows-based PCs. According to Microsoft’s security team, the daily number of Lenovo machines infected has dropped below 1,000; at its peak, Superfish had been found daily on 60,000 PCs. [ComputerWorld] See also: [FREAK Still Affects Some Cloud Services]

US – School Accesses Rape Victim’s Medical Records

A woman is suing the University of Oregon for privacy violations after it allegedly used her mental health records to defend itself against allegations it “mishandled” her sexual assault by three of its basketball players. The three players were kicked out of school, but the assault case never went to trial. The woman suing the school had received therapy at the school’s clinic after being sexually assaulted. The university then allegedly used those records in its defense. The student-run Organization Against Sexual Assault’s Kelsey Jones said, “It’s very concerning for a lot of people … It’s 10 times harder now to seek that help and feel safe and feel OK to share 100% of what you’re feeling.” [NPR]

US – Other Breaches

  • Bistro Wants Suit Dismissed: P.F. Chang’s China Bistro has asked the Seventh Circuit to uphold a lower court’s dismissal of a class-action stemming from a data breach at the chain.
  • Google Software Problem: A Google software problem has exposed personal information on the owners of about 300,000 websites.
  • Uber Class-Action: Uber is facing a potential class-action over a recently disclosed data breach involving 50,000 of its drivers.

Identity Issues

New Guidance Released for De-ID

HITRUST announced it will release a De-Identification (De-ID) Framework, with guidance, standards and controls for de-identifying data in a healthcare setting. The framework includes use cases for defining levels of anonymization, criteria for evaluating De-ID methods and technical controls for mitigating the risk of using and storing health data. HITRUST will host a webinar March 24 to introduce the framework, at which point it will be available for download. [HealthData Management]

US – Do We Need a New Definition of Privacy?

See also the work of School of Communication and Information Assistant Prof. Vivek Singh and his recent paper, “Unique in the Shopping Mall: On the Reidentifiability of Credit Card Metadata.” Singh, who is currently a visiting professor at MIT, suggests the research shows “we need to rethink the ideas we have about privacy,” the report states. Singh explains, “It is relatively easy for anyone, with just a bit of information, to find out very private details about our lives … We therefore need to redefine our current definition of privacy.” While the research doesn’t prove “that we all have any lesser privacy than before or that privacy is gone,” he notes, it “does show that we do need to rethink how we measure and define it.” [News.Rutgers]

Internet / WWW

US – FCC Releases Net Neutrality Rules

Documents from the US Federal Communications Commission (FCC) show that the commission is going to treat broadband as a public utility, which means it will be subject to more stringent regulation. The document indicates that the FCC will determine what is deemed acceptable on a case-by-case basis. [NYTimes] [Washington Post] [Silicon Republic] [FCC Press Release] [Net Neutrality Has Sparked an Interagency Squabble Over Internet Privacy: The FTC and the FCC are arguing over who is better at protecting consumers.]

WW – UN Needs Privacy Rapporteur: Advocates

The Electronic Frontier Foundation (EFF) has joined a group of 60-plus advocacy groups to call for the creation of a UN special rapporteur on the right to privacy. “The special rapporteurs are independent experts appointed by the Human Rights Council and serve in their personal capacities,” the EFF announcement states. “A special rapporteur would play a critical role in developing common understandings and furthering a considered and substantive interpretation of the right to privacy in a variety of settings.” The EFF notes privacy is one of the few rights that does not have specialist attention in the UN. “There is a pressing need to better articulate the content of this right as part of international human rights law and produce guides on its interpretation,” the report states. [Full Story]

US – NIST Releases Draft of IoT Standard Framework

The National Institute of Standards and Technology (NIST) cyber-physical systems public working group has released a discussion draft of its Framework for Cyber-Physical Systems—what has come to be known as the Internet of Things. It synthesizes the work of five subgroups, one of which covered security and privacy, and offers the beginning of a common way of working with and protecting an array of items on the network as varied as cars and pill bottles. NIST is receiving feedback on the draft in the lead-up to the next in-person meeting of the working group, April 7 and 8. NIST hopes to have a finalized draft in 2016. [Hogan Lovells Chronicle of Data Protection]

Law Enforcement

US – Seattle Police Post Body Camera Footage for Public Viewing

Seattle police have posted footage from police-worn body cameras to their own YouTube channel. The new program is uncommon and probably the first in the country. But it answers a question facing every department employing body-worn cameras: How much should police show the public? In the past, the Seattle Police Department faced criticism for setting up drone networks or wireless cameras before holding public meetings. But police hope posting the footage for the public to view will engender trust. Phil Mocek of Seattle’s Privacy Coalition, however, worries the public footage could be used as a “roving network of public surveillance.” [The Guardian]

US – New Lawsuit by ACLU Targets Cellphone Snooping With Stingray Device

The ACLU suit, filed in Orange County Superior Court, seeks to find out what the state’s bigger police forces are doing with those peripheral numbers, what they are doing with the targeted data and what rules have been set to ensure the data aren’t being abused. …In a survey by the ACLU of nine California police agencies, three – including Santa Ana and the Orange County Sheriff’s Department – said they do not have StingRays. However, an official with the Orange County Sheriff’s Department confirmed that his agency is looking for money to buy a StingRay. [Source]

Location

WW – TomTom Addressing Privacy Concerns

GPS maker TomTom is planning to improve its service by using its customers’ travel data to make more timely updates to its road navigation software; however, this time around it plans to be more clear on how it uses customer data. According to Vice President of Privacy and Security Simon Hania, allegations the company shared data with police back in 2011 led the company to “take more action to better communicate how it uses customer data,” the report states. The data will also be encrypted, anonymized and held on secure servers. “If you cannot explain to your users what you are doing and why, maybe you shouldn’t be doing it,” Hania said. [V3.co.uk]

Offshore

WW – Fieldfisher Releases “Managing Global Data Residency Risk” Report

Fieldfisher has announced the publication of its “Managing Global Data Residency Risk” report, which provides an in-depth look at issues around Data Residency Rules—laws prohibiting the transfer of personal data from specific countries or regions unless certain legal standards are met—and legal solutions that enable international data exports. “In an increasingly data-hungry and interconnected world, data protection issues continue to take on greater importance, and it is against this backdrop that the report has been produced,” Fieldfisher said in its announcement on the report’s release. The report compiles research by privacy specialists on 47 territories worldwide. [Full Story]

Online Privacy

US – DARPA Details Plans for Privacy Tools

The Defense Advanced Research Projects Agency (DARPA) has formally announced its plans to research and develop tools for online privacy. Named for Supreme Court Justice Louis Brandeis, the new program “seeks to explore how users can understand, interact with and control data in their systems and in cyberspace through the expression of simple intentions that reflect purpose, acceptable risk and intended benefits,” the report states. DARPA Program Manager John Launchbury said the aim is to develop methods that can help protect private data “without having to impose cumbersome protective mechanisms that ultimately deplete the larger value of the information at hand.” The four-and-a-half-year program will be split into three 18-month phases resulting in experimental systems that show privacy technologies at work. [Full Story]

US – DARPA “Brandeis” Program Aimed at Privacy Protection

The Defense Advanced Research Projects Agency (DARPA) is examining a program the agency says will help develop the “technical means to protect the private and proprietary information of individuals and enterprises.” The program is named after Louis Brandeis, frequently referred to as the “father of privacy.” DARPA will gauge interest in the program at a Proposer’s Day event on March 12. Meanwhile, IBM has also said it is offering technology “to encrypt the certified identity attributes of a user, protecting privacy and enhancing security.” The program is called Identity Mixer and prevents third parties from accessing data “by revealing only selected data to service providers,” the report states. [NetworkWorld] [DARPA is tackling online privacy. But can you trust them?]

EU – Facebook Says Users Consented to Scans

Facebook intends to defend itself in a privacy lawsuit by arguing that users agreed to allow the company to scan “private” messages in order to determine whether people are sending their friends links to sites outside of Facebook. “Facebook users expressly consented to the conduct,” Facebook said in a report filed last week with U.S. District Court Judge Phyllis Hamilton. The proposed class-action alleges “Facebook violates the federal wiretap law and a California privacy law by scanning the private messages that users send to each other through the company’s platform,” the report states. [MediaPost]

US – Twitter Responds to Critics, Revises Image Policy

Just over a month after a public declaration by CEO Dick Costolo that Twitter had done a poor job protecting people from harassment, he has announced a new policy banning nonconsensual illicit images and videos. Issuing an FAQ based on a Buzzfeed questionnaire originally posed to Reddit, Twitter said it has changed its privacy notice and terms of service: “You may not post intimate photos or videos that were taken or distributed without the subject’s consent.” Those in pictures or videos can submit takedown requests, and accountholders may appeal the action, but the images will be hidden from view and the account will be locked. If there is no appeal, or the appeal fails, the accountholder will not be allowed to return until the image is deleted. Meanwhile, U.S. Rep. Katherine Clark (D-MA) has called on the Department of Justice to increase prosecution of online harassment cases. [Full Story] A Twitter conversation about one ed-tech company’s terms of service prompted the company to change the policy to meet privacy concerns.

US – Amidst Consumer Concerns, Calls for ECPA Reform, Chip-and-PIN Tech

With persistent data breach reports in the news and polls indicating most U.S. consumers don’t believe their personal data is safe, there are new and persistent calls for changes. Digital Fourth, a coalition of technology companies, advocates and other groups, has renewed its “call for Congress to change a 29-year-old electronic privacy law called the Electronic Communications Privacy Act (ECPA).” [IDG News Service reports] Debra Berlyn writes on ProtectMyData, “a consumer education campaign advocating the implementation of chip and PIN technology for credit and debit cards.”

US – Apple Watch Gets Cautious Approval from Advocates

The Apple Watch has a sensor allowing users to keep track of their heart rates and even share that information with friends, signaling Apple’s move into the health space. The watch can be used in concert with Apple’s new ResearchKit software, “a platform for medical researchers, which will let them pull in data from the many sensors on the Watch and iPhone from willing iGuinea Pigs,” the report states. Privacy Rights Clearinghouse’s Pam Dixon said she’s pleased with the watch’s defaults, but added the onus is on users to be sure they’re not sharing data with third parties that could use it to harm them. [Fusion] [The CIA Campaign to Steal Apple’s Secrets]

US – FTC to Look at Cross-Device Tracking

The US FTC will hold a workshop in the fall to examine cross-device tracking and how it affects consumers. Such events can indicate that the agency will follow up with reports and increased enforcement of privacy rules. [Washington Post]

WW – Skype Updates Privacy Statement for User-Friendliness

Skype announced this week it is “updating the look of its Privacy Statement” with an aim toward “increasing the transparency of the organization as a whole, highlighting the information that is typically hidden from the consumer,” Sean Cameron writes. “At Skype, we want to make it easier for you to understand and review the important documents that relate to our products and services,” Skype announced. [WinBeta]

Other Jurisdictions

AU – Proposed Law’s Amendment Protecting Journalists Raises Questions

Australia’s government is one step closer to enacting its data retention laws after agreeing “to a Labor amendment to protect journalists’ sources.” And while other concerns remain, “the bill to force communications companies to keep customer information for two years is set to pass through Parliament by the end of next week,” the report states. Labor’s Jason Clare is calling the amendment “a good result; it’s a victory for journalists,” while Sen. Scott Ludlam asked why journalists are being singled out: “I think the government has left itself open to, well, what about doctors, what about diplomats, what about legal professional privilege, what about serving military officers?” [ABC]

AU – Data Retention Bill Set to Become Law

Australian Communications Minister Malcolm Turnbull and Attorney-General George Brandis have agreed to a suite of recommendations made by a Parliamentary Joint Committee and say that new data retention legislation will soon become law. The law will require telcos to keep a set of customer data, including call records, IP addresses, email addresses, text history and more, for a minimum of two years so the data can be accessed by law enforcement if necessary. Following the bill’s passage, roughly 20 agencies would have access to the data. [ZDNet]

AU – Over 100 Data Breaches Voluntarily Reported to OAIC in Past Year

One year into the Privacy Act, the Office of the Australian Information Commissioner issued a “law reform report card,” detailing “how organisations and agencies have responded positively to the challenge of implementation.” The Office of the Australian Information Commissioner received over 100 voluntary data breach notifications, and saw a 43% increase in privacy complaints in the 12 months since changes to the country’s Privacy Act came into effect. Australian Privacy Commissioner Timothy Pilgrim said that he has been pleased to see private organisations and government agencies respond positively. “This is recognition that good privacy practices are good for business, particularly in building customer trust,” he said. “For the next 12 months, our focus will be on governance, assisting organisations and agencies to build a culture of privacy, and ensuring that organisations and agencies are proactive in meeting their compliance requirements.” [Source] [Privacy Act amendments chalk up first anniversary: OAIC has received 4016 privacy complaints over past year says Timothy Pilgrim]

Privacy (US)

US – Wong: CPBR Gives Framework for National Privacy Discussion

President Barack Obama’s release of the proposed Consumer Privacy Bill of Rights Act (CPBR) has been met with an array of reactions. Among the recent reports on the CPBR, The National Law Review and Lexology examine the bill in detail. And the reaction pieces include Sen. Al Franken (D-MN) stating the CPBR “lacks the necessary teeth to hold companies accountable for their privacy policies and to ensure robust protections for consumers’ information,” while the Technology Policy Institute’s Thomas M. Lenard suggests it marks a step toward “regulating the Internet.” In a piece for The Christian Science Monitor, former White House Deputy Chief Technology Officer Nicole Wong writes, “What we need today is a framework for a national discussion about privacy regulation, and that is what the White House has given us.” [Full Story] SEE ALSO: [White House releases proposed “Consumer Privacy Bill of Rights,” to little acclaim: Privacy advocates don’t like it, and tech companies don’t either] | [White House draws fire from privacy advocates over Consumer Privacy Bill of Rights] | [Obama’s ‘Privacy Bill of Rights’ Gets Bashed from All Sides: Some privacy advocates are disappointed that the proposal would not give the FTC the power to set regulations to enforce the principles. Instead, companies and industry associations would write their own rules and then ask the FTC to sign off on them. Additionally, the bill would overturn state laws that offer stronger protections. But the Web companies themselves aren’t so thrilled with the proposal either. Michael Beckerman, the CEO of the Internet Association, which represents Google, Facebook, Amazon, Yahoo, and others, warned that the bill “casts a needlessly imprecise net.”]

US – Wyndham Case Could Reach SCOTUS

Oral arguments have been heard in Wyndham Worldwide Corporation’s battle against “the FTC in a high-stakes legal case that will help define the role of the federal government in protecting the security of consumer data online.” Wyndham is trying “to reverse a district judge’s decision endorsing the FTC’s enforcement authority,” the report states, noting Wyndham’s lawyers argue the FTC “overstepped its authority by punishing companies for weak cybersecurity.” Indiana University’s Fred Cate said, “I would not at all be surprised if the case went to the Supreme Court … And if in fact this went against the FTC, Congress would almost certainly have to act because we would be left without a security regulator with authority across the economy.” [The Hill] [Oral arguments in Wyndham Worldwide Corporation’s battle against the FTC]

US – New Commerce Data Advisory Council Members Announced

Secretary of Commerce Penny Pritzker has announced the members of the new Commerce Data Advisory Council (CDAC), which includes “19 of the best and brightest private- and public-sector thought-leaders on data management and dissemination in the United States.” The CDAC’s role is to help guide the Commerce Department’s efforts “to foster innovation, help create jobs and drive better decision-making throughout our economy and society.” A full list of the CDAC members can be found here. “Together, they will help us make our data easier to access and use, and maximize the return of data investments for entrepreneurs, government, businesses, communities and taxpayers,” Pritzker said. [Full Story]

US – NTIA Seeks Comments on Drone Privacy

With its plans to hold its “multistakeholder process,” a series of meetings with interested people aimed at developing best privacy practices for the aerial drone industry, the National Telecommunications and Information Administration (NTIA) has announced it has “opened up a request for comments on discussions aimed at developing privacy best practices for both the commercial and private use of drones.” “The public is invited to submit suggestions concerning the structure of the multistakeholder engagement and the substantive issues stakeholders will discuss,” the NTIA wrote in its announcement, noting it “expects to convene the first public meeting within 90 days from the publication of the Request for Comment.” [PCWorld]

US – Judge Dismisses Breach Suits Over Lack of Provable Harm

A federal judge last week dismissed two would-be class-action lawsuits filed over last year’s Paytime, Inc., breach. The plaintiffs who sued the national payroll firm said they faced the threat of identity theft because of the breach and that the company delayed informing them of the breach. But U.S. Middle District Judge John Jones said in dismissing the suits that none of those who sued Paytime have been identity theft victims. “There is simply no compensable injury yet, and the courts cannot be in the business of prognosticating whether a particular hacker was sophisticated or malicious enough to be able to successfully read and manipulate the data and engage in identity theft,” he said. [PennLive]

US – Jury Denies Damages for Privacy Intrusion Victim

A jury has found a California man is “not entitled to monetary damages from a neighbor he claimed used her position as a Sonoma County social worker to pry into his confidential files and embarrass him.” Eugene Alexeev testified in the trial that Lisbeth De Mejia, a Human Services Department eligibility worker, “shouted out confidential information about his lack of a job and dependence on public assistance in a 2010 argument,” the report states. Alexeev wanted damages for breach of privacy and infliction of emotional distress, and while jurors “found De Mejia’s conduct was outrageous and intrusive, violating Alexeev’s privacy,” they decided it had not been the cause of his “anxiety, crippling headaches, loss of sleep and depression,” the report states. [The Press Democrat]

US – Judiciary Committee Approves FBI Hacking Rule Change

A judicial advisory panel has approved a rule change that will broaden the FBI’s hacking authority despite concerns the amended language violates the Constitution. The Judicial Conference Advisory Committee on Criminal Rules voted 11-1 to allow judges more flexibility in how they approve search warrants for electronic data, the report states. The ACLU and others have said the rule violates Fourth Amendment rights on search and seizure, and Google said Congress should decide on such a rule. Meanwhile, the Treasury Department has issued a final rule exempting it from having to reveal to holders of preparer tax identification numbers the names of those who’ve asked for their files. [National Journal]

US – Department of Education Issues “Model Terms of Service” 

Despite the title, the Model Terms are not a template that the Department expects schools to insist that their online educational services and applications adopt when providing services to the school. Instead, the document contains a checklist of the types of privacy-related provisions that commonly appear in online services’ TOS, such as provisions related to marketing and advertising, modifications to the TOS, data use, data sharing, security controls, and data de-identification. For each type of provision, the document provides sample TOS provisions under the headings “GOOD! This is a Best Practice” and “WARNING! Provisions That Cannot or Should Not Be Included in TOS,” and explains why those provisions either represent a best practice or are problematic when considered in light of schools’ privacy obligations. [Source]

US – Companies Not Living Up to Student Pledge

Natasha Singer suggests companies are not living up to the Student Privacy Pledge. The pledge requires companies to “maintain a comprehensive security program that is reasonably designed to protect the security, privacy, confidentiality and integrity of student personal information against risks—such as unauthorized access or use,” but Singer suggests some “companies signed the pledge even though, at the time they joined, they had not begun full encryption, an elementary security measure.” The Future of Privacy Forum’s Jules Polonetsky said, “Companies that don’t provide strong security for sensitive data can be at legal risk for violating the pledge, state laws and contractual commitments.” [The New York Times]

US – No Privacy in Your Trash, Minnesota Supreme Court Rules

The Minnesota Supreme Court upheld a Court of Appeals ruling that rejected the argument that the search was unconstitutional. It said the U.S. Supreme Court has ruled consistently that trash is public. But the Minnesota court also considered whether Minnesota’s Constitution affords greater protection than the U.S. Constitution on the matter. It doesn’t, Justice Wilhelmina Wright wrote in her opinion. [Source]

US – Swire Recognized for Privacy Leadership

At the IAPP Global Privacy Summit, Georgia Tech Scheller College of Business Prof. Peter Swire was awarded the IAPP 2015 Privacy Leadership Award. The award recognizes a leader in the field of privacy and data protection who has demonstrated an ongoing commitment to furthering privacy policy, promoting recognition of privacy issues and advancing the growth and visibility of the privacy profession. Accepting the award, Swire said he’s had a lifelong fascination with the intersection of technology, policy and law and has always loved science fiction—stories about how people and societies respond to new technological challenges. He likened such stories to what privacy professionals do in their daily jobs. [Full Story] See also: [FTC Chair Edith Ramirez Talks Privacy, Data Security]

Privacy Enhancing Technologies (PETs)

WW – Windows 10 Settings Strive to Make Privacy More Accessible

A new report states that Microsoft’s Windows 10 and its new “Privacy” tab “has a bunch of privacy settings you won’t find in the traditional Control Panel, because a lot of these settings are more for tablets and phones than they are for laptops and desktops.” The report looks at such options as settings for location, ads and even microphone and webcam access. “The General section is where you’ll be able to quickly change basic privacy settings – for example, you can choose whether to let apps access your name, photo and other account info; you can let Windows track your typing and give you word suggestions based on what you write, and you can allow websites to access your language list,” the report states. [CNET]

US – Cashing in on Privacy; Good Reps Mean “Halo Effect”

With the recent shift away from the mindset that consumers don’t care about privacy, tech firms, service providers and start-ups have begun to tout their privacy-protecting features or build entirely new models and businesses around them. Companies like AT&T and Google have introduced pay-for-privacy models, and start-up Abine masks emails, encrypts passwords and blocks trackers for a monthly fee. Meanwhile, a recent study has shown that companies with positive reputations “benefit from a ‘halo effect,’ even when they have been accused of wrongdoing. However … companies with good reputations are punished more severely than companies with weaker reputations when the evidence of their wrongdoing is stacked against them.” [Quartz] [Meet the free encryption app that promises to put your privacy first: The Cryptocat developer’s new team aims to get easy file and message encryption into everyone’s hands, which could give Gmail and Dropbox (and the NSA) a run for their money.] | [Peerio is an encrypted messaging and file storage app for Windows, Mac, and the Chrome browser that takes the likes of Gmail and Outlook, HipChat, and Dropbox to task. The app puts its users in the privacy driving seat, clearly marking for the lay user when something is encrypted.]

Security

US – FTC Launching Data Security Initiative

Several FTC officials shared their views and concerns on recent developments in privacy, and Bureau of Consumer Protection Director Jessica Rich said the agency is set to launch “Start with Security” to provide businesses with resources, education and guidance on data security. This Privacy Perspectives piece highlights the details on the program Rich and FTC Chairwoman Edith Ramirez shared at the event, the four trends Commissioner Julie Brill said the FTC is looking at and reactions from the FTC on the Obama administration’s proposed Consumer Privacy Bill of Rights. [Full Story] Separately, a three-judge panel has suggested the Federal Trade Commission should handle privacy cases in its own administrative court rather than in federal court. [The Wall Street Journal]

WW – Cyber-Threats Outpacing Security Pros

A study of more than 1,000 security professionals in the U.S., UK and Canada “paints a picture of mounting pressures on organisations due to a shortage of necessary specialist skills, tight budgets and poor employee education,” suggesting security pros are not able “to keep pace with cybersecurity threats” from both external and internal sources. [Reuters]

WW – NSS Labs’ Testing Service Will Hold Security Vendors Accountable

NSS Labs, an independent security testing company, has developed a testing service to see how security vendors stack up—including which real threats their products are blocking and which they’re not. The new offering from NSS Labs allows security officers to test products in real time through a service that does not itself sell security products. This kind of benchmarking is sure to shake up an industry that is loath to admit it doesn’t catch everything. NSS Labs got a taste of that kind of backlash last year, after it released a test of various breach-detection systems, which found that FireEye, then the darling of the breach-detection space, underperformed similar offerings from Cisco, General Dynamics and Trend Micro. NSS Labs actually issued a grade of “caution” to customers who used FireEye’s web and email malware protection systems. [The New York Times]

US – Wikipedia Sues NSA; CIA Tried to Break Apple Security

Online encyclopedia Wikipedia has announced it will sue the NSA for its bulk surveillance programs, arguing they threaten freedom of speech and violate the Fourth Amendment. “By tapping the backbone of the Internet, the NSA is straining the backbone of democracy,” said Wikimedia Foundation Executive Director Lila Tretikov, adding, “By violating our users’ privacy, the NSA is threatening the intellectual freedom that is central to people’s ability to create and understand knowledge.” [National Journal] See also: The Intercept reports on a multi-year effort by the CIA to break the security of Apple’s iPhones and iPads. [NSA sued by Wikimedia, rights groups over mass surveillance: Lawsuit claims NSA illegally taps ‘backbone’ of Internet, making a potentially new front for rights activists against spy agency. The litigation takes on what is often called “upstream” collection because it happens along the so-called backbone of the Internet and away from individual users. Bulk collection there violates the constitution’s First Amendment, which protects freedom of speech and association, and the Fourth Amendment, which protects against unreasonable search and seizure, the lawsuit said.] | [Wikimedia Foundation files suit against NSA to challenge upstream mass surveillance: When the 2013 public disclosures about the NSA’s activities revealed the vast scope of their programs, the Wikimedia community was rightfully alarmed. In 2014, the Wikimedia Foundation began conversations with the ACLU about the possibility of filing suit against the NSA and other defendants on behalf of the Foundation, its staff, and its users.] | [The case challenges the NSA’s use of upstream surveillance conducted under the authority of the 2008 Foreign Intelligence Surveillance Act Amendments Act (FAA). Upstream surveillance taps the internet’s “backbone” to capture communications with “non-U.S. persons.” The FAA authorizes the collection of these communications if they fall into the broad category of “foreign intelligence information” that includes nearly any information that could be construed as relating to national security or foreign affairs. The program casts a vast net, and as a result, captures communications that are not connected to any “target,” or may be entirely domestic. This includes communications by our users and staff.]

Surveillance

ET – Ethiopian Government May be Using Spyware Against Journalists

The Ethiopian government is allegedly spying on Washington-area journalists who work for Ethiopian Satellite Television (ESAT) with spyware intended for use by law enforcement. ESAT computers were infected in 2013 when an employee opened what turned out to be a malicious file. That attack was likely aided by a tool from Italian company Hacking Team. A more recent incident revealed another attempt at such an attack. A spokesperson for the Hacking Team said the company cannot divulge clients’ identities or locations, and that it would take action if it learned that entities were misusing its products. [Washington Post]

Telecom / TV

EU – Dutch Court Strikes Down Data Retention Law

A Dutch district court has struck down a law that required telecommunications providers to retain customer data for six to 12 months. The law was initially enacted in 2009 to fulfill the EU directive on data retention, which the European Court of Justice struck down last spring. [ZDNet] In related news, Bulgaria has also revoked its data retention law, and the European Commission announced it will not be looking to introduce a new directive to require telcos “to store the communications data of European Union citizens for security purposes.” Of course, individual member states may introduce their own national laws, but there will be no requirement at the EU level to do so.

US – Former AT&T Biz Partners: Privacy Record Should Be Scrutinized

Dozens of former AT&T business partners have warned regulators that the company has a poor record on privacy, and that increased scrutiny should be placed on its proposed $48.5 billion merger with DirecTV. The Minority Cellular Partners Coalition, which includes more than 90 former AT&T partners, has written to the Federal Communications Commission accusing the company of breaking the law by “voluntarily handing over data to the National Security Agency following the Sept. 11 terror attacks” without a court order. The coalition wants stronger privacy oversight of AT&T if the deal goes through. [U.S. News & World Report]

CA – Internet Carriers May Be Breaching Canadian Privacy Laws

In a privacy and transparency report, Teksavvy scores highest, while Videotron and Shaw score low. The study looked at the information provided publicly by internet carriers in Canada about how they protect customers’ privacy and ranked them based on 10 criteria. In fact, “it appears that many Canadian internet carriers are in violation of their legal responsibilities” under Canadian privacy law, says the report, entitled “Keeping Internet Users in the Know or in the Dark,” released by Toronto-area researchers. [Source]

WW – Android Lollipop 5.1 Brings Promised Anti-Theft “Kill Switch”

It’s the Android version of what’s known on the iPhone as Activation Lock or Find My iPhone. According to Secure Our Smartphones, the addition of the kill switch in iPhones running iOS 7 and iOS 8 has cut iPhone thefts dramatically in cities like San Francisco, New York and London – because, they say, would-be thieves have learned they can’t resell them. Although a remote lock-and-wipe feature is available on most Androids already, Device Protection promises to go beyond the Android Device Manager feature available on older versions. [Source]

US Government Programs

US – Survey: CTOs Concerned About Data Privacy, Security

The Consortium for School Networking (CoSN), which launched its Protecting Privacy in Connected Learning last year, has released its third K-12 IT Leadership Survey, and school technology leaders’ top concerns include the privacy and security of student data. “K-12 IT leaders are increasingly worried about the privacy and security of student data,” a CoSN press release states, noting 57% of respondents “said the issue is more important than it was last year.” Separately, Yale Law School has announced it is destroying student admissions evaluations and notations from the career development office “to avoid being forced to hand over a wide range of documents” amidst students’ Family Education Rights and Privacy Act requests for their files. [Full Story]

US Legislation

US – Senate Committee Approves CISA 14-1

By a vote of 14-1, the Senate Intelligence Committee “approved a controversial cybersecurity bill designed to help companies and the federal government better defend against the growing threat of data breaches.” The Cybersecurity Information Sharing Act (CISA) aims to help businesses and government thwart the threat of data breaches by expanding legal liability protections to companies sharing threat-detection data with each other and government agencies. CISA “is critically important both for our agencies that keep the country safe and the institutions that hold millions of Americans’ personal information,” said Sen. Richard Burr (R-NC). [CNET]

US – Senators Introduce Data Broker Legislation

Sens. Edward Markey (D-MA), Richard Blumenthal (D-CT), Sheldon Whitehouse (D-RI) and Al Franken (D-MN) have reintroduced legislation requiring “accountability and transparency for data brokers who are collecting and selling personal and sensitive information about consumers.” The Data Broker Accountability and Transparency Act (S 668) would allow consumers “to order the companies to stop using, sharing or selling data about them for marketing purposes,” and includes provisions for the FTC “to write regulations setting up a centralized website for people to easily understand their rights and get information about the companies.” Consumer Watchdog has endorsed the bill, while the Direct Marketing Association is opposing it. [Full Story]

US – Virginia Limits Retention Time for License Plate Reader Data

Virginia’s governor has signed legislation that limits the length of time law enforcement in that state may retain license plate reader data to seven days. While New Hampshire has banned license plate data collection altogether and Maine has set a 21-day retention limit, many other states have set no formal limits. The Virginia law allows the data to be retained more than seven days if they pertain to an active and ongoing criminal investigation. The law takes effect July 1, 2015. [Ars Technica]

US – CA Senator Proposes State Chief Data Officer

California Sen. Richard Pan (D-Sacramento) wants to overhaul the state’s open data portal and create the role of a chief data officer reporting to the secretary of the Government Operations Agency as leader of the effort. Pan’s bill “would task the governor with naming a chief data officer no later than Jan. 1, 2016, and require at least 150 data sets to be published on the statewide open data portal by 2017,” the report states. The bill also seeks the creation of “a statewide open data roadmap” and calls for all data inventoried by state agencies to be published on the data portal by 2022. [Techwire]

US – MN Privacy Amendment One Step Closer to Voters

The Minnesota House Government Operations and Elections Policy Committee has given HF 327, a bill seeking to give Minnesota voters “an opportunity to amend their state constitution in order to reject significant parts of mass surveillance programs by both state and federal government officials,” a recommendation of “do pass.” HF 327 would allow Minnesota voters the chance to amend the state constitution and add references to protecting “electronic and communications data” against “unreasonable searches and seizures.” The report notes the addition “would make emails, phone records, Internet records and other electronic information gathered without a warrant inadmissible in state court.” [TenthAmendment]

US – Illinois AG Pushing for Stricter Breach Notification Law

While Illinois already has a law on the books mandating data breach notification, dating from 2005, Attorney General Lisa Madigan has unveiled, with Sen. Daniel Biss (D-District 9) and Rep. Ann Williams (D-District 11), an updated law that would expand the type of information requiring notification to include medical information, geolocation data, marketing data and much more. The law would also require that companies take “reasonable” steps to protect data. The move comes “after 67 million personal records were hit last year,” the report states. [Full Story]

US – Other Legislative News

+++

15-28 February 2015

Biometrics

WW – Breakthrough in Facial Recognition: The ‘Deep Dense Face Detector’

The technology has developed over the last 14 years, and the recent breakthrough coming out of the Yahoo/Stanford team is based on a new approach, springing from advances made recently in a type of machine learning known as a deep convolutional neural network. To train their neural net, Farfade and the other researchers created a database of 200,000 images, including faces at various angles and orientations, plus another 20 million images without faces. They then fed their neural net batches of 128 images at a time, over 50,000 iterations. The result is what the team calls the Deep Dense Face Detector: an algorithm that can spot faces set at a wide range of angles, even when partially occluded by other objects, such as the hands and head that are blocking Jolie’s face in the image. [Source]

WW – New Face-Detection Algorithm Could Revolutionize Search

A new face-detection algorithm could revolutionize image searches online. Traditional facial detection methods involved a head-on photo, but new methods dependent on deep convolutional neural networks can capture and detect faces from several different angles. The team of researchers who have developed the technology call it Deep Dense Face Detector. “The great promise of this kind of algorithm is in image search,” the report states, adding, “It is inevitable that this capability will be with us in the not-too-distant future.” Meanwhile, Built in Chicago reports on facial recognition technology developed by startup Verie. The app verifies an individual by using his or her face. The startup says such technology could be used to verify job applicants, lendees or potential dates. [MIT Technology Review]

WW – Neuro-Ethicist: Brain Data Must Be Protected

Technological advances “are making it easier than ever to measure, interpret and even reconstruct brain activity,” while the proliferation of wearables is creating “more ways to map our brainwaves than ever before,” and that means more opportunities for companies to mine that data. This presents an interesting question: Who owns brain data? Neuro-ethicist Paul Root Wolpe recently stressed the importance of setting up ground rules to protect cognitive privacy. For example, functional magnetic resonance imaging (fMRI) is beginning to be used for lie detection, the report states, and “it’s not unreasonable to expect police and other actors to use cognitive data in the future” to determine innocence or guilt. [Gizmodo]

Canada

CA – Bill C-51: Support for Anti-Terror Legislation But With Additional Oversight

Nearly half of Canadians say the draft law “strikes the right balance,” and fully one-third say it doesn’t go far enough. Four-in-five (82%) adult Canadians surveyed online by the Angus Reid Institute say they support the draft law, with fully one-quarter (25%) saying they “strongly” support C-51. Most Canadians (80%) profess to having at least heard about the legislation, and four-in-five respondents either strongly support (25%) or support (57%) Bill C-51. Opposition to the draft law stands at 17% in total, with just 5% saying they are “strongly” against the legislation. [Angus Reid] [Why Stephen Harper’s terror bill is so popular] [National Post View: We need parliamentary debate on Bill C-51] [Mulcair won’t commit to scrapping anti-terror bill, if ever in power] [“Total Information Awareness”: The Disastrous Privacy Consequences of Bill C-51] [Former justices, PMs express concern over lack of anti-terror oversight] [Former PMs call for more CSIS oversight as MPs debate anti-terror bill] [Bill C-51: Political battle lines drawn over anti-terror bill as election nears] [Anti-terror law shares information too easily, experts write] [NDP will oppose ‘overreaching’ terrorism bill, while Liberals offer support] [Anti-terrorism bill’s powers could ensnare protesters, Elizabeth May, MP fears] [Anti-terror Act: Would new bill protect your financial information?] [Bill C-51 moves us one step closer to the end of privacy: Forcese, Roach]

CA – Open Letter to Parliament: Amend C-51 or Kill it

The following is an open letter addressed to all members of Parliament and signed by more than 100 Canadian professors of law and related disciplines.

Dear Members of Parliament,

Please accept this collective open letter as an expression of the signatories’ deep concern that Bill C-51 (which the government is calling the Anti-terrorism Act, 2015) is a dangerous piece of legislation in terms of its potential impacts on the rule of law, on constitutionally and internationally protected rights, and on the health of Canada’s democracy.

Beyond that, we note with concern that knowledgeable analysts have made cogent arguments not only that Bill C-51 may turn out to be ineffective in countering terrorism by virtue of what is omitted from the bill, but also that Bill C-51 could actually be counter-productive in that it could easily get in the way of effective policing, intelligence-gathering and prosecutorial activity. In this respect, we wish it to be clear that we are neither “extremists” (as the Prime Minister has recently labelled the Official Opposition for its resistance to Bill C-51) nor dismissive of the real threats to Canadians’ security that government and Parliament have a duty to protect. Rather, we believe that terrorism must be countered in ways that are fully consistent with core values (that include liberty, non-discrimination, and the rule of law), that are evidence-based, and that are likely to be effective.

The scope and implications of Bill C-51 are so extensive that it cannot be, and is not, the purpose of this letter to itemize every problem with the bill. Rather, the discussion below is an effort to reflect a basic consensus over some (and only some) of the leading concerns, all the while noting that any given signatory’s degree of concern may vary item by item. Also, the absence of a given matter from this letter is not meant to suggest it is not also a concern.

We are grateful for the service to informed public debate and public education provided, since Bill C-51 was tabled, by two highly respected law professors — Craig Forcese of the University of Ottawa and Kent Roach of the University of Toronto — who, combined, have great expertise in national security law at the intersection of constitutional law, criminal law, international law and other sub-disciplines. What follows — and we limit ourselves to five points — owes much to the background papers they have penned, as well as to insights from editorials in the media and speeches in the House of Commons. [Source] SEE ALSO: [Bill C-51 defies key rulings on security certificates, lawyers say: Anti-terrorism bill muddies waters on disclosure rules for non-citizens] [Conrad Black: Alarm bells must ring in response to the government’s new anti-terror bill] [From opposition to retreat: Tom Mulcair and Bill C-51] [Conservatives extend anti-terror bill hearings after opposition filibuster] [Conservatives agree to more scrutiny of anti-terror bill after NDP filibuster] [Bill C-51 threatens to sacrifice liberty for security] [National Post View: Why are the Tories determined to rush C-51 through committee?] [C-51: Conservatives demand limit on anti-terror bill expert testimony] [Fighting the evil within: The case for and against the Anti-Terrorism Act]

CA – CSE Monitors Millions of Canadian Emails to Government

CSE, under its mandate to protect federal government computer networks, vacuums up emails sent to and from the government and monitors website traffic, looking for malware and intrusions. Canada’s electronic spy agency watched visits to government websites and collected about 400,000 emails to the government every day, storing some of the data for years, according to the 2010 document. Today’s volume is likely much higher given online traffic growth. Common online activities involving the government include Canadians filing their taxes, writing to members of Parliament and applying for passports. The program to protect government servers from hackers, criminals and enemy states is raising questions about the breadth of the collection, the length of retention and how the information could be shared with police and spy partners in other countries. Separately, Public Safety Minister Steven Blaney may have a fight or, at least, a filibuster on his hands at the House public safety committee, which is slated to start reviewing the government’s proposed anti-terror legislation this week. A New Democrat-driven filibuster could delay the bill. [Critics question how long data is stored and what it’s used for]

CA – Leaked Files Show Canadian Spy Agency Struggling With Flood of Data

Edward Snowden leaked documents to the CBC that reveal the massive amount of data Canada’s spy agency collects every day. The CBC revealed that the Communications Security Establishment, in 2010 documents, wanted a better computer system to deal with the 400,000 emails it collects every day. The emails are captured in a file format known as PCAP, which allows a government network administrator to record internet traffic in its entirety. The leaked files say the CSE is storing people’s messages on its servers for “days or months.” In one slide, a CSE employee says the servers can store up to 10 terabytes of emails a day — the equivalent of 2,128 DVDs. [Source]

CA – Spy Agency’s Review Group Can’t Perform ‘Oversight’ Role

During three days of lively debate in the Commons over the controversial anti-terror Bill C-51, Public Safety Minister Steven Blaney, Justice Minister Peter MacKay and other Conservative MPs have repeatedly characterized the Security Intelligence Review Committee (SIRC) as providing oversight of… the Canadian Security Intelligence Service (CSIS). Prime Minister Stephen Harper has done the same. Yet SIRC has no such mandate. “We review CSIS. We look at past activities,” to ensure they are lawful, appropriate and effective, SIRC’s Lindsay Jackson said. “Recently the terms ‘oversight’ and ‘review’ have become almost interchangeable but they do actually mean separate things. Direct oversight implies a certain amount of involvement in the active political decision-making or the operational decision-making, and we are not involved in the operational decision-making,” at CSIS. [Source]

CA – Fed. P. Commish Urges Caution Over Sex Offender Registry

There is research that supports the view that laws that reduce the privacy of sex offenders make rehabilitation and reintegration more difficult. Ultimately, this could increase the rate of recidivism. A publicly accessible database also creates a risk of vigilantism, as recognized on provincial dangerous offender websites such as the one in place in Alberta, and increases the risk that fears of being attacked or harassed will drive offenders underground. There is evidence that similar databases in the United States have led to the killing of sex offenders released in the community. [Appearance before the House of Commons Standing Committee on Justice and Human Rights (JUST) on Bill C-26, the Tougher Penalties for Child Predators Act]

CA – Privacy Commissioners Issue Guidelines for Police on Body-Worn Cameras

Federal, provincial and territorial privacy and personal information protection Ombudspersons and Commissioners issued guidance on law enforcement and the use of body-worn cameras. The guidance notes that a Privacy Impact Assessment, which can help identify and mitigate the potential risks to privacy and personal information, is a highly recommended best practice before launching a body-worn camera program. As well, law enforcement agencies can consult with data protection experts and undertake a pilot project before deploying the cameras broadly. The privacy commissioners’ guidelines point to many concerns, including whether recordings will be made in private homes, if citizens will be informed they are being captured on video, and whether police forces will adequately protect private information caught on camera. Among their recommendations are that recordings be protected by safeguards, such as encryption and strict retention periods. They also suggest rules aimed at minimizing the recording of innocent citizens and innocuous interactions with the public. [Press Release] [Source] [Guidance for the use of body-worn cameras by law enforcement authorities]

CA – Digital Privacy Act, Committee Hears from Federal Privacy Commissioner

Commissioner Therrien told the committee most people — and especially children and recent immigrants — aren’t always able to understand the language used in statements of terms and conditions. That has given rise to questions about whether such “vulnerable people” — as they were referred to by the committee — can legally give consent to the collection of their information. “(S-4) has a potential of improving the definition of consent from children,” he said, noting his office has had to deal with privacy complaints involving children before and recommendations have been made to businesses to use plainer language in the service agreements. “To have this clearly in legislation, that you must think about your clientele, would be useful.” [Source] A new plan out of Ottawa would boost information-sharing between Canadian immigration and border enforcement officials, Employment Canada, Revenue Canada, the RCMP and provinces, [The Toronto Star].

CA – B.C. Should ‘Aggressively Pursue’ Body-Worn Cameras for Police

“Members concluded by strongly supporting the use of body-worn cameras in B.C., and calling on government in the consultation with police and non-police stakeholders to aggressively pursue the steps necessary to implement the use of body-worn cameras by B.C. police members,” the report reads. [Metro News]

Consumer

US – Consumer Awareness of AdChoices Up, Concerns About Targeted Ads

A new study conducted by Ipsos on behalf of TRUSTe has found that 68% of smartphone users are concerned about being served targeted ads, but consumer awareness of the AdChoices program is up 16% from last year. “Our research shows that the majority of Americans are still uneasy about having their online activity tracked for use in targeted ads, mainly because they feel like they have limited control,” said TRUSTe CEO Chris Babel. “The good news is that awareness of the AdChoices icon … has risen substantially and continues to have the potential for positive impact on consumer attitudes.” [Full Story]

US – DAA Launches Two Privacy Control Tools for Consumers

The Digital Advertising Alliance (DAA) has launched two new tools to help consumers locate and opt out of behavioral advertising. “AppChoices” and the “DAA Consumer Choice Page for Mobile Web” intend to increase transparency and choice for online users. The DAA is offering AppChoices on Google Play, the Apple App Store and the Amazon Store. “Our new mobile choice tools deliver the same reliable, independently enforced, privacy-control experience where consumers and brands engage, both across the Internet and on the go,” said DAA Executive Director Lou Mastria. [Source]

E-Mail

WW – How Would Your Company Rate for Email Security?

The best industry for email security? Social media. The worst? Healthcare. Such are the findings of a survey conducted by Agari, which assessed the security of 147 businesses’ email communications, judging them on how they employ the three major email authentication protocols: Sender Policy Framework (SPF), which publishes the hosts allowed to send mail for a domain; DomainKeys Identified Mail (DKIM), which cryptographically signs messages; and Domain-based Message Authentication, Reporting and Conformance (DMARC), which tells receivers what to do with mail that fails both checks and where to send reports. As many of the world’s largest data breaches were reportedly the result of a targeted phishing attack, email security is becoming an important front line in the cybersecurity battle. [Fortune]
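The kind of posture check the survey describes, as an added example that is not part of the original article and not Agari’s method or data: it reads a domain’s SPF, DKIM and DMARC TXT records, parses them, and scores how much a spoofed message would actually be rejected. The DNS data is constructed inline in place of live lookups, the domain names and the `s1` selector are assumptions, and the scoring weights are my own. The usual caveat applies: DKIM selectors are only discoverable from headers of real mail, so a single-selector check can undercount.

```python
import re

# Constructed DNS TXT data standing in for live lookups (illustrative only).
# Keys are DNS names; values are the TXT strings published there.
SAMPLE_DNS = {
    "bank.example": ["v=spf1 include:_spf.mailer.example -all"],
    "_dmarc.bank.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@bank.example; pct=100"],
    "s1._domainkey.bank.example": ["v=DKIM1; k=rsa; p=CONSTRUCTEDBASE64KEY"],
    "clinic.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],   # no DMARC, no DKIM published
    "shop.example": ["v=spf1 +all"],
    "_dmarc.shop.example": ["v=DMARC1; p=none"],
}

# SPF terms that cost a DNS lookup (RFC 7208 caps these at 10 per evaluation).
SPF_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?::|=|/|$)", re.I)

def _tags(record):
    """Parse the 'k=v; k=v' tag lists used by DMARC and DKIM records."""
    out = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            out[k.strip().lower()] = v.strip()
    return out

def parse_spf(txts):
    for t in txts:
        if t.lower().startswith("v=spf1"):
            terms = t.split()[1:]
            all_term = next((x for x in terms if x.lstrip("+-~?").lower() == "all"), None)
            qualifier = None
            if all_term:
                qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
            return {"present": True, "all": qualifier,
                    "lookups": sum(1 for x in terms if SPF_LOOKUP_TERM.match(x))}
    return {"present": False}

def parse_dmarc(txts):
    for t in txts:
        tags = _tags(t)
        if tags.get("v", "").upper() == "DMARC1":
            return {"present": True, "policy": tags.get("p", "none").lower(),
                    "pct": int(tags.get("pct", "100")), "reporting": "rua" in tags}
    return {"present": False}

def parse_dkim(txts):
    for t in txts:
        tags = _tags(t)
        if "p" in tags and tags.get("v", "DKIM1").upper() == "DKIM1":
            return {"present": True, "revoked": tags["p"] == ""}  # empty p= means revoked (RFC 6376)
    return {"present": False}

def assess_domain(domain, dns=SAMPLE_DNS, selector="s1"):
    """Score a domain's SPF/DKIM/DMARC posture from its published records."""
    spf = parse_spf(dns.get(domain, []))
    dkim = parse_dkim(dns.get(f"{selector}._domainkey.{domain}", []))
    dmarc = parse_dmarc(dns.get(f"_dmarc.{domain}", []))
    score, findings = 0.0, []
    if spf["present"]:
        score += 1
        if spf["all"] == "-":
            score += 1
        elif spf["all"] == "~":
            score += 0.5
            findings.append("SPF ends in ~all (softfail): unlisted senders are tolerated, not rejected")
        elif spf["all"] == "+":
            findings.append("SPF +all authorizes every host on the Internet to send as this domain")
        else:
            findings.append("SPF has no 'all' term, so unlisted senders evaluate as neutral")
        if spf["lookups"] > 10:
            findings.append("SPF exceeds the 10 DNS-lookup limit and will permerror at receivers")
    else:
        findings.append("no SPF record")
    if dkim["present"] and not dkim["revoked"]:
        score += 1
    else:
        findings.append(f"no usable DKIM key at selector '{selector}'")
    if dmarc["present"]:
        score += 1 + {"reject": 2, "quarantine": 1}.get(dmarc["policy"], 0)
        if dmarc["policy"] == "none":
            findings.append("DMARC p=none only monitors; spoofed mail is still delivered")
        if dmarc["pct"] < 100:
            findings.append(f"DMARC applies to only {dmarc['pct']}% of failing mail")
        if not dmarc["reporting"]:
            findings.append("no rua= address, so the domain receives no aggregate reports")
    else:
        findings.append("no DMARC record")
    grade = "strong" if score >= 5 else "partial" if score >= 2 else "weak"
    return {"domain": domain, "score": score, "grade": grade, "findings": findings}

if __name__ == "__main__":
    for d in ("bank.example", "clinic.example", "shop.example"):
        print(assess_domain(d))
```

Swapping `SAMPLE_DNS` for a resolver call (one TXT query per name) turns this into a live check; the grade deliberately rewards the policy that makes receivers reject (`-all` plus `p=reject`) over the mere presence of a record, which is the difference the survey is drawing.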

CA – CRTC Levies 1.1M Spam Fine

nNovation Partner Shaun Brown discusses the Canadian Radio-television and Telecommunications Commission announcement of its first Notice of Violation under Canada’s Anti-Spam Legislation, including a $1.1 million penalty.

Encryption

UK – Alleged Cyber Criminal Will Not Give Up Encryption Keys

A British man accused of breaching systems at NASA, the FBI, and the US Federal Reserve is refusing to surrender cryptographic keys that would allow authorities in the UK to access devices seized after his October 2013 arrest. Lauri Love is facing charges in three federal districts in the US. He is planning to petition a UK court to compel the National Crime Agency (NCA) to return the computers and data storage devices. [Ars Technica] [BBC]

WW – New Level of Encryption Boosts Browsing Privacy

CloudFlare is deploying a new cipher suite to improve the security, privacy and speed of the websites it fronts. ChaCha20-Poly1305, as it’s called, was previously used only by Google; all CloudFlare websites now support it, the report states, and at the moment about 10% of CloudFlare HTTPS connections are using it. Because Poly1305 authenticates every TLS record as well as encrypting it, the suite also protects TLS against attackers inserting or altering messages in a secure stream. [ZDNet]

EU Developments

EU – Italian DPA to Audit Google on U.S. Soil

Google will be the subject of regular checks by the Italian Data Protection Authority (DPA) to monitor the status of its actions to bring its platform into line with domestic legislation. Italy’s DPA approved the verification protocol referred to in its order of July 2014 to Mountain View. The protocol envisages quarterly updates on progress status and empowers the DPA to carry out on-the-spot checks at Google’s U.S. headquarters to verify whether the measures being implemented are in compliance with Italian law. Is allowing a DPA onto foreign soil for spot checks a sovereignty issue? Without commenting on the Google case specifically, Hunton & Williams’ Lisa Sotto wondered “how welcome the FTC would be if the commission sought to audit Banca d’Italia in Rome. Of course, companies can voluntarily agree to DPA visits, but there certainly would be significant and complex jurisdictional questions should a foreign DPA seek to compel an audit in another country without the agreement of the company.” [Full Story]

EU – Report: Facebook Privacy Policy Still Violates EU Law

A report from the Belgian Privacy Commission says Facebook is acting in violation of European law, despite updating its privacy policy. The study, which was conducted by the Centre of Interdisciplinary Law and ICT at the University of Leuven in Belgium, found Facebook’s privacy policy update last month “only expanded older policy and practices” and still violates EU consumer protection law. The authors said Facebook’s policies on profiling for third-party advertising don’t meet the requirements for legally valid consent and the social network “fails to offer adequate control mechanisms” for the use of user-generated content for commercial purposes. [The Guardian] [WSJ: The Sharpest Jabs From the Facebook Privacy Report] The 61-page “critical analysis” of Facebook’s revised policies says the social network fools its users into thinking they have more control over data and privacy than they actually do. Facebook says it has made its rules clearer and that it is confident it complies with all laws.

UK – ICO Fines Travel Insurance Company Over Breach

The UK Information Commissioner’s Office (ICO) has fined travel insurance company Staysure GBP 175,000 (US $270,000) for lax website security that resulted in 100,000 payment cards being compromised. Of those, about 5,000 were used fraudulently. The breach occurred in October 2013. The ICO’s ensuing investigation focused on Staysure’s lack of effective IT update policies in place at the time. Staysure says it has improved its security posture. [v3.co.uk]

EU – New EU Privacy Rules to Allow Challenges to Irish Regulator

Under a “one-stop-shop” mechanism initially proposed in reforms of EU data protection laws, businesses operating across the 28-nation bloc would only have had to deal with the data protection authority in the country where they are headquartered or have their main European base – even if the alleged mishandling of data affects citizens in another country. But opposition from some member states that do not want their national regulators to lose policing powers over multinationals such as Google, with an Irish base, led to the proposal being altered so that any “concerned” authority could object to a decision. …A majority of member states agreed to scrap an option requiring at least a third of concerned authorities to object, diplomats said, potentially giving a single “concerned” authority the right to complain. [Source]

EU – Regulation May Be Moving Away from One-Stop-Shop Mechanism

“Ireland will not retain sole control over privacy disputes involving companies such as Facebook and Apple under new rules agreed allowing any of its European peers to challenge Irish rulings.” Had the proposed one-stop-shop mechanism been approved as first drafted, businesses operating in the EU would only have dealt with the regulator where they have their primary European base. But, according to anonymous sources, member states that did not want their regulators to lose policing powers over multinationals pushed for a change allowing any concerned authority to object to a decision, triggering the intervention of the still-to-come European Data Protection Board, the report states. Ministers still have to sign off on Wednesday’s decision when they meet next month. [General Data Protection Regulation may be moving away from a one-stop-shop mechanism]

US – U.S. Companies Better Work Harder at Data Protection

European Commissioner for Digital Economy and Society Günther Oettinger said the EU should create a single law to protect its citizens’ data from Facebook and Google. “Americans are in the lead. They have the data, the business models and the power,” Oettinger said. “They come along with their electronic vacuum cleaner and suck up all the data, take it back to California, process it and sell it as a service for money.” He warned tech giants must do more to comply with the EU’s strict data protection rules or face being “thrown out of the single market.” [USA Today]

UK – First Data the First With Double BCRs Through ICO

U.S.-based First Data began its effort to win approval for its binding corporate rules (BCRs) in 2007, back when the process was young and still evolving. This month, the UK Information Commissioner’s Office (ICO) officially recognized the multinational payment solutions company’s BCRs for data processors. Now able to