01-15 January 2015

Big Data

US – Federal Study Says Mass Data Collection Irreplaceable

The National Academy of Sciences has released an in-depth report informed by communications and cybersecurity experts as well as former intelligence officials concluding that there is no effective alternative to bulk data collection for intelligence purposes. According to the study, “no software-based technique can fully replace the bulk collection of signals intelligence.” However, the report did conclude there are ways to “control the usage of collected data” including, notably, placing strong privacy protections on the collected data once it’s in the government’s hands. [The New York Times]

WW – Big Corps Want to Know How You Feel; Defense Contractors Are Happy to Help

It’s no secret that businesses track consumers online and study social media to learn more about their shopping habits. But the public backlash against Sony after its response to being hacked, criticism of Target’s handling of its 2013 cyberattack and other examples of corporate embarrassment have put a spotlight on another type of analysis — measuring public sentiment about a business. Now, contractors that traditionally performed this type of work for government intelligence agencies are offering their skills to large corporations. Corporations are increasingly looking for early warnings to manage potential disruptions. Not everyone is excited by the prospect. The thought of government contractors offering intelligence-level expertise to corporations worries some privacy advocates. “This is the creation of a digital blacklist,” said Jeffrey Chester, who leads the Center for Digital Democracy. “A system designed for defense use should not be unleashed on the everyday goings-on of Americans.” [The Washington Post]

US – Why Uber Is Sharing Ride Data With the City of Boston

Uber said it will begin sharing trip data with the city of Boston with the goal of helping to reduce traffic congestion and assist urban planners. Under the first-of-its-kind deal, the car booking app said it will give city officials granular reports about every trip taken with Uber in the city. Riders’ personal information will not be included in the report, Uber said. What city officials will see, according to Uber, is an anonymized report showing the time, date and ZIP code of where a rider was picked up and where and when their trip with Uber ended. The data will also allow city planners to study the duration of the ride and come up with solutions to ease traffic congestion, including adding more public transportation options. [ABC News]

US – Pasquale on the Black Boxes of Data-Mining

Author Frank Pasquale discusses the lack of transparency and redress in big data profiling, both for students and employees. Though he applauds President Barack Obama’s privacy initiatives rolled out earlier this week, Pasquale writes, “it’s time for policy-makers to aim higher” because, through big data algorithms, individuals can easily be stigmatized without knowing they’ve been flagged as a high-risk student or employee. “Students should not be ranked and rated by mysterious computer formulas,” he writes, adding, “They should know when they’ve been marked for special treatment.” [Los Angeles Times]


CA – Watchdog to Study ‘Privacy Compliance’ Among Canadian Advertisers

The Office of the Privacy Commissioner of Canada is launching a research project to examine advertising on popular websites in Canada. The goal is to determine whether advertisers are complying with Canadian privacy laws. As “big data” becomes more crucial to advertisers who hope to reach consumers with messages that might be relevant to their needs, the industry has also been working to ease concerns about privacy. Industry groups representing Canadian advertisers and their agencies launched a self-regulatory group, the Digital Advertising Alliance of Canada (DAAC), in 2013. Despite the publication of the OPC’s guidelines, and the launch of the DAAC, “informal observations of major websites viewed by Canadians show that privacy compliance may still be an issue,” Privacy Commissioner Daniel Therrien wrote in a letter to the Interactive Advertising Bureau of Canada in mid-December, giving notice of the upcoming study. Similar letters were sent to the other industry groups including the DAAC. Results of the study will likely be published in the spring. [The Globe and Mail]

CA – New Sask. Privacy Commissioner to Continue Pushing for Police to Be Included in Legislation

For 10 years, former privacy commissioner Gary Dickson regularly recommended that municipal police be brought under the authority of Saskatchewan’s privacy legislation. His successor, Ronald Kruzeniski, intends to do the same. Aside from Prince Edward Island, which doesn’t have a Local Authority Freedom of Information and Protection of Privacy Act (LAFOIPP), Saskatchewan is the only province in Canada in which municipal police aren’t legislated under access and privacy laws. The RCMP, which operates in smaller centres in the province, is covered under federal privacy laws. This means anyone wishing to get access to municipal police information or file a privacy complaint through Kruzeniski’s office is unable to do so. Citizens wishing to file complaints with municipal police can currently do so through the Public Complaints Commission. Kruzeniski intends to officially make the recommendation at some point this year, and plans to meet with the Saskatchewan Association of Chiefs of Police. [Leader-Post] SEE ALSO: Ontario Acting Privacy Commissioner Brian Beamish “is calling for changes in legislation to make it harder for hospitals to handle privacy breaches internally without reporting them to the privacy office.” [Hospitals should report privacy breaches to commissioner: Editorial] [ON: Hundreds of hospital privacy violations go unreported]

CA – RCMP Refusing to Pay Rogers’ New Cellphone Fees

The RCMP and many other police forces are refusing to pay new fees imposed by Rogers Communications for helping track suspects through their mobile phones. Police say the telecommunications firm is legally obligated to provide such court-ordered services and to cover the cost as part of its duty to society. Rogers says while it picks up the tab for most judicially approved requests, in some cases it will charge a minimal fee. The quietly simmering dispute underscores long-standing tensions over who should pay when police call on telephone and Internet providers to help investigate cases. Although they have concerns about the new Rogers fees, the Mounties did pay more than $2 million to telecom firms in 2012-13 in connection with customer information and intercept-related activities, the force says. [The Star]

CA – Debate Shaping Up About New Law to Fight Terror in Canada

Only 17 people have been convicted of terrorism and related offences in Canada since 2001. Five others await trial in three separate cases. In July, a sixth Canadian was charged with taking up arms in Syria and has not returned to Canada. Conservative Senator Dan Lang, chair of the Senate’s national security and defence committee, and other politicians are demanding to know why the numbers are so relatively low compared with the United States and Britain. This past week, while expressing solidarity with France over the shooting attack on the Paris office of satirical magazine Charlie Hebdo, Prime Minister Stephen Harper said a new anti-terrorism bill giving the state additional powers to watch, detain and arrest extremists will be tabled shortly after Parliament resumes in late January. [The Ottawa Citizen] SEE ALSO: [Legislation will be tabled this month that “will provide national security agencies with explicit authority to obtain and share information that is now subject to privacy limits”]

CA – Serious Offenders Among Dozens Mistakenly Released From Ontario Jails

Prisoners who were supposed to be locked up on charges of attempted murder, sexual assault, armed robbery and assault with a weapon were mistakenly released from Ontario jails during the last six years. In total, 98 prisoners were freed prematurely between 2009 and 2013, mostly because of clerical errors. Four of these prisoners committed new offences while they should have been behind bars, the government acknowledged for the first time in December. [Toronto Star]

CA – Torontonian Uses Big Data and Privacy Expertise to Create Anonymous Index of Sexual Assault

Lauren Reid is a 30-year-old Toronto resident using her professional background in big data and privacy to push for a national, anonymous, user-controlled and self-reported database on sexual assault. It is an ambitious project, unprecedented in its scope, but it comes with its own set of complicated challenges and concerns. “The goal is to create a database that allows us insights into ‘Why didn’t you report it?’” among other things, and also try to gauge how many people are sexually assaulted more than once, if people didn’t know it was rape at the time, if they were drinking or drugged and so on. Users would enter their stories and add or change information any time. The database would need to maintain clear definitions of sexual assault, she said, and it would be fully anonymous — no naming of names allowed. Even those who support the intention of such a database worry about privacy concerns, legal implications and false reports. “The purpose is to generate knowledge about a problem,” Ms. Reid said. “It isn’t to prosecute people.” [National Post]

CA – To Guard Government Computers from Hacking, Ottawa to Spend $100-Million on Security

Ottawa will spend as much as $100-million to safeguard Canadian government computers after a Chinese state-backed hacker broke into the National Research Council’s system last summer – and the 2015 budget is expected to help underwrite the bill for upgrading network security. There’s a request from inside government for extra money in the 2015 federal budget to fund long-term cyberprotection measures. This request is a sign of how seriously the increased threat of Chinese state hacking is being taken inside Ottawa. [The Globe and Mail] [CA – Canadian passports stolen at gunpoint in Caracas]

CA – Search Warrants’ Surge Denounced by Defence Lawyer

Search warrants have become much too easy for Toronto police to obtain, says a veteran defence lawyer who is calling on the courts to “bring some control to the situation that’s become like the Wild West.” New documents show the number of search warrants executed by Toronto police has almost tripled in a nine-year period. In roughly half the cases, nothing illegal was found and no charges laid. A 50% “failure rate” is a “huge problem,” lawyer David Bayliss said. [Toronto Star] [Interview: Privacy guru Ann Cavoukian] [ON: Hundreds Of Hospital Privacy Violations Go Unreported] and [Mondaq News: $7,500 in Damages Awarded for Intrusion Upon Seclusion] AND [Canadian Lawyer Magazine: Is Google Search Evidence Admissible?]

CA – Auto Lenders Quietly Install a Digital Repo-Man

A little-known black box buried in the guts of many GTA vehicles makes drivers with poor credit the hapless targets of what is becoming a 24-hour surveillance culture. Known as a starter interrupter, the GPS-equipped, wallet-sized box is popular with auto loan companies: If the owner stops making payments, the lender can send a signal to the box, disabling the vehicle by shutting off the starter. The GPS function also allows for tracking the customer’s movements. Thousands of starter interrupters have been on the roads in Canada for years, but in Ontario, little has been said about how they’re used and the information they allow lenders to collect. Consumer protection laws have curtailed their use in Quebec, and serious questions are being raised about their safety in the United States, following reports about moving cars being shut down remotely. [Toronto Star]


US – Art Indicates Teens Have Complex Understandings of Privacy Threats

Privacy Illustrated, a project Carnegie Mellon University (CMU) researchers unveiled last week, includes art submitted by 175 people from kindergarteners to senior citizens, but some of the most complex images on threats to privacy came from teens. “Teens actually value privacy a lot, but their threat models are very different from adult threat models,” said Lorrie Faith Cranor, director of CMU’s CyLab Usable Privacy and Security Lab, who led the initiative. According to the teens’ drawings, they’re “acutely concerned about prying parents, siblings and schoolmates and worried about a spying government.” [Pittsburgh Post-Gazette] [The New York Times: ThinkUp Helps the Social Network User See the Online Self]

WW – Apple Spotlight Runs Roughshod Over Mail Privacy Settings

Apple’s Spotlight desktop search engine in OS X Yosemite ignores privacy settings in the Mail email client. The search results could include pictures and other files linked to email messages, even if users have told Mail not to load remote content. HTTP requests sent to the pages hosting the content will reveal users’ IP addresses. Users can prevent this leak by unchecking “Mail & Mailboxes” in Spotlight System Preferences. [The Register] [ComputerWorld] [ArsTechnica]


WW – Beware Governments’ ‘Big Data’ Promises

The so-called ‘Big Data Revolution’ has governments enthralled. The BC government sees itself as a leader in bringing about ‘transformation’ with the use of data. The promises are that 1) the government is going to free itself up in its use of citizens’ personal data and this will bring convenience and make money, and 2) the government is going to free up government data and this will bring transparency and ‘digital engagement,’ and make money too. The data will be free and we will be wiser, happier and richer. At least, that’s what the glossy brochure says. You may not be too surprised to discover it’s not actually working out quite that way on the ground. In actual practice, part of this formula looks a lot like old ‘e-government’ initiatives that have been soundly criticized for costly failures and privacy fiascos. [British Columbia Civil Liberties Association]

Electronic Records

CA – City, Province to Work on Electronic Patient Reporting Across Manitoba

The way Winnipeg deals with electronic records for patients could eventually be used province-wide. This week, a city committee approved a motion for the province and city to work together to have the city’s electronic patient care system implemented across the province. Winnipeg Fire Paramedic Service Chief John Lane said Winnipeg was one of the first municipalities in Canada to use the electronic system. He said most other places use paper-based record keeping. The system uses Bluetooth to send the information from emergency crews to hospitals, and “provides absolutely seamless record keeping in terms of care,” Lane said. In 2013, the province reviewed its emergency medical services, and one of the recommendations was to find a common platform to be used across Manitoba to capture patients’ records electronically. The committee passed a motion that will allow the Winnipeg Fire Paramedic Service to start working with the province on a potential rollout of their system across the province. [CBC News]


UK – UK PM Wants to Ban Encrypted Communication

UK Prime Minister David Cameron has said that if he wins reelection, he will initiate legislation that would provide law enforcement with a means to access private, encrypted online communications. Under the plans put forth by Cameron, encrypted messaging services such as WhatsApp, iMessage, Skype and CryptoCat would not be legal. “The first duty of any government is to keep our country safe and our people safe,” he said. Privacy International’s Mike Rispoli said, “The UK simply cannot command foreign manufacturers and providers of services … to accommodate the desires of British spies.” In a blog post, Cory Doctorow wrote, “there’s no back door that only lets the good guys go through it.” [Computerworld] Cameron is urging President Obama to pressure Apple, Google and Facebook to stop using stronger encryption in their communications products. An article published in The Guardian includes details from a 2009 report from the US National Intelligence Council that has surfaced; the report expresses concern that both government and private computers are not adequately protected because encryption is not being implemented as quickly as it ideally should be. [ZDNet] [CNET] [The Register] [Ars Technica] [Ars Technica] [David Cameron seeks cooperation of US president over encryption crackdown]

US – New York Prosecutor Calls for Law to Fight Apple Data Encryption

Apple Inc. and Google Inc. should be legally required to give police access to customer data necessary to investigate crimes, New York County’s top prosecutor said. Federal and state governments should consider passing laws that forbid smartphones, tablets and other such devices from being “sealed off from law enforcement,” Manhattan District Attorney Cyrus Vance said today in an interview at a cybersecurity conference in New York. Apple and Google’s mobile operating systems together accounted for more than 95% of smartphone shipments through the first three quarters of last year. [Bloomberg]

UK – PM Makes Apple CEO Tim Cook a Global Privacy Champ

“I want to be absolutely clear that we have never worked with any government agency from any country to create a backdoor in any of our products or services,” Apple CEO Tim Cook wrote last year. “We have also never allowed access to our servers. And we never will.” Now, it looks like Apple will need to fight to maintain customer privacy, as British Prime Minister David Cameron wants to ban services that encrypt messages so they cannot be intercepted by spies, criminals or anyone other than those in the conversation. This directly impacts Apple’s iMessage and FaceTime, which offer end-to-end encryption. [computerworld.com]

EU – Paris Airport Security Made Security Expert Decrypt Laptop Hard Drive

When security expert Katie Moussouris was traveling through Paris’s Charles de Gaulle airport on her way back to the US after a conference, she was asked by security personnel there not only to power up her laptop, but also to enter her passwords to decrypt the machine’s hard drive. The laptop was not confiscated. [The Register]

EU Developments

EU – New Data Privacy Law Could Be Delayed Until 2016

Europe’s long-awaited new data protection law may be delayed until 2016, partly because of resistance by the UK Government. That’s the warning last week from MEP Jan Philipp Albrecht, vice chairman of the European Parliament committee overseeing the bill. The new General Data Protection Regulation (GDPR) is due to be finalised by the end of 2015 – but failure to agree the new rules is leaving European citizens exposed to snooping from foreign and European intelligence agencies and companies, Albrecht said. At a 7 January briefing in the European Parliament, he warned that delays to the law – which was first proposed in 2012 and has been hit by nearly 4,000 amendments – are “bad for democracy”. [SC Magazine]

UK – Theresa May: Data Law Could Have Helped Catch More Paedophiles

The home secretary, Theresa May, has told a child abuse summit that so-called snooper’s charter laws could have helped law enforcement officers catch more paedophiles online. May told representatives from more than 50 countries, 23 technology companies and nine non-governmental organisations that gaps remained in law enforcement and intelligence agencies’ capabilities to track down child abusers. Last month new powers were announced for police to force internet firms to hand over details that could help identify suspected terrorists and paedophiles. The counter-terrorism and security bill will oblige ISPs to retain information linking internet protocol addresses to individual users. [The Guardian] SEE ALSO: [UK Prime Minister David Cameron has called for a ban on encrypted communications] [French data protection authority, the CNIL, published its standard defining accountability in practice, and companies demonstrating compliance will receive accountability seals from the data protection authority] [the CNIL has issued new standards for call-monitoring and recording by employers] AND [In The Netherlands next month, the District Court of the Hague will hear a legal challenge of the Dutch data retention law “filed by a broad coalition of organizations.”]

EU – Finland Gets Tough on Privacy

Finland is cracking down on social media and online messaging providers ahead of a big European Union review. On 1 January, the ‘Information Society Code’ passed into law. The Code is a major new umbrella act revising the country’s electronic communications legislation, which has four main goals: simplifying existing rules; improving consumer protection; boosting information security; and creating more equal telecoms markets. The greatest potential consequence of the Information Society Code comes from its increased regulatory powers over the information society. Most notable is the new requirement that confidentiality-of-communications rules apply to all electronic communication distributors, including social media companies. [zdnet.com]

UK – Wellers’ Child Privacy Case: Peers Urged To Change Law

It follows a campaign by the wife of the rock star Paul Weller, who won a high court battle last year over unpixelated photos of their children published by a newspaper website. Hannah Weller’s cause is being supported by the Labour peer Angela Smith, who raised it in the Lords. The government said a balance had to be struck between privacy and free speech. Hannah Weller set up a campaign group to make it illegal to publish unpixelated pictures of children without parental consent. She insists there would be exceptions granted for pictures published in the public interest, those taken of a crowd or where there is implied consent, such as a red carpet event. The Labour peer and Shadow Home Office Minister, Angela Smith, is supporting the campaign, arguing that civil law could be changed to prevent specific abuses of privacy without threatening free speech. [BBC News]

EU – IRE: Concern Over Personal Info Database for Every Primary Student

Concern is being expressed about a new Primary Online Database being established by the Department of Education. Under the plan, all children’s PPS numbers along with details of their religion and ethnic backgrounds will be included on the database, which the Department said will be used to develop education policy into the future. Parents of all primary school children are being sent letters outlining how the new POD will work and what information will be stored; the letter states that the information will be kept until the child reaches the age of 30. The Department claims the database will eliminate the existing annual school census, facilitate transfers between schools, and keep track of students who do not go on to secondary school. [breakingnews.ie]


US – Marriott to Stop Blocking Personal Wi-Fi Hotspots

Marriott International will no longer block personal wi-fi hotspots in its hotels. The US Federal Communications Commission (FCC) investigated the issue after a customer complained, and found that a hotel in Tennessee was using a monitoring system that de-authenticated guests’ hotspots. The FCC fined Marriott US $600,000. Marriott believed it was acting within its rights to block the hotspots and maintained that blocking customers’ wi-fi hotspots was a security measure. [BBC] [Silicon Republic] See also: [Manitoba: Hotel Wi-Fi exposes woman’s passport, credit card numbers]

US – Writers Say They Feel Censored by Surveillance

A survey of writers around the world by the PEN American Center has found that a significant majority said they were deeply concerned with government surveillance, with many reporting that they have avoided, or have considered avoiding, controversial topics in their work or in personal communications as a result. The findings show that writers consider freedom of expression to be under significant threat around the world in democratic and nondemocratic countries. Some 75% of respondents in countries classified as “free,” 84% in “partly free” countries, and 80% in countries that were “not free” said that they were “very” or “somewhat” worried about government surveillance in their countries. Smaller numbers said they avoided or considered avoiding writing or speaking on certain subjects, with 34% in countries classified as free, 44% in partly free countries and 61% in not free countries reporting self-censorship. Respondents in similar percentages reported curtailing social media activity, or said they were considering it, because of surveillance. [nytimes.com]


US – SEC Considers CyberSecurity Disclosure Rules

The Securities and Exchange Commission (SEC) is “advancing measures” that would require publicly owned businesses to share more data about their cybersecurity vulnerabilities, including data breaches. The move would likely prompt businesses to tighten their security because the public would know how well companies are protecting data. “It’s a harbinger of what’s to come, and I think it will change the way companies think about and report on cyber,” said Squire Patton Boggs’ Norma Krayem. Former Securities and Exchange Commissioner Roberta Karmel said, “It’s kind of a recent trend that Congress seems to think federal security laws should cover absolutely everything that goes on in terms of the conduct at public companies.” [The Hill]

US – Regulator Criticized for Breach Response

In the wake of a breach during a regulatory exam, a federal banking regulator is getting a chilly reception to its plans to consider new rules related to encryption of data shared with examiners. Michael Fryzel, a former NCUA chairman, says consideration of a new encryption regulation is premature. Instead, the NCUA should focus on establishing a working group to review the agency’s security practices during examinations, he says. [bankinfosecurity.com]


MB – Refusal to Release Info Revisited

The City of Winnipeg is rethinking its refusal to divulge part of the rationale for pursuing the $210-million Winnipeg police headquarters project. The ombudsman’s report grew out of a February 2014 Free Press request for information that led city officials to recommend purchasing the Canada Post building in 2009 and renovating it into a new police headquarters instead of fixing the Public Safety Building. The city denied access the following month, prompting the complaint to the ombudsman. After nine months of investigating, the ombudsman concluded that while the city could invoke the “advice to a public body” exception, it did not provide any reason why it made that decision and predetermined its decision as a refusal. Mayor Brian Bowman made a campaign promise to stop the city from the frequent use of the discretionary exceptions as a means of denying access-to-information requests. [winnipegfreepress.com]


WW – New DNA Technique May Reveal Face of Killer in Unsolved Double-Murder

There were no witnesses to the gruesome murder of a South Carolina mother and her 3-year-old daughter inside a busy apartment complex four years ago. But a new technology that can create an image of someone using DNA samples left at crime scenes might bring police closer to catching the killer. Reston, Va.-based Parabon Nanolabs, with funding from the Department of Defense, has debuted a breakthrough type of analysis called DNA phenotyping which the company says can predict a person’s physical appearance from the tiniest DNA samples, like a speck of blood or strand of hair. The DNA phenotyping service, commercially known as “Snapshot,” could put a face on millions of unsolved cases, including international ones, and generate investigative leads when the trail has gone cold. “Traditional forensic analysis treats DNA as a fingerprint, whereas Snapshot treats it as a blueprint — a genetic description of a person from which physical appearance can be inferred,” Greytak said. [Fox News] See also: [Surprise! With $60 Million Genentech Deal, 23andMe Has A Business Plan]

Health / Medical

CA – Confidentiality Agreement Handcuffs Assisted-Suicide Researcher

A professor who has successfully defended his right to protect the subjects of his research on assisted suicide wants to return to teaching at a university in Surrey, B.C., but a confidentiality agreement is blocking the way. Russel Ogden is drawing a yearly salary – more than $87,000 in 2014 – from Kwantlen Polytechnic University, but has been unable to teach or conduct research in its name since 2008 as a result of the deal he signed with the school. [The Globe and Mail]

Horror Stories

US – Park ‘N Fly Confirms Breach

Following a breach of its e-commerce website, Park ‘N Fly has been notifying “an undisclosed number of customers that their payment card information was exposed.” “Airport parking lots are attractive targets for fraudsters because they are often used by business travelers utilizing business or commercial credit cards,” the report states, quoting one card-issuer that noted such cards have “high lines, low decline rates and less scrutiny on a day-to-day basis by cardholders.” Park ‘N Fly is working with law enforcement and credit card issuers to investigate the incident, and those affected are being offered one year of free credit monitoring and identity protection services. [BankInfoSecurity]

US – NCUA Accepts Responsibility for Breach, Pays $50,000

The National Credit Union Administration (NCUA) announced that its board approved a payment of $50,000 to Palm Springs Federal Credit Union (PSFCU) to help cover expenses related to a data breach. In October, PSFCU notified its members that an unencrypted flash drive was lost when it was given to an NCUA examiner. The drive contained member names, addresses and Social Security numbers. NCUA, which at first faced criticism for not taking responsibility for the breach, now says it is “reinforcing training on protecting sensitive information and reviewing regulations, policies and procedures” and is considering adopting additional safeguards for electronic data. [Bank Info Security]

US – Heartland Provides Breach Warranty as Retail Encryption Need Grows

One of the country’s largest retail payment processors, Heartland Payment Systems, has announced it will offer a new breach warranty for users. The program will reimburse merchants that use Heartland for cost impacts from data breaches, the report states. Heartland Executive Director of Product Development Mike English said, “There is no bad time to ensure the businesses that process cards with us are safe … Hackers and criminals don’t wait until the busy times to breach a retail or restaurant network.” English said the warranty also offers a “forensic audit by a PCI-certified Qualified Security Assessor.” [eWeek]

US – LinkedIn Account Credentials Targeted in Phishing Scheme

Attackers are using phony security alerts to steal LinkedIn account access credentials. The messages pretend to come from LinkedIn support staff saying that users must download an attachment that will tell users how to install an update. The attachment appears to be the LinkedIn website but it sends entered data to the attackers. Users can protect themselves by activating LinkedIn’s two-factor authentication. [v3.co.uk] [SCMagazine]

US – US Military Social Media Accounts Hijacked

The Twitter and YouTube accounts of the US military’s Central Command (Centcom) have reportedly been hijacked by people claiming to be operating on behalf of Islamic State. Both accounts were temporarily suspended. Centcom has called the incident vandalism, and says it did not affect operations, nor was it a serious data breach. Some information about military personnel was posted, but it came from the Massachusetts Institute of Technology (MIT), not from military systems. The compromised accounts were taken offline. [BBC] [WIRED] [CNET] [SCMagazine] [NextGov] [ZDNet] [Washington Post]

US – United Mileage Plus Accounts Compromised

Attackers using logon information obtained from a third party managed to access about 35 United Airlines Mileage Plus accounts and arranged free travel and upgrades. United was not the source of the breach; the access credentials were used in attacks against other companies as well. [ComputerWorld] [Washington Post]

US – Possible Breach of Chick-fil-A Payment Systems

According to information from several US financial institutions, fast-food chain Chick-fil-A may have experienced a payment system breach. The financial institutions note a pattern of fraud connected with payment cards used at the restaurants in the US. At one financial institution alone, nearly 9,000 cards appear to have been affected. Brian Krebs notes that in similar cases, the particular franchises affected were those that had outsourced point-of-sale system management to a third party. [Krebs] [DarkReading]

US – Morgan Stanley Employee Fired Over Alleged Customer Data Theft

Morgan Stanley has fired an employee for allegedly stealing customer data, including account access credentials, and offering them for sale online. The breach affected approximately 10% of the company’s 3.5 million wealth management customers. The employee had worked at Morgan Stanley since 2008. [Bloomberg] [NYTimes] [SC Magazine]

US – USPS Breach Affected Some Health Data

Additional details being released about the September 2014 intrusion of US Postal Service computers indicate that certain health information was compromised as well. The affected data are related to workers’ compensation claims. Because the compromised health data are not part of an insurance plan, the breach will not incur health data security fines. [NextGov]

Identity Issues

US – New York City ID Opens Doors — and Privacy Concerns

In New York City, Mayor Bill de Blasio made a pitch for a piece of plastic — a new ID card for New York City residents, regardless of immigration status. New Yorkers 14 and older can now join the largest municipal identification program in the country. De Blasio said renting an apartment, opening a bank account and entering a school building will now be easier for the city’s estimated half-million unauthorized immigrants. And the IDNYC program doesn’t leave out New Yorkers who already have ID. Here’s how the mayor sweetened the deal: “A free, one-year membership to 33 cultural institutions! That did get the attention of many New Yorkers,” he said. Los Angeles is preparing to roll out an ID similar to New York’s. They join cities like San Francisco; Oakland, Calif.; and New Haven, Conn., where only about 10 percent of the city’s population has applied since 2007. New York officials hope their program will be more widely adopted. [NPR] See also: [US – A plan to put your driver’s license on your phone] and [National Post editorial board: Good riddance to carding]

US – Debra J. Farber: Identity Management’s Role in Data Privacy

UnboundID: What are the biggest challenges at organizations right now when it comes to protecting customer privacy? Farber: Companies are struggling to know exactly where their data is located, how many copies of that data exist, who has access to it, and for how long it is stored. They don’t have the staff to manually govern this. On top of this, there are varied laws depending on your industry and the states and countries where your business operates. Usually, there’s only a high-level business process understanding as to why data is collected, from which sources, and where it resides. There’s usually confusion about “ownership,” which means that nobody knows who should make decisions about personal data. Adding to the mix is that large organizations usually have legacy systems, which have not yet been decommissioned, but which are still collecting data. Generally, companies need to tighten their processes around data lifecycle management. With the movement toward big data, the tendency for many organizations now is to collect and store as much data as possible with the hopes that insights may be gleaned in the future. Though, from a privacy perspective, that’s a bad practice. Most privacy laws require a company to collect, store, and share personal data for a specific purpose. [UnboundID]

Intellectual Property

CA – Canadian VPN Services Could Be Forced to Alert Pirating Customers

It’s unclear if VPN services will be forced to keep customer records under Canada’s new Copyright Modernization Act. Virtual Private Network (VPN) services are legal and until now, believed to be completely unregulated in Canada, making them particularly popular for internet users interested in online privacy protection, accessing geolocked content via streaming services like Netflix and U.S.-only Hulu, or for those interested in more nefarious activities like piracy-focused Torrent downloading or criminal activity. However, new legislation, which went into effect on Jan. 1, doesn’t clearly state whether Canada’s Copyright Modernization Act pertains to VPN platforms in Bill C-11’s section 41.25 (a). An integral aspect of the new law requires internet service providers (ISPs) to relay copyright infringement allegations to customers (an act that has already been occurring for years), and to also keep a record of these allegations for six months in case the copyright holder makes the decision to take legal action. Over the next few years virtual private networks could potentially become significantly less private in Canada. [Canada.com]

Internet / WWW

US – Lawmakers Launch Congressional IoT Caucus

U.S. Reps. Suzan DelBene (D-WA) and Darrell Issa (R-CA) have announced the creation of a new Congressional Caucus dedicated to the Internet of Things (IoT). “Policy-makers will need to be engaged and educated on how we can best protect consumers while also enabling these new technologies to thrive,” DelBene said, adding, “It’s important that our laws keep up with technology, and I look forward to co-chairing the IoT caucus.” Issa, who chairs the Subcommittee on Intellectual Property, Courts and the Internet, said, “It’s critical that lawmakers remain educated about the fast-paced evolution of the Internet of Things and have informed policy discussions about the government’s role in access and use of these devices.” [Press Release] [U.S. Reps. Suzan DelBene (D-WA) and Darrell Issa (R-CA) have announced the creation of a new Congressional Caucus dedicated to the Internet of Things.]

US – FTC Chair Says Internet of Things Presents “Significant Privacy and Security Implications”

In a speech at the International Consumer Electronics Show in Las Vegas, US FTC chairperson Edith Ramirez warned that the Internet of Things (IoT) presents “significant” privacy issues. The billions of connected devices collect, store, and in some cases transmit data. Ramirez urged companies to make security a part of their product development process, to collect the minimum amount of data necessary, and to notify consumers of unexpected use of their data and provide simplified choices regarding this use. [BBC] [Ars Technica] [v3.co.uk] [Text of speech]

US – Cullen Joins Accountability Foundation to Work on “Accountability 2.0”

The Information Accountability Foundation (IAF), a nonprofit organization headed by Marty Abrams, announced this week that Peter Cullen, formerly GM and chief privacy strategist for Microsoft’s Trustworthy Computing Group, is joining the organization as executive strategist, policy innovation. He will be tasked with leading the IAF’s work “in developing a Holistic Governance Policy Model,” which Abrams called “an essential building block of Information Accountability 2.0.” [Full Story]

WW – Surveys and Predictions 2015 Roundup

[Top Tech News: The Future of Your Privacy Doesn’t Look Good | Pew Internet Report] [Experts say privacy soon to be a ‘luxury’] [EFF: 2014 in Review: Mobile Privacy and Security Takes Two Steps Forward, One Step Back] [Harvard Business Review: The Tech Trends You Can’t Ignore in 2015]

Law Enforcement

US – Body-Worn Camera Plans Have Residents Worried

L.A. residents have privacy concerns over proposed body cameras for Los Angeles Police Department (LAPD) officers. The plan is for nearly 900 cameras to be issued in the first quarter of the year, which will record interactions between LAPD officers and members of the public. The LAPD is one of many police departments considering such a measure. Meanwhile, city police officers in Pittsburgh are required to sign a policy forbidding them from releasing information to the public without authorization. Releasing the information could result in termination. Editor’s Note: The IAPP will host a web conference on January 30 from 1 to 2:30 p.m. EST on Law Enforcement Use of Body-Worn Cameras. [NBC] See also: [North Dakota State Rep. Kim Koppelman (R-West Fargo) has introduced a bill that would exempt images from police-worn body cameras from open records requirements]

US – Spokane: Police Body Camera Pilot Ends; Review and Implementation Next

A four-month pilot program to outfit Spokane police officers with body cameras will formally come to an end this week, but little is expected to immediately change in the department’s day-to-day use of the cameras. Officers who began wearing the cameras during the pilot will be able to continue wearing them on a volunteer basis going into 2015, said Tim Schwering, director of the department’s Office of Professional Oversight. Additional officers may also elect to begin wearing cameras. Over the next several months, he said, police will review use of the cameras and work to develop estimates on the video storage capacity and staff time to respond to record requests that a full body camera program would require. The department also will create a permanent policy governing camera use and will create a stakeholder commission to help with that process, Schwering said. He said the policy will be revised and updated to reflect any forthcoming changes in state law addressing video footage and public records. Once the pilot program has been reviewed, Schwering said, cameras will be phased in for patrol officers gradually, with the goal of outfitting all patrol officers by the end of 2015. [The Spokesman-Review]

US – FBI Says Warrants Not Necessary to Use Stingray in Public

US Senators are questioning the FBI’s use of cell-tower spoofing technology known familiarly as Stingray. The agency says it does not need a warrant to harvest data. Senators Patrick Leahy (D-Vermont) and Chuck Grassley (R-Iowa), chairman and ranking member of the Senate Judiciary Committee, have written a letter expressing concern “about whether the FBI and other law enforcement agencies have adequately considered [Americans’] privacy interests,” and seeking additional information on the technology’s use. [Ars Technica] [Washington Post]


US – Plans to Deploy Drones Draw Backlash

A move by law enforcement agencies in the San Francisco Bay Area to deploy drones has provoked a privacy backlash. The University of California, Berkeley, would be one of the places subject to drone monitoring. “Berkeley and the Bay Area have a long history of political discussion, protests and debate, and there’s a real concern around the use of these drones under those circumstances and the broader privacy issues,” said Jesse Arreguin of the Berkeley City Council. The ACLU has released a model ordinance for municipal drone use “that would require notifying the public and developing a policy for how the device is used, what data it collects and keeps and who can access it,” the report states. [Bloomberg] [DOD wants to build drones that can buzz into bad guys’ doorways]

Online Privacy

US – Ad Company Using Verizon Tracking Header

An advertising company appears to be using Verizon unique identifier token headers (UIDH) to track users’ online behavior. Clearing cookie caches will not prevent this tracking. [ComputerWorld] [The Register] [PC World]

WW – Report: New Super Cookies Can Even Track Your Privacy-Mode Browsing

A chink in the HTTP Strict Transport Security protocol makes it possible to fingerprint users who browse sites, even when they’re using a privacy mode like Chrome’s Incognito Browsing. HTTP Strict Transport Security is usually used to ensure that users only interact with the correct servers when using HTTPS connections, by flagging how one type of encryption should be used for all future interactions. But security researcher Sam Greenhalgh has used the feature to create a new tool called HSTS Super Cookies. Just like normal cookies, they fingerprint a user when they’re browsing without a privacy feature turned on, so they can be used to identify them at a later date. But these new cookies are visible even when using privacy modes, and can also be read by websites from multiple domain names, not just the original provider. Combined, that means that these super cookies will allow any number of websites to track a user’s movements on the web, even when they’re using a private browsing mode. [Gizmodo]

Privacy (US)

US – 75 Companies Sign Pledge, But Google’s Not One

Google has decided not to sign the Student Privacy Pledge created by the Future of Privacy Forum (FPF) and endorsed by President Barack Obama, who said, “If you don’t join this effort … we intend to make sure those schools and parents know you haven’t joined this effort.” Google has said its “contracts and policies demonstrate a commitment to student privacy,” the report states. FPF’s Jules Polonetsky said Google agrees with “the substance of the commitments listed in the pledge,” noting the pledge is one way to convey how companies use student data, “But certainly it’s not the only way … Some companies may choose privacy seals or prominent privacy policy statements or other ways to communicate and self-regulate.” [The Wall Street Journal]

US – FTC Casebook Tool Unveiled by Westin Privacy Research Center

After a great deal of work, the IAPP Westin Research Center has launched its casebook of FTC privacy and data security enforcement actions. The casebook is a digital resource, collecting all 180 FTC enforcement actions (for now) and making them easily accessible, full-text searchable, tagged, indexed and annotated. To help users better understand the benefits and functionality of this tool, they have developed several use cases displaying how users might search the casebook and make use of the results.

US – New Data Breach Preparedness, Response Guidance

New to the IAPP Resource Center is the Washington Legal Foundation (WLF) Monograph Data Security Breaches: Incident Preparedness and Response. Authored by Jena Valdetero and David Zetoony of Bryan Cave LLP with a foreword by Federal Trade Commissioner Maureen Ohlhausen, the handbook provides a basic framework to assist in-house legal departments with handling a security incident. It explains security incidents, outlines ways in-house counsel can help prepare for an incident and offers steps that should be taken in responding to an incident as well as costs involved. “I believe this WLF Monograph will be a useful reference for in-house counsel as they prepare for and encounter security incidents,” Ohlhausen writes. [Full Story]

The IAPP’s Westin Research Center released the FTC Casebook, in which all FTC complaints and consent decrees and attendant documents are searchable by keyword, tag or case home page.

Privacy Enhancing Technologies (PETs)

WW – Google Patents Method for Enabling Private Browsing Automatically

While users who want to browse the Internet incognito usually must explicitly enable their browsers’ privacy settings to avoid being tracked, a new technology from Google may soon eliminate the step. The company has been granted a U.S. patent for a method that would allow private browsing automatically via certain websites. Browsers equipped with the technology would be able to tell when the website’s content might prompt users to opt for private browsing, the report states. Google’s description of the service says, “The privacy mode can be enabled to prevent storage of webpage user information generated as the user browses the webpage.” [eWeek]

US – Wearable Start-Up Raises $16M in Funding

A San Francisco-based healthcare start-up has raised $16 million in venture capital funding—$23 million in total funding—to bring Google Glass into the healthcare world. Augmedix uses the wearable technology to minimize the amount of time clinicians spend with electronic health records to increase the time spent with patients. The company’s chief executive officer said, “In terms of economic impact, we’ve repeatedly shown that our service effectively turns three doctors into four.” [Healthcare IT News]

US – Mining Your Genes

Fusion reports on the potential for pharmaceutical companies to mine people’s genes. “Imagine a world where genetic sequencing is free, like Gmail,” the report states. “That’s where we’re headed.”

US – On the Importance of Building Privacy Into Apps and Reddit AMAs

Massachusetts Institute of Technology’s Jean Yang and her team are working on Jeeves, a framework for programmers to implement privacy policies directly into the code. “If it works as foreseen—and there is still a lot to do around performance—a developer could write policies—who can see what and when—right into the application,” the report states. For example, an app might share GPS data only when the user is in a given ZIP code. [GigaOM]


WW – This is the Cyberattack that Keeps Edward Snowden Up At Night

In an interview with James Bamford published by NOVA, Edward Snowden said that when it came to cyber warfare, the United States has “more to lose than any other nation on earth.” And he’s not just talking about attacks on systems with obvious effects on the physical world, but the potential fallout of attacks aimed at crippling the Internet itself. The United States is among the most digitally reliant nations out there, which opens up more avenues for cyberattacks. [The Washington Post]

WW – Majority of PHP Installations are Unsecure

More than three-quarters of PHP installations contain at least one security issue. Other software packages were found to contain flaws as well: 38 percent of sites running Apache web server were found to be unsecure, as were 36% of sites running Nginx, 22% of sites running Python, and 18% of sites running Perl. [The Register] [IRC Maxwell]

Smart Cars and Devices

WW – BMW Sounds Alarm Over Tech Companies Seeking Connected Car Data

BMW says technology companies and advertisers are putting increasing pressure on carmakers to hand over data collected by connected cars, “underlining the fine line being taken by the automotive industry between functionality and privacy.” BMW’s Ian Robertson said every car the company makes now offers some kind of wireless connectivity and there’s plenty of people saying, “Give us all the data you’ve got and we can tell you what we can do with it … and we’re saying ‘No thank you.’” Robertson said the data cars can collect now is as granular as being able to detect whether a child is in the car based on weight sensors. [The Irish Times]

CN – Even China’s Academy of Science thinks wearables are privacy problem

Researchers from the Chinese Academy of Sciences, the Australian National University, Dakota State University, Sydney University and Australia’s Commonwealth Scientific and Industrial Research Organisation (CSIRO) have looked over the state of play in the Internet of Things, and find that concern for privacy is lacking. Their paper at arXiv notes that the current enthusiasm for wearables involves consumers handing over far more data (much of it highly personal and sensitive) than the mere boat-loads of data collected by outfits like Facebook. The paper offers a summary of areas where the group says research is needed to develop both technologies and behaviours to protect user privacy in the IoT era. Problems highlighted by the report include:

  • User consent – somehow, the report says, users need to be able to give informed consent to data collection. Users, however, have limited time and technical knowledge.
  • Freedom of choice – both privacy protections and underlying standards should promote freedom of choice. For example, the study notes, users need a free choice of vendors in their smart homes; and they need the ability to revoke or revise their privacy choices.
  • Anonymity – IoT platforms pay scant attention to user anonymity when transmitting data, the researchers note. Future platforms could, for example, use TOR or similar technologies so that users can’t be too deeply profiled based on the behaviours of their “things”. [The Register]


WW – Paris Attacks Prompt Call for Intelligence-Sharing

Following the terrorist attacks in Paris, EU interior ministers pledged to increase intelligence-sharing, while data regulators warn surveillance programs under consideration must strike the right balance between privacy and security, Bloomberg reports. German Chancellor Angela Merkel has said she will press for new EU rules on data retention to help in the fight against terrorism; UK Prime Minister David Cameron says he will urge U.S. President Barack Obama to pressure Internet firms to cooperate more with intelligence agencies tracking the online activities of extremists, and European Council President Donald Tusk “has implored MEPs to accept the creation of a single, shared database of personal information on air passengers arriving in, or leaving, the EU.” Meanwhile, the European Commission said Monday it does not plan to launch an EU-wide intelligence agency. [Full Story]

US – FBI Says Search Warrants Not Needed to Use “Stingrays” In Public Places

The Federal Bureau of Investigation is taking the position that court warrants are not required when deploying cell-site simulators in public places. Nicknamed “stingrays,” the devices are decoy cell towers that capture locations and identities of mobile phone users and can intercept calls and texts. The FBI made its position known during private briefings with staff members of Senate Judiciary Committee Chairman Patrick Leahy (D-Vt.) and Sen. Chuck Grassley (R-Iowa). In response, the two lawmakers wrote Attorney General Eric Holder and Homeland Security chief Jeh Johnson, maintaining they were “concerned about whether the FBI and other law enforcement agencies have adequately considered the privacy interests” of Americans. According to the letter, which was released last week: “For example, we understand that the FBI’s new policy requires FBI agents to obtain a search warrant whenever a cell-site simulator is used as part of a FBI investigation or operation, unless one of several exceptions apply, including (among others): (1) cases that pose an imminent danger to public safety, (2) cases that involve a fugitive, or (3) cases in which the technology is used in public places or other locations at which the FBI deems there is no reasonable expectation of privacy.” [Slashdot] See also: [Hacked emails reveal China’s elaborate and absurd internet propaganda machine]

US – F.B.I. Is Broadening Surveillance Role, Report Shows

Although the government’s warrantless surveillance program is associated with the NSA, the FBI has gradually become a significant player in administering it, a newly declassified report shows. In 2008, according to the report, the F.B.I. assumed the power to review email accounts the N.S.A. wanted to collect through the “Prism” system, which collects emails of foreigners from providers like Yahoo and Google. The bureau’s top lawyer, Valerie E. Caproni, who is now a Federal District Court judge, developed procedures to make sure no such accounts belonged to Americans. Then, in October 2009, the F.B.I. started retaining copies of unprocessed communications gathered without a warrant to analyze for its own purposes. And in April 2012, the bureau began nominating new email accounts and phone numbers belonging to foreigners for collection, including through the N.S.A.’s “upstream” system, which collects communications transiting network switches. That information is in a 231-page study by the Justice Department’s inspector general about the F.B.I.’s activities under the FISA Amendments Act of 2008, which authorized the surveillance program. The report was entirely classified when completed in September 2012. But the government has now made a semi-redacted version of the report public in response to a Freedom of Information Act lawsuit filed by The New York Times. The Times filed the lawsuit after a wave of declassifications about government surveillance activities in response to leaks by the former intelligence contractor Edward J. Snowden. [nytimes.com]

US – Citizenfour Earns Oscar Nod; Snowden Talks from Moscow

It’s just been announced that Citizenfour, the documentary portraying the Snowden disclosures, has been nominated for an Oscar. Eric Jones reviews the film, noting it refrains from any narrative defense of Snowden’s actions and instead reveals Snowden’s slowly developing apprehension and also his lack of panic or regret. “The net effect is a sympathetic portrayal of a man, misguided or not, who views himself as doing the right thing and is only in this moment seeing the monumental consequences of his actions,” he writes. Meanwhile, James Bamford of PBS has published an interview with Snowden from Moscow on cyberattacks. [Privacy Advisor]

WW – Welcome to ‘Uber-Veillance’ Says Australian Privacy Foundation

Regulators are way behind the game when it comes to wearable and IoT privacy, and users are willingly conspiring with companies that don’t care about them to help create a society of “uber-veillance”. That’s the grim conclusion reached by Australian Privacy Foundation (APF) board member and University of Wollongong researcher Katina Michael in conversation with The Register. [theregister.co.uk]

WW – Ex MS Privacy Head Had Warned of Cloud Spying, But Lost His Job

In 2011, two years before Snowden, Microsoft’s then Chief Privacy Officer Caspar Bowden tried to warn his company that any cloud computing solutions sold to foreign governments would mean unlimited mass surveillance of their clients by the NSA. Two months later Bowden was fired from Redmond. [NetworksAsia]

Telecom / TV

US – Mayer Identifies Zombie Cookies

The latest technological find in the device-tracking landscape is ominously called “zombie cookies.” Initially discovered by Stanford’s Jonathan Mayer, zombie cookies stem from a “hidden undeletable number” placed on users of Verizon smartphones and tablets and used by advertising company Turn. The Verizon number is used “to respawn tracking cookies that users have deleted,” the report states. Turn Chief Privacy Officer Max Ochoa said, “We are trying to use the most persistent identifier that we can in order to do what we do.” Verizon’s “perma cookie” caused a stir in the news last year, and AT&T dropped a similar ID number after those reports surfaced. In a blog post, Mayer wrote that given the tracking practice, “I think there’s also a good FCC, FTC or state deception case against Verizon.” [ProPublica]

US – EFF Wants Verizon to Ditch Tracking Technology

The Electronic Frontier Foundation (EFF) is urging Verizon Wireless to ditch a tracking technology that allows ad networks to collect data and send targeted ads to mobile users even in cases in which the user has tried to avoid tracking by deleting cookies. “It is clear that Verizon does not understand the privacy risks it is imposing on customers,” the EFF said. Verizon’s tracking system, which came to light last November, allows third-party advertisers to develop a “deep, permanent profile” of web-browsing habits. “Going forward, the company should undertake to obtain genuine prior, informed consent for any future tracking activities,” the EFF said. [MediaPost]

UK – ‘Burglar’s Shopping List’ Security Flaw Fixed

An online service recommended by most of the UK’s police forces has fixed a privacy flaw after being alerted by a security expert. Immobilise allows members of the public to add records to the National Property Register, detailing valuables in their homes. But security consultant Paul Moore discovered a flaw that made it possible to access other people’s records. Recipero, operators of Immobilise, said it had fixed the vulnerability. [BBC News]

US Government Programs

US – NSA to Begin Internship Program This Fall

The NSA will begin accepting applications this fall for its first privacy and civil liberties internship program. At least one student will be chosen for the 2016 summer program to work in the NSA’s newly created Civil Liberties and Privacy Office, the report states. NSA Director of Civil Liberties and Privacy Rebecca Richards said interns are an opportunity for her office. “Exposing the agency to newly minted college grads as well as exposing those newly minted college grads to what the agency does can only bring benefits to this conversation” around NSA surveillance practices, Richards said. [Fedscoop]

US Legislation

US – Obama Lays Out Legislative Proposals

President Barack Obama announced a new legislative proposal to enable cybersecurity information-sharing between the public and private sectors. Specifically, the private sector is encouraged to share threat data with the Department of Homeland Security (DHS). Additionally, the proposal includes modernizing law enforcement authorities by providing tools to fight cybercrime—including the sale of botnets, stolen credit card data and malware. The Center for Democracy & Technology’s Harley Geiger said the proposal includes more privacy-protecting measures than the Cyber Intelligence and Sharing Act, but it “allows companies to share user information with the (DHS) regardless of any privacy law” and allows the DHS to share with other law enforcement “for purposes unrelated to cybersecurity.” [Full Story]

US – Obama Releases Breach Bill Text; NY AG Proposing Data Security Bill

The Obama administration has released the text of its proposed data breach notification bill. While the proposal would strip states of the ability to make their own rules, state AGs could still keep pressure on companies by using state laws that aren’t preempted by the measure. Meanwhile, New York Attorney General (AG) Eric Schneiderman said he will propose legislation to make the state’s data security law the strongest in the country, and Schneiderman and 18 other state AGs have asked JP Morgan for more evidence on last year’s data breach. And The Hill reports credit unions want Congress to create a bipartisan working group to address the ongoing rash of data breaches. [Law360]

US – Obama Wants Breach Disclosure Law

President Obama is asking legislators to pass a bill that would require companies to disclose data security breaches that expose customer data within 30 days. The move is a response to recent breaches that have compromised the personal information of millions of people. Obama also wants the bill to include a provision prohibiting companies from selling students’ information to third party companies. [DarkReading] [TheRegister] [ComputerWorld] [CNET] [President Barack Obama announced a new legislative proposal to enable cybersecurity information-sharing between the public and private sectors] [The Hill reports on comments made by Rep. Zoe Lofgren (D-CA) on the Cyber Intelligence Sharing and Protection Act, saying its “astonishingly broad and overly vague information-sharing regime does more harm than good when it comes to Americans’ privacy.”] [Reed Freeman, IAPP Privacy Perspectives] [US – Obama’s Data-Breach Initiative Has Privacy Advocates Optimistic, Cautious] and [After a long delay, Obama declines to fire U.S. attorneys over Aaron Swartz’s suicide]

US – Senator to Introduce Breach Bill; Business Happy with Obama Proposal

Sen. Bill Nelson (D-FL), the ranking member on the Senate Commerce Committee, will soon introduce a data breach notification bill that closely resembles a proposal President Barack Obama called for during his speech Monday. “Now is the time Congress must act,” Nelson said. Meanwhile, NationalJournal reports business groups and Republicans are cheering rather than jeering Obama’s proposal, largely because it would uncomplicate the patchwork of state laws businesses must now comply with, but Nextgov asks the question: why wouldn’t the legislation apply to government agencies? [The Hill]

US – New Tennessee Law Protects Employees’ Online Privacy

Now that 2015 is here, the new year means lots of new laws take effect in Tennessee. That includes a change that protects employees’ private information on Facebook, Twitter, and other social media accounts from nosy bosses. Tennessee now joins a list of dozens of states that have passed an Employee Online Privacy Act. McCarty says it protects people who make their online settings private, not the information someone shares with the entire world wide web. The new law says employers cannot force an employee or job applicant to provide access to private information. There are some exceptions that allow employers to pry, such as social media accounts that are specifically for work and identified as affiliated with an employer. [WBIR TV]

US – Delaware’s New Laws: Privacy Protection, Digital Assets

As of midnight Jan. 1, new Delaware laws went into effect to protect the privacy of consumer information; allow access to digital assets of an incapacitated family member; require new disclosure around campaign contributions; and require notice of cancellation of an insurance policy. [The News Journal]

US – Illinois Passes New ‘Revenge Porn’ Law That Includes Harsh Penalties

Illinois became the latest state to criminalize “revenge porn,” crafting what its creators hope will become a model for federal legislation. Gov. Pat Quinn signed a measure making the “non-consensual dissemination of private sexual images” a felony offense in Illinois. The new “revenge porn” law goes into effect June 1, 2015, and will punish offenders with one to three years in prison and up to a $25,000 fine. [Huffington Post]

US – N.D. Bill on Teacher ‘Privacy’ Introduced

A bill introduced to the State Legislature would restrict access to school district records and is the latest in a trio of bills aiming to exempt certain information from the state’s open records laws. Senate Bill 2153 would seal relevant records in a school district employee’s file should that employee be charged with a crime in district court. The records would become publicly available after the criminal complaint against the employee was resolved. The bill is the third this legislative session to attempt to create exemptions to the state’s open records laws. Senate Bill 2133 would remove university students’ email, home and mailing addresses, as well as phone numbers, from the public record. The bill, introduced Tuesday, is a reaction to a mass open records request for students’ contact information by Odney Advertising, which consults for the Republican Party. Senate Bill 2134 would allow the State Board of Higher Education to discuss in private the hiring or firing of a chancellor. It would also make confidential all records used to prepare performance evaluations of top education officials. [The Bismarck Tribune] See also: [US – Teen’s computer-privacy tussle with his Wayzata school goes viral]

Workplace Privacy

UK – BBC Accused of ‘Spying’ After 150 Staff Emails Accessed or Monitored

The BBC has been accused of “spying” on its own staff after it was revealed that nearly 150 staff email accounts were accessed or monitored over the past two years. In response to a Freedom of Information request from the Press Gazette, the BBC said 37 staff email accounts had been monitored because of leak investigations in 2013 and 2014. Other staff accounts had been looked into as a result of a variety of complaints and inquiries, including allegations of fraud, assault, harassment and disciplinary cases. Michelle Stanistreet, general secretary of the National Union of Journalists, said: “The BBC has previously denied any significant monitoring of staff email accounts, and only in criminal or disciplinary investigations, but these figures cast doubt on that explanation and the NUJ will work with our network of reps to get to the bottom of the kind of spying that has been taking place.” [The Guardian]


16-31 December 2014


WW – Hacker Clones Politician’s Fingerprint from Photos

Chaos Computer Club’s Jan Krissler said he successfully replicated the fingerprint of a German politician by using commercial software and several photos taken during a press conference. Krissler said, “politicians will presumably wear gloves when talking in public.” Prof. Alan Woodward noted, “Biometrics that rely on static information like face recognition or fingerprints—it’s not trivial to forge them, but most people have accepted that they are not a great form of security because they can be faked,” adding, “People are starting to look for things where the biometric is alive—vein recognition in fingers, gait analysis—they are also biometrics, but they are chosen because the person has to be in possession of them and exhibiting them in real life.” [BBC News] [Hacker claims you can steal fingerprints with only a camera]


CA – Most Canadians Trust Government to Protect Their Privacy: Poll

According to a survey by Environics Institute and the Ottawa-based Institute on Governance (IOG), most Canadians are reasonably confident the federal government is protecting the personal information it collects about them, and support the idea of sharing that data between departments to improve service. And they accept government surveillance on Canadians for national security as “important” — unless it applies to them. That’s when the majority feel government snooping on their phone records and Internet activity would be a violation of privacy. The survey found 9% of those asked strongly agreed with the notion that the government is “adequately” protecting the personal information it gathers when they fill out their taxes, apply for a passport, cross a border or apply for employment insurance. 48% “somewhat” agreed; 31% aren’t very confident and 12% say they aren’t at all confident that their privacy is protected. [National Post] see also [Schneier: Over 700 Million People Taking Steps to Avoid NSA Surveillance]

CA – Canada: $7,500 In Damages Awarded for Intrusion Upon Seclusion

In McIntosh v Legal Aid Ontario, Superior Court Justice Cornell awarded the plaintiff damages of $7,500 after finding a breach under the relatively new tort of intrusion upon seclusion. This tort was first recognized in Ontario in Jones v. Tsige, 2012 ONCA 32 (CanLII), in which the Court of Appeal for Ontario allowed a civil action for damages for the invasion of personal privacy in Ontario and awarded the plaintiff $10,000 in damages. [Lexology]

CA – Ontario Liberals Paid $10,000 to Have Gas Plant Data Erased: OPP

IT consultant Peter Faist, who is the spouse of former Ontario premier Dalton McGuinty’s deputy chief of staff, was paid $10,000 by the Liberal caucus to wipe data off approximately 20 government computers, police claim. The allegation, unproven in court, comes from an Ontario Provincial Police Information to Obtain document released by the Ontario Superior Court on Thursday. The document was used to get a search warrant, which was executed at a government office in late November. The data Faist is said to have deleted relates to the cancellation of two gas plants in the Toronto-area prior to an election campaign. Police suspect the data were internal email conversations regarding the cancellation of the gas plants. David Livingston, McGuinty’s chief of staff, is accused of ordering the deletion of the emails. [CBC News]

CA – Canada Revenue Agency Destroys Staffers’ Texts

The Canada Revenue Agency has destroyed all text message records of its employees and has disabled logging of these messages in the future. Emails, released through access to information legislation, reveal that Shared Services Canada, the federal organization responsible for information technology services, destroyed the records in the middle of a business day in August. The Canada Revenue Agency has confirmed that it instructed the organization to destroy those records and also no longer log the instant messages, including PINs, BBMs and regular texts, going forward. “Since SMS and BBM messaging are non-secure, transitory methods of communication are used only for routine and nonbusiness related purposes; there is no requirement to maintain the transitory information,” said Philippe Brideau, a CRA spokesman. [Toronto Star]

CA – Alberta Amends PIPA to Address Concerns Between Freedom of Expression and Privacy

Alberta’s amendments to the Personal Information Protection Act have narrowly addressed the Supreme Court of Canada’s concerns about the appropriate balance between freedom of expression and rights to privacy, leaving a number of larger questions to another day. [Lexology] SEE ALSO Michael Geist offers an alphabet of Canadian tech policy in this report.

CA – RCMP Broke Privacy Laws by Sharing Medical Histories of Officers: Report

The RCMP committed a “serious privacy breach” and broke federal privacy laws when it shared sensitive medical information about five of its officers while throwing accusations at their psychologist, according to a privacy commissioner’s report written last month. The five Mounties went to the Office of the Privacy Commissioner of Canada two years ago, after discovering the RCMP had submitted portions of their personal medical histories to the College of Psychologists of B.C. [National Post]

CA – Ontario Fails to Track Complaints Against Crown Attorneys

Ontario’s Ministry of the Attorney General has no idea how many complaints have been lodged against its nearly one thousand prosecutors from across the province, or how many have been disciplined for misconduct in recent years. The lack of organized, accountable oversight, legal observers say, marks a “failure” by the government to properly scrutinize complaints against its Crown attorneys: public servants responsible for making important decisions such as who to prosecute for crimes and recommending sentences for those found guilty. [Mississauga News]

CA – Future Saskatchewan Licences to Prevent Fraud

SGI is looking to add facial recognition services to their future driver licences and identification cards to help prevent fraud. With SGI’s current five-year contract for driver’s licence and identification card production expiring in 2016, SGI is asking vendors to offer their proposal for a contract by Feb. 13, 2015. “In addition to proposals for regular driver’s license production services, we’re also asking for proposals for facial recognition services,” said Kelley Brinkworth, manager of media relations for SGI communications. [Moose Jaw Times Herald]

CA – Ontario Privacy Commissioner Slams Hospital’s Lax Privacy Controls

More than a year after discovering a massive privacy breach, Rouge Valley Hospital still has no way of finding out whether any confidential patient records have been inappropriately accessed, Ontario’s privacy watchdog revealed. An investigation by the privacy commissioner found the hospital’s computer system preserves only two weeks of user history. It was only after one careless employee admitted to stealing records and another left patient information in a printer that the privacy breaches were discovered. Privacy Commissioner Brian Beamish ordered Rouge Valley to overhaul its system so that all access to patient files can be tracked. He also ordered the hospital to improve confidentiality training and privacy breach management procedures. He has given the hospital until Sept. 16, 2015, to comply, but declined to name the people or financial institution involved in the breach. This summer, Rouge Valley revealed that two employees had accessed the records of more than 14,000 mothers who gave birth there between 2009 and 2013, so as to sell them Registered Education Savings Plans (RESPs). [Toronto Star]


WW – UN Approves Privacy Resolution in Major Victory for Human Rights

The UN General Assembly formally approved a major resolution on the right to privacy, by consensus. The resolution spotlights the privacy violations that are enabled by advances in technology, overbearing government surveillance, and corporate complicity. As communications have gone global, so too must privacy protections. Privacy rights limited by national borders are increasingly meaningless. As detailed in November, this resolution contains strong language that definitively places mass surveillance under international human rights law. The Human Rights Council has a chance in March to follow through and create a permanent mechanism to safeguard the right to privacy at an international level. The resolution calls for a permanent office on the right to privacy. For that to happen, though, the Human Rights Council in Geneva will have to take action in March by creating a new “special rapporteur” on the right to privacy. If so, in 2015, the world will have its first independent authority examining and promoting the right to privacy with the power to admonish governments for violations. [AccessNow]

WW – The Privacy and Security Winner and Loser Was the User in 2014

In last year’s “unofficial contest to determine computer security and privacy winners and losers,” the award goes to “you, the user,” Kim Zetter writes, with “a host of new products and services … to help protect the privacy and security of your data and communications” and court rulings providing “better protection against the warrantless seizure of your data.” But, the user was also the loser, Zetter notes, with reports suggesting spy agencies across the globe “will not rest until they’ve seized or deciphered every bit of your data.” Zetter lists privacy and security’s other winners and losers: Apple, WhatsApp, the Florida Supreme Court, U.S. Supreme Court, Yahoo and Google Project won, while Sony, President Barack Obama, the U.S. Marshals, Verizon and Gamma International lost. [WIRED]

US – Pew Research Reports on the Future of Privacy

The Pew Research Internet Project has released a new study on the future of privacy. The survey interviewed more than 2,500 experts in conjunction with Elon University’s Imagining the Internet Center and found a split in what respondents think 2025 will look like. For example, 45% said there would likely be “a secure, popularly accepted and trusted privacy-rights infrastructure by 2025,” while the remaining 55% said there are not enough incentives for governments or industry to create such an infrastructure. Stanford University Prof. Paul Saffo said, “Privacy has already shifted from being a right to a good that is purchased.” [Pew Research] and [Experts believe digital privacy may be entirely gone by 2025] and [US: Data privacy important to farmers, study shows]


US – Possible Breach Affects Files of 40,000 Federal Workers

The data of more than 40,000 federal employees may have been compromised in a cyberattack on federal contractor KeyPoint Government Solutions. The Office of Personnel Management (OPM) has started notifying affected workers and will offer free credit monitoring. KeyPoint specializes in background screening and investigations of federal workers and is the second such company to be breached this year. A representative for the OPM said officials concluded an investigation into the incident, finding “no conclusive evidence to confirm sensitive information was removed from the system” and that “Keypoint has worked closely with OPM to implement additional security controls.” [Associated Press]


US – Mediation Attempt in Yahoo Case Fails

U.S. District Court Judge Lucy Koh received this week a status report saying a class-action lawsuit between web users and Yahoo could not be resolved through out-of-court mediation. The plaintiffs argue that Yahoo “violates the federal Electronic Communications Privacy Act by intercepting emails and scanning them for keywords.” Koh rejected Yahoo’s bid to get the lawsuit dismissed earlier this year, but has yet to rule on whether the case can move forward as a class-action. [MediaPost]

EU – Ireland Chimes in on Microsoft Data Privacy Case

Ireland has filed a friend-of-the-court brief in support of Microsoft’s refusal to provide the US government with customer email held on a server in Ireland. The document asks the US to respect Ireland’s sovereignty. Microsoft maintains that the US’s Electronic Communications Privacy Act (ECPA) stored communications provisions are not applicable outside US borders. The data pertain to a criminal case in the US. [CNET] [Why Microsoft, Apple, Fox News and NPR Are Suddenly Working Together] [Tech Giants Rally Around Microsoft to Protect Your Data Overseas]


US – Snowden Leak Shows Which Encryption Agencies Can’t Crack

The latest leak from Edward Snowden details how the U.S. National Security Agency (NSA) and the UK GCHQ have undertaken efforts to “crack all types of encrypted Internet communication.” The leaks did reveal which encrypted services the NSA could not break, including Tor, Truecrypt and PGP. [Der Spiegel]

WW – Google Plans to Warn Chrome Users on All HTTP Connections

Google plans to flag all HTTP traffic as unsecure in its Chrome browser. Chrome users will see alerts when they attempt to visit HTTP sites. Google plans to implement the change in 2015. [The Register] [BBC] [eWeek]

EU Developments

EU – Commission Releases 2015 Agenda; Privacy Bridges Project to Release Consensus Report

The European Commission made public its work agenda for 2015. High on the list is the ongoing effort to break down national barriers to create a digital single market. The commission aims to keep pushing for new telecom legislation including provisions on net neutrality; new data protection rules and a long-term digital strategy for the years ahead, among other goals. Meanwhile, the University of Amsterdam and the Massachusetts Institute of Technology have issued a press release about two recent meetings of the EU-U.S. Privacy Bridges Project—a group of EU and U.S. privacy experts aiming to bridge the gap between EU and U.S. privacy regimes—in Washington, DC. The group will release a report in 2015. [PCWorld]

EU – Gov’t Leaders Push for Passenger Name Record Legislation

European Union governments are pushing EU lawmakers to end their opposition to proposals that would make it easier to track airline passengers. UK Prime Minister David Cameron said the stalemate is putting lives at risk. Talks on the passenger name record legislation, which would force airline carriers to give EU countries information about passengers entering or leaving the EU, have been deadlocked since its introduction in 2011. MEPs who oppose the legislation say it undermines data privacy. But Cameron said at a recent summit of EU leaders that lawmakers shouldn’t prevent a mechanism that could keep innocent people from being killed. [Bloomberg]

UK – UK Gov’t Seeks to Water Down Meaning of ‘Consent’

The UK government has raised objections to current EU proposals that would require businesses seeking to rely on ‘consent’ as the lawful basis for processing personal data to ensure that that consent has been unambiguously given “for one or more specific purposes”. It said those proposals are “unjustified” and called on EU law makers to turn instead to the definition of consent under existing EU data protection rules for setting the legal standard businesses would need to achieve for consent under the draft new General Data Protection Regulation. Under the 1995 Data Protection Directive, set to be replaced by the Regulation, individuals’ consent is defined as “any freely given specific and informed indication of … wishes by which the data subject signifies his agreement to personal data relating to him being processed”. However, organisations wishing to rely on individuals’ consent to process their data are obliged to ensure that “the data subject has unambiguously given his consent”. The UK government is arguing for this requirement to be removed. Its concerns are detailed in a Council of Ministers (Council) document published by information law business Amberhawk Training. [Out-Law.com]

EU – The Dutch Government Has Published New Draft Bill Implementing EU Data Retention Regulations

The Dutch government has published its draft concept adapting the regulations on the retention of online data and is calling on all interested parties to send in comments. The proposal was adjusted according to the Telecommunications Act and the Code of Criminal Procedure, in response to an earlier ruling by the European Union’s Court of Justice. The ruling said the Dutch telecom data retention law was invalid. Despite calls from the opposition to scrap the data retention law, the government said the law is essential for the investigation and prosecution of serious criminal offenses and must therefore be sharpened. The latest proposal presents more stringent time limits for storing telephony data. Data will have to be kept for 12 months or even longer in case of a serious offense where the sentence is of at least 8 years. For crimes with a sentence of less than 8 years, data will have to be retained for 6 months instead of the current twelve. The retention law will be further restricted to data that is strictly required by the government for the investigation and prosecution of serious crimes. In addition, the data will have to be stored exclusively on EU territory. Access to data will in the future have to go through a judge. That is not presently the case. [Telecompaper]

EU – Funding for Irish DPA Doubled

Funding for Ireland’s Office of the Data Protection Commissioner has doubled. The office will now receive a total of 3.65 million euros, up from 1.89 euros in 2014. Minister of State for Data Protection Dara Murphy said the funding exemplifies the government’s willingness to protect personal data, “irrespective of the nationality of the individuals concerned.” Murphy added, “Organizations in both the public and private sectors, including government departments, state bodies, multinationals and SMEs all need to be mindful of their obligations when dealing with data entrusted to them by citizens.” [Irish Times]


CN – Gmail Blocked in China

China is reportedly blocking access to Gmail inside the country. China began blocking various Google services in 2009 and started blocking Gmail access earlier this year. Users have been seeking third party email clients to access their accounts, and now those have been blocked as well. The only way to access Gmail in China now is through virtual private networks (VPNs). [CS Monitor] [ZDNet] [Ars Technica] [NYTimes] [GreatFire] SEE ALSO [Hacked emails reveal China’s elaborate and absurd internet propaganda machine]


US – FTC Charges Data Broker; Warns Children’s App Maker

The U.S. FTC has charged a data broker with selling “the sensitive personal information of hundreds of thousands of consumers … to scammers who allegedly debited millions from their accounts.” The FTC complaint says data broker LeapLab purchased payday loan applications of financially disadvantaged consumers “and then sold that information to marketers whom it knew had no legitimate need for it,” the FTC press release states. FTC Bureau of Consumer Protection Director Jessica Rich said, “Defendants like those in this case harm consumers twice: first by facilitating the theft of their money and second by undermining consumers’ confidence about providing their personal information to legitimate lenders.” Meanwhile, the FTC has sent a warning letter to a Chinese-based developer that makes the children’s app BabyBus alleging the app collects geolocation information without parental consent and that such actions could violate the Children’s Online Privacy Protection Act. [Source] SEE ALSO: [Hong Kong: Privacy czar hits leaky holiday agency app]


AU – Watchdog Exposes Tricks Public Servants Use to Avoid Sharing Information With the Public

A government watchdog has exposed some of the techniques federal public servants use to wrongfully prevent citizens from accessing their own records. The Information Commissioner’s investigation of the bureaucracy’s biggest workplace, the Department of Human Services, revealed an organisation obsessed with process, that preferred legalese to plain English and had increasingly lost sight of its duty to share information. In one Kafkaesque case, freedom of information officers told a man that recordings of his own voice breached his ex-partner’s privacy because he had mentioned her. Rather than give him the readily available recordings of his phone calls to the Child Support Agency, the FOI team proposed spending weeks of staff time going through each call and censoring the moments he spoke about his ex-partner. Another FOI applicant had asked for a copy of an “actual conversation” he had with department staff. The department refused his request, saying it had no audio recording of the phone call. But it did not tell him it had a written record of it. The report also cited an applicant who wanted details of a call an official had made to another organisation, within a specific date range, that “apparently infers that I was attempting to extort money”. The department denied that request, too, saying there was no document that mentioned “extortion”, even though it had a similar record that matched the request. The commissioner, Professor John McMillan, began investigating the department, which includes Centrelink and Medicare, after noticing a huge increase in the number of times it invoked its “practical refusal” power. Under FOI law, government agencies can knock back requests for documents if processing them would “unreasonably” waste time and resources. However, the department used this power 777 times last financial year, a more than twentyfold increase from two years earlier. 
Professor McMillan said he had also received many complaints about a change in the department’s culture. [Canberra Times]

JP – Site Aims to Allow Whistleblowing Without Retribution

A Japanese Internet activist and academic is challenging a new state-secrets law by setting up a website aimed at making it easier for government officials to leak sensitive information to the media without getting caught. The website was unveiled and uses an open-source platform called GlobaLeaks. “I want to create a secure channel that people can use to transfer information without putting themselves in jeopardy,” said creator Masayuki Hatta. The site responds to a state-secrets law that went into effect last week that establishes prison terms of up to 10 years for public servants or others who leak state secrets. Reporters Without Borders called the law “an unprecedented threat to freedom of information.” [Reuters] [Right to privacy still tentative in Japan] SEE ALSO: [MB: Ombudsman prods city on HQ]

US – NSA Releases 12 Years’ Worth of Internal Reports

On December 24, the US National Security Agency (NSA) made public 12 years’ worth of internal reports for the President’s Intelligence Oversight Board. Even so, the reports indicate that the NSA conducted illegal surveillance with mild or no consequences. The reports, which are heavily redacted, were released in response to a Freedom of Information Act (FOIA) lawsuit brought by the ACLU. [Ars Technica] [The Register]


UK – Foreign Criminals’ Data Taken Off Police Records

Biometrics commissioner warns privacy laws meant to protect innocent could also guard those committing offences abroad: Thousands of foreign criminals who have been convicted of offences outside England and Wales have had their DNA profiles and fingerprint details deleted from British police databases, a Home Office watchdog has revealed. Alastair MacGregor QC, the biometrics commissioner, has warned the Home Office that this “obviously unsatisfactory state of affairs” might be putting the public at unnecessary risk. The commissioner says there is a gap in the law as a result of new rules designed to remove DNA profiles and fingerprints of innocent people from the police national computer. He says this gap means the biometric details of those arrested but not charged with an offence in Britain cannot be held indefinitely solely because they have been convicted of an offence outside England and Wales. “If the police wish to retain the biometric records of such individuals and have no other basis for doing so, they have no option but to go back to those individuals and (re-arresting them) to take further samples and fingerprints from them,” said the commissioner, voicing concern about the burden this places on forces. MacGregor says re-arresting and re-sampling a suspect following his conviction outside England and Wales could prove a greater invasion of their privacy than simply holding onto the DNA and fingerprints samples already taken from them. The commissioner also says rules that restrict the holding of DNA and fingerprint details of foreign-national criminals on the police national computer have severely limited the practical use of the powers for British police forces. [The Guardian]

Health / Medical

US – Better Communication Can Mitigate Patient Privacy Concerns: Research

Research reveals that patient privacy concerns could be alleviated by improved communication between individuals and the primary care physician. The survey, conducted by Xerox, found that data security remains a top concern; nearly 35% did not use a portal to interact with their electronic health records. “With providers facing regulatory changes, mounting costs, and patients who increasingly seek access to more information, our survey points to an opportunity to address issues by simply opening dialogue with patients about patient portals,” said Xerox Commercial Healthcare Chief Innovation Officer Tamara St. Claire, adding, “Educating patients will empower them to participate more fully in their own care while helping providers demonstrate that electronic health records are being used in a meaningful way.” [Health IT Security]

US – Consumer Watchdog Tells Insurance Customers to Boycott Medical Database

Consumer Watchdog is calling on customers of Anthem and Blue Shield to boycott a new healthcare database. Backed by $80 million from the two insurance companies, the California Integrated Data Exchange, or Cal Index, would provide state hospitals and doctors with a one-stop database for patient medical records, but Consumer Watchdog argues the plan is being rushed ahead without considering privacy vulnerabilities. The insurers have already sent out nine million notices to customers advising them of their inclusion in the database unless they opt out. “We urge people to opt out because Anthem and Blue Shield have failed to notify consumers of everything they plan to do with their medical information,” said Consumer Watchdog’s Carmen Balber, adding the insurers “have jumped the gun.” [Los Angeles Times] [California Health Database Must Address Privacy, Consumer Group Says]

US – Many Patients Block Access to Electronic Records in Study

Nearly half of the patients who were allowed to choose whether or not to share their electronic records with physicians, nurses, or other clinic employees chose to block the access of some providers to all or a subset of their health information in a study conducted at an Indianapolis safety net clinic. In a companion article about provider reactions to patient control over access to information, the majority of physicians supported the principle of patient control of EHRs but expressed concern over the consequences for the quality of care and the physician–patient relationship. The two studies were part of a group of related papers published online and in a January supplement to the Journal of General Internal Medicine. The research was sponsored by the Office of the National Coordinator of Health IT and conducted by Indianapolis’ Regenstrief Institute. [MedScape] SEE ALSO: [High noon for federal health records program?] and [Neil Wilkinson, former chair of Capital Health, claimed $450,000 in honoraria]

US – Expanded Newborn Screening Raises Privacy Concerns

President Barack Obama is expected this week to sign into law a $100 million bill renewing federal funding for newborn screening. Involving a pinprick to a baby’s heel and a few drops of blood, newborn screening is intended to identify serious disorders within a few days of birth. But privacy advocates worry about the government collection and long-term storage of newborn DNA. The federal law, first authorized in 2008, now includes for the first time an amendment acknowledging privacy concerns over dried blood spots stored on cards and kept on file by state governments: For blood spots used in federally funded research, scientists must obtain a consent form signed by the parents. (The consent requirement will remain in place for up to two years, until the Department of Health and Human Services updates rules governing research on human subjects.) [WorldMag]

US – Insurance Company Sued for Mail-Order Policy for AIDS Drugs

A San Diego man and Consumer Watchdog have filed a lawsuit against Aetna alleging the insurer violates the privacy of individuals with HIV and AIDS by requiring them to get necessary medications through mail-order delivery. An Aetna spokeswoman said the policy is part of a strategy to keep health plans affordable. Consumer Watchdog Attorney Jerry Flanagan said, “Requiring health plans to offer coverage for patients with a preexisting condition means little if the insurer can charge these patients exorbitant co-insurance or only cover care through inconvenient and ineffective mail-order requirements that put the patients’ health and privacy at risk.” [Associated Press]

Horror Stories

US – The Latest in Breaches, and a Prediction for 2015

Chick-Fil-A has announced it is investigating a possible data breach after it “received reports of potential unusual activity involving payment cards used at a few of our restaurants,” stating also that the breach may be the common link in the loss of 9,000 sets of card details. A group of hackers associated with the activist group Anonymous has taken responsibility for hacking the online retailer Amazon, compromising customers’ user names, passwords and credit card information. Experian’s Second Annual Data Breach Industry Forecast estimates that healthcare data breaches will cost $5.6 billion in 2015. [Source] [Security in 2015: Will you care about the next big breach?] [Top hack attacks of 2014: Love, nudity and politics] [US: 10 recent data breaches]

WW – ICANN Reports November Hack

Unknown attackers hacked sensitive systems operated by the Internet Corporation for Assigned Names and Numbers (ICANN), which allowed them to take control of employee email accounts and access personal information of business contacts. ICANN said, in a release, the breach also gave attackers administrative access to files stored in its centralized zone data system and personal information of account holders who used the system. The breach occurred last month, ICANN says. The group controls the Internet’s domain name system and so is a prime target for hacking attacks that aim to get data that can be used to then breach other targets, the report states. [Ars Technica]

US – Federal, Health Cyber Attacks “Skyrocketing”

A review of cyberattacks against federal agencies during the past year concludes that the number of government system breaches is “skyrocketing.” FireEye’s Tony Cole said, “This is a global problem. We don’t have a malware problem. We have an adversary problem. There are people being paid to try to get into our systems 24/7.” Meanwhile, GovInfoSecurity profiles the biggest health data breaches in 2014, according to the latest federal tally, noting that security incidents involve a range of causes, including insider threats, missteps by business associates and hackers. Additionally, the National Credit Union Administration, itself a federal regulator, will review its data security policies following the loss of sensitive consumer data during an audit. [CNN] [Star investigation: 3 GTA hospitals don’t proactively audit access-to-patient files]

US – Class-Action: Kmart Breach Due to Brand’s Failure to Protect

A federal class action claims Kmart’s failure to protect customer information with “elementary” security measures left banks liable for the resulting fraud. First NBC Bank filed the class-action against Kmart Corp. and its parent, Sears Holding Corp., over an announcement hackers had breached Kmart’s payment data systems in September, the report states. First NBC Bank says the hack occurred because of Kmart’s outdated anti-virus system, which hadn’t been updated to detect the malware hackers used. Kmart has not disclosed how many were affected by the breach. [Courthouse News Service]

US – Staples Confirms Breach of 1.2 Million Credit Cards

Staples confirmed that hackers had compromised approximately 1.2 million customer credit cards. The confirmation by the company is an update on the breach that was originally announced in October. Cyber criminals, in this case, deployed malware to point-of-sale systems in 115 stores across the U.S. According to Staples’ investigation, criminals may have had access to “cardholder names, payment card numbers, expiration dates and card verification codes.” [US: Staples data breach unlikely to dampen holiday shopping] SEE ALSO: [130K users’ data leaked via China’s train ticketing site]

US – Customers Sue Target

In related news, a federal judge ruled that a consumer lawsuit against Target can proceed. U.S. District Court Judge Paul Magnuson wrote, “Plaintiffs’ allegations plausibly allege that they suffered injuries that are ‘fairly traceable’ to Target’s conduct.” Meanwhile, Boston Children’s Hospital agreed to pay $40,000 and strengthen its data security after a breach affected 2,100 patients. [USA Today]

Identity Issues

US – IOWA: Driver’s License App On a Smartphone Raises Privacy Issues

A smartphone app that drivers in Iowa will be able to use as an official driver’s license could lead to privacy abuses by law enforcement. In 2015, the Iowa Department of Transportation (DOT) plans to become the first to offer the apps to drivers for free, according to published reports. “The way things are going, we may be the first in the nation,” Iowa DOT Director Paul Trombino was quoted as saying in a report published in The Des Moines Register. The driver’s license app will be accepted by Iowa police during traffic stops and by airport security officers screening travelers, Trombino said. Thirty states already allow drivers to show proof of insurance via a smartphone app, so allowing them to also identify themselves as licensed drivers on a smartphone is a natural extension. However, handing police officers or security screeners your smartphone gives them access to a lot more than your license, according to Forrester analyst Heidi Shey. “The privacy concerns that have been brought up already about this are all worth considering. Putting a driver’s license on a smartphone app leaves the door open to privacy violations simply due to device access,” Shey said. For example, if a police officer pulls over a driver for a traffic violation, the officer typically takes the license and registration back to the patrol vehicle to process the information. While the U.S. Supreme Court ruled in Riley v. California that a warrant must first be obtained prior to searching the contents of a cell phone, that ruling could be thwarted by officers citing “probable cause” or “exigent circumstances.” “One well-recognized exception [to a warranted search] applies when ‘the exigencies of the situation’ make the needs of law enforcement so compelling that a warrantless search is objectively reasonable under the Fourth Amendment,” the Supreme Court wrote in its decision.
The Electronic Privacy Information Center, a research group in Washington, filed a brief as part of the Riley case before the Supreme Court. Alan Butler, EPIC’s senior counsel in Washington, said while there’s “no direct application of Riley” because the Iowa mobile app is being built to act only as an ID, it still raises a host of privacy concerns – not the least of which is all the searchable private information on a smartphone. Additionally, what if the driver were to get a phone call or text message while the smartphone was in a police officer’s possession? “And, what is the app doing? Is it collecting additional information about me, whether intentionally or unintentionally?” Butler said. “What is my device doing when it’s using the app? Is it leaking private information about me without my knowledge?” There are also practical reasons a smartphone could fail as a means of legal ID, including a dead battery. [ComputerWorld]

Internet / WWW

WW – CSA: Cloud Privacy Top Issue

The Cloud Security Alliance (CSA) has said data privacy is a top issue for industry in 2015 across the globe, citing “Microsoft’s ongoing battle with the U.S. government over emails contained in an offshore data center as prime example of the battles that lie ahead.” CSA’s Jim Reavis described the Microsoft case as “one of the biggest issues we’ve seen” for cloud security and adoption. Meanwhile, Iceland could become the “Switzerland of information,” with data centers located in a country that “is in the initial stage of implementing the most progressive data-privacy laws in the world.” [TechTarget] [The Irish government has sided with Microsoft against demands by the U.S. government for the company to share data held on servers in Ireland]

WW – Cloud Computing Standard Released, but Will It Be Obeyed?

While cloud computing is emerging, transparency, confidentiality and control are key concerns of potential cloud clients. Cloud clients often lack the necessary information on how the information moved to the cloud is safeguarded and processed, and on what happens if they want to move to another provider or if their provider terminates its operation or changes the terms of its policies. At the European Commission’s urging, the national data protection authorities and the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) developed the new standard ISO/IEC 27108. The acceptance of the standard and its ability to live up to the expectations of its developers remain to be seen in practice. [Full Story]

Law Enforcement

US – Duluth Case Shows Police Body Camera Footage Is New Legal Battleground

When a man in Duluth, Minnesota, barricaded himself in a garage at his home and threatened to kill himself with a knife, police officers shot him twice. The incident, which happened in August, was captured on police body cameras. Months later, city officials who want the body camera video kept secret are in a battle with advocates of police accountability that many believe will be fought out in the Minnesota legislature. The man who was shot by police, 34-year-old Joe Zontelli, survived. The two officers involved were cleared of wrongdoing. But the incident made news in the midwest city of 86,000, and after an investigation was completed by the St Louis County attorney Mark S Rubin, reporters expected the video to be released. It was not. Tom Olsen, a reporter for the Duluth News Tribune who filed a public records request for the police body camera videos, said that under normal circumstances, reporters would have received their information requests after an investigation was complete and a press conference held. The county prosecutor reviewed body camera footage, but authorities didn’t release the videos. Gunnar Johnson, the Duluth city attorney, instead used a legal maneuver to try to temporarily classify the video – and future videos from other cases. Duluth requested the state clarify what body camera footage is public and what should be kept private, through an unusual request to Minnesota’s information policy analysis division. The office denied Duluth’s request, in what will be the final word on the issue unless the legislature picks it up this spring. Johnson said his office was now “working” with the decision, “with the support of other municipalities”. 
[The Guardian] [The Minnesota Department of Administration has declined an application by the Duluth Police Department that would restrict public access to police body-camera video] SEE ALSO: [Spokane: Police body camera pilot ends; review and implementation next] and [LAPD to buy 7,000 body cameras] and [Cops with cameras coming to Durham, Ontario] and [Calgary Police chief says new tech ‘absolutely’ compliant with privacy laws] and [US: Seattle Police Held a Hackathon to Figure Out How to Redact Body Cam Video Streams] and, finally, [U.S. Army will launch 2 missile surveillance blimps over Maryland]


WW – TTIP Negotiations Continue, While Leaked TISA Negotiation Proposals Have Critics Speaking Out

Negotiations continue between the EU and U.S. on the Transatlantic Trade and Investment Partnership (TTIP), a deal to cut tariffs and regulatory barriers to trade. While supporters say it will open up new markets and reduce trade costs, opponents are concerned the agreement threatens privacy by encouraging surveillance of personal data. Meanwhile, negotiations are also underway for the Trade in Services Agreement (TISA), in which the U.S. aims to free up data flows online. Leaked proposals in the negotiations have an Australian advocate saying they include rules that would “threaten privacy and civil rights protections for digital personal data.” [BBC News]

Online Privacy

WW – Facebook Has New Search Feature; Class-Action Over Ads Will Continue

Facebook’s new keyword search feature has “enormous implications” for advertising, developers and Facebook itself. With the new feature, users can search stories from their friends and surrounding network, which could add up to more than a trillion posts, according to CEO Mark Zuckerberg. “Privacy by obscurity is basically dead … Now anyone armed with the right, or wrong, keywords can pull up your worst moments and either quietly judge or publicly shame you,” the article states. Meanwhile, a federal judge has denied Facebook’s request to dismiss a class-action suit claiming it violated the U.S. Wiretap Act, saying because of “Facebook’s unwillingness to offer any details regarding its targeted advertising practice” she couldn’t determine whether the practice falls under an “ordinary course of business” exception. [TechCrunch] See also: [ThinkUp Helps the Social Network User See the Online Self] See also [The Slow Death of ‘Do Not Track’]

EU – Dutch DPA Investigating Facebook Privacy Policy

A day after warning Google it may fine it nearly 18 million euros for alleged privacy violations, the Dutch Data Protection Authority (DPA) has said it is also investigating Facebook’s recently revamped privacy policy. The changes, set to go live in January, attempt to simplify the site’s privacy policy, but the policy also states Facebook may use data it collects to sell advertising. The Dutch DPA is looking into that and has asked the company to delay rolling out its new privacy policy until the investigation is completed. “We were surprised and disappointed to learn about the inquiry,” Facebook said, noting it “routinely” reviews such updates with Ireland’s Office of the Data Protection Commissioner for compliance with the EU Data Protection Directive. [The New York Times] see also: [Google Faces $19M Fine Over Privacy Policy]

Other Jurisdictions

RU – Data Protection Law to Become Effective One Year Earlier Than Planned

On December 17, the lower chamber of the Russian Parliament passed legislation that would change the effective date of Russia’s new law requiring local storage of Russian citizens’ personal data from September 2016 to September 2015. Impacted businesses hoped the law would not go into effect until 2016 because of practical considerations that would require the reworking of IT systems to meet the deadline. The Federation Council and president must now approve the change, which would mean businesses “will lose a year of reviewing and implementing their compliance obligations under the law,” the report states. [Hogan Lovells’ Chronicle of Data Protection]

CH – Chilean Bill Aims to Establish Enforcement Body

The Chilean government will soon introduce legislation to create an autonomous body to oversee data protection issues, according to Deputy Economy Minister Katia Trusich. The new law would also require companies to register databases containing personal information but would aim to strike a balance between protecting personal data and allowing it to circulate, Trusich said. “This is an urgent issue for Chile,” Trusich said. Chile’s current data protection framework was enacted in 1999 and is based on Spain’s model. While it aims to protect individuals’ personal information, it doesn’t contain a provision for an enforcement agency or provide sanctions for violations. The new bill aims to close the gaps. [Bloomberg BNA]

NZ – Privacy Commissioner to ‘Name and Shame’ Wayward Corporates

Until recently, Privacy Commissioners rarely named wayward corporates. Instead they relied on bringing tribunal proceedings, which are steps that are time consuming and expensive, and therefore taken only on limited occasions. Now, like other regulators such as the Commerce Commission, the Privacy Commissioner will, in appropriate cases, ‘name and shame’. For many corporates that is a much bigger negative than, say, being ordered to pay a penalty. With greater regulatory exposure, corporates should up their privacy compliance. Plus, when the Privacy Commissioner starts to investigate they should be proactive and careful in managing the situation. [Lexology] SEE ALSO: [NZ: Veil of privacy could be lifted on suspect surgeons] See also [US – Another Voice: Campaign finance disclosure laws may invade citizens’ privacy]

AU – South Australia’s Worst Fine Evaders Have A ‘Right To Privacy’, Civil Liberties Group Says

Naming South Australia’s worst individual fine evaders online is an invasion of privacy, according to the SA Council for Civil Liberties. The State Government yesterday published the five worst individual offenders and the three worst companies in an effort to embarrass them into paying hundreds of thousands of dollars in unpaid fines. Attorney-General John Rau said the Government had some success in the past by “naming and shaming” those with outstanding debts. But the council’s spokesperson, George Mancini, said the Government needed to recognise people’s right to privacy. He said he was concerned because the information would not normally be available to the public, despite legislation enabling the Government’s fines recovery unit to publish the names of anyone who has not paid a fine. “One of the reasons it’s not available is because it’s confidential, or it’s private information, even just your name and the fact that you have a fine, your date of birth and the amount of the fine,” Mr Mancini said. “Their identity is all information that is not ordinarily available to anybody.” [ABC Net]

WW – Rest of the World News Roundup

Privacy (US)

US – FTC Finalizes Charges with Snapchat

The FTC has finalized a settlement with Snapchat, according to the agency. The complaint, which was originally announced last May, alleges the company deceived customers with guarantees that messages would be deleted and that appropriate security measures had been taken to protect data. The final order states the company must not misrepresent how it handles the data of its customers and that Snapchat “must implement a comprehensive privacy program monitored by an independent privacy professional for the next 20 years.” [FTC]

US – Advocates File Suit to Block Use of Driver Databases for Immigrant Deportation

Immigrant advocates filed a lawsuit over concerns that federal immigration agents could use state driver’s license databases to track down people for deportation. The National Immigration Law Center sued the Department of Homeland Security demanding documents detailing how federal immigration agents access and use driver’s license data. The lawsuit comes after immigrant advocates in Maryland received reports that federal agents earlier this year arrested several immigrants with prior deportation orders after apparently identifying them with help from a driver’s license photo and vehicle information. It also comes about two weeks before California starts issuing driver’s licenses to immigrants in the country illegally. More than 1 million people are expected to apply over the next three years. “We need to at least know what the current policy is,” said Melissa Keaney, an attorney at the Los Angeles-based advocacy organization. “We don’t want to cause unnecessary panic, but we don’t want to cause a repeat of what happened in Maryland.” The lawsuit aims to compel Homeland Security and Immigration and Customs Enforcement (ICE) to release records under the Freedom of Information Act that were requested in April. ICE declined to comment on the suit. The agency does not use driver databases to identify immigration enforcement targets but “like other law enforcement agencies, ICE may use DMV data in support of ongoing criminal investigations or to aid in locating individuals who pose a national security risk or public safety threat,” said Gillian Christensen, an agency spokeswoman. Ten states have approved driver’s licenses for immigrants in the country illegally, many of them with a distinct marker so the documents can be distinguished from those carried by US citizens and permanent residents. Meanwhile, a ruling by the US supreme court has moved thousands of young immigrants a step closer to obtaining driver’s licenses in Arizona. [The Guardian]

US – Oracle Acquires Datalogix, FTC Called Upon to Investigate

Oracle announced that it has acquired Datalogix, drawing criticism from privacy advocates worried the deal could give the company too much access to consumer data. According to an Oracle press release, Datalogix aggregates and provides analysis on more than $2 trillion in consumer spending, from offline to online advertising. In response, the Center for Digital Democracy’s Jeffrey Chester has called on the FTC to investigate the deal, noting it could violate Facebook’s consent decree with the agency. “Through the data it gathers on what we buy, and with its relationship with Facebook and other powerful marketers, Datalogix consists of an online treasure trove of data on Americans,” Chester said. [Full Story]

Privacy Enhancing Technologies (PETs)

WW – App Maker Pitches Self-Destruct Messaging To Hollywood

A startup is eyeing Hollywood in the wake of the Sony Pictures hack by offering a messaging app that never reveals the full text and then automatically destroys the conversation after it’s read. The app maker, Confide, launched an ad campaign on Tuesday, offering the business version of its self-destruct tool to entertainment studios, networks and labels for free, in perpetuity. [CNET] SEE ALSO: [8 Free Privacy Programs Worth Your Year-End Donations] and [Can New Messaging Apps Inadvertently Cause Spoliation?]

US – Boeing and Blackberry Create ‘Self-Destructing’ Phone

BlackBerry will help Boeing with its self-destructing “Black” phone, which has been in planning since 2012 and is capable of wiping all data if someone tries to access its content inappropriately. The phone is designed for government agencies with a need for secrecy. [The Telegraph] SEE ALSO: [The Affair: the fashion brand making stealth tech stylish]


US – FBI Investigating “Revenge Hacking”; Sony Hack May Have Been Inside Job

The U.S. FBI is looking into so-called “revenge hacking” by companies that have been breached by criminal hackers. The recent hack of Sony has generated “an intensifying and largely unspoken sense of unease inside many companies,” the report states, prompting some to “push the limits of existing law” to find ways of hacking back. Rep. Michael McCaul (R-TX) said, “It’s kind of a Wild West right now,” and some businesses may be conducting reactive hacking operations “without getting permission” from the federal government first. Similarly, The Washington Post published a Q&A with the Lizard Squad, the hackers who allegedly took down the PlayStation and Xbox networks on Christmas Day, which claims to have provided the Guardians of Peace—the group that released stolen data from Sony—with employee log-in credentials. Investigators familiar with the Sony hack now say the cause of the breach may have been a combination of a disgruntled employee and a piracy group and not North Korea as the FBI argues. [Full Story] and [Sony says PlayStation still has problems, gradually coming back online] [US: Hacked Sony ex-employees sue for privacy violations] and [The recent Sony Pictures hack has transformed the debate over cybersecurity legislation in Congress and may spur lawmakers to make changes.]

US – Simple Fix Could Have Thwarted JP Morgan Data Breach

A preliminary investigation of the massive breach at JP Morgan Chase last summer revealed that a simple security fix to an overlooked server could have prevented the damaging incident. Last spring, hackers stole the login credentials of an employee, but one of the servers did not have the two-factor authentication necessary to prevent unauthorized access, leaving the company vulnerable to attack. In response, JP Morgan has set up a “business control group” comprising technology and cybersecurity executives to analyze the incident and prevent another such attack. [The New York Times] [Two-factor authentication oversight led to JPMorgan breach, investigators reportedly found]

US – Seattle Police Hold Hackathon to Test Body Camera Footage Privacy

Seattle Police are planning to test body cameras on officers in the field, and in a “hackathon” they attempted to find a balance between releasing footage and redacting private details. Approximately 80 people attended the hackathon, working on techniques to redact such details as people’s faces or license plate numbers captured on film. Police departments in New York City and Los Angeles are also prepping to test body cameras. “With 1,612,554 videos already on our servers—and more on the way through our upcoming body cam pilot program—our department is looking for a better, faster way to redact those videos and make them accessible as public records,” Seattle police said in an announcement. [Slate]

Smart Devices

US – Despite Voluntary Code of Conduct, Smart Meters Privacy Worries Persist

Concerns persist about the smart grid’s impact on consumer privacy via smart meters. The Department of Energy will publish the final draft of a voluntary code of conduct on data privacy for smart meters this month. Thirty-eight million have already been installed in the U.S., the report states, gathering information about household electricity consumption at a granular level. Despite the voluntary code of conduct, critics are worried consumers will still be “cajoled or conned into giving up their data,” the report states, to power companies but also to third-party aggregators. “I think the data is going to be worth a lot more than the commodity that’s being consumed to generate the data,” said Miles Keogh of the National Association of Regulatory Utility Commissioners. [Politico]

US – Ford Names Data Analytics Officer; Advocates Worry About the Data Use

Ford has hired an executive to oversee its collection and management of the information it captures from its cars and trucks. Ford has hired Paul Ballew, a research expert, to be its chief data and analytics officer, a new title at the 113-year-old company. The data collection aims to enhance driver services, but it also has some worried that privacy and security will diminish. “There’s another facet that comes with them being able to provide all these services,” said Julia Horwitz, consumer protection counsel at the Electronic Privacy Information Center. “What are they going to do with your data?” Editor’s Note: The automotive industry recently unveiled privacy principles, but one U.S. Senator says they don’t go far enough. [International Business Times]


US – Senators Ask for Clarification on Cell-Phone Surveillance

In a letter to the Departments of Justice and Homeland Security, Sens. Patrick Leahy (D-VT) and Chuck Grassley (R-IA) have requested clarification on behalf of the Judiciary Committee on how federal law enforcement agencies use cell-phone data collection. Of particular concern is technology like “Stingray,” which is a device that mimics a cell-phone tower in order to sweep up the data of phone users in the area. The letter “demanded answers about how the FBI and other law-enforcement agencies protect the privacy of people whose cell-phone information is collected, even when they’re not targeted or suspected of wrongdoing.” [Source]

US – EFF Argues Privacy Case in Jewel v. NSA

The Electronic Frontier Foundation (EFF) told a federal judge that the NSA has illegally searched and seized U.S. citizens’ Internet communications. The privacy advocacy group argued in Jewel v. NSA that the agency violates the Constitution when it uses a method called “upstream” to access data, in this case, from AT&T customers. The class-action lawsuit was originally filed six years ago and dismissed in 2010 for lack of standing, but that was overturned in 2011. According to the report, “The case showcases the challenge of litigating matters that engulf both individual liberties and national security.” [Courthouse News Service]

US – IoT, Connected Cars, Wearable Tech to Make Big Showing at CES

The Consumer Electronics Association’s 2015 International Consumer Electronics Show starts next week. Connected cars will be represented at the show more than ever before; Audi, BMW, Chrysler and Ford will all be showcasing the new technology, among others. Wearable tech is also anticipated to make a big showing, and the Internet of Things (IoT) will be a main theme at the show, with more than 900 exhibitors showing products. Meanwhile, IoT continues to grow in popularity despite consumers’ privacy concerns, according to a report citing a new study indicating 65% of U.S. consumers are “moderately or extremely open to the idea of adopting smart home technology.” [CBS News]

US – Judge Throws Out Evidence Collected from Webcam

A federal judge this week threw out evidence collected from a webcam that was nailed to a utility pole near a suspected drug dealer’s house during a six-week period. The U.S. Justice Department argued the placement of the webcam is no different than posting a police officer to make the necessary observations. U.S. District Court Judge Edward Shea said a warrant is necessary to post a webcam controlled by the local police. Shea said, “The American people have a reasonable expectation of privacy in the activities occurring in and around the front yard of their homes, particularly where the home is located in a very rural, isolated setting,” and that such a reasonable expectation “prohibits the warrantless, continuous and covert recording” of the defendant. [Ars Technica] SEE ALSO: [Neighbourhood watch: how domestic CCTV is sweeping the UK]

Telecom / TV

EU – German Researchers Discover Flaw to Let Anyone Listen to Cell Calls

German researchers have discovered a flaw that could let hackers, spies and criminals listen to private phone calls and intercept text messages on a potentially massive scale. The flaws are to be reported at a hacker conference in Germany this month and describe insecurities on SS7, the global network that allows cellular carriers to route calls, texts and other services to each other, the report states. Even while carriers work to secure their systems, they still have to communicate with each other over SS7, “leaving them open to any of thousands of companies worldwide with access to the network,” so a single carrier in Kazakhstan could be used to hack into networks in the U.S., for example. [Washington Post]

WW – Researchers Find Apps Exploit Permissions

Android apps “really do use those permissions they ask for to access users’ personal information.” French researchers found, for example, that one online store records a phone’s location up to 10 times a minute. To conduct the experiment, researchers had volunteers use monitoring app Mobilitics, which was developed by researchers in conjunction with the French data protection authority, CNIL. Over a three-month period, Mobilitics recorded every time an app accessed personal data on the phone and whether that data was transferred to an external server, finding location was one of the most frequently accessed data points. Meanwhile, Hong Kong’s privacy commissioner has found Android apps “are able to access a user’s personal photos and files on Android version 4.3 or older without notifying them.” [PCWorld]

US Government Programs

US – NSA Reports Detail Decade’s Worth of Privacy Violations

On Christmas Eve, the NSA released more than a decade of reports detailing internal privacy violations. The reports include instances of employees accessing unauthorized information to spy on U.S. citizens. Meanwhile, there are five cases involving NSA surveillance that the U.S. Supreme Court could hear in 2015. [The Hill] [US: NSA reports detail decade’s worth of privacy violations]

US – Secret Service Has Not Submitted Digital Cyber Defense Reports: Auditor

According to a report from an internal auditor, the US Secret Service does not use two-factor authentication for network access and it does not abide by established rules for government agencies regarding network security monitoring. The DHS Office of Inspector General found the Secret Service refused to hand over mandatory data on its computer security systems to DHS in 2014. The office found that the Secret Service’s refusal to provide the required data “created a significant deficiency in the Department’s information security program,” the report states. The USSS CIO was concerned about “operational security” of data feeds [The Hill]. [NextGov] [DHS]

US – Obama Wants Congress to Introduce Information Sharing Legislation

At his end-of-year press conference, President Obama indicated that he would like to see the reintroduction of an intelligence-sharing bill in this legislative session. In the wake of the Sony Pictures breach, Obama said that he has a team working on seeing what can be done to prevent such attacks in the future, and that he would like to see Congress focus on “stronger cyber security laws that allow for information sharing across private sector platforms as well as the public sector.” [ZDNet]

US Legislation

US – Obama Signs Five Cyber-Related Bills into Law

For the first time in more than 12 years, major cybersecurity bills have become law after President Barack Obama signed five of them on Thursday. The five new bills include the Federal Information Security Modernization Act, the Homeland Security Workforce Assessment Act, the Cybersecurity Workforce Assessment Act, the National Cybersecurity Protection Act and the Cybersecurity Enhancement Act. [GovInfoSecurity] This FEDweek report outlines changes in cyber-incident reporting that come with the newly enacted Federal Information Security Modernization Act of 2014.

US – 2014 Legislative Roundup

US – State Legislative News Roundup

Workplace Privacy

WW – Whether Working or Job Seeking, the Algorithm Is Watching

Are you perusing LinkedIn at work more than usual? That small change in behavior could set off alerts in computer analytics programs used to surveil and rank employees, according to a forthcoming book, “The Reputation Economy: How to Optimize Your Digital Footprint in a World Where Your Reputation Is Your Most Valuable Asset.” If your LinkedIn browsing is noticed “by a recruiter, look forward to increased cold calls trying to lure you into new jobs,” the authors write. “If it’s caught by your company, look forward to either a conversation about what it would take to keep you — or a swift kick toward the door.” In my latest Sunday Business column, I wrote about “The Reputation Economy” and another coming book, “The Black Box Society: The Secret Algorithms That Control Money and Information.” Both books examine how companies are increasingly using sophisticated computer scanning systems to score people on their health risks, financial wherewithal and purchasing patterns — ranking systems of which consumers are often unaware. But the books’ descriptions of employee scoring systems are particularly noteworthy, whether you are currently a satisfied employee or seeking a new job. “The Reputation Economy,” for instance, describes how human resource departments and search firms are increasingly turning to software programs to automate the process of weeding out applicants with weaker résumés as well as identify job candidates to interview. Companies also use such scoring programs, the authors write, to rate their own workers — on productivity, teamwork, creativity and so on — and to identify promising employees to select for promotion or management training programs. [NY Times]

US – FBI Unit Studying How to ID Insider Threats

The profiling unit of the FBI, the FBI Cyber Behavioral Analysis Center, has begun a multi-year project studying how technology can help identify insider threats. “Is there a similarity between the person who is putting a logic bomb on your network and the person who is going to throw a bomb in your office?” asked Supervisory Special Agent Kevin Burton. “Are the behaviors different? Do they intersect?” Those are some of the questions the unit aims to answer to help federal managers detect otherwise hidden behavioral patterns, doing so within the bounds of privacy, the report states, adding that ultimately human beings—not computers—are behind breaches. [NextGov]

UK – Welsh Council Rapped for Covert Spying on Sick Leave Worker

A council that ordered covert surveillance of a sick employee has been ordered to review its practices following an investigation by data privacy watchdogs. An Information Commissioner’s Office (ICO) investigation found that Caerphilly Council breached the Data Protection Act when it ordered the surveillance of an employee suspected of fraudulently claiming to be sick. The surveillance was only authorised on anecdotal evidence and began only four weeks into the employee’s sickness absence. Caerphilly Council went straight to snooping on its worker using a private investigation firm without properly considering other options. The covert surveillance was used to compile a report, which was ultimately shelved having gone unused. The ICO determined the council did not have sufficient grounds to undertake the surveillance, especially at such an early stage of the employee’s absence, as an agreed data protection undertaking (PDF) explains. Anne Jones, assistant information commissioner for Wales, commented: “It shouldn’t need to be said that spying on employees is incredibly intrusive and must only be done as the last resort.” “Organisations need to be absolutely clear why they need to carry out covert surveillance and consider all other alternatives first. If it cannot be completely justified, it shouldn’t be done,” she added in a statement on the case. The ICO accepts covert surveillance of employees can be justified in some exceptional circumstances, such as suspicions the employee is engaged in criminal activity or equivalent malpractice. Covert surveillance should be used as a last resort when alternatives which respect the employee’s privacy have been considered and ruled out as inappropriate. The ICO’s Employment Practices Code, which covers monitoring of employees at work, can be found here (PDF)

Xmas / Seasonal

WW – Santa Claus Breaks the Law Every Year

Each year when the nights start growing longer, everyone’s favourite rotund old man emerges from his wintry hideaway in the fastness of the North Pole and dashes around the globe in a red and white blur, delivering presents and generally spreading goodwill to the people of the world. Who can criticise such good intentions? Despite this noble cause, Father Christmas is running an unconventional operation at best. At worst, the jolly old fool is flagrantly flouting the law and his reckless behaviour should see him standing before a jury of his peers. Admittedly, it would be a challenge to find eleven other omnipotent, eternally-old, portly men with a penchant for elves. Read on to find out four shocking laws Santa breaks every year. But be warned; this is just the tip of an iceberg of criminality that dates back centuries! [Source] SEE ALSO: [Elf on the Shelf: festive fun or Santa’s sinister spy?] AND [UK: Make sure gadget gifts are safe for youngsters] and [UK: Drones given as Christmas gifts will lead to soaring privacy complaints, watchdog warns] AND [Horrifying ‘sexy’ Santa selfies remind you to check your online privacy settings] AND [Ho, ho, ho! NSA reports on its spying naughtiness]


1-15 December 2014

Big Data

US – Does Data-Mining Have a Place at the Guggenheim?

A new trend across the country is seeing museums mining “increasingly detailed layers of information about their guests, employing some of the same strategies that companies like Macy’s, Netflix and Walmart have used in recent years to boost sales by tracking customer behavior.” Museums are using the data to make decisions about exhibit design, donor outreach and gift shop marketing strategies, the report states. But such data-mining has some critics questioning whether the big data revolution “has a place in the nonprofit arts world.” [The Wall Street Journal]

US – ‘Womb-to-Workforce’ Data-Mining Scheme Sparks Revolt

Privacy advocates are calling for a moratorium on the Pennsylvania school system’s sweeping data-collection program, which they say is part of the federal government’s goal of being able to track the development of every child “womb to workforce.” All 50 states have been mandated by the U.S. Department of Education to establish inter-connected “longitudinal databases” accumulating information on every student from pre-kindergarten through college. Two groups, Pennsylvania Against Common Core and Pennsylvanians Restoring Education, are asking Gov. Tom Corbett to place a moratorium on data collection in the Pennsylvania Information Management System or PIMS. The system gathers information on students in all 500 school districts across the state and some schools have started collecting behavioral data that goes beyond testing for academic knowledge, according to the two organizations. The two groups are also asking the state attorney general’s office to launch an investigation into possible violations of student privacy laws. [Source]


US – Stakeholders Work on Facial Recognition Code of Conduct

Attempts to create a multi-stakeholder, voluntary code of conduct for the commercial use of facial recognition continued at the Commerce Department, as the “National Telecommunications & Information Association’s John Verdi moderated a wide-ranging discussion about language on issues including data retention/disposal, security and deletion.” The focus this week was on the language surrounding the retention, security and disposal of biometric images. The Center for Digital Democracy’s Jeff Chester urged the group to include more specific language on data use, but a representative from Facebook said that too much “granularity” would make the code too prescriptive. [Broadcasting & Cable]

WW – The Vending Machine of the Future Is Here, and It Knows Who You Are

The “vending machine of the future” is the first vending machine with facial-recognition technology. The machines are able to “identify and greet a user, remember a person’s preferences and even refuse to vend a certain product based on a shopper’s age, medical record, dietary requirements or purchase history,” the report states. A school can in fact link the machine with its database and direct it to refuse to sell certain products to underage students, or a gym could program the machine with its membership database so the machine wouldn’t vend sugary or high-fat products to a person on a diet, for example. [The Telegraph]

US – Pizza Hut Launches Digital Menu that Reads Your Mind by Tracking Eye Movement… And Tells You What to Order In 2.5 Seconds

It can tell you what you want to eat in the blink of an eye, simply by tracking the movement of your retina. In exactly 2.5 seconds the subconscious menu reads the minds of customers, by using a mathematical algorithm to identify a customer’s perfect pizza. The incredible software was developed for Pizza Hut by Swedish eye tracking technology pioneers Tobii Technology. Taking six months to build, the menu is completely controlled by the customer’s retina. [The Daily Mail]


CA – Supreme Court: Limited Warrantless Phone Searches Are Legal

In a 4-3 decision, the Supreme Court of Canada has ruled police may conduct limited searches of suspects’ cell phones without getting search warrants if they follow strict rules. “When is it okay for the police to conduct a warrantless search of a cell phone when making an arrest? The short answer, according to the Supreme Court’s decision in R. v. Fearon, is ‘sometimes,’” he writes. Beyond that point, Brown writes, “I’m really only sure about a couple of things. First, there is no reason to worry that the police are about to start searching everyone’s mobile device. Second, the law can be incomprehensible and impractical at times.” [IAPP Privacy Tracker] See also: [Privacy Commissioner Daniel Therrien told the House Privacy Committee if Bill C-13 passes without amendment, it could face a Charter challenge] [Canada: Missing Persons Act ‘broadly worded,’ says lawyer Mike King] and [Alberta privacy commissioner to investigate leak of Lukaszuk phone bill] and [A new paper in The John Marshall Journal of Information Technology & Privacy Law contends Canada’s federal anti-spam legislation, CASL, “creates unconstitutional limits on free speech,” stating CASL violates freedom-of-expression guarantees in the Charter of Rights and Freedoms.]

CA – Province to Legislate What Police Can Disclose About Innocent Ontarians

Ontario will table legislation in the new year detailing for the first time what information police can — and cannot — disclose to employers, volunteer agencies and academic institutions about Ontarians who have not been convicted of a crime, the Star has learned. A lengthy Toronto Star investigation earlier this year detailed how the routine release of police-held information about innocent Ontarians has ended careers, undermined job prospects, forced students out of university and college programs and ended up in the country’s criminal records database which is accessed by U.S. border officials who have used it to restrict the travel of Canadians. Once a policy is developed it will go before a cabinet committee for review, then to cabinet for approval, he said. If approved, legislation will be drafted. He said he expects tabling in the legislature by spring. [Source] See also: [Revealing ‘sensitive’ surveillance details worried Ottawa: memo]

CA – Former Privacy Commissioner and Journalist Bruce Phillips Dead at 84

Former journalist and federal privacy commissioner Bruce Phillips has died. He was 84. A statement from his family says he died of kidney failure on Saturday in Penticton, B.C. The statement says he suffered a stroke in June. Phillips worked for a number of media outlets during his career including CTV news in the 70’s and 80’s. Among his other duties he hosted the CTV show “Question Period.” He later served as Canada’s privacy commissioner between 1991 and 2000. Phillips was invested in the Order of Canada in 2010. After leaving the office of the privacy commissioner, Phillips retired to B.C.’s Okanagan region to be near his two daughters. [The Canadian Press] See also: [2014 Year in Review]


US – Retailers Dabbling With In-Store Beacon Technology

Stores are turning to beacons to help communicate with and entice in-store shoppers. Macy’s, for example, has installed the low-frequency technology in all 840 of its stores, while Kohl’s is testing them out in various locations. Shelfbucks CEO Erik McMillan said the technology will “skyrocket” from the 50,000 that are currently being used to as high as 10 million in the next year. A survey conducted by Swirl revealed 30% of in-store customers made a purchase after receiving a beacon-enabled “push ad.” Still, some are concerned about being tracked. One IT administrator said, “If a retailer really wants to draw me into their store, showing me deals before I get to the mall is a better way.” [Associated Press]

US – Consumer Privacy to Be “Major Factor” in 2015

Over the past year, privacy has become a political and business issue. That’s according to a report that cites recent surveys indicating consumer privacy “will likely become a major factor for businesses in 2015.” The report considers the many privacy-focused products companies have launched and cites a Ponemon Institute survey that found “more than half of U.S. companies and about two-thirds of EU companies placed more trust in open-source commercial code to reduce privacy risks, compared with closed-source code.” Larry Ponemon said, “The problem for many companies is that proprietary software potentially may be doing things with your data that you might not know.” [eWeek] [US: Data Privacy Became a National Political, Business Issue in 2014]

CA – British Columbians Becoming More Concerned About Sharing Their Health Data

Half of British Columbians are “very willing” to allow health researchers to study their personal health records provided the information is anonymous, but that number has been dropping over growing privacy and security concerns, a new Mustel Group poll reveals. Last year, 63% of British Columbians polled as very willing. “Concerns about sharing data is growing in the public’s mind,” Mustel research consultant Phil Giborski told participants at The Data Effect conference in Vancouver Monday. “Their main concerns are that they will not remain anonymous and guarantees against hacking cannot be provided.” [Source]


US – Gas Tax Tracking Raises Privacy, Fairness Concerns

As more California drivers shift toward using energy-efficient vehicles, state officials are trying to come up with alternative revenue generators for the highway budget. A main source of the revenue is from a gas tax, but a mileage-based concept is being considered in California as well as nine other states. In order to track vehicles’ mileage, cars would have to be equipped with odometer readers, smartphone applications and GPS technology, all of which raise privacy concerns. Privacy advocates are worried the data could potentially be used not only to track total mileage but to learn when and where people drive. [Los Angeles Times]

US – Iowa Mobile ID Program Raises Privacy Questions

The state of Iowa is proposing using a mobile app as an alternative to a traditional driver’s license and may be the first in the nation to do so. The idea has been proposed by Iowa Department of Transportation Director Paul Trombino, who promises the free, government-developed app would be secure. He describes the digital license as an “identity vault app” that would require Iowans to use PINs to verify their identity. But opponents to the plan worry about what happens if a police officer takes a smartphone back to the cruiser to check a driver’s license and the driver has sensitive content on the device they’d rather not make available to police. Questions arise, such as, would the digital license app display only the phone ID or also have access to the entire phone? [InformationWeek] See also: [It’s 10pm, Do You Know Where Your Kids Are? (This App Does)] and [NZ: Husband of ex-MP loses job for peek at records]


US – Microsoft Draws Support for Fight Against Government Demand for Customer eMails

Major tech companies, including Apple, Verizon, and eBay, are lending their support to Microsoft in its effort to resist a US Justice Department demand for information held on a company server in Ireland. The companies, along with business associations and news media outlets have filed briefs urging that the Justice Department’s warrant be thrown out. Many noted that to require Microsoft to surrender the data would cause damage to US businesses. In a blog post, Microsoft General Counsel Brad Smith wrote, “This case involves not a narrow legal question, but a broad policy issue that is fundamental to the future of global technology.” [NextGov] [CS Monitor] [WIRED] [ComputerWorld] [Microsoft Makes Argument in Email Privacy Case] See also: [Damning emails withheld from media, opposition: Manitoba ombudsman]

Electronic Records

WW – Study Calls Nymity Accountability Framework Most Relevant

The recent “Privacy Accountability Management Framework for Data Controllers Operating across Asia” study, which examined six privacy accountability frameworks, named the “Nymity Accountability Framework as the most creditable, practical and relevant framework to address the data protection laws of nine Asian jurisdictions,” according to a media release. Nymity’s Terry McQuay said, “We are absolutely flattered at the recognition as we had no knowledge that this study was being conducted … Based on the feedback provided in the study, we have modified the Nymity Privacy Management Accountability Framework to ensure 100-percent coverage for compliance.” [PR Newswire]


US – Prosecutors Want Phone Makers to Help Them Access Data on Encrypted Devices

Federal prosecutors have invoked an 18th century law, the All Writs Act, to compel smartphone makers to decrypt seized devices in two separate cases. Judges in both cases ordered the device manufacturer to provide “reasonable technical assistance” to help decrypt the information. [Ars Technica] [The Register] SEE ALSO: [People Want Safe Communications, Not Usable Cryptography]

US – Encryption Standard Will Allow Law Enforcement Access

“Verizon is the latest big company to enter the post-Snowden market for secure communication, and it’s doing so with an encryption standard,” Bloomberg Businessweek reports. The product, known as Verizon Voice Cypher, was introduced with encryption company Cellcrypt and “offers business and government customers end-to-end encryption for voice calls on iOS, Android or BlackBerry devices equipped with a special app,” the report states, noting it provides secure communications “regardless of their wireless carrier, and it can also connect to an organization’s secure phone system.” Verizon and Cellcrypt said law enforcement will have the ability to access Voice Cypher communications if they can “prove that there’s a legitimate law enforcement reason for doing so,” the report states. [BusinessWeek]

EU Developments

UK – Court Rules Gov’t Intel Spying Legal; WP29 Releases Working Doc

A British court that oversees the nation’s intelligence agencies has ruled that mass electronic surveillance of citizens’ cell phones and online activity is legal. A complaint against the programs had been brought by a group of privacy advocates and Amnesty International. The groups have said they will appeal to the European Court of Human Rights. Privacy International Deputy Director Eric King said the decision “is a worrying sign for us all.” [The New York Times] SEE ALSO: [The Article 29 Working Party released its Working Document on surveillance of electronic communications for intelligence and national security purposes. This is the legal analysis of the group’s opinion on electronic surveillance for national security] and [UK: Fight against terror should not trump privacy rights – Human Rights Commissioner]

EU – Commission Enacts Gag Order for Safe Harbor Talks

The EU Commission is imposing gag orders on MEPs and preventing journalist access to discussions at the European Parliament’s LIBE Committee. Such clampdowns occur whenever an official is to speak on ongoing negotiations with the U.S. about Safe Harbor, the report states. MEPs face the risk of sanctions if they discuss the issue outside of the room during these “in-camera” sessions, as they’re called. Last week, Dutch MEP Sophie in ‘t Veld and German MEP Cornelia Ernst voted to suspend the Safe Harbor session but were outvoted and the meeting was kept secret. “We hear absolutely nothing that justifies the in-camera. Nothing,” in ‘t Veld said. [EUObserver]

EU – WP29 Seeks Consistent Data-Transfer Agreement Approach

The Article 29 Working Party has agreed on a new “Co-Operation Procedure for Issuing Common Opinions on Contractual Clauses” that aims to help companies that want to rely on model contracts to export personal information from the European Economic Area (EEA). “The procedure adopted by the Article 29 Working Party recognizes the need for a truly harmonized approach to handling data-transfer agreements throughout the EEA,” Jan Dhont and David Dumont of Lorenz write, adding, “Consistent approaches will become even more important under the future General Data Protection Regulation, which exempts model contracts from prior DPA authorization.” [The Privacy Advisor]

EU – Falque-Pierrotin Criticizes Risk-Based Approach

CNIL President and Article 29 Working Party Chairwoman Isabelle Falque-Pierrotin has warned that too much reliance on the so-called “risk-based approach” to privacy could undermine fundamental human rights. Addressing the French Parliamentary Commission on Digital Rights, Falque-Pierrotin said the risk-based approach is useful “as a guide to allocate resources but should not affect the underlying rights of the data subject.” She also said that accountability should be applied to all processing, including low-risk processing. [Hogan Lovells Chronicle of Data Protection] See also: [French data protection agency, the CNIL, has undergone a reorganization leading to the creation of a compliance directorate with the goal of supporting data controllers in compliance efforts] AND [The French data protection authority, the CNIL, has published a Methodology for Privacy Risk Management, while the UK Information Commissioner’s Office has issued a code of practice for conducting privacy impact assessments (PIAs) and commissioned a research study on PIAs and risk management. More recently, the Article 29 Working Party issued a new opinion on legitimate interests of the data controller.]

UK – Social Media Urged to Simplify Terms and Conditions by UK Parliament

A report issued by the House of Commons Science and Technology Committee is calling on the government to work with the Information Commissioner’s Office (ICO) to develop a set of information standards that would commit websites and apps to explain how they use personal data in clear, concise and simple terms. The committee’s report suggests that an internationally recognised Kitemark could be the first step towards ensuring the responsible use of UK citizens’ data by social media platforms and other organisations. [Source]

EU – EU Privacy News Roundup

Facts & Stats

US – Uber Disciplines One Employee; Faces Class-Action from Another

Uber Technologies has taken unspecified disciplinary action against a manager for tracking a journalist’s movements. The car-booking company had been investigating the actions of a general manager at its New York business for monitoring the whereabouts of a reporter without her permission. Meanwhile, Business Insider reports on the amount of data Uber and Lyft collect according to their Android privacy policies, and an Uber driver has filed a lawsuit in California seeking class-action status. The suit claims Uber accessed his credit report to unfairly fire him. [Today] and [Why Uber has a Canadian privacy problem]


US – US Treasury Department Says Tor is a Major Source of Financial Account Takeovers

In a non-public report, the US Treasury Department says that many bank account hijackings could have been prevented if financial institutions had known to block transactions that came through the Tor network. The Treasury Department’s Financial Crimes Enforcement Network analyzed suspicious activity reports that banks filed between August 2001 and July 2014. [Krebs]

US – Intruders Stole Insider Information to Beat Wall Street

Information thieves used phishing messages to gain access to systems at more than 100 publicly traded companies and stole data about merger discussions, product information, and legal action, which could be used to help inform investment decisions. The majority of affected companies are in the health care and pharmaceutical industries. [Ars Technica] [CNN]


CA – Ontario Passes Legislation That Makes It Illegal to Destroy Government Records

Based on some of the recommendations of the IPC report, Deleting Accountability: Record Management Practices of Political Staff – A Special Investigation Report, the Ontario government yesterday passed Bill 8, The Public Sector and MPP Accountability and Transparency Act. The legislation makes it an offence to alter, conceal or destroy records with intent to deny an access request, with a penalty of up to $5,000. [Information and Privacy Commissioner, Ontario] See also: [AU: Freedom of information laws upheld by two men working from home] See also: [ON: Horwath pressures Liberals about more power for IPC]

CA – PEI: Freedom of Information Should Apply to UPEI, Say Students

‘Public money should equal public access,’ says UPEI Student Union president Lucas MacArthur. Student union president Lucas MacArthur will meet with Premier Robert Ghiz. MacArthur said P.E.I. is the only province in Canada that hasn’t brought post-secondary institutions under the law. The student union has already met with Minister of Labour and Justice Janice Sherry, the standing committee on education, and UPEI administration about freedom of information at the university. MacArthur said UPEI does have a freedom of information office, but it is not accountable to the government and it should be. [CBC News]

CA – Billings By Ontario Doctors Are Secret: Should They Be?

Nineteen physicians billed Ontario’s publicly funded health insurance plan more than $2 million each in 2012-13. But you can’t know who they are. Revealing their names would be an unjustified invasion of privacy, according to the health ministry’s privacy office, which denied that part of a freedom-of-information request from the Star. But the release of physician-identified billing records in the United States earlier this year has reignited a decades-old debate about public disclosure of such information in Ontario. Even the province’s acting information and privacy commissioner has indicated the time may have come to rethink keeping the data under wraps. [Source]


US – Courts Strike Down DNA Collection and Drug Testing Laws

In two separate cases, courts struck down state laws involving the collection of DNA and drug-testing data. A California appeals court ruled the state’s law requiring the collection of DNA from anyone suspected of a felony is unconstitutional. Presiding Justice J. Anthony Kline said, “We conclude that the DNA Act … unreasonably intrudes on such arrestees’ expectation of privacy.” Meanwhile, a federal appeals court ruled Wednesday that a Florida law requiring welfare applicants to submit to drug tests prior to receiving benefits violates the Fourth Amendment. Judge Stanley Marcus wrote, “If we are to give meaning to the Fourth Amendment’s prohibition on blanket government searches” the law “crosses the constitutional line.” [The Associated Press]

Health / Medical

US – Dozens of Federal Agencies Could Get Access to PHI

Under a proposed Federal Health IT Strategic Plan 2015-2020, 38 government agencies would have the ability to collect, share and use the personal health information of U.S. citizens. “While I’m a big fan of NASA, why the heck does NASA need access to my health records?” she asks. “A better question … why the heck does the Bureau of Prisons need to access the health records of non-felons?” The draft plan is still open for public comment until February 6. [NetworkWorld] See also: [Pharma Teaming with Web Biz To Target Prescription Ads] See also: [BC: Privacy probe to investigate medical records faxed to wrong numbers] and [Staffers snooped into 500 patients’ files at Lakeridge Health] AND [ON: Six hospital staff fired for accessing patient files after in-hospital suicide]

US – Research Group Wants HIPAA Amended for Data Use Without Consent

The American Medical Informatics Association (AMIA) says allowing health researchers to access patients’ personal health information (PHI) without their permission could be beneficial. The group’s board chair and vice president of policy and development, Ross Martin, wrote a letter to Rep. Fred Upton (R-MI) suggesting Congress amend HIPAA to allow for increased data-sharing. Martin said exemptions for access to PHI should be made for “observational or data research.” The AMIA letter made recommendations that HIPAA amend the definition of healthcare operations so covered entities and their business associates can be trusted “with the responsibility of conducting research with health data to improve the health of our nation as a whole.” [HealthITSecurity]

Horror Stories

WW – Sony Employees Offered Reprieve by Hackers, with a Twist

The alleged hackers of Sony Pictures Entertainment (SPE) have offered to withhold email correspondences of employees, but only if each employee writes in and asks the hackers. “Message to SPE Staffers,” the hackers’ post states. “We have a plan to release emails and privacy of the Sony Pictures employees. If you don’t want your privacy to be released, tell us your name and business title to take off your data.” Meanwhile, attorneys for SPE are reaching out to publishers, telling them not to report and publish the “stolen data” and to delete what they do have. In an op-ed for The Christian Science Monitor’s Passcode feature, Prof. Evan Selinger argues that publishing hacked emails is a privacy violation. [Re/Code] See also: [Sony Pictures Allegedly Hacking the Hackers] and [SONY Private Key Leaked, Used in PoC to sign malware]

WW – Hack Could Cost Sony $100 million; Employees Mull Class-Action

Fallout from the unprecedented hack and release of massive amounts of information from Sony Pictures continues, with news the attack could cost the company as much as $100 million. Several former Sony Pictures employees who had their personal information disclosed say a class-action lawsuit is in the works. “We’re all worried about our identities, privacy and our families, and Sony so far hasn’t done much to address the situation,” said one former employee. U.S. Federal Bureau of Investigation agents will be on hand at Sony Pictures headquarters this week to advise and update employees on the investigation. Meanwhile, a Ponemon survey of employees of organizations in the U.S., UK, France and Germany found 71 percent have access to data they should not. [Reuters]

US – Sands Casino Network Hit by Cyber Attack

In February 2014, staff at the Las Vegas Sands Corp. noticed things starting to go very wrong very quickly with its computer network. Hard drives at the headquarters of the world’s largest gaming company were being wiped. Early on, Iran was suspected of being behind the campaign, an apparent retaliation for remarks made by casino CEO and majority shareholder Sheldon Adelson. Sands spends millions on security, protecting Adelson and his family, and protecting the company’s assets, but cyber security was lagging. The attackers made their way into one system at a casino in Pennsylvania and eventually worked their way to the company’s Las Vegas servers. When the extent of the attackers’ intended destruction became apparent, the Sands severed itself from the Internet. The attack, which was kept largely under wraps, is similar to the recent attack on Sony Pictures because the perpetrators are seeking not financial gain, but retribution. The attacks are far-reaching, but because they do not pose a threat to national security, the government is unlikely to take action. [BusinessWeek]

US – MA AG: TD Bank Must Pay $625K for Breach

Massachusetts Attorney General Martha Coakley has announced TD Bank will pay a $625,000 fine and must take actions to improve its security practices following a 2012 data breach involving lost backup tapes that contained the personal information of more than 90,000 state residents. According to Coakley, the bank also delayed notice of the incident to her office. Coakley filed an assurance of discontinuance on Monday and in it alleged the bank lost two unencrypted computer server backups that were to be transported by a third party. TD Bank has said there is no evidence the loss of data has led to any fraud or unauthorized access or use. [WCVB] See also: [US: The Case of the $1.7 Million Laptop]

US – Target to Argue No-Harm, No-Foul in Breach Suit

Following a federal court’s ruling to allow a class-action lawsuit against Target to proceed, Bloomberg reports the company plans to use a “no-harm, no-foul” defense based on a 2013 Supreme Court ruling. The high court ruling stated citizens have no basis to seek damages as a result of mass surveillance because they cannot prove they were in imminent danger. Likewise, Target argues that customers were not in imminent danger of identity theft or financial harm, the report states. Meanwhile, the Pennsylvania Superior Court will allow a plaintiff a second chance to certify a class-action alleging Keystone Mercy Health Plan violated the law when it lost a flash drive containing sensitive personal information of approximately 286,000 subscribers, and in California, IKEA is seeking decertification in a ZIP code case. [Source] See also: [7 Lessons from Target’s Breach]

Identity Issues

WW – Tech Alliance FIDO Releases Specifications for Two-Factor Authentication

The FIDO (Fast Identity Online) Alliance, a consortium of high-profile tech companies, has released the first specifications for manufacturers to develop two-factor and biometric authentication systems that will work on different devices. The document addresses two login systems: the Universal Authentication Framework (UAF), and Universal 2nd Factor (U2F). FIDO members will share patent licensing on the developed technologies, which should hasten their adoption. [ComputerWorld] [SC Magazine] [The Register] [FIDO Press Release]

US – City’s New Municipal IDs to Employ Facial Recognition

New York City has hired nearly two dozen investigators and will employ high-tech facial recognition software to deal with security concerns about the new municipal IDs being issued next month. The program is designed to become one of the largest of its kind in the country, the report states, and aims to give undocumented immigrants a chance to participate in the community. Concerns about information being stored in government databases are being addressed by limiting access to only high-level administrators, and law enforcement must obtain warrants to access data. [New York Post] [NYC to Issue ID Cards with Free Benefits to Illegal Aliens] See also: [For Afghans, Name and Birthdate Census Questions Are Not So Simple]

WW – Google Rethinking CAPTCHA

Google is retooling the way it implements CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) authentication to incorporate behavioral information. Google’s new system will ask users to click on a box indicating that they are not robots. The technology takes into account how the user moves the mouse. Google also uses other, undisclosed behavioral information. If the single click is inconclusive, users will be given a traditional CAPTCHA. [Google Can Now Tell You’re Not a Robot With Just One Click] [WIRED] [The Register] [ComputerWorld] [Google Online Security Blog]

Intellectual Property

EU – Police Shutter Websites Hawking Counterfeit and Pirated Products

Law enforcement agencies in Europe have seized nearly 300 domains associated with selling counterfeit electronics and medications as well as pirated movies and music. No arrests have been made yet. [BBC] [Computer Weekly]

WW – The Pirate Bay Offline After Swedish Authorities Seize Servers

Authorities in Sweden have seized the servers of The Pirate Bay in a raid, causing the torrent tracking website to go dark. The site has been taken down before but previously has always returned quickly. This time, the site does not appear to be bouncing back as quickly. One of The Pirate Bay’s founders, Peter Sunde, says he is fine with the site’s disappearance, because he does not like what it has become. Other filesharing sites reportedly also went down on the same day, but it is not clear if the incidents are related. [eWeek] [BBC] [WIRED] [ComputerWorld]

Internet / WWW

WW – Commissioners to App Marketplaces: Make Developers Share Privacy Policies

A total of 23 privacy enforcement partners from across the globe are telling app marketplaces, including Google Play and Apple’s App Store, “to make it mandatory for mobile app developers to post links to privacy policies prior to download if they’re going to collect personal information,” Canada’s Office of the Privacy Commissioner announced. In an open letter to the operators of seven app marketplaces, the data protection and privacy commissioners wrote that many apps that appear to collect personal information do not have privacy policies, “thus removing the ability for individuals to be meaningfully informed when making decisions about the collection, use and/or disclosure of their personal information.” The joint recommendation follows the Global Privacy Enforcement Network’s mobile app privacy sweep. [Source]

US – Think Tank Publishes IoT Guidelines

A Washington think-tank funded in part by corporate backers has published guidelines for collection and use of data gathered via the Internet of Things (IoT). The Information Technology and Innovation Foundation’s (ITIF) Center for Data Innovation published the 10 guidelines in conjunction with a bipartisan event featuring senators who sent a letter in October to Commerce Committee leaders requesting an oversight hearing on IoT, the report states. “We’re hoping that (the principles) will help to direct the conversation in Washington,” said Daniel Castro, a senior analyst at ITIF, adding, the Federal Trade Commission, which held an IoT workshop recently, should focus more on actual scenarios than hypotheticals. [Advertising Age] See also: [IoT, Trust, And The Emerging Market Of One] and [Omer Tene: Customers in the Maze: Ethics Heat Up the Flatirons]

US – Mobile Apps Still Collect Vast Amounts of Personal Data on Kids, Despite FTC Privacy Rule

According to privacy and consumer advocates, more than a year after federal regulators issued privacy rules for kids’ mobile apps, online stores are flooded with software programs that “quietly collect vast amounts of data on the youngest consumers,” including location data and even voice recordings. The FTC expanded the Children’s Online Privacy Protection Act in July 2013 to require app developers to get parental consent before collecting data on anyone younger than 13. “Kids are such a lucrative market, especially for apps,” said the Center for Digital Democracy’s Jeff Chester. “Unfortunately, there are still companies out there that are more concerned about generating revenue than protecting the privacy of kids.” [Associated Press]

WW – BBB: Native Ads Must Comply with Privacy Code

Native advertising, which Mashable previously described as one of the biggest trends in advertising, “must comply with the industry’s privacy code.” That’s the word from the Better Business Bureau (BBB) in a compliance warning that states, “Native advertisements personalized for consumers based on their prior browsing across websites must comply with the Digital Advertising Alliance’s Self-Regulatory Principles for Online Behavioral Advertising (OBA) … Companies involved in interest-based native ads are responsible for meeting all the requirements of the OBA principles, just as they would be with respect to any other” ads based on interest. The BBB also advised web publishers “must provide ‘enhanced’ notice when data about visitors is used to serve them native ads on other sites,” the report states. [MediaPost]

EU – In-Car Emergency Systems Will Meet Privacy Concerns

A proposal that would mandate all cars in the EU have automatic emergency calling systems has been approved after meeting privacy concerns. The “eCall” system would allow cars to automatically call emergency services after an accident. The system needs to transmit sensitive data, including location information, which has many concerned about their privacy being violated. However, a deal has been reached addressing such concerns. “The new rules will ensure that eCall works only as a safety device,” said MEP Olga Sehnalova, rapporteur on the issue, adding, “It will be illegal to use it to track a driver’s movements or to misuse location data, which must be sent only to the emergency services.” [PCWorld]

Law Enforcement

UK – UK Police Not Receiving Adequate Cyber Crime Training

According to a survey of UK police intelligence analysts, British police are not receiving adequate training to equip them with what they need to know to fight cyber crime. Just 30 percent of respondents said they felt they had the necessary skills to deal effectively with cyber crime. [Independent] [PA Consulting] See also: [SSK: Police chief says privacy practices sometimes too restrictive] and [Spotting terrorist behaviour online is harder than finding child abuse images] and [RCMP accidentally sent woman’s assault complaint to media]

UK – Child Abuse Database Containing Millions of Images to Launch

Data taken from tens of millions of child abuse photos and videos will shortly be used as part of a new police system to aid investigations into suspected paedophiles across the UK. The obscene material was seized during previous operations. The project, called the Child Abuse Image Database (Caid), will be launched by the Prime Minister at an internet safety event on Thursday 11 December. But one expert warned its success depended on it being properly staffed. [Source] See also: [Ottawa firm’s emergency response portal could help first responders]

US – Body-Worn Cameras Seem Imminent and So Do Privacy Concerns

Just one year ago, the idea of police officers wearing body cameras seemed novel. But within the past few months, big cities including Washington, DC, Los Angeles and New York have been piloting programs. After the events in Ferguson, MO, it’s no longer a question, the report states. “The body camera is here to stay,” said one privacy law expert. President Barack Obama proposed earlier this week to reimburse communities half the cost of buying cameras and storing video, which prompted privacy questions regarding when officers should turn cameras on and off, how to store the massive amount of data and how long to keep the footage. [The Washington Post] See also: [Body cameras: Can they reduce confrontations with police?] and [Data from wearable devices could soon land you in jail]

US – New York Flags 278 Gun Owners as Mentally Unstable

New York State’s tough new SAFE Act gun control law has flagged 278 gun owners who could lose their weapons because they have been deemed mentally unstable, a new report shows. Gov. Andrew Cuomo urged lawmakers to pass the SAFE Act quickly after the 2012 mass shooting at the Sandy Hook elementary school in Newtown, Conn. Since the law’s enactment, the state has collected 38,718 names in a database of individuals who have been found at-risk for owning guns by psychiatrists and other health professionals. The paper said when the database was checked against a list of pistol permit holders in the state, there were 278 matches, less than 1 percent. [The Syracuse Post-Standard]


WW – IAPP Resource Center: Location Data Privacy Guidelines

The Location Forum, in partnership with the IAPP, is now offering IAPP members free access to its Location Data Privacy: Guidelines, Assessment and Recommendations through the IAPP Resource Center. These guidelines were developed by the forum to bring attention to critical issues and provide a framework for developers, managers, marketers and executives to follow. They aim to help organizations understand the potential risk areas related to location privacy and offer a risk assessment scorecard as well as transparency recommendations that provide a comprehensive overview of the business, technology and user issues associated with handling location data. (IAPP member login required) See also: [AU: Mental health group questions using tracking devices on patients]

US – Lyft Cofounder Says Company “Open” to Privacy Options

Lyft Cofounder John Zimmer says the company “is ‘open’ to considering any options to increase people’s privacy.” That’s after Sen. Al Franken (D-MN) wrote to the company earlier this week criticizing it for allegedly allowing employees to track users’ locations. Zimmer said, “If you look at our company and our company’s values and the way we operate internally, we’ve always respected users’ privacy.” He added that, in recent weeks, the company has upgraded its policy to limit the number of people who can access information about a customer’s ride and that he’s open to working with Franken. [The Hill]

US – Senator Franken Unhappy With Uber Response

Sen. Al Franken (D-MN) is unhappy with the answers he received from rideshare service Uber about its privacy practices, saying the company lacked details and, in some cases, avoided answering questions altogether, PCWorld reports. “Quite frankly, they did not answer many of the questions I posed directly to them,” he wrote in a blog post. “Most importantly, it still remains unclear how Uber defines legitimate business purposes for accessing, retaining and sharing customer data. I will continue pressing for answers to these questions.” [PC World] See also: [Franken Turns Attention From Uber to Lyft]


TW – Gov’t Probe Reveals Smartphones Violate Privacy Law

A regulatory agency of the Taiwanese government has found 12 smartphone makers violate the region’s privacy rules. A two-month-long probe revealed some of the smartphones collect user data without consent while others contain “imperfections” that do not meet the law. Taiwan National Communications Commission Vice Chairman Hsiao-Cheng Yu said the agency’s report will be released in the coming weeks and the government will ask the phone makers to modify their handsets to comply with the privacy standards or face monetary fines or bans on their products. [Reuters] [UK: Rory McIlroy ‘wiped important data from electronic devices’, court is told]

Online Privacy

WW – Hackers Are Getting Personal Information Easier Than Before: Symantec

In the mobile app world, when hackers want access to personal information, they simply need to ask for it. That’s according to a recent survey by Symantec of more than 6,000 smartphone users globally that found many are willing to forgo privacy for free entertainment. Symantec is aiming to change that by implementing its “App Advisor” functionality to preemptively scan apps for privacy issues and alert users of the necessity of app permissions in real time prior to the download process. “When you download an app, the term ‘free’ rarely comes without a cost,” said Symantec’s product manager of mobile applications, James Nguyen, adding it’s good for users to think about whether the data they’re giving up is worth the trade-off. [Computer Dealer News] [Norton] [Safe Practices] [Infographic] See also: [Zuckerberg admits Facebook deserves criticism for how it handles its privacy messaging] and [That privacy notice you’re posting to Facebook? It won’t work]

WW – Google to Develop Products Aimed at Kids

Beginning next year, Google plans to create specific versions of its most popular products for users age 12 and under. Kids under 13 have typically been off-limits to tech companies. “We expect this to be controversial, but the simple truth is kids already have the technology in schools and at home,” said Google’s vice president of engineering, adding, “So the better approach is to simply see to it that the tech is used in a better way.” The move follows other recent “kid-centric efforts,” including Google’s virtual Maker Camp, Doodle 4 Google competition and Made with Code initiative, the report states. [USA Today] See also: [Managing Your Online Presence after Death]

US – Online Curriculum Helps Teach Kids About Privacy, Security

The New York Times reports on the increased use of technology by children in the classroom and at home and on how McAfee has teamed up with Discovery Education to unveil a free online curriculum to teach children about online privacy and safety. The program, thinkbeforeyoulink.com, is aimed at children between the ages of eight and 11 and uses interactive scenes that children may come across in the real world—such as sites asking them to share their addresses or the names of their schools. The program, co-developed by McAfee CPO Michelle Dennedy, also teaches children about cybercriminals and how they use personal details to get into their parents’ bank accounts or place harmful software on computers. [The New York Times]

WW – Kickstarter Campaign Results in Facebook Alternative

NPR reports on Diaspora, a nonprofit social network born out of a New York University (NYU) computer lab. Four undergrads were given “a global commission to rebottle the genie of personal privacy” after they were granted $200,000 thanks to a Kickstarter campaign. Jim Dwyer wrote a book, More Awesome Than Money, on the NYU grads’ creation of Diaspora, which aims to resist “the surveillance economy that underwrites so much of what goes on online.” [NPR] See also: [Facebook Swipe At Apple On Privacy Is The Real News]

WW – Twitter Improves Tools for Users to Report Harassment

Twitter has always prided itself on being a forum for free speech, even if that speech is vile and hateful. So it has tread more carefully than other public message services when it comes to blocking users that spew abuse at others. It didn’t even have a button for reporting abuse until July 2013, shortly before it sought to raise money from the public through an initial stock offering. Now, after numerous cases involving vile language and threats of rape or death made to Twitter users — and slowing use of the service — the company appears to have a new approach. It wants to do more to make Twitter an appealing place to hang out online. The company has announced new tools to make it easier to report harassment, which will be gradually introduced this month to its 284 million active users. In particular, Twitter intends to simplify the forms that a user has to fill out to report abuse, especially for mobile users, who have been forced to navigate a clunky interface. The company will also encourage bystanders to report abuse they witness, which will improve the ability of Twitter’s safety team to respond quickly and fairly. [The New York Times]

Other Jurisdictions

HK – Hong Kong’s First Prison Sentence Under the Personal Data Ordinance

The Hong Kong Privacy Commissioner for Personal Data (PCPD) announced that a former insurance agent has received a prison sentence in respect of offences under the Personal Data (Privacy) Ordinance (the Ordinance). This case is important in that it marks the first custodial sentence being imposed pursuant to the Ordinance. [Source] See also: [‘Right to be forgotten’ on the Internet gains traction in Japan]

AU – ANZEN Privacy News Roundup

Privacy (US)

US – Judge: NSA Should Have Unlimited Collection Ability

The NSA should have an unlimited ability to collect digital information in the name of protecting the country against terrorism and other threats, said a federal judge at an event in Washington, DC. Judge Richard Posner of the U.S. Court of Appeals for the Seventh Circuit said, “I think privacy is actually overvalued,” adding, “Much of what passes for the name of privacy is really just trying to conceal the disreputable parts of your conduct.” Meanwhile, The Intercept reports on Snowden documents indicating the NSA plans to “secretly introduce new flaws into communications systems so that they can be tapped into,” with an operation codenamed AURORAGOLD. [PCWorld]

US – Court Demands More Info on Secret Spying Program

A federal judge ordered the federal government to provide more detail on a “mysterious” law enforcement database that sparked the investigation of a man charged with violating the trade embargo against Iran. The U.S. government maintains that Homeland Security investigators did not spy on defendant Shantia Hassanshahi using the National Security Agency’s bulk telephony metadata program, which collects individuals’ phone calls and records. But Hassanshahi argues that the government used the mass surveillance program, or at least something like it, to access telephone records that helped secure his arrest. [Source]

US – FISMA Reform to Make DHS More Efficient; FBI Calls for Data-Sharing Laws

Phyllis Schneck’s job as deputy undersecretary at the Department of Homeland Security (DHS) should get easier when President Barack Obama signs the Federal Information Security Management Act (FISMA) reform legislation that passed Congress this week. For example, after the Heartbleed bug threatened IT systems earlier this year, Schneck’s team had to get permission from other federal agencies for DHS to scan their IT systems to check for vulnerabilities. FISMA would allow DHS to do so without permission. Meanwhile, FBI officials are calling for updates to the Computer Fraud and Abuse Act and for new laws to allow data sharing on threats. [BankInfoSecurity] See also: [White House silent on privacy debate]

US – FCC Settles TV Station Investigation for $35,000

The Federal Communications Commission (FCC) has settled an investigation of a television station licensee. Newport Television LLC, former licensee of KTVC Salt Lake City, will pay a $35,000 civil penalty to settle an investigation “involving the station’s recording and broadcast of a person’s telephone conversation as part of a news segment without first telling the person that the call was being recorded and would be broadcast,” the report states. Doing so was a violation of the FCC’s Telephone Broadcast Rule. “We hold broadcasters to high standards and will ensure that they fully respect the privacy rights of consumers,” said the FCC’s Travis LeBlanc. [TVNewsCheck]

US – Supreme Court to Hear Online Free Speech Case

Beginning today, the Supreme Court will hear a landmark case about threats on the Internet. In Elonis v. U.S., Anthony Elonis claims threats he wrote about his wife and coworkers on his Facebook page weren’t meant to be taken seriously. Elonis was jailed for the posts, which has First Amendment advocates worried about free speech rights. But the government and others say making a threat is a crime itself, despite intent. [The Hill]

US – Oregon AG Calls for Student Privacy Bill of Rights

Oregon Attorney General Ellen Rosenblum has called on the state’s legislature to adopt legislation that would prevent the collection and sale of student information to third-party advertisers. She said current law is outdated and does not appropriately protect personal information. “We essentially need a consumer bill of rights so that people know what their rights are online,” she said, adding, “There’s great things about technology, but we have to inform the people; we have to inform parents and the kids so we can be protected better online as well as offline.” [TNS]

US – Ad Company Agrees to Pay $750K for Violations

An online advertising company has agreed to pay $750,000 to six states for bypassing some users’ privacy settings. PointRoll, owned by Gannett, has agreed to the settlement with New York, New Jersey, Connecticut, Florida, Maryland and Illinois for going around users’ Safari privacy settings to place cookies to track user behavior. “Every company is expected to play by the same set of rules: No one should have to fear a business is violating their privacy by bypassing personal settings on their computers or mobile devices,” said New York AG Eric Schneiderman. [Bloomberg]

US – FTC Settles with Medical Billing Provider, Former CEO for Deceptive Data Collection

The FTC has settled with a medical billing provider and its former CEO for misleading “thousands of consumers who signed up for an online billing portal by failing to adequately inform them that the company would seek highly detailed medical information from pharmacies, medical labs and insurance companies.” In complaints against PaymentsMD and former CEO Michael C. Hughes, the FTC alleged the patient portal provided a means by which sensitive health information could be acquired. “Consumers’ health information is as sensitive as it gets,” said FTC Bureau of Consumer Protection Director Jessica Rich. “Using deceptive tactics to gain consumers’ ‘permission’ to collect their full health history is contrary to the most basic privacy principles.” [FTC] [FTC: Online billing service deceptively collected medical records]

US – Union Files Charge Against USPS Over Breach

Following its data breach that may have compromised the personal data of approximately 800,000 employees, the USPS is now facing a new problem. After employees were notified of the breach in November, the American Postal Workers Union filed an unfair labor practice charge with the National Labor Relations Board alleging the USPS violated the National Labor Relations Act, which “requires an employer to bargain in good faith with the union representing its employees.” The USPS failed to provide the union with an opportunity to bargain over the impacts of the breach on employees, the charge alleges. [The National Law Review] and [Breach Delays USPS Financial Report]

US – White House Weighs Drone Integration and Privacy

The next few weeks may determine how drones will be integrated into U.S. airspace. The White House Office of Information and Regulatory Affairs is reviewing the Federal Aviation Administration’s (FAA) sUAS rule as well as privacy issues, while the FAA is set to publicly release its rules for drones weighing less than 55 pounds. The rules will include requiring operators to have licenses and limiting flights. The White House is also creating an executive order on privacy issues. Columnist Gregory McNeil writes, “If small drone businesses want to have a voice, they will need to work with experienced professionals individually or organize and hire someone to represent their views collectively.” [Forbes] See also: [US: Private drone market threatens our privacy]

US – PCLOB Budget Could Double Under Proposed Spending Bill

A proposed spending bill released on Tuesday could more than double the current budget of the Privacy and Civil Liberties Oversight Board (PCLOB). The PCLOB has been busy during the last year, examining various U.S. intelligence surveillance programs to determine whether they are legal and have proper oversight. Under the proposed bill, the PCLOB budget would increase from $3.1 million to $7.5 million next year. The additional funding “will enable the PCLOB to pursue its mission without delay,” Senate Democrats said in a summary of the bill. [The Hill]

US – Groups Allege Candy Contest Violated COPPA, Ask FTC to Investigate

Earlier this year, the company behind popular candy Ring Pop, Topps Company, ran a contest called #RockThatRock, inviting users to post photos on Facebook, Twitter and Instagram of themselves wearing the candy ring and using the hashtag. The winning photos were featured by a pop-rock band popular with preteens and teens. Some of the photos posted on the brand’s Facebook and Twitter pages used contestants’ social media names and some showed teenage girls—and younger—in provocative poses. Now, 10 advocacy groups have asked the FTC to investigate Topps Company, alleging it violated COPPA by using names and pictures of children under 13. [The New York Times]

US – CA’s First “Revenge Porn” Conviction

A man has been sentenced to one year in jail for violating California’s newly enacted “revenge porn” law. Noe Iniquez, after breaking up with his girlfriend, posted topless photos of her on her employer’s Facebook page in an attempt to get her fired. Previously, such actions were outside the reach of law, but now they are a misdemeanor crime. “We are breaking ground in California on an issue that is affecting people around the country,” said California AG Kamala Harris. Prof. Mary Ann Franks notes the law still needs tweaking, explaining, “it requires that the victim demonstrate that she suffered serious emotional distress, which is unnecessary, burdensome and potentially requires the victim to expose even more of her private life to the public eye.” [Los Angeles Times]

US – VPPA Case Dismissed

A potential class-action lawsuit against ESPN for allegedly violating the Video Privacy Protection Act (VPPA) has been dismissed by a federal judge. U.S. District Court Judge Thomas Zilly said the court papers did not contain enough facts to back up claims the company disclosed a plaintiff’s name to a third party without his consent. Zilly said the transmission of “anonymous” data—in this case, the serial number of plaintiff’s Roku device—to Adobe for data analytics is not a violation of the VPPA. Zilly added, “Even if Adobe does ‘possess a wealth of information’ about individual consumers, it is speculative to state that it can, and does, identify specific persons as having watched or requested specific video materials.” [MediaPost]

US – PwC Releases Report on CMO’s Role in Privacy

PricewaterhouseCoopers has released a report on the role chief marketing officers (CMOs) play in privacy. The report notes that, traditionally, privacy has not been on the radar of many CMOs, and asks whether CMOs are familiar with their organizations’ privacy policies. “Do you know who leads privacy aspects for your organization?” the report asks, adding, “Once that area was the sole realm of the chief privacy officer or the general counsel; now it’s time for CMOs to take a more active role in managing and protecting consumers’ data.” [Source]

US – Other Privacy News

Privacy Enhancing Technologies (PETs)

WW – Quantum Security for Passports and Credit Cards?

Researchers in The Netherlands are proposing what they believe will be a way “to make it impossible for criminals to forge passports, ID cards or credit cards.” University of Twente researchers have developed a way to authenticate documents “using principles derived from quantum physics,” the report states, noting each card is painted with “a thin white strip of nanoparticles” and when the card is issued “a laser fires tiny bundles of light into it, which bounce around like pinballs among the nanoparticles, creating a unique pattern that is all but impossible to copy.” However, the report states, such cards “could still be stolen and used. That is why Pinkse envisions that the method will likely be used in combination with others, such as biometrics.” [CNBC] See also: [Change all of your passwords at once with Dashlane] and [Should we expect every messaging app to offer full privacy?]


CA – 60% of Canadian Businesses Don’t Have a Security Strategy: Report

According to new research from Cisco, Canadian businesses are not equipped to respond to security threats within their networks. The study, which combines the views of Canadian businesses and consumers about security at work, also found there are discrepancies between the preparedness of large and small businesses. [canadiansecuritymag.com] SEE ALSO: [Canadian firms seeing fewer data breaches – why that could actually be bad]

US – Cybersecurity Guidance Predicted to Include Coverage for Third Parties

It now seems likely new cybersecurity guidance expected from federal banking regulators in 2015 will include recommendations for investments in cyber-insurance. The December 10 New York State Department of Financial Services notice to New York banking institutions on expanded IT examination procedures specifically notes state banking regulators expect to see policies related to cybersecurity insurance for not only the bank but also any third parties with which the bank works. That move could foreshadow federal expectations for banking institutions by the Federal Financial Institutions Examination Council, the report states. [BankInfoSecurity] and [A Boost for Cybersecurity Policy Analysis: $45 Million in Grants to Support 3 Universities’ Initiatives]

US – Another Large Retail Breach; Another Push for Cyber-Threat Sharing Bill

Thieves have stolen credit and debit card data from Bebe Stores, Inc., a nationwide chain of women’s clothing stores. While officials for Bebe have not responded to requests for comment, various banks have reported a pattern of fraudulent charges on customer credit cards that had all been used previously at a Bebe store. Meanwhile, major retail and financial industries came together to press Congress to pass legislation that would allow industry to exchange cyber-threat information with the government. [KrebsOnSecurity]

WW – Credit Cards, Healthcare Data on Hackers’ Hit List For 2015: Experian

It seems like there were headlines highlighting yet another data breach almost every week in 2014. Bad news for sure, and what’s worse is that we haven’t heard the last of them yet. So what’s in store for data breaches in 2015? Turns out cybercriminals will still be after credit card data – but that’s no surprise, given criminals always look for the ultimate payload, which is usually financial data they can use to their advantage. Yet what’s also striking is that they’ll be eyeing healthcare data as well, according to Experian, a global information services group providing consulting services in finance, security, and regulatory compliance. [Source]

US – Privacy Issues Stall Newborn Screening Bill

A bill that would support newborn screening nationwide has stalled in Congress because some Republican senators have privacy concerns about genetic research funded by the legislation. The senators won’t comment individually, but the Senate Steering Committee has indicated it wants a provision added to the bill to require parental consent before genetic research and genomic sequencing could be done on a child’s newborn screening sample. [Milwaukee Journal Sentinel]


US – ISP Sues Gov’t Over Gag Order

A small Internet provider is challenging the Justice Department concerning a 10-year-old gag order served by the FBI for the company’s customer records. The now-defunct Calyx Internet Access first sued the FBI in 2004 for being served warrantless National Security Letters. In a lawsuit filed on Thursday, Calyx Founder Nicholas Merrill, who now runs the Calyx Institute, argued the U.S. government, in placing a permanent gag order on a case that is now closed, has violated his First-Amendment rights. “It’s really long past due that we have an open and public discussion about how warrantless searches are being used against Americans,” Merrill said. [The Washington Post] See also: Meanwhile, a 2006 memo indicates former President George W. Bush’s administration told a secret court it was justified in spying on communications without warrants to prevent terror attacks, according to a legal memo released recently, and new reports indicate UK Government Communications Headquarters hacked Belgium’s largest telecommunications provider, Belgacom. See also: [Canadian Telcos Want to Build Surveillance-Ready Networks] and [UK Lawyers’ bid to protect client talks from spies] and [The unstoppable rise of the global surveillance profiteers]

US – Senator Argues Against Back Doors for Government

Noting that a back door placed in software and electronic communication devices to allow government access is also a back door that could be exploited by entities with malicious intent, US Senator Ron Wyden (D-Oregon) has proposed legislation that would prohibit government agencies from requiring back doors in digital products. [The Register] [Wyden’s Op/Ed in LA Times]

US – CA Sheriff Could Have State’s First Authorized Drones

Alameda County Sheriff Gregory Ahern formally announced Wednesday that the county has acquired two drones. With Federal Aviation Administration approval, which could come next year, it could “become the first law enforcement agency in California to deploy an authorized drone,” the report states. County citizens had “vociferously” opposed the agency’s proposed acquisition of the technology. “The reason for specifically acquiring this is search and rescue,” Ahern said. A representative from the Electronic Frontier Foundation, however, said, “The sheriff has done nothing to address the concerns expressed by the community at the February 2013 hearing.” The sheriff’s office has released a new draft order, but privacy advocates worry the language in the draft lacks substantial privacy safeguards. [Ars Technica] see also: [India: Police Drones To Patrol Delhi Streets After Alleged Uber Rape]

EU – BND Says it Can Spy on Citizens if They Work for Foreign Entity

German intelligence agency BND claims it has the authority to spy on German citizens if those citizens work for a foreign organization. German law forbids intelligence agencies in that country to spy on German citizens, but BND claims a loophole in this case for communications attributed to the foreign employer. [Ars Technica]

WW – Using Surveillance to End the Impunity of Oppressors

The words “hidden camera” raise privacy red flags immediately, but for Oren Yakobovich, head of the human rights organization Videre, privacy concerns take a back seat to exposing the atrocities of oppressive regimes. Arming activists with micro-cameras, Yakobovich “uncovers, verifies and publicizes human-rights abuses that the world needs to witness.” In his recently released TED Talk from a conference in Rio, he outlines how he came to a life of turning the idea of surveillance on its head. [YouTube] See also: [Automakers Working To Gain Consumer Trust on Smart Cars] and [Car Insurers Promise Discounts If Big Brother Watches You]

Telecom / TV

WW – Blackphone to Open Privacy-Focused App Store

Makers of the anti-surveillance Blackphone are set to unveil a privacy-focused app store and the ability to run separate operations for private and pseudonymous accounts and applications. The new app store will be released in January and will feature apps approved by Blackphone. Plus, the privacy-focused smartphone will roll out a new feature, called Spaces, in the phone’s operating system that allows for separate and varying levels of privacy and security. “The addition of Spaces and the Blackphone app store is the most significant update to PrivatOS since its inception,” Blackphone CEO Toby Weir-Jones said. “We are delighted to have developed the Silent Space, alongside Graphite Software, who share our core values of privacy and security.” [GigaOM]

US – Law Firm Faces Class-Action for Text Message Violations

A law firm is facing a putative class-action lawsuit for allegedly violating the Telephone Consumer Protection Act. Pullin Law Firm allegedly sent text messages to an unknown number of users to generate business. The case could be a signal to law firms to avoid such marketing tactics. According to the complaint, “In a misguided effort to offer legal services to financially vulnerable consumers, Defendant engaged in an invasive and unlawful form of marketing: the unauthorized transmission of advertisements in the form of ‘text message’ calls to the cellular telephones of consumers throughout the country.” The suit seeks a minimum of $500 per violation. [Law360]

US Government Programs

US – NSA Surveillance Practices Create Trade Barrier

Paul Nemitz, a director in the European Commission’s Justice Department who is tasked with leading the overhaul of the EU data protection law, has said the law allowing the U.S. National Security Agency’s surveillance practices “is a real trade barrier to a European digital company to provide services to Americans inside America.” Nemitz’s concern is that “U.S. citizens are deterred from using European email providers because they do not get the same protection as they would by using U.S. providers.” Meanwhile, a Council of Europe report states, “Unless the U.S.A. improves compliance with international human rights standards in its activities that affect the Internet and global communication systems, the movement towards such a truncated Internet will be difficult to stop.” [Reuters] See also: [US: Congress Passes Bill Giving Police Unlimited Access to Citizens’ Private Communications]

US – DoJ Creates Unit to Fight Cybercrime

U.S. Assistant Attorney General Leslie Caldwell has announced the Department of Justice is creating a dedicated cybersecurity unit within the department’s Computer Crime and Intellectual Property Section. The unit was formed in response to significant crimes like the “cyberheist campaign last year (that) caused $45 million in losses in a matter of hours,” the report states. “Prosecutors from the Cybersecurity Unit will provide a central hub for expert advice and legal guidance regarding the criminal electronic statutes for both U.S. and international law enforcement conducting complex cyber investigations to ensure that the powerful law enforcement tools are effectively used to bring the perpetrators to justice while also protecting the privacy of everyday Americans,” said Caldwell. [eSecurity Planet]

US Legislation

US – FISMA Now Awaits President’s Signature

A cybersecurity bill that will change the way federal agencies respond to and manage data breaches has now passed both houses of Congress and awaits President Barack Obama’s signature. The House of Representatives approved the Federal Information Security Modernization Act (FISMA) a day after the Senate did the same. FISMA authorizes the Office of Management and Budget to set federal information security policies and requires the Department of Homeland Security to help implement the policies. Senate Homeland Security and Governmental Affairs Committee Chairman Tom Carper (D-DE) said, “This bill will modernize our outdated federal network security laws, provide the tools and authorities needed to improve security at our federal agencies and increase transparency and accountability for data breaches at federal agencies.” [The Hill] [Senate Approves Bill To Help Federal Agencies Avoid Data Breaches]

US – Outlook for State Data Security Laws: More than Breach Notification

Forty-seven states have breach notification laws on the books, at least 31 have data destruction or disposal laws, 12 have imposed broad data security requirements and a few more have more granular laws. “Is data security legislation coming to a state near you?” Delving into New York’s proposed A 10190, the team suggests “the bill may be a harbinger of legislation to come, with potentially significant implications for corporate security and compliance resources and budgets.” [Hogan Lovells for Privacy Tracker]

US – Legislative News Roundup

Workplace Privacy

WW – Employers’ Use of IoT: The New Panopticon?

Employers are increasingly using Internet of Things (IoT) technology to monitor and measure employee productivity and movements, but the University of Illinois’ Jerome McDonough suggests the technology allows for “a new form of panopticon for employees,” calling the trend “very troubling.” Courts have traditionally granted broad rights to record employees while at work, but the growing use of IoT gives unprecedented surveillance capabilities to employers. “The law is very slow to react,” said University of Denver Prof. Corey Ciocchetti, who predicts “it’s only getting worse for employees.” [San Jose Mercury News] See also: [NZ: Credit union admits privacy breach: The head of a credit union in Napier has admitted the company breached the privacy of a former employee by taking a private Facebook image and distributing it to employment agencies.]

US – Background Check Practices Prompt Lawsuit, Questions

A putative class-action filed in a New Jersey federal court alleges Michaels Stores violates state and federal consumer protection laws by burying disclosures alerting job applicants the company will procure background checks on them during the application process. A woman filed the suit last week claiming Michaels only tells prospective employees it will obtain background checks by a disclosure at the end of its written and online job applications, the report states. Meanwhile, the strength of car service Uber’s background checks on drivers has come into question. [Law360]

US – How Much Access to PII Do Your Employees Have?

In response to several stories during the last year about employee access to intimate details they shouldn’t have—from the NSA employees using “surveillance to collect data on love interests” to an Uber employee tracking a reporter’s location, 29 tech companies, including social networks, fitness trackers and dating sites, were asked 10 questions about their internal privacy policies for accessing user data. Of those questioned, “only 13 responded,” the report states, and of the 10 that provided comment, responses ranged from serious to “boilerplate” commentary. “All told, the collective responses offer a complex and, in many cases, unsettling survey of the current data privacy landscape.” [Buzzfeed]


16-30 November 2014


CA – Privacy Czar Doesn’t Get Chance to Testify on CSIS Powers

Federal Privacy Commissioner Daniel Therrien has flagged concerns about legislation to broaden CSIS’s foreign spying powers, saying the Conservatives’ bill does not include adequate safeguards against possible future human rights violations, or enough oversight. But the Conservative-dominated committee studying the bill swiftly wrapped up testimony without accepting Therrien’s request to appear. In fact, over the objections of opposition MPs and civil libertarians who wanted to testify, no more witnesses will be called. [Windsor Star] See [CBC News: Privacy Commissioner Daniel Therrien has warned senators “that the increased police powers proposed in the government’s cyberbullying and Internet surveillance bill need to be matched with ways of tracking their use.”] and [Geist: Choosing Between Privacy and Cyberbullying: My Appearance on Bill C-13 Before the Senate Legal and Constitutional Affairs Committee] [The Supreme Court of Canada dismissed the appeal of a BC man who says his rights were violated when the RCMP handed over the results of wiretaps to U.S. authorities]

CA – Privacy Commissioner Signs MOU on Cooperation

The purpose of this Memorandum of Understanding is to set out a framework to support federal/provincial collaboration and co-operation. The Memorandum of Understanding will allow the OPC, OIPC AB and OIPC BC to share information between offices for the following purposes: to assess jurisdiction and transfer complaints as necessary; to evaluate whether or not investigations or complaints relate to the same or similar matters in order to assess whether or not a parallel or joint investigation is appropriate; to conduct parallel or joint investigations; and otherwise to assist in the conduct of an ongoing or potential investigation of a complaint or, where applicable, audit. [Source] See also: [Privacy and Access Council of Canada (PACC): The overall privacy landscape in Canada]

CA – Alberta Considers Privacy Amendments Allowing Union Intrusions

The Alberta Legislature is considering privacy legislation amendments giving unions considerable scope to collect and disclose personal information. The amendments, which have already been endorsed by the Privacy Commissioner of Alberta, respond to a 2013 Supreme Court of Canada decision striking down the province’s Personal Information Protection Act. The province has until April 30, 2015 to remedy the constitutional deficiencies before the decision takes effect. If the legislation is passed, trade unions will be able to collect, use and disclose personal information without consent when the purpose is to inform the public about a matter of significant public interest or importance relating to a labour relations dispute involving the trade union; the collection, use or disclosure is reasonably necessary for the purpose; and it is reasonable to collect, use or disclose the personal information without consent for that purpose, taking into consideration all relevant circumstances, including the nature and sensitivity of the information. More changes may be in the offing as PIPA requires a review of its provisions as of July 1, 2015. [Financial Post] and [AB: Union says province’s privacy act changes ignore spirit of top court ruling] See also: [AB: Opposition want Alberta’s Privacy Commissioner called in after phone bill leak]

CA – Canadians Growing Concerned Over Internet Privacy, Poll Shows

Canadians are growing more wary about their privacy on the Internet, according to a new survey commissioned by the Centre for International Governance Innovation. The poll found that nearly 70% of Canadians are worried about hackers stealing their banking information or personal messages and photos. The same percentage of Canadians reported they’re concerned about private companies tracking their Internet usage and attempting to monetize their information. More than half (52%) reported that they’re concerned about government and law enforcement authorities monitoring their Internet activity. The poll comes as the governing Conservatives are moving two controversial pieces of legislation on Internet monitoring and information sharing through Parliament. Bill C-13, introduced in the name of cyberbullying victims, gives private companies legal immunity for handing over their users’ personal information to authorities. [Source]

CA – FB Info Sharing Created Zoosk.Com Dating Profile for Married Woman

Online privacy advocates say current legislation fails to protect Canadians’ privacy online. Last January, Mari Sherkin, married for 25 years, says she got a pop-up ad on Facebook from Zoosk.com. “I didn’t know what it was,” she said. “So I clicked on the X to close it. At least I thought I did.” She says that within minutes, she started getting messages in her Facebook inbox from men. “‘A Zoosk member wants to meet you,’ [it read]. I was absolutely unaware of what was going on. So I opened it and found out — unbeknownst to me — Zoosk had created a dating profile for me.” Sherkin says she was horrified to see the dating profile, which used her Facebook photo, her name and her postal code. And Mari isn’t the only one. There are many similar complaints online from women who say they have no idea how a dating profile was created for them on Zoosk. Zoosk Victims is just one of the Facebook pages that feature dozens of complaints about the dating website and how it creates profiles. Graham Williams, a Vancouver-based technology expert, points to what is known as an “open authentication protocol” — or OAuth — where people often unwittingly share personal information with third-party websites. “This open authentication scheme is used by Facebook, it’s used by Google, it’s used by Twitter. And it is basically saying to users out there — you don’t want to have to remember 100 different passwords or 100 different log-ins, so we’re going to let you log in with your Facebook credentials.” So, by logging in with Facebook, for example, you automatically agree to share your private information with other websites. [Source]

CA – Fitbit Data Now Being Used in the Courtroom

A Calgary-based law firm is currently working on the first known personal injury case using data gleaned from a client’s Fitbit, Forbes reports. The client in question was once a personal trainer, but because of an accident four years ago, the lawyers want to demonstrate with the device that her physical activity levels are below that of her age and profession. McLeod Law’s Simon Muller said the data will “back up what she’s been saying.” The report notes what is “intriguing” and “a little creepy” is such cases could make it possible for such data to be used in prosecutions as well. Muller added, “Insurers will want it as much as plaintiffs will.” [Forbes] See also: [Canada: The Fitbit detectives that could be using your data in court]


US – Are Consumers’ Privacy Expectations Hypocritical?

Two reports focus on consumer expectations of privacy and the trade-offs provided by smart technology. CNet looks into Amazon’s newest product, Echo, and its lack of a privacy policy. The virtual assistant is voice-activated and gets smarter with continued use. One consumer said the product is “a bit creepy, but I’d totally use one in my classroom,” adding he understands businesses make money off him by using his data. “It’s a trade-off,” he said. A report for The Guardian questions whether the Internet has turned consumers into hypocrites, noting people worry about their privacy but happily share their personal information online, leading columnist John Naughton to ask, “could it be that what we’re getting is not the Internet we say we want but the Internet we deserve?” [CNET]

US – Pew Internet Survey Reveals Privacy Policies Misunderstood

The Pew Center for Internet and American Life released a new survey to shed light on the average consumer’s “Web IQ,” or their digital literacy. Questions included identifying famous leaders of technology companies, such as Bill Gates and Sheryl Sandberg, and basic digital meanings, including whether a kilobyte is larger than a megabyte. Notable, however, was a general lack of understanding by consumers about what a privacy policy protects. More than half of the respondents said they thought it was true that privacy policies ensure “that the company keeps confidential all the information it collects on users.” Hayley Tsukayama wrote, “But that is not at all what privacy policies do; in fact, they are generally there to tell you exactly how companies are not keeping your data confidential and how they’re sharing your information with their partners.” [Pew Internet Research]

US – Public Perceptions of Privacy and Security in the Post-Snowden Era

The Pew Research Foundation has released its Public Perceptions of Privacy and Security in a Post-Snowden Era based on a survey of U.S. adults, noting, “Across the board, there is a universal lack of confidence among adults in the security of everyday communications channels—particularly when it comes to the use of online tools.” Justin McNaughton asks whether the post-Snowden perceptions of privacy will change the way consumers and organizations treat privacy policies. With the U.S. Federal Trade Commission cracking down on violations and recently releasing guidance, McNaughton offers some things to address in your company’s policy. Meanwhile, the makers of the game Fruit Ninja will soon update its privacy policy to better inform consumers of its practices. [Mondaq Report]

US – Studies Offer Insight on Breach Response Times, Consumer Fears

A study from FireEye shows the average time it takes organizations to detect a breach is 229 days. The report states one reason for the lengthy timeframe is that two-thirds of organizations find out about a breach through a third party, and it recommends data minimization and proactive issue spotting to hasten the process. A separate study has found that 23% of consumers plan to do less online shopping due to privacy concerns and 64% believe they will be the victim of a breach within the next year. [BankInfoSecurity]

US – Home Depot Spent $43 Million on Data Breach In Just One Quarter

Home Depot has announced it is facing at least 44 civil lawsuits and “investigations by a number of state and federal agencies” related to its breach earlier this year, which, it says, “may adversely affect how we operate our business, divert the attention of management from the operation of the business, and result in additional costs and fines.” [Ars Technica] [Source]

Electronic Records

US – ClassDojo Revises Data Deletion Policy

Student behavioral tracking app ClassDojo has announced it will change its data deletion policy and now retain records on students for one year, according to The New York Times, which recently ran a story on the privacy concerns related to this app and others like it. “We are not a data company. So we have no need to keep any data beyond allowing it to be communicated between teachers, parents and students,” said Sam Chaudhary, the cofounder of ClassDojo. The new deletion policy directly addresses concerns about the possibility of sharing student data with third parties; however, the debate over use of the app also touches on its ability to publicly display behavior scores and parents’ ability to access them. [The New York Times]

US – ClassDojo Sparks Privacy Concerns

ClassDojo and other apps that help teachers “automate the task of recording classroom conduct” and “communicate directly with parents” are raising privacy concerns. ClassDojo is being used in roughly one out of three U.S. schools, the report states, and “some parents, teachers and privacy law scholars say ClassDojo, along with other unproven technologies that record sensitive information about students” are being adopted without fully considering “the ramifications for data privacy and fairness, like where and how the data might eventually be used.” [Source]

US – Law Firm Releases 8,000 Students’ Info

Meanwhile, Seattle Public Schools is seeking the U.S. Department of Education’s after a law firm contracted with the school department released the personal information of 8,000 students receiving special education services. [Seattle Times]


WW – Internet Architecture Board Calls for Default Encryption

The Internet Architecture Board (IAB) has issued a statement calling for encryption to be the standard across the web, saying it “now believes it is important for protocol designers, developers and operators to make encryption the norm for Internet traffic.” The IAB also said default encryption at all levels of the Internet “will help restore the trust users must have in the Internet.” [IAB Statement on Internet Confidentiality]

US – AT&T Stops Using Undeletable Phone Tracking IDs

AT&T has stopped its controversial tracking program that assigned undeletable identification numbers to its mobile customers’ online activity. Verizon has said it will continue its program, but added, “as with any program, we’re constantly evaluating.” Though it has put the brakes on its “Relevant Advertising” program, an AT&T spokeswoman said, “we could have one in the future.” [ProPublica]

US – Case Suggests How Government May Get Around Phone Encryption

The U.S. Department of Justice is using a novel legal maneuver to get around smartphone encryption by using a law created in 1789 called the All Writs Act. In October, prosecutors convinced a Manhattan-based federal magistrate to order an unnamed phone maker to provide “reasonable technical assistance” for unlocking an encrypted cell phone. The All Writs Act gives courts broad authority to carry out their duties such as this, the report states. Stanford University Center for Internet and Society Civil Liberties Director Jennifer Granick said, “It’s part of what I think is going to be the next biggest fight that we see on surveillance as everyone starts to implement encryption,” adding, “Does this mean you have to do something to your product to make it surveillance friendly?” [The Wall Street Journal] See also: [Privacy groups have sent a letter to the National Institute for Standards and Technology calling for encryption standards that are “free from back doors or other known vulnerabilities” | Letter]

WW – WhatsApp Adopts End-to-End Encryption

In what is being called the largest implementation to date, messaging service WhatsApp has announced it will now bring end-to-end encryption to its 600 million users. The new security feature will be included in the company’s latest security update for Android. Open Whisper Systems, which has helped develop the feature, said it will take time to get it out to all of its users, but Android will be the first mobile platform to receive it. [Gizmodo] WhatsApp has upped its encryption game to offer better protection for messages sent from Android devices running the app. The change means that WhatsApp will not be able to decrypt users’ messages. The encryption system WhatsApp has chosen to use encrypts messages from the time they leave one device until they arrive at the recipient’s device. [v3.co.uk] [NBCNews] [SCMagazine] [Ars Technica]

US – EFF Launches Certificate Authority

The Electronic Frontier Foundation has announced the unveiling of Let’s Encrypt, a certificate authority it plans to launch in 2015 in conjunction with Mozilla, Cisco, Akamai, IdenTrust and University of Michigan researchers. The initiative seeks to help transition the web from HTTP to encrypted HTTPS. Let’s Encrypt will offer free encryption services to any website.

EU Developments

EU – A29 to Google: Forget the .Com Links, too

Just as Google announced new capabilities for users to monitor the devices that are accessing their Google accounts, the Article 29 Working Party in the EU has released a new set of guidelines that runs contrary to Google’s current compliance with the so-called “right to be forgotten” court decision. As recounted from the DPC stage last week, Google has been removing references to specific people only on its country-specific URLs, like those with .de for Germany or .es for Spain. However, the new guidelines from A29 say web sites should apply the right to be forgotten to all domains, including Google.com. “The court says the delisting decision has to be effective,” A29 Chair Isabelle Falque-Pierrotin told the WSJ. “These decisions should not be easily circumvented by anybody.” [The Wall Street Journal] SEE [Guidelines on the implementation of the Court of Justice of the European Union judgment on “Google Spain and inc v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González” c-131/121] and Out-Law.com: The European Parliament’s Civil Liberties, Justice and Home Affairs Committee has said the Court of Justice of the EU’s decision on the Data Retention Directive needs to be reviewed “before they agree to a new EU Passenger Name Record Directive”

EU – EU Considers Binding Powers for Privacy Regulators

Italy, which currently holds the EU presidency, has issued a new proposal that would give a new body of European data protection authorities “the power to adopt legally binding decisions in cross-border disputes over a company’s misuse of personal data.” The so-called European Data Protection Board would be an alternative to the controversial “one-stop-shop” proposal that has divided member states and slowed the reform process. Some governments, the report states, are concerned, however, that the process will get more complicated by allowing multiple authorities to intervene in a case. [Reuters] See also: [UK: Look out: That data protection watchdog can bite] [The proposed EU General Data Protection Regulation will be finalized in 2015] The Dutch data retention legislation will remain in place, despite an EU court ruling earlier this year that struck down the associated EU directive.

EU – Giovanni Buttarelli Named New Data Protection Watchdog

The next European Data Protection Supervisor (EDPS) will be Giovanni Buttarelli, Parliament’s President Martin Schulz announced. His Assistant Supervisor will be Wojciech Rafal Wiewiórowski. Messrs Buttarelli and Wiewiórowski were listed as Parliament’s top candidates for the two posts after hearings in the Civil Liberties Committee on 20 October. [Source] See also: [60 things European legislators don’t want Canada to learn about air passengers] [RTE News: The Irish government is seeking “the support of the European Commission in a legal battle involving the U.S. federal authorities and tech giant Microsoft.”] and [U.S. Federal Trade Commissioner Julie Brill and Article 29 Working Party Chairwoman Isabelle Falque-Pierrotin discussed Safe Harbor at the IAPP Data Protection Congress.]

UK – Phone Data of 1,700 Murdoch Staff Probed

Scotland Yard has examined the mobile phone records of more than 1,700 journalists, lawyers and staff working for News UK, it emerged last night. In a major breach of privacy laws, Vodafone handed over data from phones belonging to journalists, lawyers, secretarial staff and senior executives working for The Times, The Sunday Times and The Sun newspapers between 2005 and 2007 to the Metropolitan Police. Detectives working on Operation Elveden, which is investigating alleged payments by journalists to ‘public officials’, requested data last October from the phone of one reporter who had been arrested. But when the telecoms giant mistakenly disclosed a mass of staff phone records, police held onto the material for seven months despite requests to return it. It is feared that the data could have compromised confidential journalistic sources. Detectives conducted an analysis of the records and built a spreadsheet listing outgoing calls made from 1,757 phones, even though they knew the information relating to innocent journalists had been passed on improperly. The data breach is now being investigated by the privacy watchdog bodies, the Information Commissioner (ICO) and the Interception of Communications Commissioner’s Office (IOCCO). The latter, which is also investigating police use of surveillance powers against journalists, said the case was of ‘very significant concern’ and it has urged the publisher News UK to take up the matter with the Investigatory Powers Tribunal. The case comes amid concerns about the extent to which police use surveillance powers under the Regulation of Investigatory Powers Act (Ripa) against journalists and their sources. [Source]

Facts & Stats

WW – Nearly a Billion Records Were Compromised in 2014

In the first nine months of 2014, after 1,922 confirmed incidents, criminals managed to compromise 904 million records. Many of the incidents reported in 2014 were record setting, including twenty of them that resulted in the compromise of more than a million records each. According to data given to CSO Online by Risk Based Security, nearly 85% of the records exposed in the first nine months of this year were due to hacking (external influence), accounting for 74% of the reported incidents. Another lesson learned this year centers on keeping all of one’s eggs in a single basket. As mentioned, twenty incidents reported in 2014 exposed one million records or more in each instance, but three of them resulted in the compromise of a combined 489 million records. [Source] Untangling Breach Loss Liability: Target says that it is not liable for losses incurred by banks as a result of the retailer’s massive breach during the holiday shopping season a year ago. Five of the banks that issued the compromised cards – there were at least 40 million card numbers affected – have filed a federal lawsuit against the company. Target’s legal team said that the company is not liable for the banks’ losses because payments are processed by third parties. [Ars Technica] [Insurance Journal]

US – Colleges Finding Less Damaging Material Online

A poll of 403 undergraduate admissions officers by Kaplan Test Prep indicates fewer “are finding online material that could derail a student’s chance of admission, even though an increasing number of college admissions officers consider the public social media accounts of applicants as fair game.” Of those polled, 35% indicated they had visited applicants’ social networking pages, up 9% from 2012, but those who found “information online that had hurt a student’s application” had dropped from 35% in 2012 to 16 percent in the most recent poll. “Students are more aware that any impression they leave on social media is leaving a digital fingerprint,” said Kaplan’s Seppy Basili. [The New York Times]


EU – French ‘Right to be Forgotten’ Decision Takes Link Removal Beyond Europe

A recent decision by a French court that relied on the European ‘right to be forgotten’ has landed Google’s subsidiary there with a €1,000 per day fine unless it stops linking to a defamatory article. The case involved Dan Shefet, a lawyer who sued Google in France last August to counter a “defamation campaign” aimed at his firm, which he details here. He won a court order for Google to remove certain URLs on a worldwide basis; however, the search company only took them down from google.fr and, according to Shefet, ignored subsequent demands based on that order. Shefet told The Guardian that the court’s decision means that people in any EU country may obtain an injunction against their local Google subsidiary if they want a result that can only be completed by the parent company. Previously, if the complainant wanted a result removed from google.com, they would need to sue Google in the US since Google Inc controls the search engine worldwide. “Until now a subsidiary could not be legally forced under the threat of daily penalties to deliver a result which was beyond its control.” [Source] [Google Removal Tool] and See also: [Doxxing defense: Remove your personal info from data brokers] [Google’s advisory council meetings on the RTBF led to more questions than answers] and also: [Office of the Privacy Commissioner of Canada contacts search engine over individual’s complaint]


WW – PCI SSC Hopes Emerging Tech Will Help Thwart Breaches

As “one of the worst ever” years for data security nears its end, CSO reports the Payment Card Industry Security Standards Council (PCI SSC) hopes emerging technologies will help prevent future breaches. PCI SSC International Director Jeremy King said, “We hope to get better. Unfortunately, the criminals are getting better.” As of January 1, organizations must be compliant with PCI-DSS 3.0, the report states. Meanwhile, a “brightening economic picture spurred more people to buy homes and renovate them,” resulting in gains for Home Depot and easing concern the retailer’s recent breach “would scare customers away,” The New York Times reports. In a blog for ComputerworldUK, Forrester Analysts discuss privacy as a competitive differentiator, suggesting data can “be the downfall for an organization when improperly handled or lost.” [PCI Council] ALSO: [Financial Sector Terrorism Threat Grows] and [The Consumer Financial Protection Bureau has finalized a rule allowing financial institutions to post their annual privacy notices online rather than having to mail them to customers individually]


UK – Highest Court Urged to Overturn Decision to Allow Royal Correspondence to Politicians to Be Released

Seven justices at the Supreme Court in London are hearing the latest round of a lengthy legal dispute over disclosure of the royal correspondence. The Attorney General, the Government’s principal legal adviser, is challenging a decision by three Court of Appeal judges earlier this year that he has unlawfully prevented the public seeing the letters. In March they unanimously ruled that he has “no good reason” for using his ministerial veto and overriding the decision of an independent tribunal, chaired by a High Court judge, in favour of disclosure. In 2005 Guardian journalist Rob Evans applied to see a number of written communications between Charles and various government ministers between September 2004 and April 2005. [Source]

Health / Medical

US – How Worried Are Americans About Their Health Information?

To what degree are American citizens concerned with the privacy of their personal health information? According to the NPR-Truven Health Analytics poll, “in general, worries don’t run very high.” Nearly 75% of those surveyed have doctors who use electronic health records, but only 14% had privacy concerns with their hospitals. Additionally, two-thirds of respondents said they were willing to share health data with researchers as long as it was de-identified, the report states. [NPR]

US – Government Storing Baby Blood Data Raises Privacy Concerns

The Nafkes of Apex have two healthy daughters, and their girls are among the millions of children already screened. Both of their results came back perfectly normal. But it’s what the government is doing with your child’s DNA after the children are screened for diseases that is raising ethical concerns. The Nafkes had no idea that DNA left over from their daughters’ newborn screening tests, called dried blood spots, is stored in a government facility for up to five years in North Carolina. [Source]

US – Providers Vindicated in Patient Privacy Case

A California Superior Court sided with Prime Healthcare Services and Shasta Regional Medical Center in a civil case over an alleged violation of patient privacy rights. The healthcare providers accurately contended that “the patient had implicitly waived her privacy rights” when, at the behest of the United Healthcare Workers West union (SEIU-UHW), she had agreed to share her medical information from Shasta Regional with the media. General Counsel Troy Schell commented the suit was “part of SEIU-UHW’s malicious corporate campaign against the company and hospital,” adding the providers are committed to protecting patient rights. [PR Newswire release] see also: [BC: Privacy breach at Island Health leads to dismissals] and [A recent Connecticut Supreme Court ruling may offer a way for individuals to bring claims against healthcare providers and others who engaged in activities that violate HIPAA].

CA – NL: Western Health Privacy Breach Court Decision Favours Plaintiffs

The Supreme Court of Newfoundland and Labrador has decided that a group of patients who had their health information inappropriately accessed by a Western Health employee have grounds to continue with a class action lawsuit against the health authority. The legal action was launched in light of the privacy breaches involving Donna Colbourne, a clerk at Western Memorial Regional Hospital. She was fired from her position in 2012 after she allegedly inappropriately accessed patient files while on the job. Those who had their health information accessed applied for certification of a class action law suit. The application was divided into two stages, with the first stage determining whether the pleadings disclosed a cause of action and whether the proposed class was identifiable. In his decision, Goodridge agreed that the pleadings disclosed a cause of action. He said the proposed class, as long as it was limited to the 1,043 people known to be affected, would be identifiable and acceptable for certification purposes. The civil action is still not certified at this stage. The determination of whether the action is appropriate for certification has been deferred until completion of the second stage of the application. [Source] See also: [UK: Pharmacist Fined for Spying on Friends’ Medical Records]

Horror Stories

CA – Canada Tax Agency Breach Reveals Info of High-Profile Citizens

A Canada Revenue Agency spreadsheet was mistakenly sent to CBC News revealing the value of tax credits granted to hundreds of high-profile Canadians. The likes of author Margaret Atwood and former Prime Minister Jean Chrétien were affected by the detailing of tax-deductible donations of items like manuscripts, fine art and other items of value to non-profit organizations, along with home addresses and the value ascribed to the donation. One affected party donated a Rubens work valued at $200 million. It was an erroneous response to a request for unrelated records under the Access to Information Act. Revenue Minister Kerry-Lynne Findlay told the CBC it acknowledges the breach and has notified the House of Commons and the privacy commissioner, along with affected parties. [CBC News] See also: [How sweet it isn’t: Godiva notifies employees that stolen laptop held their data] and [NZ: Error exposes carparkers’ details] See also: [No data breached in City of Ottawa website hack, mayor says]

US – Beth Israel to Pay $100,000 Fine for 2012 Breach

Beth Israel Deaconess Medical Center will pay a $100,000 fine for a 2012 data breach that exposed sensitive personal information of nearly 4,000 patients. Massachusetts Attorney General Martha Coakley said the organization failed to follow data protection policies and to appropriately notify those affected, as required by law. Beth Israel Chief Information Officer John Halamka said they have worked “to ensure that (the hospital) adopts state-of-the-art security policies and technologies,” adding, “Every device we purchase is encrypted before it is used, and every employee must attest on an annual basis that his or her personal devices are also encrypted.” Meanwhile, a server containing sensitive personal information of 48,000 Visionworks’ customers may have been compromised, and a breach hit approximately 10,000 public school employees. [The Boston Globe] See also: [ON: Rouge Valley hospital clerk charged with misusing confidential patients records]

US – Lawyer: $1.4M Judgment Sets National Precedent

The Indiana Court of Appeals has upheld a $1.4 million verdict for a Walgreens customer whose prescription information was provided to a third party in what the attorney who argued the case is calling “a national precedent.” Attorney Neal Eggeson said this marks the first time a healthcare provider “has been held liable” for Health Insurance Portability and Accountability Act (HIPAA) violations committed by employees. Meanwhile, emerging trends in healthcare privacy and security mean that “risks have upped the ante for HIPAA security and privacy officers and increased fines have many on edge.” [Indianapolis Business Journal]

US – Breach May Have Compromised SSNs; Courts Asked to Amend Lawsuits

Thomson Reuters is notifying subscribers to Westlaw of a data breach that may have compromised their Social Security and driver’s license numbers, as well as other personal information. Individuals are thought to have used valid subscriber login information to infiltrate the public records database and conduct unauthorized searches. Meanwhile, CNN wants a federal judge to dismiss a lawsuit claiming the company’s iPhone app violates the Video Privacy Protection Act, and Community Health Systems and its subsidiaries have asked an Alabama judge to dismiss portions of a proposed class-action related to its recent data breach, saying that few injuries are described. [InfoDocket]

WW – Sony Pictures Security Breach

Sony Pictures is in digital lockdown while it investigates a breach in which intruders reportedly stole more than 200MB of data and defaced employees’ workstations. Sony Pictures staff are being asked to disconnect computers and personal devices from the network and to shut down virtual private networks (VPNs). [The Register] [NextGov]

Identity Issues

US – Who’s Anonymous Now? KKK Members Losing Their Digital Hoods

As a grand jury prepares to deliver the outcome of its investigation, things are again heating up in Ferguson, MO, where this summer’s racially charged events prompted hacktivist collective Anonymous to use PII as a weapon against those who would harm the city’s protestors. Jedidiah Bracy examines the cyber-war Anonymous has declared on the Ku Klux Klan (KKK) by disclosing its leaders’ personal information and conducting cyber-attacks against its websites. “The KKK has always operated under a hood, fueled by hatred. Remaining anonymous, ironically, has been important for its members,” Bracy writes. While even 10 years ago the techniques Anonymous is using to fight discrimination would not have been possible, the control of PII is a powerful, double-edged sword in the Digital Age. [Source] See also: [Ottawa: Hackers pledge more attacks] See also: [New Tricks to Deanonymize Tor Users] San Francisco Chronicle: a federal appeals court has barred California from enforcing a law that would require more than 70,000 registered sex offenders to disclose their Internet identities to police

WW – A New Service Will Help You Wrest Your Online Identity from Google

A new group called Indie Hosters is looking to remedy the potential privacy concerns of using your favorite social network or search provider as your login for “countless other services across the net.” Now in its earliest stages, Indie Hosters aims to provide web identities that its users control. “So far, there are only two members of the network, the project’s founders Michiel de Jong and Pierre Ozoux. But they hope more hosts will join them,” the report states, noting the pair has “launched a crowdfunding campaign to work on building the tools and network to make that happen.” [Wired] See also: [5 Web Cookie Myths Exposed] The Wall Street Journal: A new report from the Information Technology and Innovation Foundation states the EU’s cookie notification policy costs billions of euros per year and offers few benefits.

Internet / WWW

WW – UN Panel Approves Anti-Bulk Surveillance Resolution

A UN panel has approved a resolution prompting the General Assembly to call on member nations to respect and protect digital privacy. The draft, called “Right to privacy in the digital age,” was sponsored by Brazil and Germany and would mostly be considered a symbolic move by the UN. The new resolution also included a mention of protecting metadata in the context of digital surveillance, the report states. Ambassador Harald Braun, Germany’s permanent representative to the UN, said, “This means that human rights obligations of states also apply when they use private companies for surveillance purposes.” [PC World]

Law Enforcement

CA – AG: Police Need Better Data on Criminals Returning From Abroad

An audit of government efforts to support the fight against transnational crime found Foreign Affairs, Trade and Development Canada does not notify the RCMP because of restrictions in the Privacy Act and Charter of Rights. Police can gain access to the information when it clearly relates to criminal investigations, or when the public interest outweighs any invasion of privacy from disclosure. Still, of 34 such requests in 2010-14, only 17 were met. [Source]

ON – Hamilton Police Launch Online Crime Mapping Tool

Hamilton police have launched a crime mapping tool that allows residents to search when and where certain types of crimes have happened in the city. The new tool, which was introduced at the monthly Hamilton Police Services Board meeting, tracks the following types of crimes for the past 60 days: The crimes are posted with a one-day delay. To protect victims’ privacy, crime locations are randomly offset, and addresses are mapped to the block level. For example, 123 King St. becomes 1xx King St. In addition to the mapping feature, the tool is also equipped with basic analytical features that show crime density, crime type by day of the week and other trends. Residents can set up crime alerts to receive email and text notifications of crimes in their chosen areas. An iPhone app is also available for this purpose. A new feature will also be added soon to allow residents and businesses to register their security cameras to help police build a database of cameras and turn them into law enforcement tools. To help residents navigate the new tool and its features, police have posted a tutorial video on YouTube. Hamilton is the second police agency in Canada to work with the company for the mapping service. London, Ont., police have been using the mapping tool for less than a year, according to the presentation. [Source]

US – State AG: Cops Don’t Need to Ask Permission to Use Body-Cams

Washington Attorney General Bob Ferguson says police do not have to ask permission to use body cameras to record their interactions with the public in most circumstances. Ferguson said citizens must assume interactions with on-duty police are public and so officers are under no obligation to turn off body cameras even when asked, the report states. Ferguson added that citizens have the same right to film uniformed police officers in public. Ferguson referred to the Supreme Court opinion recognizing that “a conversation between a police officer and a member of the public that occurs in the performance of the officer’s duties is not private.” [The Seattle Times]


US – Will Rideshare Incident Prompt Location Privacy Law?

Some are calling it “the gaping hole in the nation’s privacy laws” for protecting users’ location information. “Right now we protect health data, we protect financial data, we protect kids’ data, but location isn’t protected,” said Georgetown University Center on Privacy and Technology Executive Director Alvaro Bedoya. “As long as a company is not deceiving you about how they’re using the data, they can pretty much do whatever they want.” In response to last week’s news that Uber may have misused some of its users’ data, Uber competitor Lyft has changed its internal privacy policies to limit employee access to user data. The company said it has implemented “tiered access controls.” [The Hill] [Uber touts “strict” privacy rules, but terms suggest broad access] [U.S. Senator Al Franken questions Uber’s privacy policies]


Online Privacy

WW – Yahoo to Honor DNT in Firefox; Tweets Become Searchable

Mozilla has announced Yahoo will now be the default search engine in its Firefox browser for users in the U.S., but other search options will continue to be available, according to a blog post by the company. As part of the partnership, Yahoo agreed to honor the Do-Not-Track option for U.S. customers using Firefox but will not do so for users of other browsers. “We will now focus on expanding our work with motivated partners,” Mozilla writes, “to explore innovative new search interfaces, content experiences and privacy enhancements across desktop and mobile.” Meanwhile, Twitter has announced it will make every public tweet since 2006 available to search, raising privacy concerns for some who may have posted regrettable content in the past. [Mozilla Blog]

WW – Group Launches Transparency Index Tool

Digital rights organization Access has announced the release of its Transparency Reporting Index, a tool designed to help users “see whether their favorite app or service discloses user data and to learn about corporate policies on government demands for data and disruptions.” According to Access, “Transparency reporting is one of the strongest ways for technology companies to disclose threats to user privacy” and can help educate the public about government access to user data. The tool includes a list of companies that have issued transparency reports and links to them. [Source] [Doxxing defense: Remove your personal info from data brokers]

UK – Owner Shuts Down Webcam Website

Following calls from data protection authorities (DPAs), the owner of a Russian-based website connecting to tens of thousands of webcam streams has shut it down, BBC News reports. The site, which at one point connected to more than 73,000 webcams using default password settings, prompted concerns from DPAs in the UK, Canada and others. UK Information Commissioner Christopher Graham said, “If we can take one lesson away from this experience, it is that default passwords do not provide protection from the threats that exist in the modern world.” Foscam’s Chase Rhymes said, “An analogy best describing this would be just because someone leaves their window open it does not give permission for an unauthorized individual to set up a camera outside their window and broadcast the feed worldwide.” [BBC] See also: [The Big Data Security Risks Of Little Things] [Australia, Canada, UK and China weigh in on Insecam privacy issue] See also: [Algorithms Are Great and All, But They Can Also Ruin Lives] and [Public Health Surveillance and Privacy in the Age of Ebola]

WW – Image Search, Analysis Emerge as Powerful Tools, Privacy Threat

The rise in smarter image systems, including recent technology called neural net artificial intelligence (AI), is raising some personal privacy concerns. Neural net AI allows computers to understand what is occurring in a given picture—for example, recognizing that a boy is throwing a Frisbee to a dog. “Combine this technology with facial recognition,” the article states, “and anyone with access (which will be everyone) will be able to search the web for people doing things or involved with or associated with some activity.” Combined with mass photo surveillance, such technology could present equally positive and negative uses. “Love it or fear it,” the article adds, “this technology is happening now.” [eWeek] See also: [Toronto police considering facial recognition software to identify suspects]

WW – Facebook Tests Buy Button, Tweaks Basic Privacy Settings

Starting January 2015, users of social networking giant Facebook may be able to buy things online—and, hopefully, have more control over what they share. Facebook said these tweaks are contained in its terms and policies, as well as in its newly rolled out Privacy Basics. Also, Facebook will continue to improve ads based on the apps and sites people use off Facebook and expand users’ control over the ads they see. “Privacy Basics” is a how-to guide on the new features and controls available to Facebook users. Updates to Facebook policies include:

  • Discover what’s going on around you: Facebook explains how it gets location information depending on the features users avail of.
  • Make purchases more convenient: in some regions, Facebook is testing a Buy button that helps people discover and purchase products without leaving Facebook.
  • Find information about privacy on Facebook at the moment you need it: moving tips and suggestions to Privacy Basics. Facebook’s data policy is shorter and clearer, making it easier to read.
  • Understand how Facebook uses the information it receives.
  • Users’ information and advertising: Facebook will continue to help advertisers reach people with relevant ads without telling them who its users are. [Source] See also: [Social media terms of service may be trumped by Canadian law]

Privacy (US)

US – FTC Settles With TRUSTe

The FTC announced a settlement with privacy seal provider TRUSTe on charges the company “deceived customers about its recertification program for company’s privacy practices, as well as perpetuated its misrepresentation as a nonprofit entity.” FTC Chairwoman Edith Ramirez said, “TRUSTe promised to hold companies accountable for protecting consumer privacy, but it fell short of that pledge … Self-regulation plays an important role in helping to protect consumers. But when companies fail to live up to their promises to consumers, the FTC will not hesitate to take action.” In a blog post, TRUSTe CEO Chris Babel wrote, “we take very seriously the role we play in the privacy ecosystem” and that both issues raised by the FTC have been addressed. [FTC] [FTC says firm that offered online privacy certificates didn’t check compliance]

US – FTC: Two ‘Tech Support’ Firms Tricked Customers Out of $120 Million

The Federal Trade Commission announced that it has temporarily shut down two telemarketing operations that, the agency alleges, were dedicated to tricking customers into buying fake technical support. The agency announced action against two separate operations, both based in Florida. One case includes charges against the makers and sellers of software called “PC Cleaner”; the other names companies doing business as Boost Software Inc. and OMG Tech Help. The FTC says the two companies have cheated consumers out of $120 million. [Source]

US – FTC Denies AgeCheq COPPA Verifiable Parental Consent Method

After a window for public comment and review, the FTC has denied AgeCheq, Inc.’s application for its proposed Children’s Online Privacy Protection Act (COPPA) verifiable consent method. In a letter to AgeCheq, the FTC stated that the company’s proposed method “incorporates methods already enumerated in the (COPPA) Rule …” AgeCheq recently proposed another verifiable consent method that is currently open for public comment. [FTC]

US – Judge Dismisses Some Claims in Apple Class-Action

U.S. District Judge Lucy Koh “dismissed some but not all claims in a class-action accusing Apple of intercepting and failing to deliver text messages sent from iPhones to non-Apple cell phones” that alleged Apple violated the Stored Communications Act, the Electronic Communications Privacy Act and California’s unfair competition and consumer laws. Meanwhile, a class-action has been filed against Jimmy John’s Gourmet Sandwiches following a breach involving customers’ credit and debit cards, and a New Jersey woman has filed a suit against a law firm “that works with debt collection agencies for putting her account number on the collection notice sent to her home.” [Courthouse News Service] and [US: Judge threatens detective with contempt for declining to reveal cellphone tracking methods]

US – CNN Wants Video Privacy Case Thrown Out

CNN is asking a federal judge to dismiss a lawsuit alleging that the company’s iPhone app violates a federal privacy law by sending information about users’ devices to the analytics company Bango. The company argues in papers filed on Friday that any information transmitted to Bango is “anonymous” and doesn’t personally identify users. CNN argues that the federal Video Privacy Protection Act – a 1988 law that prohibits video rental companies from disclosing consumers’ personally identifiable information – doesn’t apply when companies transmit device identifiers. “The history of the VPPA and recent case law confirm that a random numerical string associated with an electronic device is outside the VPPA’s scope,” CNN argues. “No court has accepted the contention that a number that identifies a device (e.g., a computer, tablet, modem, set-top-box or phone) constitutes PII.” The lawsuit, filed this February by Illinois resident Rick Perry, centers on allegations that CNN sends Bango information about the clips that iPhone users watch, along with their 12-digit Media Access Control addresses. A similar lawsuit against Dow Jones was dismissed in October. In that matter, U.S. District Court Judge Thomas Thrash, Jr. ruled that an Android ID isn’t personally identifiable information. The consumer who sued, Mark Ellis, is appealing that ruling. [Source]

US – Other News

US – Legislators Seeking Answers on Breaches

Senate and House Democrats have sent letters to 16 financial institutions seeking information on recent breaches. Those receiving letters from Sen. Elizabeth Warren (D-MA) of the Senate Banking Committee and Rep. Elijah Cummings (D-MD) of the House Oversight and Government Reform Committee included banks and investment firms. “The increasing number of cyber-attacks and data breaches is unprecedented and poses a clear and present danger to our nation’s economic security,” Cummings and Warren wrote. Meanwhile, Staples has said it is not yet “reasonably” able to estimate the costs it will incur in connection with last month’s breach. [Reuters]

Privacy Enhancing Technologies (PETs)

WW – New Product Aims to Ease Data Transfer

IBM has patented a design for a privacy engine that it says will “eventually enable businesses to aggregate international requirements for data transfers on individual projects and flag any cross-border privacy issues.” The engine, still in its infancy, will also ease data-sharing between private clouds. IBM Chief Privacy Officer Christina Peters says the invention “provides a privacy technique that helps businesses navigate an increasingly complex compliance landscape of regulations to help companies avoid unknowingly sharing data that could put their business at risk.” [ZDNet]

WW – Detekt Lets You See If Somebody’s Watching Your Computer

Detekt is a free tool released by a coalition of privacy and civil liberties groups including Amnesty International, Electronic Frontier Foundation, Privacy International and Germany’s Digitale Gesellschaft. Detekt is designed for those who might be targets of government scrutiny, including journalists and human rights advocates and looks for spyware that “might be collecting emails, listening to Skype video calls, observing through a computer camera or even monitoring keystrokes to determine passwords and Internet activity,” the report states. The coalition cautioned there are few regulations “to safeguard against these technologies being sold or used by repressive governments or others … for serious human rights violations and abuses.” Meanwhile, NameRemoval.com recently launched to provide “robust powerful privacy and reputation management services to businesses and individuals.” [The Hill]

WW – Yik Yak Raises $73M

Anonymous messaging app Yik Yak has closed a $62 million round of financing led by a venture capital firm. The total amount raised in three rounds is about $73 million. The app allows users to chat anonymously with one another based on location. [IAPP]


WW – Small Biz Thinks Workers Are Weak Cybersecurity Link

In a new report from security firm CloudEntr, 77% of Internet technology managers at small- to medium-sized businesses say employees are their biggest security concern. “The employee factor is huge,” said one executive. “For most companies it’s the single biggest exposure point.” Another survey finds companies plan to increase spending on cybersecurity budgets by $2 billion over the next two years. Meanwhile, the U.S. State Department shut down its unclassified computer network over the weekend due to concerns it was hacked. In a column for The Hill, former Minnesota Gov. Tim Pawlenty writes that “notifying customers of a problem after it occurs does not prevent the problem … Legislation is also necessary to ensure businesses are held to a higher standard” for protecting customer information. [CNBC] and [10 security mistakes that will get you fired] [The National Institute of Standards and Technology has released draft guidelines to help organizations share information about cyber-attacks]


UK – DPAs Warn About Webcam Website

A website connecting to more than 73,000 unsecure webcams has gotten the attention of data protection regulators around the world. They are warning the public about the site and asking its operators to shut it down. UK Information Commissioner Christopher Graham said he aimed to “sound a general alert,” to warn the public “there are people out there who are snooping.” Graham said the baby-monitor webcam access is “spooky,” adding, “But after all, it is the responsibility of the parents to set a proper password if you want remote access.” The ICO’s Simon Rice also wrote a blog post today about the site. [BBC News] and [AUS: Topless neighbour’s drone picture prompts calls for privacy law overhaul]

US – AT&T Wants Warrants from Law Enforcement for Location Data

An amicus brief filed by AT&T states that law enforcement may need to obtain warrants prior to accessing user cell phone data. The brief was filed in a federal appeals case and asks courts to set a clear standard of what type of approval law enforcement must get to obtain user data. Meanwhile, responding to reports that law enforcement is accessing cell phone data from airplanes, [The Wall Street Journal]

US – Franken Wants Answers on Airplane Spying

Sen. Al Franken (D-MN) wants more information about the programs from U.S. Attorney General Eric Holder. “While I understand that law enforcement agents need to be able to track down and catch dangerous suspects, this should not come at the expense of innocent Americans’ privacy,” wrote Franken.

US – Markey: Auto Privacy Principles Don’t Go Far Enough

Sen. Edward Markey (D-MA) says he plans to investigate the automotive industry’s privacy and security practices and will release the findings. The statement comes a week after a coalition of automakers issued a privacy pledge. Markey said the principles “represent an important first step toward protecting the information collected by modern technology in our cars … However, the proposed principles fall short in two key areas: choice and transparency.” The senator said, in addition to releasing his findings, “I will call for clear rules - not voluntary commitments - to ensure the privacy and safety of American drivers is protected.” The Future of Privacy Forum has released a paper exploring connected cars and privacy. [Source] See also: [Car Camera Network Could Produce Virtual Maps of Pedestrians] and [US: #HappyTracksgiving: How your travels are tracked this holiday season]

Telecom / TV

US – Secret US Technology Said to Intercept Cellular Communications

Fake cell phone signal receivers on airplanes gather cell traffic in a secret government program, a new report reveals. The next time you use your cell phone in a crowd, the US Marshals may be listening in. The way it works is through a specialized box affixed to an airplane flying overhead, according to a report from The Wall Street Journal. That box is designed to trick mobile phones into communicating with it, sending all sorts of information through the air and into the device. And innocent Americans are just as likely to have their information collected as anyone else. The Justice Department, which houses the Marshals Service, did not immediately respond to a request for comment. [Source]

US – Judges Require Stricter Rules for Stingray Use

Law enforcement agencies in Pierce County in Washington state must now specify when they will use stingray technology in their investigations and must also swear in the affidavit that they will not retain data belonging to people who are not the target of the order. The 22 Pierce County Superior Court judges have approved a new requirement for law enforcement agencies “… requir[ing] language in pen register applications that spells out [that] police intend to use the [tracking] device.” [Ars Technica] [SC Magazine] [The News Tribune]

UK – Bill Would Expand Law Enforcement Access to Internet User Information

UK home secretary Theresa May is expected to propose a bill that would require companies to provide law enforcement agencies with information about the identities of people using computers and mobile devices. The bill would require service providers to retain data that links users to devices based on IP addresses, which are often shared by multiple users and often change. The data retention changes are expected to be part of the Counter-Terrorism and Security Bill. The plan has met with criticism because it allows for broad surveillance of online activity. The Lib Dems insisted that the communications data bill – branded the “snooper’s charter” – was “dead and buried.” Emma Carr, director of campaign group Big Brother Watch, said: “It is perfectly reasonable that powers to provide the police with the ability to match an IP address to the person using that service is investigated. “However, if such a power is required, then it should be subject to the widespread consultation and comprehensive scrutiny that has been sorely lacking to date with industry, civil society and the wider public when it comes to introducing new surveillance powers. “Before setting her sights on reviving the snooper’s charter, the home secretary should address the fact that one of the biggest challenges facing the police is making use of the huge volume of data that is already available, including data from social media and internet companies. The snooper’s charter would not have addressed this, while diverting billions from investing in skills and training for the police.” [Source] [BBC] [v3.co.uk]

US Government Programs

US – Reports Critical of DHS, VA Privacy Practices

A new report from Department of Homeland Security (DHS) Inspector General John Roth reveals the agency is struggling to protect personally identifiable information and create an effective management system to secure and protect data. “DHS did not take appropriate steps to identify and mitigate physical risks to the security and confidentiality of records,” Roth stated. “We observed instances in which passwords, sensitive IT information … could be accessed by individuals without a ‘need to know,’” he added. A separate report from the Government Accountability Office indicates the Department of Veterans Affairs has not fully addressed its cybersecurity vulnerabilities and has not done enough to mitigate them. [GovInfoSecurity]

US Legislation

US – Senate NSA Bill Blocked in Procedural Vote

By a narrow margin, the US Senate has blocked a bill aimed at curtailing NSA data gathering practices from reaching the floor. The USA Freedom Act was two votes short of the 60 it needed to pass. The bill would have ended bulk phone metadata collection, instead leaving those data under the control of telecommunications companies from which the NSA can access them with court orders from the Foreign Intelligence Surveillance Court. It would also have required the NSA to focus its search terms more narrowly to ensure that only relevant records are accessed. It would also have granted telecommunications companies more transparency in disclosing the number and types of data requests they receive. The bill’s author, Sen. Patrick Leahy (D-VT) said, “I am disappointed by tonight’s vote, but I am not new to this fight,” adding Republicans failed to work “productively to protect Americans’ basic privacy rights and our national security.” In a strongly worded column responding to the vote, The Intercept’s Glenn Greenwald writes, “the last place one should look to impose limits on the power of the U.S. government is … the U.S. government.” However, the White House says it will pursue a new bill in 2015. [NationalJournal] [WIRED] [CNET]

US – Tech Coalition Urges Surveillance Reform; DoJ Defends “Dirtbox” Spying

A group of technology giants have published an open letter to the U.S. Senate urging it to pass the USA FREEDOM Act. The legislation, which may be voted upon this week, would limit the National Security Agency’s bulk collection of phone data. Aol, Apple, Dropbox, Evernote, Facebook, Google, LinkedIn, Microsoft, Twitter and Yahoo all support the bill, which they say “both protects national security and reaffirms America’s commitment to the freedoms we all cherish.” In separate surveillance news, the Justice Department is defending a practice that uses “dirtboxes” on airplanes to collect cell-phone data of suspected criminals, saying the program is legal. Sen. Edward Markey (D-MA), however, has sent a letter of inquiry about the program to Attorney General Eric Holder. [Source] See also: The Hill reports on a number of technology and privacy issues that policy-makers will look into in the coming months, including National Security Agency and email privacy reform. Jeff Kosseff explores 10 ways the recent election could affect privacy and data security law.

US – Other News

Workplace Privacy

US – Slack Alters Privacy Policy to Let Bosses Read Your Messages

Slack, a workplace communication tool, has announced it will begin selling a number of tools aimed at system administrators. Slack Plus will give companies the ability to request every message employees have sent on the service from that point forward, including direct messages to coworkers. Slack has revised its privacy policy to communicate the changes. [Source] See also: [Oklahoma’s social media privacy law went into effect November 1, meaning employers are prohibited from requiring employees or prospective employees to hand over social media log-in information]

US – Court Finds Deletion of Fired Employee’s Info Not a Violation

A federal judge has ruled that no privacy rights were violated when a company deleted personal information from a fired worker’s cell phone. The company asks its employees to use personal devices to carry out various work functions, and the plaintiff used his iPhone to access email. According to the claim, Design Tech, after firing the worker, remote-accessed his iPhone and, without warning, “wiped or erased all of the information on the plaintiff’s device, including all of plaintiff’s personal and professional information.” The plaintiff claimed the action violated the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act, but a judge disagreed, saying he had “not produced evidence of any costs he incurred” from the action. [Courthouse News Service]


01-15 November 2014


US – Judge Rules FBI Facial Recognition Database Needs Scrutiny

A federal judge has ruled the Federal Bureau of Investigation’s (FBI) facial-recognition database needs scrutinizing due to its size and scope. U.S. District Judge Tanya Chutkan wrote of the FBI’s Next Generation system, “There can be little dispute that the general public has a genuine, tangible interest in a system designed to store and manipulate significant quantities of its own biometric data, particularly given the great numbers of people from whom such data will be gathered.” The ruling validates an Electronic Privacy Information Center (EPIC) lawsuit. EPIC National Security Counsel Jeramie Scott said, “The opinion strongly supports the work of open-government organizations and validates their focus on trying to inform the public about government surveillance programs.” [National Journal] See also: [US: Virginia police can now force you to unlock your smartphone with your fingerprint]

CA – Royal Bank to Test Toronto Company’s Nymi Technology

The Royal Bank of Canada has paired with Toronto-based technology developer Bionym to test a wristband called Nymi (pronounced Nim-ee), which identifies owners through their unique heartbeat and then lets them charge purchases to their credit card. The device looks like a watch, and will soon grace the wrists of 250 RBC clients and staff under a pilot project in Toronto that runs through February. Eventually, the bank hopes to roll out its RBC PayBand across the country. For now, the Nymi band will only work with MasterCard, though eventually the Royal Bank hopes to allow debit transactions. [The Canadian Press, cbc.ca] [Globe & Mail] and [This Startup Is Turning the Human Body Into a Next Gen Design Platform]

US – ‘This Call May Be Monitored’ — To Study Your Voice Print

You may not know it, but banks like Wells Fargo may be already using voice biometrics to make sure you’re really you. JP Morgan Chase & Co., Wells Fargo & Co. and other banks are using customer calls to record biometric voiceprints, using the data to help screen out later fraud. The technology is used to help create voiceprint “blacklists” of criminals who break into customer accounts by fooling call-center workers. But the practice has some pitfalls — some states prohibit collecting biometric data, and privacy lawyers said that the boilerplate “this call may be monitored” statement doesn’t give banks the authority to store customer biometrics. [Minneapolis Business Journal]

Big Data

US – Groups Tell FTC Approved Merger Must Be Rethought

The Center for Digital Democracy and U.S. PIRG called on the FTC to rethink its decision to approve a marketing corporation merger. The groups told the FTC the $2.3 million merger of direct marketing company Alliance Data Systems and Conversant “raises serious privacy concerns” and the FTC’s approval of the transaction without appropriate safeguards “directly undermines its role as the country’s chief privacy regulator.” The merger amounts to “expanded commercial surveillance of the American people,” the groups said, calling for the FTC to launch a formal review of consolidations of companies that deal with big data. [The Hill] SEE ALSO: [Big Data, Underground Railroad: History says unfettered collection of data is a bad idea] and [Fox and Macaulay: IoT and Privacy Can Thrive Together] and [Forbes: Everything You Need To Know About The Internet Of Things] and [Top 10 Big Data Technologies of Present Times] and [How Can Healthcare Ensure Its Big Data is Smart Enough?] and [Big Data Survey: Trouble Brewing For IT] and [$$$ Cloud will make up 3/4 of all data center traffic in 3-4 years]


CA – RCMP Record Keeping Needs Work, Says Privacy Commissioner

Canada’s Royal Canadian Mounted Police (RCMP) cannot tell whether it complies with federal privacy law when gathering information about citizens without a warrant, according to the Canadian Privacy Commissioner’s annual privacy report. The Commissioner attempted to audit the RCMP’s collection of subscriber data from telecommunications service providers without warrants. It searched the organization’s records, but found that it couldn’t extract the relevant data. The RCMP said that it would establish a working group to better monitor and report on warrantless requests for subscriber information. It will report back to its Departmental Audit Committee in April 2015. The Commissioner’s report also highlighted a record high in voluntarily reported data breaches by government organizations. It received reports of 228 data breaches across the federal government, up from 109 in the prior year. Among the biggest offenders was Correctional Service Canada, which reported 22 incidents. The Canada Revenue Agency reported 33 incidents, while Citizenship and Immigration Canada revealed 54 privacy breaches. The leader, however, was Veterans Affairs Canada, which reported 60 privacy incidents. It was responsible for over a quarter of all federal agency breaches documented throughout the year. [SC Magazine] See also: [Geist: Ontario Provincial Police Recommend Ending Anonymity on the Internet] and [How Canada’s privacy deficit undermines our economy] and [Canada: More Disturbing Questions about Warrantless Data Disclosures]

CA – British Columbia: Committee to Review PIPA on Breach Notification

The Special Committee to Review British Columbia’s Personal Information Protection Act (PIPA) (‘the Committee’) will issue a report to the Legislative Assembly, on 25 February 2015, on the results of its review. The Committee, which sought further input on the effectiveness of PIPA, held a public hearing in Victoria on 7 October 2014 and received submissions from stakeholders and the public. A number of the submissions suggested that PIPA should be amended to include a specific notification requirement for information security breaches. Currently, British Columbia’s PIPA does not contain such a provision. British Columbia’s Freedom of Information and Privacy Association recommended that mandatory breach notification be incorporated into PIPA. Also, British Columbia’s Information and Privacy Commissioner, Elizabeth Denham, advised the Committee that mandatory breach provisions would bring PIPA in line with other jurisdictions. [Data Guidance] See also: [November 1st – 10th Anniversary of PHIPA]


US – US Privacy Confidence at New Low, Survey Indicates

A new Pew Research report reveals that 91% of U.S. citizens believe that consumers have lost control of how their personal information is collected and used by corporations and 80% said there should be concerns about government surveillance. The report’s author, Mary Madden, said, “There is both widespread concern about government surveillance among the American public and a lack of confidence in the security of core communications channels.” She added, “At the same time, there’s an overwhelming sense that consumers have lost control over the way their personal information is collected and used by companies.” [BBC News] See also [PCWorld: U.S. Concerns About Online Privacy Present Opportunity, Experts Say]

US – Online Privacy Should Be Marketed More Like Snowboarding

Wickr and r00tz Asylum CEO and Cofounder Nico Sell says there are ways to make privacy products exciting for kids. “Don’t use the words privacy and security,” Sell explained. “When kids ask me, ‘What’s Wickr?’ I say it’s an app that spies use to send secret messages,” Sell said, adding kids then respond, “Wow! Can I use it?” Sell calls on her past career as a snowboarder as an example: “If we would have gone to kids and said, ‘Hey, snowboarding makes your legs strong and your heart healthy,’ it wouldn’t have worked.” Instead, she says, the focus should be, “It’s rebellious; it’s what the cool kids do; it’s what parents don’t know how to do.” [Slate]


CA – Ottawa Finalizes Action Plan 2.0 on Open Government

New portal launched with calls for open government on non-sensitive data by default. The second chapter of the federal government’s open government strategy now has a confirmed action plan. Treasury Board said this week that the action plan — a document that civil servants have to follow over the next two years — for what it calls Open Government 2.0 has been issued following a consultation period. The plan includes a directive that federal employees treat the handling of non-sensitive information as open by default. There’s a commitment to develop a federated open data search service that provides what the government calls a “no wrong door approach”; an enhanced set of tools and resources to make it easier to search and compare government spending across federal departments; and a new government-wide consultation portal to promote opportunities for public participation. [IT World Canada] See also: [Ottawa announces second action plan on open data] | [Treasury Board has 15 apps that prove its open data strategy is working]

US – Voter Data Use Fails the Creepy Test

According to a KSN report, a group calling itself the Kansas State Voter Report has been sending out flyers to citizens that include their names, addresses and whether or not they voted in past elections. The disclosed data is public information, but it has voters up in arms. “I don’t think that’s anyone’s business,” one voter said. The local county elections commission said it did not know who the group was or who funded the group. Likewise, last week a similar instance was reported in New York. [Privacy Perspectives] [US – Voters Angry About Mailers]

US – Seattle Launches Sweeping, Ethics-Based Privacy Overhaul

The City of Seattle this week launched a citywide privacy initiative aimed at providing greater transparency into its data collection and use practices by convening a group of stakeholders. Called the Privacy Advisory Committee, the group comprises various government departments to look at the ways the city is using data collected from practices as common as utility bill payments and renewing pet licenses, or during the administration of emergency services like police and fire. By this summer, the committee will deliver to the City Council suggested principles and a privacy statement. Chief Technology Officer Michael Mattmiller is responsible for privacy in the progressive city and said city leadership agrees the city’s policy on privacy should be ethics-based: It will answer the question, “Who do we want to be as a city, and how do we want to operate?” [Source]

US – Federal Agencies Can Now Require Contractors to Get Privacy Training

Contractors with access to government records may have to start training their employees on how to appropriately process sensitive personal information. This week, a final rule was issued giving federal agencies, such as the Department of Defense, General Services Administration and NASA, the flexibility to either offer privacy training to contract employees or require the contractors to do the privacy training themselves. The Federal Acquisition Regulation now requires contractors to keep records of employees who have completed the training, which can be requested by federal agencies at any time. “Without proper proof of training, contracted employees will not be given access to federal records,” the report states. [The Hill]


WW – Google Releases Results of Email Hijacking Study

A new report from Google suggests that the perpetrators of manual account hijacking often approach this type of digital invasion as a job. “These are really professional people with a very specific playbook on how to scam victims,” says Elie Bursztein, the lead author of the report. While the volume of these attacks is low — nine incidents per million users per day, according to Google’s analysis — their toll can be devastating. The report, released on Google’s security blog, is the result of years of research by a team that works on account abuse. [Study] [Washington Post] See also: [Verizon tells customers not to give out passwords—and disregards its own advice] and also: [3rd Skillsoft email raises privacy concerns in N.B.]

Electronic Records

CA – Revenue Canada Adds Internal Fraud Detection

The online activities of civil servants at the Canada Revenue Agency are going to be watched more closely after the government chose an Israeli software surveillance solution to ensure staff don’t improperly access income tax and other files, part of a policy of toughening up procedures after embarrassing revelations of staff violating privacy procedures. [Source]


US – EFF: ISP is Stripping STARTTLS Flags from eMail

According to the Electronic Frontier Foundation (EFF), a US Internet service provider (ISP) is removing encryption from the traffic between customers and email servers, stripping the communications of the expected level of privacy. There have been incidents in which the ISP intercepted email to remove STARTTLS flags, which signal requests for encryption while communicating with another server or client. If the flag is removed, the email is sent in clear text. Some firewalls use this technique to prevent spam from emanating from their servers, but when it affects legitimate email, the unencrypted messages become vulnerable to interception and eavesdropping. [Ars Technica] [The Register] [EFF.org]
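The downgrade described above can be caught on the sending side by checking what the server advertises in its EHLO reply before any mail is sent. The following is an added example, not code from the EFF report or the cited articles; the host names, the sample replies and the decision labels are constructed for illustration, and remembering which hosts previously offered STARTTLS is an assumption of this sketch.

```python
"""Added example: spot a missing STARTTLS capability in an SMTP EHLO reply."""
import re

# RFC 5321 reply line: three-digit code, then '-' (more lines follow) or ' ' (last line).
REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

# Constructed sample replies (not captured traffic).
CLEAN_REPLY = (
    "250-mail.example.net\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 10240000\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
# The same server seen through a device that deletes the capability line.
STRIPPED_REPLY = CLEAN_REPLY.replace("250-STARTTLS\r\n", "")
# The same server seen through a device that overwrites the keyword instead.
MASKED_REPLY = CLEAN_REPLY.replace("STARTTLS", "XXXXXXXX")


def parse_ehlo(reply):
    """Return the set of upper-cased extension keywords in an EHLO reply."""
    lines = [l for l in reply.replace("\r\n", "\n").split("\n") if l]
    if not lines:
        raise ValueError("empty reply")
    keywords = set()
    for index, line in enumerate(lines):
        match = REPLY_LINE.match(line)
        if not match or match.group(1) != "250":
            raise ValueError("unexpected reply line: %r" % line)
        is_last = index == len(lines) - 1
        # Only the final line may use a space after the code.
        if (match.group(2) == " ") != is_last:
            raise ValueError("malformed multi-line reply")
        if index == 0:
            continue  # first line carries the server greeting, not an extension
        parts = match.group(3).split()
        if parts:
            keywords.add(parts[0].upper())
    return keywords


def delivery_decision(host, reply, tls_seen, require_tls=False):
    """Decide how to proceed after EHLO.

    tls_seen is a set of hosts that offered STARTTLS on an earlier
    connection; it is updated in place. Returned labels (hypothetical):
      "starttls"        - upgrade the session before sending
      "defer-downgrade" - host offered STARTTLS before and no longer does
      "defer-policy"    - local policy forbids cleartext to this host
      "cleartext"       - opportunistic fallback, message is unprotected
    """
    capabilities = parse_ehlo(reply)
    if "STARTTLS" in capabilities:
        tls_seen.add(host)
        return "starttls"
    if host in tls_seen:
        return "defer-downgrade"
    if require_tls:
        return "defer-policy"
    return "cleartext"


if __name__ == "__main__":
    seen = set()
    for label, reply in (("clean", CLEAN_REPLY),
                         ("stripped", STRIPPED_REPLY),
                         ("masked", MASKED_REPLY)):
        print(label, "->", delivery_decision("mail.example.net", reply, seen))
```

A purely opportunistic client takes the "cleartext" branch without any error, which is why the removal goes unnoticed unless the sender remembers past capabilities or enforces a TLS requirement.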

US – The New York Times Challenges News Sites to Embrace HTTPS

Staff members from The New York Times are calling on news sites to encrypt their online traffic by deploying HTTPS. The paper’s software engineering architect and its chief technology officer, together with a cybersecurity and technology strategist, write, “If you run a news site, or any site at all, we’d like to issue a friendly challenge to you. Make a commitment to have your site fully on HTTPS by the end of 2015 and pledge your support with the hashtag #https2015.” In addition to being more secure, HTTPS protects the privacy of users by preventing their search and reading histories from being transmitted “for anyone to see.” [Source]

US – AIDS Websites that Leaked Location Data Now Encrypting User Traffic

Two federal websites that help individuals seek AIDS-related medical services have started encrypting user traffic after years of no protections. The lack of basic encryption could have potentially revealed the identities and location of those seeking such highly sensitive services. “We started requiring SSL (Secure Sockets Layer) for the (services) Locator because we understood that information should be encrypted to protect privacy,” said the director of AIDS.gov. The site, which is run by the Department of Health and Human Services, also added encryption to its related smartphone apps. Another site, run by the Centers for Disease Control and Prevention, has also upgraded its security controls. [The Washington Post]

WW – New Google Tool Detects Crypto Flaws

Google engineers have released an open-source tool to help developers detect bugs and other crypto flaws to prevent the leaking of sensitive information. Called “nogotofail,” a play on a flaw in Apple’s iOS and OSX devices, the tool “provides an easy way to confirm that the devices or applications you are using are safe against known TLS/SSL vulnerabilities and misconfigurations,” the engineers wrote in a blog post, adding, it works with “any device you use to connect to the Internet.” [Ars Technica]

WW – Privacy Tools: The Best Encrypted Messaging Programs

Working with Princeton’s Joseph Bonneau and the Electronic Frontier Foundation’s Peter Eckersley, Julia Angwin has compiled a review and analysis of the best available encrypted messaging services to date. However, Bonneau notes, “It’s important to realize we’re mostly grading for effort here and not execution.” [ProPublica] See also: [Critics bash the EFF Secure Messaging Scorecard]

EU Developments

EU – Council Proposes Amendment to EU Data Protection Regulation, Chapter IV

The Council of the European Union has proposed amendments to Chapter IV of the EU General Data Protection Regulation as it relates to compliance obligations of data controllers and data processors, including: privacy impact assessments will only be required for processing activities likely to involve high risk to the rights and freedoms of individuals (such as discrimination, identity theft, fraud, or financial loss); only processing which would result in a high degree of risk would require that the data authority be consulted prior to the commencement of processing activities; and the appointment of a data protection officer is voluntary unless the national law of the relevant member state provides otherwise. [Source] See also: [The Proposed General Data Protection Regulation: Suggested Amendments to the Definition of Personal Data – Douwe Korff, Professor of International Law, EU Law Analysis] and [EU Regulation: A Tipping Point Has Been Reached] See also: [Nemitz: Google Meetings Are Passive-Aggressive Lobbying Efforts] According to leading lights of the EU data protection scene, the proposed EU General Data Protection Regulation will be finalized in 2015. As the new European Commission starts its five-year term, plans include working toward agreement on the EU’s new data protection rules, a European Parliament media release states. With a new EU Commission in place and operational, Hogan Lovells Partner Eduardo Ustaran discusses the three key players with “ultimate responsibility” for the commission’s place in the data protection reform process. French data protection authority the CNIL requires businesses operating in France to declare all personal data processing tools and communicate the decision to operate such tools to employee representatives. A report from the Information Technology and Innovation Foundation states the EU’s cookie notification policy costs billions of euros per year and offers few benefits, The Wall Street Journal reports.

EU – German Apps Struggle to Comply with Strict U.S. Patient Data Rules; Portuguese, French Start-Ups Focus on Privacy

The U.S.’s strict patient data rules are a struggle for some German healthcare apps to comply with despite Germany’s reputation as one of the strictest privacy jurisdictions. Meanwhile, a small start-up from Portugal tells the story of how difficult it is to launch a tech business that relies on people’s data given Europe’s ever-stricter rules on data privacy. It’s been working for two years to get a privacy seal from EuroPriSe GmbH, a pan-European certification company. And Computerworld reports on French start-ups taking a more privacy-centric approach to file-sharing offerings for consumers and organizations. [The Wall Street Journal] See also: [Are your file sharing tools leaking data?]

PO – New Law Would Up the Ante for DPOs, Ease Data Transfers

With a draft data protection law having passed its third reading in Poland’s lower house, there’s a good probability it will become law—meaning new responsibilities for organizations and, in particular, data protection officers (DPOs). In this Privacy Tracker blog post, Marcin Lewoszewski of CMS writes about provisions in the bill that would ease cross-border data transfer and require organizations to appoint a DPO with “appropriate knowledge in the field of personal data protection,” among other things. “However,” writes Lewoszewski, “there is no information in the new law about how a candidate’s ‘appropriate’ knowledge in the field of privacy should be verified or certified, or about who should do it.” [Poland’s draft data protection law would mean new responsibilities for organizations and, in particular, data protection officers]

Facts & Stats

WW – IAPP Study: Benchmarking Privacy Investments of the Fortune 1000

How is the average Fortune 1000 privacy program organized? What is its annual budget? To whom does the privacy lead report, and what are the privacy team’s responsibilities? How much does the company spend on privacy per dollar of revenue or per employee? All of these questions and more are answered in the IAPP’s first annual study, Benchmarking Privacy Management and Investments of the Fortune 1000, which establishes the Privacy Industry Index, an estimate of the total spend of the Fortune 1000 on privacy, along with important data for understanding how privacy is done in major corporations throughout the U.S. [Full Story] See also: Center for Democracy & Technology CEO Nuala O’Connor is struck that every company is now a tech company and “those that respect privacy and have strong security practices in place are the ones that consumers are increasingly turning to for a variety of services.” Merck CPO Hilary Wandall similarly notes that “today’s businesses can’t run without data,” but the study’s results cause her to wonder: If “sales and profits are everyone’s responsibility, shouldn’t privacy be too?” See also: [IAPP: A New Home for Privacy Industry Research and Information]

WW – Malware Masquerades as Trusted App; Carnegie Mellon Launches PrivacyGrade

A new and potentially invasive malware makes nearly 95% of iPhone and iPad devices vulnerable. A vulnerability in Apple’s iOS allows hackers to replace official apps, such as a Gmail or a banking app, with a malicious one, called the Masque Attack, which can access sensitive personal information. “Surprisingly, the malware can even access the original app’s local data, which wasn’t removed when the original app was replaced,” researchers said. “These data may contain cached emails, or even login-tokens, which the malware can use to log into the user’s account directly.” Meanwhile, researchers at Carnegie Mellon have created “PrivacyGrade,” a site that provides “privacy summaries that highlight the most unexpected behaviors of an app.” [The Hacker News]

EU – Report Suggests EU Cookie Policy Costs Billions, with Few Benefits

A new report from the Information Technology and Innovation Foundation states the EU’s cookie notification policy costs billions of euros per year and offers few benefits. “There are compliance costs for websites, and we don’t see much benefit,” said one of the report’s authors, Daniel Castro. “These banners don’t really educate users, and there has been no noticeable change in user behavior since cookie warnings were introduced, so the directive appears to be a waste of resources,” he added. [The Wall Street Journal]


US – FCC Chairman Tells Silicon Valley He’s Open to Obama Net Neutrality Plan

President Barack Obama went public with his support of an aggressive approach to protecting net neutrality. Shortly after that, Federal Communications Commission Chairman Tom Wheeler told a gathering of business representatives and public interest groups that he was taking the president’s comments under advisement and that he would need the groups’ support in the coming fight over net neutrality, according to multiple sources in the meeting. The sources said that Wheeler did not, as had been reported earlier, say that he had decided to go in a different direction from what the White House wanted. [Huffington Post] See also: [Obama’s call for an open Internet puts him at odds with regulators] and [US: The split between Obama and the FCC on net neutrality, in plain English] The U.S. Federal Communications Commission has issued clarification on its 2006 Junk Fax Order confirming that fax ads must contain an opt-out provision, reports The National Law Review.


US – OCC: Law Should Hold Retailers Accountable for Breach Costs

“Congress must move forward with legislation that would put retailers, and not just banks, on the hook for at least some of the costs related to data breaches,” citing comments from Comptroller of the Currency Thomas Curry. While many recent headline-making breaches “occurred through retailer computer systems, it is banks who have been put in the position of replacing debit and credit cards, monitoring accounts and repaying customers,” the report states. Also last week at the IAPP Practical Privacy Series, regulators including Office of the Comptroller of the Currency National Bank Examiner Melissa Love-Greenfield offered insight into where they are focusing their efforts and what financial services companies can do to avoid their wrath. [Law360]


UK – Facebook’s Government User Data Requests Up 24%

Requests by governments for Facebook’s user data are up by nearly a quarter in the first half of this year compared with the previous six months. Global government requests were up by 24% to almost 35,000 in the first six months, the social media giant said. The amount of Facebook content restricted because of local laws also rose about 19% in the same period. News of the increase comes as Facebook fights its largest ever US court order to hand over data from 400 people. [BBC News]

CA – P.E.I. Govt Creates New Office to Handle Freedom of Information Requests

The P.E.I. government has created a new office to handle all Freedom of Information requests due to a big increase in the number of requests being made. A new Access and Privacy Services office has replaced individual co-ordinators within each of the 13 departments and executive government offices. Kathryn Dickson, manager of this new office, says the number of Freedom of Information and Protection of Privacy (FOIPP) requests coming into the province has doubled over the last five years. Previously, each government department had its own FOIPP coordinator, but these were made up of existing departmental staff with other duties and responsibilities. The province’s privacy commissioner has repeatedly raised concerns about backlogs in her office as a result of FOIPP requests denied. The new Access and Privacy Services office is located within the Department of Environment, Labour and Justice. [Charlottetown Guardian] See also: [B.C. Health Ministry ordered to release papers related to firings]


WW – Would You Put Your Genome in the Cloud?

Google Genomics may eventually possess millions of genomes on its servers, and Sarah Zhang asks, “Are there legitimate privacy concerns here?” Genomic research works better with bigger sets of genomic data, and Google aims to centralize them into one database, a potential boon for researchers. “This is the infrastructure for personalized medicine,” she writes, noting that bigger databases create bigger privacy concerns, and “the privacy worries aren’t unique to Google Genomics … but the sheer scale of their envisioned database magnifies the potential problems.” If it succeeds, she writes, “it’ll be because it forces us to reckon with the privacy issues that lie behind genome sequencing.” [Gizmodo] See also: [UK – Major genome data project can deliver increasingly personalised drug treatments] and [Genomic Researchers Seeking Balance Between Ethics and Patient Privacy]

Health / Medical

US – FTC Asking Apple About Health Data Protection

“The U.S. Federal Trade Commission is seeking assurances from Apple Inc. that it will prevent sensitive health data collected by its upcoming smartwatch and other mobile devices from being used without owners’ consent,” two sources said. “The two people, both familiar with the FTC’s thinking, said Apple representatives have met on multiple occasions with agency officials in recent months to stress that it will not sell its users’ health data to third-party entities such as marketers or allow third-party developers to do so.” [Wall Street Journal] See also: [Privacy attorney: Med device cybersecurity guidance ‘is the future’] [Wearable Health Tech: New Privacy Risks]

US – Connecticut Court Allows HIPAA Negligence Claim

“Since the implementation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule in 2003, injured or wronged individuals (and their lawyers) have been looking for ways to bring claims against healthcare providers and others who engaged in activities that appeared to violate these rules,” writes Kirk Nahra of Wiley Rein. It appears that the Connecticut Supreme Court has just given them some hope. In Byrne v. Avery Center for Obstetrics and Gynecology, P.C., the court found that “HIPAA does not preempt the plaintiff’s state common-law causes of action for negligence …” However, Nahra writes, “Neither side should overreact to this decision. Plaintiffs now can move a claim forward but still have a long way to go to prove their case.” [GovInfoSecurity] [Privacy Tracker] See also: [Legal aid employee to pay $7,500 for intrusion upon seclusion] and also: [Insurer Includes Sensitive Data in Email Subject Lines] and [CA – Winnipeg patient alarmed to hear medical details broadcast in clinic] and [UK – ICO interest in digital health initiatives likely to grow]

US – Healthcare Privacy Policies Must Be Stronger, Says AMA

The American Medical Association (AMA), at its interim meeting, released policies calling for increased diligence in protecting patients’ health data, particularly at insurance companies. “The disclosure of potentially sensitive medical information on standard insurance forms has become more of a concern as the Affordable Care Act allows an increasing number of young adults to obtain health insurance as dependents of their parents, guardians, spouses or domestic partners,” AMA President Robert Wah said. “The AMA’s new policy promotes a multi-pronged approach to protect the privacy interests of patients and preserve the financial interests of policyholders.” [HealthITSecurity] See also: [ONC CPO: We Need To Explain HIPAA Better] See also: [US – HHS Issues Ebola Privacy Guidance | US – Office for Civil Rights (OCR) Issues Ebola Guidance on HIPAA Privacy ]

WW – Insurer Publishes Guide on Avoiding Breaches

TechInsurance, an insurance provider for small technology businesses, has published The Small-Business Owner’s Guide to Identity Theft Prevention and Data Security, a free e-book that offers small businesses data security tips. The guide offers tips on how to strengthen security to prevent data breaches; tips on what to do when a data breach occurs; simple steps to boost security, and checklists aimed at preventing, responding to and recovering from breaches. The guide also includes a recent study finding 29 percent of businesses “incorrectly believe their cyber exposures are covered under an existing insurance policy.” [Security IT]

Horror Stories

WW – Home Depot: 53 Million E-Mails Stolen

Home Depot on Nov. 6 offered an update to the findings of its data breach investigation, saying that, in addition to 56 million cards being compromised, approximately 53 million e-mail addresses were also taken. The latest news follows weeks of investigation involving law enforcement and third-party IT security experts, Home Depot says. In order to evade detection, the criminals involved in the cyber-attack against Home Depot used custom-built malware, which has not been used in other attacks. The malware, which was present on Home Depot’s payment systems between April and September, has since been eliminated from its U.S. and Canadian networks, the retailer says. [Source]

US – NOAA Breach

The US National Oceanic and Atmospheric Administration (NOAA) suffered a security breach in September. To prevent further infiltration, the government shut down some services. When satellite data suddenly became unavailable in October, NOAA attributed it to “unscheduled maintenance.” Officials say that NOAA did not notify the necessary authorities when it learned of the attack. [Washington Post] [eWeek] [ZDNet] [The Register] [CNN] [SC Magazine] [ComputerWorld] [ITNews]

US – USPS Breach Affects Employee Data

A breach of US Postal Service (USPS) information systems compromised personally identifiable information of more than 600,000 employees, including employees of the US Postal Regulatory Commission. The breach was detected in September. Customers who contacted the USPS customer care center by phone or email between January and August 2014 may be affected as well. The FBI is investigating. [ComputerWorld] [NextGov] [ArsTechnica]

EU – HSBC Turkey Confirms Card Breach

HSBC Turkey confirms that a recent cyber-attack exposed payment card information for 2.7 million customers. Information compromised in the breach includes debit and credit cardholder names, account numbers and expiration dates. The bank says that, so far, it has not seen any evidence of fraud or other suspicious activity arising from the incident. HSBC Turkey detected the attack in the past week through its internal security controls, according to an FAQ. The attack was limited to Turkey, and all card operations have been restored to normal functioning, the bank says. No other details about the nature of the incident were revealed. An investigation is under way in collaboration with the Banking Regulation and Supervision Agency of Turkey and other relevant authorities, HSBC Turkey says. Turkey’s Public Prosecutor’s Office has also been notified about the incident. [Bank Information Security]

WW – Scammers Victimize 10,000 Booking.com Customers

As many as 10,000 users of hotel booking site Booking.com have been the victims of a scam using a list of email addresses that were allegedly obtained fraudulently. According to the BBC’s “Money Box,” the criminals accessed Booking.com reservations to gather contact details of customers for the purpose of phishing. Booking.com insists it was not breached but that the scammers contacted individual hotels to gather the data. The incident has affected customers in the UK, U.S., France, Italy, Portugal and the United Arab Emirates. [International Business Times]

US – What CIOs Can Learn From the Biggest Data Breaches

Several lessons may be gleaned from some of this year’s largest data breaches, including Adobe, eBay, JP Morgan Chase, Target and Home Depot. Among the lessons, Hexis Cyber Solutions VP of Corporate Development Todd Weller said that in addition to encrypting its data, eBay should have educated its employees about various phishing scams that could lead to hacker infiltration. Other lessons include investing in intrusion detection and identifying vulnerabilities. [CIO] [Tracking Data Breaches]

US – Lawmaker Seeks Info on Cyber-Attacks; More Orgs Breached

U.S. Rep. Elijah Cummings (D-MD) has sent letters to the chief executives of five companies—including Home Depot, Target and Kmart—seeking more information on the cyber-attacks each suffered. The ranking Democrat on the House Oversight and Government Reform Committee, Cummings said, “The increased frequency and sophistication of cyber-attacks on both public and private entities highlights the need for greater collaboration to improve data security.” Chinese hackers have infiltrated computer systems overseen by the U.S. National Oceanic and Atmospheric Agency and the Turkish unit of HSBC was breached, resulting in the theft of 2.7 million customers’ bank data. Back in the U.S., banking trade groups are calling on Congress to implement cybersecurity regulations for retailers. [Reuters] See also: [British Columbia’s provincial government is notifying 15,000 individuals after a privacy breach in its Wildfire Management Branch] [AU – Immigration Department breached privacy of 9,250 asylum seekers by publishing their details online] and [Dentist’s patient information found scattered on Toronto street]

Identity Issues

UK – Gov UK Quietly Disrupts the Problem of Online Identity Login

A new “verified identity” scheme for gov.uk is making it simpler to apply for a new driving licence, passport or to file a tax return online, allowing users to register securely using one log in that connects and securely stores their personal data. After nearly a year of closed testing with a few thousand Britons, the “Gov.UK Verify” scheme quietly opened to general users on 14 October, expanding across more services. It could have as many as half a million users within a year. The team behind the system claim this is a world first. Those countries that have developed advanced government services online, such as Estonia, rely on state identity cards – which the UK has rejected. “This is a federated model of identity, not a centralised one,” said Janet Hughes, head of policy and engagement at the Government Digital Service’s identity assurance program, which developed and tested the system. The Verify system has taken three years to develop, and involves checking a user’s identity against details from a range of sources, including credit reference agencies, utility bills, driving licences and mobile provider bills. But it does not retain those pieces of information, and the credit checking companies do not know what service is being used. Only a mobile or landline number is kept in order to send verification codes for subsequent logins. When people subsequently log in, they would have to provide a user ID and password, and verify their identity by entering a code sent to the related stored phone number. The US, Canada and New Zealand have also expressed interest in following up the UK’s lead in the system, which requires separate pieces of verified information about themselves from different sources. The level of confidence in an individual’s identity is split into four levels. The lowest is for the creation of simple accounts to receive reports or updates: “we don’t need to know who it is, only that it’s the same person returning.” The service has been built in consultation with privacy pressure groups including No2ID, Big Brother Watch, the University of Oxford’s Internet Institute, the Consumers Association, and the privacy regulator, the Information Commissioner’s Office. … Privacy groups have worked with the government to create a list of principles for interacting with the Verify system. [The Guardian]

US – Android User Takes Privacy Battle With Cartoon Network to Appellate Court

Android user Mark Ellis has appealed the dismissal of his privacy lawsuit against Cartoon Network for allegedly violating the Video Privacy Protection Act (VPPA). Ellis filed the appeal with the 11th Circuit Court of Appeals, claiming Cartoon Network’s app transmitted his Android ID together with his video viewing history to a third party. U.S. District Court Judge Thomas Thrash dismissed the lawsuit last month saying that “an Android ID does not identify a specific person.” [MediaPost] [Would you like to put an Ontario card in your wallet? Bureaucrats are in charge, not governments]

Internet / WWW

WW – Germany, Brazil Urge U.N. to Strengthen Digital Spying Resolution

Both Germany and Brazil are urging the United Nations (UN) to strengthen a digital spying resolution to include metadata. The draft notes that arbitrary surveillance, communications interception and the collection of metadata are “highly intrusive acts” and “violate the right to privacy and can interfere with the freedom of expression and may contradict the tenets of a democratic society, especially when undertaken on a mass scale.” The draft also calls on the UN Human Rights Council to appoint a special rapporteur for privacy rights standards clarification. Germany’s UN ambassador said, “As the universal guardian of human rights, the United Nations must play a key role in defending the right to privacy, as well as freedom of opinions and expression in our digital world.” [Reuters] Telecompaper reports the German interior ministry has introduced a revised version of its bill on improving IT security that includes a new data retention clause.

US – NIST – US Government Cloud Computing Technology Roadmap, Volume II – Useful Information for Cloud Adopters: Special Publication 500-293

Security challenges unique to cloud computing include that broad network access has the potential to introduce new cyber threats and that the lack of visibility and control over the IT assets often runs counter to the existing security policies and practices that assume complete organizational ownership and physical security boundaries. Recommendations include process-oriented requirements (such as clarity of security roles and responsibilities, detailing privacy requirements in contracts and service-level agreements) and technical requirements (such as encrypting data at rest and in transit, applying application partitioning, logical separation and physical separation, and controlling VM and Virtual Networks). [Source] See also: [FFIEC Regulators: Banks Need to Share Cyber-Threat Info] [DOD’s Vision for a Commercial Cloud Ecosystem]

WW – CSA Releases Security Guidance for Critical Areas of Cloud Computing

Best practices regarding information management and data security in the cloud include understanding the cloud storage architecture in use and using the data lifecycle to identify security exposures and determine controls, monitoring key internal databases and file repositories with database activity monitoring and file activity monitoring to identify large data migrations, encrypting all sensitive data (paying particular attention to key management), and ensuring removal of data from a cloud vendor is covered in the service level agreement (e.g. deletion of user accounts, migration/deletion of data from primary/redundant storage, and transfer of keys). [Source]

WW – Apple Users Raise Privacy Concerns After Hard-Drive Files Uploaded to Servers

Security researcher Jeffrey Paul discovered that several of his personal files found their way to the cloud after he upgraded the operating system on his MacBook Pro. He thought the files only lived on his encrypted hard drive. Cryptography experts Bruce Schneier and Matthew Green had similar experiences. All three have publicly written about their dismay over the finding. [The Guardian] UPDATE: [Clarification of iCloud Autosave Issue] Earlier this week we ran a story about documents being saved to iCloud without notifying users. The headline suggested that the issue affected all documents, when in fact, the feature is on by default for iWork apps, Preview, and TextEdit. It does not affect Word. Apple describes the autosave default in an August 2014 support document.

Law Enforcement

CA – RCMP Reveals Details of Plan for 700-Km Surveillance Fence Along Canada-U.S. Border

A massive intelligence-gathering network of RCMP video cameras, radar, ground sensors, thermal radiation detectors and more will be erected along the U.S.-Canada border in Ontario and Quebec by 2018, the Mounties said this week. The $92-million surveillance web, formally known as the Border Integrity Technology Enhancement Project, will be concentrated in more than 100 “high-risk” cross-border crime zones spanning 700 kilometres of eastern Canada, said Assistant Commissioner Joe Oliver, the RCMP’s head of technical operations. [Source]

CA – Alberta Privacy Commissioner to Investigate Police Use of Body Worn Cameras and Facial Recognition Software

Alberta’s Privacy Commissioner Jill Clayton has ordered an investigation into some potentially scary tools being employed by the local police department — tools with the capability of seriously infringing on a citizen’s right to privacy if not used correctly. On Wednesday, just two days after Calgary cops announced they would become the first police service in Canada to adopt facial recognition software capable of matching any photograph or video image to their databank of 300,000 mugshots, Clayton stepped in. “Information and Privacy Commissioner Jill Clayton has initiated an investigation of the Calgary Police Service’s use of body-worn cameras and facial recognition software,” read the stern-sounding release. [Source] Alberta Privacy Commissioner Jill Clayton has launched an investigation into BWCS after being dissatisfied with the lack of evidence of a privacy assessment by a local police service. It is too early to tell whether that investigation will have any meaningful effect on the implementation of BWCS in Canada. [Privacy Advisor] [Calgary police service looks to put a face to crime, adds facial recognition software NeoFace to its investigative arsenal] And also: [Influx of records requests may force police to drop body cams]

US – Private License Plate Data Raises Privacy Flags

Privately owned license-plate imaging systems are popping up around Rochester and upstate New York — in parking lots, shopping malls and, soon, on at least a few parts of the New York state Thruway. Most surprisingly, the digital cameras are mounted on cars and trucks driven by a small army of repo men. Shadowing a practice of U.S. law enforcement that some find objectionable, records collected by the repo companies are added to an ever-growing database of license-plate records that is made available to government and commercial buyers. At present that database has 2.3 billion permanent records. On average, the whereabouts of every vehicle in the United States appears in that database nine times. Todd Hodnett, founder of the company that aggregates and sells that data, defends the activity as lawful and harmless. “We’re just photographing things that are publicly visible,” he said. Many private-sector camera operators, like parking companies, say they do not know the names and addresses behind the plates they scan. Others, like universities, say they discard the records almost immediately. But that doesn’t satisfy critics. No matter how benign the intentions of camera system operators, they say, their data may prove irresistible to government or private parties bent on snooping. Only five states have adopted laws regulating or banning private use of license-plate readers, also known as LPRs, with legislative bodies in as many more states having considered such measures. Lee Tien of EFF, a leading digital privacy group, said advocates have been trying without success to get a clear picture of who is getting access to DRN’s data. But they know state and federal regulations leave room for a wide range of clients. “As a general matter, the limit is what they’re currently willing and able to do to monetize the data,” he said. [Democrat & Chronicle]


US – Carmakers Unite Around Privacy Protections

19 automakers accounting for most of the passenger cars and trucks sold in the U.S. have signed onto a set of principles they say will protect motorists’ privacy in an era when computerized cars pass along more information about their drivers than many motorists realize. The principles were delivered in a letter to the FTC, which has the authority to force corporations to live up to their promises to consumers. Industry officials say they want to assure their customers that the information that their cars stream back to automakers or that is downloaded from the vehicle’s computers won’t be handed over to authorities without a court order, sold to insurance companies or used to bombard them with ads for pizza parlors, gas stations or other businesses they drive past, without their permission. The principles also commit automakers to “implement reasonable measures” to protect personal information from unauthorized access. The automakers’ principles leave open the possibility of deals with advertisers who want to target motorists based on their location and other personal data, but only if customers agree ahead of time that they want to receive such information, industry officials said in a briefing with reporters. Industry officials say they oppose federal legislation to require privacy protections, saying that would be too “prescriptive.” But Marc Rotenberg, executive director of the Electronic Privacy Information Center, said legislation is needed to ensure automakers don’t back off the principles when they become inconvenient. [ABC News] [Hogan Lovells] [Auto Alliance Press Release]

Online Privacy

WW – Facebook Rewrites Its Privacy Policy So that Humans Can Understand It

Facebook has announced that it has expanded its data use policy and has also made an effort to rewrite the language in a way normal people can understand. To do that, Facebook has taken some information on how the site itself works – and how users can set their privacy on Facebook – and created a new “Privacy Basics” page that walks users through its most-used privacy features. That includes step-by-step instructions on how to control who sees posts you create or items you “like.” The data use policy will now be displayed on an interactive, colorful site aimed at making it easy to navigate. But there are some changes to the language, as well — again aimed at making it easier to understand, getting rid of some of the confusing legalese. Unchanged was how the company uses data for research. The current guidelines, which give Facebook the broad right to conduct “research,” remain effective. As per Facebook’s usual way of operating, the changes are only a proposal for now. Users will have seven days to comment on the policy changes, which Facebook will then review before making the policy final. Once Facebook announces its final changes, the policy will take effect in 30 days. Facebook is also rolling out a tool that lets users give Facebook more information about ads they do — or don’t — want to see on the site in Europe. This option had previously only been available in the United States. Egan said that Facebook users will also be able to apply their ad preferences, such as requests to opt out of seeing personalized ads, across mobile and desktop devices — something that they can’t do now. [The Washington Post] See also: [The Canadian government wants to pay more people to creep your Facebook] and also: [A new poll conducted for CNBC.com found 45% of those surveyed are most concerned about Facebook regarding personal data collection.] and [ZDNet: Users can’t tell Facebook from a scam] A NY District Court ruling “says that by merely agreeing to AOL’s terms of service,” users have waived their Fourth Amendment rights.

US – Facebook Campaign Aims to Assure Advertisers Their Data Is Safe

In an effort to assure brands that their data is safe when they share their consumers’ information to buy ads on Facebook, the social networking giant has been meeting with marketers in recent weeks to make them comfortable with the platform. Facebook’s new ad server, Atlas, and ad product, Custom Audiences, let brands use their email lists and other customer information to target marketing, the report states. Brands have been nervous about sharing data with anyone in a time when hacks and breaches involving stolen email lists can be devastating to brand reputation. Some say Facebook’s recent interest in talking about good stewardship of sensitive information is a sign of its “maturing advertising business.” [Adweek]

EU – CJEU Case on ‘Screen-Scraping’ Has Potential to Affect Business Models

Some price comparison websites and other online businesses could be forced to alter their business models if the EU’s highest court takes steps to prevent unauthorised ‘screen-scraping’ of data, an expert has said. This week, the Court of Justice of the EU (CJEU) is due to hear arguments from Ryanair and a Dutch price comparison business about the extent to which rules contained in the EU’s Database Directive apply to data that is not protected by copyright or a ‘sui generis’ database right. The CJEU’s judgment on the matter, which is unlikely to be issued for many months, will determine the extent to which businesses can apply contractual restrictions, in the absence of having copyright or database rights protection for their data, to prevent others from using that data. Screen scraping involves the use of software to automatically collect information from websites and systems. [The application to the CJEU] [Out-Law]

WW – Snapchat Starts Actively Warning Users That Third-Party Apps Aren’t Safe

Following the exposure of users’ private “snaps,” ephemeral messaging app Snapchat is warning users to not use third-party apps with its service. Snapchat said companies that claim to offer Snapchat services violate its terms of service and are untrustworthy. “We’ve enjoyed some of the ways that developers have tried to make Snapchat better,” the company wrote. “Unfortunately, some developers build services that trick Snapchatters and compromise their accounts.” Meanwhile, Reuters reports that consumers who are concerned about over-sharing are turning to private messaging services like Snapchat. [PCWorld]

AU – Samaritans Radar Depression App Raises Twitter Privacy Concerns

A newly launched app by a UK suicide prevention charity is raising massive privacy concerns by monitoring Twitter accounts without user consent. The new web app — called Samaritans Radar – works by proxy. When a user downloads and signs up to Samaritans Radar, the app then has access to the Twitter accounts followed by that user. It will monitor those accounts, looking for key phrases in public Tweets. These include terms such as “depressed”, “help me” (probably not parsing for Star Wars fandom), “tired of being alone”, “hate myself” and “need someone to talk to”. When it finds one of these phrases, it will alert the user via email, offering support on how to reach out to the depressed party; if the user is reported as suicidal, the report will be verified by Twitter Trust & Safety, and both the Radar user and the reported account will be contacted by Samaritans. So far, the app has had over 3,000 users sign up, with more than 1.6 million accounts being monitored — and, according to The Register, a mere 4 percent of the Tweets flagged by the app have been validated as genuine. Meanwhile, a Change.org petition addresses Twitter, noting that it has no faith in Samaritans to address user concerns, and requesting that the social network deny the app access to user data, effectively shutting it down. [Source] See also: [The Truth About Teenagers, The Internet, And Privacy] See also: [Somebody’s Already Using Verizon’s ID to Track Users]

WW – 81% of Tor Users Can Be De-Anonymised by Analysing Router Information, Research Indicates

Research undertaken between 2008 and 2014 suggests that more than 81% of Tor clients can be ‘de-anonymised’ – their originating IP addresses revealed – by exploiting the ‘Netflow’ technology that Cisco has built into its router protocols, and similar traffic analysis software running by default in the hardware of other manufacturers. [The Stack]

WW – 73,000 Unsecured Webcams Available for View

A website offers video feeds and links to more than 73,000 unsecured webcams from around the globe. “Eerily, the site is very user-friendly. You can search by country … by manufacturer … or, like an iTunes playlist, you can hit shuffle and view a random camera feed. Plus, many of the connected cameras include location coordinates and a handy Google Map pinpoint.” Highlighting several recent examples in the news of bad actors out there “trying to hack their way into our lives,” Bracy writes, “The last thing we need is for poor design practices and wanting consumer education to make it easier for those adversaries.” [NetworkWorld] see also: [NY Woman Suing Landlords for Secretly Installing Cameras]

Other Jurisdictions

AU – Australian Law Reform Commission Issues Final Report on Serious Invasions of Privacy in the Digital Era

The final report regarding serious invasions of privacy recommends the following – a new tort of serious invasion of privacy in a new federal law (either by intrusion upon seclusion or misuse of private information, only actionable by a natural person who has a reasonable expectation of privacy, and not requiring proof of actual damage); a general statute of limitations (1-3 years) would apply. The Act should provide for specified defences (e.g. consent, absolute privilege), and exemptions (minors); a court may consider countervailing public interest matters (e.g. freedom of expression, national security), and award damages (but not aggravated damages). The Privacy Commissioner’s powers should be extended to make declarations about serious invasions of privacy complaints, and (with court leave) to assist a court as amicus curiae and intervene in court proceedings. [Summary Report] [Final Report] The Australian Communications and Media Authority and the Office of the Privacy Commissioner have signed a memorandum of understanding formalizing their streamlined approach to telecommunications, spam and telemarketing matters. See also: The Australian state of Victoria has made unsolicited “sexting, sharing unwanted ‘intimate images’ and even threatening to distribute such images” illegal under new laws designed to protect digital privacy. AND [NZ – Beneficiary awarded more than $20,000 in case of over collection of information] Hogan Lovells’ Chronicle of Data Protection offers an update on South Africa’s data protection regime. And also [Data Privacy Regulation Comes of Age in Asia]

Privacy (US)

US – FTC Refutes Wyndham’s Challenge; Unreasonable Security Is “Unfair”

Generating a flurry of conversation among privacy professionals worldwide, the U.S. Federal Trade Commission (FTC) last week filed its response to Wyndham Worldwide Corporation’s interlocutory appeal in the Third Circuit. It’s the most recent activity in a case that began in 2012, when the FTC issued a complaint against Wyndham alleging data security failures that enabled three data breaches between 2008 and 2009. The FTC’s response outlines and affirmatively answers the three questions presented in Wyndham’s appeal, including whether unreasonable failure to protect the security of consumer data constitutes an unfair act or practice. [Privacy Advisor] [What’s Reasonable Security? A Moving Target]

US – FTC v. Pairsys, Inc. – Stipulated Preliminary Injunction – U.S. District Court for the Northern District of New York

The Court granted a preliminary injunction against a company that misled consumers by claiming to remove spyware and viruses from consumers’ computers (the company exploited consumers’ concerns about malware infection and claimed to represent legitimate computer software companies). The company is restrained and enjoined from making false or misleading statements to induce any person to pay for goods or services in violation of the Telemarketing Sales Rule, or initiating an outbound telephone call to a telephone number within a given area code, without first paying the required annual fee for access to the National Do Not Call Registry. [Complaint] [Preliminary Injunction]

US – FTC Says Debt Broker Disclosed Too Much

The FTC has sued a debt broker for posting debt portfolios containing sensitive personal information of approximately 28,000 consumers online without adequate protections. Bayview Solutions buys and sells portfolios of consumer debt for debt collectors. The FTC complaint alleges “one particular website used by defendants is a public website that is readily accessible to anyone with Internet access,” and, “There are not passwords or other security methods” to restrict access. The unencrypted data included names, dates of birth, contact information and bank account and driver’s license numbers. Plus, the consumers affected “would be unlikely to know that defendants possess, and are openly disclosing, their information,” the complaint states. [Courthouse News Service] [FTC sends dozens of warning letters to companies over advertising disclosures]

US – Carrier IQ Agrees “in Principle” to Settle Suit

“Carrier IQ has agreed in principle to resolve a class-action lawsuit alleging that its software for mobile devices violated consumers’ privacy.” The settlement would resolve allegations the software was capable of logging users’ keystrokes, the report states. The allegations came as the result of a researcher’s video report, and consumers subsequently filed class-action lawsuits against Carrier IQ and six device manufacturers, including HTC, Samsung and LG Electronics. The device manufacturers have not yet agreed to settle the lawsuit. [MediaPost]

US – TRUSTe’s DPM Platform Beta Commences at Capacity

TRUSTe has announced that the beta program for its Data Privacy Management (DPM) Platform, a privacy compliance solution where businesses can manage privacy initiatives from a single dashboard, has commenced at capacity. “Privacy professionals have struggled to keep pace with the evolving privacy and regulatory landscape and are looking for solutions to reduce these risks and protect their brands,” TRUSTe’s Chris Babel explained, noting the platform “provides an easy way to manage these complex privacy initiatives across multiple business units from a single interface.” [The Privacy Advisor]

US – Making the Case for Data-Driven Education; Student Sues School for Privacy Violations

An in-depth report explores the rise of data-driven education and its effect on students and policy-makers. U.S. Department of Education Chief Privacy Officer Kathleen Styles said she receives 12,000 calls and 2,000 emails a year from schools looking for assistance with the Family Education Rights and Privacy Act and approximately 300 to 400 complaints from parents concerned the law has been broken. She added that states, on the whole, do a “solid job” protecting student data. Additionally, the Family Online Safety Institute has released the report, Parenting in the Digital Age: How Parents Weigh the Potential Benefits and Harms of Their Children’s Technology Use. Meanwhile, a University of Montana (UM) student is suing the school on behalf of the student body, claiming UM illegally shared students’ personal information with a Connecticut-based vendor. [Government Technology] See also: [US – FOSI Calls for “Redefining Internet Safety”]

US – White House Names Next US Chief Technology Officer

The White House announced that it has named its next Chief Technology Officer, Megan Smith, a Google executive with decades of experience in Silicon Valley. The Obama administration named as deputy U.S. CTO, Alexander Macgillivray, a former Twitter lawyer known as a staunch defender of the free flow of information online. The New York Times and NPR feature interviews with new U.S. Chief Technology Officer (CTO) Megan Smith. “I actually think that working in the federal government, or state or local, is one of the most significant things that a technical person can do,” Smith tells The New York Times. But there are challenges. “Smith will have to call on all her powers to turn government agencies into more tech startup-type cultures.” “One agency still saves data on floppy disks.” Looking to the future, Smith’s focus is on people. “We want to create an environment where, in addition to amazing policy groups … tech teams feel comfortable, included and are in leadership positions here,” she said. [Washington Post] [New York Times: From Silicon Valley To White House, New U.S. Tech Chief Makes Change]

US – Ramirez: Businesses Need To Get Better at Notice

Federal Trade Commission Chairwoman Edith Ramirez said that online service providers must get better at disclosing their information collection and processing practices. “It’s crucial to provide some form of notice, like in the initial setup of a device or app, about what information is collected, how it’s used and with whom it’s shared,” she said. [Computerworld]

US – FISMA Reforms Stalled

Changes to the 2002 Federal Information Security Management Act (FISMA) may not be as easily brought about as legislators would like. The compliance requirements of the original plan were correctly criticized for generating vast quantities of paper reports (and vast fees for consultants) while providing little true assurance of security. The changes would require a move toward continuous monitoring. While including the FISMA changes in the 2015 National Defense Authorization Act is one possibility, sources say that its inclusion is unlikely, particularly because “there are provisions in FISMA that are raising concerns.” [NextGov]

US – Justice Department Seeks to Expand Judges’ Search Warrant Purview

The US Department of Justice (DOJ) has petitioned the Advisory Committee on Criminal Rules to expand magistrate judges’ reach in granting search warrants. Rule 41 of the Federal Rules of Criminal Procedure allows judges to issue search warrants within their judicial district. DOJ wants to broaden the judges’ purviews to allow them to issue warrants for electronic surveillance regardless of the device’s location. Opponents say that the change DOJ is asking for would threaten the Fourth Amendment’s limitations on search and seizure, and that it could allow for unprecedented access to foreign networks. [NextGov] [RT.COM]

US – Dating Site Faces $16.5 Million Penalty in Privacy Case

A jury in California rendered a verdict late last month of $16.5 million for the plaintiff in a case involving a dating website for individuals with sexually transmitted diseases (STDs). The website PositiveSingles was found guilty of sharing photos and other sensitive information of its users with other dating websites even though it claimed to be a “confidential” service. According to a press release, the service promised it would not share data with third parties, but “it turned out that PositiveSingles was simply one of over a thousand different websites, funneling member profiles and personal information into a single database that in fact shared that information with third parties.” The verdict was rendered under the California Legal Remedies Act, the report states, with $1.5 million stemming from compensatory damages and $15 million in punitive damages. A related case is still active. [BBC News]

Privacy Enhancing Technologies (PETs)

WW – Mozilla Unveils Polaris Privacy Initiative with CDT, Tor

Mozilla has announced a new strategic initiative called Polaris to help privacy leaders in the industry “collaborate more effectively, more explicitly and more directly to bring more privacy features into our products.” The project aims to give users better privacy technology and more control, awareness and protection, a Mozilla blog post states. Mozilla is joined by the Center of Democracy & Technology and the Tor Project, which “will support and advise Polaris projects and help us align them with policy goals.” Mozilla has also introduced a new “forget” button and added private search engine DuckDuckGo. [Mozilla]

WW – Changes in Firefox 33.1 Focus on Privacy

Mozilla has released version 33.1 of its Firefox browser. While incremental updates usually go unannounced, this update is notable for the Forget Button, which allows users to delete recent history and cookies for the last five minutes, two hours, or 24 hours, with a simple click. The button is new, but the capability is not – until version 33.1, it has been buried in the Firefox menu. Firefox also has a Private Mode that has been available since version 3.1, released in 2008. [eWeek]

WW – Tor Reacts to Silk Road Operation Onymous; NSF Awards Privacy Grant

The international sweep that took down some parts of the online drug and criminal underworld continues to elicit reaction. The Tor blog offers a detailed account of what the developers know and don’t know about what is known as Operation Onymous. In trying to understand how the anonymous network was so thoroughly infiltrated by law enforcement, the blog states that when the time comes to prosecute those arrested, “the police would have to explain to the judge how the suspects came to be suspects, and that as a side benefit of the operation of justice, Tor could learn if there are security flaws in hidden services or other critical Internet-facing services.” Meanwhile, the U.S. National Science Foundation has awarded a University of Texas at Arlington computer scientist with a $250,000 grant to improve online privacy and protections against adversaries. [Source]

WW – New Apps Meet Need for More Privacy After Oversharing

Consumers concerned about oversharing on public social networks are turning to private messaging apps to share texts, photos and videos with a limited group of people. Downloads of private social messaging apps increased 200% in 2013 over 2012, making them the fastest-growing category of apps, according to San Francisco-based mobile analytics firm Flurry. The apps provide more private connections and allow users to express themselves without worrying about how they are perceived by their entire networks. [Source]


US – NIST Releases Cyber-Threat Sharing Draft Guidance

The National Institute of Standards and Technology (NIST) has released draft guidelines to help organizations share information with one another about cyber-attacks. “Organizations can gain valuable insights about their adversaries,” said Christopher Johnson, one of the authors of the guidelines. “They can learn the types of systems and information being targeted, the techniques used to gain access and indicators of compromise.” The window for comment on the guidelines is open until November 28. [FierceHealthIT]

EU – ENISA Publishes Technical Guidelines on Incident Reporting version 2.1

Electronic communications network and service providers are required to report significant incidents to their National Regulatory Authority (“NRA”); however, member states are taking different approaches (such as setting thresholds for national reporting relatively high, keeping track of major security incidents and intervening whenever network and service providers fail to improve on security issues, or monitoring security networks and services to improve security). When reporting to ENISA, NRAs should assess whether or not an incident is relevant for NRAs in other countries and include an incident report which includes – service and number of users affected, duration, root cause and a description of the response action and lessons learned. [Source] See also: [Practical Information Security Management and Data Breach Response – Kelly Friedman, Partner, Davis LLP]

WW – DarkNet Domains Seized, Black Market Websites Shuttered

In an international effort, law enforcement officials seized and shut down hundreds of dark net domains associated with black market websites. Seventeen people have also been arrested. Among the seized domains are 414 .onion domains, addresses used by the Tor anonymity software. Last week, news of the arrest of alleged Silk Road 2.0 operator Blake Benthall made headlines, but that arrest was just part of Operation Onymous, the larger effort to dismantle online black markets. [WIRED] Update: [Europol have corrected the statement regarding over 400 domains being seized. The figure is closer to 27, the 400 number refers to URL links pointing back to the domains]

HK – Hong Kong Monetary Authority Guidance on Customer Data Protection

Controls for preventing and detecting customer data loss or leakage should include the following – develop formal security policies and procedures (covering system controls, physical security, mobile computing, and outside service providers), implement logical access controls (the rights to access customer data and transmit customer data to external parties should be granted on a need-to-have basis only), implement controls over data transmission (prohibit unauthorized transmission of consumer data from internal systems to outside networks/systems via Internet services that could store data – e.g., using peer-to-peer file sharing software), and conduct periodic audits over customer data protection. [Source]

WW – The Staggering Complexity of Application Security

During the past few decades of high-speed coding we have automated our businesses so fast that we are now incapable of securing what we have built. [Dark Reading] See also: [Stanford: Guidelines for Securing Mobile Computing Devices] [Mobile Security Guide – Everything You Need to Know] [Mobile Phone Security Tips] [Ultimate Library of ICS Cyber Security Resources] [Data Security Confidence Index] [E&Y: Global Information Security Survey 2014]

Smart Devices

WW – Smart TV, Dumb Policy

A 46-page privacy policy which is now included in all newly purchased Samsung Smart TVs states that voice recognition technology “may capture voice commands and associated texts” in order to “improve the features” of the system. The policy, a summary of which is also posted online, ominously advises users to, “Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.” Writing about the privacy policy for Salon.com, Michael Price, counsel in the Liberty and National Security Program at the Brennan Center for Justice at NYU School of Law, said he was now “terrified” of his new TV, noting that voice recognition is just one feature that could be used to spy on users. The television also logs website visits, has a built-in camera for facial recognition and uses tracking cookies to detect “when you have viewed particular content or a particular email message.” “I do not doubt that this data is important to providing customized content and convenience, but it is also incredibly personal, constitutionally protected information that should not be for sale to advertisers and should require a warrant for law enforcement to access,” writes Price, adding that current privacy laws offer little protection against “third party” data. [Source]


US – Americans’ Cellphones Targeted in Secret U.S. Spy Program

“The Justice Department is scooping up data from thousands of cellphones through fake communications towers deployed on airplanes, a high-tech hunt for criminal suspects that is snagging a large number of innocent Americans, according to people familiar with the operations.” “The U.S. Marshals Service program, which became fully functional around 2007, operates Cessna aircraft from at least five metropolitan-area airports, with a flying range covering most of the U.S. population, according to people familiar with the program.” [Wall Street Journal] See also: [Cam Kerry: Surveillance Should Not Overshadow Civil Liberties] [UK – UK intelligence agencies spying on lawyers in sensitive security cases] and [Tomgram: Shamsi and Harwood, An Electronic Archipelago of Domestic Surveillance] and [Craig Forcese: Does the State belong in the computers of the nation? (audio)] and [PRISM scandal threatens EU-US ‘Safe Harbour’ agreement]

US – Justice Department Walks Back Transparency on National Security Letters

“The government is retracting an argument made on appeal in a case challenging the constitutionality of an investigative tool widely used by the FBI to obtain data on Americans without court oversight,” reports The Washington Post’s Ellen Nakashima. “In a case being heard by the Ninth Circuit Court of Appeals in San Francisco, a Justice Department lawyer last month asserted that companies that receive national security letters — an administrative subpoena that can be issued by a field office supervisor — can comment on the ‘quality’ of NSLs they receive, including whether they think that ‘the government is asking for too much.’” [Washington Post]

WW – Director Says NSA Will Deal With Encryption Challenges; GCHQ Says Tech Firms In Denial; Germany, Brazil Make Anti-NSA Moves

U.S. NSA Director Michael S. Rogers visited Silicon Valley and said that “a fundamentally strong Internet is in the best interest of the U.S.,” The New York Times reports. Increased encryption of services by U.S. tech giants is “a challenge” for law enforcement, he said, adding, “And we’ll deal with it.” The new head of the UK’s GCHQ says some U.S. tech companies have become “command-and-control networks … for terrorists and criminals” and that British intelligence agencies could not tackle the challenges of increased encryption “at scale” without the help of the private sector. Meanwhile, Germany may enact a law that would require national clouds be built on local technologies, and Brazil, to avoid U.S. surveillance, has started laying its own undersea Internet cables. [New York Times]

US – Silicon Valley Privacy Push Sets Up Arms Race With World’s Spies

There is an arms race developing between Silicon Valley and government intelligence programs, and so far, Silicon Valley “shows no sign it plans to give in.” Government requests place tech companies in a Catch-22: If they comply, they risk alienating their customers; if they don’t, they face continued allegations from law enforcement for aiding criminals and terrorists. Specifically, Microsoft General Counsel Brad Smith has called for arms-control talks. [Bloomberg] See also: Facebook has reported a 24% increase in government requests in the first half of 2014. A federal appeals court was urged to strike down the NSA bulk phone metadata program and the Supreme Court considered how to balance whistleblower protections with national security. Finally, some are calling Sen. Mark Udall’s (D-CO) reelection loss a “blow for privacy and transparency advocates, as Udall was one of the NSA and CIA’s most outspoken and consistent critics.” The Privacy Advisor recently reported on the “national emergency” that is potentially brewing in this arena. [Bloomberg]

UK – ICO Issues Data Protection Code of Practice for Surveillance Cameras

The Information Commissioner’s Office released a Code of Practice (the “Code”) – which provides guidance on the operation of CCTV or other surveillance camera devices (e.g. body worn video cameras, and unmanned aerial systems); organisations should take into account the nature of the problem the organisation is seeking to address, whether a surveillance system would be a justified and effective solution, what effect its use may have on individuals, and if its use is a proportionate response to the problem. Organisations should establish who is responsible for the control of the information, how the information is used, and to whom it may be disclosed. [Source]

EU – German Data Protection Authority Issues Guidelines on Video Surveillance

Use of video surveillance cameras in public places requires notification to the Data Protection Authority; special consideration should be given to monitoring in the following situations – retail establishments (cameras should not be used in areas where customers have an expectation of privacy, such as fitting and change rooms), shopping malls (video surveillance should be avoided in locations such as ATMs, relaxation areas, washrooms, and locker areas), employee monitoring (constant monitoring of employees is usually inadmissible, unless they are working in a vulnerable area such as point of sale, jewelry or warehousing operations), and dashcams (dashcams infringe on the privacy rights of pedestrians and fellow motorists, due to the ongoing monitoring while the car is running). [Source] See also: [US: Woman Claims Landlord Hid Cameras In Her Upper West Side Apartment] and [Can We Afford Privacy from Surveillance?] and [UK – Drone use puts operators at risk of ‘collateral privacy intrusion’, says data watchdog]

EU – German Spy Agency Seeks Millions To Monitor Social Networks Outside Germany And Crack SSL

The BND also wants to spend EUR4.5 million to crack and monitor HTTPS (Hypertext Transfer Protocol Secure) encrypted Internet traffic. By 2020 some of that money may be spent [on] the black market to buy zero day exploits, unpublicized vulnerabilities that can be exploited by hackers. [IT World]

US – Brookings Institution Tells Congress Drone Privacy Concerns Inflated

The Brookings Institution has published a report urging Congress to not respond to privacy concerns raised by the future implementation of drones by drafting anti-drone legislation. Gregory McNeal, the author of the report, says drones and other automated surveillance may actually bolster privacy protections. He noted that state anti-drone legislation has “focused on the technology (drones), not the harm (pervasive surveillance),” adding, “In many cases, this technology-centric approach creates perverse results, allowing the use of extremely sophisticated pervasive surveillance technologies from manned aircraft while disallowing benign uses of drones for mundane tasks like accident and crime scene documentation or monitoring of industrial pollution and other environmental harms.” [Ars Technica] see also: [Will the EU Beat the U.S. to Commercial Drones?]

US – Harvard Secretly Photographed Students to Study Attendance

Students and faculty raise concerns after Harvard University announced it had secretly photographed undisclosed classrooms in a study researching student attendance, The Boston Globe reports. “Just because technology can be used to answer a question doesn’t mean that it should be,” one professor said, adding, “And if you watch people electronically and don’t tell them ahead of time, you should tell them afterwards.” Harvard President Drew Faust said she is taking the matter “very seriously” and will have the incident reviewed by a recently created panel that already oversees the school’s electronic communications policies. Harvard was criticized a year-and-a-half ago after news spread that administrators had been secretly searching school email accounts. [Full Story]

US Government Programs

US – NSA’s Richards Introduces New Privacy Assessment Process

Since the Snowden disclosures in June of 2013, the NSA has become the poster child for over-collection both in the U.S. and abroad. But NSA Civil Liberties and Privacy Officer Rebecca Richards wants to change that by bringing the agency’s civil liberties and privacy program beyond a compliance system that just checks off boxes. Speaking at a recent Privacy and Civil Liberties Oversight Board hearing on “Defining Privacy,” Richards said, “We have an opportunity to bring NSA’s approach to privacy together with a broader approach” that takes into consideration people’s legitimate privacy interests. As part of this new approach, Richards said she is testing a new privacy and civil liberties assessment process that includes frameworks from the private sector and non-intelligence agencies. [Privacy Advisor]

US Legislation

US – What the Midterm Elections Mean for Privacy Legislation

As the dust settles from this week’s midterm elections, Wired reports on what it calls the last bipartisan issue: reform of the NSA. Two senators helping to lead the charge for reform—Sens. Mark Udall (D-CO) and Mark Begich (D-AK)—were ousted this week, but, the report states, “a Republican majority in the House and Senate is not the devastating blow to privacy you might have expected it to be.” However, one of Congress’ loudest data security advocates, Rep. Lee Terry (R-NE), was unseated this week as well. Outside of Congress, California Attorney General Kamala Harris defeated her challenger one week after releasing the state’s first data breach report in two years. Experts say she plans to build upon cybersecurity policies in the upcoming term. [WIRED]

US – Senate May Vote on NSA Reform Next Week

The U.S. Senate could vote on ending the National Security Agency’s bulk collection of phone records as early as next week. If passed, the House could vote on the legislation by year’s end, which would “clear the decks for incoming Senate Majority Leader Mitch McConnell (R-KY),” the report states. “The American people are wondering whether Congress can get anything done,” said Sen. Patrick Leahy (D-VT), author of the bill. “The answer is yes. Congress can and should take up and pass the bipartisan USA FREEDOM Act without delay.” [The Washington Post]

Workplace Privacy

US – Postal Workers Union Files Complaint to NLRB After Data Breach

Following a breach affecting 800,000 U.S. Postal Service (USPS) employees, the American Postal Workers Union (APWU) has filed a complaint with the National Labor Relations Board. The APWU alleges the USPS “didn’t work with them to address the issue during the two months between the breach’s discovery and the Post Office’s public announcement on Monday,” the report states. APWU President Mark Dimondstein said the USPS was aware of the security problems, “they kept you and your union leadership in the dark … We do not know at this point whether management did everything in their power to protect our privacy, but they bear the ultimate responsibility.” [The Hill] Update: [House To Question USPS] See also: [Analytics in HR and in the Cloud]

US – Employee Mistakes Undermine US Government Data Security

According to an Associated Press analysis of information obtained through Freedom of Information Act (FOIA) requests, at least half of US government IT security incidents are the result of mistakes made by workers. Employees have violated workplace policies; lost or had stolen devices containing sensitive information; and shared sensitive information. [The Guardian] [A final rule was issued giving federal agencies the flexibility to either offer privacy training to contract employees or require the contractors to do the privacy training themselves]

US – DoD Puts Contractors on Notice For Insider Threats

A new rule requires US government contractors to gather and report information on insider threat activity on classified networks. According to a 2012 financial services sector study by the Software Engineering Institute (SEI), the impact of insider attacks is considerable. Each attack, which, on average, remains undetected for 32 months, costs the victim between $382,750 and $479,000. The impact of the unwitting insider threat is huge. According to a report published by the Ponemon Institute in December 2013, the costs to remediate damage caused by an advanced persistent threat (APT) attack run as high as $18 million ($9.4 million in reputational damage, $3.1 million in lost user productivity, $3 million in lost revenue and business disruption, and $2.5 million in technical support costs). Approximately 50% of known APT attacks are initiated through phishing attacks – the other half of successful APT attacks succeed because of users with poor cyber hygiene habits, or unwitting insider threat actors. [Dark Reading]

US – Cybersecurity Codes Being Added to All Federal Job Descriptions

By the end of 2015, the Office of Personnel Management plans to have every position within the federal government labeled with a descriptive code detailing the cybersecurity functions – if any – required of the employees performing that job function. Federal employees active in cybersecurity account for some 4 percent of the workforce but, until recently, there were no standard job descriptions for the work being done. Prior to OPM’s efforts, there were no clear definitions on cybersecurity workflow in federal agencies and no baseline for hiring managers on what related skills were needed across a variety of positions. [Federal Times]

US – Coca-Cola Faces Class-Action

A former employee of Coca-Cola has filed a class-action lawsuit against the company for failing to protect the personal information of more than 70,000 current and former employees and to notify them of its loss. Over a six-year period, 55 laptops were allegedly stolen from the company’s Atlanta headquarters. They reportedly contained Social Security numbers, driver’s license records, physical addresses and financial information. The plaintiff is seeking $5 million in damages. [The Pennsylvania Record]

US – Former Law Firm Employee Sues Over Photos

A woman is suing her former employer for uploading compromising photos of her to the firm’s computer server. Aubrey Fullmer, former receptionist of Simpson Logback Lynch & Norris, was allegedly dating one of the firm’s lawyers, Benjamin Simon, who decided to leave to start a new firm. The firm “confiscated his laptop computer,” which contained revealing photos of Fullmer. She claims the firm accessed personal files that were not stored on the confiscated computer but rather Simpson’s “personal GoogleDrive”—a cloud-based server. The suit claims the firm eventually moved them to the firm’s shared server where any employee could view the images. [Courthouse News Service]


16-31 October 2014


US – Court: Police Can Compel Defendants to Give Up Fingerprints but Not Passwords

A circuit court judge has ruled that defendants can be compelled to give up fingerprints but not passwords to law enforcement in cell-phone search cases. Judge Steven C. Frucci said that disclosing a fingerprint is like giving up one’s DNA or handwriting sample and thus not a violation of the Fifth Amendment protecting against self-incrimination. However, a password requires defendants to share knowledge, which is protected by the Fifth Amendment. Last year, privacy advocate and lawyer Marcia Hofmann predicted that Apple’s fingerprint ID could mean that users would not be able to plead the Fifth in cellphone search cases. [The Virginian-Pilot]

WW – This MasterCard with a built-in fingerprint sensor is coming in 2015

MasterCard has announced the world’s first contactless payment card that uses your fingerprint to authenticate payments. It’s partnered with Zwipe, the company behind this biometric technology, on a card that will only permit charges if your thumb is resting on the built-in sensor. You can wave it near an NFC reader for contactless payments, and it’s also fully compatible with chip terminals. Fingerprint data is all stored locally inside the card’s secure element and is never transmitted to MasterCard. And since biometric authentication obviates any need to enter a PIN, Zwipe says this is fundamentally more secure than the chip and PIN system. The company already ran a pilot with Norway’s Sparebanken DIN bank, but the prototype card used was far from perfect. It had a battery inside, which made it a bit more unwieldy compared to your everyday plastic. [Source]

AU – Opposition Grows to Storage of Photo and Biometric Data

Photographs of millions of Australians will be stored by the Immigration Department, and this “biometric data” gathering could extend to fingerprinting and iris scanning under the Abbott government’s controversial counterterrorism laws. The “foreign fighters” bill means there will be a major expansion of facial recognition imaging of Australians passing through international airports in a crackdown on passport fraud that could eventually apply to a wide range of biometric data – which could be shared with other government agencies. Critics say the danger of such information being hacked is profound, given many personal electronic devices are now secured by fingerprints and iris scans. The sheer scale of the personal information that would stream into the government’s databanks is set to open one of the first fissures in the largely bipartisan approach to national security, with Labor warning that the legislation poses a danger to privacy. [Source]


CA – Legislative News Roundup

Canada Introduces New Anti-Terror Legislation After Ottawa Attacks C-44: [Canada’s Public Safety Minister Steven Blaney introduced Bill C-44, which would broaden the powers of CSIS including authorizing Canadian spies abroad to break the laws of a foreign country when investigating threats to the security of Canada] | S-4: [The Canadian House of Commons is discussing Bill S-4, which would amend the Personal Information Protection and Electronic Documents Act to include mandatory breach notification provisions] [Canada’s House of Commons Industry Committee will now review Bill S-4, the Digital Privacy Act] and [Canada Mulls Mandatory Data Breach Notifications] | C-13 [Canadian Justice Minister Peter MacKay is getting criticism from both parties over Bill C-13, also known as the cyberbullying bill] and AB PIPA [Alberta has “formally filed” a motion to extend the deadline for the province to amend its Personal Information Protection Act (PIPA) with the Supreme Court] [Tighter privacy laws were among the issues highlighted by the Saskatchewan government in last week’s throne speech] and [Canada’s Conservatives’ latest budget bill includes the creation of a national missing persons’ DNA databank] [November 1st – 10th Anniversary of PHIPA] and finally: [CASL Enforcement: Much Ado About Nothing]

CA – Statement of the Privacy and Information Commissioners of Canada on National Security and Law Enforcement Measures

Privacy and Information Commissioners of Canada attending their annual meeting noted with sadness last week’s events in Saint-Jean-sur-Richelieu, Quebec, and in Ottawa, Ontario. “The following days, weeks and months will be critical in determining the future course of action to ensure not only that Canada remains a safe country, but also that our fundamental rights and freedoms are upheld. Legislative changes being contemplated may alter the powers of intelligence and law enforcement agencies. We acknowledge that security is essential to maintaining our democratic rights. At the same time, the response to such events must be measured and proportionate, and crafted so as to preserve our democratic values. To that end, the Privacy and Information Commissioners of Canada call on the federal Government:

  • To adopt an evidence-based approach as to the need for any new legislative proposal granting additional powers for intelligence and law enforcement agencies;
  • To engage Canadians in an open and transparent dialogue on whether new measures are required, and if so, on their nature, scope, and impact on rights and freedoms;
  • To ensure that effective oversight be included in any legislation establishing additional powers for intelligence and law enforcement agencies.

Canadians both expect and are entitled to equal protection for their privacy and access rights and for their security. We must uphold these fundamental rights that lie at the heart of Canada’s democracy.” The statement is available on the website of the Office of the Privacy Commissioner of Canada and the Office of the Information Commissioner of Canada. [Source]

CA – Ruling Prevented Sharing of Data on Men Who Killed Soldiers

Canada didn’t share “some intelligence” with the U.S. about the two men who committed fatal acts last week because of a 2013 court ruling limiting the transfer of personal data, according to a Canadian official. U.S. authorities knew little about Michael Zehaf-Bibeau or Martin Roulou, who each killed a soldier last week in Canada. A court ruling last year said the Canadian Intelligence Service was breaking privacy laws by passing data about Canadian citizens to the “Five Eyes” intelligence-sharing network, comprising Canada, the U.S., Australia, New Zealand and the UK. [Reuters] See also: [The Canadian Forces Counter Intelligence Unit has issued a new directive regarding social media practices in the wake of last month’s attacks]

CA – Classroom Behavior App Has Commissioners Worried

Privacy commissioners in Canada are concerned about a new computer program, increasingly used in Canadian schools, that collects and stores information about the in-class behavior of students. ClassDojo allows teachers to assign or deduct points for students based on their behavior, creating a competition for the best behavior among classmates and allowing parents to monitor how their kids are doing in real time. ClassDojo collects information on 53 million students globally on a minute-by-minute basis and stores it on a private company’s servers in the U.S. that is not subject to Canadian privacy laws, the report states. [Ottawa Citizen] See also: [Toronto: Rate My Classmate site meant to call out group-project slackers] and [Canadian university athletes must waive privacy to play: CIS] and [If a teacher’s decades-old erotic films can resurface online, what rights should we have to digital privacy?]

CA – Privacy Commissioner Issues Annual Report, MetaData Research Paper

The Office of the Privacy Commissioner (OPC) has released its annual report and a privacy research paper entitled Metadata and Privacy: A Technical and Legal Overview. See also: [Dentons Bernier Shares Tips from a Former Privacy Regulator]

CA – Alberta Privacy Commissioner Worried About Calgary Police Service’s Body-Worn Camera Plans

Growing worries over the Calgary Police Service’s plans to equip 550 officers with body cameras forced Jill Clayton, Alberta’s privacy commissioner, to voice concerns in a letter to Chief Rick Hanson. In September, deputy police Chief Trevor Daroux told Metro his pilot program ran from 2012 to 2013, recorded 2,700 videos and helped in 32 criminal cases. After completing the project, CPS announced they would move forward with body-worn cameras in 2015. This announcement sparked privacy concerns from the public and a civil liberty group. Clayton told Metro she was concerned about the project because she hasn’t heard from anyone at CPS. In her letter, which was later posted to her website, Clayton urges CPS to file a Privacy Impact Assessment. This report would address the CPS’s ability to handle the endless amounts of private information they would gather from using body-worn cameras. Though PIAs are not required, she has been lobbying for legislation to make them mandatory. [Source]


US – Study Finds Discriminatory Pricing “Much More Widespread”

A new study of top e-commerce websites has found “price steering”—when companies use consumer profiles to personalize prices—is much more widespread than previously understood. The study, which was conducted by a team of computer scientists at Northeastern University, tracked searches on 16 popular e-commerce sites and found six of the sites used the pricing technique but none alerted consumers to it. [The Wall Street Journal]

US – Vladeck, Calo Examine Digital Marketing Manipulation

David Vladeck, former director of the Federal Trade Commission’s Bureau of Consumer Protection, discusses a recent article by Prof. Ryan Calo in which Calo writes about the potential for digital marketing to manipulate consumer choice. Vladeck writes that Calo’s “arguments are powerful and persuasive” but suggests the risks might be “less pronounced” than Calo asserts, noting there are ways “regulators are already responding to the risks that manipulative digital advertising poses to consumers.” Reiterating that any disagreements he has with Calo’s article are “gentle caveats,” Vladeck concludes that Calo “has responsibly sounded an alarm to prompt regulators into action.” [The George Washington University Law Review]

WW – Study Spotlights PII Collection, Impact on Consumer Behavior

LexisNexis Risk Solutions has released a study focusing on why industries collect, store and process personally identifiable information (PII) and its corresponding effect on consumer behavior. The study surveyed more than 3,000 consumers regarding their willingness to share their PII in low, medium and high-risk transactions, and the study also interviewed 22 executives in the financial, healthcare, retail and government sectors to reveal how each uses PII for identity verification. LexisNexis Risk Solutions VP Dennis Becker said, “Organizations need to be cognizant of how consumers’ fears and experiences affect their willingness to share sensitive data and seek ways to minimize the amount of personal information being requested.” [BusinessWire] One survey has found nearly half of holiday shoppers said they will not shop at stores that have been hacked. See also: [Nico Sell of Wickr: Privacy Is the New Fame]


WW – Facebook and Yahoo Develop Mechanism to Protect Recycled eMail Addresses from Abuse

Facebook and Yahoo are taking steps to prevent users of recycled email addresses from taking control of other accounts. When Yahoo began recycling email addresses last year, critics were concerned that the information could be used to change passwords on accounts that used the old email address for password change confirmation, and that the new email user could possibly receive sensitive messages intended for the former user. Yahoo and Facebook have together developed a mechanism for preventing such abuse. Using Simple Mail Transfer Protocol (SMTP), sensitive email messages will include a field within the header that notes the date since which the sender has known the address. If the address is determined to have changed ownership since that date, the message will not be delivered. [ComputerWorld] [WIRED] See also: [After Nova Peris and Barry Spurr, should we all give up on email in the name of privacy?]
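The receiving side of that check, as an added example that is not code from the article, Facebook or Yahoo. It assumes the header field is the `Require-Recipient-Valid-Since` field of RFC 7293; the mailbox ownership table, the sample messages and the choice to deliver when the field is absent, malformed or has no mailbox history to compare against are assumptions of this sketch.

```python
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

HEADER = "Require-Recipient-Valid-Since"  # header field name defined in RFC 7293

# Constructed sample data (assumption): when the current owner took over each mailbox.
OWNER_SINCE = {
    "alice@mail.example": datetime(2010, 3, 1, tzinfo=timezone.utc),
    "bob@mail.example": datetime(2014, 8, 15, tzinfo=timezone.utc),  # recycled address
}


def parse_rrvs(value):
    """Split 'address; date-time' into (address, aware datetime); None if malformed."""
    value = " ".join(str(value).split())  # undo header folding
    address, sep, date_text = value.partition(";")
    address = address.strip().lower()
    if not sep or address.count("@") != 1:
        return None
    try:
        known_since = parsedate_to_datetime(date_text.strip())
    except (TypeError, ValueError):
        return None
    if known_since.tzinfo is None:  # e.g. a "-0000" zone parses as naive; treat as UTC
        known_since = known_since.replace(tzinfo=timezone.utc)
    return address, known_since


def decide(raw_message, rcpt, owner_since=OWNER_SINCE):
    """Return 'reject' if rcpt changed hands after the date the sender asserts."""
    rcpt = rcpt.lower()
    msg = message_from_string(raw_message)
    # A message to several recipients may carry one field per recipient.
    for value in msg.get_all(HEADER, []):
        parsed = parse_rrvs(value)
        if parsed is None or parsed[0] != rcpt:
            continue  # malformed, or about a different recipient
        address, known_since = parsed
        took_over = owner_since.get(address)
        if took_over is not None and took_over > known_since:
            return "reject"  # ownership changed after the sender last verified it
    return "deliver"


def sample(rcpt, rrvs=None):
    """Build a constructed password-reset message, optionally with the field."""
    lines = ["From: security@social.example", "To: " + rcpt]
    if rrvs is not None:
        lines.append(HEADER + ": " + rrvs)
    lines += ["Subject: Password reset", "", "Reset link follows."]
    return "\n".join(lines) + "\n"


SENDER_KNEW = "Sat, 1 Jun 2013 09:23:01 -0700"  # constructed date
RESET_TO_BOB = sample("bob@mail.example", "bob@mail.example; " + SENDER_KNEW)
RESET_TO_ALICE = sample("alice@mail.example", "alice@mail.example; " + SENDER_KNEW)
NO_FIELD = sample("bob@mail.example")
MALFORMED = sample("bob@mail.example", "bob@mail.example; yesterday")

if __name__ == "__main__":
    for name, raw, rcpt in [
        ("recycled mailbox", RESET_TO_BOB, "bob@mail.example"),
        ("same owner since 2010", RESET_TO_ALICE, "alice@mail.example"),
        ("field absent", NO_FIELD, "bob@mail.example"),
        ("field malformed", MALFORMED, "bob@mail.example"),
    ]:
        print(name, "->", decide(raw, rcpt))
```

The check only protects messages whose sender adds the field, so an ordinary message to the recycled address is still delivered to its new owner.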

WW – Mobile ISP Cricket was Thwarting Encrypted Emails, Researchers Find

Engineers from digital security and privacy firm Golden Frog found some customers of Cricket, a prepaid mobile company, were prevented from sending encrypted emails for months. The findings were shared with the FCC and released in a media report earlier this month, but without the company’s name, the report states. “Golden Frog said that Cricket customers were unable to send encrypted messages and said its testing found that the problem ended shortly after the TechDirt article was published,” the report states. “It is unclear how long or how many customers were affected.” [The Washington Post] See also: [Mondaq looks at Canada’s Anti-Spam Law provisions “concerning the distribution and installation of computer programs,” suggesting they should “be of particular concern to all businesses who distribute or intend on distributing software either alone or as part of their product or service offerings.”]


WW – China Using Phony Apple Certificate to Snoop on iCloud

A group that monitors Chinese government censorship, GreatFire.org, says that censors in China are conducting man-in-the-middle attacks on Apple’s iCloud in that country. Technical information suggests that a phony Apple certificate is being used to intercept the traffic. [GreatFire] [ArsTechnica] [InformationWeek] [v3.co.uk] [ComputerWorld] See also: [Apple Chief Vouches for China’s Pro-Privacy Stance]

WW – Apple Issues iCloud Security Advisory

Apple has issued a security warning about attacks attempting to steal information from iCloud users with fraudulent certificates. An Apple support page warns users to heed invalid certificate warnings while visiting iCloud and that they should never enter login information into websites that present certificate warnings. [Apple] [TheRegister] [CSMonitor] [v3.co.uk] [Adobe eReader now using SSL to phone home] [Analysis of Samsung KNOX] See also: T-Mobile is “quietly” hardening its network to a more sophisticated form of encryption, making it more difficult for bulk surveillance

WW – Apple to Stop Using SSL 3.0 for Push Notifications

Apple plans to stop using the Secure Sockets Layer 3.0 (SSL 3.0) encryption standard for its Apple Push Notification service following the disclosure of a vulnerability. Developers have until October 29 to update their apps. More information on the SSL 3.0 flaw: [ZDNet] [CNET]

EU Developments

EU – Parliament Approves New Commission

President-Elect Jean Claude Juncker has secured confirmation for his new European Commission with 423 Members of the European Parliament voting in favor and 209 voting against. Juncker said the commission will focus on digital matters. Harmonizing tech-related policy and laws across the EU will be the responsibility of two new commissioners, Andrus Ansip and Günther Oettinger, who will replace outgoing Commissioner for the Digital Agenda Neelie Kroes. And Access has published an extensive look at the incoming group of EU commissioners, suggesting, “In the five years ahead a certain number of these incoming commissioners will have a huge influence on digital rights and security issues that impact the lives of European citizens and, indirectly, the rest of the world.” [EurActiv] [Germany’s government is calling for “EU-wide retention of flight passenger data to combat the risk of terror,” and that move is “sparking opposition in the European Parliament.”] [During a meeting in Luxembourg, EU justice ministers for the first time “sounded out their political views on the balance between the right to be forgotten and the right to know”] [The parliamentary committee in Italy’s Chamber of Deputies has published the initial draft of an “Internet Bill of Rights” it has been working on since August] [The ICO has updated its code of practice for surveillance cameras and personal information, cautioning that surveillance cameras “must only be used as necessary and proportionate to address real and pressing concerns.”] [The Paris Court of First Instance has found for the plaintiffs in a suit on the right to be forgotten]

EU – Commission to Focus on Data Protection

As the new European Commission starts its five-year term, plans include working toward agreement on the EU’s new data protection rules, a European Parliament media release states. Data protection will be a key area of focus. “The EU hopes that the legislative package, which has always had the complete support of the European Parliament, will be adopted in 2015,” the report states, citing the European Commission Director for Fundamental Rights and Union Citizenship Paul Nemitz as indicating “if the political will exists, the council will adopt the package.” As Nemitz put it, “This reform will pave the way for a digital age with a fair competitive environment for European SMEs.” [EurActiv] See also: [Hogan Lovells Partner Eduardo Ustaran writes in a blog post, “2015 may be the year that sees the culmination of a legal modernisation process that has been running for the best part of four years.”] and [UK: Coming Down The Tracks: The Legislation That Will Make Data Protection Law Even Worse!] and [Hunton & Williams’ Privacy and Information Security Law Blog examines the Council of the EU’s proposed revisions to the compliance obligations of data controllers and data processors and the risk-based approach to compliance] [Christian Wiese Svanberg of Plesner Law Firm offers an overview of the recent EU Council of Ministers discussions on the proposed data protection regulation, noting “the reform now appears unstoppable, and fundamental changes to the scope and legal form of the proposal are becoming increasingly unlikely.”] [Christian Wiese Svanberg offers an overview of the EU Council of Ministers’ discussions of the proposed General Data Protection Regulation and the highly debated right to be forgotten] [Olivier Proust writes about the “burdensome exercise” that is notifying data protection authorities of data processing, noting it is still necessary.]

EU – No Details Being Shared on the DPC’s “Significant” LinkedIn Audit

The Office of the Data Protection Commissioner (DPC) issued a “raft of ‘significant’ recommendations” last month for LinkedIn to improve the privacy of its 1.2 million Irish users. “The recommendations, delivered on behalf of all European citizens, represent the culmination of a year-long investigation,” the report states, noting the DPC “is not releasing any details of those ‘significant’ recommendations. Nor is it indicating what problems it may have discovered in relation to how LinkedIn treats our personal information.” The reason, a DPC spokeswoman explains, is that it is up to organizations “to decide whether to publish an audit report carried out by this office.” The report states LinkedIn has declined to share the findings of the audit. [Independent.ie] See also: [While it hasn’t yet received the increased funding expected, the Irish Office of the Data Protection Commissioner is getting a “range of measures designed to strengthen the office”]

EU – Amazon Web Services Opens German Location to Quell Privacy Concerns

Confirming a report from this summer, Amazon Web Services has opened a location in Frankfurt, Germany. The move is designed to help diminish the post-Snowden privacy concerns of Europeans, especially Germans. Gartner Research Director Gregor Petri said, “The customers who are the hardest to convince to move workloads out of the country are mostly from Germany.” Forrester Research’s Stefan Ried said, “With the announcement, Amazon sets itself up to address not only the typically higher legal compliance and security concerns of European customers but also gets more credibility with the usually more conservative CIOs across Europe.” [PCWorld] see also: [A German court wants clarification from the European Court of Justice on whether dynamic IP addresses constitute private data] See also: [UK: GCHQ’s outgoing director warns spies must monitor the internet]

Facts & Stats

WW – Attacks Up 48%; Data Security Legal Practice Booming

A new PricewaterhouseCoopers (PwC) study reveals that the number of detected cyber-attacks has gone up 48% since 2013. There will be approximately 42.8 million cyber-attacks this year alone, or about 117,339 attacks per day. The study notes, “It is no surprise to find that as the number of information-security incidents continues to mount, so do financial losses.” Meanwhile, corporate “legal spending on cybersecurity and data privacy issues is expected to grow at the highest rate of any practice area in 2015, as clients look to ramp up their efforts to address the increasingly prevalent and sophisticated threats to the sensitive data they hold.” Plus, New York’s banking regulator says law firms, as a vendor, need to be carefully watched to develop strong data security practices. [The Hill]


WW – Google Changes Search Algorithm to Help Fight Piracy

Google made changes to its search algorithm that have had a noticeable effect on the number of video streaming and torrent sites that appear at the tops of results. Visibility of many sites known to offer pirated content has been significantly reduced. [Ars Technica] See also: [Montreal woman wins cash from Google for Street View cleavage]

WW – Survey Shows Orgs Disable Firewall to Improve Network Performance

According to a report from McAfee, while 60% of 504 surveyed IT professionals say security is paramount in network design, about 30% of organizations responding to the survey said that firewall security features are often disabled to boost network performance. McAfee senior director of network security Jennifer Geisler noted that “the way most firewalls are designed, it forces the trade-off so this is not a negative reflection on the administrator.” [Source]


US – Obama Signs Federal Card Security Order; MasterCard Unveils Biometric Cards; Apple Pay Available Today

President Barack Obama has signed an Executive Order that will bolster security for federal credit cards, a move designed to urge private-sector banks and retailers to follow suit. Starting in January, federal credit cards will use chip-and-PIN technology, and the White House said that Home Depot, Target, Walgreen and Wal-Mart will roll out chip-and-PIN-compatible terminals in all stores by January. Obama also called on Congress to enact data breach notification legislation, but that won’t happen this year. [Reuters] MasterCard announced it will introduce built-in fingerprint sensors for contactless payment cards in 2015. Starting this month, Apple Pay will work with iPhone 6 devices. [The U.S. Consumer Financial Protection Bureau finalized a rule allowing certain financial institutions to post annual privacy notices online rather than by paper delivery] and [In a filing with the FCC, the American Bankers Association (ABA) said banks that call or text customers run the risk of being sued under the Telephone Consumer Protection Act, a 23-year-old law that requires consumers’ consent to being called on their mobile phones] and [The California Superior Court has ordered Bank of America to turn over call recordings made with borrowers during the period of the Excessive Forbearance Remediation Project in 2013, subject to the Privacy Notice]

US – PCI Issues Security Awareness Guidance

PCI leaders have for months stressed the need for merchants to implement more structured employee education programs around data security. Now the PCI Security Standards Council has outlined just how it expects businesses that handle card data to address employee education. In a 28-page supplement to security awareness program best practices, the council reiterates that continuing employee education about how to detect and mitigate data security risks is a PCI compliance requirement. Three key points noted in the guidance include:

  • The need to assemble a security awareness team, which is responsible for the development, delivery and maintenance of the security awareness program;
  • Why developing security awareness content for the business plays a critical role in developing appropriate content and training information; and
  • How business can use security-awareness checklists to monitor and security awareness training programs.

The guidance’s appendix also includes a detailed checklist with specific compliance recommendations for each of the PCI-DSS requirements included in version 3.0. While this guidance is directed at requirement 12.6, which deals with information security policies and awareness programs, it touches on a range of security best practices – a comprehensive take on PCI compliance that industry security experts agree is needed. [Bank Information Security]

WW – Home Depot Breach Costs Twice Target’s

A new survey reveals that credit unions spent $60 million after the data breach at Home Depot last September, a cost that is more than double that of Target’s. The Credit Union National Association (CUNA) survey noted that 7.2 million consumer cards at credit unions were affected, and that, on average, it costs $8.02 to reissue a card. CUNA’s president and CEO said, “The bottom line is that credit union members end up paying the costs—despite the fact that the credit unions they own had nothing to do with causing the breach in the first place.” Retail groups pushed back in a letter sent to CUNA. “Even after absorbing substantial fraud losses,” the letter stated, “merchants are subject to massive fines by Visa and MasterCard networks and hundreds of millions of dollars in restitution through private litigation for cybersecurity breaches.” [The Hill]

WW – Coalition Launches Bitcoin Principles; EFF Aims to Stop NY Bitcoin Rules

A coalition of cryptocurrency companies has endorsed a new principles-based framework aimed at bolstering identity security, trust and access to a shared data Internet. The initiative was spearheaded by the Institute for Data Driven Design out of the MIT Media Lab, and the resources—called the Windhover Principles—are being implemented on an open source platform, the report states. “The Windhover Principles for Digital Identity and Trust are deeply rooted in the belief that individuals should have control of their digital personal identities and personal data,” an announcement said. “Underlying this core value is the principle of ensuring innovation in trust and privacy.” Meanwhile, the Electronic Frontier Foundation has launched a “Stop the BitLicense” initiative, arguing New York’s proposed Bitcoin rules could threaten privacy rights. [InsideBitcoins] See also: [India: Swiss authority willing to disclose info on black money:Centre]


CA – NB Ombudsman, Privacy Boss Call for More Open Government

Observers and officials are calling on Premier Brian Gallant to steer a cultural shift in New Brunswick’s civil service toward more transparency and less partisanship. The province’s Right to Information and Privacy Commissioner and the Ombudsman both say there needs to be a real change. A focus on government secrecy and partisanship in the civil service follows on some recent revelations: According to a poll commissioned by CBC News ahead of the Sept. 22 provincial election, New Brunswickers care more about transparency and integrity than they do about public education, taxation and shale gas. Residents have been largely left in the dark by their government on some major undertakings. Both the previous Liberal government’s move to sell NB Power and the Alward government’s forestry deal were criticized over secrecy. [Source] and also: [Alberta care homes fight to prevent release of financial reports]

CA – UPEI Student Union Wants University Included Under FOI Legislation

If a UPEI student wants information about the P.E.I. Sports Hall of Fame, they can file a freedom of information request and appeal a denied request. If that student wanted to do the same thing with their university, they would be out of luck. It’s a point UPEI student union president Lucas MacArthur made when he pitched the idea of including the university in Freedom of Information and Privacy Protection legislation to the education and innovation committee. MacArthur said P.E.I. is the only province that doesn’t include post-secondary institutions in its access to information law. The student union executives are meeting with Justice Minister Janice Sherry on Nov. 26 to discuss the issue. [Source] See also: [Toronto: School trustees not compelled to post details of expenses] and [Toronto school board trustees tampered with FOI request for expense reports, emails suggest]


CA – Ottawa Proposes DNA Database

Ottawa is one step closer to creating a DNA-based national missing-persons tool it says will assist coroners and police in solving cases and identifying human remains – a victory for families who have long pressed for the database despite privacy concerns and funding obstacles. The proposed legislation, introduced in the Conservatives’ latest budget bill, is the culmination of more than a decade of advocacy by those calling for a system that can compare missing persons’ DNA with samples culled from unidentified human remains. Victims’ families say the national database will give them the comfort of knowing that if their missing loved one is in a morgue somewhere, at least they’ll know. The budget bill is aimed at creating a missing-persons index, a human-remains index and an index for relatives whose profiles may be valuable in locating loved ones or identifying remains. The new indexes will be housed within the RCMP’s National DNA Data Bank facility, which already holds a crime-scene index and a convicted-offenders index. The legislation says profiles uploaded to the missing-persons index and the human-remains index can be compared against those in the crime-scene index and the convicted-offenders index – a move that could set up a battle with the Office of the Privacy Commissioner, which said it doesn’t object to a missing-persons database so long as it’s tightly secured and independent from the criminal indexes. The Privacy Commissioner’s Office told The Globe and Mail it is reviewing the proposed amendments to the DNA Identification Act and will be looking closely at the relationship between the new indexes and the existing criminal ones. The Criminal Lawyers’ Association has also raised concerns about linking the various indexes, saying it’s possible an intentionally “missing” person’s DNA could innocently end up at a crime scene. The association argues police might then become aware of that person’s whereabouts, infringing on privacy rights. 
[Source] See also: [Nevada’s four-month-old law requiring DNA samples be taken from all individuals arrested for a felony has received little pushback]

Health / Medical

US – DHS ICS-CERT Investigating Medical Device Vulnerabilities

An unnamed official at the US Department of Homeland Security (DHS) said that the agency’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) is investigating approximately two dozen cases of vulnerabilities in medical devices. While there have been no reported attacks exploiting these flaws, DHS is concerned that they could be exploited to cause heart implants and drug infusion pumps to malfunction. [ArsTechnica] [InformationWeek] [BBC] [SCMagazine] [IBT]

US – Federal Court Rules No HIPAA Violation in Malpractice Reform

A Florida federal appeals court recently ruled that physician defendants may have equal access to the health information of plaintiffs and that such access does not violate the Health Insurance Portability and Accountability Act. A tort reform law, which was upheld by this decision, states that prospective plaintiffs must submit a written request that authorizes defendants to access health records and conduct ex parte interviews. Jeff Scott of the Florida Medical Association said, “The impact is: It’s going to level the playing field in medical malpractice cases by giving defendant physicians the same access to crucial expert witnesses that the plaintiff has.” [Health IT Security] See also: [Bloomberg BNA reports on the ambiguities that occur when the U.S. Health Insurance Portability and Accountability Act and the Telephone Consumer Protection Act intersect] See also [US: Potential Health Data Breach, Medical Records Fly off Truck] and [Hospital privacy violations rife in Ontario] and [Yellowknife woman’s psychiatric report lands in employer’s hands] and [Ford’s records accessed at second hospital]

US – Apple’s Ban on Sharing HealthKit Data with Advertisers OK by FTC

Apple’s decision to bar HealthKit app developers from sharing user data with brokers or advertisers was a “welcome move” to FTC Chairwoman Edith Ramirez, Re/code reports. “Steps like this are, I believe, critical to fostering consumer trust,” Ramirez said during a conference Monday on connected devices. “Consumers will enthusiastically invite the Internet of Things into their homes, cars and workplaces only if they are confident that they remain in control over their data,” she said. The FTC has been looking into whether the government needs to get more involved in how companies are using Internet of Things data, and Ramirez has noted concerns about how such data is protected from hackers. [ReCode] See also: [US: Medical Information More Valuable To Hackers Than Credit Card Numbers] and [Beware of gift iPads]

Horror Stories

CA – Federal Data Breaches Up Again

The number of data breaches reported to the federal privacy commissioner by bureaucrats increased, hitting a record high according to a new report. Privacy commissioner Daniel Therrien said in his annual report to Parliament that 228 data breaches across the federal government were reported for the 12-month period ending March 31. Human error accounted for just over two-thirds of those breaches. The number was more than twice the number reported for the previous fiscal year. As a result the commissioner’s office issued a four-page tip sheet with checklists on four controls for protecting against breaches. Physical controls, for example, stress the importance of protecting devices not in use by placing them in locked cabinets or in storage areas where access is restricted. Technological controls would include encryption or strong passwords, with training for employees in each. Imprinting serial numbers on devices so they can be tracked is another recommendation. So is using portable storage devices to store personal information only as a last resort. Personnel security controls include regular mandatory training about security and privacy, and monitoring the use of personal storage devices by employees to ensure policies and procedures are being followed. Also in the report, the privacy commissioner’s office said it wants to get a better idea of how bureaucrats use portable storage, so it has started to study how 17 departments and agencies use the devices and whether they have implemented policies and adequate controls. It hopes to have the report done in the next year. [Source]

US – Staples Breached

Staples said its computer systems were compromised, affecting customers’ payment card information. The office supplier is working with law enforcement to determine the extent of the breach and has not revealed when the attack occurred, at which stores or how many customers were affected. The Massachusetts-based office supply store chain has contacted law enforcement. Information from sources at banks in the northeastern US suggests that the breach affects stores in Pennsylvania, New York, and New Jersey. [Krebs] [The New York Times] See also: [The personal information of nearly 100,000 people seeking their high school transcripts was recently exposed on a site that helps students obtain their records] and [Canada: Staples investigating potential security breach of credit cards]

WW – D&T Report Offers Guidance for Determining Veracity of Data Leak Claims

Deloitte & Touche has published a paper that contains advice for determining whether data found on the Internet are actually data stolen from a company or if posted information is fake. Companies can check to see if the posted data are duplicates of data that has been posted previously; they can also check to see if the listed usernames actually exist, and if the passwords abide by the company’s password policy. [SC Magazine] [Krebs] [DarkReading] [Deloitte Report]
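
The three checks summarized above (previously posted data, real usernames, policy-conformant passwords) can be run as a first-pass triage over a claimed dump. The sketch below is an added example, not taken from the Deloitte paper; the `user:password` dump format, the policy values, the account names and the verdict labels are all constructed assumptions.

```python
"""Triage a claimed credential dump with the three checks described above.

All accounts, passwords and policy values here are constructed for illustration.
"""
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    # Hypothetical company policy; substitute the real one.
    min_length: int = 10
    require_upper: bool = True
    require_digit: bool = True
    require_symbol: bool = True

    def allows(self, password: str) -> bool:
        """Return True if the password could have been set under this policy."""
        if len(password) < self.min_length:
            return False
        if self.require_upper and not re.search(r"[A-Z]", password):
            return False
        if self.require_digit and not re.search(r"\d", password):
            return False
        if self.require_symbol and not re.search(r"[^A-Za-z0-9]", password):
            return False
        return True


def fingerprint(username: str, password: str) -> str:
    """Hash a normalized pair so earlier dumps can be indexed without plaintext."""
    material = f"{username.strip().lower()}\x00{password}".encode("utf-8")
    return hashlib.sha256(material).hexdigest()


def parse_dump(text: str):
    """Yield (username, password) from 'user:password' lines; skip malformed ones."""
    for line in text.splitlines():
        user, sep, password = line.strip().partition(":")
        if sep and user and password:
            yield user, password


def triage(dump_text, known_fingerprints, directory, policy):
    """Score a claimed dump: recycled pairs, real accounts, policy-valid passwords."""
    records = list(parse_dump(dump_text))
    duplicates = real_users = policy_ok = 0
    fresh_plausible = []  # new pair + existing account + policy-conformant password
    for user, password in records:
        is_dup = fingerprint(user, password) in known_fingerprints
        is_real = user.strip().lower() in directory
        is_valid = policy.allows(password)
        duplicates += is_dup
        real_users += is_real
        policy_ok += is_valid
        if is_real and is_valid and not is_dup:
            fresh_plausible.append(user)

    if not records:
        verdict = "no-parsable-records"
    elif fresh_plausible:
        verdict = "investigate"        # at least one record passes all three checks
    elif duplicates == len(records):
        verdict = "recycled"           # everything was already posted elsewhere
    else:
        verdict = "likely-fabricated"  # unknown users or impossible passwords
    return {
        "total": len(records),
        "duplicates": duplicates,
        "real_users": real_users,
        "policy_ok": policy_ok,
        "fresh_plausible": fresh_plausible,
        "verdict": verdict,
    }


# Constructed sample data (example.com-style names, not real accounts).
DIRECTORY = {"a.ito@corp.example", "b.khan@corp.example", "c.lopez@corp.example"}
KNOWN_FINGERPRINTS = {fingerprint("c.lopez@corp.example", "Old!Passw0rd99")}
SAMPLE_DUMP = """\
a.ito@corp.example:Winter#2014pass
b.khan@corp.example:password
zz.nobody@corp.example:Tr0ub4dor&3xyz
c.lopez@corp.example:Old!Passw0rd99
not a credential line
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_DUMP, KNOWN_FINGERPRINTS, DIRECTORY,
                             PasswordPolicy()).items():
        print(f"{key}: {value}")
```

A password that fails the current policy may still belong to a legacy account, so the verdict is a prioritization hint for the response team rather than a finding.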

US – BBB Goes After Five Web Publishers for Lack of Enhanced Notice

The enforcement wing of the Better Business Bureau (BBB) has gone after five web publishers for not complying with the ad industry’s self-regulatory privacy guidelines. Answers Corporation, Best Buy, BuzzFeed, Go.com and Yelp have all agreed to revise their sites by offering “enhanced notice” on all pages where ad networks and other third parties collect information for use in targeted advertising. A spokesperson from Yelp said the company was contacted by the BBB’s enforcement unit in February, adding, “We immediately looked into whether any changes should be made to Yelp’s site and willingly made those minor updates.” Genie Barton, head of the BBB’s enforcement wing, said many web publishers appeared to be unaware of the self-regulatory principles. “We’ve done everything that we can to publicize it,” she added. [MediaPost] see also: [Librarians Are Dedicated to User Privacy. The Tech They Have to Use Is Not]

US – Employees of Fortune 500 Companies May Have Credentials Leaked

New research alleges that at 221 of the Fortune 500 companies, employees’ credentials are leaked online for hackers to access and use in cyber-attacks. Web intelligence firm Recorded Future said of the 600,000 websites that have posted users’ credentials from January 1 to October 8 of this year, 44 percent included a username-password combination from a Fortune 500 company. The leading industrial sectors affected include the financial sector and the retail/customer service vertical. Meanwhile, NetworkWorld reports on Voxis, a platform that allows cybercriminals to use stolen credit card data while avoiding fraud detection systems. Apple Pay competitor CurrentC, which is in beta, may have been breached, and cybersecurity firm IT Governance is urging U.S. organizations to implement ISO27001 to minimize data breach risk. [Mashable]

US – Hotel Company Files Complaint Against Insurer

InterContinental Hotels Group PLC has filed a complaint against Zurich American Insurance Co. “demanding coverage under two insurance policies for any potential losses that might result from a pending class-action accusing the hotel company of illegally recording customer service phone calls in California.” The class-action in question, which includes a potential class of 7,000 California residents, alleges Six Continents Hotels “recorded their calls to the company’s reservation hotline without their consent,” the report states. [Law360] See also: [Marketing Company Settles with Vermont AG]

Identity Issues

US – Report: Identity Fraud Surging

The Medical Identity Fraud Alliance’s new report, “The Growing Threat of Medical Identity Fraud: A Call to Action,” includes “several harrowing anonymous stories” as the number of medical data breaches continues to climb, Fortune reports. In fact, that number has quadrupled in the past five years fueled by “a decentralized U.S. health system, increasing digitization of records and demand in the black market,” the report states. “The crime itself can be very valuable to a cyber criminal or any criminal, even a low-tech criminal, and the reason is that the information contained in a medical record includes just about everything about you,” the Ponemon Institute’s Larry Ponemon said. [Source]

US – MyE-Verify to Use Cloud Services for Backend

The US Department of Homeland Security’s (DHS’s) MyE-Verify identity check tool allows people to place freezes on their Social Security numbers (SSNs). MyE-Verify has been available in some states since October 6 and is expected to be rolled out across the country by mid-2015. While DHS will operate the public facing website, the agency is looking for a cloud service provider to host the system’s backend. Here’s how the government describes MyE-Verify: “myE-Verify is a free, Web-based service that provides you with self-service features to participate in the E-Verify process. E-Verify is a Web-based system that enables an employer, using information reported on an employee’s Form I-9 for Employment Eligibility Verification, to determine if that employee is eligible to work in the United States. Many employers use E-Verify to verify the employment eligibility of their new employees.” [NextGov] See also: [850 voters in NYC are officially 164 years old]

US – Judge Finds Android IDs Are Not PII, Dismisses Cartoon Network Suit

A U.S. District Court judge has found that Cartoon Network (CN) doesn’t violate users’ privacy rights by transmitting the names of videos they view to analytics company Bango. Judge Thomas Thrash, Jr., dismissed a potential class-action lawsuit by an Android user alleging CN violated the Video Privacy Protection Act when it shared the titles of the videos he watched, combined with his Android ID, to Bango, which was then able to attribute his private viewing habits to an “existing digital dossier.” Thrash found Android IDs are not personally identifiable information, writing that although the randomly generated number is unique, “It is not, however, akin to a name. Without more, an Android ID does not identify a specific person.” [MediaPost]

US – LifeLock Introduces Consumer-Control Tool for Personal Information

LifeLock has announced it is beta-testing a new service that would allow consumers “to find and remove or suppress their personally identifiable information, such as name, address, age and known relatives, from selected common people-search websites and Internet-based advertising companies.” Called LifeLock Privacy Monitor, the free service “gives consumers better control of their privacy,” said LifeLock President Hilary Schneider, “and ultimately puts one more hurdle in the way of would-be identity thieves.” The company also recently conducted a survey that found 86% of consumers do not want their personal information sold by people-search websites and ad companies. [Source]

WW – Google Now Offering USB Key Security

Google is now offering optional enhanced security for users of its many services. The Security Key technology lets users of Google’s Chrome browser insert a key into a USB port on the device and tap it when prompted. It’s a more streamlined version of the 2-Step verification the company already offers, which sends users a code as a text message or email that users then enter. The new system requires that users purchase the USB key. The Center for Democracy and Technology’s Joseph Lorenzo Hall supports such technology, writing in a recent blog post that it’s time for “the beginning of the end of passwords.” [Google Online Security Blog] [Ars Technica] [Krebs] [CNET]

US – CES to Feature Companies Finding Solutions to ID Theft, Fraud

The Consumer Electronics Association (CEA) has announced the launch of the Personal Privacy and Cybersecurity Marketplaces at the 2015 International CES. The marketplaces will include personal cybersecurity products, solutions from smart wallets and safe payment apps as well as private Internet access. “As we all embrace the convenience and ‘always-connected’ powerful capabilities of our electronic devices, our privacy and security take on even more importance,” said a CEA spokeswoman, adding the CEA developed the marketplaces to highlight companies developing advanced solutions to stop identity theft, fraud and other cyber-crimes. [Press Release]

Intellectual Property

WW – OECD Releases Guidance on “Intangible Digital Content Products”

The OECD has released guidance urging governments and businesses to implement data protections for consumers of digital content. Consumer Policy Guidance on Intangible Digital Content Products was released on October 27, according to Bloomberg BNA, and it details customer surveys and complaints, including concerns about improper information disclosure as well as “misleading or unfair” data collection and use practices. Consumers also complained about poor redress mechanisms, the security of online payment systems and unclear terms of service. [OECD Library]

Internet / WWW

WW – Overview of Mauritius Conference of Data Protection Commissioners

The 36th International Conference of Data Protection and Privacy Commissioners (ICDPPC), held in Mauritius, “was an extremely productive and revealing event,” writes Hogan Lovells Partner Eduardo Ustaran. The ICDPPC, an annual gathering of data protection regulators “and other movers and shakers of the privacy world has become a reference point in terms of debating key public policy issues and coordinating regulatory strategies and actions,” Ustaran writes, noting the quality of the discussion and participants this year was top-notch. Given how active things are at the moment, this year’s conference did not disappoint. Ustaran highlights takeaways of particular relevance to the world’s privacy pros. [Privacy Perspectives] [The Big Takeaways From the DPAs Conference in Mauritius]

WW – ISO Cloud Standard Offers Help with Compliance Challenges

While cloud computing continues to grow, many organizations have delayed adoption due to the compliance concerns that come with sharing data with third-party providers. Kurt Wimmer and Caleb Skeath of Covington & Burling LLP write that the International Organization for Standardization’s (ISO) new standard, ISO 27018, is the first voluntary international standard for processing information that is specifically tailored for cloud providers and includes many requirements imposed by EU law. Because of this, “the new standard may provide … a quick reference point to evaluate the security practices of cloud service providers” and, as a result, may change the industry of cloud computing. Meanwhile, it will be difficult for healthcare companies “to fully trust cloud software vendors” unless governments “tighten the regulatory screws on SaaS vendors to make them be more transparent and forthcoming about their security practices.” [Source]

Law Enforcement

CA – RCMP Failed to Keep Records on Warrantless Access, Watchdog Says

There’s no way to know if the RCMP complied with privacy laws in requesting Canadians’ personal information without a warrant, or even how often the Mounties made such requests, according to Ottawa’s privacy watchdog. Privacy Commissioner Daniel Therrien said his office was not able to track how often the national police force requested access to Canadians’ personal information without a warrant — because the RCMP don’t track that information themselves. Therrien’s office revealed they were formally reviewing the RCMP’s warrantless access practices after the Star and the Halifax Chronicle Herald reported that police forces asked nine telecommunications companies for their customers’ information 1.2 million times in 2011 alone. Since launching the review in October 2013, Therrien’s office interviewed 50 RCMP members, including senior officers, field agents making warrantless requests, and IT specialists. After reviewing RCMP databases, which receive around two million new entries per year, the watchdog’s investigators could only find a few cases where they could identify a warrantless request had been made. [Source]

US – Local Cops Say Your Driving History Is Public — Unless You Want a Copy

Monroe Police have been using high-speed cameras to capture license plates in order to log vehicle whereabouts. As of July, the County’s database contained 3.7 million records, with the capability to add thousands more each day. The justification for cops having records of the whereabouts of law-abiding citizens is that the vehicles are driven in public and therefore drivers have no expectation of privacy. It’s an argument that’s at odds with the Supreme Court’s 2012 ruling in U.S. v. Jones. In Jones, a GPS tracking case, the court held that individuals do have an expectation of privacy when it comes to their long-term whereabouts, even when using public roads. [Source]

US – Virginia Police Departments Sharing Suspects’ Phone Metadata

For nearly two years, several law enforcement agencies in Virginia have been sharing suspects’ phone metadata with each other. The information, shared between five police departments, has been compiled into a database. [Ars Technica] [Virginia Police Have Been Secretively Stockpiling Private Phone Records] See also: [UK: Police apologise after personal details of crime victims leak online]


WW – Apple’s New OS X Yosemite Sends Search Data and Location back to Company Servers

While Apple has made headlines recently for its enhanced encryption in iOS 8, the company’s newest Mac operating system, OS X Yosemite, reportedly leaks user information by sending location and search data when users query Spotlight, the operating system’s search feature. [ArsTechnica] [TheRegister] [Spotlight: Privacy Advocates Furious As Apple Feature Siphons Off Location Data of Yosemite And iOS 8 Users] [Users can turn off the setting in Mac OS X’s System Preferences]

Online Privacy

US – Verizon Under Fire for Inserting Unique Identifiers, Tracking Internet Activity

Verizon Wireless has been inserting Unique Identifier Headers (UIDH) into data flowing between its users and the websites they visit. The short-term string of approximately 50 characters helps advertisers identify users on the web, and according to the report, “it’s the lynchpin of the company’s Internet advertising program.” The Electronic Frontier Foundation’s Jacob Hoffman-Andrews said, “ISPs are trusted connectors of users and they shouldn’t be modifying our traffic on its way to the Internet.” A Verizon spokeswoman said the company doesn’t use the UIDH to create customer profiles and customers who opt out of the Relevant Mobile Advertising program will not receive targeted ads. [Wired] [Ars Technica] [Verizon Wireless] See also: [Forbes: The Scoop on Permacookies] and [Unraveling and Unpacking the Technology of Web Tracking]. Meanwhile, technologists have developed a Firefox browser extension called AdNauseum that aims to turn ad blocking into a form of protest. The extension clicks on online ads that are blocked by AdBlock instead of ignoring them. One of its developers said “it is not advertising we are protesting but advertising insofar as it represents a dominant means of tracking.” Meanwhile, a program at Verizon Wireless gives customers points toward rewards like the “perfect night out” or other entertainment in exchange for their personal information. UPDATE: [Somebody’s Already Using Verizon’s ID to Track Users] see also: [Comcast customer files lawsuit claiming privacy violation]

US – Facebook Says Political Data-Mining Deal Is Privacy-Safe

Facebook is mining data on its users’ political views and plans to share those insights with ABC News and BuzzFeed for use in their reporting in 2016. The data will be collected from users 18 and older in the U.S. and will classify political sentiment as positive, negative or neutral. Facebook Director of News and Global Media Partnerships Andy Mitchell said, “Given the volume of conversation around politics on Facebook, we believe this data truly represents what the American people think about the potential candidates.” A Facebook spokesperson said the data “is gathered in an aggregated and depersonalized manner in a privacy-safe way.” [Politico] See also: [Twitter and IBM strike data mining agreement, Report] See also: [Online privacy taught to teens at Calgary conference] and also: [Social media is our modern diary. Why do tech companies own all the keys?]

WW – Facebook Experiments to Improve Tor Access

Facebook London Software Engineer for Security Infrastructure Alec Muffett writes about the social network’s efforts “to provide methods for people to use our site securely” and an experiment that “makes Facebook available directly over Tor network” via an “onion” address. “Tor challenges some assumptions of Facebook’s security mechanisms,” he writes, describing how a Tor user “who appears to be connecting from Australia at one moment may the next appear to be in Sweden or Canada” might be mistaken for a botnet. “Facebook’s onion address provides a way to access Facebook through Tor without losing the cryptographic protections provided by the Tor cloud,” Muffett writes. [Source] SEE ALSO: Facebook has unveiled a new pseudonymous app called Rooms, developed by Josh Miller, which is reportedly the first product where Facebook doesn’t require users to use their real names.

WW – Apple Responds to Privacy Concerns About Spotlight

Apple’s Spotlight search function was updated last week with the latest version of Apple’s operating system and is also available for older machines to download. The tool offers Google search suggestions and allows users to search their PCs or the Internet via Bing. Following privacy concerns that it was collecting user location data, Apple issued a statement clarifying Spotlight’s data collection practices, including that it doesn’t retain IP addresses and blurs locations. “We are absolutely committed to protecting our users’ privacy and have built privacy right into our products,” Apple said, adding it has worked to minimize the amount of information sent to the company. But security expert and new FTC CTO Ashkan Soltani called the feature the “worst example of ‘Privacy by Design’ I’ve seen yet.” [The Washington Post]

US – Senator Demands Explanation from Whisper Over User Tracking

Fallout from last week’s report by The Guardian about several privacy issues with anonymous social media app Whisper continued after Senate Commerce Committee Chairman Jay Rockefeller (D-WV) wrote a letter to the company’s chief executive asking for a detailed, in-person meeting, The Guardian reports. In his letter, Rockefeller told Whisper CEO Michael Heyward that as commerce chair, Rockefeller has “jurisdiction over the FTC and consumer protection issues including online privacy.” Last week, Whisper’s editor-in-chief said The Guardian’s report was “a pack of vicious lies,” but last weekend, in a statement, Heyward said, “We realize that we’re not infallible.” [The Guardian]

US – Whisper Fires Back Against Accusations

The company behind Whisper—the site enabling users to make confessions they’d be unlikely to make publicly, while promising anonymity and claiming to be the safest place on the Internet—is tracking user location, The Guardian reports. The Guardian also reports the company is sharing information gleaned from smartphones being operated from military bases with the U.S. Department of Defense. However, the company has written a five-page statement alleging the story is inaccurate. “Whisper does not collect nor store any personally identifiable information from users and is anonymous,” the company said. “There is nothing in our geolocation data that can be tied to an individual user and a user’s anonymity is never compromised.” [The Guardian] See also: [What happens when your friend’s smartphone can tell that you’re lying]

CA – Negative Online Reviews Led to Threats of Legal Action from Targeted Businesses

It’s just an opinion, right? But if you post it online, you could get some unwanted attention from lawyers. A growing number of companies are going after people who post negative reviews online. Ottawa student Olivia Parsons learned that the hard way. After moving out of her apartment in June, she says she posted several less-than-flattering online reviews on Google and Yelp. The reviews took aim at CLV Group — the company that manages the building. According to its website, CLV manages more than 7,500 rental apartments in Ontario and Quebec. Parsons was upset about fees she was asked to pay after moving out and the way, she says, the company handled the issue. About a week later, Parsons got a surprise in the mail — a letter from CLV Group’s lawyer demanding Parsons immediately stop posting negative reviews and that she delete the ones already up. The letter described her reviews as “false” and “misleading” and damaging to the company’s reputation. That letter came as a surprise for another reason. Parsons used an online pseudonym. Yet the company was still able to track down her real name and even her new address. She has no idea how they managed to do that. [Source]

US – Ello Gets $5.5 Million in VC

Privacy-promising social network Ello has received $5.5 million in venture capital funding, while simultaneously filing as a Public Benefit Corp. in Delaware, which makes it “impossible under U.S. law for investors to require Ello to show ads, sell data or sell the company to any buyer who would violate those conditions.” Addressing skepticism about Ello’s plans for not selling data to third parties, Ello investor Seth Levine said, “Our belief is that there are products and features that Ello can develop that users will be willing to pay for.” [TechCrunch]

Other Jurisdictions

AU – Gov’t Delays Vote on Metadata Bill

The Australian government will delay a parliamentary vote on a mandatory metadata retention bill until next year, The Guardian reports. The bill would require Australian telecommunications companies and ISPs to store data on users—specifically IP addresses and who users have emailed but not their web-browsing history—for two years, but it will not be subject to a vote until a bipartisan committee initiates an inquiry. A communications spokesman for the Labor party said, “It involves privacy concerns from everyone that’s got a mobile phone or access to the Internet and potential cost concerns.” [The Guardian] [Australian Communications Minister Malcolm Turnbull has introduced a bill that would repeal certain reporting requirements for telcos] [Australian Immigration Minister Scott Morrison is defending a proposal to collect biometric data, noting such retention of “sensitive personal information on travelers was becoming a ‘common standard’ for countries.”] and [The Office of the Australian Information Commissioner has released its 2013-14 Annual Report, which shows the office handled a record number of complaints] and also [The New South Wales Office of the Attorney General “has confirmed the government’s intentions” to include rules for “storing data offshore, particularly as part of cloud computing arrangements.”] and also: [Hong Kong Privacy Commissioner Allan Chiang has issued guidance on a number of data protection issues banks must consider]

Privacy (US)

US – NSA Phone Program Faces Court Test

In a case that will be “closely watched,” the DC Circuit Court of Appeals will hear arguments challenging the constitutionality of the NSA’s bulk phone data collection program. Plaintiff Larry Klayman said “all we’re really asking is that the NSA adhere to the law.” The FBI is urging Congress to change the Communications Assistance for Law Enforcement Act to essentially force companies to give the FBI a mobile device master key to sidestep encryption. Section 213 of the USA PATRIOT Act, which allows for so-called “delayed-notification search warrants,” has privacy advocates concerned that such “sneak and peek” warrants are also being used in cases not involving suspected terrorists. See also: Colorado’s senate race, Sen. Mark Udall’s (D-CO) political fight for survival and what his loss could mean for surveillance reform. [Source]

US – ACLU Challenging School District Digital Policy for Violating Students’ Rights

The ACLU is challenging a Tennessee school district’s policy of searching students’ electronic devices and monitoring and controlling what the students post to social media. The policy also allows schools to monitor communications sent through or stored on school networks. The ACLU says the policy is broadly written and “demonstrates a fundamental misunderstanding” of students’ constitutional rights. [WIRED] [Policy] [ACLU Letter] See also: [“Al Quaida” SSID causes flight delay]

US – Google, Viacom Ask Judge to Dismiss Suit “With Prejudice”

Google and Viacom have asked a federal judge to throw out a proposed class-action suit that alleges the companies violated children’s privacy rights by collecting personal data from those visiting sites like Nick.com, for example. The suit, “which was brought in 2012 on behalf of a group of children, stems from allegations that Viacom allows Google to set tracking cookies on Nick.com, Nickjr.com and Neopets.com,” the report states, noting an earlier version of the suit was dismissed without prejudice in July, “meaning that the children’s lawyers could amend their allegations and try again,” which they did, in August. Google and Viacom are urging the judge “to dismiss the lawsuits with prejudice, which would prevent the users from bringing the complaint again.” [Media Post] See also: [Federal Court Won’t Revive Redbox Suit] and [A New Jersey federal judge threw out a Wyndham Worldwide Corp. shareholder’s derivative action over a series of security breaches] and [In a case deciding whether the display of ads by Google’s Remarketing service violated the Israeli Spam Act, a district court correctly dismissed the case but in turn “practically altered the law’s provisions”] and [Judge Thomas Thrash, Jr., dismisses a potential class-action lawsuit by an Android user alleging Cartoon Network violated the Video Privacy Protection Act when it shared the titles of the videos he watched, combined with his Android ID, to Bango, which was then able to attribute his private viewing habits to an “existing digital dossier.”]

US – SCOTUS to Take Up Hotel Privacy Rights Case

The Supreme Court agreed to take up a hotel privacy rights case involving a Los Angeles city ordinance that requires hotels to maintain detailed guest lists and make them “available to any officer of the Los Angeles Police Department for inspection.” In December, a “divided” Ninth Circuit Court of Appeals said the ordinance violated the Fourth Amendment. The plaintiffs’ lawyer said, “A lot of the hotel owners in the LA area are being subject to warrantless searches under this ordinance.” Lawyers representing the city said the ordinance helps police investigate crimes, locate fugitives and could assist in responding to a homeland terrorist attack. [The Wall Street Journal] See also: [Police: Texas women digging through hotel dumpster had guests’ credit card information]

US – DMA, Venable Release Breach Notification Guide

The Direct Marketing Association (DMA) and Venable LLP have released a new guide on state data breach notification laws, according to a press release. The Essential Guide to Data Breach Notification is being distributed now. “We hear nearly every week about the occurrence of data breaches,” said Peggy Hudson, DMA’s senior VP for government affairs. “Data security and consumer trust are inextricably linked, and it’s up to all marketers to act as stewards of consumer information. With this guide and our extensive advocacy efforts, DMA is making the task of data stewardship more manageable for responsible actors across the data-driven marketing economy.” [Source] [DMA Fact Sheet]

US – Most U.S. Farmers Worried About Data Privacy -Farm Bureau Survey

Three out of four U.S. farmers fear data they share with companies offering big data services may fall into the wrong hands or be used without their consent, including for commodity market speculation, according to a survey published this week. The American Farm Bureau Federation said in the survey of 3,380 farmers from late July to September that more than 82% of farmers are unsure how companies selling data-mining tools aimed at boosting yields and efficiency plan to use their data. (Survey findings). Despite the unease, more than half of farmers say they plan on investing in new or additional precision planting or data gathering tools in the future, according to the survey by the country’s largest farmer organization. [Source]

US – Privacy Act Turns 40, Gets Roasted

The Privacy Act turned 40 this year. To celebrate, Georgetown Law’s freshly launched Center on Law and Technology held a birthday party of sorts. Well, a birthday party where the guest is partly celebrated but mostly roasted by all of its friends and foes and then told how it can improve. But who doesn’t love a good roast? The event featured an all-star roster of panelists who discussed how the law came to be and why it was so desperately needed 40 years ago, as well as the ways its provisions now fail to protect Americans thanks to technology, the ascension of big data and some pretty sneaky workarounds created to circumvent the law’s prohibitions. [IAPP Privacy Advisor]

US – Ashkan Soltani Named FTC’s New Chief Technology Officer

The U.S. FTC named Ashkan Soltani as its new chief technology officer. Soltani, who has been an independent security researcher and investigative reporter, is taking over for Latanya Sweeney, who will be returning to Harvard University. “Technology and online and mobile platforms are continuing to evolve at a rapid pace and will remain a key focus for the FTC,” said Chairwoman Edith Ramirez, adding, “I am very grateful to Latanya Sweeney for her outstanding work … particularly for her leadership in strengthening the commission’s efforts to better protect sensitive consumer information.” Soltani will take up his new role in November. [FTC] See also: [Omer Tene breaks down the FTC’s reasonable standard and how it can help you navigate the uncertainty of “reasonable security.”]

Privacy Enhancing Technologies (PETs)

WW – Overview of Emerging Tokenization-as-a-Service Model

Payments security specialist Ian Hermon writes about the emergence of the tokenization-as-a-service model for payment card data protection. He points out that tokenization “protects merchants by devaluing the data they need to hold,” thus making it less desirable for hackers—a notion highlighted last week in the California attorney general’s report on data breaches. A report released by security company Solutionary reveals that 75% of the companies it assisted had no cyber-incident response team or policies and procedures in place. Cybereason CEO and Cofounder Lior Div argues, in a column for Forbes, that the “main reason … security fails to successfully battle complex hacking operations is not due to a lack of competency or negligence” but rather “because security teams desperately lack context.” [SC Magazine]

US – Karp: Engineers, Technologists Can Help Mine Data and Protect Privacy

Palantir Technologies Chief Executive Alex Karp says privacy is at risk in the current data ecosystem, but engineers and technologists can help protect individuals from government snooping by placing “tags” on data that would require anyone who uses a given data point to disclose how they’re using it. Palantir has developed similar technology for the private sector and law enforcement agencies. “The behavior should be tagged in a way that a third party can always be aware of what (the engineer) is doing,” Karp said. He also noted that more technologists should go to work for the U.S. government because it is in short supply of engineers, the report states. [WSJ] See also: [Will Breaches and Privacy Concerns Lead to the Rise of the Personal Cloud?] See also: [Professor: Anonymous Apps Give False Sense of Security] and [The Hidden Privacy Threat of … Flashlight Apps?] and [MIT Tech Review: Well-funded start-up Illumio says it has created software designed to reduce intrusions and protect data centers from massive breaches] See also: [A Look at Dynamic Data Obscurity: What Anonymization and the TSA Have in Common] and [Experts Point to ‘Responsible’ De-identification Methods as the Means to Protect Patient Privacy and Harness the Power of Big Data for Much-Needed Research and Analytics] and [US: Riding with the Stars: Passenger Privacy in the NYC Taxicab Dataset]

WW – Kickstarter Suspends Funding for Privacy Router

Kickstarter has suspended funding for Anonabox, a privacy-enhancing router project, for allegedly misleading investors. In an email to investors who had pledged money to the project, Kickstarter said “a review of the project uncovered evidence that it broke Kickstarter’s rules,” including “offering purchased items and claiming to have made them yourself” and “presenting someone else’s work as your own” as well as “misrepresenting or failing to disclose relevant facts about the project or its creator.” A post on Reddit revealed that what the project’s creator, August Germar, said was custom-built hardware was already for sale by Chinese suppliers. [Wired] Meanwhile, web creator Tim Berners-Lee is backing MeWe, a private communications network that combines social media, cloud storage and individual and group messaging, all with privacy at the forefront. See also: [Opinion: Better data privacy will boost innovation]

WW – Google Employs 1960s-Era Technique for Privacy-Friendly Stats Collection

Google plans to use a technique developed in the 1960s in a project aimed at gathering users’ computer data in a privacy-friendly manner. Named Randomized Aggregatable Privacy-Preserving Ordinal Response, the project will collect software statistics, including security flaws, without compromising sensitive information. It does this by using a “statistical trick … allowing software to send reports that are effectively indistinguishable from the results of random coin flips and are free of any unique identifiers,” said Ulfar Erlingsson, the project’s lead tech manager for security research. “However, by aggregating the reports, we can learn the common statistics that are shared by many users.” Google will present a paper on this at the ACM Conference on Computer and Communications Security. [PCWorld]
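The 1960s technique is randomized response. The sketch below is an added illustration, not Google's code (the published RAPPOR design additionally encodes values in Bloom filters): it shows how one-bit reports that are individually deniable still yield an accurate aggregate once the known noise is inverted. The function names, the 0.5 truth probability and the simulated population are assumptions made for the example.

```python
import math
import random


def randomized_report(truth: bool, p_truth: float, rng: random.Random) -> bool:
    """Client side: report the real value with probability p_truth,
    otherwise report a fair coin flip that ignores the real value."""
    if rng.random() < p_truth:
        return truth
    return rng.random() < 0.5


def estimate_rate(reports, p_truth: float) -> float:
    """Server side: recover the population rate from noisy reports.

    E[observed] = p_truth * rate + (1 - p_truth) * 0.5, solved for rate.
    """
    observed = sum(reports) / len(reports)
    estimate = (observed - (1 - p_truth) * 0.5) / p_truth
    return min(1.0, max(0.0, estimate))  # clamp sampling noise into [0, 1]


def epsilon(p_truth: float) -> float:
    """Local differential privacy level of one report:
    ln( P(report=1 | truth=1) / P(report=1 | truth=0) )."""
    p_yes_if_true = p_truth + (1 - p_truth) * 0.5
    p_yes_if_false = (1 - p_truth) * 0.5
    return math.log(p_yes_if_true / p_yes_if_false)


def posterior_given_yes(prior: float, p_truth: float) -> float:
    """What the collector can infer about ONE client who reported 1,
    given the population rate as prior (Bayes' rule)."""
    p_yes_if_true = p_truth + (1 - p_truth) * 0.5
    p_yes_if_false = (1 - p_truth) * 0.5
    joint_true = prior * p_yes_if_true
    return joint_true / (joint_true + (1 - prior) * p_yes_if_false)


def simulate(n_clients: int, true_rate: float, p_truth: float, seed: int):
    """Constructed population: a fixed share of clients has the property
    (for instance, a particular software setting); each sends one report."""
    rng = random.Random(seed)
    n_true = round(n_clients * true_rate)
    truths = [True] * n_true + [False] * (n_clients - n_true)
    reports = [randomized_report(t, p_truth, rng) for t in truths]
    return truths, reports


if __name__ == "__main__":
    truths, reports = simulate(100_000, 0.10, 0.5, seed=2014)
    wrong = sum(t != r for t, r in zip(truths, reports)) / len(truths)
    print(f"reports that contradict the truth: {wrong:.1%}")
    print(f"estimated population rate:         {estimate_rate(reports, 0.5):.3f}")
    print(f"epsilon per report:                {epsilon(0.5):.3f}")
    print(f"P(truth | report=1), prior 10%:    {posterior_given_yes(0.10, 0.5):.2f}")
```

A lower `p_truth` gives each client more deniability (smaller epsilon) but widens the error of the aggregate, so more reports are needed for the same accuracy.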


US – NIST Issues Information Sharing Guidelines for Public Comment

The US National Institute of Standards and Technology (NIST) has released a draft of its Guide to Cyber Threat Information Sharing for public comment. “The goal of the publication is to provide guidance that improves the efficiency and effectiveness of defensive cyber operations and incident response activities, by introducing safe and effective information sharing practices.” NIST will be accepting comments through November 28. [Source]

US – NIST Warns of Security Issue in Samsung’s “Find My Mobile” Service

A vulnerability in Samsung’s “Find My Mobile” service could be exploited by attackers to lock the devices. The National Institute of Standards and Technology (NIST) has issued a warning about the problem. [ComputerWorld] [NIST]

Smart Cards

US – US Defense Dept Starting to Roll Out Chip-and-PIN Cards for Travelers

The US Department of Defense (DOD) has issued approximately 600 payment cards with chip-and-PIN technology to members of the military who travel. All 1.3 military travelers will have the new cards by the end of summer 2015. DOD military travelers may also request the cards starting in January 2015. [NextGov] [US Government to Require Chip-and-Pin for Federal Payments]

US – POS Malware Persistent

Point-of-sale malware known as Backoff is still being found on systems in the US. According to numbers from Damballa, Backoff infections increased 57% in August and 27% in September. It is unlikely that infections will decrease any time soon as the holiday shopping season draws near. [The Register] [NBC News]

US – Automakers Working on Protecting Vehicle Data Privacy

The Association of Global Automakers — the trade association representing Toyota Motor Corp, Honda Motor Co., Nissan Motor Co., Hyundai Motor Co. and other foreign automakers — and the Alliance of Automobile Manufacturers — the group representing U.S. automakers, Toyota, Volkswagen AG, Daimler AG and others — both say they are working together to ensure driver data privacy. The two groups told the National Highway Traffic Safety Administration late Tuesday they are working jointly to write consumer privacy protection principles. Sen. Al Franken, D-Minnesota, has raised concerns about driver privacy because of consumer data from GPS and in-vehicle systems. Global Automakers told NHTSA it supports making vehicle to vehicle communications required. [Source] See also: [Napel: Where’s the Security for Wearables?]


US – Intelligence Director’s Interim Report Calls for Privacy Improvements

The Office of the Director of National Intelligence (ODNI) has issued an interim report on the implementation of Presidential Policy Directive/PPD-28, Signals Intelligence Activities. The directive was issued in January of this year and establishes new principles and strengthens oversight on signals intelligence activities. The interim progress report recommends ensuring “privacy and civil liberties are integral considerations in signals intelligence activities,” say Alexander Joel, CIPP/US, CIPP/G, and Robert Litt, in their announcement. Among the key points denoted by the Civil Liberties Protection Officer and the General Counsel for ODNI are a call for improving how privacy and civil liberties complaints are handled and reviewing training “to ensure that the workforce understands the responsibility to protect personal information, regardless of nationality” with completion of the training “a prerequisite for accessing personal information in unevaluated signals intelligence.” [Source] See also: [FBI Director: Post-Snowden Pendulum Has Swung Too Far] and [How the FBI caught a teenager making bomb threats: It planted a fake news article about him and hoped he clicked it]

US – Florida Supreme Court Says Warrant Required for Cell Phone Tracking

Florida’s Supreme Court has ruled that law enforcement must obtain a warrant before collecting cell phone location data. The court ruled that obtaining cell tower location data from service providers in real-time constitutes a Fourth Amendment search and therefore requires a warrant. The case involves cell data from a provider but could likely be applied to devices like StingRays, which simulate cell tower signals. [WIRED] [ArsTechnica] [SCMagazine] [Ruling] and also: [US: Can privacy be applied when using mobile phones for Ebola contact tracing?]

US – Washington, DC Police and Stingray

Documents obtained through a Freedom of Information Act (FOIA) request show that police in Washington, DC have had a StingRay cellular surveillance device since 2003, but it remained unused until 2009, when officers were trained in its use. StingRay is a trademarked name, but has come to serve as a generic term for the technology. The devices, also known as IMSI catchers, can determine the location of cell phones as well as intercept calls and text messages. They also vacuum up data from other phones in the area. [Ars Technica]

UK – Schneier, Diffie, Ex-MI5 Bod, Privacy Advocates Team Up On Code Red

Security experts including Bruce Schneier and Whitfield Diffie are teaming up with privacy advocates to form a new privacy group that aims to champion privacy against the growing tide of intrusive government surveillance. The project, Code Red, is due to begin in January with the aim of becoming a “strategic think tank and campaign clearinghouse to provide new resources and tactical advice to human rights groups across the world”. The project reflects concerns that government surveillance and intrusion has escalated – despite the national security disclosures by whistleblower Edward Snowden. Code Red aims to support whistleblowers as well as human rights groups. Code Red has put together an impressive cast of members on its steering group including Diffie, one of the pioneers of public key cryptography, and influential security expert Schneier as well as Tor developer and Snowden disclosures affiliate Jacob Appelbaum. Code Red’s steering group includes several influential figures in civil society, among them MI5 whistleblower Annie Machon, former US Congress member and presidential candidate Cynthia McKinney, former Wikimedia General Counsel Mike Godwin, the Electronic Frontier Foundation’s International Rights Director Katitza Rodriguez and the former editor of Index on Censorship Judith Vidal-Hall. [Source]

SK – Government Tries to Ease Public’s Online Privacy Fears

South Korean Prime Minister Chung Hong-won is trying to ease fears among the public about online privacy after prosecutors last month launched a cyber-investigation team to help uncover online rumors that President Park Geun-hye said “crossed the line.” As a result, citizens have been fleeing a domestic chat app to a foreign rival due to fears the government is spying on their conversations. Hong-won said the government is only monitoring for high-profile crimes such as murder, human trafficking or insurrection. The prime minister’s office said he has “emphasized that the government has been steadfast in ensuring freedom of expression and other basic privacy rights and will continue to do so.” [Reuters]

UK – Lords Consider Drone Laws Over Privacy Fears

A House of Lords committee will hear from drone safety experts about whether legislation needs updating. The committee is investigating the civil use of unmanned aerial vehicles (UAVs) and is expected to report its findings in 2015. The popularity of drones has surged as the technology has improved, leading to a consumer boom in cheaper, simpler models. Among the questions the committee will seek answers to are the implications of drones for air traffic control, and whether drones will be affected by current data protection legislation. [Source] See also: [The Skies Are Watching You] and also: [Nevada: Where Drone and Data Scientist Jobs Are Headed]

Telecom / TV

US – Advocates Concerned About Phone “Kill Switch” Legislation

Several states are attempting to pass legislation requiring cell-phone makers to include a “kill switch” in the devices allowing for remote shutdown capabilities in an attempt to stymy cell-phone theft and protect the personal data of consumers. But the legislative trend is raising red flags for privacy advocates who say such kill switches would provide law enforcement with too much power, potentially preventing citizens from communicating and documenting public demonstrations. The Center for Democracy & Technology’s Jake Laperruque said, “The idea of this being co-opted as an anti-protest tool is especially disturbing.” To date, California and Minnesota have passed kill-switch legislation, while Nevada and New Jersey are considering it. [USA Today]

WW – Why Consumers Should Be Scared of Smart TVs

Michael Price writes about why he’s scared of his new “smart television” after reading through its 46-page privacy policy. “The amount of data this thing collects is staggering,” he writes, adding users can always go with a “dumb” option, “but it comes at a cost. The device will not function properly or allow the use of its high-tech features,” leaving users “with an unacceptable choice between keeping up with technology and retaining their personal privacy.” Last year, the Center for Democracy & Technology’s Justin Brookman discussed how the lack of Privacy by Design in smart TVs will erode consumer trust. Meanwhile, five predictions for “addressable television” include how “privacy will be a key conversation.” [Salon] See also: [Whirlpool’s “Internet of Things” problem: No one really wants a “smart” washing machine]

US Government Programs

US – DHS Privacy Office’s Annual Report Outlines Next Priorities

The Department of Homeland Security’s Privacy Office has released its 2014 Annual Report to Congress, which includes highlights of such accomplishments as its Fair Information Practice Principles becoming “the privacy policy touchstone” for all federal agencies, its impact assessment official guidance becoming a model for agencies and foreign countries and its publishing of a directive on the department’s use of social media as a standard for other agencies’ use. The office will prioritize assessing new systems and programs to develop robust privacy protections; expand its service as a consultation organization and increase its engagement with the privacy community, among others. [Source] See also: [The “second source” for Snowden reporters, explained]

US – ICE Twice Breached Privacy Policy With License-Plate Database

Since February, shortly after the U.S. Department of Homeland Security (DHS) canceled plans for widespread access to a national license-plate tracking database, officials within the DHS’s Immigration and Customs Enforcement agency (ICE) have allegedly bypassed the privacy office on at least two occasions to purchase a one-year subscription to a license-plate tracking database. An ICE spokeswoman said use of the database is limited and a privacy impact assessment is in preparation. Rep. Bennie Thompson (D-MS) said, “there may be law enforcement need for certain personal information, [but] DHS must make sure that contracts of this nature are thoroughly reviewed by its privacy office and Office for Civil Rights and Civil Liberties to ensure compliance with all relevant laws and regulations.” [The Washington Post]

US – NSF to Fund Database Research Project

A US initiative will create a database for the collection, storage and analysis of learning and behavioral data generated by students via digital learning technologies. Called LearnSphere, the project will be led by researchers at Carnegie Mellon University, which is receiving $4.8 million in funding from the National Science Foundation. The eventual infrastructure, distributed across several institutions, third parties and for-profit vendors, will include a trove of anonymous data, including digital-interaction options, chat-window messages between students and possibly some biometric information generated during classroom interactions, the report states. A representative from the Electronic Privacy Information Center said LearnSphere “warrants further evaluation” before moving ahead. [Education Week]

US – FCC Brings Largest Enforcement Ever (Again): $10 Million

The FCC is planning to fine TerraCom and its affiliate YourTel America $10 million for several violations of laws protecting the privacy of phone customers’ personal information. It is the largest enforcement action in the commission’s history (beating out the $7.5 million fine for Sprint in May), according to an FCC press release. The companies “apparently stored Social Security numbers, names, addresses, driver’s licenses and other sensitive information belonging to their customers on unprotected Internet servers that anyone in the world could access.” In the companies’ privacy policies, they promised customers “technology and security features to safeguard the privacy” of that information, the FCC said. [Source] [The Federal Communications Commission intends to fine TerraCom and its affiliate YourTel America $10 million] See also: [Call Center Scams on Rise]

US – U.S. FCC Joins Global Enforcement Network

The U.S. Federal Communications Commission (FCC) has announced it has joined the Global Privacy Enforcement Network (GPEN). GPEN seeks to promote the cooperation and collaboration of global privacy enforcement authorities and includes about 50 data protection authorities. “We live in a world where threats to consumer privacy and data security often require the cooperation of numerous law enforcement agencies around the world,” said FCC Enforcement Bureau Chief Travis LeBlanc, adding, “If we are to detect, disrupt and dismantle these persistent global privacy assaults, it is critical that we work closely with our international partners abroad as well as our federal, state and local partners here at home.” [Source] [Does the FCC Have FTC Envy] See also: [The Blind Men, the Elephant and the FTC’s Data Security Standards] [The Federal Communications Commission announced it has joined the Global Privacy Enforcement Network.]

US – Report Examines USPS Audit, Lack of Controls in Law Enforcement Requests

According to a U.S. Postal Service Office of Inspector General audit that came out earlier this year, the USPS granted 49,000 law enforcement requests to track mail in 2013. Additionally, the inspector general said the program has “insufficient controls,” including the lack of proper approvals and justifications and failing to require annual reviews, the report states. The program’s shortcomings could “hinder the Postal Inspection Service’s ability to conduct effective investigations, lead to public concerns over privacy of mail and harm the Postal Service’s brand.” In another report revealed earlier this month, the Inspector General concluded nearly 14 million customer records had been put at risk when changing addresses. [Bloomberg]

US Legislation

US – 9/11 Commission Urges Cybersecurity Legislation

Members of the 9/11 Commission are urging Senate Majority Leader Harry Reid (D-NV) to pass cybersecurity legislation before year’s end. Noting recent large-scale hacks against Target and Home Depot and reports of security vulnerabilities, members warn that the U.S. could face a major cyber-attack if nothing is done. “The al Qaeda threat did not manifest itself without warning on September 11, 2001,” Commission Chairman Thomas Kean and Vice Chairman Lee Hamilton wrote in a letter. “But we did not heed those warnings until it was too late. Unfortunately, that pattern seems to be repeating itself in the cyber realm.” [The Hill] [Senate Judiciary Committee Chairman Patrick Leahy (D-VT) said when the Senate reconvenes next month “it must swiftly take up and pass the USA FREEDOM Act.”] and [Members of the 9/11 Commission are urging Senate Majority Leader Harry Reid (D-NV) to pass cybersecurity legislation before year’s end] [The Washington Post reports on the potential effects a Republican-run Senate would have on tech policy.]

US – Feinstein Floats Privacy Changes to Cyber Bill

Senate Intelligence Committee Chairwoman Dianne Feinstein (D-CA) has said she is considering changes to the Cybersecurity Information Sharing Act to address privacy concerns, but has acknowledged that might not be enough to get the law passed. “You know, it’s always more, more, more,” Feinstein said. She declined to share specific details about the changes, the report states. Feinstein’s measure was passed 12-3 by the Senate Intelligence Committee, the report states, noting Feinstein commented, “I think if we could get this up on the floor, I believe we can pass it … We’re willing to take amendments and do them on the floor, so that shouldn’t stop it.” [The Hill] [Senate Intelligence Committee Chairwoman Dianne Feinstein (D-CA) has said she is considering changes to the Cybersecurity Information Sharing Act to address privacy concerns, but has acknowledged that might not be enough to get the law passed.]

US – California AG Calls for Action from Retailers, Healthcare

California Attorney General (AG) Kamala Harris unveiled the California Data Breach Report, the state’s first since 2012. In it, the AG focuses on the retail and healthcare sectors and sets forth recommendations that call for more readable breach notices, increased use of technology like chip cards to devalue stolen credit card data and for the healthcare industry to employ widespread encryption. She also calls for additional security funding for smaller retailers, a growing target of cyber-attacks. [Source] [The Privacy Advisor outlines California Attorney General’s California Data Breach Report, which sets forth recommendations that call for more readable breach notices, increased use of technology like chip cards to devalue stolen credit card data and for the healthcare industry to employ widespread encryption.]

US Legislative News Roundup: [While President Barack Obama has called on Congress to enact data breach notification legislation, that won’t happen this year.] | [Several states are attempting to pass legislation requiring cell-phone makers to include a “kill switch,” but the trend is raising red flags for privacy advocates who say they would provide law enforcement with too much power] | [Sen. Orrin Hatch (R-UT) outlined his agenda for technology legislation in the next Congress and highlighted the need to reform email privacy] | [Alabama Sen. Arthur Orr (R-Decatur) has indicated he is working on legislation that would require companies doing business in the state to notify customers of data breaches] | [New Jersey legislators have proposed AB 3322, requiring health insurers to encrypt personal health data on all of their computers] | [The New Jersey Assembly Consumer Affairs Committee has approved AB 3146, aiming to protect consumers from identity theft] | [Pennsylvania Gov. Tom Corbett is expected to sign a bill that creates a prescription drug monitoring program despite privacy concerns] | [The Pennsylvania Senate has passed a prescription drug monitoring bill despite privacy concerns voiced by the American Civil Liberties Union. The bill now heads to the governor’s desk] | [The Conference of the German Federal and State Data Protection Authorities has adopted a resolution expressing concern about privacy risks involved in the collection and processing of personal data in cars]

Workplace Privacy

WW – Exploring the Balance of Data Security and Employee Privacy

“With the right technology, enterprises can control the risk associated with maintaining confidential and private information. However, as many of these security measures require a detailed supervision of business operations, enterprises must be careful to avoid intruding on worker privacy,” states a new whitepaper from the Medical Device Privacy Consortium. Securing the Enterprise in a Privacy-Responsible Manner looks at the intersection of surveillance of systems and employee privacy rights in different regulatory environments and offers some recommended privacy principles to follow. [Source] See also: [The French Supreme Court has ruled employers must notify the CNIL of devices to monitor employees’ email volume and flows] and also: [US: 5 best practices for lawfully monitoring your employees’ social media activities]


01-15 October 2014


US – Airlines Look to Biometrics to Streamline the Check-In Process

Biometrics, the technology that uses human physical traits as a form of identification, is gaining popularity with governments and merchants. Now airlines are considering the technology. The next breakthrough in paperless airline ticketing may be under your thumb — literally. Alaska Airlines is exploring using passengers’ fingerprints to replace travel documents, driver’s licenses and credit cards now needed to navigate from airport curbs to jetliner seats. If successful, it would be the first U.S. carrier to employ biometrics for boarding passes and inflight purchases and could spur wider adoption across the industry. [Source]

WW – Build in Biometric Security for Market Advantage: Levin

Adam Levin writes about how “legions of sophisticated hackers are infiltrating the most state-of-the-art data security strategies out there” and how biometrics “may well be the next ‘less hackable’ thing.” He notes there will likely be a small window of time before biometrics become “‘the new normal,’” so “there is a marketing advantage, which is why it’s crucial for companies that handle sensitive information to get in front of the trend.” He notes Apple has begun this process and other companies are experimenting with “bio-specific authentication.” He writes that if there is a takeaway, “it’s to be found in the Apple model, which doesn’t lead with a security solution so much as it incorporates it.” [Forbes] See also: [Companies Battle It Out on Privacy]

EU – Comedy Club Charges Per Laugh With Facial Recognition

A comedy club in Barcelona is experimenting with charging users per laugh, using facial-recognition technology to track how much they enjoyed the show. The software is installed on tablets attached to the back of each seat at the Teatreneu club. Each laugh is charged at 0.30 euros (23p) with a cap of 24 euros (£18). Takings are up so far. The project was developed to combat falling audience numbers. The system is now being copied in other theatres around Spain. The comedy club has also launched a mobile app as a method of payment, as well as its first pay-per-laugh season ticket. James Woroniecki, director of London’s 99 Club, said: “Sounds fun, just so long as all the facial recognition data doesn’t get forwarded to the NSA [US National Security Agency].” [BBC News]

WW – Millions of Voiceprints Quietly Being Harvested as Latest ID Tool

The collection of voiceprints by governments and businesses is increasing “to pay pensions, collect taxes, track criminals and replace passwords.” A representative from a voice biometric vendor said, “There’s a misconception that the technology we have today is only in the domain of intelligence services, or the domain of Star Trek … The technology is here today, well-proven and commonly available.” A Barclays executive suggested “voice biometrics will be the de facto standard in the next two to three years.” A separate report notes the rise of the technology is spurring privacy concerns. One advocate said if public use of voice biometrics services were to be compromised, “We could lose a major avenue of anonymous speech.” [The Guardian] [Voiceprint harvesting – the next frontier in data privacy war]

Big Data

US – FPF Whitepaper Intros Toolbox for Weighing Big Data Rewards, Risks

Over the past few years, organizations have developed various frameworks to measure privacy risks of new projects, products or services. Yet these frameworks, typically called privacy impact assessments or risk management tools, account for only one part of a cost-benefit analysis. In a new Future of Privacy Forum (FPF) whitepaper, Jules Polonetsky, IAPP VP of Research and Education Omer Tene and the FPF’s Joseph Jerome introduce a new toolbox for weighing big data rewards against privacy risks. The paper includes case studies and graphics and provides a taxonomy of privacy risks and an analytical framework for “data benefit analysis.” [Source] See also: [Washington Post: Weighing the Benefits of Mining Health Data] See also: [Big Data is watching you. Has online spying gone too far?] AND Intel Global Privacy Officer David Hoffman explained

US – Information Accountability Foundation Releases Big Data Ethics Whitepaper

The Information Accountability Foundation released its first paper on its Big Data Ethics Project. The project aims to create tools for businesses and law enforcement authorities to ensure big data benefits while preventing negative outcomes such as discrimination or misuse of data. Governance, according to the paper, is key. “To establish big data governance, the foundation believes in the need for a common ethical frame based on key values and the need for an interrogation framework,” the paper states. “In formulating a frame, we concluded the following: Governance requires enforcement; big data enforcement needs to be explored by stakeholders, and interrogation frameworks should be customized [Source] SEE ALSO: Intel’s endeavor to encourage organizations to take “a data innovation pledge” that promotes “the simultaneous ethical and innovative use of data.” Meanwhile, speaking at an EU event, Tim Berners-Lee suggested “the promise of big data has been undermined by companies using their customers’ data to deliver targeted advertising,”

UK – ICO Publishes Report on Big Data

On 28 July, the ICO released its report ‘Big data and data protection’ (the ‘Report’). The Report defines ‘Big Data’ and sets out the data protection and privacy issues raised by Big Data, as well as compliance with the UK Data Protection Act 1998 (‘DPA’) in the context of Big Data. The ICO defines Big Data by reference to the Gartner IT glossary definition, and further explains that processing personal data must be of a significant volume, variety or velocity. When announcing publication of the Report, Steve Wood, the ICO’s Head of Policy Delivery, stated that “Big Data can work within the established data protection principles…. The principles are still fit for purpose but organisations need to innovate when applying them”. [Source]

WW – Can Mobile Tracking Help Stem Ebola Outbreaks?

Big data analytics may help emergency response teams, medical charities and nongovernmental organizations contain the Ebola virus, but to do so, tracking of mobile phones is needed. According to the report, citizens in some of the poorest countries in Africa own mobile phones, which is proving to be a “rich source of data in a region where other reliable sources are sorely lacking.” In one example, Orange Telecom in Senegal shared anonymized voice and text data from 150,000 mobile phones with Swedish nonprofit Flowminder to help draw up maps of population movements in the region. And the U.S. Centers for Disease Control is currently collecting mobile phone activity data from operators to map where helpline calls are sourced. [BBC News]


CA – Cyberbullying Bill Inches Closer to Law Despite Privacy Concerns

A controversial bill to fight cyberbullying and give more powers to law enforcement is set to pass third reading in the House of Commons. Bill C-13 would make it illegal for anyone to post or transmit an “intimate image” of another individual without that person’s consent. But other measures included in the bill would give police easier access to the metadata that ISPs and phone companies keep on every call and email by their customers. It would also make it easier for police to get preservation or production orders by lowering the threshold from a “reasonable grounds to believe” a crime has happened or could happen to “reasonable grounds to suspect.” The bill would also give immunity to any companies that turn over to police the information they hold. The bill is expected to pass, with the majority Conservatives supporting it despite a number of objections raised by Canada’s privacy commissioner, Daniel Therrien, and by Amanda Todd’s mother. Both Therrien and Todd said the bill should have been split so the widely embraced cyberbullying measures were considered separately from the far more controversial online data-collection measures. NDP digital issues critic Charmaine Borg said she expects the bill, should it become law, to be challenged in court following the Supreme Court’s decision last June in the case R vs. Spencer. The Spencer decision barred ISPs from voluntarily disclosing the names, addresses and phone numbers of their customers to law enforcement officials in response to an informal request — something ISPs have been doing hundreds of thousands of times a year. The landmark decision came the day the House justice committee reported back to the House on C-13. [Source] See also: [Cyberbullying bill C-13 moves on despite Supreme Court decision] See also: [Harper government missed deadline on jihadi tracking tool]

CA – Alberta’s PIPA Scheduled to Lapse on November 15, 2014

On November 15, 2013, the Supreme Court of Canada found Alberta’s Personal Information Protection Act (PIPA) to be invalid and gave Alberta’s Legislature 12 months to make it constitutional. To date, no amendments to PIPA have been tabled by the Alberta government and the next session of the Alberta Legislature has been delayed until November 17, 2014. On September 22, 2014, Alberta’s Information and Privacy Commissioner wrote an open letter to Alberta’s Premier, the Minister of Justice and Solicitor General and the Minister of Service Alberta expressing concern over PIPA’s inevitable lapse as a result of the delayed start to the session of the Alberta Legislature: If PIPA is allowed to lapse, Alberta’s citizens and businesses will lose the unique benefits afforded by the legislation, including: mandatory breach reporting and notification to affected individuals, local enforcement without court involvement, and protection for the access and privacy rights of employees of provincially-regulated private sector businesses. As the oversight body for PIPA, the Commissioner’s office is receiving inquiries from the public and stakeholders as to the status of the legislation. In addition, there are 280 PIPA cases currently open – including breach reports from organizations, complaint investigations, and quasi-judicial inquiries – which will potentially be affected in the event the legislation lapses. In response, Alberta’s new Premier, Jim Prentice, declared he would be seeking an extension from the Supreme Court with respect to the amendment deadline. A motion extending the suspension of the declaration of invalidity was filed in the Supreme Court by the Attorney General of Alberta on October 1, 2014. [Source] “In a precedent-setting decision, Alberta’s Court of Queen’s Bench has ruled the province’s Health Information Act protects any information broadly connected to a patient’s care, even if that information is about another person.”

CA – Decision Reserved in Lawsuit Over Sask. Student’s Cellphone Privacy

A judge has reserved decision in a lawsuit over whether a Grade 6 student’s privacy was violated when school staff read the texts on his cellphone. Court heard a teacher at Riverside Community School in Prince Albert took the 12-year-old’s phone when she caught him texting during class in March 2010. The teacher gave the phone to the then-vice-principal, who went through the boy’s texts and found one about a car theft. Dwayne Tournier testified the text was from someone who said — quote — “we stole a car.” The lawsuit alleges that after the school contacted police, an officer got the boy to text the sender back about the car’s location and then took him in a cruiser to identify the vehicle. The boy’s grandparents, who were his guardians, argue the actions of the school put the boy in a position where he feared retaliation by the text’s sender because the boy was seen in the cruiser. The lawsuit claims damages from the Saskatchewan Rivers School Division and Tournier. “The mistake, if a mistake was made, is in reading the contents of the cellphone, then calling the local city police to take this young lad to a stolen vehicle to identify a vehicle,” said lawyer Marcel Simonot, on behalf of the grandparents. [Source]

CA – OPC’s Bernier Joins Private Practice

Former Interim Privacy Commissioner of Canada Chantal Bernier has joined Dentons’ privacy and security practice as counsel. “We are honored to have Chantal Bernier, a renowned thought-leader in privacy protection, join Dentons,” said Dentons CEO Chris Pinnington. “In the digital age, when privacy risks and concerns are on the rise, Ms. Bernier’s perspective and insight as a seasoned regulator and senior executive will be a tremendous asset to our clients, in Canada and around the world.” [MarketWired]


EU – Survey Shows What Europeans Think Their Personal Data Is Worth

A survey commissioned by European telco Orange examines how Europeans perceive the value of their personal data. “There is a perceived imbalance within the data-sharing relationship,” the survey states, “with two-thirds of consumers believing that organizations benefit the most from the sharing of data—just 6% think that the consumer benefits the most.” The UK, France, Spain and Poland were surveyed, and respondents, on average, said that each piece of personal data shared with a familiar business is worth approximately $21. For unfamiliar companies, the value increased to $25. The report includes breakdowns of what respondents thought specific data points were worth, including full name, date of birth, location, income and marital status. [Quartz]

US – The Future of Retail Tracking and Allegations About Uber’s Location Privacy

Macy’s is leading the rise of iBeacon technology in retail stores. The retail chain will add 4,000 iBeacon devices to its almost 800 stores nationwide in the next few weeks. Macy.com President Kent Anderson said, “The customer who gets more engaged in more of the channels that Macy’s has to offer gives us more wallet share.” iBeacons are also being placed at various Marriott locations. [The Washington Post]

US – Experiment Demonstrates Perils of Not Reading Privacy Policies

In an experiment to demonstrate the dangers of connecting to unfamiliar networks, security firm F-Secure set up an open WiFi network in a busy, public area in London, UK, complete with lengthy terms and conditions that included a “Herod clause.” Yup. Six people clicked through to exchange “permanent ownership” of their firstborn children for WiFi access. Enter Terms of Service; Didn’t Read, a user rights initiative that is rating websites according to their terms and privacy policies. [Source]

US – How Many Chocolate Chip Cookies is Your Personal Data Worth?

In a recent experiment, New York-based artist Risa Puno asked New Yorkers at an arts festival to give up sensitive personal information, from fingerprints to partial Social Security numbers (SSNs), for a cookie—not a web cookie, an actual cookie. In total, 380 did so, with 117 allowing Puno to take their fingerprints and just under half giving her the last four digits of their SSNs. Based on the experiment, Slate offers advice on how to measure the value of your personal data in cookies. Meanwhile, ComputerworldUK reports on how firms can survive in the age of data currency. [ProPublica]


CA – PEI Privacy Commissioner Urges Review of Government Document Storage

Personal records stored in derelict buildings should serve as a wake-up call to government, says the information and privacy commissioner. The province is in the process of relocating health and financial records housed in two boarded-up Health P.E.I. buildings in Charlottetown. City police have reported that the buildings have been broken into at least five times in the last month. Maria MacDonald doesn’t believe this is an isolated case of poorly stored documents. Close to 1,200 boxes of documents, including medical and financial records, are being removed from the buildings, says Pam Trainor, executive director of acute care, mental health and addictions for Health P.E.I. The removal of the records began Thursday and most were expected to have been taken out of the old buildings by the end of Monday. [Source] [Ireland: Investigators accessed social welfare information and disclosed to credit unions]

CA – IBM Wins a Federal Data Centre Contract

IBM Canada has won a multi-year contract to provide and manage one of the new data centres the federal government needs as it consolidates IT infrastructure under its Shared Services program. IBM’s Barrie, Ont., data centre building, which was opened in 2012, will house some of the federal IT infrastructure as the government squeezes 485 data centres into seven by 2020. This contract dealt only with the physical space. IBM will not be providing servers, storage or networking. [IT World Canada]

US – Public Officials Give Up Some Privacy on Personal Cellphones – Editorial

Citizens expect, demand and deserve public officials who put the public first. One way we put the public first is by promoting open government and protecting the people’s right to know. An official cannot choose to use personal technology like a cellphone or home computer to conduct public business and then deny access to the resulting public records on grounds of personal privacy. This point was driven home recently for Pierce County Prosecuting Attorney Mark Lindquist, who had been using his personal cellphone for official business. The question of whether public officials can keep public information private is now winding its way through the courts. Public records do not become private property when created and stored on personal devices. The information in public records belongs to the people, even if accessing it on a private device is inconvenient or embarrassing for the official who created and stored it there. [Source] See also: [New York postman accused of hoarding 2,500 pounds of mail]


CA – CASL: Rules for the Installation and Use of Computer Programs

Effective January 15, 2015, Canada’s anti-spam law (commonly known as “CASL”) will impose onerous restrictions and requirements for the commercial installation and use of computer programs on another person’s computer system. The rules apply to almost any computer program (not just malware/spyware/harmful programs) installed on almost any computing device (including mobile phones) as part of a commercial activity (regardless of expectation of profit). The rules have potentially serious implications for Canadian businesses that distribute computer programs and for foreign businesses that distribute computer programs to computer systems located in Canada. Unfortunately, the rules are challenging to interpret and apply, and regulators have provided limited guidance. [More] See also: [CRTC works with small business to stop malicious spam from being sent to Canadians]

Electronic Records

US – Advocates Claim Compliance Site Violates COPPA

The Center for Digital Democracy and Campaign for a Commercial-Free Childhood have alleged in comments filed with the FTC that AgeCheq—a company that aims to help app developers comply with children’s privacy rules—itself violates those regulations. The comments claim AgeCheq collects data about children without first obtaining their parents’ permission, in violation of the Children’s Online Privacy Protection Act (COPPA). AgeCheq CEO Roy Smith said the allegations are “specious,” adding, “We’re mystified by this whole thing.” Smith said he doesn’t believe COPPA bans the company from collecting data about children because his site doesn’t fit into COPPA’s definition of a website operator. [MediaPost]

EU Developments

EU – Google Ordered to Change Handling of User Data in Germany

Hamburg Data Protection Commissioner Johannes Caspar issued a statement ordering Google to limit how it combines user data that could be used to determine such customer information as marital status or sexual orientation. Caspar emailed Google about its 2012 privacy policy terms, which allow it to combine data it gathers when customers use its services. “With that, one can compile detailed movement patterns, detect the social and financial status, and friendship, sexual orientation and the relationship status,” Caspar said, ordering Google “to take the necessary technical and organizational measures to guarantee that their users can decide on their own if and to what extent their data is used for profiling.” Google is reportedly reviewing the order. [Bloomberg]

EU – Ansip: EU May Suspend Data-Sharing Agreements if U.S. Doesn’t Shape Up

Europe may suspend data-sharing agreements with the U.S. if American policy makers don’t improve how Europeans’ online information is protected. That’s according to Andrus Ansip, the nominee to lead Europe’s digital agenda, who added the U.S. still needs to convince European lawmakers it takes a hard line on data protection. “Americans have to deliver and provide real trust to European citizens,” Ansip said during a hearing at European Parliament in Brussels, adding a suspension of Safe Harbor is still on the table. [The New York Times]

EU – Belgium Appoints First Privacy Minister

After several months of negotiations, finally a new governmental coalition has been formed in Belgium. It may come as a surprise, but the new government has paid particular attention to privacy-related issues in its coalition agreement, including the appointment of a Secretary of State for privacy. DLA Piper’s Patrick Van Eecke and Elisabeth Verbrugge look at the new government’s stated intentions for privacy, including a slate of planned reforms, and look into the future to assess the impact of these decisions. [Full Story] [Belgium’s New Government Sets Privacy High on the Agenda, Appointing Minister of Privacy] and also: [IRE: Government expected to increase data protection budget]

Facts & Stats

WW – How Much is Data Really Worth?

While companies are building entire businesses around the collection and sale of data, no one really knows what all that information is worth. “It’s flummoxing that companies have better accounting for their office furniture than their information assets,” said a Gartner analyst. “You can’t manage what you don’t measure.” As more companies traffic in information and use big data analytics tools to find ways to generate revenue, the lack of standards for valuing data leaves a widening gap in our understanding of the modern business world, the report states. Intangible assets such as patents, trademarks and copyrights could be worth more than $8 trillion, one economist estimates. [The Wall Street Journal]


US – FCC Fines Marriott for Blocking Guests’ Wi-Fi Hotspots

Marriott has agreed to pay the US Federal Communications Commission (FCC) US $600,000 to settle charges that the company blocked guests’ personal hotspots, forcing them to use the hotel’s WiFi at significant cost. The Gaylord Opryland Hotel in Nashville, Tennessee, admitted to the blocking, saying that it normally established wireless services and networks for groups at the convention facility, charging US $250 to US $1,000 per access point. The service provided by the hotel includes a monitoring system that blocks networks that are not its own. [Ars Technica] [The Register]


US – TCPA Prompts Bank Fears; Kohl’s Seeks Class-Action Dismissal

In a filing with the Federal Communications Commission (FCC), the American Bankers Association (ABA) said banks that call or text customers run the risk of being sued under the Telephone Consumer Protection Act (TCPA), a 23-year-old law that requires consumers’ consent to being called on their mobile phones. “A single financial institution might be responsible for 50,000 to 60,000 or more potential data security breach notifications per month,” the ABA wrote to the FCC. “A substantial portion of these automated notifications must be sent to mobile telephone numbers.” Meanwhile, Kohl’s has asked a federal judge to throw out a putative TCPA class-action alleging the retailer gathered consumers’ cell-phone numbers for debt-collection purposes. [Quartz]


AU – FOI May Cost $800 as Coalition Seeks to Abolish Regulator

The federal government has introduced a bill to abolish Australia’s freedom of information watchdog. In a move that will wind back significant reforms in Australia’s federal freedom of information framework introduced in 2010, the government has pushed ahead with its plans to abolish the Office of the Australian Information Commissioner (OAIC). The bill would remove an office conceived as the “champion” of freedom of information and privacy, and would largely revert to the pre-2010 framework where complaints about freedom of information matters were heard by the commonwealth ombudsman and appeals went to the Administrative Appeals Tribunal (AAT). Labor and the Greens have previously raised major concerns about this move, saying it would “shut the door on open government”. Crucially, the bill provides no relief or waivers for the $800 filing fee to make applications to the AAT, which is likely to create a substantial barrier to seeking review of government decisions. [Source] The Freedom of Information Amendment (New Arrangements) Bill 2014 was introduced into Australia’s Parliament on Thursday, and the Office of the Australian Information Commissioner (OAIC) has detailed what to expect if the bill becomes law. The Australian government’s plan to require data retention continues to make headlines as do allegations that Australian privacy laws are putting military personnel at risk.


US – 23andme Genetic Testing Service Coming to Canada

A California company offering a genetic testing service that claims to pinpoint both health conditions and genetic background has begun operating in Canada, despite being blocked by the U.S. health regulator from offering its full service. The company 23andme tests for about 100 health markers based on a sample of your saliva. Customers apply for the testing kit online, submit a sample and get a response in two to six weeks via email. The U.S. Food and Drug Administration blocked 23andme from sending health information to customers of its genetic testing kits in the U.S. “The FDA believes that we are a medical device, so we are going through the medical device review process. In Canada we are working with health authorities and they have deemed that we are non-therapeutic and therefore we don’t need pre-market clearance,” said CEO Anne Wojcicki. However, Canada’s privacy commissioner has raised concerns about the privacy of genetic tests. At this time, there are no laws in Canada that specifically address the use of genetic test results by insurance companies. The Canadian Life and Health Insurance Association has agreed its members will never require a genetic test from a customer, but says that if there is such a test, “the insurer would request access to the information, just as it would for other aspects of the applicant’s health history.” [Source]

Health / Medical

US – FDA Issues Medical Device Cyber Security Guidance

The US Food and Drug Administration (FDA) has released guidance for medical device cyber security. The publication offers recommendations to manufacturers and urges them to “consider cybersecurity risks as part of the design and development of a medical device.” The agency also encourages manufacturers to provide the FDA with documentation about risks in devices and plans to mitigate those risks, as well as plans for providing updates and patches. The FDA is holding a workshop on the issue later this month. [FDA] [SCMagazine] [USA Today] [MobiHealthNews: A Roundup of FDA-Approved Electronic Medical Devices]

US – OCR Prepping to Launch Phase II Audits

The Department of Health and Human Services Office for Civil Rights (OCR) is preparing to launch OCR Phase II Audits, a permanent audit program for covered entities, although the OCR is still dealing with funding constraints and finalizing the program, the OCR’s Iliana Peters said at a conference last month. When the program will begin depends on some technology upgrades, Peters said, noting once Phase II starts, the OCR will use it as an enforcement tool and, depending on what issues are discovered, corrective actions may result. She added settlements and monetary penalties are “never off the table” if major compliance issues are found during investigations. [PR Web]

WW – Facebook Moving Into Healthcare

Amidst reports that Facebook will feature new guidelines and an ethics review panel for research projects, the social networking giant is also reportedly moving into the healthcare landscape. Facebook is allegedly exploring the development of online “support communities” to connect users with similar ailments and a small team is considering “preventative care” applications. The company has been convening meetings with various medical industry experts and entrepreneurs to set up a research and development team to test new health apps, the report states. [Reuters]

Horror Stories

US – JP Morgan Chase: Breach Affected 76 Million Households

In a filing with the US Securities and Exchange Commission (SEC), JPMorgan Chase disclosed that a security breach earlier this year affected 76 million households and seven million businesses, and that the data compromised include phone numbers and email addresses, but not account information. The company has denied emerging reports of a second breach. Stanford’s Jonathan Mayer said, “There’s no doubt that companies with valuable information have a target on them.” Meanwhile, one report offers new evidence on where “massive data breaches lead”—including to “clone cards” sold to low-level criminals—and details some of the costs of data breaches. [NBC News] [NBC News] [Fast Edgar] [NYTimes] [CS Monitor] [The Register] [ComputerWorld] [ZDNet] [SCMagazine] [NPR News] Lawmakers in the U.S. are using the JP Morgan data breach to push privacy-diminishing cyber-legislation.

CA – Personal Info Accessed In B.C. Government Database Breach

The B.C. government is trying to notify 15,000 people whose personal information has been illegally accessed because of a data breach on a Ministry of Forests’ website and associated databases. The ministry says names, contact information, birth dates, drivers’ licence numbers and job evaluation information of firefighters who applied to work on wildfire crews may have been compromised. A ministry news release says data about applicants’ aboriginal, minority or disabled status may have also been viewed when the information was accessed by an unauthorized user on Sept. 24. The ministry says public website access was shut down as soon as the breach was discovered and the Information and Privacy Commissioner was notified. The government says it is offering free credit protection services to people who have been affected. However, it says some of the database records are up to 10 years old and contacting everyone involved in a timely manner may be difficult. [The Globe and Mail]

US – Inspector General Says Nearly 14 million Postal Service Records at Risk

The U.S. Postal Service Inspector General has concluded the Postal Service has put nearly 14 million customer records at risk. The inspector general’s audit found that hundreds of businesses have access to millions of change-of-address forms with little oversight from the Postal Service. “There is a risk that the (data) could be accessed by unauthorized users,” auditors for Inspector General David Williams wrote, adding, “Security controls … are not sufficient to protect the confidentiality and integrity of customer information.” [The Washington Post] See also: [Kmart, Dairy Queen see payment-card data stolen] [Oregon Employment Dept. Reports Breach]

US – Senators Want Answers on USIS Breach

Senate Homeland Security and Governmental Affairs Committee leaders have sent letters to the Obama administration as well as the Department of Homeland Security (DHS), the Office of Management and Budget and the Office of Personnel Management seeking answers to a breach that hit the U.S. Investigations Services (USIS) in August. The breach likely compromised the personal information of approximately 25,000 government employees. Committee Chairman Tom Carper (D-DE) and ranking member Tom Coburn (R-OK) wrote in the letter to DHS Secretary Jeh Johnson that the breach raises significant concerns, noting, “If you determine that additional tools and authorities are needed to further improve federal network security, we urge you to inform the committee as soon as possible.” [GovInfoSecurity]

CA – Alberta Health Services Unsure What Happened to Information Lost in a Privacy Breach

Officials don’t know what happened to the information gleaned from 19 months of a breach of patient records by an Alberta Children’s Hospital staffer who targeted a wide variety of victims, including high-profile people. And though Alberta Health Services says the low-level administrator’s access to 247 patients’ records hasn’t impacted care or the integrity of the data, the agency’s president Valerie Kaminski said it’s not clear what was done with the information. “We don’t know – we asked that question and the information they gave us was very non-descript,” said Kaminski. “There was no evidence they made copies at all.” The former staffer, who was fired, had access to patient history, contact information, date of birth and family information on two different databases from January of 2013 to August 2014 on at least one of the databases. It went beyond children’s medical information, extending to nurses, physicians and “high profile people across the community, there were a large number of adult patients,” said Kaminski. [Source] [Alberta Children’s Hospital patient privacy breach prompts apology] See also: [The Alberta Court Of Appeal Considers Confidential Information, Settlement Privilege And The Freedom Of Information And Protection Of Privacy Act]

WW – Hartzog: Snapchat Should Not Blame Users for Latest Leak

Prof. Woodrow Hartzog writes that Snapchat, in its message to consumers after a hack of images stored on a third-party server, should not have blamed users for the incident. “Snapchatters were allegedly victimized by their use of third-party apps to send and receive Snaps, a practice that we expressly prohibit in our Terms of Use,” the company wrote. Hartzog notes that such rules are “buried in the fine print” and that two lessons can be drawn from the incident and response: Businesses need to educate their users about security risks in plain language, and technologies that promise to protect privacy “must provide better data security than traditional social media.” Meanwhile, Gizmodo writes new app Vent is a “disaster waiting to happen,” and The Globe and Mail reports anonymous app Shadow creates a false expectation of privacy. [Wired]

US – AT&T Employee Fired for Accessing Customer Data

AT&T has fired an employee for allegedly accessing customers’ personal data, including driver’s license and Social Security numbers, as well as customer metadata about calls made. AT&T notified the affected customers by letter. [The Register] [ZD Net] [Net Security] [Text of Letter]

WW – Cybersecurity Awareness Month News Roundup

In conjunction with cybersecurity awareness month, the U.S. FTC has released online shopping tips in a short YouTube clip, and in an effort to help organizations better understand the data breach landscape, Experian has released its 2014-2015 Data Breach Response Guide. Meanwhile, in a survey by UK-based telecoms company BT, 26% of the 640 IT decision-makers said their business had experienced a data breach incident where their cloud provider was partly at fault, and Help Net Security reports the majority of IT decision-makers said they aren’t confident data would be secure if outsiders penetrated their network’s perimeter security. Separately, eBay has moved to dismiss a proposed class-action over a data breach, and software company Netwrix has recommended three steps Home Depot could have taken to prevent its breach. In healthcare, there’s been a “substantial spike” in the number of major data breaches posted on the U.S. Health and Human Services “wall of shame” since the Health Insurance Portability and Accountability Act Omnibus Rule came into play a year ago.

WW – Interpol Says “Around 100” Cyber Kingpins Worldwide

The latest business to announce a credit and debit card breach is the U.S.-based ice cream and restaurant chain Dairy Queen. The company said 395 of its stores were affected. In a similar story, U.S. investigators believe the hackers that breached JP Morgan are the same ones who breached Fidelity Investments. The slew of cyber-attacks is prompting some companies to consider going on the offensive by “hacking back” or going on “active defense.” Trend Micro’s chief cybersecurity officer said, “Active defense is happening. It’s not mainstream. It’s very selective.” According to Europol’s Cybercrime Center, there are only “around 100” cybercriminal kingpins worldwide. [The Washington Post]

Identity Issues

SK – Wave of Identity Thefts Forces South Korea to Overhaul National ID System

After an avalanche of data breaches, South Korea’s national identity card system has been raided so thoroughly by thieves that the government says it might have to issue new ID numbers to every citizen over 17 at a possible cost of billions of dollars. The admission is an embarrassment for a society that prides itself on its high-tech skills and has some of the fastest Internet access. The issue came to a head after 20 million people including the president, Park Geun-hye, were victims of a data theft at three credit card companies. Park acknowledged in January change was needed and ordered a study of possible options. A decision is due later this year. Rebuilding the system and tightening security could take up to a decade, according to Kilnam Chon, a researcher known as the “Father of the Korean Internet” for his pioneering work in online technology in the 1980s. “The problems have grown to a point where finding a way to completely solve them looks unlikely,” said Chon. [Source] [SCMagazine] [The Register] See also: [BC: Pastafarian’s fight with ICBC comes to a boil]

US – Feds Say Agent Legally Impersonated Woman

The Justice Department says a federal agent had the right to impersonate a young woman online by creating a Facebook page in her name without her knowledge. The woman’s account was set up by a U.S. Drug Enforcement Administration special agent after she was arrested for allegedly being part of a drug ring. While she awaited trial, the agent set up the fake Facebook page, using her name and posting photos from her seized cell phone, to communicate with at least one wanted fugitive. The woman is suing the agent for invading her privacy. The Justice Department is looking into the matter. [Buzzfeed] [US: Government Set Up A Fake Facebook Page In This Woman’s Name]

Internet / WWW

WW – International Privacy Conference Releases Declaration, Resolutions

As the 36th Annual International Conference of Data Protection and Privacy Commissioners winds down in Mauritius, leaders from the conference have released a declaration on the Internet of Things (IoT) as well as resolutions on accreditation, big data, international cooperation and privacy in the digital age. In their IoT declaration, Executive Committee Chairman Jacob Kohnstamm and Mauritius Data Protection Office Chairwoman Drudeisha Madhub conclude data collected from IoT devices should be considered personal data; IoT value is not only found in devices but in services; transparency will be key; local processing is needed to help bolster security; regulators will closely watch the IoT landscape; Privacy by Design should be “a key selling point,” and “a strong, active and constructive debate” is needed between all stakeholders. [Source] Notable private sector Interviews: [Google Chairman: ‘We’re Going to End Up Breaking the Internet’ – Eric Schmidt said the Internet as we know it will fail unless governments reform their surveillance practices] [Privacy as a Selling Point: An Interview with Siemens’ Rob Gratchner] [Microsoft’s Lynch Talks Privacy and Trust, Then and Now] [Protecting Privacy In The Digital Age: Mikko Hyppönen Answers Your Questions] [Edward Snowden’s Privacy Tips: “Get Rid Of Dropbox,” Avoid Facebook And Google]

WW – UN Report Says Bulk Surveillance Threatens International Law

A 22-page report to the UN General Assembly claims that mass surveillance “is indiscriminately corrosive of online privacy and impinges on the very essence of the right guaranteed by” the UN’s International Covenant on Civil and Political Rights. The study was written by Ben Emmerson, UN special rapporteur on counterterrorism. He said spy programs implemented by the U.S. NSA and the UK GCHQ, for example, “pose a direct and ongoing challenge to an established norm of international law,” and such programs undermine “the right to privacy of communications on the Internet altogether.” The report follows an equally critical analysis from UN High Commissioner for Human Rights Navi Pillay released in July. [The Guardian] [OHCHR]

WW – IPEN Hears Top Risks, Focuses on Privacy-Friendly Tech

In a time when mass surveillance is being supported by the Internet and Western governments in the effort to fight terrorism, and “insecure protocols and the lack of technical measures to protect data in current Internet technology make it easy to circumvent privacy,” Florian Stahl writes on the efforts of the Internet Privacy Engineering Network (IPEN), recently founded by the European Data Protection Supervisor. The IPEN, which held its first workshop in Berlin, Germany, late last month, is working “to support the development of privacy-friendly technologies and raise awareness,” Stahl writes, detailing the Open Web Application Security Project’s presentation of its top 10 privacy risks at the workshop. [Privacy Perspectives] [IPEN website] [IPEN Press Release]

WW – HTTPA? Researchers Work on Accountability Internet Protocol

Two MIT Computer Science and Artificial Intelligence Lab researchers are developing a new Internet protocol called HTTPA, or HTTP with Accountability. Instead of keeping data secret, Oshani Seneviratne and Lalana Kagal are building a protocol that allows data owners to attach conditions for the data’s use, with a way of auditing whether such conditions are being met. If users want to audit their data, the protocol will identify everyone who accessed the data and what was done with it. Since there are potentially hundreds of resources on a given page, Seneviratne explained, “HTTPA would just be applied to resources that need protection … You don’t want to protect every resource, just those that contain sensitive information or protected content.” [CSO Online]

Law Enforcement

NZ – Mobile Fingerprint Scanners Coming to Alcohol Checkpoints

Thousands of motorists suspected of drink-driving could soon be hauled into booze buses [a mobile police drug and alcohol checkpoint] to have their fingerprints taken and stored on a police database. The Booze Bus Biometrics system will enable officers to check the identities of huge numbers of people more quickly and easily than by taking them to the nearest police station. But a leading civil rights lawyer says expanding the tools available for storing people’s personal data is a further step in a creeping “trend of net-widening”. [Source] See also: [Toronto: 18 Officers Probed Toronto Crack House Break-in]

US – Crime-Fighting Surveillance Planes Provoke Privacy Controversy

A US company has developed a way to monitor entire neighbourhoods, using a technology originally developed for the recent wars in Iraq and Afghanistan. But while police forces are excited by the prospect of getting access to the tech, privacy campaigners see it as a threat to citizens’ constitutional rights. By flying a special manned plane over a city, Persistent Surveillance Systems (PSS) says it is able to view and record everything that is happening on the ground across a 25 sq mile (64.7 sq km) area. Rigged with 12 high-resolution cameras, a spliced together picture of a sort of “live Google Earth” map is beamed down from the aircraft to analysts. “The resolution is not high enough to show who someone is, people appear as merely one grey pixel on a screen,” Ross McNutt, a retired United States Air Force veteran and PSS president, told BBC Click. But that one pixel is enough for the person’s movements to be accurately tracked for the time the plane is in the air – up to six hours. When PSS flew its planes over Compton, California, in early 2012 over nine days, it recorded murders, robberies and many other crimes. By matching the time frames of the PSS recordings with on-the-ground testimony, analysts and police were able to see the moment when the crime was committed. They were then able to track where the suspect was before and after the moment of crime. But PSS doesn’t just see the murders and the criminals – its cameras look down onto the streets and backyards where everyday activities happen as well. The firm’s insistence that the close-ups it obtains are low resolution is not enough to placate opponents who see its tech as a threat to Americans’ liberties. [Source] [BBC News] See also: [Police to Receive X-Ray Glasses, Identify Suspects Through Walls]

US – Surveillance Drone Taken Out By Privacy Protecting Hawk

A recent video seems to prove that it’s not just humans that are annoyed with the excessive surveillance these days. While capturing video with a drone, the operator was a bit more than shocked to see his RC aircraft get taken out by an apparent privacy protecting hawk. The incident began when Christopher Schmidt decided to strap a GoPro camera to a Quad Copter to take some video around Magazine Beach Park in Cambridge, Massachusetts. During his filming, he appears to have ticked off a hawk who decided to let the drone know who was boss. Sending the drone hurtling toward the ground, the Google engineer said the hawk decided he wasn’t happy with his drone invading the airspace and knocked it to the ground, according to Fox 5. Schmidt goes on to write, “As far as I could tell, the hawk came out unscathed, and having defeated his prey, was happy to retreat. (As soon as he flew at me, I throttled down the props to try to minimize any harm to the bird.) The quadcopter came out unscathed as well.” Last week we reported on a man using his shotgun to take out a similar drone – do you think people will start getting the message? [Mad World News]


WW – Grindr Shuts Off Proximity Tracker in Egypt; Privacy Art Exhibit Cancelled

Dutch artist Dries Verhoeven has been forced to cancel his “non-sexual social media-based” art exhibit after privacy concerns were raised. The Berlin-based social-media experiment used the sex-dating app Grindr to lure users to the installation site in order to project the user comments in a public setting. Grindr said, “While Grindr supports the arts, what Dries Verhoeven is doing by luring Grindr users under false pretenses is entrapment. This is an invasion of user privacy and a potential safety issue.” Meanwhile, Egyptian officials have been arresting individuals believed to be homosexual men, prompting Grindr to disable its proximity feature and send a message to users to be “as savvy as you can and to be very careful.” [Hyperallergic] Meanwhile, venture capitalist Peter Sims alleges his location was tracked by Uber during a Chicago event. “After learning this,” he wrote, “I expressed my outrage … that the company would use my information and identity to promote its services without my permission.” See also: [US: ‘God View’: Uber Allegedly Stalked Users For Party-Goers’ Viewing Pleasure]

Online Privacy

WW – Adobe Collects eReader Data and Transmits it in Cleartext

Adobe has acknowledged that its Digital Editions eBook reader gathers information about users’ reading histories and sends the data back to the company unencrypted. Adobe maintains that the feature is designed to prevent piracy. The company says the information it collects, which includes user, device and app IDs; IP addresses; duration of reading; and percentage of book read is data that could be demanded by publishers. Adobe now says it plans to issue an update to the software to address the cleartext data transmission. [NBCNews] [Ars Technica] [The Register] [The Register] [The Digital Reader] A tip from a hacker prompted a journalist to use a network tracking app to discover Adobe Digital Editions 4 was “gathering data on the ebooks that have been opened, which pages were read, and in what order.” [GigaOm] See also: [New Flaw: POODLE Puts Browsers at Risk]

UK – Your Colleagues Pose Bigger Threat to Your Privacy than Hackers

The threat from hackers is not nearly as big a problem as the threat posed by your own colleagues, a privacy report has revealed. According to research conducted at the Central European University’s Centre for Media, Data and Society, over half of all privacy breaches in Europe over the last decade are inside jobs, rather than the work of external hackers. The team from CEU conducted the study by examining 350 privacy breaches that took place across ten years. Focussing on the 229 incidents that directly involved the privacy of European citizens, the primary conclusion of the study was that organisational insiders are more to blame for the loss of private information than those attempting to maliciously access information from elsewhere. [Source] [Report: Data Breaches in Europe: Reported Breaches of Compromised Personal Records in Europe, 2005‐2014]

WW – Even Those Who Opt Out Are Part of the Database

Companies like Google and Facebook may be learning about those who don’t use their services. Researchers from Switzerland’s ETH Zurich University studied publicly available data archived from social network Friendster and found that if the company had used certain state-of-the-art prediction algorithms, it could gather sensitive information, such as sexual orientation, about even nonmembers. Meanwhile, Natasha Singer’s column in The New York Times explores how her birthday, information she doesn’t give out online, appeared on a site that lists reporter birthdays. Another Times article looks at the tension inherent in humans’ wishes for privacy and instincts to share. [WIRED] See also: [‘Words With Friends’ Addicts Asked Zynga What It Knew About Them And Got More Than Expected]

EU – Justice Ministers Worry RTBF Is Leading to “Mass Data Erasure”

For the first time, EU justice ministers have “sounded out their political views on the balance between the right to be forgotten and the right to know.” Meeting in Luxembourg, the ministers expressed concern that Google’s compliance with a ruling from the EU’s top court in May requiring it to delete certain search links upon request could lead to a mass erasure of data, the report states. Austrian Justice Minister Wolfgang Brandstetter said, “We can’t leave it up to search engines to decide on the right balance between freedom of expression and a right to be forgotten.” Google’s Eric Schmidt said it would have been helpful if the court was clearer on the details of which delete requests should be honored. [Bloomberg] See also: [Google Notifies NYT of Story Link Removal, Citing RTBF] and [The Economist: Google Continues To Grapple with Right To Be Forgotten Ruling]

WW – Beacon Trial Shows Difficult Balance between Privacy and Personalization

Mothercare, a UK-based baby products retailer, has said it will trial beacons at the beginning of 2015. The goal is to give customers a better in-store experience. Harpinder Singh, a mobile commerce manager for the company, said, “There’s definitely an opportunity here, and because it’s so low-cost, we’re definitely going to a trial at the start of next year,” but added, “it’s a little scary how much you can do” with the technology. Steven Skinner of business technology firm Cognizant said customers need to be reassured their privacy won’t be compromised. “To overcome this, retailers need to educate customers about the benefits this technology offers them and demonstrate the unique benefits they would not get otherwise.” [Computing]

Other Jurisdictions

JP – Court Calls on Google for Right to Be Forgotten

A Japanese court has ordered Google to remove various Internet search results related to a specific Japanese citizen, saying they violate the man’s privacy. The Tokyo District Court issued an injunction ordering Google to delete 120 out of 230 search results that hinted the man was involved with criminal activity, the report states. The man originally filed for the injunction in June, claiming the results endangered his life. His lawyer said, “This is good news for those who feel their lives are threatened and are sickened physically and psychologically by Google’s search results.” [The Wall Street Journal] Minister Yuko Obuchi has announced that Japan’s Ministry of Economy, Trade and Industry will amend its guidelines implementing the Personal Information Protection Law.

HK – Privacy Commissioner Issues Guidance “Banks Must Consider”

Hong Kong Privacy Commissioner Allan Chiang has issued guidance on a number of data protection issues banks must consider. That’s after his office handled 373 data protection complaints about banks in 2013-2014, up from 198 cases the year before. Banks have “been among the top three private-sector organizations being complained about,” Chiang said. The guidance includes instructions on marketing activities, the collection of personal data, cookies and data-retention policies, the report states. “Privacy-assuring banks will enjoy enhanced customer trust and loyalty, thus creating a win-win-win for the customers, their businesses and the banking industry as a whole,” the guide said. [Out-Law.com] See also: A Russian regulator has sent notifications to Facebook, Google and Twitter saying they must register as “organizers of information,” meaning they must store user data locally.

Privacy (US)

US – Following Largest Breach Yet, Obama Now to be Briefed on Cyber-Attacks

Following the JP Morgan Chase breach, “the largest data breach ever,” President Barack Obama will now receive regular updates on foreign cyber-attacks. The breach “now ranks alongside Islamic State group news as a national security concern,” the report states, noting there has been speculation that the Russian government might have supported the attack. Meanwhile, The New York Times reports that, in the coming year, banks in the U.S. are likely to replace debit or credit cards with versions that have tiny computer chips in them in an effort to make shopping at brick-and-mortar stores safer. [International Business Times] See also: [Chase Breach: Fear of Phishing]

US – Privacy advocates sue Pentagon over Internet voting test results

The Electronic Privacy Information Center (EPIC) has filed a lawsuit against the Pentagon under the Freedom of Information Act over online voting experiments. EPIC’s Ginger McCall said, “Voting is an integral part of our democratic system, and it is imperative that the public have information about whether or not e-voting systems are really secure and reliable before they are used or more money is spent on their acquisition.” Meanwhile, a privacy activist is suing the Chicago Police Department for monitoring cell phones. [The Washington Post]

US – Cartoon Network Suit Dismissed; Google Seeks the Same

Developments in two class-action lawsuits. In California, Google has asked a federal judge to dismiss an amended putative class-action that alleges “the tech giant breached user contracts by giving consumer data from Google Wallet users to third-party app developers, saying Tuesday that there is no significant difference from the dismissed, original complaint.” And in Georgia, a federal judge has dismissed a putative class-action alleging that Cartoon Network’s Android app violated the Video Privacy Protection Act and accusing the network “of disclosing its mobile application users’ personal information without consent.” The judge ruled “the shared information wasn’t personal enough,” the report states. [Law360]

US – A Look at Recent Privacy Class-Action Developments

Google will enter into mediation with consumers who alleged the company disclosed their contact information to third parties after various apps were purchased and downloaded. A federal judge approved the order, stating the mediation must begin by 6 February 2015. Meanwhile, eBay has filed a motion to dismiss a class-action that alleges consumer injury sustained after the company’s network was breached in a cyber-attack. Late last week, a California judge approved Vendini’s $3 million class-action settlement in which the ticket-seller was accused of compromising user data when its servers were breached. And Travelers Indemnity has filed a federal lawsuit seeking a declaration that it does not have to defend or indemnify P.F. Chang’s data breach litigation, according to a Law360 report. [Courthouse News Service]

US – Aaron’s to Pay $28.4M; $14M comScore Settlement Finalized

California Attorney General Kamala Harris announced the nation’s second largest rent-to-own chain, Aaron’s, has agreed to pay $28.4 million to settle violations of state consumer protection and privacy laws. The company settled with the Federal Trade Commission last year. “Aaron’s concealed its illegal privacy and business practices from customers in a deceptive attempt to avoid California’s robust consumer protection laws and increase its profits,” Harris said. A company spokeswoman said Aaron’s admitted to no wrongdoing or liability. In related news, a federal judge approved a $14 million class-action settlement with comScore, and the Digital Trust Foundation—created out of the Facebook Beacon lawsuit—is giving away more than $6 million to projects that promote online privacy, safety and security. [Source] [Source]

US – Savage Named Chief Privacy Officer of ONC

The U.S. Department of Health and Human Services’ Office of the National Coordinator for Health IT (ONC) has named Lucia Savage as its new chief privacy officer. Savage is currently a senior associate general counsel at UnitedHealthcare, where she runs a team that works with large data transactions with health information exchanges, transparency initiatives and other data-driven healthcare innovation projects, the report states. The ONC’s Karen DeSalvo said Savage “brings to our team a set of rich experiences at the intersection of health information, privacy and modernizing the healthcare delivery system.” She is set to start on October 20. [Health IT Outcomes]

US – Snowden: Supreme Court Will Strike Down NSA Programs

Senate Judiciary Committee Chairman Patrick Leahy (D-VT) said when the Senate reconvenes next month “it must swiftly take up and pass the USA FREEDOM Act.” He said “there is no excuse for inaction” and that reforms in the bill “are strongly supported by the technology industry, the privacy and civil liberties community and national security professionals in the intelligence community.” Last week, Sen. Ron Wyden (D-OR) and leaders from the tech industry expressed similar calls for surveillance reform. Edward Snowden is “confident” that the U.S. Supreme Court will find mass surveillance programs illegal. Plus, Forbes reviews “Citizenfour,” a documentary about Snowden. [The Hill]

US – NBA Union Wants to Ensure Privacy Is Protected

The National Basketball Players Association (NBPA) is raising concerns about increased tracking and data collection of players through sleep trackers, off-court movement monitors and other mobile sensors that determine players’ health and improve performance. According to the report, the NBPA was not aware of the rapid growth of Internet-of-Things technology and other biometric advances and, thus, had not developed an official position on the data collection. “If the league and teams want to discuss potentially invasive testing procedures that relate to performance, they’re free to start that dialogue,” said NBPA Counsel Ron Klempner, adding, “Obviously, we’d have serious privacy and other fairness concerns on behalf of the players.” Security of the collected data is also mentioned as a concern, the report states. [ESPN]

US – FPF, SIIA Issue Student Privacy Pledge

The Future of Privacy Forum (FPF) and the Software & Information Industry Association (SIIA) have announced a pledge to protect student data. The FPF and SIIA, together with school service providers, educator organizations and other stakeholders including Reps. Jared Polis (D-CO) and Luke Messer (R-IN), have come up with a pledge that includes a promise not to sell student data, behaviorally target students or use student data without authorization. Organizations that have made the pledge include Microsoft, Houghton Mifflin Harcourt and the National Parent-Teacher Association. According to Politico, some privacy advocates have raised concerns about organizations that have yet to sign the pledge, including Apple, Google, Pearson and Khan Academy. [Source] See also: [Toronto school board sets higher targets for students based on race, sexual orientation]

Privacy Enhancing Technologies (PETs)

WW – Money, Interest Continue to Pour in for Privacy-Enhancing Tech

In the blog post “You are not your browser history,” data artist Jer Thorpe discusses our “online doppelgängers” and a new browser extension called Floodwatch. Developed in conjunction with Ellery Royston, Ian Ardouin-Fumat and Ashkan Soltani, Floodwatch allows users to “easily track and analyze their browser-based ad histories.” Meanwhile, Frankly, a mobile start-up that provides self-destructing messaging apps, has secured $12.8 million in funding bringing total funding up to $22 million since its founding. USA Today reports on Authy, a free app that places two-factor authentication on smartphones, and a Fast Company column discusses the case for making encryption the default—a topic featured in a recent Privacy Perspectives post. Plus, Facebook is reportedly working on an app that lets users remain anonymous.

EU – German Start-Up Sees 400% User Growth, Secures $3.2 Million

ZenMate is a Berlin-based start-up that provides users with secure, encrypted access to any website, from anywhere, via a Virtual Private Network-style connection. The start-up secured Series A funding in the amount of $3.2 million this week. Its registered users have grown to more than five million, with a 400% increase in the last six months. Its key markets are Germany, the U.S. and the UK, “and growth in those markets reflects the fact that consumers are growing increasingly concerned about personal data being harvested from web histories by ad firms and that privacy is now a global issue that could have a major impact on e-commerce,” the report states. [Forbes]

WW – New Internet Security System to Revolutionise User Privacy

Researchers have developed a new system that protects Internet users’ privacy while increasing the flexibility for web developers to build applications that combine data from different sites, thus dramatically improving the safety of surfing the internet. According to the researchers at UCL, Stanford Engineering, Google, Chalmers and Mozilla Research, the system, named Confinement with Origin Web Labels (COWL), works with Mozilla’s Firefox and the open-source version of Google’s Chrome web browsers and prevents malicious code in a web site from leaking sensitive information to unauthorized parties. The system also allows code in a web site to display content drawn from multiple web sites – an essential function for modern, feature-rich web applications. The researchers show that the system provides strong security without perceptibly slowing the loading speed of web pages and will be freely available for download and use on October 15 at http://cowl.ws. [Source]

WW – Privacy Products Continue to Proliferate

The “Pretty Easy Privacy” project is a user interface project currently crowdfunding on Indiegogo that aims to make standards like PGP more accessible to ordinary people by removing the need to understand key management. Meanwhile, researchers from Stanford, Google, Mozilla and other firms have built a new system that protects Internet users’ privacy while “increasing the flexibility for web developers to build web applications that combine data from different websites.” And Syme, a social network that gained attention last year for its strong privacy features, has quietly disappeared. [GigaOm]

US – One Firm’s Self-Imposed Privacy-Protective Process: Costly but Worth It

Ad-tech firm 4Info follows a self-imposed, rigorous process to ensure the data it gathers, shares and uses to aim mobile ads at consumers is protected and “near-impossible to connect to an individual.” The company incorporated Privacy by Design and reports it spends at least 30% more to store data in a privacy-safe way than it would otherwise. It does that by “spreading data points associated with a specific user ID across several servers located in multiple physical locations so it cannot be compiled easily into one user profile by outside systems or hackers,” the report states. [Advertising Age]

WW – Messaging App Launches Korean Version to Cash in on Privacy Fears

Privately owned German messaging app Telegram released a Korean-language version on Tuesday to capitalize on a surge in demand from users wary of local apps such as KakaoTalk after the government said it would boost cyber surveillance. Telegram, which advertises its app with the tagline “taking back our right to privacy”, does not have any servers in South Korea, where prosecutors last month launched a cyber monitoring campaign after complaints by President Park Geun-hye. Market research firm Ranky.com said KakaoTalk had in the last week lost 400,000 users, or about 2 percent, of its 35 million or so customers in South Korea. During the same period, Telegram was downloaded by one million Koreans. [Source]

US – Twitter Investing $10 Million in MIT Lab

Twitter is investing $10 million in a lab at the Massachusetts Institute of Technology (MIT) to create platforms for online collaboration between users on civic and political issues. MIT Media Lab’s Laboratory for Social Machines (LSM) will get access to Twitter’s real-time, public news feed and its archives going back to the very first tweet, the report states. The lab will research the potential of social networks “to remake the public sphere.” Additionally, the investment will be spread over the next five years, and the “LSM will have operational and academic independence in its research,” the report states. [Computerworld]


WW – Protect Your Tappable Credit Cards and Personal ID from Wireless RFID Pickpocketing

RFID (Radio Frequency Identification) chip technology has become embedded in passports, health cards, driver’s licenses, grocery store dongles, gas station dongles, debit cards and credit cards in many countries to help us get serviced faster by tapping/waving them when we are buying a coffee, gas or crossing a border. All of the information stored in the RFID chip of our credit cards and personal IDs can easily be sniffed and stolen wirelessly unless we keep them in an RFID signal-blocking protective sleeve, wallet, purse or bag. Your RFID-enabled cards and IDs can get scanned from 4.5 metres away. Here are the manufacturers that list products with RFID signal blocking capabilities:


US – NIST Releases Final Smart Grid Doc, Revised Guidelines on Privacy

The National Institute of Standards and Technology (NIST) has released its third and final version of a document that aims “to help industry transform the more-than-century-old U.S. electrical system into an advanced, interoperable smart grid.” NIST has released version 3.0 of its “Framework and Roadmap for Smart Grid Interoperability Standards,” two years after its second version was published. NIST also published a revision to its “Guidelines for Smart Grid Cybersecurity,” which is an update to the 2010 version. The revision covers regulatory changes involving privacy, among other updates. [NIST Press Release] [FierceGovernmentIT] [Full Story] See also: [Ericsson Buys Bankrupt SmartGrid Tech Company]

US – IT Security Workforce Reaches New High

As IT security employment reaches a record high in the United States, the workforce remains overwhelmingly white and male. And that hasn’t changed in years. Here’s a look at the latest employment numbers from the federal government. “Information security analyst” is the only IT security occupation classification BLS tracks. An annualized 61,000 individuals considered themselves information security analysts during the third quarter of 2014. That includes 59,800 employed and 1,300 unemployed, resulting in an annualized unemployment rate of 2%. Economists generally consider an unemployment rate below 3% as full employment, meaning that a low unemployment rate denotes churn in the marketplaces, not people desperate for a job. During the same quarter in 2013, an annualized 53,500 individuals called themselves information security analysts, with 51,100 employed and 2,000 jobless, and an annualized unemployment rate of 3.7%. Those statistics translate into a 14% gain in the information security analysts’ workforce in just a year, reflecting the growing demand for IT security skills by businesses and governments. [Source]

WW – Researchers Uncover Voice-Activation Flaws

Researchers warn that voice-activated smartphones and other devices can be a significant security risk as some systems responded just as well to fake voices as they did to the voice of the owner. Security firm AVG says this means hackers could use this flaw to send “bogus messages or compromise gadgets in the future.” “Utilizing voice activation technology in the Internet of Things without authenticating the source of the voice is like leaving your computer without a password,” noted AVG Chief Technology Officer Yuval Ben-Itzhak, adding, “everyone can use it and send commands.” [BBC News]

WW – Dropbox Says Account Credentials Taken from Other Services

Several Pastebin posts claim to contain hundreds of sets of login credentials for Dropbox. A note accompanying the posts claims that credentials for nearly seven million accounts were compromised. Some sets have been confirmed as authentic. Dropbox appears to have reset access credentials for all accounts in the posts. Dropbox has issued a statement saying that they were not compromised, and the posted information was taken from other services. [Ars Technica]

WW – Malicious Android App Steals Data

An Android app that appears to be a simple game is actually malware capable of recording audio with infected devices, stealing messages and device data, and gaining root privileges. Gomal may be spreading through unofficial app stores. The malware will steal email from the Good for Enterprise app. Good for Enterprise developer, Good Technology, says that Gomal is a proof-of-concept app presented at Black Hat 2013. [SC Magazine] See also: [HP Will Revoke Certificate Inadvertently Used to Sign Malware]

Smart Cards

US – White House Issues Executive Order to Use Chip and Pin

The U.S. President today signed a new Executive Order directing the government to lead by example in securing transactions and sensitive data. Multiple initiatives are included. The most important is an example of the government leading by example to secure payments to and from the Federal government by applying chip and PIN technology to newly issued and existing government credit and debit cards. [White House]


US – FBI Director Acknowledges Some Warrantless Data Collection, Calls for Updated Wiretapping Laws

FBI Director James Comey has admitted that in some cases, his agency does collect information without a warrant. Speaking at the Brookings Institution, Comey qualified his statement on television news magazine 60 Minutes earlier in the week that the FBI never conducts surveillance without first obtaining a court order. Comey noted that the two types of cases in which the FBI gathers information without a warrant are when consent has been obtained and when conducting surveillance of foreign suspects under Section 702 of the Foreign Intelligence Surveillance Act. Comey also spoke of his concerns that stronger encryption on new iPhones and Android devices will make it more difficult to pursue investigations. He said that the government needs wiretapping powers because CALEA is outdated and has not kept up with changing technology. He did acknowledge that any provision that allows law enforcement to gain access to communications could also be abused by criminals. [NextGov] [NextGov] [DarkReading] Sen. Ron Wyden (D-OR) held a roundtable in a Palo Alto, CA, high school last week with some of the tech industry’s most influential leaders in what he referred to as “one of the first times Congress has focused squarely on the economic impact of the overreach of government intelligence.”

US – New FISMA Regulations Allow DHS to Scan Some Civilian Networks

The US Office of Management and Budget (OMB) is granting the Department of Homeland Security (DHS) authority to scan certain civilian networks for indications of threats. The issue came up after DHS had to get permission from agencies to scan for Heartbleed, which delayed mitigating that threat. New rules for compliance with the Federal Information Security Management Act (FISMA) require the agencies to agree to the DHS scanning. [Federal News Radio] [NextGov] See also: [US – Audio Recording Capability in 2015 Corvettes Could Violate Privacy] and Three New Jersey lawmakers are sponsoring bills to limit access to vehicle black box event recorders.

US – Tech Companies Say NSA Harms Business; Privacy Office Releases Report

The National Security Agency (NSA) privacy office has released a report on the privacy and civil liberties protections under Executive Order 12333, which dates back to 1981 and allows the agency to keep the contents of U.S. citizens’ communications if they are captured “incidentally” overseas. The office said there are multiple privacy safeguards in place. The ACLU has criticized the lack of judicial and congressional oversight. U.S.-based technology companies—including Google, Facebook and Dropbox—are banding together in a roundtable discussion with Sen. Ron Wyden (D-OR) to discuss how foreign companies are using the NSA revelations to gain a competitive advantage over U.S. business. [PC World] Facebook and other tech companies can appeal “bulk warrant” requests from U.S. intelligence agencies.

CA – Twitter Sues U.S. Government Over National Security Data

Twitter is suing the U.S. government in an effort to loosen restrictions on what the social media giant can say publicly about the national security-related requests it receives for user data. The company filed a lawsuit against the Justice Department on Monday in a federal court in northern California, arguing that its First Amendment rights are being violated by restrictions that forbid the disclosure of how many national security letters and Foreign Intelligence Surveillance Act court orders it receives — even if that number is zero. Twitter vice president Ben Lee wrote in a blog post that it’s suing in an effort to publish the full version of a “transparency report” prepared this year that includes those details. Critics of the U.S. government’s secrecy surrounding its national security surveillance activities lauded Twitter’s move. Jameel Jaffer, the ACLU’s deputy legal director, said “challenging this tangled web of secrecy rules and gag orders” was the right move, and he urged other tech firms to follow Twitter’s lead. “If these laws prohibit Twitter from disclosing basic information about government surveillance, then these laws violate the First Amendment,” Jaffer said. “The Constitution doesn’t permit the government to impose so broad a prohibition on the publication of truthful speech about government conduct.” [Source] [Source]

WW – MoFo Launches New Drone Practice Group

Morrison & Foerster has launched a new practice group that collects “the capabilities of attorneys from its aviation, privacy, environmental, product liability and other practices to tackle the challenges presented by the growing use of commercial drones by U.S. companies and others.” The group will include “more than 25 attorneys boasting a range of practice specialties,” the report states. [Law360] Meanwhile, Amazon has announced it is seeking an attorney to fill the corporate counsel role at its Prime Air delivery system, which is currently being developed to “get packages into customers’ hands in 30 minutes or less using unmanned aerial systems.”

US – Public Beacons Make Appearance in NYC, Quickly Taken Down

Beacons—small radio transmitters that can push advertisements to smartphones—were placed in New York City phone booths. Within hours of the report, City Hall ordered Titan, the company that controls the phone booth ad space, to remove the devices. City Hall’s Phil Walzak said, “While the beacons Titan installed in some of its phones for testing purposes are incapable of receiving or collecting any personally identifiable information, we have asked Titan to remove them from their phones.” Some are concerned beacons can be used to track the movement of users. [Buzzfeed] [Buzzfeed] [Polonetsky commentary]

HK – Hong Kong Protests: China May Be Spying With Smartphone Apps

The Chinese government might be using smartphone apps to spy on pro-democracy protesters in Hong Kong, a U.S. security firm said. The applications are disguised as tools created by activists, said the firm, Lacoon Mobile Security. It said that once downloaded, they give an outsider access to the phone’s address book, call logs and other information. The identities of victims and details of the servers used “lead us to believe that the Chinese government are behind the attack,” said a Lacoon statement. [Source]

WW – Good2Go: App Lets Users Give Consent but Raises Privacy Concerns

The new app, which helps two parties gauge their level of intoxication and practice affirmative consent, also requires users to log their phone numbers. This means the company gets information about who a user is hooking up with and when it happened. [Source] Meanwhile, the Justice Department has charged a Pakistani man for the sale of an app that could spy on unsuspecting users, a technology domestic violence activists have tried to stop.

US – Police-Boosted Parental Control App is a Privacy Mess, Says Report

The heavily distributed kid-monitoring software ComputerCop, which many police departments around the US gave to families for free, is doing far more harm than good, a new report by the Electronic Frontier Foundation alleges. An eight-month investigation by the group — a nonprofit that focuses on civil liberties in the digital realm — says ComputerCop, which allows parents and guardians of children to monitor a child’s computer and Internet use, is sketchy in its effectiveness and falls short on protecting user data from spying. The EFF report also alleges that ComputerCop engages in shady business practices to convince law enforcement officials to spend taxpayer money on the software. “Probably the biggest problem of all is that there are law enforcement agencies that aren’t actually paying attention to cybersecurity,” said Dave Maass, who wrote the EFF report. “Some of the biggest jurisdictions in the country are giving out software that makes kids less safe if they use it.” [Source]

Telecom / TV

PH – Philippines’ SIM Card Registration May Be Violation of Privacy

A group of privacy and human rights experts has urged the government to rethink the proposal that requires registration of cellphone subscriber information module (SIM) cards, a move endorsed by the national police force and Malacañang. In a statement, Foundation for Media Alternatives Executive Director Al Alegre said that while addressing crimes is important, the government should rethink how “this policy could be a violation of our citizen’s right to privacy.” “SIM cards registered when it falls into the wrong hands can wrongfully implicate innocent citizens,” Nighat Dad of Digital Rights Foundation Pakistan was quoted in a statement by the Foundation for Media Alternatives. Mr. Dad also warned that precedents exist in his country, saying SIM card registration had become a “new tool for monitoring citizens.” Foundation for Media Alternatives said in a statement that “most countries in Asia don’t have data protection laws that could help secure the collected information from SIM card registration.” [Source] See also: An article in JDSupra explores the ramifications for businesses of California’s “Kill Switch” law.

US Government Programs

US – Government Says Accessing Foreign Servers Without a Warrant is Legal

The US Justice Department maintains that the government can break into servers outside the country without a warrant. The statement is part of a response to a motion from the legal team of alleged Silk Road mastermind Ross Ulbricht, which claimed that the government’s activity violated their client’s Fourth Amendment rights and that all information the government gathered when it accessed Silk Road servers should be suppressed. [Forbes] [WIRED] [Ars Technica]

US – Federal Agencies Seek Advice on Privacy Tech Spending

Several U.S. government agencies are looking for ways to bolster privacy protection by investigating privacy-enhancing technology, and the White House has launched a project to assess federal research in privacy technology. The deadline for comment is October 17 and includes in-house research by federal agencies as well as research conducted by federal contractors and recipients of federal grants. According to an information request published by the National Science Foundation last month, the National Privacy Research Strategy “will establish objectives and prioritization guidance for federally funded privacy research, provide a framework for coordinating research and development in privacy-enhancing technologies and encourage multidisciplinary research that recognizes the responsibilities of the government, the needs of society and enhances opportunities for innovation in the digital realm.” [E-Commerce Times]

WW – Create App-Specific Passwords for iCloud

Apple has long offered two-step verification for iCloud accounts, but the extra barrier for gaining access to your account was limited. The change was prompted after the recent celebrity photo leak. An unfortunate incident spurred Apple to secure users’ iCloud accounts using both two-step verification and app-specific passwords. The change requiring app-specific passwords was put into place on October 1. For those unfamiliar, app-specific passwords are used when an app or service you’re attempting to sign into doesn’t support two-step verification. Instead of forcing you to enter your account password, you create a single-use app-specific password, eliminating any potential for your account to be compromised. Signing into your iCloud account in Outlook, using the Email app on an Android device or a third-party calendar app are all examples of when an app-specific password is going to be required. [Source]

UK – UK Police Say Some Smartphones Have Been Remotely Wiped After Seizure

Police in the UK have reported that several mobile phones in their possession as evidence have been remotely wiped. The feature is designed to prevent owners’ data from being exposed if a phone is stolen. [BBC] [ZDNet]

US Legislation

US – White House Considering Options for Cyber Security Legislation

White House Cybersecurity Coordinator Michael Daniel says that instead of trying to push a single, comprehensive cyber security bill through the legislature, the administration will instead focus on supporting a series of smaller bills that will address the necessary issues. The administration would like to see legislation that paves the way for the Department of Homeland Security (DHS) to work more closely with private companies to protect their systems from attacks as well as clarifying how government agencies work together and with DHS. [USA Today] [Federal Times]

US – CA Gov Signs “Revenge Porn 2.0” While Publishers Sue to Stop Law in AZ

California Gov. Jerry Brown has signed an expanded “revenge porn” law that now includes “selfies.” Existing law made it a misdemeanor to post private or graphic photos with the intention of humiliating those pictured, and SB 1255 expands that to include private images regardless of who took the photo. Brown also signed AB 2643, which allows revenge porn victims to bring civil actions against those posting the images. In Arizona, a group including bookstores, publishers and the American Civil Liberties Union is suing to stop a so-called revenge porn law because it has no requirement for malicious intent and could include images taken in a “commercial or public setting.” See also: UK prosecutors are seeking prison time for revenge porn convictions. [The Sacramento Bee] Patricia Bailin writes about California’s new laws addressing a variety of privacy, security, breach notification and surveillance concerns. See also: California Gov. Jerry Brown has signed a bill that supporters say is the nation’s toughest law on protecting student privacy. California has also passed an expanded “revenge porn” law that now includes “selfies.” Brown also signed a bill that would extend the expiration date of the state’s 25-year-old wiretap law from 2015 to 2020 and vetoed a bill that would have required police to obtain warrants for surveillance via drones. See also: [Anisa Salmi speaks out after nude photos leaked online] California has passed a law that requires schools to discard students’ public posts on social media within a year after a student leaves the district and notify parents that school officials are analyzing social media posts. California has passed a law making it illegal for paparazzi to use drones to take celebrity photographs, while Connecticut’s legislature is making another attempt at regulating drones.

Workplace Privacy

WW – Working Papers Frame the Future of Labor

Data & Society’s Future of Labor project has rolled out working papers exploring the issues raised by the impact of technology on work. The papers, authored by Alex Rosenblat, Tamara Kneese and danah boyd, aim to frame the ways in which data-centric technology is affecting work to assist researchers, policy-makers and activists “who are trying to get a handle on future of work issues,” the report states. The working papers address topics including the automation of hiring via algorithms; the history of using tracking technologies to increase efficiency and measure productivity at the workplace; and the ways robots, drones and other intelligent systems are being integrated into the workforce “in both protective and problematic ways.” [Data & Society]


16-30 September 2014


US – FBI Facial-Recognition Technology Achieves ‘Full Operational Capability’

The Next Generation Identification System, a controversial biometric database that relies heavily on facial-recognition technology, is now fully operational, the FBI has announced. The program is designed to help law-enforcement officials identify criminal suspects, but it has endured repeated scrutiny from civil-liberties groups that say the database will endanger the privacy of everyday citizens guilty of no wrongdoing. The agency announced two new services that complete the database’s “operational capability.” The first, called Rap Back, allows officials to receive “ongoing status notifications” regarding the reported criminal history of people “in positions of trust, such as schoolteachers.” The other newly deployed service is the Interstate Photo System, a facial-recognition program that will allow law-enforcement agencies, including probation and parole officers, to cross-reference photographic images with criminal databases. Privacy groups have repeatedly deplored the FBI’s facial-recognition database as rife with troubling privacy implications. In June, the American Civil Liberties Union, the Electronic Frontier Foundation, and others warned that the facial-recognition program has “undergone a radical transformation” since it was last vetted for privacy concerns six years ago. The lack of oversight, they said, “raises serious privacy and civil-liberties concerns.” No federal laws limit the use of facial-recognition software, either by the private sector or the government. [Source]

CA – Fingerprint, Retina Scans Considered for Border Crossing Security

Canadian and U.S. security officials are considering new advanced technology features, such as fingerprinting and retina scanning, to improve the border crossing between Windsor, Ont., and Detroit. Delegates to the U.S. and Canada Border Conference in Detroit learned how security will change once the new cross-border bridge is constructed between west Windsor and Detroit. Officials spoke of eliminating paperwork, and using mobile apps, self-serving booths and fingerprinting and retina scans as some of the options. [CBC News]

Big Data

US – FTC Warns of Big Data Discrimination

At Monday’s FTC workshop on big data, Chairwoman Edith Ramirez acknowledged that while big data can bring enormous benefits to society, it “also has the capacity to reinforce disadvantages faced by low-income and underserved communities.” Computerworld reports that Commissioner Julie Brill also repeated calls for transparency rules for data brokers and advances in self-regulation by brokers. Participants had varying ideas on how to handle the issues surrounding big data, with some advocating for policy-makers to look at data “situationally” and others saying consumers should have control over their data. Meanwhile, consumer groups and others are urging the FTC to use tools other than its “enforcement hammer to address data security” as large-scale breaches continue. [Source]

US – KPMG Releases Big Data Whitepaper

Consultancy KPMG has released a whitepaper, authored by Greg Bell, Doron Rotman and Mike VanDenBerg, on the privacy and security risks inherent in the use of big data. Navigating Big Data’s Privacy and Security Challenges first helps define big data, then sums up the existing regulatory landscape and identifies the five biggest challenges, ranging from re-identification risk to issues of notice and consent. Finally, the document offers a brief case study on the use of big data at a global telecom firm. [Source] See also: [IOT risk security management and the internet of things] and [The 5 V’s of Big Data…. adding in value] and [Here’s What You Need to Know About Big Data] and also: [Data miners peek into medicine cabinets]


CA – Supreme Court Ruling Not Stopping Police from Warrantless Data Requests

Law enforcement agencies are still making warrantless requests for telecom customers’ personal data months after a Supreme Court ruling appeared to shut down the practice. Police in Canada used to ask telecom companies to voluntarily hand over data on Canadian customers more than a million times per year. In June, the Supreme Court struck down this warrantless method as an invasion of privacy. But while the number of warrantless requests has dropped since the decision, they have not stopped. Key players, including the country’s largest police force and a major telecom, aren’t saying whether they still send or accept them. Another of Canada’s “big three” telecoms, Rogers, started demanding warrants for all requests after the June ruling, known as the Spencer decision. Even after this policy change, the company continues to receive warrantless requests, according to Ken Engelhart, vice-president of regulatory affairs at Rogers. [The Toronto Star] See also: [Geist: An Inconsistent Mess: Government Documents Reveal Ineffective and Inconsistent Policies Amid Widespread Demands for Subscriber Information] and [Canadian cellular carrier TELUS has finally released a transparency report. The company received 103,500 official requests in 2013. Bell is the only major Canadian telecom company left who hasn’t revealed the number of law enforcement or government requests they receive] and [In Canada, you can send a letter to your ISP or cellular provider asking for all of the information they collect and retain about you. In theory. Motherboard wrote about the responses received] and [Telecom firms handed customer info to Environment Canada, other federal agencies] and [Geist: Fed Web Snoops Don’t Have Their Stories Straight]

CA – Inquiry Shows Justice Department Sought Details for Foreign Countries

“The Justice Department asks Canadian technology companies for information on their subscribers dozens of times each year on behalf of foreign countries seeking records from wireless carriers, messaging services and even online dating sites.” That disclosure is according to the response to an inquiry by Liberal MP Irwin Cotler, who sought information from federal agencies “on when and how often they seek subscriber data from various telecom and service providers,” the report states. University of Ottawa Prof. Michael Geist is calling the results an “inconsistent mess,” the report states. The Justice Department’s International Assistance Group indicated between January 1, 2010, and May 22, 2014, “there have been approximately 250 requests made to various service providers including the country’s large telecommunications companies,” the report states. [Source] [Are You ‘Kind Of A Big Deal?’ Dating App For Elites Will Protect Your ‘Personal Brand’]

CA – Privacy Watchdog Investigating RCMP Data Collection

Canada’s privacy watchdog is investigating the RCMP’s warrantless collection of Canadians’ personal data. The Office of the Privacy Commissioner confirmed last week it is formally reviewing the police force’s collection of Canadians’ personal data from telecommunications companies. The findings are expected to be made public in the near future. The RCMP has never met with the privacy commissioner to ensure that its requests comply with privacy laws, according to a recent disclosure to Liberal MP Irwin Cotler. The investigation was launched after the former privacy commissioner, Chantal Bernier, revealed to the Star and the Halifax Chronicle Herald that nine telecoms were asked to turn over user data 1.2 million times in 2011. Authorities in Canada, including the RCMP, routinely sought “basic subscriber information” — names, telephone numbers, address and Internet protocol addresses — without having to obtain a warrant. Public Safety revealed last week that it has met with the privacy office numerous times to attempt to draft a new system of accountability for Canada’s police and spy agencies. “Those provisions would have required that law enforcement agencies and (the Canadian Security Intelligence Service) create written records of each request, conduct regular audits of practices, deliver these audits to responsible ministers, and be subject to review by relevant oversight bodies,” said Public Safety Canada in a disclosure to Cotler. The reform efforts have failed so far. All pieces of legislation that would have enacted the reforms have languished in Parliament and died on the order paper. As such, data requests remain shrouded in secrecy. With the exception of voluntary transparency reports from a handful of telecoms, there is no public disclosure on the volume of requests. Customers are not informed when their data is shared with police. 
Privacy Commissioner Daniel Therrien’s office also confirmed they have launched a review into private Canadians’ complaints about the warrantless access. Those complaints focus on the telecom companies themselves, for voluntarily turning information over to police. [Source] See also: [ON: Privacy commissioner intervening in Peterborough hospital privacy breach case]

CA – Alberta Commissioner Seeks PIPA Amendments

The Commissioner is asking the Government of Alberta to take action to amend the Personal Information Protection Act, pursuant to a decision by the Supreme Court of Canada (which ruled that the Act was unconstitutional, and gave the Alberta Legislature 12 months to bring it in line with the Canadian Charter of Rights and Freedoms). Unless the amendments are made by November 15, 2014, the Act will lapse, causing Alberta to lose the benefits of the law (including mandatory breach reporting and notification to affected individuals, and local enforcement without court involvement). [Source]

CA – Former Commissioner Radwanski Dead at 67

Former Canadian Privacy Commissioner George Radwanski died this past Thursday of a heart attack at the age of 67. Radwanski was the editor-in-chief of the Toronto Star before becoming involved in public policy in the 1980s. He was a speech and policy writer for Jean Chretien, and the prime minister appointed him as federal privacy commissioner in 1996, a post he held until resigning in 2003 amidst a parliamentary investigation for inappropriate spending. He was cleared of all charges of fraud in 2009, but the report notes that his career never recovered from the incident. “I think it was a nightmare for him being charged with anything, and being acquitted I think he thought, ‘Now I’ve been exonerated and now I can re-engage in public life,’ and he didn’t really get a chance to do that,” his son told reporters. [The Canadian Press]


CA – Canadians Anticipate a More Connected World in 2025, But Have Concerns About Security And Privacy

McAfee Canada released findings from its first Safeguarding the Future of Digital Canada in 2025 study, which examines the thoughts and attitudes of more than 500 Canadian consumers concerning technology trends. The study looks at how technology relates to people’s homes, workplace, cars, mobile devices and online security. Canadian consumers believe that technology will significantly change their lifestyle by 2025, but feel hesitant in sharing personal information or adapting to these technologies in fear of their privacy being jeopardized. 66% of Canadians expressed concern over the expected state of cyber security in 2025. [Source]

US – Fitbit Denies Claims It Sells Personal Data

Fitbit, the maker of a popular line of wearable fitness-tracking devices, has issued a statement saying it does not sell personal data to advertisers. The statement responds to a campaign by Senator Charles Schumer for a federal regulation to require companies like Fitbit to let customers prevent their data from being sold. [Wireless Week]


US – Feds Hesitate Moving IT Services to the Cloud

Government agencies know the benefits of cloud computing and want to double its use. But when it comes to migrating applications to the cloud, the majority of feds — 89% — are hesitant to lose control of their IT services, according to a new MeriTalk report. For “Cloud Control: Moving to the Comfort Zone,” MeriTalk surveyed 153 government IT executives closely involved in their agencies’ cloud deployments, and found that only 44% of agencies have “mature” data governance practices in the cloud. When asked how they feel about transitioning IT service to the cloud, 43% of feds compared it to giving their son the keys to a new convertible. This explains why agencies manage 71% of data themselves, whereas cloud vendors manage just 29%. [Source]


US – OTA Releases Email Unsubscribe Best Practices

More than a decade removed from the implementation of the CAN-SPAM Act, the Online Trust Alliance (OTA) has revealed a set of “user-centric unsubscribe best practices.” In May, the OTA called for public comments seeking input on email marketing unsubscribe best practices “with the goal to move beyond regulatory requirements” by gathering feedback from industry and submitters in North America, the EU, New Zealand and Australia. In addition to benchmarking best practices, the OTA aimed to “raise awareness of the issue and provide actionable advice to the email marketing community” as well as “aid consumers and empower them to control their inbox and enhance their trust and confidence in email.” [OTA] See also: [Toronto: Doug Ford’s campaign emails raise privacy concerns, says municipal lawyer]

US – New Overseas Email Act Receives Mixed Reviews

New legislation is aimed at providing greater legal protection for emails held by U.S. service providers overseas. The Law Enforcement Access To Data Stored Abroad Act (LEADs Act) would mandate digital content contained within an account of a “U.S. person” but stored on a server outside of the U.S. be accessible by law enforcement only with a warrant. The catalyst for the bill is the ongoing legal wranglings about email data stored on Microsoft servers in Ireland. Microsoft General Counsel Brad Smith said, “This bill proposes a more principled legal blueprint for balancing law enforcement needs with consumer privacy rights.” The Center for Democracy & Technology’s Greg Nojeim applauded the bill’s “overall thrust” but said he is concerned it applies only to emails held by a “U.S. person.” [Full Story]


WW – Open Source Project Aims to Provide Encryption for Communications

An open source project aimed at providing easy-to-use encryption for email launched on Monday, September 15. The Pretty Easy Privacy (PEP) Project plans to develop the technology to interact with “existing communication tools on different desktop and mobile platforms.” [CSO Online]

WW – Android Phones Will Join iPhones In Offering Default Encryption

The next generation of Google’s Android operating system, due for release next month, will encrypt data by default for the first time, the company said, raising yet another barrier to police gaining access to the troves of personal data typically kept on smartphones. Android has offered optional encryption on some devices since 2011, but security experts say few users have known how to turn on the feature. Now Google is designing the activation procedures for new Android devices so that encryption happens automatically. [Washington Post]

US – New Level of Smartphone Encryption Alarms Law Enforcement

“Moves by Apple Inc. and Google Inc. to put some smartphone data out of the reach of police and the courts are raising alarms inside U.S. law-enforcement agencies, current and former officials say.” [The Wall Street Journal]

US – FBI Director Critical of Default Encryption on Mobile Phones

FBI Director James Comey has expressed concerns about Apple’s and Google’s decisions to increase encryption on mobile devices. Comey said that the new features appear to be “something expressly to allow people to place themselves beyond the law.” [ArsTechnica] [ComputerWorld] [NBC News] [The Register]

WW – IOS 8 Prevents Apple from Accessing Device Data

Apple says that the most recent version of its mobile operating system removes the company’s ability to provide law enforcement with data from devices running iOS 8. Encryption used in this iteration of iOS prevents everyone except the device’s owner from accessing data stored on the device. Apple will still be able to turn over data stored elsewhere, such as in iCloud. However, while Apple may not have the ability to access those data, police could ostensibly retrieve the data from locked devices. [Washington Post] [WIRED]

WW – Apple Will No Longer Unlock iPhones, iPads, Even With Search Warrants

Apple said that it is making it impossible for the company to turn over data from most iPhones or iPads to police — even when they have a search warrant — taking a hard new line as tech companies attempt to blunt allegations that they have too readily participated in government efforts to collect user information. [Washington Post]

US – Apple’s “Warrant Canary” Disappears from Transparency Reports

Apple’s “warrant canary” – a statement in its transparency report that the company has never received an order from the US government under the Patriot Act – is conspicuously absent from the company’s two most recent reports. The report for the first six months of 2014 does say that “Apple has not received any orders for bulk data.” [ZDNet] [Expert: Apple’s health push poses big privacy challenges]

EU Developments

EU – National Parliaments Raise the Pressure on Data Protection

Parliamentary delegations from 16 states call on the EU to adopt its legislative package to protect personal data ‘by 2015’. The 16 countries are: Germany, Austria, Belgium, Croatia, France, Greece, Hungary, Lithuania, Luxembourg, the Netherlands, Portugal, the Czech Republic, Romania, the United Kingdom, Slovakia and Sweden. Spokesperson Viviane Loschetter from Luxembourg said: “It is essential that the adoption happen before 2015: the EU must impose its data protection standards on third countries, otherwise they will do it first. I am thinking particularly of the United States.” [World News Report]

EU – French Crime Database Breaches Privacy Rights, EU Court Rules

Storing someone’s private information in a crime database for 20 years when charges against that person have been dropped violates privacy rights, the European Court of Human Rights (ECHR) ruled in a case brought by a French citizen, Francois Xavier Brunet, against the French government. Retaining his data “could be regarded as a disproportionate breach of Mr Brunet’s right to respect for his private life and was not necessary in a democratic society,” the court ruled. It found this to violate Article 8 of the European Convention on Human Rights, which protects the right to respect for private and family life. France was ordered to pay Brunet €3,000 (about US$3,900) in damages. [Source] SEE ALSO: [Proposed anti-terror law in France would erode civil liberties] and [Austria boosts anti-terrorism measures]

EU – Internet Firms Should be Banned from Building Customer Profiles: Germany

German Interior Minister Thomas de Maiziere says Google and other Internet companies should be banned from building profiles of customers using their personal data, according to this media report. “We need additional tools that enable meaningful use of Big Data but we also need to prevent the creation of customer profiles,” Mr. de Maiziere told the Sunday edition of the Frankfurter Allgemeine Zeitung. He said he wanted to ban Internet companies from gathering customer data and then selling those profiles. [Capital.gr]

UK – Data Guide: Direct Marketing Association

Legislation and codes applicable to marketing in the UK include the Data Protection Act 1998, the Privacy and Electronic Communications (EC Directive) Regulations 2003, the British Code of Advertising, Sales Promotion and Direct Marketing (CAP Code), and the Direct Marketing Association Code; considerations for data acquisition include consent (e.g. obligations to customer at sign-up, channel-specific consent rules, and privacy and data protection notices), cookies, unsubscribe requests, and subject access requests. Considerations for data care include preference services (e.g. TPS, CTPS, MPS, BMPS, and FPS), data sharing, and data security and storage; data usage considerations include privacy impact assessments and anonymisation/pseudonymisation. [Source]

EU – Article 29 Working Party Gives Google Guidelines for Privacy Practices

The Article 29 Working Party (WP29) gave Google a set of guidelines to help the company alter its privacy practices to make them more in line with EU data protection law. The guidelines include a list of measures Google could implement, including disclosing how it collects and shares user data and what other third parties could collect data. Since consolidating its more than 60 privacy policies into one, Google has been under fire from European regulators and has been investigated by six EU countries, including Spain, France, Italy, Germany, the UK and The Netherlands. Google’s Al Verney said the company was open to the regulators’ feedback and future discussions. “We have worked with the different data protection authorities across Europe to explain our privacy policy changes,” he said. [Re/Code]

EU – Article 29 Working Party Releases Guidelines on Handling RTBF Requests

The EU’s Article 29 Working Party released a statement addressing “how search engines are complying” with the European Court of Justice ruling on the so-called right to be forgotten, Bloomberg reports. The data protection authorities said they’ve agreed on a “tool box” on a “coordinated and consistent approach” for handling user complaints “resulting from search engines’ refusals to ‘de-list’ complainants from their results.” Additionally, “it was decided to put in place a network of dedicated contact persons in order to develop common case-handling criteria,” according to the statement. The network will provide a “common record of decisions taken on complaints” and “a dashboard to help identify similar cases as well as new or more difficult cases.” [Full Story] [Bloomberg]

EU – Commission Nominees Grilled by MEPs

A “grilling” of nominees for positions in the next European Commission was conducted by Members of the European Parliament (MEPs), including EU Home Affairs Commissioner Cecilia Malmström, who has been nominated to head up trade. Malmström is under fire for her alleged “soft response” to U.S. spying programs. Malmström has rejected claims that she watered down EU data protection reform. “I have always defended the European data protection proposals, internally and externally,” she said, adding, “These are based on misconceptions or on lies.” Additionally, Günther Oettinger, who has been nominated to be Europe’s new “digital economy and society” chief, is being criticized for his response to the recent hack of celebrities’ photos. [EUObserver]

EU – Group Claims EU Home Affairs Chief Worked With U.S. to Undermine Privacy Reform

Digital rights group Access has said that EU Home Affairs Commissioner Cecilia Malmström, who will be stepping down shortly, secretly collaborated with the U.S. Department of Commerce to water down the EU’s draft data protection reform. Access released an email dated January 12, 2012, claiming it proves the Home Affairs department actively worked to undermine the reforms. “If this assessment is correct,” GigaOm’s David Meyer writes, “the revelation may jeopardize Malmström’s confirmation by the European Parliament as the EU’s new trade commissioner.” The trade commissioner role will play a large part in the upcoming EU-U.S. Transatlantic Trade and Investment Partnership. Her confirmation hearing is set for October 22. [GigaOm]

EU – EDPSA Shortlist Announced

The European Commission has announced its shortlist of candidates for the European data protection supervisor (EDPS) and assistant supervisor positions in a letter to the secretaries-general. “Following a selection process carried out in line with its internal selection and recruitment procedures, the commission decided on 16 September 2014 to adopt the following lists of candidates, in alphabetical order,” the letter states. For EDPS, the finalists are Giovanni Buttarelli, Noëlle Lenoir and Yann Padova. For assistant EDPS, the finalists are listed as Cinzia Biondi, Giovanni Buttarelli and Wojciech Wiewiórowski. [Source]

Facts & Stats

US – Study: Average Budget for a Fortune 1000 Privacy Program?

This spring, the IAPP looked at privacy professionals’ roles in organizations worldwide, the influence they had on budget spending and the areas over which they had primary control. What we found was interesting, but we realized that, as a benchmarking device, it was difficult to utilize. As our members come from all manner of industries, and companies of every size and shape and have roles that range from CPO to outside counsel to HR manager, it was hard to pinpoint just what kinds of privacy programs we were looking at. So we focused more tightly, getting a sample that was alike in crucial ways: All of them were privacy leads at large, private, for-profit firms. And we are beginning to unearth some good benchmarking data. [Full Story]

US – A Day in the Life of a Data Mined Kid

Education, like pretty much everything else in our lives these days, is driven by data. Nearly everything they do at school can be — and often is — recorded and tracked, and parents don’t always know what information is being collected, where it’s going, or how it’s being used. See what a day in the life of a data mined student looks like with our Quantified Student infographic. In most states, the data are fed into a giant database, known as a “statewide longitudinal data system.” Different states collect different elements of personal student data. In the last decade, the federal government has handed states more than $600 million to help them create these databases. A study released last year by Fordham Law professor Joel Reidenberg found that very few school districts explicitly restrict the sale or marketing of student information in contracts with service providers. There are also privacy issues with third-party educational apps, often brought into the classroom by teachers. Those apps may have weak privacy policies, or, in some cases, none at all. Experts say the growth of technology in schools is happening faster than we can keep up with it. The larger concern, he says, is that connecting all those dots can create a profile of a student that can follow him from kindergarten through college. Maybe even into the workforce. It’s the prospect of that permanent data trail, say privacy advocates, that makes it so important that schools, teachers and parents wrestle with student data issues now. [Source] See also: [Canada: Graphic Back to School Tips from Privacy Commissioner] [Why Ed Privacy Laws Should Open the Eyes of All Privacy Pros]

US – Privacy Concerns Arise Over Tech in Classrooms

California lawmakers ban the sale and disclosure of data related to K-12 students. At a New York state elementary school, teachers can use a behavior-monitoring app to compile information on which children have positive attitudes and which act out. In Georgia, some high school cafeterias are using a biometric identification system to let students pay for lunch by scanning the palms of their hands at the checkout line. And across the country, school sports teams are using social media sites for athletes to exchange contact information and game locations. Technology companies are collecting a vast amount of data about students, touching every corner of their educational lives — with few controls on how those details are used. Now California is poised to become the first state to comprehensively restrict how such information is exploited by the growing education technology industry. Lawmakers in the state passed a law last month banning educational sites, apps and cloud services used by schools from selling or disclosing personal information about students from kindergarten through high school; from using the children’s data to market to them; and from compiling dossiers on them. The law is a response to growing parental concern that sensitive information about children — like data about learning disabilities, disciplinary problems or family trauma — might be disseminated and disclosed, potentially hampering college or career prospects. Although other states have enacted limited restrictions on such data, California’s law is the most wide-ranging. California lawmakers did make some concessions to industry. An exception in the legislation, for instance, allows companies to use student data for “legitimate research purposes.” “The bill sets a standard that is applicable to the larger privacy debate,” Steinberg said. “Personal information should only be used for other purposes with the permission of the individual.” [The New York Times]

US – Employee Errors Cause Most Breaches; Malware Breaches Cost the Most

Amidst the latest breach-related announcements, including reports that Home Depot’s recent breach affected 56 million payment cards, Beazley Breach Response Services released its analysis for more than 1,500 data breaches from 2013 and 2014. The results, released at the IAPP Privacy Academy and Cloud Security Alliance Congress, indicate the two most common sources of breaches are unintended disclosure—like misdirected emails and faxes, which account for 31%—and the physical loss of paper records, accounting for 24%. [Full Story]

WW – Scientists Support Ethics Guidelines

Findings from a Revolution Analytics survey of 144 data scientists revealed that many believe big data research needs a set of ethical guidelines. Nearly half of those surveyed believed the recent Facebook emotion contagion experiment was unethical. “Statisticians and data scientists have an important role to play in the practices and standards around handling and analyzing data in the world at large,” said Revolution Analytics Chief Community Officer David Smith, “my hope is that web and technology companies will involve data scientists more in analyzing the data that they collect.” [InformationWeek]


CN – DuckDuckGo Joins Google in Being Blocked In China

“DuckDuckGo joins Google in being censored and blocked in the nation. Google, after years of being throttled by China’s Great Firewall since the web giant turned off its mainland China servers in 2010, was finally blocked totally in June this year. Only foreign search engines that have Chinese servers, such as Bing and Yahoo, work in China. But, operating under Chinese media laws, both Bing and Yahoo heavily censor their search results – in contrast to Google and DuckDuckGo.” [Tech in Asia]


US – GAO: CFPB Needs Data Protection Plan

The Consumer Financial Protection Bureau (CFPB) collects financial data on millions of U.S. citizens, but a report released Monday by the Government Accountability Office (GAO) suggests the CFPB “lacks a plan to adequately protect it.” The GAO’s primary privacy concern is the lack of written data collection and security procedures, the report states. “The GAO’s report recognizes that the bureau collects data on a scale similar to other regulators and uses that data to carry out its mission to protect consumers,” a CFPB spokesman said, adding, “The CFPB agrees with the GAO’s recommendations, which focus primarily on documentation of processes related to data collection.” [National Journal]

US – FTC Submits Comments on Mobile Financial Services to CFPB

An FTC press release has announced the agency has provided comments to the Consumer Financial Protection Bureau (CFPB) on mobile financial services in response to a CFPB request for information on the topic. FTC staff highlighted five consumer protection issues in the mobile financial sphere, including liability for unauthorized charges, unfair billing practices, the privacy of consumers’ financial and personal data, the security of that data and the potential use of personal and financial data by data brokers and other third parties. [FTC Press Release]


CA – Privacy Watchdog to Probe Handling of Minister’s Expenses

Canada’s Privacy Commissioner, and possibly its Information Commissioner, are investigating a federal department’s handling of Access to Information requests for Alberta Premier Jim Prentice’s expenses from when he was a cabinet minister in Ottawa. In a letter sent to NDP MP Charlie Angus, Claude Beaulé, a senior investigator in Privacy Commissioner Daniel Therrien’s office, confirms a “complaint file has been opened.” The Canadian Taxpayers Federation, meanwhile, said it had complained to Canada’s Information Commissioner about the case, and was told an investigation would be conducted. A CTF official was among those who made the original requests for Mr. Prentice’s expenses, which were initially said to have been destroyed. A spokesperson for the Information Commissioner said earlier this month the office would not confirm if it was conducting an investigation. [Source] See also: [Toronto trustees expense everything from $28 cookies to $4,000 walking tours of Israel – Documents reveal how Toronto District School Board trustees have been spending taxpayer dollars]

CA – Revoking ISIS Passports: Government Refuses to Disclose Numbers

Despite repeated queries from CBC News, Immigration Minister Alexander’s office has refused to reveal just how many passports have been seized since 2002, citing privacy concerns. Instead, they directed questions to the Canada Border Services Agency, which has yet to respond. Outside the Commons, Alexander cited privacy and security concerns for his refusal to release numbers. According to government records, since 2003, just 40 now-former Canadians have had their citizenship formally stripped after it was determined that they had obtained it by false representation or through other fraudulent means. The new provisions, which give the minister the power to revoke citizenship for terrorism-related offences, have not yet been tested. Unlike passport revocation, those numbers — but not the names of the individuals themselves — are available, as such decisions are cabinet orders, and are published on the Privy Council Office website. [CBC News]


US – Genetics Testing Company Reverses Plans for Privacy Changes

Personal genetics testing company 23andMe is reversing its plans to make a major change to its privacy settings. It was recently reported that the company was planning to alter its user settings in a way that would give people less control over the results genetic tests would reveal about them. While it used to employ an opt-in system that would allow 23andMe to reveal close DNA relatives, it planned to change that to automatically opt new customers into the system. However, the company has since decided to reverse that decision as well as hire a chief privacy officer as a result of some backlash over the proposed changes. IAPP President and CEO Trevor Hughes discussed the privacy implications of such genetic work, even when consent is given. [VOX]

Health / Medical

US – Developers Seek HIPAA Clarity for Apps

A group of app developers have sent a letter seeking clarity on the Health Insurance Portability and Accountability Act (HIPAA). Startups including CareSync, AirStrip and AngelMD sent a letter to Rep. Tom Marino (R-PA) to express their frustration at the limited online resources to help app developers navigate the complex HIPAA mandate. They said they are struggling to compete with larger vendors that have greater resources to hire lawyers and consultants. Regulators “have not kept pace with the rapid growth of technology that gives users greater access to healthcare providers and more control over their health information,” they wrote. Meanwhile, Fitbit has hired a lobbying firm to work on consumer privacy and healthcare issues a month after Sen. Charles Schumer (D-NY) criticized its data collection practices. [Reuters]

US – GAO Report: Healthcare.gov Has Privacy, Security Vulnerabilities

The main website for the Obama administration’s health insurance exchange, Healthcare.gov, has several privacy and security vulnerabilities, according to a GAO report. The GAO also noted that moves by the Centers for Medicare & Medicaid Services to protect privacy and security have not mitigated vulnerabilities in the management of security and privacy. “Until these weaknesses are addressed, increased and unnecessary risks remain of unauthorized access, disclosure or modification of the information collected and maintained by Healthcare.gov,” the GAO report states. Reuters reports on Sen. Lamar Alexander’s (R-TN) criticism that the administration launched the site “knowing that the personal information of Americans who bought insurance through the website was not safe.” [Full Story]

US – HHS Releases HIPAA Guidance on Same-Sex Couples

Healthcare Info Security reports the Department of Health and Human Services (HHS) Office for Civil Rights has developed guidance on how the HIPAA Privacy Rule affects married same-sex couples to assist covered entities and business associates (BAs) “in understanding how the 2013 decision by the Supreme Court in United States v. Windsor may affect certain of their HIPAA Privacy Rule obligations.” The Windsor ruling requires covered entities and certain BAs “consider lawfully married same-sex spouses to have the same rights under the HIPAA Privacy Rule as opposite-sex spouses,” the report states. The guidance states “spouses include … individuals who are legally married, whether or not they live or receive services in a jurisdiction that recognizes their marriage.” [Source] See also: [County health department takes major tech step forward on privacy] See also: [Rob Ford Tumour Diagnosis: Do Politicians Have A Right To Medical Privacy?]

WW – Merck Finds Patients Willing to Sell Access to Data

A survey conducted by Merck, and outlined in a paper in The American Journal of Accountable Care, judged willingness of patients to have their tumors sequenced and the data studied in exchange for payment. Sixty-three of the 64 patients surveyed were willing to share their data as long as they retained data ownership and only shared the data with the entity that paid for it. “While the model would still involve significant outlay,” the report notes, “the authors think it would be cheaper than assay development.” Meanwhile, the California Supreme Court has agreed to hear a case that would determine whether healthcare regulators violated the state Constitution’s privacy clause when they accessed a local doctor’s prescribing records as part of an investigation into claims of unprofessional conduct. [FierceBiotechIT]

US – Hospital CIO Shares How They Fought Attacks from Anonymous

Boston Children’s Hospital senior VP for information services and CIO Dr. Daniel J. Nigrin shares how his organization defended itself against a series of attacks launched earlier this year. The hospital received a warning about the attacks several weeks before they began. The hospital incident response team prepared for the attacks along with the IT department. They managed to fend off a series of distributed denial-of-service (DDoS) attacks for a while, but when those reached a certain level of intensity – 27 Gbps – the hospital called in third-party help. The attacks affected the hospital’s external websites and networks. When Nigrin saw what was happening, he shuttered all the websites and took down email service. Employees communicated through a secure messaging application. [CSO Online]

WW – Pilot Program Allows Patients Choices on Which Data to Share With Doctors

Five behavioral health patients in Maryland have volunteered to participate in a federally organized five-month pilot project in which they pick and choose what information they want to share with their primary healthcare physicians via software called Consent2Share, a practice one public health official says is indicative of a more general paradigm shift, Modern Healthcare reports. The pilot is one of a series hosted by the Office of the National Coordinator for Health Information Technology in an initiative called Data Segmentation for Privacy. Meanwhile, a Canadian start-up plans to offer personal health assessments based on wearable sensor data and public health data sets. [Modern Healthcare]

Horror Stories

US – Home Depot Breach Put 56 Million Payment Cards at Risk

“Home Depot announced that a breach at its U.S. and Canadian stores over a six-month period this year may have put an estimated 56 million payment cards at risk.” “That would make it the largest compromise of debit and credit cards in the string of cyberattacks that have hit retailers over the past year.” [Washington Post] [Analysis: Home Depot Breach Details]

US – Ex-Employees Say Home Depot Ignored Early Warnings; Class-Action Filed

Former members of Home Depot’s cybersecurity team have said that the high risk of cyber-attack was evident as far back as 2008. In interviews after the company experienced the largest retail data breach ever, the former employees said outdated software was being used to protect its network. And, a computer engineer hired to oversee security has been sentenced to jail for “deliberately disabling computers at the company where he previously worked,” the report states. Meanwhile, Toronto law firm McPhadden Samac Tuovi LLP has filed a class-action against Home Depot of Canada and its American parent, The Home Depot, Inc., in the Ontario Superior Court of Justice. [New York Times] See also: [Steven Lozanski v. Home Depot Inc. – Court File #CV-14-51262400CP – Ontario Superior Court of Justice]

US – Following Breach, Report Shows Home Depot Has $105 Million in Coverage

Following news of a data breach last week, Business Insurance reports Home Depot has a total of $105 million in cyber coverage. American International Group provides $10 million of primary coverage, followed by Zurich Insurance Group providing $20 million and Liberty Mutual Insurance providing $15 million, among others. Home Depot is likely to point to the Supreme Court’s Clapper ruling to fend off class-actions, but attorneys say plaintiffs are “quickly learning that they can bypass the defendant-friendly 2013 decision by proving that their data has been misused or that they relied on false security pledges.” [Business Insurance]

WW – TripAdvisor Customer Data Compromised

Viator, a website recently acquired by TripAdvisor, has learned that a breach of a payment card service provider’s system exposed customer data. The breach affects approximately 1.4 million customers. Viator learned of the breach after investigators looked into fraudulent payment card transactions that led back to the website. [NextGov] [The Register]

US – Jimmy John’s Confirms Data Breach

US sandwich restaurant chain Jimmy John’s has acknowledged that a payment vendor’s data breach compromised customer payment card information. The incident affects transactions at 216 stores between June 16 and September 5, 2014. [Krebs] [DarkReading] [Darkreading]

JP – Japan Airlines Data Breach

Japan Airlines (JAL) has confirmed that a cyber attack compromised personal information of as many as 750,000 customers. The incident involved unauthorized access to a JAL database from an external server.

The compromised data include names, addresses, and workplaces. The malware appears to have infected 23 computers and did not affect financial information. The attack is believed to have gained purchase through a phishing attack and may have remained undetected for over a month. [SC Magazine] [ZDNet]

WW – Breach Roundup

Data loss incidents and breach headlines, including a lawsuit against six Mississippi hospitals following a breach of sensitive patient information, are causing experts to weigh in with tips on why breaches happen, best practices in the event of a breach and complying with data breach laws. Mondaq reports on Florida’s Information Protection Act of 2014, which amended Florida’s breach notification statute, while TechTarget offers recommendations for “best practices” in reporting breaches. CSO examines “why retailers get hacked,” quoting one expert’s suggestion that retailers and their marketing firms must recognize some information is “just too dangerous to have.” And research from Protiviti suggests, “Businesses are failing to maintain proper security and are still not managing data properly, when looking at the big picture.” [ITProPortal]

Identity Issues

CA – Ping Identity Scoops $35m to Authenticate Everywhere

Identity provider Ping Identity has secured $35m in funding, bringing the total funding for the company to $110m. The market for identity assurance is booming as more customers carry out transactions online. Third-party vendors such as Ping Identity are in competition with existing vendors such as Facebook and Google, who are also developing in this space. Forbes predicts “it will be a third party approach that straddles all the different vendors that will win”. [Forbes]

Internet / WWW

WW – Yahoo Slams New ‘Digital Will’ Law; Users Have Privacy When They Die

What should happen to your personal digital communications—emails, chats, photos and the like—after you die? Should they be treated like physical letters for the purposes of a will? Yahoo doesn’t think so. The company is criticizing new legislation giving executors charged with carrying out the instructions in a person’s will broad access to their online accounts. The legislation aims to tackle the sensitive question of what to do when someone’s online accounts on sites like Facebook, Google or Yahoo outlive them. This past summer, Delaware signed into law the Fiduciary Access to Digital Assets and Digital Accounts Act. It was modeled after legislation approved earlier by the Uniform Law Commission, a nonprofit group that drafts and lobbies for new state laws. In Delaware, the measure removes some of the hurdles that an estate attorney or other fiduciary would otherwise have to go through to gain broad access to the deceased’s online accounts. “A fiduciary with authority over digital assets or digital accounts of an account holder under this chapter shall have the same access as the account holder,” the law states. That expanded access violates the initial agreement users entered into when they started using Yahoo’s services, the company said Monday in a blog post. “When an individual signs up for a Yahoo account, they agree to our terms of service, which outlines that neither their account nor the contents of their private communications are transferrable at the time of death,” wrote Bill Ashworth, Yahoo’s senior legal director of public policy. Delete, not transfer. Yahoo’s terms of service say it may delete an account and all of the account data, if it’s shown a copy of the person’s death certificate. [Source]

US – What Impact Will “Cyborgization” Have?

A new paper from the Brookings Institution explores the privacy impacts of a trend of “cyborgization”—using cell phones and wearable devices as an extension of ourselves. “Should we recognize our increasing cyborgization as more than just a metaphor, given the legal and policy implications both of doing so and of failing to do so?” Benjamin Wittes and Jane Chong write in the paper. The trend raises questions about privacy, access, discrimination and other issues, the report states, noting, “This cyborgization of the populace, the authors say, could have immediate and significant effects on the law especially around surveillance.” [FierceGovernmentIT]

Law Enforcement

CA – Toronto Police to Wear Body Cameras in Test Project

By the end of the year, 100 Toronto police officers are expected to be sporting body-worn cameras as the force launches a one-year pilot project testing the increasingly popular — and at times, controversial — policing tool. Major details are still being hammered out, including where the cameras will be worn, when the cameras will record, and what the final price tag will be, but the Toronto Police Service plans to equip officers in four areas of the city with cameras by mid-December, according to a Request for Proposals seeking a supplier for the cameras and software. The pilot project comes after numerous reports and recommendations suggesting that the cameras, usually affixed to an officer’s lapel, glasses or police cap, could improve police accountability and reduce the use of force by officers. But the president of the Toronto Police Association, Mike McCormack, says numerous concerns will need to be addressed before rank-and-file officers get fully on board. “We want to see sound policies around not only the implementation, but when are they going to be used, what about privacy rights for citizens, what about privacy rights for police officers, and what are we trying to capture with these lapel cameras?” McCormack said. The 2012 Police and Community Engagement review (PACER) was the first Toronto report to recommend that police adopt body-worn cameras, a recommendation echoed in this summer’s review of police interactions with people in mental crisis, penned by retired Supreme Court justice Frank Iacobucci. In his report, Iacobucci cited research indicating the cameras decrease complaints against police, “in part because police have an additional incentive to treat people respectfully, and also because individuals are deterred from bringing false allegations against police.” [Source]

US – New Radar Gun to Help Police Detect Texting Drivers

Police may soon have a new weapon in their efforts to prevent drivers from texting while on the road. A Virginia company is working on a device that detects the radio signals sent out from a vehicle when someone inside is using a cell phone. The technology is able to differentiate text messaging from phone calls. Virginia law allows adults to talk on a cellphone while driving, but not send text messages. The device is not yet ready for production. It still needs legislative approval and a commitment from law enforcement. [CBS-DC]


AU – Information Commissioner Updates Guide for Mobile App Developers

New content has been added to the guide for mobile application developers that discusses the preparation, implementation and regular updating of a data breach policy and response plan. To aid app developers in creating a breach plan, additional information regarding data breaches can be found in the Guide to Information Security and the Guide on Data Breach Notification. [Source]


NZ – Snowden Says New Zealand Lied About Mass Surveillance Activities

Snowden wrote a thing for The Intercept ahead of New Zealand’s election alleging the country is lying about its use of and role in developing mass surveillance technology. Meanwhile, a new report says that Snowden’s leaks haven’t really made life easier for terrorists, despite frequent claims to the contrary.

Online Privacy

WW – Apple CEO Tim Cook’s Open Letter on Privacy

Apple launches a new web site making privacy a key part of its brand values. An ‘Open Letter’ from Apple CEO Tim Cook says: “We believe in telling you up front exactly what’s going to happen to your personal information and asking for your permission before you share it with us. And if you change your mind later, we make it easy to stop sharing with us. Every Apple product is designed around those principles. When we do ask to use your data, it’s to provide you with a better user experience.” It goes on: “Our business model is very straightforward: We sell great products. We don’t build a profile based on your email content or web browsing habits to sell to advertisers. We don’t “monetize” the information you store on your iPhone or in iCloud. And we don’t read your email or your messages to get information to market to you. Our software and services are designed to make our devices better. Plain and simple.” It’s really hotting up now! [Apple]

WW – Facebook Testing Update Option with Expiration Dates

Facebook is currently testing a new option that would allow users to place an expiration date on a given post, ranging from one hour to one week. The move comes as employers, attorneys and law enforcement officials increasingly use social media posts to make hiring and other decisions. “It’s interesting to me because Facebook used to push this idea that our cultural notions of privacy were changing and that people should share things all the time. People reacted poorly to that,” said University of Maryland Human-Computer Interaction Lab Director Jennifer Golbeck. “But in the last six months or so, they’ve started coming around to the idea that people still want to do things privately.” [Bloomberg Businessweek]

WW – Facebook Takes Vault of Consumer Data to the Masses

Using the vast amount of data it has gathered from its 1.3 billion users, Facebook has made itself the number-two digital advertising platform in the world. Now, it’s going to take its targeted ads to the rest of the Internet, rolling out its ad platform, Atlas, which will allow marketers to use the social networking site’s detailed knowledge of users to target ads to users on other websites and mobile apps. Meanwhile, U.S. Federal Trade Commission Chief Technologist Latanya Sweeney writes in a new blog post on the ramifications of the decisions ad networks are making. [The New York Times] See also: [The ‘hot’ new thing on Tinder: Posting photos of your resume and bank account instead of your face]

US – Lawyers Seeking Telematics Data

Lawyers are turning increased attention to the data gathered by vehicle telematics systems, seeing “the data as a puzzle piece in building court cases.” The report suggests this attention indicates “privacy concerns raised about telematics data won’t go away soon. At the least, the industry’s quest to be closer to consumers through telematics has created new responsibilities involving data management.” Don Slavik, a product liability lawyer, said, “It introduces some questions of privacy issues that people aren’t aware of … We’ve just learned about the large volume of data going through systems. Not just one or 10 or 20 pieces of data, but thousands of pieces of data that are reported.” [Automobile News]

Privacy (US)

US – Study: What “Reasonable” Privacy and Security Means to the FTC

A new study from the Westin Research Center looks at the “reasonable” components of a privacy and data security program as interpreted from more than 40 FTC enforcement actions. Part of the IAPP’s ongoing FTC Casebook project, this report by Westin Fellow Patricia Bailin is meant to help shed light on what an acceptable level of privacy and data security could be, even as companies litigate the issue with the FTC in federal courts. [Source] See also: [Artificial Intelligence Is Doomed if We Don’t Control Our Data]

US – Rep. Wants Hearing to Look at Health Breach

Rep. Elijah Cummings (D-MD) has sent a letter to Rep. Darrell Issa (R-CA), chairman of the House Committee on Oversight and Government Reform, requesting that a bipartisan hearing be held to look at the causes and effects of a breach at Community Health Systems reported last month. Cummings said cybersecurity threats are an ongoing problem and an investigation of the breach would help the committee “learn from these witnesses about security vulnerabilities they have experienced in order to better protect our federal information technology assets.” [FierceHealthIT]

US – Justice Sotomayor Worried About Drones

Speaking to students and faculty at the Oklahoma City University’s law school, Supreme Court Justice Sonia Sotomayor said we are seeing “frightening” changes in surveillance technology and that citizens should get more engaged in the privacy debate. She said drone technology, for example, should “stimulate us to think about what is it that we cherish in privacy and how far we want to protect it and from whom,” adding, “people think that it should be protected just against government intrusion, but I don’t like the fact that someone I don’t know … can pick up, if they’re a private citizen, one of these drones and fly it over my property.” [The Wall Street Journal]

US – TRUSTe Announces DPM Platform

TRUSTe has announced the launch of its comprehensive end-to-end data privacy management solution, the TRUSTe Data Privacy Management (DPM) Platform, which includes automated capabilities to assess and manage privacy risks, implement compliance controls and ensure ongoing monitoring. TRUSTe CEO Chris Babel notes, “Developed in consultation with our extensive enterprise customer-base, the new TRUSTe DPM Platform puts privacy professionals in the driver seat giving them full control of data privacy management, automating processes and increasing productivity as they manage their global privacy initiatives from a single dashboard.” [Press Release]

US – Judge Dismisses Neiman Marcus Class-Action

An Illinois federal judge has thrown out a proposed class-action lawsuit alleging Neiman Marcus Group negligently failed to protect 350,000 customers’ credit card information prior to a 2013 hack into the department store’s servers. U.S. District Judge James B. Zagel ruled the plaintiffs lacked standing under Article III, stating he “wasn’t convinced unauthorized credit card charges for which the plaintiffs would be reimbursed qualify as concrete injuries warranting Article III standing,” the report states. [Law360]

US – Facebook Wins Appeal

Facebook’s appeal against law enforcement’s collection of bulk user data has been accepted. The New York State Supreme Court ruled against a government request to dismiss the appeal and accepted briefs in support of Facebook from groups including Google and Microsoft. “Facebook is asking for the return or destruction of the data and also wants a ruling on whether the warrants are in violation of the Fourth Amendment,” the report states, and is also asking the court to determine whether the warrants’ gag provisions violated the Stored Communications Act. [PCWorld]

US – Courts Aren’t Recognizing Harm, But Breach Cases Keep Coming

George Washington University Law School’s Daniel Solove, founder of TeachPrivacy, notes in a blog that the law has not been kind to plaintiffs in data breaches. “The fact is,” he writes, courts “don’t recognize harm. Generally, we make those who cause wide-scale harm pay for it … But when a company loses data about a lot of people … the courts frequently say ‘no harm, no foul.’ Yet the lawsuits keep coming. Why?” Solove highlights a paper, Empirical Analysis of Data Breach Litigation, outlining some conclusions it makes, such as “data breach lawsuits lacking actual harm or class certification are almost as equally likely to reach settlement as dismissal.” Solove writes, “This research study shows that parties are bargaining around the legal system to make it go away.” [Source]

US – As Ad Industry Capitalizes on Tracking, One Scientist Looks at the Effects

The Economist reports on surveillance as the advertising industry’s new business model. Internet ads now account for around a quarter of the $500 billion global advertising business, and companies are able to capitalize on data they collect from users based on what sites they visit and what they click on. But users should be able to find out if they’re being tracked and what information is being stored on them and be able to stop it if they wish, the report states. Meanwhile, computer scientist Roxana Geambasu of Columbia University has recently developed software which uses a series of “shadow accounts” to see how ads change for a user when certain phrases are used. [Full Story]

US – Privacy Pathways Training Program Launched

The Privacy Pathways program, piloted through partnership with schools like the University of Maine School of Law and the High Tech Law Institute at Santa Clara Law, aims to give students access to privacy training and discounts on exams, publication opportunities and connections to the IAPP member community through internships and externships. At this week’s Privacy Academy and CSA Congress, the IAPP announced the program is expanding rapidly, with the addition of the Privacy and Technology Project of the Institute for Innovation Law at UC Hastings College of the Law in San Francisco, CA, and the University of Washington. [Full Story]

US – Yelp Agrees to $450,000 Settlement with FTC

Yelp has agreed to settle charges brought against it by the FTC and pay $450,000 for accepting registrations from children under the age of 13 in its app. In 2009, the company introduced a registration feature in its app that allowed users to create new accounts “but failed to implement a working age-screen mechanism in the new in-app registration feature,” the report states. In turn, data was collected about children through the app. Yelp wrote about the settlement in a blog post and has agreed to destroy the personal information of children collected by the bug within 30 days of the service of the order. [PCWorld] See also: [StubHub Case Rejected: a California judge rejected a proposed $2 million settlement between StubHub and a class of 69,000 customers] and also: [Google Class-Action Dropped: a group of Android users who brought a class-action against Google have dropped their case] and also [The EU will approve Facebook’s $19 billion offer for messaging service WhatsApp]

US – Hoffman Named 2014 IAPP Privacy Vanguard, Calls on Privacy Pros To Promote Ethical Use of Data

Computing has become so sophisticated that, if used correctly, it could solve many of the very real problems we face in areas like healthcare, education and renewable resources. But progress can only be made if the data we collect and compute is used correctly and ethically, and privacy professionals have an obligation to fight for that. That was the call-to-action David Hoffman made from the stage at the IAPP’s Privacy Academy in San Jose, CA, just after he accepted the 2014 IAPP Privacy Vanguard Award. “The public needs to understand that our organizations can be trusted,” Hoffman said. [Full Story]

US – Microsoft Privacy, Security Work to Become Part of Cloud, Legal Groups

Microsoft has announced its Trustworthy Computing group will no longer be a stand-alone entity, with the unit’s work on privacy, security and related issues being folded into Microsoft’s Cloud & Enterprise Division and Legal & Corporate Affairs, GeekWire reports. Microsoft indicated one of the goals “is to integrate the Trustworthy Computing work more tightly into Microsoft’s engineering teams,” the report states, noting a portion of the group will report to Microsoft General Counsel Brad Smith and another to the Cloud & Enterprise Division’s Scott Guthrie. [Source]

WW – Jepsen Questions Apple Watch; Apple Lobbies Congress on Health Privacy

Connecticut Attorney General George Jepsen has sent a letter to Apple requesting a meeting to discuss his concerns about how the company will collect, store and process personal health information generated by its forthcoming Apple Watch. Jepsen noted he was not accusing Apple of any violations but attempting to open a dialogue. Meanwhile, Apple has sent a cadre of executives to Capitol Hill to address the emerging privacy and security concerns a week after it unveiled a slew of new products and services, Politico reports. Apple’s chief technology officer and health product manager have briefed the House Energy and Commerce Committee to “provide an overview of Apple’s new offerings, demonstrate the new products and discuss how Apple sees this market developing.” [PC World]

US – Apple Makes Bold Privacy Statement

With a letter from CEO Tim Cook posted at the top, Apple released today a new privacy notice, which includes “a detailed look at how we protect your privacy.” Perhaps most notably, Apple is committing to technology that will make it impossible for the company to read the contents of iPhones or iPads upon government request. Further, declared Cook, “I want to be absolutely clear that we have never worked with any government agency from any country to create a backdoor in any of our products or services. We have also never allowed access to our servers. And we never will.” In another sign of the company’s commitment to privacy as a business driver, Apple, along with Box, announced via TRUSTe that it is Asia-Pacific Economic Cooperation-certified. [Full Story]

US – Mining WiFi Data: Retail Privacy Pitfalls

To compete with large online sites, more brick-and-mortar retail outlets are exploring in-store tracking. This feature looks into the practice to see whether retailers are going too far. “Two years ago, nobody wanted to put WiFi in their stores to give customers a way to window shop,” said General Datatech Senior Wireless Engineer Ryan Adzima. “Now they have a massive incentive because they’ll see you going to Amazon or other competitors; they’ll see your buying history, and they can target you more specifically and draw you away from competitors.” [InformationWeek]

Privacy Enhancing Technologies (PETs)

WW – Privacy Technology Everyone Can Use Would Make Us All More Secure

Cory Doctorow argues privacy-enhancing technology has long been unnecessarily difficult to use for the common person. In doing so, he announced SimplySecure.org, a nonprofit that he’s advising and which “collects together some very bright usability and cryptography experts with the aim of revamping the user interface of the Internet’s favorite privacy tools.” He also reaches out to those who haven’t shown an interest in privacy until now: “If you were lucky enough to be born with the unearned privilege of having ‘nothing to hide,’ then you owe it to your children, brothers, sisters, parents and friends who don’t have your good fortune to help provide cover for them.” [The Guardian]

WW – Nokia Position Paper Highlights the “Privacy Engineer”

Privacy by Design and legislative developments in privacy are valid, says a paper from Nokia entitled “Privacy Engineering and Assurance”; however, it notes, “they do not answer the question of ‘How do you do it, in practice?’” The Nokia paper aims to foster the birth of a new professional—the privacy engineer—and solve the problem of “how” by developing a software engineering discipline that includes privacy engineering and privacy assurance to “take Privacy by Design from a subjective set of seven essential principles into a framework for implementation of privacy in the product creation process.” [Source] See also: [Creating Standards for Privacy Engineers]

WW – Ello Promises Privacy

Privacy-focused alternatives to popular services continue to emerge, including, this week, the introduction of Ello, a social networking alternative to Facebook that claims to respect user privacy by not selling or sharing data with third parties. “You are not a product,” the invite-only social network wrote in its manifesto. The site does use cookies, both on its site and in emails; Google Analytics to generate aggregated user data, and honors Do-Not-Track settings. [CSO]


US – Missouri RFID Ban Highlights Nation’s Privacy Fears

Student privacy advocates are hailing a new law in Missouri that bans school districts from tracking students using radio frequency technology. Last week, state lawmakers overrode the governor’s veto of the bill. The controversial technology uses radio waves emitted from tiny batteries, often embedded in a card or badge, to track the location of students. The new law reflects growing national concern about electronic privacy in the wake of reports of massive government surveillance efforts through the National Security Agency. It also shows a growing interest in student privacy as parents are increasingly questioning the kinds of student records that schools maintain electronically. [Source]


WW – OWASP Releases Its First Top 10 Privacy Risks

Just seven months after the project’s start, the Open Web Application Security Project’s Top 10 Privacy Risks Project has released its first list of findings. Headed up by Florian Stahl and Stefan Burgmair, the project, quite simply, aims to document the top 10 privacy risks in web applications, consulting with volunteers and experts from across the globe. “The result,” reads the project’s description, “is a list covering technological and organizational aspects focusing on real-life risks and not only legal issues.” The top three risks include web application vulnerabilities, operator-sided data leakage and insufficient data breach response. The project and its results are free to use, and it is licensed under the GNU GPL v3 license. [Privacy Perspectives]

EU – European Network and Information Security Agency Annual Incident Reports 2013: Analysis

Security incidents in the electronic communications sector across the European Union are classified as follows: natural phenomena (earthquakes, floods, pandemic diseases, etc.) – 38%; human errors (improper use of tools or errors in execution of procedures) – 31%; malicious attacks (a deliberate attack by an internal or external agent) – 4%; and system failures (hardware and software failures) – 27%. The most prominent causes of data security incidents include software bugs, hardware failure, software misconfiguration, human error, and hardware misconfiguration; the assets most affected include base stations and controllers, switches, mobile switching, core networks, and power supply systems. [Report]

WW – NSA/GCHQ/CSEC Infecting Innocent Computers Worldwide

There’s a new story about a 5-Eyes program to infect computers around the world for use as launching pads for attacks. These are not target computers; these are innocent third parties. The article actually talks about several government programs. Increasingly, innocent computers and networks are becoming collateral damage, as countries use the Internet to conduct espionage and attacks against each other. This is an example of that. Not only do these intelligence services want an insecure Internet so they can attack each other, they want an insecure Internet so they can use innocent third parties to help facilitate their attacks. The story contains formerly TOP SECRET documents from the US, UK, and Canada. Note that Snowden is not mentioned at all in this story. [Schneier on Security – Crypto-Gram Newsletter] See also: [Why it’s a bad idea to sell your child’s cheap tablet on eBay]

US – NIST Releases Draft Guidelines for 3-D Printer Security

The US National Institute of Standards and Technology (NIST) has released draft guidelines for 3-D printer security. The guidelines note that attackers who manage to breach the printers’ security could not only steal sensitive plans but also pose physical threats to the plants and employees. The specialized printers, which sometimes use metal powders to “print” objects, could explode. The machines’ commands could also be altered, undermining the printed objects’ integrity. NIST will accept comments on the document through October 17, 2014. [NextGov] [NIST]

US – DHS Program Will Bring Technologies from Lab to Practice

The US Department of Homeland Security’s (DHS’s) Transition to Practice (TTP) program aims to bring cyber security technology developed at federal laboratories “into the real world.” [HSToday]

US – NIST Creates Digital Evidence Subcommittee

The National Institute of Standards and Technology (NIST) has established a new digital evidence/forensic science subcommittee in its Organization of Scientific Area Committees (OSAC). The committee will “identify and establish national standards and guidelines for forensic science practitioners.” [NIST]

WW – Bash Shellshock Flaw

A serious flaw in a software component called Bash is said to be more serious than the Heartbleed vulnerability that was disclosed earlier this year. The flaw, which is being called Shellshock, can be exploited to remotely take control of vulnerable systems. It affects an estimated 500 million UNIX and LINUX machines. Bash, or the GNU Bourne Again Shell, is a command shell on many Unix systems. The US Computer Emergency Response Team (US-CERT) has issued a warning and is urging admins to patch the flaw. Others have expressed concern that the patches that have been made available are incomplete. [BBC] [CSMonitor] [Krebs] [Ars Technica] [US CERT]

Shellshock Flaw is Being Actively Exploited (September 25, 2014): There are reports that attackers have already begun exploiting this flaw to infect vulnerable servers around the world. [eWeek] [ZDNet] [WIRED] and [NYT: Shellshock May Further Marginalize Open Source Software]

Smart Cards

US – US Will Adopt Chip-and-PIN

Storing credit card account information on a magnetic stripe, while innovative in 1960 when it was first conceived, now leaves that information vulnerable to theft, particularly because the data encoded on the magnetic stripes are static. The US is finally following the rest of the world in moving to the more secure chip-and-PIN, or EMV, technology (so-called because it was started by Europay, MasterCard, and Visa). [WIRED]


CA – Ottawa Admits to Tracking Hundreds of Protests

Ottawa has kept tabs on hundreds of demonstrations across Canada and around the world over the last eight years, from peaceful protests to public university lectures to riots. Newly released documents show about 800 public demonstrations and events were observed and reported on by government departments and law enforcement agencies since 2006. Reports were collected centrally by the Government Operations Centre, an agency tasked with preparing the federal government’s response to emergencies. Some were collected by Foreign Affairs on international protests, but the majority focused on domestic events – especially First Nations protests and environmental activism. Some appear to be media reports detailing the events, but others were prepared by Canada’s spy agency, CSIS, and the RCMP. The Conservative government has defended the practice, saying even peaceful protests can go bad and the public’s safety must be protected. But the documents, tabled in Parliament, reveal the Government Operations Centre was interested in much more than protests. [The Toronto Star]

US – NSA Chief Dismisses Scandal’s Impact; Agency ‘Fully Compliant’ With Law

Whistleblower Edward Snowden’s revelations about the NSA surveillance programs have not negatively affected its relationship with foreign counterparts, said NSA Director Adm. Michael Rogers, adding the corporate sector, nation states and foreign intelligence counterparts have not walked away from the agency. Rogers, who has been at the agency’s helm for only five months, said he is not dwelling on the past, but he did defend the agency’s controversial operations. “The reviews to date have all come to the conclusion that the National Security Agency has been fully compliant with the law and, secondly, that in the execution of those lawful operations, there is no finding that the NSA has attempted to systematically undermine that law or failed in its duties to protect the information that it collects,” he said. Moving forward, the NSA should aim for “translucency” because true “transparency” would undermine surveillance efforts entirely, he said. “The people on the other side of the glass can see the broad movement of the shapes and have a comfort level with that,” said Hayden. [FierceGovernmentIT]

US – NSA Director: Snowden Hasn’t Damaged Our Relationships with Counterparts

NSA Director Adm. Michael Rogers said the Edward Snowden revelations have not negatively affected the NSA’s relationship with its counterparts, pointing out “the corporate sector, nation states and foreign intelligence counterparts have not walked away from the agency.” Rogers has been leading the agency for the last five months. Meanwhile, a new chat program designed by a middle-school dropout, now aged 22 and a self-taught coder, offers anonymity and encryption and even resolves the issue of metadata. A new version of the program, called Ricochet, is planned for release in November. [FierceGovernment IT]

US – Border Patrol to Test Body Cameras to Curb Use of Force

The U.S. Border Patrol has purchased body cameras and will begin testing them this year at its training academy, two people briefed on the move said Wednesday, as new leadership moves to blunt criticism about agents’ use of force. R. Gil Kerlikowske, who has led the Border Patrol’s parent agency since March, announced the plans to a small group of activists who have pressed for cameras, according to a person who attended the briefing and spoke on condition of anonymity because the discussion was intended to be private. Testing will occur at the Border Patrol academy in Artesia, New Mexico. [CBC News]

WW – Making an Art of Surveillance

An exhibit set to feature hacked photos of naked celebrities is raising eyebrows, blurring lines between our online and offline worlds. “Celebgate has brought many privacy issues to the forefront,” noting that while XVALA’s exhibit may seem to “demonstrate that noncelebrities simply have much less to fear,” past artistic installations have shown that random images of “unremarkable people” have also raised concerns, sometimes even leading to lawsuits. “Like other art before it, this leading edge of expression exploring surveillance, privacy and anonymity will challenge and make us face the realities we are creating—at least as long as these exhibits are permitted for public consumption.” [Source]

Telecom / TV

US – ‘Interceptor’ Cellphone Towers Found Near White House, Senate

Mysterious “interceptor” cellphone towers that can listen in on someone’s phone call despite not being part of any phone network have turned up near the White House and Senate. A company that specializes in selling secure mobile phones discovered the existence of several of the towers in and around the nation’s capital. “It’s highly unlikely that federal law enforcement would be using mobile interceptors near the Senate,” ESD America CEO Les Goldsmith said. The towers are also capable of loading spyware onto a mobile device before passing off a victim’s call to a legitimate network. “My suspicion is that it is a foreign entity,” he told Venture Beat. [The Washington Times]

CA – The Covert Cellphone Tracking Tech the RCMP and CSIS Won’t Talk About

Law enforcement and intelligence agencies in Canada won’t say whether they use covert tools called International Mobile Subscriber Identity (IMSI) catchers to track the location of mobile phones and devices – even as the extent of their use by U.S. government agencies is raising serious questions among civil libertarians. The devices colloquially known as Stingrays – which is the trademarked name for a widely used model sold by Florida-based Harris Corp. – commonly work by masquerading as a legitimate cellular communications tower and tricking nearby devices into connecting and sharing their IMSI, typically without the knowledge of device owners. Once connected, an operator can collect identifying information on all connected devices in a geographic area, or home in on the location of a specific device. In certain circumstances, it can even intercept phone calls and text messages. [The Globe and Mail] SEE ALSO: [Documents Suggest Maker of Controversial Surveillance Tool Misled the FCC] AND [The ACLU wrote a letter to the FCC asking for an investigation]

CA – Netflix Refuses CRTC Demand for Confidential Data

Netflix refused to heed a demand from Canada’s federal broadcast regulator to hand over confidential customer data despite threats its exemption from regulation would be revoked if the video streaming service did not comply. “While Netflix has responded to a number of the CRTC’s requests, we are not in a position to produce the confidential and competitively sensitive information ordered by the commission due to ongoing confidentiality concerns,” said a Netflix spokesperson. “While the orders by the CRTC are not applicable to us under Canadian broadcasting law, we are always prepared to work constructively with the Commission.” [Source] See also: [Mining WiFi Data: Retail Privacy Pitfalls]

US – FTC Files Comments with FCC on Promoting Privacy in Broadband

In a comment filed Friday with the FCC, the FTC provided information on its enforcement, policy and education work as it relates to consumer privacy and data security as applied to residential broadband Internet services, according to an FTC press release. In its comments, the FTC highlights its efforts to promote consumer privacy and data security “through rigorous enforcement of the FTC Act, the Fair Credit Reporting Act and the Children’s Online Privacy Protection Act.” It also describes its privacy report, Protecting Consumer Privacy in an Era of Rapid Change, and its numerous workshops and seminars on related topics. [Source]

US – Apple’s CEO Throws Major Shade at Tech’s Ad-Based Business Model

Apple announced new privacy features and a push to educate consumers on how the company uses their data in an open letter from chief executive Tim Cook. In the letter, Cook also took some not so subtle digs at competitors who mine user data for advertising purposes: “We don’t build a profile based on your email content or web browsing habits to sell to advertisers. We don’t “monetize” the information you store on your iPhone or in iCloud. And we don’t read your email or your messages to get information to market to you.” [Washington Post]

US – FPF Gives iOS8 a Thumbs-Up; Apple Faces Criticism for iTunes Gift

The Future of Privacy Forum has reviewed Apple’s iOS8, concluding its new “prompting with purpose” disclosures, refined location settings and strict requirements for apps “will present greater transparency, protection and control over privacy” for users. Meanwhile, as part of its launch of the iPhone6, Apple featured a gift to users: Irish rock band U2’s new album. A free download was sent to users’ iTunes music collection, but some users weren’t so excited, complaining that Apple had gained access to their accounts without asking permission first. [Source]

US Government Programs

US – CFPB to Tighten Controls After Government Audit Cites Problems

Responding to government auditors, the Consumer Financial Protection Bureau (CFPB) is formalizing a comprehensive privacy plan addressing how the agency will assess and manage privacy risks and monitor and audit privacy controls. The CFPB also will develop role-based privacy training for its staff and review its remedial action plans and information-security risk management process “to further refine oversight of service providers,” according to CFPB Director Richard Cordray. The changes come after a Government Accountability Office audit issued this week stated the CFPB “lacks a plan to adequately protect” the consumer financial data it collects. [GovInfoSecurity]

US – GAO Says TSA Needs to Strengthen Privacy Oversight

The Government Accountability Office (GAO) has said the Transportation Security Administration (TSA) has made positive strides implementing its Secure Flight program but still needs to improve oversight of its privacy mechanisms, including staff training. “Because the program relies on sensitive information, including personally identifiable information from the approximately two million people Secure Flight screens each day, privacy incidents and inappropriate disclosures could have significant impacts on the traveling public,” the GAO audit states. Though the TSA has implemented privacy measures, more could be done, including job-specific privacy training in line with Office of Management and Budget privacy training requirements, the report states. [HS Today]

US – FISA Court Renews NSA Metadata Program

The Foreign Intelligence Surveillance Court has reauthorized the NSA program that collects in bulk the metadata of U.S. citizens’ phone records. The reauthorization comes while a reform bill remains stuck in the Senate. “Given that legislation has not yet been enacted, and given the importance of maintaining the capabilities of the Section 215 telephony metadata program, the government has sought a 90-day reauthorization of the existing program,” said the Department of Justice and Office of the Director of National Intelligence in a joint statement. Both of the government agencies also said they support the USA FREEDOM Act, saying “it reflects a reasonable compromise that preserves essential intelligence community capabilities, enhances privacy and civil liberties and increases transparency.” [The Hill]

US – Appeals Court Says NCIS Scan of Civilian Computers Went Too Far

A US federal appeals court in California ruled that the Naval Criminal Investigative Service (NCIS) overstepped its authority when an NCIS agent used a tool to search for hashed child pornography images on the computers of all Washington state computer users running Gnutella file-sharing software. Judge Marsha Berzon wrote that the “surveillance of all computers in Washington amounted to impermissible direct active involvement in civilian enforcement of the child pornography laws, not permissible indirect assistance.” [Ars Technica]

US – Air Force Seeking Improved Network Mapping and Analysis Technology

According to a presolicitation notice, the Air Force is seeking situational awareness technologies to help it see what is happening on its networks. The program, called Mission Awareness for Mission Assurance (MAMA) “will investigate the automated assessment of mission execution by analyzing network traffic flows” so personnel can “prioritize essential functions, map out cyber assets, and assess and mitigate vulnerabilities.” The Air Force wants to be able to carry out core missions in the face of attacks. [Defense Systems] [Presolicitation Notice]

US – Connect.gov Password Consolidation to be Tested Next Month

Starting as soon as October 2014, Connect.gov, a system that will eliminate the need for users to remember at least some of their sets of access credentials, will “launch with a few key anchor agencies that will be testing it out in the first round.” More agencies are expected to join within the next two years. [NextGov]

US Legislation

US – As Laws Are Slated for the Books, Tech Worries Persist

Student privacy bills are headed to the books in 20 states. According to the Data Quality Campaign, 110 bills on student data privacy were introduced in 36 states this session, with 24 being signed into law. They addressed biometric, social and personal information. Meanwhile, worries persist about the lack of restrictions on the “unprecedented student data amassed by education technology companies,” and the tensions that continue to build as the federal government encourages the use of such technology while parents worry about who gets that information and what’s done with it. A story in The New York Times reports on similar concerns. [Government Technology]

US – Tech Companies Urge Lawmakers to Move Forward with Bill to Amend ECPA

Technology companies are calling on US legislators to pass the Email Privacy Act, a bill that would update the 1986 Electronic Communications Privacy Act (ECPA), which allows law enforcement authorities to search, without a warrant, communications that have been stored in what we now call the Cloud for more than 180 days. The bill’s supporters say that ECPA is outdated and poses a threat to people’s privacy. [The Hill]

Workplace Privacy

NZ – Is it Wrong to Send Personal Emails to Work Addresses?

The Legal Complaints Review Officer (“LCRO”) of the Office of the Privacy Commissioner, New Zealand, determined that there was a risk that a confidential email sent by a lawyer to an individual’s work email account might have been accessed by others in the workplace (the fact that this did not appear to have occurred did not detract from concern about the risk); however, the LCRO declined to make a disciplinary finding, claiming that it was not appropriate to make an example of the lawyer when the use of email for communication needed more discussion by the Law Society and its members. [Source]

US – Barriers to BYOD? A Lack of Trust In Employers to Protect Privacy

A new survey released by AdaptiveMobile finds only 30% of more than 5,000 employees of global organizations are happy with “employers managing their corporate mobility service.” In total, 84% of respondents listed privacy as a top-three concern with the use of personal devices for work. Almost half simply wanted to keep work and private life separate, but a full quarter also said they have a general mistrust of their employer “being granted any type of control over their devices.” [ZDNet]

US – Federal Background Checks, One Year After The Navy Yard Shooting

A year after a Navy and Marine Corps subcontractor killed 12 people at the Washington Navy Yard, the federal government has fired the firm that handled most of its background checks, conducted multiple reviews of security-clearance processes and changed key screening policies. Now the government is touting major reforms of the process, which faced challenges long before incidents with Alexis and Edward Snowden brought critical problems into focus. In a February report, the council said screeners need greater access to state and local police reports. It concluded that they can’t always view records that could raise red flags, oftentimes because of legal and technological limitations. The review echoed findings from the House Oversight and Government Reform Committee. OPM said it now has increased its engagement with local and state police agencies and is working on IT upgrades to connect more with crime databases. The Obama-appointed council also called for OPM to conduct follow-up investigations every five years for employees and contractors who hold clearances. That requirement is now in place. In addition, it also recommended reducing the number of workers who hold clearances. The Defense Department made the same recommendation in its review of the shooting, released in March. Clapper has directed all agencies to identify clearances they could eliminate. The Pentagon has said it expects to reduce the number of Defense authorizations by 10 percent. Earlier this month OPM announced another major change: It said it would not renew its contract with USIS for background checks. In Congress, lawmakers have also proposed various background-check bills. [Source]


01-15 September 2014


WW – Academics Unveil Facial Recognition Technology for Shopping

Academics at the Chongqing Institute of Green and Intelligent Technology in southwest China say they have developed a new system of facial recognition software that is capable of taking images of shoppers’ faces from 91 angles. The information is then analyzed over a period of just a couple of seconds using two million data sets, with an accuracy rate of 998 out of 1,000. The system could be operational from the second half of 2015 and would allow shopping without PINs or passwords as identifiers. Meanwhile, a judge has issued a warning about the consequences of a rape conviction based on DNA collected at a police station despite the alleged perpetrator’s protest. [International Business Times]

US – GM to Launch Eye-Tracking Technology for Distracted Drivers

General Motors is preparing “to launch the world’s first mass-produced cars with eye- and head-tracking technology” that can decipher whether drivers are distracted. Australian group Seeing Machines has signed an agreement with a manufacturer to supply GM with tracking devices for up to 500,000 vehicles over the next three to five years, the report states. “The technology raises significant privacy concerns over how manufacturers and insurers will store and handle the data, though Seeing Machines’ devices will not keep or transmit the information, at least initially,” the report states. [Gulf News] See also: [Car Hacking Is The New Car Jacking] [US: GM reportedly ready to introduce facial recognition tech in cars]


CA – B.C. Government Set to Review Controversial Privacy Law

Until Sept. 19, B.C. residents have an opportunity to voice any concerns over the provincial Personal Information Privacy Act (PIPA), which has been criticized for overstepping the boundary when it comes to the privacy rights of citizens. The key concerns with PIPA include how personal information is handed over to government authorities and other organizations without a warrant or consent, and citizens aren’t notified when their information has been given up. It was enacted in 2003 and last reviewed in 2008. The special committee, comprised of MLAs, is expected to issue a report to the Legislative Assembly on the review’s results by Feb. 25, 2015. “The committee is undertaking a comprehensive review of B.C. private sector privacy legislation,” said MLA Mike Bernier, committee chair, in a media release. “We are holding a public consultation to gather important information on how well the act is working, and whether changes are necessary.” [Source] [Metro News]

CA – Peterborough Lawsuit Sets Precedent for Ontario Patient Privacy Rights

A class-action suit against Peterborough Regional Health Centre to be heard by the Court of Appeal in December will determine whether patients can sue hospitals for invasion of privacy. [Toronto Star] See also: With the certification of Evans v. The Bank of Nova Scotia, the newly introduced tort of intrusion upon seclusion has become another weapon in the arsenal for the class-action plaintiffs’ bar. [Law Times] See also: [Focus: Privacy class actions on the rise]

CA – B.C. Police Too Prying In Volunteer Background Checks

A privacy watchdog is calling on B.C.’s privacy commissioner to investigate whether police departments are being too intrusive in the questions posed to potential volunteers and employees. The B.C. Freedom of Information and Privacy Association said several police departments are collecting “unnecessary, inappropriate and excessive personal information” from people applying for paid and unpaid positions. The non-profit association was approached by someone applying for a volunteer position with the Delta Police Department’s community police section. They had been given a 25-page “integrity and lifestyle questionnaire” asking about sexual activity, drug use, finances and whether the applicant has ever been unemployed or on welfare. Applicants also have to undergo a polygraph test and a background investigation and are told “deceit, dishonest or non-disclosure concerning questions in this document may result in your disqualification from current or future civilian employment opportunities.” “This kind of statement encourages respondents to disclose further personal information even when it is not specifically asked for,” said Vincent Gogolek, the association’s executive director. Once the privacy association started investigating, it found many police departments across B.C. have similar questionnaires, he said. The association is asking B.C.’s information and privacy commissioner, Elizabeth Denham, to determine whether police departments are invading people’s privacy with these questions. Denham’s office confirmed it had received the complaint and said staff would be reviewing it before deciding whether to launch a formal investigation. [Source]

CA – Audit Raises Concern About Prisoners’ Privacy Rights

The federal organization with one of the worst track records on privacy continues to suffer from lack of awareness, lack of training and a lack of reporting, according to a recent audit. Auditors reviewing the privacy of inmates at federal institutions noted that Correctional Service Canada staff didn’t report all privacy breaches, believing some incidents weren’t breaches at all. Auditors noted that they saw first-hand an inmate return a report to guards because the document was given to him by mistake. The potential privacy breach wasn’t reported, auditors wrote. According to the report, CSC staff were told that institutional culture, “fear of reprimand” and lack of awareness about “what actually constitutes a privacy breach” were among the reasons why privacy breaches weren’t being reported. The internal audit team concluded “offender safety may be jeopardized if these systemic issues continue.” The audit renewed concerns about the privacy practices in prisons that were identified in 2006, with auditors noting that CSC had yet to implement some recommendations from that eight-year-old report. The service was to implement sweeping changes by the end of July, including training packages. [Source]


US – Airbnb Sued Over Privacy Concerns—Anonymously

Airbnb has been sued by 21 anonymous New Yorkers who hope to prevent the home-sharing website from turning over their personal information to the New York Office of the Attorney General, CNBC reports. Airbnb said in May that it will comply with a subpoena from New York Attorney General Eric Schneiderman during his probe of illegal hotel operations in New York City, the report states. The case involves a law that prohibits residents of multiple buildings from renting out their apartments for less than 30 days unless they are also at their apartments. Airbnb has said it will withhold the renters’ info until a court tells it otherwise. [CNBC]


EU – Microsoft Agrees to be Held in Contempt So It Can Appeal Case

Microsoft has reached a deal with the U.S. government in which it will agree to be held in contempt of court in order to move an email privacy case on to appeal. The case involves a U.S. government demand for emails stored on a server in Dublin, Ireland. The Obama administration has said the company must comply with valid warrants for data, even if it’s held overseas, the report states. “Everyone agrees this case can and will proceed to the appeals court,” said Microsoft in a statement. “This is simply about finding the appropriate procedure for that to happen.” [Ars Technica] [ZDNet] [SCMagazine] [The Register] [Stipulation Regarding Contempt Order]

US – Tech Giants Want Vote on Email Privacy Act

A host of technology companies including Google, Microsoft, AOL and Yahoo have written to congressional majority leaders requesting a vote on the Email Privacy Act, which has seen no movement since it was proposed last summer, despite having the support of more than half the House. Congressional supporters of the bill say the delays are due to attempts to attach other provisions to the bill. According to the letters, the bill, which is an update to the Electronic Communications Privacy Act, would “eliminate outdated discrepancies between the legal process for government access to data stored locally in one’s home or office and the process for the same data stored with third parties” in the cloud. [The Hill]


WW – CryptoWall More Prolific Than CryptoLocker

Analysis from Dell SecureWorks Counter Threat Unit shows that CryptoWall ransomware has passed infection rates of its relative, CryptoLocker. In just five months, CryptoWall infected an estimated 625,000 computers around the world, collecting more than US $1.1 million in ransom. [SC Magazine]

WW – Mozilla Retires 1,024-bit Certificates; 100,000+ Websites Now “Untrusted”

Because Mozilla allowed its 1,024-bit certificates to expire, more than 100,000 websites are now considered untrusted by that company’s browsers. Chrome has not allowed its 1,024-bit certificates to expire due to just those concerns. [The Register]

UK – ICO Fines Ministry of Justice Over Unencrypted Prison Records

The UK Information Commissioner’s Office (ICO) has fined the Ministry of Justice GBP 180,000 (US $298,500) for losing a device that contains unencrypted prison records. In May 2012, the Prison Service issued new hard drives with encryption capabilities to all 75 prisons in England and Wales. The ministry, for which this is a repeat offense, was reportedly unaware that disk encryption needed to be switched on. The missing device contained personal data about nearly 3,000 inmates. The data include health information, visitor information, and prisoners’ links to organized crime. [NextGov] [v3.co.uk]

WW – CryptoPhone Identifies Rogue Cell Towers

Rogue cell towers, also known as IMSI catchers, can track smartphones and intercept calls, often without detection. “It’s only a matter of time before they’re as ubiquitous as GPS trackers.” In response, German firm GSMK has developed a firewall for its high-end, secure CryptoPhone. The system—reportedly the first of its kind—can detect when a rogue cell tower is connecting to the phone but is currently only available for Android phones. GSMK’s CryptoPhone 500 combines its operating system with a Samsung Galaxy S3 device, while offering end-to-end encryption. Additionally, in response to the rise of IMSI catchers, the Federal Communications Commission is developing a task force to address the issue. [Wired]

EU Developments

EU – DPA: RTBF Ruling Bolsters Regulators’ Roles

After Europe’s top court created a right to be forgotten, an almost-forgotten battle involving Facebook was resurrected. The European Court of Justice (ECJ) May ruling bolsters Hamburg data protection regulator Johannes Caspar’s case aiming to force Facebook to comply with German law, which Caspar discussed with the company at an August meeting. Facebook says it is only bound by Irish rules, as its EU headquarters are in Dublin, Ireland. “The ECJ ruling bolsters the jurisdiction of the national data protection authorities,” Caspar said, adding, “It determines that national law is applicable to data processors which have a unit in the country, even if its activity is merely to economically support the Internet offerings.” [Bloomberg]

EU – President Calls for Privacy Negotiations to be Completed in 6 Months

Amidst what the Financial Times has called “one of the biggest overhauls of the EU executive in more than a decade”—with incoming European Commission President Jean-Claude Juncker’s announcement of his nominations for a suite of new commissioners—Juncker has called for the “conclusion of negotiations on the reform of Europe’s data protection rules as well as the review of the Safe Harbour arrangement with the U.S.” One large departure under Juncker is his creation of a sort of hierarchy within the commission. Rather than 27 commissioners, there are now two ‘high vice presidents,’ five vice presidents and then 20 commissioners. [Privacy Advisor]

EU – Ireland Names Dixon as Next DPC; Hawkes Talks Expectations

Irish Data Protection Commissioner Billy Hawkes’ tenure came to an end on August 31, and today, an Irish government committee approved longtime civil servant Helen Dixon as the new data protection commissioner of Ireland. Dixon will have an increasingly important role to play. Mark Scott recently called the position “relatively obscure” but with “global sway.” Hawkes—who was sometimes criticized for having a “light touch” as a regulator—discusses the highs and lows of his tenure and what his replacement may expect, especially given it will be her job to regulate tech giants like Yahoo, Google and Facebook, headquartered in Ireland. [The Privacy Advisor] [The New York Times]

UK – Data Explosion Fuels Growth in Privacy Cases

The number of privacy cases fought in UK courts has doubled in the last five years, amid an explosion in the amount of personal data held and shared by government agencies, and retained by businesses. In the year to 31 May 2014, there were 56 cases in the High Court, up from 28 five years ago, according to figures from legal information provider Thomson Reuters, which said a high proportion of the cases this year involve claims against public institutions, particularly the police. These have included stop and search complaints. Improved data storage and search technology allows personal data on citizens to be much more easily shared and transferred between government departments. The rapid growth in the commercialisation of personal data has created a lot of new threats to people’s privacy. When businesses cross the line, people feel strongly enough to enforce their privacy rights through the courts. [Source] See also UK Prime Minister David Cameron is “expected to unveil plans that make it easier for intelligence agencies to access airline passenger information” as part of the government’s strategy to fight terrorism. [PressTV] and The Swiss Federal Council said the European Court ruling on data retention has no effect on Swiss laws. The Swiss law on telecoms surveillance is under review, with an aim to increase the required data storage period to 12 months. [Telecompaper] and [Decision No 2014-693 DC March 25 2014 – The Constitutional Council, France]

Facts & Stats

WW – GPEN: 85% of Apps Fail to Protect Privacy

A survey of more than 1,200 mobile apps by 26 privacy regulators from around the world has found 85% of apps fail to provide basic privacy information, according to a UK Information Commissioner’s Office press release. Nearly 60% of the apps left users struggling to find basic privacy information, and 43% did not adequately tailor privacy notices to a small screen. [UK ICO] See also: Google has once again removed the Disconnect Mobile app from its Google Play Store. UPDATE: [Privacy guard Disconnect Mobile returns to Google Play]

WW – Study Reveals Popular Android Apps Put Privacy, Security at Risk

A newly published study has revealed that many of Android’s most popular apps—including Instagram, Grindr and OKCupid—do not take basic security measures to protect users’ data. Researchers from the University of New Haven’s Cyber Forensics Research and Education Group (UNHcFREG) analyzed a broad range of Android-specific apps to find security vulnerabilities and plan to release one YouTube video per day disclosing their findings. UNHcFREG’s Ibrahim Baggili said, “What we really find is that app developers are pretty sloppy.” Many of the vulnerabilities included lack of encryption of images stored on servers, messages between users and other data traffic. Baggili also said the team has contacted developers of the apps that were analyzed. [PC World] See also: [Xiaomi under investigation for sending user info back to China]


WW – Google Kicks Off RTBF Meetings

Bloomberg reports on Google’s inaugural right-to-be-forgotten meeting in Spain, noting the company’s advisors “took just three questions from the public.” The Madrid meeting is the first of seven set across Europe, but some are criticizing the meetings as publicity stunts. “Whatever Google would have done would have been considered PR,” said Luciano Floridi, an Oxford philosophy professor and current panelist, adding future events will devote more time to questions. Jef Ausloos, a researcher at Belgium’s University of Leuven, said, “What we need to know now, is how exactly this should happen, what the role is for national data protection authorities.” [Bloomberg] See also: After Europe’s top court created a right to be forgotten, a battle involving Facebook and Hamburg data protection regulator Johannes Caspar was resurrected. [Bloomberg]

CN – China Snooping on Scholars’ Google Searches

People conducting research in China are being watched by authorities when they conduct Google searches. Public Internet users in China are not able to use Google at all, but scholars at research institutions are able to use the search engine through the CERNET education network. Authorities in China were able to see what those scholars were researching until Google began encrypting searches. Now China uses a man-in-the-middle attack to keep an eye on CERNET users’ searches. [InfoSecurity] [NextGov] [Netresec] In a related story, a Chinese man is suing state telecommunications company China Unicom for blocking his access to Google.


US – Bank of America Finalizes 32 Million Dollar Settlement in TCPA Class Action

A U.S. District Court in California has approved a $32 million Telephone Consumer Protection Act settlement, ending a class-action against Bank of America and FIA Card Services that alleged the defendants systematically called or texted consumers’ cell phones through automatic dialing systems and/or prerecorded voice systems without express consent. [Hunton & Williams Privacy and Information Security Law Blog] See also: [Adobe Class-Action Moves Forward | Home Depot Suit Filed]

US – Verizon Fined for Customer Privacy Violations

Verizon has agreed to pay US $7.4 million for failing to notify approximately two million customers of their privacy rights and to settle Federal Communications Commission (FCC) charges that it used customer billing and location data in targeted marketing campaigns aimed at trying to sell them other Verizon services. Communications companies may do this if they first obtain customers’ permission. [CNN] [ArsTechnica] [FCC] See also: Carrier IQ and a group of mobile phone manufacturers have asked a judge to dismiss a class-action accusing the software maker of violating several privacy laws, including a federal wiretap law. [Verizon failed to tell 2 million people it was using their personal info for marketing. Now the FCC is making it pay]


CA – Number of People on Canadian No-Fly List Must Stay Secret: Government

Federal security officials are resisting pressure to reveal how many people are on Canada’s no-fly list, arguing the information could help terrorists plot a catastrophic attack on an airliner. In newly filed court documents, the government also contends that divulging the figure might damage relations with key allies, especially the United States. Information Commissioner Suzanne Legault is challenging the government’s refusal to disclose the data to a Montreal journalist who requested it under the Access to Information Act. La Presse reporter Daphne Cameron filed two requests for figures from 2006 through 2010 — one for the total number of people on the list, the second for the number of Canadian citizens. Legault’s office investigated Cameron’s complaint against Transport Canada and recommended last year that the agency release the figures. Transport Canada refused to comply, prompting Legault to take the case to the Federal Court of Canada. In withholding the numbers, Transport Canada invoked a section of the access law shielding information whose release could interfere with the conduct of international affairs as well as the detection, prevention or suppression of “hostile activities.” The U.S. has revealed there are about 16,000 people — including fewer than 500 Americans — on its no-fly list. In a 2012 report, the watchdog that keeps an eye on CSIS said confusion over how the no-fly list should work had “significantly undermined” its potential to help keep the skies safe. The Security Intelligence Review Committee said the notion of “an immediate threat to civil aviation” was open to interpretation, and federal agencies had “struggled” with nominating people for the list. 
[Source] See also: [AU – Clear and Present Danger to Freedom of the Press] and [CA – Prentice expense report requesters leaked, raising privacy concerns] and [CA – Soldiers on Viagra part of a list of secrets held by Harper government] and [CA – Calgary: Some city councillors argue for hike in FOIPP charges]

Health / Medical

US – Second Healthcare Sector Cyber Security Exercise to Start in October

According to a press release from the Health Information Trust Alliance (HITRUST), the second cyber security exercise for the healthcare sector, CyberRX 2.0, will begin in October 2014. More than 750 healthcare organizations have signed up to take part in the cyber attack simulation exercise. The program has been expanded to offer three tiers of participation: Local/Basic, Regional/Mature, and National/Leading. [SC Magazine] [HITRUST Alliance Press Release]

US – Web Portal Delays HIPAA Audits

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has delayed the launch of a second round of HIPAA audits in an attempt to implement new web portal technology. “We recently had an opportunity to update the technology we’re using, giving us capabilities that we just didn’t have access to before,” said OCR Senior Adviser Linda Sanches. The portal will automate some elements of the auditing process, lightening the load on human resources. Sanches also encouraged healthcare providers to have a list of business associates prepared, and while the requirements of the audits remain the same, Adam Greene of Davis Wright Tremaine notes that the documentation must be meticulous. [FierceHealthIT] See also: [ON: Surgery room ‘black box’ poised to change medical culture]

US – Court Tosses Advocate Health Suit; CarrierIQ Asks Judge for Dismissal

A federal court based in Illinois has thrown out a putative class-action against Advocate Health and Hospitals that alleged the organization violated the Fair Credit Reporting Act (FCRA) by not appropriately securing health data stolen from its facilities. The judge ruled the hospital cannot be considered a credit-reporting agency covered by the FCRA. [Law360]

US – Exploring Health Data Collection, Marketing

The health data marketing ecosystem and hundreds of medical databases are up for sale to willing marketers. “People would be shocked if they knew they were on these lists,” said World Privacy Forum President Pam Dixon. “Yet millions are.” Directories including such category headings as “Suffering Seniors” or “Aching and Ailing” and other lists categorized by diagnosis, including 2.3 million cancer patients, are reportedly available. In February, Sen. Jay Rockefeller (D-WV) introduced legislation to limit such lists, but the Direct Marketing Association (DMA) said self-regulation is the better route. “We have very strong self-regulation,” said DMA Vice President for Government Affairs Rachel Nyswander Thomas, adding, “Regardless of how the practices are evolving, the self-regulation is as strong as ever.” [Bloomberg] Separately, the Vermont attorney general has settled a computer privacy case with a leasing company. SEI/Aaron’s has agreed to pay $45,000 to the state and $2,000 to each of the three customers who were affected. And [ON – Concerns raised over demographic data collection at Toronto hospitals] [NL: Donna Colbourne fined in Western Health privacy breach]

WW – Epidemiologist: Accurate De-Identification Important for Research

Daniel Barth-Jones, an HIV and infectious disease epidemiologist at Columbia University, writes about the importance of accurate de-identification methods in response to the paper Privacy, Anonymity and Big Data in the Social Sciences from MITx and HarvardX MOOC scholars Jon Daries, Justin Reich and others. Barth-Jones writes that the view that “anonymization is an obsolete tactic made increasingly difficult by advances in data mining and big data” is short-sighted, noting, “de-identification should rather be appropriately taken as part of an integrated and multidimensional approach for fashioning effective public policy for big data privacy.” [FierceBigData] SEE ALSO: [Concerns raised over demographic data collection at Toronto hospitals] and [UK HSCIC Data Pseudonymisation Review: Interim Report – Health & Social Care Information Centre]

WW – Apple Updates Language on HealthKit’s Permitted Data Uses

Apple has updated the language in its HealthKit platform to explicitly state that consumer health information is off-limits to data farmers. Developers who create software using the HealthKit’s application programming interface (API) are only permitted to gather data that’s used to enhance services outlined in the apps’ policy, and selling the data to advertisers is forbidden. “Your application must not access the HealthKit APIs unless it is primarily designed to provide health and/or fitness services, and this usage is clearly evident in your marketing text and user interface,” states Apple’s HealthKit license. [Tech Times]

Horror Stories

WW – Massive Celebrity Hack and Leak Raises Cloud Questions

Hundreds of intimate photos and videos of female celebrities were leaked online over the weekend, many of them allegedly stemming from hacks of Apple’s iCloud service. A spokesperson for Oscar-winning actress Jennifer Lawrence said the hacks and subsequent disclosure of such images are a “flagrant violation of privacy.” In a column for Mashable, Christina Warren asks, in light of the hack, how secure is the cloud? Twitter has suspended accounts of users who have posted the stolen data, and a legal representative for Lawrence said, “The authorities have been contacted and will prosecute anyone who posts the stolen photos.” The Atlantic’s Jennifer Valenti writes about the ethics of looking away from the disclosed personal information, noting that people who look at the photos “are violating these women in much the same way that the person who stole the pictures did.” [Newsweek] See also: [Taking a Naked Selfie? Your Phone Should Step In to Protect You]

WW – Apple Says iCloud Accounts Were Breached in Targeted Attack

Apple has acknowledged that several celebrities’ iCloud accounts were compromised, but the company said it was done by guessing or stealing login credentials rather than breaching Apple’s iCloud security. There was public speculation that the accounts had been breached using a recently disclosed exploit for Apple’s Find My iPhone service, but Apple denies that was the case, saying that the breaches were the result of “a very targeted attack on user names, passwords, and security questions.” [BBC] [DarkReading] See also: [Apple Patches Flaw in Find My iPhone | Source] See also: [Google Locks Down Stolen Credentials]

US – Home Depot Investigating Reports of Payment Card Data Breach

Home improvement retailer Home Depot has confirmed that it is working with its “banking partners and law enforcement to investigate” reports of a data breach. The company declined to comment further until the investigation is complete. The attorneys general (AGs) of Connecticut, Illinois and California are leading a multi-state probe into a data breach disclosed by Home Depot, said Connecticut AG George Jepsen. The IAPP featured an interview with Jepsen on AG enforcement priorities. [Home Depot breach could be one of the biggest in history] [Krebs] [DarkReading] [SC Magazine] [The Register] [BBC]

US – Temple University Announces Breach Affecting Nearly 4,000

Temple University has announced a breach involving the theft of an unencrypted desktop computer containing personal information on 3,780 patients from a physician’s office. The computer contained files with such information as name, age and billing codes but did not include Social Security numbers or financial data, the report states. The theft was reported to police, and the university says it has offered identity-monitoring services to all affected patients for 12 months and has taken steps to prevent such a theft in the future. [The Philadelphia Inquirer] See also: [US – 900,000 Customers Affected in Goodwill Breach] and [NZ – Earthquake data privacy breach ‘avoidable’]

US – AGs Probing Home Depot Breach

Meanwhile, Bartell Hotels has announced a data security breach at five of its San Diego-area hotels; a university is shutting down online voter registration following a data breach in February; a Canadian customer has accused Ernst & Young, alleging customer business data was found on two Dell servers he purchased in 2006; a Goodwill data breach has been linked to a third-party vendor; and Miranda Alfonso-Williams offers advice on “five ways to prevent costly data breaches” at your business. [Reuters]

US – JP Morgan Breach a “Legacy” Issue

Hackers managed to breach the cyber-defenses at JP Morgan just as the bank’s cybersecurity chief was getting acquainted with his new position and the organization’s vast technology infrastructure, Bloomberg reports. Greg Rattray had just been appointed the company’s head of information security when the June breach incident started. “It sucks that this happened at the beginning of Greg’s watch, but this is a legacy issue,” said Trend Micro Chief Cybersecurity Officer Tom Kellerman. “They had an acting person who was juggling way too much, with no one fully dedicated to the role for a bit of time.” [Bloomberg] [US: Casinos may offer lessons about protecting privacy]

Identity Issues

CA – StatsCan Considering ‘Virtual Census’ to Replace Head Count

Statistics Canada is studying a radical new method of counting how many people live in this country — one that could eventually replace the census with a “virtual population register.” Chief statistician Wayne Smith said the agency’s work on building a virtual census is one part of its aggressive pursuit of innovation. A virtual census relies heavily on administrative data: giant caches of information collected by government in the regular course of business. Statistics Canada already uses 500 databases drawn from federal, provincial and municipal governments, and the private sector. Among many other things, those data files provide information on individual income taxes, corporate taxes, payroll deductions, employment insurance, building permits, births and deaths, even telephone bills. A handful of European countries — Finland, Holland, Sweden, Denmark and Germany — have scrapped their survey-based censuses in favour of population counts that rely heavily on an amalgam of administrative data. Sometimes, that data is combined with information from sample surveys. Smith conceded that the growing reliance on administrative data raises enormous privacy issues, but he insisted that the statistics agency operates within strict limits. [Source]

IN – Controversial Biometric Project in India May Go Ahead

One of the largest biometric identification projects in the world — India’s attempt to give an ID number to 1 billion people linked to fingerprint and iris scans — may be going ahead under the new government. The winning Bharatiya Janata Party had said during last spring’s election campaign that it would review the controversial program for a secure ID to get government benefits. However, this week it approved a 2015 target for voluntary enrollments, signalling that it will back the project. [itworldcanada.com] See also: [South Carolina boy sues over makeup removal for driver’s license photo]

Law Enforcement

US – Cities Seek to Upgrade Stingray Before Providers Drop 2G Network

Several US cities are seeking to upgrade cell phone surveillance systems commonly known as stingrays. The controversial technology has been shrouded in secrecy; for example, law enforcement agencies have allegedly misled the courts about the technology. Stingrays are capable not only of determining a target’s location, but also of intercepting communications contents. One of the techniques the technology uses is to jam 3G and 4G network signals, forcing targeted devices to fall back to the 2G network, because 2G network security is not as strong as that of later-generation networks. Most providers will stop supporting the 2G network within the next few years, which means current stingrays will no longer work. [Ars Technica]


PH – Philippine House to Rewrite Privacy Bill

After certain stakeholders criticized the current draft of a privacy bill in front of the Philippines House of Representatives, the House will rewrite the bill—a request made by its author, Rep. Rufus Rodriguez [The Philippine Star].

WW – APEC Cross Border Privacy Rules Update

Markus Heyder provides an update on the status of the APEC Cross-Border Privacy Rules. See also: [SG – Monetary Authority of Singapore – Consultation Paper on Proposed Credit Bureau Regulatory Framework and Credit Bureau Bill]

Online Privacy

US – Why Privacy Policies Are So Inscrutable

The Atlantic reports on why privacy policies are so inscrutable, analyzing 50 of the most popular websites in the U.S., whose policies, taken together, totaled 145,641 words—or the equivalent of The Grapes of Wrath. “Today’s privacy policies don’t tell consumers the whole story for two main reasons,” the report states, noting that, first of all, “websites have adopted a kind of precautionary legalese to inoculate themselves against lawsuits and fines.” And second, the rise in data brokerage firms has created a lucrative industry around consumer profiling. The column delves into the vagueness of many basic terms, particularly consent, explicit consent and third-party data sharing. Of the 50 privacy policies analyzed, 48 interact with other third parties, but only nine say which ones. [The Atlantic]

WW – Facebook Messenger Tracking ‘A Lot More Data Than You Think’

“Messenger appears to have more spyware type code in it than I’ve seen in products intended specifically for enterprise surveillance,” tweeted Jonathan Zdziarski, a noted author and expert in iOS-related digital forensics and security, on Tuesday. In an email to VICE’s Motherboard, Zdziarski told reporter Matthew Braga that Facebook logs “practically everything a user might do within the app.” “[Facebook is] using some private APIs I didn’t even know were available inside the sandbox to be able to pull out your WiFi SSID (which could be used to snoop on which WiFi networks you’re connected to) and are even tapping the process list for various information on the device,” he wrote. News of Zdziarski’s findings spread swiftly around the web this week, prompting Facebook to issue the following statement: “These accusations are completely unjustified. Privacy is core to our approach with Messenger, and like any developer, we analyze usage trends to make our apps better, faster, and more efficient. As an example, with regard to what and where people tap – when we noticed that people were using the ‘Like’ stickers a lot, we modified the app so that people could send them with fewer taps.” [CBC] See also: [The Economist: Everything people do online is avidly followed by advertisers and third-party trackers] and also: [Facebook Generation Rekindles Expectation of Privacy Online]

WW – Facebook Testing Update Option with Expiration Dates

Facebook is currently testing a new option that would allow users to place an expiration date on a given post, ranging from one hour to one week. The move comes as employers, attorneys and law enforcement officials increasingly use social media posts to make hiring and other decisions. “It’s interesting to me because Facebook used to push this idea that our cultural notions of privacy were changing and that people should share things all the time. People reacted poorly to that,” said University of Maryland Human-Computer Interaction Lab Director Jennifer Golbeck. “But in the last six months or so, they’ve started coming around to the idea that people still want to do things privately.” [Bloomberg Businessweek] See also: [Facebook being more proactive in pushing users to check privacy settings]

Other Jurisdictions

AU – Report into Serious Invasions of Privacy in the Digital Era released

The Australian Law Reform Commission’s Final Report, Serious Invasions of Privacy in the Digital Era (Report 123, 2014), was tabled in Parliament and is publicly available. The Terms of Reference for this Inquiry required the ALRC to design a tort to deal with serious invasions of privacy in the digital era. In this Report, the ALRC provides the detailed legal design of such a tort located in a new Commonwealth Act and makes sixteen other recommendations that would strengthen people’s privacy in the digital environment. The Report also recommends that a new Commonwealth surveillance law be enacted to replace existing state and territory laws, to ensure consistency of surveillance laws throughout Australia, and a number of other reforms to supplement the statutory cause of action. The Report and a Summary Report are available to freely download or purchase in hard copy from the ALRC website. The Report is also freely available as an ebook. [Source] See also: [AU – New laws open door for ACT information privacy commissioner]

AU – Australian Law Reform Commission Recommends Privacy Invasion Tort

The Australian Law Reform Commission is recommending a new Commonwealth tort for serious invasions of privacy [ZDNet]. See also: [Attorney General, Government of Australia – Confidential Industry Consultation Paper: Telecommunications Data Retention – Statement of Requirements] and Austrian Justice Minister Wolfgang Brandstetter would like a data retention law following the Constitutional Court’s decision to strike down Austria’s existing law in July. [Telecompaper]

US – Miles Driven Tax Could Replace Gas Tax

It hasn’t hit the fast lane yet. But the controversial idea of imposing a mileage-based driving tax in California is gaining speed. The Legislature last month approved Senate Bill 1077, which authorizes a pilot program to explore a “road usage charge” as a potential replacement of the state gas tax. The bill would have no authority to impose the charge. But just the concept of a mileage-based fee, and the related idea of the government tracking one’s driving habits, has stirred concerns over privacy, fairness and excessive taxation. [Source]

Privacy (US)

US – FTC Announces Panelists, Topics for Upcoming Workshop

The FTC has announced the agenda and panelists for its upcoming big data workshop, which aims to look at the use of big data and its impact on consumers, including those who are low-income or underserved. FTC Commissioner Edith Ramirez will make the opening remarks at the September 15 event in Washington, DC. Panelists will include Princeton University’s Solon Barocas, Promontory’s Michael Spadea, the Electronic Frontier Foundation’s Jeremy Gillula, Georgia Institute of Technology’s Peter Swire and the World Privacy Forum’s Pam Dixon, among many others. The workshop will look at what’s on the horizon with big data, survey the legal landscape and consider the path forward. [Press Release]

US – White House Names New CTO and Deputy CTO

The White House announced today the appointment of Google’s Megan Smith as U.S. Chief Technology Officer (CTO) and former Twitter Counsel Alex Macgillivray as Deputy CTO. Both have long histories in Silicon Valley. Smith also served as CEO of PlanetOut, an early online forum for the LGBT community that is now defunct, in addition to a number of roles at Google, including her most recent post as VP of Google[x], where new projects are developed. Macgillivray was deputy general counsel at Google before taking the lead counsel role at Twitter and was a lawyer with Wilson Sonsini Goodrich & Rosati before that, representing clients like Creative Commons and the Internet Archive. Among the new CTO team’s tasks, a White House statement said, will be a “focus on policy matters,” including items like “where big data and privacy intersect.” Most recent U.S. CTO Todd Park will remain with the White House “to help recruit technologists to federal service.” Most recent Deputy CTO Nicole Wong departed the White House recently to return to California. [Washington Post]

US – FTC Complaint and Final Decision and Order on Credit Karma App

An FTC order (in effect for 20 years) resolves complaints that a mobile app company failed to securely transmit consumers’ sensitive personal information. The company’s app developer used code that disabled SSL certificate validation “in testing only,” but the company failed to ensure this code’s removal from the production version of the app that was shipped to consumers and failed to perform an adequate security review of its app prior to launch. The company is required to implement a comprehensive security program (including training in secure engineering and defensive programming) and to require service providers to implement and maintain appropriate safeguards. [FTC]

US – EFF Argues Against CISA

The Electronic Frontier Foundation makes its case to pass the USA FREEDOM Act and kill the Cybersecurity Information Sharing Act in this release. See also: [In Re Application of the Federal Bureau of Investigation for an Order Requiring the Production of Tangible Things – BR 13-25 – Foreign Intelligence Surveillance Court]

US – REDEEM Act Needs a European Import: The Right To Be Forgotten

The unlikely duo of Sens. Rand Paul (R-KY) and Cory Booker (D-NJ) recently announced the REDEEM Act, a bill intended to facilitate the sealing of adult criminal records. According to the proposed legislation, those convicted of nonviolent crimes can petition to have their criminal records sealed. The legislation would have significant consequences for those who have committed nonviolent crimes, calling for a limited right to be forgotten in the U.S. “so that the common-sense goal of allowing Americans to achieve a better future can be realized.” [The Privacy Advisor]

US – Google Accord With Harvard Tie Fails Judge’s Smell Test

Google’s settlement of a privacy lawsuit likely won’t win approval because its terms include a donation to Harvard University and other schools that attorneys involved in the case attended, a judge said. [Reuters]

US – Hoofnagle Opines on Big Data Impacts on Civil Liberties and Society

UC-Berkeley Prof. Chris Jay Hoofnagle writes that use-regulation “has tremendous implications for civil liberties and our society,” adding, “Ultimately, it can help determine how much power companies and governments have.” [Slate]

US – Judges Hear Appeal Against NSA Spying; Congress Questions Secret Spying Law

During this week’s review of the legality of the NSA’s bulk collection of phone records, the panel of federal judges expressed concerns about the privacy implications of NSA tactics. The ACLU has challenged a lower court’s decision to uphold the NSA practices, arguing they are unconstitutional. One judge said, “We don’t know what we don’t know” about the operations. Meanwhile, four House Democrats are protesting what they call a “secret law” that allows spying on Americans’ emails and is a “threat to democracy.” The legislators are asking President Barack Obama “to ban ‘disproportionate or unnecessary’ collection of people’s messages, Internet chats and other communications,” the report states. [FOX News] [Slate]

Privacy Enhancing Technologies (PETs)

WW – Programmers Developing Privacy-Enhanced Skype Alternative

A group of programmers famous for frequenting such sites as 4Chan, Hacker News and Reddit are working on an open-source, security-focused replacement for Skype. Tox, as the project is called, is “yet another example of programmers uniting in the post-Snowden era to make easy-to-use tools with encryption and privacy considerations built in.” Tox uses encrypted peer-to-peer networking and eliminates the need for messages to travel through a central server, the report states, and users are given a Tox ID to allow for anonymity. [PCWorld] See also: [Book Review: No Place To Hide: Worth a Read, Maybe Two] See also: [Australian patents privacy indicator for Google Glass]

WW – Privacy Big Ingredient in Apple’s New Products Release

Apple unveiled a slew of new products this week, including the iPhone 6 and 6 Plus as well as the Apple Watch, Apple Health Kit and Apple Pay. The product launch comes a week after a targeted hack of celebrities, which has been tied to Apple’s iCloud. Now that it is releasing products that will handle the most sensitive of personal data, including financial, location and health data, the company is placing a huge onus on privacy and security. “Security is at the core of Apple Pay,” said Apple CEO Tim Cook. McDermott Will & Emery Attorney Jennifer Geetter said, “Given the popularity of the iPhone and its uncanny ability to know what we want before we know, anything Apple does now compounds and expands the existing challenge of meeting consumer expectations while protecting privacy.” [Politico] [On the Privacy Challenges Ahead for Apple]

WW – New Platforms Make the User the Data Broker

A slew of platforms are designed to give users the ability to sell their personal information to advertisers and marketers. Datacoup, Handshake and Meeco all share the same goal of cutting out the data-broker middleman by allowing users to profit from their personal data. “The way we see it,” said Handshake CEO Paul Davis, “your data belongs to you. So if someone should be making a profit on it, it should be you.” MIT Technology Review also profiles Datacoup. [NPR] See also: AVG Technologies has unveiled a new short privacy notice for its most popular apps. The easy-to-read disclosures are meant to resemble a nutritional label, showing what the company does and does not collect as well as how and why data is shared. Meanwhile, less than 24 hours after reinstating the


US – NYC Firefighters Are Being Tracked With Military-Developed Radio Tags

New York City’s fire department is experimenting with outfitting its firefighters with $20 radio tags. Think of it as an E-Z Pass for tracking firefighters during the confusion of an emergency. “It’s in a little sealed plastic — it looks like a little key fob, actually,” said George Arthur, a Naval Research Laboratory engineer, in a statement. “They’re positioned over the left breast, inside the bunker coat in a little Kevlar pocket that’s sewn in there. And it just sends out a little ping every five seconds: Here I am, here I am, here I am.” Back on the truck, a $1,100 reader picks up the signal. “It just listens and says, ‘Okay, 1234, that’s Jessica Smith,’ so we know Jessica Smith is nearby,” said NRL’s David DeRieux. The data is also sent back to the FDNY’s command center in Brooklyn and projected on a wall to help in the wide-scale coordination of firefighters. They are currently testing the technology on 15 trucks. But how well can the technology determine firefighters’ precise locations — like what floor of a building they are on? Indoor tracking, admits the Naval lab’s DeRieux, is “a very tough nut to crack,” in part because a six-inch shift in any direction could mean the difference of being on one side of a wall or the other. [Source]


WW – Need for Privacy Operations at Nonprofits

A recent study of nonprofits revealed many are, on average, increasing staff dedicated to technology-related issues, and as many as 64% included technology as part of their operational plans. These results “are generally encouraging,” writes Network Advertising Initiative Executive Director Marc Groman, but “information privacy controls and data governance are conspicuously absent from the survey and discussion.” Groman points out nonprofits “often possess vast amounts of data” and that “it isn’t simply about investing in new technology” but also integrating “privacy considerations and responsible data governance” into the organization’s management practices. He writes it is “critical” that someone within a nonprofit has responsibility for information privacy. [Privacy Perspectives]

WW – Does Training Actually Thwart Breaches?

In a LinkedIn blog post, George Washington University Law School’s Daniel Solove discusses whether employee training really can reduce data security breaches. “Coming up with a quantifiable return on investment for training is challenging because the threats are constantly changing,” Solove writes, adding that it’s not just training that matters but the quality of that training. Among the many reasons to train employees—including that it creates a culture of compliance, all it takes is one person to create an incident, and it’s often the law to train—the bottom line is that no organization is going to suffer because they trained employees, but plenty have because they didn’t. [LinkedIn] See also: [Ernst & Young accused by Canadian used computer dealer of data breach]


US – Groups Reveal Decade-Old Memos Authorizing Wiretapping

The Justice Department has released two decade-old memos describing the Bush administration’s legal justification for the warrantless wiretapping of Americans’ phone calls and emails. The program began in secret after the September 11 attacks and was justified, according to the memo, by the fact that the “president has inherent constitutional power to monitor Americans’ communications without a warrant in a time of war.” The memos were obtained by the Electronic Privacy Information Center and the ACLU. Meanwhile, a coalition of 40 groups including the ACLU has asked the Senate to prioritize passing the latest version of the USA FREEDOM Act without weakening it. [The Washington Post] See also: [US: Army’s eyes in the sky built to spot people from 5 kilometers away]

Telecom / TV

US – Unsealed Documents Show Yahoo Fought PRISM Compliance

Recently unsealed documents reveal that the US government threatened Yahoo with a US $250,000-a-day fine if it did not comply with the PRISM data collection program and surrender user communications information. Yahoo had been fighting the demand in court; the government was able to use the ruling from the Foreign Intelligence Surveillance Court of Review to convince other technology companies to comply with its data demands. That same court ordered the documents unsealed. [Washington Post] [NYTimes] [ArsTechnica]

US – Comcast Using Public Wi-Fi Hotspots to Inject Ads

People who use Comcast’s public Wi-Fi network are finding that they are receiving pop-up advertisements for the company’s service. Comcast calls the practice “watermarking.” Comcast uses JavaScript to inject the content into the data flows of users who have signed up to use the company’s Wi-Fi hotspots around the country. Comcast says that the messages are there to assure users that they are using a legitimate Comcast hotspot. [The Register] [PC World] [ArsTechnica]

US – US Cities Seek to Upgrade Stingray Before Providers Drop 2G Network

Several US cities are seeking to upgrade cell phone surveillance systems commonly known as stingray. The controversial technology has been shrouded in secrecy, with law enforcement agencies allegedly misleading the courts about it. Stingrays are capable not only of determining a target’s location, but also of intercepting communications contents. One of the techniques the technology uses is to force targeted devices to resort to using the 2G network by jamming 3G and 4G network signals because 2G network security is not as strong as that of later generation networks. Most providers will stop supporting the 2G network within the next few years, which means current stingrays will no longer work. [Ars Technica] See also: [MN: Inmates lose telephone privacy]

US Government Programs

US – FISA Court Renews NSA Metadata Program

The Foreign Intelligence Surveillance Court has reauthorized the National Security Agency (NSA) program that collects in bulk the metadata of U.S. citizens’ phone records. The reauthorization comes while a reform bill remains stuck in the Senate. “Given that legislation has not yet been enacted, and given the importance of maintaining the capabilities of the Section 215 telephony metadata program, the government has sought a 90-day reauthorization of the existing program,” said the Department of Justice and Office of the Director of National Intelligence in a joint statement. Both of the government agencies also said they support the USA FREEDOM Act, saying “it reflects a reasonable compromise that preserves essential intelligence community capabilities, enhances privacy and civil liberties and increases transparency.” [The Hill]

US Legislation

US – Two Bills Head to CA Gov for Signing

There are two bills heading to California Gov. Jerry Brown for signing, both of which deal with issues affecting student privacy. SB 1177 describes privacy guidelines for operators of websites, online services and mobile applications, while AB 1584 focuses on obligations with contracts between local education organizations and third-party technology vendors. Assembly Education Committee Chief Consultant Rick Pratt said, “There really was very little if any protection that would guard the security, the privacy, the confidentiality of student information … and so hopefully bill 1584 and 1177 will provide some security and privacy where it doesn’t exist in current law right now.” A representative from Common Sense Media said it’s “a landmark regulatory scheme.” In separate news, school officials have said the Oklahoma State Department of Education violated student privacy laws. [Government Technology] and [Does California’s “Kill Switch” Bill for Smartphones Risk Privacy for Personal Safety?]

US – North Carolina Advances Further Drone Legislation

The North Carolina General Assembly has advanced the Appropriations Act of 2014, which includes a provision giving anyone surveilled without a warrant “civil cause of action against the person, entity or state agency that conducts the surveillance or that uses an unmanned aircraft system to photograph for the purpose of publishing or otherwise disseminating the photograph.” [HSToday.us]

Workplace Privacy

US – Every Three Minutes, a Worker’s Personal Device Is Remotely Wiped

While the bring-your-own-device trend is on the upswing, so are remote data-wipes of workers’ personal phones, tablets and laptops, according to PA-based firm Fiberlink Communications Corp., which specializes in mobile device management. Fiberlink’s software wiped 81,000 devices in the first six months of this year, compared with 51,000 in the last six months of 2013. That’s an average of 450 per day or three per minute. The WSJ reports that employers are not required to make a distinction between personal and professional information when erasing data. [The Wall Street Journal] See also: [Canada: Limited Protection of Dependents’ Personal Information In Group Insurance Matters]


01-15 June 2014


US – NSA Collecting Millions of Web-based Facial Images

The latest leak from Edward Snowden reared its head over the weekend when The New York Times reported that the U.S. National Security Agency (NSA) has been collecting millions of facial images from texts, social media, video conferences and e-mail over the last four years. According to the documents, the NSA intercepts “millions of images per day” including nearly 55,000 “facial recognition quality images.” A representative from the Electronic Frontier Foundation said, “The government leads the way in developing huge face recognition databases, while the private sector leads in accurately identifying people under challenging conditions.” In related news, the NTIA is set to host its latest meeting in the process of creating a self-regulatory code of conduct for the commercial use of facial recognition on Tuesday. Meanwhile, Reddit, Imgur and BoingBoing are joining the “Reset the Net” campaign to protest mass surveillance. [New York Times]

US – NIST Finds Facial Recognition Accuracy Is Improving

The National Institute of Standards and Technology (NIST) has released results from its 2013 study on facial recognition algorithms, finding that accuracy is noticeably improving, according to a NIST press release. Compiled by biometrics researchers Patrick Grother and Mei Ngan, Performance of Face Identification Algorithms found that accuracy is up 30% since 2010. “We studied the one-to-many identification because it is the largest market for face recognition technology,” Grother said. “These algorithms are used around the world to detect duplicates in databases, fraudulent applications for passports and driving licenses, in token-less access control, surveillance, social media tagging, lookalike discovery and criminal investigations.” [NIST]

WW – Will Facial Recognition Tech Soon Be Reading Our Emotions?

Facial recognition is becoming “emotional recognition,” The Atlantic reports, where advances in technology “could give anyone sporting a future iteration of Google Glass the ability to detect inconsistencies between what someone says (in words) and what that person says (with a facial expression).” A recent study indicated humans “are capable of reliably recognizing more than 20 facial expressions and corresponding emotional states.” When the study was conducted with a facial recognition software program, the accuracy rate was “on the order of 96.9% in the identification of the six basic emotions,” the report states, continuing on to predict, “We run the serious risk of losing, little by little, our spontaneous humanity, appearing more and more like the predetermined algorithms that observe and judge us.” [The Atlantic]

US – Should the Facial Recognition Code Apply to the Gov’t? Could It?

Stakeholders met for the sixth in their series of meetings organized by the National Telecommunications and Information Administration (NTIA) in hopes of creating a voluntary code of conduct on facial recognition technology. This meeting aimed to look at the risks and issues the process’ participants identified since last month’s meeting. It also looked at a list of drafted definitions the not-yet-existent code could include. The most passionate debate yesterday centered around what the code should say about government access to raw images and what standards should apply to requests by governments to gain access to such information. [Privacy Advisor]

US – No Joke: Secret Service Wants Sarcasm-Detection Algorithm

According to a work order released by the U.S. Secret Service last week, the agency tasked with protecting current and former national leaders is asking developers to create an algorithm that can detect and delete online sarcasm. Additionally, the work order calls for the development of software capable of targeting “influencer identification,” “access to historical Twitter data,” the “ability to search online content in multiple languages,” “audience segmentation” and “data visualization representations, (like) heat maps.” A Secret Service spokesman said the “objective is to automate our social media monitoring process. Twitter is what we analyze. This is real live stream analysis … We are looking for the ability to quantify our social media reach. We aren’t looking solely to detect sarcasm.” [Ars Technica]


CA – Supreme Court Rules In Favor of Online Anonymity

Canada’s Supreme Court ruled unanimously that ISPs may not provide police with customers’ names, addresses and phone numbers without a search warrant. The case involved Matthew David Spencer, who was charged with possessing child pornography “and making it available to others” in a file-sharing network after a detective “found his publicly available child pornography” and “asked Shaw Communications for the IP address,” the report states. The government argued, “There is no objective reason to think that an Internet service provider must keep such basic information as an address and a name private, let alone shield it from a child pornography investigator.” Writing for the court, Justice Thomas Cromwell said, “Anonymity is an important safeguard for privacy interests online.” [The Globe and Mail] See also: [Police watch key Internet privacy appeal] and also: [Posting porn photos of ex-girlfriend called ‘despicable’ and ‘morally wrong,’ but not illegal, judge rules]

CA – Rogers Opens Curtain on Warrantless Government Snooping

Rogers Communications gave Canadians their first real peek behind the curtain of warrantless government snooping Thursday, revealing they were asked almost 175,000 times for their customers’ data in 2013. Rogers became the first major Canadian telecommunications provider to issue a transparency report, revealing aggregate numbers on how many law enforcement requests they receive in a year. More telecom and Internet service providers are expected to follow suit, as Canadian customers learn more about the scope of government access to their personal data. [The Canadian Press]

CA – Therrien Testifies on Bill C-13

Testifying before the House of Commons Justice Committee on Tuesday, Privacy Commissioner Daniel Therrien urged the government to split Bill C-13 “to allow for thorough examination of several measures that would expand online monitoring,” Ottawa Citizen reports. Bill C-13 would make it illegal to share “intimate images” without consent and would “remove barriers to getting such pictures scrubbed from the Internet—changes Therrien supports,” the report states. However, the report states, Therrien’s office has warned that provisions giving authorities tools to track telecommunications “would dangerously lower the proposed threshold” for access to personal information. Meanwhile, MP Charlie Angus has written to Treasury Board President Tony Clement “to convene an independent expert panel to make recommendations on securing Canadians’ privacy in the digital era.” [Full Story] [Commissioners Cavoukian, Clayton, and Denham’s Joint Letter to the Standing Committee Reviewing Bill C-13] and also: [Privacy watchdog cancels cyberbullying bill appearance]

CA – Conservatives Keep New Surveillance Powers in Cyberbullying Bill C-13

The Conservative government has rejected calls to change a controversial cyberbullying bill, preserving a broad range of new police surveillance powers that critics warn will infringe on Canadians’ privacy rights. The House of Commons Justice Committee wrapped up its review of Bill C-13, with the Conservative-dominated committee voting down nearly every proposed amendment. They did so despite calls from the federal privacy commissioner, provincial commissioners, civil liberties groups and other experts to change parts of the bill to rein in the broad surveillance powers and warrantless access to private information. The bill was tabled as an anti-cyberbullying law, but also gives telecommunications companies immunity for handing private data over to police without a warrant. It creates a range of new surveillance warrants, such as one allowing police to install software on someone’s phone, with what critics say is too low an evidence threshold – in other words, they warn it will be too easy for police to get approval to spy on Canadians. Finally, the bill hands the broad new powers to a range of public officials, not just police. [Source]

CA – Therrien Experts Examine Facebook Class-Action

Experts examine the BC Supreme Court’s recent certification of a class-action suit against Facebook over its “Sponsored Stories.” Reed Smith’s Mark S. Melodia and Frederick Lah write, “In the Canadian case, one of the main issues was whether Facebook users have the protection of BC’s Privacy Act, or instead, whether Facebook’s online Terms of Use overrode these protections.” The court pointed to a section of BC’s Privacy Act that states actions under the Privacy Act “must be heard and determined by the Supreme Court,” the report states, and defined the class as “all BC residents who are or have been Facebook members at any time between January 2011 and May 2014 and whose name or picture was used as part of the Sponsored Stories.” [Mondaq]

CA – Therrien Confirmed as Commissioner, Criticizes C-13 in Committee

Just days after NDP Leader Tom Mulcair hammered Prime Minister Stephen Harper over his nomination of Justice Department lawyer Daniel Therrien to take over as federal privacy commissioner, The Globe and Mail reports that the House of Commons voted 153 to 75 to approve Therrien. Meanwhile, CBC reports, Therrien voiced support to a Parliamentary committee for splitting Bill C-13, a plan advocated by the Canadian Bar Association and others. He also advocated for an independent review of the bill, saying, “I think Canadians want to know more about why police and security agencies require information.” He likely knows more than most Canadians, as he’s given legal advice on surveillance to security agencies in the past. Therrien’s first order of duty is to testify before the committee considering Bill C-13 on June 10. Editor’s Note: The Privacy Advisor rounded up heated reaction to Therrien’s nomination last week. [Full Story] and [Canada: New privacy watchdog approved with Conservative and Liberal support]

CA – BC Supreme Court Certifies Class-Action Against Facebook

The BC Supreme Court has authorized a lawsuit against Facebook claiming that its practice of publishing users’ “likes” of businesses on their friends’ pages violates the BC Privacy Act. Through Facebook’s “Sponsored Stories” program, companies can pay to use a person’s name and likeness as proof of an endorsement. Plaintiff lawyer Christopher Rhone says doing this without consent breaches the BC Privacy Act. In the court decision, BC Supreme Court Justice Susan Griffin said one key question is whether BC users of foreign social media sites have the protection of the BC Privacy Act, adding, “Given the almost infinite life and scope of internet images and corresponding scale of harm caused by privacy breaches, BC residents have a significant interest in maintaining some means of policing privacy violations by multi-national internet or social media service providers.” [CBC News]

CA – OPC: S-4 Will Allow Data Sharing without Consent

While Bill S-4 intends to overhaul online privacy rules, introduce new penalties for breaches and give new powers to the Office of the Privacy Commissioner (OPC), the OPC warns it also opens the door for the sharing of consumer data between private companies without consent. Patricia Kosseim, OPC senior general counsel and director general, told a Senate committee on Wednesday the bill’s data-sharing provision “could lead to excessive disclosures that would be invisible both to the individuals concerned and to our office.” Industry Minister James Moore, who is leading government efforts to pass the bill, said, “These rules ensure that information is only released when there is a reason to believe the law has been broken.” [The Globe and Mail] [InfoWorld]


WW – Survey: Consumers Won’t Trade Privacy for Convenience

While users worldwide are “thrilled by the ease and convenience of their smartphones and Internet services,” they aren’t willing to trade their privacy for more of it. That’s according to a new survey of 15,000 consumers in 15 countries conducted by EMC Corporation. 51% of respondents said they aren’t willing to trade “some privacy,” while 27% said they are. 41% said they “believe the government is committed to protecting” their privacy, while 81% said they expect privacy to erode over the next five years. “Consumers worldwide seem to strongly agree with the notion that there should be laws ‘to prohibit businesses from buying and selling data without my opt-in consent’—87%,” the report states. [The New York Times] See also: [UK: Young people give up privacy on Google and Facebook ‘because they haven’t read 1984’]

CA – Nearly all Canadian Businesses Collect Personal Info: Survey

The percentage of Canadian businesses collecting their customers’ personal information has sharply increased over the last seven years, a new survey for Ottawa’s privacy watchdog reveals. A total of 97% of companies surveyed in 2013 said they collect their customers’ personal information, including name, address, and telephone numbers — up from 63% in 2007. But while the number of companies collecting Canadians’ personal data is increasing, the number concerned about losing that data seems to be on the wane. Half of the businesses surveyed said they were “not at all” concerned about data breaches in 2013 — while only a year earlier 40% indicated some concern about such breaches. “58% of surveyed companies do not have guidelines in place in the event of a breach where the personal information of their customers is compromised.” [Source]


CA – Federal Agency Seeks to Widen Surveillance of Demonstrators In Canada

The federal government is expanding its surveillance of public activities to include all known demonstrations across the country, a move that collects information even on the most mundane of protests by Canadians. The email requesting such information was sent out this week by the Government Operations Centre in Ottawa to all federal departments. “The Government Operations Centre is seeking your assistance in compiling a comprehensive listing of all known demonstrations which will occur either in your geographical area or that may touch on your mandate,” noted the email, leaked to the Citizen. “We will compile this information and make this information available to our partners unless of course, this information is not to be shared and not available on open sources. In the case of the latter, this information will only be used by the GOC for our Situational Awareness.” Wesley Wark, an intelligence specialist at the University of Ottawa, said such an order is illegal. “The very nature of the blanket request and its unlimited scope I think puts it way over the line in terms of lawful activity,” said Wark. “I think it’s a clear breach of our Charter rights.” Wark said the only lawful way a Canadian government agency, with the appropriate mandate, would have to monitor a demonstration would be if that agency could establish that the protest would constitute some kind of threat to civil order. “But it has to be specific and it has to be justifiable in law to mount such surveillance,” he added. [The National Post]


WW – Google Testing eMail Encryption Plug-in

Google is testing a tool for its Chrome browser that allows users to encrypt their email. The End-to-End plug-in uses OpenPGP to encrypt, decrypt, digitally sign, and verify messages in Chrome. The plug-in is currently in alpha testing mode and is not yet available in the Chrome Web Store. [DarkReading] [v3.co.uk] [CNN] [ArsTechnica] [GOOGLE] and also [Google Street View prank creates murder scare]

Electronic Records

US – National Health IT Office Unveils 10-Year Plan

The Office of the National Coordinator for Health IT has outlined a 10-year plan to develop an “interoperable health IT ecosystem that can simultaneously improve population health, boost patient engagement and lower costs.” By 2024, the office’s health IT infrastructure and data standards aim to support “robust information sharing and aggregation,” the report states. Meanwhile, the new Healthkit app for iOS8 acts as a dashboard that can collect and summarize health data from other connected apps or third-party fitness devices. But how do this and other similar apps negotiate with HIPAA rules, asks a NetworkWorld report? [FierceHealthIT] and [US: Group Of Electronic Health Record Vendors To Become Officially Interoperable]


WW – New OpenSSL Vulnerability Revealed; Searching for New Privacy Tech

In another blow to online encryption, a researcher has found a new and severe vulnerability in the OpenSSL cryptographic library that allows bad actors to potentially decrypt and change web, e-mail and virtual private network traffic that is protected by the Transport Layer Security (TLS) protocol. TLS is the most common way to encrypt traffic on the Internet. “The good news is that these attacks need man-in-the-middle position against the victim and that non-OpenSSL clients (IE, Firefox, Chrome on Desktop and iOS, Safari, etc.) aren’t affected,” said Google software engineer Adam Langley in a technical analysis. He added, “Nonetheless, all OpenSSL users should be updating.” Meanwhile, The Wall Street Journal reports on finding privacy-enhancing technology in a post-Snowden world. [Ars Technica]

WW – Google to Name Non-Encrypting E-mail Providers

Google announced in a blog post that it will begin publicly identifying which companies support and do not support e-mail encryption as part of its transparency reports, and the company plans to unveil a piece of encryption code called End-to-End, which will attempt to add a level of encryption to solve the issue of other sites not supporting Transport Layer Security. According to the blog post, 65% of traffic sent to Google servers is not encrypted. Gmail Delivery Team Tech Lead Brandon Long wrote, “The important thing is that both sides of an email exchange need to support encryption for it to work; Gmail can’t do it alone.” ACLU Technologist Christopher Soghoian said, “Google’s naming. We can shame … And we will.” [Google Blog] See also: [When Bad Passwords Make a Great Dress]

EU Developments

US – Microsoft Fights U.S. Order to Disclose E-mail Stored Overseas

In a continuing legal battle, Microsoft is challenging a U.S. federal court order to turn over a customer’s information stored in a data center in Ireland—possibly the first time a corporation has challenged such a warrant. Additionally, Verizon filed an amicus brief on Tuesday that parallels Microsoft’s arguments, and, according to the report, more companies are expected to join. In a court filing made public on Monday, Microsoft contends that if the order were upheld, it “would violate international law and treaties and reduce the privacy protection of everyone on the planet.” Peter Swire said, “This is a policy decision as well as a legal one.” [The New York Times]

EU – Ministers Agree EU Privacy Law Applies to Non-EU Business

EU justice ministers reached a partial agreement on the proposed overhaul of EU data protection law. The ministers agreed to rules governing international data transfers and the territorial scope of the proposed regulation, the report states. EU Justice Commissioner Viviane Reding said, “It’s in the interest of companies to have legal certainty rather than having to spend money on costly lawsuits only to arrive at the same result at the end.” The main sticking point is the so-called “one-stop-shop” mechanism. A European Data Protection Supervisor representative said, “Everyone agrees that a one-stop-shop is necessary, but there are about 20 different ideas of what that should mean in practice.” The lack of full agreement means a final round of negotiations cannot resume until October. [PC World]

EU – EU DPAs to Form Right-To-Be-Forgotten Task Force

A panel of watchdogs will be formed in the EU to examine “right-to-be-forgotten” takedown requests. A member of the Article 29 Working Group said the move was approved in a meeting in Brussels. The panel will reportedly analyze how regulators should respond to citizen complaints about Google’s management of takedown requests. [Bloomberg]

EU – EU Council Unlikely to Back One-Stop-Shop

EU ministers are not expected to reach an agreement on the proposed “one-stop-shop” (OSS) component of the proposed General Data Protection Regulation (GDPR). On Tuesday, an EU official said, “The discussion hasn’t moved on to be honest since the last council,” and an EU presidency source said finalizing the OSS “is out of the question.” A “discussion text” to resolve the disagreement was passed out last week, but some member states, including Germany and the UK, have expressed concern their nations could be subject to unwanted data protection rules. European Data Protection Supervisor Peter Hustinx said, “I expect the council will mark that progress has been made, but will probably not give the OK to the final version,” adding, “with the one-stop-shop principle, it can only work if we think in terms of close collaborations.” [EUobserver]

EU – Council May Offer Tweak to Proposed “One-Stop-Shop” Mechanism

The Presidency of the Council of Ministers in the EU has provided an outline of plans to tweak the proposed “one-stop-shop” mechanism by allowing local data protection authorities (DPAs) to have more of a say in cases where a questionable data protection practice affects citizens within their jurisdiction. The presidency proposed not employing the one-stop shop “if the subject matter of the specific processing concerns only processing carried out in a single member state and involving only data subjects in that single member state.” The local DPA, in such a case, would have power to investigate and resolve cases on their own, regardless of where the data processor’s headquarters are located, the report states. [Out-Law]

EU – UK Man Wins Damages Under Spam Rules

Retailer John Lewis has been prosecuted for sending unsolicited e-mails in a privacy ruling “that could open the floodgates for harassed consumers.” A producer for Sky News brought the case, and a county court said the company acted unlawfully because it couldn’t prove Roddy Mansfield agreed to receive the e-mails or was a customer. This is the third time Mansfield has won damages for receiving spam under the Privacy and Electronic Communications Regulations. [Sky News]

EU – Garante Publishes New Cookie Rules

Garante, the Italian data protection authority, has published new provisions on consent and policies around online cookies, emphasizing the difference between “technical” cookies and “profiling” cookies. For technical cookies, the presence of a privacy policy will suffice. However, when using profiling cookies, sites will need to gain consent and notify the Garante of the practice. The provisions also distinguish between first- and third-party cookies, drawing a line between the liability of publishers and of others. “On this point the DPA is clear: As for the to third parties cookies, the editor acts as a mere technical intermediary and does not have any responsibility for privacy infringements,” the report states. [eLex]

EU – Room: Regulators Acting Like EC Proposal Is In Effect

While proposed EU data protection reforms may be far from becoming law, “Regulators and courts throughout Europe are acting as if the proposed legislation were already in force,” Stewart Room told SC Congress attendees, noting that “with regulators and courts already acting according to the new thinking embodied in” the proposal, increased fines are the only big change that would come with its passage. Room also addressed the recent European Court of Justice ruling against Google, noting that it shows that “anyone with power over data will be treated as a data controller” and that EU authorities have no fear in taking on big tech firms. [ComputerWeekly]

EU – Malta’s Education Minister Suspends Student Data Request Pending Report

Education Minister Evarist Bartolo has suspended the implementation of a legal notice allowing him and “unspecified” authorities to request student information from school representatives. Legal Notice 76 would require school representatives to hand over data relating to students’ abilities and identity card numbers or face criminal charges. Bartolo contacted the Data Protection Commissioner once the notice was passed, and the commissioner set up a working group to determine the privacy concerns and whether the notice breached the privacy act. The notice is suspended pending the working group’s report. [The Independent]

EU – Swiss Gov’t Surveillance Bill Sparks Protest

The Swiss government has proposed legislation that would increase its ability to access electronic communications and Internet data and strengthen mandatory data retention laws. The proposal contains “provisions which greenlight government use of Trojan horse software and IMSI catchers” for criminal investigations and increase data retention requirements on telcos, telecom-enabled communications providers and non-commercial providers as well. The bill easily cleared the Council of States, the report states. Privacy rights activists have planned a protest against “BÜPF,” as it’s called. [Access Now]

WW – Apple Talks Privacy Amongst Plans to Connect Home, Devices

At the Worldwide Developers Conference on Monday, Apple unveiled plans to connect users’ mobile devices with an array of Internet-connected home appliances, Politico reports. Apple Senior Vice President Craig Federighi said, “We thought we could bring some rationality to this space.” McKenna Long & Aldridge advisor Dan Caprio said, “When you see a company like Apple (talking) about open standards and interoperability, that’s the next phase,” adding, “It’s a very big deal for consumer applications.” Other updates include a new API for the fingerprint sensor and encrypted e-mail storage on the cloud. Additionally, Apple will make privacy-enhancing search engine DuckDuckGo available on its Safari browser. However, The Hill reports that privacy advocates are examining Apple’s new features, including plans for a new fitness data center. [Source]

US – Brill to Push Back Against Use-Based Privacy Frameworks

The FTC’s Julie Brill spoke in Brussels yesterday about big data, data brokers, privacy and competition with still-in-office European Data Protection Supervisor Peter Hustinx. Brill said she’s planning to push back against privacy frameworks that examine only use or risk, Politico reports. “Notice and choice, collection limits and data security—as well as a careful analysis of the risks that go along with actual data uses—are all necessary strands in the tapestry we must weave to create effective consumer privacy protection,” Brill said. She added that she applauds companies that are using privacy as a competitive differentiator. [Politico]

Facts & Stats

WW – Cloud Breaches Are Three Times Costlier, Report Finds

While many IT professionals might say differently, a data breach in the cloud could be at least three times as costly as a typical security breach, a recent IT survey indicates. The Ponemon Institute report surveyed more than 600 U.S.-based IT and IT security professionals. Meanwhile, cloud software startup Okta will announce later this week that it’s secured a new round of funding via Sequoia Capital, putting its pre-money valuation at nearly $600 million, and Google is getting behind an open source cloud computing technology called Docker.

US – HR Analytics Firm Secures $25.5 Million

Visier has attracted $25.5 million in new financing as “the growth of its software business applying big data analytics technologies to the human resources market” continues. The company’s CEO says it is the next step in the development of HR technology. The company’s software uses “natural language processing” to return information from direct queries about business processes and human resources information “directly to the end-user, without having to take any additional steps,” the report states. Visier’s customers include companies like Nissan Automotive, energy company Exelon Corp. and government agencies in cities across the U.S. [Tech Crunch]


US – CFPB Collecting Info on Mobile Financial Services

The Consumer Financial Protection Bureau (CFPB) has announced it is looking “into the opportunities and challenges associated with the use of mobile financial services.” The regulatory agency wants to know more about how consumers are using such services, including a focus on economically vulnerable customers. Four areas of interest for the CFPB include access for the underserved, real-time money management, customer service, privacy concerns and data breaches. The move “suggests that the bureau may attempt to use its authority under the Dodd-Frank Act to expand further into arenas touching on telecommunications and privacy and data security.” [Consumer Finance] [Ad Law Access]

US – Credit Union Association Renews Calls for Federal Data Security Standards

With the P.F. Chang’s breach fresh in the headlines, National Association of Federal Credit Unions (NAFCU) President and CEO Dan Berger is renewing calls for national data security and breach notification standards. “It has been almost six months since Target’s data breach, and we still have no new data security standards for retailers,” he said, adding, “Since Target, there has been a major data breach discovered almost every month. The continued lack of national data security standards is an open invitation to cybercriminals.” Credit unions are subject to the Gramm-Leach-Bliley Act, but retailers are not, the report states. Meanwhile, P.F. Chang’s is reportedly using carbon-copy credit card machines after their recent breach. [Gov Security News]

US – 77,000 Non-U.S. Financial Organizations Agree to Share Data with IRS

Associated Press reports on a new data sharing agreement between the U.S. Internal Revenue Service and more than 77,000 foreign banks, investment funds and other financial organizations to help curb offshore tax evasion. As of March 2015, the organizations have agreed to share account holder names, account numbers and balances for U.S. taxpayer accounts. Under the Foreign Account Tax Compliance Act (FATCA), foreign institutions that do not participate face harsh penalties when conducting business in the U.S. “The strong international support for FATCA is clear,” said Deputy Assistant Treasury Secretary for International Tax Affairs Robert Stack. [AP]


CA – Sharp Increase in Ottawa Blocking Release of Records, Watchdog Says

Canada’s Access to Information Commissioner received a major increase in complaints over the past year related to federal departments blocking the release of government records. In her annual report tabled this week, Commissioner Suzanne Legault urges the government to improve its performance as soon as possible, after complaints rose by more than 30%. “This decline in performance must be promptly addressed,” she states. “Canadians should be concerned and speak out whenever their quasi-constitutional right of access is in jeopardy.” [The Globe and Mail]

CA – Freedom of information gets D on P.E.I.

Access to government information on P.E.I. is limited, says a new report from Newspapers Canada, and the information commissioner herself is complaining she hasn’t got the resources to do her job. Information and privacy commissioner Maria MacDonald wrote in her annual report she is falling farther and farther behind in reviewing files where government has refused to provide information under the province’s Freedom of Information Act. MacDonald’s position is part-time, three days a week. She inherited a backlog of cases when she got the job. And every year that pile of cases grows. Some date back to 2010. “It’s not a secret we have been struggling since the office opened basically with the backlog of file reviews,” she said. [CBC News]


CA – Human Tissue Removed for Medical Tests is ‘Personal Property’ of Institution, Not Person it Came From: Ruling

In a precedent-setting decision that could eventually affect everything from stem cell research to billions in pharmaceutical spending, an Ontario court has ruled that excised human tissue is private property and that it belongs not to the person from whom it came but to the institution that holds it. The ruling, which came in the preliminary phase of a medical malpractice case, is the first “clear, definitive statement about tissue being property in Canada,” said Tim Caulfield, a Canada Research Chair in health law and policy at the University of Alberta. If held up by other courts, it could eventually limit the ability Canadians have to decide what’s done with their own blood samples, tissue biopsies and genetic data. [Source]


EU – Google to Flag “Right To Be Forgotten” Search Results

In the continuing developments after last month’s European Court of Justice ruling on the so-called “right to be forgotten,” Google has indicated it will flag search results it has censored after a takedown request has been accepted. The message would be similar to ones notifying users when a copyright takedown has been enacted. Google also said it will include statistics on takedown request removals in its biannual transparency report. As of June 9th, the company had received approximately 41,000 takedown requests. Google CEO Larry Page said that, of those requests, nearly one-third involved a fraud or scam, one-fifth a serious crime and 12% were connected to child pornography arrests, the report states. [The Guardian]

WW – Google’s New All-Seeing Satellites Have Huge Potential—for Good and Evil

With the $500 million purchase of Skybox, a startup that shoots high-res photos and video with low-cost satellites, Google can extend its reach far across the offline world. Thanks to its knack for transforming mass quantities of unstructured data into revenue-generating insights, the unprecedented stream of aerial imagery to which the company is gaining access could spark a whole new category of high-altitude insights into the workings of economies, nations, and nature itself. But this acquisition will also demand assurances from Google that it will incorporate privacy safeguards into its vast new view of the world. [Wired]

Health / Medical

WW – Apple to Release Health-Tracking App

Apple will this week introduce a new health-tracking app at its annual Worldwide Developers’ Conference. The app will monitor users’ footsteps, heart rate and sleep activity, the report states, initially pulling data from third parties’ health and fitness hardware. Apple will likely release a smart watch later this year, however, that will synch with its app. Meanwhile, Nick Bilton describes some of the risks inherent in homes that are connected to the Internet of Things. “I can’t shake the feeling that one day, maybe, just maybe, my entire apartment is going to get hacked,” Bilton writes. [The New York Times]

US – Apple’s HealthKit Raises Eyebrows Among Experts, Advocates

Following the debut of Apple’s HealthKit last week, healthcare experts and privacy advocates are voicing concerns over the sharing of confidential data and use of medical terms. One healthcare expert recently noted, for example, that data on a user’s phone isn’t covered under HIPAA, but it may be if it’s transmitted to a doctor, provider or pharmacy. Meanwhile, a report on the MIT Digital Summit suggests mobile apps and cloud computing “may soon end the doctor’s reign as the be-all, end-all of medical care,” and a federal IT panel recently took “baby steps” toward using technology to ensure future privacy protections for electronic health records. [FierceMobileHealthcare] See also: [How Can Healthcare Get Security Right?]

WW – Android Changes App Update Permissions Change Notification

A change in the way automatically updated Android apps inform users about changes in permissions could put users at risk of having their information shared, or allowing their device to send SMS messages from apps without their knowledge. Formerly, apps displayed any permission changes when they updated automatically. Now, permission changes are not displayed if users have previously allowed a permission in the same category. [ArsTechnica] See also: [“WARNING Your phone is locked!” Crypto ransomware makes its debut on Android]

US – Startup Unveils “Wearable Health Record” for Google Glass

Healthcare tech startup Drchrono has developed a new “wearable health record” application for Google Glass. Doctors can use it to record a consultation or surgery with patient consent, and then videos, notes and photos can be stored in the patient’s electronic health record. Dr. Bill Metaxas, who uses the technology, has warned physicians to be diligent about obtaining patient consent prior to use and to lock down the app’s security settings. “Google is still in the early stages of determining the most viable use cases for Google Glass,” Drchrono Cofounder Daniel Kivatinos said, adding, “But some doctors are demanding Glass, so Google is providing resources and support to developers.” [Reuters] See also: [Smartwear revolution promises healthier lives but raises privacy concerns]

WW – Worried About Getting Glassed? A Berlin Artist Offers One Solution

A Wired report offers a solution to those worried about Google Glass’s ability to surveil. A Berlin artist, Julian Oliver, has written a program called Glasshole.sh that detects any Google Glass device attempting to connect to a WiFi network—it’s effectively a “glass-detector,” capable of sending a “deauthorization command,” cutting off the WiFi connection and emitting a “beep” to alert others that a Glass wearer is nearby. “To say, ‘I don’t want to be filmed’ at a restaurant, at a party or playing with your kids is perfectly okay. But how do you do that when you don’t even know if a device is recording?” Oliver said. “This steps up the game. It’s taking a jammer-like approach.” [Wired]

US – What’s Top Privacy Concern for Healthcare Execs? Access Management

A new report from KLAS reveals that identity management and unauthorized data access by employees tops the table for healthcare executives’ biggest privacy and security concerns. The report, “Security and Privacy Perception 2014: High Stakes, Big Challenges,” is based on a survey of 104 healthcare providers and found that, according to the respondents, there is no clear leader in healthcare security services. The top five services healthcare organizations were looking for included HIPAA and Meaningful Use risk assessment; attack and penetration testing; privacy assessment; HIPAA breach advisory services, and mobile security advisory services. Additionally, 75% of academic medical centers said they were “prepared” or “very prepared” for an Office for Civil Rights audit. The second leading privacy concern, according to the report, is bring-your-own-device and remote security policies. [FierceHealthIT] See also [“Data Breach Fatigue,” Ralph Nader and What It Could Mean for the Privacy Profession] and [Canada: Privacy laws hamper quest to find birth defect’s cause]

Horror Stories

US – AT&T Says Sensitive Consumer Data Accessed in Breach Incident

In a filing with California state regulators, AT&T said an unknown amount of customer data was accessed in a breach. Compromised data included Social Security numbers and call records reportedly accessed between April 9 and 21. California law requires companies to report breaches affecting at least 500 customers. “Employees of one of our service providers violated our strict privacy and security guidelines by accessing your account without authorization,” AT&T wrote in a letter to customers. “AT&T believes the employees accessed your account as part of an effort to request codes from AT&T (that) are used to unlock AT&T mobile phones in the secondary mobile phone market.” The company believes three employees of a vendor may have improperly accessed customer accounts. [PC World]

US – PF Chang’s Investigating Data Breach

US restaurant chain PF Chang’s says it is in contact with law enforcement agencies regarding reports that attackers stole customer payment card data from the company’s systems. Several days ago, thousands of recently stolen credit card numbers and their associated information were offered for sale in an underground forum known for trading in such things. The breach affects cards used at several different locations, suggesting that the attackers breached the company’s point-of-sale network, much like the attacks on Target and Sally Beauty. [KrebsonSecurity] [GovInfoSecurity] [