12-19 November 2021

COVID-19

When are COVID-19 vaccination policies enforceable in unionized workplaces?

In two decisions released last week, Ontario labour arbitrators ruled upon the enforceability of workplace COVID-19 vaccination policies. In one decision the arbitrator upheld the employer’s policy as reasonable. In another, an employer’s vaccination policy was found to be unreasonable. These decisions provide a useful indication of how decision-makers are likely to approach the adjudication of workplace COVID-19 vaccination policies going forward. SEE ALSO: Extending Its Stay, the U.S. 5th Circuit Says OSHA’s Vaccine Mandate Is ‘Fatally Flawed’

Brussels platform can reveal employees’ vaccination status

The Brussels vaccination platform Bruvax allows anyone who knows an individual’s national registry number and postal code, an employer for instance, to infer that person’s vaccination status: once the details are entered, the site offers an appointment only if the person has not yet been vaccinated, so the mere presence or absence of a booking option discloses their status. Privacy rights organization Charta21 called on the Brussels Joint Community Commission to “immediately put an end to the data leak.” Inge Neven, head of the Brussels Health Inspectorate, said a legal analysis is ongoing and necessary adjustments will be made.

Privacy concerns of finding a COVID-19 proof of vaccination app

Privacy experts are advising individuals shopping for a COVID-19 proof-of-vaccination app to be wary. In the absence of federal regulation of a COVID-19 vaccination registry or app, many third-party apps have appeared for individual use, and experts warn that some come at the cost of the personal data they collect.

Identity / Biometrics

Ontario delays launch of digital ID program until 2022

The Ontario government has delayed the launch of its digital ID program until 2022. The project was set in motion in October 2020 and consultation began in January 2021 [press notice, backgrounder, Q&A, Action Plan & (PDF)]. As reported by CTV News, the program was postponed because of the launch of Verify Ontario, the province’s proof-of-vaccination app. More details on the launch of the DI initiative, including timing and specifics, will be announced in 2022. See also: Ontario is developing a digital ID program for its citizens. The process needs more transparency, privacy experts say.

Adelaide passes motion to ban police use of facial recognition until further legislation

The Adelaide City Council passed an amendment banning police use of facial recognition until South Australia draws up laws governing the technology. The amendment was tied to the city’s plan to replace its ageing “City Safe CCTV network,” and specifically prevents the police from using any facial recognition capability in the new CCTV system, due in 2023, until such legislation is in place.

Integration of blockchain and biometrics to redefine digital identity by 2030: report

Behavioral biometrics, digital government, ecommerce, banking and airport security could see some of the biggest and most notable changes over the next decade as developments in artificial intelligence, blockchain technology and biometrics enable the creation of global solutions for digital ID, according to a report by Frost & Sullivan.

UK Government digital identity plans advance amid scepticism, lack of awareness

Britons do not feel well informed about digital identity and biometrics, according to a recently published survey of opinion on the topic, conducted ahead of plans to establish a nation-wide ‘OneLogin.’ UK millennials, meanwhile, feel that the government and businesses are not properly protecting personal data. Australia’s new bill for a Trusted Digital Identity System (TDIS) has sparked similar concerns about identity theft and a lack of data safeguards.

WEF cites stats showing how digital IDs can accelerate national economies

A new World Economic Forum white paper finds reason to believe that digital ID programs will be decisive in modernized financial services. In turn, those digitized services will play a growing role in a global economic recovery from the COVID pandemic. Three factors are cited as recovery accelerators.

First, digital ID will be the “catalyst” of a more fully digital future. Second, SMEs will be helped back to health thanks to digital identification programs. Third, there is evidence that digital services, including IDs and biometric systems have “transformed consumer habits and delivered tangible benefits” to Chinese citizens.

ICO questions tech companies on app age ratings

The U.K. ICO is seeking to learn how technology companies assess applications to determine age ratings. The ICO has written to 40 organizations “to identify conformance” with the U.K.’s Age-Appropriate Design Code. ICO interventions are focused “on operators of online services where there is information which indicates potential poor compliance with privacy requirements, and where there is a high risk of potential harm to children.”

Education / Youth

Senators seek to protect schools from cyberattacks

A group of U.S. senators wrote a letter to the Departments of Education and Homeland Security urging stronger action against cyberattacks on schools. “K-12 schools are increasingly coming under cyberattacks from a diverse set of actors, driven largely by the rapid rise of ransomware.”

Report assesses privacy policies of hundreds of education and consumer tech apps and services

Common Sense Media released a comprehensive report examining the privacy trends and practices of hundreds of popular technology companies and products over the last five years. The “2021 State of Kids’ Privacy” report finds increased transparency around privacy policies that provide more information about the products that children and students are using. However, that same transparency also reveals the increase of problematic practices like tracking, profiling and the sale of personal data. Across the pool of companies and apps evaluated in the report, only 26% met the minimum safeguards for all users of a product, earning a “Pass” rating. The remaining 74% scored below the threshold, earning a “Warning” rating, which indicates that these products are putting kids’ privacy at risk.

Data Sciences

Department of Defense issues ‘responsible’ AI guidelines

The U.S. Department of Defense’s Defense Innovation Unit released “responsible artificial intelligence“ guidelines, required to be used by third-party developers building AI systems for the military. The guidelines cover planning, development and deployment, and include procedures for identifying users of the technology and those who could be harmed by it, as well as potential harms and how to avoid them.

AI in Canadian Healthcare – Bias and Discrimination (new paper)

In an article for the Canadian Journal of Law and Technology, Bradley Henderson, Colleen Flood and Teresa Scassa examine issues of algorithmic and data bias leading to discrimination in the healthcare context. The paper lays out the landscape and identifies areas where there are legal and regulatory gaps and a need for both law reform and regulatory innovation. The paper is part of the newly launched Machine MD project at uOttawa that will run for the next four years. The full pre-print text of the article can be found here.

Proposed Filter Bubble Transparency Act targets algorithms

U.S. House lawmakers introduced the Filter Bubble Transparency Act, a proposal that would require internet platforms to offer an algorithm-free version of their services. Companies with fewer than 500 employees, annual gross receipts lower than $50 million over the last three-year period, and those gathering data on fewer than 1 million users annually would be exempt. See also: A bill proposed in New York City would require a bias audit to be conducted before an employer uses an automated employment decision tool.

Norwegian DPA identifies projects for regulatory sandbox on artificial intelligence

Norway’s data protection authority selected three projects for its regulatory sandbox on artificial intelligence. One uses machine learning to identify hospital patients in danger of being readmitted, another tackles money laundering and terrorist financing, and the third explores the possibility of using machine learning to identify emails and associated documents to be archived. The projects “show the breadth of cases where some of the answer may lie in the analysis of personal data.” SEE ALSO: German Court asks CJEU to clarify whether calculating consumer credit scores falls within the scope of automated decision-making under GDPR

Law Enforcement

RCMP seeks AI use to learn encryption passwords

The RCMP is seeking artificial intelligence tools to recover passwords more easily during investigations. It wants a system that would ingest an individual’s known passwords, web history and documents and use that material to generate candidate passwords for encrypted data seized in an investigation. Experts caution that a powerful password-recovery capability in police hands could reach beyond its intended access and be misused.
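What the RCMP describes is, in conventional terms, targeted wordlist generation for password cracking. The following is an added example written for this digest, not a tool the RCMP or any vendor has published: it takes a constructed (entirely fictitious) profile of a subject, applies common mangling rules (case changes, leet substitutions, year and symbol suffixes, word pairs, and year rotation of a previously recovered password), and tests each guess against a PBKDF2 hash standing in for the key derivation of an encrypted container. It also shows the limit of the technique: a password unrelated to the profile is not found, however much the profile knows.

```python
import hashlib
import itertools
import re
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

# Constructed profile for a hypothetical subject, standing in for the "passwords,
# web history and documents" the RCMP describes. Every value here is made up.
PROFILE: Dict[str, List[str]] = {
    "words": ["fluffy", "toronto", "maple", "leafs"],   # pet, city, interests
    "years": ["1987", "2014", "2020", "2021"],          # birth year, dates seen in documents
    "known_passwords": ["Maple2014!"],                  # recovered from another account
}
SUFFIXES = ["", "!", "1", "123", "#"]
LEET = str.maketrans("aeios", "43105")

# Deliberately low so the demo runs in seconds; real systems use far more iterations,
# which is exactly what makes each guess expensive for the attacker.
ITERATIONS = 1_000


def pbkdf2(password: str, salt: bytes) -> bytes:
    """Stand-in for the KDF protecting an encrypted container."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def case_variants(word: str) -> List[str]:
    return [word.lower(), word.capitalize(), word.upper()]


def year_rotations(password: str, years: Iterable[str]) -> Iterator[str]:
    """People recycle a password and bump the year: re-emit it with each known year swapped in."""
    if re.search(r"(19|20)\d\d", password):
        for year in years:
            yield re.sub(r"(19|20)\d\d", year, password)


def candidates(profile: Dict[str, List[str]]) -> List[str]:
    """Ordered, de-duplicated guesses: cheapest and most likely first."""
    out: List[str] = []
    # 1. Reused passwords and their year rotations.
    for pw in profile["known_passwords"]:
        out.append(pw)
        out.extend(year_rotations(pw, profile["years"]))
    # 2. Single personal words with case, leet, year and suffix mangling.
    bases: List[str] = []
    for word in profile["words"]:
        for variant in case_variants(word):
            bases.append(variant)
            bases.append(variant.translate(LEET))
    for base in bases:
        for year in [""] + profile["years"]:
            for suffix in SUFFIXES:
                out.append(f"{base}{year}{suffix}")
    # 3. Two-word combinations, optionally followed by a year.
    for a, b in itertools.permutations(profile["words"], 2):
        pair = a.capitalize() + b.capitalize()
        out.append(pair)
        out.extend(pair + year for year in profile["years"])
    return list(dict.fromkeys(out))


def crack(target_hash: bytes, salt: bytes, profile: Dict[str, List[str]]) -> Tuple[Optional[str], int]:
    """Try every candidate against the stored hash; return (password, attempts) or (None, attempts)."""
    attempts = 0
    for guess in candidates(profile):
        attempts += 1
        if pbkdf2(guess, salt) == target_hash:
            return guess, attempts
    return None, attempts


if __name__ == "__main__":
    salt = b"constructed-salt"
    # A password built from personal facts (pet + year + symbol) falls to the targeted list ...
    print(crack(pbkdf2("Fluffy2021!", salt), salt, PROFILE))
    # ... while an unrelated random password survives the whole list.
    print(crack(pbkdf2("v7#Qp!2xLm", salt), salt, PROFILE))
```

The list here runs to a few hundred guesses; real tooling (CUPP-style generators feeding hashcat rule sets) produces millions, which is why the defensive lesson is the same as the offensive one: a passphrase that cannot be derived from anything an investigator, or an attacker, can learn about you is the only kind this approach does not reach.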

LAPD use of social media spy tech in 2019 raises concerns

The L.A. Police Department trialled a social media surveillance company with controversial capabilities in 2019. Technology company Voyager Labs offers social media data surveillance and collection, including of “friends” and connections, and pitched an artificial intelligence algorithm that it claimed could determine a user’s ideological beliefs and likelihood of committing a future crime.

Online Privacy / Surveillance

Norwegian leaders urge ban on surveillance-based advertising

Norwegian Data Protection Commissioner, Consumer Council Director, and Amnesty International Norway General Secretary call for a ban on surveillance-based advertising. “It is unacceptable to violate fundamental human and consumer rights in an attempt at serving more relevant ads. The business model of the tech giants is incompatible with the right to privacy,” they said. “It entails major challenges to human and consumer rights.”

UK Supreme Court halts billion-dollar privacy class action against Google

The UK’s Supreme Court has denied a claim that sought billions of dollars in damages in a class-action lawsuit against Google over alleged illegal tracking of millions of iPhone users. SEE ALSO: Lloyd v Google – a return to first principles and Positive news for data controllers in the much-anticipated Lloyd v Google Supreme Court judgment and Lloyd v Google UK Supreme Court Class Action Judgment — End of the Road for Some, Open Door for Others.

Facebook to stop targeting ads based on race, sexual orientation, and politics

Facebook announced it will stop letting advertisers use certain targeting options related to “sensitive” characteristics such as race, religion, sexual orientation, health causes, and political beliefs. In their announcement, Facebook owner Meta said: Starting January 19, 2022 we will remove Detailed Targeting options that relate to topics people may perceive as sensitive, such as options referencing causes, organizations, or public figures that relate to health, race or ethnicity, political affiliation, religion, or sexual orientation. See also: Zuckerberg’s metaverse will invade workers’ privacy, whistleblower says

Mozilla identifies privacy strengths, weaknesses of connected gifts

Mozilla’s Privacy Not Included shopping guide identifies 47 connected gifts with “problematic privacy practices” and 22 products that protect user privacy. Mozilla researchers examined 151 popular connected gifts, determining whether they had cameras, location tracking features or other tools that collect user data. The lead researcher said smart exercise equipment “stood out as especially problematic,” adding, “We also found that consumers continue to shoulder way too much of the responsibility to protect their own privacy and security.”

UK Councils and police must ‘weigh CCTV firms’ human rights records’

UK Councils and police should consider CCTV firms’ human rights records before purchasing, the surveillance camera watchdog has said. An update to the Surveillance Camera Code of Practice is expected soon – the first update in eight years. It will set out the rules which police and local authorities are expected to follow when using surveillance cameras.

Privacy issues hinder potential central bank digital currencies

Potential central bank digital currency schemes have privacy pitfalls. Chief among the concerns are how to preserve user privacy when these currencies call for user identification and transaction tracking. SEE ALSO: New anti-money laundering guidelines issued for the crypto space and FATF Issues Updated Virtual Asset Guidance.

Bitcoin update improves transaction privacy, security

An update to Bitcoin’s network improves privacy and security for complex transactions. The “Taproot” upgrade, the first major change to Bitcoin’s consensus rules since SegWit in 2017, introduces Schnorr signatures, whose keys and signatures can be aggregated, so that multi-party and script-based spends look on-chain like ordinary single-signature transactions and observers can no longer single out an unusual transfer.
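To make the mechanism concrete, the following is an added example written for this digest, not code from the Taproot upgrade or from Bitcoin Core: a textbook Schnorr signature over secp256k1 in pure Python (plain SHA-256 and full-point encoding rather than the BIP340 x-only, tagged-hash form that Bitcoin actually uses). It shows that a naive sum of two parties’ keys and nonces produces a signature that verifies exactly like a single-key signature, which is the indistinguishability the paragraph describes, and it also shows the rogue-key attack that explains why the deployed scheme (MuSig2) weights each key with a hash-derived coefficient instead of summing them directly.

```python
import hashlib
import secrets
from typing import List, Optional, Tuple

Point = Optional[Tuple[int, int]]  # None is the point at infinity

# secp256k1 domain parameters (public constants; the curve Bitcoin uses).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G: Point = (
    0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
    0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8,
)

def add(p: Point, q: Point) -> Point:
    """Affine point addition (textbook; not constant-time, not for production)."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # p == -q
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P    # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P     # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k: int, p: Point) -> Point:
    """Double-and-add scalar multiplication."""
    r: Point = None
    while k:
        if k & 1:
            r = add(r, p)
        p = add(p, p)
        k >>= 1
    return r

def neg(p: Tuple[int, int]) -> Tuple[int, int]:
    return p[0], (-p[1]) % P

def enc(p: Point) -> bytes:
    assert p is not None
    return p[0].to_bytes(32, "big") + p[1].to_bytes(32, "big")

def challenge(R: Point, pub: Point, msg: bytes) -> int:
    """e = H(R || P || m). Simplified: BIP340 uses x-only keys and tagged hashes."""
    return int.from_bytes(hashlib.sha256(enc(R) + enc(pub) + msg).digest(), "big") % N

def keygen() -> Tuple[int, Point]:
    x = secrets.randbelow(N - 1) + 1
    return x, mul(x, G)

def sign(x: int, msg: bytes) -> Tuple[Point, int]:
    k = secrets.randbelow(N - 1) + 1
    R = mul(k, G)
    return R, (k + challenge(R, mul(x, G), msg) * x) % N

def verify(pub: Point, msg: bytes, sig: Tuple[Point, int]) -> bool:
    R, s = sig
    return mul(s, G) == add(R, mul(challenge(R, pub, msg), pub))

def aggregate_sign(keys: List[int], msg: bytes) -> Tuple[Point, Tuple[Point, int]]:
    """Naive n-of-n aggregation: P = sum(P_i), R = sum(R_i), shared e = H(R||P||m),
    s = sum(k_i + e*x_i). The result verifies under `verify` like any single-key signature."""
    pub_agg: Point = None
    for x in keys:
        pub_agg = add(pub_agg, mul(x, G))
    nonces = [secrets.randbelow(N - 1) + 1 for _ in keys]
    R_agg: Point = None
    for k in nonces:
        R_agg = add(R_agg, mul(k, G))
    e = challenge(R_agg, pub_agg, msg)
    return pub_agg, (R_agg, sum(k + e * x for k, x in zip(nonces, keys)) % N)

def rogue_key_attack(honest_pub: Tuple[int, int], msg: bytes) -> Tuple[Point, Tuple[Point, int]]:
    """Why naive summation is unsafe: a co-signer who publishes P2 = x2*G - P1 makes the
    aggregate P1 + P2 equal x2*G and signs for the 'two-party' key alone. MuSig2 prevents
    this by multiplying each key by a coefficient derived from the whole key set."""
    x2 = secrets.randbelow(N - 1) + 1
    rogue_pub = add(mul(x2, G), neg(honest_pub))
    return add(honest_pub, rogue_pub), sign(x2, msg)   # aggregate == x2*G
```

The verifier never learns whether a signature came from `sign` or `aggregate_sign`: both are one curve point and one scalar checked by the same equation, which is exactly what removes the on-chain fingerprint of a multi-party spend. The rogue-key function is the caveat a practitioner should carry away from this: summing keys is the idea, but not the deployed construction.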

FPF, IBM report explores mitigating privacy risks of brain-computer interfaces

A Future of Privacy Forum and IBM Policy Lab report includes a recommended framework for mitigating privacy risks associated with brain-computer interface technologies. The report, “Privacy and the Connected Mind,” details ways to implement the technology while protecting users’ privacy rights.

Mobile / Location Privacy

Facebook’s Use of Alternate Location Tracking Methods to Circumvent Apple Privacy Protections Expands to Accelerometer Data

In a move that appears primarily aimed at iPhone users who have opted out of device tracking, Facebook is now using device accelerometer data as an alternate means of pinpointing location and following app users through their day. This happens even when users both opt out of targeted advertising and disable location tracking within the Facebook app.

Apple will soon let you pass on your iCloud data when you die

Apple’s new Digital Legacy program, arriving in iOS 15.2, allows users to designate up to five people as Legacy Contacts. These individuals can then access the data stored in your iCloud account when you die, such as photos, documents and even purchases. To gain access, a Legacy Contact must still provide Apple with proof of death and the access key generated when they were designated. Both Google and Facebook already have systems for designating account access to other people.

Cybersecurity / Breaches

Consultation on new OSFI Guideline on technology and cyber risk management

The Office of the Superintendent of Financial Institutions launched a three-month public consultation on a new Draft Guideline B‑13: Technology and Cyber Risk Management (Draft Guideline). The Draft Guideline will apply to all federally regulated financial institutions (FRFIs), including banks, insurers, and trust and loan companies. The publication follows OSFI’s consultation on technology risks in the financial sector that was launched in September 2020. OSFI issued a summary of the feedback received from this earlier consultation in May 2021, which is also addressed in the Draft Guideline and the related OSFI letter.

CISA publishes cybersecurity incident, vulnerability response playbooks

The U.S. Cybersecurity and Infrastructure Security Agency launched two playbooks for federal civilian agencies to use in planning and conducting cybersecurity vulnerability and incident response [press notice, activity report & PDF]. The playbooks provide agencies with “a standard set of procedures to identify, coordinate, remediate, recover, and track successful mitigations from incidents and vulnerabilities affecting [federal civilian] systems, data, and networks.” See also: CISA Issues New Cybersecurity Directive for Federal Agencies.

Hacker accesses FBI email service, sends phony emails

A hacker accessed the FBI’s Law Enforcement Enterprise Portal (LEEP) through a temporary software misconfiguration and used it to send phony emails purporting to come from the agency and the Department of Homeland Security. Because the messages were sent through the FBI’s own infrastructure, their headers were genuine, which is what made the hoax convincing. The agency said no data or personally identifiable information was accessed and the vulnerability was “quickly remediated.” See also: Hoax Email Blast Abused Poor Coding in FBI Website.

U.S. Government takes increasingly aggressive actions targeting ransomware

On November 8, 2021, the U.S. Department of Justice, U.S. Department of the Treasury, and the U.S. Department of State made several significant announcements regarding recent U.S. government actions targeting the ransomware ecosystem. The announcements are the latest signal that the federal government is taking increasingly aggressive actions to combat the threat of ransomware, which the U.S. government views as a national security threat. See also: “Whole of Government” Anti-Ransomware Campaign on Full Display and FTC recommends steps to protect against ransomware

Sophos 2022 Threat Report Identifies malware, mobile, machine learning and more

Following Cybersecurity Awareness Month, Sophos has released its latest Sophos Threat Report [news release | video summary]. Five key topics are covered: 1. Malware, 2. Mobile, 3. Machine learning and AI, 4. Ransomware, and 5. Where next? (threat landscape). SEE ALSO: Companies Still Struggling with Implementing Ransomware Backup Plans

Workplace Monitoring

New York State Requires Private Employers to Notify Employees of Electronic Monitoring

On November 8, 2021, New York Governor Kathy Hochul signed into law A.430 [and companion Senate bill S.2628], which requires private employers with a place of business in New York State to provide their employees prior written notice, upon hiring, of any electronic monitoring, as defined in the Act, to which the employees will be subjected by the employer. SEE ALSO: NY Enacts Employee Monitoring Notification Law

UK Workplace surveillance booming during pandemic, destroying trust in employers

An explosion in workplace monitoring during the pandemic – in part supported by common software tools from global vendors – threatens to erode trust in employers and employees’ commitment to work, according to a European Commission research paper. SEE ALSO: Zuckerberg’s metaverse will invade workers’ privacy, whistleblower says

Health Privacy

College of Physicians and Surgeons of Ontario invites comments on draft virtual care policy

The College of Physicians and Surgeons of Ontario is asking for feedback by Nov. 22 on the new draft virtual care policy and the draft advice to the profession document, the policy’s companion resource. The new virtual care policy acknowledges the shift toward remote connectivity and platforms that allow patients to access healthcare without ever entering a clinic. The COVID-19 pandemic has sped up the adoption of virtual care.

Medical Device Incident Response Playbook

A new publication from the Cloud Security Alliance IoT Working Group aims to help healthcare organizations mitigate security risks. The document provides guidance not only for incident response, but also for incident response preparation.

Events

Integrating compliance and risk management through NIST’s Privacy Framework

The U.S. National Institute of Standards and Technology will hold a Dec. 1 webinar to help organizations use regulatory crosswalks in implementing its Privacy Framework. Discussion will include creating a foundational privacy program that can be tailored to various jurisdictions, bridging the gap between compliance requirements and design, and going beyond compliance with a forward-thinking risk management approach.

21-28 October 2021

Biometrics / Identity

How digital vaccine passports pave way for unprecedented surveillance capitalism

The titans of global capitalism are exploiting the Covid-19 crisis to institute social credit-style digital ID systems across the West, the article argues. As the military surveillance firm and NATO contractor Thales recently put it, vaccine passports “are a precursor to digital ID wallets.” For the national security state, digital immunity passports promise unprecedented control over populations wherever such systems are implemented. Ann Cavoukian, the former privacy commissioner of Ontario, Canada, has described the vaccine passport system already active in her province as “a new, inescapable web of surveillance with geolocation data being tracked everywhere.” See also: Former privacy czar calls vax mandates ‘abhorrent’.

Schools pause facial recognition to pay for school lunches

Eight schools in North Ayrshire, Scotland, have “temporarily paused” the use of facial recognition scans for payment in their cafeterias, while one has abandoned the option entirely. More schools had been expected to adopt the system, which raised concerns among privacy advocates. The U.K. Information Commissioner’s Office also intervened to see whether a “less intrusive” option was possible. North Ayrshire Council said it is reverting to the previous PIN system “while we consider the inquiries received.”

Companies, governments adding age checks to protect children online

In response to claims that technology companies aren’t doing enough to protect children online, more companies and governments are adding digital age checks online. But critics say the changes, some requiring government-issued identification or credit card data, could negatively impact user privacy and anonymity. SEE ALSO: A ‘moment like no other’ for children’s privacy and Enhancing protections for children’s data

Resisting the Menace of Face Recognition

According to the EFF, “Face recognition technology is a special menace to privacy, racial justice, free expression, and information security. Our faces are unique identifiers, and most of us expose them everywhere we go. And unlike our passwords and identification numbers, we can’t get a new face. So, governments and businesses, often working in partnership, are increasingly using our faces to track our whereabouts, activities, and associations.”

Mobile / Location Privacy

Location Data Firm Got GPS Data From Apps Even When People Opted Out

An established data vendor that obtains granular location information from ordinary apps installed on people’s phones, and then sells that data, has been receiving GPS coordinates even when people explicitly opted out of such collection. The news highlights a stark problem for smartphone users: they cannot actually be sure that apps are respecting their explicit preferences around data sharing. It also confirms that location data firms may not even know whether the data they receive was collected with consent.

Online / Surveillance

Job scams stealing personal data on the rise

Job listing scams that steal personal data and defraud individuals are on the rise. Cybercriminals are posting ads, including on large sites like Facebook, Indeed and LinkedIn, offering lucrative wages from fake or impersonated companies in exchange for an application full of personal information, including Social Security numbers. In March, a reported 2,900 scam listings were found. That number had climbed to 18,400 by July and stands at 36,350 as of October.

More than half of most-trafficked NZ sites use dark patterns, report finds

Of all the New Zealand e-commerce, media, government, telecommunications, property and banking websites tested, 54% had one or more dark patterns on their website. Most dark patterns were found around financial transactions on the page, and were most common on e-commerce and media sites. The findings also report on aspects such as customer surveillance, unsubscribing, online shopping and regulation. 

FTC report finds concerns with internet service providers’ data collection, use

A report by the U.S. FTC on the data collection and use practices of ISPs found many collect and share more data than consumers expect. The report found the six ISPs combine personal, application and web browsing data for ad targeting and share real-time location data with third parties. It also raised concerns with companies’ privacy protections and said while many ISPs claim to offer consumers choice around their data, many make it difficult for consumers to exercise those choices.

Nonprofit Websites Are Riddled With Ad Trackers

The Blacklight tool scanned more than 23,000 websites of nonprofit organizations working in sensitive areas, like mental health, finding many are gathering and sharing visitors’ data. 86% of websites were found to have third-party cookies or tracking network requests, 439 websites loaded scripts to monitor visitors’ clicks and keystrokes, and some had embedded trackers.

License plate readers divide neighborhoods on safety, privacy

The use of license plate readers in suburban Colorado is dividing a community over privacy and safety. A homeowners’ association announced its intention to buy license plate readers from industry leader Flock. The readers photograph and catalogue vehicle data, including license plate number, make, when and where the car was spotted, and even bumper stickers, and store the photographs for 30 days in a database that homeowners can access at the discretion of the HOA.

Law Enforcement

How Predictive Policing Can Criminalize Kids’ Online Searches

To date there has been no systematic review of UK police use of algorithmic technology to forecast crime. A recent report provides valuable insight into how the UK’s National Crime Agency (NCA) is adopting such technology in a cybercrime context, with some interesting case-study examples [read “Influence government: exploring practices, ethics, and power in the use of targeted advertising by the UK state”].

Education

Privacy Groups Uneasy With Monitoring Students for Self-Harm

A new report from Student Privacy Compass, a website from the nonprofit think tank Future of Privacy Forum, says schools are making more use of programs that monitor student devices for clues of suicidal ideation and self-harm, despite concerns about student privacy and the efficacy of such programs. Anisha Reddy, policy counsel with the Future of Privacy Forum and one of the report’s authors, said she was unable to find “any independent research” into the efficacy of K-12 monitoring programs, which raises the question of whether schools themselves are the testing grounds for these programs.

Data Sciences

EU Proposed Regulatory Regime for Artificial Intelligence (AI) Could Set Global Standard

The European Commission has proposed the world’s first comprehensive legislative package to regulate AI. The Artificial Intelligence Act would establish a risk-based framework for regulating the use of AI anywhere within the EU, including by companies based outside the EU. A limited number of unacceptable AI use cases, such as social scoring by public authorities, would be banned outright; high-risk use cases would be subject to prior conformity assessment and wide-ranging new compliance obligations; limited-risk functions would be subject to enhanced transparency rules; and low-risk use cases could largely be pursued without any new obligations under the AIA. By legislating now, the EU hopes to establish a de facto global standard for AI. [EDPB & EDPS joint opinion].

Regulators

CNIL’s CookieViz software wins innovation award

The CookieViz 2.0 software developed by the French data protection authority, the Commission nationale de l’informatique et des libertés, won the Global Privacy and Data Protection Awards 2021 in the innovation category at the 43rd World Privacy Assembly. The software displays cookies stored by third party domains when browsing online. Following an analysis on the use of cookies on the highest viewed websites in France, the CNIL sent a letter to select sites encouraging them to inform users on the use of cookies and obtain their consent.

DPAs divulge privacy expectations for video conferencing platforms

The U.K. ICO offered an update on its global coordination with six data protection authorities to convey privacy expectations for video conferencing platforms. In July 2020, the ICO joined regulators from Australia, Canada, China, Gibraltar, Hong Kong and Switzerland in an open letter to Microsoft, Google, Cisco and Zoom regarding preferred privacy practices and standards.

Advocacy groups support FTC privacy rulemaking

Forty-five advocacy groups signed a letter to U.S. FTC Chair Lina Khan urging her and the agency to take up a privacy rulemaking. The groups asked for a rulemaking that covers the “entire life cycle of data—collection, use, management, retention, and deletion” and that ensures consumers “significant protection from discrimination and related data harms.”

  • Meanwhile, the FTC announced it updated the Safeguards Rule to better protect against personal data breaches and cyberattacks that lead to identity theft and other financial losses.
  • The Wall Street Journal reports the FTC is reviewing Facebook’s disclosures regarding harmful algorithms associated with its products and whether those issues violate the company’s $5 billion settlement with the FTC from 2019.
  • New York Magazine published a wide-ranging interview with FTC Chair Lina Khan regarding the future of Big Tech enforcement.

Security / Breaches

Cyberattacks spurring demand for cyber insurance: Moody’s

Demand for cyber insurance has surged as companies respond to high-profile cyber attacks, increased regulatory scrutiny, mounting reputational risk and the need for protection against vulnerabilities among supply-chain counterparties, according to Moody’s Investors Service. See also: Cyber insurance market encounters ‘crisis moment’ as ransomware costs pile up.

HHS Bulletin Lists Cybersecurity Issues Relevant to Healthcare Sector

The US Department of Health and Human Services Monthly Cybersecurity Vulnerability Bulletin for October 2021 lists the BrakTooth vulnerabilities, Conti ransomware, and the Medusa TangleBot as top security concerns for the healthcare sector. The bulletin also lists relevant vulnerabilities in products from Microsoft, Adobe, Apple, Cisco, WordPress and other companies. 

NIST releases draft reports on cloud security

The U.S. National Institute of Standards and Technology announced its National Cybersecurity Center of Excellence published draft reports examining various aspects of hardware-enabled security for cloud systems. The reports cover techniques and technologies that can improve platform security, an approach for safeguarding container deployments in multi-user cloud systems, and an example solution for leveraging hardware roots of trust to oversee enforcement of security and privacy policies on cloud workloads.

Report: 24% of execs implement privacy, security in planning stages

A report from EY shows that only 24% of Canadian executives build cybersecurity and privacy practices into the planning stages of projects. Nearly one quarter of chief information security officers reported that their teams were consulted either too late or not at all during strategic planning, and 34% of executives described cybersecurity as flexible and collaborative.

Privacy engineers as superheroes?

What happens if an organization wants to track data flows but avoid exposing personal information? How does it mitigate damage if there is a data breach? Privacy engineers can be instrumental in addressing these issues. An article in Communications of the ACM breaks down how privacy engineers are “often the real superheroes when things go wrong” and how they are “essential to preventing privacy disasters.”

14-21 October 2021

COVID-19

Justice Centre sues Ontario Government over vaccine passport

The Justice Centre has filed a constitutional challenge against Ontario’s vaccine passport mandate in Ontario’s Superior Court of Justice [Notice of Application dated October 15]. The legal challenge is brought on behalf of eight Ontario citizens who are exercising their Charter rights and freedoms by not taking one or more doses of the Covid vaccine.

Advocacy group pitches privacy principles for NZ vaccine certificates

The Privacy Foundation New Zealand’s Health Care and Policy Working Group published proposed privacy principles around New Zealand’s COVID-19 vaccine certificates. “It is essential that all implications associated with the creation, use and limitations of the certificates have been considered prior to their implementation,” the organization said in its proposal. The principles include data minimization and deletion requirements, transparent terms and conditions, prohibition of biometric identity verification and more. 

NHS Vaccine Passport Outage Causes Travel Problems

The UK’s National Health Service (NHS) vaccine passport, NHS Covid Pass, suffered a disruption on Wednesday, October 13. The feature is part of the NHS smartphone app. Users received error messages suggesting that the service was experiencing unusually high traffic volumes, which was limiting access. Some passengers at UK airports reported that they were unable to board their flights because they did not have sufficient proof of their vaccination status without access to NHS Covid Pass.

BIOMETRICS / IDENTITY

NZ privacy commissioner outlines regulation of biometrics

The Office of the Privacy Commissioner of New Zealand published a white paper outlining how the Privacy Act covers the use of biometric technologies. According to OPC, the intent of the white paper is to “inform decision-making about biometrics by all agencies” in public and private sectors.

Facial recognition cameras arrive in UK school canteens

Nine U.K. schools will start taking payments for school lunches by scanning the faces of pupils, claiming that the new system speeds up queues and is more Covid-secure than the card payments and fingerprint scanners they used previously. Many British schools have used other biometric systems, such as fingerprint scanners, to take payments for years, but privacy campaigners said there was little need to normalise facial recognition technology, which has been criticised for often operating without explicit consent. “It’s normalising biometric identity check for something that is mundane. You don’t need to resort to airport style [technology] for children getting their lunch,” said Silkie Carlo of the campaign group Big Brother Watch. Swanston said the cameras check against encrypted faceprint templates stored on servers at the schools, and that 65 school sites had signed up. Live facial recognition has previously caused controversy after being used by schools for security or to monitor attendance. New York State has temporarily banned this practice, and Sweden has fined a municipality that trialled such a scheme. The council said that 97% of children or their parents had given consent for the new system.

Students using facial recognition to pay for school lunches, ICO to intervene

Schools in the U.K. are using facial-recognition technology to take payments for students’ school lunches. Officials say the technology reduces transaction times and is more secure than card payments and fingerprint scans. The U.K. Information Commissioner’s Office said it will be inquiring about the use of the technology and urged a “less intrusive” approach.

Moscow metro launches facial recognition payment system

The city of Moscow launched “Face Pay,” a facial recognition fare system for their network of more than 240 metro stations in the city. “Moscow is the first city in the world where this system is operating on such a scale.”

Study: Consumers prefer biometric verification

Research by the Chief Marketing Officer Council found 44% of consumers favor biometrics for authentication over other methods. 34% of the 2,000 consumers surveyed prefer biometrics if the system is secure, while 10% prefer passwords or other methods of authentication, and 81% said they prefer to work with companies that verify their identity “simply, quickly, and safely.”

Government ID network database potentially hacked on massive scale

A hacker breached Argentina’s National Registry of Persons, stealing the personal information of every Argentinian citizen and putting it for sale online. The database, called RENAPER, is used to issue citizens identifying cards and verify personal information by other governmental bodies.

ONLINE PRIVACY / SURVEILLANCE

More than half of most-trafficked NZ sites use dark patterns, report finds

Dark patterns are commonly ingrained in New Zealand e-commerce, media, government, telecommunications, property and banking websites. Most dark patterns were found around financial transactions on the page, and were most common on e-commerce and media sites. The findings also report on aspects such as customer surveillance, unsubscribing, online shopping and regulation.

Thin line between COVID-tech and public surveillance

Chinese surveillance companies like Dahua, one of the top providers of “smart camp” systems used in the surveillance and oppression of undesirables in China, have capitalized on the pandemic by selling their heat-mapping camera systems to companies like Amazon looking to monitor employees for COVID symptoms.

Brave’s privacy-first search engine is now built in to its browser

Brave is very confident in its privacy-centric search engine — so much so that it’s giving Google the boot. As of October 19th, Brave will use the engine as its browser’s default search tool, replacing Google in the US, UK and Canada. It’ll also supplant DuckDuckGo in Germany and Qwant in France, with more countries seeing the switch in the “next several months.” Brave Search is effectively billed as the anti-Google engine. It doesn’t track you, your search history or what you’ve clicked. While its independent index won’t necessarily be as robust as Google’s, Brave is betting that the default position will significantly boost adoption.

MOBILE / LOCATION PRIVACY

Study reveals ‘massive’ data collection by Android devices with no opt-out for users

Extensive data collection on Android phones which users cannot opt out of raises a “number of privacy concerns”, research conducted by Trinity College Dublin and the University of Edinburgh has found. The research, which centred on a range of popular Android mobile phones, revealed significant data collection and sharing, including with third parties, with no opt-out available to users.

iPhone App Privacy Just Slightly Better than Android, Says Oxford Study

Even though Apple champions privacy as one of the biggest selling points of the iPhone, a recent in-depth study from the University of Oxford examined 24,000 apps from Apple’s App Store and Google Play to conclude that the iPhone provides the same level of app privacy as Android, with “broad” third-party tracking rampant on both platforms. In fact, the study found that iOS was actually worse at preventing apps from acquiring the location data of minors. [coverage]

Researchers call phone scanning ‘dangerous technology’

A group of researchers called plans by Apple and the European Union to detect illicit material on devices “dangerous technology.” Apple’s now delayed plans would scan images uploaded to its iCloud storage service to detect images of child sexual abuse, while an anticipated proposal in the EU would detect similar images on encrypted devices. “It should be a national-security priority to resist attempts to spy on and influence law-abiding citizens,” the researchers said.

Researchers study tools to give therapists access to patient smartphone data

Researchers are designing applications that could give therapists access to data from patients’ smartphones in between sessions. The apps would use voice-analysis software and online-search behavior to help professionals assess and assist with patients’ conditions. Questions remain about how to ensure informed consent and safeguard users’ information.

App privacy details available in Google Play Store in February 2022

Google’s new Play Store data privacy section will go live in February 2022. Application developers can now fill out Google’s “Data safety form.” The information will be available to users in February and required from developers by April. Developers are encouraged to disclose the data an app collects, if the data is required or optional for app use, if it is encrypted, and if the app has been reviewed “for conformance with a global security standard.”

CHILDREN’S PRIVACY

UNICEF Issues policy guidance on AI for children

As part of UNICEF’s Artificial Intelligence for Children Policy project, UNICEF has developed guidance to promote children’s rights in government and private sector AI policies and practices, and to raise awareness of how AI systems can uphold or undermine these rights. A virtual conference will be held Nov 30-Dec 1, 2021 to discuss the findings and case studies.

US K-12 Cybersecurity Act Signed into Law

The US K-12 Cybersecurity Act was signed into law on October 8, 2021. The legislation calls for the Cybersecurity and Infrastructure Security Agency (CISA) to assess the cyber risks faced by K-12 school systems, develop recommendations for K-12 cybersecurity guidelines, and create an online toolkit that K-12 schools can use to implement those recommendations.

SECURITY / BREACHES

White House hosts meeting on global response to ransomware

U.S. President Joe Biden hosted officials from 30 countries for a two-day virtual summit aimed at addressing a potential global solution to growing ransomware threats around the world. The discussion covered a range of topics within the ransomware discussion, including cybersecurity measures, tactics for disrupting cyberattacks, virtual currency and general diplomacy. China and Russia did not attend.

On Global Encryption Day (Oct 21), Let’s Stand Up for Privacy and Security

October 21, 2021 is the inaugural Global Encryption Day. EFF and partner organizations are asking people, companies, governments, and NGOs to “Make the Switch” to strong encryption. EFF is hoping this day can encourage people to make the switch to end-to-end encrypted platforms, creating a more secure and private online world. It’s a great time to turn on encryption on all the devices or services you use, or switch to an end-to-end encrypted app for messaging—and talk to others about why you made that choice. Using strong passwords and two-factor authentication are also security measures that can help keep you safe. The Global Encryption Day website has some ideas about what you could do to make your online life more private and secure. Watch Edward Snowden launch Global Encryption Day, live today.

10 Phishing Stats That’ll Make Your C-Suite Think

Wanting to run a phishing simulation is one thing, but persuading colleagues of the importance of doing so is another. We’ve collated a few facts, figures, and bullet points to help busy security teams convince those who hold the purse strings, to make them realize running phishing tests and raising cybersecurity awareness is an important and valuable use of security team resources.

  1. Phishing is the number one cause of enterprise cybersecurity breaches and has been for the last two years.
  2. The prevalence of phishing attacks is undeniable, but this isn’t matched by colleague awareness.
  3. Industry participants who encountered a phishing breach reported the following consequences:
    • 76% were infected with ransomware or malware.
    • 60% of compromised businesses lost data.
    • 52% had accounts or credentials compromised.
    • 18% encountered direct financial losses.
  4. Some industries are more vulnerable to these attacks than others.
  5. The cost of a data breach can be devastating to businesses.
  6. Most phishing attacks are aimed at companies that utilize webmail and SaaS.
  7. Bad actors rely on staff ignorance, FOMO and psychology, familiarity, and basic social engineering tactics.
  8. Remote working and BYOD are targets.
  9. Attacks will often appear to come from a reputable source.
  10. The cost of conducting a simulated phishing attack, and the return on investment (ROI), varies from business to business.

Google Warns of State Sponsored Hacking

Google says that in 2021, it has sent more than 50,000 warnings of state-sponsored phishing and other attacks targeting its customers. A security engineer from Google’s Threat Analysis group (TAG) notes that “receiv[ing] a warning it does not mean your account has been compromised, it means you have been identified as a target.” Google urges users to enable two-factor authentication, and says that it plans to provide hardware security keys to 10,000 high-risk users.

VirusTotal’s Ransomware Data Analysis

VirusTotal has published a report detailing its findings from analyzing 80 million ransomware samples. VirusTotal says that of those samples, 95% targeted Windows machines. The report breaks down ransomware activity by threat operator groups and geographic areas targeted. The data were collected between January 2020 and August 2021. 

Missouri Governor Threatens Legal Action Against Journalist for Story About Security Flaw

Missouri’s governor has threatened to prosecute a journalist and the St. Louis Post-Dispatch newspaper after they ran a story about a vulnerability in a state education website. The paper disclosed the vulnerability to the Missouri state Department of Elementary and Secondary Education (DESE), which addressed the issue before the story was published.

OMB Memo Spells Out Steps for Endpoint Detection and Response 

A memo from the White House Office of Management and Budget (OMB) directs federal agencies to provide the Cybersecurity and Infrastructure Security Agency (CISA) with access to their current endpoint detection and response (EDR) deployments within the next three months. The memo outlines other steps for agencies to take “to further the goal of centrally managing the information needed to support host-level visibility, attribution, and response with respect to agency information systems.”

CNIL opens public consultation on updated password management recommendations

France’s data protection authority opened a public consultation on its updated recommendations on secure password management in the context of increasing threats to data security. The public consultation is open until Dec. 3.

DATA SCIENCES

Does the U.S. Need an AI “Bill of Rights”?—White House Says “Yes”

The White House Office of Science and Technology Policy (OSTP) announced a plan to develop a “bill of rights” to protect against what the OSTP perceives to be potentially harmful consequences of AI, including anticipated and unanticipated risks arising from AI applications developed using biometric data such as facial recognition, voice analysis, and heart rate trackers [WIRED].

National AI Strategy: UK Government Publishes Artificial Intelligence Strategy for the Next Decade

On 22 September 2021, the UK Government published its Artificial Intelligence strategy. The paper outlines the Government’s plan to make Britain a “global superpower” in the AI arena, and sets out an agenda to build the most “pro-innovation regulatory environment in the world”. This post highlights some of the key elements from the UK AI strategy. Significantly, the UK’s proposed approach may diverge in some respects from the EU’s GDPR. For example, the UK strategy includes consideration of whether to drop Article 22’s restrictions on automated decision-making, and whether to maintain the UK’s current sectoral approach to AI regulation. The UK will publish a White Paper on regulating AI in early 2022, which will provide a basis for further consultation and discussion with interested or affected groups before draft legislation is formally presented to the UK Parliament. SEE ALSO: UK Government publishes National Artificial Intelligence Strategy

AI fake-face generators can be rewound to reveal the real faces they trained on

Researchers are calling into doubt the popular idea that deep-learning models are “black boxes” that reveal nothing about what goes on inside.

REGULATORS

Bill would allow B.C. citizens’ personal data to be sent out of country

The NDP government is dropping a legal requirement to protect citizens’ private data by storing and handling it in Canada, in a new bill that alarms the information and privacy commissioner. The NDP is now saying the measure is out of date and hampers competitiveness.

BC: Watchdog says some changes to B.C. privacy laws ‘inappropriate’

Michael McEvoy said he is “extremely troubled” that proposed amendments to B.C.’s Freedom of Information and Protection of Privacy Act that will allow public bodies to send British Columbians’ personal information outside Canada do not spell out how people’s privacy will be protected. B.C.’s Minister of Citizen Services, Lisa Beare, said laws that prevent personal information from being stored outside Canada can make it difficult for universities to deliver online education tools or for doctors to provide online health care, because some of the information required to do so may be stored with companies that work internationally. Beare said the details about how privacy will be protected will be announced through regulations. McEvoy calls that “inappropriate.” The privacy commissioner is also concerned with a plan to charge a $25 fee for so-called “freedom of information” requests. McEvoy supports other proposed amendments that include the duty to tell individuals if their privacy has been breached, through ransomware attacks or an accidental leak of information, as well as making it an offence to snoop at records for non-official reasons. Privacy management plans will also have to be created when a new program is introduced by government agencies.

Access delayed, access denied: Here’s why P.E.I’s information system is broken

A year is a long time to wait for information, but some of CBC P.E.I.’s requests have been in the hopper much longer. In some cases, “files have been delayed simply because the government failed to respond with the requested records in the time required.”

Data Privacy and Cybersecurity FTC Priorities Going Forward

The FTC has made it clear that data privacy and cybersecurity are now a priority, and will be for years to come. In particular, the Commission recently designated eight key areas of focus for enforcement and regulatory action, three of which directly implicate privacy, cybersecurity, and consumer protection. 

  • Children Under 18: Harmful conduct directed at children under 18 has been a source of significant public concern; FTC staff will now be able to expeditiously investigate any allegations in this important area.
  • Algorithmic and Biometric Bias: Allows staff to investigate allegations of bias in algorithms and biometrics. Algorithmic bias was the subject of a recent FTC blog.
  • Deceptive and Manipulative Conduct on the Internet: This includes, but is not limited to, the “manipulation of user interfaces,” including dark patterns, also the subject of a recent FTC workshop.

Report: Bipartisan efforts to regulate tech are increasing

Legislative proposals to protect children online and adopt tougher regulations on technology companies are gaining momentum in the U.S. Congress after years of inaction. Special Assistant to the President Tim Wu said, “There’s a different sense of urgency now, coupled with a level of bipartisanship that is truly rare. … This is, as they say, the moment.” Legislation around protections for children, including an update to the Children’s Online Privacy Protection Act, has good prospects to pass.

EDPB launches first coordinated action on cloud-based services

The European Data Protection Board launched its first action under the Coordinated Enforcement Framework on the use of cloud-based services by the public sector. Created in October 2020, the framework aims to coordinate joint actions for supervisory authorities. “The results of these national actions are then bundled and analysed, generating deeper insight into the topic and allowing for targeted follow-up on both the national and the EU level,” the EDPB said.

NASCIO issues report on cloud adoption

A report from the National Association of State Chief Information Officers (NASCIO) examines states’ gradual movement to cloud services. For more than a decade, state CIOs have said cloud services are among their top priorities; however, adoption appears to be slow. Of the 35 state CIOs responding, 89% say they are still using mainframes and 71% say they have not moved any mainframe applications to the cloud.

WhatsApp messages are being deleted by UK officials. Should that be allowed?

Should UK government officials be allowed to send each other “disappearing messages” on WhatsApp? A High Court judge has ruled that two campaign groups can pursue their case to end the practice by UK officials, which they describe as “government by WhatsApp.” Apps such as Signal and WhatsApp, which is owned by Facebook (FB), allow users to send messages that disappear automatically after a set amount of time.

Study predicts privacy laws will regulate 75% of worldwide consumers by 2023

In its newly released predictions on privacy and cybersecurity, Gartner anticipates increased privacy laws worldwide and a shift to physical harm from malware in the coming few years. Gartner said 75% of the world’s population will be under privacy regulations that include subject rights requests in 2023. By 2025, Gartner predicted “60% (of enterprises) will use cybersecurity risk as a primary determinant for business transactions.” Additionally, Gartner expects to see cybercriminals causing human harm using operational technology malware.

Albertans file hundreds of applications for disclosure under Clare’s Law; privacy concerns remain

Between April 1 and Aug. 31, the government has received 226 applications through Clare’s Law, which allows people to ask about an intimate partner’s police record as it pertains to domestic violence. Under Clare’s Law regulations, the person who is the subject of the disclosure isn’t notified when an application for disclosure is submitted. There have been 102 information disclosures on intimate partner violence risks. Although not every application leads to disclosure, 127 applicants have been referred to social service agencies for supports.

OTHER

Privacy and Data Protection Laws Stimulate the Technology Market

Entrepreneurs have started to invest in products/services that increase their data management and processing capacity, generating a demand for new professionals who, in turn, invest in courses and certifications to reach positions such as Data Protection Officer.

Insurance as a cybersecurity and privacy risk management tool

Borden Ladner Gervais: While organizations primarily manage cybersecurity and privacy risks through practices, policies and procedures, organizations often look to manage residual risks through insurance. Two recent Canadian cases illustrate how traditional insurance policies might provide limited or no coverage for losses and liabilities resulting from cybersecurity and privacy incidents.

Microsoft announces privacy management, compliance tools

To help navigate data privacy regulations emerging around the world, Microsoft is introducing Privacy Management for Microsoft 365 and Microsoft Compliance Manager. The tools will help “customers safeguard personal data and build a privacy-resilient workplace” and make it easier to “interpret, assess, and improve” compliance with regulatory requirements.

09-15 July 2021

Online Privacy

Research Shows 25% Opt-In Rates for Apple’s ATT

Studies revealed 25% of iOS users have opted in to Apple’s App Tracking Transparency framework. The lack of opt-ins is concerning for marketers of all sizes, from Facebook down to small- and medium-sized businesses, that rely on user tracking for advertising campaigns.

Data Sciences

DSCI Issues Privacy-By-Design Handbook for AI Development

The Data Security Council of India published a handbook outlining best practices for implementing data protection into artificial intelligence technologies from the design stage. The handbook maps out key privacy-by-design principles for developers to consider, including transparency, accountability, mitigating bias, fairness, security and privacy. Additionally, developers are provided tools such as checklists, a compliance map and examples of data security techniques to aid proper implementation.

Report: A Rise In AI-Based Toys Threatens Children’s Privacy

Efforts to develop artificial intelligence-based toys for kids could risk children’s privacy. Among the notable types of smart toys are smart companions, which learn and interact with children, and programmable toys that employ machine learning to educate kids.

CDEI Issues UK Guide for Privacy-Enhancing Technologies

The U.K. Centre for Data Ethics and Innovation published the beta version of its guidance on the adoption of privacy-enhancing technologies, which aims to support decision-making regarding the various deployments. The guide uses “a question and answer-based decision tree” format that encourages users “to explore which technologies could be beneficial to their use-case.” Also included in the guidance was more general background on privacy-enhancing tech and their benefits.

Biometrics

NIST Studies Facial Recognition’s Flight Boarding Accuracy

The U.S. National Institute of Standards and Technology released results of a study on the accuracy of facial recognition software for boarding airline flights, finding several algorithms confirmed passenger identities with 99.5% accuracy or better.

State Legislatures Pass on Facial Recognition Bans

At least 17 U.S. states rejected bills prohibiting or limiting government use of facial recognition technology during their 2021 legislative sessions. The majority of the bills concerned bans on deployments by state and local government entities, but each law met pushback focused on public safety concerns and benefits outweighing risks to individual privacy. Meanwhile, Privacy International published a guide to protestors’ privacy, noting the risks associated with biometric and artificial intelligence-based technologies. See also: More than 35 civil rights organizations are urging retailers to stop using facial recognition to screen shoppers, citing privacy concerns and disproportionate misidentification of people of color, Bloomberg reports.

Security

Report: Smart Cities Behind on Privacy, Cybersecurity

The World Economic Forum and Deloitte released a report on how smart cities are faring with their digital transformation, highlighting some shortcomings on privacy and cybersecurity. The report, which looked at smart cities in 22 countries, shows less than 25% conduct privacy assessments for new technologies and a majority of cities have not designated a cybersecurity chief.

DPAs Focusing Efforts on Insufficient Data Security

EU data protection authorities are zeroing in on companies with lacking cybersecurity measures. Regulators in Belgium, Croatia, Norway, Spain and the U.K. are among those that have issued fines related to insufficient security safeguards. Eirik Gulbrandsen, a senior engineer at Norway’s data protection authority, Datatilsynet, said most of these security violations “are entirely preventable,” and Steptoe & Johnson Partner Charles-Albert Helleputte, said the fines show regulators want to emphasize how “privacy and security in principle should go hand in hand.”

Interpol Says ‘United Global Action’ Needed Against Ransomware

The International Criminal Police Organization says “united global action” is necessary to avoid a “ransomware pandemic.” There has been “exponential growth” in ransomware incidents, and Interpol Secretary General Jürgen Stock said it has “become too large of a threat for any entity or sector to address alone.”

OCR Urges Private Sector to Beef Up Ransomware Protections

Echoing other agencies in recent weeks, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) issued an alert sharing resources to address and protect institutions against the recent influx of ransomware attacks. Resources included a White House Memo urging companies to strengthen their commitment to cybersecurity. Similar to other recommendations we have recently written about (for example those from NYDFS), OCR recommends that the private sector:

  1. Implement the five best practices from the President’s May 2021 Executive Order on Cybersecurity: (a) multifactor authentication, (b) early detection of cybersecurity vulnerabilities, (c) robust response to cybersecurity incidents, (d) encryption, and (e) dedicated security teams;
  2. Back up all information and data, regularly test backups, and keep the backups offline and not connected to core business systems;
  3. Update and patch operating systems, applications, firmware and other systems promptly;
  4. Test and optimize incident response plans;
  5. Run third-party checks to ensure system security; and,
  6. Segment networks to minimize damage in the event of a system compromise.

02-08 July 2021

COVID-19

Privacy Pros Concerned Over Canada’s Vaccine Passport

Privacy professionals are raising concerns regarding safeguards for Canada’s proposed vaccine passport. The exact passport methodology and protections have yet to be revealed, but professionals are taking issue with potential collection of personal data. Global Privacy and Security by Design Centre Executive Director Ann Cavoukian said the program could “introduce surveillance like we’ve never seen before.”

Manitoba Universities, Colleges Will Not Be Making Vaccinations Mandatory on Campus

As universities across Canada wrestle with mandating COVID-19 vaccinations for a return on campus, seven universities and colleges in Manitoba say they will not make vaccinations compulsory when the fall term starts, citing legal and privacy concerns. A small handful of post-secondary institutions in Ontario, such as University of Toronto, Western University, Fanshawe College and Ontario Tech University, have made vaccinations a requirement for students living in residence. Other places, like McGill University, University of British Columbia, University of Alberta, University of Calgary and University of Regina, are not implementing such a policy.

Google API Update Enables Storage of COVID-19 Status on Android Devices

Google has updated its Passes application programming interface (API) to allow COVID vaccination and test result records to be stored as digital health passes on Android devices. Following the update, healthcare and other authorized organizations, together with government agencies, will be able to use the APIs to develop a fully digital version of COVID vaccination or test information. Once stored on their device, users will be able to access the digital certificate either online or offline, using their devices’ password, PIN, or biometric form of authentication. To protect user privacy, Google clarified users will be able to freely share their COVID Card with others, but the company will not share the information contained in it with its services or third parties, nor will it be used for targeted ads. Google will also reportedly not retain a copy of the user’s COVID vaccination or test information. The COVID Cards feature is currently available on devices running Android 5 or later.

Biometrics / Identity

Facial Recognition Fraud on the Rise

The Wall Street Journal reports on the rising exploitation of vulnerabilities in facial recognition systems by hackers. Parmy Olson outlines the tactics being used to fool systems, including artificial intelligence-based deepfakes and “Frankenstein faces,” while also diving into the motives behind the attempted hacks and possible preventative measures being explored. Potential solutions include algorithm redesigns and training systems on a range of altered faces.

Genetics Firm Collecting Health Data on Millions of Women Globally

Chinese-based genetics company BGI Group is collecting women’s health data from a prenatal test taken by more than 8 million women globally. The test was created in collaboration with the People’s Liberation Army of China and marketed around the world starting in 2013. BGI stores leftover blood samples and genetic data for population research, but the company maintained its collection is in compliance with relevant privacy laws, including explicit consent for collection and destruction of data after five years.

Chinese Gene Company Using Prenatal Tests to Harvest Data from Millions of Women

A Chinese gene company selling prenatal tests around the world developed them in collaboration with the country’s military and is using them to collect genetic data from millions of women for sweeping research on the traits of populations, a review of scientific papers and company statements found. U.S. government advisors warned in March that a vast bank of genomic data that the company, BGI Group, is amassing and analyzing with artificial intelligence could give China a path to economic and military advantage.

Cryptographic Technique Can Preserve Genetic Privacy in Criminal DNA Profiling

Crime scene DNA analysis can help identify perpetrators, but current methods may divulge the genetic information of innocent people. Cryptography can protect genetic privacy without hampering law enforcement, Stanford researchers say.

Latest Apple Patent Extension Filing Suggests Touch ID Biometrics on iPhone Power Button

Future iPhone releases may follow the iPad Air’s lead by integrating Touch ID biometrics in the power button. The 19 new claims relate mostly to the method of implementation and the electronic device, and describe fingerprint authentication as a first step towards unlocking and a last step towards locking the iDevice. The described electronic device could also include Face ID biometrics.

Biometric Payment Technology Changing Restaurant Experience for Guests

Experts and analysts predict self-service growth: constraints brought about by the coronavirus pandemic have led to significant changes in the way restaurant guests get access to menus, make orders and pay, with self-service kiosks and Point of Sale terminals presenting an opportunity to meet changing customer expectations with biometrics.

Google Must Face Voice Assistant Privacy Lawsuit – U.S. Judge

A federal judge said Google must face much of a lawsuit accusing the company of illegally recording and disseminating private conversations of people who accidentally trigger its voice-activated Voice Assistant on their smartphones.

Online Privacy / Surveillance

Concerns Grow Over Kids’ Debit App’s Data Collection

Greenlight is a kids’ financial technology application. According to Greenlight’s privacy notice, the app has the right to share users’ personal data, including names, birth dates, email addresses, location history, purchase history and more, with third-party vendors. The notice also allows Greenlight to serve targeted advertisements based on the data it collects. A spokesperson said the sharing provisions were devised for future “merchant-funded offers to parents,” which would use “aggregated and anonymous information.”

ICO Crafting Draft Guidance for Children’s Code Compliance

The U.K. Information Commissioner’s Office is working on its initial draft for guidance to help organizations adhere to the agency’s Children’s Code. The draft guidance will be tested through virtual events and the ICO will accept feedback on the most effective approaches to embedding transparency practices into design processes.

Apple’s iPhone is So Good at Protecting Privacy, Advertisers are Giving Up and Switching to Android

The release of Apple’s App Tracking Transparency feature is already sending advertisers flocking to Android. Originally released as part of iOS 14.5, Apple’s new iPhone privacy-oriented feature provides users with an unprecedented amount of control over the data apps are allowed to track.

Twitter Shares Ideas Around New Privacy Features, Including A Way to Hide Your Account from Searches

Twitter today has shared a few more ideas it’s thinking about in terms of new features around conversation health and privacy. This includes a one-stop “privacy check-in” feature that would introduce Twitter’s newer conversation controls options to users, and others that would allow people to be more private on the service, or to more easily navigate between public and private tweets or their various accounts.

Atlas VPN’s New Cutting-Edge Privacy Feature Allows Users to Have Rotating IP Addresses

Virtual private network service provider Atlas VPN has introduced a new privacy feature called SafeSwap that further enhances the anonymity of its users. Atlas VPN says it is the first and only VPN provider to allow users to have many rotating IP addresses without having to switch between different VPN servers. This way, it makes it even harder for snoopers, authorities, Internet Service Providers, and advertisers to spy on users’ online activity.

CNPD Plans to Issue Cookie Guidance

Portugal’s data protection authority, the National Data Protection Commission, plans to issue guidelines on the use of cookies by the private and public sectors this year. The CNPD has already started to analyze how public administrations use online resources for data processing.

Law Enforcement

Law Enforcement Using AI Software to Patrol Social Media

U.S. law enforcement’s use of artificial intelligence software to monitor social media is sparking privacy concerns. Israeli data analysis firm Zencity, contracted to 200 agencies in the U.S., uses machine learning to formulate custom reports from scans of public conversations across social media platforms. Zencity redacts personal information from the reports and does not allow its users to see individuals’ profiles. The surveillance tactic remains controversial, with Pittsburgh City Councilor Deb Gross noting, “Surveilling the public isn’t engaging the public. It’s the opposite.”

Data Sciences

CNIL Issues Opinion on EC Proposal for AI Regulation

France’s data protection authority (CNIL) offered its opinion on the European Commission’s proposal for regulating artificial intelligence. The CNIL called for clarification on what is permitted under the framework as it would not only benefit citizens but also those who are unsure whether the products they offer can be authorized. The agency also seeks more clarity on how the regulation interacts with the EU General Data Protection Regulation.

Security / Breaches

Ransomware Attack Hits Hundreds of Businesses Globally

A ransomware attack on technology management software from Florida-based supplier Kaseya has potentially affected up to 1,500 businesses around the world. Hackers entered systems using Kaseya’s software, taking over databases while encrypting the affected companies’ customers’ files. Kaseya acknowledged a potential attack and advised companies to shut down potentially affected systems.

White House Working to Finalize US Ransomware Strategy

U.S. President Joe Biden is working toward finalizing a new strategy for combating and mitigating ransomware threats. Biden and relevant entities are exploring all options for sufficient and quick responses to cyberattacks, including increased cybersecurity measures and prohibiting companies from paying ransoms. Biden said he feels “good” about the current abilities to respond to ransomware despite the most recent attack on 1,500 companies stemming from hacks against Florida-based software provider Kaseya.

LinkedIn Denies Exposure of 700 Million User Records Is a Data Breach

LinkedIn has forcefully denied that the exposure of data relating to 700 million users of its workplace networking platform – over 90% of its total user base – which has been offered for sale on the dark web, is a data breach, insisting that since the data was scraped by malicious actors it is not at fault.

Chronicling Two Years of NHS Data Breaches

According to the U.K. Information Commissioner’s Office, the NHS reported 866 data breaches from April 2019 to March 2021, including personal data mailed to the wrong person and the loss of paperwork and laptops. Of those breaches, 12 cases involved a party altering data without patient consent.

Researcher Finds Certain Network Names Can Disable Wi-Fi on iPhones

It looks like Wi-Fi networks with percent symbols in their names may cause a bug. A security researcher has found that certain Wi-Fi networks with the percent symbol (%) in their names can disable Wi-Fi on iPhones and other iOS devices. Carl Schou tweeted that if an iPhone comes within range of a network named %secretclub%power, the device won’t be able to use Wi-Fi or any related features, and even after resetting network settings, the bug may continue to render Wi-Fi on the device unusable.

UK Government Publishes ‘Plan for Digital Regulation’

The U.K. government published its “Plan for Digital Regulation,” which outlines how the country will govern technology. The strategy highlights how the U.K. will ensure its data protection standards support “a world-leading digital economy and society whilst underpinned by the trustworthy use of data.” The plan also covers the use of artificial intelligence to “automate parts of the financial advice process.”

Privacy Implications of Autonomous Vehicles to Smart Cities: Dentons’ Report

Dentons’ “A Guide to Autonomous Vehicles 2021 – A Canadian Perspective” dissects the front-burner policy issues, legislative and regulatory frameworks and updates, new legal precedents and leading global trends shaping the sector. The report examines five key areas: regulatory landscape; driverless vehicle testing and deployment; liability; data privacy and security; and telecommunications and 5G.

25 June – 02 July 2021

COVID-19

Google is Pushing Out Massachusetts COVID Contact Tracing App

Google appears to be force-installing the Massachusetts MassNotify COVID-19 contact tracing app on residents’ Android devices. Users are reporting that the app has been installed even if they have not activated Android Exposure Notification on their devices. It also appears that the app is not yet active; users have been unable to open it or to uninstall it. Google said “This functionality is built into the device settings and is automatically distributed by the Google Play Store, so users don’t have to download a separate app.”

Proposed Vaccine Passports Raise Privacy Concerns and Data Security Risks

Cox & Palmer Law provides an overview and discussion of the current prospect for vaccine passports in Canada, including privacy implications. They propose that any organization considering the development and implementation of a vaccine passport regime should take the following steps to limit liability and improve privacy protections:

  • Ensure the regime falls within an already existing privacy program.
  • Complete a privacy impact assessment.
  • Follow guidance from federal and provincial privacy commissioners.
  • Develop and implement a data retention (and destruction) plan.
  • Engage external legal counsel.

Biometrics / identity

Liberal Party Scrutinized for Facial Recognition Use

The Liberal Party of Canada is under fire for its use of facial recognition technology to verify voter identities in candidate nomination elections. BC Information and Privacy Commissioner Michael McEvoy said the questions at hand are whether the collection and use of biometric data were done appropriately according to provincial privacy law. In addition to a provincial investigation, Canada’s New Democratic Party asked Privacy Commissioner of Canada Daniel Therrien to open an investigation. See also: Civil Liberties Group Urges Liberal Party to Stop Using Facial Recognition Technology

GAO Surveys Federal Agencies’ Use of Facial Recognition Tech

A report from the U.S. Government Accountability Office surveyed federal agencies’ use of facial recognition technology. Of the 42 agencies examined, the GAO found 20 owned systems equipped with facial recognition technology and six of those used the tech to identify individuals following last year’s protests of the murder of George Floyd. The GAO offered recommendations for 13 agencies to assess the risks of these systems.

Online Privacy / Surveillance

Microsoft Exec Details Number of Data Requests from Law Enforcement Agencies

During a U.S. House Judiciary Committee hearing, Microsoft VP Tom Burt detailed the number of orders for information the technology company has received from federal agencies. Burt said federal law enforcement agencies send Microsoft between 2,400 and 3,500 secrecy orders a year. “Most shocking is just how routine secrecy orders have become when law enforcement targets an American’s email, text messages or other sensitive data stored in the cloud,” said Burt.

Appeals Court Rules Aerial Police Tracking of Citizens Violates Fourth Amendment

The U.S. Court of Appeals for the Fourth Circuit ruled that Baltimore’s practice of tracking citizens’ movements across 90% of the city for long periods, without a warrant, by way of surveillance planes is a violation of the Fourth Amendment. The majority opinion determined that “because the AIR program enables police to deduce from the whole of individuals’ movements, we hold that accessing its data is a search, and its warrantless operation violates the Fourth Amendment.”

Digital Identity Verification Market Forecast to Reach $16.7B by 2026

Remote onboarding adoption will drive global spending on digital identity verification to $16.7 billion in 2026, as the total number of identity verification checks more than doubles from 45 billion in 2021 to 92 billion. The Juniper Research whitepaper ‘Maximising (sic) security with digital identity verification’ reviews the various methods of identity verification, including biometrics and liveness detection, and breaks down the market by industry and geography.

Digital Government

German DPA Tells Government Organizations to Shut Down Facebook Pages

Germany’s Federal Data Protection Commissioner Ulrich Kelber asked government organizations to close their Facebook pages by the end of the year. Kelber said the pages are not able to operate in a way that does not transmit followers’ data to the U.S., in violation of privacy laws. He also recommended organizations discontinue using Clubhouse, TikTok and Instagram due to similar concerns. “Given the continuing violation of personal data protection, there is no time to waste,” Kelber said.

Mobile / Location Privacy

Australian Research Finds ‘Pervasive’ Privacy Breaches on Health Apps

An analysis of more than 20,000 health-related applications by researchers at Sydney-based Macquarie University found thousands have “serious problems with privacy” and “collection of personal user information” is “pervasive.” The researchers said “inadequate privacy disclosures” prevent users from “making informed choices.” A quarter of the apps violated their own privacy policies, and 90% of data transmissions were on “behalf of third party services, such as external advertisers, analytics, and tracking providers.”

Improving Mobile Phone Data Extraction Practices Across the UK Criminal Justice System

In a blog post, U.K. Information Commissioner Elizabeth Denham discussed efforts to improve mobile phone data extraction practices, saying a “strategic, coordinated approach is needed.” While the ICO called for a code of practice to “introduce clarity, consistency and adequate safeguards,” Denham said that has yet to be introduced.

Supreme Court Declines to Hear Digital Device Border Search Cases

The U.S. Supreme Court declined to hear three cases on searches of electronic devices at the U.S. border. One of the cases, filed by the ACLU and EFF, argued search warrants should be required for border agents to search smartphones and laptops at ports of entry. EFF said in a tweet it filed the case “to put a stop to this egregious privacy violation” and “the fight continues to defend digital privacy at the U.S. border.”

App Pays Contractors to Collect Open-Source Intelligence

Premise is an application that pays gig workers to collect open-source intelligence for a range of private and public clients, including U.S. government agencies. The app indicated it has made $5 million off of government contract work since 2017. Data sources include Wi-Fi networks, cell towers and mobile devices, with various types of data picked off from each. Premise CEO Maury Blackman said the data collection is not intelligence work because it is “available to anyone who has a cellphone.”

Youth Privacy

Researchers: 1 In 5 Children’s Google Play Apps Violate COPPA, And Other Updates

Comparitech’s research team surveyed the 500 most popular children’s applications in the Google Play Store. Key findings:

  • 1 in 5 apps have privacy policies that suggest COPPA violations
  • These have been downloaded by almost 492 million users
  • 50% of all the apps that violate COPPA have received a “teacher-approved” badge
  • 5% of all the company privacy policies reviewed contained claims that the respective apps were not intended for children, despite being within the “Everyone” age category on Google Play
  • 18% of “teacher-approved” apps violate COPPA
  • 21% of free apps and 20% of paid apps violate COPPA
  • 38% of all the apps that violate COPPA are classed as “educational”

Lawmakers Ask Facebook and Google to Extend Online Privacy Protections to Youth

U.S. Sen. Ed Markey, D-Mass., and U.S. Reps. Kathy Castor, D-Fla. and Lori Trahan, D-Mass., sent letters to Amazon, Facebook, Google, Snapchat, TikTok and Twitter asking the companies to give teenagers and young children in the U.S. the same privacy protections as provided under the U.K.’s Age Appropriate Design Code. Meanwhile, the U.K.’s Department for Digital, Culture, Media & Sport released a “one-stop shop” guide to child online safety, outlining key measures businesses should take to protect children, and TikTok removed over 7 million accounts in the first quarter of 2021 for potentially belonging to children under 13.

Security / Breaches

Ransomware Attacks Have Seen Dramatic Increase

The speed at which ransomware attacks have continued to grow is surprising, says Blake, Cassels & Graydon LLP’s Cybersecurity group in the firm’s recently released Canadian Cybersecurity Trends Study 2021, as are the increasingly large ransoms demanded for stolen data over the past two to four years. See also: Data Breach: Notification Obligations and Best Practices

Cyber Insurance Does Not Appear to be Improving Cybersecurity

A paper from Britain’s Royal United Services Institute (RUSI) “explores whether cyber insurance can incentivise better cyber security practices among policyholders, … [and] finds that the shortcomings of cyber insurance mean that its contribution to improving cyber security practices is more limited than policymakers and businesses might hope.”

Vulnerabilities Found in Dell SupportAssist

Researchers from Eclypsium have discovered four vulnerabilities in the BIOSConnect feature of Dell SupportAssist. When chained together, the flaws “allow a privileged network adversary to impersonate Dell.com and gain arbitrary code execution at the BIOS/UEFI level of the affected device.” The flaws affect 128 models of Dell PCs and tablets. Server-side updates released in late May address two of the flaws; Dell has released client-side firmware updates to address the other two flaws.

OIG Report: Medicare Needs to Improve Hospital Medical Device Security Assessments

A report from the Office of Inspector General for Health and Human Services (OIG HHS) says that the Centers for Medicare & Medicaid Services (CMS) does not have adequate protocols in place to assess the cybersecurity of networked medical devices in hospitals. In the report OIG HHS writes that they “recommend that CMS identify and implement an appropriate way to address cybersecurity of networked medical devices in its quality oversight of hospitals, in consultation with Department of Health and Human Services (HHS) partners and others.”

Small Devices Can Cause Big Problems: Improving Enterprise Mobile Device Security

NIST has published guidance on mobile device management best practices in the workplace. Threat identification tools, such as NIST’s Mobile Threat Catalogue, used in conjunction with a risk management process, such as the NIST Risk Management Framework, can help organizations identify security and privacy requirements and design mobile device solutions to meet those requirements. Guidance:

NIST SP 1800-21, Mobile Device Security: Corporate-Owned Personally-Enabled.

NIST SP 1800-22, Mobile Device Security: Bring Your Own Device.

NIST SP 800-124, Guidelines for Managing the Security of Mobile Devices in the Enterprise

Data Sciences

Standards Council Publishes Data Governance Roadmap

The Standards Council of Canada released a roadmap for data governance in parallel with Canada’s Digital Charter. The plan outlines a view on the current and desired Canadian standardization landscape while providing 35 recommendations the SCC says will “address gaps and explore new areas where standards and conformity assessment are needed.” The recommendations include accountability frameworks for privacy and security of personal information as well as a call to harmonize federal and provincial privacy laws.

MEPs Urge Safeguards With Law Enforcement’s AI Use

The European Parliament Committee on Civil Liberties, Justice and Home Affairs adopted a draft report on the use of artificial intelligence-based surveillance, highlighting the need for human oversight and sufficient safeguards. MEPs demanded a ban on the use of biometric data in public places and law enforcement’s use of private facial recognition databases. The urging is based on claims that AI-powered technologies bring potential bias and discrimination.

Survey: AI Is Stressing Data Infrastructures

A Redis Labs survey of IT professionals responsible for machine learning and AI operations found AI applications are stressing data infrastructures. 40% of respondents said their current data structures do not meet requirements for training AI models and infrastructures that consume real-time data.

NSA Issues Guidance on Securing Video and VoIP Communications

The US National Security Agency has issued guidance on securing Unified Communications/Voice and Video over IP (UC/VVoIP) systems. The technical report “outlines best practices for the secure deployment of UC/VVoIP systems and presents mitigations for vulnerabilities due to inadequate network design, configurations, and connectivity.”

NIST Proposes Approach for Reducing Risk of Bias in Artificial Intelligence

In an effort to counter the often pernicious effect of biases in artificial intelligence (AI) that can damage people’s lives and public trust in AI, the National Institute of Standards and Technology (NIST) is advancing an approach for identifying and managing these biases — and is requesting the public’s help in improving it. NIST outlines the approach in A Proposal for Identifying and Managing Bias in Artificial Intelligence (NIST Special Publication 1270), a new publication that forms part of the agency’s broader effort to support the development of trustworthy and responsible AI. NIST is accepting comments on the document until Sept. 10, 2021 (extended from the original deadline of Aug. 5, 2021).

CNIL Releases New Version of PIA Software

France’s data protection authority, the Commission nationale de l’informatique et des libertés, released a new version of its privacy impact assessment software. The tool “has been enhanced with a major new feature to customise the information in the knowledge base that is continuously present and guides the completion of an analysis,” the CNIL said. It is available in 20 languages.

AEPD Releases Data Processing Risk Management Guide

Spain’s data protection authority, the Agencia Española de Protección de Datos, released the “Risk management and impact assessment in personal data processing” guide. The guide includes guidance and criteria from the AEPD, the European Data Protection Committee and the European Data Protection Supervisor.

GEA-1 Encryption Algorithm Weakness Was Intentional

A paper from researchers at several European universities and research institutions suggests that the GEA-1 encryption algorithm had a deliberately baked-in weakness. The algorithm was used in cellphones in the 1990s and 2000s. Following the paper’s publication, the European Telecommunications Standards Institute (ETSI), which developed the algorithm, confirmed that the weakness was deliberate, noting that it was introduced to meet encryption export regulations.

Baltimore County Public Schools Ransomware Recovery is Expensive

According to information obtained by a local television news station, Baltimore County (Maryland) Public Schools has already spent more than $8 million recovering from a November 2020 ransomware attack. The incident prevented 115,000 students from accessing remote instruction for a week. The school system’s insurance covered $2 million of the incurred costs.

18-24 June 2021

COVID-19

Ottawa In Talks With Provinces, Territories Over ‘Proof Of Vaccination’ Passport for International Travel

Intergovernmental Affairs Minister Dominic LeBlanc says Ottawa is in talks with the provinces and territories about creating some type of “passport” containing proof of vaccination against COVID-19. LeBlanc says while health information falls under provincial jurisdiction, Ottawa’s goal is to provide Canadians with a document to verify vaccinations against the coronavirus if they want to travel outside Canada. LeBlanc says the government may provide Canadians who want to travel soon an interim document to verify vaccinations. See also: Canada Is Launching a “Vaccine Passport” Next Month

OPC Therrien Urges Proper Safeguards for Vaccine Passports

Privacy Commissioner of Canada Daniel Therrien told the House of Commons Standing Committee on Access to Information, Privacy and Ethics that Canada’s COVID-19 vaccine passport application needs sufficient purpose limitations and user safeguards. Therrien said there are “issues about protection of that information” that require a detailed review process “that we have not yet done.” Therrien spoke confidently about arriving at a “privacy-sensitive and protected” solution.

Access, Privacy, Enforcement: Lawyers Say Canada’s Plan for Digital Vaccine Passports Raises Thorny Issues

The prospect of digital vaccine passports being required for Canadians embarking on post-pandemic travel has some raising concerns over privacy, accessibility, and enforcement. Immigration lawyer Alex Stojicevic says the most obvious concern is that those who don’t have access to the proper tech will face barriers to travel. He also has concerns around who will be reviewing people’s proof of vaccine. He says people should not be required to hand their phones over to the Canada Border Services Agency. Stojicevic says there are a number of other thorny logistical issues — including the fact that each province within Canada is approaching immunization in a different way, and sharing different data. Privacy concerns are also being raised by the Canadian Civil Liberties Association. According to Executive Director Michael Bryant: “We need to make sure that that data, held internationally, is kept secure and private and isn’t used for other purposes and other agencies, other than its intended purpose of international travel. It’s one thing to require people to waive their privacy rights at the border. It’s quite another thing to ask people or require people to waive their privacy rights once they are in Canada, travelling between provinces or entering public facilities or using public services.”

Nova Scotia Privacy Commissioner Calls for Strong Vaccine Passport Privacy Protections

Nova Scotia Information and Privacy Commissioner Tricia Ralph called for future vaccine passports to have proper privacy protections in place. Ralph called for a privacy impact assessment to take place in a letter to the provincial government.

Biometrics / Identity

EU Privacy Watchdogs Call for Ban on Facial Recognition in Public Spaces

The European Data Protection Board and European Data Protection Supervisor teamed up to call for a ban on the use of facial recognition in public spaces, going against draft European Union rules which would allow the technology to be used for public security reasons. “A general ban on the use of facial recognition in publicly accessible areas is the necessary starting point if we want to preserve our freedoms and create a human-centric legal framework for AI,” EDPB Chair Andrea Jelinek and EDPS head Wojciech Wiewiorowski said.

Denham Issues Opinion on UK’s Public Facial Recognition Deployments

U.K. Information Commissioner Elizabeth Denham offered a Commissioner’s Opinion regarding the use of facial recognition by private and public entities in public spaces. Denham explained “data protection and people’s privacy must be at the heart of any decisions to deploy (live facial recognition)” and the opinion aims to set “a high bar to justify the use of LFR and its algorithms.” The opinion, according to Denham, is based on law and “six ICO investigations into the use, testing or planned deployment of LFR systems.”

Civil Liberties Group Urges Liberal Party to Stop Using Facial Recognition Technology

The CCLA is calling on the governing Liberals to “cease and desist” using facial recognition technology to verify the identity of people voting in candidate nominations, saying it “takes unfair advantage of its exemption from Canadian privacy laws.” Further, it “sends the wrong message to municipal, provincial and federal election officials that this technology is ready for prime time,” reads the letter signed by executive director Michael Bryant and privacy, technology and surveillance program director Brenda McPhail.

Unemployment Applicants Say Facial Recognition Service Caused Benefit Denials

Some U.S. unemployment recipients say incorrect identity verification by ID.me’s facial recognition technology led to denial of unemployment benefits. The service uses applicants’ biometric information with official documents to confirm identity, but some said the technology failed to correctly identify them, putting applications on hold.

Regulators Launch Campaign Against Spy Cameras, Hidden-Camera Videos

The Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Public Security Bureau and the State Administration for Market Regulation announced a three-month campaign against spy cameras and hidden-camera videos. The regulators say online platforms and camera developers that do not address privacy violations will be “severely punished” in accordance with laws and regulations. The campaign follows passage of China’s Data Security Law, slated to take effect 1 Sept.

Health Privacy

Niagara Health Patients First in Ontario to Access Diagnostic Scans Under One Digital ID

Patients at Niagara Health are among the first in the province who can access their diagnostic records such as an x-ray, CT scan, MRI, or ultrasound through Ontario trusted account, a unique patient digital identity service on the Niagara Health Navigator mobile app. Similar to the ease of online banking, patients can view and manage their diagnostic records from the convenience of their mobile device and can choose to securely share access with family members, family doctors, specialists and other care providers. This is powered by PocketHealth, a service that receives digital diagnostic records from the hospital, organizes them in a secure account and stores them for patients to access at a small fee. For more information on the Ontario trusted account, visit https://mytrustedaccount.ca

UK Health Department, NHS Publish Draft Health Data Strategy

The U.K. Department of Health and Social Care and the National Health Service released a draft data strategy that will provide patients more control of their health and records. The strategy proposes ease of access to data for patients and medical professionals while also simplifying data sharing practices. The NHS noted its plan comes with a commitment “to using data lawfully, with respect, and holding it securely with the right safeguards in place.” Additionally, the NHS committed to publishing a transparency report on data use by 2022.

Mobile / Location

CNIL Releases Draft Recommendation on Retention of Traceability Data

France’s data protection authority (CNIL) launched a public debate over its draft recommendation relating to terms of retention and use of data logs. One of the purposes of data logs, particularly in multi-user systems, is to ensure traceability of access and actions on the information systems within an organization, facilitating security policy compliance. When it comes to retention periods for data logs, the CNIL recommends that a period not exceeding six months to one year is sufficient, except in cases where a legal obligation or a particularly significant risk would require another retention period.

Commission d’accès à l’information du Québec Issues Guidance on Employee Geolocation Tracking

Commission d’accès à l’information du Québec has issued guidance on employee geolocation tracking [see here in French and English translation here].

Online privacy / Surveillance

Study Reviews Pandemic-Era Employee Monitoring Trends

Software designer Surfshark released its Employee Surveillance Report highlighting trends in employee surveillance from March 2020 to March 2021. Surfshark scraped searches for “bossware” surveillance tools across the world and found the use of and interest in employee monitoring was most prevalent in Sweden, the U.S. and Norway. The study also found one in five businesses are deploying surveillance technology while 62% of companies do so to collect productivity data. The report goes on to compare various monitoring tools and discuss potential employee privacy tactics.

Dutch Organizations File Claim Against Tiktok Over Children’s Privacy

In a claim against TikTok, Dutch consumer protection organization Consumentenbond and the Take Back Your Privacy Foundation say the company should pay 1.5 billion euros for illegally collecting and selling children’s data for targeted advertising. The organizations also said TikTok should delete children’s data it has maintained. “TikTok’s way of working is pure exploitation and the company is earning hundreds of millions a year from children,” Consumentenbond Director Sandra Molenaar said.

Law Enforcement

RCMP Body Camera Pilot Project Wraps Up in Iqaluit

A pilot project in which Iqaluit RCMP officers wore body cameras while working has wrapped up but concerns about accountability and trust remain. Last fall, the Iqaluit RCMP launched a trial run increasing the number of Iqaluit officers wearing cameras, until all 53 were equipped in February. According to Legal Aid, officers wore the cameras at work, but they would be turned on only after the initial interaction, or in some cases, the arrest. Also, the camera only points in one direction, so it doesn’t capture everything. “There’s no guarantee that even if there is an image that is damning of police that police will release it,” said a professor.

LAPD Provided with Free Surveillance Cameras for Promotion

Ring gave Los Angeles Police Department officers free devices or discount codes to market its surveillance cameras. According to emails obtained by the Los Angeles Times, the company encouraged officers to “spread the word” about its doorbell’s ability to “reduce crime in neighborhoods.” ACLU of Southern California Senior Staff Attorney Mohammad Tajsar said the relationship highlights “a lack of clarity as to where the public sector ends and private surveillance capitalism begins.” A Ring spokesperson said the marketing campaign ended “years ago.”

Data Sciences

EDPB, EDPS Issue Opinion on Proposed AI Rules

The European Data Protection Board and European Data Protection Supervisor released a joint opinion on the European Commission’s proposed artificial intelligence regulation. Notably, the opinion proposed a ban on AI-powered biometric recognition technologies and potentially discriminatory AI systems in public spaces. In a joint statement, EDPB Chair Andrea Jelinek and EDPS Wojciech Wiewiórowski said the ban is a “necessary starting point” for a “human-centric legal framework for AI,” also noting the biometric deployments in combination with AI “means the end of anonymity in those places.”

Study Looks at Advances, Long-Term Impact of AI

A new report from Pew Research Center and Elon University’s Imagining the Internet Center found 68% of responding developers, business and policy leaders, researchers and activists do not believe ethical principles focused on public good will be employed in most AI designs by 2030. The report includes written explanations from professionals, including Google’s Chief Internet Evangelist Vint Cerf, who said, “There will be a good-faith effort, but I am skeptical that the good intentions will necessarily result in the desired outcomes.”

NIST Seeks to Quantify User Trust In AI

The National Institute of Standards and Technology is looking to quantify user trust in artificial intelligence. The NIST is accepting public comments until July 30, saying it wants to identify areas of mistrust in AI and promote informed decisions in its use. A user trust score will be used to measure items such as the age, gender, cultural beliefs and AI experience of an individual using an AI system, while a trustworthiness score will explore technical concepts.

Security / Breaches

Humber River Restores Computers After Malware Attack

Humber River Hospital is continuing to work through the shutdown of its computer systems in response to an extensive malware attack last week. The hospital had deactivated all of its computers as a safety precaution against the attack, which was a form of ransomware. Because the organization caught the malware early, it believes that it avoided the loss of data and has not received demands for a ransom.

Kroll Releases ‘2021 Data Breach Outlook’

Digital service provider Kroll published its “2021 Data Breach Outlook,” which reviewed the effects of data breaches on its clients in 2020. The report shows a 140% increase in data breach notifications compared to 2019, with the most affected industries being health care, education and financial services. Kroll said the rise in incidents is linked to a combination of remote work, the evolution of ransomware, the impact of supply chain attacks, and heightened awareness of privacy rights and regulations. SEE ALSO: Cybersecurity Firm Reports 116% Increase in Ransomware Attacks | A survey released by Cybereason found 80% of organizations that paid demands in ransomware attacks experienced a second breach, with 46% believing it to be caused by the same threat actors.

CISA Highlights How Solarwinds Attack Could’ve Been Prevented

The U.S. Cybersecurity and Infrastructure Security Agency highlighted how established security recommendations could have stopped last year’s SolarWinds cyberattack, Reuters reports. In a letter to U.S. Sen. Ron Wyden, D-Ore., the CISA said had victims configured their firewalls to block outbound connections from the servers running SolarWinds, it “would have neutralized the malware,” adding those who did so avoided the attack.

Danish DPA Offers Ransomware Guidance

Denmark’s data protection authority, Datatilsynet, posted guidance on best practices to combat ransomware attacks. In a video, Datatilsynet IT Security Specialist Allan Frank offered advice on mitigation tactics as well as proper system backups. Additionally, the DPA issued a checklist of actions organizations can take to reduce the threat of ransomware, including employee awareness, system patching, filtered emails and more.

17 June 2021

COVID-19

UN Agency Details New ‘Digital Seal’ As Countries Mull COVID-19 Vaccine Passports

The International Civil Aviation Organization (ICAO) is paving the way for the creation of COVID-19 vaccine passports. In a press release, the ICAO says it has made new “technical specifications for a visible digital seal.” The ICAO said the seal stores datasets for “test and vaccination certificates” in a two-dimensional barcode which can be made of paper or “screen-based.” “Border control and other receiving parties can verify the data against established requirements efficiently and seamlessly, including through the use of traveller self-service kiosks and processes.”

Nova Scotia Privacy Commissioner Calls for Strong Vaccine Passport Privacy Protections

Nova Scotia Information and Privacy Commissioner Tricia Ralph called for future vaccine passports to have proper privacy protections in place. Ralph called for a privacy impact assessment to take place in a letter to the provincial government. “They can be a valuable tool for Canadians, but my concern is they be done the right way,” said Ralph. “My concern is they be developed in a way that would not collect too much information or disclose too much information than is really necessary.”

Human Rights Commission Wants Cautious Approach to COVID-19 Vaccine Cards

The Manitoba Human Rights Commission urges caution in the wake of the province’s plan to issue COVID-19 immunization cards to people two weeks after they get their second vaccine dose. The MHRC said requirements for people to provide proof of vaccination for work, access to public services or housing could potentially discriminate on the basis of disability, religious belief, political belief, social disadvantage and age. SEE ALSO: Manitoba Human Rights Commission ‘monitoring’ province’s COVID-19 vaccination card, incentives | Mayor questions vaccine card privacy | COVID-19 ‘vaccine passports’ could be abused in Manitoba, legal experts warn

Survey: 56% of Americans Don’t Trust Vaccine Passports to Protect Data

A survey conducted by Help Net Security gauged Americans’ attitude toward the security measures implemented by vaccine passports. Of the 3,000 Americans polled, 56% said they do not trust vaccine passports to keep their data secure. The study also found 58.5% of respondents said vaccine passports should not be required to attend sporting events, schools or other areas and events.

Biometrics / Identity

Privacy Commissioners Issue Draft Guidance on Police Use of Facial Recognition Technology

The OPC and the provincial / territorial privacy regulators have jointly released draft guidance on the use of facial recognition technology by police agencies for public comment. The draft guidance covers federal, provincial, regional and municipal police agencies; other public organizations such as border control, and private-sector organizations such as private security companies, fall outside its scope. But parts of the guidance may provide insight to organizations seeking to ensure compliance with privacy and human rights legislation, said the regulators. See also: Mugshots to megabytes: facial recognition has made privacy protection more urgent than ever

Congress Weighs Moratorium on Facial Recognition and Biometric Surveillance Technologies

A group of congressional Democrats re-introduced the Facial Recognition and Biometric Technology Moratorium Act of 2021 [Senator Markey’s press notice].

Canadian Government Launches Plans for Digital Identity

The Government of Canada has launched the latest iteration of its digital strategy, which includes a continued effort to introduce secure digital identities for citizens. In the Digital Operations Strategic Plan (DOSP) 2021–2024, CIO Marc Brouillard said that the COVID-19 pandemic has “significantly accelerated the global shift to online services” and praised civil servants’ efforts. However, Brouillard said, the government needs to go even further to make digital services as seamless as possible. Alongside creating a single digital identity for citizens, other plans include Shared Services Canada (SSC) working to consolidate departments’ networks with a wholesale shift to “cloud-first networks”.

Maryland City Bans Facial Recognition and Other Biometric Updates

The Baltimore, Maryland, City Council approved a moratorium on use of facial recognition technology by residents, businesses and most of city government. The city’s police department is exempt from the moratorium.

DHS Planning Biometric System Update

The U.S. Department of Homeland Security is preparing to transition its 27-year-old biometric systems to its new Homeland Advanced Recognition Technology in December. The rollout is not expected to be fully operational until DHS addresses three outstanding risk management best practices cited by the Government Accountability Office. In the meantime, DHS and fellow national security entities will continue using the Automated Biometric Identification System, which stores biometric data on foreign nationals for travel, trade and immigration.

TikTok Has Started Collecting ‘Faceprints’ and ‘Voiceprints’

Recently, TikTok made a change to its U.S. privacy policy, allowing the company to “automatically” collect new types of biometric data, including what it describes as “faceprints” and “voiceprints.” TikTok’s unclear intent, the permanence of the biometric data and potential future uses for it have caused concern among experts who say users’ security and privacy could be at risk.

Europe Needs to Back Browser-Level Controls to Fix Cookie Consent Nightmares: NOYB

European privacy group noyb, which recently kicked off a major campaign targeting rampant abuse of the region’s cookie consent rules, has followed up by publishing a technical proposal for an automated browser-level signal it believes could go even further to tackle the friction generated by endless “your data choices” pop-ups. Its proposal is for an automated signal layer that would enable users to configure advanced consent choices — such as only being asked to allow cookies if they frequently visit a website; or being able to whitelist lists of sites for consent (if, for example, they want to support quality journalism by allowing their data to be used for ads in those specific cases).

Youth and Children

Report Surveys EU Children’s Privacy Standards

The U.S. Law Library of Congress published a report exploring children’s data protection standards in 10 EU jurisdictions, including the EU’s own overarching regulations and policies. The other nine countries analyzed were France, Denmark, Germany, Greece, Portugal, Romania, Spain, Sweden and the non-EU member U.K. The report reviews the current landscape for children’s data protection in each case study before analyzing the protection of children with regard to targeted advertising.

Online Privacy / Surveillance

Google Agrees to UK CMA Commitments on Phasing Out Cookies

Google agreed to a series of commitments with the U.K. Competition and Markets Authority over its plan to phase out cookies via its Privacy Sandbox proposal. The commitments include limits on how Google can use user data for digital advertising after third-party cookies are removed and informing the CMA 60 days before it starts to remove cookies to give the agency an opportunity to reopen its investigation.

Google Announces Privacy, Data Security Measures for Workspace

Google announced new privacy and data security measures within its Google Workspace. Client-side encryption will give customers control of encryption keys and make customer data indecipherable, the company said. Google also announced new phishing and malware content protection for Google Drive and launched Drive labels, which enables users to classify files to ensure proper handling. The feature also works with Google Workspace’s data loss prevention and Google Vault capabilities to enhance data loss prevention.

New Privacy and Security Features Coming to iOS and macOS

Apple has unveiled improvements to iOS designed to keep your email private, crack down on data stealing apps, and help you find lost devices.

Location Privacy

Vehicle Location Data Appears to Identify People, Addresses

While Otonomo’s vehicle location data is supposed to be pseudonymous, a Motherboard investigation linked the data to vehicle owners and movements. Data from Otonomo was used to track drivers’ locations and identify their likely home addresses and identities. Electronic Frontier Foundation Staff Attorney Adam Schwartz called the data a “privacy nightmare.”

Law Enforcement

Bitcoin is Traceable, Colonial Pipeline Investigation Shows

Federal investigators’ recovery of $2.3 million of the $4.3 million in Bitcoin that Colonial Pipeline paid to hackers in a ransomware attack shows cryptocurrencies may not be hard to track. While cryptocurrency can be transferred without a bank’s permission, it can also be tracked and seized by law enforcement, and each payment is recorded in a permanent ledger. “It is digital bread crumbs,” said former federal prosecutor Kathryn Haun. “There’s a trail law enforcement can follow rather nicely.” SEE ALSO: The Fed’s Digital Dollar Would Be ‘Nightmareville’ for Privacy | Bitcoin network approves privacy update as scrutiny increases

ICCL To Sue IAB Tech Lab Over Real-Time Bidding Allegations

The Irish Council for Civil Liberties is filing a lawsuit against the Interactive Advertising Bureau Tech Lab for alleged EU General Data Protection Regulation violations. The ICCL will file the suit in Hamburg, Germany, arguing real-time bidding systems, used by IAB member companies, harvest users’ personal data. “A retailer might use the data to single you out for a higher price online. A political group might micro-target you with personalised disinformation,” said ICCL Senior Fellow Johnny Ryan.

Mobile / Location

Apple CEO Says EU’s Proposed DMA Threatens iPhone Security, Privacy

Apple CEO Tim Cook said the European Union’s proposed Digital Markets Act will threaten the security and privacy of iPhones. While Cook said parts of the proposal are good, he criticized others, like language that would lead to installation of applications outside of Apple’s App Store. “It would destroy the security of the iPhone, and a lot of the privacy initiatives that we’ve built into the AppStore or the privacy intrusion labels and app-tracking transparency,” he said.

Data Sciences

Experts Doubt Ethical AI Design Will Be Broadly Adopted as the Norm Within the Next Decade

According to Pew Research Center, a majority of developers, business and policy leaders, researchers and activists worry that the evolution of artificial intelligence by 2030 will continue to be primarily focused on optimizing profits and social control. They also cite the difficulty of achieving consensus about ethics. Many who expect progress say it is not likely within the next decade. Still, a portion celebrate coming AI breakthroughs that will improve life.

ICO Calls for Views on Anonymisation Guidance

The UK ICO has published a call for views on the first draft chapter of its anonymisation, pseudonymisation and privacy enhancing technologies draft guidance. This first chapter is part of a series of chapters of guidance that the ICO will be publishing on anonymisation and pseudonymisation and their role in enabling safe and lawful data sharing. The guidance supplements the ICO’s Data Sharing Code of Practice.

Accounting Firm to Invest $12B in AI, Cybersecurity Hires

Accounting firm PricewaterhouseCoopers is planning to invest $12 billion over the next five years in hiring 100,000 new employees in artificial intelligence and cybersecurity. As companies face increasing scrutiny on issues including data privacy, PwC U.S. Chairman and Senior Partner Tim Ryan said, “It’s critical that our people have those skills.” The firm also plans to offer new products featuring artificial intelligence and machine learning, Ryan said, and is considering acquiring other companies to grow offerings.

Security / Breaches

G7 Commits to Action on Ransomware, Digital Privacy

The G7 group has urged Russia and other countries that may harbour criminal ransomware groups within their borders to take accountability for tracking them down and disrupting their operations. Meanwhile, the G7 also committed to ongoing collaboration towards a “trusted, values-driven digital ecosystem” and an “open, interoperable, reliable and secure internet” that is unfragmented, and supports freedom, innovation and trust to empower users. “We support the development of harmonised principles of data collection which encourage public and private organisations to act to address bias in their own systems, noting new forms of decision-making have surfaced examples where algorithms have entrenched or amplified historic biases, or even created new forms of bias or unfairness.” The summit further addressed issues around internet safety and countering far-right hate speech, whilst protecting fundamental human rights and freedoms such as freedom of speech and expression.

03-10 June 2021

COVID-19

European Parliament Finalizes COVID-19 Certificate Program

The European Parliament announced final approval of the EU’s COVID-19 certificates. Citizens will be issued a quick response code carrying information proving vaccination, a negative test result or recovery from a COVID-19 infection, and all EU member states will accept the certificates. The certificate should facilitate free movement and contribute to restrictions being lifted gradually in a coordinated manner. It should apply from 1 July 2021 and be in place for 12 months.

Canadian Commissioners Adopt Resolution on Pandemic Privacy and Vaccine Passports

Canada’s federal, provincial and territorial information and privacy commissioners issued a joint resolution calling on governments around the country to respect citizens’ privacy rights during and after a pandemic. The resolution includes 11 principles Canadian governments can implement to modernize “legislative and governance regimes around freedom of information” and make privacy a priority.

Manitoba Launches New, Secure Immunization Cards for Fully Vaccinated People

Fully immunized Manitobans will now be able to travel without having to self-isolate for two weeks upon return with a new, secure immunization card that will be available to people two weeks after they have received both doses of a COVID-19 vaccine, Premier Brian Pallister announced today.

Vaccination Records Raising Privacy Concerns in California

The California Department of Public Health’s digital Immunization Information System holds information on California residents who received a COVID-19 vaccination, raising concerns over health data. Privacy advocates say current regulations do not prevent vaccine data from being leaked or sold into data markets, and raised concerns over weakened confidentiality laws and vaccine verification systems.

Hong Kong Residents Can Store Vaccine Records in LeaveHomeSafe App

Hong Kong residents can now store vaccination records or test records in the LeaveHomeSafe COVID-19 contact tracing application. Biometric or password authentication is used to unlock phones when attempting to access records. Data is saved locally on devices and users can remove the records at any time. The Privacy Commissioner for Personal Data was consulted to ensure the app’s compliance with the Personal Data (Privacy) Ordinance. SEE ALSO: A study from the Surveillance Technology Oversight Project found that vaccine tracking applications are ineffective and raise privacy concerns.

Biometrics / Identity

European Commission Proposes a Digital Identity for All EU Citizens

The European Commission has proposed a framework for a trusted and secure European Digital Identity (interchangeably referred to as ‘European e-ID’). In essence, the European Digital Identity will be available to all citizens, residents, and businesses in the EU, enabling them to prove their identity, access various services and share documents from their European Digital Identity wallets. The EC states that the European Digital Identity framework will be based on three pillars:

  1. Availability only to those who want to use it;
  2. Widely usable; and
  3. Users remaining in control of their data.

OPC Finds RCMP’s Use of Clearview AI Violates Privacy Act

The OPC found the RCMP’s use of Clearview AI services violated the Privacy Act. The RCMP matched photographs against individuals in a database provided by Clearview, which OPC determined violated Canadian privacy laws last year. “The use of (facial recognition technology) by the RCMP to search through massive repositories of Canadians who are innocent of any suspicion of crime presents a serious violation of privacy,” said Privacy Commissioner of Canada Daniel Therrien.

Human Rights Commission Urges Facial Recognition Ban

The Australian Human Rights Commission is urging the federal government to issue a temporary ban on “high-risk” use of facial recognition pending legislation. The commission recommends introducing legislation “that regulates the use of facial recognition and other biometric technology,” establishing an “artificial intelligence safety commissioner” and notifying affected individuals “where artificial intelligence is materially used in making an administrative decision.”

Feds Planning to Use Biometrics at Canada-US Border

Canada’s border agency has an “urgent need” to hire a global technology firm to help develop a biometric strategy in response to rapidly evolving issues including COVID-19. The CBSA issued a notice of procurement inviting 15 firms to submit proposals for immediately setting up an Office of Biometrics and Identity Management. The chosen contractor would help the border agency develop a plan to “manage, evolve and adapt” the use of biometrics while considering its relationship with other federal departments and international partners. The OPC had not been consulted about the border services agency’s procurement notice.

National Technical Spec for Digital Credentials to Provide Greater Privacy and Security for Canadians

With a growing need for reliable methods to confirm digital identities and documents as the economy pivots online, the Standards Council of Canada (SCC) has engaged the CIO Strategy Council to develop a technical specification that will bring widespread use of digital credentials a step closer. The new technical specification will set minimum requirements to ensure that digital credentials and trust services are interoperable between businesses and governments and create a seamless experience for users. Once agreed upon, the requirements will form the basis of conformity assessment solutions to provide consumers with confidence when sharing their digital personal information.

Class-Action BIPA Suit Alleges Unlawful Voice Assistant Use

A US federal court will consider a class-action suit from McDonald’s customers in Illinois alleging the fast-food chain violated the state’s Biometric Information Privacy Act. Plaintiffs claim voice assistants were utilized at McDonald’s drive-thru windows throughout Illinois and collected consumers’ biometric information without their express consent.

Mobile / Location Privacy

CBP’s Asylum Seekers App Brings Privacy Concerns

A U.S. Customs and Border Protection mobile application to help manage the information of asylum seekers is receiving backlash from privacy advocates. The CBP One app employs facial recognition, geolocation and cloud technology to collect, process and store the sensitive information. Despite privacy impact assessments from the Department of Homeland Security deeming the app as necessary,

Police Arrest Hundreds Using Data Gathered Through Backdoored Chat App

The FBI was able to trick criminals into using an FBI-developed app, ANoM, to communicate with each other. The app came preinstalled on phones configured for the purpose of using it, which, starting in 2018, were distributed on black markets. This week, several law enforcement agencies worldwide searched hundreds of locations in a coordinated effort using information collected from the ANoM app. The raids led to 224 arrests, the seizure of 3.7 tons of drugs, and the disruption of 20 “threats to kill.”

Law In Hong Kong Would Connect Identity to Mobile Phone Numbers

A new law in Hong Kong that would require people to provide their real name and personal details to register mobile phone numbers, including prepaid SIM cards, is raising surveillance concerns. The policy would take effect in September. Assistant Professor at the Chinese University of Hong Kong School of Journalism and Communication Lokman Tsui said it is an invasion of privacy. “The Hong Kong government continues to make policies that show they don’t trust their own citizens,” he said.

Mexican Registry for Cell Phone Users Sparks Privacy Concerns

Mexico has approved a plan to register biometric data, names, and addresses of cell phone users in a database, in what activists say is an alarming decision. The Mexican government has already failed several times to protect personal data.

Amazon Sidewalk Brings Mobile Device Privacy Concerns

Amazon Sidewalk, a shared network initiative for Amazon devices set to roll out June 8, is raising privacy concerns. At launch, Sidewalk will automatically enroll devices, including Alexa, Echo and Ring products, into these networks unless users update their personal device settings. The sharing could potentially leave users’ devices and information, such as cameras and browsing histories, open to nearby devices within a local Sidewalk network.

Apple Unveils New Privacy Features for iOS 15

Apple unveiled a new slate of privacy features to debut with iOS 15 this fall. The upcoming operating system will include a “privacy report” that informs users about which applications collect their personal data.

Online Privacy

Max Schrems’ Privacy NGO, Noyb, Submits Hundreds of Draft Complaints to Companies Across Europe About Their Cookie Law Compliance

Max Schrems’ privacy NGO, noyb, has sent hundreds of draft complaints to companies across Europe that it claims use unlawful cookie banners along with a guide of how to comply [press notice]. noyb is giving these companies one month to make the changes to their cookie banners and consent management solutions before filing formal complaints with data protection authorities.

FPF, PTA Release Privacy Tech Report

The Future of Privacy Forum and Privacy Tech Alliance released a new report titled “Privacy Tech’s Third Generation: A Review of the Emerging Privacy Tech Sector.” The report looks at the evolving privacy technology market, analyzes trends and predictions, and identifies five market trends and their implications for the future. Key themes include the COVID-19 pandemic’s role in accelerating global marketplace adoption of privacy tech and the role of regulatory compliance in driving initial privacy tech purchases.

Youth Privacy

CNIL Offers Children’s Privacy Recommendations

France’s data protection authority, the CNIL, released eight recommendations to improve the protection of minors online. Based on results from an April 2020 public consultation, the CNIL suggestions include increased parental supervision and controls, further exercising of minors’ rights, and a focus on age verification and consent. The regulator also noted it launched workshops to gain further perspective from minors. The CNIL announced a public consultation on a draft framework for processing minors’ data in relation to the social and medical care sectors. The public comment period ends 31 July.

Dartmouth Ends Unfounded Cheating Investigation After Students, Rights Groups Speak Out

The Dartmouth Geisel School of Medicine has ended its months-long dragnet investigation into supposed student cheating, dropping all charges against students and clearing all transcripts of any violations. This affirms what EFF, The Foundation for Individual Rights in Education (FIRE), students, and many others have been saying all along: when educators actively seek out technical evidence of students cheating, whether those are through logs, proctoring apps, or other automated or computer-generated techniques, they must also seek out technical expertise, follow due process, and offer concrete routes of appeal.

NYC, Kinsa Partner to Distribute Smart Thermometers in Elementary Schools

Technology company Kinsa is partnering with the New York City Department of Health to distribute up to 100,000 internet-connected thermometers in elementary schools. Data collected by the smart thermometers and an accompanying application will be aggregated, anonymized and made available to local health officials.

Surveillance

Stakeholders Pen Open Letter Urging Global Biometric Surveillance Ban

A coalition of more than 175 stakeholders signed an open letter supporting a global ban of biometric recognition technologies that aid mass surveillance efforts. The coalition, led by Access Now, claims the various tech deployments undermine civil liberties as they “identify, follow, single out, and track people everywhere they go.” Stakeholders added that “no technical or legal safeguards could ever fully eliminate the threat” posed by biometric technologies, and that therefore “they should never be allowed in public or publicly accessible spaces.”

Amnesty International Maps 15,000 Surveillance Cameras Used by NYPD

Human rights organization Amnesty International mapped the location of more than 15,000 cameras in Manhattan, Brooklyn, and the Bronx, used for surveillance and facial recognition searches by the New York Police Department. The cameras have been used in nearly 22,000 facial recognition searches since 2017. “Whether you’re attending a protest, walking to a particular neighborhood, or even just grocery shopping, your face can be tracked by facial recognition technology using imagery from thousands of camera points across New York,” said AI Researcher Matt Mahmoudi. [New Yorkers Are Watched by More Than 15,000 Surveillance Cameras]

Data Sciences

UK ICO Issues Draft Paper on De-Identification for Comment

The U.K. Information Commissioner’s Office opened a public consultation on the opening chapter of its draft guidance for anonymization, pseudonymization and privacy-enhancing technologies. The first of the seven-chapter guidance explores “the legal, policy and governance issues around the application of anonymization and pseudonymization in the context of data protection law.” The first consultation is open through 28 Nov.

CANON Publishes Report on De-Identification

The Canadian Anonymization Network (CANON) has recently published its report “Practices for Generating Non-identifiable Data,” which was funded by the OPC. The report provides definitions to ensure consistent terminology (inconsistent terminology being a recurring problem in this space), and presents a series of case studies of organizations implementing various approaches for creating non-identifiable data. It concludes with lessons learned across all of the case studies about current practices across multiple private and public sector organizations.

Australian Department of Health Notes Deidentification, Genomic Information Challenges Within Privacy Act

In a submission to a review of the Privacy Act 1988, the Australian Department of Health asked for government guidance on deidentification and genomic information. The department said, “any changes in the Privacy Act that require additional protections in relation to de-identified, anonymised, and pseudonymised information … will need to be supported by appropriate guidance and expertise in order for implementation to be effective.” It also noted “uncertainty and inconsistency” around genomic information within the scope of the Privacy Act.

Census Releases Guidelines for Controversial Privacy Tool

After three years of fierce debates, conflicting academic papers and a lawsuit, the U.S. Census Bureau announced guidelines for how a controversial statistical method [called Differential Privacy] will be applied to the numbers used for drawing congressional and legislative districts. The method is meant to protect the privacy of people who participated in the 2020 census, though critics have claimed it favors confidentiality at the expense of accurate numbers. [See also: Harvard Researchers Discourage Differential Privacy Use in 2020 Census]
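The trade-off the critics describe is easiest to see with a small worked example. The Python below is an added illustration, not part of the original item and not the Census Bureau’s actual disclosure-avoidance system (which is considerably more involved): it applies the basic Laplace mechanism to a handful of constructed block population counts and measures how the average error grows as the privacy parameter epsilon shrinks. The block names, counts, epsilon values and random seed are all constructed for the demonstration.

```python
"""Laplace mechanism on a toy block-count histogram (added example, not
census code). Shows the confidentiality/accuracy trade-off: smaller
epsilon means stronger privacy but noisier published counts."""
import math
import random
from typing import Dict, Optional

# Constructed sample data: true population counts for fictitious census blocks.
TRUE_COUNTS: Dict[str, int] = {
    "block-A": 412,
    "block-B": 37,
    "block-C": 1289,
    "block-D": 3,  # a tiny block: the kind of count that can single people out
}

# Each person is counted in exactly one block, so adding or removing one
# person changes one count by at most 1: the L1 sensitivity of the histogram.
SENSITIVITY = 1


def laplace_scale(sensitivity: float, epsilon: float) -> float:
    """Scale parameter b of the Laplace noise giving epsilon-differential privacy."""
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    return sensitivity / epsilon


def sample_laplace(rng: random.Random, scale: float) -> float:
    """Draw one Laplace(0, scale) sample by inverse CDF (no numpy needed)."""
    u = rng.random()
    while u == 0.0:  # avoid log(0) at the open end of the interval
        u = rng.random()
    u -= 0.5  # now uniform on (-0.5, 0.5)
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def release_counts(counts: Dict[str, int], epsilon: float,
                   rng: Optional[random.Random] = None) -> Dict[str, int]:
    """Publish one epsilon-DP version of the histogram.

    Every block gets independent noise. Because the blocks are disjoint,
    the whole table still costs only epsilon (parallel composition).
    Rounding and clamping at zero are post-processing: they keep the
    published table plausible and do not weaken the privacy guarantee.
    """
    rng = rng or random.Random(0)
    b = laplace_scale(SENSITIVITY, epsilon)
    return {block: max(0, round(true + sample_laplace(rng, b)))
            for block, true in counts.items()}


def mean_abs_error(counts: Dict[str, int], epsilon: float,
                   trials: int = 2000, seed: int = 2020) -> float:
    """Average |published - true| per block over many releases: the accuracy cost."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        noisy = release_counts(counts, epsilon, rng)
        total += sum(abs(noisy[block] - counts[block]) for block in counts)
    return total / (trials * len(counts))


if __name__ == "__main__":
    rng = random.Random(2020)
    for eps in (0.1, 0.5, 1.0, 5.0):
        table = release_counts(TRUE_COUNTS, eps, rng)
        print(f"epsilon={eps:<4} noise scale={laplace_scale(SENSITIVITY, eps):>5.1f} "
              f"mean abs error={mean_abs_error(TRUE_COUNTS, eps):>5.2f}  {table}")
```

Running it shows the tension directly: at epsilon 0.1 the noise scale is 10 and a block with 3 residents can be published as 0 or 20, while at epsilon 5 the counts are essentially exact and the protection is correspondingly weak. Which point on that curve is “right” is a policy choice, which is why the parameter, not the mechanism, is where the census debate has centred.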

Security / Breaches

Cyber Attacks More Sophisticated, Data Exfiltration ‘Not Going Away’: Risk Expert

The pandemic has proven to be fertile ground for cyber attackers. Despite this, fewer organizations surveyed by the Canadian Internet Registration Authority expected to increase the human resources dedicated to cybersecurity in the next 12 months, according to its 2020 Cybersecurity Report.

Highlights

US Agencies Share Updates on Ransomware Protections

The U.S. Department of Health and Human Services’ Office for Civil Rights shared updates from the White House and Cybersecurity and Infrastructure Security Agency on protecting against ransomware threats. Addressing an increase in the number and size of ransomware incidents, a White House memo called on the government and private sector to protect their organizations with recommended best practices. An OCR fact sheet included information for organizations regulated by the Health Insurance Portability and Accountability Act.

May 28 – June 3, 2021

COVID-19

7 EU countries roll out vaccine passport

Bulgaria, the Czech Republic, Denmark, Germany, Greece, Croatia and Poland made the digital green certificate available to citizens Tuesday. The certificate shows whether an individual is fully vaccinated against COVID-19, recovered from the virus or received a negative test over the past three days. See also: Privacy Commissioners Comment on Vaccine Passports; Ombudsmen from across Canada warn provinces of domestic COVID-19 vaccine passport pitfalls; Canadian Privacy Commissioners Issue Joint Guidance on Vaccine Passports

CoE, Parliament reach provisional deal on COVID-19 certificates

The Council of Europe and European Parliament reached a provisional deal on COVID-19 certificates. Under the deal, member states will not be able to store information gathered through the certificates. Entities processing personal information will be made public to allow citizens to exercise their rights under the EU GDPR. The European Parliament Committee on Civil Liberties, Justice and Home Affairs also endorsed the digital COVID certificates.

New York vaccine passport gaining traction amid privacy questions

More than 1 million New York Excelsior Passes — the first government-issued vaccine passport in the U.S. — have been downloaded since it was introduced in March. Some states banned the use of vaccine passports, citing privacy protections, while technology professionals warn of fraud possibilities. Surveillance Technology Oversight Project Executive Director Albert Fox Cahn downloaded a different individual’s Excelsior Pass using information from social media posts and Google in 11 minutes.

Identity / Biometrics

EU Commission proposes a trusted and secure Digital Identity for all Europeans

The Commission has proposed a framework for a European Digital Identity which will be available to all EU citizens, residents, and businesses in the EU. Citizens will be able to prove their identity and share electronic documents from their European Digital Identity wallets with the click of a button on their phone. They will be able to access online services with their national digital identification, which will be recognised throughout Europe. [Report from the Commission to the European Parliament and the Council on the evaluation of Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS)]

Digital wallet unveiled in EU

The European Commission announced its proposal for a digital wallet that would store payment details and passwords and be accessible via fingerprint or retina scanning. The application would allow citizens to access government websites or pay utility bills using one identity. Users could also store official documents on the app.

Facial Recognition in the News

New York City Biometrics Law Takes Effect in July 2021

Following the municipal ban on the use of facial recognition technology in Portland, Oregon, New York City’s more expansive “biometric identifier information” law, set to go into effect July 9, 2021, will ban the sale of biometric data but permit the use of biometric identifying technologies with posted notice to customers in “simple language” to be prescribed by forthcoming rules.

Online Privacy / Surveillance

NGO issues 560 cookies complaints, plans 10K more

Advocacy group NOYB sent 560 complaints to companies in 33 countries alleging unlawful deployment of cookie banners under the EU GDPR. NOYB Founder Max Schrems argues the violators do not provide a “simple yes or no option” for cookies but instead “use every trick in the book to manipulate users.” The group claims it will send up to 10,000 more complaints by the end of 2021 through its own automated system that detects cookie violations.

Mobile / Location

Amazon Sidewalk brings mobile device privacy concerns

Amazon Sidewalk, a shared network initiative for Amazon devices set to roll out June 8, is raising privacy concerns. At launch, Sidewalk will automatically enroll devices, including Alexa, Echo and Ring products, into these networks unless users update their personal device settings. The sharing could potentially leave users’ devices and information, such as cameras and browsing histories, open to nearby devices within a local Sidewalk network.

Law Enforcement

Richmond public CCTV cameras subject to function creep

Richmond may be one of the most ‘surveilled’ cities in Canada now that 110 closed-circuit TV cameras have been installed at major intersections, including those leading to Vancouver International Airport. Four years ago, Richmond adopted a $2.18-million “predictive traffic management” plan, with footage also available to settle disputes such as who was actually at fault in a crash. In 2018, B.C. Privacy Commissioner Michael McEvoy raised no objections to the plan after reviewing it, because the traffic cameras deliberately collected low-resolution video that obscures faces and licence plates. To further ensure a privacy firewall, McEvoy also insisted that the city — not the RCMP — manage the data. Because Richmond accepted McEvoy’s guidance, its traffic management cameras are exempt from FIPPA. Now Richmond wants the province’s blessing to jettison all of that. The mayor and council of the city with British Columbia’s fourth lowest crime rate want the cameras zoomed in, transformed from benign traffic monitoring into high-resolution surveillance.

Human rights groups say digital surveillance of immigrants raises privacy concerns

Human rights groups are urging the Biden administration and U.S. Immigration and Customs Enforcement to end a digital surveillance program that uses GPS-tracking ankle monitors and facial recognition technology to monitor immigrants. The groups said the SmartLINK application, one app used in the program that requires immigrants to check in with facial recognition and location confirmation, “raises a number of privacy and surveillance concerns.” They called for “solutions that put an end to all forms of immigrant surveillance and detention.”

Security / Breaches

Ransomware: avoidance and response

Ransomware is on the rise. A 2020 report by IBM demonstrates how common these attacks have become, indicating that ransomware is by far the most common form of cyber attack in the world. It is also one of the most common cyber threats in Canada according to the Canadian Centre for Cyber Security (the “CCCS”). The CCCS stated that ransomware is becoming an increasingly common threat and that it is one of the cyber threats most likely to affect Canadians. It is thus understandable that Canadian IT professionals flagged malicious software attacks (including ransomware) as the most significant cyber risk in the Canadian Internet Registration Authority’s 2020 Cybersecurity Report.

Phishing campaign targets government agencies

Microsoft said the group behind the SolarWinds hack launched a phishing campaign targeting 3,000 email accounts at more than 150 organizations, including government agencies.

U.S. Reports Health Breach Statistics

The U.S. Department of Health and Human Services’ HIPAA Breach Reporting Tool website has seen nearly 100 new breaches in recent weeks, while the Office for Civil Rights website listed 251 breaches added this year.

Canada Post reveals supplier data breach involving shipping information of 950,000 parcel recipients

A cyber-attack on a third-party supplier of Canada Post has resulted in a data breach impacting 950,000 parcel recipients. In a press release, Canada Post said it had informed 44 “large business customers” that they had potentially been affected by “a malware attack” against Commport Communications, a provider of electronic data interchange services.

Regulators

ICO seeks comments on guidance on privacy-preserving practices

The U.K. Information Commissioner’s Office opened a public consultation on the opening chapter of its draft guidance for anonymization, pseudonymization and privacy-enhancing technologies. The first of the seven-chapter guidance explores “the legal, policy and governance issues around the application of anonymization and pseudonymization in the context of data protection law.” The examination covers the ability to anonymize datasets, if it can be done effectively and what the benefits are to applying the practice.

EDPS launches ‘Schrems II’ investigations on EUIs, European Commission’s tech use

The European Data Protection Supervisor launched a pair of investigations as part of its strategy to have EU institutions comply with the Court of Justice of the European Union’s “Schrems II” decision. The first investigation centers on the use of cloud services provided by technology companies under Cloud II contracts by EU institutions, bodies and agencies, while the second focuses on the European Commission’s use of Microsoft Office 365.