06–18 August 2016

Biometrics

WW – Algorithms Can Identify Individuals Trying to Evade Facial Recognition

German researchers published a paper revealing algorithms can be used to identify individuals even if they have obscured their faces. The researchers from the Max Planck Institute call it the “Faceless Recognition System,” which “trains a neural network on a set of photos containing both obscured and visible faces, then uses that knowledge to predict the identity of obscured faces by looking for similarities in the area around a person’s head and body.” Depending on the level of obscurity, the success rate can range from 14.7% to 91.5%. Meanwhile, Facebook users filing a lawsuit against the social media network say the level of damages they received meet the level set in the Spokeo decision. Editor’s Note: The IAPP will be hosting a discussion on biometrics and consumer privacy at the Privacy. Security. Risk. conference from Sept. 13-16, in San Jose, California. [Motherboard]

Canada

CA – OPC Canada Provides Tips Protecting Employee Privacy

the Office of the Privacy Commissioner of Canada has published tips to human resources professionals regarding the protection of employee personal information. HR professionals should ensure the bcc field is used for emails sent to multiple recipients that include sensitive personal information, vet documents to remove personal information before disclosing to third parties, and only share information that is factual, objective and pertinent; HR professionals should be knowledgeable about relevant privacy legislation requirements when handling personal information and advising clients on sensitive personal matters. [OPC Canada – Key Privacy Protection Tips for Federal Human Resources Professionals – Fact Sheets]

CA – Clayton Rules Former Premier Violated Privacy Law

Alberta Privacy Commissioner Jill Clayton said the office of former Premier Alison Reford violated privacy laws when she leaked personal information about former Deputy Premier Thomas Lukaszuk and three other government officials. The information revealed Lukaszuk rang up more than $20,000 in international data roaming charges during a personal trip to Europe in 2012. Clayton said the disclosure of the information goes against the Freedom of Information and Privacy Act. “While it is arguable that the release of information about cellphone charges may have been in the public interest, it was leaked in an uncontrolled manner — nobody’s privacy interests were considered,” Clayton said. [Global News[

CA – NL OIPC Reports 66 Breaches between March and June

The Information and Privacy Commissioner has disclosed 66 breaches within public entities between March and June 2016, an increase from the 51 breaches during 2016’s first quarter. “Most of the private information was released through email or regular mail, and only one was intentional,” the report states. Institutions like Service NL, Central Health and the Newfoundland and Labrador English School District all reported breaches. [CBC News]

CA – Newfoundland OIPC Sees Rise in Access to Information Requests

Newfoundland and Labrador’s new Information and Privacy Commissioner Donovan Molloy has seen a large increase in access to information requests. Molloy said changes to the Access to Information and Protection of Privacy Act have made asking for information far easier, resulting in a large influx of applications. “It’s my understanding that there’s been a substantial increase in the number of requests since 2015,” said Molloy. Since taking over last month, Molloy said the large amount of requests have been taxing on his office. “It’s a real struggle right now in terms of volume, keeping up with the number of requests,” said Molloy. “Because of the capacity to store large volumes of information electronically, then the requests are often quite broad as well.” [CBC News]

CA – Lawsuits Filed Against ‘Pokemon Go’, IP Mapping Company

Two separate lawsuits have emerged against companies that use location data. A family in Alberta, Canada, has initiated a class-action lawsuit against the makers of “Pokemon Go” because their house is a “Gym” in the augmented reality game, meaning it’s a destination for players. Homeowner Barbra-Lyn Schaeffer said more than 100 players have wandered onto her property in the past month. A separate lawsuit has been filed by a Kansas, U.S., family against IP mapping company MaxMind. The issue, originally reported on by Fusion’s Kashmir Hill, involves a default GPS setting — which happens to be where the family lives, meaning law enforcement is often called out to the family’s home thinking it’s a place where a crime has been committed. MaxMind has changed the IP location, but not all users have updated their settings, meaning the issue could affect the family for years to come. [Calgary Herald]

E-Government

US – Interior Dept. Needs to Update Logical Access Controls: Report

According to a report from the US Department of the Interior (DOI) Office of the Inspector General (OIG), eight of nine systems OIG tested at the agency did not meet minimum federal standards for logical access controls. The report also found that DOI needs to encrypt mobile devices and to develop “the ability inspect encrypted traffic for malicious content.” The OIG report acknowledges that “DOI has implemented multifactor authentication to reduce the risk of unauthorized access” to systems. [SC Magazine: Interior Dept. must update access control standards to meet NIST guidelines – report | FCW: IG: Interior needs to tighten computer security | DOIOIG: Inspection of Federal Computer Security at the US Department of the Interior]

US – OIF Finds GSA Access Controls in Good Shape

The Office of Inspector General (OIG) of the US General Services Administration (GSA) found the agency’s “policies and procedures regarding access controls” to be in line with federal standards. Eleven of the GSA’s 18 examined systems use “multifactor authentication for privileged users consistent with government-wide policies.” The seven systems that do not have multifactor authentication use “compensating controls for privileged user access.” [Nextgov: GSA Gets Thumbs Up on Cybersecurity Act Assessment | GSAIG: US General Services Administration Office of Inspector General Cybersecurity Act Assessment]

E-Mail

WW – Google to Warn Users About Potentially Dangerous e-Mail

In a blog post, Google says it will send warnings to users when they receive email messages that could harm their computers. The warning will ask users if they want to open messages that Google deems untrustworthy either because they contain links to sites known to host malware, or because Google cannot authenticate that the sender is who it claims to be. [CNET: Don’t click on that: Google updates email warnings | ZDNet: Google Gmail: Now you about get security alerts about senders to beat email spoofing | Google: Making email safer with new security warnings in Gmail]

EU Developments

WW – ICDPPC Updates Upcoming Morocco Conference

In its latest communique, the International Conference of Data Protection and Privacy Commissioners provides an update to this year’s conference in Marrakech, Morocco. The conference’s closed session will feature discussion on artificial intelligence, robotics and encryption, while the program will also include themes such as “privacy as a driver for sustainable development, security and privacy, digital education, technology and social trends,” New Zealand Privacy Commissioner and ICDPPC Chair John Edwards wrote. The newsletter also features highlights from the executive committee’s meeting in Singapore, a Q&A with Macedonia Director of the Directorate for Personal Data Protection Goran Trajkovski, and an update on the cloud computing resolution that was adopted in 2012. [Full Story]

EU – E-Privacy Directive Draft on September Docket for European Commission

The European Commission will release its E-Privacy Directive update draft in September, which will mandate that apps like Skype and WhatsApp fall under the same privacy regulatory umbrella as SMS text messages and both mobile and landline calls. “It was obvious that there needs to be an adjustment to the reality of today,” said Green MEP Jan Philipp Albrecht. “We see telecoms providers being replaced and those companies who seek to replace them need to be treated in the same way.” He added that the proposed law will take special aim at upholding strong encryption. Critics counter that these laws must be careful not to curb economic innovation, and that re-tailoring older legislation to fit newer technology is “well-nigh impossible,” the report states. [The Gurdian]

Facts & Stats

WW – Study: ‘Insider Negligence’ Most Likely Cause of Data Breaches

A Ponemon Institute study revealed “insider negligence” is the most common cause of a data breach. The study polled more than 3,000 employees in the U.S., U.K., France and Germany, and found 76% of their organizations suffered a data breach in the last two years. The respondents said insider negligence results in more breaches than hackers, malicious employees or poor contractor security. The study also found that 87% of those polled said their jobs require access and use of customer data, employee records and financial information, but only 29% said their organizations allow access on a “need-to-know” basis, with 25% monitoring employee email and file activity. [ZDNet]

FOI

CA – OIPC SK Outlines Steps for Responding to Access and FOI Requests

The Office of the Information and Privacy Commissioner in Saskatchewan has provided guidance on granting individuals access to records within public bodies, pursuant to the: Freedom of Information and Protection of Privacy Act; and Local Authority Freedom of Information and Protection of Privacy Act. Applicant identity should not disclosed to anyone without a legitimate need to know, public bodies are not entitled to require applicants to explain the reason for their request (unless to refine/narrow it, deciding to waive fees, or it believes it is frivolous, vexatious, or in bad faith); fee estimates should be proportionate to the work required to respond efficiently and effectively, and notice should be given to third parties any time access is denied due to a third party exemption, or there is an OIPC review. [OIPC SK – Best Practices for Responding to Access Requests]

CA – OIPC NFLD Finds Government Employee Names, Titles and Remuneration Amounts Should Be Disclosed

The Office of the Information and Privacy Commissioner in Newfoundland and Labrador has reviewed a complaint by third parties, regarding the decision of the Newfoundland and Labrador English School District to allow access to records pursuant to the Access to Information and Protection of Privacy Act, 2015. Disclosure is not an unreasonable invasion of privacy if the information is about a public employees’ position, function, or remuneration; the privacy of public employees must be balanced against the public’s right to know how tax dollars are spent, and to release specified information about employees without employee names would undermine the purpose of the Access to Information and Protection of Privacy Act. [OIPC NFLD – Report A-2016-015 – NFLD English School District]

Genetics

US – MIT Scientists Create System Protecting Patient Privacy Within Genomic Databases

MIT’s Computer Science and Artificial Intelligence Laboratory and Indiana University at Bloomington have developed a research database that allows queries from genome-wide association studies while decreasing privacy threats to “almost zero.” The database employs differential privacy techniques to keep vulnerabilities so low. “It does that by adding a little bit of misinformation to the query results it returns,” the report states. “That means that researchers using the system could begin looking for drug targets with slightly inaccurate data. But in most cases, the answers returned by the system will be close enough to be useful.” Decreased privacy risks and increased access cut database wait times down from the months-long queue period, the report adds. [MIT News] [Nature] See also: [Genetic analysis and its privacy pitfalls]

Health / Medical

WW – Some mHealth Apps Aren’t Making Privacy a Priority

A new study finds that health and wellness apps in particular aren’t making privacy policies easily available to users, even though they are collecting sensitive data. A study by the Future of Privacy Forum finds an overall improvement in the mHealth industry, with 76% of apps surveyed having a privacy policy – an 8% increase since the last survey in 2012. Among their findings was a marked difference in transparency between free and paid apps. Some 86% of the free apps have an accessible privacy policy, while only 66% of the paid apps have a policy. Researchers noted that free apps are usually sustained by advertising, and often are required to disclose their tracking practices to comply with that industry’s standards. [mHealthIntelligence]

Horror Stories

WW – IoT Sex Toy Shares Private Data With Manufacturer

Security researchers have revealed that an internet-connected sex toy is sending intimate data back to the manufacturer for “market research.” The We-Vibe 4 Plus can be controlled remotely through a mobile device and is intended to help couples be more intimate when they’re away from each other. However, the researchers demonstrated the device also shares temperature and vibration intensity data with the manufacturer, and can be easily hacked. “As teledildonics come into the mainstream,” their presentation description noted, “human sexual pleasure has become connected with the concerns of privacy and security already familiar to those who previously only wanted to turn on their lights, rather than their lover.” The president of the manufacturer said the data it receives is not granular enough to know how it’s being used. [Newsweek]

Location

EU – Irish Commissioner Releases Guidance on Location Data

The Office of the Data Protection Commissioner today released guidance on location data. “Aimed at both individuals and organizations, our guidance will assist individuals in understanding how much information relating to their location is collected and processed, and provides clarity to organizations on their obligations regarding such data. The overriding principle of the guidance centers on the protection of the individual’s right to data privacy,” the DPC said in a press release. Included in the guidance are tips about smartphone apps and public Wi-Fi networks collecting location data, as well as wearable devices. The guidance is part of an ongoing educational effort on behalf of the DPC. [Full Story]

US – FTC Offers Analysis, Guidance from InMobi Location Tracking Case

In a new FTC blog post, Nithan Sannappa and Lorrie Faith Cranor offer a deep dive into the location privacy issues revealed in the InMobi case. “In this post,” they write, “we explain the mechanism that the commission alleges InMobi used to track users’ location without permission, and discuss technical steps that mobile operating systems have taken to try to address this practice.” In addition to a detailed analysis of how InMobi tracked the location of users, Sannappa and Cranor write, “Given these complexities, all actors in the mobile ecosystem have a role to play in protecting consumer privacy.” Further, app developers should “consider contractual terms or other steps to help ensure that their third party service providers do not circumvent consumers’ privacy choices.” [Full Story]

Offshore

TH – Thai Government Could Require SIM Cards for Tourists

Thailand’s National Broadcasting and Telecommunications Commission could mandate tourists to carry “location-tracking SIM cards.” “It is not to limit tourists’ rights. Instead it is to locate them which will help if there are some tourists who overstay or run away (from police),” said Secretary-General Takorn Tantasith. Details surrounding the potential program are sparse, like the cost of the cards, how location tracking would work on the card, and when the program could start, the report states. [The Nation]

Online Privacy

WW – Facebook Update Overrides Ad Blockers

Ad blockers will no longer work on Facebook thanks to site updates. While ad blockers will continue to work on others sites and Facebook users can tailor their ad preferences on-site, the move will spark more debate about ads, privacy, and the blockers used to prevent them, the report states. Many are frustrated at the erosion of user control. “It takes a dark path against user choice,” said Eyeo G.m.b.H’s Ben Williams. Some feel Facebook’s updates strike a balance. “Many users rely on ad blockers because they are concerned about privacy or malware,” said the Future of Privacy Forum’s Jules Polonetsky. “Facebook’s change lets users continue to use ad blockers to protect themselves, while ensuring ads are displayed.” [The New York Times]

Other Jurisdictions

NZ – Privacy Commissioner Launches Tool for Privacy Questions

New Zealand’s Office of the Privacy Commissioner launched an online service allowing people to ask privacy-related questions whenever they need to. The “Ask Us“ tool allows anyone from individuals to small-business owners to government workers the chance to access privacy information, according to Privacy Commissioner John Edwards. “We have designed this tool with a 360-degree view of who might find it useful,” said Edwards. “We believe this is a leading model that is available to be shared with other public-sector agencies that are also on the Common Web Platform. People will be able to access information that is relevant to them in a convenient way without having to join a phone queue to a call centre.” [CIO]

Privacy (US)

US – FTC to Host Ransomware Event Sept. 7

The Federal Trade Commission will host a three-panel discussion on ransomware in Washington on Sept. 7 as part of its Fall Technology Series, the agency announced in a press release. FTC Chairwoman Edith Ramirez, FTC Chief Technologist Lorrie Faith Cranor, and representatives from organizations like PhishLabs, Red Canary and the FBI will speak. “In addition to the panel discussions, the FTC’s Office of Technology Research and Investigation and New York University’s computer science department will present research based on a study of dozens of ransomware variants,” the report states. This event is free and public. [FTC]

US – Judge Denies Google’s Request to Dismiss Email Interception Lawsuit

U.S. District Judge Lucy Koh denied Google’s request to dismiss a class-action lawsuit alleging the company illicitly intercepts and scans emails before reaching a user’s inbox. Google claims its process for obtaining emails and scanning their contents for use in targeted advertising is part of their standard operating procedure. Koh disagreed with Google, saying its policy may violate the California Wiretap Act. “Under the plain meaning of the Wiretap Act, the ‘ordinary course of business’ exception protects an electronic communication service provider’s interception of email where there is ‘some nexus between the need to engage in the alleged interception and the [provider’s] ultimate business, that is, the ability to provide the underlying service or good,’” Koh wrote in her ruling. [Courthouse News Service]

US – DOC Releases First List of Privacy Shield-Compliant Companies

Late last week, the International Trade Administration — an arm of the U.S. Department of Commerce — released a list of nearly 40 companies that have been approved under the EU-U.S. Privacy Shield. A DOC spokesman said the list would be updated on a rolling basis, adding, “There are nearly 200 applications currently involved in our rigorous review process.” However, businesses have been slow to join the agreement, mostly due to a lack of legal uncertainty in the EU. PwC’s Jay Cline, CIPP/US, said, “we don’t expect a stampede to join it in the next few days, but rather a steadily growing wave over the long run, especially if European companies begin to favor Privacy Shield membership in competitive bids.” [Wall Street Journal] See also: The EU-U.S. Privacy Shield is fully operational, as the U.S. Chamber of Commerce has opened registration for U.S. companies, the European Commission announced in a press release, and [Could privacy trust marks be a better Privacy Shield alternative?]

US – California’s Gang Member Database May Violate Privacy Rights

California’s database of suspected gang members may violate the privacy rights of those within the system. A state auditor report examined the CalGang database, a system shared by police agencies across the state, and contains information on nearly 150,000 gang members. The system “does not ensure that user agencies collect and maintain criminal intelligence in a manner that preserves individuals’ privacy rights,” wrote auditor Elaine Howle. The report found four court cases where the database was used as proof of an individual’s gang involvement, and three law enforcement agencies using the database for employment or military-related screenings. “These instances emphasize that inclusion in CalGang has the potential to seriously affect an individual’s life,” the report states. “Therefore, each entry must be accurate and appropriate. [SFGate]

Privacy Enhancing Technologies (PETs)

WW – Enterprise Privacy Tech Solutions Are On the Rise

With a major new privacy regulation on the horizon in Europe, and increased media and regulatory scrutiny of companies’ privacy practices around the world, the job of engendering consumer trust and maintaining privacy compliance is getting seemingly more difficult every day. Of course, employing privacy pros is the obvious first step in ensuring a robust internal privacy regime, but more and more, privacy pros are in need of tools to help them do their jobs. Fortunately, startups and venture capitalists are recognizing this need for better privacy and information management tools. In this post for Privacy Tech, Jedidiah Bracy, CIPP, looks at two startups looking to work further with privacy pros in an effort to provide technological solutions designed directly for the privacy pro. [IAPP] See also: [Op-ed: New tech could be the boon health care privacy needs]

Security

US – Study: 91% of Visual Hacking Attempts Successful

A Ponemon and 3M Company study found the vast majority of visual hacking attempts are successful. The Global Visual Hacking Experiment spanned 157 trials in 46 participating companies across eight countries, including China, France, Germany and the U.K. The study had a white hat visual hacker take information in different ways, including walking through offices for information, taking confidential business documents off desks and placing them into briefcases, or taking a picture of confidential information using a smartphone. The attempts were successful 91% of the time, with 52% of the sensitive information taken from employee computer screens. Hackers were normally not confronted, as 68% of visual hacking attempts resulted in the malicious party not receiving any questioning. [Full Story]

US – Active Response, Behavior Baselining Hot at Black Hat Conference

One of the popular security terms making their way into conversations during the Black Hat conference last week in Las Vegas is behavior baselining, where an organization focuses on understanding its system’s typical behavior in order to identity any deviations. “Most organizations accomplish this by employing people and technologies utilizing data science and machine learning for automated analysis,” the report reads. This is complemented by active response, another term making its way around Black Hat. “Active response is the ability to respond to an attack as soon as it is detected within the organization’s environment. The response could include communication with secondary systems such as a ticketing system, or it could include creating a ticket or collecting additional data.” [TechCrunch]

Surveillance

US – NYC Art Exhibit Examines Privacy in the Surveillance Age

An art exhibit in New York City is focusing on the attempts to stay private in a growing age of surveillance. “Public, Private, Secret” features a wide range of privacy-themed surveillance art from the 1940s to today, a video diary made up of an individual’s private online thoughts, and photos of celebrities. One of the themes of the exhibit is the growing number of people who have access to cameras, allowing more people to engage in visual communication. “The big difference is, it used to be a few people taking images that went out to millions,” said the International Center of Photography’s Executive Director Mark Lubell. “Now it’s millions and millions of people going out to millions and millions of people. I think that’s a seismic shift in the medium, and it’s something we should be looking at and exploring.” [PBS Newshour]

WW – AI Company Develops Drone Risk Analysis Program

An artificial intelligence company is developing a risk analysis program for commercial drones. Flock’s program allows drone operators to safely use their devices by leveraging real-time weather information, locating buildings, and predicting when areas will be filled with people in order to find less congested routes. “We extract actionable insights and predictions from big data by extracting multiple data sources and amassing a wealth of historical data in cities,” said Flock CEO Ed Leon Klinger. “The machine learning element of our technology is what allows us to predict when and where certain areas of cities will become particularly hazardous for drones.” Flock may also be used by insurance companies to help determine the risks of drone flight. [Yahoo!]

US Government Programs

US – Court of Appeals Finds Government’s Warrantless Use of Cell Phone Location Information was Justified

The US Court of Appeals reviewed an appeal by Frank Caraballo for a conviction by the District Court for the District of Vermont for conspiring to distribute drugs, possession of a firearm in furtherance of a drug trafficking crime, and causing the death of an individual. The Court found that emergency circumstances may make the needs of law enforcement so compelling that a warrantless search is objectively reasonable under the Fourth Amendment; the Defendant was reasonably believed to be armed, had recently been identified by the victim as a person who was likely to cause harm, was likely to escape if not quickly apprehended, and posed an imminent threat to law enforcement (undercover police and confidential informants). [US v. Frank Caraballo – 2016 US App. LEXIS 13870 – United States Court of Appeals for the Second Circuit]

US Legislation

US – New Illinois Law Requiring Stricter Rules for Stingray Use

SB 2343, An Act Concerning the Use of Cell Site Simulator Devices, was signed by the Illinois Governor. Before deploying cell site simulators, law enforcement agencies must submit a court application that includes a description of the nature and capabilities of the device to be used, the method of deployment, and procedures to protect the privacy of non-targets; all non-target data must be deleted within 24 hours (if the device is used to location or tracking) or 72 hours (if used for device identification). The Act is effective January 1, 2017. [SB2343 – An Act Concerning the Use of Cell Site Simulator Devices – Illinois General Assembly]

+++

29 July – 05 August 2016

Biometrics

WW – New Snapchat Facial Recognition Patent Could Have Retail Ramifications

Snapchat received a patent for technology to identify the face of specific individuals, then blur or obscure their faces if they have set their privacy settings to do so. The technology would allow Snapchat to surf through the database for anyone who has used the app, and if it finds a match, the app will place “a privacy-protected version of the image, wherein the privacy-protected version of the image has an altered image feature.” However, similar facial recognition technology, the report points out, could be used in a retail setting, where an organization could scan customers to determine their shopping habits and other information through social media and other online outlets. [Computerworld]

WW – Facial Recognition for Monitoring Crowd Reactions?

At each of the recent major political conventions held in the United States last month, Microsoft was on-site as part of an event with POLITICO where it demonstrated its Microsoft Research Division capabilities. One exhibit was titled “Realtime Crowd Insights” and displayed functionality whereby individual faces in a crowd could be singled out and identified by approximate age, emotional state and gender. The report questions whether the technology’s abilities mesh with consent-based privacy policies. “It’s difficult,” said Georgetown professor Alvaro Bedoya,” to envision how companies will obtain consent from people in large crowds or rallies.” [The Intercept]

WW – How Hackers Could Get Inside Your Head With ‘Brain Malware’

Hackers have spyware in your mind. You’re minding your business, playing a game or scrolling through social media, and all the while they’re gathering your most private information direct from your brain signals. Your likes and dislikes. Your political preferences. Your sexuality. Your PIN. It’s a futuristic scenario, but not that futuristic. The idea of securing our thoughts is a real concern with the introduction of brain-computer interfaces—devices that are controlled by brain signals such as EEG, and which are already used in medical scenarios and, increasingly, in non-medical applications such as gaming. Researchers at the University of Washington in Seattle say that we need to act fast to implement a privacy and security framework to prevent our brain signals from being used against us before the technology really takes off. “There’s actually very little time,” said electrical engineer Howard Chizeck over Skype. “If we don’t address this quickly, it’ll be too late.” “Broadly speaking, the problem with brain-computer interfaces is that, with most of the devices these days, when you’re picking up electric signals to control an application… the application is not only getting access to the useful piece of EEG needed to control that app; it’s also getting access to the whole EEG,” explained Bonaci. “And that whole EEG signal contains rich information about us as persons.” And it’s not just stereotypical black hat hackers who could take advantage. “You could see police misusing it, or governments—if you show clear evidence of supporting the opposition or being involved in something deemed illegal,” suggested Chizeck. “This is kind of like a remote lie detector; a thought detector.” [MotherBoard]

Big Data

WW – Privitar receives 3M GBP from Illuminate Financial Management

Big data privacy startup Privitar will receive 3 million GBP in financing from Illuminate Financial Management, with other investments coming from existing investors. Privitar will use the funds to boost its growth both in the U.K., and in Europe for its big data software, designed to let companies publish and share data privately, while meeting regulatory compliance. “Every organisation that collects and analyses data is grappling with the issue of data privacy. They are all potential customers for our privacy-enhancing software solution,” said Privitar CEO Jason du Preez. “That is why we are excited to be partnering with Illuminate Financial with their deep connectivity into one of our target vertical market.” [Finextra]

Canada

CA – Newfoundland & Labrador’s New Information and Privacy Commissioner Speaks Up

In an interview, Newfoundland and Labrador’s newly-appointed Information and Privacy Commissioner Donovan Molloy discusses elements of the role he looks forward to tackling and his goals for the province’s privacy. “At the end of the day, the public is entitled to every piece of information that exists in government, unless it is specifically exempted in the [Privacy] Act,” Molloy said. “The role of this office is to make sure the exemptions and qualifications are properly applied.” He added that he has a particular interest in privacy issues. It’s “one of the areas of law that’s developing very quickly, and will increasingly become more important in our society,” Molloy said. [The Telegram]

CA – BC SC Orders Voyeur to Pay $85,000 In Privacy Damages

The BC Supreme Court ordered $85,000 in damages to be paid to a young woman whose stepfather surreptitiously recorded her while she was undressed in her bathroom and bedroom. The damages finding was driven significantly by the “thoroughly undignified and humiliating actions” of the defendant, the age of the defendant and proof that the defendant’s actions caused a significant psychological disorder that the plaintiff was still recovering from at the time of trial (which was four years after discovering the defendant’s wrong). The plaintiff was recovering, the judge also noted, as well as noting that the defendant conducted his defence with “appropriate restraint.” The judge did not consider evidence that the plaintiff was herself provocative in his damages assessment. The Court also ordered damages to be paid for past loss of earning capacity, the cost of medication taken and health care received and the cost of future care. [Source] T.K.L. v. T.M.P., 2016 BCSC 789 (CanLII).

CA – Alberta Commish Issues ‘Landmark’ Trans-Privacy Ruling

In what’s being described as a “landmark” decision for the transgender community, the Office of the Information and Privacy Commissioner of Alberta has decided trans students have the right to protect their birth names from becoming public information. Following repeated incidents where teachers displayed the student’s birth name in front of other students or otherwise discussed the student’s birth gender status in public, the family complained. In the ruling, the adjudicator found the school in breach of the Freedom of Information and Privacy Act for disclosing personal information and failing to make proper security arrangements. The school has already amended practices, but Kris Wells, a professor with the University of Alberta’s Institute for Sexual Minority Studies and Services, called it a “landmark decision” because of the way it will force school boards to re-examine policies across Canada. [GlobalNews] [Trans student at centre of Edmonton school’s privacy breach hopes it doesn’t happen to others]

Consumer

WW – Windows 10 Privacy Concerns May Drive Customers Over to The Mac

A recent survey conducted by OnePoll reveals that two-thirds of the Windows-based population would consider switching to a Mac due to the privacy concerns over Microsoft’s latest platform, Windows 10. The poll arrives just after the French National Data Protection Commission (CNIL) presented Microsoft with examples late last month of how some of Windows 10’s user data collection is unwarranted. France’s reaction is just one of many reports of privacy concerns over Microsoft’s data collection. The OnePoll survey questioned 500 individuals in North America and 500 residents in the UK. It asked one simple question: If the controversial collection of user data in Windows 10 that’s causing privacy concerns would push them into considering a switch over to Mac. the survey found that 501 individuals said they “might” consider switching, while 141 individuals said they would “definitely” consider the switch. Another 358 individuals said they wouldn’t even consider it. The poll goes on to show that U.K. respondents are more concerned about the Windows 10 data collection than Americans, with 15.2% of the U.K. residents polled saying they would “definitely” consider a switch and 51.8 percent saying “maybe.” For the Americans, 13% said “definitely” and 48.4% said “maybe.” [Digital Trends]

E-Government

CA – Government of Canada Releases Cloud Adoption Strategy

The Government of Canada recognizes that a strong IT workforce and modern IT infrastructure are the backbone of better service delivery to Canadians. Treasury Board President Scott Brison has taken another step to modernize the Government of Canada’s use of IT by releasing the Cloud Adoption Strategy for public comment. This strategy prioritizes the security and privacy of Canadians while providing departments with new modern and flexible alternatives to make more efficient use of information technology. Using cloud computing services provides the Government with even more options in terms of data storage and running applications. The strategy is designed to allow the Government to select the right cloud solution for its evolving needs. This is the result of consultations with industry and provincial governments over the past two years, and a review of global trends in cloud computing. Feedback on the strategy will be collected until September 30, 2016, and will be used to finalize the Government’s approach. [Press Release] [Government of Canada Cloud Adoption Strategy | Security Control Profile for Cloud | Right Cloud Selection]

CA – General Insurance Council of Manitoba Fines Broker $1,000 For Unauthorized Access to Customer Database

The General Insurance Council of Manitoba investigated whether Basil Galarnyk violated the Insurance Act and the General Insurance Agent Code of Conduct. The broker accessed customer information 42 times without performing any transactions, without customer approval, and for no discernible reason; the broker acted in a manner that showed a lack of trust with regard to consumer privacy, and the rules for use of customer files in conducting business. [Decision of the General Insurance Council of Manitoba respecting Basil Galarnyk]

Electronic Records

US – Prominent Senator Calls for Open Access to Patient Data

U.S. Sen. Elizabeth Warren called recently for greater access to patient data created by drug and medical-device testing. “I appreciate that there are many policy, privacy and practical issues that need to be addressed in order to make data sharing practical and useful for the research community,” Warren said in an editorial in the New England Journal of Medicine, “but the stakes are too high to step back in the face of that challenge.” Counter-arguments did not involve privacy, however, but rather concern about “research parasites” and other intellectual property concerns. As a compromise, the International Committee of Medical Journal Editors has recently proposed that scientists publish research data within six months of publishing results — “stripped of any information that could identify patients.” Meanwhile, eight plaintiffs have sued a pair of anti-abortion activists in federal court to prevent their personal information from being released as part of the University of Washington’s Birth Defects Research Laboratory. [STAT]

EU Developments

WW – Morocco Launches Program for 38th DPAs Conference

This year, the International Conference of Data Protection and Privacy Commissioners will be held for the first time in an Arabic-speaking nation, when commissioners gather in Marrakech, Morocco, Oct. 17 through 20. Sam Pfeifle speaks with Morocco National Commission for the Control and Protection of Personal Data General Secretary Lahoussine Aniss about how this year’s program is designed “to show the world that privacy and data protection is taken seriously in Morocco.” [IAPP] [Program]

FOI

CA – OIPC BC Finds Disclosure of Info Related to Water Quality is in the Public Interest

The OIPC BC reviewed a complaint alleging the Ministry of Environment failed to meet its obligations under the Freedom of Information and Protection of Privacy Act. Disclosure of regulatory actions taken by a ministry body to address water contamination is clearly in the public interest; water quality and management of nitrate application was the subject of debate in the Legislature and media, the issues giving rise to significant harm to the environment, public health or safety is still ongoing, and disclosure of a summary of the information would not allow the public to assure itself that actions undertaken were appropriate. [OIPC BC – Investigation Report F16-02 – Disclosure of  Information Quality in Spallumcheen]

Health / Medical

UK – National Data Guardian Finds Healthcare Organisations Are Not Adequately Protecting Personal Data

The UK National Data Guardian reviews current approaches to data security in the National Health Services. Organisations were often confused about which data standard or principle they were to follow, 41% of all breaches reported to the ICO were from the health sector (mostly caused by employees), and there was a lack of clarity in processing responsibilities; recommendations include using appropriate tools to identify vulnerabilities (dormant accounts, default passwords, multiple log-ins from the same account), allowing opt-outs for uses beyond direct care, and stronger sanctions for malicious or intentional breaches. [UK Government – National Data Guardian for Health and Care – Review of Data Consent and Opt-Outs]

US – Federal Healthcare Rule Expands Use and Disclosure of Medicare Data

The Department of Health and Human Services issued a Final Rule to implement requirements under section 105 of the Medicare Access and CHIP Reauthorization Act of 2015, expanding availability of Medicare data: this Rule is effective September 6, 2016. Qualified entities may provide or sell combined or non-public analyses to authorized users provided that analyses are limited to de-identified data, a data use agreement has been executed, and authorized users do not use the data for marketing, harm or fraud; any violations of the terms of a data use agreement can result in an assessment being imposed by the Centers for Medicare & Medicaid Services. [Final Rule – 42 CFR Part 401 – Medicare Program – Expanding Uses of Medicare Data by Qualified Entities]

US – Cancer Database Allows Patients to Share Data Anonymously

Inspired by the Obama administration’s Cancer Moonshot Initiative, two professors joined forces to create CancerBase, a database allowing patients to share personal medical data to further cancer research. Stanford associate professor of bioengineering Jan Liphardt, Ph.D., and University of Southern California professor of medicine and engineering Peter Kuhn, Ph.D., created the database to give patients an opportunity to share their diagnosis and their location without revealing their identities. “So that’s the simple idea: A global map and give patients the tools they need to share their data — if they want to. They can donate information for the greater good. In return, we make a simple promise: When you post data, we’ll anonymize them and make them available to anyone on Earth in one second. We plan to display this information like real-time traffic data. HIPAA doesn’t apply to this direct data sharing,” said Liphardt. [Scopeblog][stanford.edu]

US – Advocate Health Care to Pay Largest HIPAA Settlement for Privacy Violations

Advocate Health Care has agreed to pay the largest HIPAA settlement ever to the Department of Health and Human Services’ Office for Civil Rights. Advocate will pay $5.55 million to settle multiple data protection violations over the last three years. The health system is also penalized for not properly assessing potential risks to its ePHI systems, and for failing to ensure the organization and its business associates had satisfactory protections for their systems. “We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure,” said OCR Director Jocelyn Samuels. [Modern Healthcare]

WW – Pregnancy-Tracking Exposes Extremely Sensitive Personal Information

Consumer Reports Labs tested Glow, a very popular menstrual cycle/fertility-tracking app, and found that the app’s designers had made a number of fundamental errors in the security and privacy design of the app, which would make it easy for stalkers or griefers to take over the app, change users’ passwords, spy on them, steal their identities, and access extremely intimate data about the millions of women and their partners who use the app. After being alerted to these problems, Glow fixed the app and re-released it. Consumer Reports has verified that the app’s known major problems have been fixed. This is the first cybersecurity audit that Consumer Reports has published, and the beginning of a wider project they’re commencing. [BoingBoing]

Horror Stories

WW – Hacker Dumps More Than 200M Yahoo Accounts On Deep Web

More than 200 million Yahoo accounts were discovered on a deep web marketplace. A hacker known by the name “Peace” dumped the data onto a marketplace called The Real Deal. Peace said the data was “most likely” from 2012, and the passwords were hashed with an MD5 algorithm. Yahoo has not confirmed whether the data is authentic, but is aware of the leak. “We are aware of a claim. We are committed to protecting the security of our users’ information and we take any such claim very seriously,” said a Yahoo representative. “Yahoo works hard to keep our users safe, and we always encourage our users to create strong passwords, or give up passwords altogether by using Yahoo Account Key, and use different passwords for different platforms.” [International Business Times]

US – Banner Health Alerting 3.7M Individuals Following Cyberattack

Banner Health suffered a cyberattack and has started to contact 3.7 million individuals whose information may have been compromised. The breach started on Banner’s credit card payment systems for food and beverage purchases, then expanded to include patient and health plan data. “The patient and health plan information may have included names, birth dates, addresses, physicians’ names, dates of service, claims information, and possibly health insurance information and Social Security numbers,” read an investigation into the breach. Banner’s Vice President of Public Relations Bill Byron said there is no evidence the data has been used in an illicit manner. In related news, retailer Kmart agreed to settle their 2014 data breach lawsuit and will pay $5.2 million to hundreds of credit unions and banks. [Modern Healthcare]

WW – Sheer Number of Devices in Use Enlarges Security Gaps in Healthcare

Hospitals that want to improve network security should carefully assess the hundreds of medical devices they’re using, including fetal monitors, medical imaging devices, electrocardiographs, lasers and gamma cameras, to name a few. Some devices hold a sizable amount of data that can be hacked; others don’t have much data, but can increase network vulnerability. Infusion pumps, for instance, don’t have a lot of data but are a gateway to the network and “have become the poster child for medical device security gone wrong,” says Stephanie Domas, an ethical hacker and lead medical device security engineer at Battelle, a large research and development organization. [Source]

Internet / WWW

WW – Study: Mobile Streaming Represents New Privacy Frontier

In their research paper, “Up, Periscope: Mobile Streaming Video Technologies, Privacy in Public, and the Right to Record,” Lehigh University’s Jeremy Littau and Texas Christian University’s Daxton Stewart examine the privacy implications of live streaming technology. They found that U.S. privacy laws have yet to adapt to the new technology and that the First Amendment likely protects the rights of those streaming, the report states. “In this study, we advocate for less legal restraint of recording and live-streaming public matters or government officials in public places, which clearly deserve First Amendment protection,” Stewart said. “But we also call for wisdom by users and tech companies in controlling the spread of materials that may be more harmful to private individuals.” [Eurekalert] See also: [Amazon plans headphones that know when someone says your name]

Law Enforcement

US – Boston Police Used ‘Stingray’ Cellphone Spying Technology Without Warrants

Boston police never obtained warrants in the 11 instances when they used “Stingray” cell-site simulators, contradicting the commissioner’s claims that officers generally obtain permission from a judge to use the devices. The New England Center for Investigative Reporting (NECIR) reported that it had obtained documents indicating Boston police were using the spying devices without obtaining warrants. While Massachusetts does not have an explicit statute prohibiting the technology, judges will often throw out evidence obtained with Stingrays if their use is deemed to violate the privacy of the defendant. Boston Police Department (BPD) Commissioner William B. Evans said during a February radio interview that officers “normally” obtain a warrant before using the technology. In fact, the department had used Stingrays 11 times since 2009 and never obtained a search warrant for their use in any of those cases. However, BPD spokesman Lieutenant Detective Michael McCarthy told NECIR that there was no contradiction, because all of the situations in which the devices were used were considered to be emergencies. [RT]

US – Body Camera Scorecard Reveals Nationwide Failure to Promote Transparency and Accountability

An updated body camera scorecard highlights a disturbing state of affairs in body camera policy that lawmakers should strongly resist. A majority of the body camera policies examined by Upturn and the Leadership Conference on Civil and Human Rights received the lowest possible score when it came to officer review of footage and citizens alleging misconduct having access to footage, meaning that the departments were either silent on the issues or have policies in place that are contrary to the civil rights principles outlined in the scorecard. Such policies do not promote transparency and accountability and serve as a reminder that body cameras can only play a valuable role in criminal justice reform if they’re governed by the right policies. Upturn and the Leadership Conference on Civil and Human Rights looked at the body camera policies in fifty departments, including all departments in major cities that have either outfitted their officers with body cameras or will do so in the near future. Other departments that were scored include departments that received at least $500,000 in body camera grants from the Department of Justice as well as Baton Rouge Police Department and the Ferguson Police Department. Body cameras can only be tools for increased transparency and accountability in law enforcement with the right policies in place. Unfortunately, Upturn and the Leadership Conference on Civil and Human Rights’ scorecard reveals not only that many departments have poor accountability and transparency policies but also that the Department of Justice does not review these policies as disqualifying when it comes to body camera grants. [CATO] Also See: [Police body cam policies in San Jose and Oakland are flawed, report says | Police body cameras can provide accountability, but also risk, study finds | Harsh Consequences Required for Officers Who Fail to Activate Body Cameras]

Online Privacy

WW – Massive New Study Lifts the Lid on Top Websites’ Tracking Secrets

So, just how tracked are you? Plenty, according to the largest, most detailed measurement of online tracking ever performed: Princeton University’s automated review of the world’s top 1,000,000 sites, as listed by Alexa. To begin, huge numbers of folks are trying to track you: 81,000+ third-party trackers appeared on at least two of the top million sites. However, only 123 trackers showed up on at least 1% of those sites: “The number of third parties that a regular user will encounter on a daily basis is relatively small. [Moreover], all of the top 5 third parties, as well as 12 of the top 20, are Google-owned… Google, Facebook, and Twitter are the only third-party entities present on more than 10% of sites.” The researchers find “a trend towards economic consolidation” – fewer but larger third-party trackers. In their opinion, that’s actually good news for privacy advocates, as these “are large enough entities that their behavior can be regulated by public-relations pressure and the possibility of legal or enforcement actions.” According to the Princeton review, news, arts, and sports sites track the most, which typically provide content for free and “lack an external funding source, [and] are pressured to monetize page views with significantly more advertising.” The sites that track the least belong to government organizations, universities, and non-profit entities… websites [that] may be able to forgo advertising and tracking due to the presence of funding sources external to the web.” Oh, and adult sites, too. Next, the researchers turned to fingerprinting: techniques for individually identifying anonymous site visitors based on the unique characteristics of their hardware and software. (Check out our detailed primer on fingerprinting here.) The researchers wanted to know: Is it really being used in the wild? How widely? Which techniques? The reseachers say privacy tools like Ghostery do a nice job of protecting against standard tracking scripts from widely-used third-party trackers. However, they sometimes miss more obscure scripts using these emerging, exotic techniques. Since they’ve open-sourced OpenWPM, anyone can use it. That includes academics: it’s already been part of seven published studies. It also includes site owners who want to know what third-party trackers are doing on their sites. And it especially includes journalists and activists. [Naked Security]

CA – Ontario Defendant in Revenge Porn Case Seeking a Do-Over: Porter

How much is a lifetime of public humiliation worth? Ontario Superior Court Justice David Stinson pegged it at precisely $141,708.03 in January. That’s how much he ruled a young man had to pay his ex-girlfriend for the shame and psychological suffering he’d caused her by posting an intimate video of her on pornhub.com. He called it “college girl pleasures herself for ex boyfriends delight.” The decision set a new path for revenge porn victims. Since 2014, when Parliament passed the revenge porn law, victims can go to police and hope the jerk who put their images online without their permission lands in jail. But with Stinson’s ruling, they could also pursue some civil justice — cash, and a lot of it. He set the bar high, awarding the young victim the maximum damages — enough to pay her lawyer, and cover therapy bills for years of shame, fear, distrust … [Toronto Star]

Other Jurisdictions

EU – US Cloud Services Seeing Major Growth in Europe

U.S. cloud computing businesses is growing in Europe, despite pressure on European companies to keep sensitive data within the continent. The U.S. growth stems from European companies moving cloud computing needs to outside providers, with American organizations offering lower prices and the ability to rapidly put out new services and upgrades. Four U.S.-based businesses, for example, own 40 percent of the European market share, and more than a dozen new U.S. data centers have been built in Europe over the past couple of years, convincing European businesses U.S. providers can protect their data. “On paper, European companies should be poised to take advantage of this growth. But they are less nimble,” said RBC Capital Markets Senior Analyst Jonathan Atkin. [The Wall Street Journal]

Privacy (US)

US – FTC Issues Warnings to Companies Claiming APEC Privacy Certification

The FTC has issued warning letters to 28 companies claiming to be certified participants in the Asia-Pacific Economic Cooperative Cross-Border Privacy Rules system. This is an important reminder for companies, including Canadian companies, that the use of international certifications is something in which regulators take a keen interest. The FTC did not release the names of the organizations to which it sent letters. This gives the organizations a chance to demonstrate compliance and revise their websites and thereby avoid the reputational damage associated with being publicly cited by the regulator. However, the fact that the FTC publicized the issuance of the warning letters likely indicates that it views the problem of unsubstantiated certifications as an issue which needs to be addressed. [Cyberlex]

US – White House Announces New Drone Initiatives

Following a report on privacy by design in drones, the White House announced it will work on strengthening the integration of the technology by hosting workshops and deploying drones in different scenarios. The White House Office of Science and Technology Policy said the work will build on the Federal Aviation Administration’s drone rules from earlier this year. Reaction to the announcement was mixed: “Today’s announcement is another important step forward in realizing the enormous potential of unmanned aerial systems, and will help speed up our development and adoption of this technology, which still lags behind other countries,” said Sen. Mark Warner, D-Va. However, Sen. Ed Markey, D-Mass., expressed concern: “While I am pleased that the White House continues its efforts to safely integrate drones into our national airspace, when it comes to drone privacy, we are still essentially flying blind As more drones take flight, voluntary privacy guidelines and best practices are simply not enough.” [Broadcasting & Cable] See also: [FPF, Intel, PrecisionHawk advocate for privacy by design framework in drones] and May 2016 stakeholder-drafted Voluntary Best Practices for UAS Privacy, Transparency, and Accountability. And [New Hampshire town hit with wave of drone complaints]

US – Jimmy Carter Defends Edward Snowden, Says NSA Spying Has Compromised Nation’s Democracy

Former President Jimmy Carter announced support for NSA whistleblower Edward Snowden this week, saying that his uncovering of the agency’s massive surveillance programs had proven “beneficial.” Speaking at a closed-door event in Atlanta covered by German newspaper Der Spiegel, Carter also criticized the NSA’s domestic spying as damaging to the core of the nation’s principles. “America does not have a functioning democracy at this point in time,” Carter said,according to a translation by Inquisitr. No American outlets covered Carter’s speech, given at an Atlantic Bridge meeting, which has reportedly led to some skepticism over Der Spiegel’s quotes. But Carter’s stance would be in line with remarks he’s made on Snowden and the issue of civil liberties in the past. [Huffington Post]

US – Judge Blasts FBI for Bugging Courthouse, Throws Out 200 Hours of Recordings

The FBI violated the Fourth Amendment by recording more than 200 hours of conversation at the entrance to a county courthouse in the Bay Area, a federal judge has ruled. Federal agents planted the concealed microphones around the San Mateo County Courthouse in 2009 and 2010 as part of an investigation into alleged bid-rigging at public auctions for foreclosed homes. In November, lawyers representing five defendants filed a motion arguing that the tactic was unconstitutional, since the Fourth Amendment bans unreasonable searches. “[T]he government utterly failed to justify a warrantless electronic surveillance that recorded private conversations spoken in hushed tones by judges, attorneys, and court staff entering and exiting a courthouse,” US District Judge Charles Breyer wrote in an order published this week. “Even putting aside the sensitive nature of the location here, Defendants have established that they believed their conversations were private and they took reasonable steps to thwart eavesdroppers.” Breyer concluded that the disputed evidence must be suppressed. At a hearing next week, he’ll consider whether the recordings tainted the rest of the prosecution’s case. [Source]

Privacy Enhancing Technologies (PETs)

WW – Energy Monitoring Device Without the Cloud Sharing from MIT

MIT says it has the answer to those concerned with Google Nest’s privacy practices: an energy-monitoring device that measures in-home energy usage without sending data into the cloud. The system uses a wireless, sensor-based approach to energy measuring, the report states. “MIT electrical engineering professor Steven Leeb was particularly impressed with the team’s discovery that energy monitoring can be achieved despite keeping data within the home,” the report adds. “The system only releases ‘small subsets’ of data for cloud processing, which addresses bandwidth and privacy concerns.” If made commercially available, the device would cost an estimated $30 per household. [ZDNet]

RFID / IoT

US – NTIA Announces IoT Security and Education Initiative

The National Telecommunications & Information Administration has announced a new multistakeholder process to help consumers understand the security measures in internet of things devices and ensure security upgrades and patches are appropriately maintained. “The goal of the new multistakeholder process will be to promote transparency in how patches or upgrades to IoT devices and applications are deployed,” said NTIA Deputy Assistant Secretary for Communications and Information Angela Simpson. “Potential outcomes could include a set of common, shared terms or definitions that could be used to standardize descriptions of security upgradability or a set of tools to better communicate security upgradability.” The NTIA is encouraging “broad participation and diverse perspectives” and hopes to have its first meeting in early fall. [NTIA]

Security

WW – Most Healthcare Breaches Can Be Traced to One of Three Factors

Those include losses or thefts of laptops; improper or criminal accessing of credentials to information systems; and unintentional errors, such as sending sensitive information to the wrong person, according to Verizon Enterprise Solutions. [Information Management]

Surveillance

WW – Database Tracks Surveillance Companies Around the World

Privacy International has a new searchable database allowing users to find information on hundreds of surveillance companies around the globe. The Surveillance Industry Index possesses information on more than 520 surveillance companies, while also having information on the technology they have sent to government agencies and telecommunications companies. “State surveillance is one of the most important and polarizing issues of our time, yet the secrecy around it means it’s a debate lacking reliable facts,” said Privacy International Research Officer Edin Omanovic. “Understanding the role of the surveillance industry, and how these technologies are traded and used across the world, is crucial to not only understanding this debate, but also fostering accountability and the development of comprehensive safeguards and effective policy.” [The Verge]

US – Disney Obtains Patent to Track Theme Park Guests Through Their Feet

The U.S. Patent and Trademark Office has issued Walt Disney Co. a patent for a new type of technology: A system that can track theme-park guests through their feet. According to information supplied to the patent agency, sensors and cameras would help identify particular visitors, and the data “can be used to output a customized guest experience” including photographs. Theme parks could also use such a system to mine data about common paths from ride to ride. The company can already track guests at Walt Disney World who use MagicBands, RFID bracelets that function as theme-park tickets, FastPasses, hotel keys and credit cards. Current methods of tracking guests and matching them up “are limited to rather invasive methods, such as retinal and fingerprint identification methods,” the patent information said. “These methods are obtrusive and some guests may not feel comfortable providing this type of biometric information to a third party.” The company says that there are no immediate plans to use such a system. This project is part of Disney’s ongoing innovative research process, the company said, and many projects it explores may never actually end up in the parks. [Orlando Sentinel]

Telecom / TV

US – Comcast Asks FCC to Shoot Down Rules Prohibiting ‘Pay-For-Privacy’ Pricing

Comcast has sent a filing to the Federal Communications Commission requesting the agency to shoot down proposed rules stopping broadband providers from charging higher fees to customers declining behaviorally targeted ads. “A bargained-for exchange of information for service is a perfectly acceptable and widely used model throughout the U.S. economy, including the internet ecosystem, and is consistent with decades of legal precedent and policy goals related to consumer protection and privacy,” Comcast writes. The provider says prohibiting a pay-for-privacy pricing system “would harm consumers by, among other things, depriving them of lower-priced offerings,” while adding the FCC “has no authority to prohibit or limit these types of programs.” [MediaPost]

US Government Programs

US – Appointees named to New Evidence-based Policymaking Commission

All 15 appointees to the Evidence-Based Policymaking Commission have been named. The commission will determine whether the federal government should establish a clearinghouse for program and survey data, what data should be included in the clearinghouse, and which qualified researchers from both the private and public sector could access the data to perform program evaluations and related policy research. The commission will also study how best to ensure confidentiality of data and protect individuals’ privacy. See also: [H.R.1831 – Evidence-Based Policymaking Commission Act of 2016]

US – Student Data Policymaking Recommendations issued

DQC released its policy recommendations for state policymakers in April, and followed that up with district and federal recommendations. Each set of policy recommendations includes student data privacy and directs policymakers to align their policies across federal, state and district levels in four priority areas:

  • Measure What Matters
  • Make Data Use Possible
  • Be Transparent and Earn Trust
  • Guarantee Access and Protect Privacy

US – OMB Releases Updated Circular A-130

The Office of Management and Budget has released an update to Circular A-130, requiring every federal agency to, among other things, appoint a senior agency official for privacy, provide privacy training and conduct Privacy Impact Assessments. Under FISMA all NIST FIPS documents are now required. The 800 series documents are also going to be used by OMB as “best practices” when conducting their audits. Implementing these NIST standards is going to be quite a lot of work for most agencies. [FedScoop] [OMB] [Circular A-130] [Wikipedia on Circular A-130]

+++

 

 

21-28 July 2016

Biometrics

CA – The RCMP is Trying to Sneak Facial and Tattoo Recognition into Canada?

In November of 2015, the Royal Canadian Mounted Police had a problem. At the time, the US FBI had been using its massively controversial database of biometric information—photos of people’s faces, tattoos, iris scans, and more—at “full operational capacity” for about a year. The RCMP, on the other hand, was stuck with a national fingerprint database that didn’t allow officers to scan and search people’s faces or other body parts. Canada’s federal police force was falling behind its southern counterpart. The RCMP had “no authority” to support new capabilities for its nationwide Automated Fingerprint Identification System, or AFIS, according to an internal presentation from November 24 of 2015 obtained through an access to information request. Still, the police felt a pressing need to improve “interoperability with international partner systems”—in other words, to make sure their system meshed with what police in other countries were doing—but lacked an opportunity to do so. Undeterred, the RCMP went ahead and began working to procure a new AFIS system that could analyze and capture faces, fingerprints, palm prints, tattoos, scars, and irises—all without clear authorization or approval by the country’s federal privacy watchdog, or even a plan to implement it.  So, yeah, the RCMP is trying to bring biometric identification to Canada without anybody noticing. “There are no immediate plans to use facial recognition features,” RCMP spokesperson Annie Delisle wrote. “The priority for the RCMP is to replace AFIS. Once the new AFIS is operational, the RCMP may consider the use of facial recognition features.” According to Delisle of the RCMP, “There is currently no RCMP policy with regards to the use and retention of facial recognition images. In the event a new service requirement is identified in the future, consultation with the Office of the Privacy Commissioner of Canada would first be initiated.” The OPC has not received any privacy impact assessments from the RCMP relating to the use of facial recognition technology, an OPC spokesperson said. “[Motherboard]

WW – Snapchat Turns Facial Recognition Technology on its Head

While facial recognition technology is often criticized for invading people’s privacy, smartphone messaging company Snapchat is looking at how it can use the same technology to enhance the privacy of its users. Snapchat has filed a patent for a technology that automatically modifies a photo and restricts its distribution according to the privacy settings of the photo’s subjects. Facial recognition is very different to the object recognition used in Snapchat lenses. Object recognition simply uses algorithms to understand the general nature of objects within a photo so users can add real-time special effects and sounds to them. With a new facial recognition feature, Snapchat users would be able to dictate how and where images of them are displayed. Here’s how it would work:

  1. You take a photo.
  2. Snapchat scans it to work out if any of the faces belong to its users.
  3. If any do, it checks their privacy settings.
  4. Their face or body would be altered according to their privacy setting.
  5. The modified image would then be shared according to the subjects’ privacy settings.

For facial recognition to work, Snapchat would need to store images of all users that sign up to the feature – as a reference image to compare photos against. [Source]

Big Data

AU – OAIC Asks for Public Comment on Big Data Draft Guide

The Office of the Australian Information Commissioner is looking for public comment on a draft guide on big data. The OAIC Draft Guide aims to assist big data activities across public and private sectors, while ensuring personal information is protected under the Australian Privacy Principles. In order to have a balance between big data use and privacy protection, the Draft Guide advises APP entities to “introduce a holistic approach of ‘privacy by design’ to embed privacy protection in their cultures, practices, processes, systems and initiatives; conduct privacy impact assessments as part of their risk management and planning processes; and consider whether de-identified information can be used before undertaking any big data activities involving personal information.” The Draft Guide also mentions big data privacy issues, including notice and consent, retention minimizations, and use limitations. [Image & Data Manager]

WW – Victoria Commissioner Tapped for UN Big Data Study

Joe Cannataci, U.N. special rapporteur for privacy, has asked Victoria, Australia, Privacy Commissioner David Watts to lead a study looking at big data and open data and how they affect the right to privacy globally. According to the report, the study “will seek to bed down a globally recognized definition of big data, plus a list of its benefits, risks, and the kinds of management frameworks that could be endorsed as best practice on the international stage.” Watts will remain in his capacity in Victoria during the study. A report will be delivered to the U.N. General Assembly in October 2017. [iTnews]

Canada

CA – OPC/OIC Releases Annual Reports on the Privacy Act

The Office of the Privacy Commissioner of Canada has published its annual reports on the privacy and the access to information acts. Both the short reports are short (22 pages0 and provide overviews of the OPC mandate, governance structure and activities, with statistical breakdowns and charts. [2015-16 Annual Report to Parliament on the Privacy Act | PDF] [2015-16 Annual Report to Parliament on the Access to Information Act | PDF]

CA – OPC Announces Funding for 2017 Privacy Research Symposium

The Office of the Privacy Commissioner of Canada (OPC) has issued a call for proposals seeking applicants to organize and host the next research symposium in the Office’s Pathways to Privacy series. The OPC is inviting academic institutions and not-for-profit organizations, including industry associations and trade associations, eligible under its Contributions Program to submit proposals to organize and host an event to be held between January 15 and March 31, 2017. The proposed event should put a strong emphasis on innovation, in terms of both format and themes. The content should prominently feature previously funded projects under the Contributions Program and address one or more of the OPC’s privacy priorities: Economics of Personal Information, Government Surveillance, Reputation and Privacy, and Body as Information. The goal of the Pathways to Privacy series is to expand the reach and application of existing privacy research and knowledge translation projects, so that more people can benefit from this work. It also promotes and encourages a dialogue between the people who do privacy research and those who can apply it in the private or public sectors. There is a maximum of $50,000 available for this initiative. Eligible organizations must submit proposals in accordance with the established parameters, as outlined in the Applicant’s Guide, by August 15, 2016.

CA – Annual Report On CSE Activities Begins in Parliament

The Annual Report of the Communications Security Establishment Commissioner began in Parliament. The Honourable Jean-Pierre Plouffe’s report reviews the CSE’s activities to determine if the organization complied with Canadian law and protected the privacy of Canadian citizens. “Transparency continues to be a cornerstone of my approach, to inspire better informed public discussion and maintain confidence in the work of CSE. As such, I am committed to providing as much explanation as possible with respect to my investigations,” Plouffe said. “I have continued to encourage CSE to make as much information public as possible.” [Yahoo]

CA – New Privacy Commissioner of Newfoundland and Labrador Named

The provincial government of Newfoundland and Labrador named Donovan Molloy as its new information and privacy commissioner. A St. John’s lawyer and former assistant deputy justice minister, Molloy replaces former commissioner Ed Ring, who retired in June. “I am confident that his leadership abilities, senior executive experience and extensive legal background will serve the office well,” said Speaker Tom Osborne. The provincial government announced the new appointment Thursday and said Molloy officially takes over the position July 22. [CBC News]

CA – Overview of Proposed National Security Laws

A few weeks ago, the government of Canada introduced three bills in Parliament dealing with national security issues. One bill proposes a new National Security and Intelligence Committee for greater oversight of the intelligence community and the other proposals aim to continue strengthening Canada-U.S. cooperation at the border. Timothy Banks writes for Privacy Tracker about these bills, including the authority of the proposed committee and whether the new legislation will set the stage for expanded biometric screening of individuals heading from Canada into the U.S. [Privacy Tracker]

CA – Toronto Real Estate Board Gets Extension On Sales-Data Deadline

Canada’s Federal Court of Appeal has granted the country’s largest real estate board temporary relief from an impending deadline to make home-sales data more widely available online. In a decision published on the court’s website, Appeal Justice Mary Gleason ruled that the Toronto Real Estate Board would not be required to meet an Aug. 3 deadline issued by Canada’s Competition Tribunal to make data such as a home’s selling price available to the public over the Internet. In April, the Tribunal ruled that the real estate board’s restrictions on how its members share electronic home-sales data from the Multiple Listings Service was stifling competition and innovation in the Greater Toronto Area’s resale housing market. Under TREB’s existing rules, realtors were free to share details about the housing market with their individual clients, but were not allowed to publish such data in bulk on publicly accessible websites. [Source]

CA – Sask Updating FOIP & LAFOIP: Bills 30 and 31 Amendments

At a June 28 news conference presenting his 2015-16 annual report, Saskatchewan privacy commissioner Ronald Kruzeniski said he was pleased the government was updating the acts. “The first reason is because of the time since they were last amended, which is way too long for any legislation to not be looked at,” said Kruzeniski. “Secondly, we made proposals, and a good number, but not all, have shown up in the proposed amendments.” Maybe it’s a remnant of Saskatchewan’s old “party line” tradition where neighbours used to listen in on each other’s calls on shared phone lines, but as a province, our privacy and access to information track record is not good. IPC Kruzeniski flagged several amendments as highlights in Bill 30 and 31, including a duty to assist. “A public body has an obligation when an access request comes in to deal with it openly, accurately and completely,” he said. “Other provinces have this duty, and I’m pleased to see it’s there. My hope is that by public bodies communicating with those who request information that the issue gets solved so fewer people have to launch appeals with our office.” The amendments also introduce a duty for public bodies to report any breaches that occur so the affected party can take protective action, and broaden the definition of “employee” to include consultants and contractors who work for public bodies on service contracts. Considering how much outsourcing there is these days, that’s a no-brainer. [Source]

E-Government

US – State Supreme Court to Consider the Privacy of Government Metadata

Noah Feldman examines the role metadata plays when determining the privacy rights of the government and the public based on a lawsuit currently in front of the New Jersey Supreme Court. The case was brought by Open Government Advocacy Project Chairman John Paff, who has demanded the email logs — their metadata, not content — of government officials under New Jersey’s Open Public Records Act. According to Feldman, the “lawsuit in effect asks: if metadata isn’t that private, why not give the public access to the government’s records of who contacted whom, and when?” In defense of the government, lawyers have essentially echoed concerns of privacy advocates, stating that metadata reveals a lot about an individual and “would compromise confidentiality.” Privacy advocates have long called for more metadata protections for citizens. Feldman notes that the public shouldn’t get the metadata of government officials because of how much is revealed, but adds, “the police have something like the same privacy interests in their communications metadata that you and I should have in ours.” [Bloomberg View]

US – OMB Now Requires Privacy Head, Training, PIAs for All Agencies

The Office of Management and Budget will release on July 28 in the Federal Register an update to Circular A-130, a document that regulates how the federal government manages its information, the White House said in a press release. “Today’s update to Circular A-130 gathers in one resource a wide range of policy updates for federal agencies regarding cybersecurity, information governance, privacy, records management, open data, and acquisitions,” the release states. Most interesting for privacy professionals, the new regulations now require every federal agency to appoint a senior agency official for privacy, provide privacy training, conduct PIAs, maintain an inventory of PII, and actively limit the collection, use, storage, and processing of PII. [WhiteHouse.gov]

E-Mail

CA – CRTC Enforcement Advisory: Remember, You Must Have Records To Prove Consent

The CRTC has issued an enforcement advisory to both businesses and individuals that send commercial electronic messages (CEMs) to keep records of consent. The CRTC reminded senders of CEMs that section 13 of Canada’s anti-spam legislation (CASL) places the onus on the sender to prove they have consent to send every single CEM. The advisory made a point to note the CRTC has observed businesses and individuals unable to demonstrate they have obtained consent before sending CEMs. Failure to meet record keeping requirements has been alleged in recent CRTC enforcement decisions against organizations. However, today’s enforcement advisory may suggest the CRTC is finding record keeping to be a widespread concern, warranting this advisory. Record keeping is one of the most contested provisions under CASL as the financial, organizational and technical burden weighs on senders to meet the high record-keeping standards set by the CRTC. Having the record keeping requirements on the CRTC’s radar adds further urgency to ensure a sender’s compliance program is sufficient. The CRTC emphasized in its advisory that good record-keeping practices can assist senders establish a due diligence defense in the case of a violation under CASL. Violations of CASL may result penalties of up to CAD $1,000,000 for individuals, and up to CAD $10,000,000 for organizations. [Source] [CRTC’s guidelines to help develop a corporate compliance program.]

US – Court Orders Yahoo to Explain Email Access in Drug Trafficking Case

Magistrate Judge Maria-Elena James has requested Yahoo explain how it accessed emails that were thought to be deleted for use in a case against a U.K. drug trafficker. The plaintiff “claims Yahoo circumvented British law and included four ‘snapshots’ of content from the email account,” as he never actually sent an email through the service, the report states. While “Yahoo claims the ‘snapshots’ were files created by the company as part of its email autosave feature, which keeps versions of email drafts on its email server for ‘periodic intervals,’” the attorney maintains that Yahoo broke British surveillance law. Yahoo must respond to the court order by Aug. 31. [Threatpost]

WW – Yahoo Still Retains a Copy of Your Emails After They Are Deleted From Your Inbox

Yahoo’s ‘auto-save’ feature saves a copy of emails even after they have been deleted from Trash and Draft. A judge is now demanding that Yahoo explicitly define how it is able to retrieve deleted emails. The email provider is ordered present a witness and provide documents on how the email retention system works, as well as a copy of the software’s source code and instruction manuals used by Yahoo staff on how to retrieve the emails. Yahoo has argued that it is able to recover the emails via its “auto-save” feature, which creates snapshots of an email account preserving its contents at a certain date, and that it provided law enforcement with four snapshots from the Yahoo account used by Knagg and his accomplice. [IBTimes]

Electronic Records

UK – Government Consults on Data Security Standards and Data Sharing in the Health Sector

On 6th July, the UK Government published two independent reviews concerning data security and data sharing in the health and care system in England. At the same time the UK Government launched a public consultation on proposals resulting from these reviews. The public consultation will be of interest to organisations that regularly interact with the public health sector in the UK and in particular to those organisations that rely on access to health data from the NHS for research purposes. The two independent reviews are the:

  • Care Quality Commission review of data security in the NHS; and
  • Dame Fiona Caldicott’s (who is the National Data Guardian for Health and Care) review of data security, consent and opt-outs (the ‘Caldicott Report’).

The Care Quality Commission is the independent regulator of health and social care in England and is responsible for ensuring health and social care services are safe and effective through its monitoring and inspection activities. In its report examining data handling within the health sector, the CQC’s findings indicated that the main areas of concern are leadership, behaviours and systems. Accordingly, the CQC recommendations focus on senior leadership, staff training and support, patient-designed IT systems, audits and external validations as well as ensuring that the proposed new data security standards come within the CQC’s monitoring remit. The Caldicott Report acknowledges that the public still finds the data sharing model within the health sector confusing and that the case for data sharing still needs to be made to the public. At the heart of the proposals for data sharing are the principles of transparency and control. In other words, giving individuals clearer information on how their personal data can be used and a greater degree of control through a new consent/opt-out model. [Source]

EU Developments

EU – Article 29 Working Party Releases ePrivacy Directive Opinion

The Article 29 Data Protection Working Party has released its opinion on the evaluation of the ePrivacy Directive. “The Article 29 Working Party (WP29) supports the European Commission’s recognition of the need to have specific rules for electronic communications in the EU,” the opinion read. The Article 29 opinion also discussed how the ePrivacy Directive must not undermine the General Data Protection Regulation. “The revised ePrivacy instrument should keep the substance of existing provisions but make them more effective and workable in practice, by extending the scope of the rules on geolocation and traffic data to all parties, while simultaneously introducing more precisely defined conditions that take the intrusiveness of the processing of communication data to the private life of users thoroughly into account,” the group states. [EU Opinion]

EU – EDPS Publishes ePrivacy Directive Opinion

European Data Protection Supervisor Giovanni Buttarelli has expressed favor for strong encryption and against the use of backdoors within the revised ePrivacy law in his published opinion on the ePrivacy Directive on July 25. “Decryption, reverse engineering or monitoring of communications protected by encryption should be prohibited,” Buttarelli wrote. “In addition, the use of end-to-end encryption should also be encouraged and when necessary, mandated, in accordance with the principle of data protection by design.” He also maintained that the law’s encryption protections should include over-the-top service providers in addition to “publicly available electronic communication services,” the report states. [Ars Technica]

EU – Article 29 Working Party Issues Statement on Privacy Shield

The official group of the EU’s data protection authorities, the Article 29 Working Party, issued a statement on the EU-U.S. Privacy Shield. Though they commend the European Commission and U.S. Department of Commerce, the group still has concerns, particularly with regard to a lack of clarity on automatic decisions in the commercial sector and access by government authorities to EU citizens’ data. “The first joint annual review will therefore be a key moment for the robustness and efficiency of the Privacy Shield mechanisms to be further assessed,” the document states. Significantly, WP29 said the results of the first joint review “regarding access by U.S. public authorities to data transferred under the Privacy Shield may also impact transfer tools such as Binding Corporate Rules and Standard Contractual Clauses.” The group said in the intervening year it will commit to “proactively and independently assist data subjects” and work to provide guidelines to data controllers as to their obligations under Shield. [Europa] [A29WP promise one-year moratorium on Privacy Shield litigation]

EU – CNIL Formally Orders Microsoft to Limit Windows 10 Data Collection

The French data protection authority, the CNIL, has formally ordered Microsoft to alter the data collection practices in its Windows 10 operating system within the next three months, according to an official CNIL press release. Between April and June 2016, the CNIL “carried out seven online observations” and queried the company on “certain points of its privacy policy to check that Windows 10 complied with the French Data Protection Act,” the release states. The formal notice applies to France only, the CNIL points out, noting that other European data protection authorities are still conducting their own investigations. The CNIL also points out that “formal notices are not sanctions and no further action will be taken if the company complies with the Act” within the three months allotted. Microsoft VP and Deputy General Counsel David Heiner said it will work with the CNIL to fully understand the regulator’s concerns and “to work toward solutions that it will find acceptable.” [CNIL.fr]

Facts & Stats

WW – 75% of US Firms Have Failed to Detect Breach: Ponemon Study

Nearly two-thirds (60%) of US firms believe some of their data is now in the hands of a competitor because of a breach, according to a new study from Ponemon Institute. These “knowledge assets” could include profiles of high-value customers, product design, development and pricing, pre-release financial reports, strategic plans, and confidential information about existing relationships or anticipated transactions, according to the report. In fact, three-quarters (74%) of the 600 respondents to the study, carried out on behalf of law firm Kilpatrick Townsend, claimed that their firm had failed to detect a breach involving such assets. [Infosecurity Magazine]

Filtering

WW – Microsoft Approved 63% of Revenge-Porn Takedown Requests

Within six months of instituting a revenge-porn removal policy, Microsoft received 537 content removal requests from around the world, approving 63% of them, Microsoft reports in a blog post. The rest were denied, mainly because the content was not deemed revenge porn. The company added that it wanted to make the process continually easier for victims to report abuse. Meanwhile, Microsoft has announced it will adopt the EU-U.S. Privacy Shield, Out-Law.com reports, while company President and Chief Legal Officer Brad Smith discusses Microsoft’s recent win in the Irish data-storing appeals case in an interview with The Washington Post. [Full Story]

FOI

WW – Audit: Every Piece of Sensitive Data Could Have 1,000 Unnecessary Copies

An Identity Finder audit conducted at a multinational manufacturer, university, and health care tech company claims that unmanaged sensitive data will “will create up to 1,000 unnecessary copies.” It also found that for every accessor of unmanaged sensitive data, “up to 100 additional users will have access to it,” the audit states. Identity Finder CEO Dr. Jo Webber urged companies to identify their sensitive data and “start taking control by automatically classifying it according to [their] rules and policies.” This “should be able to remove extra, unneeded copies; stop additional spread at the time of creation; and apply appropriate controls and protection over needed copies,” she said. [Network World] [Betanews] See also: Study reveals security gap in big data projects

Health / Medical

WW – Concerns Raised and Addressed About Health Research Apps

Privacy concerns have been raised regarding apps created using Apple’s relatively new ResearchKit, which connects health researchers with patients willing to provide data for studies, often collected via the iPhone’s various sensors. GlaxoSmithKline, for example, has released a new arthritis study that gets 300 patients to do wrist exercises and record their experiences. The article raises concerns about re-identification of anonymous data, and the company doing much of the anonymizing is clear that perfect de-identification is virtually impossible. There is also some concern from a bioethicist about how informed the consent is, given a nine-page pdf in 12-point font explains data use, though a GSK spokeswoman’s response added as an update seems to address that concern. Finally, there is a question as to whether the for-profit ethical review board is appropriate for the app’s creation, though another update makes clear that GSK also conducted two separate internal reviews. [Gizmodo]

WW – Apple’s Health Experiment Is Riddled With Privacy Problems

Pharmaceutical giant GlaxoSmithKline (GSK) has partnered with Apple on a new clinical study on rheumatoid arthritis. The study relies on an iPhone app to collect data about arthritic symptoms from users as they go about their daily lives. That sounds great at first glance, but how well will it protect your privacy? The app was built by the London-based GSK using Apple’s ResearchKit, an open source software framework to transform your iPhone into a handy diagnostic tool for clinical studies. Launched last year, ResearchKit is designed to make it easier for medical researchers to access data about millions of potential subjects. As Lifehacker’s Alan Henry wrote at the time, “The platform aims to give anyone with an iOS device the opportunity to participate in medical research, join programs that can help them track their symptoms, or share information with their doctors.” So far there are just a handful of ResearchKit apps tied to clinical studies, but the GSK partnership is the first time Apple has joined forces with a major drug company. The Patient Rheumatoid Arthritis Data from the Real World (PARADE) study will use its app to track the mobility of over 300 participants suffering from rheumatoid arthritis, including information on their level of joint pain, fatigue, and changing moods. No drugs are being tested. Rather, the app guides users through a simple wrist exercise, with the iPhone’s built-in sensors recording data from that motion. That data may help Glaxo design better clinical trials in the future. [Source]

US – ProPublica Publishes Hundreds of OCR Closing Letters

Investigative news outlet ProPublica is releasing hundreds of closing letters issued to providers by the U.S. Department of Health and Human Services’ Office for Civil Rights. When the OCR fines a company for violating HIPAA, it issues a press release with details, but, the report points out, the agency sends thousands of letters per year to providers to resolve complaints about possible HIPAA violations. The letters tend to remind providers of legal requirements and provide advice on how to ameliorate any issues they have uncovered. Though the OCR could make such letters public, it chooses not to. “As part of its examination into the impact of privacy violations on patients,” the report states, “ProPublica has posted about 300 of these ‘closure letters’ in our HIPAA Helper tool.” The goal is to allow users to “review the details of these cases and track repeat offenders.” ProPublica said it obtained the letters through Freedom of Information Act requests. [ProPublica]

Horror Stories

US – Medical Center Settles With OCR For $2.75M After 2013 Breach

The University of Mississippi Medical Center has agreed to pay the Department of Health and Human Services’ Office for Civil Rights $2.75 million after a laptop theft in 2013 put data of 10,000 patients at risk, the Hattiesburg American reports. While the information was allegedly not accessed or disclosed, an OCR investigation found the medical center had known about lax security standards since 2005, the report states. “We have learned from this experience and are working hard to ensure that our information security program meets or exceeds the highest standard,” said Vice Chancellor for Health Affairs Dr. LouAnn Woodward in statement. The UMMC will further commit to an OCR-sanctioned three-year HIPAA corrective program, as per the settlement. [Full Story]

WU – Five Million Danish ID Numbers Sent to Chinese Firm

The Danish Data Protection Agency (Datatilsynet) said that the CPR numbers of 5,282,616 people were mistakenly delivered to the Chinese Visa Application Centre, a Copenhagen-based Chinese company. The CPR numbers and health information of 5.3 million residents was sent to a Chinese company. If you lived in Denmark between 2010 and 2012, it’s almost certain that your personal identification number (CPR number) and health information ended up in the hands of a Chinese company. SSI acknowledged that “we are talking about sensitive personal data of a very extensive character and it cannot be ruled out that it could have had concrete consequences for the affected individuals if the information had actually reached unauthorized individuals”. [The Local Denmark]

Identity Issues

UK – Govt Tests Whether ‘Online Activity History’ Can Serve to Verify Identity

The UK government has tested whether internet users’ “online activity history”, including data from social networks, can be used to verify their identity when they use online public services. Under the Verify system, individuals using government online services choose a certified ID assurance provider with which to verify their identity. This involves answering security questions and entering a unique code sent to an individuals’ mobile number, email address or issued in a call to their fixed-line telephone number. [Out-Law]

WW – Spotify Sharing Data on 70M Users for New Marketing Initiative

The Christian Science Monitor reports on Spotify’s plan to incorporate user data in a new personalized marketing initiative. The streaming music service will use the data collected on its 70 million free subscribers to generate targeted, automated advertising. The data will integrate users’ age, gender, location, music preferences and behavioral habits, allowing advertisers to send ads to specific demographics. The new process will allow advertisers to buy ads in real time, a major step in digital advertising, the report states. However, Spotify’s new method will be examined by concerned privacy advocates. “If, as advertisers claim, consumers are truly interested in receiving targeted ads, then they can affirmatively choose to do so, but the default is set the other way around because advertisers know that many people will not want to agree to that,” said Consumer Federation of America Director of Consumer Protection and Privacy Susan Grant. [Full Story]

SG – PDPC Releases Guidelines for Personal Data Removal Techniques

Singapore’s Personal Data Protection Commission delivered new guidelines to businesses for disposing personal information. The guidelines state papers that reveal personal information must be shredded in at least two different directions, and cannot be placed in unsecured dumpsters. The commission also said data stored on electronic devices such as hard disks, USB drives or DVDs need to be deleted using specialized software to avoid data leaks. The guidelines come as the commission and the Monetary Authority of Singapore conduct an investigation on United Overseas Bank for allegedly leaving intact client documents in a trash bag at Boat Quay. [The Straits Times]

Internet / WWW

US – Privacy Advocates Ask FTC to Investigate ‘Pokemon Go’ Creator

The Electronic Privacy Information Center is requesting the Federal Trade Commission investigate Niantic, Inc., the creator of “Pokemon Go.” The privacy advocacy group wrote a letter to the FTC alleging the app captures and stores information of its users, including children, in violation of federal privacy laws. “We want the FTC to establish concrete limits on the amount of information “Pokemon Go” is collecting and how long they are keeping it,” EPIC Consumer Protection Counsel Claire Gartland said. “Niantic should only be allowed to collect data that is necessary for the operation of the app. Data collection should not be a free-for-all of sensitive consumer data.” In related news, a man is suing Niantic in a Florida Court, claiming “Pokemon Go’s” terms of service and privacy policy are deceptive, unfair and violate state contract laws. [EdScoop]

Law Enforcement

AU – Queensland Police Begin Rolling Out Body-Worn Cameras

The Queensland Police Service has started its statewide rollout of 2,200 Axon body-worn cameras. Police Minister Bill Byrne said the cameras will be available to specialty teams, including tactical crime units, rapid action and patrol groups, the Railway Squad, Dog Squad, and the Road Policing Command. Police Commissioner Ian Stewart believes the cameras will assist in gathering evidence, while saying the technology has helped save 10 minutes per officer per shift in the initial trials. “Through use of the evidence management system, officers were able to add metadata to their recordings in the field, reducing the amount of time officers had to spend manually managing their data at the end of a shift,” said Stewart. [ZDNet]

WW – Company Wants Police Body Cams Live Streamed With Facial Recognition

Taser International is planning on live streaming police body camera footage to the cloud starting in 2017 as well as eventually integrating facial recognition technology. The combination would allow law enforcement to possibly identify criminals by looking at them. Facial recognition and body camera technology has caught the attention of other companies outside of Taser. “You’ve already got the ability to use cameras to tap into databases to find the license plates of stolen vehicles and overdue parking tickets,” said Digital Ally CEO Stan Ross, adding police and law enforcement are also excited to use facial recognition technology. “Why wouldn’t we be pushing to bring that technology to the next level?” Ross said. Georgetown Law’s Clare Garvie expressed concern about such capabilities, saying citizens would not be able to receive notice or give consent. “And there’s no police interaction even in place. No probable cause for a search,” she added. [Motherboard]

US – Wisconsin Supreme Court Upholds Use of Criminal Risk-Assessment Software

The use of risk-based software is being used to identify potential criminals and its involvement in a Wisconsin legal case. The software, covered in a ProPublica investigation earlier this year, assigns an individual points based on the likelihood they will commit a crime. Eric Loomis objected to the use of this data when he was arrested and sentenced for his alleged involvement in a drive-by shooting. Northpointe’s software known as COMPAS was used, and Loomis decided to appeal his conviction saying the software violated his rights to due process. The Wisconsin Supreme Court disagreed with Loomis, saying the software will continue to be used, but added, “some studies of COMPAS risk assessment scores have raised questions about whether they disproportionately classify minority offenders as having a higher risk of recidivism.” [Fusion.net]

Online Privacy

WW – Majority Still Unaware of Adchoices Program for Online Advertising

The AdChoices program is an attempt to persuade the public to get comfortable with “targeted” ads based on their Web browsing behaviour. But almost three years since its launch, more than 60 per cent of people don’t recognize that little symbol. The Digital Advertising Alliance of Canada (DAAC) has conducted a survey to gauge the awareness of the self-regulatory program. Of the 1,000 Canadians surveyed, 38 per cent recognized the blue icon that, when clicked, gives people information about how ads are targeted to them, and gives them options to opt out of targeting. (The recognition was higher among millennials – identified as those aged 18 to 34 for this survey – at 46 per cent.) [Source]

US – Anti-Domestic Violence Group, Twitter Release Harassment Protection Guide

The National Network to End Domestic Violence has released “Safety & Privacy on Twitter: A Guide for Survivors of Harassment and Abuse,” a guideline published “with the support of Twitter,” the group announced in a press release. “This new guide walks through a number of safety tips to help users control their privacy and explains several features to ensure that users are making informed decisions on how they use Twitter,” the report states. The release pushes back against the notion that those suffering from harassment shouldn’t go online. “This is not an acceptable solution,” it states. “Survivors should be able to use social media and online spaces while also maintaining control over their personal information and feeling safe.” [NNEDV]

Privacy (US)

US – FTC’s Ramirez Calls for Comprehensive Data Security Laws

FTC Chairwoman Edith Ramirez is pushing for comprehensive data security laws. With cyberattacks continuing to be a major issue, Ramirez believes Congress and the tech industry need to do more in order to protect user privacy. The FTC wants to create federal standards for the ways organizations can collect, share and store data, while also seeking greater authority to punish businesses for putting citizens’ data at risk. “So much of the data collection that’s taking place happens behind a curtain. It’s largely invisible to consumers,” said Ramirez. The FTC chair also hopes to see organizations step forward to install strong privacy initiatives. “It’s an issue on which I think a company can differentiate itself. And speaking also as a competition agency, we want to see more and encourage more competition in the area of privacy,” Ramirez said. [BuzzFeed]

US – Albany Law School to Offer Data Privacy Master’s Degree

The Albany Business Review reports on a new online master’s program offered by the Albany Law School focusing on cybersecurity and data privacy. Starting in January, students can obtain a Master of Science in Legal Studies degree in cybersecurity and data privacy through the institution. “We developed this program for students across the state, nation and globe to take advantage of our rich history and deep connections in the heart of New York State’s Tech Valley,” said Albany Law School President and Dean Alicia Ouellette in a press release. [Full Story]

US – US Privacy News Roundup

RFID / IoT

US – NSA Releases IoT Report

In the newest edition of the NSA’s publication “The Next Wave,” dedicated to reviewing emerging tech, the focus is on the internet of things. Over 50 pages, and with a mix of highly technical academic pieces and more informative magazine-style articles, the publication features everything from agile block cyphers to the NSA’s newest NiFi developments to an investigation into nascent privacy issues. In fact, NSA Director of Civil Liberties and Privacy Becky Richards is the publication’s guest editor. “NSA sees itself as a facilitator,” she writes, “bringing together diverse people and ideas to foment multidisciplinary research, and perhaps even to develop a true science of privacy.” [NSA.gov]

WW – Government Intervention Necessary Against IOT Manipulation: Schneier

Protection against internet of things manipulating can only come from government agencies taking a hard legislative stance, Bruce Schneier writes in an op-ed for Motherboard. Security solutions aren’t a silver bullet, he writes. “This is not something that the market can solve. Like data privacy, the risks and solutions are too technical for most people and organizations to understand … and the interests of the companies often don’t match the interests of the people.” The government needs to fill in the gaps, “setting standards, policing compliance, and implementing solutions across companies and networks,” he adds. [Full Story]

WW – The Internet of Things Will Turn Large-Scale Hacks into Real World Disasters: Schneier

On the Internet of Things, integrity and availability threats are much worse than confidentiality threats. It’s one thing if your smart door lock can be eavesdropped upon to know who is home. It’s another thing entirely if it can be hacked to allow a burglar to open the door—or prevent you from opening your door. A hacker who can deny you control of your car, or take over control, is much more dangerous than one who can eavesdrop on your conversations or track your car’s location. With the advent of the Internet of Things and cyber-physical systems in general, we’ve given the internet hands and feet: the ability to directly affect the physical world. What used to be attacks against data and information have become attacks against flesh, steel, and concrete. [Motherboard]

Security

US – White House’s New Cyberattack Directive Faces Criticisms

The White House and FBI issued official releases on the new cyberattack directive, but cybersecurity professionals are voicing their criticisms of it. One issue professionals see with the color-coded system is it’s oversimplification of the complexity of a cyberattack. “There [are] a lot of hacks that, over time, seem to affect a national or foreign policy interest — and we’re going to have to be more flexible and creative about the way these agencies are going to be involved,” said Digital and Cyberspace Policy Program at the Council on Foreign Relations Director Adam Segal. Other criticisms focus on the severity rankings of different cyberattacks. “I could steal $1 billion from the Federal Reserve, and that is probably more consequential than turning off the generator for the electric power in a town of 20,000 people,” said Stanford Center for International Security and Cooperation’s Herb Lin. [The Christian Science Monitor]

WW – Wireless Keyboard Vulnerabilities

Researchers have found that security weaknesses in some wireless keyboards could allow attackers to inject keystrokes and to read everything users type, spelling trouble for the security of account access credentials and any other sensitive communications. To sniff this information, attackers would need to be within 250 feet of a targeted device. [CNET: Hackers could sniff out your passwords if you’re typing nearby | ZDNet: Flaws in wireless keyboards let hackers snoop on everything you type | Wired: Radio Hack Steals Keystrokes from Millions of Wireless Keyboards | V3: Wireless keyboards and mice vulnerable to keystroke ‘sniffing’]

EU – Portal Offers Help with Ransomware

Europol, along with the Dutch National Police, Kaspersky Lab, and Intel Security, has launched the No More Ransom portal. Its goal is to educate people about ransomware and to provide resources to help people recover files without paying a ransom. The site includes tools for unlocking certain strains of ransomware, and will allow people whose computers have been infected to upload encrypted files to determine which strain of the malware was used. [BBC: Ransomware advice service to tackle extortion gangs | ZDNet: This initiative wants to help ransomware victims decrypt their files for free | Dark Reading: New Portal Offers Decryption Tools For Some Ransomware Victims] SEE ALSO: [The Register: Security firms team to take down rudimentary ransomware | Computerworld: Free decryption tools released for PowerWare and Bart ransomware] See also: US Civil Rights Office Issues Ransomware Guidance]

Smart Cars

EU – ENISA Launching Smart Car Cybersecurity Study

The European Union Agency for Network and Information Security is launching a study on cybersecurity measures for smart cars. “The objective of this project is to establish a comprehensive list of cybersecurity policies, tools, standards, measures and provide recommendations to enhance the level of security of smart cars. The study focuses on the assets inside the cars as well as on data exchanges related to safety,” the organization said. ENISA is looking for car manufacturers, Tier 1 and Tier 2 suppliers to participate in the study, with a workshop scheduled for 10 Oct., to review the findings. [Full Story]

US – Auto Industry Now Has Best Practices Guidelines for Cybersecurity

The Automotive Information Sharing and Analysis Center has published a set of cybersecurity best practices for the automobile industry. The guidelines cover “governance; risk assessment and management; security by design; threat detection and protection; incident response; training and awareness; and collaboration and engagement with appropriate third parties,” the report states. The “suggested measures” include standards from the International Organization for Standardization and National Institute of Standards and Technology, the report adds. [Covington Inside Privacy]

US – The case of traveling odometer data

Fusion reports on consumer surprise regarding the sharing of odometer data between companies like car dealerships and oil-change shops and insurance companies. One consumer got a letter earlier this year from his insurer letting him know his “low annual mileage” rating was being revoked, because he had driven too many miles. Another noticed his oil changes mentioned in a CarFax report. In fact, State Farm’s policy reads: “To ensure we’ve priced our insurance coverage accurately, we verify odometer readings through a third-party provider.” But what about those supplying the information? “If they’re following privacy best practices,” the article states, “they should be disclosing to their customers that they’re passing that data along to third parties.” The article does not ask any dealerships or oil-change shops for their policies or whether they inform customers in any way, however. [Fusion.net]

US Legislation

US – US Legislative Roundup

 

13-20 July 2016

Canada

CA – OICC Recommends Reform to Access to Information Act

The Information Commissioner of Canada provided an opinion on the Access to Information Act. Priority recommendations to bring the Access to Information Act up to date include extending coverage to ministers’ offices and institutions supporting Parliament and the courts, establishing a comprehensive legal duty to document (with appropriate sanctions for non-compliance), addressing delays, repealing the exclusion for Cabinet confidences and replacing it with mandatory exemption, narrowing the exemption for advice and recommendations, and ensuring mandatory periodic review. [Office of the Information Commissioner of Canada – The Act is Ripe for Amendments | Consultation]

CA – Federal Warrant Reports Understate True Police Activity

“Clear gaps” in how the federal government reports invasive surveillance practices may hide the true scope of police activities, according to documents prepared for Canada’s privacy watchdog. Although the number of authorized wiretaps has “plummeted” since 2002, a January briefing for Privacy Commissioner Daniel Therrien suggests those numbers may mask police surveillance practices. “It would be erroneous to infer from the drop in overall warrants issued that surveillance is affecting fewer individuals,” reads the document, obtained under access to information law. “While federal authorities issued just over a hundred surveillance warrants last year (2014), they issued 792 notifications of surveillance to individuals previously targeted. From this, one can conclude more and more individuals are being named as targets in a warrant application. “With a single warrant from the Federal Court (police) may list dozens of individuals for surveillance targeting.” [Chronicle Herald]

CA – Ontario Privacy Watchdog Drops Case Against Toronto Police Over Attempted Suicide Info

Ontario’s privacy commissioner is no longer taking legal action against Toronto police over the sharing of attempted suicide-related information with U.S. border services. The Information and Privacy Commissioner’s office says it has withdrawn its case because the force has developed new procedures to better protect people’s privacy. The privacy commissioner’s office, which investigated the issue, said since launching its legal action, Toronto police worked with the RCMP to create a new mechanism allowing all police services to suppress suicide-related entries from being accessed by U.S. users of the Canadian Police Information Centre database. [GlobalNews]

CA – OIPC AB: Access to PI Puts Individuals at Risk of ID Theft and Fraud

The Alberta OIPC reviewed a breach notification for ABS-CBN Canada Remittance Inc., pursuant to the Personal Information Protection Act. The incident resulted from a deliberate attempt to obtain unauthorized access to personal information, and the information was successfully used to process fraudulent transactions; the personal information involved was sensitive information, including name, address, identification document and number, place of issue and expiry date (if SIN was listed, only last 4 digits recorded), and information about whether an individual or family member is a politically exposed foreign person. [OIPC AB – P2016-ND-31 – ABS-CBN Canada Remittance Inc.]

EU Developments

UK – ICO Issues Guidance on ‘Internal Breach Reporting Procedure’

Although it remains unclear whether the General Data Protection Regulation (GDPR) will directly apply in the UK in light of the country’s vote to leave the EU, the UK watchdog has published a new piece of general guidance to help companies understand what their duties are under the new legislation. In its overview of the GDPR, the ICO explained, among other things, what organisations should do to prepare for new data breach notification rules. Those rules require them to tell data protection authorities and the public about personal data breaches they experience in certain circumstances. Organisations should put in place an “internal breach reporting procedure” so that they can comply with their obligations to notify personal data breaches under new EU data protection laws, the UK ICO has said. “You should make sure that your staff understands what constitutes a data breach, and that this is more than a loss of personal data,” the ICO said. “You should ensure that you have an internal breach reporting procedure is in place. This will facilitate decision-making about whether you need to notify the relevant supervisory authority or the public.” [Out-Law] See also: U.K. Information Commissioner has issued guidance on the General Data Protection Regulation and what the country’s imminent exit from the EU does to implementation.

EU – UK’s ICO Pushes Alternative to Consent as Based Cookie Rules

In response to a European Commission consultation on potential reforms to the EU’s Privacy and Electronic Communications (e-Privacy) Directive, the ICO said the rules should be updated and “seek to achieve a proportionate balance between the legitimate interests of information society services and the privacy rights of individuals”. “There is a case for an exemption or an alternative basis for processing other than consent, particularly in cases where the privacy impact on the individual is minimal,” the ICO said. In its consultation response the ICO also said that all forms of direct marketing via electronic communications should be subject to an opt-in consent requirement. Currently, some types of direct marketing activity can be carried out on an opt-out basis. Some social media communications should be considered subject to the e-Privacy rules on direct marketing. The ICO criticised rules that place restrictions on the processing of location and traffic data by internet service providers and mobile network operators. It urged the provisions to be deleted as conditions on such data processing are “covered by the GDPR”. The GDPR, or General Data Protection Regulation, is the EU’s new broad data protection framework which and will come into effect in May 2018. The ICO said: “Revised e-Privacy rules should avoid dictating business models, especially where there is minimal privacy impact for the individual.” The watchdog also said that the penalties regime for infringement of e-Privacy rules should not necessarily reflect that outlined under data protection laws since breaches do not always concern personal data. At the moment, the maximum fine for infringement, of £500,000, that can be issued under the UK’s Privacy and Electronic Communications is the same as that which can be issued under the Data Protection Act. [The ICO’s consultation response] [Out-Law News]

EU – Study: More than 75% of Cloud Apps Not in Line with GDPR Regulation

A Netskope survey of 22,000 cloud apps has found that more than 75 percent are out of compliance with the General Data Protection Regulation that will go into effect in less than two years. “This is the first time that data processors [cloud providers] actually have a direct compliance risk and obligation under the regulation,” said Intralinks Global Data Privacy Officer. “Now, it’s actually both data processors and data controllers. They would be liable and they have their own obligations under the GDPR.” As such, “Every organization should be keeping a frequently updated and well-documented data security risk assessment within easy reach,” said ESET’s Stephen Cobb. “You should be doing that regardless of GDPR, but GDPR is one more reason you should be doing it.” [SearchSecurity]

Filtering

CA – Google Faces Landmark Legal Fight, Advocacy Groups Rally in Support

The Supreme Court of Canada will soon have to assess whether Canadian courts have the authority to block search results outside of Canada’s borders, and under which circumstances a litigant can seek an injunction against a “non-party” that had nothing to do with the original lawsuit — in this case, Google. A spokesperson has confirmed that it submitted its brief to the Supreme Court last month, and it expects the court to hear the case in early December. The Wikimedia Foundation isn’t the only body to file a motion in support of Google — according to the SCC’s official proceedings page, the following entities have recently filed motions to intervene: Software Freedom Law Centre, Center for Technology and Society, Dow Jones & Company, Reporters Committee for Freedom of the Press, American Society of News Editors, Association of Alternative Newsmedia, The Center for Investigative Reporting, First Amendment Coalition, First Look Media Works, Human Rights Watch, and others. [Venturebeat]

US – Judge Reignites Debate Over Researching Jurors Online

Mining prospective jurors’ Facebook, Twitter and other social media accounts is common practice for many attorneys looking to spot biases that might cost their clients a fair trial. The American Bar Association has said the searches are ethical, and a ruling by the Missouri Supreme Court bolstered arguments that attorneys have a duty to do online research of prospective jurors. Still, some judges have deemed the online searches invasive and banned them. Now a federal judge’s ruling in a copyright battle between Silicon Valley heavyweights Oracle and Google has reignited debate about the practice while also offering a potential middle ground. U.S. District Judge William Alsup, raising concerns about prospective jurors’ privacy, said attorneys could research the jury panel, but would have to inform it in advance of the scope of the online sleuthing and give the potential jurors a chance to change online privacy settings. Otherwise, they had to agree to forego the searches. The ruling prompted a fresh wave of discussion in legal circles about how aggressively attorneys should be allowed to investigate jurors’ online personas and how beneficial the searches are. [Source]

Finance

UK – Bitcoin Benefits System Criticized On Privacy, Security Grounds

Much to the consternation of privacy advocates, the Department for Work and Pensions has begun a test of the GovCoin Systems’ bitcoin and blockchain program to provide welfare recipients with their benefits. While some maintain that blockchain payments increase security, others, like the Open Data Institute, aren’t so sure. “Experimenting with putting highly personal data in immutable data stores is fraught with danger,” said ODI Technical and Deputy Director. “To avoid undermining trust in government’s use of data, DWP should be much more open and transparent about the policy objective of these trials.” Both GovCoin and the DWP said they were aware of the security concerns and were continuing to develop safeguards. [Financial Times]

FOI

CA – OIPC SK Issues Guide to Exemptions for FOIP and LA FOIP

The OIPC SK has published guidance on exemptions pursuant to Saskatchewan’s: The Freedom of Information and Protection of Privacy Act; and The Local Authority Freedom of Information and Protection of Privacy Act. Exemptions in both statutes can be distinguished by the wording of the provision; use of the phrase “shall refuse” indicates a mandatory exemption, but some exemptions specify the conditions under which a public body may still release information. Many discretionary exemptions require the application of a multi-part test that must be met in order for the exemption to apply, and/or a clear cause and effect relationship between the disclosure of a record and the harm that is alleged to reasonably result. [OIPC SK – IPC Guide to Exemptions for FOIP and LA FOIP]

US – Database of Excuses the Govt Uses to Withhold Public Info Being Built

We’ve entered something of a golden era of government transparency—or at least, a golden era of journalists and interested citizens filing information requests with government agencies. Freedom of Information Act requests have increased greatly as the internet and services such as Muckrock, a tool that fills out sample language for information requests and then tracks them, have made filing easier. But there’s one major problem: Federal agencies use lots of different tactics to avoid actually releasing all sorts of documents, and few journalists actually know how to fight back against the system. It’s not entirely their fault: Enforcement of different FOI “exemptions” varies by agency and often depends on which specific FOIA officer handles the request. At the state level, where a patchwork of “sunshine” laws govern what records are public well, things are even more of a mess. By creating a central repository for FOI exemptions, Muckrock is in a better place to challenge them and to effect change. If most states, for example, allow FOI requesters to obtain police body camera footage but a couple exempt that data, Muckrock and others can push for greater transparency in those states that don’t allow it by floating model FOI legislation with friendly lawmakers. Crowdsourcing data on which FOI exemptions are most common will also help Muckrock identify problem areas—if certain states are inappropriately claiming that certain records are part of “internal deliberations” (a common FOI exemption in many states) when they shouldn’t be, there may be grounds for a lawsuit or a public shaming campaign that could help change things. [Motherboard]

CA – Edmonton Council Votes to Review Privacy Rules

City council voted to review its privacy rules this week, with some councillors musing more information should become public once sensitive matters have been decided. Edmonton has no automatic process for declassifying information. Coun. Michael Oshry wasn’t sure if the audio of the discussions should ever be public, even after 10 or 15 years. Coun. Mike Nickel put the privacy issue on the agenda, suggesting all private discussions should eventually become public and asking administration to come back with a list of policy options. He filed a two-page inquiry that Mayor Don Iveson ruled had to be entered as a motion. Council voted unanimously to accept it. Nickel also wants a policy to make council memos public, especially when they are a followup to a question asked at a public meeting. He also wants Edmonton to review its freedom of information process and add a review so redacted information can be released when it’s no longer sensitive. [Edmonton Journal]

CA – Canadian Researchers Who Commit Scientific Fraud Are Protected by Privacy Laws

78 Canadian scientists have fabricated data, plagiarized, misused grants, or engaged in dodgy scientific practices in projects backed by public funds, a Star analysis has found. But the publicly funded agency responsible for policing scientific fraud is keeping secret the details surrounding these researchers. The scientists’ names, where they worked and what they did wrong is not made public because that information is protected under federal privacy laws. “If you were going to be a fraudulent scientist or plagiarist, or you want to steal grant money, Canada is an excellent place to live,” said Amir Attaran, a professor in the faculties of law and medicine at the University of Ottawa. Making public the names of research wrong-doers and their transgressions, he said, would “keep scientists honest.” And because the agency doesn’t follow up with police, it’s not known if any of the researchers faced criminal charges. [The Star]

WW – Google Says Government Requests for User Data at All-Time High

Government requests worldwide for user data related to search engine traffic on Google increased 29% from 2014 to 2015, according to the search site’s most recent Transparency Report, which was published today. Google reports on the government requests every six months. In the second half of 2015, it said it received more than 40,000 requests for data related to more than 81,000 user accounts; That compares to the first half of the year when Google received about 35,000 requests related to about 69,000 accounts. In the second half of 2014, Google received 31,140 requests from U.S. entities for user information related to more than 50,000 accounts. By far, the U.S. leads the world in government requests for data, followed by Germany with 11,562 requests. Google agreed to hand over “some” user data for 64% of the requests worldwide, but it handed over data for U.S. government requests 79% of the time. [ComputerWorld] Google’s latest transparency report shows record government data requests | How Google became a champion for government transparency.

Health / Medical

US – HHS: HIPAA Struggling to Keep Up with Health Apps, Wearables

A U.S. Department of Health and Human Services study found HIPAA is struggling to keep up with the growing number of wearable fitness trackers, mobile health apps and online patient communities. “Health privacy and security law experts have a reasonably clear idea of where HIPAA protections end, but the layperson likely does not,” said the HHS’ Office of the National Coordinator for Health Information Technology report. “Moreover, even entrepreneurs, particularly those outside the health care industry … may not have a clear understanding of where HIPAA oversight begins and ends.” The HHS report, which was originally due in 2010, does not offer any suggestions to filling the lapses in legislation. “At the end of the day, it’s a very complicated environment that we find ourselves in,” said ONC for Health Information Technology Chief Privacy Officer. “We believe we’re fulfilling our duties. If Congress has concerns about that, I’m sure that we will hear about them.” [ProPublica] [Morning Consult: US – Lawmakers Call for Privacy Safeguards in Health Apps, Wearables] [Health Data Management: US – Privacy, Security Concerns Continue to Cloud Mhealth’s Future]

US – NIST and ONC Host White Paper Challenge on Blockchain in Health Care

The Office of the National Coordinator for Health Information Technology and the National Institute of Standards and Technology have created a challenge asking for white papers on the potential benefits of blockchain technology in health care. The “Blockchain and Its Emerging Role in Healthcare and Health-related Research” asks for submissions addressing the “privacy, security and scalability of health records.” Submissions are accepted through Aug. 20, and winners will present their papers at an ONC and NIST workshop. [HealthITSecurity]

WW – Active Market for Healthcare Records Looms as Newest Cyber Threat

Offers to sell patient records with protected health information on the “Dark Web” market represent a new level of threat for healthcare organizations trying to protect health information, offering further monetary inducement to hackers trying to access records. The addition of a new potential for profiting from hacking could increase the “demand” side of the equation for records, increasing the likelihood of attacks and the need for healthcare organizations to stiffen defenses. In late June, a hacker known as “The Dark Overlord” reported the theft of nearly 10 million patient medical records from providers and a major insurer and put them on the Dark Web market where hackers conduct buy and sell data taken from a variety of sources. The extent of the data theft has not been verified by outside sources. But what this hacker started—the creation of a new market for patient records—will only expand, cybersecurity professionals believe. OWL Cybersecurity said the information that is available is unencrypted plain text that includes usernames and passwords, It said the Dark Overlord reported the total includes 48,000 records from a provider in Farmington, Mo.; 210,000 records from a healthcare organization in the Midwest; 397,000 records from a provider in the Atlanta region; 34,000 records from a provider in New York State; and 9.3 million records from an unidentified insurer. Those figures have not been independently verified. [Info Management]

US – HHS Releases Healthcare Ransomware, HIPAA Guidance

According to new HIPAA guidance, ransomware attacks must be reported to the Department of Health and Human Services (HHS). The guidance “describes ransomware attack prevention and recovery from a healthcare sector perspective, including how HIPAA breach notification processes should be managed in response to a ransomware attack.” HHS has created a fact sheet to help covered entities keep ePHI secure and follow HIPAA regulations. Conducting a risk analysis, regular user training, and maintaining an overall contingency plan are just a few of the recommendations from the Department of Health and Human Services (HHS) in its recent healthcare ransomware and HIPAA guidance. The new guidance is meant to help covered entities and business associates reinforce their adherence to HIPAA regulations, and also better prevent, detect, contain, and respond to threats. Electronic data being compromised through cybersecurity threats, including ransomware, is one of the biggest current threats to the industry, Office for Civil Rights Director Jocelyn Samuels explained in a blog post. [HealthIT Security]

Horror Stories

CA – Doctor Fired for Unauthorized Access to Patient Files

Vitalité Health Authority has fired a doctor who accessed more than 100 sensitive medical records of young women. A New Brunswick College of Physicians and Surgeons notice said Dr. Fernando Rojas violated the ethics of the Canadian Medical Association and the College of Physicians and Surgeons. Vitalité CEO Gilles Lanteigne said processes are being implemented to prevent a similar breach from happening in the future. He said, “We put in place the systems where as we would receive red lights way sooner in the process, so that’s one thing we’ve learned,” adding, “The other thing is that the magnitude of the impact of the breach has on a person, you know, it really brought this to light how important that is.” [CBC] See also: [P.E.I. care home employee fired after photo of deceased resident shared on Snapchat]

CA – Phoenix Pay System Also Breached Federal Workers’ Privacy

A dysfunctional compensation system that’s withholding paycheques from federal workers has also been breaching their privacy. Newly released documents show senior officials were warned as early as Jan. 18 that the new Phoenix system has a flaw that allows widespread access to employees’ personnel records, including social insurance numbers. Despite the warning, the faulty software was broadly implemented this spring — without alerting the unions or any employees that their private details were no longer secure. The disclosure of a massive privacy breach appears in documents obtained by CBC News under the Access to Information Act, deepening a crisis that has already touched some 80,000 public servants and triggered a wave of hiring to patch the problems. The briefing material prepared by Public Services and Procurement Canada indicates that up to 70,000 public servants had access to the personal details of all 300,000 employees covered by the system. A spokeswoman for Canada’s privacy commissioner confirmed the department “has reported this matter to our office and we have followed up with them.” Valerie Lawton said she could provide no further details. [CBC]

Identity Issues

CA – OPCC Issues Guidance on Customer Identification and Authentication

The Office of the Privacy Commissioner of Canada has published updated guidance on identification and authentication of individuals. Organizations should only identify or authenticate customers when necessary (i.e. to fulfill the transaction), individuals should provide appropriate consent for provision of personal information, and authentication levels (e.g. single factor, multi-layer, or multi-factor) should be commensurate with identified risks; reliable audit records should be maintained (including date, time, and failed attempted authentications) with the level of detail reflecting associated risks. [OPC Canada – Guidelines for Identification and Authentication]

Law Enforcement

US – Boston Police Body Camera Pilot Program Raises Privacy Questions

A group of 100 Boston Police officers will soon volunteer to take part in a six-month pilot program that would explore the use of body cameras by the department, the mayor’s office announced last week. The program incorporates recommendations from several privacy and police accountability groups they believe balance privacy with improving department transparency. The ACLU, along with the Boston NAACP and the Boston Police Camera Action Team, praised the Boston Police Department for incorporating recommendations it felt balanced civilian protection while improving transparency in police interactions with the public. Those include a requirement officers activate the cameras when engaged in most “potentially adversarial” encounters with the public; privacy protections for those in homes or other sensitive situations with an expectation of privacy; an explicit ban on using the cameras to record civilians based only on their “political or religious beliefs or upon the exercise of the civilians’ First Amendment rights;” and a ban on any kind of biometric capabilities in the camera — including face recognition technology. [Source]

US – Taser Plans to Livestream Police Body Cam Footage to the Cloud by 2017

Could police officers someday identify criminals just by looking at them? That’s the vision being touted by Taser International, which holds a monopoly on “conducted electrical weapons” for law enforcement and is aiming to build one for police body cameras. Facial recognition has been part of Taser’s plan. It’s been mentioned in Taser press releases as far back as 2009. In 2010, a Taser spokesman told GQ that Axon would turn “every cop [into] RoboCop.” “You’ve already got the ability to use cameras to tap into databases to find the license plates of stolen vehicles and overdue parking tickets,” said Stan Ross, CEO of Digital Ally, one of a growing number of companies fighting for market share in the fast-growing body camera industry. The business case for facial recognition is obvious. Cops and police chiefs who are aware of facial recognition “are really excited to try it.” Robert Vanman of WatchGuard—another body camera competitor—had similar thoughts. “In regards to facial recognition, WatchGuard will certainly be deploying that technology in the future,” he said. “We are the clear technology leader in hardware, and we plan to keep it that way.” But Vanman brought the discussion down to earth. “Facial recognition will require enough pixel resolution to be effective (to get good recognition results the image needs to contain about 50 pixels between the eyes),” he wrote. “To run facial recognition algorithms in real time will require substantial processing power and an on-camera database (which will require frequent updating). Those elements work against the battery life needs.” So there are practical challenges—video resolution that isn’t yet crisp enough; and battery life that isn’t yet long enough. Not to mention that some police departments can’t even get decent enough internet speeds to download their body cam footage to in-house servers, let alone livestream them to the cloud. [Motherboard]

Online Privacy

US – Nobody Reads Terms of Service, Privacy Policies: Study

A new study found that nearly three-quarters of the 543 university students surveyed skipped over the terms of service of a social media site they thought was real. Researchers included clauses that users agreed to, that they had until 2050 to give up their firstborn and that their data will be shared directly with the U.S. National Security Agency. The paper, titled “The biggest lie on the Internet: Ignoring the privacy policies and terms of service policies of social networking services,” was written by York University communication technology professor Jonathan Obar and University of Connecticut communications assistant professor Anne Oeldorf-Hirsch. For those few who did read the terms of service and privacy policy, they on average spent 51 seconds and 73 seconds on each respectively. [Ars Technica] [PC World]

Privacy (US)

US – Court: U.S. Agents Can’t Access Data Held On Overseas Computers

Microsoft Corp. won a major legal battle with the U.S. Justice Department Thursday when a federal appeals court ruled that the government can’t force the company to turn over emails or other personal data stored on computers overseas. The case, closely watched by Silicon Valley, comes amid tensions between Europe and the U.S. over government access to data that resides on the computers of social-media and other internet companies. The ruling is another setback for the Justice Department’s efforts to force technology companies to comply with government orders for data, following the collapse earlier this year of two cases involving Apple Inc.’s refusal to help open locked iPhones. The ramifications of Thursday’s ruling by the Second U.S. Circuit Court of Appeals in Manhattan could be sweeping. If the appeals court’s legal rationale stands, it could influence companies’ and their customers’ decisions about how and where to store data. It also alters the course of talks between the U.S. and other governments, in terrorism and criminal cases, about access to evidence stored in servers on foreign soil. In a statement, Microsoft President and Chief Legal Officer Brad Smith called the decision “a major victory for the protection of people’s privacy rights under their own laws, rather than the reach of foreign governments.” [Wall Street Journal]

US – US Plans Would Allow Foreign Gov’ts to Serve Warrants on US Tech Firms

In the wake of last week’s U.S. court decision in the Microsoft warrant case, the Justice Department plans to secure a series of international agreements with certain countries that would allow them to serve warrants on U.S. internet companies. Justice Department senior official Brad Wiegmann said the deals would allow governments — for example, the U.K. — to serve warrants directly on U.S. companies. Such an arrangement between the U.S. and U.K., however, would require legislative approval from both nations. “These agreements will not be for everyone,” Wiegmann explained. “There will be countries that don’t meet the standards.” The Center for Democracy & Technology’s Greg Nojeim expressed concern about the plan, noting it would be “swapping out the U.S. law for foreign law,” arguing the U.K. has less robust warrant requirements. A British diplomat disputed Nojeim’s assessment, stating the U.K. would apply strict judicial scrutiny of such warrants. [The Wall Street Journal]

US – Appeals Court Rules Mugshots Do Not Need Public Release

The 6th U.S. Circuit Court of Appeals ruled mugshots do not need to be released to the public, but instead, can be reviewed on a case-by-case basis. The hearing was held en banc, with a 9-7 vote in favor of the notion that arrested individuals have a privacy interest in not having their mugshots publicized, overturning a decision the same court made in 1996. Judge Deborah Cook said booking photos falls under the Freedom of Information Act exemption criteria 7(c), which includes potentially “embarrassing” personal information. “Booking photos — snapped ‘in the vulnerable and embarrassing moments immediately after [an individual is] accused, taken into custody, and deprived of most liberties’ — fit squarely within this realm of embarrassing and humiliating information,” Cook wrote. The Detroit Free Press may ask the Supreme Court for further review. [Courthouse News Service]

US – Precedent Set for Stingray-Gleaned Evidence

In a first-of-its-kind ruling, U.S. District Judge William Pauley has decided that the U.S. Drug Enforcement Administration’s use of stingrays when collecting evidence against defendant Raymond Lambis was a violation of his rights. Agency officials had used the device to determine the location of Lambis’ cellphone for a drug-trafficking case, evidence that Judge Pauley suppressed. “Absent a search warrant, the government may not turn a citizen’s cellphone into a tracking device,” Pauley said in his decision. The third party doctrine does not apply; cell phone users do not voluntarily submit their location data to their provider, and there is no third party (with the cell-site simulator, the government cuts out the provider and obtains the information directly). The ACLU hailed the move as one that “strongly reinforces the strength of our constitutional privacy rights in the digital age.” While the prosecutors can pursue an appeal, they have not yet moved to do so, the report states. [Reuters: Precedent Set for Stingray-Gleaned Evidence] [United States of America v. Raymond Lambis – 2016 U.S. Dist. LEXIS 90085 – United States District Court For The Southern District Of New York]

Security

WW – Ponemon Study: Companies Lack Resources to Spot Cyberattacks

According to a report from the Ponemon Institute, nearly 80% of businesses say they do not have sufficient infrastructure or personnel to monitor their networks for and defend their networks against cyberattacks. Only 17% say they have established formal, company-wide intelligence gathering processes. [ZDNet]

UK – UK ICO Issues Basic Security Guidance on Baby Monitors

Two years after it was revealed that a creepy Russian website was allowing users to watch more than 73,000 live streams from unsecure baby monitors, the UK’s data watchdog has warned that manufacturers still aren’t doing enough to keep their devices safe from hackers. The privacy breaches have prompted the ICO to issue guidance to help users guard against opportunistic hackers, and people using the murky likes of the Shodan search engine to browse the Internet of Things. The ICO lists six basic steps parents can take to help prevent casual hackers:

  • Research the most secure products
  • Secure your router with a strong password
  • Secure the device by changing its default password
  • Check manufacturer’s websites for security updates to out-of-the-box software
  • Read the manual to see if there are extra measures listed
  • Use two-step authentication, if you can

The ICO declined to name any of the sites where streams are available, but a spokesperson said that “you can connect to these devices directly, so there’s no intermediary website as such.” [Ars Technica]

Surveillance

US – FAA Drone Bill Drops Key Privacy Provisions

A Federal Aviation Administration reauthorization bill that was passed by the Senate this week has excluded key privacy provisions, including a requirement that commercial and government users of drones must disclose if they collect personally identifiable information of a person. The provisions would put checks on the collection of personal data by drone operators, including the government. The bill passed this week would prohibit drones from interfering with emergency response activities, such as wildfire suppression and law enforcement, and provides for civil penalties of not more than US$20,000 for those found in violation. Drones are also to be used for firefighting and restoration of utilities. The bill, which is a compromise short-term extension to ensure continued funding at current levels to the FAA, was passed by the Senate and goes to President Barack Obama to be signed into law, two days before the current authorization is to expire. It was earlier passed by the House of Representatives. But Senator Edward J. Markey, a Democrat from Massachusetts and a member of the Commerce, Science, and Transportation Committee, said that the new bill, called the FAA Extension, Safety, and Security Act of 2016, was “a missed opportunity.” It does not include drone privacy provisions that he authored and were included in the Senate version of the FAA reauthorization bill that passed in April this year, the senator said in a statement. [PC World]

US Legislation

US – Legislative Roundup

+++

 

 

5-12 July 2016

Biometrics

UK – NHS Sending 1M Eye Scans to Google’s DeepMind

Google’s DeepMind division will receive 1 million anonymized eye scans from Moorfields Eye Hospital to help train its artificial intelligence system to identify signs of disease. DeepMind’s machine learning algorithms will examine the scans for symptoms of diseases such as macular degeneration and diabetes-related vision loss. The collaboration, however, has already raised some privacy concerns. In a letter to Moorfields, tech journalist Gareth Corfield cited the Data Protection Act, writing, “To be crystal clear, I have not consented for my personal data to be used by Moorfields NHS Trust for any purpose other than treating me for genuine medical purposes.” The announcement comes after Google’s AI system faced criticism for its collaborations with three small London hospitals. [BBC]

Big Data

WW – IDEAS Conference to Address Digital Privacy Issues in an Era of Big Data

All it takes is 300 “likes” while you’re scrolling through your newsfeed — that’s the point at which Facebook knows you better than your own spouse or your best friend. So if you’re averaging 10 “likes” a day, it will take just a month for the social network behemoth to have you figured out more accurately than the people you consider your soul mates. And if you’re a compulsive clicker of the “thumbs up” icon, Facebook may have insight into your innermost thoughts and feelings in a mere week-and-a-half. [Montreal Gazette]

Canada

CA – PIPEDA Amendments Creating General Obligation to Notify Individuals and Privacy Commissioner of a Breach Not Yet in Force

Canada’s federal privacy law does not currently include a general obligation to provide notification of breaches (the OPC has issued best practice guidelines that strongly encourage such notification); after the amendments to PIPEDA come into effect, organizations will be required to notify the OPC and affected individuals of any breach where it is reasonable to believe that the breach creates a real risk of significant harm to the individual. [Global Guide to Data Breach Notification – Canada – Peter Ruby and Rachel Ouellette, Goodmans LLP and George Pollack, Davies Ward Phillips & Vineberg] (Pages 22 – 32)] See also: the Office of the Privacy Commissioner of Canada has issued a call for proposals seeking applicants to organize and host the next research symposium in the Office’s Pathways to Privacy series. Learn more

CA – Toronto Real Estate Board Increases Efforts to Overturn Tribunal’s Ruling

The Toronto Real Estate Board is stepping up its efforts in court to overturn a decision by the federal Competition Tribunal that allows more detailed home sales data to be released on the Internet. TREB reiterated its concerns that the tribunal’s April 27 order mandating wider access to the industry’s Multiple Listing Service (MLS) database violates privacy law and the rights of buyers and sellers. On May 27, the real estate board filed a notice of appeal to challenge the ruling in the Federal Court of Appeal and last week, it asked the court to stay the tribunal’s decision. After a subsequent hearing last month to work out the details of its ruling, the Competition Tribunal said TREB’s active realtor members would be allowed to publish information online that is not currently being widely disseminated, including sales figures, pending sales and broker commissions. As part of this arrangement, virtual brokers would be permitted to display and analyze this data as freely over the Internet as other realtors currently share such information with their clients in person, by fax or over e-mail. Even as TREB continues to contest the decision in court, its information technology staff are working to upgrade its systems so it’s ready to comply with the order, which is set to come into effect on Aug. 3. [The Globe and Mail]

CA – Do Photographs Taken by a Landlord for Marketing a Rental Unit Offend Privacy Rights?

A recent decision of the Ontario Divisional Court has ruled that landlords of residential tenancies are not permitted to enter into a tenant’s premises to take photographs in order to market the property for sale while it is occupied by another tenant, unless there is a consent of that tenant or a specific provision in the lease permitting the taking and publication of photographs. In Juhasz v. Hymas (2016 ONSC 1650,) the Ontario Divisional Court noted that the lease and legislation did allow the landlord to show the premises to prospective tenants or purchasers but that that the lease did not contain a clause permitting entry by a real estate agent to take photographs for marketing the property for sale. [Source]

E-Government

US – How Presidential Candidates Sell Supporters’ PII to Other Candidates

What do failed presidential candidates do with their supporters’ email addresses once they drop out of the race for the White House? Nearly every GOP candidate in the 2016 presidential election has sold, rented or loaned their supporters’ addresses to other candidates, marketing companies, charities or private firms, CNNMoney found through an analysis of thousands of emails and Federal Election Commission records. The failed candidates have been able to make thousands of dollars through data sharing, with Marco Rubio taking home $504,651 and Rand Paul making $212,495. The practice is not illegal, as the campaign tells donors what will happen with their personal information when they give money to a particular candidate. [CNN Money]

E-Mail

CA – Private Right of Action Under Canada’s Anti-Spam Law (CASL)

As of July 1, 2017, individuals and organizations will be entitled to institute a “private right of action” before the courts against those that contravene certain provisions of Canada’s Anti-Spam Law (“CASL”). In the event of a contravention of the message rules in CASL, a monetary penalty up to a maximum of $1,000,000 per day may be imposed. This private right of action should be taken seriously right now. From this perspective and building on previous publications, this bulletin discusses this new mechanism. [Fasken] See also: [Emerging Limits on the Certification of Privacy Class Actions]

Encryption

WW – Facebook Testing Encryption for Messenger

Facebook has begun testing Secret Conversations, an end-to-end encryption feature for Messenger. Users will be able to create secret conversations that can be read on only one of the recipient’s devices. The cryptographic keys “are generated or derived on-device,” which means that Facebook never has possession of the keys. Secret Conversations will also let users determine how long the message will be visible. Starting July 8, a select number of Facebook Messenger users will test the social media site’s opt-in, end-to-end encrypted “secret conversations” feature. The site’s will make its “secret conversations” widely accessible starting “later this summer or in early fall.” [SC Magazine: Facebook testing ‘Secret Conversations’ end-to-end encryption feature for Messenger | Quartz: Facebook is testing encrypted, self-destructing messages | CNET: Facebook adds encryption to Messenger | Facebook: Messenger Starts Testing End-to-End Encryption with Secret Conversations] [WIRED]

CA – Encryption Keeping Police Out, Government Documents Indicate

Encryption and privacy technologies are making Canadian law enforcement’s ability to use data in an investigatory capacity increasingly difficult. “Canadians are increasingly using mobile phone networks, the internet, and other electronic means to communicate and execute transactions with each other,” wrote public safety officials in the documents addressed to Minister Ralph Goodale. “This has led to a significant gap between the technologies available for criminal exploitation and our means to enforce Canada’s laws and keep Canadians safe.” The documents suggested having a “thoughtful discussion” on the best legal framework for encryption technology that benefits all, the report adds. [The Star]

WW – Google Testing New Encryption That Protects Against Quantum Attacks

Google has begun testing a new form of encryption in its Chrome browser designed to protect systems from quantum attacks. Google is adding a post-quantum key-exchange algorithm to a small number of connections between the desktop version of Chrome and Google’s servers. [Wired: Google Tests New Crypto in Chrome to Fend Off Quantum Attacks | ZDNet: Google is experimenting with post-quantum cryptography]

EU Developments

EU – EU Governments Approve Privacy Shield

The European Union’s 28 member states have approved Privacy Shield, the EU-US data transfer agreement crafted to replace Safe harbor, which the EU high court struck down last autumn. Once the European Commission approves Privacy Shield, the agreement will take effect. European privacy groups are likely to challenge the agreement in court because they believe it does not go far enough to protect EU citizens’ privacy. [The Hill: Week ahead: EU set to finalize new data pact | eWeek: European Member States Approve Privacy Shield Agreement | BBC: Privacy Shield data pact gets European approval | SC Magazine: Privacy Shield gets nod from EU, ripe for judicial challenge]

EU – EU-U.S. Privacy Shield 2.0 Signed, Sealed and Delivered

The European Commission and the U.S. Department of Commerce-approved updated version of the EU-U.S. Privacy Shield was green lighted by a regulatory committee of EU countries July 8 and will be formally adopted and finalized the following week, the authors write as they discuss the outlines of the new data transfer pact. The updated Decision also clarifies that while the general rule will be that the Principles apply to a U.S. business immediately upon filing of the self-certification documents with the U.S. Department of Commerce, there will be an exception for cases where an organization has a pre-existing relationship with third parties. [BNA] [EU-US Privacy Shield agreement goes into effect: Tech companies welcome new data transfer agreement, but activists say it doesn’t do enough to protect privacy | New ‘Privacy Shield’ deal between U.S. and Europe is already catching flak | Say hello to the General Data Protection Regulation |

EU – European Parliament Approves Cybersecurity Law

The European Parliament has approved cybersecurity legislation that “establish[es] a common level of network and information security and enhance[s] cooperation among EU member states, which will help prevent cyberattacks on Europe’s important interconnected infrastructures.” The new rules affect a broad spectrum of business sectors, including finance, energy, transportation, and technology. [Bloomberg Technology | ZDNet: European lawmakers approve new cybersecurity law | Bloomberg: European Union’s First Cybersecurity Law Gets Green Light | European Parliament Press Release: Cybersecurity: MEPs back rules to help vital services resist online threats | European Parliament Press Release: Cyber security: new rules to protect Europe’s infrastructure] See also: The Digital Economy Bill had its first reading in the U.K. Parliament. The bill would allow for sharing of information between public bodies when there is a public benefit, increase online protection for minors, offer universal broadband access and more.

EU – EU Planning $2B Cybersecurity Research Investment

The European Union wants a $2 billion investment into cybersecurity research. The EU is planning on contributing $500 million to it and is asking industry to contribute the remaining $1.5 billion. The European Commission fears the EU economy is susceptible to cyberattacks, saying the incidents “could undermine the digital single market and economic and social life as a whole.” The $2 billion cybersecurity public-private partnership is “intended [to] boost cross-border research into cybersecurity, and to aid development of security products and services for the energy, health, transport and finance industries,” said the European Commission in a report published Tuesday. Developing strong levels of cybersecurity can also be a big advantage for the EU over other countries, the European Commission said, as IT security continues to accelerate in growth worldwide. [PCWorld]

EU – Norwegian DPA Critiques Facebook at Work’s Terms of Use

The Norwegian Data Protection Authority has reviewed Facebook at Work and found its terms of use do not stand up to the national Personal Data Act. The agency said businesses using Facebook at Work to conduct internal communications must create their own terms for Facebook’s part as the provider, as those companies are liable for protecting privacy and maintaining information security. Since Facebook is acting as the provider, and given the social network’s history of mining user data, the DPA said, “Facebook’s entry to the Norwegian workplace therefore requires vigilance in terms of privacy implications.” The agency expects to release a more in-depth analysis this September. [Telecompaper]

EU – Helen Dixon: DPC’s Resources Tied Up by ‘Ambulance Chasers’

Ireland Data Protection Commissioner Helen Dixon says her agency’s resources are being gummed up by “digital ambulance chasing.” At issue are a number of complaints about issues that could be considered “embarrassing or distressing” but not necessarily critical. “On this note,” she said, “I think we are starting to see the rise in digital ambulance chasers in terms of certain legal firms presenting volumes of cases to the office where essentially their goal is to obtain a formal determination of the data protection commissioner that organization x,y,z is in breach of data protection legislation.” Dixon said she wonders if these type of complaints “really represents anyone’s interests well,” noting they tie up the DPC when the “controller has already acknowledged the contravention and attempted to right the wrong.” [The Irish Times]

Finance

EU – Commission Places Stronger Controls on Bitcoin, Pre-Paid Credit Cards

The European Commission is looking to strengthen its efforts to stop financial crimes and terrorism funding by placing tighter controls on bitcoin transactions and pre-paid credit cards. “Today’s proposals will help national authorities to track down people who hide their finances in order to commit crimes such as terrorism,” said European Commission First Vice President Frans Timmermans. “Member States will be able to get and share vital information about who really owns companies or trusts, who is dealing in online currencies, and who is using pre-paid cards.” Virtual currency exchanges must now conduct stricter customer identification checks on customers exchanging fiat for bitcoin and other digital currency. To cut down on the number of anonymous transactions, pre-paid credit card thresholds for identification have been lowered from 250 euros to 150 euros. [Law360]

FOI

US – Private-Account Email Can Be Subject to FOIA: Court

On the same day that the FBI announced that the criminal investigation of Hillary Clinton’s use of a private email server is likely to conclude without any charges, a federal appeals court issued a ruling that could complicate and prolong a slew of ongoing civil lawsuits over access to the messages Clinton and her top aides traded on personal accounts. In a decision Tuesday in a case not involving Clinton directly, the U.S. Court of Appeals for the D.C. Circuit held that messages contained in a personal email account can sometimes be considered government records subject to Freedom of Information Act requests. The case ruled on by the D.C. Circuit focused on a relatively obscure White House unit: the Office of Science and Technology Policy. At least one federal judge handling a FOIA suit focused on Clinton’s emails said last month he was watching to see how the D.C. Circuit ruled in the dispute involving Obama science adviser John Holdren and an account he kept on a server at the non-profit Woods Hole Research Center in Massachusetts. After the free-market-oriented Competitive Enterprise Institute filed suit over a request for work-related emails sent to or from that private account used by Holdren, U.S. District Court Judge Gladys Kessler ruled last year that the government had no duty to search an email account that wasn’t part of OSTP’s official system. But the three D.C. Circuit judges who ruled Tuesday all said Kessler was too rash in throwing out the suit and they agreed the case should be reinstated. While the opinions in the case make no mention of Clinton or her private server, it seems evident that all three appeals judges involved are aware of the obvious analogy. [Source]

Genetics

EU – Sweden May Open National DNA Database to Law Enforcement

The Swedish government may allow law enforcement and possibly private insurance companies to access its massive DNA database. The PKU Registry contains the genetic information of every single Swedish citizen under the age of 43, as the government allowed blood samples to be collected of every newborn since 1975 in order to aid medical research. Privacy advocates are pushing back against opening up the database. The Pirate Party’s Rick Falkvinge believes the decision would be “an outrageous and audacious breach of contract with the parents who were promised the sample would be used only for the good of humanity in terms of medical research.” Falkvinge argues the insinuation of opening the database to police will stop individuals from providing samples in the future. [Ars Technica]

Health / Medical

CA – OIPC AB Provides Guidance for Safeguarding Electronic Health Systems

This OIPC guidance is intended for custodians and their information managers (i.e. EHR service providers) to assess the safeguards in electronic health record system. Practices include a system design that restricts access on a need-to-know basis, a system ability to reduce access, view or disclosure capability based on an individual’s request, tracking of research requests for disclosure of health information, the inclusion of privacy statements or reminders on system screens, availability of backup and restoration procedures (including the audit log information) at an offsite location, and systems/processes to securely dispose of health information where authorized. [OIPC AB – Guidance for Electronic Health Record Systems]

UK – Patients Should Have More Control Over How Their Medical Data Is Used, Says Caldicott

The national data guardian in England recommended that a new consent and opt-out model for data sharing be implemented in the NHS in England in a report presented at the end of her review of health and care data security and consent, which had been commissioned by the UK government. Dame Fiona said that NHS bodies should generally be free to share patients’ medical data for the purposes of delivering care directly to those people. However, patients should be given control over any other proposed uses of their health records, she said. “People should be able to opt out of their personal confidential data being used for purposes beyond their direct care unless there is a mandatory legal requirement or an overriding public interest,” Dame Fiona said. “Relevant information about a patient should continue to be shared between health professionals in support of their care. An individual will still be able to ask their doctor or other healthcare professional not to share a particular piece of information with others involved in providing their care and should be asked for their explicit consent before access to their whole record is given,” she said. Dame Fiona said that the new opt out and consent model could consist of either asking patients a single question about whether they will allow their data to be used for purposes beyond direct care or a “two-part” mechanism that would allow patients to be more specific about the way their data can be used. [Source]

US – Nursing Home Operator Agrees to Pay $640,000 for ePHI Breach

The Department of Health and Human Services, Office for Civil Rights entered into an agreement with the Catholic Health Care Services of the Archdiocese of Philadelphia a business associate, to settle alleged violations of the HIPAA Security Rule. An operator-provided smartphone was stolen that was unencrypted and not password protected and contained social security numbers, diagnosis/treatment information, medical procedures and names of family members/legal guardians; the operator must conduct a risk analysis, implement prescribed policies and procedures (e.g. regarding the encryption of ePHI, password management, security incident response, and mobile device controls), implement training programs, and submit reportable events and implementation and annual reports. [HHS – Resolution Agreement – Catholic Health Care Services of the Archdiocese of Philadelphia Press Release | Resolution Agreement] [Business Associates Beware: First HIPAA Settlement with Business Associate]

UK – Gov’t Takes Surgeon’s Knife to Controversial NHS Care.Data Scheme

A recent review published by National Data Guardian Dame Fiona Caldicott suggests moving forward with the data sharing plans of the U.K.’s now-extinct Care.data health database for the U.K.’s national health care system. In her review, Calidcott recommended “new data security standards for the NHS and social care, a method for testing compliance against the standards, and a new opt out to make clear how people’s health and care information will be used and in what circumstances they can opt out.” Meanwhile, Polly Toynbee criticizes the privacy concern-borne criticism that led to the demise of Care.data in an op-ed for the Guardian, calling it a “loss” for the country. [Ars Technica]

Horror Stories

WW – Analysts Concerned by ‘Insider Threat’ Trend

Insider threats are growing increasingly more dangerous than external hackers, some security analysts predict. “A lot of companies are really worried about employees walking off with their data,” said Gartner’s Avivah Litan. “Insider threats have become a major issue because external criminals are actively recruiting insiders to help perpetrate their crimes, while disgruntled employees are actively making their insider services available.” The influence of the Dark Web has incentivized these threats, he added. “Disgruntled employees, especially those working in data-rich organizations like financial services companies, pharmaceutical firms, and in government are being actively recruited by and selling access to network credentials and corporate data to criminals on the Dark Web.” An Intel report from September 2015 determined that insiders could be blamed for 43% of lost data, and Verizon’s 2016 breach report blamed disgruntled insiders for roughly one in ten security incidents. [Christian Science Monitor] See also: [Former SaskPower employee illicitly accessed more than 4,000 HR files]

UK – Police Departments Commit 10 Data Breaches a Week: Study

A study from civil liberties group Big Brother Watch finds police forces in the U.K. are responsible for 10 data breaches a week. Big Brother Watch’s report, “Safe in Police Hands?“ found police departments committed 2,315 data breaches between June 2011 and December 2015. Incidents include officers illicitly using information for financial gain and passing sensitive information to organized crime syndicates. More than half of the breaches resulted in no formal disciplinary action, with 13% resulting in a resignation or termination. “While there have been improvements in how forces ensure data is handled correctly, this report reveals there is still room for improvement. Forces must look closely at the controls in place to prevent misuse and abuse,” the report said. [Computer Weekly]

US – Wendy’s Payment Card Data Breach Affected More Than 1,000 Locations

Wendy’s fast food restaurant chain now says that malware was found on point-of-sale systems at more than 1,025 of its franchises, considerably more than the 300 initially reported earlier this year. The malware targeted: cardholder name, credit or debit card number, expiration date, cardholder verification value, and service code. The investigation is still active. Fraudulent activity involving some of those accounts was first detected in fall 2015. [BBC: Food chain Wendy’s hit by massive hack | CNET: Wendy’s says payment card info accessed in malware attack | ZDNet: Wendy’s admits credit card hack is far worse than first thought | SecurityWeek: Over 1,000 Wendy’s Restaurants Hit by PoS Malware | USA Today: Wendy’s: Credit card numbers disclosed in cyber attack ]

Identity Issues

WW – ID Theft Cases Increased 57% as Thieves Mine Social Media

A study from fraud prevention service Cifas found the number of identity theft victims in the U.K. rose 57% in 2015. Cifas said there were 148,000 victims of identity theft last year, up from the 94,500 reported cases in 2014. The majority of the cases involved thieves assuming the identity of a real person, using their name, date of birth, address and bank details. Social media networks are becoming a popular place for identity thieves to garner the information necessary to commit the crimes. “The likes of Facebook, Twitter, LinkedIn and other online platforms are much more than just social media sites — they are now a hunting ground for identity thieves,” said Cifas Chief Executive Simon Dukes. “We are urging people to check their privacy settings today and think twice about what they share.” [BBC]

CA – OPC Releases Guidance on De-Identification

The OIPC Ontario outlined key issues to consider when de-identifying personal information in the form of structured data. An acceptable re-identification risk should assess information sensitivity, the level of detail of the information, the number of individuals, potential harms/injuries from a breach, and individual consent for disclosure; public and semi-public release should have a maximum risk measurement applied (non-public releases have an average risk), and agreements with recipients should prohibit re-identification, linking to external data sets, or sharing without permission. [IPC ON – De-identification Guidelines for Structured Data]

Internet / WWW

WW – The Cloud and Filing Cabinets Should Have the Same Privacy Rights

According to a civil complaint filed by Microsoft against the government in federal court, the U.S. government issued more than 5,600 demands to Microsoft over an 18-month period, seeking access to customer information hosted in the cloud. More than 2,500 of those demands came with court-issued secrecy orders that prevented Microsoft from alerting its customers that their information — including personal communications, business records and confidential documents — was being given to the government. Microsoft’s lawsuit challenges this abuse with a simple premise: citizens and businesses that store information on remote data centers are entitled to the same degree of privacy and freedom from unlawful seizure as those who store such information in filing cabinets or personal computers. [Source]

Law Enforcement

US – Minnesota Law Classifies Public and Private Law Enforcement Body-Worn Camera Footage

SB 498, classifying police body-worn camera data, has been signed into law by the Governor and is effective August 1, 2016. Footage is public data if it documents firearm discharge in the course of an officer’s duty, use of force that results in substantial bodily harm, and agencies may redact or withhold access to portion of public data that are clearly offensive to common sensibilities; individuals who are the subject of the footage may request access to a copy of the data, however data on other individuals who do not consent to its release must be redacted. [Senate Bill 498 – A Bill for an Act Relating to Portable Recording System Data – Minnesota Legislature]

UK – Police Suffered 2,315 Data Breaches in Last Five Years but Want More Data

A report from UK privacy watchdog Big Brother Watch (BBW) reveals that UK police suffered 2,315 data breaches between June 2011 and December 2015 as a result of insiders abusing their access to the data. BBW says that, in 869 cases, police officers accessed citizens private data without a work-related purpose, and in 877 incidents, police officers shared data with unauthorized third-parties. Few police officers who caused the breaches were punished. Despite the flagrant abuse, in 1,283 cases, authorities decided to take no disciplinary action against the individual that broke procedures. Only 297 cases resulted in the resignation or dismissal of the guilty employee. Authorities did decide to press charges, and for 70 cases, the investigation concluded with a criminal conviction or a caution warning. For 258 less flagrant cases, officers received a written or verbal warning. [Source]

EU – Swedish DPA Greenlights Security Police Registry of Terrorist Group Supporters

Swedish security police Säpo has received permission from the country’s data protection authority to register individuals who express support for ISIS and other terrorist groups. The authority deemed that public support of an EU or U.N.-recognized terror organization was not “sensitive personal information,” the report states. However, “according to Säpo, the decision from the Data Inspection Board does not mean that information can be registered based on political and religious beliefs, which is not generally allowed in Sweden,” the report adds. The move “will allow us to further streamline our work,” said Säpo Press Secretary Simon Bynert. “We will be able to register relevant tips and will be able to get a better overall picture of the people we follow.” [The Local]

Location

US – Researchers Develop Method for Stronger Location Data Control

A group of UCLA researchers are proposing a way to give users more granular control over their location in light of the growing amount of Internet of Things devices. Joshua Joy, Minh Lee, and Mario Gerla have come up with LocationSafe, a privacy module implemented directly into the GPSD of a user’s device, allowing the user to dictate the manner location data is provided before other applications can use it. “User applications requesting data of users is a binary permission, either I share my data or I don’t. However, sensitive data such as location needs finer control on how accurate and how often the location information is released,” the authors said in their paper. [Motherboard]

Online Privacy

EU – EU Submits Draft Code of Conduct on Privacy for Mobile Health Apps to Article 29 Working Party for Approval

the European Commission submitted a draft code of conduct for privacy for mobile health apps to the Article 29 Data Protection Working Party for its considerations and approval. The EC functioned as a facilitator with industry members who drafted a Code of Conduct. The Code of Conduct, once approved, can be voluntarily signed by app developers with a commitment to following its rules, including data protection principles (such as transparency and privacy by design), requires valid explicit consent for collect/use of data subject data, permits secondary use of data for scientific research or Big Data, and acknowledges that it can be difficult to irreversibly anonymise health data when a retention period expires. [European Commission – Draft Code of Conduct on Privacy for Mobile Health Applications Press Release | Draft Code of Conduct | Hogan Lovells]

EU – Tech Industry Gangs Up On European Commission, Calls for Cookie Law To Be Scrapped

A massive coalition of tech and telco companies have called for the EU’s so-called cookie law to be repealed. Ars reported yesterday that the European Commission was working to overhaul the current ePrivacy Directive, and had held a public consultation soliciting feedback. But a group of 12 trade bodies has now called for it to be scrapped altogether. The coalition includes the European Telecommunications and Network Operators association (ETNO), the European Competitive Telecommunications Association (ECTA), the GSMA representing mobile operators, the Computer and Communications Industry Association (CCIA), IAB, the interactive advertising bureau, and DigitalEurope. “We believe that simplifying and streamlining regulation will benefit consumers by ensuring they are provided with a simple, consistent, and meaningful set of rules designed to protect their personal data,” said the group. “At the same time, it will encourage innovation across the digital value chain and drive new growth and social opportunities. This is critical at a time when digital companies are striving to launch new innovative services and working to build a 5G Europe.” The coalition brings together telco operators, online service providers, hardware manufacturers, and online publishers. [Source]

US – MIT Researchers Develop Anonymity Network That Rivals TOR

Anonymity networks protect people living under repressive regimes from surveillance of their Internet use. But the recent discovery of vulnerabilities in the most popular of these networks — Tor — has prompted computer scientists to try to come up with more secure anonymity schemes. At the Privacy Enhancing Technologies Symposium in July, researchers at MIT’s Computer Science and Artificial Intelligence Laboratory and the École Polytechnique Fédérale de Lausanne will present a new anonymity scheme that provides strong security guarantees but uses bandwidth much more efficiently than its predecessors. In experiments, the researchers’ system required only one-tenth as much time as existing systems to transfer a large file between anonymous users. The system …employs several existing cryptographic techniques but combines them in a novel manner. The heart of the system is a series of servers called a mixnet. Each server permutes the order in which it receives messages before passing them on to the next. If, for instance, messages from senders Alice, Bob, and Carol reach the first server in the order A, B, C, that server would send them to the second server in a different order — say, C, B, A. The second server would permute them before sending them to the third, and so on. [MIT News]

Privacy (US)

US – Obama Administration Unveils National Privacy Research Strategy

The White House has announced the National Privacy Research Strategy, a program which aims to foster more sophisticated privacy research alongside the development of innovative data use. This strategy proposes the following priorities for privacy research:

  • Foster a multidisciplinary approach to privacy research and solutions;
  • Understand and measure privacy desires and impacts;
  • Develop system design methods that incorporate privacy desires, requirements, and controls;
  • Increase transparency of data collection, sharing, use, and retention;
  • Assure that information flows and use are consistent with privacy rules;
  • Develop approaches for remediation and recovery; and
  • Reduce privacy risks of analytical algorithms.

“With this strategy, our goal is to produce knowledge and technology that will enable individuals, commercial entities, and the federal government to benefit from technological advancements and data use while proactively identifying and mitigating privacy risks.” The strategy suggests increased transparency of data use; a more “multidisciplinary approach” to privacy research, and the creation of system design methods that satisfy privacy requirements. The new Federal Privacy R&D Interagency Working Group will help facilitate these efforts. [Press Release]

US – DEA Changes Wiretap Procedure After Questionable Eavesdropping Cases

Following criticism for its dubious surveillance program in the L.A. suburbs, the Drug Enforcement Administration is overhauling its procedures for agents to secure permission for wiretaps. DEA agents must discuss any plans for a wiretap with federal prosecutors, and then receive permission from a senior DEA official before taking their request to a state court. The change comes after an investigation discovered the DEA had a wiretapping program monitoring millions of calls and texts in the Los Angeles area, getting approval from a single state court judge while bypassing Justice Department lawyers. “With federal courts, there’s a significant amount of scrutiny on something before you get a wiretap, and there’s a lot of layers of protection for privacy that don’t exist in state court,” said Louisville defense lawyer Brian Butler, who is challenging the legality of the DEA’s past surveillance efforts. [USA Today]

US – Sports Authority’s Post-Bankruptcy Data Sale Sparks Privacy Concerns

After Dick’s Sporting Goods bid on and won the now-bankrupt Sports Authority’s trove of an estimated 25 million email addresses and 14 million shoppers’ files for $15 million, former Sports Authority consumers are now concerned about the potential ramifications on their privacy. “It’s extremely valuable data for companies to identify customers who are looking for a new home,” said SSP Blue’s Hemu Nigam. “Customer emails are stolen every day [but] they lack awareness that this is a possibility,” Nigam said. “The auction is raising awareness of another way customer data can be sold without even thinking about it.” Representatives from Dick’s Sporting Goods and Sports Authority declined to comment, the report states. [Los Angeles Times]

US – CFPB Proposes Privacy Notice Requirement Amendment

The Consumer Financial Protection Bureau is pitching to amend the privacy notice requirement under the Gramm-Leach-Bliley Act and has opened up a request for public comment. “The bureau is proposing to amend Regulation P, which requires, among other things, that financial institutions provide an annual notice describing their privacy policies and practices to their customers,” the report said. The CFPB alteration installs a December 2015 statutory amendment to the act, “providing an exception to this annual notice requirement for financial institutions that meet certain conditions.” The report also states, “If financial institutions share certain consumer information with particular types of third parties, the annual notices must also provide customers with an opportunity to opt out of the sharing.” [Consumer Finance]

US – Facebook 3rd-Party Data Sharing Case Will Move Forward with One Plaintiff

U.S. District Judge Ronald Whyte has ruled that plaintiff Wendy Marfeo’s suit against Facebook for allegedly sharing her information with a third-party site via “referrer headers” will move forward. Whyte found “that she had suffered harm by Facebook sharing her personal and private information despite the tech company’s many assertions it would not do so,” the report states. The judge did respect Facebook’s motion to dismiss co-plaintiff Katherine Pohl’s allegations that the company had shared her information with a third party, the report adds. “We are pleased that the court ruled in our favor and determined that the case should not proceed as a class action,” said a Facebook representative. [Courthouse News Service]

US – EFF and ACLU-led Coalition Opposes Dangerous “Model” Employee and Student “Privacy” Legislation

EFF, ACLU, and a coalition of nearly two-dozen civil liberties and advocacy organizations and a union representative are urging the Uniform Law Commission (ULC) to vote down dangerous model employee and student privacy legislation. The bill, the Employee and Student Online Privacy Protection Act (ESOPPA), is ostensibly aimed at protecting employee and student privacy. But its broad and vaguely worded exceptions and limitations overshadow any protections the bill attempts to provide. As our joint letter explains, ESOPPA will result in only further invasions of student and employee privacy. ESOPPA does next to nothing to prevent school administrators and employers—including public school employees and state officials—from coercing or requiring students and employees to turn over private, non-publicly available information from social media accounts. Furthermore, ESOPPA applies only to students at the college level and beyond, leaving the privacy of students at the high school level and below completely exposed. That’s why we’re asking the ULC to either address ESOPPA’s deficiencies or reject the bill outright at its upcoming meeting. Other organizations, including the Foundation for Individual Rights in Education (FIRE), have also sent their own letter to the ULC opposing the current draft of ESOPPA. You can read the full text of the letter below or access a PDF of the original letter here. Special thanks to all of our coalition partners, listed in full below. [Source]

US – More Than 95% of Public Comments Pan FCC Privacy Plans

More than 95% of public comments on a proposal by the Federal Communications Commission to regulate the privacy practices of broadband providers have been critical of that idea, according to a report. The figures were provided by “Protect Internet Freedom,” a nonprofit group that established an online platform for users to submit feedback to the FCC. “A total of 259,539 opposition comments were filed against the [rules], an overwhelming majority of the 271,669 total comments filed in the docket as the commenting deadline nears,” the group said in a press release. The public comment period is set to close this week. Democrats on the commission moved to issue the notice of proposed rulemaking, which would restrict how Internet providers are allowed to collect and use customer data. Critics say that tech companies like Google and Facebook represent a more significant threat and would be given an unfair advantage because the rule wouldn’t apply to them. [Washington Examiner]

RFID / IoT

US – Senator Asks FTC to Boost Privacy Efforts in IoT for Children

Sen. Mark Warner, D-Va., wrote a letter to FTC Chairwoman Edith Ramirez on her agency’s efforts to protect the privacy of the “Internet of Playthings.” In his letter, Warner says the FTC must work with Congress to safeguard children’s personal information as “smart toys” rise in popularity. “The ever-declining cost of digital storage and internet connectivity have made it possible to connect an unimaginable range of product and services,” Warner said in his letter. The senator cited researchers hacking into talking dolls and altering their responses and the ease of hacking the cloud to obtain conversations recorded by children’s toys as reasons for the FTC to take action. Warner also questioned Ramirez whether the FTC had enough authority to guard children’s privacy under the Children’s’ Online Privacy Protection Act with IoT on the rise. [Multichannel News]

Security

WW – Infrared Light Could Shut Off Forthcoming iPhones’ Camera

Apple has been granted a patent for an unnamed system that allows those with infrared-capable devices to disable the filming capabilities of proximate iPhones. While the system was initially developed to prevent bootlegging of films or illegal filming of concerts, there is concern that law enforcement agencies could manipulate it. “Given how police have secretly adapted new kinds of technology, from Stingrays that can intercept text messages in transit to license plate scanners, it’s not hard to predict how police could take [it] on as part of their arsenal, regardless of Apple’s recent anti-surveillance track record.” At the time of publication, Tech.Mic was still awaiting a potential response from Apple. [Tech.Mic]

US – Password Sharing Is a Federal Crime, Appeals Court Rules

One of the nation’s most powerful appeals courts ruled that sharing passwords can be a violation of the Computer Fraud and Abuse Act, a catch-all “hacking” law that has been widely used to prosecute behavior that bears no resemblance to hacking. In this particular instance, the conviction of David Nosal, a former employee of Korn/Ferry International research firm, was upheld by the Ninth Circuit Court of Appeals, who said that Nosal’s use of a former coworker’s password to access one of the firm’s databases was an “unauthorized” use of a computer system under the CFAA. The decision is a nightmare scenario for civil liberties groups, who say that such a broad interpretation of the CFAA means that millions of Americans are unwittingly violating federal law by sharing accounts on things like Netflix, HBO, Spotify, and Facebook. Stephen Reinhardt, the dissenting judge in the case, noted that the decision “threatens to criminalize all sorts of innocuous conduct engaged in daily by ordinary citizens.” At issue is language in the CFAA that makes it illegal to access a computer system “without authorization.” McKeown said that “without authorization” is “an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission.” The question that legal scholars, groups such as the Electronic Frontier Foundation, and dissenting judge Stephen Reinhardt ask is an important one: Authorization from who? [Motherboard] [Reuters]

WW – D-Link Camera Vulnerability Found in Other Devices

A vulnerability initially detected in D-Link wireless IP surveillance cameras is now known to affect as many as 400,000 devices, because the flawed software component was used in other D-Link devices. D-Link was notified of the issue by researchers; the company performed its own analysis of its devices and determined that 120 different products contain the vulnerable component. The flaw allows attackers to take control of the administrator account on the devices. There is currently no patch available. [ SANS ISC InfoSec Forums: Pentesters (and Attackers) Love Internet Connected Security Cameras! | SC Magazine: D-Link flaw affects 400,000 devices | The Register: 414,949 D-Link cameras, IoT devices can be hijacked over the net]

WW – Home Entertainment, Health Care Tools’ Security Ranks Most Vulnerable

Recent studies have found that while consumers are concerned with the overall costs and privacy implications of Internet of Things devices, security professionals have identified specific technologies as most vulnerable to attack. A survey by Lastline found that home entertainment systems, health care-related tools, and connected cars were among the top-ranking devices that troubled IT analysts the most. “The very nature of hacking dictates that people will find the new and innovative hacking targets, such as hacking into toys, smart TVs and refrigerators which are seemingly harmless, and try and compromise them — simply because they can,” said Lastline’s Brian Laing. “IoT presents one of those unchartered territories.” [MediaPost]

US – HHS Publishes HIPAA, Ransomware Fact Sheet

The Department of Health and Human Services has released a fact sheet on ransomware and HIPAA, noting that adhering to the rule’s requirements can help businesses prevent and recover from a data-hostage situation. Under HIPAA, “some of these required security measures include implementing a security management process, which includes conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information and implementing security measures to mitigate or remediate those identified risks,” the report states. HIPAA’s data backup requirements are also helpful should a ransomware occur, the fact sheet adds. Meanwhile, Becker’s Health IT and CIO Review reports that June was the worst month so far for hospital breaches in 2016, with more than 11 million patient records compromised. [Fact Sheet: Ransomware and HIPAA]

Surveillance

UK – 15 Secretive Orders ‘Allow Spy Agencies to Collect Communications Data’

A new report published by the Interception of Communications Commissioner’s Office (IOCCO) disclosed that there were a total of 23 “extant” section 94 directions within the scope of its oversight. They were all given by the Home Secretary or Foreign Secretary at various times between 2001 and 2016 on behalf of MI5, GCHQ, the three intelligence agencies collectively – MI5, GCHQ, and MI6 – or the Metropolitan Police’s counter-terrorism command. Fifteen of the directions relate to the acquisition of bulk communications data, while t he remaining eight directions relate to the provision of services in emergencies, for “civil contingency purposes” or to help agencies in safeguarding the security of their personnel and operations. [Source]

EU – Police Scotland to Dump Millions of ANPR Records Over Privacy Fears

A freedom of information request made earlier this year revealed that Police Scotland kept records of every recorded vehicle movement dating back to 2012, even though data protection rules prohibit forces from keeping records that are not linked to criminal activity being kept for longer than two years. Now a trove of official documents on ANPR published by The Ferret shows that senior officers were aware that they could be breaking data protection rules by retaining ANPR records as early as 2013. [The Ferret] [ANPR records retained by Police Scotland ]

Telecom / TV

EU – Vodafone Customers Exposed to Potential Privacy Breach

The Data Protection Commissioner of Ireland will look into an alleged Vodafone breach after users discovered that anyone with knowledge of their phone number can check their balance without passing through security controls. Vodafone maintains that the service is both acclaimed and unproblematic. The company “does not view this as a data protection breach on the basis that the balance given is not identifiable personal data,” Vodafone said in a statement. “The privacy of Vodafone’s customers is afforded the highest priority and the company continuously seeks feedback from our customers on the services we provide as well as regularly reviewing the IVR (interactive voice response) functionality.” [Independent.ie]

US – FCC Rules Government Can Make Robo-Calls

A ruling from the Federal Communications Commission clarified that federal government employees and their contractors are exempt from robo-call regulations. The regulations specifically prevent “persons” from making the calls, defined as “an individual, partnership, association, joint-stock company, trust, or corporation.” The FCC felt that the U.S. government does not fit in those categories, and was therefore free to make these calls until the law changes to specifically prohibit them. “The implications of the decision could be far-reaching,” the report states. “It validates the ability of federal agencies to perform surveys and polls on the effectiveness of their programs. … It also affirms the ability of contractors to make robo-calls to inform people of their Social Security benefits.” [The Washington Post]

US – Federal Judge Rules Automated Calls Can Cause Harm, Cites Spokeo

A West Virginia federal judge ruled the plaintiff accusing Got Warranty Inc., N.C.W.C. Inc. and Palmer Administrative Services Inc., of violating the Telephone Consumer Protection Act can move forward with her lawsuit. U.S. District Judge John Preston Bailey cited the Spokeo decision in the ruling, saying Diana Mey’s suit against the companies proved she suffered both tangible and intangible harm. Mey alleges the companies sent her numerous automated phone calls causing her harm in the form of lost battery life, lost phone minutes, and the “intrusion upon and occupation of the capacity of the consumer’s cellphone,” said Bailey. [Law 360]

US Government Programs

US – OMB Leadership Mandates Breach-Response Contracts

According to a memo issued by Office of Management and Budget Chief Acquisition Officer Anne Rung, all government agencies providing credit monitoring and identity theft protection must contract via the General Services Administration’s Identity Monitoring Data Breach Response and Protection Services blanket purchase agreement. “Taking advantage of the IPS BPAs ensures agencies can meet their needs for expeditious delivery of best-in-class solutions from pre-approved and vetted companies at competitive pricing,” Rung wrote. “For these reasons, the IPS BPAs shall be treated as a preferred source for federal agencies.” This would help avoid violation of federal laws, as the inspector general said the Office of Personnel Management did after “choosing the wrong contract vehicle” in the wake of its 2015 breach, the report states. [Federal Times]

US – NSA Labels Privacy-Centric Internet Users as Extremists

The NSA is not making any friends these days, and their latest statement on privacy-centric journalists is not helping matters much either. To be more precise, an investigation by the agency revealed how they are continuing to target the Tor network. Moreover, The Linux Journal is referred to as an “extremist forum”. Quite a strong sentiment, and possibly completely misguided as well. [The Merkle]

US Legislation

US – Ohio Bill Would Provide Privacy Exemptions for Releasing Police Body Cam Videos

The bill introduced by Rep. Niraj Antani, a Miamisburg Republican, maintains that camera videos are public records but adds exemptions to address privacy concerns. Body camera use has proliferated in recent years as have the legal issues surrounding their public release. Antani said he’s not aware of any Ohio cases where privacy was invaded on body camera video, but that lawmakers should be proactive considering more police departments are using them. [Source]

Workplace Privacy

US – Employees Express Workplace Wearables, BYOD Security Concerns

A Tech Pro Research survey found that while mobile devices are nearly universally used in the workplace, not all employees feel their devices are completely secure, ZDNet reports. The respondents expressed specific concern over wearables’ security. “Only 57% of respondents said their companies require user IDs and passwords, and less than a quarter used data encryption or device management software,” the report states. Bring-your-own-device security was also called into question. While 76% of respondents’ employers allowed the practice, “IT departments are still divided about supporting these devices,” the report adds. [Full Story]

WW – Business Travellers Putting Organisations’ Cyber-Security at Risk

Business travellers are more likely to be targeted for their access to private and corporate data than be mugged, according to a new report. A survey by Kaspersky Lab of 11,850 people from across Europe, Russia, Latin America, Asia Pacific and the US found that the pressure from work to get online is clouding the judgment of business travellers when connecting to the internet. It said that three in five (59%) of people in senior roles say they try to log on as quickly as possible upon arrival abroad because there is an expectation at work that they will stay connected. The research also found that 47% think that employers, if they send staff overseas, must accept any security risks that go with it. Almost half (48%) of senior managers and more than two in five (43%) of mid-level managers use unsecure public access Wi-Fi networks to connect their work devices when abroad. At least two in five (44% and 40%, respectively) use Wi-Fi to transmit work emails with sensitive or confidential attachments. One of the main reasons for business travellers acting the way they do on business is down to a widely held assumption that their work devices are inherently more secure than private communications tools, regardless of their connectivity. Two in five (41%) expect their employers to have set strong security measures. This is most pronounced among business leaders (53%) and mid-level executives (46%). One in five (20%) senior executives admit to using work devices to access websites of a sensitive nature via Wi-Fi – compared to an average 12%. One in four (27%) have done the same for online banking – compared to an average 16%. Kaspersky Lab said that the report showed that cyber-crime is a real hazard while traveling and employees are putting confidential business information at risk. [Source]

+++

 

25 June – 04 July 2016

Big Data

WW – Perspectives on Big Data, Ethics, and Society

A white paper has been published from the Council for Big Data, Ethics, and Society. The paper consolidates conversations and ideas from two years of meetings and discussions and identifies policy changes that would encourage greater engagement and reflection on ethics topics. It also indicates a number of pedagogical needs for data science instructors; explores cultural and institutional barriers to collaboration between ethicists, social scientists and data scientists in academia and industry around ethics challenges; and offers recommendations geared toward those who are invested in a future for data science, big data analytics, and artificial intelligence guided by ethical considerations along with technical merit. [Full Story]

US – What Algorithmic Injustice Looks Like in Real Life

Courtrooms across the nation are using computer programs to predict who will be a future criminal. The programs help inform decisions on everything from bail to sentencing. They are meant to make the criminal justice system fairer — and to weed out human biases. ProPublica tested one such program and found that it’s often wrong — and biased against blacks. (Read our story.) We looked at the risk scores the program spit out for more than 7,000 people arrested in Broward County, Florida in 2013 and 2014. We checked to see how many defendants were charged with new crimes over the next two years — the same benchmark used by the creators of the algorithm. Our analysis showed:

  • The formula was particularly likely to falsely flag black defendants as future criminals, wrongly labeling them this way at almost twice the rate as white defendants.
  • White defendants were mislabeled as low risk more often than black defendants. [Source]

Canada

CA – Ontario IPC Releases 2015 Annual Report

The Information and Privacy Commissioner of Ontario has published his 2015 annual report. Commissioner Brian Beamish has made four overarching suggestions for the year ahead. They include expanding the jurisdiction of established privacy laws, creating order-making power for privacy complaints, review address changing technologies, and enacting “mandatory proactive disclosure of identified categories of records.” He also recommended updating FIPPA and MFIPPA. “A public review and update of the acts will ensure greater transparency and accountability of government institutions, meet the growing expectations of the public and ensure that Ontarians benefit from the same access and privacy rights as other Canadians.” [IPC]

CA – Nova Scotia Still Missing Key Privacy Protections Says Annual Report

Nova Scotia’s information and privacy commissioner says the province needs a statutory duty to report breaches of individual privacy. Commissioner Catherine Tully published her office’s annual report on Nova Scotia’s access to information and protection of privacy laws. It found that personal information held by public bodies was “likely breached between 10 and 154 times” over the last year. Tully writes that her office is notified of minor breaches of privacy, but not major ones, and she’s “increasingly concerned” about those breaches that go unreported. The privacy office claims the number of minor breaches of private health information increased 75% this past year. It’s currently impossible to determine if there was an equal increase in major breaches. According to the annual report, there was also a 41% increase in new cases for the OIPC over this past year, along with a jump of 569% (from four to 58) in external consultations about file requests. Despite the heavier workload, the office boasts that it’s resolved 10% more complaints than 2014/15, with an average turnaround time of 65 days. [The Coast] [Global News] [Nova Scotians need better notification of privacy breaches, report says]

CA – PC Says Saskatchewan Health Care Laws Need Revisions: Annual Report

The Office of the Saskatchewan Information and Privacy Commissioner released its 2015-2016 Annual Report “Striking a Balance“. Saskatchewan Privacy Commissioner Ronald Kruzeniski recommended updates to the province’s 2003 Health Information Privacy Act in his 2015-2016 annual report. The health care law currently does not regulate post-breach patient notification, an omission Kruzeniski finds problematic. He further emphasized that “the act should also specify how long personal health information should be retained.” [Global News] [Sask. health minister considering beefing up privacy rules]

CA – Manitoba OIPC Releases Annual Report

Manitoba’s Ombudsman issued its 2015 Annual Report relating to the Freedom of Information and Protection of Privacy Act, the Personal Health Information Act, and the Public Interest Disclosure (Whistleblower Protection) Act. [Source]

CA – Drew McArthur Named British Columbia’s Acting Commissioner

Drew McArthur has been named acting information and privacy commissioner for British Columbia. McArthur will be taking the role vacated by Elizabeth Denham, who will be taking over the role of U.K. Information Commissioner from Christopher Graham. McArthur had served for six years on the Office of the Information and Privacy Commissioner’s external advisory board, while helping develop and install the privacy policy for Telus as its chief compliance officer. [Castanet]

E-Government

UK – Government Websites Must Switch to HTTPS with HSTS

All UK Government Digital Services websites will be required to adopt HTTPS encryption by October 1, 2016. The sites will also be required to use HTTP Strict Transport Security (HSTS) to protect them from downgrade attacks, and to publish a Domain-based Message Authentication, Reporting, and Conformance (DMARC) policy for email systems. [V3: GDS to demand that all government websites go HTTPS from 1 October | Tom’s Hardware: UK Government Websites To Be Secured By HTTPS, HSTS, DMARC By October 2016 | GDS Guidance (February 2016): Domain-based Message Authentication, Reporting and Conformance (DMARC)]

Encryption

US – House Encryption Report Says No Current Bills Appropriate Solution

The House Subcommittee on Homeland Security released a report that states no current bills in Congress appropriately address the current encryption-government access issue. The report was based on “more than a hundred meetings” with privacy advocates, technologists, cryptographers and law enforcement. Though it does not present a way forward, it does reject the viability of all current bills, including the controversial Burr-Feinstein bill. The Subcommittee published a “primer” regarding the encryption debate in the legislature. The paper is based on “extensive discussions with stakeholders,” and says that no legislation yet proposed adequately addresses the issue, noting that “Lawmakers need to develop a far deeper understanding of this complex issue before they attempt a legislative fix,” the report states. [Wired] [Wired: Even Congress Is Slamming That Crummy Crypto Bill | US House: Going Dark, Going Forward: A Primer on the Encryption Debate] See also: [Pending Russian Legislation Would Require Companies to Decrypt Communications]

EU Developments

EU – New US-EU Data Transfer Agreement Expected to Win Approval

The New York Times reports that the EU is expected to approve the new draft of the US-EU Privacy Shield data transfer agreement. The new framework, developed to replace the Safe Harbor agreement that the European Court of Justice struck down last year, “protects the fundamental rights of Europeans and ensures legal certainty for businesses,” according to European Commission spokesman Christian Wigand. The absence of an agreement has left US companies in limbo regarding European customer data. In early June, the Hamburg (Germany) Data Commissioner fined three companies for using the defunct Safe Harbor agreement to transfer European customer data to the US. While agreement may have been reached, a number of hurdles stand in the way of passage. The first is that each of the member states of the EU have to pass the agreement. From there it will then be passed on to the College of Commissioners who will then validate the adequacy of the agreement. [New York Times: Europe Is Expected to Approve E.U.-U.S. Data Transfer Pact | Reuters: German privacy regulator fines three firms over U.S. data transfers] and European Commission sends new Shield to Article 31, vote expected this week.

EU – Belgian DPA Loses Privacy Case Against Facebook

The data protection authority in Belgium has said it lost its privacy case against Facebook. The Belgian DPA wanted the social network to stop tracking non-users of Facebook in Belgium who go to Facebook pages. Facebook has argued the so-called datr cookie is a security measure. A spokeswoman for the Belgian Privacy Commission said the case was dismissed by the Brussels Appeals Court because the regulator does not have jurisdiction over Facebook. The company’s European headquarters is located in Ireland. [Reuters]

UK – Christopher Graham Says Goodbye to ICO in Final Annual Report

Outgoing U.K. Information Commissioner Christopher Graham spoke highly of the agency in the last year as its head in his final annual report. “We have delivered on our objectives, responded to new challenges and prepared for big changes, particularly in the data protection and privacy field,” said Graham, who also discussed the agency’s work handling data breaches and other privacy violations. “The ICO also took part in the debate on surveillance and security and the Investigatory Powers Bill. And, in its responses following the Schrems judgment, with all the implications for trans-Atlantic data flows, the ICO’s influential counsel helped to avert a meltdown,” said Graham. The departing information commissioner also bid farewell on the ICO’s YouTube page, while calling the upcoming months and years ahead an exciting time for his successor, Elizabeth Denham. [Computer Weekly]

Facts & Stats

WW – Study: More Than 50% of SMBs Suffered Breaches Within Last Year

Security organization Keeper Security released the results of a study it conducted with Ponemon Institute on the rate small- and medium-sized businesses are hit with data breaches. The survey found more than 50% of SMBs suffered a breach within the last 12 months, and only 14% of the organizations polled felt their ability to stop attacks are highly effective. Phishing and social engineering attacks were the most common types of incidents, and while anti-virus software was deemed useful, companies felt they could not count on them to stop breaches. “Cyberattack prevention is now everyone’s responsibility,” said CEO of Keeper Security. “As both frequency and size of data breaches increases, SMBs must face the reality that a material adverse financial impact on their business is a real possibility.” [Market Wired]

Finance

WW – World-Check Terrorism Database Leaks Online

A financial crime database used by banks has been leaked on to the net. World-Check Risk Screening contains details about people and organisations suspected of being involved in terrorism, organised crime and money laundering, among other offences. Access is supposed to be restricted under European privacy laws. But the database’s creator, Thomson Reuters, has confirmed an unnamed third-party has exposed an “out of date” version online. The leak was discovered by security researcher Chris Vickery and made public by the Register, which reported it contained more than two million records and was two years old. “There was no protection at all. No username or password required to see the records,” Mr Vickery told the BBC. [BBC News]

FOI

CA – Ontario Doctors Challenge Ruling That Would Identify Top OHIP Billers

The Ontario Medical Association (OMA) is seeking to overturn a landmark decision by the province’s privacy commissioner to release the names of top-billing doctors. In addition, a group of about 40 doctors and one physician acting alone who are on the list have made separate applications for a judicial review of an order from the privacy commissioner to release to the Toronto Star the identities of the top 100 billers. The three parties filed applications this week with the province’s divisional court to quash the ruling made June 1 by the Information and Privacy Commissioner of Ontario. In seeking a judicial review of Higgins’ decision, the OMA, which represents the province’s 29,000 doctors, is arguing that it is not in keeping with previous rulings by the commissioner. “We continue to advocate that this is personal information and, without the proper context, OHIP billings will be misconstrued as income, which is false,” OMA president Dr. Virginia Walley said in a written statement. “OHIP billings do not provide insight into the number of hours doctors work, the complexity of care they provide to patients, or the overhead costs they bear in order to staff, equip and run their clinics.” Among the organization’s other arguments: the ruling is incorrect and/or unreasonable, the adjudicator failed to consider submissions from doctors, and the ruling was made without proper legal or factual bases. The two other physician parties are making similar arguments. They are asking the courts for a special order permitting them to proceed with the judicial review without their identities being made public. The physician acting alone, described only as “Dr. A.B.,” also argues that he was never informed about the case by the privacy commissioner even though he is among the top billers. He was never given the opportunity to argue his case, unlike other affected doctors, his application states. [Toronto Star]

CA – OIPC BC Finds Public Body Must Disclose Internal Investigative Information

The Office of the BC Information and Privacy Commissioner reviewed a decision by the Independent Investigations Office to deny access to records requested pursuant to the Freedom of Information and Protection of Privacy Act. Disclosure of the information would not harm the effectiveness of investigative techniques and procedures used; techniques used are obvious and clearly known to the general public (employee interviews and examining electronic equipment), and other information withheld was administrative (e.g. details about scheduling, general protocol and procedures, non-sensitive information about investigations the requestor was working on when employed by the public body). [OIPC BC – Order F16-28 – Independent Investigations Office]

Health / Medical

CA – Education Key to Preventing Medical Record Snooping: Commissioner

The latest case of medical record snooping uncovered in Ontario — in which at least six Mississauga patients had their files probed — highlights the ongoing challenge to protect patient privacy in the digital age, the province’s privacy commissioner says. Since formally assuming the role in 2015 — in the midst of controversies over a spate of snooping incidents of patient record across the province — Ontario privacy commissioner Brian Beamish has emphasized stiffer punishments for what he calls “higher-end cases.” That’s why five of the six snooping cases that have ever been referred to the attorney general for breaking the province’s health privacy legislation have occurred on Beamish’s watch, he said. “Snooping was a continuing, recurring problem, and we started to think: what else can we do to reinforce that this is unacceptable?” Beamish told the Star in an interview. On Monday, the College of Physicians and Surgeons of Ontario held its first-ever disciplinary hearing for one of its members accused of snooping. Dr. Douglas Brooks, a general practice physician in Sault Ste. Marie, was found to have improperly probed the electronic medical records of two non-patients several times, college spokesperson Kathryn Clarke said in an emailed statement. Brooks had his college certification suspended for five months, must participate in medical ethics training, and was ordered to pay $5,000 in costs for the hearing, Clarke said. There are three more discipline hearings scheduled in the coming months for alleged snooping by other doctors. [The Star]

US – States Pass Laws Requiring Dependents’ Care Remain Confidential

Several states have passed laws and regulations ensuring medical communications for dependents remain confidential. With the Affordable Care Act allowing young adults to remain on their parents’ insurance until they are 26, policyholders can receive notices from insurers every time their child gets medical care. California, Colorado and other states are starting to fill in gaps not covered by HIPAA requiring insurers to keep those encounters private for the patients’ safety. “There’s a longstanding awareness that disclosures by insurers could create dangers for individuals,” said Center for Adolescent Health and the Law Director Abigail English. “But there was an added impetus to concerns about the confidentiality of insurance information with the dramatic increase in the number of young adults staying on their parents’ plan until age 26.” [Kaiser Health News] [US: States Offer Privacy Protection For Young Adults On Parent’s Health Plan]

Horror Stories

WW – List of ‘Heightened-Risk Individuals’ Not Secure Enough, Researcher Says

Security researcher Chris Vickery has discovered a global terror watchlist containing more than 2.7 million entries of “heightened-risk individuals.” Vickery found the list on a server “configured for public access,” making the sensitive information too easy to investigate, he said. “If governments and banks are going to alter lives based upon information in a database like this, then there needs to be some sort of oversight,” Vickery added. There’s also the issue of data revision or deletion. “Those who are named in the database have little or no recourse to have their data corrected or removed,” the report adds. [ZDNet] [ZDNet: A massive financial crime and terrorism database has leaked]

Identity Issues

CA – Trudeau Says Canada Will Explore Gender-Neutral ID Cards

Canada is exploring the use of gender-neutral options on identity cards, Justin Trudeau told a television station as he became the first Canadian prime minister to march in a gay pride parade. Trudeau, who participated in the downtown Toronto parade along with other politicians, did not give details, saying only the government was exploring the “best way” and studying other jurisdictions. Last week, the Canadian province of Ontario said it would allow the use of a third gender indicator, X, for driver’s licenses, which are commonly used in North America to provide identification. Countries including Australia, New Zealand and Nepal already allow the use of the X gender indicator. [Source] [Fake fingerprints: The latest tactic for protecting privacy]

US – FOIA Improvement Act Becomes Law

President Obama has signed the Freedom of Information Act Improvement Act into law. It “codifies a statutory presumption of openness,” clarifying the need for agencies to justify their decision to withhold information rather than placing the burden of justification on the entity making the request. The bill also places a 25-year limit on the length of time agencies may keep internal deliberations confidential, and it requires the Office of Management and Budget (OMB) to create a single-access website for making FOIA requests. [SC Magazine: Obama signs FOIA reform bill into law | Federal News Radio: Obama celebrates 50th anniversary of FOIA by signing update into law | White House: Fact Sheet: New Steps Toward Ensuring Openness and Transparency in Government]

Law Enforcement

EU – Disgruntled Ex-Employee Leaks Info On 112,000 Police Officers

A file containing the home addresses and telephone numbers of 112,000 French police officers was uploaded to Google Drive with minimal protection. The data’s only means of protection was a “simple password,” and an investigation has been launched to determine if the compromised data was accessed. The data reportedly originated from a health and benefit insurance firm tied to the police and was uploaded by a disgruntled ex-employee in what is described as “an act of revenge.” The situation comes after French police work to implement extra privacy measures for their officers following the murder of a police officer by an ISIS jihadi in early June. [International Business Times]

Location

WW – Location Data Can Help Facebook Make Friend Suggestions

Facebook’s “People You May Know” feature now uses location data in addition to other features to suggest potential connections on its mobile app. If users have their Facebook app location settings switched to “always have access,” the company’s algorithms can identify and suggest users who have shared GPS and network connections as potential friends. Not everyone is comfortable with the practice. “Using location data this way is dangerous,” said Samford University’s Woodrow Hartzog. “People need to keep their visits to places like doctor’s offices, rehab and support centers discreet.” Facebook countered that location isn’t the sole factor in its suggestion process. “That’s why location is only one of the factors we use to suggest people you may know,” a Facebook representative said. [Fusion] [Facebook admits to using your location to suggest friends]

Online Privacy

US – Google Beats Children’s Web Privacy Appeal, Viacom to Face One Claim

Google and Viacom defeated an appeal in a nationwide class action lawsuit by parents who claimed the companies illegally tracked the online activity of children under the age of 13 who watched videos and played video games on Nickelodeon’s website. By a 3-0 vote, the 3rd U.S. Circuit Court of Appeals said Google, a unit of Alphabet, and Viacom were not liable under several federal and state laws for planting “cookies” on boys’ and girls’ computers, to gather data that advertisers could use to send targeted ads. The court also revived one state law privacy claim against Viacom, claiming that it promised on the Nick.com website not to collect children’s personal information, but did so anyway. Monday’s decision largely upheld a January 2015 ruling by U.S. District Judge Stanley Chesler in Newark, New Jersey. It returned the surviving claim to him. [Source]

US – Browse Free or Die? New Hampshire Library Is at Privacy Fore

A small library in New Hampshire sits at the forefront of global efforts to promote privacy and fight government surveillance—to the consternation of law enforcement. The Kilton Public Library in Lebanon, a city of 13,000, last year became the nation’s first library to use Tor, software that masks the location and identity of internet users, in a pilot project initiated by the Cambridge, Massachusetts-based Library Freedom Project. Users the world over can—and do—have their searches randomly routed through the library. [Source]

Other Jurisdictions

AU – Victorian Watchdog Develops Protocols for Agencies

Victorian Commissioner for Data and Privacy Protection David Watts has established regulations that would require agency heads to adhere to a minimum standard of data protection principles. The rules, dubbed the Victorian Protective Data Security Framework require agencies to have “a formal incident management plan; an organization-specific security management framework; and an access management regime,” among others. The rules also give the commissioner’s office “free and full access to data or data systems when requested.” [iTnews]

Privacy (US)

US – ACLU Files Legal Challenge to Computer Fraud and Abuse Act

The ACLU has filed a lawsuit challenging the Computer Fraud and Abuse Act (CFAA) on behalf of journalists, computer scientists, and academic researchers investigating online discrimination. The lawsuit focuses on a problematic CFAA provision: the prohibition against “exceeding authorized access” has often been interpreted to include violations of websites’ terms of service. [Washington Post: Does this cybercrime law actually keep us from fighting discrimination? | Computerworld: ACLU lawsuit challenges U.S. computer hacking law | Wired: Researchers Sue the Government Over Computer Hacking Law | CNET: ACLU sues to kill decades-old hacking law | SC Magazine: ACLU suit challenges CFAA for thwarting studies on discrimination | ACLU: ACLU Challenges Law Preventing Studies on ‘Big Data’ Discrimination | ACLU: SANDVIG V. LYNCH – COMPLAINT]

US – CDT Criticizes DHS’ Cyber-Threat Sharing Model

The Center for Democracy and Technology criticized the Department of Homeland Security’s cyber-threat sharing model. “The guidance fails to address many of the foundational issues in the law itself, and we remain concerned that [the Cybersecurity Information Sharing Act] will result in the sharing of sensitive personal information [that] could then be used for purposes that go far beyond ‘cybersecurity,’” the CDT said in a report. The CDT was highly critical of the four DHS guidelines for private organizations to share cyber-threat indicators with the government and amongst themselves. “None of the guidelines address one baseline issue — the overly permissive ‘use’ provision that allows cybersecurity information to be shared and then used for non-cybersecurity purposes,” the CDT said. [The Hill]

Privacy Enhancing Technologies (PETs)

WW – $6.1M Raised to Fund Data Startup

Data-sharing startup Digi.me has received $6.1 million in funding from its Series A push, most of which came from global re-insurer Swiss Re. The move is “is one key plank of a strategy for bagging the critical mass of users needed to deliver on a radical rethink of how personal data is collected and shared online,” the report states. For Digi.me founder Julian Ranger, the service is about empowering each user. Digi.me is “bringing data together for the individual and we were doing it on the individual’s own devices — which is the key thing for Digi.me is that we don’t see, touch, nor hold any data ever; it’s all only held by the individual — and that’s when the whole idea for [the current business vision] came about,” he said. [TechCrunch]

RFID / IoT

US – Broadband Advisory Group to Study Privacy, Security of IoT

The Broadband Internet Technical Advisory Group has announced a study on the technical aspects to the Internet of Things industry’s privacy and security. The multistakeholder nonprofit will study mobile phones, computers, tablets and other devices. “To address the technical issues underlying these security- and privacy-related concerns, BITAG’s technical working group will analyze this topic and issue a report that will describe the issue in-depth, highlight technical observations, and suggest appropriate best practices,” the group said in a statement. The BITAG aims to release the results of the study in the fall, the report states. [Broadcasting & Cable]

Security

WW – 67% of Drives for Sale Still Contain Sensitive Data: Study

Security organization Blancco Technology Group (BTG) found that 67% of 200 analyzed hard drives purchased from eBay and Craigslist still contained previous users’ personally identifiable information. An additional 11% contained “sensitive corporate data.” Companies must “test that [their] deletion methods are adequate,” said BTG. “Remaining data can still be accessed and recovered unless the data is securely and permanently erased.” This can lead to data breaches, loss of consumer trust, and even enforcement action. The U.K. ICO fined the Brighton and Sussex University Hospitals NHS Trust 325,000 GBP in 2012 for selling unclean drives online. [InfoSecurity]

Surveillance

US – Courts 2015 Wiretap Report

According to the US Courts 2015 Wiretap Report, the total number of federal and state wiretaps issued in 2015 was 4,148, a 17% increase from the number granted in 2014. No requests were reported as denied in 2015. While law enforcement encountered encryption in just 13 of those cases, the FBI indicated that it does not seek wiretap orders in cases where it knows it will encounter encryption. The report does not include wiretap requests made to the Foreign Intelligence Surveillance Court. [Encryption, wiretaps and the Feds: THE TRUTH | US courts didn’t reject a single wiretap request in 2015, says report | Wiretaps harvest fewer encrypted communications | Wiretap Report 2015]

UK – Surveillance Bill Web Activity Logging a Huge Risk to Privacy, Peers Warn

A former senior chief in the U.K.’s Met Police and now a Lib Dem peer in the House of Lords has warned about major risks to the privacy of web users’ personal data from a provision in the Investigatory Powers bill that would require ISPs to retain information on the websites and services accessed by their users for a full 12 months — so called Internet Connection Records (ICRs). Lord Paddick noted that the provision is not being requested by the security services, who have additional investigatory tools to obtain the data they need, so is purely a power on the police’s wish-list — going on to argue that the catch-all nature of ICRs is disproportionate given the warrantless access the bill affords police to this personal data on all U.K. web users. Any “reasonably high-profile individual” could be at risk of being accused of a crime they did not commit — resulting in their entire personal web access history being handed over to the police, Paddick argued. The draft bill has still to go through committee and report stages, so is certain to be subject to further amendments. Lib Dem peers are certainly mounting a concerted effort to tackle some of the more controversial elements of the bill, with Lord Strasburger also speaking out against ICRs, noting that a similar move was abandoned in Denmark in 2014 and warning the bill creates a “new theft risk” for internet users. Other elements concerning the Lib Dem peers at this stage include threats to privileged communications, such as between lawyers and their clients; so-called “request filters,” which imply a behind the scenes attempt by the government to build a searchable database of citizen data (including pulling in data from ICRs); the “vexed question” (as Strasburger put it) of bulk powers — currently under independent review by QC David Anderson, which was another concession pushed for by the Labour party; inconsistencies in authorization mechanisms for intercept warrants; and the need to ensure judicial commissioners, who are set to approve and review warrants, are rigorously independent of the government that appoints them. Strasburger also pointed to the current turmoil in the U.K. political landscape following the Brexit vote, noting “how quickly ruthless politicians can replace leaders” and warning of associated risks to freedom and democracy if such intrusive legislation passes onto the statute books unamended. “In the hands of an extreme government the IP bill is a toolkit for tyranny,” he warned. [techcrunch.com]

Telecom / TV

CA – 911 System Framework Should Limit Info Required for Communications

The OPC comments on the CRTC’s Notice of Consultation regarding a regulatory framework for next-generation 911. Existing policy states that individuals’ name, location, telephone number, and service class are provided for responding to calls; however other information will likely be collected (e.g. health information, voice and location information, personal medical alert systems, and intelligent transportation systems), and there should be boundaries to limit information required, and how the information is accessed. [OPC Canada – Establishment of a Regulatory Framework for Next-Generation 911 in Canada – Submission to the CRTC]

WW – Norton Releases New App Protecting Data Over Public Wi-Fi Networks

FREE Wi-Fi is no different to a filthy public toilet, water fountain or payphone. That’s according to antivirus firm Norton, which has released a new app designed to stop hackers from stealing users’ private information over unsecured Wi-Fi. According to Norton, more than one quarter of Australians have accessed banking or financial information while using public Wi-Fi — but most people can’t tell the difference between a secure and unsecure connection. The firm says hackers are eavesdropping and intercepting consumer information regularly, but 63% of Australians think their data is protected. Commonly available tools can easily see traffic, potentially exposing passwords, emails, social media accounts, photos, videos and financial information. The Norton Wi-Fi Privacy app, launched globally this week for iOS and Android, is designed to protect that data by routing all traffic through a virtual private network (VPN). It will also block advertisers from placing tracking cookies on your device. [news.com.au] [Yahoo] [Norton launches privacy app to combat hackers]

US Government Programs

US – FTC Closes 70% of Its Security Investigations

During a Heritage Foundation discussion on federal online data security regulations, Federal Trade Commission Commissioner Maureen Ohlhausen said her agency closes approximately 70% of the security investigations it opens. “The touchstone of our data security is reasonableness,” Ohlhausen said. “A company’s data security measures must be reasonable, in light of the sensitivity and volume of the consumer information it holds, the size and complexity of its data operations, and the cost of the available tools to improve security and reduce vulnerabilities.” Ohlhausen said the FTC doesn’t investigate companies over a single flaw, but rather, it investigates companies that have major issues with their overall security programs. If a company’s security is “reasonable, or even good,” she said, the investigation can be wrapped up quickly if the company resolves the issue in a timely manner. [FedScoop]

 

 

18-24 June 2016

Biometrics

WW – IBIA Approves New Facial Recognition Best Practices

The International Biometrics + Identity Association voiced its approval of a new set of facial recognition best practices. The guidelines were created by the Department of Commerce’s National Telecommunications and Information Administration, and have been hailed by the IBIA as a flexible guideline for numerous applications of the technology, including authentication and social media. “The clear benefits of facial recognition technology come with a responsibility to users and consumers,” said IBIA Managing Director Tovah LaDier. “These privacy best practices will help to assure the public that facial recognition is being used responsibly and accountably. They also demonstrate the strong commitment of the industry to protecting the public’s privacy, even as new technologies and applications emerge.” [Planet Biometrics] [NTIA group agrees on face recognition code of conduct]

Canada

CA – The OPCC has Released Its Annual Report for 2015-2016. [Source]

CA – PI Contained in Public Court or Tribunal Decisions is Publicly Available Information: OPC

The Office of the Privacy Commissioner investigated a complaint about an online legal database pursuant to PIPEDA. The OPC dismissed a complaint alleging an online legal database unlawfully published an individual’s PI by publishing a court decision about her; the PI appeared in a public judicial document for which there was no publication ban, and the company’s subscription-based research tools and services do not undermine the balance between privacy and the open courts principle. [OPC Canada – PIPEDA Report of Findings #2015-013 – Online legal database doesn’t need consent to use publicly available court decisions, in support of the open court principle]

CA – Decision Provides Rare Insight on the Applicability of RTBF in Québec

On April 14th, 2016, the Commission d’accès à l’information (the “CAI”) issued a decision discussing the relevance of the “right to be forgotten” with regards to the “right to rectification” found in the Act Respecting the Protection of Personal Information in the Private Sector, CQLR, c. P-39.1. The CAI interestingly noted that a person’s right to rectification with respect to inaccurate, incomplete or equivocal information is distinct from the “right to be forgotten.” This right, which is recognized in the European Union, allows individuals to stop search engines from providing links to information about them that is deemed “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes of the processing at issue.”  As a result of this decision, it is now clear that the right to be forgotten is irrelevant to the examination of the right to rectification, as the two rights are different, both conceptually and practically. [Source]

CA – Therrien to Trudeau: Government Privacy Law Outdated

In a letter to Prime Minister Justin Trudeau, Privacy Commissioner Daniel Therrien warns that without renewal, protections under Canada’s Privacy Act “are proving to be increasingly out of touch with Canadians and their engagement with the digital world.” The act, which governs federal government data handling, was passed in 1983 and no substantial changes have been made to it since, reports The Star, even while advances in technology have dramatically changed the way government does business. A representative for the prime minister says the issue is a priority and they “are committed to working with the commissioner on an active and ongoing basis,” noting the minister of justice is reviewing the recommendations. [Source]

CA – BCCLA Says Warrantless Spying on Canadians Must End

In the latest step in a court case launched in 2013, the British Columbia Civil Liberties Association is asking the federal court to allow access to government documents that would shed light on the surveillance activities of the Communications Security Establishment. Specifically, the BCCLA objects to the warrantless collection of information on Canadian citizens, and points to recent data mishandling by the CSE as part of its participation in the Five Eyes program with Australia, New Zealand, the U.K. and the U.S. “The CSE is engaged in what is surely one of the largest warrantless activities directed at Canadians,” the BCCLA Litigation Director Grace Pastine told On the Coast guest host Michelle Eliot. [CBC News]

CA – Federal Court Finds Individual’s Request for Review of OPC Report Misdirected

The Federal Court hears E.W’s request for review of the findings of the Privacy Commissioner of Canada in response to her privacy complaint against the Department of Human Resources and Skills Development Canada. The OPC (after an investigation of the individual’s complaint of alleged improper collection of personal information without her consent) could not reach a finding, since 12 years had passed since the alleged collection, and the file retention period for the information had elapsed; the individual was provided opportunity to make submissions, all relevant evidence was investigated by the OPC, and the individual’s grievance lies with the institution that collected the data, not the OPC. [E.W. v. Privacy Commissioner of Canada – Federal Court – 2015 FC 1420]

CA – Proposed Manitoba Bill to Protect Kids Draws Privacy Criticism

Proposed legislation that would make it easier for Manitoba agencies and police to share information about at-risk children is raising privacy concerns. The Progressive Conservative government introduced Bill 8, the Protecting Children (Information Sharing) Act, earlier this week. The bill authorizes organizations and others who provide services to at-risk and vulnerable children to collect, use and disclose personal information or personal health information about them. The act would apply not only to children in the care of CFS or those involved in the criminal justice system, but also to those who require disability services, mental-health services, addiction services, victim services and to schoolchildren with special needs who require an individual education plan. Information could be disclosed about parents or guardians of the children.  Michelle Falk, executive director of the Manitoba Association for Rights and Liberties, said it appears the bill would give “ordinary bureaucrats” the power to make judgment calls that could have long-term implications for children in care and their families. “It gives unfettered authority to any government department, agency or the police department to share any information to any other department,” she said Thursday. [Winnipeg Free Press]

CA – Other Canadian News

Consumer

CA – New Online Tool Allows Users to Ask Companies About Their Data

A new version of a Canadian website allows individuals to contact companies to see what information they have collected. Access My Info Canada originally was created to message telecommunications companies, but the new version launched by developer Andrew Hilts now gives users the chance to reach out to companies making fitness trackers and dating apps. “This can help people answer questions if they’ve ever wondered if their cellphone provider is logging their location, or if their online dating app is ever sharing their sexual preferences,” said Hilts. Access My Info has been created to help consumers understand their rights under Canadian privacy laws, while also giving them information on what data could be compromised if a company were to suffer a data breach. [CBC News]

US – For Consumers, Injury Is Hard to Prove in Data-Breach Cases

The Wall Street Journal reports on consumer lawsuits following data breaches, and whether companies should be forced to compensate customers for attacks exposing sensitive information. Judges dismiss the majority of lawsuits spawning from major data breaches, including those in attacks against Target and Home Depot because customers have not been able to prove the breaches have caused any tangible harm. Companies argue having personal data exposed doesn’t equate to harm requiring compensation, and when stolen credit card information results in fraudulent purchases, customers often cannot prove the fraud was a result of the breach. Federal judges in Illinois and California, however, have let lawsuits proceed, possibly opening a door for corporate liability. [Wall Street Journal]

US – Privacy by the Numbers: A Deep Dive into the Structure of Privacy Policies

As researchers from the Common Sense District Privacy Evaluation Initiative analyze the correlation between the content and stylistic infrastructure of privacy policies, they have flagged “potential indicators” that they say will help them to analyze them more efficiently, the group’s Bill Fitzgerald writes. While Fitzgerald said he and his researchers “do not think we will find any direct correlation between policy structures and whether terms are good or bad,” technical elements of the policies, such as reading level, length of terms and structure, create patterns that matter. “It’s difficult to say what constitutes a ‘normal’ policy without a baseline, and the work we will be launching this summer will help create a clearer picture — supported by openly available data — of what a typical policy looks like,” he wrote. [The Journal]

E-Mail

US – Supreme Court Decision May Support Microsoft’s Position in Ireland Server Data Case

In a decision released earlier this week, the US Supreme Court wrote, “absent clearly expressed congressional intent to the contrary, federal laws will be construed to have only domestic application.” The ruling was made in a RICO (Racketeer Influences and Corrupt Organizations) Act case. While unrelated to the Microsoft case in which the company is refusing to surrender data held on a server in Ireland to US officials, the decision could provide support for Microsoft’s position that the Electronic Communications Privacy Act (ECPA) does not say that congress intended it to “reach private emails stored on provider’s computers in foreign countries.” [Computerworld: Microsoft invokes Supreme Court opinion in Ireland email case]

WW – Board Members Increasingly Targeted by Spearphishing Schemes

A growing trend is corporate boards of directors falling victim to spearphishing attacks. Board members can be hit by these schemes by receiving malicious emails that ask for tax information and bank transfer requests and sending it to another employee who handles the response. Members have lost financial statements, cybersecurity documents and intellectual property, mainly through a lack of education on identifying spearphishing emails. “Most board members use personal email accounts to handle board communications so they don’t get mixed with the emails from the companies where they work,” said Experian Information Solutions Vice President, Data Breach Resolution Michael Bruemmer. “These are less secure, and we have seen examples of these accounts having been compromised.” [CSO Online]

Encryption

US – Apple Makes Encrypted Operating System Public

In a surprising move, Apple has exposed the inner workings of its encryption-based operating system for the first time. The tech giant did not reveal whether the disclosure of its kernel was by design, but many in the security industry believe Apple made the code public in order to help locate possible security weaknesses in the software. To date, Apple has not run any bug bounty programs. The move comes after Apple’s well-publicized battle with the FBI in the San Bernardino case. By choosing to expose its software rather than starting a bug bounty program, Apple is taking a big risk, the report states. “This is a gamble,” said forensic scientist Jonathan Zdziarski. “But I can see the possible reason that Apple may have decided to make this wager.” [MIT Technology Review]

EU Developments

EU – German Court Ruling: WhatsApp Must Translate English TOS and Privacy Policy to German

German courts have ruled WhatsApp has violated the country’s Telemedia Act by forcing users to agree to the app’s terms of service in English. When the judgement is finalized, WhatsApp will be required to translate its terms of service and privacy policy into German, or face a $283,000 fine. Klaus Muller, CEO of the Federation of German Consumer Organizations, said companies make it difficult for consumers to comprehend terms of services, and WhatsApp has made it even harder for German users with the conditions written in a foreign language. The courts ruled WhatsApp’s violation stems from not allowing users to contact a German country representative if they have any questions or concerns . WhatsApp has not announced whether it will appeal the ruling. [Neurogadget]

Facts & Stats

CA – Average Cost of a Data Breach Up 12.5% Among Canadian Firms: Report

Canadian CISOs who want more hard data to convince the C-suite and boards to devote more resources to cybersecurity have a new report to show. If a study of 24 Canadian organizations is accurate, the total cost over a recent 12 month period of a breach of over 1,000 records went up 12.5 per cent compared to 2014 to just over $6 million. Another way of looking at it is the average cost per record stolen or lost went up 10.6% to $278 compared to the same period the year before. These numbers come from a study released last week by the Ponemon Institute that was funded by IBM. The costs were based upon estimates provided by participating victim organizations. The report is part of an annual global study of breaches in 13 countries (United States, United Kingdom, Germany, Australia, France, Brazil, Japan, Italy, India, the United Arab Emirates, Saudi Arabia, Canada and, for the first time, South Africa), which last year covered 383 organizations. The average cost of a breach across all those firms was US$4 million. [IT World Canada]

Filtering

UK – Mandatory Web Monitoring in Schools Opens a Slippery Can of Worms

Without Parliamentary or public discussion, children’s internet use will be monitored by third parties from September. This is despite widespread associated concerns – including choking off free speech, religious freedom, and staff feeling vulnerable – presented to the Joint Select Committee for Human Rights by experts in education and security legislation. The brief paragraph 75 in The Department for Education (DfE) “New measures to keep children safe online at school and at home“ statutory guidance Safeguarding in Schools, will impose a change from a duty ‘to consider’ web monitoring to one that ‘should ensure’ it for educational establishments, excluding 16-19 academies and free schools. The supporting advice to which the Government response points, suggests actively monitoring all screen activity during a lesson from a central console using appropriate technology as a solution, even in circumstances that suggest low risk. And that logfile information should be able to identify an individual user, and be reviewed regularly. Pro-active monitoring is suggested where alerts are managed by a third-party provider. The Department for Education’s summary response and advice however offers little practical support to school leaders how to concretely take these things into account, while still meeting human rights legislation. Without explicit clarity on the practice of monitoring personal electronic devices not owned by the school, we risk a slippery descent into schools made complicit in a privacy invasion of family life. [Schoolweek]

FOI

CA – Audit Finds Vancouver Failing to Meet FOI Deadlines, Deleting Emails

City hall has received a stern talking to from the province’s information and privacy commissioner following an audit of Vancouver’s compliance with freedom-of-information (FOI) laws. “It is clear to me there is a need for change to the approach city staff use in processing access requests,” commissioner Elizabeth Denham said in a June 23 media release. “We observed shortcomings in almost every step of the freedom of information process—from receipt of the request, to searching for records, to the timeliness of response to the applicant and the content of the response itself.” The audit, conducted by the Office of the Information and Privacy Commissioner of B.C., mostly focuses on FOI response times and delays that appear to target requests filed by members of the media. But the report’s most troubling findings concern the alleged deletion of records and evasion of FOI laws. The OIPC, however, found that an examination of these concerns fell outside the scope of its investigation. [Straight]

CA – NFLD Public Bodies Should Not Allow Staff Use of Personal Email Accounts for Work

The Office of the Information and Privacy Commissioner in Newfoundland and Labrador (“OIPC”) issues guidelines relating to the use of personal email accounts for public business. Use of personal email accounts does not relieve the duty to thoroughly search for records responsive FOI requests and produce them, however, officers and employees may be reluctant to produce records from these accounts or provide access for FOI purposes; personal accounts are less likely to meet requirements to protect personal information under a public body’s custody or control (terms of service may allow for third-party access, and security features may not be adequate). [OIPC NFLD – Use of Personal Email Accounts for Public Business]

US – Dropbox’s New Transparency Report Includes State-By-State Breakdown

Releasing its biannual transparency report, Dropbox has included a state-by-state breakdown of government requests in their July-December 2015 study. Dropbox received 574 requests for user data from around the globe, including 348 search warrants and 206 subpoenas, providing information on the vast majority of inquiries. California had more requests than any state in the U.S. with 70, followed by Texas with 49, Florida with 48, and Virginia with 32. “Although we continue to see an increase in requests from U.S. law enforcement, the numbers remain small compared to our user base of over half a billion users,” Dropbox said in a blog post. The company also detailed the joint efforts with tech companies to oppose government legislation forcing organizations to undermine their security protocols. [Dropbox Blog Post]

Genetics

CA – Supreme Court Rules Police Can Swab Suspected Rapist Without Warrant

In a ruling that adds to police powers in investigating rape, the Supreme Court of Canada says police have the right to take a penile swab (without a warrant) from suspected attackers, forcibly if necessary, as long as they do so in a private cell and have reasonable grounds to believe they will find relevant evidence. Just two Supreme Court judges, both of them women, said a penile swab should be deemed an illegal search. In a strong dissent in the case, Justice Andromache Karakatsanis accused the majority of straying from precedents that found a “close relationship between bodily privacy and human dignity.” Justice Rosalie Abella said she would have disallowed the penile swab and barred the evidence from being used. [G&M]

Health / Medical

CA – Trillium Health Partners Hit With Privacy Class Action

A class-action lawsuit has been filed against Trillium Health Partners, alleging a doctor’s assistant used patient credentials to access medical records. Former patient Katie Mallinson filed the suit against Dr. Tony Vettese and his assistant Lisa Lyons, claiming Lyons accessed Trillium’s database to review the confidential records of an unknown number of patients for many years. The records contain sensitive medical information, including medication history, treatments received and diseases suffered. The suit seeks $2 million in general damages, while stating Trillium’s privacy policies and procedures are “inadequate, underfunded and unenforced.” Trillium was not aware of Lyons’ improper access until Mallinson first became suspicious of illicit activity. [Press Release] See also: [397 medical records snooped at Hamilton General Hospital]

US – Workers May Soon Have to Share Health Data — Or Pay A Penalty

New Equal Employment Opportunity Commission regulations may force employees to share medical data in order to qualify for benefits, or face penalties. If employees choose not to share medical data with their employers, they face increases in health premiums and the possibility of the EEOC suing their organization. Privacy advocates are concerned employees will have to pay more for their privacy as well as face potential discrimination if an employee chooses to opt out of the program. Wellness programs also have access to medical records and insurance claims data, meaning employers can learn about genetic test results and access information on employee family history. “Our argument is participation in a wellness program is simply no longer voluntary if employees can be penalized in this way,” said American Society of Human Genetics Science Policy Director Derek Scholes. [BuzzFeed]

WW – Google Unveils Symptom-Search Functionality

Google has announced it will list related conditions when users search the site using health symptoms as keywords. “We create the list of symptoms by looking for health conditions mentioned in web results, and then checking [sic] them against high-quality medical information we’ve collected from doctors for our Knowledge Graph,” the report states. The move is an effort to simplify accessing and understanding online health information. The feature will go live in “the next few days” in the U.S. and will expand internationally in the future. [Google Blog]

US – OCR Releases Video Guidance on Provision of Medical Records

The summer movie season is now officially in full swing, with the release of three informational videos regarding HIPAA and the right of individuals to access their medical records, published by the Office of Civil Rights of the Department of Health and Human Services. The video trilogy, and accompanying infographic, are the eagerly-awaited sequel to OCR’s guidance “Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.525,” issued earlier this year. That guidance is essential reading for companies operating in the medical records space, as it sets forth OCR’s views on such topics as how records must be provided upon request, methods for calculating reasonable fees for copies, and provision of medical records to third parties at a patient’s direction. [Source]

Horror Stories

US – Three Hacked Hospital Databases Up For Sale on Deep Web

Breaches of three separate health databases by one hacker has resulted in more than 650,000 medical records for sale on the deep web. The hacker was able to tap into a vulnerability in each database’s Remote Desktop Protocol. One database from Georgia containing more than 400,000 records is priced at 607 bitcoin, the report states. “Although it remains unclear as to which hospital was attacked, this story goes to show how lackluster IT security keeps plaguing the health care industry,” the report adds. Meanwhile, a TrapX Security study has found that hackers are increasingly targeting medical devices used within hospital systems, ZDNet reports. These tools “often contain backdoors, botnet connections and remote access tunnels for cyberattackers to manipulate devices,” the report adds. [The Merkle]

WW – Hacker Plans to Release 100,000 Escort Site User Records

Moroccan hacker ElSurveillance has breached and defaced an additional 37 escort sites, which are mostly from the U.K., and pledged to leak 100,000 users’ data online in the coming week. This is not the first instance of ElSurveillance’s breach activity, with the hacker claiming 79 defacement incidents of similar sites in January, the report states. The hacks are religiously motivated. “[O]ur bodies are gifted from Allah to us to look after and not to destroy,” the hacker said. “Unlike [ElSurveillance’s] fellow ISIS-affiliated colleagues who spread fear, threats and warnings of violence, he’s spreading a message of peace and a religious-rooted message,” the report adds. [Softpedia]

CA – Personal Info in 100,000 IT Requests Compromised in SFU Privacy Breach

More than 100,000 Simon Fraser University information technology service requests from 2013-2016 were inadvertently stored in an unprotected server for four months. The data compromised included 20,294 email addresses, contact information and other personal data, the report states. The school’s IT team discovered the breach May 16 and brought the information offline the next day, notifying the affected students in early June, the report adds. “We have no evidence that any third party accessed the database during the time it was unprotected, nor do we have any evidence that there was any misuse of the information contained in the database,” said SFU Communications Director Kurt Heinrich. He added that the school was reviewing and modifying additional breach protections. [Burnabynow]

Identity Issues

WW – Dashcam Smartphone App to Employ License-Plate Detection

A new smartphone app takes all of the features of a dashcam and adds license-plate detection to warn users of potentially dangerous drivers. The Nexar app uses a smartphone’s camera to detect and record automotive activity and collisions. It also plans to add “real-time warnings” to help drivers avoid cars with bad track records. Nexar uses machine vision and artificial intelligence algorithms to locate license plates and record drivers who speed and perform illegal maneuvers. Privacy concerns will likely arise, but the recording process is likely legal. “Courts generally say that people generally have little or no expectation of privacy in the movements of their cars on public roads,” said University of Chicago law professor Lior Strahilevitz, “as long as cars aren’t being tracked everywhere they go for a lengthy period of time.” [PC Magazine]

Location

US – Ad Network Settles with FTC, Will Pay $950,000 for Location Tracking

The FTC announced it has settled with the Singapore-based mobile advertising company InMobi under charges that it “deceptively tracked” the locations of hundreds of millions of consumers — including children — without notification or consent. As part of the settlement, InMobi will pay $950,000 in civil penalties and implement a comprehensive privacy program. The FTC alleges that the company — whose ad software reaches nearly 1 billion consumers worldwide — also violated COPPA by collecting location information from apps directed at children. “This settlement ensures that InMobi will honor consumers’ privacy choices in the future, and will be held accountable for keeping their privacy promises,” said FTC Bureau of Consumer Protection Director Jessica Rich. [FTC] – Ars Technica: Firm pays $950,000 penalty for using Wi-Fi signals to secretly track phone users | – Computerworld: Mobile advertiser tracked users’ locations without their consent, FTC alleges | – FTC: Mobile Advertising Network InMobi Settles FTC Charges It Tracked Hundreds of Millions of Consumers’ Locations Without Permission]

Online Privacy

US – Senate Rejects Measure That Would Allow FBI to Search Browsing Histories Without a Warrant

US legislators have rejected an amendment to a criminal justice funding bill that would have allowed the FBI to conduct warrantless searchers of people’s browsing histories. While the measure garnered a majority of the votes, it failed to obtain the necessary 60 votes to advance. The issue may come up for consideration as soon as next week, however, because Senate majority leader Mitch McConnell submitted a motion to reconsider it. Sources: – CNET: Senate nixes plan for warrantless FBI searches of internet browsing histories | – ZDNet: Senate rejects FBI bid for warrantless access to internet browsing histories | – Washington Post: After Orlando, Senate rejects plan to allow FBI Web searches without court order]

WW – New Firefox Feature Allows Users to Create Individual ‘Personalities’

A new feature from Mozilla will allow users to separate their web history within their browser. Firefox Containers divides the browser into individual “personalities.” Each persona can be used for different internet activities, such as banking, work, shopping and for personal use. The browsing histories and cookies are kept within a “fully segregated cookie jar” by keeping each persona’s caches separate, according to a Mozilla blog post. “We all portray different characteristics of ourselves in different situations,” said Mozilla Security Engineer Tanvi Vyas. “But when I use the web, I can’t do that very well. There is no easy way to segregate my identities such that my browsing behavior while shopping for toddler clothes doesn’t cross over to my browsing behavior while working.” [The Christian Science Monitor]

US – Cloud-Based EHR Company Settles FTC Complaint It Failed to Advise that Reviews of Doctors Containing Patient Information Would Be Made Public

This FTC agreement settles allegations that Practice Fusion, Inc. failed to disclose that consumer reviews containing sensitive personal information would be publicly disclosed in violation of the FTC Act. The company is prohibited from misrepresenting the extent to which it makes certain information (e.g. health information) publicly available (including by posting on the Internet); prior to such disclosure, the company must provide notice and obtain express consent from consumers, and must not maintain any healthcare provider review information (except for review and retrieval by its healthcare provider customers, or as permitted by law, regulation or legal process). FTC – In the Matter of Practice Fusion, Inc. – Complaint and Agreement Containing Consent Order | Press Release | Complaint]

Other Jurisdictions

IS – Judge Approves $400 Million Class Action Against Facebook for Violating Privacy

Israel’s Central District Court has approved a $400 million privacy class-action suit against Facebook, ruling that the company’s terms-of-use requirement for all lawsuits to be heard in California was invalid. The suit alleged that the company both breached privacy protocols by targeting advertisements based off of users’ private posts, and failed to register its database in Israel’s national database registry as mandated by the country’s law, the report states. “Perhaps the time has come to examine the issue from a different angle, from the customer’s standpoint, especially when he’s the customer of huge international corporations that deal with customers all over the world,” said Judge Esther Stemmer. The court gave Facebook 90 days to respond to the suit. [Haaretz]

Privacy (US)

US – Tech Companies Oppose Government Hacking Rule Change

A group of 50 organizations including Google and the American Civil Liberties Union has called upon Congress to block “dangerously broad” changes that, effective Dec. 1, increase judges’ warrant jurisdiction. The changes to Rule 41 of the Federal Criminal Procedure “invite law enforcement to seek warrants authorizing them to hack thousands of computers at once — which it is hard to imagine would not be in direct violation of the Fourth Amendment,” the later states. Meanwhile, in an additional report from Morning Consult, Sen. John McCain, R-Ariz., expressed his support for FBI Director James Comey’s surveillance perspectives over those of privacy advocates. “I have great sympathy for them but I respect more the view of Director Comey,” he said. [Morning Consult]

US – NTIA Publishes Revised Best Drone Practices Guidance

The National Telecommunications and Information Administration has released an updated best drone practices guidance. The guide is the culmination of a two-month public comment session and subsequent May 18 meeting on drone privacy and transparency issues. Meanwhile, the Federal Aviation Administration has published a 600-page drone regulation document that does not include specific privacy protocols, The Intercept reports. The Electronic Privacy Information Center responded to the announcement with a statement on its website, recalling its 2015 suit of the FAA for failing to regulate drone privacy. [NTIA]

US – Obama Administration Approves FAA Rules for Small Drones

The Obama administration has approved the commercial use of small drones. The Federal Aviation Administration created a new class of rules for drones weighing less than 55 pounds, fly up to 400 feet, and below 100 miles per hour. Drone operators now have the ability to fly the unmanned aircraft without special permission, but must be at least 16 years old. Drones will not be allowed to fly at night, unless they have special lighting and stay at least 5 miles from an airport. Transportation Secretary Anthony Foxx said, “As this new technology continues to grow and develop, we want to make sure we strike the right balance between innovation and safety.” [Reuters] [Op-ed: FAA’s rules for small drones are flawed]

US – AG Enforcement, Algorithmic Discrimination Top PLSC Line-Up

The Privacy Law Scholars Conference held its ninth annual gathering in Washington at the beginning of this month, bringing together academics and practitioners to present papers that are still in development. The workshop environment is a closed circuit — no tweeting or blogging about what happens there is allowed, and papers may or may not ever be published. However, papers and ideas inevitably rise to the top, and the IAPP recognizes two of those with its annual IAPP Papers Award, voted on by attendees. [IAPP]

Privacy Enhancing Technologies (PETs)

WW – Silent Circle Launches Virtual Security Assistant Privacy Meter

Silent Circle has announced its Silent OS 3.0 for Android mobile phones will include a program that will regularly scan a device, alerting the user if any apps, services or settings contain privacy-compromising elements. The program, dubbed “Privacy Meter,” is automatically embedded into the operating system, the report states. “Think of it as an assistant that is always next to you helping you maintain the most awareness of your Privacy Profile,” said Silent Circle’s David Puron. “Whether you have available software updates, your browsing certificates have been altered, or an app is sharing your location, the Privacy Meter will show you what is happening then guide you through the appropriate configurations, if desired.” [ZDNet]

RFID / IoT

US – Chicago Needs More Detail in Array of Things Privacy Policy, Experts Say

The city of Chicago is preparing to install a network of sensors that will track people on city streets — walking, biking, driving — and privacy experts say it needs to better spell out how it will use that information. The nine-page privacy policy includes just a few paragraphs on how the data will be collected, used and shared. The city plans to install 500 Array of Things devices across the city by the end of 2018. They will house sensors including a low-grade camera and microphone that can capture images and sound from passersby, bringing a new scale of data collection to busy intersections. Officials say the project will help improve city life by analyzing patterns in environmental and human behavior. City officials are seeking public input on the policy before installing the first 42 devices, slated to go up around the city starting in late July. The second of two public forums on the policy is from 5:30 to 7 p.m. Wednesday at the Harold Washington Library downtown. [Chicago Tribune]

Smart Cards

US – California County Approves Ordinance Restricting Government Use of New Technologies

The Board of Supervisors of Santa Clara County approved Ordinance No. NS-300.897, relating to surveillance technology and community safety. Law enforcement must seek approval of the County Board before purchasing any new surveillance technologies (e.g. drones, automated license plate readers, GPS, cell-site simulators, RFIDs, facial recognition, biometric identification); annual surveillance reports must be submitted to the Board detailing usage, complaints, internal audits, and how successful different technologies have been. [Ordinance No. NS-300.897 – Surveillance Technology and Community Safety – Board of Supervisors of Santa Clara County]

US Government Programs

US – DHS Wants to Snoop on Travelers’ Facebook, Twitter, and Instagram Accounts

The Department of Homeland Security has opened its proposal to include an optional field to disclose social media handles in travel documents to public comment. The documents in question are the Electronic System for Travel Authorization and Form I-94W, a document foreign travelers complete when leaving and entering the U.S., the report states. “Please enter information associated with your online presence — Provider/Platform — Social media identifier,” the forms would read if the proposal is accepted. “As phrased that could include your Twitter handle, the URL for your Facebook page, your OkCupid or Grindr handle …” the report adds. “Where does it end?” DHS will accept comments here until Aug. 22. [Fusion]

US Legislation

US – McConnell Pushes Measure to Expand Surveillance Tools

Senate Majority Leader Mitch McConnell, R-Ky., has proposed an amendment to the bill funding the Department of Justice and Department of Commerce that would both increase federal law enforcement surveillance powers and “permanently extend” elements of the PATRIOT Act. “Both measures have been criticized by privacy and civil liberties advocates, who have fought the proposals on multiple fronts in recent months,” the report states. The bill is considered similar to the legislative revisions Senate Republicans aim to make to the Electronic Communications Privacy Act, the report adds. A procedural vote on McConnell’s amendment is predicted for Wednesday. [The Hill]

US – Other Privacy News

Workplace Privacy

WW – BYOD Can Pose Privacy Risks to Employees: Study

Companies that use remote device management software to oversee employee devices used for business have the ability to collect a lot more information than employees may be comfortable with, according to a report released today. “The intent of these MDM solutions is not to spy on employees, but to monitor for things like malware and general security,” said Salim Hafid, product manager at Bitglass, which produced the report. But if the company wants to, these tools provide the ability to do a lot more, he said. That includes seeing where the phone is located, what apps are on the phone, and even what websites the user was accessing. “We were able to see virtually all the activity on the device,” he said. “We could see that some of our employees search for health information on the web.” [CSO Online]

WW – Russian Technology Allows Employers to Monitor Phone Calls

A Moscow security firm has created technology allowing companies to listen in on mobile calls made on their property. InfoWatch, a former subsidiary of Kaspersky Lab, says it has created the product for companies trying to curb information leaks by scanning employee phone calls for key terms that may prompt an investigation. While InfoWatch is legal in Russia, installing it in western countries would be very difficult. “This technology may become a hot ticket for any company seeking to protect its commercial secrets,” said Gartner analyst Petr Gorodetskiy. “But it can’t be rolled out in markets where it may trigger court claims.” Others question whether the product is truly functional. “The part that puzzles me is how successful speech recognition, transcription and automated analysis of texts can be,” said Polytechnic University of Milan professor Stefano Zanero “I would be surprised if any major company decided to buy into this.” [Bloomberg]

+++

 

10-17 June 2016

Biometrics

US – GAO Criticizes FBI on Facial Recognition Database

The Government Accountability Office has issued an in-depth report critical of the FBI’s use of facial recognition technology. Specifically, the GAO has “concerns regarding both the effectiveness of the technology” and the “protection of privacy and individual civil liberties.” The FBI has collected 411 million photos in various databases. “The FBI has entered into agreements to search and access external databases — including millions of U.S. citizens’ driver’s license and passport photos,” the GAO states, but until the FBI can assure the data they receive is accurate, “it is unclear whether such agreements are beneficial to the FBI.” Meanwhile, the National Telecommunications and Information Administration released suggested best practices derived from its multi-stakeholder process on facial recognition. Several consumer and privacy advocacy organizations have come out against the guidelines. [ZDNet] [Huge FBI facial recognition database falls short on privacy and accuracy, auditor says ]

AU – Australian Cops Want to Use Fingerprint Scanners to ID People In Public

The South Australian state parliament is considering a proposal to give police the power to scan fingerprints in public. If passed, the bill will give police the ability to request fingerprints from anyone they suspect of committing a crime—and anyone they think may be able to assist with an inquiry. Police are currently able to stop anyone on the street and request to see some form of traditional ID, but fingerprints are only allowed to be taken once a person has been charged. If the bill gets passed, suspects will be required to have their prints scanned upon request. Since 2014, the SA Government has trialled 150 scanners sporadically across the state and plans to spend $3.4 million on the technology if approved. The new scanners would be wirelessly linked to the National Automated Fingerprint Identification System, which will allow officers to access criminal records within a minute of scanning a suspect’s prints. Deputy Premier John Rau has released a statement arguing why fingerprint scanners are a good idea. “Legislative reform is necessary to enable police to use the scanners in wider circumstances, where a person does not have to give consent and police can scan for prints without the need to arrest,” he said. However, there’s been considerable backlash from both sides about the ramifications for privacy and civil liberties. Greens leader Mark Parnell likened the changes to something out of George Orwell’s 1984. “This is the realm of science fiction and it should send shivers down everyone’s spine,” he told The ABC. “It enables all manner of biometric testing and it does actually lead to a situation where the state could hold a database of every single person’s fingerprints.” [Source]

WW – Apple’s New Photo System to Include Facial Recognition

An update to Apple’s Photos software will include facial recognition technology. The upgrade will catalog photos within the app by the face of the person within the image. Apple’s new feature comes as Facebook and Google are locked in lawsuits over facial recognition capabilities, specifically possible violations of the Illinois Biometric Information Privacy Act. Apple Senior VP of Software Engineering Craig Federighi said the system uses local data rather than storing it on company servers. Though Apple’s features differ from that of Google and Facebook, it is not yet known if they would violate the Illinois law. [The Verge]

Canada

CA – New Spy Watchdog Will Have Power to Examine ‘Any Activity, Any Operation’

Sweeping powers to scrutinize “any issue, any activity, any operation” will be granted to a new committee of parliamentarians to watch over federal spying and other clandestine security and intelligence activities, the government has announced. The long-promised Bill C-22 tabled in the Commons proposes to create an unprecedented “national security and intelligence committee of parliamentarians” to hold to greater account the nation’s two chief spy services and at least 15 other departments and agencies with national security responsibilities. The move fulfils a major Liberal election promise to increase parliamentary scrutiny of national security operations to offset the expansive and controversial counterterrorism powers under the Anti-terrorism Act of 2015, formerly Bill C-51, to investigate, detain, arrest, silence or otherwise thwart individuals suspected as threats to the security of Canada. The all-party committee of nine MPs and two Senators, to be chosen by Prime Minister Justin Trudeau and supported by a small secretariat, would be sworn to permanent secrecy and handed a broad mandate to probe, mainly ex post facto, any and all national security activities to gauge whether they are effective, efficient and legal. Its primary investigative tool would be a statutory power to access many of the nation’s most guarded secrets. “They will be able to ask questions and conduct inquiries and satisfy themselves that two important objectives are being met: to make sure our security and intelligence agencies are being effective in keeping Canadians safe and to make sure they are safeguarding the rights and freedoms of Canadians.” Though the legislation clearly empowers the committee to explore and review the country’s deepest confidences, it also offers government a handful of disclosure escape clauses. Chief among them is the state’s power to deny the committee information “injurious to national security,” a catch-all clause that past governments have used to slam the door on politically sensitive or otherwise damaging inquiries. [National Post]

CA – New Bill Would Allow Border Guards to Collect Data on Those Leaving Canada

Public Safety Minister Ralph Goodale has proposed revisions to the Customs Act that would allow the federal government access to the personal data of Canadian travelers leaving the country. The information collected wouldn’t extend beyond information collected in a passport’s second page — meaning “full name, nationality, date of birth, gender and issuing authority of the passport,” the report states. “Having this data will allow us to better respond to Amber Alerts, for example, on missing children,” Goodale said. “It will help us deal with human trafficking. It will help us deal better with illegal travel by terrorist fighters.” [CBC News]

CA – Privacy Watchdog Seeks More Stringent Laws in Wake of Health Breach

B.C.’s privacy commissioner is calling on the province to step up its privacy laws and impose fines of up to $50,000 for health-care workers found snooping. “It’s a significant issue of public trust when one or more individuals access electronic health records without authorization,” B.C. privacy commissioner Elizabeth Denham said in an interview. B.C.’s privacy laws are outdated when it comes to protecting electronic health records from general snooping, Denham said. [Times Colonist] See also: 2 BC health workers fired in breach that included high-profile people

CA – Sask Cops, MLAs & Ministers to Fall Under FOI Legislation

New legislative amendments brought forward by the Saskatchewan government on Monday could soon mean police in the province will be subject to freedom of information requests. The proposed amendments to Saskatchewan’s FOI and privacy laws received first reading in the Legislature on June 13. One of the proposed changes is to extend the FOI legislation to include police services. Other changes include creating a new offence for snooping, extending privacy requirements to include MLA and cabinet ministers’ offices and increasing penalties for privacy violations. The Saskatchewan Information and Privacy Commissioner, Ronald Kruzeniski, said in a statement he is pleased with the proposed amendments and will work further on FOI regulations once the amendment is passed. [Global News]

CA – Frustration Over Health Disclosure Doesn’t Trump Privacy Protection: Experts

After a case involving a 21-year-old taking her own life following a battle with depression, Nova Scotia is examining whether it needs to review its health privacy laws for disclosing mental health issues to a patient’s family. Currently, Nova Scotia law allows for mental health disclosures when it’s determined there is an immediate threat to the health of any person, including the patient. Nova Scotia Privacy Commissioner Catherine Tully is apprehensive about whether officials and government body officials have enough knowledge to determine what can and cannot be disclosed. “It is absolutely a training issue,” said Tully. “I have travelled around the province and talked to hundreds of people responsible for administering our privacy laws and training is a very key issue and one that requires constant work.” [Global News]

Consumer

WW – Privacy Concerns Around Alternative Credit Reporting

Companies are trying alternative credit reporting using nontraditional data to determine a candidate’s reliability and creditworthiness, but privacy concerns surround the tactics. In addition to privacy concerns, efforts to determine an individual’s chances for receiving a loan, house, or a job often hurt those in low-income brackets. Though companies are using a wide range of ways to determine a person’s creditworthiness and reliability — as students, prospective employees, or credit applicants — the methods of doing so fall in a legal area that’s murky at best. Overseas, companies in parts of Africa and Latin America monitor cellphones and social media to evaluate potential loan recipients. While U.K. startup Tenant Assured has started a service mining social media accounts, selling information to landlords and other parties. [The Atlantic]

US – Data Breach Simulation Explores Notification Timing

During a mock data breach at Stanford University’s Hoover Institution, a group of journalists studied the art of post-breach notification, learning that sometimes waiting to sort out technical errors before notifying victims is the wisest route to take. “It takes time to figure out what happened, and sometimes notification can cause more damage because you haven’t had time to remediate it,” said Intel Chief Privacy and Security Counsel. [Los Angeles Times]

E-Government

US – Board of Elections Posts DC’s Compete Voter List Online

D.C. makes it shockingly easy to snoop on your fellow voters. A little-known law in the nation’s capital is leading to complaints over the way it lets anyone on the Internet find out D.C. voters’ names, addresses, voting history and political affiliations, with little more than a click or two. It’s not the existence of the file itself that’s shocking, critics say. It’s the fact that the D.C. Board of Elections made it available on the Internet. Typically, every state has this kind of voter information; it’s just held at the statehouse or at the public library where you have to physically retrieve it from the stacks — probably with the help of a staffer — in order to see it. Putting that data on the open Internet changes the game because it allows virtually anyone, from anywhere, to view the data with no questions asked. [The Washington Post] [Washington voter registry publication sparks debate]

UK – 36% of Public Trust Government to Protect Their Data: ICO SUrvey

An ICO survey, published on 15 June, asked more than 1,200 people for their views on data protection. It found that the public were only slightly more likely to trust government with their information as they were to trust energy providers. Just 36% of respondents to the survey said they trusted government departments with their information. High street banks garnered the highest overall levels of trust, with 53% saying they trusted them with their information. However, trust in government increased for those in the higher socio-economic group AB1, at 41%, and millennials, at 43%. The survey also found that almost half of respondents disagreed with the statement that existing policy and regulation were sufficient to protect their data. Just 20% said policies were sufficient, which shows little change since the ICO’s 2014 survey, when 19% said policies were sufficient. [Public Technology]

E-Mail

CA – CRTC Partners With International Agencies to Fight Spam, Unsolicited Calls

The Canadian Radio-television and Telecommunications Commission (CRTC) announced that it has signed a memorandum of understanding with ten enforcement agencies from across the globe, including the Office of the Privacy Commissioner of Canada, to fight unlawful spam and unsolicited telecommunications. The agreement promotes cooperation between the CRTC and its international counterparts in enforcing Canadian and international spam and unsolicited telecommunications laws. The agencies have committed to sharing information and intelligence, where permitted by the laws of its jurisdiction, regarding unsolicited communications. By working closely with its partners, the CRTC will be able to more effectively ensure that all those who engage in unsolicited communications, whether local or foreign, comply with the Unsolicited Telecommunications Rules and Canada’s Anti-Spam legislation. [Press Release]

EU Developments

UK – IP Bill Extends GCHQ Snooping Powers to All Law Enforcement

The Investigatory Powers Bill, which was passed by the House of Commons last week, will effectively give the police and other authorities the same powers of surveillance that are currently enjoyed by GCHQ. That’s according to Raegan MacDonald, senior policy manager EU principal at Mozilla. “It’s about legally justifying the previously secret practices of GCHQ and also allowing those powers to go to all levels of law enforcement.” The IP Bill, commonly known as the Snooper’s Charter, requires telecoms companies and ISPs to store records of telephone and internet communications for one year. What is less widely known is that the Home Office is also building a search engine for all this data known as “request filter”, which will allow authorities to conduct detailed searches across all of this data. These queries will be subject to the “filtering” oversight of the Investigatory Powers Commissioner, and for this reason request filter is being sold by the Home Office as a privacy enhancing measure. “The request filter, when used, acts as an additional safeguard for communications data requests made by public authorities, to ensure that the data they acquire is limited only to that which is absolutely necessary,” says the government in a fact sheet. But pointing out that the Bill is short on mechanisms to ensure that oversight is effective, Jim Killock, executive director of Open Rights Group, questioned how this will work in practice. [Source] See also: The U.K. House of Commons passed the controversial Investigatory Powers Bill with a 444-69 vote. The bill now moves to the upper house of Parliament, the House of Lords.

EU – 75% of Cloud Apps Are Not Ready for New EU Data Protection Rules

More than 75% of cloud apps in the EU lack key capabilities to ensure compliance under the new EU General Data Protection Regulation (GDPR), according to a new study by Netskope. In particular, these businesses failed to meet the minimum requirements of new regulations in areas like deleting personal data in a timely manner and violating data portability requirements. Netskope tracked 22,000 cloud apps in use in the EU by giving them a rating between 1 and 100 in terms of GDPR readiness.

  • Just under 28% of cloud apps were deemed unready.
  • Half (48%) were scored as somewhat ready.
  • Only 25% were deemed ready.

The results of the report are especially troubling for businesses, as the adoption of mobile and cloud strategies gains momentum. The shift to cloud brings with it increasing complexity and a greater volume of security challenges for enterprises. Chief among them is the need to comply with new GDPR laws. These businesses have less than two years to ensure their cloud apps are up to regulation or face fines of either $22 million, or 4% of their global turnover (whichever is higher). [Source]

US – Ransomware Attacks Taking Huge Toll on Healthcare Resources

Healthcare organizations are aware of the omnipresent threat of ransomware on their information systems, and the danger it poses to their HIPAA compliance efforts and reputations, and are struggling to bear the expense of shoring up their defenses. The rising number of ransomware attacks against providers is prompting security professionals to intensify data security efforts, as well as consider entirely different approaches to security. Ransomware is turning the tables on how healthcare organizations now deal with security. For years, top security professionals have struggled with thefts that took data out of an organization’s control—for example, through the theft of data on stolen unencrypted laptops or through employee snooping of records that contain protected health information. The incentive for avoiding these types of breaches was to avoid landing on the HHS Office for Civil Rights’ web site of major breaches, and possibly face OCR-imposed financial sanctions and corrective action plans. But ransomware is different. Information remains in a provider’s system but is inaccessible, locked away until a provider makes a financial payment to free it. That scenario in large part has not been considered as a possibility until recently. Consequently, intensified data security is not the answer in the ransomware era, he believes; organizations must look at different approaches to data protection. [Source]

EU – Google Announces EU-Based Machine Learning Research Group

Google has struck a research group in Switzerland dedicated to machine learning. Machine learning consists of “systems that can learn things and come up with predictions from sets of data, without being specifically programmed to do so.” Machine learning currently powers Google’s translation engine, its Inbox “smart reply” feature, spam recognition in Gmail, and assists Google’s driverless cars examine their surroundings. The research group will work on machine intelligence, speech recognition, natural language processing, and machine perception, such as identifying images in photos and recognizing handwriting. “We look forward to collaborating with all the excellent computer science research that is coming from the region, and hope to contribute towards the wider academic community through our publications and academic support,” wrote Emmanuel Mogenet, head of Google Research in Europe. [Fortune]

EU – Other EU News

Facts & Stats

WW – Data Breach Costs Up 29% Since 2013: Study

A study from the Ponemon Institute and IBM found the average cost of a data breach is $4 million, a 29% increase from 2013. Ponemon’s study examined 283 companies, finding the average cost per compromised record was $158 in 2016, up from $154 last year. The study also revealed a 26% probability of an enterprise suffering one or more data breach where 10,000 records will be compromised over the next two years. Ponemon found that the healthcare industry has the highest costs per breached record, and that U.S. data breaches were the most costly per record, coming in at $223, with the average total cost estimated at $7.01 million. In related news, hackers have stolen the information of more than 45 million users of car, sports and tech sites in what could be one of the largest data breaches ever. Compromised data appears to include email and IP addresses, usernames and passwords. [ZDNet]

CA –Data Breaches Detection, Escalation Costs Highest in Canada: Report

Detection and escalation costs related to data breaches were the highest in Canada and lowest in India, note findings of a new global survey. The average detection and escalation costs for Canada was US$1.60. In contrast, the average costs were US$0.53,” states 2016 Cost of Data Breach Study: Global Analysis, benchmark research sponsored by IBM and conducted by Ponemon Institute LLC. “Data breach costs associated with detection and escalation are forensic and investigative activities, assessment and audit services, crisis team management and communications to executive management and Board of Directors,” notes the report. …The average cost per record to resolve being US$170 compared to US$138 per record for system glitches and US$133 per record for human error or negligence. Canada held a distinction in this respect. “Companies in the U.S. and Canada spent the most to resolve a malicious or criminal attack (US$236 and US$230 per record, respectively),” the report states. [Canadian Underwriter]

WW – Study: Most Companies Struggle to Restrict Sharing of Confidential Data

A new study found only 36% of surveyed IT practitioners from large companies are able to control how confidential data is shared with third parties. The study of more than 600 IT professionals also found that companies are rarely able to track where their most sensitive documents go. Only 27% of the those surveyed were able to restrict the sharing of confidential data between employees. According to the survey, conducted by the Ponemon Institute on behalf of Fasoo, 58% of companies say their employees use free online file sharing applications, and almost half say their employees, on occasion, keep confidential documents on their home computers or personal mobile devices. In addition, 68% of those surveyed say they don’t even know where their company’s confidential information is located. The study also revealed a deficiency in employee education about protecting data. Of the respondents, 56% said their companies did not educate their employees about protecting confidential information. The study found that careless employees were the primary cause of company data losses 56% of the time. The second most common cause was lost or stolen devices. In March, a SailPoint survey revealed that more than a quarter of employees said they uploaded sensitive information to cloud apps intending to share the information outside the company. According to Gartner, more than 70% of unauthorized access to data is committed by an organization’s own employees. Employees are frequently the cause of many security weaknesses in the enterprise. Most of these insider threats actually carry no malicious intent, but instead are the result of weak access controls and a lack of employee awareness. [CIO Dive] CSO: Study: Most companies can’t protect confidential documents

Finance

US – Home Depot Suit Claims U.S. Credit-Card Firms Block Security Upgrades

The Home Depot has alleged that MasterCard and Visa use faulty security measures prone to fraud in a new federal lawsuit. The company accused the financial institutions of putting cybersecurity behind economic gain and “dominant market positions,” calling its reliance on chip cards behind other, more secure, global methods. “Regardless of how the cardholder’s identity is confirmed, the chip makes data much more secure, rendering it almost useless to create fraudulent cards or transactions,” said a MasterCard spokesman. Meanwhile, Bob Hedges urged banks to engage in privacy debates in an op-ed for American Banker. “If they don’t, they run the risk that the public policy debate could eventually hurt their historical ‘trusted agent’ position,” he said. [The Seattle Times]

FOI

EU – ENISA Creates Free Personal Data Breach Notification Tool

ENISA, in co-operation with the Office of the Federal Commissioner for Data Protection and Freedom of Information of Germany (German DPA), developed a tool for the notification of personal data breaches. In particular, the purpose of the tool is to provide for the online completion and submission of a personal data breach notification by the data controller to the competent authority (DPA/NRA). It covers all types of personal data breaches and all types of business sectors, public or private. Based on the input of the notification, the tool also provides to the competent authority an assessment of the severity of the breach. The assessment is based on the relevant Personal Data Breach Severity Assessment Methodology developed by ENISA in co-operation with the DPAs of Greece and Germany. The tool is free for use by any interested party, in particular national competent authorities who would like to facilitate the notification of personal data breaches by data controllers in their countries. [Source]

Health / Medical

US – Oregon Prescription Database Access Ignites Privacy Debate

The Drug Enforcement Administration hopes to access Oregon’s Prescription Drug Monitor Program database in an effort to curb drug abuse, causing privacy concerns. The agency is fighting a 2014 U.S. 9th Circuit Court of Appeals ruling that decided warrantless seizure of the data was illegal. The DEA countered that as the PDMP is a third-party data host, users shouldn’t have an expectation of privacy, the report states. Not everyone agrees. “The primary purpose of PDMPs is health care, not law enforcement,” said the American Medical Association in an amicus brief. The database wasn’t created to be “a tool or repository for law enforcement to initiate access to gather information,” the AMA added. [The Daily Beast]

CN – China Pledges Tighter Privacy as it Centralises Personal Health Data

Chinese Premier Li Keqiang has announced the Chinese government’s intention to increase privacy regulations as it increases developments for health care data systems. “Enhancing the development of medical big data is a pressing task now,” Keqiang said. “It is also an important project for public welfare, in the context of a growing need for health and medical services.” To that end, “more comprehensive regulation and legislation in personal information and data protection” is necessary, he added. The State Council’s plans would call for the creation a countrywide health database, as well as a guide for medical record portability, the report states. [The Register]

Horror Stories

US – Cyber Insurer Seeks to Void Data Breach Coverage Because of Purported Misstatements in Policy Application

Cyber insurers commonly require insureds to complete detailed applications, often including extensive technical disclosure and risk self-assessments. The complaint recently filed by the insurer in Columbia Casualty Co. v. Cottage Health System illustrates the pitfalls in these requirements. Cottage Health, an operator of a hospital network, suffered a data breach in 2013 resulting in thousands of its patients’ private medical information being publicly disclosed. In addition to other losses, Cottage Health paid $4.125 million to settle a putative class action in 2014 and faces additional proceedings arising from the breach. Columbia’s lawsuit denies all coverage for the breach and seeks to rescind its policy due to the insured’s alleged failure to comply with the cybersecurity practices described in its application. In its complaint Columbia contends, first, that the “Failure to Follow Minimum Required Practices” exclusion in its cyber policy—applying to losses from, among other things, the Insured’s failure “to continuously implement the procedures and risk controls identified in the Insured’s application”—precludes coverage for Cottage Health’s losses. Columbia further contends that it has a right to void its policy altogether due to alleged misstatements in the “Risk Control Self Assessment” that Cottage Health completed as part of its cyber insurance application. Any new cyber policy wording requires expert legal scrutiny before purchase, because these specialty insurance products can contain gaps or hidden traps. For example, Cottage Health might have averted its dispute with Columbia if the policy’s potentially onerous “Failure to Follow Minimum Required Practices” exclusion had been modified or deleted. [Source] See also: [Cyber insurance is changing the way we look at risk ]

WW – Other Horror Stories

Identity Issues

WW – Apple to Use ‘Differential Privacy’ in New Software

Apple is using a special technique to balance user privacy with its data collection efforts. Apple’s Senior VP of Software Engineering Craig Federighi discussed “differential privacy” during his company’s Worldwide Developers Conference in San Francisco. “We believe you should have great features and great privacy,” Federighi said during the conference. “Differential privacy is a research topic in the areas of statistics and data analytics that uses hashing, subsampling and noise injection to enable … crowdsourced learning while keeping the data of individual users completely private. Apple has been doing some super-important work in this area to enable differential privacy to be deployed at scale.” [Wired] See also: [What Apple’s differential privacy means for your data and the future of machine learning] and [A Few Thoughts on Cryptographic Engineering]

IN – Alibaba Launches App With Face Recognition Lock Feature In India

Alibaba has unveiled Privacy Knight in India, a free app-lock that uses a one-second selfie to verify and grant access to users’ protected apps, BiometricUpdate.com reports. According to Alibaba, the program’s facial recognition with blink detection has 99.47% accuracy, the report states. “Face lock is set to change the way people protect their privacy,” said Alibaba’s Mobile Business Group. [Full Story]

Internet / WWW

WW – Microsoft’s Acquisition of Linkedin Faces Some Privacy Concerns

While Microsoft’s purchase of LinkedIn will benefit both companies, some are raising privacy concerns. BigID CEO Dimitri Sirota said the purchase is meaningful as Microsoft is acquiring “the world’s second largest personal database,” but the use of the data will determine the success of the sale. “Given that the value of the purchase will derive from the usage of personal data it will be natural to ask how this data usage gets governed so it doesn’t compromise either personal privacy or many privacy regulations,” said Sirota. Acquiring large amounts of personal data is an issue many companies now deal with, he said, adding, “Organizations gain tremendous marketing, sales and intelligence value from collecting and aggregating as much customer data as they can, but the tools to govern the privacy risk and compliance of the aggregated ‘identity’ data are only now being developed.” [TechRepublic]

Law Enforcement

CA – Constable Fired for Accessing Data

A Gatineau police officer was fired this week after pleading guilty in April to illegally accessing police records. For the crime of unauthorized use of a computer, whereby the constable checked information on three former friends in police databases, she received no jail time, but had to make a donation of $1,000 to a crime victims’ assistance center. Despite no data being passed to a third party, nor the constable apparently seeing any benefit from the access to the data, the Gatineau Police Service released a statement saying she was fired because it “requires its police officers meet the highest ethical standards and professional standards.” [Ottawa Citizen]

Online Privacy

US – OTA Releases Privacy Assessment of Consumer-Facing Websites

Consumer services websites are improving privacy practices while news sites need vast improvements. That’s according to the release of the 8th annual Online Trust Audit & Honor Roll. Conducted by the Online Trust Alliance, this wide-ranging audit looks at nearly 1,000 consumer-facing websites to assess their consumer protections, privacy practices and data security. [Full Story]

Other Jurisdictions

SG – Singapore PDPC Publishes Data Protection Guidelines

The Personal Data Protection Commission of Singapore has published a number of guidelines for data access, notification and privacy protection, among other related subjects, on its official website. Its newest guideline, Guide to Handling Access Requests, details “information and considerations for organizations in handling requests for access to personal data, including sample access request and acknowledgement forms,” the site states. [Full Story]

IN – TRAI Consultation Paper Talks Cloud Computing

The Telecom Regulatory Authority of India has released a 119-page consultation paper on cloud computing regulation. The paper’s six sections cover interoperability, cloud security, and bringing cloud services to governments, among other topics. Frameworks for cloud services remain a major focus, the report adds. “Regulations should be put in place to protect the interests of both cloud services providers and the consumers,” the paper states. “Legal framework under which the cloud operates becomes very important.” [The Wire]

Privacy (US)

US – FBI Says Utility Pole Surveillance Cam Locations Must Be Kept Secret

The US FBI has successfully convinced a federal judge to block the disclosure of where the bureau has attached surveillance cams on Seattle utility poles. The decision stopping Seattle City Light from divulging the information was expected, as claims of national security tend to trump the public’s right to know. However, this privacy dispute highlights a powerful and clandestine tool the authorities are employing across the country to snoop on the public—sometimes with warrants, sometimes without. Just last month, for example, this powerful surveillance measure—which sometimes allows the authorities to control the camera’s focus point remotely—helped crack a sex trafficking ring in suburban Chicago. Meanwhile, in stopping the release of the Seattle surveillance cam location information—in a public records act case request brought by activist Phil Mocek—US District Judge Richard Jones agreed with the FBI’s contention that releasing the data would harm national security. “If the Protected Information is released, the United States will not be able to obtain its return; the confidentiality of the Protected Information will be destroyed, and the recipients will be free to publish it or post the sensitive information wherever they choose, including on the Internet, where it would harm important federal law enforcement operational interests as well as the personal privacy of innocent third parties,” Jones ruled. [Ars Technica]

US – More States Adopt Education Privacy Protections

As students’ online presence grows due to schools’ growing reliance on digital third-party student databases, lawmakers and privacy advocates have expressed concern for the potential mishandling of students’ information. Some states have turned to stricter privacy laws, with nine states adopting new data regulations in 2016. “The conversation is looking different in every state and district at this point,” said the Data Quality Campaign’s Rachel Anderson. “Some states are really taking the approach of parents can decide if they want to opt-in or out of these additional recommendations.” In 2014, 21 states passed 26 student data laws mostly targeted at states and school districts. Many echoed a 2013 Oklahoma law that requires state approval to release student data and mandates that only aggregated data — no data tied to individual students — can be released. By last year, lawmakers had shifted their focus to third-party companies. They passed 28 student privacy laws, in many cases mirroring a California statute that prohibits service providers from using data to target ads to students, selling student information, and creating student profiles for commercial purposes. This year nine states — Arizona, Connecticut, Hawaii, Kansas, New Hampshire,Tennessee, Utah, Virginia and West Virginia — have added 11 new student data laws, mostly based on the California standard. A similar proposal is awaiting the signature of Colorado’s governor. Between 2014 and 2015, state legislators introduced 98 bills that included opt-in or opt-out provisions, and this year Arizona passed a law requiring schools to obtain parents’ permission before collecting certain data. [PBS Newshour]

RFID / IoT

US – Health and Human Services IG to Assess Medical Device Security Monitoring

The US Department of Health and Human Services (HHS) Office of Inspector General’s Fiscal Year 2016 Mid-Year Work Plan calls for an assessment of the Food and Drug Administration’s (FDA’s) review of cybersecurity control on wireless and Internet-connected medical devices. The HHS IG also plans to look into state Medicaid agency and contractor breach notification practices and responses. [GovInfoSecurity]

US – NSA Could Use Internet-Connected Medical Devices for Surveillance

NSA Deputy Director Richard Ledgett told an audience at the Defense One Tech Summit in Washington, DC, last week that the agency is examining ways to exploit the Internet of Things (IoT) to conduct covert monitoring. Ledgett said that the NSA is “looking at it sort of theoretically from a research point of view right now,” and noted that conducting surveillance through medical devices could be “a tool in the toolbox.” [ComputerWorld] [The Intercept]

US – Chicago Seeks Input on Privacy Policy for Sensor Network

Chicago officials will soon release their privacy policy for the city’s traffic sensor project, the Array of Things, for citizen input. The first of 500 devices will go live in July, collecting vehicular and environmental data, the report states. The policy aims to protect collateral information that could identify an individual. “We’ve always been focused on making sure there was a privacy policy to inform the public about how the data that the nodes are collecting is going to be managed,” said Department of Innovation and Technology Commissioner and Chicago Chief Innovation Officer Brenna Berman. Open policy screenings begin June 14, the report adds. [Chicago Tribune]

CA – Who is Watching You on B.C. Highways?

At any time thousands of drivers are on B.C. highways trying to get places as soon as they can. And there is a team of people keeping an eye on all of that that traffic – in a building nestled between Highway 1 and Lougheed Highway in Coquitlam. Transportation Management Centre staff keep watch on over 600 cameras throughout the province. And when you are on the Lions Gate Bridge, Penny Martin is watching and decides when to flip the counterflow lane. There are sensors and computers but Martin says it is often simply watching the causeway cameras for volume that will guide her decision to flip the lane. And it’s not just for Metro Vancouver. With the flick of a mouse people here can change the speed limits on the Sea to Sky or Coquihalla highways using the new variable speed limit signs. Centre manager Brigid Canil says they use advanced traffic management software to change speed limits, almost instantly, based on weather or traffic conditions. But what if the speed limit changes from 120 kilometres an hour to 80 km/hr and police pull you over? “We would know exactly what times the signs would change and be able to correlate what time the ticket was written to ensure the individual is treated fairly,” said Transportation Minister Todd Stone. Another big issue is privacy. On the Drive BC website you can see a “Replay the Day” video of many locations – but they say they don’t keep piles of surveillance. “We don’t keep the data and that is directly in response to concerns about privacy,” said Stone. [Global News]

Security

WW – Study: Weak Passwords, Phishing Attacks Top Breaches

Verizon’s 2016 Data Breach Investigations Report has found that 63% of recent breaches were due to weak passwords. Phishing scams are also a major culprit, the report states. Nearly one-third of the analyzed phishing emails were opened by recipients. While the sophistication and success rate of these attacks is growing, strategies for keeping oneself safe remains the same. “The surest anti-phishing protection is also one of the rarest assets around: common sense,” the report adds. “No matter who an email comes from, never click on a link in an email — instead cut and paste it into a web browser and read the address. If it smells phishy, it probably is.” [TechCrunch] [Employee Error Accounts for Most Security Breaches]

US – FICO to Offer ‘Enterprise Security Scores’

Fair Isaac Corp. has acquired cybersecurity startup QuadMetrics to create an industrywide “enterprise security score” for businesses. The security score will act as an equivalent to the FICO consumer-credit scores, giving chief information officers and other IT professionals an “easy-to-understand” metric to determine their company’s online risks, while handling other possible issues from third-party software vendors and acting as a guide for cyber breach insurance underwriting. “Just as the FICO Score gave credit markets a single metric for understanding credit risk, this product will give the industry a common view of enterprise security risk,” said FICO’s Vice President of Cybersecurity Solutions Doug Clare. [The Wall Street Journal]

Surveillance

CA – RCMP Can Spy on Your Cellphone, Court Records Reveal

A judge lifted the publication ban on information surrounding a suspected mafia murder, revealing different surveillance methods used by the RCMP. While investigating the 2011 murder of Salvatore Montagna, the RCMP used IMSI catchers, commonly known as “Stingrays,” to mimic cellphone towers in order to obtain information on a suspect’s phone. The RCMP used the collected information to intercept and decode BlackBerry PIN-to-PIN messages as part of the murder cover-up. “Our biggest concern with Stingrays is there’s really no regulation or oversight as to how they’re being used,” said OpenMedia Digital Rights Specialist Laura Tribe. “We right now, as the Canadian public, have no idea where they’re being used, when, what the requirements are for these technologies being used and what’s happening to the data of everyone being caught up in their sweep.” [CBC News] See also: [VPD admits to not owning a Stingray surveillance device, but is it ‘borrowing’ one?] and [Santa Clara County, California, has approved an ordinance that requires government agencies to put policies in place before acquiring or activating new surveillance technologies.]

US Government Programs

US – Federal Government Releases Final Guidance on CISA

The Department of Homeland Security (“DHS”) and Department of Justice released final guidance as required by Title I of the Cybersecurity Act of 2015 (“CISA”), which was enacted into law this past December. The guidance was prepared in consultation with several additional federal agencies, and includes four separate documents.

  1. The first document (“sharing guidance”) provides guidance for non-federal entities (including state governments) that elect to share cybersecurity information with the federal government under CISA.
  2. The second document establishes “privacy and civil liberties guidelines governing the receipt, retention, use, and dissemination” of cyber threat indicators and defensive measures by the federal government.
  3. The third document, which was released in final form on February 16, describes procedures through which information is shared by the federal government to participating non-federal entities.
  4. The fourth document describes procedures for the receipt of cyber threat indicators and defensive measures by the federal government. [Inside Privacy]

 

+++

 

 

03-09 June 2016

Biometrics

CA – Federal Photo-Matching Scheme Quietly Singles Out Passport Fraudsters

Federal officials used photo-matching technology to identify 15 high-risk people – all wanted on immigration warrants – who used false identities to apply for travel documents. The Liberal government might make the facial-recognition scheme permanent to help find and arrest people ineligible to remain in Canada due to involvement with terrorism, organized crime or human rights violations. The photo-matching idea emerged from concerns that people wanted by the Canada Border Services Agency might use fake names to obtain genuine Canadian travel documents from the Immigration Department’s passport program, say internal memos released under the Access to Information Act. The privacy commissioner’s office has not been consulted on the project. However, both the border agency and the passport program have shared information about other facial-recognition initiatives with the commissioner. Passport officials have used the image-matching technology for years to see if someone has applied for multiple travel documents in different names. The border agency has quietly been working with other agencies since at least 2011 to gauge the ability of devices to extract usable facial images from video footage. [Source]

Canada

CA – Court Rules that Health Records Do Not Require Vetting Prior to Disclosure to Childrens Aid Society

The Court considers a request for a protection application for the production of records from non-parties. The records, containing mental health information of a parent, do not require vetting by counsel for the society or the parent (this approach could give either party an unfair advantage in litigation), or the Court (the mental health records are relevant to whether the parent’s children are in need of protection, and the production order will be structured to preserve the parent’s privacy interests). [Catholic Children’s Aid Society of Hamilton v. L.K. – 2016 CanLII 15148 (ONSC) – Superior Court of Justice of Ontario]

CA – BC Appeals Court Finds Senders of Texts and Emails Have a Reasonable Expectation of Privacy in the Content of the Message

a review of impact of the BC Court of Appeal’s decision in R. v. Craig. Senders have a reasonable expectation that their text messages will be confidential; senders do not abandon their right to privacy in the content of the message, to the extent that they should be able to count on the recipient’s duty of confidentiality. While there is inherent risk in any human interaction, the risk that a message might be improperly shared (i.e. breach of confidentiality) is not enough to vitiate a reasonable expectation of privacy. ‘[Privacy, technology, and instant messaging – The British Columbia Court of Appeal sends a (instant) message – Dara Jospé, Michael Shortt, and Antoine Guilmain – Fasken Martineau, Montréal]

CA – Other Canada News

E-Government

US – Survey: A Year After the OPM Hack, Victims Don’t Feel Safer

A Federal News Radio survey on the Office of Personnel Management breach has found that roughly 55% of government employees and contractors don’t feel their personal information is safer a year after the hack. George Mason University’s Jim Jones said one reason for these responses is that many acknowledge that the risks move faster than security efforts. “The threat is so flexible and responsive in the sense that when we do something, we close one hole they simply move on to another one,” he said. Meanwhile, NPR also examines the changes in security practices at the OPM in a subsequent report. [Federal News Radio]

E-Mail

CA – OIPC ON Cautions Against Using Personal Email and Instant Messaging When Doing Public Business

Ontario’s Information and Privacy Commissioner, Brian Beamish, is calling on the leaders of all public institutions to educate staff and enact policies to strictly control the use of personal email and messaging tools, such as BlackBerry Messenger, to conduct business. All public servants should be aware that records relating to government business are subject to provincial access legislation, even if they are created, sent or received through instant messaging tools or personal email accounts. The use of these tools and accounts can create a number of challenges for institutions in meeting their obligations under Ontario’s access and privacy laws. To avoid these issues, Beamish is asking all Ontario institutions to either strictly control the use of personal email or instant messaging when doing business, and implement clear policies to help public servants meet their legal obligations. If it is necessary to use these tools, institutions must plan for compliance by conducting thorough risk assessments and implementing appropriate administrative and technical measures to ensure that records are saved. A new guide to assist Ontario’s public institutions, Instant Messaging and Personal Email Accounts: Meeting Your Access and Privacy Obligations, is now available. [Office of the Information and Privacy Commissioner of Ontario]

Electronic Records

CA – Alberta OIPC Issues Guidance for EHR Systems

The OIPC of Alberta has published Guidance for Electronic Health Record Systems. This guide was developed to assess the safeguards in electronic health record (EHR) systems. Custodians and their EHR service providers may use this document to support a Privacy Impact Assessment on an EHR system, or to examine whether changes to a system comply with Health Information Act requirements. Two versions of the document are available on our website. A PDF version and an editable Word document:

EU Developments

US – US and EU Officially Ink Umbrella Agreement

Officials from the EU and U.S. officially signed the so-called Umbrella Agreement, which sets privacy protections on European citizens’ personal data when transferred to the U.S. for law enforcement purposes. It will give EU citizens judicial redress in U.S. courts — something the EU already provides for U.S. citizens. U.S. Attorney General Loretta Lynch, Dutch Minister Ard van der Steur, and EU Justice Commissioner Věra Jourová signed the deal Thursday. Privacy advocates, however, have expressed concern about the deal. Access Now’s Estelle Massé said the new rules are “toothless” and that it “should absolutely be brought back to the drawing board.” [Ars Technica]

EU – British Lawmakers Pass New Digital Surveillance Law

The House of Commons passed the controversial Investigatory Powers Bill, which would provide security agencies with stronger monitoring abilities. The bill was approved 444-69. Interior Minister Theresa May said the new law will help “keep us safe in an uncertain world.” While May noted the scrutiny of the Investigatory Powers Bill was “unprecedented,” a new privacy clause has been added requiring agencies to contemplate less intrusive ways to surveil, while also offering special protections for lawmakers, journalists and lawyers. “It provides far greater transparency, overhauled safeguards and adds protections for privacy and introduces a new and world-leading oversight regime,” May said. The bill now moves to the upper house of Parliament, the House of Lords. [Reuters]

EU – European Commission Creates Code of Conduct for Mobile Health Apps

The European Commission has formally submitted a code of conduct to the Article 29 Working Party to increase privacy capabilities on mobile health apps. The code has been handed in for comments, and once approved, app developers can voluntarily commit to them. The European Commission code is based on EU data protection legislation, and aims to raise awareness for all parties, including small and medium enterprises as well as individual developers who may not have legal teams on hand, and “increase compliance at the EU level for app developers.” The code covers numerous issues, including user consent, purpose limitation, privacy by design and default, and data security. The European Commission also covered advertising within mHealth apps, disclosing data to third parties, children’s privacy, and data transfers. [Telecompaper] [Press Release] [Public Consultation]

EU – EDPS Announces New Accountability Initiative

European Data Protection Supervisor Giovanni Buttarelli announced a new accountability initiative to help EU bodies transition to the General Data Protection Regulation. The EDPS started working on a project to enhance accountability in data processing in 2015, when the agency examined itself as an institution. “We developed a specific tool to ensure and demonstrate our accountability as an organisation, to plan and to keep track of related actions. This document consists of a set of questions for the supervisors, the director, the staff responsible for managing processing operations and our data protection officer,” Buttarelli wrote in a blog post. “This year, we aim to visit — and have already started — small, medium, and large EU bodies to explain the new obligations,” he continued, adding, “As part of our efforts … we will recommend our accountability document during these visits and suggest that they tailor it to suit their specific needs.” [EDPS Blog Post]

Finance

WW – Facebook is Using Your Phone to Listen to Everything You Say: Professor

Facebook admits to using people’s microphones to listen to what they say, but they claim this is somehow a good thing. Kelli Burns, mass communication professor at the University of South Florida claims to have tested devices running the Facebook mobile app, and found that all of them are listening to everything you say, providing customized ads based on what you are saying. “I’m really interested in going on an African safari. I think it’d be wonderful to ride in one of those jeeps,” she said out loud with her phone in hand. According to the NBC report, less than a minute later, the first story in her Facebook feed was about a safari. And a car ad soon appeared on her page – go figure. Of course, this is not scientific evidence at this point, but Burns is not one to shun. Before becoming an academic, she spent seven years in corporate marketing and is a well-known figure in social media circles. Facebook didn’t deny the claims. Instead, it admitted that it picks up sounds from users, but said that it only does this to recommend they post things on Facebook. It’s not the first time Facebook has come under fire for something like this. Last years it was also accused of the same thing, and they said at the time that users had to turn their microphone on in order for this to work. But now, the microphone is on by default, so this does seem to confirm that Facebook is listening to you. [zmescience.com]

FOI

CA – Ontario Health Ministry Ordered to Disclose Names on OHIP Billings

Ontario’s privacy watchdog has ordered the province to publish the names of the 100 doctors whose billings to the Ontario Health Insurance Plan are highest. An adjudicator, ruling on an access-to-information request from the Toronto Star, said the billings are “not personal information” and, even if they were, it would be in the public interest to reveal them. The Ontario Medical Association, which represents the province’s 28,000 physicians, opposed release of the data, saying it could be misconstrued. (Billings are not salaries but gross payments from which doctors must pay office overhead, benefits and pension.) The OMA has not yet decided if it will appeal the ruling. If it does not, the data will be made public on July 8. [Source] [IPC Decision] [54-page order] [Ontario Doctors’ Billings: Transparency is the Best Medicine] [End the secrecy over doctors’ billings: Editorial]

CA – OIPC NFLD Expects Redaction to be Used Sparingly

The Office of the Newfoundland and Labrador Information and Privacy Commissioner provided its expectations for Public Body Coordinators on handling non-responsive information in an access request, pursuant to the Access to Information and Protection of Privacy Act. Redact non-responsive information only where necessary and appropriate; best practices include, releasing the information if it is just as easy as claiming non-responsive (this will save time-consuming consultations and time weighing discretionary exceptions), avoid breaking the flow of information (do not claim non-responsive within sentences or paragraphs), and explain what non-responsive means in the final response to the Applicant, and that information has been redacted on this basis. [Newfoundland and Labrador OIPC – Practice Bulletin – Redacting Non-Responsive Information in a Responsive Document]

US – Snowden Questioned NSA’s ‘Interpretation of Legal Authorities’ Before Leak

Former government contractor Edward Snowden attempted to contact the NSA about its surveillance programs before exposing a trove of documents to the public. In response to a “long-running” Freedom-of-Information-Act lawsuit, the Office of the Director of National Intelligence released more than 800 pages of communications to Vice News revealing Snowden tried to ask questions about the “interpretation of legal authorities” related to the programs. The documents also reveal Snowden’s face-to-face interaction with an official, details about Snowden’s work with the agency, and efforts by the NSA, the White House and U.S. Senator Dianne Feinstein, D-Calif., to discredit Snowden. [Full Story]

Genetics

US – Biden Unveils Launch of Major, Open-Access Database to Advance Cancer Research

Vice President Joe Biden will unveil a 12,000-patient, open-access cancer research database called the Genomic Data Commons today. The database will include “raw genomic and clinical data” as well as information regarding patients’ treatment types and their bodies’ response to it, the report states. “This is good news in the fight against cancer,” Biden said. “Increasing the pool of researchers who can access data and decreasing the time it takes for them to review and find new patterns in that data is critical to speeding up development of lifesaving treatments for patients.” The GDC will have privacy protections in place, with representatives from cancer centers drafting a model consent form, the report adds. [Washington Post] See also: [Canada: Genetic Discrimination And Canadian Law] and [How new DNA testing is cracking open long-stalled cold cases]

Health / Medical

US – OCR: Sharing Electronic Patient Data Crucial, Requires Cooperation

A slew of breakthroughs will put the pressure on health care leaders to start becoming more transparent with data. Deputy Director of Health Information Privacy in the Department of Health and Human Services’ Office for Civil Rights Deven McGraw highlighted this during the Office of the National Coordinator for Health Information Technology’s annual meeting in Washington, where she said cooperation will be key for successfully sharing patient data. “I can enforce people to comply with the law, but the culture change that makes a difference is not because the government is going to force it down people’s throat,” said McGraw. “It’s going to happen because people want it and demand it.” McGraw said providers should release electronic patient data at their request. “Whatever the patient wants to do with that information, it’s her right to have it and to have it in the form or format that she wants it,” McGraw said. [Healthcare IT News]

Horror Stories

WW – 32M Twitter Passwords Held at Ransom

A hacker with purported ties to the LinkedIn, Myspace, and Tumblr breaches is now claiming to have a database of 32 million Twitter login credentials at ransom. “The explanation for this is that tens of millions of people have become infected by malware, and the malware sent every saved username and password from browsers like Chrome and Firefox back to the hackers from all websites including Twitter,” said a statement from breach-notification company LeakedSource, which analyzed the database and was able to verify accounts. The company added that the passwords taken were most likely in plain text with no hashing. “The lesson here? It’s not just companies that can be hacked, users need to be careful too,” the statement said. [ZDNet]

EU – Dutch DPA Receives More Than 1,500 Breach Notifications in First 4 Months

Review of the first 4 months of new breach notification requirements in the Netherlands shows that, in approximately two-thirds of breaches, the DPA had reason to more closely examine the circumstances of the breach or it opened formal investigations; subsequent action was taken against about 70 organisations. DPA’s classification of breaches found that 3 of the four categories related to inadvertent disclosures by the organisation (e.g. loss of unencrypted devices, insecure disposal, or insecure transfers); the remaining category related to malicious access to databases and ransomware. [130 days, 1,500 notifications: Does Dutch breach rule foreshadow GDPR? – Lokke Moerel and Alex van der Wolk, Morrison & Foerster LLP]

Identity Issues

WW – Search Queries Could Leave Medical Clues: Study

A Microsoft study published June 7 has found that by analyzing large sets of anonymized search engine queries, scientists may be able to detect those internet searchers with pancreatic cancer before an official diagnosis. “We asked ourselves, ‘If we heard the whispers of people online, would it provide strong evidence or a clue that something’s going on?’” researcher Dr. Eric Horvitz said. He acknowledged that using data in this way was uncharted territory for the health care industry. Regardless, “We’re hoping that this stimulates quite a bit of interesting conversation,” he said. [The New York Times]

WW – Inventor of the Web Creates Identity on Bitcoin Blockchain

Sir Timothy Berners-Lee, an english computer scientist and the inventor of the World Wide Web has created his first Bitcoin blockchain ID on June 9, through the popular blockstack-based platform Onename. Built on the decentralized, privacy-centric, and Bitcoin blockchain-secured database Blockstack, Onename is an open source platform which enables users to register their social media accounts and IDs through the Bitcoin blockchain network. The concept of embedding an account on the Bitcoin blockchain is fairly simple. Each Bitcoin transaction has a feature which allows users to store data apart from the core transaction information, creating space for anyone to embed small pieces of data in accordance with transaction data in a full transaction. Through the Blockstack nodes, Onename then verifies and authenticates various social media accounts, linking it to their network and enabling users to identify others through the account. “With the Blockstack software, a network of computers collectively maintain a global registry of identities, public keys and names. When you run a Blockstack node, you join this network, which is more secure by design than traditional identity, naming, and digital registry systems,” explains the Blockstack team. [Source]

Law Enforcement

CA – BC Police Act Violates Charter (sec.8), Suspended Vic Chief Says

Suspended Victoria Police Chief Frank Elsner is asking the courts to declare that sections of B.C.’s Police Act violate the Charter of Rights and Freedoms’ search and seizure provisions and are therefore not enforceable. Under the act, independent investigators with the Office of the Police Complaint Commissioner are not required to obtain warrants to search police premises, equipment and records when looking into allegations of misconduct at municipal departments. Those provisions violate Section 8 of the charter, because they relate to matters to which there is a high expectation of privacy, Elsner says. Section 8 protects against unreasonable search and seizure. [The Victoria Times Colonist]

Online Privacy

US – Android Users Seek Class-Action in Privacy Battle Over App Purchases

Android users are requesting to go forward with a class-action lawsuit against Google’s app store for allegedly disclosing personal information to developers. The lawsuit, started by Illinois resident Alice Svenson in 2013, is on behalf of numerous Android users who made purchases on the Google app store. “Casting aside the express promises made in their own terms of use, for years, defendants have routinely and systematically disclosed to third-parties, their buyers’ personal contact and billing information — including, names and email addresses — which they now admit was not necessary to complete the transactions or otherwise authorized for disclosure,” the users’ lawyers wrote in the motion. Svenson’s initial lawsuit was thrown out, but after revising her complaint by saying the disclosure lessened the value of her personal data, it was allowed to proceed. Last year, U.S. District Court Magistrate Paul Grewal in San Jose dismissed a separate lawsuit that also alleged Google violated app purchasers’ privacy by sending their names to developers. [MediaPost]

EU – Researchers Re-identify 40% of RTBF Subjects

One of the world’s most widespread efforts to protect people’s privacy online —RTBF— may not be as effective as many policymakers think, according to research by computer scientists based, in part, at New York University. The academic team said that in roughly a third of the cases examined, the researchers were able to discover the names of people who had asked for links to be removed. Those results, based on the researchers’ use of basic coding, came despite the individuals’ expressed efforts to remove their names from searches. The research paper raises questions about how successful Europe’s “right to be forgotten” can be if the identities can still be found with just a few clicks of a mouse. The paper says such breaches undermine “the spirit” of the right to be forgotten. The research also will add increased pressure on some European authorities, particularly the French privacy regulator, who would like Google and other online search engines like Microsoft’s Bing to extend the reach of the right to be forgotten across all of the companies’ global domains, including Google.com in the United States. “This poses a threat to whether the ‘right to be forgotten’ can be maintained in the long-term,” said Keith Ross, dean of engineering and computer science at NYU Shanghai, who led the project and who said he had contacted Google with his research. “If a hacker can easily find 30 or 40% of people’s names from delisted articles, what is the point?” he said. [New York Times]

Privacy (US)

US – Federal Appeals Court Says No Warrant Needed for Stingray Use

The Fourth US Circuit Court of Appeals has overturned a lower court verdict that ruled law enforcement must obtain warrants before using cell-site simulators to determine a suspect’s location. According to the ruling, obtaining the information does not violate a suspect’s Fourth Amendment rights because the information is already being shared with the suspect’s wireless carrier” “Whenever [an individual] expects his phone to work, he is permitting – indeed, requesting – the service provider to establish a connection between his phone and a nearby cell tower.” [ZDNet]

US – Yahoo Publishes National Security Letters

Yahoo has published three National Security letters it has received from the federal government. National Security Letters allow federal law enforcement officers to demand customer records and transaction information from communication companies without the need for a warrant. The letters also carried a gag order that until recently never expired – anyone or organization receiving an NSL was not permitted to disclose its contents or even its existence. The USA Freedom Act, which became law last year, changed those requirements. The FBI must now review gag orders once the investigation is closed or three years after it was opened, to determine if lifting the order will or will not be detrimental to the investigation. Yahoo’s disclosure is the first since the USA Freedom Act passed. [Wired] [eWeek] [Redacted letters] [Yahoo’s position]

US – NTIA Issues Best Practices for Operators of Commercial and Private Drones

The National Telecommunications and Information Administration released its best practices for use of drones by operators for private and commercial uses. Public comments were sought in 2015. Operators should making a reasonable effort to provide prior notice to individuals of the general timeframe and area in which they intend to operate a drone to collect data; provide a publicly available privacy policy that includes the purposes of collection, the types of data the drone will collect, the operator’s data retention and de-identification practices, the types of entities with which data will be shared, how to submit privacy/security complaints or concerns, and a description of response practices to law enforcement requests. [National Telecommunications and Information Administration – Voluntary Best Practices for UAS Privacy, Transparency, and Accountability]

US – Snowden Questioned NSA’s ‘Interpretation of Legal Authorities’ Before Leak

Former government contractor Edward Snowden attempted to contact the NSA about its surveillance programs before exposing a trove of documents to the public. In response to a “long-running” Freedom-of-Information-Act lawsuit, the Office of the Director of National Intelligence released more than 800 pages of communications revealing Snowden tried to ask questions about the “interpretation of legal authorities” related to the programs. The documents also reveal Snowden’s face-to-face interaction with an official, details about Snowden’s work with the agency, and efforts by the NSA, the White House and U.S. Senator Dianne Feinstein, D-Calif., to discredit Snowden. [Vice News] [Snowden and the NSA Gets Curiouser and Curiouser]

US – Court Certifies Class Action Alleging Social Networking Site Unlawfully Scanned Users’ Private Messages

A US Court has considered a motion for class certification of a complaint alleging Facebook violates users’ privacy by scanning their private messages. The Court accepted the Plaintiffs’ argument that injunctive relief is appropriate for the class as a whole because Facebook has utilized a uniform system architecture and source code to intercept and catalog its users’ private message content; the Court rejects the social networking site’s argument that individual proof will show that many class members impliedly consented to the challenged practices. [Matthew Campbell et al. v. Facebook, Inc. – 2016 U.S. Dist. LEXIS 66267 – United States District Court For The Northern District Of California]

US – Electronic Health Records Company Settles FTC Charges It Deceived Consumers About Privacy of Doctor Reviews

The FTC announced electronic health records company Practice Fusion has settled with the agency over claims it mislead customers by asking for reviews of its doctors without telling customers the reviews would be made public, resulting in the disclosure of sensitive medical data. “Practice Fusion’s actions led consumers to share incredibly sensitive health information without realizing it would be made public,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “Companies that collect personal health information must be clear about how they will use it — especially before posting such information publicly on the internet.” In its settlement with the FTC, Practice Fusion is prohibited from making deceptive statements about the privacy and confidentiality of consumer information it collects, while requiring consumer opt-in before disclosing any information in the future. [Full Story]

Security

US – Three Bills Approved To Boost Security for California’s IT systems

California lawmakers passed three bills designed to strengthen the security of the state’s information technology systems. One of the bills would mandate a statewide response plan for cybersecurity threats on critical infrastructure by July 1, 2017. “Ensuring that these preparations are made for cybersecurity will make our state networks more resilient, improve response coordination, reduce recovery time and costs and ultimately limit the damage that is done,” said bill author Jacqui Irwin, D-Thousand Oaks. Another bill requiring state agencies to create detailed data breach response plans was unanimously approved by the California Senate, along with legislation making it illegal to knowingly put ransomware on a computer’s system, network or data. [Techwire]

CA – New Conference Board Centre to Focus on Cyber Security Policy

A new Conference Board of Canada research Centre is working to tackle cyber security issues that affect all Canadian citizens, starting with the critical issue of personal data privacy in the digital world. The first research from the Centre aims to get decision-makers and Canadians up-to-speed on privacy regulations and capable of making smart decisions. The report, Private Matters: Regulating Privacy in Canada, the European Union and the United States, highlights key trends that firms should address in order to maintain proactive privacy compliance. They include:

  • Consent—The broad concepts of informed and implied consent are no longer sufficient. Regulators are increasingly demanding that consent be active, explicit, and easily understood.
  • Breach notification—Enhanced regulations require organizations to report privacy breaches in a timely, comprehensive way. Failure to do so can result in steep fines and costs to a firm’s reputation.
  • Territoriality—Privacy will have to balance the rights of national citizens against the borderless nature of e-commerce. The new EU-U.S. Privacy Shield will have an impact on this debate. If EU demands prevail, EU citizens’ right to privacy will travel with their data.
  • Individual rights after consent—As regulators and industry get closer to figuring out how to get consent right, they will need begin enumerating the rights of individuals who have consented to data collection. They will also need to determine the appropriate remedies when those rights are violated.
  • Answering public demands—As the pace and pervasiveness of technology continue to accelerate, regulators will have to strike a balance between protecting the public and insisting the public more meaningfully contributes to its own protection.

The Conference Board of Canada’s new Cyber Security Centre examines the evolving nature of cyber security at the strategic and policy level, in order to meet the needs of senior executives and board members across all sectors and industries. [Conference Board of Canada News Release]

Surveillance

CA – BlackBerry Hands Over User Data to Help Police ‘Kick Ass,’ Insider Says

A specialized unit inside mobile firm BlackBerry has for years enthusiastically helped intercept user data — including BBM messages — to help in hundreds of police investigations in dozens of countries, a CBC News investigation reveals. CBC News has gained a rare glimpse inside the struggling smartphone maker’s Public Safety Operations team, which at one point numbered 15 people, and has long kept its handling of warrants and police requests for taps on user information confidential. A number of insiders, none of whom were authorized to speak, say that behind the scenes the company has been actively assisting police in a wide range of high profile investigations. But unlike many other technology companies, which regularly publish transparency reports, it is not clear how many requests BlackBerry receives each year, nor the number of requests it has fulfilled. [Source] See also: [More Canadian telcos should detail police data requests: Privacy commissioner]

US – Google Wants Privacy Lawsuit Dismissed, Cites Spokeo Case

Citing the Supreme Court’s decision in the Spokeo case, Google is asking a U.S. district judge to dismiss claims it disregards privacy laws. Google filed court papers in response to allegations it violates federal and state privacy laws by scanning emails in order to serve ads. A lawsuit from San Francisco resident Dan Matera claims Google illegally “intercepts” email messages, which forced him to interact with Gmail users, even though he did not have a Gmail account. Thanks to the result of the Spokeo case, Google wants Matera’s case thrown out, saying he cannot show a concrete injury, the report states. “Plaintiff does not allege, for example, that the alleged violations led to the disclosure of his confidential information to third parties, or that he suffered any other purported harm from the alleged ‘interceptions’ of his emails,” Google wrote in the papers. [MediaPost]

UK – Spies Circumvented Surveillance Laws With No ‘Meaningful’ Oversight

Privacy International has released previously confidential government documents that shed light on how British spy agencies circumvented legal restraints on their surveillance powers, with little interference from the commissioner charged with overseeing them. The documents detail correspondence carried out in 2004 between lawyers for two UK spy agencies — the Government Communications Headquarters (GCHQ) and MI5 — and Sir Swinton Thomas, the Interception of Communications Commissioner at the time. Thomas was responsible for overseeing the two agencies, but Privacy International, a London-based watchdog organization, says his correspondence with the GCHQ and MI5 “exposes the lack of meaningful restraint of the agencies’ over-reaching and intrusive powers.” The release of the document comes ahead of a Parliamentary debate on the controversial Investigatory Powers (IP) Bill. Introduced last year, the bill aims to provide a legal framework for bulk data collection, while increasing transparency and strengthening oversight for British spy agencies. But privacy advocates, internet service providers, and major technology companies have expressed alarm over the law — referred to by critics as the “snooper’s charter” — arguing that it gives police and intelligence agencies broad surveillance powers under vaguely defined terms. Privacy International says that the correspondence released today demonstrates the flimsiness of existing oversight mechanisms. [The Verge] [UK: Official correspondence reveals lack of scrutiny of MI5’s data collection]

+++

 

27 May – 02 June 2016

Biometrics

WW – Car’s Computer Can ‘Fingerprint’ You in 5 Min Based on How You Drive

The way you drive is surprisingly unique. And in an era when automobiles have become data-harvesting, multi-ton mobile computers, the data collected by your car—or one you rent or borrow—can probably identify you based on that driving style after as little as a few minutes behind the wheel. In a study they plan to present at the PETs Symposium in Germany this July, a group of researchers from the University of Washington and the University of California at San Diego found that they could “fingerprint” drivers based only on data they collected from internal computer network of the vehicle their test subjects were driving, what’s known as a car’s CAN bus. In fact, they found that the data collected from a car’s brake pedal alone could let them correctly distinguish the correct driver out of 15 individuals about nine times out of ten, after just 15 minutes of driving. With 90 minutes driving data or monitoring more car components, they could pick out the correct driver fully 100 percent of the time. “With very limited amounts of driving data we can enable very powerful and accurate inferences about the driver’s identity.” And the researchers argue that ability to pinpoint could have unexpected privacy implications: Everything from letting insurance companies punish drivers who loan their cars to their teenage kids, to confirming the identity of a driver who violated traffic laws or caused a collision. [Wired] [Is driving style the next biometric?]

US – Tattoo Recognition Research Threatens Free Speech and Privacy: EFF

An EFF Investigation Finds NIST/FBI Experimented with Religious Tattoos, Exploited Prisoners, and Handed Private Data to Third Parties Without Thorough Oversight …Now, with NIST and the FBI on the precipice of a new, larger experiment that will use upwards of 100,000 tattoo images, officials must suspend any further research into tattoo recognition technology until they address the First Amendment, ethical, and privacy concerns EFF has identified. [Source] See also: [Six Things You Need to Know Before Collecting Biometric Information]

Canada

CA – Company Scraps ‘Bad Tenant List’ After OPC Upholds Complaint

A property management company that maintained a “bad tenant” list for a landlord association has agreed to scrap it after the office of federal Privacy Commissioner Daniel Therrien concluded the personal information it contained was improperly collected. Therrien’s office investigated after receiving a complaint in February 2014 from a single parent with a disabled child. The unidentified woman had applied to the company for new rental accommodation that was fully accessible to her child, but was turned down. She was told by the company that her inclusion on the bad tenant list — for allegedly having skipped payments and for owing money for damages — was one of the reasons it was denying her housing services. The management company, which wasn’t named, told privacy commissioner investigators that members of the unidentified landlords association added the names of “bad tenants” to the list. The personal information on the list included the tenant’s name, the alleged incident for which the individual’s name was added to the list and the rental accommodation where the problem occurred. The company said the information was used to help landlords “avoid credit default” by potential tenants and determine “valid renters.” The complainant said she never consented to her personal information being collected for that purpose and wasn’t allowed to see the information about her or find out which landlord had added her name to the list. The property management company pointed to a clause in its rental agreement authorizing the landlord to obtain credit reports “or other information as may be deemed necessary.” But in a recently posted decision, the privacy commissioner’s office says it did not see how those words “would lead individuals to understand they were consenting to their personal information being collected, used and disclosed for the purposes of a ‘bad tenant’ list.” [Source]

CA – Office of the Privacy Commissioner Announces First Investigation Under Address Harvesting Provisions

The OPC announced its report of findings against Compu-Finder, a Quebec-based company that offers face-to-face professional training courses. The OPC alleges Compu-Finder used address harvesting programs to search and collect e-mails on the internet. This marks the first investigation by the OPC involving its address harvesting provisions under the Personal Information and Electronic Documents Act (PIPEDA). The OPC concluded that Compu-Finder did use e-mail addresses of individuals to send e-mails promoting its business activities, without the consent of the individuals concerned. Compu-Finder was unable to demonstrate it had the appropriate consent for the collection and use for many of the e-mail addresses. Further, the OPC found Compu-Finder lacked basic privacy knowledge of its obligations and failed in demonstrating accountability and openness of its privacy practices. This investigation also debuts the OPC’s compliance agreement power since the tool was added by the Digital Privacy Act on June 18, 2015. The compliance agreement between the Privacy Commissioner of Canada and Compu-Finder lists over ten remedial measures imposed on Compu-Finder. Some of the following measures that Compu-Finder has agreed to implement, include:

  • collect and use only e-mail addresses with proper consent;
  • destroy all e-mail addresses in its possessions which were collected without obtaining consent;
  • refrain from collecting any electronic addresses of individuals through the use of a harvesting computer program;
  • develop and implement a privacy program; and
  • obtain a third-party audit of its privacy program.

Compu-Finder is also under investigation by the CRTC, who issued a Notice of Violation against Compu-Finder pursuant to Canada’s Anti-Spam Legislation (CASL) on March 5, 2016. The OPC acknowledged the CRTC shared investigative information with the OPC pursuant to CASL and a Memorandum of Understanding between the two agencies. The CRTC’s proceedings against Compu-Finder are still on going. You can read the full report of findings and compliance agreement online here. [Source]

CA – Spy Agency Accidentally Shared Canadians’ Data With Allies for Years

A federal spy agency inadvertently shared logs of Canadians’ phone calls and Internet exchanges with intelligence allies such as the United States for years, a newly disclosed report says. The revelation that the CSE compromised Canadians’ privacy while sharing clandestinely captured data appears in a confidential watchdog’s report obtained from court filings related to a lawsuit against the Canadian government. The report said software that was supposed to remove identifying information on Canadians from material CSE captured during international surveillance operations had failed. This meant that Canada’s intelligence allies received data that Canadian laws say they should not see. The confidential report was written by Jean-Pierre Plouffe, a retired Quebec judge who heads the Office of the CSE Commissioner, the spy agency’s watchdog agency. In it, he suggests the unlawful seepage of Canadians’ phone and Internet records to foreign intelligence agencies could date back to the mid-2000s, and that the overall amount of compromised material is unclear. Given this, Mr. Plouffe is urging Parliament to pass laws spelling out how it wants the spy agency to function. “As CSE’s collection posture has strengthened, … the volume of metadata collected has increased considerably,” Mr. Plouffe writes in his 2015 report. He urged federal politicians to give clearer direction on surveillance. [The Globe and Mail]

CA – TREB Seeks ‘Opt-In’ Consent for MLS Data to Protect Consumer Privacy

Canada’s largest real estate board is urging the federal Competition Tribunal to protect consumer privacy by requiring homeowners to consent to sharing their housing information over the Internet. In filings posted on the tribunal’s website ahead of a hearing on Thursday in Ottawa, the Toronto Real Estate Board argues that electronic access to the board’s Multiple Listings Service should be made available to online real estate brokerages only after both buyers and sellers have checked an “opt-in” box on their sale and purchase agreement. TREB also asked the tribunal to make electronic home-sales data available for only six months after a house has sold, and said the data should not contain details of house sales that occurred before the tribunal issues its final order. It also argued that online brokers should not be able to use its MLS information for “data analytics” – such as building home-price heat maps or neighbourhood-level price trends – without the explicit consent of both buyers and sellers. The hearing comes a month after a three-member panel of the Competition Tribunal ruled that TREB was stifling competition in the Greater Toronto Area’s real estate industry by restricting how member realtors who run online brokerages access and share electronic data about homes that have sold. [The Globe and Mail]

Consumer

CA – Majority of Canadians Feel Their PI is Vulnerable to Security Breach

A report released earlier this month has indicated that the majority of Canadians believe the personal data the government holds on them, is vulnerable to a security breach. The study, conducted by Ipsos on behalf of Accenture Cyber, indicated that Canadians feel distrustful of their data in the hands of municipal, provincial and federal governments. A total of 54% of Canadians believe that personal information held by the federal government is vulnerable to a security breach. 20% of those surveyed feel they are “very vulnerable” and 33% feel they are “somewhat vulnerable,” according to the results of the survey. Albertans feel most distrustful of their governments, as 62% of those in the province report feeling vulnerable, followed by those from British Columbia (58%), Ontario (55%), and Atlantic Canada (53%). Quebec, Saskatchewan and Manitoba tied for last place with 49 % feeling their data could be compromised. On average, the results also say that women feel more vulnerable than men, and older Canadians are more skeptical of the safety of their data than younger ones. [Source]

E-Government

US – Uber Says New York Can’t Be Trusted With Its Data

Uber has gone to court to ensure confidentiality over records it provided for New York’s investigation of how the ride-sharing service secures data. New York began collecting the information two years ago after media reports surfaced about real-time tracking of rides — known internally as “God View” — that included personal information about riders. Uber provided the information at issue in response to an attorney general’s probe, so the company “thus enjoys categorical exemption from disclosure,” the petition states. Attorney General Eric Schneiderman’s office would only discourage similar cooperation from companies if it released the confidential information, the petition continues. [Source]

Electronic Records

US – Certified EHR Technology Now Widely Used at U.S. Hospitals

Nearly all of the country’s hospitals have adopted certified electronic health records, according to new survey data released May 31 by the Office of the National Coordinator for Health Information Technology. Results of the survey show the industry has a long way to go in sharing and then using from other healthcare organizations in treating patients—only a minority say they use patient information from outside their organization in treating patients. Based on the American Hospital Association IT Supplement to the AHA annual survey, the adoption rate of certified EHRs has increased from almost 72% in 2011 to 96% in 2015. Last year, 84% of hospitals adopted at least a basic EHR system, representing a nine-fold increase since 2008. ONC defines basic EHR adoption as a minimum use of core functionality determined to be essential to an EHR system, including clinician notes. The set of EHR functions must be implemented in at least one clinical unit to be considered basic EHR adoption. While small, rural, and critical access hospitals continue to have significantly lower basic EHR adoption rates compared with all hospitals, ONC notes that the new data show that adoption rates for these hospitals has increased significantly. Since 2014, small and rural hospitals increased their adoption of basic EHRs by at least 14 percentage points and CAHs increased their adoption of basic EHRs by 18 percentage points. Currently, about eight out of 10 small, rural, and CAHs have adopted a basic EHR. [Source]

Encryption

US – Proposed Senate Bill Requiring Backdoors in Encryption Appears Dead

A proposed anti-encryption bill has stalled out in the US Senate. The draft legislation would have required that encryption be breakable so investigators could access communications. The bill lacked White House support, and the intelligence community were reportedly “ambivalent” because the law could have impeded their own encryption efforts. [Reuters] [The Register] [CNET] [ComputerWorld] [ZDNet]

EU Developments

EU – Privacy Shield Doesn’t Hold Up: EDPS

European Data Protection Supervisor Giovanni Buttarelli has published his opinion on the EU-U.S. Privacy Shield, which he says is “not robust enough to withstand future legal scrutiny.” While he expressed appreciation for the legislative effort behind the agreement, “significant improvements are needed should the European Commission wish to adopt an adequacy decision,” he wrote. Buttarelli isn’t the only recent Privacy Shield critic. “We keep thinking we’re going to reach a date and from that date onwards we won’t have any more issues. That won’t happen,” said Intel Global Privacy Officer David Hoffman. “The idea that we’re going to solve the international data transfer issue with Privacy Shield, to me, is an incorrect assumption.” [v3] [BBC: EU Data Protection Supervisor Rejects Privacy Shield Agreement]

Facts & Stats

US – Most 2016 Healthcare Data Breaches from Unauthorized Access

Last year is often referred to as the “Year of the Hack” for healthcare, with the majority of healthcare data breaches being caused by third-party cyber attacks. The top three incidents alone combined to potentially affect nearly 100 million individuals, and were all involved hacking. So far, 2016 is not immune from healthcare data breaches, but the leading cause of incidents is unauthorized access, according to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) data breach reporting database. There have been 114 incidents reported to OCR between Jan. 1, 2016 and June 1, 2016. Of those, 47 were classified as being caused by unauthorized access or disclosure. The rest of the classification breakdown is as follows:

  • 34 – hacking/IT incident
  • 26 – theft
  • 5 – loss
  • 2 – improper disposal

However, the largest healthcare data breach so far this year was due to a hacking incident. [Source] Top 10 Healthcare Data Breaches of 2015

UK – Sloppy Human Error Still Prime Cause of Data Breaches: ICO

FOI data from ICO reveals usual failings: loss of paperwork, data sent to wrong recipients, insecure disposal of hardware and paperwork, loss or theft of unencrypted devices, and failure to redact data …Of the sectors compared over the three years, 66% reported an increase in data breach incidents, with the courts and justice sector recording a rise of 500% over the period. Healthcare organisations continue to top the list for total number of reported incidents at 184. Human error continues to be mainly to blame. For January – April 2016, human error accounted for almost two-thirds (62%) of the incidents reported to the ICO, outstripping other causes such as insecure webpages and hacking, which stands at just 9% combined. Despite this, market attention and resource continues to focus on external threats, notably cyber-attacks and hackers. [Source] See also: [Human error causes more data loss than malicious attacksHuman Error to Blame as UK Data Breaches Soar | Courts and justice sector see 500 per cent rise in data breaches]

Filtering

CA – BC Supreme Court Orders Search Engine to Deny Access to Defamatory Statements

An individual seeks an injunction against a website that allegedly posted defamatory comments. An individual who filed a defamation lawsuit against two individuals and a website was granted a permanent injunction against those U.S. Defendants (who are prohibited from publishing such statements) in light of the possibility that they may resist enforcement of a monetary judgment of a Canadian court; a permanent injunction was also granted against a search engine, through which links can be obtained to the defamatory statements. [Nazerali v. Mitchell – 2016 BCSC 810 – In The Supreme Court of British Columbia]

CA – Officials Examining ‘Right-To-Be-Forgotten’ Potential in Canadian Law

As Google and the CNIL continue their battle over Europe’s “right-to-be-forgotten” law in France, Canadian officials are mulling whether the law has a place in their own legal system. A case involving Google and Datalink Technologies Gateways, Inc., has drawn parallels to the case in France, as the search engine is challenging an order in front of the Canadian Supreme Court to remove listings of Datalink, which is being accused of trademark violations across its worldwide search. To address their course on the RTBF, the Office of the Privacy Commissioner of Canada has received 23 formal submissions on the subject. “The law is broadly struggling to address these issues, and so we thought it was a legitimate question to ask,” said Patricia Kosseim, director general of the Legal Services, Policy, Research and Technology Analysis branch of the OPC. [The Globe and Mail]

FOI

CA – OPC Urges Committee to Rethink Information Commissioner’s Legal Jurisdiction

Privacy Commissioner of Canada Daniel Therrien suggested limiting the “proposed authority” for Information Commissioner Suzanne Legault in a brief to the Commons committee considering the Access to Information Act. Therrien argued that the current balance of power “illustrates the healthy tension between opposing interpretations” of what the law defines personal information to be. Said balance should be taken into consideration before revising job descriptions, he added. Instead, he suggested “the matter should only be discussed two years from now, when the government does a full-scale review of the access law,” the report states. [CTV News]

Health / Medical

CA – Saskatchewan Adopts Anti-Snooping Law for Health Records

The government is toughening up its laws around the protection of personal health information in Saskatchewan. The changes are in response to a member of the public finding thousands of medical records in a Regina dumpster in 2012, something the privacy commissioner at the time called the “worst breach of patient information” his office had ever seen. Despite that, there were no prosecutions. That incident sparked the government to create a working group made up of doctors, nurses, government officials and a patient representative to come up with stronger rules. The amendments to the Health Information Protection Act (HIPA) are effective June 1. They include a reverse onus clause for trustees of medical records to show they took reasonable steps to prevent their abandonment. [Source]

AU – Australian HealthCare Providers Must Protect Against Insider Risk

Recommendations for Australian healthcare providers to protect health information. Providers should adopt an approach that manages the risk of an external attack and aims to prevent internal data breaches from negligent or malicious staff; ensure employees have a high level of cybersecurity awareness (training and policies), encrypt all portable devices and allow for remote wiping, and revoke employee access to the network immediately after notice of termination is given. [Cybersecurity and the Risk of Inside Jobs – Marie Feltham, Special Counsel and Leonard Lozina, Lawyer – DibbsBarker]

CA – Ontario Health Ministry Ordered to Disclose Names on OHIP Billings

The province’s privacy commission has ordered the health ministry to release the names of doctors along with their OHIP billings, in the interests of transparency and accountability. The decision comes two years after the Toronto Star began requesting physician-identified billings from the health ministry, and brings the province more in line with other jurisdictions that are opting to disclose public funds paid to doctors. In granting an appeal the IPC said physician-identified billings are not “personal information” and are, therefore, not exempt from disclosure under the province’s Freedom of Information and Protection of Privacy Act. Even if they were deemed personal, a compelling public interest in their disclosure would outweigh the purpose of the act’s privacy exemption, the IPC wrote in a 54-page order released Wednesday and received by the Star Thursday. The IPC has ordered the health ministry to release the information to the Star by July 8. [Source]

Horror Stories

WW – Recently Confirmed Myspace Hack Could Be the Largest Yet

A report from LeakedSource.com says that there are over 360 million accounts involved. Each record contains an email address, a password, and in some cases, a second password. As some accounts have multiple passwords, that means there are over 427 million total passwords available for sale. Despite the fact that this data breach dates back several years, the size of the data set in question makes it notable. Security researchers at Sophos say that this could be the largest data breach of all time, easily topping the whopping 117 million LinkedIn emails and passwords that recently surfaced online from a 2012 hack. That estimation seems to hold up – while there are a number of other large-scale data breaches, even some of the biggest were not of this size. The U.S. voter database breach included 191 million records, Anthem’s was 80 million, eBay was 145 million, Target was 70 million, Experian 200 million, Heartland 130 million, and so on. [Source]

WW – LinkedIn Sends Out Breach Notification Emails

Users of LinkedIn likely received breach notification emails from the social network earlier this week. The emails come four years after a 2012 hack of the service in which millions of passwords and usernames were accessed. The incident was widely reported in 2012, but came back into the spotlight last week with news that 117 million email and password combinations — significantly more than the 6.5 million originally reported in 2012 — were for sale on the Dark Web. “While we do all we can, we always suggest that our members visit our safety center to learn about enabling two-step verification, and implementing strong passwords in order to keep their accounts as safe as possible,” the email stated. [Fortune] See also: [Unencrypted Laptops Expose Over 400,000 Patients’ Medical Data]

WW – Hackers Stole 65 Million Passwords from Tumblr, New Analysis Reveals

On May 12, Tumblr revealed that it had just found out about a 2013 data breach affecting “a set” of users’ email addresses and passwords, but the company refused to reveal how many users were affected. As it turns out, that number is 65 million, according to an independent analysis of the data. Troy Hunt, a security researcher who maintains the data breach awareness portal Have I Been Pwned, recently obtained a copy of the stolen data set. Hunt said the data contained 65,469,298 unique emails and passwords. The passwords, however, were not in plaintext, but were “hashed,” a process that turns the actual password into a different string of digits. The company also added a series of random bytes at the end of the passwords before hashing them, or “salted” them, as Tumblr said when it disclosed the breach. The company, however, didn’t say exactly what algorithm it used to hash the passwords. Since Tumblr’s announcement, the hacked data appears to have been circulating within the internet underground. A hacker known as Peace, who also claims to have the data and was selling it on the darknet marketplace The Real Deal, said Tumblr used SHA1 to hash the passwords. Given that it also used salt, they are very hard for hackers to crack. [Source]

Identity Issues

US – Doctors Fire Back at Bad Yelp Reviews – and Reveal PHI Online

Burned by negative reviews, some health providers are casting their patients’ privacy aside and sharing intimate details online as they try to rebut criticism. In the course of these arguments — which have spilled out publicly on ratings sites like Yelp – doctors, dentists, chiropractors and massage therapists, among others, have divulged details of patients’ diagnoses, treatments and idiosyncrasies. [Source]

Internet / WWW

US – Tech in U.S. Schools Collects Student Data for Marketing Purposes: Report

The National Education Policy Center has issued its 18th annual report about commercialization of student information. Current regulatory frameworks do not effectively protect against application service providers using student’s personal information for marketing purposes; legislators should eliminate loopholes that provide companies with opportunities to collect and exploit children’s data, and pass enforceable legislation that holds schools, districts, and companies with access to student data accountable for violations of student privacy. [NEPC: Learning to be Watched: Surveillance Culture at School]

Law Enforcement

US – ACLU joins Microsoft’s Challenge to DoJ Gag Orders

The American Civil Liberties Union has filed a motion to join Microsoft’s challenge to the Justice Department’s use of gag orders that prevent companies from telling users when the government is demanding access to their data. “A basic promise of our Constitution is that the government must notify you at some point when it searches or seizes your private information,” said ACLU Senior Staff Attorney Alex Abdo. “Notice serves as a crucial check on executive power, and it has been a regular and constitutionally required feature of searches and seizures since the nation’s founding.” A Microsoft spokesman said the company “appreciates the support from the ACLU and many others in the business, legal and policy communities who are concerned about secrecy becoming the norm rather than the exception.” [USA Today]

Location

US – Appeals Court Delivers Blow to Cellphone-Privacy Advocates

Courts across the country are grappling with a key question for the information age: When law enforcement asks a company for cellphone records to track location data in an investigation, is that a search under the Fourth Amendment? By a 12-3 vote, appellate court judges in Richmond, Virginia, on Monday ruled that it is not — and therefore does not require a warrant. The 4th Circuit Court of Appeals upheld what is known as the third-party doctrine: a legal theory suggesting that consumers who knowingly and willingly surrender information to third parties therefore have “no reasonable expectation of privacy” in that information — regardless of how much information there is, or how revealing it is. Research clearly shows that cell-site location data collected over time can reveal a tremendous amount of personal information — like where you live, where you work, when you travel, who you meet with, and who you sleep with. And it’s impossible to make a call without giving up your location to the cellphone company. [The Intercept]

WW – Collaborative Project Maps Areas Where Governments Spy on People

The Digital Freedom Alliance has launched a collaborative open source project to map places in the world where governments use malware to conduct surveillance on journalists, activists, lawyers, and NGOs. The project gathers information from a variety of sources and maps the locations, noting the dates, targets, and type of malware used. [Wired]

Online Privacy

WW – Facebook to Begin Sending Targeted Ads to Nonusers

In an attempt to grow its online ad network, Facebook will display ads to consumers who do not have accounts with the social media network. Facebook plans to reach nonmembers through cookies, “like” buttons, and plug-ins on third-party sites. While Facebook says its new method will better serve relevant ads to nonusers, European regulators have cited privacy concerns in their criticism of the practices. Facebook feels they are in a great position to target nonmembers through the large amounts of data it holds on current users. “Because we have a core audience of over a billion people [on Facebook] who we do understand, we have a greater opportunity than other companies using the same type of mechanism,” said VP of Facebook’s Ad and Business Platform Andrew Bosworth to the Journal. [The Verge] See also: [You Should Go Check Facebook’s New Privacy Settings]

WW – Googling Yourself Now Leads to Personal Privacy Controls

Soon, all you’ll need to do is Google yourself if you’re wondering how deeply Google has been digging into your digital life. In coming weeks, a shortcut to personal account information will appear at the top of Google’s search results whenever logged-in users enter their own names in the query box. The feature is part of an update to the “My Account” hub that Google introduced a year ago to make it easier for people to manage the privacy and security controls on the internet company’s services. While Google isn’t making any additional information available, it is making it easier to find. The link to personal accounts will appear at the top right of the listings for searches done on personal computers and at the top of requests entered on smartphones. Google is making the change because it learned that many users doing a “vanity search” under their name wanted a quicker way to find out what the company knew about them, as well as to see how they are depicted on various sites across the internet, said Guemmy Kim, a Google product manager. A new feature on Google’s mobile app will also quickly take users to their account information with a spoken request. All that will be required are the words: “OK Google, show me my Google account.” This option initially will only be available in English. [Source]

WW – IETF Publishes RFC for DNS Encryption

The Internet Engineering Task Force has released an RFC (request for comments) proposing that DNS requests be encrypted with Transport Layer Security (TLS). DNS requests and responses are often collected by law enforcement because they are classified as metadata. [The Register] [RFC]

Privacy (US)

US – Report: Employee Cybersecurity Knowledge Low, Despite Training Programs

A study from Experian and the Ponemon Institute reveals security training programs aren’t efficient enough at altering workers’ unsafe online behavior. “Managing Insider Risk through Training & Culture” is a survey of companies providing data protection courses to their employees. The study revealed 60% of respondents said their employees were either not knowledgeable or had no knowledge of cybersecurity, despite having training available. Only 35% said senior executives placed a high priority on employee data threat education, and 43% said their corporate training consisted of one course covering all departments. Low numbers were also reported on courses containing information on phishing and social engineering. “Phishing and social engineering attacks have been shown to result in data breaches. Training programs should show the consequences of these attacks and how to avoid falling prey to them.” [SC Magazine]

US – Obama Releases Final Privacy Framework for Precision Medicine Initiative

The White House announced the release of the final Data Security Policy Principles and Framework for its Precision Medicine Initiative. The framework is based on the administration’s cybersecurity framework and creates data security expectations and a risk-management approach for organizations taking part in the initiative. All federal PMI agencies will also integrate the framework across all PMI activities. President Barack Obama said, “We’re going to make sure that protecting patient privacy is built into our efforts from day one.” [White House]

US – Other Privacy News

Security

US – New System Monitors Govt Employees for Potential “Insider Threats”

The Defense Department is creating a system designed to expose potential “insider threats” by monitoring national security personnel. The Pentagon is hiring a team of “cross-functional experts” who are trained in cybersecurity, privacy, law enforcement, intelligence, and psychology to help discover potential traitors. The DOD Component Insider Threat Records System will also examine employees’ social media posts, and their digital work habits, while also incorporating keystroke tracking, screen captures and email. Civil liberties advocates are voicing their opposition to the system, saying the constant surveillance will stop whistleblowers from coming forward. “When you read the insider threat material, what they view as a threat is somebody reporting information about government activity to the press, which is, in a democratic society, not only important but necessary,” said FBI veteran Michael German. [Nextgov]

US – DOD is Creating an Insider Threat Database

The US Defense Department (DOD) is creating a system that contains information about national security personnel and other people with security clearances to help identify potential insider threats. The DOD Component Insider Threat Records System was created in response to the Pfc. Chelsea Manning data leaks that occurred in 2010. [NextGov]

WW – CIOs Say Organized Cybercrime is Top Threat to Business Operations

According to the Harvey Nash/KPMG 2016 CIO Survey, one-third of the respondents said they had dealt with a significant IT emergency or a cyberattack over the past two years. CIOs say organized cybercrime is the biggest cyber-threat to their organizations. The report found that 46% of CDOs (chief digital officers) report to their organization’s CEO, while just 21% report to the CIO. And 65% of respondents said they believe that a shortage of technical talent will hinder their ability to keep pace with the changing digital landscape. The survey comprises data gathered from 3,352 CIOs and technology leaders in 82 countries. [Press Release] [v3.co.uk] [v3.co.uk]

US – Medical Devices Could Be Used as Point of Entry into Healthcare Networks

The US Department of Veterans Affairs (VA) deputy director of health information security told Nextgov that attackers are more likely to break into Internet-connected medical devices to gain access to a hospital network than to disrupt a patient’s treatment. Medical records are a valuable commodity on the data black market. Medical devices are not as readily patched as computers and phones. Lynette Sherrill also said that her agency removes devices that are found to be infected with malware, even if it means cancelling appointments. [NextGov]

WW – ICSA Launches IoT Certification Testing Program

ICSA Labs has launched its IoT (Internet of Things) Certification Testing program. The devices that pass muster will receive the ICSA seal of approval. The ICSA program will test both consumer products and enterprise products over six components: alerts and logging; cryptography; authentication; communications; physical security, and platform security. Earlier this year, Underwriters Laboratories launched its Cybersecurity Assurance Program (UL CAP). [DarkReading] [ComputerWorld]

WW – Microsoft Ends Common Password Use and Password Lockout

Microsoft has announced plans to dynamically prohibit common passwords, like the word “password,” while congruently using the smart password lockout system. The lockout program would keep hackers from continually attempting to access users’ accounts while not freezing out legitimate users at the same time, the report states. The changes respond to the recent hacker dump of LinkedIn data, the report adds. Reddit also took action in light of the breach, announcing it would reset user passwords, SC Magazine reports. Meanwhile, a hacker is selling more than 65 million Tumblr passwords on the Dark Web, while 427 million MySpace passwords were found for sale online for $2800. [SC Magazine]

WW – Unbox Your Laptop, and Say Hello to Security Risks

Powering up a new laptop can be exhilarating. It can also be full of security risks. Software update tools that are preinstalled on Acer, Asus, Dell, HP and Lenovo laptops all contained at least one critical security vulnerability that hackers could easily exploit, said Duo Labs, the research arm of Duo Security, in the results of an investigation published Tuesday. In total, Duo Labs uncovered 12 different OEM software vulnerabilities across all the computer makers. OEM (original equipment manufacturer) software includes programs like product registration and 30-day free trials that come installed on a laptop right out of the box. They’re often referred to as bloatware since they’re largely unnecessary and weren’t installed at the user’s request. Not only is bloatware superfluous, it’s often a weak link in the security chain, according to Duo Labs. “The level of sophistication required to exploit most of the vulnerabilities we found is somewhere between that possessed by a coffee stain on the Duo lunch room floor and your average potted plant — meaning, trivial,” wrote Darren Kemp, a security researcher with Duo Labs, in a blog post Tuesday. [Source]

Surveillance

WW – Governments Turn to Commercial Spyware to Intimidate Dissidents

A growing number of U.S. companies are teaching foreign law enforcement agencies to code unique surveillance devices, often to track dissidents. The tools can override encryption measures, the report states. “There’s no substantial regulation,” said Bill Marczak of the University of Toronto’s Munk School of Global Affairs. “Any government who wants spyware can buy it outright or hire someone to develop it for you. And when we see the poorest countries deploying spyware, it’s clear money is no longer a barrier.” [New York Times]

CA – Interim RCMP Policy Sets Body Cam Guidelines

A new RCMP policy will require Mounties wearing small video cameras to hit record when they believe force will be used against a suspect. The interim policy is being considered with two purposes in mind: To gather evidence for prosecution against criminal behavior, and to answer any questions surrounding the aftermath of an incident. “Police are making use of a relatively new technology to hold both police officers, and members of the public we interact with, accountable for any actions taken,” the RCMP says. Other privacy concerns addressed in the interim policy include telling an individual when officers are wearing cameras, teaching RCMP members of best video policies and practices, and making sure recordings are uploaded securely. [The Canadian Press] See also: [As More Police Wear Body-Cams, States Set New Rules Limiting Access to Footage] [Minnesota’s police body camera law is bringing privacy concerns.]

WW – Sports World Embraces Data Analytics

The Seattle Mariners’ use of sleep tracking tool Readiband last year is a window into the professional athletics’ community’s adoption of data-collecting tools. This use of data analytics is changing how coaches and players interact, Chicago Cubs Baseball Operations Assistant John Baker argues. “Welcome to the next frontier in baseball’s analytic revolution,” the report states. “Many of this revolution’s tenets will be familiar to anyone who works for a living — the ever-growing digitization and quantification of things never-before measured and tracked, for instance, or the ever-expanding workplace, the blurring distinction between the professional and the personal, and the cult of self-improvement for self-improvement’s sake.” [Vice Sports]

AU – ACT Govt Launches Review Into Civil Surveillance

The ACT government has announced a review of the use and conduct of civil surveillance in the territory that could lead to Australia’s first law to allow victims to sue over privacy intrusions. According to the statement, the review’s terms of reference be looking at a range of issues including:

  • Surveillance in civil litigation claims
  • Surveillance businesses
  • Surveillance technology and practices, such as geo-tagging
  • Expansion of the existing Listening Devices Act 1992 to capture video surveillance and electronic monitoring
  • Possible need for a tort of breach of privacy
  • Current regulation of civil surveillance and the Information Privacy Act 2014.

An independent reviewer will be engaged by the Justice and Community Safety Directorate in order to undertake the review. [Source]

Telecom / TV

WW – Charging Mobile Devices Could Put Data at Risk

Smartphones can be compromised when charged using a standard USB connection connected to a computer, Kaspersky Lab experts have discovered in a proof-of-concept experiment. The researchers are now evaluating what the impact of such an incident might be. To learn more, read the blog post available at Securelist.com. [Kaspersky Corporate News]

US Legislation

US – Legislative Roundup

+++

 

Follow

Get every new post delivered to your Inbox.