10-16 April 2018

Biometrics

WW – Fingerprints Can Show If You’ve Done Drugs

A raft of sensitive new fingerprint-analysis techniques is proving to be a potentially powerful new avenue for extracting intimate personal information—including what drugs a person has used. New techniques can determine, from a single fingerprint, not whether you have handled these drugs, but whether you have taken them. The new methods use biometrics to analyze biochemical traces in sweat found along the ridges of a fingerprint. And those trace chemicals can quickly reveal whether you have ingested cocaine, opiates, marijuana, or other drugs. One novel, noninvasive forensic technique developed by U.K. researchers can detect cocaine and opiate use from a fingerprint in as little as 30 seconds. The assay—which was so sensitive that it could still detect trace amounts of cocaine after subjects washed their hands with soap—correctly identified 99% of the users, and gave false positive results for just 2.5 percent of the nonusers. The researchers say they hope to expand the range of controlled substances that can be detected, which could include methamphetamines, amphetamines, and marijuana. The test can be modified to detect therapeutic drugs prescribed by physicians too. [The Atlantic]

CN – Facial-Recognition Cameras Caught Suspect Among 60,000 Concertgoers

China is pursuing an ambitious plan to make an omnipresent video surveillance network. On the night of April 7, nearly 60,000 people had gathered at the Nanchang International Sports Center for a concert by Cantopop legend Jacky Cheung. In the middle of an upbeat song, a pair of police officers began descending the aisles, according to footage posted on the Chinese video sharing site Miaopai. Soon, they had arrived at the row they were looking for and apprehended the 31-year-old. Before Cheung had finished singing the refrain, officers were escorting the man out of the show. The man, identified only by his surname Ao, was reportedly wanted for “economic crimes,” according to Kan Kan News. Details about Ao had been in a national database, and when he had arrived at the stadium, cameras at the entrances with facial-recognition technology had identified him — and flagged authorities, the news site reported. “He was completely shocked when we took him away,” police officer Li Jin told Xinhua news agency. “He couldn’t fathom that police could so quickly capture him in a crowd of 60,000.” Ao’s unlikely capture became the latest example of China’s growing use of facial-recognition technology. As The Washington Post’s Simon Denyer reported, law enforcement and security officials in China hope to use such technology to track suspects and even predict crimes. Ultimately, officials there want to create a comprehensive, nationwide surveillance system known as “Xue Liang,” or “Sharp Eyes” to monitor the movements of its citizens. At the back end, these efforts merge with a vast database of information on every citizen, a “Police Cloud” that aims to scoop up such data as criminal and medical records, travel bookings, online purchases and even social media comments — and link it to everyone’s identity card and face.
A goal of all of these interlocking efforts: to track where people are, what they are up to, what they believe and who they associate with — and ultimately even to assign them a single “social credit” score based on whether the government and their fellow citizens consider them trustworthy. Images from Denyer’s visits to three technology companies showed people monitoring cars and people as they passed through an intersection. Attached to each entity were text bubbles that showed identifying characteristics: the person’s gender and home town, for example. “Surveillance technologies are giving the government a sense that it can finally achieve the level of control over people’s lives that it aspires to,” Adrian Zenz, a German academic who has researched ethnic policy and the security state in China’s western province of Xinjiang, told Denyer. Many have voiced their concerns about the ethical ramifications of such a system. Human Rights Watch has a page dedicated to mass surveillance and the use of “big data” in China. “For the first time, we are able to demonstrate that the Chinese government’s use of big data and predictive policing not only blatantly violates privacy rights, but also enables officials to arbitrarily detain people,” Wang wrote. “People in Xinjiang can’t resist or challenge the increasingly intrusive scrutiny of their daily lives because most don’t even know about this ‘black box’ program or how it works.” As for Ao, the man caught at the Jacky Cheung concert, he said he thought he would be safe in a crowd of tens of thousands. He and some friends had bought the concert tickets, and Ao had driven with his wife about 60 miles to see the show, according to the news site. [Opinion: China’s new surveillance state puts Facebook’s privacy problems in the shade]

Big Data / Data Analytics / Artificial Intelligence

EU – A Privacy Pro’s Guide to Explainability in Machine Learning Models

With the EU GDPR just around the corner, there has been some debate and discussion about whether the law requires a “right to an explanation” from machine learning models. “Regardless of the regulation’s effects on machine learning, however, the practical implications of attempting to explain machine learning models presents significant difficulties,” Immuta Legal Engineer Stuart Shirrell writes. “These difficulties will become an increasing focus for privacy professionals as machine learning is deployed more and more throughout organizations in the future.” [IAPP.org]

Canada

CA – Federal Privacy Commissioner Argues for Right to Be Forgotten

Canada’s privacy commissioner took the stage at a Canadian Journalism Foundation (CJF) privacy summit in Toronto to advocate for the right to online reputation. The half-day summit was an opportunity for members of the media, as well as lawyers and legislators to meet and discuss the right to privacy in relation to freedom of expression. Daniel Therrien’s core position is that Canadians should be able to access the internet without having to fear that their reputations will be ruined as a result. A draft paper published in January 2018 established the OPC position, while also suggesting that ‘de-indexing’ and ‘source takedown’ are possible solutions to maintain individual online reputation. Also known as the ‘right to be forgotten,’ de-indexing refers to the process by which individuals can request that search engines remove results when an individual’s name is used in the search. Source takedown, by comparison, refers to the removal of the original source of content from the internet entirely. As individuals at the summit pointed out, there’s some contention between the right to privacy, freedom of expression and the freedom to access information. In response to freedom of speech advocates, Therrien argued, “there are real consequences to incorrect information being out there to be seen by many.” “The solution can be discussed at length, and a reason why we have put this out as a draft position paper is that we’re pretty sure that there’s a harm to be remedied here, and as a regulator, the tool that I have… is the legislation to limit or enforce,” he said. Therrien further argued that in the age of the internet, more information is easily accessible than ever before. As such, it’s necessary to find some way to regulate the information that’s available. [betakit.com | Canadian Government Leaning Towards A Right to Be Forgotten it Can Enforce Anywhere in The World]

CA – Quebec Commissioner Suggests Amendments to Privacy Law

The Quebec Commission on Access to Information has issued recommendations for amending the Private Sector Privacy Act. Quebec’s private sector privacy law should be amended to compel organizations to destroy personal information once the purposes for which they were collected are fulfilled (except when kept under a legal provision), and delete any provision recognizing the right of an organization to retain information, even if it can no longer use it according to the law. [CAI QC – Five-Year Report (Pages 120-122)]

CA – Supreme Court Rules on B.C. Campaign Financing Case

In a unanimous decision, the Supreme Court of Canada dismissed a bid by the B.C. Freedom of Information and Privacy Association (FIPA) that challenged a section of B.C.’s Election Act that requires even small spenders to register with the province’s chief elections officer if they sponsor election advertising during a campaign. [see here] But in its 7-0 ruling, the top court clarified the law so that people who wear T-shirts bearing political messages, or put bumper stickers on their cars or signs in their windows during an election, will not have to register with the province’s election office, providing they spend less than $500. But people or groups who sponsor advertising must continue to register. FIPA, a non-profit public advocacy group, had argued the requirement to register inhibits “political expression by persons who don’t wish names and addresses to become public knowledge,” and is a violation of the Charter of Rights and Freedoms’ guarantee of freedom of expression. In B.C., a person or group wishing to sponsor advertising during one of the province’s 28-day provincial election campaigns must register with a full name, address and a service address, and provide a signed statement. The Chief Electoral Officer then makes that information public, although the factum of the Attorney General of B.C. says telephone numbers and home addresses can be obscured upon request. Failing to register could result in a fine up to $10,000 or imprisonment up to a maximum of one year, or both. Reacting to the decision, the Canadian Civil Liberties Union said “small voices” could still be silenced under the B.C. Elections Act. [B.C. Freedom of Information and Privacy Association v. British Columbia (Attorney General) | BC’s election gag law being challenged in Supreme Court of Canada | Canadian Lawyer magazine | Top Court Upholds BC Law Requiring Election Advertisers to Register | SCC rules on election campaign sponsorship in B.C. | Wearing a T-shirt isn’t ‘sponsored’ election advertising, top court rules]

CA – Insurance Company Must Delete Personal Information

The OPC investigated a complaint against an insurance company, alleging violations of PIPEDA. The OPC investigation determined that a company should have treated an individual’s request to delete his data as a withdrawal of consent; the company initially denied the request (retention was necessary to provide insurance details to other insurers), however, once the individual accepted that deletion could result in higher premiums or coverage denial, his information was deleted. [OPC Canada – Case Summary 2017-005 – Insurance Company Required to Delete Individuals Personal Information After They Withdraw Consent]

CA – Nurse Fined for Criticizing Grandfather’s Healthcare Loses Appeal

A Prince Albert nurse fined for criticizing her grandfather’s palliative care online has lost her appeal of a $26,000 fine ordered by her professional regulatory board. In a written decision, Saskatoon Queen’s Bench Justice J. Currie said Carolyn Strom violated professional conduct rules relating to her profession as a registered nurse. Even though Strom was away from work on maternity leave at the time she wrote the online posts, Currie upheld an earlier decision from the Saskatchewan Registered Nurses’ Association (SRNA) that found Strom guilty of professional misconduct. In his decision, Currie said his role was not to determine whether the decision from the disciplinary committee was correct, but rather whether it “falls within the realm of reasonable decisions in the circumstances.” In that respect, Currie agreed with the discipline committee. The Saskatchewan Union of Nurses acted as an intervenor in the case, and said it is disappointed the SRNA ruling was upheld, saying the decision will affect nurses and other professionals, who will think twice before expressing their personal opinions. [paNOW]

CA – Alphabet to Start Toronto Smart-City Tech Pilot in Summer, Build in 2020

Alphabet Inc’s urban innovation company Sidewalk Labs hopes to break ground on its first ever smart-city project in Toronto in 2020, and begin testing some of the proposed technologies this summer, its chief executive said. This is the first time a timeline has been publicly disclosed for the project. A development plan is expected to be approved by the Sidewalk and Waterfront Toronto boards by the end of 2018, and the first residents could move in as early as 2022. The timeline is subject to government approvals and other processes that Sidewalk expects to spend most of 2019 working through. Other smart city projects have largely failed because of budgets, the involvement of too many parties, and the use of public resources on development with no immediate benefits for the broader population. Corporate access to personal information is a growing concern. Sidewalk Labs has faced growing scrutiny over its plans to put sensors and cameras all over Quayside. Doctoroff said Sidewalk Labs would destroy non-essential information, only retain data that would improve the quality of life, and not sell them to advertisers. Third parties must adopt privacy policies developed for the plan, he added. [Reuters]

CA – Man Arrested for Breaching Nova Scotia’s FOI Website

A 19-year-old Halifax man has been arrested for illicitly accessing the Nova Scotia government’s freedom-of-information website. The man was able to see more than 7,000 documents, some of which contained sensitive information, including birth dates, social insurance numbers, addresses and government-services client information. The Nova Scotia government said no credit card information was compromised in the breach, with government officials saying thousands of citizens in the province were likely affected. Halifax Regional Police searched the suspect’s house before his arrest. The man has been charged with the unauthorized use of a computer. Software and privacy professionals have expressed concerns the Nova Scotia government is using the 19-year-old man as a scapegoat for the breach. [CBC News | See also: Teen charged after personal information exposed in Nova Scotia government website breach | Police refute claim they asked province to keep a lid on information breach | Province just sort of stumbles across massive data breach]

Consumer

US – Majority of US Consumers Concerned About Privacy: Survey

The Network Advertising Initiative conducted a survey asking 10,000 U.S. consumers about their opinions on online privacy. Of the respondents, 85% said the current state of online privacy was at least “somewhat concerning,” with 50% of those consumers saying they are either “very” or “extremely” concerned about privacy. When asked about their top privacy concerns, 56% said hackers, while 15% said data collection by any federal government around the world. The majority of consumers said they want their online content to be paid for by advertising, and 79% of respondents said individuals should be in control of opting out of any online marketing campaigns. [NAI]

CA – Canadians Skeptical About Cloud Security, Except at Work: Study

Nearly half of Canadians aren’t comfortable storing sensitive information in the cloud, according to a new study. 46% of Canadians don’t like the thought of storing family information on the cloud, a figure that rises to 52% when it comes to medical information, and 59% for financial information. The Citrix Cloud and Security Survey says 62% of employed Canadians felt that documents uploaded to the cloud were either somewhat, or very secure. At the same time, 42% of workers think their employer is solely responsible for maintaining and upgrading security on all devices. A lot of employees, however – 34% – don’t even know if their company uses cloud services. In addition, more than 40% of all Canadians weren’t sure what the cloud was. [IT Business]

WW – Study Highlights Privacy Concerns with Gaming Platforms

Academic researchers published a paper that examined data handling practices in modern gaming platforms and consoles. These collect different types of user data through hardware (cameras, sensors, microphones), platform features (social media, user-generated content) and tracking technologies (cookies, beacons, and scripts). All games studied shared user data with advertising platforms and partners, while mobile games stored private message contents and had a right to access and review these messages. [Privacy in Gaming – N. Cameron Russell, Joel R. Reidenberg and Sumyung Moon – Center on Law and Information Policy at Fordham Law School | Gaming Platform Updates Its Privacy Setting Default | DigitalTrends]

E-Mail

UK – ICO Fines Royal Mail Over 300,000 “Spam” Emails

Royal Mail, which claims to be the most trusted letter delivery service in the UK, was today fined for sending out more than 300,000 nuisance emails. The UK ICO said it launched a probe [see 16 pg PDF notice here] after an individual complained they had received a marketing email from Royal Mail, despite having opted out. Royal Mail argued the email in question was a service because it was telling customers there was a price drop for second-class parcels – but the ICO disagreed. Deeming the message to be marketing, the ICO issued a £12,000 fine for breaching the Privacy and Electronic Communications Regulations (PECR) since recipients hadn’t consented to receiving the mail. The ICO acknowledged that Royal Mail has an obligation to publicise price changes, but said there were more appropriate ways to do this, such as putting an update on its website. [The Register | BBC News, City A.M. and The Times]

Electronic Records

US – 25% of Patients Did Not Access Data Over Patient Privacy Concerns

A recent study by the Office of the National Coordinator for Health Information Technology (ONC) found that 25% of individuals who were offered access to their online medical records declined out of privacy and security concerns. Increasing access and adoption of electronic health records is stated to be a cornerstone of the ONC’s efforts. In response, the ONC created a guide to help individuals get and use medical records. National Coordinator for Health Information Technology Don Rucker said, “It’s important that patients and their caregivers have access to their own health information so they can make decisions about their care and treatments,” adding, “This guide will help answer some of the questions that patients may have when asking for their health information.” [HealthITSecurity | PR here | NAP.edu]

EU Developments

EU – Proposal Gives Consumers More Power to Sue Companies

The European Union has unveiled a proposal to give consumers more power to sue companies if their rights have been violated. The proposal would call for any offending company to be penalized up to 4 percent of their annual turnover. Under the new rules, EU consumer law would be extended to cover “free” digital services where consumers provide personal data, including social media information, email accounts and cloud storage services. While business groups said the proposed bill could lead to a wave of lawsuits, Justice Commissioner Věra Jourová said profit-seeking class-action lawsuits would not be permitted under the pending legislation. [Reuters]

EU – EDPS Launches ‘Privacy by Design’ Mobile Health App Contest

The European Data Protection Supervisor is launching a contest for creators to design the best mobile health apps using “privacy by design” and “privacy by default” principles. Contestants are encouraged to create apps designed to be user friendly and give users more control over their information. The top two winners will receive prizes of 20,000 and 10,000 euros respectively and will be able to present their projects during the 40th International Conference of Data Protection and Privacy Commissioners in October. Submissions must be sent in by the end of June. [Telecompaper]

EU – WP29 Forming Social Media Working Group

Article 29 Working Party Chairwoman Andrea Jelinek said the agency is forming a Social Media Working Group in response to the Facebook-Cambridge Analytica revelations. “What we are seeing today is most likely only one instance of the much wider spread practice of harvesting personal data from social media for economic or political reasons,” Jelinek said. During his second day on Capitol Hill, Facebook CEO Mark Zuckerberg said regulation of his company is “inevitable,” but lawmakers and privacy professionals are skeptical of when it may happen. [Reuters]

EU – Group Calls for EU to Exempt Blockchain from GDPR

A blockchain group is calling for the European Union to exempt the technology from the GDPR. In a blog post, Coin Center Executive Director Jerry Brito writes the GDPR is “incompatible with the reality of open blockchain networks,” and if technology is regulated under the impending rules without any changes to either, the outcome could be troublesome. “The result of the law, then, may be that Europe is closing itself off from the future of the internet to its detriment.” [The Verge | Gizmodo]

UK – ICO Releases Data Protection Self-Assessment Toolkit

The U.K. ICO has released a data protection self-assessment toolkit. The resource has been created to help organizations, particularly small- and medium-sized businesses, make sure they are compliant with data protection laws, such as the EU GDPR. The toolkit includes checklists for controllers and processors, as well as for other areas of compliance, such as information security, direct marketing, records management, data sharing and subject access, and CCTV. Once a checklist has been completed, a report will be generated advising companies on practical steps they can take to improve their compliance efforts. [ICO.org]

US – GDPR: Study Shows 35% of Organisations Ready

The Centre for Information Policy Leadership conducted its second global survey to understand organisational preparedness for the GDPR. 239 organisations were surveyed across several industries; the first global survey was conducted in 2017. A think tank notes that mandatory DPOs will be appointed in 47% of companies surveyed, 35% have a procedure in place to identify and classify privacy risks to individuals, and only 38% will have to re-obtain individual consent; areas that still require further clarity include legitimate interests, breach notification, DPIAs, privacy by design, certifications, codes of conduct, and internal processing records. [Organisational Readiness for the EU GDPR 2nd Edition – CIPL]

FOI

CA – 80-Year Extension on Access-to-Info Request Appears to be a Record

A federal institution has given itself what may be the longest-ever time extension to respond to a citizen’s request under the Access to Information Act — at least 80 years, which will delay the delivery of documents to 2098 or beyond. 70-year-old Michael Dagg, the requester and longtime user of the act, asked Library and Archives Canada (LAC) for files from Project Anecdote, an RCMP investigation into money laundering and public corruption that was launched in May 1993. No charges were ever laid in the massive probe, which concluded in 2003. The voluminous Mountie files were eventually turned over to the government archives. Library and Archives determined there are a minimum of 780,000 document pages to review, in addition to audio and video recordings. Dagg was advised that the review of the material would normally take at least 130 years, but many of the records will automatically become public after 80 years, without need for review under the Access to Information Act, helping to shorten the extension period. Dagg says he plans to contact Library and Archives to negotiate a smaller subset of the Project Anecdote documents. “I would narrow the scope so I can get something within a year or two, rather than beyond my lifetime,” he said in an interview. Timeliness of responses has been a growing issue under the act. In 2016-2017, for example, responses to 2,326 requests took more than a year, up from 1,526 the year previous — or 2.7% of all requests, up from 2.1%. And 19.3% of all responses to requests in 2016-2017 were in so-called “deemed refusal,” that is, they were late — delivered beyond legislated deadlines. That level of ‘deemed refusals’ has almost doubled in the last five years. And some 1,741 of these late requests were delivered more than a year after deadline. In 2016, former commissioner Suzanne Legault warned of a “culture of delay” within the federal government that has created “a slow and arcane system that seems bent on denying access.” [CBC]

Health / Medical

US – Report Finds Insider Data Breaches Most Common in Health Care Industry

According to Verizon’s 2018 Data Breach Investigations Report, 25% of all attacks over the year were perpetrated by insiders and were driven largely by financial gain, espionage and simple mistakes or misuse. It also reports that organised criminal groups continue to be behind around half of all breaches, while state-affiliated groups were involved in more than one in 10. Financial gain, unsurprisingly, continued to be the top motivation for cybercriminals. The health care industry ranks worst when it comes to preventing insider data breaches. As the only sector reported to have more internal actors behind data breaches than external, errors were the leading type of cyber incident across health care, followed by malware, hacking and privilege misuse. The report also found that for the malware detected in health care, ransomware accounted for 85%. Simple errors – such as failing to shred confidential information, sending emails to the wrong person or misconfiguring web services – were at the heart of nearly one in five breaches. More than 20 per cent of people still click on at least one phishing campaign during a year. [The Washington Post]

Horror Stories

US – Consumer Reports Publisher to Pay $16.4M to Settle Privacy Lawsuit

The publisher of Consumer Reports magazine will pay $16.375 million to settle a lawsuit alleging it violated Michigan privacy law. The publisher was accused of selling customers’ subscription and personal information to third parties without consent. The personal information included customers’ age, race, religion, income, medical conditions and political affiliations. “We have long advocated for the rights of consumers to have control over their private information,” a Consumer Reports spokeswoman said. “While we believe that our practices were in compliance with Michigan law, we chose to settle this case, without admitting liability, so that we can spend our time, effort and resources on protecting consumers.” [Reuters | Insurance Journal]

AU – Study Shows Willingness to Pay Malware Ransom Demands

According to findings from the Telstra Security Report, 47% of Australian businesses paid malware ransom demands when found to be the victim of a cyberattack. The report, which surveyed 1,252 people across 13 countries and 15 industries, found that a willingness to pay ransom demands was consistent across all respondents, with 60% of ransomware victims in New Zealand, 55% in Indonesia, and 41% in Europe stating they have paid a ransom demand. Furthermore, 87% of Asian businesses and 82% of European respondents stated they recovered stolen data once the ransom was paid. [ZDNet]

Identity Issues

AU – Anonymization: Australian DPA Finds Publication of Dataset Flawed

The Office of the Australian Information Commissioner issued the results of its investigation into the publication of a dataset by the Department of Health. A dataset had the potential to identify service providers and some individuals because a public agency’s process for de-identification of PI and assessment of the risk of re-identification was flawed; it unlawfully disclosed PI for a purpose other than that of collection, and failed to take adequate steps to remove PI from the dataset relative to the sensitivity of the information (medical/pharm benefits information), and the context of its release (online to the public). [OIC Australia – Publication of MBS/PBS Data]

Location

US – Can GPS Tracking Stop Customers from Stealing Rental Cars? In California, A New Debate Over Privacy Begins

The use of GPS to track stolen vehicles is at the center of a debate between car rental companies and privacy advocates in California. Most rental cars are equipped with navigation and GPS technology. But unlike automakers that can begin tracking their customer’s movements as soon as they drive off the lot, California law bars rental companies from tracking their customer’s location until the vehicle has been missing at least five days past its return date. Some car rental companies want to decrease the number of days significantly, making it possible to track the movements of customers who failed to return vehicles on time. Meanwhile, privacy advocates worry that allowing companies to track customers — even if only after they’ve failed to return a rental vehicle — could open the door to privacy abuses, such as collecting and selling valuable consumer data. The ease of stealing rental vehicles may explain why there were more than 92,000 rental car thefts across the United States between 2015 and 2018, with nearly 18,000 of those thefts occurring in California, according to the National Insurance Crime Bureau. California remains a leading state for car theft alongside Nevada and Washington State, according to the NICB. But privacy advocates such as state Sen. Hannah-Beth Jackson (D-Santa Barbara) say the rental industry hasn’t provided data proving that enough thieves are posing as customers to warrant a change in existing laws, such as allowing companies to track the location of overdue rental vehicles. [Wash Post | zdnet.com]

Other Jurisdictions

RU – Russia Seeks to Ban Telegram Messaging App

Russia’s Roskomnadzor, the Federal Service for Supervision of Communications, Information Technologies and Mass Media, has filed a lawsuit asking a court in that country to block the Telegram messaging app. Telegram has refused to provide Russian authorities with encryption keys. [www.v3.co.uk: Russia set to ban Telegram app for refusing to hand over decryption keys on demand | www.zdnet.com: Russia moves to block Telegram after encryption key denial]

CN – China Ranking Citizens With A Creepy ‘Social Credit’ System

The Chinese state is setting up a vast ranking system that will monitor the behaviour of its enormous population, and rank them all based on their “social credit.” The “social credit system,” first announced in 2014, aims to reinforce the idea that “keeping trust is glorious and breaking trust is disgraceful,” according to a government document. The program is due to be fully operational by 2020, but is being piloted for millions of people already. The scheme is mandatory. At the moment the system is piecemeal — some are run by city councils, others are scored by private tech platforms which hold personal data. Like private credit scores, a person’s social score can move up and down depending on their behaviour. The exact methodology is a secret — but example infractions include bad driving, smoking in non-smoking zones, buying too many video games and posting fake news online. China has already started punishing people by restricting their travel. Nine million people with low scores have been blocked from buying tickets for domestic flights. Three million people are barred from getting business-class train tickets. The eventual system will punish bad passengers specifically. Potential misdeeds include trying to ride with no ticket, loitering in front of boarding gates, or smoking in no-smoking areas. According to Foreign Policy, credit systems monitor whether people pay bills on time, much like financial credit trackers — but also ascribe a moral dimension. Other mooted punishable offences include spending too long playing video games, wasting money on frivolous purchases and posting on social media. Spreading fake news, specifically about terrorist attacks or airport security, will also be punishable offences. 17 people who refused to carry out military service last year were barred from enrolling in higher education, applying for high school, or continuing their studies, Beijing News reported.
Citizens with low social credit would also be prohibited from enrolling their children at high-paying private schools. “Trust-breaking” individuals would also be banned from doing management jobs in state-owned firms and big banks. Some crimes, like fraud and embezzlement, would also have a big effect on social credit. People who refused military service were also banned from some holidays and hotels — showing that vacation plans are fair game too. The regime rewards people here as well as punishes them. People with good scores can speed up travel applications to places like Europe. Naming and shaming is another tactic available. A 2016 government notice encourages companies to consult the blacklist before hiring people or giving them contracts. However, people will be notified by the courts before they are added to the list, and are allowed to appeal against the decision within ten days of receiving the notification. It’s not clear when the list will start to be implemented. A prototype blacklist already exists, and has been used to punish people. There is also a list for good citizens — that will reportedly get you more matches on dating websites. They can also get discounts on energy bills, rent things without deposits, and get better interest rates at banks. Despite the creepiness of the system — Human Rights Watch called it “chilling,” while others call it “a futuristic vision of Big Brother out of control” — some citizens say it’s making them better people already. A 32-year-old entrepreneur, who only gave his name as Chen, told Foreign Policy: “I feel like in the past six months, people’s behaviour has gotten better and better. “For example, when we drive, now we always stop in front of crosswalks. If you don’t stop, you will lose your points. “At first, we just worried about losing points, but now we got used to it.” [Business Insider]

Privacy (US)

US – California Ballot Initiative Seeks to Establish Consumer Privacy Rights

Sens. Richard Blumenthal, D-Conn., and Ed Markey, D-Mass., have proposed the Customer Online Notification for Stopping Edge-provider Network Transgressions Act aimed at enhancing consumer privacy. The “privacy bill of rights” would require edge providers, such as Facebook and Google, to obtain consumers’ consent before selling sensitive information. “The avalanche of privacy violations by Facebook and other online companies has reached a critical threshold, and we need legislation that makes consent the law of the land,” Markey said in a statement. The bill would prevent edge providers from forcing customers to provide consent in order to use any services. [Ars Technica | Engadget | Broadcasting Cable | MediaPost | LA Times | LW.com]

US – Consumer Groups Say YouTube Is Collecting, Using Children’s Data Improperly

A coalition of more than 20 consumer advocacy groups is expected to file a complaint with federal officials claiming YouTube has been violating a children’s privacy law. The complaint contends that YouTube, a subsidiary of Google, has been collecting and profiting from the personal information of young children on its main site, although the company says the platform is meant only for users 13 and older. The coalition of consumer groups said YouTube failed to comply with the Children’s Online Privacy Protection Act, a federal law that requires companies to obtain consent from parents before collecting data on children younger than 13. The groups are asking for an investigation and penalties from the FTC, which enforces the law. [The New York Times and The Associated Press (via FT), USA Today, WIRED and The Guardian]

US – Uber Agrees to Expanded FTC Data Breach Settlement

Uber has agreed to expand its proposed settlement with the FTC related to its 2016 data breach. The FTC released a revised complaint against the ride-hailing company, alleging Uber knew hackers used a key to access 25 million names and email addresses, 22 million names and phone numbers, and 600,000 names and driver’s license numbers. Uber could face civil penalties as a result of the expanded settlement if it fails to notify the agency of any future data breaches. “The strengthened provisions of the expanded settlement are designed to ensure that Uber does not engage in similar misconduct in the future,” Acting FTC Chairman Maureen Ohlhausen said. The FTC also offered lessons companies can learn from Uber’s data breach. [FTC.gov]

US – D.C. Court: Accessing Public Information is Not a Computer Crime

A district court in Washington, D.C. has ruled that using automated tools to access publicly available information on the open web is not a computer crime—even when a website bans automated access in its terms of service. The court ruled that the notoriously vague and outdated Computer Fraud and Abuse Act (CFAA)—a 1986 statute meant to target malicious computer break-ins—does not make it a crime to access information in a manner that the website doesn’t like if you are otherwise entitled to access that same information. The case, Sandvig v. Sessions, involves a First Amendment challenge to the CFAA’s overbroad and imprecise language. The plaintiffs are a group of discrimination researchers, computer scientists, and journalists who want to use automated access tools to investigate companies’ online practices and conduct audit testing. The problem: the automated web browsing tools they want to use (commonly called “web scrapers”) are prohibited by the targeted websites’ terms of service, and the CFAA has been interpreted by some courts as making violations of terms of service a crime. This is the second time in a year a court has recognized that a broad interpretation of the CFAA will negatively impact open access to information on the web. Judge Edward Chen found that a “broad interpretation of the CFAA invoked by LinkedIn, if adopted, could profoundly impact open access to the Internet, a result that Congress could not have intended when it enacted the CFAA over three decades ago.” The web is the largest, ever-growing data source on the planet. It is a critical resource for journalists, academics, businesses, and ordinary individuals alike. Meaningful access sometimes requires the assistance of technology to automate and expedite an otherwise tedious process of accessing, collecting and analyzing public information. Using technology to expedite access to publicly available information shouldn’t be a crime—and we’re glad to see another court recognize that. [EFF]

US – Woman Awarded $6.45 Million in Revenge Porn Case

A federal district court in California last week entered a default judgment against a man and ordered him to pay $6.45 million in damages after he was accused of spreading an ex-girlfriend’s naked pictures and videos online. It’s believed to be the second-largest payout for a victim of revenge porn who was not a celebrity, according to the woman’s lawyers. The unnamed woman, who was listed as Jane Doe in legal filings, sued the man, David Elam II, in civil court. She alleged copyright infringement, online impersonation with intent to harm, stalking and the intentional infliction of emotional distress. The case, which was filed in 2014, also underscores how complicated it can be to seek justice. There’s no federal law against revenge porn — just a patchwork of state laws. Doe was awarded $450,000 in damages because of copyright infringement. She also received $3 million in compensatory damages for emotional distress, and $3 million in punitive damages. [CNNMoney]

US – State AGs Opposed to Federal Bill

The New York Attorney General and 29 other State Attorneys General submitted their concerns to Congress regarding HR 4508, the PROSPER Act, specifically potential student-loan related abuses. The Bill would prohibit states from overseeing or addressing certain state law violations by student loan collectors or servicers, and there are no federal protections for borrowers of student loans; such servicers have come under increased scrutiny from government agencies for practices that include collections on debt not owed, failures to inform borrowers about repayment options, and difficulties in contacting servicers through call centers. [New York Attorney General et al. – Letter to Congress Regarding PROSPER Act]

US – Copyright Office Considering DMCA Exemption for Voting Machines

As part of its triennial exemption process for the Digital Millennium Copyright Act (DMCA), the US Copyright Office is considering expanding the scope of exceptions to DMCA to include voting machines, which would allow researchers to probe the devices for vulnerabilities without fear of legal repercussion. At a hearing earlier this week, researchers and vendor representatives voiced their opinions about the possible change. [Cyberscoop: Security researchers and industry reps clash over voting machine security testing]

US – American Lawyers Urged to Use ‘Burner Phones’ When Travelling Abroad

Lawyers in the US are being advised to use “burner phones” when they travel abroad to protect information from government inspection on re-entering the country. The advice, given by the New York Bar Association, comes against the backdrop of the Trump administration tightening border security. Anyone entering the US can be asked to turn over their computers and phones to Customs and Border Protection for inspection. They will also be expected to disclose passwords to enable officials to examine their correspondence. Foreigners who refuse to comply can be denied entry into the country while US citizens face having their equipment confiscated temporarily to allow further inspection. The American Bar Association, which has 400,000 members, has been trying to persuade the Department of Homeland Security to devise a policy which will protect lawyer-client privilege. But no agreement has been reached, leading the New York Bar Association to suggest drastic measures. It has urged lawyers to use “burner phones” – cheap throwaway devices often seen in modern crime shows. The Association has also advised lawyers to install software to wipe sensitive information and to disconnect from cloud services. As things stand, the courts have yet to reach a conclusive decision on the legality of inspecting phones and computers. Currently 0.017 per cent of people entering the US are subjected to an electronic device search. [The Telegraph]

US – Data Breach Notification Laws Now Enacted in All 50 States

South Dakota and Alabama are the last of the 50 states to have enacted breach notification laws, along with Washington, D.C., Guam, Puerto Rico and the Virgin Islands. South Dakota became the 49th state to enact a data breach notification law when Governor Dennis Daugaard signed Senate Bill 62 into law on March 21. It goes into effect on July 1, 2018. On March 28, 2018, Alabama Governor Kay Ivey signed into law Alabama Senate Bill 318, effective May 1, 2018. Below are the parameters of these new data breach notification laws. As reported in a blog by Daniel Walbright, 32 state attorneys general have released a letter to Congress preemption of state data breach and security laws with a draft bill, “Data Acquisition and Technology Accountability and Security Act.” [DBR on Data]

US – FTC Launching Small Business Cybersecurity Education Campaign

The FTC announced a national education campaign to assist small businesses in strengthening their cybersecurity efforts. The campaign will include training modules and videos on subjects small business owners have identified as trouble spots, including ransomware, phishing attacks and email authentication. “Small businesses understand the importance of cybersecurity and the need to protect their networks and data, but many feel overwhelmed about how to address the myriad of cyber threats they face,” said the FTC. “Our new campaign aims to help these small businesses with targeted, plain-language advice on everything from protecting against phishing scams to tips on what to look for when choosing a cybersecurity vendor.” [FTC.gov]

US – FTC Report Makes Security Recommendations to the Mobile Device Industry

A new report by the FTC takes aim at how data security tech for mobile devices can be both improved and better utilized. The report, published in February 2018 and titled Mobile Security Updates: Understanding the Issues [PR here], presents findings based upon information requested by the FTC in 2016 of eight mobile device manufacturers. The report recommends that both the devices themselves and their corresponding support services do a better job of deploying security updates more quickly and more frequently. It recommends that manufacturers provide a minimum period during which security updates are to be provided, and make that period known to the consumer prior to purchase. It also recommended that manufacturers consider providing security updates that are separate and distinct from other updates that are often bundled together in one package. The report is intended to bolster consumer protection; however, it is also relevant for small businesses and their use of mobile devices in the workplace, such as bring-your-own-device (BYOD). While a BYOD policy helps a small business save on device and carrier costs, it also increases the likelihood of security threats to the business. [Working Place Privacy]

US – EPIC Releases US Privacy Law Updated Guide

The Electronic Privacy Information Center has released a guide on the major developments in U.S. privacy law ahead of the 63rd meeting of the International Working Group on Data Protection in Telecommunications in Budapest. The guide covers topics such as the passing of the CLOUD Act, the Facebook-Cambridge Analytica revelations, the investigation into potential interference with the 2016 U.S. presidential election, and the nominations of four new commissioners to the Federal Trade Commission, as well as U.S. Supreme Court affairs, including the U.S. v. Microsoft and the Carpenter v. U.S. cases. [EPIC.org]

Privacy Enhancing Technologies (PETs)

WW – Apple’s ‘Private by Design’ Health Care App Aims to Capture Market

With tech companies moving in to capture the health care market, Apple’s “private-by-design” strategy aims to ensure the security and privacy needs of organizations. A recent survey found that 47% of health care IT professionals expect to see mobile devices increase in use over the next two years, highlighting that health care providers are more willing to adopt mobile technology. Apple’s recently introduced Health Records app for iPhone users puts patients in control of data portability. Mike Restuccia, CIO at Penn Medicine, said, “I think the good thing about the Apple solution is that the data only resides on the end-user’s device,” adding, “So, we don’t have access to that. Apple doesn’t have access to the data. The beauty of the solution is it is patient managed, patient controlled and patient centered.” [Computerworld]

Security

AU – Human Error (Not Hackers) Behind Most Data Breaches in Australia

The Office of the Australian Information Commissioner released the first quarterly report since the country’s mandatory data breach notification scheme came into effect and noted an increase in the number of data breaches reported. The OAIC received notification of 63 data breaches in the first six weeks, compared to the 114 instances for the entire 2016–17 period when reporting was voluntary. The majority of breaches stemmed from human error, but an estimated 44% was the result of malicious or criminal behavior. The OAIC also stated that 78% of breaches included “contact information,” 24% contained “identity information,” and 73% of all eligible breaches “involved the personal information of under 100 individuals.” [iTnews | The Mandarin]

CA – Ontario Energy Board Establishes Cyber Security Framework

The Ontario Energy Board (OEB) established a Cyber Security Framework that is to be used by transmitters and distributors as the common basis for assessing and reporting their level of risk and security capability, as a means to move towards a more mature level of control and security. [Ontario Cyber Security Framework – Version 1.0 – Ontario Energy Board]

Surveillance

US – DHS to Compile Database of Journalists and ‘Media Influencers’

The Department of Homeland Security wants to track the comings and goings of journalists, bloggers and other “media influencers” through a database. The DHS’s “Media Monitoring” plan would give the contracting company “24/7 access to a password protected, media influencer database, including journalists, editors, correspondents, social media influencers, bloggers etc.” in order to “identify any and all media coverage related to the Department of Homeland Security or a particular event.” The database would be designed to monitor the public activities of media members and influencers by “location, beat and influencers,” the document says. The chosen contractor should be able to “present contact details and any other information that could be relevant including publications this influencer writes for, and an overview of the previous coverage published by the influencer.” Also, the contractor would have access to a password protected, mobile app that provides an “overview of search results in terms of online articles and social media conversations,” in several different languages such as Arabic, Chinese and Russian. The request comes amid concerns regarding accuracy in media and the potential for U.S. elections and policy to be influenced via “fake news.” The plan calls for the ability to track 290,000 news sources including online, print, broadcast and social media. Also, it would have the ability to track media coverage in over 100 languages, along with the “ability to create unlimited data tracking, statistical breakdown, and graphical analyses on ad-hoc basis.” DHS spokesman Tyler Q. Houlton tweeted that the practice of monitoring the press is considered “standard.” [Chicago Sun Times]

+++

03-10 April 2018

Big Data / Data Analytics 

CA – Big Data: Deceptive Use Is Harmful to Consumers

The Canada Competition Bureau released a study on Big Data, including its use in deceptive marketing practices. The Competition Bureau says Big Data collection is not always apparent to consumers because it may not be incidental to the main purpose of an app or service, and data is often collected from various sources surreptitiously by lead generators and sold; Big Data is also used to make false or misleading representations, target advertising to vulnerable consumers, and produce fake reviews (astroturfing). [Competition Bureau – Big Data and Innovation: Implications for Competition Policy in Canada]

Canada

CA – Canada Flagged Facebook’s Third-Party App Privacy Problem in 2009

Canadian federal privacy officials warned that third-party developers’ access to Facebook users’ personal information “raises serious privacy risks” back in 2009, documents show. The report also pointed out that app developers could access information about the Facebook friends of people using apps. In a 2009 speech, then-assistant privacy commissioner Elizabeth Denham said that her office’s top Facebook concern was “the sharing of users’ personal information with third-party developers creating Facebook applications such as games and quizzes.” “We were alarmed by a lack of adequate safeguards to effectively restrict those developers from accessing users’ personal information – as well as information about their online ‘friends,’” she said. In 2010, the commissioner’s office said it was satisfied with Facebook’s solution to the third-party app problem, which involved clearer user consent when apps were installed. “The privacy commissioner at the time kind of gave the green light to Facebook, and from our perspective that was really problematic, especially the access to third-party content through the API,” said David Fewer of the Canadian Internet Policy and Public Interest Clinic, whose complaints against Facebook led to the original investigation. “They reached a resolution which did away with our complaint, and basically gave the green light to Facebook to keep on doing what they do.” [Global News]

CA – OPC Joins U.K. and B.C. Counterparts in Probe of Brexit Tampering

Canada’s federal privacy commissioner is joining privacy watchdogs in B.C. and the U.K. in an investigation to determine whether Canadian privacy laws were violated by the Victoria-based political data firm, AggregateIQ, that was hired by the Leave side during the U.K.’s referendum on whether to remain in the European Union [see OPC announcement here]. Since the Leave side won, the company has been accused of being part of a scheme to sidestep U.K. campaign spending rules to sway the vote. Facebook is also being investigated in a separate joint probe by the B.C. and federal Canadian privacy watchdogs. Both probes will look at whether Facebook or AggregateIQ violated PIPEDA or B.C.’s PIPA. [CBC News at: CTV News, Reuters and TheTyee See also: UK probing AggregateIQ as part of inquiry into privacy law breach | Facebook claims its very busy man in Ottawa is not a lobbyist | Canada’s privacy commissioner isn’t surprised about the Facebook privacy scandal | Privacy watchdog suggests he may join ongoing AggregateIQ investigations]

CA – NL OIPC Scolds Town of Paradise for the 6th Time in 5 Months

For the sixth time in five months Donovan Molloy, Newfoundland’s privacy commissioner, has made recommendations to the Town of Paradise — this time, it’s to shut off its security cameras [see PR here & Report here]. While he said he can’t comment on specifics of the case yet, Molloy said the Access to Information and Protection of Privacy Act prevents public bodies from putting up cameras without reason. When questioned by Molloy, the town said it installed 87 cameras after incidents of vandalism, false fire alarms, bomb threats and property damage. On two occasions, the footage was used to investigate criminal activity on town property. But when Molloy asked for more detailed information on those incidents, the report says there was no response. [CBC News and at: The Telegram and VOCM]

CA – Opinion: Privacy Laws Should Apply to Political Parties

The Harper Conservatives were innovators in the field of data-driven campaigning. In defeating Harper, the Trudeau Liberals drew on similar micro-targeting techniques. More and more, political parties thrive on big data, the more granular the better. Our privacy protections, however, have failed to keep pace. The current legal framework does almost nothing to ensure that political parties obtain and use citizens’ personal information responsibly. Canadian political parties are exempt from privacy laws. This is “not a good thing,” according to Daniel Therrien, Canada’s privacy commissioner. As he told the Canadian Press last week, “The absence of regulation facilitates the manipulation of information to influence elections in a way which I think is completely contrary to the public interest.” To the extent that micro-targeting happens without voters’ knowing about it or agreeing to it, the practice is manipulative in a way that distorts democracy. Data-hungry political parties are the last entities that should be exempt from privacy laws. If they want to know about us, they should be forced to ask. [Toronto Star and at: Montreal Gazette, The Globe and Mail, CBC News, Hill Times and The Toronto Star]

CA – Ontario Bill Prohibits Inquiries into Employee Compensation History

Ontario’s Bill 3, the Pay Transparency Act, 2018, related to disclosure of compensation for applicants and employees, was introduced and carried at first reading. Exemptions include an applicant’s voluntary and unprompted disclosure of their compensation history, compensation ranges or aggregate compensation for comparable positions, or publicly available compensation history, and employers must submit and post pay transparency reports; a government compliance officer may enter a workplace without a warrant to assess the employer’s compliance with the law. If passed it goes into effect January 1, 2019. [Bill 3 – Pay Transparency Act, 2018 – 41st Legislature, Ontario | Press Release | Status]

Consumer

WW – Number of Facebook Users Affected by Scandal Grows

Facebook now says that the number of users whose information was improperly used by political consulting company Cambridge Analytica could be as high as 87 million, up from an earlier estimate of 50 million. Facebook says it has adopted new measures to restrict third-party access to user data. Subsequently, Facebook decided to end the drip drip drip of increasing size of the compromise and now just says that its search tools were so easily misused that *most* of the 2 billion Facebook users should consider their personal information to have been harvested without their knowledge or permission. The FTC moved against Facebook in 2011 for privacy abuse and Facebook entered into a settlement that they appear to have violated, since they agreed to obtain “consumers’ express consent before their information is shared beyond the privacy settings they have established.” [nytimes: Facebook Says Cambridge Analytica Harvested Data of Up to 87 Million Users | thehill: Facebook says up to 87 million people affected by Cambridge Analytica scandal]

WW – Facebook: Majority of Two Billion Users May Have Had Data Scraped

Facebook has disabled a feature it believes may have allowed malicious actors to scrape the data of most of its two billion users, while also raising the number of affected individuals from the Cambridge Analytica revelations. The social media company deactivated the feature letting users enter phone numbers and email addresses into its search tool, which it said could be used to gather information on the majority of its users. The tech company now says 87 million users were affected by the Cambridge Analytica revelations, up from the 50 million initially reported. Meanwhile, Mark Zuckerberg will testify in front of both the U.S. Senate Judiciary and Commerce Committees April 10 on the Cambridge Analytica situation. Facebook also announced a plan to restrict data access on its platform, while Zuckerberg said the company will offer EU General Data Protection Regulation privacy controls worldwide, disputing previous reports. [Bloomberg]

E-Mail

CA – SK OIPC Advises MLA Against Using Personal Email for Government Business

Saskatchewan Information and Privacy Commissioner Ron Kruzeniski offered advice to Minister of Crowns and SGI Joe Hargrave about his use of his personal email account. A Saskatoon man filed a complaint after sending an email to Hargrave’s government email address, only to receive a response from the minister’s personal account. The man was concerned about the security protections for both of the email accounts. While Kruzeniski determined he had no jurisdiction to investigate the matter as it was not a “government institution,” the commissioner advised Hargrave to observe best practices and not use his personal email for government-related activities. [CBC News]

CA – NL OIPC Advises Caution When Sending PHI Via Email

New guidance from the OIPC Newfoundland and Labrador examined the use of email for communicating personal health information. According to the 3-page guidance, custodians should confirm that patients wish to be contacted via email, inform them of possible risks and verify their email address; prior to sending the email, consider whether it is necessary to send the PHI via email, send the PHI in a separate encrypted attachment (with encryption keys sent by a different method), limit the PHI to what is necessary, and maintain a copy for the patient’s file. [OIPC Newfoundland and Labrador – Use of Email for Communicating Personal Health Information]

FOI

CA – CJF Poll Finds 74% Support Right to Access News Over R2BF

A new poll commissioned by The Canadian Journalism Foundation (CJF) finds the right to access news outweighs personal reputation considerations when it comes to online news stories. The poll, conducted by Maru/Matchbox earlier this month among more than 1,500 people, found that 74% believe broadly that Canadians’ right to access news overrides the right to remove accurate and lawful stories that have a negative impact on a person’s reputation. “As the Office of the Privacy Commissioner contemplates a ‘right to be forgotten,’ it will need to strike a balance between those rights protecting freedom of expression and the right to manage reputation online,” says CJF executive director Natalie Turvey. “These polling results suggest Canadians may prioritize their Charter rights and that we care deeply about our right to access news and information.” The poll results come ahead of a topical half-day symposium in Toronto exploring the right to be forgotten, ‘Striking the Balance: Privacy and Freedom of Expression in a Digital Age‘ featuring Daniel Therrien, privacy commissioner of Canada; Michael Geist, law professor at the University of Ottawa; Peter Fleischer, global privacy counsel for Google; and other top privacy experts. [Newswire and at: TCP via CityNews]

Genetics

US – California Supreme Court Lets Stand Controversial Law Allowing DNA Collection Upon Arrest

The fight for more protective rules in the California government’s DNA collection suffered a major setback when the California Supreme Court. On a 4-3 vote [see 95 pg PDF ruling here], the state’s highest court refused to throw out that part of the [2004 voter initiative, Proposition 69 see here], which has led to the storing of DNA profiles of tens of thousands of people arrested but never charged or convicted. A majority of states collects DNA from arrestees, and the U.S. Supreme Court has approved the practice. Privacy advocates, though, argued that California’s law was more invasive than rules in other places. Of the 200,000 to 300,000 people arrested in California annually on suspicion of a felony, about a third are either acquitted or never formally charged. California, unlike most other states, takes DNA from people before they are even arraigned and has no automatic process for expunging DNA profiles when charges are dropped or people acquitted [Source and at: DeepLinks Blog (EFF), Courthouse News Service, The Recorder (Law.com) and JURIST]

Health / Medical

US – ONC Releases Guide on Sharing Patient Data

The Office of the National Coordinator for Health Information Technology released a guide to help educate patients on accessing and sharing their medical data. The resource informs patients on the benefits of accessing their data and offers advice on the best ways to view the data within their electronic health records. “It’s important that patients and their caregivers have access to their own health information so they can make decisions about their care and treatments,” National Coordinator for Health Information Technology Don Rucker said. [HealthITAnalytics]

US – Health Care Professionals Remain Concerned About Data Security

A recent survey showed that while health care professionals are overwhelmingly concerned about health care data security, 68% believe their own organizations are taking appropriate measures to ensure cybersecurity. The survey conducted by Venafi took place at last month’s HIMSS18 conference and queried 122 health care professionals on sector response to cyber threats. Despite their shared concern, only 29% of respondents believe cybersecurity can be enhanced through more regulation. BakerHostetler’s fourth annual Data Security Incident Response report found that of the 560 security incidents handled by the firm’s privacy and data protection team, more than one-third involved the health care industry, marking an increase from previous years. [HealthITSecurity]

WW – Facebook Sent Doctor on a Secret Mission to Ask Hospitals to Share Patient Data

Facebook was in talks with top hospitals and other medical groups as recently as last month about a proposal to share data about the social networks of their most vulnerable patients. The idea was to build profiles of people that included their medical conditions, information that health systems have, as well as social and economic factors gleaned from Facebook. The proposal never went past the planning phases and has been put on pause after the Cambridge Analytica data leak scandal raised public concerns over how Facebook and others collect and use detailed information about Facebook users. Facebook’s pitch, according to two people who heard it and one who is familiar with the project, was to combine what a health system knows about its patients (such as: person has heart disease, is age 50, takes 2 medications and made 3 trips to the hospital this year) with what Facebook knows (such as: user is age 50, married with 3 kids, English isn’t a primary language, actively engages with the community by sending a lot of messages). The issue of patient consent did not come up in the early discussions, one of the people said. Critics have attacked Facebook in the past for doing research on users without their permission. Notably, in 2014, Facebook manipulated hundreds of thousands of people’s news feeds to study whether certain types of content made people happier or sadder. Facebook later apologized for the study. Health policy experts say that this health initiative would be problematic if Facebook did not think through the privacy implications. [CNBC and at: Inquisitr, GIZMODO, Ars Technica, The Verge, Fast Company, The Hill and Becker’s Hospital Review]

Horror Stories

AU – Apple Watch Health Data Is Being Used as Evidence in Murder Trial

Myrna Nilsson, 57, was murdered in Adelaide in September of 2017. Nilsson’s daughter-in-law, Caroline Nilsson, 26, told law enforcement that a group of men had invaded her home and attacked her following a road rage incident. Prosecutor Carmen Matteo presented evidence in court that Caroline Nilsson fabricated her story and should be held on charges of murder without bail. A forensic analyst studied the data on the victim’s Apple Watch and determined that the attack and her death occurred within a seven-minute window. A flurry of activity was recorded, followed by calm when the victim was presumably unconscious, then her heart rate stopped. “The prosecution accumulates those timings and the information about energy levels, movement, heart rate, to lead to a conclusion that the deceased must have been attacked at around 6.38pm and had certainly died by 6.45pm,” Matteo told the court. The judge agreed with the prosecution and denied bail. Mrs. Nilsson will return to court on June 13th. [Gizmodo and at: News.com.au, The Daily Mail and New York Post]

EU – Norwegian Consumer Council Files Privacy Complaint Against Grindr Following Revelation of HIV Status Data Sharing

The Norwegian Consumer Council has filed a privacy complaint against popular gay dating app Grindr, after it was revealed the app had been sharing the HIV statuses of its users with third parties. Shortly after Grindr announced a new feature for the app which would remind users to get tested for HIV every few months, a report revealed that Grindr shares its user data, including HIV status and location, with at least two third-party companies. In a document published on Tuesday, the Norwegian Consumer Council claimed they were filing the complaint against Grindr “for breaching data protection law.” Citing a section of Grindr’s privacy policy that informs users they are responsible for “all associated risks” surrounding their data, the Council called the policy “unfortunate.” The Council also expressed that in their view, the current policy “is in breach of Norwegian and European data protection law.” [Breitbart and: TechCrunch, Forbrukerrådet and PinkNews and at: Grindr defends HIV-related data sharing | Grindr Sets Off Privacy Firestorm After Sharing Users’ H.I.V.-Status Data | Dating app Grindr vows to stop sharing data after HIV scandal | The Guardian view on Grindr and data protection: don’t trade our privacy]

WW – Grindr Changes Policy of Sharing Users’ HIV Status with Outside Vendors

In response to an outcry, Grindr will stop sharing users’ HIV statuses with third parties after a report disclosed that the company passed the information on to outside vendors hired by Grindr to test the performance of its app. Grindr’s vendors, Apptimize and Localytics, are fed user data that includes HIV statuses, GPS data, phone numbers and e-mail addresses that, when combined, could expose someone’s private health information. In a statement, Grindr said it would never sell personally identifiable information to third parties, including advertisers. Apptimize and Localytics — services that help Grindr test features on its platform — are under contract to safeguard user privacy and security, the company said. [LA Times and at: BuzzFeed News, Bloomberg, TechCrunch and The Verge]

WW – Panera Website Data Leak

The Panera Bread restaurant website was leaking customer data for at least eight months until it was taken offline on Monday, April 2. The compromised data include names, email and physical addresses, birth dates, and the last four numbers of payment cards. The leak affected customers who had signed up for an account to order food online. The data were accessible in part because “Panera Bread uses sequential integers for account IDs.” [krebsonsecurity: Panerabread.com Leaks Millions of Customer Records]

CA – Upscale Department Store Payment System Breached

Payment systems at some brick-and-mortar Saks Fifth Avenue and Lord & Taylor department stores have been breached. As many as five million payment card numbers allegedly stolen from the stores’ systems are being offered for sale online. The breach does not appear to affect online transactions. Both stores are owned by The Hudson’s Bay Company, which says that steps have been taken to contain the breach. [reuters: Saks, Lord & Taylor hit by payment card data breach | scmagazine: Saks, Lord & Taylor breached, 5 million payment cards likely compromised | theregister: Hacks Fifth Avenue: Crooks slurp bank cards from luxury chain Saks | nytimes: Card Data Stolen From 5 Million Saks and Lord & Taylor Customers]

WW – Under Armour Breach Affects 150 Million MyFitnessPal Accounts

Under Armour disclosed that its MyFitnessPal app and website had been breached, exposing personal account information of as many as 150 million accounts. The incident occurred in February 2018. The breach did not affect payment account data, as Under Armour processes that information separately. [investor.underarmour: Under Armour Notifies MyFitnessPal Users Of Data Security Issue | scmagazine: Under Armour deftly manages breach, dodges GDPR scrutiny | zdnet: Under Armour says 150 million MyFitnessPal accounts hit by data breach | threatpost: Under Armour Reports Massive Breach of 150 Million MyFitnessPal Accounts]

Intellectual Property

EU – Group Calls for EU to Exempt Blockchain from GDPR

A blockchain group is calling for the European Union to exempt the technology from the General Data Protection Regulation. In a blog post, Coin Center Executive Director Jerry Brito writes the GDPR is “incompatible with the reality of open blockchain networks,” and if technology is regulated under the impending rules without any changes to either, the outcome could be troublesome. “The result of the law, then, may be that Europe is closing itself off from the future of the internet to its detriment,” Brito writes. [The Verge]

CA – DriveHer App Suspends Service Following Data Breach

The founder of the DriveHer app has suspended the service following a data breach. The app was created as a way to increase the safety and security of women drivers and riders. IT Consultant Darryl Burke discovered vulnerabilities within the app leading to the breach, such as finding the data provided by users was not encrypted. “The data accessed may have included personal information such as name, gender, telephone number, profile image,” DriveHer Founder Aisha Addo wrote in an email informing users of the breach. “DriveHer values your privacy and deeply regrets that this incident occurred.” [Toronto Star]

Internet of Things

US – Connecting the Dots Between Security Practices and Legal Obligations: California’s Connected Devices Bill

Internet-connected devices can present serious privacy and security issues. California has had an information privacy connected devices bill [for SB-327 status see here] in the works since Feb. 13, 2017. In March 2017, we identified the bill and privacy concerns the state and regulators may be considering when it comes to connected devices. Less than a year later, in January 2018, the bill moved from the state’s Senate to being considered in the state’s Assembly. It has been read once and is currently being “held at desk” in the Assembly, waiting to be referred to a committee. After being introduced, the bill was transformed substantially, with several of its proposed requirements for connected devices stripped entirely; at one point it had both privacy- and security-related requirements, but it now largely calls for security obligations. The bill applies to manufacturers that “sell or offer to sell a connected device to a consumer” in California. It obligates manufacturers to “equip the device with reasonable security features appropriate to the nature of the device and the information it may collect, contain, or transmit, that protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.” The bill would not obligate manufacturers to seek out the highest level of security measures on the market, but rather creates a floor of at least the most “basic security standards,” according to the latest Senate Floor Analyses. It seems that the purpose of the bill is not so much to force companies to heighten their levels of security, but rather to ensure that IoT devices have some sort of security in place, such as basic encryption, as soon as they hit the market.
Despite certain privacy obligations being stricken from the bill, companies should still consider the benefits of employing privacy by design, following the Fair Information Practice Principles, and consider the FTC’s general guidance on IoT devices and comments on draft guidance regarding communicating upgradability, security patches, and transparency. Also consider the evolving efforts to develop international standards, such as guidance published by the IoT Security Foundation from the U.K., security best practices published by the Institute of Electrical and Electronics Engineers, a global nonprofit, and the National Institute of Standards and Technology’s current draft of its Interagency Report on international cybersecurity IoT standardization. With the GDPR becoming effective on May 25, 2018, companies with ties to Europe should also look to what European Data Protection Supervisors have discussed regarding IoT devices in each European member state. [Data Privacy Monitor]

Law Enforcement

UK – Police Can Download All Smartphone’s Data Without A Warrant

A new report by Privacy International shows that since 2012, police forces across the UK have been downloading data from the smartphones of suspects, victims and witnesses, often without obtaining permission. What’s more, they may be storing this data indefinitely, even when no charges are brought. The report is based on Freedom of Information requests to 47 police forces. 26 forces (55%) confirmed that they are using mobile phone extraction technology. This follows on from a 2017 Big Brother Watch report which found that 93% of police forces in the UK are extracting data from digital devices. Data is being collected not only for serious crimes, but also for low-level offences, and several police forces have indicated that they want extraction of mobile data to become the ‘default’. Police forces across the UK are extracting data from tens of thousands of mobile phones each year. There is no clear national guidance on when forces can use this technology, how data should be stored and for how long it can be kept. [Rights Info and at: The Telegraph, DIGIT and The Times]

Online Privacy

WW – Google Moves to Protect Chrome Web Store Users from Cryptomining

Google’s Chrome Web Store is no longer accepting extensions that mine cryptocurrency, even if it is the express purpose of the extension. In June, Google plans to delist all current cryptomining extensions. Google’s policy prior to this change was to allow cryptomining extensions as long as cryptomining was the extension’s sole function and users were sufficiently informed about the activity. [blog.chromium.org: Protecting users from extension cryptojacking | zdnet: Google to crack down on cryptojacking on Chrome]

Security

CA – Phishing and Ransomware Biggest Concerns: Survey

CIRA issued its 2018 Internet security survey of Canadians who own at least one .CA domain registered to a business or institution. Participants included 1,985 business professionals who play a significant role in their organization’s IT and security-related decisions; the domain name users were companies (58%), non-profit organizations (34%) and government (8%). The survey shows that 22% of large Canadian organizations have been victims of DDoS attacks in the last year that negatively impacted business performance, and 32% had users within the organization unwittingly divulge information to hackers; IT security services are obtained through peers (70%), IT security events (50%), current vendors (43%), analyst research (43%) and webinars (40%). [2018 CIRA Canadian Internet Security Survey]

Surveillance

US – DHS Acknowledges Rogue IMSI Catchers in Washington, DC Area

In a March 26 letter responding to a November 2017 letter from US Senator Ron Wyden (D-Oregon), the US Department of Homeland Security (DHS) acknowledged that it had detected unauthorized cell-site simulators in the Washington, DC area. Also known as international mobile subscriber identity (IMSI) catchers, the technology has been used by law enforcement agencies for years. DHS has not attributed the IMSI catchers’ use to “specific entities.” [apnews: APNewsBreak: US suspects cellphone spying devices in DC | wyden.senate.gov: Wyden’s November 2017 letter to DHS (PDF) | scmagazine: DHS acknowledges unauthorized foreign Stingray use in Washington D.C. | theregister: Hold the phone: Mystery fake cell towers spotted slurping comms around Washington DC | zdnet: Evidence of stingrays found in Washington, DC, Homeland Security says | arstechnica: Feds: There are hostile stingrays in DC, but we don’t know how to find them | cyberscoop: DHS says unauthorized Stingrays could be in D.C. area]

 

+++

 

27 March – 03 April 2017

Big Data / Analytics / Artificial Intelligence

IS – Israel Launching Big Data Health Project

Israel Prime Minister Benjamin Netanyahu said the country will invest nearly $287 million for a big data project designed to make citizens’ health information available to researchers and privacy companies. Netanyahu said the project will help with personalizing medicine for each citizen and for preventive treatments. The information will come from the four health maintenance organizations within Israel that hold almost all the health data belonging to the nine million citizens of the country. Netanyahu’s office released a statement saying it will address data concerns by ensuring the information will be protected by the proper privacy and security measures while making sure access to the information is restricted. [Reuters]

Canada

CA – BC Political Parties and Online Privacy Protection: No Smoking Gun, But Plenty of Smoke

As questions swirl around the globe over Facebook, and how people’s digital profiles are analyzed for ever more precise targeting, B.C.’s Office of the Information and Privacy Commissioner is studying to what extent the phenomenon exists in our backyard. According to the IPC, “The unique thing about our position in B.C. is we’re the only jurisdiction in Canada that has the ability to investigate political parties.” That’s because B.C. political parties fall under the jurisdiction of B.C.’s Personal Information and Privacy Act. People in charge of digital communications for major B.C. parties will tell you that a data breach on the scale of Cambridge Analytica hasn’t happened here for a couple of reasons: first, British Columbia doesn’t have a large enough population to make the sort of bulk data scraping effective; and, second, there are metrics that political parties can use to create targeted Facebook ads in America that aren’t available in Canada. But that still leaves plenty of room for targeting on a smaller scale, say privacy advocates. [CBC News and at: The Times Colonist and CTV News]

CA – Privilege: Tribunal Orders Client Financial Information Redacted

The Law Society Tribunal considered an application by the Law Society of Upper Canada to make certain financial information non-public. Solicitor-client privilege belongs to the client (not the lawyer) and is not lost by a client who complains to the Law Society that her lawyer committed misconduct; the communications are between the lawyer and his client and have neither been made public nor been disclosed by the client in her civil lawsuit against the lawyer. [Law Society of Upper Canada v. Ian Neil McLean – 2018 ONLSTH 25 – Law Society Tribunal Hearing Division]

CA – OIPC BC: PIPA Does Not Provide Same Level of Protection

The OIPC BC compared PIPA’s obligations against the GDPR. PIPA does not incorporate mandatory breach notification or ensure the same level of individual rights (e.g., right to be forgotten and data portability), and permits implicit consent and opt-out (pre-checked boxes) as valid consent; with the exception of these differences, BC organizations can largely ensure compliance with the GDPR by complying with PIPA. [OIPC BC – Competitive Advantage – Compliance with PIPA and the GDPR]

Consumer

EU – European Commission Outlines Blockchain Development Plans, Calls for a Feasibility Study and Unveils Fintech Action Plan.

The EU Commission continues to show its support and investment in new technologies in the digital economy. On February 1, 2018, the Commission and the European Parliament launched the EU Blockchain Observatory and Forum, and earlier this month, the Commission also unveiled its FinTech Action Plan. The observatory is designed to be a comprehensive repository of blockchain expertise and a source of innovation and development. The action plan will help EU businesses and investors utilize advances offered by blockchain, artificial intelligence and cloud services, as part of the push towards the digital single market. The observatory and the FinTech Action Plan represent a collaborative and thoughtful approach that is appropriate for addressing quickly proliferating and developing technologies in a highly regulated international financial industry. [Source]

CA – Nearly 75% Of Canadian Facebook Users Plan to Change Behaviour in Wake of Controversy

Nearly three-quarters of Facebook users in Canada say they will make some changes to how they use the social-media network after [it was] revealed a U.K.-based consulting firm surreptitiously obtained personal information of 50 million users, according to [a new] Angus Reid poll [see here]. The survey asked 1,500 Canadians what – if any – effect allegations that Cambridge Analytica gathered data from unsuspecting Facebook users will have on their personal use of the social-media platform. Sixty-four per cent of respondents said they will change their privacy settings or use Facebook less in the future, while 10 per cent said they would suspend their account or delete it altogether. The remaining respondents said they would continue to use Facebook as they always have. [The Globe & Mail and at: Global News and CBC News Also See: Worried about online privacy? Here’s how to delete data-mining apps off your Facebook | Victoria mayor deletes Facebook because it ‘rewards anger and outrage’ | Here is how to delete Facebook | What the coverage of #DeleteFacebook is missing]

E-Government

CA – Conservatives, NDP Say They’ve Never Accessed Facebook Profiles to Microtarget Voters, Liberals Point to Privacy Policy

The Hill Times sent each of the major federal parties and the Liberal Research Bureau a series of questions about their methods of collecting data from and about Canadians, including data from Facebook. The Liberal Research Bureau did not respond, and the Liberal Party responded after the deadline for the print edition. Spokespeople for the federal Conservatives and NDP said neither they nor any organizations working on their behalf had ever asked Canadians for access to their Facebook accounts, directly or indirectly, in order to gather information. They said they had never accessed Facebook accounts to collect information on Canadians’ Facebook “friends,” and had never collected information on Canadians that was not provided with consent or already publicly available, or employed an outside firm to do so. A Liberal Party spokesperson did not definitely answer “yes” or “no” when asked the same questions twice, but did imply that the Liberals had not done so either. Susan Delacourt’s 2016 book Shopping for Votes [see here] revealed how the Liberals used Facebook to help them win the last election, with a tool called The Console using information from Facebook to rank ridings on how winnable they were for the party, and how likely individuals were, on a scale of one to 10, to vote Liberal. The Conservatives were the first federal party to develop a database technology, dubbed the Constituent Information Management System (CIMS), in 2004. The Liberals were next to follow in 2008, adopting a voter identification and relationship management system dubbed The Liberalist, which is similar to the Voter Activation Network used by the U.S. Democratic Party. The NDP once used a database system dubbed NDP Vote. Federally, there’s nothing to govern how parties collect, use, or distribute information.
The Privacy Act only covers government institutions, and the Personal Information Protection and Electronic Documents Act (PIPEDA) only refers to organizations collecting information for commercial purposes. Federal parties have developed their own internal privacy policies, but on top of not being legally binding, they’re not always easy to find online. [Hill Times]

Encryption

US – DOJ Still Seeking Phone Encryption Backdoor

Federal law enforcement officials in the US are renewing their efforts to require technology companies to build tools into devices that would allow access to encrypted information. The FBI and the US Department of Justice (DOJ) are meeting with researchers to find a way to allow “extraordinary access” to encrypted devices for law enforcement. [www.nytimes.com: Justice Dept. Revives Push to Mandate a Way to Unlock Phones]

EU Developments

EU – European Council Warns Digital Platforms After Facebook-Cambridge Analytica

The European Council issued a warning to digital platforms in the wake of the Facebook-Cambridge Analytica revelations. In a statement, the group of national leaders said, “Social networks and digital platforms need to guarantee transparent practices and full protection of citizens’ privacy and personal data.” European Council President Donald Tusk said the group “discussed recent developments concerning Facebook and Cambridge Analytica. It was clear to all the leaders that citizens’ privacy and personal data must be protected.” Meanwhile, U.K. Culture Secretary Matt Hancock characterized the revelations as a “turning point” for privacy online. Politico profiles U.K. Information Commissioner Elizabeth Denham, who is leading an investigation into Cambridge Analytica. Mozilla has said it will no longer advertise on Facebook, and in the U.S., the House Energy and Commerce Committee has called on Facebook CEO Mark Zuckerberg to testify at an upcoming hearing. “After committee staff received a briefing from Facebook officials,” said Rep. Frank Pallone Jr., D-N.J., “we felt that many questions were left unanswered.” [Euractiv]

UK – ICO Seeks Comments on Data Protection Impact Assessment Guidance

The ICO has for many years championed the benefits of voluntary Privacy Impact Assessments. The new General Data Protection Regulation (GDPR) formalises this situation by making the use of Data Protection Impact Assessments (DPIAs) a legal requirement in certain circumstances. Controllers will be required to complete a DPIA where their processing is ‘likely to result in a high risk to the rights and freedoms of natural persons’. Our draft DPIA guidance builds on our previous PIA code, with further detail on specific GDPR requirements. This includes a DPIA template, although controllers who anticipate doing lots of DPIAs may wish to consider developing their own. We are seeking comment [from 22 March until 13 April 2018] on the draft guidance published last week, particularly on whether or not it is clear when a DPIA will be necessary. [ICO News blog]

Facts & Stats

US – BakerHostetler Releases 2018 Data Security Incident Response Report

BakerHostetler has released its 2018 Data Security Incident Response Report. The report examines 560 incidents from 2017, including the most common types of attacks, with phishing leading the way at 34%, followed by network intrusion at 19%. Key findings from the study include the uncertainty surrounding the EU General Data Protection Regulation, the need for an increase in multifactor authentication, and the rise in the roles of regulators. “Our goal in publishing this report is to offer practical steps you can take to reduce your risk profile, build resilience, and be better prepared to respond when an incident occurs,” writes BakerHostetler. [BakerHostetler and at: Law360]

Genetics

CA – Ontario Police Need Not Remove DNA Profiles: Court

An Ontario Court reviewed 54 applications under the Human Rights Code alleging discrimination by the Ontario Provincial Police. Although the Police had no ongoing need to retain/use the DNA profiles after the applicants were cleared of the crime for which their samples were taken, the likelihood of use of the DNA profile is highly remote since the samples were listed in a database using a code to which only the investigator had access and there is a legal prohibition to use it except where the DNA donor has been convicted of an offence. [Hosein et al v Ontario – 2018 HRTO 298 – Community Safety and Correctional Services]

Horror Stories

WW – Panera Website Data Leak

The Panera Bread restaurant website was leaking customer data for at least eight months until it was taken offline on Monday, April 2. The compromised data include names, email and physical addresses, birth dates, and the last four numbers of payment cards. The leak affected customers who had signed up for an account to order food online. The data were accessible in part because “Panera Bread uses sequential integers for account IDs.” [krebsonsecurity.com: Panerabread.com Leaks Millions of Customer Records]

CA – Upscale Department Store Payment System Breached

Payment systems at some brick-and-mortar Saks Fifth Avenue and Lord & Taylor department stores have been breached. As many as five million payment card numbers allegedly stolen from the stores’ systems are being offered for sale online. The breach does not appear to affect online transactions. Both stores are owned by The Hudson’s Bay Company, which says that steps have been taken to contain the breach. [www.reuters.com: Saks, Lord & Taylor hit by payment card data breach | www.scmagazine.com: Saks, Lord & Taylor breached, 5 million payment cards likely compromised | www.theregister.co.uk: Hacks Fifth Avenue: Crooks slurp bank cards from luxury chain Saks | www.nytimes.com: Card Data Stolen From 5 Million Saks and Lord & Taylor Customers]

US – Under Armour Breach Affects 150 Million MyFitnessPal Accounts

Under Armour disclosed that its MyFitnessPal app and website had been breached, exposing personal account information of as many as 150 million accounts. The incident occurred in February 2018. The breach did not affect payment account data, as Under Armour processes that information separately. [investor.underarmour.com: Under Armour Notifies MyFitnessPal Users Of Data Security Issue | www.scmagazine.com: Under Armour deftly manages breach, dodges GDPR scrutiny | www.zdnet.com: Under Armour says 150 million MyFitnessPal accounts hit by data breach | threatpost.com: Under Armour Reports Massive Breach of 150 Million MyFitnessPal Accounts]

WW – Orbitz Breach Affects 880,000 Payment Cards

Expedia subsidiary Orbitz has acknowledged that a data breach has compromised personal information associated with as many as 880,000 payment card accounts. The breach affected the company’s consumer platform between January and June 2016, and its partner platform between January 2016 and December 2017. [threatpost.com: Orbitz Warns 880,000 Payment Cards Suspected Stolen | www.scmagazine.com: Orbitz hit with data breach, info on 880,000 payment cards at risk | www.reuters.com: Expedia’s Orbitz says 880,000 payment cards hit in breach]

Identity Issues

IN – A New Data Leak Hits Aadhaar, India’s National ID Database

India’s national ID database, called Aadhaar, which includes biometrics on more than 1.1 billion registered Indian citizens, has been hit by yet another major security lapse. A data leak on a system run by a state-owned utility company Indane allowed anyone to download private information on all Aadhaar holders, exposing their names, their unique 12-digit identity numbers, and information about services they are connected to, such as their bank details and other private information. Karan Saini, a New Delhi-based security researcher who found the vulnerable endpoint, said that anyone with an Aadhaar number is affected. India’s Unique Identification Authority (UIDAI), the government department that administers the Aadhaar database, issued a strong denial. “There is no truth in this story as there has been absolutely no breach of UIDAI’s Aadhaar database. Aadhaar remains safe and secure,” says a portion of the statement, posted to Twitter, which you can read here. The government is currently defending the identity scheme in front of the country’s Supreme Court. Critics have called the database unconstitutional. Enrolling in the database isn’t mandatory [yet], but Indian citizens who aren’t subscribed are unable to access even basic government services. [ZDNet and at: Firstpost, National Herald, Financial Express, Reuters, The National and Times of India Also See: Narendra Modi app shares private data of users with American firm without consent, says cyber expert | ‘Absolutely No Breach Of Aadhaar Database’: Read UIDAI’s Full Statement On Report Of Data Leak | In Aadhaar vs Privacy Debate, Union Minister KJ Alphons’ Argument: ‘Getting Naked Before White Man Not A Problem’ | MoS KJ Alphons slams Aadhaar critics: What’s so private about iris? See also: India – Amid privacy fears, a list of the many apps launched by the Modi government]

Internet of Things

WW – Berlin Group Issues Recommendations for Updating IoT Firmware

The International Working Group on Data Protection in Telecommunications provides recommendations on firmware embedded in Internet of Things devices. The working paper focuses on risks associated with the failure to update the firmware controlling the behaviour of an IoT device. The following devices are excluded from the scope of this paper: desktop PCs, tablets, smartphones, smart TVs, and entertainment systems in connected vehicles. Device manufacturers should inform individuals about procedures to make security updates, consider privacy-friendly default settings, and ensure third-party suppliers support firmware included in components they supply; organizations should document an auditable process for installing firmware updates, and consider testing above and beyond that which was done by the manufacturer. [Working Paper – Updating Firmware of Embedded Systems in the Internet of Things – International Working Group on Data Protection in Telecommunications]

Law Enforcement

US – FBI Did Not Reach Conclusion Before Asking Apple for Help in Encryption Case

A report from U.S. Department of Justice Inspector General Michael Horowitz finds the Federal Bureau of Investigation had not fully come to a conclusion whether it could have opened the phone belonging to the San Bernardino shooter before an attempt to force Apple to do so, The Washington Post reports. Poor communication between FBI units was cited as the reason for the disconnect, while the report corroborated former FBI Director James Comey’s testimony stating the agency could not break into the iPhone in February and March 2016. “The issues identified in this report continue to stress the need for the FBI and other law enforcement to invest internally on processes and procedures,” Access Now U.S. Policy Manager Amie Stepanovich said. [Full Story]

Online Privacy

US – Fordham CLIP releases ‘Privacy in Gaming’ research

Fordham Law School’s Center on Law and Information Policy has released its “Privacy in Gaming” research. The study looks at privacy issues and data collection practices surrounding mobile and console gaming, as well as with virtual reality devices. The research points out the many different ways gaming technology collects data from users, such as through cameras, sensors and other hardware. Its conclusions include the enhancement of transparency regarding data collection practices and the need for special attention to be paid when handling information belonging to children. [Fordham Law School]

CA – Kids Learn to Defend their Data with New Privacy Game

A new game is coming to Canadian classrooms and homes, designed not just to entertain children but also to teach them how to protect their privacy. Data Defenders, produced by the not-for-profit digital literacy organization MediaSmarts, shows kids how ad brokers try to collect their personal information and offers strategies to keep that information private. The online game is accompanied by parent and teacher guides and a lesson plan for grades 4 to 6 that further reinforces privacy learning. All materials, including the game, can be accessed free of charge on the MediaSmarts website at http://mediasmarts.ca/digital-media-literacy/educational-games/data-defenders-grades-4-6. Data Defenders was made possible by financial contributions from the Office of the Privacy Commissioner of Canada. [GlobeNewswire and at: Digital Journal]

WW – Apple Really Wants You to Know It Values Students’ Privacy

At its Chicago event on Tuesday, the company makes a point of emphasizing data privacy in regard to its new educational app Schoolwork. Apple introduced a new way for teachers to hand out assignments and monitor student progress through an app called Schoolwork at its education event in Chicago last week. The Schoolwork app stores student data in the cloud, but the company really wants you to know that keeping this data safe from prying eyes is its No. 1 priority. Privacy is at the forefront of the tech world’s agenda at the moment, following a week of revelations about Facebook user data being harvested without people’s full understanding and therefore consent. Data belonging to children is an even more sensitive topic for many, and a number of toy companies have come under fire in the past for collecting children’s data without permission, or even just not taking security seriously enough. Apple promises it won’t make the same mistakes. “While teachers see each student’s progress information,” said Prescott, “we don’t, and neither can anybody else.” [CNet]

WW – Facebook Launching Privacy Setting System

In response to the Cambridge Analytica revelations, Facebook announced it will launch a centralized system designed to let users control their privacy and security settings. The system will be available to users all around the world and gives users the opportunity to control the information Facebook holds on them, as well as a file to download to see what data Facebook has already collected. Meanwhile, the Cambridge Analytica whistleblower, Christopher Wylie, said the number of people affected by the Facebook revelations is more than the 50 million currently being reported, while New Zealand Privacy Commissioner John Edwards voiced his criticism of the social media site’s handling of personal information. Pew Research Center released a study documenting U.S. citizens’ views toward social media and their privacy. [The New York Times]

WW – Facebook Introduces Central Page for Privacy and Security Settings

The system, which will be introduced to Facebook users globally over the coming weeks [see FB post here], will allow people to change their privacy and security settings from one place rather than having to go to roughly 20 separate sections across the social media platform. From the new page, users can control the personal information the social network keeps on them, such as their political preferences or interests, and download and review a file of data Facebook has collected about them. Facebook also will clarify what types of apps people are currently using and what permissions those apps have to gather their information. Facebook began developing the centralized system last year but sped it up after revelations that a British political consulting firm, Cambridge Analytica, improperly harvested the information of 50 million users of the social network. [NY Times and at: The Guardian, The Verge, Ars Technica and Financial Times See also: Here’s a Long List of Data Broker Sites and How to Opt-Out of Them and Google: Balancing rights and the right to be forgotten]

WW – Security Flaws Found Within Grindr Dating App

A cybersecurity professional discovered a pair of security issues with the Grindr dating app. Atlas Lane CEO Trever Faden set up a website where users could find out who blocked them on Grindr by entering their usernames and passwords, after which Faden could see user data, including email addresses, deleted photos and location data, even if the user opted out of sharing their location. Faden also discovered portions of user data are not protected, allowing anyone observing web traffic to see where a person is located when they open the app. Grindr said in a statement it has worked to patch the vulnerabilities. [NBC News]

Privacy (US)

US – FTC Confirms Investigation into Facebook Privacy Practices; Senate Committee Calls on Zuckerberg to Testify

The U.S. FTC announced that it had opened a non-public investigation into Facebook following media reports that it said raise “substantial concerns about the privacy practices” of the company. Also on Monday, the chairman for the Senate Judiciary Committee announced [see here] it had summoned Zuckerberg to testify before Congress on data privacy. The chairman, Chuck Grassley (R-Iowa), said Google CEO Sundar Pichai and Twitter CEO Jack Dorsey were also called to testify at the hearing, which is scheduled for April 10. Additionally on Monday, a bipartisan group of 37 state attorneys general sent a letter [see PR here & 4 pg PDF letter here] to Facebook inquiring about the company’s role in Cambridge Analytica’s activities and how this would affect the protection of data in the future. [The Knife Media and at: Facebook Draws Scrutiny From FTC, Congressional Committees and at: The New York Times, Bloomberg & PBS NewsHour also see: Mark Zuckerberg has decided to testify before Congress | Zuckerberg will reportedly face the music before Congress instead of sending his deputies | Watch out, Zuckerberg — Congress is a trap | State Attorneys General Asked Facebook These 7 Questions About Cambridge Analytica | Dozens of US states are demanding answers from Facebook over the Cambridge Analytica scandal | State attorneys general send letter to Zuckerberg over data scandal | Facebook’s privacy practices are under investigation, FTC confirms | The Verge, BBC News, ZDNet and Forbes | Facebook scraped call, text message data for years from Android phones and at Global News, BetaNews, Android Central, CNET and Reuters]

US – State Attorneys General Advocate Continuing State Leadership in Privacy Enforcement, Denounce Federal Preemption of State Breach and Security Laws

A coalition of 32 attorneys general wrote a bipartisan letter [see 6 pg PDF here] on March 19, 2018, to the U.S. House of Representatives Committee on Financial Services and the Subcommittee on Financial Institutions and Consumer Credit regarding the proposed Data Acquisition and Technology Accountability and Security Act [see 34 pg PDF here], a draft bill introduced in the House last month. They are concerned that the bill, among other things, places consumer reporting agencies and financial institutions out of the reach of state enforcement. The AGs argue that the states have consistently proven themselves capable of rapidly and effectively responding to and protecting consumers at the state level through their own laws. The letter points out three key shortcomings of the Act beyond the preemption of state laws: (1) it allows entities themselves to judge whether to notify consumers of a breach, which reduces the transparency afforded by state notification requirements; (2) it allows entities that decide to notify consumers to notify after the harm has already occurred, preventing the opportunity consumers currently have under state law to take proactive steps upon timely notification; and (3) it addresses breaches that affect 5,000 or more consumers, leaving attorneys general without the ability to redress the majority of breaches affecting consumers today that do not occur on a national scale. [Source and at: The Clarion-Ledger and at Divonne Smoyer, Kimberly Chow & Kelley Chittenden – and see also Workplace Privacy Report: South Dakota: The 49th State to Enact a Data Breach Notification Law and: Data Privacy Monitor (BakerHostetler) and Oregon Strengthens Consumer Protections in Wake of Data Breaches]

US – FPF, Nymity Release Legitimate Interest Report

The Future of Privacy Forum and Nymity collaborated to release a report on legitimate interest. The two organizations gathered cases from national data protection authorities and guidance from the Article 29 Working Party to detail how legitimate interest can be used as a lawful method for processing data under European Union data protection law. The 40 cases detailed the data-processing activities from more than 15 countries, including disclosing health data for litigation purposes, recording employee misconduct and research purposes, using GPS data for private investigations, and sending emails without consent for political purposes. [Full Story]

US – NY AG Penalizes Health Plan for Disclosure of Social Security Numbers

New York Attorney General Eric T. Schneiderman announced [March 6] a $575,000 settlement with EmblemHealth [see here] and its subsidiary, Group Health Incorporated, (together, “EmblemHealth”) after EmblemHealth admitted a mailing error that resulted in the disclosure of 81,122 social security numbers. EmblemHealth is one of the largest health plans in the United States. The settlement agreement also obligates EmblemHealth to implement a Corrective Action Plan and conduct a comprehensive risk assessment of security risks associated with the mailing of policy documents to policyholders. EmblemHealth must also review and revise its policies and procedures based on the results of said risk assessment. EmblemHealth is also tasked with cataloguing, reviewing, and monitoring its mailings. [DBR on Data and at: Becker’s ASC Review and HealthITSecurity]

Security

EU – IAPP and OneTrust map ISO 27001 to the GDPR

According to the International Standards Organization, in 2016 more than 33,000 organizations globally held certification to the ISO 27001 standard, which relates to information security management systems and security controls. That same year, the European Union’s General Data Protection Regulation was finalized, launching a two-year scramble for compliance by May 25, 2018, for companies of all sizes around the world. Noting the significant common ground between the GDPR and ISO 27001 requirements, the IAPP and OneTrust have endeavored to map these two risk-focused documents to each other, demonstrating the overlap in both principles and requirements as part of a significant new piece of research being released for the first time here at the Summit. [Read More]

UK – UK Issues 4-Phase Defensive Approach on Phishing

The UK National Cyber Security Centre has issued guidance on phishing. An effective multi-layer approach includes making it difficult for attackers to reach users (anti-spoofing controls), helping users identify and report suspected phishing emails (employee training), protecting the organization from the effects of undetected phishing emails (2-factor authentication), and responding quickly to incidents (incident response plan). A company was able to reduce 1,500 phishing emails to only 1 instance of malware installation. [National Cyber Security Centre, United Kingdom – Phishing Attacks: Defending Your Organisation | Infograph | Case Study]

Surveillance

WW – Tooth-Mounted Sensor Can Track Food Intake

Tufts University scientists have created a device designed to attach to a person’s tooth in order to monitor what they eat and drink. The device is similar to a Fitbit and can track glucose, salt and alcohol intake, with the scientists hoping to examine other “nutrients, chemicals and physiological states.” “If you are somebody with an eating disorder, it could be a checkpoint that monitors your diet a little more closely, or it could be an early detection for disease,” Tufts Professor of Biomedical Engineering Fiorenzo Omenetto said. “It’s a nice way to monitor these things because you have unusual access to these fluids.” [New York Post]

Telecom / TV

WW – Facebook Scraped Call, Text Message Data for Years from Android Phones

This past week, a New Zealand man was looking through the data Facebook had collected from him in an archive he had pulled down from the social networking site. While scanning the information Facebook had stored about his contacts, Dylan McKay discovered something distressing [see here]: Facebook also had about two years’ worth of phone call metadata from his Android phone, including names, phone numbers, and the length of each call made or received. [see Facebook response here] If you granted permission to read contacts during Facebook’s installation on Android a few versions ago—specifically before Android 4.1 (Jelly Bean)—that permission also granted Facebook access to call and message logs by default. The permission structure was changed in the Android API in version 16. But Android applications could bypass this change if they were written to earlier versions of the API, so Facebook API could continue to gain access to call and SMS data by specifying an earlier Android SDK version. Google deprecated version 4.0 of the Android API in October 2017—the point at which the latest call metadata in Facebook users’ data was found. Apple iOS has never allowed silent access to call data. Facebook provides a way for users to purge collected contact data from their accounts, but it’s not clear if this deletes just contacts or if it also purges call and SMS metadata. [Ars Technica and at: Global News, BetaNews, Android Central, CNET and Reuters, Facebook logged phone records from Android users with older devices: reports]

US Government Programs

US – 14.7 Million Visitors to U.S. Could Face Social Media Screening

Nearly all applicants for a visa to enter the United States — an estimated 14.7 million people a year — will be asked to submit their social-media user names for the past five years, under proposed rules that the State Department issued last week. The proposal covers about 20 social media platforms. Most of them are based in the United States: Facebook, Flickr, Google+, Instagram, LinkedIn, Myspace, Pinterest, Reddit, Snapchat, Tumblr, Twitter, Vine and YouTube. But several are based overseas: the Chinese sites Douban, QQ, Sina Weibo, Tencent Weibo and Youku; the Russian social network VK; Twoo, which was created in Belgium; and Ask.fm, a question-and-answer platform based in Latvia. As news of the proposal emerged Friday, so did criticism. “This attempt to collect a massive amount of information on the social media activity of millions of visa applicants is yet another ineffective and deeply problematic Trump administration plan,” said Hina Shamsi, director of the ACLU’s National Security Project. “It will infringe on the rights of immigrants and U.S. citizens by chilling freedom of speech and association, particularly because people will now have to wonder if what they say online will be misconstrued or misunderstood by a government official.” [Toronto Star]

US Legislation

US – CLOUD Act Becomes Law, Increases Government Access to Online Info

The federal spending bill [read the 2232 pg document here] signed by US President Donald Trump on Friday does more than fund the budget. It also makes it easier for law enforcement agencies to demand access to online information no matter what country the data is stored in. Lawmakers added the CLOUD Act [32 pg PDF here], which stands for Clarifying Lawful Overseas Use of Data Act, to the spending bill before the final House and Senate votes Thursday. It updates the rules for criminal investigators who want to see emails, documents and other communications stored on the internet. Now law enforcement won’t be blocked from accessing someone’s Outlook account, for example, just because Microsoft happens to store the user’s email on servers in Ireland. The law also lets the US enter into agreements to send information from US servers to criminal investigators in other countries with limited case-by-case review of requests. Privacy advocates at groups like the ACLU [see here] and the Electronic Frontier Foundation [see here] criticized the change, saying it lets law enforcement bypass constitutional protections against unreasonable searches. It also could lead the US to send user data to police in countries known for abusing the human rights of their citizens, they argue. [CNET and at: Android Central, Bitsonline, Engadget, SC Magazine, Top Tech News, Just Security and TechTarget and also As the CLOUD Act sneaks into the omnibus, big tech butts heads with privacy advocates and at: Reuters, Forbes, Beebom, Slate Magazine and New Media and Technology Law Blog (Proskauer) and see also: Congress Could Sneak a Bill Threatening Global Privacy Into Law and at: Eurasia Review | Why the CLOUD Act is Good for Privacy and Human Rights and at EFF blog here & here and CLOUD Act passing likely means end to US v. Microsoft case]

Workplace Privacy

UK – ‘Vicarious Liability’ Breach Case May Have Big Consequences

The High Court of England and Wales, in December 2017, held a company “vicariously liable” for a deliberate data breach carried out by a disgruntled employee. In retaliation for a warning, an employee of supermarket chain owner Wm Morrison posted to the internet the personal data of approximately 100,000 of its employees. Marc Stauch, a research associate at Leibniz Universität Hannover, offers an analysis of Various Claimants v. Wm Morrisons, in which affected employees seek compensation from the company for distress due to the breach. In the case, the court cleared Morrisons of primary liability for the breach but determined that “just as an employer takes the benefits from the activities of his employees, so too should he take the risks of the employee wrongfully performing his duties and injuring others,” Stauch writes. [Full Story]

CA – Right-to-Disconnect Talk Picks Up as Popularity of Workplace Messaging Apps Rises

There’s growing chatter in North America about adopting right-to-disconnect laws to free workers from being tethered to their phones around the clock, but some labour experts say that while the digital demands of work in the 21st century need to be openly discussed, rigid regulations and fines may not be the solution. Last week, a New York councilman proposed making it illegal to force employees to access “work-related electronic communications” from home, with some exceptions including emergency situations. Companies would have to draft written policies spelling out the hours of work and time off, and employers would not be allowed to threaten penalties against anyone who refused to check their email or work-related social networks off-hours. Québec Solidaire’s Gabriel Nadeau-Dubois also tabled a private member’s bill in the Quebec national assembly last week that aims to “ensure that employee rest periods are respected by requiring employers to adopt an after-hours disconnection policy.” The proposal calls for fines of between $1,000 and $30,000 for companies that refuse to draft a proper policy, or reassess it annually to ensure it remains up to date and effective. The federal government has also signalled its interest in exploring the right-to-disconnect trend, which made headlines last year when France enacted its own legislation to help protect the free time of its workforce. As part of its public consultation earlier this year on how “labour standards should be updated to better reflect and respond to the new reality” of evolving workplaces, Employment and Social Development Canada released an online survey that included several questions about right-to-disconnect policies. One of the questions asked whether right-to-disconnect regulations should be one of the government’s “most important” labour issues. [CityNews]

 

+++

19-26 March 2018

Biometrics

WW – Businesses to Incorporate Biometric Authentication as Security Feature

There is a growing trend among businesses to incorporate biometric data into security settings, rather than relying solely on the use of passwords. Alex Simons, director of program management in Microsoft’s identity division, said, “Passwords are the weak link. They have terrible characteristics about them, and they’re hard for you to keep track of,” adding, “Passwords are also super expensive for companies.” Spiceworks, a professional network for the IT industry, reports that by 2020, the use of biometric authentication will grow to encompass 90% of businesses, up from the current 62%. Laws restricting the collection and use of biometric data are beginning to emerge, with Illinois and Texas both passing state laws, and the EU General Data Protection Regulation set to introduce consent requirements this May. [CNN Money]

US – Biometrics: Lawsuit Against Social Network to Proceed

A California court considered a consolidated class action alleging Facebook’s practices violate Illinois’ Biometric Information Privacy Act. The court ruled that the plaintiffs adequately pleaded a concrete injury because Illinois’ biometric legislation provides them with a right to privacy in their biometric information, which requires their notice and consent. [Nimesh Patel et al. v. Facebook, Inc. – 2018 U.S. Dist. LEXIS 30727 – United States District Court For The Northern District Of California]

Big Data / Data Analytics / Artificial Intelligence

UK – Uber Releases Anonymized Data to Aid City Planning

In the aftermath of Transport for London’s finding that Uber is not “fit and proper” to operate as a taxi service, the company has announced several changes to its business model, including a move that will provide anonymized data of its operations. While Uber is appealing the finding, it has also introduced a 24/7 telephone support line and begun proactively reporting serious incidents to the police. Fred Jones, Uber’s head of U.K. cities, said the company is also responding to feedback that access to aggregated ride data would be helpful for city planning, adding “…we want to be a better partner to city planners and regulators, so we hope this data will help give them valuable insights for the future.” [Reuters]

Canada

CA – Therrien to Take Part in RTBF Symposium

Privacy Commissioner of Canada Daniel Therrien will take part in a half-day symposium in Toronto April 4 examining the “right to be forgotten” making its way into the country. Privacy professionals, journalists and tech leaders will discuss the ways the right to be forgotten will affect Canada and whether the country should embrace the rule. Speakers for the symposium include Canada Post Compliance and Chief Privacy Officer Amanda Maltby, Google Global Privacy Counsel Peter Fleischer, McInnes Cooper Partner David Fraser, and University of Ottawa Law Professor Michael Geist. [Full Story]

CA – B.C. Landlords’ Systemic Invasion of Renters’ Privacy Has to Stop

With near-zero vacancy rates in Vancouver and other cities around B.C., landlords are routinely asking for and getting more personal information than they have a legal right to. Some applicants have been asked whether they might get pregnant within the next year. Others are required to complete behavioural questionnaires, submit to credit checks, or provide three months’ worth of bank statements, according to a report by Drew McArthur, B.C.’s privacy commissioner, released last week. One of the 13 landlords investigated even asked applicants if he could inspect their current homes to determine whether he would rent to them. Another demanded to see an applicant’s child’s report card. Once they’ve collected all this information, few landlords have any policy or plan about what to do with it. But all of this is illegal. Even social media and internet searches are illegal. The interpretation of the Personal Information Privacy Act’s section on “publicly available” sources of information seems quaint to the point of foolishness. Regardless, McArthur says it has to stop. But his 39-page report with its 13 recommendations — including to not do those internet searches — is more educational and explanatory than punitive or threatening. [Vancouver Sun and at: BCLocalNews, The Globe and Mail, CBC News and The Canadian Press (via The Province) see also: Digital tool for landlords measures potential tenants’ kindness, cleanliness and Probe launched into B.C. landlords’ demands for sensitive information Read PR here (August 2017)]

CA – OPC Decries ‘Gap’ in Law for Political Parties Handling Personal Info

The fact that political parties are excluded from federal laws on handling personal information — such as social media data – amounts to “an important gap” that could jeopardize the integrity of the electoral process, Canada’s privacy czar says. There should be a law governing the use of personal data by parties to prevent manipulation of the information to influence an election, said privacy commissioner Daniel Therrien. “From a privacy perspective, personal information is unregulated with respect to political parties, so that’s clearly not a good thing.” Neither of the two federal privacy statutes — one for government institutions, the other for private-sector organizations — covers political parties. Therrien’s comments come as he begins investigating the alleged unauthorized use of some 50 million Facebook profiles – possibly including those of Canadians — by Cambridge Analytica, a firm accused of helping crunch data for Donald Trump’s presidential campaign. This week’s events have shown that weak privacy safeguards can have serious effects that go beyond the commercial realm, potentially distorting democracy, Therrien said. “It’s a wake up call, frankly, if not a crisis in confidence.” [CTV News and at: The Globe and Mail See also: Liberals awarded $100,000 contract to man at centre of Facebook data controversy | Canada’s privacy watchdog launches investigation into Facebook after allegations of data leak]

CA – BC Hydro Handing Customer Information to Police Without Warrants

BC Hydro gave police the electricity bills of 3,500 to 5,000 customers per year without a warrant up until 2014. But shifting priorities — and perhaps the promise of marijuana legalization by the new federal government in 2015 — have led to a plunge in police requests for power bills. Since 2014, police requests for BC Hydro bills — usually to identify a marijuana grow op — have fallen 90% to 300 to 500 per year, said BC Hydro. Grow ops and hydro theft were a larger concern in past years. In 2010, BC Hydro said it was losing $100 million a year to grow ops that bypassed meters to avoid detection. The Crown corporation now says its revenues from known grow ops — still illegal — are worth $50 million a year. BC Hydro still hands over customer information to police, including power use, without requiring a warrant. [The Tyee]

CA – Ontario Says Tribunals Should Not Be as Open as Courts

Ontario’s quasi-judicial tribunals are not courts and should not be subject to the same principles of openness when it comes to their records, the province argued in a court filing. Responding to a constitutional challenge from the Toronto Star that calls on Ontario’s various administrative tribunals — such as the Landlord and Tenant Board, and the Ontario Municipal Board, among others — to disclose hearing records as readily as courts do, the province’s lawyers said that while openness and transparency are “important features” of tribunals and the hearings themselves are typically open to the public, the right to access documents related to those hearings must be balanced against privacy concerns. The Star launched its legal challenge against the province last year in an effort to gain faster and fuller access to documents the paper argues are a matter of public interest. While reporters can attend and report on what happens at the tribunals’ public hearings, obtaining documents related to those hearings after they occur is inconsistent, onerous and often significantly delayed, the Star has argued. Unlike courts, some of Ontario’s tribunals require members of the public, including the media, to file formal freedom of information requests in order to access documents related to a case. The province argues that tribunals do not require the same public scrutiny as courts because they are created by government legislation and subject to government oversight. [The Star]

CA – Some Advice to the Minister on How to Improve the BC FOIPPA

B.C.’s minister for citizens’ services has invited members of the public to offer their views on our provincial freedom-of-information and privacy legislation [Freedom of Information and Protection of Privacy Act (FOIPPA) see text here & IPC overview here]. The legislation as it stands is frequently ambiguous, occasionally unintelligible, and an invitation to a game of hide and seek. It enables various public bodies to withhold information that by any reasonable standard should be made available. It has become common practice for public agencies such as health authorities or government ministries to withhold the names of employees dismissed for cause. The justification invariably given is the need to preserve “privacy.” But what right to privacy does an employee possess who has committed a breach of duty sufficient to get fired? There is a valid public interest in knowing this person’s identity, particularly on the part of future employers who are entitled to know who they might be hiring. Here is the nub of the problem. The commissioner has the authority to investigate spurious claims of privacy, but uses it only rarely. That creates an incentive, both for politicians and bureaucrats, to hide their dirty linen. My advice to the minister is simple. Ask the commissioner to spell out in plain language the rules that govern legitimate claims of privacy. Demand also a list of specific instances in which a claim of privacy would not be valid. (Previous commissioners, to be fair, have asked the legislature to clean up the existing muddle, and gone unheard.) And, if need be, rewrite the statutes to introduce greater clarity. [The (Victoria) Times Colonist]

CA – BC Privacy Law & Disclosing Private Info in A Civil Case

Disclosing a Litigant’s Private Information during Judicial Proceedings is not a Privacy Breach. It has long been settled that in civil actions, the public interest in getting at the truth will, absent special circumstances, trump the litigants’ right to privacy. In fact, the introduction of legal proceedings allows the parties, at the discovery stage, to probe into each other’s files and force the disclosure of otherwise confidential information, including private information, for the purpose of verifying the allegations of the parties. Relevant evidence thusly compelled is a permissible invasion of privacy based on the condition that it is solely used in the ongoing matter, for instance, as evidence at trial. But what about a litigant’s private information acquired by an opponent outside pre-trial discovery? Would the disclosure of this information by the opponent in support of their pleadings amount to an actionable breach of privacy against themselves or their counsel? Not under the Privacy Act of British Columbia, according to the BC Court of Appeal in Duncan v. Lessing, 2018 BCCA 9. The immediate implication of Duncan is to relieve counsels and litigants, at least in BC, from the fear that, in advocating their cause and mounting their case, they expose themselves to privacy breach claims from their opponent or third parties. Although not binding in the rest of the country, Duncan will most likely be taken into account in jurisdictions whose privacy legislation contains similar provisions. [CyberLex Blog (McCarthy Tétrault) See also: Truth, Privacy and the Public Interest in Securing Justice | BCCA – No privacy claim against lawyer | BCSC dismisses privacy claim against lawyer ]

CA – B.C. Court Re-examines Google Takedown Order in Light of U.S. Ruling

Last year’s Supreme Court of Canada Google v. Equustek case, which upheld a B.C. court’s global takedown order, continues to play out in the courts. The Supreme Court decision noted that it was open to Google to raise potential conflict of laws with the B.C. court in the hopes of varying the order: “If Google has evidence that complying with such an injunction would require it to violate the laws of another jurisdiction …” Google thus argued in U.S. courts that “the Canadian order is ‘unenforceable in the United States because it directly conflicts with the First Amendment, disregards the Communication Decency Act’s immunity for interactive service providers [see wiki here & EFF take here], and violates principles of international comity.’” A U.S. court agreed [see 6 pg PDF here], noting that CDA immunity protections would be lost as a result of the Canadian court order. In doing so, the court concluded that the order “threatens free speech on the global internet.” In early March the case shifted back to Canada with Google seeking to vacate or vary the takedown order in light of the U.S. ruling. The judge confirmed that the hearing should go ahead in light of the U.S. ruling and the Supreme Court’s invitation to seek a variance … The court notably agreed that the case now engages core values of freedom of expression and comity. [Geist and at: Barry Sookman Blog, Social Media Law Bulletin, Deeth Williams Wall Blog, Vancouver Sun and Motherboard]

Consumer

US – US Consumers Feel Companies Are Not Doing Enough to Protect Data

The free flow of data may be coming to an end due to security concerns, according to Deloitte’s Digital Media Trends Survey. It found 69% of consumers believe that companies aren’t doing everything they can to protect data. But 73% of consumers say they’d share data if they had visibility and control over it. Another wrinkle is that 93% of U.S. consumers believe they should be able to delete their online data when they want. The Deloitte survey data was collected from 2,088 consumers in November 2017. [ZDNet and at: Los Angeles Times, Variety and Recode]

E-Government

US – More States Adopting Auditable Paper Trails to Safeguard Election Reliability

US states are taking steps to make sure that their voting systems provide an auditable paper trail. Currently, there are five states that use only direct recording electronic voting machines (DREs), which do not include a paper trail. Other states have a mix of systems. While some states are moving quickly to make changes, others are incorporating the changes into the lifecycle of current equipment and may not have their auditable systems in place until 2020 or later. Two states, Colorado and Rhode Island, use entirely paper-based voting systems and both require post election risk-limiting audits. [www.cyberscoop.com: Spooked by election hacking, states are moving to paper ballots]

EU Developments

EU – European Data Protection Supervisor Presents 2017 Annual Report

On March 20, Giovanni Buttarelli, European Data Protection Supervisor (EDPS), presented his 2017 Annual Report to the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) [see here & wiki here]. In the EDPS Strategy 2015-2019, Buttarelli set out three goals and an action plan to help the EU lead by example in the global dialogue on data protection and privacy in the digital age. Buttarelli confirmed the plans for new cloud computing guidance in his newly published annual report for 2017. New guidelines on IT governance and management will also be issued by the supervisor in 2018, according to the report. Another “main objective” for 2018 is preparing for the European Data Protection Board (EDPB) [see here] to become operational. The EDPB will replace the existing Article 29 Working Party as a regulatory body under the EU’s General Data Protection Regulation (GDPR) when the GDPR begins to apply on 25 May. It also promised to provide “targeted input where appropriate” to the continuing development of the proposed new EU regulation on privacy and electronic communications (e-Privacy). [EDPS | Out-Law]

EU – EDPS Releases Cloud Computing Guidelines

The European Data Protection Supervisor has released guidelines on the best ways for European institutions and bodies to use cloud-computing services. The guidelines are designed to help assess and manage the data protection and privacy risks entities may face when personal data is processed by cloud-based services. The guidelines highlight the relevant provisions related to the EU General Data Protection Regulation and focus on several topics, including assessments on whether cloud computing is an appropriate option, determining the proper cloud-computing option by examining and considering data protection requirements, and relevant organizational and technical safeguards. [EDPS]

EU – Reaction to Children’s Data Processing Requirements in GDPR

The Centre for Information Policy Leadership has published recommendations for processing children’s personal data under the GDPR. The think tank notes that parental consent is not the only legal basis for processing by information society services (contractual necessity or legitimate interests can apply), organisations should not have to create standard and child-friendly notices (they should cater to a general audience), and advertising to a child is not automatically a high-risk processing activity (it is a common, expected activity that can be based on legitimate interest). [GDPR Implementation In Respect of Children’s Data and Consent – CIPL]

Finance

CA – Royal Bank Offers Info to Help Create Data-Sharing Portals

The Royal Bank is allowing external software developers to access banking data in order to create a portal allowing customers to share their information. The move is a step toward “open banking,” where startups and developers have the ability to create apps using bank data. Royal Bank is currently offering application programming interface portals based on several different types of information, including credit card rates and fees and minimum down payments for buying a home. The portals are only using public information, but with open banking, the goal would be to eventually have customers share their personal banking data. [Financial Post]

US – Americans Spent $1.4B on Credit Freeze Fees in Wake of Equifax Breach

Almost 20% of Americans froze their credit file with one or more of the big three credit bureaus in the wake of last year’s data breach at Equifax, costing consumers an estimated $1.4 billion, according to a new study. The findings come as lawmakers in Congress are debating legislation that would make credit freezes free in every state. The figures, commissioned by small business loan provider Fundera and conducted by Wakefield Research, surveyed some 1,000 adults in the U.S. Respondents were asked to self-report how much they spent on the freezes; 32% said the freezes cost them $10 or less, but 38% said the total cost was $30 or more. The average cost to consumers who froze their credit after the Equifax breach was $23. Curious about what a freeze involves, how to file one, and other options aside from the credit freeze? Check out this in-depth Q&A that KrebsOnSecurity published not long after the Equifax breach. [Krebs and at: International Business Times, FinancialBuzz and ConsumerAffairs]

Health / Medical

CA – Paper Documents in Hospitals Not Always Properly Destroyed: Study

Dr. Nancy Baxter, the chief of general surgery at St. Michael’s Hospital, Toronto, has just published a new research letter in JAMA [see “Disposal of Paper Records Containing Personal Information in Hospitals”] that finds that while all patients have the right to expect their personal health information will be kept safe in hospital, that doesn’t always happen. Baxter and a team of researchers rifled through the recycling bins at five Toronto hospitals to see what got left behind. Among that half tonne of paper bound for recycling [591.6 kilograms of papers from emergency departments, intensive care units, hospital clinics and physician offices] were 2,687 documents containing personal information that should have been shredded. Of those items, 802 were documents with low sensitivity, 843 with medium, and 1,042 with high sensitivity. Though sensitive documents were found in recycling bins of all areas of all five hospitals, most of the items — 1,449 of them — came from physicians’ offices. Ontario’s privacy commissioner Brian Beamish reviewed the study and says it is a good reminder that even though there is a move towards electronic medical records, there are still lots of paper medical records out there that need to be disposed of securely. [CTV News and at: The Canadian Press (via CBC)]

CA – BC Public Starved for Details When Health Professionals Misbehave

When it comes to the misbehaviour of healthcare professionals, it’s sometimes a maddening process for regular British Columbians to find thorough information about how serious and widespread the offences were. The 23 professional colleges that regulate health workers in B.C. take inconsistent approaches to how much information they reveal in disciplinary decisions. And for anyone who wants to know more, the process for filing a Freedom of Information request can be frustratingly opaque. Unfortunately, the lack of information from many of these colleges leaves the public in the dark on the details we need to make critical decisions about our healthcare. For Mike Larsen, president of the Freedom of Information and Privacy Association, public discipline notices from many colleges look more like press releases than genuine efforts to keep people informed. “I don’t think, and FIPA doesn’t think, they’re doing as good a job as they could be,” Larsen said. [CBC News and at: CBC News and The Vancouver Sun]

CA – No Access to Deceased Spouse’s Medical Records

The BC OIPC reviewed a decision by St. Paul’s Hospital to deny access to records requested, pursuant to the Freedom of Information and Protection of Privacy Act. A BC hospital correctly denied an individual access to her deceased husband’s medical records; the request for access was not made on behalf of the deceased individual (it was for use in legal action against the deceased’s daughter), and personal privacy rights continue for at least 20 years after death. [OIPC BC – Order F18-08 – St. Paul’s Hospital]

Horror Stories

US – Facebook Draws Scrutiny from FTC, Congressional Committees

Facebook Inc. is drawing scrutiny from the U.S. Federal Trade Commission and half a dozen congressional committees over how the personal data of 50 million users was obtained by data analytics firm Cambridge Analytica [see here & wiki here]. [Note: This is in addition to the UK Electoral Commission here, the UK OPC here, the Canadian Privacy Commissioner here & here, and the Irish Data Protection Commissioner here.] The FTC is probing whether Facebook violated terms of a 2011 consent decree [see FTC post here & here] over handling of personal user data that was transferred to Cambridge Analytica without users’ knowledge. The FTC could fine the company into the millions of dollars if it finds Facebook violated the 2011 agreement [it has the power to fine the company more than $40,000 a day per violation]. Facebook previously said in a statement it rejects “any suggestion of violation of the consent decree.” New York State Attorney General Eric Schneiderman announced that he and Massachusetts Attorney General Maura Healey had sent a demand letter to Facebook as part of a joint probe stemming from the fallout. Connecticut Attorney General George Jepsen announced his own probe. In addition to the briefings, Senator Mark Warner of Virginia, the top Democrat on the Senate Intelligence Committee, said he wants to hear testimony from Facebook Chief Executive Officer Mark Zuckerberg, as well as Twitter Inc. CEO Jack Dorsey. Senator Richard Burr of North Carolina, chairman of the Intelligence Committee, said any decision about calling Zuckerberg to appear before the panel is farther off.
[Bloomberg and at: The New York Times, Bloomberg & PBS NewsHour See also: Top EU privacy watchdog calls Facebook data allegations the ‘scandal of the century’ | Cambridge Analytica revelations are only ‘tip of the iceberg’, warns EU data protection chief | Irish Data Protection Commissioner to probe Facebook’s ‘oversight’ of political targeting on the platform | Facebook Has a Long History of Resolving Privacy Claims on the Cheap | Facebook needed third-party apps to grow. Now it’s left with a privacy crisis | A Facebook shareholder launched a lawsuit against the social network over the Cambridge Analytica scandal | ‘It just felt right’: David Carroll on suing Cambridge Analytica | Facebook Besieged by Wall Street, Washington and Europe | Cambridge Analytica CEO suspended as data scandal grows | Facebook data scandal: Canadian whistleblower was axed by Liberals over data harvesting ideas | ‘A grossly unethical experiment’: Canadian whistleblower at centre of Facebook data breach scandal | Facebook loses control of 50 million users’ data, suspends analytics firm | Cambridge Analytica’s Ad Targeting Is the Reason Facebook Exists | Facebook privacy flaw was flagged with Irish regulator in 2011 | Why We’re Not Calling the Cambridge Analytica Story a ‘Data Breach’ | Canada’s privacy watchdog asks Facebook for info on data misuse that raises ‘serious concerns’ and at: MobileSyrup, CTV News, Global News, The Globe and Mail, National Post | Facebook suspends Cambridge Analytica, SCL, says data shared with third parties violated platform policies at: Reuters, The Wall Street Journal, The Guardian, The New York Times, and USA Today | Facebook may have broken FTC deal in Cambridge Analytica incident | Facebook on Defensive as Cambridge Case Exposes Data Flaw]

WW – Cambridge Analytica Facing Investigations After Revelation of Facebook Data Harvesting

Cambridge Analytica allegedly gathered data illegally from 50 million Facebook users through an online quiz and used it to serve targeted advertisements aimed at discrediting Hillary Clinton and promoting Trump’s presidential campaign. The UK’s Information Commissioner and the Massachusetts attorney general have launched investigations. Wikipedia describes Cambridge Analytica as “a privately held company that combines data mining and data analysis with strategic communication for the electoral process.” [Read more in: www.bbc.com: Cambridge Analytica: Warrant sought to inspect company | www.theregister.co.uk: BOOM! Cambridge Analytica explodes following extraordinary TV expose | www.scmagazine.com: Probes launched after Facebook boots professor, Cambridge Analytica for harvesting info on 50M Americans without permission | www.zdnet.com: How Cambridge Analytica used your Facebook data to help elect Trump | www.nytimes.com: Cambridge Analytica, Trump-Tied Political Firm, Offered to Entrap Politicians | www.washingtonpost.com: Cambridge Analytica CEO appears to talk about using bribes and sex workers to sway elections on secretly recorded news video | www.wired.com: Cambridge Analytica Execs Caught Discussing Extortion And Fake News]

US – Former Equifax Exec Facing Insider Trading Charges

Former Equifax CIO Jun Ying is facing insider trading charges from both the US Securities and Exchange Commission (SEC) and the Department of Justice. The charges allege that Ying exercised company stock options worth nearly $1 million USD before news of the company’s massive breach became public. [www.justice.gov: Former Equifax employee indicted for insider trading | www.sec.gov: Former Equifax Executive Charged With Insider Trading | www.scmagazine.com: SEC charges former Equifax U.S. CIO with insider trading related to data breach | www.zdnet.com: Former Equifax executive charged with insider trading after data breach | arstechnica.com: Senior ex-Equifax executive charged with insider trading | www.cyberscoop.com: Former Equifax executive charged with insider trading after mega breach]

Identity Issues

US – FTC Announces Blockchain Working Group

Following the FTC’s lawsuit against four individuals who allegedly promoted deceptive cryptocurrency schemes, Neil Chilson, the FTC’s acting chief technologist, announced that an internal Blockchain Working Group has been organized to protect consumers and promote competition in light of cryptocurrency and blockchain developments. “Fraudsters often attempt to capitalize on the excitement and confusion around hot new technologies, and they are quick to dress up old schemes in the clothes of the latest and greatest innovations,” Chilson wrote. “I expect that fraudsters will repurpose old schemes to capitalize on the current glamour and mystery of cryptocurrency.” The goals of the working group will include building upon staff expertise, facilitating communication and coordination of enforcement actions, and serving as an “internal forum for brainstorming potential impacts on the FTC’s dual missions and how to address those impacts.” [Full Story]

EU – Blockchain Observatory and Forum Calls for Contributors

The EU Blockchain Observatory and Forum is calling for contributors to participate in two Working Groups it hopes to establish. Contributors can join the Blockchain Policy and Framework Conditions Working Group, which will look to establish the proper policy, legal and regulatory conditions needed to assist in the deployment of blockchain applications, and the Use Cases and Transition Scenarios Working Group, which will focus on public sector use cases for blockchain, including for health care, energy and environmental reporting. The forum is looking for EU citizens who have experience with blockchain technology and will be accepting applications until 9 April. [Full Story]

Internet / WWW

WW – ICANN Considering Limiting Access to Domain Name Registration Data

The Internet Corporation for Assigned Names and Numbers (ICANN) is considering limiting the scope of information about domain name registrations that will be publicly available. Currently, the names, addresses and contact information of entities who register domain names are usually publicly available. ICANN is considering limiting that information to basic website information, such as its location, to comply with European Union rules set to take effect in May 2018. The US government and technology companies are objecting to the proposed changes because they say the changes will make tracking down criminals more difficult. [thehill.com: Tech companies push back against internet watchdog’s new privacy rules]

WW – Google Announces New Privacy Tools for Data Privacy and Security

Google recently announced products and services to spotlight data privacy and help enhance cybersecurity. Among those included in the release, the new Cloud Security Command Center provides a data risk analysis and threat intelligence dashboard to assist businesses gathering threat data, the VPC service controls allow for increased data privacy, and the new Access Transparency Logs, which were already used internally, are now available in a consumer-facing product. Google’s director of security, trust and privacy said all these features are rooted in artificial intelligence. “We’re constantly evolving and pushing machine learning models so we can learn from literally billions of threat landscape indicators and quickly identify the source of an attack in the making,” she said. [PC Magazine]

Internet of Things

US – NIST Privacy Engineering Program hosting IoT roundtable

The National Institute of Standards and Technology (NIST) Privacy Engineering Program will be hosting a roundtable on the internet of things March 29. The roundtable will help develop a NIST document on the privacy and security risk considerations regarding the IoT. The group is seeking privacy professionals to participate in the roundtable in order to identify privacy risks involving the internet of things and has released a discussion draft offering information about their proposed approaches to the considerations. [NIST]

Law Enforcement

CA – Waterloo Police Considering Using Drones for Missing Person Searches

Waterloo Regional Police are considering the use of drones to assist in missing person cases and investigating car crashes. The drones will be fully operational by May 2018, and a Police Services Board report states the drones will be a faster and more efficient way to search large areas. The report also states the drones will not be used for surveillance purposes without “judicial authorization and completed privacy impact assessment.” [CBC News]

Location

US – Police Ask Google for Location Data to Narrow Suspect Lists

Police in North Carolina have hit on a simple if potentially controversial way to firm up suspect lists – use location data from Google to work out which devices were being used near the scene of crimes. Police in Raleigh used warrants in at least four recent investigations to make the search giant reveal the IDs of every device within certain map locations. Based on one or a combination of GPS, Wi-Fi and cellular location data, police were first given a list of anonymised time-stamped identifiers corresponding to every device within the map coordinates they were interested in. From an example warrant, this area of interest was as small as 150 metres from specific GPS coordinates, covering two narrow time ranges of around an hour each. The problem is that while treating device location data as evidence sounds logical, the inferences that can be drawn from it are fraught with danger. The obvious limitation is proving that a device’s registered owner was the one using it at the time and location police are interested in. If location data is requested while building a case based on a variety of evidence, that might be legitimate. The danger is that this data becomes the incriminating evidence from which the case is built. [Naked Security and at: WRL.com]

US – Spy Lab Wants to Geolocate Any Video or Photo Taken Outdoors

US intelligence is working on geotagging every possible outdoor location in the world. The difficulty of tracking down outdoor photos that haven’t been geotagged has led a US spy lab to launch Finder: a research program of the Intelligence Advanced Research Projects Agency (IARPA), the Office of the Director of National Intelligence’s dedicated research organization. The project aims to build on existing research systems to develop technology that augments analysts’ geolocating skills. At this point, analysts rely on information such as visible skyline and terrain; digital elevation data; existing, well-understood image collections; surface geology; geography; and architecture (think red phone booths). The goal is all-encompassing: IARPA wants Finder to find everything, as in, the ability to geolocate any video or photo taken anywhere outdoors. Once you realize how many of your photos are out there, bearing EXIF data that contains times, dates and locations of, say, your kids in the playground, you might want to start scrubbing your old photos clean. Here’s a guide on that from How-To Geek. [Naked Security and at: Ars Technica]

Online Privacy

WW – Updated Privacy Policies from Microsoft, Linkedin and Slack Leave Much to Be Desired

A week after the Facebook-Cambridge Analytica scandal came to light, Microsoft, LinkedIn and Slack emailed users updated policies committed to privacy. But while experts applauded the transparency efforts, they criticized them for being written in legalese or so vague that they end up raising more questions than answers. “Companies think of privacy as an afterthought. It needs to be at the forefront,” said Imran Ahmad, a partner at Miller Thomson who leads the firm’s cybersecurity practice. “If you read a privacy statement and can’t understand it, are you really giving informed consent?” Teresa Scassa, the Canada research chair in information law and policy at the University of Ottawa, poked around the links and said she thought “wow, the ordinary consumer lost interest minutes ago.” [The Star]

Privacy (US)

US – 9th Circuit Further Split Over Standing in Data Breach Cases

On March 8, 2018, the Ninth Circuit issued its highly anticipated decision in In re Zappos.com, Inc. [see 18 pg PDF here], finding that allegations of future risk of identity theft from a data breach are sufficient to confer standing [see here]. This decision fuels an ongoing circuit split, pitting the D.C., Sixth, Seventh and now Ninth Circuits against the Second, Fourth, and Eighth Circuits over whether the mere exposure of personal information – without actual identity theft or credit/debit card fraud – establishes Article III standing. The Ninth Circuit has now joined its sister courts in the D.C., Sixth and Seventh Circuits to make it easier for plaintiffs to maintain data breach cases beyond the pleading stage despite no showing of actual injury. [Data Protection Coverage and at: Data Law Insights and Business Insurance]

US – FTC Modifies Sears’ Consent Order for Tracking Software App

Sears Holdings Management Corporation petitioned the FTC to reopen and modify its previous Consent Order. Sears must continue to notify and obtain express consent prior to disseminating any software program or app that monitors or records consumer activities, except where the tracked information is limited to the configuration of the software program itself, the functionality of the app, or consumers’ use of the app. [In the Matter of Sears Holding Management Corporation – Docket No. C-4264 – Before the FTC | Press Release | See also: Hogan Lovells Represents Sears in Achieving First-Ever Modification to FTC Privacy Consent Order]

Privacy Enhancing Technologies (PETs)

AU – Breach Notification: OIC Australia Releases Comprehensive Guide

The Office of the Australian Information Commissioner (OAIC) issued guidance on how to prepare and respond to data breaches. Entities must notify affected individuals and the Information Commissioner of “eligible data breaches”, which are defined as unauthorised access to or disclosure of PI held by an entity or information is lost in circumstances where unauthorised access or disclosure is likely to occur, that is likely to result in serious harm to any of the individuals to whom the information relates, and the entity has been unable to prevent the likely risk of serious harm with remedial action. 4 steps: Contain, assess, notify, review. [OIC Australia – Data Breach Preparation and Response and OAIC Received 31 Notifications Since Data Breach Scheme Took Effect]

Security

CA – Most Canadian Organizations Feel Insecure

A study, conducted for Scalar by IDC Canada, surveyed 421 IT security and risk compliance professionals in November-December 2017. Organizations expect to be breached but:

  • 1/5 cite their security processes as ineffective
  • core security processes are not performed across the entire organization
  • less than 1/3 conduct formal employee training
  • vulnerabilities in third-party relationships are not accounted for
  • the speed of installing security updates and patches is inadequate, and
  • response planning lacks documentation and regular updating.

[The Cyber Security Readiness of Canadian Organizations – Scalar]

Surveillance

CA – Sidewalk Labs Addresses Privacy Concerns Over Proposed High-Tech Quayside District

The Google-affiliated company proposing a high-tech district in the Port Lands is trying to reassure Torontonians their privacy and data will be protected if the project proceeds. Hundreds of people turned out last week for an evening public consultation co-hosted by New York-based Sidewalk Labs and Waterfront Toronto at the Metro Toronto Convention Centre. Rohit (Rit) Aggarwala, Sidewalk Labs’ chief policy officer, told the crowd he has heard loud and clear concerns over privacy and the use of data that would be collected by sensors monitoring and controlling everything from traffic to snow-melting sidewalks in hyper-connected “Quayside.” Audience members seemed unsatisfied with answers about who would own data generated in the district and where it would be stored — officials could only say that negotiations continue. [Toronto Star and at: The Canadian Press (Global News), MobileSyrup, The Globe and Mail and ITBusiness.ca]

Workplace Privacy

CA – When Can HR Legally ‘Snoop’ on an Employee?

Spying, snooping, sleuthing – whatever you choose to call monitoring your employees, there’s no denying it’s a contentious issue in the workplace. But what legally constitutes snooping on your staff? And when are you allowed, or prohibited, from perusing their computers, emails and phones? We spoke to Cameron Wardell [see here], a lawyer at Mathews, Dinsdale & Clark LLP, who gave us his take on this complicated topic. “The framework for privacy protections in BC and Canada is quite complex, and the law about it can be surprising,” observed Wardell. “I would say that the biggest take-home point in this digital age is that the Courts and other decision-makers will assign privacy rights outside of what we might historically think of as private. In 2018, employers are well-advised to consider this—and to consult legal counsel—before searching any workplace computer or even the social media profiles of employees or prospective employees.” [HRMonline]

 

+++

13-19 March 2018

Biometrics

US – Madison Square Garden Used Face-Scanning Technology on Customers

Madison Square Garden has quietly used facial-recognition technology to bolster security and identify those entering the building. It is unclear when the face-scanning system was installed. The people familiar with the Garden’s use of the technology, who were granted anonymity because they were not authorized to speak publicly about it, said they did not know how many events at the Garden in recent months have used it or how the data has been handled. Although security is the most obvious use of the technology, some independent experts say it is less effective as a security measure for private businesses because they do not have access to various watch lists held by law enforcement agencies. In fact, some vendors and team officials said the customer engagement and marketing capabilities of facial recognition are even more valuable than added security for sports facilities. [NYTimes and at: GIZMODO and Yahoo Sports]

Big Data / Data Analytics / Artificial Intelligence

US – California State Lawmakers Taking a Closer Look at AI and Privacy

The “robot apocalypse” that some envisioned with the rise of artificial intelligence hasn’t arrived, but machine learning systems are becoming part of Californians’ everyday lives, tech experts told state lawmakers in Sacramento. As use of the technology becomes more widespread, so will the challenges for legislators who will have to grapple with how and when they should step in to protect people’s personal data. The state Assembly hearing was the second this year to take on the issue of artificial intelligence. Members of the Little Hoover Commission, an independent state oversight agency that reviews government operations, held a similar discussion last month. Representatives of tech companies argued that lawmakers should not move too quickly on developing privacy regulations. But tech privacy experts countered, saying users want more control over how their personal information is shared. Patients, for example, may agree to share their medical data with one AI developer, but might not want that business to release their information to their employers or health insurance companies. [LA Times]

US – University Uses Predictive Analytics to Increase Retention Rate

Researchers at The University of Arizona collect tracking data from student ID cards to analyze interactions and predict which students are most likely to drop out. In a news release, the university explained that their analysis can predict a student’s likelihood to drop out 73% of the time, starting from day one of classes and improving over time. Lists of the most at-risk students are cultivated and sent to advisors twice a semester, who can then intervene and help improve the retention prospect if they choose. It is reported, however, that the student ID policy site does not disclose how data is used in monitoring and tracking student activity. [Gizmodo, CTV News: Startup Uses AI to Assess Tenants’ Level of Risk]

CN – ‘Black Tech’ Facial Recognition Glasses Worn by Chinese Police Raise Privacy Concerns

Beijing police are testing out a new security tool: smart glasses that can pick up facial features and car registration plates, and match them in real-time with a database of suspects. The AI-powered glasses, made by LLVision, scan the faces of vehicle occupants and the plates and light up warnings for the wearers if the glasses match the information with a centralized “blacklist.” The test, which coincides with the annual meeting of China’s parliament in central Beijing, underscores a major push by China’s leaders to leverage technology to boost security in the country. That drive has led to growing concerns that China is developing a sophisticated surveillance state that will lead to intensifying crackdowns on dissent. “(China’s) leadership once felt a degree of trepidation over the advancement of the internet and communication technologies,” said David Bandurski, co-director of the China Media Project, a media studies research project at the University of Hong Kong. “It now sees them as absolutely indispensable tools of social and political control.” [Global News]

Canada

CA – OPC Wants to Limit Data Collection in National Security Bill

The Office of the Privacy Commissioner of Canada (OPC) released on March 5th, 2018 a series of recommendations for Bill C-59 (The National Security Act 2017) that the agency hopes will help lessen some of the potential privacy infringements in the bill. In particular, Therrien’s recommendations related to “publicly available information” sought to add limits on when Canadian intelligence agencies can use information available in online public spaces — such as Facebook, Twitter and other social networks. The privacy commissioner worried that information won’t always be obtained in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) — the federal law that governs how organizations handle private information — potentially allowing the Communications Security Establishment (CSE) to use forms of invasive surveillance to gather intelligence on Canadians. This means that even though Canadians may have information about themselves available online, it would be a privacy invasion for a government agency to compile data and use it on Canadians without cause or consent. The Canadian Civil Liberties Association (CCLA) agreed with the OPC’s privacy concerns. [Mobile Syrup, Ottawa’s privacy watchdog wants limits on spies’ information collecting powers]

CA – AB OIPC Orders Uber to Notify All 815K Canadian Data Breach Victims

Following a ruling by Alberta Information and Privacy Commissioner Jill Clayton, Uber announced it will notify all 815,000 Canadians who were affected by the ride-hailing company’s 2016 data breach, City News reports. In her ruling, Clayton wrote the personal information of drivers, including their licenses, could be used for identity theft or fraud. Uber will be required to inform the commissioner it has notified all the affected individuals within 10 days of the ruling. While Uber disagreed with the ruling, Uber Spokesman Jean-Christophe de le Rue said the company will adhere to the decision. [Full Story]

Consumer

CA – How to Handle Loblaw’s Request for More Gift Card ID

Canada’s privacy commission revealed this week that it is investigating Loblaws for sending letters requesting that some customers mail them a copy of their driver’s license or other ID that’s in their name to verify their identity. “This is so outrageous,” says Ann Cavoukian, at the Privacy by Design Centre of Excellence at Ryerson University in Toronto. “It’s completely unacceptable for them to ask. You’re adding insult to injury when they should really be bending over backward to make this right.” Kevin Groh, vice-president of corporate affairs and communications for Loblaw Companies Ltd., explains the company’s position this way. “For a small percentage, we’ve asked for proof of name and address. No customer has to submit a driver’s license. Our first suggestion is that customers can send a utility bill—like a hydro or phone bill—which doesn’t contain sensitive information. ID will be collected through a secure channel, verified, then destroyed.” Cavoukian also doesn’t trust Loblaw when they say that they’re going to destroy the proof of identity documents. “Info gets lost or stolen because of so many people inside handling the documents. They’re putting people at risk.” Instead, Cavoukian says Loblaws should issue an immediate apology and tell people who’ve received the letters that they are destroying any information they’ve received immediately. [MoneySense]

Encryption

CA – Canucks Hit by ‘Cryptojacking’ Hacker Trend

A wave of so-called “cryptojacking” has been sweeping the internet, forcing unwitting web surfers into generating money for cybercriminals. Hackers infect websites with malicious code that secretly conscripts visitors into an army of cryptocurrency miners. Cryptocurrency mining involves devoting a computer’s processing power to solving a complicated mathematical problem with digital currency offered as a reward. The cryptojacking process is invisible and web surfers typically don’t even realize anything is happening in the background, unless they hear their computer’s fan kick in as the machine is forced to work at its full capacity. Once they leave the infected website, the cryptojacking stops. Last month, the websites of the Information and Privacy Commissioner of Ontario, the Centre for Addiction and Mental Health, and some municipal websites were among thousands that were hit with an attack linked to a third-party accessibility app called Browsealoud. [The Canadian Press and at: Naked Security, The Next Web, ComputerWeekly, Digital Trends, MyBroadband and Public Radio International]

WW – Privacy-Busting Bugs Found in Popular VPN Services

A new report reveals three popular VPN services have been found to leak private user information. Hotspot Shield, Zenmate, and PureVPN all promise to provide privacy for their users. The research reveals bugs that can leak real-world IP addresses, which in some cases can identify individual users and determine a user’s location. [ZDNet, CyberGhost VPN review: A speedy VPN provider that’s easy to use | NordVPN review: This VPN’s features make it hard to beat | SaferVPN review: Good features overshadowed by privacy concerns | TunnelBear VPN review: An option for occasional VPN users | TorGuard VPN review: A VPN service designed for extreme privacy | VyprVPN review: A VPN committed to online user security, privacy, and an open internet | Speedify review: A mobile-focused VPN with zippy upload speeds]

EU Developments

EU – Metadata Privacy Regulation at Heart of Broader Telecoms Market Debate

The EU Working Party on Telecommunications and Information Society is set to scrutinise the issue of metadata processing [See here & here] at a meeting when proposed new EU laws on privacy and electronic communications – a draft e-Privacy Regulation [see proposal overview here & download 35 pg PDF here other ePR Documents here] – will be discussed. In advance of that meeting, the Bulgarian presidency of the Council of Ministers has published a document that has highlighted that there are different views across national governments in the EU on the rules that should apply to metadata [wiki here] processing. The Bulgarian presidency’s document has set out a range of options for EU governments to consider which would loosen the rules around metadata processing for the companies subject to the e-Privacy framework. The options put forward range significantly on what they would enable electronic communication service providers to do. The final text of the new Regulation must be approved by both the Council of Ministers and the European Parliament before it can enter into EU law, and there is likely to be a transitional period after that point before the new rules take effect. [Out-Law]

FOI

CA – Alberta Privacy Commissioner to Investigate FOI Interference

Alberta Information and Privacy Commissioner Jill Clayton announced her office will launch an investigation into Premier Rachel Notley’s former chief of staff, John Heaney. A complaint alleges Heaney stopped a freedom-of-information request regarding email logs from executive council. Heaney sent an email suggesting the information should not be released until he discussed it with another staff member. The complaint states Heaney’s involvement led to a two-month delay, with the information having never been released. Heaney had left the premier’s office last summer. The investigation will include an oral hearing, and commissioner Jill Clayton expects to issue notices compelling staffers to attend and produce records. The opposition United Conservative Party wants the hearing to be public. In November, UCP accountability critic Nathan Cooper asked Clayton to investigate what he called “political interference” by Heaney and Service Alberta. According to internal emails, Heaney had concerns with the response prepared by bureaucrats and recommended changes to what would be released. Cooper slammed that as political interference. [Edmonton Journal and at: CBC News, CBC News]

CA – Rejected BC Job Applicants Obtain Disclosure of Application Records

The British Columbia Information and Privacy Commissioner recently ordered Compass Group Canada Ltd., a food, cleaning and maintenance service company, to disclose all records related to the job applications of a group of rejected applicants. This decision provides insight into the disclosure obligations of private organizations. Organizations cannot refuse to disclose records containing personal information on the basis that they contain confidential or personal information protected by the Personal Information Protection Act if the offending portions of the documents can be redacted. As a matter of procedure, if an organization considers that a disclosure request is frivolous or vexatious, it should ask the Commissioner for authorization to disregard the request prior to responding in any way. [Source] [Mondaq]

Health / Medical

UK – NHS Staff Breaking Data Security Policies Every Day With Whatsapp

CommonTime published ‘Instant Messaging in the NHS’ that delves into the swelling issue of instant messaging apps (like WhatsApp and Messenger) being used to supplement official communication channels – a sign that NHS staff themselves are being driven to innovate faster than the trusts they represent. The very first finding from the report is that the issue of NHS staff communicating via consumer-oriented instant messaging (IM) services is actually much bigger than has been previously reported. A measly 15% of NHS staff use only Trust provided channels of communication, while a staggering 43% use consumer IM (to varying degrees). The report finds that thus far, attempts to stem the tide through education, the provision of alternatives and enforcement of policy are doing little to discourage staff with 1 in 50 receiving disciplinary actions for IM related incidents. [SecurityBrief and at: Infosecurity Magazine, Computer Business Review and The Sun]

US – ONC Officials Say It’s Time to Share Data With Patients

The Office of the National Coordinator for Health IT officials said it is time to give patients access to their data. ONC Deputy National Coordinator Jon White said patients are frustrated they cannot see their information, while National Coordinator Donald Rucker shot down the argument that medical information would be too complicated for patients to understand. The comments from the ONC officials come as the Centers for Medicare & Medicaid Services announced two initiatives designed to help enhance data-sharing practices. [FierceHealthcare]

Horror Stories

US – Yahoo Judge Lets Hack Victims Seek Payback for Data Breaches

Customers make a plausible argument that “high-ranking executives and managers at Yahoo” engaged in “malicious conduct,” the standard for seeking punishment damages on top of ordinary compensation for consumer harm, U.S. District Judge Lucy Koh in San Jose, California, said in a recent ruling. Yahoo reached an $80 million settlement this month with investors over claims that executives concealed the data breaches to artificially inflate the price of the internet firm’s shares. Under the accord, investors are slated to get 12 cents for each share of Yahoo stock they owned. With the investor claims settled, Yahoo will probably move to resolve the consolidated customer cases, said Rahul Telang, a professor of information systems at Carnegie Mellon University in Pittsburgh. “I foresee a settlement in the hundreds of millions rather than billions”. [Bloomberg and at: Reuters, Security Boulevard, Courthouse News Service and Business Insurance]

Identity Issues

US – Delaware to Pilot Mobile Driver’s Licenses

Delaware could be among the first states to use mobile driver’s licenses. The Division of Motor Vehicles has launched a mobile driver’s license pilot study that will run for six months and include about 200 state employees and stakeholders before deciding to roll out to 800,000 licensed drivers and ID card holders. Features of the mDL that will be tested include:

  • Enhanced privacy for age verification: No need to show a person’s address, license number and birthdate. The mobile driver’s license will verify if the person is over 18 or 21 and display a photo.
  • Law enforcement use during a traffic stop: The mobile driver’s license will allow law enforcement officers to ping a driver’s smartphone to request their driver’s license information before walking to the vehicle.
  • Business acceptance: Understanding how businesses that require identification or age verification interact with the mobile driver’s license will be advantageous throughout the pilot study.
  • Ease of Use: Ensuring the mobile driver’s license is able to be presented to any organization without difficulty.
  • Secure access: The mobile driver’s license is unlocked and accessible only by the license holder. The mobile driver’s license is accessed through an app on the owner’s smartphone and is opened/unlocked by entering a user-created PIN or facial recognition. [Delaware Online]

US – Judge Rules NH Lottery Winner Able to Stay Anonymous

A judge ruled that a New Hampshire woman who won a $560 million lottery will be allowed to keep her identity unknown. While the woman’s hometown may be disclosed, Judge Charles Temple said disclosing the woman’s name would constitute an invasion of privacy, adding, “This personal information is exempt from disclosure under the Right-to-Know law.” The state attorney general’s office had argued that since the woman signed her name on the back of the ticket, her identity must be revealed. [USA Today, Forbes, The Washington Post, USA Today, Courthouse News Service and BBC News]

UK – Controversial Online Porn Block Has Been Delayed

The UK government has delayed a controversial age verification block on pornography websites in the UK. The system, which was meant to go live in April, would have required all pornographic websites to verify if people viewing content were 18 years of age or older. Confirmation of the delay, buried deeply within a government press release about 5G, reveals that “age verification will be enforceable by the end of the year.” The project was introduced as part of the Digital Economy Act in 2017 [wiki]. In what’s come to be known as the ‘UK porn block’, three of the largest porn websites in the UK haven’t been able to confirm how they will implement age verification. One of the world’s biggest pornography companies has only released limited details of how its age checker will work. Under the law, pornography websites are expected to start using software, most likely from third-parties, to check whether someone is old enough to view the content. The UK government hasn’t recommended one piece of software that should be used but said it will leave this to the “industry”. [WIRED and at: The Register, Gizmodo, engadget and The Guardian]

Internet of Things

UK – Government Issues IoT Security Guidelines

The UK government’s Secure by Design review includes a proposed code of practice for Internet of Things (IoT) manufacturers, IoT service providers, mobile application developers, and retailers that includes not allowing universal default passwords, securely storing sensitive data, making it easy for consumers to configure the devices, updating software, and implementing a vulnerability disclosure policy. [www.gov.uk: Secure by Design: Improving the cyber security of consumer Internet of Things Report | www.gov.uk: New measures to boost cyber security in millions of internet-connected devices | www.zdnet.com: New IoT security rules: Stop using default passwords and allow software updates | www.v3.co.uk: Government to demand ‘security by design’ in new measures to tackle IoT security]

WW – Google Android Security Report 2017

Google released its fourth annual Android Security Year in Review – see Blog post – Key takeaways to ponder: 1) report is about perception and corralling an ecosystem that’s hard to wrangle; 2) Apple iOS vs. Android security argument is futile (apples vs. oranges, if you will); 3) Android’s security model (think patches from the sky) rhymes with Microsoft’s; 4) Google Play has given Google more control over security; 5) The Android security report is partly aimed at the enterprise; 6) The influx of PHAs now requires daily scanning; and 7) Cloud and machine learning give Google an edge in security. [ZDNet and at: PC World, 9to5Google, Engadget and CNET]

Law Enforcement

UK – Amazon Partnership With British Police Alarms Privacy Advocates

Police in northwest England have rolled out a program to broadcast crime updates, photos of wanted and missing people, and safety notifications to Amazon Echo owners. Since February, the free app has been available to those using Alexa, a cloud-based voice assistant hooked up to the Echo smart speaker. The first of its kind in the U.K., the program was developed by the police force’s innovations manager in a partnership with Amazon developers. The next iteration of the pilot program, expected to launch by year’s end, will allow users to report crimes directly to their smart speakers. After that Alexa might be used not just by civilians, but internally by officers for briefings and important information. Given the sensitive nature of crime reporting, civil liberties experts wonder whether storing reports with a third party like Amazon might pose an obstacle to citizens hoping to report crimes anonymously. Another major concern is cybersecurity. [The Intercept]

Location

US – MoviePass CEO Misspoke on Company’s Location-Tracking Efforts

MoviePass CEO Mitch Lowe now says he misspoke when he described the ways his company is tracking users during the Entertainment Finance Forum on March 2. Lowe stressed that in the future, customers will have the ability to opt in to the company’s location-based marketing offers and said, “I said something completely inaccurate as far as what we are doing,” adding, “We only locate customers when they use the app.” According to Lowe, the MoviePass app only uses location data on two occasions: when customers are checking for movie theaters in their area and again to verify when a customer checks in to a theater. [Variety]

Online Privacy

WW – Anti-Tracking Browser Extension Now Open-Sourced

Ghostery, a browser extension that blocks online tracking software, announced it is now open-source software. Ghostery Director of Product Jeremy Tillman said, “As a privacy product, especially one designed to give users a look behind the scenes at what data companies are collecting and doing with it, we thought it was important to give our users a look under the hood.” Tillman added that by becoming open-sourced, it will be easier to incorporate contributions and evolve the product. Currently, Ghostery is free to use in exchange for user data used in its business product. [CNET]

Privacy (US)

US – FTC Recommends Security-Only Updates for Mobile Devices

The FTC has issued a report regarding mobile device security update practices, with information obtained from special reports submitted by: Apple; Blackberry; Google; HTC; LG; Microsoft; Motorola; and Samsung. Patching vulnerabilities in security-only releases fast-tracks security updates by disentangling them from larger functionality upgrades; manufacturers should disclose minimum guaranteed security support periods and update frequency (e.g., notify device owners when security support is about to end so they can make decisions about post-support use). [FTC Report February 2018 – Mobile Security Updates Understanding the Issues]

US – Sears Achieves First-Ever Modification to FTC Privacy Consent Order

The FTC has approved the first-ever petition to reopen and modify a privacy-related consent order. The petition, filed by Sears Holdings Management Corporation, sought to amend the terms of Sears’ 2009 consent order, which settled allegations that Sears did not adequately disclose the extent to which desktop software it distributed collected information from consumers. After reviewing Sears’ petition and public comments, the Commission agreed with Sears that, as a result of changes in the mobile application marketplace, the Order’s requirements as applied to Sears’ mobile apps were “burdensome and counterproductive, both for consumers and Sears.” The decision offers important guidance on how the FTC views the mobile application marketplace and consumer expectations of data privacy in that rapidly-evolving space. Even more importantly, as the first of its kind, it shows that the FTC is willing to modify data privacy orders. [HLDA]

Security

WW – PWC Highlights Privacy Insights from Security Survey

PwC released a report detailing privacy insights stemming from their Global State of Information Security Survey 2018. Of the 9,500 executives interviewed around the world, 87% said they are investing in cybersecurity to build trust with customers, and while 81% said they will place an emphasis on transparency in regards to data use, only 44% said they will do so to a large extent. The report offered next steps global business leaders can take to shore up their privacy efforts, including prioritizing data use governance, engaging the board of directors, and viewing the EU General Data Protection Regulation as an opportunity to align themselves for future success. [PWC]

US – Interpreting the SEC’s Latest Guidance on Data Breach Disclosure

On the heels of several headline-grabbing data breaches – and greater emphasis on the importance of disclosure in the lead-up to the May 25 General Data Protection Regulation (GDPR) deadline – the US Securities and Exchange Commission (SEC) recently issued a statement that puts more responsibility on executives for data breaches. This updated guidance [PDF here] calls for public companies to provide investors with more information on all cybersecurity incidents – even just the existence of potential risks – with minimal delay. The statement goes a step farther in attempting to thwart the potential for the exchange of “insider” information, which was a major concern on the heels of the record-shattering Equifax data breach. Specifically, corporate officers, directors and “other corporate insiders” are prohibited from trading shares if they have knowledge of any unpublicized security incident within the company. [Dark Reading and at: The SEC says companies must disclose more information about cybersecurity risks]

CA – Employees Confused About Cybersecurity Responsibilities

A new survey of 1,505 Canadians on workplace security found employees are confused as to who is responsible in the workplace for protecting company information. The survey shows Canadians are split on who should safeguard the security of corporate data. 40% of employees believe they bear zero responsibility for securing information, pointing to the need for a more comprehensive strategy that makes security everyone’s business. The findings show that companies are increasingly vulnerable to breaches from unsafe practices. Six-in-10 employees have accessed personal or work data using public WIFI networks, which may be unsecure, and half have been the victim of a phishing email or online virus. One in three employees are not fully aware of security protocol. So, what can be done from an organizational perspective? The report proposes three guiding principles that can be applied to all workplace security practices. [Toronto Star]

Surveillance

UK – Surveillance Camera Commissioner Calls for New Safeguards

Surveillance Camera Commissioner Tony Porter called on politicians to implement new rules to ensure that surveillance technologies are not abused. In an address to the ANPR Conference, Porter said there is a growing appetite for the “use of increasingly intrusive technologies integrated with surveillance camera systems in society”. He asserted that he has been lobbying government ministers, council members, law enforcement officials and privacy advocates to explore ways these systems can be better regulated. “The public interest which demands clear legislation, transparency in governance and approach and a coherent and effective regulatory framework in which they can have confidence,” he said. Just over a year ago, Porter launched the National Surveillance Camera Strategy [Exec Sum] which outlined ways in which the government and organisations should use surveillance technology. “I engaged with a broad spectrum of stakeholders including police, public and privacy campaigners to better understand the divergence of opinion around its use,” he said. The Commissioner revealed that he has come across many people who are concerned about the lack of regulations that ensure this technology is used responsibly. [Computing]

US Government Programs

US – ACLU Hits TSA With FoI Suit Over E-Device Searches

The ACLU Foundation of Northern California filed a lawsuit against the TSA [PR] demanding that the government disclose its policies for searching the computers and cellphones of domestic travelers, arguing that anecdotal accounts have raised concerns about potential privacy invasions. “We’ve received reports of passengers on purely domestic flights having their phones and laptops searched, and the takeaway is that TSA has been taking these items from people without providing any reason why,” the staff attorney said. “The search of an electronic device has the potential to be highly invasive and cover the most personal details about a person.” A TSA spokesman declined to comment on the lawsuit but said: “TSA does not search the contents of electronic devices.” [The Guardian and at: ACLU of NC Blog, Law360 and engadget]

 

+++

6-12 March 2018

Big Data / Data Analytics / Artificial Intelligence

WW – Is Artificial Intelligence the Ultimate Test for Privacy?

Artificial intelligence is emerging as the new testing ground for privacy. 21st century artificial intelligence relies on machine learning, and machine learning relies on data. Artificial intelligence is essentially about problem solving and for that we need data, as much data as possible. Against this background, data privacy and cybersecurity legal frameworks around the world are attempting to shape the use of that data in a way that achieves the best of all worlds: progress and protection for individuals. Is that realistically achievable?  Ironically, assessing the impact of technology on our privacy and identifying the right safeguards may end up being more accurately done by machines in the not too distant future. Until then, our principal job will be to embed privacy and cybersecurity practices in the development of artificial intelligence involving personal data. This is not a machine v. human battle. It is a defining moment which requires a sense of responsibility and a long-term view. Future generations will thank us if the way in which we develop artificial intelligence today looks at the true value it can deliver while respecting data protection principles. [HLDA Data Protection]

Canada

CA – Parliamentary Committee Gives Privacy Commissioner Enforcement Powers

The federal Privacy Commissioner would have the power to make orders and impose fines for companies not complying with PIPEDA if the government approves suggested changes to the law recommended by a Parliamentary committee. The change is one of a number unanimously proposed by the Standing Committee on Access to Information, Privacy and Ethics [see PR here and Report here or 108 pg PDF here]. Some of the proposed changes could mean big changes in corporate privacy and marketing policies. The recommendation doesn’t say what order powers the Privacy Commissioner should be given or how high the fines should be. Some of the recommendations, if approved, could also bring PIPEDA closer to complying with Europe’s new privacy law, the General Data Protection Regulation (GDPR), which comes into effect May 25. Under the EU’s current privacy regime, PIPEDA – which companies here have to follow unless provincial legislation applies – has adequacy status. Privacy experts have worried that after May 25, when the GDPR comes into effect, PIPEDA would automatically not be seen as adequate with GDPR. The committee made other recommendations to Parliament that if passed will affect corporate privacy and marketing strategies. They include:

  • ensuring that consent remains the core element of the privacy regime, while enhancing and clarifying it by additional means, when possible or necessary;
  • amending PIPEDA to explicitly provide for opt-in consent as the default for any use of personal information for secondary purposes, with a view to also implementing a default opt-in system regardless of purpose;
  • amending PIPEDA to replace the term “fraud” with “financial crime” (and propose a definition for that term);
  • amending PIPEDA to provide for a right to data portability, which would give a person the right to transfer their personal data from one company to another. This right is one of the essential elements of the GDPR;
  • considering implementing measures to improve the transparency of algorithms, such as used in machine learning and artificial intelligence applications;
  • study the issue of the ability of people to revoke the consent they’ve given to a company for use of personal data in order to clarify the form of revocation required and its legal and practical implications;
  • modernizing the Regulations Specifying Publicly Available Information in order to take into account situations where individuals post personal information on a public website and in order to make the Regulations technology-neutral;
  • considering amending PIPEDA in order to clarify the terms under which personal information can be used to satisfy legitimate business interests;
  • examining the best ways of protecting depersonalized data;
  • considering implementing specific rules of consent for minors, as well as regulations governing the collection, use and disclosure of minors’ personal information. This is also linked to the issue of the right to ask sites like search engines to de-index links to certain pages (see below). One issue, Lawford said, is that young people’s ability to make an informed decision on consenting to allow their personal information to be used by a company is limited. The Canadian Marketing Association already has a rule that sites shouldn’t market to people under 16, he pointed out;
  • considering including in PIPEDA a framework for a right to erasure based on the model developed by the European Union that would, at a minimum, include a right for young people to have information posted online, either by themselves or through an organization, taken down;
  • considering including a framework for the right to de-indexing web links to Internet stories in PIPEDA, and that this right be expressly recognized in the case of personal information posted online by individuals when they were minors. The issue of de-indexing links for searches on request has been raised by people who were involved in criminal convictions or divorces years ago and want these events placed lower in searches for their names;
  • consider amending PIPEDA to strengthen and clarify organizations’ obligations with respect to the destruction of personal information;
  • determine what, if any, changes to PIPEDA will be required in order to maintain its adequacy status under the GDPR; and, if it is determined that the changes required to maintain adequacy status are not in the Canadian interest, create mechanisms to allow for the seamless transfer of data between Canada and the EU;
  • work with the provinces and territories to make sure that all relevant jurisdictions are aware of what would be required for adequacy status to be granted by the EU.

[ITWorld see also: The Globe and Mail, Denton’s and BetaKit]

CA – Saskatchewan Agency Unlawfully Disclosed PI

The Saskatchewan OIPC investigated a complaint that the Workers’ Compensation Board disclosed personal information, in violation of the Freedom of Information and Protection of Privacy Act. The agency was not authorized to disclose to an employee an individual’s home address, family status, opinion about the agency’s support of employees, or status with the agency; the information was not required to investigate the individual’s harassment claim against the employee, and no conditions were placed on the employee to prohibit any further disclosures. [OIPC SK – Investigation Report 266-2017 – Saskatchewan Workers Compensation Board]

CA – B.C. Seeks Public Input on Updating FOI Legislation

The BC government has launched a new public engagement website to give residents a chance to provide input on how Freedom of Information (FOI) requests and privacy protection in the province operate. The Freedom of Information and Protection of Privacy Act (FOIPPA) [see text here & IPC overview here] covers approximately 2,900 public bodies in British Columbia. The public is being asked to participate in online discussions and provide written feedback on topics related to privacy and access to information, including what records should be released without an FOI request; timelines for responding to access requests; fees that can be charged; and what should happen when privacy is breached. According to Minister of Citizens’ Services, Jinny Sims, “The engagement website will be updated regularly, so be sure to keep checking back for new topics and new opportunities to submit your thoughts.” British Columbians will be able to participate until the engagement closes on April 9. [Lawyer’s Daily See also: British Columbians are more FOI-hungry than all other Western provinces combined ]

CA – Ontario Passes Law Overhauling Policing Rules in the Province

Bill 175, dubbed the Safer Ontario Act, passed in the legislature Thursday and offers the first updates to the Police Services Act in more than 25 years. Many of the changes stem from Appeal Court Justice Michael Tulloch’s report on police oversight, which made 129 recommendations aimed at increasing transparency and accountability for the province’s forces and the three bodies that oversee their conduct. The new bill requires the Special Investigations Unit or SIU, one of Ontario’s three police oversight agencies, to report publicly on all of its investigations and release the names of officers charged. The three agencies – the SIU, the Office of the Independent Police Review Director (OIPRD) and the Ontario Civilian Police Commission (OCPC) – will also get expanded mandates. The OIPRD will be renamed the Ontario Policing Complaints Agency and investigate all public complaints against police officers. The OCPC will be renamed the Ontario Policing Discipline Tribunal, dedicated solely to adjudicating police disciplinary matters, so that such matters are no longer handled internally. An Inspector General will be established to oversee police services, with the power to investigate and audit them, and Ontario’s ombudsman will be able to investigate complaints against the police oversight bodies. As well, the SIU will have expanded powers to investigate both current and former officers, volunteer members of police services, special constables, off-duty officers and members of First Nations police services. Police officers who don’t comply with such investigations could be fined up to $50,000 and/or be sent to jail for up to one year, a departure from current rules that do not force officers to co-operate with an investigation. [CTV News See also: Toronto Sun, Canada NewsWire and Orangeville Banner]

CA – Policies and Procedures Lacking in Yukon Government

The Yukon’s Executive Council Office audited the government’s privacy management policy, pursuant to the Access to Information and Protection of Privacy Act. None of the 12 departments audited have completed data mapping to identify the PI in their custody and control, purpose for collection, use and disclosure, or the sensitivity of data they process; a comprehensive set of policies and procedures relating to the purpose and authority of processing were also lacking. [Privacy Management Policy – Compliance Audit Final Report – Yukon Executive Council Office]

Consumer

CA – Majority of Canadians Still Worried About Identity Theft: Poll

The Chartered Professional Accountants of Canada’s annual fraud survey [see PR here], found 71% of Canadians are concerned about identity theft, up from 66 per cent last year [see here]. 68% of those surveyed believe electronic payment methods, such as tapping debit and credit cards or using smartphone apps, make it easier for thieves to commit fraud. And most surveyed think businesses are still vulnerable to cyber attacks. Still, despite those fears, the survey suggests half of Canadians are comfortable making online purchases. The CPA fraud survey of 1,000 Canadian adults was conducted by Nielsen, a market research company, between Feb. 7 and 18, 2018. [Vancouver Sun see also: Canadian Underwriter, Insurance and Investment Journal and IT World Canada]

UK – Study Finds Growing Privacy Concerns Among UK Consumers

A recent ForgeRock survey suggests U.K. consumers share a growing concern for how widely their personal information has been shared and how it may be used by businesses. The survey of 2,000 U.K. consumers found that 63% believed organizations holding their data should be responsible for protecting it, and 58% said they would cut ties with an organization if it was discovered to have shared their personal information without consent. Furthermore, the survey found that 64% of those surveyed had either never heard of the EU General Data Protection Regulation or knew nothing about it. Eve Maler, vice president of innovation and emerging technology in ForgeRock’s office of the CTO, said, “Organisations need to take notice of these concerns and focus on building trust and brand loyalty by giving consumers greater visibility and control over how their data is being collected, managed and shared.” [ComputerWeekly | More than half of UK consumers will share personal data for reward points]

CA – Digital tool for Landlords Measures Potential Tenants’ Kindness, Cleanliness

Victoria-based tech startup Certn [here] is helping landlords and property managers leverage the power of big data and artificial intelligence to weed out potentially undesirable tenants before handing over the keys. It combs through more than 100,000 online data points, everything from social media posts to criminal convictions to eviction notices, in order to build a risk profile for each consenting applicant. The company even offers behavioral analysis questionnaires to gauge things like ethics, honesty, intelligence, attitudes and beliefs. Digital tenant screening solutions like those on offer from Certn, and its Canadian competitor Naborly, can be powerful tools for landlords in saturated rental markets like Victoria, Vancouver and Toronto. But using companies that scour the internet to build a comprehensive history of applicants, complete with numerical rankings for character and personality traits, raises questions. “It’s very hard to see how information that is disclosed on Facebook, Instagram or Twitter would be related to a tenant suitability decision,” said Acting Deputy B.C. Privacy Commissioner Bradley Weldon. “If you are collecting more information than is necessary, which would almost certainly include information that is in a social media platform . . . then you are likely in contravention of PIPA [here].” [CTV News See also: Probe launched into B.C. landlords’ demands for sensitive information | Privacy commissioner to query whether landlords violate prospective tenant privacy | ‘It feels like a jail’: Surrey renters revolt over ‘heavy-handed’ strata fines, surveillance | Get ready to give up your online privacy to score the perfect rental | Report landlords who break privacy rules, urges BC agency | Company scraps ‘bad tenant list’ after privacy commissioner upholds complaint]

E-Government

EU – Germany Government Computers Infiltrated, Data Stolen

Germany’s government computer networks have been targeted in a cyber attack. The intruders were first detected in December 2017. They were able to steal information and may have been exfiltrating data for as long as a year before they were detected. Reports suggest that the attacks may be the work of a hacking group known as Fancy Bear or APT28. [www.theregister.co.uk | www.zdnet.com | www.reuters.com]

US – DHS Disputes Report Russia Compromised Voting Systems

The US Department of Homeland Security (DHS) is refuting claims that Russia breached voter sites and registration systems in seven US states prior to the November 2016 presidential election. The news report cited unnamed US officials as saying that there was evidence that the systems had been compromised but that the states were not informed. Alaska’s top election official Josie Bahnke said that according to information she received from DHS, Russia scanned a public elections website but got no further. [www.nbcnews.com | www.govtech.com | thehill.com]

Electronic Records

CA – Alberta Physicians’ EHR Access Lawful: Court

The Alberta Court reviewed a decision of the Alberta OIPC, finding Drs. Gowrishankar and Pinsk violated the Health Information Act. The Court quashed an OIPC decision that two physicians were not authorized to access a child’s medical records in a hospital database; the access was to respond to a complaint by the child’s mother about medical treatment received from the physicians, and the mother signed a consent form (as part of the complaint process) allowing the hospital to obtain relevant medical records. [Drs. Gowrishankar and Pinsk and AB Health Services v. JK_LK and OIPC AB – 2018 ABQB 70 CanLII – Court of Queens Bench of Alberta]

EU Developments

EU – WP29 Clarifies Automated Decision-Making

The provision on automated decision-making should be interpreted as a prohibition, not a right to be invoked; however, this prohibition only applies in specific circumstances when a decision based solely on automated processing (including profiling) has a legal effect on or similarly significantly affects someone (e.g. eligibility for credit or access to health services), and even in these cases may be subject to an exception (e.g. performance of a contract). [ Article 29 Working Party – Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 – Working Paper 251 rev. 01 ]

EU – WP29 Requires Clarifications for Cloud Providers

The Article 29 Data Protection Working Party provided an opinion on the Code of Conduct for Cloud Infrastructure Service Providers. It should be made clear where the GDPR is cited and when it is interpreted in the Code, and focus should be put on the security measures providers offer, rather than stressing what it is not responsible for; providers are required to inform the customer of any intended changes in service (such as using a subprocessor in a third country), providing customers with an opportunity to object to such changes. [Article 29 WP – Letter to Cloud Infrastructure Service Providers]

EU – WP29 brings Binding Corporate Rules in Line with the GDPR

On February 6, 2018, the Article 29 Working Party adopted updated guidelines on Binding Corporate Rules (“BCRs”) [WP256 for Controllers | WP257 for Processors], which replace the previous WP29 working documents 153 and 195 on BCRs and Processor BCRs. BCRs are one of the permitted data export solutions under European data protection law, allowing members of a corporate group that have committed to a binding and approved set of data protection rules to transfer personal data within their organization (including from inside the European Economic Area to outside of it). In contrast to the Directive, the General Data Protection Regulation [see text here] incorporates BCRs into legislation and sets out at Article 47 [see here] various conditions that must be met when relying on BCRs. The updates draw attention to the following elements: 1) Right to lodge a complaint; 2) Transparency; 3) Scope of Application; 4) Data Protection Principles; 5) Accountability; 6) Third Country Legislation; 7) Third Party Beneficiary Rights; and 8) Service Agreement. [Data Protection Report and at: Technology Law Dispatch and William Fry Blog]

US – Reaction to Article 29 WP Consent Requirements

The Centre for Information Policy Leadership provided recommendations on the Article 29 Working Party’s guidelines on consent under the GDPR. The think tank notes that the concepts of freely given consent and genuine choice are not a one-size-fits-all approach, and the elements of consent should be assessed taking into account the nature, scope, context and purpose of the processing; old consents should only be refreshed under the GDPR where they were conditional on processing not necessary for the performance of a contract or do not meet requirements for consent of a child for information society services. [Comments on the WP29 Guidelines on Consent – CIPL]

EU – Insights on the Data Protection Commissioner’s Annual Report for 2017

The Data Protection Commissioner (DPC) has published her Annual Report for 2017 [76 pg PDF], which discusses the key activities and challenges of her office last year, as well as her priorities for the coming year. The DPC spent much of 2017 raising awareness of the GDPR. She continued to engage with organisations in regard to their data protection law compliance, carrying out over 200 consultations and 100 face-to-face meetings in which preparation for the GDPR was a constant feature. The DPC dealt with a record number of complaints (2,642), most of which were resolved amicably. She was also busy on the litigation front, particularly in regard to court proceedings concerning the validity of the EU Standard Contractual clauses as a legal mechanism to transfer personal data out of the EEA. [In this post we review]: 1) Litigation & Data Transfers; 2) Proactive Engagement with the Financial Sector; 3) Other Engagement Activities; 4) Consultation Queries; 5) Complaints & Prosecutions; 6) Investigations & Audits/ Inspections; 7) Breach Notifications; and 8) The Year Ahead …The DPC, like other stakeholders, is eagerly awaiting the finalisation and enactment of the Irish Data Protection Bill 2018 [read bill 132 pg PDF here & review here], which is currently before the Oireachtas. That legislation will give further effect to the GDPR in areas where national derogations are permitted, and will transpose the Law Enforcement Directive into Irish law, as well as further underpinning the structures, functions and powers of the DPC. The Irish Government has committed to finalising the Bill by 25 May 2018, when the GDPR comes into force. [Ireland IP]

UK – Data Watchdog Draws Up Plans for ‘Data Protection by Design’

The Information Commissioner’s Office (ICO) plans to create a “regulatory sandbox” as part of its first ever technology strategy to help organisations build adequate data protection into their products before they are released. The scheme forms part of the UK data watchdog’s wider Technology Strategy, announced last week, which outlines eight priorities for the regulator between now and 2021, including educating both businesses and the public on emerging technologies such as AI and big data. The sandbox provides a means for organisations to test products and services they produce against the regulatory requirements enforced by the EU’s incoming General Data Protection Regulation. The ICO hopes this will allow for “data protection by design”, where adequate safeguards can be baked into a product as it’s being created. As part of this initiative, the ICO will create a two-year postdoctoral role looking at the effect of AI on data privacy. It will also establish an annual ICO conference on Data Protection and Technology to help showcase industry innovations, and a “panel of forensic investigators” that will support current regulatory investigations. [ICO Blog – additional coverage at: The Register and Out-Law]

UK – Denham Named Most Influential Individual in Data-Driven Business

U.K. Information Commissioner Elizabeth Denham has been given the top spot of the DataIQ 100. For the fifth year in a row, DataIQ has released its list of the top 100 influencers in data-driven business. Denham lands the highest spot on the list, which recognizes individuals who show leadership and engagement with the data and analytics industry. “My role allows me to engage with progressive companies and public bodies looking to adopt privacy by design solutions. I am struck by entrepreneurial development of products which minimise the amount of personal data processed and which maximise the control people have over their data,” Denham said. “I am honoured to work with 500 staff dedicated to innovative regulation and excellent public service.” [ICO.uk.org]

UK – New Fee Charging Structure to Fund the UK ICO

The UK Government has announced a new three-tier charging structure for data controllers to ensure the continued funding of the Information Commissioner’s Office (ICO). It will come into effect on 25 May 2018 to coincide with the GDPR coming into force. Currently, organisations that are controllers of personal data are legally required to register details of their processing activities with the ICO and pay a notification fee of £35 or £500, unless they are exempt. The [new] three-tier fee structure is as follows: Tier 1) Micro organisations Fee: £40; Tier 2) Small or medium organisations Fee: £60; and Tier 3) Large organisations Fee: £2,900. Generally, organisations that are controllers of personal data are required to pay the notification fee. However, there are exemptions [but] even if there is an exemption to paying a fee, there is still a need to comply with other data protection obligations. [HLDA Data Protection see also: Security & Privacy // Bytes Blog (Squire)]

Finance

CA – Split Tax Information Sharing Plan from Budget Bill, Says Critic

A controversial proposal to give the Canadian government more powers to share confidential tax return information with police in foreign countries should be broken out of the budget [see here & 369 pg PDF here] and tabled separately in the House of Commons, said Conservative revenue critic Pat Kelly. “We should have an opportunity to debate it separately and at committee hear testimony from the privacy commissioner,” Kelly said. “It’s not budgetary. There are significant privacy issues that really should be debated and I’m not prepared to take a position on whether or not this expansion of their information-sharing regime is appropriate or not until that debate and discussion and details are provided.” Michael Bryant of the Canadian Civil Liberties Association said …”The big concern is that Canada would be unwittingly participating in a star chamber investigation and prosecution of somebody in another jurisdiction,” he said, “or that Canadians would in essence be thrown under the bus and information would be shared with other jurisdictions that don’t have our due process and constitutional protections.” [Kelly said] …”privacy is a major, major concern and it’s not clear whether a privacy impact assessment has taken place.” Tobi Cohen, spokeswoman for Privacy Commissioner Daniel Therrien’s office, said the office has not yet received a privacy impact assessment (PIA) from the government for the measures included in the budget. Cohen said the privacy commissioner’s office will wait to see the details of the measures in legislation before it comments further. [CBC | Commissioner provides comments and recommendations for the review of the Proceeds of Crime and Terrorist Financing Act | Canadians’ confidential tax info to be shared with police in other countries ]

FOI

CA – P.E.I. Urged to Extend Freedom of Information Legislation to Include UPEI

Post-secondary institutions in P.E.I. have skirted accountability far too long, says the UPEI faculty president. Nola Etkin is urging the government to extend the province’s Freedom of Information and Protection of Privacy (FOIPP) legislation to include the Island’s lone university. “UPEI is the only Canadian university that doesn’t fall under FOIPP legislation and Islanders should have the same rights to that information that all other Canadians take for granted,” she says. With the provincial FOIPP legislation currently under review [see here], the UPEI Student Union, the UPEI Faculty Association, and CUPE 1870 are calling on the province to add post-secondary institutions to the list of public bodies included under the FOIPP Act. [The Guardian see also: CBC News and P.E.I.’s FOIPP review: Where the key players stand on releasing information to you ]

CA – Ontario Town’s Disclosure an Invasion of Privacy

The IPC Ontario addressed a complaint against the Town of South Bruce Peninsula involving disclosure of litigation records, under the Municipal Freedom of Information and Protection of Privacy Act. The town was under the wrong impression that records of an individual’s name, the amount of the court costs awarded against him, and the fact that these have been paid are not “personal information”; the fact that the information relates to the entity as well does not mean that it cannot also consist of personal information. [IPC ON – privacy Complaint Report MC15-41 – Town of South Bruce Peninsula]

NZ – NZ Privacy Commissioner Introduces Subject Access Request Tool

New Zealand’s Office of the Privacy Commissioner has created AboutMe, a new tool to help individuals request their personal data from organizations in New Zealand. Under the Privacy Act, individuals will have the right to request that their personal data be disclosed. To consumers, the commission states, “If your request deals with highly personal or very sensitive information, we suggest you call or write to the organisation directly, rather than using this tool to email it.” [Privacy.org.nz]

Health / Medical

WW – Insider Threat Seriously Undermining Healthcare Cybersecurity

The healthcare industry’s ability to defend against cyberthreats is being seriously undermined by its own workforce, according to two separate reports released last week. In an analysis of 1,368 security incidents at healthcare organizations in 27 countries, Verizon found that nearly six out of 10 (58%) security incidents involve insiders. That figure, according to Verizon, makes healthcare the only sector where internal actors pose a bigger threat to an organization’s cybersecurity posture than external actors. In an Accenture report [see blog post here] based on a survey of 912 healthcare employees in the US and Canada, some 18% of the respondents — or nearly 1 in 5 — professed their willingness to sell confidential data to unauthorized third parties for as little as between $500 and $1,000. Among the malicious activity they were willing to perform: sell login credentials, download data to portable drives, and install tracking software on business systems. 24% actually know someone in their organization who had sold their access credentials to an unauthorized third party. The willingness to sell confidential data was more pronounced among respondents from provider organizations (21%), compared to those in payer organizations (12%). The Verizon and Accenture reports are among several new reports that paint an especially bleak picture of healthcare cybersecurity against the backdrop of the Healthcare Information and Management Systems Society’s (HIMSS) conference in Las Vegas this week. US organizations in particular appear to be struggling more with security issues than counterparts in other regions of the world. [Dark Reading and at: Health IT Security, Healthcare Informatics, Fortune and Becker’s Hospital Review]

Horror Stories

US – Equifax Hack Could Cost ‘Well Over $600M’

Equifax’s massive 2017 data breach could turn out to be the most costly in corporate history. Equifax disclosed that it expects to incur another $275 million this year in costs related to the hack, bringing the total to $439 million through the end of 2018. Larry Ponemon, chairman of Ponemon Institute [here] said total costs could be “well over $600 million,” including costs to resolve government investigations into the incident and civil lawsuits against the firm. [CFO Additional coverage at: Reuters | Equifax says consumer bureau still probing hack despite report it eased off]

CA – Uber to Inform Canadians Affected by Data Breach

Uber will inform all Canadians whose personal data may have been compromised in a 2016 breach after Alberta’s privacy commissioner ruled it must notify impacted drivers and riders in the province. In a decision dated Feb. 28, the commissioner ruled that there is a real risk of significant harm to the affected individuals as a result of an Oct. 2016 breach that saw the theft of information — including names, email addresses and mobile numbers — from some 57 million accounts globally. The personal information of drivers, such as their driver’s license numbers, could be used for identity theft or fraud, wrote Jill Clayton, information and privacy commissioner. “These are significant harms,” she wrote. While Uber disagrees with the ruling, it will comply, said a spokesman. [The Canadian Press]

Law Enforcement

CA – Toronto Police Used IMSI Catchers to Identify Threat Against Mayor

City of Toronto Mayor John Tory told reporters at a March 6th, 2018 press conference that he was made aware of TPS [Toronto Police Services] using IMSI catchers [see wiki here] last year. TPS used IMSI mobile phone trackers last year in order to identify an individual making threats against Tory. Tory’s acknowledgement that he knew about TPS using cellphone trackers came mere days after the Toronto Star reported that it was able to obtain documents stating that TPS used IMSI catchers in five separate investigations since 2010 — even after the force claimed to not use the technology or even have access to it. An Office of the Privacy Commissioner of Canada (OPC) report [see here] also revealed that the RCMP used IMSI catchers without “exigent circumstances” six times out of 126 instances of surveillance. [MobileSyrup | Two years after they said they didn’t, Toronto police admit they use Stingray cellphone snooping device | Star editorial: Ontario: Time to crack down on ‘stingrays’ | How the Star finally learned Toronto police used cellphone data-catching devices]

Location

US – MoviePass CEO Discloses Location Tracking Efforts

Speaking at the Entertainment Finance Forum, MoviePass CEO Mitch Lowe described the ways his company is tracking users. “We get an enormous amount of information,” Lowe said. “We watch how you drive from home to the movies. We watch where you go afterward.” The MoviePass privacy policy, however, only refers to tracking locations when selecting a theater in order to help customize the service. A MoviePass representative said in a statement the company does not sell any of the data it collects but intends to use the information to offer personalized advertisements. [TechCrunch]

WW – Transcription App’s Privacy Policy Found To Be Faulty

Privacy issues have been identified in new transcription app Otter. The app allows users to record and transcribe meetings in real time using artificial intelligence. While the app claims only the user has access to the data, Otter’s privacy policy does not state that data will not be used for any purpose. After ZDNet published their original story, Otter changed its privacy policy and removed several sections, including a segment on granting the company the rights to access and use data. An Otter spokesperson said only their CTO has access to any information and will allow access only for legitimate user requests. [ZDNet]

US – Location-Based Advertising Expected to Expand

A Wall Street Journal article examines the potential increase in mobile app access to, and profit from, available user location data. When a user shares location data with an app, the user often inadvertently allows the app to sell the data to data vendors. While personal data is often fragmented in such instances, the article states that as the ability to track users expands, so too does the possibility of exposing user location data. While advertisers spent $16 billion on location-targeted ads for mobile devices in 2017, research from BIA/Kelsey estimates that firms will increase spending to $32.4 billion by 2021. [Wall Street Journal]

Offshore

WW – New Series Highlights Privacy in Marginalized Communities

The International Journal of Communication announced the release of a new section, designed to highlight privacy in marginalized communities. In the series, “Privacy at the Margins,” 10 international scholars challenge the basic assumptions underlying privacy and shine a light on new considerations for researchers. Editors Alice Marwick, faculty adviser to the Media Manipulation Initiative at the Data & Society Research Institute, and danah boyd, principal researcher at Microsoft Research and founder and president of Data & Society Research Institute, write, “Although privacy and surveillance affect different populations in disparate ways, they are often treated as monolithic concepts by journalists, privacy advocates, and researchers. Achieving privacy is especially difficult for those who are marginalized in other areas of life. This special section interrogates what privacy looks like at the margins, investigating a broad spectrum of issues, methodologies, and contexts.” [Source]

Online Privacy

US – FTC Recognizes Lower Notice Requirements for “Consumer-Expected” Data Collection

Last week, the FTC granted a petition by Sears Holding Management seeking modification of a 2009 Commission Order. The notable 2009 Order settled allegations that Sears had improperly failed to provide notice regarding data collection by certain software the company offered to consumers. Sears argued that the 2009 Order placed it at a “competitive disadvantage” in the mobile application marketplace. The now-modified Order enables Sears to conduct certain “consumer-expected” forms of data collection and use without requiring heightened notice or consent under the 2009 Order. The Order may hold broader significance for companies which collect information via mobile applications and other platforms. The modified Order clarifies that the Commission generally does not expect heightened notice regarding data use relating to application functionality “in performing a service the consumer expects.” However, in its opinion granting Sears’ petition, the Commission distinguishes such application functionality from other forms of data use, such as “passive tracking, cross-application tracking, or third-party tracking.” For these activities, and for the “collection and use of sensitive information,” the Commission appears to favor heightened forms of consumer notice and consent. [Alston Privacy]

US – FPF Releases ‘Session Replay Scripts’ Guide

The Future of Privacy Forum has released a guide on “session replay scripts” based on research conducted at Princeton University’s Center for Information Technology Policy. The scripts are used to track visitors’ browsing sessions by monitoring keystrokes and mouse movements. The FPF guide aims to educate privacy professionals on the potential problems the scripts can cause, as improperly implemented scripts can lead to security vulnerabilities and accidental data collection. The guide offers a checklist for privacy professionals to follow when implementing the scripts and advice on vetting the tools, such as examining script providers’ terms of service and privacy policies. [FPF]

Other Jurisdictions

HK – Privacy Commissioner Urges Businesses to Use Data Ethics

Speaking at the Mobile World Congress in Barcelona, Hong Kong Privacy Commissioner Stephen Wong said data privacy policies are essential to increasing consumer trust and growing the field of big data analytics, artificial intelligence and machine learning. Wong stressed the need for data ethics and said, “While consumers disclose to data users or controllers all their sensitive data, we do expect data users or controllers not to betray consumers’ trust. Herein, accountability involves taking proactive and preventive measures to ensure privacy protection and legal compliance.” Wong also asked that attention be paid to “the reasonable expectations, rights, interests and freedoms of the individuals concerned when processing personal data.” He added, “In this regard, I urge data users and controllers to embrace two principles: (1) no surprise to consumers and (2) no harm to consumers.” [Telecom Asia]

Privacy Enhancing Technologies (PETs)

WW – IAPP Releases 2018 Privacy Tech Vendor Report

In the last year, the privacy technology market has gone from an emerging space to a full-blown, dynamic ecosystem. While the first issue of the 2017 Privacy Tech Vendor Report contained 44 privacy tech vendors, Thursday’s newly released 2018 Privacy Tech Vendor Report includes 122 vendors and counting. In this new report, Jedidiah Bracy, CIPP, interviewed 12 privacy practitioners and consultants to get their insight into operationalizing the implementation of third-party tech vendors, from the vetting process, to acquiring budget, to negotiations, to staff training. The report also includes a new “product category matrix,” a visualization of the types of services these vendors offer. This issue also includes a new product category: the “privacy information manager.” [IAPP.org]

Internet of Things / RFID

UK – ICO Advice: 6 Reasons You Need to Think About IoT Data Protection

It’s safe to say the IoT market is booming. At the same time, barely a week goes by without hearing of a connected device that has serious yet basic security flaws, leaving personal data potentially exposed to malicious third parties. As internet-enabled devices process increasing amounts of personal data, as a manufacturer or retailer how much do you really know about the rules around IoT and the way your products use personal information? Here are six points to consider as a starting point for manufacturers and retailers of IoT devices: (For manufacturers) – 1) Your devices will probably be processing personal data; 2) Privacy should be built in from the beginning if a device uses personal data; 3) Data protection and cyber security go hand in hand; 4) You want to build trust with your customers – (For retailers) 5) You have a duty to your customers; and 6) Shoddy products can ruin your reputation. Looking to the future of IoT, we’re working closely with the “Department for Digital, Culture, Media and Sport” (DCMS) on their Secure by Design project. The project is focusing on improving the security of consumer internet connected devices and associated services. DCMS will be publishing a report today [see PR here & Report here] which advocates a fundamental shift in approach to moving the burden away from consumers having to secure their devices and instead ensuring that strong cyber security is built into consumer IoT products by design. Going forward, we are keen to support DCMS’s work with developing their recommendations and encourage stakeholders to provide feedback on DCMS’s draft proposals during their informal consultation. [ICO News blog at: ITPro, Electronics Weekly, Information Age and ZDNet]

Security

AU – Study: Many Companies Don’t Change Security Policy After Cyberattack

A recent study found that 52% of Australian respondents said their organizations rarely change their security strategy, even in the wake of a cyberattack. The 2018 Vanson Bourne-CyberArk Global Advanced Threat Landscape Report surveyed a mix of 160 chief information officers and chief technology officers. In a statement, CyberArk ANZ Regional Director Matthew Brazier said, “Attackers have almost limitless freedom and agility, and are constantly evolving their tools and techniques,” adding, “Organisations, being much larger and more structured, are not able to evolve their security strategy and controls to match this pace of change.” [CSO]

Smart Cars / Cities

US – New Orleans Surveillance Program Gives Powerful Tools to a Police Department With a History of Racism and Abuse

On a street lamp in New Orleans, red and blue flashing lights are fastened to an NOPD surveillance camera that, just like the lights, runs 24 hours a day. This camera is just one of an unknown number that the city installed over the past few months, part of Mayor Mitch Landrieu’s $40 million public safety plan which the American Civil Liberties Union has condemned as “surveillance on steroids.” The plan also includes new license plate readers and a controversial city ordinance that requires the installation of cameras on the outside of all bars and liquor stores. The plan has endured criticism about its high cost and the lack of evidence that surveillance programs are an effective crime prevention strategy. Still others have worried that the Big Easy’s free-wheeling spirit and eccentricity will wane under the perpetual gaze of the police. But more concerning is the public safety plan’s ambiguous purpose and the potential for abuse. It seems that the only oversight will come from the city’s Office of Homeland Security and from within the police department itself, which is currently under a federal consent decree for a myriad of violations including “a pattern of stops, searches, and arrests that violate the Fourth Amendment.” [The Intercept] See also: Detroit Police Are Playing ‘Big Brother’ at Local Businesses

CA – The Risks of Becoming a Google City

Waterfront Toronto’s eagerness to sign a deal with a Google sister company has alarmed experts who warn cities are easy prey for Big Tech and its unquenchable thirst for data. “Google isn’t going to be creating these urban innovations for the public good or the common welfare,” says Jathan Sadowski [see here], a postdoctoral research fellow in Smart Cities at the University of Sydney in Australia. “They’ll be doing things — as we should expect them to — that will benefit their own interests as a private company, as one of the most profitable, most wealthy companies in the world.” Last fall Sidewalk Labs, the urban innovation firm of Google parent Alphabet Inc., won [see here] a competitive bid to be Waterfront Toronto’s “innovation and funding partner” for Quayside, a 12-acre former industrial site at Queens Quay E. and Parliament St. [What few people know is] that board members of Waterfront Toronto, a city, Ontario and federal partnership, had only four days to review the “framework agreement” before signing. Julie Di Lorenzo, chair of the agency’s investment and real estate committee — responsible for reviewing and evaluating “major development projects” — voted against the framework agreement, expressing alarm at the process’ “accelerated manner.” Sidewalk Labs’ role in developing waterfront land, unlocked by the promise of $1.25-billion in government-funded flood protection, remains unclear as work continues on an agreement expected later this year that, if signed by both parties, would formalize the Quayside project dubbed “Sidewalk Toronto.” Sidewalk’s assurances that it envisions making money from licensing new technologies created in the high-tech district, rather than selling data, are not allaying fears. Micah Lasher, Sidewalk Labs’ head of policy and communications, told the Star in an email “there is no data-sharing agreement between Google and Sidewalk Labs.” Sidewalk Toronto is holding its first “public roundtable” March 20 at 6:30 p.m. [Toronto Star] See also: Cracks appear in Sidewalk Labs’ Toronto waterfront plan after fanfare | Welcome to the neighbourhood. Have you read the terms of service? | Sidewalk Labs’ Toronto waterfront tech hub must respect privacy, democracy | A Google-Related Plan Brings Futuristic Vision, Privacy Concerns To Toronto | Sidewalk Toronto promises to listen, but what it really wants is an open question | Don’t lose sight of personal privacy in futuristic city: Editorial

Surveillance

US – Geek Squad’s Relationship with FBI Is Cozier than We Thought

EFF filed a Freedom of Information Act (FOIA) lawsuit last year to learn more about how the FBI uses Geek Squad employees to flag illegal material when people pay Best Buy to repair their computers. The relationship potentially circumvents computer owners’ Fourth Amendment rights. New documents [see here] released to EFF show that the relationship [between the FBI and Geek Squad] goes back years. The records also confirm that the FBI has paid Geek Squad employees as informants. The documents show that Best Buy officials have enjoyed a particularly close relationship with the agency for at least 10 years. They show that over the years of working with Geek Squad employees, FBI agents developed a process for investigating and prosecuting people who sent their devices to the Geek Squad for repairs. The documents detail a series of FBI investigations in which a Geek Squad employee would call the FBI’s Louisville field office after finding what they believed was child pornography. The FBI agent would show up, review the images or video and determine whether they believe they are illegal content. After that, they would seize the hard drive or computer and send it to another FBI field office near where the owner of the device lived. Agents at that local FBI office would then investigate further, and in some cases try to obtain a warrant to search the device. Some of these reports indicate that the FBI treated Geek Squad employees as informants, identifying them as “CHS,” which is shorthand for confidential human sources. In other cases, the FBI identifies the initial calls as coming from Best Buy employees, raising questions as to whether certain employees had different relationships with the FBI. Although these documents provide new details about the FBI’s connection to Geek Squad and its Kentucky repair facility, the FBI has withheld a number of other documents in response to our FOIA suit. 
Worse, the FBI has refused to confirm or deny to EFF whether it has similar relationships with other computer repair facilities or businesses, despite our FOIA specifically requesting those records. We plan to challenge the FBI’s stonewalling in court later this spring. [EFF.org and at: ZDNet, NPR, National Review, Tom’s Hardware, Fast Company and The Register and also Privacy commissioner says that just because information may be “publicly-available,” it doesn’t mean it’s automatically fair game for spy agency’s.]

US Government Programs

US – DHS Cybersecurity Audit Scores Below Target Security Levels

The Office of Inspector General evaluated the information security practices of the Department of Homeland Security and found [see 34 pg PDF here] the agency to be underperforming expected targets in three out of five areas. Unfortunately, while DHS FISMA scores were expected to be at Level Four – which the NIST Cybersecurity Framework describes as a security program that is “Managed and Measurable” but not yet “Optimized” (Level Five) – the DHS cybersecurity audit found that the agency only met those targets for two of five so-called cybersecurity functions. Of the five functions – Identify, Protect, Detect, Respond and Recover – DHS FISMA scored at Level Four in risk management (Identify) and incident response (Respond), but at Level Three in Protect – which includes configuration, identity and access management and training – Detect and Recover. [SearchSecurity See also: ZDNet, CSO Online and Infosecurity Magazine]

US Legislation

US – How Close Is an American Right-To-Be-Forgotten?

While one 2015 survey claims 88% of Americans support this so-called “right-to-be-forgotten,” the prospects of similar legislation or court decision in the U.S. are dim. The New York State Assembly has come nearest to an American version of a right-to-be-forgotten. The Bill, A05323 [see here & 2 pg PDF text here], titled “An act to amend the civil rights law and the civil practice law and rules, in relation to creating the right to be forgotten act,” in large part mimics the European Court of Justice’s decision [see 2014 “Google Spain v AEPD and Mario Costeja González” here & wiki here]. The Assembly’s government operations committee is currently reviewing the legislation for the second time. [Forbes]

Workplace Privacy

US – More Companies Using Technology to Monitor Employees, Sparking Privacy Concerns

Sensors and microchips may signal a new era of a connected workforce, but some experts say these technologies also put employees’ privacy at risk. For example, a recent patent [see here] submitted by tech giant Amazon describes an electronic wristband that could monitor employees’ tasks. Three Square Market, a tech company based in Wisconsin, started an optional microchipping program for its employees in July 2017 [see here]. UPS has sensors on its delivery trucks to track the opening and closing of doors, the engine of the vehicle, and whether a seat belt is buckled [see here]. [ABC News See also: Keeping an Eye on Employees Guidance from BC’s Office of the Information and Privacy Commissioner | European Court Proposes Criteria for Assessing Employee Monitoring Activities]

+++

26 Feb – 05 March 2018

 

Big Data / Artificial Intelligence

WW – Artificial Intelligence: Privacy and Legal Issues

The implementation of AI-based systems is raising a whole host of new legal issues and stimulating a robust public debate about data privacy. It is important, first and foremost, to recognize that data is the “raw material” of artificial intelligence. The greater the amount of data these AI systems have, the better the decisions become. Thus, for any company aiming at AI, the goal is to get as much data as possible in an effort to make their artificial intelligence systems as powerful as possible. There is nothing sinister about this – at least directly. But where things get dicey is when customer data is used in ways that are completely unexpected, potentially representing a threat to your private information. Legal researchers sometimes refer to this as the “Big Data Challenge.” [CPOMagazine and at: Computerworld Australia]

CA – Canadian Competition Policy Focuses in on “Big Data”

The application of competition law and policy to “big data” has become a major focus for government agencies in Canada and around the world. In recent weeks, both the Competition Bureau and the Bank of Canada have weighed in. Competition regulators around the world, from the U.S. to Japan to Germany and the European Union have also issued their own policy statements on the application of competition laws to big data. …The collection and use of personal data raises novel competition law issues. As the Canadian economy becomes increasingly digitized (as reflected by the February 15, 2018 announcement to support a Digital Technology Supercluster), resolving these issues in a coherent and consistent manner will become even more important. [Blakes see also: The Globe and Mail here & here]

WW – NIST Issues Final Guidance on Attribute Metadata

The National Institute of Standards and Technology issued a final report on attribute data. Attribute metadata is considered “trust data” that can be used in agreements, contracts and trust frameworks; parties must evaluate and understand privacy implications associated with a given use case or transaction type, and conduct risk assessments to identify potential negative impacts to privacy arising from the use of certain metadata elements. [NIST – Attribute Metadata – NISTIR 8112]

WW – Opinion: Sublime and Scary Future of Cameras With A.I. Brains

Something strange, scary and sublime is happening to cameras, and it’s going to complicate everything you knew about pictures. There’s a new generation of cameras that understand what they see. They’re eyes connected to brains, machines that no longer just see what you put in front of them, but can act on it — creating intriguing and sometimes eerie possibilities. It doesn’t take long to imagine the useful and very creepy possibilities of cameras that can decipher the world. A.I. will create a revolution in how cameras work, too. Smart cameras will let you analyze pictures with prosecutorial precision, raising the specter of a new kind of surveillance — not just by the government but by everyone around you, even your loved ones at home. [New York Times]

Canada

CA – Federal Standing Committee on Access to Information, Privacy and Ethics Issues Review of PIPEDA

The Standing Committee on Access to Information, Privacy and Ethics (Committee) issued the report Towards Privacy By Design: Review of the Personal Information Protection and Electronic Documents Act (Report). The Report makes 19 recommendations.  Some of the more notable ones:

  • Consent remain the core element of the privacy regime, but that it be enhanced and clarified by additional means, when possible or necessary.
  • The Government of Canada consider implementing measures to improve algorithmic transparency.
  • Paragraph 7(3)(d.2) of the Personal Information Protection and Electronic Documents Act be amended to replace the term “fraud” with “financial crime” and that the definition of “financial crime” in the Act include:
    • fraud;
    • criminal activity and any predicate offence related to money laundering and terrorist financing;
    • all criminal offences committed against financial service providers, their customers or their employees;
    • the contravention of laws of foreign jurisdictions, including those relating to money laundering and terrorist financing.
  • The Government of Canada should consider including in the Personal Information Protection and Electronic Documents Act a framework for a right to erasure based on the model developed by the European Union that would, at a minimum, include a right for young people to have information posted online either by themselves or through an organization taken down.
  • The Government of Canada should consider including a framework for the right to deindexing in the Personal Information Protection and Electronic Documents Act and that this right be expressly recognized in the case of personal information posted online by individuals when they were minors.
  • PIPEDA should be amended to make privacy by design a central principle and to include the seven foundational principles of this concept, where possible.
  • PIPEDA should be amended to give the Privacy Commissioner enforcement powers, including the power to make orders and impose fines for non-compliance.
  • The Government of Canada work with its European Union counterparts to determine what would constitute adequacy status for the Personal Information Protection and Electronic Documents Act in the context of the new General Data Protection Regulation.
  • The Government of Canada determine what, if any, changes to the Personal Information Protection and Electronic Documents Act will be required in order to maintain its adequacy status under the General Data Protection Regulation; and if it is determined that the changes required to maintain adequacy status are not in the Canadian interest, the Government of Canada create mechanisms to allow for the seamless transfer of data between Canada and the European Union.

The Privacy Commissioner of Canada issued a statement applauding the Committee’s recommendations to enhance the Commissioner’s enforcement powers and for taking seriously the Commissioner’s concerns regarding consent and reputation.

CA – OPC: Ottawa Looking to Collect Data, ‘Blurring’ Lines on Privacy

The federal government is “blurring” lines around privacy protections as they look for new ways to collect data on Canadians, according to documents prepared for privacy commissioner Daniel Therrien and obtained under access to information law, which suggest the 35-year-old Privacy Act may be too “permissive” in how the federal government can collect and use Canadians’ personal information. Therrien’s warning was aimed at a select group of senior bureaucrats tasked with examining new ways to deliver government services using digital means, while balancing concerns around privacy and transparency. The Liberal government has committed to overhauling the Privacy Act, but has not yet begun promised public consultations on the issue. Any Canadian review of privacy laws would take place against the backdrop of sweeping new data protection rules in the European Union, which come into force later this year. [Toronto Star]

CA – Liberals Pitch $500 Million Cyber Security Plan

The National Cyber Security Strategy, announced in the Liberals’ 2018 budget, spreads the $507.7 million over five years and across multiple departments and agencies with a hand in cyber defence. The budget is light on the actual details of the strategy, but it does lay out who will get increased funding. The Communications Security Establishment will play a central role in the new strategy. The Liberals are planning to consolidate the federal government’s cyber defence expertise under one roof [“Canadian Centre for Cyber Security”] within the CSE, and the centre will be open to Canadian citizens and private businesses. CSE will receive $155.2 million over the next five years to establish and operate the centre. Under the new strategy, responsibility for investigating cyber crime will remain with the RCMP, who will receive $116 million over five years to create a new unit to coordinate those investigations. In addition to the cyber security strategy, the Liberal budget proposed $225 million over four years, beginning in 2020, to “preserve” CSE’s ability to conduct foreign electronic spying. [Toronto Star at: IT World Canada, National Observer, iPolitics, Calgary Herald and MobileSyrup]

CA – Parents, Muslim Group Welcome Budget’s $$$ for Federal No-Fly Fixes

The 2018 Federal budget sets aside $81.4 million over five years, starting in 2018–19, and $14 million a year ongoing, to remake the much-maligned no-fly program. The money will go to the Canada Border Services Agency, Public Safety and Transport Canada. Families from the group known as the No Fly List Kids successfully pressed the government to redesign the system after many nerve-racking airport delays due to children being mismatched with people on the no-fly roster. The federal money will be used to develop “a rigorous centralized screening model” as well as a redress system for legitimate air travellers caught up in the no-fly web. The revised program will help ensure that privacy and fairness concerns are addressed, while keeping Canadians safe, the budget plan says. [Winnipeg Free Press See also: Global News, CTV News and CBC News]

CA – Federal budget: Ottawa to Study Merits of ‘Open Banking’

Ottawa is going to study the merits of introducing “open banking”, which allows consumers’ financial data to be shared between banks and other financial services providers, to see if it should be introduced in Canada. In last week’s budget, the government said open banking has the potential to increase innovation and competition in the banking sector. But it also gives rise to concerns over privacy and data security, so a final decision has not been made. [Calgary Herald and at: Global News and IT World Canada]

CA – B.C. Parent Raises Flags Over School District Privacy Breach

About 1,000 past and present students in the Chilliwack School District may have been affected by a privacy breach that took place between 2005 and 2015. A letter [PDF here or here] explaining the breach was published by the district on their website on Dec. 22, 2017, but the information has not come up in any recent public meetings. It happened through the district’s participation in research with a not-for-profit group called Educational and Community Supports, a program of the University of Oregon. The connection between School District 33 and Educational and Community Supports was for the use of a program called “Positive Behaviour Information System” (PBI-SWIS). Data was sent across the border for the program, and the school district paid a licensing fee for the software. In their public letter, the district states the program is used to track behavioural incidents. “PBI-SWIS was used to gather information about the type and frequency of school based behavioural interventions on an individual and aggregated basis. Only information pertaining to students receiving behaviour support or intervention was affected. We estimate that the number of students affected was approximately 1,000.” The school district has been working with the Office of the Information and Privacy Commissioner to respond to privacy concerns and says there is “no information to suggest that any of this research information was used or disclosed for any purpose other than the university research.” [Observer]

CA – Preparing for Mandatory Data Breach Reporting and Record-Keeping

In Canada, regulation of the protection of personal information for private-sector organizations is governed by either federal legislation, PIPEDA [text here & OPC info here], or substantially similar provincial legislation — currently Alberta [here], British Columbia [here] and Quebec [here]. In June of 2015, PIPEDA saw significant amendments under the “Digital Privacy Act”, including the introduction of mandatory breach reporting and record-keeping … [which are expected to become operational this Spring]. On September 2, 2017, the Canadian government published the Breach of Security Safeguards Regulations [here], which provide further details on mandatory breach reporting and record-keeping. Alberta’s “Personal Information Protection Act” (“PIPA” here) is the only piece of Canadian legislation currently requiring mandatory notification of data breaches. There are many similarities between the reporting provisions of PIPA and PIPEDA and we can look to PIPA in assessing how mandatory reporting will occur. PIPEDA will also require organizations to maintain records of every unauthorized disclosure of personal information for two years after it occurs. There is no threshold associated with this requirement, so even records relating to data breaches with no risk of significant harm must be kept. This record-keeping requirement is a significant regulatory burden on corporations, particularly smaller organizations without dedicated privacy departments. However, with potential fines of up to $100,000 under both PIPA and PIPEDA, organizations are well advised to ensure compliance with privacy requirements. The OPC may request to inspect a corporation’s breach records at any time. [DLA Piper]

CA – OIPC AB Finds Lawful Access to Records

The Alberta OIPC investigated a complaint against the Calgary Police Service, pursuant to the Freedom of Information and Protection of Privacy Act. A credit check performed by the police service was necessary to maintain public safety and the safety of children; the individual failed to show up for a scheduled court application to deal with a guardianship order relating to his children, had taken his premature infant son from the hospital (against doctor’s advice), and left the province with his children. [OIPC AB – Order F2018-05 – Calgary Police Service]

CA – Newfoundland Entity Failed to Preserve Responsive Records

This OIPC Newfoundland and Labrador report reviews the Town of Paradise’s handling of a request for records pursuant to the Access to Information and Protection of Privacy Act. The entity’s CCTV system erased the recordings after receiving the request for images captured; they were overwritten at 14 days instead of 30 days as indicated in their policy due to having exceeded storage capacity. The organization must acquire the capacity to store the information as indicated by their policy and be able to de-identify persons recorded. [OIPC NL – Report A-2018-005 – Town of Paradise]

CA – A Strong Society Interest Protects Excess Information from Exclusion

The court reviewed Joshua and Cynthia DeSilva’s request to exclude the results of a production order issued by a Justice of the Peace and executed on the CIBC. Individuals’ privacy was infringed when police obtained information which led them to believe there were bank accounts at a certain financial institution; this information was outside the scope of the warrant but a strong societal interest in having the issue resolved allowed the evidence to be used. [Her Majesty the Queen v Joshua and Cynthia DeSilva – Ontario Court of Justice]

CA – Ontario Court: Insurer Obligated to Defend Hospital Employee in Lawsuit

The Ontario Superior Court has ruled, in the case Oliveira v. Aviva Canada Inc, that insurance company Aviva is obligated to defend a hospital employee against a privacy breach lawsuit by a former patient. An ex-patient alleged that the employee – who is not involved in providing care to the patient – breached the patient’s privacy by frequently accessing the patient’s medical records without a legitimate reason. Aviva refused to defend the employee on the basis that the alleged privacy breach did not arise from the “operations” of the hospital. The insurer also argued that the employee was not “acting under the direction of the hospital” when the individual committed the alleged privacy breach. The company added that the employee abused her position and engaged in unlawful activities unrelated to her employment by the hospital, conflicting with her employment obligations. The Superior Court rejected these arguments, saying that they would have excluded a considerable portion of the privacy breach coverage that Aviva’s insurance policy claimed to provide. [Insurance Business Magazine]

CA – Metrolinx Gave Presto Users’ Personal Info to Police 30 Times Last Year

Metrolinx provided law enforcement agencies with Presto fare card users’ personal information 30 times in 2017, complying with roughly half of the requests made by officers. In a first-of-its-kind report published last week, the regional transit agency detailed its response to all of the police applications for Presto information it received last year. The public disclosure is part of an enhanced privacy policy Metrolinx adopted in December, after the Star revealed it had been quietly sharing Presto data with police. According to the report, law enforcement agencies made 64 requests in 2017. Of those, 27 were for emergencies such as a missing person, and 33 were related to investigations into an alleged offence. Four instances were related to found wallets. Metrolinx provided information for eight of the 27 emergency requests. The agency said that often the missing person was found before it provided police with their card information. It shared data in the majority of requests related to offence investigations, or 22 out of the 33. Although Metrolinx agreed to 30 of the requests, in some cases more than one card owner was involved, and the agency says a total of 35 customers’ information was provided. At least 10 agencies asked Metrolinx for Presto data, including two from outside the province. In addition to requests made by the agency’s own transit safety officers, applications also came from forces in Durham, Edmonton, Halton, Ottawa, Peel, Port Hope, Quebec, Toronto, and York. Metrolinx didn’t comply with 34 of the 64 requests it received in 2017. The agency said one reason it would reject an application is if it was too broad. [Toronto Star]

CA – New Standard for Certifying Privacy Breach Class Actions?

Judges in class action lawsuits involving privacy breaches are going to become “more accepting of the notion that you can get money for your inconvenience,” Eric Dolden, a partner with Dolden Wallace Folick LLP, said at a Cyber Risk Summit in Toronto [see here]. “If you had a psychological ‘sequela’ secondary to an invasion of privacy, that’s going to get you over the finish line.” [A “sequela” is a condition that is the consequence of a previous condition or a disease.] In Condon v. Canada, the Federal Court of Appeal allowed claims for negligence and breach of confidence to be included as part of a class proceeding. The original Federal Court judge did not include it as part of the class action lawsuit, noting that “it is plain and obvious that the claims based on negligence and breach of confidence would fail for lack of compensable damages.” … “People whose privacy’s being infringed electronically or otherwise have a right to claim damage even if they have no actual injury,” Dolden said during the session Claims & Losses Update. “[There’s cases] where Canadian judges awarded damage where there’s no harm to the claimant, merely the fear of harm – my credit card might be used or my personal medical details might be disclosed to someone. That’s really important because that’s the bulk of claims that as defence counsel we face in Canada.” [Canadian Underwriter]

CA – N.W.T. Health Information Act too Complicated, Should Be Simplified: OIPC

Elaine Keenan Bengts [see here], the information and privacy commissioner for the N.W.T. [and Nunavut] is calling on the N.W.T. government to fix its Health Information Act [see 111 pg PDF here] because she says it’s too dense and hard to understand. Keenan Bengts said the government doesn’t have the technology to properly protect people’s health information, as outlined in the act. The act says residents should be in control of who can have access to their health records, but Keenan Bengts said the systems aren’t in place for that to happen. She said people should be able to block someone, such as an ex-partner working in health care, from accessing their health information. This isn’t the first time the privacy commissioner has chastised the department over the Health Information Act. In the six months after the act became law, the commissioner said there were seven separate privacy complaints. [CBC]

CA – Cracks Appear in Sidewalk Labs’ Toronto Waterfront Plan after Fanfare

Four months have passed since Waterfront Toronto, the municipal-provincial-federal development agency, named Sidewalk its “innovation and funding partner” for the project [see here] – time enough for some of the gee-whiz talk of hyper-energy-efficient modular buildings and “taxibots” to be replaced by a rising chorus of critics both inside and outside City Hall. The concerns over privacy sparked by proposals involving arrays of cameras and sensors – from a company owned by Google – have been raised locally and in publications such as U.S. tech magazine Wired and Britain’s The Guardian. Sidewalk has hired former Ontario privacy commissioner Ann Cavoukian and Waterfront Toronto hired former federal privacy commissioner Chantal Bernier as advisers to help deal with these issues. Meanwhile, despite briefings from Waterfront Toronto and Sidewalk executives, some city councillors say they still have little idea what Sidewalk actually intends to do – or where. The project is supposed to be limited, at first, to the 12-acre Quayside parcel. [Globe & Mail and at: The Globe and Mail and The New York Times]

CA – Some Gains on FOI and Privacy, Says Gogolek, But Much More to Do

Vincent Gogolek offered parting comments after stepping down as executive director at the Freedom of Information and Privacy Association, an advocacy group. FIPA will be in good hands with Sara Neuert taking over as executive director, Gogolek said. And he expressed gratitude to founder Darrell Evans, the Law Foundation of BC, volunteers on the FIPA board, and the various information and privacy commissioners “who’ve listened to us with varying degrees of sympathy or annoyance over the years.” Gogolek has commented on FOI, privacy and other topics frequently for The Tyee and other media, so we took the occasion of his retirement to get his thoughts on what’s changed, what still needs to be improved, and what he sees as the emerging issues. Following is an edited version of that discussion. [The Tyee]

WW – The Next Big Thing: Data Breach Securities Class Action Litigation

Over the past year, plaintiffs have filed nine federal class action securities fraud lawsuits [see wiki here] against public companies after data security incidents, according to a recent Bloomberg Law study. And in each case, the company’s stock dropped after the disclosure of either a data breach or alleged data security vulnerability. In earlier data breaches, it was unusual to see declines in stock price – a necessary element of a securities fraud claim. But the Yahoo! and Equifax hacks changed that with stock prices tumbling and billions of dollars in market capitalization lost. Shareholders have generally used one of two legal theories: First, shareholders have alleged that the company’s pre-breach public disclosures didn’t adequately disclose the risk of a data security incident or that the company overstated its cybersecurity strength or capabilities. Or second, that the company withheld or was too slow in disclosing a breach after it was detected. This way, the claims cover both shareholders who purchased stock before the breach as well as those who purchased after the breach but before the public disclosure. For companies on the receiving end of a data security-related class action securities fraud complaint during the past year, we have found that the lawsuits fall into three general categories: 1) Companies That Tout Their Data Security; 2) Companies That Said Nothing about Data Security (Allegedly); and 3) Companies That Concededly Disclose Risks Connected to Data Security But Are Sued Nonetheless. We suspect that these nine cases are only the beginning and additional cases will be filed whenever a data security incident is followed by a decline in stock price. [PBWT]

Consumer

AU – Australians Concerned About Online Privacy

The University of Sydney released the results of a study concerning the role of private, transnational digital platforms on work, study and business in Australia, based on: a national survey of 1,600 Australians; a focus group discussion; and an analysis of legal, policy and governance issues. Concerns include profiling and analytics (almost 2/3 have changed their social media settings), government data matching and surveillance (most consider retention of phone call information to be a privacy breach), the workplace (almost half of employers have a policy on what employees post online), and speech regulation (1/4 have had personal content posted without their consent). [Digital Rights in Australia]

E-Government

US – Lack of Funding Exposes US Federal Agencies to High Data Breach Risks

Last week, cybersecurity firm Thales, in conjunction with analyst firm 451 Research, revealed the results of the “2018 Thales Data Threat Report, Federal Edition” [see PR here & 8 pg PDF report here]. [It] suggests US federal agencies suffer the highest volume of data breaches out of government agencies worldwide, and budgets are part of the problem. 57% of federal agencies experienced a data breach in the past year, in comparison to only 26% of non-US government agencies worldwide. This is a vast jump from an estimated 34% in 2016 – 2017, and 18% in 2015 – 2016. 93% of respondents said that security spending will be increased over the coming year within their IT budgets. In total, 56% plan to spend their budgets by focusing on endpoint security, 48% will home in on network security, and 19% view data-centric security as a focal point. [ZDNet and at: ExecutiveBiz Blog and Channelnomics]

US – DHS Classified Briefings for State Election Officials

The US Department of Homeland Security (DHS) provided state election officials with classified briefings on election systems cybersecurity. The election officials were in Washington, DC, for a meeting of the National Association for Secretaries of State (NASS) and the National Association of State Election Directors. DHS described the briefings as being “focused on increasing awareness of foreign adversary intent and capabilities against the states’ election infrastructure, as well as a discussion of threat mitigation efforts.” [fcw.com: State officials get classified briefings on election security]

E-Mail

CA – Ontario Arbitration Board Rules Patient Consented to Email

The Ontario Health Professions Appeal and Review Board considered an appeal by a patient of a decision of the Inquiries, Complaints and Reports Committee of the College of Optometrists. A patient complained that an optometrist had sent her digital eye exam images over email in an unsecured manner, but the Board ruled that the patient had specifically requested that the images be sent to her at that email address. [C.T. v. A.L.,OD – 2018 CanLII 5616 – File # 16-CRV-0525 – Health Professions Appeal and Review Board of Ontario]

Electronic Records

CA – OIPC ON: Health Records Were Accurate to Serve Purpose

The Ontario OIPC investigated complaints against the Toronto Central Local Health Integration Network, alleging violations of PHIPA. An individual sought the correction of 62 health records consisting of an assessment of her care needs and evaluation of placement in a care facility; however, the request failed to establish that the records were inaccurate to serve the purposes of assessment and evaluation, and custodians are not obligated to correct information on which they do not rely for the relevant purpose. [IPC ON – PHIPA Decision 67 – Toronto Central Local Health Integration Network]

CA – Alberta Physicians’ EHR Access Lawful

An Alberta Court reviewed a decision of the Alberta OIPC, finding Drs. Gowrishankar and Pinsk violated the Health Information Act. The Court quashed an OIPC decision that two physicians were not authorized to access a child’s medical records in a hospital database; the access was to respond to a complaint by the child’s mother about medical treatment received from the physicians, and the mother signed a consent form (as part of the complaint process) allowing the hospital to obtain relevant medical records. [Drs. Gowrishankar and Pinsk and AB Health Services v. JK_LK and OIPC AB – 2018 ABQB 70 CanLII – Court of Queens Bench of Alberta]

CA – Increased Risk of Harm from Loyalty Program Hack

The Alberta OIPC was notified of a personal information breach by Imperial Oil Ltd, pursuant to the Personal Information Protection Act. Routine website traffic alerts discovered the hack by an unknown third party using IDs and passwords; the breached information (name, billing address, account password, loyalty points and email) could be used to access accounts, for phishing, or to compromise other online accounts with the same password. The Company required users to reset all logins and passwords, enhanced geo-blocking with IP location control for website access, and issued new accounts and cards. [OIPC AB – Breach Notification Decision P2018-ND-019 – Imperial Oil Ltd]

CA – OPCC: Bill C-49 Lacks OPC Oversight

The OPC Canada commented before the Senate Standing Committee on Transportation and Communications on Bill C-49. If enacted, the bill would provide that companies would not have to comply with PIPEDA’s obligations in relation to the collection, use, disclosure and retention of PI collected from locomotive voice and video recorders; the bill should confirm the jurisdiction of the OPC to investigate complaints relating to alleged violations of PIPEDA, including whether exceptions found in the Railway Safety Act were properly applied. [OPC Canada – Appearance Before the Senate Committee on Transportation and Communications on Bill C-49]

EU Developments

EU – Europe Seeks Power to Seize Overseas Data in Challenge to Tech Giants

The European Union is preparing legislation to force companies to turn over customers’ personal data when requested even if it is stored on servers outside the bloc, a position that will put Europe at loggerheads with tech giants and privacy campaigners. The EU push comes as a landmark legal battle in the United States nears its climax. The U.S. Supreme Court will [Feb 26] hear oral arguments in a case pitting Microsoft against U.S. prosecutors, who are trying to force the company to turn over emails stored on its servers in Ireland. [see here] Campaigners say giving governments so-called extra-territorial authority to reach across borders and access data would erode individuals’ privacy rights. The planned law, which would apply to all companies around the world that do business in the European Union, is an apparent shift in position for the European Commission, the EU executive. In 2014, it said in relation to the Microsoft case that “extraterritorial application of foreign laws (and orders to companies based thereon) … may be in breach of international law”. The legislation is still in the drafting stage and is expected to go before lawmakers and member states at the end of March. [Reuters see also at: Silicon UK, AppleInsider, Wccftech, Siliconrepublic, Patently Apple and Computing]

EU – Article 29 WP Draft Accreditation Guidelines

The Article 29 Working Party has issued draft guidance on the accreditation of certification bodies under the GDPR. Public comments can be submitted until March 30, 2018. The GDPR empowers Supervisory Authorities to accredit certification bodies, using accreditation criteria guided by ISO 17065 and complemented by any additional requirements to assess the independence and data protection expertise of the certification body, and where applicable, withdraw certifications or order certification bodies to not issue certifications. [Article 29 WP – Draft Guidelines on the Accreditation of Certification Bodies Under the GDPR – WP261]

Filtering

CA – Canadian Telecoms Firms Target Pirates With Online Censorship Plan

Plans are afoot in Canada to block access to websites which host pirated content. …The coalition, which has named itself Fairplay and consists of more than 30 media companies, including Bell, Rogers, and CBC, submitted their proposal to the CRTC at the end of January. But there has been a heated response to the proposals because of the fears of the wider internet censorship it could lead to. The coalition proposed that the CRTC should set up an independent agency whose job was to identify websites which were primarily focused on disseminating pirated content. That body would then have the power to require telecommunications companies to block access to these sites. The CRTC quickly put the idea up for comment on their website. Of the 5,000 or so people who have commented [see submissions here] so far, most have been overwhelmingly negative, with many highlighting big concerns about where this online censorship programme would end. Open Media has been especially vocal in its criticism of the proposals and is collecting signatories for their own submission in response to the proposals. They have amassed 16,000 signatures in support of their position so far. If the suggested blocking of sites does come into effect, then all will still not be lost for Canadian citizens who value their online privacy either. By using a reputable VPN, such as IPVanish or ExpressVPN, they will be able to access any blocked content simply by redirecting their online traffic through a server located outside Canada. [VPN and at: CBC News and Michael Geist Blog here, here, here, here, here]

CA – The Case Against the Bell Coalition’s Website Blocking Plan, Part 12: Increasing Privacy Risks for Canadians

The Bell website blocking coalition cites privacy protection as a reason to support its plan, noting the privacy risks that can arise from unauthorized streaming sites. There are obviously far better ways of protecting user privacy from risks on the Internet than blocking access to sites that might create those risks, however. Further, with literally millions of sites that pose some privacy risk, few would argue that the solution lies in blocking all of them. In fact, the privacy argument is not only weak, it is exceptionally hypocritical. Bell is arguably the worst major Canadian telecom company on user privacy and its attempt to justify website blocking on the grounds that it wants to protect privacy is not credible. …Rather than enhancing privacy protection, the Bell coalition proposal puts it at greater risk, with the possibility of VPN blocking, incentives to monitor customer traffic, and the potential adoption of invasive site blocking technologies. [Geist]

Finance

CA – Confidential Tax Info to Be Shared With Police In Other Countries

Confidential information from Canadian taxpayers could soon be shared with police and authorities in three dozen countries around the world, under measures included in Finance Minister Bill Morneau’s latest budget [see here & 369 pg PDF here]. In an inconspicuous section tucked into a small 78-page annex to the budget, the government says it wants to give police and tax authorities new powers to fight tax evasion and advance international investigations into serious crimes, ranging from drug trafficking and money laundering to terrorism. A civil liberties advocate accuses the government of using the budget to hide controversial changes. “If you can get something buried in the budget that nobody knows about, sometimes you can get something passed without getting the kind of heat it deserves … this deserves a lot of heat from the opposition and scrutiny from media,” said Michael Bryant, executive director of the Canadian Civil Liberties Association and a former Ontario attorney general. Bryant said the proposed changes risk affecting Canadians’ civil liberties and should be introduced — and debated — as part of a separate bill. “The big concern is that Canada would be unwittingly participating in a star chamber investigation and prosecution of somebody in another jurisdiction, or that Canadians would in essence be thrown under the bus and information would be shared with other jurisdictions that don’t have our due process and constitutional protections,” he said. The government also plans to give Canadian police more access to tax information. Currently, police investigating certain crimes can obtain a court order to get income tax information. The government plans to extend that ability to access confidential information to the Excise Act, which taxes a variety of products, including tobacco and alcohol. [CBC See more at: Canadian Press, iPolitics.ca, The Globe and Mail, CTV News and Global News]

FOI

CA – Canadian Firms Hindering Customer Data Access Requests: Study

Businesses could do a better job at responding to Canadians’ requests to look at the personal data they hold, according to a new study from the University of Toronto’s Citizen Lab. Under the federal PIPEDA, Canadians can make data access requests (DARs) to find out how their personal data is collected and is being used by any company — based here or not — that holds their personal information. But after three years of volunteers submitting requests to 23 telecommunications companies, fitness trackers and online dating services, researchers concluded “processes surrounding DAR-handling and -processing are immature.” Among the problems were inconsistent responses, large dumps of data that would be hard to understand and charging fees. For those wanting to create a DAR, Citizen Lab and its partners have operated Access My Info (AMI), a web application that makes it easier for Canadians to create one. As of February over 6,000 requests have been created using the application in Canada. [IT World Canada | CBC Radio]

Health / Medical

US – Medical Center Not Liable for Unauthorized Access

The Arkansas Supreme Court considers whether St. Vincent Infirmary Medical Center is vicariously liable for unauthorized access to medical records. An Arkansas medical center is not liable for its employees accessing medical records of a public figure treated at its facility; the access was outside the scope of their employment, in violation of the medical center’s training, was not authorized or ratified by the medical center (the employees were subsequently terminated), and the individuals pled guilty to HIPAA violations. [Patricia Cannady v. St. Vincent Infirmary Med. Ctr. 2018 Ark. LEXIS 31 – Supreme Court of Arkansas]

Horror Stories

US – Equifax Identifies Additional 2.4 Million Affected by 2017 Breach

Equifax announced that it identified about 2.4 million U.S. consumers whose names and partial driver’s license information were stolen. The company said the consumers affected “were not in the previously identified” population of cyberattack victims. That brings the total number of U.S. consumers whose personal information was compromised by the breach to 147.9 million, up from 145.5 million previously. These latest breach findings are based on a new methodology it is using to conduct further analysis of the impact of the event. It said its original findings were centered around people whose Social Security numbers were compromised because its forensic investigation led the company to believe that the attackers were focused primarily on attaining Social Security numbers. The analysis found that there was partial driver’s license information, like strings of digits of drivers’ license numbers, and names. That is how it found the additional 2.4 million people who were affected. The company said those consumers’ information was stolen by the hackers. However, their Social Security numbers weren’t affected by the hack. It said that “in the vast majority of cases” the partial information that was stolen on these 2.4 million consumers didn’t include home addresses, driver’s license states, dates of issuance, or expiration dates. [Wall Street Journal See also: NPR, ConsumerAffaires, CNNMoney, Washington Post, and Daily Report (Law.com)]

Law Enforcement

CA – Despite Unanimous Queen’s Park Vote, Police Still Disclosing Unproven Allegations

More than two years after passing legislation protecting innocent Ontarians from having unproven allegations, mental health incidents or withdrawn charges show up on their police record checks, the proposed law remains unenforced. The Police Records Check Reform Act, passed at Queen’s Park in December 2015 by a vote of 93-0, followed a Toronto Star investigation that revealed that tens of thousands of Canadians have records in police databases despite having never been convicted of a crime. The province still hasn’t proclaimed the legislation into law, meaning it is not yet in force. This unusual delay has continued to undermine careers, volunteer opportunities and travel because of the disclosure of false or misleading information, say lawyers, victims and a new report [see PR here, Report overview here & 52 pg PDF Report here] from the John Howard Society. [Toronto Star and at: CCLA]

Online Privacy

WW – Google Rejected 57% “right to be forgotten” Privacy Requests

In its latest annual Transparency Report [Blog post here & report here], Google reveals that it was asked to delist 2.4 million URLs from 2014 to 2017. Of those requests, Google denied 57% of the requests and green-lighted just 43%. An overwhelming number of requests—nearly 85%—come from private individuals, according to a draft of Three Years of the Right to be Forgotten, a paper authored by Google-affiliated researchers. A handful of people are making a significant portion of the requests. Just 1,000 people (0.25% of the people who filed requests) accounted for 15% of the URLs submitted for delisting. In all, 51% of total requests came from the U.K., France, or Germany. [Fast Company See also at: Engadget, Venture Beat, Mashable, Gizmodo and The Register]

Privacy (US)

WW – Justices Divided Over Disclosure of Overseas Emails

Computer giant Microsoft told the SCOTUS justices today [oral arguments here, the case is “United States v. Microsoft Corp.” – often called “the Microsoft Ireland case” see here, here & wiki here] that the SCA [Stored Communications Act: see text here, wiki here & EFF take here] only applies within the United States, so the company cannot be compelled to turn over emails stored outside the country. The federal government countered that, although laws don’t normally apply outside the United States, the SCA focuses on “classically domestic conduct”: Here, it stressed, Microsoft is simply being asked to turn over electronic records that it controls, even if those records happen to be stored elsewhere. After struggling with the issues (and the technology) in the case for approximately an hour of oral argument, it wasn’t at all clear how the justices will rule – if they even have the opportunity to do so before Congress enacts legislation that would resolve the case. Recently a bipartisan group of senators introduced legislation — known as the CLOUD Act [Clarifying Lawful Overseas Use of Data Act] — that would allow warrants for data stored overseas, but would also give both email providers and the countries where the data is stored a chance to object to those disclosures. Ginsburg and Justice Sonia Sotomayor seemed to believe that Congress, rather than the Supreme Court, was best suited to deal with the questions before the court. [SCOTUS Blog See also: Lawfare Blog, The Los Angeles Times, The New York Times, The Washington Post, The Washington Times and Bloomberg and also: The Microsoft-Ireland Case: A Supreme Court Preface to the Congressional Debate and also at: Reuters, The Irish Times, The Washington Post and Financial Times]

US – 9th Circuit Court of Appeals to Review Device Privacy at Border

Saying that the U.S. Court of Appeals for the Ninth Circuit has a new opportunity to strengthen personal privacy at the border, the EFF recently filed amicus briefs in two cases, U.S. v. Cano and U.S. v. Caballero, before the Ninth Circuit arguing that the Constitution requires border agents to have a probable cause warrant to search travelers’ electronic devices. Border agents, whether from U.S. Customs and Border Protection (CBP) or U.S. Immigration and Customs Enforcement (ICE), regularly search cell phones, laptops, and other electronic devices that travelers carry across the U.S. border. The number of device searches at the border has increased six-fold in the past five years, with the increase accelerating during the Trump administration. These searches are authorized by agency policies that generally permit suspicionless searches without any court oversight. With these Ninth Circuit briefs, EFF has now filed a total of five amicus briefs since 2015 arguing that border agents need a probable cause warrant to search electronic devices at the border. [EFF]

US – Information Injury Workshop Covers Non-Financial Harms Faced by Consumers

The FTC held its Information Injury Workshop [see here and here] in December in Washington D.C. The goal of the workshop was to explore how to characterize and measure information injuries to consumers. Information injury is the harm that a victim suffers as a result of a privacy or data security breach. Financial, health and safety injury are the most common types of alleged injuries that the FTC has seen in privacy and data security in the past few years. Yet, injury that does not cause financial harm can be challenging to quantify. In her opening remarks at the workshop, FTC Acting Director Maureen Ohlhausen said the FTC needs a “framework for principled and consistent analysis of consumer injury in the context of specific privacy and data security incidents.” The workshop had four panels with noted experts in a variety of fields and disciplines. The brief summary that follows is not intended to be comprehensive, but to touch on some interesting points made during the course of the workshop. Transcripts for each panel are linked below, [including]: 1) Injuries 101 Panel; 2) Potential Factors in Assessing Injury; 3) Business and Consumer Perspectives; and 4) Measuring Injury. [DBR on Data]

US – Opinion: Six Big Privacy Concerns for Edtech

In December, the U.S. FTC hosted a workshop on student privacy and edtech in Washington, D.C. During one panel, Priscilla Regan, a professor at George Mason University — who has been writing about privacy policy since the late 1970s — set the framework for discussion by identifying six broad concerns that together comprise the facets of the U.S. student privacy discussion:

  • Organizational information privacy concerns: Federal and state laws generally regulate the collection, use, retention and disclosure of personal information. This is becoming more complicated and complex as greater quantities of data are collected and as qualitative information — such as behavior — is being derived and collected. Parental concerns are heightened as citizens generally become more aware of data collection activities.
  • Anonymity: Part of privacy, in many people’s minds, is the ability to remain anonymous, sometimes called “practical obscurity.” As more and more data is gathered and retained, it becomes more difficult to anonymize that information. The evolving use of such technology as artificial intelligence makes the ability to remain anonymous less feasible. “This is where we get into sort of the algorithmic searches, the use of artificial intelligence, the fact that personally identifiable information is sort of a less meaningful concept,” Regan said.
  • Surveillance and tracking: As personalized learning, online learning and online testing all become more common, the applications are monitoring and analyzing what students are doing, when and where they are working, and who else may be working on similar things. “Things like how long it might take to read a page, the patterns and the ways in which students are reading and responding, which gives some indication, then, of the students’ thought processes,” Regan said; such monitoring facilitates qualitative information-gathering.
  • Autonomy: There is a risk that using analytics to determine students’ strengths and weaknesses and building a personalized learning experience around that may narrow students’ options too early, by limiting the avenues for their curiosity and creativity. And today’s students are more aware of being monitored and channeled toward particular disciplines; they may self-censor what they’re doing.
  • Bias, discrimination and due process: Another part of the concept of privacy is fairness — treating people equally and without discrimination. “This is obviously critical in the edtech and the education environment generally, because of the importance of education to equal opportunity,” Regan said. The kind of algorithmic analyses in place now can make it harder to identify bias and discrimination, and thus also harder to reverse. As with concerns about autonomy, judging students early may lead to discrimination.
  • Data ownership: As data is generated, collected and analyzed, the question arises — who owns the information: the individual, the school or a third party such as the application vendor? Generally, school records are owned by the school, but laws such as FERPA (Family Educational Rights and Privacy Act) ensure parental rights. This issue is something to be addressed in schools’ contracts with vendors. [EdScoop]

Privacy Enhancing Technologies (PETs)

US – FTC Warns Users on VPN Apps

In a blog post last week, the US FTC warned consumers to thoroughly research VPN apps before using them. According to a report from researchers at CSIRO, the University of New South Wales, ICSI, and the University of California at Berkeley that examined nearly 300 VPN apps, many did not encrypt traffic and requested information and privileges that could put consumers’ privacy at risk. Some VPN apps sell customer data to third parties. [www.consumer.ftc.gov: Shopping for a VPN app? Read this | www.icir.org: An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps | www.scmagazine.com: FTC warning users to do homework before using VPN apps]

WW – Private Browsing Lacks Privacy

Researchers from MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) delivered a paper at the Network and Distributed Systems Security Symposium describing a framework to improve the privacy of private browsing modes. The framework is necessary because even in private modes, browsers can leak information. [www.ndss-symposium.org: Veil: Private Browsing Semantics Without Browser-side Assistance | www.theregister.co.uk: Private browsing isn’t: Boffins say smut-mode can’t hide your tracks]

RFID / IoT

WW – NIST Identifies Gaps in Standards for IoT

The National Institute of Standards and Technology issued a report on international cybersecurity standardization prepared by the Interagency International Cybersecurity Standardization Working Group. Gaps include cyber incident management (best practices for remediation when software patches are not feasible), hardware/software assurance (best practices for avoiding malware in firmware/software), supply chain risk management (generic standards are not specific to IoT and need to be reviewed to see if they are sufficient or require revision), and system security engineering (determine if generic standards consider IoT systems). [NIST – Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things (IoT) – Draft NISTIR 8200 | Press Release]

Security

US – NIST Releases Draft Report on IoT Cybersecurity Standards

The National Institute of Standards and Technology (NIST) has released a draft of its NIST Interagency Report 8200 (NISTIR 8200) [see PR here & 187 pg PDF here], which is intended to inform policymakers and standards participants in developing and implementing cybersecurity standards in and for IoT devices and systems. NISTIR 8200 provides a non-exhaustive list of five IoT technology application areas that are offered for use in any analysis of the present state of IoT cybersecurity standardization. These include: 1) Connected Vehicle IoT; 2) Consumer IoT; 3) Health IoT; 4) Smart building IoT; and 5) Smart manufacturing IoT. The report breaks down each of the five IoT technology application areas into eleven cybersecurity core areas and analyzes IoT cybersecurity objectives, risks, and threats present in each. The report notes that this proliferation of varying IoT devices presents a challenge in terms of sheer volume of systems to be protected, and the diverse nature of IoT services increases the challenge for development of consistent cybersecurity standards. The list of IoT cybersecurity standards the report contains will constitute a valuable resource for tracking the current state of IoT cybersecurity standards, as it is quite extensive and contains a range of information about each standard. Comments on NISTIR 8200, the draft report, are due by April 18, 2018. [DBR on Data and at: Federal News Radio, GCN and HealthITSecurity]

EU – ENISA Issues Guidance for Organisations on Cybersecurity Programmes

The EU Agency for Network and Information Security has issued guidance for organisations on creating a Cybersecurity Culture programme. ENISA recommends setting a core work group to oversee implementation of cybersecurity activities, equipping employees with risk awareness, skills and controls specifically related to their role, allowing them to provide feedback on how the programme affects their daily duties, and revising initial programme goals if they are impossible to achieve or unacceptable to employees. [ENISA – Cyber Security Culture in Organisations]

Smart Cars

US – Trust Needed in TV Data Collection Practices

The Future of Privacy Forum carried out a review of Smart TVs in 2017 and published the results. Smart TV manufacturers provide little detail about how their automated content recognition technology works and the information collected is generally referred to only as “viewing information” or “viewing history”; privacy policies should be relevant, accurate and easy to comprehend. [Seeing the Big Picture on Smart TVs and Smart Home Tech – Future of Privacy Forum]

Workplace Privacy

CA – Alberta’s Top Court Upholds Injunction Against Drug Testing of Workers

The Alberta Court of Appeal has upheld an injunction that stops random drug and alcohol testing at Suncor Energy sites in the northeastern part of the province. In a two-to-one decision, the court dismissed the appeal by Calgary-based Suncor, which has been arguing for years that random tests are needed to bolster safety at its projects near Fort McMurray. A Court of Queen’s Bench judge granted the injunction last December, pending an arbitration hearing, after the union representing about 3,000 oilsands workers in the region requested one. The Appeal ruling said the crux of the case is balancing safety against privacy interests. Two judges noted that while there is clearly a safety issue, random testing would target about 1,339 employees per year or 104 per month. “It is therefore conceivable that some union employees would be forced to comply with multiple tests within the same month … constituting a significant intrusion on their privacy, dignity and bodily integrity.” Justice Frans Slater said he would have allowed Suncor’s appeal and set aside the injunction. Suncor spokeswoman Sneh Seetal said the company is reviewing the Appeal decision and assessing its options. [National Post | See also: CBC News]

 

+++

 

January 2018

Big Data / Data Analytics / Artificial Intelligence

CA – Feds to Search Social Media Using AI to Find Patterns of Suicide-Related Behaviour

The Canadian government will hire an Ottawa-based company specializing in social media monitoring and artificial intelligence to forecast potential spikes in suicide risk. A contract with Advanced Symbolics Inc., an AI and market research firm, is set to be finalized next month. Working with the company to develop its strategy, the federal government will define “suicide-related behaviour” on social media and “use that classifier to conduct market research on the general population of Canada,” according to a document published to the Public Works website. [See here] This pilot project will last three months, after which the government “will determine if future work would be useful for ongoing suicide surveillance,” the tender document said. Advanced Symbolics said its artificial intelligence looks for trends, not individual cases. Instead, the AI will flag communities or regions where multiple suicides could be likely. According to CEO Erin Kelly, “We’re not violating anybody’s privacy — it’s all public posts. We create representative samples of populations on social media, and we observe their behaviour without disturbing it.” The company will begin defining suicide-related behaviour in January, with monitoring slated to start later in 2018. [CBC | See also: Vice and Dispelling 3 Most Common Myths About AI and Big Data]

US – Universities Adding Computer Science Ethics Courses

US universities are beginning to introduce computer science ethics courses to help guide the next generation of computer scientists through the issues they are likely to face over the coming years. Harvard and MIT are offering a joint course, “The Ethics and Governance of Artificial Intelligence.” The University of Texas at Austin has recently introduced a course called “Ethical Foundations of Computer Science” that is likely to become a requirement for all students majoring in computer science. At Stanford University, the computer science department will offer a course called “Ethics, Public Policy, and Computer Science.” [www.nytimes.com]

Canada

CA – Create New Watchdog to Review Border Agency, RCMP, Federal Report Recommends

The Trudeau government should create a new watchdog to handle public complaints about the Canada Border Services Agency, says a federally commissioned report. Prepared for Public Safety Canada, the report says the new watchdog, the Canada Law Enforcement Review Commission, would scrutinize both the border agency and the RCMP, given the frequent overlap between the two enforcement organizations. The border agency’s thousands of employees manage the flow of about 100 million travellers — as well as some 16 million commercial shipments — entering Canada annually. They collect, analyze and distribute information concerning people and goods at border points, air terminals and seaports. Border officers can stop travellers for questioning, take blood and breath samples, and search, detain and arrest citizens and non-citizens without a warrant. Civil libertarians, refugee lawyers and committees of both the House of Commons and Senate have called in recent years for stronger arm’s-length monitoring. The commission, with a chair and four or five commissioners, would have power to compel documents and witnesses, as well as authority to dismiss frivolous complaints. Cappe suggests it issue non-binding recommendations to the RCMP and border agency to preserve the accountability of the agencies. [Source | New powers for Canadian spy agency alarming]

CA – Electronic Spy Agency Watchdog Asks for More Powers

In a memo to the House of Commons’ public safety committee [SECU], Jean-Pierre Plouffe [CSE watchdog see here] argued the proposed new position of intelligence commissioner should have a greater role in reviewing and approving the actions of the Communications Security Establishment (CSE). Plouffe, who has served as the independent reviewer of CSE’s activities since 2013 [see here], said the agency’s new power to launch cyber attacks is even broader than the controversial power given to CSIS to “disrupt” threats to Canada. Despite that broad range of activities, there is no independent oversight of CSE’s new offensive capabilities, Plouffe notes; instead, only the ministers of national defence and foreign affairs need to sign off. “There is no role envisaged for the (intelligence commissioner) to approve such an authorization, even where third-party rights, including their privacy rights, could be affected, including (the rights) of a Canadian outside of Canada, or where Canadian law could be contravened,” Plouffe wrote. Plouffe testified [before SECU] on Bill C-59 [see here], the Liberals’ omnibus national security bill, on January 30 [see here]. [Toronto Star]

CA – P.E.I. Government Spent $140K on Lawyers in Privacy Investigation

The P.E.I. government says it spent $140,000 in legal costs after hiring an outside lawyer to represent it in an investigation by the province’s privacy commissioner. That investigation concluded government was ultimately responsible for the leak of personal information belonging to three former government employees who went public with allegations of wrongdoing regarding P.E.I.’s provincial nominee program. Most of the $140,000 in legal fees was for work that took place during the first three years of the six-year investigation. A spokesperson from the office of the privacy commissioner told CBC News that on its side, the office did not hire legal representation as part of its investigation. [CBC | See also: Premier shouldn’t question privacy commissioner, justice critic says | EDITORIAL: A breach of privacy by province | P.E.I. government launches court review against privacy commissioner | P.E.I. government takes privacy commissioner to court — again | Information commissioner denied access to Health PEI report]

CA – SK Police, Civic Workers Could Be Fined or Jailed Under New Anti-Snooping Law

Civic employees and police officers could be fined or imprisoned for snooping under changes to Saskatchewan privacy laws that came into effect on Jan. 1. The Local Authority Freedom of Information and Protection of Privacy Act has been amended to include punishments for employees who access personal records for inappropriate reasons. Anyone who breaks the law could be fined up to $50,000 or imprisoned for up to one year, or both. A similar law already applies to provincial health workers, who would face the same punishments if convicted of an offence. Stronger privacy measures were introduced after a member of the public found thousands of medical records in a Regina dumpster in 2012. The amendments to the Health Information Protection Act (HIPA) came into effect on June 1, 2016. [CBC | Additional coverage at: Regina Leader-Post and Lexology | See also: Sask. city police fine-tuning accountability process before FOI law change | Sask. access and privacy laws extended to cover political staff, police services | Police and MLAs subject to freedom of information requests under new legislation]

CA – Student Privacy Breached With Website Upload, Says SK OIPC

Students’ personal information and privacy were breached by a teacher’s actions but Regina Public Schools has made “reasonable efforts” to contain the breach, according to Saskatchewan’s Information and Privacy Commissioner. “My office accessed the website and noted there were over 2,000 documents that had been uploaded to the subdirectory,” he wrote in a Dec. 19 investigation report, noting items such as students’ photos, grades and birth dates were uploaded. In total, 77 students may have had their information accessed by an unknown person or people. A teacher at Regina’s W.F. Ready School uploaded the information to the church website, mistakenly believing he was the only one, as the website administrator, with access to the documents for work purposes. In his report, Kruzeniski wrote he applauded the division’s approach to notifying all those affected and answering any questions with phone calls. Kruzeniski made further recommendations for the division, including creating explicit guidelines around record-keeping, only storing records on Regina Public Schools’ computer network [and] that employees should sign annually that they have read and understood guidelines on confidentiality. [CBC | See also: Luxora Leader & Regina Leader-Post]

CA – Regina Public Investigated After Teacher Breached Students’ Privacy

The Regina Public School Division is addressing policy gaps after a teacher uploaded more than 2,000 documents, many containing students’ information, to a public website. Some of the information was online for 15 months before the privacy breach was reported to the Office of the Saskatchewan Information and Privacy Commissioner on Sept. 1. The documents have since been removed. The teacher at W.F. Ready School posted student assignments, letters to parents, photos, birthdates, grades and passwords to his church website beginning in May 2016. “He had uploaded the documents to a subdirectory of the church’s website, mistakenly believing he would be the only person, as the website administrator, to be able to access the documents,” wrote privacy commissioner Ronald Kruzeniski in his report dated Dec. 19. [see 13 pg PDF Report here] The [school] division is working to apply the privacy commissioner’s six recommendations. They include updating policies, creating guidelines, and training staff in privacy law. The commissioner stated that the school division should prohibit storing student information on teachers’ personal computers. [Leaderpost]

CA – OPC Launching Privacy Campaign Aimed at Grade Schoolers

Privacy Commissioner Daniel Therrien’s office is launching a campaign aimed at raising grade schoolers’ awareness about how their personal data is collected and used on their devices and apps. A 2015 study by non-profit group MediaSmarts found three quarters of school-aged children in Canada have a social media account or blog. [The OPC] says their campaign will target students in 8,500 elementary schools across Canada, part of a larger push to teach children how to guard their online reputation and safely use their electronic devices. [The] office is also pushing provincial education ministers to make online privacy part of the regular curriculum in grade schools. [Toronto Star]

CA – CBA Warns of Court Challenge to Bill C-58 Over Privilege/Privacy

The Canadian Bar Association (CBA) says it will “in all likelihood” go to court to challenge incursions on professional secrecy, if Ottawa proceeds to enact proposed measures that would empower the federal privacy and information commissioners to review legal advice and other privileged communications between legal advisers and their federal government clients. The national 36,000-member association, and the Federation of Law Societies of Canada (FLSC), are both urging the Trudeau government to drop proposed “regressive” amendments to the Access to Information Act and the Privacy Act (Bill C-58)[see here & here] that would expressly authorize the federal commissioners to examine privileged government records as part of their assessment of the validity of claims made by government entities that those records are exempt from disclosure because they are shielded by solicitor-client privilege, litigation privilege (i.e. communications whose dominant purpose is preparation for litigation), or professional secrecy. The CBA and FLSC argue [Read CBA’s concerns here] the government has produced no evidence that the proposed routine piercing of the privileges is “absolutely necessary” — the threshold the Supreme Court of Canada has set for incursions on solicitor-client privilege: Alberta (Information and Privacy Commissioner) v. University of Calgary 2016 SCC 53.[see here] The bar association and legal regulators emphasized that the Supreme Court’s University of Calgary decision established that solicitor-client privilege has evolved into a fundamental substantive principle and is not merely a privilege under the law of evidence. [Lawyers Daily]

CA – B.C. Appeals Court: Virtual Presence Enough to Enforce Production Order

Since the Supreme Court passed down its decision last June [see Judgment here] in “Equustek,” lawyers have been waiting with bated breath to see just how broad an interpretation the new internet regime will receive from the courts. Global tech companies, including Google, hoped to see the Canadian — and even American — tribunals rein in the ability of our courts to order companies to take actions beyond our jurisdictional borders. A recent B.C. appellate decision [see Judgment here] suggests that “Equustek” isn’t going to be relegated to a tiny corner of Canadian law. It is very much the standard. [In “Equustek”, the SCoC found] that Canadian courts have jurisdiction to make orders for foreign-based internet companies that carry on business in Canada; there have been concerns about the practical implications. Since “Equustek” was a civil case, how the ruling would apply to criminal cases remained to be seen. The B.C. case revolves around the online classified giant Craigslist, which is based in the U.S. but has dozens of sites for communities across Canada. The RCMP filed a production order to obtain details around a specific post, including the name and address of the poster. A trial judge rejected the production order, and the comparison to “Equustek”, on two grounds: Unlike Google, Craigslist has no Canadian office to speak of; and being a criminal matter, “Criminal Code” processes must be followed. The trial judge pointed out that the RCMP had the option in this case to pursue a Mutual Legal Assistance Treaty request (more commonly known as an MLAT). [see wiki here] But the [BC] appeals court saw things differently. It concluded that the existence of an MLAT — itself just a tool to obtain documents through foreign legal structures — does not diminish the authority of Canadian courts in issuing production orders. The court therefore dispensed with the idea that forcing a foreign company to comply with an order would run afoul of territorial sovereignty.
David Fraser, partner at McInnes Cooper with a focus on privacy law, says [see here] “The court’s conclusion that the distinction between a virtual-only presence and a ‘physical’ presence is effectively a distinction without a difference could carry implications far beyond the availability of production orders. Whether its reasoning vis-a-vis an internet-based company’s ‘presence’ in Canada will have application to, for example, tax laws, remains to be seen.” [National Magazine]

CA – Supreme Court Finds Expectation of Privacy in Text Messages

The Supreme Court of Canada considered an appeal by an individual alleging his text messages were seized in violation of his Charter rights. The seizure of the text messages violated Canadian Charter rights since the individual had a reasonable expectation of privacy in his messages (he expected them to remain private based on his repeated requests that the recipient delete the messages) and the messages reveal information about his lifestyle (that he was involved in criminal enterprise). [R. v. Marakah – 2017 SCC 59 – Supreme Court of Canada]

CA – NS OIPC Says Businesses Need to Increase Privacy Awareness

January 28 is Data Privacy Day. Its purpose is to raise the privacy consciousness of individuals and businesses. At the Office of the Information and Privacy Commissioner for Nova Scotia (OIPC)[here] we decided to try something new this year to assess the privacy consciousness of Nova Scotian organizations. Staff at the OIPC contacted 52 Nova Scotian businesses and organizations [large and small organizations, non-profits to big-profits] and asked to speak with the chief privacy officer or privacy leader. A sort of “Where’s Waldo” response occurred. Half of the businesses simply never responded. Of the remainder, most had no idea what a chief privacy officer was or who was responsible for managing privacy, instead referring us to a senior manager. Ten of the 52 businesses identified a privacy leader. Interestingly, only six of the privacy leaders were able to answer our rudimentary privacy questions. The rest either didn’t respond or promised to get back to us and didn’t. [Halifax Today]

CA – Manitoba Organization Should Have Audited System Activity

The Manitoba Ombudsman conducted a privacy investigation into Manitoba Health, Seniors and Active Living. An employee accessed the system beyond his authority and disclosed PHI in response to government requests; recommendations include making signing a confidentiality pledge mandatory for employment (the employee refused to sign a confidentiality pledge) and ensuring that new/upgraded systems track whether a user has printed or downloaded PHI. [Manitoba Ombudsman – Report under the Personal Health Information Act – Case 2014-0500 – Manitoba Health, Seniors and Active Living Provincial Drug Program – Privacy Investigation: Collection, Use, Disclosure, Security]

CA – New Quebec Law Regulates Communication of Student PI

Quebec Bill 144, an Act to Amend the Education Act, received royal assent and became effective on November 9, 2017. Personal information gathered under the Education Act may not be communicated, used or its existence confirmed for the purpose of determining a person’s immigration status, except with the consent of the person concerned; information can be disclosed when required by a summons, warrant or judicial order, or as required for purposes relating to compulsory school attendance. [Bill 144 – An Act to Amend the Education Act and Other Legislative Provisions Concerning Mainly Free Educational Services and Compulsory School Attendance – National Assembly of Quebec]

CA – Quebec CAI: Metadata Should be Treated as PI

The Commission d’Accès à l’Information du Québec has issued recommendations for protection of PI relating to criminal investigations and operations, in response to the published report of the Commission of Inquiry into the Protection of Journalistic Sources, which outlined concerns that police investigation methods allow for collection and retention of large amounts of data. Metadata can identify individuals (alone, or in combination with other information), and reveals a significant mass of information; applications for judicial authorization should detail the reasons why metadata is necessary and incorporate data minimization, and service providers should consistently exercise discretion in complying with requests to disclose customer information. [CAI QC – Recommendations resulting from Inquiry into Protection of Confidential Journalistic Sources]

CA – Quebec CAI: Customs’ Cellular Searches Permissible

The Commission d’Accès à l’Information du Québec has issued guidance on the right to privacy at the US and Canadian border. US border officials may search electronic devices and seize them if travelers refuse to present or unlock the device; Canadian officials may search a device, but are prohibited from searching data outside the device (e.g., social media accounts, in the cloud). Employers should limit the amount of PI stored on employee devices and implement security measures to protect PI that is present. [CAI QC – Cellular Search at Customs – Some Details of the Access to Information Commission]

CA – Ontario Entity Rightfully Withheld Third Party Information

The Ontario IPC reviewed a decision from the Independent Electricity System Operator denying access to records under FIPPA. According to the IPC decision, the Electricity Act shields information deemed to be confidential from disclosure, and the document at issue, a technical schedule to a power plant refurbishment agreement, included a recital indicating its confidential nature; the public interest in the information is met by the disclosures already available on the third party’s and the entity’s websites. [IPC ON – Order PO-3800 Appeal PA16-220 – Independent Electricity System Operator]

CA – Data Privacy Officers Hard to Find in Nova Scotia

Catherine Tully, Nova Scotia’s information and privacy commissioner, describes a recent survey of organizations across the province as a “Where’s Waldo?” exercise. The office called 52 provincial businesses and organizations at random this month, large and small, for-profit and non-profit. “Almost every call, when we asked to speak to a chief privacy officer or the privacy lead, was met with silence,” said Tully. Only 10 of the businesses were able to identify a privacy lead. Of those, only six were able to answer rudimentary questions, such as whether employees could access their own personnel files, whether the organization used video surveillance or whether they had a policy for retaining records containing personal information. Tully says the results are troubling. [CBC]

CA – Nova Scotia Court Rules on Neighbourly Dispute Over Security Cameras

Nova Scotia provincial court Judge Peter Ross says it’s not the court’s place to enforce good manners, in ruling on a case that pitted a homeowner’s interests in monitoring her property against her neighbour’s privacy concerns. In a 21-page decision released Wednesday [see here], Ross found Joan O’Connor not guilty of committing mischief for installing security cameras around her property in Sydney, N.S., that captured some views of the home next door. The Crown had not proved its assertion that O’Connor’s recordings amounted to criminal interference with Stephanie Ayre’s ability to enjoy her property. [In his ruling Ross wrote]: “While (O’Connor) was aware that her actions bothered Ms. Ayre, she did not set her cameras out with this purpose in mind … [she] may have been inconsiderate and uncaring about the effect the video-recording had on Ms. Ayre, but even if this is so, it does not give rise to criminal culpability … Even if Ms. O’Connor had nothing more than a prurient curiosity about her neighbour’s activities, it is not at all clear that viewing and/or recording on camera what is apparent to the naked eye constitutes criminal interference with a neighbour’s use and enjoyment of property.” Ross mused about how the prevalence of closed-circuit TVs, privately owned security cameras and drones could erode people’s expectations of privacy to the point that surveillance of personal activity becomes a simple “fact of life.” Legislatures could see fit to limit surveillance in residential areas, he said, but those issues fall beyond the court’s scope. [The case is R. v. O’Connor, 2017 NSPC 68, Ruling here] [Chronicle Herald]

CA – P.E.I.’s FOIPP Review: Where the Key Players Stand On Releasing Information to You

The P.E.I. provincial government wants your feedback [see here] on whether it should expand the provincial access to information and privacy act. Some of the big issues the government is asking Islanders about include whether to include municipalities, post-secondary institutions and provincial police under the act. The public has until Feb. 23 to submit feedback. Here’s what the act does, why it matters and the key stakeholders’ views on what FOIPP modernization should look like. [CBC]

CA – Court Finds New Sharing Methods Is Not a New Purpose

The Court considered an appeal by the Toronto Real Estate Board of a decision by the Competition Tribunal on its information sharing practices. Property listing information (e.g. selling prices) can be distributed to brokers via electronic data feeds based on broad consents obtained in listing agreements; consents obtained cover use and dissemination of data during the term of the listing and after, selling prices are not sensitive information requiring specific consent for disclosure, and the data is already shared through other conventional methods (new consent would only be required if it was used for a new purpose). [TREB v. Commissioner of Competition and the Canadian Real Estate Association – 2017 FCA 236 – Federal Court of Appeal]

CA – Security Cameras Permitted for Quebec Cooperative

The Commission d’Accès à l’Information du Québec investigated a housing cooperative’s alleged violations of the Act Respecting the Protection of Personal Information in the Private Sector following a complaint that the Cooperative was using CCTV cameras without the consent of all members. The cameras are required to secure the property and residents at a housing cooperative against a wave of theft and vandalism, no cameras are pointed at private entrances or windows, and the cameras only record when activated by motion sensors; captured images are securely stored with restricted access and are automatically erased when the server reaches capacity. [CAI QC – Decision 1005283-S – Housing Cooperative of Solidarity]

CA – OIPC SK Clarifies Real Risk of Significant Harm

The OIPC SK has issued guidance on whether the level of risk warrants mandatory breach notification by a government institution. The primary considerations are the definition of “significant harm” (e.g., damage to reputation, loss of professional opportunities, financial loss) and whether there is a real risk that such harm will occur (what parties could have obtained the PI, was there encryption in place, was there malicious intent, was the PI sensitive, was the PI recovered, how many individuals were affected and are especially vulnerable). [OIPC SK – Real Risk of Significant Harm]

CA – Truth, Privacy and the Public Interest in Securing Justice

Over the years, the courts have sought to protect the public interest in ascertaining the truth in civil litigation proceedings while at the same time affording protection to the privacy interests of the parties involved. The Court of Appeal for British Columbia recently addressed this issue in Duncan v. Lessing, 2018 BCCA 9, when affirming that the statutory tort of invasion of privacy created by British Columbia’s Privacy Act, R.S.B.C. 1996, c. 373 does not apply to activities that occur during judicial proceedings. In doing so, the court upheld the principle that the public interest in securing justice outweighs a litigant’s privacy interests, but that such privacy interests are entitled to reasonable protection as long as this does not interfere with the efficient conduct of litigation. Privacy legislation has been accorded quasi-constitutional status and the courts continue to emphasize the importance of privacy and its role in protecting individual autonomy: Douez v. Facebook, 2017 SCC 33 at para 59. However, the Duncan decision articulates a clear limit on an individual’s ability to seek redress for violations of privacy occurring in the context of civil litigation proceedings. [Source | See also: Rights Watch Blog]

CA – Data Exchange With U.S. Fuelling Canadian Visa Scrutiny

The federal government has flagged more than 1,000 possible cases of people overstaying their visas or committing other immigration infractions based on information provided by the U.S., newly obtained memos show. [The number of immigration enforcement actions is almost certainly larger than 1,000, given that the figures do not cover the most recent two years. However, the border agency was unable to provide updated numbers.] Under a 2011 continental security pact [see here & here], Canada and the U.S. agreed to set up co-ordinated systems to track the entry and exit information of travellers. The federal NDP and privacy advocates are watching closely, however, out of concern the data could be used to build invasive personal profiles with little accountability. The data includes the traveller’s name, nationality, date of birth and gender, the country that issued their travel document and the time, date and location of their crossing. Legislation [Bill C-23, here & here] being debated in Parliament would allow Ottawa to collect similar information about Canadians entering the U.S. But the newly disclosed memos say the preliminary phases are already helping Canada zero in on people who may be running afoul of immigration laws. The Canadian Press used the Access to Information Act to obtain the figures from the Canada Border Services Agency, a process that took 18 months. A complaint to the federal information commissioner helped dislodge the pages. The NDP is skeptical of the need to expand information-sharing with the U.S. and wary of the implications for Canadians in the era of “false positives” that can land people in trouble or deny them entitlements, said Matthew Dube, the party’s public safety critic. “Mistakes can be very costly in those circumstances for people.” [Toronto Star]

Consumer

CA – Almost 50% Surveyed Would Share PII for Lower Insurance Rates

Nearly half of Canadians would share personal information for lower insurance premiums, says survey

Many Canadians may not be all that worried about having their private information revealed to others — at least, when there’s a financial incentive in play. In fact, 46% of Canadians say they’d be willing to give up personal information like lifestyle and driving habits, according to a survey from online insurance marketplace Kanetix. In a survey of 1,000 Canadians [see highlights & infographic here], Kanetix looked to see general acceptance of the increasing prevalence of connected and driverless vehicles.

  • Two-thirds of respondents said they are comfortable with voice assistance (such as Google Assistant or Siri)
  • Sixty percent of respondents are comfortable with their car transmitting location and vehicle data tracking
  • Fifty-eight percent of the audience said they were comfortable with augmented reality or heads-up displays on the windshield
  • Fifty-nine percent of respondents are uncomfortable with autonomous vehicles
  • Overall, the most accepting demographic of autonomous vehicles is the 18 to 34 demographic at 55 percent, compared to 30 percent of middle aged (45 and older) respondents
  • Respondents said their biggest concerns were security (35 percent) and privacy (29 per cent)
  • Fifty-four percent of the respondents said they’d most likely share home-related data (such as alarm and flood data) and medical information to their insurer via technology
  • Nearly half (46 per cent) of people said they would also share lifestyle habits and driving information [Mobile Syrup | See also: Canadian Underwriter]

CA – Canadians Ready to Ditch Passwords for Facial, Fingerprint Recognition: Survey

Canadians are ready to forget the many, many passwords they have for online accounts in favour of biometric technology, according to a new Visa survey of 1,000 Canadians. 69% are interested in using fingerprint recognition over passwords for identification purposes. Canadians were also interested in using other biometrics such as eye scans, and voice or facial recognition. 32% said they’ve given up online purchases because they couldn’t remember their passwords. Passwords have been the cause of major security concerns. They often need to be written down, are susceptible to hacks, and can be stolen in lost phones or laptops. The survey found about 44% expressed concern that unlike passwords that are stolen, fingerprints can’t be changed. [Global News | See also: News1130 and ITBusiness.ca]

E-Government

US – Secret Evidence and the Threat of More Warrantless Surveillance

Internet monitoring of non-US citizens abroad – itself a human rights problem – and the capture of potentially enormous amounts of communications of people in the United States. In theory, if the government were using this surveillance data to investigate and imprison people in the US, defense attorneys would be able to find out and judges able to evaluate whether the surveillance was constitutional. In reality, this is not the case. As suggested by Human Rights Watch’s new report on secret evidence in US criminal cases [announcement here & report here], the government may be concealing its use of Section 702 surveillance by deliberately creating an alternative explanation for how it gathered evidence – a practice known as “parallel construction” [see wiki here]. [HRW | See also: The Cipher Brief, Hit & Run Blog (Reason), WIRED, Christian Science Monitor, Eurasia Review and The Orange County Register]

US – Breach Compromised Personal Data Belonging to 240,000 Current and Former DHS Employees

A data security breach at the US Department of Homeland Security (DHS) that was detected in May 2017 compromised personal information belonging to more than 240,000 current and former DHS employees. The breach may also have compromised information belonging to people who were the subject of DHS Office of Inspector General (OIG) investigations between 2002 and 2014. The incident did not involve an external cyber attack; instead, in the course of a criminal investigation, DHS OIG discovered that a former DHS OIG employee was in possession of an unauthorized copy of the organization’s investigative case management system. [www.dhs.gov | www.theregister.co.uk]

E-Mail

US – NIST Identifies Security Measures to Address Outdated SMTP Protocol

The National Institute of Standards and Technology issued draft guidelines for enhancing trust in email. Recommendations cover the email service (block outbound and inbound port 25 and deploy firewalls), sending domain/individual mail messages (deploy DNSSEC for all DNS name servers), email confidentiality (encryption of emails should require certificate chain authentication against a known Certificate Authority), and end user email security (discourage authenticating with username and password). Comments are requested by January 31, 2018. [NIST – Trustworthy Email – Second Draft SP 800-177 Revision 1]

Electronic Records

US – ONC Unveils Plan for Health Information Sharing Framework

Federal health IT officials under the 21st Century Cures Act [see here & here] have proposed regulations for health data information sharing, the Trusted Exchange Framework ‘network of networks.’ If you want a say in how the government deals with health data interoperability, now’s your chance. The Office of the National Coordinator for Health IT (ONC) has released draft rules [see 48 pg PDF here & to submit comments see here] for a health information sharing plan, called the Trusted Exchange Framework, and the public has until Feb. 18 to comment. The framework stems from the interoperability provisions of the 21st Century Cures Act of 2016, a wide-ranging law that includes many aspects of healthcare and health IT, of which the health information sharing plan is only one part. Among the existing networks that ONC officials are looking to link within the health information sharing framework are the many health information exchanges that have sprung up since the HITECH Act of 2009 spurred data sharing with the meaningful use program. The ONC envisions the Trusted Exchange Network — expected to be started by the end of 2018 and fully built out by 2021 — as being used by federal agencies, individuals, healthcare providers, public and private health organizations, insurance payers and health IT developers. [Source | See also: Fierce Healthcare, Health IT Buzz, GlobeNewswire, EHR Intelligence and Patient Engagement HIT]

Encryption

US – FBI Assails Encryption (Again)

FBI director Christopher Wray told an audience at the International Conference on Cyber Security earlier this week that unbreakable encryption is “an urgent public safety issue,” noting that his agency was unable to access nearly 7,800 devices in the 12-month period ending on September 30, 2017. [news.softpedia.com | threatpost.com | See also: Wyden Takes Wray to Task on Encryption Back Doors: zdnet.com | thehill.com | www.theregister.co.uk | fcw.com | regmedia.co.uk]

WW – Chrome 68 Will Label HTTP Sites “Not Secure”

Starting with Chrome 68, Google’s browser will begin flagging websites that don’t use HTTPS as not secure. When Chrome 68 users visit an HTTP site, Chrome will display a “Not Secure” message in the address bar. Chrome 68 is scheduled to be released to the stable channel in July 2018. [www.theregister.co.uk | www.zdnet.com | www.bleepingcomputer.com]

EU Developments

EU – Article 29 Working Party Releases Guidelines on Consent and Transparency under the GDPR

The Article 29 Working Party (WP29) released two guideline documents, WP259 and WP260, on the General Data Protection Regulation (GDPR) concepts of consent and transparency. Comments on both documents will be accepted by the Working Party through January 23, 2018, after which WP29 will issue final guidance. WP29 is an independent European advisory body on data protection and privacy. This blog post focuses on WP260, the guideline on transparency. Our companion post on WP259, the guideline on consent, can be read here. Transparency has long been a fundamental feature of EU privacy law and is an overarching obligation under the GDPR. The draft guideline notes that a central consideration of the principle of transparency is that the data subject should be able to determine in advance what the scope and consequences of the processing entail. [This post considers the following]: 1) Elements of Transparency; 2) Information to be Provided to the Data Subject; 3) Layered Privacy Notices; 4) Information Related to Further Processing; 5) Visualisation Tools; and 6) Exercise of Data Subjects’ Rights. While much of the specific content that controllers are required to communicate to data subjects, and the circumstances in which those communications are made, are specifically dictated by the GDPR, many of the format and communications issues addressed in this guidance are consistent with long-standing Federal Trade Commission (FTC) guidance with respect to the making of clear and conspicuous disclosures. For some practical guidance for making clear and conspicuous disclosures, the FTC’s dot.com disclosure guidance provides useful examples on how to make disclosures effective. [DBRonData | See also: Business Review: Data Privacy Impact Assessment at a glance]

UK – ICO Advises Not All Breaches Must Be Notified

The UK’s Information Commissioner’s Office has issued guidance on handling personal data breaches under the GDPR. Breaches that are likely to result in a high risk to individuals’ rights and freedoms must be notified to affected individuals, such as theft of a customer database (likely to result in identity fraud), a network attack on a contracted IT services firm (clients’ personal data is unlawfully accessed), and a hospital’s accidental disclosure of patient records (the data is sensitive and may become known to others). [ICO UK – Personal Data Breaches Guidance]

EU – Facebook Escapes Austria Class Action but Still Faces Grilling

The EU’s highest court [European Court of Justice] ruled on Thursday that [Austrian privacy activist Max Schrems] could not bring a consumer lawsuit on behalf of 25,000 Facebook users for alleged privacy breaches. [Case C-498/16 – Schrems, see here & ruling text here] Instead, the ECJ said Schrems could only file an individual case against Facebook for allegedly illegally handling data relating to his personal Facebook account in Austria. Schrems’ attempted lawsuit sought to use EU consumer laws to sue Facebook for damages worth €500 for each of his signatories, a list that has topped 25,000 users in Austria. But EU judges said Schrems’ claims did not fall under Europe’s consumer protection laws, although he could still sue Facebook individually in the Austrian courts. Despite the class action being dismissed, Schrems celebrated Thursday’s judgment as a “huge blow” for Facebook, which will have to defend its use of personal data in Austrian courts. Facebook had argued the case should be heard in Ireland, where it has its European headquarters. Unlike in the US, class action cases are rarely brought in Europe. Under the General Data Protection Regulation, which comes into force in May, collective action will be possible for some privacy violations. [FT.com | See also: Deutsche Welle, Courthouse News Service, The Times, EURACTIV and europe-v-facebook.org]

UK – ICO UK Issues Final Guidance on Automated Decisions

The UK Information Commissioner’s Office (ICO) has issued final guidance on rights related to automated decision making, including profiling under the GDPR. The guidance is in response to a request for feedback. Solely automated individual decision-making and profiling with similar significant effects is restricted unless it is necessary for the performance of a contract, authorized by law, or based on explicit consent; processing is permitted where there is human intervention, as long as the legal basis for processing is identified and recorded, and individuals are able to exercise their right to object. [ICO UK – Rights Related to Automated Decision Making Including Profiling]

UK – Top 10 Stories on State Surveillance, Technology and the Law in 2017

In 2017, the government faced multiple legal challenges over the legality of mass surveillance of the population, most of whom pose no threat, in cases that will set the parameters between individual freedom and state intrusion. A slew of court cases brought by Privacy International, Liberty, other campaigning groups and courageous individuals are shedding new light on the practices of the secret state, and are beginning – but only beginning – to establish where the limits of state intrusion should lie. New laws and state powers introduced to combat terrorism have quietly eroded privacy and due process for those individuals unlucky enough to be caught up in the legal machinery. Their battles will become important milestones in setting the boundaries between the rights of the individual and the rights of the state, and will ultimately decide what liberties society is prepared to sacrifice for the promise of greater security. [Here are the top 10 relevant CW stories for 2017]: 1) Islamic State supporters shun Tails and Tor encryption for Telegram; 2) UK intelligence agencies ‘unlawfully’ sharing sensitive personal data; 3) Safeguards permit GCHQ to share huge databases on public; 4) UK sale of surveillance equipment to Macedonia; 5) Lauri Love would face ‘medieval’ conditions in US prison if extradited over hacking charges; 6) Cage director found guilty of terrorism offence after refusing to disclose passwords; 7) UK spies face landmark challenge over mass surveillance in human rights court; 8) My brother Lauri Love should have the right to a trial in the UK; 9) US says its views must be heard in legal challenge to EU-US data sharing; and 10) Max Schrems’s mass surveillance complaint knocked back another year or two by Irish judge. [ComputerWeekly]

EU – Global Market and Opinion Researchers Checklist

The European Society for Opinion and Market Research has issued guidance to researchers on their responsibilities within a global data protection framework. Researchers must ensure compliance with legal requirements in countries where they operate and national data protection requirements; minimum standards include data minimisation, sufficient notice to individuals, obtaining voluntary, clear consent, ensuring adequate protection for cross-border transfers, and use of pseudonymisation and anonymisation (in accordance with applicable national laws and self-regulatory codes). [Data Protection Checklist – Esomar World Research]

Facts & Stats

CA – Privacy Breaches Hit Record High in Alberta

Last year, the Office of the [Alberta] Information and Privacy Commissioner (OIPC) issued decisions on 162 breaches where there was a real risk of significant harm to affected individuals. That is more than double the number of decisions from any previous year. Many of the privacy breaches were related to unauthorized accessing of personal information through hacking, malware or email phishing. But there were also plenty of cases of companies or employees inadvertently sharing personal information with unauthorized parties. [CBC News | See also: Insurance Business]

FOI

CA – Alberta C.of Q.B. Limits Public Access to Family Court Files

Members of the public can no longer freely access family court files after changes were implemented this year to protect sensitive personal information, according to the Court of Queen’s Bench of Alberta. The changes for the province’s higher family court have been in the works for about two years. The shift was prompted by members of the family law bar raising concerns that clients’ personal information filed with the court could be accessed by curious onlookers. Documents detailing financial, medical and social security information, as well as intimate details about family relationships, are all commonly added to files in family cases, according to the court. Increased disclosure requirements in recent years have meant parties are required to file more financial documents, including tax returns, pay stubs and bank statements. Parents will also file affidavits against one another containing information that would be harmful for children to learn about, according to the court. In response, more and more sealing orders, which are highly restrictive, were being requested. A committee of Queen’s Bench judges developed the new terms of access. The changes were implemented in mid-October. [Source]

CA – RCMP Backlogged With Access-to-Information Requests from its Own Staff

The RCMP has reversed course after a policy forcing officers to use the Access to Information Act [see here] to get their own personnel and medical information backfired badly. The RCMP has been flooded with so many new ATI requests over the past few years that it now has a backlog of about 3,250 unanswered files that have gone past their legislated deadlines, with the number growing weekly. Under the federal act, all departments must respond to requests within 30 days or give themselves an extended deadline for more difficult files. When the deadlines are missed, the files are known as “deemed refusals.” The massive backlog has also triggered a record number of complaints to the Office of the Information Commissioner. So far this fiscal year, which ends March 31, there have been at least 331 formal complaints about the RCMP’s poor performance, easily surpassing the record 274 complaints from 2016-2017, said Natalie Bartlett, spokesperson for the commissioner. Even though almost all RCMP documents requested under the Access to Information Act are already in digital form, the RCMP requires they be printed on paper and shipped to the access and privacy office in Ottawa to be scanned back into electronic form — a major bottleneck. The problem of “deemed refusals” has been growing across the federal government. In 2016-2017, there were a total of 16,780 overdue requests in all departments — almost double the 8,405 in 2014-2015. [CBC]

CA – BCLC to Charge $500K to Fulfill Casino Workers’ Union FoI Request

A casino workers’ union has been told to ante up — to the tune of over $500,000 — for a freedom of information request it made to the B.C. Lottery Corporation. Marc Hollin of Unite Here requested five years’ worth of communication between the lottery corporation and Great Canadian Gaming Corporation, which operates several casinos in B.C. Hollin’s request concerned communication about compliance with anti-money laundering rules. A lottery corporation freedom of information analyst replied in a memo shown to CBC that work would take an estimated 16,817 hours to complete and would cost $504,480. Before starting the work, BCLC wanted the union to pay half up front. [Source | Additional coverage at: Vancouver Sun]

CA – BC’s Parties Mum on What They Know About You

Political parties in British Columbia are required by law to tell individuals what information they’ve collected about them, how they are using it, and with whom they’ve shared it. But when I asked what the three main provincial parties knew about me, all I got was a partial response from one of them [Liberals]. The other two [NDP & Greens] didn’t respond to the initial request at all. “Just simply not responding obviously is the worst-case scenario, but providing a partial response is not adequate either,” said Bradley Weldon, the acting deputy commissioner in British Columbia’s Office of the Information and Privacy Commissioner. The OIPC launched an investigation in September to find out how the parties are interpreting B.C.’s privacy law and to develop guidelines so they understand what is and isn’t authorized under the Act. It expects to release the report within a couple of months. [Tyee]

Health / Medical

US – Apple Health Data Is Being Used as Evidence in a Rape and Murder Investigation

One of the most important witnesses to the rape and homicide of a 19-year-old woman in Germany [see here] might be a stock app on the iPhone of her alleged murderer. Hussein Khavari, an Afghan refugee in Freiburg, has been on trial since September for raping and murdering a student in Freiburg. Many of the details of the trial have been hazy; there’s a mysterious chunk of time missing from the geodata and surveillance video analysis of his whereabouts at the time of the crime. He refused to give authorities the passcode to his iPhone, but investigators hired a Munich company (which one is not publicly known) to gain access to his device. They searched through Apple’s Health app and were able to gain more data [e.g., steps taken and elevation changes] about what he was doing that day. The app recorded a portion of his activity as “climbing stairs,” which authorities were able to correlate with the time he would have dragged his victim down the river embankment, and then climbed back up. I asked Michael Kwet and Sean O’Brien, both researchers at Yale Privacy Lab who have previously written on the topic of privacy and health apps for Motherboard, whether we should expect more of these kinds of cases—where someone’s own phone essentially testifies against them—in the US. “Yes,” O’Brien said in an email. Kwet added that a study by the nonprofit think tank Rand Corporation found that data culled from fitness trackers, smartphones, and other personal devices is likely to be used in criminal investigations, and that the legal system is ill-equipped to handle these cases. [Vice.com | See also: Naked Security, Daily Mail, Digital Trends and The Drum]

Horror Stories

US – Bell Canada Suffers Another Data Breach

Bell Canada has acknowledged a second data breach in less than a year. In May 2017, hackers stole information belonging to 1.9 million customers. The more recent breach affected fewer than 100,000 customers. Bell Canada has not said if the two breaches are related. [www.cbc.ca | www.theregister.co.uk | www.scmagazine.com]

CA – OPC Report & Comments on VTech Breach Investigation

An OPC investigation into a global data breach at VTech found the connected toy maker had failed to adopt adequate security measures to protect sensitive personal information of children. The breach in late 2015 compromised the personal information of millions of people around the world, including more than 500,000 Canadian children and their parents. The Office of the Privacy Commissioner of Canada is satisfied that the measures VTech has implemented are sufficient and will reduce the risk of a future breach. The Commissioner’s office investigated the breach in cooperation with the U.S. Federal Trade Commission, which also announced today that it has reached a settlement with VTech. The office also collaborated with the Privacy Commissioner for Personal Data for Hong Kong, where VTech is headquartered. The OPC report highlights important lessons for other organizations that collect the personal information of children. In particular, heightened safeguards need to be in place to protect sensitive information from unauthorized access. [Privcom]

Identity Issues

US – Identity Fraud Hits All Time High: Research Study

The 2018 Identity Fraud Study released February 6 revealed that the number of identity fraud victims increased by eight percent (rising to 16.7 million U.S. consumers) in the last year, a record high since Javelin Strategy & Research began tracking identity fraud in 2003. The study found fraudsters successfully [hit] 1.3 million more victims in 2017 over 2016, with the amount stolen rising to $16.8 billion. The Study found four significant trends: 1) Record high incidence of identity fraud; 2) Account takeover grew significantly; 3) Online shopping presents the greatest fraud opportunity; and 4) Fraudsters are getting more sophisticated. Consumers can minimize the risk and impact of identity fraud. The following are five recommendations for consumers to follow: 1) Turn on two-factor authentication wherever possible; 2) Secure your devices; 3) Place a security freeze; 4) Sign up for account alerts everywhere; and 5) Protect yourself from unauthorized online transactions. [Javelin Strategy | Additional coverage at: Dark Reading, CBS News, CNBC, MediaPost and Wall Street Journal]

Intellectual Property

CA – Website Publishing Debtors’ Personal Info Pulls Plug After Lawsuit

The man behind a website that named and shamed debtors who owe money as a result of court judgments resisted the Ontario government’s request that he “cease and desist” [see here] — but ultimately backed down after the federal privacy watchdog took him to Federal Court. Until December last year, publicexecutions.ca would publish names and other personal information [provided by successful parties in small claims and civil suits] linked to people who were successfully sued but still owe money — in exchange for a fee ranging from $25 to $100. The site’s motivation was to address what many of those victorious litigants say is a major problem with the small claims court system: their difficulty in collecting the money they’re owed. While all the information in question is public, Canada’s privacy commissioner claimed in a notice of application that the website’s actions contravened Ontario’s Consumer Reporting Act and several federal laws, including the Personal Information Protection and Electronic Documents Act (PIPEDA). Dougall Grange, the owner and operator of Public Executions, pushed back, [says] “I wrote them a fairly long letter telling them exactly why I wasn’t breaching their statute. Number one — a judgment is not a consumer report. It’s a publicly known statement of fact from a court about a person. I consider what I was doing was protecting consumers.” Grange said he believes his website was “absolutely legitimate” and that he was not violating anybody’s privacy with what he published online — although he admitted the site called out debtors “in a bit of a crude way.” “It wasn’t perfect,” he said, adding he was aware that some people “simply couldn’t pay the money.” The privacy watchdog ultimately discontinued the suit against Public Executions on Dec. 22, 2017 — just over a month after filing the application — after Grange told the commissioner’s office he would take down the site and had “no intention to reinstate it at this time.” [iPolitics]

Law Enforcement

UK – Report Shows Police IP Address Errors Lead to Wrongful Arrests

Police have been increasingly making errors in IP address resolution, according to a letter presented by the Interception of Communications Commissioner (IOCCO), Sir Stanley Burnton, to accompany his annual report to the prime minister. [See here] Burton explains that while “errors and more general problems form a very small percentage of the total activity I inspect”, he is “concerned by the increasing number of errors that occur when public authorities try to resolve IP addresses” and that errors are “far more common than is acceptable”. The errors mainly stem from manual entry of details into software that helps police work out the location at which a specific IP (internet protocol) address has been used. As it is, communication service providers (CSPs) can easily reassign IP addresses, for good reasons, Burnton explained The impact of these errors has in some cases been enormous, he says, citing Nigel Lang for “having had the courage to highlight this issue in the media.” [See here] He suggests that mindsets need to change: we just can’t assume that “technical intelligence” such as IP address resolution is infallible. The commissioner made recommendations in his earlier, July 2015 half-yearly report. [Source  | Additional coverage at: The Times, The Register, The Telegraph and International Business Times]

US – NYPD subpoenas Google for Staten Island Teen’s Digital History

The NYPD is requesting from Google the “entire digital history” of a Staten Island high school student, which according to the teen’s attorney, represents an “unconstitutional violation of privacy.” The subpoena relies on the city Administrative Code, drafted by the New York City Council, rather than approval from a state or federal court, which according to the teen’s attorney is both unlawful and unusual. The NYPD contacted Google last month with the Dec. 14 subpoena for the 17-year-old’s e-mails, contacts, search history and other digital information in regard to an ongoing investigation, according to the teen’s Manhattan state Supreme Court filing, which seeks to block the subpoena. Regardless of what the investigation is about, the fight in court is about tempering the power police have in obtaining a citizen’s personal information, said attorney Martin Soltar. [He] said the request is invalid because the city code it references was not meant to allow the NYPD to issue subpoenas in criminal investigations. He said it also violates the federal Stored Communications Act, in that it isn’t backed by a state or federal statute. It’s not the first time the NYPD has requested account data from a social media site prior to obtaining a court order. In 2012, Twitter refused an NYPD request for account data tied to threats about a public event in the city, then later complied under court order. [Source | See also: New York Post]

US – NY Police Union Files Suit Over Release of Body Camera Footage

A union representing New York City police officers sued the department Tuesday, saying its release of body camera footage without a court order violates a state law that makes officer disciplinary records confidential. The Patrolmen’s Benevolent Association [see here], which represents about 24,000 uniformed officers, said the public release of footage, which began last summer on a limited basis, also violates the privacy of everyday citizens caught on camera. [see PR here, Petition here and Memo of Law here]. The city’s law department said it is reviewing the complaint. Use of body cameras in police departments has exploded in the past five years. The public has largely been in favor of using cameras and departments have advertised them as a way to protect police from false accusations. Chicago’s police union is fighting body cameras on the grounds that their implementation wasn’t properly negotiated with the union and violated the labor contract. Seattle’s police union filed a complaint over the summer. [ABC News | See also: New York Post, The Daily Caller, Newsday, Wall Street Journal and Politico]

Location

US – Strava Fitness App Map Reveals Locations of Military Bases

A map generated by the Strava fitness tracking app has exposed information about military bases and facilities around the world. Strava published the map, which includes GPS data from the app’s users, last year. The company’s intent was to demonstrate how many people were already using the app. Instead, the map revealed the locations of military bases through concentrated areas of fitness activity in remote places. The exposed bases belong not just to the US, but to other countries as well. [www.bbc.com | thehill.com | www.zdnet.com | www.bleepingcomputer.com | arstechnica.com | DHS Re-examining Personal Electronic Device Policy | www.nextgov.com | See also: Fitness tracking app not a security problem for Canadian military | See also: The Daily Beast, The Washington Post, NPR, Ars Technica and Fox News]

Online Privacy

CA – B.C. Court Grants Crown Appeal in RCMP Attempt to Discover Identity of Craigslist Advertiser

B.C.’s highest court has overturned two lower-court rulings offering a measure of protection for the identity of a person who placed a classified advertisement on a website. [See ruling here] The RCMP wanted the Craigslist advertiser’s name or physical address, email address, IP address, phone numbers to verify the account, dates and times that the post was created, and the record of the posting. This application was refused by Provincial Court Judge M.J. Brecknell on jurisdictional grounds: Craigslist does not have a physical presence in B.C. The lower-court judge noted that a Supreme Court of Canada ruling [see here & here] in a case against Google didn’t apply in this instance because that concerned a civil matter, whereas the RCMP’s application concerned a criminal matter. The Provincial Court ruling was upheld after the Crown filed an appeal in B.C. Supreme Court. However, on January 9, a three-judge B.C. Court of Appeal came to a different conclusion, noting that Craigslist “is willing to respond to production orders issued in British Columbia and has provided information in response to court orders in the past”. [Straight | See also: Vancouver Sun & Prince George Citizen]

US – Marketing Company Seeks to Unmask Blogger

The Appeals Court reviewed the district court’s refusal to unmask an anonymous blogger regarding Signature Management Team, LLC’s copyright claims. When deciding whether to identify the blogger or allow him to maintain anonymity, the court will consider the fact that he was already found to have infringed copyright law and that the company has an interest in unmasking him in order to enforce its remedies; the blogger will have to prove he participates in non-infringing anonymous speech that would be affected by revealing his identity. [Signature Management Team, LLC v. John Doe – United States Court of Appeals for the Sixth Circuit]

Other Jurisdictions

US – Supreme Court Will Hear Microsoft and Irish Data Centre Case

Twenty-three amicus briefs signed by hundreds of individuals and organizations support Microsoft’s position regarding customer data held on a server in Ireland. The US Department of Justice (DoJ) has demanded the information, and Microsoft has refused. The case has made its way to the US Supreme Court. The court will hear arguments in the case next month. [gizmodo.com | www.theregister.co.uk]

US – Feds: Cloud Cybersecurity Benefits Now Outweigh Risks

Many federal government IT managers used to be wary of the shortcomings of migrating to cloud technology because of potential data security problems affecting email, business systems, personal data records and, especially, national security operations. However, after the federal “cloud first” [see here] initiative’s six-year effort to promote the technology, there are signs that federal IT managers gradually have changed their assessment. Federal IT managers have concluded that cloud technology will meet — and even exceed — government data protection requirements, two recent reports indicate. Importantly, there also is an emerging trend among agencies toward using cloud technology by itself, either as a complete cyberprotection system, or as a tool to provide both specialized and comprehensive cybersecurity capabilities. [E-Commerce Times | Additional coverage at Federal News Radio]

Privacy (US)

US – FTC Makes Case for Data Privacy, Security Muscle

The Federal Trade Commission issued its annual report on privacy and data security actions over the past year [FTC PR here & 22 pg PDF Report here]. [It outlines] the FTC’s “broad” authority over privacy issues: “The FTC’s primary legal authority comes from Section 5 of the Federal Trade Commission Act [see FTC here & wiki here], which prohibits unfair or deceptive practices in the marketplace. The FTC also has authority to enforce a variety of sector specific laws, including the Truth in Lending Act [here], the CAN-SPAM Act [here], the Children’s Online Privacy Protection Act [here], the Equal Credit Opportunity Act [here], the Fair Credit Reporting Act [here], the Fair Debt Collection Practices Act [here], and the Telemarketing and Consumer Fraud and Abuse Prevention Act [here].” [ISPI Note: The FTC enforces or administers at least 73 statutes see here] The report cites 130 spam and spyware cases and 50 general privacy lawsuits in 2017–the FTC’s enforcement authority is via filing suits and securing settlements. It also points out, in regard to the FCC’s rollback of the net neutrality regs, that the FTC “has expertise in the antitrust and consumer protection issues raised by net neutrality concerns.” [Broadcasting & Cable see also: Consumer Finance Monitor (Ballard Spahr) & Inside Cybersecurity]

IoT

US – NIST Issues Draft Report on IoT Security Standards

The US National Institute of Standards and Technology (NIST) has released a draft report, “Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things (IoT),” that is designed to help “policymakers, managers, and standards participants as they seek timely development of and use of such standards in IoT components, systems, and services.” [gcn.com | Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things (IoT) ]

US – Consumer Reports Examines Smart TV Security

A Consumer Reports analysis of five brands of smart TVs found that all can track users’ viewing habits. Security on two of the brands was so weak that hackers were able to remotely change channels, install apps, and play YouTube videos of their choosing. The evaluated TVs did ask permission to collect viewing data and additional information, but they did not make it easy for viewers to understand exactly what they were agreeing to share. [www.usatoday.com]

CA – Experts Advise Precautions with Digital Assistant Speakers

“Eventually there will be ways to hack into these virtual systems,” said Dana DiTomaso, CBC’s tech columnist and president of Edmonton-based digital marketing agency Kick Point. “They’re too juicy a target for hackers to turn it down.” The devices record the voice of the user and send it back to servers which use “machine learning” to return “the most relevant responses”, said Daniel Blair, a technology researcher and CEO of a virtual reality startup in Winnipeg. Those with privacy concerns can limit the activity of the device by modifying settings and using mute functions, he said. Both Amazon and Google say customers can delete information collected by logging in to their Amazon or Google accounts. But former Ontario privacy commissioner Ann Cavoukian said Canadians should carefully consider bringing a device into their home because “you don’t know how your information might be used, to whom it might be disclosed.” [CBC | Insurance Business] [SEE ALSO: The Lost Art of Privacy: In-home devices like Amazon’s Alexa are prompting a reconsideration of a timeless virtue | The skeptic’s guide to smart home gadgets | What’s Holding Back the Smart Home from Mass Adoption? | Expect more IOT attacks in 2018 | Understanding user privacy in the age of smart speakers | How to Delete the Voice Data That Amazon Echo and Google Home Are Storing | Need-to-knows before buying Google Home or Amazon Echo | Experts Break Down The Difference Between Google Home and Amazon Echo | ‘Tis the season for unfettered government access to your data | Experts caution against using digital assistants without knowing where your data goes | Home Assistant Adopter Beware: Google, Amazon Digital Assistant Patents Reveal Plans for Mass Snooping | Apple plugs IoT HomeKit hole | Gifts That Snoop? The Internet of Things Is Wrapped in Privacy Concerns | The Internet Of Toys: Legal And Privacy Issues With Connected Toys | Why you should be ‘suitably paranoid’ about your home devices’ cybersecurity | Voice-enabled smart speakers to reach 55% of U.S. households by 2022, says report | Citing ‘a few’ malfunctions, Google nukes touch function from Home Mini | Amazon’s Echo Show strips you of your last shred of privacy | Electronics all over your home could be spying on you. Here’s how to stop it | Amazon hands over Echo data in murder case | Ryerson’s director of privacy and big data says Canadians should be cautious of all things ‘smart’ | Devices sprout ears: What do Alexa and Siri mean for privacy? | The Privacy Threat From Always-On Microphones Like the Amazon Echo | Murder case will test privacy rights of Amazon Echo users | Police mull gathering crime evidence from smart home devices]

CA – Welcome to the Neighbourhood. Have You Read the Terms of Service?

Before long, Quayside may be one of the most sensor-laden neighbourhoods in North America, thanks to Alphabet’s Sidewalk Labs, which has been working on a plan to redevelop the area from the ground up into a test bed for smart city technology. It’s being imagined as the sort of place where garbage cans and recycling bins can keep track of when and how often they’re used, environmental probes can measure noise and pollution over time and cameras can collect data to model and improve the flow of cars, people, buses and bikes throughout the day. The idea is that all of this data — and the newfound insights its analysis could yield — will help cities run more efficiently and innovate at a faster pace than they do today. But when it comes to the data these cities gather, not everyone believes the tradeoff is worth it. Although governments already collect lots of data on their citizens, it’s becoming clear that current privacy laws aren’t going to be enough to deal with the realities of what most of these visions propose — data collection on a scale that far surpasses what’s happening today. Smart cities, after all, take data collection and analysis to a new, previously unimagined extreme. And with so many different sensors and so much data being collected and analyzed, how could anyone be expected to understand, much less consent to it all? [CBC]

Security

EU – Critical Vulnerabilities Discovered in Chip Processors

The European Union Agency for Network and Information Security (ENISA) has examined the critical vulnerabilities found in various types of chip processors. The vulnerabilities, called Meltdown and Spectre, affect personal computers, cloud systems, mobile devices and operating systems; mitigating measures include security patches (which may impact performance, so backups are advised), using up-to-date ad-blockers and anti-malware software, and protecting systems that handle sensitive data (prevent them from executing unauthorised software and accessing untrusted websites). [ENISA – Meltdown and Spectre: Critical Processor Vulnerabilities]

WW – Vendor Data Security Checklist

An advocacy group recommends certain considerations prior to investing in software applications. Consider past security criticisms and guarantees about data availability; ask questions of the vendor about their privacy policy, law enforcement disclosure practices, whether they have a dedicated security team, have encryption in place, and regularly conduct security audits, any experience with a data breach and their notification policy, and any compliance with specific legal requirements (e.g. HIPAA, COPPA or FERPA). [Source]

EU – ENISA Issues Recommendations to Mitigate Threats

The European Union Agency for Network and Information Security has issued its Threat Landscape Report 2017. Organizations should perform traffic filtering to all relevant channels (web, network and mail), implement data access rights on a need-to-know basis, train users to avoid common security pitfalls like phishing and social engineering attacks, and implement malware detection in all platforms in use (servers, network infrastructure and mobile devices). [ENISA – ENISA Threat Landscape Report 2017]

US – Report: CISOs Say Lack of Competent Staff is Top Cybersecurity Concern

According to a Ponemon Institute survey, 612 Chief Information Security Officers (CISOs) and IT security professionals said that their top cyber security concern for 2018 is the lack of competent in-house staff. Other concerns in the top five are data breaches, cyber attacks, inability to reduce employee negligence, and ransomware. [www.darkreading.com]

WW – Sensor Data Can Be Used to Guess Your PIN, Unlock Your Phone

According to researchers from the Nanyang Technological University (NTU) in Singapore, malicious apps on your phone could use the datastream from its sensors to build up information on how the phone is used and ultimately guess the phone’s PIN. The researchers’ algorithm was able to guess a PIN with 99.5% accuracy on the first try using a list of the top 50 most common PINs, although the success rate went down to 83.7% when it tried to guess all 10,000 possible combinations of four-digit PINs within 20 tries. There’s no barrier to collecting the data because those sensors are what’s known as “zero-permission” – essentially, an app doesn’t need a user’s consent to access [“non-critical”] data from a device’s accelerometer, gyroscope, magnetometer, proximity sensor, barometer or ambient light sensor. They are yet another example of how data from seemingly disparate and unrelated sources can be merged to provide information that is much more invasive than you thought. In this case, enough to guess your PIN and invade your phone, at which point your critical data is at risk. [Naked Security | See also: Phys.Org, Digital Journal, Hack Read and BleepingComputer]

US – NIST Update Emphasizes Security Design Principles

The National Institute of Standards and Technology (NIST) has issued an update to its Special Publication 800-160 on systems security engineering. Security design principles are divided into 3 categories: security architecture and design (e.g. trusted components and least privilege), security capability and intrinsic behavior (e.g. accountability and traceability, and secure failure and recovery), and life cycle security (e.g. repeatable and documented procedures, and secure system modification). [NIST – Systems Security Engineering – Special Publication 800-160 | Press Release]

WW – Data Security Predictions 2018: Ransomware Threats Lead the Top Trends

In 2018, the volume, complexity, and stakes of cyberattacks will only continue to increase — with malicious actors capitalizing on the IT/OT/IoT convergence phenomenon to identify new attack vectors and wreak more widespread havoc. As we enter a New Year, here are my thoughts for what is on the horizon for the cybersecurity landscape in 2018: 1) We will see new and creative forms of ransomware; 2) The probability is high that we will see the first major cyberattack on US critical infrastructure; 3) Security budgets will shift significantly as they relate to size and allocation; and 4) Cybersecurity workforce will go under the red line [Source | See also: Predictions 2018: What tighter European GDPR will mean for marketers | 10 Security Predictions For 2018 | New Year, New Threats: 5 security predictions for 2018 | Cybersecurity forecast 2018: threats and trends for the year ahead | A look into the crystal ball: Cybersecurity predictions for 2018 | 10 Security Predictions, Trends & Challenges for 2018 | What’s in store for security in 2018? | Six 2018 security predictions from the security experts at Beyond Security | Predictions 2018: How GDPR is Forcing Big Changes in Storage | Forcepoint 2018 Predictions: Privacy Fights Back | Data Breach Predictions: The Trends to Shape 2018 | IDC Canada Releases Its 2018 ICT Predictions | Arcserve Serves Up 2018 Predictions in Data Protection | WatchGuard’s 2018 Security Predictions | Why Companies Should Prepare for More Data Breach Lawsuits | 2018 Security Predictions From Splunk | 2018 Biometric Security Predictions | 2018 Cybersecurity prediction: Extortion attempts, ransomware will proliferate | 2018 is primed for blockchain, big data and cloud computing advancements, all with a better security plan | 2018 Predictions & Recommendations: The Internet of Things Blurs the Line Between Personal and Corporate Security | 2018 Predictions – Rise of IoT adoption will increase cybersecurity attacks ]

Smart Cars

US – FTC Staff Releases Paper Highlighting Key Privacy and Security Issues for Autonomous and Connected Vehicles

FTC Staff released a new “Staff Perspective” [see FTC PR here] on January 9, 2018, that highlights key privacy and data security issues related to autonomous and connected vehicles. The Staff Perspective outlines four key takeaways from a workshop hosted by the FTC and the National Highway Traffic Safety Administration (NHTSA) on June 28, 2017 [see here]. It also summarizes recent legislative and regulatory developments and indicates that the FTC will continue to monitor the connected car marketplace. Companies that manufacture or integrate with connected car technology should keep a close eye on future FTC actions in this marketplace, and they should understand that the FTC expects businesses to protect the privacy and security of information relating to consumers when collecting, using, or sharing data through connected cars. We summarize below the FTC’s key takeaways from the workshop: 1) Many companies throughout the connected car ecosystem will collect data from vehicles, much of which will be used to provide important benefits to consumers; 2) The types of data collected through connected cars will range from aggregate data, to non-sensitive data about a particular vehicle or individual, to sensitive personal data; 3) Consumers may be concerned about secondary, unexpected uses of data (Transparency, Choice, Respect for Context, Data Minimization, De-Identification & Retention, Data Security, Integrity & Access and Accountability); 4) Connected and autonomous vehicles will have cybersecurity risks that can potentially be exploited; and 5) Developments since the workshop. The FTC’s Staff Perspective indicates that FTC Staff will continue to monitor the connected car marketplace. At least for the moment, FTC Staff appears willing to allow individual companies and self-regulatory programs to continue developing privacy and security principles and best practices for connected car technologies.
In the meantime, however, the Staff Perspective also notes that the FTC Staff will use its civil authority under Section 5 of the FTC Act to bring enforcement actions against companies that engage in unfair or deceptive practices, such as if a company makes materially false or misleading statements to consumers regarding its privacy or data security practices or fails to have “adequate security protections,” as described in the FTC’s Start with Security guidance document and its Stick with Security Blog series. [Privacy and Cybersecurity Law Blog]

US – Connected Cars: Different Approaches Required for Data Types

The FTC and the National Highway Traffic Safety Administration hosted a workshop on connected cars. Automated vehicles will collect aggregated data for traffic management, personal data related to car performance, and sensitive personal data about vehicle occupants (e.g. location data, biometrics for authentication); safety-critical data (speed, direction, brake status) should be regularly transmitted to other vehicles automatically, but non-critical data should require opt-in consent, and consumers should be informed of secondary, unexpected uses (e.g. targeted advertising). [FTC – Connected Cars Workshop]

CA – Senators Urge Liberals to Act on Privacy, Security Issues with Automated Cars

In a report released this week [see 78 pg PDF report here & Infographic here] the Senate’s transport committee is urging the federal Liberals to take control of the development and testing of self-driving cars on Canadian roads before governments fall too far behind the technological revolution. [It describes] how different departments and levels of government are taking different approaches to automated vehicles: some are hitting the brakes out of safety concerns, while others hope to drive innovation by stepping on the gas. The committee says the federal government needs to better co-ordinate action. The report recommends giving the privacy commissioner greater reach over how car companies use drivers’ information, including whether companies can monetize personal information, and giving federal cybersecurity officials a bigger role over protecting the new technology from hackers. The chairman of the committee says government action must be stronger than in the United States, but must also strike a balance to prevent spilling over into the private sector. [CTV News | See also: CBC News]

US – Navigating the Road Ahead: Auto Industry Stakeholders and Regulators Convene to Discuss Connected Vehicle Privacy

On January 23 a cross-section of automotive stakeholders, government officials, and consumer and privacy advocates came together at Hogan Lovells’ Washington office to discuss privacy issues facing connected vehicles. The half-day conference, co-hosted by Hogan Lovells and the Future of Privacy Forum, convened with the theme of “Privacy and the Connected Vehicle: Navigating the Road Ahead” [see here]. Panels focused on the privacy landscape surrounding automobiles and connectivity generally, regulatory developments and areas of government interest, and the effect of emerging technologies on business models and privacy practices in the automotive space. Several key themes emerged: 1) What Sets Vehicles Apart; 2) Not All Data Are Created Equal; 3) Role of the Government; and 4) Many Challenges and Questions Remain. [HLDA]

US – Big Brother on wheels: Why your car company may know more about you than your spouse.

[We] may consider [our] everyday driving habits mundane, but auto and privacy experts suspect that big automakers see them as anything but. By monitoring [our] everyday movements, an automaker can vacuum up a massive amount of personal information about [us], everything from how fast [we] drive and how hard [we] brake to how much fuel [our] car uses and the entertainment [we] prefer. [They] can determine where [we] shop, the weather on [our] street, how often we wear [a] seat belt, what [we were] doing moments before a wreck — even where [we] like to eat and how much [we] weigh. Though drivers may not realize it, tens of millions of American cars are being monitored like [this], experts say, and the number increases with nearly every new vehicle that is leased or sold. Carmakers have turned on a powerful spigot of precious personal data, often without owners’ knowledge, transforming the automobile from a machine that helps us travel to a sophisticated computer on wheels that offers even more access to our personal habits and behaviors than smartphones do. [Wash Post | My Business]

Surveillance

US – ICE is About to Start Tracking License Plates Across the US

The Immigration and Customs Enforcement (ICE) agency has officially gained agency-wide access to a nationwide license plate recognition database, according to a contract finalized earlier this month. The system gives the agency access to billions of license plate records and new powers of real-time location tracking, raising significant concerns from civil libertarians. The source of the data is not named in the contract, but an ICE representative said the data came from Vigilant Solutions [here], the leading network for license plate recognition data. Spokesperson Dani Bennett said in a statement: “ICE is not seeking to build a license plate reader database, and will not collect nor contribute any data to a national public or private database through this contract.” While it collects few photos itself, Vigilant Solutions has amassed a database of more than 2 billion license plate photos by ingesting data from partners like vehicle repossession agencies and other private groups. Vigilant also partners with local law enforcement agencies, often collecting even more data from camera-equipped police cars. The result is a massive vehicle-tracking network generating as many as 100 million sightings per month, each tagged with a date, time, and GPS coordinates of the sighting. On December 27th, 2017, Homeland Security issued an updated privacy assessment [See ICE PR here] of license plate reader technology, a move it explained was necessary because “ICE has now entered into a contract with a vendor.” The new system places some limits on ICE surveillance [but] the biggest concern for critics is the sheer scale of Vigilant’s network, assembled almost entirely outside of public accountability. [The Verge | See also: The Hill, CATO at Liberty Blog, GIZMODO, The New American, Deeplinks Blog (EFF) and Fast Company]

US – ICE Accesses Commercial License Plate Reader Database—We Want Access to ICE

The United States Immigration and Customs Enforcement (ICE) agency recently issued a contract request [see here] for query-based access to a commercial license plate reader (LPR) database. On December 27, 2017, ICE released a Privacy Impact Assessment (PIA) in which ICE confirmed it had procured this service. On Friday, February 2, we filed a Freedom of Information Act (FOIA) request [5 pg PDF here] with ICE seeking information on the contract, as well as any internal training materials, policy memos, and documents related to how ICE agents plan to use the commercial database and LPR data. We filed this request because ICE’s access to a commercial LPR database raises multiple concerns: 1) ICE’s policy permits excessive access to and retention of LPR data; 2) The “hotlist” feature provides ICE the ability to monitor ongoing movements of designated license plates indefinitely and without clear restrictions; and 3) This access may undermine limits on racial profiling and surveillance at ‘sensitive locations.’ [CDT | Related coverage at: Campus Safety Magazine, PressConnects, Security Today and OC Weekly]

UK – CCTV Commish: Bring All Surveillance Systems Under Code of Practice

The UK’s surveillance camera commissioner has told the British government to adopt a “common sense position” and bring all bodies using surveillance camera systems under its code of practice. Tony Porter, whose term as commissioner was in 2017 extended for another three years, used his annual report [see PR here] to call for the Surveillance Camera Code to extend to rail franchises, the health sector and transport hubs. He also used it to raise concerns about inaccuracies in the UK’s use of Automatic Number Plate Recognition (ANPR) technologies and ask for the database to be placed on a statutory footing by the government, as well as lobby for more resourcing for his office. Porter noted that its ANPR use was growing beyond law enforcement, to road enforcement and managing traffic flows. In a speech delivered at the ANPR conference last month, Porter said that ANPR accuracy had been quoted at more than 97 per cent, but that this still meant between 750,000 and 1.2 million misreads per day. Porter directed a dig at the Home Office over the much-delayed Biometrics Strategy – this should cover facial recognition technology, which is an area of overlap between Porter and the biometrics commissioner, Paul Wiles. [Source | See also: Jersey Evening Post and The Sun]

US Government Programs

US – ACLU Says New Customs and Border Patrol Directive Doesn’t Go Far Enough

The US Customs and Border Patrol (CBP) released new guidelines for the search and seizure of electronic devices belonging to travelers leaving and entering the US. The American Civil Liberties Union (ACLU) has issued a statement regarding the CBP’s new directive, saying that it does not go far enough to protect travelers’ constitutional rights. According to the ACLU, while the new “policy would at least require officers to have some level of suspicion before copying and using electronic methods to search a traveler’s electronic device [it] still falls far short of a search warrant based on probable cause.” [threatpost.com | www.scmagazine.com | www.nextgov.com | CBP Directive No. 3340-049A: Border Search of Electronic Devices]

US – New Guidelines: Border Agents Need ‘Reasonable Suspicion’ for ‘Advanced’ Device Searches

Customs and Border Protection (CBP) on Friday issued the updated guidelines for searches of electronic devices at the U.S. border [see here], which contain new restrictions on the circumstances under which officials can conduct what are called “advanced” searches. These searches are those in which agents connect external equipment to a device in order to analyze or copy its contents. According to the new directive, agents need to demonstrate reasonable suspicion of criminal wrongdoing or otherwise show that there is a “national security concern” in order to conduct advanced searches. Border agents are still allowed to manually search through devices — which could involve sifting through photos, browsing histories or messages — “with or without suspicion,” in what are called basic searches. New data released by CBP [see here] shows that the agency conducted more than 30,000 border searches of electronic devices belonging to those exiting and entering the country in fiscal 2017, a 50 percent increase over the previous year. More than 29,000 international travelers entering the U.S. had their devices searched, compared with nearly 18,500 the previous year. Far fewer individuals had devices searched when leaving the United States. CBP conducted device searches for the most travelers, 3,133, in August 2017, the only month that the count broke 3,000. Most months in 2017 hovered around 2,500. The previous year, the

US Legislation

US – House Fails to Protect Americans from Unconstitutional NSA Surveillance

The House of Representatives cast a deeply disappointing vote today to extend NSA spying powers for the next six years by a 256-164 margin. The vote concerned S. 139 [see here & reviewed here], a bill to extend Section 702 of the Foreign Intelligence Surveillance Act (FISA), a powerful surveillance authority the NSA relies on to sweep up countless Americans’ electronic communications. EFF vehemently opposed S. 139 for its failure to enact true reform of Section 702 [see here & here]. In a related vote, the House also failed to adopt meaningful reforms on how the government sweeps up large swaths of data that predictably include Americans’ communications. The House was unable to pass an amendment—through a 183-233 vote—that would have replaced the text of S. 139 with the text of the USA Rights Act [see here & reviews here]. The amendment to replace the text of S. 139 with the USA Rights Act was introduced by Reps. Justin Amash (R-MI) and Zoe Lofgren (D-CA) and included more than 40 cosponsors from both sides of the aisle. Its defeat came from both Republicans and Democrats. S. 139 now heads to the Senate, which we expect to vote by January 19. [EFF.org | See also: Hit & Run Blog (Reason), CATO At Liberty, CNET, The New York Times and The Washington Post]

Workplace Privacy

CA – BC OIPC Issues Guidance on Tracking Employees

As technology becomes more inexpensive, accessible and ubiquitous, we are seeing an increase in employers’ use of surveillance tools. While workplace monitoring has its benefits, such as providing safety coverage and greater transparency, it can come with risks, including the unlawful collection of employees’ personal information. Recognizing the enhanced role technology plays in the modern workplace, the Office of the Information and Privacy Commissioner for British Columbia (OIPC) recently published two guidance documents to help employers navigate their use of employee surveillance: 1) Employee Privacy Rights; and 2) Using Overt Video Surveillance [Source]

CA – NL OIPC Issues Warning on Using Social Media for Employee Checks

Information on social networks such as Facebook and Twitter may be public, but Newfoundland and Labrador’s privacy commissioner Donovan Molloy said that doesn’t mean it can be used to make hiring decisions. “In our view, they’re not meant for public-body employers in Newfoundland and Labrador to use as an indirect source of determining whether or not you’re somebody that they might want to hire.” To help employers make good hiring decisions in a world where personal information about candidates is often just a Facebook search away, the privacy commission has released a new set of guidelines [see 3 pg PDF here] on doing employee and background checks via social media. The collection, handling, and use of information by public bodies is governed by the province’s Access to Information and Protection of Privacy Act. That act specifically requires that with the exception of specified circumstances, information must be directly collected from the individuals a public body is dealing with. “If you’re collecting information about job candidates from their social media sites it isn’t a direct collection, it’s an indirect collection,” Molloy said. “Unless you’ve gotten consent, it’s not authorized. And even if you do have consent there are dangers associated with finding outdated material, material related to third persons.” The concern isn’t insignificant. Seventy per cent of employers use social media to screen candidates before hiring, according to a 2017 CareerBuilder poll. [Source]

WW – BYOD: Discoverable Devices Contain Relevant Unique ESI

Working Group 1 of the Sedona Conference has created draft principles for developing policies and meeting discovery obligations regarding Bring Your Own Device (“BYOD”) programs. Factors to determine whether electronically stored information (“ESI”) is discoverable include whether the ESI is within the employer’s possession, custody or control, and whether the discovery is proportional to the needs of the case; employers cannot ignore discovery obligations because a device containing ESI is also used for personal purposes. Comments can be submitted until March 26, 2018. [The Sedona Conference – Commentary on BYOD – Principles and Guidance for Developing Policies and Meeting Discovery Obligations BYOD Principles] See also: [E-Discovery for Defendants Cheat Sheet – James M. Beck, Lawyer, ReedSmith – Drug and Device Law Blog]

 

+++

 

 

January 2018

Big Data

CA – Feds to Search Social Media Using AI to Find Suicide-Related Behaviour

The Canadian government will hire an Ottawa-based company specializing in social media monitoring and artificial intelligence to forecast potential spikes in suicide risk. A contract with Advanced Symbolics Inc., an AI and market research firm, is set to be finalized next month. Working with the company to develop its strategy, the federal government will define “suicide-related behaviour” on social media and “use that classifier to conduct market research on the general population of Canada,” according to a document published on the Public Works website. This pilot project will last three months, after which the government “will determine if future work would be useful for ongoing suicide surveillance,” the tender document said. Advanced Symbolics said its artificial intelligence looks for trends, not individual cases. Instead, the AI will flag communities or regions where multiple suicides could be likely. According to CEO Erin Kelly, “We’re not violating anybody’s privacy — it’s all public posts. We create representative samples of populations on social media, and we observe their behaviour without disturbing it.” The company will begin defining suicide-related behaviour in January, with monitoring slated to start later in 2018. [CBC | See also: Vice and Dispelling 3 Most Common Myths About AI and Big Data]

US – Universities Adding Computer Science Ethics Courses

U.S. universities are beginning to introduce computer science ethics courses to help guide the next generation of computer scientists through the issues they are likely to face over the coming years. Harvard and MIT are offering a joint course, “The Ethics and Governance of Artificial Intelligence.” The University of Texas at Austin has recently introduced a course called “Ethical Foundations of Computer Science” that is likely to become a requirement for all students majoring in computer science. At Stanford University, the computer science department will offer a course called “Ethics, Public Policy, and Computer Science.” [www.nytimes.com]

Canada

CA – Create New Watchdog to Review Border Agency, RCMP, Federal Report Recommends

A federally commissioned report says the Trudeau government should create a new watchdog to handle public complaints about the Canada Border Services Agency. According to the report, prepared for Public Safety Canada, the new watchdog, the Canada Law Enforcement Review Commission, would scrutinize both the border agency and the RCMP, given the frequent overlap between the two enforcement organizations. The border agency’s thousands of employees manage the flow of about 100 million travellers — as well as some 16 million commercial shipments — entering Canada annually. They collect, analyze and distribute information concerning people and goods at border points, air terminals and seaports. Border officers can stop travellers for questioning, take blood and breath samples, and search, detain and arrest citizens and non-citizens without a warrant. Civil libertarians, refugee lawyers and committees of both the House of Commons and Senate have called in recent years for stronger arm’s-length monitoring. The commission, with a chair and four or five commissioners, would have power to compel documents and witnesses, as well as authority to dismiss frivolous complaints. Cappe suggests it issue non-binding recommendations to the RCMP and border agency to preserve the accountability of the agencies. [Source | New powers for Canadian spy agency alarming | National Post: Critics Fear the Government’s National Security Bill Puts Canadians in the Crosshairs]

CA – Electronic Spy Agency Watchdog Asks for More Powers

In a memo to the House of Commons’ public safety committee [SECU], Jean-Pierre Plouffe [CSE watchdog] argued the proposed new position of intelligence commissioner should have a greater role in reviewing and approving the actions of the Communications Security Establishment (CSE). Plouffe, who has served as the independent reviewer of CSE’s activities since 2013 [see here], said the agency’s new power to launch cyber attacks is even broader than the controversial power given to CSIS to “disrupt” threats to Canada. Despite that broad range of activities, there is no independent oversight of CSE’s new offensive capabilities, Plouffe notes; instead, only the ministers of national defence and foreign affairs need to sign off. “There is no role envisaged for the (intelligence commissioner) to approve such an authorization, even where third-party rights, including their privacy rights, could be affected, including (the rights) of a Canadian outside of Canada, or where Canadian law could be contravened,” Plouffe wrote. Plouffe testified [before SECU] on Bill C-59, the Liberals’ omnibus national security bill, on January 30 [see here]. [Toronto Star]

CA – P.E.I. Government Spent $140K on Lawyers in Privacy Investigation

The P.E.I. government says it spent $140,000 in legal costs after hiring an outside lawyer to represent it in an investigation by the province’s privacy commissioner. That investigation concluded government was ultimately responsible for the leak of personal information belonging to three former government employees who went public with allegations of wrongdoing regarding P.E.I.’s provincial nominee program. Most of the $140,000 in legal fees was for work that took place during the first three years of the six-year investigation. A spokesperson from the office of the privacy commissioner told CBC News that on its side, the office did not hire legal representation as part of its investigation. [CBC | See also: Premier shouldn’t question privacy commissioner, justice critic says | EDITORIAL: A breach of privacy by province | P.E.I. government launches court review against privacy commissioner | P.E.I. government takes privacy commissioner to court — again | Information commissioner denied access to Health PEI report]

CA – SK Police, Civic Workers Could Be Fined or Jailed Under New Anti-Snooping Law

Civic employees and police officers could be fined or imprisoned for snooping under changes to Saskatchewan privacy laws that came into effect on Jan. 1. The Local Authority Freedom of Information and Protection of Privacy Act was amended to include punishments for employees who access personal records for inappropriate reasons. Anyone who breaks the law could be fined up to $50,000 or imprisoned for up to one year, or both. A similar law already applies to provincial health workers, who would face the same punishments if convicted of an offence. Stronger privacy measures were introduced after a member of the public found thousands of medical records in a Regina dumpster in 2012. The amendments to the Health Information Protection Act (HIPA) came into effect on June 1, 2016. [CBC | Additional coverage at: Regina Leader-Post and Lexology | See also: Sask. city police fine-tuning accountability process before FOI law change | Sask. access and privacy laws extended to cover political staff, police services | Police and MLAs subject to freedom of information requests under new legislation]

CA – Regina Public Investigated After Teacher Breached Students’ Privacy

The Regina Public School Division is addressing policy gaps after a teacher uploaded more than 2,000 documents, many containing students’ information, to a public website. Some of the information was online for 15 months before the privacy breach was reported to the Office of the Saskatchewan Information and Privacy Commissioner on Sept. 1. The documents have since been removed. The teacher at W.F. Ready School posted student assignments, letters to parents, photos, birthdates, grades and passwords to his church website beginning in May 2016. “He had uploaded the documents to a subdirectory of the church’s website, mistakenly believing he would be the only person, as the website administrator, to be able to access the documents,” wrote privacy commissioner Ronald Kruzeniski in his report dated Dec. 19.  The school division is working to apply the privacy commissioner’s six recommendations. They include updating policies, creating guidelines, and training staff in privacy law. The commissioner stated that the school division should prohibit storing student information on teachers’ personal computers. [Leaderpost | CBC | Luxora Leader & Regina Leader-Post]

CA – OPC Launching Privacy Campaign Aimed at Grade Schoolers

Privacy Commissioner Daniel Therrien’s office is launching a campaign aimed at raising grade schoolers’ awareness about how their personal data is collected and used on their devices and apps. A 2015 study by non-profit group MediaSmarts found three quarters of school-aged children in Canada have a social media account or blog. The OPC says its campaign will target students in 8,500 elementary schools across Canada, part of a larger push to teach children how to guard their online reputation and safely use their electronic devices. The office is also pushing provincial education ministers to make online privacy part of the regular curriculum in grade schools. [Toronto Star]

CA – CBA Warns of Court Challenge to Bill C-58 Over Privilege/Privacy

The Canadian Bar Association (CBA) says it will “in all likelihood” go to court to challenge incursions on professional secrecy, if Ottawa proceeds to enact proposed measures that would empower the federal privacy and information commissioners to review legal advice and other privileged communications between legal advisers and their federal government clients. The national 36,000-member association, and the Federation of Law Societies of Canada (FLSC), are both urging the Trudeau government to drop proposed “regressive” amendments to the Access to Information Act and the Privacy Act (Bill C-58) that would expressly authorize the federal commissioners to examine privileged government records as part of their assessment of the validity of claims made by government entities that those records are exempt from disclosure because they are shielded by solicitor-client privilege, litigation privilege (i.e. communications whose dominant purpose is preparation for litigation), or professional secrecy. The CBA and FLSC argue the government has produced no evidence that the proposed routine piercing of the privileges is “absolutely necessary” — the threshold the Supreme Court of Canada has set for incursions on solicitor-client privilege: Alberta (Information and Privacy Commissioner) v. University of Calgary 2016 SCC 53. The bar association and legal regulators emphasized that the Supreme Court’s University of Calgary decision established that solicitor-client privilege has evolved into a fundamental substantive principle and is not merely a privilege under the law of evidence. [Lawyers Daily]

CA – B.C. Appeals Court: Virtual Presence Enough to Enforce Production Order

Since the Supreme Court passed down its decision last June [see Judgment here] in “Equustek,” lawyers have been waiting with bated breath to see just how broad an interpretation the new internet regime will receive from the courts. Global tech companies, including Google, hoped to see the Canadian — and even American — tribunals rein in the ability of our courts to order companies to take actions beyond our jurisdictional borders. A recent B.C. appellate decision [see Judgment here] suggests that “Equustek” isn’t going to be relegated to a tiny corner of Canadian law. It is very much the standard. Since the SCoC found in “Equustek” that Canadian courts have jurisdiction to make orders for foreign-based internet companies that carry on business in Canada, there have been concerns about the practical implications. Because “Equustek” was a civil case, how the ruling would apply to criminal cases remained to be seen. The B.C. case revolves around the online classified giant Craigslist, which is based in the U.S. but has dozens of sites for communities across Canada. The RCMP filed a production order to obtain details around a specific post, including the name and address of the poster. A trial judge rejected the production order, and the comparison to “Equustek”, on two grounds: Unlike Google, Craigslist has no Canadian office to speak of; and being a criminal matter, “Criminal Code” processes must be followed. The trial judge pointed out that the RCMP had the option in this case to pursue a Mutual Legal Assistance Treaty request (more commonly known as an MLAT). But the BC appeals court saw things differently. It concluded that the existence of an MLAT — itself just a tool to obtain documents through foreign legal structures — does not diminish the authority of Canadian courts in issuing production orders. The court therefore dispensed with the idea that forcing a foreign company to comply with an order would run afoul of territorial sovereignty.
David Fraser, partner at McInnes Cooper with a focus on privacy law, says “The court’s conclusion that the distinction between a virtual-only presence and a ‘physical’ presence is effectively a distinction without a difference could carry implications far beyond the availability of production orders. Whether its reasoning vis-a-vis an internet-based company’s ‘presence’ in Canada will have application to, for example, tax laws, remains to be seen.” [National Magazine]

CA – Supreme Court Finds Expectation of Privacy in Text Messages

The Supreme Court of Canada considered an appeal by an individual alleging his text messages were seized in violation of his Charter rights. The seizure of text messages violated Canadian Charter rights since the individual had a reasonable expectation of privacy in his messages (he expected them to remain private based on his repeated requests that the recipient delete the messages) and the messages revealed information about his lifestyle (that he was involved in criminal enterprise). [R. v. Marakah – 2017 SCC 59 – Supreme Court of Canada]

CA – Manitoba Organization Should Have Audited System Activity

The Manitoba Ombudsman conducted a privacy investigation into Manitoba Health, Seniors and Active Living. An employee accessed the system beyond his authority and disclosed PHI in response to government requests; recommendations include making signing a confidentiality pledge mandatory for employment (the employee refused to sign a confidentiality pledge) and ensuring that new/upgraded systems track whether a user has printed or downloaded PHI. [Manitoba Ombudsman – Report under the Personal Health Information Act – Case 2014-0500 – Manitoba Health, Seniors and Active Living Provincial Drug Program – Privacy Investigation: Collection, Use, Disclosure, Security]

CA – New Quebec Law Regulates Communication of Student PI

Quebec Bill 144, an Act to Amend the Education Act, received royal assent and became effective on November 9, 2017. Personal information gathered under the Education Act may not be communicated, used or its existence confirmed for the purpose of determining a person’s immigration status, except with the consent of the person concerned; information can be disclosed when required by a summons, warrant or judicial order, or as required for purposes relating to compulsory school attendance. [Bill 144 – An Act to Amend the Education Act and Other Legislative Provisions Concerning Mainly Free Educational Services and Compulsory School Attendance – National Assembly of Quebec]

CA – Quebec CAI: Metadata Should be Treated as PI

The Commission d’Accès à l’Information du Québec has issued recommendations for protection of PI relating to criminal investigations and operations, in response to the published report of the Commission of Inquiry into the Protection of Journalistic Sources, which outlined concerns that police investigation methods allow for collection and retention of large amounts of data. Metadata can identify individuals (alone, or in combination with other information), and reveals a significant mass of information; applications for judicial authorization should detail the reasons why metadata is necessary and incorporate data minimization, and service providers should consistently exercise discretion in complying with requests to disclose customer information. [CAI QC – Recommendations resulting from Inquiry into Protection of Confidential Journalistic Sources]

CA – Quebec CAI: Customs’ Cellular Searches Permissible

The Commission d’Accès à l’Information du Québec has issued guidance on the right to privacy at the US and Canadian border. US border officials may search electronic devices and seize them if travelers refuse to present or unlock the device; Canadian officials may search a device, but are prohibited from searching data outside the device (e.g., social media accounts, in the cloud). Employers should limit the amount of PI stored on employee devices and implement security measures to protect PI that is present. [CAI QC – Cellular Search at Customs – Some Details of the Access to Information Commission]

CA – Ontario Entity Rightfully Withheld Third Party Information: OIPC ON

The Ontario IPC reviewed a decision from the Independent Electricity System Operator denying access to records under FIPPA. According to the IPC decision, the Electricity Act shields information deemed to be confidential from disclosure, and the document at issue, a technical schedule to a power plant refurbishment agreement, included a recital indicating its confidential nature; the public interest in the information is met by the disclosures already available on the third party’s and the entity’s websites. [IPC ON – Order PO-3800 – Appeal PA16-220 – Independent Electricity System Operator]

CA – Data Privacy Officers Hard to Find in Nova Scotia

Catherine Tully, Nova Scotia’s information and privacy commissioner, describes a recent survey of organizations across the province as a “Where’s Waldo?” exercise. The office called 52 provincial businesses and organizations at random this month, large and small, for-profit and non-profit. “Almost every call, when we asked to speak to a chief privacy officer or the privacy lead, was met with silence,” said Tully. Only 10 of the businesses were able to identify a privacy lead. Of those, only six were able to answer rudimentary questions, such as whether employees could access their own personnel files, whether the organization used video surveillance or whether they had a policy for retaining records containing personal information. Tully says the results are troubling. [CBC | Halifax Today: NS OIPC Says Businesses Need to Increase Privacy Awareness]

CA – Nova Scotia Court Rules on Neighbourly Dispute Over Security Cameras

Nova Scotia provincial court Judge Peter Ross says it’s not the court’s place to enforce good manners, in ruling on a case that pitted a homeowner’s interests in monitoring her property against her neighbour’s privacy concerns. In a 21-page decision, Ross found Joan O’Connor not guilty of committing mischief for installing security cameras around her property in Sydney, N.S., that captured some views of the home next door. The Crown had not proved its assertion that O’Connor’s recordings amounted to criminal interference with Stephanie Ayre’s ability to enjoy her property. In his ruling Ross wrote: “While (O’Connor) was aware that her actions bothered Ms. Ayre, she did not set her cameras out with this purpose in mind … [she] may have been inconsiderate and uncaring about the effect the video-recording had on Ms. Ayre, but even if this is so, it does not give rise to criminal culpability … Even if Ms. O’Connor had nothing more than a prurient curiosity about her neighbour’s activities, it is not at all clear that viewing and/or recording on camera what is apparent to the naked eye constitutes criminal interference with a neighbour’s use and enjoyment of property.” Ross mused about how the prevalence of closed-circuit TVs, privately owned security cameras and drones could erode people’s expectations of privacy to the point that surveillance of personal activity becomes a simple “fact of life.” Legislatures could see fit to limit surveillance in residential areas, he said, but those issues fall beyond the court’s scope. [The case is R. v. O’Connor, 2017 NSPC 68 | Chronicle Herald]

CA – P.E.I.’s FOIPP Review Seeks Feedback

The P.E.I. provincial government wants your feedback on whether it should expand the provincial access to information and privacy act. Some of the big issues the government is asking Islanders about include whether to include municipalities, post-secondary institutions and provincial police under the act. The public has until Feb. 23 to submit feedback. Here’s what the act does, why it matters and the key stakeholders’ views on what FOIPP modernization should look like. [CBC]

CA – Court Finds New Sharing Methods Are Not a New Purpose

A Federal Court considered an appeal by the Toronto Real Estate Board of a decision by the Competition Tribunal on its information sharing practices. Property listing information can be distributed to brokers via electronic data feeds (e.g. selling prices) based on broad consents obtained in listing agreements; consents obtained cover use and dissemination of data during the term of the listing and after, selling prices are not sensitive information requiring specific consent for disclosure, and the data is already shared through other conventional methods (new consent would only be required if it was used for a new purpose). [TREB v. Commissioner of Competition and the Canadian Real Estate Association – 2017 FCA 236 – Federal Court of Appeal]

CA – Security Cameras Permitted for Quebec Cooperative

The Commission d’Accès à l’Information du Québec investigated a housing cooperative’s alleged violations of the Act Respecting the Protection of Personal Information in the Private Sector following a complaint that the Cooperative was using CCTV cameras without the consent of all members. The cameras are required to secure the property and residents at a housing cooperative against a wave of theft and vandalism, no cameras are pointed at private entrances or windows, and the cameras only record when activated by motion sensors; captured images are securely stored with restricted access and are automatically erased when the server reaches capacity. [CAI QC – Decision 1005283-S – Housing Cooperative of Solidarity]

CA – OIPC SK Clarifies Real Risk of Significant Harm

The OIPC SK has issued guidance on whether the level of risk warrants mandatory breach notification by a government institution. The primary considerations are the definition of “significant harm” (e.g., damage to reputation, loss of professional opportunities, financial loss) and whether there is a real risk that such harm will occur (what parties could have obtained the PI, was there encryption in place, was there malicious intent, was the PI sensitive, was the PI recovered, how many individuals were affected and are especially vulnerable). [OIPC SK – Real Risk of Significant Harm]

CA – Truth, Privacy and the Public Interest in Securing Justice

Over the years, the courts have sought to protect the public interest in ascertaining the truth in civil litigation proceedings while at the same time affording protection to the privacy interests of the parties involved. The Court of Appeal for British Columbia recently addressed this issue in Duncan v. Lessing, 2018 BCCA 9, when affirming that the statutory tort of invasion of privacy created by British Columbia’s Privacy Act, R.S.B.C. 1996, c. 373 does not apply to activities that occur during judicial proceedings. In doing so, the court upheld the principle that the public interest in securing justice outweighs a litigant’s privacy interests, but that such privacy interests are entitled to reasonable protection as long as this does not interfere with the efficient conduct of litigation. Privacy legislation has been accorded quasi-constitutional status and the courts continue to emphasize the importance of privacy and its role in protecting individual autonomy: Douez v. Facebook, 2017 SCC 33 at para 59. However, the Duncan decision articulates a clear limit on an individual’s ability to seek redress for violations of privacy occurring in the context of civil litigation proceedings. [Source | See also: Rights Watch Blog]

CA – Data Exchange With U.S. Fuelling Canadian Visa Scrutiny

The federal government has flagged more than 1,000 possible cases of people overstaying their visas or committing other immigration infractions based on information provided by the U.S., newly obtained memos show. The number of immigration enforcement actions is almost certainly larger than 1,000, given that the figures do not cover the most recent two years. However, the border agency was unable to provide updated numbers. Under a 2011 continental security pact [see here & here], Canada and the U.S. agreed to set up co-ordinated systems to track the entry and exit information of travellers. The federal NDP and privacy advocates are watching closely, however, out of concern the data could be used to build invasive personal profiles with little accountability. The data includes the traveller’s name, nationality, date of birth and gender, the country that issued their travel document and the time, date and location of their crossing. Legislation [Bill C-23, here & here] being debated in Parliament would allow Ottawa to collect similar information about Canadians entering the U.S. But the newly disclosed memos say the preliminary phases are already helping Canada zero in on people who may be running afoul of immigration laws. The Canadian Press used the Access to Information Act to obtain the figures from the Canada Border Services Agency, a process that took 18 months. A complaint to the federal information commissioner helped dislodge the pages. The NDP is skeptical of the need to expand information-sharing with the U.S. and wary of the implications for Canadians in the era of “false positives” that can land people in trouble or deny them entitlements, said Matthew Dube, the party’s public safety critic. “Mistakes can be very costly in those circumstances for people.” [Toronto Star]

CA – Technology Law Highlights: 2017 Year in Review

2017 was an eventful year in technology law both in Canada and abroad. From a surprise late reprieve from the year’s most anxiously anticipated anti-spam legislative provisions to a decision from the country’s top court upholding a Canadian-issued global order against Google, legislators, regulators and the courts made moves with important implications for technology lawyers, companies and departments in the course of the year. Here, in no particular order, are some of the year’s highlights as chronicled by McCarthy Tétrault’s bloggers: 1) Cryptocurrency and ICO generates hype—and backlash; 2) Supreme Court of Canada upholds worldwide de-indexing order; 3) SCC refuses to enforce Facebook forum selection clause; 4) Canadian Government delays CASL private rights of action; 5) Ontario court rejects information location tool and fair dealing copyright defences; 6) Blockchain technology makes its mark; 7) Canada’s Federal Court interprets TPM provisions; 8) CRTC clarifies regulatory principles governing mobile virtual network operators (MVNOs); 9) Increased regulatory focus on Fintech; and 10) Important developments in patent litigation. [Canadian Techlaw Blog]

Consumer

CA – Almost 50% Surveyed Would Share PII for Lower Insurance Rates

Nearly half of Canadians would share personal information for lower insurance premiums, says survey. Many Canadians may not be all that worried about having their private information revealed to others — at least, when there’s a financial incentive in play. In fact, 46% of Canadians say they’d be willing to give up personal information like lifestyle and driving habits, according to a survey from online insurance marketplace Kanetix. In a survey of 1,000 Canadians [highlights & infographic], Kanetix looked to see general acceptance of the increasing prevalence of connected and driverless vehicles.

  • Two-thirds of respondents said they are comfortable with voice assistance (such as Google Assistant or Siri)
  • Sixty percent of respondents are comfortable with their car transmitting location and vehicle data tracking
  • Fifty-eight percent of the audience said they were comfortable with augmented reality or heads-up displays on the windshield
  • Fifty-nine percent of respondents are uncomfortable with autonomous vehicles
  • Overall, the most accepting demographic of autonomous vehicles is the 18 to 34 demographic at 55 percent, compared to 30 percent of middle aged (45 and older) respondents
  • Respondents said their biggest concerns were security (35 percent) and privacy (29 per cent)
  • Fifty-four percent of the respondents said they’d most likely share home-related data (such as alarm and flood data) and medical information to their insurer via technology
  • Nearly half (46 per cent) of people said they would also share lifestyle habits and driving information [Mobile Syrup | See also: Canadian Underwriter]

CA – Canadians Ready to Ditch Passwords for Facial, Fingerprint Recognition: Survey

Canadians are ready to forget the many, many passwords they have for online accounts in favour of biometric technology, according to a new survey by Visa. Of the 1,000 Canadians surveyed, 69% are interested in using fingerprint recognition over passwords for identification purposes. Canadians were also interested in using other biometrics such as eye scans, and voice or facial recognition. 32% said they’ve given up online purchases because they couldn’t remember their passwords. Passwords have been the cause of major security concerns. They often need to be written down, are susceptible to hacks, and can be stolen in lost phones or laptops. The survey found about 44% expressed concern that unlike passwords that are stolen, fingerprints cannot be changed. [Global News | See also: News1130 and ITBusiness.ca]

E-Government

US – Secret Evidence and the Threat of More Warrantless Surveillance

Internet monitoring of non-US citizens abroad – itself a human rights problem – and the capture of potentially enormous amounts of communications of people in the United States. In theory, if the government were using this surveillance data to investigate and imprison people in the US, defense attorneys would be able to find out and judges able to evaluate whether the surveillance was constitutional. In reality, this is not the case. As suggested by Human Rights Watch’s new report on secret evidence in US criminal cases [announcement here & report here], the government may be concealing its use of Section 702 surveillance by deliberately creating an alternative explanation for how it gathered evidence – a practice known as “parallel construction.” [HRW | See also: The Cipher Brief, Hit & Run Blog (Reason), WIRED, Christian Science Monitor, Eurasia Review and The Orange County Register]

US – Breach Compromised Personal Data Belonging to 240,000 Current and Former DHS Employees

A data security breach at the U.S. Department of Homeland Security (DHS) that was detected in May 2017 compromised personal information belonging to more than 240,000 current and former DHS employees. The breach may also have compromised information belonging to people who were the subject of DHS Office of Inspector General (OIG) investigations between 2002 and 2014. The incident did not involve an external cyber attack; instead, in the course of a criminal investigation, DHS OIG discovered that a former DHS OIG employee was in possession of an unauthorized copy of the organization’s investigative case management system. [www.dhs.gov | www.theregister.co.uk]

E-Mail

US – NIST Identifies Security Measures to Address Outdated SMTP Protocol

The National Institute of Standards and Technology issued draft guidelines for enhancing trust in email. Recommendations cover the email service (block outbound and inbound port 25 and deploy firewalls), sending domain/individual mail messages (deploy DNSSEC for all DNS name servers), email confidentiality (encryption of emails should require certificate chain authentication against a known Certificate Authority), and end user email security (discourage authenticating with username and password). Comments are requested by January 31, 2018. [NIST – Trustworthy Email – Second Draft SP 800-177 Revision 1]

Electronic Records

US – ONC Unveils Plan for Health Information Sharing Framework

Federal health IT officials under the 21st Century Cures Act [see here & here] have proposed regulations for health data information sharing, the Trusted Exchange Framework ‘network of networks.’ If you want a say in how the government deals with health data interoperability, now’s your chance. The Office of the National Coordinator for Health IT (ONC) has released draft rules for a health information sharing plan, called the Trusted Exchange Framework, and the public has until Feb. 18 to comment. The framework stems from the interoperability provisions of the 21st Century Cures Act of 2016, a wide-ranging law that includes many aspects of healthcare and health IT, of which the health information sharing plan is only one part. Among the existing networks that ONC officials are looking to link within the health information sharing framework are the many health information exchanges that have sprung up since the HITECH Act of 2009 spurred data sharing with the meaningful use program. The ONC envisions the Trusted Exchange Network — expected to be started by the end of 2018 and fully built out by 2021 — as being used by federal agencies, individuals, healthcare providers, public and private health organizations, insurance payers and health IT developers. [Source | See also: Fierce Healthcare, Health IT Buzz, GlobeNewswire, EHR Intelligence and Patient Engagement HIT]

Encryption

US – FBI Assails Encryption (Again)

FBI director Christopher Wray told an audience at the International Conference on Cyber Security earlier this week that unbreakable encryption is “an urgent public safety issue,” noting that his agency was unable to access nearly 7,800 devices in the 12-month period ending on September 30, 2017. [news.softpedia.com | threatpost.com | See also: Wyden Takes Wray to Task on Encryption Back Doors – zdnet.com | thehill.com | www.theregister.co.uk | fcw.com | regmedia.co.uk]

WW – Chrome 68 Will Label HTTP Sites “Not Secure”

Starting with Chrome 68, Google’s browser will begin flagging websites that do not use HTTPS as not secure. When Chrome 68 users visit an HTTP site, Chrome will display a “Not Secure” message in the address bar. Chrome 68 is scheduled to be released to the stable channel in July 2018. [www.theregister.co.uk | www.zdnet.com | www.bleepingcomputer.com]

EU Developments

EU – Article 29 Working Party Releases Guidelines on Consent and Transparency under the GDPR

The Article 29 Working Party (WP29) released two guideline documents, WP259 and WP260, on the General Data Protection Regulation (GDPR) concepts of consent and transparency. Comments on both documents will be accepted by the Working Party through January 23, 2018, after which WP29 will issue final guidance. WP29 is an independent European advisory body on data protection and privacy. This blog post focuses on WP260, the guideline on transparency. Our companion post on WP259, the guideline on consent, can be read here. Transparency has long been a fundamental feature of EU privacy law and is an overarching obligation under the GDPR. The draft guideline notes that a central consideration of the principle of transparency is that the data subject should be able to determine in advance what the scope and consequences of the processing entail. [This post considers the following]: 1) Elements of Transparency; 2) Information to be Provided to the Data Subject; 3) Layered Privacy Notices; 4) Information Related to Further Processing; 5) Visualisation Tools; and 6) Exercise of Data Subjects’ Rights. While much of the specific content that controllers are required to communicate to data subjects, and the circumstances in which those communications are made, are specifically dictated by the GDPR, many of the format and communications issues addressed in this guidance are consistent with long-standing Federal Trade Commission (FTC) guidance with respect to the making of clear and conspicuous disclosures. For some practical guidance for making clear and conspicuous disclosures, the FTC’s dot.com disclosure guidance provides useful examples on how to make disclosures effective. [DBRonData | See also: Business Review: Data Privacy Impact Assessment at a glance]

UK – ICO Advises Not All Breaches Must Be Notified

The UK’s Information Commissioner’s Office has issued guidance on handling personal data breaches under the GDPR. Breaches that are likely to result in a high risk to individuals’ rights and freedoms must be notified to affected individuals, such as theft of a customer database (likely to result in identity fraud), network attack on contracted IT services firm (clients’ personal data is unlawfully accessed), and hospital’s accidental disclosure of patient records (the data is sensitive and may become known to others). [ICO UK – Personal Data Breaches Guidance]

EU – Facebook Escapes Austria Class Action but Still Faces Grilling

The EU’s highest court, the European Court of Justice, ruled on Thursday that Austrian privacy activist Max Schrems could not bring a consumer lawsuit on behalf of 25,000 Facebook users for alleged privacy breaches. [Case C-498/16 – Schrems, see here & ruling text here] Instead, the ECJ said Schrems could only file an individual case against Facebook for allegedly illegally handling data relating to his personal Facebook account in Austria. Schrems’ attempted lawsuit sought to use EU consumer laws to sue Facebook for damages worth €500 for each of his signatories, a list that has topped 25,000 users in Austria. But EU judges said Schrems’ claims did not fall under Europe’s consumer protection laws although he could still sue Facebook individually in the Austrian courts. Despite the class action being dismissed, Schrems celebrated Thursday’s judgment as a “huge blow” for Facebook, which will have to defend its use of personal data in Austrian courts. Facebook had argued the case should be heard in Ireland, where it has its European headquarters. Unlike the US, class action cases are rarely brought in Europe. Under the General Data Protection Regulation, which comes into force in May, collective action will be possible for some privacy violations. [FT.com | See also: Deutsche Welle, Courthouse News Service, The Times, EURACTIV and europe-v-facebook.org]

UK – ICO UK Issues Final Guidance on Automated Decisions

The UK Information Commissioner’s Office (ICO) has issued final guidance on rights related to automated decision making, including profiling under the GDPR. The guidance is in response to a request for feedback. Solely automated individual decision-making and profiling with similar significant effects is restricted unless it is necessary for the performance of a contract, authorized by law, or based on explicit consent; processing is permitted where there is human intervention, as long as the legal basis for processing is identified and recorded, and individuals are able to exercise their right to object. [ICO UK – Rights Related to Automated Decision Making Including Profiling]

UK – Top 10 Stories on State Surveillance, Technology and the Law in 2017

In 2017, the government faced multiple legal challenges over the legality of mass surveillance of the population, most of whom pose no threat, in cases that will set the parameters between individual freedom and state intrusion. A slew of court cases brought by Privacy International, Liberty, other campaigning groups and courageous individuals are shedding new light on the practices of the secret state, and are beginning – but only beginning – to establish where the limits of state intrusion should lie. New laws and state powers introduced to combat terrorism have quietly eroded privacy and due process for those individuals unlucky enough to be caught up in the legal machinery. Their battles will become important milestones in setting the boundaries between the rights of the individual and the rights of the state, and will ultimately decide what liberties society is prepared to sacrifice for the promise of greater security. [Here are the top 10 relevant CW stories for 2017]: 1) Islamic State supporters shun Tails and Tor encryption for Telegram; 2) UK intelligence agencies ‘unlawfully’ sharing sensitive personal data; 3) Safeguards permit GCHQ to share huge databases on public; 4) UK sale of surveillance equipment to Macedonia; 5) Lauri Love would face ‘medieval’ conditions in US prison if extradited over hacking charges; 6) Cage director found guilty of terrorism offence after refusing to disclose passwords; 7) UK spies face landmark challenge over mass surveillance in human rights court; 8) My brother Lauri Love should have the right to a trial in the UK; 9) US says its views must be heard in legal challenge to EU-US data sharing; and 10) Max Schrems’s mass surveillance complaint knocked back another year or two by Irish judge. [ComputerWeekly]

EU – Global Market and Opinion Researchers Checklist

The European Society for Opinion and Market Research has issued guidance to researchers on their responsibilities within a global data protection framework. Researchers must ensure compliance with legal requirements in countries where they operate and national data protection requirements; minimum standards include data minimisation, sufficient notice to individuals, obtaining voluntary, clear consent, ensuring adequate protection for cross-border transfers, and use of pseudonymisation and anonymisation (in accordance with applicable national laws and self-regulatory codes). [Data Protection Checklist – Esomar World Research]

Facts & Stats

CA – Privacy Breaches Hit Record High in Alberta

Last year, Alberta’s OIPC issued decisions on 162 breaches where there was a real risk of significant harm to affected individuals. That is more than double the number of decisions from any previous year. Many of the privacy breaches were related to unauthorized accessing of personal information through hacking, malware or email phishing. But there were also plenty of cases of companies or employees inadvertently sharing personal information with unauthorized parties. [CBC News | See also: Insurance Business]

FOI

CA – Alberta C. of Q.B. Limits Public Access to Family Court Files

Members of the public can no longer freely access family court files after changes were implemented this year to protect sensitive personal information, according to the Court of Queen’s Bench of Alberta. The changes for the province’s higher family court have been in the works for about two years. The shift was prompted by members of the family law bar raising concerns that clients’ personal information filed with the court could be accessed by curious onlookers. Documents detailing financial, medical and social security information, as well as intimate details about family relationships, are all commonly added to files in family cases, according to the court. Increased disclosure requirements in recent years have meant parties are required to file more financial documents, including tax returns, pay stubs and bank statements. Parents will also file affidavits against one another containing information that would be harmful for children to learn about, according to the court. In response, more and more sealing orders, which are highly restrictive, were being requested. A committee of Queen’s Bench judges developed the new terms of access. The changes were implemented in mid-October. [Edmonton Journal]

CA – RCMP Backlogged With Access-to-Information Requests from its Own Staff

The RCMP has reversed course after a policy forcing officers to use the Access to Information Act to get their own personnel and medical information backfired badly. The RCMP has been flooded with so many new ATI requests over the past few years that it now has a backlog of about 3,250 unanswered files that have gone past their legislated deadlines, with the number growing weekly. Under the federal act, all departments must respond to requests within 30 days or give themselves an extended deadline for more difficult files. When the deadlines are missed, the files are known as “deemed refusals.” The massive backlog has also triggered a record number of complaints to the Office of the Information Commissioner. So far this fiscal year, which ends March 31, there have been at least 331 formal complaints about the RCMP’s poor performance, easily surpassing the record 274 complaints from 2016-2017, said Natalie Bartlett, spokesperson for the commissioner. Even though almost all RCMP documents requested under the Access to Information Act are already in digital form, the RCMP requires they be printed on paper and shipped to the access and privacy office in Ottawa to be scanned back into electronic form — a major bottleneck. The problem of “deemed refusals” has been growing across the federal government. In 2016-2017, there were a total of 16,780 overdue requests in all departments — almost double the 8,405 in 2014-2015. [CBC]

CA – BCLC to Charge $500K to Fulfill Casino Workers’ Union FoI Request

A casino workers’ union has been told to ante up — to the tune of over $500,000 — for a freedom of information request it made to the B.C. Lottery Corporation. Marc Hollin of Unite Here requested five years’ worth of communication between the lottery corporation and Great Canadian Gaming Corporation, which operates several casinos in B.C. Hollin’s request concerned communication about compliance with anti-money laundering rules. A lottery corporation freedom of information analyst replied in a memo shown to CBC that work would take an estimated 16,817 hours to complete and would cost $504,480. Before starting the work, BCLC wanted the union to pay half up front. [Source | Additional coverage at: Vancouver Sun]

CA – BC’s Parties Mum on What They Know About You

B.C. political parties are required by law to tell individuals what information they’ve collected about them, how they are using it, and with whom they’ve shared it. But when I asked what the three main provincial parties knew about me, all I got was a partial response from one of them [Liberals]. The other two [NDP & Greens] didn’t respond to the initial request at all. “Just simply not responding obviously is the worst-case scenario, but providing a partial response is not adequate either,” said Bradley Weldon, the acting deputy commissioner in British Columbia’s Office of the Information and Privacy Commissioner. The OIPC launched an investigation in September to find out how the parties are interpreting B.C.’s privacy law and to develop guidelines so they understand what is and isn’t authorized under the Act. It expects to release the report within a couple of months. [Tyee]

Health / Medical

US – Apple Health Data Is Being Used as Evidence in a Rape and Murder Investigation

One of the most important witnesses to the rape and homicide of a 19-year-old woman in Germany [see here] might be a stock app on the iPhone of her alleged murderer. Hussein Khavari, an Afghan refugee in Freiburg, has been on trial since September for raping and murdering a student in Freiburg. Many of the details of the trial have been hazy. There’s a mysterious chunk of time missing from the geodata and surveillance video analysis of his whereabouts at the time of the crime. He refused to give authorities the passcode to his iPhone, but investigators hired a Munich company (which one is not publicly known) to gain access to his device. They searched through Apple’s Health app and were able to gain more data [e.g., steps taken and elevation changes] about what he was doing that day. The app recorded a portion of his activity as “climbing stairs,” which authorities were able to correlate with the time he would have dragged his victim down the river embankment, and then climbed back up. I asked Michael Kwet and Sean O’Brien, both researchers at Yale Privacy Lab who have previously written on the topic of privacy and health apps for Motherboard, whether we should expect more of these kinds of cases—where someone’s own phone essentially testifies against them—in the US. “Yes,” O’Brien said in an email. Kwet added that a study by the nonprofit think tank Rand Corporation found that data culled from fitness trackers, smartphones, and other personal devices is likely to be used in criminal investigations, and that the legal system is ill-equipped to handle these cases. [Vice.com | See also: Naked Security, Daily Mail, Digital Trends and The Drum]

Horror Stories

US – Bell Canada Suffers Another Data Breach

Bell Canada has acknowledged a second data breach in less than a year. In May 2017, hackers stole information belonging to 1.9 million customers. The more recent breach affected fewer than 100,000 customers. Bell Canada has not said if the two breaches are related. [www.cbc.ca | www.theregister.co.uk | www.scmagazine.com]

CA – OPC Report & Comments on VTech Breach Investigation

An OPC investigation into a global data breach at VTech found the connected toy maker had failed to adopt adequate security measures to protect sensitive personal information of children. The breach in late 2015 compromised the personal information of millions of people around the world, including more than 500,000 Canadian children and their parents. The Office of the Privacy Commissioner of Canada is satisfied that these measures VTech has implemented are sufficient and will reduce the risk of a future breach. The Commissioner’s office investigated the breach in cooperation with the U.S. Federal Trade Commission, which also announced today that it has reached a settlement with VTech. The office also collaborated with the Privacy Commissioner for Personal Data for Hong Kong, where VTech is headquartered. The OPC report highlights important lessons for other organizations that collect the personal information of children. In particular, heightened safeguards need to be in place to protect sensitive information from unauthorized access. [Privcom]

Identity Issues

US – Identity Fraud Hits All Time High: Research Study

The 2018 Identity Fraud Study released February 6 revealed that the number of identity fraud victims increased by eight percent (rising to 16.7 million U.S. consumers) in the last year, a record high since Javelin Strategy & Research began tracking identity fraud in 2003. The study found fraudsters successfully [hit] 1.3 million more victims in 2017 over 2016, with the amount stolen rising to $16.8 billion. The Study found four significant trends: 1) Record high incidence of identity fraud; 2) Account takeover grew significantly; 3) Online shopping presents the greatest fraud opportunity; and 4) Fraudsters are getting more sophisticated. Consumers can minimize their risk and impact of identity fraud. The following are five recommendations for consumers to follow: 1) Turn on two-factor authentication wherever possible; 2) Secure your devices; 3) Place a security freeze; 4) Sign up for account alerts everywhere; and 5) Protect yourself from unauthorized online transactions. [Javelin Strategy | Additional coverage at: Dark Reading, CBS News, CNBC, MediaPost and Wall Street Journal]

Intellectual Property

CA – Website Publishing Debtors’ Personal Info Pulls Plug After Lawsuit

The man behind a website that named and shamed debtors who owe money as a result of court judgments resisted the Ontario government’s request that he “cease and desist” — but ultimately backed down after the federal privacy watchdog took him to Federal Court. Until December last year, publicexecutions.ca would publish names and other personal information provided by successful parties in small claims and civil suits linked to people who were successfully sued but still owe money — in exchange for a fee ranging from $25 to $100. The site’s motivation was to address what many of those victorious litigants say is a major problem with the small claims court system: their difficulty in collecting the money they’re owed. While all the information in question is public, Canada’s privacy commissioner claimed in a notice of application that the website’s actions contravened Ontario’s Consumer Reporting Act and several federal laws, including the Personal Information Protection and Electronic Documents Act (PIPEDA). Dougall Grange, the owner and operator of Public Executions, pushed back, saying: “I wrote them a fairly long letter telling them exactly why I wasn’t breaching their statute. Number one — a judgment is not a consumer report. It’s a publicly known statement of fact from a court about a person. I consider what I was doing was protecting consumers.” Grange said he believes his website was “absolutely legitimate” and that he was not violating anybody’s privacy with what he published online — although he admitted the site called out debtors “in a bit of a crude way.” “It wasn’t perfect,” he said, adding he was aware that some people “simply couldn’t pay the money.” The privacy watchdog ultimately discontinued the suit against Public Executions on Dec. 22, 2017 — just over a month after filing the application — after Grange told the commissioner’s office he would take down the site and had “no intention to reinstate it at this time.” [iPolitics]

Law Enforcement

UK – Report Shows Police IP Address Errors Lead to Wrongful Arrests

Police have been increasingly making errors in IP address resolution, according to a letter presented by the Interception of Communications Commissioner (IOCCO), Sir Stanley Burnton, to accompany his annual report to the prime minister. [See here] Burnton explains that while “errors and more general problems form a very small percentage of the total activity I inspect”, he is “concerned by the increasing number of errors that occur when public authorities try to resolve IP addresses” and that errors are “far more common than is acceptable”. The errors mainly stem from manual entry of details into software that helps police work out the location at which a specific IP (internet protocol) address has been used. As it is, communication service providers (CSPs) can easily reassign IP addresses, for good reasons, Burnton explained. The impact of these errors has in some cases been enormous, he says, citing Nigel Lang for “having had the courage to highlight this issue in the media.” [See here] He suggests that mindsets need to change: we just can’t assume that “technical intelligence” such as IP address resolution is infallible. The commissioner made recommendations in his earlier, July 2015 half-yearly report. [Source | Additional coverage at: The Times, The Register, The Telegraph and International Business Times]

US – NYPD Subpoenas Google for Staten Island Teen’s Digital History

The NYPD is requesting from Google the “entire digital history” of a Staten Island high school student, which according to the teen’s attorney, represents an “unconstitutional violation of privacy.” The subpoena relies on the city Administrative Code, drafted by the New York City Council, rather than approval from a state or federal court, which according to the teen’s attorney is both unlawful and unusual. The NYPD contacted Google last month with the Dec. 14 subpoena for the 17-year-old’s e-mails, contacts, search history and other digital information in regard to an ongoing investigation, according to the teen’s Manhattan state Supreme Court filing, which seeks to block the subpoena. Regardless of what the investigation is about, the fight in court is about tempering the power police have in obtaining a citizen’s personal information, said attorney Martin Soltar. He said the request is invalid because the city code it references was not meant to allow the NYPD to issue subpoenas in criminal investigations. He said it also violates the federal Stored Communications Act, in that it isn’t backed by a state or federal statute. It’s not the first time the NYPD has requested account data from a social media site prior to obtaining a court order. In 2012, Twitter refused an NYPD request for account data tied to threats about a public event in the city, then later complied under court order. [Source | See also: New York Post]

US – NY Police Union Files Suit Over Release of Body Camera Footage

A union representing New York City police officers sued the department, saying its release of body camera footage without a court order violates a state law that makes officer disciplinary records confidential. The Patrolmen’s Benevolent Association, which represents about 24,000 uniformed officers, said the public release of footage, which began last summer on a limited basis, also violates the privacy of everyday citizens caught on camera. [see PR here, Petition here and Memo of Law here]. The city’s law department said it is reviewing the complaint. Use of body cameras in police departments has exploded in the past five years. The public has largely been in favor of using cameras and departments have advertised them as a way to protect police from false accusations. Chicago’s police union is fighting body cameras on the grounds that their implementation wasn’t properly negotiated with the union and violated the labor contract. Seattle’s police union filed a complaint over the summer. [ABC News | See also: New York Post, The Daily Caller, Newsday, Wall Street Journal and Politico]

Location

US – Strava Fitness App Map Reveals Locations of Military Bases

A map generated by the Strava fitness tracking app has exposed information about military bases and facilities around the world. Strava published the map, which includes GPS data from the app’s users, last year. The company’s intent was to demonstrate how many people were already using the app. Instead, the map revealed the locations of military bases through concentrated areas of fitness activity in remote places. The exposed bases belong not just to the US, but to other countries as well. [www.bbc.com | thehill.com | www.zdnet.com | www.bleepingcomputer.com | arstechnica.com | DHS Re-examining Personal Electronic Device Policy: www.nextgov.com | See also: Fitness tracking app not a security problem for Canadian military | See also: The Daily Beast, The Washington Post, NPR, Ars Technica and Fox News]

Online Privacy

CA – B.C. Court Grants Crown Appeal in RCMP Attempt to Discover Identity of Craigslist Advertiser

B.C.’s highest court has overturned two lower-court rulings offering a measure of protection for the identity of a person who placed a classified advertisement on an online website. [See ruling here] The RCMP wanted the Craigslist advertiser’s name or physical address, email address, IP address, phone numbers to verify the account, dates and times that the post was created, and the record of the posting. This application was refused by Provincial Court Judge M.J. Brecknell on jurisdictional grounds. Craigslist does not have a physical presence in B.C. The lower-court judge noted that a Supreme Court of Canada ruling [see here & here] in a case against Google didn’t apply in this instance because that concerned a civil matter. The RCMP’s application concerned a criminal matter. The Provincial Court ruling was upheld after the Crown filed an appeal in B.C. Supreme Court. However, on January 9, a three-judge B.C. Court of Appeal came to a different conclusion, noting that Craigslist “is willing to respond to production orders issued in British Columbia and has provided information in response to court orders in the past”. [Straight | See also: Vancouver Sun & Prince George Citizen]

US – Marketing Company Seeks to Unmask Blogger

A U.S. Appeals Court has reviewed the district court’s refusal to unmask an anonymous blogger regarding Signature Management Team, LLC’s copyright claims. When deciding whether to identify the blogger or allow him to maintain anonymity, the court will consider the fact that he was already found to be an infringer of copyright laws and the company has an interest in unmasking him in order to enforce its remedies; the blogger will have to prove he participates in non-infringing anonymous speech that would be affected by revealing his identity. [Signature Management Team, LLC v. John Doe – United States Court of Appeals for the Sixth Circuit]

Other Jurisdictions

US – Supreme Court Will Hear Microsoft and Irish Data Centre Case

Twenty-three amicus briefs signed by hundreds of individuals and organizations support Microsoft’s position regarding customer data held on a server in Ireland. The US Department of Justice (DoJ) has demanded the information, and Microsoft has refused. The case has made its way to the US Supreme Court. The court will hear arguments in the case next month. [gizmodo.com | www.theregister.co.uk]

US – Feds: Cloud Cybersecurity Benefits Now Outweigh Risks

Many federal government IT managers used to be wary of the shortcomings of migrating to cloud technology because of potential data security problems affecting email, business systems, personal data records and, especially, national security operations. However, after the federal “cloud first” [see here] initiative’s six-year effort to promote the technology, there are signs that federal IT managers gradually have changed their assessment. Federal IT managers have concluded that cloud technology will meet — and even exceed – government data protection requirements, two recent reports indicate. Importantly, there also is an emerging trend among agencies toward using cloud technology by itself, either as a complete cyberprotection system, or as a tool to provide both specialized and comprehensive cybersecurity capabilities. [E-Commerce Times | Additional coverage at Federal News Radio]

Privacy (US)

US – FTC Makes Case for Data Privacy, Security Muscle

The Federal Trade Commission issued its annual report on privacy and data security actions over the past year [FTC PR here & 22 pg PDF Report here]. It outlines the FTC’s “broad” authority over privacy issues: “The FTC’s primary legal authority comes from Section 5 of the Federal Trade Commission Act [see FTC here & wiki here], which prohibits unfair or deceptive practices in the marketplace. The FTC also has authority to enforce a variety of sector specific laws, including the Truth in Lending Act [here], the CAN-SPAM Act [here], the Children’s Online Privacy Protection Act [here], the Equal Credit Opportunity Act [here], the Fair Credit Reporting Act [here], the Fair Debt Collection Practices Act [here], and the Telemarketing and Consumer Fraud and Abuse Prevention Act [here].” [The FTC enforces or administers at least 73 statutes see here] The report cites 130 spam and spyware cases and 50 general privacy lawsuits in 2017–the FTC’s enforcement authority is via filing suits and securing settlements. It also points out, in regard to the FCC’s rollback of the net neutrality regs, that the FTC “has expertise in the antitrust and consumer protection issues raised by net neutrality concerns.” [Broadcasting & Cable see also: Consumer Finance Monitor (Ballard Spahr) & Inside Cybersecurity]

IoT

US – NIST Issues Draft Report on IoT Security Standards

The US National Institute of Standards and Technology (NIST) has released a draft report, “Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things (IoT),” that is designed to help “policymakers, managers, and standards participants as they seek timely development of and use of such standards in IoT components, systems, and services.” [gcn.com | Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things (IoT) ]

US – Consumer Reports Examines Smart TV Security

A Consumer Reports analysis of five brands of smart TVs found that all can track users’ viewing habits. Security on two of the brands was so weak that hackers were able to remotely change channels, install apps, and play YouTube videos of their choosing. The evaluated TVs did ask permission to collect viewing data and additional information, but they did not make it easy for viewers to understand exactly what they were agreeing to share. [www.usatoday.com]

CA – Experts Advise Precautions with Digital Assistant Speakers

“Eventually there will be ways to hack into these virtual systems,” said Dana DiTomaso, CBC’s tech columnist and president of Edmonton-based digital marketing agency Kick Point. “They’re too juicy a target for hackers to turn it down.” The devices record the voice of the user and send it back to servers which use “machine learning” to return “the most relevant responses”, said Daniel Blair, a technology researcher and CEO of a virtual reality startup in Winnipeg. Those with privacy concerns can limit the activity of the device by modifying settings and using mute functions, he said. Both Amazon and Google say customers can delete information collected by logging in to their Amazon or Google accounts. But former Ontario privacy commissioner Ann Cavoukian said Canadians should carefully consider bringing a device into their home because “you don’t know how your information might be used, to whom it might be disclosed.” [CBC | Insurance Business | SEE ALSO: The Lost Art of Privacy: In-home devices like Amazon’s Alexa are prompting a reconsideration of a timeless virtue | The skeptic’s guide to smart home gadgets | What’s Holding Back the Smart Home from Mass Adoption? | Expect more IOT attacks in 2018 | Understanding user privacy in the age of smart speakers | How to Delete the Voice Data That Amazon Echo and Google Home Are Storing | Need-to-knows before buying Google Home or Amazon Echo | Experts Break Down The Difference Between Google Home and Amazon Echo | ‘Tis the season for unfettered government access to your data | Experts caution against using digital assistants without knowing where your data goes | Home Assistant Adopter Beware: Google, Amazon Digital Assistant Patents Reveal Plans for Mass Snooping | Apple plugs IoT HomeKit hole | Gifts That Snoop? The Internet of Things Is Wrapped in Privacy Concerns | The Internet Of Toys: Legal And Privacy Issues With Connected Toys | Why you should be ‘suitably paranoid’ about your home devices’ cybersecurity | Voice-enabled smart speakers to reach 55% of U.S. households by 2022, says report | Citing ‘a few’ malfunctions, Google nukes touch function from Home Mini | Amazon’s Echo Show strips you of your last shred of privacy | Electronics all over your home could be spying on you. Here’s how to stop it | Amazon hands over Echo data in murder case | Ryerson’s director of privacy and big data says Canadians should be cautious of all things ‘smart’ | Devices sprout ears: What do Alexa and Siri mean for privacy? | The Privacy Threat From Always-On Microphones Like the Amazon Echo | Murder case will test privacy rights of Amazon Echo users | Police mull gathering crime evidence from smart home devices]

CA – Welcome to the Neighbourhood. Have You Read the Terms of Service?

Before long, Quayside may be one of the most sensor-laden neighbourhoods in North America, thanks to Alphabet’s Sidewalk Labs, which has been working on a plan to redevelop the area from the ground up into a test bed for smart city technology. It’s being imagined as the sort of place where garbage cans and recycling bins can keep track of when and how often they’re used, environmental probes can measure noise and pollution over time and cameras can collect data to model and improve the flow of cars, people, buses and bikes throughout the day. The idea is that all of this data — and the newfound insights its analysis could yield — will help cities run more efficiently and innovate at a faster pace than they do today. But when it comes to the data these cities gather, not everyone believes the tradeoff is worth it. Although governments already collect lots of data on their citizens, it’s becoming clear that current privacy laws aren’t going to be enough to deal with the realities of what most of these visions propose — data collection on a scale that far surpasses what’s happening today. Smart cities, after all, take data collection and analysis to a new, previously unimagined extreme. And with so many different sensors and so much data being collected and analyzed, how could anyone be expected to understand, much less consent to it all? [CBC]

Security

EU – Critical Vulnerabilities Discovered in Chip Processors

The European Union Agency for Network and Information Security (ENISA) has examined the critical vulnerabilities found in various types of chip processors. The vulnerabilities, called Meltdown and Spectre, affect personal computers, cloud systems, mobile devices and operating systems; mitigating measures include security patches (which may impact performance, so backups are advised), using up-to-date ad-blockers and anti-malware software, and protecting systems that handle sensitive data (prevent them from executing unauthorised software and accessing untrusted websites). [ENISA – Meltdown and Spectre: Critical Processor Vulnerabilities]

WW – Vendor Data Security Checklist

An advocacy group recommends certain considerations prior to investing in software applications. Prior to investing in software, consider past security criticisms and guarantees about data availability; ask questions of the vendor about their privacy policy, law enforcement disclosure practices, whether they have a dedicated security team, encryption in place, and regularly conduct security audits, any experience with a data breach and their notification policy, and any compliance with specific legal requirements (e.g. HIPAA, COPPA or FERPA). [Source]

EU – ENISA Issues Recommendations to Mitigate Threats

The European Union Agency for Network and Information Security has issued its Threat Landscape Report 2017. Organizations should perform traffic filtering to all relevant channels (web, network and mail), implement data access rights on a need-to-know basis, train users to avoid common security pitfalls like phishing and social engineering attacks, and implement malware detection in all platforms in use (servers, network infrastructure and mobile devices). [ENISA Threat Landscape Report 2017]

US – Report: CISOs Say Lack of Competent Staff is Top Cybersecurity Concern

According to a Ponemon Institute survey, 612 Chief Information Security Officers (CISOs) and IT security professionals said that their top cyber security concern for 2018 is the lack of competent in-house staff. Other concerns in the top five are data breaches, cyber attacks, inability to reduce employee negligence, and ransomware. [www.darkreading.com]

WW – Sensor Data Can Be Used to Guess Your PIN, Unlock Your Phone

According to researchers from the Nanyang Technological University (NTU) in Singapore, malicious apps on your phone could use the datastream from those sensors to build up information on how the phone is used and ultimately guess the phone’s PIN. The researchers’ algorithm was able to guess a PIN with a 99.5% accuracy on the first try using a list of the top 50 most common PINs, although the success rate went down to 83.7% when it tried to guess all 10,000 possible combinations of four-digit PINs within 20 tries. There’s no barrier to collecting the data because those sensors are what’s known as “zero-permission” – essentially, an app doesn’t need a user’s consent to access [“non-critical”] data from a device’s accelerometer, gyroscope, magnetometer, proximity sensor, barometer or ambient light sensor. They are yet another example of how data from seemingly disparate and unrelated sources can be merged to provide information that is much more invasive than you thought. In this case, enough to guess your PIN and invade your phone, at which point your critical data is at risk. [Naked Security | See also: Phys.Org, Digital Journal, Hack Read and BleepingComputer]

US – NIST Update Emphasizes Security Design Principles

The National Institute of Standards and Technology (NIST) has issued an update to its Special Publication 800-160 on systems security engineering. Security design principles are divided into 3 categories: security architecture and design (e.g. trusted components and least privilege), security capability and intrinsic behavior (e.g. accountability and traceability and secure failure and recovery), and life cycle security (e.g. repeatable and documented procedures and secure system modification). [NIST – Systems Security Engineering – Special Publication 800-160 | Press Release]

WW – Data Security Predictions 2018: Ransomware Threats Lead the Top Trends

In 2018, the volume, complexity, and stakes of cyberattacks will only continue to increase — with malicious actors capitalizing on the IT/OT/IoT convergence phenomenon to identify new attack vectors and wreak more widespread havoc. As we enter a New Year, here are my thoughts for what is on the horizon for the cybersecurity landscape in 2018: 1) We will see new and creative forms of ransomware; 2) The probability is high that we will see the first major cyberattack on US critical infrastructure; 3) Security budgets will shift significantly as they relate to size and allocation; and 4) Cybersecurity workforce will go under the red line [Source | See also: Predictions 2018: What tighter European GDPR will mean for marketers | 10 Security Predictions For 2018 | New Year, New Threats: 5 security predictions for 2018 | Cybersecurity forecast 2018: threats and trends for the year ahead | A look into the crystal ball: Cybersecurity predictions for 2018 | 10 Security Predictions, Trends & Challenges for 2018 | What’s in store for security in 2018? | Six 2018 security predictions from the security experts at Beyond Security | Predictions 2018: How GDPR is Forcing Big Changes in Storage | Forcepoint 2018 Predictions: Privacy Fights Back | Data Breach Predictions: The Trends to Shape 2018 | IDC Canada Releases Its 2018 ICT Predictions | Arcserve Serves Up 2018 Predictions in Data Protection | WatchGuard’s 2018 Security Predictions | Why Companies Should Prepare for More Data Breach Lawsuits | 2018 Security Predictions From Splunk | 2018 Biometric Security Predictions | 2018 Cybersecurity prediction: Extortion attempts, ransomware will proliferate | 2018 is primed for blockchain, big data and cloud computing advancements, all with a better security plan | 2018 Predictions & Recommendations: The Internet of Things Blurs the Line Between Personal and Corporate Security | 2018 Predictions – Rise of IoT adoption will increase cybersecurity attacks ]

Smart Cars

US – FTC Staff Releases Paper Highlighting Key Privacy and Security Issues for Autonomous and Connected Vehicles

FTC Staff released a new “Staff Perspective” [see FTC PR here] on January 9, 2018, that highlights key privacy and data security issues related to autonomous and connected vehicles. The Staff Perspective outlines four key takeaways from a workshop hosted by the FTC and the National Highway Traffic Safety Administration (NHTSA) on June 28, 2017 [see here]. It also summarizes recent legislative and regulatory developments and indicates that the FTC will continue to monitor the connected car marketplace. Companies that manufacture or integrate with connected car technology should keep a close eye on future FTC actions in this marketplace, and they should understand that the FTC expects businesses to protect the privacy and security of information relating to consumers when collecting, using, or sharing data through connected cars. We summarize below the FTC’s key takeaways from the workshop: 1) Many companies throughout the connected car ecosystem will collect data from vehicles, much of which will be used to provide important benefits to consumers; 2) The types of data collected through connected cars will range from aggregate data, to non-sensitive data about a particular vehicle or individual, to sensitive personal data; 3) Consumers may be concerned about secondary, unexpected uses of data (Transparency, Choice, Respect for Context, Data Minimization, De-Identification & Retention, Data Security, Integrity & Access and Accountability); 4) Connected and autonomous vehicles will have cybersecurity risks that can potentially be exploited; and 5) Developments since the workshop. The FTC’s Staff Perspective indicates that FTC Staff will continue to monitor the connected car marketplace. At least for the moment, FTC Staff appears willing to allow individual companies and self-regulatory programs to continue developing privacy and security principles and best practices for connected car technologies. 
In the meantime, however, the Staff Perspective also notes that the FTC Staff will use its civil authority under Section 5 of the FTC Act to bring enforcement actions against companies that engage in unfair or deceptive practices, such as if a company makes materially false or misleading statements to consumers regarding its privacy or data security practices or fails to have “adequate security protections,” as described in the FTC’s Start with Security guidance document and its Stick with Security Blog series. [Privacy and Cybersecurity Law Blog]

CA – Senators Urge Liberals to Act on Privacy, Security Issues with Automated Cars

In a report released this week [see 78 pg PDF report here & Infographic here] the Senate’s transport committee is urging the federal Liberals to take control of the development and testing of self-driving cars on Canadian roads before governments fall too far behind the technological revolution. [It describes] how different departments and levels of government are taking different approaches to automated vehicles: some are hitting the brakes out of safety concerns, while others hope to drive innovation by stepping on the gas. The committee says the federal government needs to better co-ordinate action. The report recommends giving the privacy commissioner greater reach over how car companies use drivers’ information, including whether companies can monetize personal information, and giving federal cybersecurity officials a bigger role over protecting the new technology from hackers. The chairman of the committee says government action must be stronger than in the United States, but must also strike a balance to prevent spilling over into the private sector. [CTV News | See also: CBC News]

US – Navigating the Road Ahead: Auto Industry Stakeholders and Regulators Convene to Discuss Connected Vehicle Privacy

On January 23 a cross-section of automotive stakeholders, government officials, and consumer and privacy advocates came together at Hogan Lovells’ Washington office to discuss privacy issues facing connected vehicles. The half-day conference, co-hosted by Hogan Lovells and the Future of Privacy Forum, convened with the theme of “Privacy and the Connected Vehicle: Navigating the Road Ahead” [see here]. Panels focused on the privacy landscape surrounding automobiles and connectivity generally, regulatory developments and areas of government interest, and the effect of emerging technologies on business models and privacy practices in the automotive space. Several key themes emerged: 1) What Sets Vehicles Apart; 2) Not All Data Are Created Equal; 3) Role of the Government; and 4) Many Challenges and Questions Remain [HLDA | FTC – Connected Cars Workshop]

US – Big Brother on wheels: Why Your Car Company May Know More About You than Your Spouse

We may consider our everyday driving habits mundane, but auto and privacy experts suspect that big automakers see them as anything but. By monitoring our everyday movements, an automaker can vacuum up a massive amount of personal information about us, everything from how fast we drive and how hard we brake to how much fuel our car uses and the entertainment we prefer. They can determine where we shop, the weather on our street, how often we wear a seat belt, what we were doing moments before a wreck — even where we like to eat and how much we weigh. Though drivers may not realize it, tens of millions of American cars are being monitored like this, experts say, and the number increases with nearly every new vehicle that is leased or sold. Carmakers have turned on a powerful spigot of precious personal data, often without owners’ knowledge, transforming the automobile from a machine that helps us travel to a sophisticated computer on wheels that offers even more access to our personal habits and behaviors than smartphones do. [Wash Post | My Business]

Surveillance

US – ICE is About to Start Tracking License Plates Across the US

The Immigration and Customs Enforcement (ICE) agency has officially gained agency-wide access to a nationwide license plate recognition database, according to a contract finalized earlier this month. The system gives the agency access to billions of license plate records and new powers of real-time location tracking, raising significant concerns from civil libertarians. The source of the data is not named in the contract, but an ICE representative said the data came from Vigilant Solutions [here], the leading network for license plate recognition data. Spokesperson Dani Bennett said in a statement: “ICE is not seeking to build a license plate reader database, and will not collect nor contribute any data to a national public or private database through this contract.” While it collects few photos itself, Vigilant Solutions has amassed a database of more than 2 billion license plate photos by ingesting data from partners like vehicle repossession agencies and other private groups. Vigilant also partners with local law enforcement agencies, often collecting even more data from camera-equipped police cars. The result is a massive vehicle-tracking network generating as many as 100 million sightings per month, each tagged with a date, time, and GPS coordinates of the sighting. On December 27th, 2017, Homeland Security issued an updated privacy assessment [See ICE PR here] of license plate reader technology, a move it explained was necessary because “ICE has now entered into a contract with a vendor.” The new system places some limits on ICE surveillance [but] the biggest concern for critics is the sheer scale of Vigilant’s network, assembled almost entirely outside of public accountability. [The Verge | See also: The Hill, CATO at Liberty Blog, GIZMODO, The New American, Deeplinks Blog (EFF) and Fast Company]

US – ICE Accesses Commercial License Plate Reader Database—We Want Access to ICE

The U.S. Immigration and Customs Enforcement (ICE) agency recently issued a contract request [see here] for query-based access to a commercial license plate reader (LPR) database. On December 27, 2017, ICE released a Privacy Impact Assessment (PIA) in which ICE confirmed it had procured this service. On February 2, we filed a Freedom of Information Act (FOIA) request [5 pg PDF here] with ICE seeking information on the contract, as well as any internal training materials, policy memos, and documents related to how ICE agents plan to use the commercial database and LPR data. We filed this request because ICE’s access to a commercial LPR database raises multiple concerns: 1) ICE’s policy permits excessive access to and retention of LPR data; 2) The “hotlist” feature provides ICE the ability to monitor ongoing movements of designated license plates indefinitely and without clear restrictions; and 3) This access may undermine limits on racial profiling and surveillance at ‘sensitive locations.’ [CDT | Related coverage at: Campus Safety Magazine, PressConnects, Security Today and OC Weekly]

UK – CCTV Commish: Bring All Surveillance Systems Under Code of Practice

The UK’s surveillance camera commissioner has told the British government to adopt a “common sense position” and bring all bodies using surveillance camera systems under its code of practice. Tony Porter, whose term as commissioner was in 2017 extended for another three years, used his annual report [see PR here] to call for the Surveillance Camera Code to extend to rail franchises, the health sector and transport hubs. He also used it to raise concerns about inaccuracies in the UK’s use of Automatic Number Plate Recognition (ANPR) technologies and ask for the database to be placed on a statutory footing by the government, as well as lobby for more resourcing for his office. Porter noted that its ANPR use was growing beyond law enforcement, to road enforcement and managing traffic flows. In a speech delivered at the ANPR conference last month, Porter said that ANPR accuracy had been quoted at more than 97 per cent, but that this still meant between 750,000 and 1.2 million misreads per day. Porter directed a dig at the Home Office over the much-delayed Biometrics Strategy – this should cover facial recognition technology, which is an area of overlap between Porter and the biometrics commissioner, Paul Wiles. [Source | See also: Jersey Evening Post and The Sun]

US Government Programs

US – ACLU Says New Customs and Border Patrol Directive Doesn’t Go Far Enough

The US Customs and Border Protection (CBP) released new guidelines for the search and seizure of electronic devices belonging to travelers leaving and entering the US. The guidelines contain new restrictions on the circumstances under which officials can conduct what are called “advanced” searches. These searches are those in which agents connect external equipment to a device in order to analyze or copy its contents. According to the new directive, agents need to demonstrate reasonable suspicion of criminal wrongdoing or otherwise show that there is a “national security concern” in order to conduct advanced searches. Border agents are still allowed to manually search through devices — which could involve sifting through photos, browsing histories or messages — “with or without suspicion,” in what are called basic searches. New data released by CBP [see here] shows that the agency conducted more than 30,000 border searches of electronic devices belonging to those exiting and entering the country in fiscal 2017, a 50 percent increase over the previous year. More than 29,000 international travelers entering the U.S. had their devices searched, compared with nearly 18,500 the previous year. Far fewer individuals had devices searched when leaving the United States. CBP conducted device searches for the most travelers, 3,133, in August 2017, the only month that the count broke 3,000. Most months in 2017 hovered around 2,500. The ACLU has issued a statement regarding the CBP’s new directive, saying that it does not go far enough to protect travelers’ constitutional rights. According to the ACLU, while the new “policy would at least require officers to have some level of suspicion before copying and using electronic methods to search a traveler’s electronic device, it still falls far short of a search warrant based on probable cause.” [threatpost.com | www.scmagazine.com | www.nextgov.com | CBP Directive No. 3340-049A: Border Search of Electronic Devices]

US Legislation

US – House Fails to Protect Americans from Unconstitutional NSA Surveillance

The House of Representatives cast a deeply disappointing vote today to extend NSA spying powers for the next six years by a 256-164 margin. The vote concerned S. 139 [see here & reviewed here], a bill to extend Section 702 of the Foreign Intelligence Surveillance Act (FISA), a powerful surveillance authority the NSA relies on to sweep up countless Americans’ electronic communications. EFF vehemently opposed S. 139 for its failure to enact true reform of Section 702 [see here & here]. In a related vote, the House also failed to adopt meaningful reforms on how the government sweeps up large swaths of data that predictably include Americans’ communications. The House’s inability to pass an amendment—through a 183-233 vote—that would have replaced the text of S. 139 with the text of the USA Rights Act. [see here & reviews here] The amendment to replace the text of S. 139 with the USA Rights Act was introduced by Reps. Justin Amash (R-MI) and Zoe Lofgren (D-CA) and included more than 40 cosponsors from both sides of the aisle. Its defeat came from both Republicans and Democrats. S. 139 now heads to the Senate, which we expect to vote by January 19. [EFF.org | See also: Hit & Run Blog (Reason), CATO At Liberty, CNET, The New York Times and The Washington Post]

Workplace Privacy

CA – BC OIPC Issues Guidance on Tracking Employees

As technology becomes more inexpensive, accessible and ubiquitous, we are seeing an increase in employers’ use of surveillance tools. While workplace monitoring has its benefits, such as providing safety coverage and greater transparency, it can come with risks, including the unlawful collection of employees’ personal information. Recognizing the enhanced role technology plays in the modern workplace, the Office of the Information and Privacy Commissioner for British Columbia (OIPC) recently published two guidance documents to help employers navigate their use of employee surveillance: 1) Employee Privacy Rights; and 2) Using Overt Video Surveillance  [Source]

CA – NL OIPC Issues Warning on Using Social Media for Employee Checks

Information on social networks such as Facebook and Twitter may be public, but Newfoundland and Labrador’s privacy commissioner Donovan Molloy said that doesn’t mean it can be used to make hiring decisions. “In our view, they’re not meant for public-body employers in Newfoundland and Labrador to use as an indirect source of determining whether or not you’re somebody that they might want to hire.” To help employers make good hiring decisions in a world where personal information about candidates is often just a Facebook search away, the privacy commission has released a new set of guidelines [see 3 pg PDF here] on doing employee and background checks via social media. The collection, handling, and use of information by public bodies is governed by the province’s Access to Information and Protection of Privacy Act. That act specifically requires that with the exception of specified circumstances, information must be directly collected from the individuals a public body is dealing with. “If you’re collecting information about job candidates from their social media sites it isn’t a direct collection, it’s an indirect collection,” Molloy said. “Unless you’ve gotten consent, it’s not authorized. And even if you do have consent there are dangers associated with finding outdated material, material related to third persons.” The concern isn’t insignificant. Seventy per cent of employers use social media to screen candidates before hiring, according to a 2017 CareerBuilder poll.  [Source]

WW – BYOD: Discoverable Devices Contain Relevant Unique ESI

Working Group 1 of the Sedona Conference has created draft principles for developing policies and meeting discovery obligations regarding Bring Your Own Device (“BYOD”) programs. Factors to determine whether electronically stored information (“ESI”) is discoverable include whether the ESI is within the employer’s possession, custody or control, and whether the discovery is proportional to the needs of the case; employers cannot ignore discovery obligations because a device containing ESI is also used for personal purposes. Comments can be submitted until March 26, 2018. [The Sedona Conference – Commentary on BYOD – Principles and Guidance for Developing Policies and Meeting Discovery Obligations BYOD Principles] See also: [E-Discovery for Defendants Cheat Sheet – James M. Beck, Lawyer, ReedSmith – Drug and Device Law Blog]

 

+++

01-21 February 2018

Biometrics

US – Customs Aims to Replace Airport Boarding Pass with Facial Recognition

The U.S. Customs and Border Protection plans to use facial recognition technology to replace traditional travel documents at U.S. airports. The federal agency recently started a joint facial recognition initiative with the U.S. Transportation Security Administration at Los Angeles International Airport. The plan is to streamline the travel process and bolster security by matching travelers’ facial image with travel documents. “The future of travel is going to be transformed by biometrics,” CBP Office of Field Operations Executive Director of Planning, Program Analysis and Evaluation Colleen Manaher explained. The hope, according to Manaher, is to allow a passenger to “go from reservation to destination and back home again” without using a passport, RFID document or boarding pass. [NextGov]

US – Study: Facial Recognition Accuracy Varies by Skin Color, Gender

A researcher at the MIT Media Lab found the accuracy of facial recognition technology depended on the subject’s skin color. Joy Buolamwini conducted an experiment to see if facial recognition technology could accurately identify a subject’s gender. When testing 385 photos of lighter-skinned males, the technology was accurate 99 percent of the time, but when testing 271 photos of darker-skinned females, the number of errors shot up to 35 percent. Buolamwini noted, “You can’t have ethical AI that’s not inclusive. And whoever is creating the technology is setting the standards.” [The New York Times See also: The Verge, Global News and PCMag]

Big Data / Analytics

EU – Commission Clarifies Promotion of Big Data Analytics

The European Commission issued a press release highlighting changes imposed by the GDPR. The GDPR encourages the use of data protection techniques (anonymisation, pseudonymisation and encryption), which allows raw data to be retained for Big Data, while simultaneously protecting the rights of individuals; however, a business should be able to anticipate and inform individuals of the potential uses and benefits of Big Data, even if the exact specifics of the analysis are not yet known. [European Commission – Questions and Answers – General Data Protection Regulation]

CA – Canadian CEOs and Academics Push Ottawa for National Big-Data Strategy

Canadian CEOs and academics have been pushing Ottawa for months to develop a national strategy for harnessing data’s burgeoning power – an approach advocates say will pay dividends on everything from boosting economic growth to improving health care. Rapidly expanding technologies like artificial intelligence depend on vast amounts of high-quality data and the expertise to properly analyze it and use it. The potential benefits cut across sectors – from optimizing industrial processes, to improving the detection and treatment of disease, to exporting the resulting expertise abroad. But the big-data prize lies on the other side of some privacy and sovereignty minefields, demanding a thoughtful and careful approach. [Globe & Mail]

CA – Bank of Canada Warns of Threat from Big Data

The Bank of Canada is calling for tougher regulation to stop the spoils of innovation from being concentrated in the hands of a clutch of superstar tech giants. The benefits of the growing global economy are being spread unevenly across society, leaving too many people behind, senior deputy governor Carolyn Wilkins [here] said [PR here & remarks here] to a gathering of top officials from Group of Seven countries in Montebello, Que. The world’s five largest global technology companies have a market capitalization of US$3.5-trillion, or nearly a fifth the size of the entire U.S. economy, she pointed out. Those companies are Google parent Alphabet, Amazon, Apple, Facebook and Microsoft. Too much market and pricing power in the hands of few companies raises concerns about monopolistic behaviour, she said. Ms. Wilkins also raised a red flag about the impact of too much big data – massive amounts of data collected and analyzed by computers – falling into the hands of a few powerful companies. Ms. Wilkins is not alone in expressing concern about the robustness of Canada’s competition and privacy protections in the face of rapid technological change. Federal Privacy Commissioner Daniel Therrien, for example, has called for an update of the country’s privacy laws to give regulators more power and consumers more protection. [G&M see also: Financial Post and CBC News]

US – Researcher Exploring Economic Inequality with Facebook User Data

A study is currently underway to explore economic inequality in the U.S. by using Facebook user data. Stanford economist Raj Chetty, “a favorite among tech elites for his focus on data-driven solutions to the nation’s social and economic problems,” is leading the study, the report states. The research is focusing on the social connections of U.S.-based users. It is estimated that three out of five Americans currently use Facebook. Cecilia Muñoz, who led President Barack Obama’s Domestic Policy Council, said, “For a policy nerd like me, being able to see that quantifiable evidence about things lots of us have been debating in theory for a long time is absolutely huge.” [Politico]

WW – New Tool Uses AI to Automatically Read Privacy Policies

Researchers from Switzerland’s Federal Institute of Technology at Lausanne, the University of Wisconsin and the University of Michigan have developed a new tool designed to read privacy policies for users. Polisis is a website and browser extension designed to use machine learning to automatically examine an online service’s privacy policy. Within 30 seconds, Polisis can offer a user a readable summary of a privacy policy, tell a user what data the service collects and where it could be sent, and inform users whether they can opt out of the collection and sharing. The tool also has a chat interface to answer any questions about the privacy policy it has scanned. [Wired]

Canada

CA – Parliament Could Authorize CSE to Disable Computers Abroad

On February 13, Shelly Bruce, associate chief of the Communications Security Establishment (CSE), told [see here] the House of Commons Standing Committee on Public Safety and National Security [see here] that a Liberal bill [Bill C-59 see here] would help the Communications Security Establishment counter various forms of cyberaggression and violent extremism. The bill would give the agency the ability to disable computers located abroad, and possibly “corrupt information sitting on foreign servers.” The CSE has offered its assurances that it will not use any of its powers to build profiles on citizens. Rather, the agency seeks to only use the abilities to go after foreign servers if the CSE can determine information has been stolen from the Canadian government and to help in “covertly dismantling foreign-based systems used to disrupt the democratic system.” A December report by leading Canadian cybersecurity researchers [see 90 pg PDF here] said there is no clear rationale for expanding the CSE’s mandate to conduct offensive operations. It said the scope of the planned authority is not clear, nor does the legislation require that the target of the CSE’s intervention pose some kind of meaningful threat to Canada’s security interests. Bruce stressed the proposed legislation contains safeguards that would prohibit the agency from directing active cyberoperations at Canadians. It would also forbid the CSE from causing death or bodily harm, or wilfully obstructing justice or democracy. [The Globe and Mail | National Post | Here’s what you need to know about Canada’s ‘extraordinarily permissive’ new spying laws | If Canadian spies found a flaw in the iPhone, would they tell Apple? Make the policy public, critics say | Electronic spy agency watchdog asks for more powers]

CA – OPC: Canadians Concerned Over ‘Growing Risks to Their Reputation’

The OPC recently issued a report [see OPC PR here, report here & pre-report consultation info here] stressing both existing and proposed new legal measures to achieve better protection against online reputation harm, including the right to request search engines to de-index web pages that contain inaccurate, incomplete, or outdated information about themselves. The [report] says Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) [here], the federal privacy law for private-sector organizations, already includes certain protections for individuals. “At the core of the interpretation is Principle 4.6 [see here], which requires organizations to collect, use and disclose information that is accurate, complete and up-to-date,” said Commissioner Daniel Therrien. The report also highlights Principle 4.9, which states that “an individual shall be able to challenge the accuracy and completeness of [his or her personal information] and have it amended as appropriate.” Principle 4.9.5 states that “when an individual successfully demonstrates the inaccuracy or incompleteness of personal information, the organization shall amend the information as required.” However, noted Therrien, there is currently no explicit reference in PIPEDA to de-indexing or the right to reputation, and so the OPC is asking Parliament to examine this issue to resolve any potential ambiguity. The OPC said that after seeking stakeholder views on the proposals outlined [see here], it will finalize its position and develop an action plan to put the new measures into practice. The OPC also announced that it is seeking enhanced powers with respect to protecting online privacy, including reputation. “I think it is important that we have order making powers and the authority to impose fines. This is an authority that other countries have given to their privacy commissioner or data protection authority,” said Therrien. [Lawyer’s Daily See also: Right to be Forgotten, eh? Canada’s Privacy Commissioner Says Law Requires Search Engine De-indexing | Éloïse Gratton Blog, Michael Geist Blog, Teresa Scassa Blog, Barry Sookman Blog, All About Information Blog, and The Canadian Privacy Law Blog]

CA – Why a Canadian Right to be Forgotten Creates More Problems Than it Solves

The right to be forgotten faces the challenge of balancing privacy protections with the benefits of the internet for access to information and freedom of expression. The Privacy Commissioner of Canada waded into the debate on Friday with a new draft report [see OPC PR here and report here] concluding that Canadian privacy law can be interpreted to include a right to de-index search results. The commissioner envisions a system that would allow Canadians to file de-indexing requests with leading search engines, who would be required to evaluate the merits of the claim and, where appropriate, remove the link from the search index or lower its rank to obscure the search result. Moreover, the commissioner would require search engines to actively block Canadians from accessing the offending links by using geo-identifying technologies to limit access in Canada to the results. The Privacy Commissioner’s proposal raises a plethora of concerns: 1) the claim that existing law includes a right to de-index search results stands on shaky ground; 2) the report’s conclusions stand at odds with the majority of responses generated by the Privacy Commissioner’s consultation [read submissions here]. [One] can be forgiven for wondering whether the report’s recommendations were a foregone conclusion; 3) the proposed approach features a remarkable level of micro-managing of search engine activity; 4) [It proposes] search engines to use geo-identifying technologies to block access in Canada to offending links; and 5) the report empowers search engines to play the role of judge and jury over the relevance and harm associated with links to content. [By Michael Geist – January 26, 2018 – The Globe and Mail]

CA – Will PEI’s Expanded FoI Law Diminish Solicitor-Client Privilege?

Solicitor-client info must be kept from information commissioner’s prying eyes, say lawyers. A provincial-government discussion paper [9 pg PDF here] is asking for feedback when it comes to the possibility of expanding P.E.I.’s Freedom of Information and Protection of Privacy Act (FOIPP) to include municipalities, post-secondary institutions and police forces. [It] also talks of a possible amendment that would give P.E.I.’s information and privacy commissioner the ability to access information claimed as solicitor-client privileged in order to assess that privilege when answering an information request. The paper’s release comes just as the [Canadian] Senate discusses Bill C-58 [here], a set of proposed changes to the “Access to Information Act” that could see the granting of similar power to Canada’s information commissioner. And it comes merely months after information commissioners from across Canada called for the legislative power to order the production of privileged materials [see here]. Charlottetown lawyer Jonathan Coady of Stewart McKelvey says such a move would mean the erosion of “a substantive right that is fundamental to the proper function of our legal system” and could lead to legal challenges. [The Lawyer’s Daily] See also: CBA warns of court challenge to Bill C-58 if Ottawa persists with ‘incursions’ on privilege

CA – Quebec CAI Okays Retailer’s PI Collection

The Commission d’Accès à l’Information du Québec investigated Canadian Tire’s alleged violations of the Act Respecting the Protection of Personal Information in the Private Sector in response to a customer’s complaint that the retailer collected personal data that was unnecessary for returning a product. According to the CAI, the processing of customer names, addresses and phone numbers and viewing of their ID is necessary and proportionate for identity verification and fraud detection (for the return or exchange of products); the PI is not used for other purposes or stored at other locations, the ID is not retained, access to the PI is restricted and the PI is destroyed after 24 months, and the retailer clearly tells customers of its practices (online, in-store and on sales receipts). [CAI QC – Decision 1010268-S – Canadian Tire]

CA – ON Police Records Bill Has Yet to Go into Effect

Despite having been passed more than two years ago, the Police Records Check Reform Act has yet to go into effect. The law would prevent unproven allegations, mental health incidents, and withdrawn charges from appearing on the police records of innocent citizens. A report from the John Howard Society finds the delay has resulted in individuals losing out on career and volunteer opportunities. Ministry of Community Safety and Correctional Services Spokesperson Dorijan Najdovski said the agency is working on developing regulations to support the bill, while Toronto criminal defense lawyer John Struthers said the law is in danger of dying if it is not worked on by Ontario’s June election. [Toronto Star]

ON – IPC ON Highlights Gaps in Draft Children and Minors Regulation

The Ontario OIPC commented on a proposed regulation to support the implementation of the Child, Youth and Family Services Act, 2017 that creates obligations for entities using PI for research and disclosing PI to prescribed and non-prescribed entities. Approved research entities should not publish identifiable information, make contact with individuals without consent, or use PI for non-permissible purposes, and minimum standards should be set for non-prescribed entities receiving PI to limit further PI disclosures and contact with individuals. [IPC ON – Comments on the Proposed Regulation under Part X of the Child, Youth and Family Services Act 2017]

Consumer

CA – Invasion of Privacy Class-Action Against Equifax Proceeds in Ontario

A class-action lawsuit arising from last year’s Equifax cyber breach is proceeding in Ontario on the basis of a new invasion-of-privacy tort that has caught the eye of Canada’s property and casualty insurers because it allows courts to award damages even when no economic loss is proven. In a ruling released Jan. 24, Ontario Superior Court Justice Benjamin Glustein ruled [see here] that law firm Sotos [see statement of claim here] can proceed with a class action against Equifax Inc. and Equifax Canada Co. The representative plaintiffs are Bethany Agnew-Americano and a “Jane Doe” plaintiff who is requesting anonymity from the court because of the sensitivity of information that Jane Doe says fell into the wrong hands. At the same time, Justice Benjamin Glustein stayed a separate class action lawsuit against Equifax filed by Merchant Law Group on behalf of Laura Ballantine. The Jan. 24 ruling was not on the merits of the lawsuit but rather on which of two class-actions would proceed. Merchant Law – whose lawsuit is now pretty much dead in the water – had argued unsuccessfully that the Sotos lawsuit should not proceed. This is because Sotos wants one cause of action to be “intrusion upon seclusion,” which was recognized in 2012 by the Court of Appeal for Ontario as a new tort [see Jones v. Tsige here]. Justice Glustein decided it was not obvious that an intrusion-upon-seclusion lawsuit against Equifax would fail. [Canadian Underwriter]

CA – OPC Placing Focus on Children’s Online Reputation

The Office of the Privacy Commissioner of Canada released a draft report on protecting online reputations, with part of the paper focusing on the reputation of children. The commissioner’s report states young people face a tougher road when dealing with their online reputation, as they are essentially forced to operate on the internet. The agency also believes young people should be granted the ability to remove content from the internet once they become adults. While some instances may be as simple as deleting a photo, other material may be difficult to remove given the ease in making and distributing copies of online content. [CBC News]

EU – Survey: 34% of UK citizens will use RTBF once GDPR arrives

A survey conducted by 7stars found 34% of U.K. citizens will enforce their “right to be forgotten” once the EU General Data Protection Regulation goes into effect. Of the respondents to the survey, 75% said the U.K. government needs to make it clear how the GDPR will affect their lives, while 58% said the GDPR is a positive step in protecting their privacy. U.K. citizens said the GDPR would help them think higher of businesses, as 32% of customers said the rules would lead them to place more trust in organizations in handling their data. [ComputerWeekly]

E-Government

CA – Privacy Act May Be Too ‘Permissive’ in Allowing Government Data Use

According to documents prepared for Privacy Commissioner of Canada Daniel Therrien, the Privacy Act may be too “permissive” in the ways it allows the federal government to collect and use the personal data of Canadian citizens. “We’ve seen numerous instances where — despite government itself not seeking to identify or track individuals — their program delivery decisions risked doing precisely (that),” the document states. The analysis is a warning for senior bureaucrats charged with finding new ways to deliver government services via technology, while ensuring privacy and transparency concerns are addressed. [Toronto Star]

US – Study: Federal Agencies Suffer Higher Volume of Data Breaches

A study conducted by the cybersecurity company Thales and analyst firm 451 Research found U.S. federal agencies suffer a higher volume of data breaches compared to the rest of the world. The study found 57% of U.S. federal agencies suffered a data breach last year, while only 26% of non-U.S. government agencies worldwide reported an incident. U.S. agencies also said they were more vulnerable than their global counterparts, with 68% saying they are “very” or “extremely” vulnerable, compared to 48% of worldwide agencies. Thales suggests budget plays a part in the problem for U.S. agencies, as the overall federal budget dropped by $6.2 billion in 2017, with a large portion of the budget going toward maintaining older legacy systems. [ZDNet]

CA – BC to Require All Land Owners to Reveal True Identities in Registry

British Columbia announced it will be launching a public registry where all landowners within the province will need to reveal themselves. According to a provincial budget document, the registry will help reveal who owns expensive properties and can help deter tax evasion schemes, money laundering and other criminal activities. York and Harvard Universities Professor of Corporate Governance Richard LeBlanc called the move “long overdue.” “It shows leadership, especially in the real estate market where owners can withhold their name,” LeBlanc said. “This puts pressure on key provinces such as Ontario, Quebec.” [Metro]

US – FPF Releases Assessment of Seattle’s Open Data Program

The Future of Privacy Forum released its City of Seattle Open Data Risk Assessment, a holistic assessment that aims to help city officials navigate the complexities of privacy-protective open data programs and address the privacy risk of the landscape. FPF Policy Counsel and lead author of the assessment Kelsey Finch said, “Although there is a growing body of research on open data privacy, open data managers and departmental data owners need to be able to employ a standardized methodology for assessing the privacy risks and benefits of particular datasets.” She added: “The City of Seattle is one of the most innovative cities in the country, with an engaged and civic-minded citizenry, active urban leadership, and a technologically sophisticated business community.” [FPF]

Electronic Records

US – Comments Sought on Nationwide EHR Exchange Framework

The Office of the National Coordinator for Health IT has released its draft Trusted Exchange Framework to promote interoperability among health information networks. The framework sets out principles to generate trust among participating health information networks (standardization of policies and procedures, transparency, cooperation, data security and integrity, and individual access to their information), and proposes minimum terms and conditions for participants (reporting of adverse events, publicly available privacy practices, access controls, backup procedures, audit logs, and breach notification). [Draft Trusted Exchange Framework – Office of the National Coordinator for Health IT | Health IT Groups Want ONC to Clarify Exchange Framework]

CA – OIPC BC Issues Guidance on Health Data Research

The OIPC BC has issued guidance outlining the requirements and legal provisions applicable to disclosure of personal information and personal health information for health research purposes. PI or PHI disclosure for research purposes without consent is subject to a number of statutes (e.g., FIPPA, PIPA, E-Health Act) depending on the origin of the data, and is therefore subject to a wide array of conditions and prohibitions, which can include storage of the PI only in Canada, a prohibition on disclosure for market research purposes, and compliance with prescribed confidentiality policies and procedures. [OIPC BC – Access to Data for Health Research]

Encryption

US – NIST Releases Draft Blockchain Technology Overview

On January 25, 2018, the National Institute of Standards and Technology (NIST) division of the U.S. Department of Commerce released a draft report on Blockchain technology (Overview) [See PR here]. The Overview draft report provides a high-level discussion of the technical components of Blockchain technology, addressing how data is encrypted, and how the data is verified and then distributed among the participating Blockchain parties. NIST is seeking comments on the scope and completeness of the draft Overview, which are due by February 23, 2018. While the NIST draft Overview provides a useful summary for those that seek an introduction to the subject, it might have been beneficial to have included a brief discussion on the ongoing governmental efforts to regulate the various applications of Blockchains. It is likely that some of these issues will be addressed in the comments that are due by February 23, and be incorporated into the final report. [Source see also: Bitcoin Magazine and TechStartups and 5 Blockchain Opportunities No Company Can Afford To Miss | How blockchain is revolutionising the legal sector | The Bitcoin Hype And The Potential Disruptive Power Of Blockchain Technology | Blockchain Explained: How It Works, Who Cares and What Its Future May Hold – Is Blockchain the Swiss Army Knife to All of Our Cyber-Insecurities? | New chip links blockchain to industrial IoT devices | Could blockchain unshackle us from the corporate internet? | New cryptocurrencies offer better anonymity, new security challenges | 6 use cases for blockchain in security | The role of blockchain in helping organizations meet GDPR compliance]

US – House Holds Hearing on Blockchain Technology

Speaking at a U.S. House Committee on Science, Space, and Technology hearing, IBM Fellow Jerry Cuomo advocated for government use of blockchain. Cuomo called for the government to take the lead in promoting and deploying blockchain. Cuomo did warn the government about overregulation, saying cryptocurrency does not represent the potential of blockchain. At the same hearing, Benjamin N. Cardozo School of Law Associate Clinical Professor Aaron Wright recommended the creation of an advisory group to handle various blockchain issues and to provide “a unified approach to the numerous regulatory decisions.” [Computerworld]

EU – European Commission Outlines Blockchain Development Plans

The European Commission outlined its efforts to develop a common approach on blockchain technology for the European Union. Among the projects are the EU Blockchain Observatory and Forum, which will map blockchain initiatives in Europe and monitor trends with the technology, and calls for a feasibility study to determine whether there is an opportunity for an EU Blockchain Infrastructure. The European Commission also plans to examine the potential for blockchain to help improve European cross-border services related to customs, taxation, environmental and financial reporting, and health record and identity management. [Europa]

CA – Canada Testing App to Store Traveler Data Using Blockchain

The Canadian government will be assisting in the testing of a new app allowing travelers to digitize information with authorities before flying. The “Known Traveler Digital Identity” system gives individuals the opportunity to store data such as their residency cards, countries they have visited, and biometric information such as facial recognition scans and fingerprints. The data would be securely stored via blockchain. Launched at the World Economic Forum, the system will be tested in several pilot projects, aiming to allow airport authorities to focus on investigating high-risk travelers, according to a WEF report. [Global News]

EU Developments

EU – Article 29 WP Revises Breach Notification Guidelines Under GDPR

The Article 29 Working Party updated previous guidance on personal data breach notification under the GDPR. Revisions include implementing measures to ensure immediate awareness of breaches (to comply with timely notification requirements), documenting incidents where personal data is made temporarily unavailable (even if notification is not required), and ensuring joint controller contracts identify who is responsible for taking the lead on notification. Non-EU entities caught in the territorial scope of the GDPR (i.e. offering goods or services to EU data subjects) must comply with notification obligations. [Article 29 WP – Guidelines on Personal Data Breach Notification Under the GDPR – WP 250 Revision 1]

EU – WP 29 Releases Updated Guidelines on Profiling

The Article 29 Working Party updated guidelines on automated decision-making and profiling under the EU General Data Protection Regulation. The Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 cover definitions, general provisions on both, specific provisions “solely on automated decision-making defined in Article 22,” children and profiling, and data protection impact assessments and data protection officers. The WP29 has opened up a comment period for its guidelines on the accreditation of certification bodies under the GDPR (link is behind registration). The period is open until March 29. [IAPP.org]

EU – Rise of the Data Protection Officer

Data protection officers are suddenly the hottest properties in technology [as] companies across the globe scramble to comply with the EU’s GDPR, which goes into effect in May and represents the biggest shake-up of personal data privacy rules since the birth of the internet. It requires that all companies whose core activities include substantial monitoring or processing of personal data hire a DPO. More than 28,000 will be needed in Europe and U.S. and as many as 75,000 around the globe as a result of GDPR. The need for DPOs is expected to be particularly high in any data-rich industries, such as tech, digital marketing, finance, healthcare and retail. Those companies who have DPOs, meanwhile, are braced for poaching. [Reuters See also: Benefits PRO and Independent (Ireland)]

EU – CJEU: EU-Wide Class Action Cannot be Brought Against Facebook

The EU Court of Justice considered the admissibility of Max Schrems’ class action suit against Facebook Ireland Ltd. for alleged privacy breaches. The EU Advocate General previously provided their opinion. The CJEU confirmed that an individual can file claims against Facebook’s use of his personal data in his Member State of Austria; however, he cannot file claims on behalf of other individuals living in other countries (he is not a party to their contract with Facebook). [Max Schrems v. Facebook Ireland Ltd – Case C-498-16 – CJEU]

EU – German Court Finds Fault With Facebook’s Default Privacy Settings

A court in Germany has ruled that Facebook’s default privacy settings and some of its terms and conditions breached local laws. The Berlin court passed judgement late last month but the verdict was only made public this week. The legal challenge, which dates back to 2015, was filed by a local consumer rights association, the vzbv. It successfully argued Facebook’s default privacy settings breach local consent rules by not providing clear enough information for the company to gather ‘informed consent’ from users when they agreed to its T&Cs. Pre-formulated declarations of consent are clearly on borrowed time in the European Union, as the bloc will shortly have an updated data protection framework — GDPR. And pre-ticked consent boxes buried at the end of lengthy, opaque and vague T&Cs will not pass muster under the new standard. So the regional court’s finding on that aligns with wider incoming personal data processing consent standards that will be enforced across the entire EU from this May. …Last month Facebook announced incoming changes to how it approaches privacy — including outing a set of ‘privacy principles’ and trailing a new global privacy settings hub — which are part of its compliance efforts to meet the EU’s new data protection standards. [TechCrunch See also: Naked Security (Sophos), Deutsche Welle, The Guardian, Reuters, ZDNet and ITPro and also: Facebook makes privacy push ahead of strict EU law | Facebook starts polishing its privacy messaging ahead of GDPR | Facebook to roll out new tools in response to EU privacy laws]

Facts & Stats

CA – Study: 41% of Companies Had Sensitive Info Exposed in Breaches

A study conducted by IDC Canada for Scalar Decisions found 87% of Canadian organizations suffered a data breach last year. Of the 420 respondents who work on their company’s cybersecurity efforts, 41% said sensitive data was exposed when they were hit by the breach. The study found one in five cyberattacks was classified as “high impact,” with sensitive customer or employee information compromised. The estimated cost of a breach in 2017 came to $3.7 million on average, factoring in network downtime, employee work days and lost data. [The Canadian Press]

US – Study: Average Cost of Stolen Health Care Record Rose in 2017

A study from the Ponemon Institute found the cost for a stolen health care record rose in 2017, while the global average for other industries went down. The study found a stolen health care record cost an organization $380 last year, up from $355 in 2016. The global average for other industries was $141 in 2017, down from the $158 average the year before. Ponemon’s study also states 52% of incidents in 2017 were a result of malicious attacks, up 4% from 2016. Another study released by MediaPro found 24% of physicians could not identify a phishing email. [HealthITSecurity]

WW – Study: 93% of Breaches Reported in 2017 Were Preventable

A report from an internet society noted that key causes of breaches included not promptly patching known vulnerabilities, unencrypted data, misconfigured devices and servers, use of unsupported devices, systems and applications, employee errors and accidental disclosures, and not blocking malicious emails; recommendations include data inventories, ongoing assessments of IoT devices, service providers, and operational processes, and ongoing employee training. [Cyber Incident and Breach Trends Report – Online Trust Alliance]

US – Research: A Strong Privacy Policy Can Save Your Company Millions

New research shows that data breaches sometimes harm a firm’s close rivals (due to spillover effects), but sometimes help them (due to competitive effects). The study found that a good corporate privacy policy can shield firms from the financial harm posed by a data breach — by offering customers transparency and control over their personal information — while a flawed policy can exacerbate the problems caused by a breach. Together, the report’s evidence is the first to show that a firm’s close rivals are directly, financially affected by its data breach and also to offer actionable solutions that could save some companies hundreds of millions of dollars. The research shows that the severity of, or number of customers affected by, a breach is a key to understanding whether close rivals will be harmed or helped by their competitor’s bad fortune. In large data breaches, customers increasingly desire to leave the breached firm. Expected switching behavior ultimately benefits the breached firm’s competitors. The research finds that firms can protect or inoculate themselves from their own or a rival’s breach by implementing two important privacy-focused practices that benefit customers: 1) they can clearly explain to customers how they are using and sharing their data; and 2) firms can give customers ample control over the use and sharing of their data. [HBR]

FOI

CA – Report Finds Telcos Demand Fees for Detailed Customer Info Requests

A study from the University of Toronto measured how different companies responded to consumer requests for personal data. “Approaching Access” tracked 24 requests drawn from 6,000 customers made through the Access My Info tool created by the report’s lead author, Andrew Hilts. Most of the companies that responded gave different answers when faced with the same type of requests. When consumers pushed for more detailed answers from telecom companies, they were told they had to pay a fee, a response Hilts disagrees with. “I think any request for a payment acts as a barrier to access, because what we’ve seen from people who’ve requested their data is any sort of roadblock they encounter can serve to discourage them,” Hilts said. [CBC Radio | Canadian Citizens Face Barriers to Accessing Data]

UK – Companies Tested on Responding to Subject Access Requests

A UK newspaper filed subject access requests to six companies to see whether the companies complied with the U.K. 1998 Data Protection Act and whether they would have complied with the upcoming EU General Data Protection Regulation. The media company sent written requests to the six companies to see the information held about a data subject. Of the six companies, Apple, drink retailer Majestic Wine, clothing company Charles Tyrwhitt, and the loyalty card company Nectar responded in a timely manner, while Facebook and Amazon did not send a response to the requests. The three smaller companies sent info on customers’ names, addresses and lists of transactions, while Apple sent 3,314 different data points. [Financial Times]

CA – OIPC BC: Quality Assurance Records Can be Disclosed

The OIPC BC reviewed the College of Physicians and Surgeons of BC’s decision to withhold access to records requested under the Freedom of Information and Protection of Privacy Act. A BC health regulator must disclose to a physician the requested records related to an assessment of his medical practice; participants knew the physician was aware that they were involved (questionnaires were distributed from the physician) and provided their consent for the release of their responses. [OIPC BC – Order F18-01 – College of Physicians and Surgeons of BC]

Health / Medical

CA – Every Yukon Organization Needs a Privacy Primer

The Yukon privacy commissioner is highlighting steps needing to be taken to enhance the protection of citizens’ personal information. Health care providers in Yukon’s public and private sectors must comply with the Health Information Privacy and Management Act (HIPMA) [see 124 pg PDF here; also see here & here], which requires reporting of any breaches. A health care provider must notify an individual (and Yukon’s privacy commissioner) following a privacy breach where there is a risk of significant harm to the individual. If found guilty of failing to do this, fines are between $10,000 and $100,000. The best way for public or private sector organizations in Yukon to avoid being found in violation of mandatory breach reporting requirements is to identify a “privacy contact,” i.e. someone in the organization to be responsible for privacy and to develop breach reporting policy and procedure. All staff need to be trained on the policy and procedure, so that they know what a privacy breach is and who to call when one is discovered. The policy should require employees to notify the organization’s privacy contact immediately upon learning of a breach. The privacy contact must be trained on how to effectively manage a breach and on the mandatory breach reporting requirements in applicable laws. [Yukon News]

CA – AB Court Quashes OIPC Decision Regarding Doctors’ Access to Patient Information

In [the recently decided] “Gowrishankar v JK” [see here], two physicians and Alberta Health Services sought judicial review of an adjudicative order [see Order H2016-06 here] of the [Alberta] Office of the Information and Privacy Commissioner. The OIPC’s adjudicator had determined that the Applicants accessed or permitted access to a patient’s medical information in contravention of the “Health Information Act” [see here]. In a ruling that has far-reaching implications on physicians’ right to access, use and disclose health information stored in the province’s Electronic Health Record [see here], the Alberta Court of Queen’s Bench quashed the Adjudicator’s decision. The practical impact of the Adjudicator’s decision is that it would have prevented physicians from using Netcare to effectively respond to patients’ complaints about the health services they provide. While the decision in “Gowrishankar v JK” brings some much needed clarity to this issue, it also demonstrates that the HIA requires a revisit. The statute is overly vague, incompatible with current modalities and, as was clearly demonstrated, capable of producing absurdities. Consequently the Court encouraged the parties in this action to reach out and consult with their provincial legislators to amend the HIA. He explained that with a little tweaking, the HIA would leave less room for doubt. [MCross]

EU – Study Finds ‘Numerous’ Shortcomings in Health Apps

A recent study of popular health apps found “numerous” shortcomings in the privacy and data protection of user data. To be included in the study, the app had to be free, in English, downloaded more than 100,000 times, and require users to input health or personal data that would be transmitted to a third party. The researchers wrote that the majority of the apps failed to follow “well-known practices and guidelines, not even legal restrictions imposed by contemporary data protection regulations, thus jeopardizing the privacy of millions of users.” Meanwhile, HealthITSecurity reports that a recent survey shows half of organizations cite security and privacy concerns as a leading factor for why mobile and digital health tools are not more widespread. [MobiHealthNews]

Horror Stories

CA – PEI Whistleblowers Seek Financial Compensation for Privacy Breach

Two of the former PEI government employees who had their private information released to the press are seeking financial compensation for the incident. The two whistleblowers came forward to reveal issues with the province’s provincial immigration program but found their emails and personnel records were leaked to the media. Despite the province’s privacy commissioner releasing a report stating the women’s privacy rights were violated, the two former employees are asking for a monetary sum to address the fallout they faced following the leak. One of the women, Susan Holmes, said she has been refused a meeting with Premier Wade MacLauchlan to discuss the privacy commissioner’s findings. [CBC News | PEI Whistleblowers Whose Private Info Was Leaked Consider Legal Options]

Identity Issues

US – Identity Fraud Hits All Time High

The 2018 Identity Fraud Study released February 6 revealed that the number of identity fraud victims increased by 8% (rising to 16.7 million U.S. consumers) in the last year, a record high since Javelin Strategy & Research began tracking identity fraud in 2003. The study found fraudsters successfully [hit] 1.3 million more victims in 2017 [over 2016], with the amount stolen rising to $16.8 billion. The Study found four significant trends: 1) Record high incidence of identity fraud; 2) Account takeover grew significantly; 3) Online shopping presents the greatest fraud opportunity; and 4) Fraudsters are getting more sophisticated. Consumers can minimize their risk and impact of identity fraud. The following are five recommendations for consumers to follow: 1) Turn on two-factor authentication wherever possible; 2) Secure your devices; 3) Place a security freeze; 4) Sign up for account alerts everywhere; and 5) Protect yourself from unauthorized online transactions. [Javelin See also: Dark Reading, CBS News, CNBC, MediaPost and Wall Street Journal]

AU – Australian Government Agrees to Medicare Card Access Recommendations

Following an independent review of health providers’ access to Medicare card numbers, the Australian government has agreed to the 14 recommended changes made in the examination. The recommendations include transitioning from a Public Key Infrastructure to Provider Digital Access, making the terms of the authentication services simpler for users to understand, and ensuring Medicare cards remain a valid form of identification. “The government takes seriously its obligation to protect the significant personal information of Australians, and is working to maintain and strengthen its defences against ever more sophisticated cyber and criminal attacks,” the government wrote in its response to the findings. [ZDNet]

IoT

CA – OPC Issues Guidance on Minimum IoT Security

In “PIPEDA Report of Findings #2018-001” [see PR here & report here], the Office of the Privacy Commissioner of Canada (OPC) reported on its investigation of VTech Holdings Limited [here], a manufacturer of electronic learning products for children. The case arose following a complaint from an affected individual whose information was compromised when VTech’s global server was breached between Nov. 12 and Nov. 29, 2015. The hacker gained access to various VTech environments and ultimately to customer data, in a live production environment, copying customer data off of VTech’s network. The OPC estimated that the breach affected more than 316,000 Canadian children and more than 237,000 Canadian adults. The decision provides some useful guidance in connection with minimum security standards required for Internet of Things/web-connected devices, particularly those that collect personal information and data from children. [Canadian Lawyer Magazine | See also: VTech Data Breach Enforcement Actions – Guidance for Data Security and Privacy Law Compliance | What Toymakers Can Learn From VTech Breach And Settlement | VTech Settlement Resolves COPPA Allegations in FTC’s First Connected Toy Case | VTech breach investigation highlights security failures | FTC Cracks Down on Internet-Connected Toys]

US – Smart TV’s Privacy Capabilities Placed Under the Microscope

Consumer Reports conducted an analysis of the privacy and security capabilities of smart TVs. The group tested televisions from five major brands using their new Digital Standard, finding TVs made by Samsung, TCL and others using the Roku TV platform could be vulnerable to unsophisticated hackers who could change channels or play offensive content. Consumer Reports also examined the data collection practices of the televisions, finding smart TVs can collect information related to viewing habits to share targeted advertising. The group also discovered customers could lose television functionality if they attempt to limit data collection. Meanwhile, the Future of Privacy Forum released their views on the findings from Consumer Reports. In an extensive article for Gizmodo, Kashmir Hill described her experience living in a fully equipped smart home for two months. [Full Story]

WW – Google-Nest Merger Raises Privacy Issues

Tech giant Alphabet is merging its Google and Nest [here] divisions together [see blog post here] to aid its efforts to build hardware and software to “create a more thoughtful home”. Nest had run as a standalone unit since its $3.2bn (£2.3bn) takeover in 2014. Its smart home products benefit from gathering data about its users. Nest previously pledged the data would be kept separate from Google’s other operations. Privacy campaigners have raised concerns at the reorganisation. But Google has said it will be “transparent” about any changes that might be made. Nest’s products include: 1) internet-connected security cameras for inside and outside the home; 2) thermostats that use motion-detecting sensors to detect when the owners are about; 3) a camera-equipped doorbell; and 4) a movement-detecting alarm system and smoke detector. The division’s app can be set to gather data from other products – including cars, ovens, fitness trackers and even sensor-equipped beds. … The Big Brother Watch [here] campaign group said it was concerned by the development. “Google already harvests an incredible amount of detailed information about millions of internet users around the globe,” said director Silkie Carlo. “Now, Google is becoming embedded in the home, through ‘smart’ soft surveillance products. “Adding data from Nest’s home sensors and security cameras will significantly expand Google’s monopoly on personal data. Many customers will be justifiably anxious about Google’s growing, centralised trove, especially given that its business model relies on data exploitation.” [BBC See also: Gizmodo, TechCrunch, CNET and Yahoo News UK]

US – NIST, DHS Co-Host Conference on Smart Cities

The Global City Teams Challenge announced its 2018 kickoff conference, where this year’s Smart and Secure Cities and Communities Challenge aims to encourage municipal governments and technology innovators to focus on cybersecurity and privacy concerns while also working towards replicability, scalability and sustainability. The 2018 GCTC is co-hosted by the National Institute of Standards and Technology and the U.S. Department of Homeland Security Science and Technology Directorate. The conference will be held Feb. 6-8, in Washington, and registration is free but required before Jan. 30. [NIST]

Law Enforcement

CA – OIPC AB Investigates Unlawful Disclosure by Alberta Police

The Alberta OIPC has investigated a complaint against the Edmonton Police Service, alleging violations of the Freedom of Information and Protection of Privacy Act. A police service disclosed to an individual’s employer details of police investigations he was subject to as a teenager, and allegations made against him as an adult (resulting in his termination); the waiver signed by the individual for a police check did not state that investigations, allegations and non-convictions would be used, and no review was done to determine if it was necessary to inform his employer of the information. [OIPC AB – Order F2017-87 – Edmonton Police Service]

Online Privacy

US – Report: Schools Must Strike Balance with Personalized Learning, Privacy

A report from the National Association of State Boards of Education found that, although school privacy policies can often conflict with personalized learning, it is up to state policymakers to develop laws and policies that harmonize a balance between the two. In the report, authors state that “good student data privacy policies recognize the potential for personalized learning to accelerate student achievement while also guaranteeing safe, secure access to a predetermined, transparent set of student data.” The study reviewed policies in Louisiana, Kansas and California. [EdScoop]

US – WSJ Uses Machine Learning to Determine Likelihood of Subscriptions

The Wall Street Journal has been using machine learning to determine the likelihood a user will subscribe to their site. More than 60 signals are used to analyze a user’s behavior on WSJ’s website, including what stories they click on, their location, and their operating system. From there, the company places users into three categories. If it is determined the user will likely subscribe to the Journal, they will face a hard paywall, but if a user scores lower, they may be granted an additional free session before facing the call for a subscription. [Nieman Lab]

CA – Study: Canadians Avoid Privacy Policies Due to Length, Complexity

A report commissioned by the Canadian Marketing Association examined whether citizens read privacy policies. Released on International Data Privacy Day, the study found 60% of Canadians only read portions of privacy policies, while 25% said they do not read policies at all. Respondents said they do not read the full privacy policy due to length, complexity of the language, and lack of choice. When asked about how informed they are regarding Canadian privacy laws and data rights, 39% said they are not informed, while 40% said they only have a basic understanding of their rights and the laws. [CMA]

US – FTC Offers Advice on Using, Researching VPNs

The FTC has released a guide offering advice to individuals looking to use a virtual private network. The FTC offers a rundown of what VPNs are, why people use them, and the privacy concerns surrounding the technology. The agency offers several pieces of advice to those interested in VPNs, including to research VPN apps before using them and reviewing the permissions the app requests, while warning potential VPN users the apps do not always encrypt information and of the possibility of VPNs sharing information with third parties, as well as debunking the idea the apps will make a user completely anonymous. [Full Story See also: Don’t Trust the VPN Facebook Wants You to Use]

Other Jurisdictions

UK – NHS Publishes Healthcare Risk Assessment for Public Cloud Services

The UK National Health Service has issued guidance on the use of cloud services for patient information, including: a one-page overview; a good practice guide; a risk framework; and a data risk model. The 4-step process involves understanding how the healthcare organisation handles data (e.g., the volume and retention period), a specific risk assessment (does the calculated risk classification align with the organisation’s risk appetite), implementing proportionate controls (selecting a provider based on required security standards), and monitoring (ensure the provider notifies of any detrimental changes to its security). [National Health Service, United Kingdom – NHS and Social Care Data: Off-Shoring Data and the Use of Public Cloud Services | NHS – Overview | NHS – Good Practice Guide | NHS – Risk Framework | NHS – Data Risk Model]

Privacy (US)

US – FTC Releases PrivacyCon 2018 Agenda

The Federal Trade Commission has released the final agenda for PrivacyCon 2018. The third annual PrivacyCon will focus on the privacy implications of artificial intelligence, the internet of things and virtual reality, while also highlighting the economics of privacy, such as quantifying harm when organizations do not properly protect consumer data. The conference will host sessions on the collection and leakage of private data, consumer preferences and research tools related to privacy management. This year’s event will also have a Student Poster Session designed to encourage a new wave of privacy researchers. PrivacyCon 2018 will take place Feb. 28. [FTC | Source]

Privacy Enhancing Technologies (PETs)

WW – Should There Be A ‘Do No Harm’ Principle for Tech Developers?

Data scientists met this week to start drafting an ethics code for their profession, continuing an evolving discussion around whether programmers and data scientists should have to sign an industry equivalent to the Hippocratic Oath. A recent release by Microsoft argued that it “could make sense” to tie coders to a similar “first, do no harm” principle sworn to by physicians. DJ Patil, chief data scientist for the United States under President Barack Obama, said, “We have to empower the people working on technology to say, ‘Hold on, this isn’t right.’” [Wired]

EU – Privacy by Design Paper Wins CNIL Award

France’s data protection authority, the CNIL, and public research body Inria handed out their 2017 “privacy protection” prize at the CPDP conference last week in Brussels to the research behind the paper “Engineering Privacy by Design Reloaded.” The prize was created in 2016 as a way to encourage privacy research, while also aiming to raise awareness of data protection issues in the scientific community. The paper analyzed the methods engineers use to apply privacy by design in practice and provides practical guidelines for using privacy engineering to minimize the amount of data collected and held by data controllers and processors. [CNIL]

Security

US – HHS Issues Recommendations to Avoid Attacks

The Office for Civil Rights of the U.S. Department of Health and Human Services has issued recommendations regarding cyber extortion. Organizations should implement a risk management program that identifies cyber risks throughout the organization, train employees to identify suspicious communications, patch systems, limit internal network access to deny/slow attackers’ movements, and encrypt and back up sensitive data. [HHS – Cyber Extortion]

US – Study: State and Local School Websites Among the Most Vulnerable

A study by EdTech Strategies found that state education departments and local school systems are among the most vulnerable websites, with many failing to implement the HTTPS protocol. The report found that 49 of 51 states and 158 of 159 school systems used tracking software to compile user data and employ targeted advertising. When reviewed in comparison to the state education departments’ and school systems’ privacy policies, such tracking was found to be in violation of their policy. Douglas Levin, president of EdTech Strategies and director of the study, said, “Based on that review, it’s clear there’s a disconnect,” adding that many websites in the study “made demonstrably false statements.” Levin said the report suggests “a widespread lack of attention to issues of online security and privacy.” Levin estimated the average IT support-to-user ratio in companies is between 50 and 300 per IT support person, but in schools it can be up to 1,000. And many school districts likely don’t have a full-time IT staff; they may be part-time, or it might be a third-party contractor. [EdScoop See also: DARKReading, T.H.E. Journal and EdSurge]

Smart Cars

WW – Who Owns the Data Connected Cars Generate?

While many automakers have pledged to follow the Alliance of Automobile Manufacturers’ privacy principles, privacy concerns have been raised over automakers’ data collection practices. A panel at the Washington Auto Show discussed the difficulty of controlling data collected by connected cars, particularly when it is time to wipe a user’s data from a vehicle, such as when a driver returns a rental. At the same time, the panel found the adoption of the voluntary privacy principles set forth by the AAM to be sufficient. Catherine McCullough, executive director of the Intelligent Car Coalition, said, “I don’t know of any carmakers specifically that are proactively giving drivers control over data here.” [Yahoo]

US – FPF Publishes Automotive Privacy Principles on 2017 Models

The National Automobile Dealers Association and Future of Privacy Forum have published a guide that explains what personal data is collected in cars. Sensitive personal data is collected and used by event data recorders, on-board diagnostics, and apps, including geolocation data, driver behavioral data and biometrics; manufacturers commit to the 3 principles of transparency (providing clear and concise privacy policies), affirmative consent for sensitive data (prior to use for marketing or sharing with unaffiliated third parties), and sharing with government and law enforcement (clearly stating when they do so). [Personal Data In Your Car – National Automobile Dealers Association and Future of Privacy Forum]

CA – Report: Canada ‘Ill-Prepared’ for Autonomous Vehicles

A report from the Senate Committee on Transport and Communications found Canada is “ill-prepared” for autonomous vehicles. The committee states Canada needs to begin to prepare for the disruptions caused by self-driving cars as soon as possible to ensure it “is ready for this upcoming period of technological change.” Despite issues surrounding privacy and security, Senator Dennis Dawson argued the technology will be implemented regardless. The report offered 16 recommendations to help Canada answer concerns surrounding the vehicles, including continuously assessing the need for privacy regulations in connected and autonomous cars and developing connected-car frameworks with privacy protections as a key component. [IT World Canada | Driving Change – Senate of Canada]

Surveillance

US – Police Use of Commercial License Plate Database Lawful

A US Court considered a criminal defendant’s motion to suppress evidence obtained through a license plate query on a database. The database relies on random observations of license plates on public streets by digital cameras placed on repossession and law enforcement vehicles; the cameras cannot be easily manipulated, do not permit police to continuously track the location of a particular vehicle or individual, and the images of license plates are taken on public streets. [United States of America v. Jay Yang – 2018 U.S. Dist. LEXIS 11967 – United States District Court for the District of Nevada]

US – California Senate Rejects License Plate Privacy Shield Bill

The California Senate has rejected S.B. 712 [with a 12-18 vote, see here]. It would have allowed drivers to protect their privacy by applying shields to their license plates when parked. The simple amendment to state law would have served as a countermeasure against automated license plate readers (ALPRs) that use plates to mine our location data. Just last week, news broke that Immigrations & Customs Enforcement would be exploiting a database of more than 6.5 billion license plate scans collected by a private vendor. Indeed, the federal government—including the Drug Enforcement Agency and Immigrations & Customs Enforcement—are ramping up their efforts to use ALPR data, including data procured from private companies. Major vulnerabilities in computer systems are revealing how dangerous it can be for government agencies and private data brokers to store our sensitive personal information. [EFF.org]

US – Seattle Dismantles Controversial Wireless Mesh Surveillance Network

In 2013, Seattle police installed (using $3.6 million from the Department of Homeland Security) surveillance cameras and a network that could track wireless devices throughout downtown — after unwanted publicity, they turned it off [see here]. Now the city has budgeted $150,000 to remove dozens of surveillance cameras and 158 “wireless access points.” The mesh network, according to the ACLU, news reports and anti-surveillance activists from Seattle Privacy Coalition, had the potential to track and log every wireless device that moved through its system. This isn’t the first time SPD has been pressured to abandon a Homeland Security-funded tool. In 2013, it gave up its drones. Like the mesh network, they were quietly bought with federal money and became a flashpoint for public outcry. [Seattle Times | Activist Post]

CA – City of Hamilton to Study Allowing Home Cameras to Point at Street

[Hamilton, Ontario] will study allowing residents to point their security cameras at the street. But a council decision won’t be made until city lawyers report back on the prospect, including concerns made public by Ontario’s privacy commissioner Brian Beamish [see PR here & Letter here]. Right now, Hamilton bylaws [see here] ban home cameras from pointing anywhere other than a homeowner’s own property. Beamish said he’s uncomfortable with any government law change that sets out to “empower a private citizen to act as a police agent” via homeowner surveillance of the public realm. At the same time, relatively few other Ontario cities currently enforce such a bylaw. Those include Milton, Oshawa and Brampton. [Hamilton Spectator | CBC News See also: Hamilton councillors endorse studying expanding surveillance cameras guidelines | The Spectator’s view: Right to privacy a quaint notion? | Should Hamilton homeowners be allowed to point cameras at the street? | Hamilton to consider expanding use of private surveillance camera footage for police use]

CA – OIPC BC Admonishes Government Surveillance

B.C.’s acting privacy commissioner singled out Kelowna in a public memo [read here] as potentially violating privacy by monitoring surveillance cameras. In the memo, acting information and privacy commissioner Drew McArthur acknowledged consulting with Kelowna, as well as Richmond and Terrace, over their own plans for surveillance cameras. “These proposals all assume that video surveillance prevents crime and justifies the persistent invasion of the privacy of law abiding people who are just going about their day-to-day business,” he writes. “But what Richmond, Terrace and Kelowna are ignoring is that for all its monetary and privacy costs, there is little evidence that surveillance works.” Kelowna risk manager Lance Kayfish said the surveillance monitoring program was designed under guidelines provided by the privacy commissioner which he says do show monitored cameras to be more effective than those that simply record automatically. [OIPC BC – Use of Video Surveillance by Local Governments | BC Legality of Surveillance Cameras Enters Review Process | Civil Liberties Association warns B.C. city against surveillance cameras in public park | InfoTel | InfoTel News, Kelowna Capital News, Castanet and KelownaNow | Vancouver Councilor Calls for Return of Surveillance Cameras Following Homicide]

CA – Security Cameras Back on in Yellowknife, New Policy Adopted

Some public surveillance cameras are back on in Yellowknife, and a new security camera policy is in place [see PR here & new policy here]. The city shut down the cameras last month, after CBC News and local media reported the technology was used by some city staff, including the head of the municipal enforcement division, to allegedly zoom in on and ogle women. The allegations date back to 2014. The policy states the cameras can only be installed and monitored when deemed necessary to address a specific issue, when there isn’t another way that’s “less privacy-invasive” to address that issue. It says the footage should only be accessed by authorized employees, the city’s chief lawyer, specific employees from the municipal information technology division and others, with approval from the city’s senior administrative officer. The city also put out a public notice of a special municipal services committee meeting Thursday to discuss the inquiry into allegations of workplace misconduct in the city’s municipal enforcement division. Earlier this month, the city held a secret meeting to discuss the inquiry, and no records were kept of that meeting. [CBC | See also: Encrypted surveillance video may solve Yellowknife’s security camera woes: former privacy commissioner | Yellowknife city councillor proposes using security cameras as webcams | Inquiry into Yellowknife bylaw department goes dark | Yellowknife security cameras go offline following reports city staff abused their use | Former employee alleges inappropriate behaviour by head of Yellowknife’s bylaw]

CA – Surveillance Cameras Allowed in Quebec’s Long-Term Care Homes

Beginning March 7, residents of publicly funded long-term/chronic care institutions (CHSLDs) in Quebec will have the right to install surveillance equipment in their rooms to prevent mistreatment. [See here] The new policy was initially made public in October, although the government has now announced some slight modifications to its original guidelines. These include extending the regulations to permit the use of smartphones and electronic tablets, as well as surveillance cameras. Each long-term care facility will have a designated representative to assist residents who want to install cameras. That person’s mandate will be to ensure the footage respects privacy rules, among them: 1) The camera can’t be used to capture images and sounds from outside the user’s room; 2) The camera also cannot capture images from a bathroom, unless it’s justified; 3) When it is installed in a shared room, the camera cannot be used to capture images or sounds of the other residents; and 4) The camera must be removed if its use is no longer necessary for the purposes sought by its installation. There will also be signs posted at the entrance of CHSLDs, advising visitors and staff of the possibility of surveillance cameras in the rooms. [CBC See also: Patients’ advocate slams decision to allow cameras in Quebec long-term care homes | No hidden cameras allowed in P.E.I. long-term care facilities | ‘Cloak of privacy’ keeping nursing home abuse secret, advocate says]

Workplace Privacy

CA – OIPC NFLD Cautions Against Social Media Access

The Newfoundland and Labrador OIPC issued recommendations on collecting employee information from social media. Even where job candidates consent, employers should avoid collection and use of information from their social media platforms; there is a reasonable expectation of privacy in these accounts, and information collected can be unreliable, inaccurate, irrelevant and prejudicial. Employees may authorize checks of their social media platforms (through employment terms and conditions); however, employers should not contract a third party to perform the check as a way to avoid privacy obligations. [OIPC NL – Collecting Information via Social Media – Employee and Background Checks]

 

+++