15-28 February 2015


WW – Breakthrough in Facial Recognition: The ‘Deep Dense Face Detector’

The technology has developed over the last 14 years, and the recent breakthrough coming out of the Yahoo/Stanford team is based on a new approach, springing from advances made recently in a type of machine learning known as a deep convolutional neural network. To train their neural net, Farfade and the other researchers created a database of 200,000 images, including faces at various angles and orientations, plus another 20 million images without faces. They then fed their neural net batches of 128 images at a time, over 50,000 iterations. The result is what the team calls the Deep Dense Face Detector: an algorithm that can spot faces set at a wide range of angles, even when partially occluded by other objects, such as the hands and head that are blocking Jolie’s face in the image. [Source]

WW – New Face-Detection Algorithm Could Revolutionize Search

A new face-detection algorithm could revolutionize image searches online. Traditional facial detection methods involved a head-on photo, but new methods dependent on deep convolutional neural networks can capture and detect faces from several different angles. The team of researchers who have developed the technology call it Deep Dense Face Detector. “The great promise of this kind of algorithm is in image search,” the report states, adding, “It is inevitable that this capability will be with us in the not-too-distant future.” Meanwhile, Built in Chicago reports on facial recognition technology developed by startup Verie. The app verifies an individual by using his or her face. The startup says such technology could be used to verify job applicants, lendees or potential dates. [MIT Technology Review]

WW – Neuro-Ethicist: Brain Data Must Be Protected

Technological advances “are making it easier than ever to measure, interpret and even reconstruct brain activity,” while the proliferation of wearables is creating “more ways to map our brainwaves than ever before,” and that means more opportunities for companies to mine that data. This presents an interesting question: Who owns brain data? Neuro-Ethicist Paul Roote Wolp recently stressed the importance of setting up ground rules to protect cognitive privacy. For example, functional magnetic resonance imaging (fMRI) is beginning to be used for lie detection, the report states, and “it’s not unreasonable to expect police and other actors to use cognitive data in the future” to determine innocence or guilt. [Gizmodo]


CA – Bill C-51: Support for Anti-Terror Legislation But With Additional Oversight

Nearly half of Canadians say draft law “strikes right balance”, fully one-third say it doesn’t go far enough. Four-in-five (82%) adult Canadians surveyed online by the Angus Reid Institute say they support the draft law, with fully one-quarter (25%) saying they “strongly” support C-51. Most Canadians (80%) profess to having at least heard about the legislation, and 4/5 respondents either strongly support (25%) or support (57%) Bill C-51. Opposition to the draft law stands at 17% in total, with just 5%  saying they are “strongly” against the legislation. [Angus Reid] [Why Stephen Harper’s terror bill is so popular] [National Post View: We need parliamentary debate on Bill C-51] [Mulcair won’t commit to scrapping anti-terror bill, if ever in power ] [“Total Information Awareness”: The Disastrous Privacy Consequences of Bill C-51] [Former justices, PMs express concern over lack of anti-terror oversight] [Former PMs call for more CSIS oversight as MPs debate anti-terror bill] [Bill C-51: Political battle lines drawn over anti-terror bill as election nears] [Anti-terror law shares information too easily, experts write ] [NDP will oppose ‘overreaching’ terrorism bill, while Liberals offer support] [Anti-terrorism bill’s powers could ensnare protesters, Elizabeth May, MP fears] [Anti-terror Act: Would new bill protect your financial information?] [Bill C-51 moves us one step closer to the end of privacy: Forcese, Roach]

CA – Open Letter to Parliament: Amend C-51 or Kill it

The following is an open letter addressed to all members of Parliament and signed by more than 100 Canadian professors of law and related disciplines.

Dear Members of Parliament,

Please accept this collective open letter as an expression of the signatories’ deep concern that Bill C-51 (which the government is calling the Anti-terrorism Act, 2015) is a dangerous piece of legislation in terms of its potential impacts on the rule of law, on constitutionally and internationally protected rights, and on the health of Canada’s democracy.

Beyond that, we note with concern that knowledgeable analysts have made cogent arguments not only that Bill C-51 may turn out to be ineffective in countering terrorism by virtue of what is omitted from the bill, but also that Bill C-51 could actually be counter-productive in that it could easily get in the way of effective policing, intelligence-gathering and prosecutorial activity. In this respect, we wish it to be clear that we are neither “extremists” (as the Prime Minister has recently labelled the Official Opposition for its resistance to Bill C-51) nor dismissive of the real threats to Canadians’ security that government and Parliament have a duty to protect. Rather, we believe that terrorism must be countered in ways that are fully consistent with core values (that include liberty, non-discrimination, and the rule of law), that are evidence-based, and that are likely to be effective.

The scope and implications of Bill C-51 are so extensive that it cannot be, and is not, the purpose of this letter to itemize every problem with the bill. Rather, the discussion below is an effort to reflect a basic consensus over some (and only some) of the leading concerns, all the while noting that any given signatory’s degree of concern may vary item by item. Also, the absence of a given matter from this letter is not meant to suggest it is not also a concern.

We are grateful for the service to informed public debate and public education provided, since Bill C-51 was tabled, by two highly respected law professors — Craig Forcese of the University of Ottawa and Kent Roach of the University of Toronto — who, combined, have great expertise in national security law at the intersection of constitutional law, criminal law, international law and other sub-disciplines. What follows — and we limit ourselves to five points — owes much to the background papers they have penned, as well as to insights from editorials in the media and speeches in the House of Commons. [Source] SEE ALSO: [Bill C-51 defies key rulings on security certificates, lawyers say Anti-terrorism bill muddies waters on disclosure rules for non-citizens] [Conrad Black: Alarm bells must ring in response to the government’s new anti-terror bill] [From opposition to retreat: Tom Mulcair and Bill C-51 ] [Conservatives extend anti-terror bill hearings after opposition filibuster] [Conservatives agree to more scrutiny of anti-terror bill after NDP filibuster][Bill C-51 threatens to sacrifice liberty for security] [National Post View: Why are the Tories determined to rush C-51 through committee?] [C-51: Conservatives demand limit on anti-terror bill expert testimony] [Fighting the evil within: The case for and against the Anti-Terrorism Act]

CA – CSE Monitors Millions of Canadian Emails to Government

CSE, under its mandate to protect federal government computer networks, vacuums up emails sent to and from the government and monitors website traffic, looking for malware and intrusions. Canada’s electronic spy agency watched visits to government websites and collected about 400,000 emails to the government every day, storing some of the data for years, according to the 2010 document. Today’s volume is likely much higher given online traffic growth. Common online activities involving the government include Canadians filing their taxes, writing to members of Parliament and applying for passports. The program to protect government servers from hackers, criminals and enemy states is raising questions about the breadth of the collection, the length of retention and how the information could be shared with police and spy partners in other countries. Public Safety Minister Steven Blaney may have a fight or, at least, a filibuster on his hands at the House public safety committee, which is slated to start reviewing the government’s proposed anti-terror legislation this week. A New Democrat-driven filibuster could delay the bill. [Critics question how long data is stored and what it’s used for ]

CA – Leaked Files Show Canadian Spy Agency Struggling With Flood Of Data.

Edward Snowden leaked documents to the CBC that reveal the massive amount of data Canada’s spy agency collects every day. CBC revealed the Communications Security Establishment in 2010 documents wanted a better computer system to deal with the 400,000 emails it collects every day. The emails are captured in a file format known as PCAP, which allows a government network administrator to record internet traffic in its entirety. The leaked files say the CSE is storing people’s messages on their servers for “days or months.” In one slide, a CSE employee says their servers can store up to 10 terabytes of emails a day — the equivalent of 2,128 DVDs. [Source]

CA – Spy Agency’s Review Group Can’t Perform ‘Oversight’ Role

During three days of lively debate in the Commons over the controversial anti-terror Bill C-51, Public Safety Minister Steven Blaney, Justice Minister Peter MacKay and other Conservative MPs have repeatedly characterized the Security Intelligence Review Committee (SIRC) as providing oversight of… the Canadian Security Intelligence Service (CSIS). Prime Minister Stephen Harper has done the same. Yet SIRC has no such mandate. “We review CSIS. We look at past activities,” to ensure they are lawful, appropriate and effective, SIRC’s Lindsay Jackson said. Recently the terms ‘oversight’ and ‘review’ have become almost interchangeable but they do actually mean separate things. Direct oversight implies a certain amount of involvement in the active political decision-making or the operational decision-making, and we are not involved in the operational decision-making,” at CSIS. [Source]

CA – Fed. P. Commish Urges Caution Over Sex Offender Registry

There is research that supports the view that laws that reduce the privacy of sex offenders makes rehabilitation and reintegration more difficult. Ultimately, this could increase the rate of recidivism. A publicly accessible database also creates a risk of vigilantism, as recognized on provincial dangerous offender websites such as the one in place in Alberta, and increases the risk that fears of being attacked or harassed will drive offenders underground. There is evidence that similar databases in the United States have led to the killing of sex offenders released in the community. [Appearance before the House of Commons Standing Committee on Justice and Human Rights (JUST) on Bill C-26, the Tougher Penalties for Child Predators Act ]

CA – Privacy Commissioners Issue Guidelines for Police on Body-Worn Cameras

Federal, provincial and territorial privacy and personal information protection Ombudspersons and Commissioners issued guidance on law enforcement and the use of body-worn cameras. The guidance notes that a Privacy Impact Assessment, which can help identify and mitigate the potential risks to privacy and personal information, is a highly recommended best practice before launching a body-worn camera program. As well, law enforcement agencies can consult with data protection experts and undertake a pilot project before deploying the cameras broadly. The privacy commissioners’ guidelines point to many concerns, including whether recordings will be made in private homes, if citizens will be informed they are being captured on video, and whether police forces will adequately protect private information caught on camera. Among their recommendations are that recordings be protected by safeguards, such as encryption and strict retention periods. They also suggest rules aimed at minimizing the recording of innocent citizens and innocuous interactions with the public [Press Release] [Source] [Guidance for the use of body-worn cameras by law enforcement authorities] [A new plan out of Ottawa would boost information-sharing between Canadian immigration and border enforcement officials, Employment Canada, Revenue Canada, the RCMP and provinces [The Toronto Star].

CA – Digital Privacy Act, Committee Hears from Federal Privacy Commissioner

Commissioner Therrien told the committee most people — and especially children and recent immigrants — aren’t always able to understand the language used in statements of terms and conditions. That has given rise to questions about whether such “vulnerable people” — as they were referred to by the committee — can legally give consent to the collection of their information. “(S-4) has a potential of improving the definition of consent from children,” he said, noting his office has had to deal with privacy complaints involving children before and recommendations have been made to businesses to use plainer language in the service agreements. “To have this clearly in legislation, that you must think about your clientele, would be useful.” [Source] A new plan out of Ottawa would boost information-sharing between Canadian immigration and border enforcement officials, Employment Canada, Revenue Canada, the RCMP and provinces, [The Toronto Star].

CA – B.C. Should ‘Aggressively Pursue’ Body-Worn Cameras for Police

“Members concluded by strongly supporting the use of body-worn cameras in B.C., and calling on government in the consultation with police and non-police stakeholders to aggressively pursue the steps necessary to implement the use of body-worn cameras by B.C. police members,” the report reads. [Metro News]


US – Consumer Awareness of AdChoices Up, Concerns About Targeted Ads

A new study conducted by Ipsos on behalf of TRUSTe has found that 68% of smartphone users are concerned about being served targeted ads, but consumer awareness of the AdChoices program is up 16% from last year. “Our research shows that the majority of Americans are still uneasy about having their online activity tracked for use in targeted ads, mainly because they feel like they have limited control,” said TRUSTe CEO Chris Babel. “The good news is that awareness of the AdChoices icon … has risen substantially and continues to have the potential for positive impact on consumer attitudes.” [Full Story]

US – DAA Launches Two Privacy Control Tools for Consumers

The Digital Advertising Alliance (DAA) has launched two new tools to help consumers locate and opt out of behavioral advertising. “AppChoices” and “DAA Consumer Choice Page for Mobile Web“ intend to increase transparency and choice for online users. The DAA is offering AppChoices on Google Play, the Apple App Store and the Amazon Store. “Our new mobile choice tools deliver the same reliable, independently enforced, privacy-control experience where consumers and brands engage, both across the Internet and on the go,” said DAA Executive Director Lou Mastria. [Source]


WW – How Would Your Company Rate for Email Security?

The best industry for email security? Social media. The worst? Healthcare. Such are the findings of a survey conducted by Agari, which assessed the security of 147 businesses’ email communications, judging them on how they employ the three major email security protocols: Sender Policy Framework, DomainKeys Identified Mail and Domain-based Message Authentication, Reporting and Conformance. As many of the world’s largest data breaches were reportedly the result of a targeted phishing attack, email security is becoming an important front line in the cybersecurity battle. [Fortune]

CA – CRTC Levies 1.1M Spam Fine

nNovation Partner Shaun Brown discusses the Canadian Radio-television and Telecommunications Commission announcement of its first Notice of Violation under Canada’s Anti-Spam Legislation, including a $1.1 million penalty.


UK – Alleged Cyber Criminal Will Not Give Up Encryption Keys

A British man accused of breaching systems at NASA, the FBI, and the US Federal Reserve is refusing to surrender cryptographic keys that would allow authorities in the UK to access devices seized after his October 2013 arrest. Lauri Love is facing charges in three federal districts in the US. He is planning to petition a UK court to compel the National Crime Agency (NCA) to return the computers and data storage devices. [Ars Technica] [BBC]

WW – New Level of Encryption Boosts Browsing Privacy

CloudFlare is deploying a new level of encryption to improve the security, privacy and speed of its websites. ChaCha20-Poly1305, as it’s called, was formerly used only by Google, but all CloudFlare websites now support the new algorithm, the report states. At the moment, about 10% of CloudFlare HTTPS website connections are using it. The algorithm also protects TLS against cyber-attackers inserting fake messages into secure streams. [ZDNet]

EU Developments

EU – Italian DPA to Audit Google on U.S. Soil

Google will be the subject of regular checks by the Italian Data Protection Authority (DPA) to monitor the status of its actions to bring its platform into line with domestic legislation. Italy’s DPA approved the verification protocol referred to in its order of July 2014 to Mountain View. The protocol envisages quarterly updates on progress status and empowers the DPA to carry out on-the-spot checks at Google’s U.S. headquarters to verify whether the measures being implemented are in compliance with Italian law. Is allowing a DPA onto foreign soil for spot checks a sovereignty issue? Without commenting on the Google case specifically, Hunton & Williams’ Lisa Sotto wondered “how welcome the FTC would be if the commission sought to audit Banca d’Italia in Rome. Of course, companies can voluntarily agree to DPA visits, but there certainly would be significant and complex jurisdictional questions should a foreign DPA seek to compel an audit in another country without the agreement of the company.” [Full Story]

EU – Report: Facebook Privacy Policy Still Violates EU Law

A report from the Belgian Privacy Commission says Facebook is acting in violation of European law, despite updating its privacy policy. The study, which was conducted by the Centre of Interdisciplinary Law and ICT at the University of Leuven in Belgium, found Facebook’s privacy policy update last month “only expanded older policy and practices” and still violates EU consumer protection law. The authors said Facebook’s policies on profiling for third-party advertising don’t meet the requirements for legally valid consent and the social network “fails to offer adequate control mechanisms” for the use of user-generated content for commercial purposes. [The Guardian] [WSJ: The Sharpest Jabs From the Facebook Privacy Report] The 61-page “critical analysis” of Facebook’s revised policies says the social network fools its users into thinking they have more control over data and privacy than they actually do. Facebook says it has made its rules clearer and that it is confident it complies with all laws.

UK – ICO Fines Travel Insurance Company Over Breach

The UK Information Commissioner’s Office (ICO) has fined travel insurance company Staysure GBP 175,000 (US $270,000) for lax website security that resulted in 100,000 payment cards being compromised. Of those, about 5,000 were used fraudulently. The breach occurred in October 2013. The ICO’s ensuing investigation focused on Staysure’s lack of effective IT update policies in place at the time. Staysure says it has improved its security posture. [v3.co.uk]

EU – New EU Privacy Rules to Allow Challenges to Irish Regulator

Under a “one-stop-shop” mechanism initially proposed in reforms of EU data protection laws, businesses operating across the 28-nation bloc would only have had to deal with the data protection authority in the country where they are headquartered or have their main European base – even if the alleged mishandling of data affects citizens in another country. But opposition from some member states that do not want their national regulators to lose policing powers over multinationals such as Google, with an Irish base, led to the proposal being altered so that any “concerned” authority could object to a decision. …A majority of member states agreed to scrap an option requiring at least a third of concerned authorities to object, diplomats said, potentially giving a single “concerned” authority the right to complain. [Source]

EU – Regulation May Be Moving Away from One-Stop-Shop Mechanism

“Ireland will not retain sole control over privacy disputes involving companies such as Facebook and Apple under new rules agreed allowing any of its European peers to challenge Irish rulings.” Had a proposed one-stop-shop mechanism been approved, businesses operating in the EU would only have dealt with the regulator where they have they primary European base. But, according to anonymous sources, member states that did not want their regulators to lose policing powers over multinationals pushed for a change allowing any concerned authority to object to a decision, triggering the intervention of the still-to-come European Data Protection Board, the report states. Ministers still have to sign off on Wednesday’s decision when they meet next month. General Data Protection Regulation may be moving away from a one-stop-shop mechanism]

US – U.S. Companies Better Work Harder at Data Protection

European Commissioner for Digital Economy and Society Günther Oettinger said the EU should create a single law to protect its citizens’ data from Facebook and Google. “Americans are in the lead. They have the data, the business models and the power,” Oettinger said. “They come along with their electronic vacuum cleaner and suck up all the data, take it back to California, process it and sell it as a service for money,” Oettinger said. He warned tech giants must do more to comply with the EU’s strict data protection rules or face being “thrown out of the single market.” [USA Today]

UK – First Data the First With Double BCRs Through ICO

U.S.-based First Data began its effort to win approval for its binding corporate rules (BCRs) in 2007, back when the process was young and still evolving. This month, the UK Information Commissioner’s Office (ICO) officially recognized the multinational payment solutions company’s BCRs for data processors. Now able to boast that it’s been approved for both processors and controllers, First Data is also the first company to have done so under the purview of the ICO. [Full Story]

EU – The European Union and State Secrets:

Many LIBE members have considered this statement quite appalling because it allowed the US authorities to be the arbiters of whether or not the Ombudsman may exercise her statutory, democratic power to inspect the document at issue in conformity with EU law. It is worth recalling that art. 3 par. 2 of the Ombusdman statute states that: “The Community institutions and bodies shall be obliged to supply the Ombudsman with any information he has requested from them and give him access to the files concerned. Access to classified information or documents, in particular to sensitive documents within the meaning of Article 9 of Regulation (EC) No 1049/2001, shall be subject to compliance with the rules on security of the Community institution or body concerned.” [Source] IT World: Citing “leaked documents,” civil liberties groups are warning that the EU’s proposed data protection reform is “badly broken.”

Facts & Stats

US – Breach Detection Time is Decreasing

According to FireEye, the time it takes for breaches to be detected is dropping. The median time for breach detection was 205 days in 2014, down from 229 days in 2013 and 243 days in 2012. Less than one-third of breaches were detected by the organizations themselves. The FBI has been notifying companies of activity suggesting that their systems have been compromised. [eWeek]

WW – Cyber Attack Risk Requires $1 Billion Insurance Coverage, Per Company

Companies will need as much as $1bn in cyber insurance coverage as the costs of hacking attacks mount, but some businesses are struggling to secure even a tenth of that. US retailer Target said in November that the price tag for the data breach that affected up to 110m of its customers had reached $248m. [FT.com]


US – Reddit Privacy Policy Bans Involuntary Pornography

Reddit has announced new changes to its privacy policy to help curb so-called revenge porn posts. Moving forward, the posting of images or videos of individuals “in a state of nudity or engaged in any act of sexual conduct” will require prior consent from the individuals in the images. “We also recognize that violent personalized images are a form of harassment that we do not tolerate, and we will remove them when notified,” team Reddit wrote. Meanwhile, Craig Brittain, whose revenge porn website was ordered shut down by the U.S. Federal Trade Commission (FTC), is demanding that Google remove search links and any of his “identity-related information” tied to news accounts of the FTC’s actions. [The Washington Post]


US – TurboTax Blocks Filing of State Returns Not Linked to Federal Returns

TurboTax maker Intuit attributes the recent spike in fraudulent electronic state tax returns to the US Internal Revenue Service’s (IRS’s) improved detection of fraudulent returns at the federal level. TurboTax suspended state tax filings earlier in February because of the high number of reports of fraud; some states have seen a rise in fraudulent tax returns of 3,700 percent. While the IRS has been sharing information about fraudulent returns with state revenue departments, in all but four states, residents may file “unlinked” state returns, meaning they may file a state return without filing a federal return at the same time. TurboTax now blocks users from filing unlinked returns with its software. [Krebs]


WW – Citizenfour Wins Oscar for Best Documentary

A film on Edward Snowden’s efforts to disclose NSA spy programs won an Academy Award last night for Best Documentary. Laura Poitras was present with a camera when Snowden first met investigative journalist Glenn Greenwald and others and documented the tense days leading up to the release to the media of NSA programs such as PRISM and Snowden’s attempts to find asylum. Poitras, together with Greenwald, Mathilde Bonnefoy, Dirk Wilutzky and Laura Mills—Snowden’s girlfriend—accepted the award Sunday night. Snowden released a statement congratulating Poitras for the win. [Full Story]


US – Police Generate Facial Characteristics from Crime Scene DNA

Technology allows crime scene investigators to generate digital facial sketches of suspects from crime scene DNA. Investigators in South Carolina released the digital sketch last month, and according to the report, “It may be the first time a suspect’s face has been put before the public in this way, but it will not be the last.” Additionally, future projects aim to match faces generated from DNA to mug shots in databases. “This is another of these areas where the technology is ahead of the popular debate and discussion,” said New York University Prof. Erin Murphy. [The New York Times]

US – 23andMe Names Kate Black as CPO

Personal genetics company 23andMe has appointed IAPP member Kate Black its privacy officer and corporate counsel. Prior to joining 23andMe, Black worked for the Office of the National Coordinator for Health Information Technology at the Department of Health and Human Services, and she’s served as health privacy counsel for the Center for Democracy & Technology. “The potential impact that 23andMe can have on both individual health and the entire healthcare industry is profound,” Black said. “In appropriately leveraging the 23andMe database, we can significantly advance healthcare delivery, but we will not succeed unless we approach it with the utmost concern about protecting customer privacy and building customer trust.” [Source]

Health / Medical

CA – Patients Can Sue Hospitals for Invasion of Privacy, Appeal Court Rules

The ruling upheld an earlier decision that said the province’s health privacy laws do not bar patients from seeking legal action against hospitals if their privacy is breached. This week’s ruling could have sweeping implications for the province’s 155 hospitals as it has given the green light to a multimillion-dollar privacy class action launched against Peterborough Regional Health Centre. [Source]

US – Study Finds Many Health-Related Searches Are Being Tracked

According to the Pew Internet Project, 72% of U.S. Internet users look up health-related information online, but “an astonishing number of the pages we visit to learn about private health concerns-confidentially, we assume-are tracking our queries.” In 2014, a researcher at the University of Pennsylvania created software to analyze the top 50 search results for nearly 2,000 common diseases and found 91% of the pages were “passing your request for information about the disease along to one or more (and often many, many more) other corporations.” About 70% of the time, data transmitted “contained information exposing specific conditions, treatments and diseases,” the report states. [Motherboard] [Study questions claims that browsing data is anonymous] [How 9/10 Healthcare Pages Leak Private Data]

US – Medical Identity Theft on the Rise

According to a study from the Ponemon Institute, medical identity theft increased by 22% in 2014. An estimated 2.3 million adults in the US and their close family members have had their medical information stolen. The study does not include data from the Anthem breach, which was only recently disclosed. [NBC News]

US – In LabMD FTC Trial, Judge Allows Some Congressional Evidence

The latest developments in the FTC data security case against LabMD include an administrative judge ruling that allows consideration of two letters from the U.S. House Committee on Oversight and Government Reform . Both letters were sent to FTC Chairwoman Edith Ramirez, and in one, findings from a congressional investigation raise questions about the role security firm Tiversa played in the case. LabMD’s position is that Tiversa caused the breach so that it could charge LabMD to repair the damage. Tiversa CEO Robert Boback said, “Frankly, the trial is between FTC and LabMD and should not even include Tiversa,” adding, “In my opinion, LabMD and/or its counsel has gone to great lengths to try to drag Tiversa into this while impugning our character and reputation.” The FTC administrative hearing is set for March 3. [Healthcare Info Security]

US – Despite Significant Breaches, Subsequent Fines Are Few

While regulators say they’re cracking down on insurers, hospitals and doctors’ offices that don’t adequately protect the security and privacy of medical records, the data on enforcement tells a different story. Since October 2009, healthcare organizations have reported more than 1,140 large breaches affecting more than 41 million people to the Office for Civil Rights (OCR). In addition, 120,000 smaller breaches have been reported. The OCR has the authority to fine organizations up to $1.5 million per violation, but some say the agency isn’t flexing its muscles enough. It took the OCR five years, for example, to fine Parkview Health System $800,000 for its breach. Adam Greene, a former OCR official, said the office is “overwhelmed.” [ProPublica]

Horror Stories

US – Target Breach Cost $162 Million; Sony Fights for Coverage

Target has announced the total cost of the massive data breach that hit its systems late in 2013 has reached $162 million. Target said the number would have been higher if it did not have cyber-insurance coverage. In separate news, Sony has asked a New York state appeals court to reverse a “landmark” ruling that freed several insurance companies from covering the Sony PlayStation breach from 2011. [v3.co.uk]

WW – Gemalto Admits Breach, Says SIM-card Encryption Keys Not Stolen

SIM-card maker Gemalto says that it appears that US and UK intelligence agencies did breach its systems, but denies that the cards’ encryption keys were stolen. Gemalto says that after looking at the information released in the document, it is likely that two attacks that occurred in 2010 and 2011 were the work of the intelligence agencies. Gemalto says those attacks penetrated only portions of its networks that do not contain cryptographic keys information. [WIRED] [BBC]

US – Gemalto Shares Findings of NSA, GCHQ Hacking Investigation

Following recent news that the U.S. NSA and the UK Government Communications Headquarters (GCHQ) infiltrated and stole the encryption keys of the world’s largest SIM card manufacturer, Gemalto has released its findings of the incident. According to a Gemalto press release, the company has “reasonable grounds to believe that an operation by NSA and GCHQ probably happened,” but the hack was limited to office networks “and could not have resulted in a massive theft of SIM encryption keys.” Additionally, “intelligence services would only be able to spy on communications on second generation 2G mobile networks” and that 3G and 4G networks “are not vulnerable to this type of attack.” [Full Story]

US – LinkedIn Settles Password Security Class-Action

LinkedIn has settled a class-action lawsuit alleging it falsely assured 800,000 users who paid for its premium service that it had strong security measures to protect their personal information. In June 2012, a file containing 6.5 million encoded LinkedIn user passwords was posted on a Russian hacker site, and because the passwords were protected with a weak form of security, hackers could easily decode them. While there was no indication the breach affected the LinkedIn users who were paying a subscription fee for extra services, the users said the company deceived them about its level of Internet security, the report states. The settlement fund is for $1.25 million. [The New York Times]

US – Judge May Side With Hulu in VPPA Case

In a potentially precedent-setting case , U.S. Magistrate Judge Laurel Beeler said at a hearing that she will likely side with online streaming service Hulu in a case that claims the company violated the Video Privacy Protection Act (VPPA). Referencing the case involving Judge Robert Bork’s video rental history following his Supreme Court nomination, Beeler said, “It just doesn’t feel like the Bork transmission of personal information.” Plaintiff counsel Scott Kamber countered by saying, “We believe strongly that if this case does not show knowledge in the situation, that one cannot make a reasonable inference of knowledge from documents presented to the court there can never be a VPPA violation in the realm of the Internet … That may sound bombastic, but I think there is clearly a Judge Bork disclosure here.” [Courthouse News Service] [History][US Courts Continue To Find That Unique Device Identifiers Are Not Personally Identifiable Information (PII) Under The Video Privacy Protection Act (VPPA)  ]

WW – Lenovo Under Fire for Default Adware Installation

Security researchers uncovered software preinstalled on Lenovo computers that injects advertising into websites on browsers and installs a self-generated root certificate that essentially acts as a man-in-the-middle attack to create ads on encrypted HTTPS websites. An array of information security experts see the Superfish adware as “a weakness that hackers could potentially use to steal sensitive data like banking credentials or just observe your web surfing activities.” The Superfish software has been shipping on Lenovo computers since mid-2014 and by January of this year, Lenovo said it was removing Superfish due to unspecified “issues.” A Lenovo representative said the company is “thoroughly investigating all and any new concerns raised regarding Superfish.” [PC World]

WW – Lenovo Laptops Shipped with Adware and Persistent Vulnerability

Lenovo has been shipping laptops loaded with Superfish, adware designed to steal Internet traffic. Superfish is designed to “help users find and discover products visually.” It also injects ads into web pages. Superfish hijacks encrypted web sessions, and could easily be misused to conduct man-in-the-middle attacks. Lenovo has stopped including Superfish on its new machines. [Ars Technica] [Forbes] [ZDNet] [BBC] [The Register] [Lenovo]

WW — Lenovo Releases Superfish Removal Tool

Lenovo has released a tool that removes the malicious adware known as Superfish that cane pre-installed on some of its laptops. Lenovo also says it is working with McAfee and Microsoft to automatically quarantine or remove Superfish and the certificate from computers of users who do not know about the issue. McAfee and Microsoft products come factory installed on Lenovo devices; the security community has been calling on Lenovo and others to stop the practice of adding “bloatware.” [ComputerWorld] [v3.co.uk]

WW – Fallout from Lenovo Adware Installation Continues

The security community remains up in arms about Lenovo’s decision to install Superfish software—essentially undermining HTTPS encryption without the user knowing—into a commercial line of its computers. In a column for Slate, David Auerbach railed against the company, saying it “betrayed its customers and sold out their security.” Security researcher Marc Rogers said the move is “quite possibly the single worst thing I have seen a manufacturer do to its customer base.” In a blog post, Center for Democracy & Technology’s Justin Brookman wrote , “The law is far from settled, but I believe that absent very clear disclosure to users, breaking encryption likely violates—at the very least—consumer protection law that prohibits deceptive and unfair business practices.” [Full Story]

WW – Mozilla Updates Firefox to Remove Superfish Certificate

A Firefox update released on Friday, February 27, scrubs the Superfish self-signed certificate from the browser. Mozilla released the hotfix to detect whether Superfish has been removed from browsers; if it has been removed, the certificate is removed as well. If Superfish is still installed, the certificate is left in place, as removing it would prevent users from accessing HTTPS websites. [ComputerWorld]

US – Revenge Porn “King” Gets Jail Sentence

Prof. Danielle Citron reports on the latest in the trial against so-called revenge porn “king” Hunter Moore and how he will face jail time for his role illicitly obtaining and posting nude photos of women without their consent. On Wednesday, Moore entered into a plea agreement with the U.S. Attorney’s Office of the Central District of California, which includes aiding and abetting hacking and aggravated identity theft. “Unless he backs out of his guilty plea,” Citron notes, “Moore is going to serve jail time.” He is next expected in court on February 25, while his co-defendant is set to go to trial in March. [Forbes]

US – Uber Reports Breach Affecting 50,000 Drivers

Uber has reported it discovered one of its databases had a point-of-entry for unauthorized users. A “one-time unauthorized access to an Uber database by a third party” occurred on May 13, 2014, the company said in a statement last week. The database contained driver names and license numbers. The breach impacted approximately 50,000 drivers across multiple states, according to Uber’s managing counsel of data privacy, who added Uber hasn’t received any reports of identity theft. The company is alerting affected drivers and offering them one year of identity monitoring and has filed a “John Doe” lawsuit in an effort to reveal the responsible party. [Ars Technica] [ZDNet] [ComputerWorld] [SC Magazine] [Uber Statement]

US – Police Pay Ransomware Demand in Bitcoins

A suburban Chicago police department paid US $500 in bitcoins to cyber criminals who locked up the department’s computer system with ransomware. Last month, someone in the department opened an email containing Cryptoware malware. [Ars Technica]

EU – Dutch Semi-Conductor Company Admits Breach

Dutch computer chip company ASML has acknowledged that its systems were breached. According to a statement, ASML detected the breach shortly after it occurred. [The Register] [Dutch News]

US – Anthem Says Database Breach Affected 78.8 Million Records

Anthem now says that the breach of its database affected 78.8 million records. Of those, 14 million are incomplete, meaning they lack sufficient information to link them to members. [ComputerWorld] [Numbers broken down by state based on information available]

US – Anthem Breach Affected Some Non-Anthem Customers

The Anthem data security breach reportedly affected some US federal employees who were not Anthem customers. Anthem has not said how many federal employees were affected by the breach. [NextGov]

US – FBI is Close to Identifying Anthem Attack Culprit

The FBI says that it is “close” to identifying the parties responsible for the Anthem breach, but will not disclose the information until it is “absolutely sure.” [ZDNet] [Bloomberg] [The Hill]

US – National Archives Breached

Meanwhile, law enforcement is investigating a potential intrusion into the National Archives. According to The Hill , “A data breach at the National Archives could endanger the personal information of former high-ranking administration officials and family members of former presidents.”

Identity Issues

WW – El Emam Disputes the Shopping Mall Re-identification Study

Science magazine recently dedicated an entire issue to the alleged “death of privacy” and included a study on the re-identification of shoppers who made credit card purchases. One of the study’s key conclusions is that by using only four transactions, 90% of the 1.1 million individuals studied could be re-identified. “This conclusion has then been repeated uncritically by the science and general media communities,” writes Privacy Analytics CEO Khaled El Emam. In this post for Privacy Tech, El Emam critiques the researchers’ conclusions to make the case for a responsible data sharing future. [Full Story]

UK – Scottish Plans for Central Identity Database Spark Privacy Criticism

Campaigners alarmed after ministers quietly publish plans they say echo doomed ID card scheme. Critics claim the plans for the wholesale use in Scotland of the unique citizen reference number (UCRN) were extremely similar to the national ID card proposals by the UK Labour government, which were dropped on privacy and civil rights grounds after the coalition took office in 2010. … The Scottish Council for Voluntary Organisations (SCVO), the umbrella group for Scotland’s charities, said it would be pressing the first minister, Nicola Sturgeon, to abandon the proposals. It raised the very real risk of a massive data breach if an official lost a laptop or a database was hacked, undermining trust in public services, said Ruchir Shah, SCVO’s head of policy and research. [Source]

Internet / WWW

WW – New CAPTCHA Alternative Could Hurt User Privacy

A new alternative to CAPTCHAs, an anti-SPAM log-in to prove a user is not a robot, may collect personal information from its users. In December, Google launched the “No Captcha ReCAPTCHA” to verify a human user by analyzing behavior of the mouse’s movement and the way a user types. Device recognition company AdTruth, however, claims it has evidence the new service collects more information than mouse coordinates and has the potential to share user behavior with advertisers. According to the report, the new program collects personally identifiable information. [Business Insider]


US – Company Using Drones to Track Cell Location for Ads

One company is flying small drones over the San Fernando Valley in Los Angeles, CA, in order to determine cell-phone locations for targeted advertising. The small, unmanned aerial vehicles apparently are determining cell-phone location by “WiFi and cellular transmission signals.” The move is part of an experiment by Singapore-based location-marketing firm Adnear. Smriti Kataria, Adnear’s director of marketing and research, said the devices do not collect conversations or personally identifiable information but rather use cell-phone triangulation and signal strength to determine location. According to the report, “A mobile user needs to have an app open that is transmitting via cellular or WiFi for this mapping to occur.” [VentureBeat]

US – First Lady’s Location Leaked Via Instagram Feed

First Lady Michelle Obama’s Instagram feed is leaking details about her location or that of her staff. The account’s manager has opted into also sharing their location, and that data can reveal details right down to the building “where someone was located when they uploaded a picture to the service.” A picture of a Christmas tree coming into the White House was posted from outside of Allentown, PA, for example. “Politicians’ locations when they post Instagram pictures became an item of interest after the Press this week found that Rep. Aaron Schock (R-IL) was using taxpayer and campaign money to fly on private jets by examining the locations leaked through his Instagram account,” the report states. [The Hill]

US – How Journalists Use Time, Location in Public Posts to Get Stories

Investigative journalism publications use public posts on Instagram to find leads for stories. In one such story, a reporter wrote about a weekend getaway attended by new House Financial Services Committee Chairman Jeb Hensarling (R-TX) and banking industry officials. The reporter found out who was attending the getaway by using one banking lobbyist’s public Instagram post and looking at the time and location. Though Instagram has no search function, it does have an application programming interface with a “Media Search” endpoint “that returns data both by timeframe and distance from a certain latitude and longitude,” the report states. [ProPublica]


HK – Hong Kong Puts Restrictions on Cross-Border Transfers

Taking a step closer to following the EU restrictions on oversees data transfers, the Hong Kong Privacy Commissioner for Personal Data recently issued “Guidance on Personal Data Protection in Cross-border Data Transfer.” While the guidance doesn’t impose any new limitations or obligations on personal data transfers out of Hong Kong, it appears to be a harbinger of transfer restrictions coming into force in the near future, report Dana Post and Victoria White in this exclusive for The Privacy Advisor. [Full Story]

BR – Draft Bill for a Personal Data Protection Law

The Ministry of Justice of Brazil recently opened two public consultations, one on the Marco Civil da Internet and the other on the Draft Bill for a Personal Data Protection Law (APL). Gustavo Artese offers an outline of the draft APL presented, saying, “much of the protection regime foreseen by the APL has been inspired by … the EU proposed regulation.” Similarities occur specifically in its definition of personally identifiable information, the rights of data subjects and the principles of data processing. Uncertainties remain, however, “as to whether a supervisory authority will be created.” [Full Story]

Online Privacy

WW – Chrome Will Warn Users When They Try to Visit Sketchy Sites

Google’s Chrome browser will warn users when they try to visit sites that may harm their computers through surreptitiously changing the browser’s home page or placing certain ads on pages. The warning will appear before the domain is displayed. Google is also taking steps to minimize the presence of deceptive sites in search results. [The Register] [ComputerWorld]

US – NAI: No One Should Be Outed By Ads

While court decisions and legislation have produced significant gains for the lesbian, gay, bisexual and transgendered (LGBT) community, prejudices remain and, too often, the LGBT community is “confronted with serious discrimination,” Network Advertising Initiative (NAI) President and CEO Marc Groman, writes in this post for Privacy Perspectives . He notes the NAI’s update to its Self-Regulatory Code of Conduct in 2013 included the addition of sexual orientation as sensitive information, prohibiting NAI members from creating audience segments or interest categories for interest-based advertising “based on an individual’s status or perceived status as LGBT without obtaining opt-in consent.” Groman writes that “this practice was the right thing to do for consumer trust and privacy … This is how self-regulation is supposed to work.” [Full Story] [NAI Appoints Leigh Freund New President and CEO]

US – Can Intellectual Privacy Survive in the Digital Age?

Evan Selinger talks to Washington University Prof. Neil Richards about his new book, Intellectual Privacy: Rethinking Civil Liberties in the Digital Age. Richards says intellectual privacy “is about needing to have protections from being watched and interfered with when we’re making up our minds about the world-when we’re reading, surfing the web, talking on the phone and sending email to confidants.” Richards adds our intellectual property and, therefore, our free society are currently being threatened because “companies and the government have so much control over our intimate information that people live in a state of perpetual uncertainty and sometimes fear.” [The Christian Science Monitor]

US – Koppie Koppie Puts Your Child’s Photo Up for Sale

In a translated post for, Dimitri Tokmetzis discusses an experiment conducted with designer Yuri Veerman called Koppie Koppie. The online store sells mugs with photos of children Tokmetzis and Veerman legally collected off Flickr. They put the images on coffee mugs and then sell them in their store, Koppie Koppie. “Aren’t we violating the privacy of these children and their families by commercializing these intimate family moments?” Tokmetzis asks, adding, “We share your concern.” He describes three ways people’s privacy is being violated by their commercial venture, including the lack of user control over personal information, lack of confidentiality and lack of privacy in context. [Medium] [Koppie Koppie sells photos of your kids to prove you shouldn’t post them online]

US – Spotify Log-In Requirements Mean “Enormous” Data Insights

At a recent conference in California, Spotify’s Brian Benedik discussed the amount of data the company collects on its users. Because of its requirement that every user, paying or non-paying, sign in to use the service, the company collects an “enormous amount of data on what people are listening to, where and in what context. It really gives us an insight into what these people are doing,” Benedik said. Because users register both directly through the site and via Facebook logins, Spotify knows a lot about users’ age, gender and location, he added. [Full Story]

US – Behind the Scenes With the New DAA AppChoices Program

The Digital Advertising Alliance has announced an extension of its AdChoices program beyond the desktop. AppChoices, an app consumers can download (with an attendant web page), allows consumers, for example, to choose not to allow advertisers to target them based on their location on mobile devices like phones and tablets. Now, why would a company like xAd, whose very business model involves targeting consumers by location, want to participate in such a program? [FPrivacy Advisor]

US – Case Against Pandora’s Facebook Integration Could Go to Highest Court

Michigan resident Peter Deacon is appealing a 2012 ruling issued by U.S. District Court Judge Saundra Brown Armstrong dismissing his potential class-action lawsuit against Pandora. In 2011, Deacon alleged Pandora’s integration with Facebook violated Michigan’s Video Rental Privacy Act, which prohibits companies that rent, lend or sell music from disclosing customers’ identities without their consent. A lawyer for Deacon told an appeals court this week that the pro-Pandora decision “guts the protections” lawmakers intended for consumers. Some of the judges’ questions in court suggest the matter could be sent to the Michigan Supreme Court, the report states. [MediaPost ]

Other Jurisdictions

Privacy (US)

US – White House Releases Draft of Consumer Privacy Bill

Companies are also required to take “reasonable steps” to mitigate privacy risks and make them clear to users, and the FTC will need to establish rules for privacy reviews. If a company violates the terms of the act, it’s subject to lawsuits from the FTC, users, and state attorneys general. The bill creates exemptions for small operators, including people who process data for 10,000 or fewer people a year or have no more than five employees, which the White House says can ease the burden for small businesses. [The Verge] [Initial Thoughts on Obama Administration’s “Privacy Bill of Rights” Proposal]

US – Court Case Could Set Precedent on Breach Coverage

An upcoming decision from the Connecticut Supreme Court could set a new precedent for data breach insurance coverage litigation. The case involves a dispute over the exposed sensitive personal information of 500,000 IBM employees. An appellate court had ruled to nix the coverage of more than $6 million in losses in a 2007 data breach incident. According to the report, the high court is expected to rule on what constitutes a “publication” that triggers data breach coverage with data that is compromised, effectively “reshaping” how such cases are litigated. [Law360]

US – FTC Eyes Privacy Issues in Merger Reviews

The head of the FTC Bureau of Competition has said the agency could expand its coverage of merger reviews to include privacy issues. The expansion is seen, in part, as a result of companies competing on privacy. FTC Bureau of Competition Director Deborah L. Feinstein made the remarks at a conference held by BakerHostetler. “Privacy could be a form of non-price competition important to customers,” Feinstein said. [Law360]

US – YouTube Kids Could Raise COPPA Questions;

Google has announced the much-anticipated release of a child-friendly YouTube service, YouTube Kids, reports. “The app will no doubt be analyzed for its safety, and-as with any issue regarding children and the Internet-it calls up issues of compliance with the Children’s Online Privacy Protection Act,” the report states. [Inside Counsel]

US – Plaintiffs Appeal Nick.com Decision

Representatives of a group of young children are appealing a judge’s decision to dismiss a lawsuit accusing Google and Viacom of violating a federal video privacy law. The suit “centers on allegations that Viacom allows Google to set tracking cookies on the kids’ site Nick.com,” the report states.

US – Clapper v. Amnesty International’s Impact on the Harm Threshold

“Amid the storm of cybersecurity incidents in the last year, plaintiffs still face an uphill battle convincing courts that they suffered actual-and not hypothetical-harm from data breaches,” Cheryl Howard and Dana Post write. “In several recent decisions, however, courts have found that plaintiffs alleging future harm had adequately pleaded Article III standing, giving renewed vigor to data breach cases.” Howard and Post consider the Supreme Court’s 2013 ruling in Clapper v. Amnesty International—that Article III standing requires threatened injury must “be certainly impending to constitute an injury in fact”-and the case’s implications. [Full Story]

US – CDT Launches Breach Notification Multi-Stakeholder Effort

CDT has announced it is launching a multi-stakeholder effort to find innovative solutions to data breach issues. The Common Ground Data Breach Forum will first meet on March 17 and brings together leaders from the CDT’s Internet Privacy Working Group and the Digital Privacy & Security Working Group. The announcement comes a week after the CDT and law firm Jones Day brought together representatives from government, industry and nonprofit organizations. [Full Story]

US – Judges, FTC Commissioners to Discuss Section 5 Use

BakerHostetler will host current and former commissioners from the FTC and decision-makers from three branches of government to discuss the FTC’s use of Section 5 in antitrust and consumer protection enforcement actions. The Section 5 Symposium will be held in Washington, DC, and will also be webcast. Symposium topics include the origins, past and present use and future parameters of Section 5 as an enforcement vehicle, and it will feature FTC Commissioners Joshua Wright and Maureen Ohlhausen. Other panelists include The Hons. Douglas Ginsburg, William Kovacic and Terry Calvani and the FTC’s Jessica Rich. [Full Story]

US – DoE Releases Model Terms of Service, Training Video

The Department of Education’s Privacy Technical Assistance Center released a “Model Terms of Service” document to assist school districts in complying with the “Requirements and Best Practices“ document the department released in February 2014. It contains, significantly, a table of definitions that “cannot or should not be included in TOS” by education technology providers. Concurrently, the department released a video for schools and districts to use on in-service days and in other training environments to educate educators about privacy issues and their responsibilities with student data. [Full Story]

US – Other Privacy News

Privacy Enhancing Technologies (PETs)

WW – Silent Circle Set for “World’s First” Privacy Ecosystem

Privacy-enhancing technology provider Silent Circle is set to unveil the “world’s first privacy ecosystem” together with new devices, software and services at the upcoming Mobile World Congress in Spain. Silent Circle has raised nearly $50 million in a funding round, noting there’s a “strong demand” to keep communications private. Cofounder and Executive Chairman Mike Janke said Silent Circle has “created an integrated suite of secure enterprise communication products that are challenging the status quo.” Silent Circle President and CEO Bill Conner said, “As the nature and volume of data breaches increase, institutional trust is eroding … In short, in a post-Sony and Gemalto world, security breaches have been made both enterprise and personal so it’s no longer an issue affecting just the boardroom.” [ZDNet]

US – CDD Says Call for Drone Multi-stakeholder Approach Misguided

Privacy advocacy group the Center for Digital Democracy (CDD) does not agree with President Barack Obama’s call for a multi-stakeholder approach for developing privacy codes of conduct for drone use. CDD Executive Director Jeffrey Chester said the multi-stakeholder approach “is practically a guarantee that either no rules will ever be written or, if they are, will favor the ubiquitous and always advancing big data-driven collection system already in place (across our devices, applications, etc.).” The National Telecommunications& Information Administration (NTIA) disagreed with Chester’s assessment. “NTIA’s multi-stakeholder meetings are open to anyone who wants to participate, and we encourage participation from a broad range of stakeholders including civil society,” an NTIA spokeswoman said. [Multichannel News]


WW – Physical Cookies Aim to Replicate Cookies, Eliminate Privacy Woes

A plastic RFID device called a “Physical Cookie” works just like online cookies, studying shoppers’ preferences and tailoring deals and messages accordingly. A mall in Finland recently offered targeted deals to shoppers who agreed to carry the “cookie.” Instead of logging users’ histories, though, Physical Cookies just looks at the time spent during mall shopping. Meanwhile, another tool called the Rately Merchant Platform “addresses privacy problems by not creating them in the first place,” Forbes reports . It allows consumers to opt in when visiting a website, tag items they’re interested in and, if they allow it, see promos based on those tags. But retailers don’t get data on the anonymized personas or see which in-browser notifications get clicked on. [Mashable]


US – NIST Budget Could Reach $1.1 Billion

The National Institute of Standards and Technology (NIST) could see a boost in its annual funding if President Barack Obama’s proposed budget is passed by Congress, Capital News Service reports. NIST could stand to gain an additional $225.8 million—for funding totaling $1.1 billion—if the budget is passed. The cybersecurity portion of NIST’s budget would gain an additional $7 million. Earlier this month, Rep. Elijah Cummings (D-MD) said, “Congress and the Executive Branch must do all we can to mitigate risks at federal agencies and ensure that American consumers are protected when they provide their personal information to private companies.” [Full Story]

WW – HP’s 2015 Cyber Risk Report Says Companies Not Patching Properly

Hewlett-Packard’s 2015 Cyber Risk Report, released on February 23, found that nearly 45% of breaches could be attributed to vulnerabilities for which patches have been available for two or more years. Of those unpatched flaws, server misconfigurations topped the list. [eWeek] [SC Magazine]

US – Teen Makes $15 Device, Hacks Connected Car

A 14-year-old has built an electronic remote communications device capable of connecting to and controlling a vehicle’s internal computer network by using $15 worth of parts. A number of automotive executives expressed their surprise at a Center for Automotive Research conference last week. The teen, along with 30 others ranging from high school students to PhD candidates, were taking part in the third annual Battelle CyberAuto Challenge. Though the event happened last summer, a recent report on the security vulnerabilities of connected cars by Sen. Edward Markey (D-MA) has brought the issue back into the spotlight. Delphi Automotive Chief Technologist Andrew Brown, Jr., said the hack “was mind-blowing.” The lead scientist for the auto challenge said the event intends to keep the auto industry “on its toes.” [PCWorld]

US – NIST’s Risk Management for Replication Devices

The US National Institute of Standards and Technology (NIST) has released an internal report titled Risk Management for Replication Devices, which include copiers, printers, and scanners. Among the issues that need to be addressed are unchanged default passwords, data that are stored and transmitted without encryption, and unpatched or outdated operating systems and firmware. [GCN]

US – ‘Breakthrough’ NSA Spyware Shows Deep Grasp of Makers’ Hard Drives

‘All-powerful’ spyware on hard drives an unprecedented technique, experts say. The U.S. National Security Agency reportedly figured out how to conceal spyware in hard drives years ago, according to former operatives, who say a new Kaspersky Lab cybersecurity report analyzing the espionage operation is correct. Tom Keenan, a cybersecurity expert and fellow at the Canadian Defence and Foreign Affairs Institute, explains that malware hidden on firmware would be nearly impossible to detect. “There’s no anti-virus program, no software that can protect you from someone who’s going to attack your firmware because all those programs have to talk to the firmware, and the firmware is doing what it pleases” [CBC] [Russian Researchers Expose Breakthrough in U.S. Spying Program]


WW – Google: FBI’s Expanded Surveillance Plan Seriously Violates Constitution

Google is warning that the government’s quiet plan to expand the FBI’s authority to remotely access computer files is a “monumental constitutional concern.” Google submitted public comments earlier this week opposing a Justice Department proposal that would grant judges more leeway in how they can approve search warrants for electronic data, the report states. Google’s director for law enforcement and information security, Richard Salgado, said the plan “raises a number of monumental and highly complex constitutional, legal and geopolitical concerns that should be left to Congress to decide.” [National Journal]

US – TSA Rethinking Expanding Commercial Data-Mining Program

The Transportation Security Administration (TSA) is reassessing an expansion of its PreCheck program that would mine commercial data to analyze travelers. On February 7, the TSA “rescinded a December request for proposals asking vendors for solutions that would expand the PreCheck passenger screening program to collect publicly available and commercial data on potential participants,” the report states. Critics say such a process would do more than expand PreCheck, putting private companies “in charge of determining who poses a security threat to the traveling public.” The Center for Democracy & Technology’s Chris Calabrese said there’s no science indicating it’s even possible to data-mine to pick out terrorists. [Federal Times]

US – Jeb Bush Backs NSA’s Bulk Collection of Phone Data

Former Florida Governor and potential presidential candidate Jeb Bush has said he supports the U.S. NSA’s program that collects in bulk the phone metadata of U.S. citizens. “This is a hugely important program to use these technologies to keep us safe,” he said on Wednesday. “For the life of me, I don’t understand (how) the debate has gotten off track,” noting that following the program’s rules does “protect our civil liberties.” Bush’s stance on the controversial program is at odds with two other potential Republican presidential candidates, Sens. Rand Paul (R-KY) and Ted Cruz (R-TX). Bush made privacy news last week after he released a trove of unredacted emails while serving as governor from 1999 to 2007. [The Hill]

Telecom / TV

CN – China Removes Tech Companies from Approved for Government Use List

China has taken several high-profile US technology companies off its list of products approved for use by Chinese government agencies. The recently removed companies include Cisco, Apple, McAfee, and Citrix. The policy is seen as an attempt to boost Chinese use of its domestic technology, such as Huawei and ZTE. [BBC]

US – FCC Passes Net Neutrality Rules

The US FCC has passed net neutrality rules, which include reclassifying broadband as a telecommunications service; prohibiting broadband providers from throttling or speeding up connections for a fee; and prohibiting providers from making paid prioritization deals. The US Telecommunications Industry Association said to expect legal action from broadband providers. One of the demands from the Chinese government was for tech companies to surrender their encryption keys and subject their source code for inspection. [CS Monitor] [SC Magazine] [BBC]

WW – Malware Can Track Smartphones by Power Use

Researchers from Stanford University have discovered a vulnerability that would allow smartphone location tracking by how the phone’s power is used. Yan Michalevsky and a team said, “Our approach enables known route identification, real-time tracking and identification of a new route by only analyzing the phone’s power consumption.” A phone’s power usage depends on how far away it is from a base station. As a user moves, that power use changes in relation to a base station. The team’s work , the report states, demonstrates how easily privacy can be undermined and serves as “a warning that whatever steps are taken to protect personal data, there will always be ways that it can leak unexpectedly.” [MIT Technology Review]

US – ACLU Obtains Warrant Revealing FBI Knew Stingray Disrupted Devices

The US Justice Department has maintained that the secrecy surrounding stingray cell phone surveillance technology was necessary to prevent criminals from figuring out how to elude its reach. However, the American Civil Liberties Union (ACLU) recently obtained a warrant application for stingray use and found that the FBI has knows that stingrays can disrupt cellular service for all phones and mobile devices in the vicinity of the targeted device that use the same network. [WIRED] [WIRED] See also: [Senator Questions Stingray Use]

US – Advocates Hope Net Neutrality Will Be Privacy Win

The FCC made history on Thursday by classifying ISPs as public utilities. The vote was aimed at ensuring net neutrality, but the reclassification means the FCC will now have more oversight of privacy practices of ISPs, and privacy advocates say it also probably means better protections for consumers because it means ISPs “will now have to abide by a specific set of rules designed to protect the privacy of communications.” [The Washington Post]

UK – Parliament Wants Government to Classify Broadband as Utility

In a report titled Make or Break: The UK’s Digital Future, members of the UK’s House of Lords call on the government to reclassify Internet access as a public utility, ensuring that it is available to all citizens. The report also notes that the UK is lagging behind other countries with regard to high-speed Internet access, which could have a negative effect on the country’s international competitiveness. [Silicon Republic] [Ars Technica] [UK Parliament]

US Legislation

US – White House Privacy Bill Met With Criticism from All Sides

The White House released what it’s calling a “discussion draft“ of its Consumer Privacy Bill of Rights (CPBR) to “establish baseline protections for individual privacy in the commercial arena and to foster timely, flexible implementations of these protections through enforceable codes of conduct developed by diverse stakeholders.” Though the highly anticipated CPBR did receive some support, for the most part industry, lawmakers, regulators and privacy advocates all expressed concerns with the legislation. [Full Story]

US – Obama’s Personal Data Notification & Protection Act

The proposed legislation’s ultimate success likely will turn on whether both sides can reach agreement on a middle ground and recognize that neither businesses nor privacy advocates will be able to cherry-pick all of their favorite provisions from existing state laws and earlier federal proposals. The following is a brief analysis of the proposed bill’s key provisions. [Mondaq]

US – California May Limit Law Enforcement’s Warrantless Data Collection

SB 178, known as the Electronic Communications Privacy Act (or CalECPA, for short), curtails California’s law enforcement agencies ability to compel companies providing “electronic communications services” from producing “electronic communication information” without a warrant, a wiretap order, or a showing of exigent circumstances. It also limits law enforcements’ ability to conduct warrantless searches of mobile devices. [Source]

US – California Lawmakers Consider Drone Privacy Bill

Jackson has introduced SB 142, which she said would protect people from aerial invasions of privacy. “If you were to jump over your neighbor’s fence and stand in their yard recording what they had to say, that’s a trespass,” she said. “Why should it be any different with a drone?” [Legislation would apply trespass rules to the air]

US – Missouri Bill Would Keep Most Police Camera Footage from Public View

Taxpayers deserve to know how the police officers they fund behave. Yet Libla’s proposed legislation would make it prohibitively difficult for members of the public to view footage of police officers doing their job. Under Libla’s proposal, footage of serious police misconduct could be released by court order during an investigation. However, if implemented, the legislation would mean that in cases in which a victim of police abuse or misconduct is unwilling or unable to sue or press criminal charges, the relevant body camera footage would not be made public. Suing the government is an expensive and time-consuming endeavor with no guarantee of success. Many people who live paycheck to paycheck simply cannot afford a lawyer’s retainer for several thousand dollars to just get into the courtroom to ask for the video to be released. [Source]

US – Other Legislative News:

  1. Sens. Edward Markey (D-MA), Richard Blumenthal (D-CT), Sheldon Whitehouse (D-RI) and Al Franken (D-MN) have reintroduced the Data Broker Accountability and Transparency Act, which would allow consumers “to order the companies to stop using, sharing or selling data about them for marketing purposes.” [The Hill]
  2. The Christian Science Monitor’s Passcode offers an overview of new U.S. senators’ privacy stances going into the elections and how their commitment is shaping up now that they’re in office.
  3. Sen. Bob Menendez (D-NJ) and others are pushing a bill proposed last May that would “create a nationwide standard for data security and require companies to tell customers about data breaches within 60 days [The Jersey Journal]
  4. Indiana Attorney General Greg Zoeller met with the Federal Communications Commission to convince the agency to deny requests made by finance industry groups to weaken the Telephone Consumer Protection Act [WISHTV]
  5. JDSupra: drone bills in California and Florida.
  6. KFBK: a package of 10 privacy bills introduced, or soon to be, in the California legislature targeting connected cars, drones, infant DNA and more.
  7. Two bills in front of the Illinois Senate aim to put restrictions on the use of automated license-plate reader systems [The Tenther]
  8. New Hampshire’s House will vote on a student privacy bill this week that would prohibit schools from demanding access to students’ online accounts [NHPR]
  9. Oregon Attorney General Ellen Rosenblum has introduced the Oregon Student Information Protection Act, aiming to protect students’ personal and academic data while enabling innovation and research [Common Sense Media]
  10. The executive director of the ACLU of Virginia tells WDBJ about the Virginia General Assembly session that included a Stingray bill, a drone bill and a license-plate reader bill.
  11. A Virginia bill that started off requiring officials at state colleges and universities to notify parents when a student exhibits suicidal tendencies or behavior has passed with significant changes due to privacy concerns, among others. [The Daily Progress]
  12. Sen. Edward Markey (D-MA) and Rep. Peter Welch (D-VT) have proposed the Drone Aircraft Privacy and Transparency Act to protect individuals’ privacy in light of the expanded use of drones.
  13. The Arizona House approved a revised version of its “revenge porn” bill, but civil liberties advocates who sued to block the law said the changes don’t allay their concerns about the legislation. [Arizona Daily Star]
  14. The Arkansas House has passed a bill that would require employees of organizations that serve youth to “friend” their employers [The Huffington Post]
  15. California Sen. Mark Leno (D-San Francisco) introduced SB 576 that would require vendors to explain to consumers their location information practices upon installing a new app. [THE Journal]
  16. The Colorado Senate Education Committee unanimously approved a bill preventing the sharing or selling of personally identifiably student data by software, database and app companies, but added an amendment that may complicate the disclosure requirements. [Chalkbeat]
  17. The Colorado House Judiciary Committee has delayed a vote on a drone bill over concerns of how to prevent penalizing individuals for everyday photography [Associated Press]
  18. An Iowa Senate subcommittee has voted in support of a bill that includes provisions that would block the public from accessing gun permit-holders’ names. [WQAD]
  19. Missouri Rep. Diane Franklin (R-District 123) has introduced a bill that would require childcare centers to notify parents upon request of children in their care who haven’t been vaccinated. [HealthIT Security]
  20. Michigan’s House has delayed a bill that would require mobile phone providers to disclose to police without a warrant the location of a user that is believed to be in danger of harm. [MLive]
  21. New York Assemblyman Ed Braunstein (D-Queens) has proposed legislation that would make it a felony to film patients receiving medical treatment without prior consent. [ProPublica]
  22. Rhode Island is considering restricting government use of drones. [The Tenther]
  23. Texas Sen. Craig Estes (R-Wichita Falls) filed a bill to protect individuals’ location information from warrantless search and seizure. [Mineral Wells Index]
  24. A Utah House committee has approved a bill to restrict the collection and retention of student data by Utah schools. [The Salt Lake Tribune]


01-15 February 2015


WW – Facebook Rolls Out New Facial Recognition Technology

Facebook is rolling out a new facial recognition technology called “DeepFace,” which was developed for Facebook by an Israeli company it acquired in 2012. The technology can recognize a human face in a new photo by comparing it with a previously uploaded photo with 97.25% accuracy. The company tested the technology by having it match tagged photos with a database of more than four million images representing more than 4,000 different people. DeepFace is only available to some users thus far, and Facebook is allowing users to opt out if they wish by changing their privacy settings. [MediaPost] See also: [Biometric Update reports market research firm Goode Intelligence has published a whitepaper entitled The Impact of Privacy and Data Protection Legislation on Biometric Authentication].

US – Millions of DNA Samples Stored In Warehouse Worry Privacy Advocates

Privacy advocates are calling for more safeguards related to a state collection of DNA samples from 16 million Californians in a nondescript government warehouse in the Bay Area. The biobank holds blood taken with the prick of a heel from almost every baby born in California for the last three decades. It is used to screen for 80 health disorders, such as cystic fibrosis and sickle cell anemia. Unlike most states, California keeps the frozen samples indefinitely and shares them with genetic researchers, for a fee. State officials say the samples are secure and are used to save lives. But the privacy advocates and an influential state lawmaker, concerned about the potential misuse of DNA information, say parents and donors should have a clear choice about whether the state can keep theirs. [LA Times]

UK – 100 X Thousands of ‘Innocent People’ in Cop Photos Database

They include photos of [“hundreds of thousands” of] people never charged, or others cleared of an offence, and were uploaded without Home Office approval. Biometrics Commissioner Alastair MacGregor QC said he was concerned about the implications of the system for privacy and civil liberties. Speaking in his first interview, he said that police forces had begun setting up a searchable database of police mugshots last year, without telling either him or the Home Office. Almost every police force in England and Wales had now supplied photographs, he said. [‘Innocent people’ on police photos database]

Big Data

US – Podesta Shares Privacy Progress Report

John Podesta looks at big data and privacy in The White House Blog. “Today, we’re releasing an interim progress report detailing the progress we have made—and what we still have ahead,” he writes, discussing the commitment President Barack Obama has made “to ensure that student educational data is used only for educational purposes” and the administration’s work “with a bipartisan group of legislators “ that plans to introduce “legislation to fulfill that promise.” Podesta also discusses price discrimination and consumer protection. “Big data will continue to contribute to and shape our society, and the Obama administration will continue working to ensure that government and civil society strive to harness the power of these technologies while protecting privacy and preventing harmful outcomes,” he writes. [Full Story]

US – White House Releases Report on Differential Pricing

The Obama administration has released a 22-page report on big data and the issues around so-called price discrimination. “One of the many questions raised by big data is whether companies will use the information they harvest to more effectively charge different prices to different customers, a practice that economists call price discrimination,” the report states. The confluence of big data analysis and price differentiation has raised concerns, and “many companies already use big data for targeted marketing, and some are experimenting with personalized pricing,” the report states. It suggests many concerns “can be addressed by enforcing existing antidiscrimination, privacy and consumer protection laws” and calls for increased transparency on how consumer data is used and shared. [Full Story]

US – The Big Data Picture – Just How Anonymous Are “Anonymous” Records?

It’s vague enough that when the authors knew the details of any four transactions you’d made during the three month data period, as, for example, would any shop that you had visited four times, they had a chance lower than 15% of guessing which anonymous tag in the file was yours. But with 10 known transactions, something you might easily rack up with multiple retailers due to daily habits at at a coffee shop, a parking lot, or a newsagent, their chance of pinpointing you rose above 80%. Loosely speaking, the anonymous data they had access to, even when coarsened astonishingly, turned out to be not-so-anonymous after all. [Naked Security]

US – FTC Asked to Investigate Big Data Acquisitions

The Center for Digital Democracy, U.S. PIRG, Consumer Watchdog and Public Citizen said last week the FTC should launch an investigation into the growing consolidation of big data analytics firms and digital marketing companies. The groups are concerned about a “recent spate of acquisitions in the big data and digital marketing industries,” the report states. In a letter to FTC Chairwoman Edith Ramirez, the groups wrote about companies “amassing vast holdings of the key element that drives much of online commerce”-information about consumers. The groups are particularly concerned about Oracle’s recent acquisition of data broker Datalogix, the report states. [PCWorld] [IAPP VP of Research and Education Omer Tene writes that a speech Federal Trade Commission Bureau of Consumer Protection Director Jessica Rich gave last week “maps out the state of play at the intersection of technology, law and policy”]

WW – Big Data And Insurance: Should There Be A Code Of Practice?

Association of British Insurers (ABI) chairman Paul Evans called on the insurance industry to “anticipate regulators” and develop its own big data code of practice in a recent interview with the Financial Times, which makes a lot of sense. So what are the issues that a code might cover? We can all imagine privacy and data protection issues, but the use of big data in insurance touches on a number of other important legal issues. [Source]

US – Palantir Buys Start-Up, Adds Retail Analytics

Palantir, which is known for its data analytics platform and is used in law enforcement, financial research, healthcare and other areas, can now “add retail and shopping data to the mix” with its purchase of start-up Fancy That. Fancy That “has built a platform to help retailers with their omnichannel strategies across physical stores, online, mobile and other platforms where they sell goods and communicate with customers,” the report states, noting Fancy That “incorporates elements of machine learning, mobile, and sensor technologies into its services. It works on both software and hardware technologies.” The terms of the Fancy That deal have not been disclosed. [TechCrunch]


CA – Bill C-51: The Anti-Terrorism Act, 2015

The federal Conservative Government introduced a sweeping anti-terrorism bill (Bill C-51, the Anti-terrorism Act, 2015). Much of the media attention on Bill C-51 has rightly focused on the creation of a new criminal offence of knowingly advocating or promoting the commission of terrorism offences and the new judicial power to remove terrorist propaganda from websites using Canadian Internet service providers. These have significant implications for freedom of expression. However, this multi-part review of the privacy implications of Bill C-51 begins with the new Security of Canada Information Sharing Act, self-declared purpose is “to encourage and facilitate the sharing of information among Government of Canada institutions in order to protect Canada against activities that undermine the security of Canada” (s. 3). [Source]

CA – Canada’s New Anti-Terror Bill C-51 Concerns Privacy Commissioner

Privacy Commissioner Daniel Therrien says he is concerned that the government’s new anti-terror bill does not respect the privacy rights of Canadians. Bill C-51 proposes to lower the threshold of what’s required for police to make an arrest in a terror case. Previously an arrest could be made only if a terror act “will be” carried out, but C-51 would allow police to arrest a suspect if an attack “may be” about to happen. It would also broadly expand the powers of Canada’s spy agency, CSIS, to “counter-message” or “disrupt” terrorist websites, Twitter accounts and the like. “This Act would seemingly allow departments and agencies to share the personal information of all individuals, including ordinary Canadians who may not be suspected of terrorist activities, for the purpose of detecting and identifying new security threats,” Therrien said. “ It is not clear that this would be a proportional measure that respects the privacy rights of Canadians.” [Toronto Sun] [Full Story] [Statement from the Privacy Commissioner of Canada following the tabling of Bill C-51] [CBC: Bill C-51 aims to ‘remove terrorist propaganda’ from internet and [Anti-terrorism powers: What’s in the legislation?] [PM Harper admits proposed anti-terror law would not have stopped Ottawa attack] [Canada’s New Anti-Terror Bill Gives the Government Sweeping New Powers] [Additional oversight for security agencies just ‘needless red tape’: Government] [Former CSIS officer warns new federal anti-terror bill will ‘lead to lawsuits, embarrassment’] [It’s easy to imagine Bill C-51 actually undermining Canada’s anti-terrorism strategy] [Barbara McIsaac: Bill C-51 and the Sharing of Personal Information]

CA – CSIS’s New Powers: How the New Legislation Will Affect Security Agencies

The federal government has unveiled security legislation. Here’s a breakdown of what the new powers will allow and how the legislation will affect Canada’s spy and security services.

NEW POWERS: Canada’s spy service would become an agency that actively tries to derail terror plots at home and abroad – not just one that collects intelligence and hands it off to the RCMP.

NEW OFFENCES: The bill would give authorities the power to order the removal of “terrorist propaganda” from websites. It would also create a new criminal offence of encouraging someone to carry out a terrorist attack.

LOWER THRESHOLDS: Authorities could apply to a court if they believe terrorist activity “may be carried out.” The previous threshold called on authorities to state they believed an act “will be carried out.”

LONGER DETENTION: The bill extends the length of time authorities can detain suspected terrorists for up to seven days from three and expands the no-fly regime to cover those travelling by air to take part in terrorist activities.

INFORMATION SHARING: The bill grants government departments explicit authority to share private information, including passport applications or confidential commercial data, with law-enforcement agencies. [Globe & Mail] [Editorial: Worrying new powers for CSIS]

CA – Ed: Why Is The Opposition Silent On The Terror Bill?

Why is the opposition silent on the government’s anti-terror bill? This is a complex, far-reaching piece of legislation with serious implications for good and ill, one that deserves the most searching democratic scrutiny. All the more surprising, then, that Canada’s two main opposition parties have had so little to say about it. Apart from arguing in favour of increased oversight — preferably by a parliamentary committee — neither New Democratic Party leader Thomas Mulcair nor Liberal leader Justin Trudeau have addressed the content of the legislation in any detail. [National Post]:

CA – BC IPC: Federal Terror Bill A “Privacy Game-Changer”

“This kind of broad sharing of information is a privacy game-changer and it’s not clear as to whose information we’ll share with national security agencies, for what specific purposes and whether there are any safeguards in place,” Elizabeth Denham told Thompson Rivers University law students Wednesday afternoon. “We need to watch the watchers,” Denham said. [Source]

CA – Anti-Terrorism Bill Will Unleash CSIS on a Lot More than Terrorists

Liberal Leader Justin Trudeau has announced his party will support the government’s new anti-terrorism bill and sort out any vexing details later on. That’s a bit like buying a bull because you hope its excrement can be sold as perfume. The NDP – the Official Opposition – actually intends to do its job and oppose the legislation. Here are some questions to help it along: [Globe & Mail]

CA – Tories Defend Expanded Powers of CSIS Amid Calls for Greater Oversight

Ottawa is rejecting calls for parliamentary oversight of the nation’s spies, dismissing such increased scrutiny as “needless red tape.” Conservatives defended their controversial new anti-terrorism legislation, which has faced criticism for massively expanding the powers of the CSIS without added public oversight. Public Safety Minister Steven Blaney argued the Security Intelligence Review Committee, a five-member body that investigates complaints against CSIS, is enough. “We can be very proud of what they are doing,” he said about SIRC on CTV’s Question Period. “Anything additional would be just duplication.” The anti-terrorism legislation would give CSIS the right to disrupt terrorist activity, such as by pulling suspected terrorists off planes or messing with their bank accounts. A judge would have to sign off on such actions ahead of time. The legislation would also make it easier to arrest people for promoting terrorism. Critics say there are not enough checks on these new powers. “What is absolutely missing in this legislation is oversight, oversight, oversight,” Liberal MP Wayne Easter, a former solicitor-general, said on Question Period. “That’s what’s needed for two things. One: to ensure that the new powers in this new legislation that agencies will be granted will not infringe on the privacy rights of Canadians. Two: to ensure that the agencies are using their powers within the law.” Tory MP Roxanne James hit back. “We are not interested in creating needless red tape.” [The Globe and Mail]

CA – Supreme Court to Hear Dispute Over CSIS Powers to Spy on Canadians

The case pits CSIS against the Federal Court of Canada in a confrontation over whether the court has the authority to approve CSIS warrant applications to electronically spy on Canadians overseas. The federal court insists it has no such power. CSIS and the government argue it does. The competing positions are layered in complex legal arguments laid out in secret courtroom hearings. [Source]

CA – Edward Snowden Right to Urge Caution on Anti-Terror Measures: Editorial

Whistleblower and international fugitive Edward Snowden is right in urging Canadians to be extraordinarily cautious regarding Ottawa’s new Anti-Terrorism Act. Prime Minister Stephen Harper is right to be concerned about terrorist activities, and it’s vital that agencies protecting Canadians from such threats be adequately empowered. But so far, the government has not made a convincing case that its proposed new law would have stopped the earlier attacks, or would prevent future ones. [Source] [Western Spy Agencies Secretly Rely on Hackers for Intel and Expertise ]

CA – Walkom: Craven Opposition Letting Terror Bill Sail Through

The Liberals and NDP are afraid to criticize the substance of Bill C-51. Too bad. There is a lot they could say. …the Canadian Civil Liberties Association asked the most trenchant question: Why are these extraordinary new security powers needed? “There are still no answers as to why our existing laws and powers didn’t work — or if they didn’t work,” CCLA executive director Sukanya Pillay wrote. She also pointed out that criminalizing something as vague as the advocacy of terrorism could have a chilling effect on academics and journalists. The British Columbia Civil Liberties Association has gone even further, saying that Bill C-51 would create “an unprecedented expansion of powers that will harm innocent Canadians and not increase public safety.” [Weak-kneed opposition lets Conservative terror bill sail through: Walkom] [CA – Elizabeth May Condemns Bill C-51, Saying It Would Create A Secret Police Force]

CA – Inside the Orwellian Launch of Tories’ Anti-Terrorism Act

During the question-and-answer period, reporters asked how the government would decide who is supporting terrorism. Stephen Maher from Postmedia asked if someone would be breaking the law if they posted material encouraging attacks by Ukrainian militants on Russian targets in Crimea. The row of bureaucrats at the front of the room said they wouldn’t speculate on hypothetical situations. Many answers seemed scripted to the point where one reporter asked if they were just reading parts of the backgrounder as their answers. The staffer replied that they weren’t. [Locked up reporters, denied a look at the bill, revolt] [How terrorists succeeded in making us go bonkers ] [Bill C-51: Harper’s Attempt to ‘Arrest His Way out of Terrorism’ ]

CA – The Fiasco of Bill C-51

But the first thing to get out of the way about Bill C-51 is that the proposed law is not just about terrorism. It’s also about securing to the government a fairly sweeping range of national-security and police powers to target activity that “undermines the security of Canada” by interfering with federal capabilities in relation to the country’s “economic or financial stability.” This doesn’t make things any more reassuring, mind you. The government’s recent record on that front isn’t exactly unblemished. [Ottawa Citizen] [Fighting Terror: Privacy vs. Security]

CA – Bill C-51 Has Troubling to Civil Liberties Issues for Air Travelers

Bill C-51 would enact the Secure Air Travel Act. This legislation would amend Canada’s approach to its “do-not-fly” list under what is known as the “Passenger Protect Program”. …there are a number of features that are likely to be troubling to civil liberties advocates. In particular, the lowered threshold and expanded grounds for being placed on the “Specified Persons List” which functions as Canada’s “do-not-fly” list are likely to be of concern given the potential sharing of information with foreign governments. It is expected that advocacy groups may be concerned that this information sharing, combined with lower thresholds and expanded grounds, could increase the risk of the detention of Canadians abroad merely on “suspicion” of knowingly contributing to terrorist activities. [Canada’s Proposed Secure Air Travel Act]

CA – Mere Oversight Won’t Fix Tory Surveillance Bill: Geist

Bill C-51’s potential to harm privacy and civil liberties requires a detailed, non-partisan review. Bill C-51 appears to allow Canada’s spy agency “to effectively ignore any law (domestic or otherwise), and do whatever is deemed necessary to counter activities that extend far beyond just terrorism.” [Star] [Anti-terrorism legislation requires vigilance: Editorial]

CA – Secrecy Shrouds Ottawa’s Information-Sharing Deal With Five Eyes Allies

A veil of secrecy has dropped around a series of immigration information-sharing agreements between Canada and its “Five Eyes” allies. The federal privacy commissioner’s office said it has raised concerns with the department about unauthorized use, disclosure of transfer of information that goes beyond Canada’s borders, both under the deal with the U.S. and the five-country information sharing initiative. Anne-Marie Hayden, a spokeswoman for Privacy Commissioner Daniel Therrien, said the office has advised the department that “refugee claimants are a particularly vulnerable group and information sharing should continue to be done on a limited, case-by-case basis. Sharing of this sensitive information should be undertaken with caution and under strict safeguards and protocols.” [The Star] [How Canada compares to ‘Five Eyes’ members in intelligence oversight : Canada is the only member of the “Five Eyes” intelligence-sharing alliance that does not have legislative oversight of its security agencies].

CA – MacKay Once Backed Intelligence Oversight Now Rejected by Tories

As deputy leader of the Conservative Party in 2005, Mr. MacKay argued forcefully for giving MPs and senators a role in overseeing Canadian spies. “When you talk about a credible oversight body, I would suggest … that a parliamentary body is going to have more credibility because of its independence and because of the fact that there is also parliamentary accountability that will be brought to bear,” Mr. MacKay said in October of that year. “To that end, I suggest that it would also cause a little bit more diligence on the part of the security agents themselves, just knowing that this oversight body was in place.” [Globe & Mail]

CA – Canada Revenue Agency Can Now Provide Police With Evidence of Crimes

The Canada Revenue Agency gained the little-noticed new authority, which does not require a judicial warrant, through an amendment tucked into the government’s most recent omnibus budget bill. Previously, confidentiality provisions in the law prevented the agency from handing information about suspected wrongdoing, on its own initiative, to law enforcement. The exception was information that pointed to tax-related crimes. The new provisions apply to offences including breaking and entering, vehicle theft, arson, corruption and kidnapping. They also allow authorities to pass along information about any offence with a minimum prison term, or one with a maximum sentence of 14 years. [Source]

CA – 80% of Canadians Will Choose A Business on Its Privacy Reputation: Survey

According to a new survey nine in 10 Canadians are concerned about privacy — including 34% who say they are extremely concerned. That’s according to a new poll released by the federal privacy commissioner to mark Data Privacy Day. The number who said they are extremely concerned is up almost 10% from the survey done in in 2012.

  • Almost eight in 10 people surveyed (78%) have become less willing to share their personal information with organizations in the wake of media stories about sensitive information being lost, stolen or made public;
  • Eight in 10 (81%) are more likely to choose to do business with a company specifically because it has a good reputation for privacy practices.

The privacy commission’s survey also found

  • A significant majority (78%) expressed concern about how personal information about them online might be used in the context of government surveillance;
  • More than half of Canadians (57%) said they were “not comfortable” with government departments and agencies requesting personal information from telecommunications companies without a warrant;
  • Canadians expressed particular concern about what might happen to the personal information stored on a mobile device if it was lost or stolen, with nearly half (49%) saying they were extremely concerned;
  • Nearly 30% of respondents said they had been negatively affected by a breach. Most felt it is at least somewhat likely that their privacy may be breached by someone using their credit or debit card (78%), stealing their identity (78%), or accessing personal information stored on their computer or mobile device (74%).

Roughly half of Canadians said they don’t have a good understanding of what businesses and government will do with their personal information. [IT World] [Privacy survey is a wakeup call for CIOs ]

CA – Saanich Disables Covert Monitoring Software at Municipal Hall

Privacy commissioner Elizabeth Denham launched an investigation last month after newly elected Mayor Richard Atwell alleged that spyware had been installed on his work computer without his consent. Denham, acting on her own, said her investigation will examine whether the district’s use of employee-monitoring software complies with the Freedom of Information and Protection of Privacy Act. She expects to finish her review by the end of March and make her findings public. Laidlaw [Saanich Chief Administrative Officer] said Saanich may revisit the issue after Denham reports. [Times-Colonist]

CA – Watchdog cum Lobbyist Loukidelis Now Acts for Vancouver Publisher.

Once paid to ensure that the privacy of British Columbians was protected, Loukidelis is now lobbying the government to amend provincial rules to permit digital information about British Columbia high school students to be sent to China. The Vancouver publisher has printed yearbooks in China since 2007 and is seeking a ministerial directive to allow it to continue to send student information — including names, photographs and year of study — overseas on a temporary basis. [Source]


WW – Poll Exposes Drone Opinions

In a new Reuters/Ipsos online poll, 73% of respondents said they “want regulations” on privately owned drones. Reuters reports various concerns from respondents, including being “uneasy about potential invasions of privacy by drones carrying cameras or other devices.” The report also found 42% of respondents opposed “private ownership of drones, suggesting they prefer restricting them to officials or experts trained in safe operation.”. [Full Story]

US – AT&T Lets Users Opt Out of Tracking, But With a Price

AT&T’s gigabit fiber-to-the-home service telecom charges customers based on their privacy preferences. The GigaPower service is the same price as Google Fiber, but users who do not want their web browsing activity tracked must pay an additional $29 per month. AT&T says it tracks “the webpages you visit, the time you spend on each, the links or ads you see and follow, and the search terms you enter… AT&T Internet Preferences works independently of your browser’s privacy settings regarding cookies, do-not-track and private browsing. If you opt-in to AT&T Internet Preferences, AT&T will still be able to collect and use your web browsing information independent of those settings.” [Ars Technica]

US – ADL Says RTBF “Has No Place in the U.S.”

In a blog post, the Anti-Defamation League (ADL) says it supports a decision made by Google’s Advisory Council that right-to-be-forgotten takedown requests should only be honored in the EU. The ADL reiterated its own policy position from last November, stating that “individuals should not have the right to have links to old and/or embarrassing information about themselves removed from Internet search results.” They explain, “Doing so is tantamount to taking a scalpel to library books, allowing people to tear from public record things about themselves from the past that they simply do not like.” For example, it could allow “a white suprema­cist to erase all traces of his history of bigoted rhetoric before running for public office, denying the pub­lic access to make a fully informed decision.” [Full Story]

US – Researcher: Some Pledge-Signers Still Vulnerable

A security researcher has found several companies that have signed the Student Privacy Pledge do not use basic data security, The New York Times reports. Of the 60 or so companies that have currently signed the pledge, approximately 20 percent of them did not use Secure Socket Layer encryption during the log-in process for students, parents and teachers. Though there is no evidence the weak security has allowed any breaches, the vulnerabilities could easily be exploited, the report states. Company executives confirmed the log-ins aren’t currently encrypted and said “they had been caught in the process of updating their security measures,” the report states. [Full Story]


US – Considering Legislation to Let Non-Americans Seek Judicial Redress

The U.S. intelligence community and its EU counterparts are negotiating legislation that would enable non-Americans to “seek judicial redress for intentional or willful disclosures of protected information,” citing comments by Robert Litt, general counsel for the U.S. Office of the Director of National Intelligence, during a discussion at the Brookings Institution on Wednesday. “We are working on legislation right now,” Litt said. “We’ve been discussing this with representatives of the EU as well.” [Sputnik]

US – FTC Joins Agencies Adding Security Layer to Consumer Sites

The Federal Trade Commission (FTC) has joined a number of other federal agencies in deploying additional security best practices for public consumer websites donotcall.gov, ftccomplaintassistant.gov and hsr.gov. The websites have enabled a feature called HTTP Strict Transport Security (HSTS), which hardcodes all future communications to be encrypted by default so when visitors attempt to visit the sites, HSTS-enabled browsers will automatically encrypt the connection with any additional instruction from the website, reducing the potential for an attacker to impersonate an FTC website when connecting from open WiFi hotpots or insecure networks, the FTC’s blog reports. [Full Story]

WW – Report Highlights UK Public Sector Cloud Concerns

Nearly half of all public sector respondents to a survey on cloud computing have responded that security is their highest concern. After security, the second most worrisome elements of implementing public sector cloud-based applications were found to be the use of cloud apps sourced or commissioned without involving the IT department (12%) and managing the increasing number of cloud apps in use’ (also 12%). [Public Technology] [Canadian Treasury Board Gov’t-Wide Policy: keep cloud storage local]


US – Congress Takes Up Email Privacy Reform. Again.

Reforming the rules regarding email privacy is a mere step in the walk towards correcting the mass surveillance that the United States government executes, but it is an important piece of progress all the same. [TechCrunch]

Electronic Records

US – Medine: Section 215 Can and Should Be Shut Down

Privacy and Civil Liberties Oversight Board Chairman David Medine writes in a Lawfare post that the National Security Agency’s metadata surveillance program can and should be shut down. He notes that Section 215 of the USA PATRIOT Act should be “abandoned in favor of targeted queries to individual telephone companies based on individualized suspicion,” because it’s “not only more privacy protective but better for national security.” [Full Story]

US – Debate Heats Up Over Safety of Electronic Health Records

But Ross Koppel, a University of Pennsylvania professor who has published extensively on the topic in medical journals, called the federal government’s stance at the conference “a whitewash.” “They are systematically selecting studies and study methods that minimize the hundreds of thousands of errors related to HIT,” he said. “Of course, there was a safety problem with paper, but there are new, different and more wicked problems with HIT.” If the ability to cut and paste information from one chart to another causes it to balloon from three to 3,000 pages, physicians may not even be able to find the “nugget of needed information,” Koppel says. [Source]

US – No Encryption Standard Raises Health Care Privacy Questions

The main federal health privacy law – the Health Insurance Portability and Accountability Act, or HIPAA – encourages encryption, but doesn’t require it. The lack of a clear encryption standard undermines public confidence, some experts say, even as the government plows ahead to spread the use of computerized medical records and promote electronic information sharing among hospitals, doctors and insurers. …T the Senate Health, Education, Labor and Pensions committee said it’s planning to examine encryption requirements as part of a bipartisan review of health information security. “We will consider whether there are ways to strengthen current protections,” said Jim Jeffries, spokesman for chairman Lamar Alexander, R-Tenn. [Source] [The Toronto Star: Ontario is lagging behind other health jurisdictions on the protection of patient privacy]


US – Box Hands Cloud Encryption Keys Over To Its Customers

Key management system keeps data safer from intrusion—and government demands. Box needs permission from the customer when decrypting files. “Before we can use our key, we need the customer to decrypt it inside the HSM,” the company said. “It’s a layered encryption model. So while the data itself is not encrypted with the customer’s key, the customer key is the gatekeeper for decrypting it. In effect, our key is useless until it’s decrypted by the customer.” Each time Box needs temporary access to decrypt files, “we go back to the customer to request access (by sending over the document key for decryption). Each request is captured in the logs controlled exclusively by the customer. Customers can monitor that log to see how the data is accessed and how the keys are being used, and we have no way of modifying that log.” The customer doesn’t have to manually approve each request, but anything out of the ordinary would be flagged. [Ars Technica]

WW – Developer Reveals Flaw in WhatsApp Privacy Settings

A developer from The Netherlands has revealed that WhatsApp’s privacy settings can be bypassed with a simple bit of software. The software kit, released by Maikel Zweerink, allows a user to see whether other WhatsApp users are online, even if their status is set to “private” session. His goal with the release of the software, he wrote in a blog post, is to demonstrate that the popular messaging service is “broken … in terms of privacy.” He added, “This is not a ‘hack’ or an ‘exploit,’” it is “broken by design.” [International Business Times]

WW – Email Encryption Developer Was Going Broke; Facebook, Others Chip In

The developer of one of the world’s most-used email encryption services, Werner Koch, was almost out of funds to stay in business when ProPublica published a report on the developer of Gnu Privacy Guard, a service used by investigative journalists, whistleblowers—including Edward Snowden—and dissidents. Koch “has been almost single-handedly keeping it alive with patches and updates from his home” in Germany, the report states, earning a fraction of what he could have made in private industry and falling short of paying himself and hiring a programmer. Facebook and payment provider Stripe, however, each agreed to donate $50,000 a year toward the open-sourced project; the Linux Foundation’s Core Infrastructure Initiative has provided a one-time grant of $60,000, and other donations have come in since the article was first published. [Full Story]

EU Developments

UK – GCHQ Mass Internet Surveillance Was Unlawful, IPT Rules

The Investigatory Powers Tribunal has considered unlawful the GCHQ access to information gathered by the NSA through its massive surveillance programs….The ruling would trigger massive claims against the intelligence services, principal organizations for the defense of Human Rights will request to access records related to their activities and members. On the other hand, the Intelligence agencies are already reorganizing their TTPs to continue to operate and protect their Homeland Security. [Security Affairs] See also: [EurActiv reports MEPs approved a law allowing member states “to share information on car registries”]

EU – DPAs Form Task Force Following Facebook Privacy Policy Changes

A group of European data protection authorities (DPAs) formed a task force in reaction to the latest changes to Facebook’s privacy policy. The group will be led by Belgium, The Netherlands, Germany and “perhaps” Italy, a spokesman from Belgium’s state secretary for privacy said. At issue are the company’s practice of tracking users when they are not on its site and using information from profiles for commercial purposes, the report states. Germany’s DPA has taken issue with how Facebook processes personal data, particularly between other services it already owns, such as WhatsApp and Instagram. [IDG News Service] [EU data protection authorities get serious about Facebook’s privacy policy ]

EU – Working Party Clarifies Health Data Definition in Apps

The Article 29 Working Party (WP29) has responded to a request from the European Commission made in the framework of its mHealth initiative to clarify the definition of data concerning health in lifestyle and well-being apps. The WP29 responded that it supports a broad definition of health data, distinguishing the following three categories: Data is inherently/clearly medical data; data is raw sensor data that can be used in itself or in combination with other data to make conclusions about a person’s health status or risk, or conclusions are drawn about a person’s health status or risk. The WP29 considers “explicit consent as the most likely legal ground” for processing health data. [National Law Review]

UK – ICO’s Data Protection Audit Powers Extended to Cover NHS bodies

NHS bodies in the UK can now be forced to open themselves up to data protection audits under new powers handed to the Information Commissioner’s Office (ICO). The ICO had long campaigned for the compulsory audit powers they have under the Data Protection Act to be extended to the public health sector. Previously, the ICO could only compel central government departments to participate in a data protection audit and needed the consent of other organisations to investigate their procedures. [Source] [Hackers will target online NHS medical data, warns ICO] [UK NHS authorities may be subject to compulsory audits of their data protection initiatives by the Information Commissioner’s Office]

EU – Ministers Call for More Border Checks

EU interior ministers have called for more border checks to fight terrorism in the wake of recent attacks in France and Belgium. The ministers want to change the rules governing the passport-free Schengen area to allow for “systematic checks against databases relevant to the fight against terrorism” when people enter and exit the area. Currently such checks can only be carried out on an ad hoc basis. EU home affairs commissioner Dimitris Avramopoulos noted that changes for faster data exchange within the Schengen system have already been adopted and that checks are currently possible, too. Avramopoulos agreed that member states need to improve their data exchanges. “Europol needs to receive all relevant information in order to track the travel routes of terrorists,” he said. [EU Observer] See also: [MEPs have “agreed to work towards a deal to share airline passenger data” before the year’s end.] [The U.S. intelligence community and its EU counterparts are negotiating legislation that would enable non-Americans to “seek judicial redress for intentional or willful disclosures of protected information”].

UK – UK Lords Try to Sneak Through Snooper’s Charter Once Again

A week ago, we noted that a group of UK Lords were trying to rush through the “Snooper’s Charter” that had previously been rejected by the UK. The bill, of course, was about giving the government tremendous levels of access to everyone’s electronic data with little oversight. Thankfully, despite having little notice, the attempt caused a flurry of attention and the Lords were forced to back off the plan. It seemed like another good “win” for supporters of privacy and democracy. Many people still expected the UK government to try again, but few expected it would happen so soon. Yes, less than a week after having the last attempt rejected vocally, the same group of Lords are trying yet again: On Saturday, ahead of a “report stage” debate on Monday (the Counter-Terrorism and Security Bill is almost fully baked), Lords West, Blair, Carlile and King introduced a new amendment that appears to be almost identical to the last, and to the Communications Data Bill before it. Again, this new amendment would force “telecommunications operators” – which these days includes the likes of Facebook and Skype, as well as traditional telcos – to store communications metadata for up to a year and hand it over to U.K. authorities when requested. This data retention regime may require the providers to install “specified equipment or systems.” [Source] [UK – Q&A: The UK’s controversial draft counter-terrorism laws]

EU – Germany’s BND Muscles in on Metadata Mass Surveillance

The leaked intelligence docs revealed that approximately one per cent of the metadata trawl every day is stored for up to 10 years. The remainder is discarded after weeks or months. Privacy group Access Now, which according to its website “defends and extends the digital rights of users at risk around the world”, called on the BND to curtail its NSA-style “collect-it-all” programme, with Germany being one of the most vocal international critics of NSA surveillance. [Vacuumed info flows into NSA-wannabe branch offices ] See also: [ European Commission is considering requiring telecoms to store communications data of EU citizens in order to fight terrorism] | [France’s interior minister is lobbying MEPs that a passenger name record bill “is an essential tool, among many others, needed to fight terrorism.”] | [Germany’s government has announced plans to widen data retention].

EU – German Bill to Bring Fundamental Change to Data Protection Law

Germany’s federal cabinet has approved a bill that will allow consumer organisations to take businesses to court if they do not comply with the country’s data protection laws. To date, consumer associations in Germany have had difficulty in challenging data protection shortcomings by companies, Appt said. The law previously required them to prove that a provision in a privacy policy is designed either to regulate market behaviour or to protect consumers, and civil courts have not generally qualified these provisions under either category. [Source] [What data protection reform will mean for obtaining ‘customer consent’] [Out-Law.com reports on the potential changes that may come with a German bill to extend consumer rights organizations’ ability to sue on behalf of consumers] | [The German government has approved a draft law that would, among other things, empower consumers to initiate legal action for injunctive relief against companies violating the data protection law: The National Law Review] SEE ALSO: Telecompaper: the lower house of the Dutch parliament has approved legislation requiring organizations to report data breaches] and [Telecompaper: the Dutch government responded to questions from Parliament saying its data retention legislation was implemented legally, and the justice minister reiterated the intent to maintain the law].

Facts & Stats

US – Survey: General Counsel Concerned with Ethics, Compliance, Breaches

According to the latest annual survey of general counsel and chief legal officers, 96% said the function of ethics and compliance was “important” for 2015 and about 25% said it was “extremely important,” more so than all other categories. Not far behind, however, are concerns about data breaches and protection of corporate data. Responsibility for compliance functions is increasingly being tucked back inside companies rather than outsourced to law firms, said Veta Richardson, CEO of the Association of Corporate Counsel, which conducted the survey. Other topics listed as concerns include privacy and whistleblower claims. [The Wall Street Journal]

WW – Survey: In-House Counsels have Data Breaches on Their Minds

For every Target Corp., it seems, there are several others that see their data systems breached. More than a quarter of the GCs surveyed reported experiencing a data breach within the last two years, a figure that reached a full 50% within the health-care industry. (As the WSJ reported last fall, general counsel in the financial industry are, among other things, demanding that their law firms do more to protect sensitive information to ensure that they don’t become back doors for hackers.) [Nation’s In-House Counsel are Worried About Ethics, Data and ‘Trolls’  ]


WW – New Technology May Bolster Cryptocurrencies’ Success

Despite setbacks including a 67% drop in value last year, cryptocurrency advocates remain optimistic about Bitcoin’s future. And thanks to a new technology development, they may have good reason. Crypto 2.0 may help push cryptocurrencies to the mainstream. It’s essentially a layer built on top of Bitcoin’s underlying blockchain technology that enables a variety of applications—and they can be decentralized so they aren’t subject to one controlling authority. [Techonomy ]

CN – China Wants Banking Backdoors

Chinese authorities reportedly want to see the source code for all software and hardware that gets sold to its banking sector, as well as see vendors submit to rigorous audits and build government-approved backdoors into their products. But Western technology firms have reacted with alarm at the proposed “cybersecurity review regime,” and warned that it may soon be expanded to cover much more than just the banking sector. The draft Chinese banking regulations were contained in a 22-page report that was finalized at the end of 2014, and which is expected to be officially unveiled in the coming months as part of a Beijing-led cybersecurity push. The current version of the letter from Chinese authorities – which has reportedly been circulating in draft form in recent months, triggering escalating alarm from foreign technology firms – says 75% of the software and hardware products used by the Chinese financial services sector must be “secure and controllable” by 2019. The letter does not define what it means by those terms, but includes a chart specifying that for many types of computing and network equipment, vendors would have to share their source code with Chinese authorities. [Bank Info Security]


WW – 7 Things to Love About reddit’s First Transparency Report

We’re impressed by reddit’s first transparency report. In fact, the report tracks remarkably closely to EFF’s annual Who Has Your Back report, which rates companies on factors like requiring a warrant for content and informing users about government data requests. While we have no way to know whether reddit could have done more to fight government requests for user data, we can say with certainty that it adopted industry best practices in first-ever transparency report. [Source]

US – Canary Watch Tracks Sites FBI, NSA Haven’t Hit Up

While Internet service companies often want to be transparent about user privacy, they’re sometimes forced by law to stay mum on when they receive specific data requests from the National Security Agency or Federal Bureau of Investigation. However, there’s nothing stopping them from saying they haven’t received such requests, which is where a new website called Canary Watch comes in. The site tracks statements by websites like Pinterest, for example, saying they haven’t received national security requests, the report states. If those disclosures disappear, Canary Watch will flag that, “indicating that the site was likely served a warrant.” [Engadget]

WW – Governments’ Twitter Data Requests Up 40 Percent

Twitter released its biannual transparency report detailing the number of government requests for user data and noting a dramatic rise in the number of those requests. Government requests—coming in from more than 50 different countries—rose by 40% since its last report in July 2014. The U.S. “continues to make the majority of requests for account information,” Twitter stated in its report, “comprising 56% of all requests received.” In a column for The Atlantic reacting to the latest report, Adrienne LaFrance writes, “All of this is a reminder of one of the core principles of modern communication: that nothing is private on the Internet.” [The New York Times]

US – Jeb Bush Releases Emails But Doesn’t Redact PII

In a bid to be more transparent in anticipation of a possible run for the 2016 presidential election, former Florida Gov. Jeb Bush on Tuesday released all of his email transactions when serving as governor between 1999 and 2007. However, in his attempt to be more transparent for political reasons, Bush did not redact any personal information from the emails, including email addresses, contact information, medical data and Social Security numbers. [Full Story]


UK – Bioethics Report: “Consent” Is Not Enough

Obtaining individuals’ lawful consent to the processing of their health data does not on its own validate the processing as ethical, a health research body has said. The NCoB said that anonymising personal data and using it to advance medical science or health care was also not, on its own, sufficient to “guarantee” that the use of the data “is morally acceptable”. It said there was a need for “effective governance of the use of data”, after highlighting the potential clash between the public interest in using health data to further medical research and the sometimes competing public interest in protecting “individual privacy”. [Medical researchers and health care providers must consider moral as well as legal questions on data use, says bioethics body] [‘Public should be consulted on NHS medical data-sharing scheme‘]

US – DNA Database Raises Privacy Concerns

A state database containing DNA samples of 16 million Californians is raising concerns among privacy advocates and a state lawmaker. Samples are taken from virtually every baby born in the state to screen for more than 80 health disorders. The frozen samples are stored indefinitely and are shared with genetic researchers for a fee. California officials say the biobank is secure, but some are concerned the sensitive data can be misused. “Throughout the process,” Council for Responsible Genetics President Jeremy Gruber said, public knowledge and consent is “almost completely” absent. Assemblyman Mike Gatto (D-Glendale) said, “Imagine the discrimination a person might face if their HIV status or genetic predisposition to a mental disorder were revealed to the public.” [Los Angeles Times]

US – DNA Volunteers Concerned About Privacy

Science Magazine recently announced “the end of privacy” and, in an interview with NPR, Jennifer Couzin-Frankel, who writes for the magazine, discusses the privacy concerns hundreds of thousands of volunteers have about donating their DNA for medical research. Those concerns include, “Who’s going to have access to the DNA sample that I’m handing over?” or “How much control do I have over who studies it, what they do with it?,” Couzin-Frankel explains. While it was believed for some time that DNA samples could remain anonymous, recent examples have proven DNA sequences can be retraced, the report states. [Full Story]

Health / Medical

US – Data Security, Privacy Top Concerns for FDA, CMS

Officials from the Food and Drug Administration (FDA) and the Centers for Medicare and Medicaid Services (CMS) have said that data security and privacy are top concerns for their agencies. FDA Senior Technical Advisor Joe Klosky said the agency bakes in security and encrypts data, but operational and management controls are needed as well. CMS Office of Technology Solutions Director Janet Vogel said, “Because of the private nature of our data, we’re very sensitive to both privacy and security … Making it easy to have data protected at rest and in transit and in use is a really important feature that we’re looking for.” [Fierce Government IT]

US – Interoperability and Privacy are Buzzwords at 2015 ONC Annual Meeting

Lucia Savage, ONC’s chief privacy officer, emphasized that inconsistent rules about permissions to access, use, and disclose patient data are a key barrier to developing functional and interoperable systems nationwide. She noted that the current system is governed by a patchwork of state rules and often relies on handwritten patient consent—a fundamentally non-interoperable technology. [ONC (Health Info Tech) Meeting: Privacy a Buzzword ]

US – WPF Issues Report on Medical Data Protection in Schools

In light of recent news about measles outbreaks across the U.S., the World Privacy Forum (WPF) has released Student Privacy 101: Health Privacy in Schools—What Law Applies? to guide parents about what laws apply to medical data requests of students in schools. “School health privacy can be quite messy,” the WPF post states. “In some private schools, no health privacy law may apply at all,” whereas, in others, the Family Educational Rights and Privacy Act or Health Insurance Portability and Accountability Act may apply. The WPF’s new report “covers the basics of what laws apply, when and where.” [Full Story]

US – HIMSS Calls for Enhanced Privacy

The Healthcare Information and Management Systems Society (HIMSS) recently sent a letter to Congress calling for enhanced privacy measures and healthcare security initiatives. HIMSS has told Congress it must “recognize how important interoperability in health information technology is for the transformation of healthcare in the nation,” the report states, and has called for the public and private sectors to work together. “As the nation enters the fourth year of the Meaningful Use Program, we are at a critical juncture in using IT to improve patient care outcomes via nationwide adoption of EHRs and creating the ability to exchange health information privately and securely,” HIMSS stated. [HealthIT Security] [The Healthcare Information and Management Systems Society recently sent a letter to Congress calling for enhanced privacy measures and healthcare security initiatives]

US – Federal, State Health Sites Still Contain Ad Trackers

HealthCare.gov and 16 state-based healthcare exchange websites still contain ad trackers weeks after an Associated Press report claimed the sites were leaking sensitive personal information. The Centers for Medicare and Medicaid Services (CMS), which recently said it improved site encryption and narrowed the amount of data flowing to third parties, stated, “One of the most cost-effective and best ways to reach the uninsured is through digital media and advertising.” The Center for Democracy & Technology’s Justin Brookman said, it’s “bad site design” adding, “Given that they collect such sensitive data, and given that they’re government services where people might not have a choice about visiting, I feel like these sites should really only share data with third parties when absolutely necessary.” [Advertising Age]

Horror Stories

US – Hack Hits 80 Million Anthem Customers

The country’s second-largest health insurer has announced hackers accessed and obtained tens of millions of current and former customer and employee accounts. Compromised data includes names, birthdates, Social Security numbers, contact information and other employee data. In a public letter, Anthem CEO Joseph Swedish, himself a victim of the hack, said, “As soon as we learned about the attack, we immediately made every effort to close the security vulnerability, contacted the FBI and began fully cooperating with their investigation.” Anthem has provided customers with an AnthemFacts.com web page, complete with Swedish’s letter, FAQs and a tab to ask questions. Rep. Michael McCaul (R-TX) said, “This attack is another reminder of the persistent threats we face.” [Bloomberg] [Anthem Breach May Have Started in April 2014 ] [China To Blame in Anthem Hack? ]

WW – Malware Attack Could Be the Biggest Bank Theft on Record

The New York Times reports on what is potentially one of the largest bank thefts ever. Kaspersky Lab was recently called to Ukraine to investigate the crime, which went down without any of the normal signs of a robbery. More than 100 banks in more than 30 nations were involved when a group of international hackers penetrated the banks’ internal computers via malware that allowed them to mimic every move being made on the computers by bank employees. The software remained for months, allowing the criminals to see the banks’ daily routines and then impersonate employees—transferring funds in dummy accounts set up in other countries. Thefts thus far total $300 million, but that number is expected to triple. [Full Story]

WW – Kaspersky Lab: Bank Hackers Steal $100s of Millions via Malware

total could be triple that. But that projection is impossible to verify because the thefts were limited to $10 million a transaction, though some banks were hit several times. In many cases the hauls were more modest, presumably to avoid setting off alarms. The majority of the targets were in Russia, but many were in Japan, the United States and Europe. No bank has come forward acknowledging the theft, a common problem that President Obama alluded to on Friday when he attended the first White House summit meeting on cybersecurity and consumer protection at Stanford University. He urged passage of a law that would require public disclosure of any breach that compromised personal or financial information. [New York Times]

US – Could the Anthem Hack Happen Again? New Report Analyzes Insurers’ Cyber Security Programs

The New York State Department of Financial Services Report analyzes survey data collected from 43 insurance entities that collectively hold a staggering $3.2 trillion of combined assets. Of these 43 entities, 21 are health insurance providers, 12 are property and casualty insurance providers, and 10 are life insurance providers. The Report’s questions address six main topics: (1) the insurer’s information security framework; (2) the use and frequency of penetration testing and results; (3) the budget and costs associated with cyber security; (4) corporate governance around cyber security; (5) the frequency, nature, cost of, and response to cyber security breaches; and (6) the company’s future plans on cyber security. In an effort to obtain a broader understanding of the context of these cyber security programs within the insurers’ overall risk management strategy, the Report also analyzes the statutorily required enterprise risk management (“ERM”) reports that certain insurers filed with the Department. [Health Law Policy]

US – LinkedIn Settlement Moves Ahead; Google Buzz Case Thrown Out

A federal judge has tentatively approved a $1.25 million data breach class-action settlement with LinkedIn. U.S. District Court Judge Edward Davila said, “The settlement agreement falls within the range of possible approval as fair, reasonable, adequate and in the best interests of the class.” The preliminary judgment still leaves Davila room to reject the settlement after a final hearing, the report states. Meanwhile, a federal judge in California has thrown out a putative class-action contesting Google’s $8.5 million Google Buzz settlement. [MediaPost]

WW – TurboTax Halts E-Filing After Stolen Data Used To File Claims

TurboTax has halted electronic filing of all state returns amid reports from states of criminal attempts to obtain refunds through its systems. Intuit said its TurboTax unit took action last week after seeing individuals were making attempts to use stolen personal information to file returns, the report states. Intuit does not believe its systems were breached. Rather “the information used to file fraudulent returns was obtained from other sources outside the tax preparation process,” the company said, adding that an examination is ongoing. [The Wall Street Journal] | [J.F. Rice: A Look back at the top 20 data breaches of 2014]

Identity Issues

US – Data De-Identification: Useful Tool, But No Magic Bullet

FERPA regulations require educational agencies and institutions–and other parties that release de-identified education records–to take into account information that is “linked or linkable to a specific student”, as well as other reasonably available information about a student, so that the cumulative effect does not allow a “reasonable person in the school community to identify the student with reasonable certainty.” De-identification is not a single on-off switch. Nor is it a magic bullet. Instead, it’s a process. [Source] [Khaled El Emam: Is it safe to anonymize data?]

US – NIST Launches Grant Competition

The National Institute of Standards and Technology (NIST) is launching a competition for U.S. companies to earn grants to pilot online identity-verification systems that help improve the privacy, security and convenience of online transactions. According to the release, NIST intends to fund multiple grants of $1 million to $2 million per year, per project, for up to two years. Eligible institutions include higher education, nonprofits, commercial organizations and state, local and U.S. tribal government entities. Abbreviated applications will be accepted through March 17, and NIST will provide guidance in the form of an applicant’s conference and other avenues. [Full Story]

Internet / WWW

US – Federal ‘Internet of Things’ Report Triggers Debate, Senate Inquiry

The FTC report noted that despite the potential risks associated with expanding connectivity, new legislation dealing specifically with the IoT would be inappropriate. “Regarding legislation, staff concurs with many stakeholders that any IoT-specific legislation would be premature at this point given the rapidly evolving nature of the technology,” the FTC said in a statement. Sen. John Thune, (R-S.D.), chair of the Senate Commerce Committee agrees. “Standing on the cusp of technological innovations that will improve both the safety and convenience of everyday items, we shouldn’t let government needlessly slow the pace of new development. By engaging early in this debate, Congress can ensure that any government efforts to protect consumers are tailored for actual problems and avoid regulatory overreach,” Thune said in a statement on the IoT hearing. [Source]

UK – Microsoft Adopts Cloud Privacy Standard

In a blog post, Microsoft General Counsel & Executive Vice President Brad Smith writes that it is the “first major cloud provider to adopt the world’s first international standard for cloud privacy.” ISO/IEC 27018 seeks to establish uniform and global standards for protecting personal information in the cloud. The British Standards Institute has independently verified that Microsoft Azure, Office 365 and Dynamics CRM Online are all in line with the new standards. According to Smith, this matters because it gives users control of their data as well as an understanding about what is happening to it. Smith said strong security has been implemented to protect data and none of it will be used for advertising. Users will also be informed when a government has requested their data. [Full Story]

WW – Cisco Forecasts Global Wireless Data Traffic To Increase Tenfold by 2019

The increased use of smartphones and Internet-of-Things devices will precipitate a massive jump in wireless traffic around the world. A new forecast from Cisco predicts that global wireless traffic will increase by 10 times in the next four years. In 2014, wireless traffic reached approximately 30 exabytes (30 billion gigabytes) and will reach nearly 300 exabytes by 2019. The number of mobile users is expected to jump from 4.3 billion to 5.2 billion, or nearly 70% of the global population. Additionally, Cisco expects there to be 3.2 billion additional devices for machine-to-machine communication and 578 million wearable devices. Data from wearables alone could increase by a factor of 18, the report states. [Re/code]

US – FTC’s Soltani Warns About IoT Security

In a FTC blog post, Chief Technologist Ashkan Soltani discusses the security shelf-life of the Internet of Things (IoT). “I’d like to briefly explain why I believe IoT security is so important and why the IoT ecosystem presents a unique set of factors that give rise for special attention to security,” Soltani writes. He cites attributes including the ease of reprogramming small devices for reasons other than what was originally intended; the lack of interfaces for the consumer; the possibility of vulnerabilities to manifest across a large class of devices; the likelihood that inexperienced businesses will create new devices without appropriate protections, and the lack of incentives for manufacturers to provide consumers with security patches for low-cost devices such as lightbulbs and webcams. [Full Story]

Law Enforcement

CA – Kelowna RCMP ‘Routinely’ Breach Privacy During Strip Searches: Judge

“Videotaping inside strip search rooms and simultaneous broadcasting to a central monitoring location is a routine policy at the Kelowna detachment. That ‘routine policy’, breaches the intent and spirit of (case law). The interests of the police of maintaining safety in the search rooms and preserving evidence are not so compelling that they outweigh (the) expectation of privacy that her strip search not be videotaped and monitored remotely.” [Judge Ellen Burdett]


US – Advocates Concerned About FCC Location Data Requirements

“Americans dial 911 nearly 240 million times a year, and 70% of the calls are made on cell phones,” Newsweek reports, noting a 2013 study found that more than 10,000 people die each year because the location data wireless providers transmit to emergency personnel is insufficiently precise. So the Federal Communications Commission on Thursday voted 5-0 to improve the indoor location of wireless 911 calls, requiring major telecommunications companies to provide horizontal-location information, within 50 meters of a caller, and vertical information—what floor a caller is on—for 67% of emergency calls. In five years, they’d be required to provide that information for 80% of emergency calls. Civil liberties groups say the plan lacks any mention of privacy safeguards. [Full Story]

WW – Visa to Use Location Tracking To Detect Fraud

Visa will roll out a feature this spring that will allow its cardholders to automatically inform their banks when they are using the location function found in nearly every smartphone. Privacy experts are applauding the feature, saying, if used properly, it could cut down on credit card fraud and protect users. The feature is optional and can be deactivated at any time, the report states. Banks will be able to update their smartphone apps to include Visa’s new location-tracking software. If a customer opts in, the Visa software will establish a customer’s home area within a 50-mile radius and transactions that occur within that radius will be considered low risk. [The Associated Press]


WW – APEC Meetings Focus on Future of CBPRs, Updating Privacy Framework

From January 30 to February 3, the APEC Data Privacy Subgroup and its parent committee, the Electronic Commerce Steering Group, met in the Philippines for another round of negotiations and meetings. The meetings focused on implementing APEC’s Cross-Border Privacy Rules (CBPR) system; developing a corollary APEC recognition mechanism for data processors, and updating the APEC Privacy Framework, the report states. The CBPR system currently comprises the U.S., Mexico and Japan and will likely be joined by Canada later this month. Thus far, 10 companies have earned their CBPR certification under APEC-recognized accountability agent TRUSTe. The next round of meetings will be held in August. [Hunton & Williams Privacy and Information Security Law Blog] [Huntons] [Thailand has announced new regulations that, if implemented, would make shooting video with drones “illegal activity for civilians lacking prior permission“]. [Biometric Update: the United Arab Emirates intends to establish a free zone for financial services on Al Maryah Island and employee privacy will be a major component of the effort]

Online Privacy

WW – Google Advisors Recommend Limited RTBF Scope

An eight-person advisory panel appointed by Google released its much-anticipated report on how best to apply the Court of Justice of the European Union’s ruling on the right to be forgotten, recommending delisting only apply in Europe. The recommendations run counter to guidance provided by the Article 29 Working Party (WP29) but include a dissenting opinion from former German Justice Minister Sabine Leutheusser-Schnarrenberger. The report does recognize a global application “may ensure more absolute protection of a data subject’s rights,” pointing out that people outside of Europe have the right to access data online. The advisory council also expressed “concerns about the precedent set by such measures, particularly if repressive regimes point to such a precedent” to censor information in their nations. [GigaOM]

WW – Google Advisory Council: Right To Be Forgotten Should Not Go Beyond Europe

After listening to evidence about the ability to block international sites, the council was also concerned about a government’s ability to truly block specific websites and the precedence such a move would set. “The Council has concerns about the precedent set by such measures, particularly if repressive regimes point to such a precedent in an effort to ‘lock’ their users into heavily censored versions of search results,” said the report. “It is also unclear whether such measures would be meaningfully more effective than Google’s existing model, given the widespread availability of tools to circumvent such blocks.” [Source]

WW – Apps Will Share Data With Google Now

In a bid to bolster its hold on the online search market, Google plans to allow a host of third-party apps—including Airbnb, eBay and Lyft-to share data with Google Now, The Wall Street Journal reports. Google Now is a predictive search app, available for Android phones and wearables as well as the Chrome web browser. If users have the updated Google app and the Airbnb app on their phones, for example, the search history from Airbnb will be shared with Now. Previously, Google acquired search data from a user’s Google account search history. According to the report, more than 30 third-party apps will share data with Google Now. [Full Story]

EU – France – Paris Court’s Move to Export R2BF Worldwide

In the judgment for Mr. Shefet, the French judge relied on a specific point of the recent privacy ruling that said a company’s local subsidiary could be held liable for the activities of its parent. The judge ordered Google’s French subsidiary to pay daily fines of roughly $1,100 until links to the defamatory content were removed from all searches worldwide. [A Question Over the Reach of Europe’s ‘Right to Be Forgotten’ ]

Privacy (US)

US – Obama Issues Executive Order Promoting Cyber Info Sharing

Speaking at Stanford University, U.S. President Barack Obama announced a new executive order designed to promote private sector cybersecurity information sharing. Obama also said a national conversation on data encryption is needed. “I lean probably further in the direction of strong encryption than some do inside of law enforcement,” he said, “But I am sympathetic to law enforcement because I know the kind of pressure they’re under to keep us safe.” Sen. Tom Carper (D-DE) said the executive order “complements” his cyber info-sharing bill. Meanwhile, also speaking at Stanford, Apple CEO Tim Cook said, “We believe deeply that everyone has a right to privacy and security.” He added, “If those of us in positions of responsibility fail to do everything in our power to protect the right to privacy we risk something far more valuable than money—we risk our way of life.” [Full Story] [Privacy experts question Obama’s plan for new agency to counter cyber threats  ]

US – Data Protection Lacking Across Ed-Tech Sector

The New York Times reports on classroom technology for students and teachers and the apparent industry-wide gap in data security and privacy protection. One software engineer with two kids in elementary school said, “A lot of education sites have glaring security problems,” adding, “A big part of the problem is that there’s not even any consensus of what ‘good security’ means for an educational website or app.” After reviewing nearly 20 education technology products, the software engineer found other potential privacy vulnerabilities, including in districts’ social networks, cl assroom assessment programs and learning apps. [Full Story]

US – Franken Probes Samsung, LG Smart TV Privacy Practices

In the wake of privacy concerns stemming from the privacy policy of Samsung’s Smart TV Voice Recognition feature, Sen. Al Franken (D-MN) has sent letters to both Samsung and LG asking for more details about their data collection practices. “If such communications are unnecessarily captured along with voice commands,” Franken wrote, “is it possible to extract that data before transmission to a third party?” Samsung said it “supports Senator Franken’s commitment to consumer privacy and we appreciate the opportunity to respond to his inquiries regarding the voice recognition feature on our Smart TVs.” [PCWorld]

US – FTC Denies Proposed Verifiable Consent Method Under COPPA

Recognizing the importance of encouraging the development of new consent mechanisms and to provide transparency, COPPA allows parties to request that the FTC approve parental consent methods not enumerated in COPPA. The goal of this provision is to encourage the development of new verification methods that provide businesses with more flexibility. The process requires a detailed description of the proposed parental consent method and an analysis of how the method is reasonably calculated to ensure that the person providing consent is the child’s parent. The application is then published in the Federal Register for public comment. [HLDA]

US – Markey Report Reveals Automobile Security and Privacy Vulnerabilities

“Drivers have come to rely on these new technologies, but unfortunately the automakers haven’t done their part to protect us from cyber-attacks or privacy invasions. Even as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected,” said Senator Markey, a member of the Commerce, Science and Transportation Committee. “We need to work with the industry and cyber-security experts to establish clear rules of the road to ensure the safety and privacy of 21st-century American drivers.” [Markey]]

US – EFF Files Supreme Court Amicus Brief Over Warrantless Searches of Hotel Records

Central to City of Los Angeles v. Patel is a city ordinance requiring hotel operators to retain certain guest registry information, which they must make available to police officers on demand. Hotel operators aren’t allowed to challenge requests for guest information in court in advance and can be punished with a jail or fine if they refuse to comply. Citizens Have a Right to Challenge Laws That Violate the Fourth Amendment [EFF]

US – Does the Government Require Your Hotel to Spy on You?

The question is not whether private parties’ privacy expectations are reasonable. The Fourth Amendment asks whether government agents’ searches and seizures are reasonable. The petitions submitted by the City of Los Angeles and the U.S. government both treat the idea of “frequent, unannounced inspections” as a virtue of the statute. According to the government parties, innocent business owners, who are not suspects of any crime, should be subject to routine surprise inspections by government agents to make sure that they are performing surveillance of their guests for the government. … The Court should revisit the third-party doctrine and the “reasonable expectation of privacy test,” which produced it. [CATO]

US – Justice Department Drops Court Battle; Hands Document to Privacy Group

The Justice Department has agreed to turn over a legal opinion on surveillance and census data following a yearlong court battle with the Electronic Frontier Foundation (EFF). The department on Thursday dropped its appeal of a federal judge’s decision requiring it to provide the opinion to the EFF. The group sued to obtain documents on government surveillance, including a document that analyzed law enforcement access to census data, under the USA PATRIOT Act. A Justice Department spokeswoman said on Friday the department will turn over the document to the EFF. [Associated Press]

US – Judge: Heightened Risk of ID Theft Doesn’t Constitute Standing to Sue

A federal judge has ruled that the “heightened risk of future identity theft” isn’t enough to establish standing for a woman who filed a class-action lawsuit after her personal data was compromised in the 2014 hack of St. Joseph Health Systems. U.S. District Judge Kenneth Hoyt dismissed the suit after St. Joseph argued the woman had not suffered an injury traceable to the breach and hadn’t proved any quantifiable damage or loss. In his ruling, Hoyt cited Clapper v. Amnesty International USA, stating the plaintiff’s allegation that risk has increased doesn’t translate into “cognizable injury.” [Courthouse News Service]

US – Congress Considers IoT Regulation

The Internet of Things (IoT) was front-and-center during a Senate Committee on Commerce, Science and Transportation hearing that featured testimony from a wide spectrum of witnesses across industry sectors. At issue in the now Republican-controlled Senate committee hearing was whether the IoT and its many benefits can flourish unfettered in a free marketplace or if regulations are needed to mandate strong security, ensure privacy protections and manage other more technical issues around spectrum availability. [Full Story ] [CA – What Canadians can learn from FTC’s Internet of Things report]

WW – Managing Privacy in the Internet of Things

The data from all these things will be valuable not just to the companies that deploy them, but also to people or companies operating in other domains. For example, your thermostat might talk to your neighbor’s weather station to determine an appropriate temperature setting, and then switch on the heating when your phone’s GPS tells it that you’re nearing home. It’s this many-to-many and cross-domain aspect of connectivity that distinguishes IoT from earlier remote monitoring/control systems and M2M (machine-to-machine) systems, where only one organization created, owned, and used the data. In the IoT, each connection won’t be predetermined; these things should be able to structure their conversations on the fly, in an automated and ad-hoc manner. But this raises a number of questions and concerns around privacy, interoperability, and data-access privileges. [Source]

US – AGs Tell Anthem Notification Took Too Long

A group of 10 state attorneys general (AGs) sent Anthem a letter complaining about the length of time it took for the country’s second-largest health insurer to notify the public of its recent breach, Reuters reports. “The delay in notifying those impacted is unreasonable and is causing unnecessary added worry to an already concerned population of Anthem customers,” wrote Connecticut AG George Jepson, adding, “Anthem must commit to reimbursing consumers for any losses associated with this breach during the time period between the breach and the date that the company provides access to credit and identity theft safeguards.” The letter was written on behalf of Arkansas, Connecticut, Illinois, Kentucky, Maine, Mississippi, Nebraska, Nevada, Pennsylvania and Rhode Island. The breach could cost more than $100 million. [Full Story]

US – POTUS to Announce New SIGINT Rules; ODNI Releases Report on Privacy Reforms

President Barack Obama will announce new rules “requiring intelligence analysts to delete private information they may incidentally collect about Americans” and plans to “institutionalize a regular White House-led review of the National Security Agency’s monitoring of foreign leaders.” Subsequently, the Office of the Director of National Intelligence (ODNI) has released a report outlining how it has implemented signals intelligence privacy and civil liberties reforms. An ODNI blog post notes that over the last 18 months, reforms have strengthened privacy, limited SIGINT data collection and use and increased transparency. “As this report shows, the intelligence community has made significant progress implementing many reforms,” the ODNI wrote, adding, “However, our work is not done.” [The New York Times]

US – Brill on Obama’s Proposals; Researchers on Adequate Privacy Protection

Last week was a busy one for Carnegie Mellon University (CMU): Three researchers published a review on people’s attitudes toward privacy and how they change given context, and the Federal Trade Commission’s Julie Brill spoke on the Internet’s “accelerating encroachment into our private lives.” During her talk, Brill advocated for the passage of three new laws unveiled recently by President Barack Obama. “I do think there’s a place for industry self-regulation,” Brill said, though thus far it’s proved insufficient. Meanwhile, “approaches that rely exclusively on informing or ‘empowering’ the individual are unlikely to provide adequate protection against the risks posed by recent information technologies,” CMU’s Alessandro Acquisti, Laura Brandimarte and George Loewenstein wrote in their review. [TNS]

US – Obama’s OLC Says Section 215 Cannot Apply to Census Data

In a First, Government Acknowledges the Limits of Section 215 ..the government released an opinion (pdf), written by the Office of Legal Counsel (OLC) in 2010, that concluded that Section 215—the provision of the Patriot Act the NSA relies on to collect millions of Americans’ phone records—does have a limit: census data. [Source]

US – Uber to Implement Privacy Program Recommendations

Uber announced it is strengthening its privacy programs as the result of an outside privacy assessment, laid out in a 40-page review. The ride-sharing start-up retained Hogan Lovells Partner Harriet Pearson, CIPP/US, and her team last November after a number of reports surfaced about the company’s controversial use of consumer data, leading some to apply the name “Ubergate.” This exclusive for The Privacy Advisor reports on the detailed review and includes comments from Pearson and Uber Counsel of Data Privacy Katherine Tassi. [Full Story ]

US – First-Ever Revenge Porn Conviction Handed Out

In a first-of-its-kind case, a San Diego man was convicted under a new California revenge porn law. Kevin Bollaert was found guilty of 27 felony counts for creating a website that hosted revenge porn and a secondary site used to extort hundreds of dollars from victims. The now-defunct website YouGotPosted.com included sexually explicit photos of tens of thousands of women with links to their social media accounts. If a victim requested a takedown, she was directed to another site, ChangeMyReputation.com, where victims had to pay for the images’ removal. They were also instructed to provide pictures of themselves holding signs with their birth dates. Bollaert now faces up to 20 years in prison. [NBC] [In a column for The Atlantic, Profs. Danielle Citron and Woodrow Hartzog explain the significance of the Federal Trade Commission settlement with the founder of a revenge porn website]

US – Why the FTC’s Revenge Porn Settlement Is a Big Deal

Danielle Citron and Woodrow Hartzog explain the significance of last week’s Federal Trade Commission settlement with the founder of a revenge porn website. Until recently, the law has “struggled to address emerging privacy threats, including invasion of sexual privacy,” for a number of reasons, including free speech and certain protections for online publishers. Citron and Hartzog note, however, a “budding movement … recognizing that information shared in confidential relationships deserves protection.” Plus, businesses “are now on notice that it is illegal to exploit information shared in confidence and with an expectation of privacy,” and, “Repurposing confidential relationships, and the information shared in them, for commercial gain could prompt action by consumer-protection agencies.” [The Atlantic]

US – Seattle Creates Set of Privacy Principles

Seattle launched its Privacy Initiative in November , led by the Seattle Police Department and Department of Information Technology, to define how the city collects, uses and disposes of data to both meet the city’s needs and build public trust. The City Council received a set of privacy principles that aim to establish a core foundation from which city employees will approach decision-making where their work intersects with personal data. The principles include provisions on valuing privacy; collecting and keeping only what’s needed; granting citizens choices when possible on how their data is used; staying accountable, and requiring third-party vendors to meet the city’s privacy standards. [Full Story]

US – Taking Photos Up Girl’s Skirt Appalling, But Not A Crime, Judge Rules

Defense attorney Mark Lawrence argued that Buono had taken the images in public, a place where no one can reasonably expect privacy. The law bans clandestine photography in bathrooms, locker rooms, dressing rooms and tanning booths — all places where people should expect privacy. But the aisle in Target was plainly public, Lawrence said. Plus, up-skirt sightings can occur by happenstance, he said, citing the famous photos of a wind-swept Marilyn Monroe. It could happen to anyone riding an upward-bound escalator, taking a spill, exiting a car. “These things are not only seen but video-recorded,” Lawrence said. “It’s incumbent on us as citizens to cover up whatever we don’t want filmed in public places.” On top of that, Lawrence noted, the girl was wearing underwear, and therefore was not nude, which the invasion of privacy statute requires. [Source]

US – After 18 Years at the CDT, Dempsey Moves to Berkeley

For Jim Dempsey, the decision to leave the Center for Democracy & Technology after 18 years was pragmatic. Traveling from his home in California to Washington, DC, as frequently as he was—a frequency that only increased with his involvement in the Privacy and Civil Liberties Oversight Board and his efforts toward ECPA reform—left him somewhat exhausted. But the pragmatism of his decision doesn’t mean he’s any less excited about where he finds himself now as a result of his decision to stay put: He’ll head up the Berkeley Center for Law & Technology as its executive director. [Full Story]

Privacy Enhancing Technologies (PETs)

WW – “Privacy-Aware Research” Among Aggregated Health Competition Winners

The Health Data Exploration project has announced five recipients in its $200,000 Agile Research Project Competition. The project is based at the California Institute for Telecommunications and Information Technology and supported by the Robert Wood Johnson Foundation. The recipients were selected for their capacity to advance the use of aggregated and anonymous personal health data for research. They are Rumi Chunara of New York University, Julie Kientz of the University of Washington, Emil Chiauzzi from PatientsLikeMe, Michelle De Mooy of the Center for Democracy & Technology (CDT) and Eric Hekler of Arizona State University. The CDT’s De Mooy’s submission, entitled “Towards Privacy-Aware Research and Development in Wearable Health,” received $50,000 in funding. [Full Story]

WW – A Reverse-Engineering “Crypto Trick”; the Power of White Hat Hacking

Wired reports that security researcher Jacob Torry will present a new scheme that would make reverse-engineering code virtually impossible. The Hardened Anti-Reverse Engineering System (HARES) encrypts code that only allows decryption by the computer’s processor just before the code is executed, the report states. “It protects software algorithms from reverse engineering, and it prevents software from being mined for vulnerabilities that can be turned into exploits.” Gizmodo reports on a security researcher who figured out how to delete any photo album on Facebook using only four lines of code. Instead of exploiting it, the researcher reported it to Facebook. Meanwhile, Apple has announced it has extended two-factor authentication to Facetime and iMessage. [Full Story]

WW – Venture Capital Firm Invests in “Instagram for Doctors”

Venture capital firm Union Square Partners late last year “made an investment that was a bit unusual,” leading a $4 million funding round for Figure 1, a start-up targeting the medical industry with a social network that allows doctors, nurses, EMTs and other medical professionals to share medical images. Figure 1 “takes a popular and effective UI and applies it to an industry in desperate need of change,” said Union Square’s Fred Wilson. “In other words, an Instagram-like app dedicated to picture-sharing between medical professionals,” the report states, noting that because it “deals with medical data, its restrained by a host of privacy laws.” [FastCompany]


US – Obama Introduces Cyber-Enforcement Squad, Seeks $14 Billion for Cyber Defense

The White House has announced a new $20 million cyber unit to oversee dot-gov network security. The “E-gov Cyber” unit will also ensure that agencies notify victims of data breaches. Acting U.S. Chief Information Officer Lisa Schlosser said the division will “conduct data-driven, risk-based oversight of agency government-wide security programs.” Reuters reports that as part of the White House’s budget proposal, President Barack Obama is asking Congress for $14 billion in funding for cybersecurity across the U.S. government. A White House summary said, “Cyber threats targeting the private sector, critical infrastructure and the federal government demonstrate that no sector, network or system is immune to infiltration by those seeking to steal” sensitive data. [NextGov]

WW – 100% of IoT-Connected Home Security Systems Tested Security FAIL

HP researchers tested 10 of the newest connected home security systems and discovered the Internet of Things-connected security systems are full of security FAIL. “The biggest takeaway is the fact that we were able to brute force against all 10 systems, meaning they had the trifecta of fail (enumerable usernames, weak password policy, and no account lockout), meaning we could gather and watch home video remotely,” wrote HP’s Daniel Miessler. …HP Fortify found an “alarmingly high number of authentication and authorization issues along with concerns regarding mobile and cloud-based web interfaces.” …In a previous report, HP Fortify researchers found about 25 security vulnerabilities per Internet of Things device. In the report about home security systems, HP researchers said they don’t want to dampen your enthusiasm, but they do want you to be informed about the risks before activating these systems. Wouldn’t we be better informed if we knew precisely what IoT devices and security systems are full of fail? [ComputerWorld]

WW – Report: Most Malicious Apps Come From U.S.

A new report says the U.S. is the top developer of malicious and privacy-invasive applications, despite the fact that “conventional wisdom … often places the problem squarely in Asia.” The research was done by Marble Security and looked at countries with developers that published applications that were either directly malicious, handled data insecurely or posed a potential privacy risk, the report states. It focused on app marketplaces considered the most secure, Google Play and Apple’s App Store, and found that more than 42 percent of the dangerous apps came from companies or publishers identified as being in the U.S. [PCWorld]

WW – Russian Researchers Uncover Deeply Embedded Spyware

A Russian-based security firm has uncovered a highly secretive means of spying deep within the software used in most of the world’s hard drives. According to the Kaspersky Lab, personal computers in as many as 30 countries were infected with one or more spying programs. The report calls the implants part of the “Equation Group,” which according to The New York Times , is a “veiled reference to the National Security Agency” and the U.S. Cyber Command. Prof. Peter Swire told Reuters the disclosure could impact U.S. trade and diplomatic relations. “There can be serious negative effects on other U.S. interests,” he added. [Reuters]

US – Hacked Hotel Phones Fueled Bank Phishing Scams

Over the past two weeks, fraudsters have been blasting out SMS messages to hundreds of thousands of mobile users in the Houston, Texas area. The messages alerted recipients about supposed problems with their bank account, urging them to call a supplied number and follow the automated voice prompts to validate or verify their credit card account information. [Krebs]

WW – Product Puts Encryption Keys in Customers’ Hands

Key management system Box, which has been talking about letting customers manage their own encryption keys so they can store their data in the cloud and maintain control over who gets access to it, says its new product, Enterprise Key Management (EKM), does just that by putting “encryption keys inside a customer’s own data center and in a special security module stored in an Amazon data center.” While Box must still access customer data to enable sharing, it only happens when the customer wants it to, the company says. “Without EKM, Box could be forced to hand data over to the government without notifying the customer if the government request is valid and requires Box to keep it secret,” the report states. [Ars Technica]


US – EFF Has NSA Suit Partially Denied, Files Suit Over Airborne Surveillance

A federal judge has thrown out part of an Electronic Frontier Foundation (EFF) lawsuit against the National Security Agency (NSA), citing national security. U.S. District Court Judge Jeffrey Wright issued a 10-page order denying a portion of the suit against the NSA over its Internet surveillance of Americans’ communications but said he can’t fully explain his decision because doing so could pose “grave danger to national security.” Meanwhile, the EFF has also filed a lawsuit “seeking details of a Justice Department surveillance program that uses secret airborne technology to scan large numbers of Americans’ cell phones while hunting criminal suspects.” [The Wall Street Journal reports]

US – Canary Watch Site Will Keep an Eye Out for Vanishing Warrant Canaries

The way canaries work is that companies inform us, in their transparency reports, when their customers have not been served with a secret government subpoena. Such secret subpoenas, such as the National Security Letters empowered by the USA Patriot Act, come with gag orders that keep companies from telling customers they’ve been served. When a company publishes the dates that it hasn’t received a subpoena, customers can then infer – from the missing information – the dates that the company must have been served with the subpoena. [Source]

US – FAA Releases New Rules for Drones;

Over the weekend, the U.S. Federal Aviation Administration (FAA) released a highly anticipated framework of regulations for unmanned aircraft systems (UAS), or drones. President Barack Obama released a memorandum to federal agencies on Sunday to ensure the government is respectful of citizens’ privacy and civil liberties when drones collect data while in flight. Obama made his first attempt to address the concerns that privacy advocates have raised about the increasing use of drones by government agencies. The directive orders agencies to limit the collection and retention of data gathered by unmanned aircraft. Local and state agencies receiving federal grants must also create drone privacy policies, according to the memorandum. While praising the effort as helpful, the ACLU said the directive fell short of the organization’s goal. [Bloomberg]

US – NTIA to Head Up Multistakeholder Process

Obama and the FAA issued an executive order calling on the National Telecommunications & Information Administration (NTIA) to carry out a multi-stakeholder process to create a code of conduct for protecting the privacy of U.S. citizens. The NTIA will have 90 days to initiate a framework for “privacy, accountability and transparency for commercial and private UAS use.” An NPR report notes the FAA proposal highlights safety over privacy. [Full Story]

US – Few Privacy Limitations Exist on How Police Use Drones

Members in the House and Senate introduced bills in the previous Congress that would have required police everywhere in the country to obtain a warrant before using drones for surveillance, but the bills died at the end of the year. “In the states that don’t require warrants, it’s pretty much a Wild West” in terms of what’s allowed, says Jay Stanley, senior policy analyst at the American Civil Liberties Union. “There’s nothing stopping a police department from using [drones] in all kinds of ways to spy, except for the Constitution.” [Only 14 states require law enforcement get a warrant to use drones for surveillance] Meanwhile, in Thailand, new regulations would make shooting video with drones “illegal activity for civilians lacking prior permission,” Slate reports

US – Poll: Folks OK With Police Drones – Private Ownership, Not So Much

Some 73% of respondents to a Reuters/Ipsos online poll said they want regulations for the lightweight, remote-control planes that reportedly have been involved in an increasing number of close calls with aircraft and crowds. People are also uneasy about potential invasions of privacy by drones carrying cameras or other devices. Forty-two percent went as far as to oppose private ownership of drones, suggesting they prefer restricting them to officials or experts trained in safe operation. Another 30% said private drone ownership was fine, and 28% were not sure, according to the survey of more than 2,000 respondents, conducted Jan. 21-27. [Americans : Poll]

US – Noflyzone Aims to Keep the Airspace Over Your Home Drone-Free

NoFlyZone.org registers each address along with its GPS coordinates, which are then relayed to drone manufacturers to create a geofence around the home and render their products unable to fly over the property. …The few drone makers who’ve signed on include HEXO+, Ehang, DroneDeploy, Yuneec, Horizon Hobby, PixiePath and RCFlyMaps. That list leaves out major drone makers DJI and 3D Robotics: big omissions, given that, according to TechCrunch, DJI alone “probably accounts for the vast majority of drone sales in the United States.” Even if the major drone makers do agree to go along with geofencing people’s homes at their request, it’s not clear that NoFlyZone has the right to protect personal airspace, which, at least in the US, is under the control of the Federal Aviation Administration. [NakedSecurity]

Telecom / TV

WW – Today in Creepy Privacy Policies, Samsung’s Eavesdropping TV

As an Electronic Frontier Foundation activist pointed out earlier today, via Twitter, the concept of a TV screen that might be snooping on your private conversations — and thus broadcasting a chilling effect by inculcating self-censorship within its viewers — is straight out of George Orwell’s 1984 …The Samsung example is just the latest privacy-related concern involving smart TVs — many of which routinely require users to agree to having their viewing data sent back to the TV maker and shared by them with advertisers and others simply in order for them to gain access to the service. But the clarity of wording in Samsung’s privacy policy is impressive — given it amounts to a warning not to talk about private stuff in front of your telescreen because multiple unknown entities can listen in. [TechCrunch]

WW – Privacy Worries Over Samsung TVs

Privacy Commissioner John Edwards said the function appeared to breach collection principles under the Privacy Act. “It is hard to imagine a lawful purpose for a TV manufacturer to collect voice communications not directed at the TV.” He said he would also look into the adequacy of the privacy policy disclosure. “Even if there was a disclosure of the fact of that kind of collection in the privacy policy, I’d be prepared to look at the fairness and intrusiveness of the practice.” [Source] [CBC: CA – Samsung SmartTV an ‘Absurd’ Privacy Intruder, Ann Cavoukian says]

WW – Samsung Says TVs Do Not Monitor Conversations

In a blog post, Samsung responds to media reports that, according to the company’s privacy policy, its new Smart TVs are capable of sharing private conversations with third parties—prompting some to compare it to George Orwell’s 1984. In the post, Samsung says its “products are designed with privacy in mind” and that voice recognition features “are enabled only when users agree to the separate Samsung Privacy Policy and Terms of Use regarding this function when initially setting up the TV.” Additionally, the company notes, users can activate and deactivate the service at any time. [Full Story]

WW – Samsung Edits Orwellian Clause Out of TV Privacy Policy

Relying on vague wording to obfuscate function and keep users in the dark as to how their technology really operates does no one any favors. It breeds mistrust and triggers overblown concerns. If the privacy policy sounds creepy, the implication is the service provider is also doing something creepy — or at the very least trying to hide its activity from plain sight. Which makes people naturally suspicious. …As the smart home takes shape, consumers are going to be asking increasingly probing questions about what previously-innocuous-but-now-connected-to-the-cloud home gizmos are actually doing with the data they’re sniffing. To keep buyers on side, device makers will not only need great services; they’ll need sparkling privacy and spectacular security too. A core part of the solution will be privacy by design, and privacy policies written in plain language that are displayed proudly, as an asset, held up in plain sight. [TechCrunch]

US – Senators to Push Privacy, Security Legislation for IoT

Sen. Edward Markey plans to introduce legislation to require security measures in connected cars. Markey’s legislation will require makers of wireless access points on connected cars to use penetration testing technologies and that collected data is encrypted. The legislation will also require that the car manufacturer or a security vendor be able to detect and respond to hacking attempts in real time. The bill will also require car makers to explain their data collection practices to drivers and allow them to opt out of data collection without having to disable navigation. [Source] [Will the internet of things finally kill privacy? [Why the FTC’s new report doesn’t go far enough]

US Government Programs

US – Majority of Journalists Believe U.S. Gov’t Has Spied on Them

A new report from Pew Research Center reveals that 64% of journalists surveyed think the U.S. government has collected information about their phone calls, emails or online communications, while eight out of 10 believe that simply being a journalist increases the likelihood of such intelligence gathering. However, only 14% of those surveyed said that such concerns have prevented them from covering a story about surveillance. Meanwhile, a UK tribunal ruled that some parts of intelligence gathering and sharing between the U.S. and UK are illegal. The Investigatory Powers Tribunal ruled that UK intelligence agency GCHQ broke the law when it received intelligence on millions of Britons from the U.S. National Security Agency. [Full Story]

US – New Agency Raises Privacy Concerns

The Guardian reports on concerns expressed by privacy advocates about President Barack Obama’s plans for a new Cyber Threat Intelligence Integration Center . “Given the number of other agencies that have cybersecurity threat integration responsibilities, it’s not clear that a new agency is needed,” said the Center for Democracy & Technology’s Greg Nojeim, adding, “We are keen to hear from the White House about the measures it will impose to ensure that this new agency operates transparently, with effective independent oversight, and does not become a repository for personal information unnecessary to counter cyber threats.” FireEye’s Tony Cole said, “They really could have just restructured” how the National Cybersecurity and Communications Integration Center works. [Full Story]

US – Senator Releases Harsh Report on Connected Car Privacy

Sen. Ed Markey (D-MA) has released a report warning of the data security and privacy issues with virtually every auto manufacturer. After sending inquiries to 20 automakers last year, Markey wrote, “unfortunately the automakers haven’t done their part to protect us from cyber-attacks or privacy invasions … Even as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected.” Nearly every connected car on the market includes technologies “that could pose vulnerabilities to hacking or privacy intrusions,” the report found. Markey suggests industry work with cybersecurity experts “to establish clear rules of the road-not voluntary agreements” to better protect consumer privacy. [The Washington Post]

US Legislation

US – Trio of Reps Introduces ECPA Update

A bipartisan trio of House members is reintroducing a bill that would require warrants to obtain email or location information. Reps. Zoe Lofgren (D-CA), Suzan DelBene (D-WA) and Ted Poe (R-TX) are introducing the Online Communications and Geolocation Protection Act, an update to the Electronic Communications Privacy Act of 1986. “Fourth Amendment protections don’t stop at the Internet, and Americans rightly expect constitutional protections to extend to their online communications and location data,” Lofgren said. Similar bills have failed to get the votes needed to make it out of subcommittee. Other lawmakers are preparing to present a separate bill specifically focused on electronic communication, the report states. [The Hill]

US – State Bill Would Require Warrants for Digital Data

A bill that would require law enforcement agencies to secure a warrant before seizing U.S. citizens’ digital communications and electronic devices was reintroduced Monday in the California legislature. State Sen. Mark Leno (D-San Francisco) proposed the California Electronic Communications Privacy Act, which would prohibit government entities from forcing service providers to hand over electronic communication information without a warrant and from getting information from an electronic device from anyone except the “authorized possessor of the device,” the report states. A warrant would be required to get personal information from mobile devices, emails, text messages, contact lists and photos as well as for location information. [Courthouse News Service ]

US – Obama Student Bill Gaining Bipartisan Support

Behind-the-scenes efforts by the White House and lawmakers to get a student privacy bill off the ground. Presidential advisor John Podesta said, “I think there’s much more pressure now to move legislation and we’re certainly going to use all of the resources we have, including the president’s time, to ensure that the Congress takes this up.” In the coming weeks, Reps. Luke Messner (R-IN) and Jared Polis (D-CO) will unveil their student privacy bill. “Protecting America’s children from big data shouldn’t be a partisan issue,” Messner said, adding, “I’m glad to work across the aisle to find the appropriate balance between technology in the classroom and a parent’s right to protect their child’s privacy.” [Full Story] [The Flaws in Obama’s Cybersecurity Initiative]

US – Congress Tries ECPA Reform Once Again

Lawmakers in both houses of Congress are making a bid at revamping the 1986 Electronic Communications Privacy Act (ECPA). Reps. Kevin Yoder (R-KS) and Jared Polis (D-CO) are expected to introduce the Email Privacy Act with 223 cosponsors. Additionally, Sens. Patrick Leahy (D-VT) and Mike Lee (R-UT) will introduce a companion bill in the Senate. Though the numbers for reform are high, an attempt last year, which failed, had the support of 272 cosponsors. “We’re starting at a much stronger place,” Polis said. “We’re able to pick up the momentum from last time, show there’s overwhelming support for this bill.” [Full Story]

US – Bill Would Nix Access to Overseas Data

Sen. Orrin Hatch (R-UT) has proposed the Law Enforcement Access to Data Stored Abroad (LEADS) Act, which would require U.S. companies to turn over data stored on overseas servers only if the warrant targets a “U.S. person.” Hatch says the legislation would “promote international comity and law enforcement cooperation,” and Microsoft agrees that it would be a “very important step.” However, Internet Association President Michael Beckerman opposes the bill , saying it could weaken individuals’ online privacy. Acknowledging the problems government surveillance powers pose for Internet companies globally, Beckerman said, “the LEADS Act, as currently written, could incentivize data localization and therefore weaken user privacy.” [Ars Technica]

US – California Introduces Bill to Ban Warrantless Spying

“Especially after revelations of warrantless surveillance by the NSA, it is time for California to catch up with other states across the nation, including Texas and Maine, which have already updated their privacy laws for the modern digital world,” said Nicole Ozer, Technology and Civil Liberties Policy Director for the ACLU of California. [Source]

US – Bill Aims to Block U.S. from Reading People’s Old Email Without Warrant

A bill seeks to prevent the U.S. government from being able to look at Americans’ old emails without a warrant. “The government is essentially using an arcane loophole to breach the privacy rights of Americans,” Yoder said. “They couldn’t kick down your door and seize the documents on your desk, but they could send a request to Google and ask for all the documents that are in your Gmail account. And I don’t think Americans believe that the Constitution ends with the invention of the Internet.” [Source]

US – Proposed Bill Limits Reach of US Search Warrants on Overseas Servers

“Electronic communications are used extensively by criminals,” DOJ says. “In the end, we must strengthen privacy in the digital age and promote trust in US technologies worldwide by safeguarding data stored abroad, while still enabling law enforcement to fulfill its important public safety mission,” Hatch said. The bill was co-sponsored with Sens. Chris Coons (D-Del.) and Dean Heller (R-Nev.). [Ars Technica]

US – New Delaware Law Gives Executors More Access to Online Data

A controversial new state law is making it easier for estate executors to access digital data—such as email, photos and social-media postings—after the account holder dies. Many Internet companies strictly limit access to their customers’ accounts to the account holder, in accordance, they say, with federal privacy law. When an account holder dies, estate executors typically have to seek a court order to access the account, which can be expensive and time consuming—sometimes taking half a year or more—and isn’t always successful. But under a Delaware law passed last summer, executors can now access online accounts without a court order, unless the deceased has instructed otherwise. Similar legislation is under consideration in several other states. That’s an encouraging development to people like Andy Blair, an estate lawyer in Raleigh, N.C., who says his parents have thousands of family photos stored online. “Without a law like this,” he says, “I may never get access to those” after his parents die. But a group of Internet firms opposed the Delaware law, saying that it violates consumer privacy and may conflict with existing federal privacy law. [WSJ]

US – Other Legislation


16-31 January 2015


US – DHS to Roll Out Facial Recognition Along Border

The Department of Homeland Security (DHS) will unveil iris- and facial-recognition services along U.S. borders starting this summer. The U.S. Border Patrol will use the technology in conjunction with the FBI’s Next Generation Identification system. The move is part of an overhaul of the “IDENT” biometric system, which currently possesses more than 170 million fingerprints and facial images of non-U.S. citizens along with 600,000 iris templates, the report states. “While the photos do not satisfy some quality requirements for facial matching,” the DHS said it’s looking for ways to use the biometric data “with strong privacy and security protections in place to improve the accuracy of biometric identification/ /verification.” [Defense One] SEE ASLO: [Ars Technica: Law Enforcement, Advocate Face Off in Debate on Biometrics]

US Military Wants to Replace Passwords With “Cognitive Fingerprints”

Transparent, behaviour-based biometrics could provide the nudge that’s needed to push biometrics into the mainstream, but there are two major obstacles to overcome before that happens. The first is that you can’t change your biometrics – so what’s the equivalent of changing your password if you’re compromised? The second is that for all the frustration that comes with remembering (and forgetting) our passwords, we know and feel, tangibly, that they’re under our control. [NakedSecurity]

WW – The Rise of Emotion-Detection Tech

A number of companies are developing emotion-detection technology and the privacy concerns of emotion-detection’s pioneer, Paul Ekman. Ekman, an 80-year-old psychologist, fears he may have created a monster, according to the report. Start-ups such as Emotient, Affectiva and Eyeris are using Ekman’s research to drive their software. These companies are also compiling a large database “seeking patterns that can predict emotional reactions and behavior on a massive scale.” Ekman, who also serves as an advisor to Emotient, says he is torn between the technology’s potential and privacy issues including surveillance and notice and consent. [The Wall Street Journal]

WW – Psychological Profile-Based Security – Could It Work?

Fujitsu claims that its technology can assign security countermeasures based on a user’s psychological profile and risk tendencies – warning them ahead of time, before an attack can be carried out successfully. …Computer-based behavioral profiling is becoming very popular – recent research has found that algorithms can be more accurate at identifying personality traits and predicting behaviors than a person’s closest friends. Fujitsu says its behavior-based security tool can recognize what types of risks an individual is prone to, and direct countermeasures most appropriate to that person. [Naked Security]

Big Data

WW – Using Search Data to Explore “Socially Sensitive” Questions

Seth Stephens-Davidowitz shares his data-mining research on people’s perceptions and questions about sex by using Google search data. “Call it everything you always wanted to know about sex but didn’t have the data to ask,” he writes, noting that traditional surveys are not reliable in relation to such questions. By mining Google searches, Stephens-Davidowitz explores some of society’s more sensitive questions but wonders if he’s gone too far. Prof. Dan Ariely cautioned readers about the interpretation of this data, saying it may be skewed as, “Google is a reflection of what people don’t know and need extra information about.” [The New York Times]

UK – The Big Data Issue: Think Tank Calls for New Office of Responsibility

The proposed Office of Data Responsibility would help build British citizens’ trust in public bodies that use their data …For example the NHS’s care.data scheme, under which patient data will be shared between GP surgeries and hospitals, was met with strong opposition. The failed implementation of a national ID cards scheme under former Prime Minister Gordon Brown is another case in point which shows public mistrust in the handling of data by public bodies. [Misco]

US – Big Data’s Disconnect: CXO Vs Employee Views

Executives other than CEOs, and especially lower-level managers, see the current status and benefits of data initiatives far differently than the CEOs, the survey shows. While 47% of CEOs think all employees have access to the data they need, only 27% of all respondents agree that they do. [Source]


CA – CSE Tracks Millions of Downloads Daily: Snowden Documents

Global sites for sharing movies, photos, music targeted in mass anti-terror surveillance: CBC analyzed the document in collaboration with the U.S. news website The Intercept, which obtained it from Snowden. The presentation provides a rare glimpse into Canada’s cyber-sleuthing capabilities and its use of its spy partners’ immense databases to track the online traffic of millions of people around the world, including Canadians. That glimpse may be of even greater interest now that the Harper government plans to introduce new legislation increasing the powers of Canada’s security agencies. [CBC]

CA – Federal Government’s New Terror Law Concerns Privacy Watchdog

Privacy watchdog is concerned about info sharing provisions in the Conservatives new terror laws, as PM Harper heads to Toronto to sell them. Privacy commissioner Daniel Therrien says he will be closely watching the wording of provisions aimed at increasing information sharing among government agencies. [The Toronto Star] See also: [The Canadian government may revise “the Passenger Protect system to make it easier to keep individuals from boarding planes.”]

CA – Expert Says Spy Agencies ‘Drowning in Data’ and Unable to Follow Leads

U.S. reports question effectiveness of bulk collection in hunt for terrorists. Under Levitation, the electronic spy agency was sifting through up to 15 million uploads or downloads each day from around the world as part of a counterterrorism effort. But, according to the presentation, only 350 downloads each month triggered any kind of follow-up — an extremely small portion of the indiscriminately collected data. The way the program worked was that the CSE tapped into collected metadata on those downloads. It then used the computer’s IP addresses to cross-reference that through at least two wide-reaching databases of metadata held by Canada’s spying partners to try to figure out a suspect’s identity and to further monitor that person’s online activity. [CBC]

CA – Project Levitation: Politicians Call for Cybersurveillance Oversight

Surveillance meant to protect homeland security may not protect Canadians’ privacy rights. Some politicians are calling for heavier oversight of the Communications Security Establishment’s eavesdropping service that accesses everyday Canadians’ online activity. [CBC]

CA – Anti-Terror Bill to Give Agencies More Authority to Share Private Info

The changes would allow information submitted in passport applications and on the movement of items such as automatic weapons, GPS systems or controlled goods that could be used in terrorist attacks to be shared with Canadian security agencies. Other measures Ottawa is preparing include reducing the threshold required to make preventive arrests or detentions of suspected extremists. [G&M] [G&M: Harper’s Anti-Terror Bill to Criminalize the ‘Promotion of Terrorism’] [Ottawa Citizen: Anti-Terror Bill: Can Government Balance Security and Civil Rights?]

CA – Canadian Police Spent $1.6 Million on an Unconstitutional Spying Program

VICE’s analysis of the records show that the RCMP paid over $1.6 million to Canada’s cellphone companies since 2010 in order to skirt the normal process of having these requests approved by a judge. [Source]

CA – Bill C-13: Cyberbullying Bill Introduces New Lawful Access Measures

According to many commentators, the current Act, by combining both cyberbullying and lawful access concepts into a single piece of legislation, has served to reduce public controversy as legislating to attack the increasing problem of cyberbullying is a popular proposition. As well, the lawful access measures contained in the Act are a far cry from those much more robust powers that were being proposed for law enforcement in the earlier lawful access bills. For instance, Bill C-30 provided for warrantless mandatory disclosure of basic subscriber information, a controversial provision that did not resurface in the current Act. Nevertheless, the Act has still served as a bit of a lightning rod for controversy in the media and with the public. [JDSupra] Canada reports on the effect the country’s new cyberbullying bill could have on business.

CA – Changes to Police Record-Check Policies to Remove Embarrassing Details

B.C.’s privacy commissioner says police forces across the province are implementing new policies preventing them from revealing embarrassing details in record checks. “We assume the presumption of innocence as well, so information that relates to a complaint that doesn’t go anywhere, a complaint to the police by say a frustrated neighbour, again that shouldn’t find its way into an employment check.”… Denham said the greatest number of complaints they heard were about disclosure of information of suicide attempts or apprehensions under the Mental Health Act. [Vancouver Sun] [Times Colonist: Police Told to Restrict Background-Check Detail]

CA – New N.W.T. Health Care Legislation Raises Privacy Concerns

Privacy Commissioner says Bill 36 could allow access to confidential health records. “This Act, this bill, says an investigator may demand any information from any person and it goes on to say you can’t refuse to provide that information,” says Keenan Bengts, Information and Privacy Commissioner for the N.W.T. That, she says, could put people in a position where they have to decide whether to comply with Access to Information laws or face up to $5,000 in fines. [CBC] [In Northwest Territories, legislation that would allow the regulation of naturopaths and psychologists has prompted concerns from Information and Privacy Commissioner Keenan Bengts that the bill could violate privacy] See also: [New Brunswick is reviewing its legislation governing access to information and protection of privacy, and the public is asked to provide feedback through March 31]

CA – B.C.’s Privacy Commissioner to Investigate Saanich Spyware Concerns

Saanich Mayor Richard Atwell revealed to media Jan. 12 his concerns about the installation of employee monitoring software on his and other computers at Saanich municipal hall. “My office has been closely following recent events in the District of Saanich, where allegations have been made that spyware is being used on district-owned computers to monitor employees with or without their consent,” Denham said. “In light of many outstanding questions and concerns, I have decided to act on my own motion and initiate an investigation into whether the District’s use of employee monitoring software complies with the Freedom of Information and Protection of Privacy Act.” [Source] [Embattled Saanich Mayor Could Have the Last Laugh] [Times Colonist: Mayor Atwell Received Computer Security Form, Didn’t Sign It]

CA – Commissioner Advises Businesses on Importance of Protecting Information

Therrien said his message isn’t just for major companies but for the thousands of smaller businesses operating across Canada as 98% of companies employ fewer than 100 people. …businesses that don’t have strong privacy controls risk losing their competitive advantage in today’s increasingly privacy conscious marketplace. …About a third of all private sector privacy complaints under Canada’s federal private sector privacy law appear to involve smaller businesses. Landlords, hotels, real estate agencies, collection agencies, travel agencies, independent local retailers and financial planners are among the types of businesses in the community that are at the centre of these complaints. [Source] [Federal Privacy Commissioner Embarks on Private Privacy Campaign]

CA – What Obama’s Mandatory Data Breach Reporting Law Could Mean for Canada

Some Canadian privacy advocates are hopeful that if Obama’s proposed law has teeth, they will be able to brandish it in front of Canadian lawmakers and demand changes for Bill S-4, which is currently in front of a House of Commons committee for review. Like other privacy advocacy groups, John Lawford and his team have made a request to appear in front of this committee. [IT Business]

CA – B.C. Agency Drops Unlawful Seizure Case Without Explanation

Mr. Schwarz’s 16-month fight to keep the home ended this week, when the office abandoned the attempt without explanation. The case — described by a civil liberties expert as “outrageous” — was another black mark for the agency, which has been criticized for the aggressiveness of its operations. Some have called it a cash cow. B.C.’s Civil Forfeiture Office has seized $6-million more in property than a similar agency in Ontario that was opened three years earlier. The B.C. office does not need criminal charges or a conviction to pursue a case. [Globe & Mail]

CA – New Canadian Certification Program Puts Privacy First

“If you can embed privacy as the default setting in every practice and program, whatever the default condition is, it will prevail 80% of the time,” said Cavoukian. “If you can give that kind of assurance to your customers, they will thank you with their repeat business and attract new business opportunities.” In order to promote this outlook in Canada, Cavoukian announced a “Privacy by Design” certification program that Ryerson University will be launching in partnership with audit firm Deloitte. It’s a program that will be rolled out in the coming months to any company, including those in the channel, who want to meet a benchmark for security and privacy in the solutions they offer. It tries to take a proactive approach to preventing data loss. [Computer Dealer News] [Practical Webcast Q&A: Financial Innovation – Building an Analytic Foundation Through Privacy by Design]


CA – Concern for Privacy Has Jumped, Survey of Canadians Finds

More than seven in 10 Canadians (73%) said they feel they have less protection of their personal information in their daily lives – the highest level in a decade. Meanwhile, 60% say they have little expectation of privacy today, either online or in the real world because there are so many ways in which their privacy can be compromised. The survey of more than 1,500 Canadians was commissioned by the Office of the Privacy Commissioner of Canada and published today on the occasion of Data Privacy Day.

[News Release – Office of the Privacy Commissioner of Canada] [CBC: Cyber Surveillance Worries Most Canadians: Privacy Czar’s Poll] [Daniel Therrien: Consumers Care About How Companies Treat Privacy] [Online Privacy and Banks: Has Anyone Asked the Millennials]

US – Study: Amazon Most Trusted Company for Privacy in 2014

The Ponemon Institute released the results of its 2014 Most Trusted Companies for Privacy Study. According to the study, Amazon was the most trusted company for privacy. Other companies named in the top 10 include American Express, PayPal, Hewlett Packard, IBM, Nationwide, USAA, LinkedIn, Apple, USPS, Intuit and Mozilla. “What these companies have in common is a strong orientation to respecting their customers and providing the best possible customer service,” the Ponemon study stated. Meanwhile, according to a new study by Truste , 45% of U.S. citizens think online privacy is more important than national security. [Full Story]

US – Survey: Customers Less Willing to Share Data

A survey of Media Network readers and members on issues facing the media industry on topics ranging from data usage to remote working to privacy. The most resounding responses were related to data and its use, the report states. Only 15% of members surveyed said they feel their customers are becoming more willing to share their data; the vast majority said they feel customers are “clamming up in the face of companies requesting increasing amounts of data.” Two-thirds of respondents said it’s clear customers are concerned about their data privacy. [The Guardian] See also: [Calgary Herald: How to Legally Fly a Drone in Canada]

WW – Global Survey Finds Tech in Need of Privacy Rules

A new survey released at the World Economic Forum finds divergent opinion about issues raised by technology but also consensus on the need for stronger privacy protections. Conducted by Microsoft, Views from Around the Globe: 2nd Annual Poll on How Personal Technology Is Changing Our Lives surveyed 12,002 Internet users from 12 countries over the course of the last year. “After the broad consensus about how the web brings us great deals and boosts business, there’s a deep divergence on many issues,” said Microsoft Chief Strategy Officer Mark Penn. With the exception of India, a majority of those surveyed believe technology has had a negative effect on privacy, while every country except India and Indonesia said current legal protections for tech users are not enough. [USA Today]

US – Young Americans Split on Favoring Security Over Privacy

Overall, 63% of respondents said that they would forgo personal privacy in order to allow the government to investigate possible terror threats. Only 32% deemed it more important to preserve privacy. However, younger Americans appear to put more value on personal privacy than do their elder counterparts. Among respondents ages 18-39, 52% favored the investigation of terror threats, while 45% put more weight on privacy. In comparison, 67% of those ages 40-64 labeled investigating threats more important, as did 75% of individuals age 65 and older. Almost 95% of users aged 14–17 had checked or changed their privacy settings on social network systems, compared to an average of just 65% across all age groups. The figure dropped to 77% and 67% for users aged 18–24 and 25–34 respectively. These younger age groups, all sitting above the broad average, contrasted with figures for older users – just under 55% of those aged between 45 and 54 had checked or changed their settings, falling to 52.7% for 55 to 64-year-olds, and 32.5% for seniors. … Young people are constantly learning to navigate new norms of privacy in these emerging and shifting social contexts. A 14-year-old may be concerned about whether her mother reads her Facebook posts to her boyfriend. A 17-year-old might worry about what potential employers think of party photos. And a 19-year-old may grapple with what is appropriate to post about her working day. [Source] [Source]

WW – A Retreat for Google Glass;a Case Study in the Perils of Making Hardware

The device was pre-emptively banned by bars and large parts of Las Vegas. Legislators in West Virginia tried to make it illegal to use the gadget while driving. “There’s no vision for why people actually need this device,” Mr. Gownder said. “That’s a problem. When you don’t have that, people fill that in with their own assumptions, and right now the assumption is that this is a device for recording people.” [NYT blog]


CA – CRTC Reports First Action Under CASL

Faced with uncertainties, organizations seeking in good faith to comply have awaited with anticipation the first decisions of the regulators, in the hope that the details of these decisions will assist in clarifying their compliance obligations. Unfortunately, those hopes will likely be dashed … The report is not a “report” per se, but rather is a press Release. Partially as a result of this, the Release reads more like a dispatch from the frontlines then a useful report on a CASL inquiry. [Lexology] [Financial Post: What You Need to Know About the Hidden, Rolling CASL Deadlines]

WW – The “Dirty Dozen” SPAMPIONSHIP: Who’s the biggest? Who’s the worst?

For years, the USA has come out at the top of our spam by volume chart. That has been a simple side-effect of cheap and fast internet access available to a large population that owns lots of computers. But China has been flirting with top spot for the previous year, and finally cracked that dubious honour in the last quarter of 2014. [Naked Security]

Electronic Records

CA – Anti-Abortion Activist Fired In Patient Privacy Breach

Anti-abortion activist fired after a hospital privacy breach in which hundreds of patient records and abortion files were inappropriately accessed. Ontario’s acting privacy commissioner, Brian Beamish, says that an investigation was launched after Peterborough hospital informed his office about a privacy breach. The commission found that the hospital had “responded reasonably” to the breach, he said. [Star]


US – Obama’s Data Security Plan: Do as I Say, Not as I Do

A recent report on data security practices, programs and defenses at the Department of Homeland Security points toward what may well be a horrible train wreck to come. According to the report, “Widespread weaknesses in the federal government’s information security practices represent a significant vulnerability that could be exploited by adversaries, creating a potential threat to national security and American citizens.” [ABC News]

WW – Global Encryption Market Could Top $2B

A new report from Allied Market Research states that the global encryption software market will reach as much as $2.16 billion in the next five years. And encrypted messaging company Wickr has released a new self-destructing photo feed that uses cat memes to encrypt data.

EU Developments

EU – Council of Europe: Mass Surveillance Does Not Stop Terrorists

The Council of Europe says mass surveillance is ineffective in the fight against terrorism, threatens human rights and violates the privacy enshrined in European law. A 35-page document drafted by Dutch MP Pieter Omtzigt says the EU’s member states should take measures before “the industrial-surveillance complex spins out of control.” The report provides recommendations to the European Court of Human Rights. [Vice News]

US – Report Finds No Substitute to Gathering Bulk Intelligence

“There are no technical alternatives that can accomplish the same functions as bulk collection and serve as a complete substitute for it; there is no technological magic,” the report said. … However, a blue-ribbon panel set up by Obama following Snowden’s revelations reported it could find no evidence that sweeping collection of the telephone metadata of Americans led to a single major counter-terrorism breakthrough. [Reuters]

EU – DPAs to Meet on Safe Harbor’s Future

German data privacy commissioners will meet in Berlin for their annual conference to discuss whether the Safe Harbor agreement between the EU and the U.S. should be scrapped. The meeting will allow German regulators to voice ongoing frustration over the lack of reform following the Snowden revelations, which revealed the NSA was collecting German citizens’ data. “I, as well as several of my German colleagues, have serious doubts about whether U.S. companies that have self-certified under the agreement can be considered to be in a safe harbor,” said Berlin’s commissioner for data and information. [ZDNet] [DPA: Data-Transfer Agreement Needed Now]

EU – Facebook Class-Action to Commence in April

A court date for a class-action lawsuit against Facebook has been set by an Austrian court. Scheduled for this April, the Vienna Regional Court will hear a case involving Max Schrems and his group Europe-v-Facebook. In the case, Schrems claims Facebook violates EU law by tracking users on external websites via social plugins. [PC World]

EU – Reding: Legislation Needed to Level Tech Playing Field

MEP Viviane Reding said European legislators are seeking to finalize negotiations on a digital single market that aims to level the playing field for European technology companies. “For months, European government officials and regulators have clashed with the likes of Google, Amazon.com and Facebook over everything from taxes to privacy,” the report states. Reding said she wants to see single-market legislation this year. “American companies come from outside and act as if it was a lawless environment to which they are coming. There are conflicts not only about competition rules but also simply about obeying the rules,” she said. [The Wall Street Journal] [The European Commission says it wants to have a single cross-continent data protection law in place by the end of the year, claiming it will bring major benefits to consumers and businesses]

EU – EDPS Buttarelli Says EU Must Be Global Voice Amidst Tensions With U.S.

“Europe needs to be at the forefront in shaping a global digital standard for privacy and data protection which centres on the right of the individual,” said European Data Protection Supervisor Giovanni Buttarelli. These comments came during a speech, as data protection tensions between the EU and U.S. rise. Buttarelli said he and Assistant Data Protection Supervisor Wojciech Wiewiórowski want to alter the office’s role to become advisory and supervisory, the report states. “The goal for my mandate is for the EU to speak with one voice on data protection, a voice which is credible, informed and relevant,” he added. [Euractiv]

EU – Other News

Facts & Stats

WW – Legislators, Industry Busy on Data Privacy Day

Lawmakers and other industry groups showed solidarity with Data Privacy Day. Senators sent U.S. Attorney General Eric Holder a letter questioning the Drug Enforcement Agency’s vehicle-tracking database. Co-chairs of the Congressional Bi-Partisan Privacy Caucus called for better privacy protections. Additionally, some industry groups called for a revamp of the Electronic Communications Privacy Act (ECPA). Sens. Patrick Leahy (D-VT) and Mike Lee (R-UT) also renewed attempts to overhaul ECPA. Separately, a Senate panel began work crafting cybersecurity legislation. Loretta Lynch, the current nominee for U.S. Attorney General, said electronic privacy protection will be a priority for her. Meanwhile, SC Magazine reports on how organizations can prepare for privacy legislation in 2015. [Broadcasting & Cable]

US – Benchmarking on Industry Use of PIAs

TRUSTe revealed results from a comprehensive survey of privacy professionals working across the globe and industry sectors for large organizations on how they implement privacy impact assessments (PIAs). Up to this point, there has not been much data available on industry use of PIAs. The two biggest obstacles for implementing PIAs, according to TRUSTe, are budgetary concerns and available time to conduct them. [Privacy Advisor]

US – OTA: More Than 90% of Breaches Preventable

A report released from the Online Trust Alliance (OTA) found that more than 90% of the data breaches that occurred from January to June 2014 could have been prevented. The OTA’s 2015 Data Protection Best Practices and Risk Assessment guides found 40% of the thousands of breaches analyzed were due to external intrusions; 29% by employees—either accidentally, maliciously or due to a lack of controls—and 18% resulted from lost or stolen devices. The report recommends companies enforce effective password management with multi-factor authentication and permit only authorized wireless devices to connect to company networks, among other recommendations. [MediaPost]

US – Info Security Leads All IT Spending

ESG research indicates “security/IT risk management initiatives” are the leading area for IT spending in the upcoming year, jumping from 34% of all responses in 2014 to 46% of all responses in 2015. Security issues have never before topped the list. It’s certainly not surprising, given reports like SC Magazine’s that “PCI compliance is not synonymous with security“ and SplashData’s that “123456” yet again tops the list of the most popular passwords . Perhaps, however, the private sector can look to its colleagues in the public sector. Nextgov reports survey results find that government agencies are actually better at responding to hacks than the private sector. [NetworkWorld]


WW – OECD, G20 Unanimously Endorse Global Automatic Information Exchange

This global automatic information exchange initiative is based on each jurisdiction’s participation in the OECD’s Multi-lateral Convention on Mutual Administrative Assistance in Tax Matters. The information exchange itself will follow the OECD’s Standard for Automatic Exchange of Financial Account Information in Tax Matters (first released in July 2014). This automatic information exchange “draws extensively on the intergovernmental approach to implementing FATCA” and is designed to be implemented via a combination of multi-lateral conventions and bi-lateral competent authority agreements….This is a significant development in the global trend towards information sharing. [Mondaq] [JD Supra: FATCA Data Sharing Goes Online] SEE ALSO: [WW – ‘The Age of Financial Privacy is Over’]

US – Credit Union Industry Wants Retailers Held to Equal Standards

The Credit Union National Association sent a letter to Congress saying retailers and banks should be held to the same standard. “The financial industry is required by law to develop and maintain robust internal protections to combat and address criminal attacks and (is) required to protect consumer financial information and notify consumers when a breach occurs” that could put customers at risk, the letter said. “The same cannot be said for other industries, like retailers, that routinely handle this same information and increasingly store it for their own purposes.” [The Hill] SEE ALSO: [The New York Times: Future of Lending May Focus on Behavior, Not Credit History]

CA – RBC Customer’s Bank Accounts Looted 3 Times by Identity Thieves

Bank says it took ‘reasonable steps’ to protect Meghann Johnston’s accounts, “I was extremely upset that time. This is the third time and they had accessed funds that I had delegated to something else and [RBC] had accepted the same fraudulent ID and this person just walked out with, again, thousands of dollars of my money.” Johnston says her wallet has never been stolen, so she doesn’t know how the fraudster or fraudsters got hold of her personal information. “I do not blame RBC for that, but I do blame them for refusing to institute higher security procedures for my account to prevent the fraudsters from doing this over and over again.” [CBC] [Krebs: How Was Your Credit Card Stolen? ]

WW – Improving the Privacy of the Internet Currency Bitcoin

Several Bitcoin users form a sort of sworn community in advance. To hide the source of their transactions, each one of them conforms to a certain pre-determined succession of actions – the so-called CoinShuffle protocol, which was developed by Kate and his team. Every participant decodes the list of recipient addresses he has received, adds his own to it and forwards the encrypted list to the next participant. This process is repeated with every participant. In this way they shuffle the order of the addresses and hence the traces to the recipient, similar to shuffling a deck of cards. [ECN Mag]


US – Library Strives to Archive the Internet

Is it true that what is on the Internet will stay there forever? “Chances are, though, that it actually won’t.” The report details posts and stories that have disappeared amidst the concerns that those embarrassing details live forever on the web. “Web pages don’t have to be deliberately deleted to disappear. Sites hosted by corporations tend to die with their hosts. When MySpace, GeoCities, and Friendster were reconfigured or sold, millions of accounts vanished,” the report states. With one study showing many URLs have ceased to link to the original information being cited, approximately 1,000 librarians and activists from across the globe are identifying acquisitions for the Internet Archive, a nonprofit library. [The New Yorker]


US – DNA Database Raises Privacy Concerns

A state database containing DNA samples of 16 million Californians is raising concerns among privacy advocates and a state lawmaker. Samples are taken from virtually every baby born in the state to screen for more than 80 health disorders. The frozen samples are stored indefinitely and are shared with genetic researchers for a fee. California officials say the biobank is secure, but some are concerned the sensitive data can be misused. “Throughout the process,” Council for Responsible Genetics President Jeremy Gruber said, public knowledge and consent is “almost completely” absent. Assemblyman Mike Gatto (D-Glendale) said, “Imagine the discrimination a person might face if their HIV status or genetic predisposition to a mental disorder were revealed to the public.” [Los Angeles Times]

Health / Medical

US – President Unveils Medical Research Plan

President Barack Obama wants to dedicate $215 million in next year’s budget to a research initiative that would be aimed at helping doctors develop personalized medical treatments for their patients. Obama unveiled his “Precision Medicine Initiative,” for which he says he has bipartisan support. [MSNBC]

US – Healthcare Privacy, Security Measures Included in ONC Draft

The Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology’s new draft roadmap. “Connecting Health and Care for the Nation: A Shared Nationwide Interoperability Roadmap Version 1“ aims to help share healthcare information and also maintain privacy. [HealthIT Security]

US – HealthCare.gov Raises New Privacy Concerns

New privacy concerns have been raised about the HealthCare.gov website that helps U.S. citizens get health insurance. A number of third-party vendors are embedded into the site, giving them potential access to user ages, incomes and zip codes as well as other details such as whether the user smokes or is pregnant. Although there is no evidence any such data has been misused, the amount of outside connections to the site worries some. Corporate cybersecurity consultant Theresa Payton said, “Vendor management can often be the weakest link in your privacy and security chain.” A spokesman for Medicare said vendors “are prohibited from using information from these tools on HealthCare.gov for their companies’ purposes.” [Associated Press] [New Privacy Concerns Over Health Care Website]

US – Advocates Want More from HealthCare.gov

Privacy advocates say the Obama administration needs to make more changes to protect consumer privacy on the government’s health insurance website. The administration scaled back the release of personal information from HealthCare.gov following a report that such details as consumers’ income and tobacco use were going to private companies that have “a commercial interest in the data,” the report states. The Department of Health and Human Services is adding a layer of encryption to the site. Advocates, however, continue to push for more protections. [PBS]

US – Lawmakers Concerned About HealthCare.gov Data-Sharing

Lawmakers pressed officials about consumer data on HealthCare.gov being shared with outside companies during a House hearing. The hearing follows revelations last week that the website was giving sensitive information about enrollees to private companies for advertising and data analysis, the report states, resulting in renewed privacy concerns. “They sell that information to any number of people,” said Rep. Dan Newhouse (R-WA), wondering “whether that makes the website more vulnerable.” Newhouse questioned an official from the National Institute of Standards and Technology on the issue, who declined to speak on specifics but said privacy concerns “are taken into account.” [The Hil]

US – Researchers: Health Apps Need to Get Better at Privacy

New research suggests security and privacy worries “are likely impeding the widespread use of thousands of mobile health applications since an overwhelming majority require access to sensitive personal data.” A team of researchers from Germany’s University of Cologne reviewed more than 24,400 English-language smartphone and tablet apps available in 2013. Nearly 95% of the apps “could cause ‘potential damage’ to users’ security and privacy through information leaks, manipulation, loss and value to third parties,” the report states. The researchers recommend app developers “be sensitized to potential threats” the researchers said, and focus on improved security and privacy protections. [FierceMobileGovernment]

US – OCR Criticized for Lack of Robust HIPAA Enforcement

Various privacy and security experts are criticizing the lack of robust enforcement of HIPAA violations by the Department of Health and Human Services’ Office for Civil Rights (OCR). Last year, the OCR said it would ramp up HIPAA audits of nearly 350 covered entities and 50 business associates, but, according to the report, that next phase has been delayed. At a media briefing last week, OCR Director Jocelyn Samuels said the agency will launch its next phase “expeditiously” but did not detail exactly when. Security consultant Tom Walsh said, “The delay could be like the ‘boy who cried wolf’ … After a while, organizations will begin to think, ‘It will never happen.’ Or, ‘It will never happen to us.’” [Gov Info Security]

US – Healthcare Breaches Need a Cure for Human Errors

As digital health records increase by the millions, criminals know that the biggest weakness in securing them is human, not technology. “Hackers are generally efficient – they look for the easiest path to exploit,” Berger said. “Unfortunately today, the weakest link is the employee population and their lack of security awareness. Phishing attacks are disturbingly successful. And it only takes one employee to get duped for the hacker possibly to gain their credentials and pivot to exploiting a database of PHI.” [CIO]

Horror Stories

US – VPPA Class Actions Remain

A number of U.S. courts are weighing privacy class-actions. federal judge dismissed a class-action claiming Dow Jones violated the Video Privacy Protection Act (VPPA), while Law360 reports that a recent court dismissal of VPPA claims against Google will not end such class-actions. Hulu viewers, for example, allege the company violated the VPPA when it shared data with Facebook. Separately, the Seventh Circuit has been urged to revive a data breach lawsuit against Nieman Marcus.

US – Privacy Concerns Over State’s Medical Marijuana Email to Patients

More than 6,800 patients received e-mails in the last three months telling them they’d been approved for Massachusetts’s medical marijuana program. The e-mails contained detailed personal information, much to patient advocates’ dismay. The state’s health department has started altering its emails, removing references to medical marijuana from the subject line and removing patients’ full names and unique program registration numbers from the body of the message. A Massachusetts attorney said the email notification violates a 2008 consumer protection statute by former governor Duval Patrick. [Boston Globe] See also: [Turbotax’s Database Knows Your Secrets]

AU – Teenage Hacker Leaks 870K ATC Records

In what Will Ockenden described in an ABC News report as “a privacy breach that touches some of the country’s most senior figures in the courts, police, government, business and media,” more than 870,000 personal records from the December breach of insurer Aussie Travel Cover (ATC) have been shared on the Internet by a teenage hacker. “ATC was notified of the intrusion on December 23, but failed to immediately notify customers and policy-holders,” noting Queensland-based hacker Abdilo “stole troves of data from two of the company’s databases, which contained a total of more than 870,000 personal records” including names, addresses and partial credit-card numbers. [SC Magazine]

US – Home Depot Has Until July to Respond to Suits

Following one of the first court hearings for the class-action lawsuit following Home Depot’s data breach, the court gave the retailer “until July to respond to allegations that its massive data breach was caused by the company failing in its obligation to comply with security standards and to protect its customers’ personal information.” At a hearing last week in a U.S. District Court in Atlanta, GA, Judge Thomas Thrash also “established two separate tracks for the litigation, one for consumers and a second for financial institutions,” the report states, and gave Home Depot until July 1 to respond to consumer’s allegations and July 15 to respond to those of financial institutions. [Atlanta Business Chronicle]

Private Details Leaked After Travel Insurance Company Hacked

It’s a privacy breach that touches some of the country’s most senior figures in the courts, police, government, business and media. But it’s not just the influential who’ve had their private details stolen. Database logs show it could affect hundreds of thousands of Australians. [ABC]

MX – Liverpool Systems Hack Could Cost More than $1M

A December attack on retailer Liverpool systems in Mexico could cost at least 107 million pesos (approximately one million USD), including compensation for damage to the company’s clients and any fines imposed by the data protection authority (IFAI). In the attack, cybercriminals accessed bank account information, addresses and personal information of customers. IFAI could fine the company 18 million pesos. Liverpool is the third largest issuer of credit cards in Mexico. (Article in Spanish.) [Full Story]

WW – If You Use Either of These WordPress Themes Update Them Now

Older versions of the Platform theme contain a remote code execution bug that could allow any attacker to completely take over a website running the vulnerable theme. Older versions of both Platform and PageLines contain a privilege escalation bug that could allow users with an account to turn themselves into an administrator with total control of a site. [Naked Security]

NZ – Abortion Data Handed Out By Mistake

The personal medical information from 2011-13 confirms the terminations took place in Tokoroa Hospital, Thames Hospital, Waikato Hospital and Anglesea Procedure Centre. The medical information includes dates of birth, National Health Index numbers, ethnic descriptions, termination details and the suburb in the town where the women live. The Ministry of Health is investigating and the health board has apologised for the breach. [Source]

US – 11th Circuit Allows FTC Data Breach Case Against LABMD to Proceed

The Eleventh Circuit did not address the issue of the FTC’s authority to enforce healthcare privacy standards. Instead, the Eleventh Circuit held that before a federal court will review the case, LabMD must first exhaust its administrative remedies, which means LabMD must first go through the FTC administrative hearing process until the FTC makes a final decision. The Eleventh Circuit ruled that only then will LabMD be able to ask the federal courts to weigh in on the FTC’s authority. [National Law Review]

US – Warehouse Fire Exposes Sensitive Documents

A highly visible fire in Brooklyn, NY, has exposed reams of sensitive documents, including decades’ worth of medical records, court documents and financial data. One observer said of the documents, “They’re like treasure maps but with people’s personal information all over them.” The city has sent a disaster-recovery team to collect the exposed documents, even though “beachcombers sifted freely through the trove of documents, picking their way through remnants of the days when many records were on paper and the city government was one of the few takers for north Brooklyn’s waterfront land.” [The New York Times]

Identity Issues

WW – Researchers Can Identify Anonymous Shoppers

By using relatively few pieces of data, researchers were able to identify “anonymous” shoppers. In a study called “Unique in the Shopping Mall: On the Reidentifiability of Credit Card Metadata,” a group of data scientists analyzed credit card transactions of 1.1 million shoppers in 10,000 stores during a three-month period. Though the data had been stripped of personal details, including names and account numbers, knowing four random pieces of data was enough to reidentify 90% of the shoppers, the report states. The research is part of a larger special issue of Science , dedicated to “The End of Privacy.” [The New York Times] [Associated Press]

US – Experian Launch Fraud Surveillance and ID Theft Resolution Offering

ProtectMyID® now includes payment card fraud monitoring at consumers’ fingertips with the BillGuard mobile app … Members of Experian’s ProtectMyID can now download the BillGuard mobile app and access both their ProtectMyID alerts and BillGuard features within the BillGuard mobile app. [NewsWire]

Intellectual Property

WW – How to Hide Your Online Identity With a VPN Service

VPN services mask user’s locations and help them stay hidden on the internet. It’s still unclear if VPN services located in Canada or operating within the country will be subject to the section of Canada’s Copyright Modernization Act that forces ISPs to send out notice-and-notice letters to their customers, given how ambiguous the language in the act currently is. Some VPN services like Toronto-based Tunnelbear have already banned the use of Torrents on their network in order to avoid future legal complications. [Source]

Internet / WWW

US – FTC Report on Internet of Things Urges Companies to Adopt Best Practices to Address Consumer Privacy and Security Risks

A new FTC report recognizes that rapid growth of connected devices offers societal benefits, but also poses risks that could undermine consumer confidence. The report takes a flexible approach to data minimization. Under the recommendations, companies can choose to collect no data, data limited to the categories required to provide the service offered by the device, less sensitive data; or choose to de-identify the data collected. [FTC] SEE ALSO: [Privacy Law Blog: US and UK Regulators Position Themselves to Meet the Needs of the IoT Market] | [Tech Liberation: Some Initial Thoughts on the FTC Internet of Things Report] | [TechCrunch: What Happens to Privacy When the Internet is in Everything?] | [CSO Online: Five Myths (Debunked) About Security and Privacy for Internet of Things]

UK – Regulator Calls for International Standards

Ofcom, a telecommunications regulator in the UK, has called for international industry standards on privacy in the Internet of Things (IoT). In an outline published the same day the U.S. FTC released a highly anticipated report on IoT , Ofcom wrote, “We have concluded that a common framework that allows consumers easily and transparently to authorize the conditions under which data collected by their devices is used and shared by others will be critical to future development of the IoT sector,” adding, “We consider that these approaches should ideally be agreed internationally where possible, so as not to inhibit sale and use of IoT devices and services across international boundaries…” [GigaOM]

WW – At World Economic Forum: Researchers Say Privacy is Dead

Harvard professors at the World Economic Forum in Davos pronounced that privacy is effectively dead. “Privacy as we knew it in the past is no longer feasible,” said Margo Seltzer, a professor in computer science at Harvard University. Another researcher said intelligence agencies’ use of personal genetic information will increasingly enter the public sphere and that, “We are at the dawn of the age of genetic McCarthyism.” [The Daily Mail] [Privacy Is Dead, Davos Hears]

WW – Commissioner Calls for New UN Agency

In Davos this week, the European Commissioner for the Digital Economy said a UN agency for data protection and data security is needed to protect the confidential and personal information of citizens around the world.

US – Microsoft’s Smith: Laws Need to Be Modernized

Microsoft’s Brad Smith “has called for an accord between the EU and the U.S. to make it easier for law enforcement authorities to access and share citizens’ data,” Financial Times reports. Meanwhile, during the Charlie Hebdo attacks in France, “Microsoft Corp. handed the FBI data linked to the Charlie Hebdo probe within an hour of being asked,” prompting Smith to point out “the system can work and that extra snooping should only happen if strictly regulated,” the report states. Smith noted laws should “be ‘modernized’ to allow the rule of law, including the Internet, to work across national borders,” the report states. [Bloomberg Businessweek]

UK – ICO Investigation Prompts Google to Change Privacy Policy

The UK Information Commissioner’s Office (ICO) has announced Google will sign an undertaking requiring it to be more transparent about how it collects and uses personal data through its services. According to an ICO press release, Google has been too vague in how it processes users’ data. ICO Head of Enforcement Steve Eckersley said, “Google’s commitment today to make these necessary changes will improve the information UK consumers receive when using their online services and products,” adding that organizations need “to properly understand the impact of their actions and the requirement to comply with data protection law.” Google must now make the necessary changes by June 30 and “take further steps over the next two years.” [Full Story]

WW – TRUSTe Approved as APEC Accountability Agent

The 21 APEC Member Economies have unanimously approved TRUSTe as an Accountability Agent for its Cross-Border Privacy Rules (CBPR) System. The CBPR System is a self-regulatory code of conduct addressing cross-border data flow between member economies; currently Japan, Mexico and the U.S. participate in the program. “As an Accountability Agent, TRUSTe will continue to review, certify, monitor and enforce the privacy practices of participating U.S.-based companies or subsidiaries to ensure compliance with the CBPR system,” the release states. [Full Story]

Law Enforcement

US – Gov’t to Pay for Impersonating Woman on Facebook

In a settlement announced this week, the federal government agreed to pay $134,000 to a New York woman, Sondra Arquiett, who accused a Drug Enforcement Administration agent of impersonating her on Facebook without her permission. In 2011, the agents impersonated Arquiett by creating a Facebook page of her posing with her son and niece to investigate an alleged drug ring. Privacy advocates are worried such tactics pose unique threats, the report states. Meanwhile, lawmakers on the Senate Judiciary Committee raised concerns yesterday about radar devices that allow police officers to effectively see into suspects’ homes. [The Wall Street Journal]

US – Body Cameras for L.A. Police: Access to Video, Privacy Among Concerns

Some San Fernando Valley residents are concerned about privacy and access to LAPD body-camera footage. “We’re going to be having on-body cameras,” Soboroff said. “American law enforcement is going to have on-body cameras. It’s a transformational movement in law enforcement.” [LA Times]

US – Law Firm Takes on Revenge Porn

In September, Pittsburgh-based law firm K&L Gates launched its Cyber Civil Rights Legal Project in order to advise victims of revenge porn, and it now has about 50 lawyers volunteering their time. The program advises victims on legal steps to sue for damages and “works with victims to consider the pros and cons of reporting online abuse to prosecutors.” One novel approach the firm takes is to use copyright law to sue people for unauthorized posting of images. “Copyright is not designed to deal with revenge porn; it just happens to give you a remedy,” says K&L Gates Partner David Bateman, noting it’s not “perfect and won’t be available in all situations.” [The New York Times]

US – FTC Charges Website Operator for Revenge Porn Deception

The FTC has charged an operator of an alleged revenge porn website for using deception to acquire intimate photos of women then referring them to another website he owned where they could have their photos removed for hundreds of dollars. Craig Brittain is banned from publicly sharing such intimate photos without the subjects’ affirmative express consent. He must also destroy the photos in his possession and the contacts made while operating the site. FTC Bureau of Consumer Protection Director Jessica Rich said, “This behavior is not only illegal but reprehensible,” adding, “I am pleased that as a result of this settlement, the illegally collected images and information will be deleted and this individual can never return to the so-called ‘revenge porn’ business.” [FTC press release]

US – Gov’t Has Massive License-Plate Database; Police Want Waze to Go Away

The U.S. Department of Justice has built a nationwide database to track the movement of vehicles in real time. The covert intelligence program scans and retains hundreds of millions of motorists’ records. According to documents acquired by the American Civil Liberties Union (ACLU), more than 100 cameras in at least seven states have been set up to snap shots of and store license plates of every passing vehicle. Records on vehicles that are not part of existing investigations have their images deleted after six months, a time period the ACLU argues is “far too long.” Meanwhile, some law enforcement officials are concerned that mobile traffic app Waze can be used by bad actors to hunt and harm police officers. [The Wall Street Journal] [Police Can’t Have It Both ‘Waze’ on Expectation of Privacy In Public]

US – GPS Act Would Restrict Cops’ Use of ‘Stingrays’ and Other Phone Surveillance Tech

Many local, state and federal police agencies using Stingrays first bought them with the stated intention to use them to fight terrorism. Since Stingrays have become more prominent, police have reluctantly admitted using them to investigate crimes including murder and cell phone robbery. A November Wall Street Journal report revealed that the U.S. Marshals Service has flown Cessna airplanes equipped with Stingray-like devices known as “dirtboxes” in the sky over at least five major U.S. airports. [IB Times]

US – Lawmakers Push to Require a Warrant for GPS Tracking by Police

“Buying a smartphone shouldn’t be interpreted as giving the government a free pass to track your movements,” Sen. Ron Wyden (D-Ore.), one of the bill’s authors, said in a statement. “GPS data can be a valuable tool for law enforcement, but our laws need to keep up with technology and set out exactly when and how the government can collect Americans’ electronic location data.” Courts have so far been mixed about which legal protections apply for information about people’s location. [The Hill]

US – New Police Radars Can ‘See’ Inside Homes

At least 50 U.S. law enforcement agencies quietly deployed radars that let them effectively see inside homes, with little notice to the courts or the public. Those agencies, including the FBI and the U.S. Marshals Service, began deploying the radar systems more than two years ago with little notice to the courts and no public disclosure of when or how they would be used. The technology raises legal and privacy issues because the U.S. Supreme Court has said officers generally cannot use high-tech sensors to tell them about the inside of a person’s house without first obtaining a search warrant. [USA Today]

US – Video Rule for TTC Hampers Hunt for Sex Attacker

Efforts to track the man down have been hampered because security camera footage from the bus was erased by the time investigators went looking for it…After 15 hours of operation, video stored within cameras on buses and streetcars is “overwritten,” explaining that time limit was mandated by Ontario’s privacy commissioner when the TTC installed the cameras. [Toronto Sun]

US –Seized-Asset Sharing Process Split Billions With Local, State Police

Attorney General Eric Holder is barring local and state police from using federal law to seize cash, cars and other property without proof that a crime occurred – the most sweeping check on police power to confiscate personal property since the seizures began three decades ago. Holder’s decision allows limited exceptions, including illegal firearms, ammunition, explosives and property associated with child pornography, a small fraction of the total. This would eliminate virtually all cash and vehicle seizures made by local and state police from the program. [Washington Post] [PBS: Will Federal Reforms on Civil Forfeiture Mean More Police Accountability?]


US – Advocates Concerned About FCC Location Data Requirements

“Americans dial 911 nearly 240 million times a year, and 70% of the calls are made on cell phones,” noted a 2013 study that found that more than 10,000 people die each year because the location data wireless providers transmit to emergency personnel is insufficiently precise. So the FCC voted 5-0 to improve the indoor location of wireless 911 calls, requiring major telecommunications companies to provide horizontal-location information, within 50 meters of a caller, and vertical information—what floor a caller is on—for 67% of emergency calls. In five years, they’d be required to provide that information for 80% of emergency calls. Civil liberties groups say the plan lacks any mention of privacy safeguards. [Newsweek]

US – Using the FTC Casebook to Find Your Geolocation Strategy

The IAPP Westin Research Center has launched its FTC Casebook. This digital resource, free only to IAPP members, contains the more than 180 FTC privacy and data security enforcement actions the FTC has initiated since 1998, each one tagged, indexed and full-text searchable. The Casebook’s benefits and functionality (which have been described, narrated and reviewed over the past week) were developed with the intention of making IAPP members roles as a privacy professionals a little easier.


The Compliance Challenges That Can No Longer Be Ignored

APEC members Singapore, Malaysia, the Philippines, South Korea and Taiwan, have all passed comprehensive data privacy regimes in the past five years. India enacted an IT law in 2011, which tracks a similar principle-based approach to data privacy. Perhaps most significantly, China has also passed a whole raft of legislation in this area in recent years, both industry specific and of more general application. [HLDA]

Online Privacy

US – No ‘Right to Be Forgotten’ Even if Record is Expunged: 2nd Circuit

After her record was expunged, Martin asked news organizations to take down the articles. Hearst and News 12 Interactive refused, arguing that they had accurately reported the fact of Martin’s arrest. So in July 2012, Martin sued Hearst and News 12 in federal court in New Haven, Connecticut, for libel, invasion of privacy and infliction of emotional harm. The news stories they refused to change or delete, her lawyers said, may have been accurate at the time of her arrest. But once the state erased her record, they argued, stories of her arrest were false and defamatory. The 2nd U.S. Court of Appeals sided with the news organizations and upheld the dismissal of Martin’s case. The erasure of Martin’s record, wrote Judge Richard Wesley for a panel that also included Judges John Walker and Dennis Jacobs, does not change historical truth, however much she might wish otherwise. “The Moving Finger has moved on,” Wesley wrote, paraphrasing Omar Khayyam. The opinion also cited previous rulings in which state courts in New Jersey, Oregon and Massachusetts held that expungement statutes don’t change history, merely what former defendants are permitted to say about the past. [Reuters] [Courthouse News: Woman Can’t Scrub Arrest from the Internet]

US – Circuit: Reports of Dismissed Arrest Not Libel

“In short, the Erasure Statute requires the state to erase certain official records of an arrest and grants the defendant the legal status of one who has not been arrested,” Wesley said. “The statute creates legal fictions, but it does not and cannot undo historical facts or convert once-true facts into falsehoods.” Here, it was uncontroverted that Martin was arrested and the reports of her arrest were true. “Neither the Erasure Statute nor any amount of wishing can undo that historical truth,” he said. “The Moving Finger has written and moved on.” [New York Law Journal] [Wall Street Journal: Some Things Should Not Be ‘Forgotten’] | [Right To Be Forgotten and Right To Be Remembered]

US – Verizon to Allow Opt-Out of “Supercookies”

Verizon has agreed to allow users to opt out of “supercookies” after criticism from privacy advocates and others that included a consumer petition circulated by the EFF and calls from Consumer Watchdog for regulators to tighten the data-sharing regulations on wireless carriers. Sen. Bill Nelson (D-FL) said the Commerce Committee will investigate the company for its use of “supercookies,” and in a letter for Fusion , tech reporter Kashmir Hill tells the company, “Putting a tracking code on my Internet activity without telling me or giving me a right to say no is not okay.” While this change represents an about-face, EFF Lawyer Nate Cardozo says, “What they really should be doing is opt-in.” [New York Times] [EFF: How Verizon and Turn Defeat Browser Privacy Protections]

US –Turn Suspends “Zombie” Cookie Program

After a ProPublica report on so-called “zombie” cookies used by Turn and Verizon, Turn has announced it is suspending the program pending re-evaluation. Turn Chief Privacy Officer Max Ochoa wrote, “We are confident that our practices, including the re-association of a Turn cookie ID with a Verizon UIDH (Unique Identifier Header) comply with self-regulatory guidelines and principles regarding consumer opt-out through these tools,” but added, “we have heard the concerns and are actively re-evaluating this method.” He said by February, Turn will not “respawn” cookie IDs associated with Verizon’s UIDH. Ochoa also noted that, “As part of this re-evaluation, Turn is engaging with media and industry participants including advocates to further educate and inform regarding industry-wide practices.” A Verizon spokeswoman told AdAge, “The intent of the UIDH is to be used as part of our advertising programs, which have robust privacy protections, not as described in recent media reports.” [Full Story]

WW – Datacoup Wants Users to Monetize Their Data

Yahoo CEO Marissa Mayer said technology firms must give users the ability to control their data in order to strengthen trust in the digital marketplace. “I think controlled consent, the idea that you are actively acknowledging what you’re doing and are being very open about how the data is being used and where it’s going to flow” is the future, she said, adding, “We take active commercial decisions not to do certain things with data.” CNBC reports on Datacoup, a company attempting to give users the ability to aggregate and monetize their personal data. “If people begin to understand what their data is worth by using a service like Datacoup, Google’s revenue model (could) collapse,” one analyst said. [The Drum]

UK – Data Protection Issues of Growing Importance to Retailers, Says Expert

Addressing data privacy and security issues is becoming an increasingly critical function of UK retailers’ business, a legal expert in the retail sector has said. “Cyber security is sufficiently important to demand the attention of senior managers and board room members in the retail sector,” Leman said. “For the chief information officer, they will want to know just how good the security measures deployed by their company are, whilst general counsels need to be confident that they can demonstrate their business did everything it could to protect data and had an effective incident response plan the company acted on in the event of a breach. The Target data breach case in the US highlighted the importance of IT security to retailers as well as the consequences there can be for senior executives and their jobs.” [Out-Law]

US – Companies Launch Offline-Online Ad Retargeting Platform

A Norway-based startup and a U.S. location-based marketing firm have announced plans to launch a global partnership with the ability to use data gleaned from in-store beacons to retarget consumers online. Together, Unacast and Total Communicator Solutions hope to accomplish an industry first by connecting the offline and online shopping worlds. The platform works when shoppers install the app and turn on Bluetooth on their phones. If they’ve opted in, when they walk into a store to look at shoes, for example, they’ll receive a personalized message; plus, days, weeks or months later, they will likely see ads for the products they browsed while in the store. [Business Insider] [Now Advertisers Can Use Beacons to Make the Shoes You Were Looking at Inside a Physical Store Follow You Around the Internet

US – FTC’s Rich Warns Ad Industry About Privacy

FTC Consumer Protection Director Jessica Rich expressed strong words to ad companies at an industry event. She said the industry should not “play games about what ‘sensitive data’ means, such as defining medical data to mean only official medical records.” Rich also discussed the self-regulatory codes of the Network Advertising Initiative (NAI) and the Digital Advertising Alliance (DAA), noting that both define “sensitive” data differently. “The NAI code is stronger than DAA’s in this regard,” she noted. Recognizing that behavioral ads do have some benefits, Rich also discussed enhanced forms of online tracking and that consumers “who know about tracking and want to avoid it can’t do so effectively.” [MediaPost]

WW – Mozilla Tightens Referrers for Improved Privacy

Mozilla is tweaking its referrer header to help websites protect their users’ privacy, according to a Mozilla blog post. Principal Security and Privacy Engineer Sid Stamm writes, “as the web got more complex, the amount of information in the referrer header ballooned, leading to bigger privacy problems.” Stamm notes that “HTTP Referrer provides a wealth of information about where you came from to the sites you visit, but this context isn’t always necessary (or desired) … What’s needed is a better way for referring sites to reduce the amount of data transmitted and thus providing a more uniform referrer that’s less privacy-invasive.” [Full Story]

Other Jurisdictions

WW – Introducing: The DPAs Alumni Network

Former UK Information Commissioner Richard Thomas, now global strategy advisor to the Centre for Information Policy Leadership, has announced the creation of a new Alumni Network for former privacy and data protection commissioners around the globe. A relatively informal network, the group has already collected more than 30 former commissioners and is looking to spread the word and expand. [The Privacy Advisor]

CN – New Rules in China Upset Western Tech Companies

The Chinese government has adopted new regulations requiring companies that sell computer equipment to Chinese banks to turn over secret source code, submit to invasive audits and build so-called back doors into hardware and software. …The new rules, laid out in a 22-page document approved at the end of last year, are the first in a series of policies expected to be unveiled in the coming months that Beijing says are intended to strengthen cybersecurity in critical Chinese industries. As copies have spread in the past month, the regulations have heightened concern among foreign companies that the authorities are trying to force them out of one of the largest and fastest-growing markets. [NYTimes]

EU – Spanish Court Rules on RTBF; Google’s Position “Doesn’t Make Sense”

A Spanish court has ruled Google must remove links from a search on a man’s name. The ruling comes eight months after an EU court confirmed the right to be forgotten. The Spanish court ruling means Google must cut the link to a notice on social security debtors in La Vanguardia newspaper because the information about the man is now outdated. Freedom of information rights aren’t being infringed upon, however, because the original content is still available in the newspaper’s online archive, the court said. Meanwhile, EPIC’s Marc Rotenberg said Google’s general position, that it doesn’t want to apply the right to be forgotten outside of Europe, “does not make sense.” [Bloomberg]

WW –Will Google Apply RTBF Beyond the EU?

Contrary to regulators’ guidelines, Google is only removing search results from European websites when individuals invoke their “right to be forgotten.” But the company says it will review that approach soon. By month’s end, Google’s advisory council, which has held public meetings across Europe for the last four months, is expected to report its conclusions on a review of whether Google’s data removals should apply only to its European websites or globally. “We’ll take the report, along with the Article 29 input and other input, and arrive at an approach,” said Google Chief Legal Officer David Drummond. “It’s our strong view that there needs to be some way of limiting the concept, because it is a European concept.” [Reuters]

MX – IFAI Could Impose Sanctions on Google in RTBF Case

Mexico’s Federal Institute for Information Access and Data Protection (IFAI) has started proceedings that could impose sanctions on Google for an alleged breach of the nation’s data protection law. The IFAI initiated the proceedings after Google Mexico did not agree to a take-down request from a Mexican citizen wishing to have personal data removed from the search engine. According to the report, Mexican law could fine an organization in breach of national data protection law up to $1.53 million. [Reuters] See also: Brazil held its first open consultation to debate and shape the Marco Civil, reports BNamericas.

Privacy (US)

US – Justice Department Drops Court Battle; Hands Document to Privacy Group

The Justice Department has agreed to turn over a legal opinion on surveillance and census data following a yearlong court battle with the Electronic Frontier Foundation (EFF). The department dropped its appeal of a federal judge’s decision requiring it to provide the opinion to the EFF. The group sued to obtain documents on government surveillance, including a document that analyzed law enforcement access to census data, under the USA PATRIOT Act. A Justice Department spokeswoman said the department will turn over the document to the EFF. [Associated Press]

US – White House Proposes National Data Breach Notification Standard

The FTC would enforce the law, with violations constituting an unfair or deceptive practice, and the FTC would be given broad rule making authority to issue whatever regulations it seems necessary to carry out its duties with respect to the law. The proposed legislation would require that the FTC coordinate with other agencies in the issuance of regulations when such regulations would affect entities subject to regulation by the FCC or the Consumer Financial Protection Bureau. State Attorneys General would also have the authority to enforce the law, subject to certain FTC rights to intervene, stay, or remove the proceeding. The proposed law does not create, or make any mention of, a private right of action. [Source]

US – Data-Privacy Advocates Welcome Obama’s Support, With Caveats

“Right now the companies are following the strongest state laws,” said Pam Dixon of the World Privacy Forum. She said a draft of the proposal posted on the White House website “doesn’t come close to the strongest state law, so the best thing would be to leave state protections in place.” Mark M. Jaycox of the Electronic Frontier Foundation warned that the White House language would strip states’ attorneys general of the power to respond aggressively to data breaches. He also voiced concern that the bill would allow companies to avoid notifying customers simply by reporting breaches to the FTC. [Source]

US – Obama Calls for New Law to Meet ‘Evolving Threat of Cyberattacks’

A key stumbling block in the effort to rewrite laws remains the concern from some U.S. companies that sharing information with the government could expose them to shareholder lawsuits or a customer exodus, and they have also complained that certain government agencies aren’t being forthcoming enough with certain intelligence. [WSJ] [CNET: Will Obama Finally Change Cybersecurity In America?] [Gizmodo: Obama’s War on Hackers Is Turning Everyone into a Suspect] [AdAge: Where’s the Breach? Obama Leaves Out Domestic Data Issues]

US – Obama Abandons Telephone Data Spying Reform Proposal: U.S. Officials

Under the proposal floated by a Presidential review panel, telephone call “metadata” generated inside the United States, which NSA began collecting in bulk after the Sept. 11, 2001 attacks, could instead be collected and retained by an unspecified private third party. The Obama administration has decided, however, that the option of having a private third party collect and retain the telephone metadata is unworkable for both legal and practical reasons. “I think that’s accurate for right now,” a senior U.S. security official said. [The National Law Review] [HLDA: The 2015 State of the Union Addresses Cybersecurity, Data Security, and Privacy]

US – Obama Supports Cybersecurity and Privacy; Experts Warn of Unintended Impacts

The President outlined three broad areas to focus on: cybersecurity information sharing, modernization of law enforcement agencies’ weapons against cybercrime, and national data breach reporting. Those are all worthy goals, however, they’re not necessarily the more urgent ones. Security experts disagree on how—or whether—these goals can even be achieved. [PC World]

US – 5 Things to Know About Obama’s New Cybersecurity Proposals

Christopher Soghoian, the principal technologist at the American Civil Liberties Union, said “nothing” the president is proposing “would do anything to actually improve cybersecurity.” The Electronic Frontier Foundation (EFF), a leading digital rights advocacy group, called the president’s cybersecurity proposals a “mishmash of old, outdated policy solutions,” and argued that the information-sharing proposals risk exposing Americans’ private information. It’s not just privacy advocates. Cybersecurity experts are also not big fans of Obama’s proposals. [Mashable]

US – White House Gets It Wrong, Credit Scores Poor Tool for Detecting ID Theft

The credit scores that are being given away are general use FICO and VantageScore risk scores. … They are not, and have never been, designed to be a fraud detection tool. …When someone applies for credit in your name, there are a variety of changes that can occur on your credit reports. The following is a list of those credit report changes, and any impact they would have on your credit scores. Remember, the White House would have you believe seeing your credit scores for free every month would somehow alert you that you’ve been the victim of identity theft. [Huffington Post]

US – PCLOB to White House: You’re Getting There…

In a nod to the one-year and six-month anniversaries of its reports on Section 215 and Section 702, respectively, the Privacy and Civil Liberties Oversight Board (PCLOB) released an assessment of how well the White House has implemented its recommendations for amending programs that collect telephone records in bulk and guide the Foreign Intelligence Surveillance Court. Most significantly, the PCLOB notes that the administration has not implemented its recommendation to halt the NSA’s telephone records program, “which it could do at any time without congressional involvement,” nor has the White House created a way to assess the value of this kind of record collection. “At some point, you have to draw the line and say you have to act on your own,” PCLOB Chairman David Medine told The Guardian, “because this program isn’t particularly effective.” [Full Story]

US – Cam Kerry on Consumer Bill of Rights: “Making Up for Lost Time”

Nearly three years after President Barack Obama first announced a “privacy blueprint” laying out the Consumer Privacy Bill of Rights, the wheels are now in motion. The initial blueprint provided a framework for what legislation should look like. “As the leader of the administration’s work on consumer privacy,” writes Cameron Kerry, “I worked over the following year with my staff in the Commerce Department’s Office of General Counsel and NTIA to put this roadmap into legislative language and pave the way for introduction of a bill.” [Privacy Perspectives]

US – FTC Releases IoT Report

The FTC released its report on the Internet of Things (IoT). The FTC recommends businesses take a number of steps to enhance and protect the privacy of consumers. “The only way for the Internet of Things to reach its full potential for innovation is with the trust of American consumers,” FTC Chairwoman Edith Ramirez writes. “We believe that by adopting the best practices we’ve laid out, businesses will be better able to provide consumers the protections they want and allow the benefits of the Internet of Things to be fully realized.” Commissioner Joshua Wright provided a dissent here. [Full Story]

US – FTC CPO Resigns, Joins Firm as Senior Counsel

FTC Chief Privacy Officer (CPO) Peter Miller has resigned and joined law firm Crowell & Moring as senior counsel for its advertising and product risk management and privacy and cybersecurity groups. Miller has been with the FTC for 10 years, including as an attorney within the Division of Advertising Practices and assistant director for regional operations for the Bureau of Consumer Protection, the report states. He’s held his post as CPO since 2012 and used the post to publicly urge other federal agencies to be more proactive about building privacy protection into IT systems from the ground up. [FCW]

US – FTC Denies Second Proposed Verifiable Consent Method

The FTC has denied AgeCheq’s second proposed COPPA Rule verifiable parental consent method. AgeCheq had proposed a device-signed parental consent form using a multistep process involving the entry of a code sent via text. In its letter to AgeCheq, the FTC stated the company’s proposed method, specifically the type of data collected to verify a parent’s identity, was not compliant with COPPA. The FTC also noted the proposal “did not meet the rule’s requirements that it be reasonably calculated to ensure the person providing the consent is the child’s parent or guardian,” as the individual trying to obtain consent “could easily be the child using the very device on which an app seeking consent was downloaded.” [Full Story]

US – Uber to Implement Privacy Program Recommendations

Uber announced that it is strengthening its privacy programs as the result of an outside privacy assessment, laid out in a 40-page review. The ride-sharing start-up retained Hogan Lovells Partner Harriet Pearson and her team last November after a number of reports surfaced about the company’s controversial use of consumer data, leading some to apply the name “Ubergate.” [Source]

SK – Uber Faces Legal Trouble from Regulator

South Korean telecommunications regulator Korea Communication Commission (KCC) has reported ride-sharing service Uber to local prosecutors for potential violations of the country’s information protection laws. According to national legislation, businesses using geolocation data must report such activity to related authorities, and the KCC claims Uber did not do so. A company spokesman said it will comply with local laws as much as possible, the report states. [CNET]

US – CA Privacy Committee Could Be “Key Committee” to Watch

The newest and perhaps “hottest” committee in the coming state legislative session, the new Committee on Privacy and Consumer Protection “is the key committee to watch in the coming session.” Created earlier this month by California Assembly Speaker Toni Atkins (D-San Diego), the panel is designed to take on growing consumer privacy issues and the use of health, financial, educational and consumer habits of the millions of state residents. “California has a strong history of protecting consumer privacy while spurring an innovative economy,” Atkins said. Demand by Assembly members for inclusion on the panel was high, she added. One pick was Assemblyman Mike Gatto (D-Los Angeles), who has initiated a wiki page allowing Internet users to help draft state privacy legislation. [Los Angeles Times]

US – Bipartisan GPS Bill Introduced

Sen. Jeff Flake (R-AZ) will lead the Senate Judiciary Subcommittee on Privacy, Technology and the Law, it was announced. Two new lawmakers, Sens. David Perdue (R-GA) and Thom Tillis (R-NC), will join the subcommittee also. Meanwhile, with their introduction of the Geolocation Privacy and Surveillance Act, lawmakers in both parties are pushing to require police to have a warrant before tracking people’s locations via their cell phones and other GPS devices. “Buying a smartphone shouldn’t be interpreted as giving the government a free pass to track your movements,” said Sen. Ron Wyden (D-OR), one of the bill’s authors. [The Hill]

US – Judge Dismisses Wiretap Act Claim,

A California federal judge dismissed claims in a multidistrict proposed class-action lawsuit that JTC Corp., Samsung Electronics Co. and other device makers violated the Wiretap Act by illegally collecting consumers’ data from their phones, “saying the plaintiffs didn’t sufficiently allege they intended to intercept communications.” [Law360]

US – N.Y. AG Seeks to Toughen Data Safeguards: Plan Would Require Businesses to Fortify Privacy Measures

The legislative proposal would provide a safe harbor to businesses that comply with the new requirements, meaning that a good-faith effort could shield them from liability actions resulting from a breach. To receive liability protection, businesses must be certified by an approved third-party auditor. [Data Breach Today]

US — Insurance Company Brings Breach Claim, Whole Foods Denies Fault

Travelers Casualty and Surety Co. of America has sued an Illinois-based Web design company, saying its negligence in designing and maintaining a community bank’s website contributed to a data breach, and Whole Foods Market Group Inc. told a Florida federal court this week that a former employee’s claim it fails to comply with federal privacy law when it screens prospective employees through credit checks is “blatantly false.”

US – Congress to Hold Breach Notification Hearing

The new Congress will hold its first hearing on data breach notification legislation next Tuesday. Rep. Michael Burgess (R-TX) said, “We need a plan in place that will help prevent data from being stolen in the first place and will also alleviate consequences if hackers are successful.” [The Hill]

US – Sony Hack Details to Come

Sony is expected to share details of its highly publicized hack with the House Oversight and Government Reform Committee. “We’ve talked to Sony, and they have agreed to get us the information,” said Rep. Elijah Cummings (D-MD). “They just need a little bit more time.”

WW – Bughunter Cracks “Absolute Privacy” Blackphone – by Sending It A Text Message

The details provided by Dowd amount to full disclosure, although he hasn’t included a proof-of-concept that would allow you to start exploiting the hole at will. He made the disclosure only after Blackphone had published a patch. Indeed, he publicly praised Blackphone on Twitter for the way it dealt with his bug report. [Naked Security] [Techcrunch: In Communications, Privacy And Security Are Illusions]

US – LabMD: Tiversa Misled FTC

In a new court filing, LabMD argues that Tiversa hacked into its computer systems and used data gleaned from the hack to mislead the FTC into believing sensitive data on 10,000 patients was unprotected. When LabMD refused to use Tiversa’s services, the filing claims, Tiversa went to the FTC with a data breach complaint. LabMD alleges the move was part of a conspiracy to “decimate” the now-defunct medical company. [Law360]

US – Google, Viacom Tracking Suit Dismissed

Google and Viacom Inc. won the dismissal of a lawsuit alleging the two companies illegally tracked the Internet activity of children under the age of 13 who visited Nickelodeon’s website to send targeted advertising, Fortune reports. The suit accused both companies of dropping cookies onto children’s computers that gathered information advertisers could use. But U.S. District Court Judge Stanley Chesler found “no showing that Google and Viacom could identify which children streamed specific videos or played specific video games, as opposed to identifying children generally,” the report states. He also said he found no showing the companies engaged in “highly offensive” behavior for which they could be held liable. [Reuters]

WW – Google, Khan Academy, 13 More Sign Pledge

Following President Barack Obama’s comments urging companies to sign the Future of Privacy Forum (FPF) Student Privacy Pledge, 15 more companies have signed on, including Google and the popular YouTube-based Khan Academy. The latest wave of companies joins the 75 that signed on last week, the report states, noting the pledge includes a “promise not to sell student information or to use behaviorally targeted advertising on education products. It also promises to make it easy for parents to see their students’ data and to be transparent about how those data are collected and used.” The FPF’s Jules Polonetsky noted, “There’s been an explosion of technology in schools, and with that has come a privacy backlash.” [The Washington Post]

US – Judge Caps Breach Liability Payment

A federal judge has placed a cap on the liability Schnuck Markets is responsible to pay its payment-processing vendors in the wake of a data breach. Judge John Ross ruled that First Data Merchant Services and Citicorp Payment Services could only withhold up to $500,000 in funds. It is not yet known how much was originally withheld from Schnucks. The company recently agreed to pay customers for fraudulent charges stemming from a breach that exposed 2.4 million payment cards. [St. Louis Business Journal]

US – Apple Says Privacy Fraud Claims Vague

Apple wants a federal judge to dismiss a consolidated class-action lawsuit alleging applications available in Apple’s App Store breached users’ privacy by taking users’ contact data, Law360 reports.

US – Journalist Sentenced to Five Years in Prison for Linking Hacked Data

U.S. journalist Barrett Brown has been sentenced for linking to hacked information from global intelligence company Statfor. Brown, who allegedly has a “loose affiliation” with hacktivist collective Anonymous, received five years in prison and must pay $890,000 in restitution. “The government exposed me to decades of prison time for copying and pasting a link to a publicly available file that other journalists were also linking to without being prosecuted,” he wrote, adding, “The U.S. government decided today that because I did such a good job investigating the cyber-industrial complex, they’re now going to send me to investigate the prison-industrial complex.” Jeremy Hammond, the hacker responsible for the breach is serving a 10-year sentence. [Time]

US – School Rule-Breakers to Hand Over Facebook and Twitter Passwords

The fact that passwords are to be demanded in the case of any rule-breaking sounds too strong. That’s the conclusion reached by Kade Crockford, director of Massachusetts’ ACLU. She dubbed Illinois’s move “government overreach” and said that either the law or schools’ implementation of that law may well be unconstitutional. [NakedSecurity]

US – Data Breaches Hit the Board Room: How to Address Claims Against Directors and Officers

The traditional aftermath of a data breach can involve regulatory investigations and lawsuits against the company by consumers or financial institutions claiming to have been harmed by the data breach. In recent years, a new trend also is emerging: shareholder derivative cases and securities class actions filed against directors and officers alleging claims for breach of fiduciary duty, or even securities fraud, relating to the data breach. The recent dismissal of one such lawsuit against the directors and officers of Wyndham Worldwide Corporation (Wyndham) provides insight on steps directors and officers can take to protect themselves from claims of breach of fiduciary duty in these lawsuits. [HLDA]

US – Arsenic Case Pits Privacy Rights Versus Historical Research

Supreme Court ponders privacy rights as they pertain to medical documents FOIC’s Harmon replied, public figure status is sometimes conferred on individuals by the swirl of events and circumstances. While a criminal or politician may have taken affirmative, voluntary steps that waive their expectation of private citizen treatment, someone who, for example, is released from prison after a wrongful conviction also falls into the same legal territory whether they want to or not. There is a societal benefit to these types of people losing their privacy protection, said Harmon, in that members of the public “get to know about their heroes, leaders, villains and victims.” [Source]

Privacy Enhancing Technologies (PETs)

WW – Tor : Crowd Source Security and Anonymity Concerns

Many “bad actors,” from criminals to nation states, run Tor nodes for the purposes of tracking or otherwise harming users. For a fairly modest investment, attackers can acquire and operate enough relays to make the probability that they will control the first and last hoops in a chain fairly good, at least over a period of time. Just 5% of relays transport 50% of the traffic. If an attacker runs both, they can fairly easily identify users with their activities. [Source]

US – Harvard Aims to Reengineer Privacy

Harvard’s School of Engineering and Applied Sciences reports on a symposium it held earlier this week on “Privacy in a Networked World.” Panelists included Pew Internet Research’s Lee Rainie and former FTC Chief Technologist Latanya Sweeney, and the event featured a video interview of Edward Snowden by Bruce Schneier. [Full Story]

US – App Developers Alliance Launches Developer Competition

Anticipating the burgeoning Internet of Things (IoT) landscape, the App Developers Alliance (ADA) has announced IoT(Accelerate)Berlin. The contest is designed for developers and pre-launch startups and is organized in partnership with Google and Ericsson. ADA Executive Director Jake Ward said, “IoT is experiencing substantial growth, and the opportunity for European developers and startups to help shape its future is clear. From connected cars and homes to health, wearables or big data solutions, the competition will help developers conceptualize and produce innovative products for this growing market.” The competition is focused around a three-day period, March 27-29, in Berlin, Germany. [Full Story]

WW – Users Get More Control Over Data in Latest Firefox Beta

To help users keep control of such data, Mozilla has been working on changes to Firefox’s Gecko rendering engine to make it easier for users or browser extensions to control referrer data. And it has created a feature called “meta referrer” in the Firefox 36 beta that allows webmasters to include a tag in HTML documents specifying a referrer policy and what data can be sent. [CIO]

WW – How to Remain (Mostly) Invisible Online

While complete anonymity these days is nearly impossible, experts have some tips, and tools, they recommend for maintaining privacy and keeping your digital footprint as minimal as possible. Internet users can better protect their privacy online “by thinking of their private information as gold; do not give it away,” Frank Ahearn says. “Place a personal value on private information and recognize that sites want to profit [from] the information they extract. The best way to combat that is to supply untrue information. Deception has a positive purpose in the digital world,” and in fact is the best ally a user has to truly protect his online information. [Source]

US – Start-Up Looks to Capitalize on Differential Privacy

In some corners of the privacy world, de-identification has become something akin to the privacy community’s white whale: always just out of reach. Thus, into the breach steps the start-up Leap Year Innovations, a firm based in Philadelphia that is currently pitching “differential privacy” as a service, and soon hopes to offer it as a software package. What’s behind this alternative to De-ID and how does it work? [The Privacy Advisor]


US – Lawmakers Reintroduce Bipartisan Data-Security Bill

Reps. Joe Barton (R-TX) and Bobby Rush (D-IL) have reintroduced a bill that would require companies to meet data security standards when processing users’ personal information. The bill would prompt the FTC to set a nationwide data-security standard for companies handling personal data. Companies that suffer breaches would have to notify customers and the FTC. “They also could face civil penalties of up to $5 million if they hadn’t adhered to the commission’s security standards,” the report states. Rush and Barton will hold a public briefing on the bill on February 6. The House Energy and Commerce Subcommittee held a hearing on data breach notification this week. [The Hill]

US – Obama Takes on Google With Law to Protect Privacy of U.S. Kids

Obama’s proposed Student Digital Privacy Act, details of which haven’t been released, would make explicit the responsibility of vendors to safeguard data. The pledge, though voluntary, could expose signatories that break it to enforcement actions by the FTC or state attorneys general. [Bloomberg]

US – How Much Security Is Enough? Check the FTC Casebook

One of the most important issues on the FTC docket is the determination of whether a given data security practice is reasonable or not. Which is fine. But how will you know what the FTC deemed unreasonable in dozens of enforcement actions? Sure, you can go to the FTC website to seek, download and plough through all of the more than 180 FTC privacy and data security cases. But, as of last week, there’s a far better way: The IAPP Westin Research Center has launched its FTC Casebook, which is available at no additional charge to IAPP members. The Casebook makes the task of determining what the FTC regards as reasonable data security seamless, even fun! A digital resource, the FTC Casebook contains all of the FTC enforcement actions in the field, tagged, indexed, full-text searchable and annotated. But don’t take our word for it-let us walk you through just how it works. [Full Story]

US – Over 90% of Data Breaches in First Half of 2014 Were Preventable

The Online Trust Alliance says that a high percentage of data breaches were the result of staff mistakes — rather than external hacking. After analyzing over a thousand breaches involving PII, the non-profit has put together 12 ‘critical’ security practices in another guide that companies should follow in order to lessen the risk of a cyberattack — as well as minimize potential damage in a threat landscape which is becoming more dangerous by the year. [ZD Net] See also: 2015 Data Protection & Breach Readiness Guide

US, UK Establish a Joint Hacker A-Team to Conduct Cyber War Games

It’s been quite a week for British Prime Minister David Cameron. In addition to announcing the formation of the cyber cell, he had a meeting with Obama where he asked him to block companies like Apple, Facebook and Google from rolling out encryption services to users, which would allow users to communicate with one another more securely but which the British government claims could hurt intelligence collection. [Defense 1]

Smart Cars

US – Will Big Brother Eventually Monitor Driving Habits? Car Data Proposal Sparks Privacy Fears

But now the California Air Resources Board is proposing regulations (for a May board hearing) requiring manufacturers to significantly expand the kind of information on-board computer software collects about our driving habits. The software could track miles per gallon, driving distances, how often one stops and starts the car, and how fast one drives. Newer cars already tell us most of this information on those nifty trip computers in the dashboard. The difference, of course, is the regulations would require our cars to also tell government officials the information. [Source]

WW – BMW Sounds Alarm Over Tech Companies Seeking Connected Car Data

Concerns over fine line taken by the automotive industry between functionality and privacy . “There’s plenty of people out there saying, ‘Give us all the data you’ve got and we can tell you what we can do with it’,” he said on the sidelines of the Detroit motor show, adding that this included “Silicon Valley” companies, as well as advertising groups. “And we’re saying, ‘No thank you’.” … most drivers would be surprised by the scale and granularity of the data collected by modern vehicles. In a sinister illustration of the potential data that could be sacrificed by carmakers, Mr Robertson said BMW knew whether a child was in the car, based on weight sensors in the seats that linked up with the airbag system. [Irish Times]

US – “Cheaper Car Insurance” Dongle Could Lead to a Privacy Wreck

In short, you’d certainly hope that the Snapshot hardware designers and programmers took data security seriously during development. Otherwise, the very dongle that was supposed to help you learn to be a safer driver might leave you more exposed from a privacy and online security perspective … even if you conducted yourself impeccably behind the wheel, merely being out driving could harm the rest of your digital life. [Source]

US – California Mulling More Government Access to Cars’ On-Board Computers

Will Big Brother monitor our driving habits? But what if the traffic cop were a computer that always is transmitting data about our driving habits to a government agency? That question increasingly is being asked given technological advancements and a new proposal by the state’s air-quality control agency to expand the information your car’s computer would be required to collect and potentially transmit to officials. … the California Air Resources Board is proposing regulations (for a May board hearing) requiring manufacturers to significantly expand the kind of information on-board computer software collects about our driving habits. [Source]

US – U.S. Spies on Millions of Cars

The database raises new questions about privacy and the scope of government surveillance. The existence of the program and its expansion were described in interviews with current and former government officials, and in documents obtained by the American Civil Liberties Union through a Freedom of Information Act request and reviewed by The Wall Street Journal. It is unclear if any court oversees or approves the intelligence-gathering. …”Any database that collects detailed location information about Americans not suspected of crimes raises very serious privacy questions,’’ said Jay Stanley, a senior policy analyst at the ACLU. “It’s unconscionable that technology with such far-reaching potential would be deployed in such secrecy. People might disagree about exactly how we should use such powerful surveillance technologies, but it should be democratically decided, it shouldn’t be done in secret.’’ [Wall Street Journal]

US – The DEA Is Spying on Millions of Cars All Over the U.S.

With sweeping power to monitor the movements of so many Americans, the federal agency will continue to lose the hopeless drug war. We’ve traded our freedom to drive around without being tracked for next to nothing. Those who would cede essential liberty for the promise of security may deserve neither, but ceding it for the promise of a drug-free America is just delusional. The federal government could imprison every recreational drug user in America and it still couldn’t win the drug war because, among other things, the federal government can’t even prevent heavy drug use within the federal prison system. http://www.theatlantic.com/politics/archive/2015/01/the-dea-is-spying-on-millions-of-cars/384864/

US – Federal Agency Weighed Spying on Cars at Gun Shows

2009 DEA Proposal to Record Cars at Gun Shows Was Never Carried Out, Justice Department Officials Say. The Justice Department has been building a real-time database to track vehicle movement around the U.S. and has raised worries over government surveillance. [WSJ]

US – Massive DEA License Plate Reader Program Tracks Millions of Americans

According to the DEA, the program targets roadways it believes are used to transport contraband. It’s not clear what criteria the agency uses to classify a road as such. With so much information redacted it’s hard to say we’ve got the full picture here, but it’s also easy to understand why this capability is useful for law enforcement. Furthermore, identifying cars and users based on their license plates is nothing new – it’s what they’re for: license plates are public, unique identifiers. And of course we have always had the ability to follow a person or a car by spotting the right number plate and watching where it goes. So in some ways this is nothing new. But in other ways it’s very new indeed. [Naked Security]


CA – Secret ‘BADASS’ Intelligence Program Spied on Smartphones

CSE and GCHQ intelligence agents applied BADASS software filters to streams of intercepted internet traffic, plucking from that traffic unencrypted uploads from smartphones to servers run by advertising and analytics companies …the smartphone data routinely provided to ad and analytics companies represents a major privacy threat. When combined together, the information fragments can be used to identify specific users, and when concentrated in the hands of a small number of companies, they have proven to be irresistibly convenient targets for those engaged in mass surveillance. Although the BADASS presentation appears to be roughly four years old, at least one player in the mobile advertising and analytics space, Google, acknowledges that its servers still routinely receive unencrypted uploads from Google code embedded in apps. [Source]

WW – Software Makes Spying Real Easy, and It May Be on Your Phone

Spyware is readily available to any insecure spouse, overzealous boss, overbearing parent or crazy stalker. It’s sold legally, and “if it’s already on your phone, there’s no way you can tell,” the report states. Spyware companies like mSpy and flexiSPY make money off the secret surveillance of millions of people’s devices, the report states. While spyware has been around for decades, “the current crop is especially invasive” because if someone is alone with a device for a few minutes or if they have their target’s iCloud credentials, they can upload sophisticated tracking software that will let them follow whatever’s happening on the target device. [Gizmodo]

WW – Apps Will Share Data With Google Now

In a bid to bolster its hold on the online search market, Google plans to allow a host of third-party apps—including Airbnb, eBay and Lyft-to share data with Google Now. Google Now is a predictive search app, available for Android phones and wearables as well as the Chrome web browser. If users have the updated Google app and the Airbnb app on their phones, for example, the search history from Airbnb will be shared with Now. Previously, Google acquired search data from a user’s Google account search history. According to the report, more than 30 third-party apps will share data with Google Now. [The Wall Street Journal]

WW – Cookies Are So Yesterday; Cross-Device Tracking Is In

The cookie is out, and cross-device tracking is in. After all, one recent study found users can switch from laptop to smartphone to tablet an average of 21 times in a single hour. But how do you sell cross-device tracking to your users while avoiding the privacy pitfalls the cookie faced during its ascension? Michael Whitener lists the things marketers can do to keep both companies and consumers safe while taking advantage of the insights such tracking can provide. [The Privacy Advisor]

WW – Using Video to Expose Corruption, Abuse

Videre uses tiny cameras and an “army” of individuals armed with them to expose corruption and abuse, “shaming governments into action,” Erin Burnett explains in this. Oren Yakobovich is head of the human rights organization Videre, which “uncovers, verifies and publicizes human-rights abuses that the world needs to witness.” Yakobovich is also featured in a TED Talk about his efforts to use surveillance on its head. “This can stop corruption,” Yakobovich says, but some question how the camera could be misused to violate privacy or solicit bribes. [CNN video report]

US – EFF’s Game Plan for Ending Global Mass Surveillance

For years, we’ve been working on a strategy to end mass surveillance of digital communications of innocent people worldwide. Today we’re laying out the plan, so you can understand how all the pieces fit together—that is, how U.S. advocacy and policy efforts connect to the international fight and vice versa. Decide for yourself where you can get involved to make the biggest difference. This plan isn’t for the next two weeks or three months. It’s a multi-year battle that may need to be revised many times as we better understand the tools and authorities of entities engaged in mass surveillance and as more disclosures by whistleblowers help shine light on surveillance abuses. [EFF]

US – Law Enforcement Radar Can See Through Walls

As many as 50 law enforcement agencies across the country have deployed radar technology capable of seeing inside homes to determine if someone is present, all with little or no public disclosure or court oversight. The technology uses radio waves to detect movement—such as breathing—to determine if someone is home. The use of the radar raises legal and privacy concerns, particularly since the U.S. Supreme Court has said law enforcement needs to obtain a warrant prior to using high-tech sensors on an individual’s home. The ACLU’s Christopher Soghoian said, “Technologies that allow the police to look inside of a home are among the intrusive tools that police have.” [USA Today]

US – Prenuptial Snooping Is Booming, Say Private Investigators

Private detectives say there has been a dramatic increase of prenuptial investigations. “It’s worth it to them to spend a little in advance to figure out whether they’re hooked up with a loser or a longtime candidate,” said AAA Detective Agency Owner Jerry Bussard. The trend stems from the increased use of online dating and embellished online profiles. “The Internet, they say, is like a gateway drug to professional snooping,” the report states. “In a manner of speaking, it’s the new prenuptial,” said another private investigator, adding, the main difference is the “party being investigated doesn’t have to sign off or agree to be under surveillance.” [The Wall Street Journal]

EU – Danish Surveillance Push Meets Opposition from Network Providers

According to the draft the Danish Defence Intelligence Service’s cyber defense unit will also be given authority to delay transactions to review security aspects. The industry says this will amount to de facto powers to block mergers and other deals. The Justice Ministry’s plan to demand that network operators resume keeping logs on traffic, also revives measures that were banned by a European court last year. [Bloomberg]

UK – British Spies Seized Emails to Reporters

There is no explanation of why the vast collection of messages was sucked into the global system of electronic surveillance created and maintained by British and American spies. But code words within the document suggest that it may be a glimpse of the colossal amount of information gathered each day before being “minimized,” or stripped of irrelevant material. …Why email messages traveling to reporters with news organizations were captured is also left unexplained in the document. Some of the captured messages contain email addresses associated with The Washington Post, Reuters, Le Monde and The Baltimore Sun. Messages to at least four New York Times reporters were intercepted. [NY Times]

EU – France Vows Forceful Measures Against Terrorism

Prime Minister Manuel Valls announced “exceptional measures,” including plans to spend an additional 425 million euros, or more than $490 million, to create over 2,500 new jobs to buttress the fight against terrorism and monitor nearly 3,000 people the police consider surveillance targets. A bill aimed at updating the legal framework for intelligence and surveillance operations will be introduced in Parliament in March, he said. [NY Times]

AU – Australia’s Privacy Commissioner Tim Pilgrim Fears Telco Metadata Breaches

Timothy Pilgrim says Australians should be warned if their their privacy is breached as a result of leaked metadata. The legislation, dubbed the Data Retention Bill, requires Australian phone and internet providers to store various customer metadata for up to two years for law-enforcement agencies’ access. No warrant is required to access the data, only a requesting agency senior officer’s sign off. Exactly what metadata the government wants providers to store remains unclear, as the final “data set” will be in the bill’s regulations, which have not yet been released and can be changed by the Attorney-General of the day without Parliament’s approval. Instead, a “proposed data set“ document that doesn’t specify exactly what data should be retained, has been circulated. [Source]

UK – Ex-UK Spy Chief Says Accord Needed With Tech Firms to Stop Terrorism

Prime Minister David Cameron has promised laws giving greater access to online communication if he wins the May general election, but some of his rivals oppose the scale of his proposals. Sawers backed Cameron’s stance, saying that while he understood the value of online communication services like Facebook’s WhatsApp and Apple’s FaceTime, and used them himself, they could not be beyond the reach of monitoring agencies. http://www.reuters.com/article/2015/01/20/us-britain-security-sawers-idUSKBN0KT10Z20150120

UK – Privacy Activists Irate As British Lords Try to Sneak Surveillance Bill Into Anti-Terror Laws

According to Mike Harris, from the Don’t Spy On Us campaign group, the Lords have actually made the original bill tougher, by not mentioning many useful safeguards. As it stands, the proposed amendments would allow the home secretary, Theresa May, to force internet service providers to hold onto communications data for 12 months. That information would be accessible to any “relevant public authorities”, which could even allow local councils to grab data on citizens. The only barrier the secretary of state has to overcome is in consulting Ofcom, the communications regulator. [Forbes]

UK – UK Declares War on Privacy Under the Facade of “National Security”

Great Britain just isn’t that great anymore. An astounding erosion of my home country’s fundamental civil liberties and freedoms has made it difficult to envision one day returning home.

Put simply: at the next election, the U.K. population will vote on whether or not it gives the U.K. government the mandate to spy and snoop unrelentingly under the unproved and illogical assumption it will prevent future terror attacks. [ZDNet] [Europe Pivots Between Safety And Privacy Online]

AU – ‘Invasive’ Data Retention Bill Should Be Scrapped

“[Mandatory data retention] is characteristic of a police state,” the LIV wrote, quoting the Office of the Victorian Privacy Commissioner. “It is premised on the assumption that all citizens should be monitored. Not only does this completely remove the presumption of innocence, … it goes against one of the essential dimensions of human rights and privacy law: freedom from surveillance and arbitrary intrusions into a person’s life.” [Lawyers Weekly]

AU – Everyone Has Something to Hide If Universal Data Retention Becomes Law in Australia

Metadata can provide an alarming amount of information about an innocent individual’s activities, friends and beliefs. It’s simply not necessary. What would a telephone call or Google search placed in front of a brothel, gay bar or abortion clinic reveal? Imagine the caller were not me – with my classical liberal views – but a conservative Christian politician. What mischief could be had at his or her expense? [The Guardian]

AU – Privacy Commissioner Hits Out at ‘Ill-Defined’ Data Retention Plans

The Victorian Commissioner for Privacy and Data Protection said the government’s data retention proposal was ill-defined and insecure in a submission to the parliamentary inquiry investigating the scheme. This vast reservoir of highly sensitive, distributed data will not be adequately secured because the scheme does not properly address the security issues associated with the transmission and storage of the retained data …It is so vague and opaque as to make it impossible to clearly determine the risks it poses or to suggest appropriate mitigation measures. [AFR]

US – With Snowden in the Background, Privacy Takes a Back Seat to Security

In a rare streak of bipartisanship, there is virtually no distance between Republicans and Democrats on this issue. Roughly seven in 10 Democrats and Republicans alike prioritize the investigation of threats over personal privacy (71 and 68%, respectively). Even liberal Democrats, by 62-34%, side with investigation over privacy. Political independents drop to 56% preferring investigation. [Washington Post] [Goodbye Privacy: White House Sides with UK, Wants Backdoor to Encrypted Data]

TH – Cyber Bill Powers to Be Scaled Back: Government Yields to Public Pressure

The Cybersecurity Bill was among eight digital economy-related bills which earned cabinet backing early this month, on top of two others which received preliminary approval last month. But is has since been subject to complaints from experts and privacy activists who have urged a revision to prevent abuse of power by the state… Thailand is ranked third in globally for cybersecurity risk, with hackers frequently using the country as a base for major attacks, including the recent high-profile cyberhack against US-based Sony Pictures Entertainment. [Bangkok Post]

US – Marco Rubio Wants to Permanently Extend NSA Mass Surveillance

Rubio for years has positioned himself as a vocal defense hawk in Congress, and he has repeatedly defended the NSA’s spy programs revealed to the public by former agency contractor Edward Snowden. But Rubio’s call to permanently extend the legal framework that allows the NSA to collect the bulk U.S. phone metadata—language that Congress has tweaked and in many cases made more permissive since 9/11—is particularly forceful. It comes in the wake of terrorist attacks by Islamic extremists in France at a satirical newspaper and a kosher deli that left 17 dead—violence that has prompted European officials to publicly consider whether more forceful surveillance laws are needed. It also underscores the divisions among Rubio and his fellow Republican senators expected to jockey for the White House—namely, Sens. Ted Cruz of Texas and Rand Paul of Kentucky. [GovExec]

Telecom / TV

US – Group Urges FCC to Impose Privacy Rules on Broadband Providers

Consumer advocacy group Consumer Watchdog is urging the Federal Communications Commission (FCC) to place new privacy regulations on broadband providers. In a letter to the FCC , Consumer Watchdog wrote, “If consumers believe that their broadband provider substantially threatens their privacy, they are less likely to use the Internet.” The FCC should reclassify broadband service as a utility, Consumer Watchdog argues, and follow the same privacy rules set up for telephone providers. “This vital protection should exist related to private information secured from digital networks,” Consumer Watchdog wrote, adding, “The FCC must adopt regulations to ensure that the integrity and privacy of data gathered on the broadband networks we use are maintained.” [MediaPost]

US – Court Filing: Law Enforcement Kept Call Database Without Court Approval

Until last year, U.S. law enforcement maintained a database of international phone calls obtained from telecommunications companies under subpoenas that don’t require court approval. The U.S. Drug Enforcement Administration said in a court filing last week that the database tracked phone numbers and the time and duration of the calls and allowed investigators to query a number if they had a “reasonable articulable suspicion” that it was linked to a federal criminal investigation. The database was discussed during a federal court case involving a person suspected of illegally transporting U.S. goods and technology to Iran, the report states. [Bloomberg ]

US – Apple iPhone with Secret iFeature Allows Government to Spy on You

It is not clear if the “special software” being referred to in the interview is made up of standard diagnostic tools, or if the NSA whistleblower thinks intelligence agencies from the United States have found a way to compromise the mobile operating system developed by Apple. [TechTimes]

US Government Programs

US – U.S. Drug Enforcement Agency Halts Huge Secret Data Program

The program, run by DEA’s Special Operations Division, collected international U.S. phone records to create a database primarily used for domestic criminal cases – not national security investigations, according to records and sources involved. Two people briefed on the DEA program said that it began in the late 1990s. Records show it involved the use of administrative subpoenas, which can be issued by federal agents – rather than grand jury subpoenas, which must be approved by prosecutors, or search warrants, which must be approved by a federal judge. [Reuters]

US – The Many Problems with the DEA’s Bulk Phone Records Collection Program

The government’s claimed authority for this bulk collection was 21 U.S.C. § 876, which empowers the Attorney General to issue administrative subpoenas—not approved ahead of time by a grand jury or judge—which compel the production of records that are relevant and material to an investigation relating to drug crimes. But bulk collection of all call records based solely on the country a person called could never satisfy the statute, because most of the records are irrelevant to an active investigation. To be sure, the government may only have queried the database for records relevant to an active investigation, but the government was using § 876 to collect all records in anticipation of some future investigation. In other words, unless every person in the US who has ever made a phone call to someone in Iran or some other country contained in the database is considered a criminal suspect, the vast majority of records are irrelevant to any investigation. [EFF]

US – U.S. Discloses New Trove of Phone Call Records

The D.E.A. program was one of several troves of information on Americans’ phone records revealed in recent years. The most extensive and controversial one is kept by the NSA and contains records on every American phone call. Counterterrorism officials use it when conducting investigations, but civil liberties advocates have continued to raise questions about the programs. [NY Times]

US – New Report: DHS Is a Mess of Cybersecurity Incompetence

A large, embarrassing, and alarming Federal oversight report [by Senator Tom Coburn] finds major problems and grave shortcomings with Department of Homeland Security cybersecurity programs and practices which are “unlikely to protect us”. The report says (and echoes the sentiments of many civilian infosec professionals) that the DHS approach on vuln mitigation is nothing but a losing strategy. “The nature of cybersecurity threats — and the ability of adversaries to continuously develop new tools to defeat network defenses — means that DHS’s strategy for cybersecurity, which focuses primarily on vulnerability mitigation, will not protect the nation from the most sophisticated attacks and cybersecurity threats.”[ZDNet] [Slate: Step Aside, States?]

US – NSA Creating Privacy Internship Program

One of the central thrusts of the research is to determine if certain data presents more or less risk to privacy and civil liberties, and if the same can be done in terms of how the data is being used. [FedScoop]

US – Privacy Advocates Say NSA Reform Doesn’t Require ‘Technological Magic’

Just because a new federal report found no software solution to recreate the full scale of current National Security Agency surveillance does not mean that’s the right policy, privacy pros say. At a press conference with British Prime Minister David Cameron, President Obama said the US needs to preserve its capability to track electronic communications of terrorist suspects, but is working with companies to ensure the government meets “legitimate privacy concerns.” Obama has already proposed some surveillance reforms, including nixing the government’s storage of the phone records and forcing the NSA to gather them from company databases instead. “We just have to work through, in many cases what are technical issues,” Obama said. [CS Monitor]

US – As Terror Threats Rise, Privacy Is Now More Important Than Ever

Snowden’s revelations tipped the needle in favor of greater privacy and security, but recent attacks have thrown much of that effort under the bus. Does now really seem like the best time to compromise on security by calling for encryption to be outlawed, in the process stripping Internet users of their privacy, and opening them up to hacks, attacks, and identity theft? U.K. prime minister David Cameron thinks so, and he’s counting on Obama’s support for implementing backdoors in the tech companies. [ZDNet]

US Legislation

US – Tech Companies and Advocates Join Forces to Push ECPA Reform

Companies including Amazon, eBay and Facebook have joined the Electronic Frontier Foundation and dozens of other groups in sending letters to Congress demanding lawmakers finalize a bill that would require officials to get a warrant before searching people’s old emails or other items stored in the cloud. “Because of all its benefits, there is an extraordinary consensus around … reform—one unmatched by any other technology and privacy issue,” the groups wrote to leaders of the House and Senate Judiciary Committees, adding that passing a bill “sends a powerful message—Congress can act swiftly on crucial, widely supported, bipartisan legislation.” [The Hill]

US – Obama Proposal to Consider Impact of New Technologies

President Barack Obama has proposed federal legislation to safeguard student privacy in the face of new technologies that collect sensitive personal information about students in order to help tailor learning plans. While the White House hasn’t publicized details of the proposed legislation, Obama indicated in his speech unveiling the plan that it would be modeled on a California law that passed last year. “This is a huge step forward,” said James Steyer, CEO of nonprofit child advocacy group Common Sense Media. However, another activist said he considers the California bill a “very weak proposal.” [The Washington Post]

US – Proposed Indiana Law Would Raise Bar for Security and Privacy Requirements

These requirements are a substantial change from most existing U.S. privacy laws, and designing and implementing the necessary procedures could be a challenge for many companies. …Failure to comply with the bill’s requirements would constitute a deceptive act under state consumer protection law. While only the attorney general may bring an enforcement action, if a court determines that the violation was “done knowingly,” penalties include a fine of $50 for each affected Indiana resident, with a minimum fine of at least $5,000 and maximum fine of $150,000 per deceptive act. [Source] The Indiana Office of the Attorney General has recommended the 2015 legislature pass a bill that would tighten state laws governing data collection.

US – Other US Privacy News


Workplace Privacy

US – Job Searching? Get Ready to Hand Over Some Intimate Details

Rob Walker describes efforts to find a job and the online component that seems to accompany every search. “In addition to asking for your address, gender, race, etc., the questions have been more specific … I’ve also seen forms asking whether the applicant has been found to have depression, anxiety or behavioral or medical ‘disabilities.’ Generally, you cannot submit the application without providing all the requested data.” Prof. John Sullivan of San Francisco State University says companies are moving away from such practices but mainly because they can find that information by searching what candidates, themselves, have already put online. [The New York Times]

US – How to Talk to Employees During a Breach

While many companies are working with security firms and encrypting data, “they may be neglecting an important piece of the puzzle.” The article lists ways to communicate with employees during a cyber attack. Companies should be proactive when communicating with employees, the report states, instructing them on how they can help minimize the impact of the breach; be open and honest about what they do and don’t know; communicate frequently, and encourage employees to voice their questions and concerns, the report states. [Fast Company]


01-15 January 2015

Big Data

US – Federal Study Says Mass Data Collection Irreplaceable

The National Academy of Sciences has released an in-depth report informed by communications and cybersecurity experts as well as former intelligence officials concluding that there is no effective alternative to bulk data collection for intelligence purposes. According to the study, “no software-based technique can fully replace the bulk collection of signals intelligence.” However, the report did conclude there are ways to “control the usage of collected data” including, notably, placing strong privacy protections on the collected data once it’s in the government’s hands. [The New York Times]

WW – Big Corps Want to Know How You Feel; Defense Contractors Are Happy to Help

It’s no secret that businesses track consumers online and study social media to learn more about their shopping habits. But the public backlash against Sony after its response to being hacked, criticism of Target’s handling of its 2013 cyberattack and other examples of corporate embarrassment have put a spotlight on another type of analysis — measuring public sentiment about a business. Now, contractors that traditionally performed this type of work for government intelligence agencies are offering their skills to large corporations. Corporations are increasingly looking for early warnings to manage potential disruptions. Not everyone is excited by the prospect. The thought of government contractors offering intelligence-level expertise to corporations worries some privacy advocates. “This is the creation of a digital blacklist,” said Jeffrey Chester, who leads the Center for Digital Democracy. “A system designed for defense use should not be unleashed on the everyday goings-on of Americans.” [The Washington Post]

US – Why Uber Is Sharing Ride Data With the City of Boston

Uber said it will begin sharing trip data with the city of Boston with the goal of helping to reduce traffic congestion and assist urban planners. Under the first-of-its-kind deal, the car booking app said it will give city officials granular reports about every trip taken with Uber in the city. Riders’ personal information will not be included in the report, Uber said. What city officials will see, according to Uber, is an anonymized report showing the time, date and ZIP code of where a rider was picked up and where and when their trip with Uber ended. The data will also allow city planners to study the duration of the ride and come up with solutions to ease traffic congestion, including adding more public transportation options.[ABC News]

US – Pasquale on the Black Boxes of Data-Mining

Author Frank Pasquale discusses the lack of transparency and redress in big data profiling, both for students and employees. Though he applauds President Barack Obama’s privacy initiatives rolled out earlier this week, Pasquale writes, “it’s time for policy-makers to aim higher” because, through big data algorithms, individuals can easily be stigmatized without knowing they’ve been flagged as a high-risk student or employee. “Students should not be ranked and rated by mysterious computer formulas,” he writes, adding, “They should know when they’ve been marked for special treatment.” [Los Angeles Times]


CA – Watchdog to Study ‘Privacy Compliance’ Among Canadian Advertisers

The Office of the Privacy Commissioner of Canada is launching a research project to examine advertising on popular websites in Canada. The goal is to determine whether advertisers are complying with Canadian privacy laws. As “big data” becomes more crucial to advertisers who hope to reach consumers with messages that might be relevant to their needs, the industry has also been working to ease concerns about privacy. Industry groups representing Canadian advertisers and their agencies launched a self-regulatory group, the Digital Advertising Alliance of Canada (DAAC), in 2013. Despite the publication of the OPC’s guidelines, and the launch of the DAAC, “informal observations of major websites viewed by Canadians show that privacy compliance may still be an issue,” Privacy Commissioner Daniel Therrien wrote in a letter to the Interactive Advertising Bureau of Canada in mid-December, giving notice of the upcoming study. Similar letters were sent to the other industry groups including the DAAC. Results of the study will likely be published in the spring. [The Globe and Mail]

CA – New Sask. Privacy Commissioner to Continue Pushing for Police to Be Included in Legislation

For 10 years, former privacy commissioner Gary Dickson regularly recommended that municipal police be brought under the authority of Saskatchewan’s privacy legislation. His successor, Ronald Kruzeniski, intends to do the same. Aside from Prince Edward Island, which doesn’t have a Local Authority Freedom of Information and Protection of Privacy Act (LAFOIPP), Saskatchewan is the only province in Canada in which municipal police aren’t legislated under access and privacy laws. The RCMP, which operates in smaller centres in the province, is covered under federal privacy laws. This means anyone wishing to get access to municipal police information or file a privacy complaint through Kruzeniski’s office is unable to do so. Citizens wishing to file complaints with municipal police can currently do so through the Public Complaints Commission. Kruzeniski intends to officially make the recommendation at some point this year, and plans to meet with the Saskatchewan Association of Chiefs of Police. [Leader-Post] SEE ALSO: Ontario Acting Privacy Commissioner Brian Beamish “is calling for changes in legislation to make it harder for hospitals to handle privacy breaches internally without reporting them to the privacy office.” [Hospitals should report privacy breaches to commissioner: Editorial] [ON: Hundreds of hospital privacy violations go unreported

CA – RCMP Refusing to Pay Rogers’ New Cellphone Fees

The RCMP and many other police forces are refusing to pay new fees imposed by Rogers Communications for helping track suspects through their mobile phones. Police say the telecommunications firm is legally obligated to provide such court-ordered services and to cover the cost as part of its duty to society. Rogers says while it picks up the tab for most judicially approved requests, in some cases it will charge a minimal fee. The quietly simmering dispute underscores long-standing tensions over who should pay when police call on telephone and Internet providers to help investigate cases. Although they have concerns about the new Rogers fees, the Mounties did pay more than $2 million to telecom firms in 2012-13 in connection with customer information and intercept-related activities, the force says. [The Star]

CA – Debate Shaping Up About New Law to Fight Terror in Canada

Only 17 people have been convicted of terrorism and related offences in Canada since 2001. Five others await trial in three separate cases. In July, a sixth Canadian was charged with taking up arms in Syria and has not returned to Canada. Conservative Senator Dan Lang, chair of the Senate’s national security and defence committee, and other politicians are demanding to know why the numbers are so relatively low compared with the United States and Britain. This past week, while expressing solidarity with France over the shooting attack on the Paris office of satirical magazine Charlie Hebdo, Prime Minister Stephen Harper said a new anti-terrorism bill giving the state additional powers to watch, detain and arrest extremists will be tabled shortly after Parliament resumes in late January. [The Ottawa Citizen] SEE ALSO: Legislation will be tabled this month that “will provide national security agencies with explicit authority to obtain and share information that is now subject to privacy limits]

CA – Serious Offenders Among Dozens Mistakenly Released From Ontario Jails

Prisoners who were supposed to be locked up on charges of attempted murder, sexual assault, armed robbery and assault with a weapon were mistakenly released from Ontario jails during the last six years. In total, 98prisoners were freed prematurely between 2009 and 2013, mostly because of clerical errors. Four of these prisoners committed new offences while they should have been behind bars, the government acknowledged for the first time in December. [Toronto Star]

CA – Torontonian Uses Big Data and Privacy Expertise to Create Anonymous Index of Sexual Assault

Lauren Reid is a 30-year-old Toronto resident using her professional background in big data and privacy to push for a national, anonymous, user-controlled and self-reported database on sexual assault. It is an ambitious project, unprecedented in its scope, but it comes with its own set of complicated challenges and concerns.” The goal is to create a database that allows us insights into ‘Why didn’t you report it?’“ among other things, and also try to gauge how many people are sexually assaulted more than once, if people didn’t know it was rape at the time, if they were drinking or drugged and so on. Users would enter their stories and add or change information any time. The database would need to maintain clear definitions of sexual assault, she said, and it would be fully anonymous — no naming of names allowed. Even those who support the intention of such a database worry about privacy concerns, legal implications and false reports. “The purpose is to generate knowledge about a problem,” Ms. Reid said. “It isn’t to prosecute people.” [National Post]

CA – To Guard Government Computers from Hacking, Ottawa to Spend $100-Million on Security

Ottawa will spend as much as $100-million to safeguard Canadian government computers after a Chinese state-backed hacker broke into the National Research Council’s system last summer – and the 2015 budget is expected to help underwrite the bill for upgrading network security. There’s a request from inside government for extra money in the 2015 federal budget to fund long-term cyberprotection measures. This request is a sign of how seriously the increased threat of Chinese state hacking is being taken inside Ottawa. [The Globe and Mail] [CA – Canadian passports stolen at gunpoint in Caracas]

CA – Search Warrants’ Surge Denounced by Defence Lawyer

Search warrants have become much too easy for Toronto police to obtain, says a veteran defence lawyer who is calling on the courts to “bring some control to the situation that’s become like the Wild West.” New documents show the number of search warrants executed by Toronto police has almost tripled in a nine-year period. In roughly half the cases, nothing illegal was found and no charges laid. A 50% “failure rate” is a “huge problem,” lawyer David Bayliss said. [Toronto Star] [Interview: Privacy guru Ann Cavoukian] [ON: Hundreds Of Hospital Privacy Violations Go Unreported] and [Mondaq News: $7,500 in Damages Awarded for Intrusion Upon Seclusion] AND [Canadian Lawyer Magazine: Is Google Search Evidence Admissible?]

CA – Auto Lenders Quietly Install a Digital Repo-Man

A little-known black box buried in the guts of many GTA vehicles makes drivers with poor credit the hapless targets of what is becoming a 24-hour surveillance culture. Known as a starter interrupter, the GPS-equipped, wallet-sized box is popular with auto loan companies: If the owner stops making payments, the lender can send a signal to the box, disabling the vehicle by shutting off the starter. The GPS function also allows for tracking the customer’s movements. Thousands of starter interrupters have been on the roads in Canada for years, but in Ontario, little has been said about how they’re used and the information they allow lenders to collect. Consumer protection laws have curtailed their use in Quebec, and serious questions are being raised about their safety in the United States, following reports about moving cars being shut down remotely. [Toronto Star]


US – Art Indicates Teens Have Complex Understandings of Privacy Threats

Privacy Illustrated, a project Carnegie Mellon University (CMU) researchers unveiled last week. It includes art submitted by 175 people from kindergarteners to senior citizens, but some of the most complex images on threats to privacy came from teens. “Teens actually value privacy a lot, but their threat models are very different from adult threat models,” said Lorrie Faith Cranor, director of CMU’s Cylab Usable Privacy and Security Lab, who led the initiative. According to the teens’ drawings, they’re “acutely concerned about prying parents, siblings and schoolmates and worried about a spying government.” View the art here. [Pittsburg Post-Gazette] [The New York Times: ThinkUp Helps the Social Network User See the Online Self]

WW – Apple Spotlight Runs Roughshod Over Mail Privacy Settings

Apple’s Spotlight desktop search engine in OS X Yosemite ignores privacy settings in the Mail email client. The searches results could include pictures and other files linked to email messages, even if users have told Mail not to load remote content. HTTP requests sent to the pages hosting the content will reveal users’ IP addresses. Users can prevent this leak by unchecking “Mail & Mailboxes” in Spotlight System Preferences. [The Register] [ComputerWorld] [ArsTechnica]


WW – Beware Governments’ ‘Big Data’ Promises

The so-called ‘Big Data Revolution’ has governments enthralled. The BC government sees itself as a leader in bringing about ‘transformation’ with the use of data. The promises are that 1) the government is going to free itself up in its use of citizens’ personal data and this will bring convenience and make money, and 2) the government is going to free up government data and this will bring transparency and ‘digital engagement,’ and make money too. The data will be free and we will be wiser, happier and richer. At least, that’s what the glossy brochure says. You may not be too surprised to discover it’s not actually working out quite that way on the ground. In actual practice, part of this formula looks a lot like old ‘e-government’ initiatives that have been soundly criticized for costly failures and privacy fiascos. [British Columbia Civil Liberties Association]

Electronic Records

CA – City, Province to Work on Electronic Patient Reporting Across Manitoba

The way Winnipeg deals with electronic records for patients could eventually be used province-wide. This week, a city committee approved a motion for the province and city to work together to have the city’s electronic patient care system implemented across the province. Winnipeg Fire Paramedic Service Chief John Lane said Winnipeg was one of the first municipalities in Canada to use the electronic system. He said most other places use paper-based record keeping. The system uses Bluetooth to send the information from emergency crews to hospitals, and “provides absolutely seemless record keeping in terms of care,” Lane said. In 2013, the province reviewed its emergency medical services, and one of the recommendations was to find a common platform to be used across Manitoba to capture patients’ records electronically. The committee passed a motion that will allow the Winnipeg Fire Paramedic Service to start working with the province on a potential rollout of their system across the province. [CBC News]


UK – UK PM Wants to Ban Encrypted Communication

UK Prime Minister David Cameron has said that if he wins reelection, he will initiate legislation that would provide law enforcement with a means to access private, encrypted online communications. Under the plans put forth by Cameron, encrypted messaging services such as WhatsApp, iMessage, Skype and CryptoCat would not be legal. “The first duty of any government is to keep our country safe and our people safe,” he said. Privacy International’s Mike Rispoli said , “The UK simply cannot command foreign manufacturers and providers of services … to accommodate the desires of British spies.” In a blog post, Cory Doctorow wrote, “there’s no back door that only lets the good guys go through it.” [Computerworld] ameron is urging President Obama to pressure Apple, Google and Facebook to stop using stronger encryption in their communications products. An article published in The Guardian includes details from a 2009 report from the US National Intelligence Council that has surfaced expresses concern that both government and private computers are not adequately protected because encryption is not being implemented as quickly as it ideally should be. [ZDNet] [CNET] [The Register] [Ars Technica] [Ars Technica] [David Cameron seeks cooperation of US president over encryption crackdown]

US – New York Prosecutor Calls for Law to Fight Apple Data Encryption

Apple Inc. and Google Inc. should be legally required to give police access to customer data necessary to investigate crimes, New York County’s top prosecutor said. Federal and state governments should consider passing laws that forbid smartphones, tablets and other such devices from being “sealed off from law enforcement,” Manhattan District Attorney Cyrus Vance said today in an interview at a cybersecurity conference in New York. Apple and Google’s mobile operating systems together accounted for more than 95% of smartphone shipments through the first three quarters of last year. [Bloomberg]

UK – PM Makes Apple CEO Tim Cook a Global Privacy Champ

“I want to be absolutely clear that we have never worked with any government agency from any country to create a backdoor in any of our products or services,” Apple CEO, Tim Cook wrote last year. “We have also never allowed access to our servers. And we never will.” Now, it looks like Apple will need to fight to maintain customer privacy, as British Prime Minister David Cameron wants to ban services that encrypt messages so they cannot be intercepted by spies, criminals or anyone other than those in the conversation. This directly impacts Apple’s iMessage or FaceTime, which offer end-to-end encryption. [computerworld.com]

EU – Paris Airport Security Made Security Expert Decrypt Laptop Hard Drive

When security expert Katie Moussouris was traveling through Paris’s Charles de Gaulle airport on her way back to the US after a conference, she was asked by security personnel there not only to power up her laptop, but also to enter her passwords to decrypt the machine’s hard drive. The laptop was not confiscated. [The Register]

EU Developments

EU – New Data Privacy Law Could Be Delayed Until 2016

Europe’s long-awaited new data protection law may be delayed until 2016, partly because of resistance by the UK Government. That’s the warning last week from MEP Jan Philipp Albrecht, vice chairman of the European Parliament committee overseeing the bill. The new General Data Protection Regulation(GDPR) is due to be finalised by the end of 2015 – but failure to agree the new rules is leaving European citizens exposed to snooping from foreign and European intelligence agencies and companies, Albrecht said. At a 7 January briefing in the European Parliament, he warned that delays to the law – which was first proposed in 2012 and has been hit by nearly 4,000 amendments – are “bad for democracy”. [SC Magazine]

UK – Theresa May: Data Law Could Have Helped Catch More Paedophiles

The home secretary, Theresa May, has told a child abuse summit that so-called snooper’s charter laws could have helped law enforcement officers catch more paedophiles online. May told representatives from more than 50 countries, 23 technology companies and nine non-governmental organisations that gaps remained in law enforcement and intelligence agencies’ capabilities to track down child abusers. Last month new powers were announced for police to force internet firms to hand over details that could help identify suspected terrorists and paedophiles. The counter-terrorism and security bill will oblige ISPs to retain information linking internet protocol addresses to individual users. [The Guardian] SEE also: [UK Prime Minister David Cameron has called for a ban on encrypted communications] [French data protection authority, the CNIL, published its standard defining accountability in practice, and companies demonstrating compliance will receive accountability seals from the data protection authority]. [the CNIL has issued new standards for call-monitoring and recording by employers] AND In The Netherlands next month, the District Court of the Hague will hear a legal challenge of the Dutch data retention law “filed by a broad coalition of organizations.”]

EU – Finland Gets Tough on Privacy

Finland is cracking down on social media and online messaging providers ahead of a big European Union review. On 1 January, the ‘Information Society Code’ passed into law. The Code is a major new umbrella act revising the country’s electronic communications legislation, which has four main goals: simplifying existing rules; improving consumer protection; boosting information security; and creating more equal telecoms markets. The greatest potential consequence of the Information Society Code comes from its increased regulatory powers over the information society. Most notable is the new requirement to ensure confidentiality of communications rules apply to all electronic communication distributors, including social media companies.[zdnet.com]

UK – Wellers’ Child Privacy Case: Peers Urged To Change Law

It follows a campaign by the wife of the rock star Paul Weller, who won a high court battle last year over unpixelated photos of their children published by a newspaper website. Hannah Weller’s cause is being supported by the Labour peer Angela Smith, who raised it in the Lords. The government said a balance had to be struck between privacy and free speech. Hannah Weller set up a campaign group to make it illegal to publish unpixelated pictures of children without parental consent. She insists there would be exceptions granted for pictures published in the public interest, those taken of a crowd or where there is implied consent, such as a red carpet event. The Labour peer and Shadow Home Office Minister, Angela Smith, is supporting the campaign, arguing that civil law could be changed to prevent specific abuses of privacy without threatening free speech. [BBC News]

EU – IRE: Concern Over Personal Info Database for Every Primary Student

Concern is being expressed about a new Primary Online Database being established by the Department of Education. Under the plan, all children’s PPS numbers along with details of their religion and ethnic backgrounds will be included on the database, which the Department said will be used to develop education policy into the future. Parents of all primary school children are being sent letters outlining how the new POD will work and what information will be stored, the letter states that the information will be kept until the child reaches the age of 30. The Department claims the database will eliminate the existing annual school census, facilitate transfers between schools, and keep track of students who do not go on to secondary school. [breakingnews.ie]


US – Marriott to Stop Blocking Personal Wi-Fi Hotspots

Marriott International will no longer block personal wi-fi hotspots in its hotels. The US Federal Communications Commission (FCC) investigated the issue after a customer complained, and found that a hotel in Tennessee was using a monitoring system that de-authenticated guests’ hotspots. The FCC fined Marriott US $600,000. Marriott believed it was acting within its rights to block the hotspots and maintained that blocking customers’ wi-fi hotspots was a security measure. [BBC] [Silicon Republic] See also: [Manitoba: Hotel Wi-Fi exposes woman’s passport, credit card numbers]

US – Writers Say They Feel Censored by Surveillance

A survey of writers around the world by the PEN American Center has found that a significant majority said they were deeply concerned with government surveillance, with many reporting that they have avoided, or have considered avoiding, controversial topics in their work or in personal communications as a result. The findings show that writers consider freedom of expression to be under significant threat around the world in democratic and nondemocratic countries. Some 75% of respondents in countries classified as “free,” 84% in “partly free” countries, and 80% in countries that were “not free” said that they were “very” or “somewhat” worried about government surveillance in their countries. Smaller numbers said they avoided or considered avoiding writing or speaking on certain subjects, with 34% in countries classified as free, 44% in partly free countries and 61% in not free countries reporting self-censorship. Respondents in similar percentages reported curtailing social media activity, or said they were considering it, because of surveillance. [nytimes.com]


US – SEC Considers CyberSecurity Disclosure Rules

The Securities and Exchange Commission (SEC) is “advancing measures” that would require publicly owned businesses to share more data about their cybersecurity vulnerabilities, including data breaches. The move would likely prompt businesses to tighten their security because the public would know how well companies are protecting data. “It’s a harbinger of what’s to come, and I think it will change the way companies think about and report on cyber,” said Squire Patton Boggs’ Norma Krayem. Former Securities and Exchange Commissioner Roberta Karmel said, “It’s kind of a recent trend that Congress seems to think federal security laws should cover absolutely everything that goes on in terms of the conduct at public companies.” [The HIll]

US – Regulator Criticized for Breach Response

In the wake of a breach during a regulatory exam, a federal banking regulator is getting a chilly reception to its plans to consider new rules related to encryption of data shared with examiners. Michael Fryzel, a former NCUA chairman, says consideration of a new encryption regulation is premature. Instead, the NCUA should focus on establishing a working group to review the agency’s security practices during examinations, he says. [bankinfosecurity.com]


MB – Refusal to Release Info Revisited

The City of Winnipeg is rethinking its refusal to divulge part of the rationale for pursuing the $210-million Winnipeg police headquarters project. The ombudsman’s report grew out of a February 2014 Free Press request for information that led city officials to recommend purchasing the Canada Post building in 2009 and renovating it into a new police headquarters instead of fixing the Public Safety Building. The city denied access the following month, prompting the complaint to the ombudsman. After nine months of investigating, the ombudsman concluded while the city could invoke the “advice to a public body” exception, it did not provide any reason why it made that decision and predetermined its decision as a refusal. Mayor Brian Bowman made a campaign promise to stop the city from the frequent use of the discretionary exceptions as a means of denying access-to-information requests. [winnipegfreepress.com]


WW – New DNA Technique May Reveal Face of Killer in Unsolved Double-Murder

There were no witnesses to the gruesome murder of a South Carolina mother and her 3-year-old daughter inside a busy apartment complex four years ago. But a new technology that can create an image of someone using DNA samples left at crime scenes might bring police closer to catching the killer. Reston, Va.-based Parabon Nanolabs, with funding from the Department of Defense, has debuted a breakthrough type of analysis called DNA phenotyping which the company says can predict a person’s physical appearance from the tiniest DNA samples, like a speck of blood or strand of hair. The DNA phenotyping service, commercially known as “Snapshot,” could put a face on millions of unsolved cases, including international ones, and generate investigative leads when the trail has gone cold. “Traditional forensic analysis treats DNA as a fingerprint, whereas Snapshot treats it as a blueprint — a genetic description of a person from which physical appearance can be inferred,” Greytak said. [Fox News] See also: [Surprise! With $60 Million Genentech Deal, 23andMe Has A Business Plan]

Health / Medical

CA – Confidentiality Agreement Handcuffs Assisted-Suicide Researcher

A professor who has successfully defended his right to protect the subjects of his research on assisted suicide wants to return to teaching at a university in Surrey, B.C., but a confidentiality agreement is blocking the way. Russel Ogden is drawing a yearly salary – more than $87,000 in 2014 – from Kwantlen Polytechnic University, but unable to teach or conduct research in its name since 2008 as a result of the deal he signed with the school. [The Globe and Mail]

Horror Stories

US – Park ‘N Fly Confirms Breach

Following a breach of its e-commerce website, Park ‘N Fly has been notifying “an undisclosed number of customers that their payment card information was exposed.” “Airport parking lots are attractive targets for fraudsters because they are often used by business travelers utilizing business or commercial credit cards,” the report states, quoting one card-issuer that noted such cards have “high lines, low decline rates and less scrutiny on a day-to-day basis by cardholders.” Park ‘N Fly is working with law enforcement and credit card issuers to investigate the incident, and those affected are being offered one year of free credit monitoring and identity protection services. [BankInfoSecurity]

US – NCUA Accepts Responsibility for Breach, Pays $50,000

The National Credit Union Administration (NCUA) announced that its board approved a payment of $50,000 to Palm Springs Federal Credit Union (PSFCU) to help cover expenses related to a data breach. In October, PSFCU notified its members that an unencrypted flash drive was lost when it was given to an NCUA examiner. The drive contained member names, addresses and Social Security numbers. NCUA, which at first faced criticism for not taking responsibility for the breach , now says it is “reinforcing training on protecting sensitive information and reviewing regulations, policies and procedures” and is considering adopting additional safeguards for electronic data. [Bank Info Security]

US – Heartland Provides Breach Warranty as Retail Encryption Need Grows

One of the country’s largest retail payment processors, Heartland Payment Systems, has announced it will offer a new breach warranty for users. The program will reimburse merchants that use Heartland for cost impacts from data breaches, the report states. Heartland Executive Director of Product Development Mike English said, “There is no bad time to ensure the businesses that process cards with us are safe … Hackers and criminals don’t wait until the busy times to breach a retail or restaurant network.” English also said the warranty also offers a “forensic audit by a PCI-certified Qualified Security Assessor.” [eWeek]

US – LinkedIn Account Credentials Targeted in Phishing Scheme

Attackers are using phony security alerts to steal LinkedIn account access credentials. The messages pretend to come from LinkedIn support staff saying that users must download an attachment that will tell users how to install an update. The attachment appears to be the LinkedIn website but it sends entered data to the attackers. Users can protect themselves by activating LinkedIn’s two-factor authentication. [v3.co.uk] [SCMagazine]

US – US Military Social Media Accounts Hijacked

The Twitter and YouTube accounts of the US military’s Central Command (Centcom) have reportedly been hijacked by people claiming to be operating on behalf of Islamic State. Both accounts were temporarily suspended. Centcom has called the incident vandalism, and says it did not affect operations, nor was it a serious data breach. Some information about military personnel was posted, but it came from the Massachusetts Institute of Technology (MIT), not from military systems. The compromised accounts were taken offline. [BBC] [WIRED] [CNET] [SCMagazine] [NextGov] [ZDNet] [Washington Post]

US – United Mileage Plus Accounts Compromised

using logon information obtained from a third-party managed to access about 35 United Airlines Mileage Plus accounts and arranged free travel and upgrades. United was not the source of the breach; the access credentials were used in attacks against other companies as well. [ComputerWorld] [Washington Post]

US – Possible Breach of Chick-fil-A Payment Systems

According to information from several US financial institutions, fast-food chain Chick-fil-A may have experienced a payment system breach. The financial institutions note a pattern of fraud connected with payment cards used at the restaurants in the US. At one financial institution alone, nearly 9,000 cards appear to have been affected. Brian Krebs notes that in similar cases, the particular franchises affected were those that had outsourced point-of-sale system management to a third party. [Krebs] [DarkReading]

US – Morgan Stanley Employee Fired Over Alleged Customer Data Theft

Morgan Stanley has fired an employee for allegedly stealing customer data, including account access credentials, and offering them for sale online. The breach affected approximately 10% of the company’s 3.5 million wealth management customers. The employee had worked at Morgan Stanley since 2008. [Bloomberg] [NYTimes] [SC Magazine]

US – USPS Breach Affected Some Health Data

Additional details being released about the September 2014 intrusion of US Postal Service computers indicates that certain health information was compromised as well. The affected data are related to workers’ compensation claims. Because the compromised health data are not part of an insurance plan, the breach will not incur health data security fines. [NextGov]

Identity Issues

US – New York City ID Opens Doors — and Privacy Concerns

In New York City, Mayor Bill de Blasio made a pitch for a piece of plastic — a new ID card for New York City residents, regardless of immigration status. New Yorkers 14 and older can now join the largest municipal identification program in the country. De Blasio said renting an apartment, opening a bank account and entering a school building will now be easier for the city’s estimated half-million unauthorized immigrants. And the IDNYC program doesn’t leave out New Yorkers who already have ID. Here’s how the mayor sweetened the deal: “A free, one-year membership to 33 cultural institutions! That did get the attention of many New Yorkers,” he said. Los Angeles is preparing to roll out an ID similar to New York’s. They join cities like San Francisco; Oakland, Calif.; and New Haven, Conn., where only about 10 percent of the city’s population has applied since 2007. New York officials hope their program will be more widely adopted. [NPR] See also: [[US – A plan to put your driver’s license on your phone] and [National Post editorial board: Good riddance to carding]

US – Debra J. Farber: Identity Management’s Role in Data Privacy

UnboundID: What are the biggest challenges at organizations right now when it comes to protecting customer privacy? Farber: Companies are struggling to know exactly where their data is located, how many copies of that data exist, who has access to it, and for how long it is stored. They don’t have the staff to manually govern this. On top of this, there are varied laws depending on your industry and the states and countries where your business operates. Usually, there’s only a high-level business process understanding as to why data is collected, from which sources, and where it resides. There’s usually confusion about “ownership,” which means that nobody knows who should make decisions about personal data. Adding to the mix is that large organizations usually have legacy systems, which have not yet been decommissioned, but which are still collecting data. Generally, companies need to tighten their processes around data lifecycle management. With the movement toward big data, the tendency for many organizations now is to collect and store as much data as possible with the hopes that insights may be gleaned in the future. Though, from a privacy perspective, that’s a bad practice. Most privacy laws require a company to collect, store, and share personal data for a specific purpose. [UnboundID]

Intellectual Property

CA – Canadian VPN Services Could Be Forced to Alert Pirating Customers

It’s unclear if VPN services will be forced to keep customer records under Canada’s new Copyright Modernization Act. Virtual Private Network (VPN) services are legal and until now, believed to be completely unregulated in Canada, making them particularly popular for internet users interested in online privacy protection, accessing geolocked content via streaming services like Netflix and U.S.-only Hulu, or for those interested in more nefarious activities like piracy-focused Torrent downloading or criminal activity. However, new legislation, which went into effect on Jan. 1, doesn’t clearly state whether Canada’s Copyright Modernization Act pertains to VPN platforms in Bill C-11’s section 41.25 (a). An integral aspect of the new law requires internet service providers (ISPs) to relay copyright infringement allegations to customers (an act that has already been occurring for years), and to also keep a record of these allegations for six months in case the copyright holder makes the decision to take legal action. Over the next few years virtual private networks could potentially become significantly less private in Canada. [Canada.com]

Internet / WWW

US – Lawmakers Launch Congressional IoT Caucus

U.S. Reps. Suzan DelBene (D-WA) and Darrell Issa (R-CA) have announced the creation of a new Congressional Caucus dedicated to the Internet of Things (IoT). “Policy-makers will need to be engaged and educated on how we can best protect consumers while also enabling these new technologies to thrive,” DelBene said, adding, “It’s important that our laws keep up with technology, and I look forward to co-chairing the IoT caucus.” Issa, who chairs the Subcommittee on Intellectual Property, Courts and the Internet, said, “It’s critical that lawmakers remain educated about the fast-paced evolution of the Internet of Things and have informed policy discussions about the government’s role in access and use of these devices.” [Press Release] [U.S. Reps. Suzan DelBene (D-WA) and Darrell Issa (R-CA) have announced the creation of a new Congressional Caucus dedicated to the Internet of Things.]

US – FTC Chair Says Internet of Things Presents “Significant Privacy and Security Implications”

In a speech at the International Consumer Electronics Show in Las Vegas, US FTC chairperson Edith Ramirez warned that the Internet of Things (IoT) presents “significant” privacy issues. The billions of connected device collect, store, and in some cases transmit data. Ramirez urged companies to make security a part of their product development process, to collect the minimum amount of data necessary, and to notify consumers of unexpected use of their data and provide simplified choices regarding this use. [BBC] [Ars Technica] [v3.co.uk] [Text of speech]

US – Cullen Joins Accountability Foundation to Work on “Accountability 2.0”

The Information Accountability Foundation (IAF), a nonprofit organization headed by Marty Abrams, announced this week that Peter Cullen, formerly GM and chief privacy strategist for Microsoft’s Trustworthy Computing Group, is joining the organization as executive strategist, policy innovation. He will be tasked with leading the IAF’s work “in developing a Holistic Governance Policy Model,” which Abrams called “an essential building block of Information Accountability 2.0 .” [Full Story]

WW – Surveys and Predictions 2015 Roundup

[Top Tech News: The Future of Your Privacy Doesn’t Look Good | Pew Internet Report] [Experts say privacy soon to be a ‘luxury’] [EFF: 2014 in Review: Mobile Privacy and Security Takes Two Steps Forward, One Step Back] [Harvard Business Review: The Tech Trends You Can’t Ignore in 2015]

Law Enforcement

US – Body-Worn Camera Plans Have Residents Worried

L.A. residents’ have privacy concerns over proposed body cameras for Los Angeles Police Department (LAPD) officers. The plan is for nearly 900 cameras to be issued in the first quarter of the year, which will record interactions between LAPD officers and members of the public. The LAPD is one of many police departments considering such a measure. Meanwhile, city police officers in Pittsburgh are required to sign a policy forbidding them from releasing information to the public without authorization. Releasing the information could result in termination. Editor’s Note: The IAPP will host a web conference on January 30 from 1 to 2:30 p.m. EST on Law Enforcement Use of Body-Worn Cameras. [NBC] See also: [North Dakota State Rep. Kim Koppelman (R-West Fargo) has introduced a bill that would exempt images from police-worn body cameras from open records requirements]

US – Spokane: Police Body Camera Pilot Ends; Review and Implementation Next

A four-month pilot program to outfit Spokane police officers with body cameras will formally come to an end this week, but little is expected to immediately change in the department’s day-to-day use of the cameras. Officers who began wearing the cameras during the pilot will be able to continue wearing them on a volunteer basis going into 2015, said Tim Schwering, director of the department’s Office of Professional Oversight. Additional officers may also elect to begin wearing cameras. Over the next several months, he said, police will review use of the cameras and work to develop estimates on the video storage capacity and staff time to respond to record requests that a full body camera program would require. The department also will create a permanent policy governing camera use and will create a stakeholder commission to help with that process, Schwering said. He said the policy will be revised and updated to reflect any forthcoming changes in state law addressing video footage and public records. Once the pilot program has been reviewed, Schwering said, cameras will be phased in for patrol officers gradually, with the goal of outfitting all patrol officers by the end of 2015. [The Spokesman-Review]

US – FBI Says Warrants Not Necessary to Use Stingray in Public

US Senators are questioning the FBI’s use of cell-tower spoofing technology known familiarly as Stingray. The agency says it does not need a warrant to harvest data. Senators Patrick Leahy (D-Vermont) and Chuck Grassley (R-Iowa), chairman and ranking member of the Senate Judiciary Committee, have written a letter expressing concern “about whether the FBI and other law enforcement agencies have adequately considered [American’s] privacy interests,” and seeking additional information on the technology’s use. [Ars Technica] [Washington Post]


US – Plans to Deploy Drones Draws Backlash

A move by law enforcement agencies in the San Francisco Bay Area to deploy drones has provoked a privacy backlash. The University of California, Berkeley, would be one of the places subject to drone monitoring. “Berkeley and the Bay Area have a long history of political discussion, protests and debate, and there’s a real concern around the use of these drones under those circumstances and the broader privacy issues,” said Jesse Arreguin of the Berkeley City Council. The ACLU has released a model ordinance for municipal drone use “that would require notifying the public and developing a policy for how the device is used, what data it collects and keeps and who can access it,” the report states. [Bloomberg] [DOD wants to build drones that can buzz into bad guys’ doorways]

Online Privacy

US – Ad Company Using Verizon Tracking Header

An advertising company appears to be using Verizon unique identifier token headers (UIDH) to track users’ online behavior. Clearing cookie caches will not prevent this tracking. [ComputerWorld] [The Register] [PC World]

WW – Report: New Super Cookies Can Even Track Your Privacy-Mode Browsing

A chink in the HTTP Strict Transport Security protocol makes it possible to fingerprint users who browse sites, even when they’re using a privacy mode like Chrome’s Incognito Browsing. HTTP Strict Transport Security is usually used to ensure that users only interact with the correct servers when using HTTPS connections, by flagging how one type of encryption should be used for all future interactions. But security researcher Sam Greenhalgh has used the feature to create a new tool called HSTS Super Cookies. Just like normal cookies, they fingerprint a user when they’re browsing without a privacy feature turned on, so they can be used to identify them at a later date. But these new cookies are visible even when using privacy modes, and can also be read by websites from multiple domain names, not just the original provide. Combined, that means that these super cookies will allow any number of websites to track a users movements on the web, even when they’re using a private browsing mode. [Gizmodo]

Privacy (US)

US – 75 Companies Sign Pledge, But Google’s Not One

Google’s has decided not to sign the Student Privacy Pledge created by the Future of Privacy Forum (FPF) and endorsed by President Barack Obama, who said , “If you don’t join this effort … we intend to make sure those schools and parents know you haven’t joined this effort.” Google has said its “contracts and policies demonstrate a commitment to student privacy,” the report states. FPF’s Jules Polonetsky said Google agrees with “the substance of the commitments listed in the pledge,” noting the pledge is one way to convey how companies use student data, “But certainly it’s not the only way … Some companies may choose privacy seals or prominent privacy policy statements or other ways to communicate and self-regulate.” [The Wall Street Journal]

US – FTC Casebook Tool Unveiled by Westin Privacy Research Center

After a great deal of work, the IAPP Westin Research Center has launched its casebook of FTC privacy and data security enforcement actions. The casebook is a digital resource, collecting all 180 FTC enforcement actions (for now) and making them easily accessible, full-text searchable, tagged, indexed and annotated. To help users better understand the benefits and functionality of this tool, they have developed several use cases displaying how users might search the casebook and make use of the results.

US – New Data Breach Preparedness, Response Guidance

New to the IAPP Resource Center is the Washington Legal Foundation (WLF) Monograph Data Security Breaches: Incident Preparedness and Response. Authored by Jena Valdetero, and David Zetoony of Bryan Cave LLP with a forward by Federal Trade Commissioner Maureen Ohlhausen, the handbook provides a basic framework to assist in-house legal departments with handling a security incident. It explains security incidents, outlines ways in-house counsel can help prepare for an incident and offers steps that should be taken in responding to an incident as well as costs involved. “I believe this WLF Monograph will be a useful reference for in-house counsel as they prepare for and encounter security incidents,” Ohlhausen writes. [Full Story]

The IAPP’s Westin Research Center released the FTC Casebook, in which all FTC complaints and consent decrees and attendant documents are searchable by keyword, tag or case home page.

Privacy Enhancing Technologies (PETs)

WW – Google Patents Method for Enabling Private Browsing Automatically

While users who want to browse the Internet incognito usually must explicitly enable their browsers’ privacy settings to avoid being tracked, a new technology from Google may soon eliminate the step. The company has been granted a U.S. patent for a method that would allow private browsing automatically via certain websites. Browsers equipped with the technology would be able to tell when the website’s content might prompt users to opt for private browsing, the report states. Google’s description of the service says, “The privacy mode can be enabled to prevent storage of webpage user information generated as the user browses the webpage.” [eWeek]

US – Wearable Start-Up Raises $16M in Funding

A San Francisco-based healthcare start-up has raised $16 million in venture capital funding—$23 million in total funding—to bring Google Glass into the healthcare world. Augmedix uses the wearable technology to minimize the amount of time clinicians spend with electronic health records to increase the time spent with patients. The company’s chief executive officer said, “In terms of economic impact, we’ve repeatedly shown that our service effectively turns three doctors into four.” [Healthcare IT News]

US – Mining Your Genes

Fusion reports on the potential for pharmaceutical companies to mine people’s genes. “Imagine a world where genetic sequencing is free, like Gmail,” the report states. “That’s where we’re headed.”

US – On the Importance of Building Privacy Into Apps and Reddit AMAs

Massachusetts Institute of Technology’s Jean Yang and her team are working on Jeeves, a framework for programmers to implement privacy policies directly into the code. “If it works as foreseen—and there is still a lot to do around performance—a developer could write policies—who can see what and when—right into the application,” the report states. For example, an app might share GPS data only when the user is in a given ZIP code. [GigaOM]


WW – This is the Cyberattack that Keeps Edward Snowden Up At Night

In an interview with James Bamford published by NOVA, Edward Snowden said that when it came to cyber warfare, the United States has “more to lose than any other nation on earth.” And he’s not just talking about attacks on systems with obvious effects on the physical world, but the potential fallout of attacks aimed at crippling the Internet itself. The United States is among the most digitally reliant nations out there, which opens up more avenues for cyberattacks. [The Washington Post]

WW – Majority of PHP Installations are Unsecure

More than three-quarters of PHP installations contain at least one security issue. Other software packages were found to contain flaws as well: 38 percent of sites running Apache web server were found to be unsecure, as were 36% of sites running Nginx, 22% of sites running Python, and 18% of sites running Perl. [The Register] [IRC Maxwell]

Smart Cars and Devices

WW – BMW Sounds Alarm Over Tech Companies Seeking Connected Car Data

BMW says technology companies and advertisers are putting increasing pressure on carmakers to hand over data collected by connected cars, “underlining the fine line being taken by the automotive industry between functionality and privacy.” BMW’s Ian Robertson said every car the company makes now offers some kind of wireless connectivity and there’s plenty of people saying, “Give us all the data you’ve got and we can tell you what we can do with it … and we’re saying ‘No thank you.’” Robertson said the data cars can collect now is as granular as being able to detect whether a child is in the car based on weight sensors. [The Irish Times]

CN – Even China’s Academy of Science thinks wearables are privacy problem

Researchers from the Chinese Academy of Sciences, the Australian National University, Dakota State University, Sydney University and Australia’s Commonwealth Scientific and Industrial Research Organisation (CSIRO) have looked over the state of play in the Internet of Things, and find that concern for privacy is lacking. Their paper at Arxiv notes that the current enthusiasm for wearables involves consumers handing over far more data (much of it highly personal and sensitive) than the mere boat-loads of data collected by outfits like Facebook. The paper offers a summary of areas the group says research is needed to develop both technologies and behaviours to protect user privacy in the IoT era. Problems highlighted by the report include:

  • User consent – somehow, the report says, users need to be able to give informed consent to data collection. Users, however, have limited time and technical knowledge.
  • Freedom of choice – both privacy protections and underlying standards should promote freedom of choice. For example, the study notes, users need a free choice of vendors in their smart homes; and they need the ability to revoke or revise their privacy choices.
  • Anonymity – IoT platforms pay scant attention to user anonymity when transmitting data, the researchers note. Future platforms could, for example, use TOR or similar technologies so that users can’t be too deeply profiled based on the behaviours of their “things”. [The Register]


WW – Paris Attacks Prompt Call for Intelligence-Sharing

Following the terrorist attacks in Paris, EU interior ministers pledged to increase intelligence-sharing, while data regulators warn surveillance programs under consideration must strike the right balance between privacy and security, Bloomberg reports. German Chancellor Angela Merkel has said she will press for new EU rules on data retention to help in the fight against terrorism; UK Prime Minister David Cameron says he will urge U.S. President Barack Obama to pressure Internet firms to cooperate more with intelligence agencies tracking the online activities of extremists, and European Council President Donald Tusk “has implored MEPs to accept the creation of a single, shared database of personal information on air passengers arriving in, or leaving, the EU.” Meanwhile, the European Commission said Monday it does not plan to launch an EU-wide intelligence agency. [Full Story]

US: FBI Says Search Warrants Not Needed to Use “Stingrays” In Public Places

The Federal Bureau of Investigation is taking the position that court warrants are not required when deploying cell-site simulators in public places. Nicknamed “stingrays,” the devices are decoy cell towers that capture locations and identities of mobile phone users and can intercept calls and texts. The FBI made its position known during private briefings with staff members of Senate Judiciary Committee Chairman Patrick Leahy (D-Vt.) and Sen. Chuck Grassley (R-Iowa). In response, the two lawmakers wrote Attorney General Eric Holder and Homeland Security chief Jeh Johnson, maintaining they were “concerned about whether the FBI and other law enforcement agencies have adequately considered the privacy interests” of Americans. According to the letter, which was released last week: “For example, we understand that the FBI’s new policy requires FBI agents to obtain a search warrant whenever a cell-site simulator is used as part of a FBI investigation or operation, unless one of several exceptions apply, including (among others): (1) cases that pose an imminent danger to public safety, (2) cases that involve a fugitive, or (3) cases in which the technology is used in public places or other locations at which the FBI deems there is no reasonable expectation of privacy.” [Slashdot] See also: [Hacked emails reveal China’s elaborate and absurd internet propaganda machine]

US – F.B.I. Is Broadening Surveillance Role, Report Shows

Although the government’s warrantless surveillance program is associated with the NSA, the FBI has gradually become a significant player in administering it, a newly declassified report shows. In 2008, according to the report, the F.B.I. assumed the power to review email accounts the N.S.A. wanted to collect through the “Prism” system, which collects emails of foreigners from providers like Yahoo and Google. The bureau’s top lawyer, Valerie E. Caproni, who is now a Federal District Court judge, developed procedures to make sure no such accounts belonged to Americans. Then, in October 2009, the F.B.I. started retaining copies of unprocessed communications gathered without a warrant to analyze for its own purposes. And in April 2012, the bureau began nominating new email accounts and phone numbers belonging to foreigners for collection, including through the N.S.A.’s “upstream” system, which collects communications transiting network switches. That information is in a 231-page study by the Justice Department’s inspector general about the F.B.I.’s activities under the FISA Amendments Act of 2008, which authorized the surveillance program. The report was entirely classified when completed in September 2012. But the government has now made a semi-redacted version of the report public in response to a Freedom of Information Act lawsuit filed by The New York Times. The Times filed the lawsuit after a wave of declassifications about government surveillance activities in response to leaks by the former intelligence contractor Edward J. Snowden. [nytimes.com]

US – Citizenfour Earns Oscar Nod; Snowden Talks from Moscow

It’s just been announced that Citizenfour, the documentary portraying the Snowden disclosures, has been nominated for an Oscar. Eric Jones reviews the film, noting it refrains from any narrative defense of Snowden’s actions and instead reveals Snowden’s slowly developing apprehension and also his lack of panic or regret. “The net effect is a sympathetic portrayal of a man, misguided or not, who views himself as doing the right thing and is only in this moment seeing the monumental consequences of his actions,” he writes. Meanwhile, James Bamford of PBS has published an interview with Snowden from Moscow on cyberattacks. [Privacy Advisor]

WW – Welcome to ‘Uber-Veillance’ Says Australian Privacy Foundation

Regulators are way behind the game when it comes to wearable and IoT privacy, and users are willingly conspiring with companies that don’t care about them to help create a society of “uber-veillance”. That’s the grim conclusion reached by Australian Privacy Foundation (APF) board member and University of Wollongong researcher Katina Michael in conversation with The Register. [theregister.co.uk]

WW – Ex MS Privacy Head Had Warned of Cloud Spying, But Lost His Job

Two years before Snowden in 2011, Microsoft’s then Chief Privacy Officer Caspar Bowden tried to warn his company that any cloud computing solutions sold to foreign governments would mean unlimited mass surveillance on their clients by the NSA. Two months later Bowden was fired from Redmond. [NetworksAsia]

Telecom / TV

US – Mayer Identifies Zombie Cookies

The latest technological find in the device-tracking landscape is ominously called “zombie cookies.” Initially discovered by Stanford’s Jonathan Mayer, zombie cookies stem from a “hidden undeletable number“ placed on users of Verizon smartphones and tablets and used by advertising company Turn. The Verizon number is used “to respawn tracking cookies that users have deleted,” the report states. Turn Chief Privacy Officer Max Ochoa said, “We are trying to use the most persistent identifier that we can in order to do what we do.” Verizon’s “perma cookie” caused a stir in the news last year, and AT&T dropped a similar ID number after those reports surfaced. In a blog post, Mayer wrote that given the tracking practice, “I think there’s also a good FCC, FTC or state deception case against Verizon.” [ProPublica]

US – EFF Wants Verizon to Ditch Tracking Technology

The Electronic Frontier Foundation (EFF) is urging Verizon Wireless to ditch a tracking technology that allows ad networks to collect data and send targeted ads to mobile users even in cases in which the user has tried to avoid tracking by deleting cookies. “It is clear that Verizon does not understand the privacy risks it is imposing on customers,” the EFF said. Verizon’s tracking system, which came to light last November, allows third-party advertisers to develop a “deep, permanent profile” of web-browsing habits. “Going forward, the company should undertake to obtain genuine prior, informed consent for any future tracking activities,” the EFF said. [MediaPost]

UK – ‘Burglar’s Shopping List’ Security Flaw Fixed

An online service recommended by most of the UK’s police forces has fixed a privacy flaw after being alerted by a security expert. Immobilise allows members of the public to add records to the National Property Register, detailing valuables in their homes. But security consultant Paul Moore discovered a flaw that made it possible to access other people’s records. Recipero, operators of Immobilise, said it had fixed the vulnerability. [BBC News]

US Government Programs

US – NSA to Begin Internship Program This Fall

The NSA will begin accepting applications this fall for its first privacy and civil liberties internship program. At least one student will be chosen for the 2016 summer program to work in the NSA’s newly created Civil Liberties and Privacy Office, the report states. NSA Director of Civil Liberties and Privacy Rebecca Richards said interns are an opportunity for her office. “Exposing the agency to newly minted college grads as well as exposing those newly minted college grads to what the agency does can only bring benefits to this conversation” around NSA surveillance practices, Richards said. [Fedscoop]

US Legislation

US – Obama Lays Out Legislative Proposals

President Barack Obama announced a new legislative proposal to enable cybersecurity information-sharing between the public and private sectors. Specifically, the private sector is encouraged to share threat data with the Department of Homeland Security (DHS). Additionally, the proposal includes modernizing law enforcement authorities by providing tools to fight cybercrime—including the sale of botnets, stolen credit card data and malware. The Center for Democracy & Technology’s Harley Geiger said the proposal includes further privacy-protecting measures than the Cyber Intelligence and Sharing Act, but it “allows companies to share user information with the (DHS) regardless of any privacy law” and allows the DHS to share with other law enforcement “for purposes unrelated to cybersecurity.” [Full Story]

US – Obama Releases Breach Bill Text; NY AG Proposing Data Security Bill

The Obama administration has released the text of its proposed data breach notification bill. While the proposal would strip states of the ability to make their own rules, state AGs could still keep pressure on companies by using state laws that aren’t preempted by the measure. Meanwhile, New York Attorney General (AG) Eric Schneiderman said he will propose legislation to make the state’s data security law the strongest in the country, and Schneiderman and 18 other state AGs have asked JP Morgan for more evidence on last year’s data breach. And The Hill reports credit unions want Congress to create a bipartisan working group to address the ongoing rash of data breaches. [Law360]

US – Obama Wants Breach Disclosure Law

President Obama is asking legislators to pass a bill that would require companies to disclose data security breaches that expose customer data within 30 days. The move is a response to recent breaches that have compromised the personal information of millions of people. Obama also wants the bill to include a provision prohibiting companies from selling students’ information to third party companies. [DarkReading] [TheRegister] [ComputerWorld] [CNET] [President Barack Obama announced a new legislative proposal to enable cybersecurity information-sharing between the public and private sectors] [The Hill reports on comments made by Rep. Zoe Lofgren (D-CA) on the Cyber Intelligence Sharing and Protection Act, saying its “astonishingly broad and overly vague information-sharing regime does more harm than good when it comes to Americans’ privacy.” [Reed Freeman, IAPP Privacy Perspectives] [US – Obama’s Data-Breach Initiative Has Privacy Advocates Optimistic, Cautious] and [After a long delay, Obama declines to fire U.S. attorneys over Aaron Swartz’s suicide]

US – Senator to Introduce Breach Bill; Business Happy with Obama Proposal

Sen. Bill Nelson (D-FL), the ranking member on the Senate Commerce Committee, will soon introduce a data breach notification bill that closely resembles a proposal President Barack Obama called for during his speech Monday. “Now is the time Congress must act,” Nelson said. Meanwhile, NationalJournal reports business groups and Republicans are cheering rather than jeering Obama’s proposal, largely because it would uncomplicate the patchwork state laws businesses must now comply with, but Nextgov asks the question: why wouldn’t the legislation apply to government agencies? [The Hill]

US: New Tennessee Law Protects Employees’ Online Privacy

Now that 2015 is here, the new year means lots of new laws take effect in Tennessee. That includes a change that protects employees’ private information on Facebook, Twitter, and other social media accounts from nosy bosses. Tennessee now joins a list of dozens of states that have passed an Employee Online Privacy Act. McCarty says it protects people who make their online settings private, not the information someone shares with the entire world wide web. The new law says employers cannot force an employee or job applicant to provide access to private information. There are some exceptions that allow employers to pry, such as social media accounts that are specifically for work and identified as affiliated with an employer. [WBIR TV]

US: Delaware’s New Laws: Privacy Protection, Digital Assets

As of midnight Jan. 1, new Delaware laws went into effect to protect the privacy of consumer information; allow access to digital assets of an incapacitated family member; require new disclosure around campaign contributions; and require notice of cancellation of an insurance policy. [The News Journal]

US: Illinois Passes New ‘Revenge Porn’ Law That Includes Harsh Penalties

Illinois became the latest state to criminalize “revenge porn,” crafting what its creators hope will become a model for federal legislation. Gov. Pat Quinn signed a measure making the “non-consensual dissemination of private sexual images” a felony offense in Illinois. The new “revenge porn” law goes into effect June 1, 2015, and will punish offenders with one to three years in prison and up to a $25,000 fine. [Huffington Post]

US – N.D. Bill on Teacher ‘Privacy’ Introduced

A bill introduced to the State Legislature would restrict access to school district records and is the latest in a trio of bills aiming to exempt certain information from the state’s open records laws. Senate Bill 2153 would seal relevant records in a school district employee’s file should that employee be charged with a crime in district court. The records would become publicly available after the criminal complaint against the employee was resolved. The bill is the third this legislative session to attempt to create exemptions to the state’s open records laws. Senate Bill 2133 would remove university students’ email, home and mailing addresses, as well as phone numbers, from the public record. The bill, introduced Tuesday, is a reaction to a mass open records request for students’ contact information by Odney Advertising, which consults for the Republican Party. Senate Bill 2134 would allow the State Board of Higher Education to discuss in private the hiring or firing of a chancellor. It would also make confidential all records used to prepare performance evaluations of top education officials. [The Bismarck Tribune] See also: [US – Teen’s computer-privacy tussle with his Wayzata school goes viral]

Workplace Privacy

UK – BBC Accused of ‘Spying’ After 150 Staff Emails Accessed or Monitored

The BBC has been accused of “spying” on its own staff after it was revealed that nearly 150 staff email accounts were accessed or monitored over the past two years. In response to a Freedom of Information request from the Press Gazette, the BBC said 37 staff email accounts had been monitored because of leak investigations in 2013 and 2014. Other staff accounts had been looked into as a result of a variety of complaints and inquiries, including allegations of fraud, assault, harassment and disciplinary cases. Michelle Stanistreet, general secretary of the National Union of Journalists, said: “The BBC has previously denied any significant monitoring of staff email accounts, and only in criminal or disciplinary investigations, but these figures cast doubt on that explanation and the NUJ will work with our network of reps to get to the bottom of the kind of spying that has been taking place.” [The Guardian]


16-31 December 2014


WW – Hacker Clones Politician’s Fingerprint from Photos

Chaos Computer Club’s Jan Krissler said he successfully replicated the fingerprint of a German politician by using commercial software and several photos taken during a press conference. Krissler said, “politicians will presumably wear gloves when talking in public.” Prof. Alan Woodward noted, “Biometrics that rely on static information like face recognition or fingerprints—it’s not trivial to forge them, but most people have accepted that they are not a great form of security because they can be faked,” adding, “People are starting to look for things where the biometric is alive—vein recognition in fingers, gait analysis—they are also biometrics, but they are chosen because the person has to be in possession of them and exhibiting them in real life.” [BBC News] [Hacker claims you can steal fingerprints with only a camera]


CA – Most Canadians Trust Government to Protect Their Privacy: Poll

According to a survey by Environics Institute and the Ottawa-based Institute on Governance (IOG), most Canadians are reasonably confident the federal government is protecting the personal information it collects about them, and support the idea of sharing that data between departments to improve service. And they accept government surveillance on Canadians for national security as “important” — unless it applies to them. That’s when the majority feel government snooping on their phone records and Internet activity would be a violation of privacy. The survey found 9% of those asked strongly agreed with the notion that the government is “adequately” protecting the personal information it gathers when they fill out their taxes, apply for a passport, cross a border or apply for employment insurance. 48% “somewhat” agreed; 31% aren’t very confident and 12% say they aren’t at all confident that their privacy is protected. [National Post] see also [Schneier: Over 700 Million People Taking Steps to Avoid NSA Surveillance]

CA – Canada: $7,500 In Damages Awarded for Intrusion Upon Seclusion

In McIntosh v Legal Aid Ontario, Superior Court Justice Cornell awarded the plaintiff damages of $7,500 after finding a breach under the relatively new tort of intrusion upon seclusion. This tort was first recognized in Ontario in Jones v. Tsige, 2012 ONCA 32 (CanLII), in which the Court of Appeal for Ontario allowed a civil action for damages for the invasion of personal privacy in Ontario and awarded the plaintiff $10,000 in damages. [Lexology]

CA – Ontario Liberals Paid $10,000 to Have Gas Plant Data Erased: OPP

IT consultant Peter Faist, who is the spouse of former Ontario premier Dalton McGuinty’s deputy chief of staff, was paid $10,000 by the Liberal caucus to wipe data off approximately 20 government computers, police claim. The allegation, unproven in court, comes from an Ontario Provincial Police Information to Obtain document released by the Ontario Superior Court on Thursday. The document was used to get a search warrant, which was executed at a government office in late November.The data Faist is said to have deleted relates to the cancellation of two gas plants in the Toronto-area prior to an election campaign. Police suspect the data were internal email conversations regarding the cancellation of the gas plants. David Livingston, McGuinty’s chief of staff, is accused of ordering the deletion of the emails. [CBC News]

CA – Canada Revenue Agency Destroys Staffers’ Texts

The Canada Revenue Agency has destroyed all text message records of its employees and has disabled logging of these messages in the future. Emails, released through access to information legislation, reveal that Shared Services Canada, the federal organization responsible for information technology services, destroyed the records in the middle of a business day in August. The Canada Revenue Agency has confirmed that it instructed the organization to destroy those records and also no longer log the instant messages, including PINs, BBMs and regular texts, going forward. “Since SMS and BBM messaging are non-secure, transitory methods of communication are used only for routine and nonbusiness related purposes; there is no requirement to maintain the transitory information,” said Philippe Brideau, a CRA spokesman. [Toronto Star]

CA – Alberta Amends PIPA to Address Concerns Between Freedom of Expression and Privacy

Alberta’s amendments to the Personal Information Protection Act have narrowly addressed the Supreme Court of Canada’s concerns about the appropriate balance between freedom of expression and rights to privacy, leaving a number of larger questions to another day. [Lexology] SEE ALSO Michael Geist offers an alphabet of Canadian tech policy in this report.

CA – RCMP Broke Privacy Laws by Sharing Medical Histories of Officers: Report

The RCMP committed a “serious privacy breach” and broke federal privacy laws when it shared sensitive medical information about five of its officers while throwing accusations at their psychologist, according to a privacy commissioner’s report written last month. The five Mounties went to the Office of the Privacy Commissioner of Canada two years ago, after discovering the RCMP had submitted portions of their personal medical histories to the College of Psychologists of B.C. [National Post]

CA – Ontario Fails to Track Complaints Against Crown Attorneys

Ontario’s Ministry of the Attorney General has no idea how many complaints have been lodged against its nearly one thousand prosecutors from across the province, or how many have been disciplined for misconduct in recent years. The lack of organized, accountable oversight, legal observers say, marks a “failure” by the government to properly scrutinize complaints against its Crown attorneys: public servants responsible for making important decisions such as who to prosecute for crimes and recommending sentences for those found guilty. [Mississauga News]

CA – Future Saskatchewan Licences to Prevent Fraud]

SGI is looking to add facial recognition services to their future driver licences and identification cards to help prevent fraud. With SGI’s current five-year contract for driver’s licence and identification card production expiring in 2016, SGI is asking vendors to offer their proposal for a contract by Feb. 13, 2015. “In addition to proposals for regular driver’s license production services, were also asking for proposals for facial recognition services,” said Kelley Brinkworth, manager of media relations for SGI communications. [Moose Jaw Times Herald]

CA – Ontario Privacy Commissioner Slams Hospital’s Lax Privacy Controls

More than a year after discovering a massive privacy breach, Rouge Valley Hospital still has no way of finding out whether any confidential patient records have been inappropriately accessed, Ontario’s privacy watchdog revealed. An investigation by the privacy commissioner found the hospital’s computer system preserves only two weeks of user history. It was only after one careless employee admitted to stealing records and another left patient information in a printer that the privacy breaches were discovered. Privacy Commissioner Brian Beamish ordered Rouge Valley to overhaul its system so that all access to patient files can be tracked. He also ordered the hospital to improve confidentiality training and privacy breach management procedures. He has given the hospital until Sept. 16, 2015, to comply, but declined to name the people or financial institution involved in the breach. This summer, Rouge Valley revealed that two employees had accessed the records of more than 14,000 mothers who gave birth there between 2009 and 2013, so as to sell them Registered Education Savings Plans (RESPs). [Toronto Star]


WW – UN Approves Privacy Resolution in Major Victory for Human Rights

The UN General Assembly formally approved a major resolution on the right to privacy, by consensus. The resolution spotlights the privacy violations that are enabled by advances in technology, overbearing government surveillance, and corporate complicity. As communications have gone global, so too must privacy protections. Privacy rights limited by national borders are increasingly meaningless. As detailed in November, this resolution contains strong language that definitively places mass surveillance under international human rights law. The Human Rights Council has a chance in March to follow through and create a permanent mechanism to safeguard the right to privacy at an international level. The resolution calls for a permanent office on the right to privacy. For that to happen, though, the Human Rights Council in Geneva will have to take action in March by creating a new “special rapporteur” on the right to privacy. If so, in 2015, the world will have its first independent authority examining and promoting the right to privacy with the power to admonish governments for violations. [AccessNow]

WW – The Privacy and Security Winner and Loser Was the User in 2014

In last year’s “unofficial contest to determine computer security and privacy winners and losers,” the award goes to “you, the user,” Kim Zetter writes, with “a host of new products and services … to help protect the privacy and security of your data and communications” and court rulings providing “better protection against the warrantless seizure of your data.” But, the user was also the loser, Zetter notes, with reports suggesting spy agencies across the globe “will not rest until they’ve seized or deciphered every bit of your data.” Zetter lists privacy and security’s other winners and losers: Apple, WhatsApp, the Florida Supreme Court, U.S. Supreme Court, Yahoo and Google Project won, while Sony, President Barack Obama, the U.S. Marshals, Verizon and Gamma International lost. [WIRED]

US – Pew Research Reports on the Future of Privacy

The Pew Research Internet Project has released a new study on the future of privacy. The survey interviewed more than 2,500 experts in conjunction with Elon University’s Imagining the Internet Center and found a split in what respondents think 2025 will look like. For example, 45% said there would likely be “a secure, popularly accepted and trusted privacy-rights infrastructure by 2025,” while the remaining 55% said there are not enough incentives for governments or industry to create such an infrastructure. Stanford University Prof. Paul Saffo said, “Privacy has already shifted from being a right to a good that is purchased.” [Pew Research] and [Experts believe digital privacy may be entirely gone by 2025] and [US: Data privacy important to farmers, study shows]


US – Possible Breach Affects Files of 40,000 Federal Workers

The data of more than 40,000 federal employees may have been compromised in a cyberattack on federal contractor KeyPoint Government Solutions. The Office of Personnel Management (OPM) has started notifying affected workers and will offer free credit monitoring. KeyPoint specializes in background screening and investigations of federal workers and is the second such company to be breached this year. A representative for the OPM said officials concluded an investigation into the incident, finding “no conclusive evidence to confirm sensitive information was removed from the system” and that “Keypoint has worked closely with OPM to implement additional security controls.” [Associated Press]


US – Mediation Attempt in Yahoo Case Fails

U.S. District Court Judge Lucy Koh received this week a status report saying a class-action lawsuit between web users and Yahoo could not be resolved through out-of-court mediation. The plaintiffs argue that Yahoo “violates the federal Electronic Communications Privacy Act by intercepting emails and scanning them for keywords.” Koh rejected Yahoo’s bid to get the lawsuit dismissed earlier this year, but has yet to rule on whether the case can move forward as a class-action. [MediaPost]

EU – Ireland Chimes in on Microsoft Data Privacy Case

Ireland has filed a friend-of-the-court brief in support of Microsoft’s refusal to provide the US government with customer email held on a server in Ireland. The document asks the US to respect Ireland’s sovereignty. Microsoft maintains that the US’s Electronic Communications Privacy Act (ECPA) stored communications provisions are not applicable outside US borders. The data pertain to a criminal case in the US. [CNET] [Why Microsoft, Apple, Fox News and NPR Are Suddenly Working Together] [Tech Giants Rally Around Microsoft to Protect Your Data Overseas]


US – Snowden Leak Shows Which Encryption Agencies Can’t Crack

The latest leak from Edward Snowden details how the U.S. National Security Agency (NSA) and the UK GCHQ have undertaken efforts to “crack all types of encrypted Internet communication.” The leaks did reveal which encrypted services the NSA could not break, including Tor, Truecrypt and PGP. [Der Spiegel]

WW – Google Plans to Warn Chrome Users on All HTTP Connections

Google plans to flag all HTTP traffic as unsecure in its Chrome browser.Chrome users will see alerts when they attempt to visit HTTP sites. Google plans to implement the change in 2015. [The Register] [BBC] [eWeek]

EU Developments

EU – Commission Releases 2015 Agenda; Privacy Bridges Project to Release Consensus Report

The European Commission made public its work agenda for 2015. High on the list is the ongoing effort to break down national barriers to create a digital single market. The commission aims to keep pushing for new telecom legislation including provisions on net neutrality; new data protection rules and a long-term digital strategy for the years ahead, among other goals. Meanwhile, the University of Amsterdam and the Massachusetts Institute of Technology have issued a press release about two recent meetings of the EU-U.S. Privacy Bridges Project—a group of EU and U.S. privacy experts aiming to bridge the gap between EU and U.S privacy regimes—in Washington, DC. The group will release a report in 2015. [PCWorld]

EU – Gov’t Leaders Push for Passenger Name Record Legislation

European Union governments are pushing EU lawmakers to end their opposition to proposals that would make it easier to track airline passengers. UK Prime Minister David Cameron said the stalemate is putting lives at risk. Talks on the passenger name record legislation, which would force airline carriers to give EU countries information about passengers entering or leaving the EU, have been deadlocked since its introduction in 2011. MEPs who oppose the legislation say it undermines data privacy. But Cameron said at a recent summit of EU leaders that lawmakers shouldn’t prevent a mechanism that could keep innocent people from being killed. [Bloomberg]

UK – UK Gov’t Seeks to Water Down Meaning of ‘Consent’

The UK government has raised objections to current EU proposals that would require businesses seeking to rely on ‘consent’ as the lawful basis for processing personal data to ensure that that consent has been unambiguously given “for one or more specific purposes”. It said those proposals are “unjustified” and called on EU law makers to instead turn to the definition of consent under existing EU data protection rules instead for setting the legal standard businesses would need to achieve for consent under the draft new General Data Protection Regulation. Under the 1995 Data Protection Directive, set to be replaced by the Regulation, individuals’ consent is defined as “any freely given specific and informed indication of … wishes by which the data subject signifies his agreement to personal data relating to him being processed”. However, organisations wishing to rely on individuals’ consent to process their data are obliged to ensure that “the data subject has unambiguously given his consent”. The UK government is arguing for this requirement to be removed. Its concerns are detailed in a Council of Ministers (Council) document published by information law business Amberhawk Training. [Out-Law.com]

EU – The Dutch Government Has Published New Draft Bill Implementing EU Data Retention Regulations.

The Dutch government has published its draft concept adapting the regulations on the retention of online data and is calling on all interested parties to send in comments. The proposal was adjusted according to the Telecommunications Act and the Code of Criminal Procedure, in response to an earlier ruling by the European Union’s Court of Justice. The ruling said the Dutch telecom data retention law was invalid. Despite calls from the opposition to scrap the data retention law, the government said the law is essential for the investigation and prosecution of serious criminal offenses and must therefore be sharpened. The latest proposal presents more stringent time limits for storing telephony data. Data will have to be kept for 12 months or even longer in case of a serious offense where the sentence is of at least 8 years. For crimes with a sentence of less than 8 years, data will have to be retained for 6 months instead of the current twelve. The retention law will be further restricted to data that is strictly required by the government for the investigation and prosecution of serious crimes. In addition, the data will have to be stored exclusively on EU territory. Access to data will in the future have to go through a judge. That is not the present case. [Telecompaper]

EU – Funding for Irish DPA Doubled

Funding for Ireland’s Office of the Data Protection Commissioner has doubled. The office will now receive a total of 3.65 million euros, up from 1.89 euros in 2014. Minister of State for Data Protection Dara Murphy said the funding exemplifies the government’s willingness to protect personal data, “irrespective of the nationality of the individuals concerned.” Murphy added, “Organizations in both the public and private sectors, including government departments, state bodies, multinationals and SMEs all need to be mindful of their obligations when dealing with data entrusted to them by citizens.” [Irish Times]


CN – Gmail Blocked in China

China is reportedly blocking access to Gmail inside the country. China began blocking various Google services in 2009 and started blocking Gmail access earlier this year. Users have been seeking third party email clients to access their accounts, and now those have been blocked as well. The only way to access Gmail in China now is through virtual private networks (VPNs). [CS Monitor] [ZDNet] [Ars Technica] [NYTimes] [GreatFire] SEE ALSO [Hacked emails reveal China’s elaborate and absurd internet propaganda machine]


US – FTC Charges Data Broker; Warns Children’s App Maker

The U.S. FTC has charged a data broker with selling “the sensitive personal information of hundreds of thousands of consumers … to scammers who allegedly debited millions from their accounts.” The FTC complaint says data broker LeapLab purchased payday loan applications of financially disadvantaged consumers “and then sold that information to marketers whom it knew had no legitimate need for it,” the FTC press release states. FTC Bureau of Consumer Protection Director Jessica Rich said, “Defendants like those in this case harm consumers twice: first by facilitating the theft of their money and second by undermining consumers’ confidence about providing their personal information to legitimate lenders.” Meanwhile, the FTC has sent a warning letter to a Chinese-based developer that makes the children’s app BabyBus alleging the app collects geolocation information without parental consent and that such actions could violate the Children’s Online Privacy Protection Act. [Source] SEE ALSO: [Hong Kong: Privacy czar hits leaky holiday agency app]


AU – Watchdog Exposes Tricks Public Servants Use to Avoid Sharing Information With the Public

A government watchdog has exposed some of the techniques federal public servants use to wrongfully prevent citizens from accessing their own records. The Information Commissioner’s investigation of the bureaucracy’s biggest workplace, the Department of Human Services, revealed an organisation obsessed with process, that preferred legalese to plain English and had increasingly lost sight of its duty to share information. In one Kafkaesque case, freedom of information officers told a man that recordings of his own voice breached his ex-partner’s privacy because he had mentioned her. Rather than give him the readily available recordings of his phone calls to the Child Support Agency, the FOI team proposed spending weeks of staff time going through each call and censoring the moments he spoke about his ex-partner. Another FOI applicant had asked for a copy of an “actual conversation” he had with department staff. The department refused his request, saying it had no audio recording of the phone call. But it did not tell him it had a written record of it. The report also cited an applicant who wanted details of a call an official had made to another organisation, within a specific date range, that “apparently infers that I was attempting to extort money”. The department denied that request, too, saying there was no document that mentioned “extortion”, even though it had a similar record that matched the request. The commissioner, Professor John McMillan, began investigating the department, which includes Centrelink and Medicare, after noticing a huge increase in the number of times it invoked its “practical refusal” power. Under FOI law, government agencies can knock back requests for documents if processing them would “unreasonably” waste time and resources. However, the department used this power 777 times last financial year, a more than twentyfold increase from two years earlier. Professor McMillan said he had also received many complaints about a change in the department’s culture. [Canberra Times]

JP – Site Aims to Allow Whistleblowing Without Retribution

A Japanese Internet activist and academic who’s challenging a new state-secrets law by setting up a website aimed at making it easier for government officials to leak sensitive information to the media without getting caught. The website was unveiled and uses an open-source platform called GlobaLeaks. “I want to create a secure channel that people can use to transfer information without putting themselves in jeopardy,” said creator Masayuki Hatta. The site responds to a state-secrets law that went into effect last week that establishes prison terms of up to 10 years for public servants or others who leak state secrets. Reporters Without Borders called the law “an unprecedented threat to freedom of information.” [Reuters] [Right to privacy still tentative in Japan] SEE ALSO: [MB: Ombudsman prods city on HQ]

US – NSA Releases 12 Years’ Worth of Internal Reports

On December 24, the US National Security Agency (NSA) made public 12 years worth of internal reports for the President’s Intelligence Oversight Board. Even so, the reports indicate that the NSA conducted illegal surveillance with mild or no consequences. The reports, which are heavily redacted, were released in response to a Freedom of Information Act (FOIA) lawsuit brought by the ACLU. [Ars Technica] [The Register]


UK – Foreign Criminals’ Data Taken Off Police Records

Biometrics commissioner warns privacy laws meant to protect innocent could also guard those committing offences abroad: Thousands of foreign criminals who have been convicted of offences outside England and Wales have had their DNA profiles and fingerprint details deleted from British police databases, a Home Office watchdog has revealed. Alastair MacGregor QC, the biometrics commissioner, has warned the Home Office that this “obviously unsatisfactory state of affairs” might be putting the public at unnecessary risk. The commissioner says there is a gap in the law as a result of new rules designed to remove DNA profiles and fingerprints of innocent people from the police national computer. He says this gap means the biometric details of those arrested but not charged with an offence in Britain cannot be held indefinitely solely because they have been convicted of an offence outside England and Wales. “If the police wish to retain the biometric records of such individuals and have no other basis for doing so, they have no option but to go back to those individuals and (re-arresting them) to take further samples and fingerprints from them,” said the commissioner, voicing concern about the burden this places on forces. MacGregor says re-arresting and re-sampling a suspect following his conviction outside England and Wales could prove a greater invasion of their privacy than simply holding onto the DNA and fingerprints samples already taken from them. The commissioner also says rules that restrict the holding of DNA and fingerprint details of foreign-national criminals on the police national computer of foreign criminals have severely limited the practical use of the powers for British police forces. [The Guardian]

Health / Medical

US – Better Communication Can Mitigating Patient Privacy Concerns: Research

Research reveals that patient privacy concerns could be alleviated by improved communication between individuals and the primary care physician. The survey, conducted by Xerox, found that data security remains a top concern; nearly 35% did not use a portal to interact with their electronic health records. “With providers facing regulatory changes, mounting costs, and patients who increasingly seek access to more information, our survey points to an opportunity to address issues by simply opening dialogue with patients about patient portals,” said Xerox Commercial Healthcare Chief Innovation Officer Tamara St. Claire, adding, “Educating patients will empower them to participate more fully in their own care while helping providers demonstrate that electronic health records are being used in a meaningful way.” [Health IT Security]

US – Consumer Watchdog Tells Insurance Customers to Boycott Medical Database

Consumer Watchdog is calling on customers of Anthem and Blue Shield to boycott a new healthcare database. Backed by $80 million from the two insurance companies, the California Integrated Data Exchange, or Cal Index, would provide state hospitals and doctors with a one-stop database for patient medical records, but Consumer Watchdog argues the plan is being rushed ahead without considering privacy vulnerabilities. The insurers have already sent out nine million notices to customers advising them of their inclusion in the database unless they opt out. “We urge people to opt out because Anthem and Blue Shield have failed to notify consumers of everything they plan to do with their medical information,” said Consumer Watchdog’s Carmen Balber, adding the insurers “have jumped the gun.” [Los Angeles Times] [California Health Database Must Address Privacy, Consumer Group Says]

US – Many Patients Block Access to Electronic Records in Study

Nearly half of the patients who were allowed to choose whether or not to share their electronic records with physicians, nurses, or other clinic employees chose to block the access of some providers to all or a subset of their health information in a study conducted at an Indianapolis safety net clinic. In a companion article about provider reactions to patient control over access to information, the majority of physicians supported the principle of patient control of EHRs but expressed concern over the consequences for the quality of care and the physician–patient relationship. The two studies were part of a group of related papers published online and in a January supplement to the Journal of General Internal Medicine. The research was sponsored by the Office of the National Coordinator of Health IT and conducted by Indianapolis’ Regenstrief Institute. [MedScape] SEE ALSO: [High noon for federal health records program?] and [Neil Wilkinson, former chair of Capital Health, claimed $450,000 in honoraria]

US – Expanded Newborn Screening Raises Privacy Concerns

President Barack Obama is expected this week to sign into law a $100 million bill renewing federal funding for newborn screening. Involving a pinprick to a baby’s heel and a few drops of blood, newborn screening is intended to identify serious disorders within a few days of birth. But privacy advocates worry about the government collection and long-term storage of newborn DNA. The federal law, first authorized in 2008, now includes for the first time an amendment acknowledging privacy concerns over dried blood spots stored on cards and kept on file by state governments: For blood spots used in federally funded research, scientists must obtain a consent form signed by the parents. (The consent requirement will remain in place for up to two years, until the Department of Health and Human Services updates rules governing research on human subjects.) [WorldMag]

US – Insurance Company Sued for Mail-Order Policy for AIDs Drugs

A San Diego man and Consumer Watchdog have filed a lawsuit against Aetna alleging the insurer violates the privacy of individuals with HIV and AIDs by requiring them to get necessary medications through mail-order delivery. An Aetna spokeswoman said the policy is part of a strategy to keep health plans affordable. Consumer Watchdog Attorney Jerry Flanagan said, “Requiring health plans to offer coverage for patients with a preexisting condition means little if the insurer can charge these patients exorbitant co-insurance or only cover care through inconvenient and ineffective mail-order requirements that put the patients’ health and privacy at risk.” [Associated Press]

Horror Stories

US – The Latest in Breaches, and a Prediction for 2015

Chick-Fil-A has announced it is investigating a possible data breach after it “received reports of potential unusual activity involving payment cards used at a few of our restaurants,” stating also that the breach may be the common link in the loss of 9,000 sets of card details. A group of hackers associated with the activist group Anonymous has taken responsibility for hacking the online retailer Amazon, compromising customers’ user names, passwords and credit card information. Experian’s Second Annual Data Breach Industry Forecasts that estimates healthcare data breaches will cost $5.6 billion in 2015. [Source] [Security in 2015: Will you care about the next big breach?] [Top hack attacks of 2014: Love, nudity and politics] [US: 10 recent data breaches]

WW – ICANN Reports November Hack

Unknown attackers hacked sensitive systems operated by the Internet Corporation for Assigned Names and Numbers (ICANN), which allowed them to take control of employee email accounts and access personal information of business contacts. ICANN said, in a release, the breach also gave attackers administrative access to files stored in its centralized zone data system and personal information of account holders who used the system. The breach occurred last month, ICANN says. The group controls the Internet’s domain name system and so is a prime target for hacking attacks that aim to get data that can be used to then breach other targets, the report states. [Ars Technica]

US – Federal, Health Cyber Attacks “Skyrocketing”

A review of cyberattacks against federal agencies during the past year concludes that the number of government system breaches is “skyrocketing.” FireEye’s Tony Cole said, “This is a global problem. We don’t have a malware problem. We have an adversary problem. There are people being paid to try to get into our systems 24/7.” Meanwhile, GovInfoSecurity profiles the biggest health data breaches in 2014, according to the latest federal tally, noting that security incidents involve a range of causes, including insider threats, missteps by business associates and hackers. Additionally, the National Credit Union Administration, itself a federal regulator, will review its data security policies following the loss of sensitive consumer data during an audit. [CNN] [Star investigation: 3 GTA hospitals don’t proactively audit access-to-patient files]\

US – Class-Action: Kmart Breach Due to Brand’s Failure to Protect

A federal class action claims Kmart’s failure to protect customer information with “elementary” security measures left banks liable for the resulting fraud. First NBC Bank filed the class-action against Kmart Corp. and its parent, Sears Holding Corp., over an announcement hackers had breached Kmart’s payment data systems in September, the report states. First NBC Bank says the hack occurred because of Kmart’s outdated anti-virus system, which hadn’t been updated to detect the malware hackers used. Kmart has not disclosed how many were affected by the breach. [Courthouse News Service]

US – Staples Confirms Breach of 1.2 Million Credit Cards

Staples confirmed that hackers had compromised approximately 1.2 million customer credit cards. The confirmation by the company is an update on the breach that was originally announced in October. Cyber criminals, in this case, deployed malware to point-of-sale systems in 115 stores across the U.S. According to Staples’ investigation, criminals may have had access to “cardholder names, payment card numbers, expiration dates and card verification codes.” [US: Staples data breach unlikely to dampen holiday shopping] SEE ALSO: [130K users’ data leaked via China’s train ticketing site]

US – Customers Sue Target

In related news, a federal judge ruled that a consumer lawsuit against Target can proceed. U.S. District Court Judge Paul Magnuson wrote, “Plaintiffs’ allegations plausibly allege that they suffered injuries that are ‘fairly traceable’ to Target’s conduct.” Meanwhile, Boston Children’s Hospital agreed to pay $40,000 and strengthen its data security after a breach affected 2,100 patients. [USA Today]

Identity Issues

US – IOWA: Driver’s License App On a Smartphone Raises Privacy Issues

A smartphone app that drivers in Iowa will be able to use as an official driver’s license could lead to privacy abuses by law enforcement. In 2015, the Iowa Department of Transportation (DOT) plans to become the first to offer the apps to drivers for free, according to published reports. “The way things are going, we may be the first in the nation,” Iowa DOT Director Paul Trombino was quoted as saying in a report published in The Des Moines Register. Iowa police will accept the driver’s license app during traffic stops and by airport security officers screening travelers, Trombino said. Thirty states already allow drivers to show proof of insurance via a smartphone app, so allowing them to also identify themselves as licensed drivers on a smartphone is a natural extension. However, handing police officers or security screeners your smartphone gives them access to a lot more than your license, according to Forrester analyst Heidi Shey. “The privacy concerns that have been brought up already about this are all worth considering. Putting a driver’s license on a smartphone app leaves the door open to privacy violations simply due to device access,” Shey said. For example, if a police officer pulls over a driver for a traffic violation, the officer typically takes the license and registration back to the patrol vehicle to process the information. While the U.S. Supreme Court ruled in Riley v. California that a warrant must first be obtained prior to searching the contents of a cell phone, that ruling could be thwarted by officers citing “probable cause” or “exigent circumstances.” “Once well-recognized exception [to a warranted search] applies when ‘the exigencies of the situation’ make the needs of law enforcement so compelling that a warrantless search is objectively reasonable under the Fourth Amendment,” the Supreme Court wrote in its decision. The Electronic Privacy Information Center, a research group in Washington, filed a brief as part of the Riley case before the Supreme Court. Alan Butler, EPIC’s senior counsel in Washington, said while there’s “no direct application of Riley” because the Iowa mobile app is being built to act only as an ID, it still raises a host of privacy concerns – not the least of which is all the searchable private information on a smartphone. Additionally, what if the driver were to get a phone call or text message while the smartphone was in a police officer’s possession? “And, what is the app doing? Is it collecting additional information about me, whether intentionally or unintentionally?” Butler said. “What is my device doing when it’s using the app? Is it leaking private information about me without my knowledge?” There are also practical reasons a smartphone could fail as a means of legal ID, including a dead battery. [ComputerWorld]

Internet / WWW

WW – CSA: Cloud Privacy Top Issue

The Cloud Security Alliance (CSA) has said data privacy is a top issue for industry in 2015 across the globe, citing “Microsoft’s ongoing battle with the U.S. government over emails contained in an offshore data center as prime example of the battles that lie ahead.” CSA’s Jim Reavis described the Microsoft case as “one of the biggest issues we’ve seen” for cloud security and adoption. Meanwhile, Iceland could become the “Switzerland of information,” with data centers located in a country that “is in the initial stage of implementing the most progressive data-privacy laws in the world.” [TechTarget] [The Irish government has sided with Microsoft against demands by the U.S. government for the company to share data held on servers in Ireland]

WW – Cloud Computing Standard Released, but Will It Be Obeyed?

While cloud computing is emerging, transparency, confidentiality and control are key concerns of potential cloud clients. Cloud clients often lack the necessary information on how the information moved to the cloud is safeguarded, processed, and what happens in case they want to move to another provider or their provider terminates its operation or changes the terms of its policies? At the European Commission’s urging, the national data protection authorities and the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) developed the new standard ISO/IEC 27108. The acceptance of the standard and the ability to live up to the expectations of its developers still remains to be seen in practice. [Full Story]

Law Enforcement

US – Duluth Case Shows Police Body Camera Footage Is New Legal Battleground

When a man in Duluth, Minnesota, barricaded himself in a garage at his home and threatened to kill himself with a knife, police officers shot him twice. The incident, which happened in August, was captured on police body cameras. Months later, city officials who want the body camera video kept secret are in a battle with advocates of police accountability that many believe will be fought out in the Minnesota legislature. The man who was shot by police, 34-year-old Joe Zontelli, survived. The two officers involved were cleared of wrongdoing. But the incident made news in the midwest city of 86,000, and after an investigation was completed by the St Louis County attorney Mark S Rubin, reporters expected the video to be released. It was not. Tom Olsen, a reporter for the Duluth News Tribune who filed a public records request for the police body camera videos, said that under normal circumstances, reporters would have received their information requests after an investigation was complete and a press conference held. The county prosecutor reviewed body camera footage, but authorities didn’t release the videos. Gunnar Johnson, the Duluth city attorney, instead used a legal maneuver to try to temporarily classify the video – and future videos from other cases. Duluth requested the state clarify what body camera footage is public and what should be kept private, through an unusual request to Minnesota’s information policy analysis division. The office denied Duluth’s request, in what will be the final word on the issue unless the legislature picks it up this spring. Johnson said his office was now “working” with the decision, “with the support of other municipalities”. [The Guardian] [The Minnesota Department of Administration has declined an application by the Duluth Police Department that would restrict public access to police body-camera video] SEE ALSO: [Spokane: Police body camera pilot ends; review and implementation next] and [LAPD to buy 7,000 body cameras] and [Cops with cameras coming to Durham, Ontario] and [Calgary Police chief says new tech ‘absolutely’ compliant with privacy laws] and [US: Seattle Police Held a Hackathon to Figure Out How to Redact Body Cam Video Streams] and, finally, [U.S. Army will launch 2 missile surveillance blimps over Maryland]


WW – TTIP Negotiations Continue, While Leaked TISA Negotiation Proposals Have Critics Speaking Out

Progress between the EU and U.S. on the Transatlantic Trade and Investment Partnership (TTIP), a deal to cut tariffs and regulatory barriers to trade. While supporters say it will open up new markets and reduce trade costs, opponents are concerned the agreement threatens privacy by encouraging surveillance of personal data. Meanwhile, negotiations are also underway for the Trade in Service Agreement, in which the U.S. aims to free up data flows online. Leaked proposals in the negotiations have an Australian advocate saying they include rules that would “threaten privacy and civil rights protections for digital personal data.” [BBC News]

Online Privacy

WW – Facebook Has New Search Feature; Class-Action Over Ads Will Continue

Facebook’s new keyword search feature has “enormous implications” for advertising, developers and Facebook itself. With the new feature, users can search stories from their friends and surrounding network, which could add up to more than a trillion posts, according to CEO Mark Zuckerberg. “Privacy by obscurity is basically dead … Now anyone armed with the right, or wrong, keywords can pull up your worst moments and either quietly judge or publicly shame you,” the article states. Meanwhile, a federal judge has denied Facebook’s request to dismiss a class-action suit claiming it violated the U.S. Wiretap Act, saying because of “Facebook’s unwillingness to offer any details regarding its targeted advertising practice” she couldn’t determine whether the practice falls under an “ordinary course of business” exception. [TechCrunch] See also: [ThinkUp Helps the Social Network User See the Online Self] See also [The Slow Death of ‘Do Not Track’]

EU – Dutch DPA Investigating Facebook Privacy Policy

A day after warning Google it may fine it nearly 18 million euros for alleged privacy violations, the Dutch Data Protection Authority (DPA) has said it is also investigating Facebook’s recently revamped privacy policy. The changes, set to go live in January, attempt to simplify the site’s privacy policy, but the policy also states Facebook may use data it collects to sell advertising. The Dutch DPA is looking into that and has asked the company to delay rolling out its new privacy policy until the investigation is completed. “We were surprised and disappointed to learn about the inquiry,” Facebook said, noting it “routinely” reviews such updates with Ireland’s Office of the Data Protection Commissioner for compliance with the EU Data Protection Directive. [The New York Times] see also: [Google Faces $19M Fine Over Privacy Policy]

Other Jurisdictions

RU – Data Protection Law to Become Effective One Year Earlier Than Planned

On December 17, the lower chamber of the Russian Parliament passed legislation that would change the effective date of Russia’s new law requiring local storage of Russian citizens’ personal data from September 2016 to September 2015. Impacted businesses hoped the law would not go into effect until 2016 because of practical considerations that would require the reworking of IT systems to meet the deadline. The Federation Council and president must now approve the change, which would mean businesses “will lose a year of reviewing and implemented their compliance obligations under the law,” the report states. [Hogan Lovells’ Chronicle of Data Protection]

CH – Chilean Bill Aims to Establish Enforcement Body

The Chilean government will soon introduce legislation to create an autonomous body to oversee data protection issues, according to Deputy Economy Minister Katia Trusich. the new law would also require companies to register databases containing personal information but would aim to strike a balance between protecting personal data and allowing it to circulate, Trusich said. “This is an urgent issue for Chile,” Trusich said. Chile’s current data protection framework was enacted in 1999 and is based on Spain’s model. While it aims to protect individuals’ personal information, it doesn’t contain a provision for an enforcement agency or provide sanctions for violations. The new bill aims to close the gaps. [Bloomberg BNA]

NZ – Privacy Commissioner to ‘Name and Shame’ Wayward Corporates

Until recently, Privacy Commissioners rarely named wayward corporates. Instead they relied on bringing tribunal proceedings, which are steps that are time consuming and expensive, and therefore taken only on limited occasions. Now, like other regulators such as the Commerce Commission, the Privacy Commissioner will, in appropriate cases, ‘name and shame’. For many corporates that is a much bigger negative than, say, being ordered to pay a penalty. With greater regulatory exposure, corporates should up their privacy compliance. Plus, when the Privacy Commissioner starts to investigate they should be proactive and careful in managing the situation. [Lexology] SEE ALSO: [NZ: Veil of privacy could be lifted on suspect surgeons] See also [US – Another Voice: Campaign finance disclosure laws may invade citizens’ privacy

AU – South Australia’s Worst Fine Evaders Have A ‘Right To Privacy’, Civil Liberties Group Says

Naming South Australia’s worst individual fine evaders online is an invasion of privacy, according to the SA Council for Civil Liberties. The State Government yesterday published the five worst individual offenders and the three worst companies in an effort to embarrass them into paying hundreds of thousands of dollars in unpaid fines.Attorney-General John Rau said the Government had some success in the past by “naming and shaming” those with outstanding debts. But the council’s spokesperson, George Mancini, said the Government needed to recognise peoples’ right to privacy. He said he was concerned because the information would not normally be available to the public, despite legislation enabling the Government’s fines recovery unit to publish the names of anyone who has not paid a fine. “One of the reasons it’s not available is because it’s confidential, or it’s private information, even just your name and the fact that you have a fine, your date of birth and the amount of the fine,” Mr Mancini said.”Their identity is all information that is not ordinarily available to anybody.” [ABC Net]

WW – Rest of the World News Roundup

Privacy (US)

US – FTC Finalizes Charges with Snapchat

The FTC has finalized a settlement with Snapchat, according to the agency. The complaint, which was originally announced last May, alleges the company deceived customers with guarantees that messages would be deleted and that appropriate security measures had been taken to protect data. The final order states the company must not misrepresent how it handles the data of its customers and that Snapchat “must implement a comprehensive privacy program monitored by an independent privacy professional for the next 20 years.” [FTC]

US – Advocates File Suit to Block Use of Driver Databases for Immigrant Deportation

Immigrant advocates filed a lawsuit over concerns that federal immigration agents could use state driver’s license databases to track down people for deportation. The National Immigration Law Center sued the Department of Homeland Security demanding documents detailing how federal immigration agents access and use driver’s license data. The lawsuit comes after immigrant advocates in Maryland received reports that federal agents earlier this year arrested several immigrants with prior deportation orders after apparently identifying them with help from a driver’s license photo and vehicle information. It also comes about two weeks before California starts issuing driver’s licenses to immigrants in the country illegally. More than 1 million people are expected to apply over the next three years. “We need to at least know what the current policy is,” said Melissa Keaney, an attorney at the Los Angeles-based advocacy organization. “We don’t want to cause unnecessary panic, but we don’t want to cause a repeat of what happened in Maryland.” The lawsuit aims to compel Homeland Security and Immigration and Customs Enforcement (ICE) to release records under the Freedom of Information Act that were requested in April. ICE declined to comment on the suit. The agency does not use driver databases to identify immigration enforcement targets but “like other law enforcement agencies, ICE may use DMV data in support of ongoing criminal investigations or to aid in locating individuals who pose a national security risk or public safety threat,” said Gillian Christensen, an agency spokeswoman. Ten states have approved driver’s licenses for immigrants in the country illegally, many of them with a distinct marker so the documents can be distinguished from those carried by US citizens and permanent residents. Meanwhile, a ruling by the US supreme court has moved thousands of young immigrants a step closer to obtaining driver’s licenses in Arizona. [The Guardian]

US – Oracle Acquires Datalogix, FTC Called Upon to Investigate

Oracle announced that is has acquired Datalogix, drawing criticism from privacy advocates worried the deal could give the company too much access to consumer data. According to an Oracle press release, Datalogix aggregates and provides analysis on more than $2 trillion in consumer spending, from offline to online advertising. In response, the Center for Digital Democracy’s Jeffrey Chester has called on the FTC to investigate the deal, noting it could violate Facebook’s consent decree with the agency. “Through the data it gathers on what we buy, and with its relationship with Facebook and other powerful marketers, Datalogix consists of a online treasure trove of data on Americans,” Chester said. [Full Story]

Privacy Enhancing Technologies (PETs)

WW – App Maker Pitches Self-Destruct Messaging To Hollywood

A startup is eyeing Hollywood in the wake of the Sony Pictures hack by offering a messaging app that never reveals the full text and then automatically destroys the conversation after it’s read. The app maker, Confide, launched an ad campaign on Tuesday, offering the business version of its self-destruct tool to entertainment studios, networks and labels for free, in perpetuity. [CNET] SEE ALSO: [8 Free Privacy Programs Worth Your Year-End Donations] and [Can New Messaging Apps Inadvertently Cause Spoliation? ]

US – Boeing and Blackberry Create ‘Self-Destructing’ Phone

BlackBerry will help Boeing with its self-destructing “Black” phone, which has been in planning since 2012 and is capable of wiping all data if someone tries to access its content inappropriately. The phone is designed for government agencies with a need for secrecy. [The Telegraph] SEE ALSO: [The Affair: the fashion brand making stealth tech stylish]


US – FBI Investigating “Revenge Hacking”; Sony Hack May Have Been Inside Job

The U.S. FBI is looking into so-called “revenge hacking” by companies that have been breached by criminal hackers. The recent hack of Sony has generated “an intensifying and largely unspoken sense of unease inside many companies,” the report states, prompting some to “push the limits of existing law” to find ways of hacking back. Rep. Michael McCaul (R-TX) said, “It’s kind of a Wild West right now,” and some businesses may be conducting reactive hacking operations “without getting permission” from the federal government first. Similarly, The Washington Post published a Q&A with the Lizard Squad, the hackers who allegedly took down the PlayStation and Xbox networks on Christmas Day, which claims to have provided the Guardians of Peace—the group that released stolen data from Sony—with employee log-in credentials. Investigators familiar with the Sony hack now say the cause of the breach may have been a combination of a disgruntled employee and a piracy group and not North Korea as the FBI argues. [Full Story] and [Sony says PlayStation still has problems, gradually coming back online] [US: Hacked Sony ex-employees sue for privacy violations] and The recent Sony Pictures hack has transformed the debate over cybersecurity legislation in Congress and may spur lawmakers to make changes.

US – Simple Fix Could Have Thwarted JP Morgan Data Breach

A preliminary investigation of the massive breach at JP Morgan Chase last summer revealed that a simple security fix to an overlooked server could have prevented the damaging incident. Last spring, hackers stole the login credentials of an employee, but one of the servers did not have the two-factor authentication necessary to prevent unauthorized access, leaving the company vulnerable to attack. In response, JP Morgan has set up a “business control group” comprising technology and cybersecurity executives to analyze the incident and prevent another such attack. [The New York Times] [Two-factor authentication oversight led to JPMorgan breach, investigators reportedly found]

US – Seattle Police Hold Hackathon to Test Body Camera Footage Privacy

Seattle Police are planning to test body cameras on officers in the field, and in a “hackathon” They attempted to find a balance between releasing footage and redacting private details. Approximately 80 people attended the hackathon, working on techniques to redact such details as people’s faces or license plate numbers captured on film. Police departments in New York City and Los Angeles are also prepping to test body cameras. “With 1,612,554 videos already on our servers—and more on the way through our upcoming body cam pilot program—our department is looking for a better, faster way redact those videos and make them accessible as public records,” Seattle police said in an announcement. [Slate]

Smart Devices

US – Despite Voluntary Code of Conduct, Smart Meters Privacy Worries Persist

Concerns persist about the smart grid’s impact on consumer privacy via smart meters. The Department of Energy will publish the final draft of a voluntary code of conduct on data privacy for smart meters this month. Thirty-eight million have already been installed in the U.S., the report states, gathering information about household electricity consumption at a granular level. Despite the voluntary code of conduct, critics are worried consumers will still be “cajoled or conned into giving up their data,” the report states, to power companies but also to third-party aggregators. “I think the data is going to be worth a lot more than the commodity that’s being consumed to generate the data,” said Miles Keogh of the National Association of Regulatory Utility Commissioners. [Politico]

US – Ford Names Data Analytics Officer; Advocates Worry About the Data Use

Ford has hired an executive to oversee its collection and management of the information it captures from its cars and trucks. Ford has hired Paul Ballew, a research expert, to be its chief data and analytics officer-a new title at the 113-year-old company. The data collection aims to enhance driver services, but it also has some worried that privacy and security will diminish. “There’s another facet that comes with them being able to provide all these services,” said Julia Horwitz, consumer protection counsel at the Electronic Privacy Information Center. “What are they going to do with your data?” Editors Note: The automotive industry recently unveiled privacy principles, but one U.S. Senator says they don’t go far enough. [International Business Times]


US – Senators Ask for Clarification on Cell-Phone Surveillance

In a letter to the Departments of Justice and Homeland Security, Sens. Patrick Leahy (D-VT) and Chuck Grassley (R-IA) have requested clarification on behalf of the Judiciary Committee on how federal law enforcement agencies use cell-phone data collection. Of particular concern is technology like “Stingray,” which is a device that mimics a cell-phone tower in order to sweep up the data of phone users in the area. The letter “demanded answers about how the FBI and other law-enforcement agencies protect the privacy of people whose cell-phone information is collected, even when they’re not targeted or suspected of wrongdoing.” [Source]

US – EFF Argues Privacy Case in Jewel v. NSA

The Electronic Frontier Foundation (EFF) told a federal judge that the NSA has illegally searched and seized U.S. citizens’ Internet communications. The privacy advocacy group argued in Jewel v. NSA that the agency violates the Constitution when it uses a method called “upstream” to access data, in this case, from AT&T customers. The class-action lawsuit was originally filed six years ago and dismissed in 2010 for lack of standing, but that was overturned in 2011. According to the report, “The case showcases the challenge of litigating matters that engulf both individual liberties and national security.” [Courthouse News Service]

US – IoT, Connected Cars, Wearable Tech to Make Big Showing at CES

The 2015 Consumer Electronics Association’s 2015 International Consumer Electronics Show starts next week. Connected cars will be represented at the show more than ever before; Audi, BMW, Chrysler and Ford will all be showcasing the new technology, among others. Wearable tech is also anticipated to make a big showing, and the Internet of Things (IoT) will be a main theme at the show, with more than 900 exhibitors showing products. Meanwhile, IoT continues to grow in popularity despite consumers’ privacy concerns, citing a new study indicating 65% of U.S. consumers are “moderately or extremely open to the idea of adopting smart home technology.” [CBS News]

US – Judge Throws Out Evidence Collected from Webcam

A federal judge this week threw out evidence collected from a webcam that was nailed to a utility pole near a suspected drug dealer’s house during a six-week period. The U.S. Justice Department argued the placement of the webcam is no different than posting a police officer to make the necessary observations. U.S. District Court Judge Edward Shea said a warrant is necessary to post a webcam controlled by the local police. Shea said, “The American people have a reasonable expectation of privacy in the activities occurring in and around the front yard of their homes, particularly where the home is located in a very rural, isolated setting,” and that such a reasonable expectation “prohibits the warrantless, continuous and covert recording” of the defendant. [Ars Technica] SEE ALSO: [Neighbourhood watch: how domestic CCTV is sweeping the UK]

Telecom / TV

EU – German Researchers Discover Flaw to Let Anyone Listen to Cell Calls

German researchers have discovered a flaw that could let hackers, spies and criminals listen to private phone calls and intercept text messages on a potentially massive scale. The flaws are to be reported at a hacker conference in Germany this month and describe insecurities on SS7, the global network that allows cellular carriers to route calls, texts and other services to each other, the report states. Even while carriers work to secure their systems, they still have to communicate with each other over SS7, “leaving them open to any of thousands of companies worldwide with access to the network,” so a single carrier in Kazakhstan could be used to hack into networks in the U.S., for example. [Washington Post]

WW – Researchers Find Apps Exploit Permissions

Android apps “really do use those permissions they ask for to access users’ personal information.” French researchers found, for example, that one online store records a phone’s location up to 10 times a minute. To conduct the experiment, researchers had volunteers use monitoring app Mobilitics, which was developed by researchers in conjunction with the French data protection authority, CNIL. Over a three-month period, Mobilitics recorded every time an app accessed personal data on the phone and whether that data was transferred to an external server, finding location was one of the most frequently accessed data points. Meanwhile, Hong Kong’s privacy commissioner has found Android apps “are able to access a user’s personal photos and files on Android version 4.3 or older without notifying them.” [PCWorld]

US Government Programs

US – NSA Reports Detail Decade’s Worth of Privacy Violations

On Christmas Eve, the NSA released more than a decade of reports detailing internal privacy violations. The reports include instances of employees accessing unauthorized information to spy on U.S. citizens. Meanwhile, there are five cases involving NSA surveillance that the U.S. Supreme Court could hear in 2015. [The Hill] [US: NSA reports detail decade’s worth of privacy violations]

US – Secret Service Has Not Submitted Digital Cyber Defense Reports: Auditor

According to a report from an internal auditor, the US Secret Service does not use two-factor authentication for network access and it does not abide by established rules for government agencies regarding network security monitoring. The DHS Office of Inspector General found the Secret Service refused to hand over mandatory data on its computer security systems to DHS in 2014. The office found that the Secret Service’s refusal to provide the required data “created a significant deficiency in the Department’s information security program,” the report states. The USSS CIO was concerned about “operational security” of data feeds [The Hill]. [NextGov] [DHS]

US – Obama Wants Congress to Introduce Information Sharing Legislation

At his end-of-year press conference, President Obama indicated that he would like to see the reintroduction of an intelligence-sharing bill in this legislative session. In the wake of the Sony Pictures breach, Obama said that he has a team working on seeing what can be done to prevent such attacks in the future, and that he would like to see Congress focus on “stronger cyber security laws that allow for information sharing across private sector platforms as well as the public sector.” [ZDNet]

US Legislation

US – Obama Signs Five Cyber-Related Bills into Law

For the first time in more than 12 years, major cybersecurity bills have become law after President Barack Obama signed five of them on Thursday. The five new bills include the Federal Information Security Modernization Act, the Homeland Security Workforce Assessment Act, the Cybersecurity Workforce Assessment Act, the National Cybersecurity Protection Act and the Cybersecurity Enhancement Act. [GovInfoSecurity] This FEDweek report outlines changes in cyber-incident reporting that come with the newly enacted Federal Information Security Modernization Act of 2014.

US – 2014 legislative Roundup

US – State Legislative News Roundup

Workplace Privacy

WW – Whether Working or Job Seeking, the Algorithm Is Watching

Are you perusing LinkedIn at work more than usual? That small change in behavior could set off alerts in computer analytics programs used to surveil and rank employees, according to a forthcoming book, “The Reputation Economy: How to Optimize Your Digital Footprint in a World Where Your Reputation Is Your Most Valuable Asset.” If your LinkedIn browsing is noticed “by a recruiter, look forward to increased cold calls trying to lure you into new jobs,” the authors write. “If it’s caught by your company, look forward to either a conversation about what it would take to keep you — or a swift kick toward the door.” In my latest Sunday Business column, I wrote about “The Reputation Economy” and another coming book, “The Black Box Society: The Secret Algorithms That Control Money and Information.” Both books examine how companies are increasingly using sophisticated computer scanning systems to score people on their health risks, financial wherewithal and purchasing patterns — ranking systems of which consumers are often unaware.But the books’ descriptions of employee scoring systems are particularly noteworthy, whether you are currently a satisfied employee or seeking a new job.”The Reputation Economy,” for instance, describes how human resource departments and search firms are increasingly turning to software programs to automate the process of weeding out applicants with weaker résumés as well as identify job candidates to interview. Companies also use such scoring programs, the authors write, to rate their own workers — on productivity, teamwork, creativity and so on — and to identify promising employees to select for promotion or management training programs. [NY Times]

US – FBI Unit Studying How to ID Insider Threats

The profiling unit of the FBI, the FBI Cyber Behavioral Analysis Center, has begun a multi-year project studying how technology can help identify insider threats. “Is there a similarity between the person who is putting a logic bomb on your network and the person who is going to throw a bomb in your office?” asked Supervisory Special Agent Kevin Burton. “Are the behaviors different? Do they intersect?” Those are some of the questions the unit aims to answer to help federal managers detect otherwise hidden behavioral patterns, doing so within the bounds of privacy, the report states, adding that ultimately human beings—not computers—are behind breaches. [NextGov]

UK – Welsh Council Rapped for Covert Spying on Sick Leave Worker

A council that ordered covert surveillance of a sick employee has been ordered to review its practices following an investigation by data privacy watchdogs. An Information Commissioner’s Office (ICO) investigation found that Caerphilly Council breached the Data Protection Act when it ordered the surveillance of an employee suspected of fraudulently claiming to be sick. The surveillance was only authorised on anecdotal evidence and began only four weeks into the employee’s sickness absence. Caerphilly Council went straight to snooping on its worker using a private investigation firm without properly considering other options. The covert surveillance was used to compile a report, which was ultimately shelved having gone unused. The ICO determined the council did not have sufficient grounds to undertake the surveillance, especially at such an early stage of the employee’s absence, as an agreed data protection undertaking (PDF) explains. Anne Jones, assistant information commissioner for Wales, commented: “It shouldn’t need to be said that spying on employees is incredibly intrusive and must only be done as the last resort.” “Organisations need to be absolutely clear why they need to carry out covert surveillance and consider all other alternatives first. If it cannot be completely justified, it shouldn’t be done,” she added in a statement on the case. The ICO accepts covert surveillance of employees can be justified in some exceptional circumstances, such as suspicions the employee is engaged in criminal activity or equivalent malpractice. Covert surveillance should be used as a last resort when alternatives which respect the employee’s privacy have been considered and ruled out as inappropriate. The ICO’s Employment Practices Code, which covers monitoring of employees at work, can be found here (PDF)

Xmas / Seasonal

WW – Santa Claus Breaks the Law Every Year

Each year when the nights start growing longer, everyone’s favourite rotund old man emerges from his wintry hideaway in the fastness of the North Pole and dashes around the globe in a red and white blur, delivering presents and generally spreading goodwill to the people of the world. Who can criticise such good intentions? Despite this noble cause, Father Christmas is running an unconventional operation at best. At worst, the jolly old fool is flagrantly flaunting the law and his reckless behaviour should see him standing before a jury of his peers. Admittedly, it would be a challenge to find eleven other omnipotent, eternally-old, portly men with a penchant for elves. Read on to find out four shocking laws Santa breaks every year. But be warned; this is just the tip of an iceberg of criminality that dates back centuries! [Source] SEE ALSO: [Elf on the Shelf: festive fun or Santa’s sinister spy?] AND [UK: Make sure gadget gifts are safe for youngsters] and [UK: Drones given as Christmas gifts will lead to soaring privacy complaints, watchdog warns] AND [Horrifying ‘sexy’ Santa selfies remind you to check your online privacy settings] AND [Ho, ho, ho! NSA reports on its spying naughtiness]


1-15 December 2014

Big Data

US – Does Data-Mining Have a Place at the Guggenheim?

A new trend across the country is seeing museums mining “increasingly detailed layers of information about their guests, employing some of the same strategies that companies like Macy’s, Netflix and Walmart have used in recent years to boost sales by tracking customer behavior.” Museums are using the data to make decisions about exhibit design, donor outreach and gift shop marketing strategies, the report states. But such data-mining has some critics questioning whether the big data revolution “has a place in the nonprofit arts world.” [The Wall Street Journal]

US – ‘Womb-to-Workforce’ Data-Mining Scheme Sparks Revolt

Privacy advocates are calling for a moratorium on the Pennsylvania school system’s sweeping data-collection program, which they say is part of the federal government’s goal of being able to track the development of every child “womb to workforce.” All 50 states have been mandated by the U.S. Department of Education to establish inter-connected “longitudinal databases” accumulating information on every student from pre-kindergarten through college. Two groups, Pennsylvania Against Common Core and Pennsylvanians Restoring Education, are asking Gov. Tom Corbett to place a moratorium on data collection in the Pennsylvania Information Management System or PIMS. The system gathers information on students in all 500 school districts across the state and some schools have started collecting behavioral data that goes beyond testing for academic knowledge, according to the two organizations. The two groups are also asking the state attorney general’s office to launch an investigation into possible violations of student privacy laws. [Source]


US – Stakeholders Work on Facial Recognition Code of Conduct

Attempts to create a multi-stakeholder, voluntary code of conduct for the commercial use of facial recognition continued at the Commerce Department, as the “National Telecommunications & Information Association’s John Verdi moderated a wide-ranging discussion about language on issues including data retention/disposal, security and deletion.” The focus this week was on the language surrounding the retention, security and disposal of biometric images. The Center for Digital Democracy’s Jeff Chester urged the group to include more specific language on data use, but a representative from Facebook said that too much “granularity” would make the code too prescriptive. [Broadcasting & Cable]

WW – The Vending Machine of the Future Is Here, and It Knows Who You Are

The “vending machine of the future” is the first vending machine with facial-recognition technology. The machines are able to “identify and greet a user, remember a person’s preferences and even refuse to vend a certain product based on a shopper’s age, medical record, dietary requirements or purchase history,” the report states. A school can in fact link the machine with its database and direct it to refuse to sell certain products to underage students, or a gym could program the machine with its membership database so the machine wouldn’t vend sugary or high-fat products to a person on a diet, for example. [The Telegraph]

US – Pizza Hut Launches Digital Menu that Reads Your Mind by Tracking Eye Movement… And Tells You What to Order In 2.5 Seconds

It can tell you what you want to eat in the blink of an eye, simply by tracking the movement of your retina. In exactly 2.5 seconds the subconscious menu reads the minds of customers, by using a mathematical algorithm to identify a customer’s perfect pizza. The incredible software was developed for Pizza Hut by Swedish eye tracking technology pioneers Tobii Technology. Taking six months to build, the menu is completely controlled by the customer’s retina. [The Daily Mail]


CA – Supreme Court: Limited Warrantless Phone Searches Are Legal

In a 4-3 decision, the Supreme Court of Canada has ruled police may conduct limited searches of suspects’ cell phones without getting search warrants if they follow strict rules.. “When is it okay for the police to conduct a warrantless search of a cell phone when making an arrest? The short answer, according to the Supreme Court’s decision in R. v. Fearon, is ‘sometimes,’” he writes. Beyond that point, Brown writes, “I’m really only sure about a couple of things. First, there is no reason to worry that the police are about to start searching everyone’s mobile device. Second, the law can be incomprehensible and impractical at times.” [IAPP Privacy Tracker] See also: [Privacy Commissioner Daniel Therrien told the House Privacy Committee if Bill C-13 passes without amendment, it could face a Charter challenge] [Canada: Missing Persons Act ‘broadly worded,’ says lawyer Mike King] and [Alberta privacy commissioner to investigate leak of Lukaszuk phone bill] and [A new paper in The John Marshall Journal of Information Technology & Privacy Law contends Canada’s federal anti-spam legislation, CASL, “creates unconstitutional limits on free speech,” stating CASL violates freedom-of-expression guarantees in the Charter of Rights and Freedoms.]

CA – Province to Legislate What Police Can Disclose About Innocent Ontarians

Ontario will table legislation in the new year detailing for the first time what information police can — and cannot — disclose to employers, volunteer agencies and academic institutions about Ontarians who have not been convicted of a crime, the Star has learned. A lengthy Toronto Star investigation earlier this year detailed how the routine release of police-held information about innocent Ontarians has ended careers, undermined job prospects, forced students out of university and college programs and ended up in the country’s criminal records database which is accessed by U.S. border officials who have used it to restrict the travel of Canadians. Once a policy is developed it will go before a cabinet committee for review, then to cabinet for approval, he said. If approved, legislation will be drafted. He said he expects tabling in the legislature by spring. [Source] See also: [Revealing ‘sensitive’ surveillance details worried Ottawa: memo]

CA – Former Privacy Commissioner and Journalist Bruce Phillips Dead at 84

Former journalist and federal privacy commissioner Bruce Phillips has died. He was 84. A statement from his family says he died of kidney failure on Saturday in Penticton, B.C. The statement says he suffered a stroke in June. Phillips worked for a number of media outlets during his career including CTV news in the 70’s and 80’s. Among his other duties he hosted the CTV show “Question Period.” He later served as Canada’s privacy commissioner between 1991 and 2000. Phillips was invested in the Order of Canada in 2010. After leaving the office of the privacy commissioner, Phillips retired to B.C.’s Okanagan region to be near his two daughters. [The Canadian Press] See also: [2014 Year in Review]


US – Retailers Dabbling With In-Store Beacon Technology

Stores are turning to beacons to help communicate with and entice in-store shoppers. Macy’s, for example, has installed the low-frequency technology in all 840 of its stores, while Kohl’s is testing them out in various locations. Shelfbucks CEO Erik McMillan said the technology will “skyrocket” from the 50,000 that are currently being used to as high as 10 million in the next year. A survey conducted by Swirl revealed 30% of in-store customers made a purchase after receiving a beacon-enabled “push ad.” Still, some are concerned about being tracked. One IT administrator said, “If a retailer really wants to draw me into their store, showing me deals before I get to the mall is a better way.” [Associated Press]

US – Consumer Privacy to Be “Major Factor” in 2015

Over the past year, privacy has become a political and business issue. That’s according to a report that cites recent surveys indicating consumer privacy “will likely become a major factor for businesses in 2015.” The report considers the many privacy-focused products companies have launched and cites a Ponemon Institute survey that found “more than half of U.S. companies and about two-thirds of EU companies placed more trust in open-source commercial code to reduce privacy risks, compared with closed-source code.” Larry Ponemon said, “The problem for many companies is that proprietary software potentially may be doing things with your data that you might not know.” [eWeek] [US: Data Privacy Became a National Political, Business Issue in 2014]

CA – British Columbians Becoming More Concerned About Sharing Their Health Data

Half of British Columbians are “very willing” to allow health researchers to study their personal health records provided the information is anonymous, but that number has been dropping over growing privacy and security concerns, a new Mustel Group poll reveals. Last year, 63% of British Columbians polled as very willing. “Concerns about sharing data is growing in the public’s mind,” Mustel research consultant Phil Giborski told participants at The Data Effect conference in Vancouver Monday. “Their main concerns are that they will not remain anonymous and guarantees against hacking cannot be provided.” [Source]


US – Gas Tax Tracking Raises Privacy, Fairness Concerns

As more California drivers shift toward using energy-efficient vehicles, state officials are trying to come up with alternative revenue generators for the highway budget. A main source of the revenue is from a gas tax, but a mileage-based concept is being considered in California as well as nine other states. In order to track vehicles’ mileage, cars would have to be equipped with odometer readers, smartphone applications and GPS technology, all of which raise privacy concerns. Privacy advocates are worried the data could potentially be used not only to track total mileage but to learn when and where people drive. [Los Angeles Times]

US – Iowa Mobile ID Program Raises Privacy Questions

The state of Iowa is proposing using a mobile app as an alternative to a traditional driver’s license and may be the first in the nation to do so. The idea has been proposed by Iowa Department of Transportation Director Paul Trombino, who promises the free, government-developed app would be secure. He describes the digital license as an “identity vault app” that would require Iowans to use PINs to verify their identity. But opponents to the plan worry about what happens if a police officer takes a smartphone back to the cruiser to check a driver’s license and the driver has sensitive content on the device they’d rather not make available to police. Questions arise, such as, would the digital license app display only the phone ID or also have access to the entire phone? [InformationWeek] See also: [It’s 10pm, Do You Know Where Your Kids Are? (This App Does)] and [NZ: Husband of ex-MP loses job for peek at records]


US – Microsoft Draws Support for Fight Against Government Demand for Customer eMails

Major tech companies, including Apple, Verizon, and eBay, are lending their support to Microsoft in its effort to resist a US Justice Department demand for information held on a company server in Ireland. The companies, along with business associations and news media outlets have filed briefs urging that the Justice Department’s warrant be thrown out. Many noted that to require Microsoft to surrender the data would cause damage to US businesses. In a blog post, Microsoft General Counsel Brad Smith wrote, “This case involves not a narrow legal question, but a broad policy issue that is fundamental to the future of global technology.” [NextGov] [CS Monitor] [WIRED] [ComputerWorld] [Microsoft Makes Argument in Email Privacy Case] See also: [Damning emails withheld from media, opposition: Manitoba ombudsman]

Electronic Records

WW – Study Calls Nymity Accountability Framework Most Relevant

The recent “Privacy Accountability Management Framework for Data Controllers Operating across Asia “ study, which examined six privacy accountability frameworks, named the “Nymity Accountability Framework as the most creditable, practical and relevant framework to address the data protection laws of nine Asian jurisdictions,” according to a media release. Nymity’s Terry McQuay said, “We are absolutely flattered at the recognition as we had no knowledge that this study was being conducted … Based on the feedback provided in the study, we have modified the Nymity Privacy Management Accountability Framework to ensure 100-percent coverage for compliance.” [PR Newswire]


US – Prosecutors Want Phone Makers to Help Them Access Data on Encrypted Devices

Federal prosecutors have invoked an 18th century law, the All Writs Act, to compel smartphone makers to decrypt seized devices in two separate cases. Judges in both cases ordered the device manufacturer to provide “reasonable technical assistance” to help decrypt the information. [Ars Technica] [The Register] SEE ALSO: [People Want Safe Communications, Not Usable Cryptography]

US – Encryption Standard Will Allow Law Enforcement Access

“Verizon is the latest big company to enter the post-Snowden market for secure communication, and it’s doing so with an encryption standard,” Bloomberg Businessweek reports. The product, known as Verizon Voice Cypher, was introduced with encryption company Cellcrypt and “offers business and government customers end-to-end encryption for voice calls on iOS, Android or BlackBerry devices equipped with a special app,” the report states, noting it provides secure communications “regardless of their wireless carrier, and it can also connect to an organization’s secure phone system.” Verizon and Cellcrypt said law enforcement will have the ability to access Voice Cypher communications if they can “prove that there’s a legitimate law enforcement reason for doing so,” the report states. [BusinessWeek]

EU Developments

UK – Court Rules Gov’t Intel Spying Legal; WP29 Releases Working Doc

A British court that oversees the nation’s intelligence agencies has ruled that mass electronic surveillance of citizens’ cell phones and online activity is legal. A complaint against the programs had been brought by a group of privacy advocates and Amnesty International. The groups have said they will appeal to the European Court of Human Rights. Privacy International Deputy Director Eric King said the decision “is a worrying sign for us all.” [The New York Times] SEE ALSO: [The Article 29 Working Party released its Working Document on surveillance of electronic communications for intelligence and national security purposes. This is the legal analysis of the group’s opinion on electronic surveillance for national security] and [UK: Fight against terror should not trump privacy rights – Human Rights Commissioner]

EU – Commission Enacts Gag Order for Safe Harbor Talks

The EU Commission is imposing gag orders on MEPs and preventing journalist access to discussions at the European Parliament’s LIBE Committee. Such clampdowns occur whenever an official is to speak on ongoing negotiations with the U.S. about Safe Harbor, the report states. MEPs face the risk of sanctions if they discuss the issue outside of the room during these “in-camera” sessions, as they’re called. Last week, Dutch MEP Sophie in ‘t Veld and German MEP Cornelia Ernst voted to suspend the Safe Harbor session but were outvoted and the meeting was kept secret. “We hear absolutely nothing that justifies the in-camera. Nothing,” in ‘t Veld said. [EUObserver]

EU – WP29 Seeks Consistent Data-Transfer Agreement Approach

The Article 29 Working Party has agreed on a new “Co-Operation Procedure for Issuing Common Opinions on Contractual Clauses” that aims to help companies that want to rely on model contracts to export personal information from the European Economic Area (EEA). “The procedure adopted by the Article 29 Working Party recognizes the need for a truly harmonized approach to handling data-transfer agreements throughout the EEA,” Jan Dhont and David Dumont of Lorenz write, adding, “Consistent approaches will become even more important under the future General Data Protection Regulation, which exempts model contracts from prior DPA authorization.” [The Privacy Advisor]

EU – Falque-Pierrotin Criticizes Risk-Based Approach

CNIL President and Article 29 Working Party Chairwoman Isabelle Falque-Pierrotin has warned that too much reliance on the so-called “risk-based approach“ to privacy could undermine fundamental human rights. Addressing the French Parliamentary Commission on Digital Rights, Falque-Pierrotin said the risk-based approach is useful “as a guide to allocate resources but should not affect the underlying rights of the data subject.” She also said that accountability should be applied to all processing, including low-risk processing. [Hogan Lovells Chronicle of Data Protection] See also: [French data protection agency, the CNIL, has undergone a reorganization leading to the creation of a compliance directorate with the goal of supporting data controllers in compliance efforts] AND [The French data protection authority, the CNIL, has published a Methodology for Privacy Risk Management, while the UK Information Commissioner’s Office has issued a code of practice for conducting privacy impact assessments (PIAs) and commissioned a research study on PIAs and risk management. More recently, the Article 29 Working Party issued a new opinion on legitimate interests of the data controller.

UK – Social Media Urged to Simplify Terms and Conditions by UK Parliament

A report issued by the House of Commons Science and Technology Committee is calling on the government to work with the Information Commissioner’s Office (ICO) to develop a set of information standards that would commit websites and apps to explain how they use personal data in clear, concise and simple terms. The committee’s report suggests that an internationally recognised Kitemark could be the first step towards ensuring the responsible use of UK citizens’ data by social media platforms and other organisations. [Source]

EU – EU Privacy News Roundup

Facts & Stats

US – Uber Disciplines One Employee; Faces Class-Action from Another

Uber Technologies has taken unspecified disciplinary action against a manager for tracking a journalist’s movements. The car-booking company had been investigating the actions of a general manager at its New York business for monitoring the whereabouts of a reporter without her permission. Meanwhile, Business Insider reports on the amount of data Uber and Lyft collect according to their Android privacy policies, and an Uber driver has filed a lawsuit in California seeking class-action status. The suit claims Uber accessed his credit report to unfairly fire him. [Today] and [Why Uber has a Canadian privacy problem]


US – US Treasury Department Says Tor is a Major Source of Financial Account Takeovers

In a non-public report, the US Treasury Department says that many bank account hijackings could have been prevented if financial institutions had known to block transactions that came through the Tor network. The Treasury Department’s Financial Crimes Enforcement Network analyzed suspicious activity reports that banks filed between August 2001 and July 2014. [Krebs]

US – Intruders Stole Insider Information to Beat Wall Street

Information thieves used phishing messages to gain access to systems at more than 100 publicly traded companies and stole data about merger discussions, product information, and legal action, which could be used to help inform investment decisions. The majority of affected companies are in the health care and pharmaceutical industries. [Ars Technica] [CNN]


CA – Ontario Passes Legislation That Makes It Illegal to Destroy Government Records

Based on some of the recommendations of the IPC report, Deleting Accountability: Record Management Practices of Political Staff – A Special Investigation Report, the Ontario government yesterday passed Bill 8, The Public Sector and MPP Accountability and Transparency Act. The legislation makes it an offence to alter, conceal or destroy records with intent to deny an access request, with a penalty of up to $5,000. [Information and Privacy Commissioner, Ontario] See also: [AU: Freedom of information laws upheld by two men working from home] See also: [ON: Horwath pressures Liberals about more power for IPC]

CA – PEI: Freedom of Information Should Apply to UPEI, Say Students

‘Public money should equal public access,’ says UPEI Student Union president Lucas MacArthur. Student union president Lucas MacArthur will meet with Premier Robert Ghiz. MacArthur said P.E.I. is the only province in Canada that hasn’t brought post-secondary institutions under the law. The student union has already met with Minister of Labour and Justice Janice Sherry, the standing committee on education, and UPEI administration about freedom of information at the university. MacArthur said UPEI does have a freedom of information office, but it is not accountable to the government and it should be. [CBC News ]

CA – Billings By Ontario Doctors Are Secret: Should They Be?

Nineteen physicians billed Ontario’s publicly funded health insurance plan more than $2 million each in 2012-13. But you can’t know who they are. Revealing their names would be an unjustified invasion of privacy, according to the health ministry’s privacy office, which denied that part of a freedom-of-information request from the Star. But the release of physician-identified billing records in the United States earlier this year has reignited a decades-old debate about public disclosure of such information in Ontario. Even the province’s acting information and privacy commissioner has indicated the time may have come to rethink keeping the data under wraps. [Source]


US – Courts Strike Down DNA Collection and Drug Testing Laws

In two separate cases, courts struck down state laws involving the collection of DNA and drug-testing data. A California appeals court ruled the state’s law requiring the collection of DNA from anyone suspected of a felony is unconstitutional. Presiding Justice J. Anthony Kline said, “We conclude that the DNA Act … unreasonably intrudes on such arrestees’ expectation of privacy.” Meanwhile, a federal appeals court ruled Wednesday that a Florida law requiring welfare applicants to submit to drug tests prior to receiving benefits violates the Fourth Amendment. Judge Stanley Marcus wrote, “If we are to give meaning to the Fourth Amendment’s prohibition on blanket government searches” the law “crosses the constitutional line.” [The Associated Press]

Health / Medical

US – Dozens of Federal Agencies Could Get Access to PHI

Under a proposed Federal Health IT Strategic Plan 2015-2020, 38 government agencies would have the ability to collect, share and use the personal health information of U.S. citizens. “While I’m a big fan of NASA, why the heck does NASA need access to my health records?” she asks. “A better question … why the heck does the Bureau of Prisons need to access the health records of non-felons?” The draft plan is still open for public comment until February 6. [NetworkWorld] See also: [Pharma Teaming with Web Biz To Target Prescription Ads] Sewe also: [BC: Privacy probe to investigate medical records faxed to wrong numbers] and [Staffers snooped into 500 patients’ files at Lakeridge Health] AND [ON: Six hospital staff fired for accessing patient files after in-hospital suicide]

US – Research Group Wants HIPAA Amended for Data Use Without Consent

The American Medical Informatics Association (AMIA) says allowing health researchers to access patients’ personal health information (PHI) without their permission could be beneficial. The group’s board chair and vice president of policy and development, Ross Martin, wrote a letter to Rep. Fred Upton (R-MI) suggesting Congress amend HIPAA to allow for increased data-sharing. Martin said exemptions for access to PHI should be made for “observational or data research.” The AMIA letter made recommendations that HIPAA amend the definition of healthcare operations so covered entities and their business associates can be trusted “with the responsibility of conducting research with health data to improve the health of our nation as a whole.” [HealthITSecurity]

Horror Stories

WW – Sony Employees Offered Reprieve by Hackers, with a Twist

The alleged hackers of Sony Pictures Entertainment (SPE) have offered to withhold email correspondences of employees, but only if each employee writes in and asks the hackers. “Message to SPE Staffers,” the hackers’ post states. “We have a plan to release emails and privacy of the Sony Pictures employees. If you don’t want your privacy to be released, tell us your name and business title to take off your data.” Meanwhile, attorneys for SPE are reaching out to publishers, telling them not to report and publish the “stolen data” and to delete what they do have. In an op-ed for The Christian Science Monitor’s Passcode feature, Prof. Evan Selinger argues that publishing hacked emails is a privacy violation. [Re/Code] See also: [Sony Pictures Allegedly Hacking the Hackers] and [SONY Private Key Leaked, Used in PoC to sign malware]

WW – Hack Could Cost Sony $100 million; Employees Mull Class-Action

Fallout from the unprecedented hack and release of massive amounts of information from Sony Pictures continues, with news the attack could cost the company as much as $100 million. Several former Sony Pictures employees who had their personal information disclosed say a class-action lawsuit is in the works. “We’re all worried about our identities, privacy and our families, and Sony so far hasn’t done much to address the situation,” said one former employee. U.S. Federal Bureau of Investigation agents will be on hand at Sony Pictures headquarters this week to advise and update employees on the investigation. Meanwhile, a Ponemon survey of employees of organizations in the U.S., UK, France and Germany found 71 percent have access to data they should not. [Reuters]

US – Sands Casino Network Hit by Cyber Attack

In February 2014, staff at the Las Vegas Sands Corp. noticed things starting to go very wrong very quickly with its computer network. Hard drives at the headquarters of the world’s largest gaming company were being wiped. Early on, Iran was suspected of being behind the campaign, an apparent retaliation for remarks made by casino CEO and majority shareholder Sheldon Adelson. Sands spends millions on security, protecting Adelson and his family, and protecting the company’s assets, but cyber security was lagging. The attackers made their way into one system at a casino in Pennsylvania and eventually worked their way to the company’s Las Vegas servers. When the extent of the attackers’ intended destruction became apparent, the Sands severed itself from the Internet. The attack, which was kept largely under wraps, is similar to the recent attack on Sony Pictures because the perpetrators are seeking not financial gain, but retribution. The attacks are far-reaching, but because they do not pose a threat to national security, the government is unlikely to take action. [BusinessWeek]

US – MA AG: TD Bank Must Pay $625K for Breach

Massachusetts Attorney General Martha Coakley has announced TD Bank will pay a $625,000 fine and must take actions to improve its security practices following a 2012 data breach involving lost backup tapes that contained the personal information of more than 90,000 state residents. According to Coakley, the bank also delayed notice of the incident to her office. Coakley filed an assurance of discontinuance on Monday and in it alleged the bank lost two unencrypted computer server backups that were to be transported by a third party. TD Bank has said there is no evidence the loss of data has led to any fraud or unauthorized access or use. [WCVB] see also: [US: The Case of the $1.7 Million Laptop]

US – Target to Argue No-Harm, No-Foul in Breach Suit

Following a federal court’s ruling to allow a class-action lawsuit against Target to proceed, Bloomberg reports the company plans to use a “no-harm, no-foul” defense based on a 2013 Supreme Court ruling. The high court ruling stated citizens have no basis to seek damages as a result of mass surveillance because they cannot prove they were in imminent danger. Likewise, Target argues that customers were not in imminent danger of identity theft or financial harm, the report states. Meanwhile, the Pennsylvania Superior Court will allow a plaintiff a second chance to certify a class-action alleging Keystone Mercy Health Plan violated the law when it lost a flash drive containing sensitive personal information of approximately 286,000 subscribers, and in California, IKEA is seeking decertification in a ZIP code case. [Source] SEE ALSO: [7 Lessons from Target’s Breach]

Identity Issues

WW – Tech Alliance FIDO Releases Specifications for Two-Factor Authentication

The FIDO (Fast Identity Online) Alliance, a consortium of high-profile tech companies, has released the first specifications for manufacturers to develop two-factor and biometric authentication systems that will work on different devices. The document addresses two login systems: the Universal Authentication Framework (UAF), and Universal 2nd Factor (U2F). FIDO members will share patent licensing on the developed technologies, which should hasten their adoption. [ComputerWorld] [SC Magazine] [The Register] [FIDO Press Release]

US – City’s New Municipal IDs to Employ Facial Recognition

New York City has hired nearly two dozen investigators and will employ high-tech facial recognition software to deal with security concerns about the new municipal IDs being issued next month. The program is designed to become one of the largest of its kind in the country, the report states, and aims to give undocumented immigrants a chance to participate in the community. Concerns about information being stored in government databases are being addressed by limiting access to only high-level administrators, and law enforcement must obtain warrants to access data. [New York Post] [NYC to Issue ID Cards with Free Benefits to Illegal Aliens] See also: [For Afghans, Name and Birthdate Census Questions Are Not So Simple]

WW – Google Rethinking CAPTCHA

Google is retooling the way it implements CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) authentication to incorporate behavioral information. Google’s new system will ask users to click on a box indicating that they are not robots. The technology takes into account how the user moves the mouse. Google also uses other, undisclosed behavioral information. If the single click is inconclusive, users will be given a traditional CAPTCHA. [Google Can Now Tell You’re Not a Robot With Just One Click] [WIRED] [The Register] [ComputerWorld] [Google Online Security Blog]

Intellectual Property

EU – Police Shutter Websites Hawking Counterfeit and Pirated Products

Law enforcement agencies in Europe have seized nearly 300 domains associated with selling counterfeit electronics and medications as well as pirated movies and music. No arrests have been made yet. [BBC] [Computer Weekly]

WW – The Pirate Bay Offline After Swedish Authorities Seize Servers

Authorities in Sweden have raided seized the servers of The Pirate Bay, causing the torrent tracking website to go dark. The site has been taken down before but previously has always returned quickly. This time, the site does not appear to be bouncing back as quickly. One of The Pirate Bay’s founders, Peter Sunde, says he is fine with the site’s disappearance, because he does not like what it has become. Other filesharing sites reportedly also went down on the same day, but it is not clear if the incidents are related. [eWeek] [BBC] [WIRED] [ComputerWorld]

Internet / WWW

WW – Commissioners to App Marketplaces: Make Developers Share Privacy Policies

A total of 23 privacy enforcement partners from across the globe are telling app marketplaces, including Google Play and Apple’s App Store, “to make it mandatory for mobile app developers to post links to privacy policies prior to download if they’re going to collect personal information,” Canada’s Office of the Privacy Commissioner announced. In an open letter to the operators of seven app marketplaces, the data protection and privacy commissioners wrote that many apps that appear to collect personal information do not have privacy policies, “thus removing the ability for individuals to be meaningfully informed when making decisions about the collection, use and/or disclosure of their personal information.” The joint recommendation follows the Global Privacy Enforcement Network’s mobile app privacy sweep. [Source] [A total of 23 privacy enforcement partners from across the globe are telling app marketplaces “to make it mandatory for mobile app developers to post links to privacy policies prior to download if they’re going to collect personal information,” Canada’s Office of the Privacy Commissioner announced].

US – Think Tank Publishes IoT Guidelines

A Washington think-tank funded in part by corporate backers has published guidelines for collection and use of data gathered via the Internet of Things (IoT). The Information Technology and Innovation Foundation’s (ITIF) Center for Data Innovation published the 10 guidelines in conjunction with a bipartisan event featuring senators who sent a letter in October to Commerce Committee leaders requesting an oversight hearing on IoT, the report states. “We’re hoping that (the principles) will help to direct the conversation in Washington,” said Daniel Castro, a senior analyst at ITIF, adding, the Federal Trade Commission, which held an IoT workshop recently, should focus more on actual scenarios than hypotheticals. [Advertising Age] See also: [IoT, Trust, And The Emerging Market Of One] and [Omer Tene: Customers in the Maze: Ethics Heat Up the Flatirons]

US – Mobile Apps Still Collect Vast Amounts of Personal Data on Kids, Despite FTC Privacy Rule

According to privacy and consumer advocates, more than a year after federal regulators issued privacy rules for kids’ mobile apps, online stores are flooded with software programs that “quietly collect vast amounts of data on the youngest consumers,” including location data and even voice recordings. The FTC expanded the Children’s Online Privacy Protection Act in July 2013 to require app developers to get parental consent before collecting data on anyone younger than 13. “Kids are such a lucrative market, especially for apps,” said the Center for Digital Democracy’s Jeff Chester. “Unfortunately, there are still companies out there that are more concerned about generating revenue than protecting the privacy of kids.” [Associated Press]

WW – BBB: Native Ads Must Comply with Privacy Code

Native advertising, which Mashable previously described as one of the biggest trends in advertising, “must comply with the industry’s privacy code.” That’s the word from the Better Business Bureau (BBB) in a compliance warning that states, “Native advertisements personalized for consumers based on their prior browsing across websites must comply with the Digital Advertising Alliance’s Self-Regulatory Principles for Online Behavioral Advertising (OBA) … Companies involved in interest-based native ads are responsible for meeting all the requirements of the OBA principles, just as they would be with respect to any other” ads based on interest. The BBB also advised web publishers “must provide ‘enhanced’ notice when data about visitors is used to serve them native ads on other sites,” the report states. [MediaPost]

EU – In-Car Emergency Systems Will Meet Privacy Concerns

A proposal that would mandate all cars in the EU have automatic emergency calling systems has been approved after meeting privacy concerns. The “eCall” system would allow cars to automatically call emergency services after an accident. The system needs to transmit sensitive data, including location information, which has many concerned about their privacy being violated. However, a deal has been reached addressing such concerns. “The new rules will ensure that eCall works only as a safety device,” said MEP Olga Sehnalova, rapporteur on the issue, adding, “It will be illegal to use it to track a driver’s movements or to misuse location data, which must be sent only to the emergency services.” [PCWorld]

Law Enforcement

UK – UK Police Not Receiving Adequate Cyber Crime Training

According to a survey of UK police intelligence analysts, British police are not receiving adequate training to equip them with what they need to know to fight cyber crime. Just 30 percent of respondents said they felt they had the necessary skills to deal effectively with cyber crime. [Independent] [PA Consulting] See also: [SSK: Police chief says privacy practices sometimes too restrictive] and [Spotting terrorist behaviour online is harder than finding child abuse images] and [RCMP accidentally sent woman’s assault complaint to media]

UK – Child Abuse Database Containing Millions of Images to Launch

Data taken from tens of millions of child abuse photos and videos will shortly be used as part of a new police system to aid investigations into suspected paedophiles across the UK. The obscene material was seized during previous operations. The project, called the Child Abuse Image Database (Caid), will be launched by the Prime Minister at an internet safety event on Thursday 11 December. But one expert warned its success depended on it being properly staffed. [Source] See also: [Ottawa firm’s emergency response portal could help first responders]

US – Body-Worn Cameras Seem Imminent and So Do Privacy Concerns

Just one year ago, the idea of police officers wearing body cameras seemed novel. But within the past few months, big cities including Washington, DC, Los Angeles and New York have been piloting programs. After the events in Ferguson, MO , it’s no longer a question, the report states. “The body camera is here to stay,” said one privacy law expert. President Barack Obama proposed earlier this week to reimburse communities half the cost of buying cameras and storing video, which prompted privacy questions regarding when officers should turn cameras on and off, how to store the massive amount of data and how long to keep the footage. [The Washington Post] See also: [Body cameras: Can they reduce confrontations with police?] and [Data from wearable devices could soon land you in jail]

US – New York Flags 278 Gun Owners as Mentally Unstable

New York State’s tough new SAFE Act gun control law has flagged 278 gun owners who could lose their weapons because they have been deemed mentally unstable, a new report shows. Gov. Andrew Cuomo urged lawmakers to pass the SAFE Act quickly after the 2012 mass shooting at the Sandy Hook elementary school in Newtown, Conn. Since the law’s enactment, the state has collected 38,718 names in a database of individuals who have been found at-risk for owning guns by psychiatrists and other health professionals. The paper said when the database was checked against a list of pistol permit holders in the state, there were 278 matches, less than 1 percent. [The Syracuse Post-Standard]


WW – IAPP Resource Center: Location Data Privacy Guidelines

The Location Forum, in partnership with the IAPP, is now offering IAPP members free access to its Location Data Privacy: Guidelines, Assessment and Recommendations through the IAPP Resource Center. These guidelines were developed by the forum to bring attention to critical issues and provide a framework for developers, managers, marketers and executives to follow. They aim to help organizations understand the potential risk areas related to location privacy and offer a risk assessment scorecard as well as transparency recommendations that provide a comprehensive overview of the business, technology and user issues associated with handling location data. (IAPP member login required) and [AU: Mental health group questions using tracking devices on patients]

US – Lyft Cofounder Says Company “Open” to Privacy Options

Lyft Cofounder John Zimmer says the company “is ‘open’ to considering any options to increase people’s privacy.” That’s after Sen. Al Franken (D-MN) wrote to the company earlier this week criticizing it for allegedly allowing employees to track users’ locations. Zimmer said, “If you look at our company and our company’s values and the way we operate internally, we’ve always respected users’ privacy.” He added that, in recent weeks, the company has upgraded its policy to limit the number of people who can access information about a customer’s ride and that he’s open to working with Franken. [The Hill]

US – Senator Franken Unhappy With Uber Response

Sen. Al Franken (D-MN) is unhappy with the answers he received from rideshare service Uber about its privacy practices, saying the company lacked details and, in some cases, avoided answering questions altogether, PCWorld reports. “Quite frankly, they did not answer many of the questions I posed directly to them,” he wrote in a blog post. “Most importantly, it still remains unclear how Uber defines legitimate business purposes for accessing, retaining and sharing customer data. I will continue pressing for answers to these questions.” [PC World] See also: [Franken Turns Attention From Uber to Lyft]


TW – Gov’t Probe Reveals Smartphones Violate Privacy Law

A regulatory agency of the Taiwanese government has found 12 smartphone makers violate the region’s privacy rules. A two-month-long probe revealed some of the smartphones collect user data without consent while others contain “imperfections” that do not meet the law. Taiwan National Communications Commission Vice Chairman Hsiao-Cheng Yu said the agency’s report will be released in the coming weeks and the government will ask the phone makers to modify their handsets to comply with the privacy standards or face monetary fines or bans on their products. [Reuters] [UK: Rory McIlroy ‘wiped important data from electronic devices’, court is told]

Online Privacy

WW – Hackers Are Getting Personal Information Easier Than Before: Symantec

In the mobile app world, when hackers want access to personal information, they simply need to ask for it. That’s according to a recent survey by Symantec of more than 6,000 smartphone users globally that found many are willing to forgo privacy for free entertainment. Symantec is aiming to change that by implementing its “App Advisor” functionality to preemptively scan apps for privacy issues and alert users of the necessity of app permissions in real time prior to the download process. “When you download an app, the term ‘free’ rarely comes without a cost,” said Symantec’s product manager of mobile applications, James Nguyen, adding it’s good for users to think about whether the data they’re giving up is worth the trade-off. [Computer Dealer News] [Norton] [Safe Practices] [Infographic] See also: [Zuckerberg admits Facebook deserves criticism for how it handles its privacy messaging] and [That privacy notice you’re posting to Facebook? It won’t work]

WW – Google to Develop Products Aimed at Kids

Beginning next year, Google plans to create specific versions of its most popular products for users age 12 and under. Kids under 13 have typically been off-limits to tech companies. “We expect this to be controversial, but the simple truth is kids already have the technology in schools and at home,” said Google’s vice president of engineering, adding, “So the better approach is to simply see to it that the tech is used in a better way.” The move follows other recent “kid-centric efforts,” including Google’s virtual Maker Camp, Doodle 4 Google competition and Made with Code initiative, the report states. [USA Today] See also: [Managing Your Online Presence after Death]

US – Online Curriculum Helps Teach Kids About Privacy, Security

Increased use of technology by children in the classroom and at home and how McAfee has teamed up with Discovery Education to unveil a free online curriculum to teach children about online privacy and safety. The program, thinkbeforeyoulink.com , is aimed at children between the ages of eight and 11 and uses interactive scenes that children may come across in the real world—such as sites asking them to share their addresses or the names of their schools. The program, co-developed by McAfee CPO Michelle Dennedy also teaches children about cybercriminals and how they use personal details to get into their parents’ bank accounts or place harmful software on computers. [The New York Times]

WW – Kickstarter Campaign Results in Facebook Alternative

NPR reports on Diaspora, a nonprofit social network born out of a New York University (NYU) computer lab. Four undergrads were given “a global commission to rebottle the genie of personal privacy” after they were granted $200,000 thanks to a Kickstarter campaign. Jim Dwyer wrote a book, More Awesome Than Money, on the NYU grads’ creation of Diaspora, which aims to resist “the surveillance economy that underwrites so much of what goes on online.” [NPR] See also: [Facebook Swipe At Apple On Privacy Is The Real News]

WW – Twitter Improves Tools for Users to Report Harassment

Twitter has always prided itself on being a forum for free speech, even if that speech is vile and hateful. So it has tread more carefully than other public message services when it comes to blocking users that spew abuse at others. It didn’t even have a button for reporting abuse until July 2013, shortly before it sought to raise money from the public through an initial stock offering. Now, after numerous cases involving vile language and threats of rape or death made to Twitter users — and slowing use of the service — the company appears to have a new approach. It wants to do more to make Twitter an appealing place to hang out online. The company has announced new tools to make it easier to report harassment, which will be gradually introduced this month to its 284 million active users. In particular, Twitter intends to simplify the forms that a user has to fill out to report abuse, especially for mobile users, who have been forced to navigate a clunky interface. The company will also encourage bystanders to report abuse they witness, which will improve the ability of Twitter’s safety team to respond quickly and fairly. [The New York Times]

Other Jurisdictions

HK – Hong Kong’s First Prison Sentence Under the Personal Data Ordinance

The Hong Kong Privacy Commissioner for Personal Data (PCPD) announced that a former insurance agent has received a prison sentence in respect of offences under the Personal Data (Privacy) Ordinance (the Ordinance). This case is important in that it marks the first custodial sentence being imposed pursuant to the Ordinance. [Source] See also: [‘Right to be forgotten’ on the Internet gains traction in Japan]

AU – ANZEN Privacy News Roundup

Privacy (US)

US – Judge: NSA Should Have Unlimited Collection Ability

The NSA should have an unlimited ability to collect digital information in the name of protecting the country against terrorism and other threats, said a federal judge at an event in Washington, DC. Judge Richard Posner of the U.S. Court of Appeals for the Seventh Circuit said, “I think privacy is actually overvalued,” adding, “Much of what passes for the name of privacy is really just trying to conceal the disreputable parts of your conduct.” Meanwhile, The Intercept reports on Snowden documents indicating the NSA plans to “secretly introduce new flaws into communications systems so that they can be tapped into,” with an operation codenamed AURORAGOLD. [PCWorld]

US – Court Demands More Info on Secret Spying Program

A federal judge ordered the federal government to provide more detail on a “mysterious” law enforcement database that sparked the investigation of a man charged with violating the trade embargo against Iran. The U.S. government maintains that Homeland Security investigators did not spy on defendant Shantia Hassanshahi using the National Security Agency’s bulk telephony metadata program, which collects individuals’ phone calls and records. But Hassanshahi argues that the government used the mass surveillance program, or at least something like it, to access telephone records that helped secure his arrest. [Source]

US – FISMA Reform to Make DHS More Efficient; FBI Calls for Data-Sharing Laws

Phyllis Schneck’s job as deputy undersecretary at the Department of Homeland Security (DHS) should get easier when President Barack Obama signs the Federal Information Security Management Act (FISMA) reform legislation that passed Congress this week. For example, after the Heartbleed bug threatened IT systems earlier this year, Schneck’s team had to get permission from other federal agencies for DHS to scan their IT systems to check for vulnerabilities. FISMA would allow DHS to do so without permission. Meanwhile, FBI officials are calling for updates to the Computer Fraud and Abuse Act and for new laws to allow data sharing on threats. [BankInfoSecurity] See also: [White House silent on privacy debate]

US – FCC Settles TV Station Investigation for $35,000

The Federal Communications Commission (FCC) has settled an investigation of a television station licensee. Newport Television LLC, former licensee of KTVC Salt Lake City, will pay a $35,000 civil penalty to settle an investigation “involving the station’s recording and broadcast of a person’s telephone conversation as part of a news segment without first telling the person that the call was being recorded and would be broadcast,” the report states. Doing so was a violation of the FCC’s Telephone Broadcast Rule. “We hold broadcasters to high standards and will ensure that they fully respect the privacy rights of consumers,” said the FCC’s Travis LeBlanc. [TVNewsCheck]

US – Supreme Court to Hear Online Free Speech Case

Beginning today, the Supreme Court will hear a landmark case about threats on the Internet. In Elonis v. U.S., Anthony Elonis claims threats he wrote about his wife and coworkers on his Facebook page weren’t meant to be taken seriously. Elonis was jailed for the posts, which has First Amendment advocates worried about free speech rights. But the government and others say making a threat is a crime itself, despite intent. [The Hill]

US – Oregon AG Calls for Student Privacy Bill of Rights

Oregon Attorney General Ellen Rosenblum has called on the state’s legislature to adopt legislation that would prevent the collection and sale of student information to third-party advertisers. She said current law is outdated and does not appropriately protect personal information. “We essentially need a consumer bill of rights so that people know what their rights are online,” she said, adding, “There’s great things about technology, but we have to inform the people; we have to inform parents and the kids so we can be protected better online as well as offline.” [TNS]

US – Ad Company Agrees to Pay $750K for Violations

An online advertising company has agreed to pay $750,000 to six states for bypassing some users’ privacy settings. PointRoll, owned by Gannett, has agreed to the settlement with New York, New Jersey, Connecticut, Florida, Maryland and Illinois for going around users’ Safari privacy settings to place cookies to track user behavior. “Every company is expected to play by the same set of rules: No one should have to fear a business is violating their privacy by bypassing personal settings on their computers or mobile devices,” said New York AG Eric Schneiderman. [Bloomberg]

US – FTC Settles with Medical Billing Provider, Former CEO for Deceptive Data Collection

The FTC has settled with a medical billing provider and its former CEO for misleading “thousands of consumers who signed up for an online billing portal by failing to adequately inform them that the company would seek highly detailed medical information from pharmacies, medical labs and insurance companies.” In complaints against PaymentsMD and former CEO Michael C. Hughes, the FTC alleged the patient portal provided a means by which sensitive health information could be acquired. “Consumers’ health information is as sensitive as it gets,” said FTC Bureau of Consumer Protection Director Jessica Rich. “Using deceptive tactics to gain consumers’ ‘permission’ to collect their full health history is contrary to the most basic privacy principles.” [FTC] [FTC: Online billing service deceptively collected medical records]

US – Union Files Charge Against USPS Over Breach

Following its data breach that may have compromised the personal data of approximately 800,000 employees, the USPS is now facing a new problem. After employees were notified of the breach in November, the American Postal Workers Union filed an unfair labor practice charge with the National Labor Relations Board alleging the USPS violated the National Labor Relations Act, which “requires an employer to bargain in good faith with the union representing its employees.” The USPS failed to provide the union with an opportunity to bargain over the impacts of the breach on employees, the charge alleges. [The National Law Review] and [Breach Delays USPS Financial Report]

US – White House Weighs Drone Integration and Privacy

The next few weeks may determine how drones will be integrated into U.S. airspace. The White House Office of Information and Regulatory Affairs is reviewing the Federal Aviation Administration’s (FAA) sUAS rule as well as privacy issues, while the FAA is set to publicly release its rules for drones weighing less than 55 pounds. The rules will include requiring operators to have licenses and limiting flights. The White House is also creating an executive order on privacy issues. Columnist Gregory McNeil writes, “If small drone businesses want to have a voice, they will need to work with experienced professionals individually or organize and hire someone to represent their views collectively.” [Forbes] See also: [US: Private drone market threatens our privacy] [The White House Office of Information and Regulatory Affairs is reviewing the Federal Aviation Administration (FAA) sUAS rule as well as privacy issues, while the FAA is set to publicly release its rules for drones weighing less than 55 pounds] and [The FAA’s new drone rules will include requiring operators to have licenses and limiting flights.]

US – PCLOB Budget Could Double Under Proposed Spending Bill

A proposed spending bill released on Tuesday could more than double the current budget of the Privacy and Civil Liberties Oversight Board (PCLOB). The PCLOB has been busy during the last year, examining various U.S. intelligence surveillance programs to determine whether they are legal and have proper oversight. Under the proposed bill, the PCLOB budget would increase from $3.1 million to $7.5 million next year. The additional funding “will enable the PCLOB to pursue its mission without delay,” Senate Democrats said in a summary of the bill. [The Hill]

US – Groups Allege Candy Contest Violated COPPA, Ask FTC to Investigate

Earlier this year, the company behind popular candy Ring Pop, Topps Company, ran a contest called #RockThatRock, inviting users to post photos on Facebook, Twitter and Instagram of themselves wearing the candy ring and using the hashtag. The winning photos were featured by a pop-rock band popular with preteens and teens. Some of the photos posted on the brand’s Facebook and Twitter pages used contestants’ social media names and some showed teenage girls—and younger—in provocative poses. Now, 10 advocacy groups have asked the FTC to investigate Topps Company, alleging it violated COPPA by using names and pictures of children under 13. [The New York Times]

US – CA’s First “Revenge Porn” Conviction

A man has been sentenced to one year in jail for violating California’s newly enacted “revenge porn” law. Noe Iniquez, after breaking up with his girlfriend, posted topless photos of her on her employer’s Facebook page in an attempt to get her fired. Previously, such actions were outside the reach of law, but now they are a misdemeanor crime. “We are breaking ground in California on an issue that is affecting people around the country,” said California AG Kamala Harris. Prof. Mary Ann Franks notes the law still needs tweaking, explaining, “it requires that the victim demonstrate that she suffered serious emotional distress, which is unnecessary, burdensome and potentially requires the victim to expose even more of her private life to the public eye.” [Los Angeles Times]

US – VPPA Case Dismissed

A potential class-action lawsuit against ESPN for allegedly violating the Video Privacy Protection Act (VPPA) has been dismissed by a federal judge. U.S. District Court Judge Thomas Zilly said the court papers did not contain enough facts to back up claims the company disclosed a plaintiff’s name to a third party without his consent. Zilly said the transmission of “anonymous” data—in this case, the serial number of plaintiff’s Roku device—to Adobe for data analytics is not a violation of the VPPA. Zilly added, “Even if Adobe does ‘possess a wealth of information’ about individual consumers, it is speculative to state that it can, and does, identify specific persons as having watched or requested specific video materials.” [MediaPost]

US – PwC Releases Report on CMO’s Role in Privacy

PricewaterhouseCoopers has released a report on the role chief marketing officers (CMOs) play in privacy. The report notes that, traditionally, privacy has not been on the radar of many CMOs, and asks whether CMOs are familiar with their organizations’ privacy policies. “Do you know who leads privacy aspects for your organization?” the report asks, adding, “Once that area was the sole realm of the chief privacy officer or the general counsel; now it’s time for CMOs to take a more active role in managing and protecting consumers’ data.” [Source]

US – Other Privacy News

Privacy Enhancing Technologies (PETs)

WW – Quantum Security for Passports and Credit Cards?

Researchers in The Netherlands are proposing what they believe will be a way “to make it impossible for criminals to forge passports, ID cards or credit cards.” University of Twente researchers have developed a way to authenticate documents “using principles derived from quantum physics,” the report states, noting each card is painted with “a thin white strip of nanoparticles” and when the card is issued “a laser fires tiny bundles of light into it, which bounce around like pinballs among the nanoparticles, creating a unique pattern that is all but impossible to copy.” However, the report states, such cards “could still be stolen and used. That is why Pinkse envisions that the method will likely be used in combination with others, such as biometrics.” [CNBC] See also: [Change all of your passwords at once with Dashlane] and [Should we expect every messaging app to offer full privacy?]


CA – 60% of Canadian Businesses Don’t Have a Security Strategy: Report

According to new research from Cisco, Canadian businesses are not equipped to respond to security threats within their networks. The study, which combines the views of Canadian businesses and consumers about security at work, also found there are discrepancies between the preparedness of large and small businesses. [canadiansecuritymag.com] SEE ALSO: [Canadian firms seeing fewer data breaches – why that could actually be bad]

US – Cybersecurity Guidance Predicted to Include Coverage for Third Parties

It now seems likely new cybersecurity guidance expected from federal banking regulators in 2015 will include recommendations for investments in cyber-insurance. The December 10 New York State Department of Financial Services notice to New York banking institutions on expanded IT examination procedures specifically notes state banking regulators expect to see policies related to cybersecurity insurance for not only the bank but also any third parties with which the bank works. That move could foreshadow federal expectations for banking institutions by the Federal Financial Institutions Examination Council, the report states. [BankInfoSecurity] and [A Boost for Cybersecurity Policy Analysis: $45 Million in Grants to Support 3 Universities’ Initiatives]

US – Another Large Retail Breach; Another Push for Cyber-Threat Sharing Bill

Thieves have stolen credit and debit card data from Bebe Stores, Inc., a nationwide chain of women’s clothing stores. While officials for Bebe have not responded to requests for comment, various banks have reported a pattern of fraudulent charges on customer credit cards that had all been used previously at a Bebe store. Meanwhile, major retail and financial industries came together to press Congress to pass legislation that would allow industry to exchange cyber-threat information with the government. [KrebsOnSecurity]

WW – Credit Cards, Healthcare Data on Hackers’ Hit List For 2015: Experian

It seems like there were headlines highlighting yet another data breach almost every week in 2014. Bad news for sure, and what’s worse is that we haven’t heard the last of them yet. So what’s in store for data breaches in 2015? Turns out cybercriminals will still be after credit card data – but that’s no surprise, given criminals always look for the ultimate payload, which is usually financial data they can use to their advantage. Yet what’s also striking is that they’ll be eyeing healthcare data as well, according to Experian, a global information services group providing consulting services in finance, security, and regulatory compliance. [Source]

US – Privacy Issues Stall Newborn Screening Bill

A bill that would support newborn screening nationwide has stalled in Congress because some Republican senators have privacy concerns about genetic research funded by the legislation. The senators won’t comment individually, but the Senate Steering Committee has indicated it wants a provision added to the bill to require parental consent before genetic research and genomic sequencing could be done on a child’s newborn screening sample.[Milwaukee Journal Sentinel]


US – ISP Sues Gov’t Over Gag Order

A small Internet provider is challenging the Justice Department concerning a 10-year-old gag order served by the FBI for the company’s customer records. The now-defunct Calyx Internet Access first sued the FBI in 2004 for being served warrantless National Security Letters. In a lawsuit filed on Thursday, Calyx Founder Nicholas Merrill, who now runs the Calyx Institute , argued the U.S. government, in placing a permanent gag order on a case that is now closed, has violated his First-Amendment rights. “It’s really long past due that we have an open and public discussion about how warrantless searches are being used against Americans,” Merrill said. [The Washington Post] Dee also: Meanwhile, a 2006 memo indicates former President George W. Bush’s administration told a secret court it was justified in spying on communications without warrants to prevent terror attacks, according to a legal memo released recently, and new reports indicate UK Government Communications Headquarters hacked Belgium’s largest telecommunications provider, Belgacom. See also: [Canadian Telcos Want to Build Surveillance-Ready Networks] and [UK Lawyers’ bid to protect client talks from spies] AND [The unstoppable rise of the global surveillance profiteers]

US – Senator Argues Against Back Doors for Government

Noting that a back door placed in software and electronic communication devices to allow government access is also a backdoor that could be exploited by entities with malicious intents, US Senator Ron Wyden (D-Oregon) has proposed legislation that would prohibit government agencies from requiring back doors in digital products. [The Register] [Wyden’s Op/Ed in LA Times]

US – CA Sheriff Could Have State’s First Authorized Drones

Alameda County Sheriff Gregory Ahern formally announced Wednesday that the county has acquired two drones. With Federal Aviation Administration approval, which could come next year, it could “become the first law enforcement agency in California to deploy an authorized drone,” the report states. County citizens had “vociferously” opposed the agency’s proposed acquisition of the technology. “The reason for specifically acquiring this is search and rescue,” Ahern said. A representative from the Electronic Frontier Foundation, however, said, “The sheriff has done nothing to address the concerns expressed by the community at the February 2013 hearing.” The sheriff’s office has released a new draft order, but privacy advocates worry the language in the draft lacks substantial privacy safeguards. [Ars Technica] see also: [India: Police Drones To Patrol Delhi Streets After Alleged Uber Rape]

EU – BND Says it Can Spy on Citizens if They Work for Foreign Entity

German intelligence agency BND claims it has the authority to spy on German citizens if those citizens work for a foreign organization. German law forbids intelligence agencies in that country to spy on German citizens, but BND claims a loophole in this case for communications attributed to the foreign employer. [Ars Technica]

WW – Using Surveillance to End the Impunity of Oppressors

The words “hidden camera” raise privacy red flags immediately, but for Oren Yakobovich, head of the human rights organization Videre, privacy concerns take a back seat to exposing the atrocities of oppressive regimes. Arming activists with micro-cameras, Yakobovich “uncovers, verifies and publicizes human-rights abuses that the world needs to witness.” In his recently released TED Talk from a conference in Rio, he outlines how he came to a life of turning the idea of surveillance on its head. [YouTube] See also: [Automakers Working To Gain Consumer Trust on Smart Cars] and [Car Insurers Promise Discounts If Big Brother Watches You]

Telecom / TV

WW – Blackphone to Open Privacy-Focused App Store

Makers of the anti-surveillance Blackphone are set to unveil a privacy-focused app store and the ability to run separate operations for private and pseudonymous accounts and applications. The new app store will be released in January and will feature apps approved by Blackphone. Plus, the privacy-focused smartphone will roll out a new feature, called Spaces, in the phone’s operating system that allows for separate and varying levels of privacy and security. “The addition of Spaces and the Blackphone app store is the most significant update to PrivatOS since its inception,” Blackphone CEO Toby Weir-Jones said . “We are delighted to have developed the Silent Space, alongside Graphite Software, who share our core values of privacy and security.” [GigaOM]

US – Law Firm Faces Class-Action for Text Message Violations

A law firm is facing a putative class-action lawsuit for allegedly violating the Telephone Consumer Protection Act. Pullin Law Firm allegedly sent text messages to an unknown number of users to generate business. The case could be a signal to law firms to avoid such marketing tactics. According to the complaint , “In a misguided effort to offer legal services to financially vulnerable consumers, Defendant engaged in an invasive and unlawful form of marketing: the unauthorized transmission of advertisements in the form of ‘text message’ calls to the cellular telephones of consumers throughout the country.” The suit seeks a minimum of $500 per violation. [Law360]

US Government Programs

US – NSA Surveillance Practices Create Trade Barrier

Paul Nemitz, a director in the European Commission’s Justice Department who is tasked with leading the overhaul of the EU data protection law, has said the law allowing the U.S. National Security Agency’s surveillance practices “is a real trade barrier to a European digital company to provide services to Americans inside America.” Nemitz’s concern that “U.S. citizens are deterred from using European email providers because they do not get the same protection as they would by using U.S. providers.” Meanwhile, a Council of Europe report states, “Unless the U.S.A. improves compliance with international human rights standards in its activities that affect the Internet and global communication systems, the movement towards such a truncated Internet will be difficult to stop.” [Reuters] See also: [US: Congress Passes Bill Giving Police Unlimited Access to Citizens’ Private Communications]

US – DoJ Creates Unit to Fight Cybercrime

U.S. Assistant Attorney General Leslie Caldwell has announced the Department of Justice is creating a dedicated cybersecurity unit within the department’s Computer Crime and Intellectual Property Section. The unit was formed in response to significant crimes like the “cyberheist campaign last year (that) caused $45 million in losses in a matter of hours,” the report states. “Prosecutors from the Cybersecurity Unit will provide a central hub for expert advice and legal guidance regarding the criminal electronic statutes for both U.S. and international law enforcement conducting complex cyber investigations to ensure that the powerful law enforcement tools are effectively used to bring the perpetrators to justice while also protecting the privacy of everyday Americans,” said Caldwell. [eSecurity Planet]

US Legislation

US – FISMA Now Awaits President’s Signature

A cybersecurity bill that will change the way federal agencies respond to and manage data breaches has now passed both houses of Congress and awaits President Barack Obama’s signature. The House of Representatives approved the Federal Information Security Modernization Act (FISMA) a day after the Senate did the same . FISMA authorizes the Office of Management and Budget to set federal information security policies and requires the Department of Homeland Security to help implement the policies. Senate Homeland Security and Governmental Affairs Committee Chairman Tom Carper (D-DE) said, “This bill will modernize our outdated federal network security laws, provide the tools and authorities needed to improve security at our federal agencies and increase transparency and accountability for data breaches at federal agencies.” [The Hill] [Senate Approves Bill To Help Federal Agencies Avoid Data Breaches]

US – Outlook for State Data Security Laws: More than Breach Notification

Forty-seven states have breach notification laws on the books, at least 31 have data destruction or disposal laws, 12 have imposed broad data security requirements and a few more have more granular laws. “Is data security legislation coming to a state near you?” Delving into New York’s proposed A 10190, the team suggests “the bill may be a harbinger of legislation to come, with potentially significant implications for corporate security and compliance resources and budgets.” F [Hogan Lovells for Privacy Tracker]

US – Legislative News Roundup

Workplace Privacy

WW – Employers’ Use of IoT: The New Panopticon?

Employers are increasingly using Internet of Things (IoT) technology to monitor and measure employee productivity and movements, but the University of Illinois’ Jerome McDonough suggests the technology allows for “a new form of panopticon for employees,” calling the trend “very troubling.” Courts have traditionally granted broad rights to record employees while at work, but the growing use of IoT gives unprecedented surveillance capabilities to employers. “The law is very slow to react,” said University of Denver Prof. Corey Ciocchetti, who predicts “it’s only getting worse for employees.” [San Jose Mercury News] See also: [NZ: Credit union admits privacy breach: The head of a credit union in Napier has admitted the company breached the privacy of a former employee by taking a private Facebook image and distributing it to employment agencies.]

US – Background Check Practices Prompt Lawsuit, Questions

A putative class-action filed in a New Jersey federal court alleges Michaels Stores violates state and federal consumer protection laws by burying disclosures alerting job applicants the company will procure background checks on them during the application process. A woman filed the suit last week claiming Michaels only tells prospective employees it will obtain background checks by a disclosure at the end of its written and online job applications, the report states. Meanwhile, the strength of car service Uber’s background checks on drivers has come into question. [Law360]

US – How Much Access to PII Do Your Employees Have?

In response to several stories during the last year about employee access to intimate details they shouldn’t have—from the NSA employees using “surveillance to collect data on love interests” to an Uber employee tracking a reporter’s location, 29 tech companies including social networks, fitness trackers and dating sites 10 questions about their internal privacy policies for accessing user data. Of those questioned, “only 13 responded,” the report states, and of the 10 that provided comment, responses ranged from serious to “boilerplate” commentary. “All told, the collective responses offer a complex and, in many cases, unsettling survey of the current data privacy landscape.” [Buzzfeed]


16-30 November 2014


CA – Privacy Czar Doesn’t Get Chance to Testify on CSIS Powers

Federal Privacy Commissioner Daniel Therrien has flagged concerns about legislation to broaden CSIS’s foreign spying powers, saying the Conservatives’ bill does not include adequate safeguards against possible future human rights violations, or enough oversight. But the Conservative-dominated committee studying the bill swiftly wrapped up testimony without accepting Therrien’s request to appear. In fact, over the objections of opposition MPs and civil libertarians who wanted to testify, no more witnesses will be called. [Windsor Star] See [CBC News: Privacy Commissioner Daniel Therrien has warned senators “that the increased police powers proposed in the government’s cyberbullying and Internet surveillance bill need to be matched with ways of tracking their use.”] and [Geist: Choosing Between Privacy and Cyberbullying: My Appearance on Bill C-13 Before the Senate Legal and Constitutional Affairs Committee] [The Supreme Court of Canada dismissed the appeal of a BC man who says his rights were violated when the RCMP handed over the results of wiretaps to U.S. authorities]

CA – Privacy Commissioner Signs MOU on Cooperation

The purpose of this Memorandum of Understanding is to set out a framework to support federal/provincial collaboration and co-operation; each participant in the Memorandum of Understanding will allow the OPC, OIPC AB and OIPC BC share information between offices for the following purposes – assess jurisdiction and transfer complaints as necessary, evaluate whether or not investigations or complaints relate to the same or similar matters in order to assess whether or not a parallel or joint investigation is appropriate, conduct parallel or joint investigations, and otherwise assist in the conduct of an ongoing or potential investigation of a complaint or, where applicable, audit. [Source] See also: [Privacy and Access Council of Canada (PACC): The overall privacy landscape in Canada]

CA – Alberta Considers Privacy Amendments Allowing Union Intrusions

The Alberta Legislature is considering privacy legislation amendments giving unions considerable scope to collect and disclose personal information. The amendments, which have already been endorsed by the Privacy Commissioner of Alberta, respond to a 2013 Supreme Court of Canada decision striking down the province’s Personal Information Protection Act. The province has until April 30, 2015 to remedy the constitutional deficiencies before the decision takes effect. If the legislation is passed, trade unions will be able to collect, use and disclose personal information without consent when the purpose is to inform the public about a matter of significant public interest or importance relating to a labour relations dispute involving the trade union; the collection, use or disclosure is reasonably necessary for the purpose; and it is reasonable to collect, use or disclose the personal information without consent for that purpose, taking into consideration all relevant circumstances, including the nature and sensitivity of the information. More changes may be in the offing as PIPA requires a review of its provisions as of July 1, 2015. [Financial Post] and [AB: Union says province’s privacy act changes ignore spirit of top court ruling] See also: [AB: Opposition want Alberta’s Privacy Commissioner called in after phone bill leak]

CA – Canadians Growing Concerned Over Internet Privacy, Poll Shows

Canadians are growing more wary about their privacy on the Internet, according to a new survey commissioned by the Centre for International Governance Innovation. The poll found that nearly 70% of Canadians are worried about hackers stealing their banking information or personal messages and photos. The same percentage of Canadians reported they’re concerned about private companies tracking their Internet usage and attempting to monetize their information. More than half (52%) reported that they’re concerned about government and law enforcement authorities monitoring their Internet activity. The poll comes as the governing Conservatives are moving two controversial pieces of legislation on Internet monitoring and information sharing through Parliament. Bill C-13, introduced in the name of cyberbullying victims, gives private companies legal immunity for handing over their users’ personal information to authorities. [Source]

CA – FB Info Sharing Created Zoosk.Com Dating Profile for Married Woman

Online privacy advocates say current legislation fails to protect Canadians’ privacy online. Last January, Mari Sherkin, married for 25 years, says she got a pop-up ad on Facebook from Zoosk.com. “I didn’t know what it was,” she said. “So I clicked on the X to close it. At least I thought I did. She says that within minutes, she started getting messages in her Facebook inbox from men. “‘A Zoosk member wants to meet you,’ [it read]. I was absolutely unaware of what was going on. “So I opened it and found out — unbeknownst to me — Zoosk had created a dating profile for me.” Dating profile used Facebook photo. Sherkin says she was horrified to see the dating profile, which used her Facebook photo, her name and her postal code. And Mari isn’t the only one. There are many similar complaints online from women who say they have no idea how a dating profile was created for them on Zoosk. Zoosk Victims is just one of the Facebook pages that feature dozens of complaints about the dating website and how it creates profiles. Graham Williams, a Vancouver-based technology expert, points to what is known as an “open authentication protocol” — or OAuth — where people often unwittingly share personal information with third-party websites. “This open authentication scheme is used by Facebook, it’s used by Google, it’s used by Twitter. “And it is basically saying to users out there — you don’t want to have to remember 100 different passwords or 100 different log-ins, so we’re going to let you log in with your Facebook credentials.” So, by logging in with Facebook, for example, you automatically agree to share your private information with other websites. [Source]

CA – Fitbit Data Now Being Used in the Courtroom

A Calgary-based law firm is currently working on the first known personal injury case using data gleaned from a client’s Fitbit, Forbes reports. The client in question was once a personal trainer, but because of an accident four years ago, the lawyers want to demonstrate with the device that her physical activity levels are below that of her age and profession. McLeod Law’s Simon Muller said the data will “back up what she’s been saying.” The report notes what is “intriguing” and “a little creepy” is such cases could make it possible for such data to be used in prosecutions as well. Muller added, “Insurers will want it as much as plaintiffs will.” [Forbes] See also: [Canada: The Fitbit detectives that could be using your data in court]


US – Are Consumers’ Privacy Expectations Hypocritical?

Two reports focus on consumer expectations of privacy and the trade-offs provided by smart technology. CNet looks into Amazon’s newest product, Echo, and it’s lack of a privacy policy. The virtual assistant is voice-activated and gets smarter with continued use. One consumer said the product is “a bit creepy, but I’d totally use one in my classroom,” adding he understands businesses make money off him by using his data. “It’s a trade-off,” he said. A report for The Guardian questions whether the Internet has turned consumers into hypocrites, noting people worry about their privacy but happily share their personal information online, leading columnist John Naughton to ask, “could it be that what we’re getting is not the Internet we say we want but the Internet we deserve?” [CNET]

US – Pew Internet Survey Reveals Privacy Policies Misunderstood

The Pew Center for Internet and American Life released a new survey to shed light on the average consumer’s “Web IQ,” or their digital literacy. Questions included identifying famous leaders of technology companies, such as Bill Gates and Sheryl Sandberg, and basic digital meanings, including whether a kilobyte is larger than a megabyte. Noticeably, however, was a general lack of understanding by consumers about what a privacy policy protects. More than half of the respondents said they thought it was true that privacy policies ensure “that the company keeps confidential all the information it collects on users.” Hayley Tsukayama wrote, “But that is not at all what privacy policies do; in fact, they are generally there to tell you exactly how companies are not keeping your data confidential and how they’re sharing your information with their partners.” [Pew Internet Research]

US – Public Perceptions of Privacy and Security in the Post-Snowden Era

The Pew Research Foundation has released its Public Perceptions of Privacy and Security in a Post-Snowden Era based on a survey of U.S. adults, noting, “Across the board, there is a universal lack of confidence among adults in the security of everyday communications channels—particularly when it comes to the use of online tools.” Justin McNaughton asks whether the post-Snowden perceptions of privacy will change the way consumers and organizations treat privacy policies. With the U.S. Federal Trade Commission cracking down on violations and recently releasing guidance, McNaughton offers some things to address in your company’s policy. Meanwhile, the makers of the game Fruit Ninja will soon update its privacy policy to better inform consumers of its practices. [Mondaq Report]

US – Studies Offer Insight on Breach Response Times, Consumer Fears

A study from FireEye shows the average time it takes organizations to detect a breach is 229 days. The report states one reason for the lengthy timeframe is that two-thirds of organizations find out about a breach through a third party, and it recommends data minimization and proactive issue spotting to hasten the process. A separate study has found that 23% of consumers plan to do less online shopping due to privacy concerns and 64% believe they will be the victim of a breach within the next year. [BankInfoSecurity]

US – Home Depot Spent $43 Million on Data Breach In Just One Quarter

Home Depot has announced it is facing at least 44 civil lawsuits and “investigations by a number of state and federal agencies” related to its breach earlier this year, which, it says, “may adversely affect how we operate our business, divert the attention of management from the operation of the business, and result in additional costs and fines.” [Ars Technica] [Source]

Electronic Records

US – ClassDojo Revises Data Deletion Policy

Student behavioral tracking app ClassDojo has announced it will change its data deletion policy and now retain records on students for one year, which recently ran a story on the privacy concerns related to this app and others like it. “We are not a data company. So we have no need to keep any data beyond allowing it to be communicated between teachers, parents and students,” said Sam Chaudhary, the cofounder of ClassDojo. The new deletion policy directly addresses concerns about the possibility of sharing student data with third parties; however, the debate over use of the app also touches on its ability to publicly display behavior scores and parents’ ability to access them. [The New York Times]

US – ClassDojo Sparks Privacy Concerns

ClassDojo and other apps that help teachers “automate the task of recording classroom conduct” and “communicate directly with parents” are raising privacy concerns. ClassDojo is being used in roughly one out of three U.S. schools, the report states, and “some parents, teachers and privacy law scholars say ClassDojo, along with other unproven technologies that record sensitive information about students” are being adopted without fully considering “the ramifications for data privacy and fairness, like where and how the data might eventually be used.” [Source]

US – Law Firm Releases 8,000 Students’ Info

Meanwhile, Seattle Public Schools is seeking the U.S. Department of Education’s after a law firm contracted with the school department released the personal information of 8,000 students receiving special education services. [Seattle Times]


WW – Internet Architecture Board Calls for Default Encryption;

The Internet Architecture Board (IAB) has issued a statement calling for encryption to be the standard across the web, saying it “now believes it is important for protocol designers, developers and operators to make encryption the norm for Internet traffic.” The IAB also said default encryption at all levels of the Internet “will help restore the trust users must have in the Internet.” [IAB Statement on Internet Confidentiaity]

US – AT&T Stops Using Undeletable Phone Tracking IDs

AT&T has stopped its controversial tracking program that assigned undeleteable identification numbers to its mobile customers’ online activity. Verizon has said it will continue its program, but added, “as with any program, we’re constantly evaluating.” Though it has put the brakes on its “Relevant Advertising” program, an AT&T spokeswoman said, “we could have one in the future.” [ProPublica]

US – Case Suggests How Government May Get Around Phone Encryption

The U.S. Department of Justice is using a novel legal maneuver to get around smartphone encryption by using a law created in 1789 called the All Writs Act. In October, prosecutors convinced a Manhattan-based federal magistrate to order an unnamed phone maker to provide “reasonable technical assistance” for unlocking an encrypted cell phone. The All Writs Act gives courts broad authority to carry out their duties such as this, the report states. Stanford University Center for Internet and Society Civil Liberties Director Jennifer Grannick said, “It’s part of what I think is going to be the next biggest fight that we see on surveillance as everyone starts to implement encryption,” adding, “Does this mean you have to do something to your product to make it surveillance friendly?” [The Wall Street Journal] See also: [Privacy groups have sent a letter to the National Institute for Standards and Technology calling for encryption standards that are “free from back doors or other known vulnerabilities | Letter]

WW – WhatsApp Adopts End-to-End Encryption

In what is being called the largest implementation to date, messaging services WhatsApp has announced it will now bring end-to-end encryption to its 600 million users. The new security feature will be included in the company’s latest security update for Android. Open WhisperSystems, which has helped develop the feature, said it will take time to get it out to all of its users, but Android will be the first mobile platform to receive it. [Gizmodo] WhatsApp has upped its encryption game to offer better protection for messages sent from Android devices running the app. The change means that WhatsApp will not be able to decrypt users’ messages. The encryption system WhatsApp has chosen to use encrypts messages from the time they leave one device until they arrive at the recipient’s device. [v3.co.uk] [NBCNews] [SCMagazine] [Ars Technica]

US – EFF Launches Certificate Authority

The Electronic Frontier Foundation has announced the unveiling of Let’s Encrypt, a certificate authority it plans to launch in 2015 in conjunction with Mozilla, Cisco, Akamai, IdenTrust and University of Michigan researchers. The initiative seeks to help transition the web from HTTP to encrypted HTTPS. Let’s Encrypt will offer free encryption services to any website.

EU Developments

EU – A29 to Google: Forget the .Com Links, too

Just as Google announced new capabilities for users to monitor the devices that are accessing their Google accounts, the Article 29 Working Party in the EU has released a new set of guidelines that runs contrary to Google’s current compliance with the so-called “right to be forgotten” court decision. As recounted from the DPC stage last week, Google has been removing references to specific people only on its country-specific URLs, like those with .de for Germany or .es for Spain. However, the new guidelines from A29 say web sites should apply the right to be forgotten to all domains, including Google.com. “The court says the delisting decision has to be effective,” A29 Chair Isabelle Falque-Pierrotin told the WSJ. “These decisions should not be easily circumvented by anybody.” [The Wall Street Journal] SEE [Guidelines on the implementation of the Court of Justice of the European Union judgment on “Google Spain and inc v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González” c-131/121] and Out-Law.com: The European Parliament’s Civil Liberties, Justice and Home Affairs Committee has said the Court of Justice of the EU’s decision on the Data Retention Directive needs to be reviewed “before they agree to a new EU Passenger Name Record Directive’”

EU – EU Considers Binding Powers for Privacy Regulators

Italy, which currently holds the EU presidency, has issued a new proposal that would give a a new body of European data protection authorities “the power to adopt legally binding decisions in cross-border disputes over a company’s misuse of personal data.” The so-called European Data Protection Board would be an alternative to the controversial “one-stop-shop” proposal that has divided member states and slowed the reform process. Some governments, the report states, are concerned, however, that the process will get more complicated by allowing multiple authorities to intervene in a case. [Reuters] See also: [UK: Look out: That data protection watchdog can bite] [Reuters: Italy has issued a new proposal for a European Data Protection Board with “the power to adopt legally binding decisions in cross-border disputes over a company’s misuse of personal data.”] [The proposed EU General Data Protection Regulation will be finalized in 2015] The Dutch data retention legislation will remain in place, despite an EU court ruling earlier this year that struck down the associated EU directive.

EU – Giovanni Buttarelli Named New Data Protection Watchdog

The next European Data Protection Supervisor (EDPS) will be Giovanni Buttarelli, Parliament’s President Martin Schulz announced. His Assistant Supervisor will be Wojciech Rafal Wiewiórowski. Messrs Buttarelli and Wiewiórowski were listed as Parliament’s top candidates for the two posts after hearings in the Civil Liberties Committee on 20 October. [Source] See also: [60 things European legislators don’t want Canada to learn about air passengers] [RTE News: The Irish government is seeking “the support of the European Commission in a legal battle involving the U.S. federal authorities and tech giant Microsoft.”] and [U.S. Federal Trade Commissioner Julie Brill and Article 29 Working Party Chairwoman Isabelle Falque-Pierrotin discussed Safe Harbor at the IAPP Data Protection Congress.

UK – Phone Data of 1,700 Murdoch Staff Probed

Scotland Yard has examined the mobile phone records of more than 1,700 journalists, lawyers and staff working for News UK, it emerged last night. In a major breach of privacy laws, Vodafone handed over data from phones belonging to journalists, lawyers, secretarial staff and senior executives working for The Times, The Sunday Times and The Sun newspapers between 2005 and 2007 to the Metropolitan Police. Detectives working on Operation Elveden, which is investigating alleged payments by journalists to ‘public officials’, requested data last October from the phone of one reporter who had been arrested. But when the telecoms giant mistakenly disclosed a mass of staff phone records, police held onto the material for seven months despite requests to return it. It is feared that the data could have compromised confidential journalistic sources. Detectives conducted an analysis of the records and built a spreadsheet listing outgoing calls made from 1,757 phones, even know they knew the information relating to innocent journalists had been passed on improperly. The data breach is now being investigated by the privacy watchdog bodies, the Information Commissioner (ICO) and the Interception of Communications Commissioner’s Office (IOCCO). The latter, which is also investigating police use of surveillance powers against journalists, said the case was of ‘very significant concern’ and it has urged the publisher News UK to take up the matter with the Investigatory Powers Tribunal. The case comes amid concerns about the extent to which police use surveillance powers under the Regulation of Investigatory Powers Act (Ripa) against journalists and their sources. [Source]

Facts & Stats

WW – Nearly a Billion Records Were Compromised in 2014

In first nine months of 2014, after 1,922 confirmed incidents, criminals managed to compromise 904 million records. Many of the incidents reported in 2014 were record setting, including twenty of them that resulted in the compromise of more than a million records each. According to data given to CSO Online by Risk Based Security, nearly 85% of the records exposed in the first nine months of this year were due to hacking (external influence), accounting for 74% of the reported incidents. Another lesson learned this year centers on keeping all of one’s eggs in a single basket. As mentioned, twenty incidents reported in 2014 exposed one million records or more in each instance, but three of them resulted in the compromise of a combined 489 million records. [Source] Untangling Breach Loss Liability: Target says that it is not liable for losses incurred by banks as a result of the retailer’s massive breach during the holiday shopping season a year ago. Five of the banks that issued the compromised cards – there were at least 40 million card numbers affected – have filed a federal lawsuit against the company. Target’s legal team said that the company is not liable for the banks’ losses because payments are processed by third parties. [Ars Technica] [Insurance Journal]

US – Colleges Finding Less Damaging Material Online

A poll of 403 undergraduate admissions officers by Kaplan Test Prep indicates fewer “are finding online material that could derail a student’s chance of admission, even though an increasing number of college admissions officers consider the public social media accounts of applicants as fair game.” Of those polled, 35% indicated they had visited applicants’ social networking pages, up 9% from 2012, but those who found “information online that had hurt a student’s application” had dropped from 35% in 2012 to 16 percent in the most recent poll. “Students are more aware that any impression they leave on social media is leaving a digital fingerprint,” said Kaplan’s Seppy Basili. [The New York Times]


EU – French ‘Right to be Forgotten’ Decision Takes Link Removal Beyond Europe

A recent decision by a French court that relied on the European ‘right to be forgotten’ has landed Google’s subsidiary there with a €1,000 per day fine unless it stops linking to a defamatory article. The case involved Dan Shefet, a lawyer who sued Google in France last August to counter a “defamation campaign” aimed at his firm, which he details here. He won a court order for Google to remove certain URLs on a worldwide basis, however, the search company only took them down from google.fr and, according to Shefet, ignored subsequent demands based on that order. Shefet told The Guardian that the court’s decision means that people in any EU country may obtain an injunction against their local Google subsidiary if they want a result that can only be completed by the parent company. Previously, if the complainant wanted a result removed from google.com, they would need to sue Google in the US since Google Inc controls the search engine worldwide. “Until now a subsidiary could not be legally forced under the threat of daily penalties to deliver a result which was beyond its control.” [Source] [Google Removal Tool] and See also: [Doxxing defense: Remove your personal info from data brokers] [Google’s advisory council meetings on the RTBF led to more questions than answers] and also: [Office of the Privacy Commissioner of Canada contacts search engine over individual’s complaint]


WW – PCI SSC Hopes Emerging Tech Will Help Thwart Breaches

As “one of the worst ever” years for data security nears its end, CSO reports the Payment Card Industry Security Standards Council (PCI SSC) hopes emerging technologies will help prevent future breaches. PCI SSC International Director Jeremy King said, “We hope to get better. Unfortunately, the criminals are getting better.” As of January 1, organizations must be compliant with PCI-DSS 3.0, the report states. Meanwhile, a “brightening economic picture spurred more people to buy homes and renovate them,” resulting in gains for Home Depot and easing concern the retailer’s recent breach “would scare customers away,” The New York Times reports. In a blog for ComputerworldUK, Forrester Analysts discuss privacy as a competitive differentiator, suggesting data can “be the downfall for an organization when improperly handled or lost.” [PCI Council] ALSO: [Financial Sector Terrorism Threat Grows] and [The Consumer Financial Protection Bureau has finalized a rule allowing financial institutions to post their annual privacy notices online rather than having to mail them to customers individually]


UK – Highest Court Urged to Overturn Decision to Allow Royal Correspondence to Politicians to Be Released

Seven justices at the Supreme Court in London are hearing the latest round of a lengthy legal dispute over disclosure of the royal correspondence. The Attorney General, the Government’s principal legal adviser, is challenging a decision by three Court of Appeal judges earlier this year that he has unlawfully prevented the public seeing the letters. In March they unanimously ruled that he has “no good reason” for using his ministerial veto and overriding the decision of an independent tribunal, chaired by a High Court judge, in favour of disclosure. In 2005 Guardian journalist Rob Evans applied to see a number of written communications between Charles and various government ministers between September 2004 and April 2005. [Source]

Health / Medical

US – How Worried Are Americans About Their Health Information?

To what degree are American citizens concerned with the privacy of their personal health information? According to the NPR-Truven Health Analytics poll, “in general, worries don’t run very high.” Nearly 75% of those surveyed have doctors who use electronic health records, but only 14% had privacy concerns with their hospitals. Additionally, two-thirds of respondents said they were willing to share health data with researchers as long as it was de-identified, the report states. [NPR]

US – Government Storing Baby Blood Data Raises Privacy Concerns

The Nafkes of Apex have two healthy daughters, and their girls are among the millions of children already screened. Both of their results came back perfectly normal. But it’s what the government is doing with your child’s DNA after the children are screened for diseases that is raising ethical concerns. The Nafkes had no idea that DNA left over from their daughter’s newborn screening tests, called dried blood spots, are stored in a government facility for up to five years in North Carolina. [Source]

US – Providers Vindicated in Patient Privacy Case

A California Superior Court sided with Prime Healthcare Services and Shasta Regional Medical Center in a civil case over an alleged violation of patient privacy rights. The healthcare providers accurately contended that “the patient had implicitly waived her privacy rights” when, at the behest of the United Healthcare Workers West union (SEIU-UHW), she had agreed to share her medical information from Shasta Regional with the media. General Counsel Troy Schell commented the suit was “part of SEIU-UHW’s malicious corporate campaign against the company and hospital,” adding the providers are committed to protecting patient rights. [PR Newswire release] see also: [BC: Privacy breach at Island Health leads to dismissals] and [A recent Connecticut Supreme Court ruling may offer a way for individuals to bring claims against healthcare providers and others who engaged in activities that violate HIPAA].

CA – NL: Western Health Privacy Breach Court Decision Favours Plaintiffs

The Supreme Court of Newfoundland and Labrador has decided that a group of patients who had their health information inappropriately accessed by a Western Health employee have grounds to continue with a class action lawsuit against the health authority. The legal action was launched in light of the privacy breaches involving Donna Colbourne, a clerk at Western Memorial Regional Hospital. She was fired from her position in 2012 after she allegedly inappropriately accessed patient files while on the job. Those who had their health information accessed applied for certification of a class action law suit. The application was divided into two stages, with the first stage determining whether the pleadings disclosed a cause of action and whether the proposed class was identifiable. In his decision, Goodridge agreed that the pleadings disclosed a cause of action. He said the proposed class, as long as it was limited to the 1,043 people known to be affected, would be identifiable and acceptable for certification purposes. The civil action is still not certified at this stage. The determination of whether the action is appropriate for certification has been deferred until completion of the second stage of the application. [Source] See also: [UK: Pharmacist Fined for Spying on Friends’ Medical Records]

Horror Stories

CA – Canada Tax Agency Breach Reveals Info of High-Profile Citizens

A Canada Revenue Agency spreadsheet was mistakenly sent to CBC News revealing the value of tax credits granted to hundreds of high-profile Canadians. The likes of author Margaret Atwood and former Prime Minister Jean Chrétien were affected by the detailing of tax-deductible donations of items like manuscripts, fine art and other items of value to non-profit organizations, along with home addresses and the value ascribed to the donation. One affected party donated a Rubens work valued at $200 million. It was an erroneous response to a request for unrelated records under the Access to Information Act. Revenue Minister Kerry-Lynne Findlay told the CBC it acknowledges the breach and has notified the House of Commons and the privacy commissioner, along with affected parties. [CBC News] See also: [How sweet it isn’t: Godiva notifies employees that stolen laptop held their data] and [NZ: Error exposes carparkers’ details] See also: [No data breached in City of Ottawa website hack, mayor says]

US – Beth Israel to Pay $100,000 Fine for 2012 Breach

Beth Israel Deaconess Medical Center will pay a $100,000 fine for a 2012 data breach that exposed sensitive personal information of nearly 4,000 patients. Massachusetts Attorney General Martha Coakley said the organization failed to follow data protection policies and to appropriately notify those affected, as required by law. Beth Israel Chief Information Officer John Halamka said they have worked “to ensure that (the hospital) adopts state-of-the-art security policies and technologies,” adding, “Every device we purchase is encrypted before it is used, and every employee must attest on an annual basis that his or her personal devices are also encrypted.” Meanwhile, a server containing sensitive personal information of 48,000 Visionworks’ customers may have been compromised, and a breach hit approximately 10,000 public school employees. [The Boston Globe] See also: [ON: Rouge Valley hospital clerk charged with misusing confidential patients records]

US – Lawyer: $1.4M Judgment Sets National Precedent

The Indiana Court of Appeals has upheld a $1.4 million verdict for a Walgreens customer whose prescription information was provided to a third party in what the attorney who argued the case is calling “a national precedent.” Attorney Neal Eggeson said this marks the first time a healthcare provider “has been held liable” for Health Insurance Portability and Accountability Act (HIPAA) violations committed by employees. Meanwhile, emerging trends in healthcare privacy and security mean that “risks have upped the ante for HIPAA security and privacy officers and increased fines have many on edge.” [Indianapolis Business Journal]

US – Breach May Have Compromised SSNs; Courts Asked to Amend Lawsuits

Thomson Reuters is notifying subscribers to Westlaw of a data breach that may have compromised their Social Security and driver’s license numbers, as well as other personal information. Individuals are thought to have used valid subscriber login information to infiltrate the public records database and conduct unauthorized searches. Meanwhile, CNN wants a federal judge to dismiss a lawsuit claiming the company’s iPhone app violates the Video Privacy Protection Act, and Community Health Systems and its subsidiaries have asked an Alabama judge to dismiss portions of a proposed class-action related to its recent data breach, saying that few injuries are described. [InfoDocket]

WW – Sony Pictures Security Breach

Sony Pictures is in digital lockdown while it investigates a breach in which intruders reportedly stole more than 200MB of data and defaced employees’ workstations. Sony Pictures staff are being asked to disconnect computers and personal devices from the network and to shut down virtual private networks (VPNs). [The Register] [NextGov]

Identity Issues

US – Who’s Anonymous Now? KKK Members Losing Their Digital Hoods

As a grand jury prepares to deliver the outcome of its investigation, things are again heating up in Ferguson, MO, where this summer’s racially charged events prompted hacktivist collective Anonymous to use PII as a weapon against those who would harm the city’s protestors. Jedidiah Bracy examines the cyber-war Anonymous has declared on the Ku Klux Klan (KKK) by disclosing its leaders’ personal information and conducting cyber-attacks against its websites. “The KKK has always operated under a hood, fueled by hatred. Remaining anonymous, ironically, has been important for its members,” Bracy writes. While even 10 years ago the techniques Anonymous is using to fight discrimination would not have been possible, the control of PII is a powerful, double-edged sword in the Digital Age. [Source] See also: [Ottawa: Hackers pledge more attacks] See also: [New Tricks to Deanonymize Tor Users] San Francisco Chronicle: a federal appeals court has barred California from enforcing a law that would require more than 70,000 registered sex offenders to disclose their Internet identities to police

WW – A New Service Will Help You Wrest Your Online Identity from Google

A new group called Indie Hosters is looking to remedy the potential privacy concerns of letting your favorite social network or search provider as your login for “countless other services across the net.” Now in its earliest stages Indie Hosters aims to provide web identities that its users control. “So far, there are only two members of the network, the project’s founders Michiel de Jong and Pierre Ozoux. But they hope more hosts will join them,” the report states, noting the pair has “launched a crowdfunding campaign to work on building the tools and network to make that happen.” [Wired] See also: [5 Web Cookie Myths Exposed] The Wall Street Journal: A new report from the Information Technology and Innovation Foundation states the EU’s cookie notification policy costs billions of euros per year and offers few benefits.

Internet / WWW

WW – UN Panel Approves Anti-Bulk Surveillance Resolution

A UN panel has approved a resolution prompting the General Assembly to call on member nations to respect and protect digital privacy. The draft, called “Right to privacy in the digital age,” was sponsored by Brazil and Germany and would mostly be considered a symbolic move by the UN. The new resolution also included a mention of protecting metadata in the context of digital surveillance, the report states. Ambassador Harald Braun, Germany’s permanent representative to the UN, said, “This means that human rights obligations of states also apply when they use private companies for surveillance purposes.” [PC World]

Law Enforcement

CA – AG: Police Need Better Data on Criminals Returning From Abroad

An audit of government efforts to support the fight against transnational crime found Foreign Affairs, Trade and Development Canada does not notify the RCMP because of restrictions in the Privacy Act and Charter of Rights. Police can gain access to the information when it clearly relates to criminal investigations, or when the public interest outweighs any invasion of privacy from disclosure. Still, of 34 such requests in 2010-14, only 17 were met. [Source]

ON – Hamilton Police Launch Online Crime Mapping Tool

Hamilton police have launched at crime mapping tool that allows residents to search when and where certain types of crimes have happened in the city. The new tool, which was introduced at the monthly Hamilton Police Services Board meeting, tracks the following types of crimes for the past 60 days: The crimes are posted with a one-day delay. To protect victims’ privacy, crime locations are randomly offset, and addresses are mapped to the block level. For example, 123 King St. becomes 1xx King St. In addition to the mapping feature, the tool is also equipped with basic analytical features that show crime density, crime type by day of the week and other trends. Residents can set up crime alerts to receive email and text notifications of crimes in their chosen areas. An iPhone app is also available for this purpose. A new feature will also be added soon to allow residents and businesses to register their security cameras to help police build a database of cameras and turn them into law enforcement tools. To help residents navigate the new tool and its features, police have posted a tutorial video on YouTube. Hamilton is the second police agency in Canada to work with the company for the mapping service. London, Ont., police have been using the mapping tool for less than a year, according to the presentation. [Source]

US – State AG: Cops Don’t Need to Ask Permission to Use Body-Cams

Washington Attorney General Bob Ferguson says police do not have to ask permission to use body cameras to record their interactions with the public in most circumstances. Ferguson said citizens must assume interactions with on-duty police are public and so officers are under no obligation to turn off body cameras even when asked, the report states. Ferguson added, citizens have the same right to film uniformed police officers in public. Ferguson referred to the Supreme Court opinion recognizing that “a conversation between a police officer and a member of the public that occurs in the performance of the officer’s duties is not private.” [The Seattle Times]


US – Will Rideshare Incident Prompt Location Privacy Law?

Some are calling it “the gaping hole in the nation’s privacy laws” for protecting users’ location information. “Right now we protect health data, we protect financial data, we protect kids’ data, but location isn’t protected,” said Georgetown University Center on Privacy and Technology Executive Director Alvaro Bedoya. “As long as a company is not deceiving you about how they’re using the data, they can pretty much do whatever they want.” In response to last week’s news that Uber may have misused some of its users’ data, Uber competitor Lyft has changed its internal privacy policies to limit employee access to user data. The company said it has implemented “tiered access controls.” [The Hill] [Uber touts “strict” privacy rules, but terms suggest broad access] [U.S. Senator Al Franken questions Uber’s privacy policies]


Online Privacy

WW – Yahoo to Honor DNT in Firefox; Tweets Become Searchable

Mozilla has announced Yahoo will now be the default search engine in its Firefox browser for users in the U.S., but other search options will continue to be available, according to a blog post by the company. As part of the partnership, Yahoo agreed to honor the Do-Not-Track option for U.S. customers using Firefox but will not do so for users of other browsers. “We will now focus on expanding our work with motivated partners,” Mozilla writes, “to explore innovative new search interfaces, content experiences and privacy enhancements across desktop and mobile.” Meanwhile, Twitter has announced it will make every public tweet since 2006 available to search, raising privacy concerns for some who may have posted regrettable content in the past. [Mozilla Blog]

WW – Group Launches Transparency Index Tool

Digital rights organization Access has announced the release of its Transparency Reporting Index, a tool designed to help users “see whether their favorite app or service discloses user data and to learn about corporate policies on government demands for data and disruptions.” According to Access, “Transparency reporting is one of the strongest ways for technology companies to disclose threats to user privacy” and can help educate the public about government access to user data. The tool includes a list of companies that have issued transparency reports and links to them. [Source] [Doxxing defense: Remove your personal info from data brokers]

UK – Owner Shuts Down Webcam Website

Following calls from data protection authorities (DPAs), the owner of a Russian-based website connecting to tens of thousands of webcam streams has shut down, BBC News reports. The site, which at one point connected to more than 73,000 webcams using default password settings, prompted concerns from DPAs in the UK, Canada and others. UK Information Commissioner Christopher Graham said, “If we can take one lesson away from this experience, it is that default passwords do not provide protection from the threats that exist in the modern world.” Foscam’s Chase Rhymes said, “An analogy best describing this would be just because someone leaves their window open it does not give permission for an unauthorized individual to set up a camera outside their window and broadcast the feed worldwide.” [BBC] See also: [The Big Data Security Risks Of Little Things] [Australia, Canada, UK and China weigh in on Insecam privacy issue] See also: [Algorithms Are Great and All, But They Can Also Ruin Lives] and [Public Health Surveillance and Privacy in the Age of Ebola]

WW – Image Search, Analysis Emerge as Powerful Tools, Privacy Threat

The rise in smarter image systems, including recent technology called neural net artificial intelligence (AI), is raising some personal privacy concerns. Neural net AI allows computers to understand what is occurring in a given picture—for example, recognizing that a boy is throwing a Frisbee to a dog. “Combine this technology with facial recognition,” the article states, “and anyone with access (which will be everyone) will be able to search the web for people doing things or involved with or associated with some activity.” Combined with mass photo surveillance, such technology could present equally positive and negative uses. “Love it or fear it,” the article adds, “this technology is happening now.” [eWeek] See also: [Toronto police considering facial recognition software to identify suspects] AND:

WW – Facebook Tests Buy Button, Tweaks Basic Privacy Settings

Starting January 2015, users of social networking giant Facebook may be able to buy things online—and, hopefully, have more control over what they share. Facebook said these tweaks are contained in its terms and policies, as well as in its newly rolled out Privacy Basics. Also, Facebook will continue to improve ads based on the apps and sites people use off Facebook and expanding users’ control over the ads they see. “Privacy Basics” is a how-to guide on the new features and controls available to Facebook users. Updates to Facebook policies include:

  • Discover what’s going on around you: Facebook explains how it gets location information depending on the features users avail of.
  • Make purchases more convenient: in some regions, Facebook is testing a Buy button that helps people discover and purchase products without leaving Facebook.
  • Find information about privacy on Facebook at the moment you need it: moving tips and suggestions to Privacy Basics. Facebook’s data policy is shorter and clearer, making it easier to read.
  • Understand how Facebook uses the information it receives.
  • Users’ information and advertising: Facebook will continue to help advertisers reach people with relevant ads without telling them who its users are. [Source] See also: [Social media terms of service may be trumped by Canadian law]

Privacy (US)

US – FTC Settles With TRUSTe

The FTC announced a settlement with privacy seal provider TRUSTe on charges the company “deceived customers about its recertification program for company’s privacy practices, as well as perpetuated its misrepresentation as a nonprofit entity.” FTC Chairwoman Edith Ramirez said, “TRUSTe promised to hold companies accountable for protecting consumer privacy, but it fell short of that pledge … Self-regulation plays an important role in helping to protect consumers. But when companies fail to live up to their promises to consumers, the FTC will not hesitate to take action.” In a blog post, TRUSTe CEO Chris Babel wrote, “we take very seriously the role we play in the privacy ecosystem” and that both issues raised by the FTC have been addressed. [FTC] [FTC says firm that offered online privacy certificates didn’t check compliance] The FTC announced a settlement with privacy seal provider TRUSTe on charges the company “deceive customers about its recertification program for company’s privacy practices, as well as perpetuated its misrepresentation as a nonprofit entity.”

US – FTC: Two ‘Tech Support’ Firms Tricked Customers Out of $120 Million

The Federal Trade Commission announced that it has temporarily shut down two telemarketing operations that, the agency alleges, were dedicated to tricking customers into buying fake technical support. The agency announced action against two separate operations, both based in Florida. One case includes charges against the makers and sellers of software called “ PC Cleaner”; the other names companies doing business as Boost Software Inc. and OMG Tech Help. The FTC says the two companies have cheated consumers out of $120 million. [Source]

US – FTC Denies AgeCheq COPPA Verifiable Parental Consent Method

After a window for public comment and review, the FTC has denied AgeCheq, Inc.’s application for its proposed Children’s Online Privacy Protection Act (COPPA) verifiable consent method. In a letter to AgeCheq, the FTC stated that the company’s proposed method “incorporates methods already enumerated in the (COPPA) Rule …” AgeCheq recently proposed another verifiable consent method and that is currently open for public comment. [FTC]

US – Judge Dismisses Some Claims in Apple Class-Action

U.S. District Judge Lucy Koh “dismissed some but not all claims in a class-action accusing Apple of intercepting and failing to deliver text messages sent from iPhones to non-Apple cell phones” that alleged Apple violated the Stored Communications Act, the Electronic Communications Privacy Act and California’s unfair competition and consumer laws. Meanwhile, a class-action has been filed against Jimmy John’s Gourmet Sandwiches following a breach involving customers’ credit and debit cards, and a New Jersey woman has filed a suit against a law firm “that works with debt collection agencies for putting her account number on the collection notice sent to her home.” [Courthouse News Service] and [US: Judge threatens detective with contempt for declining to reveal cellphone tracking methods]

US – CNN Wants Video Privacy Case Thrown Out

CNN is asking a federal judge to dismiss a lawsuit alleging that the company’s iPhone app violates a federal privacy law by sending information about users’ devices to the analytics company Bango. The company argues in papers filed on Friday that any information transmitted to Bango is “anonymous” and doesn’t personally identify users. CNN argues that the federal Video Privacy Protection Act – a 1988 law that prohibits video rental companies from disclosing consumers’ personally identifiable information – doesn’t apply when companies transmit device identifiers. “The history of the VPPA and recent case law confirm that a random numerical string associated with an electronic device is outside the VPPA’s scope,” CNN argues. “No court has accepted the contention that a number that identifies a device (e.g., a computer, tablet, modem, set-top-box or phone) constitutes PII.” The lawsuit, filed this February by Illinois resident Rick Perry, centers on allegations that CNN sends Bango information about the clips that iPhone users watch, along with their 12-digit Media Access Control addresses. A similar lawsuit against Dow Jones was dismissed in October. In that matter, U.S. District Court Judge Thomas Thrash, Jr. ruled that an Android ID isn’t personally identifiable information. The consumer who sued, Mark Ellis, is appealing that ruling. [Source]

US – Other News

US – Legislators Seeking Answers on Breaches

Senate and House Democrats have sent letters to 16 financial institutions seeking information on recent breaches. Those receiving letters from Sen. Elizabeth Warren (D-MA) of the Senate Banking Committee and Rep. Elijah Cummings (D-MD) of the House Oversight and Government Reform Committee included banks and investment firms. “The increasing number of cyber-attacks and data breaches is unprecedented and poses a clear and present danger to our nation’s economic security,” Cummings and Warren wrote. Meanwhile, Staples has said it is not yet “reasonably” able to estimate the costs it will incur in connection with last month’s breach. [Reuters]

Privacy Enhancing Technologies (PETs)

WW – New Product Aims to Ease Data Transfer

IBM has patented a design for a privacy engine that it says will “eventually enable businesses to aggregate international requirements for data transfers on individual projects and flag any cross-border privacy issues.” The engine, still in its infancy, will also ease data-sharing between private clouds. IBM Chief Privacy Officer Christina Peters says the invention “provides a privacy technique that helps businesses navigate an increasingly complex compliance landscape of regulations to help companies avoid unknowingly sharing data that could put their business at risk.” [ZDNet]

WW – Detekt Lets You See If Somebody’s Watching Your Computer

Detekt is a free tool released by a coalition of privacy and civil liberties groups including Amnesty International, Electronic Frontier Foundation, Privacy International and Germany’s Digitale Gesellschaft. Detekt is designed for those who might be targets of government scrutiny, including journalists and human rights advocates and looks for spyware that “might be collecting emails, listening to Skype video calls, observing through a computer camera or even monitoring keystrokes to determine passwords and Internet activity,” the report states. The coalition cautioned there are few regulations “to safeguard against these technologies being sold or used by repressive governments or others … for serious human rights violations and abuses.” Meanwhile, NameRemoval.com recently launched to provide “robust powerful privacy and reputation management services to businesses and individuals.” [The Hill]

WW – Yik Yak Raises $73M

Anonymous messaging app Yik Yak has closed a $62 million round of financing led by a venture capital firm. The total amount raised in three rounds is about $73 million. The app allows users to chat anonymously with one another based on location. [IAPP]


WW – Small Biz Thinks Workers Are Weak Cybersecurity Link

In a new report from security firm CloudEntr, 77% of Internet technology managers at small- to medium-sized businesses say employees are their biggest security concern. “The empoloyee factor is huge,” said one executive. “For most companies it’s the single biggest exposure point.” Another survey finds companies plan to increase spending on cybersecurity budgets by $2 billion over the next two years. Meanwhile, the U.S. State Department shut down its unclassified computer network over the weekend due to concerns it was hacked. In a column for The Hill, former Minnesota Gov. Tim Pawlenty writes that “notifying customers of a problem after it occurs does not prevent the problem … Legislation is also necessary to ensure businesses are held to a higher standard” for protecting customer information. [CNBC] and [10 security mistakes that will get you fired] [The National Institute of Standards and Technology has released draft guidelines to help organizations share information about cyber-attacks]


UK – DPAs Warn About Webcam Website

A website connecting to more than 73,000 unsecure webcams has gotten the attention of data protection regulators around the world. They are warning the public about the site and asking its operators to shut it down. UK Information Commissioner Christopher Graham said he aimed to “sound a general alert,” to warn the public “there are people out there who are snooping.” Graham said the baby-monitor webcam access is “spooky,” adding, “But after all, it is the responsibility of the parents to set a proper password if you want remote access.” The ICO’s Simon Rice also wrote a blog post today about the site. [BBC News] and [AUS: Topless neighbour’s drone picture prompts calls for privacy law overhaul]

US – AT&T Wants Warrants from Law Enforcement for Location Data

An amicus brief filed by AT&T that states law enforcement may need to obtain warrants prior to accessing user cell phone data. The brief was filed in a federal appeals case and asks courts to set a clear standard of what type of approval law enforcement must get to obtain user data. Meanwhile, responding to reports that law enforcement is accessing cell phone data from airplanes, [The Wall Street Journal]

US – Franken Wants Answers on Airplane Spying

Sen. Al Franken (D-MN) wants more information about the programs from U.S. Attorney General Eric Holder. “While I understand that law enforcement agents need to be able to track down and catch dangerous suspects, this should not come at the expense of innocent Americans’ privacy,” wrote Franken.

US – Markey: Auto Privacy Principles Don’t Go Far Enough

Sen. Edward Markey (D-MA) says he plans to investigate the automotive industry’s privacy and security practices and will release the findings. The statement comes a week after a coalition of automakers issued a privacy pledge . Markey said the principles “represent an important first step toward protecting the information collected by modern technology in our cars … However, the proposed principles fall short in two key areas: choice and transparency.” The senator said, in addition to releasing his findings, “I will call for clear rules-not voluntary commitments-to ensure the privacy and safety of American drivers is protected.” The Future of Privacy Forum has released a paper exploring connected cars and privacy. [Source] See also: [Car Camera Network Could Produce Virtual Maps of Pedestrians] and [US: #HappyTracksgiving : How your travels are tracked this holiday season]

Telecom / TV

US – Secret US technology Said to Intercept Cellular Communications

Fake cell phone signal receivers on airplanes gather cell traffic in a secret government program, a new report reveals. The next time you use your cell phone in a crowd, the US Marshals may be listening in. The way it works is through a specialized box affixed to an airplane flying overhead, according to a report from The Wall Street Journal. That box is designed to trick mobile phones into communicating with it, sending all sorts of information through the air and into the device. And innocent Americans are just as likely to have their information collected as anyone else. The Justice Department, which houses the Marshals Service, did not immediately respond to a request for comment. [Source]

US – Judges Require Stricter Rules for Stingray Use

Law enforcement agencies in Pierce County in Washington state must now specify when they will use stingray technology in their investigations and must also swear in the affidavit that they will not retain data belonging to people who are not the target of the order. The 22 Pierce County Superior Court judges have approved a new requirement for law enforcement agencies “… requir[ing] language in pen register applications that spells out [that] police intend to use the [tracking] device.” [Ars Technica] [SC Magazine] [The News Tribune]

UK – Bill Would Expand Law Enforcement Access to Internet User Information

UK home secretary Theresa May is expected to propose a bill that would require companies to provide law enforcement agencies with information about the identities of people using computers and mobile devices. The bill would require service providers to retain data that links users to devices based on IP addresses, which are often shared by multiple users and often change. The data retention changes are expected to be part of the Counter-Terrorism and Security Bill. The plan has met with criticism because it allows for broad surveillance of online activity. The Lib Dems insisted that the communications data bill – branded the “snooper’s charter” – was “dead and buried.” Emma Carr, director of campaign group Big Brother Watch, said: “It is perfectly reasonable that powers to provide the police with the ability to match an IP address to the person using that service is investigated. “However, if such a power is required, then it should be subject to the widespread consultation and comprehensive scrutiny that has been sorely lacking to date with industry, civil society and the wider public when it comes to introducing new surveillance powers. “Before setting her sights on reviving the snooper’s charter, the home secretary should address the fact that one of the biggest challenges facing the police is making use of the huge volume of data that is already available, including data from social media and internet companies. The snooper’s charter would not have addressed this, while diverting billions from investing in skills and training for the police.” [Source] [BBC] [v3.co.uk]

US Government Programs

US – Reports Critical of DHS, VA Privacy Practices

A new report from Department of Homeland Security (DHS) Inspector General John Roth reveals the agency is struggling to protect personally identifiable information and create an effective management system to secure and protect data. “DHS did not take appropriate steps to identify and mitigate physical risks to the security and confidentiality of records,” Roth stated. “We observed instances in which passwords, sensitive IT information … could be accessed by individuals without a ‘need to know,’“ he added. A separate report from the Government Accountability Office indicates the Department of Veterans Affairs has not fully addressed its cybersecurity vulnerabilities and has not done enough to mitigate them. [GovInfoSecurity]

US Legislation

US –Senate NSA Bill Blocked in Procedural Vote

By a narrow margin, the US Senate has blocked a bill aimed at curtailing NSA data gathering practices from reaching the floor. The USA Freedom Act was two votes short of the 60 it needed to pass. The bill would have ended bulk phone metadata collection, instead leaving those data under the control of telecommunications companies from which the NSA can access them with court orders from the Foreign Intelligence Surveillance Court. It would also have required the NSA to focus its search terms more narrowly to ensure that only relevant records are accessed. It would also have granted telecommunications companies more transparency in disclosing the number and types of data requests it receives. The bill’s author, Sen. Patrick Leahy (D-VT) said, “I am disappointed by tonight’s vote, but I am not new to this fight,” adding Republicans failed to work “productively to protect Americans’ basic privacy rights and our national security.” In a strongly worded column responding to the vote, The Intercept’s Glenn Greenwald writes, “the last place one should look to impose limits on the power of the U.S. government is … the U.S. government.” However, the White House says it will pursue a new bill in 2015.[NationalJournal] [WIRED] [CNET]

US – Tech Coalition Urges Surveillance Reform; DoJ Defends “Dirtbox” Spying

A group of technology giants have published an open letter to the U.S. Senate urging it to pass the USA FREEDOM Act. The legislation, which may be voted upon this week, would limit the National Security Agency’s bulk collection of phone data. Aol, Apple, Dropbox, Evernote, Facebook, Google, LinkedIn, Microsoft, Twitter and Yahoo all support the bill, which they say “both protects national security and reaffirms America’s commitment to the freedoms we all cherish.” In separate surveillance news, the Justice Department is defending a practice that uses “dirtboxes” on airplanes to collect cell-phone data of suspected criminals, saying the program is legal. Sen. Edward Markey (D-MA), however, has sent a letter of inquiry about the program to Attorney General Eric Holder. [Source] See also: The Hill reports on a number of technology and privacy issues that policy-makers will look into in the coming months, including National Security Agency and email privacy reform. Jeff Kosseff explores 10 ways the recent election could affect privacy and data security law.

US – Other News

Workplace Privacy

US – Slack Alters Privacy Policy to Let Bosses Read Your Messages

Slack, a workplace communication tool, has announced it will begin selling a number of tools aimed at system administrators. Stack Plus will give companies the ability to request every message employees have sent on the service from that point forward, including direct messages to coworkers. Slack has revised its privacy policy to communicate the changes. [Source] See also: [Oklahoma’s social media privacy law went into effect November 1, meaning employers are prohibited from requiring employees or prospective employees to hand over social media log-in information]

US – Court Finds Deletion of Fired Employee’s Info Not a Violation

A federal judge has ruled that no privacy rights were violated when a company deleted personal information from a fired worker’s cell phone. The company asks its employees to use personal devices to carry out various work functions, and the plaintiff used his iPhone to access email. According to the claim, Design Tech, after firing the worker, remote-accessed his iPhone and, without warning, “wiped or erased all of the information on the plaintiff’s device, including all of plaintiff’s personal and professional information.” The plaintiff claimed the action violated the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act, but a judge disagreed, saying he had “not produced evidence of any costs he incurred” from the action. [Courthouse News Service]


01-15 November 2014


US – Judge Rules FBI Facial Recognition Database Needs Scrutiny

A federal judge has ruled the Federal Bureau of Investigation’s (FBI) facial-recognition database needs scrutinizing due to its size and scope. U.S. District Judge Tanya Chutkan wrote of the FBI’s Next Generation system, “There can be little dispute that the general public has a genuine, tangible interest in a system designed to store and manipulate significant quantities of its own biometric data, particularly given the great numbers of people from whom such data will be gathered.” The ruling validates an Electronic Privacy Information Center (EPIC) lawsuit. EPIC National Security Counsel Jeramie Scott said, “The opinion strongly supports the work of open-government organizations and validates their focus on trying to inform the public about government surveillance programs.” [National Journal] See also: [US: Virginia police can now force you to unlock your smartphone with your fingerprint]

CA – Royal Bank to Test Toronto Company’s Nymi Technology

The Royal Bank of Canada has paired with Toronto-based technology developer Bionym to test a wristband called Nymi (pronounced Nim-ee), which identifies owners through their unique heartbeat and then lets them charge purchases to their credit card. The device looks like a watch, and will soon grace the wrists of 250 RBC clients and staff under a pilot project in Toronto that runs through February. Eventually, the bank hopes to roll out its RBC PayBand across the country. For now, the Nymi band will only work with MasterCard, though eventually the Royal Bank hopes to allow debit transactions. [The Canadian Press, cbc.ca] [Globe & Mail] and [This Startup Is Turning the Human Body Into a Next Gen Design Platform]

US – ‘This Call May Be Monitored’ — To Study Your Voice Print

You may not know it, but banks like Wells Fargo may be already using voice biometrics to make sure you’re really you. JP Morgan Chase & Co., Wells Fargo & Co. and other banks are using customer calls to record biometric voiceprints, using the data to help screen out later fraud. The technology is used to help create voiceprint “blacklists” of criminal who break into customer accounts by fooling call-center workers. But the practice has some pitfalls — some states prohibit collecting biometric data, and privacy lawyers said that the boilerplate “this call may be monitored” statement doesn’t give banks the authority to store customer biometrics.. [Minneapolis Business Journal]

Big Data

US – Groups Tell FTC Approved Merger Must Be Rethought

The Center for Digital Democracy and U.S. PIRG called on the FTC to rethink its decision to approve a marketing corporation merger. The groups told the FTC the $2.3 million merger of direct marketing company Alliance Data Systems and Conversant “raises serious privacy concerns” and the FTC’s approval of the transaction without appropriate safeguards “directly undermines its role as the country’s chief privacy regulator.” The merger amounts to “expanded commercial surveillance of the American people,” the groups said, calling for the FTC to launch a formal review of consolidations of companies that deal with big data. [The Hill] SEE ALSO: [Big Data, Underground Railroad: History says unfettered collection of data is a bad idea] and [Fox and Macaulay: IoT and Privacy Can Thrive Together] and [Forbes: Everything You Need To Know About The Internet Of Things] and [Top 10 Big Data Technologies of Present Times] and [How Can Healthcare Ensure Its Big Data is Smart Enough?] and [Big Data Survey: Trouble Brewing For IT] and [$$$ Cloud will make up 3/4 of all data center traffic in 3-4 years]


CA – RCMP Record Keeping Needs Work, Says Privacy Commissioner

Canada’s Royal Canadian Mounted Police (RCMP) cannot tell whether it complies with federal privacy law when gathering information about citizens without a warrant, according to the Canadian Privacy Commissioner’s annual privacy report. The Commissioner attempted to audit the RCMP’s collection of subscriber data from telecommunications service providers without warrants. It searched the organization’s records, but found that it couldn’t extract the relevant data. The RCMP said that it would establish a working group to better monitor and report on warrantless requests for subscriber information. It will report back to its Departmental Audit Committee in April 2015. The Commissioner’s report also highlighted a record high in voluntarily reported data breaches by government organizations. It received reports of 228 data breaches across the federal government, up from 109 in the prior year. Among the biggest offenders was Correctional Service Canada, which reported 22 incidents. The Canada Revenue Agency reported 33 incidents, while Citizenship and Immigration Canada revealed 54 privacy breaches. The leader, however, was Veterans Affairs Canada, which reported 60 privacy incidents. It was responsible for over a quarter of all federal agency breaches documented throughout the year. [SC Magazine] See also: [Geist: Ontario Provincial Police Recommend Ending Anonymity on the Internet] and [How Canada’s privacy deficit undermines our economy] and [Canada: More Disturbing Questions about Warrantless Data Disclosures]

CA – British Columbia: Committee to Review PIPA on Breach Notification

The Special Committee to Review the British Columbia’s Personal Information Protection Act (PIPA) (‘the Committee’) will issue a report to the Legislative Assembly, on 25 February 2015, on the results of its review. The Committee, which sought further input on the effectiveness of PIPA, held a public hearing in Victoria on 7 October 2014 and received submissions from stakeholders and the public. A number of the submissions suggested that PIPA should be amended to include a specific notification requirement for information security breaches. Currently, British Columbia’s PIPA does not contain such a provision. British Columbia’s Freedom of Information and Privacy Association recommended that mandatory breach notification be incorporated into PIPA. Also, British Columbia’s Information and Privacy Commissioner, Elizabeth Denham, advised the Committee that mandatory breach provisions would bring PIPA in line with other jurisdictions. [Data Guidance] See also: [November 1st – 10th Anniversary of PHIPA]


US – US Privacy Confidence at New Low, Survey Indicates

A new Pew Research report reveals that 91% of U.S. citizens believe that consumers have lost control of how their personal information is collected and used by corporations and 80% said there should be concerns about government surveillance. The report’s author, Mary Madden, said, “There is both widespread concern about government surveillance among the American public and a lack of confidence in the security of core communications channels.” She added, “At the same time, there’s an overwhelming sense that consumers have lost control over the way their personal information is collected and used by companies.” [BBC News] See also [PCWorld: U.S. Concerns About Online Privacy Present Opportunity, Experts Say]

US – Online Privacy Should Be Marketed More Like Snowboarding

Wickr and r00tz Asylum CEO and Cofounder Nico Sell says there are ways to make privacy products exciting for kids. “Don’t use the words privacy and security,” Sell explained. “When kids ask me, ‘What’s Wickr?’ I say it’s an app that spies use to send secret messages,” Sell said, adding kids then respond, “Wow! Can I use it?” Sell calls on her past career as a snowboarder as an example: “If we would have gone to kids and said, ‘Hey, snowboarding makes your legs strong and your heart healthy,’ it wouldn’t have worked” Instead, she says, the focus should be, “It’s rebellious; it’s what the cool kids do; it’s what parents don’t know how to do.” [Slate]


CA – Ottawa Finalizes Action Plan 2.0 on Open Government

New portal launched with calls for open government on non-sensitive data by default. The second chapter of the federal government’s open government strategy now has a confirmed action plan. Treasury Board said this week that the action plan — a document that civil servants have to follow over the next two years — for what it calls Open Government 2.0 has been issued following a consultation period. The plan includes a directive that federal employees treat open by default for the handling of non-sensitive information. There’s a commitment to develop a federated open data search service that provides what the government calls a “no wrong door approach”; an enhanced set of tools and resources to make it easier to search and compare government spending across federal departments; and a new government-wide consultation portal to promote opportunities for public participation. [IT World Canada] See also: [Ottawa announces second action plan on open data ] | [Treasury Board has 15 apps that prove its open data strategy is working

US – Voter Data Use Fails the Creepy Test

According to a KSN report, a group calling itself the Kansas State Voter Report has been sending out flyers to citizens that include their names, addresses and whether or not they voted in past elections. The disclosed data is public information, but it has voters up in arms. “I don’t think that’s anyone’s business,” one voter said. The local county elections commission said it did not know who the group was or who funded the group. Likewise, last week a similar instance was reported in New York. [Privacy Perspectives] [US – Voters Angry About Mailers]

US – Seattle Launches Sweeping, Ethics-Based Privacy Overhaul

The City of Seattle this week launched a citywide privacy initiative aimed at providing greater transparency into its data collection and use practices by convening a group of stakeholders. Called the Privacy Advisory Committee, the group comprises various government departments to look at the ways the city is using data collected from practices as common as utility bill payments and renewing pet licenses, or during the administration of emergency services like police and fire. By this summer, the committee will deliver to the City Council suggested principles and a privacy statement. Chief Technology Officer Michael Mattmiller is responsible for privacy in the progressive city and said city leadership agrees the city’s policy on privacy should be ethics-based: It will answer the question, “Who do we want to be as a city, and how do we want to operate?” [Source]

US – Federal Agencies Can Now Require Contractors to Get Privacy Training

Contractors with access to government records may have to start training their employees on how to appropriately process sensitive personal information. This week, a final rule was issued giving federal agencies-such as the Department of Defense, General Services Administration and NASA-the flexibility to either offer privacy training to contract employees or require the contractors to do the privacy training themselves. The Federal Acquisition Regulation now requires contractors to keep records of employees who have completed the training, which can be requested by federal agencies at any time. “Without proper proof of training, contracted employees will not be given access to federal records,” the report states. [The Hill]


WW – Google Releases Results of Email Hijacking Study

A new report from Google suggests that the perpetrators of manual account hijacking often approach this type of digital invasion as a job. “These are really professional people with a very specific playbook on how to scam victims,” says Elie Bursztein, the lead author of the report. While the volume of these attacks are low — nine incidents per million users per day, according to Google’s analysis — their toll can be devastating. The report, released on Google’s security blog, is the result of years of research by a team that works on account abuse. [Study] [Washington Post] See also: [Verizon tells customers not to give out passwords—and disregards its own advice] and also: [3rd Skillsoft email raises privacy concerns in N.B.]

Electronic Records

CA – Revenue Canada Adds Internal Fraud Detection

The online activities of civil servants at the Canada Revenue Agency are going to watched more closely after the government chose an Israeli software surveillance solution to ensure staff don’t improperly access income tax and other files, part of a policy of toughening up procedures after embarrassing revelations of staff violating privacy procedures. [Source]


US – EFF: ISP is Stripping STARTTLS Flags from eMail

According to the Electronic Frontier Foundation (EFF), a US Internet service provider (ISP) is removing encryption from the traffic between customers and email servers, stripping the communications of the expected level of privacy. There have been incidents in which the ISP intercepted email to remove STARTTLS flags, which signal requests for encryption while communicating with another server or client. If the flag is removed, the email is sent in clear text. Some firewalls use this technique to prevent spam from emanating from their servers, but when it affects legitimate email, the unencrypted messages become vulnerable to interception and eavesdropping. [Ars Technica] [The Register] [EFF.org]

US – The New York Times Challenges News Sites to Embrace HTTPS

Staff members from The New York Times are calling on news sites to encrypt their online traffic by deploying HTTPS. The paper’s software engineering architect and its chief technology officer, together with a cybersecurity and technology strategist, write, “If you run a news site, or any site at all, we’d like to issue a friendly challenge to you. Make a commitment to have your site fully on HTTPS by the end of 2015 and pledge your support with the hashtag #https2015.” In addition to being more secure, HTTPS protects the privacy of users by preventing their search and reading histories from being transmitted “for anyone to see.” [Source]

US – AIDS Websites that Leaked Location Data Now Encrypting User Traffic

Two federal websites that help individuals seek AIDS-related medical services have started encrypting user traffic after years of no protections. The lack of basic encryption could have potentially revealed the identities and location of those seeking such highly sensitive services. “We started requiring SSL (Secure Sockets Layer) for the (services) Locator because we understood that information should be encrypted to protect privacy,” said the director of AIDS.gov. The site, which is run by the Department of Health and Human Services, also added encryption to its related smartphone apps. Another site, run by the Centers for Disease Control and Prevention, has also upgraded its security controls. [The Washington Post]

WW – New Google Tool Detects Crypto Flaws

Google engineers have released an open-source tool to help developers detect bugs and other crypto flaws to prevent the leaking of sensitive information. Called “nogotofail,” a play on a flaw in Apple’s iOS and OSX devices, the tool “provides an easy way to confirm that the devices or applications you are using are safe against known TSL/SSL vulnerabilities and misconfigurations,” the engineers wrote in a blog post, adding, it works with “any device you use to connect to the Internet.” [Ars Technica]

WW – Privacy Tools: The Best Encrypted Messaging Programs

Working with Princeton’s Joseph Bonneau and the Electronic Frontier Foundation’s Peter Eckersley, Julia Angwin has compiled a review and analysis of the best available encrypted messaging services to date. However, Bonneau notes, “It’s important to realize we’re mostly grading for effort here and not execution.” [ProPublica] See also: [Critics bash the EFF Secure Messaging Scorecard]

EU Developments

EU – Council Proposes Amendment to EU Data Protection Regulation, Chapter IV

The Council of the European Union has proposed amendments to Chapter IV of the EU General Data Protection Regulation as it relates to compliance obligations of data controllers and data processors including – privacy impact assessments will only be required for processing activities likely to involve high risk to the rights and freedoms of individuals (such as discrimination, identity theft, fraud, or financial loss), only processing which would result in a high degree of risk would require that the data authority be consulting prior to the commencement of processing activities, and the appointment of a data protection officer is voluntary unless the national law of the relevant member state provides otherwise. [Source] See also: [The Proposed General Data Protection Regulation: Suggested Amendments to the Definition of Personal Data – Douwe Korff, Professor of International Law, EU Law Analysis] and [EU Regulation: A Tipping Point Has Been Reached] See also: [Nemitz: Google Meetings Are Passive-Aggressive Lobbying Efforts] According to leading lights of the EU data protection scene, the proposed EU General Data Protection Regulation will be finalized in 2015. As the new European Commission starts its five-year term, plans include working toward agreement on the EU’s new data protection rules, a European Parliament media release states. With a new EU Commission in place and operational, Hogan Lovells Partner Eduardo Ustaran discusses the three key players with “ultimate responsibility” for the commission’s place in the data protection reform process. French data protection authority the CNIL requires businesses operating in France to declare all personal data processing tools and communicate the decision to operate such tools to employee representatives.A report from the Information Technology and Innovation Foundation states the EU’s cookie notification policy costs billions of euros per year and offers few benefits, The Wall Street Journal reports.

EU – German Apps Struggle to Comply with Strict U.S. Patient Data Rules; Portuguese, French Start-Ups Focus on Privacy

The U.S.’s strict patient data rules are a struggle for some German healthcare apps to comply with despite Germany’s reputation as one of the strictest privacy jurisdictions. Meanwhile, a small start-up from Portugal tells the story of how difficult it is to launch a tech business that relies on people’s data given Europe’s ever-stricter rules on data privacy. It’s been working for two years to get a privacy seal from EuroPriSe GmbH, a pan-European certification company. And Computerworld reports on French start-ups taking a more privacy-centric approach to file-sharing offerings for consumers and organizations. [The Wall Street Journal] See also: [Are your file sharing tools leaking data?]

PO – New Law Would Up the Ante for DPOs, Ease Data Transfers

With a draft data protection law having passed its third reading in Poland’s lower house, there’s a good probability it will become law—meaning new responsibilities for organizations and, in particular, data protection officers (DPOs). In this Privacy Tracker blog post, Marcin Lewoszewski of CMS writes about provisions in the bill that would ease cross-border data transfer and require organizations to appoint a DPO with “appropriate knowledge in the field of personal data protection,” among other things. “However,” writes Lewoszewski, “there is no information in the new law about how a candidate’s ‘appropriate’ knowledge in the field of privacy should be verified or certified, or about who should do it.” Poland’s draft data protection law would mean new responsibilities for organizations and, in particular, data protection officers]

Facts & Stats

WW – IAPP Study: Benchmarking Privacy Investments of the Fortune 1000

How is the average Fortune 1000 privacy program organized? What is its annual budget? To whom does the privacy lead report, and what are the privacy team’s responsibilities? How much does the company spend on privacy per dollar of revenue or per employee? All of these questions and more are answered in the IAPP’s first annual study, Benchmarking Privacy Management and Investments of the Fortune 1000, which establishes the Privacy Industry Index, an estimate of the total spend of the Fortune 1000 on privacy, along with important data for understanding how privacy is done in major corporations throughout the U.S. [Full Story] See also: Center for Democracy & Technology CEO Nuala O’Connor is struck that every company is now a tech company and “those that respect privacy and have strong security practices in place are the ones that consumers are increasingly turning to for a variety of services.” Merck CPO Hilary Wandall similarly notes that “today’s businesses can’t run without data,” but the study’s results cause her to wonder: If “sales and profits are everyone’s responsibility, shouldn’t privacy be too?” Se ealso [IAPP: A New Home for Privacy Industry Research and Information]

QWW – Malware Masquerades as Trusted App; Carnegie Mellon Launches PrivacyGrade

A new and potentially invasive malware makes nearly 95% of iPhone and iPad devices vulnerable. A vulnerability in Apple’s iOS allows hackers to replace official apps, such as a Gmail or a banking app, with a malicious one, called the Masque Attack, which can access sensitive personal information. “Surprisingly, the malware can even access the original app’s local data, which wasn’t removed when the original app was replaced,” researchers said. “These data may contain cached emails, or even login-tokens, which the malware can use to log into the user’s account directly.” Meanwhile, researchers at Carnegie Mellon have created “PrivacyGrade,” a site that provides “privacy summaries that highlight the most unexpected behaviors of an app.” [The Hacker News]

EU – Report Suggests EU Cookie Policy Costs Billions, with Few Benefits

A new report from the Information Technology and Innovation Foundation states the EU’s cookie notification policy costs billions of euros per year and offers few benefits. “There are compliance costs for websites, and we don’t see much benefit,” said one of the report’s authors, Daniel Castro. “These banners don’t really educate users, and there has been no noticeable change in user behavior since cookie warnings were introduced, so the directive appears to be a waste of resources,” he added. [The Wall Street Journal]


US – FCC Chairman Tells Silicon Valley He’s Open to Obama Net Neutrality Plan

President Barack Obama went public with his support of an aggressive approach to protecting net neutrality. Shortly after that, Federal Communications Commission Chairman Tom Wheeler told a gathering of business representatives and public interest groups that he was taking the president’s comments under advisement and that he would need the groups’ support in the coming fight over net neutrality, according to multiple sources in the meeting. The sources said that Wheeler did not, as had been reported earlier, say that he had decided to go in a different direction from what the White House wanted.” [Huffington Post] See also: [Obama’s call for an open Internet puts him at odds with regulators] and [US: The split between Obama and the FCC on net neutrality, in plain English] The U.S. Federal Communications Commission has issued clarification on its 2006 Junk Fax Order confirming that fax ads must contain an opt-out provision, reports The National Law Review.


US – OCC: Law Should Hold Retailers Accountable for Breach Costs

“Congress must move forward with legislation that would put retailers, and not just banks, on the hook for at least some of the costs related to data breaches,” citing comments from Comptroller of the Currency Thomas Curry. While many recent headline-making breaches “occurred through retailer computer systems, it is banks who have been put in the position of replacing debit and credit cards, monitoring accounts and repaying customers,” the report states. Also last week at the IAPP Practical Privacy Series, regulators including Office of the Comptroller of the Currency National Bank Examiner Melissa Love-Greenfield offered insight into where they are focusing their efforts and what financial services companies can do to avoid their wrath. [Law360]


UK – Facebook’s Government User Data Requests Up 24%

Requests by governments for Facebook’s user data are up by nearly a quarter in the first half of this year compared with the previous six months. Global government requests were up by 24% to almost 35,000 in the first six months, the social media giant said. The amount of Facebook content restricted because of local laws also rose about 19% in the same period. News of the increase comes as Facebook fights its largest ever US court order to hand over data from 400 people. [BBC News]

CA – P.E.I. Govt Creates New Office to Handle Freedom of Information Requests

The P.E.I. government has created a new office to handle all Freedom of Information requests due to a big increase in the number of requests being made. A new Access and Privacy Services office has replaced individual co-ordinators within each of the 13 departments and executive government offices. Kathryn Dickson, manager of this new office, says the number of Freedom of Information and Protection of Privacy (FOIPP) requests coming into the province has doubled over the last five years. Previously, each government department had its own FOIPP coordinator, but these were made up of existing departmental staff with other duties and responsibilities. The province’s privacy commissioner has repeatedly raised concerns about backlogs in her office as a result of FOIPP requests denied. The new Access and Privacy Services office is located within the Department of Environment, Labour and Justice. [Charlottetown Guardian] See also: [B.C. Health Ministry ordered to release papers related to firings]


WW – Would You Put Your Genome in the Cloud?

Google Genomics may eventually possess millions of genomes on its servers, Sarah Zhang asks, “Are there legitimate privacy concerns here?” Genomic research works better with bigger sets of genomic data, and Google aims to centralize them into one database, a potential boon for researchers. “This is the infrastructure for personalized medicine,” she writes, noting that bigger databases create bigger privacy concerns, and “the privacy worries aren’t unique to Google Genomics … but the sheer scale of their envisioned database magnifies the potential problems.” If it succeeds, she writes, “it’ll be because it forces us to reckon with the privacy issues that lie behind genome sequencing.” [Gizmodo] See also: [UK – Major genome data project can deliver increasingly personalised drug treatments] and [Genomic Researchers Seeking Balance Between Ethics and Patient Privacy]

Health / Medical

US – FTC asking Apple About Health Data Protection

The U.S. Federal Trade Commission is seeking assurances from Apple Inc. that it will prevent sensitive health data collected by its upcoming smartwatch and other mobile devices from being used without owners’ consent,” two sources said. “The two people, both familiar with the FTC’s thinking, said Apple representatives have met on multiple occasions with agency officials in recent months to stress that it will not sell its users’ health data to third-party entities such as marketers or allow third-party developers to do so.” [Wall Street Journal] See also: [Privacy attorney: Med device cybersecurity guidance ‘is the future’ ] [Wearable Health Tech: New Privacy Risks]

US – Connecticut Court Court Allows HIPAA Negligence Claim

“Since the implementation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule in 2003, injured or wronged individuals (and their lawyers) have been looking for ways to bring claims against healthcare providers and others who engaged in activities that appeared to violate these rules,” writes Kirk Nahra of Wiley Rein. It appears that the Connecticut Supreme Court has just given them some hope. In Byrne v. Avery Center for Obstetrics and Gynecology, P.C., the court found that “HIPAA does not preempt the plaintiff’s state common-law causes of action for negligence …” However, Nahra writes, “Neither side should overreact to this decision. Plaintiffs now can move a claim forward but still have a long way to go to prove their case.” [GovInfoSecurity] [Privacy Tracker] See also: [Legal aid employee to pay $7,500 for intrusion upon seclusion] and also: [Insurer Includes Sensitive Data in Email Subject Lines] and [CA – Winnipeg patient alarmed to hear medical details broadcast in clinic] and [UK – ICO interest in digital health initiatives likely to grow]

US – Healthcare Privacy Policies Must Be Stronger, Says AMA

The American Medical Association (AMA), at its interim meeting, released policies calling for increased diligence in protecting patients’ health data, particularly at insurance companies. “The disclosure of potentially sensitive medical information on standard insurance forms has become more of a concern as the Affordable Care Act allows an increasing number of young adults to obtain health insurance as dependents of their parents, guardians, spouses or domestic partners,” AMA President Robert Wah said. “The AMA’s new policy promotes a multi-pronged approach to protect the privacy interests of patients and preserve the financial interests of policyholders.” [HealthITSecurity] See also: [ONC CPO: We Need To Explain HIPAA Better] See also: [US – HHS Issues Ebola Privacy Guidance | US – Office for Civil Rights (OCR) Issues Ebola Guidance on HIPAA Privacy ]

WW – Insurer Publishes Guide on Avoiding Breaches

TechInsurance, an insurance provider for small technology businesses, has published The Small-Business Owner’s Guide to Identity Theft Prevention and Data Security, a free e-book that offers small businesses data security tips. The guide offers tips on how to strengthen security to prevent data breaches; tips on what to do when a data breach occurs; simple steps to boost security, and checklists aimed at preventing, responding to and recovering from breaches. The guide also includes a recent study finding 29 percent of businesses “incorrectly believe their cyber exposures are covered under an existing insurance policy.” [Security IT]

Horror Stories

WW – Home Depot: 53 Million E-Mails Stolen

Home Depot on Nov. 6 offered an update to the findings of its data breach investigation, saying that, in addition to 56 million cards being compromised, approximately 53 million e-mail addresses were also taken. The latest news follows weeks of investigation involving law enforcement and third-party IT security experts, Home Depot says. In order to evade detection, the criminals involved in the cyber-attack against Home Depot used custom-built malware, which has not been used in other attacks. The malware, which was present on Home Depot’s payment systems between April and September, has since been eliminated from its U.S. and Canadian networks, the retailer says. [Source]

US – NOAA Breach

The US National Oceanic and Atmospheric Administration (NOAA) suffered a security breach in September. To prevent further infiltration, the government shut down some services. When satellite data suddenly became unavailable in October, NOAA attributed it to “unscheduled maintenance.” Officials say that NOAA did not notify the necessary authorities when it learned of the attack. [Washington Post] [eWeek] [ZDNet] [The Register] [CNN] [SC Magazine] [ComputerWorld] [ITNews]

US – USPS Breach Affects Employee Data

A breach of US Postal Service (USPS) information systems compromised personally identifiable information of more than 600,000 employees, including employees of the US Postal Regulatory Commission. The breach was detected in September. Customers who contacted the USPS customer care center by phone or email between January and August 2014 may be affected as well. The FBI is investigating. [ComputerWorld] [NextGov] [ArsTechnica]

EU – HSBC Turkey Confirms Card Breach

HSBC Turkey confirms that a recent cyber-attack exposed payment card information for 2.7 million customers. Information compromised in the breach includes debit and credit cardholder names, account numbers and expiration dates. The bank says that, so far, it has not seen any evidence of fraud or other suspicious activity arising from the incident. HSBC Turkey detected the attack in the past week through its internal security controls, according to an FAQ. The attack was limited to Turkey, and all card operations have been restored to normal functioning, the bank says. No other details about the nature of the incident were revealed. An investigation is under way in collaboration with the Banking Regulation and Supervision Agency of Turkey and other relevant authorities, HSBC Turkey says. Turkey’s Public Prosecutor’s Office has also been notified about the incident. [Bank Information Security]

WW – Scammers Victimize 10,000 Booking.com Customers

As many as 10,000 users of hotel booking site Booking.com have been the victims of a scam using a list of email addresses that were allegedly obtained fraudulently. According to the BBC’s “Money Box,” the criminals accessed Booking.com reservations to gather contact details of customers for the purpose of phishing. Booking.com insists it was not breached but that the scammers contacted individual hotels to gather the data. The incident has affected customers in the UK, U.S. France, Italy, Portugal and the United Arab Emirates. [International Business Times]

US – What CIOs Can Learn From the Biggest Data Breaches

Several lessons may be gleaned from some of this year’s largest data breaches, including Adobe, eBay, JP Morgan Chase, Target and Home Depot. Among the lessons, Hexis Cyber Solutions VP of Corporate Development Todd Weller said that in addition to encrypting its data, eBay should have educated its employees about various phishing scams that could lead to hacker infiltration. Other lessons include investing in intrusion detection and identifying vulnerabilities. [CIO] [Tracking Data Breaches]

US – Lawmaker Seeks Info on Cyber-Attacks; More Orgs Breached

U.S. Rep. Elijah Cummings (D-MD) has sent letters to the chief executives of five companies—including Home Depot, Target and Kmart—seeking more information on the cyber-attacks each suffered. The ranking Democrat on the House Oversight and Government Reform Committee, Cummings said, “The increased frequency and sophistication of cyber-attacks on both public and private entities highlights the need for greater collaboration to improve data security.” Chinese hackers have infiltrated computer systems overseen by the U.S. National Oceanic and Atmospheric Agency and the Turkish unit of HSBC was breached, resulting in the theft of 2.7 million customers’ bank data. Back in the U.S., banking trade groups are calling on Congress to implement cybersecurity regulations for retailers. [Reuters] see also: [British Columbia’s provincial government is notifying 15,000 individuals after a privacy breach in its Wildfire Management Branch] [AU – Immigration Department breached privacy of 9,250 asylum seekers by publishing their details online] and [Dentist’s patient information found scattered on Toronto street]

Identity Issues

UK – Gov UK Quietly Disrupts the Problem of Online Identity Login

A new “verified identity” scheme for gov.uk is making it simpler to apply for a new driving licence, passport or to file a tax return online, allowing users to register securely using one log in that connects and securely stores their personal data. After nearly a year of closed testing with a few thousand Britons, the “Gov.UK Verify” scheme quietly opened to general users on 14 October, expanding across more services. It could have as many as half a million users with a year. The team behind the system claim this is a world first. Those countries that have developed advanced government services online, such as Estonia, rely on state identity cards – which the UK has rejected. “This is a federated model of identity, not a centralised one,” said Janet Hughes, head of policy and engagement at the Government Digital Service’s identity assurance program, which developed and tested the system. The Verify system has taken three years to develop, and involves checking a user’s identity against details from a range of sources, including credit reference agencies, utility bills, driving licences and mobile provider bills. But it does not retain those pieces of information, and the credit checking companies do not know what service is being used. Only a mobile or landline number is kept in order to send verification codes for subsequent logins. When people subsequently log in, they would have to provide a user ID and password, and verify their identity by entering a code sent to related stored phone number. The US, Canada and New Zealand have also expressed interest in following up the UK’s lead in the system, which requires separate pieces of verified information about themselves from different sources. The level of confidence in an individual’s identity is split into four levels. The lowest is for the creation of simple accounts to receive reports or updates: “we don’t need to know who it is, only that it’s the same person returning.” The service has been built in consultation with privacy pressure groups including No2ID, Big Brother Watch, the University of Oxford’s Internet Institute, the Consumers Association, and the privacy regulator, the Information Commissioner’s Office. … Privacy groups have worked with the government to create a list of principles for interacting with the Verify system. [The Guardian]

US – Android User Takes Privacy Battle With Cartoon Network to Appellate Court

Android user Mark Ellis has appealed the dismissal of his privacy lawsuit against Cartoon Network for allegedly violating the Video Privacy Protection Act (VPPA). Ellis filed the appeal with the 11th Circuit Court of Appeals, claiming Cartoon Network’s app transmitted his Android ID together with his video viewing history to a third party. U.S. District Court Judge Thomas Thrash dismissed the lawsuit last month saying that “an Android ID does not identify a specific person.” [MediaPost] [Would you like to put an Ontario card in your wallet? Bureaucrats are in charge, not governments]

Internet / WWW

WW – Germany, Brazil Urge U.N. to Strengthen Digital Spying Resolution

Both Germany and Brazil are urging the United Nations (UN) to strengthen a digital spying resolution to include metadata. The draft notes that arbitrary surveillance, communications interception and the collection of metadata are “highly intrusive acts” and “violate the right to privacy and can interfere with the freedom of expression and may contradict the tenets of a democratic society, especially when undertaken on a mass scale.” The draft also calls on the UN Human Rights Council to appoint a special rapporteur for privacy rights standards clarification. Germany’s UN ambassador said, “As the universal guardian of human rights, the United Nations must play a key role in defending the right to privacy, as well as freedom of opinions and expression in our digital world.” [Reuters] Telecompaper reports the German interior ministry has introduced a revised version of its bill on improving IT security that includes a new data retention clause.

US – NIST – US Government Cloud Computing Technology Roadmap, Volume II, – Useful Information for Cloud Adopters: Special Publication 500-293

Security challenges unique to cloud computing include that broad network access has the potential to introduce new cyber threats and the lack of visibility and control over the IT assets often runs counter to the existing security policies and practices that assume complete organizational ownership and physical security boundaries; recommendation include – process-oriented requirements (such as clarity of security roles and responsibilities, detailing privacy requirements in contracts and service-level agreements) and technical requirements (such as encrypting data at rest and in transit, applying application partitioning, logical separation and physical separation, and controlling VM and Virtual Networks). [Source] See also: [FFIEC Regulators: Banks Need to Share Cyber-Threat Info] [DOD’s Vision for a Commercial Cloud Ecosystem]

WW – CSA Releases Security Guidance for Critical Areas of Cloud Computing

Best practices regarding information management and data security in the cloud include understanding the cloud storage architecture in use and using the data lifecycle to identify security exposures and determine controls, monitoring key internal databases and file repositories with database activity monitoring and file activity monitoring to identify large data migrations, encrypting all sensitive data (paying particular attention to key management), and ensuring removal of data from a cloud vendor is covered in the service level agreement (e.g. deletion of user accounts, migration/deletion of data from primary/redundant storage, and transfer of keys). [Source]

WW – Apple Users Raise Privacy Concerns After Hard-Drive Files Uploaded to Servers

Security researcher Jeffrey Paul’s discovery that several of his personal files found their way to the cloud after he upgraded the operating system on his MacBook Pro. He thought the files only lived on his encrypted hard drive. Cryptography experts Bruce Schneier and Matthew Green had similar experiences. All three have publicly written about their dismay over the finding. [The Guardian] UPDATE: [Clarification of iCloud Autosave Issue Earlier this week we ran a story about documents being saved to iCloud without notifying users. The headline suggested that the issue affected all documents, when in fact, the feature is on by default for iWork apps, Preview, and TextEdit. It does not affect Word. Apple describes the autosave default in an August 2014 support document

Law Enforcement

CA – RCMP Reveals Details of Plan for 700-Km Surveillance Fence Along Canada-U.S. Border

A massive intelligence-gathering network of RCMP video cameras, radar, ground sensors, thermal radiation detectors and more will be erected along the U.S.-Canada border in Ontario and Quebec by 2018, the Mounties said this week. The $92-million surveillance web, formally known as the Border Integrity Technology Enhancement Project, will be concentrated in more than 100 “high-risk” cross-border crime zones spanning 700 kilometres of eastern Canada, said Assistant Commissioner Joe Oliver, the RCMP’s head of technical operations. [Source]

CA – Alberta Privacy Commissioner to Investigate Police Use of Body Worn Cameras and Facial Recognition Software

Alberta’s Privacy Commissioner Jill Clayton has ordered an investigation into some potentially scary tools being employed by the local police department — tools with the capability of seriously infringing on a citizen’s right to privacy if not used correctly. On Wednesday, just two days after Calgary cops announced they would become the first police service in Canada to adopt facial recognition software capable of matching any photograph or video image to their databank of 300,000 mugshots, Clayton stepped in. “Information and Privacy Commissioner Jill Clayton has initiated an investigation of the Calgary Police Service’s use of body-worn cameras and facial recognition software,” read the stern-sounding release.[Source] Alberta Privacy Commissioner Jill Clayton has launched an investigation into BWCS after being dissatisfied with the lack of evidence of a privacy assessment by a local police service. It is too early to tell whether that investigation will have any meaningful effect on the implementation of BWCS in Canada. [Privacy Advisor] [Calgary police service looks to put a face to crime, adds facial recognition software NeoFace to its investigative arsenal] AND ALSO: [Influx of records requests may force police to drop body cams]

US – Private License Plate Data Raises Privacy Flags

Privately owned license-plate imaging systems are popping up around Rochester and upstate New York — in parking lots, shopping malls and, soon, on at least a few parts of the New York state Thruway. Most surprisingly, the digital cameras are mounted on cars and trucks driven by a small army of repo men. Shadowing a practice of U.S. law enforcement that some find objectionable, records collected by the repo companies are added to an ever-growing database of license-plate records that is made available to government and commercial buyers. At present that database has 2.3 billion permanent records. On average, the whereabouts of every vehicle in the United States appears in that database nine times. Todd Hodnett, founder of the company that aggregates and sells that data, defends the activity as lawful and harmless. “We’re just photographing things that are publicly visible,” he said. Many private-sector camera operators, like parking companies, say they do not know the names and addresses behind the plates they scan. Others, like universities, say they discard the records almost immediately. But that doesn’t satisfy critics. No matter how benign the intentions of camera system operators, they say, their data may prove irresistible to government or private parties bent on snooping. Only five states have adopted laws regulating or banning private use of license-plate readers, also known as LPRs, with legislative bodies in as many more states having considered such measures. Lee Tien of EFF, a leading digital privacy group, said advocates have been trying without success to get a clear picture of who is getting access to DRN’s data. But they know state and federal regulations leave room for a wide range of clients. “As a general matter, the limit is what they’re currently willing and able to do to monetize the data,” he said. [Democrat & Chronicle]


US – Carmakers Unite Around Privacy Protections

19 automakers accounting for most of the passenger cars and trucks sold in the U.S. have signed onto a set of principles they say will protect motorists’ privacy in an era when computerized cars pass along more information about their drivers than many motorists realize. The principles were delivered in a letter to the FTC, which has the authority to force corporations to live up to their promises to consumers. Industry officials say they want to assure their customers that the information that their cars stream back to automakers or that is downloaded from the vehicle’s computers won’t be handed over to authorities without a court order, sold to insurance companies or used to bombard them with ads for pizza parlors, gas stations or other businesses they drive past, without their permission. The principles also commit automakers to “implement reasonable measures” to protect personal information from unauthorized access. The automakers’ principles leave open the possibility of deals with advertisers who want to target motorists based on their location and other personal data, but only if customers agree ahead of time that they want to receive such information, industry officials said in a briefing with reporters. Industry officials say they oppose federal legislation to require privacy protections, saying that would be too “prescriptive.” But Marc Rotenberg, executive director of the Electronic Privacy Information Center, said legislation is needed to ensure automakers don’t back off the principles when they become inconvenient. [ABC News] [Hogan Lovells] [Auto Alliance Press Release]

Online Privacy

WW – Facebook Rewrites Its Privacy Policy So that Humans Can Understand It

Facebook has announced that it has expanded its data use policy and has also made an effort to rewrite the language in a way normal people can understand. To do that, Facebook has taken some information on how the site itself works – and how users can set their privacy on Facebook – and created a new “Privacy Basics” page that walks users through its most-used privacy features. That includes step-by-step instructions on how to control who sees posts you create or items you “like.” The data use policy will now be displayed on an interactive, colorful site aimed at making it easy to navigate. But there are some changes to the language, as well — again aimed at making it easier to understand, getting rid of some of the confusing legalese. Unchanged was how the company uses data for research. The current guidelines, which give Facebook the broad right to conduct “research,” remain effective. As per Facebook’s usual way of operating, the changes are only a proposal for now. Users will have seven days to comment on the policy changes, which Facebook will then review before making the policy final. Once Facebook’s announces its final changes, the policy will take effect in 30 days. Facebook is also rolling out a tool that lets users give Facebook more information about ads they do — or don’t — want to see on the site in Europe. This option had previously only been available in the United States. Egan said that Facebook users will also be able to apply their ad preferences, such as requests to opt out of seeing personalized ads, across mobile and desktop devices — something that they can’t do now. [The Washington Post] See also [The Canadian government wants to pay more people to creep your Facebook] and also: [A new poll conducted for CNBC.com found 45% of those surveyed are most concerned about Facebook regarding personal data collection. And [ZDNet: Users can’t tell Facebook from a scam] A NY District Court ruling “says that by merely agreeing to AOL’s terms of service,” users have waived their Fourth Amendment rights.

US – Facebook Campaign Aims to Assure Advertisers Their Data Is Safe

In an effort to assure brands that their data is safe when they share their consumers’ information to buy ads on Facebook, the social networking giant has been meeting with marketers in recent weeks to make them comfortable with the platform. Facebook’s new ad server, Atlas, and ad product, Custom Audiences, lets brands use their email lists and other customer information to target marketing, the report states. Brands have been nervous about sharing data with anyone in a time when hacks and breaches involving stolen email lists can be devastating to brand reputation. Some say Facebook’s recent interest in talking about good stewardship of sensitive information is a sign of its “maturing advertising business.” [Adweek]

EU – CJEU Case on ‘Screen-Scraping’ Has Potential to Affect Business Models

Some price comparison websites and other online businesses could be forced to alter their business models if the EU’s highest court takes steps to prevent unauthorised ‘screen-scraping’ of data, an expert has said. This week, the Court of Justice of the EU (CJEU) is due to hear arguments from Ryanair and a Dutch price comparison business about the extent to which rules contained in the EU’s Database Directive apply to data that is not protected by copyright or a ‘sui generis’ database right. The CJEU’s judgment on the matter, which is unlikely to be issued for many months, will determine the extent to which businesses can apply contractual restrictions, in the absence of having copyright or database rights protection for their data, to prevent others from using that data. Screen scraping involves the use of software to automatically collect information from websites and systems. [The application to the CJEU] [Out-Law]

WW – Snapchat Starts Actively Warning Users That Third-Party Apps Aren’t Safe

Following the exposure of users’ private “snaps,” ephemeral messaging app Snapchat is warning users to not use third-party apps with its service. Snapchat said companies that claim to offer Snapchat services violate its terms of service and are untrustworthy. “We’ve enjoyed some of the ways that developers have tried to make Snapchat better,” the company wrote. “Unfortunately, some developers build services that trick Snapchatters and compromise their accounts.” Meanwhile, Reuters reports that consumers who are concerned about over-sharing are turning to private messaging services like Snapchat. [PCWorld]

AU – Samaritans Radar Depression App Raises Twitter Privacy Concerns

A newly launched app by a UK suicide prevention charity is raising massive privacy concerns by monitoring Twitter accounts without user consent. The new web app — called Samaritans Radar – works by proxy. When a user downloads and signs up to Samaritans Radar, the app then has access to the Twitter accounts followed by that user. It will monitor those accounts, looking for key phrases in public Tweets. These include the terms such as “depressed”, “help me” (probably not parsing for Star Wars fandom), “tired of being alone”, “hate myself” and “need someone to talk to”. When it finds one of these phrases, it will alert the user via email, offering support on how to reach out to the depressed party; if the user is reported as suicidal, the report will be verified by Twitter Trust & Safety, and both the Radar user and the reported account will be contacted by Samaritans. So far, the app has had over 3,000 users sign up, with more than 1.6 million accounts being monitored — and, according to The Register, a mere 4 percent of the Tweets flagged by the app have been validated as genuine. Meanwhile, a Change.org petition addresses Twitter, noting that it has no faith in Samaritans to address user concerns, and requesting that the social network deny the app access to user data, effectively shutting it down. [Source] See also: [The Truth About Teenagers, The Internet, And Privacy] See also: [Somebody’s Already Using Verizon’s ID to Track Users]

WW – 81% of Tor Users Can Be De-Anonymised by Analysing Router Information, Research Indicates

Research undertaken between 2008 and 2014 suggests that more than 81% of Tor clients can be ‘de-anonymised’ – their originating IP addresses revealed – by exploiting the ‘Netflow’ technology that Cisco has built into its router protocols, and similar traffic analysis software running by default in the hardware of other manufacturers. [The Stack]

WW –73,000 Unsecured Webcams Available for View

A website offers video feeds and links to more than 73,000 unsecured webcams from around the globe. “Eerily, the site is very user-friendly. You can search by country … by manufacturer … or, like an iTunes playlist, you can hit shuffle and view a random camera feed. Plus, many of the connected cameras include location coordinates and a handy Google Map pinpoint.” Highlighting several recent examples in the news of bad actors out there “trying to hack their way into our lives,” Bracy writes, “The last thing we need is for poor design practices and wanting consumer education to make it easier for those adversaries.” [NetworkWorld] see also: [NY Woman Suing Landlords for Secretly Installing Cameras]

Other Jurisdictions

AU – Australian Law Reform Commission Issues Final Report on Serious Invasions of Privacy in the Digital Era

The final report regarding serious invasions of privacy recommend the following – a new tort of serious invasion of privacy in a new federal law (either by intrusion upon seclusion or misuse of private information, only actionable by a natural person who has a reasonable expectation of privacy, and not requiring proof of actual damage); a general statute of limitations (1-3 years) would apply. The Act should provide for specified defences (e.g. consent, absolute privilege), and exemptions (minors); a court may consider countervailing public interest matters (e.g. freedom of expression, national security), and award damages (but not aggravated damages). The Privacy Commissioner’s powers should be extended to make declarations about serious invasions of privacy complaints, and (with court leave) to assist a court as amicus curiae and intervene in court proceedings. [Summary Report] [Final Report] The Australian Communications and Media Authority and the Office of the Privacy Commissioner have signed a memorandum of understanding formalizing their streamlined approach to telecommunications, spam and telemarketing matters. See also: The Australian state of Victoria has made unsolicited “sexting, sharing unwanted ‘intimate images’ and even threatening to distribute such images” illegal under new laws designed to protect digital privacy. AND [NZ – Beneficiary awarded more than $20,000 in case of over collection of information] Hogan Lovells’ Chronicle of Data Protection offers an update on South Africa’s data protection regime. And also [Data Privacy Regulation Comes of Age in Asia]

Privacy (US)

US – FTC Refutes Wyndham’s Challenge; Unreasonable Security Is “Unfair”

Generating a flurry of conversation among privacy professionals worldwide, the U.S. Federal Trade Commission (FTC) last week filed its response to Wyndham Worldwide Corporation’s interlocutory appeal in the Third Circuit. It’s the most recent activity in a case that began in 2012, when the FTC issued a complaint against Wyndham alleging data security failures that enabled three data breaches between 2008 and 2009. The FTC’s response outlines and affirmatively answers the three questions presented in Wyndham’s appeal, including whether unreasonable failure to protect the security of consumer data constitutes an unfair act or practice. [Privacy Advisor] [What’s Reasonable Security? A Moving Target]

US – FTC v. Pairsys, Inc. – Stipulated Preliminary Injunction – U.S. District Court for the Northern District of New York

The Court granted a preliminary injunction against a company that mislead consumers by claiming to remove spyware and viruses from the consumer’s computers (the company exploited consumers’ concerns about malware infection and claimed to represent legitimate computer software companies). The company is restrained and enjoined from making false or misleading statements to induce any person to pay for goods or services in violation of the Telemarketing Sales Rule, or initiating an outbound telephone call to a telephone number within a given area code, without first paying the required annual fee for access to the National Do Not Call Registry. [Complaint] [Preliminary Injunction]

US – FTC Says Debt Broker Disclosed Too Much

The FTC has sued a debt broker for posting debt portfolios containing sensitive personal information of approximately 28,000 consumers online without adequate protections. Bayview Solutions buys and sells portfolios of consumer debt for debt collectors. The FTC complaint alleges “one particular website used by defendants is a public website that is readily accessible to anyone with Internet access,” and, “There are not passwords or other security methods” to restrict access. The unencrypted data included names, dates of birth, contact information and bank account and driver’s license numbers. Plus, the consumers affected “would be unlikely to know that defendants possess, and are openly disclosing, their information,” the complaint states. [Courthouse News Service] [FTC sends dozens of warning letters to companies over advertising disclosures]

US – Carrier IQ Agrees “in Principle” to Settle Suit

“Carrier IQ has agreed in principle to resolve a class-action lawsuit alleging that its software for mobile devices violated consumers’ privacy.” The settlement would resolve allegations the software was capable of logging users’ keystrokes, the report states. The allegations came as the result of a researcher’s video report, and consumers subsequently filed class-action lawsuits against Carrier IQ and six device manufacturers, including HTC, Samsung and LG Electronics. The device manufacturers have not yet agreed to settle the lawsuit. [MediaPost]

US – TRUSTe’s DPM Platform Beta Commences at Capacity

TRUSTe has announced that the beta program for its Data Privacy Management (DPM) Platform, a privacy compliance solution where businesses can manage privacy initiatives from a single dashboard, has commenced at capacity. “Privacy professionals have struggled to keep pace with the evolving privacy and regulatory landscape and are looking for solutions to reduce these risks and protect their brands,” TRUSTe’s Chris Babel explained, noting the platform “provides an easy way to manage these complex privacy initiatives across multiple business units from a single interface.” [The Privacy Advisor]

US – Making the Case for Data-Driven Education; Student Sues School for Privacy Violations

An in-depth report explores the rise of data-driven education and its effect on students and policy-makers. U.S Department of Education Chief Privacy Officer Kathleen Styles said she receives 12,000 calls and 2,000 emails a year from schools looking for assistance with the Family Education Rights and Privacy Act and approximately 300 to 400 complaints from parents concerned the law has been broken. She added that states, on the whole, do a “solid job” protecting student data. Additionally, the Family Online Safety Institute has released the report, Parenting in the Digital Age: How Parents Weigh the Potential Benefits and Harms of Their Children’s Technology Use. Meanwhile, a University of Montana (UM) student is suing the school on behalf of the student body, claiming UM illegally shared students’ personal information with a Connecticut-based vendor. [Government Technology] See also: [US – FOSI Calls for “Redefining Internet Safety”]

US – White House Names Next US Chief Technology Officer

The White House announced that it has named its next Chief Technology Officer, Megan Smith, a Google executive with decades of experience in Silicon Valley. The Obama administration named as deputy U.S. CTO, Alexander Macgillivray, a former Twitter lawyer known as a staunch defender of the free flow of information online. The New York Times and NPR feature interviews with new U.S. Chief Technology Officer (CTO) Megan Smith. “I actually think that working in the federal government, or state or local, is one of the most significant things that a technical person can do,” Smith tells The New York Times. But there are challenges. “Smith will have to call on all her powers to turn government agencies into more tech startup-type cultures.” “One agency still saves data on floppy disks.” Looking to the future, Smith’s focus is on people. “We want to create an environment where, in addition to amazing policy groups … tech teams feel comfortable, included and are in leadership positions here,” she said. [Washington Post] [New York Times: From Silicon Valley To White House, New U.S. Tech Chief Makes Change]

US – Ramirez: Businesses Need To Get Better at Notice

Federal Trade Commission Chairwoman Edith Ramirez said that online service providers must get better at disclosing their information collection and processing practices. “It’s crucial to provide some form of notice, like in the initial setup of a device or app, about what information is collected, how it’s used and with whom it’s shared,” she said. [Computerworld]

US – FISMA Reforms Stalled

Changes to the 2002 Federal Information Security Management Act (FISMA) may not be as easily brought about as legislators would like. The compliance requirements of the original plan were correctly criticized for generating vast quantities of paper reports (and vast fees for consultants) while providing little true assurance of security. The changes would require a move toward continuous monitoring. While including the FISMA changes in the 2015 National Defense Authorization Act is one a possibility, sources say that its inclusion is unlikely, particularly because “there are provisions in FISMA that are raising concerns.” [NextGov]

US – Justice Department Seeks to Expand Judges’ Search Warrant Purview

The US Department of Justice (DOJ) has petitioned the Advisory Committee on Criminal Rules to expand magistrate judges’ reach in granting search warrants. Rule 41 of the Federal Rules of Criminal Procedure allows judges to issue search warrants within their judicial district. DOJ wants to broaden the judges’ purviews to allow them to issue warrants for electronic surveillance regardless of the device’s location. Opponents say that the change DOJ is asking for would threaten the Fourth Amendment’s limitations on search and seizure, and that it could allow for unprecedented access to foreign networks. [NextGov] [RT.COM]

US – Dating Site Faces $16.5 Million Penalty in Privacy Case

A jury in California rendered a verdict late last month of $16.5 million for the plaintiff in a case involving a dating website for individuals with sexually transmitted diseases (STDs). The website PositiveSingles was found guilty of sharing photos and other sensitive information of its users with other dating websites even though it claimed to be a “confidential” service. According to a press release , the service promised it would not share data with third parties, but “it turned out that PositiveSingles was simply one of over a thousand different websites, funneling member profiles and personal information into a single database that in fact shared that information with third parties.” The verdict was rendered under the California Legal Remedies Act, the report states, with $1.5 million stemming from compensatory damages and $15 million in punitive damages. A related case is still active. [BBC News]

Privacy Enhancing Technologies (PETs)

WW – Mozilla Unveils Polaris Privacy Initiative with CDT, Tor

Mozilla has announced a new strategic initiative called Polaris to help privacy leaders in the industry “collaborate more effectively, more explicitly and more directly to bring more privacy features into our products.” The project aims to give users better privacy technology and more control, awareness and protection, a Mozilla blog post states. Mozilla is joined by the Center of Democracy & Technology and the Tor Project, which “will support and advise Polaris projects and help us align them with policy goals.” Mozilla has also introduced a new “forget” button and added private search engine DuckDuckGo. [Mozilla]

WW – Changes in Firefox 33.1 Focus on Privacy

Mozilla has released version 33.1 of its Firefox browser. While incremental updates usually go unannounced, this update is notable for the Forget Button, which allows users to delete recent history and cookies for the last five minutes, two hours, or 24 hours, with a simple click. The button is new, but the capability is not – until version 33.1, it has been buried in the Firefox menu. Firefox also has a Private Mode that has been available since version 3.1, released in 2008. [eWeek]

WW – Tor Reacts to Silk Road Operation Onymous; NSF Awards Privacy Grant

The international sweep that took down some parts of the online drug and criminal underworld continues to elicit reaction. The Tor blog offers a detailed account of what the developers know and don’t know about what is known as Operation Onymous. In trying to understand how the anonymous network was so thoroughly infiltrated by law enforcement, the blog states that when the time comes to prosecute those arrested, “the police would have to explain to the judge how the suspects came to be suspects, and that as a side benefit of the operation of justice, Tor could learn if there are security flaws in hidden services or other critical Internet-facing services.” Meanwhile, the U.S. National Science Foundation has awarded a University of Texas at Arlington computer scientist with a $250,000 grant to improve online privacy and protections against adversaries. [Source]

WW – New Apps Meet Need for More Privacy After Oversharing

Consumers concerned about oversharing on public social networks are turning to private messaging apps to share texts, photos and videos with a limited group of people. Downloads of private social messaging apps increased 200% in 2013 over 2012, making them the fastest-growing category of apps, according to San Francisco-based mobile analytics firm Flurry. The apps provide more private connections and allow users to express themselves without worrying about how they are perceived by their entire networks. [Source]


US – NIST Releases Cyber-Threat Sharing Draft Guidance

The National Institute of Standards and Technology (NIST) has released draft guidelines to help organizations share information with one another about cyber-attacks. “Organizations can gain valuable insights about their adversaries,” said Christopher Johnson, one of the authors of the guidelines. “They can learn the types of systems and information being targeted, the techniques used to gain access and indicators of compromise.” The window for comment on the guidelines is open until November 28. [FierceHealthIT]

EU – ENISA Publishes Technical Guidelines on Incident Reporting version 2.1

Electronic communications network and service providers are required to report significant incidents to their National Regulatory Authority (“NRA”); however, member states are taking different approaches (such as setting thresholds for national reporting relatively high, keeping track of major security incidents and intervene whenever network and service provides fail to improve on security issues, or monitoring security networks and service to improve security). When reporting to ENISA, NRA’s should assess whether or not an incident is relevant for NRA’s in other countries and include an incident report which includes – service and number of users affected, duration, root cause and a description of the response action and lessons learned. [Source] See also: [Practical Information Security Management and Data Breach Response – Kelly Friedman, Partner, Davis LLP]

WW – DarkNet Domains Seized, Black Market Websites Shuttered

In an international effort, law enforcement officials seized and shut down hundreds of dark net domains associated with black market websites. Seventeen people have also been arrested. Among the seized domains are 414 .onion domains, addresses used by the Tor anonymity software. Last week, news of the arrest of alleged Silk Road 2.0 operator Blake Benthall made headlines, but that arrest was just part of Operation Onymous, the larger effort to dismantle online black markets. [WIRED] Update: [Europol have corrected the statement regarding over 400 domains being seized. The figure is closer to 27, the 400 number refers to URL links pointing back to the domains]

HK – Hong Kong Monetary Authority Guidance on Customer Data Protection

Controls for preventing and detecting customer data loss or leakage should include the following – develop formal security policies and procedures (covering system controls, physical security, mobile computing, and outside service providers), implement logical access controls (the rights to access customer data and transmit customer data to external parties should be granted on a need-to-have basis only), implement controls over data transmission (prohibit unauthorized transmission of consumer data from internal systems to outside networks/systems via Internet services that could store data – e.g., using peer-to-peer file sharing software), and conduct periodic audits over customer data protection. [Source]

WW – The Staggering Complexity of Application Security

During the past few decades of high-speed coding we have automated our businesses so fast that we are now incapable of securing what we have built. [Dark Reading] See also: [Stanford: Guidelines for Securing Mobile Computing Devices] [Mobile Security Guide – Everything You Need to Know] [Mobile Phone Security Tips] [Ultimate Library of ICS Cyber Security Resources] [Data Security Confidence Index] [E&Y: Global Information Security Survey 2014]

Smart Devices

WW – Smart TV, Dumb Policy

A 46-page privacy policy which is now included in all newly purchased Samsung Smart TVs states that voice recognition technology “may capture voice commands and associated texts” in order to “improve the features” of the system. The policy, a summary of which is also posted online, ominously advises users to, “Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.” Writing about the privacy policy for Salon.com, Michael Price, counsel in the Liberty and National Security Program at the Brennan Center for Justice at NYU School of Law, said he was now “terrified” of his new TV, noting that voice recognition is just one feature that could be used to spy on users. The television also logs website visits, has a built-in camera for facial recognition and uses tracking cookies to detect “when you have viewed particular content or a particular email message.” “I do not doubt that this data is important to providing customized content and convenience, but it is also incredibly personal, constitutionally protected information that should not be for sale to advertisers and should require a warrant for law enforcement to access,” writes Price, adding that current privacy laws offer little protection against “third party” data. [Source]


US – Americans’ Cellphones Targeted in Secret U.S. Spy Program

The Justice Department is scooping up data from thousands of cellphones through fake communications towers deployed on airplanes, a high-tech hunt for criminal suspects that is snagging a large number of innocent Americans, according to people familiar with the operations.” “The U.S. Marshals Service program, which became fully functional around 2007, operates Cessna aircraft from at least five metropolitan-area airports, with a flying range covering most of the U.S. population, according to people familiar with the program.” [Wall Street Journal] See also: [Cam Kerry: Surveillance Should Not Overshadow Civil Liberties] [UK – UK intelligence agencies spying on lawyers in sensitive security cases] and [Tomgram: Shamsi and Harwood, An Electronic Archipelago of Domestic Surveillance] and [Craig Forcese: Does the State belong in the computers of the nation? (audio)] and [PRISM scandal threatens EU-US ‘Safe Harbour’ agreement]

US – Justice Department Walks Back Transparency on National Security Letters

The government is retracting an argument made on appeal in a case challenging the constitutionality of an investigative tool widely used by the FBI to obtain data on Americans without court oversight,” reports The Washington Post’s Ellen Nakashima. “In a case being heard by the Ninth Circuit Court of Appeals in San Francisco, a Justice Department lawyer last month asserted that companies that receive national security letters — an administrative subpoena that can be issued by a field office supervisor — can comment on the ‘quality’ of NSLs they receive, including whether they think that ‘the government is asking for too much.’ “ [Washington Post]

WW – Director Says NSA Will Deal With Encryption Challenges; GCHQ Says Tech Firms In Denial; Germany, Brazil Make Anti-NSA Moves

U.S. NSA Director Michael S. Rogers visited Silicon Valley and said that “a fundamentally strong Internet is in the best interest of the U.S,” The New York Times reports. Increased encryption of services by U.S. tech giants is “a challenge” for law enforcement, he said, adding, “And we’ll deal with it.” The new head of the UK’s GCHQ says some U.S. tech companies have become “command-and-control networks … for terrorists and criminals” and that British intelligence agencies could not tackle the challenges of increased encryption “at scale” without the help of the private sector. Meanwhile, Germany may enact a law that would require national clouds be built on local technologies, and Brazil, to avoid U.S. surveillance has started laying its own undersea Internet cables. [New York Times]

US – Silicon Valley Privacy Push Sets Up Arms Race With World’s Spies

There is an arms race developing between Silicon Valley and government intelligence programs, and so far, Silicon Valley “shows no sign it plans to give in.” Government requests place tech companies in a Catch-22: If they comply, they risk alienating their customers; if they don’t, they face continued allegations from law enforcement for aiding criminals and terrorists. Specifically, Microsoft General Counsel Brad Smith has called for arms-control talks. [Bloomberg] See also: Facebook has reported a 24% increase in government requests in the first half of 2014. A federal appeals court urged to strike down the NSA bulk phone metadata program and the Supreme Court considered how to balance whistleblower protections with national security. Finally, some are calling Sen. Mark Udall’s (D-CO) reelection loss a “blow for privacy and transparency advocates, as Udall was one of the NSA and CIA’s most outspoken and consistent critics.” The Privacy Advisor recently reported on the “ national emergency“ that is potentially brewing in this arena. [Bloomberg]

UK – ICO Issues Data Protection Code of Practice for Surveillance Cameras

The Information Commissioner’s Office release a Code of Practice (the “Code”) – which provides guidance on the operation of CCTV or other surveillance camera devices (e.g. body worn video cameras, and unmanned aerial systems ); organisations should take into account the nature of the problem the organisation is seeking to address, whether a surveillance system would be a justified and effective solution, what effect its use may have on individuals, and if its use is a proportionate response to the problem. Organisation should establish who is responsible for the control of the information, how the information is used, and to whom it may be disclosed. [Source]

EU – German Data Protection Authority Issues Guidelines on Video Surveillance

Use of video surveillance cameras in public places requires notification to the Data Protection Authority; special consideration should be given to monitoring in the following situations – retail establishments (cameras should not be used in areas where customers have an expectation of privacy, such as fitting and change rooms), shopping malls (video surveillance should be avoided in locations such as ATMs, relaxation areas, washrooms, and locker areas), employee monitoring (constant monitoring of employees is usually inadmissible, unless they are working in a vulnerable area such as point of sale, jewelry or warehousing operations), and dashcams (dashcams infringe on the privacy rights of pedestrians and fellow motorists, due to the ongoing monitoring while the car is running). [Source] See also: [US: Woman Claims Landlord Hid Cameras In Her Upper West Side Apartment] and [Can We Afford Privacy from Surveillance?] and [UK – Drone use puts operators at risk of ‘collateral privacy intrusion’, says data watchdog]

EU – German Spy Agency Seeks Millions To Monitor Social Networks Outside Germany And Crack SSL

The BND also wants to spend EUR4.5 million to crack and monitor HTTPS (Hypertext Transfer Protocol Secure) encrypted Internet traffic. By 2020 some of that money may be spent [on] the black market to buy zero day exploits, unpublicized vulnerabilities that can be exploited by hackers. [IT World]

US – Brookings Institution Tells Congress Drone Privacy Concerns Inflated

The Brookings Institution has published a report urging Congress to not respond to privacy concerns raised by the future implementation of drones by drafting anti-drone legislation. Gregory McNeal, the author of the report, says drones and other automated surveillance may actually bolster privacy protections. He noted that state anti-drone legislation has “focused on the technology (drones), not the harm (pervasive surveillance),” adding, “In many cases, this technology-centric approach creates perverse results, allowing the use of extremely sophisticated pervasive surveillance technologies from manned aircraft while disallowing benign uses of drones for mundane tasks like accident and crime scene documentation or monitoring of industrial pollution and other environmental harms.” [Ars Technica] see also: [Will the EU Beat the U.S. to Commercial Drones?]

US – Harvard Secretly Photographed Students to Study Attendance

Students and faculty raise concerns after Harvard University announced it had secretly photographed undisclosed classrooms in a study researching student attendance, The Boston Globe reports. “Just because technology can be used to answer a question doesn’t mean that it should be,” one professor said, adding, “And if you watch people electronically and don’t tell them ahead of time, you should tell them afterwards.” Harvard President Drew Faust said she is taking the matter “very seriously” and will have the incident reviewed by a recently created panel that already oversees the school’s electronic communications policies. Harvard was criticized a year-and-a-half ago after news spread that administrators had been secretly searching school email accounts. [Full Story]

US Government Programs

US – NSA’s Richards Introduces New Privacy Assessment Process

Since the Snowden disclosures in June of 2013, the NSA has become the poster child for over-collection both in the U.S. and abroad. But NSA Civil Liberties and Privacy Officer Rebecca Richards, wants to change that by bringing the agency’s civil liberties and privacy program beyond a compliance system that just checks off boxes. Speaking at a recent Privacy and Civil Liberties Oversight Board hearing on “Defining Privacy,” Richards said, “We have an opportunity to bring NSA’s approach to privacy together with a broader approach” that takes into consideration people’s legitimate privacy interests. As part of this new approach, Richards said she is testing a new privacy and civil liberties assessment process that includes frameworks from the private sector and non-intelligence agencies. [Privacy Advisor]

US Legislation

US – What the Midterm Elections Mean for Privacy Legislation

As the dust settles from this week’s midterm elections, Wired reports on what it calls the last bipartisan issue: reform of the NSA. Two senators helping to lead the charge for reform—Sens. Mark Udall (D-CO) and Mark Begich (D-AK)—were ousted this week, but, the report states, “a Republican majority in the House and Senate is not the devastating blow to privacy you might have expected it to be.” However, one of Congress’ loudest data security advocates , Rep. Lee Terry (R-NE), was unseated this week as well. Outside of Congress, California Attorney General Kamala Harris defeated her challenger one week after releasing the state’s first data breach report in two years. Experts say she plans to build upon cybersecurity policies in the upcoming term. [WIRED]

US – Senate May Vote on NSA Reform Next Week

The U.S. Senate could vote on ending the National Security Agency’s bulk collection of phone records as early as next week. If passed, the House could vote on the legislation by year’s end, which would “clear the decks for incoming Senate Majority Leader Mitch McConnell (R-KY),” the report states. “The American people are wondering whether Congress can get anything done,” said Sen. Patrick Leahy (D-VT), author of the bill. “The answer is yes. Congress can and should take up and pass the bipartisan USA FREEDOM Act without delay.” [The Washington Post]

Workplace Privacy

US – Postal Workers Union Files Complaint to NLRB After Data Breach

Following a breach affecting 800,000 U.S. Postal Service (USPS) employees, the American Postal Workers Union (APWU) has filed a complaint with the National Labor Relations Board. The APWU alleges the USPS “didn’t work with them to address the issue during the two months between the breach’s discovery and the Post Office’s public announcement on Monday,” the report states. APWU President Mark Dimondstein said the USPS was aware of the security problems, “they kept you and your union leadership in the dark … We do not know at this point whether management did everything in their power to protect our privacy, but they bear the ultimate responsibility.” [The Hill] Update: [House To Question USPS] See also: [Analytics in HR and in the Cloud]

US – Employee Mistakes Undermine US Government Data Security

According to an Associated Press analysis of information obtained through Freedom of Information Act (FOIA) requests, at least half of US government IT security incidents are the result of mistakes made by workers. Employees have violated workplace policies; lost or had stolen devices containing sensitive information; and shared sensitive information. [The Guardian] [A final rule was issued giving federal agencies the flexibility to either offer privacy training to contract employees or require the contractors to do the privacy training themselves]

US – DoD Puts Contractors on Notice For Insider Threats

New rule requires US government contractors to gather and report information on insider threat activity on classified networks. According to a 2012 financial services sector study by the Software Engineering Institute (SEI), the impact of insider attacks is considerable. Each attack, which, on average, remains undetected for 32 months, costs the victim between $382,750 and $479,000. The impact of the unwitting insider threat is huge. According to a report published by the Ponemon Institute in December 2013, the costs to remediate damage caused by an advanced persistent threat (APT) attack run as high as $18 million ($9.4 million in reputational damage, $3.1 million in lost user productivity, $3 million in lost revenue and business disruption, and $2.5 million in technical support costs). Approximately 50% of known APT attacks are initiated through phishing attacks – the other half of successful APT attacks succeed because of users with poor cyber hygiene habits, or unwitting insider threat actors, [Dark Reading]

US – Cybersecurity Codes Being Added to All Federal Job Descriptions

By the end of 2015, the Office of Personnel Management plans to have every position within the federal government labeled with a descriptive code detailing the cybersecurity functions – if any – required of the employees performing that job function. Federal employees active in cybersecurity account for some 4 percent of the workforce but, until recently, there were no standard job descriptions for the work being done. Prior to OPM’s efforts, there were no clear definitions on cybersecurity workflow in federal agencies and no baseline for hiring managers on what related skills were needed across a variety of positions. [Federal Times]

US – Coca-Cola Faces Class-Action

A former employee of Coca-Cola has filed a class-action lawsuit against the company for failing to protect and notify the loss of personal information of more than 70,000 current and former employees. Over a six-year period, 55 laptops were allegedly stolen from the company’s Atlanta headquarters. They reportedly contained Social Security numbers, driver’s license records, physical addresses and financial information. The plaintiff is seeking $5 million in damages. [The Pennsylvania Record]

US – Former Law Firm Employee Sues Over Photos

A woman is suing her former employer for uploading compromising photos of her to the firm’s computer server. Aubrey Fullmer, former receptionist of Simpson Logback Lynch & Norris, was allegedly dating one of the firm’s lawyers, Benjamin Simon, who decided to leave to start a new firm. The firm “confiscated his laptop computer,” which contained revealing photos of Fullmer. She claims the firm accessed personal files that were not stored on the confiscated computer but rather Simpson’s “personal GoogleDrive”—a cloud-based server. The suit claims the firm eventually moved them to the firm’s shared server where any employee could view the images. [Courthouse News Service]


16-31 October 2014


US – Court: Police Can Compel Defendants to Give Up Fingerprints but Not Passwords

A circuit court judge has ruled that defendants can be compelled to give up fingerprints but not passwords to law enforcement in cell-phone search cases. Judge Steven C. Frucci said that disclosing a fingerprint is like giving up one’s DNA or handwriting sample and thus not a violation of the Fifth Amendment protecting against self-incrimination. However, a password requires defendants to share knowledge, which is protected by the Fifth Amendment. Last year, privacy advocate and lawyer Marcia Hofmann predicted that Apple’s fingerprint ID could mean that users would not be able to plead the Fifth in cellphone search cases. [The Virginian-Pilot]

WW – This MasterCard with a built-in fingerprint sensor is coming in 2015

MasterCard has announced the world’s first contactless payment card that uses your fingerprint to authenticate payments. It’s partnered with Zwipe, the company behind this biometric technology, on a card that will only permit charges if your thumb is resting on the built-in sensor. You can wave it near an NFC reader for contactless payments, and it’s also fully compatible with chip terminals. Fingerprint data is all stored locally inside the card’s secure element and is never transmitted to MasterCard. And since biometric authentication obviates any need to enter a PIN, Zwipe says this is fundamentally more secure than the chip and PIN system. The company already ran a pilot with Norway’s Sparebanken DIN bank, but the prototype card used was far from perfect. It had a battery inside, which made it a bit more unwieldy compared to your everyday plastic. [Source]

AU – Opposition Grows to Storage of Photo and Biometric Data

Photographs of millions of Australians will be stored by the Immigration Department, and this “biometric data” gathering could extend to fingerprinting and iris scanning under the Abbott government’s controversial counterterrorism laws. The “foreign fighters” bill means there will be a major expansion of facial recognition imaging of Australians passing through international airports in a crackdown on passport fraud that could eventually apply to a wide range of biometric data – which could be shared with other government agencies. Critics say the danger of such information being hacked is profound, given many personal electronic devices are now secured by fingerprints and iris scans. The sheer scale of the personal information that would stream into the government’s databanks is set to open one of the first fissures in the largely bipartisan approach to national security, with Labor warning that the legislation poses a danger to privacy. [Source]


CA – Legislative News Roundup

Canada Introduces New Anti-Terror Legislation After Ottawa Attacks C-44: [Canada’s Public Safety Minister Steven Blaney introduced Bill C-44, which would broaden the powers of CSIS including authorizing Canadian spies abroad to break the laws of a foreign country when investigating threats to the security of Canada] | S-4: [The Canadian House of Commons is discussing Bill S-4, which would amend the Personal Information Protection and Electronic Documents Act to include mandatory breach notification provisions] [Canada’s House of Commons Industry Committee will now review Bill S-4, the Digital Privacy Act] and [Canada Mulls Mandatory Data Breach Notifications] | C-13 [Canadian Justice Minister Peter MacKay is getting criticism from both parties over Bill C-13, also known as the cyberbullying bill] and AB PIPA [Alberta has “formally filed” a motion to extend the deadline for the province to amend its Personal Information Protection Act (PIPA) with the Supreme Court] [Tighter privacy laws were among the issues highlighted by the Saskatchewan government in last week’s throne speech] and finally: Canada’s Conservatives’ latest budget bill includes the creation of a national missing persons’ DNA databank] [November 1st – 10th Anniversary of PHIPA] and finally: [CASL Enforcement: Much Ado About Nothing]

CA – Statement of the Privacy and Information Commissioners of Canada on National Security and Law Enforcement Measures

Privacy and Information Commissioners of Canada attending their annual meeting noted with sadness last week’s events in Saint-Jean-sur-Richelieu, Quebec, and in Ottawa, Ontario. “The following days, weeks and months will be critical in determining the future course of action to ensure not only that Canada remains a safe country, but also that our fundamental rights and freedoms are upheld. Legislative changes being contemplated may alter the powers of intelligence and law enforcement agencies. We acknowledge that security is essential to maintaining our democratic rights. At the same time, the response to such events must be measured and proportionate, and crafted so as to preserve our democratic values. To that end, the Privacy and Information Commissioners of Canada call on the federal Government:

  • To adopt an evidence-based approach as to the need for any new legislative proposal granting additional powers for intelligence and law enforcement agencies;
  • To engage Canadians in an open and transparent dialogue on whether new measures are required, and if so, on their nature, scope, and impact on rights and freedoms;
  • To ensure that effective oversight be included in any legislation establishing additional powers for intelligence and law enforcement agencies.

Canadians both expect and are entitled to equal protection for their privacy and access rights and for their security. We must uphold these fundamental rights that lie at the heart of Canada’s democracy. The statement is available on the website of the Office of the Privacy Commissioner of Canada and the Office of the Information Commissioner of Canada. [Source]

CA – Ruling Prevented Sharing of Data on Men Who Killed Soldiers

Canada didn’t share “some intelligence” with the U.S. about the two men who committed fatal acts last week because of a 2013 court ruling limiting the transfer of personal data, according to a Canadian official. U.S. authorities knew little about Michael Zehaf-Bibeau or Martin Roulou, who each killed a solider last week in Canada. A court ruling last year said the Canadian Intelligence Service was breaking privacy laws by passing data about Canadian citizens to the “Five Eyes” intelligence-sharing network, comprising Canada, the U.S., Australia, New Zealand and the UK. [Reuters] See also: [The Canadian Forces Counter Intelligence Unit has issued a new directive regarding social media practices in the wake of last month’s attacks]

CA – Classroom Behavior App Has Commissioners Worried

Privacy commissioners in Canada are concerned about a new computer program, increasingly used in Canadian schools, that collects and stores information about the in-class behavior of students. ClassDojo allows teachers to assign or deduct points for students based on their behavior, creating a competition for the best behavior among classmates and allowing parents to monitor how their kids are doing in real time. ClassDojo collects information on 53 million students globally on a minute-by-minute basis and stores it on a private company’s servers in the U.S. that is not subject to Canadian privacy laws, the report states. [Ottawa Citizen] See also: [Toronto: Rate My Classmate site meant to call out group-project slackers] and [Canadian university athletes must waive privacy to play: CIS] and [If a teacher’s decades-old erotic films can resurface online, what rights should we have to digital privacy?]

CA – Privacy Commissioner Issues Annual Report, MetaData Research Paper

The Office of the Privacy Commissioner (OPC) has released its annual report and a privacy research paper entitled Metadata and Privacy: A Technical and Legal Overview. See also: [Dentons Bernier Shares Tips from a Former Privacy Regulator]

CA – Alberta Privacy Commissioner Worried About Calgary Police Service’s Body-Worn Camera Plans

Growing worries over the Calgary Police Service’s plans to equip 550 officers with body cameras forced Jill Clayton, Alberta’s privacy commissioner, to voice concerns in a letter to Chief Rick Hanson. In September, deputy police Chief Trevor Daroux told Metro his pilot program ran through 2012 to 2013, recorded 2,700 videos and helped in 32 criminal cases. After completing the project, CPS announced they would move forward with body-worn cameras in 2015. This announcement sparked privacy concerns from the public and a civil liberty group. Clayton told Metro she was concerned about the project because she hasn’t heard from anyone at CPS. In her letter, which was later posted the her website, Clayton urges CPS to file a Privacy Impact Assessment. This report would address the CPS’s ability to handle the endless amounts of private information they would gather from using body-worn cameras. Though not required, she has been lobbying for legislation to make PIAs mandatory. [Source]


US – Study Finds Discriminatory Pricing “Much More Widespread”

A new study of top e-commerce websites has found “price steering”—when companies use consumer profiles to personalize prices—is much more widespread than previously understood. The study, which was conducted by a team of computer scientists at Northeastern University, tracked searches on 16 popular e-commerce sites and found six of the sites used the pricing technique but none alerted consumers of it. [The Wall Street Journal]

US – Vladeck, Calo Examine Digital Marketing Manipulation

David Vladeck, former director of the Federal Trade Commission’s Bureau of Consumer Protection, discusses a recent article by Prof. Ryan Calo in which Calo writes about the potential for digital marketing to manipulate consumer choice. Vladeck writes that Calo’s “arguments are powerful and persuasive” but suggests the risks might be “less pronounced” than Calo asserts, noting there are ways “regulators are already responding to the risks that manipulative digital advertising poses to consumers.” Reiterating that any disagreements he has with Calo’s article are “gentle caveats,” Vladeck concludes that Calo “has responsibly sounded an alarm to prompt regulators into action.” [The George Washington University Law Review]

WW – Study Spotlights PII Collection, Impact on Consumer Behavior

LexisNexis Risk Solutions has released a study focusing on why industries collect, store and process personally identifiable information (PII) and its corresponding effect on consumer behavior. The study surveyed more than 3,000 consumers regarding their willingness to share their PII in low, medium and high-risk transactions, and the study also interviewed 22 executives in the financial, healthcare, retail and government sectors to reveal how each uses PII for identity verification. LexisNexis Risk Solutions VP Dennis Becker said, “Organizations need to be cognizant of how consumers’ fears and experiences affect their willingness to share sensitive data and seek ways to minimize the amount of personal information being requested.” [BusinessWire] One survey has found nearly half of holiday shoppers said they will not shop at stores that have been hacked. See also: [Nico Sell of Wickr: Privacy Is the New Fame]


WW – Facebook and Yahoo Develop Mechanism to Protect Recycled eMail Addresses from Abuse

Facebook and Yahoo are taking steps to prevent users of recycled email addresses from taking control of other accounts. When Yahoo began recycling email addresses last year, critics were concerned that the information could be used to change passwords on accounts that used the old email address for password change confirmation, and that the new email user could possibly receive sensitive messages intended for the former user. Yahoo and Facebook have together developed a mechanism for preventing such abuse. Using Simple Mail Transfer Protocol (STMP), sensitive email messages will include a field within the header that notes the date since the sender has known the address. If the address is determined to have changed ownership since that date, the message will not be delivered. [ComputerWorld] [WIRED] See also: [After Nova Peris and Barry Spurr, should we all give up on email in the name of privacy?]

WW – Mobile ISP Cricket was Thwarting Encrypted Emails, Researchers Find

Engineers from digital security and privacy firm Golden Frog found some customers of Cricket, a prepaid mobile company, were prevented from sending encrypted emails for months. The findings were shared with the FCC and released in a media report earlier this month, but without the company’s name, the report states. “Golden Frog said that Cricket customers were unable to send encrypted messages and said its testing found that the problem ended shortly after the TechDirt article was published,” the report states. “It is unclear how long or how many customers were affected.” [The Washington Post] See also: [Mondaq looks at Canada’s Anti-Spam Law provisions “concerning the distribution and installation of computer programs,” suggesting they should “be of particular concern to all businesses who distribute or intend on distributing software either alone or as part of their product or service offerings.”]


WW – China Using Phony Apple Certificate to Snoop on iCloud

A group that monitors Chinese government censorship, GreatFire.org, says that censors in China are conducting man-in-the-middle attacks on Apple’s iCloud in that country. Technical information suggests that a phony Apple certificate is being used to intercept the traffic. [GreatFire] [ArsTechnica] [InformationWeek] [v3.co.uk] [ComputerWorld] See also: [Apple Chief Vouches for China’s Pro-Privacy Stance

WW – Apple Issues iCloud Security Advisory

Apple has issued a security warning about attacks attempting to steal information from iCloud users with fraudulent certificates. An Apple support page warns users to heed invalid certificate warnings while visiting iCloud and that they should never enter login information into websites that present certificate warnings. [Apple] [TheRegister] [CSMonitor] [v3.co.uk] [Adobe eReader now using SSL to phone home] [Analysis of Samsung KNOX] See also: T-Mobile is “quietly” hardening its network to a more sophisticated form of encryption, making it more difficult for bulk surveillance

WW – Apple to Stop Using SSL 3.0 for Push Notifications

Apple plans to stop using the Secure Sockets Layer 3.0 (SSL 3.0) encryption standard for its Apple Push Notification service following the disclosure of a vulnerability. Developers have until October 29 to update their apps. More information on the SSL 3.0 flaw can be found here and [ZDNet] [CNET]

EU Developments

EU – Parliament Approves New Commission

President-Elect Jean Claude Juncker has secured confirmation for his new European Commission with 423 Members of the European Parliament voting in favor and 209 voting against. Juncker said the commission will focus on digital matters. Harmonizing tech-related policy and laws across the EU will be the responsibility of two new commissioners, Andrus Ansip and Günther Oettinger, who will replace outgoing Commissioner for the Digital Agenda Neelie Kroes. And Access has published an extensive look at the incoming group of EU commissioners, suggesting, “In the five years ahead a certain number of these incoming commissioners will have a huge influence on digital rights and security issues that impact the lives of European citizens and, indirectly, the rest of the world.” [EurActiv] [Germany’s government is calling for “EU-wide retention of flight passenger data to combat the risk of terror,” and that move is “sparking opposition in the European Parliament.”] [During a meeting in Luxembourg, EU justice ministers for the first time “sounded out their political views on the balance between the right to be forgotten and the right to know“][The parliamentary committee in Italy’s Chamber of Deputies has published the initial draft of an “Internet Bill of Rights” it has been working on since August] [The ICO has updated its code of practice for surveillance cameras and personal information, cautioning that surveillance cameras “must only be used as necessary and proportionate to address real and pressing concerns.”] [The Paris Court of First Instance has found for the plaintiffs in a suit on the right to be forgotten]

EU – Commission to Focus on Data Protection

As the new European Commission starts its five-year term, plans include working toward agreement on the EU’s new data protection rules, a European Parliament media release states. Data protection will be a key area of focus. “The EU hopes that the legislative package, which has always had the complete support of the European Parliament, will be adopted in 2015,” the report starts, citing the European Commission Director for Fundamental Rights and Union Citizenship Paul Nemitz as indicating “if the political will exists, the council will adopt the package.” As Nemitz put it, “This reform will pave the way for a digital age with a fair competitive environment for European SMEs.” [EurActiv] See also: [Hogan Lovells Partner Eduardo Ustaran writes in a blog post, “2015 may be the year that sees the culmination of a legal modernisation process that has been running for the best part of four years.”] and [UK: Coming Down The Tracks: The Legislation That Will Make Data Protection Law Even Worse!] and [Hunton & Williams’ Privacy and Information Security Law Blog examines the Council of the EU’s proposed revisions to the compliance obligations of data controllers and data processors and the risk-based approach to compliance] [Christian Wiese Svanberg of Plesner Law Firm offers an overview of the recent EU Council of Ministers discussions on the proposed data protection regulation, noting “the reform now appears unstoppable, and fundamental changes to the scope and legal form of the proposal are becoming increasingly unlikely.”] [Christian Wiese Svanberg offers an overview of the EU Council of Ministers’ discussions of the proposed General Data Protection Regulation and the highly debated right to be forgotten] [Olivier Proust writes about the “burdensome exercise” that is notifying data protection authorities of data processing, noting it is still necessary.]

EU – No Details Being Shared on the DPC’s “Significant” LinkedIn Audit

The Office of the Data Protection Commissioner’s (DPC) has issued a “raft of ‘significant’ recommendations” last month for LinkedIn to improve the privacy of its 1.2 million Irish users. “The recommendations, delivered on behalf of all European citizens, represent the culmination of a year-long investigation,” the report states, noting the DPC “is not releasing any details of those ‘significant’ recommendations. Nor is it indicating what problems it may have discovered in relation to how LinkedIn treats our personal information.” The reason, a DPC spokeswoman explains, is that it is up to organizations “to decide whether to publish an audit report carried out by this office.” The report states LinkedIn has declined to share the findings of the audit. [Independent.ie] See also: [While it hasn’t yet received the increase funding expected, the Irish Office of the Data Protection Commissioner is getting a “range of measures designed to strengthen the office“]

EU – Amazon Web Services Opens German Location to Quell Privacy Concerns

Confirming a report from this summer, Amazon Web Services has opened a location in Frankfurt, Germany. The move is designed to help diminish the post-Snowden privacy concerns of Europeans, especially Germans. Gartner Research Director Gregor Petri said, “The customers who are the hardest to convince to move workloads out of the country are mostly from Germany.” Forrester Research’s Stefan Ried said, “With the announcement, Amazon sets itself up to address not only the typically higher legal compliance and security concerns of European customers but also gets more credibility with the usually more conservative CIOs across Europe.” [PCWorld] see also: [A German court wants clarification from the European Court of Justice on whether dynamic IP addresses constitute private data] See also: [UK: GCHQ’s outgoing director warns spies must monitor the internet]

Facts & Stats

WW – Attacks Up 48%; Data Security Legal Practice Booming

A new PricewaterhouseCoopers (PwC) study reveals that the number of detected cyber-attacks has gone up 48% since 2013. There will be approximately 42.8 million cyber-attacks this year alone, or about 117,339 attacks per day. The study notes, “It is no surprise to find that as the number of information-security incidents continues to mount, so do financial losses.” Meanwhile, corporate “legal spending on cybersecurity and data privacy issues is expected to grow at the highest rate of any practice area in 2015, as clients look to ramp up their efforts to address the increasingly prevalent and sophisticated threats to the sensitive data they hold.” Plus, New York’s banking regulator says law firms, as a vendor, need to be carefully watched to develop strong data security practices. [The Hill]


WW – Google Changes Search Algorithm to Help Fight Piracy

Google made changes to its search algorithm that have had a noticeable effect on the number of video streaming and torrent sites that appear at the tops of results. Visibility of many sites known to offer pirated content has been significantly reduced. [Ars Technica] See also: [Montreal woman wins cash from Google for Street View cleavage]

WW – Survey Shows Orgs Disable Firewall to Improve Network Performance

According to a report from McAfee, while 60% of 504 surveyed IT professionals say security is paramount in network design, about 30% of organizations responding to the survey said that firewall security features are often disabled to boost network performance. McAfee senior director of network security Jennifer Geisler noted that “the way most firewalls are designed, it forces the trade-off so this is not a negative reflection on the administrator.” [Source]


US – Obama Signs Federal Card Security Order; MasterCard Unveils Biometric Cards; Apple Pay Available Today

President Barack Obama has signed an Executive Order that will bolster security for federal credit cards, a move designed to urge private-sector banks and retailers to follow suit. Starting in January, federal credit cards will use chip-and-PIN technology, and the White House said that Home Depot, Target, Walgreen and Wal-Mart will roll out chip-and-PIN-compatible terminals in all stores by January. Obama also called on Congress to enact data breach notification legislation, but that won’t happen this year. [Reuters] MasterCard announced it will introduce built-in fingerprint sensors for contactless payment cards in 2015. Starting this month, Apple Pay will work with iPhone 6 devices. [President Barack Obama signed an executive order that will bolster security for federal credit cards, a move designed to urge private-sector banks and retailers to follow suit, Reuters reports] [The U.S. Consumer Financial Protection Bureau finalized a rule allowing certain financial institutions to post annual privacy notices online rather than by paper delivery] and [In a filing with the FCC, the American Bankers Association (ABA) said banks that call or text customers run the risk of being sued under the Telephone Consumer Protection Act, a 23-year-old law that requires consumers’ consent to being called on their mobile phones] and [The California Superior Court has ordered Bank of America to turn over call recordings made with borrowers during the period of the Excessive Forbearance Remediation Project in 2013, subject to the Privacy Notice]

US – PCI Issues Security Awareness Guidance

PCI leaders have for months stressed the need for merchants to implement more structured employee education programs around data security. Now the PCI Security Standards Council has outlined just how it expects businesses that handle card data to address employee education. In a 28-page supplement to security awareness program best practices, the council reiterates that continuing employee education about how to detect and mitigate data security risks is a PCI compliance requirement. Three key points noted in the guidance include:

  • The need to assemble a security awareness team, which is responsible for the development, delivery and maintenance of the security awareness program;
  • Why developing security awareness content for the business plays a critical role in developing appropriate content and training information; and
  • How business can use security-awareness checklists to monitor and security awareness training programs.

The guidance’s appendix also includes a detailed checklist with specific compliance recommendations for each of the PCI-DSS requirements included in version 3.0. While this guidance is directed at requirement 12.6, which deals with information security policies and awareness programs, it touches on a range of security best practices – a comprehensive take on PCI compliance that industry security experts agree is needed. [Bank Information Security]

WW – Home Depot Breach Costs Twice Target’s

A new survey reveals that credit unions spent $60 million after the data breach at Home Depot last September, a cost that is more than double that of Target’s. The Credit Union National Association (CUNA) survey noted that 7.2 million consumer cards at credit unions were affected, and that, on average, it costs $8.02 to reissue a card. CUNA’s president and CEO said, “The bottom line is that credit union members end up paying the costs—despite the fact that the credit unions they own had nothing to do with causing the breach in the first place.” Retail groups pushed back in a letter sent to CUNA. “Even after absorbing substantial fraud losses,” the letter stated, “merchants are subject to massive fines by Visa and MasterCard networks and hundreds of millions of dollars in restitution through private litigation for cybersecurity breaches.” [The Hill]

WW – Coalition Launches Bitcoin Principles; EFF Aims to Stop NY Bitcoin Rules

A coalition of cryptocurrency companies has endorsed a new principles-based framework aimed at bolstering identity security, trust and access to a shared data Internet. The initiative was spearheaded by the institute for Data Driven Design out of the MIT Media Lab, and the resources—called the Windhover Principles—are being implemented on an open source platform, the report states. “The Windhover Principles for Digital Identity and Trust are deeply rooted in the belief that individuals should have control of their digital personal identities and personal data,” an announcement said. “Underlying this core value is the principle of ensuring innovation in trust and privacy.” Meanwhile, the Electronic Frontier Foundation has launched a “Stop the BitLicense” initiative, arguing New York’s proposed Bitcoin rules could threaten privacy rights. [InsideBitcoins] See also: [India: Swiss authority willing to disclose info on black money:Centre]


CA – NB Ombudsman, Privacy Boss Call for More Open Government

Observers and officials are calling on Premier Brian Gallant to steer a cultural shift in New Brunswick’s civil service toward more transparency and less partisanship. The province’s Right to Information and Privacy Commissioner and the Ombudsman both say there needs to be a real change. A focus on government secrecy and partisanship in the civil service follows on some recent revelations:According to a poll commissioned by CBC News ahead of the Sept. 22 provincial election, New Brunswickers care more about transparency and integrity than they do about public education, taxation and shale gas. Residents have been largely left in the dark by their government on some major undertakings. Both the previous Liberal government’s move to sell NB Power and the Alward government’s forestry deal were criticized over secrecy. [Source] and also: [Alberta care homes fight to prevent release of financial reports]

CA – UPEI Student Union Wants University Included Under FOI Legislation

If a UPEI student wants information about the P.E.I. Sports Hall of Fame, they can file a freedom of information request and appeal a denied request. If that student wanted to do the same thing with their university, they would be out of luck. It’s a point UPEI student union president Lucas MacArthur made when he pitched the idea of including the university in Freedom of Information and Privacy Protection legislation to the education and innovation committee. MacArthur said P.E.I. is the only province that doesn’t include post-secondary institutions in its access to information law. The student union executives are meeting with Justice Minister Janice Sherry on Nov. 26 to discuss the issue. [Source] See also: [Toronto: School trustees not compelled to post details of expenses] and [Toronto school board trustees tampered with FOI request for expense reports, emails suggest]


CA – Ottawa Proposes DNA Database

Ottawa is one step closer to creating a DNA-based national missing-persons tool it says will assist coroners and police in solving cases and identifying human remains – a victory for families who have long pressed for the database despite privacy concerns and funding obstacles. The proposed legislation, introduced in the Conservatives’ latest budget bill, is the culmination of more than a decade of advocacy by those calling for a system that can compare missing persons’ DNA with samples culled from unidentified human remains. Victims’ families say the national database will give them the comfort of knowing that if their missing loved one is in a morgue somewhere, at least they’ll know. The budget bill is aimed at creating a missing-persons index, a human-remains index and an index for relatives whose profiles may be valuable in locating loved ones or identifying remains. The new indexes will be housed within the RCMP’s National DNA Data Bank facility, which already holds a crime-scene index and a convicted-offenders index. The legislation says profiles uploaded to the missing-persons index and the human-remains index can be compared against those in the crime-scene index and the convicted-offenders index – a move that could set up a battle with the Office of the Privacy Commissioner, which said it doesn’t object to a missing-persons database so long as it’s tightly secured and independent from the criminal indexes. The Privacy Commissioner’s Office told The Globe and Mail it is reviewing the proposed amendments to the DNA Identification Act and will be looking closely at the relationship between the new indexes and the existing criminal ones. The Criminal Lawyers’ Association has also raised concerns about linking the various indexes, saying it’s possible an intentionally “missing” person’s DNA could innocently end up at a crime scene. The association argues police might then become aware of that person’s whereabouts, infringing on privacy rights. [Source] See also: [Nevada’s four-month-old law requiring DNA samples be taken form all individuals arrested for a felony has received little pushback]

Health / Medical

US – DHS ICS-CERT Investigating Medical Device Vulnerabilities

An unnamed official at the US Department of Homeland Security (DHS) said that the agency’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) is investigating approximately two dozen cases of vulnerabilities in medical devices. While there have been no reported attacks exploiting these flaws, DHS is concerned that they could be exploited to cause heart implants and drug infusion pumps to malfunction. [ArsTechnica] [InformationWeek] [BBC] [SCMagazine] [IBT]

US – Federal Court Rules No HIPAA Violation in Malpractice Reform

A Florida federal appeals court recently ruled that physician defendants may have equal access to the health information of plaintiffs and that such access does not violate the Health Insurance Portability and Accountability Act. A tort reform law, which was upheld by this decision, states that prospective plaintiffs must submit a written request that authorizes defendants to access health records and conduct ex parte interviews. Jeff Scott of the Florida Medical Association said, “The impact is: It’s going to level the playing field in medical malpractice cases by giving defendant physicians the same access to crucial expert witnesses that the plaintiff has.” [Health IT Security] See also: [A Florida court has ruled that physician defendants may have equal access to the health information of plaintiffs and that such access does not violate the Health Insurance Portability and Accountability Act] and [Bloomberg BNA reports on the ambiguities that occur when the U.S. Health Insurance Portability and Accountability Act and the Telephone Consumer Protection Act intersect] See also [US: Potential Health Data Breach, Medical Records Fly off Truck] and [Hospital privacy violations rife in Ontario] and [Yellowknife woman’s psychiatric report lands in employer’s hands] and [Ford’s records accessed at second hospital]

US – Apple’s Ban on Sharing HealthKit Data with Advertisers OK by FTC

Apple’s decision to bar HealthKit app developers from sharing user data with brokers or advertisers was a “welcome move” to FTC Chairwoman Edith Ramirez, Re/code reports. “Steps like this are, I believe, critical to fostering consumer trust,” Ramirez said during a conference Monday on connected devices. “Consumers will enthusiastically invite the Internet of Things into their homes, cars and workplaces only if they are confident that they remain in control over their data,” she said. The FTC has been looking into whether the government needs to get more involved in how companies are using Internet of Things data, and Ramirez has noted concerns about how such data is protected from hackers. [ReCode] See also: [US: Medical Information More Valuable To Hackers Than Credit Card Numbers] and [Beware of gift iPads]

Horror Stories

CA – Federal Data Breaches Up Again

The number of data breaches reported to the federal privacy commissioner by bureaucrats increased, hitting a record high according to a new report. Privacy commissioner Daniel Therrien said in his annual report to Parliament that 228 data breaches across the federal government were reported for the 12 month period ending March 31. Human error accounted for just over two-thirds of those breaches. The number was more than twice the number reported for the previous fiscal year. As a result the commissioner’s office issued a four-page tip sheet with checklists on four controls for protecting against breaches. Physical controls, for example, stress the importance of protecting devices not in use by placing them in locked cabinets or in storage areas where access is restricted. Technological controls would include encryption or strong passwords, with training for employees in each. Imprinting serial numbers on devices so they can be tracked is another recommendation. So is using portable storage devices to store personal information only as a last resort. Personnel security controls include regular mandatory training about security and privacy, and monitoring the use of personal storage devices by employees to ensure policies and procedures are being followed. Also in the report, the privacy commissioner’s office said it wants to get a better idea of how bureaucrats use portable storage, so it has started to study how into 17 departments and agencies use the devices and whether they have implemented policies and adequate controls. It hopes to have the report done in the next year. [Source]

US – Staples Breached

Staples said its computer systems were compromised, affecting customers’ payment card information. The office supplier is working with law enforcement to determine the extent of the breach and has not revealed when the attack occurred, at which stores or how many customers were affected. The Massachusetts-based office supply store chain has contacted law enforcement. Information from sources at banks in the northeastern US suggest that the breach affects stores in Pennsylvania, New York, and New Jersey. [Krebs] [The New York Times] See also: [The personal information of nearly 100,000 people seeking their high school transcripts was recently exposed on a site that helps students obtain their records] and [Canada: Staples investigating potential security breach of credit cards]

WW – D&T Report Offers Guidance for Determining Veracity of Data Leak Claims

Deloitte & Touche has published a paper that contains advice for determining whether data found on the Internet are actually data stolen from a company or if posted information is fake. Companies can check to see if the posted data are duplicates of data that has been posted previously; they can also check to see if the listed usernames actually exist, and if the passwords abide by the company’s password policy. [SC Magazine] [Krebs] [DarkReading] [Deloitte Report]

US – BBB Goes After Five Web Publishers for Lack of Enhanced Notice

The enforcement wing of the Better Business Bureau (BBB) has gone after five web publishers for not complying with the ad industry’s self-regulatory privacy guidelines. Answers Corporation, Best Buy, BuzzFeed, Go.com and Yelp ha