Facebook has been hit with a class-action complaint over its biometrics slurpage, with millions of possible plaintiffs who may claim damages if the advertising giant is found to have acted unlawfully. The complaint (PDF) states that “Facebook has created, collected and stored over a billion ‘face templates’ (or ‘face prints’)”, which, ostensibly, are as uniquely identifiable as fingerprints. These have been gathered “from over a billion individuals, millions of whom reside in the State of Illinois”. It is alleged that in doing this, the ZuckerBorg is in violation of the Illinois Biometric Information Privacy Act (BIPA), which was passed by the state legislature in 2008. As noted in the complaint, under BIPA a private entity such as Facebook is prohibited from obtaining or possessing an individual’s biometrics unless it achieves suitable consent, which is constituted by:
- Informing that person in writing that biometric identifiers or information will be collected or stored
- Informing that person in writing of the specific purpose and length of term for which such biometric identifiers or biometric information is being collected, stored and used
- Receiving a written release from the person for the collection of his or her biometric identifiers or information
- Publishing publicly available written retention schedules and guidelines for permanently destroying biometric identifiers and biometric information
The complaint alleges that: “In direct violation of… BIPA, Facebook is actively collecting, storing, and using – without providing notice, obtaining informed written consent or publishing data retention policies – the biometrics of its users and unwitting non-users.” The plaintiff asserts that he does not have, and has never had, a Facebook account, but notes that a Facebook user uploaded to Facebook at least one photograph depicting him, which has resulted in the non-consensual creation of a biometric template of his face. The action is brought on behalf of a class of similarly situated individuals, defined as: The class action complaint was filed in the United States District Court, Northern District of Illinois, and is case number 1:15-cv-07681. [The Register]
New papers were filed in the case of an Illinois resident suing Shutterfly after his “faceprint” was added to its database without his knowledge. Plaintiff Robert Norberg is arguing that the move was illegal under the Illinois Biometric Privacy Law. Shutterfly moved to dismiss earlier this summer, saying the 2008 statute doesn’t regulate faceprints. However, “(b)y Defendants’ logic, nothing would stop them from amassing a tremendous, Orwellian electronic database of face scans with no permission whatsoever so long as the database were derived from photographs,” Norberg’s team wrote in court filings. “And indeed, that appears to be exactly what they are doing.” [MediaPost]
The Australian government has announced it is spending $18.5 million on what has been hailed as Australia’s newest national security weapon – facial recognition technology. The Capability – short for The National Facial Biometric Matching Capability – will allow law enforcement and security agencies to quickly scan through up to 100 million facial images held in databases around Australia. The images can come from drivers’ licences, passport photos or security cameras in your local shopping centre. Justice Minister Michael Keenan said The Capability had been informed by independent privacy assessments and will help combat identity fraud and theft as well as terrorism and organised crime. But privacy advocates said people should always be asked or at least notified before their faces are scanned, which under law, can happen from a distance without a person’s knowledge. [Lateline News]
Porsche’s Mission E model will come with an eye-reading, emotion-gauging camera. The device, located in the rearview mirror, “recognizes the driver’s good mood and shows it as an emoticon,” the report states, noting the emoticon “can then be shared via social media, alongside the car’s route and speed.” Some analysts find the emoticon and camera strange, the report states. “We’re not just making cars anymore. We’re making personal expressions,” said Kelley Blue Book’s Karl Brauer, adding, “If you’re the kind of person to spend more than $100,000 on a sports car, you might just be the kind of person wanting to share pictures of yourself, too.” [The Washington Post] [Porsche’s Tesla killer: A superfast electric sports car that can read your emotions]
If Toronto police officers began switching on their body-worn cameras during informal interactions with the public, it would “completely disrupt” the force’s nearly year-long trial of the popular policing technology, turning it into “something very different and problematic,” according to Toronto police chief Mark Saunders. Currently, rather than running at all times, the cameras are only activated by the officers under certain circumstances, including when making an arrest, answering to calls for service, responding to a crime in progress and more. [Toronto Star]
Manitobans are invited to share their views on a proposed all-in-one Personal Identification Card (PIC) that would combine a person’s driver’s licence, photo ID, health and travel card. The PIC, a joint proposal by Manitoba Health, Healthy Living and Seniors, and Manitoba Public Insurance, could eventually eliminate the paper Manitoba Health card by placing an individual’s personal health ID number on the back of the security enhanced, tamper-free PIC. While there are many potential benefits “we also recognize that this proposal may affect different Manitobans in different ways,” said Health Minister Sharon Blady. “So we need to hear from those who access and provide health services in our province before we choose a path forward.” In addition to seeking input from individuals, consultation will take place with numerous groups, including First Nations and Metis organizations and communities, Manitobans with disabilities, health care providers and the Manitoba Ombudsman. “The ultimate goal of the PIC is to better protect Manitobans against identity theft, forgery and fraud while ensuring that private information stays confidential,” said Manitoba Public Insurance President and CEO Dan Guimond. [CBC News] [Copy of Discussion Paper]
Researchers, public policy advocates, statisticians, business groups, economists — and the Liberal and NDP parties — continue to call for the mandatory long-form questionnaire to be brought back, arguing that important statistical data is getting lost. In a package of recently proposed reforms on transparency, the Liberals are promising to immediately restore the mandatory long form if they form government in the Oct. 19 federal election. And Jean Ong, a spokesperson for the NDP, said in a statement that the party has long advocated for the restoration of the long-form census and continues to do so. The lost data has massive implications for public policy decisions, business planning and a host of other areas, proponents of the mandatory long survey say. [Toronto Star] [CA – Why Internet privacy should be a key election issue: Geist] [Why privacy matters in this Canadian election] [Prank calls, #peegate — and a party’s weird approach to privacy]
A recent Ontario Superior Court of Justice ruling appears to open the way to adding invasion of privacy claims to defamation lawsuits against journalists, says a defamation lawyer. On Aug. 31, Justice Graeme Mew released the reasons for his July 17 decision on a motion in Chandra v. CBC. The motion, brought by the CBC, sought to have the court decide that it shouldn’t put an invasion of privacy claim to the jury that the plaintiff had added to his original defamation case. “Can a plaintiff who has sued a broadcaster for defamation in connection with a television program also maintain a claim for general damages for invasion of privacy?” Mew asked at the beginning of his reasons for his decision. His answer: Yes, but in this case at least, with some limitations. [Law Times]
A plan to film people illegally dumping garbage will be considered by the City of Winnipeg. Coun. Ross Eadie (Mynarski) and Coun. Devi Sharma (Old Kildonan) raised the issue in a June city council meeting, and now a report is recommending the city spend $55,000 on six surveillance cameras to catch people dumping garbage in private lots. It is a rampant problem that should be met with stiff fines, Eadie said, suggesting penalties up to $2,500 for an individual and $6,000 for a business. Eadie said the city’s innovation committee would have to approve a budget increase to purchase the cameras. “The money that comes in will more than likely offset the cost of the video camera,” he said. Eadie said he believes city council will vote on it some time in December. [The Winnipeg Sun]
The federal government is bringing in major changes to the way Canadian passports are issued, changes that could speed up the renewal process but also invite forgery, fraud and identity theft at a time of heightened global security. An internal notice from Citizenship and Immigration Canada reveals the changes coming this fall would allow online applications and no longer require the return of the old passport — even if it remains valid for six more months. Instead, applicants will be told to “cut the corners” of the document through an honour system. The change is to take effect on Nov. 1, 2015, for online applications and Dec. 14, 2015, for paper-based applications that are mailed or handed in to a passport office, according to the document. [CBC News]
In order to simplify and clarify how we handle different types of complaints under the Personal Health Information Protection Act (PHIPA), we are updating our existing processes. In coming months, we will test the new procedures to ensure we continue to resolve PHIPA matters in a fair, just and timely way. Although we resolve many files at an early stage, we can also conduct a review under PHIPA, which gives us greater powers to investigate and issue orders. In our updated processes, we will: provide similar processes for all types of complaints, distinguish between complainant-initiated files and breaches reported by custodians or files we initiated, and clarify roles and responsibilities of Intake, Investigation/Mediation and Adjudication — the three stages of our tribunal processes. [Source]
Understanding why access to government-held information and the protection of privacy are important public values will prepare students to become active participants in our democratic society. To assist teachers in meeting the Ministry of Education’s curriculum expectations, the IPC created two resource guides that are tailored for grade 10 and grade 11/12 classes. The guides were developed in consultation with teachers and offer step-by-step activities, handouts, quizzes and evaluation criteria on subjects such as open government, online privacy and identity theft. For summaries of the guides, see the Grade 10 and Grade 11/12 fact sheets. [Source] [Access and Privacy in the Classroom: Resources for Parents, Teachers and School Administrators] See also: [Why social media can be a minefield for teachers: Tightening up privacy settings might not be enough to protect teachers’ reputations, experts say]
Alberta’s privacy commissioner helped design a new course aimed at teaching Grade 7 and 8 students how to be safer online. The “Kids’ Privacy Sweep Lesson Plan” shows children how they can unknowingly share private details when they use websites and apps. The lesson defines what cookies, IP addresses and geo-locations are. It also shows students how companies collect and share data with third parties. Students are asked to look at popular apps and websites to see what personal information users are asked to provide. The lesson was developed after the Global Privacy Enforcement Network [GPEN] conducted a privacy sweep of 1,494 websites and smartphone and tablet apps targeted at children. The investigation found that 67% collected children’s personal information and 50% shared that information with other organizations. The lesson is now available for teachers to use in schools across Canada. [CBC News] [Data Privacy Is an Uphill Battle] [WW – Digital privacy concerns ‘the new normal’ as users pay with personal information] [WW – 7 worst apps that violate your privacy] [CSO Online: Attackers go on malware-free diet] [UK: Man who changed ex-girlfriend’s Facebook profile picture to sexually explicit image jailed for over four years] [‘Sexting panic’: Why the law struggles to keep up with reality]
New Brunswick’s information commissioner is pushing back against two government proposals for overhauling the right-to-information system. A report recommends looking at reinstating fees for people who use the Right to Information and Protection of Privacy Act to request government documents and records. It also suggests giving bureaucrats the power to decide for themselves whether they can ignore a request they consider “frivolous or vexatious” under the act. That recommendation is now subject to review by Information Commissioner Anne Bertrand, who says she’s leery of the provincial government giving itself the power to make that determination. [CBC News]
A chicken farm should not be used to dispose of sensitive health documents, Saskatchewan’s privacy and information commissioner says. The matter came up in a report recently issued by commissioner Ron Kruzeniski concerning the Spruce Manor Special Care Home in Dalmeny, about 23 kilometres north of Saskatoon. The privacy office had been investigating the home earlier in the year after some of the residents’ health cards ended up in a recycling bin. In the course of that investigation, it found that in May, the home had signed a deal with an undisclosed chicken farm to destroy its confidential records. In the agreement, the farm said it would “agree to accept full responsibility to maintain the security and confidentiality of all documents” received from Spruce Manor Special Care Home. That’s “unacceptable,” Kruzeniski said in his report, noting that the agreement does not specify how the chicken farm is to “maintain the security and confidentiality” of the personal health information it has received. “I recommend that Spruce Manor Special Care Home no longer use [a] chicken farm to destroy records in spite of the former administrator asserting he had no problems/concerns with the use of the chicken farm,” Kruzeniski said in the report. [CBC News]
While rhetoric has focused increasingly on drivers’ privacy concerns as connected cars become a reality, a recent survey indicates drivers may not be as worried as has been believed. The survey was conducted by McKinsey & Co. and found more than half of respondents said they had “no problem” allowing their car to collect data and “send it anonymously to the auto maker” in the name of improvements to the vehicle. “The number jumped to 76% if auto makers guaranteed the data will only be used to improve vehicles and not shared with anyone else,” the report states, noting 70% said they’re already sharing their data with smartphone apps. [The Wall Street Journal] [U.S. Automakers Take The Wheel On Cybersecurity – But Can Canadian Manufacturers Hitch A Ride?]
A host of tech companies—including Apple, Google and Microsoft—have been tangling with the U.S. government about law enforcement’s access to user data. Most notably, this week, the Second U.S. Circuit Court of Appeals in Manhattan is set to hear a long-standing case between the U.S. Department of Justice and Microsoft over emails the agency wants access to but that are stored in Ireland. Companies including Amazon, Verizon and Cisco have all submitted amicus briefs on behalf of Microsoft in the case. A ruling against Microsoft would likely garner more distrust of U.S. companies by foreign users, the report states. In a column for Fusion, Prof. Ryan Calo writes that tech companies may be the best defense and brightest hope against too much government surveillance. [The New York Times] [What does the Microsoft privacy battle mean for the future of internet security?] [CNET: Apple, Microsoft Tussle With Feds Over Access to User Data] [If you care about privacy, you should be using and supporting Apple]
The majority of US states use electronic voting systems that are at least 10 years old, according to a report from the Brennan Center for Justice at the New York University School of Law. Not only are the systems out of step with the latest technological advances, but there are also reports of equipment degradation and unreliability. Many of the machines are running versions of Windows XP, and some machine manufacturers are no longer in business. [Wired]
Representatives from the Department of Justice (DoJ) and Microsoft each made their arguments before the Second Circuit Court of Appeals in a case that could determine what rights governments have in accessing information contained in the cloud. Microsoft’s counsel told the court that compelling it to hand over data stored on servers in Ireland “is an execution of law enforcement seizure on their land … We would go crazy if China did this to us.” The DoJ argues that the emails should be considered business records, meaning a search warrant would suffice. However, Microsoft argues they are customers’ personal documents. The three-judge panel could hand down a decision as early as October or as late as February, the report states. [The Guardian] [Silicon Republic] [Washington Post] [The Hill] [WW – Microsoft Slips User-Tracking Tools into Windows 7, 8 Amidst Windows 10 Privacy Storm]
A Department of Justice (DoJ) court order demands that Apple provide authorities with real-time access to a suspect’s iMessages sent between iPhones. The company allegedly told the DoJ that the data is encrypted, preventing law enforcement from gaining access. Johns Hopkins Prof. Matthew Green asked, “Could a court force (Apple) to modify their technology in order to make eavesdropping possible?” One way the government could compel a company to provide court-ordered data is to levy fines, the report states, something Yahoo faced years ago. Sen. Chuck Grassley (R-IA) has asked the DoJ to brief him on the Apple iMessage case. [ZDNet]
The White House has indicated it will not seek legislation to mandate backdoors to encrypted communication services. The Obama administration is also considering “whether to publicly reject a law requiring firms to be able to unlock their customers’ smartphones and apps under court order,” the report states. A White House official said, “The encryption issue … both in this country and abroad is going to have a major impact on how law enforcement and intelligence do their jobs.” Meanwhile, government officials—including from the FBI and Department of Justice—and cryptographers debated the role of encryption in electronic communications Tuesday. [The Washington Post]
The Kilton Public Library in Lebanon, New Hampshire, was selected as a pilot location for a Tor relay program organized by the Library Freedom Project and The Tor Project. Shortly after the library announced its participation in the program, the US Department of Homeland Security (DHS) contacted the town’s police department. When the police voiced concerns about Tor to the library board, the board suspended the library’s participation in the program. The board will vote on September 15 on whether or not to restart participation. [Ars Technica] [EFF]
Over the summer, the US Justice Department served a court order on Apple, demanding that the company provide DOJ with real-time text messages sent between suspects in a case involving guns and drugs. Apple replied that it was unable to comply because the iMessage system encrypts communications on individual devices and Apple does not have the key. Apple only has copies of messages if users save them to iCloud. [Schneier] [The Guardian] [ZDNet] [NYTimes]
The EU and U.S. have reached an agreement that would protect personal data used for law enforcement purposes. However, though the text has been finalized, the European Commission has said it will not be signed until the U.S. passes legislation giving EU citizens the right to judicial redress in the U.S. Meanwhile, Europe’s Advocate General is expected to issue a long-awaited legal opinion on Facebook’s sharing of personal information with the National Security Agency under the agency’s PRISM program. The opinion, which is non-binding but influences the 15 judges on the European Court of Justice, will likely affect the EU-U.S. Safe Harbor Agreement. The opinion’s expected delivery date is now September 23. [Reuters]
The Article 29 Data Protection Working Party (WP29) published its opinion concerning data and privacy protection issues relating to the use of unmanned aircraft systems (UAS) in civil aviation, which is addressed both to national Civil Aviation Authorities (CAAs) and to European legislators. The WP29 gives indications and recommendations to policy makers and sector regulators, manufacturers and/or operators. In the WP29’s opinion, the introduction of no-fly zones could be envisaged, and maps could be printed out to inform users about the designated areas. This might represent a solution to ensure the protection of private areas (such as gardens, courtyards, terraces). Manufacturers could involve a Data Protection Officer in the design and make drones as visible as possible. The WP29 also recommends the adoption of Codes of Conduct, containing sanctions in case signatories violate the norms, which might help operators prevent infringements. The WP29 emphasises the importance of the transparency and proportionality principles. Data subjects must be aware of the collection and the processing of their personal data (Article 6 of the Directive) and also be informed (Article 11) publicly by means of social media, leaflets, websites etc. In conclusion, the Working Party calls on European and national policy makers, as well as Civil Aviation Authorities (CAAs) and Data Protection Authorities (DPAs), to cooperate and to promulgate comprehensive legislation. The main aim is to make data processing legitimate in compliance with Article 7 of the Data Protection Directive. [Mondaq News] [States are pushing to pass their own regulations on drones in the absence of federal laws] [Unwanted visitor: Peeping drone raises privacy concerns for Island family]
The European Data Protection Supervisor (EDPS) issued a surprise opinion last week on the tech industry and is planning the implementation of an international board on tech ethics. EDPS Giovanni Buttarelli said the ethics board will advise on “the relationships between human rights, technology, markets and business models in the 21st century” and will not be strictly EU-based. He said U.S. advisors could also be on the board. Buttarelli’s opinion looked at emerging tech trends that “raise the most important ethical and practical questions for the application of data protection principles.” He is expected to meet with officials from the U.S. FTC and the White House this week. [EurActiv]
In a whitepaper, the UK Information Commissioner’s Office (ICO) offers its thoughts on the current negotiations over competing texts for the General Data Protection Regulation (GDPR), currently in the trilogue process. “We thought it would be useful,” the paper reads, “to set out our observations on the parts of the Council text that we consider to be most in need of improvement.” The highlights include a warning against the proliferation of “different data protection regimes” stemming from a weakening of the one-stop shop mechanism; the need for a single definition of “personal data”; the “confusing” nature of the allowance for further data processing; the need for a definition of “child”; a preference for “right to erasure” over “right to be forgotten,” and a concern that data breach notifications will overwhelm the ICO unless notification is limited to “high-risk” breaches. [Source]
In its efforts to ensure GOV.UK Verify meets privacy requirements and gives its users what they expect, Government Digital Service (GDS) has created a new privacy officer’s position. Toby Stevens, GOV.UK Verify’s independent privacy adviser, is “taking on the privacy officer duties on an interim basis” while GDS fills the role, the report states. “The privacy officer will provide a focal point for decisions that may affect the use of personal data, and manage the dialogue between developers at GDS, GOV.UK Verify users, certified companies and departments offering services through GOV.UK Verify,” Stevens said, noting the privacy officer will also work with organizations such as the Information Commissioner’s Office. [Computing]
The Information Commissioner’s Office (ICO) is investigating the data-sharing practices of the charity sector after reports that some organizations may be profiting from donor contact data. Information Commissioner Christopher Graham described the allegations as “clearly concerning” and said the ICO is currently trying to “work out exactly what has happened.” Some of the charities named in the investigation have defended their practices. Separately, the ICO has said there are “strong levels of interest” from businesses in its privacy seals project, which it expects to be “up and running” in advance of when the EU General Data Protection Regulation comes into force. [Full Story] See also: [UK: Information watchdog investigates ‘charity data sales’] and [UK Charities face scrutiny over trading of elderly man’s data]
A draft Dutch government bill aimed at reforming intelligence-gathering is prompting privacy concerns. The Netherlands Institute for Human Rights is concerned that the bill “will grant security agencies far-reaching surveillance powers with insufficient protection of privacy,” the report states. The government, however, believes the bill brings “badly needed modernization of intelligence-gathering methods and improve(s) internal security, without violating privacy,” the report states. Government spokesman Tijs Manten said, “We think that the balance between safety and privacy in the draft is just,” while the institute points to the draft legislation allowing the government “to authorize tapping of private Internet and telephone data” as reason for concern. [Reuters] [Dutch intelligence-gathering reform bill sparks privacy concerns]
Radio 1 DJ Sara Cox has won a landmark privacy case against a national newspaper after it published naked photographs of her on honeymoon. The DJ sued the People newspaper after it published the pictures of her and her husband Jon Carter while holidaying in the Seychelles in 2001. The case, settled in the High Court, came despite the People providing an official apology at the time – following a complaint to the Press Complaints Commission. The newspaper was sued under article 8 of the Human Rights Act, which works to protect an individual’s right to a private life. [Daily Mail]
- Several banks are lobbying officials in Brussels over concerns that specific aspects of the proposed General Data Protection Regulation would make it more difficult for lenders to detect fraud, efficiently extend loans and effectively provide other online services.
- The EU and U.S. have reached an agreement that would protect personal data used for law enforcement purposes, but the European Commission says it will not be signed until the U.S. passes legislation giving EU citizens the right to judicial redress in the U.S.
- Edouard Geffray, general secretary of the French Data Protection Authority, the CNIL, has said that monitoring drone sound recordings is a new “point of vigilance.”
- The proposed General Data Protection Regulation is too onerous for cloud providers.
The projected economic difference between a future “where cybersecurity is considered a human right” versus one where the online world is “plagued by cybercrime” with security as “a luxury good”—it’s about $120 trillion. That’s according to research from Atlantic Council and Zurich Insurance, which worked with the University of Denver’s Pardee Center for International Futures “to determine if the global benefits the Internet brings … would outpace—or be overshadowed by—digital threats.” Their report suggests, “Tens and even hundreds of trillions of dollars are at stake … not to mention the social and cultural impact … with perhaps a small window of a few years to pull back and reorient towards a more secure and more resilient Internet.” [CSM Passcode]
Digital security firm Gemalto has released its Breach Level Index for the first half of 2015. It reports 888 breaches thus far, affecting the records of 246 million individuals around the world, a 10-percent increase in the number of breaches vs. the first half of 2014. Meanwhile, in the U.S., the personal information of nearly 80,000 students across eight Cal State campuses was breached. The students were all enrolled in an online sexual violence prevention course. Compromised data includes passwords, user names, email addresses, gender, race, relationship status and sexual identity. Cal State officials are currently investigating the incident. [Los Angeles Times]
Aimia, a marketing and “loyalty analytics” firm, recently conducted its second annual survey to determine how consumers feel about how businesses use their data. The study found that “less than one in 10” of Canadians believed that the data they shared with organizations got them some sort of beneficial dividend. “I’m surprised marketers aren’t delivering on their part of the bargain,” said Aimia CMO John Boynton. “Why would people give you their data?” he asked. “There’s an expectation. If all you’re doing is collecting data, and your marketing programs are the same, you’re in trouble. And you may not get a second chance.” [The Globe and Mail]
A recent study estimated publishers will lose $21.8 billion in revenue this year due to the 198 million people around the world who use ad blockers. The Interactive Advertising Bureau (IAB) is looking for ways to get ahead of this issue, hosting a leadership summit this past July to “get the options on the table,” according to Scott Cunningham, a senior VP at the IAB and general manager of its Technology Lab. Options included getting the top 100 websites to stop showing content to users with ad blockers on the same day and suing the ad-blocking companies. IAB working groups continue to look into other options and CEOs from anti-ad blocking companies attended a meeting in August. [Advertising Age]
A new study conducted by data-loss prevention vendor Clearswift finds surveyed data-security specialists are most concerned about threats stemming from the finance and HR departments. Further, nearly 90 percent of the 500 global professionals surveyed said they had experienced a “security incident” in the past year, and 73% of those came from “people they knew, such as employees, past employees or customers/suppliers.” Finally, 79% replied that men were more of a threat to cause a data-security incident than women. [SC Magazine]
Phone conversations are no longer the “haven” they once were for traders looking to say whatever they pleased, as the U.S. government and even individual banks listen to and store audio files per 2010’s Dodd-Frank legislation. “We have seen a 100-percent increase in the volume of audio data recorded and analyzed by banks,” said Clutch Group President Brandon Daniels. Banks are employing sophisticated software for tracking purposes, and the move has brought casualties, with Deutsche Bank AG terminating two of its traders after communication reviews. While banks “make sure that their people are being policed the right way … a lot of the guys are probably thinking twice about whether they’re in the right profession,” said Options Group CEO Michael Karp. [The Wall Street Journal] [Bank privacy notices are a joke: Here’s why] [Carnegie Mellon University did a study that suggested some banks don’t even follow the very liberal regulations set out in their privacy notices]
The German Union of Journalists has criticized Parliament’s data retention initiatives, arguing they “impair the freedom of the press and broadcasting, as they weaken protection for those who provide information, as well as editorial confidentiality.” Media outlets like the German Press Council also “consider that the planned regulations are not compatible with the jurisprudence of the European Court of Justice,” the report continues. Parliament will discuss data retention later this month, but “the current planning does not envisage that representatives of the media will be heard,” the report states. [Telecompaper] See also: [Opinion: We should nurture the principle of open courts]
Health care app maker AirStrip has found a clever way to comply with strict federal privacy laws: using Apple Watch’s abilities to confirm a doctor’s identity. AirStrip’s co-founder Cameron Powell demonstrated the app’s power at an Apple event in San Francisco. The app shows patients’ information, including their diagnoses and lab results, on the watch screen and allows doctors to send them secure messages. The app also lets doctors communicate with other health care providers about patients. The Airstrip app taps into the Apple Watch’s ability to sense who is wearing the device. That allows the AirStrip app to comply with HIPAA, a federal law that strictly protects a patient’s private health information. Any electronic health record system has to comply with this law, and the Apple Watch is no exception. [CNET]
The Drug Enforcement Administration has been sifting through hundreds of supposedly private medical files, looking for Texas doctors and patients to prosecute without the use of warrants. Instead, the agents are tricking doctors and nurses into thinking they’re with the Texas Medical Board. When that doesn’t work, they’re sending doctors subpoenas demanding medical records without court approval. The DEA can’t even count how many times it has resorted to the practice nationwide. A spokesman estimated it was in the thousands. But, as a legal brief filed last week points out, lawyers for the federal government can’t find a single case in which a court has “authorized the use of such a broad array of patient information with such a sparse record as to why it needs such information.” Earlier this year, a federal judge in Texas did just that, setting up a showdown in the 5th Circuit Court of Appeals over whether the DEA needs a reason to go rummaging through private medical records in search of pill mills and prescription drug abusers. Without the legalese, the issue is simple: How good a reason does the DEA need to get access to medical records? The DEA doesn’t think it needs much of one. [Watchdog.org]
A federal judge has granted class-action status to lawsuits by financial institutions that were victims of Target’s 2013 breach. “The decision may force Target to pay more than it previously estimated to banks that want the retailer to pay their costs for when consumers sought new credit cards after the breach,” the report states. Meanwhile, Charlotte-Mecklenburg Schools’ trouble has just begun, with the district having to notify 7,600 job applicants that their Social Security numbers were shared without authorization. And, Engadget reports that Vladimir Drinkman has pleaded guilty to the theft of more than 160 million credit card numbers since 2003, in what the Department of Justice called the “largest such scheme ever prosecuted in the United States.” [The Star Tribune]
New York state-based health insurer Excellus BlueCross BlueShield and its affiliate, Lifetime Healthcare, have experienced a data breach. Excellus learned last month that intruders had initially accessed its systems in December 2013. As many as 10.5 million people may be affected by the breach. [The Hill] [SCMagazine] [NBCNews]
Programming errors and shortcuts have resulted in improper encryption of the passwords of at least 15 million hacked Ashley Madison (AM) accounts. A group of hobbyists claim to have cracked the passwords in a matter of 10 days. Gabor Szathmari, an information-security consultant, writes in a blog post that the “source code contains AWS tokens, database credentials, certificate private keys and other secret credentials,” resulting in “a much more vulnerable infrastructure.” Another security consultant notes that users who have used an AM password for another account “need to change it immediately.” [ComputerWeekly] [Big hacks, big data add up to blackmailer’s dream]
Robin Levinson King questions whether things will ever be the same following the Ashley Madison breach. “Beyond the sex and the secrecy is a story about what privacy means in the digital age and what responsibility both companies and Internet users have towards protecting others’ privacy,” King writes. Meanwhile, the BC government is investigating the government emails uncovered in the breach. According to the Ministry of Technology, Innovation and Citizen Services, there were 14 email addresses implicated. Five of them are inactive accounts. “Our primary concern is security at this time,” the ministry said. [The Toronto Star]
Several class-action lawsuits have arisen in the wake of the hack of Ashley Madison and efforts to make personal data stolen from the infidelity website legally toxic. Specifically, a new lawsuit aims to hold websites and hosting services liable for aiding and abetting the hackers by making the sensitive data searchable online. The complaint states that while these “entities may labor under the belief that their actions are entrepreneurial rather than criminal … the fact remains that they are in willful possession of stolen property.” Meanwhile, a U.S. pastor whose name was allegedly among those leaked has committed suicide; police in Canada have said at least two other individuals have killed themselves after the release of their information as well. [Fusion] [Ashley Madison Says It’s Still Gaining Users Amidst Privacy Woes] [We’re not talking about data security, and that’s a problem]
A breach of Excellus BlueCross BlueShield’s systems has affected more than 10 million records. The data loss was discovered when the organization conducted an external forensic assessment after other healthcare organizations, such as Anthem and Premera, reported breaches of their own. According to investigators, the breach started as early as 2013. “We are taking additional actions to strengthen and enhance the security of our IT systems moving forward,” Excellus said in a statement. Meanwhile, “thousands” of clients’ data was stolen from UK-based Lloyds Premier Banking. [ComputerWeekly]
The leaked data stolen from infidelity site Ashley Madison continues to pose problems for individuals in new and malicious ways, according to two separate reports. Fraudsters are currently trying to take advantage of the leaked data, and data stolen from Carphone Warehouse, to trick people into disclosing their bank details. Meanwhile, according to The Telegraph, UK intelligence agencies are mining Ashley Madison data to see if their own staff could be targeted for blackmail while also using it to find potential intelligence targets. [The Independent] [US: Data Privacy: Wyndham Hotel’s Wake Up Call Should Be Your Own]
In a settlement with the Department of Health and Human Services (DHHS) over potential HIPAA violations, Cancer Care Group has agreed to pay $750,000 and adopt a “robust corrective action plan to correct deficiencies in its HIPAA compliance program,” according to a DHHS press release. The settlement follows a breach three years ago after an unencrypted server backup and laptop were stolen from the car of an employee of the oncology practice. Meanwhile, the Association of American Physicians and Surgeons has filed an amicus brief with the U.S. Supreme Court, urging the court to dismiss the state of Vermont’s appeal of the Second Circuit’s decision to block “enforcement of Vermont’s database requirement against Liberty Mutual Insurance Company” due to privacy concerns. [DHHS] See also: [CA – Rouge Valley Hospital Clerk Pleads Guilty to Stealing, Selling Patient Records] [CA – Ajax woman disturbed over alleged suggestive texts from Sleep Country staffer] [UK London HIV clinic accidentally reveals hundreds of patients’ identities]
Norway’s Data Protection Authority (DPA), Datatilsynet, has issued a guide on anonymising personal information. The DPA’s guide “provides practical guidance for data controllers on the considerations to be made prior to anonymising data and highlights Datatilsynet’s opinion on the effectiveness of different anonymisation methods,” the report states. DLA Piper’s Cecilie Ronnevik notes the guide is needed because “Datatilsynet has, over the years, found that there are severe misunderstandings regarding the definition of identifiable personal data.” Along with anonymisation, the guide also considers the topic of pseudonymisation, the report notes. [Privacy This Week]
A federal judge has upheld part of Arizona’s contentious immigration law, rejecting claims that the so-called “show your papers” section of the law discriminated against Hispanics. The ruling by U.S. District Judge Susan Bolton was on the last of seven challenges to the 2010 law. The section being upheld, sometimes called the “show your papers” provision, allows police in Arizona to check the immigration status of anyone they stop. Bolton ruled that immigration rights activists failed to show that police would enforce the law differently for Hispanics than for other people. The judge also upheld a section that lets police check whether a detainee is in the United States illegally. Bolton voided any provisions targeting day laborers. Bolton’s ruling came two days after a federal judge approved a deal between the U.S. Department of Justice and Arizona’s Maricopa County to resolve accusations of civil rights abuses and dismissed the department’s lawsuit against Sheriff Joe Arpaio and his deputies. [Reuters]
The Department of Defense (DoD), Office of Personnel Management (OPM) and General Services Administration have awarded a $133.3-million contract to Identity Theft Guard Solutions to provide personal data protection services to the 21.5 million victims of the second OPM hack. The contract is part of a larger $500-million Blanket Purchase Agreement for responding to the devastating data breach and potential future breaches stemming from the hack. Unlike the response to the first hack, the DoD—and not the contractor—will notify victims, and the Pentagon will cover the contract cost. Acting OPM Director Beth Cobert said notifications would not go out until the “end of the month.” [GovExec]
Russia has postponed the enforcement of a new national law requiring technology companies that handle the personal data of Russian citizens to install data centers within the country’s national borders. The law officially goes into effect today, but Russian regulators have told companies such as Facebook, Google and Twitter they will not check for compliance until January. A spokesman for Russian communications regulator Roskomnadzor said, “We understand that in transnational companies where offices are spread globally, it takes a while to make a decision.” The spokesman also pointed out that Roskomnadzor does not yet have the resources to check that every company is in compliance. [The Wall Street Journal]
The provincial government cannot compel Ontario’s police forces to hand over their data on street checks — including information as to how many times the controversial practice has helped solve crimes, according to Minister of Community Safety and Correctional Services Yasir Naqvi. That means that as the province continues its review of street checks, commonly known as “carding,” it will do so without knowing how often the practice has actually proved useful to investigations, by leading to an arrest, to the discovery of a weapon or drugs, or more. Naqvi said his ministry has been consulting with Ontario’s Information and Privacy Commissioner about how to gain access to this policing data in aggregate form, stripped of any personal information. [Metro News]
The Intercept reports U.S. District Court Judge Victor Marrero has “fully lifted an 11-year-old gag order that the FBI imposed on Nicholas Merrill … to prevent him from speaking about a National Security Letter served on him in 2004.” Merrill was the founder of a small Internet service provider and, upon being served the order, was told he couldn’t speak of it to anyone. The lifting of the order is the first time such an order has been fully lifted since the USA PATRIOT Act of 2001 permitted the FBI to issue letters demanding information for national security purposes. Merrill and the ACLU have been fighting to lift the order since 2004. [Full Story]
US – Undercover FBI Agents Spy On Burning Man Festival to Prevent ‘Terrorism’ and Test Out New ‘Intelligence Collection’ Technology
The FBI has admitted to gathering secret intelligence about the annual Burning Man festival since 2010. In response to a request under the 2012 Freedom of Information Act, the security service said its Special Events Management unit has kept files on festival-goers, known as ‘burners’ – to ‘aid in the prevention of terrorist activities and intelligence collection’. But the FBI’s 16-page response to the question by Inkoo Kang is heavily redacted, with information about the technology being used to secretly gather the information being blanked out. The revelation comes as the 29th Burning Man takes place in the Black Rock Desert in Nevada. [Mail Online]
The Diet passed an amendment to the Act on the Protection of Personal Information that permits the creation of a Personal Information Protection Commission (PIPC), effective in January. The PIPC “will be established as an independent authority,” the report states, in an effort “to bolster Japan’s expected request for a determination of adequacy by the European Commission.” Updates to the law were also found in Article 24, which “imposes restrictions on the transfer of personal information of Japanese citizens to third parties in foreign countries,” the report continues, adding that “draft rules for implementing Article 24 specifically call out a company’s APEC Cross Border Privacy Rules certification as satisfying this requirement.” [TRUSTe Blog]
The digital privacy of Australians ends on October 13. On that day this country’s entire communications industry will be turned into a surveillance and monitoring arm of at least 21 agencies of executive government. The electronically logged data of mobile, landline voice (including missed and failed) calls and text messages, all emails, download volumes and location information will be mandatorily retained by Australian telcos and ISPs. Intelligence and law enforcement agencies will have immediate, warrantless and accumulating access to all telephone and internet metadata required by law, with a $2 million penalty for telcos and ISPs that don’t comply. There is no sunset clause in the Abbott government’s legislation, which was waved through parliament by Bill Shorten’s Labor with only minor tweaks. The service providers are to keep a secret register of the agency seeking access to metadata and the identity of the persons being targeted. There is nothing in the Act to prevent investigative “fishing expeditions” or systemic abuse of power except for retrospective oversight by the Commonwealth Ombudsman. That’s if you somehow found out about an agency looking into your metadata – which is unlikely, as there’s a two-year jail sentence for anyone caught revealing information about instances of metadata access. [TNT Report]
Following discussions with Ireland’s Office of the Data Protection Commissioner, Facebook will now allow users across the globe to modify the way they see ads in the site’s own settings instead of utilizing a third party to get the same results. “We’re introducing an additional way for people to turn off this kind of advertising from the ad settings page right on Facebook,” said Facebook Global Deputy CPO Stephen Deadman. “If you choose to use this tool, it will become the master control for online interest-based advertising across all of your devices and browsers where you use Facebook.” Meanwhile, Facebook hopes that a U.S. appeals court will permit its $20 million settlement regarding the “challenge to its use of social media images in advertising features” to stand. [The Independent] [Facebook’s new digital assistant ‘M’ will need to earn your trust]
After examining almost 1,500 apps and websites aimed at children, the Global Privacy Enforcement Network found 67% harvest personal information, with only 31% employing controls. Adam Scott of the UK Information Commissioner’s Office said, “The attitude shown by a number of these websites and apps suggested little regard for how anyone’s personal information should be handled, let alone that of children.” Canadian Privacy Commissioner Daniel Therrien noted, however, that a small number of websites and apps “did not collect any personal information at all, demonstrating it is possible to have a successful, appealing and dynamic product that is also child friendly and worry-free for parents.” Meanwhile, Microsoft is working to ensure children’s privacy regulations are observed in app advertising. [Source] [Kid-friendly websites, mobile apps often putting children’s privacy at risk, probe finds] [Canada’s privacy watchdog’s ‘bad blood’ with Taylor Swift]
TRUSTe has announced its TRUSTed Ads Compliance Manager has a new component: Dynamic Platform Detection. The program employs a “single smart tag” that companies can use to streamline opt-out functions on both desktop and mobile devices. “With the addition of Dynamic Platform Detection, TRUSTe is taking the industry one step closer to a universal opt-out which can be supported and guaranteed across a variety of connected advertising environments.” “Many consumers are embracing the convenience and benefits of connected devices,” said TRUSTe CEO Chris Babel. “However, the use of different tracking technologies to serve relevant ads across these platforms remains a privacy concern for consumers and a challenge to industry seeking to deliver and honor advertising preferences.” [TRUSTe Blog]
A new law has been implemented in Russia that in theory demands companies store data about Russian citizens on Russian territory, throwing thousands of firms with online operations into a legal grey area. The law, which came into operation this week, is part of an attempt to wrest control of the internet, which president Vladimir Putin has called a “CIA project”. The Russian authorities are keen to ensure greater access for domestic security services to online data, and lessen the potential for foreign states, especially the US, to have the same access. The law has created disquiet among internet giants such as Facebook, Twitter and Google, which would have to move data on Russian users to servers inside Russia and notify the Russian internet watchdog, Roskomnadzor, about their location. As is often the case with Russian legislation, the exact scope of the law is unclear. It could be left largely unimplemented, but always available as a tool to use when required. [theguardian.com]
Hong Kong Broadband Network (HKBN) has been “fined HK$30,000 in a landmark trial over using customer data for direct marketing despite receiving an opt-out request.” HKBN had pleaded not guilty, the report states, noting this is the first case “since an amendment to the Personal Data (Privacy) Ordinance took effect on April 1, 2013.” The Office of the Privacy Commissioner for Personal Data (PCPD) has received more than 500 complaints about direct marketing since the ordinance was amended, the report states, noting PCPD Stephen Wong has indicated organizations should regularly update their opt-out lists as those convicted “are liable to a maximum fine of HK$500,000 and imprisonment for three years.” HKBN has said it plans to appeal the fine. [The Standard] [Hong Kong Broadband Network received a fine of HK$30,000 for using customer data for direct marketing despite receiving an opt-out request. The fine is the first since amendments to the Personal Data (Privacy) Ordinance went into effect.]
Privacy Commissioner for Personal Data (PCPD) Stephen Wong said of the 40 cases involving the misuse of data in marketing referred to police in the last two years, “only three have made it to court.” Wong said the “benchmark for prosecution of such cases is high,” the report states. According to a study by the PCPD’s office and the University of Hong Kong, only 30% of complaints can be investigated; while Hong Kong residents are keenly aware of privacy rights, they aren’t as aware of the limitations of privacy law, the report states. Wong said his office receives about 18,000 inquiries a year, and last year received 1,700 complaints. [The Standard]
The Constitution Bench of the Supreme Court of India will soon pronounce whether the right to privacy is fundamental, and while India’s constitution doesn’t explicitly guarantee its citizens a right to privacy, the court has noted that “many of the fundamental rights of citizens can be described as contributing to the right to privacy.” Sudhanshu Ranjan writes, “In many subsequent cases, the right to dignity was held as a non-negotiable right. It is evident that the right to dignity is hollow without the right to privacy.” Though the court is still in this process, the government intends to introduce the DNA Profiling Bill soon, which includes “no safeguard against the misuse of data proposed to be collected under the bill.” [The Asian Age]
- Japan’s amended privacy law restricts cross-border sharing of personal data and specifically points to certification in APEC Cross Border Privacy Rules as satisfying the new requirements. Noteworthy changes here.
- South Africa’s Department of Justice and Constitutional Development has released a draft Cybercrimes and Cybersecurity Bill for public consultation.
- During its recent privacy gathering in the Philippines, the Asia-Pacific Economic Cooperation cemented the APEC Cross-Border Privacy Rules Privacy Recognition for Processors.
- Mexico’s National Institute for Transparency, Access to Information and Protection of Personal Data has decided to hand down three fines to financial institution Banorte for actions in contravention of the Federal Law on Protection of Personal Data Held by Private Parties and its regulations.
After allegedly breaking its 90-day, post-test deletion promise with Rutgers University, online proctoring software company Verificent deleted the biometric and personal student data gleaned from its Proctortrack program. “The data has been deleted in compliance with the agreement; spring semester student data was purged on September 1,” said a Rutgers University spokesman, adding, “Any student data obtained during an online exam is used only by Proctortrack to ensure compliance with testing policies” and “notice of the deletion began going out to the more than 3,000 students who chose to use the Proctortrack software.” Rutgers has said the company used the academic calendar and holidays to calculate the 90 days, which added to the delay. [Ars Technica]
Activist Theodore Frank has filed papers asking the Ninth Circuit Court of Appeals to vacate an $8.5 million settlement with Google. Frank alleges the settlement, which “requires Google to pay around $6 million to six nonprofits … and more than $2 million to the attorneys who brought the lawsuit” amounts to a payment to attorneys “with a change in accounting entries for another $6 million of Google money from its every-day charitable donations to a … settlement fund.” Meanwhile, a California appeals court has found that the rights of defendants in criminal cases to access “information that will aid in their defense does not extend before trial to social networking posts that are protected under federal law.” [MediaPost]
A group of 15 privacy scholars have filed a brief with the Supreme Court regarding Spokeo, Inc v. Robbins. To disallow the class-action against Spokeo would present significant detriment to the Fair Credit Reporting Act (FCRA), they suggest. “The FCRA’s consumer transparency requirements and remedial provisions were designed to encourage steady improvement in consumer reporting practices and to relieve pressure on public enforcement authorities,” the document abstract states, noting, “The Petitioner’s claim that Respondents cannot pursue it for its violations of the FCRA would unravel that bargain, preserving consumer reporting agencies’ broad immunity from suit while diminishing incentives to handle data fairly.” [Paper]
The news surrounding the Spokeo case continues with the White House throwing its hat in the ring via a 49-page brief that exhorts a Supreme Court ruling in favor of consumers. “Congress could reasonably conclude that the inclusion of false information in a report … should be treated as a legally cognizable injury to the individual consumer involved, even though the precise nature and extent of any later consequential harms may be difficult to verify in individual cases,” the brief states. [MediaPost]
A federal appellate court ruled unanimously that a class-action against Sony claiming the company violated the Video Privacy Protection Act (VPPA) cannot go forward. The court stated the law doesn’t provide a private right of action for retaining records beyond a time limitation, only for divulging that information. A California court cleared the University of California Los Angeles Health System of responsibility for the unauthorized release of a woman’s medical records. The incident occurred when a temporary worker—a “romantic rival”—used a doctor’s username and password to access the woman’s medical records and then texted them to others. [MediaPost]
Anti-abortion groups access information on women seeking abortions and then publish information on their websites. A few years back, Jonathan Bloedow filed a series of requests under Washington state’s Public Records Act asking for details on pregnancies terminated at abortion clinics around the state. For every abortion, he wanted information on the woman’s age and race, where she lived, how long she had been pregnant and how past pregnancies had ended. He also wanted to know about any complications, but he didn’t ask for names. This is all information that Washington’s health department, as do those in other states, collects to track vital statistics. Bloedow is an anti-abortion activist who had previously sued Planned Parenthood, accusing the group of overcharging the government for contraception. The health department had already given him data for one provider, he said, and was on the verge of turning over more information when Planned Parenthood and other clinics sued, arguing that releasing the records would violate health-department rules and privacy laws. The legal skirmish, and others like it nationwide, reveal a quiet evolution in the nation’s abortion battle. Increasingly, abortion opponents are pursuing personal and medical information on women undergoing abortions and the doctors who perform them. They often file complaints with authorities based on what they learn. [ProPublica, seattletimes.com]
Parents and lawmakers want more safeguards to prevent exposure of student data. Laptops, tablets and smartphones each year play a more prominent role in schools, despite lingering concerns that private companies and government agencies are using such devices to collect massive amounts of data that can be used to profile students. [US News]
A little more than 20 months after the EuroPriSe privacy certification seal changed hands on January 1, 2014, the new operation has awarded its first Website Certification Seal to the website of Versorgungsanstalt des Bundes und der Länder, Germany’s Pension Institution of the Federal Republic and the Länder. Previously, seals were only awarded to IT-based services for confirmation that data processing and collection met European data protection law. [Privacy Advisor]
More debates around online privacy are likely to emerge in the coming weeks with Apple’s expected release of its new operating system, iOS 9, which will include a new content-blocking feature allowing developers to block cookies, images and other trackers. Apple is also expected to implement new security and encryption features called App Transport Security, essentially providing HTTPS for apps. The move could have profound effects on the ad ecosystem, the report states. [Ad Exchanger] [Apple Moving Forward In App Privacy; Google…Not So Much?]
The Defense Advanced Research Projects Agency (DARPA) has launched a new privacy-focused project. Counter to the post-9/11 Total Information Awareness program that was eventually shuttered, “Brandeis” aims to cultivate technology for protecting individual privacy. DARPA Program Director John Launchbury, a cryptographer and computer scientist, said, “Privacy is a key enabler to things we care desperately about, like democracy and innovation.” DARPA is looking to collaborate with leading researchers and entrepreneurs and expects the project to last approximately four-and-a-half years, with a budget in the “tens of millions of dollars.” The early-stage research efforts DARPA will support include advanced cryptography, multiparty differential privacy and artificial intelligence for predicting an individual’s privacy preferences. [The New York Times]
According to new online program Onionview, which permits users to see where Tor nodes have been activated, there are now more than 6,000 such systems in use. “People think that Tor is 10 people running computers in their basements,” said Onionview creator Luke Millanta. “When people see the map,” he said, they can see “what 6,000 nodes around the world looks like.” The data also indicates a five-year peak in Tor nodes. In 2010, the count “consisted of less than 2,000 nodes, compared with 6,425 today,” the report states, adding that Germany and the U.S. lead the world in Tor use. [Wired] [This program lets you snap a photo of whoever’s trying to hack you]
WW – Report: Overheated Rhetoric Creates a ‘Privacy Panic Cycle’ for New Technologies, Warns Policymakers Not to Overreact
The Information Technology and Innovation Foundation (ITIF) today released a comprehensive analysis of how privacy advocates trigger waves of public fear about new technologies in a recurring “privacy panic cycle.” ITIF urged policymakers to recognize these panics and not allow hypothetical, speculative, or unverified claims to distort the policy process or inhibit new innovation. In a new report released today, “The Privacy Panic Cycle: A Guide to Public Fears About New Technologies,” ITIF outlines the stages of public panic and the factors and trends influencing these stages, along with examples of how the panic cycle has repeatedly played out throughout modern history—from the first portable camera to search engines to drones. [Infographic summary of the report] [Full Report] [WASHINGTON PRWEB]
In an interview with Slate, Finn Brunton, co-author of Obfuscation: A User’s Guide for Privacy and Protest, with fellow NYU Prof. Helen Nissenbaum, discusses the nature of online privacy and a new tactic—obfuscation—in the fight for relative Internet ambiguity. In their book, Brunton and Nissenbaum describe obfuscation as “the deliberate addition of ambiguous, confusing or misleading information to interfere with surveillance and data collection,” the report states. “Part of what we like about obfuscation is that it’s an approach that doesn’t rely on perfect technology perfectly implemented, or everyone getting onboard at the same time,” Brunton notes, adding it’s “not a replacement, but rather a supplement, a complement that we would see added to the existing toolkit of privacy protection practices.” [Full Story]
To date, the debate on Internet of Things (IoT) technologies has focused on companies’ abilities to keep their Internet-connected devices secure and government efforts to make sure proper privacy protections are in place. But at last week’s Security of Things Forum, both government and industry panelists said industry has to do more to protect consumers, because consumers do not always fully understand the privacy implications of using IoT devices. But Andrea Matwyshyn, a law professor at Northeastern University, also said regulators have to be careful when policy-making that they understand the technology as well, or risk overregulating. “In this case, we need a regulatory scalpel, not a regulatory axe,” she said. [The Christian Science Monitor] Republican commissioners from the FTC and the FCC warn the FCC’s move into the FTC’s Internet privacy jurisdiction will lead to excessive enforcement and uncertainty.
During the Intelligence & National Security Summit, Bill Evanina, director of the National Counterintelligence and Security Center (NCSC), introduced the NCSC’s new Know the Risk, Raise Your Shield campaign to raise spear-phishing awareness. Evanina said “91 percent of the breaches we’ve seen in the last few years have emanated from spear phishing,” adding, “Our adversaries do not need to use sophisticated attacks—it all starts with e-mails.” Understanding the danger of clicking mysterious links is “something we all need to do,” he said, noting, “If just a few people don’t click the link, it could prevent another huge breach in the future.” [Ars Technica]
Aiming to help organizations report threats, the Cloud Security Alliance is proposing establishing a scheme that would allow for the anonymous sharing of information. The Cloud Cyber Incident Sharing Centre would take in threat information and then, using algorithms, would “provide near-real-time correlation with reports supplied by other vetted members. If similarities are discovered, members can be alerted and provided with the related reports that contain additional attack indicators, valuable context and mitigation advice,” reads a CSA white paper outlining the proposal. Threat-sharing is especially important for the cloud industry because of how harmful a widespread attack could be given the cloud’s central role in IT structures. [Full Story]
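The correlation step the CSA white paper describes (members submit reports anonymously, the centre compares each new report with reports from other vetted members, and alerts both sides with the overlapping indicators and the other report’s context) can be sketched in a few dozen lines. The following is an added example written for this digest, not CSA code or a description of the centre’s actual design: the class names, the keyed-hash pseudonymisation of member identities, the Jaccard-similarity threshold and every report and indicator value are constructed for illustration.

```python
"""Toy model of anonymous threat-report correlation across sharing members.

Added example, not CSA code. Member identities are replaced by a keyed-hash
pseudonym so the centre can tell "same member" from "other member" without
exposing who reported; each incoming report is compared with earlier reports
from *other* members on the attack indicators they share, and an alert carrying
the shared indicators plus the earlier reporter's context is returned when the
overlap crosses a threshold. All reports and indicator values are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Report:
    member: str            # pseudonym, never the real member name
    indicators: frozenset  # normalised indicators: domains, IPs, file hashes
    context: str           # reporter-supplied context / mitigation advice


class SharingCentre:
    def __init__(self, secret: bytes, threshold: float = 0.5):
        self._secret = secret        # centre-held key for pseudonymisation
        self.threshold = threshold   # minimum Jaccard similarity to alert on
        self.reports = []

    def pseudonym(self, member_name: str) -> str:
        # Keyed hash: stable per member, but not recoverable or guessable
        # by anyone who does not hold the centre's key.
        digest = hmac.new(self._secret, member_name.encode(), hashlib.sha256)
        return digest.hexdigest()[:16]

    @staticmethod
    def jaccard(a: frozenset, b: frozenset) -> float:
        # Fraction of indicators the two reports have in common.
        if not a and not b:
            return 0.0
        return len(a & b) / len(a | b)

    def submit(self, member_name: str, indicators, context: str):
        """Store a report; return (pseudonym, alerts against other members)."""
        normalised = frozenset(i.strip().lower() for i in indicators)
        rep = Report(self.pseudonym(member_name), normalised, context)
        alerts = self._correlate(rep)
        self.reports.append(rep)
        return rep.member, alerts

    def _correlate(self, new: Report):
        alerts = []
        for old in self.reports:
            if old.member == new.member:
                continue  # a member's own history is not "other vetted members"
            score = self.jaccard(new.indicators, old.indicators)
            if score >= self.threshold:
                alerts.append({
                    "with": old.member,
                    "score": round(score, 2),
                    "shared": sorted(new.indicators & old.indicators),
                    "context": old.context,
                })
        return alerts


if __name__ == "__main__":
    # Constructed demo: two members see overlapping infrastructure.
    centre = SharingCentre(b"demo-key-not-for-production", threshold=0.4)
    centre.submit("Acme Corp", ["evil.example", "203.0.113.7", "sha256:0000"],
                  "blocked at egress proxy")
    _, alerts = centre.submit("Beta Ltd",
                              ["EVIL.example", "203.0.113.7", "198.51.100.9"],
                              "delivered via phishing mail")
    for alert in alerts:
        print("correlated with", alert["with"], alert["shared"], alert["context"])
```

The threshold is the interesting knob: too low and every report that mentions a popular hosting IP correlates with everything, too high and a campaign that rotates most of its infrastructure between victims is missed. A real centre would also weight indicators (a file hash is stronger evidence than a shared CDN address) and age reports out.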
The US Office of Management and Budget’s draft guidance on cybersecurity for federal contractors is facing criticism for being too lenient and too vague. In a letter responding to the draft, the US Chamber of Commerce wrote, “The guidance needs to be dynamic and not become an ossified checklist of requirements that fails to respond to actual threats.” And the US Professional Services Council called the guidance “too little, too late, and too flexible.” [FederalTimes] [The Hill] [WeLiveSecurity] [FedScoop]
Governor Jerry Brown (CA-D) signed into existence the California Cybersecurity Integration Center, a new agency with a chief goal of protecting the data of state organizations from breaches. “The center will serve as a central hub for the state’s online security and coordinate with state departments, federal agencies and tribal governments, utilities and other service providers, academic institutions and non-governmental organizations,” the report continues, adding that the move follows instances of IT non-compliance found by state auditors. [CBS Sacramento]
According to a study from Rapid7, several Internet-connected baby monitors lack basic security. Some of the monitors do not encrypt their data streams, and some use unchangeable administrator passwords, which are easy to obtain. Because the monitors are Internet-connected, once compromised, they could be used to jump to other devices on the same network. “Eight of the nine cameras got an F and one got a D-minus,” said researcher Mark Stanislav. [Fusion] [The Hill] [The Register] [ZDNet] [Rapid7 Paper]
According to a new study by Microsoft, many types of electronic medical record databases are vulnerable to data leaks even if they’re encrypted. In the paper, researchers describe gaining access to such information as sex, race, age and admission information using actual patient records from 200 U.S. hospitals, the report states. Given that, the researchers recommend such databases not be used, the paper states. The risk lies in the fact that encrypted data must frequently be decrypted to be useful, and the decrypted data is held in the computer’s memory, where it would be exposed if cybercriminals gained access. The paper will be presented at a security conference next month. [IDG News Service] [Microsoft researchers warn that some encrypted databases used for medical records aren’t so secure]
UN Special Rapporteur on Privacy Joseph Cannataci said the lack of oversight for UK surveillance activities is “worse than a bad joke” and possibly “downright dangerous.” Specifically, he said the three bodies with oversight powers, the Information Commissioner’s Office, the Intelligence and Security Committee and the Investigatory Powers Tribunal, are all under-resourced and incapable of undertaking the work necessary to keep in check “one of the largest intelligence set-ups in the Western world.” [Full Story] [UK: Man fined for flying drone at football matches and Buckingham Palace]
The NSA’s controversial program for the bulk collection of domestic phone call records has been granted extension for the last time, according to documents released. Under an order by the secret Foreign Intelligence Surveillance Court, the NSA is now allowed to continue collecting the data for a three-month period until Nov. 28. The permission was extended in June to Aug. 28. U.S. President Barack Obama approved as law in June the USA Freedom Act, legislation that reins in the program by leaving the phone records database in the hands of the telecommunications operators, while allowing only a targeted search of the data by the NSA for investigations. While some provisions of the Act took effect immediately upon enactment, the ban on bulk collection of call records allowed for a 180-day transition of the program. After Nov. 28, the NSA’s access to phone data collected so far, for the purpose of analysis, will end, according to a joint statement by the Department of Justice and the Office of the Director of National Intelligence. The data will, however, not be immediately deleted. If the court approves, the agency aims to keep the data for another three months and give technical personnel access to it “solely for data integrity purposes to verify the records produced under the new targeted production mechanism” permitted by the USA Freedom Act. In a related development, the U.S. Court of Appeals for the District of Columbia Circuit reversed a preliminary injunction on the collection of phone records by Judge Richard Leon of the U.S. District Court for the District of Columbia. The judge had earlier ruled that the NSA’s bulk collection of domestic phone records likely violated the U.S. Constitution. [pcworld.com] [Judges seem hesitant to stop NSA bulk collection before ban takes effect] The U.S. Court of Appeals for the District of Columbia Circuit ruled that the National Security Agency’s collection of metadata under the USA Freedom Act could continue until the bill’s expiration in November.
Vodafone failed to inform a Fairfax journalist that her phone records had been accessed by the company in a bid to uncover the source of her stories, despite senior staff acknowledging that the conduct was potentially illegal. The telco giant admitted in a statement that one of its employees had accessed “some recent text messages and call records” of investigative journalist Natalie O’Brien in January 2011. But O’Brien said the telco giant never informed her of the breach, which occurred shortly after she exposed major security flaws with Vodafone’s Siebel data system in a page one story on January 9, 2011. [stuff.co.nz]
Intelligence agencies in Colombia have been building robust tools to automatically collect vast amounts of data without judicial warrants and in defiance of a pledge to better protect privacy following a series of domestic spying scandals, according to a new report by Privacy International. The report published by the London-based advocacy group provides a comprehensive look at the reach and questionable oversight of surveillance technologies as used by police and state security agencies in Colombia. One tool developed is capable of monitoring 3G phone cell and trunk lines carrying voice and data communications for the whole country, according to the report. The system, called Integrated Record System, was built by police intelligence starting in 2005 and had the capacity of collecting 100 million cell data and 20 million text message records per day without service providers’ knowledge, according to the report’s authors. The report doesn’t say how the technology was used but such mass, automated collection of data isn’t explicitly authorized under Colombian law, according to the group, which based its findings on purchase orders and documents, many never seen before, and confidential testimony by people working in Colombia’s vast surveillance industry. [usnews.com]
To most Twitter users, URL link shorteners are a convenient way to stuff more into a 140-character message. But a proposed class action lawsuit filed this week alleges that the social media service is using them in violation of the Electronic Communications Privacy Act and California’s privacy law. The complaint brought in federal court in San Francisco from Wilford Raney and others similarly situated is claiming that despite Twitter’s assurances that users are allowed to “talk privately” among one another, “Twitter surreptitiously eavesdrops on its users’ private Direct Message communications. As soon as a user sends a Direct Message, Twitter intercepts, reads, and, at times, even alters the message.” The lawsuit uses a link to The New York Times as an example. The new lawsuit aims to represent two classes — every American on Twitter who has ever received a direct message and every American on Twitter who has ever sent a direct message. The claimed damages are as high as $100 per day for each Twitter user whose privacy was violated. Here’s the full complaint. [Hollywood Reporter]
September 1 marked the beginning of a new enforcement regime in the mobile ad space as the Council of Better Business Bureaus’ (CBBB) Online Interest-Based Advertising Accountability Program starts cracking down on the Digital Advertising Alliance’s Self-Regulatory Principles in the mobile environment. With exclusive comments from the CBBB’s Accountability Program Vice President and Director Genie Barton, this report examines what the CBBB will focus on enforcing and what businesses and app developers need to know in order to avoid an unwanted self-regulatory knock at the door. [The Privacy Advisor]
The US Justice Department (DOJ) has published a new policy regarding its use of cell-site simulator devices commonly known as Stingrays. Government agents will need to obtain a warrant before using the technology to locate mobile devices. They will be prohibited from gathering communication content, including pictures, and must regularly purge the data they do collect. [The Hill] [ComputerWorld] [Wired] [Ars Technica] [DOJ Policy Guidance]
The Department of Justice (DoJ) has announced a new policy for its use of cell-site simulators—known as stingrays—according to a DoJ press release. The policy requires law enforcement to obtain a warrant before deploying the technology. “Cell-site simulator technology has been instrumental in aiding law enforcement in a broad array of investigations, including kidnappings, fugitive investigations and complicated narcotics cases,” said Deputy Attorney General Sally Quillian Yates. “This new policy ensures our protocols for this technology are consistent, well-managed and respectful of individuals’ privacy and civil liberties.” The department-wide policy goes into effect immediately. Privacy advocates, however, say the new policy is flawed because of “substantial loopholes.” [Full Story]
Lawmakers and tech companies — including Google — are calling for the U.S. to extend certain Privacy Act rights to non-U.S. citizens. At issue is a data sharing “umbrella agreement” that U.S. and European Union negotiators agreed to earlier this week. The E.U. says that if Congress does not pass legislation extending the right to seek legal redress for privacy violations to non-U.S. citizens, the agreement is a no-go. The Judicial Redress Act, introduced by Sen. Chris Murphy (D-Conn.) and co-sponsored by Sen. Orrin Hatch (R-Utah), would allow the Attorney General to work with other agencies to designate certain countries whose citizens would have the right to enforce their data protection rights in U.S. courts. The lawmakers have cast the bill as urgent in light of its significance in the umbrella agreement negotiations. [The Hill]
The inspector general (IG) in charge of reviewing the Department of Homeland Security (DHS) issued a new report this week saying that the agency needs to improve the security of its information systems and establish a cyber-training program for analysts and investigators. “Without developing the department-wide training program, component personnel may not possess the skills necessary to perform their assigned incident response duties or investigative responsibilities in the event of a cyber attack,” the IG report states, adding, “We identified vulnerabilities on internal websites … that may allow unauthorized individuals to gain access to sensitive data.” The audit did say, however, that the DHS has improved coordination between agencies and set out nine recommendations for improvement. [Reuters]
The government is developing the National Intelligence Grid (NATGRID), which will fuse 21 personal information databases of Indian citizens, as well as National Population Register (NPR) information and biometric data from the Unique Identification Authority of India (UIDAI), accounting for 1.2 billion people. “The government’s defense is that it can anyway get access to such information under the Code of Criminal Procedure and NATGRID will expedite the process,” the report states. With the privacy and data protection bill still not approved after four years, the report suggests “the government wants to buy more time till UIDAI and the NPR complete the process of capturing biometric data in the entire country.” [The Business Standard]
A coming Senate Judiciary hearing on reforming the Electronic Communications Privacy Act (ECPA) will see legislators looking back to the 1967 Supreme Court case Katz v. United States to “revisit the ECPA’s roots” instead of simply reforming the “flawed” 1986 statute. The full committee hearing is set for 10 a.m. EST and will feature two panels of witnesses, including representatives from the Department of Justice, SEC and FTC, as well as the Tennessee Bureau of Investigation, Google, the Center for Democracy & Technology and the Software Alliance. [Full Story]
The recent IRS breach affecting more than 300,000 individuals has inspired the Senate Finance Committee to develop bipartisan taxpayer identity-fraud legislation, which will be debated Wednesday. “We need to do a better job of protecting taxpayers,” said Sen. Ron Wyden (D-OR). The bill would aim to “enhance taxpayer notifications regarding identity theft, push employers to file tax forms earlier and improve the electronic tax-filing system to speed processing and uncover more fraud” while intensifying sanctions for criminals. Meanwhile, the IRS confirmed that, for tax purposes, breach victims do not need to report identity-theft protection they receive. [The Hill]
- The Email Privacy Bill will get a markup in the Judiciary Committee this fall.
- 26 states have now passed drone-related legislation, and according to Government Technology, Kentucky may soon join them.
- Three California bills regulating drone use are awaiting the signature of Gov. Jerry Brown; media groups are pushing for a veto.
- A Maryland commission intends to write to the General Assembly asking it to consider amending the Maryland Public Information Act in order to put some restrictions on access to police body-camera recordings.
- Texas’s revenge porn law went into effect September 1.
- Some of the 22 amendments to the Cybersecurity Information-Sharing Act may not see a vote due to time constraints and other priorities in the Senate.
- Federal tech legislation worth watching includes bills on smart cars, breach notification and drones.
- During a House Judiciary Committee Subcommittee hearing, Rep. Darrell Issa (R-CA) said the Obama administration and the Federal Aviation Administration haven’t done enough on drone privacy issues.
- California’s Assembly has passed CalECPA, which aims to protect online communications from warrantless access. The bill now heads to the Senate for concurrence and then to the Governor for signing into law.
- California Assemblyman Ian Calderon (D-Whittier) has introduced the Privacy Expectation Afterlife and Choices Act, aiming to protect online privacy post-mortem.
- Illinois Gov. Bruce Rauner has vetoed “the most troublesome parts” of a bill to expand the scope of information subject to the state’s data privacy laws.
A Wakefield Research survey on behalf of Citrix Systems finds that employees’ awareness of breaches is growing much faster than their willingness to defend against them. While “U.S. workers are aware of threats to security and data and are feeling vulnerable … many fail to take basic security steps to protect their data … and some are not confident their companies are focused enough on the issue,” the report states. The survey found that 92% of “American workers believe security and data protection are priorities for the companies they work for,” but “88% believe companies say their data is more secure than it actually is,” the report states. [eWeek]
Some National Football League (NFL) teams now employ technology company Zebra’s radio frequency identification device (RFID), a uniform-attached tracking mechanism that collects data that may impact NFL goings-on from practice schedules to betting. “Every movement of every player now could be monitored within an accuracy level of all but a few inches,” the report states, adding, “But its most unexpected impact will have nothing to do with sports at all … Fortune 500 companies are watching the NFL closely, examining how they might incorporate the RFID chip to monitor every move of their onsite employees from the construction site, the office and beyond.” [Ars Technica] [How the NFL—not the NSA—is impacting data gathering well beyond the gridiron] SEE ALSO: [CBC News: How games, social media are changing the hiring game] | [CBC News: How new data-collection technology might change office culture] | [CBC News: WW – Companies Monitoring Personal Time, for ‘Self-Improvement’]
The discovery of a camera hidden in an exit sign at the Ontario Federation of Labour has prompted shaken employees to demand a complete electronic sweep of their office. Meanwhile, concerns have also been raised about other cameras contained in what appear to just be smoke detectors in public areas of the building, partly owned by the OFL. The Star has learned the demand for an office sweep is included in a grievance filed by the Canadian Office and Professional Employees Union (COPE), the union representing the employees. The grievance is scheduled to go to arbitration on Oct. 8. An email statement said that “every security camera in the OFL building is located in a public area where no one would have the expectation of privacy, and each security camera is trained on an entrance, a stairwell or an elevator.” “They are not, and have never been, used to monitor or discipline staff of the OFL or the OntFed building. These security cameras were installed on the advice of police because of persistent situations involving intruders who were harassing staff of the building and because of break-ins and thefts in the building.” [The Star] [US man loses job offer after sending naked selfies to boss]