13-20 July 2016

Canada

CA – OICC Recommends Reform to Access to Information Act

The Information Commissioner of Canada provided an opinion on the Access to Information Act. Priority recommendations to bring the Access to Information Act up to date include extending coverage to ministers’ offices and institutions supporting Parliament and the courts, establishing a comprehensive legal duty to document (with appropriate sanctions for non-compliance), addressing delays, repealing the exclusion for Cabinet confidences and replacing it with mandatory exemption, narrowing the exemption for advice and recommendations, and ensuring mandatory periodic review. [Office of the Information Commissioner of Canada – The Act is Ripe for Amendments | Consultation]

CA – Federal Warrant Reports Understate True Police Activity

“Clear gaps” in how the federal government reports invasive surveillance practices may hide the true scope of police activities, according to documents prepared for Canada’s privacy watchdog. Although the number of authorized wiretaps has “plummeted” since 2002, a January briefing for Privacy Commissioner Daniel Therrien suggests those numbers may mask police surveillance practices. “It would be erroneous to infer from the drop in overall warrants issued that surveillance is affecting fewer individuals,” reads the document, obtained under access to information law. “While federal authorities issued just over a hundred surveillance warrants last year (2014), they issued 792 notifications of surveillance to individuals previously targeted. From this, one can conclude more and more individuals are being named as targets in a warrant application. “With a single warrant from the Federal Court (police) may list dozens of individuals for surveillance targeting.” [Chronicle Herald]

CA – Ontario Privacy Watchdog Drops Case Against Toronto Police Over Attempted Suicide Info

Ontario’s privacy commissioner is no longer taking legal action against Toronto police over the sharing of attempted suicide-related information with U.S. border services. The Information and Privacy Commissioner’s office says it has withdrawn its case because the force has developed new procedures to better protect people’s privacy. The privacy commissioner’s office, which investigated the issue, said since launching its legal action, Toronto police worked with the RCMP to create a new mechanism allowing all police services to suppress suicide-related entries from being accessed by U.S. users of the Canadian Police Information Centre database. [GlobalNews]

CA – OIPC AB: Access to PI Puts Individuals at Risk of ID Theft and Fraud

The Alberta OIPC reviewed a breach notification for ABS-CBN Canada Remittance Inc., pursuant to the Personal Information Protection Act. The incident resulted from a deliberate attempt to obtain unauthorized access to personal information, and the information was successfully used to process fraudulent transactions; the personal information involved was sensitive information, including name, address, identification document and number, place of issue and expiry date (if SIN was listed, only last 4 digits recorded), and information about whether an individual or family member is a politically exposed foreign person. [OIPC AB – P2016-ND-31 – ABS-CBN Canada Remittance Inc.]

EU Developments

UK – ICO Issues Guidance on ‘Internal Breach Reporting Procedure’

Although it remains unclear whether the General Data Protection Regulation (GDPR) will directly apply in the UK in light of the country’s vote to leave the EU, the UK watchdog has published a new piece of general guidance to help companies understand what their duties are under the new legislation. In its overview of the GDPR, the ICO explained, among other things, what organisations should do to prepare for new data breach notification rules. Those rules require them to tell data protection authorities and the public about personal data breaches they experience in certain circumstances. Organisations should put in place an “internal breach reporting procedure” so that they can comply with their obligations to notify personal data breaches under new EU data protection laws, the UK ICO has said. “You should make sure that your staff understands what constitutes a data breach, and that this is more than a loss of personal data,” the ICO said. “You should ensure that you have an internal breach reporting procedure in place. This will facilitate decision-making about whether you need to notify the relevant supervisory authority or the public.” [Out-Law] See also: U.K. Information Commissioner has issued guidance on the General Data Protection Regulation and what the country’s imminent exit from the EU does to implementation.

EU – UK’s ICO Pushes Alternative to Consent-Based Cookie Rules

In response to a European Commission consultation on potential reforms to the EU’s Privacy and Electronic Communications (e-Privacy) Directive, the ICO said the rules should be updated and “seek to achieve a proportionate balance between the legitimate interests of information society services and the privacy rights of individuals”. “There is a case for an exemption or an alternative basis for processing other than consent, particularly in cases where the privacy impact on the individual is minimal,” the ICO said. In its consultation response the ICO also said that all forms of direct marketing via electronic communications should be subject to an opt-in consent requirement. Currently, some types of direct marketing activity can be carried out on an opt-out basis. Some social media communications should be considered subject to the e-Privacy rules on direct marketing. The ICO criticised rules that place restrictions on the processing of location and traffic data by internet service providers and mobile network operators. It urged that the provisions be deleted, as conditions on such data processing are “covered by the GDPR”. The GDPR, or General Data Protection Regulation, is the EU’s new broad data protection framework, which will come into effect in May 2018. The ICO said: “Revised e-Privacy rules should avoid dictating business models, especially where there is minimal privacy impact for the individual.” The watchdog also said that the penalties regime for infringement of e-Privacy rules should not necessarily reflect that outlined under data protection laws since breaches do not always concern personal data. At the moment, the maximum fine for infringement, of £500,000, that can be issued under the UK’s Privacy and Electronic Communications Regulations is the same as that which can be issued under the Data Protection Act. [The ICO’s consultation response] [Out-Law News]

EU – Study: More than 75% of Cloud Apps Not in Line with GDPR Regulation

A Netskope survey of 22,000 cloud apps has found that more than 75 percent are out of compliance with the General Data Protection Regulation that will go into effect in less than two years. “This is the first time that data processors [cloud providers] actually have a direct compliance risk and obligation under the regulation,” said Intralinks Global Data Privacy Officer. “Now, it’s actually both data processors and data controllers. They would be liable and they have their own obligations under the GDPR.” As such, “Every organization should be keeping a frequently updated and well-documented data security risk assessment within easy reach,” said ESET’s Stephen Cobb. “You should be doing that regardless of GDPR, but GDPR is one more reason you should be doing it.” [SearchSecurity]

Filtering

CA – Google Faces Landmark Legal Fight, Advocacy Groups Rally in Support

The Supreme Court of Canada will soon have to assess whether Canadian courts have the authority to block search results outside of Canada’s borders, and under which circumstances a litigant can seek an injunction against a “non-party” that had nothing to do with the original lawsuit — in this case, Google. A spokesperson has confirmed that it submitted its brief to the Supreme Court last month, and it expects the court to hear the case in early December. The Wikimedia Foundation isn’t the only body to file a motion in support of Google — according to the SCC’s official proceedings page, the following entities have recently filed motions to intervene: Software Freedom Law Centre, Center for Technology and Society, Dow Jones & Company, Reporters Committee for Freedom of the Press, American Society of News Editors, Association of Alternative Newsmedia, The Center for Investigative Reporting, First Amendment Coalition, First Look Media Works, Human Rights Watch, and others. [Venturebeat]

US – Judge Reignites Debate Over Researching Jurors Online

Mining prospective jurors’ Facebook, Twitter and other social media accounts is common practice for many attorneys looking to spot biases that might cost their clients a fair trial. The American Bar Association has said the searches are ethical, and a ruling by the Missouri Supreme Court bolstered arguments that attorneys have a duty to do online research of prospective jurors. Still, some judges have deemed the online searches invasive and banned them. Now a federal judge’s ruling in a copyright battle between Silicon Valley heavyweights Oracle and Google has reignited debate about the practice while also offering a potential middle ground. U.S. District Judge William Alsup, raising concerns about prospective jurors’ privacy, said attorneys could research the jury panel, but would have to inform it in advance of the scope of the online sleuthing and give the potential jurors a chance to change online privacy settings. Otherwise, they had to agree to forgo the searches. The ruling prompted a fresh wave of discussion in legal circles about how aggressively attorneys should be allowed to investigate jurors’ online personas and how beneficial the searches are. [Source]

Finance

UK – Bitcoin Benefits System Criticized On Privacy, Security Grounds

Much to the consternation of privacy advocates, the Department for Work and Pensions has begun a test of the GovCoin Systems’ bitcoin and blockchain program to provide welfare recipients with their benefits. While some maintain that blockchain payments increase security, others, like the Open Data Institute, aren’t so sure. “Experimenting with putting highly personal data in immutable data stores is fraught with danger,” said ODI Technical and Deputy Director. “To avoid undermining trust in government’s use of data, DWP should be much more open and transparent about the policy objective of these trials.” Both GovCoin and the DWP said they were aware of the security concerns and were continuing to develop safeguards. [Financial Times]

FOI

CA – OIPC SK Issues Guide to Exemptions for FOIP and LA FOIP

The OIPC SK has published guidance on exemptions pursuant to Saskatchewan’s: The Freedom of Information and Protection of Privacy Act; and The Local Authority Freedom of Information and Protection of Privacy Act. Exemptions in both statutes can be distinguished by the wording of the provision; use of the phrase “shall refuse” indicates a mandatory exemption, but some exemptions specify the conditions under which a public body may still release information. Many discretionary exemptions require the application of a multi-part test that must be met in order for the exemption to apply, and/or a clear cause and effect relationship between the disclosure of a record and the harm that is alleged to reasonably result. [OIPC SK – IPC Guide to Exemptions for FOIP and LA FOIP]

US – Database of Excuses the Govt Uses to Withhold Public Info Being Built

We’ve entered something of a golden era of government transparency—or at least, a golden era of journalists and interested citizens filing information requests with government agencies. Freedom of Information Act requests have increased greatly as the internet and services such as Muckrock, a tool that fills out sample language for information requests and then tracks them, have made filing easier. But there’s one major problem: Federal agencies use lots of different tactics to avoid actually releasing all sorts of documents, and few journalists actually know how to fight back against the system. It’s not entirely their fault: Enforcement of different FOI “exemptions” varies by agency and often depends on which specific FOIA officer handles the request. At the state level, where a patchwork of “sunshine” laws govern what records are public, well, things are even more of a mess. By creating a central repository for FOI exemptions, Muckrock is in a better place to challenge them and to effect change. If most states, for example, allow FOI requesters to obtain police body camera footage but a couple exempt that data, Muckrock and others can push for greater transparency in those states that don’t allow it by floating model FOI legislation with friendly lawmakers. Crowdsourcing data on which FOI exemptions are most common will also help Muckrock identify problem areas—if certain states are inappropriately claiming that certain records are part of “internal deliberations” (a common FOI exemption in many states) when they shouldn’t be, there may be grounds for a lawsuit or a public shaming campaign that could help change things. [Motherboard]

CA – Edmonton Council Votes to Review Privacy Rules

City council voted to review its privacy rules this week, with some councillors musing more information should become public once sensitive matters have been decided. Edmonton has no automatic process for declassifying information. Coun. Michael Oshry wasn’t sure if the audio of the discussions should ever be public, even after 10 or 15 years. Coun. Mike Nickel put the privacy issue on the agenda, suggesting all private discussions should eventually become public and asking administration to come back with a list of policy options. He filed a two-page inquiry that Mayor Don Iveson ruled had to be entered as a motion. Council voted unanimously to accept it. Nickel also wants a policy to make council memos public, especially when they are a followup to a question asked at a public meeting. He also wants Edmonton to review its freedom of information process and add a review so redacted information can be released when it’s no longer sensitive. [Edmonton Journal]

CA – Canadian Researchers Who Commit Scientific Fraud Are Protected by Privacy Laws

78 Canadian scientists have fabricated data, plagiarized, misused grants, or engaged in dodgy scientific practices in projects backed by public funds, a Star analysis has found. But the publicly funded agency responsible for policing scientific fraud is keeping secret the details surrounding these researchers. The scientists’ names, where they worked and what they did wrong is not made public because that information is protected under federal privacy laws. “If you were going to be a fraudulent scientist or plagiarist, or you want to steal grant money, Canada is an excellent place to live,” said Amir Attaran, a professor in the faculties of law and medicine at the University of Ottawa. Making public the names of research wrong-doers and their transgressions, he said, would “keep scientists honest.” And because the agency doesn’t follow up with police, it’s not known if any of the researchers faced criminal charges. [The Star]

WW – Google Says Government Requests for User Data at All-Time High

Government requests worldwide for user data related to search engine traffic on Google increased 29% from 2014 to 2015, according to the search site’s most recent Transparency Report, which was published today. Google reports on the government requests every six months. In the second half of 2015, it said it received more than 40,000 requests for data related to more than 81,000 user accounts. That compares to the first half of the year when Google received about 35,000 requests related to about 69,000 accounts. In the second half of 2014, Google received 31,140 requests from U.S. entities for user information related to more than 50,000 accounts. By far, the U.S. leads the world in government requests for data, followed by Germany with 11,562 requests. Google agreed to hand over “some” user data for 64% of the requests worldwide, but it handed over data for U.S. government requests 79% of the time. [ComputerWorld] See also: Google’s latest transparency report shows record government data requests | How Google became a champion for government transparency.

Health / Medical

US – HHS: HIPAA Struggling to Keep Up with Health Apps, Wearables

A U.S. Department of Health and Human Services study found HIPAA is struggling to keep up with the growing number of wearable fitness trackers, mobile health apps and online patient communities. “Health privacy and security law experts have a reasonably clear idea of where HIPAA protections end, but the layperson likely does not,” said the HHS’ Office of the National Coordinator for Health Information Technology report. “Moreover, even entrepreneurs, particularly those outside the health care industry … may not have a clear understanding of where HIPAA oversight begins and ends.” The HHS report, which was originally due in 2010, does not offer any suggestions for filling the lapses in legislation. “At the end of the day, it’s a very complicated environment that we find ourselves in,” said ONC for Health Information Technology Chief Privacy Officer. “We believe we’re fulfilling our duties. If Congress has concerns about that, I’m sure that we will hear about them.” [ProPublica] [Morning Consult: US – Lawmakers Call for Privacy Safeguards in Health Apps, Wearables] [Health Data Management: US – Privacy, Security Concerns Continue to Cloud Mhealth’s Future]

US – NIST and ONC Host White Paper Challenge on Blockchain in Health Care

The Office of the National Coordinator for Health Information Technology and the National Institute of Standards and Technology have created a challenge asking for white papers on the potential benefits of blockchain technology in health care. The “Blockchain and Its Emerging Role in Healthcare and Health-related Research” asks for submissions addressing the “privacy, security and scalability of health records.” Submissions are accepted through Aug. 20, and winners will present their papers at an ONC and NIST workshop. [HealthITSecurity]

WW – Active Market for Healthcare Records Looms as Newest Cyber Threat

Offers to sell patient records with protected health information on the “Dark Web” market represent a new level of threat for healthcare organizations trying to protect health information, offering further monetary inducement to hackers trying to access records. The addition of a new potential for profiting from hacking could increase the “demand” side of the equation for records, increasing the likelihood of attacks and the need for healthcare organizations to stiffen defenses. In late June, a hacker known as “The Dark Overlord” reported the theft of nearly 10 million patient medical records from providers and a major insurer and put them on the Dark Web market where hackers buy and sell data taken from a variety of sources. The extent of the data theft has not been verified by outside sources. But what this hacker started—the creation of a new market for patient records—will only expand, cybersecurity professionals believe. OWL Cybersecurity said the information that is available is unencrypted plain text that includes usernames and passwords. It said the Dark Overlord reported the total includes 48,000 records from a provider in Farmington, Mo.; 210,000 records from a healthcare organization in the Midwest; 397,000 records from a provider in the Atlanta region; 34,000 records from a provider in New York State; and 9.3 million records from an unidentified insurer. Those figures have not been independently verified. [Info Management]

US – HHS Releases Healthcare Ransomware, HIPAA Guidance

According to new HIPAA guidance, ransomware attacks must be reported to the Department of Health and Human Services (HHS). The guidance “describes ransomware attack prevention and recovery from a healthcare sector perspective, including how HIPAA breach notification processes should be managed in response to a ransomware attack.” HHS has created a fact sheet to help covered entities keep ePHI secure and follow HIPAA regulations. Conducting a risk analysis, regular user training, and maintaining an overall contingency plan are just a few of the recommendations from the Department of Health and Human Services (HHS) in its recent healthcare ransomware and HIPAA guidance. The new guidance is meant to help covered entities and business associates reinforce their adherence to HIPAA regulations, and also better prevent, detect, contain, and respond to threats. Electronic data being compromised through cybersecurity threats, including ransomware, is one of the biggest current threats to the industry, Office for Civil Rights Director Jocelyn Samuels explained in a blog post. [HealthIT Security]

Horror Stories

CA – Doctor Fired for Unauthorized Access to Patient Files

Vitalité Health Authority has fired a doctor who accessed more than 100 sensitive medical records of young women. A New Brunswick College of Physicians and Surgeons notice said Dr. Fernando Rojas violated the ethics of the Canadian Medical Association and the College of Physicians and Surgeons. Vitalité CEO Gilles Lanteigne said processes are being implemented to prevent a similar breach from happening in the future. He said, “We put in place the systems where as we would receive red lights way sooner in the process, so that’s one thing we’ve learned,” adding, “The other thing is that the magnitude of the impact of the breach has on a person, you know, it really brought this to light how important that is.” [CBC] See also: [P.E.I. care home employee fired after photo of deceased resident shared on Snapchat]

CA – Phoenix Pay System Also Breached Federal Workers’ Privacy

A dysfunctional compensation system that’s withholding paycheques from federal workers has also been breaching their privacy. Newly released documents show senior officials were warned as early as Jan. 18 that the new Phoenix system has a flaw that allows widespread access to employees’ personnel records, including social insurance numbers. Despite the warning, the faulty software was broadly implemented this spring — without alerting the unions or any employees that their private details were no longer secure. The disclosure of a massive privacy breach appears in documents obtained by CBC News under the Access to Information Act, deepening a crisis that has already touched some 80,000 public servants and triggered a wave of hiring to patch the problems. The briefing material prepared by Public Services and Procurement Canada indicates that up to 70,000 public servants had access to the personal details of all 300,000 employees covered by the system. A spokeswoman for Canada’s privacy commissioner confirmed the department “has reported this matter to our office and we have followed up with them.” Valerie Lawton said she could provide no further details. [CBC]

Identity Issues

CA – OPCC Issues Guidance on Customer Identification and Authentication

The Office of the Privacy Commissioner of Canada has published updated guidance on identification and authentication of individuals. Organizations should only identify or authenticate customers when necessary (i.e. to fulfill the transaction), individuals should provide appropriate consent for provision of personal information, and authentication levels (e.g. single factor, multi-layer, or multi-factor) should be commensurate with identified risks; reliable audit records should be maintained (including date, time, and failed attempted authentications) with the level of detail reflecting associated risks. [OPC Canada – Guidelines for Identification and Authentication]

Law Enforcement

US – Boston Police Body Camera Pilot Program Raises Privacy Questions

A group of 100 Boston Police officers will soon volunteer to take part in a six-month pilot program that would explore the use of body cameras by the department, the mayor’s office announced last week. The program incorporates recommendations from several privacy and police accountability groups, which they believe balance privacy with improving department transparency. The ACLU, along with the Boston NAACP and the Boston Police Camera Action Team, praised the Boston Police Department for incorporating recommendations it felt balanced civilian protection while improving transparency in police interactions with the public. Those include a requirement that officers activate the cameras when engaged in most “potentially adversarial” encounters with the public; privacy protections for those in homes or other sensitive situations with an expectation of privacy; an explicit ban on using the cameras to record civilians based only on their “political or religious beliefs or upon the exercise of the civilians’ First Amendment rights;” and a ban on any kind of biometric capabilities in the camera — including face recognition technology. [Source]

US – Taser Plans to Livestream Police Body Cam Footage to the Cloud by 2017

Could police officers someday identify criminals just by looking at them? That’s the vision being touted by Taser International, which holds a monopoly on “conducted electrical weapons” for law enforcement and is aiming to build one for police body cameras. Facial recognition has been part of Taser’s plan. It’s been mentioned in Taser press releases as far back as 2009. In 2010, a Taser spokesman told GQ that Axon would turn “every cop [into] RoboCop.” “You’ve already got the ability to use cameras to tap into databases to find the license plates of stolen vehicles and overdue parking tickets,” said Stan Ross, CEO of Digital Ally, one of a growing number of companies fighting for market share in the fast-growing body camera industry. The business case for facial recognition is obvious. Cops and police chiefs who are aware of facial recognition “are really excited to try it.” Robert Vanman of WatchGuard—another body camera competitor—had similar thoughts. “In regards to facial recognition, WatchGuard will certainly be deploying that technology in the future,” he said. “We are the clear technology leader in hardware, and we plan to keep it that way.” But Vanman brought the discussion down to earth. “Facial recognition will require enough pixel resolution to be effective (to get good recognition results the image needs to contain about 50 pixels between the eyes),” he wrote. “To run facial recognition algorithms in real time will require substantial processing power and an on-camera database (which will require frequent updating). Those elements work against the battery life needs.” So there are practical challenges—video resolution that isn’t yet crisp enough; and battery life that isn’t yet long enough. Not to mention that some police departments can’t even get decent enough internet speeds to download their body cam footage to in-house servers, let alone livestream them to the cloud. [Motherboard]

Online Privacy

US – Nobody Reads Terms of Service, Privacy Policies: Study

A new study found that nearly three-quarters of the 543 university students surveyed skipped over the terms of service of a social media site they thought was real. Researchers included clauses, which users agreed to, stating that they had until 2050 to give up their firstborn and that their data would be shared directly with the U.S. National Security Agency. The paper, titled “The biggest lie on the Internet: Ignoring the privacy policies and terms of service policies of social networking services,” was written by York University communication technology professor Jonathan Obar and University of Connecticut communications assistant professor Anne Oeldorf-Hirsch. Those few who did read the terms of service and privacy policy spent on average 51 seconds and 73 seconds on each, respectively. [Ars Technica] [PC World]

Privacy (US)

US – Court: U.S. Agents Can’t Access Data Held On Overseas Computers

Microsoft Corp. won a major legal battle with the U.S. Justice Department Thursday when a federal appeals court ruled that the government can’t force the company to turn over emails or other personal data stored on computers overseas. The case, closely watched by Silicon Valley, comes amid tensions between Europe and the U.S. over government access to data that resides on the computers of social-media and other internet companies. The ruling is another setback for the Justice Department’s efforts to force technology companies to comply with government orders for data, following the collapse earlier this year of two cases involving Apple Inc.’s refusal to help open locked iPhones. The ramifications of Thursday’s ruling by the Second U.S. Circuit Court of Appeals in Manhattan could be sweeping. If the appeals court’s legal rationale stands, it could influence companies’ and their customers’ decisions about how and where to store data. It also alters the course of talks between the U.S. and other governments, in terrorism and criminal cases, about access to evidence stored in servers on foreign soil. In a statement, Microsoft President and Chief Legal Officer Brad Smith called the decision “a major victory for the protection of people’s privacy rights under their own laws, rather than the reach of foreign governments.” [Wall Street Journal]

US – US Plans Would Allow Foreign Gov’ts to Serve Warrants on US Tech Firms

In the wake of last week’s U.S. court decision in the Microsoft warrant case, the Justice Department plans to secure a series of international agreements with certain countries that would allow them to serve warrants on U.S. internet companies. Justice Department senior official Brad Wiegmann said the deals would allow governments — for example, the U.K. — to serve warrants directly on U.S. companies. Such an arrangement between the U.S. and U.K., however, would require legislative approval from both nations. “These agreements will not be for everyone,” Wiegmann explained. “There will be countries that don’t meet the standards.” The Center for Democracy & Technology’s Greg Nojeim expressed concern about the plan, noting it would be “swapping out the U.S. law for foreign law,” arguing the U.K. has less robust warrant requirements. A British diplomat disputed Nojeim’s assessment, stating the U.K. would apply strict judicial scrutiny of such warrants. [The Wall Street Journal]

US – Appeals Court Rules Mugshots Do Not Need Public Release

The 6th U.S. Circuit Court of Appeals ruled mugshots do not need to be released to the public, but instead, can be reviewed on a case-by-case basis. The hearing was held en banc, with a 9-7 vote in favor of the notion that arrested individuals have a privacy interest in not having their mugshots publicized, overturning a decision the same court made in 1996. Judge Deborah Cook said booking photos fall under the Freedom of Information Act exemption criteria 7(c), which includes potentially “embarrassing” personal information. “Booking photos — snapped ‘in the vulnerable and embarrassing moments immediately after [an individual is] accused, taken into custody, and deprived of most liberties’ — fit squarely within this realm of embarrassing and humiliating information,” Cook wrote. The Detroit Free Press may ask the Supreme Court for further review. [Courthouse News Service]

US – Precedent Set for Stingray-Gleaned Evidence

In a first-of-its-kind ruling, U.S. District Judge William Pauley has decided that the U.S. Drug Enforcement Administration’s use of stingrays when collecting evidence against defendant Raymond Lambis was a violation of his rights. Agency officials had used the device to determine the location of Lambis’ cellphone for a drug-trafficking case, evidence that Judge Pauley suppressed. “Absent a search warrant, the government may not turn a citizen’s cellphone into a tracking device,” Pauley said in his decision. The third party doctrine does not apply; cell phone users do not voluntarily submit their location data to their provider, and there is no third party (with the cell-site simulator, the government cuts out the provider and obtains the information directly). The ACLU hailed the move as one that “strongly reinforces the strength of our constitutional privacy rights in the digital age.” While the prosecutors can pursue an appeal, they have not yet moved to do so, the report states. [Reuters: Precedent Set for Stingray-Gleaned Evidence] [United States of America v. Raymond Lambis – 2016 U.S. Dist. LEXIS 90085 – United States District Court For The Southern District Of New York]

Security

WW – Ponemon Study: Companies Lack Resources to Spot Cyberattacks

According to a report from the Ponemon Institute, nearly 80% of businesses say they do not have sufficient infrastructure or personnel to monitor their networks for and defend their networks against cyberattacks. Only 17% say they have established formal, company-wide intelligence gathering processes. [ZDNet]

UK – UK ICO Issues Basic Security Guidance on Baby Monitors

Two years after it was revealed that a creepy Russian website was allowing users to watch more than 73,000 live streams from unsecure baby monitors, the UK’s data watchdog has warned that manufacturers still aren’t doing enough to keep their devices safe from hackers. The privacy breaches have prompted the ICO to issue guidance to help users guard against opportunistic hackers, and people using the murky likes of the Shodan search engine to browse the Internet of Things. The ICO lists six basic steps parents can take to help prevent casual hackers:

  • Research the most secure products
  • Secure your router with a strong password
  • Secure the device by changing its default password
  • Check manufacturer’s websites for security updates to out-of-the-box software
  • Read the manual to see if there are extra measures listed
  • Use two-step authentication, if you can

The ICO declined to name any of the sites where streams are available, but a spokesperson said that “you can connect to these devices directly, so there’s no intermediary website as such.” [Ars Technica]

Surveillance

US – FAA Drone Bill Drops Key Privacy Provisions

A Federal Aviation Administration reauthorization bill that was passed by the Senate this week has excluded key privacy provisions, including a requirement that commercial and government users of drones must disclose if they collect personally identifiable information of a person. The provisions would put checks on the collection of personal data by drone operators, including the government. The bill passed this week would prohibit drones from interfering with emergency response activities, such as wildfire suppression and law enforcement, and provides for civil penalties of not more than US$20,000 for those found in violation. Drones are also to be used for firefighting and restoration of utilities. The bill, which is a compromise short-term extension to ensure continued funding at current levels to the FAA, was passed by the Senate and goes to President Barack Obama to be signed into law, two days before the current authorization is to expire. It was earlier passed by the House of Representatives. But Senator Edward J. Markey, a Democrat from Massachusetts and a member of the Commerce, Science, and Transportation Committee, said that the new bill, called the FAA Extension, Safety, and Security Act of 2016, was “a missed opportunity.” It does not include drone privacy provisions that he authored and were included in the Senate version of the FAA reauthorization bill that passed in April this year, the senator said in a statement. [PC World]

US Legislation

US – Legislative Roundup

+++

5-12 July 2016

Biometrics

UK – NHS Sending 1M Eye Scans to Google’s DeepMind

Google’s DeepMind division will receive 1 million anonymized eye scans from Moorfields Eye Hospital to help train its artificial intelligence system to identify signs of disease. DeepMind’s machine learning algorithms will examine the scans for symptoms of diseases such as macular degeneration and diabetes-related vision loss. The collaboration, however, has already raised some privacy concerns. In a letter to Moorfields, tech journalist Gareth Corfield cited the Data Protection Act, writing, “To be crystal clear, I have not consented for my personal data to be used by Moorfields NHS Trust for any purpose other than treating me for genuine medical purposes.” The announcement comes after Google’s AI system faced criticism for its collaborations with three small London hospitals. [BBC]

Big Data

WW – IDEAS Conference to Address Digital Privacy Issues in an Era of Big Data

All it takes is 300 “likes” while you’re scrolling through your newsfeed — that’s the point at which Facebook knows you better than your own spouse or your best friend. So if you’re averaging 10 “likes” a day, it will take just a month for the social network behemoth to have you figured out more accurately than the people you consider your soul mates. And if you’re a compulsive clicker of the “thumbs up” icon, Facebook may have insight into your innermost thoughts and feelings in a mere week-and-a-half. [Montreal Gazette]

Canada

CA – PIPEDA Amendments Creating General Obligation to Notify Individuals and Privacy Commissioner of a Breach Not Yet in Force

Canada’s federal privacy law does not currently include a general obligation to provide notification of breaches (the OPC has issued best practice guidelines that strongly encourage such notification); after the amendments to PIPEDA come into effect, organizations will be required to notify the OPC and affected individuals of any breach where it is reasonable to believe that the breach creates a real risk of significant harm to the individual. [Global Guide to Data Breach Notification – Canada – Peter Ruby and Rachel Ouellette, Goodmans LLP and George Pollack, Davies Ward Phillips & Vineberg (Pages 22 – 32)] See also: the Office of the Privacy Commissioner of Canada has issued a call for proposals seeking applicants to organize and host the next research symposium in the Office’s Pathways to Privacy series.

CA – Toronto Real Estate Board Increases Efforts to Overturn Tribunal’s Ruling

The Toronto Real Estate Board is stepping up its efforts in court to overturn a decision by the federal Competition Tribunal that allows more detailed home sales data to be released on the Internet. TREB reiterated its concerns that the tribunal’s April 27 order mandating wider access to the industry’s Multiple Listing Service (MLS) database violates privacy law and the rights of buyers and sellers. On May 27, the real estate board filed a notice of appeal to challenge the ruling in the Federal Court of Appeal and last week, it asked the court to stay the tribunal’s decision. After a subsequent hearing last month to work out the details of its ruling, the Competition Tribunal said TREB’s active realtor members would be allowed to publish information online that is not currently being widely disseminated, including sales figures, pending sales and broker commissions. As part of this arrangement, virtual brokers would be permitted to display and analyze this data as freely over the Internet as other realtors currently share such information with their clients in person, by fax or over e-mail. Even as TREB continues to contest the decision in court, its information technology staff are working to upgrade its systems so it’s ready to comply with the order, which is set to come into effect on Aug. 3. [The Globe and Mail]

CA – Do Photographs Taken by a Landlord for Marketing a Rental Unit Offend Privacy Rights?

A recent decision of the Ontario Divisional Court has ruled that landlords of residential tenancies are not permitted to enter a tenant’s premises to take photographs in order to market the property for sale while it is occupied by another tenant, unless there is consent of that tenant or a specific provision in the lease permitting the taking and publication of photographs. In Juhasz v. Hymas (2016 ONSC 1650), the Ontario Divisional Court noted that the lease and legislation did allow the landlord to show the premises to prospective tenants or purchasers but that the lease did not contain a clause permitting entry by a real estate agent to take photographs for marketing the property for sale. [Source]

E-Government

US – How Presidential Candidates Sell Supporters’ PII to Other Candidates

What do failed presidential candidates do with their supporters’ email addresses once they drop out of the race for the White House? Nearly every GOP candidate in the 2016 presidential election has sold, rented or loaned their supporters’ addresses to other candidates, marketing companies, charities or private firms, CNNMoney found through an analysis of thousands of emails and Federal Election Commission records. The failed candidates have been able to make thousands of dollars through data sharing, with Marco Rubio taking home $504,651 and Rand Paul making $212,495. The practice is not illegal, as the campaign tells donors what will happen with their personal information when they give money to a particular candidate. [CNN Money]

E-Mail

CA – Private Right of Action Under Canada’s Anti-Spam Law (CASL)

As of July 1, 2017, individuals and organizations will be entitled to institute a “private right of action” before the courts against those that contravene certain provisions of Canada’s Anti-Spam Law (“CASL”). In the event of a contravention of the message rules in CASL, a monetary penalty up to a maximum of $1,000,000 per day may be imposed. This private right of action should be taken seriously right now. From this perspective and building on previous publications, this bulletin discusses this new mechanism. [Fasken] See also: [Emerging Limits on the Certification of Privacy Class Actions]

Encryption

WW – Facebook Testing Encryption for Messenger

Facebook has begun testing Secret Conversations, an end-to-end encryption feature for Messenger. Users will be able to create secret conversations that can be read on only one of the recipient’s devices. The cryptographic keys “are generated or derived on-device,” which means that Facebook never has possession of the keys. Secret Conversations will also let users determine how long the message will be visible. Starting July 8, a select number of Facebook Messenger users will test the social media site’s opt-in, end-to-end encrypted “secret conversations” feature. The site will make its “secret conversations” widely accessible starting “later this summer or in early fall.” [SC Magazine: Facebook testing ‘Secret Conversations’ end-to-end encryption feature for Messenger | Quartz: Facebook is testing encrypted, self-destructing messages | CNET: Facebook adds encryption to Messenger | Facebook: Messenger Starts Testing End-to-End Encryption with Secret Conversations] [WIRED]

CA – Encryption Keeping Police Out, Government Documents Indicate

Encryption and privacy technologies are making it increasingly difficult for Canadian law enforcement to use data in investigations. “Canadians are increasingly using mobile phone networks, the internet, and other electronic means to communicate and execute transactions with each other,” wrote public safety officials in the documents addressed to Minister Ralph Goodale. “This has led to a significant gap between the technologies available for criminal exploitation and our means to enforce Canada’s laws and keep Canadians safe.” The documents suggested having a “thoughtful discussion” on the best legal framework for encryption technology that benefits all, the report adds. [The Star]

WW – Google Testing New Encryption That Protects Against Quantum Attacks

Google has begun testing a new form of encryption in its Chrome browser designed to protect systems from quantum attacks. Google is adding a post-quantum key-exchange algorithm to a small number of connections between the desktop version of Chrome and Google’s servers. [Wired: Google Tests New Crypto in Chrome to Fend Off Quantum Attacks | ZDNet: Google is experimenting with post-quantum cryptography]

EU Developments

EU – EU Governments Approve Privacy Shield

The European Union’s 28 member states have approved Privacy Shield, the EU-US data transfer agreement crafted to replace Safe Harbor, which the EU high court struck down last autumn. Once the European Commission approves Privacy Shield, the agreement will take effect. European privacy groups are likely to challenge the agreement in court because they believe it does not go far enough to protect EU citizens’ privacy. [The Hill: Week ahead: EU set to finalize new data pact | eWeek: European Member States Approve Privacy Shield Agreement | BBC: Privacy Shield data pact gets European approval | SC Magazine: Privacy Shield gets nod from EU, ripe for judicial challenge]

EU – EU-U.S. Privacy Shield 2.0 Signed, Sealed and Delivered

The European Commission and the U.S. Department of Commerce-approved updated version of the EU-U.S. Privacy Shield was green lighted by a regulatory committee of EU countries July 8 and will be formally adopted and finalized the following week, the authors write as they discuss the outlines of the new data transfer pact. The updated Decision also clarifies that while the general rule will be that the Principles apply to a U.S. business immediately upon filing of the self-certification documents with the U.S. Department of Commerce, there will be an exception for cases where an organization has a pre-existing relationship with third parties. [BNA] [EU-US Privacy Shield agreement goes into effect: Tech companies welcome new data transfer agreement, but activists say it doesn’t do enough to protect privacy | New ‘Privacy Shield’ deal between U.S. and Europe is already catching flak | Say hello to the General Data Protection Regulation]

EU – European Parliament Approves Cybersecurity Law

The European Parliament has approved cybersecurity legislation that “establish[es] a common level of network and information security and enhance[s] cooperation among EU member states, which will help prevent cyberattacks on Europe’s important interconnected infrastructures.” The new rules affect a broad spectrum of business sectors, including finance, energy, transportation, and technology. [Bloomberg Technology | ZDNet: European lawmakers approve new cybersecurity law | Bloomberg: European Union’s First Cybersecurity Law Gets Green Light | European Parliament Press Release: Cybersecurity: MEPs back rules to help vital services resist online threats | European Parliament Press Release: Cyber security: new rules to protect Europe’s infrastructure] See also: The Digital Economy Bill had its first reading in the U.K. Parliament. The bill would allow for sharing of information between public bodies when there is a public benefit, increase online protection for minors, offer universal broadband access and more.

EU – EU Planning $2B Cybersecurity Research Investment

The European Union wants a $2 billion investment into cybersecurity research. The EU is planning on contributing $500 million to it and is asking industry to contribute the remaining $1.5 billion. The European Commission fears the EU economy is susceptible to cyberattacks, saying the incidents “could undermine the digital single market and economic and social life as a whole.” The $2 billion cybersecurity public-private partnership is “intended [to] boost cross-border research into cybersecurity, and to aid development of security products and services for the energy, health, transport and finance industries,” said the European Commission in a report published Tuesday. Developing strong levels of cybersecurity can also be a big advantage for the EU over other countries, the European Commission said, as IT security continues to accelerate in growth worldwide. [PCWorld]

EU – Norwegian DPA Critiques Facebook at Work’s Terms of Use

The Norwegian Data Protection Authority has reviewed Facebook at Work and found its terms of use do not stand up to the national Personal Data Act. The agency said businesses using Facebook at Work to conduct internal communications must create their own terms for Facebook’s part as the provider, as those companies are liable for protecting privacy and maintaining information security. Since Facebook is acting as the provider, and given the social network’s history of mining user data, the DPA said, “Facebook’s entry to the Norwegian workplace therefore requires vigilance in terms of privacy implications.” The agency expects to release a more in-depth analysis this September. [Telecompaper]

EU – Helen Dixon: DPC’s Resources Tied Up by ‘Ambulance Chasers’

Ireland Data Protection Commissioner Helen Dixon says her agency’s resources are being gummed up by “digital ambulance chasing.” At issue are a number of complaints about issues that could be considered “embarrassing or distressing” but not necessarily critical. “On this note,” she said, “I think we are starting to see the rise in digital ambulance chasers in terms of certain legal firms presenting volumes of cases to the office where essentially their goal is to obtain a formal determination of the data protection commissioner that organization x,y,z is in breach of data protection legislation.” Dixon said she wonders if these type of complaints “really represents anyone’s interests well,” noting they tie up the DPC when the “controller has already acknowledged the contravention and attempted to right the wrong.” [The Irish Times]

Finance

EU – Commission Places Stronger Controls on Bitcoin, Pre-Paid Credit Cards

The European Commission is looking to strengthen its efforts to stop financial crimes and terrorism funding by placing tighter controls on bitcoin transactions and pre-paid credit cards. “Today’s proposals will help national authorities to track down people who hide their finances in order to commit crimes such as terrorism,” said European Commission First Vice President Frans Timmermans. “Member States will be able to get and share vital information about who really owns companies or trusts, who is dealing in online currencies, and who is using pre-paid cards.” Virtual currency exchanges must now conduct stricter customer identification checks on customers exchanging fiat for bitcoin and other digital currency. To cut down on the number of anonymous transactions, pre-paid credit card thresholds for identification have been lowered from 250 euros to 150 euros. [Law360]

FOI

US – Private-Account Email Can Be Subject to FOIA: Court

On the same day that the FBI announced that the criminal investigation of Hillary Clinton’s use of a private email server is likely to conclude without any charges, a federal appeals court issued a ruling that could complicate and prolong a slew of ongoing civil lawsuits over access to the messages Clinton and her top aides traded on personal accounts. In a decision Tuesday in a case not involving Clinton directly, the U.S. Court of Appeals for the D.C. Circuit held that messages contained in a personal email account can sometimes be considered government records subject to Freedom of Information Act requests. The case ruled on by the D.C. Circuit focused on a relatively obscure White House unit: the Office of Science and Technology Policy. At least one federal judge handling a FOIA suit focused on Clinton’s emails said last month he was watching to see how the D.C. Circuit ruled in the dispute involving Obama science adviser John Holdren and an account he kept on a server at the non-profit Woods Hole Research Center in Massachusetts. After the free-market-oriented Competitive Enterprise Institute filed suit over a request for work-related emails sent to or from that private account used by Holdren, U.S. District Court Judge Gladys Kessler ruled last year that the government had no duty to search an email account that wasn’t part of OSTP’s official system. But the three D.C. Circuit judges who ruled Tuesday all said Kessler was too rash in throwing out the suit and they agreed the case should be reinstated. While the opinions in the case make no mention of Clinton or her private server, it seems evident that all three appeals judges involved are aware of the obvious analogy. [Source]

Genetics

EU – Sweden May Open National DNA Database to Law Enforcement

The Swedish government may allow law enforcement and possibly private insurance companies to access its massive DNA database. The PKU Registry contains the genetic information of every single Swedish citizen under the age of 43, as the government allowed blood samples to be collected of every newborn since 1975 in order to aid medical research. Privacy advocates are pushing back against opening up the database. The Pirate Party’s Rick Falkvinge believes the decision would be “an outrageous and audacious breach of contract with the parents who were promised the sample would be used only for the good of humanity in terms of medical research.” Falkvinge argues the insinuation of opening the database to police will stop individuals from providing samples in the future. [Ars Technica]

Health / Medical

CA – OIPC AB Provides Guidance for Safeguarding Electronic Health Systems

This OIPC guidance is intended for custodians and their information managers (i.e. EHR service providers) to assess the safeguards in electronic health record systems. Practices include a system design that restricts access on a need-to-know basis, a system ability to reduce access, view or disclosure capability based on an individual’s request, tracking of research requests for disclosure of health information, the inclusion of privacy statements or reminders on system screens, availability of backup and restoration procedures (including the audit log information) at an offsite location, and systems/processes to securely dispose of health information where authorized. [OIPC AB – Guidance for Electronic Health Record Systems]

UK – Patients Should Have More Control Over How Their Medical Data Is Used, Says Caldicott

The national data guardian in England recommended that a new consent and opt-out model for data sharing be implemented in the NHS in England in a report presented at the end of her review of health and care data security and consent, which had been commissioned by the UK government. Dame Fiona said that NHS bodies should generally be free to share patients’ medical data for the purposes of delivering care directly to those people. However, patients should be given control over any other proposed uses of their health records, she said. “People should be able to opt out of their personal confidential data being used for purposes beyond their direct care unless there is a mandatory legal requirement or an overriding public interest,” Dame Fiona said. “Relevant information about a patient should continue to be shared between health professionals in support of their care. An individual will still be able to ask their doctor or other healthcare professional not to share a particular piece of information with others involved in providing their care and should be asked for their explicit consent before access to their whole record is given,” she said. Dame Fiona said that the new opt out and consent model could consist of either asking patients a single question about whether they will allow their data to be used for purposes beyond direct care or a “two-part” mechanism that would allow patients to be more specific about the way their data can be used. [Source]

US – Nursing Home Operator Agrees to Pay $640,000 for ePHI Breach

The Department of Health and Human Services, Office for Civil Rights entered into an agreement with the Catholic Health Care Services of the Archdiocese of Philadelphia, a business associate, to settle alleged violations of the HIPAA Security Rule. An operator-provided smartphone was stolen that was unencrypted and not password protected and contained social security numbers, diagnosis/treatment information, medical procedures and names of family members/legal guardians; the operator must conduct a risk analysis, implement prescribed policies and procedures (e.g. regarding the encryption of ePHI, password management, security incident response, and mobile device controls), implement training programs, and submit reportable events and implementation and annual reports. [HHS – Resolution Agreement – Catholic Health Care Services of the Archdiocese of Philadelphia Press Release | Resolution Agreement] [Business Associates Beware: First HIPAA Settlement with Business Associate]

UK – Gov’t Takes Surgeon’s Knife to Controversial NHS Care.Data Scheme

A recent review published by National Data Guardian Dame Fiona Caldicott suggests moving forward with the data sharing plans of the U.K.’s now-extinct Care.data health database for the U.K.’s national health care system. In her review, Caldicott recommended “new data security standards for the NHS and social care, a method for testing compliance against the standards, and a new opt out to make clear how people’s health and care information will be used and in what circumstances they can opt out.” Meanwhile, Polly Toynbee criticizes the privacy concern-borne criticism that led to the demise of Care.data in an op-ed for the Guardian, calling it a “loss” for the country. [Ars Technica]

Horror Stories

WW – Analysts Concerned by ‘Insider Threat’ Trend

Insider threats are growing more dangerous than external hackers, some security analysts predict. “A lot of companies are really worried about employees walking off with their data,” said Gartner’s Avivah Litan. “Insider threats have become a major issue because external criminals are actively recruiting insiders to help perpetrate their crimes, while disgruntled employees are actively making their insider services available.” The influence of the Dark Web has incentivized these threats, Litan added. “Disgruntled employees, especially those working in data-rich organizations like financial services companies, pharmaceutical firms, and in government are being actively recruited by and selling access to network credentials and corporate data to criminals on the Dark Web.” An Intel report from September 2015 determined that insiders could be blamed for 43% of lost data, and Verizon’s 2016 breach report blamed disgruntled insiders for roughly one in ten security incidents. [Christian Science Monitor] See also: [Former SaskPower employee illicitly accessed more than 4,000 HR files]

UK – Police Departments Commit 10 Data Breaches a Week: Study

A study from civil liberties group Big Brother Watch finds police forces in the U.K. are responsible for 10 data breaches a week. Big Brother Watch’s report, “Safe in Police Hands?” found police departments committed 2,315 data breaches between June 2011 and December 2015. Incidents include officers illicitly using information for financial gain and passing sensitive information to organized crime syndicates. More than half of the breaches resulted in no formal disciplinary action, with 13% resulting in a resignation or termination. “While there have been improvements in how forces ensure data is handled correctly, this report reveals there is still room for improvement. Forces must look closely at the controls in place to prevent misuse and abuse,” the report said. [Computer Weekly]

US – Wendy’s Payment Card Data Breach Affected More Than 1,000 Locations

Wendy’s fast food restaurant chain now says that malware was found on point-of-sale systems at more than 1,025 of its franchises, considerably more than the 300 initially reported earlier this year. The malware targeted cardholder name, credit or debit card number, expiration date, cardholder verification value, and service code. The investigation is still active. Fraudulent activity involving some of those accounts was first detected in fall 2015. [BBC: Food chain Wendy’s hit by massive hack | CNET: Wendy’s says payment card info accessed in malware attack | ZDNet: Wendy’s admits credit card hack is far worse than first thought | SecurityWeek: Over 1,000 Wendy’s Restaurants Hit by PoS Malware | USA Today: Wendy’s: Credit card numbers disclosed in cyber attack]

Identity Issues

WW – ID Theft Cases Increased 57% as Thieves Mine Social Media

A study from fraud prevention service Cifas found the number of identity theft victims in the U.K. rose 57% in 2015. Cifas said there were 148,000 victims of identity theft last year, up from the 94,500 reported cases in 2014. The majority of the cases involved thieves assuming the identity of a real person, using their name, date of birth, address and bank details. Social media networks are becoming a popular place for identity thieves to garner the information necessary to commit the crimes. “The likes of Facebook, Twitter, LinkedIn and other online platforms are much more than just social media sites — they are now a hunting ground for identity thieves,” said Cifas Chief Executive Simon Dukes. “We are urging people to check their privacy settings today and think twice about what they share.” [BBC]

CA – OPC Releases Guidance on De-Identification

The OIPC Ontario outlined key issues to consider when de-identifying personal information in the form of structured data. An acceptable re-identification risk should assess information sensitivity, the level of detail of the information, the number of individuals, potential harms/injuries from a breach, and individual consent for disclosure; public and semi-public release should have a maximum risk measurement applied (non-public releases have an average risk), and agreements with recipients should prohibit re-identification, linking to external data sets, or sharing without permission. [IPC ON – De-identification Guidelines for Structured Data]

Internet / WWW

WW – The Cloud and Filing Cabinets Should Have the Same Privacy Rights

According to a civil complaint filed by Microsoft against the government in federal court, the U.S. government issued more than 5,600 demands to Microsoft over an 18-month period, seeking access to customer information hosted in the cloud. More than 2,500 of those demands came with court-issued secrecy orders that prevented Microsoft from alerting its customers that their information — including personal communications, business records and confidential documents — was being given to the government. Microsoft’s lawsuit challenges this abuse with a simple premise: citizens and businesses that store information on remote data centers are entitled to the same degree of privacy and freedom from unlawful seizure as those who store such information in filing cabinets or personal computers. [Source]

Law Enforcement

US – Minnesota Law Classifies Public and Private Law Enforcement Body-Worn Camera Footage

SB 498, classifying police body-worn camera data, has been signed into law by the Governor and is effective August 1, 2016. Footage is public data if it documents firearm discharge in the course of an officer’s duty or use of force that results in substantial bodily harm; agencies may redact or withhold access to portions of public data that are clearly offensive to common sensibilities. Individuals who are the subject of the footage may request access to a copy of the data; however, data on other individuals who do not consent to its release must be redacted. [Senate Bill 498 – A Bill for an Act Relating to Portable Recording System Data – Minnesota Legislature]

UK – Police Suffered 2,315 Data Breaches in Last Five Years but Want More Data

A report from UK privacy watchdog Big Brother Watch (BBW) reveals that UK police suffered 2,315 data breaches between June 2011 and December 2015 as a result of insiders abusing their access to the data. BBW says that, in 869 cases, police officers accessed citizens’ private data without a work-related purpose, and in 877 incidents, police officers shared data with unauthorized third parties. Few police officers who caused the breaches were punished. Despite the flagrant abuse, in 1,283 cases, authorities decided to take no disciplinary action against the individual who broke procedures. Only 297 cases resulted in the resignation or dismissal of the guilty employee. Authorities did decide to press charges, and for 70 cases, the investigation concluded with a criminal conviction or a caution warning. For 258 less flagrant cases, officers received a written or verbal warning. [Source]

EU – Swedish DPA Greenlights Security Police Registry of Terrorist Group Supporters

Swedish security police Säpo has received permission from the country’s data protection authority to register individuals who express support for ISIS and other terrorist groups. The authority deemed that public support of an EU or U.N.-recognized terror organization was not “sensitive personal information,” the report states. However, “according to Säpo, the decision from the Data Inspection Board does not mean that information can be registered based on political and religious beliefs, which is not generally allowed in Sweden,” the report adds. The move “will allow us to further streamline our work,” said Säpo Press Secretary Simon Bynert. “We will be able to register relevant tips and will be able to get a better overall picture of the people we follow.” [The Local]

Location

US – Researchers Develop Method for Stronger Location Data Control

A group of UCLA researchers is proposing a way to give users more granular control over their location in light of the growing number of Internet of Things devices. Joshua Joy, Minh Lee, and Mario Gerla have come up with LocationSafe, a privacy module implemented directly into the GPSD of a user’s device, allowing the user to dictate how location data is provided before other applications can use it. “User applications requesting data of users is a binary permission, either I share my data or I don’t. However, sensitive data such as location needs finer control on how accurate and how often the location information is released,” the authors said in their paper. [Motherboard]

Online Privacy

EU – EU Submits Draft Code of Conduct on Privacy for Mobile Health Apps to Article 29 Working Party for Approval

The European Commission submitted a draft code of conduct for privacy for mobile health apps to the Article 29 Data Protection Working Party for its consideration and approval. The EC functioned as a facilitator with industry members who drafted the Code of Conduct. Once approved, the Code of Conduct can be voluntarily signed by app developers, who commit to following its rules. It includes data protection principles (such as transparency and privacy by design), requires valid explicit consent for the collection and use of data subjects’ data, permits secondary use of data for scientific research or Big Data, and acknowledges that it can be difficult to irreversibly anonymise health data when a retention period expires. [European Commission – Draft Code of Conduct on Privacy for Mobile Health Applications Press Release | Draft Code of Conduct | Hogan Lovells]

EU – Tech Industry Gangs Up On European Commission, Calls for Cookie Law To Be Scrapped

A massive coalition of tech and telco companies has called for the EU’s so-called cookie law to be repealed. Ars reported yesterday that the European Commission was working to overhaul the current ePrivacy Directive, and had held a public consultation soliciting feedback. But a group of 12 trade bodies has now called for it to be scrapped altogether. The coalition includes the European Telecommunications and Network Operators association (ETNO), the European Competitive Telecommunications Association (ECTA), the GSMA representing mobile operators, the Computer and Communications Industry Association (CCIA), the Interactive Advertising Bureau (IAB), and DigitalEurope. “We believe that simplifying and streamlining regulation will benefit consumers by ensuring they are provided with a simple, consistent, and meaningful set of rules designed to protect their personal data,” said the group. “At the same time, it will encourage innovation across the digital value chain and drive new growth and social opportunities. This is critical at a time when digital companies are striving to launch new innovative services and working to build a 5G Europe.” The coalition brings together telco operators, online service providers, hardware manufacturers, and online publishers. [Source]

US – MIT Researchers Develop Anonymity Network That Rivals TOR

Anonymity networks protect people living under repressive regimes from surveillance of their Internet use. But the recent discovery of vulnerabilities in the most popular of these networks — Tor — has prompted computer scientists to try to come up with more secure anonymity schemes. At the Privacy Enhancing Technologies Symposium in July, researchers at MIT’s Computer Science and Artificial Intelligence Laboratory and the École Polytechnique Fédérale de Lausanne will present a new anonymity scheme that provides strong security guarantees but uses bandwidth much more efficiently than its predecessors. In experiments, the researchers’ system required only one-tenth as much time as existing systems to transfer a large file between anonymous users. The system …employs several existing cryptographic techniques but combines them in a novel manner. The heart of the system is a series of servers called a mixnet. Each server permutes the order in which it receives messages before passing them on to the next. If, for instance, messages from senders Alice, Bob, and Carol reach the first server in the order A, B, C, that server would send them to the second server in a different order — say, C, B, A. The second server would permute them before sending them to the third, and so on. [MIT News]
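The reordering described above can be modelled in a few lines. This is an added illustration, not code from the MIT/EPFL system: the second and third permutations, and the function names, are assumptions, and it models only the shuffling step, not the cryptographic techniques the article mentions. It shows why an observer who knows every server's shuffle except one cannot tell which sender an output message came from.

```python
from itertools import permutations, product

SENDERS = ["Alice", "Bob", "Carol"]          # arrival order A, B, C
# Constructed example chain: the first server reverses the batch
# (A, B, C -> C, B, A, as in the article); the other two are made up.
CHAIN = [(2, 1, 0), (1, 2, 0), (0, 2, 1)]


def apply_mix(batch, perm):
    """One mix server: output slot i carries the message from input slot perm[i]."""
    return [batch[src] for src in perm]


def route(batch, chain):
    """Pass a batch through every server in the chain, in order."""
    for perm in chain:
        batch = apply_mix(batch, perm)
    return batch


def possible_senders(out_slot, chain, senders):
    """Senders an observer cannot rule out for the message in out_slot.

    chain holds each server's permutation, or None where the observer
    does not know it (a server that keeps its shuffle secret).
    """
    n = len(senders)
    unknown = [i for i, perm in enumerate(chain) if perm is None]
    candidates = set()
    # Enumerate every shuffle the secret servers could have applied.
    for guess in product(permutations(range(n)), repeat=len(unknown)):
        filled = list(chain)
        for idx, perm in zip(unknown, guess):
            filled[idx] = perm
        candidates.add(route(list(senders), filled)[out_slot])
    return candidates


if __name__ == "__main__":
    print("final order:", route(SENDERS, CHAIN))
    # Observer knows all three shuffles: the sender is identified.
    print(possible_senders(0, CHAIN, SENDERS))
    # Observer is missing only the middle server's shuffle: anyone is possible.
    print(possible_senders(0, [CHAIN[0], None, CHAIN[2]], SENDERS))
```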

Privacy (US)

US – Obama Administration Unveils National Privacy Research Strategy

The White House has announced the National Privacy Research Strategy, a program which aims to foster more sophisticated privacy research alongside the development of innovative data use. This strategy proposes the following priorities for privacy research:

  • Foster a multidisciplinary approach to privacy research and solutions;
  • Understand and measure privacy desires and impacts;
  • Develop system design methods that incorporate privacy desires, requirements, and controls;
  • Increase transparency of data collection, sharing, use, and retention;
  • Assure that information flows and use are consistent with privacy rules;
  • Develop approaches for remediation and recovery; and
  • Reduce privacy risks of analytical algorithms.

“With this strategy, our goal is to produce knowledge and technology that will enable individuals, commercial entities, and the federal government to benefit from technological advancements and data use while proactively identifying and mitigating privacy risks.” The strategy suggests increased transparency of data use, a more “multidisciplinary approach” to privacy research, and the creation of system design methods that satisfy privacy requirements. The new Federal Privacy R&D Interagency Working Group will help facilitate these efforts. [Press Release]

US – DEA Changes Wiretap Procedure After Questionable Eavesdropping Cases

Following criticism for its dubious surveillance program in the L.A. suburbs, the Drug Enforcement Administration is overhauling its procedures for agents to secure permission for wiretaps. DEA agents must discuss any plans for a wiretap with federal prosecutors, and then receive permission from a senior DEA official before taking their request to a state court. The change comes after an investigation discovered the DEA had a wiretapping program monitoring millions of calls and texts in the Los Angeles area, getting approval from a single state court judge while bypassing Justice Department lawyers. “With federal courts, there’s a significant amount of scrutiny on something before you get a wiretap, and there’s a lot of layers of protection for privacy that don’t exist in state court,” said Louisville defense lawyer Brian Butler, who is challenging the legality of the DEA’s past surveillance efforts. [USA Today]

US – Sports Authority’s Post-Bankruptcy Data Sale Sparks Privacy Concerns

After Dick’s Sporting Goods bid on and won the now-bankrupt Sports Authority’s trove of an estimated 25 million email addresses and 14 million shoppers’ files for $15 million, former Sports Authority consumers are now concerned about the potential ramifications on their privacy. “It’s extremely valuable data for companies to identify customers who are looking for a new home,” said SSP Blue’s Hemu Nigam. “Customer emails are stolen every day [but] they lack awareness that this is a possibility,” Nigam said. “The auction is raising awareness of another way customer data can be sold without even thinking about it.” Representatives from Dick’s Sporting Goods and Sports Authority declined to comment, the report states. [Los Angeles Times]

US – CFPB Proposes Privacy Notice Requirement Amendment

The Consumer Financial Protection Bureau is pitching to amend the privacy notice requirement under the Gramm-Leach-Bliley Act and has opened up a request for public comment. “The bureau is proposing to amend Regulation P, which requires, among other things, that financial institutions provide an annual notice describing their privacy policies and practices to their customers,” the report said. The CFPB alteration implements a December 2015 statutory amendment to the act, “providing an exception to this annual notice requirement for financial institutions that meet certain conditions.” The report also states, “If financial institutions share certain consumer information with particular types of third parties, the annual notices must also provide customers with an opportunity to opt out of the sharing.” [Consumer Finance]

US – Facebook 3rd-Party Data Sharing Case Will Move Forward with One Plaintiff

U.S. District Judge Ronald Whyte has ruled that plaintiff Wendy Marfeo’s suit against Facebook for allegedly sharing her information with a third-party site via “referrer headers” will move forward. Whyte found “that she had suffered harm by Facebook sharing her personal and private information despite the tech company’s many assertions it would not do so,” the report states. The judge did grant Facebook’s motion to dismiss co-plaintiff Katherine Pohl’s allegations that the company had shared her information with a third party, the report adds. “We are pleased that the court ruled in our favor and determined that the case should not proceed as a class action,” said a Facebook representative. [Courthouse News Service]

US – EFF and ACLU-led Coalition Opposes Dangerous “Model” Employee and Student “Privacy” Legislation

EFF, ACLU, and a coalition of nearly two-dozen civil liberties and advocacy organizations and a union representative are urging the Uniform Law Commission (ULC) to vote down dangerous model employee and student privacy legislation. The bill, the Employee and Student Online Privacy Protection Act (ESOPPA), is ostensibly aimed at protecting employee and student privacy. But its broad and vaguely worded exceptions and limitations overshadow any protections the bill attempts to provide. As our joint letter explains, ESOPPA will result in only further invasions of student and employee privacy. ESOPPA does next to nothing to prevent school administrators and employers—including public school employees and state officials—from coercing or requiring students and employees to turn over private, non-publicly available information from social media accounts. Furthermore, ESOPPA applies only to students at the college level and beyond, leaving the privacy of students at the high school level and below completely exposed. That’s why we’re asking the ULC to either address ESOPPA’s deficiencies or reject the bill outright at its upcoming meeting. Other organizations, including the Foundation for Individual Rights in Education (FIRE), have also sent their own letter to the ULC opposing the current draft of ESOPPA. [Source]

US – More Than 95% of Public Comments Pan FCC Privacy Plans

More than 95% of public comments on a proposal by the Federal Communications Commission to regulate the privacy practices of broadband providers have been critical of that idea, according to a report. The figures were provided by “Protect Internet Freedom,” a nonprofit group that established an online platform for users to submit feedback to the FCC. “A total of 259,539 opposition comments were filed against the [rules], an overwhelming majority of the 271,669 total comments filed in the docket as the commenting deadline nears,” the group said in a press release. The public comment period is set to close this week. Democrats on the commission moved to issue the notice of proposed rulemaking, which would restrict how Internet providers are allowed to collect and use customer data. Critics say that tech companies like Google and Facebook represent a more significant threat and would be given an unfair advantage because the rule wouldn’t apply to them. [Washington Examiner]

RFID / IoT

US – Senator Asks FTC to Boost Privacy Efforts in IoT for Children

Sen. Mark Warner, D-Va., wrote a letter to FTC Chairwoman Edith Ramirez on her agency’s efforts to protect the privacy of the “Internet of Playthings.” In his letter, Warner says the FTC must work with Congress to safeguard children’s personal information as “smart toys” rise in popularity. “The ever-declining cost of digital storage and internet connectivity have made it possible to connect an unimaginable range of product and services,” Warner said in his letter. The senator cited researchers hacking into talking dolls and altering their responses and the ease of hacking the cloud to obtain conversations recorded by children’s toys as reasons for the FTC to take action. Warner also asked Ramirez whether the FTC had enough authority to guard children’s privacy under the Children’s Online Privacy Protection Act with IoT on the rise. [Multichannel News]

Security

WW – Infrared Light Could Shut Off Forthcoming iPhones’ Camera

Apple has been granted a patent for an unnamed system that allows those with infrared-capable devices to disable the filming capabilities of proximate iPhones. While the system was initially developed to prevent bootlegging of films or illegal filming of concerts, there is concern that law enforcement agencies could manipulate it. “Given how police have secretly adapted new kinds of technology, from Stingrays that can intercept text messages in transit to license plate scanners, it’s not hard to predict how police could take [it] on as part of their arsenal, regardless of Apple’s recent anti-surveillance track record.” At the time of publication, Tech.Mic was still awaiting a potential response from Apple. [Tech.Mic]

US – Password Sharing Is a Federal Crime, Appeals Court Rules

One of the nation’s most powerful appeals courts ruled that sharing passwords can be a violation of the Computer Fraud and Abuse Act, a catch-all “hacking” law that has been widely used to prosecute behavior that bears no resemblance to hacking. In this particular instance, the conviction of David Nosal, a former employee of Korn/Ferry International research firm, was upheld by the Ninth Circuit Court of Appeals, which said that Nosal’s use of a former coworker’s password to access one of the firm’s databases was an “unauthorized” use of a computer system under the CFAA. The decision is a nightmare scenario for civil liberties groups, who say that such a broad interpretation of the CFAA means that millions of Americans are unwittingly violating federal law by sharing accounts on things like Netflix, HBO, Spotify, and Facebook. Stephen Reinhardt, the dissenting judge in the case, noted that the decision “threatens to criminalize all sorts of innocuous conduct engaged in daily by ordinary citizens.” At issue is language in the CFAA that makes it illegal to access a computer system “without authorization.” McKeown said that “without authorization” is “an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission.” The question that legal scholars, groups such as the Electronic Frontier Foundation, and dissenting judge Stephen Reinhardt ask is an important one: Authorization from who? [Motherboard] [Reuters]

WW – D-Link Camera Vulnerability Found in Other Devices

A vulnerability initially detected in D-Link wireless IP surveillance cameras is now known to affect as many as 400,000 devices, because the flawed software component was used in other D-Link devices. D-Link was notified of the issue by researchers; the company performed its own analysis of its devices and determined that 120 different products contain the vulnerable component. The flaw allows attackers to take control of the administrator account on the devices. There is currently no patch available. [ SANS ISC InfoSec Forums: Pentesters (and Attackers) Love Internet Connected Security Cameras! | SC Magazine: D-Link flaw affects 400,000 devices | The Register: 414,949 D-Link cameras, IoT devices can be hijacked over the net]

WW – Home Entertainment, Health Care Tools’ Security Ranks Most Vulnerable

Recent studies have found that while consumers are concerned with the overall costs and privacy implications of Internet of Things devices, security professionals have identified specific technologies as most vulnerable to attack. A survey by Lastline found that home entertainment systems, health care-related tools, and connected cars were among the top-ranking devices that troubled IT analysts the most. “The very nature of hacking dictates that people will find the new and innovative hacking targets, such as hacking into toys, smart TVs and refrigerators which are seemingly harmless, and try and compromise them — simply because they can,” said Lastline’s Brian Laing. “IoT presents one of those uncharted territories.” [MediaPost]

US – HHS Publishes HIPAA, Ransomware Fact Sheet

The Department of Health and Human Services has released a fact sheet on ransomware and HIPAA, noting that adhering to the rule’s requirements can help businesses prevent and recover from a data-hostage situation. Under HIPAA, “some of these required security measures include implementing a security management process, which includes conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information and implementing security measures to mitigate or remediate those identified risks,” the report states. HIPAA’s data backup requirements are also helpful should a ransomware attack occur, the fact sheet adds. Meanwhile, Becker’s Health IT and CIO Review reports that June was the worst month so far for hospital breaches in 2016, with more than 11 million patient records compromised. [Fact Sheet: Ransomware and HIPAA]

Surveillance

UK – 15 Secretive Orders ‘Allow Spy Agencies to Collect Communications Data’

A new report published by the Interception of Communications Commissioner’s Office (IOCCO) disclosed that there were a total of 23 “extant” section 94 directions within the scope of its oversight. They were all given by the Home Secretary or Foreign Secretary at various times between 2001 and 2016 on behalf of MI5, GCHQ, the three intelligence agencies collectively – MI5, GCHQ, and MI6 – or the Metropolitan Police’s counter-terrorism command. Fifteen of the directions relate to the acquisition of bulk communications data, while the remaining eight directions relate to the provision of services in emergencies, for “civil contingency purposes” or to help agencies in safeguarding the security of their personnel and operations. [Source]

EU – Police Scotland to Dump Millions of ANPR Records Over Privacy Fears

A freedom of information request made earlier this year revealed that Police Scotland kept records of every recorded vehicle movement dating back to 2012, even though data protection rules prohibit forces from keeping records that are not linked to criminal activity for longer than two years. Now a trove of official documents on ANPR published by The Ferret shows that senior officers were aware as early as 2013 that they could be breaking data protection rules by retaining ANPR records. [The Ferret] [ANPR records retained by Police Scotland]

Telecom / TV

EU – Vodafone Customers Exposed to Potential Privacy Breach

The Data Protection Commissioner of Ireland will look into an alleged Vodafone breach after users discovered that anyone with knowledge of their phone number can check their balance without passing through security controls. Vodafone maintains that the service is both acclaimed and unproblematic. The company “does not view this as a data protection breach on the basis that the balance given is not identifiable personal data,” Vodafone said in a statement. “The privacy of Vodafone’s customers is afforded the highest priority and the company continuously seeks feedback from our customers on the services we provide as well as regularly reviewing the IVR (interactive voice response) functionality.” [Independent.ie]

US – FCC Rules Government Can Make Robo-Calls

A ruling from the Federal Communications Commission clarified that federal government employees and their contractors are exempt from robo-call regulations. The regulations specifically prevent “persons” from making the calls, defined as “an individual, partnership, association, joint-stock company, trust, or corporation.” The FCC felt that the U.S. government does not fit in those categories, and was therefore free to make these calls until the law changes to specifically prohibit them. “The implications of the decision could be far-reaching,” the report states. “It validates the ability of federal agencies to perform surveys and polls on the effectiveness of their programs. … It also affirms the ability of contractors to make robo-calls to inform people of their Social Security benefits.” [The Washington Post]

US – Federal Judge Rules Automated Calls Can Cause Harm, Cites Spokeo

A West Virginia federal judge ruled the plaintiff accusing Got Warranty Inc., N.C.W.C. Inc. and Palmer Administrative Services Inc., of violating the Telephone Consumer Protection Act can move forward with her lawsuit. U.S. District Judge John Preston Bailey cited the Spokeo decision in the ruling, saying Diana Mey’s suit against the companies proved she suffered both tangible and intangible harm. Mey alleges the companies sent her numerous automated phone calls causing her harm in the form of lost battery life, lost phone minutes, and the “intrusion upon and occupation of the capacity of the consumer’s cellphone,” said Bailey. [Law 360]

US Government Programs

US – OMB Leadership Mandates Breach-Response Contracts

According to a memo issued by Office of Management and Budget Chief Acquisition Officer Anne Rung, all government agencies providing credit monitoring and identity theft protection must contract via the General Services Administration’s Identity Monitoring Data Breach Response and Protection Services blanket purchase agreement. “Taking advantage of the IPS BPAs ensures agencies can meet their needs for expeditious delivery of best-in-class solutions from pre-approved and vetted companies at competitive pricing,” Rung wrote. “For these reasons, the IPS BPAs shall be treated as a preferred source for federal agencies.” This would help avoid violation of federal laws, as the inspector general said the Office of Personnel Management did after “choosing the wrong contract vehicle” in the wake of its 2015 breach, the report states. [Federal Times]

US – NSA Labels Privacy-Centric Internet Users as Extremists

The NSA is not making any friends these days, and their latest statement on privacy-centric journalists is not helping matters much either. To be more precise, an investigation by the agency revealed how they are continuing to target the Tor network. Moreover, The Linux Journal is referred to as an “extremist forum”. Quite a strong sentiment, and possibly completely misguided as well. [The Merkle]

US Legislation

US – Ohio Bill Would Provide Privacy Exemptions for Releasing Police Body Cam Videos

The bill introduced by Rep. Niraj Antani, a Miamisburg Republican, maintains that camera videos are public records but adds exemptions to address privacy concerns. Body camera use has proliferated in recent years as have the legal issues surrounding their public release. Antani said he’s not aware of any Ohio cases where privacy was invaded on body camera video, but that lawmakers should be proactive considering more police departments are using them. [Source]

Workplace Privacy

US – Employees Express Workplace Wearables, BYOD Security Concerns

A Tech Pro Research survey found that while mobile devices are nearly universally used in the workplace, not all employees feel their devices are completely secure, ZDNet reports. The respondents expressed specific concern over wearables’ security. “Only 57% of respondents said their companies require user IDs and passwords, and less than a quarter used data encryption or device management software,” the report states. Bring-your-own-device security was also called into question. While 76% of respondents’ employers allowed the practice, “IT departments are still divided about supporting these devices,” the report adds. [Full Story]

WW – Business Travellers Putting Organisations’ Cyber-Security at Risk

Business travellers are more likely to be targeted for their access to private and corporate data than be mugged, according to a new report. A survey by Kaspersky Lab of 11,850 people from across Europe, Russia, Latin America, Asia Pacific and the US found that the pressure from work to get online is clouding the judgment of business travellers when connecting to the internet. It said that three in five (59%) of people in senior roles say they try to log on as quickly as possible upon arrival abroad because there is an expectation at work that they will stay connected. The research also found that 47% think that employers, if they send staff overseas, must accept any security risks that go with it. Almost half (48%) of senior managers and more than two in five (43%) of mid-level managers use unsecure public access Wi-Fi networks to connect their work devices when abroad. At least two in five (44% and 40%, respectively) use Wi-Fi to transmit work emails with sensitive or confidential attachments. One of the main reasons for business travellers acting the way they do on business is down to a widely held assumption that their work devices are inherently more secure than private communications tools, regardless of their connectivity. Two in five (41%) expect their employers to have set strong security measures. This is most pronounced among business leaders (53%) and mid-level executives (46%). One in five (20%) senior executives admit to using work devices to access websites of a sensitive nature via Wi-Fi – compared to an average 12%. One in four (27%) have done the same for online banking – compared to an average 16%. Kaspersky Lab said that the report showed that cyber-crime is a real hazard while traveling and employees are putting confidential business information at risk. [Source]

+++

 

25 June – 04 July 2016

Big Data

WW – Perspectives on Big Data, Ethics, and Society

A white paper has been published from the Council for Big Data, Ethics, and Society. The paper consolidates conversations and ideas from two years of meetings and discussions and identifies policy changes that would encourage greater engagement and reflection on ethics topics. It also indicates a number of pedagogical needs for data science instructors; explores cultural and institutional barriers to collaboration between ethicists, social scientists and data scientists in academia and industry around ethics challenges; and offers recommendations geared toward those who are invested in a future for data science, big data analytics, and artificial intelligence guided by ethical considerations along with technical merit. [Full Story]

US – What Algorithmic Injustice Looks Like in Real Life

Courtrooms across the nation are using computer programs to predict who will be a future criminal. The programs help inform decisions on everything from bail to sentencing. They are meant to make the criminal justice system fairer — and to weed out human biases. ProPublica tested one such program and found that it’s often wrong — and biased against blacks. (Read our story.) We looked at the risk scores the program spit out for more than 7,000 people arrested in Broward County, Florida in 2013 and 2014. We checked to see how many defendants were charged with new crimes over the next two years — the same benchmark used by the creators of the algorithm. Our analysis showed:

  • The formula was particularly likely to falsely flag black defendants as future criminals, wrongly labeling them this way at almost twice the rate as white defendants.
  • White defendants were mislabeled as low risk more often than black defendants. [Source]

Canada

CA – Ontario IPC Releases 2015 Annual Report

The Information and Privacy Commissioner of Ontario has published his 2015 annual report. Commissioner Brian Beamish has made four overarching suggestions for the year ahead. They include expanding the jurisdiction of established privacy laws, creating order-making power for privacy complaints, review address changing technologies, and enacting “mandatory proactive disclosure of identified categories of records.” He also recommended updating FIPPA and MFIPPA. “A public review and update of the acts will ensure greater transparency and accountability of government institutions, meet the growing expectations of the public and ensure that Ontarians benefit from the same access and privacy rights as other Canadians.” [IPC]

CA – Nova Scotia Still Missing Key Privacy Protections Says Annual Report

Nova Scotia’s information and privacy commissioner says the province needs a statutory duty to report breaches of individual privacy. Commissioner Catherine Tully published her office’s annual report on Nova Scotia’s access to information and protection of privacy laws. It found that personal information held by public bodies was “likely breached between 10 and 154 times” over the last year. Tully writes that her office is notified of minor breaches of privacy, but not major ones, and she’s “increasingly concerned” about those breaches that go unreported. The privacy office claims the number of minor breaches of private health information increased 75% this past year. It’s currently impossible to determine if there was an equal increase in major breaches. According to the annual report, there was also a 41% increase in new cases for the OIPC over this past year, along with a jump of 569% (from four to 58) in external consultations about file requests. Despite the heavier workload, the office boasts that it’s resolved 10% more complaints than 2014/15, with an average turnaround time of 65 days. [The Coast] [Global News] [Nova Scotians need better notification of privacy breaches, report says]

CA – PC Says Saskatchewan Health Care Laws Need Revisions: Annual Report

The Office of the Saskatchewan Information and Privacy Commissioner released its 2015-2016 Annual Report, “Striking a Balance”. Saskatchewan Privacy Commissioner Ronald Kruzeniski recommended updates to the province’s 2003 Health Information Privacy Act in his 2015-2016 annual report. The health care law currently does not regulate post-breach patient notification, an omission Kruzeniski finds problematic. He further emphasized that “the act should also specify how long personal health information should be retained.” [Global News] [Sask. health minister considering beefing up privacy rules]

CA – Manitoba OIPC Releases Annual Report

Manitoba’s Ombudsman issued its 2015 Annual Report relating to the Freedom of Information and Protection of Privacy Act, the Personal Health Information Act, and the Public Interest Disclosure (Whistleblower Protection) Act. [Source]

CA – Drew McArthur Named British Columbia’s Acting Commissioner

Drew McArthur has been named acting information and privacy commissioner for British Columbia. McArthur will be taking the role vacated by Elizabeth Denham, who will be taking over the role of U.K. Information Commissioner from Christopher Graham. McArthur had served for six years on the Office of the Information and Privacy Commissioner’s external advisory board, while helping develop and install the privacy policy for Telus as its chief compliance officer. [Castanet]

E-Government

UK – Government Websites Must Switch to HTTPS with HSTS

All UK Government Digital Services websites will be required to adopt HTTPS encryption by October 1, 2016. The sites will also be required to use HTTP Strict Transport Security (HSTS) to protect them from downgrade attacks, and to publish a Domain-based Message Authentication, Reporting, and Conformance (DMARC) policy for email systems. [V3: GDS to demand that all government websites go HTTPS from 1 October | Tom’s Hardware: UK Government Websites To Be Secured By HTTPS, HSTS, DMARC By October 2016 | GDS Guidance (February 2016): Domain-based Message Authentication, Reporting and Conformance (DMARC)]

Encryption

US – House Encryption Report Says No Current Bills Appropriate Solution

The House Subcommittee on Homeland Security released a report that states no current bills in Congress appropriately address the current encryption-government access issue. The report was based on “more than a hundred meetings” with privacy advocates, technologists, cryptographers and law enforcement. Though it does not present a way forward, it does reject the viability of all current bills, including the controversial Burr-Feinstein bill. The Subcommittee published a “primer” regarding the encryption debate in the legislature. The paper is based on “extensive discussions with stakeholders” and says that no legislation yet proposed adequately addresses the issue. “Lawmakers need to develop a far deeper understanding of this complex issue before they attempt a legislative fix,” the report states. [Wired] [Wired: Even Congress Is Slamming That Crummy Crypto Bill | US House: Going Dark, Going Forward: A Primer on the Encryption Debate] See also: [Pending Russian Legislation Would Require Companies to Decrypt Communications]

EU Developments

EU – New US-EU Data Transfer Agreement Expected to Win Approval

The New York Times reports that the EU is expected to approve the new draft of the US-EU Privacy Shield data transfer agreement. The new framework, developed to replace the Safe Harbor agreement that the European Court of Justice struck down last year, “protects the fundamental rights of Europeans and ensures legal certainty for businesses,” according to European Commission spokesman Christian Wigand. The absence of an agreement has left US companies in limbo regarding European customer data. In early June, the Hamburg (Germany) Data Commissioner fined three companies for using the defunct Safe Harbor agreement to transfer European customer data to the US. While agreement may have been reached, a number of hurdles stand in the way of passage. The first is that each of the member states of the EU has to pass the agreement. From there it will be passed on to the College of Commissioners, who will then validate the adequacy of the agreement. [New York Times: Europe Is Expected to Approve E.U.-U.S. Data Transfer Pact | Reuters: German privacy regulator fines three firms over U.S. data transfers] See also: [European Commission sends new Shield to Article 31, vote expected this week]

EU – Belgian DPA Loses Privacy Case Against Facebook

The data protection authority in Belgium has said it lost its privacy case against Facebook. The Belgian DPA wanted the social network to stop tracking non-users of Facebook in Belgium who go to Facebook pages. Facebook has argued the so-called datr cookie is a security measure. A spokeswoman for the Belgian Privacy Commission said the case was dismissed by the Brussels Appeals Court because the regulator does not have jurisdiction over Facebook. The company’s European headquarters is located in Ireland. [Reuters]

UK – Christopher Graham Says Goodbye to ICO in Final Annual Report

Outgoing U.K. Information Commissioner Christopher Graham spoke highly of the agency’s work during his last year as its head in his final annual report. “We have delivered on our objectives, responded to new challenges and prepared for big changes, particularly in the data protection and privacy field,” said Graham, who also discussed the agency’s work handling data breaches and other privacy violations. “The ICO also took part in the debate on surveillance and security and the Investigatory Powers Bill. And, in its responses following the Schrems judgment, with all the implications for trans-Atlantic data flows, the ICO’s influential counsel helped to avert a meltdown,” said Graham. The departing information commissioner also bid farewell on the ICO’s YouTube page, while calling the upcoming months and years an exciting time for his successor, Elizabeth Denham. [Computer Weekly]

Facts & Stats

WW – Study: More Than 50% of SMBs Suffered Breaches Within Last Year

Security organization Keeper Security released the results of a study it conducted with Ponemon Institute on the rate at which small- and medium-sized businesses are hit with data breaches. The survey found more than 50% of SMBs suffered a breach within the last 12 months, and only 14% of the organizations polled felt their ability to stop attacks is highly effective. Phishing and social engineering attacks were the most common types of incidents, and while anti-virus software was deemed useful, companies felt they could not count on it to stop breaches. “Cyberattack prevention is now everyone’s responsibility,” said the CEO of Keeper Security. “As both frequency and size of data breaches increases, SMBs must face the reality that a material adverse financial impact on their business is a real possibility.” [Market Wired]

Finance

WW – World-Check Terrorism Database Leaks Online

A financial crime database used by banks has been leaked on to the net. World-Check Risk Screening contains details about people and organisations suspected of being involved in terrorism, organised crime and money laundering, among other offences. Access is supposed to be restricted under European privacy laws. But the database’s creator, Thomson Reuters, has confirmed an unnamed third-party has exposed an “out of date” version online. The leak was discovered by security researcher Chris Vickery and made public by the Register, which reported it contained more than two million records and was two years old. “There was no protection at all. No username or password required to see the records,” Mr Vickery told the BBC. [BBC News]

FOI

CA – Ontario Doctors Challenge Ruling That Would Identify Top OHIP Billers

The Ontario Medical Association (OMA) is seeking to overturn a landmark decision by the province’s privacy commissioner to release the names of top-billing doctors. In addition, a group of about 40 doctors and one physician acting alone who are on the list have made separate applications for a judicial review of an order from the privacy commissioner to release to the Toronto Star the identities of the top 100 billers. The three parties filed applications this week with the province’s divisional court to quash the ruling made June 1 by the Information and Privacy Commissioner of Ontario. In seeking a judicial review of Higgins’ decision, the OMA, which represents the province’s 29,000 doctors, is arguing that it is not in keeping with previous rulings by the commissioner. “We continue to advocate that this is personal information and, without the proper context, OHIP billings will be misconstrued as income, which is false,” OMA president Dr. Virginia Walley said in a written statement. “OHIP billings do not provide insight into the number of hours doctors work, the complexity of care they provide to patients, or the overhead costs they bear in order to staff, equip and run their clinics.” Among the organization’s other arguments: the ruling is incorrect and/or unreasonable, the adjudicator failed to consider submissions from doctors, and the ruling was made without proper legal or factual bases. The two other physician parties are making similar arguments. They are asking the courts for a special order permitting them to proceed with the judicial review without their identities being made public. The physician acting alone, described only as “Dr. A.B.,” also argues that he was never informed about the case by the privacy commissioner even though he is among the top billers. He was never given the opportunity to argue his case, unlike other affected doctors, his application states. [Toronto Star]

CA – OIPC BC Finds Public Body Must Disclose Internal Investigative Information

The Office of the BC Information and Privacy Commissioner reviewed a decision by the Independent Investigations Office to deny access to records requested pursuant to the Freedom of Information and Protection of Privacy Act. Disclosure of the information would not harm the effectiveness of investigative techniques and procedures used; techniques used are obvious and clearly known to the general public (employee interviews and examining electronic equipment), and other information withheld was administrative (e.g. details about scheduling, general protocol and procedures, non-sensitive information about investigations the requestor was working on when employed by the public body). [OIPC BC – Order F16-28 – Independent Investigations Office]

Health / Medical

CA – Education Key to Preventing Medical Record Snooping: Commissioner

The latest case of medical record snooping uncovered in Ontario — in which at least six Mississauga patients had their files probed — highlights the ongoing challenge to protect patient privacy in the digital age, the province’s privacy commissioner says. Since formally assuming the role in 2015 — in the midst of controversies over a spate of patient record snooping incidents across the province — Ontario privacy commissioner Brian Beamish has emphasized stiffer punishments for what he calls “higher-end cases.” That’s why five of the six snooping cases that have ever been referred to the attorney general for breaking the province’s health privacy legislation have occurred on Beamish’s watch, he said. “Snooping was a continuing, recurring problem, and we started to think: what else can we do to reinforce that this is unacceptable?” Beamish told the Star in an interview. On Monday, the College of Physicians and Surgeons of Ontario held its first-ever disciplinary hearing for one of its members accused of snooping. Dr. Douglas Brooks, a general practice physician in Sault Ste. Marie, was found to have improperly probed the electronic medical records of two non-patients several times, college spokesperson Kathryn Clarke said in an emailed statement. Brooks had his college certification suspended for five months, must participate in medical ethics training, and was ordered to pay $5,000 in costs for the hearing, Clarke said. There are three more discipline hearings scheduled in the coming months for alleged snooping by other doctors. [The Star]

US – States Pass Laws Requiring Dependents’ Care Remain Confidential

Several states have passed laws and regulations ensuring medical communications for dependents remain confidential. With the Affordable Care Act allowing young adults to remain on their parents’ insurance until they are 26, policyholders can receive notices from insurers every time their child gets medical care. California, Colorado and other states are starting to fill in gaps not covered by HIPAA, requiring insurers to keep those encounters private for the patients’ safety. “There’s a longstanding awareness that disclosures by insurers could create dangers for individuals,” said Center for Adolescent Health and the Law Director Abigail English. “But there was an added impetus to concerns about the confidentiality of insurance information with the dramatic increase in the number of young adults staying on their parents’ plan until age 26.” [Kaiser Health News] [US: States Offer Privacy Protection For Young Adults On Parent’s Health Plan]

Horror Stories

WW – List of ‘Heightened-Risk Individuals’ Not Secure Enough, Researcher Says

Security researcher Chris Vickery has discovered a global terror watchlist containing more than 2.7 million entries of “heightened-risk individuals.” Vickery found the list on a server “configured for public access,” making the sensitive information too easy to investigate, he said. “If governments and banks are going to alter lives based upon information in a database like this, then there needs to be some sort of oversight,” Vickery added. There’s also the issue of data revision or deletion. “Those who are named in the database have little or no recourse to have their data corrected or removed,” the report adds. [ZDNet] [ZDNet: A massive financial crime and terrorism database has leaked]

Identity Issues

CA – Trudeau Says Canada Will Explore Gender-Neutral ID Cards

Canada is exploring the use of gender-neutral options on identity cards, Justin Trudeau told a television station as he became the first Canadian prime minister to march in a gay pride parade. Trudeau, who participated in the downtown Toronto parade along with other politicians, did not give details, saying only the government was exploring the “best way” and studying other jurisdictions. Last week, the Canadian province of Ontario said it would allow the use of a third gender indicator, X, for driver’s licenses, which are commonly used in North America to provide identification. Countries including Australia, New Zealand and Nepal already allow the use of the X gender indicator. [Source] [Fake fingerprints: The latest tactic for protecting privacy]

US – FOIA Improvement Act Becomes Law

President Obama has signed the Freedom of Information Act Improvement Act into law. It “codifies a statutory presumption of openness,” clarifying the need for agencies to justify their decision to withhold information rather than placing the burden of justification on the entity making the request. The bill also places a 25-year limit on the length of time agencies may keep internal deliberations confidential, and it requires the Office of Management and Budget (OMB) to create a single-access website for making FOIA requests. [SC Magazine: Obama signs FOIA reform bill into law | Federal News Radio: Obama celebrates 50th anniversary of FOIA by signing update into law | White House: Fact Sheet: New Steps Toward Ensuring Openness and Transparency in Government]

Law Enforcement

EU – Disgruntled Ex-Employee Leaks Info On 112,000 Police Officers

A file containing the home addresses and telephone numbers of 112,000 French police officers was uploaded to Google Drive with minimal protection. The data’s only means of protection was a “simple password,” and an investigation has been launched to determine if the compromised data was accessed. The data reportedly originated from a health and benefit insurance firm tied to the police and was uploaded by a disgruntled ex-employee in what is described as “an act of revenge.” The situation comes as French police work to implement extra privacy measures for their officers following the murder of a police officer by an ISIS jihadi in early June. [International Business Times]

Location

WW – Location Data Can Help Facebook Make Friend Suggestions

Facebook’s “People You May Know” feature now uses location data in addition to other features to suggest potential connections on its mobile app. If users have their Facebook app location settings switched to “always have access,” the company’s algorithms can identify and suggest users who have shared GPS and network connections as potential friends. Not everyone is comfortable with the practice. “Using location data this way is dangerous,” said Samford University’s Woodrow Hartzog. “People need to keep their visits to places like doctor’s offices, rehab and support centers discreet.” Facebook countered that location isn’t the sole factor in its suggestion process. “That’s why location is only one of the factors we use to suggest people you may know,” a Facebook representative said. [Fusion] [Facebook admits to using your location to suggest friends]

Online Privacy

US – Google Beats Children’s Web Privacy Appeal, Viacom to Face One Claim

Google and Viacom defeated an appeal in a nationwide class action lawsuit by parents who claimed the companies illegally tracked the online activity of children under the age of 13 who watched videos and played video games on Nickelodeon’s website. By a 3-0 vote, the 3rd U.S. Circuit Court of Appeals said Google, a unit of Alphabet, and Viacom were not liable under several federal and state laws for planting “cookies” on boys’ and girls’ computers to gather data that advertisers could use to send targeted ads. The court also revived one state law privacy claim against Viacom, which alleges that it promised on the Nick.com website not to collect children’s personal information, but did so anyway. Monday’s decision largely upheld a January 2015 ruling by U.S. District Judge Stanley Chesler in Newark, New Jersey. It returned the surviving claim to him. [Source]

US – Browse Free or Die? New Hampshire Library Is at Privacy Fore

A small library in New Hampshire sits at the forefront of global efforts to promote privacy and fight government surveillance—to the consternation of law enforcement. The Kilton Public Library in Lebanon, a city of 13,000, last year became the nation’s first library to use Tor, software that masks the location and identity of internet users, in a pilot project initiated by the Cambridge, Massachusetts-based Library Freedom Project. Users the world over can—and do—have their searches randomly routed through the library. [Source]

Other Jurisdictions

AU – Victorian Watchdog Develops Protocols for Agencies

Victorian Commissioner for Data and Privacy Protection David Watts has established regulations that would require agency heads to adhere to a minimum standard of data protection principles. The rules, dubbed the Victorian Protective Data Security Framework, require agencies to have “a formal incident management plan; an organization-specific security management framework; and an access management regime,” among others. The rules also give the commissioner’s office “free and full access to data or data systems when requested.” [iTnews]

Privacy (US)

US – ACLU Files Legal Challenge to Computer Fraud and Abuse Act

The ACLU has filed a lawsuit challenging the Computer Fraud and Abuse Act (CFAA) on behalf of journalists, computer scientists, and academic researchers investigating online discrimination. The lawsuit focuses on a problematic CFAA provision: the prohibition against “exceeding authorized access” has often been interpreted to include violations of websites’ terms of service. [Washington Post: Does this cybercrime law actually keep us from fighting discrimination? | Computerworld: ACLU lawsuit challenges U.S. computer hacking law | Wired: Researchers Sue the Government Over Computer Hacking Law | CNET: ACLU sues to kill decades-old hacking law | SC Magazine: ACLU suit challenges CFAA for thwarting studies on discrimination | ACLU: ACLU Challenges Law Preventing Studies on ‘Big Data’ Discrimination | ACLU: SANDVIG V. LYNCH – COMPLAINT]

US – CDT Criticizes DHS’ Cyber-Threat Sharing Model

The Center for Democracy and Technology criticized the Department of Homeland Security’s cyber-threat sharing model. “The guidance fails to address many of the foundational issues in the law itself, and we remain concerned that [the Cybersecurity Information Sharing Act] will result in the sharing of sensitive personal information [that] could then be used for purposes that go far beyond ‘cybersecurity,’” the CDT said in a report. The CDT was highly critical of the four DHS guidelines for private organizations to share cyber-threat indicators with the government and amongst themselves. “None of the guidelines address one baseline issue — the overly permissive ‘use’ provision that allows cybersecurity information to be shared and then used for non-cybersecurity purposes,” the CDT said. [The Hill]

Privacy Enhancing Technologies (PETs)

WW – $6.1M Raised to Fund Data Startup

Data-sharing startup Digi.me has received $6.1 million in funding from its Series A push, most of which came from global re-insurer Swiss Re. The move “is one key plank of a strategy for bagging the critical mass of users needed to deliver on a radical rethink of how personal data is collected and shared online,” the report states. For Digi.me founder Julian Ranger, the service is about empowering each user. Digi.me is “bringing data together for the individual and we were doing it on the individual’s own devices — which is the key thing for Digi.me is that we don’t see, touch, nor hold any data ever; it’s all only held by the individual — and that’s when the whole idea for [the current business vision] came about,” he said. [TechCrunch]

RFID / IoT

US – Broadband Advisory Group to Study Privacy, Security of IoT

The Broadband Internet Technical Advisory Group has announced a study on the technical aspects of the Internet of Things industry’s privacy and security. The multistakeholder nonprofit will study mobile phones, computers, tablets and other devices. “To address the technical issues underlying these security- and privacy-related concerns, BITAG’s technical working group will analyze this topic and issue a report that will describe the issue in-depth, highlight technical observations, and suggest appropriate best practices,” the group said in a statement. The BITAG aims to release the results of the study in the fall, the report states. [Broadcasting & Cable]

Security

WW – 67% of Drives for Sale Still Contain Sensitive Data: Study

Security organization Blancco Technology Group (BTG) found that 67% of 200 analyzed hard drives purchased from eBay and Craigslist still contained previous users’ personally identifiable information. An additional 11% contained “sensitive corporate data.” Companies must “test that [their] deletion methods are adequate,” said BTG. “Remaining data can still be accessed and recovered unless the data is securely and permanently erased.” This can lead to data breaches, loss of consumer trust, and even enforcement action. The U.K. ICO fined the Brighton and Sussex University Hospitals NHS Trust 325,000 GBP in 2012 for selling unclean drives online. [InfoSecurity]

Surveillance

US – Courts 2015 Wiretap Report

According to the US Courts 2015 Wiretap Report, the total number of federal and state wiretaps issued in 2015 was 4,148, a 17% increase from the number granted in 2014. No requests were reported as denied in 2015. While law enforcement encountered encryption in just 13 of those cases, the FBI indicated that it does not seek wiretap orders in cases where it knows it will encounter encryption. The report does not include wiretap requests made to the Foreign Intelligence Surveillance Court. [Encryption, wiretaps and the Feds: THE TRUTH | US courts didn’t reject a single wiretap request in 2015, says report | Wiretaps harvest fewer encrypted communications | Wiretap Report 2015]

UK – Surveillance Bill Web Activity Logging a Huge Risk to Privacy, Peers Warn

A former senior chief in the U.K.’s Met Police and now a Lib Dem peer in the House of Lords has warned about major risks to the privacy of web users’ personal data from a provision in the Investigatory Powers bill that would require ISPs to retain information on the websites and services accessed by their users for a full 12 months — so-called Internet Connection Records (ICRs). Lord Paddick noted that the provision is not being requested by the security services, who have additional investigatory tools to obtain the data they need, so is purely a power on the police’s wish-list — going on to argue that the catch-all nature of ICRs is disproportionate given the warrantless access the bill affords police to this personal data on all U.K. web users. Any “reasonably high-profile individual” could be at risk of being accused of a crime they did not commit — resulting in their entire personal web access history being handed over to the police, Paddick argued. The draft bill has still to go through committee and report stages, so is certain to be subject to further amendments. Lib Dem peers are certainly mounting a concerted effort to tackle some of the more controversial elements of the bill, with Lord Strasburger also speaking out against ICRs, noting that a similar move was abandoned in Denmark in 2014 and warning the bill creates a “new theft risk” for internet users.
Other elements concerning the Lib Dem peers at this stage include threats to privileged communications, such as between lawyers and their clients; so-called “request filters,” which imply a behind the scenes attempt by the government to build a searchable database of citizen data (including pulling in data from ICRs); the “vexed question” (as Strasburger put it) of bulk powers — currently under independent review by QC David Anderson, which was another concession pushed for by the Labour party; inconsistencies in authorization mechanisms for intercept warrants; and the need to ensure judicial commissioners, who are set to approve and review warrants, are rigorously independent of the government that appoints them. Strasburger also pointed to the current turmoil in the U.K. political landscape following the Brexit vote, noting “how quickly ruthless politicians can replace leaders” and warning of associated risks to freedom and democracy if such intrusive legislation passes onto the statute books unamended. “In the hands of an extreme government the IP bill is a toolkit for tyranny,” he warned. [techcrunch.com]

Telecom / TV

CA – 911 System Framework Should Limit Info Required for Communications

The OPC comments on the CRTC’s Notice of Consultation regarding a regulatory framework for next-generation 911. Existing policy states that individuals’ name, location, telephone number, and service class are provided for responding to calls; however, other information will likely be collected (e.g. health information, voice and location information, personal medical alert systems, and intelligent transportation systems), and there should be boundaries to limit the information required and how it is accessed. [OPC Canada – Establishment of a Regulatory Framework for Next-Generation 911 in Canada – Submission to the CRTC]

WW – Norton Releases New App Protecting Data Over Public Wi-Fi Networks

Free Wi-Fi is no different to a filthy public toilet, water fountain or payphone. That’s according to antivirus firm Norton, which has released a new app designed to stop hackers from stealing users’ private information over unsecured Wi-Fi. According to Norton, more than one quarter of Australians have accessed banking or financial information while using public Wi-Fi — but most people can’t tell the difference between a secure and unsecure connection. The firm says hackers are eavesdropping and intercepting consumer information regularly, but 63% of Australians think their data is protected. Commonly available tools can easily see traffic, potentially exposing passwords, emails, social media accounts, photos, videos and financial information. The Norton Wi-Fi Privacy app, launched globally this week for iOS and Android, is designed to protect that data by routing all traffic through a virtual private network (VPN). It will also block advertisers from placing tracking cookies on your device. [news.com.au] [Yahoo] [Norton launches privacy app to combat hackers]

US Government Programs

US – FTC Closes 70% of Its Security Investigations

During a Heritage Foundation discussion on federal online data security regulations, Federal Trade Commission Commissioner Maureen Ohlhausen said her agency closes approximately 70% of the security investigations it opens. “The touchstone of our data security is reasonableness,” Ohlhausen said. “A company’s data security measures must be reasonable, in light of the sensitivity and volume of the consumer information it holds, the size and complexity of its data operations, and the cost of the available tools to improve security and reduce vulnerabilities.” Ohlhausen said the FTC doesn’t investigate companies over a single flaw, but rather, it investigates companies that have major issues with their overall security programs. If a company’s security is “reasonable, or even good,” she said, the investigation can be wrapped up quickly if the company resolves the issue in a timely manner. [FedScoop]

 

 

18-24 June 2016

Biometrics

WW – IBIA Approves New Facial Recognition Best Practices

The International Biometrics + Identity Association voiced its approval of a new set of facial recognition best practices. The guidelines were created by the Department of Commerce’s National Telecommunications and Information Administration, and have been hailed by the IBIA as a flexible guideline for numerous applications of the technology, including authentication and social media. “The clear benefits of facial recognition technology come with a responsibility to users and consumers,” said IBIA Managing Director Tovah LaDier. “These privacy best practices will help to assure the public that facial recognition is being used responsibly and accountably. They also demonstrate the strong commitment of the industry to protecting the public’s privacy, even as new technologies and applications emerge.” [Planet Biometrics] [NTIA group agrees on face recognition code of conduct]

Canada

CA – The OPCC has Released Its Annual Report for 2015-2016. [Source]

CA – PI Contained in Public Court or Tribunal Decisions is Publicly Available Information: OPC

The Office of the Privacy Commissioner investigated a complaint about an online legal database pursuant to PIPEDA. The OPC dismissed a complaint alleging an online legal database unlawfully published an individual’s PI by publishing a court decision about her; the PI appeared in a public judicial document for which there was no publication ban, and the company’s subscription-based research tools and services do not undermine the balance between privacy and the open courts principle. [OPC Canada – PIPEDA Report of Findings #2015-013 – Online legal database doesn’t need consent to use publicly available court decisions, in support of the open court principle]

CA – Decision Provides Rare Insight on the Applicability of RTBF in Québec

On April 14th, 2016, the Commission d’accès à l’information (the “CAI”) issued a decision discussing the relevance of the “right to be forgotten” with regard to the “right to rectification” found in the Act Respecting the Protection of Personal Information in the Private Sector, CQLR, c. P-39.1. The CAI interestingly noted that a person’s right to rectification with respect to inaccurate, incomplete or equivocal information is distinct from the “right to be forgotten.” This right, which is recognized in the European Union, allows individuals to stop search engines from providing links to information about them that is deemed “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes of the processing at issue.” As a result of this decision, it is now clear that the right to be forgotten is irrelevant to the examination of the right to rectification, as the two rights are different, both conceptually and practically. [Source]

CA – Therrien to Trudeau: Government Privacy Law Outdated

In a letter to Prime Minister Justin Trudeau, Privacy Commissioner Daniel Therrien warns that without renewal, protections under Canada’s Privacy Act “are proving to be increasingly out of touch with Canadians and their engagement with the digital world.” The act, which governs federal government data handling, was passed in 1983 and no substantial changes have been made to it since, reports The Star, even while advances in technology have dramatically changed the way government does business. A representative for the prime minister says the issue is a priority and they “are committed to working with the commissioner on an active and ongoing basis,” noting the minister of justice is reviewing the recommendations. [Source]

CA – BCCLA Says Warrantless Spying on Canadians Must End

In the latest step in a court case launched in 2013, the British Columbia Civil Liberties Association is asking the federal court to allow access to government documents that would shed light on the surveillance activities of the Communications Security Establishment. Specifically, the BCCLA objects to the warrantless collection of information on Canadian citizens, and points to recent data mishandling by the CSE as part of its participation in the Five Eyes program with Australia, New Zealand, the U.K. and the U.S. “The CSE is engaged in what is surely one of the largest warrantless activities directed at Canadians,” the BCCLA Litigation Director Grace Pastine told On the Coast guest host Michelle Eliot. [CBC News]

CA – Federal Court Finds Individual’s Request for Review of OPC Report Misdirected

The Federal Court hears E.W’s request for review of the findings of the Privacy Commissioner of Canada in response to her privacy complaint against the Department of Human Resources and Skills Development Canada. The OPC (after an investigation of the individual’s complaint of alleged improper collection of personal information without her consent) could not reach a finding, since 12 years had passed since the alleged collection, and the file retention period for the information had elapsed; the individual was provided opportunity to make submissions, all relevant evidence was investigated by the OPC, and the individual’s grievance lies with the institution that collected the data, not the OPC. [E.W. v. Privacy Commissioner of Canada – Federal Court – 2015 FC 1420]

CA – Proposed Manitoba Bill to Protect Kids Draws Privacy Criticism

Proposed legislation that would make it easier for Manitoba agencies and police to share information about at-risk children is raising privacy concerns. The Progressive Conservative government introduced Bill 8, the Protecting Children (Information Sharing) Act, earlier this week. The bill authorizes organizations and others who provide services to at-risk and vulnerable children to collect, use and disclose personal information or personal health information about them. The act would apply not only to children in the care of CFS or those involved in the criminal justice system, but also to those who require disability services, mental-health services, addiction services, victim services and to schoolchildren with special needs who require an individual education plan. Information could be disclosed about parents or guardians of the children.  Michelle Falk, executive director of the Manitoba Association for Rights and Liberties, said it appears the bill would give “ordinary bureaucrats” the power to make judgment calls that could have long-term implications for children in care and their families. “It gives unfettered authority to any government department, agency or the police department to share any information to any other department,” she said Thursday. [Winnipeg Free Press]

CA – Other Canadian News

Consumer

CA – New Online Tool Allows Users to Ask Companies About Their Data

A new version of a Canadian website allows individuals to contact companies to see what information they have collected. Access My Info Canada originally was created to message telecommunications companies, but the new version launched by developer Andrew Hilts now gives users the chance to reach out to companies making fitness trackers and dating apps. “This can help people answer questions if they’ve ever wondered if their cellphone provider is logging their location, or if their online dating app is ever sharing their sexual preferences,” said Hilts. Access My Info has been created to help consumers understand their rights under Canadian privacy laws, while also giving them information on what data could be compromised if a company were to suffer a data breach. [CBC News]

US – For Consumers, Injury Is Hard to Prove in Data-Breach Cases

The Wall Street Journal reports on consumer lawsuits following data breaches, and whether companies should be forced to compensate customers for attacks exposing sensitive information. Judges dismiss the majority of lawsuits stemming from major data breaches, including those arising from attacks against Target and Home Depot, because customers have not been able to prove the breaches have caused any tangible harm. Companies argue having personal data exposed doesn’t equate to harm requiring compensation, and when stolen credit card information results in fraudulent purchases, customers often cannot prove the fraud was a result of the breach. Federal judges in Illinois and California, however, have let lawsuits proceed, possibly opening a door for corporate liability. [Wall Street Journal]

US – Privacy by the Numbers: A Deep Dive into the Structure of Privacy Policies

As researchers from the Common Sense District Privacy Evaluation Initiative analyze the correlation between the content and stylistic infrastructure of privacy policies, they have flagged “potential indicators” that they say will help them to analyze them more efficiently, the group’s Bill Fitzgerald writes. While Fitzgerald said he and his researchers “do not think we will find any direct correlation between policy structures and whether terms are good or bad,” technical elements of the policies, such as reading level, length of terms and structure, create patterns that matter. “It’s difficult to say what constitutes a ‘normal’ policy without a baseline, and the work we will be launching this summer will help create a clearer picture — supported by openly available data — of what a typical policy looks like,” he wrote. [The Journal]

E-Mail

US – Supreme Court Decision May Support Microsoft’s Position in Ireland Server Data Case

In a decision released earlier this week, the US Supreme Court wrote, “absent clearly expressed congressional intent to the contrary, federal laws will be construed to have only domestic application.” The ruling was made in a RICO (Racketeer Influenced and Corrupt Organizations) Act case. While unrelated to the Microsoft case in which the company is refusing to surrender data held on a server in Ireland to US officials, the decision could provide support for Microsoft’s position that the Electronic Communications Privacy Act (ECPA) does not say that Congress intended it to “reach private emails stored on provider’s computers in foreign countries.” [Computerworld: Microsoft invokes Supreme Court opinion in Ireland email case]

WW – Board Members Increasingly Targeted by Spearphishing Schemes

A growing trend is corporate boards of directors falling victim to spearphishing attacks. Board members are hit when they receive malicious emails asking for tax information or bank transfers and pass the request on to another employee who handles the response. Members have lost financial statements, cybersecurity documents and intellectual property, mainly through a lack of education on identifying spearphishing emails. “Most board members use personal email accounts to handle board communications so they don’t get mixed with the emails from the companies where they work,” said Experian Information Solutions Vice President, Data Breach Resolution Michael Bruemmer. “These are less secure, and we have seen examples of these accounts having been compromised.” [CSO Online]

Encryption

US – Apple Makes Encrypted Operating System Public

In a surprising move, Apple has exposed the inner workings of its encryption-based operating system for the first time. The tech giant did not reveal whether the disclosure of its kernel was by design, but many in the security industry believe Apple made the code public in order to help locate possible security weaknesses in the software. To date, Apple has not run any bug bounty programs. The move comes after Apple’s well-publicized battle with the FBI in the San Bernardino case. By choosing to expose its software rather than starting a bug bounty program, Apple is taking a big risk, the report states. “This is a gamble,” said forensic scientist Jonathan Zdziarski. “But I can see the possible reason that Apple may have decided to make this wager.” [MIT Technology Review]

EU Developments

EU – German Court Ruling: WhatsApp Must Translate English TOS and Privacy Policy to German

German courts have ruled WhatsApp has violated the country’s Telemedia Act by forcing users to agree to the app’s terms of service in English. When the judgement is finalized, WhatsApp will be required to translate its terms of service and privacy policy into German, or face a $283,000 fine. Klaus Muller, CEO of the Federation of German Consumer Organizations, said companies make it difficult for consumers to comprehend terms of service, and WhatsApp has made it even harder for German users with the conditions written in a foreign language. The courts ruled WhatsApp’s violation stems from not allowing users to contact a German country representative if they have any questions or concerns. WhatsApp has not announced whether it will appeal the ruling. [Neurogadget]

Facts & Stats

CA – Average Cost of a Data Breach Up 12.5% Among Canadian Firms: Report

Canadian CISOs who want more hard data to convince the C-suite and boards to devote more resources to cybersecurity have a new report to show. If a study of 24 Canadian organizations is accurate, the total cost over a recent 12 month period of a breach of over 1,000 records went up 12.5 per cent compared to 2014 to just over $6 million. Another way of looking at it is the average cost per record stolen or lost went up 10.6% to $278 compared to the same period the year before. These numbers come from a study released last week by the Ponemon Institute that was funded by IBM. The costs were based upon estimates provided by participating victim organizations. The report is part of an annual global study of breaches in 13 countries (United States, United Kingdom, Germany, Australia, France, Brazil, Japan, Italy, India, the United Arab Emirates, Saudi Arabia, Canada and, for the first time, South Africa), which last year covered 383 organizations. The average cost of a breach across all those firms was US$4 million. [IT World Canada]

Filtering

UK – Mandatory Web Monitoring in Schools Opens a Slippery Can of Worms

Without Parliamentary or public discussion, children’s internet use will be monitored by third parties from September. This is despite widespread associated concerns – including choking off free speech, religious freedom, and staff feeling vulnerable – presented to the Joint Select Committee for Human Rights by experts in education and security legislation. The brief paragraph 75 in the Department for Education (DfE) “New measures to keep children safe online at school and at home” statutory guidance, Safeguarding in Schools, will impose a change from a duty ‘to consider’ web monitoring to one that ‘should ensure’ it for educational establishments, excluding 16-19 academies and free schools. The supporting advice to which the Government response points suggests actively monitoring all screen activity during a lesson from a central console using appropriate technology as a solution, even in circumstances that suggest low risk, and that logfile information should be able to identify an individual user and be reviewed regularly. Pro-active monitoring is suggested where alerts are managed by a third-party provider. The Department for Education’s summary response and advice, however, offers school leaders little practical support on how to concretely take these things into account while still meeting human rights legislation. Without explicit clarity on the practice of monitoring personal electronic devices not owned by the school, we risk a slippery descent into schools made complicit in a privacy invasion of family life. [Schoolweek]

FOI

CA – Audit Finds Vancouver Failing to Meet FOI Deadlines, Deleting Emails

City hall has received a stern talking to from the province’s information and privacy commissioner following an audit of Vancouver’s compliance with freedom-of-information (FOI) laws. “It is clear to me there is a need for change to the approach city staff use in processing access requests,” commissioner Elizabeth Denham said in a June 23 media release. “We observed shortcomings in almost every step of the freedom of information process—from receipt of the request, to searching for records, to the timeliness of response to the applicant and the content of the response itself.” The audit, conducted by the Office of the Information and Privacy Commissioner of B.C., mostly focuses on FOI response times and delays that appear to target requests filed by members of the media. But the report’s most troubling findings concern the alleged deletion of records and evasion of FOI laws. The OIPC, however, found that an examination of these concerns fell outside the scope of its investigation. [Straight]

CA – NFLD Public Bodies Should Not Allow Staff Use of Personal Email Accounts for Work

The Office of the Information and Privacy Commissioner in Newfoundland and Labrador (“OIPC”) issues guidelines relating to the use of personal email accounts for public business. Use of personal email accounts does not relieve the duty to thoroughly search for records responsive to FOI requests and produce them; however, officers and employees may be reluctant to produce records from these accounts or provide access for FOI purposes. Personal accounts are also less likely to meet requirements to protect personal information under a public body’s custody or control (terms of service may allow for third-party access, and security features may not be adequate). [OIPC NFLD – Use of Personal Email Accounts for Public Business]

US – Dropbox’s New Transparency Report Includes State-By-State Breakdown

Releasing its biannual transparency report, Dropbox has included a state-by-state breakdown of government requests in their July-December 2015 study. Dropbox received 574 requests for user data from around the globe, including 348 search warrants and 206 subpoenas, providing information on the vast majority of inquiries. California had more requests than any state in the U.S. with 70, followed by Texas with 49, Florida with 48, and Virginia with 32. “Although we continue to see an increase in requests from U.S. law enforcement, the numbers remain small compared to our user base of over half a billion users,” Dropbox said in a blog post. The company also detailed the joint efforts with tech companies to oppose government legislation forcing organizations to undermine their security protocols. [Dropbox Blog Post]

Genetics

CA – Supreme Court Rules Police Can Swab Suspected Rapist Without Warrant

In a ruling that adds to police powers in investigating rape, the Supreme Court of Canada says police have the right to take a penile swab (without a warrant) from suspected attackers, forcibly if necessary, as long as they do so in a private cell and have reasonable grounds to believe they will find relevant evidence. Just two Supreme Court judges, both of them women, said a penile swab should be deemed an illegal search. In a strong dissent in the case, Justice Andromache Karakatsanis accused the majority of straying from precedents that found a “close relationship between bodily privacy and human dignity.” Justice Rosalie Abella said she would have disallowed the penile swab and barred the evidence from being used. [G&M]

Health / Medical

CA – Trillium Health Partners Hit With Privacy Class Action

A class-action lawsuit has been filed against Trillium Health Partners, alleging a doctor’s assistant used patient credentials to access medical records. Former patient Katie Mallinson filed the suit against Dr. Tony Vettese and his assistant Lisa Lyons, claiming Lyons accessed Trillium’s database to review the confidential records of an unknown number of patients for many years. The records contain sensitive medical information, including medication history, treatments received and diseases suffered. The suit seeks $2 million in general damages, while stating Trillium’s privacy policies and procedures are “inadequate, underfunded and unenforced.” Trillium was not aware of Lyons’ improper access until Mallinson first became suspicious of illicit activity. [Press Release] See also: [397 medical records snooped at Hamilton General Hospital]

US – Workers May Soon Have to Share Health Data — Or Pay A Penalty

New Equal Employment Opportunity Commission regulations may force employees to share medical data in order to qualify for benefits, or face penalties. If employees choose not to share medical data with their employers, they face increases in health premiums and the possibility of the EEOC suing their organization. Privacy advocates are concerned employees will have to pay more for their privacy as well as face potential discrimination if an employee chooses to opt out of the program. Wellness programs also have access to medical records and insurance claims data, meaning employers can learn about genetic test results and access information on employee family history. “Our argument is participation in a wellness program is simply no longer voluntary if employees can be penalized in this way,” said American Society of Human Genetics Science Policy Director Derek Scholes. [BuzzFeed]

WW – Google Unveils Symptom-Search Functionality

Google has announced it will list related conditions when users search the site using health symptoms as keywords. “We create the list of symptoms by looking for health conditions mentioned in web results, and then checking [sic] them against high-quality medical information we’ve collected from doctors for our Knowledge Graph,” the report states. The move is an effort to simplify accessing and understanding online health information. The feature will go live in “the next few days” in the U.S. and will expand internationally in the future. [Google Blog]

US – OCR Releases Video Guidance on Provision of Medical Records

The summer movie season is now officially in full swing, with the release of three informational videos regarding HIPAA and the right of individuals to access their medical records, published by the Office of Civil Rights of the Department of Health and Human Services. The video trilogy, and accompanying infographic, are the eagerly-awaited sequel to OCR’s guidance “Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.525,” issued earlier this year. That guidance is essential reading for companies operating in the medical records space, as it sets forth OCR’s views on such topics as how records must be provided upon request, methods for calculating reasonable fees for copies, and provision of medical records to third parties at a patient’s direction. [Source]

Horror Stories

US – Three Hacked Hospital Databases Up For Sale on Deep Web

Breaches of three separate health databases by one hacker have resulted in more than 650,000 medical records for sale on the deep web. The hacker was able to tap into a vulnerability in each database’s Remote Desktop Protocol. One database from Georgia containing more than 400,000 records is priced at 607 bitcoin, the report states. “Although it remains unclear as to which hospital was attacked, this story goes to show how lackluster IT security keeps plaguing the health care industry,” the report adds. Meanwhile, a TrapX Security study has found that hackers are increasingly targeting medical devices used within hospital systems, ZDNet reports. These tools “often contain backdoors, botnet connections and remote access tunnels for cyberattackers to manipulate devices,” the report adds. [The Merkle]

WW – Hacker Plans to Release 100,000 Escort Site User Records

Moroccan hacker ElSurveillance has breached and defaced an additional 37 escort sites, which are mostly from the U.K., and pledged to leak 100,000 users’ data online in the coming week. This is not the first instance of ElSurveillance’s breach activity, with the hacker claiming 79 defacement incidents of similar sites in January, the report states. The hacks are religiously motivated. “[O]ur bodies are gifted from Allah to us to look after and not to destroy,” the hacker said. “Unlike [ElSurveillance’s] fellow ISIS-affiliated colleagues who spread fear, threats and warnings of violence, he’s spreading a message of peace and a religious-rooted message,” the report adds. [Softpedia]

CA – Personal Info in 100,000 IT Requests Compromised in SFU Privacy Breach

More than 100,000 Simon Fraser University information technology service requests from 2013-2016 were inadvertently stored in an unprotected server for four months. The data compromised included 20,294 email addresses, contact information and other personal data, the report states. The school’s IT team discovered the breach May 16 and brought the information offline the next day, notifying the affected students in early June, the report adds. “We have no evidence that any third party accessed the database during the time it was unprotected, nor do we have any evidence that there was any misuse of the information contained in the database,” said SFU Communications Director Kurt Heinrich. He added that the school was reviewing and modifying additional breach protections. [Burnabynow]

Identity Issues

WW – Dashcam Smartphone App to Employ License-Plate Detection

A new smartphone app takes all of the features of a dashcam and adds license-plate detection to warn users of potentially dangerous drivers. The Nexar app uses a smartphone’s camera to detect and record automotive activity and collisions. It also plans to add “real-time warnings” to help drivers avoid cars with bad track records. Nexar uses machine vision and artificial intelligence algorithms to locate license plates and record drivers who speed and perform illegal maneuvers. Privacy concerns will likely arise, but the recording process is likely legal. “Courts generally say that people generally have little or no expectation of privacy in the movements of their cars on public roads,” said University of Chicago law professor Lior Strahilevitz, “as long as cars aren’t being tracked everywhere they go for a lengthy period of time.” [PC Magazine]

Location

US – Ad Network Settles with FTC, Will Pay $950,000 for Location Tracking

The FTC announced it has settled with the Singapore-based mobile advertising company InMobi under charges that it “deceptively tracked” the locations of hundreds of millions of consumers — including children — without notification or consent. As part of the settlement, InMobi will pay $950,000 in civil penalties and implement a comprehensive privacy program. The FTC alleges that the company — whose ad software reaches nearly 1 billion consumers worldwide — also violated COPPA by collecting location information from apps directed at children. “This settlement ensures that InMobi will honor consumers’ privacy choices in the future, and will be held accountable for keeping their privacy promises,” said FTC Bureau of Consumer Protection Director Jessica Rich. [FTC] [Ars Technica: Firm pays $950,000 penalty for using Wi-Fi signals to secretly track phone users | Computerworld: Mobile advertiser tracked users’ locations without their consent, FTC alleges | FTC: Mobile Advertising Network InMobi Settles FTC Charges It Tracked Hundreds of Millions of Consumers’ Locations Without Permission]

Online Privacy

US – Senate Rejects Measure That Would Allow FBI to Search Browsing Histories Without a Warrant

US legislators have rejected an amendment to a criminal justice funding bill that would have allowed the FBI to conduct warrantless searches of people’s browsing histories. While the measure garnered a majority of the votes, it failed to obtain the necessary 60 votes to advance. The issue may come up for consideration as soon as next week, however, because Senate majority leader Mitch McConnell submitted a motion to reconsider it. [CNET: Senate nixes plan for warrantless FBI searches of internet browsing histories | ZDNet: Senate rejects FBI bid for warrantless access to internet browsing histories | Washington Post: After Orlando, Senate rejects plan to allow FBI Web searches without court order]

WW – New Firefox Feature Allows Users to Create Individual ‘Personalities’

A new feature from Mozilla will allow users to separate their web history within their browser. Firefox Containers divides the browser into individual “personalities.” Each persona can be used for different internet activities, such as banking, work, shopping and for personal use. The browsing histories and cookies are kept within a “fully segregated cookie jar” by keeping each persona’s caches separate, according to a Mozilla blog post. “We all portray different characteristics of ourselves in different situations,” said Mozilla Security Engineer Tanvi Vyas. “But when I use the web, I can’t do that very well. There is no easy way to segregate my identities such that my browsing behavior while shopping for toddler clothes doesn’t cross over to my browsing behavior while working.” [The Christian Science Monitor]

US – Cloud-Based EHR Company Settles FTC Complaint It Failed to Advise that Reviews of Doctors Containing Patient Information Would Be Made Public

This FTC agreement settles allegations that Practice Fusion, Inc. failed to disclose that consumer reviews containing sensitive personal information would be publicly disclosed in violation of the FTC Act. The company is prohibited from misrepresenting the extent to which it makes certain information (e.g. health information) publicly available (including by posting on the Internet); prior to such disclosure, the company must provide notice and obtain express consent from consumers, and must not maintain any healthcare provider review information (except for review and retrieval by its healthcare provider customers, or as permitted by law, regulation or legal process). [FTC – In the Matter of Practice Fusion, Inc. – Complaint and Agreement Containing Consent Order | Press Release | Complaint]

Other Jurisdictions

IS – Judge Approves $400 Million Class Action Against Facebook for Violating Privacy

Israel’s Central District Court has approved a $400 million privacy class-action suit against Facebook, ruling that the company’s terms-of-use requirement for all lawsuits to be heard in California was invalid. The suit alleged that the company both breached privacy protocols by targeting advertisements based off of users’ private posts, and failed to register its database in Israel’s national database registry as mandated by the country’s law, the report states. “Perhaps the time has come to examine the issue from a different angle, from the customer’s standpoint, especially when he’s the customer of huge international corporations that deal with customers all over the world,” said Judge Esther Stemmer. The court gave Facebook 90 days to respond to the suit. [Haaretz]

Privacy (US)

US – Tech Companies Oppose Government Hacking Rule Change

A group of 50 organizations including Google and the American Civil Liberties Union has called upon Congress to block “dangerously broad” changes that, effective Dec. 1, increase judges’ warrant jurisdiction. The changes to Rule 41 of the Federal Criminal Procedure “invite law enforcement to seek warrants authorizing them to hack thousands of computers at once — which it is hard to imagine would not be in direct violation of the Fourth Amendment,” the letter states. Meanwhile, in an additional report from Morning Consult, Sen. John McCain, R-Ariz., expressed his support for FBI Director James Comey’s surveillance perspectives over those of privacy advocates. “I have great sympathy for them but I respect more the view of Director Comey,” he said. [Morning Consult]

US – NTIA Publishes Revised Best Drone Practices Guidance

The National Telecommunications and Information Administration has released an updated best drone practices guidance. The guide is the culmination of a two-month public comment session and subsequent May 18 meeting on drone privacy and transparency issues. Meanwhile, the Federal Aviation Administration has published a 600-page drone regulation document that does not include specific privacy protocols, The Intercept reports. The Electronic Privacy Information Center responded to the announcement with a statement on its website, recalling its 2015 suit of the FAA for failing to regulate drone privacy. [NTIA]

US – Obama Administration Approves FAA Rules for Small Drones

The Obama administration has approved the commercial use of small drones. The Federal Aviation Administration created a new class of rules for drones that weigh less than 55 pounds and fly up to 400 feet and below 100 miles per hour. Drone operators now have the ability to fly the unmanned aircraft without special permission, but must be at least 16 years old. Drones will not be allowed to fly at night, unless they have special lighting and stay at least 5 miles from an airport. Transportation Secretary Anthony Foxx said, “As this new technology continues to grow and develop, we want to make sure we strike the right balance between innovation and safety.” [Reuters] [Op-ed: FAA’s rules for small drones are flawed]

US – AG Enforcement, Algorithmic Discrimination Top PLSC Line-Up

The Privacy Law Scholars Conference held its ninth annual gathering in Washington at the beginning of this month, bringing together academics and practitioners to present papers that are still in development. The workshop environment is a closed circuit — no tweeting or blogging about what happens there is allowed, and papers may or may not ever be published. However, papers and ideas inevitably rise to the top, and the IAPP recognizes two of those with its annual IAPP Papers Award, voted on by attendees. [IAPP]

Privacy Enhancing Technologies (PETs)

WW – Silent Circle Launches Virtual Security Assistant Privacy Meter

Silent Circle has announced its Silent OS 3.0 for Android mobile phones will include a program that will regularly scan a device, alerting the user if any apps, services or settings contain privacy-compromising elements. The program, dubbed “Privacy Meter,” is automatically embedded into the operating system, the report states. “Think of it as an assistant that is always next to you helping you maintain the most awareness of your Privacy Profile,” said Silent Circle’s David Puron. “Whether you have available software updates, your browsing certificates have been altered, or an app is sharing your location, the Privacy Meter will show you what is happening then guide you through the appropriate configurations, if desired.” [ZDNet]

RFID / IoT

US – Chicago Needs More Detail in Array of Things Privacy Policy, Experts Say

The city of Chicago is preparing to install a network of sensors that will track people on city streets — walking, biking, driving — and privacy experts say it needs to better spell out how it will use that information. The nine-page privacy policy includes just a few paragraphs on how the data will be collected, used and shared. The city plans to install 500 Array of Things devices across the city by the end of 2018. They will house sensors including a low-grade camera and microphone that can capture images and sound from passersby, bringing a new scale of data collection to busy intersections. Officials say the project will help improve city life by analyzing patterns in environmental and human behavior. City officials are seeking public input on the policy before installing the first 42 devices, slated to go up around the city starting in late July. The second of two public forums on the policy is from 5:30 to 7 p.m. Wednesday at the Harold Washington Library downtown. [Chicago Tribune]

Smart Cards

US – California County Approves Ordinance Restricting Government Use of New Technologies

The Board of Supervisors of Santa Clara County approved Ordinance No. NS-300.897, relating to surveillance technology and community safety. Law enforcement must seek approval of the County Board before purchasing any new surveillance technologies (e.g. drones, automated license plate readers, GPS, cell-site simulators, RFIDs, facial recognition, biometric identification); annual surveillance reports must be submitted to the Board detailing usage, complaints, internal audits, and how successful different technologies have been. [Ordinance No. NS-300.897 – Surveillance Technology and Community Safety – Board of Supervisors of Santa Clara County]

US Government Programs

US – DHS Wants to Snoop on Travelers’ Facebook, Twitter, and Instagram Accounts

The Department of Homeland Security has opened its proposal to include an optional field to disclose social media handles in travel documents to public comment. The documents in question are the Electronic System for Travel Authorization and Form I-94W, a document foreign travelers complete when leaving and entering the U.S., the report states. “Please enter information associated with your online presence — Provider/Platform — Social media identifier,” the forms would read if the proposal is accepted. “As phrased that could include your Twitter handle, the URL for your Facebook page, your OkCupid or Grindr handle …” the report adds. “Where does it end?” DHS will accept comments here until Aug. 22. [Fusion]

US Legislation

US – McConnell Pushes Measure to Expand Surveillance Tools

Senate Majority Leader Mitch McConnell, R-Ky., has proposed an amendment to the bill funding the Department of Justice and Department of Commerce that would both increase federal law enforcement surveillance powers and “permanently extend” elements of the PATRIOT Act. “Both measures have been criticized by privacy and civil liberties advocates, who have fought the proposals on multiple fronts in recent months,” the report states. The bill is considered similar to the legislative revisions Senate Republicans aim to make to the Electronic Communications Privacy Act, the report adds. A procedural vote on McConnell’s amendment is predicted for Wednesday. [The Hill]

US – Other Privacy News

Workplace Privacy

WW – BYOD Can Pose Privacy Risks to Employees: Study

Companies that use remote device management software to oversee employee devices used for business have the ability to collect a lot more information than employees may be comfortable with, according to a report released today. “The intent of these MDM solutions is not to spy on employees, but to monitor for things like malware and general security,” said Salim Hafid, product manager at Bitglass, which produced the report. But if the company wants to, these tools provide the ability to do a lot more, he said. That includes seeing where the phone is located, what apps are on the phone, and even what websites the user was accessing. “We were able to see virtually all the activity on the device,” he said. “We could see that some of our employees search for health information on the web.” [CSO Online]

WW – Russian Technology Allows Employers to Monitor Phone Calls

A Moscow security firm has created technology allowing companies to listen in on mobile calls made on their property. InfoWatch, a former subsidiary of Kaspersky Lab, says it has created the product for companies trying to curb information leaks by scanning employee phone calls for key terms that may prompt an investigation. While InfoWatch is legal in Russia, installing it in western countries would be very difficult. “This technology may become a hot ticket for any company seeking to protect its commercial secrets,” said Gartner analyst Petr Gorodetskiy. “But it can’t be rolled out in markets where it may trigger court claims.” Others question whether the product is truly functional. “The part that puzzles me is how successful speech recognition, transcription and automated analysis of texts can be,” said Polytechnic University of Milan professor Stefano Zanero. “I would be surprised if any major company decided to buy into this.” [Bloomberg]

+++

 

10-17 June 2016

Biometrics

US – GAO Criticizes FBI on Facial Recognition Database

The Government Accountability Office has issued an in-depth report critical of the FBI’s use of facial recognition technology. Specifically, the GAO has “concerns regarding both the effectiveness of the technology” and the “protection of privacy and individual civil liberties.” The FBI has collected 411 million photos in various databases. “The FBI has entered into agreements to search and access external databases — including millions of U.S. citizens’ driver’s license and passport photos,” the GAO states, but until the FBI can assure the data they receive is accurate, “it is unclear whether such agreements are beneficial to the FBI.” Meanwhile, the National Telecommunications and Information Administration released suggested best practices derived from its multi-stakeholder process on facial recognition. Several consumer and privacy advocacy organizations have come out against the guidelines. [ZDNet] [Huge FBI facial recognition database falls short on privacy and accuracy, auditor says]

AU – Australian Cops Want to Use Fingerprint Scanners to ID People In Public

The South Australian state parliament is considering a proposal to give police the power to scan fingerprints in public. If passed, the bill will give police the ability to request fingerprints from anyone they suspect of committing a crime—and anyone they think may be able to assist with an inquiry. Police are currently able to stop anyone on the street and request to see some form of traditional ID, but fingerprints are only allowed to be taken once a person has been charged. If the bill gets passed, suspects will be required to have their prints scanned upon request. Since 2014, the SA Government has trialled 150 scanners sporadically across the state and plans to spend $3.4 million on the technology if approved. The new scanners would be wirelessly linked to the National Automated Fingerprint Identification System, which will allow officers to access criminal records within a minute of scanning a suspect’s prints. Deputy Premier John Rau has released a statement arguing why fingerprint scanners are a good idea. “Legislative reform is necessary to enable police to use the scanners in wider circumstances, where a person does not have to give consent and police can scan for prints without the need to arrest,” he said. However, there’s been considerable backlash from both sides about the ramifications for privacy and civil liberties. Greens leader Mark Parnell likened the changes to something out of George Orwell’s 1984. “This is the realm of science fiction and it should send shivers down everyone’s spine,” he told The ABC. “It enables all manner of biometric testing and it does actually lead to a situation where the state could hold a database of every single person’s fingerprints.” [Source]

WW – Apple’s New Photo System to Include Facial Recognition

An update to Apple’s Photos software will include facial recognition technology. The upgrade will catalog photos within the app by the face of the person within the image. Apple’s new feature comes as Facebook and Google are locked in lawsuits over facial recognition capabilities, specifically possible violations of the Illinois Biometric Information Privacy Act. Apple Senior VP of Software Engineering Craig Federighi said the system uses local data rather than storing it on company servers. Though Apple’s features differ from those of Google and Facebook, it is not yet known if they would violate the Illinois law. [The Verge]

Canada

CA – New Spy Watchdog Will Have Power to Examine ‘Any Activity, Any Operation’

Sweeping powers to scrutinize “any issue, any activity, any operation” will be granted to a new committee of parliamentarians to watch over federal spying and other clandestine security and intelligence activities, the government has announced. The long-promised Bill C-22 tabled in the Commons proposes to create an unprecedented “national security and intelligence committee of parliamentarians” to hold to greater account the nation’s two chief spy services and at least 15 other departments and agencies with national security responsibilities. The move fulfils a major Liberal election promise to increase parliamentary scrutiny of national security operations to offset the expansive and controversial counterterrorism powers under the Anti-terrorism Act of 2015, formerly Bill C-51, to investigate, detain, arrest, silence or otherwise thwart individuals suspected as threats to the security of Canada. The all-party committee of nine MPs and two Senators, to be chosen by Prime Minister Justin Trudeau and supported by a small secretariat, would be sworn to permanent secrecy and handed a broad mandate to probe, mainly ex post facto, any and all national security activities to gauge whether they are effective, efficient and legal. Its primary investigative tool would be a statutory power to access many of the nation’s most guarded secrets. “They will be able to ask questions and conduct inquiries and satisfy themselves that two important objectives are being met: to make sure our security and intelligence agencies are being effective in keeping Canadians safe and to make sure they are safeguarding the rights and freedoms of Canadians.” Though the legislation clearly empowers the committee to explore and review the country’s deepest confidences, it also offers government a handful of disclosure escape clauses. Chief among them is the state’s power to deny the committee information “injurious to national security,” a catch-all clause that past governments have used to slam the door on politically sensitive or otherwise damaging inquiries. [National Post]

CA – New Bill Would Allow Border Guards to Collect Data on Those Leaving Canada

Public Safety Minister Ralph Goodale has proposed revisions to the Customs Act that would allow the federal government access to the personal data of Canadian travelers leaving the country. The information collected wouldn’t extend beyond information collected in a passport’s second page — meaning “full name, nationality, date of birth, gender and issuing authority of the passport,” the report states. “Having this data will allow us to better respond to Amber Alerts, for example, on missing children,” Goodale said. “It will help us deal with human trafficking. It will help us deal better with illegal travel by terrorist fighters.” [CBC News]

CA – Privacy Watchdog Seeks More Stringent Laws in Wake of Health Breach

B.C.’s privacy commissioner is calling on the province to step up its privacy laws and impose fines of up to $50,000 for health-care workers found snooping. “It’s a significant issue of public trust when one or more individuals access electronic health records without authorization,” B.C. privacy commissioner Elizabeth Denham said in an interview. B.C.’s privacy laws are outdated when it comes to protecting electronic health records from general snooping, Denham said. [Times Colonist] See also: 2 BC health workers fired in breach that included high-profile people

CA – Sask Cops, MLAs & Ministers to Fall Under FOI Legislation

New legislative amendments brought forward by the Saskatchewan government on Monday could soon mean police in the province will be subject to freedom of information requests. The proposed amendments to Saskatchewan’s FOI and privacy laws received first reading in the Legislature on June 13. One of the proposed changes is to extend the FOI legislation to include police services. Other changes include creating a new offence for snooping, extending privacy requirements to include MLA and cabinet ministers’ offices and increasing penalties for privacy violations. The Saskatchewan Information and Privacy Commissioner, Ronald Kruzeniski, said in a statement he is pleased with the proposed amendments and will work further on FOI regulations once the amendment is passed. [Global News]

CA – Frustration Over Health Disclosure Doesn’t Trump Privacy Protection: Experts

After a case involving a 21-year-old taking her own life following a battle with depression, Nova Scotia is examining whether it needs to review its health privacy laws for disclosing mental health issues to a patient’s family. Currently, Nova Scotia law allows for mental health disclosures when it’s determined there is an immediate threat to the health of any person, including the patient. Nova Scotia Privacy Commissioner Catherine Tully is apprehensive about whether officials and government body officials have enough knowledge to determine what can and cannot be disclosed. “It is absolutely a training issue,” said Tully. “I have travelled around the province and talked to hundreds of people responsible for administering our privacy laws and training is a very key issue and one that requires constant work.” [Global News]

Consumer

WW – Privacy Concerns Around Alternative Credit Reporting

Companies are trying alternative credit reporting using nontraditional data to determine a candidate’s reliability and creditworthiness, but privacy concerns surround the tactics. In addition to privacy concerns, efforts to determine an individual’s chances for receiving a loan, house, or a job often hurt those in low-income brackets. Though companies are using a wide range of ways to determine a person’s creditworthiness and reliability — as students, prospective employees, or credit applicants — the methods of doing so fall in a legal area that’s murky at best. Overseas, companies in parts of Africa and Latin America monitor cellphones and social media to evaluate potential loan recipients. Meanwhile, U.K. startup Tenant Assured has started a service mining social media accounts and selling information to landlords and other parties. [The Atlantic]

US – Data Breach Simulation Explores Notification Timing

During a mock data breach at Stanford University’s Hoover Institution, a group of journalists studied the art of post-breach notification, learning that sometimes waiting to sort out technical errors before notifying victims is the wisest route to take. “It takes time to figure out what happened, and sometimes notification can cause more damage because you haven’t had time to remediate it,” said Intel Chief Privacy and Security Counsel. [Los Angeles Times]

E-Government

US – Board of Elections Posts DC’s Complete Voter List Online

D.C. makes it shockingly easy to snoop on your fellow voters. A little-known law in the nation’s capital is leading to complaints over the way it lets anyone on the Internet find out D.C. voters’ names, addresses, voting history and political affiliations, with little more than a click or two. It’s not the existence of the file itself that’s shocking, critics say. It’s the fact that the D.C. Board of Elections made it available on the Internet. Typically, every state has this kind of voter information; it’s just held at the statehouse or at the public library where you have to physically retrieve it from the stacks — probably with the help of a staffer — in order to see it. Putting that data on the open Internet changes the game because it allows virtually anyone, from anywhere, to view the data with no questions asked. [The Washington Post] [Washington voter registry publication sparks debate]

UK – 36% of Public Trust Government to Protect Their Data: ICO Survey

An ICO survey, published on 15 June, asked more than 1,200 people for their views on data protection. It found that the public were only slightly more likely to trust government with their information than they were to trust energy providers. Just 36% of respondents to the survey said they trusted government departments with their information. High street banks garnered the highest overall levels of trust, with 53% saying they trusted them with their information. However, trust in government increased for those in the higher socio-economic group AB1, at 41%, and millennials, at 43%. The survey also found that almost half of respondents disagreed with the statement that existing policy and regulation were sufficient to protect their data. Just 20% said policies were sufficient, which shows little change since the ICO’s 2014 survey, when 19% said policies were sufficient. [Public Technology]

E-Mail

CA – CRTC Partners With International Agencies to Fight Spam, Unsolicited Calls

The Canadian Radio-television and Telecommunications Commission (CRTC) announced that it has signed a memorandum of understanding with ten enforcement agencies from across the globe, including the Office of the Privacy Commissioner of Canada, to fight unlawful spam and unsolicited telecommunications. The agreement promotes cooperation between the CRTC and its international counterparts in enforcing Canadian and international spam and unsolicited telecommunications laws. The agencies have committed to sharing information and intelligence, where permitted by the laws of their jurisdictions, regarding unsolicited communications. By working closely with its partners, the CRTC will be able to more effectively ensure that all those who engage in unsolicited communications, whether local or foreign, comply with the Unsolicited Telecommunications Rules and Canada’s Anti-Spam legislation. [Press Release]

EU Developments

UK – IP Bill Extends GCHQ Snooping Powers to All Law Enforcement

The Investigatory Powers Bill, which was passed by the House of Commons last week, will effectively give the police and other authorities the same powers of surveillance that are currently enjoyed by GCHQ. That’s according to Raegan MacDonald, senior policy manager EU principal at Mozilla. “It’s about legally justifying the previously secret practices of GCHQ and also allowing those powers to go to all levels of law enforcement.” The IP Bill, commonly known as the Snooper’s Charter, requires telecoms companies and ISPs to store records of telephone and internet communications for one year. What is less widely known is that the Home Office is also building a search engine for all this data known as “request filter”, which will allow authorities to conduct detailed searches across all of this data. These queries will be subject to the “filtering” oversight of the Investigatory Powers Commissioner, and for this reason request filter is being sold by the Home Office as a privacy enhancing measure. “The request filter, when used, acts as an additional safeguard for communications data requests made by public authorities, to ensure that the data they acquire is limited only to that which is absolutely necessary,” says the government in a fact sheet. But pointing out that the Bill is short on mechanisms to ensure that oversight is effective, Jim Killock, executive director of Open Rights Group, questioned how this will work in practice. [Source] See also: The U.K. House of Commons passed the controversial Investigatory Powers Bill with a 444-69 vote. The bill now moves to the upper house of Parliament, the House of Lords.

EU – 75% of Cloud Apps Are Not Ready for New EU Data Protection Rules

More than 75% of cloud apps in the EU lack key capabilities to ensure compliance under the new EU General Data Protection Regulation (GDPR), according to a new study by Netskope. In particular, these businesses failed to meet the minimum requirements of the new regulation in areas like deleting personal data in a timely manner and complying with data portability requirements. Netskope tracked 22,000 cloud apps in use in the EU by giving them a rating between 1 and 100 in terms of GDPR readiness.

  • Just under 28% of cloud apps were deemed unready.
  • Half (48%) were scored as somewhat ready.
  • Only 25% were deemed ready.

The results of the report are especially troubling for businesses, as the adoption of mobile and cloud strategies gains momentum. The shift to cloud brings with it increasing complexity and a greater volume of security challenges for enterprises. Chief among them is the need to comply with new GDPR laws. These businesses have less than two years to ensure their cloud apps are up to regulation or face fines of either $22 million, or 4% of their global turnover (whichever is higher). [Source]

US – Ransomware Attacks Taking Huge Toll on Healthcare Resources

Healthcare organizations are aware of the omnipresent threat of ransomware on their information systems, and the danger it poses to their HIPAA compliance efforts and reputations, and are struggling to bear the expense of shoring up their defenses. The rising number of ransomware attacks against providers is prompting security professionals to intensify data security efforts, as well as consider entirely different approaches to security. Ransomware is turning the tables on how healthcare organizations now deal with security. For years, top security professionals have struggled with thefts that took data out of an organization’s control—for example, through the theft of data on stolen unencrypted laptops or through employee snooping of records that contain protected health information. The incentive for avoiding these types of breaches was to avoid landing on the HHS Office for Civil Rights’ web site of major breaches, and possibly face OCR-imposed financial sanctions and corrective action plans. But ransomware is different. Information remains in a provider’s system but is inaccessible, locked away until a provider makes a financial payment to free it. That scenario in large part has not been considered as a possibility until recently. Consequently, intensified data security is not the answer in the ransomware era, he believes; organizations must look at different approaches to data protection. [Source]

EU – Google Announces EU-Based Machine Learning Research Group

Google has struck a research group in Switzerland dedicated to machine learning. Machine learning consists of “systems that can learn things and come up with predictions from sets of data, without being specifically programmed to do so.” Machine learning currently powers Google’s translation engine, its Inbox “smart reply” feature, and spam recognition in Gmail, and helps Google’s driverless cars examine their surroundings. The research group will work on machine intelligence, speech recognition, natural language processing, and machine perception, such as identifying images in photos and recognizing handwriting. “We look forward to collaborating with all the excellent computer science research that is coming from the region, and hope to contribute towards the wider academic community through our publications and academic support,” wrote Emmanuel Mogenet, head of Google Research in Europe. [Fortune]

EU – Other EU News

Facts & Stats

WW – Data Breach Costs Up 29% Since 2013: Study

A study from the Ponemon Institute and IBM found the average cost of a data breach is $4 million, a 29% increase from 2013. Ponemon’s study examined 283 companies, finding the average cost per compromised record was $158 in 2016, up from $154 last year. The study also revealed a 26% probability of an enterprise suffering one or more data breaches where 10,000 records will be compromised over the next two years. Ponemon found that the healthcare industry has the highest costs per breached record, and that U.S. data breaches were the most costly per record, coming in at $223, with the average total cost estimated at $7.01 million. In related news, hackers have stolen the information of more than 45 million users of car, sports and tech sites in what could be one of the largest data breaches ever. Compromised data appears to include email and IP addresses, usernames and passwords. [ZDNet]

CA – Data Breaches Detection, Escalation Costs Highest in Canada: Report

Detection and escalation costs related to data breaches were the highest in Canada and lowest in India, note findings of a new global survey. “The average detection and escalation costs for Canada was US$1.60. In contrast, the average costs were US$0.53,” states 2016 Cost of Data Breach Study: Global Analysis, benchmark research sponsored by IBM and conducted by Ponemon Institute LLC. “Data breach costs associated with detection and escalation are forensic and investigative activities, assessment and audit services, crisis team management and communications to executive management and Board of Directors,” notes the report. …The average cost per record to resolve being US$170 compared to US$138 per record for system glitches and US$133 per record for human error or negligence. Canada held a distinction in this respect. “Companies in the U.S. and Canada spent the most to resolve a malicious or criminal attack (US$236 and US$230 per record, respectively),” the report states. [Canadian Underwriter]

WW – Study: Most Companies Struggle to Restrict Sharing of Confidential Data

A new study found only 36% of surveyed IT practitioners from large companies are able to control how confidential data is shared with third parties. The study of more than 600 IT professionals also found that companies are rarely able to track where their most sensitive documents go. Only 27% of those surveyed were able to restrict the sharing of confidential data between employees. According to the survey, conducted by the Ponemon Institute on behalf of Fasoo, 58% of companies say their employees use free online file sharing applications, and almost half say their employees, on occasion, keep confidential documents on their home computers or personal mobile devices. In addition, 68% of those surveyed say they don’t even know where their company’s confidential information is located. The study also revealed a deficiency in employee education about protecting data. Of the respondents, 56% said their companies did not educate their employees about protecting confidential information. The study found that careless employees were the primary cause of company data losses 56% of the time. The second most common cause was lost or stolen devices. In March, a SailPoint survey revealed that more than a quarter of employees said they uploaded sensitive information to cloud apps intending to share the information outside the company. According to Gartner, more than 70% of unauthorized access to data is committed by an organization’s own employees. Employees are frequently the cause of many security weaknesses in the enterprise. Most of these insider threats actually carry no malicious intent, but instead are the result of weak access controls and a lack of employee awareness. [CIO Dive] CSO: Study: Most companies can’t protect confidential documents

Finance

US – Home Depot Suit Claims U.S. Credit-Card Firms Block Security Upgrades

The Home Depot has alleged that MasterCard and Visa use faulty security measures prone to fraud in a new federal lawsuit. The company accused the financial institutions of putting cybersecurity behind economic gain and “dominant market positions,” saying their reliance on chip cards lags behind other, more secure, global methods. “Regardless of how the cardholder’s identity is confirmed, the chip makes data much more secure, rendering it almost useless to create fraudulent cards or transactions,” said a MasterCard spokesman. Meanwhile, Bob Hedges urged banks to engage in privacy debates in an op-ed for American Banker. “If they don’t, they run the risk that the public policy debate could eventually hurt their historical ‘trusted agent’ position,” he said. [The Seattle Times]

FOI

EU – ENISA Creates Free Personal Data Breach Notification Tool

ENISA, in co-operation with the Office of the Federal Commissioner for Data Protection and Freedom of Information of Germany (German DPA), developed a tool for the notification of personal data breaches. In particular, the purpose of the tool is to provide for the online completion and submission of a personal data breach notification by the data controller to the competent authority (DPA/NRA). It covers all types of personal data breaches and all types of business sectors, public or private. Based on the input of the notification, the tool also provides to the competent authority an assessment of the severity of the breach. The assessment is based on the relevant Personal Data Breach Severity Assessment Methodology developed by ENISA in co-operation with the DPAs of Greece and Germany. The tool is free for use by any interested party, in particular national competent authorities who would like to facilitate the notification of personal data breaches by data controllers in their countries. [Source]

Health / Medical

US – Oregon Prescription Database Access Ignites Privacy Debate

The Drug Enforcement Administration hopes to access Oregon’s Prescription Drug Monitor Program database in an effort to curb drug abuse, causing privacy concerns. The agency is fighting a 2014 U.S. 9th Circuit Court of Appeals ruling that decided warrantless seizure of the data was illegal. The DEA countered that as the PDMP is a third-party data host, users shouldn’t have an expectation of privacy, the report states. Not everyone agrees. “The primary purpose of PDMPs is health care, not law enforcement,” said the American Medical Association in an amicus brief. The database wasn’t created to be “a tool or repository for law enforcement to initiate access to gather information,” the AMA added. [The Daily Beast]

CN – China Pledges Tighter Privacy as it Centralises Personal Health Data

Chinese Premier Li Keqiang has announced the Chinese government’s intention to increase privacy regulations as it increases developments for health care data systems. “Enhancing the development of medical big data is a pressing task now,” Keqiang said. “It is also an important project for public welfare, in the context of a growing need for health and medical services.” To that end, “more comprehensive regulation and legislation in personal information and data protection” is necessary, he added. The State Council’s plans would call for the creation of a countrywide health database, as well as a guide for medical record portability, the report states. [The Register]

Horror Stories

US – Cyber Insurer Seeks to Void Data Breach Coverage Because of Purported Misstatements in Policy Application

Cyber insurers commonly require insureds to complete detailed applications, often including extensive technical disclosure and risk self-assessments. The complaint recently filed by the insurer in Columbia Casualty Co. v. Cottage Health System illustrates the pitfalls in these requirements. Cottage Health, an operator of a hospital network, suffered a data breach in 2013 resulting in thousands of its patients’ private medical information being publicly disclosed. In addition to other losses, Cottage Health paid $4.125 million to settle a putative class action in 2014 and faces additional proceedings arising from the breach. Columbia’s lawsuit denies all coverage for the breach and seeks to rescind its policy due to the insured’s alleged failure to comply with the cybersecurity practices described in its application. In its complaint Columbia contends, first, that the “Failure to Follow Minimum Required Practices” exclusion in its cyber policy—applying to losses from, among other things, the Insured’s failure “to continuously implement the procedures and risk controls identified in the Insured’s application”—precludes coverage for Cottage Health’s losses. Columbia further contends that it has a right to void its policy altogether due to alleged misstatements in the “Risk Control Self Assessment” that Cottage Health completed as part of its cyber insurance application. Any new cyber policy wording requires expert legal scrutiny before purchase, because these specialty insurance products can contain gaps or hidden traps. For example, Cottage Health might have averted its dispute with Columbia if the policy’s potentially onerous “Failure to Follow Minimum Required Practices” exclusion had been modified or deleted. [Source] See also: [Cyber insurance is changing the way we look at risk]

WW – Other Horror Stories

Identity Issues

WW – Apple to Use ‘Differential Privacy’ in New Software

Apple is using a special technique to balance user privacy with its data collection efforts. Apple’s Senior VP of Software Engineering Craig Federighi discussed “differential privacy” during his company’s Worldwide Developers Conference in San Francisco. “We believe you should have great features and great privacy,” Federighi said during the conference. “Differential privacy is a research topic in the areas of statistics and data analytics that uses hashing, subsampling and noise injection to enable … crowdsourced learning while keeping the data of individual users completely private. Apple has been doing some super-important work in this area to enable differential privacy to be deployed at scale.” [Wired] See also: [What Apple’s differential privacy means for your data and the future of machine learning] and [A Few Thoughts on Cryptographic Engineering]

IN – Alibaba Launches App With Face Recognition Lock Feature In India

Alibaba has unveiled Privacy Knight in India, a free app-lock that uses a one-second selfie to verify and grant access to users’ protected apps, BiometricUpdate.com reports. According to Alibaba, the program’s facial recognition with blink detection has 99.47% accuracy, the report states. “Face lock is set to change the way people protect their privacy,” said Alibaba’s Mobile Business Group. [Full Story]

Internet / WWW

WW – Microsoft’s Acquisition of LinkedIn Faces Some Privacy Concerns

While Microsoft’s purchase of LinkedIn will benefit both companies, some are raising privacy concerns. BigID CEO Dimitri Sirota said the purchase is meaningful as Microsoft is acquiring “the world’s second largest personal database,” but the use of the data will determine the success of the sale. “Given that the value of the purchase will derive from the usage of personal data it will be natural to ask how this data usage gets governed so it doesn’t compromise either personal privacy or many privacy regulations,” said Sirota. Acquiring large amounts of personal data is an issue many companies now deal with, he said, adding, “Organizations gain tremendous marketing, sales and intelligence value from collecting and aggregating as much customer data as they can, but the tools to govern the privacy risk and compliance of the aggregated ‘identity’ data are only now being developed.” [TechRepublic]

Law Enforcement

CA – Constable Fired for Accessing Data

A Gatineau police officer was fired this week after pleading guilty in April to illegally accessing police records. For the crime of unauthorized use of a computer, whereby the constable checked information on three former friends in police databases, she received no jail time, but had to make a donation of $1,000 to a crime victims’ assistance center. Despite no data being passed to a third party, nor the constable apparently seeing any benefit from the access to the data, the Gatineau Police Service released a statement saying she was fired because it “requires its police officers meet the highest ethical standards and professional standards.” [Ottawa Citizen]

Online Privacy

US – OTA Releases Privacy Assessment of Consumer-Facing Websites

Consumer services websites are improving privacy practices while news sites need vast improvements. That’s according to the release of the 8th annual Online Trust Audit & Honor Roll. Conducted by the Online Trust Alliance, this wide-ranging audit looks at nearly 1,000 consumer-facing websites to assess their consumer protections, privacy practices and data security. [Full Story]

Other Jurisdictions

SG – Singapore PDPC Publishes Data Protection Guidelines

The Personal Data Protection Commission of Singapore has published a number of guidelines for data access, notification and privacy protection, among other related subjects, on its official website. Its newest guideline, Guide to Handling Access Requests, details “information and considerations for organizations in handling requests for access to personal data, including sample access request and acknowledgement forms,” the site states. [Full Story]

IN – TRAI Consultation Paper Talks Cloud Computing

The Telecom Regulatory Authority of India has released a 119-page consultation paper on cloud computing regulation. The paper’s six sections cover interoperability, cloud security, and bringing cloud services to governments, among other topics. Frameworks for cloud services remain a major focus, the report adds. “Regulations should be put in place to protect the interests of both cloud services providers and the consumers,” the paper states. “Legal framework under which the cloud operates becomes very important.” [The Wire]

Privacy (US)

US – FBI Says Utility Pole Surveillance Cam Locations Must Be Kept Secret

The US FBI has successfully convinced a federal judge to block the disclosure of where the bureau has attached surveillance cams on Seattle utility poles. The decision stopping Seattle City Light from divulging the information was expected, as claims of national security tend to trump the public’s right to know. However, this privacy dispute highlights a powerful and clandestine tool the authorities are employing across the country to snoop on the public—sometimes with warrants, sometimes without. Just last month, for example, this powerful surveillance measure—which sometimes allows the authorities to control the camera’s focus point remotely—helped crack a sex trafficking ring in suburban Chicago. Meanwhile, in stopping the release of the Seattle surveillance cam location information—in a public records act case request brought by activist Phil Mocek—US District Judge Richard Jones agreed with the FBI’s contention that releasing the data would harm national security. “If the Protected Information is released, the United States will not be able to obtain its return; the confidentiality of the Protected Information will be destroyed, and the recipients will be free to publish it or post the sensitive information wherever they choose, including on the Internet, where it would harm important federal law enforcement operational interests as well as the personal privacy of innocent third parties,” Jones ruled. [Ars Technica]

US – More States Adopt Education Privacy Protections

As students’ online presence grows due to schools’ growing reliance on digital third-party student databases, lawmakers and privacy advocates have expressed concern for the potential mishandling of students’ information. Some states have turned to stricter privacy laws, with nine states adopting new data regulations in 2016. “The conversation is looking different in every state and district at this point,” said the Data Quality Campaign’s Rachel Anderson. “Some states are really taking the approach of parents can decide if they want to opt-in or out of these additional recommendations.” In 2014, 21 states passed 26 student data laws mostly targeted at states and school districts. Many echoed a 2013 Oklahoma law that requires state approval to release student data and mandates that only aggregated data — no data tied to individual students — can be released. By last year, lawmakers had shifted their focus to third-party companies. They passed 28 student privacy laws, in many cases mirroring a California statute that prohibits service providers from using data to target ads to students, selling student information, and creating student profiles for commercial purposes. This year nine states — Arizona, Connecticut, Hawaii, Kansas, New Hampshire, Tennessee, Utah, Virginia and West Virginia — have added 11 new student data laws, mostly based on the California standard. A similar proposal is awaiting the signature of Colorado’s governor. Between 2014 and 2015, state legislators introduced 98 bills that included opt-in or opt-out provisions, and this year Arizona passed a law requiring schools to obtain parents’ permission before collecting certain data. [PBS Newshour]

RFID / IoT

US – Health and Human Services IG to Assess Medical Device Security Monitoring

The US Department of Health and Human Services (HHS) Office of Inspector General’s Fiscal Year 2016 Mid-Year Work Plan calls for an assessment of the Food and Drug Administration’s (FDA’s) review of cybersecurity control on wireless and Internet-connected medical devices. The HHS IG also plans to look into state Medicaid agency and contractor breach notification practices and responses. [GovInfoSecurity]

US – NSA Could Use Internet-Connected Medical Devices for Surveillance

NSA Deputy Director Richard Ledgett told an audience at the Defense One Tech Summit in Washington, DC, last week that the agency is examining ways to exploit the Internet of Things (IoT) to conduct covert monitoring. Ledgett said that the NSA is “looking at it sort of theoretically from a research point of view right now,” and noted that conducting surveillance through medical devices could be “a tool in the toolbox.” [ComputerWorld] [The Intercept]

US – Chicago Seeks Input on Privacy Policy for Sensor Network

Chicago officials will soon release their privacy policy for the city’s traffic sensor project, the Array of Things, for citizen input. The first of 500 devices will go live in July, collecting vehicular and environmental data, the report states. The policy aims to protect collateral information that could identify an individual. “We’ve always been focused on making sure there was a privacy policy to inform the public about how the data that the nodes are collecting is going to be managed,” said Department of Innovation and Technology Commissioner and Chicago Chief Innovation Officer Brenna Berman. Open policy screenings begin June 14, the report adds. [Chicago Tribune]

CA – Who is Watching You on B.C. Highways?

At any time thousands of drivers are on B.C. highways trying to get places as soon as they can. And there is a team of people keeping an eye on all of that traffic – in a building nestled between Highway 1 and Lougheed Highway in Coquitlam. Transportation Management Centre staff keep watch on over 600 cameras throughout the province. And when you are on the Lions Gate Bridge, Penny Martin is watching and decides when to flip the counterflow lane. There are sensors and computers but Martin says it is often simply watching the causeway cameras for volume that will guide her decision to flip the lane. And it’s not just for Metro Vancouver. With the flick of a mouse people here can change the speed limits on the Sea to Sky or Coquihalla highways using the new variable speed limit signs. Centre manager Brigid Canil says they use advanced traffic management software to change speed limits, almost instantly, based on weather or traffic conditions. But what if the speed limit changes from 120 kilometres an hour to 80 km/hr and police pull you over? “We would know exactly what times the signs would change and be able to correlate what time the ticket was written to ensure the individual is treated fairly,” said Transportation Minister Todd Stone. Another big issue is privacy. On the Drive BC website you can see a “Replay the Day” video of many locations – but they say they don’t keep piles of surveillance. “We don’t keep the data and that is directly in response to concerns about privacy,” said Stone. [Global News]

Security

WW – Study: Weak Passwords, Phishing Attacks Top Breaches

Verizon’s 2016 Data Breach Investigations Report has found that 63% of recent breaches were due to weak passwords. Phishing scams are also a major culprit, the report states. Nearly one-third of the analyzed phishing emails were opened by recipients. While the sophistication and success rate of these attacks are growing, strategies for keeping oneself safe remain the same. “The surest anti-phishing protection is also one of the rarest assets around: common sense,” the report adds. “No matter who an email comes from, never click on a link in an email — instead cut and paste it into a web browser and read the address. If it smells phishy, it probably is.” [TechCrunch] [Employee Error Accounts for Most Security Breaches]

US – FICO to Offer ‘Enterprise Security Scores’

Fair Isaac Corp. has acquired cybersecurity startup QuadMetrics to create an industrywide “enterprise security score” for businesses. The security score will act as an equivalent to the FICO consumer-credit scores, giving chief information officers and other IT professionals an “easy-to-understand” metric to determine their company’s online risks, while handling other possible issues from third-party software vendors and acting as a guide for cyber breach insurance underwriting. “Just as the FICO Score gave credit markets a single metric for understanding credit risk, this product will give the industry a common view of enterprise security risk,” said FICO’s Vice President of Cybersecurity Solutions Doug Clare. [The Wall Street Journal]

Surveillance

CA – RCMP Can Spy on Your Cellphone, Court Records Reveal

A judge lifted the publication ban on information surrounding a suspected mafia murder, revealing different surveillance methods used by the RCMP. While investigating the 2011 murder of Salvatore Montagna, the RCMP used IMSI catchers, commonly known as “Stingrays,” to mimic cellphone towers in order to obtain information on a suspect’s phone. The RCMP used the collected information to intercept and decode BlackBerry PIN-to-PIN messages as part of the murder cover-up. “Our biggest concern with Stingrays is there’s really no regulation or oversight as to how they’re being used,” said OpenMedia Digital Rights Specialist Laura Tribe. “We right now, as the Canadian public, have no idea where they’re being used, when, what the requirements are for these technologies being used and what’s happening to the data of everyone being caught up in their sweep.” [CBC News] See also: [VPD admits to not owning a Stingray surveillance device, but is it ‘borrowing’ one?] and [Santa Clara County, California, has approved an ordinance that requires government agencies to put policies in place before acquiring or activating new surveillance technologies.]

US Government Programs

US – Federal Government Releases Final Guidance on CISA

The Department of Homeland Security (“DHS”) and Department of Justice released final guidance as required by Title I of the Cybersecurity Act of 2015 (“CISA”), which was enacted into law this past December. The guidance was prepared in consultation with several additional federal agencies, and includes four separate documents.

  1. The first document (“sharing guidance”) provides guidance for non-federal entities (including state governments) that elect to share cybersecurity information with the federal government under CISA.
  2. The second document establishes “privacy and civil liberties guidelines governing the receipt, retention, use, and dissemination” of cyber threat indicators and defensive measures by the federal government.
  3. The third document, which was released in final form on February 16, describes procedures through which information is shared by the federal government to participating non-federal entities.
  4. The fourth document describes procedures for the receipt of cyber threat indicators and defensive measures by the federal government. [Inside Privacy]

 

+++

03-09 June 2016

Biometrics

CA – Federal Photo-Matching Scheme Quietly Singles Out Passport Fraudsters

Federal officials used photo-matching technology to identify 15 high-risk people – all wanted on immigration warrants – who used false identities to apply for travel documents. The Liberal government might make the facial-recognition scheme permanent to help find and arrest people ineligible to remain in Canada due to involvement with terrorism, organized crime or human rights violations. The photo-matching idea emerged from concerns that people wanted by the Canada Border Services Agency might use fake names to obtain genuine Canadian travel documents from the Immigration Department’s passport program, say internal memos released under the Access to Information Act. The privacy commissioner’s office has not been consulted on the project. However, both the border agency and the passport program have shared information about other facial-recognition initiatives with the commissioner. Passport officials have used the image-matching technology for years to see if someone has applied for multiple travel documents in different names. The border agency has quietly been working with other agencies since at least 2011 to gauge the ability of devices to extract usable facial images from video footage. [Source]

Canada

CA – Court Rules that Health Records Do Not Require Vetting Prior to Disclosure to Children’s Aid Society

The Court considers a request for a protection application for the production of records from non-parties. The records, containing mental health information of a parent, do not require vetting by counsel for the society or the parent (this approach could give either party an unfair advantage in litigation), or the Court (the mental health records are relevant to whether the parent’s children are in need of protection, and the production order will be structured to preserve the parent’s privacy interests). [Catholic Children’s Aid Society of Hamilton v. L.K. – 2016 CanLII 15148 (ONSC) – Superior Court of Justice of Ontario]

CA – BC Appeals Court Finds Senders of Texts and Emails Have a Reasonable Expectation of Privacy in the Content of the Message

A review of the impact of the BC Court of Appeal’s decision in R. v. Craig. Senders have a reasonable expectation that their text messages will be confidential; senders do not abandon their right to privacy in the content of the message, to the extent that they should be able to count on the recipient’s duty of confidentiality. While there is inherent risk in any human interaction, the risk that a message might be improperly shared (i.e. breach of confidentiality) is not enough to vitiate a reasonable expectation of privacy. [Privacy, technology, and instant messaging – The British Columbia Court of Appeal sends a (instant) message – Dara Jospé, Michael Shortt, and Antoine Guilmain – Fasken Martineau, Montréal]

CA – Other Canada News

E-Government

US – Survey: A Year After the OPM Hack, Victims Don’t Feel Safer

A Federal News Radio survey on the Office of Personnel Management breach has found that roughly 55% of government employees and contractors don’t feel their personal information is safer a year after the hack. George Mason University’s Jim Jones said one reason for these responses is that many acknowledge that the risks move faster than security efforts. “The threat is so flexible and responsive in the sense that when we do something, we close one hole they simply move on to another one,” he said. Meanwhile, NPR also examines the changes in security practices at the OPM in a subsequent report. [Federal News Radio]

E-Mail

CA – OIPC ON Cautions Against Using Personal Email and Instant Messaging When Doing Public Business

Ontario’s Information and Privacy Commissioner, Brian Beamish, is calling on the leaders of all public institutions to educate staff and enact policies to strictly control the use of personal email and messaging tools, such as BlackBerry Messenger, to conduct business. All public servants should be aware that records relating to government business are subject to provincial access legislation, even if they are created, sent or received through instant messaging tools or personal email accounts. The use of these tools and accounts can create a number of challenges for institutions in meeting their obligations under Ontario’s access and privacy laws. To avoid these issues, Beamish is asking all Ontario institutions to strictly control the use of personal email or instant messaging when doing business, and to implement clear policies to help public servants meet their legal obligations. If it is necessary to use these tools, institutions must plan for compliance by conducting thorough risk assessments and implementing appropriate administrative and technical measures to ensure that records are saved. A new guide to assist Ontario’s public institutions, Instant Messaging and Personal Email Accounts: Meeting Your Access and Privacy Obligations, is now available. [Office of the Information and Privacy Commissioner of Ontario]

Electronic Records

CA – Alberta OIPC Issues Guidance for EHR Systems

The OIPC of Alberta has published Guidance for Electronic Health Record Systems. This guide was developed to assess the safeguards in electronic health record (EHR) systems. Custodians and their EHR service providers may use this document to support a Privacy Impact Assessment on an EHR system, or to examine whether changes to a system comply with Health Information Act requirements. Two versions of the document are available on our website: a PDF version and an editable Word document.

EU Developments

US – US and EU Officially Ink Umbrella Agreement

Officials from the EU and U.S. officially signed the so-called Umbrella Agreement, which sets privacy protections on European citizens’ personal data when transferred to the U.S. for law enforcement purposes. It will give EU citizens judicial redress in U.S. courts — something the EU already provides for U.S. citizens. U.S. Attorney General Loretta Lynch, Dutch Minister Ard van der Steur, and EU Justice Commissioner Věra Jourová signed the deal Thursday. Privacy advocates, however, have expressed concern about the deal. Access Now’s Estelle Massé said the new rules are “toothless” and that it “should absolutely be brought back to the drawing board.” [Ars Technica]

EU – British Lawmakers Pass New Digital Surveillance Law

The House of Commons passed the controversial Investigatory Powers Bill, which would provide security agencies with stronger monitoring abilities. The bill was approved 444-69. Interior Minister Theresa May said the new law will help “keep us safe in an uncertain world.” While May noted the scrutiny of the Investigatory Powers Bill was “unprecedented,” a new privacy clause has been added requiring agencies to contemplate less intrusive ways to surveil, while also offering special protections for lawmakers, journalists and lawyers. “It provides far greater transparency, overhauled safeguards and adds protections for privacy and introduces a new and world-leading oversight regime,” May said. The bill now moves to the upper house of Parliament, the House of Lords. [Reuters]

EU – European Commission Creates Code of Conduct for Mobile Health Apps

The European Commission has formally submitted a code of conduct to the Article 29 Working Party to increase privacy capabilities on mobile health apps. The code has been handed in for comments, and once it is approved, app developers can voluntarily commit to it. The European Commission code is based on EU data protection legislation, and aims to raise awareness for all parties, including small and medium enterprises as well as individual developers who may not have legal teams on hand, and “increase compliance at the EU level for app developers.” The code covers numerous issues, including user consent, purpose limitation, privacy by design and default, and data security. The European Commission also covered advertising within mHealth apps, disclosing data to third parties, children’s privacy, and data transfers. [Telecompaper] [Press Release] [Public Consultation]

EU – EDPS Announces New Accountability Initiative

European Data Protection Supervisor Giovanni Buttarelli announced a new accountability initiative to help EU bodies transition to the General Data Protection Regulation. The EDPS started working on a project to enhance accountability in data processing in 2015, when the agency examined itself as an institution. “We developed a specific tool to ensure and demonstrate our accountability as an organisation, to plan and to keep track of related actions. This document consists of a set of questions for the supervisors, the director, the staff responsible for managing processing operations and our data protection officer,” Buttarelli wrote in a blog post. “This year, we aim to visit — and have already started — small, medium, and large EU bodies to explain the new obligations,” he continued, adding, “As part of our efforts … we will recommend our accountability document during these visits and suggest that they tailor it to suit their specific needs.” [EDPS Blog Post]

Finance

WW – Facebook is Using Your Phone to Listen to Everything You Say: Professor

Facebook admits to using people’s microphones to listen to what they say, but they claim this is somehow a good thing. Kelli Burns, mass communication professor at the University of South Florida, claims to have tested devices running the Facebook mobile app, and found that all of them are listening to everything you say, providing customized ads based on what you are saying. “I’m really interested in going on an African safari. I think it’d be wonderful to ride in one of those jeeps,” she said out loud with her phone in hand. According to the NBC report, less than a minute later, the first story in her Facebook feed was about a safari. And a car ad soon appeared on her page – go figure. Of course, this is not scientific evidence at this point, but Burns is not one to shun. Before becoming an academic, she spent seven years in corporate marketing and is a well-known figure in social media circles. Facebook didn’t deny the claims. Instead, it admitted that it picks up sounds from users, but said that it only does this to recommend they post things on Facebook. It’s not the first time Facebook has come under fire for something like this. Last year it was also accused of the same thing, and they said at the time that users had to turn their microphone on in order for this to work. But now, the microphone is on by default, so this does seem to confirm that Facebook is listening to you. [zmescience.com]

FOI

CA – Ontario Health Ministry Ordered to Disclose Names on OHIP Billings

Ontario’s privacy watchdog has ordered the province to publish the names of the 100 doctors whose billings to the Ontario Health Insurance Plan are highest. An adjudicator, ruling on an access-to-information request from the Toronto Star, said the billings are “not personal information” and, even if they were, it would be in the public interest to reveal them. The Ontario Medical Association, which represents the province’s 28,000 physicians, opposed release of the data, saying it could be misconstrued. (Billings are not salaries but gross payments from which doctors must pay office overhead, benefits and pension.) The OMA has not yet decided if it will appeal the ruling. If it does not, the data will be made public on July 8. [Source] [IPC Decision] [54-page order] [Ontario Doctors’ Billings: Transparency is the Best Medicine] [End the secrecy over doctors’ billings: Editorial]

CA – OIPC NFLD Expects Redaction to be Used Sparingly

The Office of the Newfoundland and Labrador Information and Privacy Commissioner provided its expectations for Public Body Coordinators on handling non-responsive information in an access request, pursuant to the Access to Information and Protection of Privacy Act. Redact non-responsive information only where necessary and appropriate; best practices include releasing the information if it is just as easy as claiming non-responsive (this will save time-consuming consultations and time weighing discretionary exceptions), avoiding breaks in the flow of information (do not claim non-responsive within sentences or paragraphs), and explaining in the final response to the Applicant what non-responsive means and that information has been redacted on this basis. [Newfoundland and Labrador OIPC – Practice Bulletin – Redacting Non-Responsive Information in a Responsive Document]

US – Snowden Questioned NSA’s ‘Interpretation of Legal Authorities’ Before Leak

Former government contractor Edward Snowden attempted to contact the NSA about its surveillance programs before exposing a trove of documents to the public. In response to a “long-running” Freedom-of-Information-Act lawsuit, the Office of the Director of National Intelligence released more than 800 pages of communications to Vice News revealing Snowden tried to ask questions about the “interpretation of legal authorities” related to the programs. The documents also reveal Snowden’s face-to-face interaction with an official, details about Snowden’s work with the agency, and efforts by the NSA, the White House and U.S. Senator Dianne Feinstein, D-Calif., to discredit Snowden. [Full Story]

Genetics

US – Biden Unveils Launch of Major, Open-Access Database to Advance Cancer Research

Vice President Joe Biden will unveil a 12,000-patient, open-access cancer research database called the Genomic Data Commons today. The database will include “raw genomic and clinical data” as well as information regarding patients’ treatment types and their bodies’ response to it, the report states. “This is good news in the fight against cancer,” Biden said. “Increasing the pool of researchers who can access data and decreasing the time it takes for them to review and find new patterns in that data is critical to speeding up development of lifesaving treatments for patients.” The GDC will have privacy protections in place, with representatives from cancer centers drafting a model consent form, the report adds. [Washington Post] See also: [Canada: Genetic Discrimination And Canadian Law] and [How new DNA testing is cracking open long-stalled cold cases]

Health / Medical

US – OCR: Sharing Electronic Patient Data Crucial, Requires Cooperation

A slew of breakthroughs will put the pressure on health care leaders to start becoming more transparent with data. Deputy Director of Health Information Privacy in the Department of Health and Human Services’ Office for Civil Rights Deven McGraw highlighted this during the Office of the National Coordinator for Health Information Technology’s annual meeting in Washington, where she said cooperation will be key for successfully sharing patient data. “I can enforce people to comply with the law, but the culture change that makes a difference is not because the government is going to force it down people’s throat,” said McGraw. “It’s going to happen because people want it and demand it.” McGraw said providers should release electronic patient data at the patient’s request. “Whatever the patient wants to do with that information, it’s her right to have it and to have it in the form or format that she wants it,” McGraw said. [Healthcare IT News]

Horror Stories

WW – 32M Twitter Passwords Held at Ransom

A hacker with purported ties to the LinkedIn, Myspace, and Tumblr breaches is now claiming to hold a database of 32 million Twitter login credentials for ransom. “The explanation for this is that tens of millions of people have become infected by malware, and the malware sent every saved username and password from browsers like Chrome and Firefox back to the hackers from all websites including Twitter,” said a statement from breach-notification company LeakedSource, which analyzed the database and was able to verify accounts. The company added that the passwords taken were most likely in plain text with no hashing. “The lesson here? It’s not just companies that can be hacked, users need to be careful too,” the statement said. [ZDNet]

EU – Dutch DPA Receives More Than 1,500 Breach Notifications in First 4 Months

A review of the first 4 months of new breach notification requirements in the Netherlands shows that, in approximately two-thirds of breaches, the DPA had reason to more closely examine the circumstances of the breach or it opened formal investigations; subsequent action was taken against about 70 organisations. The DPA’s classification of breaches found that three of the four categories related to inadvertent disclosures by the organisation (e.g. loss of unencrypted devices, insecure disposal, or insecure transfers); the remaining category related to malicious access to databases and ransomware. [130 days, 1,500 notifications: Does Dutch breach rule foreshadow GDPR? – Lokke Moerel and Alex van der Wolk, Morrison & Foerster LLP]

Identity Issues

WW – Search Queries Could Leave Medical Clues: Study

A Microsoft study published June 7 has found that by analyzing large sets of anonymized search engine queries, scientists may be able to detect those internet searchers with pancreatic cancer before an official diagnosis. “We asked ourselves, ‘If we heard the whispers of people online, would it provide strong evidence or a clue that something’s going on?’” researcher Dr. Eric Horvitz said. He acknowledged that using data in this way was uncharted territory for the health care industry. Regardless, “We’re hoping that this stimulates quite a bit of interesting conversation,” he said. [The New York Times]

WW – Inventor of the Web Creates Identity on Bitcoin Blockchain

Sir Timothy Berners-Lee, an English computer scientist and the inventor of the World Wide Web, created his first Bitcoin blockchain ID on June 9 through the popular Blockstack-based platform Onename. Built on the decentralized, privacy-centric, and Bitcoin blockchain-secured database Blockstack, Onename is an open source platform which enables users to register their social media accounts and IDs through the Bitcoin blockchain network. The concept of embedding an account on the Bitcoin blockchain is fairly simple. Each Bitcoin transaction has a feature which allows users to store data apart from the core transaction information, creating space for anyone to embed small pieces of data in accordance with transaction data in a full transaction. Through the Blockstack nodes, Onename then verifies and authenticates various social media accounts, linking them to its network and enabling users to identify others through the account. “With the Blockstack software, a network of computers collectively maintain a global registry of identities, public keys and names. When you run a Blockstack node, you join this network, which is more secure by design than traditional identity, naming, and digital registry systems,” explains the Blockstack team. [Source]

Law Enforcement

CA – BC Police Act Violates Charter (sec.8), Suspended Vic Chief Says

Suspended Victoria Police Chief Frank Elsner is asking the courts to declare that sections of B.C.’s Police Act violate the Charter of Rights and Freedoms’ search and seizure provisions and are therefore not enforceable. Under the act, independent investigators with the Office of the Police Complaint Commissioner are not required to obtain warrants to search police premises, equipment and records when looking into allegations of misconduct at municipal departments. Those provisions violate Section 8 of the charter, because they relate to matters to which there is a high expectation of privacy, Elsner says. Section 8 protects against unreasonable search and seizure. [The Victoria Times Colonist]

Online Privacy

US – Android Users Seek Class-Action in Privacy Battle Over App Purchases

Android users are requesting to go forward with a class-action lawsuit against Google’s app store for allegedly disclosing personal information to developers. The lawsuit, started by Illinois resident Alice Svenson in 2013, is on behalf of numerous Android users who made purchases on the Google app store. “Casting aside the express promises made in their own terms of use, for years, defendants have routinely and systematically disclosed to third-parties, their buyers’ personal contact and billing information — including, names and email addresses — which they now admit was not necessary to complete the transactions or otherwise authorized for disclosure,” the users’ lawyers wrote in the motion. Svenson’s initial lawsuit was thrown out, but after revising her complaint by saying the disclosure lessened the value of her personal data, it was allowed to proceed. Last year, U.S. District Court Magistrate Paul Grewal in San Jose dismissed a separate lawsuit that also alleged Google violated app purchasers’ privacy by sending their names to developers. [MediaPost]

EU – Researchers Re-identify 40% of RTBF Subjects

One of the world’s most widespread efforts to protect people’s privacy online —RTBF— may not be as effective as many policymakers think, according to research by computer scientists based, in part, at New York University. The academic team said that in roughly a third of the cases examined, the researchers were able to discover the names of people who had asked for links to be removed. Those results, based on the researchers’ use of basic coding, came despite the individuals’ expressed efforts to remove their names from searches. The research paper raises questions about how successful Europe’s “right to be forgotten” can be if the identities can still be found with just a few clicks of a mouse. The paper says such breaches undermine “the spirit” of the right to be forgotten. The research also will add increased pressure on some European authorities, particularly the French privacy regulator, who would like Google and other online search engines like Microsoft’s Bing to extend the reach of the right to be forgotten across all of the companies’ global domains, including Google.com in the United States. “This poses a threat to whether the ‘right to be forgotten’ can be maintained in the long-term,” said Keith Ross, dean of engineering and computer science at NYU Shanghai, who led the project and who said he had contacted Google with his research. “If a hacker can easily find 30 or 40% of people’s names from delisted articles, what is the point?” he said. [New York Times]

Privacy (US)

US – Federal Appeals Court Says No Warrant Needed for Stingray Use

The Fourth US Circuit Court of Appeals has overturned a lower court verdict that ruled law enforcement must obtain warrants before using cell-site simulators to determine a suspect’s location. According to the ruling, obtaining the information does not violate a suspect’s Fourth Amendment rights because the information is already being shared with the suspect’s wireless carrier: “Whenever [an individual] expects his phone to work, he is permitting – indeed, requesting – the service provider to establish a connection between his phone and a nearby cell tower.” [ZDNet]

US – Yahoo Publishes National Security Letters

Yahoo has published three National Security Letters it has received from the federal government. National Security Letters allow federal law enforcement officers to demand customer records and transaction information from communication companies without the need for a warrant. The letters also carried a gag order that until recently never expired – any person or organization receiving an NSL was not permitted to disclose its contents or even its existence. The USA Freedom Act, which became law last year, changed those requirements. The FBI must now review gag orders once the investigation is closed or three years after it was opened, to determine whether lifting the order would be detrimental to the investigation. Yahoo’s disclosure is the first since the USA Freedom Act passed. [Wired] [eWeek] [Redacted letters] [Yahoo’s position]

US – NTIA Issues Best Practices for Operators of Commercial and Private Drones

The National Telecommunications and Information Administration released its best practices for use of drones by operators for private and commercial uses. Public comments were sought in 2015. Operators should make a reasonable effort to provide prior notice to individuals of the general timeframe and area in which they intend to operate a drone to collect data, and should provide a publicly available privacy policy that includes the purposes of collection, the types of data the drone will collect, the operator’s data retention and de-identification practices, the types of entities with which data will be shared, how to submit privacy/security complaints or concerns, and a description of response practices to law enforcement requests. [National Telecommunications and Information Administration – Voluntary Best Practices for UAS Privacy, Transparency, and Accountability]

US – Snowden Questioned NSA’s ‘Interpretation of Legal Authorities’ Before Leak

Former government contractor Edward Snowden attempted to contact the NSA about its surveillance programs before exposing a trove of documents to the public. In response to a “long-running” Freedom-of-Information-Act lawsuit, the Office of the Director of National Intelligence released more than 800 pages of communications revealing Snowden tried to ask questions about the “interpretation of legal authorities” related to the programs. The documents also reveal Snowden’s face-to-face interaction with an official, details about Snowden’s work with the agency, and efforts by the NSA, the White House and U.S. Senator Dianne Feinstein, D-Calif., to discredit Snowden. [Vice News] [Snowden and the NSA Gets Curiouser and Curiouser]

US – Court Certifies Class Action Alleging Social Networking Site Unlawfully Scanned Users’ Private Messages

A US Court has considered a motion for class certification of a complaint alleging Facebook violates users’ privacy by scanning their private messages. The Court accepted the Plaintiffs’ argument that injunctive relief is appropriate for the class as a whole because Facebook has utilized a uniform system architecture and source code to intercept and catalog its users’ private message content; the Court rejects the social networking site’s argument that individual proof will show that many class members impliedly consented to the challenged practices. [Matthew Campbell et al. v. Facebook, Inc. – 2016 U.S. Dist. LEXIS 66267 – United States District Court For The Northern District Of California]

US – Electronic Health Records Company Settles FTC Charges It Deceived Consumers About Privacy of Doctor Reviews

The FTC announced that electronic health records company Practice Fusion has settled with the agency over claims it misled customers by asking for reviews of its doctors without telling customers the reviews would be made public, resulting in the disclosure of sensitive medical data. “Practice Fusion’s actions led consumers to share incredibly sensitive health information without realizing it would be made public,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “Companies that collect personal health information must be clear about how they will use it — especially before posting such information publicly on the internet.” In its settlement with the FTC, Practice Fusion is prohibited from making deceptive statements about the privacy and confidentiality of consumer information it collects, and is required to obtain consumer opt-in before disclosing any information in the future. [Full Story]

Security

US – Three Bills Approved To Boost Security for California’s IT systems

California lawmakers passed three bills designed to strengthen the security of the state’s information technology systems. One of the bills would mandate a statewide response plan for cybersecurity threats on critical infrastructure by July 1, 2017. “Ensuring that these preparations are made for cybersecurity will make our state networks more resilient, improve response coordination, reduce recovery time and costs and ultimately limit the damage that is done,” said bill author Jacqui Irwin, D-Thousand Oaks. Another bill requiring state agencies to create detailed data breach response plans was unanimously approved by the California Senate, along with legislation making it illegal to knowingly put ransomware on a computer’s system, network or data. [Techwire]

CA – New Conference Board Centre to Focus on Cyber Security Policy

A new Conference Board of Canada research Centre is working to tackle cyber security issues that affect all Canadian citizens, starting with the critical issue of personal data privacy in the digital world. The first research from the Centre aims to get decision-makers and Canadians up-to-speed on privacy regulations and capable of making smart decisions. The report, Private Matters: Regulating Privacy in Canada, the European Union and the United States, highlights key trends that firms should address in order to maintain proactive privacy compliance. They include:

  • Consent—The broad concepts of informed and implied consent are no longer sufficient. Regulators are increasingly demanding that consent be active, explicit, and easily understood.
  • Breach notification—Enhanced regulations require organizations to report privacy breaches in a timely, comprehensive way. Failure to do so can result in steep fines and costs to a firm’s reputation.
  • Territoriality—Privacy will have to balance the rights of national citizens against the borderless nature of e-commerce. The new EU-U.S. Privacy Shield will have an impact on this debate. If EU demands prevail, EU citizens’ right to privacy will travel with their data.
  • Individual rights after consent—As regulators and industry get closer to figuring out how to get consent right, they will need to begin enumerating the rights of individuals who have consented to data collection. They will also need to determine the appropriate remedies when those rights are violated.
  • Answering public demands—As the pace and pervasiveness of technology continue to accelerate, regulators will have to strike a balance between protecting the public and insisting the public more meaningfully contributes to its own protection.

The Conference Board of Canada’s new Cyber Security Centre examines the evolving nature of cyber security at the strategic and policy level, in order to meet the needs of senior executives and board members across all sectors and industries. [Conference Board of Canada News Release]

Surveillance

CA – BlackBerry Hands Over User Data to Help Police ‘Kick Ass,’ Insider Says

A specialized unit inside mobile firm BlackBerry has for years enthusiastically helped intercept user data — including BBM messages — to help in hundreds of police investigations in dozens of countries, a CBC News investigation reveals. CBC News has gained a rare glimpse inside the struggling smartphone maker’s Public Safety Operations team, which at one point numbered 15 people, and has long kept its handling of warrants and police requests for taps on user information confidential. A number of insiders, none of whom were authorized to speak, say that behind the scenes the company has been actively assisting police in a wide range of high profile investigations. But unlike many other technology companies, which regularly publish transparency reports, it is not clear how many requests BlackBerry receives each year, nor the number of requests it has fulfilled. [Source] See also: [More Canadian telcos should detail police data requests: Privacy commissioner]

US – Google Wants Privacy Lawsuit Dismissed, Cites Spokeo Case

Citing the Supreme Court’s decision in the Spokeo case, Google is asking a U.S. district judge to dismiss claims it disregards privacy laws. Google filed court papers in response to allegations it violates federal and state privacy laws by scanning emails in order to serve ads. A lawsuit from San Francisco resident Dan Matera claims Google illegally “intercepts” email messages, which forced him to interact with Gmail users, even though he did not have a Gmail account. Thanks to the result of the Spokeo case, Google wants Matera’s case thrown out, saying he cannot show a concrete injury, the report states. “Plaintiff does not allege, for example, that the alleged violations led to the disclosure of his confidential information to third parties, or that he suffered any other purported harm from the alleged ‘interceptions’ of his emails,” Google wrote in the papers. [MediaPost]

UK – Spies Circumvented Surveillance Laws With No ‘Meaningful’ Oversight

Privacy International has released previously confidential government documents that shed light on how British spy agencies circumvented legal restraints on their surveillance powers, with little interference from the commissioner charged with overseeing them. The documents detail correspondence carried out in 2004 between lawyers for two UK spy agencies — the Government Communications Headquarters (GCHQ) and MI5 — and Sir Swinton Thomas, the Interception of Communications Commissioner at the time. Thomas was responsible for overseeing the two agencies, but Privacy International, a London-based watchdog organization, says his correspondence with the GCHQ and MI5 “exposes the lack of meaningful restraint of the agencies’ over-reaching and intrusive powers.” The release of the document comes ahead of a Parliamentary debate on the controversial Investigatory Powers (IP) Bill. Introduced last year, the bill aims to provide a legal framework for bulk data collection, while increasing transparency and strengthening oversight for British spy agencies. But privacy advocates, internet service providers, and major technology companies have expressed alarm over the law — referred to by critics as the “snooper’s charter” — arguing that it gives police and intelligence agencies broad surveillance powers under vaguely defined terms. Privacy International says that the correspondence released today demonstrates the flimsiness of existing oversight mechanisms. [The Verge] [UK: Official correspondence reveals lack of scrutiny of MI5’s data collection]

+++

 

27 May – 02 June 2016

Biometrics

WW – Car’s Computer Can ‘Fingerprint’ You in 5 Min Based on How You Drive

The way you drive is surprisingly unique. And in an era when automobiles have become data-harvesting, multi-ton mobile computers, the data collected by your car—or one you rent or borrow—can probably identify you based on that driving style after as little as a few minutes behind the wheel. In a study they plan to present at the PETs Symposium in Germany this July, a group of researchers from the University of Washington and the University of California at San Diego found that they could “fingerprint” drivers based only on data they collected from the internal computer network of the vehicle their test subjects were driving, what’s known as a car’s CAN bus. In fact, they found that the data collected from a car’s brake pedal alone could let them correctly distinguish the correct driver out of 15 individuals about nine times out of ten, after just 15 minutes of driving. With 90 minutes of driving data or monitoring more car components, they could pick out the correct driver fully 100 percent of the time. “With very limited amounts of driving data we can enable very powerful and accurate inferences about the driver’s identity.” And the researchers argue that this ability to pinpoint drivers could have unexpected privacy implications: Everything from letting insurance companies punish drivers who loan their cars to their teenage kids, to confirming the identity of a driver who violated traffic laws or caused a collision. [Wired] [Is driving style the next biometric?]

US – Tattoo Recognition Research Threatens Free Speech and Privacy: EFF

An EFF Investigation Finds NIST/FBI Experimented with Religious Tattoos, Exploited Prisoners, and Handed Private Data to Third Parties Without Thorough Oversight …Now, with NIST and the FBI on the precipice of a new, larger experiment that will use upwards of 100,000 tattoo images, officials must suspend any further research into tattoo recognition technology until they address the First Amendment, ethical, and privacy concerns EFF has identified. [Source] See also: [Six Things You Need to Know Before Collecting Biometric Information]

Canada

CA – Company Scraps ‘Bad Tenant List’ After OPC Upholds Complaint

A property management company that maintained a “bad tenant” list for a landlord association has agreed to scrap it after the office of federal Privacy Commissioner Daniel Therrien concluded the personal information it contained was improperly collected. Therrien’s office investigated after receiving a complaint in February 2014 from a single parent with a disabled child. The unidentified woman had applied to the company for new rental accommodation that was fully accessible to her child, but was turned down. She was told by the company that her inclusion on the bad tenant list — for allegedly having skipped payments and for owing money for damages — was one of the reasons it was denying her housing services. The management company, which wasn’t named, told privacy commissioner investigators that members of the unidentified landlords association added the names of “bad tenants” to the list. The personal information on the list included the tenant’s name, the alleged incident for which the individual’s name was added to the list and the rental accommodation where the problem occurred. The company said the information was used to help landlords “avoid credit default” by potential tenants and determine “valid renters.” The complainant said she never consented to her personal information being collected for that purpose and wasn’t allowed to see the information about her or find out which landlord had added her name to the list. The property management company pointed to a clause in its rental agreement authorizing the landlord to obtain credit reports “or other information as may be deemed necessary.” But in a recently posted decision, the privacy commissioner’s office says it did not see how those words “would lead individuals to understand they were consenting to their personal information being collected, used and disclosed for the purposes of a ‘bad tenant’ list.” [Source]

CA – Office of the Privacy Commissioner Announces First Investigation Under Address Harvesting Provisions

The OPC announced its report of findings against Compu-Finder, a Quebec-based company that offers face-to-face professional training courses. The OPC alleges Compu-Finder used address harvesting programs to search and collect e-mails on the internet. This marks the first investigation by the OPC involving its address harvesting provisions under the Personal Information and Electronic Documents Act (PIPEDA). The OPC concluded that Compu-Finder did use e-mail addresses of individuals to send e-mails promoting its business activities, without the consent of the individuals concerned. Compu-Finder was unable to demonstrate it had the appropriate consent for the collection and use of many of the e-mail addresses. Further, the OPC found Compu-Finder lacked basic knowledge of its privacy obligations and failed to demonstrate accountability and openness in its privacy practices. This investigation also debuts the OPC’s compliance agreement power since the tool was added by the Digital Privacy Act on June 18, 2015. The compliance agreement between the Privacy Commissioner of Canada and Compu-Finder lists over ten remedial measures imposed on Compu-Finder. Some of the measures that Compu-Finder has agreed to implement include:

  • collect and use only e-mail addresses with proper consent;
  • destroy all e-mail addresses in its possession which were collected without obtaining consent;
  • refrain from collecting any electronic addresses of individuals through the use of a harvesting computer program;
  • develop and implement a privacy program; and
  • obtain a third-party audit of its privacy program.

Compu-Finder is also under investigation by the CRTC, which issued a Notice of Violation against Compu-Finder pursuant to Canada’s Anti-Spam Legislation (CASL) on March 5, 2016. The OPC acknowledged the CRTC shared investigative information with the OPC pursuant to CASL and a Memorandum of Understanding between the two agencies. The CRTC’s proceedings against Compu-Finder are still ongoing. You can read the full report of findings and compliance agreement online here. [Source]

CA – Spy Agency Accidentally Shared Canadians’ Data With Allies for Years

A federal spy agency inadvertently shared logs of Canadians’ phone calls and Internet exchanges with intelligence allies such as the United States for years, a newly disclosed report says. The revelation that the CSE compromised Canadians’ privacy while sharing clandestinely captured data appears in a confidential watchdog’s report obtained from court filings related to a lawsuit against the Canadian government. The report said software that was supposed to remove identifying information on Canadians from material CSE captured during international surveillance operations had failed. This meant that Canada’s intelligence allies received data that Canadian laws say they should not see. The confidential report was written by Jean-Pierre Plouffe, a retired Quebec judge who heads the Office of the CSE Commissioner, the spy agency’s watchdog agency. In it, he suggests the unlawful seepage of Canadians’ phone and Internet records to foreign intelligence agencies could date back to the mid-2000s, and that the overall amount of compromised material is unclear. Given this, Mr. Plouffe is urging Parliament to pass laws spelling out how it wants the spy agency to function. “As CSE’s collection posture has strengthened, … the volume of metadata collected has increased considerably,” Mr. Plouffe writes in his 2015 report. He urged federal politicians to give clearer direction on surveillance. [The Globe and Mail]

CA – TREB Seeks ‘Opt-In’ Consent for MLS Data to Protect Consumer Privacy

Canada’s largest real estate board is urging the federal Competition Tribunal to protect consumer privacy by requiring homeowners to consent to sharing their housing information over the Internet. In filings posted on the tribunal’s website ahead of a hearing on Thursday in Ottawa, the Toronto Real Estate Board argues that electronic access to the board’s Multiple Listings Service should be made available to online real estate brokerages only after both buyers and sellers have checked an “opt-in” box on their sale and purchase agreement. TREB also asked the tribunal to make electronic home-sales data available for only six months after a house has sold, and said the data should not contain details of house sales that occurred before the tribunal issues its final order. It also argued that online brokers should not be able to use its MLS information for “data analytics” – such as building home-price heat maps or neighbourhood-level price trends – without the explicit consent of both buyers and sellers. The hearing comes a month after a three-member panel of the Competition Tribunal ruled that TREB was stifling competition in the Greater Toronto Area’s real estate industry by restricting how member realtors who run online brokerages access and share electronic data about homes that have sold. [The Globe and Mail]

Consumer

CA – Majority of Canadians Feel Their PI is Vulnerable to Security Breach

A report released earlier this month has indicated that the majority of Canadians believe the personal data the government holds on them is vulnerable to a security breach. The study, conducted by Ipsos on behalf of Accenture Cyber, indicated that Canadians feel distrustful of their data in the hands of municipal, provincial and federal governments. A total of 54% of Canadians believe that personal information held by the federal government is vulnerable to a security breach. 20% of those surveyed feel they are “very vulnerable” and 33% feel they are “somewhat vulnerable,” according to the results of the survey. Albertans feel most distrustful of their governments, as 62% of those in the province report feeling vulnerable, followed by those from British Columbia (58%), Ontario (55%), and Atlantic Canada (53%). Quebec, Saskatchewan and Manitoba tied for last place with 49% feeling their data could be compromised. On average, the results also say that women feel more vulnerable than men, and older Canadians are more skeptical of the safety of their data than younger ones. [Source]

E-Government

US – Uber Says New York Can’t Be Trusted With Its Data

Uber has gone to court to ensure confidentiality over records it provided for New York’s investigation of how the ride-sharing service secures data. New York began collecting the information two years ago after media reports surfaced about real-time tracking of rides — known internally as “God View” — that included personal information about riders. Uber provided the information at issue in response to an attorney general’s probe, so the company “thus enjoys categorical exemption from disclosure,” the petition states. Attorney General Eric Schneiderman’s office would only discourage similar cooperation from companies if it released the confidential information, the petition continues. [Source]

Electronic Records

US – Certified EHR Technology Now Widely Used at U.S. Hospitals

Nearly all of the country’s hospitals have adopted certified electronic health records, according to new survey data released May 31 by the Office of the National Coordinator for Health Information Technology. Results of the survey show the industry has a long way to go in sharing data and then using data from other healthcare organizations in treating patients—only a minority say they use patient information from outside their organization in treating patients. Based on the American Hospital Association IT Supplement to the AHA annual survey, the adoption rate of certified EHRs has increased from almost 72% in 2011 to 96% in 2015. Last year, 84% of hospitals adopted at least a basic EHR system, representing a nine-fold increase since 2008. ONC defines basic EHR adoption as a minimum use of core functionality determined to be essential to an EHR system, including clinician notes. The set of EHR functions must be implemented in at least one clinical unit to be considered basic EHR adoption. While small, rural, and critical access hospitals (CAHs) continue to have significantly lower basic EHR adoption rates compared with all hospitals, ONC notes that the new data show that adoption rates for these hospitals have increased significantly. Since 2014, small and rural hospitals increased their adoption of basic EHRs by at least 14 percentage points and CAHs increased their adoption of basic EHRs by 18 percentage points. Currently, about eight out of 10 small, rural, and CAHs have adopted a basic EHR. [Source]

Encryption

US – Proposed Senate Bill Requiring Backdoors in Encryption Appears Dead

A proposed anti-encryption bill has stalled out in the US Senate. The draft legislation would have required that encryption be breakable so investigators could access communications. The bill lacked White House support, and the intelligence community were reportedly “ambivalent” because the law could have impeded their own encryption efforts. [Reuters] [The Register] [CNET] [ComputerWorld] [ZDNet]

EU Developments

EU – Privacy Shield Doesn’t Hold Up: EDPS

European Data Protection Supervisor Giovanni Buttarelli has published his opinion on the EU-U.S. Privacy Shield, which he says is “not robust enough to withstand future legal scrutiny.” While he expressed appreciation for the legislative effort behind the agreement, “significant improvements are needed should the European Commission wish to adopt an adequacy decision,” he wrote. Buttarelli isn’t the only recent Privacy Shield critic. “We keep thinking we’re going to reach a date and from that date onwards we won’t have any more issues. That won’t happen,” said Intel Global Privacy Officer David Hoffman. “The idea that we’re going to solve the international data transfer issue with Privacy Shield, to me, is an incorrect assumption.” [v3] [BBC: EU Data Protection Supervisor Rejects Privacy Shield Agreement]

Facts & Stats

US – Most 2016 Healthcare Data Breaches from Unauthorized Access

Last year is often referred to as the “Year of the Hack” for healthcare, with the majority of healthcare data breaches being caused by third-party cyber attacks. The top three incidents alone combined to potentially affect nearly 100 million individuals, and all involved hacking. So far, 2016 is not immune from healthcare data breaches, but the leading cause of incidents is unauthorized access, according to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) data breach reporting database. There have been 114 incidents reported to OCR between Jan. 1, 2016 and June 1, 2016. Of those, 47 were classified as being caused by unauthorized access or disclosure. The rest of the classification breakdown is as follows:

  • 34 – hacking/IT incident
  • 26 – theft
  • 5 – loss
  • 2 – improper disposal

However, the largest healthcare data breach so far this year was due to a hacking incident. [Source] Top 10 Healthcare Data Breaches of 2015

UK – Sloppy Human Error Still Prime Cause of Data Breaches: ICO

FOI data from ICO reveals usual failings: loss of paperwork, data sent to wrong recipients, insecure disposal of hardware and paperwork, loss or theft of unencrypted devices, and failure to redact data … Of the sectors compared over the three years, 66% reported an increase in data breach incidents, with the courts and justice sector recording a rise of 500% over the period. Healthcare organisations continue to top the list for total number of reported incidents at 184. Human error continues to be mainly to blame. For January – April 2016, human error accounted for almost two-thirds (62%) of the incidents reported to the ICO, outstripping other causes such as insecure webpages and hacking, which stands at just 9% combined. Despite this, market attention and resource continues to focus on external threats, notably cyber-attacks and hackers. [Source] See also: [Human error causes more data loss than malicious attacks | Human Error to Blame as UK Data Breaches Soar | Courts and justice sector see 500 per cent rise in data breaches]

Filtering

CA – BC Supreme Court Orders Search Engine to Deny Access to Defamatory Statements

An individual seeks an injunction against a website that allegedly posted defamatory comments. An individual who filed a defamation lawsuit against two individuals and a website was granted a permanent injunction against those U.S. Defendants (who are prohibited from publishing such statements) in light of the possibility that they may resist enforcement of a monetary judgment of a Canadian court; a permanent injunction was also granted against a search engine, through which links can be obtained to the defamatory statements. [Nazerali v. Mitchell – 2016 BCSC 810 – In The Supreme Court of British Columbia]

CA – Officials Examining ‘Right-To-Be-Forgotten’ Potential in Canadian Law

As Google and the CNIL continue their battle over Europe’s “right-to-be-forgotten” law in France, Canadian officials are mulling whether the law has a place in their own legal system. A case involving Google and Datalink Technologies Gateways, Inc., has drawn parallels to the case in France, as the search engine is challenging an order in front of the Canadian Supreme Court to remove listings of Datalink, which is being accused of trademark violations across its worldwide search. To address their course on the RTBF, the Office of the Privacy Commissioner of Canada has received 23 formal submissions on the subject. “The law is broadly struggling to address these issues, and so we thought it was a legitimate question to ask,” said Patricia Kosseim, director general of the Legal Services, Policy, Research and Technology Analysis branch of the OPC. [The Globe and Mail]

FOI

CA – OPC Urges Committee to Rethink Information Commissioner’s Legal Jurisdiction

Privacy Commissioner of Canada Daniel Therrien suggested limiting the “proposed authority” for Information Commissioner Suzanne Legault in a brief to the Commons committee considering the Access to Information Act. Therrien argued that the current balance of power “illustrates the healthy tension between opposing interpretations” of what the law defines personal information to be. Said balance should be taken into consideration before revising job descriptions, he added. Instead, he suggested “the matter should only be discussed two years from now, when the government does a full-scale review of the access law,” the report states. [CTV News]

Health / Medical

CA – Saskatchewan Adopts Anti-Snooping Law for Health Records

The government is toughening up its laws around the protection of personal health information in Saskatchewan. The changes are in response to a member of the public finding thousands of medical records in a Regina dumpster in 2012, something the privacy commissioner at the time called the “worst breach of patient information” his office had ever seen. Despite that, there were no prosecutions. That incident sparked the government to create a working group made up of doctors, nurses, government officials and a patient representative to come up with stronger rules. The amendments to the Health Information Protection Act (HIPA) are effective June 1. They include a reverse onus clause for trustees of medical records to show they took reasonable steps to prevent their abandonment. [Source]

AU – Australian HealthCare Providers Must Protect Against Insider Risk

Recommendations for Australian healthcare providers to protect health information. Providers should adopt an approach that manages the risk of an external attack and aims to prevent internal data breaches from negligent or malicious staff; ensure employees have a high level of cybersecurity awareness (training and policies), encrypt all portable devices and allow for remote wiping, and revoke employee access to the network immediately after notice of termination is given. [Cybersecurity and the Risk of Inside Jobs – Marie Feltham, Special Counsel and Leonard Lozina, Lawyer – DibbsBarker]

CA – Ontario Health Ministry Ordered to Disclose Names on OHIP Billings

The province’s privacy commission has ordered the health ministry to release the names of doctors along with their OHIP billings, in the interests of transparency and accountability. The decision comes two years after the Toronto Star began requesting physician-identified billings from the health ministry, and brings the province more in line with other jurisdictions that are opting to disclose public funds paid to doctors. In granting an appeal the IPC said physician-identified billings are not “personal information” and are, therefore, not exempt from disclosure under the province’s Freedom of Information and Protection of Privacy Act. Even if they were deemed personal, a compelling public interest in their disclosure would outweigh the purpose of the act’s privacy exemption, the IPC wrote in a 54-page order released Wednesday and received by the Star Thursday. The IPC has ordered the health ministry to release the information to the Star by July 8. [Source]

Horror Stories

WW – Recently Confirmed Myspace Hack Could Be the Largest Yet

A report from LeakedSource.com says that there are over 360 million accounts involved. Each record contains an email address, a password, and in some cases, a second password. As some accounts have multiple passwords, that means there are over 427 million total passwords available for sale. Despite the fact that this data breach dates back several years, the size of the data set in question makes it notable. Security researchers at Sophos say that this could be the largest data breach of all time, easily topping the whopping 117 million LinkedIn emails and passwords that recently surfaced online from a 2012 hack. That estimation seems to hold up – while there are a number of other large-scale data breaches, even some of the biggest were not of this size. The U.S. voter database breach included 191 million records, Anthem’s was 80 million, eBay was 145 million, Target was 70 million, Experian 200 million, Heartland 130 million, and so on. [Source]

WW – LinkedIn Sends Out Breach Notification Emails

Users of LinkedIn likely received breach notification emails from the social network earlier this week. The emails come four years after a 2012 hack of the service in which millions of passwords and usernames were accessed. The incident was widely reported in 2012, but came back into the spotlight last week with news that 117 million email and password combinations — significantly more than the 6.5 million originally reported in 2012 — were for sale on the Dark Web. “While we do all we can, we always suggest that our members visit our safety center to learn about enabling two-step verification, and implementing strong passwords in order to keep their accounts as safe as possible,” the email stated. [Fortune] See also: [Unencrypted Laptops Expose Over 400,000 Patients’ Medical Data]

WW – Hackers Stole 65 Million Passwords from Tumblr, New Analysis Reveals

On May 12, Tumblr revealed that it had just found out about a 2013 data breach affecting “a set” of users’ email addresses and passwords, but the company refused to reveal how many users were affected. As it turns out, that number is 65 million, according to an independent analysis of the data. Troy Hunt, a security researcher who maintains the data breach awareness portal Have I Been Pwned, recently obtained a copy of the stolen data set. Hunt said the data contained 65,469,298 unique emails and passwords. The passwords, however, were not in plaintext, but were “hashed,” a process that turns the actual password into a different string of digits. The company also added a series of random bytes at the end of the passwords before hashing them, or “salted” them, as Tumblr said when it disclosed the breach. The company, however, didn’t say exactly what algorithm it used to hash the passwords. Since Tumblr’s announcement, the hacked data appears to have been circulating within the internet underground. A hacker known as Peace, who also claims to have the data and was selling it on the darknet marketplace The Real Deal, said Tumblr used SHA1 to hash the passwords. Given that it also used salt, they are very hard for hackers to crack. [Source]

Identity Issues

US – Doctors Fire Back at Bad Yelp Reviews – and Reveal PHI Online

Burned by negative reviews, some health providers are casting their patients’ privacy aside and sharing intimate details online as they try to rebut criticism. In the course of these arguments — which have spilled out publicly on ratings sites like Yelp – doctors, dentists, chiropractors and massage therapists, among others, have divulged details of patients’ diagnoses, treatments and idiosyncrasies. [Source]

Internet / WWW

US – Tech in U.S. Schools Collects Student Data for Marketing Purposes: Report

The National Education Policy Center has issued its 18th annual report about commercialization of student information. Current regulatory frameworks do not effectively protect against application service providers using students’ personal information for marketing purposes; legislators should eliminate loopholes that provide companies with opportunities to collect and exploit children’s data, and pass enforceable legislation that holds schools, districts, and companies with access to student data accountable for violations of student privacy. [NEPC: Learning to be Watched: Surveillance Culture at School]

Law Enforcement

US – ACLU joins Microsoft’s Challenge to DoJ Gag Orders

The American Civil Liberties Union has filed a motion to join Microsoft’s challenge to the Justice Department’s use of gag orders that prevent companies from telling users when the government is demanding access to their data. “A basic promise of our Constitution is that the government must notify you at some point when it searches or seizes your private information,” said ACLU Senior Staff Attorney Alex Abdo. “Notice serves as a crucial check on executive power, and it has been a regular and constitutionally required feature of searches and seizures since the nation’s founding.” A Microsoft spokesman said the company “appreciates the support from the ACLU and many others in the business, legal and policy communities who are concerned about secrecy becoming the norm rather than the exception.” [USA Today]

Location

US – Appeals Court Delivers Blow to Cellphone-Privacy Advocates

Courts across the country are grappling with a key question for the information age: When law enforcement asks a company for cellphone records to track location data in an investigation, is that a search under the Fourth Amendment? By a 12-3 vote, appellate court judges in Richmond, Virginia, on Monday ruled that it is not — and therefore does not require a warrant. The 4th Circuit Court of Appeals upheld what is known as the third-party doctrine: a legal theory suggesting that consumers who knowingly and willingly surrender information to third parties therefore have “no reasonable expectation of privacy” in that information — regardless of how much information there is, or how revealing it is. Research clearly shows that cell-site location data collected over time can reveal a tremendous amount of personal information — like where you live, where you work, when you travel, who you meet with, and who you sleep with. And it’s impossible to make a call without giving up your location to the cellphone company. [The Intercept]

WW – Collaborative Project Maps Areas Where Governments Spy on People

The Digital Freedom Alliance has launched a collaborative open source project to map places in the world where governments use malware to conduct surveillance on journalists, activists, lawyers, and NGOs. The project gathers information from a variety of sources and maps the locations, noting the dates, targets, and type of malware used. [Wired]

Online Privacy

WW – Facebook to Begin Sending Targeted Ads to Nonusers

In an attempt to grow its online ad network, Facebook will display ads to consumers who do not have accounts with the social media network. Facebook plans to reach nonmembers through cookies, “like” buttons, and plug-ins on third-party sites. While Facebook says its new method will better serve relevant ads to nonusers, European regulators have cited privacy concerns in their criticism of the practices. Facebook feels it is in a great position to target nonmembers through the large amounts of data it holds on current users. “Because we have a core audience of over a billion people [on Facebook] who we do understand, we have a greater opportunity than other companies using the same type of mechanism,” said VP of Facebook’s Ad and Business Platform Andrew Bosworth to the Journal. [The Verge] See also: [You Should Go Check Facebook’s New Privacy Settings]

WW – Googling Yourself Now Leads to Personal Privacy Controls

Soon, all you’ll need to do is Google yourself if you’re wondering how deeply Google has been digging into your digital life. In coming weeks, a shortcut to personal account information will appear at the top of Google’s search results whenever logged-in users enter their own names in the query box. The feature is part of an update to the “My Account” hub that Google introduced a year ago to make it easier for people to manage the privacy and security controls on the internet company’s services. While Google isn’t making any additional information available, it is making it easier to find. The link to personal accounts will appear at the top right of the listings for searches done on personal computers and at the top of requests entered on smartphones. Google is making the change because it learned that many users doing a “vanity search” under their name wanted a quicker way to find out what the company knew about them, as well as to see how they are depicted on various sites across the internet, said Guemmy Kim, a Google product manager. A new feature on Google’s mobile app will also quickly take users to their account information with a spoken request. All that will be required are the words: “OK Google, show me my Google account.” This option initially will only be available in English. [Source]

WW – IETF Publishes RFC for DNS Encryption

The Internet Engineering Task Force has released an RFC (request for comments) proposing that DNS requests be encrypted with Transport Layer Security (TLS). DNS requests and responses are often collected by law enforcement because they are classified as metadata. [The Register] [RFC]

Privacy (US)

US – Report: Employee Cybersecurity Knowledge Low, Despite Training Programs

A study from Experian and the Ponemon Institute reveals security training programs aren’t efficient enough at altering workers’ unsafe online behavior. “Managing Insider Risk through Training & Culture” is a survey of companies providing data protection courses to their employees. The study revealed 60% of respondents said their employees were either not knowledgeable or had no knowledge of cybersecurity, despite having training available. Only 35% said senior executives placed a high priority on employee data threat education, and 43% said their corporate training consisted of one course covering all departments. Low numbers were also reported on courses containing information on phishing and social engineering. “Phishing and social engineering attacks have been shown to result in data breaches. Training programs should show the consequences of these attacks and how to avoid falling prey to them.” [SC Magazine]

US – Obama Releases Final Privacy Framework for Precision Medicine Initiative

The White House announced the release of the final Data Security Policy Principles and Framework for its Precision Medicine Initiative. The framework is based on the administration’s cybersecurity framework and creates data security expectations and a risk-management approach for organizations taking part in the initiative. All federal PMI agencies will also integrate the framework across all PMI activities. President Barack Obama said, “We’re going to make sure that protecting patient privacy is built into our efforts from day one.” [White House]

US – Other Privacy News

Security

US – New System Monitors Govt Employees for Potential “Insider Threats”

The Defense Department is creating a system designed to expose potential “insider threats” by monitoring national security personnel. The Pentagon is hiring a team of “cross-functional experts” who are trained in cybersecurity, privacy, law enforcement, intelligence, and psychology to help discover potential traitors. The DOD Component Insider Threat Records System will also examine employees’ social media posts, and their digital work habits, while also incorporating keystroke tracking, screen captures and email. Civil liberties advocates are voicing their opposition to the system, saying the constant surveillance will stop whistleblowers from coming forward. “When you read the insider threat material, what they view as a threat is somebody reporting information about government activity to the press, which is, in a democratic society, not only important but necessary,” said FBI veteran Michael German. [Nextgov]

US – DOD is Creating an Insider Threat Database

The US Defense Department (DOD) is creating a system that contains information about national security personnel and other people with security clearances to help identify potential insider threats. The DOD Component Insider Threat Records System was created in response to the Pfc. Chelsea Manning data leaks that occurred in 2010. [NextGov]

WW – CIOs Say Organized Cybercrime is Top Threat to Business Operations

According to the Harvey Nash/KPMG 2016 CIO Survey, one-third of the respondents said they had dealt with a significant IT emergency or a cyberattack over the past two years. CIOs say organized cybercrime is the biggest cyber-threat to their organizations. The report found that 46% of CDOs (chief digital officers) report to their organization’s CEO, while just 21% report to the CIO. And 65% of respondents said they believe that a shortage of technical talent will hinder their ability to keep pace with the changing digital landscape. The survey comprises data gathered from 3,352 CIOs and technology leaders in 82 countries. [Press Release] [v3.co.uk] [v3.co.uk]

US – Medical Devices Could Be Used as Point of Entry into Healthcare Networks

The US Department of Veterans Affairs (VA) deputy director of health information security, Lynette Sherrill, told Nextgov that attackers are more likely to break into Internet-connected medical devices to gain access to a hospital network than to disrupt a patient’s treatment. Medical records are a valuable commodity on the data black market. Medical devices are not as readily patched as computers and phones. Sherrill also said that her agency removes devices that are found to be infected with malware, even if it means cancelling appointments. [NextGov]

WW – ICSA Launches IoT Certification Testing Program

ICSA Labs has launched its IoT (Internet of Things) Certification Testing program. The devices that pass muster will receive the ICSA seal of approval. The ICSA program will test both consumer products and enterprise products over six components: alerts and logging; cryptography; authentication; communications; physical security, and platform security. Earlier this year, Underwriters Laboratories launched its Cybersecurity Assurance Program (UL CAP). [DarkReading] [ComputerWorld]

WW – Microsoft Ends Common Password Use and Password Lockout

Microsoft has announced plans to dynamically prohibit common passwords, like the word “password,” while concurrently using the smart password lockout system. The lockout program would keep hackers from continually attempting to access users’ accounts while not freezing out legitimate users at the same time, the report states. The changes respond to the recent hacker dump of LinkedIn data, the report adds. Reddit also took action in light of the breach, announcing it would reset user passwords, SC Magazine reports. Meanwhile, a hacker is selling more than 65 million Tumblr passwords on the Dark Web, while 427 million MySpace passwords were found for sale online for $2800. [SC Magazine]

WW – Unbox Your Laptop, and Say Hello to Security Risks

Powering up a new laptop can be exhilarating. It can also be full of security risks. Software update tools that are preinstalled on Acer, Asus, Dell, HP and Lenovo laptops all contained at least one critical security vulnerability that hackers could easily exploit, said Duo Labs, the research arm of Duo Security, in the results of an investigation published Tuesday. In total, Duo Labs uncovered 12 different OEM software vulnerabilities across all the computer makers. OEM (original equipment manufacturer) software includes programs like product registration and 30-day free trials that come installed on a laptop right out of the box. They’re often referred to as bloatware since they’re largely unnecessary and weren’t installed at the user’s request. Not only is bloatware superfluous, it’s often a weak link in the security chain, according to Duo Labs. “The level of sophistication required to exploit most of the vulnerabilities we found is somewhere between that possessed by a coffee stain on the Duo lunch room floor and your average potted plant — meaning, trivial,” wrote Darren Kemp, a security researcher with Duo Labs, in a blog post Tuesday. [Source]

Surveillance

WW – Governments Turn to Commercial Spyware to Intimidate Dissidents

A growing number of U.S. companies are teaching foreign law enforcement agencies to code unique surveillance devices, often to track dissidents. The tools can override encryption measures, the report states. “There’s no substantial regulation,” said Bill Marczak of the University of Toronto’s Munk School of Global Affairs. “Any government who wants spyware can buy it outright or hire someone to develop it for you. And when we see the poorest countries deploying spyware, it’s clear money is no longer a barrier.” [New York Times]

CA – Interim RCMP Policy Sets Body Cam Guidelines

A new RCMP policy will require Mounties wearing small video cameras to hit record when they believe force will be used against a suspect. The interim policy is being considered with two purposes in mind: to gather evidence for prosecution against criminal behavior, and to answer any questions surrounding the aftermath of an incident. “Police are making use of a relatively new technology to hold both police officers, and members of the public we interact with, accountable for any actions taken,” the RCMP says. Other privacy concerns addressed in the interim policy include telling an individual when officers are wearing cameras, teaching RCMP members best video policies and practices, and making sure recordings are uploaded securely. [The Canadian Press] See also: [As More Police Wear Body-Cams, States Set New Rules Limiting Access to Footage] [Minnesota’s police body camera law is bringing privacy concerns.]

WW – Sports World Embraces Data Analytics

The Seattle Mariners’ use of sleep tracking tool Readiband last year is a window into the professional athletics community’s adoption of data-collecting tools. This use of data analytics is changing how coaches and players interact, Chicago Cubs Baseball Operations Assistant John Baker argues. “Welcome to the next frontier in baseball’s analytic revolution,” the report states. “Many of this revolution’s tenets will be familiar to anyone who works for a living — the ever-growing digitization and quantification of things never-before measured and tracked, for instance, or the ever-expanding workplace, the blurring distinction between the professional and the personal, and the cult of self-improvement for self-improvement’s sake.” [Vice Sports]

AU – ACT Govt Launches Review Into Civil Surveillance

The ACT government has announced a review of the use and conduct of civil surveillance in the territory that could lead to Australia’s first law to allow victims to sue over privacy intrusions. According to the statement, the review’s terms of reference will be looking at a range of issues including:

  • Surveillance in civil litigation claims
  • Surveillance businesses
  • Surveillance technology and practices, such as geo-tagging
  • Expansion of the existing Listening Devices Act 1992 to capture video surveillance and electronic monitoring
  • Possible need for a tort of breach of privacy
  • Current regulation of civil surveillance and the Information Privacy Act 2014.

An independent reviewer will be engaged by the Justice and Community Safety Directorate in order to undertake the review. [Source]

Telecom / TV

WW – Charging Mobile Devices Could Put Data at Risk

Smartphones can be compromised when charged using a standard USB connection connected to a computer, Kaspersky Lab experts have discovered in a proof-of-concept experiment. The researchers are now evaluating what the impact of such an incident might be. To learn more, read the blog post available at Securelist.com. [Kaspersky Corporate News]

US Legislation

US – Legislative Roundup

+++

 

19-26 May 2016

Biometrics

WW – Google’s Biometric Tool Aims to Kill Password Logins

A new Google feature could spell the end for password logins. Trust API will be tested at “several very large financial institutions” in June, said Google’s Daniel Kaufman. Google’s new service looks to use multiple indicators to create one viable identifier. Trust API will use biometrics in its mission to eliminate passwords, ranging from the shape of a user’s face and voice patterns to how a user moves and types and how they swipe on the screen. “Biometric authentication is a powerful enabler, allowing businesses smart enough to deploy it to significantly increase rates of registration, gaining data and insight about their customers, while also increasing customer security,” said Richard Lack from customer identity management firm Gigya. “This is a win-win scenario which sounds the death-knell for awkward and insecure passwords sooner than we may imagine.” [The Guardian] [Can Google replace passwords by tracking you more thoroughly?]

WW – ‘Faception’ Tech Can Determine Terrorists from Just a Face Scan

Israeli startup and facial recognition company Faception says a homeland security agency has hired it to help discover terrorists. The company says its technology is so precise it can identify “great poker players to extroverts, pedophiles, geniuses and white collar-criminals,” just from a face scan. The tech is not without critics. “Can I predict that you’re an ax murderer by looking at your face and therefore should I arrest you?” said the University of Washington’s Pedro Domingos. “You can see how this would be controversial.” Meanwhile, advertising company Mattersight Corporation will start using publicly available facial data from avenues like YouTube and Vine to gather personality profiles. [Washington Post] [ComputerWorld]

Big Data

US – Big Data: White House Issues Report on Primary Challenges and Opportunities

The Executive Office of the President has issued a report on Big Data that examines:

  • instances where big data methods and systems are being used in the public and private sectors in order to illustrate the potential for positive and negative outcomes; and
  • the extent to which “equal opportunity by design” safeguards may help address harms.

The primary challenges of Big Data are inputs to an algorithm (e.g. poorly selected data, incomplete/incorrect or outdated data, selection bias, and unintentional perpetuation/promotion of historical biases), and the design of algorithmic systems and machine learning (e.g. poorly designed matching systems, personalization and recommendation services that narrow user options, decision-making systems that assume correlation implies causation, and data sets that lack information or disproportionately represent certain populations). [Big Data: A Report on Algorithmic Systems, Opportunity, and Civil Rights – Executive Office of the President: Press Release | Report]

Canada

CA – New Recommendations for British Columbia’s FIPPA

Timothy Banks writes about the report tabled this month by the special committee appointed to review the B.C. Freedom of Information and Protection of Privacy Act. The committee made 39 recommendations to the legislature, several of which, if accepted, “would provide needed updates to improve public sector transparency. Regrettably, however, the committee has recommended that the legislature retain the controversial data sovereignty provisions of FIPPA that preclude transfers of personal information outside of Canada.” In this post, Banks examines four interesting recommendations made by the committee dealing with mandatory breach reporting, duty to document, data destruction, and data sovereignty. [Full Story] See also: [Timothy Banks offers an analysis of Ontario’s new Health Information Protection Act and the ways it has amended the Ontario Personal Health Information Protection Act, 2004]

CA – Alberta Premier Rebuts Privacy Concerns Over Carbon Tax Law

Premier Rachel Notley is dismissing opposition accusations that her NDP government’s carbon tax bill contains invasive and arbitrary rules on search and seizure. …Under Bill 20, officials who believe there are breaches of the levy can get a search warrant to go on properties, check fuel tanks, vehicles, buildings and computer hard drives. If they feel that someone is at immediate risk of harm or evidence might be destroyed they can proceed without a search warrant, but a search warrant or the owner’s permission is needed to get into someone’s home. [The Canadian Press]

CA – NS Government to Consider Mental Health Care Improvements

Premier Stephen McNeil and other Nova Scotian liberal politicians will investigate whether the province’s privacy laws are preventing youths with mental illnesses from receiving proper care. During a recent news conference on the matter, Carolyn Fox described how health care privacy laws prevented doctors from alerting her about her daughter’s three hospital visits, knowledge of which she felt could have prevented her daughter’s January suicide. “Because of the privacy law I was not contacted,” Fox said. There were “no red flags as to say this girl has been here three times, released, and told she was fine. This is not acceptable.” McNeil agreed. He acknowledged, however, that there was “a whole host of issues” accompanying revisiting notification protocol, “not the least of which is the breaching of someone’s privacy,” he said. [CBC News]

CA – Newfoundland Supreme Court Finds General Warrant Can Be Used to Retrieve Historical Text Messages

The Supreme Court of Newfoundland and Labrador considers whether authorisation under the Criminal Code is necessary prior to search of a cellphone’s historical data. An individual argued that police unlawfully searched his mobile phone because a general warrant was obtained for the search (which does not authorize interception of private communications); although his text messages qualify as a private communication, retrieval of prior stored messages does not qualify as an interception (messages would not be retrieved in the course of the communication process). [Her Majesty the Queen v. Rex Rideout – Supreme Court of Newfoundland and Labrador – 2016 CanLII 24896]

CA – Courts & Privacy Issues Around Production of Text Messages

There can be no doubt that text messages are normally producible under any rules of civil procedure, if they are relevant to the issues set out in the pleadings of an action and are only between the parties in the litigation. But in any number of types of civil proceedings there are surely many other relevant texts in which either the sender or receiver is not a party to the litigation, or texts that have been intercepted by someone who is neither the sender nor the receiver of that text. Whether production of those texts is subject to some scrutiny regarding privacy rights is an open question. While production of some of these types of texts might be sanctioned by way of a motion for third-party production, the more immediate question for a plaintiff, or defendant, in a civil proceeding is whether or not to initially produce such a text without breaching an expectation of privacy and privacy rights of a non-party. [The Lawyers Weekly Canada]

Consumer

UK – Two-Thirds of Brits think Snooper’s Charter Extracts Are from Dystopian Fiction: Research

Research from popular VPN service, HideMyAss, has revealed that when presented with extracts from the [Investigatory Powers Bill, also known as the Snooper’s Charter], two-thirds of Brits thought it was from dystopian fiction …On average, one in five of those (20%) suspected the quotes derived from George Orwell’s 1984, one in ten (10%) thought they were from Enemy of the State, and 7% believed the quotes were from The Hunger Games. What’s more, 8% of those polled even believed the quotes were from North Korean propaganda. [Source]

NO – Consumer Council Hosting Live-Streamed Reading of Privacy Policies

The Norwegian Consumer Council will livestream a reading of the terms of service and privacy policies from apps on an average mobile phone. The NCC predicts the event, featuring 33 apps in total, will take more than 24 hours, “as the combined texts are longer than the New Testament,” the report states. “The current state of terms and conditions for digital services is bordering on the absurd,” said Norwegian Consumer Council Digital Policy Director Finn Myrstad. “Their scope, length and complexity mean it is virtually impossible to make good and informed decisions.” The agency hopes the event will highlight the inapproachability of long policies, the report states. [Fortune]

E-Mail

US – Tech Companies Urge Senate to Pass Email Privacy Act Without Changes

As the Senate Judiciary Committee plans to examine, and possibly change, the Email Privacy Act, a group of 70 major tech companies are asking senators to approve the bill without any alterations. The organizations sent a letter to the Senate urging it to ratify the “carefully negotiated compromise” immediately, without any amendments added to “weaken” the bill. Signatories of the letter include Adobe, Amazon, Apple, Facebook, Google, IBM, Microsoft, and Yahoo. Despite questions about what version of the Email Privacy Act will be examined by the panel, the Senate Judiciary Committee will vote on the exact same text as the one unanimously passed by the House of Representatives. [The Hill] See also: [Email Privacy Act could face changes]

Encryption

EU – Cybersecurity and Police Chiefs Reach Breakthrough Agreement on Encryption

Leaders from the EU Agency for Network and Information Security (ENISA) and Europol have reached an agreement about the legal lengths to which law enforcement groups may go to access personal information. The move is what the report calls a “surprise turn” in discussions between cybersecurity group ENISA’s Udo Helmbrecht and Europol Director Rob Wainwright. Both spoke in favor of strong encryption and stated their dual opposition to back-door encryption. “While this would give investigators lawful access in the event of serious crimes or terrorist threats, it would also increase the attack surface for malicious abuse, which, consequently, would have much wider implications for society,” they said in a statement. [EurActiv]

EU Developments

EU – Parliament Finds Privacy Shield Does Not Provide Substantial Improvements to Safe Harbour

The European Parliament issued its opinion on the EU-US Privacy Shield. The Shield does not provide an equivalent set of principles (there are no requirements for consent or data minimisation, processing for incompatible purposes is allowed, and blanket permission is given for all types of processing), allows for bulk collection of EU citizens’ personal data and communications (in breach of CJEU and ECHR judgments), and supervisory powers of the Department of Commerce, FTC and the Ombudsperson are not comparable to EU supervisory authorities. [EU Parliament – Motion for a Resolution on Transatlantic Data Flows]

EU – Privacy Seal Schemes Gradually Taking Shape in Europe

The EU is moving ever closer to having a widely recognized privacy seal scheme — or rather, several of them — for Web services. EuroPriSe is a company that spun out of the data protection authority of Germany’s Schleswig-Holstein state a few years back, with funding from the European Commission. It’s pushing to expand its scope across the EU and beyond, and last month it started offering website operators a privacy seal indicating to the world that they stick to EU data protection law. And it’s not the only player in the game. “Europe’s privacy kitemark scene may be fragmented and in its early stages, but at least the many players are talking to one another.” [Full Story] See also: [Op-ed: UL certification program for IoT devices a ‘step in the right direction’]

Finance

US – Campaign Hopes to Inspire Congress to Better Protect Financial Data

A group of seven trade organizations have banded together to create a Stop the Data Breaches campaign. The group wants to publicize the costs of breaches for financial institutions in an effort to garner attention and legislative support from Congress, the report states. “Credit unions and other financial institutions are continuing to pay the tab for retailer data breaches, and consumers’ data remains vulnerable,” said the National Association of Federal Credit Unions’ Brad Thaler. “It’s long overdue for Congress to pass legislation ensuring that everyone has a similar mandate to keep customer data safe,” added Financial Services Roundtable’s Jason Kratovil. [Associations Now]

FOI

CA – Rogers Releases New Transparency Report

In its third annual transparency report, Rogers Communications revealed that, of the more than 86,000 requests, it refused to hand over consumer data to law enforcement 3% of the time. This is the first time one of the “Big Three” telecoms has disclosed how many times it has refused government requests for data. “It’s so that people understand that we do not just accept requests at face value,” said Rogers Chief Privacy Officer Dave Watt. “We really feel strongly about protecting customer information.” Open Media’s Laura Tribe said the report could improve, but said Rogers’ more detailed report is a “positive example,” adding, “This type of reporting is essential if we are to shed light on the government’s attempts to obtain our private information.” [Financial Post]

CA – Alberta OIPC Finds FOIP and HIA Do Not Apply When Information is Collected in an Employee’s Personal Capacity

The Office of the Alberta Information and Privacy Commissioner reviewed a decision made by a health organization to deny access to personal information. The letters collected by the employee were written specifically for her, discussed incidents that took place in the health clinic, and had a very personal tone; the applicant purposefully provided the letters in the parking lot of the clinic so he would not be handing over information as a patient to a health facility and specifically requested that the employee destroy them immediately after reading them. [OIPC Alberta – Order H2016-05/F2016-13 – Alberta Health Services]

CA – Federal Interim Directive Commits to More Open and Transparent Government

The federal government issued a request for feedback on its proposals to improve the Access to Information Act. Effective May 5, 2016, all non-application fees are waived, and requesters must generally receive information in a computer-readable format; a full review of the Act, scheduled for 2018, would incorporate these changes, ensure the Act applies to the office of Ministers and the Prime Minister, and permit the refusal of frivolous/vexatious requests. [Government Proposals to Revitalize Access to Information – Government of Canada Consultation | Interim Directive | Additional Information]

Genetics

US – Myriad Genetics Hit with ACLU Complaint to HHS

A complaint has been filed against genetic testing company Myriad Genetics, Inc. for not adhering to the requests of four patients wishing to view personal genetic information. The ACLU filed the complaint to the U.S. Department of Health and Human Services’ Office for Civil Rights, saying Myriad’s refusal to provide the information was a HIPAA violation. Despite Myriad providing the information to the patients at a later date, the ACLU will still go forward with the complaint. Myriad spokesman Ron Rogers said delivering the information was not done to prevent an ACLU complaint, and the company promises to honor future requests. “As far as we’re concerned, the matter is resolved,” Rogers said. “We think the ACLU’s claim is without merit.” [Reuters]

US – Final Rule Prohibits Employer Wellness Programs from Collecting Employee and Spousal Health Data Unless Prescribed Standards Are Met

The Equal Employment Opportunity Commission has issued final rules amending the Regulations Under the Americans With Disabilities Act (“Part 1630”), and the Genetic Information Nondiscrimination Act (“Part 1635”) – the rules are:

  • effective July 18, 2016; and
  • applicable beginning January 1, 2017.

Employers are subject to incentive limits in regards to encouraging employee participation in wellness programs (which include medical exams); no incentives are permitted in exchange for the current/past health status information of employees’ children or for specified genetic information of an employee, and an employee’s spouse and/or children. [Equal Employment Opportunity Commission – Final Rules 29 CFR Parts 1630 and 1635 – Employer Wellness Programs – Regulations Under the Americans With Disabilities Act; Genetic Information Nondiscrimination Act | Press Release] Federal Register (Regulations Under the Americans With Disabilities Act; Genetic Information Nondiscrimination Act)

Health / Medical

WW – Google Health App Halted as Enforcement Agencies Examine Data Use

Streams, the health data app born of a controversial alliance between Google’s DeepMind and the NHS Royal Free Trust, is not currently active. The app served to discover hospital patients in danger from acute kidney disease, but critics took umbrage with the amount of data the app used to deliver so specific a diagnosis, the report states. As a result, the Medicines & Healthcare Products Regulatory Agency is “in discussions” with the organizations to determine whether the app needs to be registered as a medical device, the report states. This announcement comes on the heels of the decision by the U.K. Information Commissioner’s Office to investigate a “small number of complaints” about Streams’ data use. [TechCrunch]

Horror Stories

WW – Database of 2M Mexicans’ Voter Data Found Online

A data breach researcher discovered a database of the personal information of more than 2 million Mexicans posted online. MacKeeper’s Chris Vickery, who discovered the breach, is the same researcher who recently found a similar database of 93.4 million Mexican voting records leaked online. This time, he found the new database by conducting a “random search,” the report states. After an investigation, Mexico’s voting authority confirmed the information was voting data from Sinaloa, and the data has since been taken down. “I think the sudden appearance of multiple [voter registry] databases is a symptom of giving out too many copies,” said Vickery. “I think the [voting authority] is making good changes in the future by not allowing so much information to be so widespread.” [Fortune]

Identity Issues

WW – Hartzog: ‘Public’ Data Sets Are Not Fair Game

In the wake of research that published a data set on 70,000 users of OKCupid, professor Woodrow Hartzog argues that traditional notions of “public” data are now misguided and outdated. Justifying the release of data because it’s considered public “is fundamentally wrong,” he writes. “Not just because we should be able to expect a certain amount of privacy in public, but because, despite frequency of use and seeming self-evidence, we actually don’t even know what the term public even means.” He warns that the public data argument is “gaining steam” in policy discussions, but adds, “The ‘public information’ justification is a simple way to avoid answering hard questions about the privacy interests in data.” [Slate] See also: [Published personal data on 70,000 OkCupid users taken down after DMCA order]

EU – EU Advocate General Opinion States IP Addresses Are Personal Data

Manuel Campos Sanchez-Bordona, the EU advocate general, has determined that dynamic IP addresses qualify as personal data, according to a blog post from Covington. Sanchez-Bordona’s opinion is in relation to Patrick Breyer v. Germany, a case currently pending in the EU Court of Justice. The advocate general’s opinion details how even if a website operator cannot determine the user behind an IP address, Internet service providers have data that, when connected with an IP address, can identify the individual. The opinion also covered how the collection and use of IP address data, when used to ensure a website is functioning, could be acceptable on the basis of the “balancing of legitimate interests” test in the GDPR. While the court doesn’t have to follow the advocate general’s opinion, it could have broad implications for the EU if followed by the Court of Justice. [Full Story] [Review of Opinion]

Law Enforcement

CA – RCMP Under Fire for ‘Misrepresenting’ Stingray Use

Recently disclosed court documents indicate that the Royal Canadian Mounted Police used Stingray devices during two 2014 criminal investigations, but the defendants’ lawyers in the cases argue that the RCMP allegedly “misrepresented” how they would use the tools. The undisclosed details include the Stingrays’ range, phone location pinpointing abilities, and their “potential for interference with 911 calls,” the lawyers argue. However, RCMP lawyers countered that nondisclosure agreements keep the law enforcement agency from elaborating on the Stingrays’ capabilities, among other details. A hearing on the matter was postponed from May 17 to a later date, at which time the defense will seek more information on the RCMP’s precise use of the tools, the report states. [Vice News]

US – Commentary: FBI, Locals Team Up to Invade Citizens’ Privacy

StingRay deployments have been confirmed in at least 24 states and the District of Columbia, and there is every reason to believe many of the remaining states possess them and simply haven’t been forced to disclose it. Different departments have different deployment policies, but cities such as Baltimore have admitted to deploying the devices in thousands of investigations. Given such widespread use, and such obvious and troubling privacy implications, one would expect to find a large body of court rulings on the constitutionality of warrantless StingRay surveillance. One would be mistaken. [Source]

US – New System Would Give Law Enforcement Access to Public Cameras

Computer scientists at Purdue University have developed tools allowing law enforcement to access cameras that aren’t password protected to help determine the best way to respond to a crime. While in proof of concept form, the Visual Analytics Law Enforcement Toolkit overlays the rate and location of crimes to the location of police surveillance cameras, while CAM2 reveals the locations and positions of public network cameras. Registered users only have limited access. The terms of service state, “you agree not to use the platform to determine the identity of any specific individuals contained in any video or video stream,” but those safeguards aren’t enough to quell privacy advocates’ concerns. “I can certainly see the utility for first responders,” says EFF investigative researcher Dave Maass. “But it does open up the potential for some unseemly surveillance.” [Wired]

CA – Mounties Wearing Video Cameras Told to Record Use of Force

Mounties wearing tiny video cameras must hit the record button when there is “a high likelihood” they’ll use force against someone, says an interim RCMP policy on use of the devices. …RCMP detachments in Wood Buffalo, Alta., and Windsor and Indian Head, N.S., took part in the 2015 tests. In addition, the Mounties have advised the federal privacy commissioner of ad-hoc evaluations of the technology. “For example, they have used the cameras at protests in New Brunswick and in Burnaby, B.C.,” said Tobi Cohen, a spokeswoman for the privacy commissioner. [Source]

Online Privacy

WW – Default Settings Criticized in New Google Messaging App

Last week, Google unveiled a number of new products, one being a new messaging app called Allo. The app features strong, end-to-end encryption, but it’s not the default setting. Users have to turn it on, and that has some privacy advocates up in arms. Edward Snowden tweeted that not having it on by default “is dangerous, and makes it unsafe.” New America’s Open Technology Institute Director Kevin Bankston, however, said, “I, too, would prefer that Allo be encrypted by default,” but added, “all in all, this is going to be a net increase in the amount of encrypted messaging out in the world. And that is ultimately a good thing.” [The Washington Post] [Allo Chat Privacy Concerns Are Way Overblown] See also: [This Fitness App Tracks You Too Much, Consumer Advocates Claim] [Runkeeper in Hot Water] and [Grindr users can have location tracked, even with adjusted settings]

Other Jurisdictions

WW – Global Guide to Data Breach Notifications 2016

A new guide from World Law Group provides information organizations need to know when facing a data breach in one or more countries. Produced by the WLG’s Privacy & Data Protection Group, it provides summaries of relevant law, data breach reporting requirements, contact information for relevant data protection authorities and more for 60 countries. [Read Now] [Full Story]

AU – Victoria to Create Info Commissioner Role to Oversee Privacy and FOI

The new body will be created as part of an overhaul of the state’s FOI regime, which will also include introducing the ability to review ministerial and departmental FOI decisions including under Cabinet exemptions; reducing the time to respond to an FOI request from 45 days to 30 days; and reducing the time that agencies have to seek a review by the Victorian Civil and Administrative Tribunal from 60 days to 14 days. [Source]

Privacy (US)

US – FTC to Host Disclosure Workshop

The Federal Trade Commission will host “Putting Disclosures to the Test” on Sept. 15, a free, public workshop that will evaluate companies’ claims and privacy practice disclosures, according to a press release. The event will “explore how to test the effectiveness of these disclosures to ensure consumers notice them, understand them, and can use them in their decision-making,” the report states. Interested parties may submit proposals for the event to disclosuretesting@ftc.gov. [FTC Press Release]

US – Educator’s Guide Takes the Mystery Out of Student Data Privacy

Now that technology is an imperative in our personal and professional lives, it is also a necessary part of education. More than that, technology is making it possible for more students and teachers across the country to collaborate, create, and get access to high quality resources. At the same time parents and policymakers are increasingly concerned about the student data those tools create and track. How can a classroom teacher or a building level administrator who knows and loves education technology balance student privacy with powerful student learning? ConnectSafely and the Future of Privacy Forum have partnered to write The Educator’s Guide to Student Data Privacy. The authors wanted to create an easily accessible resource that teachers and administrators could use right away. Using an online collaborative document, the authors integrated varied perspectives from classroom education, media, policy, connected technologies, and parenting. This guide, which includes a ten-question checklist to help educators as they consider using a new tool with students, will make managing privacy manageable for educators. [Education Week] [PDF of Guide]

US – Federal Procurement Regs Adopt Simple Security Controls

This week the Federal Acquisition Regulations were updated to focus on basic security hygiene. [Source] [Pescatore blog]

Security

WW – Survey: Baby Boomers Better at Password Security than Millennials

According to survey results, Baby Boomers – people aged 51-69 – are the demographic most likely to use the security best practice of having a unique password for each and every online account: 65% of respondents said they have 5 or more passwords across their online accounts, compared with just 44% of millennials (ages 18-34). The report didn’t give the figures on people ages 35-50, but it did say that only 16% of people follow best practices overall. [Source]

Smart Cars

CA – Tighter Rules Needed for Police Access to Event Data Recorders

Are tighter rules needed on recording devices in cars? ‘I think if a device is surveilling you … that there have to be restrictions on it.’ Most vehicles built since the early 2000s contain event data recorders that silently log everything, such as braking, speed, steering and whether a seatbelt is buckled. …However, that constant data collection is raising questions. Both the Canadian Automobile Association and the Automobile Protection Association are asking for clearer rules on how that data is obtained and used by police, car manufacturers and insurance companies. [Source]

Surveillance

UK – 22 BILLION Police ANPR Photos Stored, 34 Million Added Daily

A police network of ‘Big Brother’ spy cameras takes photos of about 34 million number plates each day, new figures have revealed. Around 9,000 surveillance cameras have been placed along Britain’s roads and senior officers claim they are invaluable in preventing and solving serious crimes and terrorist attacks. The Automatic Number Plate Recognition (ANPR) technology is also fitted to police vehicles, and is used to find stolen cars and tackle uninsured drivers. But privacy campaigners have argued that the system, which allows officers to access 22 BILLION records held for up to two years, is intrusive and heightens fears of an Orwellian surveillance state. Searches of the database by police officers have soared by more than 50% in just two years – from 194,317 in 2012 to 300,758 in 2014. In the last 12 months, evidence from ANPR cameras has been used in more than 200 court cases to secure convictions for offences including robbery, kidnapping, drugs and murder. Information Commissioner raised questions about the scale of surveillance – But police forces say it is critical to monitor criminal activity on the roads [The Daily Mail]

EU – German Court Accepts Footage from Single Dashcam to Convict Driver

A decision by a German court to accept footage from a dashcam as the sole evidence to convict a driver who drove through a red light sparked a debate in the media on Friday about privacy and surveillance. …“After the court decision, might amateur ‘sheriffs’ now feel empowered to film and report people behaving badly?” the Sueddeutsche Zeitung wrote in a front page article on Friday. [Source]

CA – Winnipeg to Expand Back-Lane Cameras to Private Property

City administrators want permission to set up motion-activated cameras on private property to catch illegal garbage dumping. The city launched a pilot program last month in which cameras were set up on city property. So far, two cameras have been placed at dumping hot spots. Now, the administration wants the ability to place cameras on private property. Six mobile, high-definition cameras were purchased at a cost of $54,000. Images from the cameras can be downloaded remotely. The manufacturer states the cameras can capture clear images from up to 30 metres, even at night. The administration wants council to give its chief administrative officer the authority to approve legal agreements with private property owners. …Winnipeg lawyer Andrew Buck, who specializes in privacy law, said concerns about privacy violations need to be considered within the context of the neighbourhood concerns and the problems tied to illegal dumping. [City wants to boost effort to catch illegal dumping]

US Government Programs

US – OMB Helping Privacy Professionals Become More Tech Savvy

The Office of Management and Budget has been working to help privacy and security pros work together. OMB Senior Privacy Advisor Marc Groman said privacy and security can work “perfectly in concert” if professionals from both fields work on projects from their genesis. The OMB has started offering technical training to help privacy professionals have more meaningful roles in discussions. “It is my personal belief that you cannot be a privacy professional in 2016 and not understand tech,” Groman said. “And so we are building a technology curriculum for federal government privacy professionals so that when they sit across the table from all of you, as you’re building a new system or discussing enterprise architecture, they have a baseline understanding of tech, just like I hope you all will have a baseline understanding of privacy.” [FCW]

US Legislation

US – Federal Bill Proposed to Limit Use of Stingrays

The federal bill requires State and local law enforcement agencies to conform to federal guidelines when using cell simulator devices. H.R. Bill 5154 – Fourth Amendment Integrity Restoration (“F.A.I.R.”) in Surveillance Act 2016 was:

  • introduced in the House of Representatives; and
  • referred to the Committee on the Judiciary.

Any coordination or agreement between a Federal and State or local law enforcement agency, pertaining to the acquisition or use by that agency of any cell simulator device, must require that the use will conform to the guidance and policies that apply to the Federal agency on the use of such devices. [H.R.5154 – F.A.I.R. Surveillance Act of 2016]

+++

12-19 May 2016

Biometrics

WW – Facebook Launches Facial Recognition App Without Facial Recognition Technology

Facebook is releasing its photo app Moments in Europe, but with some important changes in order to comply with EU privacy laws. While the U.S. version of Moments features facial recognition technology, the European version will not, in part because of Facebook’s battle with the Irish data protection commissioner over the legality of the technology. The app uses facial recognition technology to identify individuals within photos bundled from the same event. The European version will still group photos from a particular event, but users will have to manually tag their friends. One major difference allows European users to share their photos privately, in a move geared toward the more privacy-cautious EU userbase. [The Guardian]

US – FBI Doesn’t Want Privacy Laws to Apply to Its Biometric Database

The FBI has been building a massive biometric database for the last eight years. The Next Generation Identification System (NGIS) starts with millions of photos of criminals (and non-criminals) and builds from there. Palm prints, fingerprints, iris scans, tattoos and biographies are all part of the mix. Despite having promised to deliver a Privacy Impact Assessment of the database back in 2012, the FBI’s system went live towards the end of 2014 without one. That’s a big problem, considering the database’s blend of guilty/innocent Americans, along with its troublesome error rate. The FBI obviously hopes the false positive rate will continue to decline as tech capabilities improve, but any qualms about bogus hits have been placed on the back burner while the agency dumps every piece of data it can find into the database. The FBI has shown little motivation to address Americans’ privacy concerns by providing an updated Impact Assessment (the one it does have dates back to the program’s inception in 2008), but has wasted no time in alerting legislators about its own privacy concerns. On Thursday, the Justice Department agency plans to propose the database be exempt from several provisions of the Privacy Act — legislation that requires federal agencies to share information about the records they collect with the individual subject of those records, allowing them to verify and correct them if needed. The DOJ’s comments reflect the FBI’s desire to keep its newest tracking toy as secret as possible. It asks for a number of exceptions and justifies those with the same excuses it uses to withhold information from both courts and FOIA requesters. [Source]

UK – PwC White Paper Points to Best Privacy Practices When Using Biometric Matching for Authentication

Nok Nok Labs, a member of the FIDO (Fast IDentity Online) Alliance, published a White Paper from PwC Legal comparing key privacy implications of on-device and on-server matching of biometric data. For organisations considering biometrics as they move away from reliance on usernames and passwords, the report highlights why device-side matching of biometric data is a compelling approach to satisfy key privacy requirements on cross-border personal data transfers, as well as providing the benefits of individual choice and control around such personal data. Other key findings in the White Paper include:

  • Freely given, informed user consent is required before processing biometric data in almost every jurisdiction covered in the White Paper
  • With centralised storage of biometric data, the potential for large-scale loss of data is significantly increased
  • On-device authentication will generally avoid international cross-border biometric data transfer implications. Conversely, on-server authentication for a global network of biometric users results in international transfers of data; transfer of personal data, including biometric data, out of a jurisdiction is generally restricted

“Biometrics are a compelling way to improve mobile application usability and avoid the security pitfalls of username/passwords, but significant privacy concerns come into play,” said Phillip Dunkelberger, President & CEO of Nok Nok Labs. “With biometrics, it is crucial to understand the difference between on-device and on-server matching, as the difference between the two approaches significantly affects the risk and exposure of data in a breach. The on-device approach, as used by Nok Nok Labs technology, ensures optimal privacy for biometric information.” [Source] [FedScoop: PwC Study: Device-Side Biometrics Preferred Over Server-Side]

AU – OAIC Seeks Feedback on Draft Guide to Big Data & Privacy

The Office of the Australian Information Commissioner is seeking feedback on a draft guide to the interaction between so-called big data and Australian privacy law. In particular, the draft examines how the Australian Privacy Principles (APPs) apply to big data. “There is no doubt that big data practices challenge us to think about how key existing privacy principles — including notice and consent, data collection, use limitation, and retention minimisation, — work in practice,” acting Australian Information Commissioner Timothy Pilgrim said. “However, the APPs [Australian Privacy Principles] are technologically neutral, and structured to reflect the entirety of the information lifecycle. This means entities have the flexibility to tailor their personal information handling practices to respond to the privacy challenges of big data uses.” “The draft guide is aimed at facilitating big data activities while protecting personal information. It encourages entities to take a risk management approach and to use existing privacy tools to get privacy right for big data,” Pilgrim said. [Source] The document is available from the OAIC’s website. The deadline for submissions on the draft is 26 July.

Canada

CA – OPC Starts Consultations on the Realities of Customer Consent

“It seems clear that reading privacy policies could be a full-time pursuit with untold hours of overtime,” federal privacy commissioner Daniel Therrien told a privacy conference in Toronto. “It is no longer entirely clear who is processing our data and for what purposes – creating challenges for meaningful consent.” That’s why his office has started a consultation with chief privacy officers and other executives, researchers as well as the public on whether the consent model — largely instituted by the federal Personal Information Protection and Electronic Documents Act (PIPEDA) — should be improved or whether there should be more focus on accountability and ethical uses of personal information by organizations, which would place the responsibility for oversight on regulators. [Source]

CA – OPC Releases Publication Highlighting Independent Privacy Research Projects Funded by Contributions Program

The Office of the Privacy Commissioner of Canada (OPC) has released the latest edition of Real Results—a publication highlighting the innovative and socially relevant independent privacy research and knowledge translation projects funded by the OPC Contributions Program over the past few years. The new edition of Real Results features funded projects that explore a range of emerging privacy issues—police background checks, the use of genealogical information, and telematics systems in cars—as well as some innovative approaches for helping young people learn to protect their privacy. The stories feature key findings of the projects, as well as commentaries and ideas from the researchers themselves that illustrate the issues and the impact of their work. The OPC Contributions Program funds independent privacy research and related knowledge translation initiatives. These projects not only advance the collective knowledge on privacy, they provide real, tangible research results that Canadians can use to make decisions about privacy protection in their own lives. To explore all research and knowledge translation projects funded by the OPC Contributions Program, see the Contributions Program projects listed by year on our website. [Source]

CA – NWT Government Seeking Comments on Reforms to ATIPPA

The Department of Justice for the Northwest Territories has issued a consultation on reform of the Access to Information and Protection of Privacy Act. Comments will be accepted until June 15, 2016. A comprehensive review of the Act is being conducted to address identified issues related to the purposes of the Act, the scope of the Act, time limits for responding to access to information requests, mandatory and discretionary exceptions to disclosure, circumstances allowing disclosures of personal information, the powers of the IPC, and current levels of fines for offences under the Act. [NWT Government – Public Engagement on the Comprehensive Review of the Access to Information and Protection of Privacy Act]

CA – Gov’t Minister Veto Could Trump Proposed Info Commish Powers

The Liberal government is floating the idea of a ministerial veto over planned new powers for the information commissioner — a move that would give cabinet the power to block release of documents. …Currently the commissioner, an ombudsman for users of the access law, can investigate complaints and recommend that records be released. But she cannot force a government agency to do so, and must head to court to pursue the matter further. Provincial commissioners in British Columbia, Alberta, Ontario, Quebec and Prince Edward Island have the power to order the release of government information. Many openness advocates have called for the federal commissioner to have similar authority. [Source]

CA – Quebec Info Commish Blasts School Board Over Data Sent to US

Quebec’s Information Commissioner has condemned Lester B. Pearson School Board (LBPSB) for sharing confidential personal information far too freely. Judge Cynthia Chassigneux ruled that LBPSB grossly violated its stakeholders’ rights by sharing their personal information with a private California database firm Blackboard Connect, where it is subject to disclosure to American authorities under the Patriot Act. [The Suburban]

CA – Ontario Court of Appeal to re-Examine Shielding Data from US Probes

What happens to data being stored in Canada and whether it can be accessed by foreign law enforcement agencies is a question Canadian courts are currently grappling with. Two decisions — one in Ontario, the other in British Columbia — have determined that information held in servers in Canada can’t be shielded from review by American investigators. But the Ontario Court of Appeal has decided to re-examine one of those cases. [Law Times]

CA – BC Court of Appeal Rules on Privacy, Technology, and Instant Messaging

In its recent decision R. v. Craig, 2016 BCCA 154, the B.C. Court of Appeal recognized a reasonable expectation of privacy in private instant messages shared on a social network. Even though the context was criminal law, the reasoning underlying the decision is of interest to any practitioner confronted with protection of privacy issues. This bulletin discusses this case first by presenting the facts, followed by the legal issues, the “reasonable expectation of privacy” test, and the court’s guidance for the future. “In our opinion, this decision can be summed up in two words as it pertains to reasonable expectation of privacy: tradition and progress. Legal tradition, because the Court of Appeal reiterated and affirmed the doctrine of confidentiality in private communications: the sender is not supposed to know that the recipient will share the message with third parties. Technical progress, because the Court of Appeal applied this doctrine, with the necessary adaptations, to the digital universe, by explaining that private instant messages shared on a social media website are entitled to an objective expectation of privacy. Most importantly, from a much broader perspective, this principle would apply to any private technological communication.” [Fasken]

CA – OPC Releases Survey Results on Canadian Businesses

The Office of the Privacy Commissioner of Canada recently commissioned a telephone survey of 1,016 Canadian companies to find out how Canadian businesses fare with their privacy knowledge and protections. The informative report on the survey is the 2015 Public Opinion Research with Canadian Businesses on Privacy-Related Issues. Canadian businesses report increased knowledge of privacy issues, but little progress in implementing privacy policies or response plans for data breaches – placing them at risk for new enforcement activities and fines. [Source]

CA – RCMP Surveilled Journalists for 9 Days Without Authorization

Mounties probing CSIS leak conducted unauthorized surveillance of 2 journalists. Officers spent 9 days watching Ottawa-based journalists, new document reveals. Only after the surveillance of the reporters had occurred did officers ask their RCMP bosses for the required permission. They were immediately denied authorization, and told to cease the surveillance. The bombshell revelation about a national police agency spying without authorization on Canadian journalists appears in a document obtained by CBC News under the Access to Information Act. The partly censored briefing note for Public Safety Minister Ralph Goodale was written after media reports appeared last November detailing Project Standard. That was the official name of the Mountie probe into the leak of a 2003 secret document, created by the Canadian Security Intelligence Service (CSIS), to journalists working for the Montreal newspaper La Presse. [CBC] [Trudeau: ‘Unacceptable’ That Rogue Canadian Cops Spied on Two Journalists] See also: [Mulcair calls for inquiry into RCMP surveillance of journalists] [RCMP commissioner speaks out on unauthorized surveillance]

CA – Privacy Laws for Mental Health Care in Nova Scotia Could Soon Be Reviewed

The governing Liberals are ready to examine whether Nova Scotia’s privacy law is preventing young adults from getting the support they need when they are suffering from a mental illness. The issue was front and centre at Province House on Tuesday during a visit to the legislature by Carolyn Fox. Her daughter, Cayley, 21, killed herself on Jan. 22. [Source] See also: [Nova Scotia mental health care privacy laws unlikely to change: former health czar]

Consumer

CA – Ipsos Survey Finds Most Canucks Don’t Trust Gov’t With Their Info

A majority of Canadians believe that their personal, confidential information held by all levels of government is vulnerable to a security breach, including non-authorized internal access or an external data hack and theft, according to a new Ipsos poll conducted on behalf of Accenture. Municipal governments top the list, with 56% of Canadians describing them as vulnerable (16% very/41% somewhat) to threats when it comes to personal data for things such as property tax, water/sewage and traffic fines. A minority (44%) does not see their information as vulnerable (9% not at all/34% not very). Other levels of government don’t perform much better, as many feel the same way about their provincial government, which stores confidential data for drivers’ licenses, health cards and birth certificates: a slim majority (55%) say entities at the provincial level are vulnerable to data security breaches (20% very/35% somewhat), while nearly half (45%) say they aren’t vulnerable (13% not at all/32% not very). When sharing their personal, confidential data with the Federal government – for anything from taxes to SIN cards to passport renewals – 53% of Canadians feel their data is vulnerable to a security breach (20% very/33% somewhat), while fewer than half (47%) do not (15% not at all/32% not very). While most Canadians likely trust their doctor, many are less convinced about the security of their health records. Half (55%) feel records held at their doctor’s office or hospital are vulnerable (20% very/35% somewhat) to a security breach, while 45% do not (14% not at all/31% not very). Other institutions are not exempt from data protection concerns. Half of Canadians (52%) feel their hydro electricity provider is vulnerable to a data security breach (14% very/38% somewhat), while the other half (48%) does not feel their information held by their hydro provider is vulnerable (10% not at all/38% not very). [Source] [Press Release | Detailed Tables 1 | Detailed Tables 2]

US – NTIA study: Privacy Concerns Curtailing Americans’ Online Activity

A National Telecommunications & Information Administration survey found Americans are concerned about online privacy and security and are curtailing their activities as a result. The survey revealed 19% of Internet-using households, equaling around 19 million, have been hit by a negative event, including a security breach or identity theft in the 12 months before the July 2015 survey. When asked about online concerns, 84 percent of participants named at least one online security concern, with identity theft cited as the most pressing issue, coming in at 63%. These fears are affecting online habits, the report states, as 45% of households said concerns stopped them from activities such as financial transactions, posting on social media or buying goods or services, with 30 percent saying it stopped them from performing at least two of those actions. [NTIA] [Privacy And Security Concerns Are Keeping Many Americans Offline]

UK – High-Profile Data Breaches Affecting Consumer Trust in Big Brands

A survey of 1,000 UK consumers commissioned by FireEye has revealed that last year’s high-profile data breaches have dented long term consumer trust in major brands. Findings highlighted rising public concerns over a perceived lack of board-level concern for data privacy, with almost three quarters (72%) of consumers stating that they were likely to stop purchasing from a company if a data breach was found to be linked to the boardroom failing to prioritise cyber security. A data breach linked to a lack of board-level attention was deemed less acceptable than if a data breach had occurred as a result of human error – with only 38% of consumers stating that they would be likely to stop purchasing if this was the reason. 29% of consumers said that data breaches had diminished their loyalty as current or potential customers of affected brands, and 38% said that they felt more negatively about companies that suffer data breaches, indicating that consumers are still largely viewing the organisations breached as the parties at fault, rather than victims of cyber crime. In addition to this, over a quarter of consumers (27%) indicated that persistent data breaches have negatively affected their perception of organisations that they buy from in general, indicating that persistent reports of data breaches are not just harming the reputation of affected organisations, but having a wider impact on consumer trust. The findings also reveal the potential long-term financial impact of data breaches on major brands, with 52% of consumers warning they would take legal action against companies if a data breach resulted in their personal details being stolen or used for criminal purposes. 62% of consumers also reported that they will now share fewer personal details with companies, which could hit the revenues of organisations – from social media platforms to search engines – that rely on collecting detailed consumer data for advertisers. [Source]

E-Government

AU – Vic.P.Commish Says Compulsory Census A Bad Precedent

Australian jurisdictions are highlighting privacy and data control this month, but disquiet remains about The Australian Bureau of Statistics’ recent reversal of a longstanding policy and plan for mandatory retention of names and addresses with this year’s national census. Victoria’s privacy chief worries compulsory collection of information for purposes other than law enforcement “could set a really bad precedent”. The census collects a huge array of personal data in one place — a potential honeypot for those involved in identity crime. “One of the privacy principles is data minimisation and that’s contrary to what the census is about, so I have reservations about it,” he says. [Source] [CA— Ex-MP Dean Del Mastro says long-form census may violate right to privacy]

CA – Microsoft Opens Azure Cloud Floodgates for Canadian Businesses

Microsoft has finally made its Azure Cloud services generally available in Canada following a short limited availability experiment in March. To provide Canadian businesses with the satisfaction that their data isn’t leaving the country, all users will be provided cloud services through local datacentre regions located in Toronto and Quebec City. Microsoft has also said that its Office 365 customers will be provided data residency through the local datacentres. “With so much momentum in the cloud, we are thrilled to welcome Bell Canada as the first Canadian telecommunications partner for Azure ExpressRoute,” said Canadian MSFT CEO Janet Kennedy. [Source]

E-Mail

CA – CRTC Fines Company $194,000 for Unsolicited Telemarketing Calls

The Canadian Radio-television and Telecommunications Commission issued a Notice of Violation to Thee Future Web Ltd. for violations of the Unsolicited Telecommunications Rules. The company made calls to individuals registered on the National Do Not Call List, had not registered or subscribed to the Do Not Call List, and did not provide the appropriate information in a clear manner upon reaching the individual. [CRTC – Notice of Violation – Thee Future Web Ltd] See also: [CRTC Fines Company $30,000 For Unsolicited Telemarketing Calls: Notice of Violation – Century 21 Innovative Realty Inc.] and [CRTC Fines Company $65,000 For Unsolicited Telemarketing Calls: Notice of Violation: Right at Home Realty Inc. – PDR 9174-1603]

Electronic Records

SA – South Africa: 32% of Business Not Confident in Cloud Data Security

Despite the many benefits of moving to the cloud, South African businesses are still hesitant to make the transition. There is still much uncertainty about the move and how it will affect business. …Here are five extra reasons why adopting the cloud could work for your business. According to Vodacom Business, 32% of South African businesses are not confident that data is secure when using a cloud service. There are several reasons why wariness of transitioning to the cloud exists such as:

  • Loss of control.
  • Handing the performance of your business over to a 3rd
  • What if the system fails?
  • What position will the business be in if it isn’t able to perform?
  • The fear of operations being affected.
  • Security concerns. [Source]

Encryption

EU – Europol Director: Encryption Affects 75% of Agency’s Cases

Rob Wainwright, director of Europol, says encryption is a major problem in most of the cases the agency handles, Motherboard reports. Wainwright responded to an op-ed written by John Naughton for the Guardian on Twitter, proclaiming how encryption has been plaguing Europol cases. “Encryption dilemma must be solved soon. Real problem in 75% of all Europol cases” Wainwright tweeted. While Wainwright did not elaborate on the types of encryption troubling Europol, Claire Georges, a member from the agency’s corporate communications, said technology such as Tor and bitcoin are part of the problem. “Technology in general is used not only by cybercriminals, but also by drug dealers, child sexual offenders and other criminals involved in different illegal activities. Encryption is commonly used in secure communications and is becoming a standard protection feature in many products, such as e-wallets for virtual currencies,” Georges said. [Full Story]

EU Developments

EU – European Court Advisor: Dynamic IP Addresses Are Personal Data

Dynamic IP addresses are subject to privacy protection rules, the EU Advocate General said in a non-binding opinion. …The opinion, issued by Advocate General Manuel Campos Sánchez-Bordona, is online but has yet to be translated into English. The advocate general’s opinions are non-binding but they typically dictate how the European Court of Justice will rule. [Electronic Privacy Information Center] [CBS] [EU Advocate General Considers “Dynamic IP Addresses” as “Personal Data”: an Extension of Personal Data Scope?]

UK – ICO Issues Guidance for Direct Marketing by Charities & Business

Following a year that saw investigations into direct marketing by charities and a change in the law that led to the UK Information Commissioner’s Office setting record fines for nuisance calls and texts, ICO’s recent update of its guidance on direct marketing comes at a critical time. In light of the new guidance – as well as the new EU data protection regulation and expected review of the e-privacy directive – it’s more important than ever that those involved in direct marketing understand how to apply this complex area of law. Most of the new guidance focusses on helping charities to comply with the law, but it also gives helpful clarification for businesses that do direct marketing: particularly on the issue of what constitutes consent to use data, including ‘indirect’ consent. This article highlights the changes to ICO’s guidance, and what else is on the horizon that might affect how businesses conduct direct marketing. [Source]

Facts & Stats

UK – Survey Finds Brits ‘Confused’ About Security & Privacy Priorities

An F5 survey exploring attitudes to data and security handling found half of UK respondents agree that tech firms should prioritise national security over consumer privacy. Only 26% of Brits agreed that privacy should be prioritised over security. The survey found that two-thirds of respondents were concerned about their privacy being compromised, while 72% had no confidence in social networks to protect their data from hackers effectively. But despite this, more than half were willing to share personal information for free access to a company service. People it seems are willing to share date of birth (53%), marital status (51%) and personal interests (50%) in return for a free service. But almost a third (31%) see no value in giving their personal data to companies. Nearly all consumers (88 percent) feel strongly that organisations should improve authentication for greater security. [Source]

Filtering

WW – Study: Google has denied 75% of RTBF requests

The organization behind the right to be forgotten application site Forget.me, Reputation VIP, has released a new report which found in the two years since Google began accepting RTBF requests, the company has refused 70 to 75 percent of them. Germany and U.K. residents most frequently make RTBF entreaties, the report states. While “invasion of privacy” tops the catalyst for most applications, “Google most frequently denies removal requests that concern professional activity,” the report states. “Following that, Google often denies requests where the individual involved is the source of the content sought to be removed.” [Search Engine Land]

Finance

AU – Database Makes Australian Credit Scores Public

A new credit rating database allows Australians to look up the credit scores of other civilians by address. Dubbed Georisk, the publicly accessible system exists for companies to “keep track” of consumers’ financial history while helping predict customers’ credit worthiness. It then ranks the scores on a risk factor from one to 10. The database has frustrated privacy advocates, the report states. “I think most people are going to feel their privacy is being grossly invaded by public disclosure of this information for anyone who wants to look at it for any purpose whatsoever,” said Civil Liberties NSW’s Stephen Blanks. [Yahoo7 News]

AU – Privacy Issues With Household Credit Ratings Posted Online

Civil libertarians have been left outraged by a public database which shows household credit ratings. It’s information anyone can look up, all that is needed is an address. Credit rating companies keep track of past financial behaviour to predict a person’s credit worthiness. Now companies are able to access a credit risk rating that has been applied to every household in Australia. Georisk aims to measure an individual’s financial risk, by putting consumers in a range from one to ten. The ratings are publicly available to anyone who wants to search it on a computer. Not everyone was pleased to know their information was publicly visible online. However the creators have defended the website, saying they weren’t offering anything that was sensitive to the individual. [Video: Outrage over private household information being released on public database] [Source]

WW – Payday Loan Ads Prohibited on Google

Google will no longer permit “payday loan ads” on its site. The Wednesday announcement is a concession to critics who argue that the lending practices exploit “the poor and vulnerable,” the report states. They pose a privacy concern as well. “You search the Internet when you need help — and as a result you may give search engines some really sensitive information about your finances,” said Georgetown Law Center on Privacy & Technology’s Alvaro Bedoya. He called Google’s decision a “principled stance,” adding that it will set a precedent for other search engines. [Full Story]

WW – Verizon 2016 Report Confirms People Are #1 Source of Data Breaches

Verizon has just published its 2016 Data Breach Investigation Report. In preparation for this publication, Verizon reviewed more than 100,000 incidents (reported by a plethora of technology companies, law firms, government agencies, and insurance companies, as well as through its own investigations), of which 3,141 were confirmed data breaches. The report yielded several interesting trends. Not surprisingly, most data breaches are about money — thieves stealing data because of its value. 63% of confirmed data breaches involved leveraging weak, default, or stolen passwords, proving that data thieves will exploit vulnerabilities to take the easiest route. Phishing continues to trend upward. People seemingly just can’t help clicking on authentic-sounding “click here to reset your banking password” e-mails. For example, Verizon found 30% of phishing messages were opened, unfortunately an increase from 23% in 2014. 12% then proceeded to open the malicious attachment or click the link, no doubt to their peril. Overall, 95% of breaches, and 86% of incidents across all industries, predictably fell into nine identified patterns:

  • miscellaneous errors (17.7%),
  • insider and privilege misuse (16.3%),
  • physical theft and loss (15.1%),
  • denial of service (15%),
  • crimeware (12.4%),
  • web app attacks (8.3%),
  • point-of-sale intrusions (0.8%),
  • cyber-espionage (0.4%),
  • and payment card skimmers (0.2%).
  • the bucket “everything else” category covered 13.8%.

Interestingly, many of the data breaches reported were not caused by super-secret and sophisticated Mission Impossible-style attacks involving hacking or the wearing of black ninja gear while scaling walls. Instead, many breaches fall into what I think of as the “people are people” category — highlighting human greed/avarice and our basic capacity to make dumb mistakes. [Source]

FOI

CA – Court Rules Severance Payment Information Is Exempted from Disclosure Under New Brunswick FOI Legislation

The Court considered an appeal of the Access to Information and Privacy Commissioner’s decision recommending St. Thomas University release information requested under New Brunswick’s Right to Information and Protection of Privacy Act. The Court ruled that, contrary to the Privacy Commissioner’s recommendation, an organization does not have to disclose severance payment information to a requester; such information is neither a “benefit” (it does not bestow an advantage or betterment on a recipient) nor “discretionary” (it is made only to avoid or settle litigation). [Elizabeth Hans v. St. Thomas University – 2016 NBQB 049 – In the Court of Queen’s Bench of New Brunswick, Trial Division, Judicial District of Fredericton]

CA – Information Commissioner Opposes Government Veto Power Over Releasing Files

Information Commissioner Suzanne Legault says giving the government a veto over the release of files would turn her federal watchdog role into “a mirage.” Legault told a Commons committee studying reform of the Access to Information Act that she firmly opposes the idea of a ministerial trump card over proposed new order-making powers for her office. The Liberals promised the information commissioner could issue “binding orders” during last year’s election campaign. …[Now] the Liberal government is floating the notion of a veto that would give the federal cabinet power to block release of documents even if [Information Commissioner] Legault ordered disclosure. [Source]

WW – The Intercept Is Broadening Access to the Snowden Archive

The Intercept has announced two innovations in how they report on and publish the Snowden Archives. Both measures are designed to ensure that reporting on the archive continues in as expeditious and informative a manner as possible, in accordance with the agreements we entered into with our source about how these materials would be disclosed, a framework that he, and we, have publicly described on numerous occasions. The first measure involves the publication of large batches of documents. We are, beginning today, publishing in installments the NSA’s internal SIDtoday newsletters, which span more than a decade beginning after 9/11. We are starting with the oldest SIDtoday articles, from 2003, and working our way through the most recent in our archive, from 2012. Our first release today contains 166 documents, all from 2003, and we will periodically release batches until we have made public the entire set. The documents are available on a special section of The Intercept. Accompanying the release of these documents are summaries of the content of each, along with a story about NSA’s role in Guantánamo interrogations, a lengthy roundup of other intriguing information gleaned from these files, and a profile of SIDtoday. We encourage other journalists, researchers, and interested parties to comb through these documents, along with future published batches, to find additional material of interest. Others may well find stories, or clues that lead to stories, that we did not. (To contact us about such finds, see the instructions here.) A primary objective of these batch releases is to make that kind of exploration possible. 
Consistent with the requirements of our agreement with our source, our editors and reporters have carefully examined each document, redacted names of low-level functionaries and other information that could impose serious harm on innocent individuals, and given the NSA an opportunity to comment on the documents to be published (the NSA’s comments resulted in no redactions other than two names of relatively low-level employees that we agreed, consistent with our long-standing policy, to redact). Further information about how we prepared the documents for publication is available in a separate article. We believe these releases will enhance public understanding of these extremely powerful and secretive surveillance agencies. [Source]

US – Appeals Court: DPPA Doesn’t Cover Traffic Accident Reports

A Wisconsin state appeals court has ruled that the Driver’s Privacy Protection Act doesn’t require law enforcement agencies looking to comply with open records laws to redact names from accident reports. DPPA in fact includes an exception for unredacted, non-Department of Motor Vehicles-supplied accident reports. The ruling came as a relief to Wisconsin officials who had “begun blacking out drivers’ names and other information that normally would be public in accident reports” for fear of DPPA violations, the report states. The court did, however, encourage a state circuit court to decide if the unredacted traffic accident information served a purpose beyond compliance, the report adds. [FierceGovernmentIT]

Genetics

US – Vanderbilt Receives $4M to Study Genetic Data Privacy

The National Institutes of Health awarded researchers at the Vanderbilt University School of Medicine a $4 million, four-year grant to study the privacy ramifications surrounding genomic data use. “We’re really broadening our horizons to think about how history and public opinion and literature affect the way individuals and communities think about privacy concerns,” said primary investigator Ellen Wright Clayton. “Ultimately, the goal is to develop policy recommendations that address the complexity of what’s at stake.” Johns Hopkins University, University of Utah, and University of Oklahoma also received similar grants, the report states. [EurekAlert!]

Health / Medical

CA – OIPC SK Releases Comprehensive Guidance for Health Information Protection Act

The OIPC SK has provided trustees with guidance to interpret The Health Information Protection Act, including:

  • guidance on when to disclose personal health information to family and friends;
  • guidance on de-identified PHI;
  • guidance on faxing PHI;
  • recommended safeguards;
  • best practices for data sharing agreements; and
  • privacy breach guidelines.

The guidance includes circumstances under which PHI may be disclosed to family/friends, de-identification of PHI (including an explanatory list of techniques), considerations for data sharing agreements with providers, recommended security measures (including faxing considerations), and a 4-step privacy breach process. [OIPC SK – IPC Guide to HIPA]

WW – Providers Seek Cloud Solutions for Healthcare Data Security

Healthcare data security has become a top priority for IT professionals when it comes to investing in cloud applications in 2016, reported the survey. In the 2014 survey, only 31.3% of survey participants stated that their organization planned on investing in cloud solutions for disaster recovery purposes, which often includes healthcare data security measures. Researchers also found that respondents were implementing cloud services to develop more comprehensive incident recovery plans. When participants were asked to assess the motivation factor from 1 (least motivating) to 7 (highly motivating), healthcare data security response was evaluated at 5.11. [Source]

WW – Healthcare Suffers Estimated $6.2 Billion in Data Breaches

Nearly 90 percent of healthcare organizations were slammed by a breach in the past two years. …The most commonly exposed data in healthcare breaches are medical records, followed by billing and insurance records, and payment information. Some 64% of attacks targeted medical files and billing and insurance records, up from 45%. Nearly 40% of healthcare organizations and 26% of their business partners say they know of medical identity theft incidents affecting their patients and customers, but 64% of healthcare organizations don’t offer credit protection services for victims, and 67% of business partners don’t have procedures in place to correct errors in medical records—a gap that could be life-threatening in the case of an identity thief using a patient’s medical information for fraudulent purposes, the Ponemon report notes. [Source] [Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data by the Ponemon Institute]

Study: 90% of Health Care Organizations Suffered Data Breach

A Ponemon Institute report found nearly 90% of health care organizations suffered at least one data breach during the past two years, costing the industry $6.2 billion, InformationWeek reports. Ponemon’s “Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data” discovered 79% of those organizations suffered two or more breaches, with 45% saying they had been hit by more than five breaches. With most of the breaches exposing less than 500 records, the incidents are not reported to the Department of Health and Human Services. The report also discovered health care budgets for security have either dropped, or remained the same during the past year. In related news, Vormetric released a study revealing 90% of security pros in the financial sector feel vulnerable to data threats, with 44 percent already experiencing a breach. [Full Story] [The Star reports on the first person ever charged under Ontario’s new health care privacy law.]

US – World Privacy Forum Questions Adequacy of PMI Privacy Principles

The World Privacy Forum says privacy principles set forth for the Precision Medicine Initiative “lack detail and fail to address underlying legal requirements and protections.” In a research paper published this week, the organization notes that the HIPAA Privacy Rule will not apply to the research, and that the principles “appear to be voluntary and lack important legal and administrative details.” The current privacy principles in place for the initiative were created by the White House with help from experts working both inside and outside the government. They include categories such as transparency to participants and the public; respect for participant preferences; and appropriate data sharing, access and use. In the paper, WPF outlines its privacy concerns for the PMI and identifies issues that should be addressed. Some recommendations the authors make include:

  • The structure and organization of the initiative must be detailed so privacy protections can be assessed, and participants must know who will maintain their data.
  • Uses and disclosures of the data for security and law enforcement purposes should be clarified.
  • There is “immediate need” for a Privacy Impact Assessment, which then should be open for public comment.
  • Privacy rules should be described as covering health records, administrative records and monitoring from health devices and mHealth tools. [Source]

Horror Stories

WW – LinkedIn Resets Passwords as 117M Logins for Sale on Dark Web

LinkedIn has confirmed a significant breach from 2012 was worse than first thought, with the number of leaked usernames and passwords rising from 6.5 million to a purported 117 million. Earlier this week, fresh LinkedIn credentials went on sale on a dark web market known as The Real Deal. 117 million LinkedIn usernames and passwords will cost 5 Bitcoins, worth approximately $2,200. LinkedIn is in the process of resetting user passwords for every member who joined before 2012 who had not changed their password since the previously-reported breach. It confirmed the action in a blog post, in which it added: “We have demanded that parties cease making stolen password data available and will evaluate potential legal action if they fail to comply. In the meantime, we are using automated tools to attempt to identify and block any suspicious activity that might occur on affected accounts.” [Forbes]

Identity Issues

US – Firms Suffering Data Breaches Can Tap Free Customer Fraud Protection

Organizations that suffer data breaches may now be able to offer free fraud protection to their customers through a new program announced this week. Austin, Texas-based data security and analytics company XOR Data Exchange has launched a new platform, the Compromised Identity Exchange, which “aims to protect U.S. consumers, businesses and government entities from data breach-related identity theft and fraud.” Participation in the exchange is free to organizations that have suffered a data breach of personally identifiable information in order to drive widespread protection for breach victims. According to the firm, The Compromised Identity Exchange synthesizes breached records with ongoing fraud analysis to offer banks, financial lenders and other service providers “unprecedented insight into which of their accounts and applications carry a higher risk of fraud related to one or more data breaches.” It does this without the need for ongoing data sharing from breached entities, the firm stressed. [Source]

US – Stanford Study: Basic Phone Logs Can Reveal Your Intimate Details

Following Edward Snowden’s revelations about surveillance, officials have downplayed its programs as being concerned not with the actual content of email or phone calls, but “just” with collecting metadata, as if metadata didn’t reveal just about as much about us as does the content itself. Metadata, when it comes to phone communications, includes who we call or text, who they contact (that’s called a “hop”), when we call or text, and the duration of each call or length of each message. Since the surveillance revelations, there have been various studies about how much can be gleaned about us from metadata. The answer: a lot. Now, researchers at Stanford University in the US have done another study, and their findings confirm that basic, supposedly anonymous phone logs can be used to glean people’s names, where they live, their partners’ names, and intimate personal details. A sample of the researchers’ vignettes shows the type of things they managed to infer:

  • Somebody’s planning to grow weed. Within less than 3 weeks, the subject made calls to a hardware outlet, locksmiths, a hydroponics store, and a head shop.
  • Somebody’s got heart problems. The evidence included a long call from the cardiology group at a regional medical center, brief calls with a medical laboratory, several short calls from a local drugstore, and brief calls to a self-reporting hotline for a cardiac arrhythmia monitoring device.
  • Somebody’s pregnant. Early one morning, the subject was on the phone with her sister for a long time. Two days later, she called a nearby Planned Parenthood clinic several times. Two weeks later, she placed more brief calls to Planned Parenthood, and she placed another short call a month after.

The study involved 823 participants who volunteered to have their metadata collected via an Android app on their phones. The researchers also required participants to have a Facebook account, so as to verify that they were over the age of 18, as well as to verify the accuracy of their results. [Naked Security] [TechCrunch] [“Evaluating the privacy properties of telephone metadata”]

US – Feds & States Continue to Expose SSNs on Mailed Documents

Americans Collecting Disability and Unemployment are at Risk of Identity Theft. Members of the FTC and consumer groups criticized the Employment Development Department’s (EDD) practice of using the numbers as identifiers on mailed documents and state lawmakers from both sides of the aisle demanded the EDD make changes. The coverage ultimately shamed the EDD into doing what it had long insisted was impossible. Three months after our first report, the agency began redacting social security numbers on the most commonly mailed documents. However, now we’ve discovered the EDD is still printing the number on many other mailed documents, including those sent to claimants collecting disability. The EDD is not alone in mailing sensitive information. ConsumerWatch reached out to every state in the nation and only 8 of the 42 states that responded say they redact Social Security numbers on all mailed documents. Like California, 17 admit they still mail the full number on documents to both claimants and employers. Another 17 states say they only print the full SSN on documents mailed to employers. However, that is just as concerning for many who don’t trust that their former employers will take the same care that they would to properly dispose of the documents. [Source]

Intellectual Property

CA – Ann Cavoukian Launches Global Council on PbD Standards

Ann Cavoukian, former Ontario, Canada information and privacy commissioner, will form a new international council to advocate and set standards for privacy by design. The International Council on Global Privacy and Security: By Design will work with companies, national privacy commissioners and technology professionals to educate the public and raise awareness for privacy by design. Cavoukian set out three goals for the council:

  • educate politicians, businesses, government, media and the public that systems can and must be engineered to protect both privacy and security;
  • create policy templates that can show how privacy can be applied to technologies in the digital age; and
  • foster technology innovation in academic institutions around the world to foster privacy and public safety, as well as privacy and business interests, such as big data and data analytics, without sacrificing either privacy or security. [Source]

Internet / WWW

WW – Study: Facebook, Google own top-used third parties

Google and Facebook-owned third parties are among the top-used on the Internet’s most-viewed sites, a new study from the Princeton Web Census shows. “Google owns seven of the 10 most loaded third-party domains,” the report states, adding Google Analytics was by far the most popular. “The remaining three are all owned by Facebook.” While the study found the number of third parties a typical Internet user would engage with is “relatively small,” news websites are among those with the highest number of trackers. “Since many of these sites provide articles for free and lack an external funding source [these sites] are pressured to monetize page views with significantly more advertising,” the study states. [Full Story]

Law Enforcement

US – National Institute of Justice to Review Body Worn Cameras, Seeks Input

The National Institute of Justice (“NIJ”) is soliciting information in support of the upcoming National Criminal Justice Technology Research, Test, and Evaluation Center (NIJ RT&E Center) “Market Survey of Body Worn Camera (BWC) Technologies”; input is due May 31, 2016. [Source]

Location

WW – Study: Just 8 Tweets Can Reveal Precise Location

MIT and Oxford University researchers say with just eight tweets, “a relatively low-tech snooper” can deduce a user’s whereabouts using location stamps. A paper presented by researchers Ilaria Liccardi, Alfie Abdul-Rahman and Min Chen at a recent conference says while Twitter’s location notation is opt-in, many users reportedly engage the services. “With this study, what we wanted to show is that when you send location data as a secondary piece of information, it is extremely simple for people with very little technical knowledge to find out where you work or live,” Liccardi said. Their work was a part of MIT’s Internet Policy Research Initiative, a program geared toward increasing social media privacy awareness. [MIT News]

Online Privacy

WW – Researchers Publish Information on Nearly 70,000 OkCupid Users

Nearly 70,000 OkCupid users had their data published by researchers, including their usernames, location, sexual turn-ons and sexual orientation. Two Danish researchers, Emil O. W. Kirkegaard and Julius D. Bjerrekær, collected the data from the dating website using a scraper, a tool saving certain segments of a Web page. The scraper targeted random profiles who had answered numerous OkCupid multiple-choice questions. While the researchers’ actions were legal, criticism has been levied at the project. Scott B. Weingart, digital humanities specialist at Carnegie Mellon University, said in a tweet he could use the information to re-identify the actual identities of OkCupid users. Weingart claimed he could with 90 percent accuracy connect sexual preferences and histories to real names of over 10,000 of the OkCupid users. [MotherBoard]

WW – OKCupid Study Raises New Questions About ‘Public’ Data

When you sign up for a dating website, you are making your information available for other users to see. But does that mean your information is “public”? Experts are now mulling this question after a group of researchers released a data set of nearly 70,000 users from the online dating site OkCupid. The researchers used a “scraper,” or a browser extension designed to collect data from web pages, to collect the data. In other words, they collected the data without OkCupid’s permission, breaking the site’s terms of usage and the Computer Fraud and Abuse Act. The data was uploaded on Open Science Framework, an online forum that encourages researchers to share data for easy collaborations, but it has since been removed. The scraped data revealed many user details including name, age, gender, religion, and detailed information about users’ habits and preferences. When asked whether the researchers took measures to anonymize the data, Mr. Kirkegaard, the lead researcher responded, “No. Data is already public… All the data found in the dataset are or were already publicly available, so releasing this dataset merely presents it in a more useful form.” But even if the data is available to other users, should it be shared publicly? Some experts don’t think so. While OkCupid lets registered users view profiles of other users on the site, that doesn’t justify anyone releasing this information to the public, they say. In this case, the researchers breached the ethics of Social Science Research, which requires researchers to obtain consent from subjects as well as ensure that researchers are maintaining confidentiality before they can publicly share personal information. The OkCupid profiles include very personal information on everything from political views to sexual habits. OkCupid asks its users hundreds of questions to help its algorithm generate better matches. 
Though the researchers didn’t release real names with the data, just profile user names, that is not considered maintaining confidentiality, say experts. One Twitter user claimed that he could link some bits of data to actual names of more than 10,000 users on OkCupid. [The Christian Science Monitor] See also: [OkCupid Study Reveals the Perils of Big-Data Science]

WW – Study: 16% of Apps Access Info Sans Consent

Deloitte published its annual privacy index 10 May, which found that of 88 brands’ apps, from various industries in Australia, 16% accessed users’ phone data without notifying them. The surveyed brands were not named, although Deloitte’s Tommy Viljoenhen called them among “the most trusted.” He added, “What’s happening with the brands we don’t know about? As consumers, are we even aware of the extent to which information is being collected without our knowledge?” [Mashable]

Other Jurisdictions

US – Report: Schools ‘Soft Targets’ for Data Collection

A new report details how schools are “soft targets” for companies looking to obtain data and market to children. “Learning to be Watched: Surveillance Culture at School,” from the National Center for Education Policy at the University of Colorado at Boulder, discusses how student privacy has been compromised by organizations creating relationships with schools, often through free technology. The report also discusses how laws created to protect student privacy, including the Children’s Online Privacy Protection Act, have major weaknesses. “Schools have proven to be a soft target for data gathering and marketing. Not only are they eager to adopt technology that promises better learning, but their lack of resources makes them susceptible to offers of free technology, free programs and activities, free educational materials, and help with fundraising,” the report said. [The Washington Post]

Privacy (US)

US – SCOTUS on Spokeo: Life Just Got Harder for Class-Action Lawyers As Court Rejects ‘No-Injury’ Cases

Plaintiff lawyers who have built a lucrative business over the past few decades suing companies over minor legal breaches that arguably harmed no one may have a tougher time bringing cases following the U.S. Supreme Court’s decision in Spokeo v. Robins, requiring plaintiffs to plead a “concrete” injury to proceed in federal court. The decision wasn’t a complete win for corporate defendants as the court left plenty of room for creative lawyers to craft complaints that allege their clients suffered an injury, no matter how small, from miscues like data breaches or incorrectly worded mortgage documents. But by stating clearly that some injury is required under Article III of the Constitution, the court may have ended the long-profitable business of suing companies over nothing more than statutory damages provided under laws like the anti-robocalling Telephone Consumer Protection Act. Spokeo was sued by Thomas Robins, who claimed the online information site inflated his education credentials and made other errors that may have caused him to have a harder time finding a job. I say “may have,” since it is extremely unlikely any potential employers actually looked at his entry on Spokeo and Robins didn’t provide any evidence supporting the idea he was harmed. [Forbes] See also: [Brace for more class action challenges post-Spokeo]

US – EFF Releases Annual Report

The Electronic Frontier Foundation released its 2015 annual report, covering all of the work the organization has achieved during the past year. The group celebrated more than 500,000 installations of its Privacy Badger browser extension and the two-millionth certificate of its Let’s Encrypt service. The EFF also touted major activism and law efforts it has completed in the past year. “We fight to make sure people have access to the speech platforms and privacy tools that help them take control of their world,” said EFF Executive Director Cindy Cohn, adding, “Based in part on our near decade of activism and legal work, Congress also passed the USA Freedom Act, the first real restrictions and oversight imposed on the NSA’s surveillance powers since 1978.” [Full Story]

US – Other Privacy News

Privacy Enhancing Technologies (PETs)

WW – Acronis Applying Blockchain to Data Protection Problems

Acronis has announced a new strategic initiative to develop applications of Blockchain technology for data protection. The company announced the initiative at its 2016 VIP Partner Summit held in Singapore this week. Acronis is taking a unique and targeted approach at how Blockchain can be used to solve specific data protection problems by seeking and developing use cases that exist today. Data and transactions that are protected from tampering by Blockchain can be used for those use cases where individuals or businesses absolutely must maintain the integrity of the original information. [Source] See also: [IBM Touts Blockchain to National Cyber Security Commission]

Security

WW – Almost Half of Companies Don’t Teach Staff Data Security

44% of companies do not think it should be compulsory for staff to be trained around data security, even though they have formal data protection processes in place. This is despite the security firm finding more than 22% of IT professionals have shared confidential information using an unsecure file sharing platform such as Google Drive, OneDrive or Dropbox, while 10% said they have shared data with people outside the company. Employees are also no strangers to data loss. 13% of the 2,000 IT professionals questioned admitted they have lost data while at work and 5% said they have experienced a data breach. Egnyte also explained that 14% of staff had opened an unsecure link that had been sent to their work email and 12% had used a public Wi-Fi network to work on confidential documents. “File sharing technology is sound from a security perspective… The root cause of mishaps is simply lack of awareness. With conscious effort to educate end users, enterprises can secure their data at little real cost. “Additional measures as simple as creating a checklist of content protection recommendations and making it readily available to employees, or integrating content management best practices into onboarding, can move the needle.” [Source]

Surveillance

US – Privacy Groups, Industry Agree to Best Practices for Drone Use

Stakeholders taking part in the National Telecommunications & Information Administration Multi-Stakeholder process have agreed to a set of best practices for drones. The practices are designed to provide flexibility for drone use, especially for smaller operators, while providing strong privacy standards. Groups agreeing to the practices include Amazon, the Software & Information Industry Association, and the Consumer Technology Association. “These standards will help ensure these technologies are deployed with privacy in mind,” said Future of Privacy Forum CEO Jules Polonetsky. In a blog post, Center for Democracy & Technology Vice President of Policy Chris Calabrese said, “As the nascent drone industry is starting to take-off, adopting these best practices will help ensure that drones fly safely, ethically and respectfully.” [FPF]

US – CDT, Fitbit Collaborate On Best R&D Privacy Practices for Wearables

The Center for Democracy & Technology joined forces with Fitbit to release a report detailing the best privacy practices for research and development teams working in wearable technologies. Together with Fitbit, the CDT conducted interviews, surveys and other research to assess industry trends and best practices. “R&D teams in wearable technology can and should also be laboratories of privacy and ethical research best practices,” wrote CDT and Fitbit. The paper also offers “practical guidance on privacy-protective and ethical internal research procedures at wearable technology companies,” they add. Other key takeaways include the need for a culture of privacy, security and ethics in R&D, successful management of many different forms of trust with consumers, and the need for policies and procedures for handling ethical questions on R&D teams. [Full Story]

Telecom / TV

US – Tracking Apps Raise Security, Privacy and Legality Questions: GAO

Tracking apps can be useful in a variety of ways, such as letting consenting spouses know each other’s locations. However, location data from mobile devices can be highly personal … “GAO found that some federal laws apply or potentially apply to smartphone tracking apps, particularly those that surreptitiously intercept communications such as e-mails or texts, but may not apply to some instances involving surreptitiously tracking location. Statutes that may be applicable to surreptitious tracking apps, depending on the circumstances of their sale or use, are statutes related to wiretapping, unfair or deceptive trade practices, computer fraud, and stalking. [Experts the GAO interviewed] also expressed concerns over what they perceived to be limited enforcement of laws related to tracking apps and stalking,” the GAO stated. [Network World]

US Legislation

US – Legislative Roundup

Workplace Privacy

US – FTC Releases FCRA Guidance

The FTC has published new guidance to assist employment background checking agencies with Fair Credit Reporting Act compliance, the agency announced in a statement. The guidance is primarily concerned with showing companies what work would qualify them as a consumer reporting agency and, given that, what their legal obligations may be. [FTC]

US – Social Media Posts Now Fair Game for Security-Clearance Applications

Director of National Intelligence James Clapper released a policy May 13 that confirms federal agencies will begin using public information from social media sites when looking at security clearance applications. Information the government finds irrelevant will be deleted from their servers, the report states. Some lawmakers expressed concern. “How do we flag the serious from the trivia?” asked Rep. Gerry Connolly, D-Va. “How do we make sure we don’t have some enormous depository of government information” that is held? [The Washington Post]

US – Workplace Monitoring Gets Easier Under New Law

“Companies that monitor their employees’ emails or Internet activity now have new protections from potential allegations of wiretap violations: Under the Cybersecurity Act of 2015, companies enjoy liability protection for the monitoring of their information systems for ‘cybersecurity purposes.’” “The act’s inclusion of liability protections for cybersecurity activities to safeguard the confidentiality of information suggests that monitoring in order to protect trade secrets and intellectual property could receive liability relief in addition to monitoring for general network security.” [Full Story]

CA – Suncor Wins Legal Round for Random Oilsands Drug Testing

A Court of Queen’s Bench judge has quashed a 2014 arbitration panel ruling that determined the proposed testing plan would violate the privacy of union workers represented by Unifor. Justice Blair Nixon said the panel should have considered evidence about alcohol and drug incidents involving all workers at Suncor, including non-union contract employees. “By focusing only on the bargaining unit, the majority (of the panel) expressly excluded consideration of relevant evidence,” Nixon wrote. “The majority ignored evidence pertaining to some two-thirds of the individuals working in the oilsands operation.” [Source]

+++

 

7-11 May 2016

Biometrics

US – Federal Judge Says Facebook Photo-Tagging Suit Can Continue

A San Francisco federal judge is allowing a case against Facebook’s facial recognition, photo-tagging feature to proceed. Plaintiffs have argued the feature violates users’ privacy, as the facial recognition technology goes against Illinois’ Biometric Information Privacy Act, which requires companies to obtain explicit consent from users before gathering biometric data. While Facebook argued the feature is covered in its terms of service, and that the suit should be dismissed, U.S. District Judge James Donato disagreed. “Trying to cabin this purpose within a specific in-person data collection technique has no support in the words and structure of the statute, and is antithetical to its broad purpose of protecting privacy in the face of emerging biometric technology,” Donato wrote in his ruling. [USA Today] See also: [Facial-recognition tech used for anti-theft initiatives] and [Italy’s Data Protection Authority has mandated that Facebook disclose details of an instance of trolling in a case where the user claims the social network responded unsatisfactorily, International Business Times reports]

EU – EU Proposes Minority Report-Style Facial Recognition for Refugees 

In its attempts to bring the refugee crisis to heel, the European Commission wants to expand its fingerprint database, introduce facial recognition software, store the information for even longer than before and include minors in the process. The EU is planning wholesale changes to the bloc’s asylum law. In addition to a “fairer” distribution system for refugees and an extension of border controls within the Schengen area, the Eurodac fingerprint database, which is currently used to identify asylum seekers and irregular migrants, is to be enlarged. The system is set to be supplemented with facial recognition software and personal data will be stored for a longer period of time, with the aim of ensuring that irregular migrants stay on the authorities’ radar; the information of underage refugees will also be kept. The upgrade will cost some €30 million. [Source]

US – Illinois Anger Over Elementary School Student Thumbprint Scanner

Privacy advocates are concerned about what looks to them like Big Brother overreach in an Illinois elementary school. The Harrison Street Elementary School in Geneva has installed a new thumbprint scanner for students to pay for their meals and keep track of their accounts. The thumb scanners replaced another biometric device by PushCoin Inc. that the school used last year. These types of devices are growing in popularity and other districts are looking to implement the scanners. But not everyone thinks they are a good idea. Parents are able to opt out and use a card if they want to. [Source] [Daily Herald]

Canada

CA – OIPC SK Releases Guidance Regarding Access to Personal Information of a Child Under the Age of 18

The Office of the Saskatchewan Information and Privacy Commissioner has released guidance relating to obtaining personal information of a child under the age of 18 years. Included is a list of common questions and responses. Unless otherwise ordered by a Court or a custodial agreement, the Children’s Law Act, FOIP, LA FOIP and HIPA confer the right or power of a legal custodian to request access to personal information of a child under the age of 18; trustees need to exercise discretion when determining if the disclosure is reasonable or will constitute an invasion of the child’s privacy, such as when the child expresses they don’t want a parent to know or if the information is highly sensitive. [Office of the Saskatchewan Information and Privacy Commissioner – Who Signs for a Child?]

Consumer

NZ – Privacy Commissioner Survey Finds Privacy a Major Concern

New Zealanders are becoming increasingly worried about their privacy, according to a new survey. In the new UMR public opinion survey, commissioned by the Privacy Commissioner, 46% of the 751 people questioned said they were growing more worried about individual privacy, and their online information in particular. That is especially the case for young people and those with a university education. Privacy Commissioner John Edwards said there was a high level of concern about identity theft as well as financial and health information. About 80% of those surveyed were worried about identity theft and their credit card and banking details being stolen. Nearly all respondents – 87% – were concerned about the personal information children upload to the internet. The survey also found that 62% felt personal data should not be shared between government organisations, as the risk to people’s privacy and security outweighed the benefits. But they were more open to data sharing when safeguards were put in place, with a small majority willing to share data as long as they could opt out if they chose, or if there were strict controls on who could access the data and how it was used. [Source] [Survey]

WW – Snowden’s Surveillance Leaks Made People Less Likely to Read About Surveillance

A new Oxford University study has published empirical evidence showing that government mass surveillance programs like those exposed by Edward Snowden make us significantly less likely to read about surveillance and other national security-related topics online. The study looks at Wikipedia traffic before and after Snowden’s surveillance revelations to offer some new insight into the phenomenon of “chilling effects,” which privacy advocates frequently cite as a damaging consequence of unchecked government surveillance. What it found is that traffic on “privacy-sensitive” articles dropped significantly following what author Jon Penney describes as an “exogenous shock” caused by revelations of the NSA’s mass surveillance programs and the resulting media coverage. The articles were chosen based on keywords from a list of terms flagged by the Department of Homeland Security, used for monitoring social media for terrorism and “suspicious” activity. For example, Wikipedia articles containing the 48 terrorism-related terms the DHS identified—including “al-Qaeda,” “carbomb” and “Taliban”—saw their traffic drop by 20%. The results also mirror a similar MIT study from last year which found that users were less likely to run Google searches containing privacy and national security-related terms that might make them suspicious in the eyes of the government. Perhaps even more alarmingly, the study seems to show a long-term drop in article views on these topics that lasts well past the initial shock of Snowden’s revelations, suggesting that people’s calculations about what to read on Wikipedia may have been permanently affected. [Source]

Encryption

US – Former Officer Is Jailed Months Without Charges, Over Encrypted Drives  

A former police sergeant has been held without charges in a federal detention cell in Philadelphia, part of an effort by the authorities to pressure him to decrypt two computer hard drives believed to contain child pornography. The case reveals yet another battle line for law enforcement and digital privacy advocates over encryption, this time on an Apple computer, not an iPhone. The sergeant, Francis Rawls, was ordered by a federal court last August to hand over the two hard drives, which were seized from his home because they were suspected to contain the illegal pornography. When he refused to decrypt the drives, claiming he could not remember the passwords, he was taken into custody, and this week he started his eighth month in a federal detention center, all without ever being charged with a crime. Mr. Rawls’s case is the latest in a growing number of legal battles over digital privacy in the United States. The challenges are playing out in courts across the country, propelling a national debate over when the government can compel individuals or companies to disclose codes or passwords giving access to private data. “Not only is he presently being held without charges, but he has never in his life been charged with a crime,” Keith M. Donoghue, his federal public defender, wrote in a motion last week seeking his client’s release. [Source]

EU Developments

EU – GDPR, Directive 2016/680, PNR Officially Published

It’s finally final for three separate pieces of privacy legislation in the EU. On 4 May, the Official Journal of the European Union published the texts of the General Data Protection Regulation, officially Regulation 2016/679; Directive 2016/680, governing the handling of data in law enforcement situations; and the Passenger Name Record Directive, officially Directive 2016/681. This creates something of a countdown clock for privacy professionals. As the GDPR goes into effect two years and 20 days following its publication in the Official Journal, 25 May 2018 takes on new portent. [Lex-Europea] See also: [The European Parliament is struggling to set a date for a plenary vote on the EU-U.S. Privacy Shield] [The US Supreme Court has updated Rule 41, allowing federal judges to issue warrants for computers outside of their jurisdiction, potentially threatening the EU-U.S. Privacy Shield.]

UK – Employers Vicariously Liable for Data Breaches Caused by Rogue Employees

In April 2016, the High Court of England and Wales issued its judgment in Axon v Ministry of Defence [2016] EWHC 787 (QB). The court emphasised (albeit obiter) the fact that employers can be liable for data breaches caused by rogue employees (in the present case, an employee who had passed on certain information to journalists without the permission of her employer). The impact of this decision on employers is potentially significant, and it serves as another reminder to employers to implement proper data protection processes and procedures, and to ensure that employees receive appropriate training on these issues. [Source] [PDF]

EU – CJEU to Rule on Test Data Case

The Supreme Court of Ireland has asked the Court of Justice of the European Union to decide whether a man’s accounting exam is considered personal data under the Data Protection Act. After being denied access to his test by both his school and the Data Protection Commissioner, plaintiff Peter Nowak argued in the Circuit Court and then appealed to the High Court that his handwritten test qualified as biometric, and therefore personal data, the report states. He further argued that as exam results are “considered personal,” the test and exam comments ought to be too. [Independent]

Facts & Stats

WW – UNCTAD Publishes Report on Data Flows, International Trade

Late last month, the United Nations Conference on Trade and Development released a new study on privacy law, trans-border data flow and their implications on international trade and development. The in-depth and substantive report also places a focus on developing nations. “The study reviews the current landscape and analyzes possible options for making data protection policies internationally more compatible,” the report states. Contributors to the report include international organizations, government bodies, the private sector and civil society. “The findings of the study should help to inform the much needed multi-stakeholder dialogue on how to enhance international compatibility in the protection of data and privacy,” the report adds. [UNCTAD]

FOI

CA – BC Makes Changes to Freedom of Information Law

B.C. cabinet’s travel receipts, calendars to automatically be made public: Finance Minister Mike de Jong has issued a rare order under B.C.’s Freedom of Information law to ensure that travel receipts and daily calendars for cabinet ministers and their senior officials are automatically made public. The change was part of a series of directives issued by Mr. de Jong to respond to criticism that his government has deliberately thwarted the release of information to the public through the practice of triple-deleting e-mails within government and relying on oral reports to avoid the creation of documents that could be accessed. Vincent Gogolek, executive director of the BC FIPA, said Mr. de Jong’s changes are both minimal and long overdue. “They are not doing nothing, but they are doing the least possible.” Mr. Gogolek predicted one of Mr. de Jong’s new initiatives will be counterproductive. Starting this month, the government will publish all active access-to-information (FOI) requests, a measure that Mr. de Jong said will provide more transparency on government response times. However, Mr. Gogolek said the change could discourage access requests. “This is exposing FOI requesters. The privacy commissioner has asked for anonymity for those making information requests, and this seems to be going in the opposite direction.” [Source]

CA – B.C. Privacy Commissioner Mainly Positive Toward New FOI Policies

British Columbia’s Information and Privacy Commissioner is praising the province’s expansion of its Access-to-Information policies, but she’s also concerned about the potential “unintended consequences” of a decision to post information requests as they are received. Elizabeth Denham issued a statement on Tuesday that offered a largely positive assessment of the changes, which were announced a day earlier, but singled out the disclosure of Freedom-of-Information (FOI) requests as a potential concern. “I wish to examine all possible implications, including any unintended consequences, of publicly disclosing a description of an applicant’s request for records before they have received those records,” Ms. Denham said in her statement. [Source]

CA – OIPC BC Finds Ministry Properly Withheld Information Relating to Tolling Framework

The OIPC BC reconsidered Order F14-20, pursuant to a court order, where the Ministry of Transportation and Infrastructure refused to disclose information requested under the Freedom of Information and Protection of Privacy Act. Disclosure of the information would reveal the substance of the Ministry’s deliberations because it contained financial implications of the framework, and a presentation that formed the basis of the Priorities and Planning Committee’s deliberations; although the decision to impose a toll was made public and implemented, the information should not be disclosed because it related directly to the issues the Committee considered. OIPC BC – Order F16-22 – Ministry of Transportation and Infrastructure [Re-consideration Order – F16-22] [Original Order – F14-20]

US – ODNI Releases Documents as Part of FOIA Pilot Program

The US Office of the Director of National Intelligence released several documents as part of a pilot program with the Freedom of Information Act. The ODNI is one of seven federal agencies contributing to the program, with the goal of making FOIA record requests available to the public. During the program, the ODNI will announce the release of “proactive disclosures.” The first group of documents released includes “Unlocking the Secrets: How to Use the Intelligence Community” and “Semiannual Report to the Director of National Intelligence – Office of the Inspector General of the Intelligence Community.” [Full Story]

Genetics

CA – Looking for an ‘Internet of DNA’

The Star reports on calls by some researchers to create an “Internet of DNA” to help treat rare genetic diseases and psychological disorders. “If we’re looking to 2025, I see a kind of World Wide Web for health, a true Internet for health, which doesn’t exist today,” said Dr. Tom Hudson, a genomics researcher and president of the Ontario Institute for Cancer Research. “We are transforming a lot of information into digital bits and that information is huge,” he added. Such a DNA network could transform medicine and how diseases are cured, researchers argue. Currently, valuable medical data is contained in silos, “while legal, technical and cultural barriers prevent scientists from easily sharing their data troves,” the report states. “If nothing is done, there is a risk that balkanized systems will soon become established,” the Global Alliance’s website points out. [Full Story]

Health / Medical

CA – Northern Canadian Hospital Confirms Staff Wrongly Accessed Patient Records

Security experts emphasize that organizations have to limit access to databases with sensitive information. However, they also have to carefully design information systems themselves so sensitive data doesn’t appear on screens users have legitimate reasons to see. That appears to have failed at a health authority in Canada’s far north, which confirmed that employees inappropriately accessed patient health records through an online scheduling system in what appears to be a case of employee snooping. CBC News reported that some staff at the Beaufort-Delta Health and Social Services Authority, which serves 6,700 residents of the Beaufort Delta Region in the Northwest Territories, including the Inuvik Regional Hospital, have been disciplined for wrongly accessing records of 67 patients. The information “had been inappropriately accessed by staff outside a legitimate scope of duties,” Arlene Jorgensen, CEO of the Inuvik Health Authority, was quoted as saying. The institution’s scheduling system includes expected information such as appointment times and check-out dates. But it also lists the reason patients were at the hospital. Several staff members who had accessed this information did not need it to do their jobs, according to the health authority. The authority emphasized that detailed information, such as diagnoses, was not accessed during the breach. [Source]

CA – Ontario Appeals Board Finds Regulatory Committee Failed to Adequately Investigate Complaint Alleging Physician Inappropriately Accessed Patient Files

The Board reviewed the decision of the Inquiries, Complaints and Reports Committee of the College of Physicians and Surgeons regarding a complaint made against a physician. The regulatory committee failed to properly examine whether the access took place after the physician left a clinic, may have improperly concluded that the access was due to the nature of the filing system (computer logs may support a different conclusion), and failed to consider that the alleged breach is a serious matter under PHIPA; mandatory further investigation should include direct questioning of the physician, examining how the electronic filing system operates, and determining what system access is allowed a non-treating professional. [F.J.S., MD v. S.S.E., MD – 2016 CanLII (ON HPHARB) – Health Professions Appeal and Review Board]

CA – Ontario Appeal Board Upholds Verbal Caution to Pharmacist Regarding Confidentiality

The Health Professions Appeal and Review Board reviewed an investigation of the Inquiries, Complaints and Reports Committee of the Ontario College of Pharmacists, into a pharmacist’s solicitation of new business. The pharmacist obtained patient information from his previous employer and used it to establish clientele for his new business; the Committee found that this active solicitation of business was inappropriate, and warned the pharmacist that he must maintain patient confidentiality, not use patient information for improper purposes, demonstrate professionalism and ethical principles, and respect patients’ right of self-determination. [J.J. v G.C., 2016 CanLII 21553 (ON HPARB) – File#15-CRV-0181]

US – OCR Cautions Hospitals to Prepare for Breaches at Business Associates

With many healthcare organizations questioning their data security arrangements with business partners, the Office of Civil Rights (OCR) of the Department of Health and Human Services sent out an alert suggesting steps to mitigate damage from breaches resulting from those associations. The alert OCR sent last week said that following the 2015 hack of the U.S. Office of Personnel Management (OPM), many healthcare organizations believe the provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) have not stopped breaches and have not allayed their fears. “Not only do a large percentage of HIPAA covered entities believe they will not be notified of security breaches or cyberattacks by their HIPAA business associates, they also think it is difficult to manage security incidents involving business associates, and impossible to determine if data safeguards and security policies and procedures at their business associates are adequate to respond effectively to a data breach,” the alert said. As a result, HIPAA-covered organizations and their HIPAA business associates should consider how they will confront a breach at their business associates or subcontractors. [Source] See also: [Ontario’s legislature has passed the Health Information Protection Act in its third reading. The act aims to improve privacy, accountability and transparency in health care, according to a news release]

US – Brookings Calls Out OCR on HIPAA Audits, Offers Security Tips for Healthcare Organizations  

With the healthcare industry suddenly accounting for nearly 25% of all data breaches, a new study from The Brookings Institution suggests some new cybersecurity strategies are needed. Niam Yaraghi, a Brookings fellow, conducted in-depth interviews with 22 healthcare organizations – providers, payers and business associates – that had each experienced at least one data breach. He found some things in common across them, and some differences. But his biggest takeaway was that guidance and enforcement from the federal government isn’t doing enough to keep patient data safe, and that a more concerted private-sector strategy is needed to help ensure security best practices. In his report, “Hackers, phishers, and disappearing thumb drives: Lessons learned from major healthcare data breaches,” Yaraghi offered a series of suggestions for both the HHS Office of Civil Rights and those working in the healthcare trenches. [Source] See also: [Status report: OCR’s effort to guide HIPAA compliance in mobile health] [Earlier HIPAA Audits Help Healthcare Data Breach Prevention]

Horror Stories

CA – Two Convicted of Snooping on Rob Ford

An Ontario court has convicted two health care workers for unauthorized access to the late mayor Rob Ford’s medical records, the first such conviction under the province’s health privacy law. Both workers pleaded guilty under PHIPA to “willfully collecting, using or disclosing personal health information,” the report states. The former employees have also each been fined $2,505 for the incident. There is no evidence the workers shared the health records they accessed. [The Star] See also: [College of Nurses of Ontario disciplines nurse who snooped into patient records: Mandy Gayle Edgerton – Results of Past Hearings – College of Nurses of Ontario | Toronto Star]

UK – London HIV Clinic Fined £180,000 for ‘Serious’ Data Breach

A London HIV clinic that leaked data on 781 of its patients has been fined £180,000. 56 Dean Street, based in London’s Soho, sent an email newsletter with all patient email addresses in the ‘To’ field, rather than the ‘Bcc’ field. The email addresses allowed for the identification of the patients – 730 of the 781 contained people’s full names – and constituted a “serious breach” of data protection rules, the Information Commissioner’s Office (ICO) said. The Option E newsletter was intended for people using the clinic’s sexual health services and gave general details for treatment and support. The ICO said the breach was “likely to have caused substantial distress” to those who were included on the list. Under data protection rules, information about a person’s health or sexual life is deemed as sensitive and the organisation issued the monetary penalty after an investigation. “It is clear that this breach caused a great deal of upset to the people affected,” Information Commissioner Chris Graham said in a statement. “We recalled/deleted the email as soon as we realised what happened. If it is still in your inbox please The NHS Trust can appeal the decision but if it decides to pay the fine before June 2 it will be reduced to £144,000. Medical director and Caldicott guardian Zoe Penn, from the clinic, said that it “fully accept[s]” the decision of the ICO and that the organisation had made changes to its procedures. [Source]

Internet / WWW

WW – Twitter Bans US Spying Agencies from Terrorism Early Alert Service

In the growing fury over terrorism, surveillance and privacy, Twitter has shoved the US government further away by closing down US spy agencies’ access to a data-mining service that spots terror attacks. The company hadn’t announced the news as of Monday morning. Rather, a senior official in the intelligence community, along with others privy to the matter, told the Wall Street Journal about it. The service in question is Dataminr: a real-time information discovery service that analyzes the output of Twitter’s firehose of real-time public tweets, geolocation data, traffic data, news wires and other data streams, to turn up breaking news such as natural disasters, political unrest and terror attacks. [Source]

Law Enforcement

US – Digital Rights Group Challenges Legality of ‘Thematic Warrants’

Privacy International has filed a judicial review challenging a decision regarding the sanctioned use of “thematic warrants.” The digital rights group sent the review to the U.K. High Court, appealing an earlier decision by an oversight tribunal of the security agencies in the U.K. over the use of the warrants. Privacy International is arguing the legality of the “thematic warrants” — orders giving the government major invasive investigatory powers covering wide classes of people and property. The group first challenged the use of the warrants in 2014, saying they violate Articles 8 and 10 of the European Convention on Human Rights. In related news, the Guardian reports on another privacy advocacy group using an interesting face to front its campaign against the Investigatory Powers Bill: North Korean leader Kim Jong-un. [TechCrunch]

US – New Hampshire State Claims that Secret Recording of Police Is a Crime

New Hampshire outlaws recording conversations when any party to the conversation “has a reasonable expectation that the communication is not subject to interception, under circumstances justifying such expectation,” thus requiring the knowledge of all parties before such a conversation can be recorded. Most states require only “one-party consent,” under which you can record a conversation to which you are a party, because you consent to the recording, even if the others don’t. But some states — including New Hampshire — require “all-party consent,” or at least all-party knowledge, that the conversation is being recorded. And New Hampshire authorities read this as applying even when someone is recording his conversation with the police. Indeed, Alfredo Valentin is under indictment for recording such a conversation, between himself and the police officers who were searching his home. The U.S. Court of Appeals for the 1st Circuit, which is in charge of cases from New Hampshire, has held (Glik v. Cunniffe) that a similar Massachusetts law violates the First Amendment; but that case involved someone openly recording the police, and the court stressed that fact in the Fourth Amendment portion of the Glik opinion. New Hampshire authorities appear to take the view that secret recording of the police can be banned, even if open recording cannot be. [Source] See also: [New Jersey Governor Chris Christie has approved a bill making it illegal to surreptitiously record or photograph a person’s undergarments.]

Privacy (US)

US – FTC and FCC Join Forces to Examine Mobile Security

The FTC and the FCC are working together to examine the current state of mobile security. The FTC is issuing orders to eight mobile device manufacturers, requiring them to give the agency information on their procedures for issuing security updates to remedy device vulnerabilities. The companies receiving orders include Apple, Google, Microsoft and Samsung. The eight companies must provide details such as “the factors that they consider in deciding whether to patch a vulnerability on a particular mobile device” and “detailed data on the specific mobile devices they have offered for sale to consumers since August 2013.” The FCC issued a press release announcing its cooperation with the FTC and explaining that it will send letters to mobile companies on how they evaluate and deliver security updates. [FTC] See also: [The Senate Judiciary Committee’s subcommittee on Privacy, Technology and the Law will host a May 11 hearing on the Federal Communications Commission’s proposed privacy rules] and [The New Privacy Cop Patrolling the Internet And it’s armed with new data-privacy rules]

US – Neopets, Global Email Addresses Among this Week’s Biggest Breaches

A dataset from JumpStart’s online game Neopets was posted online, with Motherboard reporting that the number of customers affected allegedly numbered more than 70 million. The information compromised varied from customer to customer, but no credit card or home addresses were breached, said JumpStart’s Jim Czulewicz. While the dataset appeared to be dated before JumpStart acquired Neopets in 2014, the company planned to alert customers regardless. Independent.ie reports that out of the recent global breach of more than 272.3 million email accounts, an estimated 42,000 accounts are Irish. [NextGov]

US – Lyft, Uber Among EFF Data-Sharing Report Top Scorers

The Electronic Frontier Foundation awarded Uber and Lyft perfect scores on the group’s sharing economy data protection study. When grading organizations, the EFF considered whether they published transparency reports and if companies required government agencies to provide a warrant before they shared user data, the report states. “Consumers should be able to understand their privacy rights by reading the policies of the companies that hold their data,” EFF’s study states. [Fortune]

WW – Bark Helps Parents Keep Kids Safe Online Without Invading Their Privacy

Launching today at TechCrunch Disrupt NY 2016 is a new service called Bark, aimed at parents who want to keep their kids safe online. Unlike traditional “parental control” software or net nanny-type watchdog applications, Bark’s goal is to strike the correct balance between respecting a child’s right to privacy and protecting them from online predators and cyberbullying, while also looking out for issues like sexting or mental health concerns. To use the service, parents sign up online at the Bark website, add their kids, then work with the children to connect their social accounts. Once set up and configured, Bark uses machine learning techniques to look for incidents of dangerous activity, whether that’s cyberbullying, sexting, a child interacting with an older stranger who could be grooming them (as online predators do) or even signals that the child could be experiencing a mental health concern like depression or suicidal thoughts. When Bark finds something questionable, it sends an alert to the parent that not only contains the relevant conversation, when and where it took place, but also recommended ways of handling the issue appropriately. Bark competes with a handful of other solutions, including VISR, more traditional software programs and cyberbullying-specific solutions like ReThink or STOPit. [Source]

Security

WW – Stop Resetting Your Passwords, Says UK Govt’s Spy Network

The UK government has, on World Password Day, repeated its advice against the common security practice of routinely changing passwords. “In 2015, we explicitly advised against [the practice],” a post by GCHQ’s Communications-Electronics Security Group (CESG) notes. “This article explains why we made this unexpected recommendation, and why we think it’s the right way forward.” As tech advice goes, this is one that people will actually want to hear, and the CESG has put out a 16-page document called “Simplifying Your Approach” that explains what you should do to get your information secure without driving your users crazy. Those in favor of automatically and regularly resetting passwords believe it makes historical password information useless; it forces users to periodically think about security; it increases the likelihood that people will use a password they do not use for other services; and it creates more of a moving target for potential hackers. “The problem is that this doesn’t take into account the inconvenience to users – the ‘usability costs’ – of forcing users to frequently change their passwords. The majority of password policies force us to use passwords that we find hard to remember.” The problem is our rubbish brains: “While we can manage this for a handful of passwords, we can’t do this for the dozens of passwords we now use in our online lives.” The result, according to CESG, is that we are more likely to write our password down. Or forget the password altogether, forcing service desks to reset them, chewing up time and resources. As a result, CESG “now recommend organisations do not force regular password expiry.” Instead, it says, companies should introduce system monitoring tools such as showing a user the last time they logged in to flag if someone else is using their account. [Source] See also: [Don’t do it! 5 ways to upgrade your passwords this PasswordDay]

WW – Security Defenses Improving at Many Firms, Study Reveals 

Many organizations have made significant improvements in IT security preparedness and effectiveness, taking steps to improve their security posture, according to new research from SolarWinds, a provider of IT management software. The company’s survey of IT professionals in North America showed that more than half (55%) said their organizations did not experience any security breaches in 2015. About 30% said they had experienced a breach. Half of the respondents said their organizations were less vulnerable than they were a year ago, compared with 12% who said they are more vulnerable. “The most surprising finding of the survey is just how many organizations are less vulnerable today than they were a year ago, and, on a related note, how many have implemented security technologies and better security training,” said SolarWinds. [2016 IT Security Survey, North America] [Source] See also: [Microsoft has published the 20th edition of its Security Intelligence Report covering the period July 2015 to December 2015]

Surveillance

US – Justice Department Building Wearable Camera Catalog for Police

The Justice Department is crafting a catalog to assist police departments buying wearable cameras, including information on the devices’ privacy capabilities. Fears surrounding hackers infiltrating body cameras will be addressed in the catalog, with data protection and privacy controls among the characteristics listed in the guide. Each device will have five areas of information to properly inform departments of what they are purchasing, covering vendor, camera, video storage software, ease of use, and installation. Included within those five categories are details on facial recognition, “privacy masking” to blur out certain images and protect personal privacy, and encryption features to protect data from cyberattacks. Sheila Jerusalem, a spokeswoman for the Justice Department’s National Institute of Justice, said the organization wants the guide available by December 2016. [Nextgov]

US Legislation

US – California Bill Would Dictate What Happens to Digital Footprint Post-Death

A new California bill could set a national precedent for the handling of an individual’s digital footprint after they pass away, Fusion reports. The Revised Uniform Fiduciary Access to Digital Assets Act would create rules for how companies can share a deceased person’s digital records. The rules first defer to the late party’s directions for how those records would be handled, then look toward a will. If no instructions have been left, all decisions will be made by the site’s terms of service. Despite revisions being made to the bill, privacy advocates are still concerned. “Is it possible that they might make mistakes both by releasing too much information or releasing it to the wrong person?” said Kevin Baker, legislative director for the ACLU of Northern California. “We think the history of the treatment of digital records shows that there likely will be mistakes.” [Full Story]
