Biometrics
WW – Advancements in Facial Recognition Raise Privacy Questions
Facial recognition technology is rapidly evolving, “using frame-by-frame video analysis to read subtle muscular changes that flash across our faces in milliseconds, signaling emotions like happiness, sadness and disgust.” While there may be benefits to such face-reading software—such as recognizing confusion on the face of an online student and offering tutoring options—one U.S. privacy attorney notes such technology raises concerns. “The unguarded expressions that flit across our faces aren’t always the ones we want other people to readily identify,” Ginger McCall said, adding, “Private companies are developing this technology now. But you can be sure government agencies, especially in security, are taking an interest, too.” [The New York Times]
WW – How Reflections in Victim’s Eyes Could Help Identify Perpetrators in Hostage Situations
New research suggests that police investigating crimes in which the victims were photographed may find hidden clues by looking for reflections in victims’ eyes. Pupils, the researchers said, can reveal “surprisingly rich” information, as they essentially act as a “black mirror.” By zooming in on the eyes and adjusting the contrast, police investigators could potentially use high-resolution photographs to identify a victim’s surroundings, including their assailant. The article was written by psychologists Rob Jenkins, of the University of York in England, and Christie Kerr, of the University of Glasgow. To test their theory, the researchers shot “passport-style” photographs of individuals and then zoomed in to recover facial images of bystanders in the reflections of subjects’ eyes. The reflected facial images were typically about 30,000 times smaller than the subjects’ faces. Thus, the quality of the images was not great, the researchers wrote. Despite the poor quality, study participants who were shown eye-reflected images of people they did not know were still able to identify them later in a face-matching test 71% of the time. When shown eye-reflected images of people they did know, study participants were able to identify them 84% of the time. “Our findings thus highlight the remarkable robustness of human face recognition, as well as the untapped potential of high-resolution photography,” Jenkins said in a news release. [The National Post]
WW – Can Robots Better Spot Terrorists at Airports?
Aviation and government authorities are starting to use machines in lieu of people to verify the identities of fliers by scanning their faces, irises or fingerprints. Dozens of airports in Europe, Australia and the U.S. already employ such technology so passengers can pass immigration checks without showing identification to, or talking with, a person. Now, several major airports in Europe have started using these automated ID checks at security checkpoints and boarding gates. Ultimately, the technology could “get rid of the boarding pass completely,” with fliers’ faces serving as their tickets, said Michael Ibbitson, chief information officer of London Gatwick Airport. Gatwick performed a trial this year in which it processed 3,000 British Airways fliers without boarding passes. The fliers scanned their irises when checking in, enabling cameras at security checkpoints and boarding gates to automatically recognize them. “We’re only just starting to see what biometrics can do,” he said. Critics, however, worry that relying too much on automation will dull the senses of human screeners and remove the human intuition that can detect when something just doesn’t seem right. About 28% of the world’s airports now use biometric technology, up from 18% in 2008, according to a survey by SITA, an airline IT provider. [Wall Sttreet Journal]
US – Tech Giants and Privacy Advocates Square Off Over Facial Recognition
Facebook Inc., Wal-Mart Stores Inc. and other companies planning to use facial recognition scans for security or tailored sales pitches will help write rules for how images and online profiles can be used. The U.S. Department of Commerce will start meeting with industry and privacy advocates in February to draft a voluntary code of conduct for using facial recognition products, according to a public notice. The draft will ready by June. The code of conduct will apply only to commercial use, not to how law enforcement or spy agencies may use it. [The Vancouver Sun] [Facebook facial recognition matches abused child's image to aid in arrest]
Canada
CA – Stoddart Departs Commissioner’s Post
Privacy Commissioner Jennifer Stoddart is departing from office and the work she did while there, including taking on big companies like Google and Facebook in defence of Canada’s privacy laws. She’s also been an “outspoken critic” of how the federal government handles and protects Canadians’ personal information and has called for an update to the Privacy Act and the Personal Information Protection and Electronic Documents Act. Stoddart recently gave an exit interview in which she discussed the problems Canada faces, including protecting privacy rights in the face of new technologies such as drones and facial recognition. Assistant Privacy Commissioner Chantal Bernier has stepped up as interim privacy commissioner until Stoddart is replaced. [Vancouver Sun]
CA – Cavoukian Investigating Report of Data-Sharing with Border Services
Ontario Information and Privacy Commissioner Ann Cavoukian will investigate reports of private health information “being shared with U.S. border services, saying it’s a matter ‘of grave concern’ to her.” In an e-mail to the provinces’ New Democrats (NDP), who sought her help, Cavoukian noted her office “will investigate the matter and ensure that the personal health information of Ontarians is not being compromised by any organizations under my jurisdiction,” the report states, noting the NDP’s France Gélinas indicated being “contacted by three people who have been denied entry” into the U.S. based on personal health reasons. “All Ontarians need to be assured that their personal information is never shared without their consent,” Gélinas said. [Huffington Post] SEE ALSO: [Cavoukian Discusses Privacy by Design on U.S. Public Radio] and [Canadian spy watchdog decries ‘misinformation’ flowing from recent Snowden leaks]
CA – Commissioner Calls on Ministry to Take Action After Breach
Saskatchewan Privacy Commissioner Gary Dickson says the Ministry of Highways must take further action after a worker snooped on a driver. Following a traffic incident between a transport compliance branch employee and another driver, the employee looked up the driver’s personal details via the Saskatchewan Government Insurance (SGI) database and then contacted the driver, the report states. The driver then complained to SGI and the Royal Canadian Mounted Police. Employees of the transport compliance branch are permitted to use the SGI database only for certain purposes. The employee has been suspended for 20 days without pay, according to the highways minister, but the privacy commissioner wants stronger action. [Times-Colonist]
CA – Commissioner: Pharmacy Employee Broke Province’s Rules
Alberta Privacy Commissioner Jill Clayton has said a “casual employee at a pharmacy inside a southeast Calgary Shoppers Drug Mart contravened the province’s Health Information Act last year when he phoned and tried to Facebook ‘friend’ a woman who had filed a prescription.” “Employers have a responsibility to inform and train their staff on the appropriate use of health information,” Clayton said, adding, “Health information systems are for healthcare, not matchmaking.” Clayton’s investigation found the employee, who is no longer employed at the pharmacy, misused health information while the pharmacy’s manager did not implement appropriate safeguards. [CBC News]
CA – Opinion: Bill C-13 Is Unnecessary
In a National Post op-ed, George Jonas examines the Protecting Canadians from Online Crime Act, often referred to us Bill C-13 or the anti-cyberbullying law, noting that while he “wasn’t unduly concerned about it when it was being attacked by its critics,” his perspective has shifted “when the government started defending it.” He writes that the critics did little to persuade him that Bill C-13 was a bad law, but “the defenders have convinced me that the law is worse than bad: It’s unnecessary. What it outlaws for a good reason is already against the law; the rest is just the state trying to enter the nation’s computer rooms.” [National Post]
CA – CSEC Sends Strong Message of Privacy to New Recruits
Watch out for foreign spies, hackers, terrorist sympathizers and disgruntled employees. Tell acquaintances you work for a “generic” government agency. Leave any iPods, USB sticks, and cellphones at home. At day’s end, turn off your computers, lock down files, and make sure not to take home anything classified. Spilling secrets means risking going to jail. The “CSEC 101: Foundational Learning Curriculum,” comprises dozens of PowerPoint decks that are intended to help new employees at the Ottawa agency find their feet. The Globe and Mail obtained the 650-page manual through Access to Information laws. [Globe and Mail]
Consumer
WW – Study: People Willing to Exchange Privacy for Cost Savings
A new survey indicates just how much privacy people are willing to trade in exchange for monetary benefits. The Intel and Penn Schoen Berland survey, which polled people in eight countries, found that 70% would be willing to share data from a “smart toilet” if it meant lower healthcare costs, and 84% would be willing to share vital statistics such as blood pressure or lab tests. The survey also found 75% would be willing to share data obtained via a health monitor they could swallow. [WIRE] See also: [Data-Driven Dating: How Data Are Shaping Our Most Intimate Personal Relationships] And also: [Yes, Consent Is Dead. Further, Continuing To Give It A Central Role Is Dangerous]
US – Customized Airline Deals Raise Privacy Concerns
When you go online to search for an airfare, you often see the lowest price appear at the top of your computer screen. But what if your airline search site instead offered you a customized flight package deal—adding extras like wireless Internet access and a seat with extra legroom—based on what you have booked in the past? In the future, airlines will increasingly offer you customized airfares based on detailed information carriers have collected, even data about your income, the neighborhood where you live and your travel patterns, according to industry experts. It’s a trend that worries consumer advocates. “It will be the death of comparison shopping,” said Charles Leocha, director of the nonprofit Consumer Travel Alliance and author on travelers rights. A consumer protection panel, appointed by the U.S. Department of Transportation, will meet in Washington to discuss customized airfare pricing. The panel could recommend a new federal rule that requires airlines to disclose what information they are collecting from travelers. [LA Times]
WW – Study: Consumers Will Pay $5 for an App That Respects Their Privacy
A new report finds that people are weary of the hidden costs of free. A new study from economists at the University of Colorado finds that the average consumer would prefer to pay small fees for their apps, in exchange for keeping their information private and their screens uncluttered. In their study, Scott J. Savage and Donald M. Waldman surveyed 1,700 smartphone users, presenting them with a set of apps they could purchase. One of the apps was a real, free app, currently available in the iTunes and Google Play stores. Five other apps were also suggested, and were said to have exactly the same functionality as the free app. But these five came with varying levels of privacy and advertising protections (some protected location data, others address book contents, and so on), and all had a price tag. What Savage and Waldman found is that consumers were willing to spend a bit more to keep their data to themselves, and just how much depended on which data were at stake. For example, on average, consumers were willing to spend $2.28 for an app that would not read their browser history; $4.05 for an app that would not have access to their contacts; $1.19 for an app that did not track their location; $1.75 for an app that did not obtain their phone’s ID number; $3.58 to prevent an app from having access to the contents of their text messages; and $2.12 for an app that had no advertising. Because the “average” app (as determined from a sample of more than 15,000 Android apps) has both advertising and access to a person’s location and their phone’s ID, Savage and Waldman say that paid versions of such apps could rake in somewhere around $5 per download. That’s way, way more than the pocket change that most free apps bring in per download. What’s more, Savage and Waldman use that $5 figure and to do some back-of-the-envelope figuring: Given that the average consumer in their study has 23 apps, and given how many smartphone users there are in the U.S., they calculated the total amount that consumers would spend, if only the apps were there for them to buy: $16 billion. And that’s the conservative, lower-bound estimate. [Reuters]
WW – Privacy Messages Sent Through Art
Last year, approximately 4.7 million passwords were stolen from LinkedIn and leaked online. To many, it was a concerning development, but for one person, the event provided an opportunity to make art. Conceptual artist Aram Bartholl has unveiled “Forgot Your Password,” an exhibit featuring eight books containing all the passwords arranged in alphabetical order, now on display in Germany. This is just one of countless artistic creations riffing on privacy in the modern world. This Privacy Perspectives post looks into a variety of artistic expressions of privacy, including a look at the IAPP’s Art Gallery. [Source]
US – Consumers Warming Up to Smart Meters
Consumers’ fears over smart meters are beginning to dissipate. That’s according to a survey by Navigant Research, which found the percentage of customers who have “favorable” or “very favorable” attitudes toward smart meters has increased from about 37 percent in 2010 to about 43 percent in 2013. While the numbers are improving, “utilities still have some distance to go in building majority support for these technologies.” [FierceSmartGrid]
E-Government
US – State Employee Downloaded SSNs to Personal Computer
Despite a warning on computer security, a state employee who resigned last week says he downloaded data on 6,300 teachers so he could work from home. The 24-year-old former Tennessee Department of Treasury worker told authorities he e-mailed data from a state computer system with a personal account. He uploaded a Tennessee Consolidated Retirement System file containing Social Security numbers on active teachers, violating the treasury’s privacy policy. The man has not been charged with a crime, but all affected teachers have been notified. [The Tennessean]
US – Voter Info for Sale in Oregon
The Oregon Secretary of State’s Office has made nearly $90,000 off fees during the past five years by selling voter information to political parties or campaigns and, sometimes, to private corporations who turn around and sell the data for a profit. The state charges $500 for the database, which includes full names, addresses, phone numbers, date of birth, party registration and voter history. It does not include how anyone voted. The people who buy the database are not supposed to use it for commercial purposes, said Tony Green, a spokesman for Secretary of State Kate Brown. In fact, they must sign a form agreeing not to do so. Records show that many for-profit companies have purchased the entire database during the past five years. Green said the law does not define “commercial purposes,” and the state relies on complaints before enforcement. First-time violators are fined $75. Just one complaint has been filed since 2006, and it was against Oregon Health & Science University, which is “a public corporation and not considered operating for commercial purposes,” Green said. Other states, including California and Washington, have similar restrictions on how data can be used; however, they levy very different consequences. In Washington, for example, misuse of the data is a class C felony punishable by up to five years in prison and/or a $10,000 fine. Records show Oregon has sold the database to companies all over theU.S. who are using it to make a profit despite having signed the affidavit. [Statesman Journal]
US – US Federal Election Commission Audit Finds Computer Security Issues Unaddressed
An audit report from the Office of Inspector General of the Federal Election Commission (FEC) says the agency has not taken steps to improve computer security. An intrusion in 2012 compromised a Commissioner’s user account so that the attackers could use it to access confidential information. FEC has suffered two additional intrusions since August 2013. The audit report notes, “Failure to develop a strong IT security program places FEC at high risk of continued network intrusions.” [Rollcall] [Report]
US – Kerry to Work on Privacy, Big Data at MIT
Cameron Kerry, former acting secretary and general counsel of the Department of Commerce, will join the MIT Media Lab as a visiting scholar. Kerry will work with Prof. Alex “Sandy” Pentland and the Human Dynamics research group on topics related to privacy and personal data ownership as well as on Pentland’s Big Data for Public Good research initiative, the report states. Pentland said Kerry will be “instrumental in bringing together key players, including governments, multilateral organizations and multinational corporations.” [MIT News]
WW – Time to Rethink E-mail Privacy?
The world of privacy is changing, including a recent change to the terms of service for Rogers Communications, a service managed by Yahoo. The new terms include the notice that Yahoo “identifies words, links, people and subjects from your e-mail messages and other messages archived” in order for the company to better deliver relevant ads, among others. One journalist, according to the report, thinks the changes ask him to give up too much privacy, and a Canadian-based regulatory group has joined a global effort to urge advertisers to disclose to users when ads are derived from such e-mail tracking. [Globe & Mail]
Electronic Records
UK – Finra Fines Barclays Capital Over Improper Electronic Record Keeping
The Financial Industry Regulatory Authority said it fined Barclays PLC’s capital arm $3.75 million for failing to keep electronic records properly for at least 10 years. Finra said that from at least 2002 to 2012 Barclays Capital Inc. allegedly didn’t preserve many of its required electronic books and records, including order and trade ticket data, trade confirmations, account records and other items in the proper format. Business-related electronic records must be kept in a non-rewritable, non-erasable format, according to Finra and federal securities law. Finra said these issues were widespread across all of Barclay’s businesses, so the firm was unable to determine whether all records were kept in an unaltered condition or not. In addition, Barclays failed to keep certain attachments to emails sent via systems maintained by financial information provider Bloomberg LP between May 2007 and May 2010, along with 3.3 million Bloomberg instant messages between October 2008 and May 2010, the industry self-regulatory body said. Finra said that failure violates Securities and Exchange Commission, National Association of Securities Dealers and its own rules and regulations and affected Barclay’s ability to respond to electronic communications requests. Barclays also didn’t establish and maintain a system and written procedures to ensure compliance with SEC, NASD and Finra rules, Finra said. “Ensuring the integrity, accuracy and accessibility of electronic books and records is essential to a firm’s ability to meet its compliance obligations,” said Brad Bennett, Finra’s executive vice president and chief of enforcement. [WSJ.COM]
Encryption
WW – RSA Denies Accepting US $10 Million from NSA to Use Faulty PRNG
RSA has denied allegations that it was paid US $10 million by the NSA to use a flawed PRNG (pseudo-random number generating) algorithm in its BSafe crypto library. According to a Reuters story, RSA’s use of the Dual Elliptic Curve Deterministic Random Bit Generator allowed the NSA to identify its use in government systems and push for its inclusion in the National Institute of Standards and Technology’s (NIST’s) Recommendation for Random Number Generation Using Deterministic Random Bit generators. In a blog post, RSA said, “we never have entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use.” [The Register] [ZDNet] [BBC] [ArsTechnica] [ArsTechnica] [RSA Post]
WW – Researchers Steal Encryption Keys by Listening to Computer’s Sounds
Researchers have demonstrated that it is possible to steal RSA decryption keys simply by listening to the sounds a computer makes while running decrypt routines. The technique has limitations. It would be necessary to send thousands of encrypted messages to a system that opens the messages automatically. Also, the targeted key could not be password protected. [ArsTechnica] [The Register] [NBC News] [Research Paper]
EU Developments
EU – EDPS Releases 2014 Inventory
The European Data Protection Supervisor (EDPS) has released its 2014 inventory, a strategic planning document highlighting key areas of focus for the year ahead. “As the second mandate of the EDPS will come to an end in early 2014, it is appropriate to highlight that privacy and data protection have now become relevant in a wide range of EU policies,” said outgoing EDPS Peter Hustinx, adding, “The recognition of privacy and data protection as fundamental rights means that their delivery in practice must remain a high priority on the EU political agenda.” Among the key areas of strategic importance for 2014 are a new legal framework for data protection and rebuilding trust in global data flows. Full Story
EU – German Parliament Elects New Federal Data Protection Commissioner
With Peter Schaar leaving the position of German Federal Data Protection Commissioner on December 17 after 10 years of service, the coalition German government needed to nominate a replacement for confirmation in the Bundestag. On Thursday, they appointed Andrea Voßhoff, a member of the conservative-leaning Christian Democratic Union who served in the Bundestag from 1998 through 2013. Generally unknown to the privacy community, Voßhoff has received a negative initial reception from some privacy advocates: German MEP Jan Philip Albrecht strenuously objected to her nomination, saying on Twitter that her confirmation would amount to an “abolition” of the office. In this exclusive for The Privacy Advisor, Jörg Hladjk, counsel at Hunton & Williams and German-qualified attorney with a German PhD in privacy, expounds upon the three main challenges Voßhoff faces as she enters her five-year term. [Privacy Advisor]
EU – Yes, Consent Is Dead and Giving It a Central Role Is Dangerous
At the just-concluded IAPP Data Protection Congress in Brussels, the audience heard a bold proposal from closing keynote Viktor Mayer-Schönberger: “The naked truth is that informational self-determination has turned into a formality devoid of meaning and import.” Contemporary ideas of notice and consent, he argued, are a farce. In this installment of Privacy Perspectives, Field Fisher Waterhouse Partner Eduardo Ustaran explores the role of consent, noting that EU data protection law is predicated on it. “But does this approach still hold true?” he asks. “Can we—as individuals—really have a meaningful degree of control over the vast amount of information we generate?” Full Story
EU – LIBE Committee: Suspend Safe Harbor, Create EU Cloud, Don’t Negotiate on Privacy
A preliminary conclusion by the European Parliament’s Civil Liberties Committee (LIBE) into the surveillance of EU citizens by the U.S. National Security Agency recommends that the parliament agree to a trade deal with the U.S. only if it does not mention data protection and that Safe Harbor be suspended, according to its website. Lead MEP Claude Moraes also recommended the “swift” creation of an EU data storage cloud and judicial redress for EU citizens to protect their data in the U.S. Meanwhile, the UN General Assembly unanimously adopted a resolution calling for protecting the right to privacy against unlawful surveillance, according to the Associated Press. The resolution calls on all 193 UN member states “to respect and protect the right to privacy, including in the context of digital communication.” Full Story
EU – Parliament Backs New Cloud Resolution
The European Parliament is backing a new cloud computing resolution “in response to actions the European Commission (EC) has set out under its cloud computing strategy.” The EC is engaging the European Telecommunications Standards Institute (ETSI) to help determine the new standards required for cloud services, the report states. In their resolution, MEPs welcomed ETSI’s participation, noting the standards “should enable easy and complete data and service portability, and a high degree of interoperability between cloud services, in order to increase rather than limit competitiveness.” The resolution also asks the commission to provide guidelines for businesses to “ensure full compliance with the EU’s fundamental rights and data protection obligations.” [Out-Law.com]
EU – CNIL Issues Cookie Guidance, Calls for Debate on “Surveillance Society”
The CNIL has released FAQs, along with technical tools, “providing guidance on how to obtain consent for the use of cookies and similar technologies in compliance with EU and French data protection requirements. “The CNIL’s guidance indicates that this obligation applies to website publishers, operating system and application publishers, advertising networks, social networks and website analytics solutions providers,” and “only certain cookies are exempt from the consent requirement under French data protection law,” the report states. Meanwhile, the CNIL’s Isabelle Falque-Pierrotin is calling for a national debate on the “surveillance society.” [Hunton & Williams’ Privacy and Information Security Law Blog]
EU – DPC Makes Headlines; Official Says Regulation Won’t Hurt Business
At the IAPP’s Data Protection Congress in Brussels, experts discussed the forthcoming European privacy requirements, which are “almost certain to slow the current headlong rush toward massive data collection, analysis, use and sale. European Commission Director of Fundamental Rights Paul Nemitz dismissed concerns that the regulation will hurt business, saying privacy will instead become a competitive advantage. Out-Law.com quotes European Commissioner Neelie Kroes speech, delivered at the event by Kroes’ Head of Cabinet Constantijn van Oranje-Nassau, in favor of such reforms as companies being able to process pseudonymized data without consent, and U.S. Federal Trade Commissioner Julie Brill is defending the Safe Harbor program during the DPC’s opening session. [DataInformed] [Steelie Neelie: EU biz can use YOUR private data WITHOUT PERMISSION]
EU – Supreme Court Acquits Google Execs in Privacy Case
According to his personal blog, Google Global Privacy Counsel Peter Fleischer and two additional “Googlers” have been acquitted by the Italian Supreme Court of violating Italian privacy law. In 2010, an Italian court convicted the three employees for failing to comply with Italian privacy code in the case of a disparaging video of a young person that appeared online. “An eight-year legal saga has now come to an end,” wrote Fleischer, adding, “And although I have never met him, I hope that young man who was humiliated in the video that generated this case lives with dignity and happiness.” Fleischer also said the Supreme Court “will issue its written opinion in due course.” Full Story
EU – Ten Years and Two Terms Later, a Look at Peter Hustinx’s Legacy
European Data Protection Supervisor (EDPS) Peter Hustinx’s second five-year term ends this month, and a new leader will soon be appointed. It is worth taking time to note that those who live and breathe European data protection nearly universally agree Hustinx leaves behind both a sterling reputation and an agency that’s evolved into an influential and highly respected supervisory authority since its establishment in 2004. [The Privacy Advisor].
Facts & Stats
WW – Site Picks “Privacy” as Word of the Year, Tracks Users
Ashkan Soltani and Andrea Peterson report that Dictionary.com has chosen “privacy” as its word of the year, citing, among other reasons for the pick, this year’s NSA revelations. “But it has a ring of irony due to the site’s particularly robust consumer-tracking efforts,” they write. The site places 90 cookies on visiting users’ computers and has the most “beacons”—software that can track what a user does on a given webpage—of any site studied in The Wall Street Journal’s 2010 investigation, the report states. [The Washington Post]
Filtering
WW – Browser Extension Circumvents Internet Filters
A browser extension for Google Chrome help users get around the pornography-blocking filters that UK Internet service providers (ISPs) have been ordered to put in place. Last week, ISP BT announced that new customers will have the filters implemented by default, and that over the course of the next year, existing customers will be contacted and notified and given the option of activating the filters. The plan aims at protecting children from inappropriate content. However, the filters have already proven faulty, as they are allowing some pornography through while blocking websites that contain information about sex education and organizations that help abused women. [WIRED]
Finance
US – Senators Call for Consumer Financial Data Security Hearing in Wake of Target Breach
Three US senators have asked the Committee on Banking, Housing, and Urban Affairs to hold a hearing on the Target breach “as soon as reasonably possible.” The senators want to address the questions of whether or not marketplace entities “are taking all appropriate actions to safeguard consumer data and protect against fraud, identity theft, and other harmful consequences, and whether we need stronger industry-wide cyber security standards.” The senators want to discuss the possibility of accelerated adoption of EMV chip-based cards and they want to know if financial regulators “have the necessary tools, information, and authority to ensure that financial companies and service providers are doing enough to protect consumer data.” [SC Magazine] [Bank Info Security] [Senators’ Letter to the Committee]
US – Weak Credit Card Security Makes U.S. Prime Target for Data Breaches
The U.S. is the juiciest target for hackers hunting credit card information. And experts say incidents like the recent data theft at Target’s stores will get worse before they get better. That’s in part because U.S. credit and debit cards rely on an easy-to-copy magnetic strip on the back of the card, which stores account information using the same technology as cassette tapes. “We are using 20th century cards against 21st century hackers,” says Mallory Duncan, general counsel at the National Retail Federation. “The thieves have moved on but the cards have not.” In most countries outside the U.S., people carry cards that use digital chips to hold account information. The chip generates a unique code every time it’s used. That makes the cards more difficult for criminals to replicate. So difficult that they generally don’t bother. “The U.S. is the top victim location for card counterfeit attacks like this,” says Jason Oxman, chief executive of the Electronic Transactions Association. [Associated Press]
FOI
CA – Access Denied: How Perceived Info Blocking Has Dogged Tories in Newfoundland
Newfoundland Premier Kathy Dunderdale was defiant during a recent exchange in the legislature when she touted Newfoundland and Labrador as one of Canada’s most open governments. It’s a claim she has made repeatedly over the last 18 months after her Progressive Conservatives passed access to information changes that national accountability watchdogs called shockingly regressive. Amendments to the Access to Information and Protection of Privacy Act in June 2012 blocked release of ministerial briefing notes, increased protections for cabinet records, hiked fees and allowed ministers to reject requests as “frivolous” or “vexatious.” Accusations of secrecy have dogged the Tories ever since. Opposition Liberal Leader Dwight Ball says his first act if he wins the next election in 2015 would be to repeal those changes and launch a full review of access to government documents. He challenged Dunderdale in the house of assembly on Nov. 18 to overturn “the most secretive bill that this house has ever seen.” Dunderdale was unfazed. She cited a 2012 study on access to information by the Halifax-based Centre for Law and Democracy that found “we are open and transparent, far ahead of other provinces in this country … and the federal government,” she told the legislature. [The Canadian Press]
US – Verizon to Issue Transparency Report
Starting in 2014, Verizon will publish semi-annual transparency reports about government requests for information. Verizon will be the first US telecommunications company to publish a transparency report, which are already published by technology companies such as Google, Microsoft, and Facebook. Verizon was named in the first of the NSA documents leaked earlier this year, which revealed that the intelligence agency had been gathering large swaths of information from the company. [Washington Post] [ZDNet]
WW – Google’s Transparency Report Shows Sharp Increase in Takedown and Data Requests
Google’s most recent transparency report shows that the number of government takedown requests is increasing steadily. In the first half of 2013, Google received more than 3,800 requests from governments around the world to remove content they deemed defamatory, pornographic, or even just embarrassing. Google’s report indicates that it complied with fewer than half of the requests. According to the report, the number of government requests for user data is also increasing rapidly. The US government submitted more than 10,000 requests for information about 21,683 Google users. The data do not include requests for data made under Foreign Intelligence Surveillance Act programs. [Washington Post] [CNET]
EU – Spain’s DPA Fines Google $1.2M
Spain’s data protection authority (DPA) has fined Google $1.2 million (900,000 euros) for the illegal collection and use of consumers’ personal data. The company is charged with “three serious violations” by the DPA for not providing details “about what data it collects, what it uses it for and without obtaining a valid consent.” Google was fined 300,000 euros for each of the three violations and is required take the “necessary measures without any delay to comply with the legal requirements.” In a statement, Google said, “We’ve engaged fully with the Spanish (authority) throughout this process to explain our privacy policy and how it allows us to create simpler, more effective services, and we’ll continue to do so,” adding “We’ll be reading their report closely to determine next steps.” [Bloomberg]
Health / Medical
US – Electronic Death Records Effective Influenza Surveillance Tool
The use of electronic death certificates may be an effective means of monitoring influenza outbreaks, according to new data. Unlike traditional methods of surveillance, an electronic death reporting system (EDRS) does not require medical records to track the severity of influenza seasons. Therefore, it requires fewer resources and would be less taxing on hospitals and public health personnel, researchers reported in Emerging Infectious Diseases. [Source]
CA – Pharmacist’s Facebook Request Broke Alberta’s Health Rules
A Calgary pharmacist shouldn’t have dug into a woman’s health information for “matchmaking” purposes, according to Alberta’s privacy commissioner. A casual employee at a pharmacy inside a southeast Calgary Shoppers Drug Mart contravened the province’s Health Information Act last year when he phoned and tried to Facebook “friend” a woman who had filed a prescription, said Jill Clayton. [CBC News]
Horror Stories
US – Target: PINs Were Stolen in Breach
Target now admits that PINs were stolen during a security breach of its in-store payment systems that affected 40 million accounts, but says that the data are encrypted. The PINs are reportedly encrypted at the keypads with Triple DES encryption; Target does not store or even have access to the key necessary to decrypt the data. [DarkReading] [ComputerWorld] [CNET] [CNN] [GovInfoSecurity] See also: [Target Payment Processor Denies it Was Breached] and [Is This Man Selling The Stolen Target Data?]
US – Target Breach Incites Action; Snapchat Is Latest High-Profile Breach Victim
Following the breach at Target affecting approximately 40 million consumers, Sens. Robert Menendez (D-NJ), Mark Warner (D-VA) and Charles Schumer (D-NY) have called for a Senate Banking Committee hearing to examine whether stronger industry-wide standards are needed and if all necessary actions are being taken to safeguard consumer data against fraud and identity theft. Missouri’s attorney general and a New York assemblyman are also looking into the breach, and a number of consumers have filed lawsuits. Meanwhile, a number of breaches spanning the globe affected healthcare providers, bankers and casino frequenters, among others that include private-texting provider Snapchat, which lost 4.6 million usernames and phone numbers. [The Privacy Advisor] See also: [Following hack, RegistratioNation discovers some customer data was inadvertently being stored on its server] [FL: Barry University notifies patients that records with personal, financial, and medical information may have been compromised] and [Woman finds her private information from rental application posted online]
WW – Snapchat Data Stolen; App Will Be Updated
A database of Snapchat 4.6 million usernames and some associated telephone numbers with the last two digits blurred has been posted online. The site where the stolen data were posted has been taken down. The people behind the attack say they exploited recent changes made to Snapchat to access the information. A message on Twitter from Snapchat CEO Evan Spiegel says that the company is “working with law enforcement [and] will update when we can.” [CNN] [ZDNet] [Washington Post] [The Register] [CNET] Update: Snapchat has announced that it will release an updated version of the app that will allow users “to opt out of appearing in Find Friends after they have verified their phone number.” The company said that it is also implementing other changes “to address future attempts to abuse our service.” [Source]
WW – Snapchat API and Exploits Published
Hackers have published Snapchat’s API (application programming interface) and exploit code for a pair of vulnerabilities that could be used to match phone numbers with usernames and create phony Snapchat accounts. The hackers say they released the information because Snapchat developers ignored their notifications about the vulnerabilities. [ArsTechnica] [Forbes] [ZDNet]
NZ – Huge Increase in IRD Privacy Breaches
Confirmed privacy breaches at Inland Revenue have jumped by almost 400% in the past year despite a crackdown after a spate of failings. In 2012 there were 32 separate privacy breaches but ONE News can reveal that has shot up to 151 incidents this year. The figures, obtained under the Official Information Act, show more New Zealanders’ confidential details are ending up in the wrong hands. And while the total number of people affected in the breaches has dropped from 6379 to 1158, hundreds more people are victims of serious breaches. In 2012, 638 people were caught up in three serious breaches while in 2013, 946 people were affected by 43 serious breaches where Inland Revenue has had to put security measures in place to protect people from identity theft. Labour’s revenue spokesperson David Clark said it’s a huge increase.”At this rate of increase pretty soon every New Zealander’s private banking data will be available to anyone that wants it and that’s a frightening prospect,” he said. [ONE News]
Identity Issues
US – Metadata Not Anonymous at All, Stanford Researchers Show
If you’re not concerned about government surveillance of your phone because the National Security Agency (NSA) only collects metadata, think again. A study from Stanford University shows that connecting “anonymous” metadata to compromising personal information is trivially easy. Documents leaked in June by former NSA contractor Edward Snowden revealed that the organization was collecting metadata about calls placed to and from Verizon telephone lines. Although this revelation was potentially troubling, metadata collection is, in theory, not cause for concern. The metadata about your phone calls does not reveal your name or identity, or the content of your conversations, but it does track the numbers you call, how long the calls last, and which other companies have your phone number in their directories. Although the specific documents leaked in June concerned Verizon landlines, the NSA has since admitted that it collects metadata about mobile telephone calls and text messages as well. Sen. Dianne Feinstein (D-Calif.), who heads the Senate Intelligence Committee, has said that collecting metadata is “not surveillance.” Because the information, by itself, cannot identify individuals, Feinstein and the NSA hold that it is practically harmless for the government to collect it. A research team operating out of Stanford University disagrees, and hopes to prove its point with a new Android app called MetaPhone. By accessing your phone number and your Facebook page, this app does what any NSA program could do: It acquires your metadata, then correlates it with your social-media information to see how much it can learn about you. [Tom's Guide US]
BA – Bahamas: National ID Card Being Considered By Government
Immigration Minister Fred Mitchell said the Government is considering introducing a National Identification Card as well as charging persons who knowingly hire illegal immigrants in an effort to deal with the country’s long standing illegal migration problem. Mr Mitchell said in 2014 the issue of immigration will be “front and centre” on the government’s agenda. [The Tribune]
Internet / WWW
AU – Top Websites Pose Privacy Threat
Some of Australia’s most popular websites are also those that pose the greatest privacy threat, a new index created by University of Canberra cyber security experts has found. In an Australian first, the University’s Centre for Internet Safety has produced the 2013 Australian Online Privacy Index to rate the websites most visited by Australians. While Australian-based sites rank among the best, the majority are not compliant with changes to the Privacy Act which comes into force in March 2014. Co-director Alastair MacGibbon explained that to develop the index, the researchers looked at how websites collect, use, disclose, transfer and store customers’ personally identifying information.“This report demonstrates the majority of organisations are not ready for the new regulatory changes,” he said. The new index will allow consumers and regulators to assess the privacy implications of interacting with popular websites. It will also allow businesses to compare themselves with peers in their own sector, as well as to know how their sector fares against others. [The University of Canberra]
Law Enforcement
US – Commercial UAV Use in U.S. Takes Next Step Forward
While the use of unmanned aerial vehicles (UAVs) is regulated in various ways across the globe, the Federal Aviation Administration (FAA) still tightly controls their use in the U.S. Currently, only law enforcement operations and certain educational institutions, or those who’ve expressly received clearance, are allowed to use what have commonly come to be referred to as “drones.” However, CNN reports, the FAA approved six research sites in late December at which it will test the best ways in which to safely, and with consideration for privacy, bring UAVs into “the heavily used U.S. airspace.” In this roundup for The Privacy Advisor, we look at the latest news in the use of UAVs from the holiday season. [The Privacy Advisor] See also: [Unbelievably lenient sentence for cop who fingered suspects’ anuses]
CA – OPP first to Target Suspended Drivers Through Licence Plate Program
Driving with a suspended licence is about to get much riskier for drivers as the Ontario Provincial Police (OPP) become the first police service in Ontario and one of the first in Canada to target suspended drivers with their Licence Plate Recognition Program (ALPR). “Thanks to our continued partnership with the Ministry of Transportation Ontario (MTO) and the Ontario Information and Privacy Commissioner (IPC), our roads will be much safer now that we have the resources to remove the threat that suspended drivers pose to all road users. The additional 27 vehicles will allow us to scan thousands more plates every day over a broader geographic range in the province,” said OPP Deputy Commissioner Bill Blair, Provincial Commander of Traffic Safety and Operational Support. The OPP is also expanding its ALPR program to include an additional 27 ALPR equipped vehicles to its existing fleet of four which, according to the OPP, will make it more difficult for suspended drivers, drivers of stolen vehicles and other vehicles with plates in poor standing to drive undetected on Ontario roads and highways. “Our partnerships with the OPP and all our road safety partners have allowed us to lead the way with some of the most advanced road safety programs, tough laws and strong enforcement. This is why Ontario is a North American leader in road safety,” stated Glen Murray, Minister of Transportation and Minister of Infrastructure. “Ontario motorists expect to be protected from unsafe drivers, but also not to be tracked as they go about their daily lives. We are pleased to report that the OPP used a Privacy by Design approach in developing its Automatic License Plate Recognition system, and that when a scanned license plate does not match the list of unsafe drivers, it will be deleted from the system within minutes,” added Ann Cavoukian, Ph.D. Information and Privacy Commissioner, Ontario, Canada. Approximately 250,000 Highway Traffic Act licence suspensions are issued annually in Ontario. OPP ALPR vehicles now have access to an MTO database that contains all Ontario licence plates of vehicles whose registered owners’ driver’s licences are suspended. [Ottawa Valley] [Ontario getting 27 vehicles equipped with Automatic Licence Plate Recognition program technology]
Location
WW – Some Older Webcams Activation Indicator Lights Can be Disabled
Researchers at Johns Hopkins University have found that it is possible to disable activation indicator lights by modifying the firmware on some webcams on older Mac computers. The issue affects iSight webcams in Macs and MacBooks released prior to 2008. [Washington Post] [ComputerWorld] [CNET] [ArsTechnica] [iSpy: Prof finds some Apple webcams can be activated without warning light]
WW – A New Twist in International Relations: The Corporate Keep-My-Data-Out-of-the-U.S. Clause
By now, we’ve heard from tech companies such as Facebook, Google and Cisco Systems that the National Security Agency’s spying poses a threat to their international business and, in Cisco’s case, is already hurting it. So what does that threat look like, exactly, at ground level? Some companies are apparently so concerned about the NSA snooping on their data that they’re requiring – in writing – that their technology suppliers store their data outside the U.S. [Bloomberg]
Online Privacy
WW – Instagram Rolls Out Nuanced Photo-Sharing
Instagram Direct is a new messaging service that allows users to document granular parts of their day to clusters of friends. As our “notions of privacy are constantly evolving and, in many cases, being eroded altogether,” we are “learning how to cope by adapting ourselves and our sharing behaviors by deciding which version of ourselves to present based on the number of people who will be able to see it,” the report states, suggesting the new service seems to respond to that adaptation. [The New York Times] [Instagram Direct and the Fracturing of Privacy]
WW – Bilton: “Anyone Who Can Watch You Will”
Nick Bilton writes that amidst reports of online tracking, “outfits like Snapchat have exploded onto the scene … holding out the promise that all those selfies, texts and e-mails will simply vanish … But the fact is, many services that claim to offer that rarest of digital commodities—privacy—don’t really deliver.” Princeton Prof. Edward Felten weighs in, cautioning, “Just because information is unavailable to you and you don’t see it doesn’t mean that it is not being captured, stored or even seen by someone else in transit.” The ACLU’s Ben Wizner suggests “change can happen” if “technologists that are disillusioned by the incessant tracking will use their skills to make surveillance more costly.” [New York Times]
US – Are Your Books Reading You?
New services track our habits—including an exercise game that monitors our fitness and e-books that “read” us. For example, the report states, start-ups “get reading data from subscribers who, for a flat monthly fee, buy access to an array of titles, which they can read on a variety of devices. The idea is to do for books what Netflix did for movies and Spotify for music.” As one author put it, “What writer would pass up the opportunity to peer into the reader’s mind?” Meanwhile, Gregory Schmidt writes a column on his use of Nintendo’s Wii Fit Meter. The device “ clips on a belt or waistband and records your activity,” which can then be downloaded to the Wii U controller. [The New York Times]
Other Jurisdictions
WW – United Nations Signs Off on ‘Right to Privacy in the Digital Age’
The United Nations (UN) has unanimously voted to adopt a resolution calling for online privacy to be recognised as a human right. The gesture is politically notable because it shows the world is willing to be seen to do something in the wake of The Year Of Snowden. The resolution extends the general human right of privacy to the online world and clearly takes aim at the USA for its recently-revealed activities in clause 4, which “Calls upon all States” to perform the following actions.
a) To respect and protect the right to privacy, including in the context of digital communication;
b) To take measures to put an end to violations of those rights and to create the conditions to prevent such violations, including by ensuring that relevant national legislation complies with their obligations under international human rights law;
c) (c)To review their procedures, practices and legislation regarding the surveillance of communications, their interception and collection of personal data, including mass surveillance, interception and collection, with a view to upholding the right to privacy by ensuring the full and effective implementation of all their obligations under international human rights law;
d) To establish or maintain existing independent, effective domestic oversight mechanisms capable of ensuring transparency, as appropriate, and accountability for State surveillance of communications, their interception and collection of personal data;
Sadly, UN resolutions of this sort aren’t binding and can be flouted without consequence.
On the upside, the UN has explicitly recognised “that the same rights that people have offline must also be protected online, including the right to privacy” and noted that “the global and open nature of the Internet and the rapid advancement in information and communication technologies as a driving force in accelerating progress towards development in its various forms”. [The Register] [UK: Internet privacy as important as human rights, says UN's Navi Pillay]
AU – Overview of the Australia Privacy Principles (APPs)
A guide to the new privacy landscape for the Commonwealth Government. Bottom Line: the amendments tighten up the rules around how agencies can collect, use and disclose personal information. For the first time, new Australian Privacy Principles will apply to both the private and public sectors. There is a new requirement for agencies to develop detailed privacy policies and make them clear and easily accessible. The Principles require a higher standard of protection to be afforded to “sensitive information”. The Privacy Commissioner will also be able to obtain enforceable undertakings from an organisation and apply to the court for a civil penalty order against agencies. The main changes to the Privacy Act result from the replacement of the current Information Privacy Principles (IPPs) with the Australian Privacy Principles (APPs). Importantly, the APPs align more closely with the current National Privacy Principles, which apply to the private sector, than the IPPs. [See Full Summary and discussion at: Mondaq News]
Privacy (US)
US – Judge Dismisses Challenge to Suspicionless Border Searches of Electronics
A federal judge in New York dismissed a suit brought by the ACLU in 2010 that challenged the Customs and Border Patrol’s authority to conduct searches of electronic devices at border crossings without reasonable suspicion. Judge Edward Korman said the likelihood of such a search was small and that there are procedures in place for privileged content, such as journalists’ sources and attorneys’ client communications. The second Bush administration established suspicionless electronics searches in 2008, adding them to the existing border search exemption that allows routine searches and seizures without a warrant or probable cause. The ACLU is appealing the ruling. [ComputerWorld] [Ars Technica] [NextGov] [WIRED] [ComputerWorld] [Decision] [Notice of Appeal]
US – FTC’s Accretive Settlement Means 20 Years of Audits
Medical billing and revenue management services firm Accretive Health has settled charges with the Federal Trade Commission (FTC) that its inadequate data security exposed sensitive consumer information. The FTC said the company, which had access to such sensitive data as birthdays, names, Social Security numbers and billing information, failed to provide “reasonable and appropriate” security measures to protect the data and failed to ensure employees destroyed data that was no longer needed. Accretive must now establish a comprehensive program to be audited every two years for the next 20 years. Meanwhile, FTC Commissioner Julie Brill has recused herself from the case against LabMD. [FTC Press Release]
US – NY Parents, Districts Worry About Database Privacy
Even as their students’ grades, attendance and other personal information are about to be fed into a new statewide database, district administrators and parents around New York say they remain unconvinced the information won’t creep out over time or hurt students later when they apply for college or work. There are also questions about why the database pulling together hundreds of pieces of information in one place is needed, and a key state lawmaker has called for delaying the process set to start after Jan. 1. New York has signed up with Atlanta-based inBloom, which has struggled to get other states to participate, to create a system that stores student information on servers in the so-called cloud, accessed through the Internet. It’s seen as a tool to track student progress, personalize instruction and identify students who may be in danger of not graduating. Parents can also check on how their children are doing. But weeks of assurances by the state Education Department still haven’t satisfied critics’ privacy concerns. About three dozen of the state’s 695 districts say they won’t use the portal, forfeiting their shares of more than $700 million in federal Race to the Top funding won in 2010 and tied by the state to the database. State lawyers are due to respond this week to a legal challenge by 12 New York City parents seeking to block the state from sharing student information for the database, which is expected to go live in March. [Associated Press]
US – Judge Finds Accounting Firm Stole From Cloud in Landmark Ruling
In a landmark ruling that could impact Internet data rights nationwide, a judge found a Midtown-based accounting firm liable for stealing information from the online storage system known as “the cloud.” Manhattan Federal Judge Robert Sweet ruled that Weiser Capital Management took wealth manager Debra Schatzki’s valuable business records off the cloud without her permission and locked her out of her own database — a move that could cost the company millions of dollars when damages are decided at a civil trial next month. The valuable records included years of personal financial information for 12,300 of Schatzki’s clients, including high-net-worth real estate and architecture execs. Her lawyer believes the ruling last month may be the first time a judge has held someone liable for taking information from the cloud, and could have a sweeping impact because more and more people are using cloud tools such as Google Drive and Dropbox to store and share files. “By ruling as he did, Judge Sweet is protecting all businesses and individuals who elect to keep confidential materials on the cloud,” said Schatzki’s lawyer James Mahon. [NEW YORK DAILY NEWS] See also: [Ars Technica’s Four Tech Legal Cases to Watch in 2014]
US – Judge: Hulu Privacy Lawsuit Will Continue
A federal judge has ruled that a privacy lawsuit against video-streaming service Hulu must continue. U.S. Magistrate Judge Laurel Beeler rejected an argument submitted by the company that users must show actual injury to recover damages, even if they could be considered “aggrieved” persons under the Video Privacy Protection Act. The now-rejected argument by Hulu stated the law “was not adopted to impose multi-billion dollar liability on the transmission of anonymous data where no one suffers any actual injury.” Beeler ruled that “the statute requires only injury in the form of wrongful disclosure…” The judge did not rule on the merits of the case. Courthouse News Service reports that a summary judgment hearing is scheduled for February 6. [Reuters]
US – Coalition of Internet Firms Worried About NIST Framework
Some major Internet companies comprising the Internet Commerce Coalition say the National Institute of Standards and Technology’s proposed privacy framework would be “potentially burdensome,” therefore discouraging some organizations from adopting it. The final draft of the framework is to be released in February, and privacy is built into its requirements. The coalition says it favors a methodology developed by Hogan Lovells’ Harriet Pearson under which firms would be required to follow a more general scheme rather than the privacy appendix suggested in the framework now. [FierceGovernmentIT]
Privacy Enhancing Technologies (PETs)
AU – Privacy Issues in Designing Mobile Apps
The Office of the Australian Information Commissioner (OAIC) recently released a guide under the title “Mobile Privacy: A better practice guide for mobile app developers” (the Guide). The intention of the Guide is to assist app developers with building “privacy-friendly” apps to ensure better privacy practices and also ensure compliance with Australian privacy laws, both under the existing National Privacy Principles, and the incoming Australian Privacy Principles, which will commence from 12 March 2014. The Guide encourages developers to adopt a “privacy by design” approach that aims at building privacy and data protection up front, into the design specifications and architecture of the technology used as part of the app. Such an approach will ensure that privacy considerations are incorporated into each stage of app development. The Guide also sets out a number of “essentials” that an app developer should consider when designing their app. [mondaq.com] See also: [US FTC Says App Developers Must Shine More Light on How They Use Data]
Security
US – DOE Inspector General’s Report Notes Lack of Patching as Contributing Factor to Breach
The US Department of Energy (DOE) system breached earlier this year was not kept current with patches. According to a report from the Office of Inspector General of DOE, “Critical security vulnerabilities in certain software supporting the management information system (MIS) application had not been patched or otherwise hardened for a number of years.” Database administrators may be reluctant to apply patches because they can have the added effect of introducing “behavioral changes.” [DarkReading] Background:
www.history.navy.mil/library/online/computerattack.htm | hwww.sans.org/critical-security-controls/guidelines.php | http://ist.mit.edu/security/patches ]
US – NSA Tailored Access Operations Unit Provides Specialized Hacking Services
According to a story published in German magazine Der Spiegel, a special NSA unit has a “catalog” of hacking tools that can be used to infiltrate systems and individual computers, steal data, plant backdoors, impersonate GSM base stations to intercept mobile phone calls, and perform a multitude of other high-end cyberespionage tasks. The unit, known as the Office of Tailored Access Operations (TAO), also reportedly hijacks Microsoft’s crash reporting system to help gain access to targeted machines. [Spiegel] [WIRED] [CS Monitor] [DarkReading] [ComputerWorld] SEE ALSO: [U.S., Russia Hold Cybersecurity Talks] See also: [Internet privacy to be key IT security topic of 2014]
WW – Researchers Create Malware Able to Jump Non-Connected Devices
Newly developed malware is capable of communicating between devices not connected to any active networks. The malware now threatens the “air gap” often used to protect data, the report states. Researchers were able to use the built-in microphones and speakers within PCs to establish communication via inaudible audio signals within a distance of 65 feet. The proof-of-concept software has been outlined in the Journal of Communications. In the report, the researchers said, “The concept of a covert acoustical mesh network renders many conventional security concepts useless, as acoustical communications are usually not considered.” [Ars Technica]
CA – Feds Sought to Ban USB Drives to Curb Risk of Privacy Breaches
Fearing it may lose sensitive information on First Nations peoples, the Department of Aboriginal Affairs decided earlier this year to ban the use of USB keys to transport data — then realized instituting the new rule without an alternate plan was doomed to fail. That conclusion came after a security blitz in March that found “vulnerabilities that needed to be addressed” within the department, according to a briefing note to the deputy minister. That briefing note went on to say that a ban on the use of portable data devices “is known,” but enshrining it in policy was no simple task. “Issuing direction before it can be enforced and before the tools are available to support compliance, encourages people to disregard it. This increases the risk of intentional breaches,” the note says. [Calgary Herald]
Surveillance
US – NSA Developed Backdoor for iPhones
A news story in German magazine Der Spiegel said that NSA spyware known as DROPOUTJEEP can give anyone using it access to most everything on infected iPhones. The tool harvests text messages and voicemail and is capable of switching on the device’s microphone and camera remotely. Apple has denied that it worked with the NSA to put the backdoor in iPhones. In a statement to the Wall Street Journal, Apple officials said. “Apple has never worked with the NSA to create a backdoor in any of our products, including iPhone. Additionally, we have been unaware of this alleged NSA program targeting our products.” [NBC News] [SC Magazine] [ZDNet] [CNET] [ComputerWorld] SEE ALSO: [Backdoor in Certain Combination Wireless Router/DSL Modems] see also: [Companies Investigating Reports of NSA Backdoors in Their Products]
US – NSA Intercepts Computer Deliveries, Says Report
A German magazine lifted the lid on the operations of the NSA’s hacking unit, reporting that American spies intercept computer deliveries, exploit hardware vulnerabilities, and even hijack Microsoft’s internal reporting system to spy on their targets. Der Spiegel’s revelations relate to a division of the NSA known as Tailored Access Operations, or TAO, which is painted as an elite team of hackers specializing in stealing data from the toughest of targets. Der Spiegel said TAO had a catalogue of high-tech gadgets for particularly hard-to-crack cases, including computer monitor cables specially modified to record what is being typed across the screen, USB sticks secretly fitted with radio transmitters to broadcast stolen data over the airwaves, and fake base stations intended to intercept mobile phone signals on the go. The NSA doesn’t just rely on James Bond-style spy gear, the magazine said. Some of the attacks described by Der Spiegel exploit weaknesses in the architecture of the Internet to deliver malicious software to specific computers. Others take advantage of weaknesses in hardware or software distributed by some of the world’s leading information technology companies, including Cisco Systems, Inc. and China’s Huawei Technologies Ltd., the magazine reported. Der Spiegel cited a 2008 mail order catalogue-style list of vulnerabilities that NSA spies could exploit from companies such as Irvine, California-based Western Digital Corp. or Round Rock, Texas-based Dell Inc. The magazine said that suggested the agency was “compromising the technology and products of American companies.” Old-fashioned methods get a mention too. Der Spiegel said that if the NSA tracked a target ordering a new computer or other electronic accessories, TAO could tap its allies in the FBI and the CIA, intercept the hardware in transit, and take it to a secret workshop where it could be discretely fitted with espionage software before being sent on its way. Intercepting computer equipment in such a way is among the NSA’s “most productive operations,” and has helped harvest intelligence from around the world, one document cited by Der Spiegel stated. One of the most striking reported revelations concerned the NSA’s alleged ability to spy on Microsoft Corp.’s crash reports, familiar to many users of the Windows operating system as the dialogue box which pops up when a game freezes or a Word document dies. The reporting system is intended to help Microsoft engineers improve their products and fix bugs, but Der Spiegel said the NSA was also sifting through the reports to help spies break into machines running Windows. [Der Spiegel]
US – If NSA Can’t Store Phone Data, Who Will?
Following the revelation that the NSA has been storing vast quantities of phone call metadata and a federal judge’s opinion that the practice is “almost certainly” unconstitutional, the government is considering alternatives to the agency holding the data. Some have suggested requiring the phone companies themselves to retain the data and requiring that the NSA meet strict guidelines when requesting to look at them, but that involves expense and puts the telecoms in the position of being the target of data breaches. Furthermore, unless the data retention arrangement was clearly specified to be for counterterrorism purposes only, the companies could find themselves receiving data requests from federal agents as well as state and local governments. A proposal that would establish a third-party entity to retain the data poses similar problems; as one unnamed senior Senate aide observed, “You’d have to demonstrate why that organization having those records provides any less privacy concern than giving it to the NSA, which operates under very strict privacy guidelines.” [Washington Post] SEE ALSO: [How the Grinch steals Christmas — he tracks your kid online] and [‘Tis the season: Retailers collecting customer data to boost sales]
US – Opinion: Nation Needs Reforms
In an op-ed piece, members of the President’s Review Group on Intelligence and Communications Technologies, appointed in August, write that “the nation needs a package of reforms that will allow the intelligence community to continue to protect Americans, as well as our friends and allies, while at the same time affirming enduring values, involving both privacy and liberty.” The group has made 46 recommendations to President Barack Obama. Another NYT article discusses the repercussions if Obama adopts the advisory group’s most far-reaching recommendations, which may “go a long way toward determining the legacy of his presidency.” Meanwhile, author David Eggers says U.S. writers must take a stand on U.S. surveillance. [New York Times]
US – NSA Review Panel Urges Major Oversight, Some Restrictions
A review panel of outside intelligence and legal experts on Wednesday released its report to President Barack Obama recommending increased oversight and some restrictions on the National Security Agency (NSA) surveillance programs. Among the 46 recommendations, the panel urged Obama to restructure the NSA’s metadata collection program by having telecommunications companies or a private consortium hold the data and only share it after the agency provides an approved court order “for queries and data mining.” The panel also recommended the agency halt its practice of creating “backdoors” into hardware and software as a secret way to manipulate devices and online systems. Sen. Ron Wyden (D-OR) said, “This has been a big week for the cause of intelligence reform,” and the Center for Democracy and Technology’s Greg Nojeim called the report “remarkably strong.” Obama reportedly said he was “open to many” of the recommendations. [The New York Times] [Analyzing the NSA Review Panel Report]
US – Federal Judge Rules NSA Program Likely Unconstitutional
A federal judge has ruled that the U.S. National Security Agency’s phone metadata collection program is likely unconstitutional. U.S. District Court Judge Richard Leon, an appointee of former President George W. Bush, said the program appears to violate the Fourth Amendment and the Justice Department has not successfully demonstrated that the program has thwarted terrorism. This roundup for The Privacy Advisor looks into the ruling and gathers together media reactions. [Politico]
US – Judge Rules NSA’s Data Collection is Legal
A federal judge in New York has ruled that the NSA’s wholesale collection of phone call metadata is legal. US District Judge William Pauley said the data collection is allowed under Section 215 of the Patriot Act, because telecommunications companies collect the data. The ruling comes in a lawsuit brought by the American Civil Liberties Union (ACLU), which challenged the NSA’s data collection program. In contrast, a ruling from another district judge earlier this month described the program as “likely unconstitutional.” [CNET] [ArsTechnica] [The Register] [RULING] See also: [The most Kafkaesque paragraph from today’s NSA ruling]
US – NSA Data Gathering Cases Raise Question of Legal Precedent’s Validity in the Digital Age
The two diametrically opposed opinions on the legality of the NSA’s telephony metadata collection raise the question of whether a 34-year-old US Supreme Court ruling applies in the case. In 1979’s Smith v. Maryland, US Supreme Court found that people do not have a “reasonable expectation of privacy” for information that they have voluntarily disclosed to a third party. Last week, US District Judge William Pauley ruled that the precedent does apply and that the NSA’s data collection program is legal. However, several weeks ago, US District Judge Richard Leon wrote, “When do present-day circumstances … become so thoroughly unlike those considered by the Supreme Court thirty-four years ago that a precedent like Smith does not apply? The answer … is now.” [The Atlantic]
US – Tech Giants Meet with Obama, Talk NSA
A high-level meeting took place between President Barack Obama and chief executives from 15 of the country’s largest technology companies to discuss, in part, National Security Agency (NSA) surveillance programs. In a post-meeting statement, the executives said they urged Obama “to move aggressively on reform…” They also raised concerns that foreign countries, such as Brazil, may prevent user data from flowing to the U.S., which could hurt the executives’ businesses as well as the U.S.’s start-up economy. Though the White House made no commitments, it reportedly expressed sympathy with the web companies’ call for more transparency about government requests for user data, and it told the executives that government action to reform NSA surveillance would happen in the new year, the report states. Meanwhile, Bloomberg reports Monday’s ruling on the NSA could move to the Supreme Court. [The New York Times]
Telecom / TV
UK – Kate Middleton & Prince Harry’s Phones Hacked, Court Hears
Rupert Murdoch’s ‘News of the World’ intercepted Kate Middleton and Prince Harry’s voicemails, prosecutors alleged in a London court. Kate Middleton and Prince Harry had their phones hacked by Rupert Murdoch’s biggest selling newspaper, a court in London heard. It is the first time the Murdoch media empire has been accused of illegally accessing the phone of a member of the royal family: previous allegations have centered on the hacking of phones used by royal aides. The now-shuttered Sunday tabloid, the News of the World, is accused of accessing Middleton’s voicemails to gain embarrassing personal details about her and Prince William. [The Daily Beast]
US Government Programs
US – 2014 National Defense Authorization Act Attempts to Address Cybersecurity Issues
The newly-passed US 2014 National Defense Authorization Act increases funding for CyberCom (US military’s Cyber Command) but the organization still lacks clarity about the rules of cyber engagement and is struggling with finding enough talented people. The bill also requires federal agencies to develop “intelligence, law enforcement, and financial sanctions” mechanisms to “suppress the trade in cyber tools and infrastructure that are or can be used for criminal, terrorist, or military activities while preserving the ability of governments and the private sector to use such tools for legitimate purposes of self-defense.” Legislators are particularly concerned about zero-day vulnerabilities being sold on the black market. The bill also requires the administration to develop “principles for controlling the proliferation of cyberweapons that can lead to expanded cooperation and engagement with international partners.” The bill does not, however, define “cyberweapon.” [NextGov] [Politico] [Politico]
US – Can Plaintiffs’ Lawyers Fill the DPA Role?
Recent Privacy Perspectives blog posts have discussed whether the Federal Trade Commission (FTC) and state attorneys general serve as de facto data protection authorities in the U.S. “Both sides are correct,” writes Jeff Kosseff, CIPP/US, “The FTC and state attorneys general help set the general requirements for privacy and data security, just as DPAs do in Europe.” Kosseff, a privacy and communications associate for Covington & Burling, writes, “But another group is playing a role in the shaping of U.S. privacy and not always in a way that benefits society.” In this installment of Perspectives, Kosseff points out that “the priorities of plaintiffs’ lawyers differ from those of independent government data protection authorities” and that “some have argued that class-action lawyers often lead to settlements that provide substantial attorneys’ fees for plaintiffs’ counsel and very little for individual class members.” [Source]
US Legislation
US – What Will 2014 Hold for the NSA and Snowden?
The tail end of 2013 brought with it continued news and reaction to the disclosures of the U.S. National Security Agency’s (NSA) surveillance programs by former contractor Edward Snowden. Perhaps most significantly, a U.S. federal judge on Friday December 27 ruled the NSA’s bulk collection of metadata on phone calls was legal. The ruling came less than two weeks after another federal judge came to virtually the opposite conclusion. In this roundup for The Privacy Advisor, we gather together the major developments and opinion stemming from Snowden’s disclosures and what may lay ahead in for the NSA in 2014. [Full Story] See also: [Snowden's Christmas message: Privacy counts] [Snowden in open letter: NSA's indiscriminate spying is 'collapsing'] [2013 Privacy Law Review] [The Year’s Top 10 Stories in The Privacy Advisor] [The Year’s Top 10 Privacy Perspectives Posts] and [Five Interviews Shed Light On What Is Going On Inside NSA] [2013 a big year for privacy? You ain’t seen nothing yet!] [The NSA and the Corrosion of Silicon Valley] [2013 is the year that proved your ‘paranoid’ friend right] and [The Dumbest Privacy Cases Of 2014 and Is Privacy Law Stupid?]
US – U.S. Court Strikes Down Drug Screening for Welfare Recipients
U.S. District Court Judge Mary Scriven has deemed unconstitutional a Florida law requiring welfare recipients to submit to drug screening. The law went into effect in July of 2011, but in October the 11th Circuit Court issued a temporary injunction. While the state fought the injunction, this latest ruling agreed with the 11th Circuit that “There is nothing so special or immediate about the government’s interest in ensuring that TANF recipients are drug free so as to warrant suspension of the Fourth Amendment.” Gov. Rick Scott has vowed to appeal the decision. [The Miami Herald]
WW – Expect APEC Privacy “Stocktake” in 2014
Australia Privacy Commissioner Timothy Pilgrim has said officials charged with developing a privacy policy for the Asia-Pacific Economic Cooperation (APEC) are planning a “stocktake” of the APEC Privacy Framework. Pilgrim also said APEC’s Data Privacy Subgroup will work with the EU to map the APEC’s Cross Border Privacy Rules system with the EU binding corporate rules system. “The idea there is to see if they can identify any gaps for the purposes of possible future interoperability between the systems,” Pilgrim said, adding, “The next step is to sit down and identify where are the similarities and where are the gaps if we want to try to move to interoperability.” [Bloomberg BNA]
US – Judge: Hulu Privacy Lawsuit Will Continue
A federal judge has ruled that a privacy lawsuit against video-streaming service Hulu must continue. U.S. Magistrate Judge Laurel Beeler rejected an argument submitted by the company that users must show actual injury to recover damages, even if they could be considered “aggrieved” persons under the Video Privacy Protection Act, Reuters reports. The now-rejected argument by Hulu stated the law “was not adopted to impose multi-billion dollar liability on the transmission of anonymous data where no one suffers any actual injury.” Beeler ruled that “the statute requires only injury in the form of wrongful disclosure…” The judge did not rule on the merits of the case. Courthouse News Service reports that a summary judgment hearing is scheduled for February 6. Full Story
US – TN Sen. Proposes Cellphone Privacy Bill
Tennessee State Sen. Mae Beavers (R–District 17) has proposed a bill that would require police to acquire a warrant before collecting cell phone data including the number dialed, from where and at what time. Tthe bill is similar to a drone surveillance law passed recently. “If you don’t get a search warrant, you can’t use it as evidence. So hopefully this will sail right through as a privacy issue to protect the innocent,” said Beavers. [WREG]
US – Kids Online Privacy Workgroup Submits Final Report
After six month of discussions, Maryland Attorney General Douglas Gansler submitted the final report of the Workgroup on Children’s Online Privacy Protection offering suggestions for better protecting children’s personal information online. The report proposes requiring the encryption of sensitive information collected from children and updating state statutory definitions of personal information, among other recommendations. The Maryland House Economic Matters Committee and the Senate Finance Committee will review the report. [Legal Newsline]
US – Sen. Proposes Employee Credit Privacy Bill
Sen. Elizabeth Warren (D-MA) has introduced the Equal Employment for All Act, which would prohibit employers from requiring job applicants to disclose their credit history as part of the application process, repots International Business Times. Warren says the practice stacks the deck against poorer workers and can create a vicious cycle. Norm Magnuson, vice president of public affairs for the Consumer Data Industry Association says the organization supports the use of credit reports in qualifying potential employees, adding that in some cases the reports could show a pattern of irresponsible behavior.
US – How CalOPPA Changes Affect the App Industry
This article from Wired outlines the impact recently passed amendments to the California Online Privacy Protection Act will have on the app industry. The provision stating that publishers must “disclose whether third parties may collect Personally Identifiable Information over time from different websites” poses particular concern to app developers because of their methods of tracking users. The report also states, “Browser and app developers need to decide what ‘Do-Not-Track’ signals their products should offer and how to communicate the functionality to consumers and operators of commercial websites or online services.”
US – Congresswoman Pushes for Health Exchange Notification Law
Rep. Diane Black (R-TN) has introduced legislation to require the government to notify individuals if their personal information is breached through the Affordable Care Act’s insurance exchanges. H.R.3731 is part of a larger partisan campaign maintaining that “the exchanges are putting personal data at risk.” [National Journal]
US – Ohio Passes Student Data Privacy Bill
The Ohio House of Representatives has passed HB 181, legislation that prohibits schools from sharing students’ personal information with any federal, state or local entity without school board authorization, except in certain circumstances. The law also requires the state department of education to publish data inventory policies and procedures yearly as well as provide data collection information to the General Assembly. [The Perry Tribune]
US – Two Education Privacy Bills Pass Committee in Wyoming
The Select Committee on Education Accountability has approved two bills sponsored by Sen. Bill Landen (R-Casper) involving the state’s Department of Education. The first would create a provision in the current law barring it from committing the state to “federal oversight or regulation” and also giving it the “authority to develop an education program without excessive oversight.” The second requires the department’s directors and those of the Department of Enterprise Services to develop a data security plan and contains language used in other state’s student privacy laws. [Star-Tribune]
US – Will GAO Report Spur Action from Congress?
Last year, U.S. Senate Commerce Committee Chairman Jay Rockefeller (D-WV) asked the Government Accountability Office (GAO) to investigate privacy issues pertaining to companies that collect, aggregate and sell personal information about consumers. In late November, the GAO publicly released the resulting report, “Information Resellers: Consumer Privacy Framework Needs to Reflect Changes in Technology and the Marketplace.” The report recommends that Congress “consider strengthening the consumer privacy framework to reflect the effects of changes in technology and the increased market for consumer information.” Rockefeller is expected shortly to issue his own report on the topic, and the Federal Trade Commission is also preparing a report expected in early 2014. In this exclusive for Privacy Tracker, the Hogan Lovells privacy team looks at what the GAO examined and, in the short term, how Congress might respond to the GAO’s findings and, when they are published, Rockefeller’s. Are stronger consumer privacy protections on the way? Full Story
US – Federal Judge Rules NSA Program Likely Unconstitutional
A federal judge has ruled that the U.S. National Security Agency’s phone metadata collection program is likely unconstitutional. U.S. District Court Judge Richard Leon, an appointee of former President George W. Bush, said the program appears to violate the Fourth Amendment and the Justice Department has not successfully demonstrated that the program has thwarted terrorism. This roundup for The Privacy Advisor looks into the ruling and gathers together media reactions. [Full Story] [Politico]
US – Unpacking the Klayman v. Obama Decision
On December 16, the District Court in the District of Columbia issued an opinion finding that the National Security Agency’s (NSA) surveillance program was likely unconstitutional. In Klayman v. Obama, five plaintiffs sued a variety of government officials and private companies seeking preliminary injunctive relief based upon the assertion that the NSA program was unconstitutional and violated other statutes. In what ended up making big news, the court concluded there was a substantial likelihood the plaintiffs would prevail on their Fourth Amendment claims and issued an injunction. In this Privacy Tracker blog post, Andrew Serwin unpacks the court’s decision. Full Story
US – Can Plaintiffs’ Lawyers Fill the DPA Role?
Recent Privacy Perspectives blog posts have discussed whether the Federal Trade Commission (FTC) and state attorneys general serve as de facto data protection authorities in the U.S. “Both sides are correct,” writes Jeff Kosseff, “The FTC and state attorneys general help set the general requirements for privacy and data security, just as DPAs do in Europe.” Kosseff, a privacy and communications associate for Covington & Burling, writes, “But another group is playing a role in the shaping of U.S. privacy and not always in a way that benefits society.” In this installment of Perspectives, Kosseff points out that “the priorities of plaintiffs’ lawyers differ from those of independent government data protection authorities” and that “some have argued that class-action lawyers often lead to settlements that provide substantial attornies’ fees for plaintiffs’ counsel and very little for individual class members.” Full Story
US – Sen. Tells Data Broker Industry They’re On Notice
In a Senate Commerce Committee hearing, Sen. Jay Rockefeller (D-WV) had harsh words for the consumer data broker industry. “We have a feeling people are getting scammed or screwed,” he said. The hearing focused on the use of consumer marketing data and followed the release of Rockefeller’s report on the industry, which said that Acxiom, Epsilon and Experian were not as forthcoming with their answers to Rockefeller’s investigation as he would have liked. Rockefeller warned he may use more forceful means of getting them to share such insights. Experian Senior VP of Government Affairs and Public Policy Tony Hadley defended his company’s practices and said it has safeguards to ensure bad actors do not get consumer lists. In chilling testimony, the World Privacy Forum’s Pam Dixon discussed some of the disturbing use of data, including the selling of rape victim lists, home addresses of police officers and names of those with genetic illnesses. Rockefeller said the committee will continue to shine a spotlight on the industry. [AdAge]
Workplace Privacy
WW – Recruiters Mining Medical Data to Target Subjects
Healthcare companies are probing readily available information from data brokers, pharmacies and social networks in order to recruit patients for clinical trials. Blue Chip Marketing Worldwide, for example, found patients to experiment with an obesity drug by targeting people who presumably live sedentary lifestyles, such as those who subscribe to premium cable TV or eat at fast-food chains frequently, the report states. ”We are now at a point where, based on your credit-card history … we can get a very, very close read on whether or not you have the disease we’re looking at,” said a spokesman from one pharmaceutical product development company. [The Wall Street Journal]
US – On The 10th Day Of Privacy, My Employer Gave To Me …..
As use of social media and other technologies continue to raise serious employment-related privacy issues in the workplace, expect to see a flurry of activity in 2014 from federal and state legislatures, administrative bodies and courthouses throughout the country addressing those issues. Here are five developments that we are monitoring (pun intended) as we enter the New Year.
1. The Law Starts to Catch up With the Technology
2. So Tell Us Your Honor, What Do These Laws Mean?
3. Your Greatest Strength May Be One of Your Biggest Weaknesses
4. Wait, Our Employees work in an office not in a factory, what’s the NLRB doing here?
5. When did We Start Living in the World of George Jetson? [Mondaq News]
CA – BYOD: It Can Be Privacy and Security Protective
On December 11, 2013, Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, and TELUS released a new whitepaper applying the principles of Privacy by Design to employee owned devices in the workplace. The whitepaper, entitled “Bring Your Own Device: Is Your Organization Ready?”, sets out a five-step process for developing and implementing a BYOD program.:
- Step One: Establishing Requirements – End-User Segmentation. This involves identifying user needs.
- Step Two: Technology Alignment and Device Choice. This involves aligning permitted devices to user needs and operational considerations, as well as the level of access permitted based on the device characteristics.
- Step Three: Policy Development. In this step, the organization is to develop policies and procedures governing information security, monitoring, privacy, guidance on the use of wifi, termination of employment and other issues engaged by BYOD.
- Step Four: Security. This step requires the organization to evaluate existing and implement additional administrative, technical and physical security controls to enhance or maintain the security of the organization’s IT infrastructure and the integrity and privacy of personal information.
- Step Five: Support. In this final step, an organization to have a plan to support employees, including with respect to lost or misplaced devices.
[Mondaq News] See also: [BYOD – It can be privacy protective from Dentons] and [BYOD Participation Agreement from Dentons]
US – BYOD Became the ‘New Normal’ in 2013
A shift in the adoption of bring-your-own-device (BYOD) policies in 2013. A poll taken in January found that three of four respondents had a program in place, but two-thirds had an “anything goes” philosophy. This year, CIOs began shifting IT department cultures to embrace mobile apps in an effort to manage BYOD. “The education cycle by the vendors and analysts began to sink in,” said one expert. “Line of business managers don’t want this liability on their hands.” [Computerworld]
NZ – New Duty to Disclose Health Conditions To Employers
Employees will have to tell their employers if they have medical conditions or are taking prescription drugs that affect their productivity or expose others to harm, under provisions in a proposed bill. The Employment Relations (Safe and Healthy Workplaces) Amendment Bill is the work of police officer and anti-drugs crusader turned MP Mike Sabin. The bill would provide a legislative framework with clear obligations for employees and employers when it comes to workplace safety and drug and alcohol use. There is currently no legislative framework to guide employers and employees when managing health, safety and productivity concerns stemming from the direct and indirect effects of drug and alcohol use, Mr Sabin says. “The aim here is not to infringe on privacy or the rights of the individual…it’s simply to be able to identify a hazard and manage it,” Mr Sabin says. In the US, problems with prescription drugs are on the increase, he says. New Zealand is typically five years behind US drug-use trends and Mr Hilson hopes this bill would get introduced before prescription drug abuse becomes a bigger. [nzdoctor.co.nz]
EU – Revelations That Ikea Spied on Its Employees Stir Outrage in France
A regional court in Versailles, near Paris, is examining whether Ikea executives in France broke the law by ordering personal investigations of hundreds of people over the course of a decade. A review of the court records by The New York Times indicates that Ikea’s investigations were conducted for various reasons, including the vetting of job applicants, efforts to build cases against employees accused of wrongdoing, and even attempts to undermine the arguments of consumers bringing complaints against the company. The going rate charged by the private investigators was 80 to 180 euros, or $110 to $247, per inquiry, court documents show. Between 2002 and 2012, the finance department of Ikea France approved more than €475,000 in invoices from investigators. The case has caused public outrage in France, not only because of the company’s large consumer following in this country — Ikea’s third-largest market after Germany and the United States — but because the spying cases occurred in a country that, in the digital age, has elevated privacy to a level nearly equal to the national trinity of Liberté, Égalité and Fraternité. [The New York Times]
+++