21 January – 03 February 2017


AU – Biometric ID for 90% at Airports Raises Privacy Concerns

The Australian Department of Immigration and Border Protection is tendering for a company to provide it with an “automated processing solution” to allow for the automated processing of passengers using biometric identification. Tender documents say 90% of passengers would go through through automated processing points, which would rely on biometric capturing “including but not limited to facial, iris and fingerprints”. Biometrics Expert Prof Katina Michael said such technology had not been proven to have improved security or airport efficiency. Michael said the plan posed a risk to individual privacy and raised ethical dilemmas that had not been properly explained to the public. Michael said recent threats to the security of government-held data such as the census failure should raise real concerns about the storage of biometric data en masse. But others have played down concerns about the government’s plan. Information security expert and reporter Patrick Gray said airport passengers were already the subject of heavy surveillance and biometric testing. “Airports are already among the most surveilled places on the planet. The time to be worrying about this is when someone seriously proposes running live facial recognition against CCTV in public places like city streets and train stations with insufficient oversight on use. Then we’ve got a problem,” he said. “Better, highly-automated facial recognition is going to be a massive privacy issue one day, but the technology at least makes sense in airports.” [The Guardian]

US – Memo: New York Called for Face Recognition Cameras at Bridges, Tunnels

The state of New York has privately asked surveillance companies to pitch a vast camera system that would scan and identify people who drive in and out of New York City, according to a December memo obtained by Vocativ. which asks for surveillance at nine NYC ‘crossing points’ The call for private companies to submit plans is part of Governor Andrew Cuomo’s major infrastructure package, which he introduced in October. Though much of the related proposals would be indisputably welcome to most New Yorkers — renovating airports and improving public transportation — a little-noticed detail included installing cameras to “test emerging facial recognition software and equipment.” “This is a highly advanced system they’re asking for,” said Clare Garvie, an associate at Georgetown University’s Center for Privacy and Technology, and who specializes in police use of face recognition technologies. “This is going to be terabytes — if not petabytes — of data, and multiple cameras running 24 hours a day. In order to be face recognition compliant they probably have to be pretty high definition.” The proposed system would both scan drivers as they approached or crossed most of the city’s bridges and tunnels at high speeds, and would also capture and pair those photos with the license plates of their cars. “The biggest risk that comes with a system like this is its ability to track people, by location, by their face,” Garvie said. “So what needs to be put in place is a prohibition on the use of these cameras and the technology as a location tracking tool.” New York City wouldn’t be the first in the U.S. to have a network of facial recognition cameras for law enforcement. In 2013, for instance, the Los Angeles Police Department admitted it had deployed 16 cameras equipped with face recognition software, designed to search for particular suspects. [Vocativ]


CA – Secret Bans, Secret Trials: The Canadian ‘No-Fly’ Lists

First in a series to help you participate in the federal consultation on national security. Anti-Terrorism Act (Bill C-51) passed last year brought in the Secure Air Travel Act, which modifies the Canadian “no-fly” scheme People on one of the lists are not permitted to board airplanes (“no-fly”). People on another list are subjected to additional security scrutiny when they try to board airplanes (“slow fly”). Under the new law it is illegal to tell an individual if they are on the no-fly list or not. If you are denied boarding or delayed in security, neither the government nor the airline can confirm or deny listing. Travellers on these lists are deemed too dangerous to fly, and yet too harmless to arrest. They are restricted from boarding aircraft, but not trains, ferries, subways, or buses. The new scheme provides for an appalling and probably unconstitutional lack of due process for people listed. There is no timely and appropriate mechanism for appeal of the minister’s secret decision. Canada should repeal the Secure Air Travel Act and keep suspected terrorists away from airplanes using the existing tools under the criminal law. Micheal Vonn – September 22, 2016 – TheTyee.ca | Canada’s Secretive No-Fly List Is Only Getting Worse | Time to overhaul Canada’s no-fly program | Thousands flagged by Canada’s new air passenger screening system | Canada’s no-fly list is ‘very mysterious’ and leaves targets little recourse, say critics | . [CBC News: Kids Still Caught By No-Fly Lists Despite New Redress Office]

CA – Majority of Canadians Support Privacy Act Reform, Greater Transparency

Canadians want tougher privacy laws and for government institutions and private sector organizations to be more upfront about how they collect and use personal information, according to a new survey commissioned by the OPC that found a majority of Canadians support amendments to the Privacy Act, which covers the personal information handling practices of federal government institutions. Canadians broadly support requiring government institutions to properly safeguard the personal information they collect about Canadians (78%) and that the Privacy Act be expanded to the Prime Minister’s Office and the offices of cabinet ministers (71%). Another 69% of Canadians support granting the Privacy Commissioner order-making power to enforce recommendations made following an investigation, while 66% think government institutions should be required to take steps to assess the privacy risks of any new program or law. “Canadians agree it’s time to modernize the Privacy Act, which has gone largely unchanged since it was introduced in 1983,” says Commissioner Daniel Therrien, who recently proposed a series of amendments which were largely supported by a parliamentary committee. “This survey also confirms that Canadians are increasingly concerned about what happens to their personal information in the age of big data, biometrics and the Internet of Things. They want more transparency in their dealings with both business and government.” [Office of the Privacy Commissioner of Canada]

CA – 75% Canadians Want a National Inquiry into Surveillance of Journalists

According to a new national public opinion survey released by Canadian Journalists for Free Expression (CJFE), 70% support a new law that would allow journalists to protect the identity of confidential sources and whistleblowers. 70% of Canadians agree that placing journalists under surveillance undermines press freedom. Only 27% of Canadians agree that the CSIS or the police should use public resources to monitor organizations and advocacy groups which do not pose a known threat to national security. The potential monitoring of such groups was a core concern voiced by advocates when Bill C-51 was first introduced. The inability or unwillingness of CSIS to verify the precise number of journalists spied on in the course of federal national security investigations leaves serious questions about the state of press freedom nationwide. 72% of Canadians believe that there should be an independent crosscountry inquiry into the surveillance of journalists by police. CJFE is supporting the passage of Private Member’s Senate Bill S-231 [see here ], which would create legal protections for journalists and the sources, including whistleblowers, who allow them to undertake in-depth investigative work. 70% of Canadians support a press shield law such as Bill S-231, and 77% of Canadians feel that journalists should investigate public authorities such as the government, the police and state companies. [Canadian Journalists for Free Expression | See also: Hey Big Brother, are you listening in? How Canada is quickly becoming a surveillance nation | Canadian journalists push for ‘shield law’ to protect sources | Quebec announces details of inquiry into surveillance of reporters | ‘We were a bit naive’ about police surveillance, journalist panel says | Media surveillance highlights privacy risk to all Canadians | Canadian police spied on reporters, raising questions of press freedom | Quebec must uphold freedom of the press | Why spying on the press damages our democracy | How Montreal police were able to use legal means to track a journalist | Quebec to hold public inquiry into police surveillance of journalists | An unprecedented crisis’: Quebec government calls inquiry into spying on journalists by police | Quebec launches commission of inquiry into police spying on journalists | How Canada’s Anti-Cyberbullying Law Is Being Used to Spy on Journalists ]

CA – Govts Can Use Big Data Without Sacrificing Privacy: Ontario Commissioner

Though Brian Beamish believes that municipal, provincial, and federal governments alike have much to gain from big data, which he says could be used in sectors ranging from education to the environment to health care, it will require fundamental changes to privacy legislation involving government, citizens, and the private sector alike. Current legislation decrees that any personal information collected must be certified as “necessary,” while big data, which Beamish called “equal parts buzzword and concept,” tends to be indirectly obtained. Big data carries potential risks, Beamish acknowledged: since by definition it’s often collected automatically, and without a goal in mind, it may be inaccurate, lack information, disproportionately represent specific populations while excluding others, or be poorly collected, and applied based on pseudo-scientific insights confusing correlation with causation. The worst-case scenario, therefore, could be not only a surveillance state, but poorly delivered government services, he says. [ITBusiness.ca]

CA – OPC Investigating Complaints Around Sharing Economy

In documents obtained under access to information law, privacy commissioner Daniel Therrien’s office suggested sharing-economy companies such as Uber and Airbnb are creating a “growing risk” to Canadians’ private information. The key question, according to the documents, is who ultimately controls extremely sensitive personal information such as location data and financial information. “In the sharing economy, certain personal information — going well beyond that traditionally needed for reserving lodging and hailing taxis — is collected to establish identity and trust,” the documents read. “It is of great concern what might happen with (personal information) in the sharing economy in the event of a breach, especially given lack of clarity regarding accountability.” [The Star]


UK – 75% Brits Afraid for their Personal Data Under President Trump

Four out of five Brits are afraid that the incoming [US] president will use their personal data for his personal gain. That’s according to a poll commissioned by digital rights group Privacy International to coincide with Trump’s inauguration. The online poll was carried out by YouGov, between January 15 and 16, with 1,645 adults surveyed and the data weighted to be representative of the UK population. Why should Brits be afraid of what the incoming president means for their personal data? Because of historical intelligence sharing links between the two nations. And the fact the UK recently passed expansive new surveillance legislation that cements bulk collection as a core state investigatory strategy, including hacking en masse. The vast majority (three-quarters) of respondents to Privacy International’s poll said they want the UK government to explain what safeguards exist against Trump misusing their personal data. Privacy International notes that the historical UKUSA agreement , which was  drafted shortly after World War II , allows UK and US agencies to “share, by default, any raw intelligence, collection equipment, decryption techniques, and translated documents” [TeckCrunch | Four in Five Britons Fearful Trump Will Abuse their Data

US – Privacy Worries Are on the Rise Among US Consumers: Survey

A recent IDC survey found 84% of U.S. consumers are concerned about the privacy of their personal information, with 70% saying their concern is greater today than it was a few years ago. “Consumers can exact punishment for data breaches or mishandled data by changing buyer behavior or shifting loyalty,” said Sean Pike, an analyst at IDC, in a statement. The survey, released last week, polled 2,500 U.S. consumers about their privacy concerns across four verticals: Financial services, healthcare, retail and government. The survey found that shoppers increasingly are willing to evaluate a store’s track record for protecting personal information. “It is in a retailer’s best interest to define what information they are tracking firmly and clearly, and to provide consumers methods to manage those preferences,” IDC’s report said. “Retailers who do not take consumer data protection seriously may find that they permanently lose customers to competitors that offer more transparency and manageability of their Personally Identifiable Information.” [CSO Online]


CA – Privacy Experts Call for Rules on Gov’t Monitoring Social Media

Top privacy advocates are calling for rules to govern how government employees access Canadians’ social media posts, following the revelation that the Canada Revenue Agency checks posts on social media sites like Facebook to catch tax cheats. Privacy commissioner Daniel Therrien and former assistant commissioner Chantal Bernier say the Treasury Board should draft guidelines. Bernier, who now works as a lawyer with the firm Dentons, says it is “urgent” for the government to act. “It has become a normal manner to gather intelligence. So we absolutely must give it a framework. We absolutely must clarify what the limits are.” CBC News reported last week that the Canada Revenue Agency’s compliance section is scrutinizing the social media posts of Canadians it suspects are at “high risk” of cheating on their taxes. Among those the agency considers at high risk are wealthy individuals who have offshore bank accounts. In a 2013 report, the privacy commissioner’s office found the Justice Department and the department of Aboriginal Affairs and Northern Development Canada violated First Nations activist Cindy Blackstock’s privacy by monitoring her personal Facebook page. [CBC News See also: Canada Revenue Agency monitoring Facebook, Twitter posts of some Canadians | Twitter and Instagram ban London, Ont., company for helping police track protesters | Experts divided on social media surveillance  | Police Searches Of Social Media Face Privacy Pushback | Facebook, Instagram, Twitter block social media tool Geofeedia over protest surveillance | Facebook, Instagram, Twitter Block Tool For Cops To Surveil You On Social Media ]

AU – Govt Apologises After Thousands of Gun Owners’ Personal Details Released in Email Error

The Victorian Government has apologised to almost 9,000 gun owners after a “deeply concerning” data breach resulted in thousands of gun owners’ personal details mistakenly being emailed out. Customer service staff at the [Victoria] Department of Environment, Land, Water and Planning last month intended to email gun licence renewal forms, but uploaded the wrong attachment and accidentally sent the names, addresses and gun licence details of 8,709 people. The error occurred on eight separate occasions, with the attached files including between 800 to 1,900 names. The Shooters and Fishers Party said the mistake proves why gun registries should be dumped. On advice from the state’s Privacy Commissioner, the department is posting letters to each of the 8,709 people involved. The department has also contacted Victoria Police. [ABC.net]

EU Developments

EU – Privacy Shield Intact Despite Trump Executive Order

The Information Commissioner’s Office (ICO) says there is no indication that an executive order [ Enhancing Public Safety in the Interior of the United States ] introduced by President Donald Trump revoking protections in the country’s Privacy Act for information held by the state on non-US citizens will impact a major EU data sharing arrangement. the ICO said the US Privacy Act has never offered data protection rights to European citizens. A spokesperson for the European Commission reiterated that the Privacy Shield was one of two instruments introduced to try and safeguard personal information when transferred to the US by companies. The second mechanism, called the EU-US Umbrella Agreement, will come into force on February 1 under law adopted by the US Congress last year. It will be supported by the US Judicial Redress Act that extends benefits of the US Privacy Act to Europeans, allowing them access to the country’s courts to seek legal redress. [Government Computing Network See Also: Trump’s Executive Order Does Not Impact U.S. Privacy Shield Commitments – HoganLovells Chronicle of Data Protection | Privacy Shield: Impact of Trump’s Executive Order – Hunton & Williams | Trump’s executive order won’t destroy Privacy Shield, says EU | A White House Executive Order May Affect Validity of Privacy Shield | U.S.-EU Privacy Shield: Trump Executive Order Puts Privacy Agreement In Jeopardy | Trump order strips privacy rights from non-U.S. citizens, could nix EU-US data flows | Trump Is Killing Obama Plans For World Privacy Rights – Forbes | Trump Order Won’t Harm Privacy Shield Pact Say Attorneys | Trump’s Executive Order Does Not Impact U.S. Privacy Shield Commitments | EU Privacy Shield intact despite Trump executive order | Privacy Shield: Impact of Trump’s Executive Order | Trump’s executive order won’t destroy Privacy Shield, says EU

EU – Trump’s E.O. Doesn’t Impact US Privacy Shield Commitments

Trump’s Executive Order (EO) titled “Enhancing Public Safety in the Interior of the United States,” among other things, removed the ability of federal agencies to extend protections under the Privacy Act to anyone other than U.S. citizens or legal permanent residents. The EO does not impact any of the U.S. commitments under the Privacy Shield, nor does it revoke protections for EU citizens under the Privacy Act provided pursuant to the Judicial Redress Act. Under U.S. Constitutional law, the President cannot enact Executive Orders to overturn statutes duly enacted by Congress. Section 14 of the EO acknowledges this, stating that the EO can only be enforced “to the extent consistent with applicable law.” Therefore it cannot (and does not) revoke coverage from jurisdictions already designated as covered under the Judicial Redress Act or countries that could receive such designation in the future from the Department of Justice pursuant to the Judicial Redress Act. But even if coverage under the Privacy Act were affected by this EO—which it is not—it would not impact any explicit commitments made by the U.S. under Privacy Shield. This is for a simple reason: the Privacy Shield Framework and the European Commission’s official Adequacy Decision approving Privacy Shield did not rely on the Privacy Act’s protections. EU citizen rights under both Privacy Shield and the Privacy Act are not directly affected by this EO. However, going forward, it will be important to pay attention to European officials’ reaction to the EO. It will also be important to watch how the EO may impact the Attorney General’s designations of countries covered under the Judicial Redress Act or countries that could receive such designation in the future. [HL Chronicle of Data Protection (HoganLovells) Also See: Privacy Shield: Impact of Trump’s Executive Order | Trump’s executive order won’t destroy Privacy Shield, says EU | A White House Executive Order May Affect Validity of Privacy Shield | U.S.-EU Privacy Shield: Trump Executive Order Puts Privacy Agreement In Jeopardy | | Trump order strips privacy rights from non-U.S. citizens, could nix EU-US data flows | Trump Is Killing Obama Plans For World Privacy Rights

EU – Collecting Info from Kids, a Comparison of US law and GDPR

In the United States the Children’s Online Privacy Protection Act (“COPPA”) requires that a website obtain parental consent prior to collecting information from children under the age of 13 Historically the European Union’s Directive on data protection did not explicitly mention the privacy rights of minors, but applied the same data protection principles to children and adults alike. The EU’s new General Data Protection Regulation (“GDPR”), which goes into force in Spring 2018, specifically recognizes that “children deserve specific protection of their personal data, as they may be less aware of risks, consequences, safeguards and their rights ….” the GDPR also requires that a company obtain the consent of a parent if it offers an information society service to a child The following analysis provides a snapshot of information concerning fines. [Bryan Cave]

Facts & Stats

US – Data Breaches Increase 40% in 2016: ITRC Report

The number of U.S. data breaches tracked in 2016 hit an all-time record high of 1,093, according to a new report released by the Identity Theft Resource Center (ITRC) and CyberScout (formerly IDT911). This represents a substantial hike of 40% over the near record high of 780 reported in 2015. This raises the question: are there actually more breaches or is it because more states are making this information publicly available? In 2016, the business sector, healthcare/medical industry, education sector and banking/credit /financial sectors led the list of data breach incidents. “For businesses of all sizes, data breaches hit close to home, thanks to a significant rise in CEO spear phishing and ransomware attacks. With the click of a mouse by a naïve employee, companies lose control over their customer, employee and business data. In an age of an unprecedented threat, business leaders need to mitigate risk by developing C-suite strategies and plans for data breach prevention, protection and resolution,” said CyberScout and Vice Chair of ITRC’s Board of Directors. [Identity Theft Resource Center PR | ITRC Breach Package | Overview 2005 – 2016 See also: OCR Settles First Enforcement Action for Untimely Reporting of a Breach | The White House’s Revisions to its Breach Response Policy For Federal Agencies and Departments Also Affect Contractors | U.S. Promotes Risk-Based Data Breach Response Model | OMB Publishes Memorandum on Responding to Data Breaches | White House Issues Data Breach Guidance for Federal Agencies | White House issues gov’t-wide breach notification protocols ]


CA – CRA Transfer Bank Records to US Tax Agency Doubled Last Year

The Canada Revenue Agency transmitted 315,160 banking records to the IRS on Sept. 28, 2016 — a 104% increase over the 154,667 records the agency sent in September 2015. The transmission of banking records of Canadian residents is the result of an agreement worked out in 2014 between Canada and the U.S. after the American government adopted FATCA. The U.S. tax compliance act requires financial institutions around the world to reveal information about bank accounts in a bid to crack down on tax evasion by U.S. taxpayers with foreign accounts. Prime Minister Justin Trudeau, Treasury Board President Scott Brison and Public Safety Minister Ralph Goodale have dropped calls to scrap the deal, which they had made before the Liberals came to power. Privacy Commissioner Daniel Therrien has raised concerns about the information sharing, questioning whether financial institutions are reporting more accounts than necessary. Therrien has also suggested the CRA proactively notify individuals that their financial records had been shared with the IRS. However, the CRA has been reluctant to agree to Therrien’s suggestion. Lynne Swanson, of the Alliance for the Defence of Canadian Sovereignty, which is challenging the information sharing agreement in Federal Court [says] “A foreign government is essentially telling the Canadian government how Canadian citizens and Canadian residents should be treated. It is a violation of the Charter of Rights and Freedoms.” [CBC News See also: FATCA has Americans renouncing citizenship, tax lawyer says | So now the CRA is going after infants? | Appearance before the Standing Committee on Access to Information, Privacy and Ethics on the Transfer of Information to the United States Internal Revenue Service (IRS) | The Liberal privacy campaign that died with the election | Liberals flip-flop on privacy rights | Brison, Garneau endorse deal to share Canadian banking records with IRS | Trudeau Liberals reverse position on controversial IRS information sharing deal ]

US – Financial Industry Reg. Authority Seeks Comment on Blockchain

On Jan. 18, 2017, the Financial Industry Regulatory Authority (FINRA) published a report examining the impact of blockchain [distributed ledger technology (DLT)] on the financial services industry. While DLT’s development and implementation across industries are evolving at different rates, a recent World Economic Forum report predicts that, by 2025, 10 percent of GDP will be stored on blockchains or blockchain-related technology, and finds that over the past three years the financial services industry has invested more than $1.4 billion in DLT. According to FINRA, there are several regulatory issues financial service institutions should consider while exploring DLT, including customer data privacy, record keeping, know your customer, and anti-money laundering. More specifically, FINRA recommends that firms participating in a DLT network evaluate and update their procedures and security measures to ensure compliance with customer data privacy rules. FINRA is encouraging all interested parties to provide comments on all aspects of the report by March 31, 2017. Information on how to comment is provided at the end of the report. [Data Privacy Monitor (BakerHostetler) | Chain Previews New Blockchain Privacy Tech ‘Confidential Assets’ See also: A Complete Beginner’s Guide To Blockchain | Blockchain’s brilliant approach to cybersecurity | Crypto-Currency Software Emerges as Tool to Block Cyberattacks | Power Arrangements in Identity Systems | Why Etherium is the most promising Blockchain technology | Privacy fix for blockchain from Blythe Masters | How blockchain can help fight cyberattacks | Using Blockchain to Protect Against Data Tampering | Legal implications of expanded use of blockchain technology ]

Health / Medical

US – HHS Modifies Drug and Alcohol Abuse Confidentiality Regulations, Proposes Additional Revisions

On January 18, 2017, the U.S. Department of Health and Human Services, Substance Abuse and Mental Health Services Administration (SAMHSA) released the Final Rule modifying the federal regulations governing the confidentiality of drug and alcohol abuse patient records. Largely following the changes that SAMHSA introduced in the 2016 Notice of Proposed Rulemaking (Proposed Rule), the Final Rule may have fallen short of many providers’ desire for less complexity in the rules and a more practical balance between patient privacy and facilitating the provision of care. The authors consider, these 11 points: 1) Background; 2) Effective Date; 3) New and Expanded Definitions; 4) Patient Consent – Designating the Recipient of Information; 5) List of Disclosures; 6) Additional Modifications to Form of Consent; 7) The Notice to Patients of Federal Confidentiality Requirements; 8) Security for Electronic Records; 9) Re-disclosure Requirements; 10) Additional Disclosures; and, 11) Additional Guidance on Disclosures for Payment and Operations to Follow [Bass, Berry & Sims | Also See: Research Data Privacy Regulations Updated in Final Federal Rule | Researchers, privacy experts clash on new human research rule | Patient advocacy groups worry about lax consent requirements in Common Rule]

CA – Yukon Gov’t Workers’ File Complaint over Privacy of Health Info

The Yukon Employees Union (YEU) says it’s worried about how the government handles sensitive medical information of its 3,700 workers. “Basically what we wanted to find out was, when a department gets some medical information, where does it go, who has custody of it, how long is kept, that type of thing. We couldn’t get a straight answer from anybody,” [Union president Steve] Geick said. Geick said the complaint filed with the Yukon privacy commissioner has triggered what he calls a “government-wide privacy impact assessment.” [CBC See also: Yukon gov’t vows privacy not at risk after commissioner raises concerns | Act doesn’t need overhaul: privacy commissioner | Yukon privacy commissioner sounds alarm over gov’t review | Yukon government releases scathing review of access-to-information laws | Health department, psychiatrist lock horns over sharing of private medical information | Yukon gov’t denies asking doctors for sensitive medical files | Yukon gov’t routinely demands to see patients’ private medical records, doctors say | | Northern Ontario doctors rebel over Health Canada rules that breach First Nation patient’s privacy | Health Canada breaches Indigenous patients’ privacy, MDs say ]

UK – Gov’t Refuses to Enforce Privacy Code on NHS Staff Using Video

The government has rejected a request by the surveillance camera commissioner Tony Porter to monitor CCTV and body-worn video cameras in hospitals. The body cameras are deployed in hospitals in an effort to tackle abuse of frontline health service staff. It emerged that Porter had warned ministers last year that the privacy of millions of NHS patients was put at risk by the unchecked use of the cameras. Porter recommended adding NHS trusts to a list of public bodies required to comply with a code of practice on the use of surveillance A letter to Porter sent last week from the home office minister Brandon Lewis, and released by the government on Wednesday, said the recommendation was unnecessary as: “We had not exhausted the possibilities of increasing voluntary compliance.” Porter said the government’s decision to allow surveillance to go unchecked in the NHS raised a series of questions about the privacy of patients. [Guardian]

Identity Issues

CA – Canada’s ‘Pre-Crime’ Model of Policing Is Sparking Privacy Concerns

In cities across Canada, police are partnering with social service agencies that work in housing, addictions, mental health, and child welfare to identify and intervene with people who they believe are at risk of harming themselves or others. Proponents say this pre-crime approach, called the Hub and COR, is the future of law enforcement and social service delivery. But some experts warn that taking a data-driven approach to solving social problems can lead to discrimination. Hubs rely on public health agencies and social services to share unprecedented amounts of information about their clients with police. The disclosure of personal health information is tightly regulated by provincial law, and while Hub guidelines encourage agencies to get consent before sharing it, agencies can get around these requirements thanks to language in health privacy laws that lets them share an individual’s personal information if a “probability of harm” exists. Hubs inspired by the Prince Albert model have been rolled out in more than two dozen Canadian cities, including Toronto, Ottawa, Surrey, Edmonton and Halifax, with participation from police at the local, provincial and federal levels. Ontario’s IPC hasn’t conducted a formal privacy assessment of Hubs in the province. Beamish said that his office worked with the provincial Ministry of Community Safety and Correctional Services (MCSCS) to develop information sharing guidelines for Hubs, but they’re not necessarily mandatory. Risk-driven policing also involves storing and analyzing the data gathered by Hubs. In Saskatchewan, every Hub in the province has access to a centralized database of information. MCSCS spokesperson Brent Ross said that Ontario Ministry maintains a Hub database that does not contain personally identifying information. Valerie Steeves, a professor of criminology, said that while Hubs have good intentions, the information used to assess young people often doesn’t tell the whole story. “One of the things being used to identify risk of suicide or depression is the posting of ‘emo’ lyrics [online].” said Steeves. She also noted the rise of companies that train school staff how to surveil students on social media to identify risk factors. “This surveillance makes it tough for [kids] to develop relationships of trust with people in the real world who might be better placed to help them.” [Motherboard] Also See: [Calgary police to launch terrorism intervention program | NHS Tayside scraps data sharing form after Named Person court ruling | Health board scraps leaflet after Named Persons ruling | Supreme Court rules against Named Person scheme

CA – Putting A Dollar Figure on Breach of Privacy In Canada

Section 16 of PIPEDA authorizes courts to award damages, including damages for humiliation that a complainant has suffered, arising from a breach of the legislation. Over the past few years there has been an evolution towards courts awarding greater damages amounts. In the notable case of “Chitrakar v. Bell TV” [see here], involving a non-consensual credit check the Federal Court awarded the applicant $10,000 in damages, $10,000 in exemplary damages, plus $1,000 in costs. The court acknowledged the difficulty of assessing damages absent evidence of direct loss, but in a marked departure went on to say “there is no reason to require that the violation be egregious before damages will be awarded”. Nevertheless, given the PIPEDA requirement that a complaint assessment by the Privacy Commissioner be completed prior to an application being filed with the Federal Court, it has been difficult to envision how the statutory damages regime could be leveraged in support of a class action lawsuit. In June of 2014 the first Ontario class action was certified based on the tort of intrusion on seclusion in the case of “Evans v. The Bank of Nova Scotia” [see here ] (there have subsequently been other intrusion on seclusion based class actions certified both in Ontario and elsewhere in Canada). The Evans case was settled in 2016 when the bank agreed to pay each of the identity theft victims an additional amount of approximately $7,000 (giving rise to a total payout of approximately $1.1M plus actual losses suffered) in return for a full release. The settlement in Evans involving a deep-pocketed and well-advised defendant should be seen as important additional evidence that the activist stance taken by Canadian courts in response to innovative lawsuits launched by individuals seeking redress for alleged breaches of privacy rights must be accommodated and that policies, procedures and technologies aimed at minimizing the risk of privacy breaches are to be proactively implemented by organizations operating in this fast changing enhanced risk exposure environment. [Mondaq]

Law Enforcement

CA – Why Police Services Are Not Adopting Body Cameras

Thousands of law enforcement agencies in the U.S. have already implemented BWC technology. Conversely, only a handful of agencies in Canada have adopted body cameras. Among the larger services, only Toronto, Calgary, Edmonton, and Montreal have tested or are currently studying the technology. The only police service in the country to standardize BWCs for its officers is the Amherstburg Police Service — a small agency in southwestern Ontario. Why is body camera adoption in Canada moving at a snail’s pace compared to that of the U.S.? One reason is because of the cost. However, the most important reason agencies in Canada are not rushing to adopt BWCs is because of policy concerns. Creating an effective policy may be one of the most challenging issues regarding this technology. There has yet to be a definitive discussion around privacy, officer discretion over recording, access to footage, and storage. The Office of the Privacy Commissioner of Canada published a guide in 2015 for the use of BWCs by law enforcement agencies. The document addresses the issues around privacy, access, and storage, but it only serves as a guideline for agencies wishing to adopt BWCs. Thus, local agencies are responsible for creating and enforcing a BWC policy. For most police services in Canada, and for the communities they serve, it may be wiser to spend money on necessary resources or invest it back into the communities rather than take a risk on something that has yet to be proven. [Huffington Post Canada | See also: Technical hurdles mean no body-worn cameras for Mounties, for the time being | RCMP decides not to outfit officers with body-worn cameras | Police body cams not ‘worthwhile’ if officers can turn them off, lawyer says | Calgary police say body cameras unreliable in the field; possible legal battle ahead | Mounties wearing video cameras told to record use of force | Canadian police forces moving towards costly body cameras

Online Privacy

US – FTC Extends Privacy Principles to Cross-Device Tracking

Ad-tech companies that track consumers across their smartphones, laptops and other devices should inform consumers — as well as publishers and app developers — about the practice, the Federal Trade Commission recommends in a new report. The agency adds that companies engaged in cross-device tracking should allow consumers to opt out of the practice, and should only track “sensitive” data, including some health and financial information, with consumers’ opt-in consent. The new staff report also advised companies that they should not refer to information that can be linked to users — or their devices — as “anonymous. “Often, raw email addresses and usernames are personally identifiable, in that they include full names,” the report states. “Even hashed email addresses and usernames are persistent identifiers and can be vulnerable to reidentification in some cases.” [MediaPost | Not Much Fresh Advice in FTC Cross-Device Tracking Report | FTC Releases Cross-Device Tracking Report | FTC Staff Report Details Best Practices for Cross-Device Tracking | FTC Staff Issues Long-Awaited Cross-Device Tracking Report | FTC Extends Privacy Principles To Cross-Device Tracking | FTC’s Cross-Device Study Reveals Opacity of Data-Sharing Practices]

WW – Facebook Revamps ‘Privacy Basics’ User Guide

Facebook updated [see here ] its Privacy Basics [introduced in 2014] user guide to make it easier for people to learn how to protect their personal information on its platform. the guide has been updated to answer the most frequently asked questions and reorganized to make it even easier for people to find answers. Facebook said Privacy Basics now has 32 interactive guides available in 44 languages, which should allow many of its 1 billion users to learn how to limit what they share on the social network. Privacy Basics also explains how people can control their ad experience and bolster their account’s security. Facebook said the updated Privacy Basics are part of a broader push to educate people about their privacy The updated Privacy Basics can be found on Facebook’s website. The company also released a short video about the new guide. [Tom’s Hardware]

Other Jurisdictions

AU – Landmark Australian Ruling on What Counts as ‘Personal Information’

A full bench of the Federal Court has served a rebuff to Australian Privacy Commissioner Timothy Pilgrim, who has been fighting to secure a broad definition of personal information in the courts, to ensure that everything that could reasonably be used to identify an individual will fall under the protection of the Privacy Act. But federal court judges dismissed the commissioner’s appeal, siding with Telstra and the Administrative Appeals Tribunal over whether the telco needs to hand a full suite of telecommunications metadata over to Telstra customer and former Fairfax journalist Ben Grubb, under the personal information access provisions of the Act. The case has hinged on whether metadata stored by Telstra is information “about” Ben Grubb or “about” the service delivered to him. Privacy Commissioner Pilgrim warned earlier this year that the case would set the parameters for “arguably the most important term in the Privacy Act”. Today’s ruling establishes a narrower definition of personal information than the Privacy Commissioner would like. [itNews (Australia) See also: Australia’s privacy laws gutted in court ruling on what is ‘personal information’ | The Australian “Ben Grubb” decision and its link to Canada | Federal Court interprets ‘personal information’. What’s it all about people? | Landmark Australian ruling on what counts as ‘personal information’ | Australia’s privacy laws gutted in court ruling on what is ‘personal information’ | [Federal Court interprets ‘personal information’. What’s it all about people? ]

CH – Beijing Clamps Down Tighter On Web Use With New VPN Ban

The Chinese government has announced new restrictions on operating VPNs that in effect make it illegal to offer them without approval to anyone other than large organisations. The officials who run the so-called Great Firewall of China have been experimenting with VPN-blocking for a couple of years, but this is the first time a formal legal clampdown has been put into effect. The best-known providers include VyperVPN (Golden Frog), StrongVPN, Astrill, and ExpressVPN, all of which are based outside China. This raises the obvious question of how China can stop them. With the effect on providers uncertain – disruption has been reported but it’s hard to say how much – this could be another case of a cat chasing an unexpectedly large mouse. According to Golden Frog’s co-CTO, Phil Molter: “China has targeted VPN providers in the past but VyprVPN has been able to quickly and effectively update our service to defeat these blocks.” The VPN clampdown comes only days after China announced a similar tightening of restrictions on mobile app stores, which must now register with the country’s Cyberspace Administration. [Naked Security See also: China Orders Registration of App Stores

Privacy (US)

US – Court Declines to Reconsider Microsoft Email Seizure Ruling

A split U.S. Court of Appeals for the Second Circuit denied rehearing a July decision the Justice Department says handicaps investigators by making it easier for criminals to move incriminating data outside their reach, and that Microsoft defended as a victory for privacy rights. The vote leaves the Supreme Court as the last resort for U.S. investigators trying to get data from Microsoft and other internet service providers who poured into the case as amici. All four of the judges who wanted en banc rehearing issued dissents slamming the July decision [which] explored the limits on extraterritorial application of U.S. laws outlined by Morrison v. National Australia Bank Ltd. , 561 U.S. 247 (2010), and held Congress did not explicitly authorize the offshore reach of the Stored Communications Act. Judges Susan Carney, Robert Katzmann, Peter Hall and Denny Chin voted to deny, with Carney answering the dissents. Carney said the focus of the privacy protections in the SCA is at the place of data storage, so “the execution of the warrant would have its effect when the service provider accessed the data in Ireland, an extraterritorial application of the SCA.” [New York Law Journal] See also: Court Keeps Microsoft’s Irish Servers Safe From U.S. | US government wants Microsoft ‘Irish email’ case reopened | Lawmakers question DOJ’s appeal of Microsoft Irish data case | Microsoft Cloud Warrant Case Edges Closer to Supreme Court | Government Seeks Do-Over On Win For Microsoft And Its Overseas Data | Microsoft’s cloud privacy battle may go to US Supreme Court | Court Declines to Reconsider Microsoft Email Seizure Ruling | Court Keeps Microsoft’s Irish Servers Safe From U.S.  | US government wants Microsoft ‘Irish email’ case reopened ]

US – New Privacy Report Already Removed from White House Site

Following the inauguration of President Donald Trump, the “Privacy in our Digital Lives: Protecting Individuals and Promoting Innovation” report was removed from the White House website (It can still be found here.) the irony seemed particularly fitting. Civil liberties advocates worry about potential privacy infringements that could emerge under an administration that has promised to strengthen law enforcement, enhance surveillance efforts and monitor immigrant groups, steps that could very well involve increased data collection by the U.S. government, some of it derived from the same commercial sources advertisers use. Pam Dixon, executive director of World Privacy Forum, calls this moment a defining one. “The privacy movement has to mature right now,” she said. “The concern that I have is we are going to have very aggressive implementations of technology that are not preceded by policy.” Ms. Dixon cited her most immediate concern, national identity cards. [Adage]

US – Mississippi Attorney General Sues Google Over Student-Data Privacy

Last week, Mississippi state attorney general Jim Hood filed a lawsuit alleging that Google’s policies and practices regarding online tracking of students remain unclear, despite the company’s public pledge to not collect and use student data for commercial purposes, such as targeting advertisements to students. The suit seeks to force Google to be more transparent about its free, web-based G Suite for Education service, used by tens of millions of students worldwide, including more than half of the roughly 500,000 K-12 students in Mississippi. In its lawsuit, the state alleged that Google uses student GSFE accounts to track Mississippi K-12 students in order to build profiles that can be used for advertising. The state also accuses Google of failing to abide by its own privacy policies, terms of service, contracts, and agreements, as well as the public commitment it made in signing the Student Privacy Pledge. Some observers expressed skepticism about the suit. The Future of Privacy Forum, the industry-affiliated Washington think tank responsible for the Student Privacy Pledge, reiterated its belief that “Google’s practices are consistent with its obligations under the pledge.” In a blog post, the group noted that Google clearly states that no ads are served to students using G Suite for Education services. It also pointed out that school administrators must choose to let students use their school accounts to access Google’s consumer services. As a result, the suit’s legal prospects are unclear. [Edweek.org | See also: Mississippi sues Google for allegedly violating student privacy

Privacy Enhancing Technologies (PETs)

WW – Protonmail Combats ‘Totalitarian’ Govt Surveillance With Tor

ProtonMail, the popular Switzerland-based encrypted email provider, has announced it is now offering users the ability to log in to their accounts via the Tor network, a platform favoured by privacy advocates, journalists and activists to surf the web anonymously. the move is aimed at “countering actions by totalitarian governments around the world that are cutting off access to privacy tools”. In a blog post, the outspoken email provider provided users with an “onion” link, which is the term used to describe the Tor network’s version of a traditional website domain. Once Tor is downloaded and installed, it can be found here. [IBTimes]


US – NIST Updates Cybersecurity Framework Guidance

In the past month, the National Institute of Standards and Technology (NIST) has issued a draft update to its flagship cybersecurity framework as well as new standalone guidance on how organizations can plan to recover from cybersecurity events. The publication of these documents demonstrates NIST’s ongoing focus on providing substantive guidance to the private and public sectors alike on cybersecurity risk management. In this post we summarize the highlights of each of these new NIST publications. On January 10, 2017, NIST issued draft version 1.1 of its Framework for Improving Critical Infrastructure Cybersecurity (Framework). On December 21, 2016, NIST issued Special Publication 800-184, Guide for Cybersecurity Event Recovery (NIST SP 800-184). Together, these documents signal the United States government’s ongoing substantive focus on the Framework as a vehicle for communicating cybersecurity risk management expectations. [Global Media and Communications Watch]

US – NIST Releases Internet of Things (IoT) Security Guidance

Late last year, the National Institute of Standards and Technology (“NIST”) released  Special Publication 800-160 (the “Guidance”) on implementing security in Internet-of-Things (“IoT”) devices. The Guidance is intended to provide a framework for software engineers to better address security issues and to develop more defensible and survivable systems in a sustainable manner throughout the life cycle of these devices. [It] is designed to help prevent the vulnerabilities that lead to their exploitation and to facilitate “a disciplined, structured, and standards-based set of systems security engineering activities.” To accomplish this, the Guidance focuses on assessing the trustworthiness of various internet-connected devices and their impacts through a series of processes governed by the life cycle of each device. From a legal perspective, the Guidance can be seen as a double-edged sword for organizations that manufacture or use IoT devices. [Data Protection Report see also: NIST Issues Internet of Things (IoT) Guidance | Internet of Things (IoT) Security Takes Center Stage At FBI, DHS, NIST and Congress | White House and Homeland Security Publish Cybersecurity Guidelines for IoT Devices | NIST unveils Internet of Things cybersecurity guidance | DHS Release Principles For Securing Internet Of Things Amid Expanding Cyber Attack Vectors | Ambassador Sepulveda Urges Technology Industry to Ensure the Security and Interoperability of the Internet of Things | Online Trust Alliance Releases Privacy and Security Checklist for IoT Consumers | NIST scientists ‘nervous’ about lightweight crypto for IoT | FTC’s Latest Enforcement Action Signals Scrutiny of IoT Industry | D-Link fights back against ‘baseless’ data security lawsuit | FTC vs D-Link: The legal risks of IoT insecurity | Cause of Action Institute to Defend D-Link Systems Against FTC’s Baseless Data Security Charges | FTC sues D-Link for ‘insecure’ routers and IP cameras | FTC Charges D-Link Put Consumers’ Privacy at Risk Due to the Inadequate Security of Its Computer Routers and Cameras | FTC IoT privacy and security push points out D-Link router and webcam flaws | D-Link Calls The FTC’s Router And IP Camera Security Allegations ‘Baseless’ | The FTC Brings Section 5 Charges Against Internet-of-Things Companies | [Pacemaker data used to help indict alleged arsonist | Murder case will test privacy rights of Amazon Echo users | Police mull gathering crime evidence from smart home devices ]

WW – Blockchain Enhances Cybersecurity

Hackers can shut down entire networks, tamper with data, lure unwary users into cybertraps, steal and spoof identities, and carry out other devious attacks by leveraging centralized repositories and single points of failure. The blockchain’s alternative approach to storing and sharing information provides a way out of this security mess. The same technology that has enabled secure transactions with cryptocurrencies such as Bitcoin and Ethereum could now serve as a tool to prevent cyberattacks and security incidents. Blockchains can increase security on three fronts: blocking identity theft, preventing data tampering, and stopping Denial of Service attacks. [Venturebeat | See also: | A Complete Beginner’s Guide To Blockchain | Crypto-Currency Software Emerges as Tool to Block Cyberattacks | Power Arrangements in Identity Systems | Why Etherium is the most promising Blockchain technology | Privacy fix for blockchain from Blythe Masters | How blockchain can help fight cyberattacks | Using Blockchain to Protect Against Data Tampering | Legal implications of expanded use of blockchain technology ]

Smart Cars

WW – FPF & NADA Launch Guide to Privacy in the Connected Car

The Future of Privacy Forum (FPF) and the National Automobile Dealers Association (NADA) released a first-of-its kind consumer guide, Personal Data In Your Car [see 8 pg pdf here https://fpf.org/wp-content/uploads/2017/01/consumerguide.pdf ] . The Guide will help consumers understand the kind of personal information collected by the latest generation of vehicles, which use data to further safety, infotainment, and customer experience. “The release of this Guide is a critical step in communicating to consumers the importance of privacy in the connected car, as well as the benefits that car data can provide,” said FPF CEO Jules Polonetsky. As vehicles become more connected, it will be increasingly important to communicate with consumers how their information is collected and shared. For further information about technology in the car, consumers should contact their local dealer and review their vehicle’s owner’s manual. [Future of Privacy Forum See Also: My pal the car: emotionally intelligent vehicles a technology dream but potential privacy nightmare | Cars Would Be Required to Talk to Each Other Under U.S. Plan | ENISA Jumpstarts Connected Car Cybersecurity Study for EU | Data Privacy, Security, and the Connected Car | European Multi-Stakeholder Group Releases Connected Vehicles Report | Smart cars share revealing personal data, raise privacy concerns ]

CA – The Data You Leave In a Rental Car Could Threaten Your Privacy

Information not deleted from onboard infotainment systems in vehicles is a ‘considerable problem’ CBC checked several cars in Fredericton and found contact information on both rental and pre-owned cars, leaving breadcrumb trails of information visible to the next person who sits behind the wheel. It’s information car rental companies and resellers are often not deleting, leaving a digital footprint that can threaten the privacy of those unsuspecting drivers. “It’s a considerable problem, actually,” said Rajen Akalu, an assistant professor at the University of Ontario Institute of Technology. Akalu did a report for Canada’s privacy commissioner on infotainment platforms in vehicles and their implications for privacy. Ultimately, if you are going to pair your phone, experts suggest finding out how to reset the car to its factory setting. In the case of car rental companies, “they check whether or not the car has a full tank of gas when you return it,” Akalu said. “They can equally ensure that the data is wiped from the unit, right?” [CBC News See also: My pal the car: emotionally intelligent vehicles a technology dream but potential privacy nightmare ]


US – Twitter Reveals FBI NSLs that May Have Infringed On Legal Guidelines

Twitter has for the first time disclosed that it received two national security letters (NSLs) from the FBI. [one in September 2015 and one in June 2016] The firm said that the disclosures mark the first time it was allowed to publicly reveal the NSLs. However, the FBI’s request for Twitter data may have reportedly gone beyond the scope of current legal guidelines. Twitter said in a blog post, “We have provided each of the account holders with copies of the relevant NSLs (certain information redacted to protect privacy) as well as the account data we were compelled to produce. Twitter remains unsatisfied with restrictions on our right to speak more freely about national security requests we may receive. We continue to push for the legal ability to speak more openly on this topic in our lawsuit against the U.S. government, Twitter v. Lynch.” [International Business Times UK See: Did FBI overstep its bounds in requesting information from Twitter? | FBI request for Twitter account data may have overstepped legal guidelines | Cloudflare’s In-House Lawyers Open Up About Privacy Fight With FBI | Progressive Phone Company Discloses Legal Battle Over FBI’s National Security Letters | Google Publishes Eight Secret FBI Requests | What Happens When My Company Receives a National Security Letter? A Primer | Freed From Gag Order, Google Reveals It Received Secret FBI Subpoena | EFF Urges Senate Not to Expand FBI’s Controversial National Security Letter Authority | Senate Intelligence Committee Expands FBI NSL Powers With Secret Amendment To Secret Intelligence Bill | Requests for data rise sharply under secretive U.S. surveillance orders ]

CA – Privacy & Winnipeg’s New TMC With 70 Zoomable Street Cams

The City of Winnipeg unveiled its splashy new Transportation Management Centre and launched its Waze traffic app. City staff at the hub will look to a wall of big screens hooked up to a network of data feeds and 70 cameras already installed at busy intersections. The cameras can zoom in as far as three kilometres from where they’re mounted, said a city engineer. But questions about privacy remain as the city has yet to push through an associated privacy protocol to prevent the unintended use of the network of data and cameras. Mayor Brian Bowman said privacy concerns over the potential misuse of the system by police for surveillance purposes are valid, but he’s been assured the sole purpose of the system is to gather information for traffic management. [CBC | Winnipeg’s traffic centre opens ]

Telecom / TV

CA – Canadians’ Internet Data Affected As Trump Cancels Privacy Rules

Activists and academics are calling on Canada’s privacy commissioner to investigate after an executive order [ see here https://www.whitehouse.gov/the-press-office/2017/01/25/presidential-executive-order-enhancing-public-safety-interior-united ] signed last Wednesday by Donald Trump which declared that federal agencies “shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.” Ronald Diebert of the University of Toronto’s Citizen Lab estimated that some 90% of Canadian Internet traffic is routed through the United States. Many have wondered whether any privacy protections really exist for Internet traffic in the U.S. the Obama administration expanded the ability of intelligence agencies to share surveillance data, shortly before leaving office. Trump’s new executive order “has real life implications,” consumer activist group OpenMedia said in a statement. “Everything from your financial status, to your medical history, your sexual orientation, and even your religious and political beliefs are exposed.” [It is] calling for “a reassessment of what information our government chooses to share with the U.S.” [Huffington Post Canada Also See: Trump’s Executive Order Eliminates Privacy Act Protections for Foreigners





14-20 January 2017


US – Court Rules Against Man Forced to Fingerprint-Unlock His Phone

Unlocking a phone like this “is no more testimonial than furnishing a blood sample.” A Minnesota appellate court ruled against a convicted burglar who was forced by a lower state court to depress his fingerprint on his seized phone, which unlocked it. This case, State of Minnesota v. Matthew Vaughn Diamond, marks the latest episode in a string of unrelated cases nationwide that test the limits of digital privacy, modern smartphone-based fingerprint scanners, and constitutional law. As has been reported before, under the Fifth Amendment, defendants cannot generally be compelled to provide self-incriminating testimony (“what you know”). But giving a fingerprint (“what you are”) for the purposes of identification or matching to an unknown fingerprint found at a crime scene has been allowed. It wasn’t until relatively recently, after all, that fingerprints could be used to unlock a smartphone. The crux of the legal theory here is that a compelled fingerprint isn’t testimonial, it’s simply a compelled production—like being forced to hand over a key to a safe. Had the defendant been forced to disclose his passcode (instead of depressing his fingerprint) to his phone, the constitutional analysis likely would have been different. [Ars Technica | To beat crypto, feds have tried to force fingerprint unlocking in 2 cases | Apple’s Touch ID blocks feds—armed with warrant—from unlocking iPhone | Woman ordered to provide her fingerprint to unlock seized iPhone | Minnesota court on the Fifth Amendment and compelling fingerprints to unlock a phone | Here’s Why Feds Are Winning The Fight To Grab iPhone Passcodes And Fingerprints | Cops Could Force Google Pixel Users To Voice-Unlock Their Phones | Feds Walk Into A Building, Demand Everyone’s Fingerprints To Open Phones | How the Feds Justify Collecting Fingerprints to Unlock Everyone’s Phones | Can warrants for digital evidence also require fingerprints to unlock phones? | For the First Time, Federal Judge Says Suspect Must Use Fingerprint to Unlock Smartphone | Search Warrants Could Force You to Unlock Your iPhone via Touch ID]

WW – Researchers Extract Fingerprint Data from Digital Photograph

A pair of Japanese researchers have copied the fingerprint data from a digital picture of an individual making a peace sign. “One can use it to assume another identity, such as accessing a smartphone or breaking and entering into a restricted area such as an apartment,” Japan’s National Institute of Informatics professor Isao Echizen said. Working with fellow researcher Tateo Ogane, Echizen’s fingerprints were extracted from a digital photograph taken three meters away. [Reuters]

CA – Gemalto Wins Privacy Design Award for Biometric ID Verification Solution

Gemalto announced that it has won the ACT Canada IVIE Award in the “Privacy by Design” category for its ID Verification solution. As banks and mobile operators look to provide more convenient services through digital and self-service channels, the need to validate a customer`s identification becomes even more necessary. Gemalto`s ID Verification enables this new convenience while maintaining security by allowing customers to scan their picture ID remotely on their device. The service helps to comply with anti-money laundering and Know Your Customer regulations by providing a way to verify ID documents, such as drivers licenses or passports, across customer service channels – online, face-to-face, ATM or mobile app. Gemalto`s technology validates legitimate IDs, flags counterfeits, and provides a trust score in real time. In a face-to-face scenario, for example, to open a bank or mobile phone account, a representative will use a tablet to scan the customer`s ID, which the system verifies against a database of document templates from 180 countries for visual integrity, data consistency, and ID security features. In a self-service scenario, customers first scan their driver`s license or ID and then take a selfie. The system uses facial biometrics to verify that the picture on the card matches the selfie, and if so, can automatically fill out the name, address and other fields in the bank`s online forms. The award was presented by Dr. Ann Cavoukian, former Information and Privacy Commissioner of Ontario and now Executive Director of the Privacy and Big Data Institute – Where Big Data meets Big Privacy at Ryerson University. [Yahoo]


CA – Canada Revenue Agency Monitoring Facebook, Twitter Posts of Canadians

The Canada Revenue Agency is scrutinizing the Facebook pages, Twitter feeds and other social media posts of Canadians it suspects could be cheating on their taxes.  The agency is increasing its focus on what it can learn by collecting and analyzing many kinds of data — both its own internally generated information and what it calls “publicly available information.” “The CRA does practice risk-based compliance, so for taxpayers identified as high risk, any relevant, publicly available information relating to the specific risk-based factors for the taxpayer may be consulted as part of our fact-gathering processes,” said a spokesperson. Among those considered high risk are wealthy Canadians with offshore bank accounts. Tobi Cohen, spokesperson for the privacy commissioner, said CRA notified it of its plan to collect publicly available information from social media in connection with “tax fraud and non-compliance risk analysis, audits and investigations.” However, David Christopher, of the advocacy group Open Media, said his organization opposes government agencies monitoring what Canadians are saying on social media. “When Canadians post something on Facebook, they believe that they are sharing that with their friends and with their family. They don’t believe that they are sharing that with some government bureaucrat in Ottawa… Unfortunately, Facebook’s privacy settings are notoriously complex and many people might think that they are posting something to their friends and it ends up getting shared with the whole world.” The revelation that the Canada Revenue Agency is checking social media posts comes as the agency is also expanding its use of cutting-edge technology and data analysis to better catch tax cheats, to target people for audits and to improve its service for Canadians. Business intelligence, also known as big data, is a rapidly growing area within CRA. In 2016 alone, the agency posted three separate privacy impact assessments centred on its plans to use business intelligence techniques in its operations. [CBC News]

CA – Waterloo Rolls Out Licence Plate Scanner, Approves Privacy Rules

The licence plate recognition software the city has been interested in since 2011 will finally be implemented. A review was conducted to find out if bylaw officers taking photos of parked cars will have a negative impact on privacy. “The Licence Recognition Program is supplementing an existing manual process and doesn’t really increase the amount of information being collected. We now have an electronic database and information that includes photographs and GPS location of the vehicle. Other than that, the information we collect is the same” said Julie Scott, deputy city clerk. The new system [has] camera equipment loaded onto the front and back of the clearly marked City of Waterloo vehicle [that] will capture parked cars’ licence plates and tire valves, to see if cars were moved and re-parked. A computer will log the plate numbers, GPS locations of vehicles, dates and times. Non-violator information will be purged immediately, said Scott. Violator information will be housed on secure city servers at city facilities and will be transferred using secure encrypted methods. Any personal information collected accidentally when a picture is taken will be redacted. “Officers who use the system don’t, by virtue of the system, have access to personal information,” said Julie Scott, deputy city clerk. As part of the licence plate recognition software privacy impact assessment, the city collaborated with legal, legislative and enforcement services. It also had guidance from the information privacy commissioner’s office. [Waterloo Chronicle | New tech modernizing parking enforcement in Waterloo | Waterloo approves privacy rules for licence plate scanner]

CA – Manitoba Scraps Plan to Combine Health Cards with Driver’s Licenses

Manitoba will not be going forward with a plan to combine health cards with driver’s licenses. Health Minister Kelvin Goertzen said concerns about additional costs, the work needed to change legislation, and the impact on storing health information were the primary reasons for why the idea will not proceed. Goertzen said if Manitoba wants to revive the idea of a single personal information card, it will need to be done correctly from the start. “We also have to determine how to assess privacy legislation compliance,” said Goertzen. “The work compiled to date will be used to develop and implement a strategy for identity management that can be applied across government.” [The Canadian Press]

CA – MPI Will No Longer Publish Home Addresses on Vehicle Registrations

Privacy concerns are pushing Manitoba Public Insurance to remove home addresses from noncommercial vehicle registrations this spring. “Vehicle registration cards are often left inside the vehicle, which makes them susceptible to being taken should the vehicle be broken into,” Crown Services Minister Ron Schuler said. “Removal of the registered owner address will ensure the privacy, confidentiality and security of registered vehicle owners is maintained in these cases.” As of March 1, anyone renewing their registrations will no longer have their home addresses on the documentation, with the Crown corporation planning to issue the new cards at no extra cost. [CBC News]

CA – Alberta Orgs Push for More Data Sharing in Vulnerable Children Cases

Several organizations called for more information sharing and transparency when handling the data of vulnerable children. Alberta School Boards Association’s Jim Gibbons cited a case where data sharing could have helped in a case where a child had died. Gibbons said the death could have been avoided had all the present information been shared. “We need to protect privacy but also share information, particularly when it pertains to an at-risk child or youth. It could mean the difference between living and dying,” said Gibbons during a review of the Child and Youth Advocate Act. [Edmonton Journal]

CA – OIPC SK: Trustees Can Rely on Deemed Consent

The Office of the Saskatchewan Information and Privacy Commissioner has issued guidance on deemed consent under the Health Information Protection Act. Deemed consent means that the data subject has given no signal that they have consented to, and there is no mechanism to opt-out of, the collection, use or disclosure of personal health information; trustees can forgo express or implied consent only when an individual is unable to give consent, unconscious, or in emergency circumstances. [OIPC SK – Deemed Consent in HIPA – What Is It?]

CA – Full Bell Aliant Contract Should Be Public: PEI Privacy Commissioner

P.E.I.’s privacy watchdog has ordered Bell Aliant to release its telephone services contract with the P.E.I. government in its entirety. Privacy commissioner Karen Rose disagreed with Bell Aliant’s argument that releasing the full document would harm the business interests of the company. “The goals of transparency and accountability would be futile if public bodies were permitted to form contracts whose terms were kept secret from Islanders,” Rose says in her ruling. “Businesses who contract with government should be mindful of government’s accountability to the public. This accountability is especially applicable to government’s expenditure of public funds.” The ruling comes in response to a freedom of information request asking for the full Bell Aliant contract. [The Guardian]


WW – Companies Should Shoulder Most of the Data Protection Efforts: Report

A report from Gemalto finds a majority of consumers believe organizations holding their data are responsible for protecting their information. Surveying 9,000 people from around the world, respondents said 70% of the data protection efforts should fall on the companies, with the remaining 30% going toward consumers. “Consumers have clearly made the decision that they are prepared to take risks when it comes to their security, but should anything go wrong they put the blame with the business,” said Gemalto Chief Technology Officer for Data Protection. “The modern-day consumer is all about convenience and they expect businesses to provide this, while also keeping their data safe.” [ZDNet]

US – Mississippi AG Sues Google for Allegedly Violating Student Privacy

Mississippi Attorney General Jim Hood is suing Google for allegedly violating student privacy. Hood is accusing the tech company of violating the state’s consumer protection law by selling ads using data it collects from services it provides to schools, specifically citing a test involving student accounts from the state-run Mississippi School of Math and Science in Columbus. During the test, targeted ads have appeared from previous searches, and Hood is asking a judge to force Google to stop the practice. “They’re building a profile so they can advertise to them,” Hood said. “They expressly stated in writing that they would not do that.” Hood’s lawsuit said Google could be fined $10,000 per student account, with the total penalties possibly exceeding $1 billion. [The Associated Press]

US – It’s Grades, Not Privacy, That Matter to Generation Z: Study

For generations of students, the prospect of their lecturers prying into their study habits would have been anathema, but for Generation Z it’s not privacy but grades that matter. Three quarters of students would welcome closer monitoring of their study habits as a way to cut drop-out rates, while almost half said it could help them get better grades, according to a new survey. The findings turn on its head the widely-held assumption that students jealously guard their privacy and are highly resistant to efforts to monitor their behaviour outside of the lecture hall. In 2015 Google was forced to defend itself from accusations that it was snooping on students by harvesting data on students using Chromebooks, in order to generate target advertisements. [Forbes]


EU – Institution Web Services Shouldn’t Assume User Consent Is Valid Forever

The European Data Protection Supervisor has issued guidance focusing on specific aspects of web services provided by EU institutions. The processing of personal data on the server side and through tracking and profiling should give the user the possibility to review their decision; periodically remind users that they gave their consent to tracking and of what they consented to, which could be done at least every 6 months, and more frequently in the case of profiling. [EDPS – Guidelines on the Protection of Personal Data Processed Through Web Services Provided by EU Institutions]

EU Developments

EU – New A29WP Guidelines on Data Protection Officers

The EU’s Article 29 Working Party has published new Guidelines on the role of Data Protection Officers under the General Data Protection Regulation. Data Protection Officers are seen as a cornerstone of data protection compliance, and many businesses will be subject to a mandatory obligation to appoint a Data Protection Officer. The Guidelines provide businesses with useful information on the appointment and role of Data Protection Officers. The GDPR will introduce significant new obligations which will require many businesses to appoint DPOs. The GDPR will also implement a much more formal framework around the roles and responsibilities of DPOs. [White & Case]|

UK – CJEU Ruling in Tele2, Takeaways & Impact on Snooper’s Charter

The CJEU’s recent decision in the Tele2/Watson case contains interesting guidance on the rules around the retention of communications data and the safeguards that must be in place to protect it. It may also call the viability of the new Investigatory Powers Act into question. The key issue in the case was whether legislation in Sweden and the UK, which imposed an obligation on public communications providers to retain traffic and location data, was compatible with EU law. The UK legislation required public telecommunications operators to retain all such communications data for a maximum of 12 months where required to by the Secretary of State. The CJEU gave guidance on the aspects of national legislation that would be deemed unlawful under EU law. Here are the most important takeaways from the judgment:

  1. The intrusiveness of traffic and location data;
  2. The purpose for retention must be limited to fighting serious crime;
  3. Retention must be targeted to what is “strictly necessary” to fight serious crime;
  4. Access to the data must be subject to prior review by a court or independent authority;
  5. Data subjects must be informed as soon as possible; and,
  6. Retained data must stay within the EU.

It is clear that many aspects of the new Investigatory Powers Act 2016 (IPA) still fall short of satisfying the CJEU’s criterion above. The UK will need to consider carefully what amendments, if any, it will make to the IPA to bring it into conformity with EU law. [Privacy, Security and Information Law Blog | CJEU holds that mass surveillance must not be general and indiscriminate | The CJEU Gives the UK Government Another Brexit Dilemma | The Court of Justice of the European Union Limits the Scope of National Data Retention Laws | EU court ruling on ISP data retention may influence Canada | In Major Privacy Victory, Top EU Court Rules Against Mass Surveillance | EU’s highest court delivers blow to UK snooper’s charter | EU ruling means UK snooper’s charter may be open to challenge ]

US – Switzerland and US Regulators Agree to Privacy Shield Framework

The Switzerland Government has reached an agreement with the US Department of Commerce on a new Swiss-U.S. Privacy Shield framework (“Swiss Shield”). The Framework is needed for secure, efficient transfers of personal data to the US (which does not have an adequate level of protection), and is similar the EU-US Framework, guaranteeing the same conditions for individuals and businesses in Switzerland; US companies that obtain certification will be recognised as having adequate data protection standards, and Swiss companies will be able to transmit data to these companies without requiring additional contractual guarantees. [Switzerland Federal Council – Swiss-US Privacy Shield – Better Protection for Data Transferred to the USA]

EU – Swedish Government Provides Protection for Whistleblowers

The Swedish Ministry of Employment issued Act 216-749 on Special Protections Against Victimisation of Whistleblowing Employees, which is effective on January 1, 2017. Employees can report incidents to union representatives, using internal reporting procedures, to the employer, or to the public (if the employer does not take reasonable action in response to reporting, or inform the employee of measures taken); employees that incriminate themselves when reporting an incident do not have protections under the law, and employers are prohibited from retaliation against whistleblowing employees (e.g dismissal, redundancy. [Act 2016-749 on Special Protection Against Victimisation of Whistleblowing Workers – Sweden Ministry of Employment]


EU – Mobile Payments Provide Multiple Threat Opportunities

The European Network Information Security Agency has issued guidance on mobile payments and digital wallets applications. Threats includes those from users (phishing), devices (lost/stolen), apps (reverse engineering), merchants (relay attacks on near field communication enabled POS contactless terminals), payment service providers (data connectivity compromise), acquirers (repudiation of mobile payment authorization), payment network providers (token services provider services & servers compromise), issuers (payment fraud), servers & cloud services (DDoS attacks), and digital wallets enrolment (potentially immature code may have security weaknesses. [ENISA – Security of Mobile Payments and Digital Wallets | Press Release]


WW – Study Applies Game Theory to Genomic Privacy

A new study presents an unorthodox approach to protect the privacy of genomic data, showing how optimal trade-offs between privacy risk and scientific utility can be struck as genomic data are released for research. The framework can be used to suppress just enough genomic data to persuade would-be snoops that their best privacy attacks will be unprofitable. [ScienceDaily]

Health / Medical

WW – New Report Assesses State of Data Sharing for Healthcare Analytics

A new report from Privacy Analytics, in collaboration with the Electronic Health Information Laboratory, summarizes the key findings from a survey that assessed the state of data sharing in healthcare and the challenges in disclosing data for secondary use. Secondary use of health data applies to protected health information that is used for reasons other than direct patient care, such as data analysis, research, safety measurement, public health, payment, provider certification or marketing. Key findings:

  • There is a lack of total confidence in the ability to protect privacy: More than two out of three respondents lack complete confidence in their organization’s ability to share data without putting privacy at risk.
  • The demand for data is growing as fast as the amount of data being collected. More than half of the respondents plan to increase the volume of data stored or shared within 12 months and two-thirds currently release data for secondary use.
  • Individuals lack familiarity with advanced methods of de-identifying data. As a result, they release information that has been stripped of its usefulness or share data in a way that puts them at an unacceptably high risk of a breach.
  • Most organizations use approaches that can result in high risk datasets. More than 75% of respondents said that their organization uses one or more of the following: data-sharing agreements, data masking or Safe Harbor.
  • Healthcare organizations are slowly starting to monetize data assets. One in six says they share data with other organizations for profit. [Source]

US – Health Data Breaches Doubled in 2016, but Fewer Records Lost: Report

A Protenus report reveals data breaches nearly doubled in health care organizations last year, but far fewer patient records were lost in the cyberattacks. The report found 27.3 million records were compromised in 2016, down from 113 million in 2015. Health care suffered 450 breaches in 2016, up from 253 in 2015. “While it may seem that there is a significant drop between the total patient records affected by health data breaches from 2015 to 2016, most of that difference is attributable to a single event. Anthem was the largest health data breach of 2015, affecting 80 million patient records. Once this single breach is removed, the side-by-side comparison between 2015 and 2016 isn’t drastically different, 33 million vs. 27 million respectively.” [SC Magazine]

Horror Stories

AU – Accident Leads to Breach of 8,709 Gun Owners’ Details

Staff at the Victorian government’s Department of Environment, Land, Water and Planning accidentally emailed out the personal details of 8,709 gun owners. “The error occurred on eight separate occasions, with the attached files including between 800 to 1,900 names,” the report states. “It really was a simple case of human error,” the department said. “The [staff] concerned are horrified … and have been counselled.” The department contacted the recipients of the eight emails and confirmed that they were either deleted or not received. Additionally, “on advice from the state’s privacy commissioner, the department is posting letters to each of the 8,709 people involved… The department has also contacted Victoria Police.” [ABC]

Identity Issues

EU – UN Free Speech Advocate Criticises UK Plan to Curb Access to Online Porn

The UN’s free speech advocate has warned that British government plans to enforce age verification and some censorship of pornographic websites risk breaking international human rights law and would contribute to a “significant tightening of control over the internet”. David Kaye, the special rapporteur on the promotion and protection of the right to freedom of opinion and expression, called on ministers to conduct a comprehensive review of the digital economy bill, which he said facilitated state surveillance and lacked judicial oversight. The bill, intended to regulate a range of issues relating to the internet and electronic records, also includes measures to increase data sharing between government departments and protect intellectual property. But it is the measures to control pornography that have sparked an outcry amid fears that they will create a database of internet users’ sexual proclivities and roll back Britain’s censorship regime to the pre-internet era. If the bill passes it will outlaw the depiction online of a range of legal-to-perform sex acts. Its passage is highly likely, with support in parliament from both Labour and the Conservatives, and only the Liberal Democrats indicating they will oppose it. Kaye’s objections focus on the risk posed by age verification requirements to individuals’ privacy. In a letter to the UK’s ambassador to the UN, he says he is concerned that the new rules “fall short of the standards of international human rights law”. [The Guardian]

Law Enforcement

CA – Federal Officials Approved Winnipeg Police Purchase of Spying Devices

Federal public safety officials approved a licence that would enable the Winnipeg Police Service to purchase devices from an undisclosed company designed to intercept the private communications of citizens. The licence, was approved for a 12-month period by the assistant deputy minister of Public Safety Canada’s national security branch on June 23, 2016. Approvals were also signed for Durham Regional Police, Ontario Provincial Police, RCMP and the Canadian Security Intelligence Service, according to the records. The records also showed evidence of 93 occasions dating back to 2008 of licence requests processed by Public Safety Canada. Often referred to as IMSI (international mobile subscriber identity) catchers, these covert tools masquerade as conventional cellular towers, causing mobile phones to transmit signals to the rogue device, rather than directly to towers operated by wireless providers. [CBC | Application form for selling spyware in Canada | ATIP release from Public Safety Canada | Winnipeg Mayor & Privacy Lawyer A-OK with Cops Using IMSI | ‘Shady, secretive system’: Public Safety green-lit RCMP, CSIS spying devices, documents reveal | Ottawa should tell the truth about ‘stingrays’: Editorial | Government use of surveillance devices must be restricted: privacy experts | Long-Secret Stingray Manuals Detail How Police Can Spy on Phones | Vancouver police admit using StingRay cellphone surveillance, BCCLA says | Local Police In Canada Used ‘Stingray’ Surveillance Device Without a Warrant | Privacy watchdog to investigate RCMP over alleged ‘stingray’ cellphone surveillance | StingRays breach cell phone privacy]

UK – Police Should Need Warrants to Search Mobile Phones: Campaigners

Police use of data extraction equipment to download information from suspects’ mobile phones should require a search warrant, according to privacy campaigners. The practice is becoming increasingly routine across most forces but is inadequately regulated and being carried out by insufficiently trained officers, Privacy International claimed. Digital forensic equipment has been used under counter-terrorism powers at ports and airports to download data from mobile phones for several years. Concerns over the practice were first raised by the independent reviewer of terrorism legislation, David Anderson QC, in 2012. The technology has now spread to other police forces. Mobile phone data can contain an enormous amount of private information, including photographs. [The Guardian]

Online Privacy

WW – Startup Allows Users to Control Data When Signing Up for Websites

A new startup is working to create a product allowing users to have more control over their data when signing up for websites. Blockstack will be releasing software later this year allowing users to control their digital identity. Whenever a user signs up for a website needing personal information, users will have the ability to grant access under a profile they control. If they wish to stop using a service, the user can revoke the access to the profile and data. Blockstack plans to accomplish this functionality by using blockchain technology to track usernames and associated encryption keys. “We’re trying to turn the existing model on its head,” says Blockstack CEO and co-founder Ryan Shea. “You can try to work with the existing model from within, but sometimes it’s easier to step outside of it and build s something new from a clean slate.” [MIT Technology Review]

EU – Proposed Reputational Profiling Not Compliant with Data Protection Code

The Italian data protection authority considered a request for approval for personal data processing to produce a “reputation rating” by Mevaluate Holdings, Ltd., Mevaluate Italy, and Mevaluate Onlus Association pursuant to the Data Protection Code. Such profiling via web platform would violate multiple statutory requirements; the processing implicates sensitive data that impacts personal dignity, and is not subject to guarantees of impartiality and independence (i.e. the decisions are automated). There are concerns with the reliability of the data (documents used for profiling can be forged), possible misuse (i.e. blacklist purposes), inadequate security measures (encryption only for judicial data), and consent is not freely given (due to the potential for adverse effects of the profiling on individuals. [DPA Italy – Decision No. 488/2016 – Web Platform for Development of Reputational Profiles | Summary available in Italian]

Other Jurisdictions

AU – Pilgrim Cautions Senate Committee Against Drone Deregulation

Australian Privacy and Information Commissioner Timothy Pilgrim has warned against deregulating commercial drone use in a submission “to the Senate committee investigating the safety implications of the new rules that allow commercial operators to fly without a license, drones weighing less than 2 kg.” While drones have economic impact, they also have privacy concerns as well, Pilgrim said. “Privacy risks presented by drone use range from inadvertent privacy breaches through the collection of personal information, such as photographs of individuals and their activities, to potential conduct that meets criminal-offence thresholds such as stalking” Pilgrim said he would “support increased training and education to inform drone pilots of their responsibilities and to protect the privacy of individuals.” [The Australian]

Privacy (US)

US – Obama Releases Report on Privacy, Surveillance and Innovation

In the last week of his presidency, former President Barack Obama released a report summing up his administration’s work on privacy, surveillance and innovation. The report includes the administration’s work on domestic and international privacy initiatives, including the Privacy Shield and APEC frameworks as well as reforms to national surveillance. [Privacy in our Digital Lives: Protecting Individuals and Promoting Innovation]

Privacy Enhancing Technologies (PETs)

US – NIST Publishes Guidance on Privacy Engineering and Risk Management in Federal Systems

This document from NIST provides an introduction to the concepts of privacy engineering and risk management for federal systems. These concepts establish the basis for a common vocabulary to facilitate better understanding and communication of privacy risk within federal systems, and the effective implementation of privacy principles. This publication introduces two key components to support the application of privacy engineering and risk management: privacy engineering objectives and a privacy risk model. [NISTIR 8062 An Introduction to Privacy Engineering and Risk Management in Federal Systems]

Smart Cars / IoT

US – Smart City Prevalence to Increase by 2019: Study

Research firm Gartner has estimated half the citizens within million-people cities will voluntarily fuel smart city enterprises with their data by 2019. “As citizens increasingly use personal technology and social networks to organize their lives, governments and businesses are growing their investments in technology infrastructure and governance,” said Gartner. “This creates open platforms that enable citizens, communities and businesses to innovate and collaborate, and ultimately provide useful solutions that address civic needs.” While machine-readable data is already generated in bulk, “the city becomes ‘smart’ when data is collected and governed in such a way that can produce valuable real-time streams, rather than simply backward-looking statistics or reports,” Gartner’s said. [FZDNet]

AU – Internet-of-things Tools With Augmented Reality Worry Australians: Study

ISACA research has found that 70% of Australians are concerned that internet-of-things devices with augmented reality pose a threat to their privacy, increasing a chance of a breach. “With the proliferation of IoT-enabled devices and the drive to provide enhanced user experiences, IoT and AR have the power to become a source of unprecedented value and opportunity, as well as significant risk,” said ISACA. “Individuals and enterprises should focus on rapidly getting up to speed on these technologies while learning how to manage risk so they do not compromise their company’s ability to innovate.” [iTWire]


UK – Britain’s Draconian Surveillance Laws Called “Disproportionately Dangerous” by New Amnesty International Report

The Investigatory Powers Act, which legalised the bulk surveillance of everyone’s internet activity “threatens to have devastating consequences for privacy and other human rights in the UK and beyond”, according to Amnesty International. The damning verdict on Britain’s surveillance state comes as part of the human rights group’s new “Disproportionately Dangerous” report, which looks at the Europe-wide trend towards more draconian laws that threaten our rights – like the IP Act, which is also known as the Snooper’s Charter. After describing the powers that the law enables, Amnesty concludes that “Such provisions, lacking any requirement for individualized, reasonable suspicion, are contrary to human rights law. Even the allegedly targeted ‘thematic’ warrants are so broad that they will undermine privacy rights well beyond what human rights law allows.” “The last two years, however, have witnessed a profound shift in paradigm across Europe: a move from the view that it is the role of governments to provide security so that people can enjoy their rights, to the view that governments must restrict people’s rights in order to provide security. The result has been an insidious redrawing of the boundaries between the powers of the state and the rights of individuals.” [Gizmodo]

US – Privacy Threat from Always-on Microphones Like the Amazon Echo: ACLU

A warrant from police in Arkansas seeking audio records of a man’s Amazon Echo has sparked an overdue conversation about the privacy implications of “always-on” recording devices. This story should serve as a giant wakeup call about the potential surveillance devices that many people are starting to allow into their own homes. The Amazon echo is not the only such device; others include personal assistants like Google Home, Google Now, Apple’s Siri, Windows Cortana, as well as other devices including televisions, game consoles , cars and toys. We can safely assume that the number of live microphones scattered throughout American homes will only increase to cover a wide range of “Internet of Things” (IoT) devices. Overall, digital assistants and other IoT devices create a triple threat to privacy: from government, corporations, and hackers. We fear that some government agencies will try to argue that they do not need a warrant to access this kind of data. We believe the Constitution is clear, and that, at a minimum, law enforcement needs a warrant based on probable cause to access conversations recorded in the home using such devices. But more protections are needed. Unfortunately the existing statutes governing the interceptions of voice communications are ridiculously tangled and confused and it’s not clear whether or how data recorded by devices in the home are covered by them. Digital assistants, like smart meters and many other IoT devices, split open a contradiction between two legal doctrines that both sit at the core of privacy law: 1) The sanctity of the home; and 2) The third-party doctrine. The contradiction arises when devices inside the home stream data about activities in that home to the servers of a third-party corporation. If microphones are going to be part of our daily lives in our intimate spaces, we need broader awareness of the issues they raise, and to settle on strong protections and best practices as soon as possible. [ACLU | Devices sprout ears: What do Alexa and Siri mean for privacy? | The battle to use Siri as a key witness | Mozilla: ‘IoT will be the first big battle of 2017,’ calls for responsible IoT | Tips on protecting your privacy on Amazon Echo and Google Home | Murder case will test privacy rights of Amazon Echo users | Police mull gathering crime evidence from smart home devices |  ‘IoT will be the first big battle of 2017,’ calls for responsible IoT]

US – Documents Reveal 15 Years-Worth of ‘Cartapping’ Surveillance Efforts

Court documents reveal 15 years-worth of law enforcement requests to vehicle technology providers for handing over real-time audio and location data to aid in investigations. The surveillance actions, known as “cartapping,” include New York police demanding SiriusXM to provide location information to target a car in an alleged illegal gambling ring, and General Motors handing over OnStar data from a Chevrolet Tahoe rented by a suspected crack cocaine dealer. Attempts to have the evidence thrown out of court are normally not successful, as the government possesses a solid argument stating drivers’ right to privacy does not hold up when using services such as OnStar. “I could make an argument to the contrary, which is based on the fact that we are increasingly surrounded by embedded interactive, broadcast technologies and therefore can tend to forget the fact that we may be broadcasting as we hold what we think are private conversations,” said University of Dayton, Ohio, law professor Susan Brenner. [Forbes]

Telecom / TV

AU – Australian Federal Court Sides With Telstra in Metadata Case

The Federal Court of Australia has sided with telecom company Telstra in a case about whether all metadata constitutes personal information. The court ruled Telstra did not need to hand over its telecommunications metadata to former Fairfax journalist Ben Grubb under the Privacy Act. The case rested on whether metadata held by Telstra is information “about Ben Grubb,” or if it’s “about the service delivered to him.” The Administrative Appeals Tribunal sided with Telstra. The appeal filed by Australian Privacy Commissioner Timothy Pilgrim was denied by the Federal Court. “I think the Privacy Commissioner’s lawyers played a high stakes game with a narrow approach to this appeal, and it backfired on them,” said Salinger Privacy’s Anna Johnston. “The Federal Court did not clearly answer the question of what defines personal information because they were not asked to.” [iTnews]

US Government Programs

US – Obama Opens NSA’s Vast Trove of Warrantless Data to Entire Intelligence Community

The Obama administration announced new rules [Executive Order 12333] that will let the NSA share vast amounts of private data gathered without warrant, court orders or congressional authorization with 16 other agencies, including the FBI, the Drug Enforcement Agency, and the Department of Homeland Security. The new rules allow employees doing intelligence work for those agencies to sift through raw data collected under a broad, Reagan-era executive order that gives the NSA virtually unlimited authority to intercept communications abroad. Previously, NSA analysts would filter out information they deemed irrelevant and mask the names of innocent Americans before passing it along. The last-minute adoption of the procedures is one of many examples of the Obama administration making new executive powers established by the Bush administration permanent, on the assumption that the executive branch could be trusted to police itself. Under 12333, the NSA taps phone and internet backbones throughout the world, records the phone calls of entire countries, vacuums up traffic from Google and Yahoo’s data centers overseas, and more. The new rules still ostensibly limit access to authorized foreign intelligence and counterintelligence purposes — not ordinary law enforcement purposes — and require screening before they are more widely shared. But privacy activists are skeptical. [The Intercept | National Security Agency Databases Open for Business | Obama Expands Surveillance Powers on His Way Out | E.O. 12333 Raw SIGINT Availability Procedures: A Quick and Dirty Summary | N.S.A. Gets More Latitude to Share Intercepted Communications | Trump to Inherit Vast Surveillance Powers | Trump to inherit vast surveillance system | Commander-In-Chief Donald Trump Will Have Terrifying Powers. Thanks, Obama]

US – Border Agents Demanding Americans’ Social Media Accounts

Customs and Border Protection agents have been invasively questioning Muslim-Americans at U.S. border crossings about their political and religious beliefs, asking for their social media information, and demanding passwords to open mobile phones, according to a set of complaints filed by the Council on American-Islamic Relations (CAIR). The complaints deal with the cases of nine people who have been stopped at various U.S. border crossings, eight of whom are American citizens, and one Canadian. They were filed to the Department of Homeland Security, Customs and Border Protection and the Department of Justice. While warrants are normally required for federal authorities to search cellphones, this requirement does not apply at border crossings. The complaints filed by CAIR allege that CBP agents have been asking travelers questions including, “are you a devout Muslim”, “what do you think of the United States”, and “what are your views about jihad?” The complaints also say that people have reported being asked whether they attend a mosque and what their opinions are about various terrorist groups. The complaints also allege that border agents have asked American citizens to provide their social media information at the border. The ACLU notes that, although they may suffer delays, “U.S. citizens cannot be denied entry to the United States for refusing to provide passwords or unlock devices.” [The Intercept | See also: Revealed: The FBI’s Secret Methods for Recruiting Informants at the Border | U.S. Border Questionnaire: Is Anyone in Your Family a “Martyr”? | With Power of Social Media Growing, Police Now Monitoring and Criminalizing Online Speech | Will US border officials demand social network handles from visitors? | Surveillance of Everyone: Europe’s “Smart Borders” Would Automatically Monitor Individuals | Op-Ed: Canada to share information with U.S. on land border crossers | New border bill allows sharing of biographic data | New bill would allow border guards to collect biographic data on those leaving Canada | Government must face scrutiny over hacking of migrants’ phones by UK border guards]

US Legislation

US – State Bill Permits Automatic License Plate Readers for Investigations

New York Senate Bill S00023, amending the General Business Law and Executive Law and relating to the use of automatic license plate reader systems, is introduced in the New York Legislature and referred to the Committee on Consumer Protection. Law enforcement agencies may use automated license plate readers for immediate comparisons of captured data held by other government agencies, for the purposes of identifying outstanding parking or traffic violations, violations of vehicle registration or inspection requirements, and stolen vehicle and license plates; operators of ALPRs must preserve captured plate data upon request from law enforcement, and must destroy the data after 14 days or if an application for a disclosure order is denied.[SB S00023 – An Act to Amend General Business Law and the Executive Law in Relation to the Use of Automatic License Plates Reader Systems – State of New York]

US – Bill Increases Public Transparency of Use of Surveillance Technologies

California Senate Bill 21, adding Chapter 15 to Division 2 of Title 5 of California Government Code and relating to law enforcement use of surveillance technology, is introduced and referred to the Committees on Public Security and the Judiciary. Agencies must, as of July 1, 2018, submit to their governing body a policy regarding their use of surveillance technologies (e.g. drones, license plate readers, CCTV, IMSD trackers, GPS, RFID, and biometrics-ID/facial-recognition); the policy must include the types of technologies and authorized purposes, a description of privacy compliance and security measures, restrictions on use/disclosure, any public access to collected data, the data retention period, and the destruction process. [Senate Bill 21 – Relating to Law Enforcement Agencies – California]

Workplace Privacy

US – Court Rules UPMC Under No Obligation to Protect Employee Data

The Superior Court of Pennsylvania ruled workers from the University of Pittsburgh Medical Center had no reasonable expectation their employee data would be secure following a data breach resulting in their information having been used to file phony tax returns. The decision states the UPMC workers turned over their information as a condition of their employment, not for protection. The court also ruled UPMC is not responsible for paying for stolen data resulting in economic loss, and the law should not require employers to take on the costs of enhancing employee data security. “We find it unnecessary to require employers to incur potentially significant costs to increase security measures when there is no true way to prevent data breaches altogether,” the decision states. [Network World]

EU – Deutsche Bank Prohibits Texting, Comms Apps on Company Phones

Deutsche Bank AG will no longer allow employees to send text messages and use communication apps on company-issued phones as the organization attempts to improve compliance standards. Deutsche Bank’s Chief Regulatory Officer Sylvie Matherat and Chief Operating Officer Kim Hammonds sent a staff memo stating the functionality will be turned off this quarter. The policy will also apply to employees’ private phones used for work purposes and includes communication apps such as WhatsApp, Google Talk and iMessage. The move comes as Deutsche Bank works to improve its compliance efforts, as data compiled by Bloomberg found the bank has been slapped with more than $13.9 billion in fines and legal settlements since 2008. [Bloomberg]

US – Federal Privacy Council Launches Hiring Toolkit

The U.S. Federal Privacy Council has launched a new toolkit aimed at assisting federal agency human resources staff and hiring managers in understanding the new world of U.S. government privacy, making decisions about which types of positions they should use in their privacy offices, designing federal privacy positions, and then conducting recruitment and selection activities. [IAPP.org]


Big Data

CA – Ontario Privacy Commissioner Hosting Event on Big Data and Government

The Information and Privacy Commissioner of Ontario is hosting a Privacy Day Event on government and big data. The IPC event, titled “Government and Big Data: Privacy Risks and Solutions,” will discuss the benefits and risks of big data analytics, the potential for bias, and appropriate safeguards. “How can we ensure that the privacy rights of Ontarians are respected and personal information is managed appropriately and fairly in a big data world? How do we ensure transparency and that results and findings are accurate and nondiscriminatory? How can we protect an individual’s right to challenge findings that are based on these powerful analytical tools?” This free event will take place on Jan. 26, at the Toronto Reference Library. [ipc.on.ca | See also: Big data and insureds: A conundrum?]

US – Hintze, Lafever Release White Paper on The GDPR and Data Analytics

Hintze Law’s Mike Hintze and Anonos’ Gary LaFever have released a white paper on balancing General Data Protection Regulation requirements with data analytic abilities. Entitled “Meeting Upcoming GDPR Requirements While Maximizing the Full Value of Data Analytics: Balancing the Interests of Regulators, Data Controllers and Data Subjects,” the 24-page paper covers topics like “controlled linkable data and the GDPR” and the “benefits of processing controlled linkable data.” [anonos.com] See also: Big Brother collecting big data — and in China, it’s all for sale


CA – Feds Need Help Tackling Cyberthreats, Internal Report Warns

The Canadian government is “simply not up to the overall challenge” of fending off cyberthreats on its own and must partner with the private sector and the United States to tackle the problem, warns a federally commissioned report on cyberthreat information-sharing protocols and policies in Canada and the United States obtained under the Access to Information Act. The report comes amid growing concern about damaging intrusions into computer systems that expose personal information, commercial secrets and sensitive government data — endangering everything from credit ratings to national security. The report, prepared for Public Safety Canada by consulting firm PricewaterhouseCoopers, found the government information-technology community is already overwhelmed with challenges such as aging systems and a move to cloud computing. [CNEWS]

CA – CSIS Assessing ‘Bulk Data’ Collection, Records Show

Canada’s domestic spy service has been trying to figure out ways of obtaining “bulk data” to better feed the holdings of its secretive analytics centre. A 2012 memo by the Canadian Security Intelligence Service speaks of an intelligence-agency pivot with profound implications for privacy and security. Details about the kinds of data being sought by CSIS, and even what exactly it considers bulk data to be, have not been disclosed. But the language used by the spy agency is reminiscent of other so-called bulk-data programs embraced by polarizing U.S. and British intelligence agencies since revealed to have been amassing records relating to the everyday transactions of millions of ordinary people. The Canadian government’s collection practices have never been revealed or debated publicly, even as the closest counterparts of CSIS now openly assert they need bulk data to function. The memo urged all of CSIS to figure out how to better contribute to holdings of the Operational Data Analysis Centre. This secretive facility, known as ODAC, was first publicly exposed by a scathing Federal Court ruling released in the fall of 2016. When the Federal Court of Canada exposed ODAC last year, it urged CSIS to stay mindful that “strictly necessary” is a term that remains the law. Parliament put this limitation on what records CSIS can collect to prevent “an overly expansive interpretation of the agency’s mandate,” the court said in a written ruling. The 14 specially cleared judges who approve CSIS intelligence officers’ wiretap warrants complained that no one ever told them about ODAC during its 10 year of operations. [Globe & Mail]

CA – Snowden Urges UW to Build Tools to Protect Privacy

Edward Snowden urged the University of Waterloo to help develop new technology to defend privacy, to fend off hackers and defeat the government surveillance that he exposed. A campus audience of more than 500 gathered in a theatre to watch him speak and hear his challenge. Snowden said hackers and watchers are using technology to go on the offence against vulnerable citizens who can’t defend their privacy. He’d like to see scholars and university students put their minds to turning that around. “The world needs you to come up with ideas of mixing these communications in ways that not only protects the content of communications … but it protects the fact that communications occurred at all.” Snowden made several Canadian references, about Montreal police spying on journalists, about Canada’s spy agency possibly spying on journalists, and about federal anti-terrorism legislation. The Record | Snowden inspires Waterloo audience]

CA – Clinic Video and Audio Recordings Unauthorized and Excessive: OIPC BC

The Office of the Information and Privacy Commissioner in British Colombia conducted an audit of a private medical clinic’s privacy management program, pursuant to the Personal Information Protection Act. The clinic had 8 cameras located throughout its facility (the lobby, hallways, back exits, workout room); patients, employees and others entering the clinic had not provided express or deemed consent for the surveillance (signage at the entrance was insufficient), there was no evidence monitoring/recording was necessary for safety, security or any other significant issue, and the personal information collected was used for purposes beyond security (liability protection, staff monitoring, internal loss auditing. [OIPC BC – Audit and Compliance Report P16-01 – Surveillance and Privacy Compliance in a Medical Clinic]


WW – Microsoft Announces Privacy Updates for Windows 10

The Windows 10 Creators Update will include a “web-based privacy dashboard“ for users to better understand and control the information Microsoft collects on them. “From the page, Microsoft account holders will be able to clear their browser, Bing search and location activity,” along with digital assistant Cortana-saved information. “On the other side of the equation, Microsoft is trying to help people who install Windows with their data-sharing preferences, guiding them through virtually every data-sharing option, including location, speech recognition and diagnostics.” While the updates aren’t slated until spring 2017, Windows Insiders may download a beta version of the dashboard to test now. Coming later this year in the Windows 10 Creators Update is a reworking of the operating system-level privacy controls. The main thing these will do is to make the choice more explicit. As such, this moves the Windows 10 privacy settings from a model of tacit consent to explicit affirmation. Still missing, however, is the ability for most Windows users to disable telemetry entirely.  [Mashable | Ars Technica: Windows 10 Creators Update to Rejig Privacy Settings in a Move Unlikely to Please Anyone | Windows 10’s privacy settings will be simpler but more limited with Creators’ Update]

WW – The Future of Artificial Intelligence Becoming Top of Mind

A new $27 million fund is designed to promote research into artificial intelligence in the public interest. The Ethics and Governance of Artificial Intelligence Fund aims to support a “cross-section of AI ethics and governance projects and activities” in the U.S. and around the world. Meanwhile a supplementary paper from the World Economic Forum — which just released its Global Risks Report 2017 — raises concerns about weaponized AI, cyberattacks through internet-of-things devices, and the use of biotechnology. Researchers from Oxford University have released a report detailing how the General Data Protection Regulation could heavily impact the rollout of AI and machine learning. Separately, the European Parliament’s Legal Affairs Committee has urged the European Commission to create rules around the ethical use and liability of robotics. [TechCrunch]


US – Minneapolis Settles More Lawsuits Over Snooping in Driver Database

The long list of lawsuits against Minnesota governments for employees improperly snooping into the state driver’s license database is slowly shrinking. A flood of lawsuits hit governments across the state several years ago after it became clear the state’s driver and vehicle services database was being misused. The database contains photographs, addresses and driving records of Minnesotans with a license. A number of those cases have been dismissed or severely narrowed by court decisions regarding the statute of limitations and which lookups will be considered improper. Minneapolis City Attorney Susan Segal said about a half-dozen cases remain active against the city, down from a peak of about 40. Some were settled. [Star Tribune]


CA – Private Right of Action under CASL Coming July 2017

Canada’s Anti-Spam Law came into force on July 1, 2014. Since then, all eyes have been on the CRTC for decisions concerning CASL violations. In the cases made public to date, monetary penalties or settlement payments have ranged from $48,000 to $1.1 million. Whatever steps Canadian and foreign companies have taken to date, 2017 will be the time to revisit CASL compliance. On July 1, 2017, the private right of action (PRA) comes into force under CASL. An individual or organization who is affected by a contravention may litigate to enforce the new private rights directly. While CASL does not expressly provide for class actions, it is broadly expected that such actions will be launched to permit large numbers of applicants (for example, the recipients of alleged spam) to pursue compensation as a group. Where the court finds a violation, it may order not only compensation for the applicant’s damages, but also monetary payments. When the court sets the amount to be paid, it must consider the purpose of the payment order – which “is to promote compliance and not to punish”, the nature and scope of the violation, the history of compliance, any financial benefit or compensation from the conduct, ability to pay, and “any other relevant factor”. CASL also provides for extended liability. Directors, officers, agents or mandataries of a corporation may be liable if they directed, authorized, assented to or participated in the contravention. Where an employee’s conduct in the course of his or her employment breaches CASL, the employer may be vicariously liable. [Privacy and Security Law | Why the Private Right of Action afforded by Canada’s Anti-Spam Legislation should concern Insurers who underwrite Risks in Canada | Strap on your Helmet …CASL: The summer of 2017 is going to be brutal | Related: Lessons Learned: E-Learning Company Faces $50K Spam Fine | CRTC Enforcement Advisory – Records to Show Consent | Privacy Law and Anti-Spam – Guidance from the Office of the Privacy Commissioner | Canada’s Anti-Spam Law: Not just for Canadians | CASL Applies to Software January 15 2015 | New CASL Compliance and Enforcement Guidelines |


US – FBI Releases Censored Documents on San Bernardino Encryption Case

The FBI released 100 pages of highly censored documents covering its agreement with an anonymous vendor to hack into the iPhone used by one of the San Bernardino, California, shooters. The censored documents did not show the amount the FBI paid the vendor, the identity of the vendor, or the way the phone was unlocked. The information did include portions of the FBI’s nondisclosure agreement with the vendor and at least three inquiries from companies looking to create a product to unlock the phone. The three companies could not create the solution fast enough for the FBI to use. The records were produced in response to a federal lawsuit filed against the FBI by The Associated Press, Vice Media and Gannett under the U.S. Freedom of Information Act. [The Associated Press]

US – DARPA Announces Plans to Develop Data-Sharing Technology

The Department of Defense’s research branch, the Defense Advanced Research Projects Agency, has begun a project that would allow U.S. troops around the world to securely send and receive “sensitive information” from their own devices. “The program, dubbed SHARE, for Secure Handhelds on Assured Resilient networks at the tactical Edge, would be used on handheld devices, laptops or tactical radios.” “The vision of SHARE is to develop software that moves the multilevel security management function from a handful of data centers down to trusted, handheld devices on the tactical edge,” said DARPA’s Joe Evans. DARPA scheduled a Proposers Day for the initiative on Jan. 31. [ComputerWorld]

EU Developments

EU – EU Releases Proposed e-Privacy Regulation Repealing e-Privacy Directive

The European Commission officially released its proposed draft regulation concerning privacy in electronic communications – the Regulation:

  • enters into force on the 20th day following its publication in the Official Journal;
  • will apply from May 25, 2018; and
  • repeals the e-Privacy Directive from May 25, 2018.

The Regulation applies to OTT providers, does not contain any specific data retention provisions (Member States may create national targeted data retention frameworks, taking into account case-law of the Court of Justice on the interpretation of the ePrivacy Directive), and the Regulation imposes calling line identification requirements (including on calls to third countries originating in the EU and vice-versa); infringements can be subject to administrative fines (up to €20,000,000) or up to 4% of total worldwide financial turnover. [European Commission – Proposal for a Regulation of the European Parliament and of the Council Concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications and Repealing Directive 2002/58/EC (‘Regulation on Privacy and Electronic Communications’)

EU – Commission Proposes High Level of Privacy Rules

The Commission is proposing new legislation to ensure stronger privacy in electronic communications, while opening up new business opportunities. The measures presented today aim to update current rules, extending their scope to all electronic communication providers. They also aim to create new possibilities to process communication data and reinforce trust and security in the Digital Single Market – a key objective of the Digital Single Market strategy. At the same time, the proposal aligns the rules for electronic communications with the new world-class standards of the EU’s General Data Protection Regulation. The Commission is also proposing new rules to ensure that when personal data are handled by EU institutions and bodies privacy is protected in the same way as it is in Member States under the General Data Protection Regulation, as well as setting out a strategic approach to the issues concerning international transfers of personal data. The proposed Regulation on Privacy and Electronic Communications will increase the protection of people’s private life and open up new opportunities for business:

  • New players: 92% of Europeans say it is important that their emails and online messages remain confidential. However, the current ePrivacy Directive only applies to traditional telecoms operators. Privacy rules will now also cover new providers of electronic communications services, such as WhatsApp, Facebook Messenger, Skype, Gmail, iMessage, or Viber.
  • Stronger rules: By updating the current Directive with a directly applicable Regulation, all people and businesses in the EU will enjoy the same level of protection for their electronic communications. Businesses will also benefit from one single set of rules across the EU.
  • Communications content and metadata: Privacy will be guaranteed for both content and metadata derived from electronic communications (e.g. time of a call and location). Both have a high privacy component and, under the proposed rules, will need to be anonymised or deleted if users have not given their consent, unless the data is required for instance for billing purposes.
  • New business opportunities: Once consent is given for communications data, both content and/or metadata, to be processed, traditional telecoms operators will have more opportunities to use data and provide additional services. For example, they could produce heat maps indicating the presence of individuals to help public authorities and transport companies when developing new infrastructure projects.
  • Simpler rules on cookies: The so called “cookie provision”, which has resulted in an overload of consent requests for internet users, will be streamlined. New rules will allow users to be more in control of their settings, providing an easy way to accept or refuse the tracking of cookies and other identifiers in case of privacy risks. The proposal clarifies that no consent is needed for non-privacy intrusive cookies improving internet experience (e.g. to remember shopping cart history). Cookies set by a visited website counting the number of visitors to that website will no longer require consent.
  • Protection against spam: Today’s proposal bans unsolicited electronic communication by any means, e.g. by emails, SMS and in principle also by phone calls if users have not given their consent. Member States may opt for a solution that gives consumers the right to object to the reception of voice-to-voice marketing calls, for example by registering their number on a do-not-call list. Marketing callers will need to display their phone number or use a special pre-fix that indicates a marketing call.
  • More effective enforcement: The enforcement of the confidentiality rules in the Regulation will be the responsibility of national data protection authorities.

Source: European Commission – Press release | Stronger privacy rules for electronic communications – Questions and Answers | Communication on Exchanging and Protecting Personal Data in a Globalised World – Questions and Answers | Regulation on Privacy and Electronic Communications | Regulation on data protection rules applicable to EU Institutions | Communication on Exchanging and Protecting personal data in a globalised world | More information on ePrivacy | See also: IAPP.org | EU is failing to deliver Digital Single Market, says techUK | EU suggests certification schemes and codes of conduct could offer data transfer tools of the future, says expert | Plans for new e-Privacy Regulation published by European Commission | Facebook, Google face strict EU privacy rules that could hit ad revenues | New Notice and Consent Rules under Proposed EU e-Privacy Regulation | EU privacy proposal could dent Facebook, Gmail ad revenue]

EU – Hogan Lovells, Panthéon-Assas Create First DPO Degree Program

Panthéon-Assas University and Hogan Lovells have teamed up to create the first university degree for training Data Protection Officers under the General Data Protection Regulation. The program will include courses in law, cybersecurity, data analytics, management, and ethics, and will be taught by faculty including law school professors, practicing DPOs, information security specialists, lawyers CNIL regulators, and representatives from major companies, such as Google and Microsoft. [HL Data Protection]

EU – Every French Citizen Presumed to Be Organ Donor Under New Law

France has passed a law making every citizen an organ donor, unless they opt out by registering with a national refusal registry. The presumed consent law, which came into effect on Jan. 1, was passed in hopes of increasing organ and tissue donation. According to France’s national agency for biomedicine, individuals who do not wish to be an organ or tissue donor can either officially register their refusal or express their wishes to family who will be consulted before a donation is made. According to The Guardian, in a matter of one day, 150,000 citizens signed up for the refusal registry. In Canada, organ donation registration is managed provincially or territorially. Registration in Saskatchewan is the lowest in the country with less than one per cent of the province’s eligible residents having registered. In November, Saskatchewan Premier Brad Wall sought to implement the presumed consent model. The province’s Standing Committee on Human Services opposed the plan, but provincial Health Minister Jim Reiter said last month that they were still hoping to pass presumed consent in the province. Ronnie Gavsie, president and CEO of Ontario’s organ donation agency, Trillium Gift of Life, said presumed consent seems like a silver bullet but research shows it’s not. Citing Spain and Singapore as examples of where presumed consent alone didn’t have a dramatic impact on donation rates, Gavsie said implementing better policy and infrastructure to encourage more organ donation has seen increased rates. In Ontario, 30% of eligible donors are registered, up from around 24% in the last five years. Gavsie said new data being released in the next few months indicates a positive trajectory year over year. [Global News]

UK – Report: Children Do Not Comprehend Privacy Policies, Terms of Service

A report from the U.K. Children’s Commissioner revealed young internet users do not understand the privacy policies and terms of service of the social networks they join. Schillings law firm partner Jenny Afia rewrote the terms of service for Instagram in child-friendly language for the report. “One-third of internet users are children, but the internet wasn’t created for children,” Afia said. The report found the only people who could properly comprehend Instagram’s terms of service were people who had postgraduate levels of education. The report offered several suggestions, including rewriting the General Data Protection Regulation in terms children can understand and offering a “digital citizenship” program to teach young children about protecting their privacy online. [Quartz]

UK – Advocacy Group Spearheads Crowdfunding Campaign Against Investigatory Powers Act

Civil liberties group Liberty has started a CrowdJustice funding campaign to fuel a U.K. High Court challenge of the Investigatory Powers Act. Liberty takes particular umbrage with the act’s provision allowing internet service providers to log users’ internet use, calling the records “a goldmine of valuable personal information for criminal hackers and foreign spies.” The group has further called for the High Court to review the act’s “bulk interception, bulk hacking and bulk personal data sets… We’re very confident the High Court will rule that the powers we’re challenging are unlawful,” said a Liberty spokeswoman, who added that depending on the courts, the group could have a decision within the year. [TechCrunch]

EU – Paper Shows EU Affection for New Data-Transfer Mechanisms

Pinsent Masons’ Marc Dautlich has argued that a newly released paper from the European Commission indicates “the EU body’s appetite for new mechanisms for transferring personal data to emerge from certification schemes and codes of conduct provided for by the General Data Protection Regulation.” “Dautlich said that legal uncertainty over the future of some data transfer tools, including to EU model contract clauses, could help encourage the development of alternatives based on GDPR certification schemes and codes of conduct.” He added that a way for organizations to “engage and exercise some control over their international data transfers” is to embrace certification schemes and codes of conduct as ways to establish “more legal certainty over such transfers.” [Out-Law.com]

EU – Commission Unsatisfied With US Reasoning for Yahoo Email Scanning

After asking for clarification on the matter, the European Commission is not satisfied with the U.S. government’s explanation of Yahoo’s email scanning practices for intelligence purposes. The U.S. promised not to participate in bulk surveillance in order to secure the EU-U.S. Privacy Shield. “While Yahoo is not signed up to the Privacy Shield and the scanning took place before the framework existed, the issue is a first test case of how the new system and the U.S. commitments on spying work in practice.” “I am not satisfied because to my taste the answer came relatively late and relatively general, and I will make clear at the first possible opportunity to the American side that this is not how we understand good, quick and full exchange of information,” said EU Justice Commissioner Věra Jourová. [Reuters]

EU – European Commission Clarifies Ad Blocker Detection’s Legality

In a proposed reform of Europe’s privacy law, the European Commission has said that websites’ detection of ad blockers is legal. “To combat the rise of ad blocking technology, which stops online adverts from showing up on websites, many publishers have opted to ban users who refuse to see advertising.” Previously, the move was largely seen as living in a “legal gray area.” EU digital policy head, Andrus Ansip, acknowledged the move might irk privacy advocates and those “people who want free access and couldn’t care [about] editorial costs,” he said. “But legal clarity is needed.” Publishers were pleased with the announcement. “It is vital that we retain the right to protect our content from those who wish to circumvent that value exchange,” said Dennis Publishing Chief Technology Officer Paul Lomax. [Financial Times]

EU – Draft German Law Pushes Private Video Surveillance in Public Areas

The German Government has presented a draft law that facilitates video surveillance for private operators of public areas and public events. The Federal Data Protection Law will be amended to introduce a legal basis for video surveillance. According to the draft law, the protection of life, health and freedom shall be regarded as a “particularly important public interest” that allows video surveillance. Private operators will not be obliged to install cameras. However, the government hopes that they will make more use of them. The German Association of Judges considers that the draft law conflicts with the German Constitution. [Global IP & Privacy Law Blog]


Study: Online Debt Lists Often Go Unencrypted

A Consumer Financial Protection Bureau study has found that lists of debts sold online to “would-be collection companies” are easily available and often unencrypted, including personal information like Social Security numbers and birthdates and other sensitive personal information of the purported debtors. “The Bureau is working to clean up abuses in this industry, and to see that all consumers are treated with fairness, decency, and respect,” CFPB Director Richard Cordray said. The study “expands public understanding of debt collection in the U.S. by providing the first comprehensive and nationally representative data on consumers’ experiences with a multibillion-dollar industry that includes more than 6,000 collection companies.” The bureau will host an event on debt collection in Washington this week. [USA Today]


CA – Nova Scotia’s New FOIPOP Website Welcomed, but ‘Systemic Problems’ Persist: Critics

Nova Scotia is making it easier for people to request and access government information. The government launched a new website with a warm welcome from people who make those requests but critics say more needs to be done to improve transparency. When requests are fulfilled, the applicants’ materials will be posted on the website after seven calendar days for anyone to access. The materials will stay on the website for three years. “These changes are cosmetic in nature, they’re positive, but they’re a small step forward,” said Kevin Lacey, Atlantic director for the Canadian Taxpayers Federation. [Global News]

CA – $180K for GTH Documents ‘Excessive’ and ‘Unreasonable’ –OIPC SK

Saskatchewan’s Information and Privacy Commissioner has rebuked the provincial government for demanding $180,000 for documents about the Global Transportation Hub land deal. In reports directed to each agency, commissioner Ron Kruzeniski concluded “this excessive fee was an unreasonable barrier to access.” In March, CBC filed 13 requests to the ministry and 15 to the GTH related to various aspects of the GTH land deal. Both agencies responded by lumping all the requests together and assessing the massive fee. Kruzeniski found they had “inappropriately issued one estimate of costs to respond to the applicant [CBC].” [CBC | Privacy commissioner calls for GTH land deal documents to be released; province not compelled to do so | Is the Sask. government hiding stuff behind huge info fees? | GTH won’t release land deal appraisal because it could ‘harm the reputation’ of preparer Province worried disclosure of appraisal could affect government negotiations


CA – Life Insurers to Limit Genetic Test Disclosure

Canada’s life insurance industry has announced new measures aimed at protecting consumers from genetic discrimination. Insurance companies have agreed to a voluntary pledge stating they will no longer ask individuals applying for life insurance up to $250,000 for genetic testing information, or incorporate any information from previous genetic tests. The companies may still use tests for any person applying for higher amounts, but won’t inquire for results if the tests were done for medical purposes. Advocates for a federal bill (Bill S-201) making genetic discrimination illegal say the insurance industry’s pledge doesn’t go far enough and will still make citizens vulnerable to insurers, employers and other entities who may discriminate based on genetic testing results. [The Globe and Mail] [The Canadian Press]

Health / Medical

US – OCR Announces First HIPAA Settlement for Untimely Data Breach Reporting

The U.S. Department of Health and Human Services’ Office for Civil Rights announced Presence Health will pay $475,000 for the first HIPAA settlement based on the untimely reporting of a data breach involving unsecured protected health information. Presence Health sent a breach notification to the OCR in January 2014 stating it had discovered paper-based operating room schedules containing the PHI of 836 individuals had gone missing in October 2013. An OCR investigation found Presence Health did not notify the affected individuals, prominent media outlets, and the OCR within 60 days of discovering the breach. “Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements” said the OCR Director. [Full Story]

US – OCR Releases FAQ Clarifying PHI Disclosures Within HIPAA Privacy Rule

The U.S. Department of Health and Human Services’ Office for Civil Rights released a FAQ clarifying aspects of personal health information disclosure policies with patients’ family members and other loved ones under the HIPAA Privacy Rule. The release of the FAQ is partially a response to the confusion surrounding the disclosure of health information following the 2016 Pulse nightclub shooting in Orlando, Florida. “In either circumstance, the person can be a patient’s family member, relative, guardian, caregiver, friend, spouse, or partner,” the FAQ reads. “The Privacy Rule defers to a covered entity’s professional judgment in these cases and does not require the entity to verify that a person is a family member, friend, or otherwise involved in the patient’s care of payment for care.” [HealthITSecurity]

US – Court Rules Reporting Patients Who View Child Porn Does Not Violate Privacy

An appellate court ruled a California law mandating psychotherapists report patients looking at internet child pornography is not a violation of patients’ privacy. The ruling also covers teenagers involved in any form of sexting. “The privacy interest of patients who communicate that they watch child pornography is outweighed by the state’s interest in identifying and protecting sexually abused children,” Division Two of the Second Appellate District ruled. The ruling came after several counselors aimed to block the Child Abuse and Neglect Reporting Act. CANRA required certain professionals to report any patients who made or exchanged child pornography. In 2014, the law was updated to include downloading child porn electronically. While the counselors said the act would scare off patients needing treatment, the three-judge panel said patients cannot expect privacy rights to cover child pornography, as viewing the material is illegal. [Courthouse News]

US – Joint Commission Reinstates Ban on Physicians Texting Patient Orders to Hospitals

The Joint Commission, which accredits and certifies healthcare organizations and programs in the US, issued a statement reinstating its ban on the use of text messaging to send healthcare orders. Privacy and security concerns remain about transmitting text orders even when a secure text messaging system is used; health care organizations should immediately suspend the process and revise their policies and procedures to prohibit the use of unsecured text messaging (computerized provider order entry systems remain the preferred method for electronically transmitting patient care orders. [TJC – Clarification – Use of Secure Text Messaging for Patient Care Orders is Not Acceptable | MWE.com]

US – FDA Discovers Security Vulnerabilities in St. Jude Health Tech

The U.S. Food and Drug Administration has discovered cybersecurity vulnerabilities in St. Jude Medical’s implantable cardiac devices and its Merlin@home Transmitter, the agency reports in a safety communication. After FDA review, the agency “confirmed that these vulnerabilities, if exploited, could allow an unauthorized user, i.e., someone other than the patient’s physician, to remotely access a patient’s RF-enabled implanted cardiac device by altering the Merlin@home Transmitter… The altered Merlin@home Transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks.” While no reports of manipulated devices exist, St. Jude issued a patch to fix the technology’s vulnerabilities. [FDA.gov]

Horror Stories

US – 900 GB of Cellebrite Data Stolen and Released

Hackers have accessed and released 900 GB of data from Cellebrite, a “mobile phone hacking” company “popular with U.S. federal and state law enforcement” and potentially with governments like Russia and Turkey. The released information includes customer data, databases and information on Cellebrite’s products, and some appears to be from servers related to the company’s website. “The breach is the latest chapter in a growing trend of hackers taking matters into their own hands, and stealing information from companies that specialize in surveillance or hacking technologies.” After Motherboard informed Cellebrite of the breach, the company launched an investigation and advised Cellebrite users to change their passwords as a precaution. [Motherboard]

US – Big Law, Big Data, Big Problem

2016 was the year that law firm data breaches landed and stayed squarely in both the national and international headlines. There have been numerous law firm data breaches involving incidents ranging from lost or stolen laptops and other portable media to deep intrusions exposing everything in the law firm’s network. Law firms are warehouses of client information and how that information is protected is being increasingly regulated and scrutinized. Annually, the ABA conducts a Legal Technology Survey (Survey) [see here] to gauge the state of our industry vis-à-vis technology and data security. The Survey revealed that the largest firms (500 or more attorneys) reported experiencing the most security breaches, with 26% of respondents admitting they had experienced some type of breach. This is a generally upward trend from past years and analysts expect this number only to rise. This is likely because larger firms have more people, more technology and more data so there is a greater exposure surface and many more risk touch-points. The 2016 Survey shows that while many law firms are employing some safeguards and generally increasing and diversifying their use of those safeguards, our industry may not be using common security measures that other industries employ. [Polsinelli on Privacy | Chinese hackers of NY law firms charged | Chinese Traders Charged With Trading on Hacked Nonpublic Information Stolen From Two Law Firms | U.S. Charges Three Chinese Traders With Hacking Law Firms | Chicago Law Firm Accused of Lax Data Security in Lawsuit | Chicago’s Johnson & Bell First US Firm Publicly Named in Data Security Class Action | Law Firms’ Security Cross-Examined | Exclusive: China Stole Data From Major U.S. Law Firms]

Identity Issues

US – REAL ID Warning Signs Appear at Airports

Signs are sprouting up at many airports to alert travelers that beginning Jan. 22, 2018, the Transportation Security Administration will begin strict enforcement of the REAL ID requirements at airport security checkpoints. As it does now, TSA will continue to accept alternate forms of ID at airports, such as a passport, military ID or permanent resident card. But next year, driver’s licenses and state-issued ID cards from the nine states that don’t yet have REAL ID-compliant driver’s licenses and IDs — Kentucky, Maine, Minnesota, Missouri, Montana, Oklahoma, Pennsylvania, South Carolina and Washington — won’t be accepted. While DHS emphasizes that REAL ID “is a national set of standards, not a national identification card,” opponents argue that the act creates a national identity card and allows the federal government to gather and store too much personal information. Citing costs and other issues associated with implementing the standards, many states have opposed the REAL ID Act as well. [USA Today | Our Opinion: Maine shouldn’t cave on Real ID law | DHS: Even-handed Enforcer or Punisher of Select States? | Feds Ramp Up REAL ID Bullying Tactics | Yes, Michael, REAL ID Is a Nationwide Data-Sharing Mandate | REAL ID, Rumor Control, and You] See also: [Power Arrangements in Identity Systems]

Internet / WWW

WW – ‘Datak’ Online Game Looks to Educate Players On Data Privacy

Radio Télévision Suisse has released “a serious game about data protection and privacy” in four languages on its website. The game, “Datak,” looks to “raise awareness of data collection in all areas of life and how it is used,” Radio Télévision Suisse said. The goal is to provide an educational tool but more importantly a fun and informative game that raises awareness without lecturing,” said On en Parle’s Julien Schekter. The online game is recommended for players ages 15 and up, and additionally doesn’t collect users data, Radio Télévision Suisse said. [Infomaniak]

Law Enforcement

CA – Street Checks by Halifax Police Are Unacceptable Says Privacy Lawyer

On Monday, Halifax Regional Police (HRP) released the preliminary analysis of data on “street checks” by patrol officers from 2005-2016. This came as a direct result of an investigative article by CBC, which found black people are three times more likely to be stopped by police in HRM than white individuals. [Halifax privacy lawyer David] Fraser says he was impressed to see HRP’s research coordinator, Chris Giacomantonio, taking a closer look at street checks. Still, he sees the practice as “inherently coercive” if police aren’t advising people that they don’t have to go along with it. He compares the issue to the act of “carding” in Toronto, as well as the more invasive “stop-and-frisk” practices in New York. Although HRP chief Jean-Michel Blais insisted during and after Monday’s board of police commissioners’ meeting that the cases in Halifax and Toronto aren’t the same, Fraser doesn’t see much of a difference. [The Coast | Tory MLA demands Alberta government stop police carding | City police reviewing street data collection amid civil liberties concerns over “carding” | Police stops based on racial profiling a reality, say Calgarians | Support for ‘bold’ Black Lives Matter carding data proposal | Trump Would Expand Stop-and-Frisk Program to Inner Cities Across U.S. | Donald Trump Embraces Wider Use of Stop-and-Frisk by Police | DNA Dragnet: In Some Cities, Police Go From Stop-and-Frisk to Stop-and-Spit ]

CA – Ontario Police Force May Post Names of Alleged Drunk Drivers Online

A major southern Ontario police force is considering naming and shaming alleged impaired drivers on social media, following one of the worst years on record for such offenses and few signs that current efforts will be sufficiently effective in 2017. York Regional Police tweeted about the possible policy change on Monday, following the arrest of a driver found passed out at the wheel in the middle of a busy intersection. “We’ve been discussing posting the names of all charged with impaired driving,” the force tweeted. “More to follow on that one” Impaired driving charges have been on the rise in the region north of Toronto for the past five years. While the practice of identifying those facing criminal charges online is by no means new, York Regional Police Const. Andy Pattenden said individuals charged with impaired driving offences would be listed on a separate page for 30 days and their names would be made public on social media. The strategy would also take aim at those who breach the automatic 90-day licence suspension that comes with an impaired driving charge in Ontario. York Region isn’t the first police force to put an extra spotlight on alleged impaired drivers. Const. Pattenden said Niagara Regional Police Service and Durham Regional Police Service, as well as other in the province, have implemented similar strategies. [CTV News]


US – Uber Makes Urban Traffic Data Available to City Officials, Researchers

As more cities seek access to Uber’s data, the ride-hailing company announced it is making its urban traffic data accessible to city officials and researchers, with future plans to make the information available to the public. Officials can access the data on a website called Uber Movement, allowing users to access Uber’s large amount of traffic information. Uber posted blog entries designed to show the ways urban planners and city officials can use the company’s data. Uber ensured all the information on the website will be private. The data will not include individual rides, but rather the travel times between specific locations. In areas where trips are not prevalent, maps will be grayed out to protect consumer privacy. [The Hill]

Online Privacy

US – TV Anchor Says Live On-Air “Alexa, Order Me A Dollhouse” – Guess What Happens Next

A San Diego TV station sparked complaints after an on-air report about a girl who ordered a dollhouse via her parents’ Amazon Echo caused Echoes in viewers’ homes to also attempt to order dollhouses. Telly station CW-6 said the blunder happened during a morning news package about a Texan six-year-old who racked up big charges while talking to an Echo gadget in her home. According to her parents’ Amazon account, their daughter said: “Can you play dollhouse with me and get me a dollhouse?” Next thing they knew, a $160 KidKraft Sparkle Mansion dollhouse and four pounds of sugar cookies arrived on their doorstep. During that story’s segment, a CW-6 news presenter remarked: “I love the little girl, saying ‘Alexa ordered me a dollhouse’.” That, apparently, was enough to set off Alexa-powered Echo boxes around San Diego on their own shopping sprees. The California station admitted plenty of viewers complained that the TV broadcast caused their voice-controlled personal assistants to try to place orders for dollhouses on Amazon. Voice-command purchasing is enabled by default on Alexa devices. [The Register] See also: [Servant or spy? Law enforcement, privacy advocates grapple with brave new world of AI assistants]

CA – Experts Divided on Social Media Surveillance

Experts are divided on whether actions taken against Media Sonar of London, Ont. [losing access to Twitter], were justified, but are united in the view that the case highlights the elusive balance between public safety and basic privacy rights. Media Sonar touts its social media monitoring software and algorithms as ideal tools for police and corporations to aggregate and filter data to improve safety and protect corporate assets. Twitter cut off the company’s access to its application program interface (API), saying its policies explicitly state that no third party can make use of Twitter data for surveillance purposes. [Waterloo Record | Twitter cuts off third surveillance firm for encouraging police to spy on activists | How Despots Use Twitter to Hunt Dissidents | Police Searches Of Social Media Face Privacy Pushback | Facebook, Instagram, Twitter block social media tool Geofeedia over protest surveillance | Police Use Surveillance Tool to Scan Social Media, A.C.L.U. Says | Facebook, Instagram, and Twitter Provided Data Access for a Surveillance Product Marketed to Target Activists of Color | Social media companies rescind access to Geofeedia, which fed information to police during 2015 unrest | Facebook, Instagram, Twitter Block Tool For Cops To Surveil You On Social Media

US –FTC Study Examines Depths of Cross-Device Tracking

In a paper penned by the FTC Office of Technology Research and Investigation (OTech for short) [see FTC PR here], it was revealed that the majority of Alexa’s 100 most popular websites have policies that reserve the right to allow for third-party tracking and data collection, including browser data. According to the findings only three of the 100 sites tested linked to a privacy policy that clearly acknowledge enabling third-party cross-device tracking. [Read the full report here.] While the report acknowledged several benefits related to cross-device tracking – saving credit card information, past purchase history, shipping information, et cetera – it’s also possible for companies to match cross-device data to offline data without the consumer being aware. Privacy policies were resoundingly mum on whether this was happening or to what extent. [AdExchanger | Advertising Age | FTC’s Cross-Device Study Reveals Opacity of Data-Sharing Practices]

Privacy (US)

US – LabMD Files Review Petition Against Data Breach Allegations

LabMD filed a petition for review on December 27, 2016, following a U.S. federal appeals court granting a stay of an FTC order in the continuing battle between the two parties over data breach allegations. The U.S. Court of Appeals for the 11th Circuit ruled that there was a low possibility of consumer risk or injury from the emotional harm and acts from the security issue. Additionally, the judges maintained that the FTC claims of “unfairness” did not meet the standards of the law that the agency was citing. In its petition for review, LabMD claimed that there had been “significant issues of statutory and constitutional interpretation” from the FTC. The agency overstepped its bounds in authority and “destroyed a small medical testing company.” The agency also did not prove that the document exposure was in any way connected to LabMD being able to “reasonably protect data maintained on its computer network” and it was not proven if those documents were even maintained on or taken from the network. The judge added that the “probability” that a health data breach would occur due to LabMD’s action was not proven. [Health IT Security | FTC Overstepped Data Security Authority: Appeal Briefs | Leaders from medical, business, tech rally around LabMD appeal of FTC ruling | LabMD’s 11th Circuit FTC Appeal: The Opening Shot | LabMD challenges scope of FTC’s cyber authority | The FTC Faces an Embarrassing Set-Back in its Data Security Enforcement Authority as the LabMD Saga Continues | LabMD Presses Appeals Court on FTC Data Security Case | Did the FTC Just Rewrite its Statute? What LabMD Means for Data Security Cases Going Forward]

US – U.S. Promotes Risk-Based Data Breach Response Model

The exiting Obama administration has embraced a risk-based approach to data breach preparation and mitigation for federal agencies in an Office of Management and Budget memorandum Although aimed at agencies, official OMB guidance carries weight in the private sector. The endorsement of a risk-based approach is an acknowledgment that breaches are inevitable and resources should be directed at where the risk of breaches are more likely, the cybersecurity pros said. In addition, the report supports efforts to limit breach notices. The OMB Jan. 3 memo to federal agencies’ senior privacy officials outlined a “framework for assessing and mitigating the risk of harm to individuals potentially affected by a breach as well as guidance on whether and how to provide notification and services to those individuals.” The OMB memo said that agencies should assess “whether and when to notify individuals potentially affected by a breach.” Agencies should “balances the need for transparency with concerns about over-notifying individuals” as notifications may not always be helpful. [BNA.com | OMB Publishes Memorandum on Responding to Data Breaches | White House Issues Data Breach Guidance for Federal Agencies | White House issues gov’t-wide breach notification protocols]

US – Labor Department Sues Google Demanding More Detailed Employee Data

The U.S Department of Labor is suing Google to obtain more detailed employee compensation data, but the Web giant says the agency’s demand is too broad and would reveal personal information. The request for the “compensation snapshot” was sent in September 2015 and Google was supposed to have responded with the data by June 2016. The requested information included job and salary history for certain employees including their starting salaries, starting job levels, starting organization within Google and all changes to their jobs and salaries since being hired by the company. In a statement, the company denied that it was resisting the government’s request to turn over the data to the Department of Labor and said that its actions were based on the fact that the requested data was far too broad and intrusive. [eWeek]

US – D-Link Fights Back Against ‘Baseless’ Data Security Lawsuit

Suing companies for the potential of a data security breach would stifle IoT innovation, the firm representing D-Link against the FTC’s lawsuit has argued. Cause of Action Institute has announced that it will be defending D-Link against the FTC’s “unwarranted and baseless” lawsuit claiming that the technology company put thousands of customers at risk of unauthorised access by failing to secure its IP cameras and routers. [See here ] The FTC should not be able to “bring a lawsuit on the mere potential of a data security breach”, Cause of Action Institute assistant VP Patrick Massari argued, as this would stifle innovation and uptake of the Innovation of Things (IoT). “This lawsuit is another instance of the FTC’s unchecked regulatory overreach nearly every company will be subject to unconstrained and unexplored data security liability. Such limitless liability coupled with FTC’s history of unrelentingly litigious oversight will no doubt have a chilling effect on innovation in the Internet of Things.” D-Link Systems chief information security officer William Brown said the company is committed to fighting the FTC’s “false allegations” alongside Cause of Action Institute, which also represented LabMD in its successful data security suit against the FTC in 2015. [ZDNet | FTC vs D-Link: The legal risks of IoT insecurity | FTC sues D-Link for ‘insecure’ routers and IP cameras | FTC Charges D-Link Put Consumers’ Privacy at Risk Due to the Inadequate Security of Its Computer Routers and Cameras | FTC IoT privacy and security push points out D-Link router and webcam flaws | D-Link Calls The FTC’s Router And IP Camera Security Allegations ‘Baseless’ | The FTC Brings Section 5 Charges Against Internet-of-Things Companies]

WW – Your Data Is Being Held for Ransom. Now What?

Ransomware is an old topic in information security circles. Attackers have been hijacking computers and holding files hostage for years now, typically demanding that ransom be paid in bitcoins. Some might expect that a majority of people are well aware of the threat by now and that they’re taking the appropriate precautions. It’s therefore reasonable to assume that online thieves have moved on to new tactics. Sadly, according to a survey Sophos recently conducted, that’s not the case. According to a survey Sophos recently conducted [which asked 1,250 consumers in five countries about their biggest safety fears, where they sought advice for keeping their computers safe and how much they know about ransomware and other malware.] Consumers still feel in the dark about how ransomware works and how to guard against it. One of the toughest questions is what to do if your data is in fact hijacked. Do you pay the crooks or tell them to take a hike? As always, the best defense is not to get infected in the first place, so we’ve published a guide entitled How to stay protected against ransomware that we think you’ll find useful. [Naked Security] [Extortionists Wipe Thousands of Databases, Victims Who Pay Up Get Stiffed]

US – More States Moving to Include Usernames & Email Addresses as PII

A key issue in determining whether notification is required following a data breach is whether “personal information” (PI) was acquired by an unauthorized person. US states vary significantly in defining what information qualifies as PI. Some data breach notification statutes have been expanding the definition of PI, by adding usernames and email addresses. Illinois, Nebraska, and Nevada are the latest Three other states (California, Florida, and Wyoming) had previously enacted laws mandating that either a username or email address constitutes PI when combined with a password or security question and answer that would permit access to an online account. Private and government entities should also be aware that different jurisdictions apply varying standards to the collection of such information. Under European and many other international data privacy laws, PI includes any information that identifies an individual or from which an individual can be identified when aggregated with other information. [Lawfish]

US – States Making Lists of Breached Companies Public

All but three U.S. states require organizations that experience security breaches affecting their residents to report those breaches. While this information is available if people know to ask for it, four states – California, Indiana, Washington, and Massachusetts – have begun making the information publicly and freely available. [Wired: A Few States Now Actually Help You Figure Out if You’ve Been Hacked]

US – Cybersecurity Law Initiative Opens at GW Law

The George Washington University Law School has announced its Cybersecurity Law Initiative. The initiative aims “to bring together the law school’s nationally recognized strengths with expertise from across the university.” Located in Washington, it hosts “regular events on cybersecurity law and technology that are open to GW students as well as members of the public.” Directed by Orin Kerr, affiliated faculty include Daniel Solove and Jeffrey Rosen. [law.gwu/edu]


US – Montana Bill Prohibits Government Use of License Plate Scanners

Montana introduced House Bill No. 149, amending Montana Code Annotated Title 46, Chapter 5, Part 1 and relating to the use of license plate scanners by State and local government. Exemptions to the prohibition include use of a scanner for planning purposes (subject to anonymisation of vehicle, owner and passenger identity), state regulations concerning weight requirements for vehicles at ports of entry and weight stations, or on the State’s own vehicles; the data may only be accessed by a state employee for the purpose of providing customer service or necessary government statistical, administrative, or legal activities, and may only be retained for a maximum of 18 months. [House Bill No. 149 – An Act Generally Prohibiting the Use of a License Plate Scanner by the State or a Local Government – 65th Legislature, Montana]

EU – ENISA Issues Assessment Criteria for Privacy Enhancing Technologies Used in Online and Mobile Applications

The European Network and Information Security Agency (“ENISA”) has issued a paper on parameters that can be used to assess privacy enhancing technologies for secure messaging applications. The criteria aim to provide a general understanding of how applications take user privacy and security into consideration through assessment of maturity and stability (maintenance, community support, audits/reviews), usability (difficulty of use, personal data when installed, user support), privacy policy implementation (types of data stored, number of times data is accessed, profiling), secure messaging (type of encryption used, security of stored data, user/client server/message authentication), anti-tracking tools (mechanisms used, data recipients, known performance issues), and VPNs (firewalls/kill switches used, type of logs used, protection/mitigation methods). [ENISA – PETs Controls Matrix – A Systematic Approach for Assessing Online and Mobile Privacy Tools]

EU – Institutions Should Ensure Applications Processing Personal Data Comply with Data Protection Principles

The European Data Protection Supervisor issued guidelines on protection of personal data in mobile devices developed and provided by EU institutions. Assessments should be done prior to use of mobile applications, taking into account the nature of the personal data to be processed, specific risks identified, and targeted data protection/security features of the operating system; users should be provided with an easily accessible and high visible layered notice, and must provide specific, freely given consent before installation of the applications, data collected and/or transferred must be strictly necessary, and appropriate risk and vulnerability management processes must be implemented. [EDPS – Guidelines on Protection of Personal Data Processed By Mobile Applications Provided by EU Institutions]


CA – Survey: Organizations Overconfident in Cybersecurity Efforts

An Accenture survey found 65% of cybersecurity and IT executives in Canadian organizations are confident their cybersecurity efforts produce valuable results, but the professional service companies says security pros should not be as assured. Of the 124 respondents, more than three-quarters feel their top strategies are achieving desired business outcomes, but one-third also said they have discovered successful data breaches in the last 12 months. The results indicate “that (Canadian) companies have become and remain complacent,” Accenture’s Canadian Cybersecurity Lead Russell Thomas said. “There’s an over-confidence in the marketplace… We really need a wake-up call. Companies need to pay attention to security. Security is at the heart of systems today, supporting an enabling secure business and trusting business.” [IT World Canada]

US – Cyber-Risk Oversight Guide Aims to Inform Boardroom Decisions

The National Association of Corporate Directors at a press conference in Washington yesterday released guidance for directors struggling to manage cyber risks in the boardroom, Angelique Carson reports. Government officials from the Department of Justice and Department of Homeland Security joined the Internet Security Alliance and the NACD in releasing the “Director’s Handbook on Cyber-Risk Oversight,” and took the opportunity to encourage private-sector businesses to collaborate with the government before a data incident occurs. “Opening the kimono is not just good for one entity, but for everyone involved,” said Danny Toler, acting assistant secretary for cybersecurity and communications at DHS. [The Privacy Advisor]


US – NSA Given Expanded Power to Share Intercepted Communications

The Obama administration has given the National Security Agency expanded power to share globally intercepted personal communications with the other 16 government agencies before any privacy protections are implemented. Privacy advocates are concerned the move will harm the rules in place to protect the privacy of American citizens. “Rather than dramatically expanding government access to so much personal data, we need much stronger rules to protect the privacy of Americans,” American Civil Liberties Union lawyer Patrick Toomey said. “Seventeen different government agencies shouldn’t be rooting through Americans’ emails with family members, friends and colleagues, all without ever obtaining a warrant.” [The New York Times] See also: Best Buy technicians flagged customers’ computers with signs of child porn for FBI, lawyers say.

WW – Researchers: China Knows What Citizens Are Doing at ‘Micro Level’

Researchers from the Citizen Lab at the University of Toronto’s Munk School of Global Affairs contend there is a network inside China’s “Great Firewall” designed to collect information on hundreds of millions of individuals everyday in addition to private and state-owned organizations designed to exploit such data. The lab has used popular messaging apps like WeChat, which serves more than 800 million people in China. Citizen Lab’s Ronald Deibert said Chinese authorities “have a wealth of data at their disposal about what individuals are doing at a micro level in ways they never had before.” He adds, “What the government has managed to do, I think quite successfully, is download the controls to the private sector, to make it incumbent upon them to police their own networks.” [CBC News]

US – Oakland Privacy Commission Passes First-of-Its-Kind Surveillance Ordinance

A local privacy committee has sent a proposed surveillance oversight ordinance to the city council. This is a rare example of a major American city set to impose stricter controls on the acquisition, use, and evaluation of spy gear. The “Surveillance and Community Safety Ordinance“ unanimously passed out of Oakland’s Privacy Advisory Commission, formally moving it to the Oakland City Council. Passage of the ordinance was roundly applauded by local civil liberties advocates and legal scholars, some of whom spoke at the meeting. For years, American cities have often accepted federal, state, or regional grant money to obtain various surveillance equipment for their local law enforcement agencies. Lawmakers often don’t ask questions as to how and in what circumstances such gear will be used, neither do they typically evaluate after the fact whether those tools have been actually effective in reducing crime. Catherine Crump, a law professor at the University of California, Berkeley, and a former ACLU attorney, told the commission that the ordinance it has drafted “is thorough, clear, comprehensive, and has the potential to be adopted nationwide.” The draft ordinance may still be subject to minor changes before being adopted by the city council, particularly as to how it will be enforced. [Ars Technica | Oakland Privacy Commission Holds Hearing on ‘Stingray’ Cell Phone Surveillance Devices | Committee vote on police heat sensors signals cooperation between police, privacy activists | We know where you’ve been: Ars acquires 4.6M license plate scans from the cops | Oakland Poised to Lead in Protecting Privacy]

US – Baltimore Police Use Military Technology to Secretly Track You

When protesters took to the street after police shot and killed Michael Brown in Ferguson, Missouri, they were greeted by law enforcement in full body armor, flanked by armored vehicles. In the two and a half years and countless shootings since, militarized police have become an all too familiar sight. In response, citizens have overwhelmingly begun to film these interactions on their smartphones, making the technology the eyes of our nation. But as we watch the police, they also watch us – only they don’t use an iPhone. Often, they use military grade surveillance equipment that gives them a much broader view than simple cell phone cameras ever could. “They view people as enemy combatants,” says activist, as cops adopt surveillance, tracking, facial recognition programs designed for war zones. The city of Baltimore has, in many ways, become ground zero for the military surveillance technology that is slowly making its way from the battlefields into the hands of police departments across the country. The Baltimore Police Department has used surveillance technology such as large-scale aerial surveillance, advanced cell phone tracking and facial recognition technology on Baltimore’s citizens, yet these technologies have had little to no oversight from city government, and most have a disproportionate impact on communities of color. Examined together, these surveillance technologies demonstrate an extended record of secret surveillance by the Baltimore Police Department. [RollingStone | Baltimore surveillance plane documents reveal ignored pleas to go public, who knew about the program, and differing opinions on privacy | Eye in the sky: the billionaires funding a surveillance project above Baltimore | Secret aerial surveillance by Baltimore police stirs outrage | Secret Cameras Record Baltimore’s Every Move From Above | Baltimore police accused of illegal mobile spectrum use with stingrays | Potential FCC Probe of Police Cellphone Trackers Could Serve as Proxy for Congressional Battle]

CA – Vancouver Using Heat-Vision Camera to ID Poorly Insulated Homes

A new pilot project has been announced that will use a heat-vision camera to help Vancouver homeowners cut down on their energy bills. The images will help pinpoint places that heat is escaping, such as poorly insulated doorways, windows and roofs, but won’t show anything that’s happening inside, said Sean Pander, manager of green buildings for Vancouver. “Privacy is well-protected,” Pander said. “[The camera] can’t see anything inside the house, it just sees the surfaces and the temperatures of the surfaces.” .Imaging capturing could start as early as Jan. 15 if the weather is cold and dry enough for the thermal camera, and is expected to last several weeks. Before that begins, however, the city has promised four public information sessions where people can learn more about the program. People can also opt-out if they’re uncomfortable having a thermal image taken of the outside of their home. [Source]

Telecom / TV

US – Google Wins App Data-Sharing Case Against Customer

A U.S. district judge sided with Google in a case between the tech company and a customer alleging it had illicitly shared her information with an app developer. Illinois resident Alice Svenson bought an app designed to convert SMS messages to emails. Svenson alleged Google shared her personal information with the app’s developer, YCDroid, and in doing so, broke its contract by sharing her information with a third party and lessened the value of her personal data. U.S. District Judge Beth Labson Freeman said in her ruling Svenson did not adequately show she had suffered any damages. “Consequently, Svenson has failed to show the existence of a triable issue of material fact with respect to her claim of injury in fact based on diminution in value of her personal information.” Google also successfully argued there was no evidence YCDroid actually viewed Svenson’s data. [MediaPost]

US Legislation

US – Email Privacy Act Reintroduced in Congress

A bipartisan group of lawmakers has reintroduced the Email Privacy Act [see here]. This law would update the 1986 Electronic Communications Privacy Act (ECPA). ECPA is the main statute governing law enforcement access to email. If passed, government agents would have to get a warrant to look at your emails. Current law allows law enforcement and government agencies to obtain your messages from email service providers without a warrant if they are older than 180 days. Federal agencies, which have heavily relied on keeping the old and outdated ECPA law, have also pushed for there to be no changes to the law. Mary Jo White, head of the Securities and Exchange Commission (SEC), has told the head of the Senate Judiciary Committee that the warrant requirement would block the SEC from obtaining digital content from service providers. Therefore, she asked that the government grant the SEC the power to compel email providers without a warrant. By extension, this would also give such agencies as the Internal Revenue Service (IRS) the right to demand your emails from your provider, say Google Gmail or Microsoft Outlook.com, without a warrant. [ZDNet | Bipartisan House Group Re-Introduces Email Privacy Bill | Email Privacy Act Revived for Another House Vote]

US – Washington Bill Prohibits Operators from Flying Over Private Property Without Consent

House Bill 1049, relating to unmanned aircraft, and adding new sections to Chapter 47.68 and Chapter 4.24 of the Revised Code of Washington, was introduced and scheduled for public hearing in the House Committee on Technology & Economic Development. An owner or occupant of the property may bring an action for trespass if the drone has been flown over the property on at least one previous occasion, and the operator has been previously notified that flight over the property is prohibited; damages can be recovered of up to $500 without proof of special damages, or an injunctive relief may be awarded. [House Bill 1049 – An Act Relating to Unmanned Aircraft – 65th Legislature of the State of Washington]

Workplace Privacy

WW – Departing Employees Greatest Threat to Data Protection: Study

The number one data protection problem faced by organizations – cited by 69% – is the loss of data or knowledge suffered when employees leave the company. That is the finding of a new study by IT research and consulting firm, Osterman Research, entitled, “Best Practices for Protecting Your Data When Employees Leave Your Company“. Many of these problems are related to employees actually taking data with them when they depart, or leaving it in locations that are unknown or inaccessible to corporate data managers. [Information Management | How companies can deal with insider data theft | Thousands and thousand of times: a tale of an insider data breach | Heal Thyself: Insider Threats to Heed, Especially for Industries with Large Amounts of Personal Information | Insider Threats Behind a Sharp Rise in Data Theft

WW – Privacy Third-Highest Concern When Employers Surveil Mobiles: Study

A TSheets study of 1,000 employees in various industries “where monitoring is most prevalent” has found a majority of workers are more concerned with how employer snooping affects battery life and data allotment than privacy, Fortune reports. “From a worker perspective, it apparently doesn’t feel like Big Brother is overreaching… According to TSheets, the majority of workers tracked by GPS said the technology gave them greater ability to track mileage and time, more accountability, and ensuring they got paid what they are owed.” Roughly two-thirds of respondents said that GPS tracking “built trust with employers, and promoted efficiency and safety.” [Fortune]

WW – BYOD a Threat to Business: Study

Bring Your Own Device (BYOD); the concept of allowing employees to work in the office or remotely using their own devices, rather than company owned, has been around for a while now and really makes the most of this ‘personal device era’. It’s convenient for employees to use their own devices, reduces burden on IT admin and saves Capex costs for the business. But, could BYOD end up being the company’s biggest threat? According to the Crowd Research Partners BYOD & Mobile Security 2016 Spotlight Report, it finds that: 72% of respondents are concerned with data leakage and loss, 56% with unauthorized access to company data and systems, 52% with downloading unsafe apps or content by users and 52% with malware. The areas of highest concern within the enterprise are: data leakage and loss, unauthorized access to company data and systems, downloading unsafe apps or content and malware. [Unfortunately] there are no universal set of guidelines for employers and employees to work too. But there are some best practices that security experts recommend. [Beta News | Striking the balance between employee productivity and data security | 6 Best Practices for Managing BYOD Technology | How should companies deal with data security when they have a BYOD policy? | BYOD can pose privacy risks to employees | 72 per cent of organisations support BYOD despite privacy and security concerns



22 Dec 2016 – 06 Jan 2017


SG – Iris Scans Now a Part of Singaporean Registration Process

The Singapore government has begun collecting iris scans for citizens and permanent residents as part of its registration process. Amendments to the National Registration Act legalized the move, and according to the Ministry of Home Affairs, “was part of efforts to improve the ‘effectiveness and efficiency’ of operations undertaken by the Immigration and Checkpoints Authority.” [ZDNet]


CA – Security, Spy Agencies Will Follow ‘Letter and Spirit’ of the Law: Trudeau

Prime Minister Justin Trudeau said the government will make sure security and spy agencies obey the country’s laws following concerns the groups have abused the privacy rights of the country’s journalists. Trudeau said the Liberal government will “make sure that our security agencies and intelligence agencies obey the letter and the spirit of the laws that frame them.” The concerns sprung from the revelation of law enforcement agencies tracking the communications of several journalists. Trudeau spoke on the subject as the Liberal government finished a national consultation on federal security policy. [The Canadian Press]

CA – La Presse Asks Court to Stop Warrants Monitoring Journalist

La Presse is asking a court to stop the 24 warrants allowing Montreal’s police force to monitor its reporter, Patrick Lagacé. The newspaper argues the judicial orders were issued to stop leaks rather than as a part of a legitimate investigation. La Presse also states the Montreal police force went further than other law enforcement agencies in history to discover a journalist’s confidential sources. “In this matter, the Montreal Police Service deliberately created a complete registry of telephone communications by a reporter who was not under investigation, giving itself the means to identify all of the confidential sources that he contacted over a period of many months,” La Presse said in its request for judicial review. [The Globe and Mail]

CA – OIPC BC Issues Guidance to Organizations on the Use of Video Monitoring

The Information and Privacy Commissioner of British Columbia has issued guidance to organizations on the use of video surveillance. Video surveillance should only be used as a last resort after other less privacy-invasive alternatives have been exhausted (such as improved workplace supervision and financial controls), and cameras should not monitor private areas such as change rooms, washrooms, or into windows; organizational needs should be regularly reviewed to ensure that using video surveillance is still required for the original purpose, and monitoring should only take place during the time period that meets the specific purpose. [OIPC BC – Guide to Using Overt Video Surveillance] See also: A Minnesota judge has ordered that prosecutors and defense attorneys must follow guidelines of a law classifying police body camera footage as non-public information, with certain exceptions.

CA – Majority of Manitoba Organizations Do Not Offer Data Breach Training

A survey conducted by Manitoba Ombudsman Charlene Paquin found the majority of institutions within the province do not train their staff on handling data breaches. The survey was sent to 238 organizations, including universities, municipalities, health authorities, and boards, but only 118 organizations fully completed the questionnaire. Of those respondents, 78 percent said they do not offer training on what to do during a data breach, while 29% said they have suffered an incident within the last three years. The survey found the most common form of data breaches involved losing paper records, while 24% of respondents said they suffered a breach due to a stolen computer or other device. [CBC News]

CA – OIPC SK Finds Ministry Was Authorized to Collect Personal Information Directly from Third Parties

The Office of the Saskatchewan Information and Privacy Commissioner reviewed a complaint that the Ministry of Social Services allegedly over collected personal information, pursuant to The Saskatchewan Assistance Act; and the Freedom of Information and Privacy Act. The ministry was authorized to collect the bank statement of a social services applicant directly from the bank for the purpose of verifying the eligibility in a government program when the applicant failed to provide the information herself; although appropriate authorization was obtained in a consent form, it is recommended that the ministry analyze the types of information generally required during the application and review process to more clearly define the types of information being collected, and from where it will be collected. [OIPC SK – Investigation Report 212-2016 – Ministry of Social Services]


UK – Taskforce Finds Half of UK Kids Agree to Murky Social Media Terms

Children’s Commissioner Anne Longfield’s Growing Up Digital taskforce has found that “almost half” of eight- to 11-year-olds have agreed to “impenetrable” terms of and conditions for social media sites. “The yearlong study found children regularly signed up to terms including waiving privacy rights and allowing the content they posted to be sold around the world, without reading or understanding their implications.” Longfield recommends a special ombudsman for children “to represent their rights to social media companies” as well as an obligatory “digital citizenship program” in all schools for students ages four through 14. [The Guardian] See also: [Office of the Australian Information Commissioner – Teens, Privacy and Social Media]


HK – Honest Shanghai App Gives Citizens Public Credit Score

Shanghai’s city government has released a new voluntary app called Honest Shanghai that uses a combination of facial recognition and government data to assign citizens with a “public credit” score. “We want to make Shanghai a global city of excellence,” said Shanghai Municipal Commission of Economy and Informatization’s Shao Zhiqing. “Through this app, we hope our residents learn they’ll be rewarded if they’re honest. That will lead to a positive energy in society.” The app has caused some unease, however. “You’re wrong if I say so,” said Tongji University’s Zhu Dake. “You have bad credit if I say so. Where will this lead? They could easily expand the criteria and start judging people on moral or ideological grounds. They’re using modern technology to create a vision of Orwell’s 1984.” [NPR.org]

CA – CRA Employees Continue to Illicitly Access Confidential Tax Information

Canada Revenue Agency workers are continuing to illicitly access the confidential tax files of businesses, acquaintances and others. The breaches continue despite the CRA spending at least $10.5 million since 2013 to prevent its employees from continuing to access the personal data. CBC News discovered nine major cases since Jan. 1, where tax workers used the government’s electronic records to gather sensitive private information on income, deductions, benefits, payments, and employment. Privacy Commissioner Daniel Therrien wrote in his annual report his office was assured the CRA had implemented nearly all the safeguards it recommended from a 2013 audit. “The agency reports that it has made several important improvements to its management of personal information including introducing new policies, increasing corporate oversight and ensuring more timely assessment of privacy and security risks.” [CBC News]


US – Congressional Encryption Working Group 2016 Year-End Report

According to a report from the Encryption Working Group, weakening encryption by requiring backdoors is contrary to the country’s national interest, yet acknowledges law enforcement’s need to access communications for investigations. The Encryption Working group was created when the FBI and Apple were unable to come to an agreement over the government’s demands that Apple decrypt a shooting suspect’s iPhone. It is composed of members of the US House Judiciary Committee and Energy and Commerce Committee. The Encryption Working Group report argued that there isn’t a “one-size-fits-all” solution to whether or not “data encryption should be utilized by organizations or the government.” “There is no ‘us versus them,’ or ‘pro-encryption versus law enforcement,’” the bipartisan study states. “This conversation implicates everyone and everything that depends on connected technologies — including our law enforcement and intelligence communities.  [HealthITSecurity | eWeek | ZDNet | Encryption Working Group Releases Year-End ReportYear-End Report]

US – Not All Federal Agency Websites Have Met HTTPS Migration Deadline

Roughly 30% of federal government agency websites have not yet implemented HTTPS. The Office of Management and Budget (OMB) mandated that “all publicly accessible federal websites and web services” transition to HTTPS by December 31, 2016. Agencies were instructed to prioritize domains that are used to exchange sensitive data or that receive large volumes of traffic. [FCW.com]

EU Developments

EU – CJEU Rules Against ‘General and Indiscriminate’ Data Retention

EU law unequivocally precludes the “general and indiscriminate retention of traffic data and location data.” This is clear following the judgment of the Court of Justice of the European Union in Tele2, which affirms that Court’s previous judgment in Digital Rights Ireland, from 2014. In that judgment, the CJEU held that the EU’s Data Retention Directive was invalid. Some EU member states, such as Sweden and the U.K., then continued to oblige telecommunications providers to generally retain data under their national laws. This week the EU held that such national laws must similarly comply with EU data protection rules and are thus similarly invalid. [IAPP.org]

EU – EU Regulators Say More Big Data Rules May Be Necessary

European Union regulators believe additional rules could be required to examine the growth of big data. EU banking, insurance and market regulators are concerned big data may lead certain customers to become classified as “undesirable” as companies gather more personal information. The regulators launched a public consultation on the benefits and risks of big data for both consumers and financial firms in order to determine if more “regulatory or supervisory” actions are needed. “For example, consumers seeking household insurance for properties located in areas exposed to high risks such as floods, earthquakes or crime may have to pay very high premiums or might not be offered an insurance coverage,” the regulators said in a joint statement. [Reuters]

EU – German Privacy Laws to Obscure Face of Terrorist Suspect in Photo

As Germany searches for the individual who authorities believe is responsible for the terrorist attack on a Christmas market in Berlin, a photo of the suspect has been released by the German media. The photo of the suspect obscures the man’s face, and police have only identified him as “Anis A.” Photos of the suspect appearing in the U.K.’s press, show the man’s face without any form of obstruction. Journalist David Meyer said Germany’s strict privacy laws are the reason why the country’s media outlets have blocked out the suspect’s face, and why only the initial of his surname has been published. Meyer notes German investigators detained an innocent man earlier in the manhunt, leading to more caution when publishing photos. [Fortune]

EU – A Common Risk Identification and Classification System Should Be Developed for Data Protection Impact Assessments

Hunton & Williams examines risk assessments and data protection impact assessments under the General Data Protection Regulation. Organisations must assess the likelihood and severity of risks to individuals associated with processing activities (taking into account the nature, scope, context, and purpose of processing); an identification and classification system should have a repeatable and consistent framework to identify risks in multiple scenarios and over time, include material and non-material harms, and enable organisations to define the scope of risk management. [Risk, High Risk, Risk Assessments and DPI Assessments under the GDPR – Centre for Information Policy Leadership – Hunton and Williams LLP See also: the European Commission published the results of the public consultation on the ePrivacy Directive and a Eurobarometer survey.

Facts & Stats

UK – CFC Underwriting Sees 78% Increase in Data Breach Claims in 2016

CFC Underwriting handled more than 400 claims on its data breach policies in 2016. CFC Underwriting Chief Innovation Officer Graeme Newman said data breach claims were up 78% from 2015. CFC stated the most common types of attacks involve privacy breaches and the theft of cash. Newman said a “disproportionate” amount of claims were made by British firms. “This is largely down to the fact that on the whole, UK businesses have a lower level of security maturity than their US counterparts,” Newman said, who also added 90% of the claims by volume were made by businesses with less than 50 million GBP in revenue. [BBC]


US – FINRA Fines 12 Financial Institutions $14.4M for Illicit Data Storage

The Financial Industry Regulatory Authority fined 12 financial institutions a total of $14.4 million for improperly storing electronic broker-dealer and customer records. FINRA found the 12 firms did not store the business-related electronic records in a “write once, ready many” format. FINRA’s news release on the penalties stated “each of these 12 firms had WORM deficiencies that affected millions, and in some cases, hundreds of millions, of records pivotal to the firms’ brokerage businesses, spanning multiple systems and categories of records.” The fines ranged from $500,000 to $4 million. “These disciplinary actions are a result of FINRA’s focus on ensuring that firms maintain accurate, complete and adequately protected electronic records,” said FINRA. [Hunton & Williams’ Privacy and Information Security Law Blog]


CA – OIPC NS Issues Guidelines to Councillors on Disclosure of Municipal Records and Applying Privacy Rules to Personal Information

The Office of the Information and Privacy Commissioner in Nova Scotia has issued guidelines to Councillors on providing access to public records pursuant to the Municipal Government Act and applying privacy rules to personal data. Councillors must understand which municipal records can and cannot be disclosed, as certain reports, minutes and correspondence may be protected from disclosure (such as legal advice, personal information, and confidential business or government information); councillors should use the municipality’s secure email system when conducting municipal business, employ strong passwords (that change regularly and are not shared with others), and encrypt laptops and cellphones. [OIPC NS – Access and Privacy Rules – A Councillor’s Guide Councillor’s Q&A | Brochure]

Health / Medical

US – Majority of Patients Unwilling to Disclose All Medical Information: Survey

A Black Book survey found a majority of patients are skeptical of the use of health IT and are not divulging as much information as they had in the past. Of the 12,090 survey participants, 57% of those who had interacted with technology in a health care setting said they are unsure of the overall benefits of health IT technology. Other findings include 87% of patients were unwilling to disclose all of their medical information in detail during the fourth quarter of 2016, up from the 66% in 2013. The survey revealed 89% of respondents who visited a provider in 2016 withheld health information during visits, with 93% expressing concern regarding the security of their financial information. [Becker’s Hospital Review]

US – FDA Medical Device Postmarket Cybersecurity Guidelines

The U.S. Food and Drug Administration (FDA) has released the final version of security guidance for network-connected medical device manufacturers. The guidelines, which are not mandatory, address post-market cybersecurity issues and are a companion to pre-market guidelines issued in 2014. The FDA believes that “medical device manufacturers should implement a structured and comprehensive program to manage cybersecurity risks,” which would ideally include ensuring a means to monitor and detect vulnerabilities; assessing the risks vulnerabilities pose to patients; establishing a process for vulnerability disclosure; and releasing fixes in a timely fashion.[Govinfosecurity | FDA Postmarket Management of Cybersecurity in Medical Devices]

Identity Issues

CA – Ontario Police No Longer Allowed to ‘Card’ Individuals in Certain Situations

A new law in Canada prohibits Ontario police officers from carding individuals in certain situations. The rule stops officers from collecting identifying information based on a person’s race or presence in a high crime area, or if they are investigating possible criminal activity. The new rule does not apply during traffic stops, executing a warrant, or when an individual is arrested. “These new rules protect the rights of people who are not under investigation while also laying the foundation for more positive, trusting and respectful relationships between police and the public,” said the Ontario Community Safety and Correctional Services Minister. [CBC News]

CA – Mail-Forwarding Fraud Up More Than Seven Times in 2016

The Canadian Anti-Fraud Centre received more than seven times the amount of mail-forwarding fraud complaints in 2016 than in the previous year. The centre handled 479 complaints in 2016, up from 63 in 2015, with centre officials stating the number of complaints are only a fraction of actual fraud activity. Mail-forwarding fraud normally involves an individual impersonating someone and rerouting that person’s mail through Canada Post, either to a different residence or a business address. [CBC News]

US – Massachusetts’ Scanning of ID Cards Raises Privacy Concerns

Privacy advocates are raising concerns about a Massachusetts facial recognition program that uses photos from state-issued driver’s licenses and other ID cards to help law enforcement track down criminals. Those opposed to the practice say the ID scanning is a privacy violation and could lead to false matches that result in investigations of innocent people. Law enforcement agencies in other states are also employing similar programs. “When you go to the DMV to get your license, you do not expect your photo to be part of what has essentially become a law enforcement database used for criminal investigations,” said the ACLU. State officials defended the practice and have said proper measures are in place to address privacy concerns. [The Boston Globe]

US – Privacy Concerns Keeping Maine from Real ID Law Compliance Deadline

Should Maine not comply with the federal Real ID law by Jan. 22, its state licenses will neither function as formal commercial airline nor federal building entrance identification. Maine is one of the five U.S. states to forgo compliance with the law, citing privacy concerns. “This is a tightly aggregated set of data on every single citizen,” said Maine Secretary of State Matthew Dunlap. “That eastern European (Communist Bloc) show-me-your-papers-at-the-border thing, that really turned people off.” Regardless, Democratic Sen. Bill Diamond, is fighting to get the state to comply with the law, as other U.S. states prepare to. “I understand and believe privacy is very important, but we are talking about some minimum standards here.” [Portland Press Herald]

WW – Carnival to Incorporate Smartband Technology on Future Cruises

Carnival Corporation is planning to introduce smartband devices designed to allow customers to customize their vacation. The app, called Ocean Compass, is paired with a small medallion customers can use to pay for food, drinks and merchandise, gamble, and enter rooms without having to remove it from their person. Carnival executives Arnold W. Donald and John Padgett took the idea from a similar system used at Walt Disney World, where they both worked before joining Carnival. Padgett said he expects some customers will have questions regarding the system’s “creepiness factor,” but still expects the majority of visitors to participate. “As long as you benefit the guest, they don’t mind sharing” personal information, Padgett said. [The New York Times]

Law Enforcement

US – Court: Abandoned, Locked Phones Still Have Privacy Protections

A Florida court of appeals ruled abandoned cellphones with a passcode still maintain the user’s privacy expectations. The case involved a teen leaving his phone behind after fleeing a traffic stop. Law enforcement were able to unlock the phone and retrieve information without a warrant. The court determined phones are not locked containers, but are closer to locked houses. Since law enforcement cannot search a locked house without a warrant, the same standards should be held for phones. “While we acknowledge that the physical cell phone in this case was left in the stolen vehicle by the individual, and it was not claimed by anyone at the police station, its contents were still protected by a password, clearly indicating an intention to protect the privacy of all of the digital material on the cell phone or able to be accessed by it,” the court’s ruling stated. [Techdirt | Florida Appeals Court Upholds Decision to Suppress Evidence Obtained By a Warrantless Search of a Cell Phone | State of Florida v. K.C. – No. 4D15-3290 – District Court of Appeal of the State of Florida]

US – Police Ask Amazon for Echo Data in Murder Investigation

Police officers in Arkansas are asking Amazon to produce data from one of the company’s Echo devices for possible evidence in a murder investigation. The police are not sure what information is available on the Echo device, but are hoping for any conversations it may have overheard. The case has raised several privacy concerns. “I think about the fuzzy line of where the privacy of data is out there in the cloud… The question is, will governments or other people be able to access data that you have on request? Will companies comply? How does that work? How does it work in a criminal investigation? Where’s that line — because that’s — that’s the part that is a little mysterious.” MIT Technology Review reports on what Amazon’s role should be in the investigation. [NPR.org]


CA – British Columbia to Allow Drone Use for Search and Rescue

Emergency Management BC approved a pilot program permitting teams across British Columbia to use drones for search and rescue efforts. The drones will be used in situations where helicopters are not available, or the area cannot be reached by aircraft. Coquitlam Search and Rescue Manager Mike Coyle said privacy concerns have limited the widespread use of drones, but the British Columbia privacy commissioner has formally reviewed the drone project. “Even in the wilderness, I think it’s just a way people have seen [drones] as an invasion of privacy,” Coyle said. “Our intent is to just use them to look for missing people in the wilderness and not fly over built up areas, and that’s why I think the privacy commissioner said it’s a good use.” [CBC News]

US – Sen. Franken Asks Uber to Clarify Its Location Data Collection Practices

Sen. Al Franken, D-Minn., has written to Uber requesting it clarify its policies surrounding its storage of users’ location data, “three weeks after the ride-hailing company updated its app to restrict privacy options for sharing location information.” “Franken asked the company to take steps to ‘restore users’ control over their sensitive location information,’ and update its privacy policy to ‘reflect the company’s public assurances and justifications related to the most recent app update,’” in his letter to Uber CEO. He cited “renewed allegations” of Uber employees’ “past abuse of customer data” as part of the reason for his letter. [PCMag]

Online Privacy

WW – Facebook Buying Detailed Data on Users, Advocates Say

ProPublica and other privacy advocates maintain Facebook buys more detailed information about its users from commercial data brokers, such as users’ “income, the types of restaurants they frequent and even how many credit cards are in their wallets.” Facebook doesn’t additionally “show users any of the often remarkably detailed information it gets from those brokers.” The Center for Digital Democracy’s Jeffrey Chester said “Facebook is bundling a dozen different data companies to target an individual customer, and an individual should have access to that bundle as well.” Facebook said “that it doesn’t tell users about the third-party data because it’s widely available and was not collected by Facebook.” [ProPublica]

US – Advocacy groups Ask FTC to Review Google’s Privacy Policy Changes

Consumer Watchdog and Privacy Rights Clearinghouse filed a complaint with the FTC concerning the changes Google made to its privacy policy in June. Google has been able to build profiles of individuals by requesting users to opt-in to the new privacy settings permitting the tech company to merge its browsing history with its search history to generate more personalized ads. The two privacy groups claim the privacy settings violate deceptive- practices laws and a prior FTC order. Google said in a statement it changed the policy “to match the way people use Google today: across many different devices,” and “it is 100% optional — if users do not opt-in to these changes, their Google experience will remain unchanged.” Google also stated it informed regulators around the world about the new policy and incorporated their feedback. [The Wall Street Journal] [In re Google Inc.’s Change in Data Use Policies – Complaint,Request for Investigation, Injunction and Other Relief – Consumer Watchdog and Privacy Rights Clearing House]

Other Jurisdictions

AU – Australian Govt to Extend Data Retention Law to Civil Litigation Information

The Australian Attorney-General’s Department is accepting submissions through 27 Jan., on a government review to potentially extend the Data Retention Act to allow warrantless access of “retained metadata to lawyers acting for clients in civil litigation.” On 13 April, “it will be legally impossible to access data retained by telcos in connection with civil proceedings,” and the government is worried about the potential consequences. However, critics feel this proposed step is one in the wrong direction. “Opening up the data retention scheme to civil matters flies in the face of the government’s claim that it was urgently needed in the fight against terrorism and its assurances that its use would be tightly controlled,” said Internet Australia. [The New Daily | The Australian government is considering making metadata available to courts for civil lawsuits.

US – FTC Settles with Ad-Tech Firm Turn

California-based digital-advertising company Turn has agreed to settle FTC charges that it deceived customers when it used persistent identifiers to track them online and on their mobile apps, even when those customers opted out, according to an FTC press release. The FTC’s complaint and investigation involved Turn’s use of Verizon’s unique, un-deletable identifiers, or so-called “zombie cookies,” and alleged lack of transparency about that use. [IAPP.org]

Privacy (US)

US – LabMD Receives Support in Appeal of FTC Ruling

Several groups have filed amicus briefs in support of LabMD’s appeal against the Federal Trade Commission. The briefs, filed by a group of doctors, cybersecurity professional Gary Miliefsky, TechFreedom, the International Center for Law and Economics, the National Federation of Independent Business Small Business Legal Center, and the National Technology Security Coalition, back the now defunct LabMD, stating the FTC operated outside of its authority when it went after the company for allegedly violating Section 5 of the FTC Act. “I am heartened that leaders from business, healthcare and technology are so supportive of LabMD,” said LabMD President and CEO. “They understand how this case will impact their own compliance efforts.” [SC Magazine]

US – House Committee Presses Congress for Stingray National Standards

The House Oversight and Government Reform Committee released a bipartisan report calling for Congress to pass laws creating national standards for law enforcement’s use of Stingrays. The committee seeks clear rules for government and private entities using the devices, designed to mimic cellphone towers in order to force all phones within range to identify themselves. The report found the Justice Department has 310 devices, while the Department of Homeland Security has 124. Until the standards are created, the committee contends the DOJ and DHS should not fund technology for local law enforcement unless they agree to certain privacy standards. The report concludes the technologies “represent a valuable law enforcement tool, but their domestic use has obvious and serious implications for citizens’ Constitutional rights … There must be a universal and well-understood standard by which these technologies are deployed.” [The Wall Street Journal]

US – Consumer Groups Push Amazon, Wal-Mart to Stop Selling ‘Spying’ Doll

Several consumer groups are asking top retailers such as Amazon and Wal-Mart to stop selling My Friend Cayla due to privacy concerns. The doll, created by Genesis, is designed to listen and respond to children’s questions, and uses a Bluetooth microphone and a mobile app requiring access to a child’s or parent’s devices. The groups are concerned the doll could be compromised by hackers, lead to privacy violations, and other problematic incidents. “My Friend Cayla poses significant security risks that could place children in physical danger,” Campaign for a Commercial-Free Childhood Executive Director Josh Golin wrote in a letter to Amazon CEO Jeff Bezos. “Genesis fails to require basic authentication mechanisms to prevent unauthorized Bluetooth connections between the doll and a smartphone or tablet.” [CBS News]

US – White House Issues Gov’t-Wide Breach Notification Protocols

The U.S. administration may be turning over this month but the Office of Management and Budget is churning out policies even while the boxes are being stuffed with Bubble Wrap. OMB released both a guidance on how government agencies must prepare-for and respond-to data breaches as well as how to comply with the Privacy Act in these modern times. OMB Senior Privacy Advisor Marc Groman said the breach-notification guidance updates a 10-year-old document, revising it to require that agencies take a risk-based approach, and responds to a new, more dangerous threat-landscape. “But it’s important to highlight every breach is different and very context-specific, and therefore the memo must allow for flexibility,” Groman said. [IAPP.org]

US – NYC, Uber Face Off in Privacy Public Hearing

Uber is gearing up to fight against the New York City government in a public hearing on the city’s December-born proposal requiring ride-hailing companies to share more data on their users. “Regulators said it was an effort to combat driver fatigue and help enforce caps of 60 hours a week.” “Uber described the requirement as an invasion of privacy.” Uber has “an obligation to protect our riders’ data, especially in an age when information collected by government agencies like the [NYC Taxi and Limousine Commission] can be hacked, shared, misused or otherwise made public,” said Uber spokeswoman Alix Anfang. The hearing comes on the heels of the company’s own privacy controversy, spurring a letter from Sen. Al Franken, D-Minn. [Bloomberg Technology] See also: [For-hire vehicle base reporting rules a privacy problem, advocates argue in letter]


US – FTC Announces IoT Security Challenge

The US FTC is holding a contest that will award a prize of up to USD 25,000 for the best technical solution to Internet of Things (IoT) security for home networks. The tool could be a physical device that connects to a home network and checks for updates for other connected IoT devices; it could also be an app, a cloud-based service, or a user interface. Registration forms will be available on or about March 1, 2017. The deadline for submissions is May 22, 2017; winners will be announced at the end of July 2017. [KrebsonSecurity | Darkreading | FTC.gov: IoT Home Inspector Challenge]

US – OTA Releases Updated IoT Trust Framework

The Online Trust Alliance released a new version of its IoT Trust Framework. The updated framework is designed to help internet-of-things developers, purchasers and retailers develop products, while offering a risk assessment guide. The framework includes 37 principles, including entries on security, user access, and ensuring companies are compliant with the General Data Protection Regulation and the Children’s Online Privacy Protection Act. “Recent IoT attacks like those which compromised hundreds of thousands of connected devices to take websites like Amazon, Twitter and Netflix offline were just a ‘shot across the bow.’ The next incident could create significant safety issues. While most IoT devices are safe and secure, many still lack security safeguards and privacy controls placing users and the Internet at large at risk,” said OTA Executive Director and President Craig Spiezle. [OTA Alliance]


WW – DDoS Attacks, Ransomware Among Biggest Security Threats in 2017

Wired reports on the biggest security threats coming in 2017. The most pressing concerns in the privacy realm include the increased spread and use of ransomware, a growing divide between the intelligence community and President-elect Donald Trump, and another encryption battle between law enforcement and device makers. “It’s only a matter of time until the FBI or other cops make another legal demand that an encryption-maker assist in cracking its protections for users, setting the conflict in motion again.” Cyberattacks will also continue to be a problem in 2017, as more distributed denial of service attacks appear to be on the horizon. [Wired]

US – Cybersecurity Pro: Carelessness Often to Blame for Breaches

Company carelessness is often to blame for breaches, said cybersecurity professional and BitSight Technologies co-founder Stephen Boyer. “A lot of these breaches happen because somebody had a very obvious detail that they overlooked or a well-known vulnerability that was exploited,” he said. “You think about other controls that [companies] need to put in place such as good password control, multifactor authentication. They need to be able to monitor, protect, not only look at their own systems but their supply chain and monitor and watch that very diligently.” For consumers, it doesn’t come down to avoiding smaller businesses and solely working with larger ones, he said. “It’s not necessarily small versus large, it’s just somebody who’s put in the proper protections to protect the consumers.” [CNBC]

WW – Hackers Can Easily Manipulate Travel Booking Systems: Study

Security Research Labs has found that major travel booking systems like Sabre, Amadeus and Travelport lack the ability to authenticate travelers, allowing hackers to easily manipulate or steal travel details via Passenger Name Records. “While the rest of the Internet is debating which second and third factors to use, [global distribution systems] do not offer a first authentication factor,” the researchers said. “Given only passengers’ last names, their bookings codes can be found over the Internet with little effort,” added SRLabs’ Karsten Nohl. Meanwhile, the Guardian reports that the U.S. government has begun requesting select foreign travelers to disclose their social media activities. [Reuters] See also: [Privacy a casualty of password storing on shared devices?]

US – FTC Suing D-Link Over Unsecure Routers and Cameras

The U.S. FTC has initiated legal action against D-Link for “fail[ing] to take steps to protect their routers and IP cameras from widely known and reasonably foreseeable risks of unauthorized access.” The security issues could be exploited to steal information and to spy on consumers. [arstechnica | computerworld | Thehill | Ars Technica: FTC Complaint | FTC.gov]

EU – ‘Find My Phone’ Documentary Uses Decoy Mobile to Spy On Thief

Dutch film student Anthony van der Meer has made a 22-minute documentary, “Find My Phone,” from footage gleaned after downloading security software onto a decoy phone that he got stolen. His inspiration for the film came after having his personal phone pickpocketed and his subsequent frustration with police assistance. “The documentary offers a valuable lesson in cybersecurity (if not also an ethically gray commentary on surveillance).” “Our smartphones often contain our most sensitive data, including photographs, emails and bank information, that can be exploited by thieves in any number of harmful ways.” [The Verge]

UK – EU’s Network and Information Security Directive to Get UK Implementation

The U.K. government will implement the EU’s Network and Information Security Directive, regardless of the Brexit vote. “The NIS Directive sets out measures designed to ensure critical IT systems in central sectors of the economy like banking, energy, health and transport are secure… “It will apply to operators of such ‘essential services’ and to ‘digital service providers.’” EU countries have through 9 May 2018 “to implement the Directive into national law,” and the U.K. government added that it was “considering whether additional regulation might be necessary for critical sectors, including in the context of the NIS Directive due to be implemented in 2018 as well as wider national infrastructure considerations.” [Out-Law.com]

US – NIST Publishes Cyber Attack Recovery Guidebook

The US National Institute of Standards and Technology (NIST) has published the Guide for Cybersecurity Event Recovery. The document describes the two phases of recovery: tactical and strategic. Tactical recovery is based on procedures established prior to a cyber attack; strategic recovery involves identifying lessons learned from the event and using those lessons to plan for recovery from future events. Recovery is one of five aspects of NIST’s Cybersecurity Framework. The others are identification, protection, detection, and response. [Federal News Radio | http://nvlpubs.nist.gov: Guide for Cybersecurity Event Recovery]

US – NIST Publishes Report on Privacy Engineering and Risk Management

The National Institute of Standards and Technology has published its Internal Report 8062, “An Introduction to Privacy Engineering and Risk Management in Federal Systems.” In a blog post announcing the report, the authors describe the report as a “document that we believe hardens the way we treat privacy, moving us one step closer to making privacy more science than art.” They continue: “NISTIR 8062 introduces the concept of applying systems engineering practices to privacy and provides a new model for conducting privacy risk assessments on federal systems.” NIST has a history of providing guidance on information security risk management, “but there is no comparable body of work for privacy.” The guidance attempts to bridge the communications gap between the security and privacy fields “and produce processes that are repeatable and could lead to measurable results.” [NSTIC]


AU – Government Considering Allowing Metadata from Retention Laws

The Australian government is considering making metadata stored under the country’s data retention laws available to courts for civil lawsuits. “The bill itself prohibits the use of the data in civil cases, but it includes the ability for the government to make exceptions — through regulations — for ‘appropriate’ cases… The government tweaked the bill after the parliamentary committee on intelligence and security recommended it include the ability to make a regulation allowing for the data to be used in appropriate civil cases.” Initial critics of the data retention law expressed concern that the government would use it for these purposes. The Attorney-General’s Department is seeking public comment on the potential move until 13 Jan. [iTnews]

WW – Media Sonar Tools Used to Surveil American Protests

An American Civil Liberties Union investigation has found that U.S law enforcement used technology from London, Ontario company Media Sonar to monitor protests. Although the company describes the tool as one that scours social media for public safety threats, the ACLU found that police used it to track hashtags like “#BlackLivesMatter, #DontShoot, #ImUnarmed and #PoliceBrutality, to name a few.” “Law enforcement should not be using tools that treat protesters like enemies,” the ACLU said in a blog post on the issue. “The utter lack of transparency, accountability and oversight is particularly troubling.” [National Post]

Telecom / TV

CA – Quebec Court Finds Cell Phone Data Unlawfully Extracted by Law Enforcement Can Be Admitted at Trial

The search of cell phones involved in a telemarketing fraud scheme used sophisticated forensic methods to scour the devices and extract data (which required specific authorization, separate from the warrant issued to seize and search the phones); the extracted data should not be excluded because law enforcement had grounds to justify the search, specific authorization would have been granted if requested, the search did not go further than what was authorized by the warrant, and the evidence is reliable and pivotal to prove the individuals’ offences. [Kamaldin et al. v. USA – Quebec Superior Court – 2016 QCCS 5818 CanLII]

CA – Court Finds Arrest and Warrantless Search by Law Enforcement Breached Individuals’ Charter Rights

The Supreme Court of Newfoundland and Labrador considers whether evidence obtained by law enforcement breached the Charter rights of Luke Wiseman and Ibrahim Nassar. The arresting officer did not have reasonable grounds to arrest 2 individuals suspected of trafficking a controlled substance (a hunch was relied on which lacked any reference to previous drug activity by the individuals, there was no tip of an imminent drug transaction), the officer could have sought a warrant (the address and phone number of the individuals were on the boxes believed to contain drugs), and the individuals were arrested and the boxes searched in a public parking lot. [HMQ v. Luke Wiseman and Ibrahim Nassar – 2016 CanLII 78004 NL SCTD – Supreme Court of Newfoundland and Labrador]

CA – Yukon IPC Issues Advisory on Ransomware

The Yukon Information and Privacy Commissioner has issued an advisory about ransomware. Preventative measures against ransomware include regularly backing up information and system files, testing those backups, installing internet security software and patches, and educating users about phishing attacks (including how to respond in the event of an attack); during a ransomware attack, the affected device or system should be disconnected from the rest of the network and notification to affected individuals should be considered if the intrusion presents a risk of significant harm. [IPC Yukon – Ransomware Advisory]

US Government Programs

US – US Government Shuts Down Registry for Foreigners

The Department of Homeland Security has announced it is canceling an inactive registry system that would require visitors from countries with extremist groups to participate. Dubbed the National Security Entry-Exit Registration Systems program, it began “a year after the Sept. 11, 2001, al-Qaida attacks on the United States” and “expanded within a year to require registration from visitors from 25 countries, most of them with majority-Muslim populations.” In the years since, “DHS concluded that the program, which was suspended in 2011, was redundant and inefficient and did not provide increased security.” The government will publish the change in the Federal Register on Friday, and the dissolution of the registry “takes effect immediately.” [Reuters]

US Legislation

US – California Ransomware Bill Goes into Effect

A new law that took effect in California on January 1, 2017 punishes conviction of distributing ransomware with a prison sentence of up to four years. In the past, ransomware cases were tried under existing extortion statutes. According to the bill’s sponsor, California State Senator Bob Hertzberg, “This legislation provides prosecutors the clarity they need to charge and convict perpetrators of ransomware.” [SCMagazine | Ars Technica | sd18.senate.ca.gov: Gov. Brown Signs Legislation Punishing Ransomware]

Workplace Privacy

WW – Anonymous Plaintiff Sues Employer Over Confidentiality Agreement

A Google employee has sued the company over its confidentiality agreement, contending that its provisions violate California labor laws. “Rules prohibit employees from writing about potential illegal activity within the company, and even from writing works of fiction based on their experiences there.” “The unnecessary and inappropriate breadth of the policies are intended to control Google’s former and current employees, limit competition, infringe on constitutional rights, and prevent the disclosure and reporting of misconduct,” the lawsuit reads. While the identity of the plaintiff is unknown, a person familiar with the matter said he or she “is the same person who filed a similar complaint with the National Labor Relations Board earlier this year.” Google pledged to fight the suit. [PCMag]

EU – French Employees Win ‘Right to Disconnect’ From Work Emails

A new employment law now requires French companies to guarantee their employees do not need to check their emails after hours. The law states any organization with more than 50 employees will have to define the rights of employees to step away from their smartphones when they are not at work. The goal of the law is to stop burnout, while ensuring work does not intrude on employees’ private lives. “There’s a real expectation that companies will seize on the ‘right to disconnect’ as a protective measure,” said Aristat Director Xavier Zunigo. “At the same time, workers don’t want to lose the autonomy and flexibility that digital devices give them.” [Guardian] See also: Illinois’ amended Right to Privacy in the Workplace Act is now in effect, meaning employers may not request access to prospective employees’ social media accounts.

CA – OIPC AB Finds Society Had Reasonable Purpose and Methods for Conducting Employee Background Check

The Office of the Alberta Information and Privacy Commissioner investigated a complaint against REDI Enterprises Society for the alleged unauthorized collection of personal information (“PI”), in violation of the Personal Information Protection Act. The Society screens for previous criminal activity because employees work with vulnerable individuals, and it seeks to ensure a safe and secure environment for those clients; a written, signed account of prospective employees’ criminal activity is collected (applicants have the choice not to provide this information), and current employees may refuse to provide this information without threat to their employment. [OIPC AB – Order P2016-07 – REDI Enterprises Society]



10–21 December 2016


CA – Make Federal Data Protection And Breach Reporting The Law, Mps Say

A group of MPs is advocating for new legislation requiring federal agencies to properly protect personal data and be required to report breaches in a timely manner. The recommendations come from the Commons Committee on Ethics, Information and Privacy and urge updates to the 33-year old Privacy Act. The committee cited the Health Canada breach in 2013, when 41,000 letters housed in windowed envelopes were sent to recipients taking part in the department’s medical marijuana program. The agency, at the time, did not report the incident to the Office of the Privacy Commissioner of Canada. [CBC]

CA – Op-ed: SCISA Statute Greatly Harms Privacy Rights

In an op-ed for the Toronto Star, former Privacy Commissioner of Ontario Ann Cavoukian and British Columbia Civil Liberties Association Policy Director Michael Vonn speak out against the Security of Canada Information Sharing Act statue within Bill C-51. The SCISA allows personal information to be shared among numerous government entities for analysis if it potentially impacts the country’s security. “There is no question that SCISA is a fiasco from the perspective of Canadians’ privacy rights, leaving only the question of whether it is nonetheless necessary for security. While information sharing is necessary for national security purposes, the previous law already made provisions for that.” “We join every privacy commissioner in the country in saying that no compelling explanation has ever been provided as to why our previous laws were inadequate for national security purposes, let alone why a ‘blowing-open-the-barn-door’ approach is the appropriate remedy.” [The Toronto Star]

CA – Quebec Commissioner Recommends Reforms to the Private Sector Act

The Commission d’accès à l’information has proposed recommendations to the Act respecting the protection of personal information in the private sector. It should be prohibited to collect, use and communicate personal information for any purpose other than medical, scientific or legal purposes, or genetic information for employment-related reasons, and express consent should be required for sensitive data processing (consent can be withdrawn at any time); transfers outside Quebec should be assessed for impacts and risks to personal information protection, and implementation of biometrics should require a risk assessment, storage measures, mandatory destruction of original characteristics, and localized databases. [Important Recommendations From the Quebec Privacy Commissioner on the Protection of Personal Information – Eloise Gratton and Raphael Girard – Borden Ladner Gervais LLP]

CA – Ontario Public Institutions Should Implement RIM Practices to Improve Records Access

The OIPC ON has provided guidance to assist institutions in understanding the relationship between good records and information management practices and the ability to meet obligations under FIPPA and MFIPPA. Information that is appropriately created (through proper classification), managed (by assigning responsibility), stored (using appropriate organizational, technical and physical safeguards), and destroyed (consistent with specific retention schedules) is easier for staff to find and use; access to records will then be processed with greater efficiency (staff time associated with searching for records is reduced, and risks from failing to provide records or meet response timelines are reduced. [OIPC ON – Improving Access and Privacy with Records and Information Management]

CA – OIPC SK Issues Privacy Breach Guidelines for Trustees

The Office of the Saskatchewan Information and Privacy Commissioner has issued guidance to health trustees regarding privacy breaches, pursuant to The Health Information Protection Act. Trustees must contain the breach (cease the unauthorized practice and shut down breached systems), investigate the breach (consider what PHI was involved, who was involved, who is affected, and the root cause), and prevent future breaches (determine additional safeguards and training, and whether a policies and procedures are being followed; when employee snooping is suspected, the employee’s access should be suspended, and an interview given to establish if their login information has been shared or if they regularly log off the account. [OIPC SK – Privacy Breach Guidelines for Trustees]

CA – NWT Supreme Court Finds No Harm from Disclosure of Public Body’s Agreement With Third Party

The Supreme Court of the Northwest Territories considered whether the Department of Industry, Tourism and Investment of the Government of the Northwest Territories erred in deciding to release records related to Deepak International Ltd. Release of monitoring, trademark licence and certification agreements would not harm the third party’s business interests; sensitive business information contained in the agreements was redacted by the public body, and the remaining content does not contain information that could impact the third party’s bargaining position, or result in a foreseeable negative impact or loss. [Deepak International Ltd. v. NWT and Hilary Bird – 2016 NWTSC 66 – Supreme Court of the NWT]

CA – Other Privacy News


US – Forrester Offers New Research on Consumer Privacy Expectations

Forrester Principal Analyst Fatemeh Khatibloo discusses how Forrester wanted to create a way for businesses to assess their customers’ feelings toward privacy in order to better implement the privacy frameworks Forrester has created. Khatibloo writes about Forrester’s Consumer Privacy Segmentation, which defined four groups of consumers based on their attitudes and behaviors toward personal data collection and use. The report finds older, less tech-savvy consumers feel helpless to protect their data online, while younger customers tend to hold companies to higher standards. “It turns out that Millennials aren’t as cavalier about their personal data as some people would like to believe. And the moment they hit some key milestones in life — parenthood or homeownership, for example — their privacy attitudes change dramatically. But it’s not just data ethics they care about: they expect the companies they do business with to ‘give back,’ too.” [Forbes]


US – Gmail Scanning Case Reaches Settlement

Google has agreed to change its email processing procedures in order to settle a class action alleging that it scanned non-Gmail users’ messages in violation of state and federal wiretapping laws, The Recorder reports. The Tuesday-released settlement outlines Google’s promise to “eliminate any processing of emails to target ads or build marketing profiles until after messages have arrived in a Gmail users’ inbox” for at least three years, the report states. “Though the technical changes hardly seem to resolve the privacy concerns that spurred the litigation, plaintiffs’ lawyers … deemed them ‘substantial,’“ the report adds. The firms have asked for $2.2 million in fees. U.S. District Judge Lucy Koh, who is overseeing the suit, will either approve or deny the deal. [The Recorder]


WW – New Site Checks News and Media Sites’ Use of Encryption

A new website launched by the Freedom of the Press Foundation (FPF), scans media websites and checks for their use of encryption, including their support of HTTPS. FPF’s Secure the News project checks to see if the sites implement encryption by default and whether the sites are susceptible to HTTPS downgrade attacks, in which browsers are tricked into downloading unencrypted versions of the site. Such attacks can be guarded against through the use of the HTTPS Strict Transport Security (HSTS) feature. Just four of the 104 sites listed received an A while 75 received Ds and Fs. [Wired]

WW – Filmmakers and Photojournalists Want Encrypted Cameras

More than 150 documentary filmmakers and photojournalists have signed an open letter from the Freedom of the Press Foundation asking camera makers to add encryption to the still photo and video cameras so that if the devices are stolen or seized by authorities, they will not immediately offer up sensitive information. Most smartphones encrypt stored data by default, and encrypted storage software is readily available for PCs, but cameras lack similar protections. [Wired.com | The Register | CNet.com]

EU Developments

EU – WP29 Releases Guidance on DPOs, Data Portability, One-Stop Shop

The EU’s Article 29 Working Party emerged from its December plenary meeting with a number of GDPR application guidance documents, including explanations for the mandatory DPO role, the mechanisms for data portability, how a “lead authority” to lead the one-stop shop enforcement mechanism will be established, and some notes on enforcement and the EU-U.S. Privacy Shield. The WP29 welcomes comments on the guidance from stakeholders through January 2017. Feedback can be directed to just-article29wp-sec@ec.europa.eu and presidenceg29@cnil.fr. [IAPP.org] [Guidelines on the Right to Data Portability – Working Paper 242]

EU – New France Law Requires Companies with Over 50 Employees to Implement Whistleblower Procedures

The French legislature has approved the Law on Transparency, the Fight against Corruption and Modernization of Economic Life (“Law”): the Law will come into force after publication of an administrative decree. Companies must implement internal alert procedures to allow employees to disclose criminal offenses, serious and obvious violations of an international commitment, and threats or serious risks to the general interest; companies can be liable for a criminal fine of up to €75,000 for restraining employees from alerting about a crime, and up to €50,000 for revealing information that could lead to identification of a whistleblower. [Law No. 2016-1691 of 9 December 2016 on Transparency and the Fight Against Corruption and Modernisation of the Economy Available in French | Related Article]

Facts & Stats

US – 4% of Americans Are Revenge Porn Victims: Report

A report from the Data & Society Research Institute and the Center for Innovative Public Health Research states 4% of internet users in the U.S. have been victims of nonconsensual pornography. The report found 3% of Americans have had someone threaten to post explicit photos of them online, with 2% stating a photo of them was posted online without their permission. The combined total of revenge porn victims equals roughly 10.4 million Americans. “Nonconsensual pornography can have a devastating and lasting impact on victims, so it’s vital that we understand how common this is and who is affected.” [DataSociety.net See also: The first person was sentenced to jail under Oregon’s recently enacted revenge porn law | New South Wales Attorney General Gabrielle Upton has called for national revenge porn law as state version garners support]

WW – 1.6B Records Compromised in 2016: Report

IT Governance has compiled a list of every data breach in 2016, estimating more than 1.6 billion records were compromised. The number is up from the 480 million breached records in 2015. June and November were the two worst months for data breaches in 2016. Voter breaches in June propelled the number of compromised records to 289,150,000, while 456,403,757 records were compromised in November, one of the worst months for security on record. More than 412 million of the records breached in November came from adult websites. [The Daily Dot]

US – Data Breach Insurance Claims Up in 2016

According to data from CFC Underwriting, the company handled more than 400 cyber breach policy claims in 2016. The majority of claims are from cases involving data breaches and money transfer schemes. [Insurers handling ‘hundreds’ of breach claims | The Register: Cyber insurance brokers: If it makes you feel any better, 2016 was not our year either]


US – Bill Requires Porn Filters on New Computers

A bill introduced in South Carolina would require companies making and selling computers in that state to install filters to prevent users from accessing porn and other sexual content. The goal is to prevent access to sites facilitating prostitution and human trafficking. The South Carolina House Judiciary Committee will consider the bill when legislators reconvene in January. [New state bill wants to put porn blocks on new computers | South Carolina will debate bill to block porn on new computers]


US – Banks Finding Middle Ground for Data Portability

Many banks have resisted calls from data aggregators to make users’ financial data portable, a feature favored by many millennials. Banks have argued the practice is filled with risk and can lead to identity theft, but aggregators contend banks oppose the practice because of competition with other banks. According to a new report, some financial institutions are finding a middle ground by partnering with third-party providers that offer consumers some portability options. Wells Fargo is partnering with data-sharing platform Xero for this purpose. “Anytime a customer shares banking credentials, there’s risk involved,” said Wells Fargo’s Brett Mills. “Because of this, it’s imperative we work toward implementing ways to share information with third parties that don’t require our customers to provide their confidential login credentials.” [American Banker]


US – Google Publishes 21 National Security Letters

Google has released the content of eight National Security letters it received from the FBI between 2010 and 2015. In October, Google received permission from the FBI to publish the documents, which were all accompanied by gag orders when originally issued. The eight letters request information from a total of 21 accounts. [- CSMonitor | – Computer\World |- blog.google: ]

Health / Medical

EU – ENISA Issues Best Practices for Smart Hospitals

ENISA has published a study on information security in EU hospitals, surveying information security officers in more than 10 hospitals across the EU. Hospitals should implement BYOD controls on patient and employee devices, monitor how Internet of Things components interact with medical systems, implement whitelisting for application installation onto the hospital’s system, and ensure high level executives understand the compromise between cyber security measures and the impact on provision of services; industry and the EU should apply medical device regulation to critical infrastructure components, adapt information security standards to healthcare, and involve third parties in testing activities. ENISA – Smart Hospitals | Press Release | ENISA – Smart Hospitals Study]

US – Study: Privacy Concerns Keep Teens and Young Adults from Seeking Sexual Health Assistance

A U.S. National Center for Health Statistics report has found that an estimated 7% of teens and young adults would not seek sexual health assistance due to privacy concerns. “The youngest teens expressed the greatest reluctance… Almost one in five 15- to 17-year-olds said they would not seek that care because their parents could find out. There were also gender-based disparities. While the percentage of females with privacy concerns aged 18-25 and those without differed by 20%, “there were no large differences in the percentages receiving sexual and reproductive services based on confidentiality concerns” for males. “It’s important that we monitor any barriers that youth may experience to obtaining health care,” said the NCHS. [U.S. News & World Report]

US – ONC Creates Contest to Update Model Privacy Notice

The Office of the National Coordinator for Health Information Technology has created a new challenge for health care privacy professionals, software developers, and other stakeholders to enhance the voluntary Model Privacy Notice in order to have them better represent the current mobile health environment. The ONC wants contestants to draw from the existing Model Privacy Notice template “to create an online tool that can generate a user-friendly snapshot of a product’s privacy practices.” The ONC will award $35,000 in prizes and are asking for all entries to be submitted to Challenge.gov by April 10, 2017. [Health Data Management]

US – NGA Releases Report to Help Navigate Medical Privacy Laws

The National Governors Association has released a report designed to help states navigate around conflicting medical privacy laws and policies affecting the flow of health data. The NGA report covers challenges providers face when sharing patient information and highlights examples of states successfully developing strategies for distributing data. Recommendations from the NGA include creating a team of state government officials who have the authority to make policy decisions and an advisory group that can discuss the practical considerations for policy change. The report cites four states the passed legislation to supplant state laws to allow providers and hospitals to share patient information. “There are hundreds and hundreds and hundreds of state medical privacy laws, and the ugly truth is that it’s not possible to comply with all of them” said one attorney. [The Hill]

Horror Stories

WW – Yahoo Confirms 2013 Data Breach Affecting 1B Users, Biggest in History

Following its confirmation of a data breach in 2014 affecting 500 million users, Yahoo said it discovered another cyberattack from 2013, compromising more than 1 billion accounts. Yahoo believes the two incidents are connected and said the breaches are “state-sponsored,” Yahoo CISO Bob Lord wrote in a blog post. The attackers used “forged cookies” to access user accounts without passwords. While using these cookies, hackers could misidentify themselves as the primary user of the account. Yahoo said the compromised information could have possibly included names, email addresses, telephone numbers, dates of births, hashed passwords, and in certain cases, encrypted or unencrypted security questions and answers. Yahoo said no financial information was affected. The company is notifying affected users and asking them to change their passwords. The announcement has prompted Sen. Mark Warner, D-Va., to call for an investigation. [The Guardian | Wired | The Register | ZDnet | Krebsonsecurity]

US – Ashley Madison Settles FTC, State Data Breach Charges

The Federal Trade Commission announced the operators of AshleyMadison.com have agreed to settle FTC and state charges alleging the dating website deceived customers and failed to protect user information following the 2015 data breach affecting 36 million users. Ashley Madison will pay a total of $1.6 million in the settlement and will have to implement a comprehensive data security program, including assessments from third parties. “This case represents one of the largest data breaches that the FTC has investigated to date, implicating 36 million individuals worldwide,” said FTC Chairwoman Edith Ramirez. “The global settlement requires AshleyMadison.com to implement a range of more robust data security practices that will better-protect its users’ personal information from criminal hackers going forward.” [FTC.gov | Press Release | Order]

Identity Issues

US – Virginia State Court Rules License Plate Info is Not Personal Information

A Virginia State court considered cross-motions for summary judgment in a complaint against Defendants Fairfax County Police Department and Colonel Edwin C. Roessler, Jr., Fairfax Chief of Police pursuant to Virginia law. License plate numbers do not refer to an individual person, there is no privacy interest in information that is publicly disclosed (even if such disclosure is required by law), and U.S. case law provides that no Fourth Amendment search has occurred when a law enforcement officer runs a check of a license plate; Virginia may therefore deploy and use automatic license plate readers and subsequently store license plate numbers for 364 days under existing State law. [Harrison Neal v. Fairfax County Police Department et al. – Opinion – Nineteenth Judicial Circuit of Virginia]

EU – DPA Iceland Recommends Government Review Mandatory Disclosure of Personal ID Numbers for Health Purposes

The Icelandic data protection authority addressed a query concerning the proportionality of data collection by the Director of Health pursuant to the Data Protection Act. The Medical Association opposes the Directorate of Health’s ongoing request for extensive identifiable patient data, authorized by law, as disproportionate and unnecessary; the DPA advises that it is the courts (not the government) that must consider the constitutionality of the law, a data subject’s objection to processing under the Data Protection Act should be respected, and the Directorate may wish to examine whether changes to the legislation would be appropriate (in light of public opposition in other Nordic countries to such compelled disclosures. [DPA Iceland – Case No. 2016/766 – Directorate of Health]

US – Differential Privacy Integral to Harvard Privacy Tools Project’s Newest Research

A Harvard’s Privacy Tools Project team is developing a privacy tool that uses differential privacy to both share data like disease diagnoses or political leanings to researchers and protect the privacy of the subjects. “The differential privacy tool that the project is developing is a computational tour de force that achieves anonymity for individuals by introducing random noise into the way statistics about the data are computed… The amount of noise is carefully calibrated to hide the contribution of each individual person, but still reveal larger effects,” said Principal Investigator Salil Vadhan. “And so there is a trade-off… You get greater privacy protection the more noise you introduce.” [Harvard Magazine]

Law Enforcement

US – Federal Appeals Court Upholds Law Enforcement’s Use of GPS for Investigation of Minor at Risk

A federal court considered an appeal by an individual convicted of crimes based on evidence obtained through warrantless GPS tracking. Exigent circumstances involving the potential exploitation of a minor justified the tracking of appellant’s cell phone without a warrant (based on discussions with the minor’s birth mother, foster mother and social worker); there was significant risk of bodily injury as the minor may have been forced into prostitution. [United States of America v. Jabar Gilliam – 2016 U.S. App. LEXIS 21448 – United States Court Of Appeals For The Second Circuit]


US – Congressional Report : Use of Stingrays May Be Unconstitutional

According to a report from the US House Committee on Oversight and Reform, the use of cell site simulators, also known as Stingrays, by law enforcement may be unconstitutional. “Absent proper oversight and safeguards, the domestic use (of Stingrays) may well infringe upon the constitutional rights of citizens to be free from unreasonable searches and seizures.” The report recommends that state and local police follow US Justice Department and Department of Homeland security policies, which require that law enforcement agents obtain a warrant prior to using the surveillance technology. It also asks that state and local law enforcement be forthright with the courts regarding the use of Stingrays. [Stingray use could be unconstitutional, House report finds | House.gov: Law Enforcement Use of Cell-Site Simulation Technologies: Privacy Concerns and Recommendations]

Online Privacy

US – Children Uploading YouTube Videos Poses Potential Issues

There is a growing trend of young children posting their activities online and the issues parents potentially face. Popular YouTube channels featuring children can receive millions of views per video. Those channels could result in millions of dollars in revenue, but children are also exposed to online commenters and channels where creators upload videos featuring popular characters performing adult acts. “For the youngest members of the next generation, sometimes called Generation Z, the line between the online world and real life is fading. Parents are having to explain to their toddlers that the children whose whole lives they see on the screen aren’t actually their friends.” [Washington Post]

WW – 45% Don’t Have Expectation of Privacy Online: Study

Auckland University of Technology’s 2015 World Internet Project in New Zealand survey has found that 45% of the 1,377 respondents do not believe privacy exists online. 11% of the surveyed said they had their privacy violated online. A University of Auckland professor in computer sciences thinks the responses indicate a changing attitude about what privacy means on the internet. “They’re shifting so rapidly now… I think many people are starting to become aware of the risks but don’t accept privacy has gone, it’s just that the boundaries are different.” [Stuff.cco.nz]

US – Twitter to Limit What’s Shared With Government Fusion Centers

In an ongoing effort to curb the amount of law enforcement access to its users, Twitter announced it will no longer provide government intelligence centers — also known as fusion centers — access to tools that can be used for bulk surveillance. Dataminr, a company partially owned by the social network, granted law enforcement access to real-time feeds of public posts and tools for filtering the content. Twitter’s decision comes after an ACLU of Northern California investigation found law enforcement used the tool to track activists and protests. [Mashable]

WW – Twitter Terminates Partnership With Third Surveillance Firm

Following its decision to terminate its contracts with Geofeedia and Snaptrends, Twitter has cut ties with a third social network surveillance firm. Twitter stopped Media Sonar from accessing its public API in October. Media Sonar is known for selling surveillance software to police departments across the U.S. Twitter’s partnership with Media Sonar was finished after it was discovered the surveillance firm was encouraging police departments to observe African-American protesters. The social media network ended its relationship with Geofeedia and Snaptrends for similar actions. Twitter said if Media Sonar attempts to create any other API keys, it will delete those as well, and will take further action against the firm. [Daily Dot]

Privacy (US)

US – FTC Releases Agenda for Second Annual Privacycon

The Federal Trade Commission released the agenda for PrivacyCon 2017. The event, taking place in Washington on Jan. 12, is designed to join together leaders from academia, research, consumer advocacy, and industry to discuss the privacy and security implications of new technologies. The public forum will cover five major topics, including the internet of things and big data, mobile privacy, consumer privacy expectations, online behavioral advertising, and information security. PrivacyCon will feature 18 research presentations on consumer privacy and security issues and a closing panel moderated by FTC Bureau of Consumer Protection Director Jessica Rich. [FTC.gov] See also: [FTC organizing privacy researcher meet up in January]

US – Cybersecurity Challenges at the US State Level

A study from the Pell Center for International Relations and Public Policy last year found that of the eight most populous US states, none was “cyber ready,” or adequately equipped to defend its systems against and recover from cyber attacks. A September 2016 study from Deloitte-NASCIO found that while some states are gaining a keener awareness of the importance of cybersecurity, the systems that states have been introducing in the name of helping constituents actually introduce additional cyber risks. [Are states ill-equipped to manage cybersecurity?: | State of the States on Cybersecurity (November 2015) | 2016 Deloitte-NASCIO Cybersecurity Study]

US – Evernote Backtracks on Changes to Privacy Policy After Outcry

Evernote, a popular note-taking app, has announced it will hold off on changes to its privacy policy after users and the media started raising privacy concerns. The proposed change would have allowed employees to read users’ notes to help train the company’s machine learning algorithms. At first, the company defended the changes, but, in a written statement, Evernote CEO later said, “We announced a change to our privacy policy that made it seem like we didn’t care about the privacy of our customers or their notes. This was not our intent, and our customers let us know that we messed up, in no uncertain terms. We heard them, and we’re taking immediate action to fix it.” [PCWorld]

WW – Evernote Changes Policy: Employee to Review User Notes

In a blog post, Evernote said it would have employees reading user notes beginning in early 2017, as a way to ensure its machine learning technologies were functioning properly. While its “computer systems do a pretty good job, sometimes a limited amount of human review is simply unavoidable in order to make sure everything is working exactly as it should.” While the company announced various controls for the process, many customers are frustrated with the changes. While there was speculation the move may be connected to Evernote’s adoption of Google’s cloud computing service, the company denied it. “We want to improve the service and see the advent and availability of many machine learning tools as very promising.” [Fortune]

US – Journal of Intellectual Freedom and Privacy’s First Issue Available

The American Library Association’s Office for Intellectual Freedom has released the first issue of its official publication, the Journal of Intellectual Freedom and Privacy. “JIFP is an expansion of The Newsletter on Intellectual Freedom, published between 1952 and 2015… Ever mindful of serials librarians’ woes, we hereby state that this new publication is a continuation of NIF, but begun over with vol. 1, no. 1.” The journal includes news, features, reviews and an editorial section, and is available in PDF format on the ALA’s website. [ALA.org]

US – Court Grants FTC Order Penalizing Data Brokers for Selling Consumer PI

This Court order settled FTC allegations that Corporate Defendants Sequoia One and Gen X Marketing unfairly sold consumer personal information in violation of the FTC Act. The 2 companies obtained PI from consumers who thought they were applying for payday loans online, and then sold the PI to a scam that withdrew funds from consumers’ bank accounts without their consent; Defendants must pay $45,000 (at which point the remainder of a $7.1 million judgment will be suspended), and are prohibited from disclosing sensitive (financial) PI, and making misrepresentations relating to financial products and services. [Federal Trade Commission v. Sequoia One, LLC, et al. – Default Judgment and Order for Permanent Injunction as to Defendants Sequoia One, LLC and Gen X Marketing Group, LLC – United States District Court District Of Nevada | Press Release | Judgment]

US – Other Privacy News

Privacy Enhancing Technologies (PETs)

US – NIST Seeks Tech Collaborators for Privacy-Enhanced ID Project

The National Cybersecurity Center of Excellence, a public-private collaborative initiative under the National Institute of Standards and Technology, has announced it is seeking technology collaborators for a privacy-enhanced identity federation project. The new project will analyze how privacy-enhancing technologies can be implemented within identity federation solutions to help maintain the privacy of users and organizations. The goal of the project is to produce a NIST Cybersecurity Practice Guide, which will be publicly available and include “practical steps needed to implement a cybersecurity reference design,” the NCCoE website states. Questions or suggestions for the project can be sent to petid-nccoe@nist.gov. [NCCOE] [Federal Register Notice | Privacy-Enhanced Identity Federation project description.


WW – 42% of Companies Do Not Have Cyberattack Communications Plans

An EY report finds many companies do not have a plan for communicating with the public following a cyberattack. EY’s annual Global Information Security Survey revealed 50% of the 1,735 participating organizations said they were confident they could detect an attack, but 42% did not have a communications strategy in place if an attack took place. Another 48% said they would not notify impacted customers within the first week. “It’s imperative to address if any weaknesses or failures in the recovery plans become known, because the longer these problems continue, the worse the situation will get. In fact, many of the proposed regulations or laws around reporting of cyberattacks say that companies must notify customers within a certain number of days,” said the report’s author. Blanco Technology Group released a report revealing delays companies face in breach detection and notification and the regulatory challenges this causes for data protection. [CNBC]

Smart Cars / IoT

US – FTC, FCC to Focus on IoT Security in 2017

The Federal Trade Commission and the Federal Communications Commission will focus on internet-of-things security in 2017. The agencies commitment to IoT security comes after the massive DDoS attack affecting large parts of the United States this past October. “As we see the rise of mobile and the internet of things, we’re seeing a multiplicity of actors in the ecosystem,” said the FTC, “There’s going to be a lot of questions about the liability of these various actors.” [AdExchanger]

US – DOT Proposed Rules Would Require Cars to Share Information

The Department of Transportation has proposed a new set of rules requiring the auto industry to have technology allowing vehicles to share information with one another. The National Highway Traffic Safety Administration said the plans could reduce 80% of non-impaired crashes, but privacy advocates are concerned about the plans. “Vehicle-to-vehicle communications must be secure as Fort Knox,” said a the Consumer Union. “Automakers must be required to meet baseline, enforceable standards to protect both privacy and security as they roll out this technology. Communications should be protected through strong encryption, and security measures should be seamlessly updated so that consumers don’t have to worry about getting into a crash because their car has been hacked.” Sens. Edward J. Markey, D-Mass., and Richard Blumenthal, D-Conn., are pressing the DOT to implement strong cybersecurity and privacy protections before the rules are implemented. [Consumer Reports]

US – Study: Privacy Safeguards for Wearable Devices Are Insufficient

A study from the Center for Digital Democracy and the School of Communication at American University states the growing wearable device market raises a number of privacy concerns. Wearable manufacturers collect large amounts of personal data and share the information with other companies. The study finds existing privacy laws do not normally apply to wearable manufacturers, and the “weak and fragmented” U.S. health privacy regulatory system does not give consumers proper privacy safeguards. “Many of these devices are already being integrated into a growing Big Data digital health and marketing ecosystem, which is focused on gathering and monetizing personal and health data in order to influence consumer behavior,” the study says. [PC World]

SG –’City Brain’ Tech to Make Singapore an Internet of Things-Powered Hub

Singapore’s plan to embrace “city brain” technology, utilizing 100 million smart objects in five years, is both groundbreaking and rife with privacy questions. “In theory, a city brain could be used by municipal administrators to check on a wide variety of conditions,” such as weather, elderly housing and transportation issues, the report states. The program may additionally use “the estimated five million smartphones carried by Singaporeans” to make it happen. “Of course, there will be loss of privacy or, worst case, the chance of data being hacked,” said Gartner. “This is not just a Singapore problem; it’s a global problem… any government must still enforce certain laws to prevent misuse.” [Computerworld]


US – U.S. to Release Estimate of Americans Monitored Under Surveillance

A letter from U.S. lawmakers states the country’s intelligence community is planning to disclose the number of American citizens whose electronic communications have been intercepted through online surveillance programs designed for foreigners. The letter, sent to National Intelligence Director James Clapper, said the estimate was requested by the U.S. House of Representatives Judiciary Committee and should be released publicly as early as next month. The estimate would come as Congress is expected to commence the debate over whether to revamp the surveillance provision Section 702, which was added to the Foreign Intelligence Surveillance Act in 2008 and is set to expire Dec. 31, 2017. “ [Reuters]

US – Ex-Employees Claim Uber Continues Unauthorized Surveillance

After stating it had policies preventing employees from accessing trip and geolocation information, five former Uber security professionals reveal the company continued to allow its workers to access sensitive information. The revelation comes two years after Uber was first found using its internal “God View” to track users’ whereabouts in real time without permission. Some of the most recent allegations state Uber deleted files it was legally obligated to hold onto and for encrypting files during law enforcement investigations in its foreign offices. In response to the report, Uber’s Chief Information Security Officer sent an email to the company’s staff reminding them of their privacy obligations. [Reveal News]

Telecom / TV

US – FTC Publishes Do Not Call Registry Data Book for 2016

The Federal Trade Commission has released its National Do Not Call Registry Data Book for Fiscal Year 2016. “Now in its eighth year of publication, the Data Book contains a wealth of information about the Registry for FY 2016 (from October 1, 2015 to September 30, 2016), including: State rankings for National Do Not Call registry” as well as “the number of active registrations and consumer complaints since the Registry began in 2003.” The Data Book states that the Registry contained more than 226 million registered numbers at the end of the 2016 fiscal year, an increase from the 223 million reported at the end of fiscal year 2015. The Florida Record reports. [FTC.gov]

US Government Programs

US – Court of Appeals Upholds Warrantless FISA Surveillance of US National

Mohamed Osman Mohamud appealed from his conviction from use of weapons of mass destruction, in violation of 18 U.S.C. § 2332a(a)(2)(A). Acquisition of the individual’s email communications was lawful, since it resulted from contact with a foreign national being targeted for promoting terrorism (warrantless surveillance of non US persons is permitted); even if a warrant was required, the government’s search of the individual’s emails was reasonable since US persons have a limited expectation of privacy in information revealed to a third party, and applicable FISA procedures to safeguard the individual’s privacy interests were followed. [USA v. Mohamed Osman Mohamud – Opinion – US Court of Appeals for the Ninth Circuit]

US – California Educational Tech Providers Cannot Sell or Disclose Student Information

The Future of Privacy Forum provides an overview of obligations under the California Student Online Personal Information Protection Act. Providers that design and market sites, services and applications used primarily for K-12 school purposes can use student data to conduct legitimate research, and use deidentified information for product improvement, marketing and development; providers cannot sell or disclose student information (except for legal purposes, user safety, for K-12 school purposes), use student information to amass a profile, or use student information to engage in targeted advertising. [FPF Guide to Protecting Student Data Under SOPIPA – For K-12 Administrators and Ed Tech Vendors]

Workplace Privacy

US – Hiring Algorithms Are Not Neutral Sources: Op-Ed

In an op-ed for the Harvard Business Review, Gideon Mann and Cathy O’Neil explain why using algorithms in human resource departments cannot be considered a neutral source. Algorithms are created to mimic human decision making, meaning existing biases will become part of their makeup. “In other words, algorithms are not neutral. When humans build algorithmic screening software, they may unintentionally determine which applicants will be selected or rejected based on outdated information — going back to a time when there were fewer women in the workforce, for example — leading to a legally and morally unacceptable result.” The authors offer suggestions for working around this flaw, including ensuring hiring decisions aren’t based solely on algorithms, and conducting reviews to remove any hiring trends possibly appearing to be biased. [HBR.org]

US – Companies Look to Publicly Report Employees’ Health

A group of companies, including IBM, PepsiCo and Johnson & Johnson are working to find a way to publicly report and measure the health of their employees. The ratings, currently under consideration by a coalition of employers and insurers called the Health Metrics Working Group, would offer shareholders and other high ranking company officials a look into a company’s efforts to improve employee health and whether the efforts are working. The health information will be presented in the aggregate in order to comply with health privacy laws. “All the working group members support the concept of reporting on employee health metrics, but if and how that gets implemented will vary quite widely.” [The Wall Street Journal]



28 Nov —09 Dec 2016


QW – Blippar Introduces Facial Recognition Smartphone App

New software from augmented-reality app Blippar will allow customers to use facial recognition technology on their smartphones. The app allows users to scan an individual’s face in print, on TV, or in real life, then learn their names and other information. “Augmented Reality Face Profiles will change the way we communicate and express ourselves,” said Blippar, Co-Founder and CEO Ambarish Mitra. “Our face is our most expressive form of communication and with this release we are allowing this to become digital for the first time.” Blippar has created a database with 70,000 public figures, but privacy concerns may arise, as users can upload people’s faces without consent. In other news, facial recognition startup Megvii Inc. has received $100 million from investors to improve its technology, while L.A. Tan Enterprises agreed to pay $1.5 million to settle a class-action lawsuit under the Illinois Biometric Information Privacy Act. [Newsweek]

Big Data

CA – Naborly Screenings Compiles 500 Data Points to Assess Renter Credibility

Naborly Inc.’s digital screening solution allowing landlords to examine 500 data points to determine a renter’s credibility. Naborly compiles information from a potential renter’s social media accounts, phone records, and criminal records to assign a score for their “chance of success” as a tenant. “It’s not just trying to gather dirt on you or gather information,” said Naborly Inc. CEO Dylan Lenz. “It basically explains where the risk is. What is the likelihood of a person being late on rent payment, causing property damage, being evicted, jumping out of the lease early?” Privacy concerns with the service have emerged. “The extent of it makes me nervous,” said former Ontario Information and Privacy Commissioner Ann Cavoukian. “I understand why you would want to assure that the person renting the property is solid and reliable, but this company is collecting a ton of very sensitive personal information.” [CTV News | Report landlords who break privacy rules, urges BC agency | Waterloo changes rental bylaw after privacy complaint | Company scraps ‘bad tenant list’ after privacy commissioner upholds complaint ]

WW – IBM’s Watson Beta to Help Fight Cybercrime

Forty companies have been named to take part in IBM’s Watson for Cyber Security beta. The cognitive computing technology will be used to address computer and network security issues. IBM began training Watson in the fundamentals of cybersecurity months ago. Watson is intended not to replace humans, but to help people identify cybersecurity threats. [Wired.com | ZDnet.com | eWeek.com | v3.co.uk]


CA – Privacy Commissioners Urge More Privacy in National Security Policy

All of Canada’s federal, provincial and territorial privacy commissioners have urged the federal government to make privacy a fundamental piece of the country’s national security policy. The commissioners have signed a formal joint submission to the Trudeau government’s security review to address key privacy-related issues, including information sharing, encryption and the collection and use of metadata by national security agencies and law enforcement. Ontario Information and Privacy Commissioner Brian Beamish and Jean Chartier of Quebec appeared Tuesday in Ottawa to discuss the submission. In a press release, Privacy Commissioner of Canada Daniel Therrien said, “In my view, this is not the time to further expand state powers and reduce individual rights. Rather, it is time to enhance both legal standards and oversight to ensure that we do not repeat past mistakes and that we ultimately achieve real balance between security and respect for basic individual rights.” [Times Colonist]

CA – Don’t Repeat Past Mistakes, Privacy Commissioner Warns

Commissioner Therrien and his provincial and territorial counterparts are stressing the need to address privacy risks related to information sharing and collection of metadata; raising concerns about government proposals on police access to basic subscriber data and encrypted communications The importance of strengthening privacy protections is highlighted in a formal submission to the government’s public consultation on Canada’s national security framework signed by Commissioner Daniel Therrien and all provincial and territorial privacy commissioners and ombudspersons. Commissioner Therrien was joined by Jean Chartier, President of the Commission d’accès à l’information du Québec and Brian Beamish, Ontario Information and Privacy Commissioner, at a press conference to unveil and discuss the submission. “In my view, this is not the time to further expand state powers and reduce individual rights. Rather, it is time to enhance both legal standards and oversight to ensure that we do not repeat past mistakes and that we ultimately achieve real balance between security and respect for basic individual rights,” says Commissioner Therrien. [Office of the Privacy Commissioner of Canada News release | Backgrounder: Privacy and Canada’s national security framework | Submission to the Consultation on Canada’s National Security Framework | Statement]

CA – Goodale Keeps Door Open to CSIS Use of Metadata from Innocent People

The federal public safety minister is keeping the door open to the idea of Canada’s spy agency crunching potentially sensitive data about innocent people. Ralph Goodale told MPs at a House of Commons committee he is weighing views on whether the CSIS should be allowed to retain and use such information. Last month Federal Court Justice Simon Noel said CSIS violated the law by keeping electronic data about people who were not actually under investigation. The court ruling means metadata can be kept and used by CSIS only if it relates to a specific threat to Canadian security or if it is of use to an investigation, prosecution, national defence or foreign affairs. NDP public safety critic Matthew Dube expressed concern. “So you’re not closing the door, then, Because to me it seems that if the Federal Court has deemed this illegal, then the answers should be clear.” Conservative public safety critic Tony Clement wondered why CSIS was keeping the data in question at all. [National News Watch | Don’t repeat past mistakes, Privacy Commissioner warns as government reviews national security framework | Spies should not be allowed to keep innocent people’s data, privacy czars say | Former Ontario privacy commissioner wants CSIS metadata deleted | Federal security review to examine CSIS powers in the digital age, Goodale says | What you need to know about the CSIS metadata ruling | In scathing ruling, Federal Court says CSIS bulk data collection illegal | CSIS, Bill C-51 and Canada’s growing metadata collection mess | ‘Difficult to determine’ scope of privacy breach in Five Eyes data sharing

CA – OPCC to Investigate Electoral Reform Survey

The Office of the Privacy Commissioner of Canada will investigate the government’s new electoral reform online survey after privacy concerns were raised. In order for respondents to have their views on electoral reform included in the MyDemocracy.ca survey, they need to disclose information such as gender, age, occupation, combined household income, level of interest in politics, and whether they identify as a specific minority group. “I just think it’s inappropriate in the context of a government consultation to link disclosure of so much demographic information to participation in a consultation,” Ottawa University’s Michael Geist said. A spokeswoman for Privacy Commissioner Daniel Therrien said the office has yet to look into the details of the survey, and his office could not comment. [Toronto Sun] Canada’s Supreme Court offers guidance for the interpretation of the Personal Information Protection and Electronic Documents Act in its Royal Bank of Canada v. Trang ruling.

CA – Alberta Justice Hires Ontario Lawyer to Represent Ministry in FOIP Investigation

Toronto lawyer Murray Segal has been hired to represent Alberta Justice as it faces an investigation into whether the ministry wilfully tried to mislead or obstruct the province’s freedom of information commissioner, or altered or falsified a record to evade FOIP requests. Jill Clayton, Alberta’s freedom of information commissioner, ordered the investigation in October based on a recommendation from former Nova Scotia FOIP commissioner Dulcie McCallum. McCallum is adjudicating an inquiry into how Alberta Justice processed FOIP requests from CBC News and lawyers for the tobacco industry. The requests related to the Alberta government’s ongoing lawsuit against the tobacco industry and its choice of a legal consortium to conduct the litigation. At the time Clayton ordered the investigation, she also requested a special outside prosecutor to avoid a conflict of interest with Alberta Justice. Justice Minister Kathleen Ganley, in another emailed statement, said she asked Ontario to select a special prosecutor and the Ontario Attorney General’s office has identified Mabel Lai to act as counsel for the matter. This is the second investigation of Alberta Justice this year. In September, Clayton ordered an investigation into chronic delays in the ministry’s processing of FOIP requests. [CBC | FOIP commissioner orders investigation of Alberta Justice | Alberta Justice criticized for disrespecting freedom of information commissioner | Waits for access to information get longer in Alberta, report finds | Access to information in Alberta nearing ‘crisis situation,’ FOIP commissioner says ]

CA – OIPC NU Audit Reveals Hospital Needs Improvement

Nunavut’s Information and Privacy Commissioner has stated a lack of leadership at Qikiqtani General Hospital could put patient information at risk. A privacy audit was conducted at the territory’s only hospital. The audit discovered no individual was in charge of making sure staff adhere to privacy regulations, and the hospital has no system to track who is accessing patient data. “What is required is a strong privacy culture within the [Qikiqtani General Hospital] now,” the audit report stated. “Our audit revealed a somewhat confusing array of different ‘privacy’ policies and instruments not well understood by all staff.” The report offered 31 recommendations, including creating policies for faxing information and ensuring former employees cannot access electronic health records after they depart. [CBC News]

CA – Got a Secret? Copy Your Lawyer: Supreme Court Decision Most Recent Threat to Access to Information

A Supreme Court decision released late last month offers a safe haven for government secrets that threatens the basic right of individuals to access personal information about themselves. Sometimes, the government may refuse to disclose information because it is confidential, for example, it is a communication with a lawyer — or what is called “solicitor-client privilege.” A procedural check is in place to ensure that such claims of privilege are not improperly asserted by government. This check is the privacy commissioner’s office which reviews claims of privilege to ensure they are valid or warranted; when they are, the information is not released. Two weeks ago, the Supreme Court of Canada ruled on a case in which an employee involved in a wrongful dismissal action against the University of Calgary was refused information about herself on the basis of solicitor-client privilege. From a policy point of view, government secrets can now be shielded — unchecked — in the safe haven of lawyer files. The legislation must be amended to give the commissioner’s office the unqualified right to review claims of solicitor-client privilege. [Edmonton Journal | Supreme Court of Canada confirms robust protection of solicitor-client and litigation privilege | SCC decision reaffirms protection of solicitor-client privilege | Alberta privacy commissioner cannot compel production of records subject to solicitor-client privilege: Supreme Court | SCC deals blow to privacy commissioner powers – privilege reigns supreme | Alberta’s information and privacy commissioner loses Supreme Court case | Calgary Herald: Alberta Privacy Commissioner Loses Lack-of-Authority Appeal]

CA – OIPC NL Voices Concern Over Drone Harassment

Responding to a series of reports of harassment from drones with cameras, Information and Privacy Commissioner of Newfoundland and Labrador Donovan Molloy expressed his concern over the incidents, saying the drone use is “very troubling.” “We all have a right to our privacy, not to be harassed by others. It’s clear in our own province’s privacy act that if you do that, then you’re liable for damages to the person that you’re harassing.” The commissioner said using drones to spy on individuals could legally qualify as harassment. “The Criminal Code makes an offence of harassment if you’re besetting somebody — watching somebody, repeatedly — and if you are, you must intend to have done it or be reckless or willfully blind.” [CBC News]

CA – OIPC BC Warns Against Illicit Surveillance Camera Use

Following the investigation of a Lower Mainland medical clinic, British Columbia’s Acting Privacy Commissioner Drew McArthur is warning private businesses about illicitly installing video surveillance cameras. McArthur said the clinic likely violated British Columbia’s privacy laws by using the cameras, rejecting the clinic’s argument it implemented the cameras to protect itself against crime, improve security, and to monitor its employees. “The fundamental premise of our private-sector privacy legislation is you require the purpose for collection has to be reasonable for the circumstances,” McArthur said. “In this case, there’s no crime issue or threat-to- security issue, it’s just a medical clinic in a stand-alone location and they have not had a rash of crime or security issues. And so they don’t meet the threshold for reasonableness in terms of the collection of personal information. So where they are, they are over-collecting personal information.” [Vancouver Sun]


NZ – Study: Withholding Information from Social Services Has Adverse Effects

Methodist Mission Southern’s research, supported by the New Zealand Office of the Privacy Commissioner’s Privacy Good Research Fund, has found that not sharing information with social services can exacerbate situations of child abuse and family violence, the Office of the Privacy Commissioner reports. The study “looked at practitioner and organizational competency across a range of agencies relating to Principle 11: Limits on disclosure of personal information and Part 9A: Information sharing of the Privacy Act 1993.” It’s often necessary to share information in order to provide comprehensive and wraparound services for clients.” “The consequences of not sharing information can be significant, with a lack of information sharing a contributing factor in several high profile family violence and child abuse cases.” [Full Story]

CA – Liberal Party Can’t Use Emails Collected on Mydemocracy.ca for Fundraising, Government Says

The government says information collected by an online electoral reform consultation isn’t accessible to the Liberal Party, after an Ontario man alleged he started getting fundraising emails soon after completing the survey. Sean Fullerton, a database analyst in Kitchener, Ont., told the National Post he unsubscribed from Liberal emails more than a year ago, but started receiving them again almost immediately after entering his email address on MyDemocracy.ca, a website being used to gather opinion on democratic values. But both the government and Vox Pop Labs, the company that designed the site, deny email addresses are even being collected. Fullerton explained he found it “really, really odd” when Liberal fundraising emails started pouring into his email account within a few hours of completing the electoral reform consultation Monday. Fullerton insisted he didn’t engage in any other activity, or fill out any other forms, that could’ve caused him to start receiving emails again. That’s why he found it “suspicious.” He plans to make a formal complaint against the Liberal Party for going against anti-spam legislation by sending him emails he doesn’t want to receive. Canada’s privacy czar is looking into the electoral reform survey, but hasn’t said if and when a formal investigation will be conducted. [Vancouver Sun | Liberals’ Electoral Reform Survey A Personal Privacy Nightmare | Your electoral reform survey won’t count if you don’t tell them how much you make | Privacy watchdog to look at electoral reform survey amid privacy concerns | No privacy risks in online electoral reform consultation: Monsef | See also: Liberals’ Electoral Reform Survey A Personal Privacy Nightmare | Your electoral reform survey won’t count if you don’t tell them how much you make | Privacy watchdog to look at electoral reform survey amid privacy concerns | No privacy risks in online electoral reform consultation: Monsef | Privacy watchdog to look at electoral reform survey amid privacy concerns]


US – Encryption App Use Rises 400% After Trump Win

After the recent presidential election of Donald Trump, encrypted communications app Signal, which employs end-to-end encryption, has seen a 400% increase in daily downloads. Moxie Marlinspike, the founder of the company behind Signal, said, “There has never been a single event that has resulted in this kind of sustained, day-over-day increase… Trump is about to be put in control of the most pervasive, largest, and least accountable surveillance infrastructure in the world. People are maybe a bit uncomfortable with him.” [BuzzFeed News]

EU Developments

UK – ICO Fines Charities for ‘Wealth Screening’

An Information Commissioner’s Office investigation has found that the Royal Society for the Prevention of Cruelty to Animals and the British Heart Foundation violated the Data Protection Act by screening donors for wealth in an effort to increase their donations. “The charities also traced and targeted new or lapsed donors by piecing together personal information obtained from other sources.” “And they traded personal details with other charities creating a massive pool of donor data for sale. Donors were not informed of these practices, and so were unable to consent or object.” Information Commissioner Elizabeth Denham fined the RSPCA 25,000 GBP and BHF 18,000 GBP. “This widespread disregard for people’s privacy will be a concern to donors, but so will the thought that the contributions people have made to good causes could now be used to pay a regulator’s fine for their charity’s misuse of personal information,” she added. [ICO.uk]

EU – Under German Law, Some Wearables, Apps Not Up to Data Privacy Snuff

The German Commissioner for Data Protection and Freedom of Information has warned fitness app and wearables developers that many of their practices do not meet legal requirements. An agency study, testing an array of unnamed devices, found “many of the products fail to adequately protect user data,” the report states. “In many cases, privacy statements concerning wearables are overly long, difficult to understand, insufficiently detailed and often not available in German.” “In many cases, health data was processed by external third parties, putting user privacy at risk. While some manufacturers alert users to the potential for data sharing with third parties, users often do not know who these third parties are or how to lodge an objection.” [Telecompaper]

EU – Current Privacy News

Facts & Stats

WW – Experian Releases Fourth Annual ‘Data Breach Resolution’ Report

For the fourth straight year, Experian has released its forecast for the data breach industry for the upcoming year. The “2017 Experian Data Breach Resolution” highlights five predictions for the industry, including the death of the password, the prospects of a cyberwar, more sophisticated attacks on the health care industry, the shift for cybercriminals to focus on payment-based attacks, and the likelihood of international breaches for multinational companies. “As our fourth annual edition, this data breach industry forecast report hopes to shed light on emerging trends companies should know about and prepare for. The industry predictions included here are rooted in Experian’s history helping companies navigate more than 17,000 breaches over the last decade,” the Experian announcement states. [Experian]


WW – Study: Marginalized Groups More Likely to Self-Censor Online

A Data & Society Research Institute and the Center for Innovative Public Health Research report found women, LGBTQ individuals, and people of color are more likely to self-censor their online activity due to fear of harassment. The “Online Harassment, Digital Abuse, and Cyberstalking in America“ report discovered 47% of Americans have experienced online harassment and abuse. While men and women are equally likely to face abuse online, women experience a wider variety of serious online harassment, including cyberstalking and doxing. The study reveals young women, LGB people, and people of color are less likely to contribute online out of fear of suffering some form of attack, while men feel less vulnerable online, and are less likely to report any form of abuse as harassment. [Quartz]

WW – Study Examines Privacy Law, ‘Newsworthiness’ and Algorithms Influence

Georgetown University associate professor of legal research Erin Carroll has released a paper studying newsworthiness, algorithms and how they apply to privacy law. “Given the dominance of platforms like Facebook, the related influence of algorithms on how news is made, and specifically how algorithms are beginning to supplant editorial discretion and the editorial process, courts need to rethink their rationales for deference to the press,” Carroll writes. “In the realm of privacy law, courts have long trusted the Fourth Estate to vet the newsworthiness of a subject before publishing, so that the courts themselves did not have to. Today, that trust is becoming misplaced.” [Wall Street Journal]


CA – OIPC SK Issues Guidance on Retention of Transitory Records

The Office of the Saskatchewan Information and Privacy Commissioner has issued guidance on transitory records and freedom of information requests, pursuant to: the Freedom of Information and Protection of Privacy Act; and the Local Authority Freedom of Information and Protection of Privacy Act. Transitory records are exact copies of official records made for convenience of reference (such as to complete a routine task or prepare an ongoing document), and can come in any format (including post it notes, handwritten notes, emails, and texts); records should be destroyed in accordance with internal disposal procedures one year after a response to an applicant, or in the case of convenience copies, the official record has been identified [OIPC SK – Transitory Records and Access-to-Information Requests]

CA – OIPC Yukon Finds Disclosure of Individual’s Telephone Number Would Be an Invasion of Privacy

The Information and Privacy Commissioner in Yukon reviewed a decision by the Department of Justice to deny access to information requested, pursuant to the Access to Information and Protection of Privacy Act. The telephone number of a property bidder was not provided in the individual’s bid (suggesting they did not intend for it to be publicly disclosed), was handwritten on a piece of paper below the bidder’s name (to be contacted about changes in court dates), and the number was not intentionally provided in the public bid of the property. [IPC YK – Inquiry Report ATP15-037AR – Department of Justice]

CA – OIPC NL: Public Bodies Bear Burden of Proof When Relying on Extraordinary Circumstances Exception

The Office of the Information and Privacy Commissioner of Newfoundland and Labrador provides guidance to public bodies on the use of section 24 of the Access to Information and Protection of Privacy Act. Parties seeking to establish extraordinary circumstances (such as natural disasters, labour disputes, or disruptions of postal service or power services) should present to the OIPC evidence that events were external to the party, unanticipated, and beyond the party’s control (such that exercising due diligence would not have avoided the impact of the event); the time to make an application for an extraordinary circumstances exception does not suspend the time period for responding to an applicant. [OIPC NFLD – Section 24 – Extraordinary Circumstances]


US – InsideDNA’s Genome-Scouring Uses Health Data, Faces Privacy Concerns

Bioinformatics startup InsideDNA is looking to discover the best “drug interaction” for patients. It does this by “using data to look for an association between genes and diseases and then checking if proteins produced by those genes associated with a disease are suitable drug targets.” Health data fuels these connections. While the startup faces myriad critics’ concerns, one of the biggest is privacy. “Patients need to voluntarily offer their DNA data.” “However, accurate diagnoses would rely on a vast and diverse repository of genetic information.” InsideDNA says its more worried about a bigger challenge: “establishing credibility in the biopharma world.” [TechCrunch | See also: Canada’s Genetic Non-Discrimination Act is headed back to the Senate due to the passing of an accompanying clause aimed at protecting the intent of the bill.]

Health / Medical

US – OCR to Conduct More On-Site Hospital Audits in 2017

The Department of Health and Human Services’ Office for Civil Rights will conduct more on-site audits of hospitals in 2017. OCR Senior Advisor Linda Sanches said the agency is currently conducting more than 200 audits with HIPAA-covered entities, with 167 focused on examining providers. Sanches said the audits are designed to discover the risks and vulnerabilities the government is currently unaware of, and would not be able to learn about through filed complaints. “We’re looking for evidence that you are implementing the policies and procedures… Two huge problems we’re seeing are implementation of risk analysis and risk management.” UPMC Vice President and Associate Counsel John Houston voiced concerns about the OCR’s demands. “We do a lot of stuff we consider to be a risk assessment but there’s not clarity on what that really means from OCR’s perspective.” [Healthcare IT News]

CA – Saskatchewan Nurse Disciplined for Social Media Comments

A Saskatchewan nurse was found guilty of professional misconduct after using social media to voice her concerns over a family member’s care. The Saskatchewan Registered Nurses Association ruled Carolyn Strom acted illicitly when she posted on Facebook and Twitter about the staff at St. Joseph’s Health Facility in Macklin, Saskatchewan. Strom is not a nurse at the facility, but staff members at St. Joseph’s filed a complaint regarding Strom’s remarks. The committee ruled Strom’s comments were not protected by free speech, as she identified herself as a registered nurse in the comments. While the committee stated Strom did not act out of malice with her comments, she is still required to conduct herself professionally on social media. [CBC News]

CA – BC Lower Mainland Clinic Scolded for Excessive Surveillance of Patients

BC’s Information and privacy Commissioner is asking a Lower Mainland clinic to immediately stop collecting audio and video surveillance of clients. Acting commissioner Drew McArthur investigated the un-named medical clinic after complaints were brought forward to his office in June. Auditors examined the organization’s use of video and audio surveillance in its lobby, hallways, back exits, and fitness room. The main finding from the privacy commissioner is that the clinic is not authorized to collect personal information through video and audio surveillance. Both B.C.’s privacy commissioner and the privacy commissioner of Canada view video surveillance as highly invasive. Private sector privacy laws require that organizations collect as little information as is reasonable for business purposes. [CBC.ca | Medical clinic collects too much personal info through surveillance: B.C. audit]

Horror Stories

HK – Mobile Apps Leak ‘Billions’ of Users’ Phone Numbers, Including Hong Kong’s Chief Executive

A breach of mobile apps CM Security, Truecaller and Sync.ME leaked the phone numbers of billions of users, including Hong Kong Chief Executive Leung Chun-ying and the Chief Secretary for Administration Carrie Lam Cheng Yuet-ngor. “Users of the apps can trace the names of billions of number holders by inputting their digits into a ‘reverse look-up feature,’” the report states. “Contact details for more than 60 out of 70 sitting lawmakers were available across CM Security and Truecaller.” Additionally, Chinese University’s Stuart Hargreaves said the apps’ violated two privacy laws under the Hong Kong’s Personal Data Privacy Ordinance, as it was “unlikely users would seek permission from every individual in their phone book before agreeing to share their contact details.” [South China Morning Post]

Identity Issues

IS – Interior Minister Urges Joining of National Biometric Database with ID Cards

Israeli Interior Minister Aryeh Deri has “decided to push to mandate” the joining of a national biometric database and identity cards. “It is still unclear whether Deri will garner a Knesset majority to make the requirement law, but every recent interior minister has supported the initiative.” Database initiatives have been controversial in Israel, with the Movement for Digital Rights promising to continue to challenge Deri’s move. In the meantime, “those objecting would still have their fingerprints and facial recognition picture taken, but it would only be connected to their smart-card, not placed in the database.” [The Jerusalem Post]

US – Report: Health Care’s Need to Embrace ID Management Solutions

A new report from Synchronoss details ways the health care industry can better protect sensitive data and reduce risk by using different identity challenges. “Healthcare’s ID Management Challenge” was created by Synchronoss Technologies’ Tracy Hulver, and goes over several subjects, including common characteristics of health care data breaches, the reasons why health care organizations have been slow to implement multifactor authentication, and ways to gain business support for ID management solutions. “Everyone is in danger; all the data has a threat against it… But in other ways healthcare is different because people’s privacy is at the heart of healthcare information, so not only is there a financial component and motivator. but also there’s a strong privacy element as well.” [GovInfoSecurity]

CA – OIPC SK Recommends Municipality De-Identify or Redact Personal Information in Council Meeting Minutes

The Office of the Saskatchewan Information and Privacy Commissioner investigated a complaint regarding the disclosure of personal information on the Rural Municipality of Rosthern’s website, pursuant to The Local Authority Freedom of Information and Protection of Privacy Act. The municipality has the authority to disclose to the public full details included in its council meeting minutes; however, the municipality should record the least amount of personal information necessary in its council meetings (e.g. referring to the individual as “a complainant” or by his initials). [OIPC SK – Investigation Report 237-2016 – Rural Municipality of Rosthern]

Intellectual Property

CA – Google Is Fighting Global Search Censorship in Canada’s Supreme Court

This week Google went in front of the Supreme Court of Canada to argue that the country’s courts shouldn’t have the authority to order the search giant to censor links worldwide. It appears Google’s argument is that if a Canadian court wants to block search results in another country, the court should obtain a court order against the company in the country where it’s based. Google is also reportedly echoing the concerns of Canadian privacy experts who’ve argued that the ability to block search results worldwide could be used to silence legitimate free speech online. It’s a strange case with an even stranger origin, mostly because Google wasn’t even involved in the initial litigation. If the Supreme Court of Canada upholds these previous rulings, then Canadian courts will have a new, global censorship power at their disposal. [Motherboard | Internet freedom at stake in Supreme Court of Canada case | Supreme Court hears arguments in case pitting Google against B.C. firm | Google brings internet free-speech battle to Supreme Court | We Won’t Let You Forget It: Why We Oppose French Attempts to Export the Right To Be Forgotten Worldwide | Global Application of French “Right to Be Forgotten” Law Would Pose Threat to Free Expression | How ‘right to be forgotten’ puts privacy and free speech on a collision course ]

Internet / WWW

WW – McAfee Highlights IoT and Cloud Security Threats, Trends

Internet of Things (IoT) security and cloud security threats are key areas to watch for critical developments in 2017, according to Intel Security’s McAfee Labs 2017 Threats Predictions Report. The report also highlighted 14 trends to keep an eye on in the next year, and also listed the six “most difficult-to-solve” cybersecurity challenges. Overall, the report listed 10 predictions as the most prominent and probable outcomes during the next two to four years, including that “IoT will significantly reduce consumer privacy.” [HealthIT Security | 14 Cyber Security Predictions for 2017]

Law Enforcement

CA – Technical Hurdles Mean No Body-Worn Cameras for Mounties

The RCMP says it is postponing the deployment of body-worn cameras after testing revealed technical problems, including limited battery life and lack of durability. Rolling out the cameras would mean purchasing thousands of units for over 750 detachments. The national police force says that means it must have confidence in the technology and ensure the expenditure is justified. Body-worn cameras generally clip on a uniform, or can be embedded in glasses or a helmet. They are used to gather evidence for prosecution should criminal behaviour be recorded and to bolster accountability if questions arise after an incident. The small video cameras are intended to openly capture an “accurate, unbiased and reliable” audio and video account of incidents from the officer’s perspective, the RCMP said in an interim summary on use of the devices, made public earlier this year. The Mounties began exploring body-worn cameras — including privacy, legal and recording storage issues — three years ago. The interim RCMP policy said Mounties wearing cameras must hit the record button when there is “a high likelihood” they’ll use force against someone. The RCMP has told the federal privacy commissioner another assessment of the technology would be undertaken and provided to the watchdog for comment in advance of any national roll-out of the cameras. [National News Watch | RCMP decides not to outfit officers with body-worn cameras | Police body cams not ‘worthwhile’ if officers can turn them off, lawyer says | Mounties wearing video cameras told to record use of force]

US – Court of Appeals Finds Use of Stingray to Locate Individual was Lawful

Damian Patrick challenges the validity of his arrest by law enforcement: The Electronic Frontier Foundation, the American Civil Liberties Union Foundation and the ACLU of Wisconsin previously filed an Amicus Brief in support of Appellee. Law enforcement was permitted to use a cell-site simulator to execute a location warrant on an individual; he was wanted on probable cause and arrest warrants, was taken into custody in a public place (there was no legitimate expectation of privacy), the simulator was not used to generate the probable cause for his arrest (he was in possession of firearms), and law enforcement did not have to reveal to the warrant-issuing judge that they planned to use a simulator to locate him. [USA v. Damian Patrick – 2016 US App. LEXIS 21090 – US Court of Appeals for the 7th Circuit]

CA – Law Enforcement Seeks Access to Mail to Combat Opioid Deliveries

As illicit opioid use rises in Canada, law enforcement agencies across the country are pushing for revisions to laws forbidding them from investigating mail in transit. Law enforcement is specifically targeting fentanyl, a small drug often sent through Canada’s postal service by traffickers. The Canadian Association of Chiefs of Police has discussed changes to the Canada Post Corporation Act with several groups, but no movement has been made on possible alterations. McInnes Cooper privacy lawyer David Fraser said while he normally doesn’t support the expansion of police powers, the fentanyl issue is an exception. “The Canada Post Act that says that the mail is sacred and it can’t be detained, which is quaint,” said Fraser. “But I think in the circumstances when you’re dealing with very dangerous items that are going through the mail, it does make sense to intercept them at that point before they represent a risk to the public.” [CBC News]

UK – Police Nab Suspect While Phone is Unlocked

Police in London waited until a suspect’s phone was unlocked before arresting him in a bid to gain access to information on the device without having to demand the password. The suspect allegedly manufactured phony payment cards using stolen data; the cards were then used to purchase luxury items. [SCmagazineUK ]


US – Uber Commences Background Collection of User Location Data

The latest Uber app update has changed the way it collects location data from its users. Uber now requests users share their location at all times, rather than only when the app is open. The ride-hailing company wants to have user’s location data from the moment they request their ride to five minutes after reaching their destination. Uber said the change in data collection is to help improve its drop-offs and pickups, while also assisting in enhancing user safety. “We’re always thinking about ways we can improve the rider experience from sharpening our ETA estimates to identifying the best pickup location on any given street,” said an Uber representative, adding, “Location is at the heart of the Uber experience, and we’re asking riders to provide us with more information to achieve these goals.” [TechCrunch]

Online Privacy

HK – Study: Cyber incidents in Hong Kong, China increased by more than 900%

A PwC study has found that China and Hong Kong have had a 969 percent increase in cyber incidents since 2014. “The level of espionage or activity relating to cybersecurity incidents, such as data leakage or data theft is a lot higher [in China and Hong Kong] than any other countries,” said PwC’s Kenneth Wong. The increase of incidents may be credited to the “huge rate of adoption” of internet of things devices without adequate security measures in the region, added Marin Ivezic. [South China Morning Post]

Privacy (US)

US – Chief Data Scientist Rallies Technologists to Embrace Public Service

White House Chief Data Scientist DJ Patil encouraged technologists to embrace public service as data needs continue to grow. “Data is a force multiplier in every level of society… In cancer, the answer isn’t in a database; it’s in thousands of databases… It’s fragmented. The answer is likely out there. We just don’t know how to put it together.” The best way to “put things together” is to add technological voices to the discussion. “When do you jump in? The time is now.” “Why? These problems can’t wait. You can help transform that — city level, nonprofits, the time is now to serve.” [NextGov]

US – Evaluating Digital Risks for Public Companies

As organizations move from compliance-based to risk-based approaches to privacy operations, the natural question arises: How does privacy risk compare with other risks faced by the enterprise? To investigate, the IAPP Westin Research Center combed through the annual 10-K disclosure statements to the U.S. Securities and Exchange Commission of more than 100 publicly traded companies. The findings? Losing customers’ or employees’ personally identifiable information ranks first among disclosed information-related risks. Find in this new IAPP Westin Center report, “Loss of PII Is Top Digital Risk for Public Companies,” how companies rank hacking vs. employee error, which consequences they fear most, and whether the looming GDPR moves the risk needle — plus, find an annex of risk-language used by the world’s biggest organizations. [IAPP.org]


US – Commission on Enhancing National Cyber Security Issues Final Report

The President’s Commission on Cybersecurity has released its final report. Intended to serve as a transition guide for the next administration, the report calls for increasing cooperation between the government, the private sector, academia, and US citizens. It identifies six imperatives for enhancing cybersecurity: Protect, Defend, and Secure Today’s Information Infrastructure and Digital Networks; Innovate and Accelerate Investment for the Security and Growth of Digital Networks and the Digital Economy; Prepare Consumers to Thrive in a Digital Age; Build Cybersecurity Workforce Capabilities; Better Equip Government to Function Effectively and Securely in the Digital Age; and Ensure an Open, Fair, Competitive, and Secure Global Digital Economy. [White House.gov | [NIST | The Hill | WIRED | SCmagazine]

EU – MIT, Amsterdam U Receive Grants to Research Smartphone Privacy

The Internet Policy Research Initiative at the Massachusetts Institute of Technology and the Institute for Information Law at the University of Amsterdam have received grants to research privacy in smartphones. The two groups recently worked together on their EU-U.S. Privacy Bridges project and will join forces to investigate the differences between privacy expectations, preferences and behaviors in the EU and the U.S. “The joint research project will undertake a cross-cultural investigation of how different app ecosystems (Android, Apple iOS) shape privacy and transparency towards users through user control mechanisms, while analyzing the impact of different legal frameworks on smartphone privacy in Europe and the U.S.,” a University of Amsterdam release states. [IVIR.nl]

Smart Cars / IoT

EU – European Commission Publishes Internet-Connected Vehicles Strategy

The European Commission has published a strategy on internet-connected vehicles. The EU plans on having cars become equipped with digital systems warning drivers about traffic, road work, and approaching emergency vehicles by 2019, with newer car models implementing smart parking information and systems designed to protect pedestrians. The European Commission strategy prevents car manufacturers from using, processing, and selling driver data to third parties, a right pushed for by the European Automobile Manufacturers’ Association. “Users must have the assurance that personal data are not a commodity, and know they can effectively control how and for what purposes their data are being used,” the strategy states. [EurActiv]

WW – Researchers Find New Vulnerabilities Within Iot Cameras

Two research groups have found security vulnerabilities in internet-of-things technologies making them vulnerable to cyberattacks. Austrian security firm SEC Consult found two backdoors within Sony IPELA Engine IP Cameras. The firm said the backdoors could be compromised by attackers taking control of web servers built into the cameras. “We believe that this backdoor was introduced by Sony developers on purpose (maybe as a way to debug the device during development or factory functional testing) and not an ‘unauthorized third party’ like in other Cases,” SEC Consult wrote. Security firm Cybereason claimed to have found two security flaws in dozens of white-labeled IP cameras available to consumers through Amazon and eBay. Cybereason found the flaws make the cameras vulnerable to IoT attacks, even if they are behind a firewall. [KrebsOnSecurity]

US – Privacy Groups Call for Investigation of IoT Toymakers

Privacy advocacy groups in the U.S. and Europe are asking consumer protection agencies to investigate two internet-connected toy manufacturers to see if the companies are violating children’s privacy laws. The complaints will be filed in the U.S., France, Sweden, Greece, Belgium, Ireland, the Netherlands, and Norway against Genesis Toys and Nuance Communications. “We are putting the Internet of Things industry on notice that consumer advocacy groups are aggressively watching these developments with alarm, and expect them to create products that protect young people and positively support their psychosocial development,” said Center for Digital Democracy Executive Director Jeffrey Chester. “The industry must adopt safe practices.” [PCWorld]

US – USPS Could Help Development of Smart Cities

The U.S. Postal Service could become a key component for the future of smart cities. A Smart Cities Summit panel in Boston, Massachusetts, mapped out the ways the USPS could help develop smart cities. USPS trucks drive through cities each day, and through their travels, could monitor conditions and the environment. The data would be sent back to the cities to enhance services, and would give the USPS a new stream of revenue to help expand into new services. In order to use the USPS to develop smart cities, interoperability between regions, technologies and data flows would need to be worked upon, while the USPS would also be subjected to new regulatory restrictions. [ZDNet]


US – Class Action Complaint Alleges Software Installed on Cell Phones Collected and Transmitted Personal Data Without Consent

An individual files a class action complaint alleging Blu Products Inc, Inc et al for the installation of firmware on customer cell phones. Firmware was installed on approximately 120,000 phones that allows the phones to continuously capture and transmit personal data (such as text messages, personal contacts, call logs; and physical locations) to a server in China; harm was deliberate as the company knew that by intentionally installing the firmware on the phones it would collect personal and confidential data without the knowledge and consent of the customer. [Aaron Bonds v. Blu Products Inc et al – Case No. 1-16-cv-24892-MGC – United States District Court Southern District of Florida]

UK – TfL Program Tracks London Underground Users’ Access to Wi-Fi

Transport for London has started a four-week trial designed to read Wi-Fi connection-request data from the mobile phones of London Underground passengers. The program aims to discover where citizens move through stations and interchange between services, and determine how crowding develops. TfL only has access to data when people enter and exit the Underground, leaving the interpretation of the results to educated guesswork. Once the data has been taken from the phones, it is “automatically depersonalized” and sent to a private database for analysis. “The trial will work by collecting Wi-Fi connection requests from mobile devices as customers pass through stations. When a device has Wi-Fi enabled, it will continually search for a Wi-Fi network by sending out a unique identifier – known as a Media Access Control address – to nearby routers,” TfL stated. [The Register]

US Government Programs

US – FTC Holds Seminar on Smart TV Privacy Issues

The Federal Trade Commission held a seminar to discuss privacy concerns surrounding smart TVs. Panelists discussed a variety of topics, such as consumer attitudes toward smart TVs, and whether industry self-regulation can properly address privacy concerns with connected devices. “It matters whether consumers think of their smart TV as a PC or a television,” said Director of the FTC’s Bureau of Consumer Protection Jessica Rich. “From the moment we bought our first personal computer, there was data collection and data-driven advertising. By contrast, the television industry did not evolve with data collection as a critical component.” Some panelists are skeptical of industry self-regulation. “Self-regulation in the privacy space has been an abject failure” said University of California, Berkeley’s Serge Egelman. “I’m not saying we need new regulations to regulate how data is shared. But we do need to do much better in terms of disclosure.” [MediaPost] [How the connected toys industry can protect customers’ privacy] [FTC Explores Privacy Concerns Raised By Smart TVs]

US Legislation

US – DoJ Will Seek Legislative Fix to Obtain Evidence Held Abroad

The US Department of Justice (DoJ) plans to submit a legislative fix that would allow it to demand evidence stored on servers in other countries. The action is designed to circumvent a court ruling which said that DoJ could not demand emails from Microsoft because they were held on a server in Ireland. The courts said that there must be an international agreement between the US and a foreign country for US officials to request data stored in that country. [The Hill ]

US – 9th Circuit Upholds Warrantless Email Surveillance of Person in the U.S. Communicating with Foreigners Abroad When the Foreigners are the ‘Targets’

The U.S. Court of Appeals for the 9th Circuit has handed down United States v. Mohamud, an important case on how the Fourth Amendment applies to the global Internet. The case involves monitoring under Section 702 of the Foreign Intelligence Surveillance Act. Warrantless monitoring of a foreign national’s email account from inside the United States revealed emails between the foreign national and Mohamud inside the United States. That led the government to obtain a FISA warrant to monitor Mohamud’s account. Among the questions in the case was whether the initial warrantless collection of the Mohamud’s emails, incidental to the targeting of the foreign national’s emails, was consistent with Fourth Amendment. In an opinion by Judge John Owens, the court ruled that the Fourth Amendment was not violated. Here’s an overview of the reasoning together with a few (mostly critical) comments from me. [Washington Post] [Court: Secret spying of would-be Christmas tree bomber was OK | Terrorism Conviction of a Wiretapped American Is Upheld on Appeal ]

US – FBI’s Expanded Surveillance Powers Take Effect

An attempt by US legislators to block changes to the search and seizure provision of Rule 41 of the Federal Rules of Criminal Procedure did not succeed. The changes grant the FBI expanded surveillance powers, granting judges the authority to issue warrants that allows the government to remotely access computers outside the judge’s jurisdiction, even outside the country, for the purpose of criminal investigations. [ZDnet.com | Computerworld]

US – New Bill Prevents Companies from Punishing Users for Negative Online Reviews

Congress has passed the Consumer Review Fairness Act,making it illegal for companies to retaliate against customers who post negative online reviews. The legislation passed unanimously through the Senate, and had already been approved by the House of Representatives. The bill only needs a signature from President Barack Obama to become law. The act prevents companies from implementing penalties for negative online reviews and gives the Federal Trade Commission the power to enforce the law when necessary. “Every consumer has the right to share their honest experiences and opinions of any business without the fear of legal retaliation, and the passage of our bill brings us one step closer to protecting that right,” said Sen. Brian Schatz, D-Hawaii. [Ars Technica]

US – Other Privacy News


18-27 November 2016


US – Facebook Says Illinois Biometrics Privacy Law Violates Constitution

Facebook Inc. says an Illinois biometrics law that prevents interstate-sharing of facial recognition data violates the U.S. Constitution In August, three class actions against Facebook over allegations that the company’s ‘tag suggestion’ feature violates users’ privacy rights, were moved from Chicago’s federal courts to San Francisco’s. Facebook said that the BIPA infringes on a constitutional protection under the commerce clause, which restricts a state’s ability to pass legislation that would improperly strain or discriminate against interstate commerce. Last month, both Facebook and Google stated that collecting facial biometrics data isn’t against the law, even without the user’s consent. [Biometrics Update | Federal Court in Illinois dismisses biometric data privacy case against Smarte Carte ]


CA – OPC Canada Recommends Amending Federal Privacy Act to Require Breach Notification and Improved OPC Powers.

The federal Privacy Commissioner of Canada appears before a committee studying potential reviews of the Privacy Act. Government institutions should be required to report material breaches of personal information to the OPC in a timely manner and notify affected individuals in certain cases. The ombudsman model for complaint investigation should be replaced with OPC powers to issue binding orders, and the OPC should be granted discretionary power to decline complaints or discontinue investigations on specified grounds, including when the complaint is frivolous, vexatious or made in bad faith. [OPC Canada – Appearance before the Standing Committee on Access to Information, Privacy and Ethics on the Study on Review of the Privacy ActOpening Statement | Recommendations]

CA – Therrien Calls on Parliament for Clear Rules on Surveillance

Privacy Commissioner Daniel Therrien has called on Parliament to enact clearer rules around how law enforcement collects, obtains and destroys data on Canadian citizens. He said Bill C-51 needs more protections built in. “Security agencies, with (Bill C-51 powers) and with the absence of rules around retention, for instance, would be able to collect and retain information that they don’t really need,” Therrien said. “I don’t dispute that CSIS needs to analyze information in order to do their job but once the analysis has been completed and the vast majority of people about whom they’re collecting information are found not to be a threat, and that’s the case, then they should destroy that information.” [Toronto Star]

CA – Ottawa Approves Redress System for Canadian Travellers Affected by No-Fly List

The federal government has approved a redress system to protect Canadian travellers, including children who can’t board airline flights due to aviation security lists. Unlike the U.S. stand-alone system, Canada’s no-fly-list database was designed to piggyback on to airline computers, making it more problematic to deal with misunderstandings about passenger identity. Canada is now poised to set up its own independent data system that will be controlled by Public Safety, Transport Canada and the Canada Border Services Agency. The redress system will allow Canadians whose names closely match those on the no-fly list to apply for a unique identification number. They will be able to use the number at the time of ticket purchase to clear their name in advance and prevent flight delays. [Globe & Mail | Six-year-old’s name still on Canada’s no-fly list, mother says | Secret Bans, Secret Trials: The Canadian ‘No-Fly’ Lists | Families say shared Canada-U.S. no-fly lists must include safeguards for children  | Canada’s no-fly list is ‘very mysterious’ and leaves targets little recourse, say critics

CA – Canada Steps Away from Online Redress System, But ‘No Fly List Kids’ Parents Still Waiting

Canada could implement a redress system as early as spring of 2018 to make it easier for children and adults falsely flagged as security threats to get past extra airport security checks when their names match those of people on no-fly lists. Public Safety Minister Ralph Goodale described the future system at a town hall on national security Saturday afternoon in Markham, Ont. Goodale pointed to the American redress model, which provides a redress number to “false-positives” on the list that can be entered online anytime they make a booking to avoid additional screening. “That’s the way the Canadian system should work,” the public safety minister said, adding that once implemented, Canada’s system will be interactive, automatic and done entirely online. But in the meantime, the public safety minister announced no interim solutions for people falsely flagged by the list, something the parents advocacy group No Fly List Kids had been hoping for. “It was a little bit disappointing,” said a spokesperson for the group, who added she was nevertheless encouraged to hear changes are coming. Consultations began on Sept. 8 and will be completed on Dec. 15. Submissions can also be made online. Feedback from the town halls will be compiled into a report that will be made public, the government said. [CBC | Liberals ask public to weigh in online about national security issues | Ontario man stranded in Amsterdam by U.S. no-fly list back home | Markham man still stranded in Amsterdam says his name is on no-fly list | ‘As a Canadian citizen I felt very helpless’: Man on U.S. no-fly list stranded overseas | Mom of boy on no-fly list ‘really looking forward’ to travelling after feds announce plan to end mix-ups | Mother insists plan for Canada-US no-fly list must protect children | Human rights tribunal questions Air Canada’s ‘no-fly list’ policies | Boy, 6, still flagged in no-fly list mix-up, family says | Mother of boy on no-fly list ‘pleased’ by Ottawa’s response | Families affected by no-fly list reach out to mother of Ontario boy | U.S. no-fly list could be behind Canadian air travel nightmares | Ottawa says there’s no need for additional airport security screening for under-18s | Getting on Canada’s no-fly list is ‘a very mysterious process,’ says critic | Ottawa approves redress system for Canadian travellers affected by no-fly list | Secret Bans, Secret Trials: The Canadian ‘No-Fly’ Lists | Families say shared Canada-U.S. no-fly lists must include safeguards for children | Canada’s no-fly list is ‘very mysterious’ and leaves targets little recourse, say critics]

CA – New Brunswick Benefits Bill Changed Due to Privacy Concerns

A benefits bill that details what information is shared between the New Brunswick and federal governments has been altered because of privacy concerns. The bill will simplify the sharing of personal data between the governments deciding which provincial residents are eligible for welfare, housing and nursing home subsidies. One change included a more narrow and specific definition of personal information. Families Minister Stephen Horsman said, “Personal information’ means the name and date of the birth of the person.” Ultimately, he said, the bill will cut down on waiting times so residents can get the services they need more quickly. [CBC]

CA – Nova Scotia Privacy Breach Shows Why Faxing Personal Information Must End

Nova Scotia’s privacy commissioner is urging the provincial health authority to stop allowing doctors to send faxes with sensitive information A number of organizations still use fax machines for sending data, particularly in the health care field where paper is the most trusted form of documentation. But a fax sent to the wrong number can cause a major privacy breach. That’s what has been happening in Nova Scotia, where for years a private business has been receiving faxes from family doctors referring patients to a mental health clinic with a similar fax number. It got bad enough that Catherine Tully, the Information and Privacy Commissioner, stepped in to investigate. [IT World Canada | Privacy commissioner says doctors should move away from faxing patient referrals | Doctors should move away from faxing patient referrals: Nova Scotia Privacy Commissioner]

CA – SCC Decision Reaffirms Protection of Solicitor-Client Privilege

In a pair of decisions, the Supreme Court of Canada has reaffirmed robust protections for solicitor-client privilege, while elevating litigation privilege. In Lizotte v. Aviva Insurance Company of Canada, the Supreme Court upheld a 2015 Quebec Court of Appeal ruling that determined a provincial regulator could not have access to information Aviva Insurance claimed was protected by litigation privilege. In the second decision released Friday, Alberta v. University of Calgary, the court determined a provincial regulator could not abrogate solicitor-client privilege on inference. “…solicitor-client privilege cannot be set aside by inference but only by legislative language that is clear, explicit and unequivocal,” Justice Suzanne Côté wrote for the majority in the decision. [Canadian Lawyer | SCC deals blow to privacy commissioner powers – privilege reigns supreme | Alberta’s information and privacy commissioner loses Supreme Court case

CA – Quebec Government Launches Online Privacy Awareness Campaign

The Quebec government is introducing a new campaign designed to raise online privacy awareness. National Assembly of Quebec Minister Rita de Santis will tour with actor Nicolas Ouellet to explain to teens between the ages of 14 and 17 why they need to be careful about what they share on social media. De Santis also plans to introduce legislation to the National Assembly to increase privacy protections, but admits more needs to be done. “The law alone can’t change how people behave,” de Santis said. The tour will finish in May 2017. [Full Story]

CA – Monsef Says She’s Heard No Concerns on Political Parties’ Big Data Operations

Democratic Institutions Minister Maryam Monsef says she hasn’t heard concerns about political parties’ unfettered ability to collect and use data from Canadians. There are virtually no rules or oversight into how parties collect, store and analyze data collected from Canadian voters. But Monsef said the issue hasn’t come up as she’s crisscrossed the country talking about how to reform Canada’s election system. All three major federal parties have been ramping up their big data operations to help guide their electoral efforts. Data can be drawn from fundraising emails and online petitions, interactions on voters’ doorstep, even social media postings. Privacy Commissioner Daniel Therrien noted that, while government agencies, including intelligence and law enforcement agencies, are subject to strict privacy laws, political parties have no rules or oversight. “All of these rules that apply to government departments, or to private organizations, which are basic privacy safeguards, do not apply to political parties,” [The Star | Political parties need rules for collecting Canadians data, says privacy watchdog | Ottawa may review parties’ use of Canadians’ private data

CA – Ontario Court Determines Customer Consent Allows for Production of Medical Documents

An Ontario Court reviewed a request by Fairview Assessment Centre seeking directions concerning the production of medical documents from non-party insured individuals. The Court ordered the production of medical documents of non-party insured individuals who made claims for statutory accident benefits; by signing the insurance application form, applicants expressly consented to the use and disclosure of their PHI for legitimate purposes (including investigation, adjudication and preventing and detecting fraud), and acknowledged that their PHI can be disclosed for purposes of complying with a legal order or participating in a proceeding as a witness. [Economical Insurance Company v Fairview Assessment Centre Inc. – cv-10-414992 – Superior Court of Justice – Ontario]


WW – MEF Releases White Paper On Personal Data Economy

The Mobile Ecosystem Forum has released a new white paper focused on the personal data economy, the concept of “letting individuals take ownership of their information so they can share it with businesses on their terms.” The white paper, commissioned on behalf of the MEF Consumer Trust Working Group, defines the personal data economy, provides case studies, includes regulation and compliance issues, outlines potential benefits, and details key challenges. [Mobile Ecosystem Forum]


CA – Poll: Only 15% of Citizens Use Encryption

A CBC News and Toronto Star poll found few Canadian citizens use advanced personal security tools to protect their data. While 81% of respondents said they clear cookies and erase their browser histories, only 15% said they use encryption, and only 17% use services such as virtual private networks to hide their identities (and locations) online. The poll found men are more likely to take steps to protect their privacy online than women. [CBC]

CA –Therrien Memo Indicates Support for Encryption

A memo prepared for Privacy Commissioner of Canada Daniel Therrien states that it “would be difficult for any one country to weaken or ban encryption technology.” “Encryption tools very much are now ubiquitous, globally distributed and irrevocable, which plainly no piece of domestic regulation or lawmaking will undo, given that two-thirds of encryption products are produced and sold by non-U.S. firms,” the memo states. While some critics argue that the practice protects criminals, a U.S. committee on homeland security report, summarized within the memo, counters that weakened encryption could have adverse effects on public safety. “What we are really dealing with is not so much a question of ‘privacy versus security,’ but a question of ‘security versus security.” [FToronto Star]

EU Developments

UK – Investigatory Powers Bill Passes Parliament

Britain’s Parliament has passed the Investigatory Powers Bill, a controversial surveillance law that grants UK intelligence agencies what some have called “overreaching, draconian and intrusive” authority to snoop on citizens. The bill is expected to become law before the end of the calendar year. It compels Internet service providers (ISPs) to retain every customer’s browsing history for up to a year; grants intelligence agencies the authority to gather “bulk personal datasets,” which could include information belonging to individuals not associated with an investigation; and requires companies to decrypt information upon demand. [ZDNet | v3.co.uk | SCMagazine | Sweeping UK spy bill dubbed ‘snoopers’ charter’ becomes law | Snoopers’ Charter will face legal challenge as privacy groups decry mass surveillance regime | The Investigatory Powers Bill (Snoopers’ Charter) Is Here, Now What Do We Do? | How to avoid the UK’s new online surveillance powers] See also: [Germany planning to ‘massively’ limit privacy rights]

EU – Other Privacy News

Facts & Stats

CA – CRTC Signs Agreement with FTC to Fight Unlawful Robocalls and Caller ID Spoofing

Effective November 17, 2016, the CRTC signed a memorandum of understanding with the U.S. FTC in regards to enforcing:

  • automated telephone calls (“robocalls”); and
  • inaccurate caller identification laws (“caller ID spoofing”).

The agreement will allow both organizations to work more collaboratively on the growing threat that unwanted robocalls pose to citizens of both countries, and requires both the CRTC and FTC to share complaints and other relevant information, provide investigative assistance, and facilitate a mutual exchange of knowledge and expertise through training programs and staff exchanges. [CRTC – Memorandum of Understanding Between the United States FTC and the CRTC on Mutual Assistance in the Enforcement of Laws on Automated Telephone Calls and Inaccurate Caller Identification | CRTC Press Release | FCC Press Release]


CA – Supreme Court of Canada Holds that Bank Can Disclose Mortgage Discharge Statements to Creditors

Royal Bank of Canada appealed the decision of the Ontario Court of Appeal holding that PIPEDA precludes Scotiabank from disclosing a mortgage statement to RBC. The court overrules lower court decisions by holding that a reasonable mortgagor would be aware that a judgment creditor has a legal right to obtain information necessary to realize their right to recover the debt against the individual’s assets; a creditor should be entitled to a court order requiring disclosure of a mortgage discharge statement if it has obtained judgment, filed a writ of seizure and sale, had the debtor either refuse consent to the disclosure or fail to attend an examination, and served the debtor with a motion to obtain disclosure (PIPEDA does not bar such disclosures). [Royal Bank of Canada v. Trang – 2016 SCC 50 (CanLII) – Supreme Court of Canada]

US – IRS Looking for Bitcoin Users’ Identity, Have Analysts Concerned for the Currency’s Future

The IRS is searching for both the identity of Coinbase users and their transactional activity after evidence suggests they violated U.S. tax laws. “As indicated by the summons, two things are clear: one, the IRS has tracked bitcoin-related activity sufficiently to be able to determine that certain users may not be in compliance with tax law, and two, this activity has been traced back to Coinbase wallets.” The move ultimately has some wondering if bitcoin is “over… Although bitcoin was initially touted as an ‘anonymous’ currency, people who understand the technology have always known it’s actually easily trackable. This sweeping action by the IRS demonstrates why it’s important for the crypto world to be advancing both convenience and anonymity in its currency,” said Dash’s Eric Sammons. [Cointelegraph]

EU – ENISA Examines Insurers’ Assessment Criteria and Best Practices

ENISA issued recommendations on cyber insurance companies and cyber insurance customers. Assessment criteria includes geographic spread of business (size, operations and revenue), business details (activities, outsourced functions and risk exposure), IT dependencies, processing of data (volume, sensitivity and liability), incident history, corporate social media presence, policy/claims history, and requested policy limit; a risk assessment is a best practice which should include review of dedicated resources (CISO), policies and procedures, employee awareness, incident response, security measures, vendor management and Board oversight. [ENISA – Cyber Insurance: Recent Advances, Good Practices and Challenges]


CA – Waits for Access to Information Get Longer in Alberta: Report

Albertans are facing increasingly lengthy waits for the province and its agencies to respond to information requests, says a newly published government report that was itself delayed by more than two years. The report reveals a worsening trend of failures to meet a legally mandated 30-day limit for fulfilling information applications. Newly released statistics from the 2014-15 fiscal year show the government and its agencies hit the deadline for 59% of the requests they received, while nearly a quarter of requests took 60 days or longer to complete. While offering plenty of statistics, the latest annual report offers little insight as to what factors might be behind the response times, such as a lack of FOIP staff, inadequate training, increased volume or complexity of requests, or heightened government scrutiny of requests. The report was released the same week as a new annual report from Information and Privacy Commissioner Jill Clayton, who also expressed confusion at the trend and speculated the government may not have enough FOIP staff. Regardless of what the reasons might be, Clayton said the government’s performance has Alberta “fast approaching a crisis situation” in information access. [Edmonton Journal | The Report | Access to information in Alberta nearing ‘crisis situation,’ FOIP commissioner says]

US – Yahoo Disclosed User Content in 1,115 US Gov’t Requests in First Half of 2016

Yahoo! provides its transparency report on requests for customer information from US and global government agencies between January 1, 2016 and June 30, 2016. The transparency report only includes government data requests. Yahoo received a total of 4,709 requests from US government agencies between January 1, 2016 and June 30, 2016, with most requests relating to criminal investigations; the company scrutinizes each request to ensure that it complies with the law, but may voluntarily disclose information where a disclosure without delay will prevent imminent danger of death or serious physical injury to a person. [Yahoo Transparency Report 2016]


EU – Council of Europe Issues Recommendations for Non-Discrimination in Insurance Contracts

The Committee of Ministers for the Council of Europe issued essential principles to protect the rights of individuals whose personal data are processed for insurance purposes. Predictive genetic tests should only be used if authorised by law, and an independent assessment can confirm that individuals have provided free, express, informed consent, processing is specified, justified and proportional, the quality and validity of the data is in line with generally accepted scientific and clinical standards, and the data has a high positive predictive value. Family members’ health data, and data obtained from the public domain, or for research should not be processed for insurance purposes. [Council of Europe – Recommendation CM-Rec(2016)8 – Processing of Personal Health-Related Data for Insurance Purposes, Including Data Resulting from Genetic Tests]

Health / Medical

CA – OIPC NFLD Finds Physician Names, Specialties and Unique Numbers are not Personal Information

The Office of the Information and Privacy Commissioner of Newfoundland and Labrador reviewed a decision by the Department of Health and Community Services to deny the disclosure of records, pursuant to the Access to Information and Protection of Privacy Act, 2015. A physician’s name and specialty is considered professional or business information, and their gross billing information would not be an accurate representation of their income, such that it would reveal anything of a personal nature; for the purposes of the Access to Information and Protection of Privacy Act, 2015, physicians shall be treated as employees (not third parties), because they practice in the context of a contractual relationship with the government to perform services for the public. [OIPC NFLD – Report A-2016-019 – Department of Health and Community Services]

CA – OAIPC NB Finds 3 Health Custodians Jointly Responsible for Preventable Breach of PHI

A new OAIPC report investigates a privacy breach incident at a hospital pursuant to New Brunswick’s Personal Health Information Protection Act. An employee’s unencrypted and uncabled laptop was stolen from an unlocked office; notification was given to all affected patients, the OAIPC, and law enforcement (the OAIPC agreed it was burdensome to notify 78 other patients who were not easily identifiable). All 3 custodians agreed to undertake appropriate corrective measures; a joint committee establishing policies around devices holding PHI, and a mandatory policy for passwords/encryption on portable devices. [OAIPC NB – 2014-2214-H-640 – Case About a Laptop Containing Unencrypted Personal Health Information Stolen from a Hospital]

UK – DeepMind has Signed a Major New Deal With the NHS Despite Concerns About Patient Privacy

DeepMind, an AI lab acquired by Google for £400 million, has secured a landmark deal with the NHS, paving the way forward for the company’s growing healthcare division. Royal Free London NHS Foundation Trust announced on its website on Tuesday that it will start rolling out DeepMind’s Streams app to clinicians at its hospitals from early 2017. Under the new five-year partnership, DeepMind and the Royal Free intend to expand the app’s abilities so that it can be used to help doctors monitor and detect patients at risk of other conditions, including sepsis and organ failure. DeepMind’s work on the Streams app with the Royal Free was criticised by privacy campaigners in April when New Scientist published an article highlighting the extent of the data-sharing agreement between the two organisations. [Business Insider | DeepMind hits back at criticism of its NHS data-sharing deal | Google company’s access to NHS records raises privacy concerns | DeepMind’s cofounder defended a controversial data-sharing agreement with the NHS | ICO probes Google DeepMind patient data-sharing deal with NHS Hospital Trust | DeepMind NHS health data-sharing deal faces further scrutiny

Horror Stories

US – Dept of Housing and Urban Development Breach of 600,000 Records

A Department of Housing and Urban Development website error led to the exposure of an estimated 600,000 users in August of this year, and victims have just heard of the breach via letters from the agency. While the breach only exposed the partial Social Security numbers and names of public housing residents, “some people who worked for employers that sought HUD/Empowerment Zone-related tax credits, including name, address and full or partial Social Security numbers, was also disclosed,” the letter states. The agency is offering those affected a year’s worth of credit monitoring. [Forbes]

UK – Three UK Suffers Data Breach After Hackers Obtain Employee Login

Hackers may have compromised the information of millions of Three UK customers after gaining access to an employee login. Three UK estimates hackers may have access to the information of two-thirds of its 8.8 million active customers after using the employee login to trigger bonus upgrades for premium smartphones in hopes of intercepting devices before they were delivered to customers. The customer data includes names, phone numbers, addresses and dates of birth. “We’re aware of an attempted fraud issue regarding upgrade devices and are working with police and relevant authorities on the matter. The objective was to steal high-end smartphones from Three, but we’ve already put measures in place to stop the fraudulent activity. We’d like to reassure customers that their financial details are not at risk,” Three UK said in a statement on Facebook. | TechCrunch | ZDNdnet | The Register]

Identity Issues

CA – OIPC AB Finds Public Body Inappropriately Disclosed Individual’s Address to the CRA

The Office of the Information and Privacy Commissioner in Alberta reviewed a decision by Service Alberta to deny access to records requested, pursuant to the Freedom of Information and Protection of Privacy Act. After a previous CRA request to the public body for an individual’s residential address, the public body contacted the CRA when the individual renewed her vehicle registration and provided a new address; the individual was not informed about the disclosure, and the CRA’s request for the information did not describe the nature of the investigation against the individual, how the address would be of assistance, or show that the CRA was authorized to obtain her address from the public body. [OIPC AB – Order F2016-41 – Service Alberta]

CA – Quebec Commission Finds Bank’s Collection of Personal Information Excessive for Identification Purposes

The Commission d’Accès à l’Information du Québec investigated a complaint alleging the unnecessary collection of personal information pursuant to the Act respecting the Protection of Personal Information in the Private Sector. The bank’s collection of notices of assessments was justified for the purpose of assessing a customer’s creditworthiness in relation to a credit application; however, the collection of a customer’s SIN, driver’s licence number and health card number for the purposes of identification is not proportionate to the intended use and sensitivity of the documents (e.g. health card is only to be used in relation to health services and SIN is not required if there is no tax implication). [CAI QC – Decision 061063 – Banque Nationale du Canada]

Law Enforcement

US – RCMP Seeks Stronger Surveillance Capabilities from Prime Minister

The Royal Canadian Mounted Police is pushing the Prime Minister’s Office for the ability to circumvent digital roadblocks, including obtaining basic subscriber information without a warrant in matters of national security. RCMP Commissioner Bob Paulson said criminal activity is taking place with technology the police force cannot act upon. “Because of our inability — and the future inability — to protect Canadians, both from garden variety criminality and from the national security threat, I see that as really significant,” Paulson said. “I’m consumed with trying to make sure that we’re able to mitigate the threat.” In an op-ed for Motherboard, however, Jordan Pearson claims the RCMP is using the media to “create moral panic” on the topic of encryption. [CBC News]

CA – RCMP is Overstating Canada’s ‘Surveillance Lag’

The RCMP has been lobbying the government behind the scenes for increased surveillance powers on the faulty premise that their investigative powers are lagging behind those foreign police services. The RCMP lobbying efforts paint an image of crisis where none exists. Surveillance capacities of other countries are overstated, while the formidable powers already available to Canadian agencies are disregarded. the RCMP appears to have convinced the federal government to transform a process intended to curb the excesses of Bill C-51 into one dominated by proposals for additional surveillance powers. The RCMP’s proposal to bypass the courts — historic front line watchdogs of our policing agencies — in favour of direct police access to sensitive digital identifiers is reducible to a desire to save “time and paperwork.” Collectively, the RCMP lobbying efforts paint an image of crisis where none exists. Surveillance capacities of other countries are overstated, while the formidable powers already available to Canadian agencies are disregarded. Far from “going dark,” the amount of data available to policing agencies in Canada and abroad is at historic heights, making this truly the golden age of investigative surveillance. [The Star | The RCMP needs you scared — and the media seems happy to help | Canadian Media Is Selling Citizens Short In a Nationwide Surveillance Debate | The RCMP Is Using the Media to ‘Create Moral Panic’ About Encryption

CA – Should Police Be Able to Force You to Hand Over Your Digital Passwords?

CBC News/Toronto Star demo a $450 device that cracks iPhones to explore existing investigative capabilities. Police say they need the power to compel suspects to hand over cellphone passwords and computer encryption codes in serious crime cases where potential evidence is hidden behind digital walls. But the proposal has not only provoked an outcry from civil liberties advocates, it has even caused division among police leaders. The idea is being floated in a federal government discussion paper and was endorsed by the Canadian Association of Chiefs of Police (CACP) as one measure to help investigators collect evidence on tech-savvy suspects who hide their identities and activities. But legal and civil liberties advocates warn that a law to compel the surrender of passwords flies in the face of the right to remain silent enshrined in the Charter of Rights and Freedoms. Micheal Vonn, policy director of the BC Civil Liberties Association, called it a “a very radical proposal in Canadian law.” Obtaining a suspect’s passwords is only one way for police to access encrypted devices. Critics say law enforcement has developed many other techniques to bypass passcodes and data protections on encrypted phones. CBC News and the Toronto Star asked a local data forensics expert who has worked closely with law enforcement to demonstrate how he can use a device to get past a password. [CBC News | RCMP can spy on your cellphone, court records reveal | Canadians want judicial oversight of any new digital snooping powers for police: Poll | RCMP boss Bob Paulson says force needs warrantless access to ISP user data | RCMP want new powers to bypass digital roadblocks in terrorism, major crime cases | Your cellphone password could hold the key in legal battle over collecting evidence | Canadians support police calls for more digital powers — with a catch: Toronto Star/CBC poll | Top Mountie lobbying PM for greater digital surveillance powers | Top-secret RCMP files show digital roadblocks thwarting criminal investigations in Canada]

CA – Canadians Want Judicial Oversight of New Digital Snooping Powers for Police: Poll

A CBC News/Toronto Star survey finds many willing to sacrifice some privacy under certain conditions Nearly half of the respondents to an Abacus Data survey of 2,500 Canadians agreed that citizens should have a right to complete digital privacy. But many appeared to change their mind when asked if an individual suspected of committing a serious crime should have the same right to keep their identity hidden from police. Respondents were evenly split on whether police should be able to demand suspects or witnesses hand over passwords or codes to unlock devices and encrypted data. But support for granting police this authority increased to 77% if a judge is required to first approve a warrant. Less than half of respondents agreed communications providers should be forced to keep text, email, phone and internet records for two years to assist potential criminal investigations. But support jumped to 66% if access to the stored information is protected and police would need a judge’s order before accessing a suspect’s records. Opposition was strongest to the third proposed new power for police: access to basic subscriber information (such as a user’s name and IP address) without authorization from a judge. Most respondents (78%) said police should need judicial approval to ask a communications company for a person’s basic digital identity, and only 35% said they’d support a system where a senior police officer or prosecutor could sign off. The survey, conducted on behalf of CBC News and the Toronto Star, asked Canadians about their views on three specific proposals to expand police powers, which are raised in a federal discussion paper that’s part of a review of Canada’s Anti-Terrorism Act. [Toronto Star | RCMP boss Bob Paulson says force needs warrantless access to ISP user data RCMP want new powers to bypass digital roadblocks in terrorism, major crime cases | Top Mountie lobbying PM for greater digital surveillance powers | Top-secret RCMP files show digital roadblocks thwarting criminal investigations in Canada | The RCMP Is Using the Media to ‘Create Moral Panic’ About Encryption | Canadians support police calls for more digital powers — with a catch

CA – Commercial Drone Operators Violating Privacy Could Face Criminal Charges

A law firm examines the current state of drones (“UAVs”) in Canada. Drones with cameras raise privacy concerns among the general public; PIPEDA’s consent obligation likely applies to drone footage, and there are criminal code provisions related to covert video surveillance, voyeurism and interception of private communications. Aeronautics fall under federal jurisdiction, but municipalities are starting to regulate the recreational use of drones in public areas (e.g. one B.C. municipality has banned drone flights in city parks and on school grounds). [Canadian Skies Abuzz – The Regulation of Drones and UAVs in Canadian Airspace – Kirsten R. Embree, Partner, and Jawaid Panjwani, Associate, Dentons]

Online Privacy

US – Civil Rights Leaders Fear BPD’s Social Media Tracking Will Target Blacks

Civil rights groups say they want answers from Boston police on how the department will use its $1.4 million social media tracking system — citing fears that it will broadly target young blacks and try to link them to gang activity. The concern is that police efforts to take down violent gangs — with predominantly minority membership — could mean an overly intensive focus on social media use by black youths, including both those who have nothing to do with gangs, and those who may have relationships with gang members but aren’t involved in crime. Advocates say they want police to reveal the search criteria for tracking Facebook and Twitter accounts, and report on the race and locations of people investigated or prosecuted via social media posts. BPD is due to award a $1.4 million contract by Dec. 5 for a system to “proactively alert personnel to threats communicated via social media and/or online open source and/or social media platforms.” [Boston Herald | Council seeks clarity from police on just ‘who is being monitored’ | McGovern: Constitutional dangers lurk in tracking of social media | Boston police set to buy social media monitoring software]

WW – Tor Project Creates Android Smartphone Prototype

The Tor Project has created a prototype of its Tor-enabled Android smartphone. The phone runs the Android firewall, OrWall, to protect user privacy by routing traffic over Tor, while blocking other forms of traffic. Tor developer Mike Perry said, “The prototype is meant to show a possible direction for Tor on mobile,” Perry wrote in a blog post. “We are trying to demonstrate that it is possible to build a phone that respects user choice and freedom, vastly reduces vulnerability surface, and sets a direction for the ecosystem with respect to how to meet the needs of high-security users.” [Ars Technica]

WW – Firefox Focus Browser for iOS is All About Privacy

Mozilla has launched a new browser for iOS. Firefox Focus aims to protect users’ privacy. It blocks ad trackers, analytics trackers, and social trackers by default. All records of a browsing session can be deleted with one tap. [v3.co.uk | TechCrunch.com]

US –FTC Report Covers Rise of App-Based ‘Sharing Economy’ Platforms

The FTC released a new report detailing the rise of internet and app-based “sharing economy” platforms. The study, titled “The ‘Sharing’ Economy: Issues Facing Platforms, Participants, and Regulators,” addresses concerns from state and local regulators and stakeholders worried the sharing economy platforms give new entrants the opportunity to avoid regulations designed to safeguard consumers and promote public safety. “This report provides fresh insights about ‘sharing economy’ platforms that continue to disrupt traditional industries,” said FTC Chairwoman Edith Ramirez. “It is important to allow competition and innovation to continue to flourish, while at the same time ensuring that consumers using these online and app-enabled platforms are adequately protected.” [FTC] [Hogan Lovells Summary]

Privacy (US)

US – IoT Security Takes Center Stage at FBI, DHS, NIST and Congress

In light of recent attacks, there has been an increased focus on IoT security at the FBI, the U.S. Department of Homeland and Security (DHS), the National Institute of Standards and Technology (NIST) and Capitol Hill. [Privacy and CyberSecurity Law | FBI Notification | DHS guidance | NIST guidance | A video of the hearing can be found here | White House and Homeland Security Publish Cybersecurity Guidelines for IoT Devices | NIST unveils Internet of Things cybersecurity guidance | DHS Release Principles For Securing Internet Of Things Amid Expanding Cyber Attack Vectors | Ambassador Sepulveda Urges Technology Industry to Ensure the Security and Interoperability of the Internet of Things | Online Trust Alliance Releases Privacy and Security Checklist for IoT Consumers | NIST scientists ‘nervous’ about lightweight crypto for IoT

US – California AG Guidance for the Ed Tech Industry: 6 Recommendations to Protect Student Data Privacy

Just before the election, California Attorney General Kamala Harris provided a document laying out guidance for those providing education technology (“Ed Tech”). “Recommendations for the Ed Tech Industry to Protect the Privacy of Student Data“ provides practical direction that operators of websites and online services of a site or service used for K-12 purposes can use to implement best practices for their business models. Given the size of the California market, any guidance issued by the California Attorney General’s office should be carefully considered and reviewed. Ed Tech, per the Recommendations, comes in three categories: (1) administrative management systems and tools, such as cloud services that store student data; (2) instructional support, including testing and assessment; (3) content, including curriculum and resources such as websites and mobile apps. The Recommendations recognize the important role that educational technology plays in classrooms by citing the Software & Information Industry Association; the U.S. Market for PreK-12 Ed Tech was estimated at $8.38 billion in 2015. The data that may be gathered by through Ed Tech systems and services can be extremely sensitive, including medical histories, social and emotional assessments and test results. However, according to the Recommendations, federal laws “are widely viewed as having been significantly outdated by new technology.” Attorney General Harris’ office provided six recommendations for Ed Tech providers, especially those that provide services in the pre-kindergarten to twelfth grade space.

  1. Data Collection and Retention: Minimization is the Goal
  2. Data Use: Keep it Educational
  3. Data Disclosure: Make Protections Stick
  4. Individual Control: Respect Users’ Rights
  5. Data Security: Implement Reasonable and Appropriate Safeguards
  6. Transparency: Provide a Meaningful Privacy Policy [Privacy and Security Matters]


CA – Carleton University Recovering from Ransomware Attack

The university said it has made progress on restoring IT services after detecting “an attempt by an external group or individual to hack into the IT network.” However, it isn’t known how many PCs or servers were infected. At one point the university warned the community through its Web site that “any system accessible from the main network, that is Windows based, may have been compromised.” With their large student bodies and valuable research databases, universities are tempting targets. Some students — and universities — are willing to pay up to not have work on their computers unreachable. Earlier this year the University of Calgary paid $20,000 for decryption keys after some 100 PCs ir servers were hit by the malware. It isn’t clear, though, if the university had to use the keys or was able to recover the data either from backups or other ways. [IT World Canada]

US – Guidance for Defending and Responding to Ransomware Attacks

On November 10, 2016, the United States Federal Trade Commission issued basic ransomware guidance (How to defend against ransomware and Ransomware – A closer look) and an accompanying video (Defend against Ransomware) to help consumers and businesses defend against and prepare to respond to ransomware attacks. The FTC’s guidance cautions against paying a ransom, but acknowledges that a ransom payment might be necessary in some circumstances. The FTC’s guidance is consistent with other guidance from Canadian and United States regulators An organization should prepare to respond to a ransomware attack by establishing and testing a detailed incident response plan that will enable the organization to make important technical, business and legal decisions in a timely manner. Those legal decisions may include whether the organization should give notice of the ransomware attack to regulators (e.g. privacy commissioners), affected individuals (e.g. customers), other organizations (e.g. business partners), stakeholders (e.g. shareholders and investors) and insurers. In many circumstances, an organization might have a legal obligation (under statute, generally applicable common or civil law or contract) to give notice of a ransomware attack. In addition, there might be important business reasons to give notice of a ransomware attack even if there is no legal obligation to do so. [BLG] FTC Announces New Guidance on Ransomware

WW – Ransomware May Target ‘Smart Cities,’ Autonomous Cars

A ransomware attack recently hit the San Francisco transport agency, and the attackers asked for $70,000 to unlock the systems. The agency cleared its systems, but we may see many more attacks on public “smart” systems that use outdated or unpatched operating systems and firmware. Ransomware attacks have kept climbing over the past few years. Soon, ransomware may even target autonomous cars and other smart city systems as they become more commonplace. Right now, the biggest threat of insecure Internet of Things devices is that botnets can take them over and then use them in massive distributed denial of service (DDoS) attacks against large companies or organizations. However, ransomware could leverage the same vulnerabilities as well, especially if attacking them could lead to a whole city infrastructure being locked-down Cities are starting to adopt IoT devices [to] power transportation systems, information systems, power plants, water and electricity supply networks, law enforcement, and so on. Once these systems use insecure IoT devices that aren’t well supported, they can become easy targets for ransomware and other types of attacks, which could then create major disruptions in cities. [Source | Warding off the blues of ransomware | 12 Keys For a Ransomware Game Plan | Why it’s time to take new strategies for beating ransomware | [San Francisco Rail System Hacker Hacked | SF Gate: Hacked Muni Refused $73,000 Ransom Demand; Computers Restored | SF Examiner: Alleged Muni ‘Hacker’ Demands $73,000 Ransom, Some Computers in Stations Restored | Info Mgmt News: Healthcare Is Prime Target of Gatak Trojan Malware]

WW – Are Images on Facebook Spreading Ransomware onto Devices?

Check Point researchers claim to have found a Locky ransomware variant doing the rounds on social media, using a unique mode of attack. However, Facebook denies that images on its service are hosting this ransomware [saying in a] statement: “This analysis is incorrect. There is no connection to Locky or any other ransomware, and this is not appearing on Messenger or Facebook. We investigated these reports and discovered there were several bad Chrome extensions, which we have been blocking for nearly a week. We also reported the bad browser extensions to the appropriate parties.” [Silicon Republic]

Smart Cars / IoT

US – NIST Issues Internet of Things (IoT) Guidance

After four years of research and collaboration with stakeholders, the National Institute of Standards and Technology recently released its final version of Special Publication 800-160 to provide much-needed guidance for securing IoT devices and systems throughout their entire life cycle. Special Publication 800-160 emphasizes the vulnerability of devices that rely on post-manufacture features such as firewalls, encryption and systems monitoring to ward off evolving and sophisticated cyber threats. Instead, the NIST encourages commercial and government technology developers to focus on simplifying design architecture and building out functional capability to counter threats, mitigate damage, and recover quickly from successful attacks. The guidance highlights engineering-based solutions and includes a range of technical standards and security principles to consider over the full life cycle of a product or system, including the development phase, upgrades and maintenance, and during retirement. This life cycle approach is intended to ensure that the IoT remains secure and that intellectual property and consumer personal data are also protected [Privacy and Security Matters |Internet of Things (IoT) Security Takes Center Stage At FBI, DHS, NIST and Congress | White House and Homeland Security Publish Cybersecurity Guidelines for IoT Devices | NIST unveils Internet of Things cybersecurity guidance | DHS Release Principles For Securing Internet Of Things Amid Expanding Cyber Attack Vectors | Ambassador Sepulveda Urges Technology Industry to Ensure the Security and Interoperability of the Internet of Things | Online Trust Alliance Releases Privacy and Security Checklist for IoT Consumers | NIST scientists ‘nervous’ about lightweight crypto for IoT]

US – Experts Testify Before Congress About IoT Security

Experts told the US House Committee on Energy and Commerce that action must be taken to secure the Internet of Things (IoT). Among the ideas raised were consequences for manufacturers that release products with inadequate security; a federally-funded IoT testing laboratory; and a new federal agency focused on cybersecurity. The committee hearing was a post-mortem of the distributed denial-of-service (DDoS) attack against Dyn last month that caused a number of popular websites to experience temporary outages. [Computerworld | Darkreading | The Register |-The Hill]

US – Google, Other Tech Giants Outline Ways to Improve IoT Security

Broadband Internet Technical Advisory Group (BITAG) laid out its recommendations for a rapidly growing industry within the world of online communication: the Internet of Things. BITAG recommends a handful of security standards for IoT devices, including timely, automated and secure software updates, password protection, and increased testing of customization options. The group also suggests implementing encryption best practices, plus the ability for these devices, particularly home alarm systems, to function if internet connectivity or the cloud fails. BITAG even wants to establish an industry cybersecurity program that includes a seal for certified “secure” devices. [ BITAG | EnGadget | Internet of Things (IoT) Security Takes Center Stage At FBI, DHS, NIST and Congress | White House and Homeland Security Publish Cybersecurity Guidelines for IoT Devices | NIST unveils Internet of Things cybersecurity guidance | DHS Release Principles For Securing Internet Of Things Amid Expanding Cyber Attack Vectors | Online Trust Alliance Releases Privacy and Security Checklist for IoT Consumers

US – Lyft Seeks Explicit Consumer Data Protection from NHTSA on Autonomous Vehicles

Lyft has released its extended comments on the National Highway Traffic and Safety Administration’s guidelines on autonomous driving. While Lyft agreed with the NHTSA policy in several areas, the ride-hailing company’s primary complaint stems from the agency’s lack of data collection guarantees. Lyft claims the guidelines do not explicitly state the NHTSA is not interested in collecting consumer data, such as names, phone numbers, credit card info and usage data. “Ultimately, Lyft believes that assuring the public that the data the federal government is seeking on such vehicles is limited to maintaining the safety of the vehicle is key to gaining public acceptance. A belief that “big government” will be sifting through PII and collecting consumer ride history will erode public trust and inhibit public acceptance and adoption of this transformational technology,” the company said in its letter to the NHTSA. [TechCrunch]

US – CDT: NHTSA Should Take Lead in Smart Car Privacy, Security Regs

In a post for the Center for Democracy and Technology, CDT Policy Counsel Joseph Jerome discusses what roles agencies should take in creating privacy and cybersecurity regulations in smart cars. The National Highway Traffic Safety Administration should take the lead in regulating autonomous vehicles, he argues. It has sent mixed signals about whether privacy and cybersecurity are safety priorities and has been even less transparent on how it views driver privacy. “NHTSA must address important privacy considerations regarding driver data, such as when and how to de-identify data, enacting data minimization, and setting data retention limits,” Jerome contends. He also said the Federal Trade Commission should play a secondary role, ensuring it monitors any unfair or deceptive business practices with implementation of security measures, while the Federal Communications Commission should establish privacy and security standards in communication technologies used in autonomous cars. [CDT]


WW – Twitter to Crack Down on Third-Party Surveillance

Twitter announced in a blog post that it will “take on expanded enforcement and compliance efforts” to quell third-party surveillance and misuse of data on its site. “The post is likely to reassure Twitter users and civil liberties groups who are concerned about the use of social media as a surveillance tool” in the wake of reports that third parties use Twitter’s stream of real time data to identify protesters and others, then market their surveillance tools to law enforcement and authoritarian regimes. Twitter has already cut off “firehose” access to some of those companies. In response to questions about recent news of the FBI’s use of Dataminr, a Twitter representative said, “A narrowly tailored news alert product is available to some first responders, like the FBI.” [Fortune]

CA – CSIS Admits Reporters May Have Been Under Surveillance in the Past

A senior CSIS official admitted Monday the spy agency may have spied on the communications of Canadian journalists in the past. The admission comes weeks after Quebeckers were shocked to learn Montreal city police and Quebec provincial police had tracked communications of several high-profile columnists and investigative journalists in that province in attempts to find suspected leaks of information by police sources. It runs contrary to assurances offered by Prime Minister Justin Trudeau, Public Safety Minister Ralph Goodale, RCMP Commissioner Bob Paulson, and the country’s top spook, CSIS director Michel Coulombe, that federal agencies do not target journalists’ communications. [The Star]

CA – Govt Surveillance Overshadows Free Speech for Canadian Journalists

Mass surveillance causes reporters to avoid writing or speaking about some topics, according to a recent survey of journalists by Ryerson’s Centre for Free Expression (CFE). The survey, published Nov. 14, was prepared by Turk. A total of 129 Canadian writers and journalists volunteered to complete the survey between May 27 and June 20. Over 80% of respondents reported they were concerned about government surveillance of their communications and more than 90 per cent said they were concerned with government collection and analysis of metadata. The Eyeopener Read the survey: Chilling Free Expression in Canada: Canadian Writers’ and Journalists’ Views on Mass Surveillance | Canadian journalists push for ‘shield law’ to protect sources | ‘We were a bit naive’ about police surveillance, journalist panel says | Canadian police spied on reporters, raising questions of press freedom | Quebec must uphold freedom of the press | Why spying on the press damages our democracy

US Legislation

US – Privacy Developments

Workplace Privacy

US – Law Prohibits Employers from Forcing Employees to Use Social Media

Illinois employers may be punished for violating state law starting next year if they coerce employees to use their own social media accounts to boost their company’s social media presence. The newly amended Right to Privacy in the Workplace Act makes it illegal for companies to ask or require employees to use personal social media profiles to join their employer’s online accounts. Rulings by the National Labor Relations Board state employers cannot restrict what employees post on their own accounts. “Employers cannot restrain the type of information an employee can post in their own personal online account, according to the NLRB,” Faegre Baker Daniels associate Sylvia B. St. Clair said. “And, as of Jan. 1, 2017, employers cannot request to access an employee’s personal online account or require an employee to authenticate their personal online account pursuant to this act.” [Cook County Record]

US – Privacy Debate Over Employee Wellness Programs Continues

The debate surrounding employee wellness programs and the corresponding privacy trade-off continues. More workplaces are requesting employees’ medical history details for wellness programs, offering cash incentives and insurance premium savings for participating. “Employees are giving up some aspect of their privacy and their personal health information,” Georgetown University Health Policy Institute Assistant Professor Dania Palanker said, adding some workers question “whether their privacy is worth the amount of money that is at stake.” Some health care professionals believe the fears associated with sharing medical information are overblown. “The allegation that somehow you’ve given your health information or your spouse’s health information to your boss and they’re going to use that against you, it’s just to scare people, it’s not real,” said Erisa Industry Committee Senior Vice President of Health Policy James Gelfand. [CNBC]

CA – OPC Commissioner Finds Company’s Disclosure of Employee’s Drug Test Results was Unnecessary

The Office of the Privacy Commissioner of Canada reviewed a complaint of inappropriate disclosure of an individual’s personal information by their employer, an international trucking company. The company disclosed the individual’s drug test results to the worker’s compensation board without his knowledge or consent (the individual had an active claim with the board following a workplace accident); although the drug test results were collected to fulfill the company’s substance abuse policy requirement, disclosure to the board for his claim and return to work process was not necessary to process his claim, and required his consent. [OPC Canada – PIPEDA Case Summary 2016-009 – Trucking Company Inappropriately Disclosed Employee Drug Test Results to WCB]




5-17 November 2016


US – EPIC Sues FBI Over Biometric Database Records

The Electronic Privacy Information Center (EPIC) has filed a lawsuit against the FBI to force the bureau to release all relevant documents about its plan to share a huge amount of biometric information with the Department of Defense. The lawsuit concerns the FBI’s Next Generation Identification system, which comprises fingerprint, iris scan, and facial recognition data, and the bureau has been using it for several years. “With NGI, the FBI will expand the number of uploaded photographs and provide investigators with ‘automated facial recognition search capability.’ The FBI intends to do this by eliminating restrictions on the number of submitted photographs (including photographs that are not accompanied by tenprint fingerprints) and allowing the submission of non-facial photographs (e.g. scars or tattoos),” the EPIC lawsuit says. “The FBI also widely disseminates this NGI data. According to the FBI’s latest NGI fact sheet, 24,510 local, state, tribal, federal and international partners submitted queries to NGI in September 2016.” Privacy advocates, including EPIC, have said that the new database presents serious problems because of the high error rates seen with facial recognition systems. Also, the collection and storage of that data is a significant risk for the people whose information is in the database. [Source]

WW – INTERPOL Calls on Governments to Share Terrorists’ Biometric Data

In an effort to improve global security, INTERPOL’s General Assembly is urging governments around the world to share known terrorists’ biometric data. The move came after the INTERPOL’s General Assembly convened for the 85th ICPO-INTERPOL General Assembly Exhibition in Bali, Indonesia this week. “In a statement, the global police agency said it currently possesses information about 9,000 terrorists, but that only 10 percent of its files feature biometric information, with INTERPOL Secretary General Jürgen Stock calling the lack of such data ‘a weak link’ in the prevention of terrorism.” [FindBiometrics]

WW – Researchers Develop Lip-Reading Tool with 93.4% Accuracy

University of Oxford Computer Science Department researchers have developed a tool called LipNet that can read lips with 93.4 percent accuracy. “Instead of analyzing footage of someone speaking on a word-by-word basis, LipNet goes one step further by taking entire sentences into consideration, using Deep Learning techniques to then backtrack and decipher each word… Running on a smartphone, fed a live feed from a body-worn camera, LipNet could serve as an amazing tool for the hearing impaired. Even if they already know how to lip read, it could help boost their understanding while watching someone speak.” [Gizmodo]

AU – Australia’s New Facial Verification System Goes Live

Australia’s federal police and foreign affairs department are now able to match a person’s facial image against records held by Immigration after the government sent the first phase of its new face verification service live. Last year the federal government handed over $18.5 million to fund the development of a national facial recognition system, proposed by state and federal police ministers and attorneys-general. The face verification service (FVS), which will complement the existing document verification service (DVS), is intended to reduce cross-border criminal activities by letting law enforcement agencies share citizens’ facial images to verify identities and identify unknown individuals. Justice Minister Michael Keenan today said the first phase of the platform – allowing DFAT and the AFP access to images on citizenship applications held by Immigration so they can verify identities – was now live. Other types of images such as visa and passport photos will be added over time, he said, with the government also currently talking to states and territories to bring driver licence images into the FVS. Access will also gradually be expanded to other police and security agencies such as ASIO and Defence. The federal Attorney-General’s Department is the lead agency for the capability and manages access. [IT News]

Big Data

AU – Australia Productivity Commission Calls for Greater Sharing of Datasets amongst Private and Public Sectors

The Australian government’s Productivity Commission issued a draft report on the benefits and costs of increasing the availability and use of public and private sector data (“Big Data”): ◦comments are due by December 12, 2016. A new Data Sharing and Release Act could create a framework for the open release of non-sensitive datasets with few restrictions on their uses; for datasets that should not be publicly released, entities could apply for “trusted user” status, which would then make them eligible to access these restricted datasets. Individuals should have a right to opt-out of a process of data collection, however, this right to cease collection would not prevent the use of data already collected. [Data Availability and Use – Draft Report – Productivity Commission, Australian Government | Overview and Summary]


CA – CSIS: Agency Did Not Deliberately Violate Law When Holding onto Metadata

Canadian Security Intelligence Service Director Michel Coulombe released a statement saying the intelligence agency did not deliberately violate laws when it illegally held metadata on individuals who posed no security threat. The statement came after a federal court ruled CSIS violated the law by holding onto the metadata over a 10-year period. Coulombe said the data was collected legally using warrants, while adding the agency interpreted the CSIS Act in a way allowing it to retain the data. “The federal court has disagreed with this interpretation and we accept their decision. I would like to make it clear that the Service was not knowingly exceeding the scope of the CSIS Act,” Coulombe wrote. In related news, former Ontario Information and Privacy Commissioner Ann Cavoukian said the metadata should have been deleted from CSIS servers, and should not have been collected in the first place. [CBC News] [Spy agency declined to meet Federal Court judges to describe its methods] [Surveillance watchdog says C-22 not likely to be abused]

CA – Court Finds Federal Spy Agency Illegally Retained Metadata Indefinitely

The Canadian Security Intelligence Service applied to the Federal Court for amendments to conditions of draft warrant templates, pursuant to the CSIS Act. The agency retained phone logs and email trails of targets of past investigations, without informing the Court of its intention to do so (at the time it obtained warrants to collect the information) and in violation of its primary mandate (its jurisdiction is restricted to Canadian security threats); information retained must be assessed to determine if it is linked to an identified threat, or can assist with a prosecution, national defense, or international affairs, with all other information being destroyed. [In the Matter of an Application For Warrants Pursuant to the CSIA – Judgment and Reasons – 2016 FC 1105 | Summary]

CA – Quebec Announces Details of Inquiry into Surveillance of Reporters

A judge, a media lawyer and a former police chief …will preside over a 14-month public inquiry into police practices over the past six years, including allegations that calls from politicians led two police forces to spy on reporters. Justice Jacques Chamberland, of the Quebec Court of Appeal, will head the inquiry. A judge since 1993, he is a former Quebec deputy justice minister and deputy attorney general. The two other commissioners are media lawyer Guylaine Bachand and Alexandre Matte, a former Quebec City police chief. The commissioners will hold both closed-door and public hearings and are to publish a report by March 1, 2018. Their mandate will cover police activities beginning in May 2010, when the Supreme Court of Canada spelled out what judges should consider when asked by police to issue a warrant involving the identity of journalists’ sources. Quebec Premier Philippe Couillard announced the inquiry two weeks ago after a public uproar when several surveillance cases came to light. In one case, the SQ obtained six reporters’ phone records after then-Parti Québécois public security minister Stéphane Bergeron asked then-SQ director-general Mario Laprise to look into leaks to the news media about an investigation into union boss Michel Arsenault. In another case, Montreal police obtained a warrant to examine a La Presse reporter’s phone records after Mayor Denis Coderre asked police brass to look into how the reporter had learned Coderre had been given a $444 traffic ticket. [Montreal Gazette] See also: Media surveillance highlights privacy risk to all Canadians | How Montreal police were able to use legal means to track a journalist | How Canada’s Anti-Cyberbullying Law Is Being Used to Spy on Journalists | Quebec to hold public inquiry into police surveillance of journalists | An unprecedented crisis’: Quebec government calls inquiry into spying on journalists by police | Quebec launches commission of inquiry into police spying on journalists

CA – Therrien: Tracking Journalists Highlights Bigger Privacy Issues

In an op-ed, Privacy Commissioner of Canada Daniel Therrien explains why the surveillance requests made against journalists not only affects the media, but the privacy rights of all Canadian citizens. Therrien writes the privacy of all Canadians has been put at risk since the adoption of Bill C-13, making it easier for law enforcement to obtain electronic surveillance records and metadata warrants, possibly revealing sensitive information about Canadian citizens, including political beliefs and sexual orientation. “Recent events also demonstrate the fact that warrants for metadata are not exclusive to individuals suspected of criminal activity. These warrants can involve innocent people believed to have had contact with a suspect under investigation for reasons that may have nothing to do with the commission of a crime,” Therrien wrote. In another op-ed for The Globe and Mail, Yves Boisvert takes a closer look at the privacy battle between the media and law enforcement. [The Globe and Mail]

CA – OIPC NL Orders Eastern Health to Strengthen Security

Following a privacy breach at Eastern Health, Newfoundland and Labrador’s Privacy Commissioner Donovan Molloy issued a report warning the health care organization to shore up its security procedures. Molloy’s report states the incident was “an intentional breach of patient information” when an unknown person illicitly accessed and printed personal health information. The information was obtained from the account of a doctor who failed to log out of patient information software. Molloy told Eastern Health to remind its staff going forward of the importance of logging out. The patient information consisted of patient names, MCP numbers, gender, age, the date they were admitted to the hospital, their attending physician, and the reason for their visit. [CBC News]

CA – OIPC NB Pushes for Mandatory Breach Reporting

New Brunswick’s Privacy Commissioner Anne Bertrand is pushing for stronger legislation to require government departments to report data breaches involving personal information. Bertrand’s request comes as the Liberal government plans to install changes to New Brunswick’s privacy legislation. While health care agencies must alert the commissioner when personal health information is stolen, government departments do not have any requirements to report incidents. Bertrand examined a list of 11 data breaches since 2013, and heard of some of the attacks for the first time. The majority of the incidents involved stolen laptops. “When I see this kind of thing, you almost make a case for an argument that the commissioner’s office be notified, because we can report on that,” Bertrand said. “Reporting on this publicly will encourage concrete actions to be taken.” [CBC News]

CA – OIPC NS Recommends Reforms to the Personal Health Information Act

The OIPC NS has recommended areas of improvement under the Personal Health Information Act. Recommendations to bring PHIA up to date include permitting a substitute decision maker to exercise any right or power conferred on an individual, and setting clear standards for breach identification and notification to affected individuals, health custodians, and the OIPC; provisions should also allow the OIPC to require any relevant record to be produced (regardless of whether the record is subject to the provisions of PHIA), exchange information with extra-provincial commissioners, and receive immunity from privacy-related lawsuits. [OIPC NS – PHIA Review Recommendations]

CA – BC Supreme Court: Production Order for Text Messages Violated Accused’s Charter Rights

The Court considers an application concerning the alleged unconstitutionality of certain provisions of the Criminal Code. The order allowed police to collect more information than a cell phone tracking or number record warrant, and should have required the higher standard of reasonable and probable grounds to believe; there was an expectation of privacy in the messages and billing records, the invasion of privacy was for a long period (4 months), and the content of the messages potentially revealed private “core biographical information” (e.g. personal friends, business interests or communications from counsel). [R. v. Grandison – 2016 BCSC 1712 – In The Supreme Court Of British Columbia]

CA – Quebec Court Orders Court Proceedings to Remain Temporarily Confidential

The Court considered a request for a safeguard order confirming the sealing and non-publication of any defamatory or identifying information about a Plaintiff in relation to his lawsuit against Defendant Google. The Court accepted a Plaintiff’s argument that publicizing court proceedings from his lawsuit against a search engine (stemming from allegedly defamatory and sensitive search results) would invade his privacy rights under the Quebec Charter of Rights and Freedoms; the Court ordered a prohibition on the publication of exhibits and evidence and the redaction of Plaintiff’s name from the court file, but denied his request for a permanent sealing of the file (the trial decision is permitted to be confidential for only 31 days). [AB v. Google, Inc. – 2016 QCCS 4913 – Superior Court of Quebec]

CA – OIPC BC Recommends Improvements to the Govt Use of Mobile Device

The OIPC BC examined the management of mobile devices issued to employees by the B.C. Government, pursuant to the Freedom of Information and Protection of Privacy Act. There was no overarching privacy management program in place, and as a result mobile device usage assessments, reviews or audits were not conducted (there was a lack of capacity, expertise, resources and tools to provide such reviews); the consequences of this meant that there was a lack of personal information inventory (the types of personal information being stored on mobile devices was unknown), unauthorized personal devices were being connected to government servers, and the adoption of security controls and patches was being left to the end-user employee. [OIPC BC – Investigation Report F16-03 – Mobile Device Management in B.C. Government]

CA – OPC Canada Finds Gaps and Weaknesses in Government Agency’s Privacy Management Regime

The Office of the Privacy Commissioner of Canada conducted an audit of the personal information management practices of Employment and Social Development Canada’s Old Age Security Program. The agency did not use accredited or certified IT systems, employee access rights were not always removed on a timely or consistent basis, or limited to the minimum required to perform their duties, audit trails were not proactively reviewed, and electronic files were never deleted; the agency must modify and delete access rights consistently, review audit trails to ensure timely identification of inappropriate access, and implement new retention and disposal schedules. [OPC Canada – Audit of Employment and Social Development Canada’s Old Age Security Program]

CA – OPC Releases Tech Blog Series for Privacy Professionals

The Office of the Privacy Commissioner of Canada announced it has launched a Privacy Tech-Know series of blogs targeted toward privacy professionals looking to increase their technical awareness and knowledge. “The posts will help privacy professionals speak more confidently and accurately about new information technologies and their privacy implications. The series of blog posts planned for the coming months will cover everything from cookie contents to e-voting systems to license plate recognition,” the announcement read. The first entry, titled “Pay me to regain access to your personal information! Ransomware on the rise,” discusses the ransomware problem estimates say affect 1,600 Canadians per day. [priv.gc.ca]


WW – New App from Cloud Insurance Wants Users to ‘Regain Control of Their Digital Footprints’

Sydney-based Cloud Insurance is developing Opt Out, an app that will put data access controls in on the spot, “automates data access permissions” and streamlines users’ ability to “invoke de-identifications rights.” “We need to reassure the public that privacy is not dead,” said Cloud Insurance’s Joanne Cooper. “Privacy is the third and missing leg of a three-legged stool and in the current digital environment we have to make consent, whether you opt in or opt out, central to the topic,” she said. The app ultimately aims to “simplify a complex aspect of the internet by making it easier for internet users to make informed decisions and regain control of their digital footprints.” [The Australian Business Review]

WW – Report: Digital Marketing Affecting Children’s Health, Privacy

The University of Liverpool has teamed up with the World Health Organization and several other organizations to produce a report regarding digital marketing toward children and the ways it affects their health. Digital marketers aim ads toward children for foods high in fats, salt and sugars. Since there are no effective regulations for digital media in many areas in Europe, children are exposed to ads through social media sites and online games. “Children have the right to participate in digital media; and, when they are participating, they have the right to protection of their health and privacy and to not be economically exploited,” said the University of Liverpool’s Dr. Emma Boyland. [EurekAlert]


WW – Study: Governments Pose a Bigger Threat to Privacy than Companies

A study from the Montreal Economic Institute states governments are a bigger threat to privacy than companies. MEI economist Mathieu Bédard said companies gather information through mutual consent, while governments rarely ask individuals before collecting data. The study states it is more profitable for companies to retain information rather than selling it, while governments do not give citizens a choice when gathering information. For example, journalists discovered the RCMP decrypted 1 million private messages from BlackBerrys alone, while the number of intercepted communications by the government rose by 26 percent in 2015. “All of these revelations shatter the widespread prejudice by which companies are less respectful of privacy than governments are.” [Montreal Gazette] [MEI] [Media release: How far does secret government surveillance go?]


EU – European Commission Probes US on Yahoo Email Scanning Allegations

The European Commission has asked the U.S. about allegations of Yahoo scanning thousands of customer emails for law enforcement purposes. The European Commission is concerned the email scanning may be in violation of the Privacy Shield agreement. The commission is asking the U.S. for clarification on the allegations, while asking the U.S. to explain how the email scanning fits with its commitments to the agreement, even if the orders came before Privacy Shield was put in place. “The U.S. will be held accountable to these commitments both through review mechanisms and through redress possibilities, including the newly established ombudsperson mechanism in the U.S. State Department,” European Commission spokesman said. [Reuters]


WW – Encrypted Email Sign-Ups Rise After US Election

Sign-ups for Swiss-based encrypted email service provider ProtonMail are on the rise since last week’s U.S. presidential election. ProtonMail CEO Andy Yen wrote, “the number of new users coming to ProtonMail has doubled compared to the previous week. Telegram, which provides end-to-end encrypted messaging, has also seen a spike in new users since last week. “We did notice more users than usual signing up for Telegram globally,” said Telegram co-founder Pavel Durov. Yen said the rise in new users worried about the incoming administration “really demonstrates that privacy isn’t just a liberal or conservative issue, it is something that we all need to champion, regardless of our political leanings.” He also noted this paradigm shift “could be a potent trigger to accelerate the development of Europe’s tech sector and decrease … dependence on the U.S.” [TechCrunch]

WW – WhatsApp Adds Encrypted Video Calling Amid Unsure Privacy Climate

WhatsApp is adding fully encrypted video calling to its messaging platform. The new feature comes as privacy advocates are concerned about enhanced government surveillance efforts under President-elect Donald Trump’s administration and news that Facebook’s revised privacy policy would access WhatsApp user data. WhatsApp co-founder Jan Koum said the video call feature will be rolled out to 180 countries after it is introduced at an event in India. Koum also said the company will remain committed to security after Trump’s victory. While a Trump administration may require companies such as WhatsApp to redesign their policies to better assist law enforcement investigations, Koum does not feel WhatsApp will be threatened, as many diplomats and officials use the app around the world. “It would be like them shooting themselves in the foot,” Koum said. [Reuters]

EU Developments

EU – French Advisory Commission Objects to Biometric Database

France’s independent advisory commission, CNNum, is calling for the suspension of the biometric database designed to hold the information of the country’s citizens. The group said the biometric database would be a “target of inestimable value” in a time where every system is vulnerable. CNNum also stated the database is a sign democracy is on the wane in both Europe and the U.S. The French Socialists objected to an earlier database proposal submitted by the center-right government in 2012. The Socialist government was able to pass the new database by government decree during a holiday weekend, without France’s National Assembly agreeing to the new proposal. [BBC News]

EU – Ireland’s DOJ Releases Consultation Paper on ‘Digital Age of Consent’

The Department of Justice published a consultation paper on the digital age of consent for online services offered to children. The paper states the rates of children using online services is high, but younger children may be vulnerable to online risks, such as abuse or cyberbullying. “When their physical or emotional safety and welfare is at stake, the need for adequate safeguards for children is beyond question. Parents and guardians have an essential role to play in this context and the best interests of the child remains the paramount guiding principle,” the paper states. The target age for the restrictions is 16, but member states can set it to as low as 13 years of age. Minister for Justice Frances Fitzgerald plans to bring a proposal on the topic to the cabinet later this year, ahead of the General Data Protection Regulation. [The Irish Times]

UK – ICO: Facebook Agrees to Suspend Use of WhatsApp User Data

The U.K. Information Commissioner’s Office announced Facebook has agreed to suspend its use of WhatsApp data collected from users in the U.K.. “We’re pleased that they’ve agreed to pause using data from U.K. WhatsApp users for advertisements or product improvement purposes,” U.K. Information Commissioner Elizabeth Denham said in a statement. “If Facebook starts using the data without valid consent, they may face enforcement action from my office.” The ICO said consumers were not properly protected from the data sharing and asked the two companies to sign a plan to better explain the data sharing agreement to users. A Facebook spokeswoman said the company will work with the ICO to continue addressing any concerns. [Reuters]

Facts & Stats

WW – Study: Cost of Breach Rises to $7M

IBM-sponsored research by the Ponemon Institute has found that the overall cost of a U.S. company’s data breach has risen seven percent to total an average of $7.01 million. “On average, a single breach involved nearly 30,000 records, in a range of 5,125 to 101,520.” The study examined 64 companies and the majority of the breaches studied occurred in 2015. “The study did not include breaches involving more than 100,000 records because ‘they are not indicative of data breaches incurred by most organizations’ and would have artificially skewed the results.’” The research also examined how these numbers compare globally, finding that the cost of a breach was highest in the U.S., with Germany coming in second at $5.01 million. [Yahoo News]


CA – IPC ON Orders Municipality to Release CCTV Footage of Fatal Collision

This IPC ON Order reviews the decision by the City of Ottawa to deny CCTV footage requested under Ontario’s Municipal Freedom of Information and Protection of Privacy Act. The IPC agreed that unblurred footage could reveal an individual’s PI (e.g. personal characteristics, their presence at the accident, their conduct and location); however, the blurred footage does not contain personal information, and police unsuccessfully argued that disclosure of the footage would interfere with an ongoing law enforcement investigation (a federal agency had concluded its investigation, and the police were not conducting a collateral investigation themselves). [IPC ON – Order MO-3358 – City of Ottawa]

Health / Medical

AU – Health Organisations in Australia Must Establish Protocols for the Use of Smartphone Cameras

An overview of the use of smartphone cameras in the Australian healthcare sector, pursuant to the Australian Privacy Principles of the Privacy Act 1988. A photograph can only be taken by a health practitioner with the voluntary, informed consent of the patient, and can be used and disclosed as part of providing clinical care and treatment to a patient; organisations should use systems that will prevent images being automatically uploaded to dia or back-up sites, ensure practitioners delete clinical images from their personal mobile device once saved onto a patient’s health record, and provide mandatory training to all administrative staff. [Smartphone Cameras in Health Practice – Beware the Privacy Issues – Joanne Hayes, Senior Associate and Marie Feltham, Special Counsel, DibbsBarker]

Horror Stories

WW – 412M Friend Finder Network Accounts Breached

A data breach of Friend Finder Network has exposed more than 412 million accounts spanning 20 years. 339 million of the breached accounts come from AdultFriendFinder.com, more than 15 million “deleted” accounts not wiped from the company’s network, and 7 million accounts from Penthouse.com, which FFN sold to Penthouse Global Media in February 2016. The culprit hasn’t been identified, and Revolver “instead blamed users of an underground Russian hacking site” for the breach. [ZDNet] [Computerworld: Biggest hack of 2016: 412 million FriendFinder Networks accounts exposed | ZDnet: AdultFriendFinder network hack exposes e412 million accounts]

US – Car Dealership Data Exposed, Compromising Millions

The personal information of millions of people who recently purchased automobiles at over a hundred car dealerships across the country was discovered online. The information was held on a centralized record system built and operated by DealerBuilt. Security researchers at MacKeeper found 128 dealerships backed up their information on DealerBuilt’s central systems with no encryption or security protocols in place. Names, addresses, phone numbers and Social Security numbers, of both customers and employees, were among the data exposed online. The number of compromised records is currently unknown, but estimates put the number as high as five million. “This massive leak is just another painful lesson of what happens when private and sensitive data is stored without encryption or modern data security practices,” MacKeeper researchers wrote in a blog post. [ZDNet]

US – Job Recruitment Database Leaks Data on Millions

Millions of individuals who used global recruiting firm Michael Page had their personal information compromised when it was discovered a database had been left on the open internet. Capgemini, an outsourcing company, ran the exposed database, containing sensitive information such as the names, contact information, resumes and other personal data of numerous people who signed up with Michael Page. Security researcher and owner of Have I Been Pwned? Troy Hunt was made aware of the breach by a hacker who took a screenshot of a sample of the information. “Just the U.K. file was 780,000 people, and when you look at the list of how many countries are in there, and how big the U.K. is compared to everything else, you would assume that it’s lots of millions, if not more than 10 million,” Hunt said. [Motherboard]

Identity Issues

WW – Are Mobile Numbers the ‘Digital Equivalent’ to Social Security Numbers?

Cellphone numbers are increasingly becoming “key codes” to users’ information, and some analysts say that it is in many ways akin to a Social Security number. “The point is the cellphone number can be a gateway to all sorts of other information,” said the Federal Trade Commission’s Robert Schoshinski. “People should think about it.” The advent of the cellphone number also echoes that of the Social Security number, which “was never meant as a general-purpose identification number… But the strongest identifier and conduit to useful information is the cellphone number, which acts like ‘the digital equivalent of the Social Security number,’ said Affirm’s Max Levchin. Where the two differ is their ability to protect against fraud. “What you can do with the cellphone number and mobile technology represents a pretty substantial advantage in the ongoing war against fraud and identity theft,” said venture investor Rajeev Date. [New York Times]

EU – Web of Trust Add-On Sold User Data Without Proper Anonymization

German broadcaster NDR discovered the firm behind the Web of Trust add-on sold user data without ensuring it was properly anonymized. WoT rates websites’ safety by using information provided by users. The add-on collects data through searched terms, sites users visit, and shared documents. NDR received information WoT sold to one firm, and found personal data including email addresses and phone numbers, making it easy to tie the information to browsing histories and other personal details. WoT said the breakdown was “unacceptable,” and will reform its data handling policies to win back the trust of its users. [BBC News]

EU – Spanish DPA Issued Best Practices for De-Identification of Personal and Confidential Data

the Agencia Española de Protección de Datos has issued guidance on anonymising personal data. The initial stage of the anonymisation process should identify data to be de-identified, determine retention periods, and conduct a pilot project to assess costs and any re-identification risks; anonymisation policies should include risk management objectives, team responsibilities, identification and classification of variables (i.e., what is sensitive and what can be eliminated), terms of access to anonymised data, and control measures. [DPA Spain – Guidelines on Anonymisation of Personal Data]

EU – EMA Issues Guidance on Anonymization in Clinical Trials

The European Medicines Agency (EMA) issued guidance on the implementation of its Policy 0070 on the publication of clinical data for medicines, including with respect to anonymization of clinical reports for publication. Balancing subject privacy and transparency presents drug manufacturers with a difficult task—how to increase transparency of clinical studies while also attenuating the risk of subject reidentification. In its guidance, the EMA discusses three approaches to anonymization of clinical reports:

  • Masking – Described as the simplest method, masking is accomplished with a redaction tool that scrubs specified information.
  • Randomization – Randomization changes the data so it is less identifiable to an individual.
  • Generalization – This method dilutes the “attributes of the data.” For example an individual’s name could be substituted with an age range.

These anonymization techniques can be used separately or in combination. These techniques are consistent with the Article 29 Working Party’s Opinion 05/2014 (WP216) on Anonymisation Techniques. [Data Protection Report]

Internet / WWW

WW – Forrester’s Privacy Heat Map Highlights EU’s Impact on Regulations

Market research company Forrester has updated its data privacy heat map to highlight data protection guidelines and practices in 54 countries. The 2016 update looked back at the past five years of assessments and noted three high-level trends. The three trends included countries such as Nigeria, Argentina and Japan looking toward Europe as the standard for data protection, the General Data Protection Regulation affecting legislation both inside and outside the EU, and efforts to strengthen surveillance that undermines data protection laws. “In a world where privacy has become a competitive differentiator for multinational organizations, businesses must increasingly work with their general counsels and chief privacy officers to understand global data privacy requirements, implementing controls that protect personal data accordingly,” Sherman writes. [Forbes]

WW – Study Ranks Android Apps by Tracker Use

An Opera study of 60 companies in 10 countries has ranked Android apps by their use of data trackers. It found that Bukalapak and OLX “were the worst in terms of how many tracker requests they sent to users’ smartphones.” “Sharing data like bank account information through unsecured Wi-Fi networks can increase the risks of hacking and cybercrime,” said app Opera Max’s Sergey Lossev in the study. “A lot of users give up information without their realization; like when they shop online through their mobile phones.” The report added that “both companies say using trackers in applications is common practice in Indonesia and elsewhere.” [Business Standard]

Law Enforcement

US – FBI Can Access Most of the Encrypted Devices it Faces During an Investigation

During a public meeting in Washington on Nov. 11, FBI General Counsel Jim Baker said that the agency is able to access most of the locked computers or mobile phones during investigations. Analyzing data from the 2016 fiscal year disclosed by Baker, Motherboard calculates that the FBI can crack 87 percent of devices it interacts with. “The fed’s argument is that unbreakable encryption is stumping criminal investigations, making them harder, if not impossible, to sometimes access important evidence on a suspect or a victim’s phone or computer… The numbers disclosed by Baker on Friday, which have never been published before, seem to indicate that the reality, however, is a little different.” The FBI has yet to confirm or deny the accuracy of Motherboard’s calculations. [Motherboard] [Cops Have Given The FBI 6,814 iPhones They Couldn’t Access In 2016]

CA – Top-Secret RCMP Files Show Digital Roadblocks Thwarting Criminal Investigations in Canada

The RCMP has provided unprecedented access to the Toronto Star and the CBC in an effort to make its case that antiquated laws and diminished police powers in the digital age are allowing suspected terrorists, drug gangs and child abusers to operate beyond the law. Journalists from the two media outlets have reviewed the details of 10 high-priority cases after clearing RCMP security checks for access to “top-secret” information. In each case, investigators were stonewalled by legal and technical obstacles in accessing digital evidence, the Mounties say. Most of the suspects remain at large. These cases stand at the centre of an emerging national debate. Police argue they are on the losing side of a digital divide, while on the other side are tech-savvy criminals who are shielded by impenetrable encryption, telecommunication companies and technology manufacturers. Privacy advocates argue that police have never before had such powers of surveillance and that they have failed to provide evidence that the public’s safety is in jeopardy. The audience is Canadians who are alarmed to learn that some criminals are increasingly beyond the reach of the law. They are equally alarmed by the recent Federal Court ruling that denounced the national spy agency, CSIS, for illegally gathering the private information of Canadians, and by news that Quebec police forces intercepted and tracked the cellphones of as many as 10 journalists to discover their sources. [Toronto Star] See also: Secret Bans, Secret Trials: The Canadian ‘No-Fly’ Lists  | Bill C-51: Less Free Speech, Undermines De-radicalization | The ‘New’ CSIS Brings Secret Police to Canada | Curbs Needed on Sweeping Powers to Spy on Canadians | The RCMP Is Using the Media to ‘Create Moral Panic’ About Encryption | Top Mountie lobbying PM for greater digital surveillance powers | RCMP boss Bob Paulson says force needs warrantless access to ISP user data

Online Privacy

WW – Facebook to Stop Ads from Targeting Users Based on Race, Ethnicity

Facebook has announced it will prohibit advertisers from targeting or excluding users based on race and ethnicity. “We are going to turn off, actually prohibit, the use of ethnic affinity marketing for ads that we identify as offering housing, employment and credit,” said Facebook VP of U.S. Public Policy Erin Egan. She also said advertisers must affirm they will not use discriminatory ads on the site. Facebook will offer educational materials to help advertisers become familiar with their new obligations. The changes come shortly after Facebook met with New York Attorney General Eric Schneiderman, Rep. Robin Kelly, D-Ill., the Congressional Black Caucus, Rep. Linda Sanchez, D-Calif., and the Congressional Hispanic Caucus. Egan said the company recently had a “constructive dialogue” with other advocacy groups as well, including the American Civil Liberties Union and Center for Democracy & Technology. “In light of these concerns that have been raised, we are taking this step,” she added. [USA Today]

WW – Google Cracking Down on Websites’ End-Runs Around Security

Google is paying attention when websites take the easy way out of complying with its Safe Browsing terms. If a site is deemed unsecure, users will see warnings in most browsers. Webmasters can ask to have the warnings removed once they have brought their sites into compliance. Google was finding that some sites make changes to get the warnings removed, but quickly revert to unsecure practices. Google’s Safe Browsing rules now include a “repeat offender” category. “Repeat Offenders are websites that repeatedly switch between compliant and policy-violating behavior for the purpose of having a successful review and having warnings removed.” Webmasters of sites identified as repeat offenders must now wait 30 days before requesting a review. Computerworld: Google punished web backsliders in Chrome

Other Jurisdictions

HK – HK Privacy Commissioner Signs Privacy Research Declaration

At the Barun ICT Research Conference 2016 & Asia Privacy Bridge Forum in Seoul, South Korea on Nov. 2, the Hong Kong Office of the Privacy Commissioner for Personal Data, the Korea Internet & Security Agency, Barun ICT Research Center, and others from the Asia-Pacific privacy community signed the Asia Privacy Bridge Forum Joint Declaration 2016, the PCPD announced in a press release. The declaration aims “to strengthen privacy research and education as well as policy cooperation in [the] Asian region.” The declaration “reflects the recognition of our commitment to balancing the free flow of information and personal data privacy protection from our international counterparts,” said Hong Kong Privacy Commissioner for Personal Data Stephen Kai-yi Wong. “I shall be very glad to share our experience in law enforcement as well as promotion and education on data protection in Hong Kong, and explore common interests in joint research topics and policy cooperation initiatives.” [PCPD.org]

Privacy (US)

US – FTC Announces Changing Consumer Demographics Workshop

On Dec. 6, the FTC will host a workshop in Washington examining the changes in consumer demographics, the agency announced in a statement. “According to the U.S. Census Bureau, the population is getting older and more racially and ethnically diverse… Understanding our changing communities will be necessary as the FTC continues its efforts to combat unfair and deceptive practices affecting all consumers.” The workshop will tackle questions of what “the consumers of the future” will look like and how tactics to reach them and protect them from fraud will change. Pre-registration is not required and the event is free and open to the public. Those interested in sharing research should reach out to the workshop team, the report adds. [FTC.org]

US – Court: Incorrectly Identifying Individual as Terrorist in Consumer Report Constitutes Concrete Harm

The Court considered Trans Union, LLC’s request for de-certification of two alleged violations under a class law suit for alleged violations under the Fair Credit Reporting Act. A consumer reporting agency wrongly described an individual as a terrorist, ascribing to him a criminal record that he did not have, and failing to provide him with access to his file; there is core harm in sharing erroneous and damning information about an individual, even if only narrowly disseminated (the report was only shared with a prospective landlord). Preventing a customer from monitoring their file presents of risk of real harm, which can satisfy the requirement of concreteness. [Patel v. Trans Union LLC – Case No. 14-cv-00522-LB – United States District Court Northern District of California]

US – Adobe Settles with States for 2013 Data Breach

Adobe has reached a settlement with the states that sued the company following its 2013 data breach. Adobe will pay $1 million dollars, to be divided evenly between the 15 states, while also enacting stronger security protocols. The states sued Adobe after the breach, claiming it did not take “reasonable security measures” to properly protect the data. “Consumers should have a reasonable expectation that their personal and financial information is properly safeguarded from unauthorized access,” said Connecticut Attorney General George Jepsen, who also praised Adobe for cooperating with the states while the settlement was reached. “Companies have a responsibility to consumers to protect their personal information, and this settlement will ensure Adobe establishes stronger safeguards in the future,” said Illinois Attorney General Lisa Madigan. [ConsumerAffairs]


US – Indiana County Government Will Pay to Remove Ransomware

After ransomware hit the IT systems of Madison County, Indiana government, the county commissioners voted unanimously to pay the ransom. The attack shut down county services for days. The county’s insurance company, Travelers, is covering the cost of the ransom, less a deductible. In a separate story, the Lansing (Michigan) Board of Water & Light acknowledged that it paid $25,000 to regain control of its accounting and email systems earlier this year. [Arstechnica: | Networkworld ]

Smart Cars / IoT

US – Court: Collection of Data from Logging Devices in Commercial Vehicles is Lawful

The Owner-Operator Independent Drivers Association Inc. et alia. argue that the US Department of Transportation Rule requiring installation of electronic logging devices in interstate commercial motor vehicles is contrary to the law. Data collected from the devices (installed in all vehicles required to maintain hours of service records) is intentionally limited in scope – exact vehicle locations are not collected, and recordings are only done when the vehicle is turned on, when the duty status changes, and once per hour while driving; drivers and motor carriers are responsible for maintenance and storage of the data (not the Dept. of Transportation), and personal information is redacted before release of the data (e.g. for civil litigation). [Owner-Operator Independent Drivers Association Inc. et al. v. US Dept. of Transportation et al. – Petition – US Court of Appeals for the 7th Circuit]

US – White House and DHS Publish Cybersecurity Guidelines for IoT Devices

Two independent IoT (Internet of Things) cybersecurity publications were released by the White House and the Department of Homeland Security, covering guidelines and principles for creating IoT devices with in-built security measures, as well as recommended protocols for implementing such measures. The Obama administration ‘rushed’ the NIST publication a month ahead of the planned release, primarily due to the escalated urgency surrounding cybersecurity for IoT devices following last month’s major Distributed Denial of Service attack that disabled parts of the United States’ internet infrastructure. Both publications are aimed at guiding for cybersecurity measures at the design and manufacture stage rather than at the user level. And that brings along with it the cost factor, the biggest question being: can device manufacturers be incentivized enough to make it worth their while to spend time, money and effort on incorporating security hardware and software on their devices? The guidelines themselves target the fundamentals and system lifecycle processes for device manufacture, and provide guidelines for incorporating security protocols as part of the product lifecycle itself. The Homeland Security publication goes a step further and addresses the issues from an industrial consumer standpoint. The purpose of these publications is to initiate a high-level awareness and evoke a sense of urgency in implementing the guidelines and principles outlined in them. As of now, the FCC has said it is not likely to enact any mandatory standards for IoT cybersecurity, but with IoT now permeating through critical industrial areas such as power production, medical technology and transportation infrastructure, the longer things stand the way they are, the greater the risk of such systems being compromised. [Source] NIST unveils Internet of Things cybersecurity guidance | DHS Release Principles For Securing Internet Of Things Amid Expanding Cyber Attack Vectors


WW – Pre-installed Phone Software Transmitted User Information to China

Security firm Kryptowire discovered certain Android phones had pre-installed software that sends user data to China every 72 hours. Shanghai Adups Technology Company wrote the software and said it is on more than 700 million phones, cars and other smart devices. The software transmitted users’ text messages, contact lists, call logs, location information, and other data to a Chinese server. While Adups intentionally designed the software to monitor user behavior, it was never meant to make its way to the U.S. American phone manufacturer BLU Products said 120,000 of its devices had the software, and has offered updates to remove the feature. BLU’s Chief Executive Samuel Ohev-Zion said Adups told him all the information collected from his customers has been destroyed. [The New York Times] [Budget US Android smartphones found secretly sending personal data to China | Android Phone Maker Ignored Researchers’ Warnings That Their Phones Had Backdoor]

WW – Is Social Media the ‘New Front in Warfare’?

Motherboard has published two reports on how governments are increasingly viewing social media as “a new front in warfare” and tool for the military. A global conference in London with senior military and intelligence personnel reveals social media can be an intelligence source on civilian populations and enemies and a channel for propaganda to influence public opinion. A separate Motherboard article reports on how spies use social media — Tinder, for example — to infiltrate activist groups. Though infiltrating activist groups is nothing new, the crop of personal information found on social media can be used to manipulate and socially engineer intelligence targets. [Full Story]

US – Art Installation Explores Surveillance

Student photographer at SUNY New Paltz Connor Henderson displayed the photos of students taken without their consent for an installation exploring surveillance and privacy. “We all had to create installations involving the ideas of ‘public v.s. private’ and ‘surveillance,’ so the project itself was for a class, [but] the idea for the project and the concept behind it came from me,” Henderson said. He added that he conspicuously took “hundreds of photos” of campus-dwellers walking through the school’s academic quad, but “not one person asked me what I was doing,” he said. “I feel like most people just don’t really realize how much surveillance we have in our society,” he continued. “We really are always being watched.” [The New Paltz Oracle]

US Government Programs

US – Federal Executive Branch Agencies Must Notify Congress of Major Incidents

The US Office of Management and Budget (OMB) released its 2017 FISMA Guidance to government agencies. The newest version of the document defines a major cyber incident as “any incident that is likely to result in demonstrable harm to the security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.” Major cyber incidents must be reported to Congress. The guidance defines any breach that exposes records of more than 100,000 to be a Major Breach, even if the other requirements are not met. The guidance also requires use of the NCCIC Cyber Incident Scoring System, which is new. [Federal News Radio: OMB tries again to define a major cyber incident | FCW: White House tweaks incident reporting in FISMA memo | Whitehouse.gov: OMB Memo: Fiscal Year 2016-2017 Guidance on Federal Information Security and Privacy Management Requirements

US Legislation

US – Legislative Roundup




28 Oct – 04 Nov 2016


US – Judge Rejects Facebook’s Constitution Argument in Biometrics Case

U.S. District Judge James Donato presided over a hearing on a motion to dismiss the Facebook biometrics case. Facebook is currently facing three lawsuits claiming it violated the Illinois Biometric Information Privacy Act and another class action in California. The social network’s attorney Lauren Goldman has argued the Supreme Court’s recent Spokeo decision declared plaintiffs cannot sue unless they demonstrate concrete injury, as shown in Article III of the Constitution. Donato rejected Goldman’s argument, but pressed class attorney Rafey Balabanian to describe what kind of privacy injury came from Facebook’s biometric data collection. The judge said if he does decide for Facebook’s motion to dismiss the lawsuits, he will likely remand two of them back to the state jurisdictions in which they started. [Courthouse News Service] See also: A California court has held that a violation of the California Invasion of Privacy Act is, in itself, a concrete and particularized harm.

Big Data

US – Colleges Paying 50¢ per Student to Gain PI for Admissions Decisions

Just as companies pay for consumer data to make informed decisions, it turns out, colleges and universities do the same, according to a report by non-partisan think tank New America. The report, called “The Promise and Peril of Predictive Analytics in Higher Education,” detailed the ways in which colleges pay for student data. For less than 50 cents a name, colleges glean student data from third-party groups. The College Board, which administers the SAT, the ACT, and the National Research Center for College and University Admissions (NRCCUA) all collect student information that schools pay for. All three are non-profits. The students’ demographic information is then used for “predictive analytics,” a little-known x-factor that colleges often use for enrollment management. The process pulls a multitude of data points into a model that predicts the probability a particular student will apply to a school, choose to attend after they’ve been accepted, or perform well once enrolled. The third-parties also have their own predictive models that colleges can pay for, which can include around 300 different data points on students. The report also explained how colleges rank students based on this data. Admissions teams individually score students’ likelihood of becoming an applicant, being admitted, and deciding to enroll, usually on a scale of 0-10 based on factors like: race and ethnicity, zip code, high school, and anticipated major, according to the authors. Predictive analytics raises questions about discrimination. [Business Insider]


CA – BC Supreme Court Compels Newspaper to Disclose Information Related to Professional Association Investigation

The BC Supreme Court considered a motion to quash production orders issued by the Law Society to a journalist and his employer newspaper in relation to an internal investigation. The Legal Profession Act, which includes subpoena powers, applies to non-lawyers, and the production order issued by a law society to the newspaper and journalist for purposes of investigating a member’s conduct was reasonable; the order was not seeking the petitioner’s PI or proprietary corporation information, the petitioners’ article placed the information in the public domain, and the regulation of professions is a compelling objective. [Mulgrew v. The Law Society of British Columbia – 2016 BCSC 1279 – In The Supreme Court of British Columbia]

CA – Professional Regulatory Bodies in Saskatchewan Should Consider De-Identification of Published Disciplinary Decisions

The Office of the Information and Privacy Commissioner in Saskatchewan has issued guidance on publication of disciplinary decisions by professional regulatory bodies. Decisions published on websites of regulatory bodies may contain sensitive personal information or personal health information (wrongdoings, opinions about members, physical or mental health information); staff should consider de-identification of names and other identifiable information (especially of witnesses, complainants, affected individuals), and determine that documents only contain personal information that the regulatory body has the authority to disclose. [OIPC SK – Guidance for Professional Regulatory Bodies – Transparency of Discipline of Members]

CA – OIPC SK: Administrative Tribunals to Redact PI When Posting Decisions

The OIPC SK has examined administrative tribunals’ decisions that are published on the internet. Tribunal decision can involve sensitive issues such as alleged wrongdoings and traumatizing incidents. Key advice for tribunals:

  • determine whether including all PI is necessary when posting a decision
  • ensure staff know about what can and cannot be done with PI
  • notify citizens that some PI may be published online (prior to commencement of the proceedings)
  • If publishing a decision online, consider de-identifying or removing PI or writing the decision in such as way that the parties are de-identified and the least amount of PI is disclosed.

[OIPC SK – Decisions of Administrative Tribunals – How Much Is Too Much? ]

CA – OIPC NS Recommends Reforms to the Personal Health Information Act

The Office of the Information and Privacy Commissioner recommends areas of improvement under the Personal Health Information Act. Recommendations to bring PHIA up to date include permitting a substitute decision maker to exercise any right or power conferred on an individual, and setting clear standards for breach identification and notification to affected individuals, health custodians, and the OIPC; provisions should also allow the OIPC to require any relevant record to be produced (regardless of whether the record is subject to the provisions of PHIA), exchange information with extra-provincial commissioners, and receive immunity from privacy-related lawsuits. [OIPC NS – PHIA Review Recommendations]

CA – OPCC: Political Parties Need Rules for Collecting Canadians Data

Canada’s privacy watchdog said no rules for political parties collecting Canadians’ data a “gap” that needs fixing. Parliament needs to address political parties’ ability to operate outside the Canada’s privacy safeguards, the federal privacy watchdog says. Currently there are no rules governing how political parties collect and use sensitive personal information about Canadians, such as political beliefs, family composition, and financial information. Privacy Commissioner Daniel Therrien has argued for the need for oversight into parties’ data activities. But Therrien isn’t arguing just for oversight — he wants some basic rules. The Star reported that a House of Commons committee is considering looking into how political parties use data harvested from millions of door-to-door interactions, fundraising drives, and other interactions with citizens. Very little is known about the extent of parties’ data operations. All three major parties — Liberals, Conservatives and the NDP — have either recently overhauled their database programs or are in the process of doing so. But all of these data operations are running with, at most, voluntary privacy policies and practices with no independent oversight or governing rules. Therrien said that the kind of information collected by parties is among the most sensitive information Canadians hold. It’s not only internal misuse that’s a danger, the privacy commissioner said. Successive privacy commissioners have done everything they could to move the issue forward, Therrien said, and it remains up to parliamentarians to “actually do something about it.” [The Star]


WW – FOC Releases Cybersecurity Guidelines Protecting Human Rights

The Freedom Online Coalition has released new policy recommendations for human rights-based cybersecurity strategies. The recommendations are targeted toward policy makers and others in the cybersecurity industry, covering issues such as user security online and offline, responding to cyber threats, encryption, and anonymity. “These recommendations are a first step towards ensuring that cybersecurity policies and practices are based upon and fully consistent with human rights — effectively, that cybersecurity policies and practices are rights-respecting by design,” reads the guideline’s preamble. The recommendations received the support of all 30 FOC government member states. The U.S. and Canadian governments and industry representatives such as Mozilla have also backed the guidelines. [APC]


US – NIST Issues Draft eMail Security Guidance

The US National Institute of Standards and Security’s (NIST) National Cybersecurity Center of Excellence (NCCoE) has released daft guidance on email security. The document describes several technologies that, if adopted, could increase the security of email communications. Comments will be accepted through December 19, 2016. [Uncle Sam emits DMS email security guide – now speak your brains] [DNS-Based Secured Email] See also: [Why do people still use email — or at least not secure it?]

EU Developments

EU – Article 29 WP Offers Tentative Support for EU-US Umbrella Agreement

The Article 29 Working Party, in a “revealing statement,” offered signs of support for the EU-U.S. Umbrella Agreement, while also delivering recommendations to ensure the act complies with EU law. The WP29 supports the initiative in creating a general data protection framework to bolster trans-Atlantic cooperation and in protecting and sharing data for law enforcement investigations. While the WP29 said the Umbrella Agreement “considerably strengthens the safeguards in existing law enforcement bilateral treaties with the U.S., some of which were concluded before the development of the EU data protection framework,” the group added clarification may be needed for the agreement to be consistent with EU law, specifically since personal data and data processing have different definitions in EU and U.S law, and restrictions on individuals’ rights to access their data are broad. [Hogan Lovells’ Chronicle of Data Protection]

EU-U.S. Umbrella Agreement Gets ‘Amber Light’ from Article 29 Working Party

The Article 29 Working Party has issued a revealing statement about the so-called EU-U.S. Umbrella Agreement, which is aimed at creating a high-level data protection framework in the context of transatlantic cooperation on criminal law enforcement. While broadly supportive, the Working Party intends to monitor whether the Umbrella Agreement fully satisfies key data protection requirements and whether it is in compliance with Article 7 and Article 8 of the Charter of Fundamental Rights of the European Union. It also recommends requesting further assurances from the US government explaining and confirming the scope of redress rights granted to data subjects in the EU through the Judicial Redress Act, how records from US law enforcement agencies are exempted from the application of the Privacy Act, and the compatibility of these practices with the Umbrella Agreement. The Working Party adds that clarification may be needed to ensure that the level of protection of personal data afforded by the Umbrella Agreement is fully consistent with EU law, particularly given that:

  • The concepts of “personal data” and “data processing” are differently defined by US and EU law.
  • The data retention period is insufficiently strictly defined in relation to the purpose pursued.
  • The restrictions on individuals’ access rights are very broad.
  • Access could be improved by the establishment of an indirect access right mechanism.

Once the Agreement is approved by the European Parliament, the Working Party intends to continue to monitor its implementation and oversight measures to ensure that the rights afforded are effective. As part of this exercise, the Working Party undertakes to follow future developments in legislation and in the courts in the U.S. and the EU. This statement by the Working Party follows its recent announcement that it had created a working group for enforcement actions on organisations targeting several member states, which is yet another sign of the growing international ambitions of the EU data protection authorities. [Source]

EU – Personal Information Management Systems Can Support Data Protection Principles: EDPSR

The European Data Protection Supervisor has explored the concept of technologies and ecosystems that empower individuals to control the sharing of their personal data that are known as personal information management systems (“PIMS”). PIMS are technologies and ecosystems that use local or cloud-based storage to empower individuals to control the sharing of their personal data, using security and data protection as the main drivers (e.g. cryptography, data minimisation and anonymisation); PIMS use consent management and automated mechanisms to achieve the objective of allowing users to define at a granular level how their PI should be used and for what purposes, and enable then to track the way the PI is used. European Data Protection Supervisor – Opinion 9/2016 on Personal Information Management Systems | Press Release]

UK – ICO UK Issues Code of Practice on Privacy Notices

The UK Information Commissioner’s Office has issued key recommendations to develop a clear and effective privacy notice, including:

The GDPR’s rules on notice are more detailed and specific than in the Data Protection Act (e.g. information must be concise, transparent, intelligible and easily accessible, written in clear and plain language, particularly if addressed to a child and free of charge), but data controllers may still consider where the information should be displayed in different layers of a notice; use a privacy notice checklist (i.e. what to include, where to give the notice, when to give the notice, and how to give the notice), and then test it, roll out and continuously review it. [Information Commissioner’s Office, United Kingdom – Privacy Notices, Transparency and Control: A Code of Practice on Communicating Privacy Information to Individuals]

UK – ICO Recommends Personal Liability of Directors for Breaches of Data Protection Law

At a recent Parliamentary meeting to discuss the draft Digital Economy Bill, the UK Information Commissioner recommended imposing personal liability and accountability upon company directors. If such liability is imposed, it will mark a radical departure from the current law, under which directors of companies generally have no personal liability or accountability for breaches of data protection law committed by their companies. The ICO’s recommendations to the Committee

  • Reviewing the Bill against the GDPR, to ensure that the new requirements imposed by the Bill are consistent with the GDPR – in particular, the new rights afforded to individuals.
  • Putting the ICO’s Data Sharing Code of Practice and Direct Marketing Code of Practice on a statutory footing, effectively giving those Codes the force of law (whereas currently they are merely guidance).
  • Obliging companies to make their data sharing activities transparent at two levels, by requiring them to: (i) ensure that the purposes of the data sharing, and how it will occur, are made clear either at the point of collection of data, or in ways that are easily accessible by individuals; and (ii) implement safeguards and transparency in line with the ICO’s Privacy Notice Code of Practice.
  • Ensuring that data sharing, whilst beneficial for public interest reasons, is always kept proportionate, minimised as far as possible and undertaken in accordance with the Data Protection Act 1998.
  • Ensuring that the requirement for age verification does not result in an open-ended approach that allows the relevant websites to take large amounts of personal data from individuals. Secure and accredited third party providers of age verification systems should be used to ensure that the bare minimum of data are disclosed to such website owners.
  • Lowering the threshold for the requirement of ‘harm’, in relation to nuisance calls, to make it easier for the ICO to take enforcement action and issue fines.

Whitecase.com | Regulator seeks further enforcement powers in its fight against nuisance marketing | Lexology

EU – Other EU Developments

Facts & Stats

CA – Tracking of Journalist Highlights Need for Guidance to Courts: Privacy Czar

Parliament has a role to play in instructing the courts on when to grant police a warrant to obtain sensitive data, privacy commissioner Daniel Therrien told a House of Commons committee this week. “This is a very worrisome issue,” Therrien said under questioning at a meeting of the Commons information, ethics and privacy committee, which is conducting a review of the federal Privacy Act. …”It’s one thing to say that the courts are involved,” Therrien said. “That’s a good start. But this case leads me to believe that that’s not adequate in itself. It may be useful to give the court tools so that they’re better able to exercise their power.” Among Therrien’s recommended revisions to the federal privacy regime is a call for agencies involved in law enforcement to publish regular reports on the requests they make to telecommunications companies for information about subscribers. Therrien noted that many communications outlets produce such transparency reports about the data they hand over to police and spies. “It’s one thing for companies to do it. But the ones who should really be transparent are those who ask for and use the information,” he said. Montreal-based La Presse newspaper said this week it had learned at least 24 surveillance warrants were issued for columnist Patrick Lagace’s iPhone this year at the request of city’s police service. Three warrants reportedly authorized police to get the phone numbers for all Lagace’s incoming and outgoing texts and calls, while another allowed them to track the phone’s location via its GPS chip. National News Watch | Police surveillance of journalist ‘worrisome’: Senator Pratte |Premier promises greater protection of journalists, sidesteps call for inquiry | Privacy czar decries tracking of journalist

US – Washington State Attorney General Releases Data Breach Report

The personal information of at least 450,000 Washington state citizens was compromised between July 2015 and July 2016, according to a report from Attorney General Bob Ferguson. The report highlights the 39 data breaches that affected at least 500 individuals as part of the stricter notification rules adopted by the state in 2015. While most breaches affected less than 10,000 individuals, T-Mobile reported an incident where an intruder received the sensitive information of nearly 330,000 people. “Information is power, and this new law gives my office and Washingtonians valuable information about potential risk to their personal information and their businesses,” Ferguson said. “Data breaches are a serious threat to our security, and my office can use this information in our efforts to protect the people of Washington.”[Full Story]


WW – 70 Rights Groups Urge Facebook to Clarify Its Content Removal Policies

In a letter sent to Facebook, more than 70 rights groups have called on the organization to explain its content removal policies, “especially at the behest of governments.” The missive alleges Facebook has removed content concerning police violence or war imagery, the report states. “When the most vulnerable members of society turn to your platform to document and share experiences of injustice, Facebook is morally obligated to protect that speech,” the letter said. While a Facebook spokeswoman said it was reviewing the letter, the company is still facing “international scrutiny amid several controversial takedowns and reversals in recent months, including the company’s handling of an iconic Vietnam War photo showing a naked girl burned by napalm,” the report adds. [Reuters]


WW – Google Releases Transparency Report for First Half of 2016

According to Google’s most recent transparency report, which covers the first six months of 2016, it received nearly 45,000 requests for information regarding more than 76,000 accounts from governments around the world. While the volume of government requests Google receives for data from Google have risen, the proportion of those requests it complies with has remained steady at about 64 percent. The report also notes that the FBI lifted a gag order on a National Security letter issued in the second half of 2015. [Google discloses FBI inquiry | Government Requests for Google User Data Rise Steadily | Building on Surveillance Reform (Google blog)]

CA – Ontario Health-care Watchdogs Making Cautions Issued Over Mistakes or Bad Behaviour Public

Ontario’s health-care watchdogs are lifting the veil of secrecy surrounding cautions given to dentists, nurses, pharmacists and others for mistakes or improper behaviour. Doctors’ cautions became public last year. Until recently, cautions — such as those issued for drug-dispensing errors or delays in sending patients for crucial followup appointments — were kept secret from the public, including future patients critics say deserved to know the track record of each health professional. The decision was prompted by a 2013 Toronto Star investigation. Since the Star stories, Ontario’s health regulatory colleges have been developing measures that would tell the public when their members receive cautions. There are now 26 colleges that regulate the province’s more than 300,000 health-care professionals. Most colleges have decided to post cautions publicly on their websites, while three are considering proposals to do so. The College of Physicians and Surgeons of Ontario began making cautions public last year. [The Star]


US – NIH-Funded Genetic Sequencing Project Filled with Privacy Concerns

A National Institutes of Health-funded genetic sequencing project is offering parents of newborns the opportunity to discover if their infants are more likely to have genetic conditions, but privacy concerns have emerged. Researchers are using the BabySeq project to determine whether discovering a child’s genetic makeup could benefit their health or increase health care costs. However, any results from the genetic sequencing will permanently go on a child’s medical record. Federal law prohibits health care providers and workplaces from discriminating against medical conditions, but life insurers can use the information to determine who receives a policy. “It really gave me pause that this would be part of the medical record that private companies would have access to,” said Lauren Patrick, a parent who declined participating in the project. “That was my full stop in the end.” [Full Story]

Horror Stories

AU – 550,000 Blood Donors’ Data Leaked in Red Cross Blood Service Breach

Australian Red Cross Blood Service CEO Shelly Park has said that a mistake made by a contractor in charge of the organization’s website led to the accidental publication of more than 550,00 blood donor’s personal information on a public-facing, unencrypted development section of the site. The data was accessed and sent to Microsoft’s Troy Hunt, who “reported the person who gained access to the information had contacted him, revealing [his] own personal details and a 1.74GB data file containing the records,” the report states. Park said the organization was looking into the breach and notifying the affected, with Australian Privacy Commissioner Timothy Pilgrim announcing his office’s own investigation. [The Sydney Morning Herald]

Internet / WWW

EU – Merkel: Internet Platform Algorithms Need More Transparency

German Chancellor Angela Merkel is pushing internet platforms to be more transparent with their algorithms. Merkel believes the lack of transparency harms debating culture and advocates for internet users to have a means by which to find out how they received information through search engines. “I’m of the opinion that algorithms must be made more transparent, so that one can inform oneself as an interested citizen about questions like ‘what influences my behaviour on the internet and that of others?’” said Merkel. “Algorithms, when they are not transparent, can lead to a distortion of our perception, they can shrink our expanse of information.” [The Guardian]

UK – Company Says It Can Determine Voters’ Personality to Help Target for Campaigns

Cambridge Analytica CEO Alexander Nix claims that the company can “determine the personality of every single adult in the United States of America,” and the Trump campaign is paying “millions of dollars” for the company’s assistance. “The firm says it can predict how most people will vote by using up to 5,000 pieces of data about every American adult, combined with the result of hundreds of thousands of personality and behavioral surveys, to identify millions of voters who are most open to being persuaded to support Trump,” the report states. Some are critical that the company can do that successfully. Yale University’s Eitan Hersh, author of “Hacking the Electorate,” argues that Cambridge Analytica’s claims are “basically impossible … You can do better randomly guessing.” [The Washington Post]

WW – Facebook Tool Allows Advertisers to Target, Exclude ‘Ethnic Affinities’

Facebook allows advertisers to tailor ads to exclude or target groups it dubs “Ethnic Affinities.” The Civil Rights Act of 1964 and the Fair Housing Act of 1968 make such moves illegal, the report states. “This is horrifying. This is massively illegal,” said civil rights lawyer John Relman. “This is about as blatant a violation of the federal Fair Housing Act as one can find.” Facebook representatives said they would be moving the “Ethnic Affinity” category out of the “Demographics” section of its ad-building tool. “We take a strong stand against advertisers misusing our platform: Our policies prohibit using our targeting options to discriminate, and they require compliance with the law,” said Facebook Privacy and Public Policy Manager Steve Satterfield. [ProPublica]

Law Enforcement

CA – Montreal Cops Have Tracked a Journalist’s Cellphone for the Past Year

On Monday Montreal newspaper La Presse published details on surveillances warrants, at least 24 in total, obtained to surveil journalist Patrick Lagacé. …Lagacé, who works at La Presse, had been in contact with Faycal Djelidi, a Montreal police officer under investigation for a number of crimes, including perjury and obstruction of justice. When Lagacé’s number popped up on Djelidi’s phone, the Montreal police obtained the initial surveillance warrants for the journalist’s device. …The case, just one of many instances of Canadian cops investigating journalists in recent years, shows how willing police are to compromise journalist’s protection of their sources, La Presse said in a statement. [Vice.com | | ‘A Detrimental Chilling Effect’: VICE Pushes Back in Legal Fight With Canadian Police – April 29, 2016 | Media Coalition and Civil Liberties Groups Granted Say in VICE Case Against RCMP  – October 27, 2016 | How Canada’s Anti-Cyberbullying Law Is Being Used to Spy on Journalists | Montreal police spied on La Presse journalist Patrick Lagacé | La Presse columnist says he was put under police surveillance as part of ‘attempt to intimidate’ | We’re spied on more often than you think, journalists groups say | 3 other journalists allegedly under surveillance by Montreal police | Police surveillance scandal: Quebec tightens rules for monitoring journalists

US – On-Demand Cell Phone Searches Hurt Teenagers on Parole

Should law enforcement get an all access, long-term pass to a teenager’s cell phone, just because he or she had a run in with police? That question is in front of California’s highest court, and in an amicus brief filed earlier this month, EFF and the three California offices of the ACLU warned that it was a highly invasive and unconstitutional condition of juvenile parole. In this case, a teenager known in court documents as Ricardo P. admitted to two cases of burglary. One condition of his parole was that he submit his phone to search at any time, whether by his probation officers or any peace officer, even though his phone use had nothing to do with the commission of the crimes. But the U.S. Supreme Court has ruled that you cannot treat personal electronic devices so cavalierly. In 2014, the court in Riley v. California recognized that government searches of cellphones implicate personal privacy in ways that few things do, and rejected the government’s claims that cellphones can be searched without a warrant. After all, cell phones contain the sum of all of our lives, including our religious views, our sexual orientations, our health conditions, or physical movements throughout the day, and more. And the privacy implications go far further than the individual juvenile on parole. Everyone the child talks to also has personal information that is exposed to law enforcement. An on-demand search without any probable cause is like letting the government have a long-running wiretap—unprecedented for a probation condition for a juvenile. [EFF]


US – FedRAMP Improvements Made

FedRAMP (the Federal Risk Authorization and Management Program) has streamlined the process cloud services companies must go through to be approved, which has increased the number of authorized services. FedRAMP has also implemented a new dashboard that is easier for federal agencies to use.[Federal News Radio: FedRAMP overhaul begins paying dividends]

Online Privacy

WW – How Despots Use Twitter to Hunt Dissidents

Twitter’s ‘firehose’ of a half billion tweets a day is incredibly valuable—and just as dangerous. …if Twitter provides a rare outlet for criticism of repressive regimes, it’s also useful to those regimes for tracking down and punishing critics. There have been dozens of Twitter-related prosecutions in Saudi Arabia, according to Human Rights Watch. Twitter is still popular in Saudi Arabia but it no longer hosts much dissent. Activists are careful to tweet in coded language, if they tweet at all. “People don’t openly discuss important things on Twitter anymore,” says Ali Adubisi, a Saudi human-rights activist. “Twitter is totally different, totally silent, totally weak.” [Bloomberg]

WW – Company to Pull Plan to Price Car Insurance Based on Facebook Posts

Admiral has been forced to scrap plans to use Facebook posts to analyse the personalities of car owners and set the price of their insurance after the social media company said the scheme breached its privacy rules. In an embarrassing U-turn, the insurance firm pulled the product less than two hours before it was due to officially launch. The product, called firstcarquote, was launched later with “reduced functionality”: users can log in to the product with Facebook but it will no longer analyse their data. Facebook said protecting the privacy of its users was of the “utmost importance” and that it had clear guidelines about how information obtained from the site should be used. Privacy campaigners welcomed Admiral’s reversal but said that it was only the start of other companies trying to use personal data in a similar way. The scheme would be voluntary and not apply price increases to drivers deemed to be more risky. [The Guardian]

Privacy (US)

US – Judge Rejects Settlement Over Surveillance of Muslims by NYPD

A federal judge has rejected the settlement of a lawsuit stemming from the New York Police Department‘s surveillance of Muslims, saying the proposed deal does not provide enough oversight of an agency that he said had shown a “systemic inclination” to ignore rules protecting free speech and religion. In January, Mayor Bill de Blasio, a Democrat, agreed to appoint a civilian lawyer to monitor the department’s counterterrorism activities as a means of settling two lawsuits accusing the city of violating the rights of Muslims over the past decade. But the judge, Charles S. Haight Jr., in an opinion published on Monday, said the settlement did not go far enough for an agency that had become “accustomed to disregarding” court orders. “The proposed role and powers of the civilian representative,” Judge Haight wrote, “do not furnish sufficient protection from potential violations of the constitutional rights of those law-abiding Muslims and believers in Islam who live, move and have their being in this city.” The decision means lawyers for both sides will have to negotiate changes to the settlement or fight the lawsuit in court. Jethro Eisenstein, a civil rights lawyer in the case, said he and his colleagues planned to discuss the ruling with city lawyers. [New York Times]

US – Judge Rules Anxiety Cannot Be Used To Claim Damages

Plaintiffs in a class-action lawsuit against Barnes & Noble stemming from a 2012 data breach were able to prove their standing, but could not adequately claim they suffered damages. The plaintiffs claimed the book chain invaded their privacy and violated several laws after the incident where cyber criminals hacked Barnes & Noble PIN pad terminals. The plaintiffs’ original complaint was shot down in 2013, and their amended complaint was also rejected by a judge last month. “Plaintiffs did allege monetary harm such as costs associated with renewing identity protection monitoring services,” said Reed Smith Associate Brian Willett. “But the court found that those claims, in addition to suffering anxiety based on the PIN pad tampering, were insufficient to support the suit.” In other news, an appeals court ruled the victims of a Nationwide Insurance data breach do not need to establish their standing to prove they are in danger. [Penn Record]

US – Anthem Breach Victims File Class Action, Seek OPM Audit Data

Victims of the 2015 Anthem data breach have filed a class-action lawsuit against the health insurer. Plaintiffs are also asking for information on an audit conducted by the U.S. Office of Personnel Management on the state of Anthem’s network security. The OPM first conducted an audit in 2013, but Anthem turned down the agency’s request to conduct tests, with the company citing “corporate policy” issues. The OPM conducted its second audit following the breach, but the findings were not released to the public. The plaintiffs claim if the audit discovered security vulnerabilities, then Anthem had the ability to prevent the cyberattack, making it important for the information to be made public. [Modern Healthcare]


WW – Study: One-Third of Targeted Breaches Succeed While Majority of Execs Say their Infosec Practices Work

An Accenture survey of 2,000 security officers from large enterprises worldwide has found that one-third of targeted breaches against companies are successful, but three-quarters of executives are still confident in their infosecurity practices. “To survive in this contradictory and increasingly risky landscape, organizations need to reboot their approaches to cybersecurity,” the report, entitled “Building Confidence: Facing the Cybersecurity Conundrum,” states. “Ultimately, many remain unsure of their ability to manage the internal threats with the greatest cybersecurity impact even as they continue to prioritize external initiatives that produce the lowest return on investment.” Focusing mainly on data protection law compliance isn’t enough to protect data, the study adds. Meanwhile, a BDO USA survey of 160 companies has found that 74% of directors say that their boards are increasingly discussing cybersecurity issues. [Bloomberg Technology]

US – Report: Private Sector Must Incorporate ‘Active Defense’ Into Cybersecurity Efforts

The GW Center for Cyber and Homeland Security has released a report detailing the private sector’s role in implementing cybersecurity protocols. “Into the Gray Zone: The Private Sector and Active Defense Against Cyber Threats“ explains why the private sector is responsible for defending itself against attacks while the government will offer assistance by providing a framework for incorporating “active defense” into cybersecurity methodology. “These activities fall into two general categories, the first covering technical interactions between a defender and an attacker. The second category of active defense includes those operations that enable defenders to collect intelligence on threat actors and indicators on the internet, as well as other policy tools that can modify the behavior of malicious actors,” the report states. In other news, research firm Forrester predicts the next president will face a cyber crisis within the first 100 days of his or her term. [Lawfare]

Smart Cities

US – D.C. Plans Streetlights That Save Money, Offer Wi-Fi, Help with Parking

D.C.’s technology office envisions a Washington with streetlights that not only have a motion detector but also offer Wi-Fi and live video of every street in the city, and trash cans that let the city know when they need to be emptied. There are more than 71,000 streetlights in the District, not all of them working. Chief Technology Officer Archana Vemulapalli is leading an effort to convert all of them to smart technology hubs that will one day bring free Wi-Fi to students who don’t have internet connectivity at home, provide police real time video of every street in the District and allow the District’s Department of Transportation to monitor and regulate traffic from one remote location. [NBC]


WW – Holiday Shoppers’ Appetite for New Smartphones Comes With Steep Data Privacy Price

A new research study released by Blancco Technology Group, “Holiday Shopping: When Smartphone Upgrades Go Wrong in a BYOD Workplace“ reveals that 68% of mobile users plan to purchase a new smartphone during the holiday shopping season. But new smartphones and insecure mobile data practices will come with a steep data privacy price – both for smartphone owners and their employers. Key findings from the study include:

  • Promotional incentives and discounts sway holiday shoppers to ditch old phones.
  • Data privacy fears don’t halt holiday shoppers’ plans to trade in and resell old phones.
  • Customer records, patent filings and system login credentials top the list of corporate data loss fears.
  • Despite Fears of Credit Card Numbers, Company Emails and Customer Lists Being Exposed, 72% of Mobile Users Automatically Connect to Available WiFi Connections & 76% Connect to Company Networks.
  • Keeping mobile data safe is thorny issue for users and employers. Over half (56%) of the surveyed mobile users reported storing both personal and corporate information on their smartphones.
  • However, 42% of mobile users said their company does not have visibility into which types and quantities of corporate data are stored on their smartphones. [Newswire]

Telecom / TV

US – FCC Approves New Internet Data Privacy Rules

The US Federal Communications Commission (FCC) has approved new rules aimed at protecting sensitive consumer data. The rules require broadband providers, including Verizon, Comcast, and AT&T, to obtain customers’ permission before sharing data the FCC has deemed to be sensitive. These data include precise geo-location; financial information; health information; children’s information; web browsing and app usage histories; and contents of communications. ISPs also must be clear about what information they collect and with whom they share it. FCC ruling means users must ‘opt in’ to let data be sold | FCC approves new privacy rules for ‘sensitive’ internet data | FCC imposes new consumer privacy rules on ISPs | The FCC just passed sweeping new rules to protect your online privacy | FCC Adopts Privacy Rules to Give Broadband Consumers Increased Choice, Transparency, and Security for Their Personal Data] SEE ALSO: [The FCC’s new privacy rules are toothless]



16 – 27 October 2016


Facebook Class-Action Asks Court to Decide on Facial-Recognition Tool

Here’s what we know: Every time you tag a friend in a Facebook photo, Facebook stores their image in its database. And here’s what we’re about to find out: whether that’s an illegal violation of users’ privacy. This week, a class-action lawsuit alleging that the world’s largest social network is violating its users’ privacy will enter phase two. Specifically, a San Francisco court will assess whether Facebook is breaking the law by using its facial-recognition tool, to identify faces in photographs uploaded by users, or by collecting those photographs into a central database. In use since 2010, Facebook claims its facial-recognition tool is now 97.35% accurate, which is great news if you’re trying to tag overcrowded party pictures, but less so if you’re worried about privacy. Plaintiffs in the case are concerned on a number of fronts: Facebook could be selling identifying information to retailers or other third parties. More importantly, they worry that biometric data is just as susceptible to theft, hacking, and the long and invasive arm of law enforcement as other types of data. “Unique and unchangeable biometric identifiers are proprietary to individuals,” the complaint reads (paywall). It also alleges that Facebook failed to acquire consent before collecting “faceprints.” The class-action suit hinges on a unique Illinois law passed in 2008, called the Biometric Information Privacy Act. It states that if companies fail to get consent from users before storing biometric information, they can be subject to a $5,000 fine, plus $1,000 in damages if the violation shows negligence. That’s per violation. For a company with 7 million users in Illinois, that could mean fines as high as $35 billion. There is some precedent here. In April, photo-sharing website Shutterfly reached a settlement over its facial-recognition technology. Snapchat faced a similar suit over the summer, but has denied storing any biometric information (the company says it uses “object recognition,” not facial recognition). Alphabet’s cloud-based Google Photos service also uses similar technology, and Google is facing privacy lawsuits of its own. [Quartz]

US – Researchers Find Flaws in Police Facial Recognition Technology

Nearly half of all American adults have been entered into searchable law enforcement facial recognition databases, according to a recent report from Georgetown University’s law school. But there are many problems with the accuracy of the technology that could have an impact on a lot of innocent people. Police can run any photo through a facial recognition program to see if it matches any of the license photos. It’s kind of like a very large digital version of a lineup, says Jonathan Frankle, a computer scientist and one of the authors of the report, titled “The Perpetual Line-Up.” “Instead of having a lineup of five people who’ve been brought in off the street to do this, the lineup is you. You’re in that lineup all the time.” Frankle says the photos that police may have of a suspect aren’t always that good — they’re often from a security camera. “Security cameras tend to be mounted on the ceiling,” he says. “They get great views of the top of your head, not very great views of your face. And you can now imagine why this would be a very difficult task, why it’s hard to get an accurate read on anybody’s face and match them with their driver’s license photo.” Frankle says the study also found evidence that facial recognition software didn’t work as well with people who have dark skin. There’s still limited research on why this is. Some critics say the developers aren’t testing the software against a diverse enough group of faces. Or it could be lighting. Findings

  • Law enforcement face recognition networks include over 117 million American adults — and may soon include many more.
  • By running face recognition searches against 16 states’ driver’s license photo databases, the FBI has built a biometric network that primarily includes law-abiding Americans.
  • Major police departments are exploring real-time face recognition on live surveillance camera video.
  • Law enforcement face recognition is unregulated.
  • Police face recognition could be used to stifle free speech.
  • Most law enforcement agencies do little to ensure that their systems are accurate.
  • Without specialized training, human users make the wrong decision about a match half the time.
  • Police face recognition will disproportionately affect African-Americans.


  • Law enforcement face recognition searches should be conditioned on an individualized suspicion of criminal conduct.
  • Mug shot databases used for face recognition should exclude people who were found innocent or who had charges against them dropped or dismissed.
  • Searches of driver’s license and ID photos should occur only under a court order issued upon a showing of probable cause.
  • Limit searches of license photos — and after-the-fact investigative searches — to investigations of serious offenses.
  • Real-time video surveillance should only occur in life-threatening public emergencies under a court order backed by probable cause.
  • Use of face recognition to track people on the basis of their race, ethnicity, religious or political views should be prohibited.
  • The FBI should test its face recognition system for accuracy and racially biased error rates, and make the results public.

[Study: Police Use of Facial Recognition Goes Unregulated | NPR.org | The Perpetual Line-Up | Facial recognition technology is taking over US, says privacy group |Study Urges Tougher Oversight for Police Use of Facial Recognition | Half of US adults are profiled in police facial recognition databases | Maryland’s use of facial recognition software questioned by researchers, civil liberties advocates

Big Data

CA – RCMP’s Counterterrorism Centre Facilitates Information Sharing

The RCMP have created a permanent place for counterterrorism detectives to work shoulder-to-shoulder – and database to database – with federal border guards, immigration officials and spy-agency analysts. The national-security joint-operations centre (NSJOC) in Ottawa is a “real-time and rapid information-sharing” crossroads where federal agents can efficiently swap files, according to recently released records. However, critics fear it will go places no watchdog can follow. The counterterrorism centre was largely unknown until RCMP Commissioner Bob Paulson made a brief reference to it in Parliament earlier this year. The Globe and Mail has acquired the centre’s terms of reference under Access to Information laws. The federal agencies constantly collect data, but under different mandates than that of the Mounties. Federal agents typically shield their files from each other unless they have a compelling reason to share. In some cases, warrants are needed for information handovers. Yet federal agents want to knock down institutional walls in times of crisis, and the RCMP-led centre seeks to keep the bureaucratic barriers to information-sharing low. The centre’s terms of reference says criminal charges are just one approach to fighting terrorism. Pooling knowledge among federal agents makes other interventions possible – such as revoking suspects’ passports, adding people to no-fly lists, or even warning the family and friends of radicalized young people “of the risks associated with violent extremist activity.” Nothing in the terms of reference suggests the agencies got new powers to share information. Federal watchdog agencies have complained for years that they cannot track what information agencies share in the name of national-security. Even as federal-security agencies increasingly swap files, none of their review bodies are legally empowered to see what is happening as it happens, or within more than one agency. “A body like this makes the case for why we need more robust real-time oversight,” says Carmen Cheung, a professor at the University of Toronto’s Munk School of Global Affairs. “It looks like they are all co-located in essentially one room, and that room has direct access to all the databases of all the respective agencies, which is amazing.” A decade ago, a judicial inquiry recommended Canada create a watchdog to track all security agencies at once, but the concept never got off the ground. The finding followed a Canadian counterterrorism investigation in which federal agents swapped information carelessly and several Canadians were wrongly jailed as presumed terrorists in Middle East prisons. [The Globe and Mail]

US – 75% of US Citizens Back Use of Data Fusion Tools: TransUnion

A TransUnion study found 75 percent of Americans support the use of data fusion tools in law enforcement investigations. Of the 1,002 respondents, 81% said law enforcement “has an obligation” to use publicly available information to solve crimes, including names, addresses, phone numbers and bankruptcy records. Support hinged on the fact non-public data, such as phone records, internet search histories, and banking statements are not included in the data gathering, with 59% saying they support data fusion tools because they do not use non-public data. “Law enforcement agencies continue to expand their use of data fusion tools. The value of linking hundreds of millions of records in a short period of time to find cyber evidence on criminals is critical in cases which need timely outcomes — such as solving a murder or finding an abducted child,” said TransUnion’s Jonathan McDonald. [MarketWire]

WW – Google, OpenAI Create Algorithms to Use Personal Data, Protect Privacy

OpenAI and Google have created a method by which artificial intelligence can study and use personal data, despite not having any access to the information. The two companies created a “student” algorithm, one designed to mimic decisions learned from “teacher” algorithms through millions of simulated decisions. Numerous teacher algorithms send information to a student algorithm, allowing the student to process the information, but making it impossible for the information to be deciphered if it were reverse-engineered. “All the research in this space explores a tension between privacy and utility, as more privacy means utility goes down,” said machine learning security researcher Thomas Ristenpart. Meanwhile, artificial intelligence and robotics were a hot topic last week at the 38thInternational Conference of Data Protection and Privacy Commissioners. [Quartz]

WW – AI’s Effect on Insurance Industry Could Lead to Privacy Issues

Advances in big data analytics and artificial intelligence could have a major impact on the insurance industry. Insurance firms could mine social media to determine proper pricing on premiums. An insurance company could look at users’ Twitter accounts and make offers based on the tone of their posts, using analytics to determine their health outlook. While companies such as reinsurer Swiss Re say the advances will drop the price of insurance protection and assist individuals in making better choices through incentive programs, those against the idea say it would violate user privacy, lead to personalized pricing, and minimize any form of shared risk. “In a relatively short period of time, maybe a few years, most of the major insurers will have integrated lessons from behavioral research,” said Swiss Re’s Daniel Ryan. “Undoubtedly, it will lead to a different interaction between insurer and policyholders.” [Reuters]

WW – Why AI May Be the Next Big Privacy Trend (Opinion)

In the past month, we have seen the launch of a major industry effort to explore the policy ramifications of AI, and the U.S. Department of Transportation has released a policy roadmap for autonomous vehicles, suggesting that regulators and policymakers are eager to get into the AI game. Even the White House got involved this spring when it announced a series of workshops to explore the benefits and risks of AI. The first fruits of that White House effort were unveiled last Wednesday with an initial report on the immediate future of these exciting technologies. It includes 23 recommendations aimed at the U.S. government and various federal agencies, and while privacy and data protection are not major focuses of the report, it does introduce a new vocabulary and raises issues that will implicate the privacy space. Writes attorney Joseph Jerome. “If the phenomenon of big data encouraged nearly every company to view itself as a data company, fueling the privacy profession, AI looks to have a similar trajectory for influencing how organizations do business,” he notes. In this post for Privacy Perspectives, Jerome details why “getting a handle on the contours of AI” and how it intersects with privacy, “could be increasingly important.” [Full Story]


CA – Submissions on OPC Consultation Show Lack of Consensus for Trustmarks and Codes of Practice

The OPC releases the submissions provided in response to its consultation on the consent model and possible alternatives. Submissions include beliefs that “one-size-fits-all” sectoral codes of practice, trustmarks, and privacy seals do not reflect the diversity of practices and needs of businesses in the digital economy, and a rejection of the voluntary, industry-drive trustmark model; suggestions include support for a trustmark overseen by a credible organization independent of industry influence (e.g. the OPC or an independent organization supervised by the OPC). [OPC Canada – Overview of Consent Submissions]

WW – Guidelines for Privacy Certifications and Trustbrands

Privacy certifications, or “trustbrands,” are seals licensed by third parties for organizations to place on their homepage or within their privacy policy. The seals typically state, or imply, that the organization which has displayed the seal has high privacy or security standards, or has had its privacy or security practices reviewed by a third party. Some seals also imply that the organization has agreed to join a self-regulatory program that may provide consumers with additional rights, such as a mechanism for resolving privacy-related disputes. A snapshot of information concerning privacy certifications:

  • Percentage of consumers that are worried about online privacy: 92%
  • Percentage of consumers who claim they look for privacy certifications and seals on a website: 76%
  • Percentage of consumers who say that they would share their interests with advertisers if the advertiser’s privacy policy was “certified: ~50%
  • The number of certifying agencies the FTC has alleged offered deceptive seals: 2

What to think about when considering whether your organization should purchase a privacy certification:

  1. Does the certifying agency have its own privacy or security standards?
  2. Do the certifying agency’s standards exceed legal requirements?
  3. Does your organization’s practices meet the certifying agency’s standards?
  4. If the certifying agency’s standards change, is your organization prepared to modify its practices accordingly?
  5. Has the certifying agency been investigated by the FTC, or another consumer protection authority, for deceptive or unfair practices?
  6. If so, are you confident that the certifying agency’s seal and review process is non-deceptive and that association with the agency will not result in negative publicity?
  7. Have consumers complained to the FTC about the certifying agency?
  8. Does your organization have a mechanism in place to ensure that the license for the seal is renewed each year and/or that the seal is removed from your website if the license expires?
  9. Have plaintiff’s attorneys used the seal against other organizations by alleging that those organizations agreed to a higher standard of care by adopting the seal? [Source]

US – Feds Love to Shred: Spending on Documents Spiked

The Government of Canada has apparently accumulated too much paper. Public Accounts documents show sudden surge in spending on document shredding and storage. The federal government spent approximately $12 million more on hiring companies that offer services like document shredding and storage in the last fiscal year than it did ten years ago. During the 2005-2006 fiscal year, the Health and Transport departments spent about $389,247 on two separate contracts with companies that are in the business of destroying and storing physical and digital documents. By 2013-2014, when the Harper government was enjoying its third term in government, that number had increased to nearly $3 million. But it was the following year that the government went all out. Public Accounts documents for the 2014-2015 fiscal year show the federal government spent nearly $13 million on similar contracts. By that time, many more departments were utilizing these services — including the Canada Revenue Agency, Employment and Social Development, and the Justice department. This past fiscal year — during which Canada underwent a change of government — saw a slight decrease in spending, to just under $12.4 million. The biggest spender in the 2015-2016 fiscal year, by a long shot, was the Canada Revenue Agency, which spent a whopping $8.4 million on contracts with Mobilshred and Shred-It. The year prior, it dished out approximately $10.3 million — which is largely responsible for the sudden spike in document spending by the government that year. The Alberta government experienced a “shred-gate” in early January 2016. The privacy and public interest commissioners found that the outgoing Progressive Conservative government improperly destroyed nearly 350 boxes of shredded documents. [iPolitics]

CA – NWT’s Protection of Health Records Still Needs Work: Commissioner

The Northwest Territories Department of Health has received a slap on the wrist from the territory’s privacy commissioner for the way it handles confidential patient information. The Information and Privacy Commissioner of the N.W.T’s annual report was tabled in the legislative assembly. In it, commissioner Elaine Keenan-Bengts criticizes the territory’s health department for the way it has implemented the N.W.T. Health Information Act that came into effect in October 2015. The act is meant to govern how personal health information is collected and disclosed. In the six months after the act became law, the commissioner says there were seven separate privacy complaints. She says it’s clear that a number of people who deal with private health information don’t properly understand the act. “While there was some training done before the act came into effect, it does not appear that the training was mandatory,” Keenan-Bengts wrote. Keenan-Bengts also says little has been done to educate the public of their rights when it comes to their personal health information. She says the majority of patients don’t know the act gives them the right to put conditions on who has access to their records, such as barring a practitioner, nurse, clerical staff or other employee in any particular office from accessing their file. Despite patients having this right, Keenan-Bengts says the health department doesn’t actually have the ability to do that. Keenan-Bengts recommends better training for health staff on the act as well as better education campaigns for the public. [CBC News]

CA – Does the Surrey RCMP Need A Surveillance Camera Database?

Surrey will soon launch Project Iris, which is based on a CCTV program out of Philadelphia residents and business owners will be able to register their surveillance cameras with the RCMP. Terry Waterhouse [Surrey’s director of Public Safety Strategies] says he has collaborated with the B.C. Privacy Commissioner’s Office to ensure the program doesn’t violate anyone’s rights. “The important parts are that it is completely voluntary and also, it’s voluntary in the sense that if they do have the footage, whether or not they provide it [to police] is voluntary as well,” he said. B.C. Civil Liberties Association policy director Micheal Vonn says she has one small concern about Project Iris. “We don’t want to encourage businesses to over-collect information.” “If you are collecting information on your property and you have appropriate signage, all of that is fine. What you can’t do is, you can’t collect footage in a public space as a private entity. You’re governed by the private sector privacy legislation.” [CBC News]


WW – Millennials ‘Extremely Reluctant’ to Share Data: Study

A Lexis Nexis Risk Solutions study has found millennials are “extremely reluctant” to share personal information even though they use connected devices in large numbers. The study found that more than a quarter of millennials across the globe had no trust that retailers or mobile wallet programs will treat their data “correctly or securely.” “The general discomfort millennials are expressing with information sharing, beyond a couple of the most basic data points, shines a light on the need to educate this major and growing portion of the consumer population,” said Lexis Nexis Risk Solutions’ Kimberly Little Sutherland. “Likewise, it begs the question, are retailers and financial institutions optimizing their business processes for the millennial customer?” [Multichannel Merchant]


US – California Attorney General Releases Caloppa Violation Reporting Tool

California Attorney General Kamala Harris has announced a new tool to help consumers report organizations and other entities that are not complying with the California Online Privacy Protection Act, the California Office of the Attorney General said. “In the information age, companies doing business in California must take every step possible to be transparent with consumers and protect their privacy,” said Harris. “As the devices we use each day become increasingly connected and more Americans live their lives online, it’s critical that we implement robust safeguards on what information is shared online and how. By harnessing the power of technology and public-private partnerships, California can continue to lead the nation on privacy protections and adapt as innovations emerge.” [OAG]

CA – Watchdogs Find Lax Management of Smartphones and Tablets by BC Government

BC government workers sometimes waited months to report a lost or stolen smart phone or tablet, according to a report on mobile device management by the Acting Information and Privacy Commissioner, Drew McArthur. “On average it took employees two to six days to make a report. At one ministry, employees were advised not to report lost devices for up to three days in case the device was found.” Investigators also found that records of lost and stolen devices were not properly maintained or analysed, so management missed an opportunity to provide additional training. McArthur said investigators found policies were often overlapping, inconsistent and confusing. The ministries also did not keep track of personal information stored on mobile devices or categorise sensitivity of such personal information. “Government is not meeting its statutory obligation to protect personal information stored on mobile devices.” Privacy training was not specific to mobile devices nor was it conducted frequently. Risk assessments were poor and breach and incident protocols were not consistently followed when privacy breaches happened. Auditor General Carol Bellringer also released a report looking at the security aspects of government mobile device management. She noted the size and portability of devices makes them easy to lose or steal and they often become obsolete, meaning fewer security updates as they age. Unlike desktop or laptop computers, mobile devices often remain connected around the clock, putting them in jeopardy of unauthorised access. Bellringer found there were policy gaps, the full life cycle of mobile devices is not well managed, appropriate security controls are not always in place and there is no central monitoring and logging by government of mobile device activity. Both reports said that the government began to make improvements to its policies and procedures while the investigations were underway. [Business Vancouver]

WW – This Is Why We Still Can’t Vote Online

Online voting sounds like a dream: the 64 percent of citizens who own smartphones and the 84 percent of American adults with access to the internet would simply have to pull out their devices to cast a ballot. And Estonia—a northern European country bordering the Baltic Sea and the Gulf of Finland—has been voting online since 2005. But ask cybersecurity experts and they’ll tell you it’s really a nightmare.

We are nowhere close to having an online voting system that is as secure as it needs to be. Ron Rivest, a professor at MIT with a background in computer security and a board member of Verified Voting, said it is a “naive expectation” to even think online voting is on the horizon. In 2010, the District of Columbia’s Board of Elections & Ethics conducted a pilot project where they built an Internet voting system for overseas and military voters in effort to expedite the absentee voting process. The system was simple: voters would log in, receive a ballot, print the ballot, cast their vote, and upload their ballot to the Internet. In the weeks prior to the general election, a public trial was held to see if the system could be infiltrated. J. Alex Halderman, professor of computer science and engineering at the University of Michigan, welcomed the opportunity to try to legally break into government software with his students. Within 36 hours, they found a tiny error that gave them full control of the system. “The flaw that we exploited was just such a small error—in tens of thousands of lines of computer source code, in one specific line the programmer had used double quotation marks instead of single quotation marks and that was enough to let us remotely change all the votes,” said Halderman. [Motherboard]

EU Developments

EU – CJEU Judgement: Dynamic IP Addresses Constitute Personal Data

On October 19, 2016, the Court of Justice of the European Union (CJEU) decided that the dynamic IP address of a website visitor is “personal data” under Directive 95/46EC (Data Protection Directive) in the hands of a website operator that has the means to compel an internet service provider to identify an individual based on the IP address. The case was brought by Patrick Breyer, a German Pirate Party politician. Breyer asserted that the German government’s storage of IP addresses of users visiting German government websites allowed the creation of user profiles and, therefore, was impermissible under Section 15 of the German Telemedia Act (TMA). The CJEU sided with Breyer. The Court largely followed the opinion that the court’s Advocate General issued on May 12, 2016. The CJEU relied on the Recital 26 of the Data Protection Directive, which states that in determining whether a person is identifiable, “account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person.” In applying the test to the German government’s program, the Court found that the website operators were collecting the IP addresses to identify cyber attackers and, in some cases, to bring criminal proceedings against them. In this context, the government would likely have a legitimate reason to demand that the internet service provider correlate the IP address to the account holder, and thus allow the government to re-identify the individual. Therefore, the court held that the reasonable likelihood test was met, concluding that the dynamic IP addresses in these circumstances were personal data. [Data Protection Report | The Ever-Expanding Concept of Personal Data } Your dynamic IP address is now protected personal data under EU law | Websites free to store IP addresses to prevent cyber attacks: EU court IAPP: CJEU Defines Personal Data in Breyer Decision | The Ever-Expanding Concept of Personal Data | Your dynamic IP address is now protected personal data under EU law | Websites free to store IP addresses to prevent cyber attacks: EU court]

UK – Surveillance by Consent: Commissioner Launches UK-Wide CCTV Strategy

Surveillance Camera Commissioner Tony Porter say there are six million CCTV Cameras across the UK, but many of them are poor quality or in the wrong place. Mr Porter said he wants to ensure surveillance cameras are protecting members of the public, rather than spying on them and has issued a 16-page draft national strategy to raise regulatory standards regarding the surveillance of public spaces. Only a year ago, less than 2% of public authorities operating surveillance cameras were doing so in compliance to “any British standard” according to Porter, who says that as of today 85% are now demonstrably “having regard” for the Home Office’s Surveillance Camera Code of Practice | Daily Mail | The Register]

EU – Other EU Privacy News


WW – New PCI Digital Security Standard Introduces Critical Changes

The Payment Card Industry Digital Security Standard (PCI DSS) is an information security standard for organisations that handle credit and debit cards from the major card companies, including Visa, MasterCard and American Express. Organisations that take payments from, process or store, card details are obliged to meet the security standard. Those who fail to observe the standard can find themselves excluded from receiving credit card payments and those who lose credit card numbers, or have them stolen from them, can face hefty fines for failure to meet the standard. A new release (3.2 ) to the standard has significant implications for card providers and their service providers. The standard consists of twelve broad principles:

  1. Install and maintain a firewall configuration to protect cardholder data;
  2. Do not use vendor-supplied defaults for system passwords and other security parameters;
  3. Protect stored cardholder data;
  4. Encrypt transmission of cardholder data across open, public networks;
  5. Use and regularly update anti-virus software on all systems commonly affected by malware;
  6. Develop and maintain secure systems and applications;
  7. Restrict access to cardholder data by business need-to-know;
  8. Assign a unique ID to each person with computer access;
  9. Restrict physical access to cardholder data;
  10. Track and monitor all access to network resources and cardholder data;
  11. Regularly test security systems and processes; and
  12. Maintain a policy that addresses information security.

The standard document describes the processes, policies and settings required to conform to these principles in quite granular detail. Since its release in 2004 only two major releases or revisions have been made to the standard. A new Version 4.0 is expected in early 2017. However, a number of ‘sub-releases’, containing revisions and clarifications, have been made between the three major releases. The most recent, Release 3.2, contains a number of significant changes which may have significantly implications and costs for organisations required to conform to the standard. According to the PCI SSC, these new standards must be implemented by organisations before 31st October 2016, when the prior standard Release, version 3.1, will no longer be valid. Of the changes required by the new PCI DSS Release 3.2 a number appear to arise directly from the lessons learned from the large recent hacking incidents in the US. These include:

  • New Rule 8.3 requires two-factor authentication to access the PCI segment of a network
  • Rule 3.3 require athat card numbers be partially masked when displayed
  • New Rule 10.8 requires that card service providers implement a process for the timely detection and reporting of failures of critical security control systems, setting out a sizeable list of devices over which such reporting is required.
  • Additional Rule 10.8.1 requires service providers to respond to failures in these systems in a timely manner, setting out in some detail what actions such responses should include.
  • New Rule requires that penetration tests be run on networks every six months to ensure that the PCI segment is effectively isolated from the rest of the network.
  • New rule 12.4.1 requires that that a named member of the executive management is responsible and accountable for the maintenance of PCI DSS compliance. It requires that a charter be established, setting out what information must be provided by those directly responsible for PCI compliance to the executive with direct authority.
  • Rule 12.11.1 requires organisations to perform reviews at least quarterly to confirm personnel are following security policies and operational procedures and to correctly document such reviews. The operational procedures which should be reviewed include daily log reviews.

[Mondaq] Se3e also: The PCI SSC said if breaches continue at their current rate, U.K. businesses could face up to 122 billion GBP in fines once the GDPR comes into effect, and recommends organizations work to prevent cyberattacks before 2018.

HK – E-Wallet Programs Store Data Too Long, Consumer Council Finds

The Consumer Council has revealed that some e-wallet companies have problematic data storage procedures, with information on “Alipay customers was stored permanently while Bank of Communications, O!ePay and TNG Wallet would retain the information for six to seven years.” An Alipay spokeswoman countered that only a “small portion” of consumers’ records was stored in the event of a money laundering investigation, and TNG Wallet said it maintained customer records to “meet the same standard established by the Hong Kong Monetary Authority,” the report states. However, council member Michael Hui King-man argued that the Personal Data (Privacy) Ordinance specified that “personal data should not be kept longer than is necessary.” [South China Morning Post]


CA – IPC ON Orders Disclosure of Consultant Report on Public Transit System

The Information and Privacy Commissioner in Ontario reviewed a decision by the Toronto Transit Commission to deny access to records requested, pursuant to the Municipal Freedom of Information and Protection of Privacy Act. The transit system can withhold information detailing its financial exposure and risk since disclosure would it cause severe economic and financial disadvantage during contractor negotiations; however, it must disclose a review of project that assessed performance, identified areas of improvement and recommended improvements for project efficiency. [IPC ON – Order MO-3347 – Toronto Transit Commission]

CA – OIPC SK Issues Guidelines on Conducting a Search for PHI

The Office of the Saskatchewan Information and Privacy Commissioner issued guidance on handling access requests for personal health information, pursuant to The Health Information Protection Act. A trustee of personal health information must make every reasonable effort to assist an applicant and respond to each request openly, accurately, and completely; organizations should communicate with the applicant to clarify the request, talk to people “in the know” (such as record managers), document the search strategy, and keep details of the actual search. [OIPC SK – The Search For Personal Health Information]

CA – OIPC SK Finds Disclosure of Emails, Trip Details and Public Information Does Not Qualify as Commercial Information

The Office of the Information and Privacy Commissioner in Saskatchewan reviewed a decision by Global Transportation Hub Authority to deny access to records requested, pursuant to the Freedom of Information and Protection of Privacy Act. A public body incorrectly withheld details of a trip to China, government invitations, public information about an association, and emails about a meeting; disclosure of the information would not harm the public body or a third party, and emails between the parties (where the third party objected to disclosure) cannot retroactively serve as proof that both parties intended for the information to be held in confidence. [OIPC SK – Review Report 158-2016 – Global Transportation Hub Authority]

CA – OIPC BC Orders Transportation Agency to Disclose Smart Card Defects

This OIPC order reviewed the decision by South Coast British Columbia Transportation Authority to deny access to records requested under British Columbia’s Freedom of Information and Protection of Privacy Act. Disclosure of the records would not impede a third party’s ability to obtain new work (the third party did not say how many competitors it has or refer to cases in which prospective customers rejected its bids, and it did not deny that it had been successful in recent bids despite negative media coverage); the third party could not prove that disclosure would give competitors “commercially valuable insight” into its business. [OIPC AB – Order F16-45 – South Coast British Columbia Transportation Authority (Translink)]

CA – NS Court Orders Hospital to Produce De-Identified Medical Records

The Supreme Court of Nova Scotia considered a motion for the production of records by Aberdeen Hospital in a lawsuit, pursuant to the Personal Health Information Act. The doctor seeks the disclosure of patient records with respect to his whereabouts when he was not with a patient leading up to the birth of her infant; the names and personal health information of the patients do not need to be disclosed to meet this requirement, but the hospital must produce this information for the doctor as it is relevant to the lawsuit and the records are in the hospital’s control (the doctor could seek patient consent for the release of records, however the hospital is custodian of the records). [Finney v. Joshi – 2016 NSSC 227 – Supreme Court of Nova Scotia]


CA – Canada’s Genetic Privacy Bills and How They Compare

Timothy Banks writes about two new bills addressing genetic privacy in Canada. “News reports frequently suggest that Canada is alone amongst G-7 countries in not having a law specifically addressing genetic discrimination.” Analyzing these bills and putting them up against laws in the U.K. and U.S., Banks writes that “Canada might be late to the table, but the Canadian anti-discrimination laws, if either were passed, would prohibit the use of genetic testing and genetic characteristics to make distinctions between individuals in far more circumstances than is currently the case in either the U.K. or the U.S.” [Privacy Tracker]

Health / Medical

US – New HHS Guidance Makes Clear HIPAA Applies in the Cloud

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has released guidance making clear that cloud service providers (CSPs) that create, receive, maintain, or transmit electronic protected health information (PHI) are covered by HIPAA. The guidance is notable for its broad scope [and] clarifies how and when HIPAA applies in the cloud service context. [Hogan & Lovells]

US – Health Care Lawyers Say Industry at Greatest Risk of Breach: Study

A study conducted by the American Health Lawyers Association and Bloomberg Law found 87% of health law attorneys believe their health care clients are more likely to suffer a cyberattack than other industries. The study polled 290 health care lawyers, with 97% saying they anticipate having greater involvement in their client’s cybersecurity efforts within the next three years, and 75% saying their practices are developing cybersecurity experience to meet the demand. However, 40% fear their plans to respond to an attack are “too generic and lack specific guidance for the types of incidents their organizations or clients might face.” Only 21 percent of the respondents are involved with cybersecurity efforts before a breach, while 46% are asked for counsel after an attack. [Modern health Care]

CA – NS Court Orders Hospital to Produce De-Identified Medical Records for Doctor’s Private Lawsuit

The Supreme Court of Nova Scotia considered a motion for the production of records by Aberdeen Hospital in a lawsuit, pursuant to the Personal Health Information Act. The doctor seeks the disclosure of patient records with respect to his whereabouts when he was not with a patient leading up to the birth of her infant; the names and personal health information of the patients do not need to be disclosed to meet this requirement, but the hospital must produce this information for the doctor as it is relevant to the lawsuit and the records are in the hospital’s control (the doctor could seek patient consent for the release of records, however the hospital is custodian of the records). [Finney v. Joshi – 2016 NSSC 227 – Supreme Court of Nova Scotia]

US – ONC, OCR Announce Updates to HIPAA Security Tool

The Office of the National Coordinator and the Office for Civil Rights have revised and updated the HIPAA Security Risk Assessment Tool. The updates include increased Windows compatibility, a Save As feature, and expanded customization of PDF files, the report states. “You can use the tool as your local repository for your answers, comments and plans,” said the ONC’s Ebony Brice and the OCR’s Nick Heesters. “Your answers are stored wherever you store the tool and neither OCR nor ONC can access your answers. You can use the tool as often as you need to reassess your organization’s health information security risks. We encourage you to conduct risk assessments on an annual basis.” [HealthITSecurity]

US – Doctors Continue to Wage War on HIPAA Requirements, Bad Yelp Reviews

Physicians are working to strike back against sometimes unfair Yelp reviews while working to stay within HIPAA confidentiality requirements. “Yelp is the bane of many doctors’ existence,” said Dr. Jonathan Kaplan. “A patient can be really vocal, but you cannot. It’s not a fair playing field.” Yelp has said it will only remove those reviews that include “hate speech, threats or harassment,” conflict of interest, or exclude “direct experience with the provider.” Otherwise, doctors are on their own. “Patients can post very detailed information about themselves and their providers, but the providers have to be very vague when they respond,” said Planet Hipaa’s Danika Brinda. Many doctors have taken to encouraging patients to leave positive reviews to offset the negative remarks, or have begun reaching out to disgruntled reviewers directly. [San Francisco Chronicle]

Horror Stories

WW – Weebly Suffers Data Breach, Compromising 43M User Accounts

Data breach notification site LeakedSource has said web design platform Weebly suffered a data breach in February, compromising the usernames and passwords of 43 million users. Weebly sent an email to users saying IP addresses were also taken in the breach. The company contends it does not believe any customer websites have been improperly accessed. The passwords taken in the breach are protected by a strong hashing algorithm, and Weebly said it does not store any credit card information, making it unlikely any users will be affected by fraudulent charges. LeakedSource was notified of the breach when an anonymous source gave the site Weebly’s database. LeakedSource then notified Weebly of the incident, and now said Weebly is in the process of resetting user passwords. [TechCrunch]

US – Report Details OPM’s 2015 Hack

A WIRED report covers the 2015 Office of Personnel Management hack, from agency employees’ discovery of the breach, their realization that the attack was most likely an advanced persistent threat, and their subsequent investigation. It also looks to the future, exploring the faults of security tools like unpaired encryption and how the agency can best rebuild. To remedy the loss of data in the attack, “a cybersecurity overhaul of this magnitude will, of course, require an abundance of talent,” the report states. “And that means much depends on how well government recruiters can convince the best engineers that being locked in a high-stakes competition with supervillain-esque adversaries is more exciting than working in Silicon Valley.” [WIRED]

Identity Issues

UK – Porn Age Verification Proposal Outrages Privacy Advocates

The UK has an online age-checking plan to stop kids from watching porn, but porn-browsing adults would also hit an Age Gate which might verify age via banking or social media accounts.The GCHQ has already expressed a Chinese-esque plan to create the Great UK firewall, but now the UK, which previously dabbled in porn blocking, wants online age verification services to ensure that people viewing porn are age 18 or over; the dangerous implementation of the system has outraged privacy advocates.ComputerWorld | Porn viewers could all be added to a country-wide database of viewing habits under new age verification scheme | Protesters gathered around Parliament to voice their disapproval of a digital economy bill penalizing online pornographic websites not asking for “robust” proof they are over 18 before accessing the content. The Department for Culture, Media and Sports cited credit cards or electoral records as possible examples of verification, but no specifics had been made. “There is an impact on privacy,” said lawyer and obscenity laws campaigner Myles Jackman. “We could see age verification be done by private companies; there is no guarantee that your personal details will be kept private, will not be sent to a third party, will not be leaked or hacked Ashley Madison-style.” The bill is currently going through the House of Commons. [BuzzFeed: Protesters Voice Disapproval of Bill Requesting ID to Watch Pornography]

EU – Ireland DPC Publishes Guidance on Anonymisation and Pseudonymisation

The Irish Data Protection Commissioner has published guidance on the use of data anonymisation and pseudonymisation. This follows similar guidance published by EU regulators in 2014. The DPC’s guidance focuses on the effectiveness of anonymisation techniques and provides recommendations for organisations wishing to use these techniques. Anonymisation of data is a technique used to irreversibly prevent an individual being identified from that data. Pseudonymisation, on the other hand, is not a method of anonymisation. Instead, it is a method of replacing one attribute in a record, such as a name, with another, such as a unique number Given this, pseudonymisation still allows an individual to be identified, but indirectly. Importantly, the DPC warns that while pseudonymisation is a useful security measure, pseudonymised data remains ‘personal data’ as defined in the Acts. Despite this, the DPC recognises that effectively anonymised data identified is not personal data and therefore falls outside the scope of the Acts. In the DPC’s view, the threshold for truly anonymised data is extremely high. To meet this threshold, organisations must take appropriate steps to ensure that individuals are not identified by or identifiable from the data in question. In other words, organisations must ensure that the information can no longer be considered personal data. In order to determine whether an individual is identified or identifiable, the DPC suggests that organisations should consider whether a person can be distinguished from other members of a group. A person is identifiable even if identification is merely a possibility (in other words, even if the person has not actually been identified). The effectiveness and strength of any anonymisation technique is primarily based on the likelihood of re-identifying an individual. There are a number of ways in which data can be re-identified, such as ‘singling out’, ‘data linking’, ‘inference’ and ‘personal knowledge’. The DPC accepts that it is impossible to state with any certainty that an individual will never be identified from an anonymised data set. This is because more advanced data de-identification technologies may be developed and additional data sets may be released into the public domain allowing for cross-comparison of data. This, again, sets the bar very high for true anonymisation. In assessing the risk of re-identification, the DPC suggests that organisations should consider whether the data can be re-identified with reasonable effort by someone within the organisation or by a potential “intruder”. In carrying out this analysis, organisations should take into account technological capabilities along with the information that is available for re-identification. If organisations intend to make anonymised data available to the public, the DPC warns that there is a much higher burden on ensuring that the information is effectively anonymised so that individuals cannot be identified. Importantly, the DPC advises that if an organisation retains the underlying source data following anonymisation, the “anonymised” data will still be considered to be personal data. The main takeaway from the DPC’s guidance is the considerable threshold for rendering data truly anonymous. Pseudonymisation alone is not sufficient to render personal data anonymous and the DPC recommends using a combination of anonymisation techniques. [MHC]

Internet / WWW

WW – International DPAs Adopt New Resolutions

At the 38th International Privacy Conference in Marrakech, Morocco, the International Conference of Data Protection & Privacy Commissioners adopted several resolutions, including a resolution for the adoption of an International Competency Framework on Privacy Education, Developing New Metrics of Data Protection Regulation, Human Rights Defenders, and International Enforcement Cooperation. The group also released an International Competency Framework for school students on data protection and privacy. In past years, the ICDPPC has issued resolutions on cooperating with the U.N. Special Rapporteur on the Right to Privacy, big data, web tracking, and cloud computing. [ICDPPC]

WW – Skype, Snapchat Low on Amnesty International Privacy Rankings

Amnesty International has graded 11 of the most popular messaging apps in its Message Privacy Ranking, in which Snapchat and Skype received some of the lowest scores. Amnesty International’s ‘Message Privacy Ranking’ ranks technology companies on a scale of one to 100 based on how well they do five things:

  • Recognize online threats to their users’ privacy and freedom of expression
  • Apply end-to-end encryption as a default
  • Make users aware of threats to their rights, and the level of encryption in place
  • Disclose details of government requests to the company for user data, and how they respond
  • Publish technical details of their encryption systems

Snapchat received a 26 out of 100 on the organization’s scale, while Skype received 40 out of 100. Neither app used end-to-end encryption, which Amnesty argues should be a given in messaging apps. “It is up to tech firms to respond to well-known threats to their users’ privacy and freedom of expression, yet many companies are falling at the first hurdle by failing to provide an adequate level of encryption,” said Amnesty. Press Release | The Huffington Post | Easy guide to encryption and why it matters]

WW – Common Thread Network Launches New Website

U.K. Information Commissioner Elizabeth Denham and Privacy Commissioner of Canada Daniel Therrien co-chaired the Common Thread Network’s Annual General Meeting in Marrakech, Morocco on Oct. 18, where they also announced the group’s new website, the U.K. Information Commissioner’s Office said in a statement. Established in 2014, the Common Thread Network is comprised of 20 data protection leaders from across the globe who work to “further a common approach to respecting citizens’ privacy, to promote and build capacity in the sharing of knowledge and good practices for effective data protection.” “The new website is one among many features which the Common Thread Network intends to use to foster a common approach and create synergies among commonwealth nations to uphold individuals’ privacy and data protection rights.” [ICO.uk]

CA – Can “Cloud Sovereignty” Keep Canadian Data Safe from Global Hacks?

Montreal cloud computing company CloudOps and Chatham, Ontario-based independent telecom provider Teksavvy are partnering to scale cloud.ca, an independent cloud infrastructure services company, in order to give Canadian businesses a stronger domestic platform on which they can more securely innovate on the global stage. Cloud.ca’s Internet-as-a-Service platform appears to be a well-timed answer to the question of whether or not it’s a great idea to run a business on servers south of the border, or to use their term, to reclaim “end-to-end data sovereignty” over how our data crosses borders. “The cloud.ca partnership between TekSavvy and CloudOps brings together leaders in regional networking, data centre, and cloud IaaS that offers a unique competitive advantage for jurisdiction-conscious Canadian customers,” said Philbert Shih, Managing Director of Toronto-based independent research and consulting firm focused on hosting and cloud infrastructure, Structure Research. Whether the appeal to independence, in either a national or “free from the Big Telcos” sense, or nationalism, for either patriotic or pragmatic reasons, is enough to appeal to a large enough user base of Canadian businesses to keep cloud.ca viable remains an open question. [Can Tech]


WW – “Anonymous” Yik Yak Users Can Be Tracked Down, Say Researchers

Researchers have found that Yik Yak anonymity can be erased even without a warrant or Yik Yak’s compliance with US laws that force it to turn over user information. The researchers did it by relying on publicly available location data from the app, mixed with location-spoofing and message-recording on a device outfitted with simple machine learning. [Naked Security]

Online Privacy

WW – Google Has Quietly Dropped Ban on Personally Identifiable Web Tracking

Google is the latest tech company to drop the longstanding wall between anonymous online ad tracking and user’s names this summer, Google quietly erased that last privacy line in the sand – literally crossing out the lines in its privacy policy that promised to keep the two pots of data separate by default. In its place, Google substituted new language that says browsing habits “may be” combined with what the company learns from the use Gmail and other tools. The change is enabled by default for new Google accounts. Existing users were prompted to opt-in to the change To opt-out of Google’s identified tracking, visit the Activity controls on Google’s My Account page, and uncheck the box next to “Include Chrome browsing history and activity from websites and apps that use Google services.” You can also delete past activity from your account. [ProPublica | Google’s ad tracking is as creepy as Facebook’s. Here’s how to disable it]

US – Advertising Alliance to Begin Enforcing Cross-Device Tracking Code in 2017

The Digital Advertising Alliance has announced that it will begin enforcing the industry’s “privacy code for cross-device tracking” beginning in February of 2017. The November 2015-released code “sets out privacy rules governing ad networks, publishers and other companies that collect data from one type of computer  in order to serve ads to different devices used by the same consumer,” the report states. “This restriction means that if a user opts out on a laptop, marketers can’t use data collected from that laptop to serve ads on any device linked to the person.” The DAA’s Lou Mastria added that the agency established its February 2017 start date to allow companies time to adhere to the new code. [MediaPost]

WW – Journal Issue Focuses on Privacy and Ethics in Educational Data Analytics

An issue of the Springer journal, “Education Technology Research and Development,” covered the relationship between ethics and privacy in learning analytics. Professors Dr. Dirk Ifenthaler and Dr. Monica Tracey guest edited the issue, explaining why the growth of educational big data doesn’t necessarily result in better learning environments. Education institutions can use student data such as “socio-demographic information, grades on higher education entrance qualifications, or pass and fail rates” to allocate resources, or determine whether a student will drop out of school. “Consequently, higher education institutions need to address ethics and privacy issues linked to educational data analytics. They need to define who has access to which data, where and how long the data will be stored, and which procedures and algorithms to implement for further use of the available data,” said Ifenthaler. [phys.org See also: [Educational tech, balancing students’ privacy a challenge]

Other Jurisdictions

AU – Australian Bill to Create Mandatory Breach Reporting Regime

Australia’s Privacy Amendment (Notifiable Data Breaches) Bill 2016 received first reading. Notification of a data breach must be provided to both affected individuals and the OAIC if there is a risk of serious harm to affected individuals (determined by consideration of various factors, including the sensitivity of the information and the security measures that were in place) or if directed to do so by the OAIC; notification to affected individuals is to generally take place using the normal method of communication with the individual. [Privacy Amendment (Notifiable Data Breaches) Bill 2016 – House of Representatives, The Parliament of the Commonwealth of Australia Bill | Explanatory Memorandum | Progress of Bill] [New Mandatory Data Breach Notification Bill] See also: The Australian Senate has passed a bill allowing for a cancer screening register after the government amended it with stronger privacy protections suggested by Privacy Commissioner Timothy Pilgrim.

WW – Cavoukian Launches Global Council on Privacy by Design

Ryerson University Executive Director Ann Cavoukian has launched the International Council on Global Privacy and Security, by Design. The mission, according to a press release, “is to dispel the commonly held view that organizations must choose between privacy and public safety or business interests,” and its “goal is to educate stakeholders that public- and private-sector organizations can develop policies and technologies where privacy and public safety, and privacy and big data, can work together” for a better outcome. The council will work with businesses, data protection authorities, and technology professionals to educate and raise awareness of these privacy and public safety issues. [GPSbyDesign.org]

Privacy (US)

US – New FTC Data Breach Response: A Guide for Business

This week, the FTC announced on its Business Blog the release of Data Breach Response: A Guide for Business. The Guide’s release seems to be part of the FTC’s push to position itself as the main federal regulator of data security practices and is available for free on the FTC’s website. The Guide outlines the steps to take and those that should be contacted when there is a data breach; and includes advise on securing systems, how to handle service providers, and network segmentation. In addition, it has tips on notifying law enforcement, affected businesses and individuals. The Guide even has a model data breach letter to notify people whose Social Security numbers have been stolen. The FTC smartly drafted the Guide so that those who are not security and data privacy professionals can understand. Along with the 16-page Guide the FTC released a video. Accompanying the release of the video and blog is an update to the FTC’s guide Protecting Personal Information: A Guide for Business. The FTC has been very active in this area, last year releasing both the Start with Security: A Guide for Business and Careful Connections: Building Security in the Internet of Things. The new Data Breach Response: A Guide for Business gives insight into what the FTC expects businesses to do in the case of a data breach and following the guide will go a long way in convincing the FTC or state regulators that a business took the necessary and sufficient steps after a data breach has occurred. Note that the date of the Guide is September 2016, although the announcement occurred this week. [InfoLawGroup]

US – FTC to Host Public Conference on Identity Theft

The FTC announced it will host an all-day conference studying the current state of identity theft and what it may look like in the future. “Planning for the Future: A Conference About Identity Theft” will take place on May 24, 2017, in Washington and will bring together academics, business and industry representatives, government officials, and consumer advocates to discuss the ways identity theft affects consumers. “The FTC event will look at the full life cycle of identity theft, addressing how identity thieves acquire consumers’ information and what information they seek most often, as well as the cost and ease with which consumers’ data can be acquired. In addition, the conference will examine how identity thieves use information, and how they may attempt to use it in the future.” [FTC]

US – DOJ Wants to Overturn Microsoft V. United States

In July, the Second Circuit Court of Appeals in New York overturned a ruling in Microsoft v. United States that forced Microsoft to hand over private email correspondence and other data to US law enforcement from servers based in Dublin, Ireland. It was a victory for privacy because the Department of Justice (DOJ) was unable to force compliance of the Stored Communications Act. But last week, the DOJ expressed interest in re-hearing Microsoft v. United States, once again jeopardizing domestic and international privacy rights. If the decision is overturned, not only will Microsoft’s security be threatened, but so too will all foreign nations that house data owned by any US-based company. Sponsored Video: Know Right Now: USA Freedom Act Signed Into Law If the July ruling is indeed overturned, the Fourth Amendment will be seriously weakened and taxpayers will have no assurance that continued overreach by the DOJ will be stopped. Not only will future domestic investigations not need a warrant, but neither will those of an international scope. The utter lack of safeguards in place would point to a foreseeable overreach by U.S. investigators and the destruction of the nation’s diplomatic efforts. The U.S. government would assuredly be mad if a foreign country took private data and intelligence from our soil without a warrant. After all, the U.S. has started wars over more trivial matters. So why would any reasonable court believe that the U.S. has a special “hall-pass” to do whatever it pleases with other nations’ data? [IJR.com] See also: [US government wants Microsoft ‘Irish email’ case reopened | Microsoft Cloud Warrant Case Edges Closer to Supreme Court | Government Seeks Do-Over On Win For Microsoft And Its Overseas Data | Lawmakers question DOJ’s appeal of Microsoft Irish data case]

US – Other US Privacy News

Privacy Enhancing Technologies (PETs)

UK – Wearable Badge Could Blur Your Face in Unwanted Social Media Photos

More than 1.8 billion photos are uploaded to the internet every day. From baby showers to funerals and street photography to office parties, nearly every aspect of our life is documented and stored in the cloud indefinitely — sometimes, whether we like it or not. Now, a new physical badge is designed to give people control over their own image by signalling to algorithms that the wearer does not wish to be photographed, so their face can be automatically blurred in photos. The Do Not Snap badge is a physical, wearable symbol. It works by pairing up with software capable of identifying this symbol in different settings, which will then flag it up and automatically blur the face of the wearer on whatever platform the photo is on. Upload a photo of a friend or child wearing it to a social network and that network could censor out their face, for example, respecting their wishes not to have images of them shared online. It’s up to social networks to decide whether to honour the Do Not Snap. [UK Business Insider]


WW – Over 80% of Employees Lack Security/Privacy Awareness: Report

A new study has revealed worryingly low levels of employee cybersecurity and privacy awareness, with 88% described as lacking the requisite skills to prevent an incident. The MediaPro 2016 State of Privacy and Security Awareness Report was compiled from interviews with over 1000 US employees. Only 12% were classed as ‘hero’ – meaning they are able to identify and dispose of information safely, recognize malware and phishing attacks and keep info safe when working remotely. Unfortunately, 72% were classed as ‘novice’ while 16% were judged to exhibit the kind of behaviors that could put their organization at serious risk of a major privacy or security incident. Some 39% of respondents claimed to discard password hints insecurely, for example in a bin; a quarter failed to recognize a phishing email with a suspicious looking attachment and questionable “from address”; and 26% said they thought it was fine to use a personal USB to transfer work documents outside of the office. What’s more, 30% said they thought it was fine to post on behalf of their company to a personal social media account. “This survey clearly shows the human threat vector is still largely unsecured, and most organizations don’t really know whether their employees have the necessary level of data protection awareness to avoid preventable incidents,” said MediaPro founder Steve Conrad. The most recent stats from the Information Commissioner’s Office (ICO) revealed an increase in human error-related data breach incidents reported to the UK privacy watchdog. Incidents involving data being sent by email to an incorrect recipient increased by 60% between the first and second quarters of 2016, while the number of incidents involving failure to redact data jumped by 64% from Q1 to Q2. Yet some experts at Infosecurity Europe this year argued that current training programs are largely ineffective. The focus should be on changing people’s behavior rather than raising awareness, as the latter does little to improve information security, they argued. [InfoSecurity]

Smart Cars

US – NHTSA Releases Guidelines for Automotive Cybersecurity

The National Highway Traffic Safety Administration released a set of guidelines to help improve cybersecurity in vehicles. The 22-page set of best practices is designed to help auto manufacturers handle hacking attempts and to encourage car companies to incorporate security protocols into their vehicles. The NHTSA best practices include recommending a “layered approach,” placing critical system security over other safety-specific features, while endorsing information sharing in “as close to real time as possible” in the event of a cybersecurity incident. The NHTSA also encourages revealing any potential vulnerabilities, as well as holding onto any data used for a self-audit. [TechCrunch]


US – Surveillance up 500 % in D.C.-area Since 2011 –Almost All Sealed Cases

Secret law enforcement requests to conduct electronic surveillance in domestic criminal cases have surged in federal courts In Northern Virginia, electronic-surveillance requests increased 500% in the past five years, from 305 in 2011 to a pace set to pass 1,800 this year. Only one of the total 4,113 applications in those five years had been unsealed as of late July, according to information from the Alexandria division of the U.S. District Court for the Eastern District of Virginia, which covers northern Virginia. The federal court for the District of Columbia had 235 requests in 2012, made by the local U.S. attorney’s office. By 2013, requests in the District had climbed 240 percent, to about 564, according to information released by the court’s chief judge and clerk. Three of the 235 applications from 2012 have been unsealed. [Washington Post]

US – Police Convinced Courts to Let Them Track Cellphones Without Warrant

The Chicago Police Department has acquired and used several varieties of advanced cellphone trackers since at least 2005 to target suspects in robberies, murders, kidnappings, and drug investigations. In most instances, officers only lightly described the devices’ advanced technical surveillance capabilities to courts, which allowed the police to use them, often without a warrant. Now, after a lengthy legal battle waged by Freddy Martinez, a Chicago software technician, court orders and case notes were released, painting a more detailed picture of how the second-largest police precinct in the U.S. uses surveillance technology to track cellphones. According to the purchase records, some of which Martinez had previously obtained in more redacted form, the Chicago Police Department’s Organized Crime Division spent hundreds of thousands of dollars over more than 10 years buying multiple different models of IMSI catchers (cellphone trackers & Cell-site simulators), as well as upgrades, training programs, software, and attachments. The department purchased Harris Corporation’s Stingrays — a popular model used by many police departments across the country, and King Fish — a more powerful cellphone tracker. It also bought DRT boxes, known as dirt boxes — military grade trackers made by Digital Receiver Technology Inc., a subsidiary of Boeing. The Chicago PD also turned over 43 records of times they deployed cellphone trackers in the past 10 years — which Martinez suggests is likely still lower than the actual amount of times the devices were used. [The Intercept]

Telecom / TV

US – Broadband Privacy Rules Approved Despite Industry Pushback

Federal regulators have approved new broadband privacy rules that make internet service providers like Comcast and Verizon ask customers’ permission before using or sharing much of their data, potentially making it more difficult for them to grow advertising businesses. Under the measure, for example, a broadband provider has to ask a customer’s permission before it can tell an advertiser exactly where that customer is by tracking her phone and what interests she has gleaned from the websites she’s visited on it and the apps she’s used. For some information that’s not considered as private, like names and addresses, there’s a more lenient approach. Customers should assume that broadband providers can use that information, but they can “opt-out” of letting them do so. The Federal Communications Commission’s measure was scaled back from an earlier proposal, but was still criticized by the advertising, telecommunications and cable industries, who want to increase revenue from ad businesses of their own. Companies and industry groups say it’s confusing and unfair that the regulations are stricter than the Federal Trade Commission standards that digital-advertising behemoths such as Google and Facebook operate under. The FCC does not regulate such web companies. FCC officials approved the rules on a 3-2 vote Thursday, its latest contentious measure to pass on party lines. “It is the consumer’s information. How it is to be used should be the consumers’ choice, not the choice of some corporate algorithm,” said Tom Wheeler, the Democratic chairman of the FCC who has pushed for the privacy measure and other efforts that have angered phone and cable companies. AT&T and other players have fought the “net neutrality” rules, which went into effect last year, that say ISPs can’t favor their some internet traffic. Another measure that could make the cable-box market more competitive is still waiting for an FCC vote. [Associated Press]

US – Ohm: FCC’s Privacy Proposal is ‘Sensible’

In a post for the Benton Foundation, Georgetown University Law Center professor Paul Ohm argues the pending FCC broadband consumer privacy proposal is “sensible.” He contends ISPs “jeopardize” consumer privacy “in ways the phone company and postal service” do not, pointing out that an ISP is the “mandatory first hop to the rest of the internet” giving ISPs “a nearly-comprehensive picture” of what a user does. He concludes, “If the FCC’s commissioners hold on to their commitments over the next few weeks and resist the continuing barrage from those urging them to water down the new privacy rules, they will accomplish something truly important. They will long be remembered and celebrated for protecting the kind of privacy we need to ensure safe, dynamic, and innovative online spaces. [Benton.org]

Workplace Privacy

US – DOT Screening Program Doesn’t Violate Drivers’ Privacy

The Transportation Department didn’t violate truck drivers’ privacy by providing information about their non-serious safety violations to prospective employers, a federal appeals court decided ( Flock v. U.S. Dep’t of Transp. , 2016 BL 351349, 1st Cir., No. 15-2310, 10/21/16 ). The ruling leaves intact the pre-employment screening program, or PSP, launched in 2010 by the DOT’s Federal Motor Carrier Safety Administration. For a fee, the program gives employers access to commercial driver applicants’ crash and inspection information. Driver consent is required before information is disclosed by the government. In the present case, drivers contended that the PSP database should include only serious safety violations. They claimed that the inclusion of non-serious offenses, such as speeding tickets and other fines, violated their rights under the Privacy Act. The U.S. Court of Appeals for the First Circuit disagreed, upholding the dismissal the drivers’ claim. The law allowing the FMCSA to collect safety information doesn’t restrict the agency’s discretion to disclose non-serious violations to employers, provided they have the drivers’ consent, the court said. The court also rejected the drivers’ argument that the PSP’s consent forms are coercive because they must be signed in order for the drivers to seek employment. Employer use of the PSP is optional, and the drivers didn’t present evidence that their employment chances are “doomed entirely” because of the inclusion of non-serious violations, the court said. [bna.com]

WW – The Changing Face of IT Training

It’s the second-most universal aspect of the job of privacy: organizing and providing privacy-related awareness and training. Not only must privacy pros be steeped in the knowledge of privacy law, but the IAPP-EY Privacy Governance Report says 78% of privacy pros also need to know how to convey some portion of that knowledge to others. Whether it’s HR, marketing or IT, different areas of the organization need different information. [IAPP.org]