Privacy News Highlights: 19-25 April 2016

Canada

CA – Manitoba Ombudsman Lays Charges for “Snooping”

The Manitoba Ombudsman has laid charges for snooping under new provisions in the Personal Health Information Act. Individuals using, accessing or attempting to access personal health information without cause are now committing a fineable offence under the Personal Health Information Act. [Manitoba Ombudsman lays “snooping” charge under The Personal Health Information Act]

CA – Ransomware: OIPC SK Provides Guidance on Preventive Measures

The OIPC in Saskatchewan released guidance to public and private sector organisations on how to manage ransomware. Organizations should install anti-virus software, educate employees about phishing attacks, maintain offline backups of data and have an infection response plan in place; if attacked remove the infection, and attempt to restore the files or system from backup. [Office of the Saskatchewan Information and Privacy Commissioner – Ran$omware…What You Need to Know]

CA – Assisted Dying Bill C-14 Could Violate Charter, Feds Acknowledge

In a written explanation of the reasoning behind the proposed new law on medical assistance in dying, the Justice Department acknowledges that the bill could violate the charter of rights on a number of fronts.

They include:

  • Excluding those who are suffering intolerably but whose natural death is not reasonably foreseeable could violate the right to life, liberty and security of the person.
  • Treating people differently on the basis of their different medical conditions could violate equality rights.
  • Not allowing advance directives could force those with competence-eroding conditions like dementia to take their lives prematurely or risk permanently losing access to medically assisted death once they no longer have capacity to consent, thereby violating equality rights and the right to life, liberty and security of the person.
  • Restricting access to adults at least 18 years of age could violate the right not to be discriminated against based on age.
  • Requiring two independent people to witness a written request for medical assistance in dying could violate privacy rights. [Source]

CA – OPC to Investigate RCMP Over Alleged Stingray Cellphone Surveillance

While the outcome of the Privacy Commissioner’s investigation may hinge on whether the RCMP obtained proper judicial authorization prior to the use of Stingrays in particular cases, the validity of the legislation providing for such authorization could be open to an attack under the Canadian Charter of Rights and Freedoms and might also contravene telecommunications legislation. Whatever the legal outcome, the disclosure of the use of Stingrays has already sparked a public debate that could act as a catalyst for new legislation specifically regulating the use of Stingray devices. [Source]

CA – Brison Pledges to Improve Reporting of Privacy Breaches

Treasury Board will work with Canada’s Privacy Commissioner to improve the reporting of privacy breaches by federal government departments, said Treasury Board President Scott Brison following a committee meeting. “It’s an area that we will work with the commissioner and the commissioner’s office and with departments and agencies to understand fully what we can do to improve results and we’re seized with it.” Brison’s comments come after documents tabled in Parliament last week revealed that federal government departments and agencies breached the privacy of thousands of Canadians last year but only a fraction of those incidents were ever reported to Canada’s Privacy Commissioner Daniel Therrien. While departments don’t have to inform the privacy commissioner’s office of every incident, the documents also revealed that there was a wide range in the proportion of the breaches reported to the Privacy Commissioner’s office. [Source]

CA – RCMP Memo Details Public Safety Risks Via Surveillance Devices

A 2011 internal Royal Canadian Mounted Police memo warns of the ways in which IMSI catchers can negatively affect public safety. The memo mentions how the devices, which mimic cellphone towers to obtain data, can block important phone calls, including people dialing 911. RCMP has been using IMSI to surveil for potential crimes, but the internal memo indicates warnings of a risk to innocent third parties. Details within the memo also hint at expanded use of the devices by the RCMP. “When considering whether the use of the [IMSI catcher] should be authorized … officers should weigh the need to prevent imminent bodily harm, preserve life and investigate serious crimes … against the importance of having a reliable 911 system that Canadians can count on in all circumstances,” the memo reads. [The Globe and Mail]

Consumer

US – Poll: American Voters Overwhelmingly Want Privacy, Encryption

Voters overwhelmingly support encryption and other measures to protect their digital privacy, according to a new poll from ACT | The App Association trade group. In the survey, 93% of respondents said it’s important that the photos, health data or financial information they store on their phones and apps, or share online, stay secure and private. Nearly the same number (92 percent) said they need “powerful, consumer-focused encryption technology” to make sure their information is secure. Meanwhile, the survey also found that 54% of respondents trust tech companies like Apple, Google and Facebook more than federal agencies, like the FBI, to protect personal information on their electronic devices. Only 21% said the reverse. [FedScoop]

US – Study: Trust in Social Media Companies Ranks Very Low

An Environics Communications study found only 26% of those surveyed ranked social media with a five or higher on a seven-point scale of trustworthiness. “These are relatively new industries, they haven’t had a lot of time to accumulate baggage … but there’s something about what’s going on that is not creating trust,” said Environics CEO Bruce MacLellan. Companies’ use of personally identifiable information and other elements of a user’s social media content for targeted advertising may be the source of anxiety. “The whole privacy issue is a huge part of this,” MacLellan said. “People are wary about what’s going on with that content, and how it’s being used.” [The Globe and Mail]

E-Mail

US – Email Privacy Act Expected to Pass in House Vote

House Majority Leader Kevin McCarthy, R-Calif., docketed a vote for the Email Privacy Act in the upcoming week. If passed, the legislation would mandate law enforcement officials get a warrant before accessing users’ electronic communications stored by tech companies, the report states. It came through committee in early April with only minor revisions. While the bill is believed to pass the House with ease due to its more than 300 co-sponsors, its Senate journey might not be so clear-cut, the report adds. Senate Judiciary Committee Chairman Chuck Grassley, R-Iowa, “has previously expressed sympathy for some agencies’ concerns.” [The Hill]

US – Study: Phishing Email Attacks on the Rise

Verizon’s ninth annual Data Breach Report found that phishing emails were the primary catalyst for data loss, with the amount of emails opened growing from 23-30% in the last year. Embracing two-factor authentication is one potential for companies looking to avoid falling prey to phishing attacks, said Verizon’s Bryan Sartin. “It would mitigate an entire swathe of these breaches.” [CSO Online]

Encryption

US – Tech Groups Write Open Letter Criticizing Encryption Bill

Four major tech groups, representing companies including Facebook, Netflix and Google, have written an open letter to a pair of senators regarding their bill requiring all encryption have the ability to be cracked when needed. The bill, by Senators Richard Burr, R-N.C, and Dianne Feinstein, D-Calif., was recently leaked and widely criticized. “We write to express our deep concerns about well-intentioned but ultimately unworkable policies around encryption that would weaken the very defenses we need to protect us from people who want to cause economic and physical harm,” the letter’s opening reads. The letter arrives at the same time a new survey from ACT reveals that 93% of respondents said it’s important their data is secured, with 92% needing strong encryption on their devices. [TechCrunch]

EU Developments

EU – EDPS Finds Commission Proposal to Exchange Non-EU Citizens’ Criminal Data Disproportionate

The European Data Protection Supervisor provides an opinion on the European Commission’s proposal to extend the European Criminal Records Information System to third country nationals. Member States would be obliged to store the fingerprints of all convicted non-EU citizens to ensure proper identification of individuals; however, not all Member States store fingerprint data or are connected to the national automated fingerprint identification system, and it is not necessary or proportionate to require storage of fingerprint data regardless of States’ sanction thresholds or the nature of the offence. [EDPS – Opinion 3/2016 – Exchange of Information on Third Country Nationals as Regards the European Criminal Records Information System]

EU – German Constitutional Court Finds Police Investigative Powers Too Broad

The German Federal Constitutional Court hears a complaint alleging that certain provisions introduced into the Federal Criminal Police Office Act are unconstitutional. Criteria for collection of personal data do not have requirements that a specific and foreseeable incident is present or an individual’s behavior substantiates a specific probability for terrorist offences, surveillance of private homes is not fully proportionality and constitutes a serious interference with individual privacy (it should focus exclusively on target persons communications), and the body charged with viewing the collected data (members of the police force) are not sufficiently independent. [Germany Federal Constitutional Court Declared BKA Act Partly Unconstitutional]

EU – US Hesitant to Renegotiate Privacy Shield Following EU Regulators’ Opinion

After European privacy regulators articulated concerns with Privacy Shield, the U.S. is reluctant to reopen negotiations. European data protection authorities weren’t pleased with the amount of U.S. surveillance permitted in the new Shield agreement, and while their approval is not needed to finish the deal, they will be enforcing it and aiming to ensure it doesn’t meet the same fate as Safe Harbor. With massive amounts of business on the line, delays to Privacy Shield implementation might be too costly to consider, the report states. “Given the pressure that currently exists with U.S. organizations and even in Europe, with organizations there trying to conduct business, my bet is that we’re going to see the Commission go forward with Privacy Shield,” said a lawyer from Foley & Lardner LLP. [The Hill] [The U.K. Information Commissioner Christopher Graham voiced his disappointment that the U.S. has articulated it isn’t interested in reopening negotiations for the Privacy Shield] U.S. businesses expressed their anxieties after the Article 29 Working Party released its opinion of the E.U-U.S. Privacy Shield agreement.

Finance

CA – Identity Management: FINTRAC Clarifies Which Client ID May Be Requested and/or Recorded for Identity Verification

FINTRAC has issued guidelines to securities dealers on client identification. Acceptable ID must have a unique identifier number, have been issued by a provincial, territorial or federal government, be valid (unexpired), and an original (not a copy); examples include an individual’s birth certificate, driver’s licence, Canadian or foreign passport, record of landing, permanent resident card, or certificate of Indian status or a provincial or territorial identification card (issued by prescribed entities). [Financial Transactions and Reports Analysis Centre of Canada – Guideline 6E: Record Keeping and Client Identification for Securities Dealers]

FOI

CA – Doctors, Pharma Company Funding and Privacy

Your doctor could be getting money from pharmaceutical companies and doesn’t have to tell you. It’s not uncommon for health practitioners to have relationships with industry — companies may be in touch about new drugs, sponsor educational conferences or compensate doctors financially for consultation, for work on advisory boards or in clinical trials. If your doctor’s in the United States, you can search their name in a public database and find each payment itemized by date, company and amount, thanks to the Sunshine Act, part of the Affordable Care Act. The legislation requires any pharmaceutical company giving payments or “transfers of value” of any kind or amount to American doctors to disclose them in detail. Canada has no such law. Canadian pharmaceutical companies are legally required to itemize all of their payments to doctors in Detroit, Fargo, Spokane and Seattle — but none of their payments to doctors in Windsor, Winnipeg, Calgary or Vancouver. Disclosures for presentations, not patients Nav Persaud, a researcher and physician with St. Michael’s Department of Family and Community Medicine in Toronto, wants that to change. “There are requirements to disclose that funding when, for example, you’re giving a talk to your colleagues. What there’s not clear guidance on is whether those gifts or payments need to be disclosed to patients.” Provincial governments could do it easily, Persaud argues: Ontario, for example, could pass a law requiring all the companies manufacturing drugs covered under the Ontario Drug Benefit to disclose and itemize all of their payments to Ontario health practitioners. [Global News]

US – FBI Officials Keep Tactics Secret, Even from Fellow Agents

According to documents recently disclosed under a Freedom of Information Act lawsuit, FBI officials have long aimed to keep their surveillance tactics secret even from fellow law enforcement officials. Officials “once warned agents not to share details even with federal prosecutors for fear they might eventually go on to work as defense attorneys.” Privacy advocates are concerned that secrecy makes court scrutiny of such practices difficult. Meanwhile, it’s been reported that the Drug Enforcement Administration has been taking tips from National Security Agency data. [USA TODAY]

CA – Ontario’s Police Watchdog Lags Behind Others in Transparency

When a BC man died after being Tasered during an arrest last year, the province’s civilian police watchdog launched an investigation that ultimately cleared the five Chilliwack RCMP officers involved in the death. The officers “acted appropriately” when they used the Taser, wrote Chief Civilian Director Richard Rosenthal in his recent report. Their force was not excessive and no officer should be charged in relation to the death. Then Rosenthal backed that decision up — in a detailed, 12-page public report posted on the watchdog’s website, a document that is “virtually identical” to the report sent to B.C.’s Ministry of Justice, according to the watchdog’s spokesperson, Marten Youssef. That report includes: a timeline of 911 and dispatch calls and a description of their content; a breakdown of the evidence provided by two witness officers and five civilian witnesses; a summary of an analysis of the conducted-energy weapon and of the autopsy report; an explanation of the legal issues, including whether the officers used excessive force that resulted in his death; and the director’s analysis of the evidence.

In cases where B.C.’s Independent Investigations Office clears an officer, the agency releases a decision that is as detailed as possible, because in cases with no charges, “there better be an explanation, and a comprehensive one,” Youssef said. He acknowledges that few people will actually read them from start to end, “but it needs to be there.” “It’s a question of transparency,” he said. Ontario — once a leader in civilian oversight after establishing Canada’s first provincial police watchdog, the Special Investigations Unit, in 1990 — is now lagging behind other provinces when it comes to the transparency measures of its independent police oversight agencies. [Source]

Health / Medical

NO – Norwegian Appeals Board Upholds DPA’s Denial of Approval for Health Data Research Project

The Privacy Appeals Board reviewed the Norwegian Data Protection Authority’s decision to reject an application from the University of Oslo’s to process health data for a research project. The research project’s proposed collating of data from various sources, including a national patient register, would have permitted the indirect identification of individuals, which did not sufficiently meet pseudonymisation requirements; the DPA was correct in finding that relevant legislation requires that such pseudonymisation be irreversible. [Privacy Appeals Board, Norway – PVN-2015-12 – University of Oslo Health Research Project]

WW – Health Data: Challenges in Providing Notice to Users of Wearable Devices

Current and future challenges of obtaining meaningful consent, before collecting or processing health-related data generated by individuals’ wearable devices. Organizations collecting mHealth data via wearable devices face challenges in obtaining meaningful consent from users (owing to small screen sizes and the need to provide a privacy statement including proposed uses of the data); prior consent is still required (with limited exceptions, including for preventive medicine, for medical diagnosis) and the new GDPR will impose even more stringent requirements. [mHealth – Wearables, technical innovation and Data Protection – CMS Law]

UK – Privacy Concerns Limit Social Media-Based Health Campaigns: Study

A “qualitative evaluation” of HIV Prevention England’s awareness program, “It Starts With Me,” found that online privacy concerns inhibit the wider reach of social media-mired intervention campaigns. “Nearly all of our participants held concerns about privacy relating to their social media use and their engagement with sexual health interventions,” the researchers said. They added that their study did not contain privacy-specific questions, but that respondents expressed their privacy concerns organically. [NAM Aidsmap] [Witzel TC et al. It Starts With Me: Privacy concerns and stigma in the evaluation of a Facebook health promotion intervention. Sexual Health, 2016]

Horror Stories

WW – BeautifulPeople.com Private Data of 1.1 Million ‘Elite’ Daters for Sale

Sexual preference. Relationship status. Income. Address. These are just some details applicants for the controversial dating site BeautifulPeople.com are asked to supply before their physical appeal is judged by the existing user base, who vote on who is allowed in to the “elite” club based on looks alone. All of this, of course, is supposed to remain confidential. But much of that supposedly-private information is now public, thanks to the leak of a database containing sensitive data of 1.1 million BeautifulPeople.com users. The leak, according to one researcher, also included 15 million private messages between users. Another said the data is now being sold by traders lurking in the murky corners of the web. Other leaked data included weight, height, job, education, body type, eye colour and hair hue, as well as email address and mobile phone number. Location data, in the form of latitude and longitude, were also leaked, along with smoking and drinking habits, interests and favourite TV shows, movies and books. Anyone using the site expecting privacy should now consider themselves exposed, right down to their appearance, whereabouts and interests. “We’re looking at in excess of 100 individual data attributes per person. Everything you’d expect from a site of this nature is in there.” [Source]

US – NY Hospital to Pay $2.2 Million Over Unauthorized Filming of 2 Patients

NewYork-Presbyterian Hospital has agreed to pay a $2.2 million penalty to federal regulators for allowing television crews to film two patients without their consent — one who was dying, the other in significant distress. Regulators said that the hospital allowed filming to continue even after a medical professional asked that it stop. At the same time, regulators clarified the rules regarding the filming of patients, prohibiting health providers from inviting crews into treatment areas without permission from all patients who are present. That could end popular television shows that capture emergencies and traumas in progress, getting permission from patients only afterward. “It is not sufficient for a health care provider to request or require media personnel to mask the identities of patients (using techniques such as blurring, pixelation or voice alteration software) for whom an authorization was not obtained,” the Office for Civil Rights with the federal Department of Health and Human Services said in an online post. “I think this will have a chilling effect on hospitals going forward. Any hospital legal counsel worth his salt or any P.R. director would be committing malpractice in order to allow it to occur. It’s now embodied in a federal directive.” [Source]

US – North Carolina Clinic Settles HIPAA Breach for $750,000

The Raleigh Orthopaedic Clinic must pay $750,000 in a settlement after the Department of Health and Human Services’ Office for Civil Rights discovered it had shared the health data of 17,300 individuals in 2013 without “executing a business associate agreement,” a violation of HIPAA. “HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise,” said OCR Director Jocelyn Samuels. “It is critical for entities to know to whom they are handing personal health information and to obtain assurances that the information will be protected.” [Healthcare IT News]

CA – Class Action Lawsuit Filed for Privacy Breach in Lanark, Leeds and Grenville

A Class Action lawsuit has been filed following a massive privacy breach at Family and Children’s Services of Lanark, Leeds and Grenville earlier this week that saw the names of 285 families involved with children’s services leaked on Facebook. The class action filed in the Ontario Superior Court of Justice on behalf of a person identified only as M.M. names the agency, its executive director, Children and Youth Services Minister Tracy MacCharles and John Doe – the person responsible for sharing the information – as defendants. The lawsuit calls for $25-million in general damages, $25-million in special damages and $25-million in punitive, aggravated and exemplary damages on behalf of M.M. the families whose names were shared in a document on the Smiths Falls Swapshop and Families United Facebook pages earlier this week. “This is a very serious breach of privacy, made possible by the Family and Children’s Services of Lanark, Leeds and Grenville,” said Sean Brown of Flaherty McCarthy LLP in Toronto. “That institution made the decision to use an on-line portal system that was easily accessed by an individual without any obvious hacking skills. The most sensitive and confidential information held by that body, specifically the names of those under its investigation, have now been published on the Internet. The damage has been done. That bell can not be unrung.” [CFRA]

Identity Issues

WW – FPF Reports on the Full Spectrum of Practical Data De-Identification

One of the most hotly debated issues in privacy and data security is the notion of identifiability of personal data and its technological corollary, de-identification. De-identification is the process of removing personally identifiable information from data collected, stored and used by organizations. Once viewed as a silver bullet allowing organizations to reap the benefits of data while minimizing privacy and data security risks, de-identification has come under intense scrutiny with academic research papers and popular media reports highlighting its shortcomings. At the same time, organizations around the world necessarily continue to rely on a wide range of technical, administrative and legal measures to reduce the identifiability of personal data to enable critical uses and valuable research while providing protection to individuals’ identity and privacy. This paper proposes parameters for calibrating legal rules to data depending on multiple gradations of identifiability, while also assessing other factors such as an organization’s safeguards and controls, as well as the data’s sensitivity, accessibility and permanence. It builds on emerging scholarship that suggests that rather than treat data as a black or white dichotomy, policymakers should view data in various shades of gray; and provides guidance on where to place important legal and technical boundaries between categories of identifiability. It urges the development of policy that creates incentives for organizations to avoid explicit identification and deploy elaborate safeguards and controls, while at the same time maintaining the utility of data sets. [Source] [Infographic] [Privacy Advisor]

US – Judge: Ashley Madison Breach Victims Must Use Real Names

Victims of the Ashley Madison data breach wishing to be named plaintiffs in the upcoming litigation will need to use their real names. U.S. District Judge John Ross made the decision, saying fake names should only be used in civil litigations in certain cases. “The disclosure of Plaintiffs’ identities could expose their sensitive personal and financial information — information stolen from Avid when its computer systems were hacked — to public scrutiny and exacerbate the privacy violations underlying their lawsuit,” Ross said. “At the same time, there is a compelling public interest in open court proceedings, particularly in the context of a class action, where a plaintiff seeks to represent a class of consumers who have a personal stake in the case and a heightened interest in knowing who purports to represent their interests in the litigation.” Victims have until June 3 to join the class. [Ars Technica]

WW – More than 1 Million Facebook Users Access via TOR Network

It seems that every few weeks or so, a new study about how the dark web is mostly vile and mostly harbors criminals crops up. The majority of people, in fact, would be pretty OK about it were the dark web to be padlocked, according to a recent survey. The battle over anonymizing technologies – encryption and the Tor network that the dark web runs on – is a polemic issue: it often boils down to a simplistic battle between the advocates of innocent individuals’ privacy rights (and of security that isn’t weakened via backdoors) vs. the shielding of criminals. On one side of the argument, Tor is used by whistleblowers, human rights activists, journalists and others to protect their identities. On the other side: it’s also used by people shielding their activities around cybercrime, drugs, illegitimate porn and violent extremism. As it turns out, a large number of people who want to use Facebook secretly without revealing their identities fall into the “legitimate use” side of the battle. Facebook said on Friday that over a million people accessed Facebook through the Tor network this month. That’s up from the 525,000 people who were coming in over Tor over a 30-day period last June, and it follows two years of work to enable people to find the social network on Tor. [Source]

Internet / WWW

WW – Google Beefs Up Chrome Web Store User Data Policy

Google has made changes to the Chrome Web Store User Data Policy to protect users from data theft. Third-party developers must encrypt personal data that they transmit. The revised policy also requires developers to create and publish a privacy policy explaining which data they collect and how it is used. [Register] [Google]

Law Enforcement

CA – Surrey’s License Plate-Scanning & 300 Traffic Cameras Remain Limited

Although the RCMP have now been given 24-hour access to Surrey’s 300 traffic cameras in the fight against gang violence, there is a line Mounties are not attempting to cross. They aren’t proposing to use the 330 city intersection cameras to rapidly scan licence plates and check drivers against policing databases, as now happens with the Automated Licence Plate Recognition (ALPR) system on use on about 40 police cars in B.C. In theory, a stationary system of cameras integrated with ALPR could act as a surveillance network, tracking the movements of known gangsters or quickly identifying suspect vehicles fleeing the scene of a shooting – if that was allowed here as it is in the U.K. “That’s not what exists here in British Columbia or anywhere else in Canada,” RCMP Dep. Commissioner Craig Callens said, giving a short answer of “no” when asked if such a London-style system is being pursued. “I have not been involved in any discussions to this point,” he told Black Press. “And I think to do so would require some considerable consultation with the provincial privacy commissioner.” A University of the Fraser Valley study in 2015 suggested much more could be done with the licence-scanning system to tackle more serious crime. “ALPR is not being used in Surrey to its full potential,” according to the report by UFV criminologists. In other jurisdictions, they noted, the second most common use is for crime intelligence – using ALPR equipped vehicles to patrol high-crime areas to run plates, collect data and identify and track potential suspects. [Source]

Location

US – Support Increases for Legislation to Halt Government Location Tracking

The House Judiciary Committee may consider halting the government’s ability to track citizens’ locations via their cellphones without a warrant sooner rather than later. During its meeting on the Email Privacy Act last week, Chairman Bob Goodlatte, R-Va., said he wants to hold a meeting on how the committee is dedicated to safeguarding geolocation data when the next Congress commences. Goodlatte’s stance is drawing praise from both sides of the aisle and has been compared to legislation from Rep. Zoe Lofgren, D-Calif., requiring the government to seek a warrant in order to intercept or request geolocation data from any citizen. Goodlatte has the support of privacy advocates including Sen. Ron Wyden, D-Ore., who believe location tracking to be a prominent issue to be addressed in the widespread surveillance debate. [Morning Consult]

Privacy (US)

UK – Supreme Court Believes IT Progress Make Privacy Laws ‘Unenforceable’

Lord Neuberger, president of the UK Supreme Court, expressed skepticism about the overall effectiveness of privacy laws, claiming such orders are “unenforceable.” Delivering his opinions in front of lawyers in Edinburgh, Neuberger believes gains in technology have made it impossible to properly enforce privacy laws, and developments in IT have greatly increased the tensions between personal privacy and freedom of expression. “The existence of the Internet inevitably affects what can be practically achieved in terms of enforcement of privacy, and the law should never seek to acknowledge or enforce rights which are in practice unenforceable,” Neuberger said. [Daily Mail]

US – Legislators Lack Unbiased Scientific and Technical Advice

Budget cuts more than twenty years ago eliminated the US Office of Technology Assessment (OTA), which provided legislators with unbiased scientific and technological information. Former congressman Rush Holt, a trained research physicist, tried to bring OTA back, but did not succeed. He noted, “Most members of Congress don’t know enough about science and technology to know what questions to ask, and so they don’t know what answers they’re missing.” [Wired]

Security

US – DHS Red Teams Conduct Penetration Tests on Government Agencies

The US Department of Homeland Security’s (DHS) National Cybersecurity and Communications Integration Center (NCCIC) has conducted penetration tests on three unnamed US government civilian agencies. The red teams were able to “own those agencies from top to bottom and side-to-side.” NCCIC now plans to help those agencies fix their network weaknesses. The agencies will also have help developing internal cybersecurity talent so they can continue to conduct similar assessments more frequently. [Source]

US – More Bad News for NASA Cybersecurity

Two more reports have found serious cybersecurity problems at NASA. The agency’s inspector general found that NASA needs to improve continuous monitoring management, configuration management, and risk management. And a private security company, Security Scorecard, ranked NASA last among 600 federal, state, and local government agencies surveyed in its report. Security Scorecard found that NASA had issues with secure sockets layer (SSL) certificates, unsecure open ports, and misconfigured email sender policy frameworks. [Source] [NASA IG Report]

WW – 93 Million Mexican Voter Records Exposed on Cloud

A 132 GB database, containing the personal information on 93.4 million Mexican voters has finally been taken out of the cloud and offline. The database sat exposed to the public for at least eight days after its discovery by a researcher, but originally went public in September 2015. The security researcher discovered the MongoDB instance on April 14, but had difficulty tracking down the person or company responsible for placing the voter data on Amazon’s AWS. He first reached out to the U.S. State Department, as well as the Mexican Embassy, but had little success. The database contains all of the information that Mexican citizens need for their government-issued photo IDs that enable them to vote. Along with their municipality, and district information, the database records include the voter’s name, address, voter ID number, date of birth, the names of their parents, occupation, and more.

Eventually, after a speaking engagement at Harvard University’s Center for Government and International Studies, the researcher was able to reach someone the Mexican Instituto Nacional Electoral (INE). The database was pulled offline earlier this morning. Given that the database has been online since September 2015, it isn’t clear how many people have accessed the records. Additionally, the actual owner of the account hosting the data remains unknown. Mexico has strict laws regarding the usage and access of voter information, and the last time such records were in the hands of a company in the U.S., it became an international incident. “Under Mexican law this data is strictly confidential, carrying a penalty of up to 12 years in prison for transfer or extraction for personal gain. The Mexican Elections Commissioner has confirmed that the database is authentic. The data is now secured but the real question is who else had access to this sensitive information, and who put it on a US-based Amazon cloud server?” he said in a brief statement. [Source] [Hacker discovers information on nearly all Mexican registered voters]

EU – Security Frameworks – EDPS Details Components of Information Security Risk Management Process

The European Data Protection Supervisor has released a guidance document on Information Security Risk Management practices in support of requirements found in Article 22 of Regulation 45/2001. Key steps include establishing a company’s context (collecting relevant information, defining scope, assigning roles), identification and assessment of risks, deciding on responses, management sign-off of residual risks, and ongoing monitoring of risks as well as the process itself. [European Data Protection Supervisor – Guidance – Security Measures for Personal Data Processing – Article 22 of Regulation 45/2001]

Surveillance

US – Federal Appeals Court Says Warrant Not Needed for Stingray Use

The 6th US Circuit Court of Appeals has agreed with the federal government that a warrant is not necessary when using cell-site location technology like Stingrays. The majority of federal appeals court rulings share this position; the only federal appeals court that sided against has agreed to rehear the case, so the opinion has been set aside. The issue is unlikely to head to the Supreme Court anytime soon unless more federal appeals courts disagree with the government. [Ars Technica]

UK – Surveillance Bill Would Require Government Vetting of New Communications Technology

Draft surveillance legislation in the UK would require technology and telecommunications companies to run new products, services, and features by the government prior to their release, to ensure that they provide capability for the government to intercept communications or access stored data. [ZDNet] Privacy International has flagged a provision in the U.K.’s draft Investigatory Powers Bill that would mandate tech firms like Google and Apple to inform spies when their technologies were to be upgraded.

UK – Documents Reveal British Intelligence Agencies Collecting Bulk Personal Data Since 1990s

A collection of more than 100 documents reveals how British intelligence agencies, including MI5, MI6 and GCHQ, have been collecting bulk personal data in secret since the late 1990s. The documents show how the agencies have been stockpiling the data, which includes travel records, financial data and communications information, for longer than previously divulged. The internal memos also reveal how the agencies gathered information on individuals who are “unlikely to be of intelligence or security interest.” Other revelations include continuous issues intelligence agencies face regarding data handling errors, resulting in the disciplining of two MI5 and three MI6 agents between 2014 and 2016 for mishandling bulk personal data, while a GCHQ staff member was fired for unauthorized searches. [Guardian]

CA – Saskatchewan OIPC Issues Best Practices on Public Surveillance

The OIPC SK has provided guidance on video surveillance of public areas, aimed at public bodies who may be subject to:

Images of individuals are personal information under privacy legislation; public bodies deploying CCTV cameras (or similar) should consider the following – confirming that the collection is necessary and lawful (i.e., proper authority under the law), minimizing impact on personal privacy (avoid washrooms, post notices that the area is under surveillance), conducting a PIA, and ongoing audit and review of the program. [Video Surveillance Guidelines for Public Bodies – OIPC SK]

Telecom / TV

US – 60 Minutes Segment Demonstrates Ease of Tracking Smartphones

US television investigative news magazine 60 Minutes ran a segment showing just how vulnerable smartphones are to tracking and eavesdropping. US Senator Ted Lieu (D-California) participated in the demonstration. Using just the 10-digit number associated with the smartphone, Security Research Labs’ Karsten Nohl was able to record calls made to and from the device and track its precise location. Nohl exploited a weakness in the Signaling System No. 7 (SS7) routing protocol to access the phone Lieu was using. [Ars Technica] [ComputerWorld] [The Register] [The Hill]

US – FCC to Examine Mobile Network Security

Following a 60 Minutes television news magazine segment that demonstrated a vulnerability that could be exploited to eavesdrop on phone calls, the head of the US Federal Communications Commission’s (FCC) Public Safety Bureau has directed his staff to look into the Signal System 7 (SS7) vulnerability. [SC Magazine] [The Hill]

AU – 60 Minutes Australia Covered SS7 Vulnerability Last Year

The SS7 vulnerability was demonstrated last year on a segment for Australia’s 60 Minutes program, which also noted that a relatively inexpensive and readily obtainable device known as an IMSI catcher, or cell-site simulator, could be used to conduct man-in-the-middle attacks against cellphones. [YouTube] [NDTV]

CA – BC Appeals Court Affirms Its Position on Text Message Privacy

On April 11th, the BC Court of Appeal held that a defendant convicted of internet luring and sexual touching of a minor had a reasonable expectation of privacy in direct messages he sent to the complainant and others via a social media platform. The trial judge had found no such expectation – a finding that rested in part on the nature of the messages. The trial judge held that the messages contained no personal information that the defendant had not posted in his public profile and were not sent to an intimate, trustworthy contact. The Court of Appeal viewed the messages differently – as “flirtatious” – and held that the trial judge rested too heavily on the “risk analysis” that characterizes American Fourth Amendment law. It reasoned: While recognizing that electronic surveillance is a particularly serious invasion of privacy, the reasoning is of assistance in this case. Millions, if not billions, of emails and “messages” are sent and received each day all over the world. Email has become the primary method of communication. When an email is sent, one knows it can be forwarded with ease, printed and circulated, or given to the authorities by the recipient. But it does not follow, in my view, that the sender is deprived of all reasonable expectation of privacy. To find that is the case would permit the authorities to seize emails, without prior judicial authorization, from recipients to investigate crime or simply satisfy their curiosity. The analogy between seizing emails and surreptitious recordings [as considered by the Supreme Court of Canada in R v Duarte] is valid to this extent. In the end, the Court found a breach of section 8 but held the evidence was after conducting its section 24(2) analysis. The Court’s reasonable expectation of privacy finding follows its earlier similar finding in R v Peluco. For the context see this Law Times article. [BCCA affirms its position on text message privacy]

US Government Programs

US – U.S. Administration Refuses Information About Spying On Americans

A group of lawmakers from both parties are unhappy that they are being asked to reauthorize two key surveillance programs without the Obama executive branch answering how much data is being gathered on innocent Americans. The two programs authorized by Section 702 of the Foreign Intelligence Surveillance Act, are PRISM and Upstream. PRISM is a clandestine surveillance program under which the US NSA collects internet communications from at least nine major US internet companies. Since 2001 the US government has increased its scope for such surveillance, and so this program was launched in 2007. The major companies include Facebook, Yahoo, and Skype. Upstream collection involves four different surveillance programs: In a Foreign Intelligence Surveillance Court (FISC) order from October 3, 2011, it’s said that the Upstream collection accounts for approximately 9% of the total number of 250 million internet communications which NSA collects under the authority of section 702 FAA every year. During the first half of 2011, NSA acquired some 13.25 million internet communications through Upstream collection. “The program is unable to exclude domestic communications due to technical difficulties. The government refuses to tell politicians how much data is collected from Americans. Fourteen members of the House Judiciary Committee sent a letter to James Clapper, the Director of National Intelligence, asking for at least a rough estimate of the number. The letter said: “In order that we may properly evaluate these programs, we write to ask that you provide us with a public estimate of the number of communications or transactions involving United States persons subject to Section 702 surveillance on an annual basis.” Senator Rony Wyden has been asking for the number since 2011. The Privacy and Civil Liberties Oversight Board also asked in 2014. More than 30 privacy groups have also asked for the number. [Source] [Clapper: ‘We’ll do our best’ to figure out surveillance numbers]

US Legislation

US – Legislative News Roundup

Workplace Privacy

CA – Employee Privacy: Ontario Arbitration Board Rules that Employer’s Search of Employee’s Personal USB Key Did Not Infringe Charter Rights

An arbitration board heard a termination complaint filed by a union for federal employees against an Ontario government ministry. A supervisor was permitted by a management rights clause in the collective agreement to search the lost USB key (which was reported to contain employer documents) for evidence of employee misconduct. Any Charter-infringing conduct was minor; some degree of intrusion into personal documents was inevitable because the key was used for both personal and work purposes. [Association of Management, Administrative and Professional Crown Employees of Ontario (Bhattacharya) v. The Crown in Right of Ontario (Ministry of Government and Consumer Services) – 2016 CanLII 17002 – The Grievance Settlement Board, Ontario]

CA – ONSC Affirms Damages Award for “Friend’s” Leak of Work Schedule

On April 8th, the Ontario Superior Court of Justice affirmed a $1,500 damages award for a privacy breach that entailed the disclosure of information that the defendant received because she was the plaintiff’s social media friend. The plaintiff and defendant were pilots who worked for the same airline. The plaintiff shared his work schedule with the defendant though an application that allowed him to share his information with “friends” for the purpose of mitigating the demands of travel. The airline also maintained a website that made similar information available to employees. The defendant obtained the schedule information through one or both of these sites and shared it with the plaintiff’s estranged wife. Among the issues raised in this scenario: Is a work schedule, in this context, personal information? Does one have an expectation of privacy in information shared in this context? Does the intrusion upon seclusion tort proscribe a disclosure of personal information? The appeal judgement is rather bottom line. In finding the plaintiff had a protectable privacy interest, the Court drew significance from the airline’s employee privacy policy. [Source]

+++

 

9-18 April 2016

Biometrics

WW – Fingerprint Identification Technology Expanding Beyond Smartphones

Biometric fingerprint technology has surged in popularity among smartphone users, and now companies are looking to bring the technology to new places. Credit card use, rail commuting and entrances to buildings could be the next wave of opportunities to implement fingerprint identification. Specifically, Sweden’s Fingerprint Cards, already leading the market for fingerprint identification sensors in smartphones, believes biometric smart cards could be its most rapidly expanding market by 2018. Security advocates praise fingerprint identification as a superior alternative to pin codes, and the market for the technology continues to grow, with many companies jumping into the business. [Reuters]

WW – Russian Photographer’s Project Shows Ease of Finding People Online

A Russian photographer’s project looks to show how an individual’s private life is becoming less and less private. Egor Tsvetkov created an experiment titled “Your face is big data,” where he took pictures of nearly 100 people sitting across from him on the subway, then used the facial-recognition app FindFace to discover them on VK, a Russian social media site. Tsvetkov located about 60 to 70% of the people he photographed who were between 18 and 35 years old. [PCWorld]

US – Shutterfly Settles Facial Recognition Lawsuit

An undisclosed settlement has been reached between Shutterfly and an Illinois man who brought a lawsuit against the photo-sharing website, claiming the company violated his privacy. Brian Norberg alleged Shutterfly used facial recognition software to identify his face, which ended up in the company’s database after a friend tagged him in a photo in February 2015. Norberg’s suit said Shutterfly analyzed the details of his face and offered other photos he should be tagged in, which the suit asserts violates Norberg’s rights under the Illinois Biometric Information Privacy Act. “Helping a user re-identify his own friends within his own digital photo album does not violate any law,” Shutterfly countered. Had the lawsuit gone to trial, it could have had repercussions for companies using facial recognition software. [Chicago Tribune]

Canada

CA – Nova Scotia to Craft New Cyberbullying Law

The province’s Justice Department says it is working on new cyberbullying legislation to replace the Cyber-safety Act, which was struck down in December by the Nova Scotia Supreme Court. Since then the province has had no law on the books specifically dealing with cyberbullying. Over the next several months the province said it will seek legal expertise to craft a new act that balances the right to freedom of speech with a way to protect the victims of cyberbullying. The earliest new cyberbulling legislation could be introduced is the fall. [Source]

Consumer

WW – Men and Women Differ in Their Approach to Online Privacy and Security

What do internet users want in terms of security and privacy? What do they do to protect their own privacy and security when they use the internet? Hide My Ass! (HMA) commissioned a nationwide survey to find out. The main results revealed a striking disconnect between what people want and what they do while a deeper look uncovered some intriguing differences between men and women. HMA is a VPN (virtual private network) service provider. VPNs hide an internet user’s identity, location and internet activity by encrypting their data and routing their internet connection through multiple IP addresses and remote servers. HMA summarized the results of their survey with an attractive infographic and a more detailed report. While most people want more internet security and privacy, they do very little to make use of the tools and techniques that are available to give them what they want. The survey found that 70% of consumers say they restrict their level of social media use in order to avoid exposing personal information. However, only 25% enable strict privacy restrictions on the social media platforms they use. Likewise, 67% say they want additional layers of security while only 9% use email encryption programs, 11% use a VPN and 13% use two-factor authorization. [Forbes]

WW – RAND Corporation Examines Consumers’ Reactions to Data Breaches

When a data breach occurs within an organization, how do affected consumers respond? It’s the question the RAND Corporation sought to answer in “a nationally representative survey of the consumer experience” following a data breach. Of their findings, RAND reports 26% of respondents, roughly 64 million adults in the U.S., received a breach notification in the 12-month period before the survey, with 44% of those individuals saying they were already aware of the attack from sources other than the affected company. Free credit monitoring was a popular choice among respondents, with 62% of individuals accepting the service. Many were pleased with a company’s reaction to the incidents, with 77 percent reporting high satisfaction with the organization’s post-breach response, and only 11% discontinuing a relationship with the organization following the breach. [Full Story] [Consumer Attitudes Toward Data Breach Notifications and Loss of Personal Information]

WW – Firm Releases 2016 Data Breach Litigation Report

Data breach litigation “remains one of the top concerns of general counsel, CEOs and boards alike,” Bryan Cave, a law firm, points out in its latest report on data breach litigation, adding, “there remains a great deal of misinformation reported by the media, the legal press and law firms.” The 2016 Data Breach Litigation Report found a 25% decline in the amount of cases that were filed from its 2015 report. Additionally, when “multiple filings against single defendants” were removed, there were only 21 unique defendants during that 15-month time period, and only 5% of reported data breaches ended up facing class-action litigation. According to the report, such a decline in class actions may derive from an overall decline in reported breaches. [Report]

E-Government

US – Government Agencies Dead Last in Cybersecurity: Report

The cybersecurity protections at U.S. government agencies — from federal to local levels — ranked dead last compared to 17 other private industries, according to a report from security risk startup SecurityScorecard. SecurityScorecard analyzed the security capabilities of major industries across 10 categories, including weaknesses to malware and rates of password exposure. The security startup examined 35 major government data breaches between April 2015 and April 2016, saying agencies had the worst scores on network security, software patching defects and malware. Among the 600 government entities SecurityScorecard examined, NASA was the worst performer, particularly its susceptibility to email spoofing and malware attacks. Other low ranking agencies included education and telecommunications, while information services, food and construction industries received high marks. For more on the report: here. [Reuters] [Newsweek]

E-Mail

US – House Judiciary Committee Unanimously Approves Email Privacy Act

In a 28-0 vote, the Email Privacy Act has been approved by the House Judiciary Committee. The new bill, created to update the 1986 Electronic Communications Privacy Act, requires law enforcement to obtain a warrant before requesting email providers to hand over a suspect’s electronic communications stored for more than 180 days. The bill is expected to pass through the House, but might face opposition in the Senate, as civil enforcement agencies — including the Securities and Exchange Commission and the FTC — are concerned the bill could hamper civil investigations. [Morning Consult]

Electronic Records

US – 96% of Health Care Organizations Susceptible to Data Threats: Report

The results of the Healthcare Edition of the 2016 Vormetric Data Threat Report revealed 96% of health care organizations feel susceptible to data threats, the organization said in a press release. Findings included 63% of respondents saying they have experienced a data breach, with nearly 20% experiencing one in the last year. Meeting compliance requirements was the top IT security spending priority, coming in at 61%, with data breach prevention “well behind at 40%.” Complexity clocked in at 54% as the toughest barrier to overcome for better adoption of data security, with lack of staff coming in second. [Full Story]

EU Developments

EU – WP29 Refuse to Endorse Privacy Shield Scheme

The Article 29 Working Party (WP29) met in Brussels to discuss the European Commission’s Privacy Shield scheme, the proposed replacement for Safe Harbor. As anticipated, WP29 decided that in their view Privacy Shield does not offer adequate protection. Whilst the decision is not binding on the Commission it will be hard to ignore if Privacy Shield is to be successful, especially since enforcement is still in the hands of the data regulators who sat around the table at WP29 and not in the hands of the Commission. WP29’s position is not a surprise, especially given the rumours coming out of Germany. Some German data protection authorities have had a long-held objection to Safe Harbor and they have been the most aggressive in enforcement since Safe Harbor died (for more on this see our alert here).Amongst WP29’s criticisms are:

  • A lack of clarity over the ombudsman role; and
  • Exceptions allowing the US to still collect European bulk data.

Most companies will have to plan for a world without Safe Harbor or Privacy Shield at least in the short term. They will have to explore alternative solutions including EU model terms and Binding Corporate Rules (BCRs). BCRs are likely to gain momentum and sources close to WP29 tell us that we can expect statements soon from regulators removing some of the existing objections to BCRs. In addition BCRs will gain in use once their statutory status is confirmed by the forthcoming General Data Protection Regulation (GDPR) – there is more on this in our GDPR FAQs here. [The WP29 issues draft adequacy decision] [IAPP GDPR Resources] [Data watchdogs do not endorse the EU-US Privacy Shield as drafted] [WP29 Privacy Shield opinion sparks anxieties for US businesses] The Hill also reported on businesses’ Privacy Shield related fears, and the potential challenges of trying to alert the agreement. [WP29 on Privacy Shield: More work needed]

EU – European Commission Seeks Views on ePrivacy Directive

The European Commission seeks stakeholders’ views on the current text of the ePrivacy Directive as well as the possible changes to the existing legal framework to make sure it is up to date with the new challenges of the digital area; the consultation is open until July 5, 2016. Learn more

EU – Passenger Name Record Bill Passes

The European Parliament approved the EU Passenger Name Record bill after five years of discussion. The bill will permit federal law enforcement officials to share airline-passenger information, like name and payment data, across national borders for up to five years in an attempt to curb terrorist activity. “It is one all EU governments and indeed the U.S. government have requested as a very important tool to tackling terrorism,” said U.K. MEP Timothy Kirkhope. Critics in the Green Party disagree. “This EU PNR system is a false solution, based on the flawed political obsession with mass surveillance,” said Green MEP and Home Affairs spokesman Jan Philipp Albrecht in a statement. [EUobserver]

UK – CJEU Hears Case on British Data Retention Laws

The EU’s highest court will hear a legal challenge this week concerning the validity of UK data retention laws. In July last year the High Court in London ruled that DRIPA was incompatible with human rights legislation but that decision was appealed by the UK government to the Court of Appeal. The Court of Appeal has asked the CJEU to rule on whether its previous judgment on the Data Retention Directive sets out “mandatory requirements of EU law applicable to a member state’s domestic regime governing access to data retained in accordance with national legislation, in order to comply with Articles 7 and 8 of the EU Charter”. [Source]

EU – Belgian DPA Advises Data Controllers to Have Detailed Cloud Contracts

The Belgian data protection authority issued guidelines for data controllers contracting with cloud service providers regarding compliance with the Data Protection Act. Provisions should include requirements that the provider only process the data upon the controller’s instructions and obtain controller approval for all subcontractors, and a list of the physical locations where the processing takes place for the duration of the contract. [DPA Belgium – Opinion No 10/2016 – Use of Cloud Computing for Data Controllers]

Facts & Stats

CA – Reporting of Government Privacy Breaches Varies Widely

Federal government departments breached the privacy of more than 45,000 Canadians last year but only a small fraction of those breaches were ever reported to Canada’s Privacy Commissioner. Moreover, the proportion of breaches reported to the Privacy Commissioner’s office varied widely from one department to another. For example, while the Justice Department reported 80% of the breaches it discovered, the agency with the largest number of breaches – the Canada Revenue Agency – only revealed less than 1% of its 3,868 breaches to Privacy Commissioner Therrien’s office. While departments are not required to notify Therrien of every breach that occurs, last year he was only notified about 5.3% of the 5,853 privacy breaches discovered by departments. See Chart: Privacy breaches reported to privacy commissioner. [Source] [Document: Order/Address of the House of Commons] [Feds made 5,670 privacy breaches last year; CRA worst offender] [Appearance before the Standing Committee on Access to Information, Privacy and Ethics on the Transfer of Information to the United States Internal Revenue Service (IRS) ] [Ottawa open for comments on proposed breach notification regulations]

CA – Half a Billion Identities Were Stolen or Exposed Online in 2015

500 million identities were stolen or exposed online in 2015 according to a report by digital security firm Symantec. The report also revealed that the amount of malware online increased by 36%, with 430 million new pieces of malicious code being created in 2015. Ransomware attacks are also on the increase, with 35% more attacks than the previous year. The UK ranked as the most targeted nation for spear-phishing campaigns that attempt to steal data by targeting employees within a specific organisation. This type of attack increased by 55% in 2015. We’re also beset upon by fake technical support scams and social media fakes, with the UK being the second most targeted nation globally in both categories. Symantec drew particular attention to the increased number of zero-day vulnerabilities in 2015. It identified 54 zero-day vulnerabilities in 2015, the majority of which existed in widely-used pieces of software. Four out of the five most exploited zero-day vulnerabilities were found in Adobe’s much-maligned Flash Player. On average, each data breach exposed more than 1.3 million identities, but Symantec identified nine ‘megabreaches’ – the leaking of over 10 million records in a single attack – in 2015. [Source] [BBC] See also: [The seven types of e-commerce fraud explained]

CA – Hamilton Using Google Maps to Enforce Bylaws

Since 2002, Hamilton city officials have been quietly collecting aerial photographs that allow enforcement staff to investigate breaches of bylaws, especially the requirement that homeowners acquire a building permit before building a deck or some other construction project. Images from past years can be compared to get an idea when a deck, pool or addition was built. If the structure wasn’t there one year, and appeared the next, it means it was built sometime in between. But Jorge Caetano, the manager of plan examination in the city’s building division, says the information is never used to go on fishing expeditions for violators. It’s only consulted after the city receives a complaint. “We use it as a tool. We don’t use it in place of going there in person to investigate, to see the property,” he said. “At this point, we don’t base enforcement on aerial photographs. We would have to go out there physically and inspect the property. We still have to carry out the proper investigation.” He said information from past aerial photographs could be consulted to verify whether a structure has been there for many years and was, say, built by a former owner. A spokesperson from the IPC Ontario said the use of aerial maps would not appear to violate privacy rules: “As defined in Ontario privacy legislation, personal information means recorded information about an identifiable individual. Several IPC decisions have found that information about properties and businesses does not qualify as personal information as it does not reveal something of a personal nature about identifiable individuals.” [Source]

Finance

CA – CRA Should Notify People When Their Bank Records are Shared: Therrien

The CRA should automatically notify individuals when it shares their banking information with the U.S. IRS under a controversial information sharing agreement, says Canada’s Privacy Commissioner. Testifying before Parliament’s Access to information, Privacy and Ethics committee Daniel Therrien said there is no reason for the CRA not to advise people when their information is transferred. “Can it be realized? It is certainly an effort but we know that the government wants to facilitate access to data by citizens so it seems to me that would be a move that would fit in that objective.” Therrien said there are likely electronic ways to notify people when the CRA shares their banking information with the U.S. Therrien said he is also concerned that Canada’s banks and the CRA may be over reporting the number of people considered “U.S. persons” under the information sharing agreement. While the CRA originally estimated that the deal it signed would result in it sending 30,000 to 90,000 banking records to the IRS, it ended up sending 155,000 records. [Source]

US – Insurance Coverage for ‘Malicious Insider’ Breach Depends on Policy Wording

With most data now stored electronically, businesses are facing new challenges in relation to data retention and keeping it secure and safe. Bespoke cyber insurance policies and, increasingly, data protection coverage as part of a general commercial liability policy will generally cover both first and third party liabilities in the event that anything happens to that data – but how will these policies respond in the face of deliberate or criminal behaviour by an employee who decides to release data to harm either colleagues or the business? As insurance contracts are supposed to cover fortuities and not deliberate actions, insurers may be able to reject claims arising out of malicious acts by employees. It is important, therefore, for both insurers and the insured to ensure that policy wordings reflect the regulatory framework surrounding data breaches, as well as the specific types of claim that are likely to arise as a result. In the absence of specific wording, insurers may be able to reject claims arising out of deliberate data breaches by disaffected employees. .As insurance contracts are supposed to cover fortuities and not deliberate actions, insurers may be able to reject claims arising out of malicious acts by employees. It is important, therefore, for both insurers and the insured to ensure that policy wordings reflect the regulatory framework surrounding data breaches, as well as the specific types of claim that are likely to arise as a result.

CA – Privacy Law Gives Insurers a Boost in the Battle Against Fraud

With amendments to federal privacy laws last year, group benefits providers are facing a host of new consent and disclosure-related obligations that can offer helpful tools or signal potential headaches. Bill S-4, the Digital Privacy Act, came into force in June 2015. It amended PIPEDA to include new provisions around obtaining consent, disclosing information without consent and mandatory breach notification. For group benefits providers, the most positive development is likely the new provision that will help them fight fraud by allowing for increased disclosure of information without consent in certain cases. Before the amendment, insurers had to obtain the consent of anyone they had a contract with before disclosing their personal information even if that person was suspected of involvement in fraudulent activity. Many of the amendments also create consistency with privacy legislation in Alberta and British Columbia. Industry efforts will include helping insurers to consider ways to share claims data in order to identify fraud trends that the association says can be hard to pinpoint when each provider is working independently. [Benefits Canada] See also: [Out-Law: Insurance Coverage for ‘Malicious Insider’ Breach Depends on Policy Wording]

FOI

US – Microsoft Sues Justice Department over ECPA Gag Orders

Microsoft is suing the Justice Department for its frequent use of gag orders that prevent the company from telling users when the government has obtained a warrant to search their emails. Microsoft claims the gag order statute in the Electronic Communications Privacy Act is unconstitutional and violates both the First and Fourth Amendments. In its suit, Microsoft argues that the government has “exploited the transition to cloud computing as a means of expanding its power to conduct secret investigations.” Brad Smith, the company’s top legal advisor, said, “People should not lose their rights just because they are storing their information in the cloud.” The House Judiciary, earlier this week, unanimously passed a bill that would reform parts of the ECPA. [The New York Times] [Microsoft Corporation Delivers a Reality Check to the U.S. Government – Microsoft Corporation Challenges the Government] [Microsoft Sues Justice Department to Protest Electronic Gag Order Statute]

US – Making Records Accessible on the Internet is a “Publication” –Federal Court

A federal appeals court upheld a ruling against insurance firm Travelers Indemnity Company of America, saying, under the terms of a commercial general liability policy, the company should have defended a client in a lawsuit resulting from an electronic data breach. Travelers was found by a three-judge panel in the 4th U.S. Circuit Court of Appeals in Virginia to have failed to prove its two CGL policies with its client, Portal Healthcare Solutions, excluded the defense of a 2013 class-action lawsuit filed when Portal publicly posted the records of Glens Falls Hospital patients. The trial court summarily rejected the argument that because Portal Healthcare had not intended to release the information, there was no “publication,” stating that “the issue cannot be whether Portal intentionally exposed the records to public viewing since the definition of ‘publication’ does not hinge on the would-be publisher’s intent.” Importantly, the court also rejected the argument that because no one had read the records, there was no “publication.” On appeal, the Fourth Circuit “commended” the trial court for its “sound legal analysis,” but did not add more, including on the scope of the term “publication.” The ruling goes against decisions in Connecticut and New York where CGL policies were determined not to cover damages from cyberattacks. “I think it’s a shocker to CGL insurers to see a decision like this,” said a research analyst. “CGL insurers don’t really think that they should be on the hook for this type of claim. They see this as a cyber and privacy claim, not a general liability claim.” [SC Magazine] [Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC, No. 14-1944 (4th Cir. Apr. 11, 2016)] [Source] [Court Opinion] [Appeal] [Federal Court Rules CGL Insurance Covers Data Breach] [4th Circuit affirms Travelers v. Portal Healthcare breach decision]

CA – BC Judge Calls for Restrictions on Court Database Searches

Thomas Crabtree, Chief Judge of the BC Provincial Court, wants restrictions placed upon searches for individuals who were ultimately not convicted of a crime. Crabtree declared a consultation regarding Court Services Online, an online database providing access to criminal records in the Provincial Court. Crabtree believes individuals who weren’t convicted of a crime should not be stigmatized, and cases ending in acquittals, dismissals and withdrawals will only be available in the database in the 30 days after the information is entered. Media outlets are displeased, believing court records should be fully open. “On balance, the need to protect individuals who have not been convicted from misuse of court record information outweighs the desirability of broad online public access to information about such cases and the individuals affected,” Crabtree wrote in a statement. [The Globe and Mail]

US – NSA appoints First Transparency Officer

The National Security Agency has appointed current Civil Liberties and Privacy Director Rebecca Richards as its first ever transparency officer. An NSA announcement states her dual role “complements ongoing initiatives to ensure that NSA has the best civil liberties and privacy practices.” The new role will serve under the Office of the Director of National Intelligence’s Intelligence Transparency Council, which aims to make “information publicly available in a way that enhances understanding of intelligence activities, while continuing to protect information when disclosure would harm national security.” [The Washington Times]

Health / Medical

CA – GPEN Launches 2016 “Internet of Things” Global Privacy Sweep

The Global Privacy Enforcement Network will focus their 2016 Global Privacy Sweep around the Internet of Things. The group, made up of data protection authorities from around the world, including the IPC, will specifically look into the accountability practices of IoT companies during this year’s Sweep. Regulators participating in the event — taking place April 11 through 15 — will examine the privacy practices of various devices, ranging from wearables to smart TVs. The OPC says it will investigate health devices. The IPC is surveying two dozen class 2 medical devices available for sale in Ontario. DPAs will have the flexibility to focus on actual products taken right off the shelf, by investigating statements on company websites, or by directly connecting with a manufacturer. [Office of the Privacy Commissioner of Canada] [Privacy watchdog to study impact of personal Internet devices]

UK – 15,000 Expectant Parents’ Info Compromised

The personal information of more than 15,000 expectant parents was compromised after hackers breached the National Childbirth Trust. The NCT alerted users of the breach, which exposed information including email addresses, usernames and encrypted passwords. No sensitive personal or financial information was accessed in the incident. The cyberattack has been reported to both the police and the U.K.’s data protection authority. A spokesman for the NCT said the organization reached out to affected individuals, advising them to change their usernames and passwords. NCT also posted information on their Facebook page about the hack, while also sending a message on social media telling users their website may face further disruptions. [The Telegraph]

Horror Stories

US – FDIC Breach of 44,000 Customers Caused by Storage Device

A former employee of the Federal Deposit Insurance Corp. (FDIC) departed the agency with a storage device that contained data and information involving 44,000 FDIC customers. A former FDIC employee departed the agency with a storage device that contained data and information involving 44,000 FDIC customers. While FDIC Chairman Martin J. Gruenberg said in a March 18 memo that the data was downloaded to the storage device “inadvertently and without malicious intent,” the device included customer names, addresses and Social Security numbers, according to a media report. The former employee signed an affidavit indicating the breached information was not used, the representative noted. [Source]

Identity Issues

CA – BC Law Firm’s Request for ID is Contrary to PIPA

The BC OIPC mediated a complaint from an individual who was asked to produce identification during a free initial consultation with a law firm. PIPA prohibits businesses from collecting more information than is required (a law firm requested ID from a potential client to comply with money laundering legislation, however confirmed that the law society did not require this collection when providing free services). [Potential Client Questions Law Firm Demand for Identification (P16-06-MS)]

CA – CAI PQ Reminds Landlords They May Only Collect Limited Contact and Credit Related Information from Prospective Tenants

The Commission d’accès à l’information du Québec issued reminders to landlords regarding privacy issues in light of July 1st, the traditional “moving day” in Quebec. A landlord may request a prospective tenant’s name and current full address, may ask to see ID, collect the name of a previous landlord, and perform a credit check (with tenant consent); the landlord may not collect data from a health card, driver’s license or passport, and should not request a SIN, employment or salary information, car details (e.g. brand, colour, or license plate number), or details of the tenant’s financial institution. [CAI PQ – Leases and Personal Privacy Principles and Guidelines To Be Respected]

Internet / WWW

WW – New Guidelines Help Cloud Providers Handle Data Breaches

Technology law specialist Bryan Tan discusses new guidelines in Singapore designed to help cloud providers and their business clients handle data breaches while following the country’s data protection regime. According to the new guidelines released by the Infocomm Development Authority of Singapore, the cloud outage incident response rules “are not meant to resolve issues due to cybersecurity, malicious act or breach of personal data protection laws.” The cloud outage incident response, or COIR, guidelines explain how the standards work with Singapore’s Personal Data Protection Act when a data breach occurs, discussing security arrangements to protect personal data, and ensuring security measures are compliant with the PDPA. COIR advises cloud providers on assessing and planning for outages, encouraging for response plans for any incidents, while also structuring the severity of the attacks into a four-tier system. [Full Story]

WW – Box to Let Overseas Customers Store Files Locally in Privacy Bid

Box is trying to lure international customers, offering overseas clients concerned about privacy the option to store information locally in cloud datacenters belonging to Amazon.com Inc. or IBM Corp. Starting in May, Box Zones will give customers the choice of locating their files in Germany, Ireland, Japan, and Singapore. The company plans to add more regions in the future, said CEO Aaron Levie, and is looking at further choices in Europe and Asia as well as adding Australia and Latin America. Customers, particularly in some parts of Europe and South America, face laws that require certain types of data to be stored in their country or have strong preferences for that. Storage closer to the customer can also speed up computing. Box runs data centers in the U.S. but didn’t want to incur the costs of building out internationally to attract these customers, and it’s cheaper to pay Amazon and IBM to use their facilities, Levie said. [Source]

Law Enforcement

CA – Report: Canadian Police Have Had BlackBerry Encryption Key Since 2010

The Royal Canadian Mounted Police (RCMP) have had a key to access encrypted BlackBerry messages since 2010, a joint report from Vice News and Motherboard found. According to the report, the RCMP first obtained the key in 2010 as part of an investigation into a series of violent crimes committed between 2010 and 2012. The investigation, dubbed Project CLEMENZA, resulted in the take down of two Italian-based organized crime cells in June 2014. Over the course of the investigation, the RCMP said it read more than one million private messages sent by members of the cell using a PIN to PIN interception technique. The RCMP said the investigation was the first time the encryption-breaking technique was used on such a large scale in a major investigation in North America. Court documents obtained by Vice Canada show the RCMP has a server in Ottawa – called the “Blackberry interception and processing system” – that cracks messages by simulating a mobile device that receives messages as though it were the intended recipient. The documents cite the RCMP’s use of the “correct global key” in decrypting the messages, though the documents do not specify how police obtained the key. [WirelessWeek] [Canadian Law Enforcement Can Intercept, Decrypt Blackberry Messages]

EU – Danish DPA Finds License Plate Information Retained Longer Than Necessary

The Data Protection Authority in Denmark investigated the processing of personal data by a parking lot company pursuant to the Act on Processing of Personal Data. The company retained license plate information on individuals for 15 months (for those exiting within the free parking period), and 5 years (for individuals that made correct payments, and those that did not pay); information for individuals not required to pay and individuals that have provided correct payment should be deleted without delay, and information for individuals that have not paid should be retained until a payment is made or a claim has been settled. [DPA Denmark – File No. 2015-631-0122 – Registration of License Plates in Parking]

CA – Chatham PD Registry of “Vulnerable” People 10% of Population

The Chatham-Kent Police Service is creating a registry of people considered to be vulnerable, through a voluntary online registry service. Data available to police would be submitted by a legal guardian or caregiver to be used by police should they need to interact with or search for them. Chief Gary Conn said the Vulnerable Persons Registry will be implemented with the service through a new online program they purchased called COP Logic. “In two to three weeks it will be soft-launched, so probably at the end of April or beginning of May,” said Conn, who also called the registry, “another investigative tool in our tool kit.” Conn added, “The advantages of the system are pretty self-evident.” He said the information in the vulnerable persons registry could be used, for example, if someone goes missing. If that person’s profile shows they have an attraction to certain places, it could mean finding them more quickly. People who may benefit from listed with the registry would include those who wander, have an inability to communicate, have fascinations or attractions to places of possible danger such as water or construction sites, or who have social responses such as aggression or fear of the police. When police receive a call involving a registered person or flagged address, the responding officers are notified and given the information contained in the registry to help them in responding more effectively to the situation. Acknowledging that the definition of “vulnerable” is a broad one, Conn said up to about 10,000 people in Chatham-Kent – nearly one-10th of the entire population – might meet the mandate of the definition. The information that will be contained in the registry will be treated as confidential by officers, subject to the Personal Health Information Protection Act, and will be used when responding to incidents or investigations involving the registered person. [Source]

Online Privacy

WW – Study: Shortened URLs Not As Private As You Think

In a paper released April 14, researchers at Cornell Tech outlined how Google, Bit.ly, and Microsoft’s shortened URLs can be “brute-forced” by hackers to access and manipulate so-called “private” sites. “With a decent number of machines you can scan the entire space,” said Cornell Tech’s Vitaly Shmatikov. “You just randomly generate the URLs and see what’s behind them.” Once the process is complete, “online resources that were intended to be shared with a few trusted friends or collaborators are effectively public and can be accessed by anyone,” the researchers said in their report. “This leads to serious security and privacy vulnerabilities.” [Wired]

WW – Google Unveils Privacy-Protective Beacon

Seeking an answer to Apple’s iBeacon, Google released new information on its open-source beacon format Eddystone. Eddystone has four different frame types, one for identifying other beacons, a second to send URLs to other devices, and a third that sends diagnostic data on a user’s phone. The fourth option, the Ephemeral Identifiers mode, offers a secure connection between the beacon and user. The EID is the only format to keep device information private and can be used to act as a Bluetooth tracker to locate various objects, like car keys. No identifiable or traceable information is available outside the connection as EIDs are equipped with a constantly changing identifier that alters the beacon ID — anywhere from a couple of seconds to hours at a time — making it difficult for third parties to capture any usable information. [Ars Technica]

WW – How Should Crowdfunding Platforms Deal With Privacy?

Crowdfunding has seen explosive growth, both domestically and globally, in the past few years. As the industry continues to mature, U.S.-based crowdfunding platforms are beginning to find that privacy considerations deeply impact their business. Aside from the usual considerations facing traditional financial service companies, crowdfunding platforms must be conscientious in the type of borrower or sponsor data they choose to display to investors on their website. Depending on the particular measures employed to protect the individual’s identity, the website may end up publishing very sensitive information in violation of strong public policies in favor of identity protection. [Privacy Advisor]

US – NAI Members’ Privacy Practices Up to Snuff: Study

The Network Advertising Initiative published its 2015 Annual Compliance Report, compiled by NAI Counsel and Director of Compliance Anthony Matyjaszewski. The report studied its “members’ adherence to the NAI Code of Conduct,” and found NAI members “­met their obligations under the provisions of the code and demonstrated their commitment to consumer privacy and industry best practices.” The NAI’s Noga Rosenthal said, “NAI is set apart in the industry by its high standards for Internet­-Based Advertising and related business models, and our robust monitoring program that ensures compliance with these standards. The 2015 Compliance Report shows that member companies continue to take their obligations under the code seriously.” [Network Advertising Initiative]

WW – As Friend Network Grows, Facebook Sharing Decreases

Facebook is trying to combat a growing lack of “personal sharing” that occurs as social media users’ friend groups increase and a sense of online intimacy diminishes. The trend of sharing news articles instead of personal status updates has led to what insiders dub a “context collapse,” with “original sharing” of personal anecdotes down 21% since mid-2015, the report states. Instead, users are employing outlets like Instagram and Snapchat to share, where their audience is comparatively small. Facebook’s newer “On This Day” feature is an attempt to combat the trend, the report adds. Meanwhile, a forthcoming Chrome extension, “Data Selfie,” will let users see their data profile as Facebook and other advertisers do, Motherboard reports. [Bloomberg Technology]

Privacy (US)

US – FTC Accepting Research Proposals for 2016 Events

The FTC is accepting proposals via public comment from privacy researchers for its upcoming PrivacyCon and Fall Technology Series events. The FTC’s 2016 focus is on research papers that “quantify consumers’ privacy and security interests, discuss attack trends and responses, and describe research on transparency and control,” the report states. “It is extremely valuable for us to hear from privacy and security researchers about their work,” the report continues. “This helps us stay up-to-date with technology and identify potential areas for investigation and enforcement.” The FTC will accept PrivacyCon submissions until Oct. 3. [Source]

US – Uber to Pay Up To $25M in Driver Background Checks Lawsuit

Uber has settled a civil lawsuit with the district attorneys of L.A. and San Francisco over claims the company deceived customers on its safety practices and driver background checks. In papers filed in a U.S. District Court, Uber will pay $5 million to each of the district attorneys and faces an additional $15 million fine if the terms of the settlement aren’t met within two years. Additionally, the safety-related language Uber uses around the ride fees must be reworded. The lawsuit claimed Uber overstated safety measures used to screen drivers, only requiring a driver pass a background check carried out by a third-party service. [The New York Times]

US – Lawsuit: Seattle Compost Ordinance Is Rotten

A Seattle ordinance that bars people from throwing their coffee grounds, pizza scraps and other potential compost into their trash cans is being challenged by critics who say the liberal city is turning garbage collectors into trash investigators. A group of homeowners has sued the city over the tactic, claiming it violates privacy protections provided by the state Constitution. The rule that went into effect early last year requires trash collectors to tag garbage cans that contain more than 10% compostable material with educational information. The tactic is projected to divert as much as 38,000 tons of extra food waste from a landfill every year. Several other cities have passed similar food waste laws, including Vancouver, B.C., San Francisco and Portland, Oregon. Lawyers for the homeowners cited a case that was argued in front of the Washington Supreme Court in which Port Townsend police searched a man’s garbage for evidence that he was selling drugs after the trash was placed on a curb. The court ruled police needed a warrant to search the rubbish, even if it was in plain view near the sidewalk. Homeowners also presented an affidavit from someone claiming they were tagged for compost violations twice when their trash had been secured in black plastic bags, suggesting collectors opened the bags to search for compost. [Source]

US – Uber has Given US Agencies Data on More than 12 Million Users

Uber has released its first ever transparency report. More than 12 million riders and drivers were affected by regulators’ data demands between July and December 2015. The fact that regulators are doing the demanding is what makes the number so big. Uber’s the first company, it claims, to include regulatory requests. Uber says the reason it’s including regulatory requests is that its business is “different.” Besides regulatory data, Uber provided data on 469 users to state and federal law agencies. The agencies requested information on trips, trip requests, pickup and dropoff areas, fares, vehicles, and drivers. It got 415 requests from law enforcement agencies, the bulk of which came from state governments. It produced data in nearly 85% of these cases. Uber used the transparency report release to push back against regulatory agencies that it thinks could compromise users’ privacy by going after more data than necessary. From the Medium post: In many cases they send blanket requests without explaining why the information is needed, or how it will be used. And while this kind of trip data doesn’t include personal information, it can reveal patterns of behavior  –  and is more than regulators need to do their jobs.It’s why Uber frequently tries to narrow the scope of these demands, though our efforts are typically rebuffed. This isn’t the first time Uber has wrangled with the California Public Utilities Commission (CPUC) over rider and driver data. In January, the CPUC fined Uber $7.6 million for failing to meet data reporting requirements in 2014. The CPUC was after data about accessible cars, the number of rides requested and accepted per ZIP code, and driver safety information. [Source]

Security

UK – Brits Suffer More than 2,000 Ransomware Attacks Each Day

DON’T PANIC but the amount of cyber crime bashing the UK is increasing, at least according to Symantec and one of its regular round robin threat missives. The Symantec 2016 Internet Security Threat Report warned that threats are rising in several areas. The firm logged an international increase of 35% in crypto-ransomware attacks, the UK taking the third largest chunk with up to 2,215 attacks a day. Some of the best advice from the security community is to use strong passwords, a suggestion Symantec makes in its summaries and guidance information. The security firm said that the enemy is now more organised than ever before, and that most groups have the same kind of resources, skills and support as nation-state hacker groups. “ [The Inquirer]

Smart Cars / IoT

US – NTIA Begins Internet of Things Consultation

The National Telecommunications and Information Administration (“NTIA”) has initiated an inquiry regarding the Internet of Things (IoT) to review the current technological and policy landscape; NTIA is seeking input from interested stakeholders on the potential benefits and challenges of these technologies and what role, if any, government should play – comments are due before May 23, 2016. [Source]

Surveillance

CA – RCMP Being Investigated Over Controversial Spy Tech

An OPC spokesperson confirmed that it has opened an investigation into the RCMP’s use of IMSI catchers, or “StingRays.” These devices are essentially fake cell phone towers that force phones in the vicinity to connect and reveal identifying information. The use of such devices has been the topic of much heated discussion and public debate in the US. The Florida Supreme Court ruled that the warrantless use of StingRays by police is unconstitutional in 2014. StingRays are controversial because they target devices within a certain area, and thus risk violating the privacy of innocents. A leaked email from Correctional Services Canada last year indicated that an unnamed, StingRay-like device was installed in an Ontario prison to monitor inmate communications, but also caught innocent people outside the facility in the dragnet. “These are fundamentally tools of mass surveillance,” said David Christopher of OpenMedia, the organization that filed the privacy complaint that spurred OPC’s investigation. Canadian police have been extraordinarily unforthcoming when it comes to the use of IMSI catchers, or StingRays. Last month, seven men accused in a Quebec court case relating to a mafia slaying pleaded guilty, but not before the RCMP was forced to reveal in open court that they had used a so-called “mobile device identifier”—the RCMP’s term for IMSI catchers—in the course of their investigation. The end of the case meant that the RCMP will reveal no more information about its use of IMSI catchers in court. In BC, Vancouver police are embroiled in a public battle to keep the details of their use of IMSI catchers secret. [Source] See also: [Feds back RCMP secrecy on possible use of ‘stingrays’ for surveillance] [Privacy watchdog to investigate RCMP over alleged ‘stingray’ cellphone surveillance]

US – Bill Permits Government Use of Automatic License Plate Reader Systems

HB 93, An Act to Amend Article 1 of Chapter 1 of Title 40 of the Official Code of Georgia, has passed the House and is tabled in the Senate. Law enforcement agencies are permitted to store (immediately upon collection) and exchange license plate data; the data cannot be accessed except for a law enforcement purpose, must be destroyed no later than 1 year after collection, and policies and procedures for use and operation of an automated license plate recognition system must be maintained. [HB 93 – An Act to Amend the Georgia Code to Prohibit Law Enforcement from Retaining License Plate Data Obtained from License Plate Recognition Systems]

Telecom / TV

US – California Says No to Phone Decryption Bill

A California bill that aimed to punish companies for making smartphones that can’t be cracked has failed. The bill, introduced by assembly member Jim Cooper was introduced in January and required any smartphone sold in California to have the ability to be decrypted. It was “rejected without a vote,” the report states. “The bill, both before and after it was amended, posed a serious threat to smartphone security,” said Rainey Reitman of the Electronic Frontier Foundation. “It would have forced companies to dedicate resources to finding ways to defeat their own encryption or insert backdoors to facilitate decryption.” [ZDNet]

WW — Google Changes App Developer Rules

Aiming to improve privacy and mitigate risk, Google has released a new set of users’ data policy rules for its Chrome Web Store. Developers will be required to publish a privacy policy and use encryption for sensitive or personal information, the report states. And if sensitive data is being collected for a reason that isn’t directly related to an app feature, a prominent disclosure is required, separate from the privacy policy. The change comes following the passage of the GDPR, which requires “clear and affirmative consent” when processing personal data, the report states. Google says developers have until July 14 to makes the necessary changes to comply. [ZDNet]

US Government Programs

US – Privacy Orgs Encourage FCC to Ignore Comment Extension Requests

The Center for Digital Democracy, Electronic Privacy Information Privacy, and eight additional agencies have asked the FCC to disregard the Association of National Advertisers’ request to extend the evaluation time of the FCC’s new behavioral advertising regulations. The ANA’s wish for a request for a 60-day deliberation extension is “unwarranted,” as “the public has long had notice of many of the questions the FCC would attempt to address in this proceeding,” the groups said in a letter to the FCC. “This issue is extremely important and timely. In order to protect consumers without undue delay, the FCC should decide it as quickly as possible.” [MediaPost] [Association of National Advertisers seeks extension for comments on FCC’s broadband rule]

US Legislation

US – Draft Crypto Bill Criticized as “Ludicrous, Dangerous, Technically Illiterate”

US senators have introduced legislation that would require technology companies to comply with requests from law enforcement to unlock encrypted devices. A “discussion draft” of the bill was leaked last week. It has been criticized for weakening security and hindering competitiveness. The bill requires compliance with court orders for information, and if the information is “unintelligible,” the bill requires that the information be made “intelligible.” [Wired] [SC Magazine] [CNET] [InformationWeek]

US – House Bill Would Require Verification of Identification to Purchase Pre-Paid Mobile Devices

H.R. 4886, Closing the Pre-Paid Mobile Device Security Gap Act of 2016, was introduced in the House of Representatives and referred to the Committee on Energy and Commerce. Authorized resellers of mobile devices and SIM cards would be required to collect identifying information at time of purchase and share the information with the device’s wireless carrier; failure to comply with these provisions can result civil penalties of $50 for each separate offense. [H.R4886 – To require purchasers of pre-paid mobile devices or SIM cards to provide Identification]

Workplace Privacy

CA – Secret Video Surveillance Allowed In Ontario Dismissal Case

In a preliminary award, an Ontario arbitrator allowed covert video surveillance footage to be used as evidence in a wrongful dismissal grievance. The complainant, Mr. Donnelly, was one of three elementary school custodians dismissed for allegedly smoking marijuana, adjacent to school grounds during working hours. The wrongful dismissal case between Ottawa-Carleton District School Board and Ontario Secondary School Teachers’ Federation, District 25 (Donnelly Grievance) was mediated by Arbitrator Knopf. The three dismissed custodians were reported by a fellow employee who maintained alleged marijuana use and trafficking, while at work. Following the report, the Board’s Director of Human Resources sought approval to hire a private security company to conduct covert video surveillance. The surveillance team was strictly instructed to record only illegal drug use within the vicinity of the school. Following such footage being obtained, the complainant was reprimanded and his employment terminated by the Board. In Donnelly’s defence, the union highlighted the failings of the surveillance footage in adhering to the Board’s policies and procedures. The union maintained that the security company had failed to deliver the video evidence in a secure manner, without proper documentation of the approval process. They argued the video evidence be inadmissible, as policy permitted video surveillance, only to enhance safety, protect property or identify intruders, and not to collect dismissal evidence. Furthermore, they contended such covert video surveillance should only be used as a last resort, which this was not. Privacy rights were taken into account when assessing the admissibility of the video footage, however, Arbitrator Knopf accepted the evidence in light of the management’s right to provide a safe workplace. She decided this was a last resort situation, and the former employee had a low expectation of privacy since he allegedly performed illegal drug use and trafficking in a public space, while at work, and wearing a work uniform. She said that the Board had a reasonable basis to carry out the surveillance, amid credible allegations of illegal behaviour on school grounds. [Source] See also: [Ireland CCTV images of illegal dumpers raise privacy concerns: Data Protection Commissioner contacts Dublin City Council over litter poster]

CA – Tribunal Denies Request by Employer to Submit Surreptitiously Obtained Evidence from Employee’s Social Networking Account

A Quebec labour tribunal considered an appeal of an earlier decision, including a request to consider evidence from an employee’s social networking site. The employer obtained the social networking profile content through the deceptive actions of an unknown third party, and it is not the first occasion on which the employer has done so; the employer has not demonstrated sufficient grounds to justify such an invasion of privacy (i.e. a serious purpose that would appropriately allow the employer to discover dishonest content of the employee’s Facebook page, without the employee’s knowledge). [Maison St-Patrice Inc. v. Julie Cusson – 2016 QCTAT 482 – Administrative Labour Tribunal]

CA – Best Practices: OPC Guidance on Handling Employee “Snooping”

The OPC guides entities on addressing inappropriate employee access to personal information. Organizations must set clear expectations with their employees (through clear communication concerning snooping, its harm and consequences), monitor for unauthorised access to records (audit access logs), and be prepared to respond appropriately when snooping is discovered (conduct of investigation, mitigate harm to affected individuals, and include disciplinary action). [OPC Canada – Ten Tips for Addressing Employee Snooping]

AU – New Legislation Allows Companies to Surveil Suspicious Employees

New Australian legislation allows employers to watch their employees outside of the workplace if there’s suspicion of unlawful activity tied to their job. The law covers 160,000 Canberra workers, UnionsACT Chief Alex White said. “If someone has done the wrong thing, if they are breaking the law or engaging in criminal activity, the appropriate agency to investigate that is the police, it’s not the employer or insurance company,” said White. Justice Minister Shane Rattenbury said strict safeguards are enacted to ensure workers have a right to privacy. “There are important safeguards there with the requirement for a magistrate to permit any sort of surveillance that is undertaken,” said Rattenbury. “We also worked very closely with the Human Rights Commission to make sure that these rights, these new powers, were compliant.” [Full Story]

+++

01-08 April 2016

Biometrics

IN – Indian Gov’t Biometric Database at One Billion-Person Mark

India’s biometric database notched up one billion members this week, as the government sought to allay concerns about privacy breaches in the world’s biggest such scheme. India is home to 1.2 billion people. The database was set up 7 years ago to streamline benefit payments to millions of poor people as well as to cut fraud and wastage. Under the scheme, called Aadhaar, almost 93% of India’s adult population have now registered their fingerprints and iris signatures and been given a biometric ID. IT minister Ravi Shankar said the initiative had enabled millions to receive cash benefits directly rather than dealing with middlemen. He said the government had saved 150 billion rupees ($2.27 billion) on its gas subsidy scheme alone – by paying cash directly to biometric card holders instead of providing cylinders at subsidised rates. He also said all adequate safeguards were in place to ensure the personal details of card holders could not be stolen or misused by authorities given access to the database. His comments come after parliament passed legislation giving government agencies access to the database in the interests of national security. It was passed using a loophole to circumvent the opposition in parliament, where the ruling Bharatiya Janata Party (BJP) lacks a majority in the upper house. [Agence France-Presse]

JP – Fingerprints to be Tested as ‘Currency’ in Japan

Starting this summer, the Japanese government will test a system in which foreign tourists will be able to verify their identities and buy things at stores using only their fingerprints. The government hopes to increase the number of foreign tourists by using the system to prevent crime and relieve users from the necessity of carrying cash or credit cards. It aims to realize the system by the 2020 Tokyo Olympic and Paralympic Games. The experiment will have inbound tourists register their fingerprints and other data, such as credit card information, at airports and elsewhere. Tourists would then be able to conduct tax exemption procedures and make purchases after verifying their identities by placing two fingers on special devices installed at stores. The Inns and Hotels Law requires foreign tourists to show their passports when they check into ryokan inns or hotels. The government plans to substitute fingerprint authentication for that requirement. A total of 300 souvenir shops, restaurants, hotels and other establishments will participate in the experiment. They are located in areas that are popular among foreign tourists. The government plans to gradually expand the experiment by next spring, to cover areas including tourist sites in the Tohoku region and urban districts in Nagoya. It hopes to realize the system throughout the country, including Tokyo, by 2020. [Source]

Canada

CA – CSE and CSIS Looking to Work Together, Say Top Secret Documents

Canada’s top two intelligence agencies looking for new ways to work together, while review bodies remain in silos. The heavily censored documents were sent by CSE chief Greta Bossenmaier and CSIS director Michel Coulombe to Richard Fadden, the national security adviser to the prime minister, in August 2015. Fadden was both a former director of CSIS and the former top bureaucrat at National Defence, which is responsible for CSE. Bossenmaier and Coulombe suggest the two agencies are trying to “leverage (CSE’s) Mandate C authorities,” and set up a working group to “maximize opportunities for operational collaboration.” That could spell trouble for the small group of independent watchdogs reviewing the spy agencies’ activities. Both Security Intelligence Review Committee and the CSE Commissioner’s office can review their respective agencies but can’t conduct joint investigations or see the big picture. [The Star]

CA – Liberals Postpone Full Access-to-Information Reform to 2018

The Liberal government says a full review of the outdated Access to Information Act will have to wait another two years. A comprehensive examination of the access law will begin in 2018, Treasury Board President Scott Brison said. Meantime, the government plans to introduce legislation as soon as this year with quick fixes to the law, based on promises the Liberals made during the election campaign and consultations already under way. The promised changes include giving the information commissioner the power to order government records to be released and ensuring the access law applies to the offices of the prime minister, his cabinet members and administrative institutions that support Parliament and the courts. A Commons committee recently began a study of the Access to Information Act, which has not been substantially updated since it took effect almost 33 years ago. In addition, the government began a public consultation on transparency on Tuesday. People can go to open.canada.ca to offer their views on what should be in the next federal strategy on open government. Officials will also hold in-person discussions across the country and the resulting plan is to be released this summer. [Source] See also: [Canadian officials requested to meet with Information Commissioner Suzanne Legault in order to find “a mutually satisfactory resolution” to a constitutional challenge to a law that protected Mounties after they destroyed data]

Consumer

US – FCC Exploring Supercookie Ban in Verizon Case

As part of the FCC’s proposal to require ISPs to gain consent before tracking consumers’ online behavior for ad purposes, it is also considering banning certain tracking technologies. The FCC is seeking comment on “whether the use of persistent tracking technologies may expose … customers to unique privacy harms and as such, whether the Commission should prohibit (Internet service) providers from employing such practices.” More specifically, it would like to know whether the technologies should require some form of customer consent, and whether the technology, or banning it, has benefits for consumers. [Full Story]

EU – Group of 75 Consumer Orgs Comes Out Against Shield

Trans Atlantic Consumer Dialogue, a collection of 75 consumer-rights groups based in the U.S. and Europe, issued a statement today urging the European Commission “not to adopt the Privacy Shield.” The group criticized the potential adequacy agreement for being a “self-declared, self-regulatory system, which will be adhered to by a limited number of companies” and said the U.S., because it lacks a “robust” privacy framework, cannot guarantee an essentially equivalent level of protection for personal information of European citizens. TACD also urged the Commission to hold off on signing the EU-U.S. Umbrella Agreement for the sharing of data between law-enforcement agencies and to “prompt those Member States engaging in mass surveillance of individuals to put an end to such practices.” [Full Story]

E-Mail

CA – CRTC Enters into MOU with FTC on Spam & DnC

On March 24, 2016, the CRTC signed a memorandum of understanding with the US FTC. The MOU is an effort by Canada and the US to work together on anti-spam enforcement measures, and expressly refers to unsolicited telecommunications, unsolicited commercial electronic messages (spam), and other unlawful electronic threats (e.g., malware and botnets). The MOU will allow the Participants to facilitate research and education related to unauthorized communications. Both Commissions also plan to share knowledge and expertise through training programs and staff exchanges, and to inform each other of developments related to the laws, among other activities. [Source]

US – FBI: $2.3 Billion Lost to CEO Email Scams

The U.S. FBI this week warned about a “dramatic” increase in so-called “CEO fraud,” e-mail scams in which the attacker spoofs a message from the boss and tricks someone at the organization into wiring funds to the fraudsters. The FBI estimates these scams have cost organizations more than $2.3 billion in losses over the past three years. In an alert posted to its site, the FBI said that since January 2015, the agency has seen a 270% increase in identified victims and exposed losses from CEO scams. The alert noted that law enforcement globally has received complaints from victims in every U.S. state, and in at least 79 countries. The FBI estimates that organizations victimized by CEO fraud attacks lose on average between $25,000 and $75,000. But some CEO fraud incidents over the past year have cost victim companies millions — if not tens of millions — of dollars. [Krebs]

Encryption

WW – WhatsApp Just Switched on Encryption for a Billion People

WhatsApp, an online messaging service now owned by tech giant Facebook, has grown into one of the world’s most important applications. More than a billion people trade messages, make phone calls, send photos, and swap videos using the service. And today, the enigmatic founders of WhatsApp revealed that the company has added end-to-end encryption to every form of communication on its service. This means that if any group of people uses the latest version of WhatsApp—whether that group spans two people or ten—the service will encrypt all messages, phone calls, photos, and videos moving among them. And that’s true on any phone that runs the app, from iPhones to Android phones to Windows phones to old school Nokia flip phones. With end-to-end encryption in place, not even WhatsApp’s employees can read the data that’s sent across its network. In other words, WhatsApp has no way of complying with a court order demanding access to the content of any message, phone call, photo, or video traveling through its service. Like Apple, WhatsApp is, in practice, stonewalling the federal government, but it’s doing so on a larger front—one that spans roughly a billion devices. [WIRED] See also: [Public Safety, RCMP saying little about WhatsApp encryption]

EU Developments

EU – Deal with EU, Canada to Share Air Travellers’ Data Raises Privacy Fears

An agreement between the EU and Canada to share airline passenger data that they say is key to fighting terrorism drew tough scrutiny at an EU court hearing last week because of privacy concerns. The dispute over the retention and sharing of passenger name records (PNR) has become a shibboleth in Brussels for the debate over balancing people’s privacy with the need to protect against terrorism. The agreement with Canada foresees the retention and sharing with Canadian authorities of airline passenger data by carriers operating flights between the EU and Canada. The Luxembourg-based Court of Justice of the European Union (ECJ) heard arguments for and against the agreement at a six-hour proceeding. Islamist militant attacks in Paris last year and last month’s attacks in Brussels have stoked calls for law enforcement agencies to have easier access to people’s data. Ireland, France, Britain, Spain and Estonia, who intervened in the case, emphasized that PNR do not allow investigators to paint a detailed picture of someone’s private life. But the European Parliament and privacy advocates cast doubt on that assertion. [Reuters]

EU – Other News

Facts & Stats

WW – 2016 Data Security Incident Response Report

BakerHostetler has yet again compiled a year’s worth of breach response data into a compact report that analyzes trends in data breach response, released this year to coincide with the Global Privacy Summit. “Is Your Organization Compromise Ready?” documents lessons learned from more than 300 security incidents in 2015. Some of the major findings? Nearly a quarter of all breaches happened in the healthcare industry. It takes an average of 69 days from occurrence of a breach to its discovery, and an average of 40 days from discovery to notification. And nearly a quarter of incidents led to regulatory investigations or inquiries. [Read More]

Finance

WW – Panama Document Leak Exposes Global Corruption, Secrets of the Rich

The financial secrets of heads of state, athletes, billionaires and drug lords have been exposed in the latest — and biggest ever — leak of records from an offshore tax haven. The leak includes 11.5 million confidential documents shedding light on the assets and murky fiscal dealings of everyone from the prime ministers of Iceland and Pakistan to soccer player Leo Messi, movie star Jackie Chan and associates of Russian President Vladimir Putin. The records, dating as far back as 1977, come from a little-known but highly influential Panama-based law firm called Mossack Fonseca, which has 500 staff working in 40-plus countries. The firm is one of the world’s top creators of shell companies — corporate structures that can be used to hide ownership of assets. German newspaper Süddeutsche Zeitung obtained the files from a source and shared them with global media partners, including CBC News and the Toronto Star, through the Washington-based International Consortium of Investigative Journalists. The release of the leaked documents may prompt governments to seek “concrete sanctions” against jurisdictions and institutions that peddle offshore secrecy. [CBC] News

US – NAIC Seeks Feedback for Insurance Data Security Law

A cybersecurity task force of the National Association of Insurance Commissioners (NAIC) has proposed a new insurance data security model law. The initiative, introduced last month, establishes new standards for data security, breach responses and the roles of the regulator, the organization says. “Because insurance is a data-driven industry, regulators must understand what data is being collected and for what purpose,” the NAIC said. “Today, regulators and companies have a need for data beyond what has been traditionally collected. But what regulators need is greater insight, not just more data.” Early responses to the proposed law have been mixed, with other associations raising concerns about the law’s suggestion that insurance regulations be allowed to vary by state and variations in response allowed for jurisdictional commissioners. After several high-profile hacks in 2015, the insurance industry and its regulators still are learning about the hackers aggressively hunting customer’s personally identifiable information (PII) data, financial records and medical histories. [Source] [See Graphic] See also: [state data security breach notification laws] and also: [Cyber insurance underwriters may want to consider less “absolute” questionnaires: ICRMC speaker]

US – Cyber Insurance Rates Drop

The rates for cyber insurance for organizations usually deemed to be high risk, such as retailers and healthcare organizations, fell during the first three months of 2016 because of a drop in high-profile breaches. The average price for US $1 millions in insurance fell to US $18,756. Last year, in the wake of high profile breaches like those at Target and Home Depot, the average premium was as high as US $21,642. [Reuters]

FOI

CA – NL Teachers Going to Court to Fight Sunshine List Disclosure

The Newfoundland and Labrador Teachers’ Association (NLTA) plans to go to court to block the release of the names of about 300 people who earn more than $100,000 working in the province’s school system. NLTA president Jim Dinn said that when he became aware of an access to information request seeking the names and salaries of teachers, he “immediately” knew the association had to fight it. Dinn said he believes releasing the list of teachers, principals and other educators earning more than $100,000 would be an undue invasion of privacy. Last year, as part of the Progressive Conservative government’s push for greater government openness and transparency, then-minister Steve Kent committed to creating a so-called “sunshine list” that would include the names, positions and remuneration of all government employees earning more than $100,000. The project was never completed because the Tories were tossed from government by voters in the November election. Since they took power, the new Liberal government has been indecisive on whether to follow through. In the meantime, The Telegram filed a suite of access to information requests in an attempt to create an ad hoc sunshine list. Several public bodies — including Memorial University, the core civil service, Nalcor Energy and the Royal Newfoundland Constabulary — have provided the requested information, and that data will be posted online by The Telegram this week. However, the province’s four regional health authorities and the English School District have declined to provide employees’ names. Those five public bodies said they would first inform their employees about the potential disclosure, and if anybody objected, the matter would be sent to the Office of the Information and Privacy Commissioner, or to the courts, for a ruling. [Source]

CA – NL Salary Disclosures OK Under New Access Law, Watchdog Says

Newfoundland and Labrador’s information and privacy commissioner says the new transparency law that replaced Bill 29 permits the public release of salary details of employees of public bodies. “It is our view that such a disclosure is in compliance with the law,” Ed Ring said in a press release issued Monday afternoon. Ring noted that a number of public bodies have already released that information in response to open-records requests. But he said others “have been uncertain in their interpretation of the law,” and have notified affected employees before releasing the information. Ring noted that a panel led by former premier and judge, Clyde Wells, that reviewed access-to-information laws found that disclosure of salary details is not an unreasonable invasion of privacy, and therefore cannot be withheld by a public body. “It is the interpretation of this office that this means that names of public body employees and their salaries are to be disclosed to an access-to-information applicant upon request,” Ring noted. “This type of disclosure is not unusual in Canada, and for example, has been done for many years under different legislation in Ontario.” [Source]

US – The FBI Says a Piece of Code Broke Its FOIA System

In February, activist Michael Best took a novel approach to filing a mass of Freedom of Information Act requests at once: he wrote a script to automatically ask for the files of just under 7,000 dead FBI officials. The FBI has replied, and it is not happy. The agency decided to not accept any of Best’s related requests, and may have also blocked or otherwise filtered further emails sent to the agency’s FOIA department by him. The episode shows that the way FOIAs are processed is very much an antiquated practice, and that perhaps US government agencies should think of new ways to handle requests. “The FBI email portal is designed to provide a convenient, alternative means to all Freedom of Information Act (FOIA) and Privacy Act (PA) requestors [sic] to make requests for FBI records,” a letter from David M. Hardy with the FBI’s Records Management Division to Best, dated March 30, 2016, reads. “On February 29, 2016, the FBI received an exceedingly high volume of submissions from you via the FBI email portal which had been generated by script [sic] using a list of names. This matter of submission interfered with the FBI’s ability to perform its FOIA and PA statutory responsibilities as an agency. Accordingly, the FBI did not accept these submissions on February 29, 2016, via the FBI FOIA email portal,” it continues. Best’s script was simple enough: It took names of special agents and other FBI officials collated from the agency’s own “Dead List,” a list of people the FBI knows to be deceased, and placed each into a request template. The request was for records held concerning the subjects, which can be released after the person is deceased. (For what it’s worth, Best says he didn’t submit his requests via the “email portal” as the FBI’s letter states, but just sent them to the normal FBI FOIA email address.) “I think the letter’s vagueness is counterproductive,” Best told Motherboard in a Twitter message. “’The manner of submission’ could mean almost anything. The volume of requests, or using the script? If it’s the former, I’ve never heard of an agency discarding FOIA requests because there were too many, and if it’s the latter I don’t see how the locally run script would have created a problem.” The requests weren’t even “rejected,” at least in the traditional FOIA context. Requests can be rejected if they are determined to be too burdensome on the agency. But that’s not what happened here—the FBI didn’t even accept the requests in the first place. [Source]

CA – Residential School Abuse Stories Must Be Shredded After 15 Years: Court

Survivors of Canada’s notorious residential school system have the right to see their stories archived if they wish, but their accounts must otherwise be destroyed in 15 years, Ontario’s top court ruled in a split decision last week. At issue are documents related to compensation claims made by as many as 30,000 survivors of Indian residential schools — many heart-rending accounts of sexual, physical and psychological abuse. Compensation claimants never surrendered control of their stories, the Appeal Court said. “Residential school survivors are free to disclose their own experiences, despite any claims that others may make with respect to confidentiality and privacy,” the court said. The court rejected the idea the documents were “government records” but said the material fell under the court’s control. [Source]

US – ESPN Argues Athlete’s Medical Records Matter of Public Concern

Cable sports network ESPN has filed court papers arguing that journalists are entitled to provide the public with visual evidence to corroborate reports, even in cases involving the athlete’s medical records. Last summer, Jason Pierre-Paul, a player in the NFL, blew part of his hand off in a fireworks accident. Reporter Adam Schefter tweeted a picture of Pierre-Paul’s medical record as proof. The football player has sued ESPN, arguing his privacy was violated. The media outlet argues Pierre-Paul’s claims “cannot succeed where, as here, the subject-matter of a news report is a matter of public concern.” [Hollywood Reporter]

CA – Judges Reject Media Ban in Two Assisted-Death Cases

Canadian judges have refused to bar the media from assisted-death cases for the first time. Judges in Ontario and British Columbia both rejected requests to ban the media from the hearings, breaking precedent set in Canada’s first application for an assisted death in late February. While the judges in the two cases understand the request for privacy by the two clients, the cases are “uniquely significant,” and blocking the media would harm the “open court principle,” said Chief Justice Christopher Hinkson of the British Columbia Supreme Court. “Conducting these proceedings in camera would effectively prevent the public from having any information about the case, other than what is volunteered by the parties or provided by the court in its reasons for judgment,” Hinkson said. [The Globe and Mail]

Health / Medical

CA – BC Arbitration Board Rules Nurse Must Be Reinstated Despite Multiple Incidents of Patient Data Snooping

The BC Nurses Union brought a grievance on behalf of a member who was terminated by her employer, the Vancouver Coastal Health Authority, for improperly viewing patient medical records. An arbitrator determined that termination was an excessive response and orders the nurse reinstated, with seniority, but without back pay or benefits; none of the information accessed was disclosed, and the nurse had realized the seriousness of the unauthorized access (she has been out of work a long time and had taken courses to educate herself on the issue). [Vancouver Coastal Health Authority (Olive Devaud Residence) v. British Columbia Nurses Union – 2016 CanLII 11873 (BC LA) – Labour Relations Board]

Horror Stories

PH – Philippines Breach Largest In Government History?

Sensitive information of nearly 55 million Philippine voters has been exposed in possibly the biggest government-related data breach in history. Security researchers believe the entire database of the Philippines’ Commission on Elections has been exposed following a cyberattack compromising the organization’s website by Anonymous Philippines, after which LulzSec Pilipinas, a second hacker group, posted the complete COMELEC database online. The data dump included information such as fingerprints and passport information, although COMELEC officials claim no sensitive information was accessed. Officials also said the national elections being held 9 May will not be affected by the attacks, as the election-related systems will be held on a separate site. During the initial attack, Anonymous Philippines warned COMELEC it should strengthen the security of the voting systems. [The Register]

TU – Nearly 50M national IDs, PII of Turkish citizens leaked online

The national IDs and other personal information of nearly 50 million Turkish citizens — more than half the country’s population — was leaked on a website hosted in Romania. The other personal information included in the data leak included full name and parents’ names of citizens, address and date of birth. Victims of the data breach also include the current president of Turkey, Recep Tayyip Erdoğan and the previous president, Abdullah Gül as well as current Prime Minister Ahmet Davutoğlu. The site features a “lessons to learn” portion that hints on how the data was stolen, and mentions lack of encryption and poor database security. [The Guardian]

CA – Breach at Alberta’s Maintenance Enforcement Program?

An Alberta government employee is under investigation after Edmonton police discovered as many as 60 sensitive files in the province’s maintenance enforcement program may have been accessed inappropriately. The alleged privacy breach was discovered during a larger police investigation, Justice Minister Kathleen Ganley said. The enforcement program collects and enforces court-ordered child and spousal support payments, meaning the files contained financial information and other personal details. “Obviously, we’re deeply concerned because this is the private information of individuals who have come into the program — sometimes very vulnerable individuals,” Ganley said. The employee in question is under investigation by both Edmonton police and Justice Department officials. The employee still has a job with the government, but no longer has access to the client database. “To the best of our knowledge, there is only one individual involved,” she said. [Edmonton Journal]

Identity Issues

CA – Price of Stolen Canadian Identity Plummets On Black Market

The price of a stolen Canadian identity has dropped by half in the space of a few years, says a new report from tech firm Dell. A set of Canadian “fullz” — the basic data needed to steal someone’s identity — now trades for around US$20 on the global market, down from a range of $35 to $45 in 2014, Dell Secureworks said in its latest Underground Hacker Marketplace Report. A set of “fullz” includes a person’s name, date of birth, an identifying government ID like a Social Insurance Number or driver’s licence and some form of financial data, like credit card or bank account numbers. Physical documents are more expensive, with passports going in the thousands of dollars. Fake Canadian passports can run upwards of US$2,600, more than U.S. passports though not as much as those of some European countries. A Canadian SIN card “was observed being sold by cybercriminals out of China for approximately $173,” the report said. The cheaper prices may have to do with a growing supply of stolen identities. The Insurance Bureau of Canada reported last month that there has been an increase in identity theft in Canada in recent years. The Canadian Anti-Fraud Centre said 17,000 Canadians reported being victimized by identity theft in 2015, and losses topped $10.7 million. But the centre warned that, more often than not, identity theft goes unreported. [HuffPost]

US – ONC, NIST Partner on Federated Identity and Health Data Privacy

The National Institute of Standards and Technology is putting up $1 million to find a new approach for patients and providers to access health records in a joint endeavor with the Office of the National Coordinator (ONC) for Health IT. Instead of piling up individual accounts for each provider a patient sees – dentist, specialist, primary care, in the doctor’s office or in the hospital – NIST and ONC are looking for ways to streamline the entire process by enabling a single credential across multiple providers. “For providers, making strides in the efficiency of accessing medical records means time and money saved – and, if done right, better outcomes for security and privacy – what NIST calls a “Federated Identity.’” NIST deputy director Michael Garcia wrote announcing the pilot. ONC, for its part, will participate in the review of applications and also provide technical support regarding implementation and operation of the pilot. “The goal is for hospital systems to work with other regional health systems and provider groups on developing and using a federated identity system,” Garcia explained. “The identity solution must be: privacy enhancing and voluntary; secure and resilient; interoperable; cost effective and easy to use.” NIST said it will fund one award between $750,000 and $1 million for eighteen months Applications can be submitted at Grants.gov until the June 1, 2016 deadline. [Source]

Internet / WWW

WW – Countries that Use Tor Most Are Highly Repressive or Highly Liberal

You might assume that people in the most oppressive regimes wouldn’t use the Tor anonymity network because of severe restrictions on technology or communication. On the other hand, you might think that people in the most liberal settings would have no immediate need for Tor. A new paper shows that Tor usage is in fact highest at both these tips of the political spectrum, peaking in the most oppressed and the most free countries around the world. Eric Jardine, research fellow at the Centre for International Governance Innovation (CIGI), a Canadian think-tank, is the author of the new paper, recently published in peer-reviewed journal New Media & Society. Jardine analysed data from 157 countries, stretching from 2011 to 2013. That information included a rating for a country’s political repression, derived from assessments made by US-based research group Freedom House, and metrics for Tor usage, sourced from the Tor Project’s own figures. Jardine included data for use of both Tor relays, which are nodes of the network users typically route their traffic through, and bridges, which are essentially non-public relays designed to be used in censorship-heavy countries that might block access to normal relays. He also considered a country’s internet penetration rate, intellectual property rights regime, wealth, secondary education levels, and openness to foreign influences. “The results show that, controlling for other relevant factors, political repression does drive usage of the Tor network,” Jardine writes. [Source]

WW – The Art of Privacy

Artist Trevor Paglen has exhibited a sculpture called the Autonomy Cube at museums around the world. The sculpture houses a custom wi-fi router. Museum visitors who connect to it will have their data redirected through the Tor network. The router also serves as a Tor relay. Paglen aims to install Autonomy Cubes in any museum that will pay for their creation. [Wired]

WW – Android Messaging Apps Leaking Data Through ‘Surreptitious Sharing’

German researchers have found a serious flaw in the way many popular Android email and messaging apps – including Skype and even secure systems like Telegram and Signal – share documents, images and videos. Dominik Schürmann and Lars Wolf from Braunschweig University of Technology say the bug, dubbed ‘Surreptitious Sharing’, allows attackers to capture data including passwords, private keys and message histories. They tested 12 popular email and messaging apps and found eight were exploitable. As a result, they said, the flaw is “definitely present in many more apps”. The affected messaging apps are Skype, Threema, Telegram and Signal. The vulnerable email apps are Google’s Gmail and AOSP Mail, K-9 Mail and WEB.DE. Four messaging apps were found to be safe – WhatsApp, Hangouts, Facebook Messenger and Snapchat. The bug lies in the main ‘Intent’ file-sharing API that Android apps use. This allows an attacker to access the receiving app’s private files. Worryingly, even privacy-focused messaging apps were “easily exploitable”, the researchers said. [Source]

Law Enforcement

US – Maryland Appeals Court Upholds Lower Court Stingray Ruling

An appeals court in Maryland recently ruled that police should not have used a stingray cell site simulator device without a warrant. The state had argued that by turning on cell phones, people were consenting to being tracked. The ruling upholds a lower court decision to suppress information gathered with the stingray. It also addresses the obfuscation police used in obtaining a warrant to use the stingray, writing, “A non-disclosure agreement that prevents law enforcement from providing details sufficient to assure the court that a novel method of conducting a search is a reasonable intrusion made in a proper manner and ‘justified by circumstances,” obstructs the court’s ability to make the necessary constitutional appraisal.” [Wired] See also: [Stingray ruling could challenge hundreds of Baltimore convictions]

CA – Canadian Police Forces Moving Towards Costly Body Cameras

Some Canadian cities and police forces already wrestling with cash-flow shortages are moving toward outfitting officers with body cameras despite privacy concerns and scant consensus on the technology’s cost-effectiveness. Body camera programs aren’t cheap, according to multiple forces across the country, and would require hiring more personnel to deal with the hundreds and thousands of hours of footage. Storage costs alone can run in the millions of dollars. Nonetheless, proponents say the cameras provide better evidence, lead to more convictions, improve officers’ interactions with the public and reduce police use-of-force incidents. Others, however, argue the videos invade the privacy of citizens, and worry that administrative duties related to body cameras will keep officers away from policing. [CTV News]

Location

UK – 93% of Mobile Users Have Their Location Tracked Every Day

A new campaign by privacy-focused advocacy group Krowdthink aims to raise aware of the privacy implication of owning a mobile phone in the UK. The ‘Opt Me Out Of Location’ campaign aims to highlight the fact that nearly every single mobile phone owner in the UK (93%) has unwittingly signed up for a contract that permits their location to be tracked. More than this, the data collected allows providers to build up highly detailed customer profiles which Krowdthink warns leaves millions of users just one serious data breach away from having private data exposed to and abused by criminals. Research by Krowdthink says that while most mobile users are suspicious of apps that make use of GPS, few people think about the fact that their location is highly trackable when they connect to wifi hotspots or cell towers. [Source]

Online Privacy

US – Judge Approves Sony Hack Settlement

U.S. District Judge R. Gary Klausner ruled in favor of the estimated 437,000 employees affected by the 2014 Sony hack, approving the settlement that would provide them identity theft protection through 2017. Klausner said the three years of credit monitoring is longer than granted in other class actions, the report states. Sony further agreed to “an optional service that will cover up to $1 million in losses,” with more specific figures relating to the monetary settlement forthcoming. [The Associated Press]

Other Jurisdictions

WW – Nymity and IAPP Announce New Privacy Management Tool

The IAPP and Nymity have announced the Nymity Privacy Management Workbook and supporting materials. Terry McQuay, Nymity’s President stated, “The Privacy Management Workbook is an unlocked Microsoft Excel Spreadsheet that can be used as is, or customized to meet a specific privacy officer’s needs. The Privacy Management Workbook is accompanied with the “Getting Started Manual”, that provides an operationalized approach to privacy management accountability and step by step instructions on how to use the Workbook. For organizations with mature privacy management embedded throughout the organization, there is a second manual called the “Demonstrating Compliance Manual”. This manual outlines an accountability approach to demonstrating compliance with privacy laws that is empowered by the documentation that was collected using the Privacy Management Workbook. [Privacy Management Workbook and the supporting materials]. [Source]

AU – Census Plan “A Massive Invasion of Privacy” Says EFA

Plans to retain people’s names and addresses for this year’s Census have sparked fear that the information could be used by Centrelink, the Tax Office and ASIO and may lead to mass civil disobedience or people lying on their forms, privacy groups believe. The Australian Bureau of Statistics (ABS), which has been around since 1905, conducts a Census every five years. While this has always involved collecting names and addresses, the difference is that this time it wants to hold on to all of this information. The Agency has said it wants to be able to combine Census data with other datasets, such as health and education statistics, to get a “richer and dynamic statistical picture of Australia.” Statisticians argue this could provide insights into many areas, for example, the employment outcomes of different educational programs or designing mental health services, and result in better service planning and delivery. Keeping names and addresses would also make surveys more efficient and reduce the cost and burden on Australian households, said the ABS. But Jon Lawrence from the Electronic Frontiers Australia said retaining such information was unwarranted and intrusive and “an exceptionally bad idea.” “At its very essence, it’s a massive invasion of the privacy of every Australian,” Mr Lawrence said. [Source] See also: [Benefits of the census retaining names and addresses should outweigh privacy fears]

Privacy (US)

US – FTC Releases Agency’s 2015 Annual Highlights Report

FTC Chairwoman Edith Ramirez released the FTC’s 2015 Annual Policy Highlights. The topics covered in the report include the FTC’s noteworthy legal actions in a variety of industries, including health care, technology and other consumer products and services. The report touches upon the FTC’s work to bring actions against technology companies to ensure the protection of consumers’ personal info, including settling a charge with Oracle over the safety provisions in updates to its Java platform. Also touched upon in Ramirez’s report was cross-device tracking, and educating consumers on fraud and deceptive business practices, including IdentityTheft.gov, a website to help people report and recover from identity theft. [FTC Press Release]

US – FTC Fines Organisation $79,659,262 for Payment Fraud Scheme

The FTC is granted an order against Ideal Financial Solutions Inc. for participating in violations of the Federal Trade Commission Act. The company and its subsidiaries are permanently restrained from selling, transferring, or otherwise disclosing a consumer’s personal information to any third party without consent, and misrepresenting that a consumer has authorized or consented to the purchase of a product or service, or the nature or terms of any refund, cancellation, exchange, or repurchase policy. [FTC v Ideal Financial Solutions Inc. – USDC for the District of Nevada]

US – Other Privacy News

Privacy Enhancing Technologies (PETs)

US – FTC Releases Web Tool for Mobile Health App Developers

The FTC released this week a web-based tool to assist mobile app developers in determining which federal privacy laws apply to their mobile health applications. The tool asks developers a series of ten targeted questions that help a user determine whether HIPAA, FTC, and/or FDA rules and regulations might apply. The interactive developer tool presents users with questions that include topics such as:

  • the type of information the app will create, receive, maintain, and transmit
  • the type of entity creating the app (or on whose behalf the app is created)
  • the purposes of the app
  • the information the app will provide to consumers and/or patients

The answer to each question points the user to the laws and regulations that may likely apply to the app. The tool also directs users to definitions for common regulatory terms, links, tips and guidance regarding compliance, and other federal agency resources. In conjunction with the release of the developer tool, the FTC also released its own guidance aimed at developer compliance with the FTC Act. This guidance follows the release of OCR’s Health App Use Scenarios & HIPAA guidance and discussion portal and FDA Mobile Medical Applications guidance. Together, these agency releases reflect efforts to provide guidance that will help provide clarity to the growing mobile health app ecosystem.

US – DHS Unveils Privacy Guidelines for Mobile Apps

The U.S. Department of Homeland Security has issued a set of privacy rules for mobile applications developed for the agency. The guidelines include a privacy policy requirement as well as a rule that program managers notify a privacy official and the chief information officer prior to an app’s development. App developers must pass their apps through a DHS “Carwash,” a system that scans the app’s code, which are then reviewed by DHS Chief Privacy Officer Karen Neuman. The guidelines also lay out what kinds of personal information can be processed and require that user information in transit must be encrypted and “immediately transferred to a protected internal DHS system that is compliant with existing DHS IT security policy.” [FCW]

US – Market Surges For Outside Privacy Counsel

A significant portion of corporations—76%—employ outside counsel for privacy and data security matters, according to a Bloomberg Law/IAPP survey study on “The Market for Data Privacy Legal Services.” And that demand is growing. The survey report concluded that:

  • A dedicated privacy team and subject matter experience are the most important qualities—along with basic care and feeding of clients—that companies look for in hiring outside counsel.
  • On average corporations spend nearly $170,000 annually on outside counsel handling privacy and data protection matters.
  • Outside privacy attorneys command high hourly rates, an average of $474 for transactional services, $539 for litigation and $623 for specialized privacy and data protection services.

The survey found that privacy pros in companies generally don’t hire outside counsel for operational tasks, such as PIAs and privacy by design application. But at the same time, significant opportunities for lawyers to expand their revenue may be in advising companies on privacy by design/privacy engineering initiatives, the report said. [BNA] See also: [UK and European firms invest in data protection ahead of GDPR]

Security

WW – A Lot Will Plug a Random USB into Their Computer: Study

Using booby-trapped USB flash drives is a classic hacker technique. But how effective is it really? A group of researchers at the University of Illinois decided to find out, dropping 297 USB sticks on the school’s Urbana-Champaign campus last year. As it turns out, it really works. In a new study, the researchers estimate that at least 48% of people will pick up a random USB stick, plug it into their computers, and open files contained in them. Moreover, practically all of the drives (98%) were picked up or moved from their original drop location. Very few people said they were concerned about their security. 68% of people said they took no precautions, according to the study. Some 135 people actually opened some files in the drives, according to the study. The researchers didn’t put any malware on the sticks, but had left an HTML file that contained an image allowing the researchers to detect when a file was opened. The HTML file also contained a survey, which had the goal of informing unbeknownst students and faculty that they had become part of an experiment, and trying to figure out why they had picked up the drive and opened files inside. Based on the participants’ survey answers, the researchers concluded that most people did it with “altruistic intentions.” In fact, 68% people said they did it to find the owners, while 18% admitted it was just out of curiosity. However, considering their actions, it seems some overestimated their good intentions. Despite the fact that some USB drives contained a resume file, almost half the users didn’t open that file, and, instead browsed vacation photos first, “overtaken by curiosity,” as the researchers put it. [Source]

US – US, Canada Issue National Alerts on Ransomware

The United States Computer Emergency Readiness Team within the Department of Homeland Security and the Canadian Cyber Incident Response Centre have jointly issued a special alert for both nations on the threat of ransomware and recent variants of the virus. The alert highlights the threat to the healthcare industry in the U.S. and worldwide, as well as threats to other businesses and individuals, outlining important steps to help organizations from falling victim to a ransomware attack, and guidelines for responding in incidents in which an organization is fending off ransom demands. The alert takes a hard line on whether organizations should pay to unlock information or computers, suggesting that there is no guarantee that paying a ransom will result in the release of information. Over the last few weeks, about a half dozen ransomware incidents have been reported among U.S. and Canadian hospitals, and in most cases, the organizations have been able to work around the attacks without paying a ransom. In February, Hollywood Presbyterian Medical Center reported that it paid the equivalent of $17,000 to unlock its information after a ransomware attack crippled the facility’s systems for about a week. The federal alert warns that ransomware is being spread via phishing tactics, as well as through “drive-by downloading,” which occurs when a user unknowingly visits an infected web site and malware is downloaded to the computer. [Source] See also; [Ransomware Threat Hits Critical Mass] and [Should Ransomware Attacks Be Considered Breaches? ]

US – Federal Agencies and Ransomware: Statistics

29 US federal government agencies have reported a total of 321 ransomware incidents since June 2015, according to the Department of Homeland Security. Not all of the incidents resulted in infections, and no incidents resulted in payment of ransom. Last December, Senators Ron Johnson (R-Wisconsin) and Tom Carper (D-Delaware), chairman and ranking member of the Senate Homeland Security and Government Affairs Committee, requested information about agencies’ efforts to protect systems from ransomware. Carper has posted the responses to his website. [FCW] [The Hill] [NextGov] [Results on Senator Carper’s Website] [CBC: Ransomware Hits Another (Ontario) Hospital] [SC Magazine]

Smart Cars / IoT

US – NTIA Commences Internet of Things Proceedings

On April 5, 2016, the National Telecommunications and Information Administration (NTIA) initiated an inquiry to review the potential benefits and challenges presented by the Internet of Things (IoT). In its Notice and request for public comment (RFC), NTIA is seeking input on the current IoT technological and policy landscape with a goal of developing recommendations—in the form of a Green Paper—as to whether and how the federal government should play a role in fostering the advancement of IoT technologies. Comments are due on or before May 23, 2016; parties across industry sectors are encouraged to comment. The inquiry is part of the Department of Commerce’s Digital Economy Agenda through which the agency seeks to help develop a free and open Internet and innovation in the digital economy while promoting privacy, security, and broad access. [Source]

WW – IoT Privacy a Concern for 62% Globally, More in U.S.

A newly released study of 5,200 “mobile media users” in Brazil, China, France, Germany, India, South Africa, the U.K., and the U.S. has found 62% of respondents “concerned” about privacy and the Internet of Things. That number rises to 70% in the United States. According to the Mobile Ecosystems Forum, privacy outstrips security (54%), and is a far bigger concern than physical safety (27%) or “machines taking over the Earth” (21%). Which connected devices are most concerning? Respondents answered with their home security as most concerning (30%) followed by their car (12%) and television (10%). [MediaPost]

US – OTA Principles for IoT Privacy and Security Programs

15 months after forming an Internet of Things (IoT) working group, on March 2, 2016, the Online Trust Alliance (OTA) released a final version of its IoT Framework along with a companion Resource Guide that provides explanations and additional resources. The voluntary Framework sets forth thirty suggested guidelines that provide criteria for designing privacy, security, and sustainability into connected devices. The creation of the OTA IoT principles represents a potential starting point for achieving privacy- and security-protective innovation for IoT devices. For now, the Framework focuses on wearable technology and connected home devices. In so doing, it avoids addressing some of the more challenging transparency and consent issues presented by devices lacking a direct buyer-seller relationship, such as those that arise in the retail or infrastructure context. The Framework also excludes connected medical devices and the associated potential life-or-death implications of medical technologies. Though purely voluntary and non-binding, the Framework differentiates between what it posits as “required” and “recommended” guidelines, thereby allowing for a broader consensus in a dynamic environment with many unresolved questions. Certain guidelines will likely be familiar to consumers—such as multi-factor verification for resetting credentials, and user notification after a password change. Other guidelines are particularly tailored to the IoT space—such as disclosure of the duration of patch support, and notice when a device initially pairs with a network. Themes of the Framework include guidelines designed to achieve the following:

CA – Allstate to Offer Albertans Usage-Based Auto-Insurance

A new Alberta insurance program could see motorists save money if they’re willing to install a device that monitors their habits behind the wheel. Allstate is the first company in the province to offer usage-based insurance, which uses technology to collect data on how a vehicle is driven and offer discounts for safe drivers. “It’s a little box you plug in under the steering wheel, and it sends out information,” Edmonton north agency manager Amanda Sawatzky said. “We take the measurements of the data over six months because that’s going to tell us over time what your driving habits are.” The company will check the frequency of hard braking, the time of day customers drive — accidents are more common between 11 p.m. and five a.m. — total kilometres covered and travelling at more than 125 km/h. The information comes from the vehicle’s diagnostic system and is sent out electronically. Drivers can log in to a website and monitor the results. “Hopefully, as you see a hard braking or speed incident, you’re more aware of it and it leads to safer driving habits,” Sawatzky said. After six months, the equipment will be removed and Allstate will offer participants premium discounts of up to 30%, depending on how well they did. Even if they do badly, their premiums won’t rise. Any discount remains as long as they own the vehicle. “It’s empowering drivers and there’s no downside to it. The safer you drive, the more you can save.” It’s unlikely someone will change how they drive for six months, then revert to bad habits once the monitor is out, she said. People who want to see whether they should sign up will receive a 5% premium cut for a year for using a test app. [Edmonton Journal]

Surveillance

US – New Hampshire Bill Regulates Government and Citizen Use of Drones

Last month lawmakers in the New Hampshire House of Representatives passed a bill regulating government and citizen use of drones. The bill includes strong privacy protections that address some of the most common concerns associated with police using flying robots. The legislation is the latest example of local lawmakers improving upon decades-old Supreme Court precedent amid rapidly changing technology. In a world where drones with cameras are well within many law enforcement budgets it is reasonable to ask when police can fly a drone over your backyard. It’s understandable if you think that you have a reasonable expectation of privacy in your backyard, but the fact is that the Supreme Court ruled in two cases from the 1980s (Florida v. Riley and California v. Ciraolo) that you don’t. In both cases justices on the Court held that observations from the air are analogous to observations from public roads. [Forbes] See Also: [FAA committee writing rules permitting small drones over crowds]

US – NTIA Postpones Drone Privacy Meeting

The National Telecommunications & Information Administration has postponed an April 8 multistakeholder meeting on drone privacy, saying some stakeholders said that work on a revised draft of voluntary drone privacy guidelines would not be ready to circulate to the full group until April 22. The meeting will be rescheduled for early May, according to John Verdi, NTIA’s director of privacy initiatives, in a note to stakeholders. The effort is among a number sets of best practices NTIA is trying to help industry and civil society representatives agree on to enforce the Obama administration’s privacy bill of rights. Others include on apps and facial recognition. It has been a year since NTIA sought comment on “privacy, accountability, and transparency issues” surrounding the use of unmanned aircraft systems (UAS), which are being increasingly used in TV news and film production. Those studios told NTIA they do not think there need to be any privacy guidelines for their use in such productions since they are either used on closed sets, or where they are not collecting information from the public. Back in November, major broadcast and print news operations and others in the News Media Coalition (NMC) asked NTIA to make sure it does not limit their First Amendment rights in its ongoing effort to come up with privacy guidelines for the new wave of UAS. [Source]

Telecom / TV

US – Federal Judge Says No Expectation of Privacy in Cell Site Location

In the Seventh Circuit — where there’s currently no Appeals Court precedent on cell site location info (CSLI) — federal judge Pamela Pepper has decided only about half of what other courts have said about this info’s expectation of privacy applies. That would be the half that finds the Third Party Doctrine covers cell phones’ constant connections to cell towers. (via FourthAmendment.com) Three circuits (4th, 5th and 11th) have ruled on whether obtaining CSLI from providers constitutes a search or seizure under the Fourth Amendment. Only the Fourth found that this information deserved greater privacy protections, mainly because of the ubiquitousness of cell phones. The other two held that CSLI is just another business record, even if it is the sort of business record that generates a detailed history of someone’s movements and can be used to track someone in near real-time. The Supreme Court also had something to say about the long-term tracking of people’s movements in its decision about GPS tracking devices. While not exactly the same thing, it was close, and the court here examines this decision as well. The government suggested long-term location tracking might have enough Fourth Amendment implications to justify a warrant requirement, but stopped short of making that call. With these non-precedents in hand, Judge Pepper finds there’s no expectation of privacy in cell location info because — like the government has argued in other cases — everyone should know their phones are acting as ad hoc government tracking devices. [TechDirt] [The ruling is here]

CA – Cases Highlight Legal Debate Over Texting Privacy Rights

The Ontario Court of Appeal is being asked to determine what privacy rights exist in the content of an individual’s text messages when they are obtained by police through the seizure of the phone of the recipient and not that of the sender. It is only the second time that the status of text messages on another person’s phone has been before an appellate court. The B.C. Court of Appeal ruled last year that there are privacy interests for the sender of the communications. At the Ontario Court of Appeal, the issues have been raised in two cases that are being heard together this week. The argument there is no privacy right once a text message has been sent is a very “old school” notion based on control, which does not fit with modern communications, says Laura Berger, acting director of the public safety program at the Canadian Civil Liberties Association. “For an increasing percentage of Canadians, especially younger people, text messages are supplanting voice telephone calls. We need to ensure that privacy protections in place [for phone conversations] are not diluted because of changes in technology,” says Berger. [Law Times]

US Government Programs

US – ODNI Signs Transparency Charter; NSA Sharing Plan Worries Rights Groups

Director of National Intelligence James Clapper signed a charter that formally transitions the Intelligence Community Transparency Working Group into the now permanent IC Transparency Council. Senior officials from across the intelligence community have comprised the working group, which was created two years ago. The council will oversee the Transparency Implementation Plan and ensure that transparency “becomes a comprehensive and sustainable practice” throughout the intelligence community. CSM Passcode reports privacy and civil liberties groups urge the NSA and DNI Clapper to reconsider a proposed data-sharing plan with other law enforcement agencies. Meanwhile, the surprise resignation of David Medine could spell trouble for the Privacy and Civil Liberties Oversight Board. Medine was the only full-time member of the five-member panel. [Full Story]

US Legislation

US – Legislative Roundup

Workplace Privacy

CA – OPC Issues Guidance on How to Prevent Employee Data Snooping

Six years ago a bank employee was caught going through the financial records of another staff member who was in a relationship with her ex-husband. The spying had been going on for four years. In another case hospital employees were caught selling patient data for their own gain. With organizations holding huge amounts of personal data on staff and customers, employee snooping — for curiosity or money — is tempting. The federal privacy commissioner suggested 10 ways employers can prevent staff spying on personal data. “Employee snooping poses a serious privacy risk that if left un-checked can cause significant and lasting financial and reputational damage to both your customers and your organization,” the report warns. “By taking the appropriate steps to address this risk … organizations can go a long way in advancing their reputation as a privacy-conscious business, and more importantly, protect their valued customers’ information, with which they have been entrusted.” [Source] See also: [New OPC Guidance regarding Privacy Impact Assessments: At Two Pages, Why Bother?]

CA – Staff Have Privacy Rights Even if Company Provides Devices, CPOs Told

Talk, not spy technology, should be one of the first weapons employers should use if they suspect employee misuse of enterprise devices or data, two lawyers have told a privacy law conference. “I would be cautious about using all kinds of fun and highly efficient but intrusive technologies to monitor your workers’ productivity,” Emma Phillips, a partner at the Goldblatt Partners LLP law firm, told chief privacy officers in Toronto on Thursday. If management has a reasonable belief there’s been misconduct Canadian law potentially allows staff or a device to be monitored, she added, as long as its done in a reasonable way — for example, don’t install keystroke loggers before warning an individual what inappropriate behaviour is, or put up surveillance cameras that cover broad areas where employees work. [IT World Canada]

WW – Cybersecurity Remains Biggest Barrier to BYOD Adoption: Study

Crowd Research Partners’ recent 2016 BYOD and Mobile Security Report, surveying more than 800 global cybersecurity professionals, reveals that 39% of respondents consider security one of their greatest concerns surrounding bring-your-own-device adoption. An additional 12% expressed fears that BYOD would diminish employee privacy, the report states. The study “reveals that enterprise security risks and mobile data breaches are on the rise.” While these threats are serious, they also pose as “an opportunity for organizations to implement effective cybersecurity solutions to strengthen their security posture and capitalize on the promise of enterprise mobility.” [Security Brief NZ]

+++

 

26 March – April 1, 2016

Biometrics

US – NTIA Face-Recognition Privacy Talks Blasted as ‘Orwellian Farce’

The U.S. Commerce Department’s National Telecommunications and Information Administration held a meeting last week in its ongoing multistakeholder effort to establish face-recognition technology data best practices, and the results disappointed privacy advocates. Advocates argue that representatives from the technology industry “hijacked” discussions on privacy, the report states. The result? “This is no longer a multistakeholder process,” said the Center on Privacy& Technology. “It is an industry stakeholder process. These draft guidelines are a direct consequence of that decision.” Lack of privacy in this sphere is particularly egregious as “you cannot delete your face.” [IB Times]

Big Data

EU – Security Risks Can Be Mitigated with Robust Access Control and Encryption

The EU Agency for Network and Information Security (“ENISA”) examined the security challenges of and best practices for Big Data. Big Data-related security risks include access control and authentication, secure data management, source validation and filtering, and application software security; mitigating measures include strong and scalable encryption, mandated purchasing from authentic suppliers, use of security standard-compliant devices, and assigning confidence levels on endpoint sources. [ENISA – Big Data Security]

Canada

CA – Feds Consulting on Open Government and Access to Information

Treasury Board President Scott Brison invited Canadians to participate in public consultations to help deliver the Government of Canada’s agenda for more openness and transparency. In the context of open dialogue, this series of consultations will be used to develop Canada’s 2016-18 strategy on open government, to be released this summer. Beginning May 1, the Government will also be seeking input from Canadians on how best to implement its commitments to improve the Access to Information Act. Minister Brison will kick-off the consultations on open government by hosting a Google Hangout with leading experts and leaders on April 6. [Source]

CA – Spy Agency Watchdog Facing Huge Budget Cuts

The Security Intelligence Review Committee, which reviews select activities of CSIS, expects to lose, on average, $2.5 million annually in funding starting next spring. The confusion comes as CSIS increasingly flexes its new powers granted under last year’s Bill C-51 national security legislation. The service had long been limited to collecting and analyzing national security intelligence for government, but is now empowered to actively disrupt suspected threats to security and to exchange and collate information on suspect Canadians with other federal departments and agencies, which was not possible before C-51. [National Post]

US – Federal Agencies Sharing Information Under Bill C-51 Provisions

At least four federal agencies have used controversial information-sharing powers in Canada’s new anti-terrorism law, internal government documents show. Privacy commissioner Daniel Therrien said Bill C-51 set the threshold for sharing Canadians’ personal data far too low. It’s not surprising that agencies have begun using the information-sharing act, said University of Ottawa law professor Craig Forcese. “The risk is that it’s being used in ways that are going to be difficult to predict because of the overbreadth and uncertainty of that act, and it’s going to be used in ways that are difficult to police,” said Forcese, co-author of False Security, a book that squarely criticizes the omnibus bill. “It’s added complexity to a complex problem rather than simplifying life.” [Source] [Canada’s new ‘anti-radicalisation’ office met with caution by Muslim community]

CA – Guidance on How CSIS Should Use Anti-Terror Bill C-51 Largely Secret

The federal government has issued guidance to Canada’s spy agency on using contentious new anti-terrorism laws — but most of the instructions won’t be made public. Many passages of the ministerial direction to the Canadian Security Intelligence Service, issued last July, were withheld from release due to provisions of the Access to Information Act concerning security, internal deliberations and cabinet confidences. The federal decision to keep much of the ministerial direction under wraps did nothing to reassure those with concerns about C-51, the omnibus security bill that received royal assent early last summer. The legislation gave CSIS the power to actively disrupt suspected terrorist plots, even allowing the spy service to take actions that breach the Charter of Rights and Freedoms as long as a judge approves. “One of our greatest concerns with C-51 is that CSIS has been given extraordinary new powers, including the power to break the law and violate the Constitution,” said Josh Paterson, executive director of the British Columbia Civil Liberties Association. [Source] [How is the Liberal government using Bill C-51? Good question ] [We Must Question The Timing Of This Terrorism Case ]

CA – BC OIPC Launches Investigation on Phone-Monitoring Tool

BC Privacy Commissioner Elizabeth Denham has kicked off a closed-door inquiry of a surveillance tool known as Stingray, which impersonates a cellphone tower in order to deceive any phone within range and obtain data, possibly storing everything it receives. Law enforcement officials from all over Canada aren’t saying if they use Stingray, as the police work to keep their mass surveillance systems under wraps. The BC Civil Liberties Association’s Micheal Vonn condemned the use of Stingray by police: “What we’re saying here is, does it help to collect the data of tens of thousands of individuals that aren’t the subjects of police investigation? No, of course it doesn’t help.” [Full Story] See also [Maryland Court Says Police Must Disclose Stingray Purpose Before Use]

CA – BC Privacy Commissioner Offers Parting Advice

As Information and Privacy Commissioner Elizabeth Denham prepares to move on to a national posting in the UK, she’s got in mind what the B.C. Liberals could give her in lieu of their tentative offer of a second six-year term here at home.

  • Lobbying reform: Denham’s biggest ask is to change the legislation so what is registered is actual lobbying and not prospective lobbying, “It would make enforcement of the law so much more practical and easier for my office. It would also, I think, help lobbyists because they have to register anyone they might prospectively lobby. It would be more meaningful for the public to be able to see actual lobbying and not prospective lobbying. “
  • Denham favours a stand-alone law governing both public and private health care providers. She also says B.C. should follow other provinces and legislate fines of up to $50,000 for unauthorized snooping by health care staffers. “They’re supposed to look at health information for their own patients, not look up information on celebrities, not look at their ex-spouse’s health information,” said the privacy watchdog. “It’s a serious problem of trust in the system, and we need higher penalties and enforcement.”

Denham is also calling for tougher penalties for the deliberate destruction of public records. Her landmark report from last fall, Access Denied, highlighted a series of concerns in that regard. It also led to recent charges against a government staffer for misleading the commissioner about the destruction of records. The charges are not about the action of unauthorized destruction of records,” explained Denham. “We need that in the Freedom of Information and Protection of Privacy Act. We need an offence provision, and we need the associated penalties.” [The Vancouver Sun]

CA – Legal Community Masses Forces for Set Piece Battle Over Privilege

Organized bar groups are massing at the Supreme Court of Canada again to repel what they contend are state attacks on the adversarial justice system. “When, and under what circumstances, can a regulator pry into a lawyer’s litigation brief, while the litigation is still under way, in order to examine the lawyer’s litigation strategy, trial preparation and other material collected or prepared for the dominant purpose of actual or apprehended litigation?” “If the court finds that litigation privilege can be abrogated by inference, it would expose lawyers’ briefs to regulatory scrutiny while litigation is still under way, in the absence of clear and explicit statutory language. This would dramatically expand the circumstances in which regulators could access information protected by litigation privilege.” [Lawyers Weekly]

WW – Software Flags ‘Suicidal’ Students, Presenting Privacy Dilemma

Ontario Christian Schools (OCS) is a private K-12 school near Los Angeles with about 100 children per grade. Three years ago, the school began buying Google Chromebook laptops for every student in middle and high school. The students would be allowed to take them home. Although Google software, like that of other companies, comes with virus protection and the ability to filter search results and block certain Web sites, Ontario Christian Schools turned to a third party to provide an additional layer of security: a startup called GoGuardian. GoGuardian helped school leaders create a list of off-limits websites: porn, hacking-related sites and “timewasters” like online games, TV and movie streaming. The software also has another feature: It tracks students’ browsing and searches whenever they are using the computer, at home or at school. That’s how OCS was alerted that a student appeared to be in severe emotional distress. Suicide is the third leading cause of death among youth aged 10 to 24. Said a research fellow at NYU’s Information Law Institute and an expert on student privacy and data. “This is a growing trend where schools are monitoring students more and more for safety reasons,” she says. “I think student safety and saving lives is obviously important, and I don’t want to discount that. But I also think there’s a real possibility that this well-meaning attempt to protect students from themselves will result in overreach.” This type of dilemma is almost certainly going to become more common, as school-owned devices and laptops proliferate. In 2015 alone, according to a report released this month, U.S. K-12 districts bought 10.5 million devices like laptops and tablets, a 17.5 percent increase over the year before. [NPR] See also: [Student Privacy at Risk Absent Better Training for All] [U.S. Department of Education guidance]

Consumer

WW – New ‘Commerce VPN’ Site Aims to Make Online Shopping Safer

Launched yesterday, Privacy.com is a VPN for netizens’ credit cards, aiming to spare online shoppers from the fear that their information is stolen, used in targeted ads, or otherwise employed improperly. The site “drops in a one-time credit card number with no connection to you personally” come check out, making it appear as if Privacy.com is the buyer. The site also permits a debit account shopping system, like PayPal, as well as pseudonyms. While the system isn’t bullet proof, the report states, “you get a new layer of insulation from the world of online fraud.” [The Verge]

WW – Internet Users Don’t Understand Security or Privacy: Survey

Canadian think-tank CIGI (the Centre for International Governance and Innovation) reckons ordinary citizens are more comfortable with government oversight of the Internet and their privacy than, for example, Apple. In an international survey (24,000 respondents in 24 countries), the group claims

  • more than 70% want the “dark net” shut down (which rests on the assumption that 70% of people actually know what the “dark net” is).
  • 26% of users don’t trust their governments at all over monitoring their communications without their knowledge (something not highlighted in either of the two CIGI-Ipsos media releases).
  • Only 8.47% of respondents said they trust their governments completely (the citizens that most trust their governments were in Tunisia, at 27%, and Pakistan, at 21%).
  • most respondents don’t understand that unbreakable encryption protects things like their online banking and shopping, as well as protecting criminals: 60% of Americans and 63% of the total sample reckon “companies should not develop technologies that protect law enforcement from accessing the content of a user’s online data”.
  • Regarding access to citizens’ data, the survey says 70% over users think agencies should have access to citizens’ content for “valid national security reasons” (emphasis added), versus 30% who disagreed. [The Register]

E-Mail

US – FTC Signs Agreement with CRTC to Fight Unlawful Spam

The FTC signed a memorandum of understanding with the CRTC in regards to enforcing commercial email and telemarketing laws. The MOU is effective March 24, 2016. The agreement requires both the FTC and the CRTC to limit retention of shared materials, safeguard any shared information containing PII (by using encryption, using a courier with tracking capabilities, using password-protected files for electronic information and locked storage for hard copies, and redaction of publicly released materials), and notify each other of any breaches. [FTC – MoU between the US FTC and the CRTC on Mutual Assistance in the Enforcement of Laws on Commercial Email and Telemarketing| [Press Release]

WW – Google Enhances Gmail Security

Google has made some changes to Gmail to protect users from malicious links and state-sponsored attacks. When users click on suspicious links that arrive in email, Gmail will display a full-page warning them that visiting the site could harm their computer. Users will be able to choose to click through to the site. Google will also display a full-page warning when it believes state-sponsored attackers have targeted users. Google’s blog post also notes the company’s participation in submitting a draft IETF specification for SMTP Strict Transport Security, which aims to “ensure TLS encryption works as intended.” [SC Magazine] [Google Blog]

WW – The Dream of Usable Email Encryption Is Still A Work in Progress

In 2014, in the aftermath of the Edward Snowden revelations, Google and Yahoo, the two largest email providers in the world, promised to change that once and for all with a browser plugin that would make sending encrypted emails so seamless anyone could use it. Yet, Google and Yahoo’s projects on secure end-to-end encrypted email have yet to see the light of day. That’s why some are starting to question how much Google and Yahoo really care about making this happen. In recent interviews with Motherboard, both companies publicly renewed their commitment. “Engineers from Google, Yahoo, and the open source community continue to work together on the End-To-End Mail extension project. It remains a work in progress,” a Google spokesperson said. A Yahoo spokesperson said the team of new security chief Bob Lord “is still cranking on it,” and pointed to the fact that the company even mentioned the project in its amicus brief in support of Apple in the case of the San Bernardino shooter. Neither of the companies, however, dared to venture a prediction on when the final product would be released. [Motherboard]

Electronic Records

US – CyberSecurity Information Sharing Is Here to Stay

The adoption of the Cybersecurity Information Sharing Act in the U.S., among other initiatives both in the U.S. and internationally, are “likely to bring about a significant change in the way information sharing and collaboration works.” Paired with emerging technical standards that “promise to enable efficient information sharing at scale,” we will begin to see how “cyber-threat intelligence is poised to transition from a revenue-generating resource to a public good.” [Hogan Lovells]. See also: [New NIST working group born out of IoT complexities] See also: [Canadian Federal privacy commissioner will watch threat information sharing, says OPCC official] and [IIROC to Focus on Dealer Members’ Cyber Threats Preparedness]

AU – Vic CPDP ‘Catastrophic’ Impact of Info Sharing Failures

Failure to share information effectively between agencies can have “catastrophic consequences”, the report of the Royal Commission into Family Violence has found. It’s not news for Victoria’s Commissioner for Privacy and Data Protection, David Eatts, who said. “It’s disappointing that it takes a royal commission to highlight these issues, because they’re issues our office has been pointing out ever since I was appointed.” Privacy law is often blamed for different agencies being unaware of risks raised elsewhere. Stories abound of justice, drug and alcohol and child protection services, for example, failing to speak to one another and pick up clear warning signs that may have prevented serious harm. But, while the legislation is complicated, Watts argues it’s the overly legalistic and risk averse approach to privacy law, rather than the law itself, that’s the primary problem. Watts’ comments align with those made by his New South Wales counterpart Elizabeth Coombs last year, who argued the problem is with misunderstandings of privacy law, rather than the law itself. [The Mandarin]

Encryption

US – FBI Unlocks iPhone Without Apple’s Help

The FBI has managed to crack the iPhone in the San Bernardino case without intervention from Apple. The Justice Department has dropped its legal case against Apple and “has asked a United States Magistrate Judge in Riverside, California to vacate her order compelling Apple to assist the FBI in unlocking the iPhone.” [CS Monitor] [ZDNet] [ArsTechnica] [Bloomberg] [Wired] [ComputerWorld] See also: [Apple scrambles to restore iPhone security after losing privacy fight]

EU – Silicon Valley Faces Encryption Fight in Europe

There are growing calls in some European countries for access to encrypted communications in the wake of recent terrorist attacks in the region. Though Apple is in a highly publicized debate in the U.S. about encryption in its devices, the company, along with other companies employing the security technology, may find similar fights in Europe. French lawmakers plan to debate new intelligence laws this week, and the U.K. is currently embroiled in the proposed Investigatory Powers Bill, which would give broad new powers to law enforcement. Other countries, however, including Germany and the Netherlands, do not back laws that would mandate access to encrypted devices. In the U.S., Sens. Dianne Feinstein, D-Calif., and Richard Burr, R-N.C., are seeking support for their encryption legislation. Rep. Jackie Speier, D-Calif., has released a new bill that would require personal information before purchasing a so-called “burner phone.” [New York Times]

EU Developments

US – Bulk Surveillance Court Cases Could stymie Privacy Shield

The Article 29 Working Party is reportedly looking into three cases that will be heard by the European Court of Justice in weighing its own opinion as to whether the EU-U.S. Privacy Shield is valid. According to Reuters, four individuals familiar with the group’s deliberations said the regulatory body is looking at an airline passenger data sharing pact with Canada as well as two other cases involving data retention by telecommunications companies. According to the report, the three cases are relevant to the Shield because they involve restrictions on bulk surveillance. A senior U.S. government official said, “We have negotiated the Privacy Shield based on the current state of law in the EU … If the law changes, we’ll have to go back and relook at how we handle these things.” [Reuters]

Facts & Stats

US – ACLU Maps DoJ Use of All Writs Act to Force Techs to Crack Devices

The Justice Department said tech companies have accessed phones for it before. So the ACLU tried to find all the cases.  The ACLU on Wednesday published court documents and an interactive map for what it said were dozens of instances when the U.S. government tried to compel tech companies to unlock customer devices, offering a fairly comprehensive look at where and under what circumstances law enforcement sought what now might be seen as controversial help. The civil liberties group said it had confirmed 63 such cases and suspected there could be up to 13 more based on its review of court documents and public statements by government and tech company officials. The ACLU said it published the map to stoke public discussion about the use of the All Writs Act. It is also pursuing a Freedom of Information Act request to learn more. [Washington Post]

Filtering

US – Effects of Copyright Takedown Abuse on Online Free Expression” Study

Three of America’s sharpest copyright scholars have released a landmark study of the impact of copyright takedowns on free expression in America: Notice and Takedown in Everyday Practice, by Jennifer Urban (UC Berkeley), Joe Karaganis (Columbia), and Brianna L. Schofiel (UC Berkeley) uses detailed surveys and interviews and a random sample from over 100,000,000 takedown notices to analyze the proportion of fraudulent, malformed or otherwise incorrect acts of censorship undertaken in copyright’s name, using the Digital Millennium Copyright Act’s takedown procedure. The DMCA is nearly 20 years old, and even before it was passed into law, virtually everyone who was paying attention said that creating a system that allows anything online to be censored through copyright infringement accusations, without due process or even penalties for getting it wrong, would get us into trouble. Now the evidence is in, and it couldn’t be more damning. [Source]

WW – Egypt Blocks Facebook Internet Service After Surveillance Request Denied

After Facebook allegedly prohibited the Egyptian government from using the company’s Free Basics Internet as a surveillance tool, the government blocked the service altogether. Free Basics provides Internet use to those in poverty-stricken areas for free, and Facebook launched the Egyptian version in October of last year. By December, the government suspended the site, saying at the time that permit issues were to blame. Yet sources “close to the situation” maintain that Facebook “was blocked because the company would not allow the government to circumvent the service’s security to conduct surveillance,” the report states. [Reuters]

Finance

WW – Panama Papers: Mossack Fonseca Leak Reveals Elite’s Tax Havens

A huge leak of confidential documents has revealed how the rich and powerful use tax havens to hide their wealth. Eleven million documents were leaked from one of the world’s most secretive companies, Panamanian law firm Mossack Fonseca. They show how Mossack Fonseca has helped clients launder money, dodge sanctions and evade tax. The company says it has operated beyond reproach for 40 years and has never been charged with criminal wrong-doing. The documents show links to 72 current or former heads of state in the data, including dictators accused of looting their own countries. Gerard Ryle, director of the ICIJ, said the documents covered the day-to-day business at Mossack Fonseca over the past 40 years. “I think the leak will prove to be probably the biggest blow the offshore world has ever taken because of the extent of the documents,” he said. [BBC]

FOI

CA – OIPC BC Opposes Many Recommended Amendments to FOI Legislation

The OIPC responded to the recommendations made to the committee reviewing British Columbia’s FIPPA. The OIPC rejects a number of recommendations as unnecessary; the Law Society’s recommendation to exclude from disclosure to the OIPC all records subject to solicitor-client privilege is rejected because such disclosure may be necessary in the course of the OIPC’s functions and is subject to existing statutory confidentiality safeguards. The OIPC recommended that the law be amended to require a public body to automatically waive fees when it fails to meet its legislated timeline for responding to a request. [OIPC BC – OIPC Response to Stakeholder Recommendations to the Special Committee to Review the Freedom of Information and Protection of Privacy Act]

US – Study Offers Best Practices for Transparency Reporting: Institute

A new report from the Open Technology Institute at New America and the Berkman Center for Internet & Society at Harvard University examines best practices for transparency reporting. “The Transparency Reporting Toolkit: Survey & Best Practice Memos.” is a compilation of eight memos highlighting challenges major U.S. Internet and telecommunications companies face when reporting on law enforcement and government requests for user information. Transparency reports came into prominence after the Snowden leaks in 2013, but the study says technology companies, including Google, Twitter and Microsoft, have not utilized best practices when crafting these reports and it is therefore hard to compare metrics. “By conducting this survey, we’ve laid the groundwork for stronger and more comprehensive transparency reporting on government requests for user data and information,” said the Open Technology Institute. [Source] See also: [Reddit removes ‘warrant canary’ from transparency report] [ACLU released an online map tracking instances of the government’s abuse of the All Writs Act.]

CA – Why Was NEB Deleting an Email Sent In the Middle of the Night?

Canada’s pipeline watchdog is under investigation by Parliament’s information commissioner for deleting an email that drew attention to a mistake made by an employee, said the National Energy Board (NEB). An internal NEB email revealed that the employee who made the mistake was the pipeline regulator’s head of security. The NEB staff believe the deleted email contained references to how the regulator’s top security official had given personal information about a co-worker to a private investigator. But the email disappeared from the records of the Calgary-based NEB after a senior bureaucrat instructed staff to delete it. People can go to jail or pay hefty fines in the thousands of dollars for deleting records of the federal government’s day-to-day business and operations, under Canada’s access to information legislation. The NEB denied it broke the law. An NEB spokesman said that the contents of the deleted email had revealed it shared information about its employee with a potential contractor without verifying the firm’s security clearance. The spokesman also told National Observer that NEB staff decided to delete the email to mitigate the risk of “harm” caused to the employee whose name was mentioned in the correspondence. [National Observer] Fifth in an in depth series about the National Energy Board. Part I here, Part II here, Part III here, Part IV here.

WW – Microsoft Transparency Report for Second Half of 2015

Microsoft’s transparency report for the second half of 2015 shows that the company received 11% more legal requests for information than it did in the first half of last year. In all, law enforcement agencies made 39,083 requests for information regarding 64,614 accounts. Microsoft provided subscriber data for two-thirds of the requests. In two percent of the cases, Microsoft surrendered content, such as email, instant messages, and data stored in OneDrive. Microsoft also received 505 emergency requests for information. [ZDNet] [MSFT blog] [MSFT Transparency Hub] [New Microsoft Transparency Report Includes Revenge Porn Removal Stats]

Genetics

US – Law Enforcement Investigators Seek Out Private DNA Databases

Investigators are broadening their DNA searches beyond government databases and demanding genetic information from companies that do ancestry research for their customers. Two major companies that research family lineage for fees around $200 say that over the last two years, they have received law enforcement demands for individual’s genetic information stored in their DNA databases. Ancestry.com and competitor 23andme report a total of five requests from law agencies for the genetic material of six individuals in their growing databases of hundreds of thousands. Ancestry.com turned over one person’s data for an investigation into the murder and rape of an 18-year-old woman in Idaho Falls, Idaho. 23andme has received four other court orders but persuaded investigators to withdraw the requests. The companies say law enforcement demands for genetic information are rare. [Associated Press]

Health / Medical

US – FTC’s Rich Outlines Health Data Protection Efforts, Calls for More Authority

Jessica Rich, the director of the FTC’s Bureau of Consumer Protection, gave testimony to the House Subcommittee on Information Technology and the Subcommittee on Health, Benefits, and Administrative Rules of the Oversight and Government Reform Committee last week, explaining the Commission’s current efforts to safeguard consumer health data, while reinforcing the Commission’s request for expanded authority to go further. Rich spoke about the FTC’s concerns regarding the large amounts of health information data generated on platforms such as websites, wearable technologies and communication portals. While those technologies are not covered under HIPAA, they do fall under FTC jurisdiction. Rich said the Commission has addressed health data privacy and security issues through enforcement, policy initiatives and education, but believes the organization can be more effective in stopping unfair and misleading practices if Congress passes regulation strengthening the Commission’s existing data security authority. [Full Story]

US – Hospital Settles Largest Per Plaintiff Breach Payout in History

A judge ruled that California-based St. Joseph Health System must pay more than $28 million to settle a 31,074-plaintiff class action suit, the largest per-member settlement in data breach history. This result comes after U.S. District Judge Kenneth Hoyt dismissed a similar suit against the organization in 2015, calling the plaintiff’s concern over “heightened risk of future identity theft” insufficient grounds for legal action. As a result of the 2012 breach, the settlement requires defendants to allot $7.5 million for plaintiffs, $7.4 million for lawyers’ fees, $4.5 million for credit monitoring services, and $3 million for identity theft compensation. [Source]

US – Nurse Hands Over License After Texting Compromising Patient Picture

A New York nurse surrendered her license to practice after snapping pictures of an unconscious patient’s genitals and sending them to peers via text. The surrender was part of a plea deal in which Kristen Johnson pleaded guilty to misdemeanor disseminating of unlawful surveillance photos. Her conviction marked the conclusion of a nine-month, Onondaga County District Attorney’s Office investigation after co-workers complained about her texts. [CBS 6 Albany] Police: Former Upstate nurse took pictures of patients’ intimate parts while unconscious | Central NY nurse loses license over cell phone photo]

US – MedStar Health System Infected with Malware

Washington-Baltimore area healthcare provider MedStar Health has shut down some of its computer systems following a malware infection. The organization says its clinical facilities are still open. MedStar operates 10 hospitals and more than 250 outpatient facilities. The FBI is investigating. [eWeek] [The Hill] [Reuters]

Horror Stories

US – Verizon Customer Data Breach

Verizon has acknowledged that a breach of its Verizon Enterprise Solutions unit compromised customer data. Verizon Enterprise Solutions helps companies respond to data breaches. Last week, a post on an underground cybercrime forum offered 1.5 million Verizon Enterprise Solutions customer records for sale. Verizon says the compromised data are “basic contact information [of] enterprise customers.” [Krebs] [eWeek]

US – University of Central Florida Spends $110,000 After Computer Hack

A computer hack affecting the personal information of 63,000 people at the University of Central Florida resulted in a nearly $110,000 invoice for the month of February. The costs include $64,000 to operate the call center where students and staff could learn if their information was compromised, and another $45,000 to print and mail packets warning people of the hack. UCF says their cybersecurity insurance, which comes from an outside company, covered the costs. While UCF has worked to help the victims, the university still faces lawsuits in the aftermath of the data breach. [WFTV 9]

Identity Issues

CA – Ottawa Man Claims Identity Stolen Using Canada Post Website

Mike Wood says someone stole his identity and changed his mailing address using Canada Post’s website. When he called Canada Post, he was told his mail was being forwarded to another address, after someone paid $117 to make the change online. Wood said the postal service official wouldn’t tell him where his mail was ending up, and that police told him they couldn’t help without that information. Wood said Canada Post told him whoever apparently stole his identity would have had to answer multiple security questions. He’s not sure how that’s possible. He added that a Canada Post representative also told him that tax season is a common time for identity theft, because tax forms include social insurance numbers. Canada Post wouldn’t comment about the case, beyond confirming that they are investigating. [CTV News[

Internet / WWW

US – Hogan Lovells Issues Legal Analysis of the EU-U.S. Privacy Shield

Law firm Hogan Lovells has released a 60-plus-page “Legal Analysis of the EU-U.S. Privacy Shield,” whereby the report’s authors assess the likelihood the Shield will withstand legal challenge by referencing jurisprudence of the Court of Justice of the European Union. Their conclusion? “[T]he Privacy Shield Framework provides an ‘essentially equivalent’ level of protection for personal data transferred from the EU to the U.S.” The assembled lawyers, on both sides of the Atlantic, set up “detailed and complex criteria” for assessing the Shield, and “in every instance, we have concluded that each criterion is met.” [HLDA] See also: [Why the cloud makes the EU-US Privacy Shield meaningless  ]

Law Enforcement

CA – Town of Banff Considers RCMP Traffic Camera Use

Banff RCMP want to use the Town of Banff’s downtown traffic cameras to help them solve crimes and nab crooks. At a council meeting last week, council considered a proposal from Banff RCMP to use the traffic cameras to help them solve crimes, but issues of personal privacy first need to be addressed. Town council unanimously directed administration to return with a report considering the Freedom of Information and Protection of Privacy Act (FOIP) implications of using the traffic cameras to help solve crimes. “Banff has a very low crime rate and we live in a very safe community,” said Councillor Karlos Stavros, who voiced support for the move. “We’re not talking about active surveillance at all. It’s about the ability to provide evidence for cases.” The Town of Banff’s traffic cameras, set up at various intersections in the downtown core, are currently used only to capture traffic data to help monitor traffic flow and overall traffic management. One of the camera types takes a still photo every minute and also has potential to take video. Currently, no personal information such as licence plate numbers or car occupant faces is recorded. Banff RCMP wants to expand the purpose of the traffic camera systems, not for ongoing surveillance, but as an investigative tool. [Source]

Online Privacy

EU – France Fines Google Over ‘Right To Be Forgotten’

The French data protection authority said it has fined Google €100,000 for not scrubbing web search results widely enough in response to a European privacy ruling. The only way for Google to uphold the Europeans’ right to privacy was by delisting inaccurate results popping up under name searches across all its websites, the Commission Nationale de l’Informatique et des Libertes (CNIL) said in a statement. [Reuters] [CNIL – Deliberation No. 2016-054 – Google Inc] [Press Release]

Other Jurisdictions

WW – MSFT Creates Special Chinese Government Version of Windows 10

Microsoft is now ready to roll with a version of Windows 10 designed specifically for the Chinese government, it has emerged. Back in December, Microsoft and China Electronics Technology Group Corp  announced they were setting up a Beijing-based joint partnership called C&M Information Technologies. The new organization will develop a specific build of Windows 10 for Middle Kingdom mandarins. This version will be “a government-approved Windows 10 image, including Chinese capabilities such as government selected antivirus software,” and be made available to “state-owned enterprise customers” including “government and critical infrastructure.” C&M “will provide product activation, patch management, deployment services and product support, as needed, to these government customers.” It will also “collect feedback from these government customers on their specific use requirements to inform the creation of the successive updates of the government Windows 10 image, which may be developed by the joint organization.” Presumably this feedback won’t include all the data Windows 10 routinely sends back to Redmond; this telemetry will likely be curtailed seeing as it’s an enterprise-friendly build. [The Register] See also: [US Navy paid millions to stay on Windows XP]

Privacy (US)

US – FCC Votes To Propose New Privacy Rules for ISPs

FCC Chairman Tom Wheeler moved yet another of his controversial proposals forward last week. The commission voted on party lines, 3-2, to advance a proposed rule imposing strong privacy regulations on ISPs. Wheeler wants to improve how ISPs treat individuals’ privacy when the market makes customer data immensely valuable. That data can give providers and analysts a perfect picture of the details making up a person’s everyday life, and the commission’s majority thinks that’s intrusive. The proposed rule would obligate companies to tell their customers what information they collect, how and if they share it with third parties, and how customers can change those privacy preferences. The proposal also would allow ISPs to use consumer data to sell other communications services or share it with outside marketers in that field. But it would allow customers to opt out of those practices. This is only the beginning. Before officials begin drafting final rules, they’ll need to wait for comments from industry members, think tanks and the general public. It’s a controversial idea. Republicans on the commission, GOP lawmakers in the House, and even members of the broadband industry have all pushed back on the proposed rule. The Republican commissioners were vocal about their dissent. The FTC already regulates privacy. [Source] [FCC OKs Proposed Privacy Rules With a Lot of Pushback] [How The FCC’s Proposed Privacy Rules Would Create A False Sense Of Consumer Privacy] [FCC Sparks Turf Wars As It Raises Washington Profile] [EPIC Urges FCC to Broaden Scope, Substance of Draft Privacy Rules]

US – FTC to Host Fall Seminar Series on Emerging Consumer Technology Issues

The FTC will host a series of seminars this fall to examine three new and evolving technologies that are raising critical consumer protection issues. The FTC Fall Technology Series comprises three half-day events that will explore ransomware, drones, and smart TV. In 2014, the Commission held a series of seminars examining the privacy implications of mobile device tracking, consumer generated health data, and alternative scoring techniques. [Drone bazooka is here]

FTC Fall Technology Series: Ransomware – 9 a.m. to noon, September 7, 2016

FTC Fall Technology Series: Drones – 9 a.m. to noon, October 13, 2016

FTC Fall Technology Series: Smart TV – 9 a.m. to noon, December 7, 2016

Security

US – US Federal Agencies and Ransomware

29 US federal government agencies have reported a total of 321 ransomware incidents since June 2015, according to the Department of Homeland Security (DHS). Not all of the incidents resulted in infections, and no incidents resulted in payment of ransom. Last December, Senators Ron Johnson (R-Wisconsin) and Tom Carper (D-Delaware), chairman and ranking member of the Senate Homeland Security and Government Affairs Committee, requested information about agencies’ efforts to protect systems from ransomware. Carper has posted the responses to his website. [FCW] [The Hill] [NextGov] [Results on Senator Carper’s Website] [ComputerWorld: Ransomware Uses Windows PowerShell] [CarbonBlack] [Petya Ransomware Encrypt Master File Table]

US – FBI Seeking Help with Ransomware Investigation

Reuters obtained a copy of a confidential “Flash” advisory, dated March 25, 2016, in which FBI asked companies and security experts for help in its investigation of ransomware known as MSIL/Samas.A. This particular malware tries to encrypt data on an entire network rather than encrypting data on an individual computer. [Reuters] [With regards to Ransomware The Computer Incident Response Center Luxembourg (CIRCL) have released an excellent guide on “Proactive defenses and incident response“] In the wake of a number of high-profile attacks against hospitals, [legislators are moving to update cybersecurity laws to include protection against ransomware threats] [Ransomware not covered by e-health record laws]

US – Three More US Hospitals Infected with Ransomware

Three more US hospitals have disclosed that their systems were hit with ransomware. Methodist Hospital in Henderson, Kentucky information systems director Jaime Reid said the cause of the “Internal State of Emergency” at the hospital was Locky ransomware. Chino Valley Medical Center and Desert Valley Hospital in California were also struck with ransomware; both were operating normally by Wednesday, March 23. [Krebs] [BBC] [ArsTechnica] [NBCNews] See also: [Is Ransomware Considered A Health Data Breach Under HIPAA?]

US – Medical Dispensing Systems Have Remotely Exploitable Flaws

More than 1,400 remotely exploitable vulnerabilities were found in CareFusion’s Pyxis SupplyStation medical dispensing systems. More than half of the flaws found were given a severity rating of high or critical. The issues affect Pyxis SupplyStation versions 8.0, 8.1.3, 9.0, 9.1, 9.2, and 9.3 on Windows Server 2003/Windows XP. Version 9.3, 9.4, and 10.0 running on Windows Server 2008/Windows Server 2012/Windows 7 are not affected. The US Department of Homeland Security’s (DHS’s) Industrial Control System CERT has issued an advisory. [The Register] [SCMagazine] [ComputerWorld] [ICS-CERT Advisory]

US – Investigation Finds Security Gaps in State Department Visa Database

Security gaps discovered in a State Department system could allow hackers to doctor visa applications, or steal sensitive data. Several months ago, the State Department conducted an internal review learning its Consular Consolidated Database, the government’s “backbone” for vetting travels, was in danger of being compromised. The CCD, one of the largest biometric databases in the world, holds the personal information of nearly anyone who applied for a passport. A cyberattack could compromise sensitive information, including photographs, fingerprints and Social Security numbers, making it valuable for hackers looking to steal identities. Hackers could also alter records approving visa applications for individuals linked to terrorism who would normally be rejected. The State Department says it has addressed these concerns, and any vulnerabilities would be difficult to exploit. [ABC News]

CA – Keystroke Loggers Found at Concordia University

Keystroke logging devices were found on several workstations in the Webster and Vanier libraries at Concordia University in Montreal, Quebec. School officials have notified local authorities. [SC Magazine] [University Notice]

WW – Macro Blocking Now Available in Office 2016

Microsoft has added a feature to Office 2016 that allows enterprise administrators to block macros from executing. The feature can be configured for each application and is controlled through Group Policy. It can be used to disable macros in documents that come from the Internet zone. [The Register] [ComputerWorld] [MSFT Blog]

Surveillance

CA – Civil-Rights Group Appeals on Police Use of Cellphone Surveillance

Pivot Legal Society, a British Columbia-based legal-advocacy organization, filed an appeal with the province’s privacy commissioner after Vancouver police refused to disclose documents related to whether they use an invasive technology known as Stingray. …Wednesday was the deadline for interveners to file submissions on Pivot Legal’s appeal. Groups such as the B.C. Civil Liberties Association and OpenMedia argue that police are “stonewalling” attempts by the public to know the extent of the device’s use, which is putting Canadians’ constitutional rights at risk and preventing law enforcement from being held accountable. [Globe & Mail] [B.C.’s privacy commissioner launches inquiry into phone-monitoring device] [Canadian Cops Won’t Say if They Use ‘Stingray’ Mass Surveillance Devices] [Guilty pleas end risk of revealing RCMP surveillance technology]

CA – OIPC AB Finds Condominium Used Surveillance PI for Contrary Purposes

The Alberta OIPC investigated the Grandin Manor Ltd., a condominium corporation, for alleged violations of the Personal Information Protection Act. Unit owners of the condominium provided deemed consent for the collection and use of their personal information by the surveillance system because a majority of owners voted to implement the system and there is proper signage about the use of the cameras; however, personal information from the system was retrieved and used to send a warning letter to an individual for conduct unrelated to maintenance of building security. [OIPC AB – Order P2016-02 – Grandin Manor Ltd]

WW – Surveillance Silences Minority Opinions: Study

A new study published in Journalism and Mass Communication Quarterly found that those who felt their opinions on mass surveillance were in the minority were less likely to express them. The questionnaire exposed some to subtle reminders of government surveillance and others not. Once the idea of government surveillance is introduced, researcher Elizabeth Stoycheff found, participants — even those who indicated they support government surveillance for national security — were less likely to speak out about nonconformist ideas. [Washington Post]

US Government Programs

US – EPIC Scrutinizes DHS “Insider Threat” Database

In comments to the Department of Homeland Security, EPIC criticized a proposed “Insider Threat” database that would gather vast amounts of personal data on a wide variety of individuals outside the federal agency. The database would include information from the Standard Form 86, which is a 127-page questionnaire for national security positions. The form includes SSN, passport and driver license number, and medical reports among other sensitive data. The DHS database will cover broad categories of individuals, including persons who are not under investigation. The database will contain records not only on current and former DHS employees and contractors, but also on family members, dependents, relatives, and personal associates of individuals who are under investigation. EPIC urged DHS to narrow the scope of individuals included in the database and limit the amount of data collected. EPIC also urged DHS to significantly narrow the Privacy Act exemptions for its database and withdraw unnecessary proposed routine use disclosures. The Privacy Act exemptions DHS has proposed would allow the agency to ignore complying with a number of Privacy Act safeguards, including requirements to maintain accurate records and to limit collection to only that information necessary for the detection and prevention of insider threats. Moreover, DHS’s proposed routine uses would allow the agency to disclose database records to numerous entities for purposes unrelated to addressing “insider threats,” including hiring decisions and DHS public relations. Citing the recent surge in government data breaches, including the breach of 21.5 m records at OPM, EPIC warned that DHS data practices pose a risk to federal employees. EPIC has previously advocated for privacy protections in background checks and consistently warned against inaccurate, insecure, and overbroad government databases. s

US Legislation

US – Senate Passes FOIA Reform Bill

The Senate passed by unanimous consent the Freedom of Information Improvement Act of 2015. The bill, cosponsored by Senators Patrick Leahy (D-VT) and John Cornyn (R-TX), requires federal agencies to operate under a “presumption of openness,” and places time limits on the FOIA’s Exemption 5. Exemption 5 is most commonly invoked to protect the “deliberative process privilege” of inter- and intra-agency memoranda. The FOIA currently places no time limit on the exemption. The bill also seeks to strengthen the Office of Government Information Services (OGIS) and require new reporting on the use of exemptions and audits of agency FOIA processes. In promoting the legislation, Senator Leahy said the bill “will help open the government to the 300 million Americans it serves and ensure that future administrations place an emphasis on openness and transparency.” The House passed a similar bill in January 2016. Differences between the two versions must now be reconciled before President Obama can sign the bill into law. EPIC and a coalition of open government advocates previously urged the President to support the bipartisan legislation, pressing the President to honor his commitment to an “unprecedented level of openness” in his administration by pushing Congress to update the FOIA. The coalition identified six core ways the FOIA should be updated: (1) codify a presumption of disclosure; (2) require agencies seeking to withhold information to show foreseeable harm; (3) require agencies to weigh the public interest when withholding under Exemption 5; (4) exclude from Exemption 5 records older than 25 years; (5) waive fees when agencies miss statutory deadlines; and (6) expand the role of OGIS.

+++

 

 

18-25 March 2016

Canada

CA – Trudeau Doubles Counter-Radicalization Spending, Zip for SIRC

The Canadian government is doubling its support for programs to prevent radicalization, but couldn’t find any new cash for the overworked agencies that keep tabs on the country’s spies. Amid controversy last year over Justin Trudeau’s support for anti-terrorism Bill C-51, the Liberals pledged to create an office that would tackle radicalization. In its first budget this week, the government revealed the new office of the Community Outreach and Counter-radicalization Co-ordinator will receive an additional $35 million over five years. The officials say the domestic anti-radicalization money supports “a whole-of-government approach” that involves the RCMP, CSIS, border agents, local governments and community groups. [Source] See also: [Ottawa Citizen: PM Says Not ‘At War’ but Increases Use of Hated C-51 Powers]and [Angus Reid Survey Finds Huge Support for C-51]

CA – Canada Endorses Deal to Share Canadian Banking Records with IRS

Two Liberal cabinet ministers who had criticized a controversial agreement to provide Canadian banking records to the U.S. Internal Revenue Service now say they support the deal. Speaking on the way into a cabinet meeting, Treasury Board President Scott Brison and Transport Minister Marc Garneau rallied behind the position adopted last week by Revenue Minister Diane Lebouthillier, supporting the deal struck under the Harper government that saw 155,000 Canadian banking records shared with the IRS last September. [iPolitics] [Revenue Minister Asked to Testify on Records Transfer to IRS]

CA – Could Take Up To a Year to Swear-in a New BC Privacy Commissioner

Premier Christy Clark’s cabinet may appoint a temporary replacement for B.C.’s privacy watchdog, after the abrupt departure of commissioner Elizabeth Denham caught MLAs who were planning to re-appoint her by surprise. Denham told government this week that the United Kingdom had nominated her as its new information commissioner, and she would leave her B.C. post when her term expires on July 6. The all-party committee of the legislature is now faced with the potentially lengthy process of launching a global search for her replacement, which the committee’s deputy chair admits may not be finished before Denham leaves in July. The normal procedure would be for the all-party committee to make a unanimous recommendation to the legislature, and the legislature to affirm that choice. But if the committee can’t agree on a name before Denham leaves in July, cabinet has the power to slot its own candidate as acting commissioner. That person would serve until the committee makes its choice. The entire process, including legislative confirmation, could take up to a year if government doesn’t convene a fall session. [Source] [BC’s Info and Privacy Watchdog Departs for Britain] [B.C. privacy commissioner Elizabeth Denham moving on to bigger things ]

CA – Alberta Court Finds It Is Not Urgent or Necessary for Law Society to Review a Former Member’s Phone and Computer Records

The Law Society of Alberta sought an order compelling Justin Sidhu to produce records in compliance with the Legal Professions Act. An order compelling access to a former member’s cellphone and computer records following his conviction on charges drug trafficking is denied; if the conviction is upheld on appeal that would be proof of the misconduct and therefore the need for the information is neither urgent nor necessary at this time. [Law Society of Alberta v Sidhu – 2016 ABQB 142 CanLII]

CA – Nunavut Making Little Progress on Access to Info Changes

The Government of Nunavut’s efforts to make the administration of its municipalities more transparent has stalled. That’s because consultations with community governments on how to bring their operations under the Access to Information and Protection of Privacy Act are at a “standstill,” according to Nunavut government documents. “In the past year, consultations with municipalities have been at a standstill due to capacity issues within the ATIPP office,” the GN said in a document tabled March 15 in the Nunavut legislature. In the document, the GN responds to 11 recommendations made by a standing committee of MLAs, which reviewed the 2014-15 annual report by Nunavut’s information and privacy commissioner. [Source]

CA – SCC to Hear 2nd Case Involving Jurisdiction and the Internet

On March 10, 2016, the Supreme Court of Canada granted leave on a second recent case involving jurisdictional issues and the internet: Douez v. Facebook, Inc., 2015 BCCA 279. Douez involved a BC resident plaintiff who sought to sue Facebook for a breach of privacy arising from the use of her name and her portrait without her consent. The proposed class action suit would be based on a claim that Facebook’s practice of featuring the name and image of individuals in relation to certain advertisements amounted to a breach of s. 3 of BC’s Privacy Act—a statutory cause of action which only applied within BC. At first instance, the BC Supreme Court concluded that BC was a proper jurisdiction, was not forum non conveniens, and granted certification. However, on appeal that certification was dismissed. The result on appeal arose from a forum selection clause in the Facebook Terms of Use. Applying the established test from Z.I. Pompey Industrie v. ECU-Line N.V., 2003 SCC 27, the BC Court of Appeal concluded that there was not “strong cause” to decline to enforce the forum selection clause, and therefore stayed the proceeding. As with the recent leave to appeal granted in the Equustek case, the Douez decision explores an important aspect of court jurisdiction over disputes involving online conduct. Where Equustek examined cases not governed by binding terms of service, Douez will provide some parallel insight into situations where terms of service purport to limit the ability of Canadian courts to address online disputes, particularly where such terms may come into conflict with geographically limited causes of action. Given the similar jurisdictional issues raised as between Douez and Equustek, and the proximity in time that the cases were granted leave, it is likely that the court will hear and consider both matters together. [Mondaq]

Encryption

US – House Lawmakers Launch Encryption Working Group

The Chairmen of two House Committees have announced the creation of an encryption working group to examine the complicated legal and policy issues surrounding encryption; the group will identify potential solutions that preserve the benefits of strong encryption while also ensuring law enforcement has the tools needed to keep Americans safe and prevent crime. The House Judiciary Committee and Energy and Commerce Committee have primary jurisdiction over encryption and the issues it presents for citizens, law enforcement, and American technology companies. [Committee on Energy & Commerce] [FCW]

EU Developments

UK – ICO Releases 12 Step Guide on the GDPR

The UK Information Commissioner’s Office released its first guidance on the General Data Protection Regulation (GDPR): the 12 steps that businesses can start taking now to prepare for the GDPR. The ICO also launched a new microsite on the GDPR. Here is a summary:

  • Ensure awareness amongst key stakeholders in the organisation.
  • Document the personal data that they hold, where it came from and with whom they share it.
  • Review current privacy notices and put a plan in place for making any necessary changes.
  • Check existing procedures to ensure that they cover all the rights data subjects now have.
  • Look at the various types of data processing they carry out, identify and document legal basis.
  • Ensure process and procedures are documented – to help demonstrate compliance with the accountability requirements. [Source] [Press Release] [blog entry]

EU – EDPS Releases Guidance on Information Security Risk Management

The European Data Protection Supervisor has released new guidance on Information Security Risk Management, “which advises EU institutions on how to ensure a secure and trustworthy digital environment for the information that is essential for the functioning of their services.” “The security of personal data is a legal requirement, but it is also necessary in the interests of organisations that rely on the use of information for their daily business … I urge the hierarchies in the EU institutions to engage in the tailored development and use of information security risk management processes to address the specific needs of their organisation.” [EDPS Press Release]

EU – Other European Privacy News

Finance

CA – MasterCard and Bank of Montreal Launch ‘Selfie Pay’

Bank of Montreal customers who use MasterCard to make online purchases will be taking selfies for a whole new reason this summer, as BMO becomes the first Canadian bank to support MasterCard’s new Identity Check mobile app, colloquially known as “selfie pay,” the companies announced. So far, around 200 BMO employees with corporate credit cards have been signed up for the biometric-based feature, which complements the company’s existing MasterPass service by using facial recognition and fingerprint scanning technology to verify online payments. [IT Business]

FOI

CA – Revised Edition of Sedona Canada Principles is Published

The Sedona Canada Principles are revised in a second edition. Principle 2 (proportionality) has been revised to create a 5-part test for applying the “reasonableness” principle; principle 7 (electronic tools) recommends that the parties agree in advance on the tools to be used, and principle 11 (sanctions) is revised to recommend that the Court consider sanctions where a party fails to meet its discovery obligations. [New Edition of the Sedona Canada Principles for E-Discovery – Kirsten Thompson, Partner, and Nolan Hurlburt, Associate, McCarthy Tetrault]

CA – OIPC BC: Records Fall Outside the Scope of FIPPA and Can Be Withheld

The OIPC BC reviewed a decision by the Office of the Police Complaint Commissioner to deny access to records requested pursuant to FIPPA. For records to be except from FIPPA, due to provisions under the Police Act, they must relate the operational records, but not administrative records; based on the video evidence provided the records at issue are operational records of the Police Complaint Commissioner because they are part of a specific case file and relate to the exercise of the Police Complaint Commissioner’s functions under the Police Act. [OIPC BC – Order F16-13 – Office of the Police Complaint Commissioner]

Health / Medical

US – Next Phase of HIPAA Audits Has Begun

The government’s Phase 2 HIPAA audits began March 21. Phase 2 will consist of 200 desk and on-site audits of both covered entities and business associates. The compliance audits are intended to determine if health-care organizations and their contractors are complying with HIPAA privacy and security rules. The first phase of the HIPAA audits was conducted as a pilot program in 2011 and 2012, focused solely on covered entities, while Phase 2 will include both covered entities and business associates. The desk audits are expected to be completed by December, while the more comprehensive on-site audits will begin later in the year. The OCR has reached nine major settlement agreements regarding HIPAA breaches since last March, resulting in a total of $11 million in fines. Some of the lessons learned as a result of the OCR’s enforcement efforts, included the need for companies to:

  • safeguard all paper records, even if most records have migrated to an electronic format;
  • maintain business associate agreements with all business associates;
  • perform a comprehensive risk analysis of all sources of protected health information, not just electronic health records; and
  • translate the results of a risk analysis into a robust risk management plan.

[OCR fact sheet on the Phase 2 audits] [BNA]

US – GAO Identifies Healthcare.Gov Security Weaknesses

The Government Accountability Office released a report identifying several weaknesses in the security of Healthcare.gov. In a span stretching from October 2013 to March 2015, the Centers for Medicare & Medicaid Services reported 316 security-related incidents affecting the site. The breaches mostly consisted of mailing sensitive information to the wrong recipients and the probing of CMS systems by potential attackers. Despite CMS’ efforts to protect the privacy and security of the data maintained through the systems supporting Healthcare.gov, the GAO noted various trouble spots, including faults in technical controls that could place sensitive information at risk for unauthorized disclosure and controls that protect data flowing through data hubs. The GAO, however, noted that hackers did not successfully compromise any personally identifiable information during that span. [Full Story]

US – Two Hospitals Held For Ransom

Hackers held the computer systems of two California-based Prime Healthcare Services’ hospitals for ransom last week. A Prime Healthcare spokesman said that the incident didn’t cripple the internal systems, hospitals remained “operational,” and the FBI is investigating the incident. While not elaborating on the ransom, he called the situation “similar to challenges hospitals across the country are facing.” Meanwhile, Chubb’s Global Cyber Risk Practice announced the launch of a ransomware service for policyholders. “Many businesses are not equipped to deal with a cyber-extortion attempt, where the timeliness of the response is even more critical,” said Global Cyber Risk. [Kaiser Health News]

WW – Diagnosis by Smartphone Risks Patient Confidentiality: Researchers

Doctors who photograph skin conditions using unsecured, personal mobile phones could be breaching patient privacy. In an article in the Medical Journal of Australia, researchers say using telemedicine for diagnosing dermatological conditions was popular because it sped up treatment and improved patient outcomes, particularly in regional areas where there are few specialists. However doctors and medical institutions endangered patient privacy, as well as their own indemnity insurance and confidentiality clauses of their employment contracts, if they failed to protect confidential patient records by using unsecured mobile phones and emails. [Source]

Internet / WWW

WW – GPEN Issues 2016 Annual Report

The Global Privacy Enforcement Network (“GPEN”), an informal network of 59 privacy enforcement authorities in 43 jurisdictions around the world, has released its 2015 annual report. Highlights:

  • Launched GPEN Alert, a new information sharing system that enables participating authorities to better coordinate international efforts in protecting consumer privacy.
  • 18 teleconferences held in the Atlantic and Pacific regions to connect authorities and to build and share expertise. Two face-to-face meetings in Ottawa and Amsterdam
  • Third annual Privacy Sweep spotlighted the privacy practices of websites and apps targeted specifically at, or popular with, children. [Report]

Law Enforcement

UK – Police Create Mega Crime Database for “Predictive Policing”

The police are to consolidate a number of their large databases into a single “platform” in order to “protect victims and spot potential links to other crimes.” The plans for a “National Law Enforcement Data Programme” were announced by the Home Office this week and will bring together data from the Police National Computer, Police National Database and Automatic Number-Plate Recognition (ANPR) systems “onto a single platform.” However, last year the legality of the ANPR database – which collects a “record for all vehicles passing by a camera… including those for vehicles that are not known to be of interest at the time of the read“ – was called into question by the Surveillance Camera Commissioner. The National ANPR data centre now holds information on 22 billion car journeys. Other measures contained within the Modern Crime Prevention Strategy (PDF) include an “explicit focus on data and technology” and the use of “predictive policing”. [Source] [UK tech industry welcomes government’s new anti-crime strategy]\

US — Study: Punishments for Police Database Misuse Should Increase

Police who abuse official law enforcement databases must receive stronger penalties, says a civilian oversight agency. A study by the Denver Office of the Independent Monitor documented 25 cases of the city’s police misusing the database in the past 10 years. “These databases contain vast amounts of personal information about the American public, including community members in Denver,” said the agency’s Independent Monitor. “When they are misused, reprimands are not commensurate with the seriousness of that violation, and may not be strong enough to deter future abuse.” [New York Times]

CA – Retired Police Chief Keeps (Unwiped) Work Devices

The City of Hamilton Police Services Board did not delete sensitive data from former Chief Glenn De Caire’s police-issued laptop and mobile phone, items he was able to keep post-retirement. This potential oversight sparked privacy concerns, but law enforcement officials say there’s nothing to fear. “I don’t know whether he downloaded anything,” said the Police Services Board Chair Lloyd Ferguson. “I trust Glenn and I don’t know whether he would’ve saved anything to the hard drive.” That problem is bigger than that, argued Ryerson University’s Ann Cavoukian. “It’s not that we don’t trust the former police chief. It’s that accidents happen,” she said. “I don’t want to suggest otherwise, but nonetheless this material has to be governed by strict policies and protocols.” [CBC Hamilton]

CA – Ontario Provincial Police Investigating Unlawful Prison Surveillance

Correctional Service Canada’s use of surveillance inside a federal prison has sparked an official investigation by the Ontario Provincial Police and a lawsuit from the jail guards. Officials used cell-site simulators, or IMSI catchers, to locate prisoners’ contraband cellphones, but the technology also grabbed private data from the guards’ cellphones as well. Indiscriminate surveillance programs can be considered a violation of the Criminal Code, but lawyers argue that this may be tricky to prove, as there is a lack of legal precedent that exists for prison surveillance. Regardless, “CSC officials have recently stopped giving statements to lawyers pursuing the civil suit,” the report adds. [The Globe and Mail]

Online Privacy

US – Medical Organizations, Facebook Sued in Class Action

In a new class-action lawsuit, plaintiffs claim Facebook spied on users who relayed private health information on major cancer institutes’ websites in order to make profit off the data in advertising revenue. Winston Smith has sued Facebook, the American Cancer Society, the American Society of Oncology and five others alleging Facebook uses the private health data it takes from the medical institutes’ websites, which feature a secret “Facebook code” capable of transmitting users’ data to the social media site, to create targeted advertising campaigns. [Courthouse News Service]

WW – Facebook Appeals to Advertisers Seeking Certain Groups Via Race-Based Marketing

Facebook’s has launched new race-based marketing campaigns. In a recent campaign, ads for N.W.A.’s “Straight Outta Compton” were served in different ways to three different audiences: black, white or Hispanic. Facebook calls it “ethnic affinity” targeting, and it’s been pushing it since 2014. It appeals to advertisers seeking a certain group. But Facebook users aren’t required to declare their racial or ethnic identity in their profiles. A Facebook executive explained that to construct a profile of a user’s identity, the company looks at “indicators” like your interests, friends and organizations you belong to. [Ars Technica]

WW – Adobe Unveils Cross-Device Targeting Co-Op

Adobe has announced plans for cross-device targeting, which would not only notify technologists when the same individual is using different devices, but also provides companies a new way to target ads. To do so, members of the new Adobe Marketing Cloud Device Co-op will share data with each other. “So if Company X has been able to use login data to establish that two devices belong to the same person, other members of the co-op take advantage of that fact and tailor their advertising accordingly.” The plan has sparked privacy concerns, but Adobe said the participating advertisers must opt-in, and the shared data is not personally identifiable. [TechCrunch]

WW – The Impact of Your Data Footprint

It’s no mystery to most privacy professionals, but the impact one’s data footprint can have on everyday life is beginning to be well chronicled in mainstream media. Fast Company published a long-form work on the myriad decisions that are made via personal data, often without the data subject’s knowledge. From the presence of police in your neighborhood (or not) to the potential dates you’re presented with on your dating site of choice to the job you are offered (or not), the report details how data may be impacting your life experiences. The article’s conclusion? “[E]thical considerations need to be guiding us.” [Full Story]

Other Jurisdictions

AU – NSW Statutory Cause of Action for Invasions of Privacy?

The NSW Legislative Council Standing Committee on Law and Justice has recommended in its report Remedies for the serious invasion of privacy in New South Wales the establishment of a statutory cause of action for serious invasions of privacy. The Committee recommended that, in establishing the statutory cause of action, it should be based on the Australian Law Reform Commission’s (ALRC) model detailed in its 2014 report Serious Invasions of Privacy in the Digital Era (which was the subject of considerable focus during the Committee’s inquiry). The report’s recommendations were made by MPs from four parties, including those of the Coalition, so this is clearly an idea in the mainstream of NSW political thought. Nothing will happen, however, until the NSW Government’s response to the report, which is expected by 5 September 2016. [Clayton Utz Insights]

Privacy (US)

US – FTC Fines Data Broker $4,000,000 for Selling Sensitive PI Without Consent

The FTC entered into an agreement with Sitesearch Corporation et alia following alleged violations of the FTC Act. The data broker is permanently restrained from selling, transferring, or otherwise disclosing a consumer’s sensitive personal information to any third party without consent, it must not misrepresent that a consumer has authorized or consented to the purchase of a product or service, or the nature or terms of any refund, cancellation, exchange, or repurchase policy. [FTC v. Sitesearch Corporation – Final Judgment and Order for Injunctive and Other Relief – United States District Court for the District of Arizona]

US – NY Contractor Fined $3.1M for Outsourcing Government PI to India

A New York contractor will pay $3.1 million and undergo oversight for the next five years for violating a contract that involved outsourcing the personal information of millions of individuals to a company in India. Focused Technologies Imaging Services was tasked with digitizing 22 million files maintained by the State Division of Criminal Justice Services, which included fingerprints, Social Security numbers, signatures and dates of birth. For $82,000, the company shipped the files of millions of individuals to an Indian-based company for processing. Though the state contract required Focused Technologies’ employees pass background checks prior to processing as an added protection for the records, the company to which the records were outsourced did not conduct background checks on its employees. [The New York Times]

US – Hulk Hogan Wins $115M in Privacy Invasion Case

A jury awarded former wrestler Hulk Hogan $115 million (About $1,138,613 per second) after finding that news site Gawker violated his privacy by publishing a sex tape of Hogan without his consent. The jury awarded Hogan $60 million for emotional distress and an additional $55 million for economic damages, with the possibility of more. “This is a victory for everyone who has had their privacy violated,” said Hogan’s attorney. University of Miami School of Law professor Mary Anne Franks said, “People are thinking a little bit more about the concept of what is newsworthy, because what’s changed is the concept of who a public figure is.” The case comes a week after sports reporter Erin Andrews won $55 million for having her privacy violated by a stalker. [Reuters]

US – Gawker Hit With $25 Million in Punitive Damages

A Florida jury ruled that in addition to its $115 million fine, Gawker must pay $25 million in punitive damages for posting wrestling star Hulk Hogan’s sex tape online without consent. The jury also required the news outlet’s CEO Nick Denton to pay a $10 million fee. “I think we made history today, because I think we protected a lot of people today who may be going through what I went through,” Hogan said. The company said it would appeal the ruling. “We are confident we will win this case ultimately based on not only on the law but also on the truth,” Gawker said in a statement. [Reuters]

Privacy Enhancing Technologies (PETs)

US – Tool Puts Users in the Data-Access Driver’s Seat

Massachusetts Institute of Technology and Harvard University research teams are developing a tool that gives mobile users the “final say” on how and when their data is accessed by applications. The cryptography-based program, called Sieve, encrypts and stores user information in the cloud, dispensing data-access requests to the user when an application wants to employ the data. [ZDNet]

Security

US – Study: Cybersecurity Pros Hesitant to Share Threat Intel

A new McAfee Labs survey of 500 private-sector companies indicated that more than a third of cybersecurity professionals “remain hesitant” to share threat intelligence with members of other industries. 63% of respondents would participate in reciprocal threat sharing. The problem, according to the study, lies in companies’ “misunderstanding” of the information appropriate to share. “When an organization begins to implement a [cyber-threat intelligence] sharing effort, it runs afoul of policies that dictate that no confidential data or [personally identifying information] can leave the organization. This is, of course, generally a good policy but the lack of understanding of the content being shared becomes self-defeating in this case.” [FedScoop]

US – OMB Study: 77,000 Cyber Incidents Hit Government in 2015

An Office of Management and Budget annual performance review found that 77,000 “cyber incidents” befell the U.S. government in 2015, a 10% increase from 2014. The study defines these incidents as “a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices,” and names the government’s increased ability to identify data breaches and employee security gaffes as partly responsible for the larger total, the report states. Regardless, “malicious actors continue to gain unauthorized access to, and compromise, federal networks, information systems, and data,” the study said. [Reuters]

Surveillance

US – NYCLU Says Cities Free Wifi Building ‘Massive Database’

When New York started replacing its pay phones with wifi kiosks in January, the new free internet access was met with a great deal of excitement, particularly over the network’s speed. The beta launch included just a dozen wifi hubs, but the city plans to convert 7,500 phone booths over the next few years so that free wifi is as ubiquitous as the yellow taxi in New York. But now, concerns about privacy are beginning to emerge. The New York Civil Liberties Union (NYCLU) accused the city of using its new public wifi system, LinkNYC, to “build a massive database,” complaining that the company behind the program, CityBridge, can keep a vast amount of information about wifi users, per its privacy policy. “In order to register for LinkNYC, users must submit their e-mail addresses and agree to allow CityBridge to collect information about what websites they visit on their devices, where and how long they linger on certain information on a webpage, and what links they click on. CityBridge’s privacy policy only offers to make “reasonable efforts” to clear out this massive amount of personally identifiable user information, and even then, only if there have been 12 months of user inactivity. New Yorkers who use LinkNYC regularly will have their personally identifiable information stored for a lifetime and beyond.” The group sent a letter to Mayor Bill de Blasio’s office enumerating their concerns about the vagueness of the privacy policy. The letter lists three main concerns: how long user data will be retained, unclear language about government requests for user data, and whether the “environmental sensors and cameras” that sit on the new wifi hubs will feed into the Domain Awareness System, a city-wide police surveillance network. As of late 2013, 57 cities had municipal wireless systems of some sort, a number that has and will continue to grow.  [Fusion]

Telecom / TV

US – FTC: We’ll Be Watching for TV Habit-Tracking Apps

The FTC is advising mobile app developers that it has its eye on technology that could allow phones to monitor TV viewing habits and relay that to targeted third-party advertisers. In a blog post this week, the FTC pointed out it was sending letters—from the associated director of the Privacy and Identity Protection division—to app developers whose apps use software created by Silverpush that runs in the background and enables phones to “listen” for embedded audio signals in TV programs to determine what TV shows or ads are playing (sort of like a Shazam for TV content), even when the app is not being actively used. The app “could” create a log of such TV content. [Source] [FTC Raps Android Developers For Using SilverPush Software]

Workplace Privacy

US – Study: Employees Deserve Privacy Laws

In a forthcoming California Law Review paper titled “Limitless Worker Surveillance,” the authors argue that the government should establish employee surveillance protection laws that would balance an employer’s right to efficiency and a worker’s right to privacy in an increasingly connected world. “While employers have a reasonable interest in ensuring the productivity of their workers and in dissuading misconduct in the workplace, that interest does not outweigh the human right to privacy and personal liberty in domains that have been traditionally considered as separate from work and the workplace,” the research states. They dub their proposed law the “Employee Privacy Protection Act,” and maintain that the same legal protections should be extended to health care workers, as well. [Information Week]

+++

 

08-18 March 2016

Biometrics

CA – Researchers Considering Iris Biometrics to Help Homeless Get Healthcare

A Canadian research project is looking at the use of iris recognition to help homeless people get around the problem of accessing healthcare without proper identification. The iris recognition project will begin later this month with researchers asking those at select temporary shelters whether they’d be comfortable having their iris image captured to be used as a form of ID. An algorithm developed by engineering students at Western University will turn those images into a number that will become the test subjects’ unique ID numbers. Ontario NDP member of provincial parliament Peggy Sattler said, “This (project) is not intended to stigmatize homeless people. It will shed light on how this could work and it can help homeless people have access to health care.” In fact, the technology could also be expanded for all Ontarians, Sattler said. “There are 100,000 more OHIP (Ontario Health Insurance Program) numbers than there are Ontarians.” “Eventually, you could get an iris scan at your doctor’s office and it would go into some kind of database, and every time you access health care, you don’t need a card.” Details about the storage and protection of the biometric data have yet to be worked out. [London Free Press]

Big Data

WW – Twitter, Dove Using Data to Raise Body-Shaming Awareness

Dove unveiled the newest development in its #SpeakBeautiful campaign last week, a tool developed with Twitter that tracks a user’s body-centric buzzwords on the site. The tool issues a link to a user’s own “custom microsite” after they retweet Dove’s official content. The microsite then shows users their own Twitter data, comparing how their “negative tweets stack up to other women.”“ [AdWeek]

Canada

CA – OPC Outlines Recommendations for Modernizing the Privacy Act

The Privacy Commissioner of Canada welcomes a Parliamentary committee review of the Privacy Act and has unveiled his priorities for modernizing the law governing how the federal government handles personal information, which has remained largely unchanged since it was proclaimed in 1983. The OPC recommended changes under three broad themes: Responding to technological change, legislative modernization and the need for transparency. The Privacy Act should be amended to

  • Require that all information sharing be governed by very explicit written agreements;
  • Create an explicit requirement for institutions to safeguard personal information, as well as a legal requirement to report breaches to the OPC;
  • Broaden the grounds to seek a Federal Court review to include all contraventions of the Privacy Act, not just denials of access to personal information;
  • Require government departments to consult the OPC on bills that impact privacy before they are tabled in Parliament;
  • Allow the OPC to report in a more timely and proactive manner on the privacy practices of federal institutions, beyond annual and special reports to Parliament; and
  • Extend the application of the Privacy Act to all government institutions, including Ministers’ Offices and the Prime Minister’s Office.

Commissioner Therrien also urged Parliament to consider regulating the collection, use and disclosure of personal information by political parties, but noted the Privacy Act is probably not the best instrument to do this. [Commissioner Therrien’s full statement]

CA – Alberta Privacy Commissioner Aims to Bring Non-Profits Under Provincial Privacy Legislation

The AB OIPC has recommended to the standing committee on Alberta’s economic future that nonprofits should comply with privacy legislation. The Calgary Sun reports that more than 20,000 nonprofits have been exempted from complying with privacy legislation. Privacy Commissioner Jill Clayton wants to eliminate this exemption as her office was only able to address 9% of the privacy complaints it received regarding nonprofits last year. [Calgary Sun]

CA – Nova Scotians Not Keen on Tech Saving Them Money on Car Insurance

Several insurance companies in Nova Scotia are offering a program that allows people to save up to 25% on their car insurance, but few people are opting to take part, according to OTC insurance and the Insurance Bureau of Canada. In order to apply for the discount, people have to volunteer to install what’s known as a telematics device in their car. The small device is installed under a car’s steering wheel and records an individual’s driving habits for six months. The device records things like driving distances, the time of day the car is driven, and sudden acceleration or braking. At the end of the six months the device is turned over to the insurance company and it uses the data to determine if the user should get a discount on their insurance. “We’ve been advertising quite heavily on the radio and seems like people are very leery about having this device in their vehicle for the insurance companies to look at.” David Fraser, a privacy lawyer, has mixed feelings about telematics. “Once this information is generated, it exists and it can be used for other purposes. It can be subpoenaed in connection for with a lawsuit, the police could get a search warrant and it just adds to the amount of digital debris that we leave behind in the run of the day.” He also questions how accurate the information will be and how it will be interpreted. [CBC News]

CA – BC Law gives Coroners Wide Power to Protect Privacy of the Dead

The BC Coroners Service has refused to release the medical records of a murder victim asserting the deceased still has privacy rights. There aren’t any Freedom of Information and Protection of Privacy Act provisions that compel “public bodies … to disclose certain types of information,” said Michelle Mitchell, communications officer for the Office of the Information and Privacy Commissioner for British Columbia. “Therefore, it is not within the commissioner’s powers to require a public body to include specific kinds of information in a report,” she added. [Vancouver Sun]

CA – Trudeau Agrees to Hand Over Even More Data About Travelers to the US

Justin Trudeau’s pilgrimage to Washington has produced one clear result. Canada’s new Liberal government says it will push through a long-delayed plan to share with Washington biographic and other information on Canadian citizens travelling overland to the U.S. The Americans, in turn, will reciprocate. [Source] [US Travel cheers expansion of Border Preclearance Program in Canada] The announcement came as a sidenote to the climate change strategy announced by the two leaders, with fanfare, in DC on last week. “The government of Canada has assured the U.S. it will complete the last phase of a coordinated entry and exit information system so the record of land and air entries into one country establishes an exit record from the other,” the statement from the two leaders reads. Obama framed the deal around stemming the flow of foreign fighters between the two countries — even though evidence for that supposed trend appears to be non-existent — but the effects of the deal could impact the privacy rights of all cross-border shoppers, tourists, and anyone else who crosses the world’s largest land border. The entry/exit deal dates back to the 2011 ‘Beyond the Border’ plan to boost security and reduce trade restrictions between the two countries. The 2011 plan commits the two countries to “establish coordinated entry and exit systems at the common land border” and “exchange biographical information on the entry of travelers, including citizens, permanent residents, and third country nationals” whenever they cross one country into the other. But that part of the plan never came into force, at least not as envisioned. Canada began sharing information with its American counterparts on all third-country nationals — border-crossers who were neither American nor Canadian — but never began doing so for its own citizens, even though it committed to start in June 2014. [Source] [Op-Ed: Canada to share information with U.S. on land border crossers] [Canada, U.S. to share more passenger information ] [Trudeau quietly agrees to share info on Canadians with U.S.]

CA – CSIS Head Says New Powers to Disrupt Plots Used Almost 2 Dozen Times

The head of Canada’s spy agency told a Senate committee that his agency has used its extraordinary powers to disrupt extremist plots close to two dozen times since the fall of 2015. Michel Coulombe, director of CSIS, made the admission to the national security and defence committee, revealing for the first time how frequently this power was used. Canada’s spy agency was granted the power to disrupt suspected plots rather than just relay information about those plots to the federal government and the RCMP when Bill C-51 became law this past summer. [CBC] [CSIS hasn’t crossed line with controversial new powers under Bill C-51, director tells Senate committee]

CA – Toronto Fire/Paramedic Services to Post Emergency Call Data Online

City councillors are getting ready to make vital information about fires and medical emergencies available to the public. A council committee approved two motions this week to have the fire and paramedic services make data from their LiveCAD system — which tracks calls for help in real time — open for the public to see and download. Both were instructed to work with the city’s legal department to make the information available without compromising the privacy of Torontonians. One solution proposed to the committee, for example, was releasing the nearest major intersection to each incident rather than the specific address. [Source]

CA – Regina Police Posting Photos of Potential Witnesses, Suspects and Victims

Can you identify this individual? That question is written under photos of various people, usually appearing in security camera footage, posted on the Regina Police Service’s website. Most of the pictures are of men and women entering stores, walking down aisles or buying something at a cash register. A form underneath the photos allows someone to leave a confidential tip. In some photos, police have put more information about why they are seeking someone, usually because they are a suspect in a crime. But in others, no information about why police want to talk to the individual is provided. The practice began shortly after police started posting photos of individuals wanted on outstanding warrants to its website in February. When explaining the “Can You Identify” page, a separate section of the website, police stress the individuals appearing there are not necessarily suspects in a crime. Once the individual has made contact with police, their photo is taken off of the website. Walter said police have had success with the initiative, and some of the individuals have turned out to be suspects. Before beginning the practice, the RPS consulted its legal counsel through the City of Regina. The approval was given on the basis that a person in a public space does not have the expectation of privacy, and their image is not considered personal information. What police are doing is legal, but it still doesn’t sit well with the Canadian Civil Liberties Association. “It’s not clear what they were suspected of doing, or why the police are seeking them. And once the police locate them, it may turn out that these individuals are innocent. However, other members of the community could assume that someone being sought by the police is guilty of some kind of wrongdoing, and this stigma is particularly troubling given how long images can stay on the Internet,” said Berger. [Leader-Post]

CA – Federal Government Launches Consultations on Breach Notification

On March 9, 2016 the Department of Innovation, Science and Economic Development Canada released a discussion paper on the new data breach regulations being proposed to PIPEDA pursuant to the Digital Privacy Act (Bill S-4). The Ministry is accepting public submissions until May 31, 2016 on the proposed Data Breach Notification and Reporting Regulations. The discussion paper not only solicits comments, it identifies issues that may arise in respect of certain regulatory approaches. Following this consultation process, the Canadian Government will publish draft regulations for public comment and further consultation. It is unlikely that we would see breach reporting come into force in Canada before the last quarter of the year. [Source] [Industry Canada] [Discussion document] [Source]

Consumer

WW – How Canadians Feel About Data and Privacy (Survey)

Concern about data privacy and security is down among consumers across the globe, but companies still have a long way to go to earn their trust, according to a new study from SAS. The analytics company conducted an online survey of more than 4,300 adults in 15 countries, including Canada. Globally, 63% of respondents said recent events like hacks and data breaches of government agencies and financial websites have heightened their concerns around sharing personal information, down from 69% in SAS’s 2014 survey. In Canada, 64% of consumers report concern about what businesses do with their personal data; 24% of respondents feel they have no control at all over what businesses do with their information, and only 13% believe they have total control. [Mobility, Vulnerability and the State of Data Privacy] [Marketing Magazine]

US – Time, Mansueto Ventures Sued for Alleged Data-Selling Practices

The ability to sell subscriber information to third parties is at the center of two separate lawsuits. Plaintiffs maintain that both Time Inc., the company behind magazines People and Sports Illustrated, and Mansueto Ventures’ data usage violated their respective states’ privacy legislation. “Unfortunately for its subscribers, Time supplements its sales and advertising revenue by secretly selling their statutorily protected information — including their full names, titles of magazines subscribed to and home addresses (collectively ‘Personal Reading Information’) — to data miners and other unrelated third party companies,” one suit reads. [NY Post]

US – Don’t Post About Me on Social Media, Say Children

Recently, university researchers asked children and parents to describe the rules they thought families should follow related to technology. In most cases, parents and children agreed — don’t text and drive; don’t be online when someone wants to talk to you. But there was one surprising rule that the children wanted that their parents mentioned far less often: Don’t post anything about me on social media without asking me. [New York Times]

E-Government

CA – Canada: Federal Government Lagging on Online Services, Documents Warn

The federal government is lagging behind both private sector offerings and Canadians’ expectations in online services, internal documents warn. A full 77% of federal services still cannot be completed over the Internet. Services like passport applications, requesting access to government information, or obtaining proof of citizenship all require in-person treks to Service Canada locations or mailed application forms. A minority of services, like filing taxes or updating pension information, can be done online through government websites. In addition to raised expectations, the documents note that it takes a long time for the sprawling federal bureaucracy to implement changes in how it delivers services. [Source]

US – California Judge Reverses Court Order on Student Information Release

A federal judge tweaked her initial court order for the release of sensitive student data to a statewide parent group of special education advocates March 1, as a result of a “large number of objections” from parents who mailed in opt-out forms to the U.S. District Court in Sacramento. [The ruling] In her March 1 order, U.S. District Court Judge Kimberly Mueller noted the large number of objections to the potential release of student data received by the court following the posting of the “Notice of Disclosure of Student Records” on Feb. 1. In response, the court ordered that the CDE maintain custody of the most sensitive of its databases—the California Longitudinal Pupil Achievement Data System (CALPADS)—while running searches for information requested by the plaintiffs. The court also reiterated that no student’s personally identifiable information may be released to the plaintiffs unless and until they demonstrate to the satisfaction of the court that the method to be used to store the sensitive student data is secure, the CDE noted. The parties are still litigating the extent of the disclosure of student data. [Morgan Hill Times] See also: [Special ed court case causes stir] [Teachers union supports opt-out option]

E-Mail

CA – Claim that Minister Doesn’t Use Email Adds Questions About B.C. Libs Compliance With FOI Laws

The B.C. finance minister has joined a growing list of senior provincial government officials who either claim they do not use email or who have been caught routinely deleting their emails. The practice has gained prominence following freedom-of-information requests by the media and a damning report by the OIPC BC, which rebuked the Liberal government for failing to adequately create and maintain records. It also singled out specific staff for routinely “triple deleting” emails as a means of permanently destroying records. BC Premier Christy Clark responded with a public statement. “The practice of ‘triple-deleting’ will be prohibited, ministers and political staff will continue to retain sent emails and a new policy and specific training will be developed,” she said in a December 16 media release. Clark also said the government would “study and consider the establishment of duty to document”. According to his press secretary, “(Finance) Minister de Jong has the longstanding practice of requiring information such as briefing notes, decision notes, memos and other correspondence to be delivered to him through his office on paper, rather than to an email account,” it reads. “His choice not to receive information or hold conversations by email is a matter of personal preference as a way to manage and prioritize the volume of information his portfolio already entails,” the statement continues. De Jong’s aversion to the world’s most common form of interoffice communication puts him in good company among Liberal government senior staffers. On December 16, the Straight reported that the premier herself had essentially stopped using email. [Vancouver free press] [Finance Minister Mike de Jong doesn’t do email, says premier — and that’s OK with her] See also: [FOI response suggests B.C. Premier Christy Clark has basically stopped sending emails] and [NDP cites evidence of emails deleted from top government accounts, including premier’s]

CA – Former BC Staffer Charged in E-Mail Deletion Probe

A former B.C. government employee who allegedly deleted e-mails involving the Highway of Tears has been charged with two counts of willfully making false statements to mislead, or attempt to mislead, the province’s information and privacy commissioner. The B.C. Criminal Justice Branch announced the charges Friday – approximately 4 1/2 months after Commissioner Elizabeth Denham released a scathing report that said Premier Christy Clark’s government routinely thwarted freedom-of-information requests through tactics such as triple-deleting e-mails. The charges were laid under FIPPA. Mr. Gretes faces a maximum fine of $5,000 a count. [The Globe and Mail]

Electronic Records

AU – Updated eHealth Record System Still Sparks Criticism

The Australian government’s revised eHealth program, now dubbed “My Health Record,” still faces the criticism of privacy advocates. While this newer iteration of the Personally Controlled Electronic Health Record permits an opt-out function, critics like the Australian Privacy Foundation argue that the program lacked specific instructions for doing so. “There are many people who should be very careful about letting the government put lots of identifying information into a central database,” the APF said in a statement. [Computerworld] [Opt-out e-Health a ‘Fundamental Breach of Trust’: Victorian Regulator]

Encryption

UK – ICO Issues Guidance on Use of Encryption

The U.K.’s Information Commissioner’s Office has released a new set of encryption guidelines, urging companies to embrace the practice before it’s too late. Although encryption practices are relatively simple, companies “often have no idea whether their data is encrypted or not,” the report states. The ICO said in a blog post that while choosing to forgo encryption isn’t illegal, “the ICO takes the view that regulatory action may follow in cases where a lack of encryption has led to a loss of data,” resulting in a high number of fines and the loss of many a company’s reputation. [ZDNet] See also: [U.K.’s Investigatory Powers Bill would mean even small startups would be required to create backdoors to their systems] and [France Clears Bill That Could Force Apple to Unlock Terror Data] [A bill under consideration in France would impose powerful new penalties for companies that do not provide access to encrypted communications in terrorism-related investigations]

UK – Snooper’s Charter Would Require Even Startups to Build in Backdoors

Should the U.K.’s Investigatory Powers Bill pass through Parliament, even small startups would be required to “bake insecurities into their systems in order to be able to hack users on demand.” And, while Apple has been able to make public the fact that the FBI wants backdoor access in the U.S., the U.K. bill would require companies to keep quiet about law enforcement requests. “They built in systems that would force companies who have more than 10,000 users — which for a startup 10 years ago used to be a hard thing, now you can quite quickly collect 10,000 users no problem — so it’s a very low threshold,” said Privacy International’s Eric King. [TechCrunch]

US – EFF on Why FBI Can’t Force Apple to Sign Code

Code is speech: critical court rulings from the early history of the Electronic Frontier Foundation held that code was a form of expressive speech, protected by the First Amendment. The EFF has just submitted an amicus brief in support of Apple in its fight against the FBI, representing 46 “technologists, researchers and cryptographers,” laying out the case that the First Amendment means that Apple can’t be forced to utter speech to the government’s command, and they especially can’t be forced to sign and endorse that speech. In a “deep dive” post, EFF’s Andrew Crocker and Jamie Williams take you through the argument, step by step. [Source]

US – Encrypted WhatsApp Messages Frustrate New Court-Ordered Wiretap

The US Department of Justice has opened another legal front in the ongoing war over easy-to-use strong encryption. Prosecutors have gone head-to-head with WhatsApp, the messaging app owned by Facebook. Citing anonymous sources, the Times reported that “as recently as this past week,” federal officials have been “discussing how to proceed in a continuing criminal investigation in which a federal judge had approved a wiretap, but investigators were stymied by WhatsApp’s encryption.” The case, which apparently does not involve terrorism, remains under seal. [The New York Times]

WW – Google Adds Worldwide HTTPS Info to Transparency Report

Google has launched a transparency report specifically to track the progress of the Internet’s encryption efforts. The aim is in support of the general push to have encryption available everywhere. Even within the Google universe HTTPS is far short of 100% of traffic. Excluding YouTube traffic, but with Gmail, Drive, Search and increasingly Blogger and advertising traffic over HTTPs, only 75% of what’s served from Google domains is currently encrypted. Google will be updating that reporting each week, the company says. The second plank of the strategy is looking at Certificate Transparency: a public search interface letting users check that a certificate is valid and is being used correctly. [The Register]

EU Developments

EU – MEPs Vote Against Passenger Name Record Vote

Members of the European Parliament voted 7 March against placing the Passenger Name Record on the plenary session agenda, citing privacy objections. “It is true that the Council has never been particularly helpful on the legislative package related to data protection,” said French Socialist Delegation President Pervenche Berès. “But the fact that PNR has still not been adopted in March 2016, after it was promised for December last year, does not give a very good impression of the EU.” MEPs rejected placing PNR on the agenda for “fear a vote on PNR may allow member states to abandon the personal data protection package they have promised as a counterweight to the new surveillance powers.” [EurActiv] See also:

[some analysts are predicting the EU-U.S. Privacy Shield will not stand up to judicial scrutiny in Europe]

EU – EDPS Releases Case Law Overview

The European data protection supervisor has released a working document covering relevant privacy and data protection case law in the EU between Dec. 1, 2014 and Dec. 31, 2015. The case law pertains to the Court of Justice of the EU, European Court of Human Rights, and national courts of member states “on the right to the protection of personal data, the right to protection of private life, access to documents, and the right to freedom of expression,” the EDPS working document states. The overview also includes pending cases and is “intended to provide factual summaries of case law.” [Source]

Facts & Stats

US – Verizon Issues Data Breach Digest Report

Verizon has released a Data Breach Digest Report, a set of 18 case studies that comprise common scenarios that the majority of breaches fall into. The incidents include a water utility at which intruders managed to manipulate water treatment processes and flow; a developer who outsourced his work to China; and pirates (the seafaring variety) who used information stolen from a shipping company’s computers to target specific containers on vessels they boarded. [eWeek] [DarkReading] [Ars Technica] [CSO Online]

US – Businesses Reluctant to Report Attacks: Report

According to a report, Cyber Security: “Underpinning the Digital Economy,” from the Institute of Directors and Barclays bank, many organizations do not report cyberattacks to law enforcement. Just 28% of cyberattacks are reported. The report also found that while most business leaders believe cybersecurity is important, just half have established plans to protect themselves from attacks. [ZDNet]

CA – 53% Have Been ID Theft or Fraud Victims: Equifax Survey

More than half of Canadians (53%) say they have been a victim of financial fraud according to an Equifax Canada survey. Additionally, new data suggests that millennials (Generation Y) are increasingly the ideal target for fraudsters and organized crime syndicates. Throughout Fraud Prevention Month in March, Equifax Canada will work with the Canadian Anti-Fraud Centre (CAFC) to educate consumers, especially millennials about the impact of fraud and how to protect themselves. The CAFC estimates that mass marketing fraud losses to businesses and citizens has grown to greater than $10 billion annually, and it’s believed that almost 80% of all fraud is committed by organized crime groups. [Source]

Finance

US – FTC Wants Details on Credit Card Audit Practices

The FTC has issued orders to nine companies to share their Payment Card Industry Data Security Standards auditing practices, the agency said in a statement. The FTC aims to measure “the state of PCI DSS assessments,” the report states. The agency further hopes to gauge “the ways assessors and companies they assess interact” and to glean “information on additional services provided by the companies, including forensic audits.” [FTC]

FOI

CA – OIPC BC Orders Disclosure of 3rd Party Pricing Info Withheld by Public Body

The BC OIPC reviewed a decision by the Capital Regional District to withhold records requested pursuant to FIPPA. Disclosure of the information would not significantly harm the competitive position of the third party; the information does not directly state hourly rates, is not sufficiently detailed to reveal the hourly rates of individual personnel, and is dated information from 2009 and of limited use to competitors. [Order F16-05 – Capital Regional District]

CA – OIPC BC Orders Elections Body to Disclose Administrative Records

This OIPC order reviewed Elections BC’s refusal to disclose records requested under BC FIPPA. The administrative records are subject to FOI legislation and must be disclosed (e.g. job descriptions and a delegation matrix indicating who the Chief Electoral Officer has chosen to assist with his various functions); operational records do not fall under the legislation and may be withheld (e.g. an event plan that relates to the CEO’s planning of electoral processes, and memorandums of understanding related to the exercise of the CEO’s powers in relation to the prosecution of electoral offences). [Order F16-07 – Elections BC]

CA – OIPC SK Partially Upholds the Decision to Withhold Certain Records

The Saskatchewan OIPC reviews the decision of the Saskatchewan Arts Board’s to withhold records requested pursuant to The Freedom of Information and Protection of Privacy Act. The Board withheld records containing third party information which qualifies as advice, proposals, recommendations, analyses or policy options (such as, the analysis of and recommendations for issues faced by the Board, reports prepared for the Board which included advice and recommendations) that would be part of the Board’s responsibility and were prepared for the purpose of taking action or making a decision. [Review Report 154-2015 – Saskatchewan Arts Board]

Average Breach Falls Below Cyber Insurance Policy Deductible, Study Shows

An Advisen study, commissioned by ID Experts, found that the cost of the average data breach is less than most cyber insurance policies’ deductibles. “Most data breaches are small — consisting of fewer than 500 records lost,” the report states. “But most cyber insurance policies are set up to protect against large data breaches, with 90% of respondents having a deductible that is greater than $10,000.” As a result, more than 70% of those surveyed employ internal resources to clean up these smaller incidents. “There’s a lot of misconceptions around cybersecurity insurance — what it does, what it could do. It’s not for everyday occurrences.” [DarkReading]

CA – Commercial Liability Policies Likely Do Not Protect Companies from Data Breach Costs

A law firms examines why Commercial General Liability (CGL) policies may not protect companies in the event of a breach. The standard CGL policy usually requires “compensatory damages” to have been incurred, but the tort of breach of privacy does not require proof of damages; breach notification often requires legal assistance, which is not covered. U.S. case law suggests that CGL coverage for privacy-invasive “publication” does not apply to publication by third parties (e.g. hackers). [Breach: How New Types of Privacy Claims are Changing the Litigation Landscape – Daniel Reid, Associate, Harper Grey, Insurance Brokers Association of BC]

Genetics

UK – Police Hold DNA Profiles of 7,800 Terrorism Suspects

A police counter-terrorism database contains the DNA profiles and fingerprints of more than 7,800 identified individuals, an official government watchdog has revealed. The figure revealed by the biometrics commissioner, Alastair MacGregor QC, in his annual report last week, is far higher than any previous indications of the number of suspected terrorists in Britain. The commissioner reveals that the number of individuals whose DNA profiles and fingerprints are being logged on the little-known database as a result of counter-terrorism investigations is growing rapidly, having risen from 6,500 identified individuals in October 2013. The watchdog also reports that errors and delays in an official drive to delete the biometric records of those who have never been convicted of an offence – which account for 55% or 4,350 of those on the counter-terrorism database – have led to the destruction of a significant number of biometric records of terrorism suspects that should have been kept on national security grounds. In his second annual report, MacGregor says 1.7m DNA profiles and 1.6m sets of fingerprints have been deleted from the police national DNA database since the home secretary, Theresa May, introduced legislation in 2012 requiring the removal of details of those who have never been convicted of a criminal offence. He says the fact that the national DNA database still holds the biometric details of 12.5% of all men and 3% of all women in Britain and has not had any “demonstrably adverse impact” on its effectiveness; indeed, if anything, its overall “match” rate with DNA evidence found at crime scenes has gone up. But the commissioner raises serious concerns about the standalone national counter-terrorism police database. It has been quietly built up under powers in the Terrorism Act 2000 by collating DNA profiles and fingerprints gathered from searches, arrests and crime scenes during counter-terrorism investigations. MacGregor says he decided to publish the number of individuals on the counter-terrorism database after it was suggested to him in 2014 that to do so would be contrary to the interests of national security. He says he was “not wholly persuaded” by the argument and this year he sought and obtained agreement to disclose the number. [The Guardian]

Health / Medical

CA – Ont. Court Docs in Assisted Death Cannot Be Named by Press

An Ontario judge agreed to ban media from reporting the names of doctors for a Toronto man seeking assisted death, arguing that anonymity is needed to ensure health workers keep helping out in such cases. The ruling by Justice Thomas McEwen of the Ontario Superior Court also prohibits identifying the cancer patient and his family, citing the “intensely private and personal matter of his death.” A lawyer representing the National Post and other news media had objected to the scope of the ban requested by the 80-year-old man, saying it was important to make public the physicians’ names, partly to help identify any doctors who might “rubber-stamp” assisted-death requests. But the physicians and other health workers had asked to remain anonymous and they were justified in doing so, said Justice McEwen. “Their wish and concerns are entirely reasonable, in my opinion, given the publicity and controversy surrounding physician-assisted death,” said his 10-page decision. “This is a public interest of great importance … There may be a serious risk (with naming names) of impairing access to physicians willing to assist.” The judge also ruled the patient’s lawyer could edit out the required information from the court file before making it available to the media or their lawyers. [Source]

US – Study: Health Apps Pose Major Privacy Concerns

An Illinois Institute of Technology Chicago-Kent College of Law study of Android mobile apps for diabetes management found privacy practices wanting. “Many health apps transmit sensitive medical information, such as disease status and medication compliance, to third parties, including aggregators and advertising networks,” the report states. More than 80% of the apps had no privacy policies. An undefined legal landscape encourages these behaviors, the researchers argue. “Patients might mistakenly believe that health information entered into an app is private (particularly if the app has a privacy policy), but that generally is not the case,” they said. [CBS News]

EU – Estonian Citizens to Have World’s Most Hack-Proof Health-Care Records

Estonia is moving its citizens’ health records to a database, based on blockchain technology, that nobody can mess with. While financial institutions rave about the potential for blockchain—the technology that powers bitcoin—as a way to revolutionize the financial world, it can also help keep private data secure. A blockchain is essentially a digital ledger that, thanks to some computational tricks, records every change made to it indelibly. This means it can act as a database for health data. Whenever someone’s health records are accessed, that “event” is recorded on the blockchain, alongside what information was changed or added. That way, the information remains both secure and tamper-proof; nobody can change it without leaving traces. Eventually, there will be a dashboard for the public to see their own health records and any changes made to them. [Estonia using Blockchain to secure health records] [Estonian citizens will soon have the world’s most hack-proof health-care records] [Guardtime secures over a million Estonian healthcare records on the blockchain]

US – Senator Asks Privacy Regulators to Stop Abuse of Nursing Home Residents on Social Media

After a December 2015 ProPublica report documented more than 35 incidents involving employees at assisted living homes sharing photos of residents on social media, U.S. Sen. Tom Carper, D-Del., wrote the Department of Health and Human Services’ Office for Civil Rights asking what it’s doing to curb these instances. Of the photos, which often depict naked, ill residents, Carper said in a statement, “This type of abuse is unacceptable and falls short of our moral obligation to the ‘least of these’ in our society.” The OCR’s Deven McGraw said the office would reply to Carper’s inquiries. [ProPublica] See also: [Newfoundland health worker fired for privacy breach involving 25 patients]

Identity Issues

EU – EMA Published Guidance on De-Identification of Clinical Reports

The European Medicines Agency (EMA) has published guidance on the anonymization of clinical reports according to EMA policy on publication of clinical data for medicinal products for human use (EMA/240810/2013). Under the European Medicines Agency Policy 0070 for medicinal products for human use, manufacturers are required to submit anonymized versions of clinical reports to the agency, as well as a risk analysis report documenting how the risk of re-identification is considered sufficiently small. The specificities of the clinical data should be taken into consideration when selecting the most appropriate anonymisation technique (e.g. masking, randomisation or generalisation); a data controller must continuously follow development in re-identification techniques and, if necessary, reassess the risk of re-identification. These documents will then be made publicly available under two different data sharing mechanisms. Many manufacturers are now trying to figure out how to meet these requirements for their new submissions. [Source] [Webinar by Privacy Analytics – March 31, 2016). [European Medicines Agency – External Guidance on the Implementation of the European Medicines Agency Policy on the Publication of Clinical Data for Medicinal Products for Human Use]

Internet / WWW

UK – New Guide to Help Build Child Safety into Platforms

The U.K. Department for Culture Media & Sport has released a new guide designed to help organizations ingrain online child safety into Web and mobile businesses. The guide, Child Safety Online: A Practical Guide for Providers of Social Media and Interactive Services, uses the six principles of the ICT Coalition for Children Online safety framework, a European industry initiative to make online platforms safer for younger users. The principles include content; parental controls; dealing with abuse/misuse; child abuse or illegal contact; privacy and controls; and education and awareness. [Source]

Law Enforcement

CA – Vancouver Police Investigates Leak About Visiting Photographers

The Vancouver Police Department claims it is still investigating how a local website obtained an internal police bulletin and photographs of three men who were wanted for questioning after they were seen taking photographs at Pacific Centre Mall last January. “As this matter remains under investigation by the Vancouver Police, we are relying on section 15 of the Freedom of Information and Protection of Privacy Act to withhold records related to this issue.” Section 15 of the act consists of a number of provisions that allow government organizations to refuse to release information if doing so would be “harmful to law enforcement”. The Straight filed the requests in question after the local website published photographs that the website later said it had obtained from an internal police bulletin it had received from a member of the VPD. The original post published on January 14 included photographs of the three men wanted for questioning and quoted the VPD internal bulletin describing them as “men who look Middle Eastern”. The following morning, VPD chief Adam Palmer said the force was never planning to go public with a warning about the men. He explained the VPD only responded with information intended for the public after an internal report was leaked to media. The VPD subsequently released a statement that cleared all three men of any wrongdoing. [Source]

US – Use of Stingrays Violates Fourth Amendment: Court

The Maryland Court of Special Appeals upheld a historic decision by a state trial court that the warrantless use of cell-site simulators, or Stingrays, violates the Fourth Amendment. The trial had suppressed evidence obtained by the warrantless use of a Stingray – the first time any court in the nation had done so. Last April, a Baltimore police detective testified that the department has used Stingrays 4,300 times since 2007, usually without notifying judges or defendants. Stingrays mimic cellphone towers, tricking nearby phones into connecting and revealing users’ locations. Stingrays sweep up data on every phone nearby — collecting information on dozens or potentially hundreds of people. The ruling has the potential to set a strong precedent about warrantless location tracking. [Slashdot]

CA – Surveillance Device Used In Prison Sets Off Police Probe

Federal prison authorities are under criminal investigation for possible illegal surveillance. The probe centres on Correctional Service Canada’s use of a dragnet surveillance device inside a penitentiary. Fallout from the 2015 surveillance incident, involving a device that CSC officials called a “cellular grabber,” has led to a lawsuit from jail guards and a criminal inquiry by the Ontario Provincial Police. [Source]

CA – RCMP Fight to Keep Lid on High-Tech Investigation Tool

Police in Canada are fighting to keep secret the specifics of advanced technology they’ve used to spy on mobile phones in a criminal investigation into organized crime. Court documents filed in the Quebec Court of Appeal show government lawyers have acknowledged that the RCMP used an extraordinary communications-interception technique involving “mobile device identifier” equipment. But the Crown will be fighting to keep details of the operation under wraps during a court hearing scheduled for March 30 in Montreal. Chris Parsons, a researcher with the Citizen Lab at the University of Toronto’s Munk School, said this case “wouldn’t be the first time [these devices] have been used – but it would be the first time [authorities] have been caught out in court.” The public is bound to want to know more, Mr. Parsons said. “These are fundamentally devices of mass surveillance,” he said. [Source]

AU – Fears Policing Databases Will Be Exempt from Privacy Laws

National policing databases for firearms, domestic violence and child offenders will no longer be overseen by Australia’s privacy watchdog and could be exempt entirely from privacy laws if they are handed over to the Australian Crime Commission under proposed laws. The information commissioner, Timothy Pilgrim, has warned in a Senate inquiry submission that if a proposed bill to merge Crimtrac’s functions into the Australian Crime Commission is passed the data held by CrimTrac will no longer be subject to Australia’s privacy laws. The federal government has put forward bills that would see the secretive Australian Crime Commission, which has the power to conduct coercive interviews, essentially take over the functions of CrimTrac and other agencies. CrimTrac is the national policing organisation that holds major databases surrounding firearms, domestic violence, child offenders and missing persons. It also assists in the collection of biometric data for the immigration department. As a result it holds large quantities of personal information on millions of Australians. The agency will continue to be overseen by the commonwealth ombudsman and the Australian Commission for Law Enforcement and Integrity. But Pilgrim said the “scope of that oversight differs” from the specific privacy related oversight of the Office of the Australian Information Commissioner. [The Guardian]

Location

UK – Unmasking Banksy: Did ‘Predictive Policing’ Tool Catch An Artist?

A geographic profiling tool, developed to find serial criminals and terrorists, may have helped unmask the mystery identity of Banksy. Researchers say they have identified the elusive artist – creator of million-dollar works of political graffiti – as Robin Gunningham, supporting a theory published by Daily Mail in 2008. Scientists at Queen Mary University of London used a statistical tool to map 140 locations of Banksy’s works around Bristol and London and compare them to the homes of possible candidates, they wrote in the Journal of Spatial Science. That led them to Mr. Gunningham. This mathematical method of analysis, known as criminal and geographic profiling, is often used by law enforcement to identify serial criminals. The idea behind the technique is that people tend to commit crimes close to where they live. The technique has also been used to trace breeding sites for malaria outbreaks or to locate the roosts of wild bats, and the researchers suggested that what helped find one graffiti artist could also help locate terrorists. “More broadly, these results support previous suggestions that analysis of minor terrorism-related acts (e.g., graffiti) could be used to help locate terrorist bases before more serious incidents occur,” they wrote in their abstract. Not everyone accepts that geographical profiling can accurately pinpoint perpetrators, though it’s used by several US police departments. Data-fueled analytics also called “predictive policing,” has drawn considerable critics, arguing that the method is discriminatory and often targets minorities. “What data are they using? How are they weighing variables? What values and biases are coded into them? writes the Guardian. “Even the companies that develop them can’t answer all those questions, and what they do know can’t be divulged because of trade secrets.” “Police departments are opening the way for corporations to have disproportionate influence over what policing means in society. Technologies are not just neutral tools, and they are not divorced from politics; they are designed with certain values and goals in mind.” [Source] See also: [The Crime You Have Not Yet Committed]

Online Privacy

WW – Researchers Translate Privacy Policies into Layman’s Terms

A team of Stanford University, Carnegie Mellon University and Fordham University researchers — during a two-year span — simplified more than 20,000 privacy policies from nearly 200 websites into a more approachable and user-friendly form for their Usable Privacy Project . “Our objective is to produce succinct yet informative summaries that can be included in browser plug-ins or interactively conveyed to users by privacy assistants that inform users about salient privacy practices,” said Carnegie Mellon’s “principal investigator.” [SC Magazine]

WW – Google Agrees to Delist Links More Broadly For RTBF Compliance

Google will begin delisting links more broadly in order to better align with data protection authorities’ interpretation of the EU’s right-to-be forgotten mandate. Previously, the company said it wasn’t responsible for delisting links from Google.com and other non-EU search domains. Now, it will use geolocation data to “restrict access to delisted URLs on all Google search domains accessible from the country of the person making the delisting request,” the report states. Google Global Privacy Counsel Peter Fleischer said that, since the European Court’s ruling, the company has worked hard to find the right implementation balance. “Despite occasional disagreements, we’ve maintained a collaborative dialogue with data protection authorities throughout. We’re committed to continuing to work in this way,” he said. According to Fleischer, Google will apply its new policy retrospectively to all search results it has already delisted following RTBF requests. Google’s Transparency Report shows that the company so far has evaluated more than 1.4 million URLs for removal in response to nearly 399,000 RTBF requests. It has delisted about 43% of the links so far while leaving the remaining 57% in place. [eWEEK]

CA – Controversial Calgary-based App Peeple Launches

Curious about your kid’s soccer coach? Wondering what others think of that guy who asked you out? There’s an app for that. Sort of. The Calgary-conceived app Peeple, announced to a firestorm of controversy late last year, is finally launching Monday after retooling a number of features. Peeple will let users rate each other in three areas: personal, professional, and romantic. In a change from the original concept, reviews are only posted with the consent of the person being reviewed — that is, the service is opt-in and a user can hide their negative reviews. But a planned future paid subscription Cordray called the “truth license” — not available for Monday’s launch — will let users see all reviews, even hidden ones. [Calgary Herald] See also: [Fortney: Peeple app creator stands firm, in a bathroom] [and [‘You can’t possibly be that naive’: Dr. Phil delivers a folksy smackdown on Peeple app co-founder]

UK – ‘HAT’ trick: Service Allows Users to See and Trade Their Data

The Hub of all Things is a new service designed by U.K. researchers and aims to be the one-stop-shop for Internet users wanting to control who accesses their data and for how long. It’s a virtual personal data “store,” which allows users to see the data corporations store about them, then trade it, thus reaping the benefit of its value. Designers have launched an Indiegogo campaign to “mobilize a social movement to put the power of the Internet back into individual hands,” the report states. IOT data has “enormous value,” said HATDEX CEO Paul Tasker. “We believe that if all of us have our own HATs, we will have more power in the future to influence how our data is collected, stored and used; hugely benefitting ourselves and society whilst providing new opportunities to firms wanting to sell to us.” [ZDNet]

Other Jurisdictions

NZ – Privacy Commissioner Overwhelmed As Digital Generation Overshares

During a New South Wales parliamentary oversight committee meeting last week, Australian Privacy Commissioner Elizabeth Coombs argued to an oversight committee last week that expanding her role from part time to full time while increasing her office’s resources are necessary to expand the agency’s influence. “So much sharing of data was increasing the demand for her work,” the report states. It’s now “apparent that the digital generation cares about its privacy,” and as such Coombs “has welcomed the call for a significant expansion of her powers.” [The Sydney Morning Herald]

NZ – NSW Parliamentary Committee Backs New Privacy Laws for Individuals

The New South Wales Parliament’s Standing Committee on Law and Justice has announced its support of new legislation that would provide legal redress for individuals after a privacy breach. The laws would “fill gaps” left by the Commonwealth Privacy Act, as the legislation currently only applies to information and not small businesses or individuals, the report states. “The NSW committee has called on the state government to take a lead in the implementation of individualised privacy rules, in the face of ‘a lack of political will federally’ to put in place uniform national legislation,” the report continued. [iTnews]

NZ – NSW Pawnbrokers Association Criticizes MAC Address Requirement

New state laws require pawnbrokers to collect and store the MAC addresses of any Wi-Fi enabled tools that come through their stores. While police argue it will help track stolen devices, the NSW Pawnbrokers Association believes the requirements have “workability” and privacy problems, the report states. Customers are “averse to giving us that information if they don’t have to because they don’t want us to have access in that privacy sense,” said the association’s spokesman. “Some people don’t care — the computer is just a toy or a novelty item, but for others it’s a serious business tool … and they just don’t want people having unfettered access to that information.” [iTnews]

Privacy (US)

US – Apple Tells Judge that US Gov’t is Well-Meaning but Wrong in Privacy Fight

Apple filed its final court brief in the San Bernardino iPhone case. Apple softened its rhetoric against the Justice Department, which has been heated on both sides of the debate in the last few weeks. The 26-page brief is the last court filing by either side until they meet in court March 22. “The government’s motivations are understandable,” Apple wrote in its latest filing, “but its methods for achieving its objectives are contrary to the rule of law, the democratic process, and the rights of the American people.” According to the report, the Department of Justice said Apple was attempting to usurp power from the federal government, adding, “The Constitution and the laws of the United States do not vest that power in a single corporation.” [the Guardian]

US – Verizon Wireless to Pay $1.35 Million Fine to Settle U.S. Privacy Probe

Verizon will pay a $1.35 million fine and agreed to a three-year consent decree after the FCC said it found the company’s wireless unit violated the privacy of its users. Verizon Wireless agreed to get consumer consent before sending data about “supercookies” from its more than 100 million users, under a settlement. The largest U.S. mobile company inserted unique tracking codes in its users traffic for advertising purposes. Supercookies are unique, undeletable identifiers inserted into web traffic to identify customers in order to deliver targeted ads from Verizon and others. The FCC said Verizon Wireless failed to disclose the practice from late 2012 until 2014, violating a 2010 FCC regulation on Internet transparency. The FCC also said the supercookies overrode consumers privacy practices they had set on web browsers, which led some advocates to call it a “zombie cookie.” Under the agreement, consumers must opt in to allow their information to be shared outside Verizon Wireless, and have the right to “opt out” of sharing information with Verizon. Until March 2015, Verizon Wireless consumers could not opt out of the “supercookies,” but after several U.S. senators raised concerns about the practice, the company agreed to allow an opt-out. [Source]

WW – PWC Releases 2015 Enforcement Guide

PricewaterhouseCoopers has released its Privacy and Security Enforcement Tracker 2015. The second-annual guide aims to reflect on the past year’s most significant regulatory movements in the U.K. and across the globe. “If 2014 sounded an alarm to encourage the controllers and users of networks, computer and communications systems and [personnel] to review and improve their practices for privacy and security, then 2015 was the year when the final alarm was sounded,” the guide states. “The message of 2015 is clear: Entities that fail to take voluntary action to remedy bad practices will be forced to change.” [Source]

US – Erin Andrews Awarded $55M for Privacy Invasion

Sports reporter Erin Andrews was awarded $55 million in an invasion of privacy lawsuit. In 2008, a stalker had surreptitiously recorded the well-known reporter while she was getting dressed in her hotel room, thanks to knowledge supplied by the hotel. Though she had asked for $75 million in the lawsuit, the jury was clearly sending a message, recognizing a very real and lasting privacy harm. [Privacy Perspectives]

US – Drone Regulation Faces Committee Approval

The Senate Committee on Commerce, Science, and Transportation looks to approve legislation that would place drone regulation under the Federal Aviation Administration’s control. “Its key provisions would facilitate specific drone tests with set deadlines for progress reports and ensure that the FAA is involved at every step,” the report states. The bipartisan bill pleases drone industry representatives. “These policies will accelerate the safe use of commercial [unmanned aircraft systems] as well as expand collaborative research and operational efforts,” said the Association of Unmanned Vehicle Systems International’s Brian Wynne. “We urge the Senate to pass this bill quickly, as delaying this measure risks stunting a still-nascent industry and restricting many of the beneficial ways that businesses could use UAS technology.” [Morning Consult] See also: the smattering of state drone laws may conflict in with the drone policies of the Federal Aviation Administration

Security

US – Weak Online Banking Password Policies

An investigation revealed that out of these 17 major banks six of them have a significant weakness in their password policy – they ignore case-sensitivity. In total, this security weakness may impact more than 350 million customers nationally. The researchers attempted to contact the banks to inform them about this issue and tried to ask for a statement why they decided to pursue a weak password policy. It turned out that it is almost impossible to contact and notify them about a security issue. When contacted via telephone hotline, most representatives were only trained for everyday business activities. e.g.:

  • 1 org was adamant that they have a case-sensitive password policy, but testing showed otherwise
  • 1 org was not even aware of the existence of a security / IT-department
  • 1 org simply said that this is their policy without any further statement or explanation [Source]

CA – KPMG Report Identified Five Key Cybersecurity Trends

Increased risks of ransomware and extortion-driven attacks as well as the rise of the Internet of Things (IoT) are challenging Canadian organizations in new ways, according to a recent report from audit, tax and advisory services firm KPMG LLP, who have identified five key cybersecurity trends impacting Canadian businesses in its Cyber Watch Report, released last week. These security risks are putting heightened pressure on organizations to protect, detect and respond to new adversaries and threat tactics, while preserving their trust and reputation with customers. [Daily News]

US – University of California Breach Monitoring System Creates Controversy

After a 2015 cyberattack, University of California President and former Secretary of Homeland Security Janet Napolitano secretly ordered a data monitoring security system installed on all state campuses, a move that, when recently exposed, has started a statewide debate. The system “monitors Internet traffic [and] it also stores it for at least 30 days. The idea is to allow security personnel to go back through the traffic to look for breaches.” Both the monitoring system and the secretiveness surrounding it have sparked ire among students and faculty. “The very substance of higher learning really would not be possible unless the faculty and students have some guarantee of confidentiality,” said the American Association of State Colleges and Universities. [NPR]

WW – Windows 10 Will Add APT Protection

At the RSA conference in San Francisco, Microsoft revealed that it would be adding protection against advanced persistent threats (APTs) to Windows 10. The service, Windows Defender Advanced Threat Protection, detects anomalous system activity. It is currently in private beta on about 500,000 systems. [NextGov] [ArsTechnica]

Surveillance

US – FBI Quietly Changes Privacy Rules for Accessing NSA Data

The FBI has quietly revised its privacy rules for searching data involving Americans’ international communications that was collected by the NSA, US officials have confirmed. The classified revisions were accepted by the secret US court that governs surveillance, during its annual recertification of the agencies’ broad surveillance powers. The new rules affect a set of powers colloquially known as Section 702, the portion of the law that authorizes the NSA’s sweeping “Prism” program to collect internet data. Section 702 falls under the Foreign Intelligence Surveillance Act (FISA), and is a provision set to expire later this year. A government civil liberties watchdog, the Privacy and Civil Liberties Oversight Group (PCLOB), alluded to the change in its recent overview of ongoing surveillance practices. The watchdog confirmed in a 2014 report that the FBI is allowed direct access to the NSA’s massive collections of international emails, texts and phone calls – which often include Americans on one end of the conversation. The activists also expressed concern that the FBI’s “minimization” rules, for removing or limiting sensitive data that could identify Americans, did not reflect the bureau’s easy access to the NSA’s collected international communications. FBI officials can search through the data, using Americans’ identifying information, for what PCLOB called “routine” queries unrelated to national security. The oversight group recommended more safeguards around “the FBI’s use and dissemination of Section 702 data in connection with non-foreign intelligence criminal matters”. As of 2014, the FBI was not even required to make note of when it searched the metadata, which includes the “to” or “from” lines of an email. Nor does it record how many of its data searches involve Americans’ identifying details – a practice that apparently continued through 2015, based on documents released last February. The PCLOB called such searches “substantial”, since the FBI keeps NSA-collected data with the information it acquires through more traditional means, such as individualized warrants. But the PCLOB’s new compliance report, released last month, found that the administration has submitted “revised FBI minimization procedures“ that address at least some of the group’s concerns about “many” FBI agents who use NSA-gathered data. “Changes have been implemented based on PCLOB recommendations, but we cannot comment further due to classification,” said Christopher Allen, a spokesman for the FBI. [The Guardian]

US – Court Approves $9 Million Class Action Settlement to Resolve Allegations of Unauthorized Installation of Tracking Software on Mobile Devices

The Court approved a class action settlement resolving allegations that multiple smartphone and tablet makers installed wiretapping software on their devices. Defendants are the following mobile device manufacturers: HTC; Huawei, LG Electronics, Motorola; Pantech, and Samsung. Net proceeds of the settlement will be awarded equally to class members (after payment of service awards, attorneys’ fees, costs and expense, taxes, and the costs of notice and administration of the settlement); a website must be established to provide class members with notice of the material terms of the settlement, procedures to receive benefits or exclude themselves, and how to provide comments about the settlement. [In Re Carrier IQ Inc. Consumer Privacy Litigation – US District Court Northern District of California – Case No. C-12-md-2330-EMC]

Telecom / TV

US – FCC Proposes New Privacy Rules for ISPs

Federal Communications Commission Chairman Tom Wheeler announced the agency’s highly anticipated proposal for new privacy rules for Internet service providers Thursday. Though the agency did not release the actual proposal, Wheeler described the main points of it — which centered around choice, security and transparency — and offered a three-page fact sheet. Not everyone supports this big move by the agency, however. [Source] See also: [How the FCC’s Privacy Proposal Could Affect More Than ISPs] [U.S. FCC Internet privacy proposal could harm broadband providers – Moody’s] [Wheeler: ‘Customers ought to have a say’]

US Government Programs

US – DHS Cyber Threat Sharing Program Review Shows Privacy Risks

A Department of Homeland Security review has revealed that an information-sharing program required under the Cybersecurity Information Sharing Act, passed in December, has privacy protection issues. According to the DHS report, safeguards put in place to prevent personally identifiable information may not be working. There is “residual privacy risk that these processes may not always identify and remove unrelated [personal information], thereby disseminating more [information] than is directly related to the cybersecurity threat,” DHS wrote. Under CISA, any PII shared through the program must be directly related to a cybersecurity threat, the report states. [Source]

US Legislation

US – Colorado May Ease Student Health Privacy Rules in Response to Shootings

A bipartisan Colorado bill aims to grant private therapists and counselors more legal latitude to communicate with school officials when a patient’s behavior could result in “a dangerous environment in a school,” a move that has some mental health workers concerned about its privacy impact. While the bill emphasizes the confidentiality of disclosure practices, some argue it might not be enough. “The main concern is that confidentiality is the backbone of successful therapy and treatment,” argued Mental Health America of Colorado’s Moe Keller, also a former legislator. “You have to be able to trust the person you’re talking to.” The bill passed in the state’s House of Representatives and is posed for a Senate vote. [The Wall Street Journal]

Workplace Privacy

EU – Netherlands: Companies Should Not Track Workers Through Wearables

Dutch Companies may not use wearables to monitor the health of their employees, even if the employees permission controls. This is in breach of the Data Protection Act. That the Authority Personal (AP) determined after investigation of two companies that used wearables to gain insight into the amount of movement of workers. One of the two employers also had insight into the sleep pattern of the employees. The employees of the companies were free to decide whether or not to participate in the experiment. According to the AP, there is an employment relationship, however, no question of free consent, because the employee financially dependent on the company. [Source] [(Original – in Dutch] [Google translation]

US – Approved Bill Deals with Internet Privacy At Work

A bill preventing employers from accessing their employees’ social media accounts passed the legislature on the final day of the 60-day regular session. Del. Stephen Skinner (D-Jefferson) sponsored the Internet Privacy Protection Act (HB 4364) to establish guidelines when it comes to employees’ online privacy. The legislation would prevent employers from obtaining social media passwords from their employees and also help employers, according to Skinner. There are currently no federal laws in place regarding social media privacy at work, Skinner said. [Source]

+++

 

 

01-07 March 2016

Canada

CA – OIPC SK Finds Health Authority Allowed Technologists to Work Under Each Other’s Log-Ins

The Saskatchewan Information and Privacy Commissioner investigated a breach at the Saskatoon Regional Health Authority. It took 3-5 minutes for technologists to log-in and out of the system between patients which was too time-consuming; a number of solutions are being explored including providing each user with their own workstations (this would be very expensive and there is limited physical space), going paperless (there is still heavy reliance on paper requisitions and communications that require scanning), and having an assistant do all the scanning (this could compromise patient safety). [OIPC SK – Investigation Report 176-2015 – Saskatoon Regional Health Authority] See also: [Regina Leader: Saskatchewan Patient Access to Online Health Records Requires Big Focus on Security]

CA – OPC NS Outlines Privacy Rights for Government Info Sharing Initiatives

The Nova Scotia Information and Privacy Commissioner has released guidance on privacy rights in information sharing initiatives. Government entities should be open and transparent about how information sharing initiatives will be implemented, share the least amount of information needed to satisfy the goals of the initiative, and be accountable by implementing initiatives that establish and follow policies and procedures, risk assessment tools, formal agreements and contracts, and privacy breach reporting protocols. [OIPC NS – Protecting and Promoting Canadians Privacy and Access Rights in Information Sharing Initiatives] See also: Privacy Commissioner of Canada Daniel Therrien addressed the Senate and detailed his privacy goals in a keynote posted on the OPC’s site.

Consumer

WW – Billboards Can Track Your Location; Privacy Advocates Hate It

The next time you see a billboard on the side of the road, it may also be scanning you. A geolocation-tracking feature on billboards owned by Clear Channel Outdoor gives the company new ways to target advertising and measure its effectiveness. The service has caught the eye of privacy advocates, who worry that the so-called Radar tracker will be able to collect massive amounts of information from smartphones in cars driving past. Radar will collect mobile data from three Clear Channel partners, including AT&T. Clear Channel Outdoor receives aggregated and anonymous data from its partners, not personal information, said the VP of corporate communications at the company. The company launched the service in 11 markets earlier this week. [Source] See also: [Hey, Siri and Alexa: Let’s talk privacy practices]

Electronic Records

US – Healthcare Organizations Commit to Improve EHR Information Sharing

Several of the nation’s largest players in the private sector have committed to an initiative to improve the ability of providers and patients to share and use information in electronic health records. The effort has gained support from some of the nation’s largest developers of electronic health records systems, representing 90% of the health records used by U.S. hospitals, said the secretary of the Department of Health and Human Services . And the five largest private provider systems in the country are among a group of 16 hospital and health systems that have also indicated support for the initiative. Several large industry professional organizations—including the American Medical Association, the American Health Information Management Association, HIMSS and the College of Healthcare Information Management Executives—were quick to add support for the movement. The vendors and providers have agreed to implement three core commitments: Consumer access: To help consumers easily and securely access their electronic health information, direct it to any desired location, learn how their information can be shared and used, and be assured that this information will be effectively and safely used to benefit their health and that of their community. No information blocking: To help providers share individuals’ health information for care with other providers and their patients whenever permitted by law, and not block electronic health information (defined as knowingly and unreasonably interfering with information sharing). Standards: Implement federally recognized, national interoperability standards, policies, guidance, and practices for electronic health information and adopt best practices including those related to privacy and security. [Information Management]

Encryption

US – Why N.Y. judge’s All Writs Act Decision Is Huge Win for Apple

U.S. Magistrate Judge James Orenstein of Brooklyn does not have the power to bind other courts. The 50-page opinion he issued this week, denying the Justice Department’s application for an order under the All Writs Act to compel Apple to help the government unlock the phone of a convicted drug dealer, will not end the California federal-court showdown between Apple and the Justice Department over an iPhone belonging to San Bernardino shooter Syed Farook. Judge Orenstein’s decision isn’t even the last word in the Brooklyn case – the Justice Department said that it will ask for the order to be overturned by a district court judge. But Orenstein’s opinion is a milestone in the ongoing debate over privacy and national security. He is the first federal judge to analyze the reach of the All Writs Act in the age of the smartphone, yet he roots his discussion not in technological terms but in fundamental U.S. constitutional principles. Orenstein’s conclusions do not rely on the specific facts of the case before him or on the particulars of the operating system at issue. They are based on his reading of constitutional and Congressional history, providing broad context for his assertion of government overreaching. Judges considering contested All Writs Act requests in other courts may differ with Orenstein but they ought not ignore him. [Source] [Apple and FBI testify in hearing on locked iPhone: What we learned] [Apple’s Tim Cook defends privacy at shareholder meeting]

EU Developments

EU – EU-US Officials Release Privacy Shield Details

The European Commission and U.S. Department of Commerce have released details about the highly anticipated EU-U.S. Privacy Shield arrangement this week. The 132-page Privacy Shield Package includes a set of “Privacy Shield Principles,” two annexes, and letters from the International Trade Administration, U.S. Federal Trade Commission, U.S. Department of Transportation, the U.S. Director of National Intelligence, U.S. Department of State, and the U.S. Department of Justice. The proposed data transfer agreement is being met with criticism from privacy advocates, leaving US companies in limbo regarding the handling of EU citizens’ data. Privacy Shield was created as a replacement for the Safe Harbor Agreement, which the European Court of Justice nullified last October. Privacy Shield now faces scrutiny of EU regulators. [Ars Technica] [The Hill] [ComputerWorld] [Fortune] [The Privacy Advisor]

EU – WP29 Issues Statement on Privacy Shield

The group of EU data protection authorities — the Article 29 Working Party — issued a statement this week in response to the newly published details of the proposed EU-U.S. Privacy Shield arrangement. The group says it “welcomes the publication of the draft ‘adequacy decision’ of the European Commission” and the corresponding texts comprising the arrangement. It also said it will “analyze the safeguards” both in terms of the commercial and national security aspects and will finalize a draft opinion at its next plenary meeting on April 12 and 13. Meanwhile, reaction to the 132-page package is underway, including from Schleswig-Holstein DPA Marit Hansen. [Source]

UK – Techs, Privacy Wonks & Politicos Blast Investigatory Powers Bill

A tweaked version of the Investigatory Powers Bill—which seeks to augment surveillance of Brits’ online activity—landed with a thud in parliament this week, as privacy groups, the tech world, and politicians lined up to attack home secretary Theresa May’s proposed law. Time and time again, the word “disappointment” was bandied around by companies, organisations, and individuals that will be directly affected by the planned legislation. Many critics expressed anger about May’s dismissive response to the key recommendations laid out in three separate parliamentary reports about the Snoopers’ Charter, as it is colloquially known. [Ars Technica] [Everything you need to know about the redrafted IP Bill] [According to opinion polls voters don’t mind mass surveillance] [UK: Surveillance law: Revised bill to add privacy safeguards] [The UK government has been hacking for years—and now it’s legal]

EU – Facebook Hit With German Antitrust Investigation Over User Terms

Germany’s Federal Cartel Office will begin an investigation on Facebook’s data collection and advertising agreements. The unclear terms create “an abusive imposition of unfair conditions on users,” the Bundeskartellamt argued in a statement. “There is considerable doubt as to the admissibility of this procedure, in particular under applicable national data protection law,” the statement continued. “If there is a connection between such an infringement and market dominance, this could also constitute an abusive practice under competition law.” Facebook disagrees. “We are confident that we comply with the law and we look forward to working with the Federal Cartel Office to answer their questions.” [Fortune]

EU – German Privacy Watchdog Plans to Fine US Companies

Hamburg (Germany) Data Protection Authority (DPA) plans to fine three US companies for mishandling EU citizens’ data. The companies were following the Safe Harbor agreement that an EU court nullified last fall. Because there is not a firm new agreement in place, companies that are transferring data are breaking the law. Two other companies are reportedly under investigation. [Fortune] See also: Germany’s new data protection enforcement law went live on Feb. 24, and it could pose “an additional risk” for companies. See also: French data protection authority, CNIL, published its Single Authorization Decision No. 46, which aims to simplify the “administration burden” of legal compliance upon data processing.

Facts & Stats

WW – National Security Trumps Digital Privacy: 24 Country Survey

According to a new survey commissioned by the Centre for International Governance Innovation (CIGI) and conducted by global research company Ipsos, most global citizens favour enabling law enforcement to access private online conversations if they have valid national security reasons to do so, or if they are investigating an individual suspected of committing a crime. The survey also found that a majority of respondents do not want companies to develop technologies that would undermine law enforcement’s ability to access much needed data.

  • Seven in ten (70%) global citizens agree that law enforcement agencies should have a right to access the content of their citizens’ online communications for valid national security reasons, including 69% of Americans and 65% of Canadians who agree.
  • When someone is suspected of a crime, 85% of global citizens agree that governments should be able to find out who their suspects communicated with online, including 80% of Americans who agree.
  • More contentious is the idea of whether companies should be allowed to develop technologies that prevent law enforcement from accessing the content of an individual’s online conversations. On this issue, 63% agree that companies should not develop this technology, including 60% of Americans, and 57% of Canadians whom are most likely to agree with this statement.

Read the news release here. [Centre for International Governance Innovation (CIGI)]

Finance

CA – CRA Automates Most of Your Return, Helping Tax Software

Electronic tax filing is getting easier this year with Auto-fill, a CRA service that enters information for taxpayers using most kinds of certified tax software. The CRA has always had copies of most of the forms about each taxpayer, receiving them from banks and employers before you do. Last year it began a pilot program with the service it calls Auto-fill that allowed chartered accountants and other certified tax professionals to have this data entered onto a personal tax form automatically. This year that program rolls out to everyone. As long as you are filing on a software program that offers the option and have a “MyAccount” file with the CRA, the Auto-fill function will work. Groups such as Open Media and the Canadian Civil Liberties Association say Auto-fill is too new to assess the privacy implications. The CRA insists the Auto-fill function is secure, as information is only available if a taxpayer logs into MyAccount, which requires a robust password. Ann Cavoukian, a former privacy commissioner, said it is right to worry about privacy and security whenever a new feature like this is rolled out. [Source]

WW – Google’s New Payments App Means Never Having to Pull Out Your Wallet

Pay with your voice. Google has released to the public a new app called Hands Free, which lets people pay for items in stores by simply telling the cashier, “I’ll pay with Google.” The app, available for Android and Apple phones, is only being piloted in a few locations in the San Francisco area, including some McDonald’s and Papa John’s restaurants.Hands Free, which is separate from Google’s Android Pay mobile payments app, works by tracking your location using Wi-Fi and other sensors in your smartphone to detect whether you’re near a participating store. After you say “I’ll pay with Google,” the cashier confirms your identity by using your initials and the photo you’ve loaded onto the Hands Free app. At some stores, Google is also experimenting with an in-store camera to verify your identity automatically based on your Hands Free profile picture. Google said images and data from these cameras are deleted immediately and can’t be accessed by the stores. [Source]

FOI

CA – OIPC BC Upholds City’s Decision to Withhold Records

The Office of the BC Information and Privacy Commissioner reviewed a decision by the City of Nanaimo to deny access to records requested pursuant to the Freedom of Information and Protection of Privacy Act. The City was ordered to continue to withhold records which could reveal a motion made at an in camera Committee, emails exchanged between the City and regional district containing explicit markers of confidentiality, and assessment and evaluation records of how a City employee performed his job duties. [OIPC BC – Order F16-03 – City of Nanaimo]

Genetics

US – Obama Says People Who Give Genetic Samples for Research Should Own the Data

During last week’s summit on the Precision Medicine Initiative at the White House, President Barack Obama acknowledged the thorny issues surrounding genetic data ownership, a move some view as unprecedented. “It requires, first of all, us understanding who owns the data,” Obama said. “And I would like to think that if somebody does a test on me or my genes, that that’s mine. But that’s not always how we define these issues, right? So there’s some legal issues involved,” he added. “I had not heard this before from the president or anyone high-up at the White House, said Genetic Alliance’s Sharon Terry. [Slate] See also: [Manitoba DNA sweeps pose wrenching ethical questions: Carol Goar]

Health / Medical

US – Health IT Firms Ally with White House on Initiatives

The Obama administration announced that it has received commitments from various health IT developers to assist the president’s health care modernization initiatives. Among the proposed plans are allowing patients to access their records and test results with greater ease; streamlining data sharing between entities, while ensuring adherence to privacy legislation: and making the “data language” between groups universal, the report states. “We are working to unlock healthcare data and information so that providers are better informed and patients and families can access their healthcare information, making them empowered, active participants in their own care,” said Health and Human Services Secretary Sylvia Burwell. [The Hill]

EU – German Hospitals Hit with Ransomware

Computer systems at two hospitals in Germany were infected with ransomware. The cleanup process is expected to take several weeks. At Lukas Hospital in Neuss, the attack affected an x-ray system, an email server, and other network components. At Klinikum Arnsberg in North Rhine-Westphalia, the attack was detected after it infected one server. There are reports that a third hospital was targeted as well. [ZDNet] [The Register] [SCMagazine] [DW.com] See also: [The “HawkEye” attack: how cybercrooks target small businesses for big money]

UK – NHS Suffers 105 Security Breaches Over Personal Data in Year

Security breaches over personal data held by the NHS nearly doubled to more than 100 during the last financial year. Figures obtained under the Freedom of Information Act show that there were 105 such breaches in hospitals and other bodies in the National Health Service in the financial year 2014-15. This was an increase of 81% on the previous year, with 58 security breaches over personal data. The UK Information Commissioner’s Office said that action was taken to prevent repetitions, including six “enforcement notices” against NHS bodies in 2014-15. [ExaroNews]

Horror Stories

US – IRS Breach Now Estimated to Affect 724,000 People

The number of people affected by the US Internal Revenue Service (IRS) data breach keeps growing. The agency now estimates that the personal information of as many as 724,000 people has been stolen since January 2014. When the breach was first disclosed, the IRS estimated that it affected roughly 100,000 people; that figure was revised to 334,000 on August 2015. [NextGov] [NBCNews] [The Hill] [ComputerWorld] [The Register] [Krebs on Security]

WW – Companies Underestimating Breaches’ ‘Human Element’: Study

The breach catalyzed by a Snapchat employee who fell for a phishing scam is symptomatic of many companies’ data security problems. “Even if your technical security is up to snuff, your people may let you down.” A 2015 CompTIA survey found that more than half of security breaches that year were caused by human error, with 30% of respondents considering the “human element” to be a significant cybersecurity concern. The survey “suggests that companies may not be doing enough to prepare their workers for a world where a new scam might be in their inbox everyday.” [Washington Post] See also: [Hackers Can Steal Passwords, But Not User Behavior: In almost every publicized breach, security analysts ignored the crucial alerts due to the copious amounts of false alarms triggered on a daily basis]

Identity Issues

CA – Manitoba’s Multi-use PID Cards: Convenience Trumps Privacy

On January 11, 2016, Manitoba announced its approval of an all-in-one personal identification card (PIC). The PIC will offer Manitobans a combined driver’s licence, photo ID, Personal Health Identification Number (PHIN) and travel document as early as fall 2017. While the consolidation of identification into one location is a blessing for consumers, it raises privacy concerns and creates some challenges for business. BC introduced a similar combined card in February 2013. But unlike BC, where the province was criticized for not consulting the public, Manitoba Health Minister Sharon Blady emphasized that the move towards PICs came after a five-week public consultation process where overwhelmingly positive responses were reported. 80% of Manitobans surveyed said they agreed with the idea of creating an all-in-one PIC. However, a closer look at Manitoba’s full consultation report reveals interesting data on why PICs were supported. For example, when asked what the most important benefits of the proposed PICs were, 73% of respondents indicated convenience while only 18% cited enhanced protection. Similarly, in an online survey of 1,515 Manitobans, 71% rated convenience as the top benefit while only 16% indicated protection of identity theft/fraud. Public sentiment towards the convenience of PICs illustrates how privacy concerns, which trumped proposals for a national identity card in 2002, could be overlooked in today’s digital age. As a recent survey by the Pew Research Centre demonstrates, people are consistently willing to share personal information in exchange for something of perceived value. For example, 52% of respondents in the Pew survey said they would allow their doctor’s office to upload their personal health information onto a website described as “secure” if it made scheduling appointments easier and facilitated easy access to medical records. [CyberLex Blog (McCarthy Tétrault)]

CA – Inadvertent Sharing of Canadians’ Metadata by Intelligence Agency Shows Weaknesses of De-Identification

Two lawyers examine the sharing of intelligence data between the Five Eyes allies. The agency’s de-identification techniques failed when mixed with its allies’ re-identification capabilities; the risk of re-identification increases significantly where a data set includes data such as location-based data, IP addresses or cookies, or where the attack vector includes significant amounts of secondary data that can be linked to the de-identified dataset. [Why We Need to Reevaluate How We Share Intelligence Data With Allies – Tamir Israel and Christopher Parsons, Just Security]

Internet / WWW

WW – New Project Monitors Social Media for Signs of Mental Illness

Canadian and French researchers are working on algorithm to screen online posts for warning signs. $464,100 has been granted to the University of Ottawa for a three-year-long project called “social web mining and sentiment analysis for mental illness detection.”   “Social media is everywhere,” reads a news release issued by the university. “Internet users are posting, blogging and tweeting about almost everything, including their moods, activities and social interactions.”    The release goes on to explain how scientists from the universities of Ottawa, Alberta and Montpellier in France, will explore the use of social media data in screening for individuals at risk of mental health issues. [CBC]

Law Enforcement

CA – Saskatchewan Police Don’t Have or Want Stingray Tech

Municipal police agencies in Saskatchewan say they’re currently not using — and have no plans to use — “stingray” technology employed by other law enforcement agencies for tracking cellular devices. The technology has come under criticism south of the border from the ACLU; about 60 police agencies across 23 states and the DC in the U.S. have been reported to use the devices. According to a 2015 report from the ACLU, “stingrays,” also known as cell site simulators, are considered “invasive cellphone surveillance devices that mimic cellphone towers and send out signals to trick cellphones in the area into transmitting their locations and identifying information.” Brenda McPhail, director of the Canadian Civil Liberties Association’s privacy, technology and surveillance project, said stingray technology is on the rights advocacy group’s radar. She said requests for information on the devices within the Vancouver Police Department by Vancouver-based advocacy organization Pivot Legal Society, and of the RCMP and the Ontario Provincial Police by the Toronto Star in 2015, have gone largely unanswered. However, McPhail said chances are slim the device is nowhere to be found in Canada. [Saskatoon StarPhoenix] See also: [StingRays breach cell phone privacy]

US – Maryland Bill Permits Govt Use of Automatic License Plate Reader Systems

The State of Maryland has introduced a Bill related to the use of Automated License Plate Readers by law enforcement. Law enforcement agencies are not permitted to use captured data from an automated license plate reader unless the agency has a legitimate law enforcement purposes; the Department of State Police must adopt procedures including an audit process to ensure that information obtained through the use of an automatic license plate reader system is used only for legitimate law enforcement purposes, and safeguards to ensure that staff with access to the automatic license plate reader database are adequately screened and trained. [Maryland Public Safety Code 3-509 – License Plate Readers]

CA – MPPAC: RCMP Commissioner Should Resign Over Breach

The Mounted Police Professional Association of Canada (MPPAC) is calling for the resignation of the RCMP Commissioner Bob Paulson, following an investigation from the Office of the Privacy Commissioner of Canada which found that the release of RCMP members medical information was a “well-founded serious privacy breach.” Commissioner Paulson admitted that he authorized the investigation. Just this week Commissioner Paulson admitted to authorizing the release of sensitive health information of RCMP officers to the College of Psychologists without their permission. Canada’s Privacy Commissioner concluded that by sharing private medical information without the consent of the officers, the RCMP breached the Privacy Act. If the Commissioner does not resign, MPPAC is calling on the Government of Canada to take appropriate action. [Canada NewsWire]

Online Privacy

WW – Protect Your Privacy Online—and See Better Prices Doing It

The prices you see while shopping on the Web are aren’t always the same as the deals displayed to your spouse, neighbors or co-workers. But now, at least one technology company is helping customers see the unadulterated costs of their online purchases. eBlocker is a device that attaches to customers’ Wi-Fi routers to mask their identity from online tracking software. eBlocker protects every device in your home by combining the power of an advertising blocker, an IP address rerouter and by protecting you from being identified by third-party trackers. In other words, when you get online, you get a clean slate as if you’ve never used that device before. You can still use first-party cookies, like those that remember your passwords, but once you leave that website, you’re anonymous again. It’s like a combination of encryption, Adblock Plus and Tor, a so-called onion router often associated with the “dark Web.” But eBlocker avoids the hassle of installing all these on each device. It’s all part of an elaborate industry aimed at stopping a largely opaque phenomenon of online tracking: dynamic pricing. [CNBC]

Other Jurisdictions

AU – NSW May Introduce Tort/Law of Invasions of Privacy

Secret mobile phone recordings and revenge porn-style social media posts could be subject to tough new laws in NSW allowing people to sue for damages for invasion of privacy. The State Parliament’s law and justice committee recommended that NSW should “lead the way” in Australia in creating a new legal action for serious invasions of privacy. The laws could be replicated across the country. Under the plan, a person could sue for damages if their privacy had been invaded intentionally or recklessly. Governments and corporations would be held to a higher standard, and could also be pursued for damages over “big data”-style privacy breaches committed negligently. But experts have raised questions about whether the laws go too far, and might catch a wide range of “common human errors” such as government or corporate employees sending an email containing private information to the wrong recipient. The recommendations, endorsed unanimously by committee members drawn from the ranks of the Coalition, Labor and the Greens, follow renewed debate about the adequacy of existing laws protecting against invasions of privacy. [Sydney Morning Herald]

Privacy (US)

US – Apple Wins Ruling in New York iPhone Hacking Order

U.S. Magistrate Judge James Orenstein denied a government request that Apple help it gather data from an iPhone in a drug case, a ruling that bolsters Apple’s pro-privacy posture and potentially paves the way for similar judgments in other pending cases, including the iPhone of one of the San Bernardino shooters. Orenstein ruled the government was expanding its authority too broadly by using the All Writs Act to compel Apple to extract the locked phone’s data. Apple’s top lawyer, Bruce Sewell will testify in front of Congress today, along with FBI Director James Comey, on encryption and government access for law enforcement purposes. Meanwhile, Sen. Mark Warner, D-Va., and Rep. Michael McCaul, R-Texas, have officially introduced legislation that would create a National Commission on Security and Technology Challenges to help find solutions to the encryption and data security issue. [New York Times] See also: [Privacy groups wary of compromise encryption bill]

US – NY Court Rejects FBI Argument for Breaking iPhone Lockscreen in 2nd Case

Apple just won a victory in an iPhone warrant case although it may not help the company in its San Bernardino trial. The victory comes from a New York district court that’s been facing something legally similar to the higher-profile warrant case playing out in San Bernardino. In a 50-page ruling, Magistrate Judge Orenstein found that the All Writs Act did not justify the government’s request, and denied the government’s request to legally compel Apple’s help. [The Verge] See also: [Huge data cache retrieved from electronic devices belonging to men accused of Tim Bosma murder: OPP]

US – Legislators Speak Out in Support of Apple

Representative Darrell Issa (R-California) has published a column on Wired.com in which he writes, “The FBI cannot mandate that Apple create a backdoor to override the iPhone’s encryption features without creating a dangerous precedent that could cast a long shadow over the future of how we use our phones, laptops, and the internet for years to come.” [Wired] In a letter to FBI Director James Comey, US Congressman Ted Lieu (D-California) writes, “As a computer science major, I have seen far-reaching unintended consequences when government applies outmoded concepts to out fast changing technological world.” [FCW] As the debate surrounding the FBI’s case against Apple continues, two U.S. lawmakers have proposed a new multi-stakeholder commission to investigate data security issues.

US – Digital Equilibrium Project on Privacy and Security in the Connected World

The Digital Equilibrium Project, a collection of privacy and infosecurity veterans from government and industry have launched a white paper to define the issue and announce plans for a summit this summer to tackle what they describe as the “growing tension between privacy and security.” This paper is meant to foster a new, collaborative discussion on the most pressing questions that could determine the future safety and social value of the internet and the digital technologies that depend on it. It urges governments, corporations and privacy advocates to put aside the polarizing arguments that have cast security and privacy as opposing forces, posing 4 fundamental questions that must be addressed to ensure the digital world can evolve in ways that ensure individual privacy while enabling the productivity and commercial gains that can improve quality of life around the globe. Ann Cavoukian is among the authors. [Read Now]

US – California DMV Sued for Alleged Illegal Data Retention

Six plaintiffs maintain that California’s Department of Motor Vehicles breached the Information Practices Act and due process by unlawfully collecting and sharing private criminal records. The court papers, filed last week, argue that the agency has a trove of “upwards of one million” Californians’ data, a move that “violates privacy protections for certain records by retaining them after the statutory period has expired,” the report states. “California employers are aware that the DMV’s loose record retention and reporting practices allow them access to criminal history records they would otherwise be unable to obtain,” the suit states. “They take full advantage of this criminal record reporting loophole.” [Courthouse News]

Privacy Enhancing Technologies (PETs)

US – DHS Awards Yale University $1.7M for Data Privacy Research

Yale University’s “PriFi Networking” project now has $1.7 million from the Department of Homeland Security, a grant from the agency that aims to assist the university’s anti-tracking and surveillance technology development. The gift was thanks to the DHS Science and Technology Cyber Security Division’s Data Privacy program that invests in the creation of cost-effective and approachable pro-privacy tools. “Keeping the homeland secure depends on both guarding and granting access to secure systems, facilities, and other resources,” said DHS Undersecretary for Science and Technology Dr. Reginald Brothers. “Protecting Personally Identifiable Information is vital to the DHS mission and S&T has a long-standing interest in privacy-enhancing technologies.” [Newswise]

Security

US – IBM to Acquire Resilient Systems, Bringing Bruce Schneier on Board

Cybersecurity firm Resilient Systems and its Chief Technology Officer Bruce Schneier will become a part of the IBM family. “The acquisition will give IBM Security the industry’s first integrated end-to-end platform combining analytics, forensics, vulnerability management and incident response,” the report states. “The deal should be good for both companies, and will certainly benefit their respective customers.” [PCWorld]

US – CFPB Dives Into Data Security Enforcement

On March 2, 2016, the Consumer Financial Protection Bureau (CFPB) announced its first data security enforcement action in the form of a Consent Order with online payment platform Dwolla, Inc.  The five-year Consent Order is based on CFPB allegations that Dwolla engaged in deceptive acts and practices by misrepresenting to consumers that it had “reasonable and appropriate data security practices.”  Dwolla neither admitted nor denied that it engaged in data security misrepresentations.  The CFPB fined Dwolla $100,000, enjoined it from making further misrepresentations, and is requiring that it develop a written, comprehensive data security program, designate a person responsible for the program, provide employee training, conduct risk assessments, and undergo independent third party audits annually, among other things.  The CFPB also places primary responsibility for compliance with the Consent Order on Dwolla’s board of directors. [HLDA]

WW – Securing Data for Remote Access Users

Business requirements, distributed operations, and cloud deployments are forcing organizations to rethink remote access requirements, including how to secure the data and applications they access. According to a study conducted by software company Intuit, by 2020 more than 40% of the U.S. workforce will be contractors and contingent workers; that’s more than 60 million people. Why so? Because of the almost ubiquitous needs for organizations to share data in such a way that it speeds the flow of business transactions. The result is that most users are outside the enterprises, accessing data and applications as credentialed guests. And hence, the ‘outside-in’ network is the new normal. [Source]

Surveillance

US – California Courts Demand Total Access to Email and Social Media Accounts

The California Electronic Communications Privacy Act. Which took effect on Jan 1, 2016, has privacy advocates concerned that its “Fourth waiver” element railroads the privacy of individuals under probation or parole. This component of the act permits law enforcement to check the laptops or other devices of individuals on parole without a warrant. “Folks on parole, probation, even supervised release, they have a reduced expectation of privacy while they’re under supervision,” said the ACLU of California. “But that’s not the same as no right to privacy online or offline.” [The Intercept]

Telecom / TV

US – Cable/Telecom Operators Offer Up Privacy Framework to FCC

The National Cable & Telecommunications Association and American Cable Association have joined with other trade and tech groups to offer up what is being billed as a consensus privacy framework outlining guiding privacy principles. In essence, the framework is an articulation of NCTA’s argument that rather than come up with new rules and regs, the FCC should, as the new proposal says, “[pursue] reasonable enforcement actions against telecommunications service providers that have clearly violated these principles.” That is the FTC model. The FTC has enforcement authority but very limited authority to promulgate new regulations. The proposal, which was offered up in a letter to FCC chairman Tom Wheeler comes as the FCC prepares a proposal on how to oversee broadband sub privacy–a new authority under its Title II reclassification–as it currently does traditional video CPNI (customer network proprietary information). A vote on that proposal could come as early as this month’s public meeting. NCTA and ACA, joined by USTelecom, CTIA and the Competitive Carriers Association, said the FCC should focus on four things: “(1) transparency; (2) respect for context and consumer choice; (3) data security; and (4) data breach notification.” [Source] See also: [The 5 Things Every Privacy Lawyer Needs to Know about the FTC]

US – Publishing Group Calls on FCC to Regulate Broadband Data Use

As the Federal Communications Commission begins to draft privacy regulations for broadband providers, online publishing group Digital Content Next advised the FCC to ensure broadband companies both inform and empower their customers about the companies’ use of personal data. “In light of their access to sensitive information about consumers, we urge the FCC to require broadband providers to provide consumers with transparency and meaningful choice with regard to the collection and use of personal information,” DCN wrote in its letter to the FCC. “Consumers should have the ability to exercise choice via a mechanism that is easy to use, persistent and universal.” [MediaPost]

US – Swire Study: Encryption, Mobile Devices Curb ISP Knowledge

In a new report, Alston & Bird’s Peter Swire says that the employment of encryption and mobile devices has shrunk Internet service providers’ knowledge regarding their customers’ online habits. His study aims to counter advocacy groups’ “widely-held but mistaken view about Internet service providers and privacy,” he said, one that sees ISPs as entities collecting treasure troves of user data without consent. While staying away from definitive policy suggestions, Swire says overall, “public policy should be consistent and based on an up-to-date and accurate understanding of the facts of this ecosystem.” [MediaPost]

US Government Programs

US – TSA Defends Full-Body Scanners at Airport Checkpoints

Three years, more than 1,000 comments and multiple challenges by advocacy groups later, the TSA issued a rule finalizing its policy for using full-body scanners at airports. While TSA insists the machines are the best way to protect the nation’s travelers from terror attacks, critics challenge the use of devices over privacy and health concerns. The legal battle went all the way to an appeals court, which said TSA could keep the machines if it took legal steps to justify their use. In a 157-page report that summarizes arguments for and against the machines, and their hefty price tag — $2.1 billion from 2008 through 2017 — the agency said the devices provide “the most effective and least intrusive” way to search travelers for weapons hidden under their clothes. And with that, the agency finalized its regulation governing the machines. The rule won’t change anything for travelers. Even as the question wound its way through courts, TSA deployed the machines and now uses 793 full-body scanners at 157 airports. [Source]

US Legislation

US – Legislative Roundup

+++

 

 

Privacy News Highlights: 22-29 February 2016

Biometrics

CA – Mastercard to Bring ‘Selfie Pay’ to Canada This Summer

MasterCard will officially be rolling out its biometric payment service, MasterCard Identity Check – a smartphone app which allows users to verify purchases by taking a selfie instead of entering a password – to 14 countries, including Canada, this summer, the company announced this week according. The service, which MasterCard has tested in app form with nearly 1,000 consumers in the U.S. and Netherlands, requires users to provide a photo of their face when signing up, after which the service measures prominent facial “landmarks” and converts them into an algorithm that can be compared to future pictures. To avoid fooling the app with an existing picture, users must blink while snapping the photo to prove their humanity. Biometrics carry their own set of risks: many of us have posted our faces on multiple websites or had them picked up by surveillance cameras – and it’s difficult, for the average person to change their face. Other smartphone companies such as Apple and Samsung have incorporated biometrics technology including facial recognition and fingerprint scanning software into their devices, and hackers have proven themselves capable of bypassing them. Details regarding the Canadian version of Identity Check, which has already been colloquially dubbed “selfie pay,” are not yet available. [ITBusiness] [video explaining the technology]

Canada

CA – CSE Unlawful Sharing of Metadata Went on for Years

It’s impossible to know how many Canadians had their personal data shared by the country’s electronic spy agency in a metadata glitch, according to its watchdog. Jean-Pierre Plouffe, commissioner of the Communications Security Establishment (CSE), told a Senate committee Monday that data were erased from the agency’s system, making it difficult to find out the number of people impacted. A month ago, Plouffe tabled his annual report in the House of Commons, revealing for the first time that CSE illegally and unintentionally shared metadata with Canada’s Five Eyes intelligence allies: the United States, United Kingdom, Australia and New Zealand. That data may include Canadians’ personal information, including phone numbers or email addresses, but not the content of emails or recordings of phone calls.

“It’s not accidental,” Plouffe said in an interview about the CSE breaking the law. “It’s because of a lack of due diligence.” Metadata is information associated with communication that is used to identify, describe or route information. CSE is supposed to monitor only foreign communications for intelligence that may be of interest to Canada. [CBC] [Canadian electronic spy agency’s unlawful metadata sharing went on for years before being fixed] [Outrage over CSE metadata collection and blunders ‘Difficult to determine’ scope of privacy breach in Five Eyes data sharing ]

CA – CSIS Using New Powers to Disrupt Terrorists Since Bill C-51 Became Law

Powers to disrupt include blocking financial transactions, shutting down websites. The disruption powers allow CSIS to interfere with, telephone calls, travel plans and bank or financial transactions. The agency can also disrupt radical websites and Twitter accounts of groups or people inside and outside of Canada. This provision in the act has garnered criticism from the outset, because there is no clear definition of what “disrupt” means in the legislation, causing some to be concerned the power would be abused by police and intelligence services. [Source] [Canada: CSE can assist in ‘threat reduction’ without a warrant, documents show]

CA – PEI’s OIPC Finds Privacy Breaches by 5 Gov’t Agencies

P.E.I.’s Information and Privacy commissioner has ruled five different provincial government departments and agencies violated the privacy of someone who filed multiple applications under the Freedom of Information and Protection of Privacy Act by circulating his name, mailing address, telephone number, email address and signature with copies of his requests for information. After submitting applications for information from the various government agencies, the applicant filed a complaint with the commissioner, saying his personal information and details about his access requests were shared among them, and as a result, his requests were subjected to an “unequal, prejudicial and arbitrary process.” The privacy commissioner determined a meeting had taken place, but said there was insufficient evidence that “any public body improperly collected the complainant’s personal information” during the meeting. However, the commissioner concluded all five public bodies did violate the privacy of the applicant by circulating his name, mailing address, telephone number, email address and signature with copies of his requests for information. The commissioner said she believed the violation was inadvertent. The commissioner noted all public bodies have since been told to sever personal information from information request forms. The applicant also charged one of the agencies involved, the P.E.I. Liquor Control Commission, violated his privacy by compiling personal information from internet searches, including his photo, employment history and educational background. The commissioner agreed the information was collected, but determined that did not constitute a breach because it was publicly available, and it was gathered in order to respond to the applicant’s privacy complaint. [Source]

Other Ontario News

Consumer

US – Cognitive Dissonance in How Americans Value Privacy: Survey

How much do Americans really value their online privacy? According to study findings, a considerable majority of 63% of respondents experienced some sort of online security issues. But despite the frequency of these issues, just over half of them (56%) actually made permanent behavior changes to guard against their reoccurrence. 24% of respondents admitted to using unsecured public Wi-Fi, meaning that their data is effectively ripe for the picking, “quite often or all the time.” And despite the fact that 67% said they wanted extra layers of privacy, a very small percentage actually utilize available tools to this end. In fact, only 16% use privacy-enhancing browser plug-ins, just 13% use two-factor authentication, only 11% use a VPN, and just 4 percent use anonymity software. [Source]

E-Mail

CA – Legal Trends 2016: Anti-Spam

In each of the three instances in which the CRTC entered into an undertaking in 2015, the undertaking included a monetary payment (ranging from C$48,000 to C$200,000) and an agreement by the company to update and implement a compliance program that would (1) cover elements such as corporate compliance policies and procedures, training and education, monitoring, auditing, and reporting mechanisms, and (2) apply consistent disciplinary procedures. In one enforcement action, the CRTC took issue with the fact that a company was allegedly sending CEMs to email addresses without proof of consent for each recipient. [Mondaq]

Encryption

US – Apple Faces U.S. Demand to Unlock 9 More iPhones

The Justice Department is demanding Apple’s help in unlocking at least nine iPhones nationwide in addition to the phone used by one of the San Bernardino, Calif., attackers. The disclosure appears to buttress the company’s concerns that the dispute could pose a threat to encryption safeguards that goes well beyond the single California case. Apple is fighting the government’s demands in at least seven of the other nine cases. “Apple has not agreed to perform any services on the devices.”. Starting in December, Apple has in a number of cases objected to the Justice Department’s efforts to force its cooperation through a 1789 statute known as the All Writs Act, which says courts can require actions to comply with their orders. [The New York Times] [Apple, the FBI, and the All Writs Act] [The Lowdown on the Apple-FBI Showdown] [Apple calls for commission to discuss FBI’s iPhone unlocking demands]

Facts & Stats

WW – Gov’t Accounted for 43% of 2015 Breaches Worldwide

Digital security firm Gemalto this week released its latest Breach Level Index database report which revealed that 707 million records worldwide were compromised in 1,673 data breaches across the globe during 2015. That breaks down to a staggering 1,938,383 records lost every day, or 22 per second. Unsurprisingly, 1,222 of last year’s incidents occurred in the U.S., and Gemalto estimated 419.7 million records were compromised. Government agencies were hit the hardest in 2015 and comprised 43 percent of all recorded breaches, skyrocketing up a full 476% from the previous year. Unsurprisingly, incidents in the healthcare sector resulted in 134 million compromised records, a 217% jump from 2014. Quieting fears that attackers are mainly after financial information, the report shows that only 22% of incidents were designed to steal financial data. On the other hand, a full 53% were aimed at identity theft. “If security executives needed further evidence that identity theft is a still a serious problem,” said researchers. “This is it.” The report contained a wealth of information and tips aimed at security professionals, but records protection is obviously a concern for records managers as well, so it’s worth a quick read. [Source] [Gemalto’s Breach Live Index Report]

FOI

CA – PEI Province Must Turn Over Documents on E-Gaming Loan

The P.E.I. government has been ordered to release a document that outlines details of a $950,000 government loan that funded the province’s controversial e-gaming scheme. P.E.I. Privacy Commissioner Karen Rose delivered this ruling as a result of a FOI request by TC Media requesting details of this e-gaming loan. The province refused to disclose a one-page document that provides a breakdown of where and how the money from the e-gaming loan was to be spent. In her decision, Rose states the financial e-gaming document is not information that belongs to the Mi’kmaq Confederacy and is thus a public document. She also determined the information within this record was not supplied in confidence nor was there sufficient evidence provided that disclosing the information would significantly harm the confederacy’s competitive or negotiating position. However, she rejected TC Media’s assertion the information falls within the public interest, citing an interpretation that this argument can only be used if it is matter of “compelling public interest,” applying mainly to matters of health or safety and not to political issues. [Source]

CA – OIPC NS Find Jobs Forecast and Actual Jobs Report Can be Released

The Office of the Information and Privacy Commissioner in Nova Scotia reviewed a decision by the Nova Scotia Business, Inc. to refuse to disclose records pursuant to the Freedom of Information and Protection of Privacy Act. The public body successfully claimed that jobs information supplied by third parties applying for financing and rebates was provided in confidence (the proprietary information was submitted on the basis of it being held in the strictest of confidence), but did not establish that there was a reasonable expectation of harm if released (no evidence was provided that it would significantly harm the third party’s planned growth or rebate performance targets). [OIPC NS – Review Report 16-01 – Nova Scotia Business Inc.]

Genetics

CA – OPC Voices Support for Genetic Discrimination Bill, But Wants Changes

Daniel Therrien testified at the Senate human rights committee on Bill S-201, which aims to prevent discrimination against a person based on their genetic testing. He offered broad support to Senator James Cowan’s bill that would prevent unsanctioned access to a person’s genetic test results, but worried that changes it would make to federal privacy laws could cause unintended consequences in future court cases.

“It’s crucial individuals remain in control to their data,” he told the committee. Therrien spoke in favour a clause which would prohibit the collection or use of “the results of a genetic test of the individual without the individual’s written consent.” He said it creates a “good and balanced way to represent the wishes of those who wish to share their genetic test results and those who do not.” But Therrien recommended removing clauses that would add a definition for “personal information” into the Privacy Act by adding the wording “information derived from genetic testing of the individual.” [iPolitics]

Health / Medical

US – OCR Releases mHealth Guidance for App Developers

Following the launch of its mHealth Developer Portal last October, the HHS Office for Civil Rights (OCR) has released guidance clarifying how HIPAA applies to mobile health apps. Ensuring that developers understand their legal obligations is critical to protecting consumer privacy and security, especially now that there are more than 165,000 health apps available in the iTunes and Android app stores. A more clear understanding of how the rules apply can also help bring down barriers to innovation. The guidance, titled “Health App Use Scenarios& HIPAA,” builds on the mHealth Developer Portal, which serves as a platform for users to share difficult use cases and best practices. On the portal, developers can also submit questions to OCR that will inform future guidance releases. OCR announced the guidance with a statement that the agency hopes it will help developers determine “how federal regulations might apply to the products they are building” and reduce uncertainty. The guidance offers developers background information on HIPAA and then details various scenarios, identifying when an app developer is—and is not—acting as a business associate. [Source]

CA – Edmonton Health Worker Fined For Illegally Accessing Patient Information

An Edmonton health worker who admitted to illegally accessing the medical records of seven people has been fined $1,000. Denise Tourneur pleaded guilty Feb. 5 to the violations under the province’s Health Information Act. The Court heard the breaches occurred on 44 separate occasions between September 2011 and September 2013. The guilty plea is the fourth conviction under the Health Information Act since the legislation came into force in 2006. However, the amount of the fine is considerably lower than past penalties. [The Winnipeg Sun]

CA – OIPC AB Orders Public Body to Implement Safeguards to Protect Personal Health Information from Unauthorized Access and Disclosure

The OIPC AB reviewed the results of an investigation conducted by the Alberta Health Services (“public body”) into a potential breach of personal health information by a nurse (“Affiliate”). The policy that a public body had in place regarding the monitoring and auditing of IT resources establish the public body’s intent to protect unauthorized use or access; this policy remained in place when a nurse inappropriately accessed, used, and siclosed the personal health information of a patient; the public body must implement mechanisms to ensure that individual’s are in compliance with policies at all times and that patient health information is safeguarded. [OIPC AB – Order H2016-02 – Alberta Health Services]

Identity Issues

US – Secret Police? Virginia Considers Bill to Withhold All Officers’ Names.

It started with a reporter’s attempt to learn whether problem police officers were moving from department to department. It resulted in legislation that is again bringing national scrutiny to the Virginia General Assembly: a bill that could keep all Virginia police officers’ names secret. The Virginia Senate has already approved Senate Bill 552, which would classify the names of all police officers and fire marshals as “personnel records,” exempting them from mandatory disclosure under the state’s freedom of information law. In a climate where the actions of police nationwide are being watched as never before, supporters say the bill is needed to keep officers safe from people who may harass or harm them. But the effort has drawn the attention of civil rights groups and others who say police should be moving toward more transparency — not less — to ensure that troubled officers are found and removed. If it is made law, experts say the restriction would be unprecedented nationwide. [The Washington Post]

Law Enforcement

US – Fed Judge Limits 1st Amendment Right When Videorecording Cops

Court: No First Amendment right to videorecord police unless you are challenging the police at the time. In recent years, lower federal courts have generally held that the First Amendment protects a right to videorecord (and photograph) in public places, especially when one is recording public servants such as the police. Because recording events that you observe in public places is important to be able to speak effectively about what you observe, courts held, the First Amendment protects such recording. Some restrictions on such recording may be constitutional, but simply prohibiting the recording because the person is recording the police can’t be constitutional. This is the view of all the precedential federal appellate decisions that have considered the issue. [Watch: What you need to know about filming the police]. But Friday’s federal trial court decision in Fields v. City of Philadelphia takes a different, narrower approach: There is no constitutional right to videorecord police, the court says, when the act of recording is unaccompanied by “challenge or criticism” of the police conduct. Therefore, the court held, simply “photograph[ing] approximately twenty police officers standing outside a home hosting a party” and “carr[ying] a camera” to a public protest to videotape “interaction between police and civilians during civil disobedience or protests” wasn’t protected by the First Amendment. [Source]

Privacy (US)

US – Former Employee Deletes Data, Gets Prison Sentence

A US district judge in North Carolina has sentenced Nikhil Nilesh Shah to 30 months in prison for sabotaging his former employer’s servers. Shah was an IT manager at SmartOnline. He left that company in March 2012, and in June of that same year, he sent malicious code to his previous employer’s servers, deleting much of the company’s intellectual property. [The Register] [SCMagazine] [Justice.gov]

US – Asus Settles FTC Charges Over Unsecure Home Routers

Asus has agreed to the terms of a settlement with the US FTC regarding vulnerabilities in its home routers and cloud services. The FTC noted that Asus frequently “did not address security flaws in a timely manner and did not notify customers about the risks posed by the vulnerable routers.” The settlement calls for Asus to establish and maintain a comprehensive security program and to undergo audits every two years for the next 20 years. [FTC] [eWeek] [SCMagazine] [The Register] [ComputerWorld]

RFID / IoT

WW – Obama’s National Action Plan on Cybersecurity Addresses IoT

The White House’s national action plan on cybersecurity addresses concerns about the security of the Internet of Things (IoT). According to the plan, the US Department of Homeland Security (DHS) is working with Underwriters Laboratories to develop a cybersecurity assurance program that could evaluate IoT devices before they go to market. [NextGov]

CA – OPC Releases Research Paper on Internet of Things

The OPC released a research paper titled ‘The Internet of Things (IoT): An introduction to privacy issues with a focus on the retail and home environments’, which examines the key privacy challenges posed by the IoT, such as customer profiling, accountability, transparency, and information security. The Paper assesses whether the definitions of both consent and personal information, as included in the current privacy regulation, are suitable for a ‘fast-developing online environment’ as the IoT. The Paper also considers various technologies used by the retail industry to monitor consumer behaviours, such as wearables and smartphone apps, and to connect the devices among them, namely cellular, Wi-Fi, Bluetooth, Near Field, communication and Radio-Frequency Identification. The Paper does not offer specific guidance to them or propose any new regulatory measures.” [Source]

WW – Microsoft, Cisco, Intel and others Form Open Iot Standards Group

Microsoft is leading a band of tech titans to found a new Internet of Things standards group. The Open Connectivity Foundation (OCF) will seek to define interoperability standards for the billions of internet-connected devices expected to arrive in the next few years. Up until now the OIC was in competition with the Allsee Alliance, another IoT standards group formed in 2013, with members such as Microsoft, Electrolux, and Qualcomm — all of whom are now part of the OCF. There’s also the two-year-old Industrial Internet Association formed by Intel, IBM, ATT, Cisco, and GE. [ZDNet]

WW – IoT: SimpliSafe Alarms Transmit Codes in Plaintext

SimpliSafe wireless home alarm systems are vulnerable to replay attacks.

The system’s keypad uses the same, unencrypted personal identification number each time it sends a message to the base station. Attackers could sniff the code, then replay it to trick the system into thinking that a home is secured when there is actually a break-in occurring. The microcontroller chips used in the system are write-once, which means they cannot be updated with firmware. SimpliSafe is used in more than 200,000 homes. [Ars Technica] [The Register]

Security

WW – Eliminating Browser Plugins Improves Security, Decreases Functionality

In an effort to improve security, browser makers have begun disabling plugins. Oracle said last month that it would end support for its Java plugin. The plugin will be “deprecated” in the next release version of Java Development Kit, which is scheduled for release next year. [eWeek]

US – California AG Says Not Adopting Critical Security Controls Indicates “Failure to Provide Reasonable Security”

A report from the California Attorney General’s Office includes recommendations for organizations to protect their systems from breaches. The “report clearly articulates basic steps that businesses and organizations must take to comply with the law, reduce data breaches, and better protect the public and our national security.” The report recommends organizations adopt the Center for Internet Security’s Critical Security Controls as the start of a comprehensive information security program. The Attorney General’s Office stated “not doing so would be indicative of an organization’s failure to provide reasonable security.” [Source] [SANS Critical Controls]

US – California Data Breach Report Identifies Exploited Flaws and Defines Legal Minimum Standard of Due Care for Cyber Security

The California Data Breach Report “provides an analysis of the data breaches reported to the California attorney general from 2012-2015.” In nearly all cases, the breaches exploited vulnerabilities for which fixes had been available for more than a year. California state law states, “A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature if the information.” The report goes on to say that organizations that do not implement the Center for Internet Security’s (CIS) 20 Critical Security Controls would be found to demonstrate “a lack or reasonable security.” [NextGov] [NatLawReview]

WW – PwC Report: Cybercrime Second Most Reported Economic Crime

According to PwC’s Global Economic Crime Survey 2016, nearly one-third of organizations surveyed said they had experienced cybercrime. The report explains the surprisingly low percentage by noting, “the insidious nature of this threat is such that of the 56% who say they are not victims, many have likely been compromised without knowing it.” The report also found that just 37 percent of organizations have established a cyber incident response plan. “Many boards are not sufficiently proactive regarding cyber threats.” The report draws its statistics from responses from more than 6,000 organizations in 115 countries. [ZDNet] [Newsmarket]

US – IRS reports 400% increase in phishing& malware in the past 12 months

The US tax-filing season has only been under way for a month, but already the IRS is warning that it’s seen a 400% surge in phishing and malware compared with the previous tax year. Phishing messages are asking taxpayers about a wide range of sensitive information, including data related to refunds, filing status, confirmation of personal information, transcript orders and PIN verifications. The messages are rigged to look official, as if they came from the IRS itself or from others in the tax industry, such as tax software companies. The phishing attempts are being seen in every part of the country, the IRS says. [Source]

Surveillance

Texas – City Dumps License Plate Readers for Being “Big-Brotherish”

At the beginning of the year, the City of Kyle, Texas, approved a controversial agreement to install automated license plate recognition (ALPR) technology in its police vehicles. The devices would come at no cost to the city’s budget; instead, police would also be outfitted with credit card readers and use ALPR to catch drivers with outstanding court fees, also known as capias warrants. With each card swipe, an added 25% surcharge would go to Vigilant Solutions, the company providing the system. As an added bonus the company would also get to keep all the data on innocent drivers collected by the license plate readers—indefinitely. But before the license plate readers could even be installed, the Kyle city council voted 6-1 to rescind the order. The reason: public and media outcry over how the system would turn police into debt collectors and data miners. In late January, EFF published a report about Vigilant’s latest business scheme: licensing ALPR systems to law enforcement agencies for free, in exchange for their participation in what Vigilant calls its “Warrant Redemption Program.” In addition to the City of Kyle, the City of Orange and Guadalupe County in Texas had also signed similar deals. [EFF]

US Legislation

US – Obama Signs Bill Extending Privacy Protections to Allies

President Barack Obama signed legislation that would extend some U.S. privacy protections to citizens of allied countries and let foreigners sue the U.S. government if their personal data is unlawfully disclosed. The bill extending certain privacy protections was aimed at shoring up trust among European allies following leaks by former NSA contractor Edward Snowden. Obama said the new law makes sure data is protected under U.S. privacy laws, “not only American citizens, but also foreign citizens.” Even as the U.S. government works to protect American’s security, Obama said “we’re mindful of the privacy that we cherish so much.” Supporters say extending privacy protections helps ensure that other nations will continue sharing law enforcement data with the United States. [The Winnipeg Free Press]

US – Congress Looks to Boost Email Privacy; Increase Social Media Surveillance

While civil liberties advocates are encouraged by the House push to protect Americans’ emails, they are keeping a close eye on separate efforts by lawmakers to increase surveillance of social media. Earlier this month, the Senate Homeland Security and Governmental Affairs Committee approved the bipartisan Combat Terrorist Use of Social Media Act, which requires President Obama to develop a comprehensive strategy to counter terrorists’ use of social media. The Obama administration has been promising such a strategy since late 2011. [Source]

US – DC Introduces Bill Prohibiting Tracking of School Issued Devices

Bill 21-0578, Protecting Students Digital Privacy Act of 2016, was introduced and referred to the Committee on Education. Device location tracking technology cannot be used to track a device given to students unless the student has reported the device missing or stolen, a judicial warrant has been obtained or it is necessary to respond to an imminent threat to life or safety; students cannot be required to or coerced into providing usernames and passwords or providing any school personnel with access to personal social media accounts. [B21-0578 – Protecting Students Digital Privacy Act of 2016]

+++

 

 

15-21 February 2016

Biometrics

US – The American Government Plans to Scan Your Eyes at Border Crossings

The US government is using eye scans and facial recognition technology for the first time to verify the identities of foreigners leaving the country on foot — a trial move aimed at closing a long-standing security gap, officials announced. Before now, foreigners who left the country were rarely checked by U.S. authorities as they walked into Mexico or Canada through ports of entry. The checkout system that launched Feb. 11 at a busy San Diego border crossing with Mexico aims to ensure those who enter the country leave when their visas expire and identify those who violate that. Up to half of people in the U.S. illegally are believed to have overstayed their visas. Authorities are using the trial runs to determine which technology is the fastest, most accurate and least intrusive in screening people coming and going at all land crossings along the 3145-kilometre border with Mexico. Final results are expected this summer, with the goal of expanding the checks to all land, air and sea ports. Federal officials say they will not share or retain the data collected in the trial runs, but it is not clear how the information will be used if the program is adopted permanently. [Source]

Canada

CA – OIPC SK Unable to Determine if Employee Access to Individual’s Personal Information Was for Legitimate Purposes

The Saskatchewan IPC investigated a complaint alleging improper disclosure of personal information by an employee of Saskatchewan Government Insurance. The employee conducted a specific license plate search on a vehicle belonging to the individual; the individual argues that she has a contentious relationship with the employee, however the search was a typical part of the employee’s duties. The government agency must evaluate solutions to determine whether employee access is for legitimate business purposes. [Investigation Report 189-2015 – Saskatchewan Government Insurance]

CA – OIPC AB Upholds Educational Institution’s Disclosure of Student’s PI in the Course of a Conflict Resolution Process

This OIPC AB order investigated the alleged unlawful collection and disclosure of a student’s personal information by Bow Valley College pursuant to Alberta’s Freedom of Information and Protection of Privacy Act. An academic official reasonably communicated PI about one student in emails to 2 supervisors, to ensure that the students did not have contact with one another and to decide if further disciplinary action might be necessary; the student’s PI was secure because email messages remain only within the internal computer network (monitored for security threats, viruses and unauthorized access) and employees’ email accounts are password protected. [Order F2016-01 – Bow Valley College]

CA – Airlines Should Be Able to Exchange Info on Unruly Passengers: Air Canada

Air carriers should be allowed to share information about unruly passengers to help keep the skies safer, Canada’s largest airline says. A carrier can ban people with a history of disruptive behaviour from taking further flights with that airline, Air Canada notes in a submission to the federal government. But legislation does not permit airlines to exchange information about passengers, even when they believe them to be a safety risk to others. In the submission to a federal review of the Canada Transportation Act, Air Canada says safety “should always be first and foremost.” A report flowing from the review — likely to include some recommendations about air safety — is expected to be made public in coming weeks. The federal privacy commissioner’s office said it was unaware of Air Canada’s sharing proposal, had not studied the issue and could provide no comment at this time. [The Canadian Press]

E-Government

WW – New Tool from Nymity Aims to Simplify Privacy Management

Nymity announced its newest privacy management tool, the Nymity Planner. The “activity based” Nymity Planner “helps privacy offices operationalize compliance, document evidence and resources, delegate accountability, and ‘plan’ privacy management throughout the organization,” the report states. It also includes a GDPR add-on, so companies can consider GDPR compliance as they work to increase privacy protections in their organization. Nymity also has plans to include a Privacy Shield add-on. “The solution will prove to be highly valuable for those privacy officers who are looking to embed, manage, and report on structured privacy management across their organization,” said Nymity’s Constantine Karbaliotis, [GlobeNewswire]

E-Mail

CA – Update on CRTC CASL Compliance and Enforcement

On February 10, 2016, Lynne Perrault and Dana-Lynn Wood of the CRTC provided the latest in what is becoming a series of CASL briefings, as part of an “on-going dialogue” with industry. The CRTC now has a year and a half of enforcement experience under its belt for the Commercial Electronic Messages (CEMs) provisions of CASL, so this presentation focused on patterns and issues that have emerged in that period, and some guidance in response to those issues, including complaint statistics, priorities, and enforcement and other compliance issues. [Canadian Tech Law Blog] See also: [If you hate telemarketers, you’ll love this robot designed to waste their time]

Electronic Records

US – ONC: Patient Comfort Levels With EHRs, Data-Sharing On the Rise

A nationwide survey from Office of the National Coordinator for Health IT conducted between 2012 and 2014 indicates patients are growing more comfortable with electronic medical records and support data-sharing, though a summary from the agency notes that the survey took place before several major healthcare data breaches in 2015. Preserving patient trust is an essential part of establishing an interoperable health IT infrastructure. A study from the University of Wisconsin-Milwaukee and Dartmouth College based on the 2012 Health Information National Trends Survey found that 13% of respondents reported having withheld information from their provider because of privacy and security concerns. Privacy concerns can “crash” big data initiatives before they become useful, while the key to success lies in finding the right balance, experts said at a Princeton University event in April 2014. ONC data brief [FierceHealthIT]

Encryption

US – Apple Fights Order to Unlock San Bernardino Gunman’s iPhone

A debate pitting the government against tech companies has now come to a showdown after Apple CEO Tim Cook announced the company will not comply with a federal court order that it help the FBI unlock the iPhone of one of the San Bernardino shooters. In a win for the government, Magistrate Judge Sheri Pym ordered Apple to provide technical assistance to disable the phone’s password-wipe function — after 10 incorrect password attempts, the phone erases its data — so that authorities could “brute force” the phone’s password. Hours later, Cook announced the company would fight the order. In a message to Apple customers, the company wrote, “This moment calls for public discussion, and we want our customers and people around the country to understand what is at stake.” [The New York Times] See also: [Can the FBI Force Apple to Write Software to Weaken Its Software? ] [Why Apple Is Right to Challenge an Order to Help the F.B.I.] [Apple’s Line in the Sand Was Over a Year in the Making] [Who does Apple think it is? ] [Apple Said to Get More Time to Fight Order to Unlock IPhone ] [Why you should side with Apple, not the FBI, in the San Bernardino iPhone case ] [Here’s What The FBI Actually Asked Apple To Do It’s more complicated than it seems.] [No, Apple Has Not Unlocked 70 iPhones For Law Enforcement ] [Apple vs. The FBI: Questions Not Asked ] [Apple vs. the FBI: Facebook, Twitter, Google, John McAfee and more are taking sides ] [Apple backdoor court order being watched in Canada] [Read Apple’s unprecedented letter to customers about security] [Tech Reactions on Apple Highlight Issues with Government Requests] and finally: [In the Matter of the Search of an Apple iPhone Seized During the Execution of a Search Warrant on a Black Lexus IS300, California License Plate 35KGD203 – Order Compelling Apple Inc. to Assist Agents in Search – United States District Court For The Central District Of California

EU Developments

EU – Art WP29 Issues Surveillance Benchmarks

In its statement in response to the announcement of the new EU-U.S. Privacy Shield, the Article 29 WP enunciated “four essential guarantees,” derived from “jurisprudence,” that it is using to assess the protections provided to ensure intelligence surveillance respects fundamental rights. These are:

  1. Processing should be based on clear, precise and accessible rules: This means that anyone who is reasonably informed should be able to foresee what might happen with their data where it is transferred;
  2. Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated: A balance needs to be found between the objective for which the data is collected and accessed (generally national security) and the rights of the individual;
  3. An independent oversight mechanism should exist, that is both effective and impartial: This can either be a judge or another independent body, as long as it has sufficient ability to carry out the necessary checks;
  4. Effective remedies need to be available to the individual: Anyone should have the right to defend her/his rights before an independent body.

These four standards are almost identical to the essential safeguards under the EU legal order used in the Sidley Austin report, “Essentially Equivalent: A comparison of the legal orders for privacy and data protection the European Union and United States,” as a basis to compare surveillance laws in the United States and eight illustrative EU member states. [IAPP] [Article 29 WP – Statement on the 2016 Action Plan for the Implementation of the GDPR Work Programme | Action Plan]

UK – ICO Launches Tool to Help SMEs Assess Compliance

The UK ICO has launched a self-assessment tool to help small and medium organisations assess compliance with the Data Protection Act. The tool outlines obligations for registration of personal data processing, identification of individuals responsible for development, implementation and monitoring of data protection and information security policies, training of staff and disposal of personal data held; security measures should be established for effective malware defences, logging and monitoring of user and system activity, and detection of unauthorised access or anomalous use. [ICO UK – ICO Launches New Data Protection Self Assessment Tool for SMEs]

EU – Other News:

Facts & Stats

US – California Attorney General Releases Data Breach Report

Over the course of the last four years, the personal records of more than 49 million Californians were put at risk, according to a new data breach report from California Attorney General Kamala Harris. Between 2012 and 2015 there were 657 reported breaches, and three out of five state residents were victims of a data breach in just 2015 alone. The report includes information on the most common types of data breached, explains what types of breaches different industry sectors were most susceptible to, and provides recommendations to reduce the frequency and impact of future breaches. The report articulates basic steps that businesses and organizations must take to comply with the law, reduce data breaches, and better protect the public and our national security. The report also includes recommendations for businesses to better protect personal data and maintain “reasonable security.” [Source] [California Data Breach Report February 2016] [California Reports 49 Million Records Breached in Four Years]

Filtering

CA – Google Appeal of Worldwide Injunction Headed to Supreme Court

The Supreme Court of Canada has agreed to hear Google’s appeal of a worldwide injunction which critics warn could turn B.C. into a destination for ‘censorship tourism’. The tech giant is challenging a B.C. Supreme Court ruling made in relation to a Burnaby-based company’s bid to stop another firm from profiting from the sales of stolen technology. Google was a third party in the litigation, dragged into the case because Datalink relies on web search engines to attract potential customers. Google voluntarily removed 345 links from search results in Canada. But Equustek accused Datalink of playing ‘Whack-A-Mole’ by going international with its listings. Hence the worldwide injunction in 2014 from B.C. Supreme Court Justice Lauri Ann Fenlon. “The courts must adapt to the reality of e-commerce with its potential for abuse by those who would take the property of others and sell it through the borderless electronic web of the internet,” Fenlon wrote. “That (injunction) is necessary … to ensure that the defendants cannot continue to flout the court’s orders.” The ruling, which was upheld by the B.C. Court of Appeal, made headlines around the world. It’s one of a growing body of legal decisions struggling to balance rights and responsibilities of technology companies operating across global boundaries.

In agreeing to hear the case, Canada’s highest court defined those questions as follows:

  • “Under what circumstances may a court order a search engine to block search results, having regard to the interest in access to information and freedom of expression, and what limits (either geographic or temporal) must be imposed on those orders?”
  • “Do Canadian courts have the authority to block search results outside of Canada’s borders?”
  • “Under what circumstances, if any, is a litigant entitled to an interlocutory injunction against a non-party that is not alleged to have done anything wrong? [CBC] [Canadian courts wade into free-speech battle with worldwide injunction against Google]

FOI

NZ – Government Made 12,000 Privacy Requests to Just 10 Companies

The New Zealand privacy commissioner revealed that government agencies, including Inland Revenue, Police and Ministry of Social Development made nearly 12,000 requests for citizens’ personal information to only 10 companies from August to October 2015. This information was revealed as part of an Office of the Privacy Commissioner trial transparency program. The OPC further discovered that more than 1,000 information requests were incorrectly labelled as being made under the Privacy Act, which provides no mechanism for government agencies to make requests for personal information. The 10 companies voluntarily complied with the information requests approximately 96 percent of the time, which has left some lawyers and privacy advocates concerned that agencies were misleading companies by using clauses of the Privacy Act to compel sharing of personal information. [NZ Herald]

CA – IPC ON Orders Oshawa to Issue Decision Relating to Email by City Councillor

The Information and Privacy Commissioner in Ontario reviewed a decision by the City of Oshawa to deny access to records requested pursuant to the Municipal Freedom of Information and Protection of Privacy Act. Although the councillor is not an employee of the public body (elected members of a municipal council or not agents or employees of municipal corporations), the record is under the control of the public body; the contents of the record relate to a departmental matter and the public body could reasonably expect to obtain a copy of the record upon request. [IPC ON – Order Mo-3281 – The Corporation of the City of Oshawa]

Health / Medical

US – HHS Releases New HIPAA and Mobile Sharing Guidance

The Department of Health and Human Services’ Office for Civil Rights debuted new scenario-based guidance to help health care providers better understand how to protect patient data and comply with HIPAA on mobile devices. Privacy advocates are pleased. “This guidance is important since some developers still aren’t clear about whether they fall under HIPAA or not — that is, whether or not they are HIPAA-defined business associates,” said The Marblehead Group. The guidance is next in the agency’s “cyber-awareness initiative,” with a manual on HIPAA and cloud computing forthcoming, the report adds. [GovInfoSecurity]

CA – Debate Continues on Ontario Health Privacy Breach Law

A bill proposing to double the fines for violations of Ontario’s Personal Health Information Protection Act was a subject of debate at Queen’s Park in Toronto. Bill 119, the Health Information Protection Act, was tabled Sept. 16 by Liberal Health Minister Eric Hoskins. Among other things, Bill 119, if passed into law, would double the maximum fines for offences, under PHIPA, from $50,000 to $100,000 for individuals and from $250,000 to $500,000 for organizations,” said Indira Naidoo-Harris Liberal MPP for Halton and parliamentary assistant to Hoskins, at Queen’s Park Tuesday. Other changes proposed in Bill 119 “include making it mandatory to report privacy breaches as defined in regulation.” [Canadian Underwriter]

CA – Sask. Residents Can View Their Personal Health Care Information Online

500 Saskatchewan residents were invited to participate in a new pilot program offered by eHealth. The pilot allows residents to view their personal health information online through a secure website. So far, 232 residents have created accounts. The Citizen Health Information Portal (CHIP) pilot will include up to 1,000 participants from across the province. Throughout the six-month trial period, participants can view their personal lab results, immunization history, 25 months of prescription history and hospital visits from anywhere in the world. Participants can add their personal history to the record, including information about allergies and surgeries and medication reminders. Parents can access their children’s health-care information, and travellers can print their health information and take it with them on holidays. [Source] [Saskatchewan patient access to online health records requires big focus on security] [Debate continues on Ontario health privacy breach law]

Horror Stories

US – Ransomware Hits California Hospital

Computer systems at the Hollywood Presbyterian Medical Center in southern California have fallen prey to ransomware. The systems have been offline for more than a week. Employees were not able to access patient files and the hospital declared the situation an internal emergency. The FBI, the L.A. Police Department, and cyberforensics experts are investigating. The attackers have demanded a ransom of 9,000 Bitcoins (approximately US $3.6 million) While the organization is dealing with the attack, its network is offline and “staff are struggling to deal with the loss of email and access to some patient data.” Some patients have also been transferred to other hospitals because of the attack, and registrations and medical records are currently being logged on paper. Meanwhile, a new study by the Cloud Security Alliance and Skyhigh has found that cybersecurity insurance makes companies more likely to pay in ransomware attacks. [CSO Online] [ZDNet] [ComputerWorld] [BBC] UPDATE: [LA Hospital Pays Hackers Nearly $17,000 To Restore Computer Network]

Internet / WWW

US – Google Says it Tracks Personal Student Data, But Not for Advertising

What does Google do with the personal information it collects from children who use Google products at school? Google provided some answers in a seven-page letter to Sen. Al Franken (D-Minn.), the ranking member of the Judiciary Subcommittee on Privacy, Technology and the Law. Google does not use K-12 students’ personal information to serve targeted advertisements, but Google does track data from students for other reasons, including developing and improving Google products. Such tracking happens when students are signed into their Google Apps for Education account but are using certain Google services — such as Search, YouTube, Blogger and Maps — that are considered outside Google’s core educational offerings. Thousands of K-12 schools and universities — and more than 30 million students and teachers — use Google’s Apps for Education, which the company provides to schools free of charge. Franken said that Google’s response was “thorough,” but said he will seek further clarification from Google about some of its privacy policies regarding student data. UC Berkeley students sue Google, alleging their emails were illegally scanned [The Washington Post]

US – 90% of Enterprises in U.S. to Increase Annual Spend On Cloud Computing

A new survey out of the U.S. identifies a cloud computing spending pattern – 90% of respondents say their companies plan to increase or maintain related budgets – that signals a growth opportunity for providers. Cloud service providers are advised to target opportunity in enterprise market, Washington, D.C.-based B2B research firm Clutch suggested in releasing its 2016 Enterprise Cloud Computing Survey last week. [Canadian Underwriter] See also: [Privacy, power concerns drive Canadian data center growth]

Law Enforcement

CA – Group’s Efforts to Review Ottawa Police Sexual Assault Cases Falls Flat

The Ottawa Police Service denied a group’s request to have full disclosure in reviewing sexual assault cases, citing privacy concerns as the main reason. Scassa, a law professor and member of the external advisory committee of the Office of the Privacy Commissioner of Canada, said the (external audit) model could be adopted in Ottawa if the advocates who review cases sign confidentiality agreements. The group that has been lobbying the Ottawa police to adopt the model said they would be willing to do that. “There’s nothing in Ontario privacy law that stops the police here from doing the same thing,” said Scassa. “I think there is a great tendency to use privacy as an excuse for not doing things, or for government institutions to use privacy as an excuse for not doing things they don’t want to do.” [MetroNews]

CA – Ontario Privacy Laws Hamper Social Agencies

The head of a St. Catharines social agency says more missing adults in Ontario could be found if government legislation did not prohibit sharing personal information with family members. “They have rights and responsibilities within the Mental Health Act that precludes us from going and taking them and forcing them into a situation that they’re not comfortable with.” Souter says it is important to respect the privacy of all people, but rules around confidentiality often put an individual at odds with his or her family. [CBC] [Ontario man missing 30 years suddenly remembers own identity] SEE ALSO: [B.C. privacy laws slow efforts to find, compensate children of missing women]

Location

CA – Waterloo Deploys ALPR on Delinquent Parkers

Delinquent parkers beware: it’s going to get a lot harder to dodge a parking ticket if you overstay your welcome in Waterloo’s free parking zones. A new license plate recognition vehicle will begin patrolling the streets in March. The vehicle will use specialized cameras to scan licence plates, capture the GPS coordinates of the vehicle and capture a before and after image of the vehicle’s wheels. It’s an initiative the city has been working on since 2011, said Waterloo’s manager of compliance and standards. Mulhern says part of why it took five years to get the program off the ground was the city’s dedication to ensuring all possible privacy concerns had been addressed. He said the city worked with the privacy commissioner to make sure the system was set up correctly and that data would be stored securely and for no longer than necessary. Labouring over those kinds of details seems to have paid off. When contacted by the CBC, Ontario Civil Liberties Association executive director Joseph Hickey said it appeared the city had addressed privacy concerns, and “therefore this is a minor issue for us.” The city plans to hold an open house Thursday at RIM Park from 12 to 8 p.m. for the public to see the new parking control system and ask questions. [CBC]

Privacy (US)

WW – EY Releases Report on Privacy Trends for 2016

EY has now released a report on privacy trends in 2016, called “Can privacy really be protected anymore?” Of those surveyed, nearly half said they were concerned with having a clear picture of where personal information is stored outside the organization’s systems and services. Additionally, nearly 40% expressed concern that there are not enough people to support their privacy program. “As the onus of accountability shifts from regulators to organizations,” the report states, “organizations need to take heed of where they are in terms of their privacy maturity and what they need to do to make privacy protection part of everything in an organization.” [Source]

US – Tech Company Settles FTC Charges for Installation of Apps Without Consumer Knowledge or Consent

General Workings Inc. entered into a settlement agreement with FTC for alleged violations of section 5(a) of the FTC Act. The company replaced a popular app with its own software program that automatically approved default permissions requests associated with apps that were then installed on consumers’ desktops and mobile devices; the company must delete all consumer personal information in its possession, custody or control, inform consumers of the types of information that will be accessed and display any permissions notice or approval requests prior to installation of the app. [FTC Settlement Agreement with General Workings Inc and Ali Moiz and Murtaza Hussain – File 152-3159] [Press Release] [FTC Complaint]

US — Privacy Owes Much to Attorneys General: Report

The University of Maryland Francis King Carey School of Law’s Danielle Keats Citron argues that state attorneys general are the unsung heroes of developing privacy law in her new research that has been posted to the Social Science Research Network, entitled “Privacy Enforcement Pioneers: The Role of State Attorneys General in the Development of Privacy Law.” In it, she writes, “Accounts of privacy law have focused on legislation, federal agencies, and the self-regulation of privacy professionals,” adding, “Crucial agents of regulatory change, however, have been ignored: the state attorneys general.” According to the SSRN abstract, “this article is the first in-depth study of the privacy norm entrepreneurship of state attorneys general.” [Full Story]

US – Tech firms Unite to Form Cybersecurity Coalition

Seven cybersecurity firms banded together to create the Coalition for Cybersecurity Policy and Law, a group committed to developing an online privacy framework with legislators. Cisco, Intel, Arbor Networks, Microsoft, Oracle, Rapid7 and Symantec are the organizations represented in the coalition, which was “founded on three major principles: stimulating the cybersecurity marketplace; encouraging cybersecurity innovation,” and encouraging other companies to embrace cybersecurity from the ground up. “The members of this Coalition are dedicated to building our nation’s public and private cybersecurity infrastructure, and their insight and engagement must play a vital role in the decisions being made by our government on cybersecurity policy,” said Venable’s Ari Schwartz, who serves as the coalition’s coordinator. [FedScoop]

NZ – Nudist Resort Removes Photos of Judge from Site

An unnamed judge recently spent time at the Pineglades Naturist Club in Rolleston where he was photographed lounging and playing games in the nude. The club had posted photos of the naked judge online for promotional purposes. However, the photos were removed from the club’s website after the newspaper made inquiries into them. The Guidelines for Judicial Conduct warn that a judge attracts more attention and scrutiny than most members of the community, so they should accept some restrictions on conduct and activities. The judge is unlikely to be punished though as there are no disciplinary mechanisms for enforcing the guidelines. [The New Zealand Herald]

Security

US – Cyber Threat Information Sharing Guidelines Released by DHS

This week, the Federal government took the first steps toward implementation of the Cybersecurity Information Sharing Act (CISA), enacted into law last December. CISA aims to encourage sharing of cyber threat indicators and defensive measures among private companies and between the private sector and the Federal government by providing liability protection for sharing such information in accordance with the Act.  The DHS Federal Register notice was published this morning here. As required by the Act, the government has released four pieces of guidance designed to assist companies and Federal agencies with respect to sharing, receiving and handling cyber threat information.

WW – Study: Leaked data quickly gobbled up in the Dark Web

Bitglass’ second annual “Where’s Your Data” study found that within “a few days” of leaking false user data, the information was accessed via the Dark Web in “20 countries and multiple continents.” “In total, the team tracked over 1,400 visits to the fake credentials, in addition to the fictitious bank portal,” the report states. The findings are evidence of the need for companies to properly protect their personal information. “Organizations need a comprehensive solution that provides a more secure means of authenticating users and enables IT to quickly identify breaches and control access to sensitive data.” [ZD Net]

Smart Cars

US – Verizon’s “Hum” Device for Your Car Will Rat Out Speeding Teens, Wandering Spouses

The $15/month Verizon “hum” service was originally launched to collect vehicle diagnostics, connect users to roadside assistance, provide maintenance reminders. But this morning Verizon announced that it will be adding a slew of new features for the hum, including: boundary alerts, speed alerts, vehicle location, and driving history. [The Consumerist] SEE ALSO: [Marc Garneau: Canada’s Senate To Study Rules Surrounding Driverless Cars]

Surveillance

WW – 519070 or Blank: The PINs that Can Pwn 80k Online Security Cams

Researchers say up to 80,000 digital video recorders (DVRs) used to record footage from surveillance cameras employ hardcoded passwords – or don’t use one at all – opening avenues for attackers to breach home and business networks and compromise privacy. In one examination, at least 46,000 DVRs were found open to remote hijacking through a hardcoded firmware username and password. Risk-Based Security chief researcher Carsten Eiram says most of the exposed cameras are operating in the US followed by the UK, Canada, Mexico and Argentina.  [The Register]

Telecom / TV

US – Coalition Calls FCC Set-Top-Box Proposal ‘An Assault’ On Privacy

Privacy advocates continue to criticize the Federal Communications Commission’s proposal for new set-top-box TV guidelines, calling them both “an assault on consumer privacy” and an outlet that lets “privacy scofflaws like Google” obtain greater swaths of user data, the Future of TV Coalition said. While FCC Chairman Tom Wheeler maintains the guidelines would have privacy protections, the advocacy group argues the overreaching consequences are too immense. “The Chairman’s approach creates a gaping hole in consumer privacy where none exists today, and leaves our personal viewing histories at the mercy of vast businesses built almost entirely on mining, exploiting, and profiling our personal data,” the Future of TV Coalition said. [MediaPost] [Lawmakers weigh in on FCC set-top box changes]

US Government Programs

US – Interim Guidelines for Cybersecurity Act Released by DHS

The Department of Homeland Security published interim guidelines that illustrate how the agency will collect data under the Cybersecurity Act of 2015. The act-mandated move was an attempt to assuage critics of the legislation, who fear it will conclude with even more citizen data collected by the agency. “We know many cyber intrusions can be prevented if we share cyber threat indicators,” said DHS Secretary Jeh Johnson. “Sharing this kind of information in real-time, and swiftly applying defensive measures, will allow both the government and private sector to more effectively prevent attacks.” The agency has until June to complete a more formal privacy guideline. [The Hill]

US Legislation

US – Roundup:

Workplace Privacy

US – Bosses Tap Outside Firms to Predict Which Workers Might Get Sick

In an attempt to curb the cost expended for health care, companies like Wal-Mart are employing data mining groups to analyze employee information that identifies those with potential health risks. “Companies say the goal is to get employees to improve their own health as a way to cut corporate health care bills,” the report states, but “privacy experts worry that management could obtain workers’ health information, even if by accident, and use it to make workplace decisions.” [Wall Street Journal] [US: Bosses Harness Big Data to Predict Which Workers Might Get Sick]

 

 

+++

 

 

08-14 February 2016

 

Canada

CA – OPC Wants Info on Agency Tracking Peaceful Protests

Canada’s privacy watchdog wants more information on a central government agency keeping tabs on peaceful protests. Privacy commissioner Daniel Therrien’s office has asked the Government Operations Centre (GOC) to review its tracking of lawful protest and dissent. The GOC provides 24/7 “situational awareness” for the federal government, and is supposed to help co-ordinate Ottawa’s response to natural disasters or threats to infrastructure. But in late 2014, it was revealed the GOC has collected information on more than 800 peaceful protests, demonstrations and academic panels since 2006. Documents tabled in Parliament in 2014 showed the GOC had information on events like a rally for veterans on Parliament Hill, a public panel discussion in Toronto on the oilsands, and a number of vigils and marches for missing and murdered indigenous women. In June 2014, the Ottawa Citizen reported that the GOC asked government departments for help in compiling a “comprehensive listing of all known demonstrations” across the country. The revelations drew the ire of the Liberals while in opposition. [The Star]

CA – Premier’s Office in Nova Scotia Broke Law, Privacy Czar’s Report Finds

The office of Nova Scotia Premier Stephen McNeil broke privacy laws when chief of staff Kirby McVicar publicly released sensitive medical information about a former cabinet minister, the province’s privacy commissioner says. McVicar resigned Nov. 24 after stating in several media interviews that Andrew Younger had a brain tumour and had been diagnosed with post-traumatic stress disorder. In a report released Thursday, privacy commissioner Catherine Tully concluded that McVicar violated provisions of the Freedom of Information and Protection of Privacy Act. “The report finds that the disclosure is a breach of the privacy rules,” the report says, though there is no mention of penalties or further investigation. McNeil, speaking after a cabinet meeting, challenged Tully’s main conclusion, saying his office was not to blame because McVicar took sole responsibility for his actions. [Source] [CBC: NS OIPC rules premier’s former chief of staff violated law]

CA – Ontario Professionals Obligated to Share Info About “At Risk” Children

The Information and Privacy Commissioner of Ontario has issued a guide for disclosure of information to child protection workers. Individuals with reasonable grounds to suspect a child is need of protection must immediately report the suspicion to a children’s aid society even if the information is confidential or privileged and despite provisions of any other act; institutions and custodians are protected from liability if they act in good faith and do what is reasonable under the circumstances. [IPC ON – Yes You Can – Dispelling the Myths About Sharing Information with Childrens Aid Society]

E-Mail

WW – Gmail Now Warns Users When They Send and Receive Email Over Unsecured Connections

Google is introducing new authentication features to Gmail to help better identify emails that could prove to be harmful or are not fully secure. The company said last year that it would beef up security measures and identify emails that arrive over an unencrypted connection and now it has implemented that plan for Gmail, which Google just announced has passed one billion active users. Beyond just flagging emails sent over unsecured connections, Google also warns users who are sending. Gmail on the web will alert users when they are sending email to a recipient whose account is not encrypted with a little open lock in the top-right corner. That same lock will appear if you receive an email from an account that is not encrypted. Last year, Google said that 57% of messages that users on other email providers send to Gmail are encrypted, while 81% of outgoing messages from Gmail are, too. Another measure implemented today shows users when they receive a message from an email account that can’t be authenticated. If a sender’s profile picture is a question mark, that means Gmail was not able to authenticate them. Authentication is one method for assessing whether an email is a phishing attempt or another kind of malicious attack designed to snare a user’s data or information. [TechCrunch] [Google Gmail Help]

Encryption

US – Lawmakers Seek to Loosen Encryption on Smartphones

A fight over encryption-protected smartphone data is heating up in California and New York where lawmakers and law enforcement groups are pushing bills to enable investigators to unscramble data to obtain critical evidence in human trafficking, terrorism and child pornography cases. The bills seek to loosen the powerful encryption tools major cell-phone manufacturers have put in place to protect a smartphone user’s privacy and guard against hacking. Supporters argue law enforcement needs access to data that can help them prove or solve criminal cases, while technology and privacy groups are concerned the legislation would put a user’s personal information at risk. [SF Chronicle] [Sen. Feinstein Says Terrorists Only Need The Internet and Encryption To Attack] [US Congress locks and loads three anti-encryption bullets] [Bill Would Ban State Efforts to Weaken Encryption]

US – New Bill Aims to Stop State-Level Decryption Before It Starts

Over the last several months, local legislators have embarked on a curious quest to ban encryption at a state level. For a litany of reasons, this makes no sense. And now, a new bill in Congress will attempt to stop the inanity before it becomes a trend. California Congressman Ted Lieu has introduced the “Ensuring National Constitutional Rights for Your Private Telecommunications Act of 2016,” which we’ll call ENCRYPT. It’s a short, straightforward bill with a simple aim: to preempt states from attempting to implement their own anti-encryption policies at a state level. We’ve outlined the reasons that a patchwork of state anti-encryption laws makes no sense before, but it’s worth a quick recap. Lieu himself considers there to be three main issues with allowing government backdoors generally. (He’s also, for what it’s worth, one of four sitting Congressman with a computer science degree). [WIRED]

WW – Report: A Worldwide Survey of Encryption Products

A report from Bruce Schneier, Kathleen Seidel, and Saranya Vijayakumar says that mandating backdoors in encryption products would hinder competitiveness for those countries while having little effect on criminals intent on using encryption products that are free of such weaknesses. “Anyone who wants to evade an encryption backdoor in US or UK encryption products has a wide variety of foreign products they can use instead.” [Schneier] [ArsTechnica] [The Register] [NBC News]

EU Developments

EU – WP29 Lays Out 2016 Action Plan for GDPR Implementation

Last week, the Article 29 Working Party published the group’s action plan for the implementation of the General Data Protection Regulation. The Privacy Advisor shares commentary from Falque-Pierrotin during last week’s presser and looks into the official release by the WP29 of its four action plan items, which include the establishment of a European Data Protection Board, preparation for a one-stop shop and consistency mechanism, guidance for controllers and processors, and the creation of an online communication tool around the EDPB and GDPR. [IAPP]

UK – Snooper’s Charter Given Thumbs Up by UK Parliament Report

The UK parliament has published a joint committee report that only feebly challenges the government’s draft Investigatory Powers Bill. In contrast to the scathing report by the Intelligence and Security Committee report published earlier this week, the joint committee accepts nearly all the arguments of the government and intelligence services for wide-ranging and intrusive surveillance powers. In response to the controversy and criticisms of the proposed Snooper’s Charter, the report simply says: “The public debate over these powers is a healthy one, and the Home Office should ensure that it and the security and intelligence agencies are willing to make their case strongly in the months ahead.” In the main, the joint committee calls for only minor tweaking of the plans, but does recommend that a post-legislative review of the Snooper’s Charter should be made five years after it has been enacted. It also wants it to be illegal to ask foreign agencies like the NSA to undertake surveillance that UK intelligence agencies are not authorised to undertake themselves. [Ars Technica] [UK politicians green-light plans to record every citizen’s internet history But recommend that no encryption backdoors should be installed] [Parliamentary Watchdog Savages Snoopers’ Charter: ‘Inconsistent and largely incomprehensible’]

EU – Facebook Ordered to Stop Tracking Non-Users in France

In a 16-page ruling issued this week, France’s CNIL found fault with data collection by Facebook at its own site, and at the sites of outside publishers with “Like” buttons. “While the purpose claimed by the company may seem legitimate (ensuring the security of its services), collecting data on browsing activity by non-account Facebook holders on third-party websites is carried out without their knowledge.” The regulator also said that Facebook violates EU privacy law by placing cookies on the computers of visitors to Facebook.com without first obtaining their consent. Last year, authorities in Belgium also ordered Facebook to stop tracking non-users. Several weeks later, Facebook began preventing non-account holders in Belgium from accessing Facebook.com. In the past, anyone in that country could access many Facebook pages found through search engines, including pages for small businesses, sports teams, celebrities and tourist attractions. The CNIL also said in its ruling that Facebook can’t send data about EU citizens to U.S. servers, due to a ruling last October that invalidated an agreement that enabled the data transfers. While EU and U.S. authorities recently negotiated a new agreement, it has not yet been finalized. [MediaPost] [French data privacy regulator cracks down on Facebook]

UK – UK and US Negotiating on Wiretap Orders and Warrants

US and UK negotiators are working toward an agreement that would allow MI5 to serve US companies with wiretap orders for communications of British citizens in counterterrorism investigations. The arrangement would also allow Britain to serve orders for stored data. The draft proposal would allow MI5 to access data stored on overseas computers that are run by American organizations. The proposal would allow US intelligence the same access in the UK. [The Register] [Wash Post]

Facts & Stats

UK – Data Breaches led 3 Million Brits to Switch Service Provider

In the UK, three million Brits have changed service providers as a direct result of data breaches, according to new research a by Privitar. Concerns over how personal data is stored, used and ultimately protected have led to growing discomfort among consumers, with findings suggesting that perceptions about how well organizations safe-guard their data is a significant consideration when customers are choosing a service. Despite this, more than half (52%) of the 2018 adults surveyed admitted that they struggle to find out how their data is stored and used by companies. With the GDPR due to be implemented across the industry in the coming months it appears companies are faced with the challenge of acting on data privacy and protection to win customer trust, thus avoiding customer churn. After all, 83% of respondents said they would look to switch to another service if they felt it could manage their data better.  [Infosecurity]

Filtering

EU – Google to Scrub Web Search Results More Widely to Soothe EU Objections

Google will start scrubbing search results across all its websites when accessed from a European country to soothe the objections of Europe’s privacy regulators to its implementation of a landmark EU ruling, a person close to the company said. To address the concerns of European authorities, the Internet giant will soon start polishing search results across all its websites when someone conducts a search from the country where the removal request originated, a person close to the company said. That means that if a German resident asks Google to de-list a link popping up under searches for his or her name, the link will not be visible on any version of Google’s website, including Google.com, when the search engine is accessed from Germany. [Reuters] [New York Times] [Google to honor RTBF requests worldwide, for European users]

Finance

UK – National Financial Crime ‘Taskforce’ Launched

The UK’s largest retail banks have joined forces with the Home Office, Bank of England and police to develop a coordinated approach to tackling fraud. Project Sunbird, a collaboration between the Western Australian Police and Western Australian government’s Department of Commerce, is able to analyse international transaction data to detect patterns consistent with fraud and pro-actively reach out to individuals who may have been victims. The new Joint Fraud Taskforce’s early work will focus on improving intelligence-sharing between the financial sector, government and law enforcement, in order to prevent fraudsters from exploiting gaps and vulnerabilities. It will also help to raise public awareness through a list of the 10 ‘most wanted’ fraudsters, and work to establish “a much richer understanding of how fraud happens, and what can be done to stop it”, according to the UK home secretary. Members of the taskforce include the City of London Police, National Crime Agency, the Bank of England, fraud prevention body Cifas, from Financial Fraud Action UK (FFA UK) and the chief executives of the major banks. The new taskforce will report to the Home Office, as well as publishing public updates, the home secretary told MPs. [Source]

Genetics

CA – Senate Bill Prohibits Employers from Taking Disciplinary Action for Employee Refusal to Disclose Genetic Test Results

Bill S-201, An Act to Prohibit and Prevent Genetic Discrimination has received second reading and been referred to the Standing Senate Committee on Human Rights. An employee’s refusal to undergo or disclose the results of a genetic test cannot be used to dismiss, suspend, demote or lay off an employee, impose any penalty on an employee, refuse remuneration, or threaten to take disciplinary action against an employee; no individual can disclose to an employer that an employee had undergone a genetic test or the results of an employee’s genetic test without written consent. [Bill S-201 – An Act to Prohibit and Prevent Genetic Discrimination – Senate of Canada]

Health / Medical

CA – Insurance Company Offers Rebates for Healthy Lifestyle

A Canadian insurance company is set to offer a new insurance program that rewards policy holders for healthy lifestyle choices such as regular exercise, getting an annual health screening or a flu shot. Ontario-based insurance giant Manulife is partnering with Vitality Group to bring the program to Canada, after rolling out similar systems in parts of Africa, Asia and the United States. The company said sign-up process is similar to many insurance policies, in that applicants take an online test to determine their level of overall health and then are offered a premium. Policy holders who enroll in the program receive personalized health goals and can log their activities using online and automated tools, which are integrated with the latest wearable fitness-tracking technology such as Fitbit, Manulife said. Officials at the Office of Canada’s Privacy Commissioner said while they have not studied the insurance product offered by Manulife, they would encourage people to carefully consider the potential implications before sharing any personal information – especially sensitive information. [Source]

US – Privacy Advocates Left Out Of NHS Care.Data ‘Oversight’ Board

Privacy advocates have been secretly expelled from the NHS’s care.data discussions group, while lobbyists backed by biotech corporations have kept their places at the table. The care.data Advisory Group was established in March 2014, after the scheme’s first collapse, as part of a process to get care.data – which intends to centralise patients’ health and social care data so it can be packaged and sold to private corporations – up and running again. A recent study into the scheme carried out by the University of Cambridge found that care.data was “launched in a contradictory regulatory landscape” and wracked with “unrealistic expectations” regarding the potential for patient health and social care data to be sufficiently anonymised when shared. [The Register]

US – Administrative Law Judge Affirms OCR Authority to Enforce HIPAA

An administrative law judge has upheld the authority of the Office for Civil Rights of the Department of Health and Human Services to enforce HIPAA regulations and impose fines, the second time a judge has made such a ruling in OCR’s favor. The decision means Lincare, a healthcare provider of respiratory care, infusion therapy and medical equipment to in-home patients, will have to pay $239,800 in civil money payments for an incident in which patient records were left unsecure. In the case, OCR charged that a Lincare employee took 278 patient records home and later left the records in the house after moving to live elsewhere. Another person who had lived in the home with the employee later found the records. An OCR investigation found that Lincare employees, who provide healthcare services in patients’ homes, regularly removed patient information from the company’s offices. “Further evidence indicated that the organization had an unwritten policy requiring certain employees to store protected health information in their own vehicles for extended periods of time,” the agency reported. “Although aware of the complaint and OCR’s investigation, Lincare subsequently took only minimal action to correct its policies and procedures and strengthen safeguards to ensure compliance with the HIPAA rules.” OCR reported that Lincare denied violating HIPAA, contending that patients’ protected health information was “stolen” by the individual who found the records in the home. In the ensuing court case, the administrative law judge ruled that Lincare was obligated to take reasonable steps to protect PHI. [Source] [Press Release | Notice of Proposed Determination | Decision]

Horror Stories

CA – Thermal Imaging May Lower Power Bill, But Raises Privacy Concerns

The City of Vancouver is beginning a new program that uses thermal imaging to identify older homes that are using excess energy. WATCH: Thermal imaging has been helping homeowners figuring out where they’re losing heat, so they can reduce their power bill, but it’s also adding concerns about a possible invasion of privacy. Beginning in April, the plan is to take images of up to 15,000 homes and then work with about 3,000 homeowners to make their spaces more green, by offering consultation and incentives. Higgins says the cameras can only detect heat, and the photos will only be shared with the homeowner. Once the 18-month pilot project is over, the images will be destroyed. [Global News]

US – Thieves Steal Tax Information from the IRS

The Internal Revenue Service was the target of an attack that used stolen social security numbers and other taxpayer data to obtain PINs that can be used to file tax returns electronically. The attack occurred in January and targeted an IRS Web application that taxpayers use to obtain their so-called Electronic Filing (E-file) PINs. The app requires taxpayer information such as name, Social Security number, date of birth and full address. Attackers attempted to obtain E-file PINs corresponding to 464,000 unique SSNs using an automated bot, and did so successfully for 101,000 SSNs before the IRS blocked it. The personal taxpayer data used during the attack was not obtained from the IRS, but was stolen elsewhere, the agency said in a statement. The IRS is notifying affected taxpayers via mail and will monitor their accounts to protect them from tax-related identity theft. [Source]

Internet / WWW

UK – Privacy Watchdog Warns That IoT Devices Can Track People

The UK ICO has told manufacturers of Internet of Things devices they should make better attempts to notify people that data could be collected on them. Simon Rice, technology group manager at the ICO, said that the IoT industry has to comply with data protection when collecting personal data. There could arguably be some confusion over what constitutes personal data and Rice set out a few examples of where data is personal and where it isn’t. What definitely is personal data are Mac addresses used in smartphones. “An IPv6 address could be personal as it would be specific to that device,” he said. He added that even if individual identification is not the intended purpose, the implications of IoT for privacy and data protection are still significant. [Source] See also: [IoT Could Be Used To Spy, Admits James Clapper] and [US intelligence chief: we might use the internet of things to spy on you]

WW – Data Security Concerns Remain Top Obstacle to IoT Initiatives

Despite the rapid growth of the Internet of Things, concerns over data security remain the number one obstacle to further development. That is the conclusion of a recent study by TEKsystems on the state of Internet of Things (IoT) initiatives. More than 200 IT and business leaders were polled by the Hanover, MD-based firm on project ownership, implementation status, risks, required skill sets and organizational preparedness. The purpose of this survey was to gain a better understanding of how organizations are being impacted by IoT, steps they are taking to prepare, resource barriers and challenges, as well as long-term IoT objectives. Key findings from the study are:

  • While 55% expect IoT initiatives to have a ‘transformational’ or ‘significant’ impact
    – just 22% of IoT initiatives have progressed to the implementation stage.
  • Information security and ROI are cited as the biggest hurdles to address
    – and information security experts are cited as the most difficult skill set to find.
  • Leadership of IoT initiatives still mostly reside with IT.
  • Two-Thirds expect IoT projects to be handled with internal staff, yet most organizations are not highly confident in their “in-house” preparedness [Source]

WW – IoT from “Sensor-to-Insight” to “Sensor-to-Action”

A few months ago, we passed an important milestone: For the first time in history, the mobile network traffic between machines had a higher volume than the mobile network traffic between humans. Imagine that… Internet-of-Things traffic surpasses the traffic generated by selfies, pictures of cute cats, text messages as well as all voice traffic in our mobile networks! Internet-of-Things has been a hot and exciting topic for quite a while, but now we see an important development that accelerates the IoT revolution: For a long time, the most common application for IoT has been to collect data. Sensors on various devices and machines have generated data, we have used clever technology to gather this data, send it to some central system and make sense of it. Let us call it “from Sensor to Insight”. What we see now is that we still gather data from remote devices and sensors, but the data can be used to trigger action. To execute business processes. Or influence already running processes. The focus of Internet-of-Things is moving, from “Sensor-to-Insight” to become “Sensor-to-Action”. [Source] See also: [FTC in no rush to regulate Internet of Things] See also: [Visceral data: After heartbreak, IoT devices give us ‘something to show’ ]

WW – GSMA Unveils IoT Security and Privacy Guidelines

The GSMA released guidelines designed to promote secure Internet of Things (IoT) service development and deployment, a sign that the mobile industry acknowledges a growing cybersecurity threat, as well as burgeoning consumer wariness around data privacy and IoT. The document was developed through consultation with the mobile industry. The rapid growth in IoT take-up increases the possibility of potential vulnerabilities, according to the GSMA. “These can be overcome if the end-to-end security of an IoT service is carefully considered by the service provider when designing their service and an appropriate mitigating technology is deployed.” The guidelines have been designed for all participants in the IoT ecosystem including service providers, device vendors and developers. As well as helping providers to build secure services from the outset, the guidelines also establish the need for assessing the risk of all components in an IoT service to ensure they are designed for secure data collection, storage and exchange. The guidelines went through a consultation with academics, analysts and other industry experts. [Mobile World]

Law Enforcement

US – New Report Shows the Limits of Police Body Cameras

The Brennan Center has just completed a study of the body camera policies in the 24 police departments around the country [PDF version] that have so far implemented them. Of the 24, 9 programs are still in the pilot stage. For comparison, the Brennan Center also included three model programs from the ACLU, the International Association of Chiefs of Police, and the Police Executive Research Forum. The authors of the study then broke the policies down into several charts, “Recording Circumstances,” “Privacy and First Amendment Protections,” “Accountability,” “Retention and Release,” and “Security.” [Wash Post] See also: [Survey: Almost All Police Departments Plan to Use Body Cameras] and [A separate effort by the Leadership Conference on Civil and Human Rights, a coalition of different advocacy groups, is tracking implementation of recommended body camera polices across 25 police departments].SEE ALSO: [Missouri Bill Permits Access to Recordings from Law Enforcement Body Worn Cameras: House Bill 2344, relating to body worn cameras and amending Missouri Revised Code in relation to public records, is introduced and read for a second time]

US – Nebraska Bill Permits Govt Use of ALPR Systems Subject to Restrictions

Legislative Bill 831, the Automatic License Plate Reader Privacy Act, is introduced and referred to the Judiciary Committee. Captured license plate data may only be used by specified law enforcement agencies for specified purposes (e.g. traffic violations, missing persons, stolen vehicles, criminal investigations, electronic toll collection, and controlling access to secured areas); law enforcement may only process privately held plate data no more than 14 days old and subject to a criminal warrant or court order. [Legislative Bill 831 – Automatic License Plate Reader Privacy Act – 104th Legislature of Nebraska]

Other Jurisdictions

WW – Privacy Bar Section of the IAPP Unveiled

IAPP has announced the launch of its Privacy Bar Section, which aims to serve the lawyers that compose more than forty percent of IAPP’s membership. In conjunction, the IAPP has also applied to the American Bar Association to have its privacy certification officially recognized as a legal specialty. [IAPP]

Privacy (US)

US – Obama Establishes ‘Cyber Czar’ and New Privacy Board

President Barack Obama is asking Congress to devote $19 billion to cybersecurity and is issuing new executive orders geared at the protection of both government and private computer networks. In one executive order, Obama directed agencies to implement the Cybersecurity National Action Plan. The CNAP is the broad plan that includes establishing the office of a federal chief information security officer, making budget requests and focusing on training opportunities. The federal chief information security officer marks the first time a senior official will be dedicated solely to developing, managing and coordinating the government’s cybersecurity strategy across multiple agencies, a “cyber czar” of sorts. A separate executive order will create the Federal Privacy Council, which is a multi-agency task force charged with coming up with policies to help the government fight hackers or identity thieves, while also protecting the privacy of individuals. The privacy council will report directly to the president. [The Blaze] [White House Executive Order on Privacy Falls Short]

US – ACLU, Tenth Amendment Center Take on Student Data Privacy

In consultation with the center — a think tank that advocates strict limits on federal power — the ACLU wrote model legislation that both organizations are urging legislators around the country to support. Parts of the bills aimed at bolstering student-privacy protections were written to ensure that “schools don’t become a Constitution-free zone,” and that companies that want to collect student data must first get explicit permission. Over the past two years, 32 states have enacted some sort of data-privacy law, according to the Data Quality Campaign. Some of those laws have been sweeping, such as California’s Student Online Personal Information Privacy Act, which has drawn particular praise from privacy advocates. Other laws are much weaker, experts say. To work around a lack of movement at the federal level over data-privacy protections for students, the activists and lawmakers working with the two organizations are calculating that if they get enough states to adopt a stricter slate of privacy expectations for vendors, companies will have little choice but to raise their standards to a level nationally that would allow them to work in any state. Tthe proposed legislation focuses on stepping up safeguards in four specific areas:

  • Parental or student consent to release student data for noneducational purposes or to third parties;
  • Limits on information that can be gleaned from computing devices loaned to students;
  • Protections from warrantless searches of students on campus; and
  • Restrictions on access to student postings that are behind privacy settings on social media.

The model legislation also calls for professional development to help teachers familiarize themselves with basic student-data-privacy concepts. The Future of Privacy Forum — a Washington-based think tank and a co-author of the Student Privacy Pledge, a commitment by ed-tech companies to safeguard data — offered a measured endorsement of the provisions in the ACLU’s model bill. [Source] See also: [Senate Bill 2171 – Student Privacy in Take-Home Technology Programs – State of Rhode Island General Assembly]

US – ACLU publishes updated privacy guide

The ACLU of Southern California announced its publication of the third edition of “Privacy and Free Speech: It’s Good for Business,” the organization reports on its website. The guide includes “more than 100 case studies and cutting-edge recommendations on everything from privacy policies to security planning to community speech standards,” the report states. “By following some pretty simple steps to incorporate privacy and free speech protections into products, businesses can make their services user friendly and avoid costly mistakes,” the report continues. “As the primer illustrates, doing so is not just good on principle — it’s good for business, too.” The primer is available for free online. [ACLU]

Privacy Enhancing Technologies (PETs)

WW – Britain’s First Anonymous Search Engine

Oscobo is the only UK-based Privacy Search Engine that does not track or store users’ data. The company was founded on the belief that personal data should remain just that, personal, and has set out to turn the tables to favour the Internet user instead of serving interests of big companies. This article will highlight the importance of understanding how user data is being tracked and used by search engines, and how using an anonymous option has clear benefits. [Source]

Security

EU – NIS Directive Establishes First EU-Wide Cyber Security Rules

In December 2015 the EU institutions came to an agreement on the Network and Information Security Directive, establishing a set of EU-wide rules on cyber security for the first time; formal adoption of the Directive by the European Parliament and the Council of the EU is pending at the time of publication. For those businesses that fall under its scope, such as search engines and cloud computing providers, the advent of the NIS Directive will mean that incident handling and notification will take on a more serious role than previously, and numerous security obligations will need to be satisfied. [FieldFisher Privacy Law Blog]

WW – Firms Feel More Confident In Ability to Thwart Data Breaches: Study

A majority of organizations believe they will be more secure against data breaches in 2016, despite the fact that nearly three-quarters of organizations experienced a security threat last year. Why the seeming disconnect? A growing number of organizations are investing in more advanced security solutions and are ramping-up end user training around data security best practices. Those are among the findings of the recent study “Battling the Big Hack“ from Spiceworks, which looked at IT professionals’ perceptions of the biggest IT security threats and the steps they’re taking to prevent security incidents and breaches within their organizations. The study found that while 80% of organizations experienced a security incident in 2015, 71% of IT professionals expect their organizations to be more secure in 2016. There is also good news in the study. “In order to protect end users from breaches on various devices in the workplace, 73% of IT professionals are enforcing end-user security policies and 72% are regularly educating their employees through lessons on topics such as ‘how to avoid malware’ and ‘how to spot phishing scams,’ the study noted. [Source]

WW – Infosec Pros Still Pressured to Release Unsecure Projects: Survey

Despite an increase in the number of data breaches last year infosec pros say they continue to be pressured by the business side to release projects that aren’t fully secure, according to an international survey. The survey, paid for by Trustwave, showed that 77% cent of respondents in five countries — and 7% of Canadians — felt either frequent or periodic pressure to roll out IT projects that weren’t security ready. The good news is that the majority agreed it was once or twice rather than frequently. However, if a bug slips by that could be once too many. Released this week, the survey questioned 1,414 in-house information security professionals from around the world including 210 from Canada. Others were in the U.S., Britain, Australia and Singapore. [IT World Canada]

WW – Removing Administrator Rights Mitigates Most Windows Vulnerabilities

According to a recent report, 85% of critical vulnerabilities in Windows last year could have been mitigated by eliminating administrator rights. Nearly all critical flaws affecting Internet Explorer (IE) could have been mitigated with the same action. [ZDNet] See also: [2009 report states that 92% of critical vulnerabilities would be mitigating by reducing the privileges for users on their systems] and [this guide from the NSA in 2013 also recommends reducing the use of local admin accounts. The use of local admin accounts is a prime example of how ease of use wins out over security. Microsoft has published some guides on how to manage this issue. [TechNet] [Technet]

US – DHS, FBI Employee Data Exposed

Someone posted personal information that seems to cover more than 9,000 US Department of Homeland Security (DHS) employees and 20,000 FBI employees online. The self-proclaimed attacker said that the information was taken from a Department of Justice (DOJ) computer using a compromised DOJ email account. [CNET] [DarkReading] [The Hill] [The Hill] [ComputerWorld] [vice.com]

Smart Cars

EU – European Multi-Stakeholder Group Releases Connected Vehicles Report

In December 2015, a multi-stakeholder group called “C – ITS Working Group 6” created in the context of the ITS and eCall working groups published a report on the possible ways that access might be granted to the data generated by connected cars. European Regulation 758/2015 requires the development of an “interoperable, standardized, secure, open-access platform” for the sharing of data. Originally, the work regarding the data sharing platform was related to the eCall directive, which requires cars to be equipped with communication devices that automatically communicate with emergency services in the event of a serious accident. However, Regulation 758/2015 mandates interoperable, standardized, secure, and open access platforms in the broader context of connected car data, including access to telematics data. [Source]

Surveillance

US – Dstillery Uses Iowa Caucus Data to Paint Voter Picture

In a Marketplace report, “data intelligence” and targeting ad firm Dstillery CEO Tom Phillips discusses how the organization employed data analysis technology to find correlating voter traits from participants in the Iowa caucus. “We watched each of the caucus locations for each party and we collected mobile device ID’s,” Phillips said. “It’s a combination of data from the phone and data from other digital devices.” The result? “NASCAR was the one outlier, for Trump and Clinton,” Phillips said. “In Clinton’s counties, NASCAR way over-indexed.” While Dstillery has only taken a look at Iowa voters, it “anticipates compiling voter data in other primaries” depending on candidate interest, the report states. [Source]

US Government Programs

US – White House Plots Privacy Updates for 2016

Marc Groman, who advises the White House on privacy issues, is focusing on delivering fundamental changes to privacy policy in government operations, including IT, in the next 11 months before President Barack Obama leaves office. “Privacy is not a subset of cybersecurity or IT,” said Groman, senior adviser for privacy at the Office of Management and Budget, during a Department of Homeland Security Data Privacy and Integrity Advisory Committee presentation on Feb. 8. “It has to move with those, but it needs its own council.” He was referring to the Federal Privacy Council, which was announced in December 2015 by OMB Director Shaun Donovan. It will be modeled on the CIO Council and will seek to bolster privacy best practices and operations in the federal government. The council will also try to capitalize on individual agencies’ advances in privacy policy, transform those strategies from reactive to proactive and “professionalize” privacy roles in the federal government, Groman said. “We want to shift from an environment of one-time compliance to one of ongoing risk-based” management that incorporates continuous reevaluation of privacy plans, he added. [FCW]

US Legislation

US – Senate Passes Privacy Bill Key to Two International Agreements

The Judicial Redress Act, which gives EU citizens the right to challenge misuse of their personal data in U.S. court has long been a stated requirement of the umbrella agreement, which would allow the U.S. and EU to exchange more data during criminal and terrorism investigations. Its role in the final approval of so-called Privacy Shield, struck last week, is murkier. The deal replaces a 2000 agreement that permitted some 4,400 U.S. firms to legally handle European citizens’ data, struck down by the EU high court in October over privacy concerns. The bill is also a prerequisite of a law enforcement data-sharing “umbrella” agreement reached last fall. [The Hill] See also: [Judicial Redress Act Would Extend Privacy Act Remedies to Citizens of Designated Foreign Nations] [Senate, House OK Judicial Redress Act, send to Obama to sign] [Laws to give EU citizens right of redress in the US over data handling move closer]

+++

 

 

Follow

Get every new post delivered to your Inbox.