By next year, the Australian government expects to have a plan in place for law-enforcement agencies to share facial-recognition data. As they try to battle organized crime, the report says, law-enforcement officials have been working on a national facial recognition database, which will initially be focused on matching faces to known criminals and then expand to match the faces of unknown criminals in footage or images to those in the general population via images collected for identity documents. The government currently holds some 100 million such images. At least six federal agencies will be able to access the database when it goes live. [IT News]
New South Wales (NSW) police are on the lookout for portable fingerprint scanners that are compatible with Samsung Note 4, a move that will cause minimal privacy waves. The search for the scanners was catalyzed by the police department’s desire to streamline the identity-check process, the report states, noting that while “there has also been strenuous ongoing debate in the country about associated privacy and civil rights issues … the NSW Police efforts in this case are fairly incremental … and are unlikely to spark a major controversy, at least until the police actually start using fingerprint sensors in the field.” [MobileIDWorld]
Facebook has launched a facial recognition tool in India that it withheld in Europe due to privacy concerns. “Moments” groups photo albums together using face recognition algorithms and allows users to search for photos of themselves and friends. American users are already using the tool. In June, Facebook said EU laws prevented it from releasing the app in Europe; regulators told the company it must offer an opt-in choice before unveiling. [Planet Biometrics]
Privacy must be the foundation of the Internet of Things (IoT) as its technology develops, and in order to quell user trepidation, the matter of how to do that “deserves serious thought.” “Privacy, security and trust cannot be an IoT afterthought—after all, these devices are collecting our stories,” the report states, noting data should be thought of as stories that generate insights for those seeking to market products to individuals. “Security has to be baked into the core platform from the beginning in order to explicitly manage what is happening to the information collected, who controls it, who has access to it and what is done with it,” the report states. [Information Age]
The Office of the Privacy Commissioner of Canada, alongside its counterparts in British Columbia and Alberta, has issued a document offering guidance for companies looking to implement BYOD programs. Citing “an increased blurring of the lines between professional and personal lives” and “employee concerns that privacy is at risk”, the 16-page missive walks through the stages of a rollout, from getting senior management onside, to privacy impact and threat-risk assessments, to testing and enforcing policy. [Appstech News]
BC Information and Privacy Commissioner Elizabeth Denham believes the province should require mandatory privacy breach reporting. Because BC still has voluntary breach reporting, “Denham said she has no way of knowing whether she’s hearing about all serious cases or whether citizens and consumers are being properly notified,” the report states. Meanwhile, in St. John’s, an attorney has filed a class action against Kiewit Energy over a privacy breach, and The Canadian Press reports on the call for improved Internet privacy training for both government and private-sector employees to help prevent breaches. “Online privacy awareness training is crucial to protect not only the employees but the employers’ reputation,” said University of Ottawa’s Karen Eltis. [Times Colonist] [Watchdog urges compulsory reporting of B.C. privacy breaches]
Following a highly critical report and unprecedented legal action by Ontario’s then privacy commissioner, Ann Cavoukian, Toronto police have taken steps to keep U.S. border officers from automatically accessing records about Canadians’ suicide attempts — sensitive personal information that could result in being denied entry. In a report to the Toronto police board released this week, Chief Mark Saunders outlined changes made in the wake of Cavoukian’s 2014 report, Crossing the Line, which chronicled the experiences of Ontarians refused entry into the U.S. based on a past suicide attempt. Cavoukian’s report and a Star investigation probed how U.S. border guards were being alerted to prior suicide attempts through the Canadian Police Information Centre (CPIC), a national police database operated by the RCMP. In his letter to the board, Saunders described a new protocol that “balances public safety with the need to protect Canadians’ privacy” by setting stricter limits on what information is viewable by U.S. Customs and Border Protection through CPIC. It is a different solution from Cavoukian’s, which suggested Toronto police halt the practice of automatically uploading or disclosing personal information through CPIC related to suicide threats or attempts. Insistent that the record needs to be shared with other police forces — information about previous suicide attempts or threats “can be instrumental in managing potential risk to the public, the officer and, importantly, the person in crisis,” Saunders writes — Toronto police instead worked with the RCMP to develop a new CPIC function that blocks U.S. border officials from accessing certain information while leaving it visible to Canadian police. [thestar.com]
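The mechanism described above is a requester-dependent view of a shared record: the same entry is served to domestic police and to a foreign border agency, but the sensitive category is stripped before it leaves the data owner. The block below is an added illustration of that pattern and is not CPIC’s, the RCMP’s or Toronto police’s code. The record layout, the requester classes, the field names and the policy table are all hypothetical, and the sample record is constructed. The design choice worth noting is that the policy is an allow-list applied on the sharing side: a field the policy does not mention is withheld from everyone, so a new sensitive field added to the schema fails closed rather than leaking by default, and each disclosure produces an audit line recording what was sent and what was withheld.

```python
"""Purpose-limited record sharing: one record, different views per requester.

Added example, not CPIC/RCMP code. Every name below (requester classes,
field names, the policy table, the sample record) is a hypothetical stand-in.
"""
from enum import Enum
from typing import Any, Dict, Set, Tuple


class Requester(Enum):
    """Who is asking. Hypothetical categories for the illustration."""
    DOMESTIC_POLICE = "domestic_police"
    FOREIGN_BORDER = "foreign_border"   # e.g. a border agency querying across the border


# Constructed sample record; not a real entry.
SAMPLE_RECORD: Dict[str, Any] = {
    "subject_id": "R-0001",
    "name": "J. Doe",
    "warrants": [],
    "convictions": ["theft under $5,000 (2009)"],
    # The category the page says should not reach foreign border officers.
    "mental_health_contacts": [
        {"date": "2013-04-02", "type": "suicide attempt", "outcome": "apprehended, no charge"}
    ],
}

# Allow-list per requester. Anything absent from the set is never emitted,
# so an unanticipated field fails closed for every requester class.
SHARING_POLICY: Dict[Requester, Set[str]] = {
    Requester.DOMESTIC_POLICE: {
        "subject_id", "name", "warrants", "convictions", "mental_health_contacts",
    },
    Requester.FOREIGN_BORDER: {
        "subject_id", "name", "warrants", "convictions",
    },
}


def filtered_view(record: Dict[str, Any], requester: Requester) -> Dict[str, Any]:
    """Return only the fields this requester is entitled to see.

    The filter runs on the data owner's side: the requester never receives
    the withheld fields, so it cannot be trusted (or required) to discard them.
    """
    allowed = SHARING_POLICY[requester]
    return {key: value for key, value in record.items() if key in allowed}


def withheld_fields(record: Dict[str, Any], requester: Requester) -> Set[str]:
    """Fields present in the record that the policy keeps from this requester."""
    return set(record) - SHARING_POLICY[requester]


def share(record: Dict[str, Any], requester: Requester) -> Tuple[Dict[str, Any], str]:
    """Produce the view plus an audit line naming sent and withheld fields."""
    view = filtered_view(record, requester)
    audit = (
        f"share subject={record['subject_id']} to={requester.value} "
        f"sent={sorted(view)} withheld={sorted(withheld_fields(record, requester))}"
    )
    return view, audit


if __name__ == "__main__":
    for who in Requester:
        view, audit = share(SAMPLE_RECORD, who)
        print(audit)
        print("  keys delivered:", sorted(view))
```

Run stand-alone, the script prints one audit line per requester; the foreign-border line lists `mental_health_contacts` under `withheld` while the domestic line withholds nothing.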
Alberta’s information commissioner is appealing to the Supreme Court of Canada a ruling which significantly limits her powers to hold the government accountable. It also sets a precedent which one expert says could lead to increased secrecy at government ministries across Canada. In April, the Alberta Court of Appeal ruled information and privacy commissioner Jill Clayton does not have the legal authority to compel public organizations – such as government ministries – to hand over records which they claim are subject to solicitor-client privilege. Ottawa lawyer and freedom-of-information expert Michel Drapeau called the ruling a “very, very dangerous precedent” which he believes will be frequently abused by governments seeking to evade transparency and accountability. “We will only receive information which a government institution decides we are entitled to,” Drapeau said. “(Ministries) will block the rest of it by using this very convenient tool: solicitor-client privilege.” [CBC News]
Arguments have now concluded about the constitutionality of Nova Scotia’s ground-breaking legislation designed to combat cyberbullying. After a day and a half of arguments from lawyers, Justice Glen MacDougall reserved his decision to a later date. Privacy lawyer David Fraser brought the Charter challenge to the Nova Scotia Supreme Court, saying the 2013 provincial statute violates sections 2(b) and 7 of the Canadian Charter of Rights and Freedoms, which protect freedom of expression and the right to life, liberty and security of the person. “The definition of cyberbullying is too broad and is defective,” said Fraser. He argued in court that any comment made online that could hurt a person’s feelings may constitute cyberbullying, and that a finding of cyberbullying can result in sweeping communication restrictions on the person who made the comments. The current legislation, he said, captures everything from political advertising to benign online commentary. In defence of the Cyber-Safety Act on behalf of the Attorney General, lawyer Debbie Brown argued the legislation does not infringe on any rights, and that any infringement that does exist is reasonable. Brown told the court that freedom of expression protects three categories of speech:
- Pursuit of truth
- Participation in social or political decision making
She argued that cyberbullying — in this specific case and in general — rarely falls into any of these categories. If the speech is not protected by the Charter, the Act should be allowed to stand, Brown said. Lawyers also tackled a procedural issue. Protection orders under the current Act can be granted ex parte, meaning without the other party being heard: victims can request a court order under the Act without the accused being notified, so the first notice an alleged cyberbully may receive is a document served by police immediately restricting their online communication. Justice Glen MacDougall did not give a precise date for his decision. [Source]
The Office of the Privacy Commissioner “has commenced an investigation into the matter concerning (Ashley Madison owner) Avid Life Media.” Last week, hackers leaked the personal information of 39 million Ashley Madison users, including emails, credit card information and sexual preferences. “Given that the company is based in Canada, and considering the global scope of the incident, our office will be investigating jointly with the Office of the Australian Information Commissioner, and in cooperation with other international counterparts,” Lawton said. [Source]
CA – Feds Consider Scheme to Circumvent Effect of Ruling That Curbs Police Access to Internet Subscriber Data
A new administrative scheme that would allow police to obtain basic information about Internet subscribers without a warrant is one option being considered by federal officials following a landmark Supreme Court ruling that curbed access to such data, Canadian police chiefs say. The glimpse into federal deliberations about how to address the highly influential court decision comes in a newly published background document from the Canadian Association of Chiefs of Police, which is urging the government to fill the legislative gap. [The Star]
The Personal Information Protection Act (PIPA) has been amended. “As a result of the amendment, organisations that experience a data breach could find themselves faced with court-awarded damages of up to three times the actual damage caused” by the breach, the report states. Once the amendment goes into effect, it is expected it “will lead to a sharp increase in liability lawsuits following personal data breaches. With some organisations holding millions of customers’ data, the enormous potential fine should in turn encourage organisations and others who hold personal data to take greater care to protect personal information,” the report states. [ReedSmith’s Technology Law Dispatch]
Alberta Information and Privacy Commissioner Jill Clayton is appealing a ruling that “significantly limits her powers to hold the government accountable” to Canada’s Supreme Court. University of King’s College’s Dean Jobb writes on an “about face” on police disclosures of the names of those who have died as a result of violent crimes. The Ontario Office of the Information and Privacy Commissioner has found “no evidence of tampering or interference with documents requested” by the newspaper. And in Saskatchewan, the Office of the Information and Privacy Commissioner found a healthcare employee’s privacy was breached “when his personal information was shared by his employer, the health region and the health ministry.” Meanwhile, in Toronto, “police have taken steps to keep U.S. border police from automatically accessing records about a Canadian’s suicide attempts.” [CBC News]
In a letter to the Honourable Ted McMeekin, Minister of Municipal Affairs and Housing, the Ontario Commissioner applauds the ministry for engaging the public and other stakeholders in its review of Ontario’s municipal legislation. Recognizing this process as an opportunity to improve accountability and transparency, he recommends amendments to the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) relating to municipal councillors’ records. The proposed amendment would broaden the scope of information accessible under MFIPPA. The Commissioner has offered his continued assistance to the minister and his staff, and asks that his office be consulted on any reforms that involve new collection, use or disclosure of personal information or personal health information. [Source] SEE ALSO: When the Ontario Legislature resumes its sitting in September, it will be looking at the Police Record Checks Reform Act 2015.
- [Micro-targeting is a political tool that can help parties win]
- [Canada: Protecting Your Personal Data]
- [Nova Scotia judge reserves decision on law inspired by Rehtaeh Parsons]
- [Government surveillance of citizens a troubling trend in Canada]
- [New global tax rules could erode your financial privacy]
- [Manitoba civil servants get ‘ethics’ reminder after Ashley Madison leak]
- [SK Care home, health ministry should not have shared personal information: Privacy commissioner]
According to a study by security corporation Intercede, less than five percent of 16- to 35-year-olds in the U.S. and UK trust that their digital identities are adequately protected, with 70 percent believing that these online risks aren’t going anywhere soon. “Millennials have been digitally spoon-fed since birth, yet a general malaise is brewing among this demographic in terms of how safe their online data really is,” said Lubna Dajani, a digital technologist, adding, “Businesses and governments should urgently review current security protocols or else risk the potential to drive innovation and growth.” And The Telegraph reports Google search data indicates concern among UK residents in the wake of recent breaches. Meanwhile, InfoWorld provides tips on how to protect anonymity online. [ComputerWeekly]
New South Wales (NSW) has a “plan for a whole-of-government data analytics centre,” suggesting that while it highlights “the potential of big data to influence and inform government policy decisions … it’s good to see that a steering committee, composed of NSW’s privacy commissioner, chief scientist, customer service commissioner and information commissioner, has been established to oversee the centre’s establishment.” The report calls the involvement of privacy experts “absolutely crucial because harnessing big data does have its complications”—specifically addressing consumers’ rights and interests, noting that even with anonymous data, “data analytics increasingly gives organisations the ability to drill down to monitor and understand individual behaviour, often without the awareness of those being observed.” [Technology Spectator]
The government “has failed to conduct proper privacy impact assessments (PIAs) on almost 90% of the national security measures it has passed in the last 14 years.” That’s according to independent research by privacy advocate Roger Clarke, the report states, noting that since the Sept. 11, 2001, terrorist attacks, “Australia has passed about 72 security-related measures—from increasing electronic spying, to metadata and biometrics,” but “only 20 of those laws had any kind of PIA, and of those, half were done in secret without any public consultation,” Clarke said, “The track record of government agencies is appalling on this matter.” [ABC News] [AU – Government failed to conduct privacy impact assessments on 90pc of security measures]
Activists are expressing concern about an Irish government policy of publishing the names and addresses of new citizens in Iris Oifigiúil, the official government register. Digital Rights Ireland believes the practice, which has been in place since at least 2005, is in breach of EU law. However, the practice was reviewed in 2011 by the Minister for Justice and it was decided the practice is mandated by a 1956 Act. The Data Protection Commissioner found, too, that the processing of personal information in this way is exempt from the Data Protection Act. In response, the Migrant Rights Centre Ireland has said they are “astounded” that the government has made this information so easily accessible. [Irish Times] See Also: [Government surveillance of citizens a troubling trend in Canada] and [Micro-targeting is a political tool that can help parties win]
Dozens of California state agencies have not fully complied with cybersecurity standards designed to protect Social Security numbers, health records, income tax information and other sensitive data from hackers. That’s according to a report released by state auditor Elaine Howle. The audit found that 37 executive-branch agencies that told the Department of Technology they met security requirements hadn’t done so, and eight won’t finish the necessary tasks until 2020, the report states. Howle’s “high-risk update,” which doesn’t name the agencies, “raised questions about the technology department’s oversight in light of high-profile breaches elsewhere that have exposed confidential records maintained by public agencies,” the report states. [The Recorder]
- Pinsent Mason Consultant Lawyer Kuan Hon warns of new obligations and liabilities for service providers under current versions of the General Data Protection Regulation.
- A broad industry coalition is lobbying the European Union to strike part of the General Data Protection Regulation that could force companies to deny requests for personal data from non-member countries.
- The UK Information Commissioner’s Office has requested Google take down links to article-removal-request stories under the right to be forgotten.
As healthcare providers switch to electronic health records (EHRs), methods for controlling access and ensuring accuracy are needed. The Intercept highlights stories of patients’ mental health records being accessed by individuals the patients did not expect to have access—for example, through an EHR system opened up in the name of efficiency or through a company’s health-incentive program. Matching records to the right patient is also a challenge: with the growth of EHRs and the push for a secure national health data exchange, there is a need for new methods, “such as new algorithms,” to improve the process. Meanwhile, Intel and the Knight Cancer Institute recently announced the Collaborative Cancer Cloud, which uses data analysis to advance cancer care. [The Intercept]
A broad industry coalition is lobbying the European Union to strike out part of the General Data Protection Regulation that could force companies to deny requests for personal data from non-member countries. Article 43a of the regulation says companies should not always comply with requests from courts, tribunals and administrative authorities in non-EU countries for the personal data of Europeans—except under law enforcement treaties or relevant agreements between those countries and the EU. The clause could create a quagmire for global companies, according to the Industry Coalition for Data Protection, whose members include Apple, Google and AT&T. It asks that the issues be dealt with in the data protection directive rather than the regulation. [Politico]
UK Information Commissioner Christopher Graham discusses the EU General Data Protection Regulation (GDPR). Graham contrasts his office’s enforcement capabilities with those of the U.S. FTC, which he says can impose “eye-watering fines, which has a major effect in protecting privacy,” while “the most I can fine anyone … is half a million pounds. The FTC wouldn’t cross the road for half a million pounds or dollars.” Meanwhile, Krux’s Joe Reid writes for Fourth Source about provisions expected in the forthcoming GDPR and the value of privacy for businesses, noting, “The ability of a business to keep its customer data safe is increasingly becoming a differentiator.” And Computer Weekly reports that “prudent businesses” in the UK “are considering and planning for the new regulation right now.” [Computing]
Since the EU’s embrace of the right to be forgotten, reports citing specific examples of story-removal requests have begun spurring interest in the stories set to be removed. As such, the UK Information Commissioner’s Office has requested Google take down links to those article-removal-request stories as well. The move “could provide an example for other countries, potentially provoking a new wave of takedown requests of stories about takedown requests and a subsequent wave of stories about those new requests,” the report states, adding, “That will also give ammunition to both free speech advocates and privacy activists in their tussle over where to draw the line between privacy and the public’s right to know.” [The Wall Street Journal]
Local councils are responding to the recent Big Brother Watch report on more than 4,000 data protection breaches by councils in the past three years, with one spokesman stating, “We have a legal, moral and ethical duty to properly take care of personal information. As an organisation which processes hundreds of pieces of data every day, we take that responsibility very seriously.” [Burton Mail] Meanwhile, the Information Commissioner’s Office (ICO) has given Central Bedfordshire Council a “limited assurance” rating following a data protection audit. “The ICO advised that the council take action to better its data sharing practices, records management and training and awareness,” the report states. [Digital by Default News]
Although the National Transport Authority has put forward proposals for public input to make CCTV mandatory in taxis, in-cab surveillance footage is inadmissible in Irish courts under current law. “Technically,” an Office of the Data Protection Commissioner (ODPC) spokeswoman said, “it’s just another individual. They would be inadmissible in a court, because they had no consent from the other person to record it, so they wouldn’t be able to use it.” The ODPC spokeswoman added, “It wouldn’t be of use unless the regulation changes and they are allowed to have CCTV footage and they become the data controller of the CCTV footage.” [Herald.ie]
The Bavarian Data Protection Authority (DPA) recently fined both a seller and a purchaser “for unlawfully transferring customer data as part of an asset deal.” Citing the economic value of customer data, the report notes, “It frequently happens that a company tries to sell these high-value assets to another company as part of an asset deal.” In the Bavarian DPA’s view, the report states, “transferring customer email addresses requires prior customer consent or, alternatively, customers must be informed of the intent to carry out such a transaction beforehand to give them the opportunity to object.” While exact penalties were not released, the DPA “confirmed they were both five-figure sums and emphasised that the penalties were significant and incontestable.” [JD Supra] The National Law Review reports that the German Chamber of Commerce and Industry has “expressed doubts over the appropriateness” of the government’s draft data retention bill.
Elton John is taking legal action in France over “unfounded reports” about his and husband David Furnish’s private life. Lawyers for the singer have pledged to take action against three French media outlets after they published rumours about John’s health. A legal rep for John and Furnish said that his clients “have instructed my office to pursue through the justice system the violation of the right to respect for their private life due to the publishing by Closermag.fr, TeleStar.fr and VSD of unfounded rumours about their health”. He added that the two men “will no longer tolerate the violation of their privacy and the exploitation of their renown and their image for commercial ends in France”. [Source]
In an attempt at “cleaning up the Internet,” the Chinese government arrested 15,000 alleged cybercriminals. “The Chinese have gotten increasingly worried that they do not have the right kind of regulations, protections and responses in place,” said the Council on Foreign Relations’ Adam Segal. “There is a real sense that there needed to be some type of regulatory response to potential attacks.” The move is among other recent Chinese gestures in an attempt to drum up a greater privacy presence, including the announcement of “cyberpolice units” installed at major corporations and a data protection draft law. [PYMNTS]
Twitter blocks accounts that keep tweets deleted by politicians, saying their rights are more important than society’s right to know. One of the most fascinating things about watching the evolution of Twitter as a platform is the tension between its desire to be a tool for free speech around social issues — a kind of engine that empowers citizen journalists — and the pressure to be a business. Is the service really the “free-speech wing of the free-speech party,” as its executives are fond of saying, or is it just another advertising platform whose primary motivation is boosting its share price? The latest incident to highlight this tension is Twitter’s blocking of a number of accounts that preserve the tweets of politicians, as a way of tracking their public statements about social issues. Twitter first blocked the U.S.-based account @Politwoops in June, and now it has blocked a number of other similar accounts in different countries that were run by the Open State Foundation, a non-profit group that promotes transparency through open data. “Twitter’s decision to pull the plug on Politwoops is a reminder of how the Internet isn’t truly a public square. Our shared conversations are increasingly taking place in privately owned and managed walled gardens, which means that the politics that occur in such conversations are subject to private rules.” [fortune.com] See also: [Download a free messaging app that protects your privacy] [Global think tank calls for global digital privacy] [People are freaking out over a feature in Windows 10’s family accounts] [What’s up with ‘dox’? The troubling history of an online scare tactic] [Lessons From a Tragic Kidnapping in Germany]
The Securities and Exchange Commission (SEC) has decided not to penalize Target for its 2013 cyber-attack, which resulted in the exposure of millions of customers’ data. The SEC was one of several government entities investigating the company following the breach, the report states. In Target’s quarterly results document, which was filed with the SEC and published online for Target’s investors, the company said the SEC’s investigation had ended and that it “does not intend to recommend an enforcement action against us.” State attorneys general and private litigators continue to investigate, which may result in penalties or settlements, the report states. [StarTribune]
While Visa and Target announced a deal last week to compensate card issuers with up to $67 million, lawyers for a slew of banks and credit unions seeking class-action status say it’s not enough “for costs incurred in reissuing cards and reimbursing customers for fraudulent charges.” With a deadline to participate in the Visa-Target deal set for September 4, banks and credit unions must decide whether to take that money or to forgo it in favor of the potential class-action, a certification hearing for which is scheduled for just six days later. Plaintiffs’ lawyers “strongly recommend that financial institutions not accept the optional alternative recovery offers.” [National Law Journal]
Visa says it has reached an agreement with Target to reimburse card issuers up to as much as $67 million for costs related to the retailer’s 2013 data breach. The agreement is more than three times the amount of a prior settlement proposed with MasterCard that did not gain enough support from the financial institutions involved, the report states. In April, the financial institutions challenged the proposed $19 million data breach settlement with MasterCard, filing a motion to void it. Settlement negotiations with Visa were ongoing at that time. “Visa has worked to help Target reach a resolution for the expenses incurred by financial institutions as a result of the 2013 compromise,” a Visa spokesperson said, adding, “This agreement attempts to put this event behind us.” [Reuters]
The latest Ashley Madison news includes more class-action developments and an interview with the hackers behind the breach. “Will The Impact Team be hacking any other sites in the future? If so, what targets or sort of targets do you have in mind?” “Not just sites. Any companies that make 100s of millions profiting off pain of others, secrets, and lies. Maybe corrupt politicians. If we do, it will be a long time, but it will be total,” The Impact Team responds in an email. Meanwhile, a class-action suit filed “on behalf of Canadians who subscribed” to the site seeks $578 million, StarTribune reports, and Ars Technica reports a New York-based firm is seeking Ashley Madison users in the U.S. to join a prospective privacy and consumer fraud suit. Meanwhile, a CSO op-ed highlights different strategies for companies to stay safe from “cyber extortion.” [Motherboard]
Legislation requiring business “to record their beneficial owners in a public central registry maintained by the government” is a step toward healthy transparency, Alexandra Wrage writes. “Elsewhere in the world, owners of private companies can continue to keep that information hidden from public view,” Wrage notes, adding, “While many argue that this is a fundamental principle of financial privacy, it has also permitted extreme abuses by criminals and kleptocrats.” Wrage adds that “in spite of privacy concerns, many in the business world support the new requirements” and that “sunshine laws make it easier for companies to conduct due diligence on their partners.” [Forbes]
The Indian Ministry of Science & Technology’s Department of Biotechnology posted its Human DNA Profiling Bill for public feedback through August 20. The report cautions that, among other omissions in the current draft, “the Group of Experts’ privacy recommendations are also still missing.” According to the report, the bill does not include such privacy safeguards as specifying when DNA can be collected without consent and providing an explicit guarantee that DNA will not be used for purposes other than those for which it was collected. Meanwhile, The Times of India reports an individual has filed a public interest litigation with the Bombay High Court over Mumbai police’s hotel raids, alleging a right-to-privacy violation. [Wire]
A bill being prepared by Dutch Health Minister Edith Schippers is raising concerns. “The government plans to loosen rules on patient privacy by requiring doctors in some cases to work with official agencies probing disability fraud,” the report states, noting the legislation “could clash with the EU’s schedule for implementing regulation to boost patient data protection, which starts to get under way in September.” Meanwhile, IT Pro Portal sums up six tips for moving healthcare services to the cloud in the UK, and the NHS England and the UK government need “to face privacy and security risks head-on” as patients’ privacy concerns “stand in the way of great health research and public service efficiencies.” [Politico]
A study from cloud provider Elastica has found the healthcare industry is the biggest culprit for shadow data use. Elastica defines shadow data as “all potentially risky data exposures lurking in sanctioned cloud apps, due to lack of knowledge of the type of data being uploaded and how it is being shared,” the report states. Healthcare companies have many violations “because of the complexity of relationships in the industry, which include physicians, hospitals, clinics, patients, employees, contractors and insurers, among others. Consequently, there are more potential areas of data leakage than in other industries,” the report states, noting Elastica “found millions of files at risk for direct compliance violations, possible intellectual property leaks or generally risky exposures.” [HealthData Management] [Why cloud security is your next big, expensive, headache]
In an effort to move forward with plans for a national patient identifier (NPI), the College of Health Information Management Executives (CHIME) is launching a contest—and offering $1 million for the best NPI proposal. Historically, the idea of an NPI has been controversial, but supporters “say it is crucial to ensuring patient safety and to enabling healthcare organizations to exchange electronic patient data,” the report states. CHIME’s Keith Fraidenburg has emphasized the winning NPI “must protect privacy and security,” the report states, noting, “Whatever CHIME comes up with, privacy defenders are sure to fight back” due to concerns an NPI will make “records more vulnerable to theft and misappropriation.” The contest kicks off this fall, with a winner announced in 2016. [CIO] [US: National patient identifier struggles for life]
The Internal Revenue Service (IRS) has announced hackers “potentially accessed tax information for a total of 338,000 taxpayers—triple the amount feared when the breach was first disclosed in May.” Originally, the IRS believed the hack had exposed information on 114,000 taxpayers, the report states. “As part of the IRS’s continued efforts to protect taxpayer data, the IRS conducted a deeper analysis over a wider time period covering the 2015 filing season, analyzing more than 23 million uses of the Get Transcript system,” the IRS said in a statement, noting it is “moving aggressively to protect taxpayers whose account information may have been accessed.” [NBC News]
The IRS 2015 breach, in which hackers utilized weak elements of the agency’s website to steal nearly 334,000 personal records, was easy to do based on previous breaches and sub-par IRS cybersecurity measures. “Just knowing a person’s address, which you can get from one of these more traditional breaches, you can discover a lot about a person,” said the University of Michigan’s Kevin Fu. This easy access to information coupled with weak internal programs, some of which “have been running for 50 years,” according to IRS Commissioner John Koskinen, makes it a “difficult challenge competing with organized criminals who have resources.” [Quartz]
Hackers who stole sensitive customer information from the cheating site AshleyMadison.com appear to have made good on their threat to post the data online. A data dump, 9.7 gigabytes in size, was posted to the dark web using an Onion address accessible only through the Tor browser. The files appear to include account details and log-ins for some 32 million users of the social networking site, touted as the premier site for married individuals seeking partners for affairs. Seven years’ worth of credit card and other payment transaction details are also part of the dump, going back to 2007. The data, which amounts to millions of payment transactions, includes names, street addresses, email addresses and amounts paid, but not credit card numbers; instead it includes four digits for each transaction that may be the last four digits of the credit card or simply a transaction ID unique to each charge. AshleyMadison.com claimed to have nearly 40 million users at the time of the breach about a month ago, all apparently in the market for clandestine hookups. [Wired Magazine] [The AshleyMadison Leak and Why We Shouldn’t Buy Into It] [Ashley Madison hack includes hundreds of gov’t email addresses] [Ottawa man files lawsuit against Ashley Madison citing privacy breach] [Cyber-Posse Aims to Round Up Ashley Madison Hackers] [How one woman discovered she had an Ashley Madison account]
The Japan Pension Service’s (JPS) handling of a May targeted attack that affected 1.25 million records illustrates a “sloppy information management (that) must be corrected urgently.” “A sweeping organizational reform is called for, in addition to the bolstering of information management systems,” the report continues, noting a similar attack occurred in April. The report calls for efforts “to ensure that a recurrence of similar incidents is robustly prevented” and to restore confidence in the JPS. Cybersecurity reform is especially important, the report states, as cyber-attacks “are becoming more ingenious and shrewd.” [The Japan Times]
Reaction to the massive leak of personal information from Ashley Madison continues, Kashmir Hill writes. Several websites have emerged that allow users to sift through the data, including a site in which a user can plug in an email address to see if it is affiliated with Ashley Madison. In the first 24 hours, https://ashley.cynic.al/ received more than 300,000 visits with more than one million searches. Hill writes, “The ease of checking the Ashley Madison database for a match raises a much tougher ethical question: Even if you can check to see who was using Ashley Madison, should you?” Business Insider shares an interview it conducted with the CEO of Avid Life Media, the parent company of Ashley Madison, before the hack. Meanwhile, New Zealand Privacy Commissioner John Edwards has said that “not a lot” can be done to remove the information that was stolen from AM, Stuff.co.nz reports. [Fusion]
Amidst hackers’ exposure of more information from infidelity site Ashley Madison, Toronto lawyers have filed a class-action notice in Superior Court. The “Impact Team, the ‘hacktivist’ group who released 10 gigabytes of customer data earlier this week, dropped another 20 gigabytes of data, including emails from the inbox of company CEO,” the report states. “It seems massive in some respects, but for us, it’s a classic privacy breach case,” said Ted Charney, one of the attorneys working on the suit. The corporations that run Ashley Madison are listed in the suit, but the hackers are not, the report states. [Toronto Sun]
Amidst the exposure of more information from infidelity site Ashley Madison, class-action suits now follow in the U.S. and Canada. The Canadian suit names the corporations that run Ashley Madison but not the hackers, while an Oklahoma firm “appears to be seeking out plaintiffs.” Lawsuits filed over the hack will be challenging, the report notes, adding, “Those who take legal action will likely out themselves as one of the notorious website’s purported 39 million members. And just like with any ordinary data breach, they would have to prove they were harmed in some way in order to collect damages.” Meanwhile, Glenn Greenwald likens reactions to the Ashley Madison hack to Hawthorne’s The Scarlet Letter. [NBC News]
Information regarding the specific identities behind the Ashley Madison hack is worth $500,000, Toronto police said on behalf of Avid Life Media, the organization that runs the hacked site. The announcement comes on the heels of an alleged dual suicide of two Ashley Madison leak victims. “This hack is one of the largest data breaches in the world,” said the Toronto police’s Bryce Evans. “The social impact behind this leak, we’re talking about families; we’re talking about children … It’s going to have impacts on their lives.” He said he hopes those “who no doubt have information that could assist this investigation … do the right thing.” Meanwhile, the Office of the Australian Information Commissioner has opened an investigation into the breach. [Tech Crunch]
93,000 Web.com users’ credit card information was compromised in a breach discovered on August 13. The company discovered the breach during routine security checks. Web.com has set up an FAQ page for its customers addressing issues including why it took the company five days to notify users of the breach and what its users should do now. “You should keep a close eye for any suspicious or unusual activity on any credit/debit cards that you may have used with Web.com,” the FAQ states, adding customers should also monitor their credit reports. The company is also offering a year of free credit monitoring, the report states. [Naked Security] [UK: Data breach by holiday firm Thomson exposes hundreds of passengers]
The Department of Education (DoE) has published draft guidance for colleges to best navigate the use of student medical records while respecting privacy. The guidance was catalyzed by the recent University of Oregon suit in which the plaintiff argued the school violated her privacy by accessing her mental health records for use in a rape case. “We want to set the expectation that, with respect to litigation between institutions of higher education and students, institutions generally should not share student medical records with school attorneys or courts, without a court order or written consent,” said DoE CPO Kathleen Styles. The guidance is open for comments until October 2. [Inside Higher Ed]
“If I had a rupee for every time someone tried the ‘If you have nothing to hide, you have nothing to fear’ argument on me, I could have funded a privacy think tank devoted to debunking it,” Malavika Jayaram writes. Jayaram discusses the plan for a universal identifier, or Aadhaar cards, contending that with Aadhaar, “Privacy is breached at several levels,” including when data is collected, when it is stored and when it is used. “All of this is compounded by the lack of a statutory frame for the Unique Identification Authority of India and/or a dedicated privacy law,” Jayaram writes, noting that while the attorney general has stated “there is no privacy violation if the data is not shared, this fails to acknowledge the very complex network of transactions and uses that the scheme is predicated on.” [Scroll]
Sociologist Katherine Cross argues that real-name policies implemented by several social networks and online communities will not stop cyber harassment. “The anti-anonymity lobby is being led by very large companies that have built both a business model and an ideology around forcing us to have a specific set of identities we bring to the Internet,” Cross said. “It’s being dressed up as a solution to abuse, but it is not … anonymity does not cause harassment—it does play a role, but it is much more complicated than most people make it out to be.” Cross added, “If we continue down this path of blaming anonymity, we will never tackle the causes of online harassment.” [Wired]
A Phenix City woman pleaded guilty in Montgomery to conspiracy and aggravated identity theft involving a $7.5 million identity-theft refund fraud. Talashia Hinton pleaded guilty in U.S. District Court to using information stolen from databases maintained by the state of Alabama to file false tax returns and steal millions from the government. The indictment contends that Hinton worked with co-conspirators to file more than 3,000 false tax returns for 2012 and 2013, claiming more than $7.5 million in federal income tax refunds from the Internal Revenue Service. [The Montgomery Advertiser] [Internet company Web.com hit by credit card breach]
Joseph Cannataci, the UN’s first special rapporteur on the right to privacy, believes “the world needs a Geneva convention style law for the Internet to safeguard data and combat the threat of massive clandestine digital surveillance,” The Guardian reports. Describing the current state of the world as worse than George Orwell’s 1984, he notes, “Orwell foresaw a technology that was controlling. In our case we are looking at a technology that is ever-developing, and ever-developing possibly more sinister capabilities.” Meanwhile, InfoSecurity reports the UN Diplomatic Council (DC) is criticizing Internet providers’ failure to protect customers’ digital information. “There is an urgent need to bring about a harmonization via the UN, which guarantees the people all over the world a digital privacy,” said the DC’s Dorian Hartmuth. [The Guardian]
After Virginia State Police used an automatic license-plate reader (ALPR) to spot Vester Lee Flanagan fleeing the scene after shooting to death two journalists, the debate over ALPRs has come to the forefront. While organizations like the Electronic Frontier Foundation (EFF) and the ACLU have spoken out against the devices for their privacy implications for ordinary citizens, police departments say they’re a critical tool in controlling crime. Jennifer Lynch, senior staff attorney at the EFF, said that while ALPRs may be useful “in an extreme scenario like this one, that shouldn’t mean the police can indiscriminately keep data for an extended period of time on all other cars in the area.” [SC Magazine]
San Jose Mayor Sam Liccardo and Councilmen Johnny Khamis and Raul Peralez have proposed that the city consider strapping license plate readers to the front of garbage trucks, allowing them to record the plates of every car along their routes. The data would be fed directly to the Police Department from the privately operated trash trucks, prompting an officer to respond to stolen vehicles or cars involved with serious crime. “We can cover every street at least once a week and possibly deter thieves from coming into our city,” Khamis said. A committee chaired by Liccardo that sets the council’s agenda voted to continue exploring the idea. Khamis said the action is only the first step in a long process. The proposal calls for city officials to explore the “feasibility, legality and civil liberties implications” of garbage-truck-mounted license plate readers. Questions the council members asked the city to consider include the process of transferring license data from the private garbage trucks to the police, whether they would be subject to the same or different policies governing police car license readers, and whether other cities have taken similar measures and how they worked. “We’ll look at privacy concerns and talk to ACLU before we do anything,” Khamis said. [San Jose Mercury News] [Beaconsfield garbage truck cameras an invasion of privacy, residents say] [US: Privacy Questioned as Firefighters Embrace Helmet Cameras]
When the Ontario Legislature resumes its sitting in September, it will be looking at the Police Record Checks Reform Act 2015, which would limit the types of information disclosed in response to records check requests and bring greater uniformity to records checks. Timothy Banks examines “what a police records check will include and what it won’t when you request a police records check on a current or prospective employee or volunteer.” The bill has broad support and “is a direct response to concerns about the practice of releasing non-conviction information and mental health information as part of criminal record checks,” reports Banks. [Privacy Tracker]
In California, the Oakland Police Department has announced that it will now store license-plate reader data for six months, a new policy catalyzed by its server system consistently crashing due to the large amounts of information it was required to retain. “Looking back at a year doesn’t help you solve a case,” said Oakland Sgt. Dave Burke. “There is no plan to store the data beyond six months. The investigators are not looking for data beyond six months. It does us no good to have these datasets if we do not mine them for intelligence.” [Ars Technica]
It is now legal for law enforcement in North Dakota to fly drones armed with everything from Tasers to tear gas thanks to a last-minute push by a pro-police lobbyist. With all the concern over the militarization of police in the past year, no one noticed that the state became the first in the union to allow police to equip drones with “less than lethal” weapons. House Bill 1328 wasn’t drafted that way. The bill’s stated intent was to require police to obtain a search warrant from a judge in order to use a drone to search for criminal evidence. In fact, the original draft of Rep. Rick Becker’s bill would have banned all weapons on police drones. Then Bruce Burkett of North Dakota Peace Officer’s Association was allowed by the state house committee to amend HB 1328 and limit the prohibition only to lethal weapons. “Less than lethal” weapons like rubber bullets, pepper spray, tear gas, sound cannons, and Tasers are therefore permitted on police drones. Becker, the bill’s Republican sponsor, said he had to live with it. [The Daily Beast] [Will we pick privacy over drone-drops from Amazon? ]
Immigration New Zealand has been found to have breached an immigrant’s privacy by refusing to correct his date of birth. The man from Ethiopia had no record of his birth, and arrived in New Zealand with incorrect information on his travel documents. Two years later he underwent a bone density scan and dental examination to clarify his age, which indicated he was possibly as old as 18 at the time. The man asked Immigration New Zealand to change his year of birth to 1996, but it refused and added a note to his file instead. Privacy Commissioner John Edwards has referred the case to the Director of Human Rights Proceedings. He said the incorrect date restricted the man from accessing a number of entitlements, including a driver’s licence and the adult minimum wage. But a spokesperson from Immigration said if the man’s passport showed his birth year as early 2000, the document itself needed to be altered or replaced, and there were important identity issues at stake. [radionz.co.nz]
The Prosecutor General’s Office received another round of complaints regarding Windows 10, this time from Moscow law firm Bubnov and Partners, alleging the system reaps user data without consent—a potential breach of Russian privacy statutes. “The new operating system offers users the choice of how they want it to handle their data, and users can change the settings at any point,” Microsoft said in response. The Russian Association for Electronic Communications corroborated the company’s claim in a statement, including information for concerned customers on how to change their settings. [The Moscow Times] See also [NZ Privacy Commissioner watching Microsoft on Windows 10]
In a recent study, consumer advocacy organization Access discovered via its site AmiBeingTracked.com that, after use was thought to have died down, 15% of wireless users are still falling prey to “zombie cookies” that permit carriers like Verizon and AT&T “to ignore a user’s privacy preferences on the browser level and track all online behavior,” Wireless reports. “Using tracking headers also raises concerns related to data retention,” the study states. “When ‘honey pots’ of sensitive information, such as data on browsing, location and phone numbers, are collected and stored, they attract malicious hacking and government surveillance. This kind of collection and retention of user data is unsustainable and unwise, and creates unmanageable risks for businesses and customers alike.” [Full Story]
The World Privacy Forum (WPF) has launched an #OptOutKids campaign that encourages parents and students to opt out of allowing schools to share their data. “Most parents are unaware that schools can compromise their children’s privacy and possibly their safety by sharing private information like their child’s phone number, home address, date of birth, GPA, email and photos with anyone without consent,” WPF states in its announcement. Most schools, however, have a brief window for opt outs, according to WPF Executive Director Pam Dixon, and the beginning of the school year is the time. Parents should opt their children out, Dixon said, because schools sending detailed data on children to unknown third parties can be “a risk for identity theft and worse.” [Full Story]
Mathew Ingram writes about Twitter’s decision to block users like @Politwoops, which used Twitter’s API to document and track Twitter statements of politicians, archiving them even after they’d been deleted. Twitter’s position is that politicians are just like any other users, and it would be chilling for users to think they could never erase a statement made on Twitter. However, argues Ingram, “there’s a clear social value in having tweets about important political topics preserved, in the same way that there’s a social value in recording off-the-cuff remarks made by politicians at meet-and-greet events.” Does this decision, together with the UK Information Commissioner’s Office’s position that links to stories about RTBF removals must themselves be removed, indicate a chilling of free speech? [FORTUNE]
Since the EU’s embrace of the right to be forgotten, reports citing specific examples of story-removal requests have begun spurring interest in the stories set to be removed. As such, the UK Information Commissioner’s Office has requested Google take down links to those article-removal-request stories as well. The move “could provide an example for other countries, potentially provoking a new wave of takedown requests of stories about takedown requests and a subsequent wave of stories about those new requests,” the report states, adding, “That will also give ammunition to both free speech advocates and privacy activists in their tussle over where to draw the line between privacy and the public’s right to know.” [The Wall Street Journal]
Since Windows 10 launched, there’s been no shortage of privacy concerns voiced. Now, torrent sites are beginning to put measures in place to block Windows 10 users from accessing them. “The concern is spreading like a virus,” the report states, noting the concerns are largely the result of paranoia. The Australian tested Windows 10’s new facial recognition feature and found the software “able to maintain privacy even when dealing with identical twins.” Meanwhile, Theo Priestley criticizes Apple’s use of data, saying the company is “still very much self-serving for the sake of looking consumer friendly.” [BetaNews] [TORRENT TRACKERS BAN WINDOWS 10 OVER PRIVACY CONCERNS] [Apple Privacy May Not Be As Private As You Think]
A study by two Harvard students indicates Facebook’s privacy policies have shown a “stark” and steady decline since a major 2009 privacy overhaul. Jennifer Shore’s and Jill Steinman’s research indicates that Facebook “doesn’t seem especially responsive to pressure either from advocacy groups or regulators,” the column continues, noting their findings indicate the company’s “standards for privacy drop in 22 of the 33 areas that they study.” Meanwhile, the Harvard student who lost his Facebook internship after developing a “Marauder’s Map” function using site data tells GeekWire he’s “happy with the way things turned out.” [Washington Post] [Facebook’s Threat Intelligence Sharing Potential: Data management, scale, and algorithmic strengths may give Facebook an advantage in threat intelligence sharing]
Privacy Commissioner Timothy Pilgrim has been reappointed for another year, with his next term to begin in October. Australian Attorney-General George Brandis, who reappointed Pilgrim, praised his “good working relationship” with businesses as well as government agencies and consumer groups and his work “building awareness of privacy rights and obligations.” Pilgrim has served as privacy commissioner for five years, working in that capacity from July 2010 until July of this year, and then adding “the three-month role of acting information commissioner to his portfolio last month,” the report states, noting Pilgrim also served previously as deputy privacy commissioner from 1998 until 2010. [ZDNet]
Prime Minister Narendra Modi will this week visit Silicon Valley to promote his “Digital India” campaign. But privacy advocates are speaking up ahead of Modi’s arrival. Approximately 137 academics, the majority being of Indian-origin, signed a statement saying Digital India seems to ignore how data is treated and how it might fuel repressive surveillance programs. “We are concerned that the project’s potential for increased transparency in bureaucratic dealings with people is threatened by its lack of safeguards about privacy information, and thus its potential for abuse,” the statement reads. [The Economic Times]
- India’s Ministry of Science & Technology’s Department of Biotechnology has posted its Human DNA Profiling Bill for public feedback through August 20.
- Technology Law Dispatch examines the latest amendment to South Korea’s Personal Information Protection Act.
- By 2018, the Road Transport Department plans to apply a Radio Frequency Identification device to vehicles across Malaysia.
- By next year, the Australian government expects to have a plan in place for law-enforcement agencies to share facial-recognition data.
- Publications Director Sam Pfeifle talks to Hong Kong Privacy Commissioner for Personal Data Stephen Wong, who assumed his new post earlier this month.
- Brazil’s proposed data protection framework may be held up after public comments highlighted some major concerns with the plan.
- The Japanese House of Councilors enacted into law a bill amendment that allows businesses to use de-identified personal data without consent, sets penalties for leaks and establishes a government watchdog.
- Privacy Law Blog offers a primer on Russia’s new data localization law.
- The Japanese government has adopted a draft cybersecurity strategy, reports The Japan Times.
- The Peruvian Congressional Committee on Constitution and Regulations will review the government’s data retention decree in the coming weeks, the Electronic Frontier Foundation reports, noting that it will decide the ultimate fate of the decree.
The U.S. FTC announced it has settled with 13 companies on charges “they misled consumers by claiming they were certified members of the U.S.-EU or U.S.-Swiss Safe Harbor frameworks when their certifications lapsed or the companies had never applied for membership in the program at all.” The companies include a data broker, IT forensics firm, medical waste solution provider—even Dale Jarrett Racing Adventure. Under the settlement, the companies are “prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or other self-regulatory or standard-setting organization.” Meanwhile, the FTC awarded a $25,000 cash prize to the makers of RoboKiller, a mobile app that “blocks and forwards robocalls to a crowd-sourced honeypot.” Other prizes were awarded as well as part of the National Day of Civic Hacking in June. [Full Story]
The FTC has unveiled the agenda for its “Start with Security” conference on September 9 in San Francisco, CA. “Aimed at start-ups and developers,” the FTC press release explains, “this event will bring together experts to provide information on security by design, common security vulnerabilities, strategies for secure development and vulnerability response.” Cosponsored by the University of California Hastings College of the Law, conference panelists include a wide array of chief information security officers, engineers, chief technology officers and product managers from several organizations, including Google, Yahoo, Mozilla, Pinterest, Twitter, SANS Institute, OWASP Mobile Top Ten, Fastly, Dropbox, Duo Security, HackerOne, Contrast Security and Signal Sciences. [Full Story]
Two Texas women filed lawsuits last week in Washington, DC, complaining the “U.S. government cannot be relied upon to keep the personal data of its citizens safe.” The suits follow the Internal Revenue Service’s (IRS) data breach in which hackers gained access to PII belonging to at least 330,000 people. California firm McCuneWright also filed a class-action complaint Thursday against the IRS. Meanwhile, Medical Informatics Engineering faces an additional three federal lawsuits over its recent breach, bringing the grand total to six, The Journal Gazette reports. [Bloomberg]
On January 1, 2016, a new law will go into effect in Delaware that requires all book service providers with online sales exceeding two percent of their gross sales to protect the privacy of customer information. The Delaware Online Privacy and Protection Act will not affect most independent booksellers because it applies only to companies that sell a lot of books online, the report states. And unlike reader privacy laws in California and New Jersey, it does not affect brick-and-mortar stores. The Delaware law does not impose penalties but does allow that a company could be the target of a civil suit for breach of privacy. [American Booksellers Association]
Ex-US president George W Bush, former Vice President Dick Cheney, and senior law enforcement officials have been named in a class-action lawsuit for authorizing blanket phone, email, and text message surveillance of Utah citizens during the 2002 Winter Olympics. In 2013 the Wall Street Journal reported that the FBI and NSA had done a deal with telco Qwest Communications for blanket surveillance coverage for Salt Lake City during the Winter Olympics. Then-mayor Ross “Rocky” Anderson has now taken up the case and has filed the class action suit. “This is the first time anyone knows of that a surveillance cone has been placed over a specific geographical area in the United States,” he said. “What was so alarming was that they were reading the contents of the text messages and emails.” Anderson served two consecutive terms as mayor between 2000 and 2008. There are currently six plaintiffs, including Utah State Senator Howard Stephenson (R-Draper), former Salt Lake City Council member Deeda Seed, and local historian Will Bagley. In addition to the presidential duo, the suit names former NSA Director Michael Hayden and Cheney’s attorney David Addington, who authorized the surveillance. [The Register]
US – Comcast Names Web Subscriber Whose Account Was Used to Insinuate a Politician Molested Children
Comcast Cable Communications has given a northern Illinois politician the identity of an Internet service subscriber whose account was used to post an anonymous comment online suggesting the politician molests children. That customer is being named as defendant in a lawsuit in the case, which arises from comments made online anonymously. Illinois courts have ruled an account holder’s privacy isn’t protected in such matters. Comcast turned over the name of the subscriber on Aug. 14, attorney Andrew Smith said, almost two months after the Illinois Supreme Court upheld lower court rulings that Internet service providers have no obligation to withhold the identity of a commenter if their comments could be considered defamatory. The U.S. Supreme Court declined to take up the case, which has played out in an environment of increasing concern about potentially damaging online comments made by anonymous Internet users. Experts generally agree that Internet commenters should know their identity won’t be protected if their comments cross the line into defamation. [Associated Press]
The U.S. Office of Personnel Management has been hit with yet another lawsuit related to its alleged cybersecurity and privacy failings, and the role they played in the massive breach that exposed background-check information that the agency was storing for 21.5 million people. But unlike the three other lawsuits already filed against OPM, this one differs in part because the plaintiff is a judge. Teresa J. McGarry, who works as an administrative law judge for the Social Security Administration, filed her lawsuit earlier this month against OPM, the U.S. Department of Homeland Security, as well as KeyPoint Government Solutions, which is the largest provider of background-check services for the U.S. government. McGarry’s lawsuit, which seeks class-action status, alleges that OPM failed in its duty to maintain and safeguard the data that was in its care – including background-check forms containing extensive personal information from applicants, as well as copies of applicants’ fingerprints – thus violating U.S. privacy laws, as well as government cybersecurity regulations. The suit seeks in part to make both OPM and KeyPoint take “reasonable steps” to implement and maintain a program to protect people’s personally identifiable information. It also seeks unspecified damages.
Einstein Called Out: The lawsuit also takes aim at DHS and, in particular, its administration of the so-called Einstein intrusion detection system (see Senate Committee Passes Bill Requiring Einstein Use). “The system was created to detect and prevent intruders from compromising the cybersecurity of federal governmental databases, including those housed at OPM and other governmental agencies,” the lawsuit says. “DHS failed as Einstein did not prevent intruders from breaching the OPM network and extracting sensitive files pertaining to millions of current, former and prospective federal employees and contractors.”
Four Lawsuits – And Counting: So far, the OPM breach has resulted in lawsuits being filed against the agency by two unions – the American Federation of Government Employees and the National Treasury Employees Union – on behalf of their members, as well as a $5 million lawsuit filed by breach victim Marcy C. Woo. She worked for the federal government for 28 years, and her suit alleges that top officials at the OPM knew about cybersecurity deficiencies, but failed to fix them. Woo’s lawsuit names OPM, as well as former director Archuleta, CIO Donna Seymour and KeyPoint. [Government Information Security]
The Internet Association takes umbrage with proposed revisions to the Family Education Rights and Privacy Act (FERPA) via the Student Privacy Protections Act, arguing that the requirements are “too broad.” “As currently drafted, the data security and privacy provisions of the bill impose vague security requirements, including notice requirements triggered by a ‘breach of the security practices,’ which theoretically could include common employee errors such as failing to properly sign in a visitor or failing to log out of a computer when going to get coffee for five minutes,” the organization said in a letter to the House Education and Workforce Committee. [The Hill]
Republican presidential candidate Jeb Bush said he found “no evidence” that USA PATRIOT Act surveillance measures were detrimental to American civil liberties, arguing that revisions to the act need to be reconsidered. “There’s a place to find common ground between personal civil liberties and NSA doing its job,” Bush said. “I think the balance has actually gone the wrong way.” He also called for greater corporate/government cooperation while taking aim at encryption efforts. “It makes it harder for the American government to do its job while protecting civil liberties to make sure evildoers aren’t in our midst,” he said. “Market share … should not be the be-all-end-all,” he added, advocating for “a new arrangement with Silicon Valley in this regard.” [Associated Press]
The Michigan Court of Appeals has ruled that Michigan State University (MSU) is legally obligated to disclose all personal details in public incident reports about its student athletes. After filing a September 2014 document request for an investigative piece, ESPN found that MSU “removed the names and identifying information about suspects, victims and witnesses,” the report states. ESPN successfully sued the school in February for the release of pertinent information, but MSU brought the matter back to court in an attempt to change the ruling. “The disclosure of the names of the student-athletes who were identified as suspects in the reports serves the public understanding of the operation of the university’s police department,” the Court of Appeals said. “The disclosure of the names is necessary to this purpose.” [ESPN]
- The Federal Communications Commission is planning to develop new privacy rules for Internet providers this fall, following its net neutrality decision earlier this year, and those rules “could have big implications for companies like AT&T, Verizon and Comcast.”
- The Department of Education has published draft guidance for colleges to best navigate the use of student medical records while respecting privacy. The guidance is open for comments until October 2.
- The U.S. Court of Appeals for the Third Circuit has rejected Wyndham Worldwide Corp.’s argument that the FTC doesn’t have jurisdiction over cybersecurity.
- The FTC’s victory “could usher in a period of heightened enforcement activity” in the cybersecurity space.
- The Oakland, California, Police Department has announced that it will now store license-plate reader data for six months, a decrease from one year, after consistent server problems due to the large amounts of information.
- The Pentagon is rolling out rules governing how the defense industry should report cybersecurity incidents.
- Data Quality Campaign’s latest Privacy Tracker Student Privacy Legislative Update indicates it is now tracking 182 student data privacy bills in 46 states.
Much to the chagrin of privacy advocates, the U.S. Court of Appeals for the District of Columbia Circuit ruled that the National Security Agency’s (NSA) collection of metadata under the USA Freedom Act could continue until the bill’s expiration in November, due to a “lack of sufficient grounds for the preliminary injunction.” Meanwhile, Andy Greenberg argues that suing the NSA is tricky because “someone has to prove that their privacy rights were infringed. And that proof is almost always a secret.” Regardless, plaintiff Larry Klayman plans on taking an appeal to the Supreme Court. “We are confident of prevailing,” he said. [Reuters] [Privacy Is a Human Right: Data Retention Violates That Right]
The National Science Foundation (NSF) and Intel have partnered to offer two new grants totaling $6 million for researchers aiming to find privacy and security solutions in the cyber-physical systems (CPS) underlying the Internet of Things. An NSF press release notes that a “key emphasis of these grants is to refine an understanding of the broader socioeconomic factors that influence CPS security and privacy.” Jim Kurose, who heads up the NSF’s Computer and Information Science and Engineering, said, “Rigorous interdisciplinary research, such as the projects announced today … can help to better understand and mitigate threats to our critical cyber-physical systems and secure the nation’s economy, public safety and overall well-being.” Intel’s Christopher Ramming said the company is “enthusiastic about this new model of partnership.” [Full Story]
Silent Circle’s privacy-focused Blackphone has a new iteration: Blackphone 2. “Thanks to the encryption and special software, all calls and texts made with the phone are secure from all the inquisitive eyes,” the report states. The phone employs Silent OS and Spaces, a program that permits “users and companies to create isolated operating system accounts that don’t interact with each other and therefore, remain more secure,” the report continues. Currently available for preorder, the device will be widely released in September. [TechWorm]
Chris Middleton writes about a future where “a search company has used all of the personal data that’s spread across the Internet about me to patent the concept ‘Chris Middleton,’ and, as a result, I am now a person of no fixed identity languishing in prison for breach of copyright.” Consumers, he suggests, should protect themselves by creating personal application program interface (API) platforms. Personal APIs “could be a fascinating route ahead for consumers in the digital world,” he writes. Placing data behind personal APIs might give consumers the ability to force organizations and individuals “to engage with you on your terms,” he writes, giving consumers the power to withdraw their support from those that do not “match your own belief systems.” [diginomica]
Microchip Technology has announced a collaboration with Intel to implement Intel Enhanced Privacy ID (EPID) technology. “Intel EPID is a sophisticated, proven approach to device authentication that provides both security and privacy for the on-ramp to the Internet of Things (IoT),” the report states. “Microchip has long recognized the importance of security in IoT applications,” said Microchip’s Ian Harris. “Collaborating with Intel to integrate its proven Intel EPID technology demonstrates Microchip’s steadfast commitment to providing the very best IoT solutions, by working to enable designers with the safe and secure interoperation of their ‘things’ with Intel’s devices, gateways and servers.” [StreetInsider.com]
By 2018, the Road Transport Department plans to apply a Radio Frequency Identification (RFID) device to vehicles across Malaysia. The aim of the RFID is to “allow real-time monitoring of traffic conditions and help police track down criminals,” the report states. “While this may raise privacy concerns … the use of RFID tech will herald a new era for vehicle security … and could be the answer to combat vehicle theft and cloned vehicle syndicates,” said Deputy Transport Minister Datuk Aziz Kaprawi. A “smart code” feature permits vehicle tracking by the authorities and satellites. [Paultan.org] [Somebody’s watching: Telematics for cars pits insurers against privacy advocates]
After discovering that “smart” TVs could record their owners’ conversations without consent, California Assemblyman Mike Gatto (D-Glendale) is championing AB116, which aims to mandate that smart TV users be “explicitly informed” their devices might record their conversations. The bill also “forbids TV manufacturers and related third parties from using or selling stored conversations for advertising purposes and would allow manufacturers to reject law enforcement efforts to use the feature to monitor conversations,” the report continues. While privacy advocates applaud the move, the Electronic Frontier Foundation’s Lee Tien points to room for improvement. “Notice is not consent,” Tien said. Smart TV-maker Samsung has indicated it supports the bill, the report states. [Associated Press]
The Pentagon is rolling out long-awaited rules governing how the defense industry should report cybersecurity incidents. The regulations were published in the Federal Register on Wednesday. They require contractors and subcontractors to report “cyber incidents that result in an actual or potentially adverse effect” on either the contractor’s information system and data or its ability to provide “operationally critical support,” the report states. The rules aim to provide a single pathway for Defense Department contractors to report cyber incidents. [The Hill]
According to a new study by CloudLock, system administrators and those with heightened privileges at an organization that employs a cloud service are responsible for 75 percent of the risk, with hackers focusing in on those particular users for easy data access. “Cyber attacks today target your users—not your infrastructure,” said CloudLock CEO Gil Zimmermann. “As technology leaders wake up to this new reality, security programs are being reengineered to focus where true risk lies: with the user,” he said, adding that “the best defense is to know what typical user behavior looks like—and, more importantly, what it doesn’t.” [The Washington Post] [Cars can be hacked by their tiny, plug-in insurance discount trackers]
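The behavior-baselining approach Zimmermann describes, as an added example that is not part of the CloudLock study or the report above: a short window of constructed cloud audit-log lines establishes, per user, the source networks normally used and the largest daily download volume; later activity by privileged accounts is then compared against that baseline. The log format, field names, the "admin" role label and the 10x volume factor are all assumptions.

```python
"""Baseline-and-deviation check for privileged cloud accounts (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed audit-log lines: timestamp user role src_ip action bytes
BASELINE_LOG = """\
2015-08-03T09:02:11Z alice admin 10.1.4.22 download 20480
2015-08-03T09:15:40Z alice admin 10.1.4.22 download 10240
2015-08-04T08:58:02Z alice admin 10.1.4.23 share 0
2015-08-04T10:01:55Z bob user 10.1.9.8 download 4096
2015-08-05T09:10:13Z alice admin 10.1.4.22 download 30720
"""

# Constructed later activity: one privileged download from an unfamiliar
# network at 03:12 that is far larger than anything in the baseline.
RECENT_LOG = """\
2015-08-10T03:12:09Z alice admin 203.0.113.77 download 52428800
2015-08-10T09:05:00Z alice admin 10.1.4.22 download 15360
2015-08-10T09:07:21Z bob user 198.51.100.5 download 4096
"""


def parse(log_text):
    """Turn the constructed space-separated lines into event dicts."""
    events = []
    for line in log_text.splitlines():
        ts, user, role, ip, action, nbytes = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "role": role, "ip": ip,
                       "action": action, "bytes": int(nbytes)})
    return events


def network_of(ip):
    """Coarse /24 bucket so a user's usual office range counts as one network."""
    return ".".join(ip.split(".")[:3])


def build_baseline(events):
    """Per user: set of networks seen and the largest single-day download total."""
    baseline = defaultdict(lambda: {"networks": set(), "max_daily_bytes": 0})
    daily = defaultdict(int)
    for e in events:
        baseline[e["user"]]["networks"].add(network_of(e["ip"]))
        daily[(e["user"], e["ts"].date())] += e["bytes"]
    for (user, _day), total in daily.items():
        b = baseline[user]
        b["max_daily_bytes"] = max(b["max_daily_bytes"], total)
    return baseline


def find_deviations(baseline, events, privileged_roles=("admin",), volume_factor=10):
    """Flag privileged-user activity outside the baseline; unprivileged users are skipped
    because the study's point is that privileged accounts carry most of the risk."""
    findings = []
    daily = defaultdict(int)
    flagged_days = set()
    for e in events:
        if e["role"] not in privileged_roles:
            continue
        b = baseline.get(e["user"])
        if b is None:
            findings.append((e["user"], "no baseline for privileged account"))
            continue
        net = network_of(e["ip"])
        if net not in b["networks"]:
            findings.append((e["user"], f"unseen network {net}"))
        key = (e["user"], e["ts"].date())
        daily[key] += e["bytes"]
        if key not in flagged_days and daily[key] > volume_factor * b["max_daily_bytes"]:
            flagged_days.add(key)  # report the volume breach once per user per day
            findings.append((e["user"], "download volume exceeds baseline"))
    return findings


if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOG))
    for user, reason in find_deviations(base, parse(RECENT_LOG)):
        print(f"{user}: {reason}")
```

On the constructed data this reports two findings, both for the admin account: the unfamiliar source network and the download volume. A real deployment would read from the cloud provider's audit API and keep the baseline per tenant; the two checks shown are the minimum a "what does normal look like" program needs.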
Uber is to significantly expand its security team as it seeks to soothe worries about data privacy, defend against hackers and even protect its offices and employees from physical attack. The group, most recently valued at about $50bn, plans to end the year with more than 100 staff in its security team, an increase from about 25. [Financial Times]
Joseph Cannataci, the newly appointed UN special rapporteur on privacy, has called the UK’s oversight of surveillance “a rather bad joke at its citizens’ expense,” describing the situation regarding privacy as “worse” than anything George Orwell imagined in his dystopian novel ‘1984’. Appointed after concern about surveillance and privacy following the Edward Snowden revelations, Cannataci agreed that his notion of a new universal law on surveillance could embarrass those who may not sign up to it, but for Cannataci – well-known for having a mind of his own – it is not America but Britain that he singles out as having the weakest oversight in the western world. Although Cannataci admits his job is a complex one that is not going to be solved with a magic bullet, he says he is far from starting from scratch and believes there are at least four main areas to work on – a universal law on surveillance, tackling the business models of the big tech corporations, defining privacy and raising awareness among the public. [Before Its News]
The National Security Agency (NSA) and its German equivalent, the Office for the Protection of the Constitution (BfV), traded access to the U.S. Internet surveillance program XKeyscore for targeted surveillance information on German citizens. While former German Data Protection Commissioner Peter Schaar claimed that he “knew nothing about such an exchange deal,” an official memo obtained by Die Zeit, the outlet that broke the story, indicates that Germany pledged to “(u)tilize XKeyscore in a manner consistent with German law and in a manner reasonably likely not to result in the targeting of U.S. persons,” the report continues. [National Journal]
After an open hearing earlier this month aimed at formulating a group stance, the Diplomatic Council, a UN-registered global think tank, called for more transparency when it comes to government surveillance across the world. Attorney Thomas Lapp, chairman of the Global Information Security Forum of the Diplomatic Council, proposed worldwide stipulations on any judge who approved interception measures. He called for judges to be required to document each interception approved and provide annual reports that provide details on the outcomes of surveillance, including whether the activities led to convictions. Lapp feels the stipulations would influence authorities to better examine eavesdropping requests while making the process more transparent to the public. In addition, the Diplomatic Council is mulling global legislation to curb data collection by large internet corporations. Lapp contended that big companies circumvent the strict data protection laws of several countries. [SC Magazine]
There are challenges to running privacy services—specifically the legal challenge of keeping promises to customers despite government pressure for access to data. To cope, companies have created “warrant canaries.” Companies publish transparency reports listing the number of “secret, gag-ordered surveillance warrants,” with that number listed as zero. In the next report, if there’s been a secret warrant, the listing would be omitted. Users would notice this and stop using the service, the message to the government being: Serve us with a secret warrant, and everyone you want to spy on will stop using this service. “The idea of warrant canaries is not to voluntarily go out of business, it’s to make business-destroying secret warrants useless,” the report states. [The Guardian]
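The canary mechanism only works if someone actually checks the report. As an added example, not from the Guardian article or any provider's published tooling, the following client-side monitor parses a transparency report, requires the zero-warrants statement to be present and recent, and treats a missing, non-zero or stale statement as the signal the paragraph describes. The report format, its field names, the constructed sample reports and the 45-day freshness window are assumptions.

```python
"""Warrant-canary monitor for a published transparency report (added example)."""
import re
from datetime import date, timedelta

DATE_RE = re.compile(r"^Report date:\s*(\d{4}-\d{2}-\d{2})\s*$", re.M)
CANARY_RE = re.compile(
    r"^Secret, gag-ordered surveillance warrants received:\s*(\d+)\s*$", re.M)

# Constructed reports: a healthy one, and a later one that silently drops the line.
REPORT_OK = """\
Report date: 2015-08-01
Government data requests: 14
Secret, gag-ordered surveillance warrants received: 0
"""
REPORT_CANARY_GONE = """\
Report date: 2015-09-01
Government data requests: 17
"""


def check_canary(report_text, today, max_age_days=45):
    """Return (alive, reason). alive is True only when the statement is present,
    says zero, and the report is no older than max_age_days."""
    date_m = DATE_RE.search(report_text)
    if not date_m:
        return False, "report carries no date"
    report_date = date.fromisoformat(date_m.group(1))
    if today - report_date > timedelta(days=max_age_days):
        # A canary that stops being refreshed tells the reader as little as one
        # that has been removed, so staleness is treated as a failure.
        return False, "report is stale; canary can no longer be trusted"
    canary_m = CANARY_RE.search(report_text)
    if not canary_m:
        # The omission is the signal the article describes.
        return False, "canary statement missing; treat as a secret warrant served"
    if int(canary_m.group(1)) != 0:
        return False, "canary reports a non-zero count"
    return True, "canary present and fresh"


def run_checks():
    """Evaluate the constructed reports at fixed 'today' values."""
    return {
        "ok": check_canary(REPORT_OK, date(2015, 8, 20)),
        "gone": check_canary(REPORT_CANARY_GONE, date(2015, 9, 10)),
        "stale": check_canary(REPORT_OK, date(2015, 12, 1)),
    }


if __name__ == "__main__":
    for name, (alive, reason) in run_checks().items():
        print(f"{name}: {'ALIVE' if alive else 'DEAD'} ({reason})")
```

Two points the code makes that the paragraph only implies: the check must be tied to the report date, since a provider under a gag order could simply stop publishing rather than delete the line, and the monitor must be run by the users (or a third party), not by the provider whose silence it is meant to detect. In practice the report would also be fetched over an authenticated channel and, where the provider signs it, the signature verified before parsing.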
In San Jose, CA, the city’s mayor and one city councilman have put forward a new proposal that would allow sanitation vehicles—garbage trucks—to use license-plate readers to feed data automatically to city police. “We can cover every street at least once a week and possibly deter thieves from coming into our city,” said Councilman Johnny Khamis. If the proposal were to pass, the city would likely be the first in the country to expand license-plate readers beyond law enforcement to another public entity, the report states. Khamis said the city would consult with the ACLU over privacy concerns before moving forward. [Ars Technica]
One rescue squad in Maryland believes the use of helmet-mounted cameras is invaluable, as such video allowed firefighters to later determine what they could have done better to stay safe. But in a California case, helmet-camera video of a plane crash showed a survivor being accidentally run over, and San Francisco’s “fire chief later reminded staff that all cameras are banned without prior approval,” the report states. The International Association of Fire Fighters (IAFF) does not support helmet cameras. The IAFF’s Jim Brinkley explained national standards for the cameras’ use are in development but said “that’s a long process.” [CBS News]
A study by Access Now finds that while mobile wireless companies no longer employ “supercookies” in the U.S., some do so in other parts of the world. Supercookies, or “unique identifier headers,” are codes that permit surreptitious tracking of mobile web use. Access Now’s Deji Olukotun suggested the “use of supercookies outside the U.S. is potentially more invasive because many people use smartphones as their primary way to access the Internet,” the report states. Verizon said it offers an opt-out service to users. “Most users don’t even know what to opt out of,” said Jacob Hoffman-Andrews of the Electronic Frontier Foundation, adding, “This technology is so intrusive that opt-outs are not appropriate.” [The Wall Street Journal] [Anti-privacy unkillable super-cookies spreading around the world | Study]
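Unique identifier headers are trackable because a carrier's proxy adds the same value to every plain-HTTP request a subscriber makes. As an added example, not from the Access Now study, the detection below compares the headers a client knows it sent with the headers a cooperating test server received and reports anything added in transit; across several requests from one device, an added header whose value never changes is identifier-like. Header names and values are constructed and no real carrier header is assumed.

```python
"""Detecting carrier-injected identifier headers ("supercookies"): added example."""


def injected_headers(sent, received):
    """Headers present at the server that the client never sent (names lower-cased)."""
    sent_names = {k.lower() for k in sent}
    return {k.lower(): v for k, v in received.items() if k.lower() not in sent_names}


def identifier_like(pairs):
    """Given (sent, received) header pairs for several requests from one device,
    return the injected header names whose value was identical in every request.
    Per-hop headers whose value varies (e.g. a proxy name) are dropped; at least
    two requests are needed for that separation to mean anything."""
    constant = None
    for sent, received in pairs:
        inj = injected_headers(sent, received)
        if constant is None:
            constant = dict(inj)
        else:
            constant = {k: v for k, v in constant.items() if inj.get(k) == v}
    return sorted(constant or {})


# Constructed capture: what the browser sent, and what the test server saw on
# two successive plain-HTTP requests. The subscriber-id header is the tracker;
# the Via header changes per request and is not an identifier.
CLIENT_SENT = {"Host": "detector.example", "User-Agent": "TestBrowser/1.0"}
SERVER_SAW = [
    dict(CLIENT_SENT, **{"X-Example-Subscriber-Id": "d41d8cd9", "Via": "1.1 gw-a"}),
    dict(CLIENT_SENT, **{"X-Example-Subscriber-Id": "d41d8cd9", "Via": "1.1 gw-b"}),
]


def find_tracking_headers():
    """Run the detection over the constructed capture."""
    return identifier_like([(CLIENT_SENT, seen) for seen in SERVER_SAW])


if __name__ == "__main__":
    print("identifier-like injected headers:", find_tracking_headers())
```

The same comparison over an HTTPS connection would return an empty list, because the carrier cannot modify headers inside the TLS session; that is the practical mitigation the opt-out debate in the story leaves unstated. A site operator can also run the server half of this check on its own logs: a header that is absent from requests arriving over HTTPS but present, with stable per-client values, on plain-HTTP requests from the same mobile networks is being added by the network rather than by users.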
The FCC is planning to develop new privacy rules for Internet providers this fall following its net neutrality decision earlier this year, and those rules “could have big implications for companies like AT&T, Verizon and Comcast.” “FCC Chairman Tom Wheeler has declined to say when the agency might formally launch a rule-making process,” the report states, noting that if the FCC approves its new privacy policies for Internet providers, it could “powerfully affect the industry’s business model.” For example, the FCC’s new rule could limit such practices as AT&T’s recently launched package allowing customers a discount if the company can track their web history. [The Washington Post]
The United Nations (UN) has said it plans to contact AT&T following a report “it allowed the U.S. National Security Agency (NSA) to wiretap all Internet communications at UN headquarters.” A UN spokeswoman said U.S. officials had assured the UN “they are not … monitoring our communications” when past allegations were made. A piece in The New York Times indicated “AT&T provided technical assistance in carrying out a secret U.S. court order permitting the wiretapping of all Internet communications” at the UN’s New York headquarters, the report states. Meanwhile, AT&T and other telecoms are able to monitor consumers and make it “deliberately tough” for them to opt out of marketing “and having their personal data shared.” [Associated Press]
It’s the dirty little secret that’s facilitating what’s being called the biggest breach of privacy ever. Government, security agencies and the telecommunications industry will be forced to explain a security hole that allows hackers to listen in to conversations and hijack Australians’ mobile phones after it’s exposed by a 60 Minutes investigation, the program claims. By tapping in to SS7, a signalling system in use by more than 800 telecommunication companies across the world including major Australian providers, hackers are able to listen in to conversations, steal information stored on mobile phones, and track the location of the phone’s user. The system has long been in use by spies and has been a secret of perpetrators of international espionage. It’s believed to be the very tactic used by Australian spies in tracking the phone calls of the wife of the Indonesian president. But recently, organised crime, commercial spies and potential terrorists have been exploiting this security loophole for their gain, 60 Minutes claims to have uncovered. [Source]
Google’s newest device is a router the company hopes you’ll display proudly, and it gives the company a beachhead for tech in your home too. The search giant unveiled the OnHub, a sleek new router that Google developed with the networking hardware company TP-Link. The $200 device is also meant to eventually help control all the other disparate Internet-connected devices in your home. The idea is this: Most Wi-Fi routers are ugly, with unruly cords, so people put them on the floor or out of the way where they can’t be seen. But that also causes the device to emit a weaker Wi-Fi signal, Google said. The company hopes the answer is making a better-looking device that people don’t mind displaying out in the open. It has subtle blinking lights and all its antennas are packed inside its black, cylindrical shell. The device also displays the Wi-Fi password if someone taps on it. [CNET]
The IAPP has launched its first eBook, Introduction to IT Privacy: A Handbook for Technologists, which is now available from the Kindle bookstore on Amazon. “In an effort to provide our members access to privacy training content in the ways they find most useful, we decided to pursue offering our first eBook title for those privacy professionals who prefer to access this material digitally,” said IAPP Training Director Marla Berry. “We look forward to the response to this initial offering and anticipate we may be providing future texts to our members in this format as well.” The Privacy Advisor has all the details in this “Live from the IAPP” feature. [Full Story]
It’s likely EU users have noticed an increase in the number of cookie notices they’re presented with while surfing the web—the result of a change in Google’s user-consent policy. The policy “requires website publishers who use Google cookies to obtain their European site visitors’ consent before dropping and reading cookies,” the report states. The change reflects EU regulators’ increasing focus on U.S. companies that serve EU customers. Sites, including ad publishers using Google services as a platform, have until September 30 to comply. Google has released a website to help guide companies in implementing the changes. [Silicon Republic]
A recent attempt by the Illinois legislature to significantly expand the scope of the Illinois data breach notification legislation was vetoed by Gov. Bruce Rauner. Rauner said Illinois Senate Bill 1833 “goes too far,” and the proposed legislation includes “duplicative and burdensome requirements” that other states don’t have. He added such requirements will hurt the state economy. Specifically, he said, including geolocation information and consumer marketing data under the types of protected information is unnecessary because it “does not pose the same risk of identity theft that justifies the extraordinary and costly security and notice requirements imposed by the Personal Information Protection Act.” [HealthITSecurity]
The California State Assembly has approved a measure that would restrict the use of drones over private property without owners’ permission. The bill, proposed by Sen. Hannah-Beth Jackson (D-Santa Barbara), would make flying a drone less than 350 feet above private property without consent a trespassing violation. While some voiced concerns about harming industry, Assemblyman Mike Gatto (D-Los Angeles) said drone operators, not manufacturers, would be held liable. Meanwhile, a bill that would require local law enforcement agencies to set up policies governing their use of body cameras “fell flat after facing criticism from some Democrats that it did not go far enough,” the report states. [Los Angeles Times]
Proposed legislation is inspiring ire from drone developers who argue it could smother the fledgling trade, citing as an example SB 142, which Sen. Hannah-Beth Jackson (D-CA) proposed in an effort at safeguarding privacy by keeping drones at least 350 feet above private property. “The industry argues—and the legislative committees acknowledge—myriad efforts are going on between state and federal authorities to hammer out a regulatory regimen,” the report states. Bruce Parks of the Association for Unmanned Vehicle Systems International argued “the threats are coming from hobbyists, not potential commercial users.” [The San Diego Union-Tribune]
- Sen. Chris Murphy (D-CT) has proposed a bill that, among other things, would change patient privacy laws by offering guidelines to doctors about when to share information about a mentally ill patient with family members.
- Kentucky Rep. Diane St. Onge (R-Lakeside Park) has pre-filed a bill to require law enforcement in the state to get a search warrant in order to use a drone with a camera to collect evidence.
- A North Dakota drone privacy bill has been amended to allow police to equip drones with non-lethal weapons.
- California Assemblyman Mike Gatto (D-Glendale) is championing AB116, which aims to mandate that smart TV users be “explicitly informed” their devices might record their conversations.
- In San Jose, CA, the city’s mayor and one city councilman have put forward a new proposal that would allow garbage trucks to use license-plate readers to feed data automatically to city police.
- Illinois Gov. Bruce Rauner has vetoed a recent attempt by the legislature to significantly expand the scope of the state’s data breach notification legislation.
- The Internet Association says the proposed revisions to the Family Education Rights and Privacy Act via the Student Privacy Protections Act are “too broad.”
- On January 1, 2016, a Delaware law will go into effect requiring certain book service providers to protect the privacy of customer information.
- The California State Assembly has approved a measure that would restrict the use of drones over private property without owners’ permission.
- Drinker Biddle offers an overview of proposed federal student privacy legislation in the U.S.
- State Tech offers an overview of Delaware’s new slate of Internet privacy laws.
- An op-ed in the News-Gazette touts the benefits of Illinois’ SB 1833, an amendment to the Personal Information Protection Act, currently waiting for the signature of Gov. Bruce Rauner to become law.
- Pennsylvania Rep. Dan Miller (D-Mt. Lebanon) is drafting student privacy legislation. [Pennsylvania lawmakers consider offering legislation to protect student privacy]
The Offices of the Privacy Commissioner and of the BC and Alberta Information and Privacy Commissioners have created new guidelines for BYOD programs. “Allowing employees to use their mobile phones, tablets and laptop computers for both personal and professional use carries significant privacy risk—particularly when one world collides with the other,” said Privacy Commissioner Daniel Therrien, adding, “Companies need to consider the risks in advance and prepare to manage them effectively. Only then could they conclude whether a BYOD program is right for them.” A Privacy This Week report suggests the commissioners may use the guidance as a benchmark. [Vancouver Sun]
The Personal Data Protection Commission (PDPC) has published its “Workplace Tips on Personal Data Protection” in DPO Connect. “Controls also have to be put in place to make sure that only authorised personnel have access to personal data,” the PDPC’s report states, noting organizations should also protect users’ passwords by requiring they be changed, limiting the number of failed login attempts that are allowed before the account is locked and hiding password characters. The PDPC also “advocates for weaving the awareness of personal data protection into the fabric of organisational culture,” the report states. [Full Story]
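Two of the three password controls the PDPC lists, lockout after a number of failed attempts and a required password change after a maximum age, are server-side logic (hiding password characters is a client UI matter). As an added example, not the PDPC's material, the store below implements both with an injectable clock so the lockout expiry and password age can be exercised in a test. The thresholds (5 attempts, 15-minute lockout, 90-day age) and the in-memory store are assumptions; passwords are kept only as salted PBKDF2 hashes.

```python
"""Failed-login lockout and password-age enforcement (added example)."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MAX_FAILURES = 5                       # assumed threshold
LOCKOUT = timedelta(minutes=15)        # assumed lockout duration
MAX_PASSWORD_AGE = timedelta(days=90)  # assumed maximum password age


class AccountStore:
    def __init__(self, now):
        self.now = now          # callable returning the current datetime (injectable)
        self.accounts = {}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def create(self, user, password):
        salt = os.urandom(16)
        self.accounts[user] = {"salt": salt, "hash": self._hash(password, salt),
                               "changed": self.now(), "failures": 0,
                               "locked_until": None}

    def login(self, user, password):
        """Return one of: ok, denied, locked, password_expired."""
        acct = self.accounts.get(user)
        if acct is None:
            return "denied"  # same answer as a wrong password; don't reveal which
        now = self.now()
        if acct["locked_until"] and now < acct["locked_until"]:
            return "locked"  # even a correct password is refused during lockout
        if not hmac.compare_digest(acct["hash"], self._hash(password, acct["salt"])):
            acct["failures"] += 1
            if acct["failures"] >= MAX_FAILURES:
                acct["locked_until"] = now + LOCKOUT
                acct["failures"] = 0
                return "locked"
            return "denied"
        acct["failures"] = 0          # a successful login clears the counter
        acct["locked_until"] = None
        if now - acct["changed"] > MAX_PASSWORD_AGE:
            return "password_expired"  # caller must route to a change-password flow
        return "ok"


def demo_sequence():
    """Constructed scenario driven by a fake clock; returns the login outcomes."""
    clock = [datetime(2015, 8, 1, 9, 0)]
    store = AccountStore(now=lambda: clock[0])
    secret = "correct horse battery staple"
    store.create("dpo", secret)
    results = [store.login("dpo", "wrong") for _ in range(MAX_FAILURES)]
    results.append(store.login("dpo", secret))   # locked: right password, too early
    clock[0] += LOCKOUT + timedelta(minutes=1)
    results.append(store.login("dpo", secret))   # ok: lockout has expired
    clock[0] += MAX_PASSWORD_AGE + timedelta(days=1)
    results.append(store.login("dpo", secret))   # password_expired
    results.append(store.login("nobody", "x"))    # unknown user looks like a bad password
    return results


if __name__ == "__main__":
    print(demo_sequence())
```

The lockout is time-bounded rather than permanent so that a burst of bad guesses cannot be used to lock legitimate staff out indefinitely, and the unknown-user and wrong-password paths return the same value so the login form does not confirm which usernames exist.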
The Electronic Frontier Foundation has announced its 2015 Pioneer Award recipients. The award recognizes “leaders who are extending freedom and innovation on the electronic frontier.” This year’s recipients, to be recognized at an event on September 24 in San Francisco, include the late Caspar Bowden, a privacy advocate; the human rights and global security researchers at The Citizen Lab, whose work has “put a spotlight” on companies selling state-sponsored surveillance malware and the governments that use them; international Internet access champions Anriette Esterhuysen and the Association for Progressive Communications, and digital community advocate Kathy Sierra. [Full Story]
Half of federal employees access government email and documents from their personal smartphones and mobile devices. A survey commissioned by cybersecurity company Lookout found that out of 1,000 workers from 20 civilian, intelligence and military agencies, 60% said they are aware of the risks, and 85% of those individuals said they use their smartphones anyway. Approximately 40% of employees who work at agencies that prohibit the use of smartphones for work said the rules have little to no impact on their behavior, the report states. Cybersecurity expert Roger Cressey said the challenge for security professionals is “to accept that reality, and come up with proactive solution.” [USA Today]