6-19 May 2018


UK – Report Confirms Deep Flaws of Automated Facial Recognition Software

Big Brother Watch [here] has produced a report bringing together everything we know about the use by UK police of automated facial recognition software, and its deep flaws. The report supplements that information with analyses of the legal and human rights framework for such systems, and points out that facial recognition algorithms often disproportionately misidentify minority ethnic groups and women. Alongside its report, Big Brother Watch has launched the “Face Off“ campaign calling for the UK public authorities to stop using automated facial recognition software with surveillance cameras, and to remove the thousands of images of unconvicted individuals from the UK’s Police National Database. [TechDirt and at: Edgy Labs and Android Headlines]

UK – Cops’ Facial Recog Tech Slammed: Zero Arrests, 2 Matches, No Criminals

London cops’ facial recognition kit has only correctly identified two people to date – neither of whom were criminals – and the UK capital’s police force has made no arrests using it, figures published today revealed. According to information released under Freedom of Information laws, the Metropolitan Police’s automated facial recognition (AFR) technology has a 98% false positive rate. That figure is the highest of those given by UK police forces surveyed by the campaign group Big Brother Watch as part of a report [see PR here and 56 pg PDF report here] that urges the the police to stop using the tech immediately. And, despite cops’ insistence that it works, the report showed an average false positive rate – where the system “identifies” someone not on the list – of 91% across the country. The Met has the highest, at 98%, with 35 false positives recorded in one day alone, at the Notting Hill Carnival 2017. However, the Met Police claimed that this figure is misleading because there is human intervention after the system flags up the match. [The Register and coverage at: Siliconrepublic, BBC News, Metro.co.uk, Software Testing News, Nextgov, The Independent, The Washington Tomes and HuffPost UK]

UK – Sky News Will Use AI to ID Guests at Royal wedding

When Prince Harry and Meghan Markle said “I do” at their royal wedding, online viewers tuning into the Sky News stream did not have to guess the names of international celebrities and British nobility in attendance. Instead, the U.K. broadcaster used artificial intelligence to identify famous guests as they made their grand entrances at St. George’s Chapel at Windsor Castle — displaying the invitees’ names and details about how they are connected to the royal couple. Dubbed “Who’s Who Live,” Sky News announced the live-stream service in partnership with Amazon.com and several data and engineering firms. As the 600 guests entered the chapel, Sky News highlighted notable attendees using Amazon Rekognition, a cloud-based technology that can recognize and compare faces in images and video using artificial intelligence. Along with identifying the wedding guests, the live-stream service also showed facts about them, using captions and on-screen graphics through the company’s app. The data was displayed alongside the video of the procession into the chapel. The celebrity recognition feature’s debut could pave the way for its use at other high-profile events that often invite the audience to interact on social media. [Washington Post]

CA – $30B Facebook Privacy Suit Headed for Jury Trial

A $30 billion class action claiming Facebook harvested the facial data of up to 6 million Illinois residents without consent must be decided by a jury, a federal judge ruled . Facebook argued that its technology doesn’t scan users’ facial geometry in a way that violates a 2008 Illinois privacy law. U.S. District Judge James Donato found only a jury can answer that question. Lead plaintiff Nimesh Patel sued Facebook in 2015 in one of three consolidated class actions, claiming the social network harvested users’ facial data for its “Photo Tag Suggest” function, starting in 2011, without express permission from users. Under the Illinois Biometric Information Privacy Act of 2008, companies must obtain consent before collecting or disclosing biometric data, such as retina scans, fingerprints, voiceprints, hand scans or facial geometry. Facebook also argued that it should not be liable for any damages because it reasonably understood the Illinois privacy law as not applying to data harvested from photographs. Donato rejected that argument too, concluding that “ignorance of the law” has never been accepted as a valid excuse for breaking the law. The judge also scolded Facebook for continuing to cling to legal arguments that were rejected in prior rulings When he denied Facebook’s motion to dismiss in February [see here] and certified a class of up to 6 million Illinois Facebook users in April. The judge described Facebook’s refusal to accept his prior decisions as “troubling.” In an emailed statement, Facebook said: “We are reviewing the ruling. We continue to believe the case has no merit and will defend ourselves vigorously.” [Courthouse News and at: The Register, Business Insurance and Biometric Update]

Big Data / Artificial Intelligence / Data Analytics

EU – EU Commission Issues Artificial Intelligence Strategy

The EU Commission issued recommendations to take advantage of opportunities offered by artificial intelligence. Investments in AI should be increased to develop applications in key sectors (e.g. healthcare), facilitate data access for small and medium-sized companies, and ensure an appropriate framework is applied that promotes innovation, respects EU values, the GDPR, and ethical principles. [EU Commission – Artificial Intelligence for Europe]

WW – Google’s AI Sounds Like A Human on the Phone

It came as a total surprise: the most impressive demonstration at Google’s I/O conference was a phone call to book a haircut. Of course, this was a phone call with a difference. It wasn’t made by a human, but by the Google Assistant, which did an uncannily good job of asking the right questions, pausing in the right places, and even throwing in the odd “mmhmm” for realism. The crowd was shocked, but the most impressive thing was that the person on the receiving end of the call didn’t seem to suspect they were talking to an AI. It’s a huge technological achievement for Google, but it also opens up a Pandora’s box of ethical and social challenges. For example, does Google have an obligation to tell people they’re talking to a machine? Does technology that mimics humans erode our trust in what we see and hear? And is this another example of tech privilege, where those in the know can offload boring conversations they don’t want to have to a machine, while those receiving the calls (most likely low-paid service workers) have to deal with some idiot robot? As Google’s researchers explain, the feature, called Duplex, it can only converse in “closed domains” — exchanges that are functional, with strict limits on what is going to be said. “You want a table? For how many? On what day? And what time? Okay, thanks, bye.” Easy! Duplex works in just three scenarios at the moment: making reservations at a restaurant; scheduling haircuts; and asking businesses for their holiday hours. It will also only be available to a limited (and unknown) number of users sometime this summer [The Verge]

WW – RightsCon 2018 Conference Debates Resolution on Discrimination in Machine Learning

This week marked the opening in Toronto of the seventh RightsCon conference. Attendees will have a choice of 450 sessions on a wide range of rights topics related to the online world.: How to leverage blockchain as a force for good, the digital divide in Indigenous Communities in North America, content regulation, free speech and censorship, false news, online surveillance and Internet governance. One of the highlights will be a preparation of the “Toronto Declaration on Discrimination in Machine Learning” [see here & 11 pg PDF here], a step toward developing detailed guidelines for the promotion of equality and protection of the right to non-discrimination in machine learning. The Declaration will address necessary protections for companies and governments exploring and implementing the future of machine learning. The goal of the declaration is to encourage data scientists to think early when creating machine learning algorithms about implications of assumptions in their work. [IT World] See also: [The 7 Craziest IoT Device Hacks]


CA – Canada Has ‘Fallen Behind’ in Privacy Powers: Denham

The power made available to the Canadian privacy watchdog to investigate companies like Facebook and Cambridge Analytica have not kept pace with those granted to his counterparts around the world. That was the message brought by Elizabeth Denham, the United Kingdom’s information commissioner, to a House of Commons committee studying the breach of personal information harvested from 87 million Facebook accounts by British political profiling firm, Cambridge Analytica. “The Canadian privacy commissioner’s powers have fallen behind the rest of the world,” Denham told the committee members. Her observation comes as Canadian politicians struggle to catch up to other jurisdictions such as the European Union that have pursued stringent new privacy rules in recent years in light of concerns that tech giants like Facebook and Google are not doing enough to protect personal information. [Global News]

CA – Ontario Law Prohibits Inquiries into Compensation History

Ontario’s Bill 3, the Pay Transparency Act, 2018, related to disclosure of compensation for applicants and employees, receives Royal Assent and goes into effect January 1, 2019. Exemptions include a job applicant’s voluntary and unprompted disclosure of their compensation history, compensation ranges or aggregate compensation for comparable positions, or publicly available compensation history, and employers must submit and post pay transparency reports; a government compliance officer may enter a workplace without a warrant to assess the employer’s compliance with the law. [Bill 3 – Pay Transparency Act, 2018 – 41st Legislature, Ontario | Status]

CA – Canadian Government Reassures on Border Searches

The Minister of Public Safety and Emergency Preparedness reported to the Parliamentary Standing Committee on Access to Information, Privacy and Ethics on border privacy. The government believes that it is unnecessary to provide further preconditions for searches of electronic devices at the border in the Customs Act, (which could hinder an ability to respond to threats and contraventions); the recently signed Preclearance Act (which gives U.S. officers an ability to search in certain areas) requires U.S. border officials to comply with Canadian law. [Report: Protecting Canadians’ Privacy at the U.S. Border – Minister of Public Safety and Emergency Preparedness]

CA – Balsillie urges MPs to Regulate ‘Surveillance Capitalism’ of Facebook and Google

A group representing Canada’s tech CEOs told MPs that Facebook and Google represent a new form of “surveillance capitalism” and called for European-style regulation over the U.S.-based web giants. Jim Balsillie, chair of the Council of Canadian Innovators [here], told MPs that immediate government action is required to protect Canada’s commercial interests and the privacy of individuals. “Facebook and Google are companies built exclusively on the principle of mass surveillance,” he said. “Their revenues come from collecting and selling all sorts of personal data, in some instances without a moral conscience.” Mr. Balsillie, the former chair and co-CEO of Research in Motion (now BlackBerry Ltd.) made the comments while sharing a panel [see ETHI Parliamentary Committee meeting May 10, 2018 here] with Colin McKay, Google Canada’s head of public policy and government relations. Mr. McKay challenged Mr. Balsillie’s characterization of Google and told MPs that Google’s products “prioritize user privacy” and the company promotes a service called MyAccount that lets users manage their privacy and security. Earlier in the day, the committee heard from Elizabeth Denham, the United Kingdom’s Information Commissioner who is investigating the Cambridge Analytica issue, as well as Michael McEvoy, British Columbia’s Information and Privacy Commissioner, who is also conducting a related investigation. [G&M and at: Global News, CBC News, The Canadian Press (Via Ottawa Citizen) and National Observer]

CA – Former Elections Watchdog Says Liberals’ Bill C-76 Falls Short on Privacy

Marc Mayrand [wiki here], the man who ran Elections Canada from 2007 to 2016 [says] the federal government’s new election bill [the Elections Modernization Act – Bill C-76 – see PR here & Text here] falls seriously short of expectations when it comes to safeguarding Canadians’ private information In what Mayrand judged “a very small step,” the new bill will require political parties to post a policy on the treatment of people’s personal information: how they use, collect and protect it. Parties will be required to state how they train employees on safeguarding private data, and to provide contact information for a person to whom concerns can be addressed. The bill also states that parties must publish the circumstances under which personal information may be sold, although federal officials said they were unaware of any cases in which this had happened. The Elections Modernization Act, however, contains no independent verification measures and no penalties for violations. There are also, he noted, no assurances that Canadians will find out about breaches, nor avenues for them to request to see the information parties hold about them. The legislation is silent on whether parties can trade the data to anybody or whether they must obtain people’s consent to collect the data, he said. Teresa Scassa [here], Canada research chair in information law at the University of Ottawa, has also blasted the government [see here] for what she calls “an almost contemptuous and entirely cosmetic quick fix designed to deflect attention from the very serious privacy issues raised by the use of personal information by political parties.” [HuffPost]

CA – Alberta Privacy Commissioner Powerless to Investigate Political Parties’ Use of Voter Data

Alberta’s privacy commissioner is powerless to investigate how political parties are collecting and using voters’ personal information, but there’s little incentive for parties to change the status quo, observers say. Alberta’s Personal Information Protection Act (PIPA) [text here & overviews here] governs how companies are able to collect and use personal data, but exempts political parties — limiting the commissioner’s ability to investigate complaints of personal data misuse. The law can only be applied to political parties under exceptional circumstances related to commercial activity, such as selling, bartering or leasing of donor, fundraising or membership lists. University of Victoria Political scientist Colin Bennett has spent years researching privacy protection policies in Canada and abroad and studied how political parties accumulate voter data from social media sites, such as Facebook. “Essentially, individuals have no rights over their personal information that political parties capture” Bennett said provincial political parties don’t want to fall under privacy laws because it can limit campaigning abilities. “In a competitive electoral environment — and lord knows Alberta’s competitive — they’re not going to want to constrain their ability to campaign,” he said. “I would hope (privacy commissioner) Jill Clayton would be very forceful in advocating that Alberta political parties be covered under the Alberta legislation,” he said. “There’s no reason why Alberta should be any different from B.C.” British Columbia is unique among provinces in that its privacy commissioner has the authority to investigate and audit private companies and political parties suspected of skirting the law. [The Star]

CA – Trend of Police Secrecy Over Names in Homicides Raises Alarm

The names of the dead have not been released in a police-involved shooting in Nanaimo nor in a Victoria homicide. It’s becoming increasingly common practice among some agencies probing violent deaths not to release the identities. That’s because the RCMP, B.C. Coroners Service and the Independent Investigations Office, that probes fatal interactions, with police have all declined to identify the deceased. It’s an increasingly common, if inconsistent, practice across B.C. and other jurisdictions in Canada, in which agencies tasked with investigating violent deaths have, in some cases, stopped releasing victims’ names. Legal experts say it’s a trend that prevents Canadians from scrutinizing the criminal-justice system and the people who operate within it. Law-enforcement agencies and others argue that they’re simply obeying privacy laws and respecting grieving families. The Edmonton Police Service has taken a similar approach Steven Penney [here], law professor at the University of Alberta, said it’s a “troubling” practice that departs from Canada’s long-standing tradition of having an open, transparent and accountable criminal-justice system, adding “Our entire criminal-justice system is premised on the idea that when a serious crime occurs, it’s a crime against the entire society. And the entire society deserves to be informed about the implications of that crime and potentially become involved in scrutinizing the behaviour of all of those who are responsible for dealing with it.” [Victoria Times Colonist]

CA – Canada’s Privacy Commissioner Shares View on Autonomous Vehicles

Canada’s privacy commissioner Daniel Therrien presented his views on the privacy implications of autonomous and connected vehicles [remarks here] at a House of Commons transportation committee meeting on May 9th [see here]. Therrien appeared before the Standing Committee on Transport, Infrastructure and Communities (TRAN), in response to a study that was released in January of this year [see 78 pg PDF report here & Infographic here], which pointed to five key areas to help the government better prepare for a self-driving car-filled future including that the “government should put forward legislation to empower the Office of the Privacy Commissioner to proactively investigate and enforce industry compliance with privacy legislation.” He expressed concern with the fact that data flows in connected vehicles are very complex and, as a result of this fact, are not transparent. He touched on how his office has been looking to improve consent for users data by trying to find ways to give “individuals the ability to make decisions about their data.” Ideally, Therrien would like to see an amendment to the law that would allow the privacy office to “independently confirm that the principles in our privacy laws are being respected – without necessarily suspecting a violation of the law.” [MobileSyrup]

CA – Potential Privacy Class Action Against Ontario Auto Insurer

A class-action lawsuit was filed April 10 in Federal Court against The Personal over alleged use of credit scores in adjusting accident benefits claims. It’s not clear yet how many claimants there will be if the lawsuit is approved. Law firm Waddell Phillips Professional Corporation is asking Federal Court to certify the lawsuit as a class action on behalf of a specific class of Canadian auto insurance claimants [see PR here]. If approved by the court, that class would include people who made auto claims with The Personal Insurance Company after Jan. 18, 2012 “and who had their credit score information accessed by The Personal or its agents.” If the class action prevails in court] the insurer might have to pay up to $10,000 a claimant. In the lawsuit against The Personal, the plaintiffs are asking for an injunction prohibiting The Personal from “further using or accessing” personal credit scores for the purpose of adjusting auto accident benefits claims. They are asking Federal Court to award damages of $50 million, as well as aggravated, punitive or exemplary damages of $10 million. [Canadian Underwriter and at: Canadian Underwriter, The Insurance and Investment Journal and LowestRates.ca]


CA – 3 out of 4 Facebook Users Still Active Despite Privacy Scandal: Poll

Three-quarters of Facebook users have remained as active, or even more active, on the platform since the company’s recent privacy scandal, a joint Reuters/Ipsos poll revealed. According to the survey, Facebook’s reputation has suffered little among users. The poll comprised over 2,000 American Facebook users over the age of 18, and found that half of those surveyed had not changed the way they used the site, and another quarter said they were using it more. Analyst Michael Pachter of Wedbush Securities told Reuters that Facebook is lucky the scandal revolves around data being used for political ads and not for “nefarious” purposes. “I have yet to read an article that says a single person has been harmed by the breach,” he said. “Nobody’s outraged on a visceral level.” In its first quarter financial results, Facebook said the number of monthly users in the United States and Canada rose to 241 million on March 31 from 239 million on Dec. 31, growth that was roughly in line with recent years. While many seem unaffected by the privacy concerns, a segment of Facebook users is taking action to protect their information. According to the poll, the one quarter of Facebook users whose activity hasn’t stayed the same or increased has either gone down or ceased entirely. Although user activity seems to be returning to normal a few months after the initial story broke, an Angus Reid Institute/Global News poll released in the middle of March told a very different story about users’ trust in Facebook’s platform. The poll revealed that almost three-quarters of Canadians would change the way they use Facebook as the massive data scandal plaguing the company continues to unfold. [Global News]

WW – ISO Incorporates PbD Guidelines for Consumer Goods and Services

A new ISO project committee, ISO/PC 317, “Consumer protection: privacy by design for consumer goods and services”, will develop guidelines that will not only enforce compliance with regulations, but generate greater consumer trust at a time when it is needed most [see PbD wiki here]. Dr Cavoukian pioneered the concept of “privacy by design”, a framework that seeks to proactively embed privacy into the design specifications of information technologies, networked infrastructure and business practices. In her video address at the ISO workshop “Consumer protection in the digital economy”, which took place in Bali, Indonesia, –the week of May 6–she said “Regulatory compliance alone is unsustainable as the sole model for ensuring the future of privacy Prevention is needed.” “Privacy by design” is now recognized as a core part of the EU General Data Protection Regulation (GDPR) [see Article 25 of GDRP here] and forms the basis of the ISO standardization work now underway. Implementing the standard will help companies comply with regulations and avoid potentially devastating data breaches that erode consumers’ confidence in online services. [ISO News and at: ACROFAN, SC Magazine]


CA – CRTC Fines Retailers $100,000 for Lack of Consent

The Canadian Radio-television and Telecommunications Commission fined Quebec Inc. 9118-9076 and 9310-6359 for violations of Canada’s Anti-Spam Legislation. Marketing text messages offered recipients an opportunity to receive future commercial offers, and did not include the prescribed information to enable recipients to easily identify and contact the sender; the joint retailers have agreed to put in place a compliance program that includes employee training, adequate disciplinary measures for non-compliance with internal procedures, and corporate policies to ensure compliance with CASL. [CRTC – Undertaking 9118-9076 and 9310-6359 – Quebec Inc.]


CA – Citizen Lab Publishes Canadian Field Guide to Encryption

Shining a Light on the Encryption Debate: A Canadian Field Guide [see 107 pg PDF here] — co-authored by the Citizen Lab and the Canadian Internet Policy and Public Interest Clinic (CIPPIC) [here] — examines the parameters of the encryption debate, paying particular attention to the Canadian context. It provides critical insight and analysis for policymakers, legal professionals, academics, journalists, and advocates who are trying to navigate the complex implications of these technologies. The guide includes five sections: Section One provides a brief primer on key technical principles and concepts associated with encryption in the service of improving policy outcomes and enhancing technical literacy; Section Two explains how access to strong, uncompromised encryption technology serves critical public interest objectives; Section Three explores the history of encryption policy across four somewhat distinct eras, with a focus on Canada to the extent the Canadian government played an active role in addressing encryption; Section Four reviews the broad spectrum of legal and policy responses to government agencies’ perceived encryption “problem,” including historical examples, international case studies, and present-day proposals; and Section Five examines the necessity of proposed responses to the encryption “problem.” A holistic and contextual analysis of the encryption debate makes clear that the investigative and intelligence costs imposed by unrestricted public access to strong encryption technology are often overstated. [CitizenLab and at: BoingBoing]

EU Developments

EU – Eight Countries to Miss EU Data Protection Deadline

Eight EU states, Belgium, Bulgaria, Cyprus, the Czech Republic, Greece, Hungary, Lithuania and Slovenia will not be GDPR ready until far beyond the 25 May deadline. Vera Jourova, the European commissioner for justice, told reporters on Thursday (17 May) She would not hesitate to take the EU capitals to court in serious cases, noting that member states have had more than enough time to get their acts together. She blamed negligence and domestic debates for the delays. Some data authorities say they will still be able to impose sanctions and fines regardless of the missing national legislation. Only Austria, Germany, France, Croatia, the Netherlands, Sweden and Slovakia are ready with everyone else set to have their national acts passed by 25 May. Others like Spain, Italy, Portugal, Romania and Latvia are expected to be ready either end of May or beginning of June. [EU Observer]

EU – Article 29 Working Party Issues Final Guidelines on Consent

On 10 April 2018, the Article 29 Working Party (WP29) published revised guidelines [download 31 pg PDF] on consent under the General Data Protection Regulation (GDPR). Consent is one of the six GDPR bases for the lawful processing of personal data. WP29’s draft guidelines on consent were issued earlier this year. This article examines the differences between the draft and final guidelines [along the following lines]: 1) Conditions for valid consent – freely given; 2) Unambiguous indication of wishes; 3) Explicit consent; 4) Children; 5) Interaction between consent and other lawful grounds for processing; and 6) Re-consenting. [Technology Law Dispatch]

EU – Article 29 WP Adopts Finalized Guidelines on Transparency

The Article 29 Working Party (WP29) adopted, on 11 April 2018, finalized guidelines on transparency (the Guidelines) under the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) [download 40 pg PDF here], following its public consultation. Draft guidance on transparency were issued earlier this year, so this blog focuses on the key issues and what is new in the final guidelines [along the following lines]: 1) Information being “intelligible”; 2) Informing data subjects about changes to transparency-related information; 3) Providing information to children; 4) Clear and plain language; 5) Changes to Article 13 and 14 information; and 6) Layered privacy statements and notices. [Technology Law Dispatch]

EU – WP29 Issues Position Paper on GDPR Record-Keeping Obligation

The Article 29 Working Party (WP29) has published a position paper on the scope of the derogation from the obligation to maintain records of processing activities. Article 30.5 [see here] provides that the record-keeping obligation does not apply to organisations with less than 250 employees in certain circumstances. The WP29 has stated that the position paper was published as a result of a high number of requests from companies received by national Supervisory Authorities. Despite the existence of the derogation, the WP29 encourages SMEs to maintain records of their processing activities, as it is a useful means of assessing the risk of processing activities on individuals’ rights, and identifying and implementing appropriate security measures to safeguard personal data. In light of the new accountability principle in the GDPR requiring organisations to be able to demonstrate how they comply with their GDPR obligations, it would certainly be prudent for all organisations, regardless of size, to maintain such records. [Ireland IP]

UK – Court Orders Government to Rewrite Investigatory Powers Act

A UK Court considered a request for judicial review of the retention provisions of the UK’s Investigatory Powers Act 2016, and ruled that the retention provisions of the Act are incompatible with fundamental rights in EU law (access to retained data is not limited to the purpose of combating “serious crime”, and access to retained data is not subject to prior review by a court or an independent administrative body), and the government must amend the Act by November 1, 2018. [The National Council for Civil Liberties (Liberty) v. Secretary of State for the Home Department & Secretary of State for Foreign and Commonwealth Affairs – [2018] EWHC 975 (Admin) – England and Wales High Court (Administrative Court) ]

Facts & Stats

UK – ICO Reports Data Incidents Spike 17%, Human Error Dominates

The number of data security incidents reported to the UK’s Information Commissioner’s Office (ICO) jumped 17% between the final three months of 2017 and the first quarter of 2018, according to new figures. In its last update [see here] before the EU GDPR takes effect, the privacy watchdog revealed a rise in incident reports from 815 to 957. Although cybersecurity-related incidents increased by 31% from the previous quarter, the first month-on-month increase since Q4 2016-17, human error dominated. In fact, over the 2017-18 financial year, 3325 reports were filed with the ICO, with the number one breach type “data emailed to incorrect recipient,” (13%) followed closely behind by “data faxed to wrong recipient” (13%). Also high was “loss or theft of paperwork” (13%). The healthcare sector accounted for by far the largest volume of reports (37%), although this figure is likely to be a result of mandatory reporting rules. After health came “general business” (11%), education (11%) and local government (10%). [[Infosecurity Magazine and at: ISBuzz News]

US – Equifax Reveals How Much Information Was Really Exposed in Data Breach

How bad was Equifax’s data breach? Bad. In a new filing with the Securities and Exchange Commission, the credit reporting agency broke down in detail the types of – and how much exactly – sensitive personal information was exposed to hackers in the breach. A statement for the record from Equifax included in the SEC filing breaks down what types of personal information and data was exposed in the September 2017 data breach. The disclosure comes at the urging of several Congressional committees. According to Equifax, the company recently sent a letter to several Congressional committees providing additional detail on the data that was exposed in the breach. In its letter, Equifax said that the names and dates of birth for approximately 146.6 million people were exposed, as well as 145.5 million Social Security numbers, the address information for 99 million people, the gender data for 27.3 million people, 20.3 million consumers’ phone numbers, 17.6 million driver’s license numbers, 1.8 million email addresses, 209,000 payment card numbers and expiration dates, 97,500 tax ID numbers, and the state information for 27,000 driver’s licenses. Additionally, Equifax noted that the hackers also gained access to images uploaded to the company’s online dispute portal by approximately 182,000 consumers, including: 38,000 driver’s licenses; 12,000 Social Security and tax ID cards; 3,200 passports and passport cards; and 3,000 other documents, including military and state IDs and resident alien cards. According to Equifax, it is releasing this information as part of its “commitment to transparency.” [Housingwire]


CA – RTBF: PIPEDA Should Not Regulate Online Speech

The Stanford Center for Internet and Society comments on the Office of the Privacy Commissioner of Canada’s draft position on online reputation. Academics note that data protection laws lack well-developed standards that balance and protect expression rights, introduce unintended consequences (e.g. online platforms and search engines would be required to seek consent before processing user-generated information), and platforms would likely comply with abusive or mistaken notices to avoid litigation risks [Response to the OPC Consultation and Call for Comments on Draft Online Reputation Position Paper – Stanford Center for Internet and Society]


CA – OPC Concerned Bank Act Changes Could Open Door to More Data Abuses

Privacy Commissioner Daniel Therrien is expressing concern with new banking powers over customer data that are contained in the government’s latest budget bill, telling the Senate banking committee [here] that his office was never consulted on the Bank Act changes [see PR here & Commissioner’s remarks here]. Senators have heard conflicting testimony as to what the Bank Act changes [see Division 16 of Part 6 of Bill C-74, the Budget Implementation Act, 2018, No.1 here & Bill status here] would allow in practice. The Finance Department and the banking sector say they are simply about modernizing language to reflect the growth of financial technology firms, or fintechs. However critics warn that the changes would give banks new powers to sell customer data to fintechs, which are in many cases not subject to federal financial regulation. Mr. Therrien said more co-operation between banks and fintechs may be a good thing, but consumers should be able to approve how their data are used through a clear and understandable consent form. He said there is nothing in the bill that would ensure that is the case. [Globe & Mail]


CA – Government Won’t Appeal Decision in Star’s Challenge to Secrecy in Tribunals

The Ontario government will not be appealing a Toronto Star legal victory which should lead to more openness in the province’s tribunal system. Last month, the court ruled in favour of a constitutional challenge launched by the Star that sought greater access to records from such quasi-judicial bodies as the Human Rights Tribunal and the Landlord and Tenant Board. Justice Edward Morgan found [see Toronto Star v. AG Ontario, 2018 ONSC 2586 – here] that denying access to tribunal records was an “infringement” of the Charter of Rights and Freedoms that the provincial government had failed to justify he ruled this violates section 2(b) of the Charter – here]. The judge gave the province one year to make the tribunal system more accessible to journalists and the public. Morgan declared as “invalid” provisions of Ontario’s Freedom of Information and Protection of Privacy Act (FIPPA) that delay or block public access to tribunal records. [Toronto Star] [Ontario Court Finds FIPPA Blocks Public Access to Tribunal Records | Toronto Star Newspapers Ltd. v. AGO – 2018 ONSC 2586 CanLII – Ontario Superior Court of Justice]

CA – Transparency Study Shows Inadequate Access Processes

The Citizen Lab, a university research group, compared responses to data access requests made under PIPEDA, to 23: telecommunications companies; fitness trackers; and online dating services. Information provided by telecoms, fitness trackers and online dating services responses to access requests varied widely in types of data provided, specificity of questions answered, and clarity about disclosures to third parties, and there were barriers to access including identity verification procedures, secure data transfer requirements, fees charged, and companies stating they were not bound by Canadian privacy laws. [Approaching Access – A Comparative Analysis of Company Responses to Data Access Requests in Canada – The Citizen Lab | Coverage]

CA – CSIS Permitted to Refuse Access Request

The Federal Court of Canada reviewed the Canadian Security Intelligence Service’s response to an access request, pursuant to the Access to Information Act. The Federal Court of Canada upheld CSIS’ refusal to confirm or deny the existence of records identifying an individual; investigative records consist predominantly of sensitive national security information, and if such records did exist, they would likely be exempt from disclosure on the basis of protecting a CSIS investigation. [VB v. Canada Attorney General – 2018 FC 394 CanLII – Federal Court of Canada

Health / Medical

CA – Ontario Health Minister: People Have a Right to ‘As Much Transparency as Possible’ When It Comes to Doctors’ Pasts

Ontario Health Minister Helena Jaczek says the province’s medical watchdog should provide patients with “as full a picture” as possible of physicians’ disciplinary and criminal histories after a Toronto Star investigation found the public is being deprived of information about sanctions imposed in other jurisdictions. “Obviously, I’m in favour of as much transparency as possible,” Jaczek said in an interview at Queen’s Park. “I think that people have a right to know.” The Star’s 18-month investigation identified 159 disciplined doctors who have held licences on both sides of the Canada-U.S. border, and used public records to piece together their disciplinary histories across provincial, state and country lines. Ninety per cent of these doctors’ public profiles in Canada failed to fully report sanctions taken against them for a range of offences, including incompetence, improper prescribing, sexual misconduct and fraud, the investigation found. The College of Physicians and Surgeons of Ontario (CPSO), the self-regulating body that oversees the province’s doctors, recently amended its bylaws to allow it to post some information about discipline imposed in other jurisdictions on its physician profiles. However, the college only posts sanctions imposed on Ontario doctors outside the province after Sept. 1, 2015. Jaczek said the disciplinary information on the college’s website should be “retrospective.” NDP health critic France Gélinas said greater transparency by the CPSO should have been “mandated long ago.” “The health minister must demand the physicians’ college posts all disciplinary measures that have happened to any of their members, no matter what jurisdiction it’s from,” she said. “We know full well that physicians move. The CPSO is there to protect the public. People expect that. Let’s meet people’s expectations.” Earlier this week, Alberta’s health minister pledged to work with her province’s medical college to post information about sanctions imposed on its doctors by regulators in other jurisdictions. Sarah Hoffman also said she would review the college’s current practice of scrubbing all disciplinary details from doctors’ online profiles after five years. Unlike in the U.S., Canada has no national agency that collects and disseminates licensing and disciplinary information on doctors. The Star’s investigation found some Canadian physicians’ colleges keep secret basic information readily disclosed by other regulators. Quebec’s college, for example, told the Star that a physicians’ credentials — when and where they graduated from medical school — is confidential information. The secrecy of Canadian colleges is in sharp contrast to their counterparts in the U.S., where consumer legislation governs many medical boards and mandates openness. [Toronto Star]

CA – SK OIPC Calls on Health Authority to Fire Employee Who Breached 880 Patient Files

Saskatchewan’s Information and Privacy Commissioner is recommending the provincial health authority fire an employee of the former Sun Country Regional Health Authority who accessed the information of 880 home care clients without a “need to know.” Ronald Kruzeniski, in a report issued on April 30, also recommended the Saskatchewan Health Authority send its investigation file to the Ministry of Justice’s public prosecutions division to determine whether an offence occurred and whether charges should be laid under the Health Information Protection Act. The employee’s name was not disclosed in Kruzeniski’s report. [Saskatoon StarPhoenix]

US – OCR To Share HIPAA Data Breach Settlements With Victims

OCR is proposing to share a percentage of HIPAA data breach settlements with victims, as required by the HITECH law. In the HHS semiannual regulatory agenda [see RIN: 0945-AA04 here & full agenda here] OCR said it is soliciting the public’s view on establishing a methodology for those harmed by a data breach or other HIPAA violation to receive a percentage of any penalty or settlement resulting from the breach. The office plans to issue an advance notice of proposed rulemaking with the proposal in November. While this is an intriguing proposal, its implementation might be a huge challenge for OCR. “The devil is in the details. There are potential issues with this approach,” Marcus Christian, a cybersecurity and data privacy attorney with the law firm of Mayer Brown said. [Health IT Security and at: Bloomberg Law here & here]

US – HHS Distinguishes Between Risk and Gap Analyses

The HHS Office of Civil Rights issued guidance on safeguarding electronic protected health information by conducting risk and gap analyses. Entities subject to the HIPAA Privacy and Security Rule must conduct analyses of all potential risks to ePHI, including identifying all potential threats and vulnerabilities, assessing effectiveness of controls in place, and assigning risk levels. Gap analyses do not satisfy risk analysis obligations because they provide a high level overview of controls and do not thoroughly assess all ePHI risks. [HHS – Risk Analyses vs. Gap Analyses – What is the Difference]

Horror Stories

CA – Insider Threats: OIPC SK Finds Health Entity Had Insufficient Safeguards

This OIPC SK report investigates a complaint against the Saskatchewan Health Authority involving personal health information pursuant to the Health Information Protection Act. An employee admitted to inappropriately accessing PHI in a healthcare system despite having access only on a need-to-know basis; the employee had signed a confidentiality agreement (but 4 years prior) and had never received any privacy training (the employee had not heard of the Health Information Protection Act). [OIPC SK – Investigations Report 066-2018 – Saskatchewan Health Authority]

Identity Issues

CA – Ontario Issues First Non-Binary ‘X’ Birth Certificate

A Vancouver filmmaker and writer has received Ontario’s first non-binary birth certificate. Ontario-born Joshua M. Ferguson identifies as non-binary trans and uses the pronouns “they” and “them.” The birth certificate is marked with an “X” designation, indicating a non-binary person. Ferguson applied to Service Ontario for the document in 2017, and filed a human rights claim when it was not initially granted. The province issued new guidelines on gender designations last year. Ontario says it is the first jurisdiction in the world to implement a two-fold policy, allowing the selection of either male, female or non-binary, and allowing the option of not displaying such identification on a birth certificate. Ferguson has also fought for an “X” designation on BC Health Cards. They were also among the first to have their application for an “X” designation approved under new rules for passports and other documents issued by Immigration, Refugees and Citizenship Canada. Ferguson called the Ontario birth certificate a “victory,” both personally and for all trans Canadians. “This policy makes it clear that non-binary people exist,” they said. “We are Ontarians and Canadian citizens. [CTVNews]

Law Enforcement

UK – Amnesty Int’l Report Hits Met Police’s Gang Mapping Database

A secret police database aimed at tackling rising violence in London could lead to black families being evicted from their homes and as well as young people denied access to education or employment, according to a new report. An investigation by Amnesty International (called “Trapped in the Matrix” – see PR here and 54 pg PDF report here] into the Metropolitan Police’s gang mapping database which is called the Gang Violence Matrix, highlighted criticisms about the disproportionate number of young black males that feature on it. As well as the seemingly discriminatory nature behind how information is collated the report also raised serious concerns about how police officers share this data with housing associations, schools and job centres. [Voice Online and at: The Conversation UK, UKAuthority, CNBC and Apolitical]


WW – Apple Reportedly Hits Back at Apps That Are Snooping on You

Apple is reportedly kicking third-party apps out of the App Store that are sharing users’ locations, as privacy remains in the spotlight in the wake of the Facebook/Cambridge Analytica scandal and pending regulation across the Atlantic. 9to5Mac reports that Apple has recently been removing apps that are sharing location data with third parties and sending the app developers a notice that the app is violating two different parts of the App Store Review Guidelines. The two sections in question are Legal 5.1.1 and Legal 5.1.2 which state: The app transmits user location data to third parties without explicit consent from the user and for unapproved purposes. 9to5Mac noted that Apple also wants developers to explain what the location data is used for, how it is shared, as well as asking for permission. [Fox News]

CA – OPC Looking into Reports Bell, Telus, Rogers Shared Location Data

Privacy officials in Canada plan to look into reports that Canadian telecom companies share location data on subscribers with third-parties, a practice that, in at least one case, appears to have allowed similar data on Americans to be accessed by police without a warrant. Bell, Rogers and Telus were named in an article on ZDNet.com as among the North American telecom companies selling real-time location data on subscribers to a company called LocationSmart. A spokesperson from the office of Privacy Commissioner said there were few details to share right now, but that the office would be looking into the matter. Telus did not respond to a request for comment but spokespersons for Bell and Rogers said the location data in question is not directly shared by them. Instead, it is done by a joint venture owned by all three telecom companies called Enstream. One of its partners is LocationSmart. Enstream is described on its website as providing identity verification services for third-party applications. It operates as a sort of hub of information held by the Canadian telecom companies and others can buy access to the data to do things like verify mobile subscriber identity, allow a roadside assistance company to locate a caller, or verify credit card information used in mobile payment systems. Enstream has launched a security review of its relationship with LocationSmart in light of the reports. [Global News and at: Krebs on Security, CNNTech, Motherboard, WIRED and Reuters | Globe & Mail | The Star | The Star]

Online Privacy

WW – Period Tracking Apps Monetizing Your Menstrual Cycle

Women who use menstruapps are sharing information about their health, sex life and social behaviours that may be sold to advertisers. Whether it’s Clue, FitBit or Eve, there has been a surge in popularity for period tracker apps in recent years. According to researchers at Columbia University, ‘menstruapps’ are now the fourth most popular app category among adults and second most popular among adolescent women in the ‘health apps’ category. From inputting information about moods, pain, cervical fluid and forms of contraception, the apps can be used to better inform women about their sexual health and indicate potential health issues. However, many of us won’t be considering that the apps also track and store vast amounts of personal information, which have the potential to making companies some serious money. Chupadados, a Brazil-based cyber security guide powered by women-led think tank Coding Rights recently delved into what menstruapp users sign up for when they agree to an apps’s terms and conditions. In studying the companies’s privacy policies, Chupadados found that ‘all of the apps rely on the production and analysis of data for financial sustainability’. In other words, the apps make money by sharing users’ personal information and activity on the apps with other businesses, target users for advertisements and product sales. In addition, users’ digital footprints help inform marketing strategies and business models. ‘Every piece of information that we put online becomes something valuable for companies, making our online activities a key component of their economic survival strategies,’ the website explains. ‘Feeding on our data, these tools serve as laboratories for observing physiological and behavioural patterns from period frequency and associated symptoms to users’ buying and Internet navigation habits.’ ‘Monitoring your cycle using a menstruapp means telling the app regularly if you went out, drank, smoked, took medication, got horny, had sex, had an orgasm and in what position, what your poop looked like, if you slept well, if your skin is clear, how you feel, and if your vaginal discharge is green, has a strong odour or looks like cottage cheese,’ Chupadados notes on its website. [Elle] See also: How Worried Should Parents Be About Apps and Websites Collecting Children’s Data?

WW – Data on 3 Million Facebook Users Exposed, Report Says

Researchers at the University of Cambridge uploaded user data from 3 million Facebook users onto a shared portal. They locked the data with a username and password. But students later posted the login credentials online. That exposed the data to anyone who did a quick web search to find the username and password, according to a report from New Scientist. In the new data exposure incident revealed by New Scientist, a different set of researchers collected user information with consent through a personality app, called myPersonality, and then made it available through a web portal. About four years ago, students with access to the data set posted the username and password online on the data sharing website GitHub. While the data was anonymized, privacy experts told the publication that it would be easy to associate data in the collection with the person who originally posted it on Facebook. The myPersonality app has been suspended since April 7. Facebook is aware that the login credential was published on GitHub; the issue was flagged in the company’s program for fielding information about potential misuse or abuse of Facebook user data. [CNET]

UK – “Safari Workaround” Class Action Could Cost Google $4.3 Billion

Google appeared in a UK court to argue against a privacy case brought by the group Google You Owe Us, representing 4.4 million iPhone users that could lead to the search giant paying up $4.3 billion if it loses. Each of class members could receive about $1,000. A lawsuit, filed in July, alleged the tech company violated their privacy from 2011 to 2012 through the “Safari Workaround” [see here]. While Apple’s iOS devices have default privacy settings on its Safari browser, Google was able to bypass it and collect browser data without people’s consent, according to the allegations. The workaround was first discovered in 2012 by a Stanford University researcher. Google agreed to pay $17 million to 37 states and Washington, DC, in a 2013 settlement. The company also agreed to pay a $22.5 million fine from the Federal Trade Commission over the data-tracking practice. [CNET and at: Bloomberg, The Guardian, The Inependent and AppleInsider]

Privacy (US)

US – Suspicionless Border Searches of Electronic Devices Unconstitutional

The U.S. Court of Appeals for the Fourth Circuit’s May 9 ruling in U.S. v. Kolsuz is the first federal appellate case after the Supreme Court’s seminal decision in Riley v. California (2014) to hold that certain border device searches require individualized suspicion that the traveler is involved in criminal wrongdoing. Two other federal appellate opinions this year—from the Fifth Circuit and Eleventh Circuit—included strong analyses by judges who similarly questioned suspicionless border device searches. EFF filed an amicus brief in Kolsuz arguing that the Supreme Court’s decision in Riley supports the conclusion that border agents need a probable cause warrant before searching electronic devices EFF has long argued that border agents need a warrant from a judge, based on probable cause of criminality, to conduct electronic device searches of any kind. The Supreme Court’s pre-Riley case law, however, permits warrantless and suspicionless “routine” searches of items like luggage that travelers carry across the border, a rule known as the border search exception to the Fourth Amendment’s warrant requirement. Based on these pre-Riley cases, the government claims it has the power to search and confiscate travelers’ cell phones, tablets, and laptops at airports and border crossings for no reason or any reason, and without judicial oversight. While we would have liked to see the Fourth Circuit go further by expressly requiring a warrant for all border device searches, we’re optimistic that we can win such a ruling in our civil case with ACLU against the U.S. Department of Homeland Security, Alasaad v. Nielsen, challenging warrantless border searches of electronic devices. [EFF and at: ACLU Blog, Reuters and Reason]

US – Justices Rule Unanimously for Driver in Rental-Car Case

The Fourth Amendment protects us from (among other things) a warrantless search of a place – such as our homes – that we can reasonably expect to remain private. Today the Supreme Court ruled that a driver who has permission to use a rental car is generally entitled to the same protections under the Fourth Amendment as the driver who rented the car. The court’s decision came in the case of Terrence Byrd [see all court docs for Byrd v. United States here], a New Jersey man who was driving a car rented by Latasha Reed, his fiancée (or former girlfriend, depending on whose account you are reading), when he was pulled over by a state trooper in Pennsylvania. The trooper gave him a warning for driving in the left lane and then searched the car, believing that he didn’t need Byrd’s consent because Byrd was not listed as an authorized driver on the rental agreement. The troopers found body armor and 49 bricks of heroin in the trunk, leading to federal charges against Byrd. In a unanimous decision by Justice Anthony Kennedy [see Byrd v. United States – 21 pg PDF decision here], the justices rejected the federal government’s argument that a driver who is not listed on the rental agreement can never have a reasonable expectation of privacy in the car, because the rental company has not given him permission to use it. That rule, the justices concluded, “rests on too restrictive a view of the Fourth Amendment’s protections.” Under the Supreme Court’s cases, the justices explained, whether someone has an expectation of privacy in a car shouldn’t hinge on whether the person who gave them permission to drive it owns the car or rented it. [SCOTUS Blog and at: Reason, ABA Journal, JURIST, The Associated Press (via WP) and Bloomberg]

US – Children and Minors: Updated Meaning of PI Benefits COPPA Safe Harbor

The Electronic Privacy Information Center responded to the FTC’s request for public comment into the Entertainment Software Rating Board’s COPPA safe harbor program. In response to an FTC public consultation, advocates urge the adoption of an enhanced definition of personal information to address changes in technology and prevent online operators from alleging an exemption to the scope of COPPA; geographic limitations should be removed so that its clear COPPA applies to all web operators regardless of a child’s residency or nationality, and risk assessments and self-assessments are critical for necessity and proportionality. [EPIC – Comments to the FTC on COPPAs Entertainment Software Rating Boards Safe Harbor Program Application to Modify Program Requirements]


US – Banks Adopt Military-Style Tactics to Fight Cybercrime

Cybercrime is one of the world’s fastest-growing and most lucrative industries. At least $445 billion was lost last year, up around 30% from just three years earlier, a global economic study found, and the Treasury Department recently designated cyberattacks as one of the greatest risks to the American financial sector. For banks and payment companies, the fight feels like a war — and they’re responding with an increasingly militarized approach. Former government cyberspies, soldiers and counterintelligence officials now dominate the top ranks of banks’ security teams. They’ve brought to their new jobs the tools and techniques used for national defense: combat exercises, intelligence hubs modeled on those used in counterterrorism work and threat analysts who monitor the internet’s shadowy corners. At least a dozen banks have opened fusion centers (a concept originally developed by the US DHS see here) in recent years, and more are in the works. Having their own intelligence hives, the banks hope, will help them better detect patterns in all the data they amass. Cybersecurity has, for many financial company chiefs, become their biggest fear, eclipsing issues like regulation and the economy. [NY Times]

UK – 41% of Cyber-Security Apps Contain High-Risk Open Source Vulnerabilities

According to the 2018 Open Source Security and Risk Analysis (OSSRA) report from Black Duck by Synopsys and published today, open source adoption in the enterprise is growing fast. Unfortunately, the statistics regarding vulnerabilities in open source codebases are equally high. Analysing anonymised data from more than 1,100 commercial codebases, the researchers found that 96% of the applications audited across 2017 contained open source components. Representing industries from automotive to healthcare, financial services to manufacturing, and even cyber-security, the report reckons this reflects a 75% growth in open source adoption over the previous year. Indeed, the research suggests that most applications now contain more open source code than they do proprietary code. Which is all good news for fans of open source. The less good news is that 78% of the audited codebases contained at least one open source vulnerability. More worrying is that 54% of these vulnerabilities were considered to be high-risk, and 17%  were very well publicised ones such as Freak, Heartbleed and Poodle. While the most vulnerable open source components were found within the Internet and Software Infrastructure vertical, with 67% of applications containing high-risk vulnerabilities, the cyber-security industry also fared badly with 41% of apps having them as well. [SC Magazine UK | Synopsis ]

CA – Apps and Websites Collecting Children’s Data

In recent months, the Cambridge Analytica scandal has raised discussion over the privacy risks associated with online data collection. These risks apply to everyone, including young children, says Florian Martin-Bariteau [see here], assistant professor and director of the Centre for Law, Technology and Society at the University of Ottawa. He says websites and apps that are aimed at children may obtain more personal information about them than they, or their parents, realize. And there are concerns about how all this data may be used – whether it’s for personalized advertising, potentially accessed by hackers, or used by organizations aiming to influence users’ attitudes. Last month, a study in the journal Proceedings on Privacy Enhancing Technologies found thousands of popular children’s apps potentially violate U.S. privacy rules. Researchers found 73% of the 5,855 apps they analyzed transmitted confidential data over the internet, and nearly 20% of them collected identifiers or other personally identifiable information using software development kits (SDKs) that are not intended to be used for apps aimed at children. These findings echo the results of a 2015 global privacy sweep that found many websites and apps that were popular among children collected, and sometimes shared, personal data, including full names, genders and hometowns. That sweep, conducted by the Global Privacy Enforcement Network [see here], which included the Office of the Privacy Commissioner of Canada (OPC), found 62% of websites and apps popular in Canada said they may share users’ personal information with third parties, while only 29 per cent sought parental consent before collecting children’s data. (Since then, the OPC has reported that some apps and websites had responded, including five targeted sites that said they had made changes, such as asking for a parent or guardian’s full name and contact details instead of the child’s.) [Globe & Mail]

Smart Cars

WW – The Vehicles Record Everything Around Them—And Can Be Used To Profile Pedestrians

According to officials at Waymo, the company developing Google’s self-driving cars, its autonomous vehicles are months away from reaching everyday people. Since January 2017, the organization has sent test cars to motor around cities including Atlanta, Austin, Detroit, and Phoenix. Driving more than 2.7 million miles without human input, the vehicles have only been involved in one accident—a fact that’s prompted Waymo’s chief executive John Krafcik to announce that its fleet could ferry ordinary Phoenix residents as soon as next year. In short—self-driving cars have arrived. There are, however, huge risks. Hacking, software failures, and letting computers make life-and-death decisions inspire unease among individuals. But for one industry expert, the biggest issues will be around data collection and privacy. “The technology works through a number of sensors. The principal one is lidar—a radar that uses infrared light to give a very accurate 3D picture. Then there’s radar for longer-distance detection, and ultrasonic sensors for things that are close—similar to the back-up warnings in a regular vehicle. There are also cameras with machine vision that check for traffic lights, road signs, and other obstacles. It sees 360-degrees around itself, 10 to 20 times a second. That’s a lot of data.” “These vehicles aren’t just going to have data on your journey,” he says. “They see everything from the road. Even if you don’t sign up to their services, if you’re out on the streets, it’s possible to see you regularly, profile you—even without facial recognition—and learn things about your habits. “These cars are basically mobile sensors that gather data,” he continues. “We can use them to wherever we want data to be collected. So overnight, between the hours of midnight and seven in the morning, most people aren’t looking for a ride. If a company owns a fleet of vehicles, they can offer those cars to businesses or factories that want external security. The vehicle can be parked outside the premises, and companies would pay to have it monitor the surroundings. There are whole new business models that could be based on the sensors on these vehicles.” [Straight]

CA – Smart Cars: Meaningful Consent Plays Vital Role

The OPC Canada appeared before the Standing Committee on Transport, Infrastructure and Communities regarding their study of automated and connected vehicles in Canada. The OPC Canada believes drivers do not necessarily need to control how information is used for road safety purposes and proper functioning of the vehicle, but many other situations should be subject to individual choice (e.g., collection and use of biometric or health data); in complex situations, consent should be supported by industry codes of practice, organizational accountability and privacy by design. [OPC Canada – Appearance Before the Standing Committee on Transport Infrastructure and Communities in Relation to its Study of Automated and Connected Vehicles in Canada.]


US – Spy Agency NSA Triples Collection of U.S. Phone Records: Official Report

The U.S. National Security Agency collected 534 million records of phone calls and text messages of Americans last year, more than triple gathered in 2016, a U.S. intelligence agency report [see PR here & 41 pg PDF here] released on Friday said. This occurred during the second full year of a new surveillance system established at the spy agency after U.S. lawmakers passed a law in 2015 that sought to limit its ability to collect such records in bulk. The 2017 call records tally remained far less than an estimated billions of records collected per day under the NSA’s old bulk surveillance system, exposed Edward Snowden in 2013. The records collected by the NSA include the numbers and time of a call or text message, but not their content. The report also showed a rise in the number of foreigners living outside the United States who were targeted under a warrantless internet surveillance program, known as Section 702 of the Foreign Intelligence Surveillance Act, that Congress renewed earlier this year. [Reuters and at: Forbes, ZDNet, CSO Online, Common Dreams and GIZMODO]

Telecom / TV

CA – Ontario Bill Prohibits Unsolicited Phone Calls

Bill 27, the Stop the Calls Act, 2018, has been introduced for first reading in the Ontario Legislature. The Act would come into force two months after receiving Royal Assent. If passed, prior consent (orally, in writing, or other affirmative action) must be obtained for calls selling or advertising a product or service; contracts entered into based on an unsolicited call will be void (consumers are entitled to repayment for the product or service, and reasonable costs incurred for uninstalling and returning the product), and violations can result in fines ranging from $5,000 to $25,000. [Bill 27 – An Act to Prohibit Unsolicited Phone Calls for the Purpose of Selling, Leasing, Renting or Advertising Prescribed Products or Services – Legislative Assembly of Ontario | Bill Status | Bill Text




24 April – 05 May 2018


US – Legal Ambiguity Surrounds Biometric Authentication

A recent report involving a police attempt to use a dead man’s fingerprint to unlock his phone is a reminder of the problems with biometric security and the legal protections for users of the technology. Additional reporting shows the prevalence of the practice among law enforcement is “relatively common,” raising the legal ambiguity associated with biometric authentication. Although there may be vulnerabilities with passwords, the article states that current legislation does not extend the same protections to biometric authentication as it does to traditional passwords. [TechRepublic]

US – Facial Recognition May Be Coming to a Police Body Camera Near You

Axon, the maker of Taser electroshock weapons and the wearable body cameras now used by most major American city police departments, has voiced interest in pursuing face recognition for its body-worn cameras. It convened a corporate board devoted to the ethics and expansion of artificial intelligence, a major new step toward offering controversial facial-recognition technology to police forces nationwide. The technology could allow officers to scan and recognize the faces of potentially everyone they see while on patrol. A growing number of surveillance firms and tech start-ups are racing to integrate face recognition and other AI capabilities into real-time video. A group of 42 civil rights, technology and privacy groups, including the ACLU and the NAACP, sent board members a letter voicing “serious concerns with the current direction of Axon’s product development.” The letter urged an outright ban on face recognition, which it called “categorically unethical to deploy” because of the technology’s privacy implications, technical imperfections and potentially life-threatening biases. [WashPost and at: NBC News, PCMag, Fortune, Engadget and The Verge]


CA – OPC Canada Calls for Commitment to Privacy in Smart Cities

The OPC Canada and a number of provincial and territorial counterparts send an open letter to the federal government regarding personal information handling in smart cities: the government recently launched a competition for submissions of proposals for smart city designs. Data that smart technologies collect and use can come from many sources, often without knowledge, consent or an opportunity to opt-out; privacy impact and threat risk assessments must be conducted, data governance and privacy management programs put in place (appointing a privacy lead, breach response, and monitoring compliance), and full transparency of information practices provided OPC Canada – Joint Letter to the Minister of Infrastructure and Communities on Smart Cities Challenge | Press Release]

CA – Court Finds Tribunal Secrecy Unconstitutional

Ontario Superior Court declared as “invalid” provisions of Ontario’s Freedom of Information and Protection of Privacy Act that delay or block public access to tribunal records [he ruled they violate section 2(b) of the Charter]. The province has one year to consider how to make its tribunal system more open and accessible to journalists and the public. Ontario’s network of provincial tribunals rule on matters as important as human rights, workplace safety and police conduct, and have been operating well outside the spirit and practice of an open court system for far too long. Tribunals were born of the court system and designed to hive off specialized matters and relieve overburdened courts. They were not created to drop a veil of secrecy over important matters of public interest. But that, unfortunately, is what’s been happening far too often in Ontario. Toronto Star v. AG Ontario, 2018 ONSC 2586 | Ontario Court says FOI statute fails in providing access to administrative tribunal records | Toronto Star | Ontario’s tribunals ‘fundamentally different’ from courts, province argues | Ontario says tribunals should not be as open as courts]

CA – Ontario Law Firm Files Class Action Suit Against Facebook

A London, Ontario-based law firm [Siskinds LLP] has launched a class action lawsuit against Facebook and its Canadian subsidiary for the social network’s role in the Cambridge Analytica data privacy scandal. The filing was submitted to the Ontario Superior Court of Justice on May 2nd, 2018 — the same day that Cambridge Analytica announced that it would be ceasing its operations in the U.K. The class action seeks $62,216,100 CAD in damages as well as an additional $1,000 for all Canadian Facebook users affected by the breach. Facebook reported that 622,160 Canadians were affected by the Cambridge Analytica privacy scandal. While the class action mentions Cambridge Analytica, it’s important to note that the lawsuit doesn’t seek damages from the U.K.-based data analytics company. Instead, the suit specifically outlines Facebook and Facebook Canada as the sole defendants. Siskinds lawyer Sajjad Nematollahi said that the “class action concerns the fundamental privacy rights of hundreds of thousands of Canadians, and engages the interests of Canadians at large in protecting the privacy of their affairs.” [Mobilesyrup and at: The Toronto Star]

CA – OIPC SK Permits Disclosure of Termination Letter

This OIPC SK report investigated the Northern Lights School Division No. 113’s disclosure of personal information pursuant to: The Local Authority Freedom of Information and Protection of Privacy Act; and The Local Authority Freedom of Information and Protection of Privacy Regulations. A school board whose former employee was assigned by a new employer to work in the board had the authority to disclose the letter to the new employer; the letter was a concise expression of the reasons why the board did not want the individual working in their schools or with their students, and the board respected the data minimization principle by redacting an irrelevant paragraph containing the individual’s PI. [OIPC SK – Investigation Report 296-2017 – Northern Lights School Division No. 113]

CA – IPC ON Upholds Utility’s Refusal to Confirm or Deny FOI Records

Ontario IPC order reviewed the response by Toronto Hydro Corporation to a request for records pursuant to the Municipal Freedom of Information and Protection of Privacy Act. Confirmation or denial of records concerning possible privatization would constitute an unlawful act by the utility under another governing provincial statute, and the utility has not made any public statement on the matter (the mayor may have, but not the utility itself). [IPC ON – Order MO-3575 – Appeals MA16-132 and MA16-133 – Toronto Hydro Corporation]


US – Citizens Do Not Trust Tech Companies to Protect Their Data: Study

A survey conducted by HarrisX found U.S. citizens do not trust tech companies to protect their information. Of the respondents polled within 24 hours of Facebook CEO Mark Zuckerberg’s testimony on Capitol Hill, 83% said tougher regulations and penalties are needed for privacy breaches, while 67% said they support privacy legislation, such as the EU General Data Protection Regulation. However, 38% believes the federal government is not capable of regulating large tech companies. When asked about specific tech companies, 44% said they do not believe Facebook cares about privacy, with Twitter having the next highest number at 33%. [Axios]


CA – OIPC Ontario Says Smart Cities Privacy ‘Must Be Front and Centre’

Ontario’s information and privacy commissioner Brian Beamish believes that privacy and security need to be part of the discussions surrounding smart city projects in the province. In an April 26th, 2018 media release [see PR here also see 5 pg PDF letter to Minister], Beamish wrote that “privacy and security of citizens must be front and centre in smart city projects.” Beamish’s statement comes amidst a series of smart city ventures taking place across Ontario — most notably, the Sidewalk Toronto venture between Waterfront Toronto and Alphabet’s Sidewalk Labs urban development firm. Mobilesyrup| Critics seek more details from Sidewalk Labs about proposed Toronto neighbourhood, The Economist | Smart Cities Are The Next Frontier In The Data Protection Debate | Data solutions present ‘smart’ way for cities to grow, says Surrey | Sidewalk Labs proposal stirs fears, raises hopes |

CA – Ottawa Sees Internet Data Cloud as Alternative to Computer Systems

The federal government is willing to accept the privacy and security risks of storing data in the internet cloud as an alternative to its own aging computers that are “at risk of breaking down,” says an internal policy paper. The federal paper on “data sovereignty,” obtained through the Access to Information Act, fleshes out the government’s plan to embrace the cloud as a solution to its file management woes. Privately run cloud companies provide customers, such as federal departments, with virtual computer services — from email systems to vast storage capacity — using software, servers and other hardware hosted on the company’s premises. The government sees the cloud as a way to meet the needs of Canadians in an era of increasing demand for online services. However, the paper says, “a number of concerns” related to data control, protection and privacy have been raised within the government. [CBC and at: 6 Ways Cloud Computing Technology Is Changing | How cloud technology can help seal cyber loopholes | Box CEO Aaron Levie talks Canada, AI and the future of cloud computing]

CA – Electoral Reform Bill Lacks Voter Privacy Detail: Professor

According to professor Colin Bennett of the University of Victoria, the guidelines laid out in the Liberal’s omnibus bill on electoral reform [the Elections Modernization Act – Bill C-76 – see PR here] about the use of public information during elections is “pretty minimal. And is not much more than what the parties already say in their privacy policies, which he has analyzed and thinks have a lot of shortcomings. Bennett’s research on privacy rights, surveillance, social networks and their impact on democratic values led him to the House of Commons ethics committee last week. There, he stressed that the committee acknowledge the urgent need to “bring our political parties within Canada’s regime of privacy protection law.” He noted that there’s a severe lack of knowledge among the Canadian public, and within government, about how much data is gathered by political parties, with little to no accountability. How social media fits into the conversation and whether data gathered on those platforms is included in the proposed privacy provisions is also not listed in Bill C-76’s current form. Canada’s current privacy protection laws applied to political parties are scattered across institutions and laid out in a variety of regulations. PIPEDA’s mandate covers part of this issue, the Privacy Act, the CRTC, and the Canada Elections Act cover other aspects. [iPolitics, CBC News, CTV News, The Globe and Mail, IT World Canada and Liberal elections bill looks to make voting easier, tighten rules on privacy, spending

US – Waze Announces Data-Sharing Agreement with Traffic Analytics Startup

Waze announced a data-sharing agreement with artificial intelligence–based traffic management startup Waycare. Part of the company’s Connected Citizens Program, Waycare will collaborate with Waze to combine anonymized navigation data crowdsourced from drivers who use Waze with Waycare’s traffic analytics, including proprietary deep learning algorithms to figure out how to improve traffic and road conditions. While the partnership is active in Nevada, Florida, California and Nevada, there are plans to expand coverage over the next year. [TechCrunch]


CA – Canadian Privacy Commissioner Investigates Rogers, Yahoo Over Email Terms of Service Issue

The OPC has confirmed that it is investigating both Rogers and Oath over recent changes to Oath’s terms of service agreement. Additionally, the OPC confirmed that the company [Oath] responsible for providing email services to Rogers email customers has removed the clause related to “personal data of friends and contacts” from its terms of service, as it was deemed unnecessary. The Rogers email service is powered by Yahoo, which was acquired by U.S.-based telecommunications service provider Verizon in 2017. In turn, Verizon — which also owns AOL — merged both Yahoo and AOL into a new company called Oath in 2017. [Mobile Syrup and at: The Globe and Mail, Canadian Press (via CTV) and iPhone in Canada]


US – Tech Giants Hit by NSA Spying Slam Encryption Backdoors

A tech coalition formed in 2014 and called Reform Government Surveillance including Apple, Facebook, Google, Microsoft, and Verizon and Yahoo’s parent company Oath, which focuses on efforts to reform government surveillance, said in a statement that it continues to advocate for strong encryption, and decried attempts to undermine the technology. The renewed criticism follows a lengthy Wired article, in which former Microsoft software chief Ray Ozzie proposed a new spin on key escrow. But security experts and cryptographers say that any kind of backdoor can’t be done without it risking being abused or exploited by hackers — and criticized Ozzie’s plan as flawed. The statement comes a week after the group announced the importance of strong encryption as a new core principle behind its mission, calling on governments to “avoid any action that would require companies to create any security vulnerabilities in their products and services.” [ZDNet and at: AppleInsider and iPhone in Canada]

EU Developments

UK – High Court Rules Part of Snoopers’ Charter Illegal

The High Court has ruled part of the government’s controversial Investigatory Powers Act illegal, giving ministers just six months to redraft it. Rights group Liberty is celebrating after the first part of its crowd-funded legal bid to force the government to change large chunks of the so-called ‘Snoopers’ Charter’ largely succeeded. The ruling focused on part four of the legislation, related to the mandate that communications providers and ISPs retain phone records, location data, internet browsing history and info on everyone a user emails and texts for a year. Dozens of public bodies including local police forces and financial regulators can access this information without independent authorization and for reasons unrelated to investigating terrorism or serious crime. However, the court didn’t agree that the IPA was unlawful in allowing for “general and indiscriminate retention of traffic and location data.” [InfoSecurity and at: Out-Law (Pinsent Masons), Silicon UK, Help Net Security, Tom’s Hardware and The Guardian]

EU – Facebook Denied A Stay to Schrems II Privacy Referral

Earlier this week Facebook’s lawyers had asked the Irish High Court to stay the referral to the CJEU of a number of key legal questions pertaining to existing data transfer mechanisms that are being used by thousands of companies (Facebook included) to authorize flows of personal data outside the bloc. Both the lawfulness of Standard Contractual Clauses and the EU-US Privacy Shield mechanism [see here & wiki here] are now facing questions as a result of this challenge. However in a ruling today the Irish High Court denied the company’s request for a stay on the CJEU referral — with the judge ordering the referral to be immediately delivered to the Court of Justice, and emphasizing the risk that “millions” of EU data subjects, including privacy campaigner and lawyer Max Schrems whose complaint triggered the court case and subsequent referral, could be having their data processed unlawfully. [TechCrunch and at: The Irish Times, Irish Examiner, ComputerWeekly, Reuters, Tom’s Hardware and also Reuters, U.S. News & World Report, FirstPost and The Register, Facebook is trying to block Schrems II privacy referral to EU top court | Is this a Perfect Storm Toward Privacy Shield’s Demise?]

EU – EC Proposes Rules for Protection of Whistleblowers

The European Commission proposed new rules for the protection of whistleblowers. Legal entities will be required to design, set up and operate in a manner that ensures confidentiality of the identity of the reporting person, and prevents access to non-authorized staff members; any processing of personal data shall be done in accordance with the GDPR, and personal data not relevant for handling the report must be immediately deleted. [EC – Proposal for a Directive of the EU Parliament and Council on the Protection of Persons Reporting on Breaches of Union Law | Communication from EC to EU Parliament | Factsheet on whistleblower protection]

EU – Companies Turn to Blockchain Ahead of GDPR

As businesses invest in innovative technologies to preserve their data-heavy business models ahead of the EU GDPR, some are turning to implementing blockchain technology. Market research company YouGov is one such company turning to blockchain to ensure the survival of its data-driven business under the GDPR. YouGov CEO Stephan Shakespeare said, “The blockchain, being visible and public, shows a receipt for the information used,” adding, “That lets people know their permissions are being respected.” Speaking at a conference, Amber Baldet, the former head of JPMorgan Chase & Co.’s blockchain program, said the focus should be on creating a “privacy preserving system that gives us the option to create something that might be disruptive.” [AdExchanger

WW – IAB Releases Transparency & Consent Framework

IAB Europe and IAB Technology Laboratory released the technical specifications for its Transparency & Consent Framework designed to help organizations comply with the EU GDPR. The framework will aid organizations in allowing users to be aware of the ways online services use personal data and how third parties use their data for targeted advertising. “The Transparency & Consent Framework will sit at the intersection of users, publishers, and the third-party partners (vendors) that support the publishers in monetising their content, giving both users and publishers more control and transparency in the new environment,” IAB Europe CEO Townsend Feehan said. [IAB.org]

UK – Denham Calls for More Powers to Investigate Data Breaches

U.K. Information Commissioner Elizabeth Denham voiced her agency’s need to have more power to investigate data breaches. Denham made the plea while discussing the U.K. Information Commissioner’s Office’s investigations of the Facebook-Cambridge Analytica revelations, where her agency is currently looking into 30 different organizations. In order to look into data breaches, Denham said there needs to be a “streamlined warrant processes with a lower threshold than we currently have in law.” Denham also discussed the agency’s funding status, and the expectation is for the ICO to have 700 staff members by 2020. [MediaPost]

Facts & Stats

US – Equifax’s Data Breach Expenses Reach $242.7M

In its first-quarter earnings report, Equifax revealed it has spent $45.7 million on IT and data security and $28.9 million on legal fees, bringing the total amount it has spent since its September 2017 data breach to $242.7 million so far. Equifax spent $114 million in 2017 on the breach, with $50 million of it having been covered by insurance. The company plans to spend heavily on IT through 2019 and has been bringing in new staff members to strengthen its security efforts. “We’re investing heavily to ensure we’re market leaders around data security and we will also enhance the transparency of all our transformation efforts with all our constituents, our customers, consumers and the public as we drive this transformation forward,” Equifax CEO Mark Begor said. [ZD Net]


CA – BC Supreme Court Upholds De-Indexing Order

The Court considered a request by Google to set aside a previous court order requiring it to de-index specific search results. The US search engine must continue to stop indexing or referencing websites selling infringed product outside Canada (despite a US court ruling that it did not have to comply); there is no US law prohibiting de-indexing of websites, and the injunction has been somewhat effective (the website owners have had to constantly evade the injunction by creating new websites) [Equustek Solutions Inc. et al. v. Morgan Jack et al. – 2018 BCSC 610 (CanLII) – Supreme Court of BC

EU – Law Would Change Relationship Between Tech Companies, Small Businesses

The European Union has proposed a law regulating tech companies’ relationship with smaller businesses. The bill specifically targets app stores, search engines, and e-commerce sites and will require them to be transparent about their methods for ranking search engine results and their processes for delisting services. Companies will also be given the opportunity to sue those tech organizations if they are found to have violated the new rules. “Platforms and search engines are important channels for European businesses to reach consumers but we must make sure they are not abusing their power, and thus bring harm to their business users,” the EU Commissioner for the Digital Economy said. [Reuters]


CA – IIROC Proposes Cybersecurity Incident Reporting

The Investment Industry Regulatory Organization of Canada (IIROC) proposes amendments to require dealer members to report cybersecurity incidents. Dealer members would be required to report any unauthorized access, disruption, or misuse of their information systems within 3 calendar days of discovery; incidents would not need to be reported unless they result in substantial harm or inconvenience to any person, have a material impact on normal operations, invoke the business continuity/disaster recovery plan, or require notification to government agencies, securities regulators, or other self-regulatory organizations. [IIROC – Proposed Amendments to Dealer Member Rule 3100 – Reporting and Recordkeeping Requirements]

US – Americans Skeptical Financial Services Can Protect their Data

Financial clients have little to no confidence in financial companies to protect their data, and are generally skeptical that corporations and government agencies can do so. According to a study by the New York City-based American Institute of CPAs (AICPA) [here], 80% of Americans say ID theft is “likely” to cost them financially sometime in the next year. Cybercrime cost U.S. consumers $19.4 billion in 2017. Evidence is beginning to mount that the financial sector is increasingly a target of data thieves. According to the Verizon 2018 Data Breach Report, data breach attacks against financial institutions are at an all-time high. Banking trojan botnets and denial of service (DoS) are the most common attacks in the financial industry. In such a vulnerable and risk-laden data security environment, what can financial advisory firms do to hold (and boost) the trust of clients worried about the safety of their private data? Here’s a short list of tips to get that job done: 1) Learn where the weak spots are in your clients’ knowledge of online fraud; 2) Empower your customers to be their own security experts; and 3) Instill loyalty in your clients by providing them with 360-degree awareness of not only their financial situation but also their security situation. [Insurance News]


CA – Timeline Covers Events Leading Up to, Following Nova Scotia FOI Breach

CBC News has compiled a timeline of the events leading up to the breach of the Nova Scotia government’s freedom-of-information website. The timeline dates back to April 2016, when design work began on the website, covering Auditor General Michael Pickup’s concerns with the software used on the website in November 2016, the launch of the portal in January 2017, and the illicit download taking place March 3 this year. Other events cover the fallout from the breach, including the arrest of the 19-year-old man connected to the breach, statements made by the suspect, and the support he has received from tech professionals from around the world. Pickup’s office announced it will conduct an audit of the province’s privacy services in response to the breach. [CBC]

WW – What Estonia Can Teach Privacy Pros About Blockchain

Though a small nation in northeastern Europe, Estonia has long been a leader in digital government services with strong information security. It was the first country to vote online, and nearly all citizens can now file their taxes online. But the nation isn’t stopping there. According to Former Estonian President Toomas Hendrik Ilves, “Estonia is now a blockchain nation.” In this third post in a three-part series on blockchain for Privacy Tech, Duff & Phelps Regulatory Consultant Seth Litwack discusses a practical use case of blockchain for privacy pros through the lens of Estonia. [IAPP.org]


WW – DNA Facial Prediction Could Make Protecting Your Privacy More Difficult

Everywhere we go we leave behind bits of DNA. We can already use this DNA to predict some traits, such as eye, skin and hair colour. Soon it may be possible to accurately reconstruct your whole face from these traces. This is the world of “DNA phenotyping” – reconstructing physical features from genetic data. Research studies and companies like 23andMe sometimes share genetic data that has been “anonymised” by removing names. But can we ensure its privacy if we can predict the face of its owner? Here’s where the science is now, and where it could go in the future. [The Conversation] See also: Calgary police use DNA technology to sketch mother of infant found dead in Calgary dumpster and at: The Canadian Press, CBC News and BBC News]

Health / Medical

UK – NIH Seeks Health Data of 1 Million People, Genetic Privacy an Issue

The National Institutes of Health announced the launch of its attempt to enroll 1 million people in a landmark research effort aimed at developing “personalized” methods of prevention, treatment and care for a wide variety of diseases. Its goal is to supplement and in some cases replace the need to repeatedly recruit human subjects for research by providing a huge database of health and lifestyle information for scientists to plumb. NIH Director Francis Collins and the project’s director, Eric Dishman, said volunteers’ personal data will be carefully shielded. They said the information is off limits to subpoenas and search warrants via “certificates of confidentiality” given to each subject. The rules protect researchers from being forced to release identifying information in judicial proceedings. Personalized medicine, also known as “precision medicine,” is a relatively new approach to treatment that uses genetic and other information to develop therapies targeted at individuals rather than groups of people. Information culled from the project will be available at three levels: some to the general public, some under more tightly controlled circumstances to researchers because of the risk of identifying people participating in the trial, and the rest under the tightest control because of that risk. Participants in the study will have access to their information at all times. Organizers are recruiting only adults but hope to include children later. [WashPost and at: Stat News and Associated Press]

Horror Stories

AU – Info Watchdog ‘Dropped the Ball’ Over Huge Bank Data Loss

Australia’s information commissioner has “dropped the ball” by not reacting to the loss of data from 19m Commonwealth Bank customer accounts privacy campaigners have said. Kat Lane, the vice chair of the Australian Privacy Foundation, has criticised the Office of the Australian Information Commissioner (OAIC) after it failed to tell customers of CBA that their personal account information had been misplaced. “It’s unclear to me how the bank and two regulators came to the view that we weren’t entitled to know. They dropped the ball,” she said. The Commonwealth Bank is in damage control after admitting it may have lost control of data – including customer names, addresses, account numbers and transaction details – of almost 19 million customer accounts, covering a period from 2000 to early 2016, and that it never told its customers. [The Guardian and at: The National Business Review, The Australian Financial Review, ABC Online, Financial Times and ZDNet ]

US – Cambridge Analytica to File for Bankruptcy After Misuse of Facebook Data

Cambridge Analytica announced that it would cease most operations and file for bankruptcy amid growing legal and political scrutiny of its business practices. The decision was made less than two months after Cambridge Analytica and Facebook became embroiled in a data-harvesting scandal that compromised the personal information of up to 87 million people. In a statement posted to its website, Cambridge Analytica said the controversy had driven away virtually all of the company’s customers, forcing it to file for bankruptcy in both the United States and Britain. The elections division of Cambridge’s British affiliate, SCL Group, will also shut down, the company said. Cambridge Analytica also said the results of an independent investigation it had commissioned, which it released on Wednesday, contradicted assertions made by former employees and contractors about its acquisition of Facebook data. The report played down the role of a contractor turned whistle-blower, Christopher Wylie, who helped the company acquire Facebook data, calling it “very modest.” [NY Times and at: The Associated Press, BBC News, GIZMODO and The Wall Street Journal]

WW – Unsecured Database Exposed Personal Data of Cryptocurrency Investors

A recent report from Kromtech Security found that a MongoDB database was left unsecured, exposing sensitive personal data for more than 25,000 investors in the new Bezop cryptocurrency. The report stated “full names, addresses, email addresses, encrypted passwords, wallet information, along with links to scanned passports, driver’s licenses, and other IDs” were involved in the data breach. Bezop Chief Technology Officer Deryck Jones notified those impacted by the data breach that the company had been targeted by a distributed-denial-of-service attack, as well as “security holes exposing that data.” [Gizmodo]

Intellectual Property

CA – Rogers Personal Data Fees Case Raises Privacy Concerns

A case in front of the Supreme Court of Canada has raised privacy concerns. Rogers Communications has filed an appeal in a case with Voltage Pictures over whether it has the right to charge fees for offering personal data on its subscribers to a copyright holder. Voltage Pictures has attempted to gather the information of Rogers subscribers who have illegally downloaded its movies in order to file a lawsuit but has asked the telecom to provide the information for free. Internet Policy and Public Interest Clinic Lawyer Jeremy de Beer offered a warning about the case in his court briefing. “Courts should be especially concerned about innocent defendants caught in the ‘dragnet’ of online copyright enforcement,” de Beer said. [iPolitics]

Internet / WWW

WW – Twitter Updates Privacy Policy Ahead of GDPR

Twitter is changing its privacy policy and will let users opt out of letting the social media platform share their data with its business partners ahead of major new rules set to come into effect next month in Europe. The changes, announced by Twitter, will also apply to users in Canada. According to a blog post published by the company, the new privacy policy focuses on giving users more controls over their personal data and how it is shared by Twitter with developers and business partners. It will go into effect on May 25, which is the same day the European Union’s new General Data Protection Regulation (GDPR) will go into effect and place tough new requirements on companies to comply with tightened consumer and data protection rules. So what exactly do the new changes do and how can you tighten what data the company collects on you? [Global News and at: MarTech Today, Reuters and CNET]

WW – Google Aims to Give Users More Privacy Control in Gmail Update

Google announced updates to the web-based Gmail platform that aims to make email more efficient and gives users more control over how their email is used by others. A new “confidential” mode is designed to afford users greater privacy controls, giving users the ability to prohibit others from forwarding, copying, downloading or printing a message. The update also allows users to set an expiration period for a message. Meanwhile, some argue vulnerabilities would be easy to expose. Sydney Li, a staff technologist at the Electronic Frontier Foundation, called the new “confidential” mode misleading, adding, “This ‘privacy’ feature is potentially harmful to users with a real need for private and secure communications.” [Google Blog]

Law Enforcement

US – Virginia Court Rules ALPR System May Violate State Law

The Supreme Court of Virginia ruled that automatic license plate reader data is “personal information” (it infers personal characteristics about a vehicle owner and his/her presence in a certain location at a certain time) and that police “passive use” of ALPR data (i.e. randomized surveillance not related to criminal investigations) is not exempt from state law, Government Data Collection and Dissemination Practices Act. Previously, the case filed by the American Civil Liberties Union was dismissed after a Fairfax County judge ruled license plate data was not personal information. [Harrison Neal v. Fairfax County Police Department et al. – 2018 Va. LEXIS 42 – Supreme Court of Virginia coverage at: The Associated Press]

Privacy (US)

US – EPIC asks the FTC to Investigate Facebook for Deceptive Practices

The advocacy group Electronic Privacy Information Center (EPIC) has filed a complaint before the FTC against Facebook for violations of the Federal Trade Commission Act [PR here]. EPIC believes that Facebook’s revisions to user privacy settings constitute an unfair and deceptive trade practice; Facebook now categorizes as “publicly available information” the user’s name, profile photos, lists of friends, pages they are fans of, gender, etc., resulting in these categories of data no longer being subject to user privacy settings. EPIC is pushing for the unredacted release of biennial privacy assessments that Facebook agreed to submit under a 2011 consent agreement with the FTC [see FTC posts here & here & 10 pg PDF decree document here & 9 pg PDF ordrer here]. The FTC recently released a heavily redacted version of the latest assessment [see 54 pg PDF here], from 2017 and conducted by the firm PwC, which signed off on Facebook’s privacy program. [EPIC v Facebook – Complaint Request for Investigation Injunction and Other Relief – Before the Federal Trade Commission] Coverage at: The Hill and: Compliance Week]

US – FTC Puts Kids Smart Watches on Privacy Watch List

The FTC has sent warning letter to two foreign companies about kids-targeted smart watches and apps sold through the Google Play and Apple iTunes stores. [see FTC PR here] The FTC has told China-based Gator Group and Sweden-based Tinnitell Inc. that they could be running afoul of the Children’s Online Privacy Protection Act (COPPA) — Gator Group with its Kids GPS Gator Watch [here] (billed as a child’s first cell phone) and Tinitell [here] with its app that works with a mobile phone worn as a watch. In the letters, copies of which were sent as an FYI to Google and Facebook, the FTC pointed out that even though they are based outside the U.S., the companies are required to comply with COPPA when their products are directed to kids in the U.S. [Broadcasting & Cable and at: Wareable and The Outline]

US – Blu Phone Maker Settles with FTC Over Data Privacy

The company behind low-priced, top-selling phones on Amazon has reached a settlement with the US FTC over privacy practices [see PR here & 11 pg PDF Decision/Order here]. After security researchers discovered in 2016 that Blu’s phones were sending personal data — including text messages, contact lists and locations — to servers in China, the Florida-based company said it would update the software to fix the “mistake.” Eight months later, the same security researchers found that Blu phones were still siphoning off the same data to Chinese servers. The issue is tied to preinstalled software from a company called Shanghai Adups Technology. The software, which Blu uses to help update phones, mined data and couldn’t be removed. Blu didn’t tell consumers their phones were sending that data to Chinese servers, according to the FTC. The company agrees to a security plan regarding security risks with all its devices, both new and old. Blu will also be required to undergo third-party checks every two years for the next 20 years. Blu and its president, Samuel Ohev-Zion, will also be prohibited from misleading the public about how it protects people’s privacy. Breaking the terms of the settlement could result in a fine of up to $41,484 for each violation. The settlement isn’t final. It’s open for public comment until May 30. [CNET and at: Android Police, PC Mag, Ubergizmo and Ars Technica]

US – WhatsApp Founder Plans to Leave After Broad Clashes With Parent Facebook

Chief executive of WhatsApp, Jan Koum, is planning to leave the company after clashing with its parent, Facebook, over the popular messaging service’s strategy and Facebook’s attempts to use its personal data and weaken its encryption, according to people familiar with internal discussions. Koum, who sold WhatsApp to Facebook for more than $19 billion in 2014, also plans to step down from Facebook’s board of directors, according to these people. The date of his departure isn’t known. The independence and protection of its users’ data is a core tenet of WhatsApp that Koum and his co-founder, Brian Acton, promised to preserve when they sold their tiny start-up to Facebook. It doubled down on its pledge by adding encryption in 2016. The clash over data took on additional significance in the wake of revelations in March that Facebook had allowed third parties to mishandle its users’ personal information. [WashPost and at: The Verge, The Guardian, Reuters and TechCrunch See also: WhatsApp agrees not to share user info with the Zuckerborg… for now – ICO probe: No legal basis for Facebook slurps| TechCrunch, The Guardian, The INQUIRER, 9to5Mac and FutureScot and France puts Facebook on notice over WhatsApp data transfers | The Guardian, Reuters, Android Headlines and ZDNet]


UK – 43% of Businesses Suffered A Cyberattack Over Last 12 Months

A study from the U.K. Department for Digital, Culture, Media and Sport found 43% of British businesses suffered a cyberattack over the past 12 months. The overall number of affected organizations dropped from 46 percent last year but rose among large businesses, growing from 68 to 72% in the 2018 survey. The survey found data breaches cost organizations more than 22,000 GBP. Meanwhile, another study conducted by Proofpoint finds 25% of employees still answers questions on protecting confidential information incorrectly, a result raising some alarms as the EU General Data Protection Regulation draws closer. [Info Security]

NZ – App Inadvertently Shared Personal Customer Data

New Zealand electricity network provider Vector reported a glitch in the company’s Outage app that exposed the email address, GPS location, and phone number of customers who downloaded that app. The app, which is designed to help customers report power outages, allowed for anyone with the app to access other customers’ data without evading security measures. Vector Chief Digital Officer Nikhil Ravishankar said, “While we believe we have identified the app vulnerability and taken steps to prevent future app users’ data being accessible, and work has already commenced to overhaul the Vector Outage App, I have taken the immediate step of disabling the Vector Outage App until we can have total confidence our customers’ data remains secure while using it.” [Stuff.nz]


US – Oakland Passes “Strongest” Surveillance Oversight Law in US

The Oakland City Council formally approved a new city ordinance [passed unanimously] that imposes community control over the use of surveillance technology in the city. Oakland is now one of a number of California cities, including Berkeley and Davis, that mandates a formal annual report that details “how the surveillance technology was used,” among other requirements. The city has now also created a “Privacy Advisory Commission“, or PAC. This body, composed of volunteer commissioners from each city council district, acts as a privacy check on the city when any municipal entity (typically the police department) wants to acquire a technology that may impinge on individual privacy. The new law requires that the PAC be notified if the city is spending money or seeking outside grant money to be spent on any hardware or software that could potentially impact privacy. Notably, Oakland’s law specifically includes provisions that forbid non-disclosure agreements and protect whistleblowers. [Ars Technica and at: East Bay Times, Gizmodo, Boing Boing and also: Technology turns our cities into spies for ICE, whether we like it or not | Oakland Should Ensure Community Control of Surveillance Technology | Berkeley Mayor: We Passed The “Strongest” Police Surveillance Law | Oakland may become rare American city with strict rules for spy gear use | Oakland Privacy Commission Holds Hearing on ‘Stingray’ Cell Phone Surveillance Devices]

CA – Vancouver Says No to CCTV on Downtown Granville Strip

The City of Vancouver will not be installing surveillance cameras along the popular Granville Entertainment District. The motion was discussed along with other proposed changes to the area as part the city’s liquor policy update at a recent council meeting [see Minutes & Video]. Opponents of surveillance cameras questioned their effectiveness. Micheal Vonn, policy director of the B.C. Civil Liberties Association, said while CCTV can help reduce crime in certain contexts and spaces, it has proved less effective in public street corners. “They do nothing to deter drunk people from doing anti-social things,” Vonn said. Privacy is another concern, Vonn said. In this case, she said, the onus is on the city to show it has tried non-surveillance kinds of solutions and it has reason to believe it can solve the problem with surveillance. Ultimately, a city staff report advised against CCTV. [CBC and at: Vancouver Sun and Global News]

Telecom / TV

CA – CRTC’s First CASL Fine Over Sending of Mobile Text Messages

On May 1, 2018, the CRTC Commission announced [Undertaking here] that the companies operating the 514-BILLETS ticket resale business agreed to pay $100,000 as part of a voluntary settlement of alleged violations of Canada’s Anti-Spam Legislation (commonly known as “CASL“) regarding the sending of text messages without the recipient’s consent and without prescribed information about the message sender. The undertaking is the first settlement of an investigation regarding the sending of text messages to mobile devices. There are a number of important steps that an organization might take to enhance its CASL compliance and mitigate the risks of regulatory enforcement, including: (1) establish/update its CASL compliance program; (2) verify its due diligence documentation; and (3) establish/update its CASL complaint/litigation response plan. [CASL Bulletin (Borden Lagner Gervais and at: MobileSyrup, The Canadian Press and Cartt | Settlement of Alleged CASL Violation – Text Messages Sent Without Consent or Prescribed Information | Federal government looks to overhaul parts of CASL]

US Legislation

US – California Privacy Proposal Poised to Advance

Voters in California could decide this November whether to approve a ballot initiative that would allow them [more] control over their data. Backers said that they had submitted 625,000 signatures in favor of the initiative — almost twice as many as the 365,880 needed to qualify for a spot on November’s ballot. The California Consumer Privacy Act would require companies to tell consumers what “personal information” has been collected about them, upon their request. The proposed ballot initiative would also give consumers the right to prevent data about them from being sold. Additionally, the measure would increase fines and penalties for businesses that fail to implement reasonable security to protect consumers’ data. The initiative’s sweeping definition of personal information includes not only names, street addresses and email addresses, but also information that many marketers don’t consider personally identifiable — like IP addresses, device identifiers and web-browsing history. MediaPost | The Mercury News, The Associated Press, IVN News and California privacy initiative likely to increase costs of civil litigation if passed in November | U.S. Senate Duo and California Ballot Initiative Propose to Radically Alter U.S. Consumer Internet Privacy and Upend Digital Advertising | MediaPost Communications | California’s GDPR-Like Privacy Law Could Rewrite Digital Ad Rules]

Workplace Privacy

WW – Study Examines Trends in Privacy Law Compensation

JW Michaels conducted a study on compensation trends for corporate privacy protection counsel. The study examines the qualifications for an ideal candidate and the challenges companies are facing when trying to hire an individual for the position. Several Fortune companies in Silicon Valley, Washington state, San Francisco and one major e-commerce client gave the salaries they are offering to potential employees, the number of years they would like the candidate to be out of law school, and the percentage of equity they could receive. Candidates could receive between a $200,000 to $285,000 salary and up to 25% equity. [FJW Michaels]




17-23 April 2018


US – State Court Ruling to Shed Light on Police Use of Biometrics

A decision by the Minnesota Supreme Court [Webster v. Hennepin County see here] will help the public learn more about how law enforcement use of privacy invasive biometric technology. The decision is mostly good news for the requester in the case, who sought the public records as part of a 2015 EFF and MuckRock campaign to track mobile biometric technology use by law enforcement across the country. EFF filed a brief in support of Tony Webster, arguing that the public needed to know more about how officials use these technologies. [EFF and at: Minnesota ACLU and Tony Webster]

US – Keep Facial Recognition Away from Body Cameras

Facial recognition in the U.S. poses a unique and significant threat to privacy, and it’s a threat that is not being adequately addressed. One of the FBI’s facial recognition services allows agents to search through databases that mostly include information related to law-abiding Americans, with only 8% of the facial images in the network being associated with criminal or forensic investigations. This is in part thanks to the fact that the FBI has access to drivers license photos from at least 16 states as well as passport photos from the State Department. All told, this Facial Analysis Comparison and Evaluation services allows the FBI to access more than 411 million facial images. A Georgetown study on facial recognition estimates that about half of American adults can be found in a law enforcement facial recognition network. Facial recognition poses a unique threat to law-abiding American citizens, millions of whom are in facial recognition networks merely because they drive. Lawmakers can prevent increased risk of surveillance by forbidding real-time facial recognition on police body cameras. With such devices, police won’t need a “Papers, please” law to identify citizens going about their business; our faces will be our papers. [CATO Institute]

WW – Facial Recognition Technology Commonplace at Venues

There is a growing trend of sports and entertainment venues top use facial recognition technology to produce data to support fan engagement, sponsorships and security. Lee Igel, a clinical associate professor at New York University’s Tisch Institute for Global Sport, said the practice is nothing new, adding, “What is new, as the Facebook scandal is forcing people to face, is the realization that there is a trade-off between getting the experiences we want and maintaining privacy.” One of the larger companies capturing the market is South African–based company Fancam, which sells its technology to venues across the U.S. Managing Director of North America Michael Proman said, “We anonymize all our data. What’s most important is being able to identify macro level trends, not profile fans.” [CNBC]

EU – Article 29 WP Inquiring About Facebook’s Facial Recognition Feature

The Article 29 Data Protection Working Party sent a letter to Facebook’s Global Deputy Privacy Chief about the facial recognition feature. Clarification is needed on whether Facebook will obtain explicit consent for each feature or a global consent to use images, whether the technology will be used to compare against all images already uploaded to Facebook (or only newly added images), and if templates will be created and retained. [Article 29 WP – Request for Information Regarding Facial Recognition on Facebook]

Big Data / Data Analytics

CA – Quebec Commissioner Issues AI Best Practices

The Commission d’Accès à l’Information du Québec issued recommendations for development of artificial intelligence. Organizations should conduct PIAs to document risks posed by AI projects, adopt default privacy settings (including rigorous access rights and retention periods), designate an internal privacy officer, and be transparent with consumers about measures put in place. Determine how to adequately correct algorithmic decisions made based on inaccurate, incomplete or outdated information (the burden should not be placed on consumers). [CAI QC – Brief on Responsible Development of Artificial Intelligence]


CA – Feds Publish Final Text of New Private Sector Data Breach Reporting Rules

The federal government released the final version of new regulations for the private sector that, once in force, will require businesses to disclosure and notify the privacy commissioner and affected individuals about data breaches that pose a “real risk of significant harm” “as soon as feasible.” [Canada Gazette at pg 701] The regulations require companies to record any breach they know of and keep those documents for two years. Per a March 26 order-in-council, the new reporting rules will come into force on Nov. 1, 2018. Following that, any company found in violation of the regulations will be subject to fines of up to $100,000. The government pegged the “nationwide cost impact” of the regulations’ enforcement at “less than $1 million per year.” The Gazette also notes the department of Innovation, Science and Economic development will “evaluate the need for amendments to the Regulations on an ongoing basis.” An OPC spokesperson said the office “strongly supports” the implementation of the new mandatory breach reporting rules – but at the same time, believes the new regulations represent “limited progress in protecting the personal information of Canadians.” There was mixed reaction to the new regulations Former Ontario privacy commissioner Ann Cavoukian, said the wording in the regulations is far too loose to sufficiently protect consumers. “This lets everybody off the hook,” Cavoukian said. [iPolitics and at: The Globe and Mail | Financial Post]

CA – Facebook Faces Tough Questions Over Canadian Data Collection

Kevin Chan, head of public policy for Facebook in Canada, faced tough questions from MPs about the company’s past practice of allowing third-party developers to access their users’ personal data, a policy that may have violated Canadian law. Just 272 Canadians participated in a personality quiz that allowed the researcher behind the Cambridge Analytica scandal to harvest the data of more than 622,000 Canadians, explained Robert Sherman, Facebook’s deputy chief privacy officer, who also testified before the committee [Standing Committee on Access to Information, Privacy and Ethics here & Minutes of Proceedings here]. In most cases, the data was mined without the knowledge or consent of those affected. Both Sherman and Chan spoke about the need to restore users’ trust in Facebook’s handling of personal data. Chan, who is the company’s public face in Ottawa, was also asked why he has not registered as a lobbyist, despite meeting with numerous federal cabinet members, including Finance Minister Bill Morneau. “At no time has Facebook come close to meeting the threshold for registration as a lobbyist,” Chan said. “We will of course register, if and when we meet the threshold.” Chan said that Morneau requested his assistance in setting up a Facebook Live event for his recent budget. New Democratic MP Charlie Angus expressed some doubt over that explanation. “You are registered as the company’s leading public policy-maker in Canada,” Angus said. “My light bulb breaks, I don’t call the head of General Electric to come and fix it. And yet you show up to help him figure out how to get more ‘likes.’” The committee is scheduled to resume its study of the Cambridge Analytica/Facebook scandal next week. [The Star]

CA – Facebook Promises to Join Registry of Lobbyists

Facebook has said it will join Canada’s registry of lobbyists, after questions were raised over whether it is following the rules when it comes to lobbying the government. In a letter sent to Lobbying Commissioner Nancy Bélanger, NDP MP Charlie Angus [here] questioned whether the social media giant is finding ways around the rules, especially the rules that require it to register its lobbyists. The company has no registered lobbyists, despite frequent meetings with senior decision-makers. After CBC News reported on the controversy, Facebook sent a statement saying it will “soon” register its personnel as lobbyists. “Facebook understands the need for greater transparency and, while we do not meet the threshold required for registration, we are committed to being added to the Lobbyist Registry. We will do so as soon as possible,” a Facebook spokesperson said [CBC]

CA – Political Parties Self-Police Use of Voters’ Data, Privacy Watchdog Says

The federal privacy watchdog is calling on the government to address what he calls significant gaps in the law that allow political parties themselves to police how they gather and use voter data. Political parties are only bound by internal, voluntary privacy policies in the absence of an independent body to ensure they follow their own rules, federal privacy commissioner Daniel Therrien told [read Commissioner’s statement here] a parliamentary committee [Standing Committee on Access to Information, Privacy and Ethics (ETHI) here]. Therrien has been calling for changes to strengthen privacy laws to cover how political parties use data — a campaign that has been attracting fresh attention in recent weeks following revelations about how Facebook and other companies treat the personal data of its users. [CTV News and at: Global News, CBC News, Toronto Star, Finacial Post and Radio Canada International]

CA – What Are Quebec’s Political Parties Doing With Your Personal Information?

Facebook/Cambridge Analytica data abuse controversy comes at a critical time for political parties in Quebec. They are already gearing up for the October election, and amassing information on voters is the lifeblood of any campaign. But they are now also facing greater scrutiny about how they gather information about voters, and what they do with it. Here is a closer look at the big data techniques Quebec parties are using. [CBC]

CA – Cameras to Keep Rolling in Paradise as Town Takes Issue to Court

Dozens of surveillance cameras in Paradise, Newfoundland will continue to record, despite a recommendation from the province’s privacy commissioner. The Town of Paradise sent an official response to commissioner Donovan Molloy, saying it will take the issue to court. Earlier this month, Molloy requested [see PR here & Report here] the town remove the cameras until it provides further evidence to justify its need for all 87 cameras. Molloy says he got no response. Both sides will continue to try to reach an agreement, but failing that, the matter will go to Supreme Court and a judge will rule on whether the town has to follow the privacy commissioner’s advice. [CBC]

CA – Privacy Breach Accused Gets Support from Lawyer, Tech Community

While an online legal defence fundraiser gains steam, the 19-year-old accused in the Nova Scotia freedom-of-information scandal has secured legal help from one of Canada’s leading experts in privacy law. David Fraser of the firm McInnes Cooper in Halifax has confirmed he’ll assist with the teenager’s legal defence. He says he’s “optimistic” the case can be resolved once it’s in the hands of the Nova Scotia Public Prosecution Service.  Fraser has already been in touch with an IT security expert and security conference organizer, Dragos Ruiu, who has started a GoFundMe page [see here] for the teenager’s legal defence. “It looks like a lot of tech folks who could easily see themselves in the shoes of this young man being persecuted instead of him, and it resonates with them,” said Ruiu. Both Fraser and Ruiu drew comparisons to the case of Aaron Swartz [see Wiki here], a pioneering coder and internet activist who was charged in Boston in 2011 for mass unauthorized downloading of academic journal articles from MIT. Swartz took his own life in 2013. Ruiu says at the time he wished he’d done more to support Swartz, which is why he’s taking action now. “We can’t let a politician bully a young man like this,” he said. [CBC | Dear Canada: Accessing Publicly Available Information on the Internet Is Not a Crime | Crowdfunding campaign aims to pay legal defence of NS teen charged after data breach | Government softens tone on reaction to privacy breach | You’re a govt official. You accidentally slap personal info on the web. Quick, blame a kid! | Teen Faces 10 Years in Prison for Downloading 7K Freedom of Information Releases | Teen charged in Nova Scotia government breach says he had ‘no malicious intent’ | Halifax law firm looking into possible class action over NS data breach ]

CA – OIPC BC Finds Excessive Collection by Landlords

The OIPC BC investigated the collection and retention of personal information of potential tenants by landlords, pursuant to the Personal Information Protection Act: 13 landlords from both for-profit and not-for-profit rental management companies were asked to provide information; and the OIPC previously issued guidance on PI handling for landlords. PI was collected, that if used, would be a violation of the Human Rights Code, including ages of other occupants of the unit, whether the applicant speaks English, was born in Canada, or is pregnant, and questions seeking marital status and sex; credit checks can only be done with consent and a reasonable purpose, such as a lack of satisfactory references or employment and income verification. [OIPC BC – Investigation Report P18-01 – Personal Information and Tenant Screening]


CA – SK Clinic’s Employee Should be Reprimanded

The OIPC Saskatchewan addressed a complaint against Prince Albert Co-operative Health Centre Community Clinic for unauthorized disclosure. The Saskatchewan Privacy Commissioner recommended that the clinic apply appropriate disciplinary actions to the employee who posted on social media the positive pregnancy test results of a patient, and to notify the patient of the outcome of the investigation and steps taken to prevent future breaches of privacy. [OIPC SK – Investigation Report 239-2017 – Prince Albert Co-operative Health Centre Community Clinic]

CA – Increased Risk of Harm Due to Duration of Unauthorized Access

The OIPC Alberta was notified by Preferred Hotels & Resorts of unauthorized access to personal information, pursuant to the Personal Information Protection Act. An organization’s service provider reported a breach of user credentials, enabling an unauthorized viewing of reservations of customers that may have included credit or debit information; the financial information could be used to cause identity theft and fraud, and the risk of harm is increased because the information was exposed for about 1 1/2 years. [OIPC AB – Breach Notification Decision – P2018-ND-043 – Preferred Hotels & Resorts]

CA – BC Court Allows Appeal of IPC Decision

The Court considered a response by the University of British Columbia to a court ruling upholding an IPC BC decision concerning disclosure of records pursuant to the Freedom of Information and Protection of Privacy Act. The Court agreed that an educational institution’s disclosure of its rubrics for undergraduate admissions would cause harm, by disclosing a grading system that would diminish the value of questions for future use (regardless of whether the questions themselves are already known to others), and because the institution had spent money for several years on the process; the matter is remitted back to the IPC for a new decision. [University of British Columbia v. Geoff Lister and IPC BC – 2018 BCCA 139 – Court of Appeals for British Columbia]

CA – Legal Pot Buying Data Could Get You Banned from U.S., Lawyers Warn

When Canadians are able to buy legal recreational marijuana sometime this year, we are going to start generating a lot of consumer data. Some of it will be clearly linked to individuals. If your Canadian marijuana-buying data ends up on a server in the United States, could it make its way to U.S. border officials? There’s little to stop it, privacy experts say. Canadians can be barred for life from the United States — even after legalization here — if a border officer decides that they are an “abuser” of marijuana. Canadians banned from the U.S. can apply for a waiver allowing them to cross the border, but the process is cumbersome and expensive, and the application has to be restarted from scratch every few years for the rest of the person’s life. As attitudes toward marijuana have softened on both sides of the border, attitudes at the border itself have hardened, warns Len Saunders, an immigration lawyer in Blaine, Wash. Saunders is now seeing a flood of Canadian clients who want help with waivers related to marijuana after being banned for life by U.S. border officials. [Global News]


CA – New Rogers Email ToS Raises Privacy Concerns

The Globe and Mail reports a new terms of service seen by Rogers Communications email users has raised concerns. Anyone who has logged in to their Rogers email account in recent weeks has seen a prompt alerting them they will need to agree to a new terms of service from Oath, as Yahoo no longer handles Rogers’ email services. The new terms of service will allow Oath to analyze messages to send targeted content. Users have gone to forums to express their concerns about a situation similar to the Facebook-Cambridge Analytica revelations. Canadian Internet Policy and Public Interest Clinic Staff Lawyer Tamir Israel said a Cambridge Analytica situation is unlikely, but it is encouraging for citizens to be aware of potential privacy issues. [G& M]


US – Legislators Seek Answers from FBI Director About Unlocking iPhones

Ten US legislators have sent a letter to FBI Director Christopher Wray asking about the agency’s ability to decrypt seized iPhones. While Wray has been vocal about the FBI’s inability to break into 7,800 phones last year, a report from Department of Justice (DOJ) Office of Inspector General (OIG) indicated that in the case of the San Bernardino shooter’s iPhone, the FBI did not explore all possible avenues for accessing the data it held before seeking a court order to force Apple to decrypt the device. The report observes that the FBI did not consult third party companies that have the capability to break into iPhones and that it did not ask its own remote Operations Unit (ROU) for help. Sources:

  • house.gov: Letter to FBI Director Christopher Wray (PDF)
  • The Hill: Lawmakers question FBI director on encryption

EU Developments

EU – Article 29 WP Updates GDPR Consent Components

The Article 29 Working Party revises previously issued guidance on consent under the GDPR.

Assessing freely given consent must consider whether it is tied into a contract or provision of service (inappropriate pressure or influence will render the consent invalid), parental consent will remain valid after the child reaches the age of digital consent (the minor must be informed of their right to withdraw), and explicit consent is valid when obtained via phone call if the choice is fair and specific. [Article 29 WP – Guidelines on Consent Under the GDPR – WP259 Rev.01es]

EU – Article 29 WP Updates GDPR Transparency Requirements

The Article 29 Working Party revised previously issued guidance on transparency requirements under the GDPR. Knowledge of the individuals controllers collect information about (this should be used to determine what they would likely understand), parental consent does not mean children lose their data subject rights (easily understandable notice should be provided to them through cartoons, pictograms, etc.), individuals should not be surprised when new processing purposes are communicated, and where notice would be impossible or involve a disproportionate effort, documentation must be maintained to demonstrate accountability. [Art 29 WP – Guidelines on Transparency under the GDPR – WP260 Rev. 1]

EU – Commission Proposes Rules Similar to US Cloud Act

The EU Commission proposed new rules to allow law enforcement in EU Member States to obtain electronic evidence, regardless of the location of data. Judicial authorities in Member States can request access to stored electronic data (including content, transactional, access and subscriber data) directly from service providers (data must be transmitted within 10 days of receipt, or 6 hours for emergency cases) and require them to preserve the data for up to 60 days; compliance is required regardless of where the data is stored, unless the order violates the EU Charter of Fundamental Rights, contains manifest errors, or is not for a valid offence. [EU Commission – Proposal for a Regulation on EU Production and Preservation Orders for Electronic Evidence in Criminal Matters]

EU – Tech Companies Forced to Give Police Overseas Data Under EU Proposal

Technology companies such as Google, Microsoft and Facebook will be forced to hand over users’ data to European law enforcement officials even when it is stored on servers outside the bloc, under a law proposed by the EU. The law would allow European prosecutors to force companies to turn over data such as emails, text messages and pictures stored online in another country, within 10 days or as little as six hours in urgent cases. The United States recently moved to address the same problem, passing a law making it clear that U.S. judges could issue warrants for data held abroad while giving companies an avenue to object if the request conflicts with foreign law. The proposal will apply only in cases where crimes carry a minimum jail sentence of three years. In cases of cybercrime there will be no minimum penalty requirement. Where companies find themselves in a conflict-of-law situation because the country where data is stored forbids them from handing it over to a foreign authority, they will be able to challenge the seizure request. According to Maryant Fernandez Perez, senior policy adviser at campaign group European Digital Rights “The Commission is proposing dangerous shortcuts to allow national authorities to obtain people’s data directly from companies, basically turning them into judicial authorities.” [Reuters and at: Bloomberg, The Wall Street Journal, Silicon UK and Financial Times]

EU – WP29 Concerned with EU Agreements on PNR

The Article 29 Data Protection Working Party expressed concern to the European Commission about the EU-Canada passenger name record agreement, in light of the EU Court of Justice – recommendations. The agreements between the EU and Canada, US and Australia do not reflect the recommendations raised by the EU Court of Justice; there is no clear and precise description of data concerned, explicit exclusion of sensitive data, or sufficient guarantee of independent oversight. Retention provisions do not reflect appropriate conditions for access to the data or a requirement to delete data after the departure of a passenger after their stay in a third country. [Article 29 WP – Letter to European Commission on EU PNR Agreement with Canada]

EU – Law Enforcement: Article 29 WP Concerns on Central EU Database

The Article 29 Working Party commented on the EU Commission’s draft regulations on interoperability between existing and future EU information systems relating to border control, migration, police and judicial cooperation. The database would cross link all information systems such as the Schengen System, Entry-Exit system and Travel Information and Authorisation System; there is no justification for the necessity of the database (identity fraud is not an essential threat to EU internal security), there is potential for broad and common use of data (national police will have access for overall identity checks), and long retention periods could result from the system of links. [Article 29 WP – Opinion on Commission Proposals on Establishing a Framework for Interoperability between EU information systems in the field of Borders and Visa Borders]

UK – Privacy Chief Wants Powers to Access Data More Quickly

The U.K.’s privacy regulator, who’s leading European investigations into how political consultants accessed the data of millions of Facebook Inc. users, said British data-protection laws are slowing her progress. Elizabeth Denham, the U.K.’s Information Commissioner, said she is “in intense discussion” with the government to broaden the nation’s data protection law. She wants a “streamlined warrant processes with a lower threshold than we currently have in the law. I’m in intense discussion with government to ensure that as part of the data protection bill, the ICO has the ability to move more quickly to obtain information that we need to carry out our investigations in the public interest,” Denham said on Wednesday. [Bloomberg]

WW – A Flaw-By-Flaw Guide to Facebook’s New GDPR Privacy Changes

Facebook is about to start pushing European users to speed through giving consent for its new GDPR privacy law compliance changes [see here]. It will ask people to review how Facebook applies data from the web to target them with ads, and surface the sensitive profile info they share. Facebook will also allow European and Canadian users to turn on facial recognition after six years of the feature being blocked there. But with a design that encourages rapidly hitting the “Agree” button, a lack of granular controls, a laughably cheatable parental consent request for teens and an aesthetic overhaul of Download Your Information [see here] that doesn’t make it any easier to switch social networks, Facebook shows it’s still hungry for your data. The new privacy change and terms of service consent flow will appear starting this week to European users Facebook says it will roll out the changes and consent flow globally over the coming weeks and months with some slight regional differences There are a ton of small changes, so we’ll lay out each with our criticisms. [TechCrunch]

WW – Reaction to WP29’s Accreditation of Certification Bodies Guidelines

The Centre for Information Policy Leadership published recommendations on the Article 29 Working Party’s draft guidance on accreditation of certification bodies under the GDPR. The think tank recommends that accreditation by Supervisory Authorities take place under a common EU-wide accreditation standard approved by the EDPB, and taking into account the requirements adopted by the European Commission; ISO criteria should be considered instructive, not mandatory, and further forthcoming guidance should consider flexibility and scalability for smaller enterprises.

Comments on the WP29 Draft Guidelines on the Accreditation of Certification Bodies under the GDPR – CIPL]

Facts & Stats

WW – Lessons from Verizon’s Annual Data Breach Investigations Report

According to the recently released Data Breach Investigations Report [see PR here, 8 pg PDF Exec. Summary here & 68 pg PDF Report here] from Verizon, the majority of data breaches (73%) are perpetrated by outsiders and involved either hacking techniques (48%) or malware (30%). The annual report examined 53,308 security incidents in 65 countries from November 2016 through October 2017, an increase of 11,000 more incidents than the previous year’s report. Additionally, the report analysed 2,216 confirmed data breaches (defined as a security incident that results in confirmed disclosure – not merely potential exposure – of data to an unauthorised party), an increase from 1,935 the previous year. If consumers feel like data breaches are becoming more and more common, that’s because they are. Here are our top takeaways from the report: 1) Keep sensitive data out of business infrastructures; 2) Continually train and educate employees; 3) Enforce the least-privilege user access (LUA) principle on computer systems; and 4) Champion compliance [Semafone and at: Threatpost, CNET, BankInfoSecurity, Gigabit Magazine, eWEEK and Healthcare IT News]


CA – IPC Ontario Requires Disclosure of Commercial Service Agreements

An IPC ON order reviewed the City of Windsor’s denial of access to portions of documents requested pursuant to the Municipal Freedom of Information and Protection of Privacy Act. Most of the information withheld by a municipality did not consist of trade secrets or technical information, was not supplied (it was mutually generated or negotiated) and would not cause harm if disclosed; it was unsuccessfully argued that disclosure might have a negative affect on the municipality’s ability to attract business (the IPC ruled that disclosure of the municipality’s commitments might actually encourage private companies to partner with the city). [IPC ON – Order MO-3583-I – Appeal MA15-242 – City of Windsor]

Horror Stories

WW – 71% of Incidents Include Exploitation of Software Vulnerabilities’

Ponemon study surveyed 627 IT security practitioners in a variety of healthcare organizations that are subject to HIPAA. Other security incidents identified by the Ponemon Institute include web-borne malware attacks (69%), exploit of existing software vulnerability less than 3 months old (66%), lost/stolen devices (62%), spear phishing (61%), SQL injection (53%), zero day attacks (48%), botnet attacks (45%), click-jacking (44%), ransomware (37%), DDoS (36%), targeted attacks (32%), and rootkits (30%). [The State of Cybersecurity in Healthcare Organizations – Ponemon Institute]

WW – Unsecured Database Contained Profiles of 48M People

UpGuard Director of Cyber Risk Research Chris Vickery discovered an unsecured Amazon S3 database containing profiles of 48 million people created by a data firm. LocalBlox used data-scraping tools to create the profiles by mining information found on sites such as Facebook, Twitter and LinkedIn. Information found in the database included names, physical addresses and employment information. In a report UpGuard published on the leak, the firm informed LocalBlox about the unsecured database in February, with the data firm locking down the information within a matter of hours. Meanwhile, web trackers have been exploiting the “Login with Facebook” feature on third-party sites to gather information. [ZD Net]

CA – Waste Management Apps Compromised in Data Breach

Users of Recycle Coach and My Waste were informed the apps were affected by a data breach. The owner of the apps, Municipal Media Inc., told users a subscriber database was hit during the cyberattack. The database held 55,000 email addresses, with Municipal Media saying some of those addresses were compromised during the breach. “There were no names associated with them, no locations, and of course no passwords or any other personal information,” Municipal Media President Creighton Hooper said. The company is advising users of the apps to be cautious of any suspicious emails and to avoid clicking links they do not recognize. [CTV News]

CA – Firm Releases AggregateIQ’s Canadian Clients

Cybersecurity consulting firm UpGuard has discovered some of the Canadian clients of AggregateIQ. Among AggregateIQ’s clients are three British Columbia Liberal candidates running in last year’s provincial election and a Liberal MLA who ran for party leadership and for the British Columbia Green Party in 2016. UpGuard Director of Cyber Risk Research Chris Vickery found exposed data from the data firm following revelations it was tied with Cambridge Analytica. “It was an eye-opening moment, once it hits you: ‘Oh my god, this is what they’re using to influence elections across the globe,’” Vickery said. The UpGuard director told the Standing Committee on Access to Information, Privacy and Ethics that Facebook may be involved in another breach involving the private messages of 48 million users. [G & M]

WW – Ethereum Thieves Exploited BGP Leak

Thieves exploited vulnerabilities in public facing DNS servers to steal $152,000 USD worth of Ethereum cryptocurrency. The attackers used a Border Gateway Protocol (BGP) leak to redirect users to a phony MyEtherWallet site. Sources:

  • SC Magazine: $152,000 in Ethereum stolen in Amazon DNS server attack
  • ZD Net: AWS traffic hijack: Users sent to phishing site in two-hour cryptocurrency heist
  • Ars Technica: Suspicious event hijacks Amazon traffic for 2 hours, steals cryptocurrency
  • Cyberscoop: Internet infrastructure server hijacked for $152,000 Ether theft

WW – Five Most Dangerous New Attack Techniques

At the Keynote Panel at the RSA Conference in San Francisco, SANS’s Ed Skoudis, Johannes Ullrich, and James Lyne spoke about the most dangerous new attack techniques. Skoudis spoke about the security risks posed by the cloud, noting “There is leakage when you have data stored in the wrong repositories or not stored correctly,” for example, misconfigured Amazon S3 buckets. There have been many attacks, Verizon twice, Time Warner and Uber and the U.S. Army leaked over 100 gigabytes of data because of a bug in an Amazon S3 storage bucket. Skoudis suggested that organizations step up to track and manage data assets, not just systems. Ullrich spoke about the shift from stealing or locking up data to stealing processing power through cryptocurrency mining. Ullrich also showed why assuming that hardware is inherently trustworthy is increasingly dangerous. Sources:

  • SANS Org: RSA Session and summary of their remarks
  • eWeek: Security Experts Warn of New Cyber-Threats to Data Stored in Cloud
  • Fifth Domain: Future cyber threats will come from inside the architecture
  • Infosecurity: #RSAC: The Five Most Dangerous New Attacks According to SANS

WW – Fixes Available for Hotel Card Key Electronic Lock Weaknesses

Security flaws in a card key system used by hotels around the world can be exploited to create a master key, allowing access to rooms. Researchers at F-Secure found that expired card keys can provide enough information to create a master key. The vulnerable system is Vision by VingCard, made in Sweden by Assa Abloy, which has released fixes to address the vulnerabilities. Sources:

  • SC Magazine: Lock maker offers fixes to prevent hackers from using fake master keys to open hotel locks
  • Reuters: Hotel key cards, even invalid ones, help hackers break into rooms
  • The Register: Hotel, motel, Holiday Inn? Doesn’t matter – they may need to update their room key software
  • ZD Net: Hackers built a ‘master key’ for millions of hotel rooms
  • Bleeping Computer: Device Can Generate Master Keys From Valid or Expired Hotel Keys

Identity Issues

EU – Commission Proposes Making Fingerprints Mandatory in ID Cards

Identity cards held by EU citizens will be required to include digital images of the holder’s fingerprints as part of a crackdown on fraudulent documents used by criminals and extremists, the European Commission proposed on Tuesday [see PR here]. The Commission said that it would not oblige countries to introduce ID cards, but those countries that use them would be required to include two pieces of biometric data: an image of two fingerprints and a facial image. The Commission estimates 80 million Europeans currently have ID cards that cannot be read by machines and do not contain biometric identifiers. The Commission also proposed other security measures on Tuesday, which include making it easier for authorities to access electronic and bank account information in other EU countries. [Reuters and at: Deutsche Welle, EuroNews, findBIOMETRICS, Biometric Update and New Europe]

Internet / WWW

WW – Academics Make Recommendations on IoT Security

PETRAS IoT Research Hub issued recommendations to the UK Government regarding the security of IoT. A UK government-commissioned study recommends using multi-factor or biometric authentication, disclosing vulnerabilities that pose threats to consumers, allowing user control of data, providing controls for users to edit privacy settings, updating software and testing all updates, requesting user consent to share data with third parties, and providing user or proxy option to delete personal data. Summary Literature Review of Industry Recommendations and International Developments on IoT Security – PETRAS IoT Research Hub |  Government’s Commitment

Online Privacy

WW – Facebook Fuels Broad Privacy Debate by Tracking Non-Users

Chief Executive Mark Zuckerberg said the world’s largest social network tracks people whether they have accounts or not. Zuckerberg said under questioning by U.S. Representative Ben Luján that, for security reasons, Facebook also collects “data of people who have not signed up for Facebook” [watch here at 1:15].  Critics said that Zuckerberg has not said enough about the extent and use of the data. “It’s not clear what Facebook is doing with that information,” said Chris Calabrese, vice president for policy at the Center for Democracy & Technology, a Washington advocacy group. [Reuters and at: FastCompany and The Mac Observer (audio)]

WW – Facebook Makes End Run Around GDPR for Non-EU Customers

Facebook has changed its terms of service, which will exempt 1.5 billion Facebook users from protection under the European Union’s General Data Protection Regulation (GDPR). While Facebook users in Canada and the US have never been subject to EU rules, the 1.5 billion Facebook users in Latin America, South America, Africa, Asia, and Oceania have until now been governed by Facebook’s Irish terms of service, but now they will be governed by Facebook’s US terms of service. The move reduces Facebook’s GDPR liability; Under GDPR rules, EU regulators can fine companies that collect or use personal data without user’s consent. Facebook maintains that they “apply the same privacy protections everywhere, regardless of whether your agreement is with Facebook Inc. or Facebook Ireland.” Sources:

  • Reuters: Exclusive: Facebook to put 1.5 billion users out of reach of new EU privacy law
  • fb.com: Complying With New Privacy Laws and Offering New Privacy Protections to Everyone, No Matter Where You Live
  • ZD Net: Facebook moving 1.5 billion users away from GDPR protection
  • BBC: Facebook to exclude billions from European privacy laws
  • SC Magazine: Looking to reduce GDPR liability, Facebook ports 1.5B non-U.S. users to domestic HQ
  • The Register: Facebook puts 1.5bn users on a boat from Ireland to California

Privacy (US)

US – Supreme Court Tosses Out Microsoft Case on Digital Data Abroad

The Supreme Court announced on Tuesday that it would not decide whether federal prosecutors can force Microsoft to turn over digital data stored outside the United States. The move followed arguments in the case [United States v. Microsoft, No. 17-2] in February and the enactment of a new federal law that both sides said made the case moot. “No live dispute remains between the parties,” the court said in a brief, unsigned opinion.  The case posed the question of whether a 1986 law, enacted before the dawn of the big-data era, applied to digital information stored outside the nation’s borders. On March 23, Congress enacted the Cloud Act — more formally, the Clarifying Lawful Overseas Use of Data Act. The new law, unlike the one from 1986, clearly applied to data held overseas.  After the new law was passed, the government withdrew the earlier warrant and obtained a new one. In recent Supreme Court filings, both sides told the justices that the case was moot. [NY Times and at: Jurist, SCOTUSblog, TechCrunch, The Wall Street Journal and Hit & Run Blog (Reason)]

WW – Tech Firms Sign ‘Digital Geneva Accord’ Not to Aid Governments in Cyberwar

More than 30 high-tech companies, led by Microsoft and Facebook, announced a set of principles [Cyber Tech Accord PR here] that includes a declaration that they will not help any government — including that of the United States — mount cyberattacks against “innocent civilians and enterprises from anywhere,” reflecting Silicon Valley’s effort to separate itself from government cyberwarfare. It also commits the companies to come to the aid of any nation on the receiving end of such attacks, whether the motive for the attack is “criminal or geopolitical. Although the list of firms agreeing to the accord is lengthy, several companies have declined to sign on at least for now, including Google, Apple and Amazon. [NY Times and at: Inside Privacy ( Covington), Bloomberg (video), Engadget, Inc and TechNewsWorld]

US – Attorney-Client Privilege the First Casualty of Michael Cohen Investigation

The extraordinary attempt by Michael Cohen, the president’s longtime fixer and personal attorney, to recoup materials collected during a law enforcement raid last week failed in federal court. A federal judge ruled that, for the time being, the government would control access to the materials, while forbidding investigators to review any potential evidence. The idea of Trump sorting through Cohen’s correspondence and deciding what should be shared with prosecutors prompted eye rolls and audible sighs in the courtroom. But it got to the core question of the hearing: To whom does the power to determine the scope of attorney-client privilege belong? The attorney? The client? The government? That Trump and the Blind Sheik now share the legally novel experience of having their attorneys’ offices raided by the FBI is not a synchronism; it is a reflection of our current political conditions. As a principle, attorney-client privilege is foundational to our system of justice, no matter how unpopular the attorney or their client. Cohen’s attorneys struggled to push back. “I think in the future this could affect people’s willingness to consult an attorney,” Steve Ryan said, to chuckles, the principle he was invoking clouded by the allegations surrounding his client. While the president’s critics may have claimed victory, a cornerstone of our judicial system — attorney-client privilege — fared less well. Gerald Lefcourt, a criminal defense attorney and former president of the National Association of Criminal Defense Lawyers offered a law school-seminar chestnut to warn of the potential precedent that could follow from Cohen’s case: “Bad facts make bad law.”[The Intercept]


WW – Prevent the Largest Cause of Data Security Incidents – Your Employees

BakerHostetler’s 2018 Data Security Incident Response Report [PR here Webinar here] documents over 560 incidents, more than a third of which stemmed from phishing incidents in which an employee was tricked by an email message into providing access credentials to an unauthorized party, visiting a phony website, downloading an infected document or clicking on a link that installed malware. Other sizeable incident types also involved employee errors: 17% of incidents were inadvertent disclosures and 11% were due to stolen or lost devices. Providing proper training and technical safeguards is one of the most important means to enhance your company’s security profile. However training is not enough. Technological safety nets are needed. Companies should consider implementing the a number of data security measures, which can make it more difficult for criminals to succeed with attacks that prey upon employee vulnerabilities. In addition to the above training and safeguards, companies should enable logging on email and other systems that contain sensitive data. Logging should be retained for at least one year, preferably longer. In many security incidents, the existence of logging is crucial to determining an attacker’s actions and to limiting notifications to information that is known to have been accessed or acquired without authorization. [Data Privacy Monitor]

WW – Key Findings from Baker Hostetler’s 2018 Data Security Incident Report

In their 2018 Data Security Incident Report, “Building Cyber Resilience: Compromise Response Intelligence in Action,” [see PR here, Webinar here & download Report here] BH identifies and analyzed the most important trends and takeaways from the more than 560 incidents we handled last year. These incidents affected nearly every industry and impacted anywhere from a single individual to millions of people. The report distills the lessons learned from those incidents into eight key takeaways for boards, senior management, auditors, IT leaders and general counsel. [Data Privacy Monitor aand t: here & here]

  • MFA is the gold standard. Much like encryption of external devices several years ago, multifactor authentication (MFA) has become an essential security measure and is increasingly becoming a regulatory expectation. However, MFA is not infallible, and not all MFA solutions are equally secure.
  • It’s not the cloud, it’s you. As entities migrate to the cloud, most security issues are not caused by the cloud service provider but by how the entity or its service provider configures access to the cloud.
  • Rise of the regulator. Recent high-profile incidents have rekindled regulatory interest. Moreover, large multistate settlements have given state attorneys general the funds to hire experts and more aggressively investigate breaches.
  • New year, same issues. Entities still are not executing on the basics. Endpoint monitoring agents, SIEM (security information and event management) solutions and privileged account management tools have become more common, but good hygiene could have prevented many incidents.
  • Everyone’s involved. With incidents on the rise and the stakes higher than ever, senior management, boards and external auditors are becoming involved in data breach prevention and response.
  • No one is “too small.” Any entity, of any size, may become the victim of a cyberattack. Hackers are happy to hit “singles” and take advantage of the lax security practices of small and medium-sized entities, and attacker techniques and tools simplify the process of finding even obscure targets of opportunity.
  • The EU General Data Protection Regulation (GDPR) countdown drives uncertainty. With the May 25, 2018, effective date looming, organizations have been racing against the clock to get their privacy, data security and incident response practices in order. Expect adjustments to continue as the regulation is implemented.
  • Reading the litigation tea leaves is an inexact science. The line determining cognizable damages continues to blur. In addition, recent cases show that privilege may not apply to all incident-related communications, and some entities choose to waive privilege.

CA – OPC Canada Emphasizes Risk of Password Reuse

The OPC Canada summarized a number of incidents cases that it investigated in 2017. Customer login data obtained from previous, unrelated breaches were likely the cause of the compromise of an airline’s loyalty website and subsequent ransom demand for the PI of 25,000 members, the unlawful acquisition of the PI of 100,000 loyalty customer of a retailer, and the redemption of a digital media company’s users’ rewards; all 3 companies either reset passwords, forced password changes and/or considered changes to password creation processes. [OPC Canada – Multiple Breach Incidents as a Result of Password Reuse]

WW – Incident Response Procedures: Best Practices

Working Group 11 of the Sedona Conference guidance to help organizations prepare and implement an incident response plan. An industry association recommends that pre-incident planning includes mapping of data and legal obligations and vendor due diligence, conducting initial assessments of an incident before activating the incident response team (cause, time frame, affected systems or information), considering if law enforcement engagement would result in liability exposure or business disruptions, and reviewing actions taken to address blind spots, and areas for improvement. [Incident Response Guide – The Sedona Conference]

WW – Cybersecurity Trend: Complex Business and IT Systems Highest Risk

A new Ponemon study surveyed more than 1,100 senior information technology practitioners from the US, Europe and the Middle East/North Africa region on cybersecurity trends. Other organization risks identified by the Ponemon Institute include lack of funding to support cyber defense (58%), inability to integrate disparate technologies (53%), and lack of cybersecurity leadership (51%); technologies that pose the highest risk were identified as document collaboration tools (58%), use of digital identities (47%), and insecure connectivity (37%). [2018 Study on Global Megatrends in Cybersecurity – Ponemon]

Smart Cars

US – Expectation of Privacy Exists in Vehicle Black Box Data

The Court considered an appeal by the State of Missouri’s to suppress evidence collected from a warrantless search and seizure. A Missouri Court confirmed that a truck’s black box contained information unique to the driver’s use and operation of the vehicle, which was in itself protected by the Fourth Amendment as an “effect”, the intrusion constituted an actionable trespass on the driver’s possessory interest in the vehicle, and there were no exigent circumstances that could not have been addressed in an application for a warrant. [State of Missouri v. Anthony West – 2018 -Mo. App. LEXIS 378 – Court of Appeals of Missouri Western District Division Four]


WW – Research Study: Google’s Play Apps Improperly Track Children

Thousands of apps may be tracking the online activity of children in ways that violate US privacy laws, according to a recent survey of Android apps available on the Google Play store. It concluded that of 5,855 apps in the Play Store’s Designed for Families program, 28% “accessed sensitive data protected by Android permissions” and 73% of the applications “transmitted sensitive data over the internet.” Though the survey noted that simply collecting that information did not necessarily violate the Children’s Online Privacy Protection Act (COPPA). Among the most concerning findings was that approximately 256 apps collected geolocation data, 107 shared the device owner’s email address, and 10 shared phone numbers. 1,100 shared persistent identifiers, which can be used for behavioral advertising techniques that are banned for use on children by COPPA. 2,281 transmitted Android Advertising IDs Those apps appear to be in violation of Google policy. [Gizmodo and at: Education Week, engadget, Ubergizmo, See also: Fake messaging apps could compromise your Android phone | Study Says Many Android Vendors Regularly ‘Forget’ Security Patches]

US – Advocate Alleges Deceptive Tracking App

The Electronic Privacy Information Center filed a complaint against AccuWeather International, Inc., alleging tracking of consumers’ location in violation of the D.C. Consumer Protection Procedures Act. A weather media company’s mobile app collected and used consumers’ personal location data for marketing purposes, including sharing with partners and affiliates; claims against the company include that latitude, longitude and altitude data was collected even if the app was not open, and access permissions were denied by the individual. [EPIC v. Accuweather International Inc. – Complaint – Superior Court of the District of Columbia, Civil Division]

US Government Programs

US – Positive Assessment of Privacy Shield from US Government

The Department of Commerce assessed implementation, oversight and enforcement of the:

The US Department of Commerce noted that certification and monitoring processes have been enhanced (random spot checks, online reviews, delayed public notice of participation), limitation and safeguards on national security access to data have been reauthorized by Congress, an Ombudsperson has been appointed, and 3 individuals have been nominated to the Privacy and Civil Liberties Oversight Board.

DoC – US Implementation, Oversight and Enforcement of the EU-US and Swiss-US Privacy Shield Frameworks]

US Legislation

US – Federal Bill Imposes Student Data Restrictions on Online Services

Senate Bill 2640, the Safeguarding American Families from Exposure by Keeping Information and Data Secure Act (“SAFE KIDS Act”) was introduced and referred to the Senate Committee on Commerce, Science, and Transportation: The Bill stipulates, in regards to online providers of services to educational institutions for pre K-12 purposes, restrictions (targeted advertising) and permitted uses of student PII (disclosures required by federal or state law, or pursuant to student or parental consent), and imposes certain requirements (limited retention or destruction requirements, and security procedures); the FTC would enforce the law. The Bill, if passed, will take effect 18 months after enactment. [Senate Bill 2640 – SAFE KIDS Act – 115th Congress]



10-16 April 2018


WW – Fingerprints Can Show If You’ve Done Drugs

A raft of sensitive new fingerprint-analysis techniques is proving to be a potentially powerful new avenue for extracting intimate personal information—including what drugs a person has used. New techniques can determine, from a single fingerprint, not whether you have handled these drugs, but whether you have taken them. The new methods use biometrics to analyze biochemical traces in sweat found along the ridges of a fingerprint. And those trace chemicals can quickly reveal whether you have ingested cocaine, opiates, marijuana, or other drugs. One novel, noninvasive forensic technique developed by U.K. researchers can detect cocaine and opiate use from a fingerprint in as little as 30 seconds. The assay—which was so sensitive that it could still detect trace amounts of cocaine after subjects washed their hands with soap—correctly identified 99% of the users, and gave false positive results for just 2.5 percent of the nonusers. The researchers say they hope to expand the range of controlled substances that can be detected, which could include methamphetamines, amphetamines, and marijuana. The test can be modified to detect therapeutic drugs prescribed by physicians too. [The Atlantic]

CN – Facial-Recognition Cameras Caught Suspect Among 60,000 Concertgoers

China is pursuing an ambitious plan to make an omnipresent video surveillance network. On the night of April 7, nearly 60,000 people had gathered at the Nanchang International Sports Center for a concert by Cantopop legend Jacky Cheung. In the middle of an upbeat song, a pair of police officers began descending the aisles, according to footage posted on the Chinese video sharing site Miaopai. Soon, they had arrived at the row they were looking for and apprehended the 31-year-old. Before Cheung had finished singing the refrain, officers were escorting the man out of the show. The man, identified only by his surname Ao, was reportedly wanted for “economic crimes,” according to Kan Kan News. Details about Ao had been in a national database, and when he had arrived at the stadium, cameras at the entrances with facial-recognition technology had identified him — and flagged authorities, the news site reported. “He was completely shocked when we took him away,” police officer Li Jin told Xinhua news agency. “He couldn’t fathom that police could so quickly capture him in a crowd of 60,000.” Ao’s unlikely capture became the latest example of China’s growing use of facial-recognition technology. As The Washington Post’s Simon Denyer reported, law enforcement and security officials in China hope to use such technology to track suspects and even predict crimes. Ultimately, officials there want to create a comprehensive, nationwide surveillance system known as “Xue Liang,” or “Sharp Eyes” to monitor the movements of its citizens. At the back end, these efforts merge with a vast database of information on every citizen, a “Police Cloud” that aims to scoop up such data as criminal and medical records, travel bookings, online purchase and even social media comments — and link it to everyone’s identity card and face. A goal of all of these interlocking efforts: to track where people are, what they are up to, what they believe and who they associate with — and ultimately even to assign them a single “social credit” score based on whether the government and their fellow citizens consider them trustworthy. Images from Denyer’s visits to three technology companies showed people monitoring cars and people as they passed through an intersection. Attached to each entity were text bubbles that showed identifying characteristics: the person’s gender and home town, for example. “Surveillance technologies are giving the government a sense that it can finally achieve the level of control over people’s lives that it aspires to,” Adrian Zenz, a German academic who has researched ethnic policy and the security state in China’s western province of Xinjiang, told Denyer. Many have voiced their concerns about the ethical ramifications of such a system. Human Rights Watch has a page dedicated to mass surveillance and the use of “big data” in China. “For the first time, we are able to demonstrate that the Chinese government’s use of big data and predictive policing not only blatantly violates privacy rights, but also enables officials to arbitrarily detain people,” Wang wrote. “People in Xinjiang can’t resist or challenge the increasingly intrusive scrutiny of their daily lives because most don’t even know about this ‘black box’ program or how it works.” As for Ao, the man caught at the Jacky Cheung concert, he said he thought he would be safe in a crowd of tens of thousands. He and some friends had bought the concert tickets, and Ao had driven with his wife about 60 miles to see the show, according to the news site. [Opinion: China’s new surveillance state puts Facebook’s privacy problems in the shade]

Big Data / Data Analytics / Artificial Intelligence

EU – A Privacy Pro’s Guide to Explainability in Machine Learning Models

With the EU GDPR just around the corner, there has been some debate and discussion about whether the law requires a “right to an explanation” from machine learning models. “Regardless of the regulation’s effects on machine learning, however, the practical implications of attempting to explain machine learning models presents significant difficulties,” Immuta Legal Engineer Stuart Shirrell writes. “These difficulties will become an increasing focus for privacy professionals as machine learning is deployed more and more throughout organizations in the future.” [IAPP.org]


CA – Federal Privacy Commissioner Argues for Right to Be Forgotten

Canada’s privacy commissioner took the stage at a Canadian Journalism Foundation (CJF) privacy summit in Toronto to advocate for the right to online reputation. The half-day summit was an opportunity for members of the media, as well as lawyers and legislators to meet and discuss the right to privacy in relation to freedom of expression. Daniel Therrien’s core position is that Canadians should be able to access the internet without having to fear that their reputations will be ruined as a result. A draft paper published in January 2018 established the OPC position, while also suggesting that ‘de-indexing’ and ‘source takedown’ are possible solutions to maintain individual online reputation. Also known as the ‘right to be forgotten,’ de-indexing refers to the process by which individuals can request that search engines remove results when an individual’s name is used in the search. Source takedown, by comparison, refers to the removal of the original source of content from the internet entirely. As individuals at the summit pointed out, there’s some contention between the right to privacy, freedom of expression and the freedom to access information. In response to freedom of speech advocates, Therrien argued, “there are real consequences to incorrect information being out there to be seen by many.” “The solution can be discussed at length, and a reason why we have put this out as a draft position paper is that we’re pretty sure that there’s a harm to be remedied here, and as a regulator, the tool that I have… is the legislation to limit or enforce,” he said. Therrien further argued that the in the age of the internet, more information is easily accessible than ever before. As such, it’s necessary to find some way to regulate the information that’s available. [betakit.com] Canadian Government Leaning Towards A Right to Be Forgotten it Can Enforce Anywhere in The World]

CA – Quebec Commissioner’s Suggests Amendments to Privacy Law

The Quebec Commission on Access to Information’s has issued recommendations for amending the Private Sector Privacy Act. Quebec’s private sector privacy law should be amended to compel organizations to destroy personal information once the purposes for which they were collected are fulfilled (except when kept under a legal provision), and delete any provision recognizing the right of an organization to retain information, even if it can no longer use it according to the law. [CAI QC – Five-Year Report (Pages 120-122)

CA – Supreme Court Rules on B.C. Campaign Financing Case

In a unanimous decision, the Supreme Court of Canada dismissed a bid by the B.C. Freedom of Information and Privacy Association (FIPA) that challenged a section of B.C.’s Election Act that requires even small spenders to register with the province’s chief elections officer if they sponsor election advertising during a campaign. [see here] But in its 7-0 ruling, the top court clarified the law so that people who wear T-shirts bearing political messages, or put bumper stickers on their cars or signs in their windows during an election, will not have to register with the province’s election office, providing they spend less than $500. But people or groups who sponsor advertising must continue to register. FIPA, a non-profit public advocacy group, had argued the requirement to register inhibits “political expression by persons who don’t wish names and addresses to become public knowledge,” and is a violation of the Charter of Rights and Freedoms’ guarantee of freedom of expression. In B.C., a person or group wishing to sponsor advertising during one of the province’s 28-day provincial election campaigns must register with a full name, address and a service address, and provide a signed statement. The Chief Electoral Officer then makes that information public, although the factum of the Attorney General of B.C. says telephone numbers and home addresses can be obscured upon request. Failing to register could result in a fine up to $10,000 or imprisonment up to a maximum of one year, or both. Reacting to the decision, the Canadian Civil Liberties Union said “small voices” could still be silenced under the B.C. Elections Act. B.C. Freedom of Information and Privacy Association v. British Columbia (Attorney General) | BC’s election gag law being challenged in Supreme Court of Canada | Canadian Lawyer magazine | Top Court Upholds BC Law Requiring Election Advertisers to Register | SCC rules on election campaign sponsorship in B.C.  | Wearing a T-shirt isn’t ‘sponsored’ election advertising, top court rules

CA – Insurance Company Must Delete Personal Information

The OPC investigated a complaint against an insurance company, alleging violations of PIPEDA. The OPC investigation determined that a company should have treated an individual’s request to delete his data as a withdrawal of consent; the company initially denied the request (retention was necessary to provide insurance details to other insurers), however, once the individual accepted that deletion could result in higher premiums or coverage denial, his information was deleted. [OPC Canada – Case Summary 2017-005 – Insurance Company Required to Delete Individuals Personal Information After They Withdraw Consent]

CA – Nurse Fined for Criticizing Grandfather’s Healthcare Loses Appeal

A Prince Albert nurse fined for criticizing her grandfather’s palliative care online has lost her appeal of a $26,000 fine ordered by her professional regulatory board. In a written decision, Saskatoon Queen’s Bench Justice J. Currie said Carolyn Strom violated professional conduct rules relating to her profession as a registered nurse. Even though Strom was away from work on maternity leave at the time she wrote the online posts, Currie upheld an earlier decision from the Saskatchewan Registered Nurses’ Association (SRNA) that found Strom guilty of professional misconduct. In his decision, Currie said his role was not to determine whether the decision from the disciplinary committee was correct, but rather whether it “falls within the realm of reasonable decisions in the circumstances.” In that respect, Currie agreed with the discipline committee. The Saskatchewan Union of Nurses acted as an intervenor in the case, and said it is disappointed the SRNA ruling was upheld, saying the decision will affect nurses and other professionals, who will think twice before expressing their personal opinions. [paNOW]

CA – Alphabet to Start Toronto Smart-City Tech Pilot in Summer, Build in 2020

Alphabet Inc’s urban innovation company Sidewalk Labs hopes to break ground on its first ever smart-city project in Toronto in 2020, and begin testing some of the proposed technologies this summer, its chief executive said. This is the first time a timeline has been publicly disclosed for the project. A development plan is expected to be approved by the Sidewalk and Waterfront Toronto boards by the end of 2018, and the first residents could move in as early as 2022. The timeline is subject to government approvals and other processes that Sidewalk expects to spend most of 2019 working through. Other smart city projects have largely failed because of budgets, the involvement of too many parties, and the use of public resources on development with no immediate benefits for the broader population. Corporate access to personal information is a growing concern. Sidewalk Labs has faced growing scrutiny over its plans to put sensors and cameras all over Quayside. Doctoroff said Sidewalk Labs would destroy non-essential information, only retain data that would improve the quality of life, and not sell them to advertisers. Third parties must adopt privacy policies developed for the plan, he added. [Reuters]

CA – Man Arrested for Breaching Nova Scotia’s FOI Website

A 19-year-old Halifax man has been arrested for illicitly accessing the Nova Scotia government’s freedom-of-information website. The man was able to see more than 7,000 documents, some of which contained sensitive information, including birth dates, social insurance numbers, addresses and government-services client information. The Nova Scotia government said no credit card information was compromised in the breach, with government officials saying thousands of citizens in the province were likely affected. Halifax Regional Police searched the suspect’s house before his arrest. The man has been charged with the unauthorized use of a computer. Software and privacy professionals have expressed concerns the Nova Scotia government is using the 19-year-old man as a scapegoat for the breach. [CBC News See also: Teen charged after personal information exposed in Nova Scotia government website breach | Police refute claim they asked province to keep a lid on information breach | Province just sort of stumbles across massive data breach ]


US – Majority of US Consumers Concerned About Privacy: Survey

The Network Advertising Initiative conducted a survey asking 10,000 U.S. consumers about their opinions on online privacy. Of the respondents, 85% said the current state of online privacy was at least “somewhat concerning,” with 50% of those consumers saying they are either “very” or “extremely” concerned about privacy. When asked about their top privacy concerns, 56% said hackers, while 15% said data collection by any federal government around the world. The majority of consumers said they want their online content to be paid by advertising, and 79% of respondents said individuals should be in control of opting out of any online marketing campaigns. [NAI]

CA – Canadians Skeptical About Cloud Security, Except at Work: Study

Nearly half of Canadians aren’t comfortable storing sensitive information in the cloud, according to a new study. 46% of Canadians don’t like the thought of storing family information on the cloud, a figure that rises to 52% when it comes to medical information, and 59% for financial information. Citrix Cloud and Security Survey says 62% of employed Canadians felt that documents uploaded to the cloud were either somewhat, or very secure. At the same time, 42% of workers think their employer is solely responsible for maintaining and upgrading security on all devices. A lot of employees, however – 34% – don’t even know if their company uses cloud services. In addition, more than 40% of all Canadians weren’t sure what the cloud was. [IT Business]

WW – Study Highlights Privacy Concerns with Gaming Platforms

Academic researchers published a paper that examined data handling practices in modern gaming. Platforms and consoles. These collect different types of user data through hardware (cameras, sensors, microphones), platform features (social media, user-generated content) and tracking technologies (cookies, beacons, and scripts). All games studied shared user data with advertising platforms and partners, while, mobile games stored private message contents and had a right to access and review these messages.[Privacy in Gaming – N. Cameron Russell, Joel R. Reidenberg and Sumyung Moon – Center on Law and Information Policy at Fordham Law School | Gaming Platform Updates Its Privacy Setting Default | DigitalTrends]


UK – ICO Fines Royal Mail Over 300,000 “Spam” Emails

Royal Mail, which claims to be the most trusted letter delivery service in the UK, was today fined for sending out more than 300,000 nuisance emails. The UK ICO said it launched a probe [see 16 pg PDF notice here] after an individual complained they had received a marketing email from Royal Mail, despite having opted out. Royal Mail argued the email in question was a service because it was telling customers there was a price drop for second-class parcels – but the ICO disagreed. Deeming the message to be marketing, the ICO issued a £12,000 fine for breaching the Privacy and Electronic Communications Regulations (PECR) since recipients hadn’t consented to receiving the mail. The ICO acknowledged that Royal Mail has an obligation to publicise price changes, but said there were more appropriate ways to do this, such as putting an update on its website. [The Register | BBC News, City A.M. and The Times]

Electronic Records

US – 25% of Patients Did Not Access Data Over Patient Privacy Concerns

A recent study by the Office of the National Coordinator for Health Information Technology (ONC) found that 25% of individuals who were offered access to their online medical records declined out of privacy and security concerns. Increasing access and adoption of electronic health records is stated to be a cornerstone of the ONC’s efforts. In response, the ONC created a guide to help individuals get and use medical records. National Coordinator for Health Information Technology Don Rucker said, “It’s important that patients and their caregivers have access to their own health information so they can make decisions about their care and treatments,” adding, “This guide will help answer some of the questions that patients may have when asking for their health information.” [HealthITSecurity | PR here | NAP.edu]

EU Developments

EU – Proposal Gives Consumers More Power to Sue Companies

The European Union has unveiled a proposal to give consumers more power to sue companies if their rights have been violated. The proposal would call for any offending company to be penalized up to 4 percent of their annual turnover. Under the new rules, EU consumer law would be extended to cover “free” digital services where consumers provide personal data, including social media information, email accounts and cloud storage services. While business groups said the proposed bill could lead to a wave of lawsuits, Justice Commissioner Věra Jourová said profit-seeking class-action lawsuits would not be permitted under the pending legislation. [Reuters]

EU – EDPS Launches ‘Privacy by Design’ Mobile Health App Contest

The European Data Protection Supervisor is launching a contest for creators to design the best mobile health apps using “privacy by design” and “privacy by default” principles. Contestants are encouraged to create apps designed to be user friendly and give users more control over their information. The top two winners will receive prizes of 20,000 and 10,000 euros respectively and will be able to present their projects during the 40th International Conference of Data Protection and Privacy Commissioners in October. Submissions must be sent in by the end of June. [Telecompaper]

EU – WP29 Forming Social Media Working Group

Article 29 Working Party Chairwoman Andrea Jelinek said the agency is forming a Social Media Working Group in response to the Facebook-Cambridge Analytica revelations. “What we are seeing today is most likely only one instance of the much wider spread practice of harvesting personal data from social media for economic or political reasons,” Jelinek said. During his second day on Capitol Hill, Facebook CEO Mark Zuckerberg said regulation of his company is “inevitable,” but lawmakers and privacy professionals are skeptical of when it may happen. [Reuters]

EU – Group Calls for EU to Exempt Blockchain from GDPR

A blockchain group is calling for the European Union to exempt the technology from the GDPR. In a blog post, Coin Center Executive Director Jerry Brito writes the GDPR is “incompatible with the reality of open blockchain networks,” and if technology is regulated under the impending rules without any changes to either, the outcome could be troublesome. “The result of the law, then, may be that Europe is closing itself off from the future of the internet to its detriment.” [The Verge | Gizmodo]

UK – ICO Releases Data Protection Self-Assessment Toolkit

The U.K. ICO has released a data protection self-assessment toolkit. The resource has been created to help organizations, particularly small- and medium-sized businesses, make sure they are compliant with data protection laws, such as the EU GDPR. The toolkit includes checklists for controllers and processors, as well as for other areas of compliance, such as information security, direct marketing, records management, data sharing and subject access, and CCTV. Once a checklist has been completed, a report will be generated advising companies on practical steps they can take to improve their compliance efforts. [ICO.org]

US – GDPR: Study Shows 35% of Organisations Ready

The Centre for Information Policy Leadership conducted its second global survey to understand organisational preparedness for the GDPR. 239 organisations were surveyed across several industries: The first global survey was conducted in 2017. A think tank notes that mandatory DPOs will be appointed in 47% of companies surveyed, 35% have a procedure in place to identify and classify privacy risks to individuals, and only 38% will have to re-obtain individual consent; areas that still require further clarity include legitimate interests, breach notification, DPIAs, privacy by design, certifications, codes of conduct, and internal processing records. [Organisational Readiness for the EU GDPR 2nd Edition – CIPL]


CA – 80-Year Extension on Access-to-Info Request Appears to be a Record

A federal institution has given itself what may be the longest-ever time extension to respond to a citizen’s request under the Access to Information Act — at least 80 years, which will delay the delivery of documents to 2098 or beyond. 70-year-old Michael Dagg, the requester and longtime user of the act, asked Library and Archives Canada (LAC) for files from Project Anecdote, an RCMP investigation into money laundering and public corruption that was launched in May 1993. No charges were ever laid in the massive probe, which concluded in 2003. The voluminous Mountie files were eventually turned over to the government archives. Library and Archives determined there are a minimum of 780,000 document pages to review, in addition to audio and video recordings. Dagg was advised that the review of the material would normally take at least 130 years, but many of the records will automatically become public after 80 years, without need for review under the Access to Information Act, helping to shorten the extension period. Dagg says he plans to contact Library and Archives to negotiate a smaller subset of the Project Anecdote documents. “I would narrow the scope so I can get something within a year or two, rather than beyond my lifetime,” he said in an interview. Timeliness of responses has been a growing issue under the act. In 2016-2017, for example, responses to 2,326 requests took more than a year, up from 1,526 the year previous — or 2.7%t of all requests, up from 2.1%. And 19.3% of all responses to requests in 2016-2017 were in so-called “deemed refusal,” that is, they were late — delivered beyond legislated deadlines. That level of ‘deemed refusals’ has almost doubled in the last five years. And some 1,741 of these late requests were delivered more than a year after deadline. In 2016, former commissioner Suzanne Legault warned of a “culture of delay” within the federal government that has created “a slow and arcane system that seems bent on denying access.” [CBC]

Health / Medical

US – Report Finds Insider Data Breaches Most Common in Health Care Industry

According to Verizon’s 2018 Data Breach Investigations Report, 25% of all attacks over the year were perpetrated by said insiders and were driven largely by financial gain, espionage and simple mistakes or misuse. It also reports that organised criminal groups continue to be behind around half of all breaches, while state-affiliated groups were involved in more than one in 10. Financial gain, unsurprisingly, continued to be the top motivation for cybercriminals. The health care industry ranks worst when it comes to preventing insider data breaches. As the only sector reported to have more internal actors behind data breaches than external, errors were the leading type of cyber incident across health care, followed by malware, hacking and privilege misuse. The report also found that for the malware detected in health care, ransomware accounted for 85%. Simple errors – such as failing to shred confidential information, sending emails to the wrong person or misconfiguring web services – were at the heart of nearly one in five breaches. More than 20 per cent people still click on at least one phishing campaign during a year. [The Washington Post]

Horror Stories

US – Consumer Reports Publisher to Pay $16.4M to Settle Privacy Lawsuit

The publisher of Consumer Reports magazine will pay $16.375 million to settle a lawsuit alleging it violated Michigan privacy law. The publisher was accused of selling customers’ subscription and personal information to third parties without consent. The personal information included customers’ age, race, religion, income, medical conditions and political affiliations. “We have long advocated for the rights of consumers to have control over their private information,” a Consumer Reports spokeswoman said. “While we believe that our practices were in compliance with Michigan law, we chose to settle this case, without admitting liability, so that we can spend our time, effort and resources on protecting consumers.” [Reuters | Insurance Journal

AU – Study Shows Willingness to Pay Malware Ransom Demands

According to findings from the Telstra Security Report, 47% of Australian businesses paid malware ransom demands when found to be the victim of a cyberattack. The report, which surveyed 1,252 people across 13 countries and 15 industries, found that a willingness to pay ransom demands was consistent across all respondents, with 60% of ransomware victims in New Zealand, 55% in Indonesia, and 41% in Europe stating they have paid a ransom demand. Furthermore, 87% of Asian businesses and 82% of European respondents stated they recovered stolen data once the ransom was paid. [ZDNet]

Identity Issues

AU – Anonymization: Australian DPA Finds Publication of Dataset Flawed

The Office of the Australian Information Commissioner issued the results of its investigation into the publication of a dataset by the Department of Health. A dataset had the potential to identify service providers and some individuals because a public agency’s process for de-identification of PI and assessment of the risk of re-identification was flawed; it unlawfully disclosed PI for a purpose other than that of collection, and failed to take adequate steps to remove PI from the dataset relative to the sensitivity of the information (medical/pharm benefits information), and the context of its release (online to the public). [OIC Australia – Publication of MBS/PBS Data]


US – Can GPS Tracking Stop Customers from Stealing Rental Cars? In California, A New Debate Over Privacy Begins

The use of GPS to track stolen vehicles is at the center of a debate between car rental companies and privacy advocates in California. Most rental cars are equipped with navigation and GPS technology. But unlike automakers that can begin tracking their customer’s movements as soon as they drive off the lot, California law bars rental companies from tracking their customer’s location until the vehicle has been missing at least five days past its return date. Some car rental companies want to decrease the number of days significantly, making it possible to track the movements of customers who failed to return vehicles on time. Meanwhile, privacy advocates worry that allowing companies to track customers — even if only after they’ve failed to return a rental vehicle — could open the door to privacy abuses, such as collecting and selling valuable consumer data. The ease of stealing rental vehicles may explain why there were more than 92,000 rental cars thefts across the United States between 2015 and 2018, with nearly 18,000 of those thefts occurring in California, according to the National Insurance Crime Bureau. California remains a leading state for car theft alongside Nevada and Washington State, according to the NCIB. But privacy advocates such as state Sen. Hannah-Beth Jackson (D-Santa Barbara) say the rental industry hasn’t provided data proving that enough thieves are posing as customers to warrant a change in existing laws, such as allowing companies to track the location of overdue rental vehicles. [Wash Post| zdnet.com]

Other Jurisdictions

RU – Russia Seeks to Ban Telegram Messaging App

Russia’s Roskomnadzor, the Federal Service for Supervision of Communications, Information Technologies and Mass Media, has filed a lawsuit asking a court in that country to block the Telegram messaging app. Telegram has refused to provide Russian authorities with encryption keys. [www.v3.co.uk: Russia set to ban Telegram app for refusing to hand over decryption keys on demand | www.zdnet.com: Russia moves to block Telegram after encryption key denial]

CN – China Ranking Citizens With A Creepy ‘Social Credit’ System

The Chinese state is setting up a vast ranking system system that will monitor the behaviour of its enormous population, and rank them all based on their “social credit.” The “social credit system,” first announced in 2014, aims to reinforce the idea that “keeping trust is glorious and breaking trust is disgraceful,” according to a government document. The program is due to be fully operational by 2020, but is being piloted for millions of people already. The scheme is mandatory. At the moment the system is piecemeal — some are run by city councils, others are scored by private tech platforms which hold personal data. Like private credit scores, a person’s social score can move up and down depending on their behaviour. The exact methodology is a secret — but examples infractions include bad driving, smoking in non-smoking zones, buying too many video games and posting fake news online. China has already started punishing people by restricting their travel. Nine million people with low scores have been blocked from buying tickets for domestic flights. Three million people are barred from getting business-class train tickets. The eventual system will punish bad passengers specifically. Potential misdeeds include trying to ride with no ticket, loitering in front of boarding gates, or smoking in no-smoking areas. According to Foreign Policy, credit systems monitor whether people pay bills on time, much like financial credit trackers — but also ascribe a moral dimension. Other mooted punishable offences include spending too long playing video games, wasting money on frivolous purchases and posting on social media. Spreading fake news, specifically about terrorist attacks or airport security, will also be punishable offences. 17 people who refused to carry out military service last year were barred from enrolling in higher education, applying for high school, or continuing their studies, Beijing News reported. Citizens with low social credit would also be prohibited from enrolling their children at high-paying private schools. “Trust-breaking” individuals would also be banned from doing management jobs in state-owned firms and big banks. Some crimes, like fraud and embezzlement, would also have a big effect on social credit. People who refused military service were also banned from some holidays and hotels — showing that vacation plans are fair game too. The regime rewards people here as well as punishes them. People with good scores can speed up travel applications to places like Europe. Naming and shaming is another tactic available. A 2016 government notice encourages companies to consult the blacklist before hiring people or giving them contracts. However, people will be notified by the courts before they are added to the list, and are allowed to appeal against the decision within ten days of receiving the notification. It’s not clear when the list will start to be implemented. A prototype blacklist already exists, and has been used to punish people. There is also a list for good citizens — that will reportedly get you more matches on dating websites. They can also get discounts on energy bills, rent things without deposits, and get better interest rates at banks. Despite the creepiness of the system — Human Rights Watch called it “chilling,” while others call it “a futuristic vision of Big Brother out of control” — some citizens say it’s making them better people already. A 32-year-old entrepreneur, who only gave his name as Chen, told Foreign Policy: “I feel like in the past six months, people’s behaviour has gotten better and better. “For example, when we drive, now we always stop in front of crosswalks. If you don’t stop, you will lose your points. “At first, we just worried about losing points, but now we got used to it.” [Business Insider]

Privacy (US)

US – California Ballot Initiative Seeks to Establish Consumer Privacy Rights

Sens. Richard Blumenthal, D-Conn., and Ed Markey, D-Mass., have proposed the Customer Online Notification for Stopping Edge-provider Network Transgressions Act aimed at enhancing consumer privacy. The “privacy bill of rights” would require edge providers, such as Facebook and Google, to obtain consumers’ consent before selling sensitive information. “The avalanche of privacy violations by Facebook and other online companies has reached a critical threshold, and we need legislation that makes consent the law of the land,” Markey said in a statement. The bill would prevent edge providers from forcing customers to provide consent in order to use any services. [Ars Technica | Engadget | Broadcasting Cable | MediaPost | LA Times | LW.com]

US – Consumer Groups Say YouTube Is Collecting, Using Children’s Data Improperly

A coalition of more than 20 consumer advocacy groups is expected to file a complaint with federal officials claiming YouTube has been violating a children’s privacy law. The complaint contends that YouTube, a subsidiary of Google, has been collecting and profiting from the personal information of young children on its main site, although the company says the platform is meant only for users 13 and older. The coalition of consumer groups said YouTube failed to comply with the Children’s Online Privacy Protection Act, a federal law that requires companies to obtain consent from parents before collecting data on children younger than 13. The groups are asking for an investigation and penalties from the FTC, which enforces the law. The New York Times and The Associated Press (via FT), USA Today, WIRED and The Guardian

US – Uber Agrees to Expanded FTC Data Breach Settlement

Uber has agreed to expand its proposed settlement with the FTC related to its 2016 data breach. The FTC released a revised complaint against the ride-hailing company, alleging Uber knew hackers used a key to access 25 million names and email addresses, 22 million names and phone numbers, and 600,000 names and driver’s license numbers. Uber could face civil penalties as a result of the expanded settlement if it fails to notify the agency of any future data breaches. “The strengthened provisions of the expanded settlement are designed to ensure that Uber does not engage in similar misconduct in the future,” Acting FTC Chairman Maureen Ohlhausen said. The FTC also offered lessons companies can learn from Uber’s data breach. [FTC.gov]

US – D.C. Court: Accessing Public Information is Not a Computer Crime

A district court in Washington, D.C. has ruled that using automated tools to access publicly available information on the open web is not a computer crime—even when a website bans automated access in its terms of service. The court ruled that the notoriously vague and outdated Computer Fraud and Abuse Act (CFAA)—a 1986 statute meant to target malicious computer break-ins—does not make it a crime to access information in a manner that the website doesn’t like if you are otherwise entitled to access that same information. The case, Sandvig v. Sessions, involves a First Amendment challenge to the CFAA’s overbroad and imprecise language. The plaintiffs are a group of discrimination researchers, computer scientists, and journalists who want to use automated access tools to investigate companies’ online practices and conduct audit testing. The problem: the automated web browsing tools they want to use (commonly called “web scrapers”) are prohibited by the targeted websites’ terms of service, and the CFAA has been interpreted by some courts as making violations of terms of service a crime. This is the second time in a year a court has recognized that a broad interpretation of the CFAA will negatively impact open access to information on the web. Judge Edward Chen found that a “broad interpretation of the CFAA invoked by LinkedIn, if adopted, could profoundly impact open access to the Internet, a result that Congress could not have intended when it enacted the CFAA over three decades ago.” The web is the largest, ever-growing data source on the planet. It is a critical resource for journalists, academics, businesses, and ordinary individuals alike. Meaningful access sometimes requires the assistance of technology to automate and expedite an otherwise tedious process of accessing, collecting and analyzing public information. Using technology to expedite access to publicly available information shouldn’t be a crime—and we’re glad to see another court recognize that. [EFF]

US – Woman Awarded $6.45 Million in Revenge Porn Case

A federal district court in California last week entered a default judgment against a man and ordered him to pay $6.45 million in damages after he was accused of spreading an ex-girlfriend’s naked pictures and videos online. It’s believed to be the second-largest payout for a victim of revenge porn who was not a celebrity, according to the woman’s lawyers. The unnamed woman, who was listed as Jane Doe in legal filings, sued the man, David Elam II, in civil court. She alleged copyright infringement, online impersonation with intent to harm, stalking and the intentional infliction of emotional distress. The case, which was filed in 2014, also underscores how complicated it can be to seek justice. There’s no federal law against revenge porn — just a patchwork of state laws. Doe was awarded $450,000 in damages because of copyright infringement. She also received $3 million in compensatory damages for emotional distress, and $3 million in punitive damages. [CNNMoney]

US – State AGs Opposed to Federal Bill

The New York Attorney General and 29 other State Attorneys General submitted their concerns to Congress regarding HR 4508, the PROSPER Act, specifically potential student-loan related abuses. The Bill would prohibit states from overseeing or addressing certain state law violations by student loan collectors or servicers and there are not federal protections for borrowers of student loans; such servicers have come under increased scrutiny from government agencies for practices that include collections on debt not owed, failures to provide borrowers about repayments options, and difficulties in contacting servicers through call centers. [New York Attorney General et al. – Letter to Congress Regarding PROSPER Act]

US – Copyright Office Considering DMCA Exemption for Voting Machines

As part of its triennial exemption process for the Digital Millennium Copyright Act (DMCA), the US Copyright Office is considering expanding the scope of exceptions to DMCA to include voting machines, which would allow researchers to probe the devices for vulnerabilities without fear of legal repercussion. At a hearing earlier this week, researchers and vendor representatives voiced their opinions about the possible change. [Cyberscoop: Security researchers and industry reps clash over voting machine security testing]

US – American Lawyers Urged to Use ‘Burner Phones’ When Travelling Abroad

Lawyers in the US are being advised to use “burner phones” when they travel abroad to protect information from government inspection on re-entering the country. The advice, given by the New York Bar Association, comes against the backdrop of the Trump administration tightening border security. Anyone entering the US can be asked to turn over their computers and phones to Customs and Border Protection for inspection. They will also be expected to disclose passwords to enable officials to examine their correspondence. Foreigners who refuse to comply can be denied entry into the country while US citizens face having their equipment confiscated temporarily to allow further inspection. The American Bar Association, which has 400,000 members, has been trying to persuade the Department of Homeland Security to devise a policy which will protect lawyer-client privilege. But no agreement has been reached, leading the New York Bar Association to suggest drastic measures. It has urged lawyers to use “burner phones” – cheap throwaway devices often seen in modern crime shows. The Association has also advised lawyers to install software to wipe sensitive information and to disconnect from cloud services. As things stand, the courts have yet to reach a conclusive decision on the legality of inspecting phones and computers. Currently 0.017 per cent of people entering the US are subjected to an electronic device search. [The Telegraph]

US – Data Breach Notification Laws Now Enacted in All 50 States

South Dakota and Alabama are the last of the 50 states to have enacted breach notification laws, along with Washington, D.C., Guam, Puerto Rico and the Virgin Islands. South Dakota became the 49th state to enact a data breach notification law when Governor Dennis Daugaard signed Senate Bill 62 into law on March 21. It goes into effect on July 1, 2018. On March 28, 2018, Alabama Governor Kay Ivey signed into law Alabama Senate Bill 318, effective May 1, 2018. Below are the parameters of these new data breach notification laws. As reported in a blog by Daniel Walbright, 32 state attorneys general have released a letter to Congress preemption of state data breach and security laws with a draft bill, “Data Acquisition and Technology Accountability and Security Act.” [DBR on Data]

US – FTC Launching Small Business Cybersecurity Education Campaign

The FTC announced a national education campaign to assist small businesses in strengthening their cybersecurity efforts. The campaign will include training modules and videos on subjects small business owners have identified as trouble spots, including ransomware, phishing attacks and email authentication. “Small businesses understand the importance of cybersecurity and the need to protect their networks and data, but many feel overwhelmed about how to address the myriad of cyber threats they face,” said the FTC. “Our new campaign aims to help these small businesses with targeted, plain-language advice on everything from protecting against phishing scams to tips on what to look for when choosing a cybersecurity vendor.” [FTC.gov]

US – FTC Report Makes Security Recommendations to the Mobile Device Industry

A new report by the FTC takes aim at how data security tech for mobile devices can be both improved and better utilized. The report, published in February 2018 and titled, Mobile Security Updates: Understanding the Issues [PR here], presents findings based upon information requested by the FTC in 2016 of eight mobile device manufacturers. The report recommends that both the devices themselves as well as their corresponding support services need to do a better job by deployed security updates quicker and more frequently. It recommends that manufacturers provide a minimum period during which security updates are to be provided, and make that period known to the consumer prior to purchase. It also recommended that manufacturers consider providing security updates that are separate and distinct from other updates that are often bundled together in one package. The report is intended to bolster consumer protection, however it is also relevant for small businesses and their use of mobile devices in the workplace such as bring-your-own-device (BYOD). While a BYOD policy helps a small business save on device and carrier costs, it also increases the likelihood of security threats to the business. [Working Place Privacy]

US – EPIC Releases US Privacy Law Updated Guide

The Electronic Privacy Information Center has released a guide on the major developments in U.S. privacy law ahead of the 63rd meeting of the International Working Group on Data Protection in Telecommunications in Budapest. The guide covers topics such as the passing of the CLOUD Act, the Facebook-Cambridge Analytica revelations, the investigation into potential interference with the 2016 U.S. presidential election, and the nominations of four new commissioners to the Federal Trade Commission, as well as U.S. Supreme Court affairs, including the U.S. v. Microsoft and the Carpenter v. U.S. cases. EPIC.org

Privacy Enhancing Technologies (PETs)

WW – Apple’s ‘Private by Design’ Health Care App Aims to Capture Market

With tech companies moving in to capture the health care market, Apple’s “private-by-design” strategy aims to ensure the security and privacy needs of organizations. A recent survey found that 47% of health care IT professionals expect to see mobile devices increase in use over the next two years, highlighting that health care providers are more willing to adopt mobile technology. Apple’s recently introduced Health Records app for iPhone users puts patients in control of data portability. Mike Restuccia, CIO at Penn Medicine, said, “I think the good thing about the Apple solution is that the data only resides on the end-user’s device,” adding, “So, we don’t have access to that. Apple doesn’t have access to the data. The beauty of the solution is it is patient managed, patient controlled and patient centered.” [Computerworld]


AU – Human Error (Not Hackers) Behind Most Data Breaches in Australia

The Office of the Australian Information Commissioner released the first quarterly report since the country’s mandatory data breach notification scheme came into effect and noted an increase in the number of data breaches reported. The OAIC received notification of 63 data breaches in the first six weeks, compared to the 114 instances for the entire 2016–17 period when reporting was voluntary. The majority of breaches stemmed from human error, but an estimated 44% was the result of malicious or criminal behavior. The OAIC also stated that 78% of breaches included “contact information,” 24% contained “identity information,” and 73% of all eligible breaches “involved the personal information of under 100 individuals.” [iTnews | The Mandarin]

CA – Ontario Energy Board Establishes Cyber Security Framework

The Ontario Energy Board (OEB) established a Cyber Security Framework that is to be used by transmitters and distributors as the common basis for assessing and reporting their level of risk and security capability, as a means to move towards a more mature level of control and security. [Ontario Cyber Security Framework – Version 1.0 – Ontario Energy Board]


US – DHS to Compile Database of Journalists and ‘Media Influencers’

The Department of Homeland Security wants to track the comings and goings of journalists, bloggers and other “media influencers” through a database. The DHS’s “Media Monitoring” plan would give the contracting company “24/7 access to a password protected, media influencer database, including journalists, editors, correspondents, social media influencers, bloggers etc.” in order to “identify any and all media coverage related to the Department of Homeland Security or a particular event.” The database would be designed to monitor the public activities of media members and influencers by “location, beat and influencers,” the document says. The chosen contractor should be able to “present contact details and any other information that could be relevant including publications this influencer writes for, and an overview of the previous coverage published by the influencer.” Also, the contractor would have access to a password protected, mobile app that provides an “overview of search results in terms of online articles and social media conversations,” in several different languages such as Arabic, Chinese and Russian. The request comes amid concerns regarding accuracy in media and the potential for U.S. elections and policy to be influenced via “fake news.” The plan calls for the ability to track 290,000 news sources including online, print, broadcast and social media. Also, it would have the ability to track media coverage in over 100 languages, along with the “ability to create unlimited data tracking, statistical breakdown, and graphical analyses on ad-hoc basis.” DHS spokesman Tyler Q. Houlton tweeted that the practice of monitoring the press is considered “standard.” [Chicago Sun Times]


03-10 April 2018

Big Data / Data Analytics 

CA – Big Data: Deceptive Use Is Harmful to Consumers

The Canada Competition Bureau released a study on Big Data, including its use in deceptive marketing practices. The Competition Bureau says Big Data collection is not always apparent to consumers because it may not be incidental to the main purpose of an app or service, and data is often collected from various sources surreptitiously by lead generators and sold; Big Data is also used to make false or misleading representations, target advertising to vulnerable consumers, and produce fake reviews (astroturfing). [Competition Bureau – Big Data and Innovation: Implications for Competition Policy in Canada]


CA – Canada Flagged Facebook’s Third-Party App Privacy Problem in 2009

Canadian federal privacy officials warned that third-party developers’ access to Facebook users’ personal information “raises serious privacy risks” back in 2009, documents show. The report also pointed out that app developers could access information about the Facebook friends of people using apps. In a 2009 speech, then-assistant privacy commissioner Elizabeth Denham said that her office’s top Facebook concern was “the sharing of users’ personal information with third-party developers creating Facebook applications such as games and quizzes.” “We were alarmed by a lack of adequate safeguards to effectively restrict those developers from accessing users’ personal information – as well as information about their online ‘friends,’” she said. In 2010, the commissioner’s office said it was satisfied with Facebook’s solution to the third-party app problem, which involved clearer user consent when apps were installed. “The privacy commissioner at the time kind of gave the green light to Facebook, and from our perspective that was really problematic, especially the access to third-party content through the API,” said David Fewer of the Canadian Internet Policy and Public Interest Clinic, whose complaints against Facebook led to the original investigation. “They reached a resolution which did away with our complaint, and basically gave the green light to Facebook to keep on doing what they do.” [Global News]

CA – OPC Joins U.K. and B.C. Counterparts in Probe of Brexit Tampering

Canada’s federal privacy commissioner is joining privacy watchdogs in B.C. and the U.K. in an investigation to determine whether Canadian privacy laws were violated by the Victoria-based political data firm, AggregateIQ, that was hired by the Leave side during the U.K.’s referendum on whether to remain in the European Union [see OPC announcement here]. Since the Leave side won, the company has been accused of being part of a scheme to sidestep U.K. campaign spending rules to sway the vote. Facebook is also being investigated in a separate joint probe by the B.C. and federal Canadian privacy watchdogs. Both probes will look at whether Facebook or AggregateIQ violated PIPEDA or B.C.’s PIPA.[CBC News at: CTV News, Reuters and TheTyee See also: UK probing AggregateIQ as part of inquiry into privacy law breach | Facebook claims its very busy man in Ottawa is not a lobbyist | Canada’s privacy commissioner isn’t surprised about the Facebook privacy scandal | Privacy watchdog suggests he may join ongoing AggregateIQ investigations

CA – NL OIPC Scolds Town of Paradise for the 6th Time in 5 Months

For the sixth time in five months Donovan Molloy, Newfoundland’s privacy commissioner, has made recommendations to the Town of Paradise — this time, it’s to shut off its security cameras [see PR here & Report here]. While he said he can’t comment on specifics of the case yet, Molloy said the Access to Information and Protection of Privacy Act prevents public bodies from putting up cameras without reason. When questioned by Molloy, the town said it installed 87 cameras after incidents of vandalism, false fire alarms, bomb threats and property damage. On two occasions, the footage was used to investigate criminal activity on town property. But when Molloy asked for more detailed information on those incidents, the report says there was no response. [CBC News and at: The Telegram and VOCM]

CA – Opinion: Privacy Laws Should Apply to Political Parties

The Harper Conservatives were innovators in the field of data-driven campaigning. In defeating Harper, the Trudeau Liberals drew on similar micro-targeting techniques. More and more, political parties thrive on big data, the more granular the better. Our privacy protections, however, have failed to keep pace. The current legal framework does almost nothing to ensure that political parties obtain and use citizens’ personal information responsibly. Canadian political parties are exempt from privacy laws. This is “not a good thing,” according to Daniel Therrien, Canada’s privacy commissioner. As he told the Canadian Press last week, “The absence of regulation facilitates the manipulation of information to influence elections in a way which I think is completely contrary to the public interest.” To the extent that micro-targeting happens without voters’ knowing about it or agreeing to it, the practice is manipulative in a way that distorts democracy. Data-hungry political parties are the last entities that should be exempt from privacy laws. If they want to know about us, they should be forced to ask. [Toronto Star and at: Montreal Gazette, The Globe and Mail, CBC News, Hill Times and The Toronto Star]

CA – Ontario Bill Prohibits Inquiries into Employee Compensation History

Ontario’s Bill 3, the Pay Transparency Act, 2018, related to disclosure of compensation for applicants and employees, was introduced and carried at first reading. Exemptions include an applicant’s voluntary and unprompted disclosure of their compensation history, compensation ranges or aggregate compensation for comparable positions, or publicly available compensation history, and employers must submit and post pay transparency reports; a government compliance officer may enter a workplace without a warrant to assess the employer’s compliance with the law. If passed it goes into effect January 1, 2019. [Bill 3 – Pay Transparency Act, 2018 – 41st Legislature, Ontario | Press Release | Status]


WW – Number of Facebook Users Affected by Scandal Grows

Facebook now says that the number of users whose information was improperly used by political consulting company Cambridge Analytica could be as high as 87 million, up from an earlier estimate of 50 million. Facebook says it has adopted new measures to restrict third-part access to user data. Subsequently, Facebook decided to end the drip drip drip of increasing size of the compromise and now just says that its search tools were so easily misused that *most* of the 2 billion Facebook users should consider their personal information to have been harvested without their knowledge or permission. The FTC moved against Facebook in 2011 for privacy abuse and Facebook entered into a settlement that they appear to have violated, since they agreed to obtain” consumers’ express consent before their information s shared beyond the privacy settings they have established.” [nytimes: Facebook Says Cambridge Analytica Harvested Data of Up to 87 Million Users | thehill: Facebook says up to 87 million people affected by Cambridge Analytica scandal]

WW – Facebook: Majority of Two Billion Users May Have Had Data Scraped

Facebook has disabled a feature it believes may have allowed malicious actors to scrape the data of most of its two billion users, while also raising the amount of affected individuals from the Cambridge Analytica revelations. The social media company deactivated the feature letting users enter phone numbers and email addresses into its search tool, which it said could be used to gather information on the majority of its users. The tech company now says 87 million users were affected by the Cambridge Analytica revelations, up from the 50 million initially reported. Meanwhile, Mark Zuckerberg will testify in front of both the U.S. Senate Judiciary and Commerce Committees April 10 on the Cambridge Analytica situation. Facebook also announced a plan to restrict data access on its platform, while Zuckerberg said the companywill offer EU General Data Protection Regulation privacy controls worldwide, disputing previous reports. [FBloomberg]


CA – SK OIPC Advises MLA Against Using Personal Email for Government Business

Saskatchewan Information and Privacy Commissioner Ron Kruzeniski offered advice to Minister of Crowns and SGI Joe Hargrave about his use of his personal email account. A Saskatoon man filed a complaint after sending an email to Hargrave’s government email address, only to receive a response from the minister’s personal account. The man was concerned about the security protections for both of the email accounts. While Kruzeniski determined he had no jurisdiction to investigate the matter as it was not a “government institution,” the commissioner advised Hargrave to observe best practices and not use his personal email for government-related activities. [CBC News]

CA – NL OIPC Advises Caution When Sending PHI Via Email

New guidance from the OIPC Newfoundland and Labrador examined the use of email for communicating personal health information. According to the 3-page guidance, custodians should confirm that patients wish to be contacted via email, inform them of possible risks and verify their email address; prior to sending the email, consider whether it is necessary to send the PHI via email, send the PHI in a separate encrypted attachment (with encryption keys sent by a different method), limit the PHI to what is necessary, and maintain a copy for the patient’s file. [OIPC Newfoundland and Labrador – Use of Email for Communicating Personal Health Information]


CA – CJF Poll Finds 74% Support Right to Access News Over R2BF

A new poll commissioned by The Canadian Journalism Foundation (CJF) finds the right to access news outweighs personal reputation considerations when it comes to online news stories. The poll, conducted by Maru/Matchbox earlier this month among more than 1,500 people, found that 74% believe broadly that Canadians’ right to access news overrides the right to remove accurate and lawful stories that have a negative impact on a person’s reputation. “As the Office of the Privacy Commissioner contemplates a ‘right to be forgotten,’ it will need to strike a balance between those rights protecting freedom of expression and the right to manage reputation online,” says CJF executive director Natalie Turvey. “These polling results suggest Canadians may prioritize their Charter rights and that we care deeply about our right to access news and information.” The poll results come ahead of a topical half-day symposium in Toronto exploring the right to be forgotten, ‘Striking the Balance: Privacy and Freedom of Expression in a Digital Age‘ featuring Daniel Therrien, privacy commissioner of Canada; Michael Geist, law professor at the University of Ottawa; Peter Fleischer, global privacy counsel for Google; and other top privacy experts. [Newswire and at: TCP via CityNews]


US – California Supreme Court Lets Stand Controversial Law Allowing DNA Collection Upon Arrest

The fight for more protective rules in the California government’s DNA collection suffered a major setback when the California Supreme Court. On a 4-3 vote [see 95 pg PDF ruling here], the state’s highest court refused to throw out that part of the [2004 voter initiative, Proposition 69 see here], which has led to the storing of DNA profiles of tens of thousands of people arrested but never charged or convicted. A majority of states collects DNA from arrestees, and the U.S. Supreme Court has approved the practice. Privacy advocates, though, argued that California’s law was more invasive than rules in other places. Of the 200,000 to 300,000 people arrested in California annually on suspicion of a felony, about a third are either acquitted or never formally charged. California, unlike most other states, takes DNA from people before they are even arraigned and has no automatic process for expunging DNA profiles when charges are dropped or people acquitted [Source and at: DeepLinks Blog (EFF), Courthouse News Service, The Recorder (Law.com) and JURIST]

Health / Medical

US – ONC Releases Guide on Sharing Patient Data

The Office of the National Coordinator for Health Information Technology released a guide to help educate patients on accessing and sharing their medical data. The resource informs patients on the benefits of accessing their data and offers advice on the best ways to view the data within their electronic health records. “It’s important that patients and their caregivers have access to their own health information so they can make decisions about their care and treatments,” National Coordinator for Health Information Technology Don Rucker said. [HealthITAnalytics]

US – Health Care Professionals Remain Concerned About Data Security

A recent survey showed that while health care professionals are overwhelmingly concerned about health care data security, 68% believes their own organizations are taking appropriate measures to ensure cybersecurity. The survey conducted by Venafi took place at last month’s HIMSS18 conference and queried 122 health care professionals on sector response to cyber threats. Despite their shared concern, only 29% of respondents believes cybersecurity can be enhanced through more regulation. BakerHostetler’s fourth annual Data Security Incident Response report found that of the 560 security incidents handled by the firm’s privacy and data protection team, more than one-third involved the health care industry, marking an increase from previous years. [HealthITSecurity]

WW – Facebook Sent Doctor on a Secret Mission to Ask Hospitals to Share Patient Data

Facebook was in talks with top hospitals and other medical groups as recently as last month about a proposal to share data about the social networks of their most vulnerable patients. The idea was to build profiles of people that included their medical conditions, information that health systems have, as well as social and economic factors gleaned from Facebook. The proposal never went past the planning phases and has been put on pause after the Cambridge Analytica data leak scandal raised public concerns over how Facebook and others collect and use detailed information about Facebook users. Facebook’s pitch, according to two people who heard it and one who is familiar with the project, was to combine what a health system knows about its patients (such as: person has heart disease, is age 50, takes 2 medications and made 3 trips to the hospital this year) with what Facebook knows (such as: user is age 50, married with 3 kids, English isn’t a primary language, actively engages with the community by sending a lot of messages). The issue of patient consent did not come up in the early discussions, one of the people said. Critics have attacked Facebook in the past for doing research on users without their permission. Notably, in 2014, Facebook manipulated hundreds of thousands of people’s news feeds to study whether certain types of content made people happier or sadder. Facebook later apologized for the study. Health policy experts say that this health initiative would be problematic if Facebook did not think through the privacy implications. [CNBC and at: Inquisitr, GIZMODO, Ars Technica, The Verge, Fast Company, The Hill and Becker’s Hospital Review ]

Horror Stories

AU – Apple Watch Health Data Is Being Used as Evidence in Murder Trial

Myrna Nilsson, 57, was murdered in Adelaide in September of 2017. Nilsson’s daughter-in-law, Caroline Nilsson, 26, told law enforcement that a group of men had invaded her home and attacked her following a road rage incident. Prosecutor Carmen Matteo presented evidence in court that Caroline Nilsson fabricated her story and should be held on charges of murder without bail. A forensic analyst studied the data on the victim’s Apple Watch and determined that the attack and her death occurred within a seven minute window. A flurry of activity was recorded followed by calm when the victim was presumably unconscious, then her heart rate stopped. “The prosecution accumulates those timings and the information about energy levels, movement, heart rate, to lead to a conclusion that the deceased must have been attacked at around 6.38pm and had certainly died by 6.45pm,” Matteo told the court.  The judge agreed with the prosecution and denied bail. Mrs. Nilsson will return to court on June 13th. [Gizmodo and at: News.com.au, The Daily Mail and New York Post]

EU – Norwegian Consumer Council Files Privacy Complaint Against Grindr Following Revelation of HIV Status Data Sharing

The Norwegian Consumer Council has filed a privacy complaint against popular gay dating app Grindr, after it was revealed the app had been sharing the HIV statuses of its users with third parties. Shortly after Grindr announced a new feature for the app which would remind users to get tested for HIV every few months, a report revealed that Grindr shares its user data, including HIV status and location, with at least two third-party companies. In a document published on Tuesday, the Norwegian Consumer Council claimed they were filing the complaint against Grindr “for breaching data protection law.” Citing a section of Grindr’s privacy policy that informs users they are responsible for “all associated risks” surrounding their data, the Council called the policy “unfortunate.” The Council also expressed that in their view, the current policy “is in breach of Norwegian and European data protection law.” [Brietbart and: TechCrunch, Forbrukerrådet and PinkNews and at: Grindr defends HIV-related data sharing | Grindr Sets Off Privacy Firestorm After Sharing Users’ H.I.V.-Status Data  | Dating app Grindr vows to stop sharing data after HIV scandal | The Guardian view on Grindr and data protection: don’t trade our privacy

WW – Grindr Changes Policy of Sharing Users’ HIV Status with Outside Vendors

In response to an outcry, Grindr will stop sharing users’ HIV statuses with third parties after a report disclosed that the company passed the information on to outside vendors hired by Grindr to test the performance of its app. Grindr’s vendors, Apptimize and Localytics, are fed user data that includes HIV statuses, GPS data, phone numbers and e-mail addresses that, when combined, could expose someone’s private health information In a statement Grindr said it would never sell personally identifiable information to third parties, including advertisers. Apptimize and Localytics — services that help Grindr test features on its platform — are under contract to safeguard user privacy and security, the company said. [LA Times and at: BuzzFeed News, Bloomberg, TechCrunch and The Verge]

WW – Panera Website Data Leak

The Panera Bread restaurant website was leaking customer data for at least eight months until it was taken offline on Monday, April 2. The compromised data include names, email and physical addresses, birth dates, and the last four numbers of payment cards. The leak affected customers who had signed up for an account to order food online. The data were accessible in part because “Panera Bread uses sequential integers for account IDs.” [krebsonsecurity: Panerabread.com Leaks Millions of Customer Records]

CA – Upscale Department Store Payment System Breached

Payment systems at some brick-and-mortar Saks Fifth Avenue and Lord & Taylor department stores have been breached. As many as five million payment card numbers allegedly stolen from the stores’ systems are being offered for sale online. The breach does not appear to affect online transactions. Both stores are owned by The Hudson’s Bay Company, which says that steps have been taken to contain the breach. [reuters: Saks, Lord & Taylor hit by payment card data breach | scmagazine: Saks, Lord & Taylor breached, 5 million payment cards likely compromised | theregister: Hacks Fifth Avenue: Crooks slurp bank cards from luxury chain Saks | nytimes: Card Data Stolen From 5 Million Saks and Lord & Taylor Customers]

WW – Under Armour Breach Affects 150 Million MyFitnessPal Accounts

Under Armour disclosed that its MyFitnessPal app and website had been breached, exposing personal Account information of as many as 150 million accounts. The incident occurred in February 2018. The breach did not affect payment account data, as Under Armour processes that information separately. [investor.underarmour: Under Armour Notifies MyFitnessPal Users Of Data Security Issue | scmagazine: Under Armour deftly manages breach, dodges GDPR scrutiny | zdnet: Under Armour says 150 million MyFitnessPal accounts hit by data breach | threatpost: Under Armour Reports Massive Breach of 150 Million MyFitnessPal Accounts]

Intellectual Property

EU – Group Calls for EU to Exempt Blockchain from GDPR

A blockchain group is calling for the European Union to exempt the technology from the General Data Protection Regulation. In a blog post, Coin Center Executive Director Jerry Brito writes the GDPR is “incompatible with the reality of open blockchain networks,” and if technology is regulated under the impending rules without any changes to either, the outcome could be troublesome. “The result of the law, then, may be that Europe is closing itself off from the future of the internet to its detriment,” Brito writes. [The Verge]

CA – DriveHer App Suspends Service Following Data Breach

The founder of the DriveHer app has suspended the service following a data breach. The app was created as a way to increase the safety and security of women drivers and riders. IT Consultant Darryl Burke discovered vulnerabilities within the app leading to the breach, such as finding the data provided by users was not encrypted. “The data accessed may have included personal information such as name, gender, telephone number, profile image,” DriveHer Founder Aisha Addo wrote in an email informing users of the breach. “DriveHer values your privacy and deeply regrets that this incident occurred.” [Toronto Star]

Internet of Things

US – Connecting the Dots Between Security Practices and Legal Obligations: California’s Connected Devices Bill

Internet connected devices can present serious privacy and security issues. California has had an information privacy connected devices bill [for SB-327 status see here] in the works since Feb. 13, 2017. In March 2017, we identified the bill and privacy concerns the state and regulators may be considering when it comes to connected devices. Less than a year later, in January 2018, the bill moved from the state’s Senate to being considered in the state’s Assembly. It has been read once and is currently being “held at desk” in the Assembly, waiting to be referred to a committee. After being introduced, the bill was transformed substantially, with several of its proposed requirements for connected devices stripped entirely at one point it had both privacy and security related requirements, but now largely calls for security obligations. The bill applies to manufacturers that “sell or offer to sell a connected device to a consumer” in California. It obligates manufacturers to “equip the device with reasonable security features appropriate to the nature of the device and the information it may collect, contain, or transmit, that protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.” The bill would not obligate manufacturers to seek out the highest level of security measures on the market, but rather creates a floor of at least the most “basic security standards,” according to the latest Senate Floor Analyses. It seems that the purpose of the bill is not so much to force companies to heighten their levels of security, but rather to ensure that IoT devices have some sort of security in place, such as basic encryption, as soon as they hit the market. Despite certain privacy obligations being stricken from the bill, companies should still consider the benefits of employing privacy by design, following the Fair Information Practice Principles, and consider the FTC’s general guidance on IoT devices and comments on draft guidance regarding communicating upgradability, security patches, and transparency. Also consider the evolving efforts to develop international standards, such as guidance published by the IoT Security Foundation from the U.K., security best practices published by the Institute of Electrical and Electronics Engineers, a global nonprofit, and the National Institute of Standards and Technology’s current draft of its Interagency Report on international cybersecurity IoT standardization. With the GDPR becoming effective on May 25, 2018, companies with ties to Europe should also look to what European Data Protection Supervisors have discussed regarding IoT devices in each European member state. [Data Privacy Monitor]

Law Enforcement

UK – Police Can Download All Smartphone’s Data Without A Warrant

A new report by Privacy International shows that since 2012, police forces across the UK have been downloading data from the smartphones of suspects, victims and witnesses, often without obtaining permission. What’s more, they may be storing this data indefinitely, even when no charges are brought. The report is based on Freedom of Information requests to 47 police forces. 26 forces (55%) confirmed that they are using mobile phone extraction technology. This follows on from a 2017 Big Brother Watch report which found that 93% of police forces in the UK are extracting data from digital devices. Data is being collected not only for serious crimes, but also for low-level offences, and several police forces have indicated that they want extraction of mobile data to become the ‘default‘. Police forces across the UK are extracting data from tens of thousands of mobile phones each year. There is no clear national guidance on when forces can use this technology, how data should be stored and for how long it can be kept. [Rights Info and at: The Telegraph, DIGIT and The Times]

Online Privacy

WW – Google Moves to Protect Chrome Web Store Users from Cryptomining

Google’s Chrome Web Store is no longer accepting extensions that mine cryptocurrency, even if it is the express purpose of the extension. In June, Google plans to delist all current cryptomining extensions. Google’s policy prior to this change was to allow cryptomining extensions as long as cryptomining was the extension’s sole function and users were sufficiently informed about the activity. [blog.chromium.org: Protecting users from extension cryptojacking | zdnet: Google to crack down on cryptojacking on Chrome]


CA – Phishing and Ransomware Biggest Concerns: Survey

CIRA issued its 2018 Internet security survey of Canadians that own at least one .CA domain registered to a business or institution. Participants included 1,985 business professionals who play a significant role in their organization’s IT and security-related decisions; and domain name users include: companies – 58%; non-profit organizations – 34%; and government – 8%. The survey shows 22% of large Canadian organizations have been victims of a DDoS attacks in the last year that have negatively impacted business performance, and 32% had users within the organization unwittingly divulge information to hackers; IT security services are obtained through peers (70%), IT security events (50%), current vendors (43%), analyst research (43%) and webinars (40%). [2018 CIRA Canadian Internet Security Survey]


US – DHS Acknowledges Rogue IMSI Catchers in Washington, DC Area

In a March 26 letter responding to a November 2017 from US Senator Ron Wyden (D-Oregon), the US Department of Homeland Security (DHS) acknowledged that it had detected unauthorized cell-site simulators in the Washington, DC area. Also known as international mobile subscriber identity (IMSI) catchers, the technology has been used by law enforcement agencies for years. DHS has not attributed the IMSIs use to “specific entities.” [apnews: APNewsBreak: US suspects cellphone spying devices in DC } wyden.senate.gov: Wyden’s November 2017 letter to DHS (PDF) | scmagazine: DHS acknowledges unauthorized foreign Stingray use in Washington D.C. | theregister: Hold the phone: Mystery fake cell towers spotted slurping comms around Washington DC | zdnet: Evidence of stingrays found in Washington, DC, Homeland Security says | arstechnica: Feds: There are hostile stingrays in DC, but we don’t know how to find them | cyberscoop: DHS says unauthorized Stingrays could be in D.C. area]




27 March – 03 April 2017

Big Data / Analytics / Artificial Intelligence

IS – Israel Launching Big Data Health Project

Israel Prime Minister Benjamin Netanyahu said the country will invest nearly $287 million for a big data project designed to make citizens’ health information available to researchers and privacy companies. Netanyahu said the project will help with personalizing medicine for each citizen and for preventive treatments. The information will come from the four health maintenance organizations within Israel that hold almost all the health data belonging to the nine million citizens of the country. Netanyahu’s office released a statement saying it will address data concerns by ensuring the information will be protected by the proper privacy and security measures while making sure access to the information is restricted. [Reuters]


CA – BC Political Parties and Online Privacy Protection: No Smoking Gun, But Plenty of Smoke

As questions swirl around the globe over Facebook, and how people’s digital profiles are analyzed for ever more precise targeting, B.C.’s Office of the Information and Privacy Commissioner is studying to what extent the phenomenon exists in our backyard. According to the IPC “The unique thing about our position in B.C. is we’re the only jurisdiction in Canada that has the ability to investigate political parties” That’s because B.C. political parties fall under the jurisdiction of B.C.’s Personal Information and Privacy Act. People in charge of digital communications for major B.C. parties will tell you that a data breach on the scale of Cambridge Analytica hasn’t happened here for a couple of reasons: one, British Columbia doesn’t have a large enough population to make the sort of bulk data scraping effective; and, second, there are metrics that political parties can use to create targeted Facebook ads in America that aren’t available in Canada. But that still leaves plenty of room for targeting on a smaller scale, say privacy advocates. [CBC News and at: The Times Colonist and CTV News]

CA – Privilege: Tribunal Orders Client Financial Information Redacted

The Law Society Tribunal considered an application by the Law Society of Upper Canada to make certain financial information non-public. Solicitor-client privilege belongs to the client (not the lawyer) and is not lost by a client who complains to the Law Society that her lawyer committed misconduct; the communications are between the lawyer and his client that have neither been made public nor been disclosed by the client in her civil lawsuit against the lawyer.[Law Society of Upper Canada v. Ian Neil McLean – 2018 ONLSTH 25 – Law Society Tribunal Hearing Division]

CA – OIPC BC: PIPA Does Not Provide Same Level of Protection

The OIPC BC compared PIPA’s obligations against the GDPR. PIPA does not incorporate mandatory breach notification or ensure the same level of individual rights (e.g., right to be forgotten and data portability), and permits implicit consent and opt-out (pre-checked boxes) as valid consent; with the exception of these differences, BC organizations can largely ensure compliance with the GDPR by complying with PIPA. [OIPC BC – Competitive Advantage – Compliance with PIPA and the GDPR]


EU – European Commission Outlines Blockchain Development Plans, Calls for a Feasibility Study and Unveils Fintech Action Plan.

The EU Commission continues to show its support and investment in new technologies in the digital economy. On February 1, 2018, the Commission and the European Parliament launched the EU Blockchain Observatory and Forum, and earlier this month, the Commission also unveiled its FinTech Action Plan. The observatory is designed to be a comprehensive repository of blockchain expertise and a source of innovation and development. The action plan will assist EU businesses and investors utilize advances offered by blockchain, artificial intelligence and cloud services, as part of the push towards the digital single market. The observatory and the FinTech Action Plan represent a collaborative and thoughtful approach that is appropriate for addressing quickly proliferating and developing technologies in a highly regulated international financial industry. [Source]

CA – Nearly 75% Of Canadian Facebook Users Plan to Change Behaviour in Wake of Controversy

Nearly three-quarters of Facebook users in Canada say they will make some changes to how they use the social-media network after [it was] revealed a U.K.-based consulting firm surreptitiously obtained personal information of 50 million users. According to [a new] Angus Reid poll [see here]. The survey asked 1,500 Canadians what – if any – effect allegations that Cambridge Analytica gathered data from unsuspecting Facebook users will have on their personal use of the social-media platform. Sixty-four per cent of respondents said they will change their privacy settings or use Facebook less in the future, while 10 per cent said they would suspend their account or delete it altogether. The remaining respondents said they would continue to use Facebook as they always have. [The Globe & Mail and at: Global News and CBC News Also See: Worried about online privacy? Here’s how to delete data-mining apps off your Facebook | Victoria mayor deletes Facebook because it ‘rewards anger and outrage’ | Here is how to delete Facebook | What the coverage of #DeleteFacebook is missing


CA – Conservatives, NDP Say They’ve Never Accessed Facebook Profiles to Microtarget Voters, Liberals Point to Privacy Policy

The Hill Times sent each of the major federal parties and the Liberal Research Bureau a series of questions about their methods of collecting data from and about Canadians, including data from Facebook. The Liberal Research Bureau did not respond, and the Liberal Party responded after the deadline for the print edition. Spokespeople for the federal Conservatives and NDP said neither they nor any organizations working on their behalf had ever asked Canadians for access to their Facebook accounts, directly or indirectly, in order to gather information. They said they had never accessed Facebook accounts to collect information on Canadians’ Facebook “friends,” and had never collected information on Canadians that was not provided with consent or already publicly-available, or employed an outside firm to do so. A Liberal Party spokesperson did not definitely answer “yes” or “no” when asked the same questions twice, but did imply that the Liberals had not done so either. Susan Delacourt’s 2016 book Shopping for Votes [see here] revealed how the Liberals used Facebook to help them win the last election, with a tool called The Console using information from Facebook to rank ridings on how winnable they were for the party, and how likely individuals were on a scale of one to 10, to vote Liberal. The Conservatives were the first federal party to develop a database technology, dubbed the Constituent Information Management System (CIMS), in 2004. The Liberals were next to follow in 2008, adopting a voter identification and relationship management system dubbed The Liberalist, which is similar to the Voter Activation Network used by the U.S. Democratic Party. The NDP once used a database system dubbed NDP Vote. Federally, there’s nothing to govern how parties collect, use, or distribute information. The Privacy Act only covers government institutions, and the Personal Information Protection and Electronic Documents Act (PIPEDA) only refers to organizations collecting information for commercial purposes. Federal parties have developed their own internal privacy policies, but on top of not being legally binding, they’re not always easy to find online. [Hill Times]


US – DOJ Still Seeking Phone Encryption Backdoor

Federal law enforcement officials in the US are renewing their efforts to require technology companies to build tools into devices that would allow access to encrypted information. FBI and the US Department of Justice (DOJ) are meeting with researchers to find a way to allow “extraordinary access” to encrypted devices for law enforcement. [www.nytimes.com: Justice Dept. Revives Push to Mandate a Way to Unlock Phones]

EU Developments

EU – European Council Warns Digital Platforms After Facebook-Cambridge Analytica

The European Council issued a warning to digital platforms in the wake of the Facebook-Cambridge Analytica revelations. In a statement, the group of national leaders said, “Social networks and digital platforms need to guarantee transparent practices and full protection of citizens’ privacy and personal data.” European Council President Donald Tusk said the group “discussed recent developments concerning Facebook and Cambridge Analytica. It was clear to all the leaders that citizens’ privacy and personal data must be protected.” Meanwhile, U.K. Culture Secretary Matt Hancock characterized the revelations as a “turning point” for privacy online. Politico profiles U.K. Information Commissioner Elizabeth Denham, who is leading an investigation into Cambridge Analytica. Mozilla has said it will no longer advertise on Facebook, and in the U.S., the House Energy and Commerce Committee has called on Facebook CEO Mark Zuckerberg to testify at an upcoming hearing. “After committee staff received a briefing from Facebook officials,” said Rep. Frank Pallone Jr., D-N.J., “we felt that many questions were left unanswered.” [Euractiv]

UK – ICO Seeks Comments on Data Protection Impact Assessment Guidance

The ICO has for many years championed the benefits of voluntary Privacy Impact Assessments The new General Data Protection Regulation (GDPR) formalises this situation by making the use of Data Protection Impact Assessments (DPIAs) a legal requirement in certain circumstances. Controllers will be required to complete a DPIA where their processing is ‘likely to result in a high risk to the rights and freedoms of natural persons’. Our draft DPIA guidance builds on our previous PIA code, with further detail on specific GDPR requirements. This includes a DPIA template, although controllers who anticipate doing lots of DPIAs may wish to consider develop their own. We are seeking comment [from 22 March until 13 April 2018] on the draft guidance published last week, particularly on whether or not it is clear when a DPIA will be necessary. [ICO News blog]

Facts & Stats

US – BakerHostetler Releases 2018 Data Security Incident Response Report

BakerHostetler has released its 2018 Data Security Incident Response Report. The report examines 560 incidents from 2017, including the most common types of attacks, with phishing leading the way at 34%, followed by network intrusion at 19%. Key findings from the study include the uncertainty surrounding the EU General Data Protection Regulation, the need for an increase in multifactor authentication, and the rise in the roles of regulators. “Our goal in publishing this report is to offer practical steps you can take to reduce your risk profile, build resilience, and be better prepared to respond when an incident occurs,” writes BakerHostetler. [BakerHostetler and at: Law360]


CA – Ontario Police Need Not Remove DNA Profiles: Court

An Ontario Court reviewed 54 applications under the Human Rights Code alleging discrimination by the Ontario Provincial Police. Although the Police had no ongoing need to retain/use the DNA profiles after the applicants were cleared of the crime for which their samples were taken, the likelihood of use of the DNA profile is highly remote since the samples were listed in a database using a code to which only the investigator had access and there is a legal prohibition to use it except where the DNA donor has been convicted of an offence. [Hosein et al v Ontario – 2018 HRTO 298 – Community Safety and Correctional Services]

Horror Stories

WW – Panera Website Data Leak

The Panera Bread restaurant website was leaking customer data for at least eight months until it was taken offline on Monday, April 2. The compromised data include names, email and physical addresses, birth dates, and the last four numbers of payment cards. The leak affected customers who had signed up for an account to order food online. The data were accessible in part because “Panera Bread uses sequential integers for account IDs.” [krebsonsecurity.com: Panerabread.com Leaks Millions of Customer Records]

CA – Upscale Department Store Payment System Breached

Payment systems at some brick-and-mortar Saks Fifth Avenue and Lord & Taylor department stores have been breached. As many as five million payment card numbers allegedly stolen from the stores’ systems are being offered for sale online. The breach does not appear to affect online transactions. Both stores are owned by The Hudson’s Bay Company, which says that steps have been taken to contain the breach. Sources: www.reuters.com: Saks, Lord & Taylor hit by payment card data breach | www.scmagazine.com: Saks, Lord & Taylor breached, 5 million payment cards likely compromised | www.theregister.co.uk: Hacks Fifth Avenue: Crooks slurp bank cards from luxury chain Saks | www.nytimes.com: Card Data Stolen From 5 Million Saks and Lord & Taylor Customers]

US – Under Armour Breach Affects 150 Million MyFitnessPal Accounts

Under Armour disclosed that its MyFitnessPal app and website had been breached, exposing personal Account information of as many as 150 million accounts. The incident occurred in February 2018. The breach did not affect payment account data, as Under Armour processes that information separately. [investor.underarmour.com: Under Armour Notifies MyFitnessPal Users Of Data Security Issue | www.scmagazine.com: Under Armour deftly manages breach, dodges GDPR scrutiny | www.zdnet.com: Under Armour says 150 million MyFitnessPal accounts hit by data breach | threatpost.com: Under Armour Reports Massive Breach of 150 Million MyFitnessPal Accounts]

WW – Orbitz Breach Affects 880,000 Payment Cards

Expedia subsidiary Orbitz has acknowledges that a data breach has compromised personal information associated with as many as 880,000 payment card accounts. The breach affected the company’s consumer platform between January and June 2016, and its partner platform between January 2016 and December 2017. [threatpost.com: Orbitz Warns 880,000 Payment Cards Suspected Stolen | – www.scmagazine.com: Orbitz hit with data breach, info on 880,000 payment cards at risk | www.reuters.com: Expedia’s Orbitz says 880,000 payment cards hit in breach]

Identity Issues

IN – A New Data Leak Hits Aadhaar, India’s National ID Database

India’s national ID database, called Aadhaar, which includes biometrics on more than 1.1 billion registered Indian citizens], has been hit by yet another major security lapse. A data leak on a system run by a state-owned utility company Indane allowed anyone to download private information on all Aadhaar holders, exposing their names, their unique 12-digit identity numbers, and information about services they are connected to, such as their bank details and other private information. Karan Saini, a New Delhi-based security researcher who found the vulnerable endpoint, said that anyone with an Aadhaar number is affected India’s Unique Identification Authority (UIDAI), the government department that administers the Aadhaar database, issued a strong denial. “There is no truth in this story as there has been absolutely no breach of UIDAI’s Aadhaar database. Aadhaar remains safe and secure,” says a portion of the statement, posted to Twitter, which you can read here. Government is currently defending the identity scheme in front of the country’s Supreme Court. Critics have called the database unconstitutional. Enrolling in the database isn’t mandatory [yet], but Indian citizens who aren’t subscribed are unable to access even basic government services. [ZDNet and at: Firstpost, National Herald, Financial Express, Reuters, The National and Times of India Also See: Narendra Modi app shares private data of users with American firm without consent, says cyber expert | ‘Absolutely No Breach Of Aadhaar Database’: Read UIDAI’s Full Statement On Report Of Data Leak | In Aadhaar vs Privacy Debate, Union Minister KJ Alphons’ Argument: ‘Getting Naked Before White Man Not A Problem’ | MoS KJ Alphons slams Aadhaar critics: What’s so private about iris? See also: India – Amid privacy fears, a list of the many apps launched by the Modi government]

Internet of Things

WW – Berlin Group Issues Recommendations for Updating IoT Firmware

The International Working Group on Data Protection in Telecommunications provides recommendations on firmware embedded in Internet of Things devices. The working paper focuses on risks associated with the failure to update the firmware controlling the behaviour of an IoT device. The following devices are excluded from the scope of this paper: desktop PCs, tablets; smartphones, smart TVs; and entertainment systems in connected vehicles. Device manufacturers should inform individuals about procedures to make security updates, consider privacy-friendly default settings, and ensure third-party suppliers support firmware included in components they supply; organizations should document an auditable process for installing firmware updates, and consider testing above and beyond that which was done by the manufacturer. [Working Paper – Updating Firmware of Embedded Systems in the Internet of Things – International Working Group on Data Protection in Telecommunications]

Law Enforcement

US – FBI Did Not Reach Conclusion Before Asking Apple for Help in Encryption Case

A report from U.S. Department of Justice Inspector General Michael Horowitz finds the Federal Bureau of Investigation had not fully come to a conclusion whether it could have opened the phone belonging to the San Bernardino shooter before an attempt to force Apple to do so, The Washington Post reports. Poor communication between FBI units was cited as the reason for the disconnect, while the report corroborated former FBI Director James Comey’s testimony stating the agency could not break into the iPhone in February and March 2016. “The issues identified in this report continue to stress the need for the FBI and other law enforcement to invest internally on processes and procedures,” Access Now U.S. Policy Manager Amie Stepanovich said. [Full Story

Online Privacy

US – Fordham CLIP releases ‘Privacy in Gaming’ research

Fordham Law School’s Center on Law and Information Policy has released its “Privacy in Gaming” research. The study looks at privacy issues and data collection practices surrounding mobile and console gaming, as well as with virtual reality devices. The research points out the many different ways gaming technology collects data from users, such as through cameras, sensors and other hardware. Among the conclusions include the enhancement of transparency regarding data collection practices and the need for special attention to be paid when handling the information belonging to children. [Fordham Law School]

CA – Kids Learn to Defend their Data with New Privacy Game

A new game is coming to Canadian classrooms and homes, designed not just to entertain children but also to teach them how to protect their privacy. Data Defenders, produced by the not-for-profit digital literacy organization MediaSmarts, shows kids how ad brokers try to collect their personal information and offers strategies to keep that information private. The online game is accompanied by parent and teacher guides and a lesson plan for grades 4 to 6 that further reinforces privacy learning. All materials, including the game, can be accessed free of charge on the MediaSmarts website at http://mediasmarts.ca/digital-media-literacy/educational-games/data-defenders-grades-4-6. Data Defenders was made possible by financial contributions from the Office of the Privacy Commissioner of Canada. [GlobeNewswire] and at Digital Journal

WW – Apple Really Wants You to Know It Values Students’ Privacy

At its Chicago event on Tuesday, the company makes a point of emphasizing data privacy in regard to its new educational app Schoolwork. Apple introduced a new way for teachers to hand out assignments and monitor student progress through an app called Schoolwork at its education event in Chicago last week. The Schoolwork app stores student data in the cloud, but the company really wants you to know that keeping this data safe from prying eyes is its No. 1 priority. Privacy is at the forefront of the tech world’s agenda at the moment, following a week of revelations about Facebook user data being harvested without people’s full understanding and therefore consent. Data belonging to children is an even more sensitive topic for many, and a number of toy companies have come under fire in the past for collecting children’s data without permission, or even just not taking security seriously enough. Apple promises it won’t make the same mistakes. “While teachers see each students’ progress information,” said Prescott, “we don’t, and neither can anybody else.” [CNet]

WW – Facebook Launching Privacy Setting System

In response to the Cambridge Analytica revelations, Facebook announced it will launch a centralized system designed to let users control their privacy and security settings. The system will be available to users all around the world and gives users the opportunity to control the information Facebook holds on them, as well as a file to download to see what data Facebook has already collected. Meanwhile, the Cambridge Analytica whistleblower, Christopher Wylie, said the number of people affected by the Facebook revelations is more than the 50 million currently being reported, while New Zealand Privacy Commissioner John Edwards voiced his criticism of the social media site’s handling of personal information. Pew Research Center released a study documenting U.S. citizens’ views toward social media and their privacy. [The New York Times]

WW – Facebook Introduces Central Page for Privacy and Security Settings

The system, which will be introduced to Facebook users globally over the coming weeks [see FB post here], will allow people to change their privacy and security settings from one place rather than having to go to roughly 20 separate sections across the social media platform. From the new page, users can control the personal information the social network keeps on them, such as their political preferences or interests, and download and review a file of data Facebook has collected about them. Facebook also will clarify what types of apps people are currently using and what permissions those apps have to gather their information. Facebook began developing the centralized system last year but sped it up after revelations that a British political consulting firm, Cambridge Analytica, improperly harvested the information of 50 million users of the social network. [NY Times and at: The Guardian, The Verge, Ars Technica and Financial Times See also Here’s a Long List of Data Broker Sites and How to Opt-Out of Them] and Google: Balancing rights and the right to be forgotten]

WW – Security Flaws Found Within Grindr Dating App

A cybersecurity professional discovered a pair of security issues with the Grindr dating app. Atlas Lane CEO Trever Faden set up a website where users could find out who blocked them on Grindr by entering their usernames and passwords, after which Faden could see user data, including email addresses, deleted photos and location data, even if the user opted out of sharing their location. Faden also discovered portions of user data are not protected, allowing anyone observing web traffic to see where a person is located when they open the app. Grindr said in a statement it has worked to patch the vulnerabilities. [NBC Bews]

Privacy (US)

US – FTC Confirms Investigation into Facebook Privacy Practices; Senate Committee Calls on Zuckerberg to Testify

The U.S. FTC announced that it had opened a non-public investigation into Facebook following media reports that it said raise “substantial concerns about the privacy practices” of the company. Also on Monday, the chairman for the Senate Judiciary Committee announced [see here] it had summoned Zuckerberg to testify before Congress on data privacy. The chairman, Chuck Grassley (R-Iowa), said Google CEO Sundar Pichai and Twitter CEO Jack Dorsey were also called to testify at the hearing, which is scheduled for April 10. Additionally on Monday, a bipartisan group of 37 state attorneys general sent a letter [see PR here & 4 pg PDF letter here] to Facebook inquiring about the company’s role in Cambridge Analytica’s activities and how this would affect the protection of data in the future. [The Knife Media and at: Facebook Draws Scrutiny From FTC, Congressional Committees and at: : The New York Times, Bloomberg & PBS NewsHour also see: Mark Zuckerberg has decided to testify before Congress | Zuckerberg will reportedly face the music before Congress instead of sending his deputies | Watch out, Zuckerberg — Congress is a trap | State Attorneys General Asked Facebook These 7 Questions About Cambridge Analytica | Dozens of US states are demanding answers from Facebook over the Cambridge Analytica scandal | State attorneys general send letter to Zuckerberg over data scandal | Facebook’s privacy practices are under investigation, FTC confirms | The Verge, BBC News, ZDNet and Forbes | Facebook scraped call, text message data for years from Android phones and at Global News, BetaNews, Android Central, CNET and Reuters]

US – State Attorneys General Advocate Continuing State Leadership in Privacy Enforcement, Denounce Federal Preemption of State Breach and Security Laws

A coalition of 32 attorneys general wrote a bipartisan letter [see 6 pg PDF here] on March 19, 2018, to the U.S. House of Representatives Committee on Financial Services and the Subcommittee on Financial Institutions and Consumer Credit regarding the proposed Data Acquisition and Technology Accountability and Security Act [see 34 pg PDF here], a draft bill introduced in the House last month. They are concerned that the bill, among other things, places consumer reporting agencies and financial institutions out of the reach of state enforcement. The AGs argue that the states have consistently proven themselves capable of rapidly and effectively responding to and protecting consumers at the state level through their own laws. The letter points out three key shortcomings of the Act beyond the preemption of state laws: (1) it allows entities themselves to judge whether to notify consumers of a breach, which reduces the transparency afforded by state notification requirements; (2) it allows entities that decide to notify consumers to notify after the harm has already occurred, preventing the opportunity consumers currently have under state law to take proactive steps upon timely notification; and (3) it addresses breaches that affect 5,000 or more consumers, leaving attorneys general without the ability to redress the majority of breaches affecting consumers today that do not occur on a national scale [Source and at: The Clarion-Ledger] and at Divonne Smoyer, Kimberly Chow & Kelley Chittenden – and see also Workplace Privacy Report: South Dakota: The 49th State to Enact a Data Breach Notification Law and: Data Privacy Monitor (BakerHostetler) and Oregon Strengthens Consumer Protections in Wake of Data Breaches

US – FPF, Nymity Release Legitimate Interest Report

The Future of Privacy Forum and Nymity collaborated to release a report on legitimate interest. The two organizations gathered cases from national data protection authorities and guidance from the Article 29 Working Party to detail how legitimate interest can be used as a lawful method for processing data under European Union data protection law. The 40 cases detailed the data-processing activities from more than 15 countries, including disclosing health data for litigation purposes, recording employee misconduct and research purposes, using GPS data for private investigations, and sending emails without consent for political purposes. [Full Story]

US – NY AG Penalizes Health Plan for Disclosure of Social Security Numbers

New York Attorney General Eric T. Schneiderman announced [March 6] a $575,000 settlement with EmblemHealth [see here] and its subsidiary, Group Health Incorporated, (together, “EmblemHealth”) after EmblemHealth admitted a mailing error that resulted in the disclosure of 81,122 social security numbers. EmblemHealth is one of the largest health plans in the United States. .The settlement agreement also obligates EmblemHealth to implement a Corrective Action Plan and conduct a comprehensive risk assessment of security risks associated with the mailing of policy documents to policyholders. EmblemHealth must also review and revise its policies and procedures based on the results of said risk assessment. EmblemHealth is also tasked with cataloguing, reviewing, and monitoring its mailings [DBR on Data and at: Becker’s ASC Review and HealthITSecurity]


EU – IAPP and OneTrust map ISO 27001 to the GDPR

According to the International Standards Organization, in 2016 more than 33,000 organizations globally held certification to the ISO 27001 standard, which relates to information security management systems and security controls. That same year, the European Union’s General Data Protection Regulation was finalized, launching a two-year scramble for compliance by May 25, 2018, for companies of all sizes around the world. Noting the significant common ground between the GDPR and ISO 27001 requirements, the IAPP and OneTrust have endeavored to map these two risk-focused documents to each other, demonstrating the overlap in both principles and requirements as part of a significant new piece of research being released for the first time here at the Summit. [Read More]

UK – UK Issues 4-Phase Defensive Approach on Phishing

The UK National Cyber Security Centre HAS issued guidance on phishing. an effective multi-layer approach includes making it difficult for attackers to reach users (anti-spoofing controls), helping users identify and report suspected phishing emails (employee training), protecting the organization from the effects of undetected phishing emails (2-factor authentication), and responding quickly to incidents (incident response plan). A company was able to reduce 1,500 phishing emails to only 1 instance of malware installation. [National Cyber Security Centre, United Kingdom – Phishing Attacks: Defending Your Organisation| Infograph | Case Study]


WW – Tooth-Mounted Sensor Can Track Food Intake

Tufts University scientists have created a device designed to attach to a person’s tooth in order to monitor what they eat and drink. The device is similar to a Fitbit and can track glucose, salt and alcohol intake, with the scientists hoping to examine other “nutrients, chemicals and physiological states.” “If you are somebody with an eating disorder, it could be a checkpoint that monitors your diet a little more closely, or it could be an early detection for disease,” Tufts Professor of Biomedical Engineering Fiorenzo Omenetto said. “It’s a nice way to monitor these things because you have unusual access to these fluids.” [New York Post]

Telecom / TV

WW – Facebook Scraped Call, Text Message Data for Years from Android Phones

This past week, a New Zealand man was looking through the data Facebook had collected from him in an archive he had pulled down from the social networking site. While scanning the information Facebook had stored about his contacts, Dylan McKay discovered something distressing [see here]: Facebook also had about two years’ worth of phone call metadata from his Android phone, including names, phone numbers, and the length of each call made or received. [see Facebook response here] If you granted permission to read contacts during Facebook’s installation on Android a few versions ago—specifically before Android 4.1 (Jelly Bean)—that permission also granted Facebook access to call and message logs by default. The permission structure was changed in the Android API in version 16. But Android applications could bypass this change if they were written to earlier versions of the API, so Facebook API could continue to gain access to call and SMS data by specifying an earlier Android SDK version. Google deprecated version 4.0 of the Android API in October 2017—the point at which the latest call metadata in Facebook users’ data was found. Apple iOS has never allowed silent access to call data. Facebook provides a way for users to purge collected contact data from their accounts, but it’s not clear if this deletes just contacts or if it also purges call and SMS metadata. [Ars Technica and at: Global News, BetaNews, Android Central, CNET and Reuters, Facebook logged phone records from Android users with older devices: reports]

US Government Programs

US – 14.7 Million Visitors to U.S. Could Face Social Media Screening

Nearly all applicants for a visa to enter the United States — an estimated 14.7 million people a year — will be asked to submit their social-media user names for the past five years, under proposed rules that the State Department issued last week. The proposal covers about 20 social media platforms. Most of them are based in the United States: Facebook, Flickr, Google+, Instagram, LinkedIn, Myspace, Pinterest, Reddit, Snapchat, Tumblr, Twitter, Vine and YouTube. But several are based overseas: the Chinese sites Douban, QQ, Sina Weibo, Tencent Weibo and Youku; the Russian social network VK; Twoo, which was created in Belgium; and Ask.fm, a question-and-answer platform based in Latvia. As news of the proposal emerged Friday, so did criticism. “This attempt to collect a massive amount of information on the social media activity of millions of visa applicants is yet another ineffective and deeply problematic Trump administration plan,” said Hina Shamsi, director of the ACLU’s National Security Project. “It will infringe on the rights of immigrants and U.S. citizens by chilling freedom of speech and association, particularly because people will now have to wonder if what they say online will be misconstrued or misunderstood by a government official.” [Toronto Star]

US Legislation

US – CLOUD Act Becomes Law, Increases Government Access to Online Info

The federal spending bill [read the 2232 pg document here] signed by US President Donald Trump on Friday does more than fund the budget. It also makes it easier for law enforcement agencies to demand access to online information no matter what country the data is stored in. Lawmakers added the CLOUD Act [32 pg PDF here], which stands for Clarifying Lawful Overseas Use of Data Act, to the spending bill before the final House and Senate votes Thursday. It updates the rules for criminal investigators who want to see emails, documents and other communications stored on the internet. Now law enforcement won’t be blocked from accessing someone’s Outlook account, for example, just because Microsoft happens to store the user’s email on servers in Ireland. The law also lets the US enter into agreements to send information from US servers to criminal investigators in other countries with limited case-by-case review of requests.Pprivacy advocates at groups like the ACLU [see here] and the Electronic Frontier Foundation [see here] criticized the change, saying it lets law enforcement bypass constitutional protections against unreasonable searches. It also could lead the US to send user data to police in countries known for abusing the human rights of their citizens, they argue. [CNET and at: Android Central, Bitsonline, Engadget, SC Magazine, Top Tech News, Just Security and TechTarget and also As the CLOUD Act sneaks into the omnibus, big tech butts heads with privacy advocates and at: Reuters, Forbes, Beebom, Slate Magazine and New Media and Technology Law Blog (Proskaur) and see also: Congress Could Sneak a Bill Threatening Global Privacy Into Law and at: Eurasia Review | |Why the CLOUD Act is Good for Privacy and Human Rights and at EFF blog here & here] and CLOUD Act passing likely means end to US v. Microsoft case]

Workplace Privacy

UK – ‘Vicarious Liability’ Breach Case May Have Big Consequences

The High Court of England and Wales, in December 2017, held a company “vicariously liable” for a deliberate data breach carried out by a disgruntled employee. In retaliation for a warning, an employee of supermarket chain owner Wm Morrison posted to the internet the personal data of approximately 100,000 of its employees. Marc Stauch, a research associate at Leibniz Universität Hannover, offers an analysis of Various Claimants v. Wm Morrisons, in which affected employees seek compensation from the company for distress due to the breach. In the case, the court cleared Morrisons of primary liability for the breach but determined that “just as an employer takes the benefits from the activities of his employees, so too should he take the risks of the employee wrongfully performing his duties and injuring others,” Stauch writes. [Full Story]

CA – Right-to-Disconnect Talk Picks Up as Popularity of Workplace Messaging Apps Rises

There’s growing chatter in North America about adopting right-to-disconnect laws to free workers from being tethered to their phones around the clock, but some labour experts say that while the digital demands of work in the 21st century need to be openly discussed, rigid regulations and fines may not be the solution. Last week, a New York councilman proposed making it illegal to force employees to access “work-related electronic communications” from home, with some exceptions including emergency situations. Companies would have to draft written policies spelling out the hours of work and time off, and employers would not be allowed to threaten penalties against anyone who refused to check their email or work-related social networks off-hours. Quebec’s Solidaire’s Gabriel Nadeau-Dubois also tabled a private member’s bill in the Quebec national assembly last week that aims to “ensure that employee rest periods are respected by requiring employers to adopt an after-hours disconnection policy.” The proposal calls for fines between $1,000 to $30,000 for companies that refuse to draft a proper policy, or reassess it annually to ensure it remains up to date and effective. The federal government has also signalled its interest in exploring the right-to-disconnect trend, which made headlines last year when France enacted its own legislation to help protect the free time of its workforce. As part of its public consultation earlier this year on how “labour standards should be updated to better reflect and respond to the new reality” of evolving workplaces, Employment and Social Development Canada released an online survey that included several questions about right-to-disconnect policies. One of the questions asked whether right-to-disconnect regulations should be one of the government’s “most important” labour issues. [CityNews]



19-26 March 2018


WW – Businesses to Incorporate Biometric Authentication as Security Feature

There is a growing trend among businesses to incorporate biometric data into security settings, rather than relying solely on the use of passwords. Alex Simons, director of program management in Microsoft’s identity division, said, “Passwords are the weak link. They have terrible characteristics about them, and they’re hard for you to keep track of,” adding, “Passwords are also super expensive for companies.” Spiceworks, a professional network for the IT industry, reports that by 2020, the use of biometric authentication will grow to encompass 90% of businesses, up from the current 62%. Laws restricting the collection and use of biometric data are beginning to emerge, with Illinois and Texas both passing state laws, and the EU General Data Protection Regulation set to introduce consent requirements this May. [CNN Money]

US – Biometrics: Lawsuit Against Social Network to Proceed

A California Court considered a consolidated class action alleging Facebook’s practices violate Illinois’ Biometric Information Privacy Act. The court ruled that Plaintiffs adequately plead a concrete injury because Illinois’ biometric legislation provides them with a right to privacy in their biometric information, which requires their notice and consent. [Nimesh Patel et al. v. Facebook, Inc. – 2018 U.S. Dist. LEXIS 30727 – United States District Court For The Northern District Of California]

Big Data / Data Analytics / Artificial Intelligence

UK – Uber Releases Anonymized Data to Aid City Planning

In the aftermath of the Transport for London’s finding that Uber is not “fit and proper” to operate as a taxi service, the company has announced several changes to its business model, including a move that will provide anonymized data of its operations. While Uber is appealing the finding, it has also introduced a 24/7 telephone support line and began proactively reporting serious incidents to the police. Fred Jones, Uber’s head of U.K. cities, said the company is also responding to feedback that access to aggregated ride data would be helpful for city planning, adding “…we want to be a better partner to city planners and regulators, so we hope this data will help give them valuable insights for the future.” [Reuters]


CA – Therrien to Take Part in RTBF Symposium

Privacy Commissioner of Canada Daniel Therrien will take part in a half-day symposium in Toronto April 4 examining the “right to be forgotten” making its way into the country. Privacy professionals, journalists and tech leaders will discuss the ways the right to be forgotten will affect Canada and whether the country should embrace the rule. Speakers for the symposium include Canada Post Compliance and Chief Privacy Officer Amanda Maltby, Google Global Privacy Counsel Peter Fleischer, McInnes Cooper Partner David Fraser, and University of Ottawa Law Professor Michael Geist. [Full Story]

CA – B.C. Landlords’ Systemic Invasion of Renters’ Privacy Has to Stop

With near-zero vacancy rates in Vancouver and other cities around B.C., landlords are routinely asking for and getting more personal information than they have a legal right to. Some applicants have been asked whether they might get pregnant within the next year. Others are required to complete behavioural questionnaires, submit to credit checks, or provide three months’ worth of bank statements, according to a report by Drew McArthur, B.C.’s privacy commissioner, released last week. One of the 13 landlords investigated even asked applicants if he could inspect their current homes to determine whether he would rent to them. Another demanded to see an applicant’s child’s report card. Once they’ve collected all this information, few landlords have any policy or plan about what to do with it. But all of this is illegal. Even social media and internet searches are illegal. The interpretation of the Personal Information Privacy Act’s section on “publicly available” sources of information seems quaint to the point of foolishness. Regardless, McArthur says it has to stop. But his 39-page report with its 13 recommendations — including to not do those internet searches — is more educational and explanatory than punitive or threatening. [Vancouver Sun and at: BCLocalNews, The Globe and Mail, CBC News and The Canadian Press (via The Province) see also: Digital tool for landlords measures potential tenants’ kindness, cleanliness and Probe launched into B.C. landlords’ demands for sensitive information Read PR here (August 2017)

CA – OPC Decries ‘Gap’ in Law for Political Parties Handling Personal Info

The fact that political parties are excluded from federal laws on handling personal information — such as social media data – amounts to “an important gap” that could jeopardize the integrity of the electoral process, Canada’s privacy czar says. There should be a law governing the use of personal data by parties to prevent manipulation of the information to influence an election, said privacy commissioner Daniel Therrien. “From a privacy perspective, personal information is unregulated with respect to political parties, so that’s clearly not a good thing.” Neither of the two federal privacy statutes — one for government institutions, the other for private-sector organizations — covers political parties. Therrien’s comments come as he begins investigating the alleged unauthorized use of some 50 million Facebook profiles – possibly including those of Canadians — by Cambridge Analytica, a firm accused of helping crunch data for Donald Trump’s presidential campaign. This week’s events have shown that weak privacy safeguards can have serious effects that go beyond the commercial realm, potentially distorting democracy, Therrien said. “It’s a wake up call, frankly, if not a crisis in confidence. [CTV News and at: The Globe and Mail See also: Liberals awarded $100,000 contract to man at centre of Facebook data controversy | Canada’s privacy watchdog launches investigation into Facebook after allegations of data leak

CA – BC Hydro Handing Customer Information to Police Without Warrants

BC Hydro gave police the electricity bills of 3,500 to 5,000 customers per year without a warrant up until 2014. But shifting priorities — and perhaps the promise of marijuana legalization by the new federal government in 2015 — have led to a plunge in police requests for power bills. Since 2014, police requests for BC Hydro bills — usually to identify a marijuana grow op — have fallen 90% to 300 to 500 per year, said BC Hydro. Grow ops and hydro theft were a larger concern in past years. In 2010, BC Hydro said it was losing $100 million a year to grow ops that bypassed meters avoid detection. The Crown corporation now says its revenues from known grow ops — still illegal — are worth $50 million a year. BC Hydro still hands over customer information to police, including power use, without requiring a warrant. [The Tyee]

CA – Ontario Says Tribunals Should Not Be as Open as Courts

Ontario’s quasi-judicial tribunals are not courts and should not be subject to the same principles of openness when it comes to their records, the province argued in a court filing. Responding to a constitutional challenge from the Toronto Star that calls on Ontario’s various administrative tribunals — such as the Landlord and Tenant Board, and the Ontario Municipal Board, among others — to disclose hearing records as readily as courts do, the province’s lawyers said that while openness and transparency are “important features” of tribunals and the hearings themselves are typically open to the public, the right to access documents related to those hearings must be balanced against privacy concerns. The Star launched its legal challenge against the province last year in an effort to gain faster and fuller access to documents the paper argues are a matter of public interest. While reporters can attend and report on what happens at the tribunals’ public hearings, obtaining documents related to those hearings after they occur is inconsistent, onerous and often significantly delayed, the Star has argued. Unlike courts, some of Ontario’s tribunals require members of the public, including the media, to file formal freedom of information requests in order to access to documents related to a case. The province argues that tribunals do not require the same public scrutiny as courts because they are created by government legislation and subject to government oversight. [The Star]

CA – Some Advice to the Minister on How to Improve the BC FOIPPA

B.C.’s minister for citizens’ services has invited members of the public to offer their views on our provincial freedom-of-information and privacy legislation [Freedom of Information and Protection of Privacy Act (FOIPPA) see text here & IPC overview here] The legislation as it stands is frequently ambiguous, occasionally unintelligible, and an invitation to a game of hide and seek. It enables various public bodies to withhold information that by any reasonable standard should be made available. It has become common practice for public agencies such as health authorities or government ministries to withhold the names of employees dismissed for cause. The justification invariably given is the need to preserve “privacy.” But what right to privacy does an employee possess who has committed a breach of duty sufficient to get fired? There is a valid public interest in knowing this person’s identity, particularly on the part of future employers who are entitled to know who they might be hiring. Here is the nub of the problem. The commissioner has the authority to investigate spurious claims of privacy, but uses it only rarely. That creates an incentive, both for politicians and bureaucrats, to hide their dirty linen. My advice to the minister is simple. Ask the commissioner to spell out in plain language the rules that govern legitimate claims of privacy. Demand also a list of specific instances in which a claim of privacy would not be valid. (Previous commissioners, to be fair, have asked the legislature to clean up the existing muddle, and gone unheard.) And, if need be, rewrite the statutes to introduce greater clarity. [The (Victoria) Times Colonist]

CA – BC Privacy Law & Disclosing Private Info in A Civil Case

Disclosing a Litigant’s Private Information during Judicial Proceedings is not a Privacy Breach. It has long been settled that in civil actions, the public interest in getting at the truth will, absent special circumstances, trump the litigants’ right to privacy. In fact, the introduction of legal proceedings allows the parties, at the discovery stage, to probe into each other’s files and force the disclosure of otherwise confidential information, including private information, for the purpose of verifying the allegations of the parties. Relevant evidence thusly compelled is a permissible invasion of privacy based on the condition that it is solely used in the ongoing matter, for instance, as evidence at trial. But what about a litigant’s private information acquired by an opponent outside pre-trial discovery? Would the disclosure of this information by the opponent in support of their pleadings amount to an actionable breach of privacy against themselves or their counsel? Not under the Privacy Act of British Columbia, according to the BC Court of Appeal in Duncan v. Lessing, 2018 BCCA 9. The immediate implication of Duncan is to relieve counsels and litigants, at least in BC, from the fear that, in advocating their cause and mounting their case, they expose themselves to privacy breach claims from their opponent or third parties. Although not binding in the rest of the country, Duncan will most likely be taken into account in jurisdictions whose privacy legislation contains similar provisions. [CyberLex Blog (McCarthy Tétrault) See also: Truth, Privacy and the Public Interest in Securing Justice | BCCA – No privacy claim against lawyer | BCSC dismisses privacy claim against lawyer ]

CA – B.C. Court Re-examines Google Takedown Order in Light of U.S. Ruling

Last year’s Supreme Court of Canada Google v. Equustek case, which upheld a B.C. court’s global takedown order, continues to play out in the courts. The Supreme Court decision noted that it was open to Google to raise potential conflict of laws with the B.C. court in the hopes of varying the order: “If Google has evidence that complying with such an injunction would require it to violate the laws of another jurisdiction” Google thus argued in U.S. courts that “the Canadian order is ‘unenforceable in the United States because it directly conflicts with the First Amendment, disregards the Communication Decency Act’s immunity for interactive service providers [see wiki here & EFF take here], and violates principles of international comity.’” A U.S. court agreed [see 6 pg PDF here], noting that CDA immunity protections would be lost as a result of the Canadian court order. In doing so, the court concluded that the order “threatens free speech on the global internet.” In early March the case shifted back to Canada with Google seeking to vacate or vary the takedown order in light of the U.S. ruling. The judge confirmed that the hearing should go ahead in light of the U.S. ruling and the Supreme Court’s invitation to seek a variance …The court notably agreed that the case now engages core values of freedom of expression and comity [Geist and at: Barry Sookman Blog, Social Media Law Bulletin, Deeth Williams Wall Blog, Vancouver Sun and Motherboard]


US – US Consumers Feel Companies Are Not Doing Enough to Protect Data

The free flow of data may be coming to an end due to security concerns, according to Deloitte’s Digital Media Trends Survey. It found 69% of consumers believe that companies aren’t doing everything they can to protect data. But 73% of consumers say they’d share data if they had visibility and control over it. Another wrinkle is that 93% of U.S. consumers believe they should be able to delete their online data when they want. The Deloitte survey data was collected from 2,088 consumers in November 2017. [ZDNet and at: Los Angeles Times, Variety and Recode]


US—More States Adopting Auditable Paper Trails to Safeguard Election Reliability

US states are taking steps to make sure that their voting systems provide an auditable paper trail. Currently, there are five states that use only direct recording electronic voting machines (DREs), which do not include a paper trail. Other states have a mix of systems. While some states are moving quickly to make changes, others are incorporating the changes into the lifecycle of current equipment and may not have their auditable systems in place until 2020 or later. Two states, Colorado and Rhode Island, use entirely paper-based voting systems and both require post election risk-limiting audits. [www.cyberscoop.com: Spooked by election hacking, states are moving to paper ballots]

EU Developments

EU – European Data Protection Supervisor Presents 2017 Annual Report

On March 20, Giovanni Buttarelli, European Data Protection Supervisor (EDPS) presented his 2017 Annual Report to the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) [see here & wiki here]. ”In the EDPS Strategy 2015-2019, Buttarelli set out three goals and an action plan to help the EU lead by example in the global dialogue on data protection and privacy in the digital age. Buttarelli confirmed the plans for new cloud computing guidance in his newly published annual report for 2017. New guidelines on IT governance and management will also be issued by the supervisor in 2018, according to the report. Another “main objective” for 2018 is preparing for the European Data Protection Board (EDPB) [see here] to become operational. The EDPB will replace the existing Article 29 Working Party as a regulatory body under the EU’s General Data Protection Regulation (GDPR) when the GDPR begins to apply on 25 May. It also promised to provide “targeted input where appropriate” to the continuing development of the proposed new EU regulation on privacy and electronic communications (e-Privacy). [EDPS | Out-Law]

EU – EDPS Releases Cloud Computing Guidelines

The European Data Protection Supervisor has released guidelines on the best ways for European institutions and bodies to use cloud-computing services. The guidelines are designed to help assess and manage the data protection and privacy risks entities may face when personal data is processed by cloud-based services. The guidelines highlight the relevant provisions related to the EU General Data Protection Regulation and focus on several topics, including assessments on whether cloud computing is an appropriate option, determining the proper cloud-computing option by examining and considering data protection requirements, and relevant organizational and technical safeguards. [EDPS]

EU – Reaction to Children’s Data Processing Requirements in GDPR

The Centre for Information Policy Leadership has published recommendations for processing children’s personal data under the GDPR. The think tank notes that parental consent is not the only legal basis for processing by information society services (contractual necessity or legitimate interests can apply), organisations should not have to create standard and child-friendly notices (they should cater to a general audience), and advertising to a child is not automatically a high-risk processing activity (it is a common, expected activity that can be based on legitimate interest). [GDPR Implementation In Respect of Children’s Data and Consent – CIPL]


CA – Royal Bank Offers Info to Help Create Data-Sharing Portals

The Royal Bank is allowing external software developers to access banking data in order to create a portal allowing customers to share their information. The move is a step toward “open banking,” where startups and developers have the ability to create apps using bank data. Royal Bank is currently offering application programming interface portals based on several different types of information, including credit card rates and fees and minimum down payments for buying a home. The portals are only using public information, but with open banking, the goal would be to eventually have customers share their personal banking data. [Financial Post]

US – Americans Spent $1.4B on Credit Freeze Fees in Wake of Equifax Breach

Almost 20% of Americans froze their credit file with one or more of the big three credit bureaus in the wake of last year’s data breach at Equifax, costing consumers an estimated $1.4 billion, according to a new study. The findings come as lawmakers in Congress are debating legislation that would make credit freezes free in every state. The figures, commissioned by small business loan provider Fundera and conducted by Wakefield Research, surveyed some 1,000 adults in the U.S. Respondents were asked to self-report how much they spent on the freezes; 32% said the freezes cost them $10 or less, but 38% said the total cost was $30 or more. The average cost to consumers who froze their credit after the Equifax breach was $23. .Curious about what a freeze involves, how to file one, and other options aside from the credit freeze? Check out this in-depth Q&A that KrebsOnSecurity published not long after the Equifax breach. [Krebs and at: International Business Times, FinancialBuzz and ConsumerAffairs]

Health / Medical

CA – Paper Documents in Hospitals Not Always Properly Destroyed: Study

Dr. Nancy Baxter, the chief of general surgery at St. Michael’s Hospital, Toronto, has just published a new research letter in JAMA [see “Disposal of Paper Records Containing Personal Information in Hospitals” that finds that while all patients have the right to expect their personal health information will be kept safe in hospital, that doesn’t always happen. Baxter and a team of researchers rifled through the recycling bins at five Toronto hospitals to see what got left behind. Among that half tonne of paper bound for recycling [591.6 kilograms of papers from emergency departments, intensive care units, hospital clinics and physician offices] were 2,687 documents containing personal information that should have been shredded. Of those items, 802 were documents with low sensitivity, 843 with medium, and 1,042 with high sensitivity. Though sensitive documents were found in recycling bins of all areas of all five hospitals, most of the items –1,449 of them — came from physicians’ offices. Ontario’s privacy commissioner Brian Beamish reviewed the study and says it is a good reminder that even though there is a move towards electronic medical records, there are still lots of paper medical records out there that need to be disposed of securely. [CTV News at: The Canadian Press (via CBC)]

CA – BC Public Starved for Details When Health Professionals Misbehave

When it comes to the misbehaviour of healthcare professionals, it’s sometimes a maddening process for regular British Columbians to find thorough information about how serious and widespread the offences were. The 23 professional colleges that regulate health workers in B.C. take inconsistent approaches to how much information they reveal in disciplinary decisions. And for anyone who wants to know more, the process for filing a Freedom of Information request can be frustratingly opaque. Unfortunately, the lack of information from many of these colleges leaves the public in the dark on the details we need to make critical decisions about our healthcare. For Mike Larsen, president of the Freedom of Information and Privacy Association, public discipline notices from many colleges look more like press releases than genuine efforts to keep people informed. “I don’t think, and FIPA doesn’t think, they’re doing as good a job as they could be,” Larsen said. [CBC News and at: CBC News and The Vancouver Sun]

CA – No Access to Deceased Spouse’s Medical Records

The BC OIPC reviewed a decision by St. Paul’s Hospital to deny access to records requested, pursuant to the Freedom of Information and Protection of Privacy Act. A BC hospital correctly denied an individual access to her deceased husband’s medical records; the request for access was not made on behalf of the deceased individual (it was for use in legal action against the deceased’s daughter), and personal privacy rights continue for at least 20 years after death. [OIPC BC – Order F18-08 – St. Paul’s Hospital]

Horror Stories

US – Facebook Draws Scrutiny from FTC, Congressional Committees

Facebook Inc. is drawing scrutiny from the main U.S. Federal Trade Commission and half a dozen congressional committees over how the personal data of 50 million users was obtained by a data analytics firm Cambridge Analytica [see here & wiki here] — [Note: This is in addition to the UK Electoral Commission here, the UK OPC here, the Canadian Privacy Commissioner here & here, and the Irish Data Protection Commissioner here] The FTC is probing whether Facebook violated terms of a 2011 consent decree [see FTC post here & here] over handling of personal user data that was transferred to Cambridge Analytica without users’ knowledge. The FTC could fine the company into the millions of dollars if it finds Facebook violated the 2011 agreement — [it has the power to fine the company more than $40,000 a day per violation]. Facebook previously said in a statement it rejects “any suggestion of violation of the consent decree.” New York State Attorney General Eric Schneiderman announced that he and Massachusetts Attorney General Maura Healey had sent a demand letter to Facebook as part of a joint probe stemming from the fallout. Connecticut Attorney General George Jepsen announced his own probe. In addition to the briefings, Senator Mark Warner of Virginia, the top Democrat on the Senate Intelligence Committee, said he wants to hear testimony from Facebook Chief Executive Officer Mark Zuckerberg, as well as Twitter Inc. CEO Jack Dorsey. Senator Richard Burr of North Carolina, chairman of the Intelligence Committee, said any decision about calling Zuckerberg to appear before the panel is farther off. [Bloomberg and at: The New York Times, Bloomberg & PBS NewsHour See also: Top EU privacy watchdog calls Facebook data allegations the ‘scandal of the century’ | Cambridge Analytica revelations are only ‘tip of the iceberg’, warns EU data protection chief | Irish Data Protection Commissioner to probe Facebook’s ‘oversight’ of political targeting on the platform | Facebook Has a Long History of Resolving Privacy Claims on the Cheap | Facebook needed third-party apps to grow. Now it’s left with a privacy crisis | A Facebook shareholder launched a lawsuit against the social network over the Cambridge Analytica scandal | ‘It just felt right’: David Carroll on suing Cambridge Analytica | Facebook Besieged by Wall Street, Washington and Europe | Cambridge Analytica CEO suspended as data scandal grows | Facebook data scandal: Canadian whistleblower was axed by Liberals over data harvesting ideas | A grossly unethical experiment’: Canadian whistleblower at centre of Facebook data breach scandal | Facebook loses control of 50 million users’ data, suspends analytics firm | Cambridge Analytica’s Ad Targeting Is the Reason Facebook Exists | Facebook privacy flaw was flagged with Irish regulator in 2011 | Why We’re Not Calling the Cambridge Analytica Story a ‘Data Breach’ | Canada’s privacy watchdog asks Facebook for info on data misuse that raises ‘serious concerns’ and at: MobileSyrup, CTV News, Global News, The Globe and Mail, National Post] Facebook suspends Cambridge Analytica, SCL, says data shared with third parties violated platform policies at: Reuters, The Wall Street Journal, The Guardian, The New York Times, and USA Today | Facebook may have broken FTC deal in Cambridge Analytica incident | Facebook on Defensive as Cambridge Case Exposes Data Flaw]

WW – Cambridge Analytica Facing Investigations After Revelation of Facebook Data Harvesting

Cambridge Analytica allegedly gathered data illegally from 50 million Facebook users through an online quiz and used them to serve targeted advertisements aimed at discrediting Hillary Clinton and promoting Trump’s presidential campaign. The UK’s Information Commissioner and the Massachusetts attorney general have launched investigations. Wikipedia describes Cambridge Analytica as “a privately held company that combines data mining and data analysis with strategic communication for the electoral process.” Read more in: www.bbc.com: Cambridge Analytica: Warrant sought to inspect company | www.theregister.co.uk: BOOM! Cambridge Analytica explodes following extraordinary TV expose | www.scmagazine.com: Probes launched after Facebook boots professor, Cambridge Analytica for harvesting info on 50M Americans without permission | www.zdnet.com: How Cambridge Analytica used your Facebook data to help elect Trump | www.nytimes.com: Cambridge Analytica, Trump-Tied Political Firm, Offered to Entrap Politicians | www.washingtonpost.com: Cambridge Analytica CEO appears to talk about using bribes and sex workers to sway elections on secretly recorded news video | www.wired.com: Cambridge Analytica Execs Caught Discussing Extortion And Fake News]

US – Former Equifax Exec Facing Insider Trading Charges

Former Equifax CIO Jun Ying is facing insider trading charges from both the US Securities and Exchange Commission (SEC) and the Department of Justice. The charges allege that Ying exercised company stock options work nearly $1 million USD before news of the company’s massive breach became public. [www.justice.gov: Former Equifax employee indicted for insider trading | www.sec.gov: Former Equifax Executive Charged With Insider Trading | www.scmagazine.com: SEC charges former Equifax U.S. CIO with insider trading related to data breach | www.zdnet.com: Former Equifax executive charged with insider trading after data breach | arstechnica.com: Senior ex-Equifax executive charged with insider trading | www.cyberscoop.com: Former Equifax executive charged with insider trading after mega breach]

Identity Issues

US – FTC Announces Blockchain Working Group

Following the FTC’s lawsuit against four individuals who allegedly promoted deceptive cryptocurrency schemes, Neil Chilson, the FTC’s acting chief technologist, announced that an internal Blockchain Working Group has been organized to protect consumers and promote competition in light of cryptocurrency and blockchain developments. “Fraudsters often attempt to capitalize on the excitement and confusion around hot new technologies, and they are quick to dress up old schemes in the clothes of the latest and greatest innovations,” Chilson wrote. “I expect that fraudsters will repurpose old schemes to capitalize on the current glamour and mystery of cryptocurrency.” The goals of the working group will include building upon staff expertise, facilitating communication and coordination of enforcement actions, and to serve as an “internal forum for brainstorming potential impacts on the FTC’s dual missions and how to address those impacts.” Full Story

EU – Blockchain Observatory and Forum Calls for Contributors

The EU Blockchain Observatory and Forum is calling for contributors to participate in two Working Groups it hopes to establish. Contributors can join the Blockchain Policy and Framework Conditions Working Group, which will look to establish the proper policy, legal and regulatory conditions needed to assist in the deployment of blockchain applications, and the Use Cases and Transition Scenarios Working Group, which will focus on public sector use cases for blockchain, including for health care, energy and environmental reporting. The forum is looking for EU citizens who have experience with blockchain technology and will be accepting applications until 9 April. [Full Story]

Internet / WWW

WW – ICANN Considering Limiting Access to Domain Name Registration Data

The Internet Corporation for Assigned Names and Numbers (ICANN) is considering limiting the scope of information about domain name registrations that will be publicly available. Currently, the names, addresses and contact information of entities who register domain names is usually publicly available. ICANN is considering limiting that information to basic website information, such as its location, to comply with European Union rules set to take effect in May 2018. The US government and technology companies are objecting to the proposed changes because they say it will make tracking down criminals more difficult. [thehill.com: Tech companies push back against internet watchdog’s new privacy rules]

WW – Google Announces New Privacy Tools for Data Privacy and Security

Google recently announced products and services to spotlight data privacy and help enhance cybersecurity. Among those included in the release, the new Cloud Security Command Center provides data risk analysis and threat intelligence dashboard to assist businesses gathering threat data, the VPC service controls allow for increased data privacy, and the new Access Transparency Logs, which was already used internally, is now available in a consumer-facing product. Google’s director of security, trust and privacy, said all these features are rooted in artificial intelligence. “We’re constantly evolving and pushing machine learning models so we can learn from literally billions of threat landscape indicators and quickly identify the source of an attack in the making,” she said. [PC Magazine]

Internet of Things

US – NIST Privacy Engineering Program hosting IoT roundtable

The National Institute of Standards and Technology (NIST) Privacy Engineering Program will be hosting a roundtable on the internet of things March 29. The roundtable will help develop a NIST document on the privacy and security risk considerations regarding the IoT. The group is seeking privacy professionals to participate in the roundtable in order to identify privacy risks involving the internet of things and has released a discussion draft offering information about their proposed approaches to the considerations. [NIST]

Law Enforcement

CA – Waterloo Police Considering Using Drones for Missing Person Searches

Waterloo Regional Police are considering the use of drones to assist in missing person cases and investigating car crashes. The drones will be fully operational by May 2018, and a Police Services Board report states the drones will be a faster and more efficient way to search large areas. The report also states the drones will not be used for surveillance purposes without “judicial authorization and completed privacy impact assessment.” [CBC News]


US – Police Ask Google for Location Data to Narrow Suspect Lists

Police in North Carolina have hit on a simple if potentially controversial way to firm up suspect lists – use location data from Google to work out which devices were being used near the scene of crimes. Police in Raleigh used warrants in at least four recent investigations to make the search giant reveal the IDs of every device within certain map locations. Based on one or a combination of GPS, Wi-Fi and cellular location data, police were first given a list of anonymised time-stamped identifiers corresponding to every device within the map coordinates they were interested in. From an example warrant, this area of interest was as small as 150 metres from specific GPS coordinates, covering two narrow time ranges of around an hour each. The problem is that while treating device location data as evidence sounds logical, the inferences that can be drawn from it are fraught with danger. The obvious limitation is proving that a device’s registered owner was the one using it at the time and location police are interested in. If location data is requested while building a case based on a variety of evidence, that might be legitimate. The danger is that this data becomes the incriminating evidence from which the case is built. [Naked Security and at: WRL.com]

US – Spy Lab Wants to Geolocate Any Video or Photo Taken Outdoors

US intelligence is working on geotagging every possible outdoor location in the world. Difficulty of tracking down outdoor photos that haven’t been geotagged has led a US spy lab to launch Finder: a research program of the Intelligence Advanced Research Projects Agency (IARPA), the Office of the Director of National Intelligence’s dedicated research organization. The project aims to build on existing research systems to develop technology that augments analysts’ geolocating skills. At this point, analysts rely on information such as visible skyline and terrain; digital elevation data; existing, well-understood image collections; surface geology; geography; and architecture (think red phone booths). The goal is all-encompassing: IARPA wants Finder to find everything, as in, the ability to geolocate any video or photo taken anywhere outdoors. Once you realize how many of your photos are out there, bearing EXIF data that contains times, dates and locations of, say, your kids in the playground, you might want to start scrubbing your old photos clean. Here’s a guide on that from How-To Geek. [Naked Security and at: Ars Technica]

Online Privacy

WW – Updated Privacy Policies from Microsoft, Linkedin and Slack Leave Much to Be Desired

A week after the Facebook-Cambridge Analytica scandal came to light, Microsoft, LinkedIn and Slack emailed users updated policies committed to privacy. But while experts applauded the transparency efforts, they criticized them for being written in legalese or so vague that they end up raising more questions than answers. ”Companies think of privacy as an afterthought. It needs to be at the forefront,” said Imran Ahmad, a partner at Miller Thomson who leads the firm’s cybersecurity practice. “If you read a privacy statement and can’t understand it, are you really giving informed consent?” Teresa Scassa, the Canada research chair in information law and policy at the University of Ottawa, poked around the links and said she thought “wow, the ordinary consumer lost interest minutes ago.” [The Star]

Privacy (US)

US – 9th Circuit Further Split Over Standing in Data Breach Cases

On March 8, 2018, the Ninth Circuit issued its highly anticipated decision in In re Zappos.com, Inc.[see 18 pg PDF here], finding that allegations of future risk of identity theft from a data breach are sufficient to confer standing [see here]. This decision fuels an ongoing circuit split, pitting the D.C., Sixth, Seventh and now Ninth Circuits against the Second, Fourth, and Eighth Circuits over whether the mere exposure of personal information – without actual identity theft or credit/debit card fraud – establishes Article III standing. The Ninth Circuit has now joinwd its sister courts in the D.C., Sixth and Seventh Circuits to make it easier for plaintiffs to maintain data breach cases beyond the pleading stage despite no showing of actual injury. [Data Protection Coverage and at: Data Law Insights and Business Insurance]

US – FTC Modifies Sears’ Consent Order for Tracking Software App

Sears Holdings Management Corporation petitioned the FTC to reopen and modify its previous Consent Order. Sears must continue to notify and obtain express consent prior to disseminating any software program or app that monitors or records consumer activities, except where the tracked information is limited to the configuration of the software program itself, the functionality of the app, or consumers’ use of the app. [In the Matter of Sears Holding Management Corporation – Docket No. C-4264 – Before the FTC | Press Release | See also: Hogan Lovells Represents Sears in Achieving First-Ever Modification to FTC Privacy Consent Order]

Privacy Enhancing Technologies (PETs)

AU – Breach Notification: OIC Australia Releases Comprehensive Guide

The Office of the Australian Information Commissioner (OAIC) issued guidance on how to prepare and respond to data breaches. Entities must notify affected individuals and the Information Commissioner of “eligible data breaches”, which are defined as unauthorised access to or disclosure of PI held by an entity or information is lost in circumstances where unauthorised access or disclosure is likely to occur, that is likely to result in serious harm to any of the individuals to whom the information relates, and the entity has been unable to prevent the likely risk of serious harm with remedial action. 4 steps: Contain, assess, notify, review. [OIC Australia – Data Breach Preparation and Response and OAIC Received 31 Notifications Since Data Breach Scheme Took Effect]


CA – Most Canadian Organizations Feel Insecure

A study, conducted for Scalar by IDC Canada, surveyed 421 IT security and risk compliance professionals in November-December 2017. Organizations expect to be breached but

  • 1/5 cite their security processes as ineffective
  • core security processes are not performed across the entire organization
  • less than 1/3 conduct formal employee training
  • vulnerabilities in third-party relationships are not accounted for
  • the speed of installing security updates and patches is inadequate, and
  • response planning lacks documentation and regular updating.

[The Cyber Security Readiness of Canadian Organizations – Scalar]


CA – Sidewalk Labs Addresses Privacy Concerns Over Proposed High-Tech Quayside District

The Google-affiliated company proposing a high-tech district in the Port Lands is trying to reassure Torontonians their privacy and data will be protected if the project proceeds. Hundreds of people turned out last week for an evening public consultations co-hosted by New York-based Sidewalk Labs and Waterfront Toronto at the Metro Toronto Convention Centre. Rohit (Rit) Aggarwala, Sidewalk Labs’ chief policy officer, told the crowd he has heard loud and clear concerns over privacy and the use of data that would be collected by sensors monitoring and controlling everything from traffic to snow-melting sidewalks in hyper-connected “Quayside.” Audience members seemed unsatisfied with answers about who would own data generated in the district and where it would be stored — officials could only say that negotiations continue. [Toronto Star and at: The Canadian Press (Global News), MobileSyrup, The Globe and Mail and ITBusiness.ca]

Workplace Privacy

CA – When Can HR Legally ‘Snoop’ on an Employee?

Spying, snooping, sleuthing – whatever you choose to call monitoring your employees, there’s no denying it’s a contentious issue in the workplace. But what legally constitutes snooping on your staff? And when are you allowed, or prohibited, from perusing their computers, emails and phones? We spoke to Cameron Wardell [see here], a lawyer at ‎Mathews, Dinsdale & Clark LLP, who gave us his take on this complicated topic.” The framework for privacy protections in BC and Canada is quite complex, and the law about it can be surprising,” observed Wardell “I would say that the biggest take-home point in this digital age is that the Courts and other decision-makers will assign privacy rights outside of what we might historically think of as private. In 2018, employers are well-advised to consider this—and to consult legal counsel—before searching any workplace computer or even the social media profiles of employees or prospective employees.” [HRMonline]



13-19 March 2018


US – Madison Square Garden Used Face-Scanning Technology on Customers

Madison Square Garden has quietly used facial-recognition technology to bolster security and identify those entering the building. It is unclear when the face-scanning system was installed. The people familiar with the Garden’s use of the technology, who were granted anonymity because they were not authorized to speak publicly about it, said they did not know how many events at the Garden in recent months have used it or how the data has been handled. Although security is the most obvious use of the technology, some independent experts say it is less effective as a security measure for private businesses because they do not have access to various watch lists held by law enforcement agencies. In fact, some vendors and team officials said the customer engagement and marketing capabilities of facial recognition are even more valuable than added security for sports facilities.[NYTimes at: GIZMODO and Yahoo Sports]

Big Data / Data Analytics / Artificial Intelligence

US – California State Lawmakers Taking a Closer Look at AI and Privacy

The “robot apocalypse” that some envisioned with the rise of artificial intelligence hasn’t arrived, but machine learning systems are becoming part of Californians’ everyday lives, tech experts told state lawmakers in Sacramento. As use of the technology becomes more widespread, so will the challenges for legislators who will have to grapple with how and when they should step in to protect people’s personal data. The state Assembly hearing was the second this year to take on the issue of artificial intelligence. Members of the Little Hoover Commission, an independent state oversight agency that reviews government operations, held a similar discussion last month. Representatives of tech companies argued at that lawmakers should not move too quickly on developing privacy regulations. But tech privacy experts countered, saying users want more control over how their personal information is shared. Patients, for example, may agree to share their medical data with one AI developer, but might not want that business to release their information to their employers or health insurance companies. [LA Times]

US – University Uses Predictive Analytics to Increase Retention Rate

Researchers at The University of Arizona collect tracking data from student ID cards to analyze interactions and predict which students are most likely to drop out. In a news release, the university explained that their analysis can predict a student’s likelihood to drop out 73% of the time, starting from day one of classes and improving over time. Lists of the most at-risk students are cultivated and sent to advisors twice a semester, who can then intervene and help improve the retention prospect if they choose. It is reported, however, that the student ID policy site does not disclose how data is used in monitoring and tracking student activity. [Gizmodo, CTV News: Startup Uses AI to Assess Tenants’ Level of Risk]

CN – ‘Black Tech’ Facial Recognition Glasses Worn by Chinese Police Raise Privacy Concerns

Beijing police are testing out a new security tool: smart glasses that can pick up facial features and car registration plates, and match them in real-time with a database of suspects. The AI-powered glasses, made by LLVision, scan the faces of vehicle occupants and the plates and light-up warnings for the wearers if the glasses match the information with a centralized “blacklist.” The test, which coincides with the annual meeting of China’s parliament in central Beijing, underscores a major push by China’s leaders to leverage technology to boost security in the country. That drive has led to growing concerns that China is developing a sophisticated surveillance state that will lead to intensifying crackdowns on dissent. “(China’s) leadership once felt a degree of trepidation over the advancement of the internet and communication technologies,” said David Bandurski, co-director of the China Media Project, a media studies research project at the University of Hong Kong. “It now sees them as absolutely indispensable tools of social and political control.”[Global News]


CA – OPC Wants to Limit Data Collection in National Security Bill

The Office of the Privacy Commissioner of Canada (OPC) released on March 5th, 2018 a series of recommendations for Bill C-59 (The National Security Act 2017) that the agency hopes will help lessen some of the potential privacy infringements in the bill. In particular, Therrien’s recommendations related to “publicly available information” sought to add limits on when Canadian intelligence agencies can use information available in online public spaces — such as Facebook, Twitter and other social networks. The privacy commissioner worried that information won’t always be obtained in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) — the federal law that governs how organizations handle private information — potentially allowing the Communications Security Establishment (CSE) to use forms of invasive surveillance to gather intelligence on Canadians. This means that even though Canadians may have information about themselves available online, it would be a privacy invasion for a government agency to compile data and use it on Canadians without cause or consent. The Canadian Civil Liberties Association (CCLA) agreed with the OPC’s privacy concerns. Mobile Syrup, Ottawa’s privacy watchdog wants limits on spies’ information collecting powers

CA – AB OIPC Orders Uber to Notify All 815K Canadian Data Breach Victims

Following a ruling by Alberta Information and Privacy Commissioner Jill Clayton, Uber announced it will notify all 815,000 Canadians who were affected by the ride-hailing company’s 2016 data breach, City News reports. In her ruling, Clayton wrote the personal information of drivers, including their licenses, could be used for identity theft or fraud. Uber will be required to inform the commissioner it has notified all the affected individuals within 10 days of the ruling. While Uber disagreed with the ruling, Uber Spokesman Jean-Christophe de le Rue said the company will adhere to the decision. [Full Story]


CA – How to Handle Loblaw’s Request for More Gift Card ID

Canada’s privacy commission revealed this week that it is investigating Loblaws for sending letters requesting that some customers mail them a copy of their driver’s license or other ID that’s in their name to verify their identity. “This is so outrageous,” says Ann Cavoukian, at the Privacy by Design Centre of Excellence at Ryerson University in Toronto. “It’s completely unacceptable for them to ask. You’re adding insult to injury when they should really be bending over backward to make this right.” Kevin Groh, vice-president of corporate affairs and communications for Loblaw Companies Ltd., explains the company’s position this way. “For a small percentage, we’ve asked for proof of name and address. No customer has to submit a driver’s license. Our first suggestion is that customers can send a utility bill—like a hydro or phone bill—which doesn’t contain sensitive information. ID will be collected through a secure channel, verified, then destroyed.” Cavoukian also doesn’t trust Loblaw when they say that they’re going to destroy the proof of identity documents. “Info gets lost or stolen because of so many people inside handling the documents. They’re putting people at risk.” Instead, Cavoukian says Loblaws should issue an immediate apology and tell people who’ve received the letters that they are destroying any information they’ve received immediately. [MoneySense]


CA – Canucks Hit by ‘Cryptojacking’ Hacker Trend

A wave of so-called “cryptojacking” has been sweeping the internet, forcing unwitting web surfers into generating money for cybercriminals. Hackers infect websites with malicious code that secretly conscripts visitors into an army of cryptocurrency miners. Cryptocurrency mining involves devoting a computer’s processing power to solving a complicated mathematical problem with digital currency offered as a reward. The cryptojacking process is invisible and web surfers typically don’t even realize anything is happening in the background, unless they hear their computer’s fan kick in as the machine is forced to work at its full capacity. Once they leave the infected website, the cryptojacking stops. Last month. The websites of the Information and Privacy Commissioner of Ontario, the Centre for Addiction and Mental Health, and some municipal websites were among thousands that were hit with an attack linked to a third-party accessibility app called Browsealoud. [The Canadian Press and at: Naked Security, The Next Web, ComputerWeekly, Digital Trends, MyBroadband and Public Radio International]

WW – Privacy-Busting Bugs Found in Popular VPN Services

A new report reveals three popular VPN services have been found to leak private user information Hotspot Shield, Zenmate, and PureVPN all promise to provide privacy for their users. The research reveals bugs that can leak real-world IP addresses, which in some cases can identify individual users and determine a user’s location. ZDNet, CyberGhost VPN review: A speedy VPN provider that’s easy to use  | NordVPN review: This VPN’s features make it hard to beat  | SaferVPN review: Good features overshadowed by privacy concerns | TunnelBear VPN review: An option for occasional VPN users | TorGuard VPN review: A VPN service designed for extreme privacy | VyprVPN review: A VPN committed to online user security, privacy, and an open internet ||Speedify review: A mobile-focused VPN with zippy upload speeds

EU Developments

EU – Metadata Privacy Regulation at Heart of Broader Telecoms Market Debate

EU Working Party on Telecommunications and Information Society are set to scrutinise the issue of metadata processing [See here & here] at a meting when proposed new EU laws on privacy and electronic communications – a draft e-Privacy Regulation [see proposal overview here & download 35 pg PDF here other ePR Documents here] – will be discussed. In advance of that meeting, the Bulgarian presidency of the Council of Ministers has published a document that has highlighted that there are different views across national governments in the EU on the rules that should apply to metadata [wiki here] processing. The Bulgarian presidency’s document has set out a range of options for EU governments to consider which would loosen the rules around metadata processing for the companies subject to the e-Privacy framework. The options put forward range significantly on what they would enable electronic communication service providers to do. The final text of the new Regulation must be approved by both the Council of Ministers and the European Parliament before it can enter into EU law, and there is likely to be a transitional period after that point before the new rules take effect. [Out-Law]


CA – Alberta Privacy Commissioner to Investigate FOI Interference

Alberta Information and Privacy Commissioner Jill Clayton announced her office will launch an investigation into Premier Rachel Notley’s former chief of staff, John Heaney. A complaint alleges Heaney stopped a freedom-of-information request regarding email logs from executive council. Heaney sent an email suggesting the information should not be released until he discussed it with another staff member. The complaint states Heaney’s involvement led to a two-month delay, with the information having never been released. Heaney had left the premier’s office last summer. The investigation will include an oral hearing, and commissioner Jill Clayton expects to issue notices compelling staffers to attend and produce records. The opposition United Conservative Party wants the hearing to be public. In November, UCP accountability critic Nathan Cooper asked Clayton to investigate what he called “political interference” by Heaney and Service Alberta. According to internal emails, Heaney had concerns with the response prepared by bureaucrats and recommended changes to what would be released. Cooper slammed that as political interference. [Edmonton Journal and at: CBC News, CBC News]

CA – Rejected BC Job Applicants Obtain Disclosure of Application Records

The British Columbia Information and Privacy Commissioner recently ordered Compass Group Canada Ltd., a food, cleaning and maintenance service company, to disclose all records related to the job applications of a group of rejected applicants. This decision provides insight into the disclosure obligations of private organizations. Organizations cannot refuse to disclose records containing personal information on the basis that they contain confidential or personal information protected by the Personal Information Protection Act if the offending portions of the documents can be redacted. As a matter of procedure, if an organization considers that a disclosure request is frivolous or vexatious, it should ask the Commissioner for authorization to disregard the request prior to responding in any way. [Source] [Mondaq]

Health / Medical

UK – NHS Staff Breaking Data Security Policies Every Day With Whatsapp

CommonTime published ‘Instant Messaging in the NHS‘ that delves into the swelling issue of instant messaging apps (like WhatsApp and Messenger) being used to supplement official communication channels – a sign that NHS staff themselves are being driven to innovate faster than the trusts they represent. The very first finding from the report is that the issue of NHS staff communicating via consumer-oriented instant messaging (IM) services is actually much bigger than has been previously reported. A measly 15% of NHS staff use only Trust provided channels of communication, while a staggering 43% use consumer IM (to varying degrees). The report finds that thus far, attempts to stem the tide through education, the provision of alternatives and enforcement of policy are doing little to discourage staff with 1 in 50 receiving disciplinary actions for IM related incidents. [SecurityBrief and at: Infosecurity Magazine, Computer Business Review and The Sun]

US – ONC Officials Say It’s Time to Share Data With Patients

The Office of the National Coordinator for Health IT officials said it is time to give patients access to their data. ONC Deputy National Coordinator Jon White said patients are frustrated they cannot see their information, while National Coordinator Donald Rucker shot down the argument that medical information would be too complicated for patients to understand. The comments from the ONC officials come as the Centers for Medicare & Medicaid Services announced two initiatives designed to help enhance data-sharing practices. [FierceHealthcare]

Horror Stories

US – Yahoo Judge Lets Hack Victims Seek Payback for Data Breaches

Customers make a plausible argument that “high-ranking executives and managers at Yahoo” engaged in “malicious conduct,’’ the standard for seeking punishment damages on top of ordinary compensation for consumer harm, U.S. District Judge Lucy Koh in San Jose, California, said in a recent ruling. Yahoo reached an $80 million settlement this month with investors over claims that executives concealed the data breaches to artificially inflate the price of the internet firm’s shares. Under the accord, investors are slated to get 12 cents for each share of Yahoo stock they owned. With the investor claims settled, Yahoo will probably move to resolve the consolidated customer cases, said Rahul Telang, a professor of information systems at Carnegie Mellon University in Pittsburgh. “I foresee a settlement in the hundreds of millions rather than billions”. [Bloomberg and at: Reuters, Security Boulevard, Courthouse News Service and Business Insurance]

Identity Issues

US – Delaware to Pilot Mobile Driver’s Licenses

Delaware could be among the first states to use mobile driver’s licenses. The Division of Motor Vehicles has launched a mobile driver’s license pilot study that will run for six months and include about 200 state employees and stakeholders before deciding to roll out to 800,000 licensed drivers and ID card holders. Features of the mDL that will be tested include:

  • Enhanced privacy for age verification: No need to show a person’s address, license number and birthdate. The mobile driver’s license will verify if the person is over 18 or 21 and display a photo.
  • Law enforcement use during a traffic stop: The mobile driver’s license will allow law enforcement officers to ping a driver’s smartphone to request their driver’s license information before walking to the vehicle.
  • Business acceptance: Understanding how businesses that require identification or age verification interact with the mobile driver’s license will be advantageous throughout the pilot study.
  • Ease of Use: Ensuring the mobile driver’s license is able to be presented to any organization without difficulty.
  • Secure access: The mobile driver’s license is unlocked and accessible only by the license holder. The mobile driver’s license is accessed through an app on the owner’s smartphone and is opened/unlocked by entering a user-created PIN or facial recognition. [Delaware Online]

US – Judge Rules NH Lottery Winner Able to Stay Anonymous

A judge ruled that a New Hampshire woman who won a $560 million lottery will be allowed to keep her identity unknown. While the woman’s hometown may be disclosed, Judge Charles Temple said disclosing the woman’s name would constitute an invasion of privacy, adding, “This personal information is exempt from disclosure under the Right-to-Know law.” The state attorney general’s office had argued that since the woman signed her name on the back of the ticket, her identity must be revealed. [USA Today, Forbes, The Washington Post, USA Today, Courthouse News Service and BBC News]

UK – Controversial Online Porn Block Has Been Delayed

The UK government has delayed a controversial age verification block on pornography websites in the UK. The system, which was meant to go live in April, would have required all pornographic websites to verify if people viewing content were 18 years of age or older. Confirmation of the delay, buried deeply within a government press release about 5G, reveals that “age verification will be enforceable by the end of the year.” The project was introduced as part of the Digital Economy Act in 2017 [ wiki]. In what’s come to be known as the ‘UK porn block‘, three of the largest porn websites in the UK haven’t been able to confirm how they will implement age verification. One of the world’s biggest pornography companies has only released limited details of how its age checker will work. Under the law, pornography websites are expected to start using software, most likely from third-parties, to check whether someone is old enough to view the content. The UK government hasn’t recommended one piece of software that should be used but said it will leave this to the “industry”. [WIRED and at: The Register, Gizmodo, engadget and The Guardian]

Internet of Things

UK – Government Issues IoT Security Guidelines

The UK government’s Secure by Design review includes a proposed code of practice for Internet of Things (IoT) manufacturers, IoT service providers, mobile application developers, and retailers that includes not allowing universal default passwords, securely storing sensitive data, making it easy for consumers to configure the devices, updating software, and implementing a vulnerability disclosure policy. [www.gov.uk: Secure by Design: Improving the cyber security of consumer Internet of Things Report | www.gov.uk: New measures to boost cyber security in millions of internet-connected devices | www.zdnet.com: New IoT security rules: Stop using default passwords and allow software updates | www.v3.co.uk: Government to demand ‘security by design’ in new measures to tackle IoT security]

WW – Google Android Security Report 2017

Google released its fourth annual Android Security Year in Review – see Blog post – Key takeaways to ponder: 1) report is about perception and corralling an ecosystem that’s hard to wrangle; 2) Apple iOS vs. Android security argument is futile (apples vs. oranges, if you will); 3) Android’s security model (think patches from the sky) rhymes with Microsoft’s; 4) Google Play has given Google more control over security; 5) The Android security report is partly aimed at the enterprise; 6) The influx of PHAs now requires daily scanning; and 7)Cloud and machine learning give Google an edge in security [ZDNet and at: PC World, 9to5Google, Engadget and CNET]

Law Enforcement

UK – Amazon Partnership With British Police Alarms Privacy Advocates

Police in northwest England have rolled out a program to broadcast crime updates, photos of wanted and missing people, and safety notifications to Amazon Echo owners. Since February, the free app has been available to those using Alexa, a cloud-based voice assistant hooked up to the Echo smart speaker. The first of its kind in the U.K., the program was developed by the police force’s innovations manager in a partnership with Amazon developers. The next iteration of the pilot program, expected to launch by year’s end, will allow users to report crimes directly to their smart speakers. After that Alexa might be used not just by civilians, but internally by officers for briefings and important information. Given the sensitive nature of crime reporting, civil liberties experts wonder whether storing reports with a third party like Amazon might pose an obstacle to citizens hoping to report crimes anonymously. Another major concern is cybersecurity. [The Intercept]


US – MoviePass CEO Misspoke on Company’s Location-Tracking Efforts

MoviePass CEO Mitch Lowe now says he misspoke when he described the ways his company is tracking users during the Entertainment Finance Forum on March 2. Lowe stressed that in the future, customers will have the ability to opt in to the company’s location-based marketing offers and said, “I said something completely inaccurate as far as what we are doing,” adding, “We only locate customers when they use the app.” According to Lowe, the MoviePass app only uses location data on two occasions: when customers are checking for movie theaters in their area and again to verify when a customer checks in to a theater. [Variety]

Online Privacy

WW – Anti-Tracking Browser Extension Now Open-Sourced

Ghostery, a browser extension that blocks online tracking software, announced it is now an open-source software. Ghostery Director of Product Jeremy Tillman said, “As a privacy product, especially one designed to give users a look behind the scenes at what data companies are collecting and doing with it, we thought it was important to give our users a look under the hood.” Tillman added that by becoming open-sourced, it will be easier to incorporate contributions and evolve the product. Currently, Ghostery is free to use in exchange for user data used in its business product. [CNET]

Privacy (US)

US – FTC Recommends Security-Only Updates for Mobile Devices

The FTC has issued a report regarding mobile device security update practices, with information obtained from special reports submitted by: Apple; Blackberry; Google; HTC; LG; Microsoft; Motorola; and Samsung. Patching vulnerabilities in security-only releases fast-tracks security updates by disentangling them from larger functionality upgrades; manufacturers should disclose minimum guaranteed security support periods and update frequency (e.g., notify device owners when security support is about to end so they can make decisions about post-support use). [FTC Report February 2018 – Mobile Security Updates Understanding the Issues]

US – Sears Achieves First-Ever Modification to FTC Privacy Consent Order

The FTC has approved the first-ever petition to reopen and modify a privacy-related consent order. The petition, filed by Sears Holdings Management Corporation, sought to amend the terms of Sears’ 2009 consent order, which settled allegations that Sears did not adequately disclose the extent to which desktop software it distributed collected information from consumers. After reviewing Sears’ petition and public comments, the Commission agreed with Sears that, as a result of changes in the mobile application marketplace, the Order’s requirements as applied to Sears’ mobile apps were “burdensome and counterproductive, both for consumers and Sears.” The decision offers important guidance on how the FTC views the mobile application marketplace and consumer expectations of data privacy in that rapidly-evolving space. Even more importantly, as the first of its kind, it shows that the FTC is willing to modify data privacy orders. [HLDA]


WW – PWC Highlights Privacy Insights from Security Survey

PwC released a report detailing privacy insights stemming from their Global State of Information Security Survey 2018. Of the 9,500 executives interviewed around the world, 87% said they are investing in cybersecurity to build trust with customers, and while 81% said they will place an emphasis on transparency in regards to data use, only 44% said they will do so to a large extent. The report offered next steps global business leaders can take to shore up their privacy efforts, including prioritizing data use governance, engaging the board of directors, and viewing the EU General Data Protection Regulation as an opportunity to align themselves for future success. [PWC]

US – Interpreting the SEC’s Latest Guidance on Data Breach Disclosure

On the heels of several headline-grabbing data breaches – and greater emphasis on the importance of disclosure in the lead-up to the May 25 General Data Protection Regulation (GDPR) deadline – the US Securities and Exchange Commission (SEC) recently issued a statement that puts more responsibility on executives for data breaches. This updated guidance [PDF here] calls for public companies to provide investors with more information on all cybersecurity incidents – even just the existence of potential risks – with minimal delay. The statement goes a step farther in attempting to thwart the potential for the exchange of “insider” information, which was a major concern on the heels of the record-shattering Equifax data breach. Specifically, corporate officers, directors and “other corporate insiders” are prohibited from trading shares if they have knowledge of any unpublicized security incident within the company. [Dark Reading and at: The SEC says companies must disclose more information about cybersecurity risks

CA – Employees Confused About Cybersecurity Responsibilities

A new survey of 1,505 Canadians on workplace security found employees are confused as to who is responsible in the workplace for protecting company information. The shows Canadians are split on who should safeguard the security of corporate data. 40% of employees believe they bear zero responsibility for securing information, pointing to the need for a more comprehensive strategy that makes security everyone’s business. The findings show that companies are increasingly vulnerable to breaches from unsafe practices. Six-in-10 employees have accessed personal or work data using public WIFI networks, which may be unsecure, and half have been the victim of a phishing email or online virus. One in three employees are not fully aware of security protocol. So, what can be done from an organizational perspective? The report proposes three guiding principles that can be applied to all workplace security practices. [Toronto Star]


UK – Surveillance Camera Commissioner Calls for New Safeguards

Surveillance Camera Commissioner Tony Porter called on politicians to implement new rules to ensure that surveillance technologies are not abused. In an address to the ANPR Conference, Porter said there is a growing appetite for the “use of increasingly intrusive technologies integrated with surveillance camera systems in society”. He asserted that he has been lobbying government ministers, council members, law enforcement officials and privacy advocates to explore ways these systems can be better regulated. “The public interest which demands clear legislation, transparency in governance and approach and a coherent and effective regulatory framework in which they can have confidence,” he said. Just over a year ago, Porter launched the National Surveillance Camera Strategy [Exec Sum] which outlined ways in which the government and organisations should use surveillance technology. “I engaged with a broad spectrum of stakeholders including police, public and privacy campaigners to better understand the divergence of opinion around its use,” he said. The Commissioner revealed that he has come across many people who are concerned about the lack of regulations that ensure this technology is used responsibly. [Computing]

US Government Programs

US – ACLU Hits TSA With FoI Suit Over E-Device Searches

The ACLU Foundation of Northern California filed a lawsuit against the TSA [PR] demanding that the government disclose its policies for searching the computers and cellphones of domestic travelers, arguing that anecdotal accounts have raised concerns about potential privacy invasions. “We’ve received reports of passengers on purely domestic flights having their phones and laptops searched, and the takeaway is that TSA has been taking these items from people without providing any reason why,” the staff attorney said. “The search of an electronic device has the potential to be highly invasive and cover the most personal details about a person.” A TSA spokesman declined to comment on the lawsuit but said: “TSA does not search the contents of electronic devices.” [The Guardian] and at: ACLU of NC Blog, Law360 and engadget



6-12 March 2018

Big Data / Data Analytics /Artificial Intelligence

WW – Is Artificial Intelligence the Ultimate Test for Privacy?

Artificial intelligence is emerging as the new testing ground for privacy. 21st century artificial intelligence relies on machine learning, and machine learning relies on data. Artificial intelligence is essentially about problem solving and for that we need data, as much data as possible. Against this background, data privacy and cybersecurity legal frameworks around the world are attempting to shape the use of that data in a way that achieves the best of all worlds: progress and protection for individuals. Is that realistically achievable?  Ironically, assessing the impact of technology on our privacy and identifying the right safeguards may end up being more accurately done by machines in the not too distant future. Until then, our principal job will be to embed privacy and cybersecurity practices in the development of artificial intelligence involving personal data. This is not a machine v. human battle. It is a defining moment which requires a sense of responsibility and a long-term view. Future generations will thank us if the way in which we develop artificial intelligence today looks at the true value it can deliver while respecting data protection principles. [HLDA Data Protection]


CA – Parliamentary Committee Gives Privacy Commissioner Enforcement Powers

The federal Privacy Commissioner would have the power to make orders and impose fines for companies not complying with PIPEDA if the government approves suggested changes to the law recommended by a Parliamentary committee. The change is one of a number unanimously proposed by the Standing Committee on Access to Information, Privacy and Ethics [see PR here and Report here or 108 pg PDF here]. Some of the proposed changes could mean big changes in corporate privacy and marketing policies. The recommendation doesn’t say what order powers or how high the fines the Privacy Commissioner should be given. Some of the recommendations, if approved, could also bring PIPEDA closer to complying with Europe’s new privacy law, the General Data Protection Regulation (GDPR), which comes into effect May 25. Under the EU’s current privacy regime, PIPEDA – which companies here have to follow unless provincial legislation applies – has adequacy status. Privacy experts have worried that after May 25, when the GDPR comes into effect, PIPEDA would automatically not be seen as adequate with GDPR.  The committee made other recommendations to Parliament that if passed will affect corporate privacy and marketing strategies. They include:

  • ensuring that consent remains the core element of the privacy regime, while enhancing and clarifying it by additional means, when possible or necessary;
  • amending PIPEDA to explicitly provide for opt-in consent as the default for any use of personal information for secondary purposes, with a view to also implementing a default opt-in system regardless of purpose;
  • amending PIPEDA to replace the term “fraud” with “financial crime” (and propose a definition for that term);
  • amending PIPEDA to provide for a right to data portability, which would give a person the right to transfer their personal data from one company to another. This right is one of the essential elements of the GDPR;
  • considering implementing measures to improve the transparency of algorithms, such as used in machine learning and artificial intelligence applications;
  • study the issue of the ability of people to revoke the consent they’ve given to a company for use of personal data in order to clarify the form of revocation required and its legal and practical implications;
  • modernizing the Regulations Specifying Publicly Available Information in order to take into account situations where individuals post personal information on a public website and in order to make the Regulations technology-neutral;
  • considering amending PIPEDA in order to clarify the terms under which personal information can be used to satisfy legitimate business interests;
  • examining the best ways of protecting depersonalized data;
  • considering implementing specific rules of consent for minors, as well as regulations governing the collection, use and disclosure of minors’ personal information. This is also linked to the issue of the right to ask sites like search engines to de-index links to certain pages (see below). One issue, Lawford said, is that young people’s ability to make an informed decision on consenting to allow their personal information to be used by a company is limited. The Canadian Marketing Association already has a rule that sites shouldn’t market to people under 16, he pointed out;
  • considering including in PIPEDA a framework for a right to erasure based on the model developed by the European Union that would, at a minimum, include a right for young people to have information posted online, either by themselves or through an organization, taken down;
  • considering including a framework for the right to de-indexing web links to Internet stories in PIPEDA, and that this right be expressly recognized in the case of personal information posted online by individuals when they were minors. The issue of de-indexing links for searches on request has been raised by people who have been involved in criminal convictions or divorces years ago and want these events placed lowered in searches for their names;
  • consider amending PIPEDA to strengthen and clarify organizations’ obligations with respect to the destruction of personal information;
  • determine what, if any, changes to PIPEDA will be required in order to maintain its adequacy status under the GDPR; and, if it is determined that the changes required to maintain adequacy status are not in the Canadian interest, create mechanisms to allow for the seamless transfer of data between Canada and the EU;
  • work with the provinces and territories to make sure that all relevant jurisdictions are aware of what would be required for adequacy status to be granted by the EU.

Under the EU’s current privacy regime, PIPEDA — which companies here have to follow unless provincial legislation applies — has adequacy status. Privacy experts have worried that after May 25, when the GDPR comes into effect, PIPEDA would automatically not be seen as adequate with GDPR. [ITWorld see also: The Globe and Mail, Denton’s and BetaKit]

CA – Saskatchewan Agency Unlawfully Disclosed PI

The Saskatchewan OIPC investigated a complaint that the Workers’ Compensation Board disclosed of personal information, in violation of the Freedom of Information and Protection of Privacy Act. The agency was not authorized to disclose to an employee an individual’s home address, family status, opinion about the agency’s support of employees, or status with the agency; the information was not required to investigate the individual’s harassment claim against the employee, and no conditions were placed on the employee to prohibit any further disclosures. [OIPC SK – Investigation Report 266-2017 – Saskatchewan Workers Compensation Board]

CA – B.C. Seeks Public Input on Updating FOI Legislation

The BC government has launched a new public engagement website to give residents a chance to provide input on how Freedom of Information (FOI) requests and privacy protection in the province operate. The Freedom of Information and Protection of Privacy Act (FOIPPA) [see text here & IPC overview here] covers approximately 2,900 public bodies in British Columbia. The public is being asked to participate in online discussions and provide written feedback on topics related to privacy and access to information, including what records should be released without an FOI request; timelines for responding to access requests; fees that can be charged; and what should happen when privacy is breached. According to Minister of Citizens’ Services, Jinny Sims, “The engagement website will be updated regularly, so be sure to keep checking back for new topics and new opportunities to submit your thoughts.” British Columbians will be able to participate until the engagement closes on April 9. [Lawyer’s Daily See also: British Columbians are more FOI-hungry than all other Western provinces combined ]

CA – Ontario Passes Law Overhauling Policing Rules in the Province

Bill 175, dubbed the Safer Ontario Act, passed in the legislature Thursday and offers the first updates to the Police Services Act in more than 25 years. Many of the changes stem from Appeal Court Justice Michael Tulloch’s report on police oversight, which made 129 recommendations aimed at increasing transparency and accountability for the province’s forces and the three bodies that oversee their conduct. The new bill requires the Special Investigations Unit or SIU, one of Ontario’s three police oversight agencies, to report publicly on all of its investigations and release the names of officers charged. The three agencies – the SIU, the Office of the Independent Police Review Director (OIPRD) and the Ontario Civilian Police Commission (OCPC) – will also get expanded mandates. The OIPRD will be renamed the Ontario Policing Complaints Agency and investigate all public complaints against police officers. The OCPC will be renamed the Ontario Policing Discipline Tribunal, dedicated solely to adjudicating police disciplinary matters, so that such matters are no longer handled internally. An Inspector General will be established to oversee police services, with the power to investigate and audit them, and Ontario’s ombudsman will be able to investigate complaints against the police oversight bodies. As well, the SIU will have expanded powers to investigate both current and former officers, volunteer members of police services, special constables, off-duty officers and members of First Nations police services. Police officers who don’t comply with such investigations could be fined up to $50,000 and/or be sent to jail for up to one year, a departure from current rules that do not force officers to co-operate with an investigation. [CTV News See also: Toronto Sun, Canada NewsWire and Orangeville Banner]

CA – Policies and Procedures Lacking in Yukon Government

The Yukon’s Executive Council Office audited the government’s privacy management policy, pursuant to the Access to Information and Protection of Privacy Act. None of the 12 departments audited have completed data mapping to identify the PI in their custody and control, purpose for collection, use and disclosure, or the sensitivity of data they process; a comprehensive set of policies and procedures relating to the purpose and authority of processing were also lacking. [Privacy Management Policy – Compliance Audit Final Report – Yukon Executive Council Office]


CA – Majority of Canadians Still Worried About Identity Theft: Poll

The Chartered Professional Accountants of Canada’s annual fraud survey [see PR here], found 71% of Canadians are concerned about identity theft, up from 66 per cent last year [see here]. 68% of those surveyed believe electronic payment methods, such as tapping debit and credit cards or using smartphone apps, make it easier for thieves to commit fraud. And most surveyed think businesses are still vulnerable to cyber attacks. Still, despite those fears, the survey suggests half of Canadians are comfortable making online purchases. The CPA fraud survey of 1,000 Canadian adults was conducted by Nielsen, a market research company, between Feb. 7 and 18, 2018. [Vancouver Sun see also: Canadian Underwriter, Insurance and Investment Journal and IT World Canada]

UK – Study Finds Growing Privacy Concerns Among UK Consumers

A recent ForgeRock survey suggests U.K. consumers share a growing concern for how widely their personal information has been shared and how it may be used by businesses. The survey of 2,000 U.K. consumers found that 63% believed organizations holding their data should be responsible for protecting it, and 58% said they would cut ties with an organization if it was discovered to have shared their personal information without consent. Furthermore, the survey found that 64% of those surveyed had either never heard of the EU General Data Protection Regulation or knew nothing about it. Eve Maler, vice president of innovation and emerging technology in ForgeRock’s office of the CTO, said, “Organisations need to take notice of these concerns and focus on building trust and brand loyalty by giving consumers greater visibility and control over how their data is being collected, managed and shared.” [ComputerWeekly | More than half of UK consumers will share personal data for reward points]

CA – Digital tool for Landlords Measures Potential Tenants’ Kindness, Cleanliness

Victoria-based tech startup Certn [here] is helping landlords and property managers leverage the power of big data and artificial intelligence to weed out potentially undesirable tenants before handing over the keys. It combs through more than 100,000 online data points, everything from social media posts to criminal convictions to eviction notices, in order to build a risk profile for each consenting applicant. The company even offers behavioral analysis questionnaires to gauge things like ethics, honesty, intelligence, attitudes and beliefs. Digital tenant screening solutions like those on offer from Certn, and its Canadian competitor Naborly, can be powerful tools for landlords in saturated rental markets like Victoria, Vancouver and Toronto. But using companies that scour the internet to build a comprehensive history of applicants, complete with numerical rankings for character and personality traits, raisequestions. “It’s very hard to see how information that is disclosed on Facebook, Instagram or Twitter would be related to a tenant suitability decision,” said Acting Deputy B.C. Privacy Commissioner Bradley Weldon. “If you are collecting more information than is necessary, which would almost certainly include information that is in a social media platform . . . then you are likely in contravention of PIPPA [here].” [CTV News See also: Probe launched into B.C. landlords’ demands for sensitive information | Privacy commissioner to query whether landlords violate prospective tenant privacy | ‘It feels like a jail’: Surrey renters revolt over ‘heavy-handed’ strata fines, surveillance | Get ready to give up your online privacy to score the perfect rental | Report landlords who break privacy rules, urges BC agency | Company scraps ‘bad tenant list’ after privacy commissioner upholds complaint


EU – Germany Government Computers Infiltrated, Data Stolen

Germany’s government computer networks have been targeted in a cyber attack. The intruders were first detected in December 2017. They were able to steal information and may have been exfiltrating data for as long as a year before they were detected. Reports suggest that the attacks may be the work for a hacking group known as Fancy Bear or APT28. [www.theregister.co.uk | www.zdnet.com | www.reuters.com]

US – DHS Disputes Report Russia Compromised Voting Systems

The US Department of Homeland Security (DHS) is refuting claims that Russia breached voter sites and registration systems in seven US states prior to the November 2016 presidential election. The news report cited unnamed US officials as saying that there was evidence that the systems had been compromised but that the states were not informed. Alaska’s top election official Josie Bahnke said that according to information she received from DJS, Russian scanned a public elections website but got no further. www.nbcnews.com | www.govtech.com: | thehill.com]

Electronic Records

CA – Alberta Physicians’ EHR Access Lawful: Court

The Alberta Court reviewed a decision of the Alberta OIPC, finding Drs. Gowrishankar and Pinsk violated the Health Information Act. The Court quashed a OIPC decision that two physicians were not authorized to access a child’s medical records in a hospital database; the access was to respond to a complaint by the child’s mother about medical treatment received from the physicians, and the mother signed a consent form (as part of the complaint process) allowing the hospital to obtain relevant medical records. [Drs. Gowrishankar and Pinsk and AB Health Services v. JK_LK and OIPC AB – 2018 ABQB 70 CanLII – Court of Queens Bench of Alberta]

EU Developments

EU – WP29 Clarifies Automated Decision-Making

The provision on automated decision-making should be interpreted as a prohibition, not a right to be invoked; however, this prohibition only applies in specific circumstances when a decision based solely on automated processing (including profiling) has a legal effect on or similarly significantly affects someone (e.g. eligibility for credit or access to health services), and even in these cases may be subject to an exception (e.g. performance of a contract). [ Article 29 Working Party – Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 – Working Paper 251 rev. 01 ]

EU – WP29 Requires Clarifications for Cloud Providers

The Article 29 Data Protection Working Party provided an opinion on the Code of Conduct for Cloud Infrastructure Service Providers. It should be made clear where the GDPR is cited and when it is interpreted in the Code, and focus should be put on the security measures providers offer, rather than stressing what it is not responsible for; providers are required to inform the customer of any intended changes in service (such as using a subprocessor in a third country), providing customers with an opportunity to object to such changes. [Article 29 WP – Letter to Cloud Infrastructure Service Providers]

EU – WP29 brings Binding Corporate Rules in Line with the GDPR

On February 6, 2018, the Article 29 Working Party adopted updated guidelines on Binding Corporate Rules (“BCRs“) [WP256 for Controllers | WP257 for Processors, which replace the previous WP29 working documents 153 and 195 on BCRs and Processor BCRs. BCRs are one of the permitted data export solutions under European data protection law, allowing members of a corporate group that have committed to a binding and approved set of data protection rules to transfer personal data within their organization (including from inside the European Economic Area to outside of it). In contrast to the Directive, the General Data Protection Regulation [see text here] incorporates BCRs into legislation and sets out at Article 47 [see here] various conditions that must be met when relying on BCRs. The updates draw attention to the following elements: 1) Right to lodge a complaint; 2) Transparency; 3) Scope of Application; 4) Data Protection Principles; 5) Accountability; 6) Third Country Legislation; 7) Third Party Beneficiary Rights; and 8) Service Agreement. [Data Protection Report and at: Technology Law Dispatch and William Fry Blog]

US – Reaction to Article 29 WP Consent Requirements

The Centre for Information Policy Leadership recommendations on the Article 29 Working Party’s guidelines on consent under the GDPR. A think tank notes that the concepts of freely given consent and genuine choice are not a one-size-fits-all approach, and the elements of consent should be assessed taking into account the nature, scope, context and purpose of the processing; old consents should only be refreshed under the GDPR where they were conditional on processing not necessary for the performance of a contract or do not meet requirements for consent of a child for information society services. [Comments on the WP29 Guidelines on Consent – CIPL]

EU – Insights on the Data Protection Commissioner’s Annual Report for 2017

The Data Protection Commissioner (DPC) has published her Annual Report for 2017 [76 pg PDF], which discusses the key activities and challenges of her office last year, as well as her priorities for the coming year. The DPC spent much of 2017 raising awareness of the GDPR. She continued to engage with organisations in regard to their data protection law compliance, carrying out over 200 consultations and 100 face-to-face meetings in which preparation for the GDPR was a constant feature. The DPC dealt with a record number of complaints (2,642), most of which were resolved amicably. She was also busy on the litigation front, particularly in regard to court proceedings concerning the validity of the EU Standard Contractual clauses as a legal mechanism to transfer personal data out of the EEA. [In this post we review]: 1) Litigation & Data Transfers; 2) Proactive Engagement with the Financial Sector; 3) Other Engagement Activities; 4) Consultation Queries; 5) Complaints & Prosecutions; 6) Investigations & Audits/ Inspections; 7) Breach Notifications; and 8) The Year Ahead …The DPC, like other stakeholders, is eagerly awaiting the finalisation and enactment of the Irish Data Protection Bill 2018 [read bill 132 pg PDF here & review here], which is currently before the Oireachtas. That legislation will give further effect to the GDPR in areas where national derogations are permitted, and will transpose the Law Enforcement Directive into Irish law, as well as further underpinning the structures, functions and powers of the DPC. The Irish Government has committed to finalising the Bill by 25 May 2018, when the GDPR comes into force. [Ireland IP]

UK – Data Watchdog Draws Up Plans for ‘Data Protection by Design’

The Information Commissioner’s Office (ICO) plans to create a “regulatory sandbox” as part of its first ever technology strategy to help organisations build adequate data protection into their products before they are released. The scheme forms part of the UK data watchdog’s wider Technology Strategy, announced last week, which outlines eight priorities for the regulator between now and 2021, including educating both businesses and the public on emerging technologies such as AI and big data. The sandbox provides a means for organisations to test products and services they produce against the regulatory requirements enforced by the EU’s incoming General Data Protection Regulation. The ICO hopes this will allow for “data protection by design”, where adequate safeguards can be baked into a product as it’s being created. As part of this initiative, the ICO will create a two-year postdoctoral role looking at the effect of AI on data privacy. It will also establish an annual ICO conference on Data Protection and Technology to help showcase industry innovations, and a “panel of forensic investigators” that will support current regulatory investigations. [ICO Blog – additional coverage at: The Register and Out-Law]

UK – Denham Named Most Influential Individual in Data-Driven Business

U.K. Information Commissioner Elizabeth Denham has been given the top spot of the DataIQ 100. For the fifth year in a row, DataIQ has been releasing their list of the top 100 influencers in data-driven business. Denham lands the highest spot on the list recognizing individuals who show leadership and engagement with the data and analytics industry. “My role allows me to engage with progressive companies and public bodies looking to adopt privacy by design solutions. I am struck by entrepreneurial development of products which minimise the amount of personal data processed and which maximise the control people have over their data,” Denham said. “I am honoured to work with 500 staff dedicated to innovative regulation and excellent public service.” [ICO.uk.org]

UK – New Fee Charging Structure to Fund the UK ICO

The UK Government has announced a new three-tier charging structure for data controllers to ensure the continued funding of the Information Commissioner’s Office (ICO) to come into effect on 25 May 2018 to coincide with the GDPR coming into force. Currently, organisations that are controllers of personal data are legally required to register details of their processing activities with the ICO and pay a notification fee of £35 or £500, unless they are exempt. The [new] three-tier fee structure is as follows: Tier 1) Micro organisations Fee: £40; Tier 2) Small or medium organisations Fee: £60; and Tier 3) Large organisations Fee: £2,900 Generally, organisations that are controllers of personal data are required to pay the notification fee. However, there are exemptions [but] even if there is an exemption to paying a fee, there is still a need to comply with other data protection obligations. [HLDA Data Protection see also: Security & Privacy // Bytes Blog (Squire)]


CA – Split Tax Information Sharing Plan from Budget Bill, Says Critic

A controversial proposal to give the Canadian government more powers to share confidential tax return information with police in foreign countries should be broken out of the budget [see here & 369 pg PDF here] and tabled separately in the House of Commons, said Conservative revenue critic Pat Kelly. “We should have an opportunity to debate it separately and at committee hear testimony from the privacy commissioner,” Kelly said. “It’s not budgetary. There are significant privacy issues that really should be debated and I’m not prepared to take a position on whether or not this expansion of their information-sharing regime is appropriate or not until that debate and discussion and details are provided.” Michael Bryant of the Canadian Civil Liberties Association said …”The big concern is that Canada would be unwittingly participating in a star chamber investigation and prosecution of somebody in another jurisdiction,” he said, “or that Canadians would in essence be thrown under the bus and information would be shared with other jurisdictions that don’t have our due process and constitutional protections.” [Kelly said] …”privacy is a major, major concern and it’s not clear whether a privacy impact assessment has taken place.” Tobi Cohen, spokeswoman for Privacy Commissioner Daniel Therrien’s office, said the office has not yet received a privacy impact assessment (PIA) from the government for the measures included in the budget. Cohen said the privacy commissioner’s office will wait to see the details of the measures in legislation before it comments further. [CBC | Commissioner provides comments and recommendations for the review of the Proceeds of Crime and Terrorist Financing Act | Canadians’ confidential tax info to be shared with police in other countries ]


CA – P.E.I. Urged to Extend Freedom of Information Legislation to Include UPEI

Post-secondary institutions in P.E.I. have skirted accountability far too long, says the UPEI faculty president. Nola Etkin is urging the government to extend the province’s Freedom of Information and Protection of Privacy (FOIPP) legislation to include the Island’s lone university. “UPEI is the only Canadian university that doesn’t fall under FOIPP legislation and Islanders should have the same rights to that information that all other Canadians take for granted,’’ she says. With the provincial FOIPP legislation currently under review [see here], the UPEI Student Union, the UPEI Faculty Association, and CUPE 1870 are calling on the province to add post-secondary institutions to the list of public bodies included under the FOIPP Act. [The Guardian see also: CBC News and P.E.I.’s FOIPP review: Where the key players stand on releasing information to you ]

CA – Ontario Town’s Disclosure an Invasion of Privacy

The IPC Ontario addressed a complaint against the Town of South Bruce Peninsula involving disclosure of litigation records, under the Municipal Freedom of Information and Protection of Privacy Act. The town was under the wrong impression that records of an individual’s name, the amount of the court costs awarded against him, and the fact that these have been paid are not “personal information”; the fact that the information relates to the entity as well does not mean that it cannot also consist of personal information. [IPC ON – privacy Complaint Report MC15-41 – Town of South Bruce Peninsula]

NZ – NZ Privacy Commissioner Introduces Subject Access Request Tool

New Zealand’s Office of the Privacy Commissioner has created AboutMe, a new tool to help individuals request their personal data from organizations in New Zealand. Under the Privacy Act, individuals will have the right to request that their personal data be disclosed. To consumers, the commission states, “If your request deals with highly personal or very sensitive information, we suggest you call or write to the organisation directly, rather than using this tool to email it.” [Privacy.org.nz]

Health / Medical

WW – Insider Threat Seriously Undermining Healthcare Cybersecurity

The healthcare industry’s ability to defend against cyberthreats is being seriously undermined by its own workforce, according to two separate reports released last week. In an analysis of 1,368 security incidents at healthcare organizations in 27 countries, Verizon found that nearly six out of 10 (58%) security incidents involve insiders. That figure, according to Verizon, makes healthcare the only sector where internal actors pose the biggest threat to an organization’s cybersecurity posture than external actors. In an Accenture report [see blog post here] based on a survey of 912 healthcare employees in the US and Canada, some 18% of the respondents — or nearly 1 in 5 — professed their willingness to sell confidential data to unauthorized thirds parties for as little as between $500 and $1,000. Among the malicious activity they were willing to perform: sell login credentials, download data to portable drives, and install tracking software on business systems. 24% actually know someone in their organization who had sold their access credentials to an unauthorized third-party. The willingness to sell confidential data was more pronounced among respondents from provider organizations (21%), compared to those in payer organizations (12%) The Verizon and Accenture reports are among several new reports that paint an especially bleak picture of healthcare cybersecurity against the backdrop of the Healthcare Information and Management Systems Society’s (HIMSS) conference in Las Vegas this week. US organizations in particular appear to be struggling more with security issues than counterparts in other regions of the world. [Dark Reading and at: Health IT Security, Healthcare Informatics, Fortune and Becker’s Hospital Review]

Horror Stories

US – Equifax Hack Could Cost ‘Well Over $600M’

Equifax’s massive 2017 data breach could turn out to be the most costly in corporate history. Equifax disclosed that it expects to incur another $275 million this year in costs related to the hack, bringing the total to $439 million through the end of 2018. Larry Ponemon, chairman of Ponemon Institute [here] said total costs could be “well over $600 million,” including costs to resolve government investigations into the incident and civil lawsuits against the firm. [CFO Additional coverage at: Reuters | Equifax says consumer bureau still probing hack despite report it eased off]

CA – Uber to Inform Canadians Affected by Data Breach

Uber will inform all Canadians whose personal data may have been compromised in a 2016 breach after Alberta’s privacy commissioner ruled it must notify impacted drivers and riders in the province. In a decision dated Feb. 28, the commissioner ruled that there is a real risk of significant harm to the affected individuals as a result of an Oct. 2016 breach that saw the theft of information — including names, email addresses and mobile numbers — from some 57 million accounts globally. The personal information of drivers, such as their driver’s license numbers, could be used for identity theft or fraud, wrote Jill Clayton, information and privacy commissioner. “These are significant harms,” she wrote. While Uber disagrees with the ruling, it will comply, said a spokesman. [The Canadian Press]

Law Enforcement

CA – Toronto Police Used IMSI Catchers to Identify Threat Against Mayor

City of Toronto Mayor John Tory told reporters at March 6th, 2018 press conference that he was made aware of TPS [Toronto Police Services] using IMSI catchers [see wiki here] last year. TPS used IMSI mobile phone trackers last year in order to identify an individual making threats against Tory Tory’s acknowledgement that he knew about TPS using cellphone trackers came mere days after the Toronto Star reported that it was able to obtain documents stating that TPS used IMSI catchers in five separate investigations since 2010 — even after the force claimed to not use the technology or even have access to it. An Office of the Privacy Commissioner of Canada (OPC) report [see here] also revealed that the RCMP used IMSI catchers without “exigent circumstances” six times out of 126 instances of surveillance. [MobileSyrup | Two years after they said they didn’t, Toronto police admit they use Stingray cellphone snooping device | Star editorial: Ontario: Time to crack down on ‘stingrays’ | How the Star finally learned Toronto police used cellphone data-catching devices]


US – MoviePass CEO Discloses Location Tracking Efforts

Speaking at the Entertainment Finance Forum, MoviePass CEO Mitch Lowe described the ways his company is tracking users. “We get an enormous amount of information,” Lowe said. “We watch how you drive from home to the movies. We watch where you go afterward.” The MoviePass privacy policy, however, only refers to tracking locations when selecting a theater in order to help customize the service. A MoviePass representative said in a statement the company does not sell any of the data it collects but intends to use the information to offer personalized advertisements. [TechCrunch]

WW – Transcription App’s Privacy Policy Found To Be Faulty

Privacy issues have been identified in new transcription app Otter. The app allows users to record and transcribe meetings in real time using artificial intelligence. While the app claims only the user has access to the data, Otter’s privacy policy does not state that data will not be used for any purpose. After ZDNet published their original story, Otter changed its privacy policy and removed several sections, including a segment on granting the company the rights to access and use data. An Otter spokesperson said only their CTO has access to any information and will allow access only for legitimate user requests. [ZDNet]

US – Location-Based Advertising Expected to Expand

The potential increase in mobile app access and profit from available user location data. When a user shares location data with an app, the user often inadvertently allows the app to sell the data to data vendors. While personal data is often fragmented in such instances, the article states that as the ability to track users expands, so too does the possibility of exposing user location data. While advertisers spent $16 billion on location-targeted ads for mobile devices in 2017, research from BIA/Kelsey estimates that firms will increase spending to $32.4 billion by 2021. [Wall Street Journal]


WW – New Series Highlights Privacy in Marginalized Communities

The International Journal of Communication announced the release of a new section, designed to highlight privacy in marginalized communities. In the series, “Privacy at the Margins,” 10 international scholars challenge the basic assumptions underlying privacy and shine a light on new considerations for researchers. Editors Alice Marwick, faculty adviser to the Media Manipulation Initiative at the Data & Society Research Institute, and danah boyd, principal researcher at Microsoft Research and founder and president of Data & Society Research Institute, write, “Although privacy and surveillance affect different populations in disparate ways, they are often treated as monolithic concepts by journalists, privacy advocates, and researchers. Achieving privacy is especially difficult for those who are marginalized in other areas of life. This special section interrogates what privacy looks like at the margins, investigating a broad spectrum of issues, methodologies, and contexts.” [Source]

Online Privacy

US – FTC Recognizes Lower Notice Requirements for “Consumer-Expected” Data Collection

Last week, the FTC granted a petition by Sears Holding Management seeking modification of a 2009 Commission Order. The notable 2009 Order settled allegations that Sears had improperly failed to provide notice regarding data collection by certain software the company offered to consumers. Sears argued that the 2009 Order placed it at a “competitive disadvantage” in the mobile application marketplace. The now-modified Order enables Sears to conduct certain “consumer-expected” forms of data collection and use without requiring heightened notice or consent under the 2009 Order. The Order may hold broader significance for companies which collect information via mobile applications and other platforms. The modified Order clarifies that the Commission generally does not expect heightened notice regarding data use relating to application functionality “in performing a service the consumer expects.” However, in its opinion granting Sears’ petition, the Commission distinguishes such application functionality from other forms of data use, such as “passive tracking, cross-application tracking, or third-party tracking.” For these activities, and for the “collection and use of sensitive information,” the Commission appears to favor heightened forms of consumer notice and consent. [Alston Privacy]

US – FPF Releases ‘Session Replay Scripts’ Guide

The Future of Privacy Forum has released a guide on “session replay scripts“ based on research conducted at Princeton University’s Center for Information Technology Policy. The scripts are used to track visitors’ browsing sessions by monitoring keystrokes and mouse movements. The FPF guide aims to educate privacy professionals on the potential problems the scripts can cause, as improperly implemented scripts can lead to security vulnerabilities and accidental data collection. The guide offers a checklist for privacy professionals to follow when implementing the scripts and advice on vetting the tools, such as examining script providers’ terms of service and privacy policies. [FPF]

Other Jurisdictions

HK – Privacy Commissioner Urges Businesses to Use Data Ethics

Speaking at the Mobile World Congress in Barcelona, Hong Kong Privacy Commissioner Stephen Wong said data privacy policies are essential to increasing consumer trust and growing the field of big data analytics, artificial intelligence and machine learning. Wong stressed the need for data ethics and said, “While consumers disclose to data users or controllers all their sensitive data, we do expect data users or controllers not to betray consumers’ trust. Herein, accountability involves taking proactive and preventive measures to ensure privacy protection and legal compliance.” Wong also asked that attention be paid to the “the reasonable expectations, rights, interests and freedoms of the individuals concerned when processing personal data.” He added, “In this regard, I urge data users and controllers to embrace two principles: (1) no surprise to consumers and (2) no harm to consumers.” [Telecom Asia]

Privacy Enhancing Technologies (PETs)

WW – IAPP Releases 2018 Privacy Tech Vendor Report

In the last year, the privacy technology market has gone from an emerging space to a full-blown, dynamic ecosystem. While the first issue of the 2017 Privacy Tech Vendor Report contained 44 privacy tech vendors, Thursday’s newly released 2018 Privacy Tech Vendor Report includes 122 vendors and counting. In this new report, Jedidiah Bracy, CIPP, interviewed 12 privacy practitioners and consultants to get their insight into operationalizing the implementation of third-party tech vendors, from the vetting process, to acquiring budget, to negotiations, to staff training. The report also includes a new “product category matrix,” a visualization of the types of services these vendors offer. This issue also includes a new product category: the “privacy information manager.” [IAPP.org]

Internet of Things / RFID

UK – ICO Advice: 6 Reasons You Need Think About IoT Data Protection

It’s safe to say the IoT market is booming. At the same time, barely a week goes by without hearing of a connected device that has serious yet basic security flaws, leaving personal data potentially exposed to malicious third parties. As internet-enabled devices process increasing amounts of personal data, as a manufacturer or retailer how much do you really know about the rules around IoT and the way your products use personal information? Here are six points to consider as a starting point for manufacturers and retailers of IoT devices: (For manufacturers) – 1) Your devices will probably be processing personal data; 2) Privacy should be built in from the beginning if a device uses personal data; 3) Data protection and cyber security go hand in hand; 4) You want to build trust with your customers – (For retailers) 5) You have a duty to your customers; and 6) Shoddy products can ruin your reputation Looking to the future of IoT, we’re working closely with the “Department for Digital, Culture, Media and Sport” (DCMS) on their Secure by Design project. The project is focusing on improving the security of consumer internet connected devices and associated services. DCMS will be publishing a report today [see PR here & Report here] which advocates a fundamental shift in approach to moving the burden away from consumers having to secure their devices and instead ensuring that strong cyber security is built into consumer IoT products by design. Going forward, we are keen to support DCMS’s work with developing their recommendations and encourage stakeholders to provide feedback on DCMS’s draft proposals during their informal consultation. [ICO News blog at: ITPro, Electronics Weekly, Information Age and ZDNet]


AU – Study: Many Companies Don’t Change Security Policy After Cyberattack

A recent study found that 52% of Australian respondents said their organizations rarely change their security strategy, even in the wake of a cyberattack. The 2018 Vanson Bourne-CyberArk Global Advanced Threat Landscape Report surveyed a mix of 160 chief information officers and chief technology officers. In a statement, CyberArk ANZ Regional Director Matthew Brazier said, “Attackers have almost limitless freedom and agility, and are constantly evolving their tools and techniques,” adding, “Organisations, being much larger and more structured, are not able to evolve their security strategy and controls to match this pace of change.” [CSO]

Smart Cars / Cities

US – New Orleans Surveillance Program Gives Powerful Tools to a Police Department With a History of Racism and Abuse

On a street lamp in New Orleans red and blue flashing lights are fastened to an NOPD surveillance camera that, just like the lights, runs 24 hours a day. This camera is just one of an unknown number that the city installed over the past few months, part of Mayor Mitch Landrieu’s $40 million public safety plan which the American Civil Liberties Union has condemned as “surveillance on steroids.” The plan also includes new license plate readers and a controversial city ordinance that requires the installation of cameras on the outside of all bars and liquor stores. The plan has endured criticism about its high cost and the lack of evidence that surveillance programs are an effective crime prevention strategy. Still others have worried that the Big Easy’s free-wheeling spirit and eccentricity will wane under the perpetual gaze of the police. But more concerning is the public safety plan’s ambiguous purpose and the potential for abuse. It seems that the only oversight will come from the city’s Office of Homeland Security and from within the police department itself, which is currently under a federal consent decree for a myriad of violations including “a pattern of stops, searches, and arrests that violate the Fourth Amendment.”[The Intercept] See also: Detroit Police Are Playing ‘Big Brother’ at Local Businesses

CA – The Risks of Becoming a Google City

Waterfront Toronto’s eagerness to sign a deal with a Google sister company has alarmed experts who warn cities are easy prey for Big Tech and its unquenchable thirst for data. “Google isn’t going to be creating these urban innovations for the public good or the common welfare,” says Jathan Sadowski [see here], a postdoctoral research fellow in Smart Cities at the University of Sydney in Australia. “They’ll be doing things — as we should expect them to — that will benefit their own interests as a private company, as one of the most profitable, most wealthy companies in the world. Last fall Sidewalk Labs, the urban innovation firm of Google parent Alphabet Inc., won [see here] a competitive bid to be Waterfront Toronto’s “innovation and funding partner” for Quayside, a 12-acre former industrial site at Queens Quay E. and Parliament St. [What few people know is] that board members of Waterfront Toronto, a city, Ontario and federal partnership, had only four days to review the “framework agreement” before signing. Julie Di Lorenzo, chair of the agency’s investment and real estate committee — responsible for reviewing and evaluating “major development projects” — voted against the framework agreement, expressing alarm at the process’ “accelerated manner” Sidewalk Labs’ role in developing waterfront land, unlocked by the promise of $1.25-billion in government-funded flood protection, remains unclear as work continues on an agreement expected later this year that, if signed by both parties, would formalize the Quayside project dubbed “Sidewalk Toronto.” Sidewalk’s assurances that it envisions making money from licensing new technologies created in the high-tech district, rather than selling data, are not allaying fears. Micah Lasher, Sidewalk Labs’ head of policy and communications, told the Star in an email “there is no data-sharing agreement between Google and Sidewalk Labs.” Sidewalk Toronto is holding its first “public roundtable” March 20 at 6:30 p.m. [Toronto Star] See also: Cracks appear in Sidewalk Labs’ Toronto waterfront plan after fanfare | Welcome to the neighbourhood. Have you read the terms of service? | Sidewalk Labs’ Toronto waterfront tech hub must respect privacy, democracy | A Google-Related Plan Brings Futuristic Vision, Privacy Concerns To Toronto | Sidewalk Toronto promises to listen, but what it really wants is an open question | Don’t lose sight of personal privacy in futuristic city: Editorial]


US – Geek Squad’s Relationship with FBI Is Cozier than We Thought

EFF filed a Freedom of Information Act (FOIA) lawsuit last year to learn more about how the FBI uses Geek Squad employees to flag illegal material when people pay Best Buy to repair their computers. The relationship potentially circumvents computer owners’ Fourth Amendment rights. New documents [see here] released to EFF show that the relationship [between the FBI and Geek Squad] goes back years. The records also confirm that the FBI has paid Geek Squad employees as informants. The documents show that Best Buy officials have enjoyed a particularly close relationship with the agency for at least 10 years. They show that over the years of working with Geek Squad employees, FBI agents developed a process for investigating and prosecuting people who sent their devices to the Geek Squad for repairs. The documents detail a series of FBI investigations in which a Geek Squad employee would call the FBI’s Louisville field office after finding what they believed was child pornography. The FBI agent would show up, review the images or video and determine whether they believe they are illegal content. After that, they would seize the hard drive or computer and send it to another FBI field office near where the owner of the device lived. Agents at that local FBI office would then investigate further, and in some cases try to obtain a warrant to search the device. Some of these reports indicate that the FBI treated Geek Squad employees as informants, identifying them as “CHS,” which is shorthand for confidential human sources. In other cases, the FBI identifies the initial calls as coming from Best Buy employees, raising questions as to whether certain employees had different relationships with the FBI. Although these documents provide new details about the FBI’s connection to Geek Squad and its Kentucky repair facility, the FBI has withheld a number of other documents in response to our FOIA suit. Worse, the FBI has refused to confirm or deny to EFF whether it has similar relationships with other computer repair facilities or businesses, despite our FOIA specifically requesting those records. We plan to challenge the FBI’s stonewalling in court later this spring. [EFF.org and at: ZDNet, NPR, National Review, Tom’s Hardware, Fast Company and The Register and also Privacy commissioner says that just because information may be “publicly-available,” it doesn’t mean it’s automatically fair game for spy agency’s.]

US Government Programs

US – DHS Cybersecurity Audit Scores Below Target Security Levels

The Office of Inspector General evaluated the information security practices of the Department of Homeland Security and found [see 34 pg PDF here] the agency to be underperforming expected targets in three out of five areas. Unfortunately, while DHS FISMA scores were expected to be at Level Four – which the NIST Cybersecurity Framework describes as a security program that is “Managed and Measurable” but not yet “Optimized” (Level Five) – the DHS cybersecurity audit found that the agency only met those targets for two of five so-called cybersecurity functions. Of the five functions – Identify, Protect, Detect, Respond and Recover – DHS FISMA scored at Level Four in risk management (Identify) and incident response (Respond), but at Level Three in Protect – which includes configuration, identity and access management and training – Detect and Recover. [SearchSecurity See also: ZDNet, CSO Online and Infosecurity Magazine]

US Legislation

US – How Close Is an American Right-To-Be-Forgotten?

While one 2015 survey claims 88% of Americans support this so-called “right-to-be-forgotten,” the prospects of similar legislation or court decision in the U.S. are dim. The New York State Assembly has come nearest to an American version of a right-to-be-forgotten. The Bill, A05323[see here & 2 pg PDF text here], titled “An act to amend the civil rights law and the civil practice law and rules, in relation to creating the right to be forgotten act,” in large part mimics of the European Court of Justice’s decision [see 2014 “Google Spain v AEPD and Mario Costeja González” here & wiki here]. The Assembly’s government operations committee is currently reviewing the legislation for the second time. [Forbes]

Workplace Privacy

US – More Companies Using Technology to Monitor Employees, Sparking Privacy Concerns

Sensors and microchips may signal a new era of a connected workforce, but some experts say these technologies also put employees’ privacy at risk. For example, a recent patent [see here] submitted by tech giant Amazon describes an electronic wristband that could monitor employees’ tasks. Three Square Market, a tech company based in Wisconsin, started an optional microchipping program for its employees in July 2017 [see here]. UPS has sensors on its delivery trucks to track the opening and closing of doors, the engine of the vehicle, and whether a seat belt is buckled [see here]. [ABC News See also: Keeping an Eye on Employees Guidance from BC’s Office of the Information and Privacy Commissioner | European Court Proposes Criteria for Assessing Employee Monitoring Activities


26 Feb – 05 March 2018


Big Data / Artificial Intelligence

WW – Artificial Intelligence: Privacy and Legal Issues

The implementation of AI-based systems is raising a whole host of new legal issues and stimulating a robust public debate about data privacy. It is important, first and foremost, to recognize that data is the “raw material” of artificial intelligence. The greater the amount of data these AI systems have, the better the decisions become. Thus, for any company aiming at AI, the goal is to get as much data as possible in an effort to make their artificial intelligence systems as powerful as possible. There is nothing sinister about this – at least directly. But where things get dicey is when customer data is used in ways that are completely unexpected, potentially representing a threat to your private information. Legal researchers sometimes refer to this as the “Big Data Challenge.” [CPOMagazine and at: Computerworld Australia]

CA – Canadian Competition Policy Focuses in on “Big Data”

The application of competition law and policy to “big data” has become a major focus for government agencies in Canada and around the world. In recent weeks, both the Competition Bureau and the Bank of Canada have weighed in. Competition regulators around the world, from the U.S. to Japan to Germany and the European Union have also issued their own policy statements on the application of competition laws to big data. …The collection and use of personal data raises novel competition law issues. As the Canadian economy becomes increasingly digitized (as reflected by the February 15, 2018 announcement to support a Digital Technology Supercluster), resolving these issues in a coherent and consistent manner will become even more important. [Blakes see also: The Globe and Mail here & here]

WW – NIST Issues Final Guidance on Attribute Metadata

The National Institute of Standards and Technology issued a final report on attribute data. Attribute metadata is considered “trust data” that can be used in agreements, contracts and trust frameworks; parties must evaluate and understand privacy implications associated with a given use case or transaction type, and conduct risk assessments to identify potential negative impacts to privacy arising from the use of certain metadata elements. [NIST – Attribute Metadata – NISTIR 8112]

WW – Opinion: Sublime and Scary Future of Cameras With A.I. Brains

Something strange, scary and sublime is happening to cameras, and it’s going to complicate everything you knew about pictures. There’s a new generation of cameras that understand what they see. They’re eyes connected to brains, machines that no longer just see what you put in front of them, but can act on it — creating intriguing and sometimes eerie possibilities. It doesn’t take long to imagine the useful and very creepy possibilities of cameras that can decipher the world. A.I. will create a revolution in how cameras work, too. Smart cameras will let you analyze pictures with prosecutorial precision, raising the specter of a new kind of surveillance — not just by the government but by everyone around you, even your loved ones at home. [New York Times]


CA – Federal Standing Committee on Access to Information, Privacy and Ethics Issues Review of PIPEDA

The Standing Committee on Access to Information, Privacy and Ethics (Committee) issued the report Towards Privacy By Design: Review of the Personal Information Protection and Electronic Documents Act (Report). The Report makes 19 recommendations.  Some of the more notable ones:

  • Consent remain the core element of the privacy regime, but that it be enhanced and clarified by additional means, when possible or necessary.
  • The Government of Canada consider implementing measures to improve algorithmic transparency.
  • Paragraph 7(3)(d.2) of the Personal Information Protection and Electronic Documents Act be amended to replace the term “fraud” with “financial crime”  and that the definition of “financial crime” in the Act include:
    • fraud;
    • criminal activity and any predicate offence related to money laundering and terrorist financing;
    • all criminal offences committed against financial service providers, their customers or their employees;
    • the contravention of laws of foreign jurisdictions, including those relating to money laundering and terrorist financing.
  • The Government of Canada should consider including in the Personal Information Protection and Electronic Documents Act a framework for a right to erasure based on the model developed by the European Union that would, at a minimum, include a right for young people to have information posted online either by themselves or through an organization taken down.
  • The Government of Canada should consider including a framework for the right to deindexing in the Personal Information Protection and Electronic Documents Act and that this right be expressly recognized in the case of personal information posted online by individuals when they were minors.
  • PIPEDA should be amended to make privacy by design a central principle and to include the seven foundational principles of this concept, where possible.
  • PIPEDA should be amended to give the Privacy Commissioner enforcement powers, including the power to make orders and impose fines for non-compliance.
  • The Government of Canada work with its European Union counterparts to determine what would constitute adequacy status for the Personal Information Protection and Electronic Documents Act in the context of the new General Data Protection Regulation.
  • The Government of Canada determine what, if any, changes to the Personal Information Protection and Electronic Documents Act will be required in order to maintain its adequacy status under the General Data Protection Regulation; and if it is determined that the changes required to maintain adequacy status are not in the Canadian interest, the Government of Canada create mechanisms to allow for the seamless transfer of data between Canada and the European Union.
  • The Privacy Commissioner of Canada issued a statement applauding the Committee’s recommendations to enhance the Commissioner’s enforcement powers and for taking seriously the Commissioner’s concerns regarding consent and reputation.

CA – OPC: Ottawa Looking to Collect Data, ‘Blurring’ Lines on Privacy

The federal government is “blurring” lines around privacy protections as they look for new ways to collect data on Canadians, according to documents prepared for privacy commissioner Daniel Therrien and obtained under access to information law, which suggest the 35-year-old Privacy Act may be too “permissive” in how the federal government can collect and use Canadians’ personal information. Therrien’s warning was aimed at a select group of senior bureaucrats tasked with examining new ways to deliver government services using digital means, while balancing concerns around privacy and transparency. The Liberal government has committed to overhauling the Privacy Act, but has not yet begun promised public consultations on the issue. Any Canadian review of privacy laws would take place against the backdrop of sweeping new data protection rules in the European Union, which come into force later this year. [Toronto Star]

CA – Liberals Pitch $500 Million Cyber Security Plan

The National Cyber Security Strategy, announced in the Liberals’ 2018 budget, spreads the $507.7 million over five years and across multiple departments and agencies with a hand in cyber defence. The budget is light on the actual details of the strategy, but it does lay out who will get increased funding. The Communications Security Establishment will play a central role in the new strategy. The Liberals are planning to consolidate the federal government’s cyber defence expertise under one roof [“Canadian Centre for Cyber Security“] within the CSE and will be open to Canadian citizens and private businesses. CSE will receive $155.2 million over the next five years to establish and operate the centre. Under the new strategy, responsibility for investigating cyber crime will remain with the RCMP, who will receive $116 million over five years to create a new unit to coordinate those investigations. In addition to the cyber security strategy, the Liberal budget proposed $225 million over four years, beginning in 2020, to “preserve” CSE’s ability to conduct foreign electronic spying. [Toronto Star at: IT World Canada, National Observer, iPolitics, Calgary Herald and MobileSyrup]

CA – Parents, Muslim Group Welcome Budget’s $$$ for Federal No-Fly Fixes

The 2018 Federal budget sets aside $81.4 million over five years, starting in 2018–19, and $14 million a year ongoing, to remake the much-maligned no-fly program. The money will go to the Canada Border Services Agency, Public Safety and Transport Canada. Families from the group known as the No Fly List Kids successfully pressed the government to redesign the system after many nerve-racking airport delays due to children being mismatched with people on the no-fly roster. The federal money will be used to develop “a rigorous centralized screening model” as well as a redress system for legitimate air travellers caught up in the no-fly web. The revised program will help ensure that privacy and fairness concerns are addressed, while keeping Canadians safe, the budget plan says. [Winnipeg Free Press See also: Global News, CTV News and CBC News]

CA – Federal budget: Ottawa to Study Merits of ‘Open Banking’

Ottawa is going to study the merits of introducing “open banking“, which allows consumers’ financial data to be shared between banks and other financial services providers, to see if it should be introduced in Canada. In last week’s budget, the government said open banking has the potential to increase innovation and competition in the banking sector. But it also gives rise to concerns over privacy and data security, so a final decision has not been made. [Calgary Herald and at: Global News and IT World Canada]

CA – B.C Parent Raises Flags Over School District Privacy Breach

About 1,000 past and present students in the Chilliwack School District may have been affected by a privacy breach that took place between 2005 and 2015. A letter [PDF here or here] explaining the breach was published by the district on their website on Dec. 22, 2017, but the information has not come up in any recent public meetings. It happened through the district’s participation in research with a not-for-profit group called Educational and Community Supports, a program of the University of Oregon. The connection between School District 33 and Educational and Community Supports was for the use of a program called “Positive Behaviour Information System” (PBI-SWIS). Data was sent across the border for the program, and the school district paid a licensing fee for the software. In their public letter, the district states the program is used to track behavioural incidents. “PBI-SWIS was used to gather information about the type and frequency of school based behavioural interventions on an individual and aggregated basis. Only information pertaining to students receiving behaviour support or intervention was affected. We estimate that the number of students affected was approximately 1,000.” The school district has been working with the Office of the Information and Privacy Commissioner to respond to privacy concerns and say there is “no information to suggest that any of this research information was used or disclosed or any purpose other than the university research.” [Observer]

CA – Preparing for Mandatory Data Breach Reporting and Record-Keeping

In Canada, regulation of the protection of personal information for private-sector organizations is governed by either federal, PIPEDA [text here & OPC info here], or substantially similar provincial legislation — currently Alberta [here], British Columbia [here] and Quebec [here]. In June of 2015, PIPEDA saw significant amendments under the “Digital Privacy Act“, including the introduction of mandatory breach reporting and record-keeping …[which are expected to become opperational this Spring] On September 2, 2017, the Canadian government published the Breach of Security Safeguards Regulations [here] provides further details on mandatory breach reporting and record-keeping. Alberta’s “Personal Information Protection Act” (“PIPA” here) is the only piece of Canadian legislation currently requiring mandatory notification of data breaches. There are many similarities between the reporting provisions of PIPA and PIPEDA and we can look to PIPA in assessing how mandatory reporting will occur. PIPEDA will also require organizations to maintain records of every unauthorized disclosure of personal information for two years after it occurs. There is no threshold associated with this requirement, so even records relating to data breaches with no risk of significant harm must be kept. This record-keeping requirement is a significant regulatory burden on corporations, particularly smaller organizations without dedicated privacy departments. However, with potential fines of up to $100,000 under both PIPA and PIPEDA, organizations are well advised to ensure compliance with privacy requirements. The OPC may request to inspect a corporations breach records at any time [DLA Piper]

CA – OIPC AB Finds Lawful Access to Records

The Alberta OIPC investigated a complaint against the Calgary Police Service, pursuant to the Freedom of Information and Protection of Privacy Act . A credit check performed by the police service was necessary to maintain public safety and the safety of children; the individual failed to show up for scheduled court application to deal with a guardianship order relating to his children, had taken his premature infant son from the hospital (against doctor’s advice), and left the province with his children. [OIPC AB – Order F2018-05 – Calgary Police Service]

CA – Newfoundland Entity Failed to Preserve Responsive Records

This OIPC NFLD and Labrador reviews the Town of Paradise’s handling of a request for records pursuant to the Access to Information and Protection of Privacy Act. The entity’s CCTV system erased the recordings after receiving the request for images captured, they were overwritten at 14 days instead of 30 days as indicated in their policy due to having exceeded storage capacity; the organization must acquire the capacity to store the information as indicated by their policy and be able to de-identify persons recorded. [OIPC NL – Report A-2018-005 – Town of Paradise]

CA – A Strong Society Interest Protects Excess Information from Exclusion

The court reviewed Joshua and Cynthia DeSilva’s request to exclude the results of a production order issued by a Justice of the Peace and executed on the CIBC. Individuals’ privacy was infringed when police obtained information which led them to believe there were bank accounts at a certain financial institution; this information was outside the scope of the warrant but a strong societal interest in having the issue resolved allowed the evidence to be used. [Her Majesty the Queen v Joshua and Cynthia DeSilva – Ontario Court of Justice]

CA – Ontario Court: Insurer Obligated to Defend Hospital Employee in Lawsuit

The Ontario Superior Court has ruled, In the case Oliveira v. Aviva Canada Inc, that insurance company Aviva is obligated to defend a hospital employee against a privacy breach lawsuit by a former patient. An ex-patient alleged that the employee – who is not involved in providing care to the patient – breached the patient’s privacy by frequently accessing the patient’s medical records without a legitimate reason. Aviva refused to defend the employee on the basis that the alleged privacy breach did not arise from the “operations” of the hospital. The insurer also argued that the employee was not “acting under the direction of the hospital” when the individual committed the alleged privacy breach. The company added that the employee abused her position and engaged in unlawful activities unrelated to her employment by the hospital, conflicting with her employment obligations. The Superior Court rejected these arguments, saying that they would have excluded a considerable portion of the privacy breach coverage that Aviva’s insurance policy claimed to provide. [Insurance Business Magazine]

CA – Metrolinx Gave Presto Users’ Personal Info to Police 30 Times Last Year

Metrolynx provided law enforcement agencies with Presto fare card users’ personal information 30 times in 2017, complying with roughly half of the requests made by officers. In a first-of-its-kind report published last week, the regional transit agency detailed its response to all of the police applications for Presto information it received last year. The public disclosure is part of an enhanced privacy policy Metrolinx adopted in December, after the Star revealed it had been quietly sharing Presto data with police. According to the report, law enforcement agencies made 64 requests in 2017. Of those, 27 were for emergencies such as a missing person, and 33 were related to investigations into an alleged offence. Four instances were related to found wallets. Metrolinx provided information for eight of the 27 emergency requests. The agency said that often the missing person was found before it provided police with their card information. It shared data in the majority of requests related to offence investigations, or 22 out of the 33. Although Metrolinx agreed to 30 of the requests, in some cases more than one card owner was involved, and the agency says a total of 35 customers’ information was provided. At least 10 agencies asked Metrolinx for Presto data, including two from outside the province. In addition to requests made by the agency’s own transit safety officers, applications also came from forces in Durham, Edmonton, Halton, Ottawa, Peel, Port Hope, Quebec, Toronto, and York. Metrolinx didn’t comply with 34 of the 64 requests it received in 2017. The agency said one reason it would reject an application if it was too broad. [Toronto Star]

CA – New Standard for Certifying Privacy Breach Class Actions?

Judges in class action lawsuits involving privacy breaches are going to become “more accepting of the notion that you can get money for your inconvenience,” Eric Dolden, a partner with Dolden Wallace Folick LLP, said at a Cyber Risk Summit in Toronto [see here]. “If you had a psychological “sequela” secondary to an invasion of privacy, that’s going to get you over the finish line.” [A “sequela” is a condition that is the consequence of a previous condition or a disease.] In Condon v. Canada, the Federal Court of Appeal allowed claims for negligence and breach of confidence to be included as part of a class proceeding. The original Federal Court judge did not include it as part of the class action lawsuit, noting that “it is plain and obvious that the claims based on negligence and breach of confidence would fail for lack of compensable damages.” …”People whose privacy’s being infringed electronically or otherwise have a right to claim damage even if they have no actual injury,” Dolden said during the session Claims & Losses Update. “[There’s cases] where Canadian judges awarded damage where there’s no harm to the claimant, merely the fear of harm – my credit card might be used or my personal medical details might be disclosed to someone. That’s really important because that’s the bulk of claims that as defence counsel we face in Canada.” [Canadian Underwriter]

CA – N.W.T. Health Information Act too Complicated, Should Be Simplified: OIPC

Elaine Keenan Bengts [see here], the information and privacy commissioner for the N.W.T. [and Nunavut] is calling on the N.W.T. government to fix its Health Information Act [see 111 pg PDF here] because she says it’s too dense and hard to understand. Keenan Bengts said the government doesn’t have the technology to properly protect people’s health information, as outlined in the act. The act says residents should be in control of who can have access to their health records, but Keenan Bengts said the systems aren’t in place for that to happen. She said people should be able to block someone, such as an ex-partner working in health care, from accessing their health information. This isn’t the first time the privacy commissioner has chastised the department over the Health Information Act. In the six months after the act became law, the commissioner said there were seven separate privacy complaints. [CBC]

CA – Cracks Appear in Sidewalk Labs’ Toronto Waterfront Plan after Fanfare

Four months have passed since Waterfront Toronto, the municipal-provincial-federal development agency, named Sidewalk its “innovation and funding partner” for the project [see here] – time enough for some of the gee-whiz talk of hyper-energy-efficient modular buildings and “taxibots” to be replaced by a rising chorus of critics both inside and outside City Hall. The concerns over privacy sparked by proposals involving arrays of cameras and sensors – from a company owned by Google – have been raised locally and in publications such as U.S. tech magazine Wired and Britain’s The Guardian. Sidewalk has hired former Ontario privacy commissioner Ann Cavoukian and Waterfront Toronto hired former federal privacy commissioner Chantal Bernier as advisers to help deal with these issues. Meanwhile, despite briefings from Waterfront Toronto and Sidewalk executives, some city councillors say they still have little idea what Sidewalk actually intends to do – or where. The project is supposed to be limited, at first, to the 12-acre Quayside parcel. [Globe & Mail and at: The Globe and Mail and The New York Times]

CA – Some Gains on FOI and Privacy, Says Gogolek, But Much More to Do

Vincent Gogolek offered parting comments after stepping down as executive director at the Freedom of Information and Privacy Association, an advocacy group. FIPA will be in good hands with Sara Neuert taking over as executive director, Gogolek said. And he expressed gratitude to founder Darrell Evans, the Law Foundation of BC, volunteers on the FIPA board, and the various information and privacy commissioners “who’ve listened to us with varying degrees of sympathy or annoyance over the years.” Gogolek has commented on FOI, privacy and other topics frequently for The Tyee and other media, so we took the occasion of his retirement to get his thoughts on what’s changed, what still needs to be improved, and what he sees as the emerging issues. Following is an edited version of that discussion. [The Tyee]

WW – The Next Big Thing: Data Breach Securities Class Action Litigation

Over the past year, plaintiffs have filed nine federal class action securities fraud lawsuits [see wiki here] against public companies after data security incidents, according to a recent Bloomberg Law study. And in each case, the company’s stock dropped after the disclosure of either a data breach or alleged data security vulnerability. In earlier data breaches, it was unusual to see declines in stock price – a necessary element of a securities fraud claim. But the Yahoo! and Equifax hacks changed that with stock prices tumbling and billions of dollars in market capitalization lost. Shareholders have generally used one of two legal theories: First, shareholders have alleged that the company’s pre-breach public disclosures didn’t adequately disclose the risk of a data security incident or that the company overstated its cybersecurity strength or capabilities. Or second, that the company withheld or was too slow in disclosing a breach after it was detected. This way, the claims cover both shareholders who purchased stock before the breach as well as those who purchased after the breach but before the public disclosure. For companies on the receiving end of a data security-related class action securities fraud complaint during the past year, we have found that the lawsuits fall into three general categories: 1) Companies That Tout Their Data Security; 2) Companies That Said Nothing about Data Security (Allegedly); and 3) Companies That Concededly Disclose Risks Connected to Data Security But Are Sued Nonetheless. We suspect that these nine cases are only the beginning and additional cases will be filed whenever a data security incident is followed by a decline in stock price. [PBWT]


AU – Australian Concerned About Online Privacy

The University of Sydney released the results of a study concerning the role of private, transnational digital platforms on work, study and business in Australia, based on: a national survey of 1,600 Australians; a focus group discussion; and an analysis of legal, policy and governance issues. Concerns include profiling and analytics (almost 2/3 have changed their social media settings), government data matching and surveillance (most consider retention of phone call information to be a privacy breach), the workplace (almost half of employers have a policy on what employees post online), and speech regulation (1/4 have had personal content posted without their consent). [Digital Rights in Australia]


US – Lack of Funding Exposes US Federal Agencies to High Data Breach Risks

Last week, cybersecurity firm Thales, in conjunction with analyst firm 451 Research, revealed the results of the “2018 Thales Data Threat Report, Federal Edition” [see PR here & 8 pg PDF report here]. [It] suggests US federal agencies suffer the highest volume of data breaches out of government agencies worldwide and budgets are part of the problem 57% of federal agencies experienced a data breach in the past year, in comparison to only 26% of non-US government agencies worldwide. This is a vast jump from an estimated 34% in 2016 – 2017, and 18% in 2015 – 2016. 93% of respondents said that security spending will be increased over the coming year within their IT budgets. In total, 56% plan to spend their budgets by focusing on endpoint security, 48% will hone in on network security, and 19% view data-centric security as a focal point. [ZDNet and at: ExecutiveBiz Blog and Channelnomics]

US – DHS Classified Briefings for State Election Officials

The US Department of Homeland Security (DHS) provided state election officials with classified briefings on election systems cybersecurity. The election officials were in Washington, DC, for a meeting of the National Association for Secretaries of State (NASS) and the National Association of State Election Directors. DHS described the briefings as being “focused on increasing awareness of foreign adversary intent and capabilities against the states’ election infrastructure, as well as a discussion of threat mitigation efforts.” [fcw.com: State officials get classified briefings on election security]


CA – Ontario Arbitration Board Rules Patient Consented to Email

The Ontario Health Professions Appeal and Review Board considered an appeal by a patient of a decision of the Inquiries, Complaints and Reports Committee of the College of Optometrists. A patient complained that an optometrist had sent her digital eye exam images over email in an unsecured manner, but the Board ruled that the patient had specifically requested that the images be sent to her at that email address. [C.T. v. A.L.,OD – 2018 CanLII 5616 – File # 16-CRV-0525 – Health Professions Appeal and Review Board of Ontario]

Electronic Records

CA – OIPC ON: Health Records Were Accurate to Serve Purpose

Ontario OIPC investigated complaints against the Toronto Central Local Health Integration Network, alleging violations of PHIPA. An individual sought the correction of 62 health records consisting of an assessment of her care needs and evaluation of placement in a care facility; however, the request failed to establish that the records were inaccurate to serve the purposes of assessment and evaluation, and custodians are not obligated to correct information on which it does not rely for the relevant purpose. [IPC ON – PHIPA Decision 67 – Toronto Central Local Health Integration Network]

CA – Alberta Physicians’ EHR Access Lawful

An Alberta Court reviewed a decision of the Alberta OIPC, finding Drs. Gowrishankar and Pinsk violated the Health Information Act. The Court quashed a OIPC decision that two physicians were not authorized to access a child’s medical records in a hospital database; the access was to respond to a complaint by the child’s mother about medical treatment received from the physicians, and the mother signed a consent form (as part of the complaint process) allowing the hospital to obtain relevant medical records. [Drs. Gowrishankar and Pinsk and AB Health Services v. JK_LK and OIPC AB – 2018 ABQB 70 CanLII – Court of Queens Bench of Alberta]

CA – Increased Risk of Harm from Loyalty Program Hack

The Alberta OIPC was notified of a personal information breach by Imperial Oil Ltd, pursuant to the Personal Information Protection Act. Routine website traffic alerts discovered the hack by an unknown third party using IDs and passwords; the breached information (name, billing address, account password, loyalty points and email) could be used to access accounts, for phishing, or to compromise other online accounts with the same password. The Company required users to reset all logins and passwords, enhanced geo-blocking with IP location control for website access, and issued new accounts and cards. [OIPC AB – Breach Notification Decision P2018-ND-019 – Imperial Oil Ltd]

CA – OPCC: Bill C-49 Lacks OPC Oversight

The OPC Canada commented before the Senate Standing Committee on Transportation and Communications on Bill C-49. If enacted, the bill would provide that companies would not have to comply with PIPEDA’s obligations in relation to the collection, use, disclosure and retention of PI collected from locomotive voice and video recorders; the bill should confirm the jurisdiction of the OPC to investigate complaints relating to alleged violations of PIPEDA, including whether exceptions found in the Railway Safety Act were properly applied. [OPC Canada – Appearance Before the Senate Committee on Transportation and Communications on Bill C-49]

EU Developments

EU – Europe Seeks Power to Seize Overseas Data in Challenge to Tech Giants

The European Union is preparing legislation to force companies to turn over customers’ personal data when requested even if it is stored on servers outside the bloc, a position that will put Europe at loggerheads with tech giants and privacy campaigners. The EU push comes as a landmark legal battle in the United States nears its climax. The U.S. Supreme Court will [Feb 26] hear oral arguments in a case pitting Microsoft against U.S. prosecutors, who are trying to force the company to turn over emails stored on its servers in Ireland. [see here] Campaigners say giving governments so-called extra-territorial authority to reach across borders and access data would erode individuals’ privacy rights. The planned law, which would apply to all companies around the world that do business in the European Union, is an apparent shift in position for the European Commission, the EU executive. In 2014, it said in relation to the Microsoft case that “extraterritorial application of foreign laws (and orders to companies based thereon) … may be in breach of international law”. The legislation is still in the drafting stage and is expected to go before lawmakers and member states at the end of March. [Reuters see also at: Silicon UK, AppleInsider, Wccftech, Siliconrepublic, Patently Apple and Computing]

EU – Article 29 WP Draft Accreditation Guidelines

The Article 29 Working Party has issued draft guidance on the accreditation of certification bodies under the GDPR. Public comments can be submitted until March 30, 2018. The GDPR empowers Supervisory Authorities to accredit certification bodies, using accreditation criteria guided by ISO 17065 and complemented by any additional requirements to assess the independence and data protection expertise of the certification body, and where applicable, withdraw certifications or order certification bodies to not issue certifications. Article 29 WP – Draft Guidelines on the Accreditation of Certification Bodies Under the GDPR – WP261 AP WP – WP261 – Certification Bodies]


CA – Canadian Telecoms Firms Target Pirates With Online Censorship Plan

Plans are afoot in Canada to block access to websites which host pirated content. …The coalition, which has named itself Fairplay and consists of more than 30 media companies, including Bell, Rogers, and CBC, submitted their proposal to the CRTC at the end of January. But there has been a heated response to the proposals because of the fears of the wider internet censorship it could lead to. The coalition proposed that the CRTC should set up an independent agency whose job was to identify websites which were primarily focused on disseminating pirated content. That body would then have the power to require telecommunications companies to block access to these sites. The CRTC quickly put the idea up for comment on their website Of the 5,000 or so people who have commented [see submissions here] so far, most have been overwhelmingly negative, with many highlighting big concerns about where this online censorship programme would end. Open Media, has been especially vocal in its criticism of the proposals and is collecting signatories for their own submission in response to the proposals. They have amassed 16,000 signatures in support of their position so far. If the suggested blocking of sites does come into effect, then all will still not be lost for Canadian citizens who value their online privacy either. By using a reputable VPN, such as IPVanish or ExpressVPN, they will be able to access any blocked content simply by redirecting their online traffic through a server located outside Canada. [VPN and at: CBC News and Michael Geist Blog here, here, here, here, here]

CA – The Case Against the Bell Coalition’s Website Blocking Plan, Part 12: Increasing Privacy Risks for Canadians

The Bell website blocking coalition cites privacy protection as a reason to support its plan, noting the privacy risks that can arise from unauthorized streaming sites. There are obviously far better ways of protecting user privacy from risks on the Internet than blocking access to sites that might create those risks, however. Further, with literally millions of sites that pose some privacy risk, few would argue that the solution lies in blocking all of them. In fact, the privacy argument is not only weak, it is exceptionally hypocritical. Bell is arguably the worst major Canadian telecom company on user privacy and its attempt to justify website blocking on the grounds that it wants to protect privacy is not credible. …Rather than enhancing privacy protection, the Bell coalition proposal puts it at greater risk, with the possibility of VPN blocking, incentives to monitor customer traffic, and the potential adoption of invasive site blocking technologies. [Geist]


CA – Confidential Tax Info to Be Shared With Police In Other Countries

Confidential information from Canadian taxpayers could soon be shared with police and authorities in three dozen countries around the world, under measures included in Finance Minister Bill Morneau’s latest budget [see here & 369 pg PDF here]. In an inconspicuous section tucked into a small 78-page annex to the budget, the government says it wants to give police and tax authorities new powers to fight tax evasion and advance international investigations into serious crimes, ranging from drug trafficking and money laundering to terrorism. A civil liberties advocate accuses the government of using the budget to hide controversial changes. “If you can get something buried in the budget that nobody knows about, sometimes you can get something passed without getting the kind of heat it deserves … this deserves a lot of heat from the opposition and scrutiny from media.” said Michael Bryant, executive director of the Canadian Civil Liberties Association and a former Ontario attorney general. Bryant said the proposed changes risk affecting Canadians’ civil liberties and should be introduced — and debated — as part of a separate bill. “The big concern is that Canada would be unwittingly participating in a star chamber investigation and prosecution of somebody in another jurisdiction, or that Canadians would in essence be thrown under the bus and information would be shared with other jurisdictions that don’t have our due process and constitutional protections,” he said. The government also plans to give Canadian police more access to tax information. Currently, police investigating certain crimes can obtain a court order to get income tax information. The government plans to extend that ability to access confidential information to the Excise Act, which taxes a variety of products, including tobacco and alcohol. [CBC See more at: Canadian Press, iPolitics.ca, The Globe and Mail, CTV News and Global News]


CA – Canadian Firms Hindering Customer Data Access Requests: Study

Businesses could do a better job at responding to Canadians’ requests to look at the personal data they hold, according a new study from the University of Toronto’s Citizen Lab. Under the federal PIPEDA Canadians can make data access requests (DARs) to find out how their personal data is collected and is being used by any company — based here or not — that holds their personal information. But after a three-years of volunteers submitting requests to 23 telecommunications companies, fitness trackers and online dating services researchers concluded “processes surrounding DAR-handling and -processing are immature.” Among the problems were inconsistent responses, large dumps of data that would be hard to understand and charging fees. For those wanting to create a DAR, Citizen Lab and its partners have operated Access My Info (AMI), a web application that makes it easier for Canadians to create one. As of February over 6,000 requests have been created using the application in Canada. [IT World Canada | CBC Radio]

Health / Medical

US – Medical Center Not Liable for Unauthorized Access

The Arkansas Supreme Court considers whether St. Vincent Infirmary Medical Center is vicariously liable for unauthorized access to medical records. An Arkansas medical center is not liable for its employees accessing medical records of a public figure treated at its facility; the access was outside the scope of their employment, in violation of the medical center’s training, was not authorized or ratified by the medical center (the employees were subsequently terminated), and the individuals pled guilty to HIPAA violations. [Patricia Cannady v. St. Vincent Infirmary Med. Ctr. 2018 Ark. LEXIS 31 – Supreme Court of Arkansas]

Horror Stories

US – Equifax Identifies Additional 2.4 Million Affected by 2017 Breach

Equifax announced that it identified about 2.4 million U.S. consumers whose names and partial driver’s license information were stolen. The company said the consumers affected “were not in the previously identified” population of cyberattack victims. That brings the total number of U.S. consumers whose personal information was compromised by the breach to 147.9 million, up from 145.5 million previously. These latest breach findings are based on a new methodology it is using to conduct further analysis of the impact of the event. It said its original findings were centered around people whose Social Security numbers were compromised because its forensic investigation led the company to believe that the attackers were focused primarily on attaining Social Security numbers. The analysis found that there were partial driver’s license information, like strings of digits of drivers’ license numbers, and names. That is how it found the additional 2.4 million people who were affected. The company said those consumers’ information was stolen by the hackers. However, their Social Security numbers weren’t affected by the hack. It said that “in the vast majority of cases” the partial information that was stolen on these 2.4 million consumers didn’t include home addresses, driver’s license states, dates of issuance, or expiration dates. [Wall Street Journal See also: NPR, ConsumerAffaires, CNNMoney, Washington Post, and Daily Report (Law.com)]

Law Enforcement

CA – Despite Unanimous Queen’s Park Vote, Police Still Disclosing Unproven Allegations

More than two years after passing legislation protecting innocent Ontarians from having unproven allegations, mental health incidents or withdrawn charges show up on their police record checks, the proposed law remains unenforced. The Police Records Check Reform Act, passed at Queen’s Park in December 2015 by a vote of 93-0, followed a Toronto Star investigation that revealed that tens of thousands of Canadians have records in police databases despite having never been convicted of a crime. The province still hasn’t proclaimed the legislation into law, meaning it is not yet in force. This unusual delay has continued to undermine careers, volunteer opportunities and travel because of the disclosure of false or misleading information, say lawyers, victims and a new report [see PR here, Report overview here & 52 pg PDF Report here] from the John Howard Society [Toronto Star and at: CCLA]

Online Privacy

WW – Google Rejected 57% “right to be forgotten” Privacy Requests

In its latest annual Transparency Report [Blog post here & report here], Google reveals that it was asked to delist 2.4 million URLs from 2014 to 2017. Of those requests, Google denied 57% of the requests and green-lighted just 43%. An overwhelming number of requests—nearly 85%—come from private individuals, according to a draft of Three Years of the Right to be Forgotten, a paper authored by Google-affiliated researchers. A handful of people are making a significant portion of the requests. Just 1,000 people (0.25% of the people who filed requests) accounted for 15% of the URLs submitted for delisting. In all, 51% of total requests came from the U.K., France, or Germany. [Fast Company See also at: Engadet, Venture Beat, Mashable, Gizmodo and The Register]

Privacy (US)

WW – Justices Divided Over Disclosure of Overseas Emails

Computer giant Microsoft told the SCOTUS justices today [oral arguments here, the case is “United States v. Microsoft Corp. – often called “the Microsoft Ireland case” see here, here & wiki here] that the SCA [Stored Communications Act: see text here, wiki here & EFF take here] only applies within the United States, so the company cannot be compelled to turn over emails stored outside the country. The federal government countered that, although laws don’t normally apply outside the United States, the SCA focuses on “classically domestic conduct”: Here, it stressed, Microsoft is simply being asked to turn over electronic records that it controls, even if those records happen to be stored elsewhere. After struggling with the issues (and the technology) in the case for approximately an hour of oral argument, it wasn’t at all clear how the justices will rule – if they even have the opportunity to do so before Congress enacts legislation that would resolve the case. Recently a bipartisan group of senators introduced legislation — known as the CLOUD Act [Clarifying Lawful Overseas Use of Data Act] — that would allow warrants for data stored overseas, but would also give both email providers and the countries where the data is stored a chance to object to those disclosures. Ginsburg and Justice Sonia Sotomayor seemed to believe that Congress, rather than the Supreme Court, was best suited to deal with the questions before the court. [SCOTUS Blog See also: Lawfare Blog, The Los Angeles Times, The New York Times, The Washington Post, The Washington Times and Bloomberg and also: The Microsoft-Ireland Case: A Supreme Court Preface to the Congressional Debate and also at: Reuters, The Irish Times, The Washington Post and Financial Times]

US – 9th Circuit Court of Appeals to Review Protect Device Privacy at Border

Saying that the U.S. Court of Appeals for the Ninth Circuit has a new opportunity to strengthen personal privacy at the border, the EFF recently filed amicus briefs in two cases, U.S. v. Cano and U.S. v. Caballero, before the Ninth Circuit arguing that the Constitution requires border agents to have a probable cause warrant to search travelers’ electronic devices. Border agents, whether from U.S. Customs and Border Protection (CBP) or U.S. Immigration and Customs Enforcement (ICE), regularly search cell phones, laptops, and other electronic devices that travelers carry across the U.S. border. The number of device searches at the border has increased six-fold in the past five years, with the increase accelerating during the Trump administration. These searches are authorized by agency policies that generally permit suspicionless searches without any court oversight. With these Ninth Circuit briefs, EFF has now filed a total of five amicus briefs since 2015 arguing that border agents need a probable cause warrant to search electronic devices at the border. [EFF]

US – Information Injury Workshop Covers Non-Financial Harms Faced by Consumers

The FTC held its Information Injury Workshop [see here and here] in December in Washington D.C. The goal of the workshop was to explore how to characterize and measure information injuries to consumers. Information injury is the harm that a victim suffers as a result of privacy or data security breach. Financial, health and safety injury are the most common types of alleged injuries that the FTC has seen in privacy and data security in the past few years. Yet, injury that does not cause financial harm can be challenging to quantify. In her opening remarks at the workshop, FTC Acting Director Maureen Ohlhausen said the FTC needs a “framework for principled and consistent analysis of consumer injury in the context of specific privacy and data security incidents.” The workshop had four panels with noted experts in a variety of fields and disciplines. The brief summary that follows is not intended to be comprehensive, but to touch on some interesting points made during the course of the workshop. Transcripts for each panel are linked below, [including]: 1) Injuries 101 Panel; 2) Potential Factors in Assessing Injury; 3) Business and Consumer Perspectives; and 4) Measuring Injury [DBR on Data]

US – Opinion: Six Big Privacy Concerns for Edtech

In December, the U.S. FTC hosted a workshop on student privacy and edtech in Washington, D.C. During one panel, Priscilla Regan, a professor at George Mason University — who has been writing about privacy policy since the late 1970s — set the framework for discussion by identifying six broad concerns that together comprise the facets of the U.S. student privacy discussion:

  • Organizational information privacy concerns: Federal and state laws generally regulate the collection, use, retention and disclosure of personal information. This is becoming more complicated and complex as greater quantities of data are collected and as qualitative information — such as behavior — is being derived and collected. Parental concerns are heightened as citizens generally become more aware of data collection activities.
  • Anonymity: Part of privacy, in many people’s minds, is the ability to remain anonymous, sometimes called “practical obscurity.” As more and more data is gathered and retained, it becomes more difficult to anonymize that information. The evolving use of such technology as artificial intelligence makes the ability to remain anonymous less feasible. “This is where we get into sort of the algorithmic searches, the use of artificial intelligence, the fact that personally identifiable information is sort of a less meaningful concept,” Regan said.
  • Surveillance and tracking: As personalized learning, online learning and online testing all become more common, the applications are monitoring and analyzing what students are doing, when and where they are working, who else may be working on similar things. “Things like how long it might take to read a page, the patterns and the ways in which students are reading and responding, which gives some indication, then, of the students’ thought processes,” Regan said, which facilitate qualitative information-gathering.
  • Autonomy: There is a risk that using analytics to determine students’ strengths and weaknesses and building a personalized learning experience around that may narrow students’ options too early, by limiting the avenues for their curiosity and creativity. And today’s students are more aware of being monitored and channeled toward particular disciplines; they may self-censor what they’re doing.
  • Bias, discrimination and due process: Another part of the concept of privacy is fairness — treating people equally and without discrimination. “This is obviously critical in the edtech and the education environment generally, because of the importance of education to equal opportunity,” Regan said. With the kind of algorithmic analyses in place now, it can make it harder to identify bias and discrimination, thus also harder to reverse. As with concerns about autonomy, judging students early may lead to discrimination.
  • Data ownership: As data is generated, collected and analyzed, the question arises — who owns the information, the individual, the school or a third party such as the application vendor? Generally, school records are owned by the school, but laws such as FERPA (Family Education Rights and Privacy Act) ensure parental rights. This issue is something to be addressed in schools’ contracts with vendors. [EdScoop]

Privacy Enhancing Technologies (PETs)

US – FTC Warns Users on VPN Apps

In a blog post last week, the US FTC warned consumers to thoroughly research VPN apps before using them. According to a report from researchers at CSIRO, the University of New South Wales, ICSI, and the University of California at Berkeley that examined nearly 300 VPN apps, many did not encrypt traffic and requested information and privileges that could put consumers’ privacy at risk. Some VPN apps sell customer data to third parties. [www.consumer.ftc.gov: Shopping for a VPN app? Read this | www.icir.org: An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps | www.scmagazine.com: FTC warning users to do homework before using VPN apps]

WW – Private Browsing Lacks Privacy

Researchers from MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) delivered a paper at the Network and Distributed Systems Security Symposium describing a framework to improve the privacy of private browsing modes. The framework is necessary because even in private modes, browsers can leak information. [www.ndss-symposium.org: Veil: Private Browsing Semantics Without Browser-side Assistance | www.theregister.co.uk: Private browsing isn’t: Boffins say smut-mode can’t hide your tracks]


WW – NIST Identifies Gaps in Standards for IoT

The National Institute of Standards and Technology issued a report on international cybersecurity standardization prepared by the Interagency International Cybersecurity Standardization Working Group. Gaps include cyber incident management (best practices for remediation when software patches are not feasible), hardware/software assurance (best practices for avoiding malware in firmware/software), supply chain risk management (generic standards are not specific to IoT and need to be reviewed to see if they are sufficient or require revision), and system security engineering (determine if generic standards consider IoT systems). [NIST – Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things (IoT) – Draft NISTIR 8200 | Press Release]


US – NIST Releases Draft Report on IoT Cybersecurity Standards

The National Institute of Standards and Technology (NIST) has released a draft of its NIST Interagency Report 8200 (NISTIR 8200) [see PR here & 187 pg PDF here], which is intended to inform policymakers and standards participants in developing and implementing cybersecurity standards in and for IoT devices and systems. NISTIR 8200 provides a non-exhaustive list of five IoT technology application areas that are offered for use in any analysis of the present state of IoT cybersecurity standardization. These include: 1) Connected Vehicle IoT; 2) Consumer IoT; 3) Health IoT; 4) Smart building IoT; and 5) Smart manufacturing IoT. The report breaks down each of the five IoT technology application areas into eleven cybersecurity core areas and analyzes IoT cybersecurity objectives, risks, and threats present in each. The report notes that this proliferation of varying IoT devices presents a challenge in terms of sheer volume of systems to be protected, and the diverse nature of IoT services increases the challenge for development of consistent cybersecurity standards. The list of IoT cybersecurity standards the report contains will constitute a valuable resource for tracking the current state of IoT cybersecurity standards, as it is quite extensive and contains a range of information about each standard. Comments on NISTIR 8200, the draft report, are due by April 18, 2018. [DBR on Data and at: Federal News Radio, GCN and HealthITSecurity]

EU – ENISA Issues Guidance for Organisations on Cybersecurity Programmes

The EU Agency for Network and Information Security guidance for organisations on creating a Cybersecurity Culture programme. ENISA recommends setting a core work group to oversee implementation of cybersecurity activities, equipping employees with risk awareness, skills and controls specifically related to their role, allowing them to provide feedback on how the programme affects their daily duties, and revising initial programme goals if they are impossible to achieve or unacceptable to employees. [ENISA – Cyber Security Culture in Organisations]

Smart Cars

US – Trust Needed in TV Data Collection Practices

The Future of Privacy Forum carried out a review of Smart TVs in 2017 and published the results. Smart TV manufacturers provide little detail about how their automated content recognition technology works and the information collected is generally referred to only as “viewing information” or “viewing history”; privacy policies should be relevant, accurate and easy to comprehend. [Seeing the Big Picture on Smart TVs and Smart Home Tech – Future of Privacy Forum]

Workplace Privacy

CA – Alberta’s Top Court Upholds Injunction Against Drug Testing of Workers

The Alberta Court of Appeal has upheld an injunction that stops random drug and alcohol testing at Suncor Energy sites in the northeastern part of province. In a two-to-one decision, the court dismissed the appeal by Calgary-based Suncor, which has been arguing for years that random tests are needed to bolster safety at its projects near Fort McMurray. A Court of Queen’s Bench judge granted the injunction last December, pending an arbitration hearing, after the union representing about 3,000 oilsands workers in the region requested one. The Appeal ruling said the crux of the case is balancing safety against privacy interests. Two judges noted that while there is clearly a safety issue, random testing would target about 1,339 employees per year or 104 per month. “It is therefore conceivable that some union employees would be forced to comply with multiple tests within the same month … constituting a significant intrusion on their privacy, dignity and bodily integrity.” Justice Frans Slater said he would have allowed Suncor’s appeal and set aside the injunction. Suncor spokeswoman Sneh Seetal said the company is reviewing the Appeal decision and assessing its options. [National Post: See also: CBC News]