07-14 September 2016

Biometrics

US – Homeland Security Eyes Expanding Biometric Collections at US Borders

Homeland Security officials are working on a plan to vastly expand the collection of biometric information at US borders in an effort to more closely track foreign visitors. The program aims to put in place more biometric scanners, which may include iris, face, and fingerprints, at border crossings beginning in 2018 in an effort to ensure visitors do not leave the US under another person’s passport. DHS has collected biometrics in an entry and exit program since 2004. [The Christian Science Monitor] See also: [Allan Richarz: What, if any, rights to privacy do you have when crossing the border?]

US – Disney World Starts Scanning Kids’ Fingers

Walt Disney World has begun requiring children from 3 to 9 years old to have their fingers scanned when they enter the theme parks, just like older kids and adults. Disney said the new process will help block the use of stolen and shared tickets. Previously, kids’ tickets would have been easy to transfer because they had no finger images attached to them. Parents who feel uncomfortable with having their kids’ fingers scanned can use their own instead. Disney introduced scanners more than a decade ago that used “finger geometry” — pictures of several points on people’s fingers. [Orlando Sentinel]

WW – Wi-Fi Routers Can Identify, Spy on You

Wifi signals can be used to monitor humans—and in surprisingly detailed ways. As people move through a space with a Wi-Fi signal, their bodies affect it, absorbing some waves and reflecting others in various directions. By analyzing the exact ways that a Wi-Fi signal is altered when a human moves through it, researchers can “see” what someone writes with their finger in the air, identify a particular person by the way that they walk, and even read a person’s lips with startling accuracy—in some cases even if a router isn’t in the same room as the person performing the actions. Several recent experiments have focused on using Wi-Fi signals to identify people, either based on their body shape or the specific way they tend to move. Earlier this month, a group of computer-science researchers at Northwestern Polytechnical University in China posted a paper to an online archive of scientific research, detailing a system that can accurately identify humans as they walk through a door nine times out of ten. [The Atlantic]

Canada

CA – Government to Launch Bill C-51 Review

The Liberal government will launch the public phase of its long-awaited national security review with the release of a discussion paper. The government has promised to repeal what it calls the problematic elements of omnibus security legislation, known as Bill C-51, ushered in by the previous Conservative government. The Liberals also plan to introduce new measures they say will do a better job of balancing collective security with rights and freedoms. Among other things, the government has pledged to ensure all Canadian Security Intelligence Service (CSIS) warrants respect the Charter of Rights and Freedoms. This could roll back new provisions allowing CSIS to disrupt terror plots through tactics that breach the charter as long as a judge approves. Public Safety Minister Ralph Goodale has said the government is open to an expansive revamp of national security legislation and policy, not just the handful of promised changes. Goodale and Justice Minister Jody Wilson-Raybould are slated to discuss the consultation at a news conference in Edmonton. They will release a discussion paper as well as a lengthy background document outlining national security issues. [Global News] The consultation can be found here and runs until Dec. 1. [Bill C-51: Liberals says changes to anti-terrorism law coming soon | Federal agencies already using new Bill C-51 information-sharing powers | Making the spies accountable: real change or illusion? | Privacy Advocates Fear Bill C-51 Consultations Will Be Skewed | Trudeau should stop delaying on fixes to anti-terror laws | A Liberal sense of mystery surrounds the future of Bill C-51 | Liberals identify 10 key national security issues for public consultations | B.C. Civil Liberties Association reacts to national security consultation announcement | 8 things you need to know about Bill C-51 | Lawyers at the BC Civil Liberties Association have gone over the bill paragraph by paragraph, and outlined the parts of this massive document that concern them most. For a more comprehensive explanation of concerns, read their Submission to the Standing Committee on Public Safety and National Security | Concerns over Bill C-51 prompt CSIS to brief other agencies on operations | National security review tries to tackle needs of law enforcement in digital world | Anti-terror revamp to stretch into next year as Liberals launch consultation]

CA – CSIS Briefs Government Agencies on Bill C-51 Concerns

The Canadian Security Intelligence Service has moved to tamper down concerns with the controversial surveillance law, Bill C-51. The omnibus bill designed to overhaul CSIS has “sent ripples throughout the federal-security bureaucracy.” To help the relevant agencies that are concerned with the changes, CSIS has intimated it will give them a heads up about what it is doing. For example, “when CSIS is considering the use of threat-reduction measures, CSIS will initiate strategic case-management discussions with the RCMP on the target of the measure… The RCMP may indicate that it needs time to review the information discussed to assess any potential conflict,” and if the two agencies see a conflict, “the matter will be referred for a more senior level discussion.” [The Globe and Mail]

CA – Ontario Court Awards Damages for Family Member’s Disclosure of Mental Health Information

The Ontario Small Claims Court, in Halley v McCann, 2016 CanLII 58945 (ON SCSM), recently awarded a plaintiff $9,000 in damages for breach of privacy. The case arose because the defendant disclosed the fact that the plaintiff had admitted herself to a mental health facility. The defendant is also the half-sister of the plaintiff. It was alleged that the defendant had told three people outside the facility about the plaintiff’s stay there. No other information was disclosed. The Court then awarded an additional $1500 in punitive damages. [Canadian Privacy Law Blog]

CA – ‘Unprecedented’ Number of Online Privacy Breaches Reported in Alberta

Alberta’s privacy commissioner is seeing an “unprecedented” number of breach reports under the province’s Personal Information Protection Act, including e-commerce hacks, ransomware and phishing scams. A 15-member committee is in the midst of reviewing the act, which was last updated in 2010, and this week heard suggestions from 10 presenters. Provincial privacy commissioner Jill Clayton said that while she doesn’t think the act is a broken piece of legislation, she would like to see it tightened in a few areas, including extending it to cover non-profits and requiring organizations to have privacy management programs in place. She said government agencies and law enforcement are increasingly relying on personal information collected by the private sector but, as the law stands, there’s no way for people to know the number, scale, frequency of or reasons for disclosures without consent. [Edmonton Journal] [The Edmonton Sun: Alberta Sees Increase in Data Breaches, Seeks to Improve PIPA]

CA – Ontario Court Orders Video-Sharing Website to Disclose Subscriber Information to School Board

An Ontario Court has issued a decision in a request submitted by a school board compelling YouTube/Google to disclose user information. The video-sharing service must, within 20 days, disclose the subscriber registration and IP information of a particular account holder who may have unlawfully posted a video of a vulnerable student without consent of the students, his parents, or the Board; the Board has requested the video in order to pursue disciplinary and copyright proceedings (the poster is suspected to be an employee). [Ottawa-Carleton District School Board v. YouTube, Inc., YouTube, LLC and Google, Inc. – Order – Ontario Superior Court of Justice | Ottawa Citizen]

Consumer

WW – Study: Government Surveillance Leads to Bad Passwords?

Professor Stanislav Mamonov explains what he sees is the connection between weak passwords, government surveillance, a societal feeling of helplessness, and his research. A 2016-published survey of 400 asked the participants to answer questions about their perspectives toward online privacy and secure their information with a password after reading four news stories about the topic. Mamonov found that those exposed to stories about government surveillance picked worse passwords than those who didn’t. The results were “very unexpected” for his team, leading to an as-of-yet unpublished secondary project to explain their findings. “And the only emotion out of the more than 20 that we assessed that was affected by exposure to government surveillance was the feeling of helplessness.” [The Atlantic]

E-Government

US – House Oversight Committee Report on OPM Breach

According to a report from the US House Oversight and Government Reform Committee, the breach of systems at the Office of Personnel Management (OPM) was due (in large part) to “the longstanding failure of OPM leadership to implement basic hygiene.” The report notes that there were two breaches at OPM. The first, which began in November 2013 and was shut down in May 2014, targeted manuals and technical information about the types of data stored in OPM systems. The second breach targeted personally identifiable information, including background investigation data and personnel records. [www.darkreading | arstechnica | www.theregister | https://oversight.house.gov]

UK – Study Calls Out UK Government for Poor Security Leadership, Practices

A National Audit Office (NAO) study has criticized the U.K. government’s online security practices. Among the 73 teams compromising 1,600 employees with data security duties was a sense of confusion about who to go to for “guidance.” The NAO study also found a “dysfunctional” process of reporting breaches and encryption practices that left many “unsecured endpoints.” A government representative acknowledged that the government was aware of the problems found by the NAO study. “So we are already well under way in strengthening oversight of information security by bringing together nine separate central teams into just two,” the representative said. “We have also appointed the government’s first ever chief security officer.” [BBC]

Encryption

WW – Google Chrome to Warn Users of Unencrypted Websites

Google will start warning users about sites using HTTP rather than HTTPS early next year. When the stable version of Chrome 56 is released at the end of January 2017, the browser will warn users when sites send passwords or payment card data over non-secure, HTTP connections. The warnings are “part of a long-term plan to mark all HTTP sites as non-secure,” according to Google’s blog post. [Computerworld | CNet | The Register | Motherboard | https://security.googleblog.com]

WW – Chrome OS Verified Access API

Google has introduced the Verified Access API, which organizations can use to cryptographically validate Chrome OS devices and make sure that the devices are compliant with security policies before accessing the network. The API uses digital certificates stored in the Trusted Platform Module (TPM). [ComputerWorld | IT News]

EU Developments

EU – Children and Minors: EU DPAs Outline Key Privacy Issues

The ARCADES project, involving Data Protection Authorities producing educational materials on data protection and privacy, has provided guidance on protecting children’s privacy issues at schools. Students should be taught about why privacy is important, types of data considered sensitive, obligations of organisations, how to refuse or consent to personal data collection, and how to modify online privacy settings; it is important that students do not publicly share their address, phone number, or email account, have a clear understanding that content posted or shared will be available to everyone, and know what information can be found if their name or alias is searched. [Introducing Data Protection and Privacy Issues at Schools in the EU]

UK – Ruling Shows ICO Will Use Tiered Approach to Breach Notification

A new ruling by the information rights tribunal suggests that businesses in the UK should be prepared to make multiple notifications to the Information Commissioner’s Office (ICO) in the event of a data breach under new EU data protection laws In the TalkTalk case, the information rights tribunal upheld a decision by the UK’s Information Commissioner’s Office (ICO) in which the watchdog fined TalkTalk £1,000 for failing to notify it of a personal data breach within 24 hours after the detection of that breach. [Out-Law News]

Finance

PCI Council Releases New Card Reader Standards

The Payment Card Industry (PCI) Security Standards Council has released a new standard aimed at reducing fraud originating at point-of-sale terminals. To comply with the PCI PIN Transaction Security Point-of-Interaction Modular Security Requirements version 5.0, point-of-sale card readers must support and cryptographically authenticate firmware updates; must be tamper-proof; and must not leak keys through side-channel monitoring. The new standard will take effect in September 2017. Sources: Dark Reading| The Register| PCI Security Standards]

US – CFPB Levies $100 Million Penalty Against Bank for Unlawful Sales Practices

The Consumer Financial Protection Bureau (CFPB) has entered into a consent order with Wells Fargo to settle allegations of deceptive sales practices in violation of: sections 1031 and 1036(a)(1)(B) of the Consumer Financial Protection Act of 2010. The bank opened deposit accounts and made transfers to those accounts, submitted applications for credit cards, enrolled consumers in online banking services and activated debit cards, all without customers’ knowledge or consent; the bank’s Board is responsible for all compliance with the consent order. The bank must hire an independent consultant to conduct a comprehensive review of its sales practices and implement a compliance plan, and allot $5 million for consumer redress. [Consumer Financial Protection Bureau – Consent Order – Wells Fargo Bank, N.A. [ Press Release]

FOI

CA – OIPC BC Orders Government Agency to Disclose 911 Caller Details

This OIPC order addresses BC Emergency Health Services’ partial withholding of records requested under the Freedom of Information and Protection of Privacy Act. The applicant met the test for disclosure of the caller’s first name and telephone number for a fair determination of her rights; the identity of the caller relates to the applicant’s legal right to sue for damages due to an accident, the applicant has indicated she is contemplating a legal proceeding, and the caller’s withheld identity is necessary to prepare for such a proceeding, regardless of whether the applicant may be able to learn the 911 caller’s identity as part of a court process. [OIPC BC – Order F16-36 – BC Emergency Health Services]

CA – OIPC BC Orders Government Ministry to Disclose Generic Data on Employees’ Grievances

This OIPC order addresses the Ministry of Finance’s partial refusal to disclose records request under B.C.’s Freedom of Information and Protection of Privacy Act. The ministry correctly applied an invasion of third party privacy exemption to most of the data contained within a table, but is able to redact employee numbers, dates and department names and disclose column headings and other generic information. [OIPC BC – Order F16-33 – Ministry of Finance]

CA – OIPC PEI Finds Questions of Accuracy in Information Contained in Responsive Records is Not a Valid Reason to Withhold Access

The OIPC PEI reviewed Health PEI’s response to a request for records, pursuant to the Freedom of Information and Protection of Privacy Act. The public body informed an individual that it did not hold statistics on ambulance response times for all calls in a specific area; however, the public body had custody and control of paper patient care reports that would have satisfied the request, and its assertion that the reports contained inaccurate information is not a sufficient reason to withhold the records. [OIPC PEI – Order No. FI-16-005 – Health PEI]

Genetics

CA – Winnipeg Drivers Asked to Voluntarily Submit DNA Sample for Drug Testing at Checkstop

In the early morning hours of Sept. 8, drivers were being checked at a roadside stop and asked the standard “have you been drinking” question by Winnipeg police officers. After drivers were cleared by police, they were asked if they would voluntarily complete a survey. On the side of the road there were approximately five areas set up with tablets and an area set up by Manitoba Public Insurance (MPI). “We are asking for your help in a voluntary driver safety survey that deals with alcohol, drugs and driving,” read a part of the survey. “(You will be asked) to provide a breath sample to measure the amount of alcohol in your system… If the test shows that you are over the legal limit, you will be asked to let a non-impaired passenger drive, or we will provide you with a free taxi ride to your destination.” MPI said it is using the samples to test for drug usage and are trying to determine a baseline before marijuana use is legalized in Canada. …According to the crown corporation, similar surveys were conducted in Ontario in 2014 and British Columbia in 2010 and 2012, although no data was available for any of those. …MPI said all information is voluntary and remains anonymous. “No names are taken. The information is not shared with anybody else.” Privacy lawyers said it does raise concerns for drivers. Police did not explain their officer’s involvement in the roadside checkstop and survey, as it was an armed, uniformed officer who was the first point of contact with drivers. Police refused repeated requests for an interview. [Global News] See also: [DNA Dragnet: In Some Cities, Police Go From Stop-and-Frisk to Stop-and-Spit]

US – Law Enforcement DNA Collection Sparks Concerns

Police departments in smaller cities are collecting DNA samples from citizens, even if they are not charged or suspected of committing a crime, according to a new report. The cities have begun to assemble their own DNA databases, created with help of privacy labs in order to help law enforcement investigate minor crimes. Privacy advocates are concerned police departments will abuse the power to collect DNA samples, but as consensual DNA collection is a relatively new way to collect data, the rules remain unclear. “There’s no laws, there’s nothing,” said Bensalem Police Department’s Frederick Harran. “We’re in uncharted territory,” he said. “There’s nothing governing what we’re doing.” [ProPublica]

CA – Genetic Information Privacy Bill May Fail Over Lack of Liberal Support

Bill S-201, which seeks to entrench privacy rights around Canadians’ genetic information, will go to second reading just days after the House reconvenes — but its sponsor in the House of Commons, Liberal MP Rob Oliphant, isn’t sure his government will let it proceed. He was told instead the Justice Department has some reservations over the constitutionality of the bill, he said, but wasn’t told what those reservations were. A promised briefing by government officials has not yet happened, he said. Put forward by independent Liberal caucus leader Sen. James Cowan in 2013, S-201 would keep Canadians’ genetic test results private and make it illegal for insurers or employers to demand them, removing the fear of financial penalties that currently give many pause when considering the potentially life-saving testing. It would also add “genetic characteristics” to the Canadian Human Rights Act as a type of discrimination. Critics for the Conservative, New Democratic and Green parties have all confirmed they and their parties will support the bill at second reading on Sept. 20, leaving the government seemingly alone in its uncertainty. Private member’s bills that have issues, even constitutional problems, are usually permitted to go to committee for further study to help correct those problems. Previous attempts to create privacy protections around genetic testing drew criticism from the insurance industry, which is not specifically mentioned in S-201. Nonetheless, those advocating against the bill’s passage have warned that privacy regulations could lead to higher health insurance premiums. The Canadian privacy commissioner’s office said that, as in other countries where similar legislation has been passed, “The impact of a ban on the use of genetic test results by the life and health insurance industry would not have a significant impact on insurers or the efficient operation of insurance markets.” [National Post]

Health / Medical

CA – Health Leader, Nunavut Privacy Commissioner Take Different Sides On Privacy Audit

A top Nunavut health bureaucrat, Chris D’Arcy, has disputed “nearly everything” Privacy Commissioner Elaine Keenan Bengts said before a committee of members of the legislative assembly on the territory’s health department and a recent privacy audit experience. Specifically, D’Arcy maintained that contrary to Keenan Bengts’ report, “the creation of health-specific legislation is a priority for the department of health and the GN [Government of Nunavut] as a whole.” He also argued that unlike what Keenan Bengts said during her time with that committee that “the GN values the role of the Information and Privacy Commissioner as an ombudsman and firmly believes that a positive and collaborative relationship between public bodies and the commissioner’s office provides the most benefit to the GN and all Nunavummiut.” [Nunatsiaq Online]

Horror Stories

CA – Ontario Court Approves Settlement in Home Depot Breach Lawsuit

An Ontario court has approved a settlement in a class-action lawsuit against Home Depot of Canada, Inc. and its corporate parent. Between April and September 2014, Home Depot’s payment card system was hacked, but no evidence of fraudulent credit card charges was found. The settlement was valued at $400,000 for the settlement class members. Home Depot also agreed to create a non-reversionary fund of $250,000 “for the documented claims of Canadians whose payment card information and/or email address was compromised as a result of the data breach during the data breach period.” [Canadian Underwriter]

WW – Olympic Athlete Doping Test Results Leaked

Medical information about Olympic athletes has been leaked, according to the World Anti-Doping Agency. While the leaked information shows that some athletes tested positive for banned substances, all had received therapeutic medical use exemptions, and were not breaking any rules. [Source: ArsTechnica | BBC | Computerworld | Wired]

Identity Issues

US – Privacy Groups ask FCC to Reconsider Anonymized Data Carve Out

A group of more than 30 privacy organizations has written a letter to Federal Communications Commission Chairman Tom Wheeler asking him to reconsider creating a carve out for anonymized data in his broadband privacy proposal. In the letter, the privacy groups say ISPs have failed to demonstrate customer benefits from the carve out, while also stating customers should remain in possession of their own data. The groups believe it would be an “an attractive way for [ISPs] to circumvent the vital consumer protections that will be put in place by this rule.” [Broadcasting & Cable]

Intellectual Property

CA – Thousands of University of Manitoba Students Hit with Illegal Download Notices

Downloading the latest episodes of Game of Thrones and other hit shows has landed thousands of University of Manitoba students in hot water. But the university – despite being forced to pass on violation notices to students illegally downloading content through its networks – is warning students not to fall prey to aggressive collection agencies’ pressure tactics. Joel Guenette, copyright strategy manager with the UoM, estimates that the university has forwarded roughly 6,000 notices to students since the law took effect in January of last year. The notices range from gentle reminders from companies like HBO that its content is available legally through a variety of streaming platforms to more aggressive letters threatening lawsuits and demanding users pay resolution fees to settle their cases. Guenette said it’s important for students to know that at no point does the university provide agencies with people’s personal information or identities. [Source]

Law Enforcement

CA – University Researchers Compile Stingray Study, Call for Change

Everything that is known or suspected about the government’s use of these machines – called “IMSI catchers,” “cell-site simulators” or “Stingrays” – is chronicled in a comprehensive, first-of-its-kind, 130-page study written by privacy experts. Researchers Christopher Parsons and Tamir Israel say it’s time for civil society to debate the pros and cons of IMSI catchers, even if many government agencies still won’t discuss them. ”IMSI catchers pose a particularly insidious threat to real-world anonymity,” write Mr. Parsons and Mr. Israel. Their paper, which is titled “Gone Opaque,” points out that corporations that manufacture IMSI catchers often swear police to non-disclosure agreements. Germany releases annual statistics on that government’s use of IMSI catchers, and that the U.S. Department of Justice has posted the rules that American authorities must abide by. In Canada, RCMP-led surveillance teams are understood to control IMSI-catcher technology and lend it out to smaller police forces shadowing specific suspects. But IMSI catchers also pull digital identifiers from the phones of everybody in proximity, raising many privacy questions. “This ongoing secrecy has the effect of delaying important public debates. Given the potential for IMSI catchers to massively track Canadians who have done nothing wrong other than be near the surveillance device, it is imperative to ensure [security] measures are in place.” The Telecom Transparency Project and the Canadian Internet Policy & Public Interest Clinic-commissioned report suggests routine notification procedures if a Stingray accidentally captures data. [The Globe & Mail] See also: [UK oversight body tipped to examine phone snooping tech in prisons] [Here Is the Contract for the UK’s First Confirmed IMSI Catcher] [Long-Secret Stingray Manuals Detail How Police Can Spy on Phones]

EU – Berlin DPA Investigation Reveals Excessive and Unlawful Use of Silent SMS by Law Enforcement

The Berlin Commissioner for Privacy and Freedom of Information investigated law enforcement use of “silent SMS” in criminal investigations. One third of case files examined did not have an apparent need for use of silent SMS (less intrusive approaches to determine individuals’ locations were not considered), judicial applications were frequently made for collection of traffic data, which were then used to send silent SMS (without justification or disclosure in the application), and reasons for use of silent SMS were not officially recorded. [DPA Berlin – Final Report on Use of Silent SMS in Criminal Investigations]

Location

US – Lawmakers Wrestle With Cellphone Tracking for Missing Persons

Lawmakers are eyeing a deal with privacy advocates on a bill that would give law enforcement officials more access to location data from mobile phones. The Kelsey Smith Act, named for a young Kansan who was kidnapped and murdered almost a decade ago, would require mobile phone providers to give location data to law enforcement agencies in some emergency situations. But privacy advocates on the left and the right are worried about the proposal, fearing it would invite abuse. They have worked to slow down a version of the bill in the Senate that lacks additional protections. Privacy groups are pushing to add a provision to the law that would mandate that the owner of a mobile phone whose location was tracked be notified of the decision. Wessler said police departments should also have to report “basic data” about their requests. Supporters of the bill counter that law enforcement would be given just enough data to find an individual in trouble. [Source]

Online Privacy

US – Student Privacy Pledge Reaches 300 Signatures, FPF Announces

The Future of Privacy Forum and the Software & Information Industry Association’s Student Privacy Pledge has garnered 300 signatures from ed tech companies. The 2014-launched initiative to better protect and secure student data has received the support of President Barack Obama and the National School Boards Association. “As students return to school for the fall and teachers develop their curricula to incorporate the benefits of data and technology, companies that take the Pledge are ensuring that they are accountable for how they safeguard student data,” said Future of Privacy Forum CEO Jules Polonetsky. [FPF Press Relase]

US – OTA Requests Public Call for Comment for 2017 Trust Audit

The Online Trust Alliance has issued a call for public comment on criteria that should be included in its 2017 Online Trust Audit. The benchmarking research evaluated websites across industry sectors for responsible privacy and data security practices. The goal of the audit is to track industry best practices for privacy, provide tools and resources to help companies bolster their privacy practices, and recognize those organizations that do achieve a high level of protection. “In order to maintain consumer trust and confidence and spur the vitality of online services, it is imperative that organizations double-down on security and privacy measures,” said OTA Executive Director and President Craig Spiezle. Twitter and Healthcare.gov were among those that topped OTA’s 2016 audit. [OTA Alliance]

WW – App vs. Website: Which Best Protects Your Privacy?

Both apps and websites leak personal information, including names, gender, phone numbers, and e-mail. But don’t despair. Northeastern researchers, led by assistant professor David Choffnes, have developed an automated system to help you know which platform to use for your online interactions. In particular, the team investigated the degree to which each platform leaks personally identifiable information—ranging from birthdates and locations to passwords—to the advertisers and data analytics companies that the services rely on to help finance their operations. The answer? “It depends,” says Choffnes, a mobile systems expert in the College of Computer and Information Science. “We expected that apps would leak more identifiers because apps have more direct access to that information. And overall that’s true. But we found that typically apps leak just one more identifier than a website for the same service. In fact, we found that in 40% of cases websites leak more types of information than apps.” [Source]

US – Class Action Complaint Alleges App Intercepted Phone Communications Without Consent

LaTisha Satchell filed a class action complaint against Sonic Notify, Inc. et al. alleging unlawful interception of consumers’ oral communications in violation of the Electronic Communications Privacy Act. The mobile app delivered scores, news, and information to users about a basketball team, and integrated beacon technology to allow targeting of specific users to send tailored content, promotions or advertisements; the complaint alleges private communications were intercepted without informing users and without obtaining their consent. [Latisha Satchell v. Sonic Notify Inc. et al. – Class Action Complaint – US District Court Northern District of California, San Francisco Division]

AU – Study: Online Service Providers’ Agreements Problematic?

A UTS’ Communications Law Centre study funded by the Australian Communications Consumer Action Network has maintained that online service provider privacy agreements “have the potential to be interpreted as unfair, unconscionable or misleading under domestic consumer laws.” The study examined consent practices, data sharing, and the time consumers have to look over the long privacy terms. Of particular concern was what the study’s authors considered a generalization of terms that could lend consumers to “challenge [them] under Australian Consumer Law as misleading.” The CLC encouraged companies to conduct more research into understanding users’ attitudes regarding privacy. [CSO Online]

Other Jurisdictions

WW – IAF Reveals Details of Its ‘Effective Data Protection Governance’ Project

The Information Accountability Foundation (IAF) reported on its work creating what it believes is a more Effective Data Protection Governance method when responding to the complexity of information flows, while also meeting the goals of stakeholders. “We believe that, while the ‘tenants’ (sic) or ‘objectives’ of data protection remain the same, today’s complex information ecosystems suggest a need to evolve our approach to achieving these objectives,” writes Peter Cullen. “Data-driven innovation and the organizations that are dependent upon such activities must develop and demonstrate evolved information use governance systems to avoid many of the risks associated with such practices, including policy makers and/or regulatory action.” Cullen details the objective of the project, including enabling an enforcement model providing more capability for regulators and achieving implementable alignments of the EDPG model with existing laws. [IAF] The annual IAPP and EY-underwritten Privacy Governance Report has found that only 34% of privacy professionals expect their companies to certify under the EU-U.S. Privacy Shield.

Privacy (US)

US – 2016 Annual IAPP-EY Privacy Governance Report Released

What’s the mean privacy budget for a company with $1 billion in revenues? What’s the primary reason for a company with fewer than 5,000 employees to have a privacy program? What do manufacturing firms consider to be the toughest compliance task in the General Data Protection Regulation? The answers to these questions and many more are now available in the 2016 IAPP-EY Privacy Governance Report, 126 pages of detailed information from 600 companies around the world that have provided answers to budget, staffing, organizational, and prioritization questions. Further, as this is the second year of releasing the report, there is now directional, year-over-year data showing everything from how companies are progressing with their vendor management programs to the pace of privacy’s integration with the rest of the organization. Finally, we for the first time have data on cross-border data transfer and GDPR concerns and preparations. It is the most comprehensive benchmarking data for privacy available anywhere — and free to download. [IAPP.org]

US – Clinton, Trump’s Privacy, Security Attitudes Analyzed

The cybersecurity and privacy positions of both presidential hopefuls, Hillary Clinton and Donald Trump. Clinton are analyzed. They both “support expanded investment in cybersecurity technologies, as well as public-private collaboration on cybersecurity innovation.” “Trump has been far less sanguine about existing efforts to keep networks safe,” while acknowledging that compared to other nations, the U.S.’s technical abilities were “so obsolete.” Ultimately, “both major party candidates have called for the U.S. to do more to protect itself against digital attacks and to use digital tools to thwart extremist activity and digital communications, the report adds. [Fast Company]

US – Disposal Rule Now Open to Public Comment, FTC Announces

The FTC has opened its Disposal Rule up to public comment. The rule “requires certain persons who have consumer report information for a business purpose to properly dispose of it by taking reasonable measures to protect it from unauthorized access,” and its review is part of the agency’s “systematic review of all current FTC rules and guides.” The FTC is specifically looking to see if the rule has any economic impacts, if it clashes with other laws, its influence on technological advancement, and whether the agency should expand the definition of “consumer information.” The public comment period extends through Nov. 21. [Press Release]

Yelp, 13 Other App Companies Face the Music After Losing Class Action

U.S. District Judge Jon Tigar has ruled that Yelp and 13 other apps are guilty of violating users’ privacy by uploading their personal information without consent. “The court accepted the fact that Yelp only accessed the email addresses of a user’s contacts to help them find friends on Yelp after receiving consent to do so, and did not save or misuse that information,” said Yelp spokeswoman Rachel Youngblade. “Nonetheless, the court appears to state that an online mobile app must inform a user any time data is transmitted from their phone to the online company to make the app work.” The results of the consolidated class action could set a precedent for other plaintiffs’ successes in similar cases. [Courthouse News]

US – FTC to Look into Facebook, WhatsApp New Data Access Plan

The FTC has announced in a letter to the Center for Digital Democracy and the Electronic Privacy Information Center that it will look into Facebook and WhatsApp’s “change of heart” regarding the messaging service’s privacy practices. Facebook will now access phone numbers and other information that WhatsApp had previously not made available, a switch from plans the social media company established when it purchased WhatsApp in 2014. “The crux of the FTC’s analysis will likely turn on the notice that now appears when a consumer opens the WhatsApp app.” The notice alerts consumers to Facebook’s new terms. “But, if a consumer clicks on a ‘learn more’ link, they will see a button where they can opt out of most of the data sharing.” [Fortune]

US – Snowden on Why He Should Receive a Presidential Pardon

Speaking via video from Moscow during an interview, Edward Snowden outlined the case for President Barack Obama to grant him a pardon before Obama leaves office in January. Snowden said his disclosure on the scale of surveillance being conducted by both U.S. and British intelligence agencies was the morally correct thing to do. While the law may say he should be prosecuted, Snowden said, “that is perhaps why the pardon power exists — for the exceptions, for the things that may seem unlawful in letters on a page but when we look at them morally, when we look at them ethically, when we look at the results, it seems these were necessary things, these were vital things,” he said, adding policies and procedures have changed for the better as a result of his disclosures. [The Guardian]

Privacy Enhancing Technologies (PETs)

US – HPE-IAPP Privacy Technology Innovation Winners Announced

The winners of the annual HPE-IAPP Privacy Innovation Awards have been announced, including for this year’s “most innovative privacy technology.” Two companies received the technology award this year. Vysk Communications has invented the QS1, a smartphone case designed to protect and secure voice calling and allow users a multitude of ways to secure their phone. Protenus offers a new platform for health care organizations needing to find a better system for protecting and controlling access to electronic medical records. The platform consists of two distinct services for health care organizations; one focuses on analytics and protective detection, while a second piece provides forensics and investigation solutions. [IAPP.org]

Security

FTC Opens Safeguards Rule to Public Comment

The FTC announced it would be opening the Safeguards Rule under the Gramm-Leach-Bliley Act to public comment for the purpose of evaluating its ability to protect consumer information. The FTC hopes to determine the economic advantages and disadvantages of the Safeguard Rule, as well as potential clashes it has with state and local laws. However, the result of the comments may not necessarily create change due to the nature of the law itself, said Morrison & Foerster’s Nathan Taylor. The rule “by design puts in place a risk-based process that is both flexible and adaptable,” Taylor said. It’s “specifically designed to be able to respond to changes in technology and changes in the threat landscape.” The comment period will extend to Nov. 7. [Bloomberg BNA]

US – FTC Announces it will Provide Guidance on Ransomware

The FTC has become the most recent regulator to take a closer look at ransomware and its impact on consumers. During the FTC’s September 7, 2016, Fall Technology Series on Ransomware, Chairwoman Edith Ramirez announced that the FTC will soon release guidance to businesses on how to protect against ransomware. According to experts on hand for the event, this pay-to-unlock scheme is the most profitable malware in history. FTC Chairwoman Edith Ramirez said not only is it prevalent and dangerous, but there are also many challenges associated with thwarting it, including its rapid proliferation, the vectors of attack and the vast array of harms. [InsidePrivacy] [Privacy Advisor: At FTC Workshop on Ransomware, FBI says: Don’t Pay] [FTC focuses on combating ransomware]

WW – Ransomware is Spreading Through Cloud Apps

The latest report from Netskope, a cloud access security broker, has revealed how the presence of ransomware is spreading through cloud apps. On average there were 26 pieces of malware found in cloud apps across a given organisation. Of these 26, 43.7% of malware found in enterprises’ cloud apps have delivered ransomware, and 56% of malware-infected files in cloud apps are either being shared with internal or external users, or shared publicly. Ransomware accounts for nearly half of all malware found in organisations. [Information Age] [Nearly Half of Cloud-Based Malware Now Delivers Ransomware]

WW – 3 Essential Steps for Responding to Ransomware Attacks

Likely because most victims comply with their demands, the incidence of attacks by ransomware hackers has exploded in 2016. Guidance issued by the U.S. Department of Health and Human Services in July notes that, on average, there have been 4,000 reported ransomware attacks per day thus far in 2016, far exceeding the average of 1,000 attacks per day last year. While it may be tempting to do so, there are serious risks to this approach. Even if the ransom demanded by a ransomware hacker is not prohibitively expensive, an organization victimized by an attack must bear in mind that simply paying off the hacker is unlikely to make its problems go away. If you believe your organization has been victimized by a ransomware attack, you should proceed as follows, carefully documenting each of the steps. [Workplace Privacy Report]

US – NIST Seeks Feedback from Privacy Pros on Special Publication 800-53

During a government workshop this week, the National Institute of Standards and Technology sought feedback from privacy professionals as it begins its fifth round of revisions on NIST Special Publication 800-53. Of particular concern was “the disconnect between security and privacy controls.”  However, the Department of Homeland Security’s Jamie Danker said that privacy pros’ “equal footing” with security pros in this regard illustrated the profession’s growth. But no one argued the job is done. After nearly two years of real-world application, it has become clear there are blind spots. Danker said it would be helpful to have information on how to better identify a privacy risk. Sean Brooks, a privacy engineer at NIST, said there is not enough information for identifying and solving problems that don’t involve a malicious actor. Another session member said that SP 800-53 should be written in a way that doesn’t just tack privacy on at the end. Privacy and security should be integrated throughout the document because privacy experts rely heavily on security experts and vice versa. There needs to be more communication between them, attendees said. Other concerns included the inability the lack of metrics for implementation of Appendix J and the lack of an assessment process for it. The agenda for the workshop said the goal was to identity “whether changes should be made in the publication’s fifth revision.” The clear consensus from the day was yes, but what those changes should be was far from decided. NIST welcomes comments on the draft of Appendix J and 800-53 through Sept. 30, with the final draft expected in 2017. [IAPP.org] [GCN.com]

Surveillance

US – Seizure of Cell Site Location Information Should Require a Warrant

An advocacy group submitted an amicus brief in support of 3 individual appealing a district court ruling concerning seizure of cell site location information (“CSLI”) from a phone provider. The government seized the CSLI without a warrant, but the Supreme Court has held that the government should first acquire a warrant under probable cause; no exception applied to the CSLI (there was no hot pursuit, inventory search, emergency aid or exigent circumstance). [U.S.A v. Kenneth Benbow, Mark Pray, and Alonzo Marlow – Brief of the Cato Institute as Amicus Curiae In Support of Appellants – In The U.S. Court Of Appeals For The District Of Columbia Circuit | Amicus Brief | Legal Brief]

Telecom / TV

US – State Officials Warn Against FCC Privacy Regulations

Attorney Generals of 16 states wrote to express concerns over a federal proposal that would regulate the privacy practices of broadband providers while exempting big tech companies, saying it would threaten consumer privacy and complicate “an already complex regulatory environment.” ”If this proposed rule moves forward not only may it be read to preempt important state laws that effectively protect consumers’ privacy, but this new approach will also foster a byzantine regulatory environment rather than clear, enforceable requirements that improve data privacy for all consumers,” the group argued. [Washington Examiner]

UK – Report: ISPs Say Government Surveillance Could Weaken Network Security

According to a report from The Internet Service Providers’ Association (ISPA), the majority of UK Internet service providers (ISPs) say they are concerned that government surveillance will undermine their network security and increase the likelihood that their networks will be targets of attacks. ISPs also say they would like to see the government focus on raising consumer awareness and creating greater consistency in law enforcement’s response to reported cyber incidents. [eWeek | Ars Technica]

US Government Programs

US – Customs Office Has Problematic Data Policies, DHS IG finds

The Department of Homeland Security Office of Inspector General has announced findings that the U.S. Customs and Border Protection’s Office of Professional Responsibility has shared too much personally identifiable information, “putting its mission ahead of protecting sensitive personal data.” A request from Sen. Tom Coburn, R-Okla., catalyzed the review, which found that while the agency did not violate the Privacy Act of 1974, many of its practices were questionable and needed repurposing. “We believe the manner in which CBP OPR shared the sensitive PII showed a lack of regard for, and may have compromised these individuals’ privacy,” the OIG report states. The CBP OPR agreed with the OIG’s guidance to remedy policies and better train employees, and has 90 days to provide the OIG with an action plan. [Federal Times] [Customs investigators violated privacy of thousands]

US – Gov’t Releases Guidance on Senior Privacy Roles

The U.S. federal government has released updated guidance on the role of the senior agency official for privacy (SAOP). The Office of Management and Budget’s guidance asserts the SAOP has to serve in a “central leadership position” and have the “necessary authority and expertise” to lead the agency on all things privacy. The establishment of SAOPs at every agency comes as part of an update to Circular A-130 — the resource for government agencies’ information-management protocols — and follows the establishment of a Federal Privacy Council via U.S. President Barack Obama’s Executive Order, issued in February. In a blog post, Marc Groman, senior advisor for privacy at OMB, said the guidance “recognizes that the success of an agency’s privacy program depends upon its leadership. Further, the guidance joins a growing list of actions this administration has taken to support the federal government’s protection of privacy … to help ensure that agencies take a coordinated approach to addressing privacy and information security.” Most importantly, the U.S. federal government now recognizes the vital role that privacy professionals play in evaluating legislative and regulatory efforts that involve and depend upon personal data. “The SAOP shall ensure that the agency considers and addresses the privacy implications of all agency regulations and policies,” the memo reads, “and shall lead the agency’s evaluation of the privacy implications of legislative proposals, congressional testimony, and other materials.” Time is of the essence. Each agency now has 60 days to look at who’s handling privacy at their agency and then either designate that person to be the SAOP, officially, or choose another person to serve that role. Further, the guidance requires the SAOP to “take a central role at the agency in policy development and evaluation, privacy compliance, and privacy risk management.” Most importantly, however, “agencies should recognize that privacy and security are independent and separate disciplines. While privacy and security require coordination, they often raise distinct concerns and require different expertise and different approaches.” In fact, “the distinction between privacy and security is one of the reasons that the Executive Branch has established a Federal Privacy Council independent from the Chief Information Officers Council,” the memo states. [IAPP]

US Legislation

US Legislative News

Workplace Privacy

WW – Would You Hand Over Your Social Media Account Details for A New Job?

According to one vendor, as of 2013, 93% of recruiters were likely to look at a candidate’s social profile, and 42% had been moved to give the thumbs-up or -down based on what they turned up. There have been various tools put forth that make it easier for employers to get at your “true” self. Now, there’s another such tool to go beyond just plain old running a search on a candidate. Called The Social Index, the online service promises to rifle through the digital footprints of short-listed job candidates and present employers or recruiters with a report. That report is an infographic that, the company claims, maps out a candidate’s “personal brand.” It crunches data from Facebook, Twitter and LinkedIn. According to a report from Mashable, The Job Index focuses on those three social platforms partly because they’re common, but also because, typically, they’re the ones most relevant to a company’s client activities or reputation. It takes about 30 seconds for the candidate to be analyzed before their “social footprint” is ready. Within 24 hours the report will be delivered to both the client and the job seeker. As of 2013, 93% of recruiters were likely to look at a candidate’s social profile, and 42% had been moved to give the thumbs-up or -down based on what they turned up. [Naked Security] See also: [This software start-up can tell your boss if you’re looking for a job] and [Your employer may know if you’re quitting before you say so, thanks to Jobrate]

US – Tech Company to Release Sensor-Based Employee Badge

Boston-based tech company Humanyze has developed an employee badge that senses speech and movement to measure productivity, set for October release. The device, dubbed a “Fitbit for your career,” is “slightly larger than … a credit card” and has two microphones to record sounds — except when users go to the restroom. The company maintains that it doesn’t record the content of conversations; that managers cannot look at a specific individual’s data, and that employees choose whether or not to use the badge. “If you don’t give people choice, if you don’t aggregate instead of showing individual data, any benefit would be dwarfed by the negative reaction people will have of you coming in with this very sophisticated sensor,” said Humanyze CEO Ben Waber. [The Washington Post]

WW – IoT-Tricked Office Not a Privacy Problem, But the Future

Staff at Futurice, a Helsinki-based, digital innovation consultancy created an “indoor mapping” system of tracking temperature, bathroom usage, and free desk space which has some worried about privacy, surveillance and data collection, while others maintain connecting offices in this way is the new future of internet of things development. The Futurice model is opt-in, and no data is tracked or stored. “It’s just what’s happening near me right now,” said Futurice’s Paul Houghton. Tools like this are only the beginning, some say. “We’re merely scraping the surface of what could be achieved if more offices look at how they can adopt the internet of things and data to improve everything from operations to sales, and happiness to product development,” said Tech City UK’s Gerard Grech. [The Guardian]

+++

 

 

26 August – 06 September 2016

Biometrics

WW – Hackers Trick Facial-Recognition Logins With Photos From Facebook

Researchers have demonstrated a disturbing new method of stealing a face: one that’s based on 3-D rendering and some light Internet stalking. Security and computer vision specialists from the University of North Carolina presented a system that uses digital 3-D facial models based on publicly available photos and displayed with mobile virtual reality technology to defeat facial recognition systems. A VR-style face, rendered in three dimensions, gives the motion and depth cues that a security system is generally checking for. The researchers used a VR system shown on a smartphone’s screen for its accessibility and portability. Their attack, which successfully spoofed four of the five systems they tried, is a reminder of the downside to authenticating your identity with biometrics. By and large your bodily features remain constant, so if your biometric data is compromised or publicly available, it’s at risk of being recorded and exploited. Faces plastered across the web on social media are especially vulnerable. [Wired]

UK – Met Police Rolls Out Real-Time Live Face-Spotting Tech

London’s Metropolitan Police will trial an automated facial recognition system to identify people at this weekend’s Notting Hill Carnival. This is only the second time that British cops have openly trialled live automated facial recognition (AFR) systems in the UK. Last year, Leicestershire Police also trialled AFR at Download Festival – though this was found to not have been part of the policing plan for the event and police didn’t bother assessing how effective it was after the event. According to the Met, the AFR system “involves the use of overt cameras which scan the faces of those passing by and flag up potential matches against a database of custody images. The database has been populated with images of individuals who are forbidden from attending Carnival, as well as individuals wanted by police who it is believed may attend Carnival to commit offences.” The government’s Surveillance Camera Commissioner, Tony Porter, said that “the Surveillance Camera Code of Practice requires relevant authorities such as Local Authorities and Police Forces to ensure they use surveillance cameras effectively, efficiently and proportionately. “Even if the use of AFR complies with the code, the Met’s collection of custody images has been a greater source of controversy. In his annual report earlier this year, the Biometrics Commissioner warned that the Home Office was cruising for a lawsuit in this area, particularly after a High Court ruling in 2012, R (RMC and FJ) v MPS, in which Lord Justice Richards found: [T]he just and appropriate order is to declare that the [Metropolitan Police’s] existing policy concerning the retention of custody photographs … is unlawful. It should be clear in the circumstances that a ‘reasonable further period’ for revising the policy is to be measured in months, not years. According to a Freedom of Information request made by pressure group Liberty last year, however, in the three years since the ruling the Met confessed it had only deleted 560 persons’ images because “the current I.T. system which holds MPS custody images was not designed or built to accommodate a complex retention policy.” In response to a Parliamentary question reported in the Birmingham Mail, Baroness Williams of Trafford reported that by 15 July this year, there were “over 19 million custody images, which may include images other than of faces, uploaded by forces onto the PND (Police National Database).” “Of these, 16,644,143 had been enrolled in the facial image recognition gallery and are searchable using automated facial recognition software,” Williams revealed – a figure representing roughly a quarter of the UK’s entire population. This area is expected to receive enhanced attention when the Home Office publishes its long-awaited Biometrics Review, as well as its Custody Images Review. Though both of these have been completed, the Home Office has not published them, which The Register’s sources have claimed is a result of redrafting the “rubbish” reports. [The Register]

Big Data

WW – Tech Giants Explore AI Ethics Standards Group

With the rise of artificial intelligence, some of the world’s biggest tech companies are commencing informal talks on how best to develop an ethical and self-policing framework for the burgeoning technology. Alphabet, Amazon, Facebook, IBM and Microsoft have been meeting to discuss its impact on jobs, transportation and warfare. Though a name for the standards group has not yet come to light, four people familiar with the meetings said the group intends to “ensure AI research is focused on benefiting people, not hurting them.” Stanford University has also released a report funded by Microsoft researcher Eric Horvitz. The report, titled “Artificial Intelligence and Life in 2030,” contends that it will be impossible for government to regulate AI. “The study panel’s consensus is that attempts to regulate AI in general would be misguided, since there is no clear definition of AI (it isn’t any one thing), and the risks and considerations are very different in different domains.” [The New York Times reports]

WW – Are Algorithms ‘Weapons of Math Destruction’?

Remember the 2008 financial crisis and the “dark financial arts” that caused it? Cathy O’Neil sees parallels between those calamitous days and the use of big data today. In her new book, “Weapons of Math Destruction,” O’Neil, a Harvard-trained mathematician who used to ply her talents on Wall Street, argues that, the “discriminatory and even predatory way in which algorithms are being used in everything from our school system to the criminal justice system is really a silent financial crisis.” To solve the problem, O’Neil has proposed a Hippocratic Oath for mathematicians and a host of regulatory reforms. [Time]

Canada

CA – NL OIPC Issues Guidelines on Legal Advice Exemption

The Newfoundland and Labrador (NL) OIPC has issued guidelines on applying the legal advice exception found in section 30 of the Access to Information and Protection of Privacy Act, 2015

  • The guidelines rely heavily on the decision by the NL Supreme Court in Newfoundland and Labrador (Information and Privacy Commissioner) v. Eastern Regional Integrated Health Authority, 2015 NLTD(G) 183 (Eastern Health case).
  • The Court in the Eastern Health case reviewed the current state of the law regarding solicitor and client privilege.
  • The guidance document annotates and summarizes the court’s review of both solicitor-client and litigation privileges, both of which are covered by the legal advice exception.
  • When relying on these exceptions the NL OIPC noted that “public bodies should consider the scope and intention of the privilege.”
  • The NL OIPC affirms that if a public body is relying on the exception of solicitor and client (legal advice) it must be able to show that:
  1.   the document was a communication between a solicitor, acting in his or her capacity, and the client;
  2.   the communication entailed the seeking or giving of legal advice, AND
  3.   the communication was intended to be confidential.
  • If a public body is relying on litigation privilege it must be able to show that:
  1.   the dominant purpose for the preparation of the document must be the litigation in question, AND
  2.   litigation must have been in reasonable contemplation at the time of preparation of the document.

Source: [OIPC NFLD – Section 30 – Legal Advice]

E-Mail

US – Yahoo Email Scanning Settlement Garners Criticism

Yahoo has agreed to a settlement on its alleged scanning of user emails, but is making no plans to stop the practice. The tech giant was accused of scanning emails without user consent. The lawsuit was one of six requesting Yahoo to halt its monitoring activities. The settlement awarded $4 million, but none of it will go to the public, with the entirety of the award going to lawyers. The settlement also allows Yahoo to continue to look over user emails without non-Yahoo users’ consent. Yahoo now agrees to only scan the emails when they are on its servers, not while they are in transit. [Ars Technica]

Encryption

US – Tech Companies Use Encryption as Marketing Tool, Not a Security One: FBI Director

At the 2016 Symantec Government Symposium, FBI Director James Comey discussed the problems of encryption by default and the need for a backdoor, maintaining that tech companies tout encryption not for security’s sake but for marketing’s. “What has happened in the three years I’ve been Director [of the FBI], post-Snowden, is that that dark corner of the room, especially through default encryption, especially through default encryption on devices, that shadow is spreading through more and more of the room,” he said. Technologists countered that his comments over-simplify the issue. “But when you look into it, what they’re really asking for is dramatic, it’s a huge thing,” said Errata Security CEO Robert Graham. “They’d need to outlaw certain kinds of code.” [The Daily Dot]

EU Developments

EU – EU Regulators to Look at Facebook-WhatsApp Changes

Fall out from recently announced plans for WhatsApp to share user data with parent company Facebook continue. The Wall Street Journal reports the Article 29 Working Party said it is following changes to WhatsApp’s privacy policy “with great vigilance.” Additionally, privacy advocates, including the Electronic Privacy Information Center and the Center for Digital Democracy, have filed a complaint with the U.S. Federal Trade Commission, arguing proposed changes that allow it to use WhatsApp user data for “marketing purposes” is an “unfair and deceptive trade practice.” Delhi’s High Court in India has asked the government, specifically the Telecom Regulatory Authority of India, for its response to the privacy policy changes. The New York Post reports that, in addition to individual users, businesses are also concerned about the changes, particularly how it can protect corporate and user data that is shared when companies communicate via WhatsApp with their consumers. [Full Story]

Facts & Stats

WW – Airbnb Releases First Transparency Report on Law Enforcement Requests

Airbnb has released its first transparency report on the amount of law enforcement data requests it has received. Airbnb provided data on 82 of the 188 requests sent to it from law enforcement agencies during the first six months of 2016. The report is published as part of Airbnb’s Community Compact initiative, where the home-sharing company works to become more transparent to the public and local governments in the cities where it operates. “We’re building a more transparent community and sharing data about our community with the general public,” said Airbnb spokesman Christopher Nulty. “We felt that this is an important first step. In the future, we’ll look to share additional sorts of data about our community.” [TechCrunch]

Filtering

WW – Google to Tweak Search Result Algorithm to Favor Sites that Make Content Readily Accessible

Google plans to alter its search result ranking algorithms so sites that have pop-up advertisements or interstitial pages that interfere with users’ ability to view content are less favored. Google cites examples of techniques that interfere with viewing content: pop-ups that cover portions of the main content; interstitial pages that must be closed before being able to view content; and advertisements that fill web browsers’ screens so users must scroll down to access content. Exceptions will include pop-ups that tell users about the use of cookies, and pages that require login information. [BBC: Google punishes sites with pop-up adverts | – Google Blog: Helping users easily access content on mobile]

Finance

US – FTC Opens Public Comment on Safeguards Rule

The Federal Trade Commission is asking for public comment on its Safeguards Rule as the agency reviews its rules and guidelines. The Safeguards Rule requires financial institutions to create and maintain comprehensive information security programs for handling customer data. “The FTC seeks comments on a number of questions, including the economic impact and benefits of the Rule; possible conflict between the Rule and state, local or other federal laws or regulations; and the effect on the Rule of any technological, economic or other industry changes,” the agency’s announcement said. In another blog post, FTC Chief Technologist Lorrie Cranor previews the agency’s “Putting Disclosures to the Test workshop.” The event will cover topics including measuring disclosure effectiveness and whether consumers actually pay attention to a disclosure. [FTC]

WW – Google, Amazon Offer to Build Wall Street Database

Major tech companies are vying for the right to build a new database for the Securities and Exchange Commission designed to track stock and options trading from exchanges and broker-dealers on a daily basis, Bloomberg reports. Amazon and Google’s parent company, Alphabet Inc., are looking to help build the Consolidated Audit Trail database, designed to host exchanges in the cloud, but will also hold personal information on more than 100 million customer accounts. Brokers and bankers are concerned about the database’s construction, fearing problems from data breaches and technology firms asserting themselves within the financial industry. “This is a huge opportunity for Amazon and Google,” said Harvard University Senior Fellow Jo Ann Barefoot. “Their involvement in this project I do think is a threat to the incumbents. If big tech firms can win more trust in Washington, that’s one of the biggest challenges facing banks.” [Full Story]

CA – 80,000 People Suffer Pay Crisis in Canada After IBM System Debacle

No-one in Canada can accuse public servants of being overpaid these days. The crisis affects 80,000 employees or almost one third of Canada’s federal public servants. Thanks to a massive breakdown of the Federal Government’s new, privatised pay system, tens of thousands of Canadian public servants have been going weeks, even months with reduced pay — or in many cases, no pay at all. It is a crisis on a huge scale for Prime Minister Justin Trudeau’s new Government, and the cause of thousands of crises on an individual level, with people forced to borrow money or max out their credit cards to make ends meet. [ABC News]

FOI

CA – AB OIPC Probes ‘Chronic’ Delays in Meeting Access Requests

Alberta’s privacy commissioner has launched an investigation into the justice department for she calls “chronic” delays in responding to freedom of information requests. The Information and Privacy Commissioner’s office said it has issued eight orders since February, after it found instances where the department did not meet the 30-day time limit for responding to an access requests under the Freedom of Information and Protection of Privacy Act. “Essentially, there has just been no response to the applicant to those requests, which is a significant compliance issue within the legislation.” Included in the orders issued by the OIPC are requests for communication records between an individual and Crown counsel, the entire file of a named individual with an Alberta Serious Incident Response Team file number, emails relating to a named individual, and an applicant’s request for records of his employment. Time extension requests, along with delays in responding to requests, have become an issue within the justice department as well. Pprivacy commissioner Jill Clayton said the justice department’s “apparent systemic issue” of not responding to access requests within the time limit is a “significant” compliance issue. There is no penalty under the act for delays in complying with the time limit. The investigation will review the department’s process for dealing with access requests to determine the reasons for the delays, and will make recommendations to improve its compliance. An emailed statement from press secretary on behalf of justice minister Kathleen Ganley said the government takes the concerns raised by the Information and Privacy Commissioner “extremely seriously.” [CBC News]

CA – Secretive Drug Policies Putting Injured Workers at Risk, Critics Say

It’s the body tasked with recommending which drug treatments are covered for tens of thousands of injured workers across the province. But no minutes are taken at its meetings, its members are a secret, possible conflicts of interest are not publicly reported and the full list of drugs subsidized by Ontario’s worker compensation board is unknown. Critics say that lack of transparency surrounding the Workplace Safety and Insurance Board’s Drug Advisory Committee and its overall drug policies are compromising the care of often-vulnerable injured workers — who sometimes have no idea whether drugs prescribed by their doctor will be paid for by the board until they’re out of pocket at the pharmacy. [The Star]

UK – New UK Commissioner Sets Out FOI Plans

In her first interview since becoming UK commissioner in July, Ms Denham told me about her plans for the FOI side of her new responsibilities. Ms Denham particularly wants to improve the transparency of public services delivered by private companies, as more and more national and local state functions are outsourced. She says she will be raising this issue with ministers. “Private contractors above a certain threshold for a contract or doing some specific types of work could be included under the FOI Act. The government could do more to include private bodies that are basically doing work on behalf of the public,” she says. The new commissioner also plans to review how her office tackles public authorities with a poor track record of handling FOI requests. [BBC]

Genetics

CA – Free DNA Tests Offered After Two Cases of Manitoba Men Switched at Birth

After four men revealed they were switched at birth at Norway House, Health Canada is offering free DNA tests to others born there in the mid-1970s. Two men from Norway House announced last week — and two men from nearby Garden Hill revealed last year — that they had been switched at birth at the federally run hospital in 1975. David Tait Jr. and Leon Swanson cried in front of news cameras Friday after receiving initial DNA test results. Tests last November showed Luke Monias and Norman Barkman also went home from the hospital with each other’s families. The two cases have raised the question of whether there could be more. Health Canada spokesman Eric Morrissette said Tuesday that the department is offering free DNA tests to anyone born at the Norway House hospital in the mid-1970s. [The Canadian Press]

Health / Medical

US – Facebook Argues No Concrete Harm from Disclosure of Health-Related Internet Communications

Facebook Inc. et al. have filed a reply to support their motion to dismiss a class action complaint by Winston Smith et al., alleging unlawful collection, use and disclosure of personal information. The social media company argued that its targeted advertising based on disclosures from various medical websites (of static links to public web pages) did not violate user privacy; the URLs disclosed indicated whether someone visited a website (sensitive medical information was not disclosed), many of the websites’ policies and procedures expressly stated that the URLs would be disclosed, and the individuals failed to take available measures to safeguard their information (e.g. by opting-out). [Smith et al. v. Facebook Inc. et al. – Defendants Joint Reply in Support of Motion to Dismiss the Complaint – US District Court for the Northern District of California, San Jose Division]

US – EHR Burden Weighs Heavily on Physicians, Leads to Burnout

Physicians are spending more time with patients’ electronic health records (EHRs) than they are with the patients themselves, according to an observational study looking at the allocation of physician time in ambulatory practice. For every hour of clinic time they spend with patients, physicians spend approximately 2 additional hours on EHR and desk work during office hours, Christine Sinsky, MD, vice president of professional satisfaction at the American Medical Association (AMA), and colleagues report in an article published online September 6 in the Annals of Internal Medicine. In addition to the time physicians spend at the office, they also spend another 1 to 2 hours on computer and other clerical work during their personal time each day. This finding adds to the growing body of evidence suggesting that the current generation of EHRs adds to physicians’ daily administrative burden and, as a result, may be increasing rates of professional burnout. [MedScape] SEE ALSO: [Recent study | Another study | Medscape EHR Report 2016]

CA – Computer Medical Records Breached at Grey Bruce Health Services

An investigation was initiated after four individuals came forward with concerns about access to personal information within their electronic medical records. Results of the investigation indicate that a former employee inappropriately accessed the electronic medical records of 246 individuals over a seven year period from January 2008 to September 2015. All individuals involved in the privacy breach have been notified in writing, and a summary of the investigation has been given to the province’s Information and Privacy Commissioner. This privacy breach does not impact any test results or diagnosis. This breach involves one individual who accessed electronic medical records for no work-related reason and appears to be related to personal curiosity. [Blackburn News]

Horror Stories

WW – Hackers Dump Data from Dropbox’s 2012 Hack Online

Unidentified hackers have dumped the stolen user passwords and emails from more than 68 million Dropbox users online. The data was from a 2012 hack that Dropbox had then reported only included passwords, and at the time compromised more than two-thirds of its customer base, the report states. “The hack highlights the need for tight security, both at the user end — the use of strong passwords, two-step authentication and no reuse of passwords — and for the companies storing user data,” the report adds. “Even with solid encryption practices for securing users’ passwords, Dropbox fell [a]foul of password reuse and entry into its company network.” [The Guardian ]

UK – Reported UK Data Breaches Soar 88% in a Year

The volume of data breach incidents reported to the Information Commissioner’s Office (ICO) has almost doubled in the space of a year, according to a new Freedom of Information (FoI) request. The figure rose from 1,089 in the period April 2014-March 2015 to 2,048 in virtually the same period a year later, according to Huntsman Security. Health, local government and education were the worst performing sectors in terms of the volume of breaches disclosed, accounting for 64% of the total in 2015-16. However, financial organizations were the worst hit by ICO fines. Despite accounting for fewer than 6% of incidents they were on the receiving end of 33% of the watchdog’s financial penalties during the period, which hints at the severity of these breaches. In three-quarters of the total number of cases, no action was taken by the ICO, either suggesting that the incidents themselves were fairly innocuous or that the watchdog needs to grow some sharper teeth. It’s believed that incoming commissioner Elizabeth Denham may be less forgiving of organizations in this regard than her predecessor. Data disclosed in error accounted for the vast majority of reported breaches (67%), followed by security incidents (30%). [InfoSecurity]

Identity Issues

US – NIST Publishes Major Revisions to Digital Authentication Guidance

The National Institute of Standards and Technology released a major update to Special Publication 800-63 for digital authentication. The third version was published Aug. 30, and divides the digital authentication document into four sections: digital authentication guidelines, enrollment and identity proofing, authentication and lifecycle management, and federation and assertions. The third revision has already received more than 200 comments. Michael Garcia, deputy director at NIST’s National Strategy for Trusted Identities in Cyberspace, said identity proofing is “a complete re-write,” based off good practices guidance like the kind seen in Canada and the UK. “It’s much more about the characteristics of quality evidence and the outcomes of the event itself,” Garcia said, pointing out that the Federations and Asserts document was practically all new. According to the draft, this type of system “is preferred over a number of siloed identity systems that each serve a single agency or RP [relying party].” the draft states. The benefits of “federated identity architecture,” NIST says in its draft, include enhanced privacy, data minimization, cost reduction and enhanced user experience. Garcia said the third iteration reflects a better understanding of the digital authentication space, however, “we’re not there yet.” [Federal News Radio]

WW – Identity Governance Red Flags Identified

Five of the most common warning signs that a company is struggling with identity governance issues are identified. They include orphaned accounts, poorly defined certification processes, inadequate access request approvals, lack of segregation-of-duty controls, and independent processes across the organization. The issues are very typical and can lead to employee-catalyzed breaches. “Fortunately, the right identity governance and intelligence solution can solve these issues to minimize your security risks and help you systematically achieve and manage your regulatory compliance.” [SecurityIntelligence]

UK – One in Five Mothers Say They Chose Wrong Name for Their Child: Poll

One in five mothers feels “namer’s remorse” and would pick another name for their child if they had the choice, according to a survey before this week’s annual announcement on baby names. Names most frequently regretted were Charlotte, Amelia, Anne, Daniel, Jacob, James and Thomas. Of the 245 mothers who regretted the names they gave their children, 12% “always knew it was the wrong choice”, 3% knew from the moment the child was born, 8% knew within a couple of days, 32% knew within the first six weeks and 23% began to regret their choice when their children first started nursery or school. The main reason for regretting the name was that it was too commonly used (25%). Just over one in five mothers who regretted their choice said it “just doesn’t feel right”. One in five said they had never liked the name but had been pressured into using it. Just over 10% of mothers said the name did not suit their child. Another 11% said it was not distinctive enough. A further 11% said it caused their child problems with spelling or pronunciation. Six percent regretted their choice because they disliked the shortened version of the name their child ended up being called. Only 3% pinned their regret on the fact there had been a change in public perception of the name since their child was born. Just 1% regretted their choice because a celebrity had used the name for their child. The consolation is that most children grow into their names – and those who don’t can always fall back on middle names, nicknames or (in extremis) deed polls.” Just 6% of mothers, however, have changed any of their children’s names, although one in three has considered it. [The Guardian]

Law Enforcement

CA – Ottawa Police Introduce Automatic Licence Plate Scanners, Privacy Concerns Raised

Technology that will allow Ottawa police to scan up to 5,000 licence plates per hour has already netted results in the city, while privacy advocates are voicing their concerns over how the data will be collected and safeguarded. Police unveiled the first Ottawa Police Service cruiser to implement the Automatic Licence Plate Recognition technology – a device with three all-weather infrared cameras mounted to the roof, with the ability to scan and record licence plates in multiple lanes of traffic and in multiple directions. The readings are fed into a database, and the officer is alerted to potential offenders within seconds if the plate number matches the police “hot list.” In accordance with the Ontario Privacy Commission’s stringent guidelines, Ottawa police have agreed to track data only for offenders – one of the ACLU’s primary recommendations. That information will be stored for five years, while licence plates of “non-hit” vehicles are immediately purged from the data bank. [Ottawa Citizen]

US – Alaskan Police Force Removes Body Cameras, Citing Privacy Fears

The Kodiak, Alaska, police department has stopped using body cameras, citing privacy and effectiveness concerns. While the department’s initial use of the technology in February 2015 “appeared beneficial to the community,” issues arose, said Kodiak Police Chief Rhonda Wallace. Among technological concerns and attachment problems, officers were fearful that the cameras were hurting citizen privacy, especially when they interacted with people on their “worst days” or when they had to deliver sensitive information. The police removed the cameras in December 2015, a move that has caused some controversy as police cameras successfully bolstered an autistic man’s suit earlier that year. “Once a person’s right to privacy has been addressed, we’ll work toward getting the program back up and using them again,” said City Manager Aimee Kniaziowski. [Govtech] [govtech.com]

CA – Cape Breton Prostitution Sting Raises Public Shaming Concerns

Experts in privacy and civil rights are raising questions about a police news conference that identified 27 men caught in a Cape Breton prostitution sting, saying the move amounted to unnecessary “public shaming.” “Public shaming is not something that our justice system should promote … [and] when you release names to try to deter others that sounds like public shaming to me,” said a spokeswoman for the Canadian Civil Liberties Association. “Deterrence is a feature of our criminal justice system, but we usually leave that to the sentencing process.” Last week, provincial court Judge Brian Williston rejected a legal challenge from one of the accused, saying police have the discretion to release personal information to the media, so long as it does not jeopardize a fair trial. However, the lawyer for John Russell Mercer, 73, argued in court that the news conference last September was akin to “locking someone in the stocks” — a form of public humiliation that violated his client’s rights under Section 7 of the Charter of Rights and Freedoms. But the judge disagreed, saying the information released by Cape Breton Regional Police was “limited to what was already accessible to the media and the public.” Deshman said that line of reasoning doesn’t recognize the impact of holding a news conference to draw attention to the accused. [The Canadian Press]

Location

US – Location Privacy and Use of ALPR at Airports

I’d just finished parking my car in the covered garage at Reagan National Airport when I noticed a dark green minivan slowly creeping through the row behind me. The vehicle caught my attention because its driver didn’t appear to be looking for an open spot. What’s more, the van had what looked like two cameras perched atop its roof — one of each side, both pointed down and slightly off to the side. I had a few hours before my flight boarded, so I delayed my walk to the terminal and cut through several rows of cars to snag a video of the guy moving haltingly through another line of cars. I approached the driver and asked what he was doing. He smiled and tilted the lid on his bolted-down laptop so that I could see the pictures he was taking with the mounted cameras: He was photographing every license plate in the garage (for the record, his plate was a Virginia tag number 36-646L). The man said he was hired by the airport to keep track of the precise location of every car in the lot, explaining that the data is most often used by the airport when passengers returning from a trip forget where they parked their vehicles. I checked with the Metropolitan Washington Airports Authority (MWAA), which manages the garage, and they confirmed the license plate imaging service was handled by a third-party firm called HUB Parking. “Reagan National uses this service to assist customers in finding their lost vehicles,” said MWAA spokesperson Kimberly Gibbs. “If the customer remembers their license plate it can be entered into the system to determine what garages and on what aisle their vehicle is parked.” What does HUB Parking do with the information its clients collect? Ilaria Riva, marketing manager for HUB Parking, says the company does not sell or share the data it collects, and that it is up to the client to decide how that information is stored or shared. “It is true the solution that HUB provides to our clients may collect data, but HUB does not own the data nor do we have any control over what the customer does with it,” Riva said. Gibbs said MWAA does not share parking information with outside organizations. [Krebs on Security]

Online Privacy

US – Online Tool Allows Users to Inspect Banks’ Privacy Notices

Computer scientists at Carnegie Mellon have developed an online tool designed to help users examine banks’ privacy notices. The tool, simply titled “Bank Privacy” inspects the notices of a user’s bank, and other banks within the area, giving the user the opportunity to possibly find a bank with a privacy notice they prefer. “We collected lists of financial institutions in the United States and wrote a computer program that automatically queries Google in search of companies’ standardized notices on their websites,” Carnegie Mellon wrote in a paper on the subject. “Upon finding such a notice, the program automatically parses the standardized notice and feeds the extracted information into a database, enabling a large-scale comparison of financial institutions’ privacy practices.” [Motherboard]

WW – Survey: Indians Most Likely to Share Sensitive Info on Public Wi-Fi Hubs During Vacation

An Intel Security survey of 13,960 respondents across 14 nations found that at 31%, India boasts the most leisure travelers comfortable with sharing personal information over public Wi-Fi. Among the personal information is credit card data, usernames and passwords, the report states. “More than one out of three Indians (36%) share their personal data even when they realize that this will make them vulnerable,” the survey states. This is potentially problematic as cyber thieves target public Wi-Fi with increased frequency. [Business Standard]

US – Facebook in Privacy Fail as Psychiatrist’s Patients Are Recommended to Become Friends With Each Other

Facebook’s mission, as defined by its founder Mark Zuckerberg, has always been to ‘connect the world’, but now it seems the social media giant has gotten too good at doing just that. Every Facebook user is familiar with the ‘People You May Know’ section of the site, which lists people with whom you have friends in common, or in whose photos you’ve been tagged. But Facebook seemingly takes other factors into account when suggesting whom you should friend, including phone contacts, and possibly geographical proximity. According to Fusion writer Kashmir Hill, she has been contacted recently by a psychiatrist named Lisa who discovered that Facebook had started recommending her own patients as potential friends. The mental health professional, who lives in a small town, was surprised and troubled by this development, since she was an infrequent Facebook user and had not granted the app access to her phone contacts.  However, upon reviewing her Facebook profile, Lisa realized that she had shared her own phone number on the social media site. The matter took a more disturbing turn when one of her patients, a snowboarder in his 30s, came to her saying that he had begun getting recommendations to ‘friend’ septuagenarians with whom he had nothing in common, and whom he never met. Sometime later, another patient of Lisa’s got a friend suggestion on Facebook for a person she recognized from a chance encounter in the office’s elevator. Now the woman had another patient’s full name and other personal information listed on his social media profile. ‘It’s a massive privacy fail,’ said Lisa, who asked Fusion not to use her real name. ‘I have patients with HIV, people that have attempted suicide and women in coercive and violent relationships.’ As a precaution, the psychiatrist and her colleagues in the medical community now urge their patients not go on Facebook while at the office, or even leave their phones at home when going for an appointment. However, Facebook says its friend-finding algorithm does not rely on geographic proximity. An alternative theory is that Lisa’s patients began popping up on each other’s Facebook pages because they have her phone number in their own phones, which the social network’s algorithm then possibly used to link them up. In a statement to Fusion, Facebook could not confirm that hypothesis, but a spokesperson said that the ‘People You May Know’ function uses a variety of data to source its suggestions, including mutual friends, phone contacts, school and work information, and networks to which users belong. [Daily Mail]

Other Jurisdictions

AU – NSW Gov’t Rejects Legal Remedies for Invasions of Privacy

The NSW government has knocked back the advice of its law and justice committee to adopt new legal protections that would allow residents to take court action against serious invasions of their privacy. Attorney-general Gabrielle Upton rejected the recommendation following the committee’s nine-month investigation into the remedies available to individuals who feel their personal privacy has been breached. The laws recommended by the NSW committee could have seen individuals handed the ability to sue people and organisations alike for serious breaches of privacy. Existing privacy laws only apply to government agencies and businesses with a turnover greater than $3 million per annum, and govern how they must store and manage personal data. Instead of introducing a privacy tort, the NSW government has indicated it will tweak existing criminal legislation to outlaw the “non-consensual sharing of intimate images” or ‘revenge porn’. She said in the absence of a uniform national law addressing the issue – which to date has been ignored by the Commonwealth – a NSW-only course of action would create inter-jurisdictional headaches for business and would open the Australian courts system up to “forum shopping” for preferential conditions by litigants. However, NSW has not ruled out continuing to lobby for a federal law with the help of its fellow states and territories. [Source]

WW – The World is Looking to the US for Third Party Risk Guidance

As more organizations here in North America and overseas increasingly utilize third party vendors with a global presence to perform critical functions, process key transactions and provide exposure to sensitive proprietary information, those organizations with mature third party risk (TPR) programs are receiving a loud call to provide assistance to those new to the TPR field. This issue is also not a US-centric challenge; organizations globally are struggling with standardization as well. Robin Jones, of the UK’s Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA) discussed the fact that innovation in technology is receiving the strongest emphasis in the prudential specialists unit and that the unit is focused on those issues that surround events that involve an organization’s third parties (1). He further added his unit is paying renewed focus on technology resiliency and outsourcing (termed “TRO”) and that the FCA’s Cyber Risk Team is monitoring these elements of soundness and risk with the industry. [Huffington Post]

Privacy (US)

US – Google to Pay $5.5 Million for Sneaking Around Apple’s Privacy Settings to Scoop User Data

Google has agreed to pay a $5.5 million settlement in a class-action suit that resulted from cookie placement that worked around Apple Safari do-not-track settings. The lawsuit suggested Google collected the user data to boost ad revenue. “Behaviorally targeted advertisements based on a user’s tracked internet activity generally sell for at least twice as much as non-targeted, run-of-network ads,” the suit said. The settlement money will be sent to six technology and privacy groups, including the Berkeley Center for Law & Technology and the Center for Internet & Society at Stanford.Editor’s Note: Find the facts and analysis of the FTC settlement with Google in our FTC Casebook. [SiliconBeat]

US – Court Ruling Is A ‘Fatal Blow’ to Consumer Protections, Advocates Say

Companies such as Google and Facebook thrive on your personal data — the bits of information that tell advertisers how old you are, what brands you like and how long you lingered on that must-see cat video. Historically, how these companies use this data has been subject to oversight by the Federal Trade Commission, the government’s top privacy watchdog. A big court defeat for the FTC this week is putting the agency’s power to protect consumers in jeopardy, analysts say. The ruling could wind up giving Google and Facebook — not to mention other companies across the United States — the ability to escape all consumer-protection actions from the FTC, and possibly from the rest of government, too, critics claim, unless Congress intervenes. In the wake of the setback, the FTC is mulling an appeal — which would mean either asking for a rehearing at the U.S. Court of Appeals for the 9th Circuit, or escalating to the Supreme Court, according to a person close to the agency. But unless regulators can persuade the courts to overturn Monday’s decision, the result will be “a fatal blow” to consumer protection, said Jeffrey Chester, executive director of the Center for Digital Democracy. [Washington Post]

US – Clinton Campaign Switching to ‘Snowden-Approved’ Signal Messaging App

Following suspected Russian hacks of the DNC and the subsequent release of email messages through WikiLeaks, the Hillary Clinton campaign is said to be taking security advice from an unusual source: Edward Snowden. According to a new Vanity Fair article, campaign staffers were told: “If anyone was going to communicate about Donald Trump over e-mail or text message, especially if those missives were even remotely contentious or disparaging, it was imperative that they do so using an application called Signal…Signal, staffers in the meeting were told, was ‘Snowden-approved.’“ Signal is a messaging app for iOS and Android that allows for encrypted communication. The Clinton campaign has not yet responded to a request for comment about what messaging apps staffers are using. [CNET]

Privacy Enhancing Technologies (PETs)

WW – HP Builds First Laptop with Built-In Privacy Screen

Yahoo reports HP has built the first laptop to have a built-in privacy screen. Previously, consumers had to bolt on physical privacy screens designed to prevent anyone 35 degrees away from the center from seeing the contents of the monitor. Now, 3M’s solution will be built in. “Designed with more than 20 years of 3M optical films technology experience incorporated into the privacy screen, HP Sure View helps address the concern of protecting sensitive information through a world-class solution tailor-made for open work environments and for the mobile worker,” said 3M’s Vice President and General Manager of display materials and systems division, Makoto Ishii. [Full Story]

RFID / IoT

WW – Industrial IoT Groups Working Together to Develop Industrywide Standards

The Organization for Machine Automation and Control, OPC Foundation, and PLCopen have announced plans to band together and create industrial internet of things standards for data sharing and “seamless … interoperability.” This alliance comes on the heels of each group’s individual IIoT developments, like creating a global taskforce charged with developing a companion specification for industry tools. However, industrywide “standards are needed to support communications from machine-to-machine and from the plant floor to interfaces that will allow large scale data analytics and information transfer,” said OMAC’s John Kowal. “It just makes sense for these organizations which have individually done so much to advance automated manufacturing to collaborate and avoid redundant developments.” [AutomationWorld]

US – Chicago’s New Data-Collecting Sensors Stir Privacy Concerns

The Array of Things made its live debut in Chicago, where the city installed two 10-pound nodes on traffic posts last week. The nodes contain low resolution cameras, microphones and various air quality sensors, along with sensors that detect use of WiFi and Bluetooth devices within a 100-foot range. The Array of Things is a collaborative project between the University of Chicago, Argonne National Laboratory and the School of the Art Institute of Chicago that was originally launched in 2014 and is designed to be a “fitness tracker” for the city. But for privacy-minded citizens, there are glaring holes in the project that have yet to be addressed. The resolution on cameras is thought to be low, and the sound sensors are meant to only monitor sound levels – not record noises, as there will be audio and image files that will be used to calibrate the sensors. A written response from project managers explained, “These images will contain no sensitive PII, but some may show faces or license plate numbers.” All information gathered by AoT will be available to the public – except for ones containing PII. In an attempt to maintain transparency, the Department of Innovation and Technology fielded questions from residents about their concerns. PII data will not be made public but will be stored in a separate, safe facility, where access to this data is “restricted to operator employees, contractors and approved scientific partners who need to process the data for instrument design and calibration purposes, and who are subject to strict contractual confidentiality obligations and will be subject to discipline and/or termination if they fail to meet these obligations. … The privacy and governance policies nevertheless limit who will have access to data, under what circumstances, and for the limited purpose of research and development.” When it comes to warrants, the project managers were even vaguer, saying, “The University of Chicago, as copyright holder of the data, would be responsible for responding to law enforcement requests.” [rt.com]

WW – The Internet of Things: A 101 Guide to Privacy in The Digitized World

According to a new report by Altimeter, ‘Consumer Perception in the Internet of Things’ there’s a growing consumer anxiety concerning the ‘digitization of our physical world’. At the same time the report states that 87% of American citizens in one study didn’t even know what IoT is. They were worried about their privacy, but weren’t exactly sure how or why it was being plundered in the digital world. Other respondents in the study were aware their cookies were being tracked, but had little idea why, or at least asked for more transparency from those collecting the information. The gist of the study: “Roughly 60% of all respondents report such heightened discomfort in the sharing/selling of their data.” So what should the consumer be thinking about right now in terms of his/her privacy? “At a minimum, you need to be aware of two facts: (1) people and companies will want to collect data about you and might do so without your permission, and (2) there is no total security, and every system can be hacked. Follow some simple rules: be mindful about what data you share and ask yourself what somebody could do with it. If in doubt, reject to share and ask the vendor questions, and ask yourself if the vendor is trustworthy. For the security aspect, always keep your software and devices updated; don’t use weak passwords, be mindful of the risks, and encrypt your data wherever possible.” [siliconangle.com]

Security

US – FTC Cautions that Developing Secure APIs Remains a Challenge

The FTC examines the ongoing challenge of developing secure application programmable interfaces (“APIs”) in light of the InMobi settlement. Consumers are unaware that app developers or third party ad networks can use legitimately collected unique identifiers (e.g. BSSIDs) and other Wi-Fi network information to infer and track consumers’ location; despite related changes made to Android and iOS, app developers should ensure that their use of APIs are consistent with their privacy promises and consider contractual terms to ensure that their third party service providers (e.g. ad networks and analytics firms) do not circumvent consumers’ privacy choices. [FTC – A Deep Dive Into Mobile App Location Privacy Following The InMobi Settlement]

WW – Data Science Helping Organizations Stop Insider Threats

With physical boundaries of corporate networks and digital assets not as clearly defined as they once used to be, the focus in fighting insider threats needs to shift toward protecting user accounts. “Now that the traditional security perimeter has been erased by mobile and cloud computing, identities have become both an attack vector and security perimeter.” The truth is that credential theft does happen, and it happens a lot. In fact, a Verizon 2015 data breach report found that the majority of confirmed security incidents occur as a result of compromised user accounts. Massive lists of user credentials and passwords are being sold on the Dark Web at low prices, and, for a small fee, anyone can obtain access to all sorts of enterprise networks and cloud services, and impersonate legitimate users. Therefore, fighting insider attacks hinges on detecting anomalous user behavior. But this again presents its own set of challenges, because defining normal and malicious behavior is not an exact science and involves a lot of intricacies. Data science is helping organizations crack down on insider threats. Data science is used to extract knowledge and detect patterns. The information it produces can help an organization define normal user behavior based on identities, roles, and working circumstances. Using data science can help point out abnormal user behavior, stop insider threats, and help lower the amount of false positives. “Most users have rather clean and repeating patterns in their work from a statistics point of view,” said F-Secure Labs Lead Researcher Jarno Niemelä. “Thus, alarming changes in the users’ behavior can be detected with suitable near real-time statistics analysis tools, supported by heuristics and machine learning systems.” [TechCrunch]

MX – Mexican DPA Says Lost, Stolen or Improperly Discarded Devices Are Common Cause of Data Breaches

The Mexican data protection authority issues its “Guide to Securely Erasing Personal Data“. Individuals seeking to retrieve personal data for improper purposes collect discarded documents and tape them back together, find broken equipment parts and reuse them, and use specialized software to retrieve data from a “wiped” device; proper destruction methods include crushing, incinerating, pulverizing, shredding or chemical processes (physical media), and degaussing, over-writing or cryptographic erasure (electronic media. [DPA Mexico – Lost Stolen or Improperly Discarded Devices The Primary Cause of Data Breaches | Press release]

Smart Cards

WW – Apple’s New Patent Shows Future iPhones and iPads Will Capture the Biometrics, Photos, Videos and Audio of the Thief

Theft of smartphones is still rampant, despite current security measures such as fingerprint technology and Apple’s Touch ID. Thieves always find a way around these security protocols. However, a patent application by Apple will make life difficult for iPhone and iPad thieves in the future. Apple filed a patent with the USPTO on 25 August 2016. The patent details a technology that will allow a “trigger condition” to record the biometric, photos, audio, and video of an authorized user of a “computing device”, in this case, an iPhone or iPad, which are currently the only Apple devices that can capture biometrics. The technology will then store the acquired data which may be fingerprints, photos, and so on. The computing device may then provide the stored data for identification of the unauthorized user. From the information in the filed patent, the trigger conditions are unclear. Probably the trigger is a report by the authorized user to law enforcement authorities or Apple. Or maybe a single failed attempt to unlock the device using touch ID will be the trigger. However, there is a slight problem with Apple’s Touch ID. The technology requires a user to place the finger in different angles for verification. It is, therefore, a little unclear how Apple will register a failed unlock attempt(s) as a trigger condition. The fact that the patent suggests Apple will stealthily capture personal identifier data already raises security concerns. A more practical move would be to make the technology optional in future iOS releases. But even then we are not sure that would not make the company lose credibility among customers who mind about their privacy. [Mobipicker.com]

US – Delta Air Lines Introduces Tracking Tags to Combat Lost Luggage

Radio frequency identification (RFID) is also widely used in our daily lives, from keyless cars to pet microchips. Delta Air Lines, which says the amount of luggage it mishandles is low, has spent $50 million (U.S.) in new technology to keep better track of the 120 million bags it checks each year. The system launched this month. It’s replacing an old barcode system with RFID technology, also known as radio frequency identification. It allows for data to be read at a distance, easily pinpointing a single bag if it needs to come off a plane. The airline has deployed 4,600 scanners and 3,800 bag tag printers at airports around the world. Conveyer belt loaders have sensors that give the green light if the suitcase is headed to the right plane, and a red light if it’s not, so a baggage handler can redirect it. Australia’s Qantas Airways has used similar technology for its automatic bag drop system on domestic flights, which the airline says has shortened lines. Elite frequent flyers receive a reuseable RFID bag tag, and other passengers can buy one. An estimated 1.5 million permanent tags have been issued in the past two years. In Canada, no airline has plans to adopt the tags yet, though Air Canada is running a test in its Montreal and Frankfurt warehouses for cargo shipments. WestJet Airlines spokeswoman Lauren Stewart said the airline has reviewed the technology but has no plans to run any trials. “As a low-cost carrier we are highly aware of the expense of such tools,” she said. “In addition, the hardware and infrastructure would require installation at each airport.” Porter Airlines spokesman Brad Cicero said the carrier’s baggage mishandling rate for the last two years is 0.4 per 1,000 passengers, “so we’re very comfortable with this standard and our current processes.” [Toronto Star]

Surveillance

WW – Transit Systems Have their Eyes on You but Surveillance Footage Isn’t Always There When it Counts

Security cameras are ubiquitous on public transit across the country, but when it comes to using them to investigate sexual harassment or assault, what they record is often gone before it can be used. While victims might take weeks or even months to report an incident, surveillance footage can be erased in a matter of days. In Canada’s largest city, Toronto, security camera footage from streetcars, buses, subway trains and stations is kept for three days. It was the report of an alleged assault on a city bus that prompted Toronto’s transit agency to extend the amount of time that it holds on to footage a year ago. At the time, footage from streetcars and buses was held for only 15 hours, but after a teenage girl went to police to report an assault a few days after it allegedly happened and found there was no video evidence available, the Toronto Transit Commission extended that to 72 across its whole system. Some women who have experienced harassment or assault say 72 hours still doesn’t give victims enough time to report an incident. The TTC used to be allowed to hold on to surveillance camera footage for a week, but that changed eight years ago when it expanded the use of cameras throughout the transit network. At the time, Ontario’s privacy commissioner, Ann Cavoukian, approved the addition of 12,000 cameras on condition that images be held for a maximum of 72 hours to protect riders’ right to privacy. The exception to the 72-hour limit is the TTC’s wheelchair transportation service, which holds on to footage for seven days. The transit agency’s justification is that riders with handicaps or cognitive impairments might need more time to report incidents. An investigation by the city’s ombudsman also found that the footage has been used by the TTC to reassess whether riders are still eligible for the service. Transit agencies in some other Canadian cities keep their security footage for longer than the TTC. In Edmonton, footage from trains on the light rail transit system is retained for 48 hours, but footage from stations is held for 21 days. Bus system surveillance is held for 18 days. Vancouver used to keep surveillance footage from its SkyTrain system for only two hours when it was using video tapes, but since moving to a digital system in 2008, footage can be held for up to a week. Reports of sexual assaults on the Toronto subway system are significantly down, according to police, with 67 reported in 2014 compared to 56 last year, but police say that’s not necessarily a good thing given that the majority of sex assaults never get reported. [CBC] ‘Harassment on TransLink’ website lets victims speak out | TTC votes on whether to retain surveillance video longer | Sexual harassment on the rise on transit, say police | Ontario privacy chief gives green light to TTC surveillance plans | ETS starts ‘zero tolerance’ campaign to curb sexual harassment | TransLink safe despite recent assaults, officials say | TTC to develop new app that would enable riders to report harassment | New OnDuty transit police smartphone app released and [Considering Privacy in the Age of the Camera]

WW – Ambient Light Sensors an Up-and-Coming Privacy Issue

University College London’s Lukasz Olejnik’s new research maintains that online ambient light sensors could pose a threat to privacy. “Lighting conditions in the user’s surrounding convey rich and sensitive data describing users and their behavior,” Olejnik writes. “This information could be hijacked and abused, applied to profile the users and perhaps discriminate them.” The information at stake includes data about “the user, the user’s environment, the user’s behavior and life patterns,” as well as information about the user’s home, he adds. While Olejnik cautions users not to be fearful online, as many projects like SensorsPrivacy.com work to increase the safety of technology. However, he does encourage websites to limit the amount of ambient light sensors they collect. [The Daily Dot] [Privacy problems on the Web: Even your device’s battery life can be used to track you]

Workplace Privacy

EU – Spying on an Employee in France Breaches His Right to Privacy, Even Where He is Committing Breaches of His Employment Contract

The French Supreme Court recently ruled that an employer could not rely on the report of a private detective it had hired to spy on one of its employees to obtain an injunction against him because this was a breach of the employee’s privacy and that could not be justified, however legitimate were its concerns. The first instance Court accepted that the employer had legitimate reasons to secure evidence but on appeal the employee disputed the validity of the Order on the ground that the employer had breached the employee’s right to a private life as protected by Article 9 of the French Civil Code and Article 8 of the European Convention on Human Rights. The Supreme Court ruled that the first instance Court should have rejected the employer’s application because it had relied on unlawfully obtained evidence to sustain it (i.e. the report from the detective). It was immaterial to this that the report clearly showed the employee to be in breach of his obligations to the employer and that he could now potentially destroy evidence of that guilt before a trial on the issue. This decision is consistent with earlier case law of the French Supreme Court, which declares inadmissible any evidence collected by employers through covert surveillance of employees, whether the spying is done by someone hired by the employer or by the employer itself, on the ground that it breaches the employee’s privacy rights. More generally, the Supreme Court also usually rejects as inadmissible any other evidence that has been collected through clandestine means (i.e. without the employee having been informed of the control/surveillance methods) with the consequence that an employee’s dismissal based on that evidence will be deemed automatically unfair, almost however guilty of the misconduct in question he may actually be. [The National Law Review]

WW – Research: Customer Monitoring Also Affects Employees

Solon Barocas and Karen Levy discuss how retailers’ efforts to monitor customer behavior also affects their employees, a consequence they refer to as refractive surveillance. “This effect of data collection is often overlooked. Debates about consumer privacy have largely missed the fact that firms’ abilities to develop a better understanding of consumers also impacts workers’ day-to-day experiences, their job security, and their financial well-being,” they write. Barocas and Levy detail the repercussions of the tracking, saying it impacts employees’ relationships with customers, when they work, and the evaluation process. Since these are “still early days for in-store tracking,” Barocas and Levy contend that managers “have an opportunity to explore how to collect customer data in ways that both respect consumers’ privacy and advance the legitimate interests of workers.” [Harvard Business Review]

+++

 

 

19-25 August 2016

Biometrics

US – N.Y. State DMV Facial Recognition Tech Helps Nab 100 ID Thieves

In January, the New York State DMV enhanced its facial recognition technology by doubling the number of measurement points on a driver’s photograph. The DMV said this vastly improves its chances of matching new photographs with one already in a database of 16 million photos. As many as 8,000 new pictures are added each day. The state’s governor says has led to the arrest of 100 suspected identity thieves and opened 900 unsolved cases. In all, since New York implemented facial recognition technology in 2010, more than 14,000 people have been hampered trying to get multiple licenses. “Facial recognition plays a critical role in keeping our communities safer by cracking down on individuals who break the law,” Gov. Andrew M. Cuomo said in a statement. “New York is leading the nation with this technology, and the results from our use of this enhanced technology are proof positive that its use is vital in making our roads safer and holding fraudsters accountable.” The DMV said new licenses won’t be issued until a photo clears the DMV database. At least 39 US states use some form of facial recognition software. New York’s DMV first implemented facial recognition technology in 2010. Since then, more than 3,600 people have been arrested for possessing multiple licenses. The agency said it resolved another 10,500 facial recognition cases outside the criminal justice system because the statute of limitations had expired. In those instances, the cases were handled administratively—and the agency revoked licenses and transferred all tickets, convictions and accidents to the scofflaw’s true identity. New York’s DMV photo database is not among those databases forwarded to an FBI program containing about 411.9 million facial recognition images of people who have committed no crimes. [Ars Technica]

EU – Germany Eyes Facial Recognition Tech for Airports, Train Stations

Germany’s interior minister revealed plans for facial recognition systems in the country’s airports and train stations over the weekend—but digital rights activists have told Ars that the plan goes too far and would prove ineffective. Thomas de Maiziere told Bild am Sonntag that he wanted a system that would allow biometric information gathered from surveillance cameras to be matched against intelligence databases of known terror suspects. “There are opportunities for individuals to photograph someone and use facial recognition software on the Internet to find out if they have seen a celebrity or a politician. I want to use such face recognition software on video cameras at airports and train stations to show if a suspect is detected,” he said. “The authorities must use technology they are legally allowed to use.” [Ars Technical]

WW – Researchers Use 3-D Models to Break Facial Recognition Security

Security and computer vision specialists from the University of North Carolina have developed a method to break through facial recognition authentication systems. Using photos found on the internet, the researchers created 3-D models rendered with the motion and depth cues needed to pass through facial recognition security. The hack successfully spoofed four of the five authentication systems the researchers tested. The team also noted the photos were not supplied by any of the 20 volunteers, but were collected through search engines and social media networks. “We could leverage online pictures of the [participants], which I think is kind of terrifying,” says study author True Price. “You can’t always control your online presence or your online image.” [Wired]

Big Data

WW – CSA Issues 100 Best Practices for Keeping Big Data Secure

Big data is best known for its volume, variety, and velocity — collectively referred to as the “3 Vs” — and all three of those traits make security an elusive goal. Targeting companies grappling with that challenge, the Cloud Security Alliance has released a new report offering 100 best practices. As its name would suggest, the CSA focuses on promoting the use of security best practices within the cloud computing world; In an earlier report, the CSA broke down big data security risks into a set of the top 10 major challenges. Now, for each of those, it presents 10 best practices designed to help enterprises keep their information safe. To ensure that the privacy of data subjects is not compromised, all personally identifiable information such as names, addresses, and Social Security numbers must be either masked or removed. It’s also important to watch for the presence of “quasi-identifiers” that can almost identify a data subject, including ZIP code, date of birth, or gender, the report warns. Companies that use nonrelational data stores such as NoSQL databases, meanwhile, are hampered by the fact that such products typically include few robust embedded security features, the report’s authors say. For that reason, they suggest using strong encryption methods such as the Advanced Encryption Standard (AES), RSA, or Secure Hash Algorithm 2 (SHA-256) for data at rest. “The storage of code and encryption keys must be separate from the data storage or repository,” they advise. “The encryption keys should be backed up in an offline, secured location.” Also included in the report are suggestions for real-time security and compliance monitoring, privacy-preserving analytics, data provenance, cryptographic techniques, and more. The handbook is now available as a free download. There’s been growing concern about the use of big data and the associated risks to privacy and security. Early this year, the U.S. FTC issued a report with caveats and guidelines for businesses. Market researcher Gartner, meanwhile, predicts that the improper use of big data analytics will cause half of all business to experience ethics violations by 2018. [CIO.com] [CSA Big Data Privacy and Security Handbook]

Canada

CA – Canadian Security Establishment Increased Interceptions 26-fold in 2015

An Office of the Commissioner of the Communications Security Establishment report of the Canadian Security Establishment has found that the agency increased its rate of private communication interception 26-fold in 2015. While the government won’t explain the reason for the increase, the agency did find that all of the CSE’s proceedings were lawful. CSE watchdog Bill Robinson predicts that that agency “may have targeted social media conversations between individuals and counted each separate message in the string as a private communication,” the report states. “A small number of online conversations could be responsible for the rather large total.” [National Post] [Canada’s Spy Agency Now Intercepting Private Messages 26 Times More Than Previously]

CA – Main Terror Threat to Canada Comes From Lone Wolves: Report

The main terrorist threat on Canadian soil remains lone wolves or small groups inspired by ideology to carry out attacks, a new public safety report states. The 2016 report on terrorist threats to Canada drew a distinction between attacks “inspired” by extremist ideology versus those “directed” by terrorist organizations abroad. The report points out one area where that balance will be tested: the use of encrypted communications technology. Encryption allows private citizens, companies, and governments to protect their communications, business transactions and sensitive information. But law enforcement officials in Canada and beyond have argued that it also allows criminals and terrorists to evade arrest or capture. While encryption has been intensely debated in other Western countries — notably the United States — Canada has yet to have a public debate over its merits. “Encryption technology helps protect the privacy of Canadians but also creates new barriers in law enforcement and national security investigations,” the report states. “The government intends to work with Canadians, industry, and other key stakeholders and the international community to address these privacy and security concerns.” [Source]

CA – Online Privacy a Must in New Alberta Curriculum: Advocate

As the Alberta Education Ministry sets out on the massive task of overhauling the province’s school curriculums, one advocate is hoping to see a focus on privacy in the digital age. Sharon Polsky, director of the Rocky Mountain Civil Liberties Association said she feels it’s important Alberta Education make online privacy a priority in the Career and Life Management (CALM) portion of the new curriculum. “Considering something like 30% of children have a tablet for their own exclusive use by the time they’re one and the vast majority have daily time with electronic devices by the time they’re two– it’s the same thing as giving a kid your car keys and saying have a nice time, stay safe on the road– they don’t understand the implications of what they’re doing,” she said. Larissa Liepins, press-secretary for David Eggen, Minister of Education, said they’re interested in hearing input from concerned citizens about what should be included in the new provincial curriculum. [Source]

CA – Waterloo Changes Rental Bylaw After Privacy Complaint

The City of Waterloo had to change its rental housing bylaw after a complaint to the Ontario Privacy Commissioner about Waterloo collecting tenants’ personal information. Council voted this week to approve the changes. Waterloo’s controversial rental housing licensing bylaw limits bedrooms and requires landlords pay fees. It was criticized by landlords who called it a cash grab. It went into effect in 2012. At issue was a city requirement for landlords to provide the names and contact information for all tenants. In 2014, someone complained to the privacy commissioner about personal information being collected and an investigation was launched. Waterloo finally agreed to stop collecting tenant information altogether in late 2015, but didn’t want to make the bylaw change until a review of the entire licensing bylaw currently underway is complete. Staff relented at the privacy commission’s request and changed the bylaw this week. [Source]

E-Government

WW – Voting Online Means You’re Giving Up Privacy, Researchers Warn

A research initiative conducted by groups including the Electronic Privacy Information Center and the Verified Voting Foundation found that in the 32 states and one district where online voting is permitted, voters usually accept “technical limitations” that give up their right to a private ballot. Researchers therefore suggest voting in person instead of online. “Even if offered, avoid the use of an online method for marking and/or transmitting votes,” the study states. “Marking ballots without the use of a connection to the internet is the best way to keep your vote secret.” [Vocativ]  [Wired: America’s Electronic Voting Machines Are Scarily Easy Targets]

E-Mail

WW – Study: Business Email Compromise Costs $3B in Damage Worldwide

A new report from Trend Micro reveals an oft-underreported scam has bilked more than $3 billion from businesses around the world. “Business email compromise” — a method by which adversaries use email to trick employees into wiring company funds — has affected approximately 22,000 organizations, according to the FBI, since the beginning of 2015. Trend Micro tracked more than 2,000 BEC incidents in the U.S. and found that attackers often closely research a given target. An adversary may research a company’s legal settlement and imitate the law firm’s email account, for example. Trend Micro Chief Cybersecurity Officer Ed Cabrera said, “BEC doesn’t fall in line with data breach laws — it’s just a digital con game. And unlike other attacks, it does not cause a loss of operational time.” [The Hill]

Electronic Records

US – Many Hospitals Transmit Your Health Records Unencrypted

Healthcare IT organizations often lack budget and personnel to address security needs About 32% of hospitals and 52% of non-acute providers — such as outpatient clinics, rehabilitation facilities and physicians’ offices — are not encrypting data in transit, according to a new survey. Additionally, only 61% of acute providers and 48% of non-acute providers are encrypting data at rest. The Survey, conducted by the Healthcare Information and Management Systems Society (HIMSS), a Chicago-based trade group for the health information technology sector, also revealed that many of the facilities’ networks don’t even have firewalls. A study by the Brookings Institution predicts that one in four data breaches this year will hit the healthcare industry [IT World]

Encryption

WW – One Third of Transmitted Health Care Data Left Unencrypted: Study

The Healthcare Information and Management Systems Society’s Cybersecurity Survey found that 35% of hospitals and 52% of non-acute providers do not encrypt their transmitted data. Additionally, 61% of acute providers and 48% of non-acute providers encrypt resting data. The study also found that many health care facilities do not use firewalls. Researchers cautioned that where there is tech, there are opportunities for breaches or ransomware. “Without a program in place, there can be a large time window for hackers to exploit an unpatched system (especially if systems are patched or upgraded on a reactive, ad hoc basis).” “Time is money, including for hackers, and they are likely to go after low-hanging fruit.” [ITWorld] [Computerworld: Many hospitals transmit your health records unencrypted | HIMSS: 2016 HIMSS Cybersecurity Survey ]

EU – German, French Legislators Want EC Help Accessing Encrypted Tech

In the wake of multiple deadly terrorist attacks in their respective countries, German and French officials will petition the European Commission to provide states with the ability to force encrypted technology companies to provide governmental access. “It’s a central issue in the fight against terrorism,” said French Interior minister Bernard Cazeneuve. “The European Commission said it ‘welcomed’ the initiatives between the two countries, but said that data protection laws are already under review,” the report states. [ZDNet]

US – NIST Scientists ‘Nervous’ About Lightweight Crypto for IoT

Federal scientists at the National Institute for Standards and Technology are working on new cryptographic standards for the tiny computers embedded into car engines, lightbulbs and others devices connected to the internet — but the process makes some of them uneasy. The Internet of Things presents a unique challenge for cryptographers: How long should a key be? For instance, the tiny RFID chips embedded in electronic passports have very limited memory. And the standards for connected cars have to enable ultra-low latency — meaning those chips have to be near instantaneous as they encrypt and decrypt information. But as a result, some of the lightweight crypto standards might end up weaker, and this easier to crack. Keys for use in current NIST-approved encryption standards must be at least 112 bits long. Some have proposed using keys as short as 80 bits in the new lightweight standards. [FedScoop]

Facts & Stats

CA – Trying to Measure the Cost of a Breach

CISOs know that data breaches cost money. One question is how much; another is whether the rest of the organization knows. To answer the first question Deloitte recently issued a white paper with a calculation to show how many costs aren’t being considered by management. In one hypothetical case, as reported by David Wheldon, the damage could be up to US$1.6 billion over five years. That’s right. For a theoretical breach of 2.8 million records from a U.S. private health insurance company the damage could run into 10 figures. [Read the full report here] Not all of the numbers would be applicable to Canada in this particular example. For example, because most Canadians are covered under the government funded heath insurance, private insurers here are smaller — and, of course, we have a smaller population. While the dollar values would be smaller, the factors would be the same. So the Deloitte calculation includes an estimated $230 million loss to brand image to the insurer. There’s a lost value of customer relationships at $430 million over three years. These would apply to a retailer or manufacturer. However, there are a lot of other so-called beneath the surface costs the C-suite may not be thinking of today: operational costs, insurance premium increases, and, if necessary, the cost of raising debt to pay for these and other costs. Then there’s the expected costs: Notifying potentially-affected customers and partners, paying for customer protection services, hiring forensic investigators, possibly hiring a crisis reaction team for public relations, facing customer/partner lawsuits, paying regulatory fines, loss of intellectual property (perhaps incalculable) and — of course — cyber security improvements including awareness training. [Source]

WW – Study: Breaches Could Cost One-Fifth of Retail Customers

A KPMG survey found that one-fifth respondents said they would stop shopping with a company after a data breach, regardless of how it handled the data loss post-breach. One-third of the surveyed added that they would avoid shopping there for at least three months after the breach, the report states. Regardless, only 55% of surveyed organizations said they had invested in upgraded cybersecurity in the past year. “Make no mistake, there is a lot at stake here for retailers,” said KPMG’s Mark Larson. “Consumers are clearly demanding that their information be protected and they’re going to let their wallets do the talking.” [FedScoop]

FOI

CA – OIPC AB Upholds Law Enforcement Body’s Refusal to Confirm or Deny Existence of Disciplinary Records

This OIPC AB order addresses the Calgary Police Service’s handling of a request for access to records pursuant to Alberta’s Freedom of Information and Protection of Privacy Act. Confirmation or denial of the existence of a disciplinary record would indicate whether a complaint had been made or proceedings taken against an officer; disclosure of a disciplinary record would be an unreasonable invasion of privacy (it would reveal his/her employment history, and unfairly damage his/her reputation if a complaint did not go to a hearing) – the only exception would be a disciplinary record that arises from a public hearing. [OIPC AB – Order F2016-24 – Calgary Police Service]

CA – NFLD Public Bodies Should Consider Scope and Intention When Applying the Solicitor-Client Privilege Exception

The OIPC Newfoundland and Labrador has provided guidance on the scope of the legal advice exception in section 30 of the Access to Information and Protection of Privacy Act The scope of solicitor-client privilege must consider the context and rational for the privilege (e.g. civil litigation, criminal investigations or prosecutions), and whether the client intended that the communication be kept confidential; the privilege will not include documents that are attached, but not otherwise related to obtaining legal advice, and the capacity in which the communications are sent does not determine privilege (context must be assessed for each case). [OIPC NFLD – Section 30 – Legal Advice]

CA – IPC ON Upholds Hospital’s Decision to Withhold Meeting Notes Provided to Legal Counsel by Hospital Staff

The OIPC Ontario reviews a decision by a hospital to deny access to records, pursuant to the: PHIPA and FIPPA. In anticipation of litigation, staff were asked by a senior hospital staff member to provide their recollections of a meeting with Complainant where the health care of Complainant’s mother was discussed; the purpose of the records were to document the meeting for legal counsel with the intent of obtaining legal advice and preparing for litigation. [IPC Ontario – PHIPA Decision 30 – Mackenzie Health]

Health / Medical

UK – British Government Mulls Plans to Sell Patient Data

The British government is considering a plan to sell patient health data to private organizations. New guidelines state patient data will be collected and stored in a centralized database run by NHS Digital. The decision comes after the British government dropped their care.data plan after two independent reviews criticized the plan over poor consent and a lack of transparency regarding where patient data would be shared. The government is saying data sharing will only be for the patients’ benefit. “We have a strong legal framework to make sure NHS Digital only shares personal information where there is a clear health or care purpose,” a Department of Health spokesperson said. “This means data will only ever be used to deliver real benefits for people and puts beyond any doubt that data can be shared for commercial insurance or other solely commercial purposes.” [Politico]

US – Blockchain in Healthcare Getting a Lot of Attention

When the Office of the National Coordinator of Health Information Technology recently challenged developers and health IT thinkers to come up with uses for blockchain in healthcare, officials were surprised by the vigor of the response. While the blockchain-backed bitcoin cryptocurrency has become a worldwide phenomenon attracting both devotion and criticism, perhaps lesser known is that thinking around blockchain in healthcare is moving past the theoretical stages and is even spurring activity from major companies and venture capitalists. Health IT giant Philips has launched a blockchain-in-healthcare lab and joined a new blockchain-in-healthcare network led by blockchain vendor Gem. And accounting and consulting firm Deloitte has released several bullish reports on blockchain in healthcare and formed partnerships with several blockchain startups. Blockchain is in essence a distributed public ledger linked by what supporters say is a nearly impregnable cryptographic chain. As such, they say, it has the potential to solve health IT’s most intractable problems: lack of interoperability and securing the integrity, completeness and privacy of health records. [Source]

Horror Stories

CA – OPC Finds Dating Website’s Security Measures Were Lacking, Misled Consumers

The lead privacy regulators of Canada and Australia have released the results of their joint investigation into the Ashley Madison data breach. The dating service had inadequate authentication processes for employee remote access, stored encryption keys and passwords as plain, clearly identifiable text on its systems, fabricated the security trust-mark on its homepage, and inappropriately retained personal information after user profiles had been deactivated or deleted; the service must conduct a comprehensive review of its protections, augment its security framework, adequately train staff, and cease indefinite retention of personal information from deactivated and inactive accounts. [OPC Canada – PIPEDA Report of Findings 2016-005 – Joint investigation by the Privacy Commissioner, the Australian Privacy Commissioner and Acting Australian Information Commissioner News Release | Report of Findings | Compliance Agreement | Takeaways for All Organizations] [OAIC.gov.au | The Globe and Mail | OPCC: Ashley Madison investigation finds security measures lacking; fictitious security trustmark was ‘deceptive’]

Identity Issues

AU – Australia’s Government Is Copping Flack for its ‘Digital Identity’ Plans

“Digital Identity is having the ability for the government to trust that you are who you say you are,” is the explanation the Federal Government’s Digital Transformation Office (DTO) gives for the establishment of a singular digital profile that will allow you to access various government services. But trust has to go both ways, and the Australian Privacy Foundation (APF) has expressed “serious concern” about federated identity, stating the process has been “seriously deficient” and conducted “in a context of increasing distrust of government.” The DTO says the global trend of services moving online, and the economic benefits that produces, necessitates an online identity verification process — particularly in cases of sensitive data. The DTO is building both a verification model and a method for logins. The APF’s concerns surround the fact that the Digital Identity project has now been running for over a year, has reached the beta stage, and statements are being made about deployment. “Yet civil society has yet to be engaged,” APF says. “A single meeting has now been held, but materials were withheld until the last moment, and the very few advocates present had limited opportunity to gain clarifications, and virtually none to provide feedback”. The APF says that by its nature the project “harbours enormous threats to individuals, and to society as a whole”, warning the whole thing has “a very high” risk of failure. “This is the latest of many proposals that have come and gone over the last 30 years relating to citizen identifiers, accounts, authenticators and credentials,” the APF says. The APF says overall, there is a “lack of clarity” surrounding the scheme. “Apart from a brief remark to the effect that the scheme could be implemented administratively, i.e. without parliamentary approval or even oversight, no information has been provided about applicable laws, and the impact of laws in such areas as data retention, data breach notification, cybersecurity, disestablishment of the OAIC, and a privacy right of action”. [Gizmodo]

US – FTC’s Ramirez: We’re Expanding Definition of PII

Speaking at the Technology Policy Institute in Aspen, Colorado, FTC Chairwoman Edith Ramirez said consumer control and consent need to remain at the forefront of innovation, despite online privacy issues becoming increasingly complex. “We hear with increasing frequency the claim that technological innovation and big data have rendered certain fundamental tenets of privacy, particularly the idea of consumer consent, outdated and ill-suited for today’s digital world. I disagree,” said Ramirez. The FTC is working to address this issue by broadening the definition of personally identifiable information. “We now regard data as personally identifiable when it can be reasonably linked to a particular person, computer, or device,” Ramirez said. “In many cases, persistent identifiers, such as device identifiers, MAC addresses, static IP addresses, and retail loyalty card numbers meet this test.” [FedScoop]

Internet / WWW

WW – Survey: 51% of IT Execs Believe Public Cloud More Secure

A SADA Systems survey of 210 tech executives found that 51 percent feel that the public cloud is more secure than their private one, while 58% believe the public cloud is the most cost-efficient and safe data-storage option. In total, 84% of the surveyed said their companies used public clouds. Yet just because cloud “comfort levels” continue to grow doesn’t mean information technology professionals should dial back their vigilance, the report states. “Security still needs to be the front and center concern when you are relying on someone else to manage your data,” the report adds. “The key is that while cloud providers may have all the newest and shiniest security solutions … the cloud customer still needs to take ownership of security.” [ZDNet]

Law Enforcement

CA – Canada’s Police Chiefs Pass Resolution to Obtain Passwords

The Canadian Association of Chiefs of Police passed a resolution requesting legal measures to force people to deliver electronic passwords with a judge’s consent. The police chiefs cite criminals increasing use of encryption to hide illegal activities. RCMP Assistant Commissioner Joe Oliver said there is nothing in Canadian law compelling an individual to hand over a password during a law enforcement investigation. “The victims in the digital space are real,” Oliver said. “Canada’s law and policing capabilities must keep pace with the evolution of technology.” OpenMedia spokesman David Christopher called the proposal “wildly disproportionate,” believing handing over a password for a piece of technology such as a laptop would be similar to “handing over the key to your whole personal life.” A Toronto Star op-ed argues Canadian citizens need to protect their privacy rights when considering any proposal involving law enforcement password requests. [The Canadian Press] The lobbying group Canadian Association of Chiefs of Police is calling for a legal framework requiring Canadians to share electronic passwords during a police investigation]

CA – Police Don’t Want to Talk About How They Spend Surveillance Dollars

Police in Toronto, Ottawa, and the municipalities of Peel and York have received hundreds of thousands of dollars each to pay for the Provincial Electronic Surveillance Equipment Deployment Program (PESEDP). This little-known project is described by police as “funding for the purchase of, or improvements to, equipment used in the investigation of organized crime”, which doesn’t reveal much. Mentions of the program can be found in publicly-available meeting agendas and reports dating back to 2011. A 2016 report detailing the latest payment to the York Regional Police notes that the force has agreements with the Ontario Provincial Police to “share services to intercept personal communications” and “to monitor personal communications,” both expiring in November of 2017. Tamir Israel, staff lawyer at the University of Ottawa’s Canadian Internet Policy and Public Interest Clinic, says that the PESEDP money could be spent in a number of ways. “Police services are investing in a range of new surveillance technologies, from license-plate recognition devices, to facial recognition or IMSI catchers. As for whether a privacy assessment has been done on the program, a media request made to the federal Office of the Privacy Commissioner was referred to the provincial office, then to MCSCS, which would neither confirm nor deny it. At this point, no one other than the police forces involved knows what kinds of equipment PESEDP is paying for, but some of the surveillance programs operated by police in Ontario and elsewhere in Canada are coming to light. [Source]

Online Privacy

US – EFF Voices Criticisms of Microsoft’s Windows 10 Updates

The Electronic Frontier Foundation voiced its criticisms over Microsoft’s Windows 10 updates, saying the reminders violate user privacy. The EFF also says Microsoft collects an “unprecedented amount of usage data,” including location data, text input, browsing history, and running programs. Microsoft defended its practices, saying the data collected helps make Windows 10 a more customizable experience for the user. The EFF wants to see Microsoft clarify whether opting out of the features is enough to ensure the user’s privacy rights are intact. “Microsoft should come clean with its user community,” said EFF Intake Coordinator Amul Kalia. “The company needs to acknowledge its missteps and offer real, meaningful opt outs to the users who want them, preferably in a single unified screen.” [Digital Trends] [Microsoft forces you to choose between privacy and security, say campaigners]

WW – WhatsApp to Begin Sharing User Data with Facebook

WhatsApp will start sharing user information with Facebook. The messaging app plans to send members’ phone numbers and analytics data to the social network, marking the first time WhatsApp has connected user accounts to Facebook. WhatsApp said neither company would be able to view users’ encrypted messages, and promised not to share phone numbers with advertisers. “Our values and our respect for your privacy continue to guide the decisions we make at WhatsApp,” Co-founder Jan Koum wrote in a blog post explaining the update to the company’s privacy policy. “It’s why we’ve rolled out end-to-end encryption, which means no one can read your messages other than the people you talk to. Not us, not Facebook, nor anyone else.” [The New York Times] [WhatsApp gives users 30 days to opt-out of handing phone number over to Facebook]

UK – UK Data Privacy Regulator to Track Whatsapp’s Data Sharing with Facebook

The UK’s data privacy regulator will monitor how the mobile messaging app WhatsApp shares data with parent business Facebook following an update to its privacy policy. The Information Commission’s Officer (ICO) aims to ensure that WhatsApp is being transparent about what and how its users’ data are shared, observing that new policy would likely split opinion among them. Under the new policy, the phone numbers of the more than one billion users of the app will be shared with Facebook, paving the way for more targeted ads and friend recommendations. “Some might consider it’ll give them a better service, others may be concerned by the lack of control. Our role is to pull back the curtain on things like this, ensuring that companies are being transparent with the public about how their personal data is being shared and protecting consumers by making sure the law is being followed” said Information Commissioner Elizabeth Denham. While the ICO does not have the power to block such a move, any change does need to abide by data protection laws. If it doesn’t and is found to breach the Data Protection Act then it could be fined up to £500,000 by the regulator. [Source]

Other Jurisdictions

NZ – Privacy Commissioner: Children’s Safety Comes Before Privacy Laws

New Zealand Privacy Commissioner John Edwards has officially agreed with the Minister of Social Development’s proposal to update privacy laws so that federal agencies can disclose information about children in danger with both greater ease and less fear about potential enforcement action, the Office of the Privacy Commissioner announced in a statement. “Agencies should not be concerned about breaking privacy laws when it comes to vulnerable children,” Edwards said. “They should already be sharing information and not be waiting for the law reform to take effect.” He added that whatever the proposed legal revisions, government officials should continue to encourage those who know of a child at risk to report that information. [privacy.org]

Privacy (US)

US – FTC Will Host Ransomware Panel Discussions

Next month, the FTC will host three panel discussions on ransomware to help organizations and consumers protect their computers. The event is scheduled for September 7 at 1:00PM ET and will be webcast from the FTC site. [Computerworld: Ransomware attracts FTC attention |- FTC: Fall Technology Series: Ransomware]

US – FTC Notice Workshop Agenda Announced

The FTC has released its agenda for its Sept. 15 workshop entitled, “Putting Notices to the Test,” the agency said in a press release. The free event will feature 22 different presentations and remarks by FTC Chairwoman Edith Ramirez and FTC Chief Technologist Lorrie Cranor, among others. The workshop will begin with a presentation of cognitive models and then split into six topic areas: “methods and procedures to evaluate the effectiveness of disclosures; whether and when people notice or pay attention to various types of disclosures; how much people understand or comprehend the information presented in disclosures; disclosures’ impact on consumers’ decision making processes; case studies; and a look at the future of research on disclosures,” the release states. [FTC]

US – Pennsylvania Court Confirms Unlawful Disclosure of Legally Protected Information Constitutes an Injury

The Court reviewed a debt collector’s motion in limine to dismiss an individual’s claim of injury under the Fair Debt Collection Practices Act. An individual received a debt collection letter in the mail that included a barcode next to his name and address, which was visible through the envelope’s glassine window; the Court found the injury was particularized because the individual alleged that his personal identifying information was disclosed, and concrete because the unlawful disclosure of legally protected information is sufficient to demonstrate a concrete harm. [John Daubert v. NRA Group, LLC – 2016 U.S. Dist. LEXIS 105909 – United States District Court for the Middle District of Pennsylvania | Subscription required

US – EPIC suing FAA for Lack of Privacy in Drone Regulations

The Electronic Privacy Information Center has sued the Federal Aviation Association for not including privacy regulations in its first formal rules for drone use. “EPIC argues that, since Congress directed the FAA to develop ‘comprehensive’ rules that ‘safely’ integrate drones into U.S. airspace, it’s obligated to consider privacy issues,” the report states. The suit calls for the DC Circuit Court of Appeals to overturn the regulations and compel the FAA to consider privacy protocols. [ZDNet]

Privacy Enhancing Technologies (PETs)

WW – Bitcoin Privacy Tool ‘CoinShuffle’ Sees First Transaction

A type of anonymous bitcoin transaction that privacy enthusiasts have been awaiting for years has finally been tested successfully. Sent on the bitcoin test network earlier this month, the transaction is possibly the first real-world implementation of CoinShuffle, a proposal that first generated excitement in April 2014 for building on existing privacy techniques in a way that doesn’t rely on third parties. Until now, it was just a proof-of-concept, but on 15th August, bitcoin developer Daniel Krawisz sent what he believes is the first transaction utilizing this tool. The big idea behind the technique is that it guards sensitive user information that may otherwise be visible on bitcoin’s public blockchain, but the short-term goal is to incorporate the technique into the bitcoin wallet service Mycelium, which is sponsoring the project. Launched in 2013, Mycelium recently released a roadmap with CoinShuffle scheduled for “phase 5”, or the final step, of its development plan. [Coindesk]

Security

US – Forthcoming NIST Guidelines On Passwords Embrace Emojis

The U.S. National Institute for Standards and Technology is developing guidelines for strong computer passwords. The guidelines recommend elongating the length of passwords, using emojis, and allowing users to check whether their potential password is among the most popular, the report states. Furthermore, the guidelines advise against hint questions, SMS verification, and “special character” or knowledge-based authentication hurdles. “Password policies need to evolve as we learn more about how people use and abuse them,” the report states. “NIST’s goal is to get us to protect ourselves reliably without unneeded complexity, because complexity works against security.” [Naked Security]

WW – Study: SMBs Lack Security Training

The Shred-it 2016 Security Tracker survey found security training is lacking in a majority of companies. The study found 78% of small- and medium-sized businesses only conduct security training once a year or less, with 51% of C-suite executives responding with similar results. 28% of organizations state they have never trained their employees on legal compliance requirements and 22% conduct training on an ad hoc basis. “With employees returning to work in the fall, business leaders have a prime opportunity to engage their teams and raise awareness of information security risks,” said Shred-it Global Director Andrew Lenardon. “They can consider taking advantage of this time to launch a comprehensive training program that makes information security best practices a part of all employees’ daily routine and responsibilities.” [Infosecurity Magazine]

Surveillance

UK – Terror Watchdog Backs Bulk Hacking Powers, Calls for Expert Tech Panel

Bulk hacking of equipment at home and abroad by UK spies can be justified, an independent review of proposed terror law has said—even though an operational case for such surveillance is yet to be proven. David Anderson QC confirmed in his 204-page report that mass snooping powers—some of which have been used by MI5, MI6, and GCHQ for years—were vital to help the security services combat terrorism and other serious crime in the UK. He said, in a review of the government’s operation case for bulk powers (PDF), that bulk interception and the scooping up and storing of vast amounts of communications data and bulk personal datasets had, over the years, helped those agencies to avert a wide range of threats. [Ars Technica] [Mixed reaction to Anderson review of bulk surveillance powers] [Review finds ‘proven’ or ‘distinct’ operational case for bulk surveillance powers]

US – Chicago’s ‘Smart City’ Networks Face Law Enforcement Access Questions

Chicago’s Array of Things sensor network approved a new privacy policy, but questions remain surrounding law enforcement requests. Chicago will activate the first wave of sensors, cameras and microphones later this summer, monitoring the city’s environment, as well as pedestrian and vehicular traffic. As for law enforcement requests, Chicago’s Commissioner of the Department of Innovation and Technology Brenna Berman believes law enforcement requests will be low, while saying the requests were not included in the privacy policies, as “a policy is designed to set a general framework around operations. We can’t actually answer what action would be taken under any possible circumstance in the future.” Senior Staff Attorney for the Electronic Frontier Foundation Lee Tien was critical of the omission. “The handling of law enforcement, it seems pretty clear it’s not in there at all and it should be,” Tien said. “So that’s definitely a failure.” [The Chicago Tribune]

US – Privacy and the New Tolling System in Massachusetts

Massachusetts is making the shift to an all-electronic tolling system that will end the need for drivers to stop, or even slow down, to pay tolls. State officials have said the new system will reduce congestion, pollution, accidents at toll plazas, and, hopefully, drivers’ commute times. But concerns have also been raised about the volume of data the technology collects as drivers pass through toll zones, and about how that data is being stored and used. According to a state transportation department spokeswoman, the new all-electronic tolling system captures the following information each time a vehicle passes through a toll zone: date and time, location, lane, vehicle speed, E-ZPass transponder number, photos of the front and rear of the vehicle to capture the license plate number and plate date, a video to capture vehicle axle count. The data is retained indefinitely and used primarily for business purposes, but also for “ research purposes “in the interest of identifying traffic patterns.” The new tolling system also includes a “hot list” feature that can send law enforcement instant alerts when cars with specified license plates or transponders pass under toll gantries. Officials say the feature will only be used to track vehicles in the case of urgent public safety emergencies, such as AMBER Alerts, the notices issued when children are abducted and believed to be in danger. Officials have said vehicle speed data that are collected are used to synchronize the cameras that record each license plate. Officials have pledged that speed data will not be used to ticket drivers. The department has reciprocal agreements to share a limited amount of tolling data with other states so that the department can bill out-of-state vehicle owners who drive on Massachusetts toll roads. Otherwise, the department said it shares tolling data when legally required to do so, including with federal officials, law enforcement agencies, and lawyers representing individuals in divorce and other civil cases who obtain court orders. The department said, that in accordance with state law, it notifies people whose information is sought through subpoenas allowing them to take legal action to fight the subpoenas. However, exceptions could be made for serious and time-sensitive cases in which law enforcement request to able to use the hot list feature, officials said. MassDOT offers special transponders that can be loaded by paying cash so the devices will not be associated with a drivers’ name, address, bank account, or credit card. [Boston Globe]

US Government Programs

US – Stolen NSA Tools Take Advantage of Zero-Day Vulnerabilities

Sophisticated “hacking tools” allegedly stolen from an NSA-related server have been leaked online. The thieves have said they plan to sell the tools in a digital auction. The tools bear digital signatures that match those used by the Equation Group, a group that has alleged links to the NSA. The incident highlights the risk of hoarding zero-day vulnerabilities. When intelligence agencies use them to develop tools, those tools could be stolen and make their way into the hands of malicious actors. [ eWeek: Hard Facts Scarce in Purported Theft of Hacking Tools from NSA Server | Washington Post: NSA hacking tools were leaked online. Here’s what you need to know. | Wired: The Shadow Brokers Mess is What Happens when the NSA Hoards Zero-days | Ars Technica: Confirmed: hacking tool leak came from “omnipotent” NSA-tied group | Computerworld: Alleged NSA data dump contains hacking tools rarely seen]

Workplace Privacy

UK – Ex-officer Wins Lawsuit After Department’s Illicit Monitoring

A former Met Police officer won her case after suing the department for illicitly monitoring her activities. The Met surveilled former Detective Constable Andrea Brown after she went on vacation with her daughter while on sick leave. The Met Police and the Greater Manchester Police both admitted to violating the Data Protection Act and Brown’s right to privacy before the final ruling. “What is significant is that the judge commented that the senior police officers involved in this case didn’t appear to have any appreciation or understanding of the laws that regulate their conduct in this area, and didn’t acknowledge that they had done anything wrong,” said Brown’s Solicitor Advocate David Gray-Jones. [BBC]

+++

 

06–18 August 2016

Biometrics

WW – Algorithms Can Identify Individuals Trying to Evade Facial Recognition

German researchers published a paper revealing algorithms can be used to identify individuals even if they have obscured their faces. The researchers from the Max Planck Institute call it the “Faceless Recognition System,” which “trains a neural network on a set of photos containing both obscured and visible faces, then uses that knowledge to predict the identity of obscured faces by looking for similarities in the area around a person’s head and body.” Depending on the level of obscurity, the success rate can range from 14.7% to 91.5%. Meanwhile, Facebook users filing a lawsuit against the social media network say the level of damages they received meet the level set in the Spokeo decision. Editor’s Note: The IAPP will be hosting a discussion on biometrics and consumer privacy at the Privacy. Security. Risk. conference from Sept. 13-16, in San Jose, California. [Motherboard]

Canada

CA – OPC Canada Provides Tips Protecting Employee Privacy

the Office of the Privacy Commissioner of Canada has published tips to human resources professionals regarding the protection of employee personal information. HR professionals should ensure the bcc field is used for emails sent to multiple recipients that include sensitive personal information, vet documents to remove personal information before disclosing to third parties, and only share information that is factual, objective and pertinent; HR professionals should be knowledgeable about relevant privacy legislation requirements when handling personal information and advising clients on sensitive personal matters. [OPC Canada – Key Privacy Protection Tips for Federal Human Resources Professionals – Fact Sheets]

CA – Clayton Rules Former Premier Violated Privacy Law

Alberta Privacy Commissioner Jill Clayton said the office of former Premier Alison Reford violated privacy laws when she leaked personal information about former Deputy Premier Thomas Lukaszuk and three other government officials. The information revealed Lukaszuk rang up more than $20,000 in international data roaming charges during a personal trip to Europe in 2012. Clayton said the disclosure of the information goes against the Freedom of Information and Privacy Act. “While it is arguable that the release of information about cellphone charges may have been in the public interest, it was leaked in an uncontrolled manner — nobody’s privacy interests were considered,” Clayton said. [Global News[

CA – NL OIPC Reports 66 Breaches between March and June

The Information and Privacy Commissioner has disclosed 66 breaches within public entities between March and June 2016, an increase from the 51 breaches during 2016’s first quarter. “Most of the private information was released through email or regular mail, and only one was intentional,” the report states. Institutions like Service NL, Central Health and the Newfoundland and Labrador English School District all reported breaches. [CBC News]

CA – Newfoundland OIPC Sees Rise in Access to Information Requests

Newfoundland and Labrador’s new Information and Privacy Commissioner Donovan Molloy has seen a large increase in access to information requests. Molloy said changes to the Access to Information and Protection of Privacy Act have made asking for information far easier, resulting in a large influx of applications. “It’s my understanding that there’s been a substantial increase in the number of requests since 2015,” said Molloy. Since taking over last month, Molloy said the large amount of requests have been taxing on his office. “It’s a real struggle right now in terms of volume, keeping up with the number of requests,” said Molloy. “Because of the capacity to store large volumes of information electronically, then the requests are often quite broad as well.” [CBC News]

CA – Lawsuits Filed Against ‘Pokemon Go’, IP Mapping Company

Two separate lawsuits have emerged against companies that use location data. A family in Alberta, Canada, has initiated a class-action lawsuit against the makers of “Pokemon Go” because their house is a “Gym” in the augmented reality game, meaning it’s a destination for players. Homeowner Barbra-Lyn Schaeffer said more than 100 players have wandered onto her property in the past month. A separate lawsuit has been filed by a Kansas, U.S., family against IP mapping company MaxMind. The issue, originally reported on by Fusion’s Kashmir Hill, involves a default GPS setting — which happens to be where the family lives, meaning law enforcement is often called out to the family’s home thinking it’s a place where a crime has been committed. MaxMind has changed the IP location, but not all users have updated their settings, meaning the issue could affect the family for years to come. [Calgary Herald]

E-Government

US – Interior Dept. Needs to Update Logical Access Controls: Report

According to a report from the US Department of the Interior (DOI) Office of the Inspector General (OIG), eight of nine systems OIG tested at the agency did not meet minimum federal standards for logical access controls. The report also found that DOI needs to encrypt mobile devices and to develop “the ability inspect encrypted traffic for malicious content.” The OIG report acknowledges that “DOI has implemented multifactor authentication to reduce the risk of unauthorized access” to systems. [SC Magazine: Interior Dept. must update access control standards to meet NIST guidelines – report | FCW: IG: Interior needs to tighten computer security | DOIOIG: Inspection of Federal Computer Security at the US Department of the Interior]

US – OIF Finds GSA Access Controls in Good Shape

The Office of Inspector General (OIG) of the US General Services Administration (GSA) found the agency’s “policies and procedures regarding access controls” to be in line with federal standards. Eleven of the GSA’s 18 examined systems use “multifactor authentication for privileged users consistent with government-wide policies.” The seven systems that do not have multifactor authentication use “compensating controls for privileged user access.” [Nextgov: GSA Gets Thumbs Up on Cybersecurity Act Assessment | GSAIG: US General Services Administration Office of Inspector General Cybersecurity Act Assessment]

E-Mail

WW – Google to Warn Users About Potentially Dangerous e-Mail

In a blog post, Google says it will send warnings to users when they receive email messages that could harm their computers. The warning will ask users if they want to open messages that Google deems untrustworthy either because they contain links to sites known to host malware, or because Google cannot authenticate that the sender is who it claims to be. [CNET: Don’t click on that: Google updates email warnings | ZDNet: Google Gmail: Now you about get security alerts about senders to beat email spoofing | Google: Making email safer with new security warnings in Gmail]

EU Developments

WW – ICDPPC Updates Upcoming Morocco Conference

In its latest communique, the International Conference of Data Protection and Privacy Commissioners provides an update to this year’s conference in Marrakech, Morocco. The conference’s closed session will feature discussion on artificial intelligence, robotics and encryption, while the program will also include themes such as “privacy as a driver for sustainable development, security and privacy, digital education, technology and social trends,” New Zealand Privacy Commissioner and ICDPPC Chair John Edwards wrote. The newsletter also features highlights from the executive committee’s meeting in Singapore, a Q&A with Macedonia Director of the Directorate for Personal Data Protection Goran Trajkovski, and an update on the cloud computing resolution that was adopted in 2012. [Full Story]

EU – E-Privacy Directive Draft on September Docket for European Commission

The European Commission will release its E-Privacy Directive update draft in September, which will mandate that apps like Skype and WhatsApp fall under the same privacy regulatory umbrella as SMS text messages and both mobile and landline calls. “It was obvious that there needs to be an adjustment to the reality of today,” said Green MEP Jan Philipp Albrecht. “We see telecoms providers being replaced and those companies who seek to replace them need to be treated in the same way.” He added that the proposed law will take special aim at upholding strong encryption. Critics counter that these laws must be careful not to curb economic innovation, and that re-tailoring older legislation to fit newer technology is “well-nigh impossible,” the report states. [The Gurdian]

Facts & Stats

WW – Study: ‘Insider Negligence’ Most Likely Cause of Data Breaches

A Ponemon Institute study revealed “insider negligence” is the most common cause of a data breach. The study polled more than 3,000 employees in the U.S., U.K., France and Germany, and found 76% of their organizations suffered a data breach in the last two years. The respondents said insider negligence results in more breaches than hackers, malicious employees or poor contractor security. The study also found that 87% of those polled said their jobs require access and use of customer data, employee records and financial information, but only 29% said their organizations allow access on a “need-to-know” basis, with 25% monitoring employee email and file activity. [ZDNet]

FOI

CA – OIPC SK Outlines Steps for Responding to Access and FOI Requests

The Office of the Information and Privacy Commissioner in Saskatchewan has provided guidance on granting individuals access to records within public bodies, pursuant to the: Freedom of Information and Protection of Privacy Act; and Local Authority Freedom of Information and Protection of Privacy Act. Applicant identity should not disclosed to anyone without a legitimate need to know, public bodies are not entitled to require applicants to explain the reason for their request (unless to refine/narrow it, deciding to waive fees, or it believes it is frivolous, vexatious, or in bad faith); fee estimates should be proportionate to the work required to respond efficiently and effectively, and notice should be given to third parties any time access is denied due to a third party exemption, or there is an OIPC review. [OIPC SK – Best Practices for Responding to Access Requests]

CA – OIPC NFLD Finds Government Employee Names, Titles and Remuneration Amounts Should Be Disclosed

The Office of the Information and Privacy Commissioner in Newfoundland and Labrador has reviewed a complaint by third parties, regarding the decision of the Newfoundland and Labrador English School District to allow access to records pursuant to the Access to Information and Protection of Privacy Act, 2015. Disclosure is not an unreasonable invasion of privacy if the information is about a public employees’ position, function, or remuneration; the privacy of public employees must be balanced against the public’s right to know how tax dollars are spent, and to release specified information about employees without employee names would undermine the purpose of the Access to Information and Protection of Privacy Act. [OIPC NFLD – Report A-2016-015 – NFLD English School District]

Genetics

US – MIT Scientists Create System Protecting Patient Privacy Within Genomic Databases

MIT’s Computer Science and Artificial Intelligence Laboratory and Indiana University at Bloomington have developed a research database that allows queries from genome-wide association studies while decreasing privacy threats to “almost zero.” The database employs differential privacy techniques to keep vulnerabilities so low. “It does that by adding a little bit of misinformation to the query results it returns,” the report states. “That means that researchers using the system could begin looking for drug targets with slightly inaccurate data. But in most cases, the answers returned by the system will be close enough to be useful.” Decreased privacy risks and increased access cut database wait times down from the months-long queue period, the report adds. [MIT News] [Nature] See also: [Genetic analysis and its privacy pitfalls]

Health / Medical

WW – Some mHealth Apps Aren’t Making Privacy a Priority

A new study finds that health and wellness apps in particular aren’t making privacy policies easily available to users, even though they are collecting sensitive data. A study by the Future of Privacy Forum finds an overall improvement in the mHealth industry, with 76% of apps surveyed having a privacy policy – an 8% increase since the last survey in 2012. Among their findings was a marked difference in transparency between free and paid apps. Some 86% of the free apps have an accessible privacy policy, while only 66% of the paid apps have a policy. Researchers noted that free apps are usually sustained by advertising, and often are required to disclose their tracking practices to comply with that industry’s standards. [mHealthIntelligence]

Horror Stories

WW – IoT Sex Toy Shares Private Data With Manufacturer

Security researchers have revealed that an internet-connected sex toy is sending intimate data back to the manufacturer for “market research.” The We-Vibe 4 Plus can be controlled remotely through a mobile device and is intended to help couples be more intimate when they’re away from each other. However, the researchers demonstrated the device also shares temperature and vibration intensity data with the manufacturer, and can be easily hacked. “As teledildonics come into the mainstream,” their presentation description noted, “human sexual pleasure has become connected with the concerns of privacy and security already familiar to those who previously only wanted to turn on their lights, rather than their lover.” The president of the manufacturer said the data it receives is not granular enough to know how it’s being used. [Newsweek]

Location

EU – Irish Commissioner Releases Guidance on Location Data

The Office of the Data Protection Commissioner today released guidance on location data. “Aimed at both individuals and organizations, our guidance will assist individuals in understanding how much information relating to their location is collected and processed, and provides clarity to organizations on their obligations regarding such data. The overriding principle of the guidance centers on the protection of the individual’s right to data privacy,” the DPC said in a press release. Included in the guidance are tips about smartphone apps and public Wi-Fi networks collecting location data, as well as wearable devices. The guidance is part of an ongoing educational effort on behalf of the DPC. [Full Story]

US – FTC Offers Analysis, Guidance from InMobi Location Tracking Case

In a new FTC blog post, Nithan Sannappa and Lorrie Faith Cranor offer a deep dive into the location privacy issues revealed in the InMobi case. “In this post,” they write, “we explain the mechanism that the commission alleges InMobi used to track users’ location without permission, and discuss technical steps that mobile operating systems have taken to try to address this practice.” In addition to a detailed analysis of how InMobi tracked the location of users, Sannappa and Cranor write, “Given these complexities, all actors in the mobile ecosystem have a role to play in protecting consumer privacy.” Further, app developers should “consider contractual terms or other steps to help ensure that their third party service providers do not circumvent consumers’ privacy choices.” [Full Story]

Offshore

TH – Thai Government Could Require SIM Cards for Tourists

Thailand’s National Broadcasting and Telecommunications Commission could mandate tourists to carry “location-tracking SIM cards.” “It is not to limit tourists’ rights. Instead it is to locate them which will help if there are some tourists who overstay or run away (from police),” said Secretary-General Takorn Tantasith. Details surrounding the potential program are sparse, like the cost of the cards, how location tracking would work on the card, and when the program could start, the report states. [The Nation]

Online Privacy

WW – Facebook Update Overrides Ad Blockers

Ad blockers will no longer work on Facebook thanks to site updates. While ad blockers will continue to work on others sites and Facebook users can tailor their ad preferences on-site, the move will spark more debate about ads, privacy, and the blockers used to prevent them, the report states. Many are frustrated at the erosion of user control. “It takes a dark path against user choice,” said Eyeo G.m.b.H’s Ben Williams. Some feel Facebook’s updates strike a balance. “Many users rely on ad blockers because they are concerned about privacy or malware,” said the Future of Privacy Forum’s Jules Polonetsky. “Facebook’s change lets users continue to use ad blockers to protect themselves, while ensuring ads are displayed.” [The New York Times]

Other Jurisdictions

NZ – Privacy Commissioner Launches Tool for Privacy Questions

New Zealand’s Office of the Privacy Commissioner launched an online service allowing people to ask privacy-related questions whenever they need to. The “Ask Us“ tool allows anyone from individuals to small-business owners to government workers the chance to access privacy information, according to Privacy Commissioner John Edwards. “We have designed this tool with a 360-degree view of who might find it useful,” said Edwards. “We believe this is a leading model that is available to be shared with other public-sector agencies that are also on the Common Web Platform. People will be able to access information that is relevant to them in a convenient way without having to join a phone queue to a call centre.” [CIO]

Privacy (US)

US – FTC to Host Ransomware Event Sept. 7

The Federal Trade Commission will host a three-panel discussion on ransomware in Washington on Sept. 7 as part of its Fall Technology Series, the agency announced in a press release. FTC Chairwoman Edith Ramirez, FTC Chief Technologist Lorrie Faith Cranor, and representatives from organizations like PhishLabs, Red Canary and the FBI will speak. “In addition to the panel discussions, the FTC’s Office of Technology Research and Investigation and New York University’s computer science department will present research based on a study of dozens of ransomware variants,” the report states. This event is free and public. [FTC]

US – Judge Denies Google’s Request to Dismiss Email Interception Lawsuit

U.S. District Judge Lucy Koh denied Google’s request to dismiss a class-action lawsuit alleging the company illicitly intercepts and scans emails before reaching a user’s inbox. Google claims its process for obtaining emails and scanning their contents for use in targeted advertising is part of their standard operating procedure. Koh disagreed with Google, saying its policy may violate the California Wiretap Act. “Under the plain meaning of the Wiretap Act, the ‘ordinary course of business’ exception protects an electronic communication service provider’s interception of email where there is ‘some nexus between the need to engage in the alleged interception and the [provider’s] ultimate business, that is, the ability to provide the underlying service or good,’” Koh wrote in her ruling. [Courthouse News Service]

US – DOC Releases First List of Privacy Shield-Compliant Companies

Late last week, the International Trade Administration — an arm of the U.S. Department of Commerce — released a list of nearly 40 companies that have been approved under the EU-U.S. Privacy Shield. A DOC spokesman said the list would be updated on a rolling basis, adding, “There are nearly 200 applications currently involved in our rigorous review process.” However, businesses have been slow to join the agreement, mostly due to a lack of legal uncertainty in the EU. PwC’s Jay Cline, CIPP/US, said, “we don’t expect a stampede to join it in the next few days, but rather a steadily growing wave over the long run, especially if European companies begin to favor Privacy Shield membership in competitive bids.” [Wall Street Journal] See also: The EU-U.S. Privacy Shield is fully operational, as the U.S. Chamber of Commerce has opened registration for U.S. companies, the European Commission announced in a press release, and [Could privacy trust marks be a better Privacy Shield alternative?]

US – California’s Gang Member Database May Violate Privacy Rights

California’s database of suspected gang members may violate the privacy rights of those within the system. A state auditor report examined the CalGang database, a system shared by police agencies across the state, and contains information on nearly 150,000 gang members. The system “does not ensure that user agencies collect and maintain criminal intelligence in a manner that preserves individuals’ privacy rights,” wrote auditor Elaine Howle. The report found four court cases where the database was used as proof of an individual’s gang involvement, and three law enforcement agencies using the database for employment or military-related screenings. “These instances emphasize that inclusion in CalGang has the potential to seriously affect an individual’s life,” the report states. “Therefore, each entry must be accurate and appropriate. [SFGate]

Privacy Enhancing Technologies (PETs)

WW – Enterprise Privacy Tech Solutions Are On the Rise

With a major new privacy regulation on the horizon in Europe, and increased media and regulatory scrutiny of companies’ privacy practices around the world, the job of engendering consumer trust and maintaining privacy compliance is getting seemingly more difficult every day. Of course, employing privacy pros is the obvious first step in ensuring a robust internal privacy regime, but more and more, privacy pros are in need of tools to help them do their jobs. Fortunately, startups and venture capitalists are recognizing this need for better privacy and information management tools. In this post for Privacy Tech, Jedidiah Bracy, CIPP, looks at two startups looking to work further with privacy pros in an effort to provide technological solutions designed directly for the privacy pro. [IAPP] See also: [Op-ed: New tech could be the boon health care privacy needs]

Security

US – Study: 91% of Visual Hacking Attempts Successful

A Ponemon and 3M Company study found the vast majority of visual hacking attempts are successful. The Global Visual Hacking Experiment spanned 157 trials in 46 participating companies across eight countries, including China, France, Germany and the U.K. The study had a white hat visual hacker take information in different ways, including walking through offices for information, taking confidential business documents off desks and placing them into briefcases, or taking a picture of confidential information using a smartphone. The attempts were successful 91% of the time, with 52% of the sensitive information taken from employee computer screens. Hackers were normally not confronted, as 68% of visual hacking attempts resulted in the malicious party not receiving any questioning. [Full Story]

US – Active Response, Behavior Baselining Hot at Black Hat Conference

One of the popular security terms making their way into conversations during the Black Hat conference last week in Las Vegas is behavior baselining, where an organization focuses on understanding its system’s typical behavior in order to identity any deviations. “Most organizations accomplish this by employing people and technologies utilizing data science and machine learning for automated analysis,” the report reads. This is complemented by active response, another term making its way around Black Hat. “Active response is the ability to respond to an attack as soon as it is detected within the organization’s environment. The response could include communication with secondary systems such as a ticketing system, or it could include creating a ticket or collecting additional data.” [TechCrunch]

Surveillance

US – NYC Art Exhibit Examines Privacy in the Surveillance Age

An art exhibit in New York City is focusing on the attempts to stay private in a growing age of surveillance. “Public, Private, Secret” features a wide range of privacy-themed surveillance art from the 1940s to today, a video diary made up of an individual’s private online thoughts, and photos of celebrities. One of the themes of the exhibit is the growing number of people who have access to cameras, allowing more people to engage in visual communication. “The big difference is, it used to be a few people taking images that went out to millions,” said the International Center of Photography’s Executive Director Mark Lubell. “Now it’s millions and millions of people going out to millions and millions of people. I think that’s a seismic shift in the medium, and it’s something we should be looking at and exploring.” [PBS Newshour]

WW – AI Company Develops Drone Risk Analysis Program

An artificial intelligence company is developing a risk analysis program for commercial drones. Flock’s program allows drone operators to safely use their devices by leveraging real-time weather information, locating buildings, and predicting when areas will be filled with people in order to find less congested routes. “We extract actionable insights and predictions from big data by extracting multiple data sources and amassing a wealth of historical data in cities,” said Flock CEO Ed Leon Klinger. “The machine learning element of our technology is what allows us to predict when and where certain areas of cities will become particularly hazardous for drones.” Flock may also be used by insurance companies to help determine the risks of drone flight. [Yahoo!]

US Government Programs

US – Court of Appeals Finds Government’s Warrantless Use of Cell Phone Location Information was Justified

The US Court of Appeals reviewed an appeal by Frank Caraballo for a conviction by the District Court for the District of Vermont for conspiring to distribute drugs, possession of a firearm in furtherance of a drug trafficking crime, and causing the death of an individual. The Court found that emergency circumstances may make the needs of law enforcement so compelling that a warrantless search is objectively reasonable under the Fourth Amendment; the Defendant was reasonably believed to be armed, had recently been identified by the victim as a person who was likely to cause harm, was likely to escape if not quickly apprehended, and posed an imminent threat to law enforcement (undercover police and confidential informants). [US v. Frank Caraballo – 2016 US App. LEXIS 13870 – United States Court of Appeals for the Second Circuit]

US Legislation

US – New Illinois Law Requiring Stricter Rules for Stingray Use

SB 2343, An Act Concerning the Use of Cell Site Simulator Devices, was signed by the Illinois Governor. Before deploying cell site simulators, law enforcement agencies must submit a court application that includes a description of the nature and capabilities of the device to be used, the method of deployment, and procedures to protect the privacy of non-targets; all non-target data must be deleted within 24 hours (if the device is used to location or tracking) or 72 hours (if used for device identification). The Act is effective January 1, 2017. [SB2343 – An Act Concerning the Use of Cell Site Simulator Devices – Illinois General Assembly]

+++

29 July – 05 August 2016

Biometrics

WW – New Snapchat Facial Recognition Patent Could Have Retail Ramifications

Snapchat received a patent for technology to identify the face of specific individuals, then blur or obscure their faces if they have set their privacy settings to do so. The technology would allow Snapchat to surf through the database for anyone who has used the app, and if it finds a match, the app will place “a privacy-protected version of the image, wherein the privacy-protected version of the image has an altered image feature.” However, similar facial recognition technology, the report points out, could be used in a retail setting, where an organization could scan customers to determine their shopping habits and other information through social media and other online outlets. [Computerworld]

WW – Facial Recognition for Monitoring Crowd Reactions?

At each of the recent major political conventions held in the United States last month, Microsoft was on-site as part of an event with POLITICO where it demonstrated its Microsoft Research Division capabilities. One exhibit was titled “Realtime Crowd Insights” and displayed functionality whereby individual faces in a crowd could be singled out and identified by approximate age, emotional state and gender. The report questions whether the technology’s abilities mesh with consent-based privacy policies. “It’s difficult,” said Georgetown professor Alvaro Bedoya,” to envision how companies will obtain consent from people in large crowds or rallies.” [The Intercept]

WW – How Hackers Could Get Inside Your Head With ‘Brain Malware’

Hackers have spyware in your mind. You’re minding your business, playing a game or scrolling through social media, and all the while they’re gathering your most private information direct from your brain signals. Your likes and dislikes. Your political preferences. Your sexuality. Your PIN. It’s a futuristic scenario, but not that futuristic. The idea of securing our thoughts is a real concern with the introduction of brain-computer interfaces—devices that are controlled by brain signals such as EEG, and which are already used in medical scenarios and, increasingly, in non-medical applications such as gaming. Researchers at the University of Washington in Seattle say that we need to act fast to implement a privacy and security framework to prevent our brain signals from being used against us before the technology really takes off. “There’s actually very little time,” said electrical engineer Howard Chizeck over Skype. “If we don’t address this quickly, it’ll be too late.” “Broadly speaking, the problem with brain-computer interfaces is that, with most of the devices these days, when you’re picking up electric signals to control an application… the application is not only getting access to the useful piece of EEG needed to control that app; it’s also getting access to the whole EEG,” explained Bonaci. “And that whole EEG signal contains rich information about us as persons.” And it’s not just stereotypical black hat hackers who could take advantage. “You could see police misusing it, or governments—if you show clear evidence of supporting the opposition or being involved in something deemed illegal,” suggested Chizeck. “This is kind of like a remote lie detector; a thought detector.” [MotherBoard]

Big Data

WW – Privitar receives 3M GBP from Illuminate Financial Management

Big data privacy startup Privitar will receive 3 million GBP in financing from Illuminate Financial Management, with other investments coming from existing investors. Privitar will use the funds to boost its growth both in the U.K., and in Europe for its big data software, designed to let companies publish and share data privately, while meeting regulatory compliance. “Every organisation that collects and analyses data is grappling with the issue of data privacy. They are all potential customers for our privacy-enhancing software solution,” said Privitar CEO Jason du Preez. “That is why we are excited to be partnering with Illuminate Financial with their deep connectivity into one of our target vertical market.” [Finextra]

Canada

CA – Newfoundland & Labrador’s New Information and Privacy Commissioner Speaks Up

In an interview, Newfoundland and Labrador’s newly-appointed Information and Privacy Commissioner Donovan Molloy discusses elements of the role he looks forward to tackling and his goals for the province’s privacy. “At the end of the day, the public is entitled to every piece of information that exists in government, unless it is specifically exempted in the [Privacy] Act,” Molloy said. “The role of this office is to make sure the exemptions and qualifications are properly applied.” He added that he has a particular interest in privacy issues. It’s “one of the areas of law that’s developing very quickly, and will increasingly become more important in our society,” Molloy said. [The Telegram]

CA – BC SC Orders Voyeur to Pay $85,000 In Privacy Damages

The BC Supreme Court ordered $85,000 in damages to be paid to a young woman whose stepfather surreptitiously recorded her while she was undressed in her bathroom and bedroom. The damages finding was driven significantly by the “thoroughly undignified and humiliating actions” of the defendant, the age of the defendant and proof that the defendant’s actions caused a significant psychological disorder that the plaintiff was still recovering from at the time of trial (which was four years after discovering the defendant’s wrong). The plaintiff was recovering, the judge also noted, as well as noting that the defendant conducted his defence with “appropriate restraint.” The judge did not consider evidence that the plaintiff was herself provocative in his damages assessment. The Court also ordered damages to be paid for past loss of earning capacity, the cost of medication taken and health care received and the cost of future care. [Source] T.K.L. v. T.M.P., 2016 BCSC 789 (CanLII).

CA – Alberta Commish Issues ‘Landmark’ Trans-Privacy Ruling

In what’s being described as a “landmark” decision for the transgender community, the Office of the Information and Privacy Commissioner of Alberta has decided trans students have the right to protect their birth names from becoming public information. Following repeated incidents where teachers displayed the student’s birth name in front of other students or otherwise discussed the student’s birth gender status in public, the family complained. In the ruling, the adjudicator found the school in breach of the Freedom of Information and Privacy Act for disclosing personal information and failing to make proper security arrangements. The school has already amended practices, but Kris Wells, a professor with the University of Alberta’s Institute for Sexual Minority Studies and Services, called it a “landmark decision” because of the way it will force school boards to re-examine policies across Canada. [GlobalNews] [Trans student at centre of Edmonton school’s privacy breach hopes it doesn’t happen to others]

Consumer

WW – Windows 10 Privacy Concerns May Drive Customers Over to The Mac

A recent survey conducted by OnePoll reveals that two-thirds of the Windows-based population would consider switching to a Mac due to the privacy concerns over Microsoft’s latest platform, Windows 10. The poll arrives just after the French National Data Protection Commission (CNIL) presented Microsoft with examples late last month of how some of Windows 10’s user data collection is unwarranted. France’s reaction is just one of many reports of privacy concerns over Microsoft’s data collection. The OnePoll survey questioned 500 individuals in North America and 500 residents in the UK. It asked one simple question: If the controversial collection of user data in Windows 10 that’s causing privacy concerns would push them into considering a switch over to Mac. the survey found that 501 individuals said they “might” consider switching, while 141 individuals said they would “definitely” consider the switch. Another 358 individuals said they wouldn’t even consider it. The poll goes on to show that U.K. respondents are more concerned about the Windows 10 data collection than Americans, with 15.2% of the U.K. residents polled saying they would “definitely” consider a switch and 51.8 percent saying “maybe.” For the Americans, 13% said “definitely” and 48.4% said “maybe.” [Digital Trends]

E-Government

CA – Government of Canada Releases Cloud Adoption Strategy

The Government of Canada recognizes that a strong IT workforce and modern IT infrastructure are the backbone of better service delivery to Canadians. Treasury Board President Scott Brison has taken another step to modernize the Government of Canada’s use of IT by releasing the Cloud Adoption Strategy for public comment. This strategy prioritizes the security and privacy of Canadians while providing departments with new modern and flexible alternatives to make more efficient use of information technology. Using cloud computing services provides the Government with even more options in terms of data storage and running applications. The strategy is designed to allow the Government to select the right cloud solution for its evolving needs. This is the result of consultations with industry and provincial governments over the past two years, and a review of global trends in cloud computing. Feedback on the strategy will be collected until September 30, 2016, and will be used to finalize the Government’s approach. [Press Release] [Government of Canada Cloud Adoption Strategy | Security Control Profile for Cloud | Right Cloud Selection]

CA – General Insurance Council of Manitoba Fines Broker $1,000 For Unauthorized Access to Customer Database

The General Insurance Council of Manitoba investigated whether Basil Galarnyk violated the Insurance Act and the General Insurance Agent Code of Conduct. The broker accessed customer information 42 times without performing any transactions, without customer approval, and for no discernible reason; the broker acted in a manner that showed a lack of trust with regard to consumer privacy, and the rules for use of customer files in conducting business. [Decision of the General Insurance Council of Manitoba respecting Basil Galarnyk]

Electronic Records

US – Prominent Senator Calls for Open Access to Patient Data

U.S. Sen. Elizabeth Warren called recently for greater access to patient data created by drug and medical-device testing. “I appreciate that there are many policy, privacy and practical issues that need to be addressed in order to make data sharing practical and useful for the research community,” Warren said in an editorial in the New England Journal of Medicine, “but the stakes are too high to step back in the face of that challenge.” Counter-arguments did not involve privacy, however, but rather concern about “research parasites” and other intellectual property concerns. As a compromise, the International Committee of Medical Journal Editors has recently proposed that scientists publish research data within six months of publishing results — “stripped of any information that could identify patients.” Meanwhile, eight plaintiffs have sued a pair of anti-abortion activists in federal court to prevent their personal information from being released as part of the University of Washington’s Birth Defects Research Laboratory. [STAT]

EU Developments

WW – Morocco Launches Program for 38th DPAs Conference

This year, the International Conference of Data Protection and Privacy Commissioners will be held for the first time in an Arabic-speaking nation, when commissioners gather in Marrakech, Morocco, Oct. 17 through 20. Sam Pfeifle speaks with Morocco National Commission for the Control and Protection of Personal Data General Secretary Lahoussine Aniss about how this year’s program is designed “to show the world that privacy and data protection is taken seriously in Morocco.” [IAPP] [Program]

FOI

CA – OIPC BC Finds Disclosure of Info Related to Water Quality is in the Public Interest

The OIPC BC reviewed a complaint alleging the Ministry of Environment failed to meet its obligations under the Freedom of Information and Protection of Privacy Act. Disclosure of regulatory actions taken by a ministry body to address water contamination is clearly in the public interest; water quality and management of nitrate application was the subject of debate in the Legislature and media, the issues giving rise to significant harm to the environment, public health or safety is still ongoing, and disclosure of a summary of the information would not allow the public to assure itself that actions undertaken were appropriate. [OIPC BC – Investigation Report F16-02 – Disclosure of  Information Quality in Spallumcheen]

Health / Medical

UK – National Data Guardian Finds Healthcare Organisations Are Not Adequately Protecting Personal Data

The UK National Data Guardian reviews current approaches to data security in the National Health Services. Organisations were often confused about which data standard or principle they were to follow, 41% of all breaches reported to the ICO were from the health sector (mostly caused by employees), and there was a lack of clarity in processing responsibilities; recommendations include using appropriate tools to identify vulnerabilities (dormant accounts, default passwords, multiple log-ins from the same account), allowing opt-outs for uses beyond direct care, and stronger sanctions for malicious or intentional breaches. [UK Government – National Data Guardian for Health and Care – Review of Data Consent and Opt-Outs]

US – Federal Healthcare Rule Expands Use and Disclosure of Medicare Data

The Department of Health and Human Services issued a Final Rule to implement requirements under section 105 of the Medicare Access and CHIP Reauthorization Act of 2015, expanding availability of Medicare data: this Rule is effective September 6, 2016. Qualified entities may provide or sell combined or non-public analyses to authorized users provided that analyses are limited to de-identified data, a data use agreement has been executed, and authorized users do not use the data for marketing, harm or fraud; any violations of the terms of a data use agreement can result in an assessment being imposed by the Centers for Medicare & Medicaid Services. [Final Rule – 42 CFR Part 401 – Medicare Program – Expanding Uses of Medicare Data by Qualified Entities]

US – Cancer Database Allows Patients to Share Data Anonymously

Inspired by the Obama administration’s Cancer Moonshot Initiative, two professors joined forces to create CancerBase, a database allowing patients to share personal medical data to further cancer research. Stanford associate professor of bioengineering Jan Liphardt, Ph.D., and University of Southern California professor of medicine and engineering Peter Kuhn, Ph.D., created the database to give patients an opportunity to share their diagnosis and their location without revealing their identities. “So that’s the simple idea: A global map and give patients the tools they need to share their data — if they want to. They can donate information for the greater good. In return, we make a simple promise: When you post data, we’ll anonymize them and make them available to anyone on Earth in one second. We plan to display this information like real-time traffic data. HIPAA doesn’t apply to this direct data sharing,” said Liphardt. [Scopeblog][stanford.edu]

US – Advocate Health Care to Pay Largest HIPAA Settlement for Privacy Violations

Advocate Health Care has agreed to pay the largest HIPAA settlement ever to the Department of Health and Human Services’ Office for Civil Rights. Advocate will pay $5.55 million to settle multiple data protection violations over the last three years. The health system is also penalized for not properly assessing potential risks to its ePHI systems, and for failing to ensure the organization and its business associates had satisfactory protections for their systems. “We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure,” said OCR Director Jocelyn Samuels. [Modern Healthcare]

WW – Pregnancy-Tracking Exposes Extremely Sensitive Personal Information

Consumer Reports Labs tested Glow, a very popular menstrual cycle/fertility-tracking app, and found that the app’s designers had made a number of fundamental errors in the security and privacy design of the app, which would make it easy for stalkers or griefers to take over the app, change users’ passwords, spy on them, steal their identities, and access extremely intimate data about the millions of women and their partners who use the app. After being alerted to these problems, Glow fixed the app and re-released it. Consumer Reports has verified that the app’s known major problems have been fixed. This is the first cybersecurity audit that Consumer Reports has published, and the beginning of a wider project they’re commencing. [BoingBoing]

Horror Stories

WW – Hacker Dumps More Than 200M Yahoo Accounts On Deep Web

More than 200 million Yahoo accounts were discovered on a deep web marketplace. A hacker known by the name “Peace” dumped the data onto a marketplace called The Real Deal. Peace said the data was “most likely” from 2012, and the passwords were hashed with an MD5 algorithm. Yahoo has not confirmed whether the data is authentic, but is aware of the leak. “We are aware of a claim. We are committed to protecting the security of our users’ information and we take any such claim very seriously,” said a Yahoo representative. “Yahoo works hard to keep our users safe, and we always encourage our users to create strong passwords, or give up passwords altogether by using Yahoo Account Key, and use different passwords for different platforms.” [International Business Times]

US – Banner Health Alerting 3.7M Individuals Following Cyberattack

Banner Health suffered a cyberattack and has started to contact 3.7 million individuals whose information may have been compromised. The breach started on Banner’s credit card payment systems for food and beverage purchases, then expanded to include patient and health plan data. “The patient and health plan information may have included names, birth dates, addresses, physicians’ names, dates of service, claims information, and possibly health insurance information and Social Security numbers,” read an investigation into the breach. Banner’s Vice President of Public Relations Bill Byron said there is no evidence the data has been used in an illicit manner. In related news, retailer Kmart agreed to settle their 2014 data breach lawsuit and will pay $5.2 million to hundreds of credit unions and banks. [Modern Healthcare]

WW – Sheer Number of Devices in Use Enlarges Security Gaps in Healthcare

Hospitals that want to improve network security should carefully assess the hundreds of medical devices they’re using, including fetal monitors, medical imaging devices, electrocardiographs, lasers and gamma cameras, to name a few. Some devices hold a sizable amount of data that can be hacked; others don’t have much data, but can increase network vulnerability. Infusion pumps, for instance, don’t have a lot of data but are a gateway to the network and “have become the poster child for medical device security gone wrong,” says Stephanie Domas, an ethical hacker and lead medical device security engineer at Battelle, a large research and development organization. [Source]

Internet / WWW

WW – Study: Mobile Streaming Represents New Privacy Frontier

In their research paper, “Up, Periscope: Mobile Streaming Video Technologies, Privacy in Public, and the Right to Record,” Lehigh University’s Jeremy Littau and Texas Christian University’s Daxton Stewart examine the privacy implications of live streaming technology. They found that U.S. privacy laws have yet to adapt to the new technology and that the First Amendment likely protects the rights of those streaming, the report states. “In this study, we advocate for less legal restraint of recording and live-streaming public matters or government officials in public places, which clearly deserve First Amendment protection,” Stewart said. “But we also call for wisdom by users and tech companies in controlling the spread of materials that may be more harmful to private individuals.” [Eurekalert] See also: [Amazon plans headphones that know when someone says your name]

Law Enforcement

US – Boston Police Used ‘Stingray’ Cellphone Spying Technology Without Warrants

Boston police never obtained warrants in the 11 instances when they used “Stingray” cell-site simulators, contradicting the commissioner’s claims that officers generally obtain permission from a judge to use the devices. The New England Center for Investigative Reporting (NECIR) reported that it had obtained documents indicating Boston police were using the spying devices without obtaining warrants. While Massachusetts does not have an explicit statute prohibiting the technology, judges will often throw out evidence obtained with Stingrays if their use is deemed to violate the privacy of the defendant. Boston Police Department (BPD) Commissioner William B. Evans said during a February radio interview that officers “normally” obtain a warrant before using the technology. In fact, the department had used Stingrays 11 times since 2009 and never obtained a search warrant for their use in any of those cases. However, BPD spokesman Lieutenant Detective Michael McCarthy told NECIR that there was no contradiction, because all of the situations in which the devices were used were considered to be emergencies. [RT]

US – Body Camera Scorecard Reveals Nationwide Failure to Promote Transparency and Accountability

An updated body camera scorecard highlights a disturbing state of affairs in body camera policy that lawmakers should strongly resist. A majority of the body camera policies examined by Upturn and the Leadership Conference on Civil and Human Rights received the lowest possible score when it came to officer review of footage and citizens alleging misconduct having access to footage, meaning that the departments were either silent on the issues or have policies in place that are contrary to the civil rights principles outlined in the scorecard. Such policies do not promote transparency and accountability and serve as a reminder that body cameras can only play a valuable role in criminal justice reform if they’re governed by the right policies. Upturn and the Leadership Conference on Civil and Human Rights looked at the body camera policies in fifty departments, including all departments in major cities that have either outfitted their officers with body cameras or will do so in the near future. Other departments that were scored include departments that received at least $500,000 in body camera grants from the Department of Justice as well as Baton Rouge Police Department and the Ferguson Police Department. Body cameras can only be tools for increased transparency and accountability in law enforcement with the right policies in place. Unfortunately, Upturn and the Leadership Conference on Civil and Human Rights’ scorecard reveals not only that many departments have poor accountability and transparency policies but also that the Department of Justice does not review these policies as disqualifying when it comes to body camera grants. [CATO] Also See: [Police body cam policies in San Jose and Oakland are flawed, report says | Police body cameras can provide accountability, but also risk, study finds | Harsh Consequences Required for Officers Who Fail to Activate Body Cameras]

Online Privacy

WW – Massive New Study Lifts the Lid on Top Websites’ Tracking Secrets

So, just how tracked are you? Plenty, according to the largest, most detailed measurement of online tracking ever performed: Princeton University’s automated review of the world’s top 1,000,000 sites, as listed by Alexa. To begin, huge numbers of folks are trying to track you: 81,000+ third-party trackers appeared on at least two of the top million sites. However, only 123 trackers showed up on at least 1% of those sites: “The number of third parties that a regular user will encounter on a daily basis is relatively small. [Moreover], all of the top 5 third parties, as well as 12 of the top 20, are Google-owned… Google, Facebook, and Twitter are the only third-party entities present on more than 10% of sites.” The researchers find “a trend towards economic consolidation” – fewer but larger third-party trackers. In their opinion, that’s actually good news for privacy advocates, as these “are large enough entities that their behavior can be regulated by public-relations pressure and the possibility of legal or enforcement actions.” According to the Princeton review, news, arts, and sports sites track the most, which typically provide content for free and “lack an external funding source, [and] are pressured to monetize page views with significantly more advertising.” The sites that track the least belong to government organizations, universities, and non-profit entities… websites [that] may be able to forgo advertising and tracking due to the presence of funding sources external to the web.” Oh, and adult sites, too. Next, the researchers turned to fingerprinting: techniques for individually identifying anonymous site visitors based on the unique characteristics of their hardware and software. (Check out our detailed primer on fingerprinting here.) The researchers wanted to know: Is it really being used in the wild? How widely? Which techniques? The reseachers say privacy tools like Ghostery do a nice job of protecting against standard tracking scripts from widely-used third-party trackers. However, they sometimes miss more obscure scripts using these emerging, exotic techniques. Since they’ve open-sourced OpenWPM, anyone can use it. That includes academics: it’s already been part of seven published studies. It also includes site owners who want to know what third-party trackers are doing on their sites. And it especially includes journalists and activists. [Naked Security]

CA – Ontario Defendant in Revenge Porn Case Seeking a Do-Over: Porter

How much is a lifetime of public humiliation worth? Ontario Superior Court Justice David Stinson pegged it at precisely $141,708.03 in January. That’s how much he ruled a young man had to pay his ex-girlfriend for the shame and psychological suffering he’d caused her by posting an intimate video of her on pornhub.com. He called it “college girl pleasures herself for ex boyfriends delight.” The decision set a new path for revenge porn victims. Since 2014, when Parliament passed the revenge porn law, victims can go to police and hope the jerk who put their images online without their permission lands in jail. But with Stinson’s ruling, they could also pursue some civil justice — cash, and a lot of it. He set the bar high, awarding the young victim the maximum damages — enough to pay her lawyer, and cover therapy bills for years of shame, fear, distrust … [Toronto Star]

Other Jurisdictions

EU – US Cloud Services Seeing Major Growth in Europe

U.S. cloud computing businesses is growing in Europe, despite pressure on European companies to keep sensitive data within the continent. The U.S. growth stems from European companies moving cloud computing needs to outside providers, with American organizations offering lower prices and the ability to rapidly put out new services and upgrades. Four U.S.-based businesses, for example, own 40 percent of the European market share, and more than a dozen new U.S. data centers have been built in Europe over the past couple of years, convincing European businesses U.S. providers can protect their data. “On paper, European companies should be poised to take advantage of this growth. But they are less nimble,” said RBC Capital Markets Senior Analyst Jonathan Atkin. [The Wall Street Journal]

Privacy (US)

US – FTC Issues Warnings to Companies Claiming APEC Privacy Certification

The FTC has issued warning letters to 28 companies claiming to be certified participants in the Asia-Pacific Economic Cooperative Cross-Border Privacy Rules system. This is an important reminder for companies, including Canadian companies, that the use of international certifications is something in which regulators take a keen interest. The FTC did not release the names of the organizations to which it sent letters. This gives the organizations a chance to demonstrate compliance and revise their websites and thereby avoid the reputational damage associated with being publicly cited by the regulator. However, the fact that the FTC publicized the issuance of the warning letters likely indicates that it views the problem of unsubstantiated certifications as an issue which needs to be addressed. [Cyberlex]

US – White House Announces New Drone Initiatives

Following a report on privacy by design in drones, the White House announced it will work on strengthening the integration of the technology by hosting workshops and deploying drones in different scenarios. The White House Office of Science and Technology Policy said the work will build on the Federal Aviation Administration’s drone rules from earlier this year. Reaction to the announcement was mixed: “Today’s announcement is another important step forward in realizing the enormous potential of unmanned aerial systems, and will help speed up our development and adoption of this technology, which still lags behind other countries,” said Sen. Mark Warner, D-Va. However, Sen. Ed Markey, D-Mass., expressed concern: “While I am pleased that the White House continues its efforts to safely integrate drones into our national airspace, when it comes to drone privacy, we are still essentially flying blind As more drones take flight, voluntary privacy guidelines and best practices are simply not enough.” [Broadcasting & Cable] See also: [FPF, Intel, PrecisionHawk advocate for privacy by design framework in drones] and May 2016 stakeholder-drafted Voluntary Best Practices for UAS Privacy, Transparency, and Accountability. And [New Hampshire town hit with wave of drone complaints]

US – Jimmy Carter Defends Edward Snowden, Says NSA Spying Has Compromised Nation’s Democracy

Former President Jimmy Carter announced support for NSA whistleblower Edward Snowden this week, saying that his uncovering of the agency’s massive surveillance programs had proven “beneficial.” Speaking at a closed-door event in Atlanta covered by German newspaper Der Spiegel, Carter also criticized the NSA’s domestic spying as damaging to the core of the nation’s principles. “America does not have a functioning democracy at this point in time,” Carter said,according to a translation by Inquisitr. No American outlets covered Carter’s speech, given at an Atlantic Bridge meeting, which has reportedly led to some skepticism over Der Spiegel’s quotes. But Carter’s stance would be in line with remarks he’s made on Snowden and the issue of civil liberties in the past. [Huffington Post]

US – Judge Blasts FBI for Bugging Courthouse, Throws Out 200 Hours of Recordings

The FBI violated the Fourth Amendment by recording more than 200 hours of conversation at the entrance to a county courthouse in the Bay Area, a federal judge has ruled. Federal agents planted the concealed microphones around the San Mateo County Courthouse in 2009 and 2010 as part of an investigation into alleged bid-rigging at public auctions for foreclosed homes. In November, lawyers representing five defendants filed a motion arguing that the tactic was unconstitutional, since the Fourth Amendment bans unreasonable searches. “[T]he government utterly failed to justify a warrantless electronic surveillance that recorded private conversations spoken in hushed tones by judges, attorneys, and court staff entering and exiting a courthouse,” US District Judge Charles Breyer wrote in an order published this week. “Even putting aside the sensitive nature of the location here, Defendants have established that they believed their conversations were private and they took reasonable steps to thwart eavesdroppers.” Breyer concluded that the disputed evidence must be suppressed. At a hearing next week, he’ll consider whether the recordings tainted the rest of the prosecution’s case. [Source]

Privacy Enhancing Technologies (PETs)

WW – Energy Monitoring Device Without the Cloud Sharing from MIT

MIT says it has the answer to those concerned with Google Nest’s privacy practices: an energy-monitoring device that measures in-home energy usage without sending data into the cloud. The system uses a wireless, sensor-based approach to energy measuring, the report states. “MIT electrical engineering professor Steven Leeb was particularly impressed with the team’s discovery that energy monitoring can be achieved despite keeping data within the home,” the report adds. “The system only releases ‘small subsets’ of data for cloud processing, which addresses bandwidth and privacy concerns.” If made commercially available, the device would cost an estimated $30 per household. [ZDNet]

RFID / IoT

US – NTIA Announces IoT Security and Education Initiative

The National Telecommunications & Information Administration has announced a new multistakeholder process to help consumers understand the security measures in internet of things devices and ensure security upgrades and patches are appropriately maintained. “The goal of the new multistakeholder process will be to promote transparency in how patches or upgrades to IoT devices and applications are deployed,” said NTIA Deputy Assistant Secretary for Communications and Information Angela Simpson. “Potential outcomes could include a set of common, shared terms or definitions that could be used to standardize descriptions of security upgradability or a set of tools to better communicate security upgradability.” The NTIA is encouraging “broad participation and diverse perspectives” and hopes to have its first meeting in early fall. [NTIA]

Security

WW – Most Healthcare Breaches Can Be Traced to One of Three Factors

Those include losses or thefts of laptops; improper or criminal accessing of credentials to information systems; and unintentional errors, such as sending sensitive information to the wrong person, according to Verizon Enterprise Solutions. [Information Management]

Surveillance

WW – Database Tracks Surveillance Companies Around the World

Privacy International has a new searchable database allowing users to find information on hundreds of surveillance companies around the globe. The Surveillance Industry Index possesses information on more than 520 surveillance companies, while also having information on the technology they have sent to government agencies and telecommunications companies. “State surveillance is one of the most important and polarizing issues of our time, yet the secrecy around it means it’s a debate lacking reliable facts,” said Privacy International Research Officer Edin Omanovic. “Understanding the role of the surveillance industry, and how these technologies are traded and used across the world, is crucial to not only understanding this debate, but also fostering accountability and the development of comprehensive safeguards and effective policy.” [The Verge]

US – Disney Obtains Patent to Track Theme Park Guests Through Their Feet

The U.S. Patent and Trademark Office has issued Walt Disney Co. a patent for a new type of technology: A system that can track theme-park guests through their feet. According to information supplied to the patent agency, sensors and cameras would help identify particular visitors, and the data “can be used to output a customized guest experience” including photographs. Theme parks could also use such a system to mine data about common paths from ride to ride. The company can already track guests at Walt Disney World who use MagicBands, RFID bracelets that function as theme-park tickets, FastPasses, hotel keys and credit cards. Current methods of tracking guests and matching them up “are limited to rather invasive methods, such as retinal and fingerprint identification methods,” the patent information said. “These methods are obtrusive and some guests may not feel comfortable providing this type of biometric information to a third party.” The company says that there are no immediate plans to use such a system. This project is part of Disney’s ongoing innovative research process, the company said, and many projects it explores may never actually end up in the parks. [Orlando Sentinel]

Telecom / TV

US – Comcast Asks FCC to Shoot Down Rules Prohibiting ‘Pay-For-Privacy’ Pricing

Comcast has sent a filing to the Federal Communications Commission requesting the agency to shoot down proposed rules stopping broadband providers from charging higher fees to customers declining behaviorally targeted ads. “A bargained-for exchange of information for service is a perfectly acceptable and widely used model throughout the U.S. economy, including the internet ecosystem, and is consistent with decades of legal precedent and policy goals related to consumer protection and privacy,” Comcast writes. The provider says prohibiting a pay-for-privacy pricing system “would harm consumers by, among other things, depriving them of lower-priced offerings,” while adding the FCC “has no authority to prohibit or limit these types of programs.” [MediaPost]

US Government Programs

US – Appointees named to New Evidence-based Policymaking Commission

All 15 appointees to the Evidence-Based Policymaking Commission have been named. The commission will determine whether the federal government should establish a clearinghouse for program and survey data, what data should be included in the clearinghouse, and which qualified researchers from both the private and public sector could access the data to perform program evaluations and related policy research. The commission will also study how best to ensure confidentiality of data and protect individuals’ privacy. See also: [H.R.1831 – Evidence-Based Policymaking Commission Act of 2016]

US – Student Data Policymaking Recommendations issued

DQC released its policy recommendations for state policymakers in April, and followed that up with district and federal recommendations. Each set of policy recommendations includes student data privacy and directs policymakers to align their policies across federal, state and district levels in four priority areas:

  • Measure What Matters
  • Make Data Use Possible
  • Be Transparent and Earn Trust
  • Guarantee Access and Protect Privacy

US – OMB Releases Updated Circular A-130

The Office of Management and Budget has released an update to Circular A-130, requiring every federal agency to, among other things, appoint a senior agency official for privacy, provide privacy training and conduct Privacy Impact Assessments. Under FISMA all NIST FIPS documents are now required. The 800 series documents are also going to be used by OMB as “best practices” when conducting their audits. Implementing these NIST standards is going to be quite a lot of work for most agencies. [FedScoop] [OMB] [Circular A-130] [Wikipedia on Circular A-130]

+++

 

 

21-28 July 2016

Biometrics

CA – The RCMP is Trying to Sneak Facial and Tattoo Recognition into Canada?

In November of 2015, the Royal Canadian Mounted Police had a problem. At the time, the US FBI had been using its massively controversial database of biometric information—photos of people’s faces, tattoos, iris scans, and more—at “full operational capacity” for about a year. The RCMP, on the other hand, was stuck with a national fingerprint database that didn’t allow officers to scan and search people’s faces or other body parts. Canada’s federal police force was falling behind its southern counterpart. The RCMP had “no authority” to support new capabilities for its nationwide Automated Fingerprint Identification System, or AFIS, according to an internal presentation from November 24 of 2015 obtained through an access to information request. Still, the police felt a pressing need to improve “interoperability with international partner systems”—in other words, to make sure their system meshed with what police in other countries were doing—but lacked an opportunity to do so. Undeterred, the RCMP went ahead and began working to procure a new AFIS system that could analyze and capture faces, fingerprints, palm prints, tattoos, scars, and irises—all without clear authorization or approval by the country’s federal privacy watchdog, or even a plan to implement it.  So, yeah, the RCMP is trying to bring biometric identification to Canada without anybody noticing. “There are no immediate plans to use facial recognition features,” RCMP spokesperson Annie Delisle wrote. “The priority for the RCMP is to replace AFIS. Once the new AFIS is operational, the RCMP may consider the use of facial recognition features.” According to Delisle of the RCMP, “There is currently no RCMP policy with regards to the use and retention of facial recognition images. In the event a new service requirement is identified in the future, consultation with the Office of the Privacy Commissioner of Canada would first be initiated.” The OPC has not received any privacy impact assessments from the RCMP relating to the use of facial recognition technology, an OPC spokesperson said. “[Motherboard]

WW – Snapchat Turns Facial Recognition Technology on its Head

While facial recognition technology is often criticized for invading people’s privacy, smartphone messaging company Snapchat is looking at how it can use the same technology to enhance the privacy of its users. Snapchat has filed a patent for a technology that automatically modifies a photo and restricts its distribution according to the privacy settings of the photo’s subjects. Facial recognition is very different to the object recognition used in Snapchat lenses. Object recognition simply uses algorithms to understand the general nature of objects within a photo so users can add real-time special effects and sounds to them. With a new facial recognition feature, Snapchat users would be able to dictate how and where images of them are displayed. Here’s how it would work:

  1. You take a photo.
  2. Snapchat scans it to work out if any of the faces belong to its users.
  3. If any do, it checks their privacy settings.
  4. Their face or body would be altered according to their privacy setting.
  5. The modified image would then be shared according to the subjects’ privacy settings.

For facial recognition to work, Snapchat would need to store images of all users that sign up to the feature – as a reference image to compare photos against. [Source]

Big Data

AU – OAIC Asks for Public Comment on Big Data Draft Guide

The Office of the Australian Information Commissioner is looking for public comment on a draft guide on big data. The OAIC Draft Guide aims to assist big data activities across public and private sectors, while ensuring personal information is protected under the Australian Privacy Principles. In order to have a balance between big data use and privacy protection, the Draft Guide advises APP entities to “introduce a holistic approach of ‘privacy by design’ to embed privacy protection in their cultures, practices, processes, systems and initiatives; conduct privacy impact assessments as part of their risk management and planning processes; and consider whether de-identified information can be used before undertaking any big data activities involving personal information.” The Draft Guide also mentions big data privacy issues, including notice and consent, retention minimizations, and use limitations. [Image & Data Manager]

WW – Victoria Commissioner Tapped for UN Big Data Study

Joe Cannataci, U.N. special rapporteur for privacy, has asked Victoria, Australia, Privacy Commissioner David Watts to lead a study looking at big data and open data and how they affect the right to privacy globally. According to the report, the study “will seek to bed down a globally recognized definition of big data, plus a list of its benefits, risks, and the kinds of management frameworks that could be endorsed as best practice on the international stage.” Watts will remain in his capacity in Victoria during the study. A report will be delivered to the U.N. General Assembly in October 2017. [iTnews]

Canada

CA – OPC/OIC Releases Annual Reports on the Privacy Act

The Office of the Privacy Commissioner of Canada has published its annual reports on the privacy and the access to information acts. Both the short reports are short (22 pages0 and provide overviews of the OPC mandate, governance structure and activities, with statistical breakdowns and charts. [2015-16 Annual Report to Parliament on the Privacy Act | PDF] [2015-16 Annual Report to Parliament on the Access to Information Act | PDF]

CA – OPC Announces Funding for 2017 Privacy Research Symposium

The Office of the Privacy Commissioner of Canada (OPC) has issued a call for proposals seeking applicants to organize and host the next research symposium in the Office’s Pathways to Privacy series. The OPC is inviting academic institutions and not-for-profit organizations, including industry associations and trade associations, eligible under its Contributions Program to submit proposals to organize and host an event to be held between January 15 and March 31, 2017. The proposed event should put a strong emphasis on innovation, in terms of both format and themes. The content should prominently feature previously funded projects under the Contributions Program and address one or more of the OPC’s privacy priorities: Economics of Personal Information, Government Surveillance, Reputation and Privacy, and Body as Information. The goal of the Pathways to Privacy series is to expand the reach and application of existing privacy research and knowledge translation projects, so that more people can benefit from this work. It also promotes and encourages a dialogue between the people who do privacy research and those who can apply it in the private or public sectors. There is a maximum of $50,000 available for this initiative. Eligible organizations must submit proposals in accordance with the established parameters, as outlined in the Applicant’s Guide, by August 15, 2016.

CA – Annual Report On CSE Activities Begins in Parliament

The Annual Report of the Communications Security Establishment Commissioner began in Parliament. The Honourable Jean-Pierre Plouffe’s report reviews the CSE’s activities to determine if the organization complied with Canadian law and protected the privacy of Canadian citizens. “Transparency continues to be a cornerstone of my approach, to inspire better informed public discussion and maintain confidence in the work of CSE. As such, I am committed to providing as much explanation as possible with respect to my investigations,” Plouffe said. “I have continued to encourage CSE to make as much information public as possible.” [Yahoo]

CA – New Privacy Commissioner of Newfoundland and Labrador Named

The provincial government of Newfoundland and Labrador named Donovan Molloy as its new information and privacy commissioner. A St. John’s lawyer and former assistant deputy justice minister, Molloy replaces former commissioner Ed Ring, who retired in June. “I am confident that his leadership abilities, senior executive experience and extensive legal background will serve the office well,” said Speaker Tom Osborne. The provincial government announced the new appointment Thursday and said Molloy officially takes over the position July 22. [CBC News]

CA – Overview of Proposed National Security Laws

A few weeks ago, the government of Canada introduced three bills in Parliament dealing with national security issues. One bill proposes a new National Security and Intelligence Committee for greater oversight of the intelligence community and the other proposals aim to continue strengthening Canada-U.S. cooperation at the border. Timothy Banks writes for Privacy Tracker about these bills, including the authority of the proposed committee and whether the new legislation will set the stage for expanded biometric screening of individuals heading from Canada into the U.S. [Privacy Tracker]

CA – Toronto Real Estate Board Gets Extension On Sales-Data Deadline

Canada’s Federal Court of Appeal has granted the country’s largest real estate board temporary relief from an impending deadline to make home-sales data more widely available online. In a decision published on the court’s website, Appeal Justice Mary Gleason ruled that the Toronto Real Estate Board would not be required to meet an Aug. 3 deadline issued by Canada’s Competition Tribunal to make data such as a home’s selling price available to the public over the Internet. In April, the Tribunal ruled that the real estate board’s restrictions on how its members share electronic home-sales data from the Multiple Listings Service was stifling competition and innovation in the Greater Toronto Area’s resale housing market. Under TREB’s existing rules, realtors were free to share details about the housing market with their individual clients, but were not allowed to publish such data in bulk on publicly accessible websites. [Source]

CA – Sask Updating FOIP & LAFOIP: Bills 30 and 31 Amendments

At a June 28 news conference presenting his 2015-16 annual report, Saskatchewan privacy commissioner Ronald Kruzeniski said he was pleased the government was updating the acts. “The first reason is because of the time since they were last amended, which is way too long for any legislation to not be looked at,” said Kruzeniski. “Secondly, we made proposals, and a good number, but not all, have shown up in the proposed amendments.” Maybe it’s a remnant of Saskatchewan’s old “party line” tradition where neighbours used to listen in on each other’s calls on shared phone lines, but as a province, our privacy and access to information track record is not good. IPC Kruzeniski flagged several amendments as highlights in Bill 30 and 31, including a duty to assist. “A public body has an obligation when an access request comes in to deal with it openly, accurately and completely,” he said. “Other provinces have this duty, and I’m pleased to see it’s there. My hope is that by public bodies communicating with those who request information that the issue gets solved so fewer people have to launch appeals with our office.” The amendments also introduce a duty for public bodies to report any breaches that occur so the affected party can take protective action, and broaden the definition of “employee” to include consultants and contractors who work for public bodies on service contracts. Considering how much outsourcing there is these days, that’s a no-brainer. [Source]

E-Government

US – State Supreme Court to Consider the Privacy of Government Metadata

Noah Feldman examines the role metadata plays when determining the privacy rights of the government and the public based on a lawsuit currently in front of the New Jersey Supreme Court. The case was brought by Open Government Advocacy Project Chairman John Paff, who has demanded the email logs — their metadata, not content — of government officials under New Jersey’s Open Public Records Act. According to Feldman, the “lawsuit in effect asks: if metadata isn’t that private, why not give the public access to the government’s records of who contacted whom, and when?” In defense of the government, lawyers have essentially echoed concerns of privacy advocates, stating that metadata reveals a lot about an individual and “would compromise confidentiality.” Privacy advocates have long called for more metadata protections for citizens. Feldman notes that the public shouldn’t get the metadata of government officials because of how much is revealed, but adds, “the police have something like the same privacy interests in their communications metadata that you and I should have in ours.” [Bloomberg View]

US – OMB Now Requires Privacy Head, Training, PIAs for All Agencies

The Office of Management and Budget will release on July 28 in the Federal Register an update to Circular A-130, a document that regulates how the federal government manages its information, the White House said in a press release. “Today’s update to Circular A-130 gathers in one resource a wide range of policy updates for federal agencies regarding cybersecurity, information governance, privacy, records management, open data, and acquisitions,” the release states. Most interesting for privacy professionals, the new regulations now require every federal agency to appoint a senior agency official for privacy, provide privacy training, conduct PIAs, maintain an inventory of PII, and actively limit the collection, use, storage, and processing of PII. [WhiteHouse.gov]

E-Mail

CA – CRTC Enforcement Advisory: Remember, You Must Have Records To Prove Consent

The CRTC has issued an enforcement advisory to both businesses and individuals that send commercial electronic messages (CEMs) to keep records of consent. The CRTC reminded senders of CEMs that section 13 of Canada’s anti-spam legislation (CASL) places the onus on the sender to prove they have consent to send every single CEM. The advisory made a point to note the CRTC has observed businesses and individuals unable to demonstrate they have obtained consent before sending CEMs. Failure to meet record keeping requirements has been alleged in recent CRTC enforcement decisions against organizations. However, today’s enforcement advisory may suggest the CRTC is finding record keeping to be a widespread concern, warranting this advisory. Record keeping is one of the most contested provisions under CASL as the financial, organizational and technical burden weighs on senders to meet the high record-keeping standards set by the CRTC. Having the record keeping requirements on the CRTC’s radar adds further urgency to ensure a sender’s compliance program is sufficient. The CRTC emphasized in its advisory that good record-keeping practices can assist senders establish a due diligence defense in the case of a violation under CASL. Violations of CASL may result penalties of up to CAD $1,000,000 for individuals, and up to CAD $10,000,000 for organizations. [Source] [CRTC’s guidelines to help develop a corporate compliance program.]

US – Court Orders Yahoo to Explain Email Access in Drug Trafficking Case

Magistrate Judge Maria-Elena James has requested Yahoo explain how it accessed emails that were thought to be deleted for use in a case against a U.K. drug trafficker. The plaintiff “claims Yahoo circumvented British law and included four ‘snapshots’ of content from the email account,” as he never actually sent an email through the service, the report states. While “Yahoo claims the ‘snapshots’ were files created by the company as part of its email autosave feature, which keeps versions of email drafts on its email server for ‘periodic intervals,’” the attorney maintains that Yahoo broke British surveillance law. Yahoo must respond to the court order by Aug. 31. [Threatpost]

WW – Yahoo Still Retains a Copy of Your Emails After They Are Deleted From Your Inbox

Yahoo’s ‘auto-save’ feature saves a copy of emails even after they have been deleted from Trash and Draft. A judge is now demanding that Yahoo explicitly define how it is able to retrieve deleted emails. The email provider is ordered present a witness and provide documents on how the email retention system works, as well as a copy of the software’s source code and instruction manuals used by Yahoo staff on how to retrieve the emails. Yahoo has argued that it is able to recover the emails via its “auto-save” feature, which creates snapshots of an email account preserving its contents at a certain date, and that it provided law enforcement with four snapshots from the Yahoo account used by Knagg and his accomplice. [IBTimes]

Electronic Records

UK – Government Consults on Data Security Standards and Data Sharing in the Health Sector

On 6th July, the UK Government published two independent reviews concerning data security and data sharing in the health and care system in England. At the same time the UK Government launched a public consultation on proposals resulting from these reviews. The public consultation will be of interest to organisations that regularly interact with the public health sector in the UK and in particular to those organisations that rely on access to health data from the NHS for research purposes. The two independent reviews are the:

  • Care Quality Commission review of data security in the NHS; and
  • Dame Fiona Caldicott’s (who is the National Data Guardian for Health and Care) review of data security, consent and opt-outs (the ‘Caldicott Report’).

The Care Quality Commission is the independent regulator of health and social care in England and is responsible for ensuring health and social care services are safe and effective through its monitoring and inspection activities. In its report examining data handling within the health sector, the CQC’s findings indicated that the main areas of concern are leadership, behaviours and systems. Accordingly, the CQC recommendations focus on senior leadership, staff training and support, patient-designed IT systems, audits and external validations as well as ensuring that the proposed new data security standards come within the CQC’s monitoring remit. The Caldicott Report acknowledges that the public still finds the data sharing model within the health sector confusing and that the case for data sharing still needs to be made to the public. At the heart of the proposals for data sharing are the principles of transparency and control. In other words, giving individuals clearer information on how their personal data can be used and a greater degree of control through a new consent/opt-out model. [Source]

EU Developments

EU – Article 29 Working Party Releases ePrivacy Directive Opinion

The Article 29 Data Protection Working Party has released its opinion on the evaluation of the ePrivacy Directive. “The Article 29 Working Party (WP29) supports the European Commission’s recognition of the need to have specific rules for electronic communications in the EU,” the opinion read. The Article 29 opinion also discussed how the ePrivacy Directive must not undermine the General Data Protection Regulation. “The revised ePrivacy instrument should keep the substance of existing provisions but make them more effective and workable in practice, by extending the scope of the rules on geolocation and traffic data to all parties, while simultaneously introducing more precisely defined conditions that take the intrusiveness of the processing of communication data to the private life of users thoroughly into account,” the group states. [EU Opinion]

EU – EDPS Publishes ePrivacy Directive Opinion

European Data Protection Supervisor Giovanni Buttarelli has expressed favor for strong encryption and against the use of backdoors within the revised ePrivacy law in his published opinion on the ePrivacy Directive on July 25. “Decryption, reverse engineering or monitoring of communications protected by encryption should be prohibited,” Buttarelli wrote. “In addition, the use of end-to-end encryption should also be encouraged and when necessary, mandated, in accordance with the principle of data protection by design.” He also maintained that the law’s encryption protections should include over-the-top service providers in addition to “publicly available electronic communication services,” the report states. [Ars Technica]

EU – Article 29 Working Party Issues Statement on Privacy Shield

The official group of the EU’s data protection authorities, the Article 29 Working Party, issued a statement on the EU-U.S. Privacy Shield. Though they commend the European Commission and U.S. Department of Commerce, the group still has concerns, particularly with regard to a lack of clarity on automatic decisions in the commercial sector and access by government authorities to EU citizens’ data. “The first joint annual review will therefore be a key moment for the robustness and efficiency of the Privacy Shield mechanisms to be further assessed,” the document states. Significantly, WP29 said the results of the first joint review “regarding access by U.S. public authorities to data transferred under the Privacy Shield may also impact transfer tools such as Binding Corporate Rules and Standard Contractual Clauses.” The group said in the intervening year it will commit to “proactively and independently assist data subjects” and work to provide guidelines to data controllers as to their obligations under Shield. [Europa] [A29WP promise one-year moratorium on Privacy Shield litigation]

EU – CNIL Formally Orders Microsoft to Limit Windows 10 Data Collection

The French data protection authority, the CNIL, has formally ordered Microsoft to alter the data collection practices in its Windows 10 operating system within the next three months, according to an official CNIL press release. Between April and June 2016, the CNIL “carried out seven online observations” and queried the company on “certain points of its privacy policy to check that Windows 10 complied with the French Data Protection Act,” the release states. The formal notice applies to France only, the CNIL points out, noting that other European data protection authorities are still conducting their own investigations. The CNIL also points out that “formal notices are not sanctions and no further action will be taken if the company complies with the Act” within the three months allotted. Microsoft VP and Deputy General Counsel David Heiner said it will work with the CNIL to fully understand the regulator’s concerns and “to work toward solutions that it will find acceptable.” [CNIL.fr]

Facts & Stats

WW – 75% of US Firms Have Failed to Detect Breach: Ponemon Study

Nearly two-thirds (60%) of US firms believe some of their data is now in the hands of a competitor because of a breach, according to a new study from Ponemon Institute. These “knowledge assets” could include profiles of high-value customers, product design, development and pricing, pre-release financial reports, strategic plans, and confidential information about existing relationships or anticipated transactions, according to the report. In fact, three-quarters (74%) of the 600 respondents to the study, carried out on behalf of law firm Kilpatrick Townsend, claimed that their firm had failed to detect a breach involving such assets. [Infosecurity Magazine]

Filtering

WW – Microsoft Approved 63% of Revenge-Porn Takedown Requests

Within six months of instituting a revenge-porn removal policy, Microsoft received 537 content removal requests from around the world, approving 63% of them, Microsoft reports in a blog post. The rest were denied, mainly because the content was not deemed revenge porn. The company added that it wanted to make the process continually easier for victims to report abuse. Meanwhile, Microsoft has announced it will adopt the EU-U.S. Privacy Shield, Out-Law.com reports, while company President and Chief Legal Officer Brad Smith discusses Microsoft’s recent win in the Irish data-storing appeals case in an interview with The Washington Post. [Full Story]

FOI

WW – Audit: Every Piece of Sensitive Data Could Have 1,000 Unnecessary Copies

An Identity Finder audit conducted at a multinational manufacturer, university, and health care tech company claims that unmanaged sensitive data will “will create up to 1,000 unnecessary copies.” It also found that for every accessor of unmanaged sensitive data, “up to 100 additional users will have access to it,” the audit states. Identity Finder CEO Dr. Jo Webber urged companies to identify their sensitive data and “start taking control by automatically classifying it according to [their] rules and policies.” This “should be able to remove extra, unneeded copies; stop additional spread at the time of creation; and apply appropriate controls and protection over needed copies,” she said. [Network World] [Betanews] See also: Study reveals security gap in big data projects

Health / Medical

WW – Concerns Raised and Addressed About Health Research Apps

Privacy concerns have been raised regarding apps created using Apple’s relatively new ResearchKit, which connects health researchers with patients willing to provide data for studies, often collected via the iPhone’s various sensors. GlaxoSmithKline, for example, has released a new arthritis study that gets 300 patients to do wrist exercises and record their experiences. The article raises concerns about re-identification of anonymous data, and the company doing much of the anonymizing is clear that perfect de-identification is virtually impossible. There is also some concern from a bioethicist about how informed the consent is, given a nine-page pdf in 12-point font explains data use, though a GSK spokeswoman’s response added as an update seems to address that concern. Finally, there is a question as to whether the for-profit ethical review board is appropriate for the app’s creation, though another update makes clear that GSK also conducted two separate internal reviews. [Gizmodo]

WW – Apple’s Health Experiment Is Riddled With Privacy Problems

Pharmaceutical giant GlaxoSmithKline (GSK) has partnered with Apple on a new clinical study on rheumatoid arthritis. The study relies on an iPhone app to collect data about arthritic symptoms from users as they go about their daily lives. That sounds great at first glance, but how well will it protect your privacy? The app was built by the London-based GSK using Apple’s ResearchKit, an open source software framework to transform your iPhone into a handy diagnostic tool for clinical studies. Launched last year, ResearchKit is designed to make it easier for medical researchers to access data about millions of potential subjects. As Lifehacker’s Alan Henry wrote at the time, “The platform aims to give anyone with an iOS device the opportunity to participate in medical research, join programs that can help them track their symptoms, or share information with their doctors.” So far there are just a handful of ResearchKit apps tied to clinical studies, but the GSK partnership is the first time Apple has joined forces with a major drug company. The Patient Rheumatoid Arthritis Data from the Real World (PARADE) study will use its app to track the mobility of over 300 participants suffering from rheumatoid arthritis, including information on their level of joint pain, fatigue, and changing moods. No drugs are being tested. Rather, the app guides users through a simple wrist exercise, with the iPhone’s built-in sensors recording data from that motion. That data may help Glaxo design better clinical trials in the future. [Source]

US – ProPublica Publishes Hundreds of OCR Closing Letters

Investigative news outlet ProPublica is releasing hundreds of closing letters issued to providers by the U.S. Department of Health and Human Services’ Office for Civil Rights. When the OCR fines a company for violating HIPAA, it issues a press release with details, but, the report points out, the agency sends thousands of letters per year to providers to resolve complaints about possible HIPAA violations. The letters tend to remind providers of legal requirements and provide advice on how to ameliorate any issues they have uncovered. Though the OCR could make such letters public, it chooses not to. “As part of its examination into the impact of privacy violations on patients,” the report states, “ProPublica has posted about 300 of these ‘closure letters’ in our HIPAA Helper tool.” The goal is to allow users to “review the details of these cases and track repeat offenders.” ProPublica said it obtained the letters through Freedom of Information Act requests. [ProPublica]

Horror Stories

US – Medical Center Settles With OCR For $2.75M After 2013 Breach

The University of Mississippi Medical Center has agreed to pay the Department of Health and Human Services’ Office for Civil Rights $2.75 million after a laptop theft in 2013 put data of 10,000 patients at risk, the Hattiesburg American reports. While the information was allegedly not accessed or disclosed, an OCR investigation found the medical center had known about lax security standards since 2005, the report states. “We have learned from this experience and are working hard to ensure that our information security program meets or exceeds the highest standard,” said Vice Chancellor for Health Affairs Dr. LouAnn Woodward in statement. The UMMC will further commit to an OCR-sanctioned three-year HIPAA corrective program, as per the settlement. [Full Story]

WU – Five Million Danish ID Numbers Sent to Chinese Firm

The Danish Data Protection Agency (Datatilsynet) said that the CPR numbers of 5,282,616 people were mistakenly delivered to the Chinese Visa Application Centre, a Copenhagen-based Chinese company. The CPR numbers and health information of 5.3 million residents was sent to a Chinese company. If you lived in Denmark between 2010 and 2012, it’s almost certain that your personal identification number (CPR number) and health information ended up in the hands of a Chinese company. SSI acknowledged that “we are talking about sensitive personal data of a very extensive character and it cannot be ruled out that it could have had concrete consequences for the affected individuals if the information had actually reached unauthorized individuals”. [The Local Denmark]

Identity Issues

UK – Govt Tests Whether ‘Online Activity History’ Can Serve to Verify Identity

The UK government has tested whether internet users’ “online activity history”, including data from social networks, can be used to verify their identity when they use online public services. Under the Verify system, individuals using government online services choose a certified ID assurance provider with which to verify their identity. This involves answering security questions and entering a unique code sent to an individuals’ mobile number, email address or issued in a call to their fixed-line telephone number. [Out-Law]

WW – Spotify Sharing Data on 70M Users for New Marketing Initiative

The Christian Science Monitor reports on Spotify’s plan to incorporate user data in a new personalized marketing initiative. The streaming music service will use the data collected on its 70 million free subscribers to generate targeted, automated advertising. The data will integrate users’ age, gender, location, music preferences and behavioral habits, allowing advertisers to send ads to specific demographics. The new process will allow advertisers to buy ads in real time, a major step in digital advertising, the report states. However, Spotify’s new method will be examined by concerned privacy advocates. “If, as advertisers claim, consumers are truly interested in receiving targeted ads, then they can affirmatively choose to do so, but the default is set the other way around because advertisers know that many people will not want to agree to that,” said Consumer Federation of America Director of Consumer Protection and Privacy Susan Grant. [Full Story]

SG – PDPC Releases Guidelines for Personal Data Removal Techniques

Singapore’s Personal Data Protection Commission delivered new guidelines to businesses for disposing personal information. The guidelines state papers that reveal personal information must be shredded in at least two different directions, and cannot be placed in unsecured dumpsters. The commission also said data stored on electronic devices such as hard disks, USB drives or DVDs need to be deleted using specialized software to avoid data leaks. The guidelines come as the commission and the Monetary Authority of Singapore conduct an investigation on United Overseas Bank for allegedly leaving intact client documents in a trash bag at Boat Quay. [The Straits Times]

Internet / WWW

US – Privacy Advocates Ask FTC to Investigate ‘Pokemon Go’ Creator

The Electronic Privacy Information Center is requesting the Federal Trade Commission investigate Niantic, Inc., the creator of “Pokemon Go.” The privacy advocacy group wrote a letter to the FTC alleging the app captures and stores information of its users, including children, in violation of federal privacy laws. “We want the FTC to establish concrete limits on the amount of information “Pokemon Go” is collecting and how long they are keeping it,” EPIC Consumer Protection Counsel Claire Gartland said. “Niantic should only be allowed to collect data that is necessary for the operation of the app. Data collection should not be a free-for-all of sensitive consumer data.” In related news, a man is suing Niantic in a Florida Court, claiming “Pokemon Go’s” terms of service and privacy policy are deceptive, unfair and violate state contract laws. [EdScoop]

Law Enforcement

AU – Queensland Police Begin Rolling Out Body-Worn Cameras

The Queensland Police Service has started its statewide rollout of 2,200 Axon body-worn cameras. Police Minister Bill Byrne said the cameras will be available to specialty teams, including tactical crime units, rapid action and patrol groups, the Railway Squad, Dog Squad, and the Road Policing Command. Police Commissioner Ian Stewart believes the cameras will assist in gathering evidence, while saying the technology has helped save 10 minutes per officer per shift in the initial trials. “Through use of the evidence management system, officers were able to add metadata to their recordings in the field, reducing the amount of time officers had to spend manually managing their data at the end of a shift,” said Stewart. [ZDNet]

WW – Company Wants Police Body Cams Live Streamed With Facial Recognition

Taser International is planning on live streaming police body camera footage to the cloud starting in 2017 as well as eventually integrating facial recognition technology. The combination would allow law enforcement to possibly identify criminals by looking at them. Facial recognition and body camera technology has caught the attention of other companies outside of Taser. “You’ve already got the ability to use cameras to tap into databases to find the license plates of stolen vehicles and overdue parking tickets,” said Digital Ally CEO Stan Ross, adding police and law enforcement are also excited to use facial recognition technology. “Why wouldn’t we be pushing to bring that technology to the next level?” Ross said. Georgetown Law’s Clare Garvie expressed concern about such capabilities, saying citizens would not be able to receive notice or give consent. “And there’s no police interaction even in place. No probable cause for a search,” she added. [Motherboard]

US – Wisconsin Supreme Court Upholds Use of Criminal Risk-Assessment Software

The use of risk-based software is being used to identify potential criminals and its involvement in a Wisconsin legal case. The software, covered in a ProPublica investigation earlier this year, assigns an individual points based on the likelihood they will commit a crime. Eric Loomis objected to the use of this data when he was arrested and sentenced for his alleged involvement in a drive-by shooting. Northpointe’s software known as COMPAS was used, and Loomis decided to appeal his conviction saying the software violated his rights to due process. The Wisconsin Supreme Court disagreed with Loomis, saying the software will continue to be used, but added, “some studies of COMPAS risk assessment scores have raised questions about whether they disproportionately classify minority offenders as having a higher risk of recidivism.” [Fusion.net]

Online Privacy

WW – Majority Still Unaware of Adchoices Program for Online Advertising

The AdChoices program is an attempt to persuade the public to get comfortable with “targeted” ads based on their Web browsing behaviour. But almost three years since its launch, more than 60 per cent of people don’t recognize that little symbol. The Digital Advertising Alliance of Canada (DAAC) has conducted a survey to gauge the awareness of the self-regulatory program. Of the 1,000 Canadians surveyed, 38 per cent recognized the blue icon that, when clicked, gives people information about how ads are targeted to them, and gives them options to opt out of targeting. (The recognition was higher among millennials – identified as those aged 18 to 34 for this survey – at 46 per cent.) [Source]

US – Anti-Domestic Violence Group, Twitter Release Harassment Protection Guide

The National Network to End Domestic Violence has released “Safety & Privacy on Twitter: A Guide for Survivors of Harassment and Abuse,” a guideline published “with the support of Twitter,” the group announced in a press release. “This new guide walks through a number of safety tips to help users control their privacy and explains several features to ensure that users are making informed decisions on how they use Twitter,” the report states. The release pushes back against the notion that those suffering from harassment shouldn’t go online. “This is not an acceptable solution,” it states. “Survivors should be able to use social media and online spaces while also maintaining control over their personal information and feeling safe.” [NNEDV]

Privacy (US)

US – FTC’s Ramirez Calls for Comprehensive Data Security Laws

FTC Chairwoman Edith Ramirez is pushing for comprehensive data security laws. With cyberattacks continuing to be a major issue, Ramirez believes Congress and the tech industry need to do more in order to protect user privacy. The FTC wants to create federal standards for the ways organizations can collect, share and store data, while also seeking greater authority to punish businesses for putting citizens’ data at risk. “So much of the data collection that’s taking place happens behind a curtain. It’s largely invisible to consumers,” said Ramirez. The FTC chair also hopes to see organizations step forward to install strong privacy initiatives. “It’s an issue on which I think a company can differentiate itself. And speaking also as a competition agency, we want to see more and encourage more competition in the area of privacy,” Ramirez said. [BuzzFeed]

US – Albany Law School to Offer Data Privacy Master’s Degree

The Albany Business Review reports on a new online master’s program offered by the Albany Law School focusing on cybersecurity and data privacy. Starting in January, students can obtain a Master of Science in Legal Studies degree in cybersecurity and data privacy through the institution. “We developed this program for students across the state, nation and globe to take advantage of our rich history and deep connections in the heart of New York State’s Tech Valley,” said Albany Law School President and Dean Alicia Ouellette in a press release. [Full Story]

US – US Privacy News Roundup

RFID / IoT

US – NSA Releases IoT Report

In the newest edition of the NSA’s publication “The Next Wave,” dedicated to reviewing emerging tech, the focus is on the internet of things. Over 50 pages, and with a mix of highly technical academic pieces and more informative magazine-style articles, the publication features everything from agile block cyphers to the NSA’s newest NiFi developments to an investigation into nascent privacy issues. In fact, NSA Director of Civil Liberties and Privacy Becky Richards is the publication’s guest editor. “NSA sees itself as a facilitator,” she writes, “bringing together diverse people and ideas to foment multidisciplinary research, and perhaps even to develop a true science of privacy.” [NSA.gov]

WW – Government Intervention Necessary Against IOT Manipulation: Schneier

Protection against internet of things manipulating can only come from government agencies taking a hard legislative stance, Bruce Schneier writes in an op-ed for Motherboard. Security solutions aren’t a silver bullet, he writes. “This is not something that the market can solve. Like data privacy, the risks and solutions are too technical for most people and organizations to understand … and the interests of the companies often don’t match the interests of the people.” The government needs to fill in the gaps, “setting standards, policing compliance, and implementing solutions across companies and networks,” he adds. [Full Story]

WW – The Internet of Things Will Turn Large-Scale Hacks into Real World Disasters: Schneier

On the Internet of Things, integrity and availability threats are much worse than confidentiality threats. It’s one thing if your smart door lock can be eavesdropped upon to know who is home. It’s another thing entirely if it can be hacked to allow a burglar to open the door—or prevent you from opening your door. A hacker who can deny you control of your car, or take over control, is much more dangerous than one who can eavesdrop on your conversations or track your car’s location. With the advent of the Internet of Things and cyber-physical systems in general, we’ve given the internet hands and feet: the ability to directly affect the physical world. What used to be attacks against data and information have become attacks against flesh, steel, and concrete. [Motherboard]

Security

US – White House’s New Cyberattack Directive Faces Criticisms

The White House and FBI issued official releases on the new cyberattack directive, but cybersecurity professionals are voicing their criticisms of it. One issue professionals see with the color-coded system is it’s oversimplification of the complexity of a cyberattack. “There [are] a lot of hacks that, over time, seem to affect a national or foreign policy interest — and we’re going to have to be more flexible and creative about the way these agencies are going to be involved,” said Digital and Cyberspace Policy Program at the Council on Foreign Relations Director Adam Segal. Other criticisms focus on the severity rankings of different cyberattacks. “I could steal $1 billion from the Federal Reserve, and that is probably more consequential than turning off the generator for the electric power in a town of 20,000 people,” said Stanford Center for International Security and Cooperation’s Herb Lin. [The Christian Science Monitor]

WW – Wireless Keyboard Vulnerabilities

Researchers have found that security weaknesses in some wireless keyboards could allow attackers to inject keystrokes and to read everything users type, spelling trouble for the security of account access credentials and any other sensitive communications. To sniff this information, attackers would need to be within 250 feet of a targeted device. [CNET: Hackers could sniff out your passwords if you’re typing nearby | ZDNet: Flaws in wireless keyboards let hackers snoop on everything you type | Wired: Radio Hack Steals Keystrokes from Millions of Wireless Keyboards | V3: Wireless keyboards and mice vulnerable to keystroke ‘sniffing’]

EU – Portal Offers Help with Ransomware

Europol, along with the Dutch National Police, Kaspersky Lab, and Intel Security, has launched the No More Ransom portal. Its goal is to educate people about ransomware and to provide resources to help people recover files without paying a ransom. The site includes tools for unlocking certain strains of ransomware, and will allow people whose computers have been infected to upload encrypted files to determine which strain of the malware was used. [BBC: Ransomware advice service to tackle extortion gangs | ZDNet: This initiative wants to help ransomware victims decrypt their files for free | Dark Reading: New Portal Offers Decryption Tools For Some Ransomware Victims] SEE ALSO: [The Register: Security firms team to take down rudimentary ransomware | Computerworld: Free decryption tools released for PowerWare and Bart ransomware] See also: US Civil Rights Office Issues Ransomware Guidance]

Smart Cars

EU – ENISA Launching Smart Car Cybersecurity Study

The European Union Agency for Network and Information Security is launching a study on cybersecurity measures for smart cars. “The objective of this project is to establish a comprehensive list of cybersecurity policies, tools, standards, measures and provide recommendations to enhance the level of security of smart cars. The study focuses on the assets inside the cars as well as on data exchanges related to safety,” the organization said. ENISA is looking for car manufacturers, Tier 1 and Tier 2 suppliers to participate in the study, with a workshop scheduled for 10 Oct., to review the findings. [Full Story]

US – Auto Industry Now Has Best Practices Guidelines for Cybersecurity

The Automotive Information Sharing and Analysis Center has published a set of cybersecurity best practices for the automobile industry. The guidelines cover “governance; risk assessment and management; security by design; threat detection and protection; incident response; training and awareness; and collaboration and engagement with appropriate third parties,” the report states. The “suggested measures” include standards from the International Organization for Standardization and National Institute of Standards and Technology, the report adds. [Covington Inside Privacy]

US – The case of traveling odometer data

Fusion reports on consumer surprise regarding the sharing of odometer data between companies like car dealerships and oil-change shops and insurance companies. One consumer got a letter earlier this year from his insurer letting him know his “low annual mileage” rating was being revoked, because he had driven too many miles. Another noticed his oil changes mentioned in a CarFax report. In fact, State Farm’s policy reads: “To ensure we’ve priced our insurance coverage accurately, we verify odometer readings through a third-party provider.” But what about those supplying the information? “If they’re following privacy best practices,” the article states, “they should be disclosing to their customers that they’re passing that data along to third parties.” The article does not ask any dealerships or oil-change shops for their policies or whether they inform customers in any way, however. [Fusion.net]

US Legislation

US – US Legislative Roundup

 

13-20 July 2016

Canada

CA – OICC Recommends Reform to Access to Information Act

The Information Commissioner of Canada provided an opinion on the Access to Information Act. Priority recommendations to bring the Access to Information Act up to date include extending coverage to ministers’ offices and institutions supporting Parliament and the courts, establishing a comprehensive legal duty to document (with appropriate sanctions for non-compliance), addressing delays, repealing the exclusion for Cabinet confidences and replacing it with mandatory exemption, narrowing the exemption for advice and recommendations, and ensuring mandatory periodic review. [Office of the Information Commissioner of Canada – The Act is Ripe for Amendments | Consultation]

CA – Federal Warrant Reports Understate True Police Activity

“Clear gaps” in how the federal government reports invasive surveillance practices may hide the true scope of police activities, according to documents prepared for Canada’s privacy watchdog. Although the number of authorized wiretaps has “plummeted” since 2002, a January briefing for Privacy Commissioner Daniel Therrien suggests those numbers may mask police surveillance practices. “It would be erroneous to infer from the drop in overall warrants issued that surveillance is affecting fewer individuals,” reads the document, obtained under access to information law. “While federal authorities issued just over a hundred surveillance warrants last year (2014), they issued 792 notifications of surveillance to individuals previously targeted. From this, one can conclude more and more individuals are being named as targets in a warrant application. “With a single warrant from the Federal Court (police) may list dozens of individuals for surveillance targeting.” [Chronicle Herald]

CA – Ontario Privacy Watchdog Drops Case Against Toronto Police Over Attempted Suicide Info

Ontario’s privacy commissioner is no longer taking legal action against Toronto police over the sharing of attempted suicide-related information with U.S. border services. The Information and Privacy Commissioner’s office says it has withdrawn its case because the force has developed new procedures to better protect people’s privacy. The privacy commissioner’s office, which investigated the issue, said since launching its legal action, Toronto police worked with the RCMP to create a new mechanism allowing all police services to suppress suicide-related entries from being accessed by U.S. users of the Canadian Police Information Centre database. [GlobalNews]

CA – OIPC AB: Access to PI Puts Individuals at Risk of ID Theft and Fraud

The Alberta OIPC reviewed a breach notification for ABS-CBN Canada Remittance Inc., pursuant to the Personal Information Protection Act. The incident resulted from a deliberate attempt to obtain unauthorized access to personal information, and the information was successfully used to process fraudulent transactions; the personal information involved was sensitive information, including name, address, identification document and number, place of issue and expiry date (if SIN was listed, only last 4 digits recorded), and information about whether an individual or family member is a politically exposed foreign person. [OIPC AB – P2016-ND-31 – ABS-CBN Canada Remittance Inc.]

EU Developments

UK – ICO Issues Guidance on ‘Internal Breach Reporting Procedure’

Although it remains unclear whether the General Data Protection Regulation (GDPR) will directly apply in the UK in light of the country’s vote to leave the EU, the UK watchdog has published a new piece of general guidance to help companies understand what their duties are under the new legislation. In its overview of the GDPR, the ICO explained, among other things, what organisations should do to prepare for new data breach notification rules. Those rules require them to tell data protection authorities and the public about personal data breaches they experience in certain circumstances. Organisations should put in place an “internal breach reporting procedure” so that they can comply with their obligations to notify personal data breaches under new EU data protection laws, the UK ICO has said. “You should make sure that your staff understands what constitutes a data breach, and that this is more than a loss of personal data,” the ICO said. “You should ensure that you have an internal breach reporting procedure is in place. This will facilitate decision-making about whether you need to notify the relevant supervisory authority or the public.” [Out-Law] See also: U.K. Information Commissioner has issued guidance on the General Data Protection Regulation and what the country’s imminent exit from the EU does to implementation.

EU – UK’s ICO Pushes Alternative to Consent as Based Cookie Rules

In response to a European Commission consultation on potential reforms to the EU’s Privacy and Electronic Communications (e-Privacy) Directive, the ICO said the rules should be updated and “seek to achieve a proportionate balance between the legitimate interests of information society services and the privacy rights of individuals”. “There is a case for an exemption or an alternative basis for processing other than consent, particularly in cases where the privacy impact on the individual is minimal,” the ICO said. In its consultation response the ICO also said that all forms of direct marketing via electronic communications should be subject to an opt-in consent requirement. Currently, some types of direct marketing activity can be carried out on an opt-out basis. Some social media communications should be considered subject to the e-Privacy rules on direct marketing. The ICO criticised rules that place restrictions on the processing of location and traffic data by internet service providers and mobile network operators. It urged the provisions to be deleted as conditions on such data processing are “covered by the GDPR”. The GDPR, or General Data Protection Regulation, is the EU’s new broad data protection framework which and will come into effect in May 2018. The ICO said: “Revised e-Privacy rules should avoid dictating business models, especially where there is minimal privacy impact for the individual.” The watchdog also said that the penalties regime for infringement of e-Privacy rules should not necessarily reflect that outlined under data protection laws since breaches do not always concern personal data. At the moment, the maximum fine for infringement, of £500,000, that can be issued under the UK’s Privacy and Electronic Communications is the same as that which can be issued under the Data Protection Act. [The ICO’s consultation response] [Out-Law News]

EU – Study: More than 75% of Cloud Apps Not in Line with GDPR Regulation

A Netskope survey of 22,000 cloud apps has found that more than 75 percent are out of compliance with the General Data Protection Regulation that will go into effect in less than two years. “This is the first time that data processors [cloud providers] actually have a direct compliance risk and obligation under the regulation,” said Intralinks Global Data Privacy Officer. “Now, it’s actually both data processors and data controllers. They would be liable and they have their own obligations under the GDPR.” As such, “Every organization should be keeping a frequently updated and well-documented data security risk assessment within easy reach,” said ESET’s Stephen Cobb. “You should be doing that regardless of GDPR, but GDPR is one more reason you should be doing it.” [SearchSecurity]

Filtering

CA – Google Faces Landmark Legal Fight, Advocacy Groups Rally in Support

The Supreme Court of Canada will soon have to assess whether Canadian courts have the authority to block search results outside of Canada’s borders, and under which circumstances a litigant can seek an injunction against a “non-party” that had nothing to do with the original lawsuit — in this case, Google. A spokesperson has confirmed that it submitted its brief to the Supreme Court last month, and it expects the court to hear the case in early December. The Wikimedia Foundation isn’t the only body to file a motion in support of Google — according to the SCC’s official proceedings page, the following entities have recently filed motions to intervene: Software Freedom Law Centre, Center for Technology and Society, Dow Jones & Company, Reporters Committee for Freedom of the Press, American Society of News Editors, Association of Alternative Newsmedia, The Center for Investigative Reporting, First Amendment Coalition, First Look Media Works, Human Rights Watch, and others. [Venturebeat]

US – Judge Reignites Debate Over Researching Jurors Online

Mining prospective jurors’ Facebook, Twitter and other social media accounts is common practice for many attorneys looking to spot biases that might cost their clients a fair trial. The American Bar Association has said the searches are ethical, and a ruling by the Missouri Supreme Court bolstered arguments that attorneys have a duty to do online research of prospective jurors. Still, some judges have deemed the online searches invasive and banned them. Now a federal judge’s ruling in a copyright battle between Silicon Valley heavyweights Oracle and Google has reignited debate about the practice while also offering a potential middle ground. U.S. District Judge William Alsup, raising concerns about prospective jurors’ privacy, said attorneys could research the jury panel, but would have to inform it in advance of the scope of the online sleuthing and give the potential jurors a chance to change online privacy settings. Otherwise, they had to agree to forego the searches. The ruling prompted a fresh wave of discussion in legal circles about how aggressively attorneys should be allowed to investigate jurors’ online personas and how beneficial the searches are. [Source]

Finance

UK – Bitcoin Benefits System Criticized On Privacy, Security Grounds

Much to the consternation of privacy advocates, the Department for Work and Pensions has begun a test of the GovCoin Systems’ bitcoin and blockchain program to provide welfare recipients with their benefits. While some maintain that blockchain payments increase security, others, like the Open Data Institute, aren’t so sure. “Experimenting with putting highly personal data in immutable data stores is fraught with danger,” said ODI Technical and Deputy Director. “To avoid undermining trust in government’s use of data, DWP should be much more open and transparent about the policy objective of these trials.” Both GovCoin and the DWP said they were aware of the security concerns and were continuing to develop safeguards. [Financial Times]

FOI

CA – OIPC SK Issues Guide to Exemptions for FOIP and LA FOIP

The OIPC SK has published guidance on exemptions pursuant to Saskatchewan’s: The Freedom of Information and Protection of Privacy Act; and The Local Authority Freedom of Information and Protection of Privacy Act. Exemptions in both statutes can be distinguished by the wording of the provision; use of the phrase “shall refuse” indicates a mandatory exemption, but some exemptions specify the conditions under which a public body may still release information. Many discretionary exemptions require the application of a multi-part test that must be met in order for the exemption to apply, and/or a clear cause and effect relationship between the disclosure of a record and the harm that is alleged to reasonably result. [OIPC SK – IPC Guide to Exemptions for FOIP and LA FOIP]

US – Database of Excuses the Govt Uses to Withhold Public Info Being Built

We’ve entered something of a golden era of government transparency—or at least, a golden era of journalists and interested citizens filing information requests with government agencies. Freedom of Information Act requests have increased greatly as the internet and services such as Muckrock, a tool that fills out sample language for information requests and then tracks them, have made filing easier. But there’s one major problem: Federal agencies use lots of different tactics to avoid actually releasing all sorts of documents, and few journalists actually know how to fight back against the system. It’s not entirely their fault: Enforcement of different FOI “exemptions” varies by agency and often depends on which specific FOIA officer handles the request. At the state level, where a patchwork of “sunshine” laws govern what records are public well, things are even more of a mess. By creating a central repository for FOI exemptions, Muckrock is in a better place to challenge them and to effect change. If most states, for example, allow FOI requesters to obtain police body camera footage but a couple exempt that data, Muckrock and others can push for greater transparency in those states that don’t allow it by floating model FOI legislation with friendly lawmakers. Crowdsourcing data on which FOI exemptions are most common will also help Muckrock identify problem areas—if certain states are inappropriately claiming that certain records are part of “internal deliberations” (a common FOI exemption in many states) when they shouldn’t be, there may be grounds for a lawsuit or a public shaming campaign that could help change things. [Motherboard]

CA – Edmonton Council Votes to Review Privacy Rules

City council voted to review its privacy rules this week, with some councillors musing more information should become public once sensitive matters have been decided. Edmonton has no automatic process for declassifying information. Coun. Michael Oshry wasn’t sure if the audio of the discussions should ever be public, even after 10 or 15 years. Coun. Mike Nickel put the privacy issue on the agenda, suggesting all private discussions should eventually become public and asking administration to come back with a list of policy options. He filed a two-page inquiry that Mayor Don Iveson ruled had to be entered as a motion. Council voted unanimously to accept it. Nickel also wants a policy to make council memos public, especially when they are a followup to a question asked at a public meeting. He also wants Edmonton to review its freedom of information process and add a review so redacted information can be released when it’s no longer sensitive. [Edmonton Journal]

CA – Canadian Researchers Who Commit Scientific Fraud Are Protected by Privacy Laws

78 Canadian scientists have fabricated data, plagiarized, misused grants, or engaged in dodgy scientific practices in projects backed by public funds, a Star analysis has found. But the publicly funded agency responsible for policing scientific fraud is keeping secret the details surrounding these researchers. The scientists’ names, where they worked and what they did wrong is not made public because that information is protected under federal privacy laws. “If you were going to be a fraudulent scientist or plagiarist, or you want to steal grant money, Canada is an excellent place to live,” said Amir Attaran, a professor in the faculties of law and medicine at the University of Ottawa. Making public the names of research wrong-doers and their transgressions, he said, would “keep scientists honest.” And because the agency doesn’t follow up with police, it’s not known if any of the researchers faced criminal charges. [The Star]

WW – Google Says Government Requests for User Data at All-Time High

Government requests worldwide for user data related to search engine traffic on Google increased 29% from 2014 to 2015, according to the search site’s most recent Transparency Report, which was published today. Google reports on the government requests every six months. In the second half of 2015, it said it received more than 40,000 requests for data related to more than 81,000 user accounts; That compares to the first half of the year when Google received about 35,000 requests related to about 69,000 accounts. In the second half of 2014, Google received 31,140 requests from U.S. entities for user information related to more than 50,000 accounts. By far, the U.S. leads the world in government requests for data, followed by Germany with 11,562 requests. Google agreed to hand over “some” user data for 64% of the requests worldwide, but it handed over data for U.S. government requests 79% of the time. [ComputerWorld] Google’s latest transparency report shows record government data requests | How Google became a champion for government transparency.

Health / Medical

US – HHS: HIPAA Struggling to Keep Up with Health Apps, Wearables

A U.S. Department of Health and Human Services study found HIPAA is struggling to keep up with the growing number of wearable fitness trackers, mobile health apps and online patient communities. “Health privacy and security law experts have a reasonably clear idea of where HIPAA protections end, but the layperson likely does not,” said the HHS’ Office of the National Coordinator for Health Information Technology report. “Moreover, even entrepreneurs, particularly those outside the health care industry … may not have a clear understanding of where HIPAA oversight begins and ends.” The HHS report, which was originally due in 2010, does not offer any suggestions to filling the lapses in legislation. “At the end of the day, it’s a very complicated environment that we find ourselves in,” said ONC for Health Information Technology Chief Privacy Officer. “We believe we’re fulfilling our duties. If Congress has concerns about that, I’m sure that we will hear about them.” [ProPublica] [Morning Consult: US – Lawmakers Call for Privacy Safeguards in Health Apps, Wearables] [Health Data Management: US – Privacy, Security Concerns Continue to Cloud Mhealth’s Future]

US – NIST and ONC Host White Paper Challenge on Blockchain in Health Care

The Office of the National Coordinator for Health Information Technology and the National Institute of Standards and Technology have created a challenge asking for white papers on the potential benefits of blockchain technology in health care. The “Blockchain and Its Emerging Role in Healthcare and Health-related Research” asks for submissions addressing the “privacy, security and scalability of health records.” Submissions are accepted through Aug. 20, and winners will present their papers at an ONC and NIST workshop. [HealthITSecurity]

WW – Active Market for Healthcare Records Looms as Newest Cyber Threat

Offers to sell patient records with protected health information on the “Dark Web” market represent a new level of threat for healthcare organizations trying to protect health information, offering further monetary inducement to hackers trying to access records. The addition of a new potential for profiting from hacking could increase the “demand” side of the equation for records, increasing the likelihood of attacks and the need for healthcare organizations to stiffen defenses. In late June, a hacker known as “The Dark Overlord” reported the theft of nearly 10 million patient medical records from providers and a major insurer and put them on the Dark Web market where hackers conduct buy and sell data taken from a variety of sources. The extent of the data theft has not been verified by outside sources. But what this hacker started—the creation of a new market for patient records—will only expand, cybersecurity professionals believe. OWL Cybersecurity said the information that is available is unencrypted plain text that includes usernames and passwords, It said the Dark Overlord reported the total includes 48,000 records from a provider in Farmington, Mo.; 210,000 records from a healthcare organization in the Midwest; 397,000 records from a provider in the Atlanta region; 34,000 records from a provider in New York State; and 9.3 million records from an unidentified insurer. Those figures have not been independently verified. [Info Management]

US – HHS Releases Healthcare Ransomware, HIPAA Guidance

According to new HIPAA guidance, ransomware attacks must be reported to the Department of Health and Human Services (HHS). The guidance “describes ransomware attack prevention and recovery from a healthcare sector perspective, including how HIPAA breach notification processes should be managed in response to a ransomware attack.” HHS has created a fact sheet to help covered entities keep ePHI secure and follow HIPAA regulations. Conducting a risk analysis, regular user training, and maintaining an overall contingency plan are just a few of the recommendations from the Department of Health and Human Services (HHS) in its recent healthcare ransomware and HIPAA guidance. The new guidance is meant to help covered entities and business associates reinforce their adherence to HIPAA regulations, and also better prevent, detect, contain, and respond to threats. Electronic data being compromised through cybersecurity threats, including ransomware, is one of the biggest current threats to the industry, Office for Civil Rights Director Jocelyn Samuels explained in a blog post. [HealthIT Security]

Horror Stories

CA – Doctor Fired for Unauthorized Access to Patient Files

Vitalité Health Authority has fired a doctor who accessed more than 100 sensitive medical records of young women. A New Brunswick College of Physicians and Surgeons notice said Dr. Fernando Rojas violated the ethics of the Canadian Medical Association and the College of Physicians and Surgeons. Vitalité CEO Gilles Lanteigne said processes are being implemented to prevent a similar breach from happening in the future. He said, “We put in place the systems where as we would receive red lights way sooner in the process, so that’s one thing we’ve learned,” adding, “The other thing is that the magnitude of the impact of the breach has on a person, you know, it really brought this to light how important that is.” [CBC] See also: [P.E.I. care home employee fired after photo of deceased resident shared on Snapchat]

CA – Phoenix Pay System Also Breached Federal Workers’ Privacy

A dysfunctional compensation system that’s withholding paycheques from federal workers has also been breaching their privacy. Newly released documents show senior officials were warned as early as Jan. 18 that the new Phoenix system has a flaw that allows widespread access to employees’ personnel records, including social insurance numbers. Despite the warning, the faulty software was broadly implemented this spring — without alerting the unions or any employees that their private details were no longer secure. The disclosure of a massive privacy breach appears in documents obtained by CBC News under the Access to Information Act, deepening a crisis that has already touched some 80,000 public servants and triggered a wave of hiring to patch the problems. The briefing material prepared by Public Services and Procurement Canada indicates that up to 70,000 public servants had access to the personal details of all 300,000 employees covered by the system. A spokeswoman for Canada’s privacy commissioner confirmed the department “has reported this matter to our office and we have followed up with them.” Valerie Lawton said she could provide no further details. [CBC]

Identity Issues

CA – OPCC Issues Guidance on Customer Identification and Authentication

The Office of the Privacy Commissioner of Canada has published updated guidance on identification and authentication of individuals. Organizations should only identify or authenticate customers when necessary (i.e. to fulfill the transaction), individuals should provide appropriate consent for provision of personal information, and authentication levels (e.g. single factor, multi-layer, or multi-factor) should be commensurate with identified risks; reliable audit records should be maintained (including date, time, and failed attempted authentications) with the level of detail reflecting associated risks. [OPC Canada – Guidelines for Identification and Authentication]

Law Enforcement

US – Boston Police Body Camera Pilot Program Raises Privacy Questions

A group of 100 Boston Police officers will soon volunteer to take part in a six-month pilot program that would explore the use of body cameras by the department, the mayor’s office announced last week. The program incorporates recommendations from several privacy and police accountability groups they believe balance privacy with improving department transparency. The ACLU, along with the Boston NAACP and the Boston Police Camera Action Team, praised the Boston Police Department for incorporating recommendations it felt balanced civilian protection while improving transparency in police interactions with the public. Those include a requirement officers activate the cameras when engaged in most “potentially adversarial” encounters with the public; privacy protections for those in homes or other sensitive situations with an expectation of privacy; an explicit ban on using the cameras to record civilians based only on their “political or religious beliefs or upon the exercise of the civilians’ First Amendment rights;” and a ban on any kind of biometric capabilities in the camera — including face recognition technology. [Source]

US – Taser Plans to Livestream Police Body Cam Footage to the Cloud by 2017

Could police officers someday identify criminals just by looking at them? That’s the vision being touted by Taser International, which holds a monopoly on “conducted electrical weapons” for law enforcement and is aiming to build one for police body cameras. Facial recognition has been part of Taser’s plan. It’s been mentioned in Taser press releases as far back as 2009. In 2010, a Taser spokesman told GQ that Axon would turn “every cop [into] RoboCop.” “You’ve already got the ability to use cameras to tap into databases to find the license plates of stolen vehicles and overdue parking tickets,” said Stan Ross, CEO of Digital Ally, one of a growing number of companies fighting for market share in the fast-growing body camera industry. The business case for facial recognition is obvious. Cops and police chiefs who are aware of facial recognition “are really excited to try it.” Robert Vanman of WatchGuard—another body camera competitor—had similar thoughts. “In regards to facial recognition, WatchGuard will certainly be deploying that technology in the future,” he said. “We are the clear technology leader in hardware, and we plan to keep it that way.” But Vanman brought the discussion down to earth. “Facial recognition will require enough pixel resolution to be effective (to get good recognition results the image needs to contain about 50 pixels between the eyes),” he wrote. “To run facial recognition algorithms in real time will require substantial processing power and an on-camera database (which will require frequent updating). Those elements work against the battery life needs.” So there are practical challenges—video resolution that isn’t yet crisp enough; and battery life that isn’t yet long enough. Not to mention that some police departments can’t even get decent enough internet speeds to download their body cam footage to in-house servers, let alone livestream them to the cloud. [Motherboard]

Online Privacy

US – Nobody Reads Terms of Service, Privacy Policies: Study

A new study found that nearly three-quarters of the 543 university students surveyed skipped over the terms of service of a social media site they thought was real. Researchers included clauses that users agreed to, that they had until 2050 to give up their firstborn and that their data will be shared directly with the U.S. National Security Agency. The paper, titled “The biggest lie on the Internet: Ignoring the privacy policies and terms of service policies of social networking services,” was written by York University communication technology professor Jonathan Obar and University of Connecticut communications assistant professor Anne Oeldorf-Hirsch. For those few who did read the terms of service and privacy policy, they on average spent 51 seconds and 73 seconds on each respectively. [Ars Technica] [PC World]

Privacy (US)

US – Court: U.S. Agents Can’t Access Data Held On Overseas Computers

Microsoft Corp. won a major legal battle with the U.S. Justice Department Thursday when a federal appeals court ruled that the government can’t force the company to turn over emails or other personal data stored on computers overseas. The case, closely watched by Silicon Valley, comes amid tensions between Europe and the U.S. over government access to data that resides on the computers of social-media and other internet companies. The ruling is another setback for the Justice Department’s efforts to force technology companies to comply with government orders for data, following the collapse earlier this year of two cases involving Apple Inc.’s refusal to help open locked iPhones. The ramifications of Thursday’s ruling by the Second U.S. Circuit Court of Appeals in Manhattan could be sweeping. If the appeals court’s legal rationale stands, it could influence companies’ and their customers’ decisions about how and where to store data. It also alters the course of talks between the U.S. and other governments, in terrorism and criminal cases, about access to evidence stored in servers on foreign soil. In a statement, Microsoft President and Chief Legal Officer Brad Smith called the decision “a major victory for the protection of people’s privacy rights under their own laws, rather than the reach of foreign governments.” [Wall Street Journal]

US – US Plans Would Allow Foreign Gov’ts to Serve Warrants on US Tech Firms

In the wake of last week’s U.S. court decision in the Microsoft warrant case, the Justice Department plans to secure a series of international agreements with certain countries that would allow them to serve warrants on U.S. internet companies. Justice Department senior official Brad Wiegmann said the deals would allow governments — for example, the U.K. — to serve warrants directly on U.S. companies. Such an arrangement between the U.S. and U.K., however, would require legislative approval from both nations. “These agreements will not be for everyone,” Wiegmann explained. “There will be countries that don’t meet the standards.” The Center for Democracy & Technology’s Greg Nojeim expressed concern about the plan, noting it would be “swapping out the U.S. law for foreign law,” arguing the U.K. has less robust warrant requirements. A British diplomat disputed Nojeim’s assessment, stating the U.K. would apply strict judicial scrutiny of such warrants. [The Wall Street Journal]

US – Appeals Court Rules Mugshots Do Not Need Public Release

The 6th U.S. Circuit Court of Appeals ruled mugshots do not need to be released to the public, but instead, can be reviewed on a case-by-case basis. The hearing was held en banc, with a 9-7 vote in favor of the notion that arrested individuals have a privacy interest in not having their mugshots publicized, overturning a decision the same court made in 1996. Judge Deborah Cook said booking photos falls under the Freedom of Information Act exemption criteria 7(c), which includes potentially “embarrassing” personal information. “Booking photos — snapped ‘in the vulnerable and embarrassing moments immediately after [an individual is] accused, taken into custody, and deprived of most liberties’ — fit squarely within this realm of embarrassing and humiliating information,” Cook wrote. The Detroit Free Press may ask the Supreme Court for further review. [Courthouse News Service]

US – Precedent Set for Stingray-Gleaned Evidence

In a first-of-its-kind ruling, U.S. District Judge William Pauley has decided that the U.S. Drug Enforcement Administration’s use of stingrays when collecting evidence against defendant Raymond Lambis was a violation of his rights. Agency officials had used the device to determine the location of Lambis’ cellphone for a drug-trafficking case, evidence that Judge Pauley suppressed. “Absent a search warrant, the government may not turn a citizen’s cellphone into a tracking device,” Pauley said in his decision. The third party doctrine does not apply; cell phone users do not voluntarily submit their location data to their provider, and there is no third party (with the cell-site simulator, the government cuts out the provider and obtains the information directly). The ACLU hailed the move as one that “strongly reinforces the strength of our constitutional privacy rights in the digital age.” While the prosecutors can pursue an appeal, they have not yet moved to do so, the report states. [Reuters: Precedent Set for Stingray-Gleaned Evidence] [United States of America v. Raymond Lambis – 2016 U.S. Dist. LEXIS 90085 – United States District Court For The Southern District Of New York]

Security

WW – Ponemon Study: Companies Lack Resources to Spot Cyberattacks

According to a report from the Ponemon Institute, nearly 80% of businesses say they do not have sufficient infrastructure or personnel to monitor their networks for and defend their networks against cyberattacks. Only 17% say they have established formal, company-wide intelligence gathering processes. [ZDNet]

UK – UK ICO Issues Basic Security Guidance on Baby Monitors

Two years after it was revealed that a creepy Russian website was allowing users to watch more than 73,000 live streams from unsecure baby monitors, the UK’s data watchdog has warned that manufacturers still aren’t doing enough to keep their devices safe from hackers. The privacy breaches have prompted the ICO to issue guidance to help users guard against opportunistic hackers, and people using the murky likes of the Shodan search engine to browse the Internet of Things. The ICO lists six basic steps parents can take to help prevent casual hackers:

  • Research the most secure products
  • Secure your router with a strong password
  • Secure the device by changing its default password
  • Check manufacturer’s websites for security updates to out-of-the-box software
  • Read the manual to see if there are extra measures listed
  • Use two-step authentication, if you can

The ICO declined to name any of the sites where streams are available, but a spokesperson said that “you can connect to these devices directly, so there’s no intermediary website as such.” [Ars Technica]

Surveillance

US – FAA Drone Bill Drops Key Privacy Provisions

A Federal Aviation Administration reauthorization bill that was passed by the Senate this week has excluded key privacy provisions, including a requirement that commercial and government users of drones must disclose if they collect personally identifiable information of a person. The provisions would put checks on the collection of personal data by drone operators, including the government. The bill passed this week would prohibit drones from interfering with emergency response activities, such as wildfire suppression and law enforcement, and provides for civil penalties of not more than US$20,000 for those found in violation. Drones are also to be used for firefighting and restoration of utilities. The bill, which is a compromise short-term extension to ensure continued funding at current levels to the FAA, was passed by the Senate and goes to President Barack Obama to be signed into law, two days before the current authorization is to expire. It was earlier passed by the House of Representatives. But Senator Edward J. Markey, a Democrat from Massachusetts and a member of the Commerce, Science, and Transportation Committee, said that the new bill, called the FAA Extension, Safety, and Security Act of 2016, was “a missed opportunity.” It does not include drone privacy provisions that he authored and were included in the Senate version of the FAA reauthorization bill that passed in April this year, the senator said in a statement. [PC World]

US Legislation

US – Legislative Roundup

+++

 

 

5-12 July 2016

Biometrics

UK – NHS Sending 1M Eye Scans to Google’s DeepMind

Google’s DeepMind division will receive 1 million anonymized eye scans from Moorfields Eye Hospital to help train its artificial intelligence system to identify signs of disease. DeepMind’s machine learning algorithms will examine the scans for symptoms of diseases such as macular degeneration and diabetes-related vision loss. The collaboration, however, has already raised some privacy concerns. In a letter to Moorfields, tech journalist Gareth Corfield cited the Data Protection Act, writing, “To be crystal clear, I have not consented for my personal data to be used by Moorfields NHS Trust for any purpose other than treating me for genuine medical purposes.” The announcement comes after Google’s AI system faced criticism for its collaborations with three small London hospitals. [BBC]

Big Data

WW – IDEAS Conference to Address Digital Privacy Issues in an Era of Big Data

All it takes is 300 “likes” while you’re scrolling through your newsfeed — that’s the point at which Facebook knows you better than your own spouse or your best friend. So if you’re averaging 10 “likes” a day, it will take just a month for the social network behemoth to have you figured out more accurately than the people you consider your soul mates. And if you’re a compulsive clicker of the “thumbs up” icon, Facebook may have insight into your innermost thoughts and feelings in a mere week-and-a-half. [Montreal Gazette]

Canada

CA – PIPEDA Amendments Creating General Obligation to Notify Individuals and Privacy Commissioner of a Breach Not Yet in Force

Canada’s federal privacy law does not currently include a general obligation to provide notification of breaches (the OPC has issued best practice guidelines that strongly encourage such notification); after the amendments to PIPEDA come into effect, organizations will be required to notify the OPC and affected individuals of any breach where it is reasonable to believe that the breach creates a real risk of significant harm to the individual. [Global Guide to Data Breach Notification – Canada – Peter Ruby and Rachel Ouellette, Goodmans LLP and George Pollack, Davies Ward Phillips & Vineberg] (Pages 22 – 32)] See also: the Office of the Privacy Commissioner of Canada has issued a call for proposals seeking applicants to organize and host the next research symposium in the Office’s Pathways to Privacy series. Learn more

CA – Toronto Real Estate Board Increases Efforts to Overturn Tribunal’s Ruling

The Toronto Real Estate Board is stepping up its efforts in court to overturn a decision by the federal Competition Tribunal that allows more detailed home sales data to be released on the Internet. TREB reiterated its concerns that the tribunal’s April 27 order mandating wider access to the industry’s Multiple Listing Service (MLS) database violates privacy law and the rights of buyers and sellers. On May 27, the real estate board filed a notice of appeal to challenge the ruling in the Federal Court of Appeal and last week, it asked the court to stay the tribunal’s decision. After a subsequent hearing last month to work out the details of its ruling, the Competition Tribunal said TREB’s active realtor members would be allowed to publish information online that is not currently being widely disseminated, including sales figures, pending sales and broker commissions. As part of this arrangement, virtual brokers would be permitted to display and analyze this data as freely over the Internet as other realtors currently share such information with their clients in person, by fax or over e-mail. Even as TREB continues to contest the decision in court, its information technology staff are working to upgrade its systems so it’s ready to comply with the order, which is set to come into effect on Aug. 3. [The Globe and Mail]

CA – Do Photographs Taken by a Landlord for Marketing a Rental Unit Offend Privacy Rights?

A recent decision of the Ontario Divisional Court has ruled that landlords of residential tenancies are not permitted to enter into a tenant’s premises to take photographs in order to market the property for sale while it is occupied by another tenant, unless there is a consent of that tenant or a specific provision in the lease permitting the taking and publication of photographs. In Juhasz v. Hymas (2016 ONSC 1650,) the Ontario Divisional Court noted that the lease and legislation did allow the landlord to show the premises to prospective tenants or purchasers but that that the lease did not contain a clause permitting entry by a real estate agent to take photographs for marketing the property for sale. [Source]

E-Government

US – How Presidential Candidates Sell Supporters’ PII to Other Candidates

What do failed presidential candidates do with their supporters’ email addresses once they drop out of the race for the White House? Nearly every GOP candidate in the 2016 presidential election has sold, rented or loaned their supporters’ addresses to other candidates, marketing companies, charities or private firms, CNNMoney found through an analysis of thousands of emails and Federal Election Commission records. The failed candidates have been able to make thousands of dollars through data sharing, with Marco Rubio taking home $504,651 and Rand Paul making $212,495. The practice is not illegal, as the campaign tells donors what will happen with their personal information when they give money to a particular candidate. [CNN Money]

E-Mail

CA – Private Right of Action Under Canada’s Anti-Spam Law (CASL)

As of July 1, 2017, individuals and organizations will be entitled to institute a “private right of action” before the courts against those that contravene certain provisions of Canada’s Anti-Spam Law (“CASL”). In the event of a contravention of the message rules in CASL, a monetary penalty up to a maximum of $1,000,000 per day may be imposed. This private right of action should be taken seriously right now. From this perspective and building on previous publications, this bulletin discusses this new mechanism. [Fasken] See also: [Emerging Limits on the Certification of Privacy Class Actions]

Encryption

WW – Facebook Testing Encryption for Messenger

Facebook has begun testing Secret Conversations, an end-to-end encryption feature for Messenger. Users will be able to create secret conversations that can be read on only one of the recipient’s devices. The cryptographic keys “are generated or derived on-device,” which means that Facebook never has possession of the keys. Secret Conversations will also let users determine how long the message will be visible. Starting July 8, a select number of Facebook Messenger users will test the social media site’s opt-in, end-to-end encrypted “secret conversations” feature. The site’s will make its “secret conversations” widely accessible starting “later this summer or in early fall.” [SC Magazine: Facebook testing ‘Secret Conversations’ end-to-end encryption feature for Messenger | Quartz: Facebook is testing encrypted, self-destructing messages | CNET: Facebook adds encryption to Messenger | Facebook: Messenger Starts Testing End-to-End Encryption with Secret Conversations] [WIRED]

CA – Encryption Keeping Police Out, Government Documents Indicate

Encryption and privacy technologies are making Canadian law enforcement’s ability to use data in an investigatory capacity increasingly difficult. “Canadians are increasingly using mobile phone networks, the internet, and other electronic means to communicate and execute transactions with each other,” wrote public safety officials in the documents addressed to Minister Ralph Goodale. “This has led to a significant gap between the technologies available for criminal exploitation and our means to enforce Canada’s laws and keep Canadians safe.” The documents suggested having a “thoughtful discussion” on the best legal framework for encryption technology that benefits all, the report adds. [The Star]

WW – Google Testing New Encryption That Protects Against Quantum Attacks

Google has begun testing a new form of encryption in its Chrome browser designed to protect systems from quantum attacks. Google is adding a post-quantum key-exchange algorithm to a small number of connections between the desktop version of Chrome and Google’s servers. [Wired: Google Tests New Crypto in Chrome to Fend Off Quantum Attacks | ZDNet: Google is experimenting with post-quantum cryptography]

EU Developments

EU – EU Governments Approve Privacy Shield

The European Union’s 28 member states have approved Privacy Shield, the EU-US data transfer agreement crafted to replace Safe harbor, which the EU high court struck down last autumn. Once the European Commission approves Privacy Shield, the agreement will take effect. European privacy groups are likely to challenge the agreement in court because they believe it does not go far enough to protect EU citizens’ privacy. [The Hill: Week ahead: EU set to finalize new data pact | eWeek: European Member States Approve Privacy Shield Agreement | BBC: Privacy Shield data pact gets European approval | SC Magazine: Privacy Shield gets nod from EU, ripe for judicial challenge]

EU – EU-U.S. Privacy Shield 2.0 Signed, Sealed and Delivered

The European Commission and the U.S. Department of Commerce-approved updated version of the EU-U.S. Privacy Shield was green lighted by a regulatory committee of EU countries July 8 and will be formally adopted and finalized the following week, the authors write as they discuss the outlines of the new data transfer pact. The updated Decision also clarifies that while the general rule will be that the Principles apply to a U.S. business immediately upon filing of the self-certification documents with the U.S. Department of Commerce, there will be an exception for cases where an organization has a pre-existing relationship with third parties. [BNA] [EU-US Privacy Shield agreement goes into effect: Tech companies welcome new data transfer agreement, but activists say it doesn’t do enough to protect privacy | New ‘Privacy Shield’ deal between U.S. and Europe is already catching flak | Say hello to the General Data Protection Regulation |

EU – European Parliament Approves Cybersecurity Law

The European Parliament has approved cybersecurity legislation that “establish[es] a common level of network and information security and enhance[s] cooperation among EU member states, which will help prevent cyberattacks on Europe’s important interconnected infrastructures.” The new rules affect a broad spectrum of business sectors, including finance, energy, transportation, and technology. [Bloomberg Technology | ZDNet: European lawmakers approve new cybersecurity law | Bloomberg: European Union’s First Cybersecurity Law Gets Green Light | European Parliament Press Release: Cybersecurity: MEPs back rules to help vital services resist online threats | European Parliament Press Release: Cyber security: new rules to protect Europe’s infrastructure] See also: The Digital Economy Bill had its first reading in the U.K. Parliament. The bill would allow for sharing of information between public bodies when there is a public benefit, increase online protection for minors, offer universal broadband access and more.

EU – EU Planning $2B Cybersecurity Research Investment

The European Union wants a $2 billion investment into cybersecurity research. The EU is planning on contributing $500 million to it and is asking industry to contribute the remaining $1.5 billion. The European Commission fears the EU economy is susceptible to cyberattacks, saying the incidents “could undermine the digital single market and economic and social life as a whole.” The $2 billion cybersecurity public-private partnership is “intended [to] boost cross-border research into cybersecurity, and to aid development of security products and services for the energy, health, transport and finance industries,” said the European Commission in a report published Tuesday. Developing strong levels of cybersecurity can also be a big advantage for the EU over other countries, the European Commission said, as IT security continues to accelerate in growth worldwide. [PCWorld]

EU – Norwegian DPA Critiques Facebook at Work’s Terms of Use

The Norwegian Data Protection Authority has reviewed Facebook at Work and found its terms of use do not stand up to the national Personal Data Act. The agency said businesses using Facebook at Work to conduct internal communications must create their own terms for Facebook’s part as the provider, as those companies are liable for protecting privacy and maintaining information security. Since Facebook is acting as the provider, and given the social network’s history of mining user data, the DPA said, “Facebook’s entry to the Norwegian workplace therefore requires vigilance in terms of privacy implications.” The agency expects to release a more in-depth analysis this September. [Telecompaper]

EU – Helen Dixon: DPC’s Resources Tied Up by ‘Ambulance Chasers’

Ireland Data Protection Commissioner Helen Dixon says her agency’s resources are being gummed up by “digital ambulance chasing.” At issue are a number of complaints about issues that could be considered “embarrassing or distressing” but not necessarily critical. “On this note,” she said, “I think we are starting to see the rise in digital ambulance chasers in terms of certain legal firms presenting volumes of cases to the office where essentially their goal is to obtain a formal determination of the data protection commissioner that organization x,y,z is in breach of data protection legislation.” Dixon said she wonders if these type of complaints “really represents anyone’s interests well,” noting they tie up the DPC when the “controller has already acknowledged the contravention and attempted to right the wrong.” [The Irish Times]

Finance

EU – Commission Places Stronger Controls on Bitcoin, Pre-Paid Credit Cards

The European Commission is looking to strengthen its efforts to stop financial crimes and terrorism funding by placing tighter controls on bitcoin transactions and pre-paid credit cards. “Today’s proposals will help national authorities to track down people who hide their finances in order to commit crimes such as terrorism,” said European Commission First Vice President Frans Timmermans. “Member States will be able to get and share vital information about who really owns companies or trusts, who is dealing in online currencies, and who is using pre-paid cards.” Virtual currency exchanges must now conduct stricter customer identification checks on customers exchanging fiat for bitcoin and other digital currency. To cut down on the number of anonymous transactions, pre-paid credit card thresholds for identification have been lowered from 250 euros to 150 euros. [Law360]

FOI

US – Private-Account Email Can Be Subject to FOIA: Court

On the same day that the FBI announced that the criminal investigation of Hillary Clinton’s use of a private email server is likely to conclude without any charges, a federal appeals court issued a ruling that could complicate and prolong a slew of ongoing civil lawsuits over access to the messages Clinton and her top aides traded on personal accounts. In a decision Tuesday in a case not involving Clinton directly, the U.S. Court of Appeals for the D.C. Circuit held that messages contained in a personal email account can sometimes be considered government records subject to Freedom of Information Act requests. The case ruled on by the D.C. Circuit focused on a relatively obscure White House unit: the Office of Science and Technology Policy. At least one federal judge handling a FOIA suit focused on Clinton’s emails said last month he was watching to see how the D.C. Circuit ruled in the dispute involving Obama science adviser John Holdren and an account he kept on a server at the non-profit Woods Hole Research Center in Massachusetts. After the free-market-oriented Competitive Enterprise Institute filed suit over a request for work-related emails sent to or from that private account used by Holdren, U.S. District Court Judge Gladys Kessler ruled last year that the government had no duty to search an email account that wasn’t part of OSTP’s official system. But the three D.C. Circuit judges who ruled Tuesday all said Kessler was too rash in throwing out the suit and they agreed the case should be reinstated. While the opinions in the case make no mention of Clinton or her private server, it seems evident that all three appeals judges involved are aware of the obvious analogy. [Source]

Genetics

EU – Sweden May Open National DNA Database to Law Enforcement

The Swedish government may allow law enforcement and possibly private insurance companies to access its massive DNA database. The PKU Registry contains the genetic information of every single Swedish citizen under the age of 43, as the government allowed blood samples to be collected of every newborn since 1975 in order to aid medical research. Privacy advocates are pushing back against opening up the database. The Pirate Party’s Rick Falkvinge believes the decision would be “an outrageous and audacious breach of contract with the parents who were promised the sample would be used only for the good of humanity in terms of medical research.” Falkvinge argues the insinuation of opening the database to police will stop individuals from providing samples in the future. [Ars Technica]

Health / Medical

CA – OIPC AB Provides Guidance for Safeguarding Electronic Health Systems

This OIPC guidance is intended for custodians and their information managers (i.e. EHR service providers) to assess the safeguards in electronic health record system. Practices include a system design that restricts access on a need-to-know basis, a system ability to reduce access, view or disclosure capability based on an individual’s request, tracking of research requests for disclosure of health information, the inclusion of privacy statements or reminders on system screens, availability of backup and restoration procedures (including the audit log information) at an offsite location, and systems/processes to securely dispose of health information where authorized. [OIPC AB – Guidance for Electronic Health Record Systems]

UK – Patients Should Have More Control Over How Their Medical Data Is Used, Says Caldicott

The national data guardian in England recommended that a new consent and opt-out model for data sharing be implemented in the NHS in England in a report presented at the end of her review of health and care data security and consent, which had been commissioned by the UK government. Dame Fiona said that NHS bodies should generally be free to share patients’ medical data for the purposes of delivering care directly to those people. However, patients should be given control over any other proposed uses of their health records, she said. “People should be able to opt out of their personal confidential data being used for purposes beyond their direct care unless there is a mandatory legal requirement or an overriding public interest,” Dame Fiona said. “Relevant information about a patient should continue to be shared between health professionals in support of their care. An individual will still be able to ask their doctor or other healthcare professional not to share a particular piece of information with others involved in providing their care and should be asked for their explicit consent before access to their whole record is given,” she said. Dame Fiona said that the new opt out and consent model could consist of either asking patients a single question about whether they will allow their data to be used for purposes beyond direct care or a “two-part” mechanism that would allow patients to be more specific about the way their data can be used. [Source]

US – Nursing Home Operator Agrees to Pay $640,000 for ePHI Breach

The Department of Health and Human Services, Office for Civil Rights entered into an agreement with the Catholic Health Care Services of the Archdiocese of Philadelphia a business associate, to settle alleged violations of the HIPAA Security Rule. An operator-provided smartphone was stolen that was unencrypted and not password protected and contained social security numbers, diagnosis/treatment information, medical procedures and names of family members/legal guardians; the operator must conduct a risk analysis, implement prescribed policies and procedures (e.g. regarding the encryption of ePHI, password management, security incident response, and mobile device controls), implement training programs, and submit reportable events and implementation and annual reports. [HHS – Resolution Agreement – Catholic Health Care Services of the Archdiocese of Philadelphia Press Release | Resolution Agreement] [Business Associates Beware: First HIPAA Settlement with Business Associate]

UK – Gov’t Takes Surgeon’s Knife to Controversial NHS Care.Data Scheme

A recent review published by National Data Guardian Dame Fiona Caldicott suggests moving forward with the data sharing plans of the U.K.’s now-extinct Care.data health database for the U.K.’s national health care system. In her review, Calidcott recommended “new data security standards for the NHS and social care, a method for testing compliance against the standards, and a new opt out to make clear how people’s health and care information will be used and in what circumstances they can opt out.” Meanwhile, Polly Toynbee criticizes the privacy concern-borne criticism that led to the demise of Care.data in an op-ed for the Guardian, calling it a “loss” for the country. [Ars Technica]

Horror Stories

WW – Analysts Concerned by ‘Insider Threat’ Trend

Insider threats are growing increasingly more dangerous than external hackers, some security analysts predict. “A lot of companies are really worried about employees walking off with their data,” said Gartner’s Avivah Litan. “Insider threats have become a major issue because external criminals are actively recruiting insiders to help perpetrate their crimes, while disgruntled employees are actively making their insider services available.” The influence of the Dark Web has incentivized these threats, he added. “Disgruntled employees, especially those working in data-rich organizations like financial services companies, pharmaceutical firms, and in government are being actively recruited by and selling access to network credentials and corporate data to criminals on the Dark Web.” An Intel report from September 2015 determined that insiders could be blamed for 43% of lost data, and Verizon’s 2016 breach report blamed disgruntled insiders for roughly one in ten security incidents. [Christian Science Monitor] See also: [Former SaskPower employee illicitly accessed more than 4,000 HR files]

UK – Police Departments Commit 10 Data Breaches a Week: Study

A study from civil liberties group Big Brother Watch finds police forces in the U.K. are responsible for 10 data breaches a week. Big Brother Watch’s report, “Safe in Police Hands?“ found police departments committed 2,315 data breaches between June 2011 and December 2015. Incidents include officers illicitly using information for financial gain and passing sensitive information to organized crime syndicates. More than half of the breaches resulted in no formal disciplinary action, with 13% resulting in a resignation or termination. “While there have been improvements in how forces ensure data is handled correctly, this report reveals there is still room for improvement. Forces must look closely at the controls in place to prevent misuse and abuse,” the report said. [Computer Weekly]

US – Wendy’s Payment Card Data Breach Affected More Than 1,000 Locations

Wendy’s fast food restaurant chain now says that malware was found on point-of-sale systems at more than 1,025 of its franchises, considerably more than the 300 initially reported earlier this year. The malware targeted: cardholder name, credit or debit card number, expiration date, cardholder verification value, and service code. The investigation is still active. Fraudulent activity involving some of those accounts was first detected in fall 2015. [BBC: Food chain Wendy’s hit by massive hack | CNET: Wendy’s says payment card info accessed in malware attack | ZDNet: Wendy’s admits credit card hack is far worse than first thought | SecurityWeek: Over 1,000 Wendy’s Restaurants Hit by PoS Malware | USA Today: Wendy’s: Credit card numbers disclosed in cyber attack ]

Identity Issues

WW – ID Theft Cases Increased 57% as Thieves Mine Social Media

A study from fraud prevention service Cifas found the number of identity theft victims in the U.K. rose 57% in 2015. Cifas said there were 148,000 victims of identity theft last year, up from the 94,500 reported cases in 2014. The majority of the cases involved thieves assuming the identity of a real person, using their name, date of birth, address and bank details. Social media networks are becoming a popular place for identity thieves to garner the information necessary to commit the crimes. “The likes of Facebook, Twitter, LinkedIn and other online platforms are much more than just social media sites — they are now a hunting ground for identity thieves,” said Cifas Chief Executive Simon Dukes. “We are urging people to check their privacy settings today and think twice about what they share.” [BBC]

CA – OPC Releases Guidance on De-Identification

The OIPC Ontario outlined key issues to consider when de-identifying personal information in the form of structured data. An acceptable re-identification risk should assess information sensitivity, the level of detail of the information, the number of individuals, potential harms/injuries from a breach, and individual consent for disclosure; public and semi-public release should have a maximum risk measurement applied (non-public releases have an average risk), and agreements with recipients should prohibit re-identification, linking to external data sets, or sharing without permission. [IPC ON – De-identification Guidelines for Structured Data]

Internet / WWW

WW – The Cloud and Filing Cabinets Should Have the Same Privacy Rights

According to a civil complaint filed by Microsoft against the government in federal court, the U.S. government issued more than 5,600 demands to Microsoft over an 18-month period, seeking access to customer information hosted in the cloud. More than 2,500 of those demands came with court-issued secrecy orders that prevented Microsoft from alerting its customers that their information — including personal communications, business records and confidential documents — was being given to the government. Microsoft’s lawsuit challenges this abuse with a simple premise: citizens and businesses that store information on remote data centers are entitled to the same degree of privacy and freedom from unlawful seizure as those who store such information in filing cabinets or personal computers. [Source]

Law Enforcement

US – Minnesota Law Classifies Public and Private Law Enforcement Body-Worn Camera Footage

SB 498, classifying police body-worn camera data, has been signed into law by the Governor and is effective August 1, 2016. Footage is public data if it documents firearm discharge in the course of an officer’s duty, use of force that results in substantial bodily harm, and agencies may redact or withhold access to portion of public data that are clearly offensive to common sensibilities; individuals who are the subject of the footage may request access to a copy of the data, however data on other individuals who do not consent to its release must be redacted. [Senate Bill 498 – A Bill for an Act Relating to Portable Recording System Data – Minnesota Legislature]

UK – Police Suffered 2,315 Data Breaches in Last Five Years but Want More Data

A report from UK privacy watchdog Big Brother Watch (BBW) reveals that UK police suffered 2,315 data breaches between June 2011 and December 2015 as a result of insiders abusing their access to the data. BBW says that, in 869 cases, police officers accessed citizens private data without a work-related purpose, and in 877 incidents, police officers shared data with unauthorized third-parties. Few police officers who caused the breaches were punished. Despite the flagrant abuse, in 1,283 cases, authorities decided to take no disciplinary action against the individual that broke procedures. Only 297 cases resulted in the resignation or dismissal of the guilty employee. Authorities did decide to press charges, and for 70 cases, the investigation concluded with a criminal conviction or a caution warning. For 258 less flagrant cases, officers received a written or verbal warning. [Source]

EU – Swedish DPA Greenlights Security Police Registry of Terrorist Group Supporters

Swedish security police Säpo has received permission from the country’s data protection authority to register individuals who express support for ISIS and other terrorist groups. The authority deemed that public support of an EU or U.N.-recognized terror organization was not “sensitive personal information,” the report states. However, “according to Säpo, the decision from the Data Inspection Board does not mean that information can be registered based on political and religious beliefs, which is not generally allowed in Sweden,” the report adds. The move “will allow us to further streamline our work,” said Säpo Press Secretary Simon Bynert. “We will be able to register relevant tips and will be able to get a better overall picture of the people we follow.” [The Local]

Location

US – Researchers Develop Method for Stronger Location Data Control

A group of UCLA researchers are proposing a way to give users more granular control over their location in light of the growing amount of Internet of Things devices. Joshua Joy, Minh Lee, and Mario Gerla have come up with LocationSafe, a privacy module implemented directly into the GPSD of a user’s device, allowing the user to dictate the manner location data is provided before other applications can use it. “User applications requesting data of users is a binary permission, either I share my data or I don’t. However, sensitive data such as location needs finer control on how accurate and how often the location information is released,” the authors said in their paper. [Motherboard]

Online Privacy

EU – EU Submits Draft Code of Conduct on Privacy for Mobile Health Apps to Article 29 Working Party for Approval

the European Commission submitted a draft code of conduct for privacy for mobile health apps to the Article 29 Data Protection Working Party for its considerations and approval. The EC functioned as a facilitator with industry members who drafted a Code of Conduct. The Code of Conduct, once approved, can be voluntarily signed by app developers with a commitment to following its rules, including data protection principles (such as transparency and privacy by design), requires valid explicit consent for collect/use of data subject data, permits secondary use of data for scientific research or Big Data, and acknowledges that it can be difficult to irreversibly anonymise health data when a retention period expires. [European Commission – Draft Code of Conduct on Privacy for Mobile Health Applications Press Release | Draft Code of Conduct | Hogan Lovells]

EU – Tech Industry Gangs Up On European Commission, Calls for Cookie Law To Be Scrapped

A massive coalition of tech and telco companies have called for the EU’s so-called cookie law to be repealed. Ars reported yesterday that the European Commission was working to overhaul the current ePrivacy Directive, and had held a public consultation soliciting feedback. But a group of 12 trade bodies has now called for it to be scrapped altogether. The coalition includes the European Telecommunications and Network Operators association (ETNO), the European Competitive Telecommunications Association (ECTA), the GSMA representing mobile operators, the Computer and Communications Industry Association (CCIA), IAB, the interactive advertising bureau, and DigitalEurope. “We believe that simplifying and streamlining regulation will benefit consumers by ensuring they are provided with a simple, consistent, and meaningful set of rules designed to protect their personal data,” said the group. “At the same time, it will encourage innovation across the digital value chain and drive new growth and social opportunities. This is critical at a time when digital companies are striving to launch new innovative services and working to build a 5G Europe.” The coalition brings together telco operators, online service providers, hardware manufacturers, and online publishers. [Source]

US – MIT Researchers Develop Anonymity Network That Rivals TOR

Anonymity networks protect people living under repressive regimes from surveillance of their Internet use. But the recent discovery of vulnerabilities in the most popular of these networks — Tor — has prompted computer scientists to try to come up with more secure anonymity schemes. At the Privacy Enhancing Technologies Symposium in July, researchers at MIT’s Computer Science and Artificial Intelligence Laboratory and the École Polytechnique Fédérale de Lausanne will present a new anonymity scheme that provides strong security guarantees but uses bandwidth much more efficiently than its predecessors. In experiments, the researchers’ system required only one-tenth as much time as existing systems to transfer a large file between anonymous users. The system …employs several existing cryptographic techniques but combines them in a novel manner. The heart of the system is a series of servers called a mixnet. Each server permutes the order in which it receives messages before passing them on to the next. If, for instance, messages from senders Alice, Bob, and Carol reach the first server in the order A, B, C, that server would send them to the second server in a different order — say, C, B, A. The second server would permute them before sending them to the third, and so on. [MIT News]

Privacy (US)

US – Obama Administration Unveils National Privacy Research Strategy

The White House has announced the National Privacy Research Strategy, a program which aims to foster more sophisticated privacy research alongside the development of innovative data use. This strategy proposes the following priorities for privacy research:

  • Foster a multidisciplinary approach to privacy research and solutions;
  • Understand and measure privacy desires and impacts;
  • Develop system design methods that incorporate privacy desires, requirements, and controls;
  • Increase transparency of data collection, sharing, use, and retention;
  • Assure that information flows and use are consistent with privacy rules;
  • Develop approaches for remediation and recovery; and
  • Reduce privacy risks of analytical algorithms.

“With this strategy, our goal is to produce knowledge and technology that will enable individuals, commercial entities, and the federal government to benefit from technological advancements and data use while proactively identifying and mitigating privacy risks.” The strategy suggests increased transparency of data use; a more “multidisciplinary approach” to privacy research, and the creation of system design methods that satisfy privacy requirements. The new Federal Privacy R&D Interagency Working Group will help facilitate these efforts. [Press Release]

US – DEA Changes Wiretap Procedure After Questionable Eavesdropping Cases

Following criticism for its dubious surveillance program in the L.A. suburbs, the Drug Enforcement Administration is overhauling its procedures for agents to secure permission for wiretaps. DEA agents must discuss any plans for a wiretap with federal prosecutors, and then receive permission from a senior DEA official before taking their request to a state court. The change comes after an investigation discovered the DEA had a wiretapping program monitoring millions of calls and texts in the Los Angeles area, getting approval from a single state court judge while bypassing Justice Department lawyers. “With federal courts, there’s a significant amount of scrutiny on something before you get a wiretap, and there’s a lot of layers of protection for privacy that don’t exist in state court,” said Louisville defense lawyer Brian Butler, who is challenging the legality of the DEA’s past surveillance efforts. [USA Today]

US – Sports Authority’s Post-Bankruptcy Data Sale Sparks Privacy Concerns

After Dick’s Sporting Goods bid on and won the now-bankrupt Sports Authority’s trove of an estimated 25 million email addresses and 14 million shoppers’ files for $15 million, former Sports Authority consumers are now concerned about the potential ramifications on their privacy. “It’s extremely valuable data for companies to identify customers who are looking for a new home,” said SSP Blue’s Hemu Nigam. “Customer emails are stolen every day [but] they lack awareness that this is a possibility,” Nigam said. “The auction is raising awareness of another way customer data can be sold without even thinking about it.” Representatives from Dick’s Sporting Goods and Sports Authority declined to comment, the report states. [Los Angeles Times]

US – CFPB Proposes Privacy Notice Requirement Amendment

The Consumer Financial Protection Bureau is pitching to amend the privacy notice requirement under the Gramm-Leach-Bliley Act and has opened up a request for public comment. “The bureau is proposing to amend Regulation P, which requires, among other things, that financial institutions provide an annual notice describing their privacy policies and practices to their customers,” the report said. The CFPB alteration installs a December 2015 statutory amendment to the act, “providing an exception to this annual notice requirement for financial institutions that meet certain conditions.” The report also states, “If financial institutions share certain consumer information with particular types of third parties, the annual notices must also provide customers with an opportunity to opt out of the sharing.” [Consumer Finance]

US – Facebook 3rd-Party Data Sharing Case Will Move Forward with One Plaintiff

U.S. District Judge Ronald Whyte has ruled that plaintiff Wendy Marfeo’s suit against Facebook for allegedly sharing her information with a third-party site via “referrer headers” will move forward. Whyte found “that she had suffered harm by Facebook sharing her personal and private information despite the tech company’s many assertions it would not do so,” the report states. The judge did respect Facebook’s motion to dismiss co-plaintiff Katherine Pohl’s allegations that the company had shared her information with a third party, the report adds. “We are pleased that the court ruled in our favor and determined that the case should not proceed as a class action,” said a Facebook representative. [Courthouse News Service]

US – EFF and ACLU-led Coalition Opposes Dangerous “Model” Employee and Student “Privacy” Legislation

EFF, ACLU, and a coalition of nearly two-dozen civil liberties and advocacy organizations and a union representative are urging the Uniform Law Commission (ULC) to vote down dangerous model employee and student privacy legislation. The bill, the Employee and Student Online Privacy Protection Act (ESOPPA), is ostensibly aimed at protecting employee and student privacy. But its broad and vaguely worded exceptions and limitations overshadow any protections the bill attempts to provide. As our joint letter explains, ESOPPA will result in only further invasions of student and employee privacy. ESOPPA does next to nothing to prevent school administrators and employers—including public school employees and state officials—from coercing or requiring students and employees to turn over private, non-publicly available information from social media accounts. Furthermore, ESOPPA applies only to students at the college level and beyond, leaving the privacy of students at the high school level and below completely exposed. That’s why we’re asking the ULC to either address ESOPPA’s deficiencies or reject the bill outright at its upcoming meeting. Other organizations, including the Foundation for Individual Rights in Education (FIRE), have also sent their own letter to the ULC opposing the current draft of ESOPPA. You can read the full text of the letter below or access a PDF of the original letter here. Special thanks to all of our coalition partners, listed in full below. [Source]

US – More Than 95% of Public Comments Pan FCC Privacy Plans

More than 95% of public comments on a proposal by the Federal Communications Commission to regulate the privacy practices of broadband providers have been critical of that idea, according to a report. The figures were provided by “Protect Internet Freedom,” a nonprofit group that established an online platform for users to submit feedback to the FCC. “A total of 259,539 opposition comments were filed against the [rules], an overwhelming majority of the 271,669 total comments filed in the docket as the commenting deadline nears,” the group said in a press release. The public comment period is set to close this week. Democrats on the commission moved to issue the notice of proposed rulemaking, which would restrict how Internet providers are allowed to collect and use customer data. Critics say that tech companies like Google and Facebook represent a more significant threat and would be given an unfair advantage because the rule wouldn’t apply to them. [Washington Examiner]

RFID / IoT

US – Senator Asks FTC to Boost Privacy Efforts in IoT for Children

Sen. Mark Warner, D-Va., wrote a letter to FTC Chairwoman Edith Ramirez on her agency’s efforts to protect the privacy of the “Internet of Playthings.” In his letter, Warner says the FTC must work with Congress to safeguard children’s personal information as “smart toys” rise in popularity. “The ever-declining cost of digital storage and internet connectivity have made it possible to connect an unimaginable range of product and services,” Warner said in his letter. The senator cited researchers hacking into talking dolls and altering their responses and the ease of hacking the cloud to obtain conversations recorded by children’s toys as reasons for the FTC to take action. Warner also questioned Ramirez whether the FTC had enough authority to guard children’s privacy under the Children’s’ Online Privacy Protection Act with IoT on the rise. [Multichannel News]

Security

WW – Infrared Light Could Shut Off Forthcoming iPhones’ Camera

Apple has been granted a patent for an unnamed system that allows those with infrared-capable devices to disable the filming capabilities of proximate iPhones. While the system was initially developed to prevent bootlegging of films or illegal filming of concerts, there is concern that law enforcement agencies could manipulate it. “Given how police have secretly adapted new kinds of technology, from Stingrays that can intercept text messages in transit to license plate scanners, it’s not hard to predict how police could take [it] on as part of their arsenal, regardless of Apple’s recent anti-surveillance track record.” At the time of publication, Tech.Mic was still awaiting a potential response from Apple. [Tech.Mic]

US – Password Sharing Is a Federal Crime, Appeals Court Rules

One of the nation’s most powerful appeals courts ruled that sharing passwords can be a violation of the Computer Fraud and Abuse Act, a catch-all “hacking” law that has been widely used to prosecute behavior that bears no resemblance to hacking. In this particular instance, the conviction of David Nosal, a former employee of Korn/Ferry International research firm, was upheld by the Ninth Circuit Court of Appeals, who said that Nosal’s use of a former coworker’s password to access one of the firm’s databases was an “unauthorized” use of a computer system under the CFAA. The decision is a nightmare scenario for civil liberties groups, who say that such a broad interpretation of the CFAA means that millions of Americans are unwittingly violating federal law by sharing accounts on things like Netflix, HBO, Spotify, and Facebook. Stephen Reinhardt, the dissenting judge in the case, noted that the decision “threatens to criminalize all sorts of innocuous conduct engaged in daily by ordinary citizens.” At issue is language in the CFAA that makes it illegal to access a computer system “without authorization.” McKeown said that “without authorization” is “an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission.” The question that legal scholars, groups such as the Electronic Frontier Foundation, and dissenting judge Stephen Reinhardt ask is an important one: Authorization from who? [Motherboard] [Reuters]

WW – D-Link Camera Vulnerability Found in Other Devices

A vulnerability initially detected in D-Link wireless IP surveillance cameras is now known to affect as many as 400,000 devices, because the flawed software component was used in other D-Link devices. D-Link was notified of the issue by researchers; the company performed its own analysis of its devices and determined that 120 different products contain the vulnerable component. The flaw allows attackers to take control of the administrator account on the devices. There is currently no patch available. [ SANS ISC InfoSec Forums: Pentesters (and Attackers) Love Internet Connected Security Cameras! | SC Magazine: D-Link flaw affects 400,000 devices | The Register: 414,949 D-Link cameras, IoT devices can be hijacked over the net]

WW – Home Entertainment, Health Care Tools’ Security Ranks Most Vulnerable

Recent studies have found that while consumers are concerned with the overall costs and privacy implications of Internet of Things devices, security professionals have identified specific technologies as most vulnerable to attack. A survey by Lastline found that home entertainment systems, health care-related tools, and connected cars were among the top-ranking devices that troubled IT analysts the most. “The very nature of hacking dictates that people will find the new and innovative hacking targets, such as hacking into toys, smart TVs and refrigerators which are seemingly harmless, and try and compromise them — simply because they can,” said Lastline’s Brian Laing. “IoT presents one of those unchartered territories.” [MediaPost]

US – HHS Publishes HIPAA, Ransomware Fact Sheet

The Department of Health and Human Services has released a fact sheet on ransomware and HIPAA, noting that adhering to the rule’s requirements can help businesses prevent and recover from a data-hostage situation. Under HIPAA, “some of these required security measures include implementing a security management process, which includes conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information and implementing security measures to mitigate or remediate those identified risks,” the report states. HIPAA’s data backup requirements are also helpful should a ransomware occur, the fact sheet adds. Meanwhile, Becker’s Health IT and CIO Review reports that June was the worst month so far for hospital breaches in 2016, with more than 11 million patient records compromised. [Fact Sheet: Ransomware and HIPAA]

Surveillance

UK – 15 Secretive Orders ‘Allow Spy Agencies to Collect Communications Data’

A new report published by the Interception of Communications Commissioner’s Office (IOCCO) disclosed that there were a total of 23 “extant” section 94 directions within the scope of its oversight. They were all given by the Home Secretary or Foreign Secretary at various times between 2001 and 2016 on behalf of MI5, GCHQ, the three intelligence agencies collectively – MI5, GCHQ, and MI6 – or the Metropolitan Police’s counter-terrorism command. Fifteen of the directions relate to the acquisition of bulk communications data, while t he remaining eight directions relate to the provision of services in emergencies, for “civil contingency purposes” or to help agencies in safeguarding the security of their personnel and operations. [Source]

EU – Police Scotland to Dump Millions of ANPR Records Over Privacy Fears

A freedom of information request made earlier this year revealed that Police Scotland kept records of every recorded vehicle movement dating back to 2012, even though data protection rules prohibit forces from keeping records that are not linked to criminal activity being kept for longer than two years. Now a trove of official documents on ANPR published by The Ferret shows that senior officers were aware that they could be breaking data protection rules by retaining ANPR records as early as 2013. [The Ferret] [ANPR records retained by Police Scotland ]

Telecom / TV

EU – Vodafone Customers Exposed to Potential Privacy Breach

The Data Protection Commissioner of Ireland will look into an alleged Vodafone breach after users discovered that anyone with knowledge of their phone number can check their balance without passing through security controls. Vodafone maintains that the service is both acclaimed and unproblematic. The company “does not view this as a data protection breach on the basis that the balance given is not identifiable personal data,” Vodafone said in a statement. “The privacy of Vodafone’s customers is afforded the highest priority and the company continuously seeks feedback from our customers on the services we provide as well as regularly reviewing the IVR (interactive voice response) functionality.” [Independent.ie]

US – FCC Rules Government Can Make Robo-Calls

A ruling from the Federal Communications Commission clarified that federal government employees and their contractors are exempt from robo-call regulations. The regulations specifically prevent “persons” from making the calls, defined as “an individual, partnership, association, joint-stock company, trust, or corporation.” The FCC felt that the U.S. government does not fit in those categories, and was therefore free to make these calls until the law changes to specifically prohibit them. “The implications of the decision could be far-reaching,” the report states. “It validates the ability of federal agencies to perform surveys and polls on the effectiveness of their programs. … It also affirms the ability of contractors to make robo-calls to inform people of their Social Security benefits.” [The Washington Post]

US – Federal Judge Rules Automated Calls Can Cause Harm, Cites Spokeo

A West Virginia federal judge ruled the plaintiff accusing Got Warranty Inc., N.C.W.C. Inc. and Palmer Administrative Services Inc., of violating the Telephone Consumer Protection Act can move forward with her lawsuit. U.S. District Judge John Preston Bailey cited the Spokeo decision in the ruling, saying Diana Mey’s suit against the companies proved she suffered both tangible and intangible harm. Mey alleges the companies sent her numerous automated phone calls causing her harm in the form of lost battery life, lost phone minutes, and the “intrusion upon and occupation of the capacity of the consumer’s cellphone,” said Bailey. [Law 360]

US Government Programs

US – OMB Leadership Mandates Breach-Response Contracts

According to a memo issued by Office of Management and Budget Chief Acquisition Officer Anne Rung, all government agencies providing credit monitoring and identity theft protection must contract via the General Services Administration’s Identity Monitoring Data Breach Response and Protection Services blanket purchase agreement. “Taking advantage of the IPS BPAs ensures agencies can meet their needs for expeditious delivery of best-in-class solutions from pre-approved and vetted companies at competitive pricing,” Rung wrote. “For these reasons, the IPS BPAs shall be treated as a preferred source for federal agencies.” This would help avoid violation of federal laws, as the inspector general said the Office of Personnel Management did after “choosing the wrong contract vehicle” in the wake of its 2015 breach, the report states. [Federal Times]

US – NSA Labels Privacy-Centric Internet Users as Extremists

The NSA is not making any friends these days, and their latest statement on privacy-centric journalists is not helping matters much either. To be more precise, an investigation by the agency revealed how they are continuing to target the Tor network. Moreover, The Linux Journal is referred to as an “extremist forum”. Quite a strong sentiment, and possibly completely misguided as well. [The Merkle]

US Legislation

US – Ohio Bill Would Provide Privacy Exemptions for Releasing Police Body Cam Videos

The bill introduced by Rep. Niraj Antani, a Miamisburg Republican, maintains that camera videos are public records but adds exemptions to address privacy concerns. Body camera use has proliferated in recent years as have the legal issues surrounding their public release. Antani said he’s not aware of any Ohio cases where privacy was invaded on body camera video, but that lawmakers should be proactive considering more police departments are using them. [Source]

Workplace Privacy

US – Employees Express Workplace Wearables, BYOD Security Concerns

A Tech Pro Research survey found that while mobile devices are nearly universally used in the workplace, not all employees feel their devices are completely secure, ZDNet reports. The respondents expressed specific concern over wearables’ security. “Only 57% of respondents said their companies require user IDs and passwords, and less than a quarter used data encryption or device management software,” the report states. Bring-your-own-device security was also called into question. While 76% of respondents’ employers allowed the practice, “IT departments are still divided about supporting these devices,” the report adds. [Full Story]

WW – Business Travellers Putting Organisations’ Cyber-Security at Risk

Business travellers are more likely to be targeted for their access to private and corporate data than be mugged, according to a new report. A survey by Kaspersky Lab of 11,850 people from across Europe, Russia, Latin America, Asia Pacific and the US found that the pressure from work to get online is clouding the judgment of business travellers when connecting to the internet. It said that three in five (59%) of people in senior roles say they try to log on as quickly as possible upon arrival abroad because there is an expectation at work that they will stay connected. The research also found that 47% think that employers, if they send staff overseas, must accept any security risks that go with it. Almost half (48%) of senior managers and more than two in five (43%) of mid-level managers use unsecure public access Wi-Fi networks to connect their work devices when abroad. At least two in five (44% and 40%, respectively) use Wi-Fi to transmit work emails with sensitive or confidential attachments. One of the main reasons for business travellers acting the way they do on business is down to a widely held assumption that their work devices are inherently more secure than private communications tools, regardless of their connectivity. Two in five (41%) expect their employers to have set strong security measures. This is most pronounced among business leaders (53%) and mid-level executives (46%). One in five (20%) senior executives admit to using work devices to access websites of a sensitive nature via Wi-Fi – compared to an average 12%. One in four (27%) have done the same for online banking – compared to an average 16%. Kaspersky Lab said that the report showed that cyber-crime is a real hazard while traveling and employees are putting confidential business information at risk. [Source]

+++

 

25 June – 04 July 2016

Big Data

WW – Perspectives on Big Data, Ethics, and Society

A white paper has been published from the Council for Big Data, Ethics, and Society. The paper consolidates conversations and ideas from two years of meetings and discussions and identifies policy changes that would encourage greater engagement and reflection on ethics topics. It also indicates a number of pedagogical needs for data science instructors; explores cultural and institutional barriers to collaboration between ethicists, social scientists and data scientists in academia and industry around ethics challenges; and offers recommendations geared toward those who are invested in a future for data science, big data analytics, and artificial intelligence guided by ethical considerations along with technical merit. [Full Story]

US – What Algorithmic Injustice Looks Like in Real Life

Courtrooms across the nation are using computer programs to predict who will be a future criminal. The programs help inform decisions on everything from bail to sentencing. They are meant to make the criminal justice system fairer — and to weed out human biases. ProPublica tested one such program and found that it’s often wrong — and biased against blacks. (Read our story.) We looked at the risk scores the program spit out for more than 7,000 people arrested in Broward County, Florida in 2013 and 2014. We checked to see how many defendants were charged with new crimes over the next two years — the same benchmark used by the creators of the algorithm. Our analysis showed:

  • The formula was particularly likely to falsely flag black defendants as future criminals, wrongly labeling them this way at almost twice the rate as white defendants.
  • White defendants were mislabeled as low risk more often than black defendants. [Source]

Canada

CA – Ontario IPC Releases 2015 Annual Report

The Information and Privacy Commissioner of Ontario has published his 2015 annual report. Commissioner Brian Beamish has made four overarching suggestions for the year ahead. They include expanding the jurisdiction of established privacy laws, creating order-making power for privacy complaints, review address changing technologies, and enacting “mandatory proactive disclosure of identified categories of records.” He also recommended updating FIPPA and MFIPPA. “A public review and update of the acts will ensure greater transparency and accountability of government institutions, meet the growing expectations of the public and ensure that Ontarians benefit from the same access and privacy rights as other Canadians.” [IPC]

CA – Nova Scotia Still Missing Key Privacy Protections Says Annual Report

Nova Scotia’s information and privacy commissioner says the province needs a statutory duty to report breaches of individual privacy. Commissioner Catherine Tully published her office’s annual report on Nova Scotia’s access to information and protection of privacy laws. It found that personal information held by public bodies was “likely breached between 10 and 154 times” over the last year. Tully writes that her office is notified of minor breaches of privacy, but not major ones, and she’s “increasingly concerned” about those breaches that go unreported. The privacy office claims the number of minor breaches of private health information increased 75% this past year. It’s currently impossible to determine if there was an equal increase in major breaches. According to the annual report, there was also a 41% increase in new cases for the OIPC over this past year, along with a jump of 569% (from four to 58) in external consultations about file requests. Despite the heavier workload, the office boasts that it’s resolved 10% more complaints than 2014/15, with an average turnaround time of 65 days. [The Coast] [Global News] [Nova Scotians need better notification of privacy breaches, report says]

CA – PC Says Saskatchewan Health Care Laws Need Revisions: Annual Report

The Office of the Saskatchewan Information and Privacy Commissioner released its 2015-2016 Annual Report “Striking a Balance“. Saskatchewan Privacy Commissioner Ronald Kruzeniski recommended updates to the province’s 2003 Health Information Privacy Act in his 2015-2016 annual report. The health care law currently does not regulate post-breach patient notification, an omission Kruzeniski finds problematic. He further emphasized that “the act should also specify how long personal health information should be retained.” [Global News] [Sask. health minister considering beefing up privacy rules]

CA – Manitoba OIPC Releases Annual Report

Manitoba’s Ombudsman issued its 2015 Annual Report relating to the Freedom of Information and Protection of Privacy Act, the Personal Health Information Act, and the Public Interest Disclosure (Whistleblower Protection) Act. [Source]

CA – Drew McArthur Named British Columbia’s Acting Commissioner

Drew McArthur has been named acting information and privacy commissioner for British Columbia. McArthur will be taking the role vacated by Elizabeth Denham, who will be taking over the role of U.K. Information Commissioner from Christopher Graham. McArthur had served for six years on the Office of the Information and Privacy Commissioner’s external advisory board, while helping develop and install the privacy policy for Telus as its chief compliance officer. [Castanet]

E-Government

UK – Government Websites Must Switch to HTTPS with HSTS

All UK Government Digital Services websites will be required to adopt HTTPS encryption by October 1, 2016. The sites will also be required to use HTTP Strict Transport Security (HSTS) to protect them from downgrade attacks, and to publish a Domain-based Message Authentication, Reporting, and Conformance (DMARC) policy for email systems. [V3: GDS to demand that all government websites go HTTPS from 1 October | Tom’s Hardware: UK Government Websites To Be Secured By HTTPS, HSTS, DMARC By October 2016 | GDS Guidance (February 2016): Domain-based Message Authentication, Reporting and Conformance (DMARC)]

Encryption

US – House Encryption Report Says No Current Bills Appropriate Solution

The House Subcommittee on Homeland Security released a report that states no current bills in Congress appropriately address the current encryption-government access issue. The report was based on “more than a hundred meetings” with privacy advocates, technologists, cryptographers and law enforcement. Though it does not present a way forward, it does reject the viability of all current bills, including the controversial Burr-Feinstein bill. The Subcommittee published a “primer” regarding the encryption debate in the legislature. The paper is based on “extensive discussions with stakeholders,” and says that no legislation yet proposed adequately addresses the issue, noting that “Lawmakers need to develop a far deeper understanding of this complex issue before they attempt a legislative fix,” the report states. [Wired] [Wired: Even Congress Is Slamming That Crummy Crypto Bill | US House: Going Dark, Going Forward: A Primer on the Encryption Debate] See also: [Pending Russian Legislation Would Require Companies to Decrypt Communications]

EU Developments

EU – New US-EU Data Transfer Agreement Expected to Win Approval

The New York Times reports that the EU is expected to approve the new draft of the US-EU Privacy Shield data transfer agreement. The new framework, developed to replace the Safe Harbor agreement that the European Court of Justice struck down last year, “protects the fundamental rights of Europeans and ensures legal certainty for businesses,” according to European Commission spokesman Christian Wigand. The absence of an agreement has left US companies in limbo regarding European customer data. In early June, the Hamburg (Germany) Data Commissioner fined three companies for using the defunct Safe Harbor agreement to transfer European customer data to the US. While agreement may have been reached, a number of hurdles stand in the way of passage. The first is that each of the member states of the EU have to pass the agreement. From there it will then be passed on to the College of Commissioners who will then validate the adequacy of the agreement. [New York Times: Europe Is Expected to Approve E.U.-U.S. Data Transfer Pact | Reuters: German privacy regulator fines three firms over U.S. data transfers] and European Commission sends new Shield to Article 31, vote expected this week.

EU – Belgian DPA Loses Privacy Case Against Facebook

The data protection authority in Belgium has said it lost its privacy case against Facebook. The Belgian DPA wanted the social network to stop tracking non-users of Facebook in Belgium who go to Facebook pages. Facebook has argued the so-called datr cookie is a security measure. A spokeswoman for the Belgian Privacy Commission said the case was dismissed by the Brussels Appeals Court because the regulator does not have jurisdiction over Facebook. The company’s European headquarters is located in Ireland. [Reuters]

UK – Christopher Graham Says Goodbye to ICO in Final Annual Report

Outgoing U.K. Information Commissioner Christopher Graham spoke highly of the agency in the last year as its head in his final annual report. “We have delivered on our objectives, responded to new challenges and prepared for big changes, particularly in the data protection and privacy field,” said Graham, who also discussed the agency’s work handling data breaches and other privacy violations. “The ICO also took part in the debate on surveillance and security and the Investigatory Powers Bill. And, in its responses following the Schrems judgment, with all the implications for trans-Atlantic data flows, the ICO’s influential counsel helped to avert a meltdown,” said Graham. The departing information commissioner also bid farewell on the ICO’s YouTube page, while calling the upcoming months and years ahead an exciting time for his successor, Elizabeth Denham. [Computer Weekly]

Facts & Stats

WW – Study: More Than 50% of SMBs Suffered Breaches Within Last Year

Security organization Keeper Security released the results of a study it conducted with Ponemon Institute on the rate small- and medium-sized businesses are hit with data breaches. The survey found more than 50% of SMBs suffered a breach within the last 12 months, and only 14% of the organizations polled felt their ability to stop attacks are highly effective. Phishing and social engineering attacks were the most common types of incidents, and while anti-virus software was deemed useful, companies felt they could not count on them to stop breaches. “Cyberattack prevention is now everyone’s responsibility,” said CEO of Keeper Security. “As both frequency and size of data breaches increases, SMBs must face the reality that a material adverse financial impact on their business is a real possibility.” [Market Wired]

Finance

WW – World-Check Terrorism Database Leaks Online

A financial crime database used by banks has been leaked on to the net. World-Check Risk Screening contains details about people and organisations suspected of being involved in terrorism, organised crime and money laundering, among other offences. Access is supposed to be restricted under European privacy laws. But the database’s creator, Thomson Reuters, has confirmed an unnamed third-party has exposed an “out of date” version online. The leak was discovered by security researcher Chris Vickery and made public by the Register, which reported it contained more than two million records and was two years old. “There was no protection at all. No username or password required to see the records,” Mr Vickery told the BBC. [BBC News]

FOI

CA – Ontario Doctors Challenge Ruling That Would Identify Top OHIP Billers

The Ontario Medical Association (OMA) is seeking to overturn a landmark decision by the province’s privacy commissioner to release the names of top-billing doctors. In addition, a group of about 40 doctors and one physician acting alone who are on the list have made separate applications for a judicial review of an order from the privacy commissioner to release to the Toronto Star the identities of the top 100 billers. The three parties filed applications this week with the province’s divisional court to quash the ruling made June 1 by the Information and Privacy Commissioner of Ontario. In seeking a judicial review of Higgins’ decision, the OMA, which represents the province’s 29,000 doctors, is arguing that it is not in keeping with previous rulings by the commissioner. “We continue to advocate that this is personal information and, without the proper context, OHIP billings will be misconstrued as income, which is false,” OMA president Dr. Virginia Walley said in a written statement. “OHIP billings do not provide insight into the number of hours doctors work, the complexity of care they provide to patients, or the overhead costs they bear in order to staff, equip and run their clinics.” Among the organization’s other arguments: the ruling is incorrect and/or unreasonable, the adjudicator failed to consider submissions from doctors, and the ruling was made without proper legal or factual bases. The two other physician parties are making similar arguments. They are asking the courts for a special order permitting them to proceed with the judicial review without their identities being made public. The physician acting alone, described only as “Dr. A.B.,” also argues that he was never informed about the case by the privacy commissioner even though he is among the top billers. He was never given the opportunity to argue his case, unlike other affected doctors, his application states. [Toronto Star]

CA – OIPC BC Finds Public Body Must Disclose Internal Investigative Information

The Office of the BC Information and Privacy Commissioner reviewed a decision by the Independent Investigations Office to deny access to records requested pursuant to the Freedom of Information and Protection of Privacy Act. Disclosure of the information would not harm the effectiveness of investigative techniques and procedures used; techniques used are obvious and clearly known to the general public (employee interviews and examining electronic equipment), and other information withheld was administrative (e.g. details about scheduling, general protocol and procedures, non-sensitive information about investigations the requestor was working on when employed by the public body). [OIPC BC – Order F16-28 – Independent Investigations Office]

Health / Medical

CA – Education Key to Preventing Medical Record Snooping: Commissioner

The latest case of medical record snooping uncovered in Ontario — in which at least six Mississauga patients had their files probed — highlights the ongoing challenge to protect patient privacy in the digital age, the province’s privacy commissioner says. Since formally assuming the role in 2015 — in the midst of controversies over a spate of snooping incidents of patient record across the province — Ontario privacy commissioner Brian Beamish has emphasized stiffer punishments for what he calls “higher-end cases.” That’s why five of the six snooping cases that have ever been referred to the attorney general for breaking the province’s health privacy legislation have occurred on Beamish’s watch, he said. “Snooping was a continuing, recurring problem, and we started to think: what else can we do to reinforce that this is unacceptable?” Beamish told the Star in an interview. On Monday, the College of Physicians and Surgeons of Ontario held its first-ever disciplinary hearing for one of its members accused of snooping. Dr. Douglas Brooks, a general practice physician in Sault Ste. Marie, was found to have improperly probed the electronic medical records of two non-patients several times, college spokesperson Kathryn Clarke said in an emailed statement. Brooks had his college certification suspended for five months, must participate in medical ethics training, and was ordered to pay $5,000 in costs for the hearing, Clarke said. There are three more discipline hearings scheduled in the coming months for alleged snooping by other doctors. [The Star]

US – States Pass Laws Requiring Dependents’ Care Remain Confidential

Several states have passed laws and regulations ensuring medical communications for dependents remain confidential. With the Affordable Care Act allowing young adults to remain on their parents’ insurance until they are 26, policyholders can receive notices from insurers every time their child gets medical care. California, Colorado and other states are starting to fill in gaps not covered by HIPAA requiring insurers to keep those encounters private for the patients’ safety. “There’s a longstanding awareness that disclosures by insurers could create dangers for individuals,” said Center for Adolescent Health and the Law Director Abigail English. “But there was an added impetus to concerns about the confidentiality of insurance information with the dramatic increase in the number of young adults staying on their parents’ plan until age 26.” [Kaiser Health News] [US: States Offer Privacy Protection For Young Adults On Parent’s Health Plan]

Horror Stories

WW – List of ‘Heightened-Risk Individuals’ Not Secure Enough, Researcher Says

Security researcher Chris Vickery has discovered a global terror watchlist containing more than 2.7 million entries of “heightened-risk individuals.” Vickery found the list on a server “configured for public access,” making the sensitive information too easy to investigate, he said. “If governments and banks are going to alter lives based upon information in a database like this, then there needs to be some sort of oversight,” Vickery added. There’s also the issue of data revision or deletion. “Those who are named in the database have little or no recourse to have their data corrected or removed,” the report adds. [ZDNet] [ZDNet: A massive financial crime and terrorism database has leaked]

Identity Issues

CA – Trudeau Says Canada Will Explore Gender-Neutral ID Cards

Canada is exploring the use of gender-neutral options on identity cards, Justin Trudeau told a television station as he became the first Canadian prime minister to march in a gay pride parade. Trudeau, who participated in the downtown Toronto parade along with other politicians, did not give details, saying only the government was exploring the “best way” and studying other jurisdictions. Last week, the Canadian province of Ontario said it would allow the use of a third gender indicator, X, for driver’s licenses, which are commonly used in North America to provide identification. Countries including Australia, New Zealand and Nepal already allow the use of the X gender indicator. [Source] [Fake fingerprints: The latest tactic for protecting privacy]

US – FOIA Improvement Act Becomes Law

President Obama has signed the Freedom of Information Act Improvement Act into law. It “codifies a statutory presumption of openness,” clarifying the need for agencies to justify their decision to withhold information rather than placing the burden of justification on the entity making the request. The bill also places a 25-year limit on the length of time agencies may keep internal deliberations confidential, and it requires the Office of Management and Budget (OMB) to create a single-access website for making FOIA requests. [SC Magazine: Obama signs FOIA reform bill into law | Federal News Radio: Obama celebrates 50th anniversary of FOIA by signing update into law | White House: Fact Sheet: New Steps Toward Ensuring Openness and Transparency in Government]

Law Enforcement

EU – Disgruntled Ex-Employee Leaks Info On 112,000 Police Officers

A file containing the home addresses and telephone numbers of 112,000 French police officers was uploaded to Google Drive with minimal protection. The data’s only means of protection was a “simple password,” and an investigation has been launched to determine if the compromised data was accessed. The data reportedly originated from a health and benefit insurance firm tied to the police and was uploaded by a disgruntled ex-employee in what is described as “an act of revenge.” The situation comes after French police work to implement extra privacy measures for their officers following the murder of a police officer by an ISIS jihadi in early June. [International Business Times]

Location

WW – Location Data Can Help Facebook Make Friend Suggestions

Facebook’s “People You May Know” feature now uses location data in addition to other features to suggest potential connections on its mobile app. If users have their Facebook app location settings switched to “always have access,” the company’s algorithms can identify and suggest users who have shared GPS and network connections as potential friends. Not everyone is comfortable with the practice. “Using location data this way is dangerous,” said Samford University’s Woodrow Hartzog. “People need to keep their visits to places like doctor’s offices, rehab and support centers discreet.” Facebook countered that location isn’t the sole factor in its suggestion process. “That’s why location is only one of the factors we use to suggest people you may know,” a Facebook representative said. [Fusion] [Facebook admits to using your location to suggest friends]

Online Privacy

US – Google Beats Children’s Web Privacy Appeal, Viacom to Face One Claim

Google and Viacom defeated an appeal in a nationwide class action lawsuit by parents who claimed the companies illegally tracked the online activity of children under the age of 13 who watched videos and played video games on Nickelodeon’s website. By a 3-0 vote, the 3rd U.S. Circuit Court of Appeals said Google, a unit of Alphabet, and Viacom were not liable under several federal and state laws for planting “cookies” on boys’ and girls’ computers, to gather data that advertisers could use to send targeted ads. The court also revived one state law privacy claim against Viacom, claiming that it promised on the Nick.com website not to collect children’s personal information, but did so anyway. Monday’s decision largely upheld a January 2015 ruling by U.S. District Judge Stanley Chesler in Newark, New Jersey. It returned the surviving claim to him. [Source]

US – Browse Free or Die? New Hampshire Library Is at Privacy Fore

A small library in New Hampshire sits at the forefront of global efforts to promote privacy and fight government surveillance—to the consternation of law enforcement. The Kilton Public Library in Lebanon, a city of 13,000, last year became the nation’s first library to use Tor, software that masks the location and identity of internet users, in a pilot project initiated by the Cambridge, Massachusetts-based Library Freedom Project. Users the world over can—and do—have their searches randomly routed through the library. [Source]

Other Jurisdictions

AU – Victorian Watchdog Develops Protocols for Agencies

Victorian Commissioner for Data and Privacy Protection David Watts has established regulations that would require agency heads to adhere to a minimum standard of data protection principles. The rules, dubbed the Victorian Protective Data Security Framework require agencies to have “a formal incident management plan; an organization-specific security management framework; and an access management regime,” among others. The rules also give the commissioner’s office “free and full access to data or data systems when requested.” [iTnews]

Privacy (US)

US – ACLU Files Legal Challenge to Computer Fraud and Abuse Act

The ACLU has filed a lawsuit challenging the Computer Fraud and Abuse Act (CFAA) on behalf of journalists, computer scientists, and academic researchers investigating online discrimination. The lawsuit focuses on a problematic CFAA provision: the prohibition against “exceeding authorized access” has often been interpreted to include violations of websites’ terms of service. [Washington Post: Does this cybercrime law actually keep us from fighting discrimination? | Computerworld: ACLU lawsuit challenges U.S. computer hacking law | Wired: Researchers Sue the Government Over Computer Hacking Law | CNET: ACLU sues to kill decades-old hacking law | SC Magazine: ACLU suit challenges CFAA for thwarting studies on discrimination | ACLU: ACLU Challenges Law Preventing Studies on ‘Big Data’ Discrimination | ACLU: SANDVIG V. LYNCH – COMPLAINT]

US – CDT Criticizes DHS’ Cyber-Threat Sharing Model

The Center for Democracy and Technology criticized the Department of Homeland Security’s cyber-threat sharing model. “The guidance fails to address many of the foundational issues in the law itself, and we remain concerned that [the Cybersecurity Information Sharing Act] will result in the sharing of sensitive personal information [that] could then be used for purposes that go far beyond ‘cybersecurity,’” the CDT said in a report. The CDT was highly critical of the four DHS guidelines for private organizations to share cyber-threat indicators with the government and amongst themselves. “None of the guidelines address one baseline issue — the overly permissive ‘use’ provision that allows cybersecurity information to be shared and then used for non-cybersecurity purposes,” the CDT said. [The Hill]

Privacy Enhancing Technologies (PETs)

WW – $6.1M Raised to Fund Data Startup

Data-sharing startup Digi.me has received $6.1 million in funding from its Series A push, most of which came from global re-insurer Swiss Re. The move is “is one key plank of a strategy for bagging the critical mass of users needed to deliver on a radical rethink of how personal data is collected and shared online,” the report states. For Digi.me founder Julian Ranger, the service is about empowering each user. Digi.me is “bringing data together for the individual and we were doing it on the individual’s own devices — which is the key thing for Digi.me is that we don’t see, touch, nor hold any data ever; it’s all only held by the individual — and that’s when the whole idea for [the current business vision] came about,” he said. [TechCrunch]

RFID / IoT

US – Broadband Advisory Group to Study Privacy, Security of IoT

The Broadband Internet Technical Advisory Group has announced a study on the technical aspects to the Internet of Things industry’s privacy and security. The multistakeholder nonprofit will study mobile phones, computers, tablets and other devices. “To address the technical issues underlying these security- and privacy-related concerns, BITAG’s technical working group will analyze this topic and issue a report that will describe the issue in-depth, highlight technical observations, and suggest appropriate best practices,” the group said in a statement. The BITAG aims to release the results of the study in the fall, the report states. [Broadcasting & Cable]

Security

WW – 67% of Drives for Sale Still Contain Sensitive Data: Study

Security organization Blancco Technology Group (BTG) found that 67% of 200 analyzed hard drives purchased from eBay and Craigslist still contained previous users’ personally identifiable information. An additional 11% contained “sensitive corporate data.” Companies must “test that [their] deletion methods are adequate,” said BTG. “Remaining data can still be accessed and recovered unless the data is securely and permanently erased.” This can lead to data breaches, loss of consumer trust, and even enforcement action. The U.K. ICO fined the Brighton and Sussex University Hospitals NHS Trust 325,000 GBP in 2012 for selling unclean drives online. [InfoSecurity]

Surveillance

US – Courts 2015 Wiretap Report

According to the US Courts 2015 Wiretap Report, the total number of federal and state wiretaps issued in 2015 was 4,148, a 17% increase from the number granted in 2014. No requests were reported as denied in 2015. While law enforcement encountered encryption in just 13 of those cases, the FBI indicated that it does not seek wiretap orders in cases where it knows it will encounter encryption. The report does not include wiretap requests made to the Foreign Intelligence Surveillance Court. [Encryption, wiretaps and the Feds: THE TRUTH | US courts didn’t reject a single wiretap request in 2015, says report | Wiretaps harvest fewer encrypted communications | Wiretap Report 2015]

UK – Surveillance Bill Web Activity Logging a Huge Risk to Privacy, Peers Warn

A former senior chief in the U.K.’s Met Police and now a Lib Dem peer in the House of Lords has warned about major risks to the privacy of web users’ personal data from a provision in the Investigatory Powers bill that would require ISPs to retain information on the websites and services accessed by their users for a full 12 months — so called Internet Connection Records (ICRs). Lord Paddick noted that the provision is not being requested by the security services, who have additional investigatory tools to obtain the data they need, so is purely a power on the police’s wish-list — going on to argue that the catch-all nature of ICRs is disproportionate given the warrantless access the bill affords police to this personal data on all U.K. web users. Any “reasonably high-profile individual” could be at risk of being accused of a crime they did not commit — resulting in their entire personal web access history being handed over to the police, Paddick argued. The draft bill has still to go through committee and report stages, so is certain to be subject to further amendments. Lib Dem peers are certainly mounting a concerted effort to tackle some of the more controversial elements of the bill, with Lord Strasburger also speaking out against ICRs, noting that a similar move was abandoned in Denmark in 2014 and warning the bill creates a “new theft risk” for internet users. Other elements concerning the Lib Dem peers at this stage include threats to privileged communications, such as between lawyers and their clients; so-called “request filters,” which imply a behind the scenes attempt by the government to build a searchable database of citizen data (including pulling in data from ICRs); the “vexed question” (as Strasburger put it) of bulk powers — currently under independent review by QC David Anderson, which was another concession pushed for by the Labour party; inconsistencies in authorization mechanisms for intercept warrants; and the need to ensure judicial commissioners, who are set to approve and review warrants, are rigorously independent of the government that appoints them. Strasburger also pointed to the current turmoil in the U.K. political landscape following the Brexit vote, noting “how quickly ruthless politicians can replace leaders” and warning of associated risks to freedom and democracy if such intrusive legislation passes onto the statute books unamended. “In the hands of an extreme government the IP bill is a toolkit for tyranny,” he warned. [techcrunch.com]

Telecom / TV

CA – 911 System Framework Should Limit Info Required for Communications

The OPC comments on the CRTC’s Notice of Consultation regarding a regulatory framework for next-generation 911. Existing policy states that individuals’ name, location, telephone number, and service class are provided for responding to calls; however other information will likely be collected (e.g. health information, voice and location information, personal medical alert systems, and intelligent transportation systems), and there should be boundaries to limit information required, and how the information is accessed. [OPC Canada – Establishment of a Regulatory Framework for Next-Generation 911 in Canada – Submission to the CRTC]

WW – Norton Releases New App Protecting Data Over Public Wi-Fi Networks

FREE Wi-Fi is no different to a filthy public toilet, water fountain or payphone. That’s according to antivirus firm Norton, which has released a new app designed to stop hackers from stealing users’ private information over unsecured Wi-Fi. According to Norton, more than one quarter of Australians have accessed banking or financial information while using public Wi-Fi — but most people can’t tell the difference between a secure and unsecure connection. The firm says hackers are eavesdropping and intercepting consumer information regularly, but 63% of Australians think their data is protected. Commonly available tools can easily see traffic, potentially exposing passwords, emails, social media accounts, photos, videos and financial information. The Norton Wi-Fi Privacy app, launched globally this week for iOS and Android, is designed to protect that data by routing all traffic through a virtual private network (VPN). It will also block advertisers from placing tracking cookies on your device. [news.com.au] [Yahoo] [Norton launches privacy app to combat hackers]

US Government Programs

US – FTC Closes 70% of Its Security Investigations

During a Heritage Foundation discussion on federal online data security regulations, Federal Trade Commission Commissioner Maureen Ohlhausen said her agency closes approximately 70% of the security investigations it opens. “The touchstone of our data security is reasonableness,” Ohlhausen said. “A company’s data security measures must be reasonable, in light of the sensitivity and volume of the consumer information it holds, the size and complexity of its data operations, and the cost of the available tools to improve security and reduce vulnerabilities.” Ohlhausen said the FTC doesn’t investigate companies over a single flaw, but rather, it investigates companies that have major issues with their overall security programs. If a company’s security is “reasonable, or even good,” she said, the investigation can be wrapped up quickly if the company resolves the issue in a timely manner. [FedScoop]

 

 

18-24 June 2016

Biometrics

WW – IBIA Approves New Facial Recognition Best Practices

The International Biometrics + Identity Association voiced its approval of a new set of facial recognition best practices. The guidelines were created by the Department of Commerce’s National Telecommunications and Information Administration, and have been hailed by the IBIA as a flexible guideline for numerous applications of the technology, including authentication and social media. “The clear benefits of facial recognition technology come with a responsibility to users and consumers,” said IBIA Managing Director Tovah LaDier. “These privacy best practices will help to assure the public that facial recognition is being used responsibly and accountably. They also demonstrate the strong commitment of the industry to protecting the public’s privacy, even as new technologies and applications emerge.” [Planet Biometrics] [NTIA group agrees on face recognition code of conduct]

Canada

CA – The OPCC has Released Its Annual Report for 2015-2016. [Source]

CA – PI Contained in Public Court or Tribunal Decisions is Publicly Available Information: OPC

The Office of the Privacy Commissioner investigated a complaint about an online legal database pursuant to PIPEDA. The OPC dismissed a complaint alleging an online legal database unlawfully published an individual’s PI by publishing a court decision about her; the PI appeared in a public judicial document for which there was no publication ban, and the company’s subscription-based research tools and services do not undermine the balance between privacy and the open courts principle. [OPC Canada – PIPEDA Report of Findings #2015-013 – Online legal database doesn’t need consent to use publicly available court decisions, in support of the open court principle]

CA – Decision Provides Rare Insight on the Applicability of RTBF in Québec

On April 14th, 2016, the Commission d’accès à l’information (the “CAI”) issued a decision discussing the relevance of the “right to be forgotten” with regards to the “right to rectification” found in the Act Respecting the Protection of Personal Information in the Private Sector, CQLR, c. P-39.1. The CAI interestingly noted that a person’s right to rectification with respect to inaccurate, incomplete or equivocal information is distinct from the “right to be forgotten.” This right, which is recognized in the European Union, allows individuals to stop search engines from providing links to information about them that is deemed “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes of the processing at issue.”  As a result of this decision, it is now clear that the right to be forgotten is irrelevant to the examination of the right to rectification, as the two rights are different, both conceptually and practically. [Source]

CA – Therrien to Trudeau: Government Privacy Law Outdated

In a letter to Prime Minister Justin Trudeau, Privacy Commissioner Daniel Therrien warns that without renewal, protections under Canada’s Privacy Act “are proving to be increasingly out of touch with Canadians and their engagement with the digital world.” The act, which governs federal government data handling, was passed in 1983 and no substantial changes have been made to it since, reports The Star, even while advances in technology have dramatically changed the way government does business. A representative for the prime minister says the issue is a priority and they “are committed to working with the commissioner on an active and ongoing basis,” noting the minister of justice is reviewing the recommendations. [Source]

CA – BCCLA Says Warrantless Spying on Canadians Must End

In the latest step in a court case launched in 2013, the British Columbia Civil Liberties Association is asking the federal court to allow access to government documents that would shed light on the surveillance activities of the Communications Security Establishment. Specifically, the BCCLA objects to the warrantless collection of information on Canadian citizens, and points to recent data mishandling by the CSE as part of its participation in the Five Eyes program with Australia, New Zealand, the U.K. and the U.S. “The CSE is engaged in what is surely one of the largest warrantless activities directed at Canadians,” the BCCLA Litigation Director Grace Pastine told On the Coast guest host Michelle Eliot. [CBC News]

CA – Federal Court Finds Individual’s Request for Review of OPC Report Misdirected

The Federal Court hears E.W’s request for review of the findings of the Privacy Commissioner of Canada in response to her privacy complaint against the Department of Human Resources and Skills Development Canada. The OPC (after an investigation of the individual’s complaint of alleged improper collection of personal information without her consent) could not reach a finding, since 12 years had passed since the alleged collection, and the file retention period for the information had elapsed; the individual was provided opportunity to make submissions, all relevant evidence was investigated by the OPC, and the individual’s grievance lies with the institution that collected the data, not the OPC. [E.W. v. Privacy Commissioner of Canada – Federal Court – 2015 FC 1420]

CA – Proposed Manitoba Bill to Protect Kids Draws Privacy Criticism

Proposed legislation that would make it easier for Manitoba agencies and police to share information about at-risk children is raising privacy concerns. The Progressive Conservative government introduced Bill 8, the Protecting Children (Information Sharing) Act, earlier this week. The bill authorizes organizations and others who provide services to at-risk and vulnerable children to collect, use and disclose personal information or personal health information about them. The act would apply not only to children in the care of CFS or those involved in the criminal justice system, but also to those who require disability services, mental-health services, addiction services, victim services and to schoolchildren with special needs who require an individual education plan. Information could be disclosed about parents or guardians of the children.  Michelle Falk, executive director of the Manitoba Association for Rights and Liberties, said it appears the bill would give “ordinary bureaucrats” the power to make judgment calls that could have long-term implications for children in care and their families. “It gives unfettered authority to any government department, agency or the police department to share any information to any other department,” she said Thursday. [Winnipeg Free Press]

CA – Other Canadian News

Consumer

CA – New Online Tool Allows Users to Ask Companies About Their Data

A new version of a Canadian website allows individuals to contact companies to see what information they have collected. Access My Info Canada originally was created to message telecommunications companies, but the new version launched by developer Andrew Hilts now gives users the chance to reach out to companies making fitness trackers and dating apps. “This can help people answer questions if they’ve ever wondered if their cellphone provider is logging their location, or if their online dating app is ever sharing their sexual preferences,” said Hilts. Access My Info has been created to help consumers understand their rights under Canadian privacy laws, while also giving them information on what data could be compromised if a company were to suffer a data breach. [CBC News]

US – For Consumers, Injury Is Hard to Prove in Data-Breach Cases

The Wall Street Journal reports on consumer lawsuits following data breaches, and whether companies should be forced to compensate customers for attacks exposing sensitive information. Judges dismiss the majority of lawsuits spawning from major data breaches, including those in attacks against Target and Home Depot because customers have not been able to prove the breaches have caused any tangible harm. Companies argue having personal data exposed doesn’t equate to harm requiring compensation, and when stolen credit card information results in fraudulent purchases, customers often cannot prove the fraud was a result of the breach. Federal judges in Illinois and California, however, have let lawsuits proceed, possibly opening a door for corporate liability. [Wall Street Journal]

US – Privacy by the Numbers: A Deep Dive into the Structure of Privacy Policies

As researchers from the Common Sense District Privacy Evaluation Initiative analyze the correlation between the content and stylistic infrastructure of privacy policies, they have flagged “potential indicators” that they say will help them to analyze them more efficiently, the group’s Bill Fitzgerald writes. While Fitzgerald said he and his researchers “do not think we will find any direct correlation between policy structures and whether terms are good or bad,” technical elements of the policies, such as reading level, length of terms and structure, create patterns that matter. “It’s difficult to say what constitutes a ‘normal’ policy without a baseline, and the work we will be launching this summer will help create a clearer picture — supported by openly available data — of what a typical policy looks like,” he wrote. [The Journal]

E-Mail

US – Supreme Court Decision May Support Microsoft’s Position in Ireland Server Data Case

In a decision released earlier this week, the US Supreme Court wrote, “absent clearly expressed congressional intent to the contrary, federal laws will be construed to have only domestic application.” The ruling was made in a RICO (Racketeer Influences and Corrupt Organizations) Act case. While unrelated to the Microsoft case in which the company is refusing to surrender data held on a server in Ireland to US officials, the decision could provide support for Microsoft’s position that the Electronic Communications Privacy Act (ECPA) does not say that congress intended it to “reach private emails stored on provider’s computers in foreign countries.” [Computerworld: Microsoft invokes Supreme Court opinion in Ireland email case]

WW – Board Members Increasingly Targeted by Spearphishing Schemes

A growing trend is corporate boards of directors falling victim to spearphishing attacks. Board members can be hit by these schemes by receiving malicious emails that ask for tax information and bank transfer requests and sending it to another employee who handles the response. Members have lost financial statements, cybersecurity documents and intellectual property, mainly through a lack of education on identifying spearphishing emails. “Most board members use personal email accounts to handle board communications so they don’t get mixed with the emails from the companies where they work,” said Experian Information Solutions Vice President, Data Breach Resolution Michael Bruemmer. “These are less secure, and we have seen examples of these accounts having been compromised.” [CSO Online]

Encryption

US – Apple Makes Encrypted Operating System Public

In a surprising move, Apple has exposed the inner workings of its encryption-based operating system for the first time. The tech giant did not reveal whether the disclosure of its kernel was by design, but many in the security industry believe Apple made the code public in order to help locate possible security weaknesses in the software. To date, Apple has not run any bug bounty programs. The move comes after Apple’s well-publicized battle with the FBI in the San Bernardino case. By choosing to expose its software rather than starting a bug bounty program, Apple is taking a big risk, the report states. “This is a gamble,” said forensic scientist Jonathan Zdziarski. “But I can see the possible reason that Apple may have decided to make this wager.” [MIT Technology Review]

EU Developments

EU – German Court Ruling: WhatsApp Must Translate English TOS and Privacy Policy to German

German courts have ruled WhatsApp has violated the country’s Telemedia Act by forcing users to agree to the app’s terms of service in English. When the judgement is finalized, WhatsApp will be required to translate its terms of service and privacy policy into German, or face a $283,000 fine. Klaus Muller, CEO of the Federation of German Consumer Organizations, said companies make it difficult for consumers to comprehend terms of services, and WhatsApp has made it even harder for German users with the conditions written in a foreign language. The courts ruled WhatsApp’s violation stems from not allowing users to contact a German country representative if they have any questions or concerns . WhatsApp has not announced whether it will appeal the ruling. [Neurogadget]

Facts & Stats

CA – Average Cost of a Data Breach Up 12.5% Among Canadian Firms: Report

Canadian CISOs who want more hard data to convince the C-suite and boards to devote more resources to cybersecurity have a new report to show. If a study of 24 Canadian organizations is accurate, the total cost over a recent 12 month period of a breach of over 1,000 records went up 12.5 per cent compared to 2014 to just over $6 million. Another way of looking at it is the average cost per record stolen or lost went up 10.6% to $278 compared to the same period the year before. These numbers come from a study released last week by the Ponemon Institute that was funded by IBM. The costs were based upon estimates provided by participating victim organizations. The report is part of an annual global study of breaches in 13 countries (United States, United Kingdom, Germany, Australia, France, Brazil, Japan, Italy, India, the United Arab Emirates, Saudi Arabia, Canada and, for the first time, South Africa), which last year covered 383 organizations. The average cost of a breach across all those firms was US$4 million. [IT World Canada]

Filtering

UK – Mandatory Web Monitoring in Schools Opens a Slippery Can of Worms

Without Parliamentary or public discussion, children’s internet use will be monitored by third parties from September. This is despite widespread associated concerns – including choking off free speech, religious freedom, and staff feeling vulnerable – presented to the Joint Select Committee for Human Rights by experts in education and security legislation. The brief paragraph 75 in The Department for Education (DfE) “New measures to keep children safe online at school and at home“ statutory guidance Safeguarding in Schools, will impose a change from a duty ‘to consider’ web monitoring to one that ‘should ensure’ it for educational establishments, excluding 16-19 academies and free schools. The supporting advice to which the Government response points, suggests actively monitoring all screen activity during a lesson from a central console using appropriate technology as a solution, even in circumstances that suggest low risk. And that logfile information should be able to identify an individual user, and be reviewed regularly. Pro-active monitoring is suggested where alerts are managed by a third-party provider. The Department for Education’s summary response and advice however offers little practical support to school leaders how to concretely take these things into account, while still meeting human rights legislation. Without explicit clarity on the practice of monitoring personal electronic devices not owned by the school, we risk a slippery descent into schools made complicit in a privacy invasion of family life. [Schoolweek]

FOI

CA – Audit Finds Vancouver Failing to Meet FOI Deadlines, Deleting Emails

City hall has received a stern talking to from the province’s information and privacy commissioner following an audit of Vancouver’s compliance with freedom-of-information (FOI) laws. “It is clear to me there is a need for change to the approach city staff use in processing access requests,” commissioner Elizabeth Denham said in a June 23 media release. “We observed shortcomings in almost every step of the freedom of information process—from receipt of the request, to searching for records, to the timeliness of response to the applicant and the content of the response itself.” The audit, conducted by the Office of the Information and Privacy Commissioner of B.C., mostly focuses on FOI response times and delays that appear to target requests filed by members of the media. But the report’s most troubling findings concern the alleged deletion of records and evasion of FOI laws. The OIPC, however, found that an examination of these concerns fell outside the scope of its investigation. [Straight]

CA – NFLD Public Bodies Should Not Allow Staff Use of Personal Email Accounts for Work

The Office of the Information and Privacy Commissioner in Newfoundland and Labrador (“OIPC”) issues guidelines relating to the use of personal email accounts for public business. Use of personal email accounts does not relieve the duty to thoroughly search for records responsive FOI requests and produce them, however, officers and employees may be reluctant to produce records from these accounts or provide access for FOI purposes; personal accounts are less likely to meet requirements to protect personal information under a public body’s custody or control (terms of service may allow for third-party access, and security features may not be adequate). [OIPC NFLD – Use of Personal Email Accounts for Public Business]

US – Dropbox’s New Transparency Report Includes State-By-State Breakdown

Releasing its biannual transparency report, Dropbox has included a state-by-state breakdown of government requests in their July-December 2015 study. Dropbox received 574 requests for user data from around the globe, including 348 search warrants and 206 subpoenas, providing information on the vast majority of inquiries. California had more requests than any state in the U.S. with 70, followed by Texas with 49, Florida with 48, and Virginia with 32. “Although we continue to see an increase in requests from U.S. law enforcement, the numbers remain small compared to our user base of over half a billion users,” Dropbox said in a blog post. The company also detailed the joint efforts with tech companies to oppose government legislation forcing organizations to undermine their security protocols. [Dropbox Blog Post]

Genetics

CA – Supreme Court Rules Police Can Swab Suspected Rapist Without Warrant

In a ruling that adds to police powers in investigating rape, the Supreme Court of Canada says police have the right to take a penile swab (without a warrant) from suspected attackers, forcibly if necessary, as long as they do so in a private cell and have reasonable grounds to believe they will find relevant evidence. Just two Supreme Court judges, both of them women, said a penile swab should be deemed an illegal search. In a strong dissent in the case, Justice Andromache Karakatsanis accused the majority of straying from precedents that found a “close relationship between bodily privacy and human dignity.” Justice Rosalie Abella said she would have disallowed the penile swab and barred the evidence from being used. [G&M]

Health / Medical

CA – Trillium Health Partners Hit With Privacy Class Action

A class-action lawsuit has been filed against Trillium Health Partners, alleging a doctor’s assistant used patient credentials to access medical records. Former patient Katie Mallinson filed the suit against Dr. Tony Vettese and his assistant Lisa Lyons, claiming Lyons accessed Trillium’s database to review the confidential records of an unknown number of patients for many years. The records contain sensitive medical information, including medication history, treatments received and diseases suffered. The suit seeks $2 million in general damages, while stating Trillium’s privacy policies and procedures are “inadequate, underfunded and unenforced.” Trillium was not aware of Lyons’ improper access until Mallinson first became suspicious of illicit activity. [Press Release] See also: [397 medical records snooped at Hamilton General Hospital]

US – Workers May Soon Have to Share Health Data — Or Pay A Penalty

New Equal Employment Opportunity Commission regulations may force employees to share medical data in order to qualify for benefits, or face penalties. If employees choose not to share medical data with their employers, they face increases in health premiums and the possibility of the EEOC suing their organization. Privacy advocates are concerned employees will have to pay more for their privacy as well as face potential discrimination if an employee chooses to opt out of the program. Wellness programs also have access to medical records and insurance claims data, meaning employers can learn about genetic test results and access information on employee family history. “Our argument is participation in a wellness program is simply no longer voluntary if employees can be penalized in this way,” said American Society of Human Genetics Science Policy Director Derek Scholes. [BuzzFeed]

WW – Google Unveils Symptom-Search Functionality

Google has announced it will list related conditions when users search the site using health symptoms as keywords. “We create the list of symptoms by looking for health conditions mentioned in web results, and then checking [sic] them against high-quality medical information we’ve collected from doctors for our Knowledge Graph,” the report states. The move is an effort to simplify accessing and understanding online health information. The feature will go live in “the next few days” in the U.S. and will expand internationally in the future. [Google Blog]

US – OCR Releases Video Guidance on Provision of Medical Records

The summer movie season is now officially in full swing, with the release of three informational videos regarding HIPAA and the right of individuals to access their medical records, published by the Office of Civil Rights of the Department of Health and Human Services. The video trilogy, and accompanying infographic, are the eagerly-awaited sequel to OCR’s guidance “Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.525,” issued earlier this year. That guidance is essential reading for companies operating in the medical records space, as it sets forth OCR’s views on such topics as how records must be provided upon request, methods for calculating reasonable fees for copies, and provision of medical records to third parties at a patient’s direction. [Source]

Horror Stories

US – Three Hacked Hospital Databases Up For Sale on Deep Web

Breaches of three separate health databases by one hacker has resulted in more than 650,000 medical records for sale on the deep web. The hacker was able to tap into a vulnerability in each database’s Remote Desktop Protocol. One database from Georgia containing more than 400,000 records is priced at 607 bitcoin, the report states. “Although it remains unclear as to which hospital was attacked, this story goes to show how lackluster IT security keeps plaguing the health care industry,” the report adds. Meanwhile, a TrapX Security study has found that hackers are increasingly targeting medical devices used within hospital systems, ZDNet reports. These tools “often contain backdoors, botnet connections and remote access tunnels for cyberattackers to manipulate devices,” the report adds. [The Merkle]

WW – Hacker Plans to Release 100,000 Escort Site User Records

Moroccan hacker ElSurveillance has breached and defaced an additional 37 escort sites, which are mostly from the U.K., and pledged to leak 100,000 users’ data online in the coming week. This is not the first instance of ElSurveillance’s breach activity, with the hacker claiming 79 defacement incidents of similar sites in January, the report states. The hacks are religiously motivated. “[O]ur bodies are gifted from Allah to us to look after and not to destroy,” the hacker said. “Unlike [ElSurveillance’s] fellow ISIS-affiliated colleagues who spread fear, threats and warnings of violence, he’s spreading a message of peace and a religious-rooted message,” the report adds. [Softpedia]

CA – Personal Info in 100,000 IT Requests Compromised in SFU Privacy Breach

More than 100,000 Simon Fraser University information technology service requests from 2013-2016 were inadvertently stored in an unprotected server for four months. The data compromised included 20,294 email addresses, contact information and other personal data, the report states. The school’s IT team discovered the breach May 16 and brought the information offline the next day, notifying the affected students in early June, the report adds. “We have no evidence that any third party accessed the database during the time it was unprotected, nor do we have any evidence that there was any misuse of the information contained in the database,” said SFU Communications Director Kurt Heinrich. He added that the school was reviewing and modifying additional breach protections. [Burnabynow]

Identity Issues

WW – Dashcam Smartphone App to Employ License-Plate Detection

A new smartphone app takes all of the features of a dashcam and adds license-plate detection to warn users of potentially dangerous drivers. The Nexar app uses a smartphone’s camera to detect and record automotive activity and collisions. It also plans to add “real-time warnings” to help drivers avoid cars with bad track records. Nexar uses machine vision and artificial intelligence algorithms to locate license plates and record drivers who speed and perform illegal maneuvers. Privacy concerns will likely arise, but the recording process is likely legal. “Courts generally say that people generally have little or no expectation of privacy in the movements of their cars on public roads,” said University of Chicago law professor Lior Strahilevitz, “as long as cars aren’t being tracked everywhere they go for a lengthy period of time.” [PC Magazine]

Location

US – Ad Network Settles with FTC, Will Pay $950,000 for Location Tracking

The FTC announced it has settled with the Singapore-based mobile advertising company InMobi under charges that it “deceptively tracked” the locations of hundreds of millions of consumers — including children — without notification or consent. As part of the settlement, InMobi will pay $950,000 in civil penalties and implement a comprehensive privacy program. The FTC alleges that the company — whose ad software reaches nearly 1 billion consumers worldwide — also violated COPPA by collecting location information from apps directed at children. “This settlement ensures that InMobi will honor consumers’ privacy choices in the future, and will be held accountable for keeping their privacy promises,” said FTC Bureau of Consumer Protection Director Jessica Rich. [FTC] – Ars Technica: Firm pays $950,000 penalty for using Wi-Fi signals to secretly track phone users | – Computerworld: Mobile advertiser tracked users’ locations without their consent, FTC alleges | – FTC: Mobile Advertising Network InMobi Settles FTC Charges It Tracked Hundreds of Millions of Consumers’ Locations Without Permission]

Online Privacy

US – Senate Rejects Measure That Would Allow FBI to Search Browsing Histories Without a Warrant

US legislators have rejected an amendment to a criminal justice funding bill that would have allowed the FBI to conduct warrantless searchers of people’s browsing histories. While the measure garnered a majority of the votes, it failed to obtain the necessary 60 votes to advance. The issue may come up for consideration as soon as next week, however, because Senate majority leader Mitch McConnell submitted a motion to reconsider it. Sources: – CNET: Senate nixes plan for warrantless FBI searches of internet browsing histories | – ZDNet: Senate rejects FBI bid for warrantless access to internet browsing histories | – Washington Post: After Orlando, Senate rejects plan to allow FBI Web searches without court order]

WW – New Firefox Feature Allows Users to Create Individual ‘Personalities’

A new feature from Mozilla will allow users to separate their web history within their browser. Firefox Containers divides the browser into individual “personalities.” Each persona can be used for different internet activities, such as banking, work, shopping and for personal use. The browsing histories and cookies are kept within a “fully segregated cookie jar” by keeping each persona’s caches separate, according to a Mozilla blog post. “We all portray different characteristics of ourselves in different situations,” said Mozilla Security Engineer Tanvi Vyas. “But when I use the web, I can’t do that very well. There is no easy way to segregate my identities such that my browsing behavior while shopping for toddler clothes doesn’t cross over to my browsing behavior while working.” [The Christian Science Monitor]

US – Cloud-Based EHR Company Settles FTC Complaint It Failed to Advise that Reviews of Doctors Containing Patient Information Would Be Made Public

This FTC agreement settles allegations that Practice Fusion, Inc. failed to disclose that consumer reviews containing sensitive personal information would be publicly disclosed in violation of the FTC Act. The company is prohibited from misrepresenting the extent to which it makes certain information (e.g. health information) publicly available (including by posting on the Internet); prior to such disclosure, the company must provide notice and obtain express consent from consumers, and must not maintain any healthcare provider review information (except for review and retrieval by its healthcare provider customers, or as permitted by law, regulation or legal process). FTC – In the Matter of Practice Fusion, Inc. – Complaint and Agreement Containing Consent Order | Press Release | Complaint]

Other Jurisdictions

IS – Judge Approves $400 Million Class Action Against Facebook for Violating Privacy

Israel’s Central District Court has approved a $400 million privacy class-action suit against Facebook, ruling that the company’s terms-of-use requirement for all lawsuits to be heard in California was invalid. The suit alleged that the company both breached privacy protocols by targeting advertisements based off of users’ private posts, and failed to register its database in Israel’s national database registry as mandated by the country’s law, the report states. “Perhaps the time has come to examine the issue from a different angle, from the customer’s standpoint, especially when he’s the customer of huge international corporations that deal with customers all over the world,” said Judge Esther Stemmer. The court gave Facebook 90 days to respond to the suit. [Haaretz]

Privacy (US)

US – Tech Companies Oppose Government Hacking Rule Change

A group of 50 organizations including Google and the American Civil Liberties Union has called upon Congress to block “dangerously broad” changes that, effective Dec. 1, increase judges’ warrant jurisdiction. The changes to Rule 41 of the Federal Criminal Procedure “invite law enforcement to seek warrants authorizing them to hack thousands of computers at once — which it is hard to imagine would not be in direct violation of the Fourth Amendment,” the later states. Meanwhile, in an additional report from Morning Consult, Sen. John McCain, R-Ariz., expressed his support for FBI Director James Comey’s surveillance perspectives over those of privacy advocates. “I have great sympathy for them but I respect more the view of Director Comey,” he said. [Morning Consult]

US – NTIA Publishes Revised Best Drone Practices Guidance

The National Telecommunications and Information Administration has released an updated best drone practices guidance. The guide is the culmination of a two-month public comment session and subsequent May 18 meeting on drone privacy and transparency issues. Meanwhile, the Federal Aviation Administration has published a 600-page drone regulation document that does not include specific privacy protocols, The Intercept reports. The Electronic Privacy Information Center responded to the announcement with a statement on its website, recalling its 2015 suit of the FAA for failing to regulate drone privacy. [NTIA]

US – Obama Administration Approves FAA Rules for Small Drones

The Obama administration has approved the commercial use of small drones. The Federal Aviation Administration created a new class of rules for drones weighing less than 55 pounds, fly up to 400 feet, and below 100 miles per hour. Drone operators now have the ability to fly the unmanned aircraft without special permission, but must be at least 16 years old. Drones will not be allowed to fly at night, unless they have special lighting and stay at least 5 miles from an airport. Transportation Secretary Anthony Foxx said, “As this new technology continues to grow and develop, we want to make sure we strike the right balance between innovation and safety.” [Reuters] [Op-ed: FAA’s rules for small drones are flawed]

US – AG Enforcement, Algorithmic Discrimination Top PLSC Line-Up

The Privacy Law Scholars Conference held its ninth annual gathering in Washington at the beginning of this month, bringing together academics and practitioners to present papers that are still in development. The workshop environment is a closed circuit — no tweeting or blogging about what happens there is allowed, and papers may or may not ever be published. However, papers and ideas inevitably rise to the top, and the IAPP recognizes two of those with its annual IAPP Papers Award, voted on by attendees. [IAPP]

Privacy Enhancing Technologies (PETs)

WW – Silent Circle Launches Virtual Security Assistant Privacy Meter

Silent Circle has announced its Silent OS 3.0 for Android mobile phones will include a program that will regularly scan a device, alerting the user if any apps, services or settings contain privacy-compromising elements. The program, dubbed “Privacy Meter,” is automatically embedded into the operating system, the report states. “Think of it as an assistant that is always next to you helping you maintain the most awareness of your Privacy Profile,” said Silent Circle’s David Puron. “Whether you have available software updates, your browsing certificates have been altered, or an app is sharing your location, the Privacy Meter will show you what is happening then guide you through the appropriate configurations, if desired.” [ZDNet]

RFID / IoT

US – Chicago Needs More Detail in Array of Things Privacy Policy, Experts Say

The city of Chicago is preparing to install a network of sensors that will track people on city streets — walking, biking, driving — and privacy experts say it needs to better spell out how it will use that information. The nine-page privacy policy includes just a few paragraphs on how the data will be collected, used and shared. The city plans to install 500 Array of Things devices across the city by the end of 2018. They will house sensors including a low-grade camera and microphone that can capture images and sound from passersby, bringing a new scale of data collection to busy intersections. Officials say the project will help improve city life by analyzing patterns in environmental and human behavior. City officials are seeking public input on the policy before installing the first 42 devices, slated to go up around the city starting in late July. The second of two public forums on the policy is from 5:30 to 7 p.m. Wednesday at the Harold Washington Library downtown. [Chicago Tribune]

Smart Cards

US – California County Approves Ordinance Restricting Government Use of New Technologies

The Board of Supervisors of Santa Clara County approved Ordinance No. NS-300.897, relating to surveillance technology and community safety. Law enforcement must seek approval of the County Board before purchasing any new surveillance technologies (e.g. drones, automated license plate readers, GPS, cell-site simulators, RFIDs, facial recognition, biometric identification); annual surveillance reports must be submitted to the Board detailing usage, complaints, internal audits, and how successful different technologies have been. [Ordinance No. NS-300.897 – Surveillance Technology and Community Safety – Board of Supervisors of Santa Clara County]

US Government Programs

US – DHS Wants to Snoop on Travelers’ Facebook, Twitter, and Instagram Accounts

The Department of Homeland Security has opened its proposal to include an optional field to disclose social media handles in travel documents to public comment. The documents in question are the Electronic System for Travel Authorization and Form I-94W, a document foreign travelers complete when leaving and entering the U.S., the report states. “Please enter information associated with your online presence — Provider/Platform — Social media identifier,” the forms would read if the proposal is accepted. “As phrased that could include your Twitter handle, the URL for your Facebook page, your OkCupid or Grindr handle …” the report adds. “Where does it end?” DHS will accept comments here until Aug. 22. [Fusion]

US Legislation

US – McConnell Pushes Measure to Expand Surveillance Tools

Senate Majority Leader Mitch McConnell, R-Ky., has proposed an amendment to the bill funding the Department of Justice and Department of Commerce that would both increase federal law enforcement surveillance powers and “permanently extend” elements of the PATRIOT Act. “Both measures have been criticized by privacy and civil liberties advocates, who have fought the proposals on multiple fronts in recent months,” the report states. The bill is considered similar to the legislative revisions Senate Republicans aim to make to the Electronic Communications Privacy Act, the report adds. A procedural vote on McConnell’s amendment is predicted for Wednesday. [The Hill]

US – Other Privacy News

Workplace Privacy

WW – BYOD Can Pose Privacy Risks to Employees: Study

Companies that use remote device management software to oversee employee devices used for business have the ability to collect a lot more information than employees may be comfortable with, according to a report released today. “The intent of these MDM solutions is not to spy on employees, but to monitor for things like malware and general security,” said Salim Hafid, product manager at Bitglass, which produced the report. But if the company wants to, these tools provide the ability to do a lot more, he said. That includes seeing where the phone is located, what apps are on the phone, and even what websites the user was accessing. “We were able to see virtually all the activity on the device,” he said. “We could see that some of our employees search for health information on the web.” [CSO Online]

WW – Russian Technology Allows Employers to Monitor Phone Calls

A Moscow security firm has created technology allowing companies to listen in on mobile calls made on their property. InfoWatch, a former subsidiary of Kaspersky Lab, says it has created the product for companies trying to curb information leaks by scanning employee phone calls for key terms that may prompt an investigation. While InfoWatch is legal in Russia, installing it in western countries would be very difficult. “This technology may become a hot ticket for any company seeking to protect its commercial secrets,” said Gartner analyst Petr Gorodetskiy. “But it can’t be rolled out in markets where it may trigger court claims.” Others question whether the product is truly functional. “The part that puzzles me is how successful speech recognition, transcription and automated analysis of texts can be,” said Polytechnic University of Milan professor Stefano Zanero “I would be surprised if any major company decided to buy into this.” [Bloomberg]

+++