18-24 June 2016

Biometrics

WW – IBIA Approves New Facial Recognition Best Practices

The International Biometrics + Identity Association voiced its approval of a new set of facial recognition best practices. The guidelines were created by the Department of Commerce’s National Telecommunications and Information Administration, and have been hailed by the IBIA as a flexible guideline for numerous applications of the technology, including authentication and social media. “The clear benefits of facial recognition technology come with a responsibility to users and consumers,” said IBIA Managing Director Tovah LaDier. “These privacy best practices will help to assure the public that facial recognition is being used responsibly and accountably. They also demonstrate the strong commitment of the industry to protecting the public’s privacy, even as new technologies and applications emerge.” [Planet Biometrics] [NTIA group agrees on face recognition code of conduct]

Canada

CA – The OPCC has Released Its Annual Report for 2015-2016. [Source]

CA – PI Contained in Public Court or Tribunal Decisions is Publicly Available Information: OPC

The Office of the Privacy Commissioner investigated a complaint about an online legal database pursuant to PIPEDA. The OPC dismissed a complaint alleging an online legal database unlawfully published an individual’s PI by publishing a court decision about her; the PI appeared in a public judicial document for which there was no publication ban, and the company’s subscription-based research tools and services do not undermine the balance between privacy and the open courts principle. [OPC Canada – PIPEDA Report of Findings #2015-013 – Online legal database doesn’t need consent to use publicly available court decisions, in support of the open court principle]

CA – Decision Provides Rare Insight on the Applicability of RTBF in Québec

On April 14th, 2016, the Commission d’accès à l’information (the “CAI”) issued a decision discussing the relevance of the “right to be forgotten” with regards to the “right to rectification” found in the Act Respecting the Protection of Personal Information in the Private Sector, CQLR, c. P-39.1. The CAI interestingly noted that a person’s right to rectification with respect to inaccurate, incomplete or equivocal information is distinct from the “right to be forgotten.” This right, which is recognized in the European Union, allows individuals to stop search engines from providing links to information about them that is deemed “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes of the processing at issue.”  As a result of this decision, it is now clear that the right to be forgotten is irrelevant to the examination of the right to rectification, as the two rights are different, both conceptually and practically. [Source]

CA – Therrien to Trudeau: Government Privacy Law Outdated

In a letter to Prime Minister Justin Trudeau, Privacy Commissioner Daniel Therrien warns that without renewal, protections under Canada’s Privacy Act “are proving to be increasingly out of touch with Canadians and their engagement with the digital world.” The act, which governs federal government data handling, was passed in 1983 and no substantial changes have been made to it since, reports The Star, even while advances in technology have dramatically changed the way government does business. A representative for the prime minister says the issue is a priority and they “are committed to working with the commissioner on an active and ongoing basis,” noting the minister of justice is reviewing the recommendations. [Source]

CA – BCCLA Says Warrantless Spying on Canadians Must End

In the latest step in a court case launched in 2013, the British Columbia Civil Liberties Association is asking the federal court to allow access to government documents that would shed light on the surveillance activities of the Communications Security Establishment. Specifically, the BCCLA objects to the warrantless collection of information on Canadian citizens, and points to recent data mishandling by the CSE as part of its participation in the Five Eyes program with Australia, New Zealand, the U.K. and the U.S. “The CSE is engaged in what is surely one of the largest warrantless activities directed at Canadians,” the BCCLA Litigation Director Grace Pastine told On the Coast guest host Michelle Eliot. [CBC News]

CA – Federal Court Finds Individual’s Request for Review of OPC Report Misdirected

The Federal Court hears E.W’s request for review of the findings of the Privacy Commissioner of Canada in response to her privacy complaint against the Department of Human Resources and Skills Development Canada. The OPC (after an investigation of the individual’s complaint of alleged improper collection of personal information without her consent) could not reach a finding, since 12 years had passed since the alleged collection, and the file retention period for the information had elapsed; the individual was provided opportunity to make submissions, all relevant evidence was investigated by the OPC, and the individual’s grievance lies with the institution that collected the data, not the OPC. [E.W. v. Privacy Commissioner of Canada – Federal Court – 2015 FC 1420]

CA – Proposed Manitoba Bill to Protect Kids Draws Privacy Criticism

Proposed legislation that would make it easier for Manitoba agencies and police to share information about at-risk children is raising privacy concerns. The Progressive Conservative government introduced Bill 8, the Protecting Children (Information Sharing) Act, earlier this week. The bill authorizes organizations and others who provide services to at-risk and vulnerable children to collect, use and disclose personal information or personal health information about them. The act would apply not only to children in the care of CFS or those involved in the criminal justice system, but also to those who require disability services, mental-health services, addiction services, victim services and to schoolchildren with special needs who require an individual education plan. Information could be disclosed about parents or guardians of the children.  Michelle Falk, executive director of the Manitoba Association for Rights and Liberties, said it appears the bill would give “ordinary bureaucrats” the power to make judgment calls that could have long-term implications for children in care and their families. “It gives unfettered authority to any government department, agency or the police department to share any information to any other department,” she said Thursday. [Winnipeg Free Press]

CA – Other Canadian News

Consumer

CA – New Online Tool Allows Users to Ask Companies About Their Data

A new version of a Canadian website allows individuals to contact companies to see what information they have collected. Access My Info Canada originally was created to message telecommunications companies, but the new version launched by developer Andrew Hilts now gives users the chance to reach out to companies making fitness trackers and dating apps. “This can help people answer questions if they’ve ever wondered if their cellphone provider is logging their location, or if their online dating app is ever sharing their sexual preferences,” said Hilts. Access My Info has been created to help consumers understand their rights under Canadian privacy laws, while also giving them information on what data could be compromised if a company were to suffer a data breach. [CBC News]

US – For Consumers, Injury Is Hard to Prove in Data-Breach Cases

The Wall Street Journal reports on consumer lawsuits following data breaches, and whether companies should be forced to compensate customers for attacks exposing sensitive information. Judges dismiss the majority of lawsuits spawning from major data breaches, including those in attacks against Target and Home Depot because customers have not been able to prove the breaches have caused any tangible harm. Companies argue having personal data exposed doesn’t equate to harm requiring compensation, and when stolen credit card information results in fraudulent purchases, customers often cannot prove the fraud was a result of the breach. Federal judges in Illinois and California, however, have let lawsuits proceed, possibly opening a door for corporate liability. [Wall Street Journal]

US – Privacy by the Numbers: A Deep Dive into the Structure of Privacy Policies

As researchers from the Common Sense District Privacy Evaluation Initiative analyze the correlation between the content and stylistic infrastructure of privacy policies, they have flagged “potential indicators” that they say will help them to analyze them more efficiently, the group’s Bill Fitzgerald writes. While Fitzgerald said he and his researchers “do not think we will find any direct correlation between policy structures and whether terms are good or bad,” technical elements of the policies, such as reading level, length of terms and structure, create patterns that matter. “It’s difficult to say what constitutes a ‘normal’ policy without a baseline, and the work we will be launching this summer will help create a clearer picture — supported by openly available data — of what a typical policy looks like,” he wrote. [The Journal]

E-Mail

US – Supreme Court Decision May Support Microsoft’s Position in Ireland Server Data Case

In a decision released earlier this week, the US Supreme Court wrote, “absent clearly expressed congressional intent to the contrary, federal laws will be construed to have only domestic application.” The ruling was made in a RICO (Racketeer Influences and Corrupt Organizations) Act case. While unrelated to the Microsoft case in which the company is refusing to surrender data held on a server in Ireland to US officials, the decision could provide support for Microsoft’s position that the Electronic Communications Privacy Act (ECPA) does not say that congress intended it to “reach private emails stored on provider’s computers in foreign countries.” [Computerworld: Microsoft invokes Supreme Court opinion in Ireland email case]

WW – Board Members Increasingly Targeted by Spearphishing Schemes

A growing trend is corporate boards of directors falling victim to spearphishing attacks. Board members can be hit by these schemes by receiving malicious emails that ask for tax information and bank transfer requests and sending it to another employee who handles the response. Members have lost financial statements, cybersecurity documents and intellectual property, mainly through a lack of education on identifying spearphishing emails. “Most board members use personal email accounts to handle board communications so they don’t get mixed with the emails from the companies where they work,” said Experian Information Solutions Vice President, Data Breach Resolution Michael Bruemmer. “These are less secure, and we have seen examples of these accounts having been compromised.” [CSO Online]

Encryption

US – Apple Makes Encrypted Operating System Public

In a surprising move, Apple has exposed the inner workings of its encryption-based operating system for the first time. The tech giant did not reveal whether the disclosure of its kernel was by design, but many in the security industry believe Apple made the code public in order to help locate possible security weaknesses in the software. To date, Apple has not run any bug bounty programs. The move comes after Apple’s well-publicized battle with the FBI in the San Bernardino case. By choosing to expose its software rather than starting a bug bounty program, Apple is taking a big risk, the report states. “This is a gamble,” said forensic scientist Jonathan Zdziarski. “But I can see the possible reason that Apple may have decided to make this wager.” [MIT Technology Review]

EU Developments

EU – German Court Ruling: WhatsApp Must Translate English TOS and Privacy Policy to German

German courts have ruled WhatsApp has violated the country’s Telemedia Act by forcing users to agree to the app’s terms of service in English. When the judgement is finalized, WhatsApp will be required to translate its terms of service and privacy policy into German, or face a $283,000 fine. Klaus Muller, CEO of the Federation of German Consumer Organizations, said companies make it difficult for consumers to comprehend terms of services, and WhatsApp has made it even harder for German users with the conditions written in a foreign language. The courts ruled WhatsApp’s violation stems from not allowing users to contact a German country representative if they have any questions or concerns . WhatsApp has not announced whether it will appeal the ruling. [Neurogadget]

Facts & Stats

CA – Average Cost of a Data Breach Up 12.5% Among Canadian Firms: Report

Canadian CISOs who want more hard data to convince the C-suite and boards to devote more resources to cybersecurity have a new report to show. If a study of 24 Canadian organizations is accurate, the total cost over a recent 12 month period of a breach of over 1,000 records went up 12.5 per cent compared to 2014 to just over $6 million. Another way of looking at it is the average cost per record stolen or lost went up 10.6% to $278 compared to the same period the year before. These numbers come from a study released last week by the Ponemon Institute that was funded by IBM. The costs were based upon estimates provided by participating victim organizations. The report is part of an annual global study of breaches in 13 countries (United States, United Kingdom, Germany, Australia, France, Brazil, Japan, Italy, India, the United Arab Emirates, Saudi Arabia, Canada and, for the first time, South Africa), which last year covered 383 organizations. The average cost of a breach across all those firms was US$4 million. [IT World Canada]

Filtering

UK – Mandatory Web Monitoring in Schools Opens a Slippery Can of Worms

Without Parliamentary or public discussion, children’s internet use will be monitored by third parties from September. This is despite widespread associated concerns – including choking off free speech, religious freedom, and staff feeling vulnerable – presented to the Joint Select Committee for Human Rights by experts in education and security legislation. The brief paragraph 75 in The Department for Education (DfE) “New measures to keep children safe online at school and at home“ statutory guidance Safeguarding in Schools, will impose a change from a duty ‘to consider’ web monitoring to one that ‘should ensure’ it for educational establishments, excluding 16-19 academies and free schools. The supporting advice to which the Government response points, suggests actively monitoring all screen activity during a lesson from a central console using appropriate technology as a solution, even in circumstances that suggest low risk. And that logfile information should be able to identify an individual user, and be reviewed regularly. Pro-active monitoring is suggested where alerts are managed by a third-party provider. The Department for Education’s summary response and advice however offers little practical support to school leaders how to concretely take these things into account, while still meeting human rights legislation. Without explicit clarity on the practice of monitoring personal electronic devices not owned by the school, we risk a slippery descent into schools made complicit in a privacy invasion of family life. [Schoolweek]

FOI

CA – Audit Finds Vancouver Failing to Meet FOI Deadlines, Deleting Emails

City hall has received a stern talking to from the province’s information and privacy commissioner following an audit of Vancouver’s compliance with freedom-of-information (FOI) laws. “It is clear to me there is a need for change to the approach city staff use in processing access requests,” commissioner Elizabeth Denham said in a June 23 media release. “We observed shortcomings in almost every step of the freedom of information process—from receipt of the request, to searching for records, to the timeliness of response to the applicant and the content of the response itself.” The audit, conducted by the Office of the Information and Privacy Commissioner of B.C., mostly focuses on FOI response times and delays that appear to target requests filed by members of the media. But the report’s most troubling findings concern the alleged deletion of records and evasion of FOI laws. The OIPC, however, found that an examination of these concerns fell outside the scope of its investigation. [Straight]

CA – NFLD Public Bodies Should Not Allow Staff Use of Personal Email Accounts for Work

The Office of the Information and Privacy Commissioner in Newfoundland and Labrador (“OIPC”) issues guidelines relating to the use of personal email accounts for public business. Use of personal email accounts does not relieve the duty to thoroughly search for records responsive FOI requests and produce them, however, officers and employees may be reluctant to produce records from these accounts or provide access for FOI purposes; personal accounts are less likely to meet requirements to protect personal information under a public body’s custody or control (terms of service may allow for third-party access, and security features may not be adequate). [OIPC NFLD – Use of Personal Email Accounts for Public Business]

US – Dropbox’s New Transparency Report Includes State-By-State Breakdown

Releasing its biannual transparency report, Dropbox has included a state-by-state breakdown of government requests in their July-December 2015 study. Dropbox received 574 requests for user data from around the globe, including 348 search warrants and 206 subpoenas, providing information on the vast majority of inquiries. California had more requests than any state in the U.S. with 70, followed by Texas with 49, Florida with 48, and Virginia with 32. “Although we continue to see an increase in requests from U.S. law enforcement, the numbers remain small compared to our user base of over half a billion users,” Dropbox said in a blog post. The company also detailed the joint efforts with tech companies to oppose government legislation forcing organizations to undermine their security protocols. [Dropbox Blog Post]

Genetics

CA – Supreme Court Rules Police Can Swab Suspected Rapist Without Warrant

In a ruling that adds to police powers in investigating rape, the Supreme Court of Canada says police have the right to take a penile swab (without a warrant) from suspected attackers, forcibly if necessary, as long as they do so in a private cell and have reasonable grounds to believe they will find relevant evidence. Just two Supreme Court judges, both of them women, said a penile swab should be deemed an illegal search. In a strong dissent in the case, Justice Andromache Karakatsanis accused the majority of straying from precedents that found a “close relationship between bodily privacy and human dignity.” Justice Rosalie Abella said she would have disallowed the penile swab and barred the evidence from being used. [G&M]

Health / Medical

CA – Trillium Health Partners Hit With Privacy Class Action

A class-action lawsuit has been filed against Trillium Health Partners, alleging a doctor’s assistant used patient credentials to access medical records. Former patient Katie Mallinson filed the suit against Dr. Tony Vettese and his assistant Lisa Lyons, claiming Lyons accessed Trillium’s database to review the confidential records of an unknown number of patients for many years. The records contain sensitive medical information, including medication history, treatments received and diseases suffered. The suit seeks $2 million in general damages, while stating Trillium’s privacy policies and procedures are “inadequate, underfunded and unenforced.” Trillium was not aware of Lyons’ improper access until Mallinson first became suspicious of illicit activity. [Press Release] See also: [397 medical records snooped at Hamilton General Hospital]

US – Workers May Soon Have to Share Health Data — Or Pay A Penalty

New Equal Employment Opportunity Commission regulations may force employees to share medical data in order to qualify for benefits, or face penalties. If employees choose not to share medical data with their employers, they face increases in health premiums and the possibility of the EEOC suing their organization. Privacy advocates are concerned employees will have to pay more for their privacy as well as face potential discrimination if an employee chooses to opt out of the program. Wellness programs also have access to medical records and insurance claims data, meaning employers can learn about genetic test results and access information on employee family history. “Our argument is participation in a wellness program is simply no longer voluntary if employees can be penalized in this way,” said American Society of Human Genetics Science Policy Director Derek Scholes. [BuzzFeed]

WW – Google Unveils Symptom-Search Functionality

Google has announced it will list related conditions when users search the site using health symptoms as keywords. “We create the list of symptoms by looking for health conditions mentioned in web results, and then checking [sic] them against high-quality medical information we’ve collected from doctors for our Knowledge Graph,” the report states. The move is an effort to simplify accessing and understanding online health information. The feature will go live in “the next few days” in the U.S. and will expand internationally in the future. [Google Blog]

US – OCR Releases Video Guidance on Provision of Medical Records

The summer movie season is now officially in full swing, with the release of three informational videos regarding HIPAA and the right of individuals to access their medical records, published by the Office of Civil Rights of the Department of Health and Human Services. The video trilogy, and accompanying infographic, are the eagerly-awaited sequel to OCR’s guidance “Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.525,” issued earlier this year. That guidance is essential reading for companies operating in the medical records space, as it sets forth OCR’s views on such topics as how records must be provided upon request, methods for calculating reasonable fees for copies, and provision of medical records to third parties at a patient’s direction. [Source]

Horror Stories

US – Three Hacked Hospital Databases Up For Sale on Deep Web

Breaches of three separate health databases by one hacker has resulted in more than 650,000 medical records for sale on the deep web. The hacker was able to tap into a vulnerability in each database’s Remote Desktop Protocol. One database from Georgia containing more than 400,000 records is priced at 607 bitcoin, the report states. “Although it remains unclear as to which hospital was attacked, this story goes to show how lackluster IT security keeps plaguing the health care industry,” the report adds. Meanwhile, a TrapX Security study has found that hackers are increasingly targeting medical devices used within hospital systems, ZDNet reports. These tools “often contain backdoors, botnet connections and remote access tunnels for cyberattackers to manipulate devices,” the report adds. [The Merkle]

WW – Hacker Plans to Release 100,000 Escort Site User Records

Moroccan hacker ElSurveillance has breached and defaced an additional 37 escort sites, which are mostly from the U.K., and pledged to leak 100,000 users’ data online in the coming week. This is not the first instance of ElSurveillance’s breach activity, with the hacker claiming 79 defacement incidents of similar sites in January, the report states. The hacks are religiously motivated. “[O]ur bodies are gifted from Allah to us to look after and not to destroy,” the hacker said. “Unlike [ElSurveillance’s] fellow ISIS-affiliated colleagues who spread fear, threats and warnings of violence, he’s spreading a message of peace and a religious-rooted message,” the report adds. [Softpedia]

CA – Personal Info in 100,000 IT Requests Compromised in SFU Privacy Breach

More than 100,000 Simon Fraser University information technology service requests from 2013-2016 were inadvertently stored in an unprotected server for four months. The data compromised included 20,294 email addresses, contact information and other personal data, the report states. The school’s IT team discovered the breach May 16 and brought the information offline the next day, notifying the affected students in early June, the report adds. “We have no evidence that any third party accessed the database during the time it was unprotected, nor do we have any evidence that there was any misuse of the information contained in the database,” said SFU Communications Director Kurt Heinrich. He added that the school was reviewing and modifying additional breach protections. [Burnabynow]

Identity Issues

WW – Dashcam Smartphone App to Employ License-Plate Detection

A new smartphone app takes all of the features of a dashcam and adds license-plate detection to warn users of potentially dangerous drivers. The Nexar app uses a smartphone’s camera to detect and record automotive activity and collisions. It also plans to add “real-time warnings” to help drivers avoid cars with bad track records. Nexar uses machine vision and artificial intelligence algorithms to locate license plates and record drivers who speed and perform illegal maneuvers. Privacy concerns will likely arise, but the recording process is likely legal. “Courts generally say that people generally have little or no expectation of privacy in the movements of their cars on public roads,” said University of Chicago law professor Lior Strahilevitz, “as long as cars aren’t being tracked everywhere they go for a lengthy period of time.” [PC Magazine]

Location

US – Ad Network Settles with FTC, Will Pay $950,000 for Location Tracking

The FTC announced it has settled with the Singapore-based mobile advertising company InMobi under charges that it “deceptively tracked” the locations of hundreds of millions of consumers — including children — without notification or consent. As part of the settlement, InMobi will pay $950,000 in civil penalties and implement a comprehensive privacy program. The FTC alleges that the company — whose ad software reaches nearly 1 billion consumers worldwide — also violated COPPA by collecting location information from apps directed at children. “This settlement ensures that InMobi will honor consumers’ privacy choices in the future, and will be held accountable for keeping their privacy promises,” said FTC Bureau of Consumer Protection Director Jessica Rich. [FTC] – Ars Technica: Firm pays $950,000 penalty for using Wi-Fi signals to secretly track phone users | – Computerworld: Mobile advertiser tracked users’ locations without their consent, FTC alleges | – FTC: Mobile Advertising Network InMobi Settles FTC Charges It Tracked Hundreds of Millions of Consumers’ Locations Without Permission]

Online Privacy

US – Senate Rejects Measure That Would Allow FBI to Search Browsing Histories Without a Warrant

US legislators have rejected an amendment to a criminal justice funding bill that would have allowed the FBI to conduct warrantless searchers of people’s browsing histories. While the measure garnered a majority of the votes, it failed to obtain the necessary 60 votes to advance. The issue may come up for consideration as soon as next week, however, because Senate majority leader Mitch McConnell submitted a motion to reconsider it. Sources: – CNET: Senate nixes plan for warrantless FBI searches of internet browsing histories | – ZDNet: Senate rejects FBI bid for warrantless access to internet browsing histories | – Washington Post: After Orlando, Senate rejects plan to allow FBI Web searches without court order]

WW – New Firefox Feature Allows Users to Create Individual ‘Personalities’

A new feature from Mozilla will allow users to separate their web history within their browser. Firefox Containers divides the browser into individual “personalities.” Each persona can be used for different internet activities, such as banking, work, shopping and for personal use. The browsing histories and cookies are kept within a “fully segregated cookie jar” by keeping each persona’s caches separate, according to a Mozilla blog post. “We all portray different characteristics of ourselves in different situations,” said Mozilla Security Engineer Tanvi Vyas. “But when I use the web, I can’t do that very well. There is no easy way to segregate my identities such that my browsing behavior while shopping for toddler clothes doesn’t cross over to my browsing behavior while working.” [The Christian Science Monitor]

US – Cloud-Based EHR Company Settles FTC Complaint It Failed to Advise that Reviews of Doctors Containing Patient Information Would Be Made Public

This FTC agreement settles allegations that Practice Fusion, Inc. failed to disclose that consumer reviews containing sensitive personal information would be publicly disclosed in violation of the FTC Act. The company is prohibited from misrepresenting the extent to which it makes certain information (e.g. health information) publicly available (including by posting on the Internet); prior to such disclosure, the company must provide notice and obtain express consent from consumers, and must not maintain any healthcare provider review information (except for review and retrieval by its healthcare provider customers, or as permitted by law, regulation or legal process). FTC – In the Matter of Practice Fusion, Inc. – Complaint and Agreement Containing Consent Order | Press Release | Complaint]

Other Jurisdictions

IS – Judge Approves $400 Million Class Action Against Facebook for Violating Privacy

Israel’s Central District Court has approved a $400 million privacy class-action suit against Facebook, ruling that the company’s terms-of-use requirement for all lawsuits to be heard in California was invalid. The suit alleged that the company both breached privacy protocols by targeting advertisements based off of users’ private posts, and failed to register its database in Israel’s national database registry as mandated by the country’s law, the report states. “Perhaps the time has come to examine the issue from a different angle, from the customer’s standpoint, especially when he’s the customer of huge international corporations that deal with customers all over the world,” said Judge Esther Stemmer. The court gave Facebook 90 days to respond to the suit. [Haaretz]

Privacy (US)

US – Tech Companies Oppose Government Hacking Rule Change

A group of 50 organizations including Google and the American Civil Liberties Union has called upon Congress to block “dangerously broad” changes that, effective Dec. 1, increase judges’ warrant jurisdiction. The changes to Rule 41 of the Federal Criminal Procedure “invite law enforcement to seek warrants authorizing them to hack thousands of computers at once — which it is hard to imagine would not be in direct violation of the Fourth Amendment,” the later states. Meanwhile, in an additional report from Morning Consult, Sen. John McCain, R-Ariz., expressed his support for FBI Director James Comey’s surveillance perspectives over those of privacy advocates. “I have great sympathy for them but I respect more the view of Director Comey,” he said. [Morning Consult]

US – NTIA Publishes Revised Best Drone Practices Guidance

The National Telecommunications and Information Administration has released an updated best drone practices guidance. The guide is the culmination of a two-month public comment session and subsequent May 18 meeting on drone privacy and transparency issues. Meanwhile, the Federal Aviation Administration has published a 600-page drone regulation document that does not include specific privacy protocols, The Intercept reports. The Electronic Privacy Information Center responded to the announcement with a statement on its website, recalling its 2015 suit of the FAA for failing to regulate drone privacy. [NTIA]

US – Obama Administration Approves FAA Rules for Small Drones

The Obama administration has approved the commercial use of small drones. The Federal Aviation Administration created a new class of rules for drones weighing less than 55 pounds, fly up to 400 feet, and below 100 miles per hour. Drone operators now have the ability to fly the unmanned aircraft without special permission, but must be at least 16 years old. Drones will not be allowed to fly at night, unless they have special lighting and stay at least 5 miles from an airport. Transportation Secretary Anthony Foxx said, “As this new technology continues to grow and develop, we want to make sure we strike the right balance between innovation and safety.” [Reuters] [Op-ed: FAA’s rules for small drones are flawed]

US – AG Enforcement, Algorithmic Discrimination Top PLSC Line-Up

The Privacy Law Scholars Conference held its ninth annual gathering in Washington at the beginning of this month, bringing together academics and practitioners to present papers that are still in development. The workshop environment is a closed circuit — no tweeting or blogging about what happens there is allowed, and papers may or may not ever be published. However, papers and ideas inevitably rise to the top, and the IAPP recognizes two of those with its annual IAPP Papers Award, voted on by attendees. [IAPP]

Privacy Enhancing Technologies (PETs)

WW – Silent Circle Launches Virtual Security Assistant Privacy Meter

Silent Circle has announced its Silent OS 3.0 for Android mobile phones will include a program that will regularly scan a device, alerting the user if any apps, services or settings contain privacy-compromising elements. The program, dubbed “Privacy Meter,” is automatically embedded into the operating system, the report states. “Think of it as an assistant that is always next to you helping you maintain the most awareness of your Privacy Profile,” said Silent Circle’s David Puron. “Whether you have available software updates, your browsing certificates have been altered, or an app is sharing your location, the Privacy Meter will show you what is happening then guide you through the appropriate configurations, if desired.” [ZDNet]

RFID / IoT

US – Chicago Needs More Detail in Array of Things Privacy Policy, Experts Say

The city of Chicago is preparing to install a network of sensors that will track people on city streets — walking, biking, driving — and privacy experts say it needs to better spell out how it will use that information. The nine-page privacy policy includes just a few paragraphs on how the data will be collected, used and shared. The city plans to install 500 Array of Things devices across the city by the end of 2018. They will house sensors including a low-grade camera and microphone that can capture images and sound from passersby, bringing a new scale of data collection to busy intersections. Officials say the project will help improve city life by analyzing patterns in environmental and human behavior. City officials are seeking public input on the policy before installing the first 42 devices, slated to go up around the city starting in late July. The second of two public forums on the policy is from 5:30 to 7 p.m. Wednesday at the Harold Washington Library downtown. [Chicago Tribune]

Smart Cards

US – California County Approves Ordinance Restricting Government Use of New Technologies

The Board of Supervisors of Santa Clara County approved Ordinance No. NS-300.897, relating to surveillance technology and community safety. Law enforcement must seek approval of the County Board before purchasing any new surveillance technologies (e.g. drones, automated license plate readers, GPS, cell-site simulators, RFIDs, facial recognition, biometric identification); annual surveillance reports must be submitted to the Board detailing usage, complaints, internal audits, and how successful different technologies have been. [Ordinance No. NS-300.897 – Surveillance Technology and Community Safety – Board of Supervisors of Santa Clara County]

US Government Programs

US – DHS Wants to Snoop on Travelers’ Facebook, Twitter, and Instagram Accounts

The Department of Homeland Security has opened its proposal to include an optional field to disclose social media handles in travel documents to public comment. The documents in question are the Electronic System for Travel Authorization and Form I-94W, a document foreign travelers complete when leaving and entering the U.S., the report states. “Please enter information associated with your online presence — Provider/Platform — Social media identifier,” the forms would read if the proposal is accepted. “As phrased that could include your Twitter handle, the URL for your Facebook page, your OkCupid or Grindr handle …” the report adds. “Where does it end?” DHS will accept comments here until Aug. 22. [Fusion]

US Legislation

US – McConnell Pushes Measure to Expand Surveillance Tools

Senate Majority Leader Mitch McConnell, R-Ky., has proposed an amendment to the bill funding the Department of Justice and Department of Commerce that would both increase federal law enforcement surveillance powers and “permanently extend” elements of the PATRIOT Act. “Both measures have been criticized by privacy and civil liberties advocates, who have fought the proposals on multiple fronts in recent months,” the report states. The bill is considered similar to the legislative revisions Senate Republicans aim to make to the Electronic Communications Privacy Act, the report adds. A procedural vote on McConnell’s amendment is predicted for Wednesday. [The Hill]

US – Other Privacy News

Workplace Privacy

WW – BYOD Can Pose Privacy Risks to Employees: Study

Companies that use remote device management software to oversee employee devices used for business have the ability to collect a lot more information than employees may be comfortable with, according to a report released today. “The intent of these MDM solutions is not to spy on employees, but to monitor for things like malware and general security,” said Salim Hafid, product manager at Bitglass, which produced the report. But if the company wants to, these tools provide the ability to do a lot more, he said. That includes seeing where the phone is located, what apps are on the phone, and even what websites the user was accessing. “We were able to see virtually all the activity on the device,” he said. “We could see that some of our employees search for health information on the web.” [CSO Online]

WW – Russian Technology Allows Employers to Monitor Phone Calls

A Moscow security firm has created technology allowing companies to listen in on mobile calls made on their property. InfoWatch, a former subsidiary of Kaspersky Lab, says it has created the product for companies trying to curb information leaks by scanning employee phone calls for key terms that may prompt an investigation. While InfoWatch is legal in Russia, installing it in western countries would be very difficult. “This technology may become a hot ticket for any company seeking to protect its commercial secrets,” said Gartner analyst Petr Gorodetskiy. “But it can’t be rolled out in markets where it may trigger court claims.” Others question whether the product is truly functional. “The part that puzzles me is how successful speech recognition, transcription and automated analysis of texts can be,” said Polytechnic University of Milan professor Stefano Zanero “I would be surprised if any major company decided to buy into this.” [Bloomberg]

+++

 

10-17 June 2016

Biometrics

US – GAO Criticizes FBI on Facial Recognition Database

The Government Accountability Office has issued an in-depth report critical of the FBI’s use of facial recognition technology. Specifically, the GAO has “concerns regarding both the effectiveness of the technology” and the “protection of privacy and individual civil liberties.” The FBI has collected 411 million photos in various databases. “The FBI has entered into agreements to search and access external databases — including millions of U.S. citizens’ driver’s license and passport photos,” the GAO states, but until the FBI can assure the data they receive is accurate, “it is unclear whether such agreements are beneficial to the FBI.” Meanwhile, the National Telecommunications and Information Administration released suggested best practices derived from its multi-stakeholder process on facial recognition. Several consumer and privacy advocacy organizations have come out against the guidelines. [ZDNet] [Huge FBI facial recognition database falls short on privacy and accuracy, auditor says ]

AU – Australian Cops Want to Use Fingerprint Scanners to ID People In Public

The South Australian state parliament is considering a proposal to give police the power to scan fingerprints in public. If passed, the bill will give police the ability to request fingerprints from anyone they suspect of committing a crime—and anyone they think may be able to assist with an inquiry. Police are currently able to stop anyone on the street and request to see some form of traditional ID, but fingerprints are only allowed to be taken once a person has been charged. If the bill gets passed, suspects will be required to have their prints scanned upon request. Since 2014, the SA Government has trialled 150 scanners sporadically across the state and plans to spend $3.4 million on the technology if approved. The new scanners would be wirelessly linked to the National Automated Fingerprint Identification System, which will allow officers to access criminal records within a minute of scanning a suspect’s prints. Deputy Premier John Rau has released a statement arguing why fingerprint scanners are a good idea. “Legislative reform is necessary to enable police to use the scanners in wider circumstances, where a person does not have to give consent and police can scan for prints without the need to arrest,” he said. However, there’s been considerable backlash from both sides about the ramifications for privacy and civil liberties. Greens leader Mark Parnell likened the changes to something out of George Orwell’s 1984. “This is the realm of science fiction and it should send shivers down everyone’s spine,” he told The ABC. “It enables all manner of biometric testing and it does actually lead to a situation where the state could hold a database of every single person’s fingerprints.” [Source]

WW – Apple’s New Photo System to Include Facial Recognition

An update to Apple’s Photos software will include facial recognition technology. The upgrade will catalog photos within the app by the face of the person within the image. Apple’s new feature comes as Facebook and Google are locked in lawsuits over facial recognition capabilities, specifically possible violations of the Illinois Biometric Information Privacy Act. Apple Senior VP of Software Engineering Craig Federighi said the system uses local data rather than storing it on company servers. Though Apple’s features differ from that of Google and Facebook, it is not yet known if they would violate the Illinois law. [The Verge]

Canada

CA – New Spy Watchdog Will Have Power to Examine ‘Any Activity, Any Operation’

Sweeping powers to scrutinize “any issue, any activity, any operation” will be granted to a new committee of parliamentarians to watch over federal spying and other clandestine security and intelligence activities, the government has announced. The long-promised Bill C-22 tabled in the Commons proposes to create an unprecedented “national security and intelligence committee of parliamentarians” to hold to greater account the nation’s two chief spy services and at least 15 other departments and agencies with national security responsibilities. The move fulfils a major Liberal election promise to increase parliamentary scrutiny of national security operations to offset the expansive and controversial counterterrorism powers under the Anti-terrorism Act of 2015, formerly Bill C-51, to investigate, detain, arrest, silence or otherwise thwart individuals suspected as threats to the security of Canada. The all-party committee of nine MPs and two Senators, to be chosen by Prime Minister Justin Trudeau and supported by a small secretariat, would be sworn to permanent secrecy and handed a broad mandate to probe, mainly ex post facto, any and all national security activities to gauge whether they are effective, efficient and legal. Its primary investigative tool would be a statutory power to access many of the nation’s most guarded secrets. “They will be able to ask questions and conduct inquiries and satisfy themselves that two important objectives are being met: to make sure our security and intelligence agencies are being effective in keeping Canadians safe and to make sure they are safeguarding the rights and freedoms of Canadians.” Though the legislation clearly empowers the committee to explore and review the country’s deepest confidences, it also offers government a handful of disclosure escape clauses. Chief among them is the state’s power to deny the committee information “injurious to national security,” a catch-all clause that past governments have used to slam the door on politically sensitive or otherwise damaging inquiries. [National Post]

CA – New Bill Would Allow Border Guards to Collect Data on Those Leaving Canada

Public Safety Minister Ralph Goodale has proposed revisions to the Customs Act that would allow the federal government access to the personal data of Canadian travelers leaving the country. The information collected wouldn’t extend beyond information collected in a passport’s second page — meaning “full name, nationality, date of birth, gender and issuing authority of the passport,” the report states. “Having this data will allow us to better respond to Amber Alerts, for example, on missing children,” Goodale said. “It will help us deal with human trafficking. It will help us deal better with illegal travel by terrorist fighters.” [CBC News]

CA – Privacy Watchdog Seeks More Stringent Laws in Wake of Health Breach

B.C.’s privacy commissioner is calling on the province to step up its privacy laws and impose fines of up to $50,000 for health-care workers found snooping. “It’s a significant issue of public trust when one or more individuals access electronic health records without authorization,” B.C. privacy commissioner Elizabeth Denham said in an interview. B.C.’s privacy laws are outdated when it comes to protecting electronic health records from general snooping, Denham said. [Times Colonist] See also: 2 BC health workers fired in breach that included high-profile people

CA – Sask Cops, MLAs & Ministers to Fall Under FOI Legislation

New legislative amendments brought forward by the Saskatchewan government on Monday could soon mean police in the province will be subject to freedom of information requests. The proposed amendments to Saskatchewan’s FOI and privacy laws received first reading in the Legislature on June 13. One of the proposed changes is to extend the FOI legislation to include police services. Other changes include creating a new offence for snooping, extending privacy requirements to include MLA and cabinet ministers’ offices and increasing penalties for privacy violations. The Saskatchewan Information and Privacy Commissioner, Ronald Kruzeniski, said in a statement he is pleased with the proposed amendments and will work further on FOI regulations once the amendment is passed. [Global News]

CA – Frustration Over Health Disclosure Doesn’t Trump Privacy Protection: Experts

After a case involving a 21-year-old taking her own life following a battle with depression, Nova Scotia is examining whether it needs to review its health privacy laws for disclosing mental health issues to a patient’s family. Currently, Nova Scotia law allows for mental health disclosures when it’s determined there is an immediate threat to the health of any person, including the patient. Nova Scotia Privacy Commissioner Catherine Tully is apprehensive about whether officials and government body officials have enough knowledge to determine what can and cannot be disclosed. “It is absolutely a training issue,” said Tully. “I have travelled around the province and talked to hundreds of people responsible for administering our privacy laws and training is a very key issue and one that requires constant work.” [Global News]

Consumer

WW – Privacy Concerns Around Alternative Credit Reporting

Companies are trying alternative credit reporting using nontraditional data to determine a candidate’s reliability and creditworthiness, but privacy concerns surround the tactics. In addition to privacy concerns, efforts to determine an individual’s chances for receiving a loan, house, or a job often hurt those in low-income brackets. Though companies are using a wide range of ways to determine a person’s creditworthiness and reliability — as students, prospective employees, or credit applicants — the methods of doing so fall in a legal area that’s murky at best. Overseas, companies in parts of Africa and Latin America monitor cellphones and social media to evaluate potential loan recipients. While U.K. startup Tenant Assured has started a service mining social media accounts, selling information to landlords and other parties. [The Atlantic]

US – Data Breach Simulation Explores Notification Timing

During a mock data breach at Stanford University’s Hoover Institution, a group of journalists studied the art of post-breach notification, learning that sometimes waiting to sort out technical errors before notifying victims is the wisest route to take. “It takes time to figure out what happened, and sometimes notification can cause more damage because you haven’t had time to remediate it,” said Intel Chief Privacy and Security Counsel. [Los Angeles Times]

E-Government

US – Board of Elections Posts DC’s Compete Voter List Online

D.C. makes it shockingly easy to snoop on your fellow voters. A little-known law in the nation’s capital is leading to complaints over the way it lets anyone on the Internet find out D.C. voters’ names, addresses, voting history and political affiliations, with little more than a click or two. It’s not the existence of the file itself that’s shocking, critics say. It’s the fact that the D.C. Board of Elections made it available on the Internet. Typically, every state has this kind of voter information; it’s just held at the statehouse or at the public library where you have to physically retrieve it from the stacks — probably with the help of a staffer — in order to see it. Putting that data on the open Internet changes the game because it allows virtually anyone, from anywhere, to view the data with no questions asked. [The Washington Post] [Washington voter registry publication sparks debate]

UK – 36% of Public Trust Government to Protect Their Data: ICO SUrvey

An ICO survey, published on 15 June, asked more than 1,200 people for their views on data protection. It found that the public were only slightly more likely to trust government with their information as they were to trust energy providers. Just 36% of respondents to the survey said they trusted government departments with their information. High street banks garnered the highest overall levels of trust, with 53% saying they trusted them with their information. However, trust in government increased for those in the higher socio-economic group AB1, at 41%, and millennials, at 43%. The survey also found that almost half of respondents disagreed with the statement that existing policy and regulation were sufficient to protect their data. Just 20% said policies were sufficient, which shows little change since the ICO’s 2014 survey, when 19% said policies were sufficient. [Public Technology]

E-Mail

CA – CRTC Partners With International Agencies to Fight Spam, Unsolicited Calls

The Canadian Radio-television and Telecommunications Commission (CRTC) announced that it has signed a memorandum of understanding with ten enforcement agencies from across the globe, including the Office of the Privacy Commissioner of Canada, to fight unlawful spam and unsolicited telecommunications. The agreement promotes cooperation between the CRTC and its international counterparts in enforcing Canadian and international spam and unsolicited telecommunications laws. The agencies have committed to sharing information and intelligence, where permitted by the laws of its jurisdiction, regarding unsolicited communications. By working closely with its partners, the CRTC will be able to more effectively ensure that all those who engage in unsolicited communications, whether local or foreign, comply with the Unsolicited Telecommunications Rules and Canada’s Anti-Spam legislation. [Press Release]

EU Developments

UK – IP Bill Extends GCHQ Snooping Powers to All Law Enforcement

The Investigatory Powers Bill, which was passed by the House of Commons last week, will effectively give the police and other authorities the same powers of surveillance that are currently enjoyed by GCHQ. That’s according to Raegan MacDonald, senior policy manager EU principal at Mozilla. “It’s about legally justifying the previously secret practices of GCHQ and also allowing those powers to go to all levels of law enforcement.” The IP Bill, commonly known as the Snooper’s Charter, requires telecoms companies and ISPs to store records of telephone and internet communications for one year. What is less widely known is that the Home Office is also building a search engine for all this data known as “request filter”, which will allow authorities to conduct detailed searches across all of this data. These queries will be subject to the “filtering” oversight of the Investigatory Powers Commissioner, and for this reason request filter is being sold by the Home Office as a privacy enhancing measure. “The request filter, when used, acts as an additional safeguard for communications data requests made by public authorities, to ensure that the data they acquire is limited only to that which is absolutely necessary,” says the government in a fact sheet. But pointing out that the Bill is short on mechanisms to ensure that oversight is effective, Jim Killock, executive director of Open Rights Group, questioned how this will work in practice. [Source] See also: The U.K. House of Commons passed the controversial Investigatory Powers Bill with a 444-69 vote. The bill now moves to the upper house of Parliament, the House of Lords.

EU – 75% of Cloud Apps Are Not Ready for New EU Data Protection Rules

More than 75% of cloud apps in the EU lack key capabilities to ensure compliance under the new EU General Data Protection Regulation (GDPR), according to a new study by Netskope. In particular, these businesses failed to meet the minimum requirements of new regulations in areas like deleting personal data in a timely manner and violating data portability requirements. Netskope tracked 22,000 cloud apps in use in the EU by giving them a rating between 1 and 100 in terms of GDPR readiness.

  • Just under 28% of cloud apps were deemed unready.
  • Half (48%) were scored as somewhat ready.
  • Only 25% were deemed ready.

The results of the report are especially troubling for businesses, as the adoption of mobile and cloud strategies gains momentum. The shift to cloud brings with it increasing complexity and a greater volume of security challenges for enterprises. Chief among them is the need to comply with new GDPR laws. These businesses have less than two years to ensure their cloud apps are up to regulation or face fines of either $22 million, or 4% of their global turnover (whichever is higher). [Source]

US – Ransomware Attacks Taking Huge Toll on Healthcare Resources

Healthcare organizations are aware of the omnipresent threat of ransomware on their information systems, and the danger it poses to their HIPAA compliance efforts and reputations, and are struggling to bear the expense of shoring up their defenses. The rising number of ransomware attacks against providers is prompting security professionals to intensify data security efforts, as well as consider entirely different approaches to security. Ransomware is turning the tables on how healthcare organizations now deal with security. For years, top security professionals have struggled with thefts that took data out of an organization’s control—for example, through the theft of data on stolen unencrypted laptops or through employee snooping of records that contain protected health information. The incentive for avoiding these types of breaches was to avoid landing on the HHS Office for Civil Rights’ web site of major breaches, and possibly face OCR-imposed financial sanctions and corrective action plans. But ransomware is different. Information remains in a provider’s system but is inaccessible, locked away until a provider makes a financial payment to free it. That scenario in large part has not been considered as a possibility until recently. Consequently, intensified data security is not the answer in the ransomware era, he believes; organizations must look at different approaches to data protection. [Source]

EU – Google Announces EU-Based Machine Learning Research Group

Google has struck a research group in Switzerland dedicated to machine learning. Machine learning consists of “systems that can learn things and come up with predictions from sets of data, without being specifically programmed to do so.” Machine learning currently powers Google’s translation engine, its Inbox “smart reply” feature, spam recognition in Gmail, and assists Google’s driverless cars examine their surroundings. The research group will work on machine intelligence, speech recognition, natural language processing, and machine perception, such as identifying images in photos and recognizing handwriting. “We look forward to collaborating with all the excellent computer science research that is coming from the region, and hope to contribute towards the wider academic community through our publications and academic support,” wrote Emmanuel Mogenet, head of Google Research in Europe. [Fortune]

EU – Other EU News

Facts & Stats

WW – Data Breach Costs Up 29% Since 2013: Study

A study from the Ponemon Institute and IBM found the average cost of a data breach is $4 million, a 29% increase from 2013. Ponemon’s study examined 283 companies, finding the average cost per compromised record was $158 in 2016, up from $154 last year. The study also revealed a 26% probability of an enterprise suffering one or more data breach where 10,000 records will be compromised over the next two years. Ponemon found that the healthcare industry has the highest costs per breached record, and that U.S. data breaches were the most costly per record, coming in at $223, with the average total cost estimated at $7.01 million. In related news, hackers have stolen the information of more than 45 million users of car, sports and tech sites in what could be one of the largest data breaches ever. Compromised data appears to include email and IP addresses, usernames and passwords. [ZDNet]

CA –Data Breaches Detection, Escalation Costs Highest in Canada: Report

Detection and escalation costs related to data breaches were the highest in Canada and lowest in India, note findings of a new global survey. The average detection and escalation costs for Canada was US$1.60. In contrast, the average costs were US$0.53,” states 2016 Cost of Data Breach Study: Global Analysis, benchmark research sponsored by IBM and conducted by Ponemon Institute LLC. “Data breach costs associated with detection and escalation are forensic and investigative activities, assessment and audit services, crisis team management and communications to executive management and Board of Directors,” notes the report. …The average cost per record to resolve being US$170 compared to US$138 per record for system glitches and US$133 per record for human error or negligence. Canada held a distinction in this respect. “Companies in the U.S. and Canada spent the most to resolve a malicious or criminal attack (US$236 and US$230 per record, respectively),” the report states. [Canadian Underwriter]

WW – Study: Most Companies Struggle to Restrict Sharing of Confidential Data

A new study found only 36% of surveyed IT practitioners from large companies are able to control how confidential data is shared with third parties. The study of more than 600 IT professionals also found that companies are rarely able to track where their most sensitive documents go. Only 27% of the those surveyed were able to restrict the sharing of confidential data between employees. According to the survey, conducted by the Ponemon Institute on behalf of Fasoo, 58% of companies say their employees use free online file sharing applications, and almost half say their employees, on occasion, keep confidential documents on their home computers or personal mobile devices. In addition, 68% of those surveyed say they don’t even know where their company’s confidential information is located. The study also revealed a deficiency in employee education about protecting data. Of the respondents, 56% said their companies did not educate their employees about protecting confidential information. The study found that careless employees were the primary cause of company data losses 56% of the time. The second most common cause was lost or stolen devices. In March, a SailPoint survey revealed that more than a quarter of employees said they uploaded sensitive information to cloud apps intending to share the information outside the company. According to Gartner, more than 70% of unauthorized access to data is committed by an organization’s own employees. Employees are frequently the cause of many security weaknesses in the enterprise. Most of these insider threats actually carry no malicious intent, but instead are the result of weak access controls and a lack of employee awareness. [CIO Dive] CSO: Study: Most companies can’t protect confidential documents

Finance

US – Home Depot Suit Claims U.S. Credit-Card Firms Block Security Upgrades

The Home Depot has alleged that MasterCard and Visa use faulty security measures prone to fraud in a new federal lawsuit. The company accused the financial institutions of putting cybersecurity behind economic gain and “dominant market positions,” calling its reliance on chip cards behind other, more secure, global methods. “Regardless of how the cardholder’s identity is confirmed, the chip makes data much more secure, rendering it almost useless to create fraudulent cards or transactions,” said a MasterCard spokesman. Meanwhile, Bob Hedges urged banks to engage in privacy debates in an op-ed for American Banker. “If they don’t, they run the risk that the public policy debate could eventually hurt their historical ‘trusted agent’ position,” he said. [The Seattle Times]

FOI

EU – ENISA Creates Free Personal Data Breach Notification Tool

ENISA, in co-operation with the Office of the Federal Commissioner for Data Protection and Freedom of Information of Germany (German DPA), developed a tool for the notification of personal data breaches. In particular, the purpose of the tool is to provide for the online completion and submission of a personal data breach notification by the data controller to the competent authority (DPA/NRA). It covers all types of personal data breaches and all types of business sectors, public or private. Based on the input of the notification, the tool also provides to the competent authority an assessment of the severity of the breach. The assessment is based on the relevant Personal Data Breach Severity Assessment Methodology developed by ENISA in co-operation with the DPAs of Greece and Germany. The tool is free for use by any interested party, in particular national competent authorities who would like to facilitate the notification of personal data breaches by data controllers in their countries. [Source]

Health / Medical

US – Oregon Prescription Database Access Ignites Privacy Debate

The Drug Enforcement Administration hopes to access Oregon’s Prescription Drug Monitor Program database in an effort to curb drug abuse, causing privacy concerns. The agency is fighting a 2014 U.S. 9th Circuit Court of Appeals ruling that decided warrantless seizure of the data was illegal. The DEA countered that as the PDMP is a third-party data host, users shouldn’t have an expectation of privacy, the report states. Not everyone agrees. “The primary purpose of PDMPs is health care, not law enforcement,” said the American Medical Association in an amicus brief. The database wasn’t created to be “a tool or repository for law enforcement to initiate access to gather information,” the AMA added. [The Daily Beast]

CN – China Pledges Tighter Privacy as it Centralises Personal Health Data

Chinese Premier Li Keqiang has announced the Chinese government’s intention to increase privacy regulations as it increases developments for health care data systems. “Enhancing the development of medical big data is a pressing task now,” Keqiang said. “It is also an important project for public welfare, in the context of a growing need for health and medical services.” To that end, “more comprehensive regulation and legislation in personal information and data protection” is necessary, he added. The State Council’s plans would call for the creation a countrywide health database, as well as a guide for medical record portability, the report states. [The Register]

Horror Stories

US – Cyber Insurer Seeks to Void Data Breach Coverage Because of Purported Misstatements in Policy Application

Cyber insurers commonly require insureds to complete detailed applications, often including extensive technical disclosure and risk self-assessments. The complaint recently filed by the insurer in Columbia Casualty Co. v. Cottage Health System illustrates the pitfalls in these requirements. Cottage Health, an operator of a hospital network, suffered a data breach in 2013 resulting in thousands of its patients’ private medical information being publicly disclosed. In addition to other losses, Cottage Health paid $4.125 million to settle a putative class action in 2014 and faces additional proceedings arising from the breach. Columbia’s lawsuit denies all coverage for the breach and seeks to rescind its policy due to the insured’s alleged failure to comply with the cybersecurity practices described in its application. In its complaint Columbia contends, first, that the “Failure to Follow Minimum Required Practices” exclusion in its cyber policy—applying to losses from, among other things, the Insured’s failure “to continuously implement the procedures and risk controls identified in the Insured’s application”—precludes coverage for Cottage Health’s losses. Columbia further contends that it has a right to void its policy altogether due to alleged misstatements in the “Risk Control Self Assessment” that Cottage Health completed as part of its cyber insurance application. Any new cyber policy wording requires expert legal scrutiny before purchase, because these specialty insurance products can contain gaps or hidden traps. For example, Cottage Health might have averted its dispute with Columbia if the policy’s potentially onerous “Failure to Follow Minimum Required Practices” exclusion had been modified or deleted. [Source] See also: [Cyber insurance is changing the way we look at risk ]

WW – Other Horror Stories

Identity Issues

WW – Apple to Use ‘Differential Privacy’ in New Software

Apple is using a special technique to balance user privacy with its data collection efforts. Apple’s Senior VP of Software Engineering Craig Federighi discussed “differential privacy” during his company’s Worldwide Developers Conference in San Francisco. “We believe you should have great features and great privacy,” Federighi said during the conference. “Differential privacy is a research topic in the areas of statistics and data analytics that uses hashing, subsampling and noise injection to enable … crowdsourced learning while keeping the data of individual users completely private. Apple has been doing some super-important work in this area to enable differential privacy to be deployed at scale.” [Wired] See also: [What Apple’s differential privacy means for your data and the future of machine learning] and [A Few Thoughts on Cryptographic Engineering]

IN – Alibaba Launches App With Face Recognition Lock Feature In India

Alibaba has unveiled Privacy Knight in India, a free app-lock that uses a one-second selfie to verify and grant access to users’ protected apps, BiometricUpdate.com reports. According to Alibaba, the program’s facial recognition with blink detection has 99.47% accuracy, the report states. “Face lock is set to change the way people protect their privacy,” said Alibaba’s Mobile Business Group. [Full Story]

Internet / WWW

WW – Microsoft’s Acquisition of Linkedin Faces Some Privacy Concerns

While Microsoft’s purchase of LinkedIn will benefit both companies, some are raising privacy concerns. BigID CEO Dimitri Sirota said the purchase is meaningful as Microsoft is acquiring “the world’s second largest personal database,” but the use of the data will determine the success of the sale. “Given that the value of the purchase will derive from the usage of personal data it will be natural to ask how this data usage gets governed so it doesn’t compromise either personal privacy or many privacy regulations,” said Sirota. Acquiring large amounts of personal data is an issue many companies now deal with, he said, adding, “Organizations gain tremendous marketing, sales and intelligence value from collecting and aggregating as much customer data as they can, but the tools to govern the privacy risk and compliance of the aggregated ‘identity’ data are only now being developed.” [TechRepublic]

Law Enforcement

CA – Constable Fired for Accessing Data

A Gatineau police officer was fired this week after pleading guilty in April to illegally accessing police records. For the crime of unauthorized use of a computer, whereby the constable checked information on three former friends in police databases, she received no jail time, but had to make a donation of $1,000 to a crime victims’ assistance center. Despite no data being passed to a third party, nor the constable apparently seeing any benefit from the access to the data, the Gatineau Police Service released a statement saying she was fired because it “requires its police officers meet the highest ethical standards and professional standards.” [Ottawa Citizen]

Online Privacy

US – OTA Releases Privacy Assessment of Consumer-Facing Websites

Consumer services websites are improving privacy practices while news sites need vast improvements. That’s according to the release of the 8th annual Online Trust Audit & Honor Roll. Conducted by the Online Trust Alliance, this wide-ranging audit looks at nearly 1,000 consumer-facing websites to assess their consumer protections, privacy practices and data security. [Full Story]

Other Jurisdictions

SG – Singapore PDPC Publishes Data Protection Guidelines

The Personal Data Protection Commission of Singapore has published a number of guidelines for data access, notification and privacy protection, among other related subjects, on its official website. Its newest guideline, Guide to Handling Access Requests, details “information and considerations for organizations in handling requests for access to personal data, including sample access request and acknowledgement forms,” the site states. [Full Story]

IN – TRAI Consultation Paper Talks Cloud Computing

The Telecom Regulatory Authority of India has released a 119-page consultation paper on cloud computing regulation. The paper’s six sections cover interoperability, cloud security, and bringing cloud services to governments, among other topics. Frameworks for cloud services remain a major focus, the report adds. “Regulations should be put in place to protect the interests of both cloud services providers and the consumers,” the paper states. “Legal framework under which the cloud operates becomes very important.” [The Wire]

Privacy (US)

US – FBI Says Utility Pole Surveillance Cam Locations Must Be Kept Secret

The US FBI has successfully convinced a federal judge to block the disclosure of where the bureau has attached surveillance cams on Seattle utility poles. The decision stopping Seattle City Light from divulging the information was expected, as claims of national security tend to trump the public’s right to know. However, this privacy dispute highlights a powerful and clandestine tool the authorities are employing across the country to snoop on the public—sometimes with warrants, sometimes without. Just last month, for example, this powerful surveillance measure—which sometimes allows the authorities to control the camera’s focus point remotely—helped crack a sex trafficking ring in suburban Chicago. Meanwhile, in stopping the release of the Seattle surveillance cam location information—in a public records act case request brought by activist Phil Mocek—US District Judge Richard Jones agreed with the FBI’s contention that releasing the data would harm national security. “If the Protected Information is released, the United States will not be able to obtain its return; the confidentiality of the Protected Information will be destroyed, and the recipients will be free to publish it or post the sensitive information wherever they choose, including on the Internet, where it would harm important federal law enforcement operational interests as well as the personal privacy of innocent third parties,” Jones ruled. [Ars Technica]

US – More States Adopt Education Privacy Protections

As students’ online presence grows due to schools’ growing reliance on digital third-party student databases, lawmakers and privacy advocates have expressed concern for the potential mishandling of students’ information. Some states have turned to stricter privacy laws, with nine states adopting new data regulations in 2016. “The conversation is looking different in every state and district at this point,” said the Data Quality Campaign’s Rachel Anderson. “Some states are really taking the approach of parents can decide if they want to opt-in or out of these additional recommendations.” In 2014, 21 states passed 26 student data laws mostly targeted at states and school districts. Many echoed a 2013 Oklahoma law that requires state approval to release student data and mandates that only aggregated data — no data tied to individual students — can be released. By last year, lawmakers had shifted their focus to third-party companies. They passed 28 student privacy laws, in many cases mirroring a California statute that prohibits service providers from using data to target ads to students, selling student information, and creating student profiles for commercial purposes. This year nine states — Arizona, Connecticut, Hawaii, Kansas, New Hampshire,Tennessee, Utah, Virginia and West Virginia — have added 11 new student data laws, mostly based on the California standard. A similar proposal is awaiting the signature of Colorado’s governor. Between 2014 and 2015, state legislators introduced 98 bills that included opt-in or opt-out provisions, and this year Arizona passed a law requiring schools to obtain parents’ permission before collecting certain data. [PBS Newshour]

RFID / IoT

US – Health and Human Services IG to Assess Medical Device Security Monitoring

The US Department of Health and Human Services (HHS) Office of Inspector General’s Fiscal Year 2016 Mid-Year Work Plan calls for an assessment of the Food and Drug Administration’s (FDA’s) review of cybersecurity control on wireless and Internet-connected medical devices. The HHS IG also plans to look into state Medicaid agency and contractor breach notification practices and responses. [GovInfoSecurity]

US – NSA Could Use Internet-Connected Medical Devices for Surveillance

NSA Deputy Director Richard Ledgett told an audience at the Defense One Tech Summit in Washington, DC, last week that the agency is examining ways to exploit the Internet of Things (IoT) to conduct covert monitoring. Ledgett said that the NSA is “looking at it sort of theoretically from a research point of view right now,” and noted that conducting surveillance through medical devices could be “a tool in the toolbox.” [ComputerWorld] [The Intercept]

US – Chicago Seeks Input on Privacy Policy for Sensor Network

Chicago officials will soon release their privacy policy for the city’s traffic sensor project, the Array of Things, for citizen input. The first of 500 devices will go live in July, collecting vehicular and environmental data, the report states. The policy aims to protect collateral information that could identify an individual. “We’ve always been focused on making sure there was a privacy policy to inform the public about how the data that the nodes are collecting is going to be managed,” said Department of Innovation and Technology Commissioner and Chicago Chief Innovation Officer Brenna Berman. Open policy screenings begin June 14, the report adds. [Chicago Tribune]

CA – Who is Watching You on B.C. Highways?

At any time thousands of drivers are on B.C. highways trying to get places as soon as they can. And there is a team of people keeping an eye on all of that that traffic – in a building nestled between Highway 1 and Lougheed Highway in Coquitlam. Transportation Management Centre staff keep watch on over 600 cameras throughout the province. And when you are on the Lions Gate Bridge, Penny Martin is watching and decides when to flip the counterflow lane. There are sensors and computers but Martin says it is often simply watching the causeway cameras for volume that will guide her decision to flip the lane. And it’s not just for Metro Vancouver. With the flick of a mouse people here can change the speed limits on the Sea to Sky or Coquihalla highways using the new variable speed limit signs. Centre manager Brigid Canil says they use advanced traffic management software to change speed limits, almost instantly, based on weather or traffic conditions. But what if the speed limit changes from 120 kilometres an hour to 80 km/hr and police pull you over? “We would know exactly what times the signs would change and be able to correlate what time the ticket was written to ensure the individual is treated fairly,” said Transportation Minister Todd Stone. Another big issue is privacy. On the Drive BC website you can see a “Replay the Day” video of many locations – but they say they don’t keep piles of surveillance. “We don’t keep the data and that is directly in response to concerns about privacy,” said Stone. [Global News]

Security

WW – Study: Weak Passwords, Phishing Attacks Top Breaches

Verizon’s 2016 Data Breach Investigations Report has found that 63% of recent breaches were due to weak passwords. Phishing scams are also a major culprit, the report states. Nearly one-third of the analyzed phishing emails were opened by recipients. While the sophistication and success rate of these attacks is growing, strategies for keeping oneself safe remains the same. “The surest anti-phishing protection is also one of the rarest assets around: common sense,” the report adds. “No matter who an email comes from, never click on a link in an email — instead cut and paste it into a web browser and read the address. If it smells phishy, it probably is.” [TechCrunch] [Employee Error Accounts for Most Security Breaches]

US – FICO to Offer ‘Enterprise Security Scores’

Fair Isaac Corp. has acquired cybersecurity startup QuadMetrics to create an industrywide “enterprise security score” for businesses. The security score will act as an equivalent to the FICO consumer-credit scores, giving chief information officers and other IT professionals an “easy-to-understand” metric to determine their company’s online risks, while handling other possible issues from third-party software vendors and acting as a guide for cyber breach insurance underwriting. “Just as the FICO Score gave credit markets a single metric for understanding credit risk, this product will give the industry a common view of enterprise security risk,” said FICO’s Vice President of Cybersecurity Solutions Doug Clare. [The Wall Street Journal]

Surveillance

CA – RCMP Can Spy on Your Cellphone, Court Records Reveal

A judge lifted the publication ban on information surrounding a suspected mafia murder, revealing different surveillance methods used by the RCMP. While investigating the 2011 murder of Salvatore Montagna, the RCMP used IMSI catchers, commonly known as “Stingrays,” to mimic cellphone towers in order to obtain information on a suspect’s phone. The RCMP used the collected information to intercept and decode BlackBerry PIN-to-PIN messages as part of the murder cover-up. “Our biggest concern with Stingrays is there’s really no regulation or oversight as to how they’re being used,” said OpenMedia Digital Rights Specialist Laura Tribe. “We right now, as the Canadian public, have no idea where they’re being used, when, what the requirements are for these technologies being used and what’s happening to the data of everyone being caught up in their sweep.” [CBC News] See also: [VPD admits to not owning a Stingray surveillance device, but is it ‘borrowing’ one?] and [Santa Clara County, California, has approved an ordinance that requires government agencies to put policies in place before acquiring or activating new surveillance technologies.]

US Government Programs

US – Federal Government Releases Final Guidance on CISA

The Department of Homeland Security (“DHS”) and Department of Justice released final guidance as required by Title I of the Cybersecurity Act of 2015 (“CISA”), which was enacted into law this past December. The guidance was prepared in consultation with several additional federal agencies, and includes four separate documents.

  1. The first document (“sharing guidance”) provides guidance for non-federal entities (including state governments) that elect to share cybersecurity information with the federal government under CISA.
  2. The second document establishes “privacy and civil liberties guidelines governing the receipt, retention, use, and dissemination” of cyber threat indicators and defensive measures by the federal government.
  3. The third document, which was released in final form on February 16, describes procedures through which information is shared by the federal government to participating non-federal entities.
  4. The fourth document describes procedures for the receipt of cyber threat indicators and defensive measures by the federal government. [Inside Privacy]

 

+++

 

 

03-09 June 2016

Biometrics

CA – Federal Photo-Matching Scheme Quietly Singles Out Passport Fraudsters

Federal officials used photo-matching technology to identify 15 high-risk people – all wanted on immigration warrants – who used false identities to apply for travel documents. The Liberal government might make the facial-recognition scheme permanent to help find and arrest people ineligible to remain in Canada due to involvement with terrorism, organized crime or human rights violations. The photo-matching idea emerged from concerns that people wanted by the Canada Border Services Agency might use fake names to obtain genuine Canadian travel documents from the Immigration Department’s passport program, say internal memos released under the Access to Information Act. The privacy commissioner’s office has not been consulted on the project. However, both the border agency and the passport program have shared information about other facial-recognition initiatives with the commissioner. Passport officials have used the image-matching technology for years to see if someone has applied for multiple travel documents in different names. The border agency has quietly been working with other agencies since at least 2011 to gauge the ability of devices to extract usable facial images from video footage. [Source]

Canada

CA – Court Rules that Health Records Do Not Require Vetting Prior to Disclosure to Childrens Aid Society

The Court considers a request for a protection application for the production of records from non-parties. The records, containing mental health information of a parent, do not require vetting by counsel for the society or the parent (this approach could give either party an unfair advantage in litigation), or the Court (the mental health records are relevant to whether the parent’s children are in need of protection, and the production order will be structured to preserve the parent’s privacy interests). [Catholic Children’s Aid Society of Hamilton v. L.K. – 2016 CanLII 15148 (ONSC) – Superior Court of Justice of Ontario]

CA – BC Appeals Court Finds Senders of Texts and Emails Have a Reasonable Expectation of Privacy in the Content of the Message

a review of impact of the BC Court of Appeal’s decision in R. v. Craig. Senders have a reasonable expectation that their text messages will be confidential; senders do not abandon their right to privacy in the content of the message, to the extent that they should be able to count on the recipient’s duty of confidentiality. While there is inherent risk in any human interaction, the risk that a message might be improperly shared (i.e. breach of confidentiality) is not enough to vitiate a reasonable expectation of privacy. ‘[Privacy, technology, and instant messaging – The British Columbia Court of Appeal sends a (instant) message – Dara Jospé, Michael Shortt, and Antoine Guilmain – Fasken Martineau, Montréal]

CA – Other Canada News

E-Government

US – Survey: A Year After the OPM Hack, Victims Don’t Feel Safer

A Federal News Radio survey on the Office of Personnel Management breach has found that roughly 55% of government employees and contractors don’t feel their personal information is safer a year after the hack. George Mason University’s Jim Jones said one reason for these responses is that many acknowledge that the risks move faster than security efforts. “The threat is so flexible and responsive in the sense that when we do something, we close one hole they simply move on to another one,” he said. Meanwhile, NPR also examines the changes in security practices at the OPM in a subsequent report. [Federal News Radio]

E-Mail

CA – OIPC ON Cautions Against Using Personal Email and Instant Messaging When Doing Public Business

Ontario’s Information and Privacy Commissioner, Brian Beamish, is calling on the leaders of all public institutions to educate staff and enact policies to strictly control the use of personal email and messaging tools, such as BlackBerry Messenger, to conduct business. All public servants should be aware that records relating to government business are subject to provincial access legislation, even if they are created, sent or received through instant messaging tools or personal email accounts. The use of these tools and accounts can create a number of challenges for institutions in meeting their obligations under Ontario’s access and privacy laws. To avoid these issues, Beamish is asking all Ontario institutions to either strictly control the use of personal email or instant messaging when doing business, and implement clear policies to help public servants meet their legal obligations. If it is necessary to use these tools, institutions must plan for compliance by conducting thorough risk assessments and implementing appropriate administrative and technical measures to ensure that records are saved. A new guide to assist Ontario’s public institutions, Instant Messaging and Personal Email Accounts: Meeting Your Access and Privacy Obligations, is now available. [Office of the Information and Privacy Commissioner of Ontario]

Electronic Records

CA – Alberta OIPC Issues Guidance for EHR Systems

The OIPC of Alberta has published Guidance for Electronic Health Record Systems. This guide was developed to assess the safeguards in electronic health record (EHR) systems. Custodians and their EHR service providers may use this document to support a Privacy Impact Assessment on an EHR system, or to examine whether changes to a system comply with Health Information Act requirements. Two versions of the document are available on our website. A PDF version and an editable Word document:

EU Developments

US – US and EU Officially Ink Umbrella Agreement

Officials from the EU and U.S. officially signed the so-called Umbrella Agreement, which sets privacy protections on European citizens’ personal data when transferred to the U.S. for law enforcement purposes. It will give EU citizens judicial redress in U.S. courts — something the EU already provides for U.S. citizens. U.S. Attorney General Loretta Lynch, Dutch Minister Ard van der Steur, and EU Justice Commissioner Věra Jourová signed the deal Thursday. Privacy advocates, however, have expressed concern about the deal. Access Now’s Estelle Massé said the new rules are “toothless” and that it “should absolutely be brought back to the drawing board.” [Ars Technica]

EU – British Lawmakers Pass New Digital Surveillance Law

The House of Commons passed the controversial Investigatory Powers Bill, which would provide security agencies with stronger monitoring abilities. The bill was approved 444-69. Interior Minister Theresa May said the new law will help “keep us safe in an uncertain world.” While May noted the scrutiny of the Investigatory Powers Bill was “unprecedented,” a new privacy clause has been added requiring agencies to contemplate less intrusive ways to surveil, while also offering special protections for lawmakers, journalists and lawyers. “It provides far greater transparency, overhauled safeguards and adds protections for privacy and introduces a new and world-leading oversight regime,” May said. The bill now moves to the upper house of Parliament, the House of Lords. [Reuters]

EU – European Commission Creates Code of Conduct for Mobile Health Apps

The European Commission has formally submitted a code of conduct to the Article 29 Working Party to increase privacy capabilities on mobile health apps. The code has been handed in for comments, and once approved, app developers can voluntarily commit to them. The European Commission code is based on EU data protection legislation, and aims to raise awareness for all parties, including small and medium enterprises as well as individual developers who may not have legal teams on hand, and “increase compliance at the EU level for app developers.” The code covers numerous issues, including user consent, purpose limitation, privacy by design and default, and data security. The European Commission also covered advertising within mHealth apps, disclosing data to third parties, children’s privacy, and data transfers. [Telecompaper] [Press Release] [Public Consultation]

EU – EDPS Announces New Accountability Initiative

European Data Protection Supervisor Giovanni Buttarelli announced a new accountability initiative to help EU bodies transition to the General Data Protection Regulation. The EDPS started working on a project to enhance accountability in data processing in 2015, when the agency examined itself as an institution. “We developed a specific tool to ensure and demonstrate our accountability as an organisation, to plan and to keep track of related actions. This document consists of a set of questions for the supervisors, the director, the staff responsible for managing processing operations and our data protection officer,” Buttarelli wrote in a blog post. “This year, we aim to visit — and have already started — small, medium, and large EU bodies to explain the new obligations,” he continued, adding, “As part of our efforts … we will recommend our accountability document during these visits and suggest that they tailor it to suit their specific needs.” [EDPS Blog Post]

Finance

WW – Facebook is Using Your Phone to Listen to Everything You Say: Professor

Facebook admits to using people’s microphones to listen to what they say, but they claim this is somehow a good thing. Kelli Burns, mass communication professor at the University of South Florida claims to have tested devices running the Facebook mobile app, and found that all of them are listening to everything you say, providing customized ads based on what you are saying. “I’m really interested in going on an African safari. I think it’d be wonderful to ride in one of those jeeps,” she said out loud with her phone in hand. According to the NBC report, less than a minute later, the first story in her Facebook feed was about a safari. And a car ad soon appeared on her page – go figure. Of course, this is not scientific evidence at this point, but Burns is not one to shun. Before becoming an academic, she spent seven years in corporate marketing and is a well-known figure in social media circles. Facebook didn’t deny the claims. Instead, it admitted that it picks up sounds from users, but said that it only does this to recommend they post things on Facebook. It’s not the first time Facebook has come under fire for something like this. Last years it was also accused of the same thing, and they said at the time that users had to turn their microphone on in order for this to work. But now, the microphone is on by default, so this does seem to confirm that Facebook is listening to you. [zmescience.com]

FOI

CA – Ontario Health Ministry Ordered to Disclose Names on OHIP Billings

Ontario’s privacy watchdog has ordered the province to publish the names of the 100 doctors whose billings to the Ontario Health Insurance Plan are highest. An adjudicator, ruling on an access-to-information request from the Toronto Star, said the billings are “not personal information” and, even if they were, it would be in the public interest to reveal them. The Ontario Medical Association, which represents the province’s 28,000 physicians, opposed release of the data, saying it could be misconstrued. (Billings are not salaries but gross payments from which doctors must pay office overhead, benefits and pension.) The OMA has not yet decided if it will appeal the ruling. If it does not, the data will be made public on July 8. [Source] [IPC Decision] [54-page order] [Ontario Doctors’ Billings: Transparency is the Best Medicine] [End the secrecy over doctors’ billings: Editorial]

CA – OIPC NFLD Expects Redaction to be Used Sparingly

The Office of the Newfoundland and Labrador Information and Privacy Commissioner provided its expectations for Public Body Coordinators on handling non-responsive information in an access request, pursuant to the Access to Information and Protection of Privacy Act. Redact non-responsive information only where necessary and appropriate; best practices include, releasing the information if it is just as easy as claiming non-responsive (this will save time-consuming consultations and time weighing discretionary exceptions), avoid breaking the flow of information (do not claim non-responsive within sentences or paragraphs), and explain what non-responsive means in the final response to the Applicant, and that information has been redacted on this basis. [Newfoundland and Labrador OIPC – Practice Bulletin – Redacting Non-Responsive Information in a Responsive Document]

US – Snowden Questioned NSA’s ‘Interpretation of Legal Authorities’ Before Leak

Former government contractor Edward Snowden attempted to contact the NSA about its surveillance programs before exposing a trove of documents to the public. In response to a “long-running” Freedom-of-Information-Act lawsuit, the Office of the Director of National Intelligence released more than 800 pages of communications to Vice News revealing Snowden tried to ask questions about the “interpretation of legal authorities” related to the programs. The documents also reveal Snowden’s face-to-face interaction with an official, details about Snowden’s work with the agency, and efforts by the NSA, the White House and U.S. Senator Dianne Feinstein, D-Calif., to discredit Snowden. [Full Story]

Genetics

US – Biden Unveils Launch of Major, Open-Access Database to Advance Cancer Research

Vice President Joe Biden will unveil a 12,000-patient, open-access cancer research database called the Genomic Data Commons today. The database will include “raw genomic and clinical data” as well as information regarding patients’ treatment types and their bodies’ response to it, the report states. “This is good news in the fight against cancer,” Biden said. “Increasing the pool of researchers who can access data and decreasing the time it takes for them to review and find new patterns in that data is critical to speeding up development of lifesaving treatments for patients.” The GDC will have privacy protections in place, with representatives from cancer centers drafting a model consent form, the report adds. [Washington Post] See also: [Canada: Genetic Discrimination And Canadian Law] and [How new DNA testing is cracking open long-stalled cold cases]

Health / Medical

US – OCR: Sharing Electronic Patient Data Crucial, Requires Cooperation

A slew of breakthroughs will put the pressure on health care leaders to start becoming more transparent with data. Deputy Director of Health Information Privacy in the Department of Health and Human Services’ Office for Civil Rights Deven McGraw highlighted this during the Office of the National Coordinator for Health Information Technology’s annual meeting in Washington, where she said cooperation will be key for successfully sharing patient data. “I can enforce people to comply with the law, but the culture change that makes a difference is not because the government is going to force it down people’s throat,” said McGraw. “It’s going to happen because people want it and demand it.” McGraw said providers should release electronic patient data at their request. “Whatever the patient wants to do with that information, it’s her right to have it and to have it in the form or format that she wants it,” McGraw said. [Healthcare IT News]

Horror Stories

WW – 32M Twitter Passwords Held at Ransom

A hacker with purported ties to the LinkedIn, Myspace, and Tumblr breaches is now claiming to have a database of 32 million Twitter login credentials at ransom. “The explanation for this is that tens of millions of people have become infected by malware, and the malware sent every saved username and password from browsers like Chrome and Firefox back to the hackers from all websites including Twitter,” said a statement from breach-notification company LeakedSource, which analyzed the database and was able to verify accounts. The company added that the passwords taken were most likely in plain text with no hashing. “The lesson here? It’s not just companies that can be hacked, users need to be careful too,” the statement said. [ZDNet]

EU – Dutch DPA Receives More Than 1,500 Breach Notifications in First 4 Months

Review of the first 4 months of new breach notification requirements in the Netherlands shows that, in approximately two-thirds of breaches, the DPA had reason to more closely examine the circumstances of the breach or it opened formal investigations; subsequent action was taken against about 70 organisations. DPA’s classification of breaches found that 3 of the four categories related to inadvertent disclosures by the organisation (e.g. loss of unencrypted devices, insecure disposal, or insecure transfers); the remaining category related to malicious access to databases and ransomware. [130 days, 1,500 notifications: Does Dutch breach rule foreshadow GDPR? – Lokke Moerel and Alex van der Wolk, Morrison & Foerster LLP]

Identity Issues

WW – Search Queries Could Leave Medical Clues: Study

A Microsoft study published June 7 has found that by analyzing large sets of anonymized search engine queries, scientists may be able to detect those internet searchers with pancreatic cancer before an official diagnosis. “We asked ourselves, ‘If we heard the whispers of people online, would it provide strong evidence or a clue that something’s going on?’” researcher Dr. Eric Horvitz said. He acknowledged that using data in this way was uncharted territory for the health care industry. Regardless, “We’re hoping that this stimulates quite a bit of interesting conversation,” he said. [The New York Times]

WW – Inventor of the Web Creates Identity on Bitcoin Blockchain

Sir Timothy Berners-Lee, an english computer scientist and the inventor of the World Wide Web has created his first Bitcoin blockchain ID on June 9, through the popular blockstack-based platform Onename. Built on the decentralized, privacy-centric, and Bitcoin blockchain-secured database Blockstack, Onename is an open source platform which enables users to register their social media accounts and IDs through the Bitcoin blockchain network. The concept of embedding an account on the Bitcoin blockchain is fairly simple. Each Bitcoin transaction has a feature which allows users to store data apart from the core transaction information, creating space for anyone to embed small pieces of data in accordance with transaction data in a full transaction. Through the Blockstack nodes, Onename then verifies and authenticates various social media accounts, linking it to their network and enabling users to identify others through the account. “With the Blockstack software, a network of computers collectively maintain a global registry of identities, public keys and names. When you run a Blockstack node, you join this network, which is more secure by design than traditional identity, naming, and digital registry systems,” explains the Blockstack team. [Source]

Law Enforcement

CA – BC Police Act Violates Charter (sec.8), Suspended Vic Chief Says

Suspended Victoria Police Chief Frank Elsner is asking the courts to declare that sections of B.C.’s Police Act violate the Charter of Rights and Freedoms’ search and seizure provisions and are therefore not enforceable. Under the act, independent investigators with the Office of the Police Complaint Commissioner are not required to obtain warrants to search police premises, equipment and records when looking into allegations of misconduct at municipal departments. Those provisions violate Section 8 of the charter, because they relate to matters to which there is a high expectation of privacy, Elsner says. Section 8 protects against unreasonable search and seizure. [The Victoria Times Colonist]

Online Privacy

US – Android Users Seek Class-Action in Privacy Battle Over App Purchases

Android users are requesting to go forward with a class-action lawsuit against Google’s app store for allegedly disclosing personal information to developers. The lawsuit, started by Illinois resident Alice Svenson in 2013, is on behalf of numerous Android users who made purchases on the Google app store. “Casting aside the express promises made in their own terms of use, for years, defendants have routinely and systematically disclosed to third-parties, their buyers’ personal contact and billing information — including, names and email addresses — which they now admit was not necessary to complete the transactions or otherwise authorized for disclosure,” the users’ lawyers wrote in the motion. Svenson’s initial lawsuit was thrown out, but after revising her complaint by saying the disclosure lessened the value of her personal data, it was allowed to proceed. Last year, U.S. District Court Magistrate Paul Grewal in San Jose dismissed a separate lawsuit that also alleged Google violated app purchasers’ privacy by sending their names to developers. [MediaPost]

EU – Researchers Re-identify 40% of RTBF Subjects

One of the world’s most widespread efforts to protect people’s privacy online —RTBF— may not be as effective as many policymakers think, according to research by computer scientists based, in part, at New York University. The academic team said that in roughly a third of the cases examined, the researchers were able to discover the names of people who had asked for links to be removed. Those results, based on the researchers’ use of basic coding, came despite the individuals’ expressed efforts to remove their names from searches. The research paper raises questions about how successful Europe’s “right to be forgotten” can be if the identities can still be found with just a few clicks of a mouse. The paper says such breaches undermine “the spirit” of the right to be forgotten. The research also will add increased pressure on some European authorities, particularly the French privacy regulator, who would like Google and other online search engines like Microsoft’s Bing to extend the reach of the right to be forgotten across all of the companies’ global domains, including Google.com in the United States. “This poses a threat to whether the ‘right to be forgotten’ can be maintained in the long-term,” said Keith Ross, dean of engineering and computer science at NYU Shanghai, who led the project and who said he had contacted Google with his research. “If a hacker can easily find 30 or 40% of people’s names from delisted articles, what is the point?” he said. [New York Times]

Privacy (US)

US – Federal Appeals Court Says No Warrant Needed for Stingray Use

The Fourth US Circuit Court of Appeals has overturned a lower court verdict that ruled law enforcement must obtain warrants before using cell-site simulators to determine a suspect’s location. According to the ruling, obtaining the information does not violate a suspect’s Fourth Amendment rights because the information is already being shared with the suspect’s wireless carrier” “Whenever [an individual] expects his phone to work, he is permitting – indeed, requesting – the service provider to establish a connection between his phone and a nearby cell tower.” [ZDNet]

US – Yahoo Publishes National Security Letters

Yahoo has published three National Security letters it has received from the federal government. National Security Letters allow federal law enforcement officers to demand customer records and transaction information from communication companies without the need for a warrant. The letters also carried a gag order that until recently never expired – anyone or organization receiving an NSL was not permitted to disclose its contents or even its existence. The USA Freedom Act, which became law last year, changed those requirements. The FBI must now review gag orders once the investigation is closed or three years after it was opened, to determine if lifting the order will or will not be detrimental to the investigation. Yahoo’s disclosure is the first since the USA Freedom Act passed. [Wired] [eWeek] [Redacted letters] [Yahoo’s position]

US – NTIA Issues Best Practices for Operators of Commercial and Private Drones

The National Telecommunications and Information Administration released its best practices for use of drones by operators for private and commercial uses. Public comments were sought in 2015. Operators should making a reasonable effort to provide prior notice to individuals of the general timeframe and area in which they intend to operate a drone to collect data; provide a publicly available privacy policy that includes the purposes of collection, the types of data the drone will collect, the operator’s data retention and de-identification practices, the types of entities with which data will be shared, how to submit privacy/security complaints or concerns, and a description of response practices to law enforcement requests. [National Telecommunications and Information Administration – Voluntary Best Practices for UAS Privacy, Transparency, and Accountability]

US – Snowden Questioned NSA’s ‘Interpretation of Legal Authorities’ Before Leak

Former government contractor Edward Snowden attempted to contact the NSA about its surveillance programs before exposing a trove of documents to the public. In response to a “long-running” Freedom-of-Information-Act lawsuit, the Office of the Director of National Intelligence released more than 800 pages of communications revealing Snowden tried to ask questions about the “interpretation of legal authorities” related to the programs. The documents also reveal Snowden’s face-to-face interaction with an official, details about Snowden’s work with the agency, and efforts by the NSA, the White House and U.S. Senator Dianne Feinstein, D-Calif., to discredit Snowden. [Vice News] [Snowden and the NSA Gets Curiouser and Curiouser]

US – Court Certifies Class Action Alleging Social Networking Site Unlawfully Scanned Users’ Private Messages

A US Court has considered a motion for class certification of a complaint alleging Facebook violates users’ privacy by scanning their private messages. The Court accepted the Plaintiffs’ argument that injunctive relief is appropriate for the class as a whole because Facebook has utilized a uniform system architecture and source code to intercept and catalog its users’ private message content; the Court rejects the social networking site’s argument that individual proof will show that many class members impliedly consented to the challenged practices. [Matthew Campbell et al. v. Facebook, Inc. – 2016 U.S. Dist. LEXIS 66267 – United States District Court For The Northern District Of California]

US – Electronic Health Records Company Settles FTC Charges It Deceived Consumers About Privacy of Doctor Reviews

The FTC announced electronic health records company Practice Fusion has settled with the agency over claims it mislead customers by asking for reviews of its doctors without telling customers the reviews would be made public, resulting in the disclosure of sensitive medical data. “Practice Fusion’s actions led consumers to share incredibly sensitive health information without realizing it would be made public,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “Companies that collect personal health information must be clear about how they will use it — especially before posting such information publicly on the internet.” In its settlement with the FTC, Practice Fusion is prohibited from making deceptive statements about the privacy and confidentiality of consumer information it collects, while requiring consumer opt-in before disclosing any information in the future. [Full Story]

Security

US – Three Bills Approved To Boost Security for California’s IT systems

California lawmakers passed three bills designed to strengthen the security of the state’s information technology systems. One of the bills would mandate a statewide response plan for cybersecurity threats on critical infrastructure by July 1, 2017. “Ensuring that these preparations are made for cybersecurity will make our state networks more resilient, improve response coordination, reduce recovery time and costs and ultimately limit the damage that is done,” said bill author Jacqui Irwin, D-Thousand Oaks. Another bill requiring state agencies to create detailed data breach response plans was unanimously approved by the California Senate, along with legislation making it illegal to knowingly put ransomware on a computer’s system, network or data. [Techwire]

CA – New Conference Board Centre to Focus on Cyber Security Policy

A new Conference Board of Canada research Centre is working to tackle cyber security issues that affect all Canadian citizens, starting with the critical issue of personal data privacy in the digital world. The first research from the Centre aims to get decision-makers and Canadians up-to-speed on privacy regulations and capable of making smart decisions. The report, Private Matters: Regulating Privacy in Canada, the European Union and the United States, highlights key trends that firms should address in order to maintain proactive privacy compliance. They include:

  • Consent—The broad concepts of informed and implied consent are no longer sufficient. Regulators are increasingly demanding that consent be active, explicit, and easily understood.
  • Breach notification—Enhanced regulations require organizations to report privacy breaches in a timely, comprehensive way. Failure to do so can result in steep fines and costs to a firm’s reputation.
  • Territoriality—Privacy will have to balance the rights of national citizens against the borderless nature of e-commerce. The new EU-U.S. Privacy Shield will have an impact on this debate. If EU demands prevail, EU citizens’ right to privacy will travel with their data.
  • Individual rights after consent—As regulators and industry get closer to figuring out how to get consent right, they will need begin enumerating the rights of individuals who have consented to data collection. They will also need to determine the appropriate remedies when those rights are violated.
  • Answering public demands—As the pace and pervasiveness of technology continue to accelerate, regulators will have to strike a balance between protecting the public and insisting the public more meaningfully contributes to its own protection.

The Conference Board of Canada’s new Cyber Security Centre examines the evolving nature of cyber security at the strategic and policy level, in order to meet the needs of senior executives and board members across all sectors and industries. [Conference Board of Canada News Release]

Surveillance

CA – BlackBerry Hands Over User Data to Help Police ‘Kick Ass,’ Insider Says

A specialized unit inside mobile firm BlackBerry has for years enthusiastically helped intercept user data — including BBM messages — to help in hundreds of police investigations in dozens of countries, a CBC News investigation reveals. CBC News has gained a rare glimpse inside the struggling smartphone maker’s Public Safety Operations team, which at one point numbered 15 people, and has long kept its handling of warrants and police requests for taps on user information confidential. A number of insiders, none of whom were authorized to speak, say that behind the scenes the company has been actively assisting police in a wide range of high profile investigations. But unlike many other technology companies, which regularly publish transparency reports, it is not clear how many requests BlackBerry receives each year, nor the number of requests it has fulfilled. [Source] See also: [More Canadian telcos should detail police data requests: Privacy commissioner]

US – Google Wants Privacy Lawsuit Dismissed, Cites Spokeo Case

Citing the Supreme Court’s decision in the Spokeo case, Google is asking a U.S. district judge to dismiss claims it disregards privacy laws. Google filed court papers in response to allegations it violates federal and state privacy laws by scanning emails in order to serve ads. A lawsuit from San Francisco resident Dan Matera claims Google illegally “intercepts” email messages, which forced him to interact with Gmail users, even though he did not have a Gmail account. Thanks to the result of the Spokeo case, Google wants Matera’s case thrown out, saying he cannot show a concrete injury, the report states. “Plaintiff does not allege, for example, that the alleged violations led to the disclosure of his confidential information to third parties, or that he suffered any other purported harm from the alleged ‘interceptions’ of his emails,” Google wrote in the papers. [MediaPost]

UK – Spies Circumvented Surveillance Laws With No ‘Meaningful’ Oversight

Privacy International has released previously confidential government documents that shed light on how British spy agencies circumvented legal restraints on their surveillance powers, with little interference from the commissioner charged with overseeing them. The documents detail correspondence carried out in 2004 between lawyers for two UK spy agencies — the Government Communications Headquarters (GCHQ) and MI5 — and Sir Swinton Thomas, the Interception of Communications Commissioner at the time. Thomas was responsible for overseeing the two agencies, but Privacy International, a London-based watchdog organization, says his correspondence with the GCHQ and MI5 “exposes the lack of meaningful restraint of the agencies’ over-reaching and intrusive powers.” The release of the document comes ahead of a Parliamentary debate on the controversial Investigatory Powers (IP) Bill. Introduced last year, the bill aims to provide a legal framework for bulk data collection, while increasing transparency and strengthening oversight for British spy agencies. But privacy advocates, internet service providers, and major technology companies have expressed alarm over the law — referred to by critics as the “snooper’s charter” — arguing that it gives police and intelligence agencies broad surveillance powers under vaguely defined terms. Privacy International says that the correspondence released today demonstrates the flimsiness of existing oversight mechanisms. [The Verge] [UK: Official correspondence reveals lack of scrutiny of MI5’s data collection]

+++

 

27 May – 02 June 2016

Biometrics

WW – Car’s Computer Can ‘Fingerprint’ You in 5 Min Based on How You Drive

The way you drive is surprisingly unique. And in an era when automobiles have become data-harvesting, multi-ton mobile computers, the data collected by your car—or one you rent or borrow—can probably identify you based on that driving style after as little as a few minutes behind the wheel. In a study they plan to present at the PETs Symposium in Germany this July, a group of researchers from the University of Washington and the University of California at San Diego found that they could “fingerprint” drivers based only on data they collected from internal computer network of the vehicle their test subjects were driving, what’s known as a car’s CAN bus. In fact, they found that the data collected from a car’s brake pedal alone could let them correctly distinguish the correct driver out of 15 individuals about nine times out of ten, after just 15 minutes of driving. With 90 minutes driving data or monitoring more car components, they could pick out the correct driver fully 100 percent of the time. “With very limited amounts of driving data we can enable very powerful and accurate inferences about the driver’s identity.” And the researchers argue that ability to pinpoint could have unexpected privacy implications: Everything from letting insurance companies punish drivers who loan their cars to their teenage kids, to confirming the identity of a driver who violated traffic laws or caused a collision. [Wired] [Is driving style the next biometric?]

US – Tattoo Recognition Research Threatens Free Speech and Privacy: EFF

An EFF Investigation Finds NIST/FBI Experimented with Religious Tattoos, Exploited Prisoners, and Handed Private Data to Third Parties Without Thorough Oversight …Now, with NIST and the FBI on the precipice of a new, larger experiment that will use upwards of 100,000 tattoo images, officials must suspend any further research into tattoo recognition technology until they address the First Amendment, ethical, and privacy concerns EFF has identified. [Source] See also: [Six Things You Need to Know Before Collecting Biometric Information]

Canada

CA – Company Scraps ‘Bad Tenant List’ After OPC Upholds Complaint

A property management company that maintained a “bad tenant” list for a landlord association has agreed to scrap it after the office of federal Privacy Commissioner Daniel Therrien concluded the personal information it contained was improperly collected. Therrien’s office investigated after receiving a complaint in February 2014 from a single parent with a disabled child. The unidentified woman had applied to the company for new rental accommodation that was fully accessible to her child, but was turned down. She was told by the company that her inclusion on the bad tenant list — for allegedly having skipped payments and for owing money for damages — was one of the reasons it was denying her housing services. The management company, which wasn’t named, told privacy commissioner investigators that members of the unidentified landlords association added the names of “bad tenants” to the list. The personal information on the list included the tenant’s name, the alleged incident for which the individual’s name was added to the list and the rental accommodation where the problem occurred. The company said the information was used to help landlords “avoid credit default” by potential tenants and determine “valid renters.” The complainant said she never consented to her personal information being collected for that purpose and wasn’t allowed to see the information about her or find out which landlord had added her name to the list. The property management company pointed to a clause in its rental agreement authorizing the landlord to obtain credit reports “or other information as may be deemed necessary.” But in a recently posted decision, the privacy commissioner’s office says it did not see how those words “would lead individuals to understand they were consenting to their personal information being collected, used and disclosed for the purposes of a ‘bad tenant’ list.” [Source]

CA – Office of the Privacy Commissioner Announces First Investigation Under Address Harvesting Provisions

The OPC announced its report of findings against Compu-Finder, a Quebec-based company that offers face-to-face professional training courses. The OPC alleges Compu-Finder used address harvesting programs to search and collect e-mails on the internet. This marks the first investigation by the OPC involving its address harvesting provisions under the Personal Information and Electronic Documents Act (PIPEDA). The OPC concluded that Compu-Finder did use e-mail addresses of individuals to send e-mails promoting its business activities, without the consent of the individuals concerned. Compu-Finder was unable to demonstrate it had the appropriate consent for the collection and use for many of the e-mail addresses. Further, the OPC found Compu-Finder lacked basic privacy knowledge of its obligations and failed in demonstrating accountability and openness of its privacy practices. This investigation also debuts the OPC’s compliance agreement power since the tool was added by the Digital Privacy Act on June 18, 2015. The compliance agreement between the Privacy Commissioner of Canada and Compu-Finder lists over ten remedial measures imposed on Compu-Finder. Some of the following measures that Compu-Finder has agreed to implement, include:

  • collect and use only e-mail addresses with proper consent;
  • destroy all e-mail addresses in its possessions which were collected without obtaining consent;
  • refrain from collecting any electronic addresses of individuals through the use of a harvesting computer program;
  • develop and implement a privacy program; and
  • obtain a third-party audit of its privacy program.

Compu-Finder is also under investigation by the CRTC, who issued a Notice of Violation against Compu-Finder pursuant to Canada’s Anti-Spam Legislation (CASL) on March 5, 2016. The OPC acknowledged the CRTC shared investigative information with the OPC pursuant to CASL and a Memorandum of Understanding between the two agencies. The CRTC’s proceedings against Compu-Finder are still on going. You can read the full report of findings and compliance agreement online here. [Source]

CA – Spy Agency Accidentally Shared Canadians’ Data With Allies for Years

A federal spy agency inadvertently shared logs of Canadians’ phone calls and Internet exchanges with intelligence allies such as the United States for years, a newly disclosed report says. The revelation that the CSE compromised Canadians’ privacy while sharing clandestinely captured data appears in a confidential watchdog’s report obtained from court filings related to a lawsuit against the Canadian government. The report said software that was supposed to remove identifying information on Canadians from material CSE captured during international surveillance operations had failed. This meant that Canada’s intelligence allies received data that Canadian laws say they should not see. The confidential report was written by Jean-Pierre Plouffe, a retired Quebec judge who heads the Office of the CSE Commissioner, the spy agency’s watchdog agency. In it, he suggests the unlawful seepage of Canadians’ phone and Internet records to foreign intelligence agencies could date back to the mid-2000s, and that the overall amount of compromised material is unclear. Given this, Mr. Plouffe is urging Parliament to pass laws spelling out how it wants the spy agency to function. “As CSE’s collection posture has strengthened, … the volume of metadata collected has increased considerably,” Mr. Plouffe writes in his 2015 report. He urged federal politicians to give clearer direction on surveillance. [The Globe and Mail]

CA – TREB Seeks ‘Opt-In’ Consent for MLS Data to Protect Consumer Privacy

Canada’s largest real estate board is urging the federal Competition Tribunal to protect consumer privacy by requiring homeowners to consent to sharing their housing information over the Internet. In filings posted on the tribunal’s website ahead of a hearing on Thursday in Ottawa, the Toronto Real Estate Board argues that electronic access to the board’s Multiple Listings Service should be made available to online real estate brokerages only after both buyers and sellers have checked an “opt-in” box on their sale and purchase agreement. TREB also asked the tribunal to make electronic home-sales data available for only six months after a house has sold, and said the data should not contain details of house sales that occurred before the tribunal issues its final order. It also argued that online brokers should not be able to use its MLS information for “data analytics” – such as building home-price heat maps or neighbourhood-level price trends – without the explicit consent of both buyers and sellers. The hearing comes a month after a three-member panel of the Competition Tribunal ruled that TREB was stifling competition in the Greater Toronto Area’s real estate industry by restricting how member realtors who run online brokerages access and share electronic data about homes that have sold. [The Globe and Mail]

Consumer

CA – Majority of Canadians Feel Their PI is Vulnerable to Security Breach

A report released earlier this month has indicated that the majority of Canadians believe the personal data the government holds on them, is vulnerable to a security breach. The study, conducted by Ipsos on behalf of Accenture Cyber, indicated that Canadians feel distrustful of their data in the hands of municipal, provincial and federal governments. A total of 54% of Canadians believe that personal information held by the federal government is vulnerable to a security breach. 20% of those surveyed feel they are “very vulnerable” and 33% feel they are “somewhat vulnerable,” according to the results of the survey. Albertans feel most distrustful of their governments, as 62% of those in the province report feeling vulnerable, followed by those from British Columbia (58%), Ontario (55%), and Atlantic Canada (53%). Quebec, Saskatchewan and Manitoba tied for last place with 49 % feeling their data could be compromised. On average, the results also say that women feel more vulnerable than men, and older Canadians are more skeptical of the safety of their data than younger ones. [Source]

E-Government

US – Uber Says New York Can’t Be Trusted With Its Data

Uber has gone to court to ensure confidentiality over records it provided for New York’s investigation of how the ride-sharing service secures data. New York began collecting the information two years ago after media reports surfaced about real-time tracking of rides — known internally as “God View” — that included personal information about riders. Uber provided the information at issue in response to an attorney general’s probe, so the company “thus enjoys categorical exemption from disclosure,” the petition states. Attorney General Eric Schneiderman’s office would only discourage similar cooperation from companies if it released the confidential information, the petition continues. [Source]

Electronic Records

US – Certified EHR Technology Now Widely Used at U.S. Hospitals

Nearly all of the country’s hospitals have adopted certified electronic health records, according to new survey data released May 31 by the Office of the National Coordinator for Health Information Technology. Results of the survey show the industry has a long way to go in sharing and then using from other healthcare organizations in treating patients—only a minority say they use patient information from outside their organization in treating patients. Based on the American Hospital Association IT Supplement to the AHA annual survey, the adoption rate of certified EHRs has increased from almost 72% in 2011 to 96% in 2015. Last year, 84% of hospitals adopted at least a basic EHR system, representing a nine-fold increase since 2008. ONC defines basic EHR adoption as a minimum use of core functionality determined to be essential to an EHR system, including clinician notes. The set of EHR functions must be implemented in at least one clinical unit to be considered basic EHR adoption. While small, rural, and critical access hospitals continue to have significantly lower basic EHR adoption rates compared with all hospitals, ONC notes that the new data show that adoption rates for these hospitals has increased significantly. Since 2014, small and rural hospitals increased their adoption of basic EHRs by at least 14 percentage points and CAHs increased their adoption of basic EHRs by 18 percentage points. Currently, about eight out of 10 small, rural, and CAHs have adopted a basic EHR. [Source]

Encryption

US – Proposed Senate Bill Requiring Backdoors in Encryption Appears Dead

A proposed anti-encryption bill has stalled out in the US Senate. The draft legislation would have required that encryption be breakable so investigators could access communications. The bill lacked White House support, and the intelligence community were reportedly “ambivalent” because the law could have impeded their own encryption efforts. [Reuters] [The Register] [CNET] [ComputerWorld] [ZDNet]

EU Developments

EU – Privacy Shield Doesn’t Hold Up: EDPS

European Data Protection Supervisor Giovanni Buttarelli has published his opinion on the EU-U.S. Privacy Shield, which he says is “not robust enough to withstand future legal scrutiny.” While he expressed appreciation for the legislative effort behind the agreement, “significant improvements are needed should the European Commission wish to adopt an adequacy decision,” he wrote. Buttarelli isn’t the only recent Privacy Shield critic. “We keep thinking we’re going to reach a date and from that date onwards we won’t have any more issues. That won’t happen,” said Intel Global Privacy Officer David Hoffman. “The idea that we’re going to solve the international data transfer issue with Privacy Shield, to me, is an incorrect assumption.” [v3] [BBC: EU Data Protection Supervisor Rejects Privacy Shield Agreement]

Facts & Stats

US – Most 2016 Healthcare Data Breaches from Unauthorized Access

Last year is often referred to as the “Year of the Hack” for healthcare, with the majority of healthcare data breaches being caused by third-party cyber attacks. The top three incidents alone combined to potentially affect nearly 100 million individuals, and were all involved hacking. So far, 2016 is not immune from healthcare data breaches, but the leading cause of incidents is unauthorized access, according to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) data breach reporting database. There have been 114 incidents reported to OCR between Jan. 1, 2016 and June 1, 2016. Of those, 47 were classified as being caused by unauthorized access or disclosure. The rest of the classification breakdown is as follows:

  • 34 – hacking/IT incident
  • 26 – theft
  • 5 – loss
  • 2 – improper disposal

However, the largest healthcare data breach so far this year was due to a hacking incident. [Source] Top 10 Healthcare Data Breaches of 2015

UK – Sloppy Human Error Still Prime Cause of Data Breaches: ICO

FOI data from ICO reveals usual failings: loss of paperwork, data sent to wrong recipients, insecure disposal of hardware and paperwork, loss or theft of unencrypted devices, and failure to redact data …Of the sectors compared over the three years, 66% reported an increase in data breach incidents, with the courts and justice sector recording a rise of 500% over the period. Healthcare organisations continue to top the list for total number of reported incidents at 184. Human error continues to be mainly to blame. For January – April 2016, human error accounted for almost two-thirds (62%) of the incidents reported to the ICO, outstripping other causes such as insecure webpages and hacking, which stands at just 9% combined. Despite this, market attention and resource continues to focus on external threats, notably cyber-attacks and hackers. [Source] See also: [Human error causes more data loss than malicious attacksHuman Error to Blame as UK Data Breaches Soar | Courts and justice sector see 500 per cent rise in data breaches]

Filtering

CA – BC Supreme Court Orders Search Engine to Deny Access to Defamatory Statements

An individual seeks an injunction against a website that allegedly posted defamatory comments. An individual who filed a defamation lawsuit against two individuals and a website was granted a permanent injunction against those U.S. Defendants (who are prohibited from publishing such statements) in light of the possibility that they may resist enforcement of a monetary judgment of a Canadian court; a permanent injunction was also granted against a search engine, through which links can be obtained to the defamatory statements. [Nazerali v. Mitchell – 2016 BCSC 810 – In The Supreme Court of British Columbia]

CA – Officials Examining ‘Right-To-Be-Forgotten’ Potential in Canadian Law

As Google and the CNIL continue their battle over Europe’s “right-to-be-forgotten” law in France, Canadian officials are mulling whether the law has a place in their own legal system. A case involving Google and Datalink Technologies Gateways, Inc., has drawn parallels to the case in France, as the search engine is challenging an order in front of the Canadian Supreme Court to remove listings of Datalink, which is being accused of trademark violations across its worldwide search. To address their course on the RTBF, the Office of the Privacy Commissioner of Canada has received 23 formal submissions on the subject. “The law is broadly struggling to address these issues, and so we thought it was a legitimate question to ask,” said Patricia Kosseim, director general of the Legal Services, Policy, Research and Technology Analysis branch of the OPC. [The Globe and Mail]

FOI

CA – OPC Urges Committee to Rethink Information Commissioner’s Legal Jurisdiction

Privacy Commissioner of Canada Daniel Therrien suggested limiting the “proposed authority” for Information Commissioner Suzanne Legault in a brief to the Commons committee considering the Access to Information Act. Therrien argued that the current balance of power “illustrates the healthy tension between opposing interpretations” of what the law defines personal information to be. Said balance should be taken into consideration before revising job descriptions, he added. Instead, he suggested “the matter should only be discussed two years from now, when the government does a full-scale review of the access law,” the report states. [CTV News]

Health / Medical

CA – Saskatchewan Adopts Anti-Snooping Law for Health Records

The government is toughening up its laws around the protection of personal health information in Saskatchewan. The changes are in response to a member of the public finding thousands of medical records in a Regina dumpster in 2012, something the privacy commissioner at the time called the “worst breach of patient information” his office had ever seen. Despite that, there were no prosecutions. That incident sparked the government to create a working group made up of doctors, nurses, government officials and a patient representative to come up with stronger rules. The amendments to the Health Information Protection Act (HIPA) are effective June 1. They include a reverse onus clause for trustees of medical records to show they took reasonable steps to prevent their abandonment. [Source]

AU – Australian HealthCare Providers Must Protect Against Insider Risk

Recommendations for Australian healthcare providers to protect health information. Providers should adopt an approach that manages the risk of an external attack and aims to prevent internal data breaches from negligent or malicious staff; ensure employees have a high level of cybersecurity awareness (training and policies), encrypt all portable devices and allow for remote wiping, and revoke employee access to the network immediately after notice of termination is given. [Cybersecurity and the Risk of Inside Jobs – Marie Feltham, Special Counsel and Leonard Lozina, Lawyer – DibbsBarker]

CA – Ontario Health Ministry Ordered to Disclose Names on OHIP Billings

The province’s privacy commission has ordered the health ministry to release the names of doctors along with their OHIP billings, in the interests of transparency and accountability. The decision comes two years after the Toronto Star began requesting physician-identified billings from the health ministry, and brings the province more in line with other jurisdictions that are opting to disclose public funds paid to doctors. In granting an appeal the IPC said physician-identified billings are not “personal information” and are, therefore, not exempt from disclosure under the province’s Freedom of Information and Protection of Privacy Act. Even if they were deemed personal, a compelling public interest in their disclosure would outweigh the purpose of the act’s privacy exemption, the IPC wrote in a 54-page order released Wednesday and received by the Star Thursday. The IPC has ordered the health ministry to release the information to the Star by July 8. [Source]

Horror Stories

WW – Recently Confirmed Myspace Hack Could Be the Largest Yet

A report from LeakedSource.com says that there are over 360 million accounts involved. Each record contains an email address, a password, and in some cases, a second password. As some accounts have multiple passwords, that means there are over 427 million total passwords available for sale. Despite the fact that this data breach dates back several years, the size of the data set in question makes it notable. Security researchers at Sophos say that this could be the largest data breach of all time, easily topping the whopping 117 million LinkedIn emails and passwords that recently surfaced online from a 2012 hack. That estimation seems to hold up – while there are a number of other large-scale data breaches, even some of the biggest were not of this size. The U.S. voter database breach included 191 million records, Anthem’s was 80 million, eBay was 145 million, Target was 70 million, Experian 200 million, Heartland 130 million, and so on. [Source]

WW – LinkedIn Sends Out Breach Notification Emails

Users of LinkedIn likely received breach notification emails from the social network earlier this week. The emails come four years after a 2012 hack of the service in which millions of passwords and usernames were accessed. The incident was widely reported in 2012, but came back into the spotlight last week with news that 117 million email and password combinations — significantly more than the 6.5 million originally reported in 2012 — were for sale on the Dark Web. “While we do all we can, we always suggest that our members visit our safety center to learn about enabling two-step verification, and implementing strong passwords in order to keep their accounts as safe as possible,” the email stated. [Fortune] See also: [Unencrypted Laptops Expose Over 400,000 Patients’ Medical Data]

WW – Hackers Stole 65 Million Passwords from Tumblr, New Analysis Reveals

On May 12, Tumblr revealed that it had just found out about a 2013 data breach affecting “a set” of users’ email addresses and passwords, but the company refused to reveal how many users were affected. As it turns out, that number is 65 million, according to an independent analysis of the data. Troy Hunt, a security researcher who maintains the data breach awareness portal Have I Been Pwned, recently obtained a copy of the stolen data set. Hunt said the data contained 65,469,298 unique emails and passwords. The passwords, however, were not in plaintext, but were “hashed,” a process that turns the actual password into a different string of digits. The company also added a series of random bytes at the end of the passwords before hashing them, or “salted” them, as Tumblr said when it disclosed the breach. The company, however, didn’t say exactly what algorithm it used to hash the passwords. Since Tumblr’s announcement, the hacked data appears to have been circulating within the internet underground. A hacker known as Peace, who also claims to have the data and was selling it on the darknet marketplace The Real Deal, said Tumblr used SHA1 to hash the passwords. Given that it also used salt, they are very hard for hackers to crack. [Source]

Identity Issues

US – Doctors Fire Back at Bad Yelp Reviews – and Reveal PHI Online

Burned by negative reviews, some health providers are casting their patients’ privacy aside and sharing intimate details online as they try to rebut criticism. In the course of these arguments — which have spilled out publicly on ratings sites like Yelp – doctors, dentists, chiropractors and massage therapists, among others, have divulged details of patients’ diagnoses, treatments and idiosyncrasies. [Source]

Internet / WWW

US – Tech in U.S. Schools Collects Student Data for Marketing Purposes: Report

The National Education Policy Center has issued its 18th annual report about commercialization of student information. Current regulatory frameworks do not effectively protect against application service providers using student’s personal information for marketing purposes; legislators should eliminate loopholes that provide companies with opportunities to collect and exploit children’s data, and pass enforceable legislation that holds schools, districts, and companies with access to student data accountable for violations of student privacy. [NEPC: Learning to be Watched: Surveillance Culture at School]

Law Enforcement

US – ACLU joins Microsoft’s Challenge to DoJ Gag Orders

The American Civil Liberties Union has filed a motion to join Microsoft’s challenge to the Justice Department’s use of gag orders that prevent companies from telling users when the government is demanding access to their data. “A basic promise of our Constitution is that the government must notify you at some point when it searches or seizes your private information,” said ACLU Senior Staff Attorney Alex Abdo. “Notice serves as a crucial check on executive power, and it has been a regular and constitutionally required feature of searches and seizures since the nation’s founding.” A Microsoft spokesman said the company “appreciates the support from the ACLU and many others in the business, legal and policy communities who are concerned about secrecy becoming the norm rather than the exception.” [USA Today]

Location

US – Appeals Court Delivers Blow to Cellphone-Privacy Advocates

Courts across the country are grappling with a key question for the information age: When law enforcement asks a company for cellphone records to track location data in an investigation, is that a search under the Fourth Amendment? By a 12-3 vote, appellate court judges in Richmond, Virginia, on Monday ruled that it is not — and therefore does not require a warrant. The 4th Circuit Court of Appeals upheld what is known as the third-party doctrine: a legal theory suggesting that consumers who knowingly and willingly surrender information to third parties therefore have “no reasonable expectation of privacy” in that information — regardless of how much information there is, or how revealing it is. Research clearly shows that cell-site location data collected over time can reveal a tremendous amount of personal information — like where you live, where you work, when you travel, who you meet with, and who you sleep with. And it’s impossible to make a call without giving up your location to the cellphone company. [The Intercept]

WW – Collaborative Project Maps Areas Where Governments Spy on People

The Digital Freedom Alliance has launched a collaborative open source project to map places in the world where governments use malware to conduct surveillance on journalists, activists, lawyers, and NGOs. The project gathers information from a variety of sources and maps the locations, noting the dates, targets, and type of malware used. [Wired]

Online Privacy

WW – Facebook to Begin Sending Targeted Ads to Nonusers

In an attempt to grow its online ad network, Facebook will display ads to consumers who do not have accounts with the social media network. Facebook plans to reach nonmembers through cookies, “like” buttons, and plug-ins on third-party sites. While Facebook says its new method will better serve relevant ads to nonusers, European regulators have cited privacy concerns in their criticism of the practices. Facebook feels they are in a great position to target nonmembers through the large amounts of data it holds on current users. “Because we have a core audience of over a billion people [on Facebook] who we do understand, we have a greater opportunity than other companies using the same type of mechanism,” said VP of Facebook’s Ad and Business Platform Andrew Bosworth to the Journal. [The Verge] See also: [You Should Go Check Facebook’s New Privacy Settings]

WW – Googling Yourself Now Leads to Personal Privacy Controls

Soon, all you’ll need to do is Google yourself if you’re wondering how deeply Google has been digging into your digital life. In coming weeks, a shortcut to personal account information will appear at the top of Google’s search results whenever logged-in users enter their own names in the query box. The feature is part of an update to the “My Account” hub that Google introduced a year ago to make it easier for people to manage the privacy and security controls on the internet company’s services. While Google isn’t making any additional information available, it is making it easier to find. The link to personal accounts will appear at the top right of the listings for searches done on personal computers and at the top of requests entered on smartphones. Google is making the change because it learned that many users doing a “vanity search” under their name wanted a quicker way to find out what the company knew about them, as well as to see how they are depicted on various sites across the internet, said Guemmy Kim, a Google product manager. A new feature on Google’s mobile app will also quickly take users to their account information with a spoken request. All that will be required are the words: “OK Google, show me my Google account.” This option initially will only be available in English. [Source]

WW – IETF Publishes RFC for DNS Encryption

The Internet Engineering Task Force has released an RFC (request for comments) proposing that DNS requests be encrypted with Transport Layer Security (TLS). DNS requests and responses are often collected by law enforcement because they are classified as metadata. [The Register] [RFC]

Privacy (US)

US – Report: Employee Cybersecurity Knowledge Low, Despite Training Programs

A study from Experian and the Ponemon Institute reveals security training programs aren’t efficient enough at altering workers’ unsafe online behavior. “Managing Insider Risk through Training & Culture” is a survey of companies providing data protection courses to their employees. The study revealed 60% of respondents said their employees were either not knowledgeable or had no knowledge of cybersecurity, despite having training available. Only 35% said senior executives placed a high priority on employee data threat education, and 43% said their corporate training consisted of one course covering all departments. Low numbers were also reported on courses containing information on phishing and social engineering. “Phishing and social engineering attacks have been shown to result in data breaches. Training programs should show the consequences of these attacks and how to avoid falling prey to them.” [SC Magazine]

US – Obama Releases Final Privacy Framework for Precision Medicine Initiative

The White House announced the release of the final Data Security Policy Principles and Framework for its Precision Medicine Initiative. The framework is based on the administration’s cybersecurity framework and creates data security expectations and a risk-management approach for organizations taking part in the initiative. All federal PMI agencies will also integrate the framework across all PMI activities. President Barack Obama said, “We’re going to make sure that protecting patient privacy is built into our efforts from day one.” [White House]

US – Other Privacy News

Security

US – New System Monitors Govt Employees for Potential “Insider Threats”

The Defense Department is creating a system designed to expose potential “insider threats” by monitoring national security personnel. The Pentagon is hiring a team of “cross-functional experts” who are trained in cybersecurity, privacy, law enforcement, intelligence, and psychology to help discover potential traitors. The DOD Component Insider Threat Records System will also examine employees’ social media posts, and their digital work habits, while also incorporating keystroke tracking, screen captures and email. Civil liberties advocates are voicing their opposition to the system, saying the constant surveillance will stop whistleblowers from coming forward. “When you read the insider threat material, what they view as a threat is somebody reporting information about government activity to the press, which is, in a democratic society, not only important but necessary,” said FBI veteran Michael German. [Nextgov]

US – DOD is Creating an Insider Threat Database

The US Defense Department (DOD) is creating a system that contains information about national security personnel and other people with security clearances to help identify potential insider threats. The DOD Component Insider Threat Records System was created in response to the Pfc. Chelsea Manning data leaks that occurred in 2010. [NextGov]

WW – CIOs Say Organized Cybercrime is Top Threat to Business Operations

According to the Harvey Nash/KPMG 2016 CIO Survey, one-third of the respondents said they had dealt with a significant IT emergency or a cyberattack over the past two years. CIOs say organized cybercrime is the biggest cyber-threat to their organizations. The report found that 46% of CDOs (chief digital officers) report to their organization’s CEO, while just 21% report to the CIO. And 65% of respondents said they believe that a shortage of technical talent will hinder their ability to keep pace with the changing digital landscape. The survey comprises data gathered from 3,352 CIOs and technology leaders in 82 countries. [Press Release] [v3.co.uk] [v3.co.uk]

US – Medical Devices Could Be Used as Point of Entry into Healthcare Networks

The US Department of Veterans Affairs (VA) deputy director of health information security told Nextgov that attackers are more likely to break into Internet-connected medical devices to gain access to a hospital network than to disrupt a patient’s treatment. Medical records are a valuable commodity on the data black market. Medical devices are not as readily patched as computers and phones. Lynette Sherrill also said that her agency removes devices that are found to be infected with malware, even if it means cancelling appointments. [NextGov]

WW – ICSA Launches IoT Certification Testing Program

ICSA Labs has launched its IoT (Internet of Things) Certification Testing program. The devices that pass muster will receive the ICSA seal of approval. The ICSA program will test both consumer products and enterprise products over six components: alerts and logging; cryptography; authentication; communications; physical security, and platform security. Earlier this year, Underwriters Laboratories launched its Cybersecurity Assurance Program (UL CAP). [DarkReading] [ComputerWorld]

WW – Microsoft Ends Common Password Use and Password Lockout

Microsoft has announced plans to dynamically prohibit common passwords, like the word “password,” while congruently using the smart password lockout system. The lockout program would keep hackers from continually attempting to access users’ accounts while not freezing out legitimate users at the same time, the report states. The changes respond to the recent hacker dump of LinkedIn data, the report adds. Reddit also took action in light of the breach, announcing it would reset user passwords, SC Magazine reports. Meanwhile, a hacker is selling more than 65 million Tumblr passwords on the Dark Web, while 427 million MySpace passwords were found for sale online for $2800. [SC Magazine]

WW – Unbox Your Laptop, and Say Hello to Security Risks

Powering up a new laptop can be exhilarating. It can also be full of security risks. Software update tools that are preinstalled on Acer, Asus, Dell, HP and Lenovo laptops all contained at least one critical security vulnerability that hackers could easily exploit, said Duo Labs, the research arm of Duo Security, in the results of an investigation published Tuesday. In total, Duo Labs uncovered 12 different OEM software vulnerabilities across all the computer makers. OEM (original equipment manufacturer) software includes programs like product registration and 30-day free trials that come installed on a laptop right out of the box. They’re often referred to as bloatware since they’re largely unnecessary and weren’t installed at the user’s request. Not only is bloatware superfluous, it’s often a weak link in the security chain, according to Duo Labs. “The level of sophistication required to exploit most of the vulnerabilities we found is somewhere between that possessed by a coffee stain on the Duo lunch room floor and your average potted plant — meaning, trivial,” wrote Darren Kemp, a security researcher with Duo Labs, in a blog post Tuesday. [Source]

Surveillance

WW – Governments Turn to Commercial Spyware to Intimidate Dissidents

A growing number of U.S. companies are teaching foreign law enforcement agencies to code unique surveillance devices, often to track dissidents. The tools can override encryption measures, the report states. “There’s no substantial regulation,” said Bill Marczak of the University of Toronto’s Munk School of Global Affairs. “Any government who wants spyware can buy it outright or hire someone to develop it for you. And when we see the poorest countries deploying spyware, it’s clear money is no longer a barrier.” [New York Times]

CA – Interim RCMP Policy Sets Body Cam Guidelines

A new RCMP policy will require Mounties wearing small video cameras to hit record when they believe force will be used against a suspect. The interim policy is being considered with two purposes in mind: To gather evidence for prosecution against criminal behavior, and to answer any questions surrounding the aftermath of an incident. “Police are making use of a relatively new technology to hold both police officers, and members of the public we interact with, accountable for any actions taken,” the RCMP says. Other privacy concerns addressed in the interim policy include telling an individual when officers are wearing cameras, teaching RCMP members of best video policies and practices, and making sure recordings are uploaded securely. [The Canadian Press] See also: [As More Police Wear Body-Cams, States Set New Rules Limiting Access to Footage] [Minnesota’s police body camera law is bringing privacy concerns.]

WW – Sports World Embraces Data Analytics

The Seattle Mariners’ use of sleep tracking tool Readiband last year is a window into the professional athletics’ community’s adoption of data-collecting tools. This use of data analytics is changing how coaches and players interact, Chicago Cubs Baseball Operations Assistant John Baker argues. “Welcome to the next frontier in baseball’s analytic revolution,” the report states. “Many of this revolution’s tenets will be familiar to anyone who works for a living — the ever-growing digitization and quantification of things never-before measured and tracked, for instance, or the ever-expanding workplace, the blurring distinction between the professional and the personal, and the cult of self-improvement for self-improvement’s sake.” [Vice Sports]

AU – ACT Govt Launches Review Into Civil Surveillance

The ACT government has announced a review of the use and conduct of civil surveillance in the territory that could lead to Australia’s first law to allow victims to sue over privacy intrusions. According to the statement, the review’s terms of reference be looking at a range of issues including:

  • Surveillance in civil litigation claims
  • Surveillance businesses
  • Surveillance technology and practices, such as geo-tagging
  • Expansion of the existing Listening Devices Act 1992 to capture video surveillance and electronic monitoring
  • Possible need for a tort of breach of privacy
  • Current regulation of civil surveillance and the Information Privacy Act 2014.

An independent reviewer will be engaged by the Justice and Community Safety Directorate in order to undertake the review. [Source]

Telecom / TV

WW – Charging Mobile Devices Could Put Data at Risk

Smartphones can be compromised when charged using a standard USB connection connected to a computer, Kaspersky Lab experts have discovered in a proof-of-concept experiment. The researchers are now evaluating what the impact of such an incident might be. To learn more, read the blog post available at Securelist.com. [Kaspersky Corporate News]

US Legislation

US – Legislative Roundup

+++

 

19-26 May 2016

Biometrics

WW – Google’s Biometric Tool Aims to Kill Password Logins

A new Google feature could spell the end for password logins. Trust API will be tested at “several very large financial institutions” in June, said Google’s Daniel Kaufman. Google’s new service looks to use multiple indicators to create one viable identifier. Trust API will use biometrics in its mission to eliminate passwords, including shaping a user’s face and voice patterns, to how a user moves and types and how they swipe on the screen. “Biometric authentication is a powerful enabler, allowing businesses smart enough to deploy it to significantly increase rates of registration, gaining data and insight about their customers, while also increasing customer security,” said Richard Lack from customer identity management firm Gigya. “This is a win-win scenario which sounds the death-knell for awkward and insecure passwords sooner than we may imagine.” [The Guardian] [Can Google replace passwords by tracking you more thoroughly?]

WW – ‘Faception’ Tech Can Determine Terrorists from Just a Face Scan

Israeli startup and facial recognition company Faception says a homeland security agency has hired it to help discover terrorists. The company says its technology is so precise it can identify “great poker players to extroverts, pedophiles, geniuses and white collar-criminals,” just from a face scan. The tech is not without critics. “Can I predict that you’re an ax murderer by looking at your face and therefore should I arrest you?” said the University of Washington’s Pedro Domingos. “You can see how this would be controversial.” Meanwhile, advertising company Mattersight Corporation will start using publicly available facial data from avenues like YouTube and Vine to gather personality profiles. [Washington Post] [ComputerWorld]

Big Data

US – Big Data: White House Issues Report on Primary Challenges and Opportunities

The Executive Office of the President has issued a report on Big Data that examines:

  • instances where big data methods and systems are being used in the public and private sectors in order to illustrate the potential for positive and negative outcomes; and
  • the extent to which “equal opportunity by design” safeguards may help address harms.

The primary challenges of Big Data are inputs to an algorithm (e.g. poorly selected data, incomplete/incorrect or outdated data, selection bias, and unintentional perpetuation/promotion of historical biases), and the design of algorithmic systems and machine learning (e.g. poorly designed matching systems, personalization and recommendation services that narrow user options, decision-making systems that assume correlation implies causation, and data sets that lack information or disproportionately represent certain populations). [Big Data: A Report on Algorithmic Systems, Opportunity, and Civil Rights – Executive Office of the President: Press Release | Report]

Canada

CA – New Recommendations for British Columbia’s FIPPA

Timothy Banks writes about the report tabled this month by the special committee appointed to review the B.C. Freedom of Information and Protection of Privacy Act. The committee made 39 recommendations to the legislature, several of which, if accepted, “would provide needed updates to improve public sector transparency. Regrettably, however, the committee has recommended that the legislature retain the controversial data sovereignty provisions of FIPPA that preclude transfers of personal information outside of Canada.” In this post, Banks examines four interesting recommendations made by the committee dealing with mandatory breach reporting, duty to document, data destruction, and data sovereignty. [Full Story] See also: Timothy Banks offers an analysis of Ontario’s new Health Information Protection Act and the ways it has amended the Ontario Personal Health Information Protection Act, 2004]

CA – Alberta Premier Rebuts Privacy Concerns Over Carbon Tax Law

Premier Rachel Notley is dismissing opposition accusations that her NDP government’s carbon tax bill contains invasive and arbitrary rules on search and seizure. …Under Bill 20, officials who believe there are breaches of the levy can get a search warrant to go on properties, check fuel tanks, vehicles, buildings and computer hard drives. If they feel that someone is at immediate risk of harm or evidence might be destroyed they can proceed without a search warrant, but a search warrant or the owner’s permission is needed to get into someone’s home. [The Canadian Press]

CA – NS Government to Consider Mental Health Care Improvements

Premier Stephen McNeil and other Nova Scotian liberal politicians will investigate whether the province’s privacy laws are preventing youths with mental illnesses from receiving proper care. During a recent news conference on the matter, Carolyn Fox described how health care privacy laws prevented doctors from alerting her about her daughter’s three hospital visits, knowledge of which she felt could have prevented her daughter’s January suicide. “Because of the privacy law I was not contacted,” Fox said. There were “no red flags as to say this girl has been here three times, released, and told she was fine. This is not acceptable.” McNeil agreed. He acknowledged, however, that there was “a whole host of issues” accompanying revisiting notification protocol, “not the least of which is the breaching of someone’s privacy,” he said. [CBC News]

CA – Newfoundland Supreme Court Finds General Warrant Can Be Used to Retrieve Historical Text Messages

The Supreme Court of Newfoundland and Labrador considers whether authorisation under the Criminal Code is necessary prior to search of a cellphone’s historical data. An individual argued that police unlawfully searched his mobile phone because a general warrant was obtained for the search (which does not authorize interception of private communications); although his text messages qualify as a private communication, retrieval of prior stored messages does not qualify as an interception (messages would not be retrieved in the course of the communication process). [Her Majesty the Queen v. Rex Rideout – Supreme Court of Newfoundland and Labrador – 2016 CanLII 24896]

CA – Courts & Privacy Issues Around Production of Text Messages

There can be no doubt that text messages are normally producible under any rules of civil procedure, if they are relevant to the issues set out in the pleadings of an action and are only between the parties in the litigation. But in any number of types of civil proceedings there are surely many other relevant texts in which either the sender or receiver are not a party to the litigation, or are texts that have been intercepted by someone not a sender, or receiver, of that text. Whether production of those texts is subject to some scrutiny regarding privacy rights is an open question. While production of some of these types of texts might be sanctioned by way of a motion for third-party production, the more immediate question for a plaintiff, or defendant, in a civil proceeding is whether or not to initially produce such a text without breaching an expectation of privacy and privacy rights of a non-party. [The Lawyers Weekly Canada]

Consumer

UK – Two-Thirds of Brits think Snooper’s Charter Extracts Are from Dystopian Fiction: Research

Research from popular VPN service, HideMyAss, has revealed that when presented with extracts from the [Investigatory Power Bill, also known as the Snooper’s Charter], two-thirds of Brits thought it was from dystopian fiction …On average, one in five of those (20%) suspected the quotes derived from George Orwell’s 1984, one in ten (10%) thought they were from Enemy of the State, and 7% believed the quotes were from The Hunger Games. What’s more, 8% of those polled even believed the quotes were from North Korean propaganda. [Source]

NO – Consumer Council Hosting Live-Streamed Reading of Privacy Policies

The Norwegian Consumer Council will livestream a reading of the terms of service and privacy policies from apps on an average mobile phone. The NCC predicts the event, featuring 33 apps in total, will take more than 24 hours, “as the combined texts are longer than the New Testament,” the report states. “The current state of terms and conditions for digital services is bordering on the absurd,” said Norwegian Consumer Council Digital Policy Director Finn Myrstad. “Their scope, length and complexity mean it is virtually impossible to make good and informed decisions.” The agency hopes the event will highlight the inapproachability of long policies, the report states. [Fortune]

E-Mail

US – Tech Companies Urge Senate to Pass Email Privacy Act Without Changes

As the Senate Judiciary Committee plans to examine, and possibly change, the Email Privacy Act, a group of 70 major tech companies are asking senators to approve the bill without any alterations. The organizations sent a letter to the Senate urging it to ratify the “carefully negotiated compromise” immediately, without any amendments added to “weaken” the bill. Signatories of the letter include Adobe, Amazon, Apple, Facebook, Google, IBM, Microsoft, and Yahoo. Despite questions about what version of the Email Privacy Act will be examined by the panel, the Senate Judiciary Committee will vote on the exact same text as the one unanimously passed by the House of Representatives. [The Hill] See also: [Email Privacy Act could face changes]

Encryption

EU – Cybersecurity and Police Chiefs Reach Breakthrough Agreement on Encryption

Leaders from the EU Agency for Network and Information Security (ENISA) and Europol have reached an agreement about the legal lengths to which law enforcement groups may go to access personal information. The move is what the report calls a “surprise turn” in discussions between cybersecurity group ENISA’s Udo Helmbrecht and Europol Director Rob Wainwright. Both spoke in favor of strong encryption and stated their dual opposition to back-door encryption. “While this would give investigators lawful access in the event of serious crimes or terrorist threats, it would also increase the attack surface for malicious abuse, which, consequently, would have much wider implications for society,” they said in a statement. [EurActiv]

EU Developments

EU – Parliament Finds Privacy Shield Does Not Provide Substantial Improvements to Safe Harbour

The European Parliament issued its opinion on the EU-US Privacy Shield. The Shield does not provide an equivalent set of principles (there are no requirements for consent or data minimisation, processing for incompatible purposes is allowed, and blanket permission is given for all types of processing), allows for bulk collection of EU citizens’ personal data and communications (in breach of CJEU and ECHR judgments), and supervisory powers of the Department of Commerce, FTC and the Ombudsperson are not comparable to EU supervisory authorities. [EU Parliament – Motion for a Resolution on Transatlantic Data Flows]

EU – Privacy Seal Schemes Gradually Taking Shape in Europe

The EU is moving ever closer to having a widely recognized privacy seal scheme — or rather, several of them — for Web services. EuroPriSe is a company that spun out of the data protection authority of Germany’s Schleswig-Holstein state a few years back, with funding from the European Commission. It’s pushing to expand its scope across the EU and beyond, and last month it started offering website operators a privacy seal indicating to the world that they stick to EU data protection law. And it’s not the only player in the game. “Europe’s privacy kitemark scene may be fragmented and in its early stages, but at least the many players are talking to one another. [Full Story] See also: [Op-ed: UL certification program for IoT devices a ‘step in the right direction’ ]

Finance

US – Campaign Hopes to Inspire Congress to Better Protect Financial Data

A group of seven trade organizations have banded together to create a Stop the Data Breaches campaign. The group wants to publicize the costs of breaches for financial institutions in an effort to garner attention and legislative support from Congress, the report states. “Credit unions and other financial institutions are continuing to pay the tab for retailer data breaches, and consumers’ data remains vulnerable,” said the National Association of Federal Credit Unions’ Brad Thaler. “It’s long overdue for Congress to pass legislation ensuring that everyone has a similar mandate to keep customer data safe,” added Financial Services Roundtable’s Jason Kratovil. [Associations Now]

FOI

CA – Rogers Releases New Transparency Report

In its third annual transparency report, Rogers Communications revealed that, of the more than 86,000 requests, it refused to hand over consumer data to law enforcement 3% of the time. This is the first time one of the “Big Three” telecoms has disclosed how many times it has refused government requests for data. “It’s so that people understand that we do not just accept requests at face value,” said Rogers Chief Privacy Officer Dave Watt. “We really feel strongly about protecting customer information.” Open Media’s Laura Tribe said the report could improve, but said Rogers’ more detailed report is a “positive example,” adding, “This type of reporting is essential if we are to shed light on the government’s attempts to obtain our private information.” [Financial Post]

CA – Alberta OIPC Finds FOIP and HIA Do Not Apply When Information is Collected in an Employee’s Personal Capacity

The Office of the Alberta Information and Privacy Commissioner reviewed a decision made by a health organization to deny access to personal information. The letters collected by the employee were written specifically for her, discussed incidents that took place in the health clinic, and had a very personal tone; the applicant purposefully provided the letters in the parking lot of the clinic so he would not be handing over information as a patient to a health facility and specifically requested that the employee destroy them immediately after reading them. [OIPC Alberta – Order H2016-05/F2016-13 – Alberta Health Services]

CA – Federal Interim Directive Commits to More Open and Transparent Government

The federal government issued a request for feedback on its proposals to improve the Access to Information Act. Effective May 5, 2016, all non-application fees are waived, and requesters must generally receive information in a computer-readable format; a full review of the Act, scheduled for 2018, would incorporate these changes, ensure the Act applies to the office of Ministers and the Prime Minister, and permit the refusal of frivolous/vexatious requests. [Government Proposals to Revitalize Access to Information – Government of Canada Consultation | Interim Directive | Additional Information ]

Genetics

US – Myriad Genetics Hit with ACLU Complaint to HHS

A complaint has been filed against genetic testing company Myriad Genetics, Inc. for not adhering to the requests of four patients wishing to view personal genetic information. The ACLU filed the complaint to the U.S. Department of Health and Human Services’ Office for Civil Rights, saying Myriad’s refusal to provide the information was a HIPAA violation. Despite Myriad providing the information to the patients at a later date, the ACLU will still go forward with the complaint. Myriad spokesman Ron Rogers said delivering the information was not done to prevent an ACLU complaint, and the company promises to honor future requests. “As far as we’re concerned, the matter is resolved,” Rogers said. “We think the ACLU’s claim is without merit.” [Reuters]

US – Final Rule Prohibits Employer Wellness Programs from Collecting Employee and Spousal Health Data Unless Prescribed Standards Are Met

The Equal Employment Opportunity Commission has issued final rules amending the Regulations Under the Americans With Disabilities Act (“Part 1630”), and the Genetic Information Nondiscrimination Act (“Part 1635”) – the rules are:

  • effective July 18, 2016; and
  • applicable beginning January 1, 2017.

Employers are subject to incentive limits in regards to encouraging employee participation in wellness programs (which include medical exams); no incentives are permitted in exchange for the current/past health status information of employees’ children or for specified genetic information of an employee, and an employee’s spouse and/or children.[Equal Employment Opportunity Commission – Final Rules 29 CFR Parts 1630 and 1635 – Employer Wellness Programs – Regulations Under the Americans Disabilities Act; Genetic Information Nondiscrimination Act | Press Release ] Federal Register (Regulations Under the Americans Disabilities Act; Genetic Information Nondiscrimination Act)

Health / Medical

WW – Google Health App Halted as Enforcement Agencies Examine Data Use

Streams, the health data app borne of a controversial alliance between Google’s DeepMind and the NHS Royal Free Trust, is not currently active. The app served to discover hospital patients in danger from acute kidney disease, but critics took umbrage with the amount of data the app used to deliver so specific a diagnosis, the report states. As a result, the Medicines & Healthcare Products Regulatory Agency is “in discussions” with the organizations to determine whether the app needs to be registered as a medical device, the report states. This announcement comes on the heels of the decision by the U.K. Information Commissioner’s Office to investigate a “small number of complaints” about Streams’ data use. [TechCrunch]

Horror Stories

WW – Database of 2M Mexicans’ Voter Data Found Online

A data breach researcher discovered a database of the personal information of more than 2 million Mexicans posted online. MacKeeper’s Chris Vickery, who discovered the breach, is the same researcher who recently found a similar database of 93.4 million Mexican voting records leaked online. This time, he found the new database by conducting a “random search,” the report states. After an investigation, Mexico’s voting authority confirmed the information was voting data from Sinaloa, and the data has since been taken down. “I think the sudden appearance of multiple [voter registry] databases is a symptom of giving out too many copies,” said Vickery. “I think the [voting authority] is making good changes in the future by not allowing so much information to be so widespread.” [Fortune]

Identity Issues

WW – Hartzog: ‘Public’ Data Sets Are Not Fair Game

In the wake of research that published a data set on 70,000 users of OKCupid, professor Woodrow Hartzog argues that traditional notions of “public” data are now misguided and outdated. Justifying the release of data because it’s considered public “is fundamentally wrong,” he writes. “Not just because we should be able to expect a certain amount of privacy in public, but because, despite frequency of use and seeming self-evidence, we actually don’t even know what the term public even means.” He warns that the public data argument is “gaining steam” in policy discussions, but adds, “The ‘public information’ justification is a simple way to avoid answering hard questions about the privacy interests in data.” [Slate] See also: [Published personal data on 70,000 OkCupid users taken down after DMCA order]

EU – EU Advocate General Opinion States IP Addresses Are Personal Data

Manuel Campus Sanchez-Bordona, the EU advocate general, has determined that dynamic IP addresses qualify as personal data, according to a blog post from Covington. Sanchez-Bordona’s opinion is in relation to Patrick Breyer v. Germany, a case currently pending in the EU Court of Justice. The advocate general’s opinion details how even if a website operator cannot determine the user behind an IP address, Internet service providers have data that, when connected with an IP address, can identify the individual. The opinion also covered how the collection and use of IP address data, when used to ensure a website is functioning, could be acceptable on the basis of the “balancing of legitimate interests” test in the GDPR. While the court doesn’t have to follow the advocate general’s opinion, it could have broad implications for the EU if followed by the Court of Justice. [Full Story] [Review of Opinion]

Law Enforcement

CA – RCMP Under Fire for ‘Misrepresenting’ Stingray Use

Recently disclosed court documents indicate that the Royal Canadian Mounted Police used Stingray devices during two 2014 criminal investigations, but the defendants’ lawyers in the cases argue that the RCMP allegedly “misrepresented” how they would use the tools. The undisclosed details include the Stingrays’ range, phone location pinpointing abilities, and their “potential for interference with 911 calls,” the lawyers argue. However, RCMP lawyers countered that nondisclosure agreements keep the law enforcement agency from elaborating on the Stingrays’ capabilities, among other details. A hearing on the matter was postponed from May 17 to a later date, at which time the defense will seek more information on the RCMP’s precise use of the tools, the report states. [Vice News]

US – Commentary: FBI, Locals Team Up to Invade Citizens’ Privacy

StingRay deployments have been confirmed in at least 24 states and the District of Columbia, and there is every reason to believe many of the remaining states possess them and simply haven’t been forced to disclose it. Different departments have different deployment policies, but cities such as Baltimore have admitted to deploying the devices in thousands of investigations. Given such widespread use, and such obvious and troubling privacy implications, one would expect to find a large body of court rulings on the constitutionality of warrantless StingRay surveillance. One would be mistaken. [Source]

US – New System Would Give Law Enforcement Access to Public Cameras

Computer scientists at Purdue University have developed tools allowing law enforcement to access cameras that aren’t password protected to help determine the best way to respond to a crime. While in proof of concept form, the Visual Analytics Law Enforcement Toolkit overlays the rate and location of crimes to the location of police surveillance cameras, while CAM2 reveals the locations and positions of public network cameras. Registered users only have limited access. The terms of service state, “you agree not to use the platform to determine the identity of any specific individuals contained in any video or video stream,” but those safeguards aren’t enough to quell privacy advocates’ concerns. “I can certainly see the utility for first responders,” says EFF investigative researcher Dave Maass. “But it does open up the potential for some unseemly surveillance.” [Wired]

CA – Mounties Wearing Video Cameras Told to Record Use of Force

Mounties wearing tiny video cameras must hit the record button when there is “a high likelihood” they’ll use force against someone, says an interim RCMP policy on use of the devices. …RCMP detachments in Wood Buffalo, Alta., and Windsor and Indian Head, N.S., took part in the 2015 tests. In addition, the Mounties have advised the federal privacy commissioner of ad-hoc evaluations of the technology. “For example, they have used the cameras at protests in New Brunswick and in Burnaby, B.C.,” said Tobi Cohen, a spokeswoman for the privacy commissioner. [Source]

Online Privacy

WW – Default Settings Criticized in New Google Messaging App

Last week, Google unveiled a number of new products, one being a new messaging app called Allo. The app features strong, end-to-end encryption, but it’s not the default setting. Users have to turn it on, and that has some privacy advocates up in arms. Edward Snowden tweeted that not having it on by default “is dangerous, and makes it unsafe.” New America’s Open Technology Institute Director Kevin Bankston, however, said, “I, too, would prefer that Allo be encrypted by default,” but added, “all in all, this is going to be a net increase in the amount of encrypted messaging out in the world. And that is ultimately a good thing.” [The Washington Post] [Allo Chat Privacy Concerns Are Way Overblown] See also: [This Fitness App Tracks You Too Much, Consumer Advocates Claim [ Runkeeper in Hot Water] and [Grindr users can have location tracked, even with adjusted settings]

Other Jurisdictions

WW – Global Guide to Data Breach Notifications 2016

A new guide from World Law Group provides information organizations need to know when facing a data breach in one or more countries. Produced by the WLG’s Privacy & Data Protection Group, it provides summaries of relevant law, data breach reporting requirements, contact information for relevant data protection authorities and more for 60 countries. [Read Now] [Full Story]

AU – Victoria to Create Info Commissioner Role to Oversee Privacy and FOI

The new body will be created as part of an overhaul of the state’s FOI regime, which will also include introducing the ability to review ministerial and departmental FOI decisions including under Cabinet exemptions; reducing the time to respond to an FOI request from 45 days to 30 days; and reducing the time that agencies have to seek a review by the Victorian Civil and Administrative Tribunal from 60 days to 14 days. [Source]

Privacy (US)

 FTC to Host Disclosure Workshop

The Federal Trade Commission will host “Putting Disclosures to the Test“ on Sept. 15 a free, public workshop that will evaluate companies’ claims and privacy practice disclosures, according to a press release. The event will “explore how to test the effectiveness of these disclosures to ensure consumers notice them, understand them, and can use them in their decision-making,” the report states. Interested parties may submit proposals for the event to disclosuretesting@ftc.gov. [FTC Press Release]

US – Educator’s Guide Takes the Mystery Out of Student Data Privacy

Now that technology is an imperative in our personal and professional lives, it is also a necessary part of education. More than that, technology is making it possible for more students and teachers across the country to collaborate, create, and get access to high quality resources. At the same time parents and policymakers are increasingly concerned about the student data those tools create and track. How can a classroom teacher or a building level administrator who knows and loves education technology balance student privacy with powerful student learning? ConnectSafely and the Future of Privacy Forum have partnered to write The Educator’s Guide to Student Data Privacy. The authors wanted to create an easily accessible resource that teachers and administrators could use right away. Using an online collaborative document, the authors integrated varied perspectives from classroom education, media, policy, connected technologies, and parenting. This guide includes a ten question checklist to help educators as they consider using a new tool with students, will make managing privacy manageable for educators. [Education Week] [PDF of Guide]

US – Federal Procurement Regs Adopt Simple Security Controls

This week the Federal Acquisition Regulations were updated to focus on basic security hygiene. [Source] [Pescatore blog]

Security

WW – Survey: Baby Boomers Better at Password Security than Millennials

According to survey results, Baby Boomers – people aged 51-69 – are the demographic most likely to use the security best practice of having a unique password for each and every online account: 65% of respondents said they have 5 or more passwords across their online accounts, compared with just 44% of millennials (ages 18-34). The report didn’t give the figures on people ages 35-50, but it did say that only 16% of people follow best practices overall. [Source]

Smart Cars

CA – Tighter Rules Needed for Police Access to Event Data Recorders

Are tighter rules needed on recording devices in cars? ‘I think if a device is surveilling you … that there have to be restrictions on it’ Most vehicles built since the early 2000s contain event data recorders that silently log everything, such as braking, speed, steering and whether a seatbelt is buckled. …However, that constant data collection is raising questions. Both the Canadian Automobile Association and the Automobile Protection Association are asking for clearer rules on how that data is obtained and used by police, car manufacturers and insurance companies. [Source]

Surveillance

UK – 22 BILLION Police ANPR Photos Stored, 34 Million Added Daily

A police network of ‘Big Brother’ spy cameras takes photos of about 34million number plates each day, new figures have revealed. Around 9,000 surveillance cameras have been placed along Britain’s roads and senior officers claim they are invaluable in preventing and solving serious crimes and terrorist attacks. The Automatic Number Plate Recognition (ANPR) technology is also fitted to police vehicles, and is used to find stolen cars and tackle uninsured drivers. But privacy campaigners have argued that the system, which allows officers to access 22 BILLION records held for up to two years, is intrusive and heightens fears of an Orwellian surveillance state. Searches of the database by police officers have soared by more than 50% in just two years – from 194,317 in 2012 to 300,758 in 2014. In the last 12 months, evidence from ANPR cameras has been used in more than 200 court cases to secure convictions for a offences including robbery, kidnapping, drugs and murder. Information Commissioner raised questions about the scale of surveillance – But police forces say it is critical to monitor criminal activity on the roads [The Daily Mail]

EU – German Court Accepts Footage from Single Dashcam to Convict Driver

A decision by a German court to accept footage from a dashcam as the sole evidence to convict a driver who drove through a red light sparked a debate in the media on Friday about privacy and surveillance. …”After the court decision, might amateur ‘sheriffs’ now feel empowered to film and report people behaving badly?” the Sueddeutsche Zeitung wrote in a front page article on Friday. [Source]

CA – Winnipeg to Expand Back-Lane Cameras to Private Property

City administrators want permission to set up motion-activated cameras on private property to catch illegal garbage dumping. The city launched a pilot program last month in which cameras were set up on city property. So far, two cameras have been placed at dumping hot spots. Now, the administration wants the ability to place cameras on private property. Six mobile, high-definition cameras were purchased at a cost of $54,000. Images from the cameras can be downloaded remotely. The manufacturer states the cameras can capture clear images from up to 30 metres, even at night. The administration wants council to give its chief administrative officer the authority to approve legal agreements with private property owners. …Winnipeg lawyer Andrew Buck, who specializes in privacy law, said concerns about privacy violations need to be considered within the context of the neighbourhood concerns and the problems tied to illegal dumping. [City wants to boost effort to catch illegal dumping]

US Government Programs

US – OMB Helping Privacy Professionals Become More Tech Savvy

The Office of Management and Budget has been working to help privacy and security pros work together. OMB Senior Privacy Advisor Marc Groman said privacy and security can work “perfectly in concert” if professionals from both fields work on projects from their genesis. The OMB has started offering technical training to help privacy professionals have more meaningful roles in discussions. “It is my personal belief that you cannot be a privacy professional in 2016 and not understand tech,” Groman said. “And so we are building a technology curriculum for federal government privacy professionals so that when they sit across the table from all of you, as you’re building a new system or discussing enterprise architecture, they have a baseline understanding of tech, just like I hope you all will have a baseline understanding of privacy.” [FCW]

US Legislation

US – Federal Bill Proposed to Limit Use of Stingays

The federal bill requires State and local law enforcement agencies to conform to federal guidelines when using cell simulator devices H.R. Bill 5154 – Fourth Amendment Integrity Restoration (“F.A.I.R.”) in Surveillance Act 2016 was

  • introduced in the House of Representatives:
  • the bill was referred to the Committee on the Judiciary.

Any coordination or agreement between a Federal and State or local law enforcement agency, pertaining to the acquisition or use by that agency of any cell simulator device, must require that the use will conform to the guidance and policies that apply to the Federal agency on the use of such devices. [H.R.5154 – F.A.I.R. Surveillance Act of 2016]

+++

 

 

12-19 May 2016

Biometrics

WW – Facebook Launches Facial Recognition App Without Facial Recognition Technology

Facebook is releasing its photo app Moments in Europe, but with some important changes in order to comply with EU privacy laws. While the U.S. version of Moments features facial recognition technology, the European version will not, in part because of Facebook’s battle with the Irish data protection commissioner over the legality of the technology. The app uses facial recognition technology to identify individuals within photos bundled from the same event. The European version will still group photos from a particular event, but users will have to manually tag their friends. One major difference allows European users to share their photos privately, in a move geared toward the more privacy-cautious EU userbase. [The Guardian]

US – FBI Doesn’t Want Privacy Laws to Apply to Its Biometric Database

The FBI has been building a massive biometric database for the last eight years. The Next Generation Identification System (NGIS) starts with millions of photos of criminals (and non-criminals) and builds from there. Palm prints, fingerprints, iris scans, tattoos and biographies are all part of the mix. Despite having promised to deliver a Privacy Impact Assessment of the database back in 2012, the FBI’s system went live towards the end of 2014 without one. That’s a big problem, considering the database’s blend of guilty/innocent Americans, along with its troublesome error rate. The FBI obviously hopes the false positive rate will continue to decline as tech capabilities improve, but any qualms about bogus hits have been placed on the back burner while the agency dumps every piece of data it can find into the database. The FBI has shown little motivation to address Americans’ privacy concerns by providing an updated Impact Assessment (the one it does have dates back to the program’s inception in 2008), but has wasted no time in alerting legislators about its own privacy concerns. On Thursday, the Justice Department agency plans to propose the database be exempt from several provisions of the Privacy Act — legislation that requires federal agencies to share information about the records they collect with the individual subject of those records, allowing them to verify and correct them if needed. The DOJ’s comments reflect the FBI’s desire to keep its newest tracking toy as secret as possible. It asks for a number of exceptions and justifies those with the same excuses it uses to withhold information from both courts and FOIA requesters. [Source]

UK – PwC White Paper Points to Best Privacy Practices When Using Biometric Matching for Authentication

Nok Nok Labs, a member of the FIDO (Fast IDentity Online) Alliance, published a White Paper from PwC Legal comparing key privacy implications of on-device and on-server matching of biometric data. For organisations considering biometrics as they move away from reliance on usernames and passwords, the report highlights why device-side matching of biometric data is a compelling approach to satisfy key privacy requirements on cross-border personal data transfers, as well as providing the benefits of individual choice and control around such personal data. Other key findings in the White Paper include:

  • Freely given, informed user consent is required before processing biometric data in almost every jurisdiction covered in the White Paper
  • With centralised storage of biometric data, the potential for large-scale loss of data is significantly increased
  • On-device authentication will generally avoid international cross-border biometric data transfer implications. Conversely, on-server authentication for a global network of biometric users results in international transfers of data; transfer of personal data, including biometric data, out of a jurisdiction is generally restricted

“Biometrics are a compelling way to improve mobile application usability and avoid the security pitfalls of username/passwords, but significant privacy concerns come into play,” said Phillip Dunkelberger, President & CEO of Nok Nok Labs. “With biometrics, it is crucial to understand the difference between on-device and on-server matching, as the difference between the two approaches significantly affects the risk and exposure of data in a breach. The on-device approach, as used by Nok Nok Labs technology, ensures optimal privacy for biometric information.” [Source] [FedScoop: PwC Study: Device-Side Biometrics Preferred Over Server-Side]

AU – OAIC Seeks Feedback on Draft Guide to Big Data & Privacy

The Office of the Australian Information Commissioner is seeking feedback on a draft guide to the interaction between so-called big data and Australian privacy law. In particular, the draft examines how the Australian Privacy Principles (APPs) apply to big data. “There is no doubt that big data practices challenge us to think about how key existing privacy principles — including notice and consent, data collection, use limitation, and retention minimisation, — work in practice,” acting Australian Information Commissioner Timothy Pilgrim said. “However, the APPs [Australian Privacy Principles] are technologically neutral, and structured to reflect the entirety of the information lifecycle. This means entities have the flexibility to tailor their personal information handling practices to respond to the privacy challenges of big data uses.” “The draft guide is aimed at facilitating big data activities while protecting personal information. It encourages entities to take a risk management approach and to use existing privacy tools to get privacy right for big data,” Pilgrim said. [Source] The document is available from the OAIC’s website. The deadline for submissions on the draft is 26 July.

Canada

CA – OPC Starts Consultations on the Realities of Customer Consent

“It seems clear that reading privacy policies could be a full-time pursuit with untold hours of overtime,” federal privacy commissioner Daniel Therrien told a privacy conference in Toronto. “It is no longer entirely clear who is processing our data and for what purposes – creating challenges for meaningful consent.” That’s why his office has started a consultation with chief privacy officers and other executives, researchers as well as the public on whether the consent model — largely instituted by the federal Personal Information Protection and Electronic Documents Act (PIPEDA) — should be improved or should there be more focus on accountability and ethical uses of personal information by organizations, which would place the responsibility for oversight on regulators. [Source]

CA – OPC Releases Publication Highlighting Independent Privacy Research Projects Funded by Contributions Program

The Office of the Privacy Commissioner of Canada (OPC) has released the latest edition of Real Results—a publication highlighting the innovative and socially relevant independent privacy research and knowledge translation projects funded by the OPC Contributions Program over the past few years. The new edition of Real Results features funded projects that explore a range of emerging privacy issues—police background checks, the use of genealogical information, and telematics systems in cars—as well as some innovative approaches for helping young people learn to protect their privacy. The stories feature key findings of the projects, as well as commentaries and ideas from the researchers themselves that illustrate the issues and the impact of their work. The OPC Contributions Program funds independent privacy research and related knowledge translation initiatives. These projects not only advance the collective knowledge on privacy, they provide real, tangible research results that Canadians can use to make decisions about privacy protection in their own lives. To explore all research and knowledge translation projects funded by the OPC Contributions Program, see the Contributions Program projects listed by year on our website. [Source]

CA – NWT Government Seeking Comments on Reforms to ATIPPA

The Department of Justice for the Northwest Territories has issued a consultation on reform of the Access to Information and Protection of Privacy Act. Comments will be accepted until June 15, 2016. A comprehensive review of the Act is being conducted to address identified issues related to the purposes of the Act, the scope of the Act, time limits for responding to access to information requests, mandatory and discretionary exceptions to disclosure, circumstances allowing disclosures of personal information, the powers of the IPC, and current levels of fines for offences under the Act. [NWT Government – Public Engagement on the Comprehensive Review of the Access to Information and Protection of Privacy Act]

CA – Gov’t Minister Veto Could Trump Proposed Info Commish Powers

The Liberal government is floating the idea of a ministerial veto over planned new powers for the information commissioner — a move that would give cabinet the power to block release of documents. …Currently the commissioner, an ombudsman for users of the access law, can investigate complaints and recommend that records be released. But she cannot force a government agency to do so, and must head to court to pursue the matter further. Provincial commissioners in British Columbia, Alberta, Ontario, Quebec and Prince Edward Island have the power to order the release of government information. Many openness advocates have called for the federal commissioner to have similar authority. [Source]

CA – Quebec Info Commish Blasts School Board Over Data Sent to US

Quebec’s Information Commissioner has condemned Lester B. Pearson School Board (LBPSB) for sharing confidential personal information far too freely. Judge Cynthia Chassigneux ruled that LBPSB grossly violated its stakeholders’ rights by sharing their personal information with a private California database firm Blackboard Connect, where it is subject to disclosure to American authorities under the Patriot Act. [The Suburban]

CA – Ontario Court of Appeal to re-Examine Shielding Data from US Probes

What happens to data being stored in Canada and whether it can be accessed by foreign law enforcement agencies is a question Canadian courts are currently grappling with. Two decisions — one in Ontario, the other in British Columbia — have determined that information held in servers in Canada can’t be shielded for review by American investigators. But the Ontario Court of Appeal has decided to re-examine one of those cases. [Law Times]

CA – BC Court of Appeal Rules on Privacy, Technology, and Instant Messaging

In its recent decision R. v. Craig, 2016 BCCA 154, the B.C. Court of Appeal recognized a reasonable expectation of privacy in private instant messages shared on a social network. Even though the context was criminal law, the reasoning underlying the decision is of interest to any practitioner confronted with protection of privacy issues. This bulletin discusses this case first by presenting the facts, followed by the legal issues, the “reasonable expectation of privacy” test, and the court’s guidance for the future. “In our opinion, this decision can be summed up in two words as it pertains to reasonable expectation of privacy: tradition and progress. Legal tradition, because the Court of Appeal reiterated and affirmed the doctrine of confidentiality in private communications: the sender is not supposed to know that the recipient will share the message with third parties. Technical progress, because the Court of Appeal applied this doctrine, with the necessary adaptations, to the digital universe, by explaining that private instant messages shared on a social media website are entitled to an objective expectation of privacy. Most importantly, from a much broader perspective, this principle would apply to any private technological communication.” [Fasken]

CA — OPC Releases Survey Results on Canadian Businesses

The Office of the Privacy Commissioner of Canada recently commissioned a telephone survey of 1,016 Canadian companies to find out how Canadian businesses fare with their privacy knowledge and protections. The informative report on the survey is the 2015 Public Opinion Research with Canadian Businesses on Privacy-Related Issues. Canadian businesses report increased knowledge of privacy issues, but little progress in implementing privacy policies or response plans for data breaches – placing them at risk for new enforcement activities and fines. [Source]

CA – RCMP Surveilled Journalists for 9 Days Without Authorization

Mounties probing CSIS leak conducted unauthorized surveillance of 2 journalists Officers spent 9 days watching Ottawa-based journalists, new document reveals. Only after the surveillance of the reporters had occurred did officers ask their RCMP bosses for the required permission. They were immediately denied authorization, and told to cease the surveillance. The bombshell revelation about a national police agency spying without authorization on Canadian journalists appears in a document obtained by CBC News under the Access to Information Act. The partly censored briefing note for Public Safety Minister Ralph Goodale was written after media reports appeared last November detailing Project Standard. That was the official name of the Mountie probe into the leak of a 2003 secret document, created by the Canadian Security Intelligence Service (CSIS), to journalists working for the Montreal newspaper La Presse. [CBC] [Trudeau: ‘Unacceptable’ That Rogue Canadian Cops Spied on Two Journalists] See also: [Mulcair calls for inquiry into RCMP surveillance of journalists] [RCMP commissioner speaks out on unauthorized surveillance]

CA – Privacy Laws for Mental Health Care in Nova Scotia Could Soon Be Reviewed

The governing Liberals are ready to examine whether Nova Scotia’s privacy law is preventing young adults from getting the support they need when they are suffering from a mental illness. The issue was front and centre at Province House on Tuesday during a visit to the legislature by Carolyn Fox. Her daughter, Cayley, 21, killed herself on Jan. 22. [Source] See also: [Nova Scotia mental health care privacy laws unlikely to change: former health czar]

Consumer

CA – Ipsos Survey Finds Most Canucks Don’t Trust Gov’t With Their Info

A majority of Canadians believe that their personal, confidential information held by all levels of government is vulnerable to a security breach, including non-authorized internal access or an external data hack and theft, according to a new Ipsos poll conducted on behalf of Accenture. Municipal governments top the list, with 56% of Canadians describing them as vulnerable (16% very/41% somewhat) to threats when it comes to personal data for things such as property tax, water/sewage and traffic fines. A minority (44%) does not see their information as vulnerable (9% not at all/34% not very). Other levels of government don’t perform much better, as many feel the same way about their provincial government, which stores confidential data for drivers’ licenses, health cards and birth certificates: a slim majority (55%) say entities at the provincial level are vulnerable to data security breaches (20% very/35% somewhat), while nearly half (45%) say they aren’t vulnerable (13% not at all/32% not very). When sharing their personal, confidential data with the Federal government – for anything from taxes to SIN cards to passport renewals – 53% of Canadians feel their data is vulnerable to a security breach (20% very/33% somewhat), while fewer than half (47%) do not (15% not at all/32% not very). While most Canadians likely trust their doctor, many are less convinced about the security of their health records. Half (55%) feel records held at their doctor’s office or hospital are vulnerable (20% very/35% somewhat) to a security breach, while 45% do not (14% not at all/31% not very). Other institutions are not exempt from data protection concerns. Half of Canadians (52%) feel their hydro electricity provider is vulnerable to a data security breach (14% very/38% somewhat), while the other half (48%) does not feel their information held by their hydro provider is vulnerable (10% not at all/38% not very). [Source] [Press Release | Detailed Tables 1 | Detailed Tables 2

US – NTIA study: Privacy Concerns Curtailing Americans’ Online Activity

A National Telecommunications & Information Administration survey found Americans are concerned about online privacy and security and are curtailing their activities as a result. The survey revealed 19% of Internet-using households, equaling around 19 million, have been hit by a negative event, including a security breach or identity theft in the 12 months before the July 2015 survey. When asked about online concerns, 84 percent of participants named at least one online security concern, with identity theft cited as the most pressing issue, coming in at 63%. These fears are affecting online habits, the report states, as 45% of households said concerns stopped them from activities such as financial transactions, posting on social media or buying goods or services, with 30 percent saying it stopped them from performing at least two of those actions. [NTIA] [Privacy And Security Concerns Are Keeping Many Americans Offline]

UK – High-Profile Data Breaches Affecting Consumer Trust in Big Brands

A survey of 1,000 UK consumers commissioned by FireEye has revealed that last year’s high-profile data breaches have dented long term consumer trust in major brands. Findings highlighted rising public concerns over a perceived lack of board-level concern for data privacy, with almost three quarters (72%) of consumers stating that they were likely to stop purchasing from a company if a data breach was found to be linked to the boardroom failing to prioritise cyber security. A data breach linked to a lack of board-level attention was deemed less acceptable than if a data breach had occurred as a result of human error – with only 38% of consumers stating that they would be likely to stop purchasing if this was the reason. 29% of consumers said that data breaches had diminished their loyalty as current or potential customers of affected brands, and 38% said that they felt more negatively about companies that suffer data breaches, indicating that consumers are still largely viewing the organisations breached as the parties at fault, rather than victims of cyber crime. In addition to this, over a quarter of consumers (27%) indicated that persistent data breaches have negatively affected their perception of organisations that they buy from in general, indicating that persistent reports of data breaches is not just harming the reputation of affected organisations, but having a wider impact on consumer trust. The findings also reveal the potential long-term financial impact of data breaches on major brands, with 52% of consumers warning they would take legal action against companies if a data breach resulted in their personal details being stolen or used for criminal purposes. 62% of consumers also reported that they will now share fewer personal details with companies, which could hit the revenues of organisations – from social media platforms to search engines – that rely on collecting detailed consumer data for advertisers. [Source]

E-Government

AU – Vic.P.Commish Says Compulsory Census A Bad Precedent

Australian jurisdictions are highlighting privacy and data control this month, but disquiet remains about The Australian Bureau of Statistics’ recent reversal of a longstanding policy and plan for mandatory retention of names and addresses with this year’s national census. Victoria’s privacy chief worries compulsory collection of information for purposes other than law enforcement “could set a really bad precedent”. The census collects a huge array of personal data in one place — a potential honeypot for those involved in identity crime. “One of the privacy principles is data minimisation and that’s contrary to what the census is about, so I have reservations about it,” he says. [Source] [CA— Ex-MP Dean Del Mastro says long-form census may violate right to privacy]

CA – Microsoft Opens Azure Cloud Floodgates for Canadian Businesses

Microsoft has finally made its Azure Cloud services generally available in Canada post a short limited availability experiment in March. To provide Canadian businesses with the satisfaction that their data isn’t leaving the country, all users will be provided cloud services through local datacentre regions located in Toronto and Quebec City. Microsoft has also said that its Office 365 customers will also be provided data residency through the local datacentres. “With so much momentum in the cloud, we are thrilled to welcome Bell Canada as the first Canadian telecommunications partner for Azure ExpressRoute,” said Canadian MSFT CEO Janet Kennedy. [Source]

E-Mail

CA – CRTC Fines Company $194,000 for Unsolicited Telemarketing Calls

The Canadian Radio-television and Telecommunications Commission issued a Notice of Violation to Thee Future Web Ltd. for violations of the Unsolicited Telecommunications Rules. The company made calls to individuals registered on the National Do Not Call List, had not registered or subscribed to the Do Not Call List, and did not provide the appropriate information in a clear manner upon reaching the individual. [CRTC – Notice of Violation – Thee Future Web Ltd] See also: [CRTC Fines Company $30,000 For Unsolicited Telemarketing Calls: Notice of Violation – Century 21 Innovative Realty Inc.] and [CRTC Fines Company $65,000 For Unsolicited Telemarketing Calls: Notice of Violation: Right at Home Realty Inc. – PDR 9174-1603]

Electronic Records

SA – South Africa: 32% of Business Not Confident in Cloud Data Security

Despite the many benefits of moving to the cloud, South African businesses are still hesitant to make the transition. There is still much uncertainty about the move and how it will affect business. …Here are five extra reasons why adopting the cloud could work for your business. According to Vodacom Business, 32% of South African businesses are not confident that data is secure when using a cloud service. There are several reasons why wariness of transitioning to the cloud exists such as:

  • Loss of control.
  • Handing the performance of your business over to a 3rd
  • What if the system fails?
  • What position will the business be in if it isn’t able to perform?
  • The fear of operations being affected.
  • Security concerns. [Source]

Encryption

EU – Europol Director: Encryption Affects 75% of Agency’s Cases

Rob Wainwright, director of Europol, says encryption is a major problem in most of the cases the agency handles, Motherboard reports. Wainwright responded to an op-ed written by John Naughton for the Guardian on Twitter, proclaiming how encryption has been plaguing Europol cases. “Encryption dilemma must be solved soon. Real problem in 75% of all Europol cases” Wainwright tweeted. While Wainwright did not elaborate on the types of encryption troubling Europol, Claire Georges, a member from the agency’s corporate communications, said technology such as Tor and bitcoin are part of the problem. “Technology in general is used not only by cybercriminals, but also by drug dealers, child sexual offenders and other criminals involved in different illegal activities. Encryption is commonly used in secure communications and is becoming a standard protection feature in many products, such as e-wallets for virtual currencies,” Georges said. [Full Story]

EU Developments

EU – European Court Advisor: Dynamic IP Addresses Are Personal Data

Dynamic IP addresses are subject to privacy protection rules, the EU Advocate General said in a non-binding opinion. …The opinion, issued by Advocate General Manuel Campos Sánchez-Bordona, is online but has yet to be translated into English. The advocate general’s opinions are non-binding but they typically dictate how the European Court of Justice will rule. [Electronic Privacy Information Center] [CBS] [EU Advocate General Considers “Dynamic IP Addresses” as “Personal Data”: an Extension of Personal Data Scope?]

UK – ICO Issues Guidance for Direct Marketing by Charities & Business

Following a year that saw investigations into direct marketing by charities and a change in the law that led to the UK Information Commissioner’s Office setting record fines for nuisance calls and texts, ICO’s recent update of its guidance on direct marketing comes at a critical time. In light of the new guidance – as well as the new EU data protection regulation and expected review of the e-privacy directive – it’s more important than ever that those involved in direct marketing understand how to apply this complex area of law. Most of the new guidance focusses on helping charities to comply with the law, but it also gives helpful clarification for businesses that do direct marketing: particularly on the issue of what constitutes consent to use data, including ‘indirect’ consent. This article highlights the changes to ICO’s guidance, and what else is on the horizon that might affect how businesses conduct direct marketing. [Source]

Facts & Stats

UK – Survey Finds Brits ‘Confused’ About Security & Privacy Priorities

An F5 survey exploring the attitudes of data and security handling found half of UK respondents agree that tech firms should prioritise national security over consumer privacy. Only 26% of Brits agreed that privacy should be prioritised over security. The survey found that two-thirds of respondents were concerned about their privacy being compromised, while 72% had no confidence in social networks to protect their data from hackers effectively. But despite this, more than half were willing to share personal information for free access to a company service. People it seems are willing to share date of birth (53%), marital status (51%) and personal interests (50%) in return for a free service. But almost a third (31%) see no value in giving their personal data to companies. Nearly all consumers (88 percent) feel strongly that organisations should improve authentication for greater security. [Source]

Filtering

WW – Study: Google has denied 75% of RTBF requests

The organization behind the right to be forgotten application site Forget.me, Reputation VIP, has released a new report which found in the two years since Google began accepting RTBF requests, the company has refused 70 to 75 percent of them. Germany and U.K. residents most frequently make RTBF entreaties, the report states. While “invasion of privacy” tops the catalyst for most applications, “Google most frequently denies removal requests that concern professional activity,” the report states. “Following that, Google often denies requests where the individual involved is the source of the content sought to be removed.” [Search Engine Land]

Finance

AU – Database Makes Australian Credit Scores Public

A new credit rating database allows Australians to look up the credit scores of other civilians by address. Dubbed Georisk, the publicly accessible system exists for companies to “keep track” of consumers’ financial history while helping predict customers’ credit worthiness. It then ranks the scores on a risk factor from one to 10. The database has frustrated privacy advocates, the report states. “I think most people are going to feel their privacy is being grossly invaded by public disclosure of this information for anyone who wants to look at it for any purpose whatsoever,” said Civil Liberties NSW’s Stephen Blanks. [Yahoo7 News]

AU – Privacy Issues With Household Credit Ratings Posted Online

Civil libertarians have been left outraged by a public database which shows household credit ratings. It’s information anyone can look up, all that is needed is an address. Credit rating companies keep track of past financial behaviour to predict a person’s credit worthiness. Now companies are able to access a credit risk rating that has been applied to every household in Australia. Georisk aims to measure an individual’s financial risk, by putting consumers in a range from one to ten. The ratings are publicly available to anyone who wants to search it on a computer. Not everyone was pleased to know their information was publicly visible online. However the creators have defended the website, saying they weren’t offering anything that was sensitive to the individual. To see what your home’s credit risk rating is click here. [Video: Outrage over private household information being released on public database] [Source]

WW – Payday Loan Ads Prohibited on Google

Google will no longer permit “payday loan ads” on its site. The Wednesday announcement is a concession to critics who argue that the lending practices exploit “the poor and vulnerable,” the report states. They pose a privacy concern as well. “You search the Internet when you need help — and as a result you may give search engines some really sensitive information about your finances,” said Georgetown Law Center on Privacy & Technology’s Alvaro Bedoya. He called Google’s decision a “principled stance,” adding that it will set a precedent for other search engines. [Full Story]

WW – Verizon 2016 Report Confirms People Are #1 Source of Data Breaches

Verizon has just published its 2016 Data Breach Investigation Report. In preparation for this publication, Verizon reviewed more than 100,000 incidents (reported by a plethora of technology companies, law firms, government agencies, and insurance companies, as well as through its own investigations), of which 3,141 were confirmed data breaches. The report yielded several interesting trends. Not surprisingly, most data breaches are about money — thieves stealing data because of its value. 63% of confirmed data breaches involved leveraging weak, default, or stolen passwords, proving that data thieves will exploit vulnerabilities to take the easiest route. Phishing continues to trend upward. People seemingly just can’t help clicking on authentic-sounding “click here to reset your banking password” e-mails. For example, Verizon found 30% of phishing messages were opened, unfortunately an increase from 23% in 2014. 12% then proceeded to open the malicious attachment or click the link, no doubt to their peril. Overall, 95% of breaches, and 86% of incidents across all industries, predictably fell into nine identified patterns:

  • miscellaneous errors (17.7%),
  • insider and privilege misuse (16.3%),
  • physical theft and loss (15.1%),
  • denial of service (15%),
  • crimeware (12.4%),
  • web app attacks (8.3%),
  • point-of-sale intrusions (0.8%),
  • cyber-espionage (0.4%),
  • and payment card skimmers (0.2%).
  • the bucket “everything else” category covered 13.8%.

Interestingly, many of the data breaches reported were not caused by super-secret and sophisticated Mission Impossible-style attacks involving hacking or the wearing of black ninja gear while scaling walls. Instead, many breaches fall into what I think of as the “people are people” category — highlighting human greed/avarice and our basic capacity to make dumb mistakes. [Source]

FOI

CA – Court Rules Severance Payment Information Is Exempted from Disclosure Under New Brunswick FOI Legislation

The Court considered an appeal of the Access to Information and Privacy Commissioner’s decision recommending St. Thomas University release information requested under New Brunswick’s Right to Information and Protection of Privacy Act. The Court ruled that, contrary to the Privacy Commissioner’s recommendation, an organization does not have to disclose severance payment information to a requester; such information is neither a “benefit” (it does not bestow an advantage or betterment on a recipient) nor “discretionary” (it is made only to avoid or settle litigation). [Elizabeth Hans v. St. Thomas University – 2016 NBQB 049 – In the Court of Queen’s Bench of New Brunswick, Trial Division, Judicial District of Fredericton]

CA – Information Commissioner Opposes Government Veto Power Over Releasing Files

Information Commissioner Suzanne Legault says giving the government a veto over the release of files would turn her federal watchdog role into “a mirage.” Legault told a Commons committee studying reform of the Access to Information Act that she firmly opposes the idea of a ministerial trump card over proposed new order-making powers for her office. The Liberals promised the information commissioner could issue “binding orders” during last year’s election campaign. …[Now] the Liberal government is floating the notion of a veto that would give the federal cabinet power to block release of documents even if [Information Commissioner] Legault ordered disclosure. [Source]

WW – The Intercept Is Broadening Access to the Snowden Archive

The Intercept has announced two innovations in how they report on and publish the Snowden Archives. Both measures are designed to ensure that reporting on the archive continues in as expeditious and informative a manner as possible, in accordance with the agreements we entered into with our source about how these materials would be disclosed, a framework that he, and we, have publicly described on numerous occasions. The first measure involves the publication of large batches of documents. We are, beginning today, publishing in installments the NSA’s internal SIDtoday newsletters, which span more than a decade beginning after 9/11. We are starting with the oldest SIDtoday articles, from 2003, and working our way through the most recent in our archive, from 2012. Our first release today contains 166 documents, all from 2003, and we will periodically release batches until we have made public the entire set. The documents are available on a special section of The Intercept. Accompanying the release of these documents are summaries of the content of each, along with a story about NSA’s role in Guantánamo interrogations, a lengthy roundup of other intriguing information gleaned from these files, and a profile of SIDtoday. We encourage other journalists, researchers, and interested parties to comb through these documents, along with future published batches, to find additional material of interest. Others may well find stories, or clues that lead to stories, that we did not. (To contact us about such finds, see the instructions here.) A primary objective of these batch releases is to make that kind of exploration possible. Consistent with the requirements of our agreement with our source, our editors and reporters have carefully examined each document, redacted names of low-level functionaries and other information that could impose serious harm on innocent individuals, and given the NSA an opportunity to comment on the documents to be published (the NSA’s comments resulted in no redactions other than two names of relatively low-level employees that we agreed, consistent with our long-standing policy, to redact). Further information about how we prepared the documents for publication is available in a separate article. We believe these releases will enhance public understanding of these extremely powerful and secretive surveillance agencies. [Source]

US – Appeals Court: DPPA Doesn’t Cover Traffic Accident Reports

A Wisconsin state appeals court has ruled that the Driver’s Privacy Protection Act doesn’t require law enforcement agencies looking to comply with open records laws to redact names from accident reports. DPPA in fact includes an exception for unredacted, non-Department of Motor Vehicles-supplied accident reports. The ruling came at the relief of Wisconsin officials who had “begun blacking out drivers’ names and other information that normally would be public in accident reports” for fear of DPPA violations, the report states. The court did, however, encourage a state circuit court to decide if the unredacted traffic accident information served a purpose beyond compliance, the report adds. [FierceGovernmentIT]

Genetics

US – Vanderbilt Receives $4M to Study Genetic Data Privacy

The National Institutes of Health awarded researchers at the Vanderbilt University School of Medicine a $4 million, four-year grant to study the privacy ramifications surrounding genomic data use. “We’re really broadening our horizons to think about how history and public opinion and literature affect the way individuals and communities think about privacy concerns,” said primary investigator Ellen Wright Clayton. “Ultimately, the goal is to develop policy recommendations that address the complexity of what’s at stake.” Johns Hopkins University, University of Utah, and University of Oklahoma also received similar grants, the report states. [EurekAlert!

Health / Medical

CA – OIPC SK Releases Comprehensive Guidance for Health Information Protection Act

The OIPC SK has provided trustees with guidance to interpret The Health Information Protection Act, including:

  • guidance on when to disclose personal health information to family and friends;
  • guidance on de-identified PHI;
  • guidance on faxing PHI;
  • recommended safeguards;
  • best practices for data sharing agreements; and
  • privacy breach guidelines.

The guidance includes circumstances under which PHI may be disclosed to family/friends, de-identification of PHI (including an explanatory list of techniques), considerations for data sharing agreements with providers, recommended security measures (including faxing considerations), and a 4-step privacy breach process. [OIPC SK – IPC Guide to HIPA]

WW – Providers Seek Cloud Solutions for Healthcare Data Security

Healthcare data security has become a top priority for IT professionals when it comes to investing in cloud applications in 2016, reported the survey. In the 2014 survey, only 31.3% of survey participants stated that their organization planned on investing in cloud solutions for disaster recovery purposes, which often includes healthcare data security measures. Researchers also found that respondents were implementing cloud services to develop more comprehensive incident recovery plans. When participants were asked to assess the motivation factor from 1 (least motivating) to 7 (highly motivating), healthcare data security response was evaluated at 5.11. [Source]

WW – Healthcare Suffers Estimated $6.2 Billion in Data Breaches

Nearly 90 percent of healthcare organizations were slammed by a breach in the past two years. …The most commonly exposed data in healthcare breaches are medical records, followed by billing and insurance records, and payment information. Some 64% of attacks targeted medical files and billing and insurance records, up from 45%. Nearly 40% of healthcare organizations and 26% of their business partners say they know of medical identity theft incidents affecting their patients and customers, but 64% of healthcare organizations don’t offer credit protection services for victims, and 67% of business partners don’t have procedures in place to correct errors in medical records—a gap that could be life-threatening in the case of an identify thief using a patient’s medical information for fraudulent purposes, the Ponemon report notes. [Source] [Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data by the Ponemon Institute]

Study: 90% of Health Care Organizations Suffered Data Breach

A Ponemon Institute report found nearly 90% of health care organizations suffered at least one data breach during the past two years, costing the industry $6.2 billion, InformationWeek reports. Ponemon’s “Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data” discovered 79% of those organizations suffered two or more breaches, with 45% saying they had been hit by more than five breaches. With most of the breaches exposing less than 500 records, the incidents are not reported to the Department of Health and Human Services. The report also discovered health care budgets for security have either dropped, or remained the same during the past year. In related news, Vormetric released a study revealing 90% of security pros in the financial sector feel vulnerable to data threats, with 44 percent already experiencing a breach. [Full Story] [The Star reports on the first person ever charged under Ontario’s new health care privacy law.]

US – World Privacy Forum Questions Adequacy of PMI Privacy Principles

The World Privacy Forum says privacy principles set forth for the Precision Medicine Initiative “lack detail and fail to address underlying legal requirements and protections.” In a research paper published this week, the organization notes that the HIPAA Privacy Rule will not apply to the research, and that the principles “appear to be voluntary and lack important legal and administrative details.” The current privacy principles in place for the initiative were created by the White House with help from experts working both inside and outside the government. They include categories such as transparency to participants and the public; respect for participant preferences; and appropriate data sharing, access and use. In the paper, WPF outlines its privacy concerns for the PMI and identifies issues that should be addressed. Some recommendations the authors make include:

  • The structure and organization of the initiative must be detailed so privacy protections can be assessed, and participants must know who will maintain their data.
  • Uses and disclosures of the data for security and law enforcement purposes should be clarified.
  • There is “immediate need” for a Privacy Impact Assessment, which then should be open for public comment.
  • Privacy rules should be described as covering health records, administrative records and monitoring from health devices and mHealth tools. [Source]

Horror Stories

WW – LinkedIn Resets Passwords as 117M Logins for Sale on Dark Web

LinkedIn has confirmed a significant breach from 2012 was worse than first thought, with the number of leaked usernames and passwords rising from 6.5 million to a purported 117 million. Earlier this week, fresh LinkedIn credentials went on sale on a dark web market known as The Real Deal. 117 million LinkedIn usernames and passwords will cost 5 Bitcoins, worth approximately $2,200. LinkedIn is in the process of resetting user passwords for every member who joined before 2012 who had not changed their password since the previously-reported breach. It confirmed the action in a blog post, in which it added: “We have demanded that parties cease making stolen password data available and will evaluate potential legal action if they fail to comply. In the meantime, we are using automated tools to attempt to identify and block any suspicious activity that might occur on affected accounts.” [Forbes]

Identity Issues

US – Firms Suffering Data Breaches Can Tap Free Customer Fraud Protection

Organizations that suffer data breaches may now be able to offer free fraud protection to their customers through a new program announced this week. Austin, Texas-based data security and analytics company XOR Data Exchange has launched a new platform, the Compromised Identity Exchange, which “aims to protect U.S. consumers, businesses and government entities from data breach-related identity theft and fraud.” Participation in the exchange is free to organizations that have suffered a data breach of personally identifiable information in order to drive widespread protection for breach victims. According to the firm, The Compromised Identity Exchange synthesizes breached records with ongoing fraud analysis to offer banks, financial lenders and other service providers “unprecedented insight into which of their accounts and applications carry a higher risk of fraud related to one or more data breaches.” It does this without the need for ongoing data sharing from breached entities, the firm stressed. [Source]

US – Stanford Study: Basic Phone Logs Can Reveal Your Intimate Details

Following Edward Snowden’s revelations about surveillance, officials have downplayed its programs as being concerned not with the actual content of email or phone calls, but “just” with collecting metadata, as if metadata didn’t reveal just about as much about us as does the content itself. Metadata, when it comes to phone communications, includes who we call or text, who they contact (that’s called a “hop”), when we call or text, and the duration of each call or length of each message. Since the surveillance revelations, there have been various studies about how much can be gleaned about us from metadata. The answer: a lot. Now, researchers at Stanford University in the US have done another study, and their findings confirm that basic, supposedly anonymous phone logs can be used to glean people’s names, where they live, their partners’ names, and intimate personal details. A sample of the researchers’ vignettes show the type of things they managed to infer:

  • Somebody’s planning to grow weed. Within less than 3 weeks, the subject made calls to a hardware outlet, locksmiths, a hydroponics store, and a head shop.
  • Somebody’s got heart problems. The evidence included a long call from the cardiology group at a regional medical center, brief calls with a medical laboratory, several short calls from a local drugstore, and brief calls to a self-reporting hotline for a cardiac arrhythmia monitoring device.
  • Somebody’s pregnant. Early one morning, the subject was on the phone with her sister for a long time. Two days later, she called a nearby Planned Parenthood clinic several times. Two weeks later, she placed more brief calls to Planned Parenthood, and she placed another short call a month after.

The study involved 823 participants who volunteered to have their metadata collected via an Android app on their phones. The researchers also required participants to have a Facebook account, so as to verify that they were over the age of 18, as well as to verify the accuracy of their results. [Naked Security] [TechCrunch][“Evaluating the privacy properties of telephone metadata“]

US – Feds & States Continue to Expose SSNs on Mailed Documents

Americans Collecting Disability and Unemployment are at Risk of Identity Theft. Members of the FTC and consumer groups criticized the Employment Development Department’s (EDD) practice of using the numbers as identifiers on mailed documents and state lawmakers from both sides of the aisle demanded the EDD make changes. The coverage ultimately shamed the EDD into doing what it had long insisted was impossible. Three months after our first report, the agency began redacting social security numbers on the most commonly mailed documents. However, now we’ve discovered the EDD is still printing the number on many other mailed documents, including those sent to claimants collecting disability. The EDD is not alone in mailing sensitive information. ConsumerWatch reached out to every state in the nation and only 8 of the 42 states that responded say they redact Social Security numbers on all mailed documents. Like California, 17 admit they still mail the full number on documents to both claimants and employers. Another 17 states say they only print the full SSN on documents mailed to employers. However, that is just as concerning for many who don’t trust that their former employers will take the same care that they would to properly dispose of the documents. [Source]

Intellectual Property

CA – Ann Cavoukian Launches Global Council on PbD Standards

Ann Cavoukian, former Ontario, Canada information and privacy commissioner, will form a new international council to advocate and set standards for privacy by design. The International Council on Global Privacy and Security: By Design will work with companies, national privacy commissioners and technology professionals to educate the public and raise awareness for privacy by design. Cavoukian set out three goals for the council:

  •  educate politicians, businesses, government, media and the public that systems can and must be engineered to protect both privacy and security;
  •  create policy templates that can show how privacy can be applied to technologies in the digital age; and
  •  foster technology innovation in academic institutions around the world to foster privacy and public safety, as well as privacy and business interests, such as big data and data analytics, without sacrificing either privacy or security. [Source]

Internet / WWW

WW – Study: Facebook, Google own top-used third parties

Google and Facebook-owned third parties are among the top-used on the Internet’s most-viewed sites, a new study from the Princeton Web Census shows. “Google owns seven of the 10 most loaded third-party domains,” the report states, adding Google Analytics was by far the most popular. “The remaining three are all owned by Facebook.” While the study found the amount of third parties a typical Internet user would engage with is “relatively small,” new websites are among those with the highest number of trackers. “Since many of these sites provide articles for free and lack an external funding source [these sites] are pressured to monetize page views with significantly more advertising,” the study states. [Full Story]

Law Enforcement

US – National Institute of Justice to Review Body Worn Cameras, Seeks Input
The National Institute of Justice (“NIJ”) is soliciting information in support of the upcoming National Criminal Justice Technology Research, Test, and Evaluation Center (NIJ RT&E Center) “Market Survey of Body Worn Camera (BWC) Technologies”; input is due May 31, 2016. [Source]

Location

WW – Study: Just 8 Tweets Can Reveal Precise Location

MIT and Oxford University researchers say with just eight tweets, “a relatively low-tech snooper” can deduce a user’s whereabouts using location stamps. A paper presented by researchers Ilaria Liccardi, Alfie Abdul-Rahman and Min Chen at a recent conference says while Twitter’s location notation is opt-in, many users reportedly engage the services. “With this study, what we wanted to show is that when you send location data as a secondary piece of information, it is extremely simple for people with very little technical knowledge to find out where you work or live,” Liccardi said. Their work was a part of MIT’s Internet Policy Research Initiative, a program geared toward increasing social media privacy awareness. [MIT News]

Online Privacy

WW – Researchers Publish Information on Nearly 70,000 OkCupid Users

Nearly 70,000 OkCupid users had their data published by researchers, including their usernames, location, sexual turn-ons and sexual orientation. Two Danish researchers, Emil O. W. Kirkegaard and Julius D. Bjerrekær, collected the data from the dating website using a scraper, a tool saving certain segments of a Web page. The scraper targeted random profiles who had answered numerous OkCupid multiple-choice questions. While the researchers’ actions were legal, criticism has been levied at the project. Scott B. Weingart, digital humanities specialist at Carnegie Mellon University, said in a tweet he could use the information to re-identify the actual identities of OkCupid users. Weingart claimed he could with 90 percent accuracy connect sexual preferences and histories to real names of over 10,000 of the OkCupid users. [MotherBoard]

WW – OKCupid Study Raises New Questions About ‘Public’ Data

When you sign up for a dating website, you are making your information available for other users to see. But does that mean your information is “public”? Experts are now mulling this question after a group of researchers released a data set of nearly 70,000 users from the online dating site OkCupid. The researchers used a “scraper,” or a browser extension designed to collect data from web pages, to collect the data. In other words, they collected the data without OkCupid’s permission, breaking the site’s terms of usage and the Computer Fraud and Abuse Act. The data was uploaded on Open Science Framework, an online forum that encourages researchers to share data for easy collaborations, but it has since been removed. The scraped data revealed many user details including name, age, gender, religion, and detailed information about users’ habits and preferences. When asked whether the researchers took measures to anonymize the data, Mr. Kirkegaard, the lead researcher responded, “No. Data is already public… All the data found in the dataset are or were already publicly available, so releasing this dataset merely presents it in a more useful form.” But even if the data is available to other users, should it be shared publicly? Some experts don’t think so. While OkCupid lets registered users view profiles of other users on the site, that doesn’t justify anyone releasing this information to the public, they say. In this case, the researchers breached the ethics of Social Science Research, which requires researchers to obtain consent from subjects as well as ensure that researchers are maintaining confidentiality before they can publicly share personal information. The OkCupid profiles include very personal information on everything from political views to sexual habits. OkCupid asks its users hundreds of questions to help its algorithm generate better matches. Though the researchers didn’t release real names with the data, just profile user names, that is not considered maintaining confidentiality, say experts. One Twitter user claimed that he could link some bits of data to actual names of more than 10,000 users on OkCupid. [The Christian Science Monitor] See also: [OkCupid Study Reveals the Perils of Big-Data Science]

WW – Study: 16% of Apps Access Info Sans Consent

Deloitte published its annual privacy index 10 May, which found that of 88 brands’ apps, from various industries in Australia, 16% accessed users’ phone data without notifying them. The surveyed brands were not named, although Deloitte’s Tommy Viljoenhen called them among “the most trusted.” He added, “What’s happening with the brands we don’t know about? As consumers, are we even aware of the extent to which information is being collected without our knowledge?” [Mashable]

Other Jurisdictions

US – Report: Schools ‘Soft Targets’ for Data Collection

A new report details how schools are “soft targets” for companies looking to obtain data and market to children. “Learning to be Watched: Surveillance Culture at School,” from the National Center for Education Policy at the University of Colorado at Boulder, discusses how student privacy has been compromised by organizations creating relationships with schools, often through free technology. The report also discusses how laws created to protect student privacy, including the Children’s Online Privacy Protection Act, have major weaknesses. “Schools have proven to be a soft target for data gathering and marketing. Not only are they eager to adopt technology that promises better learning, but their lack of resources makes them susceptible to offers of free technology, free programs and activities, free educational materials, and help with fundraising,” the report said. [The Washington Post]

Privacy (US)

US – SCOTUS on Spokeo: Life Just Got Harder for Class-Action Lawyers As Court Rejects ‘No-Injury’ Cases

Plaintiff lawyers who have built a lucrative business over the past few decades suing companies over minor legal breaches that arguably harmed no one may have a tougher time bringing cases following the U.S. Supreme Court’s decision in Spokeo v. Robins, requiring plaintiffs to plead a “concrete” injury to proceed in federal court. The decision wasn’t a complete win for corporate defendants as the court left plenty of room for creative lawyers to craft complaints that allege their clients suffered an injury, no matter how small, from miscues like data breaches or incorrectly worded mortgage documents. But by stating clearly that some injury is required under Article III of the Constitution, the court may have ended the long-profitable business of suing companies over nothing more than statutory damages provided under laws like the anti-robocalling Telephone Consumer Protection Act. Spokeo was sued by Thomas Robins, who claimed the online information site inflated his education credentials and made other errors that may have caused him to have a harder time finding a job. I say “may have,” since it is extremely unlikely any potential employers actually looked at his entry on Spokeo and Robins didn’t provide any evidence supporting the idea he was harmed. [Forbes] See also: [Brace for more class action challenges post-Spokeo]

US – EFF Releases Annual Report

The Electronic Frontier Foundation released its 2015 annual report, covering all of the work the organization has achieved during the past year. The group celebrated more than 500,000 installations of its Privacy Badger browser extension and the two-millionth certificate of its Let’s Encrypt service. The EFF also touted major activism and law efforts it has completed in the past year. “We fight to make sure people have access to the speech platforms and privacy tools that help them take control of their world,” said EFF Executive Director Cindy Cohn, adding, “Based in part on our near decade of activism and legal work, Congress also passed the USA Freedom Act, the first real restrictions and oversight imposed on the NSA’s surveillance powers since 1978.” [Full Story]

US – Other Privacy News

Privacy Enhancing Technologies (PETs)

WW – Acronis Applying Blockchain to Data Protection Problems

Acronis has announced a new strategic initiative to develop applications of Blockchain technology for data protection. The company announced the initiative at its 2016 VIP Partner Summit held in Singapore this week. Acronis is taking a unique and targeted approach at how Blockchain can be used to solve specific data protection problems by seeking and developing use cases that exist today. Data and transactions that are protected from tampering by Blockchain can be used for those use cases where individuals or businesses absolutely must maintain the integrity of the original information. [Source] See also: [IBM Touts Blockchain to National Cyber Security Commission]

Security

WW – Almost Half of Companies Don’t Teach Staff Data Security

44% of companies do not think it should be compulsory for staff to be trained around data security, even though they have formal data protection processes in place. This is despite the security firm finding more than 22% of IT professionals have shared confidential information using an unsecure file sharing platform such as Google Drive, OneDrive or Dropbox, while 10% said they have shared data with people outside the company. Employees are also no strangers to data loss. 13% of the 2,000 IT professionals questioned admitted they have lost data while at work and 5% said they have experienced a data breach. Egnyte also explained that 14% of staff had opened an unsecure link that had been sent to their work email and 12% had used a public Wi-Fi network to work on confidential documents. “File sharing technology is sound from a security perspective… The root cause of mishaps is simply lack of awareness. With conscious effort to educate end users, enterprises can secure their data at little real cost. “Additional measures as simple as creating a checklist of content protection recommendations and making it readily available to employees, or integrating content management best practices into onboarding, can move the needle.” [Source]

Surveillance

US – Privacy Groups, Industry Agree to Best Practices for Drone Use

Stakeholders taking part in the National Telecommunications & Information Administration Multi-Stakeholder process have agreed to a set of best practices for drones. The practices are designed to provide flexibility for drone use, especially for smaller operators, while providing strong privacy standards. Groups agreeing to the practices include Amazon, the Software & Information Industry Association, and the Consumer Technology Association. “These standards will help ensure these technologies are deployed with privacy in mind,” said Future of Privacy Forum CEO Jules Polonetsky,. In a blog post, Center for Democracy & Technology Vice President of Policy Chris Calabrese said, “As the nascent drone industry is starting to take-off, adopting these best practices will help ensure that drones fly safely, ethically and respectfully.” [FPF]

US – CDT, Fitbit Collaborate On Best R&D Privacy Practices for Wearables

The Center for Democracy & Technology joined forces with Fitbit to release a report detailing the best privacy practices for research and development teams working in wearable technologies. Together with Fitbit, the CDT conducted interviews, surveys and other research to assess industry trends and best practices. “R&D teams in wearable technology can and should also be laboratories of privacy and ethical research best practices,” wrote CDT and Fitbit. The paper also offers “practical guidance on privacy-protective and ethical internal research procedures at wearable technology companies,” they add. Other key takeaways include the need for a culture of privacy, security and ethics in R&D, successful management of many different forms of trust with consumers, and the need for policies and procedures for handling ethical questions on R&D teams. [Full Story]

Telecom / TV

US – Tracking Apps Raise Security, Privacy and Legality Questions: GAO

Tracking apps can be useful in a variety of ways, such as, letting consenting spouses know each other’s locations. However, location data from mobile devices can be highly personal …”GAO found that some federal laws apply or potentially apply to smartphone tracking apps, particularly those that surreptitiously intercept communications such as e-mails or texts, but may not apply to some instances involving surreptitiously tracking location. Statutes that may be applicable to surreptitious tracking apps, depending on the circumstances of their sale or use, are statutes related to wiretapping, unfair or deceptive trade practices, computer fraud, and stalking. [Experts the GAO interviewed] also expressed concerns over what they perceived to be limited enforcement of laws related to tracking apps and stalking,” the GAO stated. [Network World]

US Legislation

US – Legislative Roundup

Workplace Privacy

US – FTC Releases FCRA Guidance

The FTC has published new guidance to assist employment background checking agencies with Fair Credit Reporting Act compliance, the agency announced in a statement. The guidance is primarily concerned with showing companies what work would qualify them as a consumer reporting agency and, given that, what their legal obligations may be. [FTC]

US – Social Media Posts Now Fair Game for Security-Clearance Applications

Director of National Intelligence James Clapper released a policy May 13 that confirms federal agencies will begin using public information from social media sites when looking at security clearance applications. Information the government finds irrelevant will be deleted from their servers, the report states. Some lawmakers expressed concern. “How do we flag the serious from the trivia?” asked Rep. Gerry Connolly, D-Va. “How do we make sure we don’t have some enormous depository of government information” that is held? [The Washington Post]

US – Workplace Monitoring Gets Easier Under New Law

“Companies that monitor their employees’ emails or Internet activity now have new protections from potential allegations of wiretap violations: Under the Cybersecurity Act of 2015, companies enjoy liability protection for the monitoring of their information systems for ‘cybersecurity purposes.’” “The act’s inclusion of liability protections for cybersecurity activities to safeguard theconfidentiality of information suggests that monitoring in order to protect trade secrets and intellectual property could receive liability relief in addition to monitoring for general network security.” [Full Story]

CA – Suncor Wins Legal Round for Random Oilsands Drug Testing

A Court of Queen’s Bench judge has quashed a 2014 arbitration panel ruling that determined the proposed testing plan would violate the privacy of union workers represented by Unifor. Justice Blair Nixon said the panel should have considered evidence about alcohol and drug incidents involving all workers at Suncor, including non-union contract employees. “By focusing only on the bargaining unit, the majority (of the panel) expressly excluded consideration of relevant evidence,” Nixon wrote. “The majority ignored evidence pertaining to some two-thirds of the individuals working in the oilsands operation.” [Source]

+++

 

7-11 May 2016

Biometrics

US – Federal Judge Says Facebook Photo-Tagging Suit Can Continue

A San Francisco federal judge is allowing a case against Facebook’s facial recognition, photo-tagging feature to proceed. Plaintiffs have argued the feature violates users’ privacy, as the facial recognition technology goes against Illinois’ Biometric Information Privacy Act, which requires companies to obtain explicit consent from users before gathering biometric data. While Facebook argued the feature is covered in its terms of service, and that the suit should be dismissed, U.S. District Judge James Donato disagreed. “Trying to cabin this purpose within a specific in-person data collection technique has no support in the words and structure of the statute, and is antithetical to its broad purpose of protecting privacy in the face of emerging biometric technology,” Donato wrote in his ruling. [USA Today] See also: [Facial-recognition tech used for anti-theft initiatives] and [Italy’s Data Protection Authority has mandated that Facebook disclose details of an instance of trolling in a case where the user claims the social network responded unsatisfactorily, International Business Times reports]

EU – EU Proposes Minority Report-Style Facial Recognition for Refugees 

In its attempts to bring the refugee crisis to heel, the European Commission wants to expand its fingerprint database, introduce facial recognition software, store the information for even longer than before and include minors in the process. The EU is planning wholesale changes to the bloc’s asylum law. In addition to a “fairer” distribution system for refugees and an extension of border controls within the Schengen area, the Eurodac fingerprint database, which is currently used to identify asylum seekers and irregular migrants, is to be enlarged. The system is set to be supplemented with facial recognition software and personal data will be stored for a longer period of time, with the aim of ensuring that irregular migrants stay on the authorities’ radar; the information of underage refugees will also be kept. The upgrade will cost some E30 million. [Source]

US – Illinois Anger Over Elementary School Student Thumbprint Scanner

Privacy advocates are concerned about what looks to them like Big Brother overreach in an Illinois elementary school. The Harrison Street Elementary School in Geneva has installed a new thumbprint scanner for students to pay for their meals and keep track of their accounts. The thumb scanners replaced another biometric device by PushCoin Inc. that the school used last year. These types of devices are growing in popularity and other districts are looking to implement the scanners. But not everyone thinks they are a good idea. Parents are able to opt out and use a card if they want to. [Source] [Daily Herald]

Canada

CA – OIPC SK Releases Guidance Regarding Access to Personal Information of a Child Under the Age of 18

The Office of the Saskatchewan Information and Privacy Commissioner has released guidance relating to obtaining personal information of a child under the age of 18 years: Included is a list of common questions and responses. Unless otherwise ordered by a Court or a custodial agreement, the Children’s Law Act, FOIP, LA FOIP and HIPA confer the right or power of a legal custodian to request access to personal information of a child under the age of 18; trustees need to exercise discretion when determining if the disclosure is reasonable or will constitute as an invasion of the child’s privacy, such as when the child expresses they don’t want a parent to know or if the information is highly sensitive. [Office of the Saskatchewan Information and Privacy Commissioner – Who Signs for a Child?]

Consumer

NZ – Privacy Commissioner Survey Finds Privacy a Major Concern

New Zealanders are becoming increasingly worried about their privacy, according to a new survey. In the new UMR public opinion survey, commissioned by the Privacy Commissioner, 46% of the 751 people questioned said they were growing more worried about individual privacy, and their online information in particular. That is especially the case for young people and those with a university education. Privacy Commissioner John Edwards said there was a high level of concern about identity theft as well as financial and health information. About 80% of those surveyed were worried about identity theft and their credit card and banking details being stolen. Nearly all respondents – 87% – were concerned about the personal information children upload to the internet. The survey also found that 62% felt personal data should not be shared between government organisations, as the risk to people’s privacy and security outweighed the benefits. But they were more open to data sharing when safeguards were put in place, with a small majority willing to share data as long as they could opt out if they chose, of if there were strict controls on who could access the data and how it was used. [Source] [Survey]

WW – Snowden’s Surveillance Leaks Made People Less Likely to Read About Surveillance

A new Oxford University study has published empirical evidence showing that government mass surveillance programs like those exposed by Edward Snowden make us significantly less likely to read about surveillance and other national security-related topics online. The study looks at Wikipedia traffic before and after Snowden’s surveillance revelations to offer some new insight into the phenomenon of “chilling effects,” which privacy advocates frequently cite as a damaging consequence of unchecked government surveillance. What it found is that traffic on “privacy-sensitive” articles dropped significantly following what author Jon Penney describes as an “exogenous shock” caused by revelations of the NSA’s mass surveillance programs and the resulting media coverage. The articles were chosen based on keywords from a list of terms flagged by the Department of Homeland Security, used for monitoring social media for terrorism and “suspicious” activity. For example, Wikipedia articles containing the 48 terrorism-related terms the DHS identified—including “al-Qaeda,” “carbomb” and “Taliban”—saw their traffic drop by 20%. The results also mirror a similar MIT study from last year which found that users were less likely to run Google searches containing privacy and national security-related terms that might make them suspicious in the eyes of the government. Perhaps even more alarmingly, the study seems to show a long-term drop in article views on these topics that lasts well past the initial shock of Snowden’s revelations, suggesting that people’s’ calculations about what to read on Wikipedia may have been permanently affected. [Source]

Encryption

US – Former Officer Is Jailed Months Without Charges, Over Encrypted Drives  

A former police sergeant has been held without charges in a federal detention cell in Philadelphia, part of an effort by the authorities to pressure him to decrypt two computer hard drives believed to contain child pornography. The case reveals yet another battle line for law enforcement and digital privacy advocates over encryption, this time on an Apple computer, not an iPhone. The sergeant, Francis Rawls, was ordered by a federal court last August to hand over the two hard drives, which were seized from his home because they were suspected to contain the illegal pornography. When he refused to decrypt the drives, claiming he could not remember the passwords, he was taken into custody, and this week he started his eighth month in a federal detention center, all without ever being charged with a crime. Mr. Rawls’s case is the latest in a growing number of legal battles over digital privacy in the United States. The challenges are playing out in courts across the country, propelling a national debate over when the government can compel individuals or companies to disclose codes or passwords giving access to private data. “Not only is he presently being held without charges, but he has never in his life been charged with a crime,” Keith M. Donoghue, his federal public defender, wrote in a motion last week seeking his client’s release. [Source]

EU Developments

EU – GDPR, Directive 2016/680, PNR Officially Published

It’s finally final for three separate pieces of privacy legislation in the EU. On 4 May, the Official Journal of the European Union published the texts of the General Data Protection Regulation, officially Regulation 2016/679; Directive 2016/680, governing the handling of data in law enforcement situations; and the Passenger Name Record Directive, officially Directive 2016/681. This creates something of a countdown clock for privacy professionals. As the GDPR goes into effect two years and 20 days following its publishing in the Official Journal, 25 May 2018, takes on new portent. [Lex-Europea] See also: [The European Parliament is struggling to set a date for a plenary vote on the EU-U.S. Privacy Shield] [The US Supreme Court has updated Rule 41, allowing federal judges to issue warrants for computers outside of their jurisdiction, potentially threatening the EU-U.S. Privacy Shield.]

UK – Employers Vicariously Liable for Data Breaches Caused by Rogue Employees

In April 2016, the High Court of England and Wales issued its judgment in Axon v Ministry of Defence [2016] EWHC 787 (QB). The court emphasised (albeit obiter) the fact that employers can be liable for data breaches caused by rogue employees (in the present case, an employee who had passed on certain information to journalists without the permission of her employer). The impact of this decision on employers is potentially significant, and it serves as another reminder to employers to implement proper data protection processes and procedures, and to ensure that employees receive appropriate training on these issues. [Source] [PDF]

EU – CJEU to Rule on Test Data Case

The Supreme Court of Ireland has referred to the Court of Justice of the European Union to decide whether a man’s accounting exam is considered personal data under the Data Protection Act. After being denied access to his test by both his school and the Data Protection Commissioner, plaintiff Peter Nowak argued in the Circuit Court and then appealed to the High Court that his handwritten test qualified as biometric, and therefore personal data, the report states. He further argued that as exam results are “considered personal,” the test and exam comments ought to be too. [Independent]

Facts & Stats

WW – UNCTAD Publishes Report on Data Flows, International Trade

Late last month, the United Nations Conference on Trade and Development released a new study on privacy law, trans-border data flow and their implications on international trade and development. The in-depth and substantive report also places a focus on developing nations. “The study reviews the current landscape and analyzes possible options for making data protection policies internationally more compatible,” the report states. Contributors to the report include international organizations, government bodies, the private sector and civil society. “The findings of the study should help to inform the much needed multi-stakeholder dialogue on how to enhance international compatibility in the protection of data and privacy,” the report adds. [UNCTAD]

FOI

CA – BC Makes Changes to Freedom of Information Law

B.C. cabinet’s travel receipts, calendars to automatically be made public: Finance Minister Mike de Jong has issued a rare order under B.C.’s Freedom of Information law to ensure that travel receipts and daily calendars for cabinet ministers and their senior officials are automatically made public. The change was part of a series of directives issued by Mr. de Jong to respond to criticism that his government has deliberately thwarted the release of information to the public through the practice of triple-deleting e-mails within government and relying on oral reports to avoid the creation of documents that could be accessed. Vincent Gogolek, executive director of the BC FIPA, said Mr. de Jong’s changes are both minimal and long overdue. “They are not doing nothing, but they are doing the least possible,” Mr. Gogolek predicted one of Mr. de Jong’s new initiatives will be counterproductive. Starting this month, the government will publish all active access-to-information (FOI) requests, a measure that Mr. de Jong said will provide more transparency on government response times. However, Mr. Gogelek said the change could discourage access requests. “This is exposing FOI requesters. The privacy commissioner has asked for anonymity for those making information requests, and this seems to be going in the opposite direction.” [Source]

CA – B.C. Privacy Commissioner Mainly Positive Toward New FOI Policies

British Columbia’s Information and Privacy Commissioner is praising the province’s expansion of its Access-to-Information policies, but she’s also concerned about the potential “unintended consequences” of a decision to post information requests as they are received. Elizabeth Denham issued a statement on Tuesday that offered a largely positive assessment of the changes, which were announced a day earlier, but singled out the disclosure of Freedom-of-Information (FOI) requests as a potential concern. “I wish to examine all possible implications, including any unintended consequences, of publicly disclosing a description of an applicant’s request for records before they have received those records,” Ms. Denham said in her statement. [Source]

CA – OIPC BC Finds Ministry Properly Withheld Information Relating to Tolling Framework

The OIPC BC reconsidered Order F14-20, pursuant to a court order, where the Ministry of Transportation and Infrastructure refused to disclose information requested under the Freedom of Information and Protection of Privacy Act. Disclosure of the information would reveal the substance of the Ministry’s deliberations because it contained financial implications of the framework, and a presentation that formed the basis of the Priorities and Planning Committee’s deliberations; although the decision to impose a toll was made public and implemented, the information should not be disclosed because it related directly to the issues the Committee considered. OIPC BC – Order F16-22 – Ministry of Transportation and Infrastructure [Re-consideration Order – F16-22] [Original Order – F14-20]

US – ODNI Releases Documents as Part of FOIA Pilot Program

The US Office of the Director of National Intelligence released several documents as part of a pilot program with the Freedom of Information Act. The ODNI is one of seven federal agencies contributing to the program, with the goal of making FOIA record requests available to the public. During the program, the ODNI will announce the release of “proactive disclosures.” Among the first group of documents released include, “Unlocking the Secrets: How to Use the Intelligence Community“ and “Semiannual Report to the Director of National Intelligence – Office of the Inspector General of the Intelligence Community.” [Full Story]

Genetics

CA – Looking for an ‘Internet of DNA’

The Star reports on calls by some researchers to create an “Internet of DNA” to help treat rare genetic diseases and psychological disorders. “If we’re looking to 2025, I see a kind of World Wide Web for health, a true Internet for health, which doesn’t exist today,” said Dr. Tom Hudson, a genomics researcher and president of the Ontario Institute for Cancer Research. “We are transforming a lot of information into digital bits and that information is huge,” he added. Such a DNA network could transform medicine and how diseases are cured, researchers argue. Currently, valuable medical data is contained in silos, “while legal, technical and cultural barriers prevent scientists from easily sharing their data troves,” the report states. “If nothing is done, there is a risk that balkanized systems will soon become established,” the Global Alliance’s website points out. [Full Story]

Health / Medical

CA – Northern Canadian Hospital Confirms Staff Wrongly Accessed Patient Records

Security experts emphasize that organizations have to limit access to databases with sensitive information. However, they also have to carefully design information systems themselves so sensitive data doesn’t appear on screens users have legitimate reasons to see. That appears to have failed at a health authority in Canada’s far north, which confirmed that employees inappropriately accessed patient health records through an online scheduling system in what appears to be a case of employee snooping. CBC News reported that some staff the Beaufort-Delta Health and Social Services Authority, which serves 6,700 residents of the Beaufort Delta Region in the Northwest Territories including the Inuvik Regional Hospital have been disciplined for wrongly accessing records of  67 patients. The information “had been inappropriately accessed by staff outside a legitimate scope of duties,” Arlene Jorgensen, CEO of the Inuvik Health Authority, was quoted as saying. The institution’s scheduling system includes expected information such as appointment times and check-out dates. But it also lists the reason patients were at the hospital. Several staff members who had accessed this information did not need it to do their jobs, according to the health authority. The authority emphasized that detailed information, such as diagnoses were not accessed during the breach. [Source]

CA – Ontario Appeals Board Finds Regulatory Committee Failed to Adequately Investigate Complaint Alleging Physician Inappropriately Accessed Patient Files

The Board reviewed the decision of the Inquiries, Complaints and Reports Committee of the College of Physicians and Surgeons regarding a complaint made against a physician. The regulatory committee failed to properly examine whether the access took place after the physician left a clinic, may have improperly concluded that the access was due to the nature of the filing system (computer logs may support a different conclusion), and failed to consider that the alleged breach is a serious matter under PHIPA; mandatory further investigation should include direct questioning of the physician, examining how the electronic filing system operates, and determining what system access is allowed a non-treating professional. [F.J.S., MD v. S.S.E., MD – 2016 CanLII (ON HPHARB) – Health Professions Appeal and Review Board]

CA – Ontario Appeal Board Upholds Verbal Caution to Pharmacist Regarding Confidentiality

the Health Professions Appeal and Review Board reviewed an investigation of the Inquiries, Complaints and Reports Committee of the Ontario College of Pharmacists, into a pharmacist’s solicitation of new business. The pharmacist obtained patient information from his previous employer and used it to establish clientele for his new business; the Committee found that this active solicitation of business was inappropriate, and warned the pharmacist that he must maintain patient confidentiality, not use patient information for improper purposes, demonstrate professionalism and ethical principles, and respect patients’ right of self-determination. [J.J. v G.C., 2016 CanLII 21553 (ON HPARB) – File#15-CRV-0181]

US – OCR Cautions Hospitals to Prepare for Breaches at Business Associates

With many healthcare organizations questioning their data security arrangements with business partners, the Office of Civil Rights (OCR) of the Department of Health and Human Services, sent out an alert suggesting steps to mitigate damage from breaches resulting from those associations. The alert OCR sent last week said that following the 2015 hack of U.S. Office of Personnel Management (OPM), many healthcare organizations believe the provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) have not stopped breaches and have not allayed their fears. “Not only do a large percentage of HIPAA covered entities believe they will not be notified of security breaches or cyberattacks by their HIPAA business associates, they also think it is difficult to manage security incidents involving business associates, and impossible to determine if data safeguards and security policies and procedures at their business associates are adequate to respond effectively to a data breach,” the alert said. As a result, HIPAA-covered organizations and their HIPAA business associates should consider how they will confront a breach at their business associates or subcontractors. [Source] See also: [Ontario’s legislature has passed the Health Information Protection Act in its third reading. The act aims to improve privacy, accountability and transparency in health care, according to a news release]

US – Brookings Calls Out OCR on HIPAA Audits, Offers Security Tips for Healthcare Organizations  

With the healthcare industry suddenly accounting for nearly 25% of all data breaches, a new study from The Brookings Institution suggests some new cybersecurity strategies are needed. Niam Yaraghi, a Brookings fellow, conducted in-depth interviews with 22 healthcare organizations – providers, payers and business associates – that had each experienced at least one  data breach. He found some things in common across them, and some differences. But his biggest takeaway was that guidance and enforcement from the federal government isn’t doing enough to keep patient data safe, and that a more concerted private-sector strategy is needed to help ensure security best practices. In his report, “Hackers, phishers, and disappearing thumb drives: Lessons learned from major healthcare data breaches,” Yaraghi offered a series of suggestions for both the HHS Office of Civil Rights and those working in the healthcare trenches. [Source] See also: [Status report: OCR’s effort to guide HIPAA compliance in mobile health] [Earlier HIPAA Audits Help Healthcare Data Breach Prevention]

Horror Stories

CA – Two Convicted of Snooping on Rob Ford

An Ontario court has convicted two health care workers for unauthorized access to the late mayor Rob Ford’s medical records, the first such conviction under the province’s health privacy law. Both workers pleaded guilty under PHIPA to “willfully collecting, using or disclosing personal health information,” the report states. The former employees have also each been fined $2,505 for the incident. There is no evidence the workers shared the health records they accessed. [The Star] SEE ALSO College of Nurses of Ontario disciplines nurse who snooped into patient records. Mandy Gayle Edgerton – Results of Past Hearings – College of Nurses of Ontario Results of Past Hearings | Toronto Star ]

UK – London HIV Clinic Fined £180,000 for ‘Serious’ Data Breach

A London HIV clinic that leaked data on 781 of its patients has been fined £180,000. 56 Dean Street, based in London’s Soho, sent an email newsletter with all patient email addresses in the ‘To’ field, rather than the ‘Bcc’ field. The email addresses allowed for the identification of the patients – 730 of the 781 contained people’s full names – and constituted a “serious breach” of data protection rules, the Information Commissioner’s Office (ICO) said. The Option E newsletter was intended for people using the clinic’s sexual health services and gave general details for treatment and support. The ICO said the breach was “likely to have caused substantial distress” to those who were included on the list. Under data protection rules, information about a person’s health or sexual life is deemed as sensitive and the organisation issued the monetary penalty after an investigation. “It is clear that this breach caused a great deal of upset to the people affected,” Information Commissioner Chris Graham said in a statement. “We recalled/deleted the email as soon as we realised what happened. If it is still in your inbox please The NHS Trust can appeal the decision but if it decides to pay the fine before June 2 it will be reduced to £144,000. Medical director and caldicott guardian Zoe Penn, from the clinic, said that it “fully accept[s]” the decision of the ICO and that the organisation had made changes to its procedures. [Source]

Internet / WWW

WW – Twitter Bans US Spying Agencies from Terrorism Early Alert Service

In the growing fury over terrorism, surveillance and privacy, Twitter has shoved the US government further away by closing down US spy agencies’ access to a data-mining service that spots terror attacks. The company hadn’t announced the news as of Monday morning. Rather, a senior official in the intelligence community, along with others privy to the matter, told the Wall Street Journal about it. The service in question is Dataminr: a real-time information discovery service that analyzes the output of Twitter’s firehose of real-time public tweets, geolocation data, traffic data, news wires and other data streams, to turn up breaking news such as natural disasters, political unrest and terror attacks. [Source]

Law Enforcement

US – Digital Rights Group Challenges Legality of ‘Thematic Warrants’

Privacy International has filed a judicial review challenging a decision regarding the sanctioned use of “thematic warrants.” The digital rights group sent the review to the U.K. High Court, appealing an earlier decision by an oversight tribunal of the security agencies in the U.K. over the use of the warrants. Privacy International is arguing the legality of the “thematic warrants” — orders giving the government major invasive investigatory powers covering wide classes of people and property. The group first challenged the use of the warrants in 2014, saying they violate Articles 8 and 10 of the European Convention on Human Rights. In related news, the Guardian reports on another privacy advocacy group using an interesting face to don on their campaign against the Investigatory Powers Bill: North Korean leader Kim Jong-un. [TechCrunch]

US – New Hampshire State Claims that Secret Recording of Police Is a Crime

New Hampshire outlaws recording conversations when any party to the conversation “has a reasonable expectation that the communication is not subject to interception, under circumstances justifying such expectation,” thus requiring the knowledge of all parties before such a conversation can be recorded. Most states require only “one-party consent,” under which you can record a conversation to which you are a party, because you consent to the recording, even if the others don’t. But some states — including New Hampshire — require “all-party consent,” or at least all-party knowledge, that the conversation is being recorded. And New Hampshire authorities read this as applying even when someone is recording his conversation with the police. Indeed, Alfredo Valentin is under indictment for recording such a conversation, between himself and the police officers who were searching his home. The U.S. Court of Appeals for the 1st Circuit, which is in charge of cases from New Hampshire, has held (Glik v. Cunniffe) that a similar Massachusetts law violates the First Amendment; but that case involved someone openly recording the police, and the court stressed that fact in the Fourth Amendment portion of the Glik opinion. New Hampshire authorities appear to take the view that secret recording of the police can be banned, even if open recording cannot be. [Source] See also: [New Jersey Governor Chris Christie has approved a bill making it illegal to surreptitiously record or photograph a person’s undergarments.]

Privacy (US)

US – FTC and FCC Join Forces to Examine Mobile Security

The FTC and the FCC are working together to examine the current state of mobile security. The FTC is issuing orders to eight mobile device manufacturers, requiring them to give the agency information on their procedures for issuing security updates to remedy device vulnerabilities. Among the companies receiving orders include Apple, Google, Microsoft and Samsung. The eight companies must provide details such as “the factors that they consider in deciding whether to patch a vulnerability on a particular mobile device” and “detailed data on the specific mobile devices they have offered for sale to consumers since August 2013.” The FCC issued a press release announcing their cooperation with the FTC, and how they will send letters to mobile companies on how they evaluate and deliver security updates. [FTC] See also: [The Senate Judiciary Committee’s subcommittee on Privacy, Technology and the Law will host a May 11 hearing on the Federal Communications Commission’s proposed privacy rules] and [The New Privacy Cop Patrolling the Internet And it’s armed with new data-privacy rules]

US – Neopets, Global Email Addresses Among this Week’s Biggest Breaches

A dataset from JumpStart’s online game Neopets was posted online, with Motherboard reporting that the number of customers affected allegedly numbered more than 70 million. The information compromised varied from customer to customer, but no credit card or home addresses were breached, said JumpStart’s Jim Czulewicz. While the dataset appeared to be dated before JumpStart acquired Neopets in 2014, the company planned to alert customers regardless. Independent.ie reports that out of the recent global breach of more than 272.3 million email accounts, an estimated 42,000 accounts are Irish. [NextGov]

US – Lyft, Uber Among EFF Data-Sharing Report Top Scorers

The Electronic Frontier Foundation awarded Uber and Lyft with perfect scores on the group’s sharing economy data protection study. When grading organizations, the EFF considered whether they published transparency reports and if companies required government agencies to provide a warrant before they shared user data, the report states. “Consumers should be able to understand their privacy rights by reading the policies of the companies that hold their data,” EFF’s study states. [Fortune]

WW – Bark Helps Parents Keep Kids Safe Online Without Invading Their Privacy

Launching today at TechCrunch Disrupt NY 2016 is a new service called Bark, aimed at parents who want to keep their kids safe online. Unlike traditional “parental control” software or net nanny-type watchdog applications, Bark’s goal is to strike the correct balance between respecting a child’s right to privacy and protecting them from online predators and cyberbullying, while also looking out for issues like sexting or mental health concerns. To use the service, parents sign up online at the Bark website, add their kids, then work with the children to connect their social accounts. Once set up and configured, Bark uses machine learning techniques to look for incidents of dangerous activity, whether that’s cyberbullying, sexting, a child interacting with an older stranger who could be grooming them (as online predators do) or even signals that the child could be experiencing a mental health concern like depression or suicidal thoughts. When Bark finds something questionable, it sends an alert to the parent that not only contains the relevant conversation, when and where it took place, but also recommended ways of handling the issue appropriately. Bark competes with a handful of other solutions, including VISR, more traditional software programs and cyberbullying-specific solutions like ReThink or STOPit. [Source]

Security

WW – Stop Resetting Your Passwords, Says UK Govt’s Spy Network

The UK government has, on World Password Day, repeated its advice against the common security practice of routinely changing passwords. “In 2015, we explicitly advised against [the practice],” a post by GCHQ’s Communications-Electronics Security Group (CESG) notes. “This article explains why we made this unexpected recommendation, and why we think it’s the right way forward.” As tech advice goes, this is one that people will actually want to hear, and the CESG has put out a 16-page document called “Simplifying Your Approach” that explains what you should do to get your information secure without driving your users crazy. Those in favor of automatically and regularly resetting passwords believe it makes historical password information useless; it forces users to periodically think about security; it increases the likelihood that people will use a password they do not use for other services; and it creates more of a moving target for potential hackers. “The problem is that this doesn’t take into account the inconvenience to users – the ‘usability costs’ – of forcing users to frequently change their passwords. The majority of password policies force us to use passwords that we find hard to remember.” The problem is our rubbish brains: “While we can manage this for a handful of passwords, we can’t do this for the dozens of passwords we now use in our online lives.” The result, according to CESG, is that we are more likely to write our password down. Or forget the password altogether, forcing service desks to reset them, chewing up time and resources. As a result, CESG “now recommend organisations do not force regular password expiry.” Instead, it says, companies should introduce system monitoring tools such as showing a user the last time they logged in to flag if someone else is using their account. [Source] See also: [Don’t do it! 5 ways to upgrade your passwords this PasswordDay]

WW – Security Defenses Improving at Many Firms, Study Reveals 

Many organizations have made significant improvements in IT security preparedness and effectiveness, taking steps to improve their security posture, according to new research from SolarWinds, a provider of IT management software. The company’s survey of IT professionals in North America showed that more than half (55%) said their organizations did not experience any security breaches in 2015. About 30% said they had experienced a breach. Half of the respondents said their organizations were less vulnerable than they were a year ago, compared with 12% who said they are more vulnerable. “The most surprising finding of the survey is just how many organizations are less vulnerable today than they were a year ago, and, on a related note, how many have implemented security technologies and better security training,” said SolarWinds. [2016 IT Security Survey, North America] [Source] See also: [Microsoft has published the 20th edition of its Security Intelligence Report covering the period July 2015 to December 2015]

Surveillance

US – Justice Department Building Wearable Camera Catalog for Police

The Justice Department is crafting a catalog to assist police departments buying wearable cameras, including information on the devices’ privacy capabilities. Fears surrounding hackers infiltrating body cameras will be addressed in the catalog, with data protection and privacy controls among the characteristics listed in the guide. Each device will have five areas of information to properly inform departments of what they are purchasing, covering vendor, camera, video storage software, ease of use, and installation. Included within those five categories are details on facial recognition, “privacy masking” to blur out certain images and protect personal privacy, and encryption features to protect data from cyberattacks. Sheila Jerusalem, a spokeswoman for the Justice Department’s National Institute of Justice, said the organization wants the guide available by December 2016. [Nextgov]

US Legislation

US – California Bill Would Dictate What Happens to Digital Footprint Post-Death

A new California bill could set a national precedent for the handling of an individual’s digital footprint after they pass away, Fusion reports. The Revised Uniform Fiduciary Access to Digital Assets Act would create rules for how companies can share a deceased person’s digital records. The rules first defer to the late party’s directions for how those records would be handled, then look toward a will. If no instructions have been left, all decisions will be made by the site’s terms of service. Despite revisions being made to the bill, privacy advocates are still concerned. “Is it possible that they might make mistakes both by releasing too much information or releasing it to the wrong person?” said Kevin Baker, legislative director for the ACLU of Northern California. “We think the history of the treatment of digital records shows that there likely will be mistakes.” [Full Story]

+++

 

26 April – 05 May 2015

Biometrics

US – FBI Seeks Privacy Act Exemptions for Its Biometric Database

Seeking to avoid compromising law enforcement investigations, the FBI wants to prevent individuals from discovering if their information is contained within the agency’s biometric database. The Justice Department will propose the FBI’s “Next Generation Identification System“ be withheld from provisions of the Privacy Act. The NGIS gathers information on individuals, including palm prints, fingerprints, iris scans and facial photographs. The FBI fears that letting individuals know if their information is within the database could affect law enforcement investigations by undermining “national security efforts,” or possibly revealing a “sensitive investigative technique.” The Electronic Privacy Information Center’s Jeramie Scott said, “If you have no ability to access the record the FBI has on you, even when you’re not part of an investigation … and lo and behold inaccurate information forms ‘a pattern of activity’ that then subjects you to [be] the focus of the FBI, then that’s a problem.” [Nextgov]

RU – Facial Recognition App An ‘Unmitigated Privacy Disaster’

FindFace, a facial recognition app, has caused a stir within Russia, and its creators are working to halt malicious use. While the app has been used to take pictures of subway riders and locate them on Vkontakte, Russia’s version of Facebook, others have used it for more nefarious purposes, including outing Russian porn stars. Maxim Perlin, the founder of FindFace, said the company is “making every effort to protect all Vkontakte users from potential malicious acts,” but it’s difficult to stop the bad behavior. FindFace’s power comes from NTechLab, the company developing the facial recognition technology used by the app. NTechLab won the University of Washington’s face recognition challenge, beating out Google’s FaceNet program, by identifying 73% of individuals in a set of 500,000 images. [Fusion] [Facial Recognition Used to Strip Sex Workers of Anonymity]

US – Lunchroom Print Scanners Problematic?

Biometric company PushCoin and its lunch line fingerprint scanners have proponents lauding their convenience, but civil libertarians warn their growing preeminence may adversely dilute privacy attitudes. “I think it undermines the notion of really thinking about the importance of your biometrics as a matter of privacy,” said an ACLU spokesman. “I think in this age, when so much is available and so much is accessible online about us and there is all of this information that floats out there, to begin to include in this one’s biometrics, it really does raise some legitimate concerns.” [Daily Herald]

Canada

CA – Privacy Important to Business but Many Lack Privacy Basics: OPC Survey

While it is encouraging that businesses are increasingly using more tools to protect personal information, according to a recent survey, there is still room for improvement when it comes to meeting privacy obligations and preparing for soon to be in force mandatory breach requirements. These were among the findings revealed in the Office of the Privacy Commissioner’s (OPC) biannual telephone survey of 1,016 Canadian businesses. The survey seeks to examine the privacy awareness and practices of Canadian businesses. The findings come ahead of the coming into force of mandatory data breach obligations under federal privacy law. The survey showed some positive developments in certain areas. For example, 41% are “concerned” about suffering a potential data breach (up from 31% in 2013). The OPC was also encouraged to see that an increasing percentage (83%, up from 78 % in 2013) said their business uses technological tools, such as passwords, firewalls and encryption to protect customer personal information. The survey, however, revealed limited movement in other areas. For example, only 41% (up slightly from 37% in 2013) have policies and procedures in place to deal with a breach. In addition, less than half said they have privacy policies to inform customers about the personal information they collect and how it is used. The complete survey, which is considered to be accurate to within +/- 3.1%, 19 times out of 20, can be found on our website at www.priv.gc.ca. [Source]

CA – Canadian Spy Agency CSE Won’t Reveal Number of Privacy Breaches

The Communications Security Establishment is refusing to release the number of privacy breaches the agency has logged since 2007. Documents obtained by the Star state the intelligence and cyber defence agency has maintained a central database for certain privacy violations since 2007. These breaches are categorized as minor “procedural errors” or more serious “privacy incidents,” and reviewed by the CSE Commissioner’s office every year. The Star requested just the number of breaches — no details about what actually transpired or the Canadian personal information involved — but was told the agency could not comply due to “operational security concerns.” “Releasing the number of (breaches) would provide insight into CSE’s capacity to conduct operations, the extent of its capabilities, the degree to which partner organizations benefit from sharing and the reach of the programs,” wrote spokesperson Ryan Foreman in an email last week. Documents tabled in Parliament last month show CSE logged 13 privacy and information breaches in 2015, affecting at least 630 individuals. The agency did not report any of the privacy breaches to the federal privacy commissioner, as CSE determined that there was “no significant risk” to the individuals involved. CSE further refused to report the activities that led to the breaches. The Star reported Sunday that the agency has been in a year-long debate with the Privacy Commissioner Daniel Therrien’s office over how much information CSE is required to report about privacy breaches. A government-wide regulation requires all serious breaches to be reported to the privacy watchdog, but a “discussion” about how best to do that has been dragging on since at least January 2015. On Monday, NDP foreign affairs critic Hélène Laverdière asked Defence Minister Harjit Sajjan to explain why CSE is resisting turning information over to Therrien’s office. “CSE has proactively worked with the commissioner on all aspects, and they do have a good working relationship,” said Sajjan, who is responsible for the intelligence agency. “CSE abides by Canadian law, including the Privacy Act.” [Star]

CA – OPC Funds Ten New Privacy Studies

This week, Canada’s Office of the Privacy Commissioner announced the research projects receiving funding in 2016-2017 under the annual OPC Contributions Program. They are:

  • Decision-Making and Privacy: How Youth Make Choices About Reputational and Data Privacy Online
  • Big Data Ethics Initiative: Assessment for Canadian Organizations
  • Understanding, Discovering and Asserting Personal Privacy Preferences: A Feasibility Study
  • E-Learning Courses on Anonymizing Data
  • Effects of Informal Online Regulatory Regimes on Privacy
  • The Peer Privacy Protectors Project: Innovative Youth-Led Privacy Education
  • Between Memory and Forgetting: Consumers and Digital Death
  • Cloud Atlas: A Citizen’s Guide to Online Privacy and Surveillance Using IXmaps
  • “Protect your Privacy—Online!” Educational Program
  • Left to their own Devices: Privacy Implications of Wearable Technology in Canadian Workplaces [Source]

CA – Children’s Aid Class Action Seeks $25 Million Damages from Hacking

A lawsuit is filed in Ontario court by an individual against county service organizations, a government minister, and others, alleging damages caused by a data breach. The PI of 285 clients was hacked and then posted on a social media site; causes of action include negligence, breach of fiduciary duty and confidence, negligent misrepresentation and intrusion upon seclusion (e.g. a failure to use adequate firewalls, encryption, and up-to-date security protocols and heed warnings about inadequate system security), a breach of Ontario’s FOI legislation (security was not appropriate to the sensitivity of the PI), and a breach of the Charter of Rights and Freedoms (operational negligence). [M.M. v. Family and Children’s Services of Lanark et al. – Statement of Claim – Ontario Superior Court of Justice] [Class action filed after privacy breach at one Ontario children’s aid office]

CA – Canada Considering Spying on Kids to Stop Cyberbullying

The Canadian government is looking for a person or organization to “conduct an evaluation of an innovative cyberbullying prevention or intervention initiative” in a “sample of school-aged children and youth,” according to a tender notice published by Public Safety Canada last week. Although nothing has been finalized, the government will consider letting the organization spy on kids’ digital communications to do it, Barry McKenna, the Public Safety procurement consultant in charge of the tender, said.  “The tender doesn’t preclude or necessarily require digital monitoring,” said McKenna. “But there are certainly products on the market that do that, and I would guess that that kind of intervention would be one of interest.” The school board overseeing the school used in the study would have to sign off on digital surveillance of kids, McKenna said, and so would Public Safety. McKenna would not disclose whether any person or organization has responded to the tender yet. The government has budgeted $60,000 for the program, the notice states. [Source]

CA – Rise of Private Surveillance Cameras Point to Legal Limbo

As more homeowners spread the reach of “Little Brother” by installing security cameras on their property, chances are images of their neighbours’ properties or the neighbours themselves could end up being recorded without their knowledge. And while provincial and federal privacy laws are designed to protect citizens from snooping by governments and businesses, they don’t apply to cameras on individuals’ private property. The Office of the Information and Privacy Commissioner for B.C. doesn’t have jurisdiction over homeowners who use security cameras or collect data for personal use, spokeswoman Michelle Mitchell said. But private citizens are using the camera or the data for commercial purposes would be subject to the provincial Personal Information Protection Act — “for example, if a homeowner who is also landlord has a CCTV camera that happens to capture images of a tenant,” Mitchell said. “It is not the type of device (i.e., CCTV system), or its location, but why the information is being collected, and what it is being used for, that determines whether our office has jurisdiction,” said Mitchell. [Source]

Consumer

UK – Study Reveals Post-Snowden Surveillance Chilling Effect

A new study from Oxford University reveals empirical evidence that knowledge of government mass surveillance programs make the public less likely to read articles about surveillance and other related topics online. The study analyzed Wikipedia traffic before and after the June 2013 Snowden revelations and found evidence of “chilling effects.” Traffic on “privacy-sensitive” articles went down after the “exogenous shock” from the initial Snowden coverage. The articles chosen in the study were based on keywords that are flagged by the Department of Homeland Security for “suspicious” activity. “It means that the NSA/PRISM surveillance revelations … are associated in the findings not only with a sudden chilling effect, but also a longer term, possibly even permanent, decrease in Web traffic to the Wikipedia pages studied,” said the study’s author, Jon Penney. [Full Story]

E-Government

US – Federal Government Accepted All 2015 Surveillance Requests

An as-of-yet unreleased Justice Department report disclosed that the Foreign Intelligence Surveillance Court received 1,457 communication surveillance warrants from federal law enforcement in 2015, approving all “entirely or in part.” While most of the requests were focused on foreigners’ data, one in five of the warrants were concerned with Americans, the report states. Meanwhile, Facebook indicated that 60 percent of its government-initiated data requests from 2015 prohibited the company from alerting their users, according to U.S. News & World Report. However, “Facebook does not provide any government with ‘back doors’ or direct access to people’s data,” said Facebook Deputy General Counsel Chris Sonderby. “If a request appears to be deficient or overly broad, we push back hard and will fight in court, if necessary.” [ZDNet]

Electronic Records

AU – My Health Record System A ‘Privacy Disaster Waiting to Happen’: APF

The Australian Privacy Foundation has major problems with the federal government’s My Health Record system, saying it’s a “privacy disaster waiting to happen.” The APF says the biggest problem with My Health Record is the amount of access its Medicare Call Centre’s employees have to the system’s data. While the government said it would provide a “clear and robust framework” for the call center in 2011, the APF said not enough has been done in the past five years. “This total failure to deliver on its promise and put in place much needed protections exposes patients to curious call centre operators whose prying and spying are unlikely to be detected,” said Dr. Bernard Robertson-Dunn, chair of the health committee at the APF. [Delimiter]

CA – Insurance Industry Needs to Keep Pace With Data Security

The Canadian life and health insurance industry is making good strides in moving ahead with electronic data exchange, but now needs to ensure that it is keeping pace with ongoing compliance and cyber security issues, a conference was told. Tana Sabatino, implementation services specialist at the Canadian Life Insurance EDI Standards (CLIEDIS), told the organization’s annual seminar in Toronto that its top goal for this year is to concentrate on getting reliable feeds from the advisor to the distributor and over to the carrier. CLIEDIS is the industry association that promotes using electronic data among key members of the life insurance industry, including advisors, managing general agencies (MGAs) and life insurance carriers. Part of that agenda calls for CLIEDIS to ensure data security among members by streamlining the amount of feeds a distributor needs to connect with carriers. Sabatino said there can’t be a situation in which every carrier has a different data stream agreement that each imposes on MGAs. “HUB [for example] isn’t going to implement 15 different security sets of requirements. They’re going to have one, because they have one set of systems.” [Source]

Encryption

US – Man Jailed for Seven Months (and Counting) for Failure to Decrypt

An unidentified Pennsylvania man has been held in jail for seven months because he has refused to decrypt hard drives that authorities believe contain illicit images. He has not been charged, but is being held in custody because he was found to be in contempt of court for his refusal. The Electronic Frontier Foundation (EFF) has filed an amicus brief on the defendant’s behalf. [Ars Technica] [Electronic Frontier Foundation Amicus Brief] [Ars Technica]

EU Developments

UK – Government Refuses to Give SC Commish Powers He Didn’t Request

The government has refused to give the Surveillance Camera Commissioner (SCC) extra enforcement powers. The problem is that the SCC hadn’t asked for any more powers. In a very brief letter to SCC Tony Porter, the incumbent commissioner, junior Home Office minister Mike Penning said the government was “not yet convinced that granting your office enforcement and sanction powers would improve compliance.” Penning’s remarkably curt letter also informed Porter that he, Penning, would not be available to meet to discuss the SCC’s annual review of CCTV surveillance, which was published earlier this year. He also noted that the Protection of Freedoms Act 2012, which established the commissioner’s office, is “due for post-legislative scrutiny in 2017.” As we previously reported, speaking at an event hosted by the National Security Inspectorate, a non-governmental certification body on 10 March last year, Porter acknowledged that “one thing that has been levelled at the code and my role is that it lacks teeth. This is a fair comment I think. I don’t have any powers of sanction or inspection. So if a relevant authority is not paying due regard to the code of practice there is not much I can do.” Despite this criticism, in another letter to the minister Porter noted that Penning’s response was “confusing” as he “did not request any powers of enforcement or sanction in the Review.” Porter’s 20-page Review of the impact and operation of the Surveillance Camera Code of Practice was published in February. Penning’s brief letter did not respond to several of the issues raised in Porter’s review. The SCC stated that he was “disappointed that apart from recommendation three, there was no comment on any of the other recommendations.” [The Register]

EU – Commission’s Issues New Action Plan for Privacy Standards

On 19 April 2016 the European Commission published its Communication ‘ICT Standardisation Priorities for the Digital Single Market’. The Communication was part of the wider ‘Digitising European Industry’ announcement on 19 April – read our blog here for full details of what was announced. The ICT Priorities Communication thrusts into the limelight an obscure but vitally important area of policy: the setting of common technical specifications for ICT products and services, particularly those related to the ability of different devices to communicate with each other. According to the Communication, common standards that ensure interoperability between digital technologies are the foundation of an effective Digital Single Market. The Communication identifies numerous challenges faced by the current legal framework through which technical standard setting at a European level takes place. The Commission’s solution to these challenges is the adoption of a priority action plan set out in the Communication that comprises i) the identification of five priority ‘building block’ areas of the ICT sector in relation to which standardisation efforts are to be focused (5G, IoT, Cybersecurity, Cloud and Big Data); and ii) a high level political process to validate, monitor and, where necessary, adapt the list of priority areas. [Hogan Lovells]

EU – Other EU News

Finance

CA – Compromised Bank Cards Lead to Few Answers From Banks

The president of the Consumers’ Association of Canada is calling on banks to become more transparent and release information about what he feels is an increase in the number of compromised bank cards.

“We’ve seen an escalation in the last 12 months of compromised bank accounts, credit cards, debit cards and PINs,” Bruce Cran said. His organization has received “hundreds” of complaints, not only about initial compromises, but repeated compromises on the same account. He said some accounts were compromised as many as four times last year. “The mere volume of what’s happening at the moment indicates to us that there’s a bigger problem here,” he said. “In terms of privacy breaches involving banking institutions, it’s unusual that you would have a number of banks all at the same time formally notifying customers by mail of their card being compromised,” he said. “This is very unusual.” Charney said privacy is not a reason to withhold information from customers. “What it sounds like to me is some kind of excuse in the short term for the banks to continue to investigate and respond to this data breach before they have to publicly announce it,” Charney said. [CBC]

FOI

CA – Saskatchewan Charging Media $180K to Access Land Deal Documents

Attempts by media to obtain documents relating to the controversial Global Transportation Hub (GTH) land deal isn’t coming cheap; the province says it’s going to cost $180,000. A total of 29 Freedom of Information (FOI) requests were filed by the CBC. Fifteen were sent to the GTH and 14 to the Ministry of Highways. According to the province’s estimates the requests could total approximately 9,500 pages.

“In the electronic age it means going back to back-up tapes to get some things. Also, government’s older records are stored off site and we have to get those things in,” Deputy Minister of Justice Kevin Fenwick explained. However, the opposition NDP decried the government’s excuses and is calling it a clear cover-up. “We are talking about a fiasco that ultimately saw a Crown corporation pay alleged Sask. Party insiders three times the estimated value of land close to the Regina highway bypass,” Wotherspoon added. “He needs to scrap this bill and hand over this information.” Meanwhile, a complaint has been filed by the CBC with Saskatchewan’s Information and Privacy Commissioner. [Global News]

CA – Fredericton Secret Meeting Broke the Rules, Privacy Commissioner Says

Everyone who attended a closed-door meeting of Fredericton city council where it approved a letter in support of the Energy East pipeline should have known it was against the Municipalities Act, the province’s privacy watchdog says. Access to Information and Privacy Commissioner Anne Bertrand has been following the controversy after the city sent a letter to the prime minister in support of the pipeline after an in camera meeting on Jan. 26. Thursday, the city issued a statement acknowledging it did not follow the proper process when it sent the letter. Bertrand said, under the act, municipalities are supposed to be open and transparent by default about every decision they make. “They only go to closed sessions when it is necessary, and there are 10 instances that they can do that. So they can’t just decide that anything goes to a closed session,” she said. Bertrand said obvious examples include labour and employment issues, security issues or criminal investigations. [Source]

CA – Fontaine v. Canada Ruling Favours Privacy Of IRS Survivors

In a case that tied questions of aboriginal law with privacy law, the Ontario Court of Appeal decided indigenous Canadians who suffered abuse in residential schools could decide whether their evidence will be archived or destroyed after a mandatory 15-year retention period. Part of the question in Fontaine v. Canada was who gets to decide whether claimants’ testimony, submitted as part of the Indian Residential Schools Settlement Agreement, would be achieved or destroyed. Detailed and often traumatic personal stories of abuse are gathered under the IRSSA’s Independent Assessment Program. The court said the appeals before it raised “the question whether the survivors control the stories of their residential school experiences or whether others do.” In Fontaine, a number of Catholic institutions argued they, too, should consent before the redacted evidence is achieved at the National Centre for Truth and Reconciliation and potentially available for access by future generations. They argued the decision to archive the documents affects the alleged perpetrators and the churches. A lower court judge had found the only consent needed to archive the evidence is that of the claimants themselves. In a decision dated April 4, the court of appeal agreed. [Source]

EU – Google RTBF Requests Report for Europe

Google released a transparency report, presenting figures on European right to be forgotten requests for online searches since the European Court of Justice ruling of May 2014. A total of almost 1.5 million URLs have been evaluated, and of the 422,000 requests for removal, 42.8% were removed; 10 social network sites and search directories account for 8% of all URL removal requests. [Transparency Report: European Privacy Requests for Search Removals – Google]

US – ODNI Publishes 2015 Transparency Report

The Office of the Director of National Intelligence (ODNI) released its third annual transparency report. The report offers statistics about the frequency with which the government employs certain national security authorities, according to a press release. The release follows President Barack Obama’s 2013 direction to the intelligence community that it both declassify and make public data on U.S. surveillance activities to the extent that it was possible while still protecting national security data. Further, the USA FREEDOM Act of 2015 codified the statistics published in the DNI’s annual reports. The release covers “information concerning United States person search terms and queries of certain unminimized, [Foreign Intelligence Surveillance Act]-acquired information,” in addition to unique identifiers from FISA orders. [Source]

US – FBI Customer Record Requests Up 50% in 2015

A U.S. government transparency report revealed FBI requests for customer records were up 50 percent in 2015. The FBI sent 48,642 National Security Letters to Internet and telecommunications companies last year, up from the 33,024 letters in 2014. An NSL is sent by the FBI requesting information on an individual, including phone numbers, emails, IP addresses and other information. The report also states that 31,863 of the requests were made on foreigners, attributed to law enforcement efforts to track terrorist groups such as the Islamic State. In related news, U.S. District Judge Yvonne Rogers has stopped Twitter’s attempt to release more information on surveillance orders it receives from the government. “The First Amendment does not permit a person subject to secrecy obligations to disclose classified national security information,” Rogers wrote. Twitter will have the chance to re-file its case. [FSource ]

Genetics

CA – NS Suspends “Unreliable” Hair Testing for Child Protection Cases

Nova Scotia has become the fourth known province to suspend or ban the use of drug and alcohol hair testing in child protection proceedings, after New Brunswick, British Columbia and Ontario. The move comes in the wake of a 2014 Star investigation into the Hospital for Sick Children’s Motherisk laboratory, which found that prior to 2010, the lab was using a hair test that was not recognized as the “gold standard.” An independent review deemed the hair test results “inadequate and unreliable” in 2015. They were used in potentially thousands of child protection cases in Ontario as well as in British Columbia, Quebec, Nova Scotia and New Brunswick, where they were routinely accepted as evidence with little scrutiny in court. Questions have been raised for years about hair strand testing, regardless of the laboratory performing the service. Because of the effect of alcohol-based hair products, “the risk for false-positive results appears high when monitoring a female population,” Motherisk’s own manager at the time, Joey Gareri, wrote in a 2011 paper he co-authored with Motherisk founder and director Gideon Koren. Studies have also suggested that drugs appear to be incorporated more readily into darker-coloured hair, and there is also evidence that the way substances are incorporated into the hair of a single individual may vary from strand to strand. Motherisk ceased its hair testing practices in 2015 prior to the completion of the independent review, but some provinces were still using hair tests from other labs in some cases until very recently. [Source]

Health / Medical

CA – Massive Health Information Overhaul Coming to Alberta

Patients tired of retelling medical histories, physicians frustrated with a cumbersome record system too reliant on paper, and administrators struggling to cut costs hope to benefit from a massive health information overhaul in Alberta. The government has vowed to invest $400 million over the next five years to begin replacing most of the 1,300 unconnected technology platforms currently in use within Alberta Health Services. The new, single clinical information system will be deployed across the province after an initial rollout in Edmonton facilities, where an antiquated, 30-year-old technology has been a festering headache. Dr. Robert Hayward, chief medical information officer for AHS, described a clinical information system as a giant integrated data hub that serves every aspect of the health system a patient might touch, from drug prescriptions and diagnostic tests to rehab clinics and home care. He said the best systems not only offer information for individual users, but can also manage broad, systemwide data on admissions and discharges, and the management of beds and supplies. For patients, Hayward said one of the biggest benefits will be the ability to have a single medical record that can be accessed by health providers at any point in the system. Currently, patients are often forced to repeatedly explain their health stories to different professionals, rather than having a seamless experience in which everyone is working from the same information. The system is also expected to have a portal for patients to access their own information. For health professionals, the arrival of the system should modernize processes that are often described as excessively time consuming and prone to error. Hayward said $400 million will “kick-start” the project by allowing AHS to issue a request for proposals. It’s expected the successful company will need a couple of years to install the new technology platform across the Edmonton zone, which is behind Calgary and plagued with a system at risk of failure. Then, over the next 10 years, the idea is to extend the system all over the province so that every provider can use it, including small doctors’ offices. Hayward said cost savings from the first rollout of the technology will be used to fund the later stages. [Edmonton Journal]

CA – Settlement Reached in Lawsuit After Edmonton Medicentre Laptop Theft

A settlement has been reached in a class-action lawsuit filed after a laptop containing the personal health information of 620,000 Albertans went missing. The settlement totals $725,000 to resolve credit damage, mental distress, increased risk of future identity theft and time and costs associated with preventing identity theft. The lawsuit originally sought $11 million. It was filed in 2014 against Medicentres Canada Inc., AbleIT Inc. and third-party individuals after an unencrypted laptop of an IT consultant for Medicentres was stolen from an Edmonton medical clinic in September 2013. The computer contained the names, birth dates, Alberta Health Care numbers and Alberta Health diagnostic codes of people who attended a Medicentre clinic in Edmonton or Calgary between May 2, 2011, and Sept. 19, 2013. People who were affected by the records loss can register with the law firms. There are different categories of claimants, including those who suffered mental stress and sought medical attention; those who can show that their identities had been stolen as a result; and those concerned about identity theft. [Source]

UK – NHS to Share 1.6 Million Health Records with Google AI Company

Google’s artificial intelligence company DeepMind has struck a deal with the UK’s NHS to access healthcare data of 1.6 million people. The agreement allows DeepMind access to current and historical data for patients at three London hospitals to develop an app to help monitor patients with kidney disease. The access granted in the agreement covers all health data, not just kidney disease data. [New Scientist] [The Register] [SCMagazine] [v3.co.uk] See also: [Google company’s access to NHS records raises privacy concerns]

WW – Why Cybercriminals Attack Healthcare More Than Any Other Industry

Cybercriminals attacked the healthcare industry at a higher rate than any other sector in 2015, and more than 100 million healthcare records were compromised last year, according to a new report published by IBM. In fact, 2015 was “the year of the healthcare breach,” IBM said in its 2016 Cyber Security Intelligence Index. The rate of attacks against the healthcare sector climbed to the highest level of all industries studied in 2015, after not making the top five in 2014, as healthcare leaped ahead of the manufacturing, financial services, government and transportation industries. Data breaches in the healthcare sector are also getting larger – with five of the eight largest health data breaches reported since 2010 (those with more than 1 million records compromised) occurring in the first six months of 2015, IBM’s report said. And the cost of data breaches is going up, particularly in healthcare, according IBM’s 2015 Cost of a Data Breach study. While the average cost of a data breach across all industries was $3.8 million in 2014 – up 23% from 2013 – the cost per record in the healthcare sector was $363 per record breached, more than twice the overall average of $154 per record. [Source]

Horror Stories

WW – Massive Breaches at Major Email Services, 272.3 Million Affected

Hundreds of millions of hacked user names and passwords for email accounts and other websites are being traded in Russia’s criminal underworld. The discovery of 272.3 million stolen accounts included a majority of users of Mail.ru Russia’s most popular email service, and smaller fractions of Google Yahoo and Microsoft email users, said Alex Holden, founder and chief information security officer of Hold Security. It is one of the biggest stashes of stolen credentials to be uncovered since cyber attacks hit major U.S. banks and retailers two years ago. [Reuters]

WW – Notable Privacy Breaches

Intellectual Property

US – Self-regulatory Group Takes Action Against Three App Developers

Three popular app publishers have changed their privacy practices after the enforcement arm of the Better Business Bureau found they were out of compliance with accepted self-regulatory standards. The makers of Spinrilla, Top Free Games and Bearbit Studios were found to be out of compliance with the Digital Advertising Alliance’s Self-Regulatory Principles. [Full Story]

Internet / WWW

WW – Google for Work & Google Cloud Get New Security/Privacy Certs

In what is clearly part of the company’s efforts to get more enterprise customers on its platforms, Google announced that it has renewed its ISO 27001 certification for the fourth year in a row and upped its product coverage from 34 to 59 products. In addition, Google Apps for Work and the Google Cloud Platform have now also been certified for ISO 27017 for cloud security and ISO 27018 for privacy. Google already said it would adopt ISO 27018 for Google Apps for Work last year. ISO 27017 basically certifies that Google’s virtual networks are as secure as its physical networks, that data is protected and inaccessible to other customers on the same platform and that it’s clear which security responsibilities fall on Google and which are the customer’s. ISO 27018 mostly covers privacy controls. It certifies that Google doesn’t use its customers’ data on the covered platforms for advertising, for example, and that the customers’ data remains theirs. It also certifies that Google lets you delete and export your data and is transparent about where the data is stored. Because enterprises do look for these certifications when they decide on a cloud provider, it’s no surprise that Amazon’s AWS and Microsoft’s Azure also offer similar compliance assurances. AWS already offers the same ISO 27001, 27017 and 27018 certifications as Google, for example. Azure, too, is ISO 27001- and 27018-compliant. [Source]

Law Enforcement

US – Maryland Cops deploy StingRay Tech Against Chicken-Wing Thief

Police in Maryland, US, used controversial cellphone-tracking technology intended only for the most serious crimes to track down a man who stole $50 of chicken wings. Police in Annapolis used a StingRay cell tower simulator in an effort to find the location of a man who had earlier robbed a Pizza Boli employee of 15 chicken wings and three sandwiches. Total worth: $56.77. In that case, according to the police log, a court order was sought and received but in many other cases across the US., the technology is being used with minimal oversight, despite the fact it is only supposed to be used in the most serious cases such as terrorism. Annapolis police never found the thief but he represented just one of 17 occasions on which the city of 40,000 people used the device in 2011. Its use is far more prevalent in larger cities. The Philip Merrill College of Journalism’s Capital News Service found that Maryland State police has used a StingRay at least 125 times since 2012. Howard Country, which lies to the south of Baltimore and with a population of 300,000, has used a StingRay 129 times since 2011. The police in Baltimore City have used its StingRay an extraordinary 4,300 times since 2007, sparking an investigation and review of 2,000 of them. New York City has used its StingRay more than 1,000 times since 2008. [The Register]

Location

US – Westin Centre Issues New Geolocation Practice Guide

Geolocation is used for purposes ranging from emergency services to targeted advertising to fraud prevention. For consumers, the use of geolocation has obvious benefits — though concerns over how this data is collected, accessed and used, and by whom, has been a consistent topic of debate. Regulators from across the globe have weighed in with guidance and legislation, industry groups have issued codes of conduct and even the U.S. Supreme Court has offered an opinion. This IAPP Westin Center Practice Guide offers a quick way to get up to speed on geolocation and the issues surrounding it. [Full Story]

EU – Healthcare Apps and Wearables Create High Risks for Users: German DPAs

During their last Data Protection Conference, the German data protection authorities (DPAs) agreed on a resolution on data protection principles that providers of healthcare apps and wearables should consider. According to the resolution, almost a third of the German population 14 years or older uses wearables (body-worn devices that record an individual’s health data) and healthcare apps (mobile device software offering health-related services). The DPAs claim that these devices and apps collect personal health data, which is subsequently transmitted to manufacturers, internet providers, and other third parties. In general, under German law, a company may collect, process, and use personal health data only if specifically authorized by law, such as the German Federal Data Protection Act (FDPA), or if the data subject has consented. The resolution clarifies how these requirements apply to wearables and apps:

  • Manufacturers of wearables and healthcare apps should use data privacy-friendly technologies and default settings (e.g., privacy by design), and should adhere to the principles of data reduction and data minimization, as well as anonymization/pseudonymization.
  • A data subject’s consent regarding the collection, processing, and use of personal health data should be transparent, particularly regarding a transfer to third parties.
  • In the context of employment and insurance, any consent to use of personal health data likely is invalid, based on concerns regarding significant negotiating imbalances between the parties. Consistent with the German DPA’s view, the Dutch DPA recently stated that an employee’s consent to the use of wearables to be not valid due to the financial dependence of the employee.
  • Legal requirements for data security cannot be waived contractually or via consent.
  • In the case that multiple parties are involved in the creation or distribution of wearables and healthcare apps, those parties have a joint responsibility for the wearables and apps, including issues such as meeting quality standards, ensuring IT security, functionality, and the transparency of data usage. However, the resolution does not explain how joint responsibility should operate in practice. [Source]

Online Privacy

US – Supreme Court Gives FBI More Hacking Power

The Supreme Court this wseek approved changes that would make it easier for the FBI to hack into computers, many of them belonging to victims of cybercrime. The changes will take immediate affect in December, unless Congress adopts competing legislation. Previously, under the federal rules on criminal procedures, a magistrate judge couldn’t approve a warrant request to search a computer remotely if the investigator didn’t know where the computer was—because it might be outside his or her jurisdiction. The rule change, sent in a letter to Congress on Thursday, would allow a magistrate judge to issue a warrant to search or seize an electronic device if the target is using anonymity software like Tor. Over a million people use Tor to browse popular websites like Facebook every month for perfectly legitimate reasons, in addition to criminals who use it to hide their locations. The changes, which would allow the FBI go hunting for anyone browsing the Internet anonymously in the U.S. with a single warrant, are already raising concerns among privacy advocates who have been closely following the issue. [The Intercept]

Privacy (US)

US – SCOTUS Approves Rule 41 Update, Privacy Advocates Outraged

The Supreme Court approved an update to Rule 41 this week, effectively expanding judges’ abilities to issue warrants for access to computers outside of their jurisdictions. The move has drawn criticism from Sen. Ron Wyden, D-Ore., and several privacy advocates. Last month, Wyden warned of the potential change and vowed to stop it. Congress has until Dec. 1 to either amend or deny the update. “Under the proposed rules, the government would now be able to obtain a single warrant to access and search thousands or millions of computers at once; and the vast majority of the affected computers would belong to the victims, not the perpetrators, of a cybercrime,” said Wyden. Open Technology Institute’s Kevin Bankston said the “obscure rule change” authorized “a whole lot more” government hacking. [Morning Consult] See also: [A retail industry group is railing against a bill that would require companies to notify customers following a breach and set nationwide data security standards similar to those in the financial sector] and [A House Committee on Education and the Workforce hearing to evaluate the 1974 Family Educational Rights and Privacy Act and how Congress should update it.]

Security

WW – SS7 Network Leaves Major Hole in Cellphone Security

Signaling System No. 7 network’s vulnerabilities have caused major problems for smartphone security. SS7 is a set of technical rules for how data gets exchanged in cellular networks, mainly involving computing cellular billings, texts, and assisting when users are roaming. The vulnerability in the network was revealed last week during a “60 Minutes” episode in which researchers demonstrated how they could hack into Rep. Ted Lieu’s, D-Calif., smartphone. Lieu has since called for a congressional hearing on SS7, and the Federal Communications Commission has said it will examine the issue as well. [Wired]

WW – Latest Security Study Worry: How Many Times Will You Be Breached?

The threat level of cyber attacks on virtually every organization continues to increase, with more than half of companies reporting the loss of customer data due to DDoS attacks, and three-quarters of organizations suffering a breach in 2015. Those are among the findings of the latest research from Neustar, Inc., from its third global DDoS Attacks and Protection Report titled The Threatscape Widens: DDoS Aggression and the Evolution of IoT Risks. The research results show that although revenue loss caused by a DDoS related outage is usually the main concern of targeted organizations, 57% of all breaches involved some sort of theft including intellectual property and customer data as well as financial information. “More troubling, following the initial breach, 45% of organizations reported the installation of a virus or malware – a sign that attackers are interested in causing ongoing harm,” the report explains. The research highlights that although DDoS attack tactics continue to evolve from single large attacks intended to take a website offline to the multi-vector attacks we are seeing today, organizations are fighting back. The research revealed that 76% of companies are investing more in DDoS protection than in 2014, and 47% of the attacked organizations are participating in security consortiums to share information on threats and counter measures. [Source] [Neustar Press Release]

Smart Cars / Internet of Things

WW – Samsung SmartThings Vulnerabilities

Researchers from the University of Michigan have published an “in-depth empirical security analysis” of the Samsung’s SmartThings smart home platform, a program that allows people to use SmartApps to control all sorts of Internet-connected devices in their home from their smartphone. The researchers found they could trigger false smoke alarms and plant code in digital locks that would allow them access to the house. They noted that the SmartApps are capable of gaining privileges they do not need, and that the SmartThings event subsystem offers inadequate protection of events that transmit sensitive data. [The Register] [Wired] [CNET] [Ars Technica] [Security Analysis of Emerging Smart Home Applications]

SG – Singapore Ramping Up Smart City Efforts

Singapore is planning to create the most elaborate and comprehensive smart city in the world. The country plans on placing an undetermined amount of cameras and sensors around the city, permitting the government to check everything from crowd numbers to the movement of vehicles. While the smart city’s capabilities won’t be fully realized until after it is implemented, some early uses could include monitoring events such as the spread of infectious diseases. The government is working on finding the best way to ensure citizens’ privacy won’t be violated, according to the report. While public meetings haven’t been held on protecting citizens’ privacy, the government insists collected data will be anonymized as much as possible. [The Wall Street Journal]

US – Proposed Michigan Bills Would Have Car Hackers Face Life in Prison

State legislators in Michigan have introduced two bills that would impose a life prison sentence for anyone who maliciously accesses automobile computer systems. One of the bills reads, in part, “a person shall not intentionally access or cause access to be made to an electronic system of a motor vehicle to willfully destroy, damage, impair, alter, or gain unauthorized control of the motor vehicle.” [ComputerWorld] [The Register] [CNET]

CA – Lawyers Ask SCOC to Consider “Black Box” Privacy

Two Kamloops lawyers are making a bid to overturn a B.C. Court of Appeal decision that found drivers have no expectation of privacy relating to data in their vehicle’s black box. 54-year-old Wayne Fedan of Kamloops was convicted in September 2014 of dangerous driving causing death in connection to a crash four years earlier. He was sentenced to three years in prison and handed a three-year driving ban to begin following his sentence. The sentencing judge found data contained in the black box of Fedan’s pickup truck showed his foot was on the accelerator as he rounded a corner at more than twice the posted speed limit. Lawyers Micah Rankin and Anthony Varesi have filed an argument with the Supreme Court of Canada. The court has yet to decide whether it will hear the appeal. The March 20, 2010, crash on Mackenzie Avenue, at the turn in front of the entrance to McArthur Island, killed 20-year-old Brittany Plotnikoff and 38-year-old Kenneth Craigdaillie. All three were at a party together and Fedan was driving them home. Both the B.C. Supreme Court and B.C. Court of Appeal rejected arguments that police required a search warrant before accessing data in the vehicle’s black box (known as the sensing diagnostic module, or SDM). Rankin and Varesi’s argue Canada’s highest court should consider the appeal based on what they call “an issue of national importance,” including four factors:

  • Changes in technology mean automobiles have become “repositories of potentially vast amounts of personal information about drivers” — information that should have protection of privacy rights.
  • The decision sets a precedent for seizure without a search warrant.
  • The decision is at odds with rulings in senior Ontario courts, which found drivers have an expectation of privacy in material contained in the black box.
  • The appeal asks whether the Canadian Charter of Rights and Freedoms limits police from accessing data from devices in automobiles. [Source]

Surveillance

US – Schumer Wants FTC to Investigate Billboard Tracking

Saying it raises “serious questions about privacy,” Sen. Chuck Schumer, D-N.Y., has called on the Federal Trade Commission to investigate Clear Channel Outdoor, a company that manufactures billboard-tracking technology. The RADAR technology uses mobile phone data to collect information for advertising. “Your personal cellphone should not become a James Bond-like gadget that’s used against you by some company,” adding, “You should have to give them permission to follow you when you drive or walk by a billboard.” Earlier this year, Sen. Al Franken, D-Minn., wrote a letter to the company with his privacy concerns. “RADAR uses only aggregated and anonymized information from privacy-compliant third-party data providers who have verified that they adhere to consumer-friendly business practices,” said Clear Channel Outdoor spokesman Jason King. [Full Story]

UK – Civil Rights Group Releases Video Satirizing Investigatory Powers Bill

Liberty, a civil rights campaign charity, released a video lampooning the potential surveillance powers the British government could possess if the Investigatory Powers Bill is passed. In “Show Me Yours,” comedian Olivia Lee approaches random citizens, browbeating them into showing personal information on their phones. Lee is met by a series of irritated individuals, highlighting Liberty’s opposition to the bill Home Secretary Theresa May is looking to pass and how citizens don’t want third parties looking at their information. “As our film shows, people naturally recoil when a stranger asks to see their phone — there’s a reason we use encrypted services and protect our phones and computers with passwords and codes,” said Larry Holmes, Liberty’s digital and campaigns coordinator. [The Huffington Post]

Telecom / TV

UK – 72% Orgs Support BYOD Despite Privacy/Security Concerns: Survey

According to the results of a new survey, 72% of organisations across the financial services, technology, healthcare, government and education sectors support BYOD for all or some employees. However, only 14% have successfully deployed Mobile Application Management (MAM) solutions, creating issues in areas such as controlling access to corporate data and enforcing device encryption. In most of the industries surveyed, employee satisfaction was seen as a key benefit of enabling BYOD, with government being the only exception where it was valued by less than half (44%) of respondents. In contrast, privacy was cited as the biggest inhibitor to BYOD adoption in 52% of SMBs, with large organisations being more concerned with security. Data leakage was one of the top concerns across all sectors, including 81% of financial services, 90% of healthcare and 79% of education organisations. Despite this concern, device encryption was supported in only 36% of educational institutions, 56% of financial services organizations and 57% of healthcare organizations. The full report, entitled ‘How Forward-Looking Industries Secure BYOD,’ surveyed more than 800 cyber security professionals and can be found here. [Source]

US Government Programs

US – FBI Use of National Security Letters Up by 50% in 2015

FBI requests for customer records under a secretive surveillance order increased by nearly 50 percent in 2015, according to a U.S. government transparency report published this week. Internet and telecommunications companies in 2015 received 48,642 requests, up from 33,024 reported in 2014, for data via so-called National Security Letters (NSLs). The NSL is a tool used by the FBI to gather phone numbers, email and IP addresses, web browsing histories and other information. An NSL does not require a warrant and is usually accompanied by a gag order. The amount of actual written orders issued decreased in 2015, however, from 16,348 to 12,870. One NSL often contains multiple requests for information, such as a series of email addresses believed relevant to an investigation, where each address counts as one request. The year-to-year statistics may not be entirely precise due to changes in reporting requirements ushered in last year under a surveillance reform law passed by Congress, sources familiar with the process said, but they indicate general trends. The majority of NSL requests, 31,863, made in 2015 sought information on foreigners, regarding a total of 2,053 individuals, according to a Justice Department memo sent to Congress, while the amount of requests on U.S. persons declined. A U.S. government source said the rise in NSL requests is in part attributable to efforts by militant groups such as Islamic State to use multiple accounts across several different communications platforms. [Reuters]

US – White House to Commence Artificial Intelligence Workshops

In an official White House blog post, Deputy U.S. Chief Technology Officer Ed Felten announced a new series of public workshops designed to better understand the potential benefits and concerns about artificial intelligence. Felten notes that “a series of breakthroughs in the research community and industry have recently spurred momentum and investment” in the AI field. With a potential to transform health care, education and transportation, AI will also bring with it risks, including privacy and security risks. As a result, the White House Office of Science and Technology Policy will co-host four workshops in the coming months. Cities include Seattle, Washington, Pittsburgh and New York City. The workshops will then “feed into the development of a public report later this year,” Felten wrote. [Full Story]

US Legislation

US – House Passes Bill Aimed at Closing ECPA Loophole

The US House of Representatives has unanimously passed the Email Privacy Act, which would amend an outdated law to protect the privacy of digital communications. The wording of 1986’s Electronic Communications Privacy Act (ECPA) was being interpreted to allow law enforcement to demand email and other electronic communications without a warrant. The Email Privacy Act would require authorities to obtain warrants to access the information. [The Hill] [Ars Technica] [ComputerWorld] ee also: The House Energy and Commerce Committee passed a bill levying heavy punishments for individuals committing the prank known as “swatting“ — a form of online trolling.

US – Colorado Student Data Privacy Bill Gets Unanimous Senate Approval

The 2016 legislative session’s biggest education policy bill — a measure intended to protect the privacy and security of student educational data — passed the Senate 35-0 this week. The vote continued the unbroken string of success for House Bill 16-1423, which has passed unanimously on every committee and floor roll call since it was introduced. That’s a pattern usually seen only with the most minor, technical bills. The measure’s original text also has survived almost entirely intact. The main elements of the bill include a detailed definition of personally identifiable information that must be protected, restrictions on software companies and other vendors, and additional transparency and disclosure requirements for the Colorado Department of Education and school districts. The bill also sets some district controls over classroom apps and software used by teachers. The bill returns to the House for consideration of non-controversial amendments, approval of which will be a formality. [Source]

US – Other US Legislative Developments

+++

 

 

Privacy News Highlights: 19-25 April 2016

Canada

CA – Manitoba Ombudsman Lays Charges for “Snooping”

The Manitoba Ombudsman has laid charges for snooping under new provisions in the Personal Health Information Act. Individuals using, accessing or attempting to access personal health information without cause are now committing a fineable offence under the Personal Health Information Act. [Manitoba Ombudsman lays “snooping” charge under The Personal Health Information Act]

CA – Ransomware: OIPC SK Provides Guidance on Preventive Measures

The OIPC in Saskatchewan released guidance to public and private sector organisations on how to manage ransomware. Organizations should install anti-virus software, educate employees about phishing attacks, maintain offline backups of data and have an infection response plan in place; if attacked remove the infection, and attempt to restore the files or system from backup. [Office of the Saskatchewan Information and Privacy Commissioner – Ran$omware…What You Need to Know]

CA – Assisted Dying Bill C-14 Could Violate Charter, Feds Acknowledge

In a written explanation of the reasoning behind the proposed new law on medical assistance in dying, the Justice Department acknowledges that the bill could violate the charter of rights on a number of fronts.

They include:

  • Excluding those who are suffering intolerably but whose natural death is not reasonably foreseeable could violate the right to life, liberty and security of the person.
  • Treating people differently on the basis of their different medical conditions could violate equality rights.
  • Not allowing advance directives could force those with competence-eroding conditions like dementia to take their lives prematurely or risk permanently losing access to medically assisted death once they no longer have capacity to consent, thereby violating equality rights and the right to life, liberty and security of the person.
  • Restricting access to adults at least 18 years of age could violate the right not to be discriminated against based on age.
  • Requiring two independent people to witness a written request for medical assistance in dying could violate privacy rights. [Source]

CA – OPC to Investigate RCMP Over Alleged Stingray Cellphone Surveillance

While the outcome of the Privacy Commissioner’s investigation may hinge on whether the RCMP obtained proper judicial authorization prior to the use of Stingrays in particular cases, the validity of the legislation providing for such authorization could be open to an attack under the Canadian Charter of Rights and Freedoms and might also contravene telecommunications legislation. Whatever the legal outcome, the disclosure of the use of Stingrays has already sparked a public debate that could act as a catalyst for new legislation specifically regulating the use of Stingray devices. [Source]

CA – Brison Pledges to Improve Reporting of Privacy Breaches

Treasury Board will work with Canada’s Privacy Commissioner to improve the reporting of privacy breaches by federal government departments, said Treasury Board President Scott Brison following a committee meeting. “It’s an area that we will work with the commissioner and the commissioner’s office and with departments and agencies to understand fully what we can do to improve results and we’re seized with it.” Brison’s comments come after documents tabled in Parliament last week revealed that federal government departments and agencies breached the privacy of thousands of Canadians last year but only a fraction of those incidents were ever reported to Canada’s Privacy Commissioner Daniel Therrien. While departments don’t have to inform the privacy commissioner’s office of every incident, the documents also revealed that there was a wide range in the proportion of the breaches reported to the Privacy Commissioner’s office. [Source]

CA – RCMP Memo Details Public Safety Risks Via Surveillance Devices

A 2011 internal Royal Canadian Mounted Police memo warns of the ways in which IMSI catchers can negatively affect public safety. The memo mentions how the devices, which mimic cellphone towers to obtain data, can block important phone calls, including people dialing 911. RCMP has been using IMSI to surveil for potential crimes, but the internal memo indicates warnings of a risk to innocent third parties. Details within the memo also hint at expanded use of the devices by the RCMP. “When considering whether the use of the [IMSI catcher] should be authorized … officers should weigh the need to prevent imminent bodily harm, preserve life and investigate serious crimes … against the importance of having a reliable 911 system that Canadians can count on in all circumstances,” the memo reads. [The Globe and Mail]

Consumer

US – Poll: American Voters Overwhelmingly Want Privacy, Encryption

Voters overwhelmingly support encryption and other measures to protect their digital privacy, according to a new poll from ACT | The App Association trade group. In the survey, 93% of respondents said it’s important that the photos, health data or financial information they store on their phones and apps, or share online, stay secure and private. Nearly the same number (92 percent) said they need “powerful, consumer-focused encryption technology” to make sure their information is secure. Meanwhile, the survey also found that 54% of respondents trust tech companies like Apple, Google and Facebook more than federal agencies, like the FBI, to protect personal information on their electronic devices. Only 21% said the reverse. [FedScoop]

US – Study: Trust in Social Media Companies Ranks Very Low

An Environics Communications study found only 26% of those surveyed ranked social media with a five or higher on a seven-point scale of trustworthiness. “These are relatively new industries, they haven’t had a lot of time to accumulate baggage … but there’s something about what’s going on that is not creating trust,” said Environics CEO Bruce MacLellan. Companies’ use of personally identifiable information and other elements of a user’s social media content for targeted advertising may be the source of anxiety. “The whole privacy issue is a huge part of this,” MacLellan said. “People are wary about what’s going on with that content, and how it’s being used.” [The Globe and Mail]

E-Mail

US – Email Privacy Act Expected to Pass in House Vote

House Majority Leader Kevin McCarthy, R-Calif., docketed a vote for the Email Privacy Act in the upcoming week. If passed, the legislation would mandate law enforcement officials get a warrant before accessing users’ electronic communications stored by tech companies, the report states. It came through committee in early April with only minor revisions. While the bill is believed to pass the House with ease due to its more than 300 co-sponsors, its Senate journey might not be so clear-cut, the report adds. Senate Judiciary Committee Chairman Chuck Grassley, R-Iowa, “has previously expressed sympathy for some agencies’ concerns.” [The Hill]

US – Study: Phishing Email Attacks on the Rise

Verizon’s ninth annual Data Breach Report found that phishing emails were the primary catalyst for data loss, with the amount of emails opened growing from 23-30% in the last year. Embracing two-factor authentication is one potential for companies looking to avoid falling prey to phishing attacks, said Verizon’s Bryan Sartin. “It would mitigate an entire swathe of these breaches.” [CSO Online]

Encryption

US – Tech Groups Write Open Letter Criticizing Encryption Bill

Four major tech groups, representing companies including Facebook, Netflix and Google, have written an open letter to a pair of senators regarding their bill requiring all encryption have the ability to be cracked when needed. The bill, by Senators Richard Burr, R-N.C, and Dianne Feinstein, D-Calif., was recently leaked and widely criticized. “We write to express our deep concerns about well-intentioned but ultimately unworkable policies around encryption that would weaken the very defenses we need to protect us from people who want to cause economic and physical harm,” the letter’s opening reads. The letter arrives at the same time a new survey from ACT reveals that 93% of respondents said it’s important their data is secured, with 92% needing strong encryption on their devices. [TechCrunch]

EU Developments

EU – EDPS Finds Commission Proposal to Exchange Non-EU Citizens’ Criminal Data Disproportionate

The European Data Protection Supervisor provides an opinion on the European Commission’s proposal to extend the European Criminal Records Information System to third country nationals. Member States would be obliged to store the fingerprints of all convicted non-EU citizens to ensure proper identification of individuals; however, not all Member States store fingerprint data or are connected to the national automated fingerprint identification system, and it is not necessary or proportionate to require storage of fingerprint data regardless of States’ sanction thresholds or the nature of the offence. [EDPS – Opinion 3/2016 – Exchange of Information on Third Country Nationals as Regards the European Criminal Records Information System]

EU – German Constitutional Court Finds Police Investigative Powers Too Broad

The German Federal Constitutional Court hears a complaint alleging that certain provisions introduced into the Federal Criminal Police Office Act are unconstitutional. Criteria for collection of personal data do not have requirements that a specific and foreseeable incident is present or an individual’s behavior substantiates a specific probability for terrorist offences, surveillance of private homes is not fully proportionality and constitutes a serious interference with individual privacy (it should focus exclusively on target persons communications), and the body charged with viewing the collected data (members of the police force) are not sufficiently independent. [Germany Federal Constitutional Court Declared BKA Act Partly Unconstitutional]

EU – US Hesitant to Renegotiate Privacy Shield Following EU Regulators’ Opinion

After European privacy regulators articulated concerns with Privacy Shield, the U.S. is reluctant to reopen negotiations. European data protection authorities weren’t pleased with the amount of U.S. surveillance permitted in the new Shield agreement, and while their approval is not needed to finish the deal, they will be enforcing it and aiming to ensure it doesn’t meet the same fate as Safe Harbor. With massive amounts of business on the line, delays to Privacy Shield implementation might be too costly to consider, the report states. “Given the pressure that currently exists with U.S. organizations and even in Europe, with organizations there trying to conduct business, my bet is that we’re going to see the Commission go forward with Privacy Shield,” said a lawyer from Foley & Lardner LLP. [The Hill] [The U.K. Information Commissioner Christopher Graham voiced his disappointment that the U.S. has articulated it isn’t interested in reopening negotiations for the Privacy Shield] U.S. businesses expressed their anxieties after the Article 29 Working Party released its opinion of the E.U-U.S. Privacy Shield agreement.

Finance

CA – Identity Management: FINTRAC Clarifies Which Client ID May Be Requested and/or Recorded for Identity Verification

FINTRAC has issued guidelines to securities dealers on client identification. Acceptable ID must have a unique identifier number, have been issued by a provincial, territorial or federal government, be valid (unexpired), and an original (not a copy); examples include an individual’s birth certificate, driver’s licence, Canadian or foreign passport, record of landing, permanent resident card, or certificate of Indian status or a provincial or territorial identification card (issued by prescribed entities). [Financial Transactions and Reports Analysis Centre of Canada – Guideline 6E: Record Keeping and Client Identification for Securities Dealers]

FOI

CA – Doctors, Pharma Company Funding and Privacy

Your doctor could be getting money from pharmaceutical companies and doesn’t have to tell you. It’s not uncommon for health practitioners to have relationships with industry — companies may be in touch about new drugs, sponsor educational conferences or compensate doctors financially for consultation, for work on advisory boards or in clinical trials. If your doctor’s in the United States, you can search their name in a public database and find each payment itemized by date, company and amount, thanks to the Sunshine Act, part of the Affordable Care Act. The legislation requires any pharmaceutical company giving payments or “transfers of value” of any kind or amount to American doctors to disclose them in detail. Canada has no such law. Canadian pharmaceutical companies are legally required to itemize all of their payments to doctors in Detroit, Fargo, Spokane and Seattle — but none of their payments to doctors in Windsor, Winnipeg, Calgary or Vancouver. Disclosures for presentations, not patients Nav Persaud, a researcher and physician with St. Michael’s Department of Family and Community Medicine in Toronto, wants that to change. “There are requirements to disclose that funding when, for example, you’re giving a talk to your colleagues. What there’s not clear guidance on is whether those gifts or payments need to be disclosed to patients.” Provincial governments could do it easily, Persaud argues: Ontario, for example, could pass a law requiring all the companies manufacturing drugs covered under the Ontario Drug Benefit to disclose and itemize all of their payments to Ontario health practitioners. [Global News]

US – FBI Officials Keep Tactics Secret, Even from Fellow Agents

According to documents recently disclosed under a Freedom of Information Act lawsuit, FBI officials have long aimed to keep their surveillance tactics secret even from fellow law enforcement officials. Officials “once warned agents not to share details even with federal prosecutors for fear they might eventually go on to work as defense attorneys.” Privacy advocates are concerned that secrecy makes court scrutiny of such practices difficult. Meanwhile, it’s been reported that the Drug Enforcement Administration has been taking tips from National Security Agency data. [USA TODAY]

CA – Ontario’s Police Watchdog Lags Behind Others in Transparency

When a BC man died after being Tasered during an arrest last year, the province’s civilian police watchdog launched an investigation that ultimately cleared the five Chilliwack RCMP officers involved in the death. The officers “acted appropriately” when they used the Taser, wrote Chief Civilian Director Richard Rosenthal in his recent report. Their force was not excessive and no officer should be charged in relation to the death. Then Rosenthal backed that decision up — in a detailed, 12-page public report posted on the watchdog’s website, a document that is “virtually identical” to the report sent to B.C.’s Ministry of Justice, according to the watchdog’s spokesperson, Marten Youssef. That report includes: a timeline of 911 and dispatch calls and a description of their content; a breakdown of the evidence provided by two witness officers and five civilian witnesses; a summary of an analysis of the conducted-energy weapon and of the autopsy report; an explanation of the legal issues, including whether the officers used excessive force that resulted in his death; and the director’s analysis of the evidence.

In cases where B.C.’s Independent Investigations Office clears an officer, the agency releases a decision that is as detailed as possible, because in cases with no charges, “there better be an explanation, and a comprehensive one,” Youssef said. He acknowledges that few people will actually read them from start to end, “but it needs to be there.” “It’s a question of transparency,” he said. Ontario — once a leader in civilian oversight after establishing Canada’s first provincial police watchdog, the Special Investigations Unit, in 1990 — is now lagging behind other provinces when it comes to the transparency measures of its independent police oversight agencies. [Source]

Health / Medical

NO – Norwegian Appeals Board Upholds DPA’s Denial of Approval for Health Data Research Project

The Privacy Appeals Board reviewed the Norwegian Data Protection Authority’s decision to reject an application from the University of Oslo’s to process health data for a research project. The research project’s proposed collating of data from various sources, including a national patient register, would have permitted the indirect identification of individuals, which did not sufficiently meet pseudonymisation requirements; the DPA was correct in finding that relevant legislation requires that such pseudonymisation be irreversible. [Privacy Appeals Board, Norway – PVN-2015-12 – University of Oslo Health Research Project]

WW – Health Data: Challenges in Providing Notice to Users of Wearable Devices

Current and future challenges of obtaining meaningful consent, before collecting or processing health-related data generated by individuals’ wearable devices. Organizations collecting mHealth data via wearable devices face challenges in obtaining meaningful consent from users (owing to small screen sizes and the need to provide a privacy statement including proposed uses of the data); prior consent is still required (with limited exceptions, including for preventive medicine, for medical diagnosis) and the new GDPR will impose even more stringent requirements. [mHealth – Wearables, technical innovation and Data Protection – CMS Law]

UK – Privacy Concerns Limit Social Media-Based Health Campaigns: Study

A “qualitative evaluation” of HIV Prevention England’s awareness program, “It Starts With Me,” found that online privacy concerns inhibit the wider reach of social media-mired intervention campaigns. “Nearly all of our participants held concerns about privacy relating to their social media use and their engagement with sexual health interventions,” the researchers said. They added that their study did not contain privacy-specific questions, but that respondents expressed their privacy concerns organically. [NAM Aidsmap] [Witzel TC et al. It Starts With Me: Privacy concerns and stigma in the evaluation of a Facebook health promotion intervention. Sexual Health, 2016]

Horror Stories

WW – BeautifulPeople.com Private Data of 1.1 Million ‘Elite’ Daters for Sale

Sexual preference. Relationship status. Income. Address. These are just some details applicants for the controversial dating site BeautifulPeople.com are asked to supply before their physical appeal is judged by the existing user base, who vote on who is allowed in to the “elite” club based on looks alone. All of this, of course, is supposed to remain confidential. But much of that supposedly-private information is now public, thanks to the leak of a database containing sensitive data of 1.1 million BeautifulPeople.com users. The leak, according to one researcher, also included 15 million private messages between users. Another said the data is now being sold by traders lurking in the murky corners of the web. Other leaked data included weight, height, job, education, body type, eye colour and hair hue, as well as email address and mobile phone number. Location data, in the form of latitude and longitude, were also leaked, along with smoking and drinking habits, interests and favourite TV shows, movies and books. Anyone using the site expecting privacy should now consider themselves exposed, right down to their appearance, whereabouts and interests. “We’re looking at in excess of 100 individual data attributes per person. Everything you’d expect from a site of this nature is in there.” [Source]

US – NY Hospital to Pay $2.2 Million Over Unauthorized Filming of 2 Patients

NewYork-Presbyterian Hospital has agreed to pay a $2.2 million penalty to federal regulators for allowing television crews to film two patients without their consent — one who was dying, the other in significant distress. Regulators said that the hospital allowed filming to continue even after a medical professional asked that it stop. At the same time, regulators clarified the rules regarding the filming of patients, prohibiting health providers from inviting crews into treatment areas without permission from all patients who are present. That could end popular television shows that capture emergencies and traumas in progress, getting permission from patients only afterward. “It is not sufficient for a health care provider to request or require media personnel to mask the identities of patients (using techniques such as blurring, pixelation or voice alteration software) for whom an authorization was not obtained,” the Office for Civil Rights with the federal Department of Health and Human Services said in an online post. “I think this will have a chilling effect on hospitals going forward. Any hospital legal counsel worth his salt or any P.R. director would be committing malpractice in order to allow it to occur. It’s now embodied in a federal directive.” [Source]

US – North Carolina Clinic Settles HIPAA Breach for $750,000

The Raleigh Orthopaedic Clinic must pay $750,000 in a settlement after the Department of Health and Human Services’ Office for Civil Rights discovered it had shared the health data of 17,300 individuals in 2013 without “executing a business associate agreement,” a violation of HIPAA. “HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise,” said OCR Director Jocelyn Samuels. “It is critical for entities to know to whom they are handing personal health information and to obtain assurances that the information will be protected.” [Healthcare IT News]

CA – Class Action Lawsuit Filed for Privacy Breach in Lanark, Leeds and Grenville

A Class Action lawsuit has been filed following a massive privacy breach at Family and Children’s Services of Lanark, Leeds and Grenville earlier this week that saw the names of 285 families involved with children’s services leaked on Facebook. The class action filed in the Ontario Superior Court of Justice on behalf of a person identified only as M.M. names the agency, its executive director, Children and Youth Services Minister Tracy MacCharles and John Doe – the person responsible for sharing the information – as defendants. The lawsuit calls for $25-million in general damages, $25-million in special damages and $25-million in punitive, aggravated and exemplary damages on behalf of M.M. the families whose names were shared in a document on the Smiths Falls Swapshop and Families United Facebook pages earlier this week. “This is a very serious breach of privacy, made possible by the Family and Children’s Services of Lanark, Leeds and Grenville,” said Sean Brown of Flaherty McCarthy LLP in Toronto. “That institution made the decision to use an on-line portal system that was easily accessed by an individual without any obvious hacking skills. The most sensitive and confidential information held by that body, specifically the names of those under its investigation, have now been published on the Internet. The damage has been done. That bell can not be unrung.” [CFRA]

Identity Issues

WW – FPF Reports on the Full Spectrum of Practical Data De-Identification

One of the most hotly debated issues in privacy and data security is the notion of identifiability of personal data and its technological corollary, de-identification. De-identification is the process of removing personally identifiable information from data collected, stored and used by organizations. Once viewed as a silver bullet allowing organizations to reap the benefits of data while minimizing privacy and data security risks, de-identification has come under intense scrutiny with academic research papers and popular media reports highlighting its shortcomings. At the same time, organizations around the world necessarily continue to rely on a wide range of technical, administrative and legal measures to reduce the identifiability of personal data to enable critical uses and valuable research while providing protection to individuals’ identity and privacy. This paper proposes parameters for calibrating legal rules to data depending on multiple gradations of identifiability, while also assessing other factors such as an organization’s safeguards and controls, as well as the data’s sensitivity, accessibility and permanence. It builds on emerging scholarship that suggests that rather than treat data as a black or white dichotomy, policymakers should view data in various shades of gray; and provides guidance on where to place important legal and technical boundaries between categories of identifiability. It urges the development of policy that creates incentives for organizations to avoid explicit identification and deploy elaborate safeguards and controls, while at the same time maintaining the utility of data sets. [Source] [Infographic] [Privacy Advisor]

US – Judge: Ashley Madison Breach Victims Must Use Real Names

Victims of the Ashley Madison data breach wishing to be named plaintiffs in the upcoming litigation will need to use their real names. U.S. District Judge John Ross made the decision, saying fake names should only be used in civil litigations in certain cases. “The disclosure of Plaintiffs’ identities could expose their sensitive personal and financial information — information stolen from Avid when its computer systems were hacked — to public scrutiny and exacerbate the privacy violations underlying their lawsuit,” Ross said. “At the same time, there is a compelling public interest in open court proceedings, particularly in the context of a class action, where a plaintiff seeks to represent a class of consumers who have a personal stake in the case and a heightened interest in knowing who purports to represent their interests in the litigation.” Victims have until June 3 to join the class. [Ars Technica]

WW – More than 1 Million Facebook Users Access via TOR Network

It seems that every few weeks or so, a new study about how the dark web is mostly vile and mostly harbors criminals crops up. The majority of people, in fact, would be pretty OK about it were the dark web to be padlocked, according to a recent survey. The battle over anonymizing technologies – encryption and the Tor network that the dark web runs on – is a polemic issue: it often boils down to a simplistic battle between the advocates of innocent individuals’ privacy rights (and of security that isn’t weakened via backdoors) vs. the shielding of criminals. On one side of the argument, Tor is used by whistleblowers, human rights activists, journalists and others to protect their identities. On the other side: it’s also used by people shielding their activities around cybercrime, drugs, illegitimate porn and violent extremism. As it turns out, a large number of people who want to use Facebook secretly without revealing their identities fall into the “legitimate use” side of the battle. Facebook said on Friday that over a million people accessed Facebook through the Tor network this month. That’s up from the 525,000 people who were coming in over Tor over a 30-day period last June, and it follows two years of work to enable people to find the social network on Tor. [Source]

Internet / WWW

WW – Google Beefs Up Chrome Web Store User Data Policy

Google has made changes to the Chrome Web Store User Data Policy to protect users from data theft. Third-party developers must encrypt personal data that they transmit. The revised policy also requires developers to create and publish a privacy policy explaining which data they collect and how it is used. [Register] [Google]

Law Enforcement

CA – Surrey’s License Plate-Scanning & 300 Traffic Cameras Remain Limited

Although the RCMP have now been given 24-hour access to Surrey’s 300 traffic cameras in the fight against gang violence, there is a line Mounties are not attempting to cross. They aren’t proposing to use the 330 city intersection cameras to rapidly scan licence plates and check drivers against policing databases, as now happens with the Automated Licence Plate Recognition (ALPR) system on use on about 40 police cars in B.C. In theory, a stationary system of cameras integrated with ALPR could act as a surveillance network, tracking the movements of known gangsters or quickly identifying suspect vehicles fleeing the scene of a shooting – if that was allowed here as it is in the U.K. “That’s not what exists here in British Columbia or anywhere else in Canada,” RCMP Dep. Commissioner Craig Callens said, giving a short answer of “no” when asked if such a London-style system is being pursued. “I have not been involved in any discussions to this point,” he told Black Press. “And I think to do so would require some considerable consultation with the provincial privacy commissioner.” A University of the Fraser Valley study in 2015 suggested much more could be done with the licence-scanning system to tackle more serious crime. “ALPR is not being used in Surrey to its full potential,” according to the report by UFV criminologists. In other jurisdictions, they noted, the second most common use is for crime intelligence – using ALPR equipped vehicles to patrol high-crime areas to run plates, collect data and identify and track potential suspects. [Source]

Location

US – Support Increases for Legislation to Halt Government Location Tracking

The House Judiciary Committee may consider halting the government’s ability to track citizens’ locations via their cellphones without a warrant sooner rather than later. During its meeting on the Email Privacy Act last week, Chairman Bob Goodlatte, R-Va., said he wants to hold a meeting on how the committee is dedicated to safeguarding geolocation data when the next Congress commences. Goodlatte’s stance is drawing praise from both sides of the aisle and has been compared to legislation from Rep. Zoe Lofgren, D-Calif., requiring the government to seek a warrant in order to intercept or request geolocation data from any citizen. Goodlatte has the support of privacy advocates including Sen. Ron Wyden, D-Ore., who believe location tracking to be a prominent issue to be addressed in the widespread surveillance debate. [Morning Consult]

Privacy (US)

UK – Supreme Court Believes IT Progress Make Privacy Laws ‘Unenforceable’

Lord Neuberger, president of the UK Supreme Court, expressed skepticism about the overall effectiveness of privacy laws, claiming such orders are “unenforceable.” Delivering his opinions in front of lawyers in Edinburgh, Neuberger believes gains in technology have made it impossible to properly enforce privacy laws, and developments in IT have greatly increased the tensions between personal privacy and freedom of expression. “The existence of the Internet inevitably affects what can be practically achieved in terms of enforcement of privacy, and the law should never seek to acknowledge or enforce rights which are in practice unenforceable,” Neuberger said. [Daily Mail]

US – Legislators Lack Unbiased Scientific and Technical Advice

Budget cuts more than twenty years ago eliminated the US Office of Technology Assessment (OTA), which provided legislators with unbiased scientific and technological information. Former congressman Rush Holt, a trained research physicist, tried to bring OTA back, but did not succeed. He noted, “Most members of Congress don’t know enough about science and technology to know what questions to ask, and so they don’t know what answers they’re missing.” [Wired]

Security

US – DHS Red Teams Conduct Penetration Tests on Government Agencies

The US Department of Homeland Security’s (DHS) National Cybersecurity and Communications Integration Center (NCCIC) has conducted penetration tests on three unnamed US government civilian agencies. The red teams were able to “own those agencies from top to bottom and side-to-side.” NCCIC now plans to help those agencies fix their network weaknesses. The agencies will also have help developing internal cybersecurity talent so they can continue to conduct similar assessments more frequently. [Source]

US – More Bad News for NASA Cybersecurity

Two more reports have found serious cybersecurity problems at NASA. The agency’s inspector general found that NASA needs to improve continuous monitoring management, configuration management, and risk management. And a private security company, Security Scorecard, ranked NASA last among 600 federal, state, and local government agencies surveyed in its report. Security Scorecard found that NASA had issues with secure sockets layer (SSL) certificates, unsecure open ports, and misconfigured email sender policy frameworks. [Source] [NASA IG Report]

WW – 93 Million Mexican Voter Records Exposed on Cloud

A 132 GB database, containing the personal information on 93.4 million Mexican voters has finally been taken out of the cloud and offline. The database sat exposed to the public for at least eight days after its discovery by a researcher, but originally went public in September 2015. The security researcher discovered the MongoDB instance on April 14, but had difficulty tracking down the person or company responsible for placing the voter data on Amazon’s AWS. He first reached out to the U.S. State Department, as well as the Mexican Embassy, but had little success. The database contains all of the information that Mexican citizens need for their government-issued photo IDs that enable them to vote. Along with their municipality, and district information, the database records include the voter’s name, address, voter ID number, date of birth, the names of their parents, occupation, and more.

Eventually, after a speaking engagement at Harvard University’s Center for Government and International Studies, the researcher was able to reach someone the Mexican Instituto Nacional Electoral (INE). The database was pulled offline earlier this morning. Given that the database has been online since September 2015, it isn’t clear how many people have accessed the records. Additionally, the actual owner of the account hosting the data remains unknown. Mexico has strict laws regarding the usage and access of voter information, and the last time such records were in the hands of a company in the U.S., it became an international incident. “Under Mexican law this data is strictly confidential, carrying a penalty of up to 12 years in prison for transfer or extraction for personal gain. The Mexican Elections Commissioner has confirmed that the database is authentic. The data is now secured but the real question is who else had access to this sensitive information, and who put it on a US-based Amazon cloud server?” he said in a brief statement. [Source] [Hacker discovers information on nearly all Mexican registered voters]

EU – Security Frameworks – EDPS Details Components of Information Security Risk Management Process

The European Data Protection Supervisor has released a guidance document on Information Security Risk Management practices in support of requirements found in Article 22 of Regulation 45/2001. Key steps include establishing a company’s context (collecting relevant information, defining scope, assigning roles), identification and assessment of risks, deciding on responses, management sign-off of residual risks, and ongoing monitoring of risks as well as the process itself. [European Data Protection Supervisor – Guidance – Security Measures for Personal Data Processing – Article 22 of Regulation 45/2001]

Surveillance

US – Federal Appeals Court Says Warrant Not Needed for Stingray Use

The 6th US Circuit Court of Appeals has agreed with the federal government that a warrant is not necessary when using cell-site location technology like Stingrays. The majority of federal appeals court rulings share this position; the only federal appeals court that sided against has agreed to rehear the case, so the opinion has been set aside. The issue is unlikely to head to the Supreme Court anytime soon unless more federal appeals courts disagree with the government. [Ars Technica]

UK – Surveillance Bill Would Require Government Vetting of New Communications Technology

Draft surveillance legislation in the UK would require technology and telecommunications companies to run new products, services, and features by the government prior to their release, to ensure that they provide capability for the government to intercept communications or access stored data. [ZDNet] Privacy International has flagged a provision in the U.K.’s draft Investigatory Powers Bill that would mandate tech firms like Google and Apple to inform spies when their technologies were to be upgraded.

UK – Documents Reveal British Intelligence Agencies Collecting Bulk Personal Data Since 1990s

A collection of more than 100 documents reveals how British intelligence agencies, including MI5, MI6 and GCHQ, have been collecting bulk personal data in secret since the late 1990s. The documents show how the agencies have been stockpiling the data, which includes travel records, financial data and communications information, for longer than previously divulged. The internal memos also reveal how the agencies gathered information on individuals who are “unlikely to be of intelligence or security interest.” Other revelations include continuous issues intelligence agencies face regarding data handling errors, resulting in the disciplining of two MI5 and three MI6 agents between 2014 and 2016 for mishandling bulk personal data, while a GCHQ staff member was fired for unauthorized searches. [Guardian]

CA – Saskatchewan OIPC Issues Best Practices on Public Surveillance

The OIPC SK has provided guidance on video surveillance of public areas, aimed at public bodies who may be subject to:

Images of individuals are personal information under privacy legislation; public bodies deploying CCTV cameras (or similar) should consider the following – confirming that the collection is necessary and lawful (i.e., proper authority under the law), minimizing impact on personal privacy (avoid washrooms, post notices that the area is under surveillance), conducting a PIA, and ongoing audit and review of the program. [Video Surveillance Guidelines for Public Bodies – OIPC SK]

Telecom / TV

US – 60 Minutes Segment Demonstrates Ease of Tracking Smartphones

US television investigative news magazine 60 Minutes ran a segment showing just how vulnerable smartphones are to tracking and eavesdropping. US Senator Ted Lieu (D-California) participated in the demonstration. Using just the 10-digit number associated with the smartphone, Security Research Labs’ Karsten Nohl was able to record calls made to and from the device and track its precise location. Nohl exploited a weakness in the Signaling System No. 7 (SS7) routing protocol to access the phone Lieu was using. [Ars Technica] [ComputerWorld] [The Register] [The Hill]

US – FCC to Examine Mobile Network Security

Following a 60 Minutes television news magazine segment that demonstrated a vulnerability that could be exploited to eavesdrop on phone calls, the head of the US Federal Communications Commission’s (FCC) Public Safety Bureau has directed his staff to look into the Signal System 7 (SS7) vulnerability. [SC Magazine] [The Hill]

AU – 60 Minutes Australia Covered SS7 Vulnerability Last Year

The SS7 vulnerability was demonstrated last year on a segment for Australia’s 60 Minutes program, which also noted that a relatively inexpensive and readily obtainable device known as an IMSI catcher, or cell-site simulator, could be used to conduct man-in-the-middle attacks against cellphones. [YouTube] [NDTV]

CA – BC Appeals Court Affirms Its Position on Text Message Privacy

On April 11th, the BC Court of Appeal held that a defendant convicted of internet luring and sexual touching of a minor had a reasonable expectation of privacy in direct messages he sent to the complainant and others via a social media platform. The trial judge had found no such expectation – a finding that rested in part on the nature of the messages. The trial judge held that the messages contained no personal information that the defendant had not posted in his public profile and were not sent to an intimate, trustworthy contact. The Court of Appeal viewed the messages differently – as “flirtatious” – and held that the trial judge rested too heavily on the “risk analysis” that characterizes American Fourth Amendment law. It reasoned: While recognizing that electronic surveillance is a particularly serious invasion of privacy, the reasoning is of assistance in this case. Millions, if not billions, of emails and “messages” are sent and received each day all over the world. Email has become the primary method of communication. When an email is sent, one knows it can be forwarded with ease, printed and circulated, or given to the authorities by the recipient. But it does not follow, in my view, that the sender is deprived of all reasonable expectation of privacy. To find that is the case would permit the authorities to seize emails, without prior judicial authorization, from recipients to investigate crime or simply satisfy their curiosity. The analogy between seizing emails and surreptitious recordings [as considered by the Supreme Court of Canada in R v Duarte] is valid to this extent. In the end, the Court found a breach of section 8 but held the evidence was after conducting its section 24(2) analysis. The Court’s reasonable expectation of privacy finding follows its earlier similar finding in R v Peluco. For the context see this Law Times article. [BCCA affirms its position on text message privacy]

US Government Programs

US – U.S. Administration Refuses Information About Spying On Americans

A group of lawmakers from both parties are unhappy that they are being asked to reauthorize two key surveillance programs without the Obama executive branch answering how much data is being gathered on innocent Americans. The two programs authorized by Section 702 of the Foreign Intelligence Surveillance Act, are PRISM and Upstream. PRISM is a clandestine surveillance program under which the US NSA collects internet communications from at least nine major US internet companies. Since 2001 the US government has increased its scope for such surveillance, and so this program was launched in 2007. The major companies include Facebook, Yahoo, and Skype. Upstream collection involves four different surveillance programs: In a Foreign Intelligence Surveillance Court (FISC) order from October 3, 2011, it’s said that the Upstream collection accounts for approximately 9% of the total number of 250 million internet communications which NSA collects under the authority of section 702 FAA every year. During the first half of 2011, NSA acquired some 13.25 million internet communications through Upstream collection. “The program is unable to exclude domestic communications due to technical difficulties. The government refuses to tell politicians how much data is collected from Americans. Fourteen members of the House Judiciary Committee sent a letter to James Clapper, the Director of National Intelligence, asking for at least a rough estimate of the number. The letter said: “In order that we may properly evaluate these programs, we write to ask that you provide us with a public estimate of the number of communications or transactions involving United States persons subject to Section 702 surveillance on an annual basis.” Senator Rony Wyden has been asking for the number since 2011. The Privacy and Civil Liberties Oversight Board also asked in 2014. More than 30 privacy groups have also asked for the number. [Source] [Clapper: ‘We’ll do our best’ to figure out surveillance numbers]

US Legislation

US – Legislative News Roundup

Workplace Privacy

CA – Employee Privacy: Ontario Arbitration Board Rules that Employer’s Search of Employee’s Personal USB Key Did Not Infringe Charter Rights

An arbitration board heard a termination complaint filed by a union for federal employees against an Ontario government ministry. A supervisor was permitted by a management rights clause in the collective agreement to search the lost USB key (which was reported to contain employer documents) for evidence of employee misconduct. Any Charter-infringing conduct was minor; some degree of intrusion into personal documents was inevitable because the key was used for both personal and work purposes. [Association of Management, Administrative and Professional Crown Employees of Ontario (Bhattacharya) v. The Crown in Right of Ontario (Ministry of Government and Consumer Services) – 2016 CanLII 17002 – The Grievance Settlement Board, Ontario]

CA – ONSC Affirms Damages Award for “Friend’s” Leak of Work Schedule

On April 8th, the Ontario Superior Court of Justice affirmed a $1,500 damages award for a privacy breach that entailed the disclosure of information that the defendant received because she was the plaintiff’s social media friend. The plaintiff and defendant were pilots who worked for the same airline. The plaintiff shared his work schedule with the defendant though an application that allowed him to share his information with “friends” for the purpose of mitigating the demands of travel. The airline also maintained a website that made similar information available to employees. The defendant obtained the schedule information through one or both of these sites and shared it with the plaintiff’s estranged wife. Among the issues raised in this scenario: Is a work schedule, in this context, personal information? Does one have an expectation of privacy in information shared in this context? Does the intrusion upon seclusion tort proscribe a disclosure of personal information? The appeal judgement is rather bottom line. In finding the plaintiff had a protectable privacy interest, the Court drew significance from the airline’s employee privacy policy. [Source]

+++

 

9-18 April 2016

Biometrics

WW – Fingerprint Identification Technology Expanding Beyond Smartphones

Biometric fingerprint technology has surged in popularity among smartphone users, and now companies are looking to bring the technology to new places. Credit card use, rail commuting and entrances to buildings could be the next wave of opportunities to implement fingerprint identification. Specifically, Sweden’s Fingerprint Cards, already leading the market for fingerprint identification sensors in smartphones, believes biometric smart cards could be its most rapidly expanding market by 2018. Security advocates praise fingerprint identification as a superior alternative to pin codes, and the market for the technology continues to grow, with many companies jumping into the business. [Reuters]

WW – Russian Photographer’s Project Shows Ease of Finding People Online

A Russian photographer’s project looks to show how an individual’s private life is becoming less and less private. Egor Tsvetkov created an experiment titled “Your face is big data,” where he took pictures of nearly 100 people sitting across from him on the subway, then used the facial-recognition app FindFace to discover them on VK, a Russian social media site. Tsvetkov located about 60 to 70% of the people he photographed who were between 18 and 35 years old. [PCWorld]

US – Shutterfly Settles Facial Recognition Lawsuit

An undisclosed settlement has been reached between Shutterfly and an Illinois man who brought a lawsuit against the photo-sharing website, claiming the company violated his privacy. Brian Norberg alleged Shutterfly used facial recognition software to identify his face, which ended up in the company’s database after a friend tagged him in a photo in February 2015. Norberg’s suit said Shutterfly analyzed the details of his face and offered other photos he should be tagged in, which the suit asserts violates Norberg’s rights under the Illinois Biometric Information Privacy Act. “Helping a user re-identify his own friends within his own digital photo album does not violate any law,” Shutterfly countered. Had the lawsuit gone to trial, it could have had repercussions for companies using facial recognition software. [Chicago Tribune]

Canada

CA – Nova Scotia to Craft New Cyberbullying Law

The province’s Justice Department says it is working on new cyberbullying legislation to replace the Cyber-safety Act, which was struck down in December by the Nova Scotia Supreme Court. Since then the province has had no law on the books specifically dealing with cyberbullying. Over the next several months the province said it will seek legal expertise to craft a new act that balances the right to freedom of speech with a way to protect the victims of cyberbullying. The earliest new cyberbulling legislation could be introduced is the fall. [Source]

Consumer

WW – Men and Women Differ in Their Approach to Online Privacy and Security

What do internet users want in terms of security and privacy? What do they do to protect their own privacy and security when they use the internet? Hide My Ass! (HMA) commissioned a nationwide survey to find out. The main results revealed a striking disconnect between what people want and what they do while a deeper look uncovered some intriguing differences between men and women. HMA is a VPN (virtual private network) service provider. VPNs hide an internet user’s identity, location and internet activity by encrypting their data and routing their internet connection through multiple IP addresses and remote servers. HMA summarized the results of their survey with an attractive infographic and a more detailed report. While most people want more internet security and privacy, they do very little to make use of the tools and techniques that are available to give them what they want. The survey found that 70% of consumers say they restrict their level of social media use in order to avoid exposing personal information. However, only 25% enable strict privacy restrictions on the social media platforms they use. Likewise, 67% say they want additional layers of security while only 9% use email encryption programs, 11% use a VPN and 13% use two-factor authorization. [Forbes]

WW – RAND Corporation Examines Consumers’ Reactions to Data Breaches

When a data breach occurs within an organization, how do affected consumers respond? It’s the question the RAND Corporation sought to answer in “a nationally representative survey of the consumer experience” following a data breach. Of their findings, RAND reports 26% of respondents, roughly 64 million adults in the U.S., received a breach notification in the 12-month period before the survey, with 44% of those individuals saying they were already aware of the attack from sources other than the affected company. Free credit monitoring was a popular choice among respondents, with 62% of individuals accepting the service. Many were pleased with a company’s reaction to the incidents, with 77 percent reporting high satisfaction with the organization’s post-breach response, and only 11% discontinuing a relationship with the organization following the breach. [Full Story] [Consumer Attitudes Toward Data Breach Notifications and Loss of Personal Information]

WW – Firm Releases 2016 Data Breach Litigation Report

Data breach litigation “remains one of the top concerns of general counsel, CEOs and boards alike,” Bryan Cave, a law firm, points out in its latest report on data breach litigation, adding, “there remains a great deal of misinformation reported by the media, the legal press and law firms.” The 2016 Data Breach Litigation Report found a 25% decline in the amount of cases that were filed from its 2015 report. Additionally, when “multiple filings against single defendants” were removed, there were only 21 unique defendants during that 15-month time period, and only 5% of reported data breaches ended up facing class-action litigation. According to the report, such a decline in class actions may derive from an overall decline in reported breaches. [Report]

E-Government

US – Government Agencies Dead Last in Cybersecurity: Report

The cybersecurity protections at U.S. government agencies — from federal to local levels — ranked dead last compared to 17 other private industries, according to a report from security risk startup SecurityScorecard. SecurityScorecard analyzed the security capabilities of major industries across 10 categories, including weaknesses to malware and rates of password exposure. The security startup examined 35 major government data breaches between April 2015 and April 2016, saying agencies had the worst scores on network security, software patching defects and malware. Among the 600 government entities SecurityScorecard examined, NASA was the worst performer, particularly its susceptibility to email spoofing and malware attacks. Other low ranking agencies included education and telecommunications, while information services, food and construction industries received high marks. For more on the report: here. [Reuters] [Newsweek]

E-Mail

US – House Judiciary Committee Unanimously Approves Email Privacy Act

In a 28-0 vote, the Email Privacy Act has been approved by the House Judiciary Committee. The new bill, created to update the 1986 Electronic Communications Privacy Act, requires law enforcement to obtain a warrant before requesting email providers to hand over a suspect’s electronic communications stored for more than 180 days. The bill is expected to pass through the House, but might face opposition in the Senate, as civil enforcement agencies — including the Securities and Exchange Commission and the FTC — are concerned the bill could hamper civil investigations. [Morning Consult]

Electronic Records

US – 96% of Health Care Organizations Susceptible to Data Threats: Report

The results of the Healthcare Edition of the 2016 Vormetric Data Threat Report revealed 96% of health care organizations feel susceptible to data threats, the organization said in a press release. Findings included 63% of respondents saying they have experienced a data breach, with nearly 20% experiencing one in the last year. Meeting compliance requirements was the top IT security spending priority, coming in at 61%, with data breach prevention “well behind at 40%.” Complexity clocked in at 54% as the toughest barrier to overcome for better adoption of data security, with lack of staff coming in second. [Full Story]

EU Developments

EU – WP29 Refuse to Endorse Privacy Shield Scheme

The Article 29 Working Party (WP29) met in Brussels to discuss the European Commission’s Privacy Shield scheme, the proposed replacement for Safe Harbor. As anticipated, WP29 decided that in their view Privacy Shield does not offer adequate protection. Whilst the decision is not binding on the Commission it will be hard to ignore if Privacy Shield is to be successful, especially since enforcement is still in the hands of the data regulators who sat around the table at WP29 and not in the hands of the Commission. WP29’s position is not a surprise, especially given the rumours coming out of Germany. Some German data protection authorities have had a long-held objection to Safe Harbor and they have been the most aggressive in enforcement since Safe Harbor died (for more on this see our alert here).Amongst WP29’s criticisms are:

  • A lack of clarity over the ombudsman role; and
  • Exceptions allowing the US to still collect European bulk data.

Most companies will have to plan for a world without Safe Harbor or Privacy Shield at least in the short term. They will have to explore alternative solutions including EU model terms and Binding Corporate Rules (BCRs). BCRs are likely to gain momentum and sources close to WP29 tell us that we can expect statements soon from regulators removing some of the existing objections to BCRs. In addition BCRs will gain in use once their statutory status is confirmed by the forthcoming General Data Protection Regulation (GDPR) – there is more on this in our GDPR FAQs here. [The WP29 issues draft adequacy decision] [IAPP GDPR Resources] [Data watchdogs do not endorse the EU-US Privacy Shield as drafted] [WP29 Privacy Shield opinion sparks anxieties for US businesses] The Hill also reported on businesses’ Privacy Shield related fears, and the potential challenges of trying to alert the agreement. [WP29 on Privacy Shield: More work needed]

EU – European Commission Seeks Views on ePrivacy Directive

The European Commission seeks stakeholders’ views on the current text of the ePrivacy Directive as well as the possible changes to the existing legal framework to make sure it is up to date with the new challenges of the digital area; the consultation is open until July 5, 2016. Learn more

EU – Passenger Name Record Bill Passes

The European Parliament approved the EU Passenger Name Record bill after five years of discussion. The bill will permit federal law enforcement officials to share airline-passenger information, like name and payment data, across national borders for up to five years in an attempt to curb terrorist activity. “It is one all EU governments and indeed the U.S. government have requested as a very important tool to tackling terrorism,” said U.K. MEP Timothy Kirkhope. Critics in the Green Party disagree. “This EU PNR system is a false solution, based on the flawed political obsession with mass surveillance,” said Green MEP and Home Affairs spokesman Jan Philipp Albrecht in a statement. [EUobserver]

UK – CJEU Hears Case on British Data Retention Laws

The EU’s highest court will hear a legal challenge this week concerning the validity of UK data retention laws. In July last year the High Court in London ruled that DRIPA was incompatible with human rights legislation but that decision was appealed by the UK government to the Court of Appeal. The Court of Appeal has asked the CJEU to rule on whether its previous judgment on the Data Retention Directive sets out “mandatory requirements of EU law applicable to a member state’s domestic regime governing access to data retained in accordance with national legislation, in order to comply with Articles 7 and 8 of the EU Charter”. [Source]

EU – Belgian DPA Advises Data Controllers to Have Detailed Cloud Contracts

The Belgian data protection authority issued guidelines for data controllers contracting with cloud service providers regarding compliance with the Data Protection Act. Provisions should include requirements that the provider only process the data upon the controller’s instructions and obtain controller approval for all subcontractors, and a list of the physical locations where the processing takes place for the duration of the contract. [DPA Belgium – Opinion No 10/2016 – Use of Cloud Computing for Data Controllers]

Facts & Stats

CA – Reporting of Government Privacy Breaches Varies Widely

Federal government departments breached the privacy of more than 45,000 Canadians last year but only a small fraction of those breaches were ever reported to Canada’s Privacy Commissioner. Moreover, the proportion of breaches reported to the Privacy Commissioner’s office varied widely from one department to another. For example, while the Justice Department reported 80% of the breaches it discovered, the agency with the largest number of breaches – the Canada Revenue Agency – only revealed less than 1% of its 3,868 breaches to Privacy Commissioner Therrien’s office. While departments are not required to notify Therrien of every breach that occurs, last year he was only notified about 5.3% of the 5,853 privacy breaches discovered by departments. See Chart: Privacy breaches reported to privacy commissioner. [Source] [Document: Order/Address of the House of Commons] [Feds made 5,670 privacy breaches last year; CRA worst offender] [Appearance before the Standing Committee on Access to Information, Privacy and Ethics on the Transfer of Information to the United States Internal Revenue Service (IRS) ] [Ottawa open for comments on proposed breach notification regulations]

CA – Half a Billion Identities Were Stolen or Exposed Online in 2015

500 million identities were stolen or exposed online in 2015 according to a report by digital security firm Symantec. The report also revealed that the amount of malware online increased by 36%, with 430 million new pieces of malicious code being created in 2015. Ransomware attacks are also on the increase, with 35% more attacks than the previous year. The UK ranked as the most targeted nation for spear-phishing campaigns that attempt to steal data by targeting employees within a specific organisation. This type of attack increased by 55% in 2015. We’re also beset upon by fake technical support scams and social media fakes, with the UK being the second most targeted nation globally in both categories. Symantec drew particular attention to the increased number of zero-day vulnerabilities in 2015. It identified 54 zero-day vulnerabilities in 2015, the majority of which existed in widely-used pieces of software. Four out of the five most exploited zero-day vulnerabilities were found in Adobe’s much-maligned Flash Player. On average, each data breach exposed more than 1.3 million identities, but Symantec identified nine ‘megabreaches’ – the leaking of over 10 million records in a single attack – in 2015. [Source] [BBC] See also: [The seven types of e-commerce fraud explained]

CA – Hamilton Using Google Maps to Enforce Bylaws

Since 2002, Hamilton city officials have been quietly collecting aerial photographs that allow enforcement staff to investigate breaches of bylaws, especially the requirement that homeowners acquire a building permit before building a deck or some other construction project. Images from past years can be compared to get an idea when a deck, pool or addition was built. If the structure wasn’t there one year, and appeared the next, it means it was built sometime in between. But Jorge Caetano, the manager of plan examination in the city’s building division, says the information is never used to go on fishing expeditions for violators. It’s only consulted after the city receives a complaint. “We use it as a tool. We don’t use it in place of going there in person to investigate, to see the property,” he said. “At this point, we don’t base enforcement on aerial photographs. We would have to go out there physically and inspect the property. We still have to carry out the proper investigation.” He said information from past aerial photographs could be consulted to verify whether a structure has been there for many years and was, say, built by a former owner. A spokesperson from the IPC Ontario said the use of aerial maps would not appear to violate privacy rules: “As defined in Ontario privacy legislation, personal information means recorded information about an identifiable individual. Several IPC decisions have found that information about properties and businesses does not qualify as personal information as it does not reveal something of a personal nature about identifiable individuals.” [Source]

Finance

CA – CRA Should Notify People When Their Bank Records are Shared: Therrien

The CRA should automatically notify individuals when it shares their banking information with the U.S. IRS under a controversial information sharing agreement, says Canada’s Privacy Commissioner. Testifying before Parliament’s Access to information, Privacy and Ethics committee Daniel Therrien said there is no reason for the CRA not to advise people when their information is transferred. “Can it be realized? It is certainly an effort but we know that the government wants to facilitate access to data by citizens so it seems to me that would be a move that would fit in that objective.” Therrien said there are likely electronic ways to notify people when the CRA shares their banking information with the U.S. Therrien said he is also concerned that Canada’s banks and the CRA may be over reporting the number of people considered “U.S. persons” under the information sharing agreement. While the CRA originally estimated that the deal it signed would result in it sending 30,000 to 90,000 banking records to the IRS, it ended up sending 155,000 records. [Source]

US – Insurance Coverage for ‘Malicious Insider’ Breach Depends on Policy Wording

With most data now stored electronically, businesses are facing new challenges in relation to data retention and keeping it secure and safe. Bespoke cyber insurance policies and, increasingly, data protection coverage as part of a general commercial liability policy will generally cover both first and third party liabilities in the event that anything happens to that data – but how will these policies respond in the face of deliberate or criminal behaviour by an employee who decides to release data to harm either colleagues or the business? As insurance contracts are supposed to cover fortuities and not deliberate actions, insurers may be able to reject claims arising out of malicious acts by employees. It is important, therefore, for both insurers and the insured to ensure that policy wordings reflect the regulatory framework surrounding data breaches, as well as the specific types of claim that are likely to arise as a result. In the absence of specific wording, insurers may be able to reject claims arising out of deliberate data breaches by disaffected employees. .As insurance contracts are supposed to cover fortuities and not deliberate actions, insurers may be able to reject claims arising out of malicious acts by employees. It is important, therefore, for both insurers and the insured to ensure that policy wordings reflect the regulatory framework surrounding data breaches, as well as the specific types of claim that are likely to arise as a result.

CA – Privacy Law Gives Insurers a Boost in the Battle Against Fraud

With amendments to federal privacy laws last year, group benefits providers are facing a host of new consent and disclosure-related obligations that can offer helpful tools or signal potential headaches. Bill S-4, the Digital Privacy Act, came into force in June 2015. It amended PIPEDA to include new provisions around obtaining consent, disclosing information without consent and mandatory breach notification. For group benefits providers, the most positive development is likely the new provision that will help them fight fraud by allowing for increased disclosure of information without consent in certain cases. Before the amendment, insurers had to obtain the consent of anyone they had a contract with before disclosing their personal information even if that person was suspected of involvement in fraudulent activity. Many of the amendments also create consistency with privacy legislation in Alberta and British Columbia. Industry efforts will include helping insurers to consider ways to share claims data in order to identify fraud trends that the association says can be hard to pinpoint when each provider is working independently. [Benefits Canada] See also: [Out-Law: Insurance Coverage for ‘Malicious Insider’ Breach Depends on Policy Wording]

FOI

US – Microsoft Sues Justice Department over ECPA Gag Orders

Microsoft is suing the Justice Department for its frequent use of gag orders that prevent the company from telling users when the government has obtained a warrant to search their emails. Microsoft claims the gag order statute in the Electronic Communications Privacy Act is unconstitutional and violates both the First and Fourth Amendments. In its suit, Microsoft argues that the government has “exploited the transition to cloud computing as a means of expanding its power to conduct secret investigations.” Brad Smith, the company’s top legal advisor, said, “People should not lose their rights just because they are storing their information in the cloud.” The House Judiciary, earlier this week, unanimously passed a bill that would reform parts of the ECPA. [The New York Times] [Microsoft Corporation Delivers a Reality Check to the U.S. Government – Microsoft Corporation Challenges the Government] [Microsoft Sues Justice Department to Protest Electronic Gag Order Statute]

US – Making Records Accessible on the Internet is a “Publication” –Federal Court

A federal appeals court upheld a ruling against insurance firm Travelers Indemnity Company of America, saying, under the terms of a commercial general liability policy, the company should have defended a client in a lawsuit resulting from an electronic data breach. Travelers was found by a three-judge panel in the 4th U.S. Circuit Court of Appeals in Virginia to have failed to prove its two CGL policies with its client, Portal Healthcare Solutions, excluded the defense of a 2013 class-action lawsuit filed when Portal publicly posted the records of Glens Falls Hospital patients. The trial court summarily rejected the argument that because Portal Healthcare had not intended to release the information, there was no “publication,” stating that “the issue cannot be whether Portal intentionally exposed the records to public viewing since the definition of ‘publication’ does not hinge on the would-be publisher’s intent.” Importantly, the court also rejected the argument that because no one had read the records, there was no “publication.” On appeal, the Fourth Circuit “commended” the trial court for its “sound legal analysis,” but did not add more, including on the scope of the term “publication.” The ruling goes against decisions in Connecticut and New York where CGL policies were determined not to cover damages from cyberattacks. “I think it’s a shocker to CGL insurers to see a decision like this,” said a research analyst. “CGL insurers don’t really think that they should be on the hook for this type of claim. They see this as a cyber and privacy claim, not a general liability claim.” [SC Magazine] [Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC, No. 14-1944 (4th Cir. Apr. 11, 2016)] [Source] [Court Opinion] [Appeal] [Federal Court Rules CGL Insurance Covers Data Breach] [4th Circuit affirms Travelers v. Portal Healthcare breach decision]

CA – BC Judge Calls for Restrictions on Court Database Searches

Thomas Crabtree, Chief Judge of the BC Provincial Court, wants restrictions placed upon searches for individuals who were ultimately not convicted of a crime. Crabtree declared a consultation regarding Court Services Online, an online database providing access to criminal records in the Provincial Court. Crabtree believes individuals who weren’t convicted of a crime should not be stigmatized, and cases ending in acquittals, dismissals and withdrawals will only be available in the database in the 30 days after the information is entered. Media outlets are displeased, believing court records should be fully open. “On balance, the need to protect individuals who have not been convicted from misuse of court record information outweighs the desirability of broad online public access to information about such cases and the individuals affected,” Crabtree wrote in a statement. [The Globe and Mail]

US – NSA appoints First Transparency Officer

The National Security Agency has appointed current Civil Liberties and Privacy Director Rebecca Richards as its first ever transparency officer. An NSA announcement states her dual role “complements ongoing initiatives to ensure that NSA has the best civil liberties and privacy practices.” The new role will serve under the Office of the Director of National Intelligence’s Intelligence Transparency Council, which aims to make “information publicly available in a way that enhances understanding of intelligence activities, while continuing to protect information when disclosure would harm national security.” [The Washington Times]

Health / Medical

CA – GPEN Launches 2016 “Internet of Things” Global Privacy Sweep

The Global Privacy Enforcement Network will focus their 2016 Global Privacy Sweep around the Internet of Things. The group, made up of data protection authorities from around the world, including the IPC, will specifically look into the accountability practices of IoT companies during this year’s Sweep. Regulators participating in the event — taking place April 11 through 15 — will examine the privacy practices of various devices, ranging from wearables to smart TVs. The OPC says it will investigate health devices. The IPC is surveying two dozen class 2 medical devices available for sale in Ontario. DPAs will have the flexibility to focus on actual products taken right off the shelf, by investigating statements on company websites, or by directly connecting with a manufacturer. [Office of the Privacy Commissioner of Canada] [Privacy watchdog to study impact of personal Internet devices]

UK – 15,000 Expectant Parents’ Info Compromised

The personal information of more than 15,000 expectant parents was compromised after hackers breached the National Childbirth Trust. The NCT alerted users of the breach, which exposed information including email addresses, usernames and encrypted passwords. No sensitive personal or financial information was accessed in the incident. The cyberattack has been reported to both the police and the U.K.’s data protection authority. A spokesman for the NCT said the organization reached out to affected individuals, advising them to change their usernames and passwords. NCT also posted information on their Facebook page about the hack, while also sending a message on social media telling users their website may face further disruptions. [The Telegraph]

Horror Stories

US – FDIC Breach of 44,000 Customers Caused by Storage Device

A former employee of the Federal Deposit Insurance Corp. (FDIC) departed the agency with a storage device that contained data and information involving 44,000 FDIC customers. A former FDIC employee departed the agency with a storage device that contained data and information involving 44,000 FDIC customers. While FDIC Chairman Martin J. Gruenberg said in a March 18 memo that the data was downloaded to the storage device “inadvertently and without malicious intent,” the device included customer names, addresses and Social Security numbers, according to a media report. The former employee signed an affidavit indicating the breached information was not used, the representative noted. [Source]

Identity Issues

CA – BC Law Firm’s Request for ID is Contrary to PIPA

The BC OIPC mediated a complaint from an individual who was asked to produce identification during a free initial consultation with a law firm. PIPA prohibits businesses from collecting more information than is required (a law firm requested ID from a potential client to comply with money laundering legislation, however confirmed that the law society did not require this collection when providing free services). [Potential Client Questions Law Firm Demand for Identification (P16-06-MS)]

CA – CAI PQ Reminds Landlords They May Only Collect Limited Contact and Credit Related Information from Prospective Tenants

The Commission d’accès à l’information du Québec issued reminders to landlords regarding privacy issues in light of July 1st, the traditional “moving day” in Quebec. A landlord may request a prospective tenant’s name and current full address, may ask to see ID, collect the name of a previous landlord, and perform a credit check (with tenant consent); the landlord may not collect data from a health card, driver’s license or passport, and should not request a SIN, employment or salary information, car details (e.g. brand, colour, or license plate number), or details of the tenant’s financial institution. [CAI PQ – Leases and Personal Privacy Principles and Guidelines To Be Respected]

Internet / WWW

WW – New Guidelines Help Cloud Providers Handle Data Breaches

Technology law specialist Bryan Tan discusses new guidelines in Singapore designed to help cloud providers and their business clients handle data breaches while following the country’s data protection regime. According to the new guidelines released by the Infocomm Development Authority of Singapore, the cloud outage incident response rules “are not meant to resolve issues due to cybersecurity, malicious act or breach of personal data protection laws.” The cloud outage incident response, or COIR, guidelines explain how the standards work with Singapore’s Personal Data Protection Act when a data breach occurs, discussing security arrangements to protect personal data, and ensuring security measures are compliant with the PDPA. COIR advises cloud providers on assessing and planning for outages, encouraging for response plans for any incidents, while also structuring the severity of the attacks into a four-tier system. [Full Story]

WW – Box to Let Overseas Customers Store Files Locally in Privacy Bid

Box is trying to lure international customers, offering overseas clients concerned about privacy the option to store information locally in cloud datacenters belonging to Amazon.com Inc. or IBM Corp. Starting in May, Box Zones will give customers the choice of locating their files in Germany, Ireland, Japan, and Singapore. The company plans to add more regions in the future, said CEO Aaron Levie, and is looking at further choices in Europe and Asia as well as adding Australia and Latin America. Customers, particularly in some parts of Europe and South America, face laws that require certain types of data to be stored in their country or have strong preferences for that. Storage closer to the customer can also speed up computing. Box runs data centers in the U.S. but didn’t want to incur the costs of building out internationally to attract these customers, and it’s cheaper to pay Amazon and IBM to use their facilities, Levie said. [Source]

Law Enforcement

CA – Report: Canadian Police Have Had BlackBerry Encryption Key Since 2010

The Royal Canadian Mounted Police (RCMP) have had a key to access encrypted BlackBerry messages since 2010, a joint report from Vice News and Motherboard found. According to the report, the RCMP first obtained the key in 2010 as part of an investigation into a series of violent crimes committed between 2010 and 2012. The investigation, dubbed Project CLEMENZA, resulted in the take down of two Italian-based organized crime cells in June 2014. Over the course of the investigation, the RCMP said it read more than one million private messages sent by members of the cell using a PIN to PIN interception technique. The RCMP said the investigation was the first time the encryption-breaking technique was used on such a large scale in a major investigation in North America. Court documents obtained by Vice Canada show the RCMP has a server in Ottawa – called the “Blackberry interception and processing system” – that cracks messages by simulating a mobile device that receives messages as though it were the intended recipient. The documents cite the RCMP’s use of the “correct global key” in decrypting the messages, though the documents do not specify how police obtained the key. [WirelessWeek] [Canadian Law Enforcement Can Intercept, Decrypt Blackberry Messages]

EU – Danish DPA Finds License Plate Information Retained Longer Than Necessary

The Data Protection Authority in Denmark investigated the processing of personal data by a parking lot company pursuant to the Act on Processing of Personal Data. The company retained license plate information on individuals for 15 months (for those exiting within the free parking period), and 5 years (for individuals that made correct payments, and those that did not pay); information for individuals not required to pay and individuals that have provided correct payment should be deleted without delay, and information for individuals that have not paid should be retained until a payment is made or a claim has been settled. [DPA Denmark – File No. 2015-631-0122 – Registration of License Plates in Parking]

CA – Chatham PD Registry of “Vulnerable” People 10% of Population

The Chatham-Kent Police Service is creating a registry of people considered to be vulnerable, through a voluntary online registry service. Data available to police would be submitted by a legal guardian or caregiver to be used by police should they need to interact with or search for them. Chief Gary Conn said the Vulnerable Persons Registry will be implemented with the service through a new online program they purchased called COP Logic. “In two to three weeks it will be soft-launched, so probably at the end of April or beginning of May,” said Conn, who also called the registry, “another investigative tool in our tool kit.” Conn added, “The advantages of the system are pretty self-evident.” He said the information in the vulnerable persons registry could be used, for example, if someone goes missing. If that person’s profile shows they have an attraction to certain places, it could mean finding them more quickly. People who may benefit from listed with the registry would include those who wander, have an inability to communicate, have fascinations or attractions to places of possible danger such as water or construction sites, or who have social responses such as aggression or fear of the police. When police receive a call involving a registered person or flagged address, the responding officers are notified and given the information contained in the registry to help them in responding more effectively to the situation. Acknowledging that the definition of “vulnerable” is a broad one, Conn said up to about 10,000 people in Chatham-Kent – nearly one-10th of the entire population – might meet the mandate of the definition. The information that will be contained in the registry will be treated as confidential by officers, subject to the Personal Health Information Protection Act, and will be used when responding to incidents or investigations involving the registered person. [Source]

Online Privacy

WW – Study: Shortened URLs Not As Private As You Think

In a paper released April 14, researchers at Cornell Tech outlined how Google, Bit.ly, and Microsoft’s shortened URLs can be “brute-forced” by hackers to access and manipulate so-called “private” sites. “With a decent number of machines you can scan the entire space,” said Cornell Tech’s Vitaly Shmatikov. “You just randomly generate the URLs and see what’s behind them.” Once the process is complete, “online resources that were intended to be shared with a few trusted friends or collaborators are effectively public and can be accessed by anyone,” the researchers said in their report. “This leads to serious security and privacy vulnerabilities.” [Wired]

WW – Google Unveils Privacy-Protective Beacon

Seeking an answer to Apple’s iBeacon, Google released new information on its open-source beacon format Eddystone. Eddystone has four different frame types, one for identifying other beacons, a second to send URLs to other devices, and a third that sends diagnostic data on a user’s phone. The fourth option, the Ephemeral Identifiers mode, offers a secure connection between the beacon and user. The EID is the only format to keep device information private and can be used to act as a Bluetooth tracker to locate various objects, like car keys. No identifiable or traceable information is available outside the connection as EIDs are equipped with a constantly changing identifier that alters the beacon ID — anywhere from a couple of seconds to hours at a time — making it difficult for third parties to capture any usable information. [Ars Technica]

WW – How Should Crowdfunding Platforms Deal With Privacy?

Crowdfunding has seen explosive growth, both domestically and globally, in the past few years. As the industry continues to mature, U.S.-based crowdfunding platforms are beginning to find that privacy considerations deeply impact their business. Aside from the usual considerations facing traditional financial service companies, crowdfunding platforms must be conscientious in the type of borrower or sponsor data they choose to display to investors on their website. Depending on the particular measures employed to protect the individual’s identity, the website may end up publishing very sensitive information in violation of strong public policies in favor of identity protection. [Privacy Advisor]

US – NAI Members’ Privacy Practices Up to Snuff: Study

The Network Advertising Initiative published its 2015 Annual Compliance Report, compiled by NAI Counsel and Director of Compliance Anthony Matyjaszewski. The report studied its “members’ adherence to the NAI Code of Conduct,” and found NAI members “­met their obligations under the provisions of the code and demonstrated their commitment to consumer privacy and industry best practices.” The NAI’s Noga Rosenthal said, “NAI is set apart in the industry by its high standards for Internet­-Based Advertising and related business models, and our robust monitoring program that ensures compliance with these standards. The 2015 Compliance Report shows that member companies continue to take their obligations under the code seriously.” [Network Advertising Initiative]

WW – As Friend Network Grows, Facebook Sharing Decreases

Facebook is trying to combat a growing lack of “personal sharing” that occurs as social media users’ friend groups increase and a sense of online intimacy diminishes. The trend of sharing news articles instead of personal status updates has led to what insiders dub a “context collapse,” with “original sharing” of personal anecdotes down 21% since mid-2015, the report states. Instead, users are employing outlets like Instagram and Snapchat to share, where their audience is comparatively small. Facebook’s newer “On This Day” feature is an attempt to combat the trend, the report adds. Meanwhile, a forthcoming Chrome extension, “Data Selfie,” will let users see their data profile as Facebook and other advertisers do, Motherboard reports. [Bloomberg Technology]

Privacy (US)

US – FTC Accepting Research Proposals for 2016 Events

The FTC is accepting proposals via public comment from privacy researchers for its upcoming PrivacyCon and Fall Technology Series events. The FTC’s 2016 focus is on research papers that “quantify consumers’ privacy and security interests, discuss attack trends and responses, and describe research on transparency and control,” the report states. “It is extremely valuable for us to hear from privacy and security researchers about their work,” the report continues. “This helps us stay up-to-date with technology and identify potential areas for investigation and enforcement.” The FTC will accept PrivacyCon submissions until Oct. 3. [Source]

US – Uber to Pay Up To $25M in Driver Background Checks Lawsuit

Uber has settled a civil lawsuit with the district attorneys of L.A. and San Francisco over claims the company deceived customers on its safety practices and driver background checks. In papers filed in a U.S. District Court, Uber will pay $5 million to each of the district attorneys and faces an additional $15 million fine if the terms of the settlement aren’t met within two years. Additionally, the safety-related language Uber uses around the ride fees must be reworded. The lawsuit claimed Uber overstated safety measures used to screen drivers, only requiring a driver pass a background check carried out by a third-party service. [The New York Times]

US – Lawsuit: Seattle Compost Ordinance Is Rotten

A Seattle ordinance that bars people from throwing their coffee grounds, pizza scraps and other potential compost into their trash cans is being challenged by critics who say the liberal city is turning garbage collectors into trash investigators. A group of homeowners has sued the city over the tactic, claiming it violates privacy protections provided by the state Constitution. The rule that went into effect early last year requires trash collectors to tag garbage cans that contain more than 10% compostable material with educational information. The tactic is projected to divert as much as 38,000 tons of extra food waste from a landfill every year. Several other cities have passed similar food waste laws, including Vancouver, B.C., San Francisco and Portland, Oregon. Lawyers for the homeowners cited a case that was argued in front of the Washington Supreme Court in which Port Townsend police searched a man’s garbage for evidence that he was selling drugs after the trash was placed on a curb. The court ruled police needed a warrant to search the rubbish, even if it was in plain view near the sidewalk. Homeowners also presented an affidavit from someone claiming they were tagged for compost violations twice when their trash had been secured in black plastic bags, suggesting collectors opened the bags to search for compost. [Source]

US – Uber has Given US Agencies Data on More than 12 Million Users

Uber has released its first ever transparency report. More than 12 million riders and drivers were affected by regulators’ data demands between July and December 2015. The fact that regulators are doing the demanding is what makes the number so big. Uber’s the first company, it claims, to include regulatory requests. Uber says the reason it’s including regulatory requests is that its business is “different.” Besides regulatory data, Uber provided data on 469 users to state and federal law agencies. The agencies requested information on trips, trip requests, pickup and dropoff areas, fares, vehicles, and drivers. It got 415 requests from law enforcement agencies, the bulk of which came from state governments. It produced data in nearly 85% of these cases. Uber used the transparency report release to push back against regulatory agencies that it thinks could compromise users’ privacy by going after more data than necessary. From the Medium post: In many cases they send blanket requests without explaining why the information is needed, or how it will be used. And while this kind of trip data doesn’t include personal information, it can reveal patterns of behavior  –  and is more than regulators need to do their jobs.It’s why Uber frequently tries to narrow the scope of these demands, though our efforts are typically rebuffed. This isn’t the first time Uber has wrangled with the California Public Utilities Commission (CPUC) over rider and driver data. In January, the CPUC fined Uber $7.6 million for failing to meet data reporting requirements in 2014. The CPUC was after data about accessible cars, the number of rides requested and accepted per ZIP code, and driver safety information. [Source]

Security

UK – Brits Suffer More than 2,000 Ransomware Attacks Each Day

DON’T PANIC but the amount of cyber crime bashing the UK is increasing, at least according to Symantec and one of its regular round robin threat missives. The Symantec 2016 Internet Security Threat Report warned that threats are rising in several areas. The firm logged an international increase of 35% in crypto-ransomware attacks, the UK taking the third largest chunk with up to 2,215 attacks a day. Some of the best advice from the security community is to use strong passwords, a suggestion Symantec makes in its summaries and guidance information. The security firm said that the enemy is now more organised than ever before, and that most groups have the same kind of resources, skills and support as nation-state hacker groups. “ [The Inquirer]

Smart Cars / IoT

US – NTIA Begins Internet of Things Consultation

The National Telecommunications and Information Administration (“NTIA”) has initiated an inquiry regarding the Internet of Things (IoT) to review the current technological and policy landscape; NTIA is seeking input from interested stakeholders on the potential benefits and challenges of these technologies and what role, if any, government should play – comments are due before May 23, 2016. [Source]

Surveillance

CA – RCMP Being Investigated Over Controversial Spy Tech

An OPC spokesperson confirmed that it has opened an investigation into the RCMP’s use of IMSI catchers, or “StingRays.” These devices are essentially fake cell phone towers that force phones in the vicinity to connect and reveal identifying information. The use of such devices has been the topic of much heated discussion and public debate in the US. The Florida Supreme Court ruled that the warrantless use of StingRays by police is unconstitutional in 2014. StingRays are controversial because they target devices within a certain area, and thus risk violating the privacy of innocents. A leaked email from Correctional Services Canada last year indicated that an unnamed, StingRay-like device was installed in an Ontario prison to monitor inmate communications, but also caught innocent people outside the facility in the dragnet. “These are fundamentally tools of mass surveillance,” said David Christopher of OpenMedia, the organization that filed the privacy complaint that spurred OPC’s investigation. Canadian police have been extraordinarily unforthcoming when it comes to the use of IMSI catchers, or StingRays. Last month, seven men accused in a Quebec court case relating to a mafia slaying pleaded guilty, but not before the RCMP was forced to reveal in open court that they had used a so-called “mobile device identifier”—the RCMP’s term for IMSI catchers—in the course of their investigation. The end of the case meant that the RCMP will reveal no more information about its use of IMSI catchers in court. In BC, Vancouver police are embroiled in a public battle to keep the details of their use of IMSI catchers secret. [Source] See also: [Feds back RCMP secrecy on possible use of ‘stingrays’ for surveillance] [Privacy watchdog to investigate RCMP over alleged ‘stingray’ cellphone surveillance]

US – Bill Permits Government Use of Automatic License Plate Reader Systems

HB 93, An Act to Amend Article 1 of Chapter 1 of Title 40 of the Official Code of Georgia, has passed the House and is tabled in the Senate. Law enforcement agencies are permitted to store (immediately upon collection) and exchange license plate data; the data cannot be accessed except for a law enforcement purpose, must be destroyed no later than 1 year after collection, and policies and procedures for use and operation of an automated license plate recognition system must be maintained. [HB 93 – An Act to Amend the Georgia Code to Prohibit Law Enforcement from Retaining License Plate Data Obtained from License Plate Recognition Systems]

Telecom / TV

US – California Says No to Phone Decryption Bill

A California bill that aimed to punish companies for making smartphones that can’t be cracked has failed. The bill, introduced by assembly member Jim Cooper was introduced in January and required any smartphone sold in California to have the ability to be decrypted. It was “rejected without a vote,” the report states. “The bill, both before and after it was amended, posed a serious threat to smartphone security,” said Rainey Reitman of the Electronic Frontier Foundation. “It would have forced companies to dedicate resources to finding ways to defeat their own encryption or insert backdoors to facilitate decryption.” [ZDNet]

WW — Google Changes App Developer Rules

Aiming to improve privacy and mitigate risk, Google has released a new set of users’ data policy rules for its Chrome Web Store. Developers will be required to publish a privacy policy and use encryption for sensitive or personal information, the report states. And if sensitive data is being collected for a reason that isn’t directly related to an app feature, a prominent disclosure is required, separate from the privacy policy. The change comes following the passage of the GDPR, which requires “clear and affirmative consent” when processing personal data, the report states. Google says developers have until July 14 to makes the necessary changes to comply. [ZDNet]

US Government Programs

US – Privacy Orgs Encourage FCC to Ignore Comment Extension Requests

The Center for Digital Democracy, Electronic Privacy Information Privacy, and eight additional agencies have asked the FCC to disregard the Association of National Advertisers’ request to extend the evaluation time of the FCC’s new behavioral advertising regulations. The ANA’s wish for a request for a 60-day deliberation extension is “unwarranted,” as “the public has long had notice of many of the questions the FCC would attempt to address in this proceeding,” the groups said in a letter to the FCC. “This issue is extremely important and timely. In order to protect consumers without undue delay, the FCC should decide it as quickly as possible.” [MediaPost] [Association of National Advertisers seeks extension for comments on FCC’s broadband rule]

US Legislation

US – Draft Crypto Bill Criticized as “Ludicrous, Dangerous, Technically Illiterate”

US senators have introduced legislation that would require technology companies to comply with requests from law enforcement to unlock encrypted devices. A “discussion draft” of the bill was leaked last week. It has been criticized for weakening security and hindering competitiveness. The bill requires compliance with court orders for information, and if the information is “unintelligible,” the bill requires that the information be made “intelligible.” [Wired] [SC Magazine] [CNET] [InformationWeek]

US – House Bill Would Require Verification of Identification to Purchase Pre-Paid Mobile Devices

H.R. 4886, Closing the Pre-Paid Mobile Device Security Gap Act of 2016, was introduced in the House of Representatives and referred to the Committee on Energy and Commerce. Authorized resellers of mobile devices and SIM cards would be required to collect identifying information at time of purchase and share the information with the device’s wireless carrier; failure to comply with these provisions can result civil penalties of $50 for each separate offense. [H.R4886 – To require purchasers of pre-paid mobile devices or SIM cards to provide Identification]

Workplace Privacy

CA – Secret Video Surveillance Allowed In Ontario Dismissal Case

In a preliminary award, an Ontario arbitrator allowed covert video surveillance footage to be used as evidence in a wrongful dismissal grievance. The complainant, Mr. Donnelly, was one of three elementary school custodians dismissed for allegedly smoking marijuana, adjacent to school grounds during working hours. The wrongful dismissal case between Ottawa-Carleton District School Board and Ontario Secondary School Teachers’ Federation, District 25 (Donnelly Grievance) was mediated by Arbitrator Knopf. The three dismissed custodians were reported by a fellow employee who maintained alleged marijuana use and trafficking, while at work. Following the report, the Board’s Director of Human Resources sought approval to hire a private security company to conduct covert video surveillance. The surveillance team was strictly instructed to record only illegal drug use within the vicinity of the school. Following such footage being obtained, the complainant was reprimanded and his employment terminated by the Board. In Donnelly’s defence, the union highlighted the failings of the surveillance footage in adhering to the Board’s policies and procedures. The union maintained that the security company had failed to deliver the video evidence in a secure manner, without proper documentation of the approval process. They argued the video evidence be inadmissible, as policy permitted video surveillance, only to enhance safety, protect property or identify intruders, and not to collect dismissal evidence. Furthermore, they contended such covert video surveillance should only be used as a last resort, which this was not. Privacy rights were taken into account when assessing the admissibility of the video footage, however, Arbitrator Knopf accepted the evidence in light of the management’s right to provide a safe workplace. She decided this was a last resort situation, and the former employee had a low expectation of privacy since he allegedly performed illegal drug use and trafficking in a public space, while at work, and wearing a work uniform. She said that the Board had a reasonable basis to carry out the surveillance, amid credible allegations of illegal behaviour on school grounds. [Source] See also: [Ireland CCTV images of illegal dumpers raise privacy concerns: Data Protection Commissioner contacts Dublin City Council over litter poster]

CA – Tribunal Denies Request by Employer to Submit Surreptitiously Obtained Evidence from Employee’s Social Networking Account

A Quebec labour tribunal considered an appeal of an earlier decision, including a request to consider evidence from an employee’s social networking site. The employer obtained the social networking profile content through the deceptive actions of an unknown third party, and it is not the first occasion on which the employer has done so; the employer has not demonstrated sufficient grounds to justify such an invasion of privacy (i.e. a serious purpose that would appropriately allow the employer to discover dishonest content of the employee’s Facebook page, without the employee’s knowledge). [Maison St-Patrice Inc. v. Julie Cusson – 2016 QCTAT 482 – Administrative Labour Tribunal]

CA – Best Practices: OPC Guidance on Handling Employee “Snooping”

The OPC guides entities on addressing inappropriate employee access to personal information. Organizations must set clear expectations with their employees (through clear communication concerning snooping, its harm and consequences), monitor for unauthorised access to records (audit access logs), and be prepared to respond appropriately when snooping is discovered (conduct of investigation, mitigate harm to affected individuals, and include disciplinary action). [OPC Canada – Ten Tips for Addressing Employee Snooping]

AU – New Legislation Allows Companies to Surveil Suspicious Employees

New Australian legislation allows employers to watch their employees outside of the workplace if there’s suspicion of unlawful activity tied to their job. The law covers 160,000 Canberra workers, UnionsACT Chief Alex White said. “If someone has done the wrong thing, if they are breaking the law or engaging in criminal activity, the appropriate agency to investigate that is the police, it’s not the employer or insurance company,” said White. Justice Minister Shane Rattenbury said strict safeguards are enacted to ensure workers have a right to privacy. “There are important safeguards there with the requirement for a magistrate to permit any sort of surveillance that is undertaken,” said Rattenbury. “We also worked very closely with the Human Rights Commission to make sure that these rights, these new powers, were compliant.” [Full Story]

+++

Follow

Get every new post delivered to your Inbox.