The FBI has said its new facial-recognition software, dubbed the Next Generation Identification System, does not utilize photographs from social media sites but only “official images like driver’s license photos or mugshots.” The software, which uses biometrics like DNA and fingerprints, has met with criticism, but the agency merely aims to “narrow (suspects) down from essentially a pool of everybody to a smaller, maybe in single digits or a few more than 10, that gives the investigator a place to start,” said FBI Special Agent Patrick Dugan. [CBS Baltimore]
A new project by MasterCard is testing various biometric identifiers—including fingerprints and facial recognition—for authorizing financial transactions. Users would download the MasterCard app, look into their phone screens and blink once to authorize transactions. “The new generation, which is into selfies … I think they’ll find it cool. They’ll embrace it,” said MasterCard’s Ajay Bhalla, noting data would be securely transmitted to company servers. “From a privacy perspective, it’s awful—from a business perspective, I don’t understand why’d they accept that risk,” said Dragos Security’s Robert M. Lee. Nok Nok Labs’ Phillip Dunkelberger downplayed the concerns. “They’re storing an algorithm, not a picture of you. And I’m sure they’re doing all the appropriate stuff to guard it.” [CNN] Bhalla explained how it works in this video. [Information Week] See also: [How Mark Zuckerberg’s vision for telepathic communication could work]
Churches are joining the widening group of entities using facial-recognition software to track people. In four months, approximately 30 churches around the world have started using a facial-recognition software called Churchix, according to Moshe Greenshpan, the CEO of Face-Six, which sells the technology. Churchix uses CCTV footage or photos to match churchgoers against a database of high-resolution pictures collected by a church. It can be used to monitor attendance, alert church officials if members stop coming to services or screen for people banned from the church, the report states. [RT]
Following President Barack Obama’s request that the Department of Health and Human Services look at how to best protect individual privacy while capitalizing on big data, the Health IT Policy Committee’s Privacy and Security Workgroup has come up with preliminary recommendations. The group’s co-chair, Stanley Crosley, presented the recommendations last week. “Patients should not be surprised or harmed by collections, uses or disclosures of their information,” Crosley said. “Nowhere is this more difficult than with big data.” The work group found that while some U.S. laws prohibit discriminatory uses of big data, some uses are actually expressly permitted. [HealthData Management] See also: [When your scale and fridge conspire to make you lose weight, the Internet of Things will have gone too far]
The 2016 election will be employing data mining in an unprecedented manner. Utilizing data from email-forwarding and social media, “these new methods are like switching from a hand-held Dustbuster to an industrial-strength Shop-Vac to suck that data up, and from a 1984 Macintosh to a 2015 MacPro to crunch it. So it has the potential to make the hair stand up on the napes of privacy-rights activists—and perhaps a lot of average voters,” the report continues. “There’s probably a fine line to walk: If you push it too far, it does look a little like the things that bother people most about the digital world: surveillance and invasion of privacy,” said Grinnell College’s Barbara Trish. [TNS]
The RCMP has quietly stopped releasing the names of people who die in car crashes and other tragic accidents across Canada. The police force says it is following the Privacy Act. However, the RCMP will not disclose why it has started enforcing the policy now. In a written statement, an RCMP spokeswoman said there are exemptions under which personal information may be disclosed, including when:
- The information is already publicly available (Section 69(2)).
- Disclosure is necessary to further an investigation (Section 8(2)).
- When in the opinion of the head of the institution, public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure, or disclosure would clearly benefit the individual to whom the information relates (Section 8(2)(m)).
David Fraser, privacy lawyer at McInnes Cooper, said: “There certainly haven’t been any legislative changes that have happened to our privacy laws that would cause this, nor have there been any significant findings from the privacy commissioner or any high-profile circumstances that I can think of that might have brought about this change in policy.” Fraser also doesn’t buy the sudden affection for the law. “Not disclosing the information very likely makes their jobs easier, and not having to ask the next of kin or the family to disclose whether they can disclose this information, it’s one less thing that they have to do. “It’s always easier — we see this across government — to just point to the privacy legislation as a reason to not do something … to not provide information to the media.” [CBC]
A secret deal between Canada’s spies and border guards proposed more information sharing and joint operations without the need for political sign-off. A 2014 deal between the Canadian Security Intelligence Service (CSIS) and the Canada Border Services Agency (CBSA) proposed the two agencies be allowed to share information and resources without the prior approval of their political masters. “The Framework (Memorandum of Understanding) will also authorize (CSIS) to enter into more specific arrangements with CBSA, as required, without the necessity to seek your approval each time,” wrote CSIS director Michel Coulombe in a memo explaining the deal to Public Safety Minister Steven Blaney. Blaney’s office won’t say whether or not the deal has been approved. [The Star]
A left-leaning advocacy organization and a national student group will be in Ontario Superior Court hoping to relax voter identification rules for the looming federal election. The court factum prepared by the Council of Canadians and the Canadian Federation of Students argues that tens of thousands or more of eligible voters will be denied a ballot this October due to changes enacted last year by the Conservative government. The groups want the court to issue an interim injunction allowing Elections Canada to recognize as valid ID the voter identification cards that are mailed to everyone on the voters’ list. Some 400,000 Canadians used the voter identification cards in the 2011 election as part of a pilot project that Elections Canada wanted to expand to the whole country. Instead, the Harper government — citing fear of voter fraud — passed a new law that increases the ID requirements of would-be electors while ruling out the use of the Elections Canada mail-outs that tell people where to vote. Critics of the changes, including past and present chief electoral officers from across the country, say the strict ID rules will primarily impact the young, the elderly in care, students who move often, the homeless and natives on reserves — groups that might be less inclined to vote for the governing Conservatives. The court factum states that in some elections, as many as 95% of electors used a driver’s licence to vote. For the estimated 14% of Canadians over age 18 who don’t have a driver’s licence, photo ID that includes a name and home address is almost non-existent. Until 2007, Canadians who were on the list of electors were not required to show ID at the polls, but could simply state their name and address to be provided with a ballot. The Harper government brought in voter ID rules in 2007, then toughened them further with the 2014 Fair Elections Act. It also ended the practice of vouching, in which a voter with ID could attest for the identity and local residence of another elector. A study by former B.C. chief electoral officer Harry Neufeld found that about 120,000 people voted in 2011 after being vouched for, in addition to the 400,000 Canadians who used their voter identification cards as a piece of ID. Neufeld found no evidence of voter fraud. [The Huffington Post]
The Bill increasing powers of spy agency and federal law enforcement has met with accusations it is too broad and infringes on rights to privacy and free speech. Opponents claim the bill is overly broad, lacks sufficient oversight for national security and law enforcement agencies and infringes on a series of rights, including the right to privacy and the right to freedom of speech. [The Guardian]
Last week, a senate report on terrorism suggested the government help train and certify Canadian imams. Imagine the same call aimed at priests or rabbis. [Source] Canada’s anti-terrorism laws and taxes – what’s the connection? The increased sharing of confidential taxpayer information is consistent with a trend that continues to develop. For example, the Canadian and U.S. governments entered into an agreement to implement FATCA which requires Canadian financial institutions, under specified circumstances to provide account information to CRA and requires CRA, under specified circumstances, to in turn provide the information to the IRS. Similarly, in June of this year the Minister of National Revenue issued a news release announcing that she signed an international Multilateral Competent Authority Agreement which is described as “an important step towards implementing the Common Reporting Standard for the automatic exchange of financial account information with other tax jurisdictions.” According to the announcement, the Agreement is part of the government’s commitment to addressing international tax evasion and improving tax compliance. [Source]
Even though Snowden’s leaked secret documents sparked some changes to surveillance laws and caused outrage around the world, David Lyon (director of the Surveillance Studies Centre at Queen’s University) says the general public still isn’t angry enough because they have bought into the idea that governments need mass surveillance to keep us safe, and because they are so comfortable with the computers we rely on and the cameras that surround us. [Source]
CA – RTBF: BC Supreme Court Denies Injunction to Compel a Search Engine to Remove Search Results Worldwide
Although the Court found that Mr. Niemela may be able to establish that the words were defamatory, he would be unable to satisfy the second and third parts of the test. On the basis of the evidence presented, the Court found that Mr. Niemela had not established that he would suffer irreparable harm. First, the Court considered evidence from Google that 90% of searches for Mr. Niemela on its platforms originated from google.ca. The Court noted, that many of the searches, both on google.ca and google.com, likely originated from Mr. Niemela himself. Second, the Court found that there were other possible explanations for the decline in Mr. Niemela’s law practice: namely, a prominently displayed disciplinary history with the Law Society. Lastly, the Court was reluctant to make the Order as it could not be complied with. Legislation in the United States prevents Google from complying “with an order compelling it to block defamatory search results” due to the possible infringement on the right to free speech. [Source]
The Federal Court of Appeal has ordered the expansion of a class-action lawsuit brought by thousands of students after the government lost their personal loan data.And the lawyer representing the students says that decision could have far-reaching implications for other similar cases. The appeal court this week overturned a prior decision limiting the avenues the students had to pursue their case, on the grounds that they had failed to prove they actually suffered certain kinds of damage when the data was lost. A portable hard drive with information on 583,000 Canada Student Loans Program borrowers from 2000 to 2006 went missing in 2013 and has still not been found. But the appeal court overturned the decision, saying that in negligence and breach of confidence matters the specific details of damages don’t need to be proven before a class action can go ahead. Lawyer Ted Charney called the decision pioneering because for the first time the court has laid down legal markers for certifying class-action lawsuits around privacy breaches. The students are also suing for breach of contract and warranty, and the tort of intrusion upon seclusion — basically, invasion of privacy. The lost files include student names, social insurance numbers, dates of birth, contact information and loan balances, as well as the personal contact information of 250 department employees. Among the cases that could be impacted is a lawsuit being brought by users of a medical marijuana program who had their identifies exposed in a government mailing. [The Canadian Press via Toronto Star]
In a filing with the Office of the Commissioner of Lobbying of Canada, Zurich Insurance indicated the subjects of its lobbying activity are Bill S-4 (the Digital Privacy Act), Bill C-59 (which implements some provisions of the budget tabled April 21) and Bill C-51 (the Anti-Terrorism Act), with respect to “identifying concerns for information breaches and mitigating such risks.” [Source] The requirements of complying with the Digital Privacy Act involves the challenge of keeping and maintaining “a record of every breach of security safeguards involving personal information under its control” as require by the law. [Viewpoint: Canada’s Digital Privacy Act Receives Royal Assent, but Breach Notification Provisions Lag Behind] [Knowing The Unknowable: The Challenge of Complying with the Digital Privacy Act] See also: [The Digital Privacy Act – part 1: the calm before the storm]
Residents of condominiums have a reasonable expectation of privacy in the common areas of their buildings, Ontario’s top court has ruled. In upholding the acquittal of an accused drug trafficker, the Court of Appeal said police had breached his rights by snooping around the stairways, hallways and storage rooms of his 10-unit building without a warrant. “Some limits on police activity are necessary if privacy is to be protected,” the court stated. “The home is entitled to the greatest degree of protection from unreasonable search, and in my view, the police conduct in this case had a serious impact on the respondent’s privacy rights.” In challenging the acquittal, the Crown argued White had no reasonable expectation of privacy in the common areas of his multi-unit building, saying it would be perverse to make such areas a “zone of protection for criminal activity” that would undermine their safety and quality of residents’ lives. The Appeal Court disagreed. “There is nothing ‘perverse’ about providing a measure of privacy protection to the many Canadians who live in multi-unit dwellings,” the Appeal Court said. [GlobalNews] [The Canadian Press]
Government staff in Alberta can start shredding documents again following a review into allegations that documents were improperly destroyed after the 44-year-old PC government was swept from office on May 5th. A memo was sent to government departments clearing the way for the resumption of shredding. The ban remains in place for the environment department however. Two months ago all departments were ordered to stop shredding until the new government could assume office. At that time Alberta’s Information and Privacy Commissioner and the province’s Public Interest Commissioner announced they were launching a joint investigation after receiving complaints that documents were improperly destroyed by the province’s department of Environment and Sustainable Resource Development. [CBC News]
Operators at the city-run hotline are used to fielding complaints about garbage pickup or potholes. Now they’re being trained to respond to distress calls from people considering suicide, which are up in the past six months. Gary Yorke, director of 311, attributes the influx to concerns about confidentiality. “In the last few months there has been a dramatic increase of those calls,” says Yorke. “When you call 911, you’re forced to make an official record of (the call) and the police are dispatched. So some people don’t necessarily want that articulated.” [Source]
A new set of guidelines released by the province’s information and privacy commissioner has Ed Ring wondering just how much video surveillance is considered too much. Ring said the guidelines apply to public bodies and spaces only, but he says the basic questions are universal. He said that even though more surveillance cameras are being installed at public buildings and in public spaces, there have been no complaints — and that worries him.. [CBC News]
A MasterCard survey indicates that for 62% of Millennials, the thought of having personal information compromised is more egregious than the thought of naked photos being “leaked online.” “Today’s digital lifestyle means consumer concerns regarding safety and security have moved online,” said Robert Siciliano, an identity theft expert. “Information is the currency of the Millennial generation. It is far more important to them, in many cases, than most physical possessions or an image—even an embarrassing one,” the report continues. However, the same survey found that while information-security concern was high in this age group, 53% of Millennials fail to regularly update their passwords. [Reuters] [The Daily Beast: Are Surveys Asking the Wrong Questions?] SEE ALSO: [Opinion: A New Model for Consent]
Social networking side Ello has released a “Bill of Rights” with 10 articles to “serve as guiding principles for Ello” that the company believes “should extend to other companies.” “These rights would give users the ability to turn off data tracking … allow users to retain full control and ownership of posted content … the option to use a pseudonym and limit what personal information is required … and access to terms and conditions written in simple language,” the report states. “We believe these are the basic rights of every social media user in the world, on every social network,” Ello CEO Paul Budnitz said. [International Business Times] [How to see everyone who’s unfriended you on Facebook (and everywhere else, welp]
A new report from the Direct Marketing Association (DMA) found brands need to be much clearer with consumers about how and why they collect data if they are to gain consumers’ trust. The report found trust was the most important factor for consumers deciding whether to share their personal information with a brand. Forty% of respondents said trust outweighed freebies, discounts or tailored offers. While to date brands have been relying on consumers’ tacit understanding of the benefits and drawbacks of handing over their information, the DMA report said this lack of total transparency is unsustainable. “Without trust, brands will not grow,” said DMA CEO Chris Combemale. [Marketing Magazine]
Privacy campaigners have secured significant concessions in a key report into surveillance by the British security agencies published last week. The 132-page report, A Democratic Licence To Operate, which former deputy prime minister said Nick Clegg commissioned last year in the wake of revelations by the US whistleblower Edward Snowden, acknowledges the importance of privacy concerns. The report affirms privacy as a human right and says that there are “inadequacies in both law and oversight that have helped create a credibility gap that has undermined public confidence”. The report proposes that the intelligence services retain the power to collect bulk communications data on the private lives of British citizens, but it also now concedes that privacy must be a consideration throughout the process. The report, written for the Royal United Services Institute (RUSI) by a panel that includes three former heads of UK intelligence agencies, also calls for an overhaul of existing legislation. Despite its concessions to the privacy lobby, the report overall is more favourable to the police and intelligence services than to the campaigners. Key points in the report include:
- Its claim that the UK intelligence agencies are not knowingly acting illegally, though it leaves open past behaviour.
- Its proposal that the security services retain the power to collect bulk communications data, one of the key concerns raised by Snowden.
- Its acknowledgment that privacy concerns should be integral to considerations at the start of bulk data collection rather than left towards the end of the process.
Its proposal that judges rather than ministers take responsibility for authorising warrants related to criminal issues but that, subject to judicial review, ministers retain responsibility for warrants related to national security – something the intelligence agencies wanted. The report concludes: “Despite the disclosures made by Edward Snowden, we have seen no evidence that the British government knowingly acts illegally in intercepting private communications, or that the ability to collect data in bulk is used by the government to provide it with a perpetual window into the private lives of British citizens. “On the other hand, we have seen evidence that the present legal framework authorising the interception of communications is unclear, has not kept pace with developments in communications technology and does not serve either the government or members of the public satisfactorily. A new, comprehensive and clearer legal framework is required.” Clegg, who will be at the RUSI on Tuesday for the formal launch of the report, said: “We are now seeing an emerging consensus in favour of a new settlement, with clearer rules and stronger safeguards. I hope that this report, together with the recent report by David Anderson QC, can provide the basis for a stable new system that protects our security while doing much more to preserve the privacy of ordinary citizens online.” [Theguardian.com]
Although there are currently attempts underway in Congress, overwhelmingly supported by a broad bipartisan consensus, to amend ECPA by pushing for uniform search warrant requirements for all email communications, the Securities and Exchange Commission (SEC) has called for an agency-specific exemption that would allow them to be excused from meeting the burden of acquiring a warrant. Instead, as it outlined in a letter to the Senate Judiciary Committee, the SEC has argued that any reforms to ECPA should permit civil agencies to obtain this digital content, sans any warrant, from the third party service providers that host individuals’ email and social media accounts. This request is troubling, especially in light of the impending reform amendments meant to scale back ECPA’s powers. [Source] See also: R Street looks at the history of the Email Privacy Act, which aims to update the U.S. Electronic Communication Privacy Act of 1986. “It is possible email privacy is next on the ‘to-do list.’ There has been chatter on the Hill that the legislation could receive committee and House floor action in July,” the report states, and [CA – Porter Airlines Agrees To Pay $150,000 for Alleged Violations of CASL]
In some of the latest discussions in the long-running debate about the role default encryption plays in consumer products and the obstacles it presents to law enforcement, federal officials told the Senate Judiciary Committee they’d like Silicon Valley to come up with a solution to the so-called “going dark” issues around encrypted technology. [Privacy Tech] What Yates really meant was that she wants companies to stop providing end-to-end encryption, or find ways to circumvent it. Comey and Yates insisted that there must be some new technology that Silicon Valley could develop that would give them the access they want without risking strong encryption. But privacy and cryptology experts have insisted for years that this would be impossible without compromising overall security and opening holes for criminals to exploit. [FirstLook]
An elite group of code makers and code breakers says in a new paper there is no viable technical solution that would allow American and British governments to gain “exceptional access” to encrypted communications without putting the world’s most confidential data and critical infrastructure in danger. The 13 cryptographers, computer scientists and security specialists released the report a day before FBI Director James Comey Jr. and Sally Quillian Yates of the Justice Department are scheduled to testify before the Senate Judiciary Committee on concerns that new encryption technologies will prevent government agencies from monitoring criminals’ communications. [The New York Times] [FBI Director Says Scientists Are Wrong, Pitches Imaginary Solution to Encryption Dilemma]
The Washington Post began encrypting parts of its website this week, aiming to make it more difficult for hackers, government agencies and others to track readers’ habits, the publication reported on its blog. The added security will immediately apply to the Post’s homepage, stories on its national security page and technology policy blog. The rest of the site will be encrypted over coming months, the report states. “The biggest gain is letting users feel secure,” said Post CIO Shailesh Prakash. The ACLU’s Christopher Soghoian said, “The articles you read paint a picture of your life” and can reveal personal details including sexuality and political interests. [WashPost] [The Washington Post becomes first major news publisher to secure website]
Two Bitcoin entrepreneurs and the MIT Media Lab have revealed a prototype for a system called Enigma, which allows data to be encrypted in a way that it “can be shared with a third party and used in computations without it ever being decrypted.” Enigma would allow untrusted computers to “accurately run computations on sensitive data without putting the data at risk of hacker breaches or surveillance,” the report states. “The actual data is never revealed, neither to the outside nor to the computers running the computations inside,” said MIT Media Lab’s Guy Zyskind, one of Enigma’s co-creators. [Wired]
11 out of 14 virtual private network (VPN) providers are exposing personal information through a vulnerability linked to IPv6, according to a study by the UK’s Queen Mary University in London. Since the Snowden revelations, VPN providers have seen an increase in users, the report states, with those users often seeking to avoid mass surveillance or to circumvent censorship. “There are a variety of reasons why someone might want to hide their identity online, and it’s worrying that they might be vulnerable despite using a service that is specifically designed to protect them,” said Gareth Tyson, co-author of the study. [v3.co.uk]
As the EU moves to implement its airline passenger name record system, critics are concerned about its privacy implications. A European Parliament media release indicates the data is only from flights in and out of the EU and kept “only for the purposes of prevention, detection, investigation and prosecution of terrorist offences and certain types of serious transnational crime.” Parliament’s Civil Liberties, Justice and Home Affairs Committee “quickly dealt with almost 900 amendments … before agreeing to enter negotiations on a final text with the European Commission and the Council of the EU,” the report states. “The Commission has still not produced evidence for the necessity and proportionality of an EU PNR scheme,” said MEP Jan-Philipp Albrecht. [IDG News Service]
Negotiators involved in the second round of trilogue negotiations to hammer out a finalized General Data Protection Regulation said progress was made. According to the report, a tentative agreement was reached on Chapter 5 and Article 3—sections that focus on territorial scope and international data transfers, respectively. Exceptions for national security proved to be a sticking point for negotiators this week, but “an avenue is clear for agreement,” sources said. The next trilogue meeting is scheduled for September 1 and may not find as much consensus, the report states. [The Register] [Unraveling the Mysteries of the Trilogues]
Activist Max Schrems’ suit alleging that Facebook’s “terms of service and data collection policies violate EU law and their consumer rights” was dismissed by Vienna District Court, which cited lack of jurisdiction and a blurring of personal and professional use of the service. “It is clear that the complainant is using the enormous media interest in his case against Facebook … for the sales of his book and his career, even if it was credible that this is a social-societal concern for the complainant,” said Judge Margot Slunsky-Jost Schrems said he “will go to a higher court … The court is simply passing the hot potato on.” [The Irish Times] [Wall Street Journal]
British Prime Minister David Cameron will officially move forward with anti-terror surveillance legislation, once dubbed the “Snooper’s Charter.” “The question we must ask ourselves is whether … we are content to leave a safe space … for terrorists to communicate with each other,” Cameron said. “My answer is no, we should not be,” he continued. Tech company In.die has pledged to take its business elsewhere. “We’re not going to stay in a country where we might be forced to backdoor our products—and possibly not even be allowed to tell anyone about it,” the company said in a statement. [Politico]
Privacy advocate Caspar Bowden has died, according to German site Netzpolitik.org. Bowden was well-known in the privacy community as an outspoken activist, concerned about mass government surveillance, even before the Snowden revelations broke. Bowden worked as Microsoft’s chief privacy advisor from 2002 to 2011. Fellow privacy advocate Justin Brookman said “Caspar was a dedicated and brilliant advocate and a deeply caring person. He knew as much about intelligence law as anyone I’ve ever met … He was one of the first to fully recognize just how the rise in cloud processing empowers state surveillance. He spent his life trying to protect individual liberty, and I will miss him.” [The Privacy Advisor] SEE ALSO: [Hustinx Awarded Honorary Degree from University of Edinburgh]
Europe’s emerging country-by-country attitudes toward privacy regulation as opposed to the “one-stop shop” approach has Facebook frustrated. “A number of authorities in Europe are using that judgment to challenge the status quo that’s existed for many years,” said Stephen Deadman, global deputy chief privacy officer at Facebook. “We think they’re wrong. We think the model we have is right.” Deadman expressed support for a pan-European “super data regulator” for privacy. “There should be order within Europe and a single regulator that regulates you, not multiple regulators all trying to regulate everything in their own different ways,” Deadman said. The Belgian data protection commission recently sued Facebook over what it sees as a disregard for Belgian citizens’ private lives in terms of the social network’s tracking of users for advertising. Deadman said: “[Facebook] don’t agree that the Irish data protection authority isn’t doing its job. The academic report, which forms the foundation of [the Belgian privacy commission lawsuit], was not conducted by reviewing our practices, there was no interface with us, it was purely done without engagement with us or trying to find out the facts from Facebook.” [The Guardian] See also: [Hong Kong privacy watchdog’s order to remove names from website would create an ‘Orwellian memory hole’, says market analyst]
The BBC’s displeasure with the right to be forgotten and its subsequent republishing of 182 of its Google-delisted links “needs to be viewed with considerable caution,” indicating that Google had already found the links to be conduits to “personal information that is inaccurate, irrelevant or out of date and holds no public interest,” and that the site “misleadingly” promoted the links. “It was a deliberate journalistic choice that causes public shame and has not meaningfully contributed in any way to better policy making,” the report states, continuing, “It looks petulant, not constructive. And in some cases, it deceptively withholds crucial details … without also identifying that the original story has been modified simultaneously to remove the complainant’s name. So much for transparency.” [The Guardian]
- European Data Protection Supervisor Giovanni Buttarelli has said EU governments should “focus on implementing laws that take into account privacy rights as well as the indisputable need to fight terrorism,”
- Isabelle Falque-Pierrotin of the Article 29 Working Party and French Data Protection Authority the CNIL spoke with Wired recently about issues including the CNIL’s case against Google.
- Under new digital health laws passed by Germany’s Bundestag, doctors “will have access to emergency patient data via electronic health cards in the event of an emergency from 2018 if patients request storage of their emergency patient data on the card.”
- Hessian Privacy Commissioner Eva Kühne-Hörmann has criticized Germany’s “draft law on the introduction of data fencing as a criminal offence for being too soft.”
- In The Netherlands, the government has said the requirement “to report data leaks and expanded powers of Dutch privacy regulator will go into effect from 1 January 2016.”
- A public consultation has been launched to update the Intelligence and Security Act of 2002 in The Netherlands,, calling for “mandatory cooperation” to be “required from everyone providing any online services to customers in The Netherlands.
- The New York Times: Irish Regulator Says Country Will Stay at Center of Online Privacy Debates
- UK: Information Commissioner’s Office to investigate Daily Mail allegations of privacy breaches at four large charities and a fundraising agency
The Alliance of Automobile Manufacturers (AAM) has announced it is creating an information-sharing and analysis center, ISAC, as a hub for car companies developing smart cars to “swap cybersecurity data and keep each other abreast of the latest hacking threats targeting vehicles.” The AAM, which is made up of 12 manufacturers, hopes to “further enhance the industry’s ongoing efforts to safeguard vehicle electronic systems and networks,” said AAM Vice President of Safety Robert Strassburger. ISAC is expected to open later this year, with governmental protection to “facilitate cybersecurity information sharing,” Strassburger added. [Fortune]
David Jordan, head of editorial policy said “It’s impossible to have a meaningful debate if you’ve not got an idea about what’s being de-listed.” He said while it was up to individual media organisations to decide how best to be transparent with audiences over what has been removed, he felt the BBC had taken the lead “without being provocative”. He denied the suggestion that publishing the links was bringing more attention to those who had wanted to be forgotten. “It doesn’t make [the stories] more findable for anybody looking for a name,” he said. “What it does is give a sense of and a flavour of what kind of material is being delisted. That’s important.” [BBC]
“On the most fundamental level, FATCA deprives individuals of the right to the privacy of their financial affairs,” according to the complaint. “On a practical level, FATCA is severely impinging on the ability of U.S. citizens to live and work abroad.” …Those accords, which didn’t get congressional approval, are unconstitutional because they exceed the president’s authority, Paul claims. He asked a judge to strike down the Canadian, Czech, Israeli and Swiss agreements. [Bloomberg] [Rand Paul Suit Blasts Foreign Banking Rules]
Industry Canada has released new transparency reporting guidelines “to help private organizations be open with their customers, regarding the management and sharing of their personal information with government, while respecting the work of law enforcement, national security agencies, and regulatory authorities.” While the Privacy Commissioner of Canada lauded their release, the guidelines raise several significant concerns.
First, for rules purporting to enhance transparency, their development was surprisingly secretive. The Privacy Commissioner states that they were developed in consultation with the government and “industry stakeholders”, yet the public and privacy groups appear to have been excluded from the process. Given the importance of guidelines that are fundamentally about the rights of the public to know when their personal information is being disclosed, a secretive, exclusionary process badly taints the final result.
Second, the guidelines effectively create new limitations on the transparency where previously none existed. For example, TekSavvy’s transparency report provides specific aggregated number of disclosures (e.g. 52 requests for data on customer usage of devices in 2012 and 2013). The government guidelines prohibit specific disclosures where the number is less than 100, requiring companies to instead present a range of 0 – 100. The result is less transparency, not more. Moreover, the guidelines prohibit regional information (it must be Canada-wide) and their release must be delayed by at least six months from the time of the original request.
Third, the limits on transparency come without an appropriate regulatory or legal process. The government could have addressed the issue of transparency reporting within the Digital Privacy Act, which recently received royal assent. Indeed, the issue was repeatedly discussed during committee hearings. Yet by adopting a closed-door, non-transparent approach, the government has pushed new limitations on Internet and telecom companies without the opportunity for public comment or debate.
Fourth, disclosure under the guidelines is not mandated as the government has been careful to note that disclosure is merely an option. However, the law requires organizations to be open about their privacy practices, which arguably would include transparency reporting on personal information requests and disclosures. Further, individuals are entitled to demand that companies provide access to their information file, including details on how their personal information is used and whether it has been disclosed. By emphasizing the voluntary nature of the guidelines and declining to establish a clear legal requirement, the government may have actually weakened corporate transparency obligations. [Source]
The Department of Homeland Security (DHS) released its Freedom of Information Act (FOIA)-related mobile app to provide users with the ability to submit FOIA requests, check the status of requests and access resources. DHS said the app has reduced the FOIA complaint backlog by 20 percent. In its announcement of the app, DHS said it “is committed to transparency and accountability,” adding that the app aims to help modernize FOIA processes and improve the customer experience.” Privacy protections in the app make it more difficult to use. “On the one hand, in minimizing data collection from the app, the DHS Privacy Office is doing something laudable. On the other, it makes using it much more onerous,” the report states. [The Huffington Post]
After an information-sharing incident gone awry and a data breach, St. Elizabeth’s Medical Center faces a $218,400 settlement with the Department of Health and Human Services (DHHS) for failing to comply with the Health Insurance Portability and Accountability Act (HIPAA). “Organizations must pay particular attention to HIPAA’s requirements when using Internet-based document sharing applications,” said DHHS Office for Civil Rights Director Jocelyn Samuels, adding, “In order to reduce potential risks … all workforce members must follow all policies and procedures.” A hospital spokesperson said, “St. Elizabeth’s has taken steps to ensure this will not happen again.” [The Boston Globe]
ESPN’s Adam Schefter tweeted a photo of the New York Giants’ Jason Pierre-Paul’s medical records indicating he had a finger amputated after a July 4 accident, and critics of the move are calling it Health Insurance Portability and Accountability Act (HIPAA) violation. ESPN disagreed, tweeting in response, “HIPAA does not apply to news organizations.” The report states, “HIPAA originally was designed to provide workers access to health coverage when they change or lose jobs. But a key provision of the law defines policies designed to guard the privacy of patients.” [MarketWatch] [Modern age leaves little room for athletes’ privacy]
Nebraska Medicine’s mHealth technology research project is using Apple Watch and related apps to study “the impact of remote health monitoring of chronically ill patients.” The $10 million project uses an Apple Watch-based app that allows patients and physicians to communicate and access data like test results and appointment information. “We want to push the envelope, but we want to do it in a way that is very, very safe, so we haven’t turned on every feature and we haven’t enabled every device to communicate with our electronic medical record,” said Chief Transformation Officer Michael Ash. “We are looking at each area, each app and even each vendor to make sure they are meeting HIPAA requirements and that they are demonstrating the ability to securely transmit their information back and forth.” [FierceMobile Healthcare]
Three Toronto hospital workers face prosecution for snooping into former Toronto Mayor Rob Ford’s medical records at the Princess Margaret Cancer Centre. If convicted, it will be the first successful health privacy prosecution in Ontario’s history. Information and Privacy Commissioner Brian Beamish said he could not comment on the prosecution because it was now before the courts. [Source] SEE ALSO: [CA – IPC Blog: Disclosing Disciplinary Action]
In the biggest theft of U.S. government records in the nation’s history, the Office of Personnel Management (OPM) announced that the sensitive information of 21.5 million individuals was compromised in the second major hack of its IT systems this year. In the wake of the announcement, and after several calls for her resignation, OPM Director Katherine Archuleta resigned this week. Privacy Tech reports on the latest OPM announcement, Archuleta’s resignation, reaction from Capitol Hill and what the Obama administration is doing to help strengthen the country’s cyber-infrastructure. [Forbes] [ArsTechnica] [Source] [GovExec: Acting OPM Director Promises Better Breach Response] [Officials: OPM Has Yet To Notify 21.5 Million Affected By Breach] [NTEU Sues OPM Over Breach] [Union Files Class-Action Against OPM] SEE ALSO [Should Sony Have Seen It Coming?] [Brian Krebs: OPM Breach Timeline and Analysis] [Analysis: Why the OPM Breach Is So Bad]
St. Elizabeth’s Medical Center will pay $218,400 in a settlement with the federal government for failing to comply with rules to safeguard private patient information. The Brighton hospital, owned by Steward Health Care System, also must adopt a “robust corrective action plan” to comply with federal laws in the future, the US Department of Health and Human Services said in a statement. The settlement concerns violations of HIPAA. It comes after federal regulators investigated a 2012 complaint that employees at St. Elizabeth’s used an Internet-based document sharing program to store health information of at least 498 patients. In August 2014, St. Elizabeth’s also reported a data breach involving information about 595 patients on a former employee’s personal laptop and flash drive. [bostonglobe.com] See also [50 Cent must pay $5M to woman who sued over sex tape]
A Vietnamese man has been sentenced to 13 years in prison for his role in a breach involving 200 million personal records from Court Ventures, a subsidiary of credit-monitoring firm Experian. The Department of Justice said Hieu Minh Ngo, 25, was sentenced this week in the U.S. District Court of New Hampshire on charges including wire fraud and identity fraud. Ngo “tricked Court Ventures into giving him access to a personal records database by posing as a private investigator from Singapore,” the report states. Ngo was arrested in Guam in 2013 and had been selling personal information, including credit card numbers and Social Security numbers, since 2007. [IDG News Service]
Officials from the Army National Guard announced that current and former members’ private information might have been compromised in a breach that is unrelated to the Office of Personnel Management hack. “All current and former Army National Guard members since 2004 could be affected by this breach,” said National Guard Bureau Spokesman Maj. Earl Brown, noting files that contained personal information were “inadvertently transferred to a non-DoD-accredited data center by a contract employee.” He added the incident involved members’ names, Social Security numbers, dates of birth and home addresses. “After investigating the circumstances of these actions, and the information that was transferred, the Guard has determined, out of an abundance of caution, to inform current and past Guard personnel,” he noted. [Source]
A Florida hospital has announced it will investigate the possible leak of a National Football League player’s medical record after it was tweeted out by an ESPN anchor. The anchor tweeted out a photo of the New York Giants’ Jason Pierre-Paul’s medical record after he had a finger amputated following a fireworks accident. Some media outlets said the records were leaked by an employee at Miami-based Jackson Memorial Hospital. Hospital CEO Carlos Migoya said the hospital has initiated an “aggressive internal investigation” into the allegations. “We do not tolerate violations of this kind,” he said. [Modern Healthcare]
Harvard University says that the Faculty of Arts and Sciences and Central Information networks were breached and that system and email login credentials may have been compromised. The intrusion was discovered in mid-June, but the school chose to wait until mitigation work had begun before disclosing the incident. [SC Magazine] [The Register] [DarkReading]
A breach of the systems at Trump Hotel Properties has compromised payment card information. The breach was detected when a pattern of fraudulent transactions were traced to cards that had been used at the hotels. The attack may have begun in February 2015. The company has acknowledged the incident and says it is investigating. [Krebs] [BBC] [TheRegister]
Two US telecommunications companies will pay a combined US $3.5 million to resolve a Federal Communications Commission (FCC) investigation that found the companies stored customer data on servers that were unprotected and accessible from the Internet. The issue affects more than 300,000 customers of TerraCom and YourTel America. [ComputerWorld] [FCC.gov]
A criminal group has been systematically targeting large corporations — including four Canadian organizations — over the past three years to steal confidential information and intellectual property, warns Symantec. The security vendor said the group, which it has dubbed Butterfly, has hit 49 organizations in more than 20 countries including Twitter, Facebook, Apple, Microsoft and firms in the pharmaceutical, legal and oil and precious metals sectors. More details on the group are in this Symantec report. [IT World Canada] See also: [Walmart Canada Looks Into Possible Credit Card Data Breach] [Govt. Prosecutes Health Workers for Snooping Into Rob Ford’s Medical Records] [Small Canadian Gold Firm Suffers Computer Hack] [Hacking Team hacked: firm sold spying tools to repressive regimes, documents claim] [CBC News: Walmart Canada Shuts Online Photo Store After Possible Data Breach]
Two new surveys indicate consumer attraction to more sophisticated and innovative approaches to their online privacy beyond usernames and passwords. reports on Accenture’s Digital Trust in the IoT Era survey, which indicates “77% of digital consumers would be interested in alternatives to usernames and passwords,” while “60% of the 24,000 respondents across 24 countries believe usernames and passwords are cumbersome to use.” And the 2015 State of Consumer Privacy & Personalization, conducted by OnePoll and Gigya, found “consumers demanding increased privacy and personalization are now opening up to the idea of using more advanced authentication methods, like biometrics and payment providers like PayPal and Amazon.” [ZDNet]
In June, mobile identity company TeleSign commissioned a study on consumers’ concerns about online security and their exposure to breaches. It found that, amidst increasing breach reports, 80% of consumers are worried about their online security and 40% have experienced a security incident within the past year. It also found, however, that 73% of online accounts use duplicated passwords and more than half of consumers use five or fewer passwords across their entire online life. Given statistics like those, TeleSign has launched a campaign aimed at educating consumers on what it says is the future of mobile identity: two-factor authentication. [Source] [US – Is the SSN a De Facto National ID?]
An Online Alliance survey of 1,000 company sites indicates 46% “were found vulnerable to known online security threats,” finding a specific trend of weakness in Internet of Things sites. These results come on the heels of an additional SANS Institute report suggesting, “Financial services organizations are still being breached too often, most frequently by those with insider access,” with 46% of respondents citing “abuse or misuse by internal employees or contractors.” In South Africa, Check Point Software Technologies’ Security Report found, “Mobile devices are the weak link in a company’s security chain,” and Romania’s Business Review reports that privacy pros now believe there isn’t a “one-size fits all” approach to security. [ITProPortal]
A survey from The Learning Curve indicates that while 75% of parents feel technology has enriched education, 79% are uneasy about the security of the data said technology gathers. “The fear is that the multibillion-dollar education technology industry that seeks to individualize learning and reduce dropout rates could also pose a threat to privacy, as a rush to commercialize student data could leave children tagged for life with indicators based on their childhood performance,” the report continues. “Technology has tremendous potential to improve the lives of students and teachers. But none of it will come to pass if we don’t set higher standards for student data security,” said Clever CEO Tyler Bosmeny. [The Intercept]
Conventional identity schemes, such as those that issue official “identity cards”, utilise data from official government databases to provide proof of the identity of an individual, ideally with a very high level of assurance. These databases in turn rely on data from civil registration systems (births, marriages, deaths) perhaps cross referenced against other official records (voter lists, driver licenses, tax records etc.). Such large databases of identity data are at risk of being hacked, as are databases containing key biographical information that can be used for identity verification purposes such as data used when applying for US government jobs that require security clearance. Additionally, these databases can help enable a surveillance state. The GOV.UK Verify service approaches identity policy very differently, drawing on the technology specific capabilities. Rather than focusing on maintaining a gold standard of identity data, in a centralised database, providing a single digital identity it takes a risk-based perspective on the whole identity transaction drawing on a broad range of (public and private) identity-related data, assessing the quality of validation and verification processes of that data and processing the data in a way that minimises privacy risks, although not necessarily perfectly. A series of certified identity providers work with Verify to provide the verification services to enable access to government services. Verification with an identity provider is a one-time activity. Once an individual has a verified identity, they can use it to access any government service linked to Verify. During the verification process, each identity provider draws on its own set of data sources to determine whether it has confidence in the identity claims made by the individual. The data sources cover evidence categories related to being a Citizen, Money and Living and can come from both public and private sources. Whilst no single piece of evidence is considered as proof of identity, when combined with other pieces of evidence (particularly from different categories) they can be used to determine a level of assurance as to the identity of an individual. Once a certain level of assurance is reached, the identity is verified and the individual can, for example, file their tax returns. Some government services (e.g. tax credits) require a lower level of assurance than filing tax returns and the Verify service has recently completed a trial of the use of a basic identity account that provides this lower level of assurance. The Verify service emerged from the 2010 coalition government as a response to concerns about the surveillance state. It includes various privacy enhancing mechanisms including data minimisation. For example, the verification process does not require identity providers to store details of an individual’s passport. Instead, all they need to store is whether, at the time of verification, the individual’s passport was valid. To ensure that these privacy principles are being followed in the design and operation of Verify, the Cabinet Office Privacy and Consumer Advisory Group (PCAG) has published a series of Identity Assurance principles that guide the operation of the Verify service. These nine principles place the user at the centre of identity assurance activities (“I can exercise control over identity assurance activities affecting me and these can only take place if I consent or approve them”) and explicitly discuss data minimisation (“My interactions only use the minimum data necessary to meet my needs”) and the multiplicity of identity providers (“I can use and choose as many different identifiers or identity providers as I want to”) as well as explicitly considering consumer options for dispute resolution (“If I have a dispute, I can go to an independent Third Party for a resolution”). The Verify service is currently a beta service. [LSE (London School of Economics and Political Science)]
There is growing opposition from women’s rights and privacy advocacy groups to an Internet Corporation for Assigned Names and Numbers (ICANN) proposal aimed at combating online piracy. A coalition—including celebrities and academics—sent ICANN a letter protesting the proposal that would require website operators to reveal users’ personal information. The letter argues the move will “physically endanger many domain owners and disproportionately impact those who come from marginalized communities.” Breakthrough VP for Communications Lynn Harris, a signatory of the letter, said, “I don’t want my personal information out there,” adding, “(This is) kind of like being doxxed by ICANN. I know the intent is not malicious, but a lot of people are sadly forced to work hard to keep their personal information private.” [BuzzFeed News]
This year’s Privacy Law Scholars Conference featured some of the leading thinking in the field, and yet again the IAPP was proud to award $2,500 and a speaking role to those two papers voted as the best of the best. After a couple of years featuring co-written papers, this year we’ve awarded two single authors for work that on the one hand looks back at the history of the Social Security number and on the other offers a path toward a new and better form of consumer-protection regulation. [Full Story]
The World Wide Web Consortium (W3C) has released a “Last Call Working Draft” for a proposed do-not-track (DNT) compliance standard. The road travelled by DNT has been a long and at times contentious one, but W3C Tracking Protection Group Co-Chair Justin Brookman says “the technical mechanism will soon be certified for widespread implementation.” [Privacy Perspectives] The city of Oakland, CA, has moved to pass legislation that specifies how law enforcement purchases surveillance equipment]
The United Nation’s Human Rights Council (HRC) will announce its appointment for a special rapporteur on the right to privacy. President of the Human Rights Council Joachim Ruecker announced that the HRC’s Consultative Group ranked first Katrin Nyman-Metcalf of Estonia, though “concerns were raised as to whether she was the best qualified candidate for this specific position.” As such, Ruecker recommends for the job the Consultative Group’s second-rank pick, Joseph Cannataci of Malta, “who has long-standing experience in the field of human rights.” A total of 30 candidates applied, including former German Data Protection Commissioner Peter Schaar and Dutch DPA Chairman Jacob Kohnstamm. [Full Story]
Katrin Nyman-Metcalf was the candidate ranked first by a “consultative group” of five ambassadors – from Poland, Chile, Greece, Algeria and chaired by Saudi Arabia. But when it came to approving her appointment, Joachim Ruecker said he was over-ruling their choice and proposing the second-ranked candidate instead, Malta’s Joseph Cannataci. Nyman-Metcalf said …Ruecker had told her that civil society groups felt she was not “activist” enough. “It seemed in this criticism that he had received about me, these people who criticized me wanted somebody to wave a flag for (former U.S. security contractor Edward) Snowden,” she said.Nyman-Metcalf said she also found it bizarre that she had been criticized for saying there was no such thing as total privacy. [Reuters] [WW – Estonian blocked as UN’s first digital privacy investigator] [Slate: The U.N.’s New Digital Privacy Investigator Should Have Been Estonian]
The UAE was elected as the head of a new research committee for the Internet of Things (IoT) that was formed during a recent meeting of the International Telecommunication Union (ITU) in Geneva. The group focus is on implementing the Internet of Things to smart cities and communities in order to meet the needs of standardization of the IoT technologies. This will be achieved by creating a single platform combining engineers and experts from industry, telecom operators, ITU Member States and concerned organizations, to exchange visuals, examine the challenges and solutions while coming up with recommendations and unified global standards in this field. [TradeArabia News Service]
Social media sites such as Twitter and YouTube would be required to report videos and other content posted by suspected terrorists to federal authorities under legislation approved this past week by the Senate Intelligence Committee. The measure, contained in the 2016 intelligence authorization, which still has to be voted on by the full Senate, is an effort to help intelligence and law enforcement officials detect threats from the Islamic State and other terrorist groups. It would not require companies to monitor their sites if they do not already do so, said a committee aide, who requested anonymity because the bill has not yet been filed. The measure applies to “electronic communication service providers,” which includes e-mail services such as Google and Yahoo. Companies such as Twitter have recently stepped up efforts to remove terrorist content in response to growing concerns that they have not done enough to stem the propaganda. Twitter removed 10,000 accounts over a two-day period in April. The bill, passed in a closed session Wednesday, is modeled after a federal law — the 2008 Protect Our Children Act — that requires online firms to report images of child pornography and to provide information identifying who uploaded the images to the National Center for Missing and Exploited Children. The center then forwards the information to the FBI or appropriate law enforcement agency. Google, Facebook and Twitter declined to comment on the measure, but industry officials privately called it a bad idea. “Asking Internet companies to proactively monitor people’s posts and messages would be the same thing as asking your telephone company to monitor and log all your phone calls, text messages, all your Internet browsing, all the sites you visit,” said one official, who spoke on the condition of anonymity because the provision is not yet public. “Considering the vast majority of people on these sites are not doing anything wrong, this type of monitoring would be considered by many to be an invasion of privacy. It would also be technically difficult.” [The Washington Post]
Even without the ban on privacy for “commercial” websites, the proposal creates serious privacy problems for website owners. Accusations of copyright and trademark infringement are easy to make and easy to abuse, and the working group proposal doesn’t impose any consequences for false or abusive accusations. [EFF] [Google Hates ICANN’s Attempt to Eliminate Whois Privacy Calling it “Impractical & Ineffective] SEE also: [WW – Internet Runs out of New Addresses] and [Is IoT going to be squashed because of privacy concerns?] and [Internet of cars goes beyond self-driving vehicles]
An internal RCMP survey conducted months after the Supreme Court limited the police’s ability to access personal information without a warrant says the ruling has had no “significant negative effects” on operations. According to the documents, there is a general sentiment within the force that the court’s decision, known as Spencer, would cause investigative delays. But only 18% of Mounties responding to the survey said they had any difficulty obtaining a production order for sensitive information they previously got informally. “It appears that the biggest shift is that law enforcement is no longer able to rely on voluntary enforcement requests, and that the process of drafting and obtaining a production order or other judicial authorization is more time-consuming and rigorous,” reads the internal report, obtained by the Star under access to information law. The report also notes that while the number of warrantless requests has dropped sharply, there has been only a slight increase in production orders. The RCMP survey was conducted two months after the Spencer decision, and the report warns that the full impact will be known only in the coming years. The report recommends the RCMP begin to track data related to informal law enforcement requests for information, and how many production orders are sought by each division. Up to now, that data has not been tracked, which has led Privacy Commissioner Daniel Therrien’s office to conclude they could not investigate the RCMP’s use of warrantless requests. [Toronto Star]
Google introduced several new products around Bluetooth Low Energy beacons that include an open beacon format, tools and APIs for building services on top of beacons. Google also unveiled a new service for developers looking to manage and monitor large beacon deployments. The so-called cornerstone of the new set of products is called the Eddystone format. Released on Github, the new format provides developers with a “more robust and extensible way” for working with beacons, the report states, noting the releases from Google allow it to compete with Apple iBeacon technology. [TechCrunch]
Auto companies, increasingly collecting data about drivers through connected cars, are limiting the data they share via new systems that link smartphones to cars with technology partners Apple and Google. “We need to control access to that data,” said Don Butler, Ford’s executive director of connected vehicle and services, adding, “We need to protect our ability to create value” based on digital services built on vehicle data. GM told investors earlier this year it expects to see an additional $350 million in revenue over the next three years from the high-speed data connections it’s building into its cars. [Reuters]
The Russian parliament has approved a bill that will require online search engines to remove search results about specific individuals at their request, regardless if the person is a public figure or not. Though somewhat similar to the EU’s right-to-be-forgotten concept, the Russian version has no balancing test for the public’s right to information. Individuals may request that search engines remove search results if the data about them is “no longer relevant,” the report states. Russia’s largest search engine Yandex said last month that such a law would impede “people’s access to important and reliable information,” while Russian lawmaker Leonid Levin defended the bill, saying it “will create an efficient tool for clamping down on blackmail and Internet bullying.” [NDTV] [RU – ‘Right to Be Forgotten’ Exposes Russia to Risks] [In Russia, Parliament has given its approval to an Internet privacy bill] [Russia’s Parliament has approved a bill that will require online search engines to remove search results about specific individuals at their request, regardless if the person is a public figure or not]
A new draft law in China would give the government the authority to shut down Internet access during major “social security incidents.” The law would also require technology companies to ensure protection of user data. People would be required to register for services with their real names, and companies would be required to store user data within the country. [QZ.com] [Ars Technica] [The Register] [China Law Translate] [China Releases Draft of New Network Security Law: Implications for Data Privacy & Security] [China’s highest legislative body, the National People’s Congress, has released text of proposed national legislation that would bolster privacy protection, outlaw hacking activity and give authorities a mandate to control Internet access] [The Chinese government’s new National Security Law “calls for strengthened management over the web and tougher measures against online attacks, theft of secrets and the spread of illegal or harmful information”]
Internet trolls face up to two years’ jail in New Zealand under a controversial new law which bans “harmful digital communications”. And under a parallel amendment to New Zealand’s Crimes Act, a person who tells another to kill themselves faces up to three years in prison. The law will help mitigate the harm caused by cyber-bulling and give victims a quick and effective means of redress, supporters said. But critics said the law harms free speech and its fine print could threaten public interest journalism in the country. Under the Harmful Digital Communications Act in effect from this week, anyone convicted of “causing harm by posting digital communication” faces two years in prison and a $50,000 (NZ) (£6,500) fine, while businesses face fines of up to $200,000 (NZ). Harmful communications can include truthful as well as false information, and “intimate visual recordings” such as nude or seminude pictures or video shared without permission. The bill was introduced after a public outcry over the horrific “Roast Busters” scandal, in which a group of teenage boys from Auckland was accused of sexually assaulting drunk, under age girls and boasting about the acts on social media. [The Telegraph] [New Zealand’s Harmful Digital Communications Act makes some changes to the scope of the Privacy Act, including closing a “revenge porn loophole where complainants’ ex-partners could distribute intimate photographs or videos without breaching the Privacy Act”]
“Transparency reporting has the potential to increase public awareness of the information gathering activities of law enforcement and security agencies and encouraging companies that hold the information to be open with consumers about the limitations of confidentiality, and the ways in which they cooperate with agents of the state. This year we intend to trial asking companies to keep a standardised record of requests for information from law enforcement agencies and to report this information to us. We will then publish this information.” – Privacy Commissioner John Edwards [Source] SEE ALSO: [As unmanned aircraft popularity burgeons, concerned parties like the New Zealand Privacy Commission and even drone experts believe that regulations like those due to be released next month are necessary]
Chiang has taken to advocating the disastrous “right to be forgotten” law of the European Union in the typically me-too mentality of the Hong Kong bureaucrats – he was for a long time postmaster general after all. In that spirit, he has been harassing people and websites that provide a genuine public service. His office, for example, is now fighting corporate governance advocate David Webb at the Administrative Appeals Board after Webb refused an order to redact the names of people who appeared in reports on three court judgments handed down between 2000 and 2002. Webb has rightly argued that publishing judgments is a judicial function, so personal data that appear in judgments should be exempt from data protection principles. It’s Chiang’s job to “keep private data private”, Webb pointed out, but “not to make public data private” [Source]
The Privacy Commissioner’s appointment expires this week, while the Australian Information Commissioner formally resigns on July 31, leaving the OAIC potentially without any statutory officers. The government will need to find a solution to avoid FOI chaos. [Source] SEE ALSO: [AU – The New South Wales Parliament’s Law and Justice Committee “has begun a fresh inquiry into the long-debated need for legal measures that would let Australians sue over serious breaches of their privacy.]
- BM – Bermuda’s Personal Information Protection Act Draft Model was tabled Friday, and Minister of Economic Development E Grant Gibbons has called it “a milestone in the protection of the rights of the residents of Bermuda.”
- VN – Vietnam’s Minister of Information and Communications Nguyen Bac Son’s comments about the draft Law on Information Safety.
- BU – A year after the collapse of Bulgaria’s fourth largest bank, Parliament has abolished the country’s banking privacy laws.
The World Wide Web Consortium (W3C) has published a “Last Call Working Draft” for a proposed compliance standard that defines a set of practices for complying with users’ do-not-track (DNT) requests. While browsers currently have DNT functionality, “those headers don’t actually prevent anyone from tracking users,” the report continues. “Instead, the headers send a signal to publishers and ad networks—which are free to honor them or not.” The initiative, which has struggled to gain consensus since it began in 2011 , aims to ensure a common definition of DNT so that users can understand what an entity means when it claims adherence. “This eliminates the industry’s excuse of not knowing what the do-not-track signal means,” said Digital Content Next CEO Jason Kint. Comments on the draft are welcome to the W3C through October 7. [MediaPost]
Data gleaned from archived versions of Google’s transparency report revealed statistics related to right-to-be-forgotten takedown requests, potentially demonstrating that more than 95% of the takedown requests involved “everyday members of the public” and not criminals, politicians or other high-profile public figures. According to the report, more than 95% of the requests are related to private personal information and nearly half of those have been granted. Google said, “The data The Guardian found in our Transparency Report’s source code … was part of a test to figure out how we could best categorize requests. We discontinued that test in March because the data was not reliable enough for publication. We are however working on ways to improve our transparency reporting.” [The Guardian]
A consumer watchdog is filing a formal complaint with the FTC arguing that, by not providing Americans with the same right-to-be-forgotten measures existent in the EU, Google is exercising an unfair and deceptive trade practice. In the complaint, the group urges the FTC to “investigate and act.” Consumer Watchdog Privacy Project Director John Simpson said, “Google holds itself out as so concerned about users’ privacy, but denies fundamental privacy protection—that’s deceptive.” [The Washington Post]
Google says the proposal of the Internet Corporation for Assigned Names and Numbers (ICANN) aimed at combating online piracy by prohibiting commercial domain registrants from using proxy or privacy services is unfair to small businesses and individuals. Google says companies will still be able to use shell companies to hide ownership of domain names, but small businesses and individuals won’t be able to do the same. “Corporations, in particular, often use proxies or subsidiaries to provide local contacts … to provide privacy as in the case of law firms or ‘shell companies’ acting on behalf of their principals,” the company said in its comments, citing its own Charleston Road Registry. [The Domains]
World Wide Web founding father Tim Berners-Lee made comments regarding individuals’ rights to their digital data and the need for government transparency and researchable clinical data. “We may have a revolution where people are demanding their data back,” he said. “Consumers of the world need to make it very clear that they want control; they want access to their data, they want access to open government data.” He has also called for a bill of online rights that would be respected by both governments and businesses. Plus, he said, “Clinical data should be available to research by default,” adding, “It’s such a valuable thing; the medical community could do such valuable things with it.” [Bloomberg]
Adobe has rushed out a patch for its Flash Player to address a vulnerability that had been leaked and was being used in active attacks. Users should update to Flash version 22.214.171.124 for Windows and Mac; version 126.96.36.1991 for Linux; and version 188.8.131.522 for users on the extended support channel. The Flash plug in on Google Chrome and on Internet Explorer on Windows 8.x will be updated automatically. [ComputerWorld]
Facebook’s new chief security officer has said, via Twitter, that it’s time for Flash to go. Alex Stamos tweeted, “It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day.” Stamos became Facebook’s CSO in June after less than a year as CISO at Yahoo. Steve Jobs called for an end to Flash in 2010. [ZDNet] [CNET] [Second Flash Player zero-day exploit found in Hacking Team’s data]
Privacy activists have long complained that large social networks like YouTube, Twitter, Facebook and others use members’ private information without consent or transparency. But so far, there have been few alternatives. That’s something Bill Ottman is hoping to change. Ottman is the founder and CEO of a new social network called Minds.com, a social network that’s free, completely open-source coded, and fully encrypted. Still only a few weeks old, Minds has already received one high-profile vote of confidence from the privacy-centric hacker collective called Anonymous. [VOA] See also: [A Third of the World Is Using Social Media, But 90% Are Concerned About Privacy]
A security researcher has abruptly cancelled next month’s scheduled unveiling of a privacy device designed to mask Internet users’ physical locations. It’s a move that has both disappointed privacy advocates and aroused suspicions. Ben Caudill, a researcher with Rhino Security Labs, took the unusual step of saying he no longer plans to release the software or hardware schematics for his so-called ProxyHam box. He said the devices already created have been destroyed. Caudill has offered no explanation for the killing of the project, but he has reportedly ruled out both intellectual property disputes and Federal Communications Commission licensing concerns. That has left some people to speculate a secret government subpoena known as a National Security Letter is at play in the decision to kill the project. The ProxyHam device was able to mask the location of an Internet user by broadcasting on a 900MHz radio frequency so the owner could connect from up to 2.5 miles away from the source of the Internet connection. As a result, even if someone tracked down the location of an IP address, the user wouldn’t automatically be discovered. The box was billed as using open-source software and requiring less than $200 in hardware. It was scheduled to be the topic of a now-canceled talk at next month’s Defcon hacker conference in Las Vegas. Whatever the reason for the cancellation, it wouldn’t be hard for someone else with expertise in hardware to create a box that does exactly what Caudill described. So far, there’s no word of anyone offering to sit in for Caudill. [arstechnica.com] [CSO: The Implications of ProxyHam’s Sudden Disappearance]
Kenya Communications Authority’s Francis Wangusi has announced a new set of regulations to fight cybercrime. The new rules will require all users of devices with wireless networking capability to register their devices with the Kenya Network Information Centre, the report states. The registry will allow Kenyan authorities to “be able to trace people using national identity cards that were registered and their phone numbers keyed in during registration” if the devices are associated with criminal activity on the Internet, Wangusi said. In addition, all Kenyan businesses will be required to host their websites within Kenya. [Ars Technica] [Kenya to require users of public Wi-Fi to register with government]
The Chinese government’s newly minted National Security Law “calls for strengthened management over the web and tougher measures against online attacks, theft of secrets and the spread of illegal or harmful information.” “Externally speaking, the country must defend its sovereignty, as well as security and development interests, and … it must also maintain political security and social stability,” a spokeswoman said. “Companies worry that (the legislation) could undermine their ability to send encrypted emails or operate the kind of private corporate networks commonly used to secure communications,” the report states. Members of the Chinese public are worried that their right to speech may be further curtailed in the name of national security. China already has some of the most restrictive Internet controls. It blocks popular Web sites such as Twitter, Facebook, YouTube, Instagram and various Google services. Search results are severely filtered to scrub out information deemed offensive to the authorities, and online posts are routinely removed if they are considered to have potential to unsettle the public. [Source]
By enforcing the FTC act against trivial misstatements in privacy policies that nobody reads, the Commission has been able to put an increasingly large number of firms in the digital economy under 20-year orders. The orders often mandate intrusive monitoring and reporting. What’s more, the FTC can obtain substantial monetary penalties for order violations—just ask Google, which was hit with a $22.5 million fine for a misstatement on its FAQ page about how to disable cookies in Safari (which by all indications impacted nobody). [Source]
A “sharply divided” FCC has issued its Telephone Consumer Protection Act (TCPA) Declaratory Ruling and Order with “a range of new statutory and policy pronouncements that have broad implications for businesses of all types that call or text consumers for informational or telemarketing purposes,” Laura Phillips and Eduardo Guzman of Drinker Biddle & Reath write. Key areas of the ruling include scope and definition of auto-dialers; consent and revocation of consent; treatment of text messaging and Internet-to-phone messaging, and service provider offering of call-blocking technology, they write, noting the FCC “states that the new interpretations of the TCPA are effective upon the release date of the Declaratory Ruling. Requests may be lodged, however, to stay its enforcement pending review.” [TCPA Blog]
The Information Technology and Innovation Foundation (ITIF) is calling on Congress to ban revenge porn. The ITIF released a report entitled “Why and How Congress Should Outlaw Revenge Porn,” recommending Congress pass legislation like the bill Rep. Jackie Speier (D-CA) will release July 23 to ban photos of genitalia if a nonconsenting person is identifiable by face or name, as well as create a special FBI unit to provide immediate assistance to revenge porn victims and “direct the Department of Justice to work with the private sector on developing best practices for how online services can quickly remove nonconsensual pornography.” [The Hill] [NY Mag: Could Affirmative-Consent Model Stop Revenge Porn?]
The FCC Enforcement Bureau has announced a $3.5 million settlement with TerrCom, Inc., and YourTel American, Inc., to resolve an investigation into whether the companies failed to properly protect the confidentiality of personal information they received from more than 300,000 consumers. An investigation found the companies’ vendor stored consumers’ personal information on unprotected servers that were accessible over the Internet. “Consumers rightly expect that companies will take every reasonable precaution to protect their personal information,” said FCC Enforcement Bureau Chief Travis LeBlanc. In addition to the penalty, the companies will notify all consumers whose information was subject to unauthorized access and will provide complimentary credit monitoring services for all affected. [Full Story]
The attorneys general (AGs) from the 47 states that have data breach notification laws sent Congressional leaders a letter urging them to not preempt states’ rights in investigating breaches. The AGs write that “any additional protections afforded consumers by a federal law must not diminish the important role states already play protecting consumers from data breaches and identity theft.” Virginia AG William Sorrell said, “Given the almost constant stream of data security breaches, state attorneys general must be able to continue our robust enforcement of data breach laws,” adding, “A federal law is desirable but only if it maintains the strong consumer protection provisions in place in many states.” [The Hill]
A targeted message from Uber to its Brooklyn, NY, users urging them to challenge New York City travel legislation has drawn criticism from users and a consumer security expert who feel that the move was a breach of privacy. “It is not uncommon to email riders and driver-partners based on neighborhood,” Uber has responded. Gary Miliefsky, CEO of SnoopWall, disagrees. “They need to know where you are for your ride, not to know who to send political documents to,” Miliefsky said. “Can we at least be upfront and clearer with the privacy risk we are putting customers at?” [CNBC]
Following the news of breaches of the OPM’s networks that compromised security clearance data, the White House has ordered federal agencies to immediately adopt basic security practices. The required procedures include applying patches for critical flaws promptly; using anti-virus products and checking logs for attack indicators; deploying two-factor authentication; and strengthening controls for privileged users. [ComputerWorld] [The Register] [NextGov]
New York City-based CA Technologies has received approval of its binding corporate rules (BCRs) from UK Information Commissioner Christopher Graham. “Being one of the first technology companies to receive approval for our BCR is an incredible achievement and one that demonstrates that CA not only creates secure solutions but also implements the highest level of data privacy and protection as a matter of company policy,” said CA Technologies General Counsel Michael Bisignano. CA Technologies joins a growing list of companies choosing BCRs as a data-transfer mechanism. [Source]
“Computer scientists and legal experts from Trinity College Dublin and SFI’s ADAPT centre are working to marry two of cyberspace’s greatest desires” via “Privacy Paradigm,” an online privacy system that aims to both customize and protect data on popular sites and apps “so that users signing up would know exactly how private, or otherwise, their personal information would be.” “It’s a grand target we’re setting ourselves and the research is ongoing,” said Trinity Prof. Owen Conlan, “but the big-picture vision is to make the way online services use our personal—and often privacy-sensitive—information as transparent and easy to understand and manipulate as possible for ordinary users.” [Phys.org]
An Altimeter Group study Consumer Perceptions of Privacy in the Internet of Things discovered that while 40% of consumers still have little understanding” regarding cookies and 87% of consumers are unsure of what the Internet of Things is, exactly, they have a fundamental understanding of “the data implications of fitness trackers, connected cars or connected home appliances. And most don’t like it,” adding that consumers’ chief concern is having their data sold. Jessica Groopman, who conducted the research, said, “It’s clear that there’s a communication and consent gap today. It isn’t smart for companies to move forward ruthlessly and relentlessly. It should be a bit more of a joint effort where companies educate consumers and get their opt in.” [Fortune]
Although the US federal government has increased spending on cyber security over the past few years, the government’s systems continue to experience serious attacks, such as those lunched against networks at the Office of Personnel Management (OPM), the Internal Revenue Service (IRS), and the State Department. Some of the increase in cyber security events can be attributed to privacy violations, lost and stolen devices, and attempted break-ins, and better incident awareness and detection. A recent survey found that government agencies are having trouble keeping up with changing threats and that incident response times have not changed. Agencies are also hiring contractors who are not equipped to interpret the data generated by the security tools the agencies have in place. [CSMonitor]
The federal government could find many more cyber intrusions following the White House-initiated 30-day “cyber sprint.” Office of Management and Budget Chief Information Officer Tony Scott said, “I think it’s a realistic chance, and I think this is true no matter where you go … It’s not unique to the federal government.” The 30-day sprint is now completed, and, according to the report, Scott plans to publicly release which agencies have achieved the goals of getting up to speed on critical information-security protections. “Some will get there, and some won’t,” he said. “There’s probably no CIO in any federal agency now who wants to be the bottom of the list.” [Reuters] v[#AntiCanadaDay Attacks On Government Sites]
The National Telecommunications and Information Administration (NTIA) announced its first cybersecurity multi-stakeholder process will launch in September and focus on vulnerability research disclosure. The goal of the process will be to bring together security researchers, software vendors and “those interested in a more secure digital ecosystem to create common principles and best practices around the disclosure of and response to new security vulnerability information.” The multi-stakeholder process follows the Department of Commerce’s announcement in March of an initiative to address key cybersecurity issues facing the digital economy. [NTIA blog post]
A Healthcare Information and Management Systems Society survey indicates that 87% of healthcare professionals have used the last year to elevate the importance of cybersecurity, while an additional two-thirds of those surveyed have had a “significant security incident in the recent past.” “On average, the survey-takers’ organizations use 11 different technologies to try to secure their networks and data, in part because hackers, phishers and other scammers are getting more sophisticated,” the report states. Meanwhile, the healthcare profession doesn’t “have a system in place that is practical or financially viable at scale for securing medical devices, and innovation is essential.” [MedCity News]
Investigators have shut down what they call the world’s largest-known English-language malware forum, an online marketplace called Darkode where cybercriminals bought and sold hacked databases, malicious software and other products that could cripple or steal information from computer systems, the Justice Department announced Wednesday. 12 people linked to the site have been charged. [Associated Press]
Data breaches are resulting in more investment in cybersecurity companies. “Five years ago, it would have been a very hard sell,” said Max Krohn, cofounder of encryption start-up Keybase with Chris Coyne. “Probably, it would have been, ‘Sorry, no one cares about security, therefore this product doesn’t have much of a hope.’” Keybase, a new Dropbox-style file-sharing service that employs public-key encryption, has landed $10.8 million in funding from venture capital firm Andreessen Horowitz; UK big-data privacy start-up Privitar recently landed $1 million . Such investors “say they likely wouldn’t have invested in a company like Keybase even two years ago,” the report states, noting that in the first half of this year, “venture firms invested $1.2 billion in cybersecurity start-ups … up sharply from $771 million in 2013’s first half.” [The Wall Street Journal]
The Center for Internet Security has released Critical Security Controls Draft Version 6c for public comment. Changes in this draft include the reprioritization of certain Controls due to the evolution of threat, the restructuring of some Controls for simplification, and better alignment with other frameworks, including the NIST Cybersecurity Framework. [CISecurity]
In its State of the Corporate Perimeter survey, a new survey out from Centrify found that nearly 60% of US IT decision-makers share access credentials with other employees at least somewhat often. Conducted among 200 of these decision-makers, the survey also found that 52% of US-based IT employees also shared credentials with contractors. About three-quarters of respondents estimate that more than 10% of employees have access to these kinds of privileged accounts, whether legitimately or through sharing. And over half of respondents in the US reported that it would be easy for a former employee to log in to access systems or data with old passwords. Unsurprisingly, 74% of those surveyed in the US reported that their organization needed to do a better job monitoring who is accessing data and 62% believe their organization has too many privileged users. The concern grows as new models in cloud and mobile computing have obliterated the corporate perimeter. As things stand, 92% of organizations in the US currently have some form of user monitoring in place. However, only a 56% have some sort of privileged identity management. Of those, nearly a third companies do not have someone formally analyzing or auditing how and when employees or contractors are performing privileged access to systems in the organization on at least a weekly basis. Even something as simple as updating passwords on a regular basis is only performed by about 58% of US organizations. [Dark Reading]
They aren’t the murderers, drug traffickers and rapists who usually are on the FBI’s lists, but cyber criminals are still some of agency’s most-wanted bad guys. The top five most-wanted cyber criminals, based on the amount of money offered for their capture and prosecution, are responsible for hundreds of millions of dollars in losses, according to FBI statistics, and authorities are willing to pay a combined $4.2 million for information leading to their arrest. [The Washington Post]
A recent academic study found that few computer users notice indicator lights and even fewer realize that the camera is always recording when the light is on. The lack of awareness, say researchers, makes people more vulnerable to webcam spying. The webcam light is a type of privacy indicator, which is a notification that a user’s data is being collected in some way. Other privacy indicators include the green Secure Socket Layer lock in the website address bar that indicates a secure connection or the pop-up on a smartphone asking for consent to share your location with an app. “One of the big problems we see today is that it’s really hard to know how an application is using your data,” says Serge Egelman, a research scientist at UC Berkeley’s Department of Electrical Engineering and Computer Science. “Once you’ve granted access to it, it’s essentially gone.” Until better indicators are developed for the webcam, Portnoff and Egelman recommend placing a sticker over the webcam and using antivirus software. For other applications, pay attention to what permissions they ask for. [csmonitor.com]
The Intercept has released a new trove of documents accessed via the Edward Snowden leaks, providing a detailed look into the capabilities of the U.S. NSA program known as XKEYSCORE. First reported in 2013, the program is one of the agency’s “most powerful tools of mass surveillance” and “makes tracking someone’s Internet usage as easy as entering an email address,” the report states, adding the program “provides no built-in technology to prevent abuse.” [Full Story] Meanwhile, UK Prime Minister David Cameron doubled down on his promise to not “leave a safe space … for terrorists to communicate with each other.” Additionally, the Investigatory Powers Tribunal has found the UK’s GCHQ reportedly spied on Amnesty International’s private communications. The human rights organization called the agency’s actions “outrageous.”
NSA documents leaked to the Guardian in 2013 described a covert program called XKeyscore, which involved a searchable database for intelligence analysts to scan intercepted data. Now, new documents show the breadth of this program and just what sort of data XKeyscore catalogs. According to a new report from The Intercept, the amount of data XKeyscore scoops up as well as the sort of data it collects is much larger than originally thought. Here are a few highlights from the new report: The XKeyescore database is “fed a constant flow of Internet traffic from fiber optic cables that make up the back of the world’s communication network, among other sources, for processing,” the new report writes. Its servers collect all of this data for up to five days, and store the metadata of this traffic for up to 45 days. Web traffic wasn’t XKeyscore’s only target. In fact, according to the documents posted by The Intercept, it was able to gather data like voice recordings. A list of the intercepted data included “pictures, documents, voice calls, webcam photos, web searches, advertising analytics traffic, social media traffic, botnet traffic, logged keystrokes, computer network exploitation (CNE) targeting, intercepted username and password pairs, file uploads to online services, Skype sessions and more.” How the search works is very advanced. The new documents detail ways that analysts can query the database for information on people based on location, nationality, and previous web traffic. XKeyscore was also used to help hack into computer networks for both the US and its spying allies. One document dated in 2009 claims that the program could be used to gain access into unencrypted networks. Using XKeyscore was reportedly insanely easy. “The amount of work an analyst has to perform to actually break into remote computers over the Internet seems ridiculously reduced — we are talking minutes, if not seconds,” security researcher Jonathan Brossard told The Intercept. “Simple. As easy as typing a few words in Google.” While XKeyscore has been known as an intelligence tool for years now, these new documents highlight just how advanced and far-reaching the program’s surveillance is. The NSA, in a statement to The Intercept, claims that all of its intelligence operations are “authorized by law.” It added, “NSA goes to great lengths to narrowly tailor and focus its signals intelligence operations on the collection of communications that are most likely to contain foreign intelligence or counterintelligence information.” [Source]
UK – Government’s Surveillance Plans Could Put Citizens, Economy and Entire Internet at Risk, Argue Leading Computing Experts
Proposals are ‘unworkable in practice, raise enormous legal and ethical questions, and would undo progress on security at a time when internet vulnerabilities are causing extreme economic harm’, leading experts argue [Source] [Why We Must Fight the ‘Snoopers Charter’]
Reports that the government’s plan would result in a ‘ban’ on PGP, Apple Messages or WhatsApp have been based on speculation so far. The government has not stated explicitly how it intends to handle the issue. Inserting backdoors into encrypted systems for government agencies, however, would effectively render them open since it would be impossible for the provider and end user to ever be certain their communications were not being monitored. …At this stage it is not clear whether the plan to ban encryption is even possible. The technology has been in the wild for decades now, and previous attempts to limit its use have been unsuccessful. The UK’s own Parliamentary Office of Science and Technology said in a briefing that a ban on encryption is “infeasible” from a technological standpoint – though its report is not binding on government decisions. [Source]
Report in response to Edward Snowden’s revelations concedes privacy should be a greater concern in data collection and that current laws are outdated. The report proposes that the intelligence services retain the power to collect bulk communications data on the private lives of British citizens, but it also now concedes that privacy must be a consideration throughout the process. …There was vigorous debate between the former intelligence heads and privacy advocates over Snowden’s disclosures and whether British intelligence agencies had acted illegally. The intelligence agencies had wanted the report to give them a clean bill of health, but instead several caveats were added at the request of privacy advocates such as the inclusion of the word “knowingly” [Source]
Business Insider has seen a letter sent from Baroness Shields, the minister for internet safety and security, to an MP in which Shields says “this government supports encryption, which helps keep people’s personal data and intellectual property safe from theft by cyber means. It is fundamental to our everyday use of the internet. Without the development of strong encryption allowing the secure transfer of banking details there would be no online commerce.” [Source]
“When I sat down with an ex-minister, former security chiefs, internet execs and others, today’s report on oversight of bulk data collection seemed a long way off. Yet we did. The Royal United Services Institute panel was set up by Nick Clegg, the then deputy prime minister, in response to revelations from the US whistleblower Edward Snowden about the scale of intrusion by US and British intelligence agencies into private lives. Our remit: to look at the legality, effectiveness and privacy implications of government surveillance; how it might be reformed; and how intelligence gathering could maintain its capabilities in the digital age. It wasn’t easy and there were several times when I thought I would be writing a minority report with one or two of the panel members. But in the end we reached consensus: the report – published today – proposes that the security services continue with bulk collection of communications data, but with improved oversight and safeguards. [Source]
“We have seen no evidence that the British government knowingly acts illegally in intercepting private communications or that the ability to collect data in bulk is used by the government to provide it with a perpetual window into the private lives of British citizens,” the ISR concluded. “On the other hand, we have seen evidence that the present legal framework authorising the interception of communications is unclear, has not kept pace with developments in communications technology, and does not serve either the government or members of the public satisfactorily.” [Source]
The power, which comes from Section 702 of the 2008 FISA Amendments Act, was supposed to be aimed at foreign nationals living outside the USA but has ended up being used to collect massive amounts of personal communication from Americans. That data, which can also include photos, texts and instant messages, can be gathered by U.S. intelligence agencies without a warrant as long as it crosses the U.S. border electronically at some point. Given the fluid nature of electronic communications and data storage, that happens all the time …A majority of House members agreed, voting 255-174 in June for legislation by Massie and Rep. Zoe Lofgren, D-Calif., to prohibit intelligence agencies from using federal funds to search the data they collect under Section 702 for information about Americans. …But security hawks in Congress and the Obama administration are pushing back, vowing to fight any effort to weaken government surveillance programs at a time when terrorist threats from the Islamic State and other terrorist groups are on the rise. [Source] See also: [Spying on the Internet is Orders of Magnitude More Invasive Than Phone Metadata ] [It’s Not Just the NSA — the IRS Is Reading Your Emails Too ]
Instead of clarifying the matter, Congress sparked another controversy with the passage of the USA Freedom Act, which gave the government a 180-day transition period before it goes into effect on Nov. 29. The government interpreted this clause as giving the NSA a window to continue with the same program that the Second Circuit had recently found illegal. Late last month, a judge from the Foreign Intelligence Surveillance Court endorsed that view, and the ACLU immediately vowed to return to New York to continue its fight. [Source]
Its (ACLU) major contention in support of the requested injunction is that despite the Freedom Act’s provision for a transition period, the underlying law authorizing the bulk surveillance remains the same Patriot Act provisions that the second circuit held do not justify the NSA phone-records collection. “There is no sound reason to accord this language a different meaning now than the court accorded it in May. [The Patriot Act] did not authorize bulk collection in May, and it does not authorize it now,” reads the ACLU brief. [The Guardian]
In the month since Congress’ action, however, debate has continued about whether the USA FREEDOM Act actually curtailed government surveillance programs or whether it is mere window dressing. …the weeks since June 2 have seen a more measured and increasingly negative view of the real impact of the act. Several commentators have argued that the NSA’s bulk telephone collection program is only one minor NSA surveillance program and that too many others run by the government remain intact. Freedom Watch’s founder Larry Klayman called the act a “sham,” arguing that the NSA—and the Central Intelligence Agency (CIA)—will “do as they please” in surveillance activities. InfoWorld’s security columnist Roger A. Grimes argued that under the USA FREEDOM Act, only a “small part of a single NSA data collection program was barely modified,” while “nearly every other NSA program is intact.” Other commentators have described the act as “Orwellian,” “Inscrutable,” and “a Virtual Scam.” [Source]
The Electronic Privacy Information Center (EPIC) wrote to the FTC and DoJ to formally request an investigation of Google, Samsung, Mattel and other companies’ “always on” devices in an attempt to identify and curtail potential privacy issue. EPIC cited among its items of concern everything from Barbie dolls that record voices to Samsung’s smart TV. The letter asks “whether the products store people’s communications and whether security measures like encryption are in place to protect the recorded data,” the report states. Among the target companies and government agencies, only Samsung and home camera-maker Canary Connect have responded, the report states. [CIO]
On August 3, the National Telecommunication and Information Administration (NTIA) will meet with privacy groups in an effort to understand the regulatory privacy measures necessary for drones. This is the third iteration of talks of this nature, which thus far have ended without consensus and with privacy groups leaving frustrated. “Consumer and privacy groups don’t have confidence in the process,” said Center for Digital Democracy Executive Director Jeffrey Chester. “Protecting privacy from the use of drones requires a serious effort that the NTIA has so far failed to demonstrate.” [PCWorld]
Hacking Team (HT), a controversial surveillance technology developer, was itself hacked over the weekend. The company has been criticized by digital activists in the past for allegedly supplying repressive governments with powerful surveillance technology, potentially used to spy on political dissenters, human rights activists and journalists. On Sunday, the company’s Twitter handle was hacked and included several screen shots of stolen data, including the user names and passwords of company executives. According to the report, approximately 400 gigabytes of data was stolen from the firm. The ACLU’s Christopher Soghoian said the data “dump includes an .xls spreadsheet listing every government client, when they first bought HT and revenue to date.” [PCWorld]
A 400 gigabyte online “document dump” of data stolen from spyware organization Hacking Team highlights the technology developer’s alleged dealings with the FBI and other groups. One of the hacked spreadsheets indicates the FBI has paid Hacking Team more than $773,226 since 2011 “for services related to the Hacking Team product known as ‘Remote Control Service,’ which is also marketed under the name ‘Galileo,’” the report states. Another document discusses Hacking Team’s ability to bypass the HTTP strict transport security mechanisms designed to make HTTPS website encryption more reliable and secure. “Our solution is the only way to intercept TOR traffic at the moment,” the document said. [Ars Technica]
It could be an argument with a friend over what was said, an uncomfortable interaction with a co-worker or a routine police stop that turns sour. These are the kinds of situations that leave people wishing they could hit rewind on their lives and re-watch the situation to prove they were in the right. A new smartphone app could be that reliable witness. Alibi works in the background to record audio, video and location 24 hours a day, seven days a week, to document what really happened when there are conflicting accounts. Users download the app onto their smartphones. They only have to start it up once and Alibi will continuously work in the background to record audio, video and location. After the app records for one hour all of the data is automatically deleted. None of the recordings are stored by the company. If someone finds themselves in a situation where they want the data saved after an encounter, users can open the app and hit save. Alibi will save the last hour of recordings and hide the file on the person’s phone so it cannot be tampered with by anyone else. [CBC News]
New drone regulations come into effect on August 1, banning the small aircraft from flying over houses without the property owner’s consent. “The Privacy Commission has only received one complaint to date, but it’s hard to tell how many the police have fielded to date because they don’t really much about it, they’ve got no policy.” Part of the reason for the lack of complaints was because of the lack of regulations concerning drones. The most significant new rule that will come into effect in August is that drone operators will have to gain the consent of property owners before flying over their house and people who they fly over. “That covers things like sporting events, music events… unless there is an exemption obtained by the Civil Aviation Authority, they can’t cover those events without the consent of every single person they will fly over.” The rules are prompted by both privacy and security concerns, says Mr Iorns. “That comes down to a safety consideration – we don’t want drones of up to 15kgs dropping out of the sky and landing on people’s heads.” [3news.co.nz]
Fed up with unwarranted spying by police, residents of the California port city of Oakland are pushing back by developing the first enforceable city legislation to regulate the purchase and use of surveillance equipment by law enforcement agencies. If approved, the legislation could make Oakland a national trailblazer for privacy rights campaigners alarmed at the rise of cameras, “stingrays” and other surveillance technologies used by law enforcement. Activists are hopeful that in the coming months the city council and mayor’s office will appoint members of a privacy advisory committee to draft a city ordinance on surveillance. They say this will be a big win for residents and a significant change from 2013, when the Oakland police, fire and port officials proposed to use $2m in federal grant money to expand a surveillance program from the port of Oakland to the entire city. [The Guardian]
The rise of body-worn cameras poses serious data protection and privacy concerns for the public, according to the UK government’s surveillance camera commissioner. Tony Porter noted that while police use of body warn cameras, such as by the Metropolitan Police, is governed by strict rules and regulations, other organisations that use the technology lack the same oversight. “I’m talking about door supervisors at night clubs, traffic enforcement officers and environmental officers,” he said. As such, Porter said questions need to be asked about training, data security and who has access to recordings of the public. Porter also discussed the UK’s automatic number plate recognition (ANPR) system which captures around 27 million images every day. The commissioner questioned the transparency surrounding the number of ANPR cameras that currently exist. Porter is currently reviewing the operation of the Surveillance Camera Code of Practice and will present his findings to home secretary Theresa May later this year. The code was introduced in 2013 to curb the excessive use of cameras for surveillance by increasing numbers of private and public sector organisations and an updated version was issed in 2014 by the Information Commissioner’s Office. [v3.co.uk] See also: [A new Florida law “shields the footage taken by police body cameras from public view.” The new measure includes a privacy exception preventing the disclosure of such videos, including those taken in homes, at hospitals or at the scenes of medical emergencies]
Congratulations, Theresa May! The internet hates you. The British cabinet secretary in charge of home affairs, policing, and counter-terrorism received a gong, part of the annual UK Internet Industry Awards, for “forging ahead with communications data legislation that would significantly increase capabilities without adequate consultation with industry and civil society.” Privacy International, a civil liberties group, picked up the award on her behalf. The home secretary, who unshackled from her Liberal Democrat coalition partners following a surprise majority victory earlier this year, is pushing ahead with a rapid expansion of the UK’s investigatory and law enforcement powers. The so-called “snoopers’ charter” would allow police and intelligence agencies to grab British phone and email records to prevent terrorism. But the bill has been pushed through parliament with almost no consultation with phone and internet providers who will be affected the most. The “snoopers’ charter” bill is due before parliament in the coming months, though no specific date has been set. [zdnet.com] [EU – Head of EU data protection says trading privacy for security is a “false fad” ]
PayPal is changing its tune on sending you automated phone calls and text messages in the face of pushback from regulators and consumers. The company is again amending its user agreement just two days before its updated policies were to take effect. Under the changes, PayPal promises not to robocall you unless you’ve previously given the company your prior, express written consent. That means it also won’t require users to opt-in to receiving robocalls as a condition of continuing to use the mobile payments service. And the company is also clarifying its user agreement to state that PayPal will primarily use robocalling to “detect, investigate and protect our customers from fraud” or to notify users about account activity. That’s a significant turnaround from its previous proposed revisions, which required that all customers agree to accept robocalls if they wanted to keep using PayPal. The proposal sparked letters from concerned lawmakers and even the Federal Communications Commission, which has strict rules about robocalling and telemarketing. [The Washington Post]
The Christian Science Monitor’s Passcode reports on a slew of documents released by the ACLU about Executive Order (EO) 12333. Signed by President Ronald Regan in 1981 and strictly run under the executive branch, EO 12333 permits the Central Intelligence Agency (CIA) to collect foreign Internet communications in bulk. However, the documents show that the CIA can direct the NSA or FBI to conduct domestic surveillance on its behalf. Meanwhile, former NSA General Counsel Rajesh De discusses the role privacy plays in the agency, saying it is highly regulated and that the Foreign Intelligence Surveillance Act “is anything but a rubber stamp.” [Full Story]
Filmmaker Laura Poitras is suing the U.S. government after receiving no response to her Freedom of Information Act requests for documents pertaining to the government’s targeting of Poitras at U.S. and foreign airports, The Intercept reports. Poitras was searched, interrogated and detained more than 50 times over six years. Officials seized her notebooks, laptop, cell phone and other personal items. “I’m filing this lawsuit because the government uses the U.S. border to bypass the rule of law,” said Poitras in a statement. The filmmaker, who won an Oscar for Citizenfour, said she hopes the suit will also bring attention to those who are less well known but are also harassed at the border. [Full Story]
As private-sector corporations move to streamline their online payment processes, making them faster and more convenient for customers, the Consumer Financial Protection Bureau (CFPB) has released its guiding principles for organizations to protect consumers. “Companies developing new financial technologies should be building systems from the outset with consumer protections in mind,” said CFPB Director Richard Cordray. “It is a lot easier to build something right from the start than it is to retrofit it. The CFPB will continue our work to help ensure that financial services marketplaces are safe and transparent for consumers.” [Full Story]
The FTC announced a new initiative aimed at educating businesses on data security best practices. The agency also announced a series of workshops to help flesh out specific data security needs for start-ups and small- to medium-sized organizations. The “Start with Security” initiative also includes new guidance for businesses . “Promoting good data security practices has long been a priority of for the FTC,” said FTC Bureau of Consumer Protection Director Jessica Rich in a press release. “The new Start with Security initiative shares lessons from the FTC’s 54 data security cases,” she noted, adding, “Although we bring cases when businesses put data at risk, we’d much rather help companies avoid problems in the first place.” [Full Story]
Nine House Democrats have unveiled the Recover Act, a bill that would provide “lifetime identify-theft monitoring” for the millions of victims of the recent Office of Personnel Management (OPM) breaches. “Much of the OPM data is lifetime and permanent background information that cannot be changed like a credit card number,” said Rep. Eleanor Holmes Norton (D-DC), whose bill is a companion to one from Sen. Ben Cardin (D-MD). The bill has support from National Treasury Employees Union President Colleen Kelly, who said it “will go a long way toward protecting individuals from ID theft problems stemming from these devastating data breaches.” [The Hill]
The House of Representatives passed the 21st Century Cures bill, which “contains a controversial provision calling for significant changes to the HIPAA Privacy Rule.” The House approved the bill by a 344 to 77 vote, the report states, noting, “Among the 309-page bill’s many provisions is a proposal that the Secretary of Health and Human Services ‘revise or clarify’ the HIPAA Privacy Rule’s provisions on the use and disclosure of protected health information (PHI) for research purposes.” Patient authorization would not be needed to use PHI for research “if only covered entities or business associates, as defined under HIPAA, are involved in exchanging and using the data,” the report states. [Gov Info Security]
Rep. David Cicilline (D-RI) introduced The Consumer Privacy Protection Act as a companion bill to a Senate bill from Sen. Patrick Leahy (D-VT). The bill, which would apply to companies with information about more than 10,000 customers, would require them to notify consumers within 30 days if hackers obtain “sensitive information” and implement security procedures to, in part, minimize the amount of sensitive information they collect. Chris Lewis of Public Knowledge said it creates “a strong federal standard of privacy protections” without preempting more stringent state laws, while the Direct Marketing Association supports a national data breach bill that would preempt state legislation. This week, 47 state AGs wrote to Congress urging it not to pass laws that would preempt state rights. [MediaPost]
The Senate Intelligence Committee will file a bill mandating that if an “electronic communication service provider” has knowledge of terrorist activity on its site, it must report the activity to authorities. The bill has already catalyzed privacy and First Amendment concerns. “Considering the vast majority of people on these sites are not doing anything wrong, this type of monitoring would be considered by many to be an invasion of privacy. It would also be technically difficult,” said one industry official, who requested anonymity. Others disagree. “Ultimately this is a higher-tech version of ‘See something, say something.’ And in that sense, I believe that there is value,” said Leidos Executive Vice President, Michael Leiter. [The Washington Post]
Critics of Section 702 of the 2008 FISA Amendments Act are urging Congress to revise it. The act makes data, “which can also include photos, texts and instant messages,” viewable sans-warrant by law enforcement “as long as it crosses the U.S. border electronically at some point,” the report continues. “It’s really troubling, and it’s a clear violation of the Fourth-Amendment prohibition against unreasonable searches and seizures,” said Rep. Thomas Massie (R-KY). The call for a revision has majority support in the House, but security officials disagree. “These queries can, among other things, enable analysts to identify terrorist plots,” countered National Intelligence Director James Clapper. [USA Today] Critics of Section 702 of the 2008 FISA Amendments Act, including Rep. Thomas Massie (R-KY), who said the act is “really troubling, and it’s a clear violation of the Fourth-Amendment prohibition against unreasonable searches and seizures,” are urging Congress to revise it.
Washington, Oregon, Wyoming, Illinois, and North Dakota have updated their data breach laws this year, and Alabama is on its way to becoming the 48th state to adopt such legislation in the wake of unprecedented data breaches in healthcare, finance, and retail. [Source] [2015 Data Breach Legislation Six Month Review: Many Proposals, Few Changes] Attorneys general from the 47 states that have data breach notification laws have sent Congressional leaders a letter urging them to not preempt states’ rights in investigating breaches.
- The Senate Intelligence Committee is expected to soon file a bill mandating that if an “electronic communication service provider” has knowledge of terrorist activity on its site, it must report the activity to authorities.
- Rep. David Cicilline (D-RI) has introduced The Consumer Privacy Protection Act as a companion bill to a Senate bill from Sen. Patrick Leahy (D-VT), noting the bill would require companies to notify consumers within 30 days if hackers obtain “sensitive information” and implement security procedures to, in part, minimize the amount of sensitive information they collect.
- The National Treasury Employees Union is suing the Office of Personnel Management over its recent data breach, following similar action by the American Federation of Government Employees.
- The Securities and Exchange Commission (SEC) opposition to the bipartisan Email Privacy Act on the grounds “that the legislation would harm the SEC’s enforcement efforts“ doesn’t take into account Americans’ basic privacy rights.
- Consumer Watchdog is filing a formal complaint with the FTC arguing that, by not providing Americans with the same right-to-be-forgotten measures existent in the EU, Google is exercising an unfair and deceptive trade practice, The Washington Post reports.
- The U.S. Chamber of Commerce is siding with Google and Viacom in asking an appellate court to throw out a lawsuit accusing the companies of violating a federal privacy law by using tracking cookies on children’s website Nick.com.
- A judge has unsealed court documents in a case against celebrity Bill Cosby, stating that Cosby’s privacy expectations are diminished because he is a public figure who “donned the mantle of public moralist.”As a result, Cosby “voluntarily narrowed the zone of privacy that he is entitled to claim,” the judge wrote.
- The Federal Communications Commission has marked this fall as the time to hash out what its jurisdiction over Internet privacy will look like specifically.
- Citing a Supreme Court ruling that a thermal imaging device used to detect marijuana in a suspect’s home did not require a warrant because it wasn’t “in general public use,” In-Q-Tel CISO Dan Geer writes, “We must change liability law so thoroughly and so substantially that data acquisition is no different from stockpiling combinations of lethal chemicals that grow increasingly dangerous as their varieties increase.”
- The American Federation of Government Employees has filed a class-action lawsuit against the Office of Personnel Management in the wake of its massive data breach.
- The U.S. Drug Enforcement Administration may sue the state of Utah over access to a controlled-substance database.
- Delaware’s Student Data Privacy Protection Act, which was modeled on California’s Student Online Personal Information Privacy Act and passed by the General Assembly on June 25, is awaiting the governor’s signature.
- While drone regulations failed to pass during the New Mexico Legislature’s regular session, the Science, Technology and Telecommunications Committee met recently “to hear from a panel of experts about the advancement of the technology and its possible uses as well as concerns about privacy.”
- In a Pennsylvania court case, an opinion by Lehigh County Judge Robert L. Steinberg indicating “Pennsylvania’s wiretap law is not keeping pace with the widespread adoption of technology such as tablet computers and Google Glass.”
- Rhode Island’s Katie’s Law requires individuals arrested for violent crimes to provide samples of their DNA.
- In Oregon, a bill prohibiting video voyeurism that won unanimous support in the House and Senate is awaiting the signature of Gov. Kate Brown
A recent decision of the Ontario Grievance Settlement Board raises the interesting question of an employer’s vicarious liability for an employee’s privacy breach. Vicarious liability occurs when the law holds one person responsible for the misconduct of another because of their relationship. The most common relationship giving rise to vicarious liability is the employer and employee relationship. In Ontario Public Service Employees Union v. Ontario 2015 CanLii 19325 [ON GSB] one employee (“Employee X”) inappropriately accessed the employment insurance file of a co-worker (“Ms. M”) who was away from the workplace due to sickness. The inappropriate access took place during work hours and Employee X discussed Ms. M’s personal information with other employees. There was no work reason for Employee X to be accessing Ms. M’s EI file. The Employer had appropriate policies in place that prohibited the use of the Employer’s IT resources for unacceptable activities and was proactive when hiring new employees to instruct them in connection with their obligations to keep information private. Upon being made aware of the unauthorized accesses to Ms. M’s EI file the Union representing Ms. M filed a grievance. During the hearing of the grievance the Union put the Employer on notice that it would bring a motion before the Grievance Settlement Board to determine the effect of the tort of intrusion upon seclusion to the disposition of the grievance. After reviewing the law in relation to vicarious liability in the employment context and the evidence pertaining to the incident, including the Employer’s hiring practices and the Employer’s privacy policies, the Board concluded that the Employer was not vicariously liable for the actions of Employee X. The Board was of the view that the “wrongful act” of snooping in Ms. M’s EI file was not sufficiently related to conduct authorized by the Employer to attract vicarious liability. Employee X’s actions were viewed by the Board as being the actions of a rogue employee who, for her own purposes accessed Ms. M’s EI file. It was not an action that could be seen to “further the employer’s aims”. The actions were done without the employer’s sanction or knowledge. The Board accepted the Employer’s evidence that it knew nothing of the intrusion until being told of it by a co-worker of Ms. M. Upon learning of the intrusion the Employer took immediate action to investigate and manage the issue. The evidence indicated that Employee X had received a significant suspension. The decision, although good news for the Employer, did not leave Ms. M without a remedy. Like the plaintiff in Jones v. Tsige, Ms. M would still be permitted to sue Employee X at common law for damages for the tort of intrusion upon seclusion as a result of her unauthorized snooping. [Cox and Palmer Law Publications]