18-27 November 2016

Biometrics

US – Facebook Says Illinois Biometrics Privacy Law Violates Constitution

Facebook Inc. says an Illinois biometrics law that prevents interstate-sharing of facial recognition data violates the U.S. Constitution. In August, three class actions against Facebook, over allegations that the company’s ‘tag suggestion’ feature violates users’ privacy rights, were moved from Chicago’s federal courts to San Francisco’s. Facebook said that the BIPA infringes on a constitutional protection under the commerce clause, which restricts a state’s ability to pass legislation that would improperly strain or discriminate against interstate commerce. Last month, both Facebook and Google stated that collecting facial biometrics data isn’t against the law, even without the user’s consent. [Biometrics Update | Federal Court in Illinois dismisses biometric data privacy case against Smarte Carte]

Canada

CA – OPC Canada Recommends Amending Federal Privacy Act to Require Breach Notification and Improved OPC Powers

The federal Privacy Commissioner of Canada appears before a committee studying potential reviews of the Privacy Act. Government institutions should be required to report material breaches of personal information to the OPC in a timely manner and notify affected individuals in certain cases. The ombudsman model for complaint investigation should be replaced with OPC powers to issue binding orders, and the OPC should be granted discretionary power to decline complaints or discontinue investigations on specified grounds, including when the complaint is frivolous, vexatious or made in bad faith. [OPC Canada – Appearance before the Standing Committee on Access to Information, Privacy and Ethics on the Study on Review of the Privacy Act | Opening Statement | Recommendations]

CA – Therrien Calls on Parliament for Clear Rules on Surveillance

Privacy Commissioner Daniel Therrien has called on Parliament to enact clearer rules around how law enforcement collects, obtains and destroys data on Canadian citizens. He said Bill C-51 needs more protections built in. “Security agencies, with (Bill C-51 powers) and with the absence of rules around retention, for instance, would be able to collect and retain information that they don’t really need,” Therrien said. “I don’t dispute that CSIS needs to analyze information in order to do their job but once the analysis has been completed and the vast majority of people about whom they’re collecting information are found not to be a threat, and that’s the case, then they should destroy that information.” [Toronto Star]

CA – Ottawa Approves Redress System for Canadian Travellers Affected by No-Fly List

The federal government has approved a redress system to protect Canadian travellers, including children who can’t board airline flights due to aviation security lists. Unlike the U.S. stand-alone system, Canada’s no-fly-list database was designed to piggyback on to airline computers, making it more problematic to deal with misunderstandings about passenger identity. Canada is now poised to set up its own independent data system that will be controlled by Public Safety, Transport Canada and the Canada Border Services Agency. The redress system will allow Canadians whose names closely match those on the no-fly list to apply for a unique identification number. They will be able to use the number at the time of ticket purchase to clear their name in advance and prevent flight delays. [Globe & Mail | Six-year-old’s name still on Canada’s no-fly list, mother says | Secret Bans, Secret Trials: The Canadian ‘No-Fly’ Lists | Families say shared Canada-U.S. no-fly lists must include safeguards for children | Canada’s no-fly list is ‘very mysterious’ and leaves targets little recourse, say critics]

CA – Canada Steps Away from Online Redress System, But ‘No Fly List Kids’ Parents Still Waiting

Canada could implement a redress system as early as spring of 2018 to make it easier for children and adults falsely flagged as security threats to get past extra airport security checks when their names match those of people on no-fly lists. Public Safety Minister Ralph Goodale described the future system at a town hall on national security Saturday afternoon in Markham, Ont. Goodale pointed to the American redress model, which provides a redress number to “false-positives” on the list that can be entered online anytime they make a booking to avoid additional screening. “That’s the way the Canadian system should work,” the public safety minister said, adding that once implemented, Canada’s system will be interactive, automatic and done entirely online. But in the meantime, the public safety minister announced no interim solutions for people falsely flagged by the list, something the parents advocacy group No Fly List Kids had been hoping for. “It was a little bit disappointing,” said a spokesperson for the group, who added she was nevertheless encouraged to hear changes are coming. Consultations began on Sept. 8 and will be completed on Dec. 15. Submissions can also be made online. Feedback from the town halls will be compiled into a report that will be made public, the government said. [CBC | Liberals ask public to weigh in online about national security issues | Ontario man stranded in Amsterdam by U.S. no-fly list back home | Markham man still stranded in Amsterdam says his name is on no-fly list | ‘As a Canadian citizen I felt very helpless’: Man on U.S. no-fly list stranded overseas | Mom of boy on no-fly list ‘really looking forward’ to travelling after feds announce plan to end mix-ups | Mother insists plan for Canada-US no-fly list must protect children | Human rights tribunal questions Air Canada’s ‘no-fly list’ policies | Boy, 6, still flagged in no-fly list mix-up, family says | Mother of boy on no-fly list ‘pleased’ by Ottawa’s response | Families affected by no-fly list reach out to mother of Ontario boy | U.S. no-fly list could be behind Canadian air travel nightmares | Ottawa says there’s no need for additional airport security screening for under-18s | Getting on Canada’s no-fly list is ‘a very mysterious process,’ says critic | Ottawa approves redress system for Canadian travellers affected by no-fly list | Secret Bans, Secret Trials: The Canadian ‘No-Fly’ Lists | Families say shared Canada-U.S. no-fly lists must include safeguards for children | Canada’s no-fly list is ‘very mysterious’ and leaves targets little recourse, say critics]

CA – New Brunswick Benefits Bill Changed Due to Privacy Concerns

A benefits bill that details what information is shared between the New Brunswick and federal governments has been altered because of privacy concerns. The bill will simplify the sharing of personal data between the governments deciding which provincial residents are eligible for welfare, housing and nursing home subsidies. One change included a more narrow and specific definition of personal information. Families Minister Stephen Horsman said, “‘Personal information’ means the name and date of the birth of the person.” Ultimately, he said, the bill will cut down on waiting times so residents can get the services they need more quickly. [CBC]

CA – Nova Scotia Privacy Breach Shows Why Faxing Personal Information Must End

Nova Scotia’s privacy commissioner is urging the provincial health authority to stop allowing doctors to send faxes with sensitive information. A number of organizations still use fax machines for sending data, particularly in the health care field where paper is the most trusted form of documentation. But a fax sent to the wrong number can cause a major privacy breach. That’s what has been happening in Nova Scotia, where for years a private business has been receiving faxes from family doctors referring patients to a mental health clinic with a similar fax number. It got bad enough that Catherine Tully, the Information and Privacy Commissioner, stepped in to investigate. [IT World Canada | Privacy commissioner says doctors should move away from faxing patient referrals | Doctors should move away from faxing patient referrals: Nova Scotia Privacy Commissioner]

CA – SCC Decision Reaffirms Protection of Solicitor-Client Privilege

In a pair of decisions, the Supreme Court of Canada has reaffirmed robust protections for solicitor-client privilege, while elevating litigation privilege. In Lizotte v. Aviva Insurance Company of Canada, the Supreme Court upheld a 2015 Quebec Court of Appeal ruling that determined a provincial regulator could not have access to information Aviva Insurance claimed was protected by litigation privilege. In the second decision released Friday, Alberta v. University of Calgary, the court determined a provincial regulator could not abrogate solicitor-client privilege on inference. “…solicitor-client privilege cannot be set aside by inference but only by legislative language that is clear, explicit and unequivocal,” Justice Suzanne Côté wrote for the majority in the decision. [Canadian Lawyer | SCC deals blow to privacy commissioner powers – privilege reigns supreme | Alberta’s information and privacy commissioner loses Supreme Court case]

CA – Quebec Government Launches Online Privacy Awareness Campaign

The Quebec government is introducing a new campaign designed to raise online privacy awareness. National Assembly of Quebec Minister Rita de Santis will tour with actor Nicolas Ouellet to explain to teens between the ages of 14 and 17 why they need to be careful about what they share on social media. De Santis also plans to introduce legislation to the National Assembly to increase privacy protections, but admits more needs to be done. “The law alone can’t change how people behave,” de Santis said. The tour will finish in May 2017. [Full Story]

CA – Monsef Says She’s Heard No Concerns on Political Parties’ Big Data Operations

Democratic Institutions Minister Maryam Monsef says she hasn’t heard concerns about political parties’ unfettered ability to collect and use data from Canadians. There are virtually no rules or oversight into how parties collect, store and analyze data collected from Canadian voters. But Monsef said the issue hasn’t come up as she’s crisscrossed the country talking about how to reform Canada’s election system. All three major federal parties have been ramping up their big data operations to help guide their electoral efforts. Data can be drawn from fundraising emails and online petitions, interactions on voters’ doorsteps, even social media postings. Privacy Commissioner Daniel Therrien noted that, while government agencies, including intelligence and law enforcement agencies, are subject to strict privacy laws, political parties have no rules or oversight. “All of these rules that apply to government departments, or to private organizations, which are basic privacy safeguards, do not apply to political parties.” [The Star | Political parties need rules for collecting Canadians data, says privacy watchdog | Ottawa may review parties’ use of Canadians’ private data]

CA – Ontario Court Determines Customer Consent Allows for Production of Medical Documents

An Ontario Court reviewed a request by Fairview Assessment Centre seeking directions concerning the production of medical documents from non-party insured individuals. The Court ordered the production of medical documents of non-party insured individuals who made claims for statutory accident benefits; by signing the insurance application form, applicants expressly consented to the use and disclosure of their PHI for legitimate purposes (including investigation, adjudication and preventing and detecting fraud), and acknowledged that their PHI can be disclosed for purposes of complying with a legal order or participating in a proceeding as a witness. [Economical Insurance Company v Fairview Assessment Centre Inc. – cv-10-414992 – Superior Court of Justice – Ontario]

Consumer

WW – MEF Releases White Paper On Personal Data Economy

The Mobile Ecosystem Forum has released a new white paper focused on the personal data economy, the concept of “letting individuals take ownership of their information so they can share it with businesses on their terms.” The white paper, commissioned on behalf of the MEF Consumer Trust Working Group, defines the personal data economy, provides case studies, includes regulation and compliance issues, outlines potential benefits, and details key challenges. [Mobile Ecosystem Forum]

Encryption

CA – Poll: Only 15% of Citizens Use Encryption

A CBC News and Toronto Star poll found few Canadian citizens use advanced personal security tools to protect their data. While 81% of respondents said they clear cookies and erase their browser histories, only 15% said they use encryption, and only 17% use services such as virtual private networks to hide their identities (and locations) online. The poll found men are more likely to take steps to protect their privacy online than women. [CBC]

CA – Therrien Memo Indicates Support for Encryption

A memo prepared for Privacy Commissioner of Canada Daniel Therrien states that it “would be difficult for any one country to weaken or ban encryption technology.” “Encryption tools very much are now ubiquitous, globally distributed and irrevocable, which plainly no piece of domestic regulation or lawmaking will undo, given that two-thirds of encryption products are produced and sold by non-U.S. firms,” the memo states. While some critics argue that the practice protects criminals, a U.S. committee on homeland security report, summarized within the memo, counters that weakened encryption could have adverse effects on public safety. “What we are really dealing with is not so much a question of ‘privacy versus security,’ but a question of ‘security versus security.’” [Toronto Star]

EU Developments

UK – Investigatory Powers Bill Passes Parliament

Britain’s Parliament has passed the Investigatory Powers Bill, a controversial surveillance law that grants UK intelligence agencies what some have called “overreaching, draconian and intrusive” authority to snoop on citizens. The bill is expected to become law before the end of the calendar year. It compels Internet service providers (ISPs) to retain every customer’s browsing history for up to a year; grants intelligence agencies the authority to gather “bulk personal datasets,” which could include information belonging to individuals not associated with an investigation; and requires companies to decrypt information upon demand. [ZDNet | v3.co.uk | SCMagazine | Sweeping UK spy bill dubbed ‘snoopers’ charter’ becomes law | Snoopers’ Charter will face legal challenge as privacy groups decry mass surveillance regime | The Investigatory Powers Bill (Snoopers’ Charter) Is Here, Now What Do We Do? | How to avoid the UK’s new online surveillance powers] See also: [Germany planning to ‘massively’ limit privacy rights]

EU – Other Privacy News

Facts & Stats

CA – CRTC Signs Agreement with FTC to Fight Unlawful Robocalls and Caller ID Spoofing

Effective November 17, 2016, the CRTC signed a memorandum of understanding with the U.S. FTC on enforcing laws on:

  • automated telephone calls (“robocalls”); and
  • inaccurate caller identification (“caller ID spoofing”).

The agreement will allow both organizations to work more collaboratively on the growing threat that unwanted robocalls pose to citizens of both countries, and requires both the CRTC and FTC to share complaints and other relevant information, provide investigative assistance, and facilitate a mutual exchange of knowledge and expertise through training programs and staff exchanges. [CRTC – Memorandum of Understanding Between the United States FTC and the CRTC on Mutual Assistance in the Enforcement of Laws on Automated Telephone Calls and Inaccurate Caller Identification | CRTC Press Release | FCC Press Release]

Finance

CA – Supreme Court of Canada Holds that Bank Can Disclose Mortgage Discharge Statements to Creditors

Royal Bank of Canada appealed the decision of the Ontario Court of Appeal holding that PIPEDA precludes Scotiabank from disclosing a mortgage statement to RBC. The court overrules lower court decisions by holding that a reasonable mortgagor would be aware that a judgment creditor has a legal right to obtain information necessary to realize their right to recover the debt against the individual’s assets; a creditor should be entitled to a court order requiring disclosure of a mortgage discharge statement if it has obtained judgment, filed a writ of seizure and sale, had the debtor either refuse consent to the disclosure or fail to attend an examination, and served the debtor with a motion to obtain disclosure (PIPEDA does not bar such disclosures). [Royal Bank of Canada v. Trang – 2016 SCC 50 (CanLII) – Supreme Court of Canada]

US – IRS Looking for Bitcoin Users’ Identity, Have Analysts Concerned for the Currency’s Future

The IRS is searching for both the identity of Coinbase users and their transactional activity after evidence suggests they violated U.S. tax laws. “As indicated by the summons, two things are clear: one, the IRS has tracked bitcoin-related activity sufficiently to be able to determine that certain users may not be in compliance with tax law, and two, this activity has been traced back to Coinbase wallets.” The move ultimately has some wondering if bitcoin is “over… Although bitcoin was initially touted as an ‘anonymous’ currency, people who understand the technology have always known it’s actually easily trackable. This sweeping action by the IRS demonstrates why it’s important for the crypto world to be advancing both convenience and anonymity in its currency,” said Dash’s Eric Sammons. [Cointelegraph]

EU – ENISA Examines Insurers’ Assessment Criteria and Best Practices

ENISA issued recommendations for cyber insurance companies and cyber insurance customers. Assessment criteria include geographic spread of business (size, operations and revenue), business details (activities, outsourced functions and risk exposure), IT dependencies, processing of data (volume, sensitivity and liability), incident history, corporate social media presence, policy/claims history, and requested policy limit. A risk assessment is a best practice and should include review of dedicated resources (CISO), policies and procedures, employee awareness, incident response, security measures, vendor management and Board oversight. [ENISA – Cyber Insurance: Recent Advances, Good Practices and Challenges]

FOI

CA – Waits for Access to Information Get Longer in Alberta: Report

Albertans are facing increasingly lengthy waits for the province and its agencies to respond to information requests, says a newly published government report that was itself delayed by more than two years. The report reveals a worsening trend of failures to meet a legally mandated 30-day limit for fulfilling information applications. Newly released statistics from the 2014-15 fiscal year show the government and its agencies hit the deadline for 59% of the requests they received, while nearly a quarter of requests took 60 days or longer to complete. While offering plenty of statistics, the latest annual report offers little insight as to what factors might be behind the response times, such as a lack of FOIP staff, inadequate training, increased volume or complexity of requests, or heightened government scrutiny of requests. The report was released the same week as a new annual report from Information and Privacy Commissioner Jill Clayton, who also expressed confusion at the trend and speculated the government may not have enough FOIP staff. Regardless of what the reasons might be, Clayton said the government’s performance has Alberta “fast approaching a crisis situation” in information access. [Edmonton Journal | The Report | Access to information in Alberta nearing ‘crisis situation,’ FOIP commissioner says]

US – Yahoo Disclosed User Content in 1,115 US Gov’t Requests in First Half of 2016

Yahoo! provides its transparency report on requests for customer information from US and global government agencies between January 1, 2016 and June 30, 2016. The transparency report only includes government data requests. Yahoo received a total of 4,709 requests from US government agencies between January 1, 2016 and June 30, 2016, with most requests relating to criminal investigations; the company scrutinizes each request to ensure that it complies with the law, but may voluntarily disclose information where a disclosure without delay will prevent imminent danger of death or serious physical injury to a person. [Yahoo Transparency Report 2016]

Genetics

EU – Council of Europe Issues Recommendations for Non-Discrimination in Insurance Contracts

The Committee of Ministers for the Council of Europe issued essential principles to protect the rights of individuals whose personal data are processed for insurance purposes. Predictive genetic tests should only be used if authorised by law, and an independent assessment can confirm that individuals have provided free, express, informed consent, processing is specified, justified and proportional, the quality and validity of the data is in line with generally accepted scientific and clinical standards, and the data has a high positive predictive value. Family members’ health data, and data obtained from the public domain, or for research should not be processed for insurance purposes. [Council of Europe – Recommendation CM-Rec(2016)8 – Processing of Personal Health-Related Data for Insurance Purposes, Including Data Resulting from Genetic Tests]

Health / Medical

CA – OIPC NFLD Finds Physician Names, Specialties and Unique Numbers are not Personal Information

The Office of the Information and Privacy Commissioner of Newfoundland and Labrador reviewed a decision by the Department of Health and Community Services to deny the disclosure of records, pursuant to the Access to Information and Protection of Privacy Act, 2015. A physician’s name and specialty is considered professional or business information, and their gross billing information would not be an accurate representation of their income, such that it would reveal anything of a personal nature; for the purposes of the Access to Information and Protection of Privacy Act, 2015, physicians shall be treated as employees (not third parties), because they practice in the context of a contractual relationship with the government to perform services for the public. [OIPC NFLD – Report A-2016-019 – Department of Health and Community Services]

CA – OAIPC NB Finds 3 Health Custodians Jointly Responsible for Preventable Breach of PHI

A new OAIPC report investigates a privacy breach incident at a hospital pursuant to New Brunswick’s Personal Health Information Protection Act. An employee’s unencrypted and uncabled laptop was stolen from an unlocked office; notification was given to all affected patients, the OAIPC, and law enforcement (the OAIPC agreed it was burdensome to notify 78 other patients who were not easily identifiable). All 3 custodians agreed to undertake appropriate corrective measures: a joint committee establishing policies around devices holding PHI, and a mandatory policy for passwords/encryption on portable devices. [OAIPC NB – 2014-2214-H-640 – Case About a Laptop Containing Unencrypted Personal Health Information Stolen from a Hospital]

UK – DeepMind has Signed a Major New Deal With the NHS Despite Concerns About Patient Privacy

DeepMind, an AI lab acquired by Google for £400 million, has secured a landmark deal with the NHS, paving the way forward for the company’s growing healthcare division. Royal Free London NHS Foundation Trust announced on its website on Tuesday that it will start rolling out DeepMind’s Streams app to clinicians at its hospitals from early 2017. Under the new five-year partnership, DeepMind and the Royal Free intend to expand the app’s abilities so that it can be used to help doctors monitor and detect patients at risk of other conditions, including sepsis and organ failure. DeepMind’s work on the Streams app with the Royal Free was criticised by privacy campaigners in April when New Scientist published an article highlighting the extent of the data-sharing agreement between the two organisations. [Business Insider | DeepMind hits back at criticism of its NHS data-sharing deal | Google company’s access to NHS records raises privacy concerns | DeepMind’s cofounder defended a controversial data-sharing agreement with the NHS | ICO probes Google DeepMind patient data-sharing deal with NHS Hospital Trust | DeepMind NHS health data-sharing deal faces further scrutiny]

Horror Stories

US – Dept of Housing and Urban Development Breach of 600,000 Records

A Department of Housing and Urban Development website error led to the exposure of an estimated 600,000 users in August of this year, and victims have just heard of the breach via letters from the agency. While the breach only exposed the partial Social Security numbers and names of public housing residents, “some people who worked for employers that sought HUD/Empowerment Zone-related tax credits, including name, address and full or partial Social Security numbers, was also disclosed,” the letter states. The agency is offering those affected a year’s worth of credit monitoring. [Forbes]

UK – Three UK Suffers Data Breach After Hackers Obtain Employee Login

Hackers may have compromised the information of millions of Three UK customers after gaining access to an employee login. Three UK estimates hackers may have access to the information of two-thirds of its 8.8 million active customers after using the employee login to trigger bonus upgrades for premium smartphones in hopes of intercepting devices before they were delivered to customers. The customer data includes names, phone numbers, addresses and dates of birth. “We’re aware of an attempted fraud issue regarding upgrade devices and are working with police and relevant authorities on the matter. The objective was to steal high-end smartphones from Three, but we’ve already put measures in place to stop the fraudulent activity. We’d like to reassure customers that their financial details are not at risk,” Three UK said in a statement on Facebook. [TechCrunch | ZDNet | The Register]

Identity Issues

CA – OIPC AB Finds Public Body Inappropriately Disclosed Individual’s Address to the CRA

The Office of the Information and Privacy Commissioner in Alberta reviewed a decision by Service Alberta to deny access to records requested, pursuant to the Freedom of Information and Protection of Privacy Act. After a previous CRA request to the public body for an individual’s residential address, the public body contacted the CRA when the individual renewed her vehicle registration and provided a new address; the individual was not informed about the disclosure, and the CRA’s request for the information did not describe the nature of the investigation against the individual, how the address would be of assistance, or show that the CRA was authorized to obtain her address from the public body. [OIPC AB – Order F2016-41 – Service Alberta]

CA – Quebec Commission Finds Bank’s Collection of Personal Information Excessive for Identification Purposes

The Commission d’Accès à l’Information du Québec investigated a complaint alleging the unnecessary collection of personal information pursuant to the Act respecting the Protection of Personal Information in the Private Sector. The bank’s collection of notices of assessments was justified for the purpose of assessing a customer’s creditworthiness in relation to a credit application; however, the collection of a customer’s SIN, driver’s licence number and health card number for the purposes of identification is not proportionate to the intended use and sensitivity of the documents (e.g. health card is only to be used in relation to health services and SIN is not required if there is no tax implication). [CAI QC – Decision 061063 – Banque Nationale du Canada]

Law Enforcement

CA – RCMP Seeks Stronger Surveillance Capabilities from Prime Minister

The Royal Canadian Mounted Police is pushing the Prime Minister’s Office for the ability to circumvent digital roadblocks, including obtaining basic subscriber information without a warrant in matters of national security. RCMP Commissioner Bob Paulson said criminal activity is taking place with technology the police force cannot act upon. “Because of our inability — and the future inability — to protect Canadians, both from garden variety criminality and from the national security threat, I see that as really significant,” Paulson said. “I’m consumed with trying to make sure that we’re able to mitigate the threat.” In an op-ed for Motherboard, however, Jordan Pearson claims the RCMP is using the media to “create moral panic” on the topic of encryption. [CBC News]

CA – RCMP is Overstating Canada’s ‘Surveillance Lag’

The RCMP has been lobbying the government behind the scenes for increased surveillance powers on the faulty premise that their investigative powers are lagging behind those of foreign police services. The RCMP appears to have convinced the federal government to transform a process intended to curb the excesses of Bill C-51 into one dominated by proposals for additional surveillance powers. The RCMP’s proposal to bypass the courts — historic front line watchdogs of our policing agencies — in favour of direct police access to sensitive digital identifiers is reducible to a desire to save “time and paperwork.” Collectively, the RCMP lobbying efforts paint an image of crisis where none exists. Surveillance capacities of other countries are overstated, while the formidable powers already available to Canadian agencies are disregarded. Far from “going dark,” the amount of data available to policing agencies in Canada and abroad is at historic heights, making this truly the golden age of investigative surveillance. [The Star | The RCMP needs you scared — and the media seems happy to help | Canadian Media Is Selling Citizens Short In a Nationwide Surveillance Debate | The RCMP Is Using the Media to ‘Create Moral Panic’ About Encryption]

CA – Should Police Be Able to Force You to Hand Over Your Digital Passwords?

CBC News/Toronto Star demo a $450 device that cracks iPhones to explore existing investigative capabilities. Police say they need the power to compel suspects to hand over cellphone passwords and computer encryption codes in serious crime cases where potential evidence is hidden behind digital walls. But the proposal has not only provoked an outcry from civil liberties advocates, it has even caused division among police leaders. The idea is being floated in a federal government discussion paper and was endorsed by the Canadian Association of Chiefs of Police (CACP) as one measure to help investigators collect evidence on tech-savvy suspects who hide their identities and activities. But legal and civil liberties advocates warn that a law to compel the surrender of passwords flies in the face of the right to remain silent enshrined in the Charter of Rights and Freedoms. Micheal Vonn, policy director of the BC Civil Liberties Association, called it “a very radical proposal in Canadian law.” Obtaining a suspect’s passwords is only one way for police to access encrypted devices. Critics say law enforcement has developed many other techniques to bypass passcodes and data protections on encrypted phones. CBC News and the Toronto Star asked a local data forensics expert who has worked closely with law enforcement to demonstrate how he can use a device to get past a password.
[CBC News | RCMP can spy on your cellphone, court records reveal | Canadians want judicial oversight of any new digital snooping powers for police: Poll | RCMP boss Bob Paulson says force needs warrantless access to ISP user data | RCMP want new powers to bypass digital roadblocks in terrorism, major crime cases | Your cellphone password could hold the key in legal battle over collecting evidence | Canadians support police calls for more digital powers — with a catch: Toronto Star/CBC poll | Top Mountie lobbying PM for greater digital surveillance powers | Top-secret RCMP files show digital roadblocks thwarting criminal investigations in Canada]

CA – Canadians Want Judicial Oversight of New Digital Snooping Powers for Police: Poll

A CBC News/Toronto Star survey finds many willing to sacrifice some privacy under certain conditions. Nearly half of the respondents to an Abacus Data survey of 2,500 Canadians agreed that citizens should have a right to complete digital privacy. But many appeared to change their mind when asked if an individual suspected of committing a serious crime should have the same right to keep their identity hidden from police. Respondents were evenly split on whether police should be able to demand suspects or witnesses hand over passwords or codes to unlock devices and encrypted data. But support for granting police this authority increased to 77% if a judge is required to first approve a warrant. Less than half of respondents agreed communications providers should be forced to keep text, email, phone and internet records for two years to assist potential criminal investigations. But support jumped to 66% if access to the stored information is protected and police would need a judge’s order before accessing a suspect’s records. Opposition was strongest to the third proposed new power for police: access to basic subscriber information (such as a user’s name and IP address) without authorization from a judge. Most respondents (78%) said police should need judicial approval to ask a communications company for a person’s basic digital identity, and only 35% said they’d support a system where a senior police officer or prosecutor could sign off. The survey, conducted on behalf of CBC News and the Toronto Star, asked Canadians about their views on three specific proposals to expand police powers, which are raised in a federal discussion paper that’s part of a review of Canada’s Anti-Terrorism Act.
[Toronto Star | RCMP boss Bob Paulson says force needs warrantless access to ISP user data | RCMP want new powers to bypass digital roadblocks in terrorism, major crime cases | Top Mountie lobbying PM for greater digital surveillance powers | Top-secret RCMP files show digital roadblocks thwarting criminal investigations in Canada | The RCMP Is Using the Media to ‘Create Moral Panic’ About Encryption | Canadians support police calls for more digital powers — with a catch]

CA – Commercial Drone Operators Violating Privacy Could Face Criminal Charges

A law firm examines the current state of drones (“UAVs”) in Canada. Drones with cameras raise privacy concerns among the general public; PIPEDA’s consent obligation likely applies to drone footage, and there are criminal code provisions related to covert video surveillance, voyeurism and interception of private communications. Aeronautics fall under federal jurisdiction, but municipalities are starting to regulate the recreational use of drones in public areas (e.g. one B.C. municipality has banned drone flights in city parks and on school grounds). [Canadian Skies Abuzz – The Regulation of Drones and UAVs in Canadian Airspace – Kirsten R. Embree, Partner, and Jawaid Panjwani, Associate, Dentons]

Online Privacy

US – Civil Rights Leaders Fear BPD’s Social Media Tracking Will Target Blacks

Civil rights groups say they want answers from Boston police on how the department will use its $1.4 million social media tracking system — citing fears that it will broadly target young blacks and try to link them to gang activity. The concern is that police efforts to take down violent gangs — with predominantly minority membership — could mean an overly intensive focus on social media use by black youths, including both those who have nothing to do with gangs, and those who may have relationships with gang members but aren’t involved in crime. Advocates say they want police to reveal the search criteria for tracking Facebook and Twitter accounts, and report on the race and locations of people investigated or prosecuted via social media posts. BPD is due to award a $1.4 million contract by Dec. 5 for a system to “proactively alert personnel to threats communicated via social media and/or online open source and/or social media platforms.” [Boston Herald | Council seeks clarity from police on just ‘who is being monitored’ | McGovern: Constitutional dangers lurk in tracking of social media | Boston police set to buy social media monitoring software]

WW – Tor Project Creates Android Smartphone Prototype

The Tor Project has created a prototype of its Tor-enabled Android smartphone. The phone runs the Android firewall, OrWall, to protect user privacy by routing traffic over Tor, while blocking other forms of traffic. “The prototype is meant to show a possible direction for Tor on mobile,” Tor developer Mike Perry wrote in a blog post. “We are trying to demonstrate that it is possible to build a phone that respects user choice and freedom, vastly reduces vulnerability surface, and sets a direction for the ecosystem with respect to how to meet the needs of high-security users.” [Ars Technica]

WW – Firefox Focus Browser for iOS is All About Privacy

Mozilla has launched a new browser for iOS. Firefox Focus aims to protect users’ privacy. It blocks ad trackers, analytics trackers, and social trackers by default. All records of a browsing session can be deleted with one tap. [v3.co.uk | TechCrunch.com]

US – FTC Report Covers Rise of App-Based ‘Sharing Economy’ Platforms

The FTC released a new report detailing the rise of internet and app-based “sharing economy” platforms. The study, titled “The ‘Sharing’ Economy: Issues Facing Platforms, Participants, and Regulators,” addresses concerns from state and local regulators and stakeholders worried the sharing economy platforms give new entrants the opportunity to avoid regulations designed to safeguard consumers and promote public safety. “This report provides fresh insights about ‘sharing economy’ platforms that continue to disrupt traditional industries,” said FTC Chairwoman Edith Ramirez. “It is important to allow competition and innovation to continue to flourish, while at the same time ensuring that consumers using these online and app-enabled platforms are adequately protected.” [FTC] [Hogan Lovells Summary]

Privacy (US)

US – IoT Security Takes Center Stage at FBI, DHS, NIST and Congress

In light of recent attacks, there has been an increased focus on IoT security at the FBI, the U.S. Department of Homeland Security (DHS), the National Institute of Standards and Technology (NIST) and Capitol Hill. [Privacy and CyberSecurity Law | FBI Notification | DHS guidance | NIST guidance | A video of the hearing can be found here | White House and Homeland Security Publish Cybersecurity Guidelines for IoT Devices | NIST unveils Internet of Things cybersecurity guidance | DHS Release Principles For Securing Internet Of Things Amid Expanding Cyber Attack Vectors | Ambassador Sepulveda Urges Technology Industry to Ensure the Security and Interoperability of the Internet of Things | Online Trust Alliance Releases Privacy and Security Checklist for IoT Consumers | NIST scientists ‘nervous’ about lightweight crypto for IoT]

US – California AG Guidance for the Ed Tech Industry: 6 Recommendations to Protect Student Data Privacy

Just before the election, California Attorney General Kamala Harris provided a document laying out guidance for those providing education technology (“Ed Tech”). “Recommendations for the Ed Tech Industry to Protect the Privacy of Student Data” provides practical direction that operators of websites and online services used for K-12 purposes can use to implement best practices for their business models. Given the size of the California market, any guidance issued by the California Attorney General’s office should be carefully considered and reviewed. Ed Tech, per the Recommendations, comes in three categories: (1) administrative management systems and tools, such as cloud services that store student data; (2) instructional support, including testing and assessment; (3) content, including curriculum and resources such as websites and mobile apps. The Recommendations recognize the important role that educational technology plays in classrooms by citing the Software & Information Industry Association; the U.S. Market for PreK-12 Ed Tech was estimated at $8.38 billion in 2015. The data that may be gathered through Ed Tech systems and services can be extremely sensitive, including medical histories, social and emotional assessments and test results. However, according to the Recommendations, federal laws “are widely viewed as having been significantly outdated by new technology.” Attorney General Harris’ office provided six recommendations for Ed Tech providers, especially those that provide services in the pre-kindergarten to twelfth grade space.

  1. Data Collection and Retention: Minimization is the Goal
  2. Data Use: Keep it Educational
  3. Data Disclosure: Make Protections Stick
  4. Individual Control: Respect Users’ Rights
  5. Data Security: Implement Reasonable and Appropriate Safeguards
  6. Transparency: Provide a Meaningful Privacy Policy [Privacy and Security Matters]

Security

CA – Carleton University Recovering from Ransomware Attack

The university said it has made progress on restoring IT services after detecting “an attempt by an external group or individual to hack into the IT network.” However, it isn’t known how many PCs or servers were infected. At one point the university warned the community through its Web site that “any system accessible from the main network, that is Windows based, may have been compromised.” With their large student bodies and valuable research databases, universities are tempting targets. Some students — and universities — are willing to pay up rather than have the work on their computers be unreachable. Earlier this year the University of Calgary paid $20,000 for decryption keys after some 100 PCs or servers were hit by the malware. It isn’t clear, though, if the university had to use the keys or was able to recover the data either from backups or other ways. [IT World Canada]

US – Guidance for Defending and Responding to Ransomware Attacks

On November 10, 2016, the United States Federal Trade Commission issued basic ransomware guidance (How to defend against ransomware and Ransomware – A closer look) and an accompanying video (Defend against Ransomware) to help consumers and businesses defend against and prepare to respond to ransomware attacks. The FTC’s guidance cautions against paying a ransom, but acknowledges that a ransom payment might be necessary in some circumstances. The FTC’s guidance is consistent with other guidance from Canadian and United States regulators. An organization should prepare to respond to a ransomware attack by establishing and testing a detailed incident response plan that will enable the organization to make important technical, business and legal decisions in a timely manner. Those legal decisions may include whether the organization should give notice of the ransomware attack to regulators (e.g. privacy commissioners), affected individuals (e.g. customers), other organizations (e.g. business partners), stakeholders (e.g. shareholders and investors) and insurers. In many circumstances, an organization might have a legal obligation (under statute, generally applicable common or civil law or contract) to give notice of a ransomware attack. In addition, there might be important business reasons to give notice of a ransomware attack even if there is no legal obligation to do so. [BLG | FTC Announces New Guidance on Ransomware]

WW – Ransomware May Target ‘Smart Cities,’ Autonomous Cars

A ransomware attack recently hit the San Francisco transport agency, and the attackers asked for $70,000 to unlock the systems. The agency cleared its systems, but we may see many more attacks on public “smart” systems that use outdated or unpatched operating systems and firmware. Ransomware attacks have kept climbing over the past few years. Soon, ransomware may even target autonomous cars and other smart city systems as they become more commonplace. Right now, the biggest threat of insecure Internet of Things devices is that botnets can take them over and then use them in massive distributed denial of service (DDoS) attacks against large companies or organizations. However, ransomware could leverage the same vulnerabilities as well, especially if attacking them could lead to a whole city infrastructure being locked down. Cities are starting to adopt IoT devices [to] power transportation systems, information systems, power plants, water and electricity supply networks, law enforcement, and so on. Once these systems use insecure IoT devices that aren’t well supported, they can become easy targets for ransomware and other types of attacks, which could then create major disruptions in cities. [Source | Warding off the blues of ransomware | 12 Keys For a Ransomware Game Plan | Why it’s time to take new strategies for beating ransomware | San Francisco Rail System Hacker Hacked | SF Gate: Hacked Muni Refused $73,000 Ransom Demand; Computers Restored | SF Examiner: Alleged Muni ‘Hacker’ Demands $73,000 Ransom, Some Computers in Stations Restored | Info Mgmt News: Healthcare Is Prime Target of Gatak Trojan Malware]

WW – Are Images on Facebook Spreading Ransomware onto Devices?

Check Point researchers claim to have found a Locky ransomware variant doing the rounds on social media, using a unique mode of attack. However, Facebook denies that images on its service are hosting this ransomware [saying in a] statement: “This analysis is incorrect. There is no connection to Locky or any other ransomware, and this is not appearing on Messenger or Facebook. We investigated these reports and discovered there were several bad Chrome extensions, which we have been blocking for nearly a week. We also reported the bad browser extensions to the appropriate parties.” [Silicon Republic]

Smart Cars / IoT

US – NIST Issues Internet of Things (IoT) Guidance

After four years of research and collaboration with stakeholders, the National Institute of Standards and Technology recently released its final version of Special Publication 800-160 to provide much-needed guidance for securing IoT devices and systems throughout their entire life cycle. Special Publication 800-160 emphasizes the vulnerability of devices that rely on post-manufacture features such as firewalls, encryption and systems monitoring to ward off evolving and sophisticated cyber threats. Instead, the NIST encourages commercial and government technology developers to focus on simplifying design architecture and building out functional capability to counter threats, mitigate damage, and recover quickly from successful attacks. The guidance highlights engineering-based solutions and includes a range of technical standards and security principles to consider over the full life cycle of a product or system, including the development phase, upgrades and maintenance, and during retirement. This life cycle approach is intended to ensure that the IoT remains secure and that intellectual property and consumer personal data are also protected. [Privacy and Security Matters | Internet of Things (IoT) Security Takes Center Stage At FBI, DHS, NIST and Congress | White House and Homeland Security Publish Cybersecurity Guidelines for IoT Devices | NIST unveils Internet of Things cybersecurity guidance | DHS Release Principles For Securing Internet Of Things Amid Expanding Cyber Attack Vectors | Ambassador Sepulveda Urges Technology Industry to Ensure the Security and Interoperability of the Internet of Things | Online Trust Alliance Releases Privacy and Security Checklist for IoT Consumers | NIST scientists ‘nervous’ about lightweight crypto for IoT]

US – Experts Testify Before Congress About IoT Security

Experts told the US House Committee on Energy and Commerce that action must be taken to secure the Internet of Things (IoT). Among the ideas raised were consequences for manufacturers that release products with inadequate security; a federally-funded IoT testing laboratory; and a new federal agency focused on cybersecurity. The committee hearing was a post-mortem of the distributed denial-of-service (DDoS) attack against Dyn last month that caused a number of popular websites to experience temporary outages. [Computerworld | Darkreading | The Register | The Hill]

US – Google, Other Tech Giants Outline Ways to Improve IoT Security

Broadband Internet Technical Advisory Group (BITAG) laid out its recommendations for a rapidly growing industry within the world of online communication: the Internet of Things. BITAG recommends a handful of security standards for IoT devices, including timely, automated and secure software updates, password protection, and increased testing of customization options. The group also suggests implementing encryption best practices, plus the ability for these devices, particularly home alarm systems, to function if internet connectivity or the cloud fails. BITAG even wants to establish an industry cybersecurity program that includes a seal for certified “secure” devices. [BITAG | EnGadget | Internet of Things (IoT) Security Takes Center Stage At FBI, DHS, NIST and Congress | White House and Homeland Security Publish Cybersecurity Guidelines for IoT Devices | NIST unveils Internet of Things cybersecurity guidance | DHS Release Principles For Securing Internet Of Things Amid Expanding Cyber Attack Vectors | Online Trust Alliance Releases Privacy and Security Checklist for IoT Consumers]

US – Lyft Seeks Explicit Consumer Data Protection from NHTSA on Autonomous Vehicles

Lyft has released its extended comments on the National Highway Traffic Safety Administration’s guidelines on autonomous driving. While Lyft agreed with the NHTSA policy in several areas, the ride-hailing company’s primary complaint stems from the agency’s lack of data collection guarantees. Lyft claims the guidelines do not explicitly state the NHTSA is not interested in collecting consumer data, such as names, phone numbers, credit card info and usage data. “Ultimately, Lyft believes that assuring the public that the data the federal government is seeking on such vehicles is limited to maintaining the safety of the vehicle is key to gaining public acceptance. A belief that “big government” will be sifting through PII and collecting consumer ride history will erode public trust and inhibit public acceptance and adoption of this transformational technology,” the company said in its letter to the NHTSA. [TechCrunch]

US – CDT: NHTSA Should Take Lead in Smart Car Privacy, Security Regs

In a post for the Center for Democracy and Technology, CDT Policy Counsel Joseph Jerome discusses what roles agencies should take in creating privacy and cybersecurity regulations in smart cars. The National Highway Traffic Safety Administration should take the lead in regulating autonomous vehicles, he argues. It has sent mixed signals about whether privacy and cybersecurity are safety priorities and has been even less transparent on how it views driver privacy. “NHTSA must address important privacy considerations regarding driver data, such as when and how to de-identify data, enacting data minimization, and setting data retention limits,” Jerome contends. He also said the Federal Trade Commission should play a secondary role, ensuring it monitors any unfair or deceptive business practices with implementation of security measures, while the Federal Communications Commission should establish privacy and security standards in communication technologies used in autonomous cars. [CDT]

Surveillance

WW – Twitter to Crack Down on Third-Party Surveillance

Twitter announced in a blog post that it will “take on expanded enforcement and compliance efforts” to quell third-party surveillance and misuse of data on its site. “The post is likely to reassure Twitter users and civil liberties groups who are concerned about the use of social media as a surveillance tool” in the wake of reports that third parties use Twitter’s stream of real time data to identify protesters and others, then market their surveillance tools to law enforcement and authoritarian regimes. Twitter has already cut off “firehose” access to some of those companies. In response to questions about recent news of the FBI’s use of Dataminr, a Twitter representative said, “A narrowly tailored news alert product is available to some first responders, like the FBI.” [Fortune]

CA – CSIS Admits Reporters May Have Been Under Surveillance in the Past

A senior CSIS official admitted Monday the spy agency may have spied on the communications of Canadian journalists in the past. The admission comes weeks after Quebeckers were shocked to learn Montreal city police and Quebec provincial police had tracked communications of several high-profile columnists and investigative journalists in that province in attempts to find suspected leaks of information by police sources. It runs contrary to assurances offered by Prime Minister Justin Trudeau, Public Safety Minister Ralph Goodale, RCMP Commissioner Bob Paulson, and the country’s top spook, CSIS director Michel Coulombe, that federal agencies do not target journalists’ communications. [The Star]

CA – Govt Surveillance Overshadows Free Speech for Canadian Journalists

Mass surveillance causes reporters to avoid writing or speaking about some topics, according to a recent survey of journalists by Ryerson’s Centre for Free Expression (CFE). The survey, published Nov. 14, was prepared by Turk. A total of 129 Canadian writers and journalists volunteered to complete the survey between May 27 and June 20. Over 80% of respondents reported they were concerned about government surveillance of their communications and more than 90 per cent said they were concerned with government collection and analysis of metadata. [The Eyeopener | Read the survey: Chilling Free Expression in Canada: Canadian Writers’ and Journalists’ Views on Mass Surveillance | Canadian journalists push for ‘shield law’ to protect sources | ‘We were a bit naive’ about police surveillance, journalist panel says | Canadian police spied on reporters, raising questions of press freedom | Quebec must uphold freedom of the press | Why spying on the press damages our democracy]

US Legislation

US – Privacy Developments

Workplace Privacy

US – Law Prohibits Employers from Forcing Employees to Use Social Media

Illinois employers may be punished for violating state law starting next year if they coerce employees to use their own social media accounts to boost their company’s social media presence. The newly amended Right to Privacy in the Workplace Act makes it illegal for companies to ask or require employees to use personal social media profiles to join their employer’s online accounts. Rulings by the National Labor Relations Board state employers cannot restrict what employees post on their own accounts. “Employers cannot restrain the type of information an employee can post in their own personal online account, according to the NLRB,” Faegre Baker Daniels associate Sylvia B. St. Clair said. “And, as of Jan. 1, 2017, employers cannot request to access an employee’s personal online account or require an employee to authenticate their personal online account pursuant to this act.” [Cook County Record]

US – Privacy Debate Over Employee Wellness Programs Continues

The debate surrounding employee wellness programs and the corresponding privacy trade-off continues. More workplaces are requesting employees’ medical history details for wellness programs, offering cash incentives and insurance premium savings for participating. “Employees are giving up some aspect of their privacy and their personal health information,” Georgetown University Health Policy Institute Assistant Professor Dania Palanker said, adding some workers question “whether their privacy is worth the amount of money that is at stake.” Some health care professionals believe the fears associated with sharing medical information are overblown. “The allegation that somehow you’ve given your health information or your spouse’s health information to your boss and they’re going to use that against you, it’s just to scare people, it’s not real,” said Erisa Industry Committee Senior Vice President of Health Policy James Gelfand. [CNBC]

CA – OPC Commissioner Finds Company’s Disclosure of Employee’s Drug Test Results was Unnecessary

The Office of the Privacy Commissioner of Canada reviewed a complaint of inappropriate disclosure of an individual’s personal information by their employer, an international trucking company. The company disclosed the individual’s drug test results to the worker’s compensation board without his knowledge or consent (the individual had an active claim with the board following a workplace accident); although the drug test results were collected to fulfill the company’s substance abuse policy requirement, disclosure to the board for his claim and return to work process was not necessary to process his claim, and required his consent. [OPC Canada – PIPEDA Case Summary 2016-009 – Trucking Company Inappropriately Disclosed Employee Drug Test Results to WCB]

+++

5-17 November 2016

Biometrics

US – EPIC Sues FBI Over Biometric Database Records

The Electronic Privacy Information Center (EPIC) has filed a lawsuit against the FBI to force the bureau to release all relevant documents about its plan to share a huge amount of biometric information with the Department of Defense. The lawsuit concerns the FBI’s Next Generation Identification system, which comprises fingerprint, iris scan, and facial recognition data, and the bureau has been using it for several years. “With NGI, the FBI will expand the number of uploaded photographs and provide investigators with ‘automated facial recognition search capability.’ The FBI intends to do this by eliminating restrictions on the number of submitted photographs (including photographs that are not accompanied by tenprint fingerprints) and allowing the submission of non-facial photographs (e.g. scars or tattoos),” the EPIC lawsuit says. “The FBI also widely disseminates this NGI data. According to the FBI’s latest NGI fact sheet, 24,510 local, state, tribal, federal and international partners submitted queries to NGI in September 2016.” Privacy advocates, including EPIC, have said that the new database presents serious problems because of the high error rates seen with facial recognition systems. Also, the collection and storage of that data is a significant risk for the people whose information is in the database. [Source]

WW – INTERPOL Calls on Governments to Share Terrorists’ Biometric Data

In an effort to improve global security, INTERPOL’s General Assembly is urging governments around the world to share known terrorists’ biometric data. The move came after INTERPOL’s General Assembly convened for the 85th ICPO-INTERPOL General Assembly Exhibition in Bali, Indonesia this week. “In a statement, the global police agency said it currently possesses information about 9,000 terrorists, but that only 10 percent of its files feature biometric information, with INTERPOL Secretary General Jürgen Stock calling the lack of such data ‘a weak link’ in the prevention of terrorism.” [FindBiometrics]

WW – Researchers Develop Lip-Reading Tool with 93.4% Accuracy

University of Oxford Computer Science Department researchers have developed a tool called LipNet that can read lips with 93.4 percent accuracy. “Instead of analyzing footage of someone speaking on a word-by-word basis, LipNet goes one step further by taking entire sentences into consideration, using Deep Learning techniques to then backtrack and decipher each word… Running on a smartphone, fed a live feed from a body-worn camera, LipNet could serve as an amazing tool for the hearing impaired. Even if they already know how to lip read, it could help boost their understanding while watching someone speak.” [Gizmodo]

AU – Australia’s New Facial Verification System Goes Live

Australia’s federal police and foreign affairs department are now able to match a person’s facial image against records held by Immigration after the government sent the first phase of its new face verification service live. Last year the federal government handed over $18.5 million to fund the development of a national facial recognition system, proposed by state and federal police ministers and attorneys-general. The face verification service (FVS), which will complement the existing document verification service (DVS), is intended to reduce cross-border criminal activities by letting law enforcement agencies share citizens’ facial images to verify identities and identify unknown individuals. Justice Minister Michael Keenan today said the first phase of the platform – allowing DFAT and the AFP access to images on citizenship applications held by Immigration so they can verify identities – was now live. Other types of images such as visa and passport photos will be added over time, he said, with the government also currently talking to states and territories to bring driver licence images into the FVS. Access will also gradually be expanded to other police and security agencies such as ASIO and Defence. The federal Attorney-General’s Department is the lead agency for the capability and manages access. [IT News]

Big Data

AU – Australia Productivity Commission Calls for Greater Sharing of Datasets amongst Private and Public Sectors

The Australian government’s Productivity Commission issued a draft report on the benefits and costs of increasing the availability and use of public and private sector data (“Big Data”); comments are due by December 12, 2016. A new Data Sharing and Release Act could create a framework for the open release of non-sensitive datasets with few restrictions on their uses; for datasets that should not be publicly released, entities could apply for “trusted user” status, which would then make them eligible to access these restricted datasets. Individuals should have a right to opt-out of a process of data collection, however, this right to cease collection would not prevent the use of data already collected. [Data Availability and Use – Draft Report – Productivity Commission, Australian Government | Overview and Summary]

Canada

CA – CSIS: Agency Did Not Deliberately Violate Law When Holding onto Metadata

Canadian Security Intelligence Service Director Michel Coulombe released a statement saying the intelligence agency did not deliberately violate laws when it illegally held metadata on individuals who posed no security threat. The statement came after a federal court ruled CSIS violated the law by holding onto the metadata over a 10-year period. Coulombe said the data was collected legally using warrants, while adding the agency interpreted the CSIS Act in a way allowing it to retain the data. “The federal court has disagreed with this interpretation and we accept their decision. I would like to make it clear that the Service was not knowingly exceeding the scope of the CSIS Act,” Coulombe wrote. In related news, former Ontario Information and Privacy Commissioner Ann Cavoukian said the metadata should have been deleted from CSIS servers, and should not have been collected in the first place. [CBC News] [Spy agency declined to meet Federal Court judges to describe its methods] [Surveillance watchdog says C-22 not likely to be abused]

CA – Court Finds Federal Spy Agency Illegally Retained Metadata Indefinitely

The Canadian Security Intelligence Service applied to the Federal Court for amendments to conditions of draft warrant templates, pursuant to the CSIS Act. The agency retained phone logs and email trails of targets of past investigations, without informing the Court of its intention to do so (at the time it obtained warrants to collect the information) and in violation of its primary mandate (its jurisdiction is restricted to Canadian security threats); information retained must be assessed to determine if it is linked to an identified threat, or can assist with a prosecution, national defense, or international affairs, with all other information being destroyed. [In the Matter of an Application For Warrants Pursuant to the CSIA – Judgment and Reasons – 2016 FC 1105 | Summary]

CA – Quebec Announces Details of Inquiry into Surveillance of Reporters

A judge, a media lawyer and a former police chief … will preside over a 14-month public inquiry into police practices over the past six years, including allegations that calls from politicians led two police forces to spy on reporters. Justice Jacques Chamberland, of the Quebec Court of Appeal, will head the inquiry. A judge since 1993, he is a former Quebec deputy justice minister and deputy attorney general. The two other commissioners are media lawyer Guylaine Bachand and Alexandre Matte, a former Quebec City police chief. The commissioners will hold both closed-door and public hearings and are to publish a report by March 1, 2018. Their mandate will cover police activities beginning in May 2010, when the Supreme Court of Canada spelled out what judges should consider when asked by police to issue a warrant involving the identity of journalists’ sources. Quebec Premier Philippe Couillard announced the inquiry two weeks ago after a public uproar when several surveillance cases came to light. In one case, the SQ obtained six reporters’ phone records after then-Parti Québécois public security minister Stéphane Bergeron asked then-SQ director-general Mario Laprise to look into leaks to the news media about an investigation into union boss Michel Arsenault. In another case, Montreal police obtained a warrant to examine a La Presse reporter’s phone records after Mayor Denis Coderre asked police brass to look into how the reporter had learned Coderre had been given a $444 traffic ticket. [Montreal Gazette] See also: Media surveillance highlights privacy risk to all Canadians | How Montreal police were able to use legal means to track a journalist | How Canada’s Anti-Cyberbullying Law Is Being Used to Spy on Journalists | Quebec to hold public inquiry into police surveillance of journalists | ‘An unprecedented crisis’: Quebec government calls inquiry into spying on journalists by police | Quebec launches commission of inquiry into police spying on journalists

CA – Therrien: Tracking Journalists Highlights Bigger Privacy Issues

In an op-ed, Privacy Commissioner of Canada Daniel Therrien explains why the surveillance requests made against journalists affect not only the media but also the privacy rights of all Canadian citizens. Therrien writes the privacy of all Canadians has been put at risk since the adoption of Bill C-13, making it easier for law enforcement to obtain electronic surveillance records and metadata warrants, possibly revealing sensitive information about Canadian citizens, including political beliefs and sexual orientation. “Recent events also demonstrate the fact that warrants for metadata are not exclusive to individuals suspected of criminal activity. These warrants can involve innocent people believed to have had contact with a suspect under investigation for reasons that may have nothing to do with the commission of a crime,” Therrien wrote. In another op-ed for The Globe and Mail, Yves Boisvert takes a closer look at the privacy battle between the media and law enforcement. [The Globe and Mail]

CA – OIPC NL Orders Eastern Health to Strengthen Security

Following a privacy breach at Eastern Health, Newfoundland and Labrador’s Privacy Commissioner Donovan Molloy issued a report warning the health care organization to shore up its security procedures. Molloy’s report states the incident was “an intentional breach of patient information” when an unknown person illicitly accessed and printed personal health information. The information was obtained from the account of a doctor who failed to log out of patient information software. Molloy told Eastern Health to remind its staff going forward of the importance of logging out. The patient information consisted of patient names, MCP numbers, gender, age, the date they were admitted to the hospital, their attending physician, and the reason for their visit. [CBC News]

CA – OIPC NB Pushes for Mandatory Breach Reporting

New Brunswick’s Privacy Commissioner Anne Bertrand is pushing for stronger legislation to require government departments to report data breaches involving personal information. Bertrand’s request comes as the Liberal government plans to install changes to New Brunswick’s privacy legislation. While health care agencies must alert the commissioner when personal health information is stolen, government departments do not have any requirements to report incidents. Bertrand examined a list of 11 data breaches since 2013, and heard of some of the attacks for the first time. The majority of the incidents involved stolen laptops. “When I see this kind of thing, you almost make a case for an argument that the commissioner’s office be notified, because we can report on that,” Bertrand said. “Reporting on this publicly will encourage concrete actions to be taken.” [CBC News]

CA – OIPC NS Recommends Reforms to the Personal Health Information Act

The OIPC NS has recommended areas of improvement under the Personal Health Information Act. Recommendations to bring PHIA up to date include permitting a substitute decision maker to exercise any right or power conferred on an individual, and setting clear standards for breach identification and notification to affected individuals, health custodians, and the OIPC; provisions should also allow the OIPC to require any relevant record to be produced (regardless of whether the record is subject to the provisions of PHIA), exchange information with extra-provincial commissioners, and receive immunity from privacy-related lawsuits. [OIPC NS – PHIA Review Recommendations]

CA – BC Supreme Court: Production Order for Text Messages Violated Accused’s Charter Rights

The Court considers an application concerning the alleged unconstitutionality of certain provisions of the Criminal Code. The order allowed police to collect more information than a cell phone tracking or number record warrant, and should have required the higher standard of reasonable and probable grounds to believe; there was an expectation of privacy in the messages and billing records, the invasion of privacy was for a long period (4 months), and the content of the messages potentially revealed private “core biographical information” (e.g. personal friends, business interests or communications from counsel). [R. v. Grandison – 2016 BCSC 1712 – In The Supreme Court Of British Columbia]

CA – Quebec Court Orders Court Proceedings to Remain Temporarily Confidential

The Court considered a request for a safeguard order confirming the sealing and non-publication of any defamatory or identifying information about a Plaintiff in relation to his lawsuit against Defendant Google. The Court accepted a Plaintiff’s argument that publicizing court proceedings from his lawsuit against a search engine (stemming from allegedly defamatory and sensitive search results) would invade his privacy rights under the Quebec Charter of Rights and Freedoms; the Court ordered a prohibition on the publication of exhibits and evidence and the redaction of Plaintiff’s name from the court file, but denied his request for a permanent sealing of the file (the trial decision is permitted to be confidential for only 31 days). [AB v. Google, Inc. – 2016 QCCS 4913 – Superior Court of Quebec]

CA – OIPC BC Recommends Improvements to the Govt Use of Mobile Devices

The OIPC BC examined the management of mobile devices issued to employees by the B.C. Government, pursuant to the Freedom of Information and Protection of Privacy Act. There was no overarching privacy management program in place, and as a result mobile device usage assessments, reviews or audits were not conducted (there was a lack of capacity, expertise, resources and tools to provide such reviews); as a consequence, there was no personal information inventory (the types of personal information being stored on mobile devices were unknown), unauthorized personal devices were being connected to government servers, and the adoption of security controls and patches was being left to the end-user employee. [OIPC BC – Investigation Report F16-03 – Mobile Device Management in B.C. Government]

CA – OPC Canada Finds Gaps and Weaknesses in Government Agency’s Privacy Management Regime

The Office of the Privacy Commissioner of Canada conducted an audit of the personal information management practices of Employment and Social Development Canada’s Old Age Security Program. The agency did not use accredited or certified IT systems, employee access rights were not always removed on a timely or consistent basis, or limited to the minimum required to perform their duties, audit trails were not proactively reviewed, and electronic files were never deleted; the agency must modify and delete access rights consistently, review audit trails to ensure timely identification of inappropriate access, and implement new retention and disposal schedules. [OPC Canada – Audit of Employment and Social Development Canada’s Old Age Security Program]

CA – OPC Releases Tech Blog Series for Privacy Professionals

The Office of the Privacy Commissioner of Canada announced it has launched a Privacy Tech-Know series of blogs targeted toward privacy professionals looking to increase their technical awareness and knowledge. “The posts will help privacy professionals speak more confidently and accurately about new information technologies and their privacy implications. The series of blog posts planned for the coming months will cover everything from cookie contents to e-voting systems to license plate recognition,” the announcement read. The first entry, titled “Pay me to regain access to your personal information! Ransomware on the rise,” discusses the ransomware problem, which estimates say affects 1,600 Canadians per day. [priv.gc.ca]

Consumer

WW – New App from Cloud Insurance Wants Users to ‘Regain Control of Their Digital Footprints’

Sydney-based Cloud Insurance is developing Opt Out, an app that will put data access controls in on the spot, “automates data access permissions” and streamlines users’ ability to “invoke de-identifications rights.” “We need to reassure the public that privacy is not dead,” said Cloud Insurance’s Joanne Cooper. “Privacy is the third and missing leg of a three-legged stool and in the current digital environment we have to make consent, whether you opt in or opt out, central to the topic,” she said. The app ultimately aims to “simplify a complex aspect of the internet by making it easier for internet users to make informed decisions and regain control of their digital footprints.” [The Australian Business Review]

WW – Report: Digital Marketing Affecting Children’s Health, Privacy

The University of Liverpool has teamed up with the World Health Organization and several other organizations to produce a report regarding digital marketing toward children and the ways it affects their health. Digital marketers aim ads toward children for foods high in fats, salt and sugars. Since there are no effective regulations for digital media in many areas in Europe, children are exposed to ads through social media sites and online games. “Children have the right to participate in digital media; and, when they are participating, they have the right to protection of their health and privacy and to not be economically exploited,” said the University of Liverpool’s Dr. Emma Boyland. [EurekAlert]

E-Government

WW – Study: Governments Pose a Bigger Threat to Privacy than Companies

A study from the Montreal Economic Institute states governments are a bigger threat to privacy than companies. MEI economist Mathieu Bédard said companies gather information through mutual consent, while governments rarely ask individuals before collecting data. The study states it is more profitable for companies to retain information rather than selling it, while governments do not give citizens a choice when gathering information. For example, journalists discovered the RCMP decrypted 1 million private messages from BlackBerrys alone, while the number of intercepted communications by the government rose by 26 percent in 2015. “All of these revelations shatter the widespread prejudice by which companies are less respectful of privacy than governments are.” [Montreal Gazette] [MEI] [Media release: How far does secret government surveillance go?]

E-Mail

EU – European Commission Probes US on Yahoo Email Scanning Allegations

The European Commission has asked the U.S. about allegations of Yahoo scanning thousands of customer emails for law enforcement purposes. The European Commission is concerned the email scanning may be in violation of the Privacy Shield agreement. The commission is asking the U.S. for clarification on the allegations, while asking the U.S. to explain how the email scanning fits with its commitments to the agreement, even if the orders came before Privacy Shield was put in place. “The U.S. will be held accountable to these commitments both through review mechanisms and through redress possibilities, including the newly established ombudsperson mechanism in the U.S. State Department,” a European Commission spokesman said. [Reuters]

Encryption

WW – Encrypted Email Sign-Ups Rise After US Election

Sign-ups for Swiss-based encrypted email service provider ProtonMail are on the rise since last week’s U.S. presidential election. ProtonMail CEO Andy Yen wrote, “the number of new users coming to ProtonMail has doubled compared to the previous week.” Telegram, which provides end-to-end encrypted messaging, has also seen a spike in new users since last week. “We did notice more users than usual signing up for Telegram globally,” said Telegram co-founder Pavel Durov. Yen said the rise in new users worried about the incoming administration “really demonstrates that privacy isn’t just a liberal or conservative issue, it is something that we all need to champion, regardless of our political leanings.” He also noted this paradigm shift “could be a potent trigger to accelerate the development of Europe’s tech sector and decrease … dependence on the U.S.” [TechCrunch]

WW – WhatsApp Adds Encrypted Video Calling Amid Unsure Privacy Climate

WhatsApp is adding fully encrypted video calling to its messaging platform. The new feature comes as privacy advocates are concerned about enhanced government surveillance efforts under President-elect Donald Trump’s administration and news that Facebook’s revised privacy policy would access WhatsApp user data. WhatsApp co-founder Jan Koum said the video call feature will be rolled out to 180 countries after it is introduced at an event in India. Koum also said the company will remain committed to security after Trump’s victory. While a Trump administration may require companies such as WhatsApp to redesign their policies to better assist law enforcement investigations, Koum does not feel WhatsApp will be threatened, as many diplomats and officials use the app around the world. “It would be like them shooting themselves in the foot,” Koum said. [Reuters]

EU Developments

EU – French Advisory Commission Objects to Biometric Database

France’s independent advisory commission, CNNum, is calling for the suspension of the biometric database designed to hold the information of the country’s citizens. The group said the biometric database would be a “target of inestimable value” in a time where every system is vulnerable. CNNum also stated the database is a sign democracy is on the wane in both Europe and the U.S. The French Socialists objected to an earlier database proposal submitted by the center-right government in 2012. The Socialist government was able to pass the new database by government decree during a holiday weekend, without France’s National Assembly agreeing to the new proposal. [BBC News]

EU – Ireland’s DOJ Releases Consultation Paper on ‘Digital Age of Consent’

The Department of Justice published a consultation paper on the digital age of consent for online services offered to children. The paper states the rate of children using online services is high, but younger children may be vulnerable to online risks, such as abuse or cyberbullying. “When their physical or emotional safety and welfare is at stake, the need for adequate safeguards for children is beyond question. Parents and guardians have an essential role to play in this context and the best interests of the child remains the paramount guiding principle,” the paper states. The target age for the restrictions is 16, but member states can set it to as low as 13 years of age. Minister for Justice Frances Fitzgerald plans to bring a proposal on the topic to the cabinet later this year, ahead of the General Data Protection Regulation. [The Irish Times]

UK – ICO: Facebook Agrees to Suspend Use of WhatsApp User Data

The U.K. Information Commissioner’s Office announced Facebook has agreed to suspend its use of WhatsApp data collected from users in the U.K. “We’re pleased that they’ve agreed to pause using data from U.K. WhatsApp users for advertisements or product improvement purposes,” U.K. Information Commissioner Elizabeth Denham said in a statement. “If Facebook starts using the data without valid consent, they may face enforcement action from my office.” The ICO said consumers were not properly protected from the data sharing and asked the two companies to sign a plan to better explain the data sharing agreement to users. A Facebook spokeswoman said the company will work with the ICO to continue addressing any concerns. [Reuters]

Facts & Stats

WW – Study: Cost of Breach Rises to $7M

IBM-sponsored research by the Ponemon Institute has found that the overall cost of a U.S. company’s data breach has risen seven percent to total an average of $7.01 million. “On average, a single breach involved nearly 30,000 records, in a range of 5,125 to 101,520.” The study examined 64 companies and the majority of the breaches studied occurred in 2015. “The study did not include breaches involving more than 100,000 records because ‘they are not indicative of data breaches incurred by most organizations’ and would have artificially skewed the results.” The research also examined how these numbers compare globally, finding that the cost of a breach was highest in the U.S., with Germany coming in second at $5.01 million. [Yahoo News]

FOI

CA – IPC ON Orders Municipality to Release CCTV Footage of Fatal Collision

This IPC ON Order reviews the decision by the City of Ottawa to deny CCTV footage requested under Ontario’s Municipal Freedom of Information and Protection of Privacy Act. The IPC agreed that unblurred footage could reveal an individual’s PI (e.g. personal characteristics, their presence at the accident, their conduct and location); however, the blurred footage does not contain personal information, and police unsuccessfully argued that disclosure of the footage would interfere with an ongoing law enforcement investigation (a federal agency had concluded its investigation, and the police were not conducting a collateral investigation themselves). [IPC ON – Order MO-3358 – City of Ottawa]

Health / Medical

AU – Health Organisations in Australia Must Establish Protocols for the Use of Smartphone Cameras

An overview of the use of smartphone cameras in the Australian healthcare sector, pursuant to the Australian Privacy Principles of the Privacy Act 1988. A photograph can only be taken by a health practitioner with the voluntary, informed consent of the patient, and can be used and disclosed as part of providing clinical care and treatment to a patient; organisations should use systems that will prevent images being automatically uploaded to social media or back-up sites, ensure practitioners delete clinical images from their personal mobile device once saved onto a patient’s health record, and provide mandatory training to all administrative staff. [Smartphone Cameras in Health Practice – Beware the Privacy Issues – Joanne Hayes, Senior Associate and Marie Feltham, Special Counsel, DibbsBarker]

Horror Stories

WW – 412M Friend Finder Network Accounts Breached

A data breach of Friend Finder Network has exposed more than 412 million accounts spanning 20 years. The breached accounts include 339 million from AdultFriendFinder.com, more than 15 million “deleted” accounts that were not wiped from the company’s network, and 7 million accounts from Penthouse.com, which FFN sold to Penthouse Global Media in February 2016. The culprit hasn’t been identified, and Revolver “instead blamed users of an underground Russian hacking site” for the breach. [ZDNet] [Computerworld: Biggest hack of 2016: 412 million FriendFinder Networks accounts exposed | ZDnet: AdultFriendFinder network hack exposes 412 million accounts]

US – Car Dealership Data Exposed, Compromising Millions

The personal information of millions of people who recently purchased automobiles at over a hundred car dealerships across the country was discovered online. The information was held on a centralized record system built and operated by DealerBuilt. Security researchers at MacKeeper found 128 dealerships backed up their information on DealerBuilt’s central systems with no encryption or security protocols in place. Names, addresses, phone numbers and Social Security numbers, of both customers and employees, were among the data exposed online. The number of compromised records is currently unknown, but estimates put the number as high as five million. “This massive leak is just another painful lesson of what happens when private and sensitive data is stored without encryption or modern data security practices,” MacKeeper researchers wrote in a blog post. [ZDNet]

US – Job Recruitment Database Leaks Data on Millions

Millions of individuals who used global recruiting firm Michael Page had their personal information compromised when it was discovered a database had been left on the open internet. Capgemini, an outsourcing company, ran the exposed database, containing sensitive information such as the names, contact information, resumes and other personal data of numerous people who signed up with Michael Page. Security researcher and owner of Have I Been Pwned? Troy Hunt was made aware of the breach by a hacker who took a screenshot of a sample of the information. “Just the U.K. file was 780,000 people, and when you look at the list of how many countries are in there, and how big the U.K. is compared to everything else, you would assume that it’s lots of millions, if not more than 10 million,” Hunt said. [Motherboard]

Identity Issues

WW – Are Mobile Numbers the ‘Digital Equivalent’ to Social Security Numbers?

Cellphone numbers are increasingly becoming “key codes” to users’ information, and some analysts say that it is in many ways akin to a Social Security number. “The point is the cellphone number can be a gateway to all sorts of other information,” said the Federal Trade Commission’s Robert Schoshinski. “People should think about it.” The advent of the cellphone number also echoes that of the Social Security number, which “was never meant as a general-purpose identification number… But the strongest identifier and conduit to useful information is the cellphone number, which acts like ‘the digital equivalent of the Social Security number,’ said Affirm’s Max Levchin.” Where the two differ is their ability to protect against fraud. “What you can do with the cellphone number and mobile technology represents a pretty substantial advantage in the ongoing war against fraud and identity theft,” said venture investor Rajeev Date. [New York Times]

EU – Web of Trust Add-On Sold User Data Without Proper Anonymization

German broadcaster NDR discovered the firm behind the Web of Trust add-on sold user data without ensuring it was properly anonymized. WoT rates websites’ safety by using information provided by users. The add-on collects data through searched terms, sites users visit, and shared documents. NDR received information WoT sold to one firm, and found personal data including email addresses and phone numbers, making it easy to tie the information to browsing histories and other personal details. WoT said the breakdown was “unacceptable,” and will reform its data handling policies to win back the trust of its users. [BBC News]

EU – Spanish DPA Issued Best Practices for De-Identification of Personal and Confidential Data

The Agencia Española de Protección de Datos has issued guidance on anonymising personal data. The initial stage of the anonymisation process should identify data to be de-identified, determine retention periods, and conduct a pilot project to assess costs and any re-identification risks; anonymisation policies should include risk management objectives, team responsibilities, identification and classification of variables (i.e., what is sensitive and what can be eliminated), terms of access to anonymised data, and control measures. [DPA Spain – Guidelines on Anonymisation of Personal Data]

EU – EMA Issues Guidance on Anonymization in Clinical Trials

The European Medicines Agency (EMA) issued guidance on the implementation of its Policy 0070 on the publication of clinical data for medicines, including with respect to anonymization of clinical reports for publication. Balancing subject privacy and transparency presents drug manufacturers with a difficult task—how to increase transparency of clinical studies while also attenuating the risk of subject reidentification. In its guidance, the EMA discusses three approaches to anonymization of clinical reports:

  • Masking – Described as the simplest method, masking is accomplished with a redaction tool that scrubs specified information.
  • Randomization – Randomization changes the data so it is less identifiable to an individual.
  • Generalization – This method dilutes the “attributes of the data.” For example, an individual’s name could be substituted with an age range.

These anonymization techniques can be used separately or in combination. These techniques are consistent with the Article 29 Working Party’s Opinion 05/2014 (WP216) on Anonymisation Techniques. [Data Protection Report]
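The three approaches applied in combination to a handful of constructed records, as an added example that is not taken from the EMA guidance or the report cited above. The field names, the ±3-day noise, the 10-year age bands and the group-size check on (age, site) are assumptions chosen for illustration.

```python
import random
from collections import Counter

# Constructed sample records (not real trial data); field names are hypothetical.
RECORDS = [
    {"subject_id": "S-001", "name": "Alice Example", "age": 34, "site": "Lyon",  "visit_day": 12, "outcome": "responder"},
    {"subject_id": "S-002", "name": "Bob Example",   "age": 37, "site": "Lyon",  "visit_day": 15, "outcome": "non-responder"},
    {"subject_id": "S-003", "name": "Carol Example", "age": 31, "site": "Lyon",  "visit_day": 9,  "outcome": "responder"},
    {"subject_id": "S-004", "name": "Dan Example",   "age": 52, "site": "Porto", "visit_day": 20, "outcome": "responder"},
    {"subject_id": "S-005", "name": "Eve Example",   "age": 58, "site": "Porto", "visit_day": 7,  "outcome": "non-responder"},
    {"subject_id": "S-006", "name": "Finn Example",  "age": 55, "site": "Porto", "visit_day": 30, "outcome": "responder"},
    {"subject_id": "S-007", "name": "Gina Example",  "age": 71, "site": "Lyon",  "visit_day": 18, "outcome": "responder"},
]

# Indirect identifiers an outsider might already know about a subject (assumption).
QUASI_IDENTIFIERS = ("age", "site")


def mask(record, fields=("subject_id", "name")):
    """Masking: redact direct identifiers outright."""
    out = dict(record)
    for field in fields:
        out[field] = "[REDACTED]"
    return out


def randomize(record, rng, max_shift=3):
    """Randomization: add bounded noise so the published value no longer
    matches the source exactly (here, the visit day)."""
    out = dict(record)
    shift = rng.randint(-max_shift, max_shift)
    out["visit_day"] = max(0, record["visit_day"] + shift)
    return out


def generalize(record, width=10):
    """Generalization: replace an exact age with the band that contains it."""
    out = dict(record)
    low = (record["age"] // width) * width
    out["age"] = f"{low}-{low + width - 1}"
    return out


def anonymize(records, seed=None):
    """Apply all three techniques to copies of the records."""
    rng = random.Random(seed)
    return [generalize(randomize(mask(r), rng)) for r in records]


def group_sizes(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Count how many records share each combination of quasi-identifiers."""
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in records)


def smallest_group(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """A value of 1 means at least one subject is unique on those fields."""
    return min(group_sizes(records, quasi_identifiers).values())


def below_threshold(records, k=2, quasi_identifiers=QUASI_IDENTIFIERS):
    """Return records whose group is smaller than k; these still stand out
    after anonymization and need wider bands or suppression."""
    sizes = group_sizes(records, quasi_identifiers)
    return [r for r in records
            if sizes[tuple(r[q] for q in quasi_identifiers)] < k]


if __name__ == "__main__":
    published = anonymize(RECORDS, seed=7)
    print("smallest group before:", smallest_group(RECORDS))
    print("smallest group after: ", smallest_group(published))
    for row in below_threshold(published):
        print("still unique:", row)
```

The 71-year-old subject remains the only record in its age band at that site, so the combination of techniques lowers the risk for most subjects without removing it for outliers.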

Internet / WWW

WW – Forrester’s Privacy Heat Map Highlights EU’s Impact on Regulations

Market research company Forrester has updated its data privacy heat map to highlight data protection guidelines and practices in 54 countries. The 2016 update looked back at the past five years of assessments and noted three high-level trends. The three trends included countries such as Nigeria, Argentina and Japan looking toward Europe as the standard for data protection, the General Data Protection Regulation affecting legislation both inside and outside the EU, and efforts to strengthen surveillance that undermines data protection laws. “In a world where privacy has become a competitive differentiator for multinational organizations, businesses must increasingly work with their general counsels and chief privacy officers to understand global data privacy requirements, implementing controls that protect personal data accordingly,” Sherman writes. [Forbes]

WW – Study Ranks Android Apps by Tracker Use

An Opera study of 60 companies in 10 countries has ranked Android apps by their use of data trackers. It found that Bukalapak and OLX “were the worst in terms of how many tracker requests they sent to users’ smartphones.” “Sharing data like bank account information through unsecured Wi-Fi networks can increase the risks of hacking and cybercrime,” said Sergey Lossev of the Opera Max app in the study. “A lot of users give up information without their realization; like when they shop online through their mobile phones.” The report added that “both companies say using trackers in applications is common practice in Indonesia and elsewhere.” [Business Standard]

Law Enforcement

US – FBI Can Access Most of the Encrypted Devices it Faces During an Investigation

During a public meeting in Washington on Nov. 11, FBI General Counsel Jim Baker said that the agency is able to access most of the locked computers or mobile phones it encounters during investigations. Analyzing data from the 2016 fiscal year disclosed by Baker, Motherboard calculates that the FBI can crack 87 percent of devices it interacts with. “The fed’s argument is that unbreakable encryption is stumping criminal investigations, making them harder, if not impossible, to sometimes access important evidence on a suspect or a victim’s phone or computer… The numbers disclosed by Baker on Friday, which have never been published before, seem to indicate that the reality, however, is a little different.” The FBI has yet to confirm or deny the accuracy of Motherboard’s calculations. [Motherboard] [Cops Have Given The FBI 6,814 iPhones They Couldn’t Access In 2016]

CA – Top-Secret RCMP Files Show Digital Roadblocks Thwarting Criminal Investigations in Canada

The RCMP has provided unprecedented access to the Toronto Star and the CBC in an effort to make its case that antiquated laws and diminished police powers in the digital age are allowing suspected terrorists, drug gangs and child abusers to operate beyond the law. Journalists from the two media outlets have reviewed the details of 10 high-priority cases after clearing RCMP security checks for access to “top-secret” information. In each case, investigators were stonewalled by legal and technical obstacles in accessing digital evidence, the Mounties say. Most of the suspects remain at large. These cases stand at the centre of an emerging national debate. Police argue they are on the losing side of a digital divide, while on the other side are tech-savvy criminals who are shielded by impenetrable encryption, telecommunication companies and technology manufacturers. Privacy advocates argue that police have never before had such powers of surveillance and that they have failed to provide evidence that the public’s safety is in jeopardy. The audience is Canadians who are alarmed to learn that some criminals are increasingly beyond the reach of the law. They are equally alarmed by the recent Federal Court ruling that denounced the national spy agency, CSIS, for illegally gathering the private information of Canadians, and by news that Quebec police forces intercepted and tracked the cellphones of as many as 10 journalists to discover their sources. [Toronto Star] See also: Secret Bans, Secret Trials: The Canadian ‘No-Fly’ Lists  | Bill C-51: Less Free Speech, Undermines De-radicalization | The ‘New’ CSIS Brings Secret Police to Canada | Curbs Needed on Sweeping Powers to Spy on Canadians | The RCMP Is Using the Media to ‘Create Moral Panic’ About Encryption | Top Mountie lobbying PM for greater digital surveillance powers | RCMP boss Bob Paulson says force needs warrantless access to ISP user data

Online Privacy

WW – Facebook to Stop Ads from Targeting Users Based on Race, Ethnicity

Facebook has announced it will prohibit advertisers from targeting or excluding users based on race and ethnicity. “We are going to turn off, actually prohibit, the use of ethnic affinity marketing for ads that we identify as offering housing, employment and credit,” said Facebook VP of U.S. Public Policy Erin Egan. She also said advertisers must affirm they will not use discriminatory ads on the site. Facebook will offer educational materials to help advertisers become familiar with their new obligations. The changes come shortly after Facebook met with New York Attorney General Eric Schneiderman, Rep. Robin Kelly, D-Ill., the Congressional Black Caucus, Rep. Linda Sanchez, D-Calif., and the Congressional Hispanic Caucus. Egan said the company recently had a “constructive dialogue” with other advocacy groups as well, including the American Civil Liberties Union and Center for Democracy & Technology. “In light of these concerns that have been raised, we are taking this step,” she added. [USA Today]

WW – Google Cracking Down on Websites’ End-Runs Around Security

Google is paying attention when websites take the easy way out of complying with its Safe Browsing terms. If a site is deemed unsecure, users will see warnings in most browsers. Webmasters can ask to have the warnings removed once they have brought their sites into compliance. Google was finding that some sites make changes to get the warnings removed, but quickly revert to unsecure practices. Google’s Safe Browsing rules now include a “repeat offender” category. “Repeat Offenders are websites that repeatedly switch between compliant and policy-violating behavior for the purpose of having a successful review and having warnings removed.” Webmasters of sites identified as repeat offenders must now wait 30 days before requesting a review. [Computerworld: Google punished web backsliders in Chrome]

Other Jurisdictions

HK – HK Privacy Commissioner Signs Privacy Research Declaration

At the Barun ICT Research Conference 2016 & Asia Privacy Bridge Forum in Seoul, South Korea on Nov. 2, the Hong Kong Office of the Privacy Commissioner for Personal Data, the Korea Internet & Security Agency, Barun ICT Research Center, and others from the Asia-Pacific privacy community signed the Asia Privacy Bridge Forum Joint Declaration 2016, the PCPD announced in a press release. The declaration aims “to strengthen privacy research and education as well as policy cooperation in [the] Asian region.” The declaration “reflects the recognition of our commitment to balancing the free flow of information and personal data privacy protection from our international counterparts,” said Hong Kong Privacy Commissioner for Personal Data Stephen Kai-yi Wong. “I shall be very glad to share our experience in law enforcement as well as promotion and education on data protection in Hong Kong, and explore common interests in joint research topics and policy cooperation initiatives.” [PCPD.org]

Privacy (US)

US – FTC Announces Changing Consumer Demographics Workshop

On Dec. 6, the FTC will host a workshop in Washington examining the changes in consumer demographics, the agency announced in a statement. “According to the U.S. Census Bureau, the population is getting older and more racially and ethnically diverse… Understanding our changing communities will be necessary as the FTC continues its efforts to combat unfair and deceptive practices affecting all consumers.” The workshop will tackle questions of what “the consumers of the future” will look like and how tactics to reach them and protect them from fraud will change. Pre-registration is not required and the event is free and open to the public. Those interested in sharing research should reach out to the workshop team, the report adds. [FTC.org]

US – Court: Incorrectly Identifying Individual as Terrorist in Consumer Report Constitutes Concrete Harm

The Court considered Trans Union, LLC’s request for de-certification of two alleged violations in a class lawsuit brought under the Fair Credit Reporting Act. A consumer reporting agency wrongly described an individual as a terrorist, ascribing to him a criminal record that he did not have, and failing to provide him with access to his file; there is core harm in sharing erroneous and damning information about an individual, even if only narrowly disseminated (the report was only shared with a prospective landlord). Preventing a customer from monitoring their file presents a risk of real harm, which can satisfy the requirement of concreteness. [Patel v. Trans Union LLC – Case No. 14-cv-00522-LB – United States District Court Northern District of California]

US – Adobe Settles with States for 2013 Data Breach

Adobe has reached a settlement with the states that sued the company following its 2013 data breach. Adobe will pay $1 million, to be divided evenly between the 15 states, while also enacting stronger security protocols. The states sued Adobe after the breach, claiming it did not take “reasonable security measures” to properly protect the data. “Consumers should have a reasonable expectation that their personal and financial information is properly safeguarded from unauthorized access,” said Connecticut Attorney General George Jepsen, who also praised Adobe for cooperating with the states while the settlement was reached. “Companies have a responsibility to consumers to protect their personal information, and this settlement will ensure Adobe establishes stronger safeguards in the future,” said Illinois Attorney General Lisa Madigan. [ConsumerAffairs]

Security

US – Indiana County Government Will Pay to Remove Ransomware

After ransomware hit the IT systems of the Madison County, Indiana, government, the county commissioners voted unanimously to pay the ransom. The attack shut down county services for days. The county’s insurance company, Travelers, is covering the cost of the ransom, less a deductible. In a separate story, the Lansing (Michigan) Board of Water & Light acknowledged that it paid $25,000 to regain control of its accounting and email systems earlier this year. [Arstechnica | Networkworld]

Smart Cars / IoT

US – Court: Collection of Data from Logging Devices in Commercial Vehicles is Lawful

The Owner-Operator Independent Drivers Association Inc. et al. argue that the US Department of Transportation Rule requiring installation of electronic logging devices in interstate commercial motor vehicles is contrary to the law. Data collected from the devices (installed in all vehicles required to maintain hours of service records) is intentionally limited in scope – exact vehicle locations are not collected, and recordings are only made when the vehicle is turned on, when the duty status changes, and once per hour while driving; drivers and motor carriers are responsible for maintenance and storage of the data (not the Dept. of Transportation), and personal information is redacted before release of the data (e.g. for civil litigation). [Owner-Operator Independent Drivers Association Inc. et al. v. US Dept. of Transportation et al. – Petition – US Court of Appeals for the 7th Circuit]

US – White House and DHS Publish Cybersecurity Guidelines for IoT Devices

Two independent IoT (Internet of Things) cybersecurity publications were released by the White House and the Department of Homeland Security, covering guidelines and principles for creating IoT devices with in-built security measures, as well as recommended protocols for implementing such measures. The Obama administration ‘rushed’ the NIST publication a month ahead of the planned release, primarily due to the escalated urgency surrounding cybersecurity for IoT devices following last month’s major Distributed Denial of Service attack that disabled parts of the United States’ internet infrastructure. Both publications are aimed at guiding cybersecurity measures at the design and manufacture stage rather than at the user level. That brings with it the cost factor, the biggest question being: can device manufacturers be incentivized enough to make it worth their while to spend time, money and effort on incorporating security hardware and software on their devices? The guidelines themselves target the fundamentals and system lifecycle processes for device manufacture, and provide guidelines for incorporating security protocols as part of the product lifecycle itself. The Homeland Security publication goes a step further and addresses the issues from an industrial consumer standpoint. The purpose of these publications is to initiate a high-level awareness and evoke a sense of urgency in implementing the guidelines and principles outlined in them. As of now, the FCC has said it is not likely to enact any mandatory standards for IoT cybersecurity, but with IoT now permeating through critical industrial areas such as power production, medical technology and transportation infrastructure, the longer things stand the way they are, the greater the risk of such systems being compromised. [Source] [NIST unveils Internet of Things cybersecurity guidance | DHS Release Principles For Securing Internet Of Things Amid Expanding Cyber Attack Vectors]

Surveillance

WW – Pre-installed Phone Software Transmitted User Information to China

Security firm Kryptowire discovered certain Android phones had pre-installed software that sends user data to China every 72 hours. Shanghai Adups Technology Company wrote the software and said it is on more than 700 million phones, cars and other smart devices. The software transmitted users’ text messages, contact lists, call logs, location information, and other data to a Chinese server. While Adups intentionally designed the software to monitor user behavior, it was never meant to make its way to the U.S. American phone manufacturer BLU Products said 120,000 of its devices had the software, and has offered updates to remove the feature. BLU’s Chief Executive Samuel Ohev-Zion said Adups told him all the information collected from his customers has been destroyed. [The New York Times] [Budget US Android smartphones found secretly sending personal data to China | Android Phone Maker Ignored Researchers’ Warnings That Their Phones Had Backdoor]

WW – Is Social Media the ‘New Front in Warfare’?

Motherboard has published two reports on how governments are increasingly viewing social media as “a new front in warfare” and tool for the military. A global conference in London with senior military and intelligence personnel reveals social media can be an intelligence source on civilian populations and enemies and a channel for propaganda to influence public opinion. A separate Motherboard article reports on how spies use social media — Tinder, for example — to infiltrate activist groups. Though infiltrating activist groups is nothing new, the crop of personal information found on social media can be used to manipulate and socially engineer intelligence targets. [Full Story]

US – Art Installation Explores Surveillance

Student photographer at SUNY New Paltz Connor Henderson displayed the photos of students taken without their consent for an installation exploring surveillance and privacy. “We all had to create installations involving the ideas of ‘public v.s. private’ and ‘surveillance,’ so the project itself was for a class, [but] the idea for the project and the concept behind it came from me,” Henderson said. He added that he conspicuously took “hundreds of photos” of campus-dwellers walking through the school’s academic quad, but “not one person asked me what I was doing,” he said. “I feel like most people just don’t really realize how much surveillance we have in our society,” he continued. “We really are always being watched.” [The New Paltz Oracle]

US Government Programs

US – Federal Executive Branch Agencies Must Notify Congress of Major Incidents

The US Office of Management and Budget (OMB) released its 2017 FISMA Guidance to government agencies. The newest version of the document defines a major cyber incident as “any incident that is likely to result in demonstrable harm to the security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.” Major cyber incidents must be reported to Congress. The guidance defines any breach that exposes records of more than 100,000 to be a Major Breach, even if the other requirements are not met. The guidance also requires use of the NCCIC Cyber Incident Scoring System, which is new. [Federal News Radio: OMB tries again to define a major cyber incident | FCW: White House tweaks incident reporting in FISMA memo | Whitehouse.gov: OMB Memo: Fiscal Year 2016-2017 Guidance on Federal Information Security and Privacy Management Requirements]

US Legislation

US – Legislative Roundup

 

+++

 

28 Oct – 04 Nov 2016

Biometrics

US – Judge Rejects Facebook’s Constitution Argument in Biometrics Case

U.S. District Judge James Donato presided over a hearing on a motion to dismiss the Facebook biometrics case. Facebook is currently facing three lawsuits claiming it violated the Illinois Biometric Information Privacy Act and another class action in California. The social network’s attorney Lauren Goldman has argued the Supreme Court’s recent Spokeo decision declared plaintiffs cannot sue unless they demonstrate concrete injury, as shown in Article III of the Constitution. Donato rejected Goldman’s argument, but pressed class attorney Rafey Balabanian to describe what kind of privacy injury came from Facebook’s biometric data collection. The judge said if he does decide for Facebook’s motion to dismiss the lawsuits, he will likely remand two of them back to the state jurisdictions in which they started. [Courthouse News Service] See also: A California court has held that a violation of the California Invasion of Privacy Act is, in itself, a concrete and particularized harm.

Big Data

US – Colleges Paying 50¢ per Student to Gain PI for Admissions Decisions

Just as companies pay for consumer data to make informed decisions, it turns out, colleges and universities do the same, according to a report by non-partisan think tank New America. The report, called “The Promise and Peril of Predictive Analytics in Higher Education,” detailed the ways in which colleges pay for student data. For less than 50 cents a name, colleges glean student data from third-party groups. The College Board, which administers the SAT, the ACT, and the National Research Center for College and University Admissions (NRCCUA) all collect student information that schools pay for. All three are non-profits. The students’ demographic information is then used for “predictive analytics,” a little-known x-factor that colleges often use for enrollment management. The process pulls a multitude of data points into a model that predicts the probability a particular student will apply to a school, choose to attend after they’ve been accepted, or perform well once enrolled. The third parties also have their own predictive models that colleges can pay for, which can include around 300 different data points on students. The report also explained how colleges rank students based on this data. Admissions teams individually score students’ likelihood of becoming an applicant, being admitted, and deciding to enroll, usually on a scale of 0-10 based on factors like race and ethnicity, zip code, high school, and anticipated major, according to the authors. Predictive analytics raises questions about discrimination. [Business Insider]

Canada

CA – BC Supreme Court Compels Newspaper to Disclose Information Related to Professional Association Investigation

The BC Supreme Court considered a motion to quash production orders issued by the Law Society to a journalist and his employer newspaper in relation to an internal investigation. The Legal Profession Act, which includes subpoena powers, applies to non-lawyers, and the production order issued by a law society to the newspaper and journalist for purposes of investigating a member’s conduct was reasonable; the order was not seeking the petitioner’s PI or proprietary corporation information, the petitioners’ article placed the information in the public domain, and the regulation of professions is a compelling objective. [Mulgrew v. The Law Society of British Columbia – 2016 BCSC 1279 – In The Supreme Court of British Columbia]

CA – Professional Regulatory Bodies in Saskatchewan Should Consider De-Identification of Published Disciplinary Decisions

The Office of the Information and Privacy Commissioner in Saskatchewan has issued guidance on publication of disciplinary decisions by professional regulatory bodies. Decisions published on websites of regulatory bodies may contain sensitive personal information or personal health information (wrongdoings, opinions about members, physical or mental health information); staff should consider de-identification of names and other identifiable information (especially of witnesses, complainants, affected individuals), and determine that documents only contain personal information that the regulatory body has the authority to disclose. [OIPC SK – Guidance for Professional Regulatory Bodies – Transparency of Discipline of Members]

CA – OIPC SK: Administrative Tribunals to Redact PI When Posting Decisions

The OIPC SK has examined administrative tribunals’ decisions that are published on the internet. Tribunal decisions can involve sensitive issues such as alleged wrongdoings and traumatizing incidents. Key advice for tribunals:

  • determine whether including all PI is necessary when posting a decision
  • ensure staff know about what can and cannot be done with PI
  • notify citizens that some PI may be published online (prior to commencement of the proceedings)
  • if publishing a decision online, consider de-identifying or removing PI or writing the decision in such a way that the parties are de-identified and the least amount of PI is disclosed.

[OIPC SK – Decisions of Administrative Tribunals – How Much Is Too Much?]

CA – OIPC NS Recommends Reforms to the Personal Health Information Act

The Office of the Information and Privacy Commissioner recommends areas of improvement under the Personal Health Information Act. Recommendations to bring PHIA up to date include permitting a substitute decision maker to exercise any right or power conferred on an individual, and setting clear standards for breach identification and notification to affected individuals, health custodians, and the OIPC; provisions should also allow the OIPC to require any relevant record to be produced (regardless of whether the record is subject to the provisions of PHIA), exchange information with extra-provincial commissioners, and receive immunity from privacy-related lawsuits. [OIPC NS – PHIA Review Recommendations]

CA – OPCC: Political Parties Need Rules for Collecting Canadians’ Data

Canada’s privacy watchdog said the absence of rules for political parties collecting Canadians’ data is a “gap” that needs fixing. Parliament needs to address political parties’ ability to operate outside Canada’s privacy safeguards, the federal privacy watchdog says. Currently there are no rules governing how political parties collect and use sensitive personal information about Canadians, such as political beliefs, family composition, and financial information. Privacy Commissioner Daniel Therrien has argued for the need for oversight into parties’ data activities. But Therrien isn’t arguing just for oversight — he wants some basic rules. The Star reported that a House of Commons committee is considering looking into how political parties use data harvested from millions of door-to-door interactions, fundraising drives, and other interactions with citizens. Very little is known about the extent of parties’ data operations. All three major parties — Liberals, Conservatives and the NDP — have either recently overhauled their database programs or are in the process of doing so. But all of these data operations are running with, at most, voluntary privacy policies and practices with no independent oversight or governing rules. Therrien said that the kind of information collected by parties is among the most sensitive information Canadians hold. It’s not only internal misuse that’s a danger, the privacy commissioner said. Successive privacy commissioners have done everything they could to move the issue forward, Therrien said, and it remains up to parliamentarians to “actually do something about it.” [The Star]

Consumer

WW – FOC Releases Cybersecurity Guidelines Protecting Human Rights

The Freedom Online Coalition has released new policy recommendations for human rights-based cybersecurity strategies. The recommendations are targeted toward policy makers and others in the cybersecurity industry, covering issues such as user security online and offline, responding to cyber threats, encryption, and anonymity. “These recommendations are a first step towards ensuring that cybersecurity policies and practices are based upon and fully consistent with human rights — effectively, that cybersecurity policies and practices are rights-respecting by design,” reads the guideline’s preamble. The recommendations received the support of all 30 FOC government member states. The U.S. and Canadian governments and industry representatives such as Mozilla have also backed the guidelines. [APC]

E-Mail

US – NIST Issues Draft eMail Security Guidance

The US National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE) has released draft guidance on email security. The document describes several technologies that, if adopted, could increase the security of email communications. Comments will be accepted through December 19, 2016. [Uncle Sam emits DMS email security guide – now speak your brains] [DNS-Based Secured Email] See also: [Why do people still use email — or at least not secure it?]

EU Developments

EU – Article 29 WP Offers Tentative Support for EU-US Umbrella Agreement

The Article 29 Working Party, in a “revealing statement,” offered signs of support for the EU-U.S. Umbrella Agreement, while also delivering recommendations to ensure the act complies with EU law. The WP29 supports the initiative in creating a general data protection framework to bolster trans-Atlantic cooperation and in protecting and sharing data for law enforcement investigations. While the WP29 said the Umbrella Agreement “considerably strengthens the safeguards in existing law enforcement bilateral treaties with the U.S., some of which were concluded before the development of the EU data protection framework,” the group added that clarification may be needed for the agreement to be consistent with EU law, specifically since personal data and data processing have different definitions in EU and U.S. law, and restrictions on individuals’ rights to access their data are broad. [Hogan Lovells’ Chronicle of Data Protection]

EU-U.S. Umbrella Agreement Gets ‘Amber Light’ from Article 29 Working Party

The Article 29 Working Party has issued a revealing statement about the so-called EU-U.S. Umbrella Agreement, which is aimed at creating a high-level data protection framework in the context of transatlantic cooperation on criminal law enforcement. While broadly supportive, the Working Party intends to monitor whether the Umbrella Agreement fully satisfies key data protection requirements and whether it is in compliance with Article 7 and Article 8 of the Charter of Fundamental Rights of the European Union. It also recommends requesting further assurances from the US government explaining and confirming the scope of redress rights granted to data subjects in the EU through the Judicial Redress Act, how records from US law enforcement agencies are exempted from the application of the Privacy Act, and the compatibility of these practices with the Umbrella Agreement. The Working Party adds that clarification may be needed to ensure that the level of protection of personal data afforded by the Umbrella Agreement is fully consistent with EU law, particularly given that:

  • The concepts of “personal data” and “data processing” are differently defined by US and EU law.
  • The data retention period is insufficiently strictly defined in relation to the purpose pursued.
  • The restrictions on individuals’ access rights are very broad.
  • Access could be improved by the establishment of an indirect access right mechanism.

Once the Agreement is approved by the European Parliament, the Working Party intends to continue to monitor its implementation and oversight measures to ensure that the rights afforded are effective. As part of this exercise, the Working Party undertakes to follow future developments in legislation and in the courts in the U.S. and the EU. This statement by the Working Party follows its recent announcement that it had created a working group for enforcement actions on organisations targeting several member states, which is yet another sign of the growing international ambitions of the EU data protection authorities. [Source]

EU – Personal Information Management Systems Can Support Data Protection Principles: EDPS

The European Data Protection Supervisor has explored the concept of personal information management systems (“PIMS”). PIMS are technologies and ecosystems that use local or cloud-based storage to empower individuals to control the sharing of their personal data, using security and data protection as the main drivers (e.g. cryptography, data minimisation and anonymisation); PIMS use consent management and automated mechanisms to achieve the objective of allowing users to define at a granular level how their PI should be used and for what purposes, and enable them to track the way the PI is used. [European Data Protection Supervisor – Opinion 9/2016 on Personal Information Management Systems | Press Release]

UK – ICO UK Issues Code of Practice on Privacy Notices

The UK Information Commissioner’s Office has issued key recommendations to develop a clear and effective privacy notice, including:

The GDPR’s rules on notice are more detailed and specific than in the Data Protection Act (e.g. information must be concise, transparent, intelligible and easily accessible, written in clear and plain language, particularly if addressed to a child, and free of charge), but data controllers may still consider where the information should be displayed in different layers of a notice; use a privacy notice checklist (i.e. what to include, where to give the notice, when to give the notice, and how to give the notice), and then test it, roll it out and continuously review it. [Information Commissioner’s Office, United Kingdom – Privacy Notices, Transparency and Control: A Code of Practice on Communicating Privacy Information to Individuals]

UK – ICO Recommends Personal Liability of Directors for Breaches of Data Protection Law

At a recent Parliamentary meeting to discuss the draft Digital Economy Bill, the UK Information Commissioner recommended imposing personal liability and accountability upon company directors. If such liability is imposed, it will mark a radical departure from the current law, under which directors of companies generally have no personal liability or accountability for breaches of data protection law committed by their companies. The ICO’s recommendations to the Committee:

  • Reviewing the Bill against the GDPR, to ensure that the new requirements imposed by the Bill are consistent with the GDPR – in particular, the new rights afforded to individuals.
  • Putting the ICO’s Data Sharing Code of Practice and Direct Marketing Code of Practice on a statutory footing, effectively giving those Codes the force of law (whereas currently they are merely guidance).
  • Obliging companies to make their data sharing activities transparent at two levels, by requiring them to: (i) ensure that the purposes of the data sharing, and how it will occur, are made clear either at the point of collection of data, or in ways that are easily accessible by individuals; and (ii) implement safeguards and transparency in line with the ICO’s Privacy Notice Code of Practice.
  • Ensuring that data sharing, whilst beneficial for public interest reasons, is always kept proportionate, minimised as far as possible and undertaken in accordance with the Data Protection Act 1998.
  • Ensuring that the requirement for age verification does not result in an open-ended approach that allows the relevant websites to take large amounts of personal data from individuals. Secure and accredited third party providers of age verification systems should be used to ensure that the bare minimum of data are disclosed to such website owners.
  • Lowering the threshold for the requirement of ‘harm’, in relation to nuisance calls, to make it easier for the ICO to take enforcement action and issue fines.

[Whitecase.com | Regulator seeks further enforcement powers in its fight against nuisance marketing | Lexology]

EU – Other EU Developments

Facts & Stats

CA – Tracking of Journalist Highlights Need for Guidance to Courts: Privacy Czar

Parliament has a role to play in instructing the courts on when to grant police a warrant to obtain sensitive data, privacy commissioner Daniel Therrien told a House of Commons committee this week. “This is a very worrisome issue,” Therrien said under questioning at a meeting of the Commons information, ethics and privacy committee, which is conducting a review of the federal Privacy Act. … “It’s one thing to say that the courts are involved,” Therrien said. “That’s a good start. But this case leads me to believe that that’s not adequate in itself. It may be useful to give the court tools so that they’re better able to exercise their power.” Among Therrien’s recommended revisions to the federal privacy regime is a call for agencies involved in law enforcement to publish regular reports on the requests they make to telecommunications companies for information about subscribers. Therrien noted that many communications outlets produce such transparency reports about the data they hand over to police and spies. “It’s one thing for companies to do it. But the ones who should really be transparent are those who ask for and use the information,” he said. Montreal-based La Presse newspaper said this week it had learned at least 24 surveillance warrants were issued for columnist Patrick Lagace’s iPhone this year at the request of the city’s police service. Three warrants reportedly authorized police to get the phone numbers for all Lagace’s incoming and outgoing texts and calls, while another allowed them to track the phone’s location via its GPS chip. [National News Watch | Police surveillance of journalist ‘worrisome’: Senator Pratte | Premier promises greater protection of journalists, sidesteps call for inquiry | Privacy czar decries tracking of journalist]

US – Washington State Attorney General Releases Data Breach Report

The personal information of at least 450,000 Washington state citizens was compromised between July 2015 and July 2016, according to a report from Attorney General Bob Ferguson. The report highlights the 39 data breaches that affected at least 500 individuals as part of the stricter notification rules adopted by the state in 2015. While most breaches affected fewer than 10,000 individuals, T-Mobile reported an incident where an intruder received the sensitive information of nearly 330,000 people. “Information is power, and this new law gives my office and Washingtonians valuable information about potential risk to their personal information and their businesses,” Ferguson said. “Data breaches are a serious threat to our security, and my office can use this information in our efforts to protect the people of Washington.” [Full Story]

Filtering

WW – 70 Rights Groups Urge Facebook to Clarify Its Content Removal Policies

In a letter sent to Facebook, more than 70 rights groups have called on the organization to explain its content removal policies, “especially at the behest of governments.” The missive alleges Facebook has removed content concerning police violence or war imagery, the report states. “When the most vulnerable members of society turn to your platform to document and share experiences of injustice, Facebook is morally obligated to protect that speech,” the letter said. While a Facebook spokeswoman said it was reviewing the letter, the company is still facing “international scrutiny amid several controversial takedowns and reversals in recent months, including the company’s handling of an iconic Vietnam War photo showing a naked girl burned by napalm,” the report adds. [Reuters]

FOI

WW – Google Releases Transparency Report for First Half of 2016

According to Google’s most recent transparency report, which covers the first six months of 2016, it received nearly 45,000 requests for information regarding more than 76,000 accounts from governments around the world. While the volume of government requests for data that Google receives has risen, the proportion of those requests it complies with has remained steady at about 64 percent. The report also notes that the FBI lifted a gag order on a National Security Letter issued in the second half of 2015. [Google discloses FBI inquiry | Government Requests for Google User Data Rise Steadily | Building on Surveillance Reform (Google blog)]

CA – Ontario Health-care Watchdogs Making Cautions Issued Over Mistakes or Bad Behaviour Public

Ontario’s health-care watchdogs are lifting the veil of secrecy surrounding cautions given to dentists, nurses, pharmacists and others for mistakes or improper behaviour. Doctors’ cautions became public last year. Until recently, cautions — such as those issued for drug-dispensing errors or delays in sending patients for crucial followup appointments — were kept secret from the public, including future patients who, critics say, deserved to know the track record of each health professional. The decision was prompted by a 2013 Toronto Star investigation. Since the Star stories, Ontario’s health regulatory colleges have been developing measures that would tell the public when their members receive cautions. There are now 26 colleges that regulate the province’s more than 300,000 health-care professionals. Most colleges have decided to post cautions publicly on their websites, while three are considering proposals to do so. The College of Physicians and Surgeons of Ontario began making cautions public last year. [The Star]

Genetics

US – NIH-Funded Genetic Sequencing Project Filled with Privacy Concerns

A National Institutes of Health-funded genetic sequencing project is offering parents of newborns the opportunity to discover if their infants are more likely to have genetic conditions, but privacy concerns have emerged. Researchers are using the BabySeq project to determine whether discovering a child’s genetic makeup could benefit their health or increase health care costs. However, any results from the genetic sequencing will permanently go on a child’s medical record. Federal law prohibits health care providers and workplaces from discriminating on the basis of medical conditions, but life insurers can use the information to determine who receives a policy. “It really gave me pause that this would be part of the medical record that private companies would have access to,” said Lauren Patrick, a parent who declined to participate in the project. “That was my full stop in the end.” [Full Story]

Horror Stories

AU – 550,000 Blood Donors’ Data Leaked in Red Cross Blood Service Breach

Australian Red Cross Blood Service CEO Shelly Park has said that a mistake made by a contractor in charge of the organization’s website led to the accidental publication of more than 550,000 blood donors’ personal information on a public-facing, unencrypted development section of the site. The data was accessed and sent to Microsoft’s Troy Hunt, who “reported the person who gained access to the information had contacted him, revealing [his] own personal details and a 1.74GB data file containing the records,” the report states. Park said the organization was looking into the breach and notifying those affected, with Australian Privacy Commissioner Timothy Pilgrim announcing his office’s own investigation. [The Sydney Morning Herald]

Internet / WWW

EU – Merkel: Internet Platform Algorithms Need More Transparency

German Chancellor Angela Merkel is pushing internet platforms to be more transparent with their algorithms. Merkel believes the lack of transparency harms debating culture and advocates for internet users to have a means by which to find out how they received information through search engines. “I’m of the opinion that algorithms must be made more transparent, so that one can inform oneself as an interested citizen about questions like ‘what influences my behaviour on the internet and that of others?’” said Merkel. “Algorithms, when they are not transparent, can lead to a distortion of our perception, they can shrink our expanse of information.” [The Guardian]

UK – Company Says It Can Determine Voters’ Personality to Help Target for Campaigns

Cambridge Analytica CEO Alexander Nix claims that the company can “determine the personality of every single adult in the United States of America,” and the Trump campaign is paying “millions of dollars” for the company’s assistance. “The firm says it can predict how most people will vote by using up to 5,000 pieces of data about every American adult, combined with the result of hundreds of thousands of personality and behavioral surveys, to identify millions of voters who are most open to being persuaded to support Trump,” the report states. Some are critical that the company can do that successfully. Yale University’s Eitan Hersh, author of “Hacking the Electorate,” argues that Cambridge Analytica’s claims are “basically impossible … You can do better randomly guessing.” [The Washington Post]

WW – Facebook Tool Allows Advertisers to Target, Exclude ‘Ethnic Affinities’

Facebook allows advertisers to tailor ads to exclude or target groups it dubs “Ethnic Affinities.” The Civil Rights Act of 1964 and the Fair Housing Act of 1968 make such moves illegal, the report states. “This is horrifying. This is massively illegal,” said civil rights lawyer John Relman. “This is about as blatant a violation of the federal Fair Housing Act as one can find.” Facebook representatives said they would be moving the “Ethnic Affinity” category out of the “Demographics” section of its ad-building tool. “We take a strong stand against advertisers misusing our platform: Our policies prohibit using our targeting options to discriminate, and they require compliance with the law,” said Facebook Privacy and Public Policy Manager Steve Satterfield. [ProPublica]

Law Enforcement

CA – Montreal Cops Have Tracked a Journalist’s Cellphone for the Past Year

On Monday Montreal newspaper La Presse published details on surveillance warrants, at least 24 in total, obtained to surveil journalist Patrick Lagacé. …Lagacé, who works at La Presse, had been in contact with Faycal Djelidi, a Montreal police officer under investigation for a number of crimes, including perjury and obstruction of justice. When Lagacé’s number popped up on Djelidi’s phone, the Montreal police obtained the initial surveillance warrants for the journalist’s device. …The case, just one of many instances of Canadian cops investigating journalists in recent years, shows how willing police are to compromise journalists’ protection of their sources, La Presse said in a statement. [Vice.com | ‘A Detrimental Chilling Effect’: VICE Pushes Back in Legal Fight With Canadian Police – April 29, 2016 | Media Coalition and Civil Liberties Groups Granted Say in VICE Case Against RCMP – October 27, 2016 | How Canada’s Anti-Cyberbullying Law Is Being Used to Spy on Journalists | Montreal police spied on La Presse journalist Patrick Lagacé | La Presse columnist says he was put under police surveillance as part of ‘attempt to intimidate’ | We’re spied on more often than you think, journalists groups say | 3 other journalists allegedly under surveillance by Montreal police | Police surveillance scandal: Quebec tightens rules for monitoring journalists]

US – On-Demand Cell Phone Searches Hurt Teenagers on Parole

Should law enforcement get an all-access, long-term pass to a teenager’s cell phone, just because he or she had a run-in with police? That question is in front of California’s highest court, and in an amicus brief filed earlier this month, EFF and the three California offices of the ACLU warned that it was a highly invasive and unconstitutional condition of juvenile parole. In this case, a teenager known in court documents as Ricardo P. admitted to two cases of burglary. One condition of his parole was that he submit his phone to search at any time, whether by his probation officers or any peace officer, even though his phone use had nothing to do with the commission of the crimes. But the U.S. Supreme Court has ruled that you cannot treat personal electronic devices so cavalierly. In 2014, the court in Riley v. California recognized that government searches of cellphones implicate personal privacy in ways that few things do, and rejected the government’s claims that cellphones can be searched without a warrant. After all, cell phones contain the sum of all of our lives, including our religious views, our sexual orientations, our health conditions, our physical movements throughout the day, and more. And the privacy implications go far further than the individual juvenile on parole. Everyone the child talks to also has personal information that is exposed to law enforcement. An on-demand search without any probable cause is like letting the government have a long-running wiretap—unprecedented for a probation condition for a juvenile. [EFF]

Offshore

US – FedRAMP Improvements Made

FedRAMP (the Federal Risk Authorization and Management Program) has streamlined the process cloud services companies must go through to be approved, which has increased the number of authorized services. FedRAMP has also implemented a new dashboard that is easier for federal agencies to use. [Federal News Radio: FedRAMP overhaul begins paying dividends]

Online Privacy

WW – How Despots Use Twitter to Hunt Dissidents

Twitter’s ‘firehose’ of a half billion tweets a day is incredibly valuable—and just as dangerous. …if Twitter provides a rare outlet for criticism of repressive regimes, it’s also useful to those regimes for tracking down and punishing critics. There have been dozens of Twitter-related prosecutions in Saudi Arabia, according to Human Rights Watch. Twitter is still popular in Saudi Arabia but it no longer hosts much dissent. Activists are careful to tweet in coded language, if they tweet at all. “People don’t openly discuss important things on Twitter anymore,” says Ali Adubisi, a Saudi human-rights activist. “Twitter is totally different, totally silent, totally weak.” [Bloomberg]

WW – Company to Pull Plan to Price Car Insurance Based on Facebook Posts

Admiral has been forced to scrap plans to use Facebook posts to analyse the personalities of car owners and set the price of their insurance after the social media company said the scheme breached its privacy rules. In an embarrassing U-turn, the insurance firm pulled the product less than two hours before it was due to officially launch. The product, called firstcarquote, was launched later with “reduced functionality”: users can log in to the product with Facebook but it will no longer analyse their data. Facebook said protecting the privacy of its users was of the “utmost importance” and that it had clear guidelines about how information obtained from the site should be used. Privacy campaigners welcomed Admiral’s reversal but said that it was only the start of other companies trying to use personal data in a similar way. The scheme would be voluntary and not apply price increases to drivers deemed to be more risky. [The Guardian]

Privacy (US)

US – Judge Rejects Settlement Over Surveillance of Muslims by NYPD

A federal judge has rejected the settlement of a lawsuit stemming from the New York Police Department’s surveillance of Muslims, saying the proposed deal does not provide enough oversight of an agency that he said had shown a “systemic inclination” to ignore rules protecting free speech and religion. In January, Mayor Bill de Blasio, a Democrat, agreed to appoint a civilian lawyer to monitor the department’s counterterrorism activities as a means of settling two lawsuits accusing the city of violating the rights of Muslims over the past decade. But the judge, Charles S. Haight Jr., in an opinion published on Monday, said the settlement did not go far enough for an agency that had become “accustomed to disregarding” court orders. “The proposed role and powers of the civilian representative,” Judge Haight wrote, “do not furnish sufficient protection from potential violations of the constitutional rights of those law-abiding Muslims and believers in Islam who live, move and have their being in this city.” The decision means lawyers for both sides will have to negotiate changes to the settlement or fight the lawsuit in court. Jethro Eisenstein, a civil rights lawyer in the case, said he and his colleagues planned to discuss the ruling with city lawyers. [New York Times]

US – Judge Rules Anxiety Cannot Be Used To Claim Damages

Plaintiffs in a class-action lawsuit against Barnes & Noble stemming from a 2012 data breach were able to prove their standing, but could not adequately claim they suffered damages. The plaintiffs claimed the book chain invaded their privacy and violated several laws after the incident where cyber criminals hacked Barnes & Noble PIN pad terminals. The plaintiffs’ original complaint was shot down in 2013, and their amended complaint was also rejected by a judge last month. “Plaintiffs did allege monetary harm such as costs associated with renewing identity protection monitoring services,” said Reed Smith Associate Brian Willett. “But the court found that those claims, in addition to suffering anxiety based on the PIN pad tampering, were insufficient to support the suit.” In other news, an appeals court ruled the victims of a Nationwide Insurance data breach do not need to establish their standing to prove they are in danger. [Penn Record]

US – Anthem Breach Victims File Class Action, Seek OPM Audit Data

Victims of the 2015 Anthem data breach have filed a class-action lawsuit against the health insurer. Plaintiffs are also asking for information on an audit conducted by the U.S. Office of Personnel Management on the state of Anthem’s network security. The OPM first conducted an audit in 2013, but Anthem turned down the agency’s request to conduct tests, with the company citing “corporate policy” issues. The OPM conducted its second audit following the breach, but the findings were not released to the public. The plaintiffs claim if the audit discovered security vulnerabilities, then Anthem had the ability to prevent the cyberattack, making it important for the information to be made public. [Modern Healthcare]

Security

WW – Study: One-Third of Targeted Breaches Succeed While Majority of Execs Say their Infosec Practices Work

An Accenture survey of 2,000 security officers from large enterprises worldwide has found that one-third of targeted breaches against companies are successful, but three-quarters of executives are still confident in their infosecurity practices. “To survive in this contradictory and increasingly risky landscape, organizations need to reboot their approaches to cybersecurity,” the report, entitled “Building Confidence: Facing the Cybersecurity Conundrum,” states. “Ultimately, many remain unsure of their ability to manage the internal threats with the greatest cybersecurity impact even as they continue to prioritize external initiatives that produce the lowest return on investment.” Focusing mainly on data protection law compliance isn’t enough to protect data, the study adds. Meanwhile, a BDO USA survey of 160 companies has found that 74% of directors say that their boards are increasingly discussing cybersecurity issues. [Bloomberg Technology]

US – Report: Private Sector Must Incorporate ‘Active Defense’ Into Cybersecurity Efforts

The GW Center for Cyber and Homeland Security has released a report detailing the private sector’s role in implementing cybersecurity protocols. “Into the Gray Zone: The Private Sector and Active Defense Against Cyber Threats” explains why the private sector is responsible for defending itself against attacks while the government will offer assistance by providing a framework for incorporating “active defense” into cybersecurity methodology. “These activities fall into two general categories, the first covering technical interactions between a defender and an attacker. The second category of active defense includes those operations that enable defenders to collect intelligence on threat actors and indicators on the internet, as well as other policy tools that can modify the behavior of malicious actors,” the report states. In other news, research firm Forrester predicts the next president will face a cyber crisis within the first 100 days of his or her term. [Lawfare]

Smart Cities

US – D.C. Plans Streetlights That Save Money, Offer Wi-Fi, Help with Parking

D.C.’s technology office envisions a Washington with streetlights that not only have a motion detector but also offer Wi-Fi and live video of every street in the city, and trash cans that let the city know when they need to be emptied. There are more than 71,000 streetlights in the District, not all of them working. Chief Technology Officer Archana Vemulapalli is leading an effort to convert all of them to smart technology hubs that will one day bring free Wi-Fi to students who don’t have internet connectivity at home, provide police with real-time video of every street in the District and allow the District’s Department of Transportation to monitor and regulate traffic from one remote location. [NBC]

Surveillance

WW – Holiday Shoppers’ Appetite for New Smartphones Comes With Steep Data Privacy Price

A new research study released by Blancco Technology Group, “Holiday Shopping: When Smartphone Upgrades Go Wrong in a BYOD Workplace,” reveals that 68% of mobile users plan to purchase a new smartphone during the holiday shopping season. But new smartphones and insecure mobile data practices will come with a steep data privacy price – both for smartphone owners and their employers. Key findings from the study include:

  • Promotional incentives and discounts sway holiday shoppers to ditch old phones.
  • Data privacy fears don’t halt holiday shoppers’ plans to trade in and resell old phones.
  • Customer records, patent filings and system login credentials top the list of corporate data loss fears.
  • Despite fears of credit card numbers, company emails and customer lists being exposed, 72% of mobile users automatically connect to available WiFi connections and 76% connect to company networks.
  • Keeping mobile data safe is a thorny issue for users and employers. Over half (56%) of the surveyed mobile users reported storing both personal and corporate information on their smartphones.
  • However, 42% of mobile users said their company does not have visibility into which types and quantities of corporate data are stored on their smartphones. [Newswire]

Telecom / TV

US – FCC Approves New Internet Data Privacy Rules

The US Federal Communications Commission (FCC) has approved new rules aimed at protecting sensitive consumer data. The rules require broadband providers, including Verizon, Comcast, and AT&T, to obtain customers’ permission before sharing data the FCC has deemed to be sensitive. These data include precise geo-location; financial information; health information; children’s information; web browsing and app usage histories; and contents of communications. ISPs also must be clear about what information they collect and with whom they share it. [FCC ruling means users must ‘opt in’ to let data be sold | FCC approves new privacy rules for ‘sensitive’ internet data | FCC imposes new consumer privacy rules on ISPs | The FCC just passed sweeping new rules to protect your online privacy | FCC Adopts Privacy Rules to Give Broadband Consumers Increased Choice, Transparency, and Security for Their Personal Data] SEE ALSO: [The FCC’s new privacy rules are toothless]

 

+++

16 – 27 October 2016

Biometrics

Facebook Class-Action Asks Court to Decide on Facial-Recognition Tool

Here’s what we know: Every time you tag a friend in a Facebook photo, Facebook stores their image in its database. And here’s what we’re about to find out: whether that’s an illegal violation of users’ privacy. This week, a class-action lawsuit alleging that the world’s largest social network is violating its users’ privacy will enter phase two. Specifically, a San Francisco court will assess whether Facebook is breaking the law by using its facial-recognition tool to identify faces in photographs uploaded by users, or by collecting those photographs into a central database. Facebook claims its facial-recognition tool, in use since 2010, is now 97.35% accurate, which is great news if you’re trying to tag overcrowded party pictures, but less so if you’re worried about privacy. Plaintiffs in the case are concerned on a number of fronts: Facebook could be selling identifying information to retailers or other third parties. More importantly, they worry that biometric data is just as susceptible to theft, hacking, and the long and invasive arm of law enforcement as other types of data. “Unique and unchangeable biometric identifiers are proprietary to individuals,” the complaint reads. It also alleges that Facebook failed to acquire consent before collecting “faceprints.” The class-action suit hinges on a unique Illinois law passed in 2008, called the Biometric Information Privacy Act. It states that if companies fail to get consent from users before storing biometric information, they can be subject to a $5,000 fine, plus $1,000 in damages if the violation shows negligence. That’s per violation. For a company with 7 million users in Illinois, that could mean fines as high as $35 billion. There is some precedent here. In April, photo-sharing website Shutterfly reached a settlement over its facial-recognition technology.
Snapchat faced a similar suit over the summer, but has denied storing any biometric information (the company says it uses “object recognition,” not facial recognition). Alphabet’s cloud-based Google Photos service also uses similar technology, and Google is facing privacy lawsuits of its own. [Quartz]

US – Researchers Find Flaws in Police Facial Recognition Technology

Nearly half of all American adults have been entered into searchable law enforcement facial recognition databases, according to a recent report from Georgetown University’s law school. But there are many problems with the accuracy of the technology that could have an impact on a lot of innocent people. Police can run any photo through a facial recognition program to see if it matches any of the license photos. It’s kind of like a very large digital version of a lineup, says Jonathan Frankle, a computer scientist and one of the authors of the report, titled “The Perpetual Line-Up.” “Instead of having a lineup of five people who’ve been brought in off the street to do this, the lineup is you. You’re in that lineup all the time.” Frankle says the photos that police may have of a suspect aren’t always that good — they’re often from a security camera. “Security cameras tend to be mounted on the ceiling,” he says. “They get great views of the top of your head, not very great views of your face. And you can now imagine why this would be a very difficult task, why it’s hard to get an accurate read on anybody’s face and match them with their driver’s license photo.” Frankle says the study also found evidence that facial recognition software didn’t work as well with people who have dark skin. There’s still limited research on why this is. Some critics say the developers aren’t testing the software against a diverse enough group of faces. Or it could be lighting.

Findings

  • Law enforcement face recognition networks include over 117 million American adults — and may soon include many more.
  • By running face recognition searches against 16 states’ driver’s license photo databases, the FBI has built a biometric network that primarily includes law-abiding Americans.
  • Major police departments are exploring real-time face recognition on live surveillance camera video.
  • Law enforcement face recognition is unregulated.
  • Police face recognition could be used to stifle free speech.
  • Most law enforcement agencies do little to ensure that their systems are accurate.
  • Without specialized training, human users make the wrong decision about a match half the time.
  • Police face recognition will disproportionately affect African-Americans.

Recommendations

  • Law enforcement face recognition searches should be conditioned on an individualized suspicion of criminal conduct.
  • Mug shot databases used for face recognition should exclude people who were found innocent or who had charges against them dropped or dismissed.
  • Searches of driver’s license and ID photos should occur only under a court order issued upon a showing of probable cause.
  • Limit searches of license photos — and after-the-fact investigative searches — to investigations of serious offenses.
  • Real-time video surveillance should only occur in life-threatening public emergencies under a court order backed by probable cause.
  • Use of face recognition to track people on the basis of their race, ethnicity, religious or political views should be prohibited.
  • The FBI should test its face recognition system for accuracy and racially biased error rates, and make the results public.

[Study: Police Use of Facial Recognition Goes Unregulated | NPR.org | The Perpetual Line-Up | Facial recognition technology is taking over US, says privacy group | Study Urges Tougher Oversight for Police Use of Facial Recognition | Half of US adults are profiled in police facial recognition databases | Maryland’s use of facial recognition software questioned by researchers, civil liberties advocates]

Big Data

CA – RCMP’s Counterterrorism Centre Facilitates Information Sharing

The RCMP have created a permanent place for counterterrorism detectives to work shoulder-to-shoulder – and database to database – with federal border guards, immigration officials and spy-agency analysts. The national-security joint-operations centre (NSJOC) in Ottawa is a “real-time and rapid information-sharing” crossroads where federal agents can efficiently swap files, according to recently released records. However, critics fear it will go places no watchdog can follow. The counterterrorism centre was largely unknown until RCMP Commissioner Bob Paulson made a brief reference to it in Parliament earlier this year. The Globe and Mail has acquired the centre’s terms of reference under Access to Information laws. The federal agencies constantly collect data, but under different mandates than that of the Mounties. Federal agents typically shield their files from each other unless they have a compelling reason to share. In some cases, warrants are needed for information handovers. Yet federal agents want to knock down institutional walls in times of crisis, and the RCMP-led centre seeks to keep the bureaucratic barriers to information-sharing low. The centre’s terms of reference say criminal charges are just one approach to fighting terrorism. Pooling knowledge among federal agents makes other interventions possible – such as revoking suspects’ passports, adding people to no-fly lists, or even warning the family and friends of radicalized young people “of the risks associated with violent extremist activity.” Nothing in the terms of reference suggests the agencies got new powers to share information. Federal watchdog agencies have complained for years that they cannot track what information agencies share in the name of national security. Even as federal-security agencies increasingly swap files, none of their review bodies are legally empowered to see what is happening as it happens, or within more than one agency.
“A body like this makes the case for why we need more robust real-time oversight,” says Carmen Cheung, a professor at the University of Toronto’s Munk School of Global Affairs. “It looks like they are all co-located in essentially one room, and that room has direct access to all the databases of all the respective agencies, which is amazing.” A decade ago, a judicial inquiry recommended Canada create a watchdog to track all security agencies at once, but the concept never got off the ground. The finding followed a Canadian counterterrorism investigation in which federal agents swapped information carelessly and several Canadians were wrongly jailed as presumed terrorists in Middle East prisons. [The Globe and Mail]

US – 75% of US Citizens Back Use of Data Fusion Tools: TransUnion

A TransUnion study found 75 percent of Americans support the use of data fusion tools in law enforcement investigations. Of the 1,002 respondents, 81% said law enforcement “has an obligation” to use publicly available information to solve crimes, including names, addresses, phone numbers and bankruptcy records. Support hinged on the fact that non-public data, such as phone records, internet search histories, and banking statements, are not included in the data gathering, with 59% saying they support data fusion tools because they do not use non-public data. “Law enforcement agencies continue to expand their use of data fusion tools. The value of linking hundreds of millions of records in a short period of time to find cyber evidence on criminals is critical in cases which need timely outcomes — such as solving a murder or finding an abducted child,” said TransUnion’s Jonathan McDonald. [MarketWire]

WW – Google, OpenAI Create Algorithms to Use Personal Data, Protect Privacy

OpenAI and Google have created a method by which artificial intelligence can study and use personal data, despite not having any access to the information. The two companies created a “student” algorithm, one designed to mimic decisions learned from “teacher” algorithms through millions of simulated decisions. Numerous teacher algorithms send information to a student algorithm, allowing the student to process the information, but making it impossible for the information to be deciphered if it were reverse-engineered. “All the research in this space explores a tension between privacy and utility, as more privacy means utility goes down,” said machine learning security researcher Thomas Ristenpart. Meanwhile, artificial intelligence and robotics were a hot topic last week at the 38th International Conference of Data Protection and Privacy Commissioners. [Quartz]

WW – AI’s Effect on Insurance Industry Could Lead to Privacy Issues

Advances in big data analytics and artificial intelligence could have a major impact on the insurance industry. Insurance firms could mine social media to determine proper pricing on premiums. An insurance company could look at users’ Twitter accounts and make offers based on the tone of their posts, using analytics to determine their health outlook. While companies such as reinsurer Swiss Re say the advances will drop the price of insurance protection and assist individuals in making better choices through incentive programs, those against the idea say it would violate user privacy, lead to personalized pricing, and minimize any form of shared risk. “In a relatively short period of time, maybe a few years, most of the major insurers will have integrated lessons from behavioral research,” said Swiss Re’s Daniel Ryan. “Undoubtedly, it will lead to a different interaction between insurer and policyholders.” [Reuters]

WW – Why AI May Be the Next Big Privacy Trend (Opinion)

In the past month, we have seen the launch of a major industry effort to explore the policy ramifications of AI, and the U.S. Department of Transportation has released a policy roadmap for autonomous vehicles, suggesting that regulators and policymakers are eager to get into the AI game. Even the White House got involved this spring when it announced a series of workshops to explore the benefits and risks of AI. The first fruits of that White House effort were unveiled last Wednesday with an initial report on the immediate future of these exciting technologies. It includes 23 recommendations aimed at the U.S. government and various federal agencies, and while privacy and data protection are not major focuses of the report, it does introduce a new vocabulary and raises issues that will implicate the privacy space, writes attorney Joseph Jerome. “If the phenomenon of big data encouraged nearly every company to view itself as a data company, fueling the privacy profession, AI looks to have a similar trajectory for influencing how organizations do business,” he notes. In this post for Privacy Perspectives, Jerome details why “getting a handle on the contours of AI” and how it intersects with privacy, “could be increasingly important.” [Full Story]

Canada

CA – Submissions on OPC Consultation Show Lack of Consensus for Trustmarks and Codes of Practice

The OPC releases the submissions provided in response to its consultation on the consent model and possible alternatives. Submissions include beliefs that “one-size-fits-all” sectoral codes of practice, trustmarks, and privacy seals do not reflect the diversity of practices and needs of businesses in the digital economy, and a rejection of the voluntary, industry-driven trustmark model; suggestions include support for a trustmark overseen by a credible organization independent of industry influence (e.g. the OPC or an independent organization supervised by the OPC). [OPC Canada – Overview of Consent Submissions]

WW – Guidelines for Privacy Certifications and Trustbrands

Privacy certifications, or “trustbrands,” are seals licensed by third parties for organizations to place on their homepage or within their privacy policy. The seals typically state, or imply, that the organization which has displayed the seal has high privacy or security standards, or has had its privacy or security practices reviewed by a third party. Some seals also imply that the organization has agreed to join a self-regulatory program that may provide consumers with additional rights, such as a mechanism for resolving privacy-related disputes. A snapshot of information concerning privacy certifications:

  • Percentage of consumers that are worried about online privacy: 92%
  • Percentage of consumers who claim they look for privacy certifications and seals on a website: 76%
  • Percentage of consumers who say that they would share their interests with advertisers if the advertiser’s privacy policy was “certified”: ~50%
  • The number of certifying agencies the FTC has alleged offered deceptive seals: 2

What to think about when considering whether your organization should purchase a privacy certification:

  1. Does the certifying agency have its own privacy or security standards?
  2. Do the certifying agency’s standards exceed legal requirements?
  3. Do your organization’s practices meet the certifying agency’s standards?
  4. If the certifying agency’s standards change, is your organization prepared to modify its practices accordingly?
  5. Has the certifying agency been investigated by the FTC, or another consumer protection authority, for deceptive or unfair practices?
  6. If so, are you confident that the certifying agency’s seal and review process is non-deceptive and that association with the agency will not result in negative publicity?
  7. Have consumers complained to the FTC about the certifying agency?
  8. Does your organization have a mechanism in place to ensure that the license for the seal is renewed each year and/or that the seal is removed from your website if the license expires?
  9. Have plaintiff’s attorneys used the seal against other organizations by alleging that those organizations agreed to a higher standard of care by adopting the seal? [Source]

US – Feds Love to Shred: Spending on Documents Spiked

The Government of Canada has apparently accumulated too much paper. Public Accounts documents show sudden surge in spending on document shredding and storage. The federal government spent approximately $12 million more on hiring companies that offer services like document shredding and storage in the last fiscal year than it did ten years ago. During the 2005-2006 fiscal year, the Health and Transport departments spent about $389,247 on two separate contracts with companies that are in the business of destroying and storing physical and digital documents. By 2013-2014, when the Harper government was enjoying its third term in government, that number had increased to nearly $3 million. But it was the following year that the government went all out. Public Accounts documents for the 2014-2015 fiscal year show the federal government spent nearly $13 million on similar contracts. By that time, many more departments were utilizing these services — including the Canada Revenue Agency, Employment and Social Development, and the Justice department. This past fiscal year — during which Canada underwent a change of government — saw a slight decrease in spending, to just under $12.4 million. The biggest spender in the 2015-2016 fiscal year, by a long shot, was the Canada Revenue Agency, which spent a whopping $8.4 million on contracts with Mobilshred and Shred-It. The year prior, it dished out approximately $10.3 million — which is largely responsible for the sudden spike in document spending by the government that year. The Alberta government experienced a “shred-gate” in early January 2016. The privacy and public interest commissioners found that the outgoing Progressive Conservative government improperly destroyed nearly 350 boxes of shredded documents. [iPolitics]

CA – NWT’s Protection of Health Records Still Needs Work: Commissioner

The Northwest Territories Department of Health has received a slap on the wrist from the territory’s privacy commissioner for the way it handles confidential patient information. The Information and Privacy Commissioner of the N.W.T’s annual report was tabled in the legislative assembly. In it, commissioner Elaine Keenan-Bengts criticizes the territory’s health department for the way it has implemented the N.W.T. Health Information Act that came into effect in October 2015. The act is meant to govern how personal health information is collected and disclosed. In the six months after the act became law, the commissioner says there were seven separate privacy complaints. She says it’s clear that a number of people who deal with private health information don’t properly understand the act. “While there was some training done before the act came into effect, it does not appear that the training was mandatory,” Keenan-Bengts wrote. Keenan-Bengts also says little has been done to educate the public of their rights when it comes to their personal health information. She says the majority of patients don’t know the act gives them the right to put conditions on who has access to their records, such as barring a practitioner, nurse, clerical staff or other employee in any particular office from accessing their file. Despite patients having this right, Keenan-Bengts says the health department doesn’t actually have the ability to do that. Keenan-Bengts recommends better training for health staff on the act as well as better education campaigns for the public. [CBC News]

CA – Does the Surrey RCMP Need A Surveillance Camera Database?

Surrey will soon launch Project Iris, which is based on a CCTV program out of Philadelphia. Residents and business owners will be able to register their surveillance cameras with the RCMP. Terry Waterhouse [Surrey’s director of Public Safety Strategies] says he has collaborated with the B.C. Privacy Commissioner’s Office to ensure the program doesn’t violate anyone’s rights. “The important parts are that it is completely voluntary and also, it’s voluntary in the sense that if they do have the footage, whether or not they provide it [to police] is voluntary as well,” he said. B.C. Civil Liberties Association policy director Micheal Vonn says she has one small concern about Project Iris. “We don’t want to encourage businesses to over-collect information.” “If you are collecting information on your property and you have appropriate signage, all of that is fine. What you can’t do is, you can’t collect footage in a public space as a private entity. You’re governed by the private sector privacy legislation.” [CBC News]

Consumer

WW – Millennials ‘Extremely Reluctant’ to Share Data: Study

A Lexis Nexis Risk Solutions study has found millennials are “extremely reluctant” to share personal information even though they use connected devices in large numbers. The study found that more than a quarter of millennials across the globe had no trust that retailers or mobile wallet programs will treat their data “correctly or securely.” “The general discomfort millennials are expressing with information sharing, beyond a couple of the most basic data points, shines a light on the need to educate this major and growing portion of the consumer population,” said Lexis Nexis Risk Solutions’ Kimberly Little Sutherland. “Likewise, it begs the question, are retailers and financial institutions optimizing their business processes for the millennial customer?” [Multichannel Merchant]

E-Government

US – California Attorney General Releases CalOPPA Violation Reporting Tool

California Attorney General Kamala Harris has announced a new tool to help consumers report organizations and other entities that are not complying with the California Online Privacy Protection Act, the California Office of the Attorney General said. “In the information age, companies doing business in California must take every step possible to be transparent with consumers and protect their privacy,” said Harris. “As the devices we use each day become increasingly connected and more Americans live their lives online, it’s critical that we implement robust safeguards on what information is shared online and how. By harnessing the power of technology and public-private partnerships, California can continue to lead the nation on privacy protections and adapt as innovations emerge.” [OAG]

CA – Watchdogs Find Lax Management of Smartphones and Tablets by BC Government

BC government workers sometimes waited months to report a lost or stolen smart phone or tablet, according to a report on mobile device management by the Acting Information and Privacy Commissioner, Drew McArthur. “On average it took employees two to six days to make a report. At one ministry, employees were advised not to report lost devices for up to three days in case the device was found.” Investigators also found that records of lost and stolen devices were not properly maintained or analysed, so management missed an opportunity to provide additional training. McArthur said investigators found policies were often overlapping, inconsistent and confusing. The ministries also did not keep track of personal information stored on mobile devices or categorise sensitivity of such personal information. “Government is not meeting its statutory obligation to protect personal information stored on mobile devices.” Privacy training was not specific to mobile devices nor was it conducted frequently. Risk assessments were poor and breach and incident protocols were not consistently followed when privacy breaches happened. Auditor General Carol Bellringer also released a report looking at the security aspects of government mobile device management. She noted the size and portability of devices makes them easy to lose or steal and they often become obsolete, meaning fewer security updates as they age. Unlike desktop or laptop computers, mobile devices often remain connected around the clock, putting them in jeopardy of unauthorised access. Bellringer found there were policy gaps, the full life cycle of mobile devices is not well managed, appropriate security controls are not always in place and there is no central monitoring and logging by government of mobile device activity. Both reports said that the government began to make improvements to its policies and procedures while the investigations were underway. [Business Vancouver]

WW – This Is Why We Still Can’t Vote Online

Online voting sounds like a dream: the 64 percent of citizens who own smartphones and the 84 percent of American adults with access to the internet would simply have to pull out their devices to cast a ballot. And Estonia—a northern European country bordering the Baltic Sea and the Gulf of Finland—has been voting online since 2005. But ask cybersecurity experts and they’ll tell you it’s really a nightmare.

We are nowhere close to having an online voting system that is as secure as it needs to be. Ron Rivest, a professor at MIT with a background in computer security and a board member of Verified Voting, said it is a “naive expectation” to even think online voting is on the horizon. In 2010, the District of Columbia’s Board of Elections & Ethics conducted a pilot project where they built an Internet voting system for overseas and military voters in an effort to expedite the absentee voting process. The system was simple: voters would log in, receive a ballot, print the ballot, cast their vote, and upload their ballot to the Internet. In the weeks prior to the general election, a public trial was held to see if the system could be infiltrated. J. Alex Halderman, professor of computer science and engineering at the University of Michigan, welcomed the opportunity to try to legally break into government software with his students. Within 36 hours, they found a tiny error that gave them full control of the system. “The flaw that we exploited was just such a small error—in tens of thousands of lines of computer source code, in one specific line the programmer had used double quotation marks instead of single quotation marks and that was enough to let us remotely change all the votes,” said Halderman. [Motherboard]

EU Developments

EU – CJEU Judgement: Dynamic IP Addresses Constitute Personal Data

On October 19, 2016, the Court of Justice of the European Union (CJEU) decided that the dynamic IP address of a website visitor is “personal data” under Directive 95/46/EC (Data Protection Directive) in the hands of a website operator that has the means to compel an internet service provider to identify an individual based on the IP address. The case was brought by Patrick Breyer, a German Pirate Party politician. Breyer asserted that the German government’s storage of IP addresses of users visiting German government websites allowed the creation of user profiles and, therefore, was impermissible under Section 15 of the German Telemedia Act (TMA). The CJEU sided with Breyer. The Court largely followed the opinion that the court’s Advocate General issued on May 12, 2016. The CJEU relied on Recital 26 of the Data Protection Directive, which states that in determining whether a person is identifiable, “account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person.” In applying the test to the German government’s program, the Court found that the website operators were collecting the IP addresses to identify cyber attackers and, in some cases, to bring criminal proceedings against them. In this context, the government would likely have a legitimate reason to demand that the internet service provider correlate the IP address to the account holder, and thus allow the government to re-identify the individual. Therefore, the court held that the reasonable likelihood test was met, concluding that the dynamic IP addresses in these circumstances were personal data.
[Data Protection Report | The Ever-Expanding Concept of Personal Data | Your dynamic IP address is now protected personal data under EU law | Websites free to store IP addresses to prevent cyber attacks: EU court | IAPP: CJEU Defines Personal Data in Breyer Decision]

UK – Surveillance by Consent: Commissioner Launches UK-Wide CCTV Strategy

Surveillance Camera Commissioner Tony Porter says there are six million CCTV cameras across the UK, but many of them are poor quality or in the wrong place. Mr Porter said he wants to ensure surveillance cameras are protecting members of the public, rather than spying on them, and has issued a 16-page draft national strategy to raise regulatory standards regarding the surveillance of public spaces. Only a year ago, less than 2% of public authorities operating surveillance cameras were doing so in compliance with “any British standard” according to Porter, who says that as of today 85% are now demonstrably “having regard” for the Home Office’s Surveillance Camera Code of Practice. [Daily Mail | The Register]

Finance

WW – New PCI Digital Security Standard Introduces Critical Changes

The Payment Card Industry Digital Security Standard (PCI DSS) is an information security standard for organisations that handle credit and debit cards from the major card companies, including Visa, MasterCard and American Express. Organisations that take payments from, process or store card details are obliged to meet the security standard. Those who fail to observe the standard can find themselves excluded from receiving credit card payments and those who lose credit card numbers, or have them stolen from them, can face hefty fines for failure to meet the standard. A new release (3.2) to the standard has significant implications for card providers and their service providers. The standard consists of twelve broad principles:

  1. Install and maintain a firewall configuration to protect cardholder data;
  2. Do not use vendor-supplied defaults for system passwords and other security parameters;
  3. Protect stored cardholder data;
  4. Encrypt transmission of cardholder data across open, public networks;
  5. Use and regularly update anti-virus software on all systems commonly affected by malware;
  6. Develop and maintain secure systems and applications;
  7. Restrict access to cardholder data by business need-to-know;
  8. Assign a unique ID to each person with computer access;
  9. Restrict physical access to cardholder data;
  10. Track and monitor all access to network resources and cardholder data;
  11. Regularly test security systems and processes; and
  12. Maintain a policy that addresses information security.

The standard document describes the processes, policies and settings required to conform to these principles in quite granular detail. Since its release in 2004 only two major releases or revisions have been made to the standard. A new Version 4.0 is expected in early 2017. However, a number of ‘sub-releases’, containing revisions and clarifications, have been made between the three major releases. The most recent, Release 3.2, contains a number of significant changes which may have significant implications and costs for organisations required to conform to the standard. According to the PCI SSC, these new standards must be implemented by organisations before 31st October 2016, when the prior standard Release, version 3.1, will no longer be valid. Of the changes required by the new PCI DSS Release 3.2, a number appear to arise directly from the lessons learned from the large recent hacking incidents in the US. These include:

  • New Rule 8.3 requires two-factor authentication to access the PCI segment of a network
  • Rule 3.3 requires that card numbers be partially masked when displayed
  • New Rule 10.8 requires that card service providers implement a process for the timely detection and reporting of failures of critical security control systems, setting out a sizeable list of devices over which such reporting is required.
  • Additional Rule 10.8.1 requires service providers to respond to failures in these systems in a timely manner, setting out in some detail what actions such responses should include.
  • New Rule 11.3.4.1 requires that penetration tests be run on networks every six months to ensure that the PCI segment is effectively isolated from the rest of the network.
  • New Rule 12.4.1 requires that a named member of the executive management is responsible and accountable for the maintenance of PCI DSS compliance. It requires that a charter be established, setting out what information must be provided by those directly responsible for PCI compliance to the executive with direct authority.
  • Rule 12.11.1 requires organisations to perform reviews at least quarterly to confirm personnel are following security policies and operational procedures and to correctly document such reviews. The operational procedures which should be reviewed include daily log reviews.

[Mondaq] See also: The PCI SSC said if breaches continue at their current rate, U.K. businesses could face up to 122 billion GBP in fines once the GDPR comes into effect, and recommends organizations work to prevent cyberattacks before 2018.

HK – E-Wallet Programs Store Data Too Long, Consumer Council Finds

The Consumer Council has revealed that some e-wallet companies have problematic data storage procedures: information on “Alipay customers was stored permanently while Bank of Communications, O!ePay and TNG Wallet would retain the information for six to seven years.” An Alipay spokeswoman countered that only a “small portion” of consumers’ records was stored in the event of a money laundering investigation, and TNG Wallet said it maintained customer records to “meet the same standard established by the Hong Kong Monetary Authority,” the report states. However, council member Michael Hui King-man argued that the Personal Data (Privacy) Ordinance specified that “personal data should not be kept longer than is necessary.” [South China Morning Post]

FOI

CA – IPC ON Orders Disclosure of Consultant Report on Public Transit System

The Information and Privacy Commissioner in Ontario reviewed a decision by the Toronto Transit Commission to deny access to records requested, pursuant to the Municipal Freedom of Information and Protection of Privacy Act. The transit system can withhold information detailing its financial exposure and risk since disclosure would cause severe economic and financial disadvantage during contractor negotiations; however, it must disclose a review of the project that assessed performance, identified areas of improvement and recommended improvements for project efficiency. [IPC ON – Order MO-3347 – Toronto Transit Commission]

CA – OIPC SK Issues Guidelines on Conducting a Search for PHI

The Office of the Saskatchewan Information and Privacy Commissioner issued guidance on handling access requests for personal health information, pursuant to The Health Information Protection Act. A trustee of personal health information must make every reasonable effort to assist an applicant and respond to each request openly, accurately, and completely; organizations should communicate with the applicant to clarify the request, talk to people “in the know” (such as record managers), document the search strategy, and keep details of the actual search. [OIPC SK – The Search For Personal Health Information]

CA – OIPC SK Finds Disclosure of Emails, Trip Details and Public Information Does Not Qualify as Commercial Information

The Office of the Information and Privacy Commissioner in Saskatchewan reviewed a decision by Global Transportation Hub Authority to deny access to records requested, pursuant to the Freedom of Information and Protection of Privacy Act. A public body incorrectly withheld details of a trip to China, government invitations, public information about an association, and emails about a meeting; disclosure of the information would not harm the public body or a third party, and emails between the parties (where the third party objected to disclosure) cannot retroactively serve as proof that both parties intended for the information to be held in confidence. [OIPC SK – Review Report 158-2016 – Global Transportation Hub Authority]

CA – OIPC BC Orders Transportation Agency to Disclose Smart Card Defects

This OIPC order reviewed the decision by South Coast British Columbia Transportation Authority to deny access to records requested under British Columbia’s Freedom of Information and Protection of Privacy Act. Disclosure of the records would not impede a third party’s ability to obtain new work (the third party did not say how many competitors it has or refer to cases in which prospective customers rejected its bids, and it did not deny that it had been successful in recent bids despite negative media coverage); the third party could not prove that disclosure would give competitors “commercially valuable insight” into its business. [OIPC AB – Order F16-45 – South Coast British Columbia Transportation Authority (Translink)]

CA – NS Court Orders Hospital to Produce De-Identified Medical Records

The Supreme Court of Nova Scotia considered a motion for the production of records by Aberdeen Hospital in a lawsuit, pursuant to the Personal Health Information Act. The doctor seeks the disclosure of patient records with respect to his whereabouts when he was not with a patient leading up to the birth of her infant; the names and personal health information of the patients do not need to be disclosed to meet this requirement, but the hospital must produce this information for the doctor as it is relevant to the lawsuit and the records are in the hospital’s control (the doctor could seek patient consent for the release of records, however the hospital is custodian of the records). [Finney v. Joshi – 2016 NSSC 227 – Supreme Court of Nova Scotia]

Genetics

CA – Canada’s Genetic Privacy Bills and How They Compare

Timothy Banks writes about two new bills addressing genetic privacy in Canada. “News reports frequently suggest that Canada is alone amongst G-7 countries in not having a law specifically addressing genetic discrimination.” Analyzing these bills and putting them up against laws in the U.K. and U.S., Banks writes that “Canada might be late to the table, but the Canadian anti-discrimination laws, if either were passed, would prohibit the use of genetic testing and genetic characteristics to make distinctions between individuals in far more circumstances than is currently the case in either the U.K. or the U.S.” [Privacy Tracker]

Health / Medical

US – New HHS Guidance Makes Clear HIPAA Applies in the Cloud

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has released guidance making clear that cloud service providers (CSPs) that create, receive, maintain, or transmit electronic protected health information (PHI) are covered by HIPAA. The guidance is notable for its broad scope [and] clarifies how and when HIPAA applies in the cloud service context. [Hogan & Lovells]

US – Health Care Lawyers Say Industry at Greatest Risk of Breach: Study

A study conducted by the American Health Lawyers Association and Bloomberg Law found 87% of health law attorneys believe their health care clients are more likely to suffer a cyberattack than other industries. The study polled 290 health care lawyers, with 97% saying they anticipate having greater involvement in their client’s cybersecurity efforts within the next three years, and 75% saying their practices are developing cybersecurity experience to meet the demand. However, 40% fear their plans to respond to an attack are “too generic and lack specific guidance for the types of incidents their organizations or clients might face.” Only 21 percent of the respondents are involved with cybersecurity efforts before a breach, while 46% are asked for counsel after an attack. [Modern Healthcare]

CA – NS Court Orders Hospital to Produce De-Identified Medical Records for Doctor’s Private Lawsuit

The Supreme Court of Nova Scotia considered a motion for the production of records by Aberdeen Hospital in a lawsuit, pursuant to the Personal Health Information Act. The doctor seeks the disclosure of patient records with respect to his whereabouts when he was not with a patient leading up to the birth of her infant; the names and personal health information of the patients do not need to be disclosed to meet this requirement, but the hospital must produce this information for the doctor as it is relevant to the lawsuit and the records are in the hospital’s control (the doctor could seek patient consent for the release of records, however the hospital is custodian of the records). [Finney v. Joshi – 2016 NSSC 227 – Supreme Court of Nova Scotia]

US – ONC, OCR Announce Updates to HIPAA Security Tool

The Office of the National Coordinator and the Office for Civil Rights have revised and updated the HIPAA Security Risk Assessment Tool. The updates include increased Windows compatibility, a Save As feature, and expanded customization of PDF files, the report states. “You can use the tool as your local repository for your answers, comments and plans,” said the ONC’s Ebony Brice and the OCR’s Nick Heesters. “Your answers are stored wherever you store the tool and neither OCR nor ONC can access your answers. You can use the tool as often as you need to reassess your organization’s health information security risks. We encourage you to conduct risk assessments on an annual basis.” [HealthITSecurity]

US – Doctors Continue to Wage War on HIPAA Requirements, Bad Yelp Reviews

Physicians are working to strike back against sometimes unfair Yelp reviews while working to stay within HIPAA confidentiality requirements. “Yelp is the bane of many doctors’ existence,” said Dr. Jonathan Kaplan. “A patient can be really vocal, but you cannot. It’s not a fair playing field.” Yelp has said it will only remove those reviews that include “hate speech, threats or harassment,” conflict of interest, or exclude “direct experience with the provider.” Otherwise, doctors are on their own. “Patients can post very detailed information about themselves and their providers, but the providers have to be very vague when they respond,” said Planet Hipaa’s Danika Brinda. Many doctors have taken to encouraging patients to leave positive reviews to offset the negative remarks, or have begun reaching out to disgruntled reviewers directly. [San Francisco Chronicle]

Horror Stories

WW – Weebly Suffers Data Breach, Compromising 43M User Accounts

Data breach notification site LeakedSource has said web design platform Weebly suffered a data breach in February, compromising the usernames and passwords of 43 million users. Weebly sent an email to users saying IP addresses were also taken in the breach. The company contends it does not believe any customer websites have been improperly accessed. The passwords taken in the breach are protected by a strong hashing algorithm, and Weebly said it does not store any credit card information, making it unlikely any users will be affected by fraudulent charges. LeakedSource was notified of the breach when an anonymous source gave the site Weebly’s database. LeakedSource then notified Weebly of the incident, and now said Weebly is in the process of resetting user passwords. [TechCrunch]

US – Report Details OPM’s 2015 Hack

A WIRED report covers the 2015 Office of Personnel Management hack, from agency employees’ discovery of the breach, their realization that the attack was most likely an advanced persistent threat, and their subsequent investigation. It also looks to the future, exploring the faults of security tools like unpaired encryption and how the agency can best rebuild. To remedy the loss of data in the attack, “a cybersecurity overhaul of this magnitude will, of course, require an abundance of talent,” the report states. “And that means much depends on how well government recruiters can convince the best engineers that being locked in a high-stakes competition with supervillain-esque adversaries is more exciting than working in Silicon Valley.” [WIRED]

Identity Issues

UK – Porn Age Verification Proposal Outrages Privacy Advocates

The UK has an online age-checking plan to stop kids from watching porn, but porn-browsing adults would also hit an Age Gate which might verify age via banking or social media accounts. The GCHQ has already expressed a Chinese-esque plan to create the Great UK firewall, but now the UK, which previously dabbled in porn blocking, wants online age verification services to ensure that people viewing porn are age 18 or over; the dangerous implementation of the system has outraged privacy advocates. [ComputerWorld | Porn viewers could all be added to a country-wide database of viewing habits under new age verification scheme] Protesters gathered around Parliament to voice their disapproval of a digital economy bill penalizing online pornographic websites not asking for “robust” proof they are over 18 before accessing the content. The Department for Culture, Media and Sports cited credit cards or electoral records as possible examples of verification, but no specifics had been made. “There is an impact on privacy,” said lawyer and obscenity laws campaigner Myles Jackman. “We could see age verification be done by private companies; there is no guarantee that your personal details will be kept private, will not be sent to a third party, will not be leaked or hacked Ashley Madison-style.” The bill is currently going through the House of Commons. [BuzzFeed: Protesters Voice Disapproval of Bill Requesting ID to Watch Pornography]

EU – Ireland DPC Publishes Guidance on Anonymisation and Pseudonymisation

The Irish Data Protection Commissioner has published guidance on the use of data anonymisation and pseudonymisation. This follows similar guidance published by EU regulators in 2014. The DPC’s guidance focuses on the effectiveness of anonymisation techniques and provides recommendations for organisations wishing to use these techniques. Anonymisation of data is a technique used to irreversibly prevent an individual being identified from that data. Pseudonymisation, on the other hand, is not a method of anonymisation. Instead, it is a method of replacing one attribute in a record, such as a name, with another, such as a unique number. Given this, pseudonymisation still allows an individual to be identified, but indirectly. Importantly, the DPC warns that while pseudonymisation is a useful security measure, pseudonymised data remains ‘personal data’ as defined in the Acts. Despite this, the DPC recognises that effectively anonymised data is not personal data and therefore falls outside the scope of the Acts. In the DPC’s view, the threshold for truly anonymised data is extremely high. To meet this threshold, organisations must take appropriate steps to ensure that individuals are not identified by or identifiable from the data in question. In other words, organisations must ensure that the information can no longer be considered personal data. In order to determine whether an individual is identified or identifiable, the DPC suggests that organisations should consider whether a person can be distinguished from other members of a group. A person is identifiable even if identification is merely a possibility (in other words, even if the person has not actually been identified). The effectiveness and strength of any anonymisation technique is primarily based on the likelihood of re-identifying an individual. There are a number of ways in which data can be re-identified, such as ‘singling out’, ‘data linking’, ‘inference’ and ‘personal knowledge’.
The DPC accepts that it is impossible to state with any certainty that an individual will never be identified from an anonymised data set. This is because more advanced data de-identification technologies may be developed and additional data sets may be released into the public domain allowing for cross-comparison of data. This, again, sets the bar very high for true anonymisation. In assessing the risk of re-identification, the DPC suggests that organisations should consider whether the data can be re-identified with reasonable effort by someone within the organisation or by a potential “intruder”. In carrying out this analysis, organisations should take into account technological capabilities along with the information that is available for re-identification. If organisations intend to make anonymised data available to the public, the DPC warns that there is a much higher burden on ensuring that the information is effectively anonymised so that individuals cannot be identified. Importantly, the DPC advises that if an organisation retains the underlying source data following anonymisation, the “anonymised” data will still be considered to be personal data. The main takeaway from the DPC’s guidance is the considerable threshold for rendering data truly anonymous. Pseudonymisation alone is not sufficient to render personal data anonymous and the DPC recommends using a combination of anonymisation techniques. [MHC]
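The singling-out test described in this item can be run as a simple measurement before a data set is released. The following is an added example, not taken from the DPC guidance or the summarised article; the records are constructed, and the field names, the HMAC key, the threshold k=2 and the county-to-province mapping are all assumptions made for illustration.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (not real people).
RECORDS = [
    {"name": "Aoife Byrne", "birth_year": 1984, "county": "Cork", "diagnosis": "asthma"},
    {"name": "Brian Walsh", "birth_year": 1986, "county": "Cork", "diagnosis": "diabetes"},
    {"name": "Ciara Doyle", "birth_year": 1991, "county": "Galway", "diagnosis": "asthma"},
    {"name": "Declan Ryan", "birth_year": 1975, "county": "Dublin", "diagnosis": "migraine"},
    {"name": "Emma Kelly", "birth_year": 1978, "county": "Dublin", "diagnosis": "asthma"},
    {"name": "Fionn Nolan", "birth_year": 1975, "county": "Dublin", "diagnosis": "eczema"},
]

# Attributes that are not names but can still distinguish a person in a group.
QUASI_IDENTIFIERS = ("birth_year", "county")
GENERALISED_IDENTIFIERS = ("birth_decade", "province")
PROVINCE = {"Cork": "Munster", "Galway": "Connacht", "Dublin": "Leinster"}


def pseudonymise(records, key):
    """Replace the name with a keyed token; every other attribute is untouched.

    The token is deterministic, so anyone holding the key (or the source
    data) can map it back to the person: the output is still personal data.
    """
    out = []
    for rec in records:
        token = hmac.new(key, rec["name"].encode(), hashlib.sha256).hexdigest()[:12]
        row = {k: v for k, v in rec.items() if k != "name"}
        row["subject_id"] = token
        out.append(row)
    return out


def class_sizes(records, quasi_identifiers):
    """Count how many records share each combination of quasi-identifiers."""
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in records)


def singled_out(records, quasi_identifiers, k=2):
    """Return records whose quasi-identifier combination is shared by fewer than k rows."""
    sizes = class_sizes(records, quasi_identifiers)
    return [r for r in records if sizes[tuple(r[q] for q in quasi_identifiers)] < k]


def generalise(records):
    """Coarsen birth year to decade and county to province; drop the per-person token."""
    return [
        {
            "birth_decade": r["birth_year"] // 10 * 10,
            "province": PROVINCE[r["county"]],
            "diagnosis": r["diagnosis"],
        }
        for r in records
    ]


def suppress_small_classes(records, quasi_identifiers, k=2):
    """Withhold records that remain distinguishable after generalisation."""
    sizes = class_sizes(records, quasi_identifiers)
    return [r for r in records if sizes[tuple(r[q] for q in quasi_identifiers)] >= k]


if __name__ == "__main__":
    pseudo = pseudonymise(RECORDS, b"constructed-demo-key")
    print("pseudonymised only, singled out:", len(singled_out(pseudo, QUASI_IDENTIFIERS)))
    gen = generalise(pseudo)
    print("after generalisation, singled out:", len(singled_out(gen, GENERALISED_IDENTIFIERS)))
    final = suppress_small_classes(gen, GENERALISED_IDENTIFIERS)
    print("released rows:", len(final),
          "smallest class:", min(class_sizes(final, GENERALISED_IDENTIFIERS).values()))
```

On the constructed data, replacing names with tokens leaves four of six people distinguishable by birth year and county alone, and generalisation still leaves one until that row is suppressed, which is the combination of techniques the guidance recommends. The check covers singling out only; data linking, inference and retained source data need their own assessment.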

Internet / WWW

WW – International DPAs Adopt New Resolutions

At the 38th International Privacy Conference in Marrakech, Morocco, the International Conference of Data Protection & Privacy Commissioners adopted several resolutions, including a resolution for the adoption of an International Competency Framework on Privacy Education, Developing New Metrics of Data Protection Regulation, Human Rights Defenders, and International Enforcement Cooperation. The group also released an International Competency Framework for school students on data protection and privacy. In past years, the ICDPPC has issued resolutions on cooperating with the U.N. Special Rapporteur on the Right to Privacy, big data, web tracking, and cloud computing. [ICDPPC]

WW – Skype, Snapchat Low on Amnesty International Privacy Rankings

Amnesty International has graded 11 of the most popular messaging apps in its Message Privacy Ranking, in which Snapchat and Skype received some of the lowest scores. Amnesty International’s ‘Message Privacy Ranking’ ranks technology companies on a scale of one to 100 based on how well they do five things:

  • Recognize online threats to their users’ privacy and freedom of expression
  • Apply end-to-end encryption as a default
  • Make users aware of threats to their rights, and the level of encryption in place
  • Disclose details of government requests to the company for user data, and how they respond
  • Publish technical details of their encryption systems

Snapchat received a 26 out of 100 on the organization’s scale, while Skype received 40 out of 100. Neither app used end-to-end encryption, which Amnesty argues should be a given in messaging apps. “It is up to tech firms to respond to well-known threats to their users’ privacy and freedom of expression, yet many companies are falling at the first hurdle by failing to provide an adequate level of encryption,” said Amnesty. [Press Release | The Huffington Post | Easy guide to encryption and why it matters]

WW – Common Thread Network Launches New Website

U.K. Information Commissioner Elizabeth Denham and Privacy Commissioner of Canada Daniel Therrien co-chaired the Common Thread Network’s Annual General Meeting in Marrakech, Morocco on Oct. 18, where they also announced the group’s new website, the U.K. Information Commissioner’s Office said in a statement. Established in 2014, the Common Thread Network is comprised of 20 data protection leaders from across the globe who work to “further a common approach to respecting citizens’ privacy, to promote and build capacity in the sharing of knowledge and good practices for effective data protection.” “The new website is one among many features which the Common Thread Network intends to use to foster a common approach and create synergies among commonwealth nations to uphold individuals’ privacy and data protection rights.” [ICO.uk]

CA – Can “Cloud Sovereignty” Keep Canadian Data Safe from Global Hacks?

Montreal cloud computing company CloudOps and Chatham, Ontario-based independent telecom provider Teksavvy are partnering to scale cloud.ca, an independent cloud infrastructure services company, in order to give Canadian businesses a stronger domestic platform on which they can more securely innovate on the global stage. Cloud.ca’s Internet-as-a-Service platform appears to be a well-timed answer to the question of whether or not it’s a great idea to run a business on servers south of the border, or to use their term, to reclaim “end-to-end data sovereignty” over how our data crosses borders. “The cloud.ca partnership between TekSavvy and CloudOps brings together leaders in regional networking, data centre, and cloud IaaS that offers a unique competitive advantage for jurisdiction-conscious Canadian customers,” said Philbert Shih, Managing Director of Toronto-based independent research and consulting firm focused on hosting and cloud infrastructure, Structure Research. Whether the appeal to independence, in either a national or “free from the Big Telcos” sense, or nationalism, for either patriotic or pragmatic reasons, is enough to appeal to a large enough user base of Canadian businesses to keep cloud.ca viable remains an open question. [Can Tech]

Location

WW – “Anonymous” Yik Yak Users Can Be Tracked Down, Say Researchers

Researchers have found that Yik Yak anonymity can be erased even without a warrant or Yik Yak’s compliance with US laws that force it to turn over user information. The researchers did it by relying on publicly available location data from the app, mixed with location-spoofing and message-recording on a device outfitted with simple machine learning. [Naked Security]

Online Privacy

WW – Google Has Quietly Dropped Ban on Personally Identifiable Web Tracking

Google is the latest tech company to drop the longstanding wall between anonymous online ad tracking and users’ names. This summer, Google quietly erased that last privacy line in the sand – literally crossing out the lines in its privacy policy that promised to keep the two pots of data separate by default. In its place, Google substituted new language that says browsing habits “may be” combined with what the company learns from the use of Gmail and other tools. The change is enabled by default for new Google accounts. Existing users were prompted to opt-in to the change. To opt-out of Google’s identified tracking, visit the Activity controls on Google’s My Account page, and uncheck the box next to “Include Chrome browsing history and activity from websites and apps that use Google services.” You can also delete past activity from your account. [ProPublica | Google’s ad tracking is as creepy as Facebook’s. Here’s how to disable it]

US – Advertising Alliance to Begin Enforcing Cross-Device Tracking Code in 2017

The Digital Advertising Alliance has announced that it will begin enforcing the industry’s “privacy code for cross-device tracking” beginning in February of 2017. The November 2015-released code “sets out privacy rules governing ad networks, publishers and other companies that collect data from one type of computer in order to serve ads to different devices used by the same consumer,” the report states. “This restriction means that if a user opts out on a laptop, marketers can’t use data collected from that laptop to serve ads on any device linked to the person.” The DAA’s Lou Mastria added that the agency established its February 2017 start date to allow companies time to adhere to the new code. [MediaPost]

WW – Journal Issue Focuses on Privacy and Ethics in Educational Data Analytics

An issue of the Springer journal, “Education Technology Research and Development,” covered the relationship between ethics and privacy in learning analytics. Professors Dr. Dirk Ifenthaler and Dr. Monica Tracey guest edited the issue, explaining why the growth of educational big data doesn’t necessarily result in better learning environments. Education institutions can use student data such as “socio-demographic information, grades on higher education entrance qualifications, or pass and fail rates” to allocate resources, or determine whether a student will drop out of school. “Consequently, higher education institutions need to address ethics and privacy issues linked to educational data analytics. They need to define who has access to which data, where and how long the data will be stored, and which procedures and algorithms to implement for further use of the available data,” said Ifenthaler. [phys.org] See also: [Educational tech, balancing students’ privacy a challenge]

Other Jurisdictions

AU – Australian Bill to Create Mandatory Breach Reporting Regime

Australia’s Privacy Amendment (Notifiable Data Breaches) Bill 2016 received first reading. Notification of a data breach must be provided to both affected individuals and the OAIC if there is a risk of serious harm to affected individuals (determined by consideration of various factors, including the sensitivity of the information and the security measures that were in place) or if directed to do so by the OAIC; notification to affected individuals is to generally take place using the normal method of communication with the individual. [Privacy Amendment (Notifiable Data Breaches) Bill 2016 – House of Representatives, The Parliament of the Commonwealth of Australia Bill | Explanatory Memorandum | Progress of Bill] [New Mandatory Data Breach Notification Bill] See also: The Australian Senate has passed a bill allowing for a cancer screening register after the government amended it with stronger privacy protections suggested by Privacy Commissioner Timothy Pilgrim.

WW – Cavoukian Launches Global Council on Privacy by Design

Ryerson University Executive Director Ann Cavoukian has launched the International Council on Global Privacy and Security, by Design. The mission, according to a press release, “is to dispel the commonly held view that organizations must choose between privacy and public safety or business interests,” and its “goal is to educate stakeholders that public- and private-sector organizations can develop policies and technologies where privacy and public safety, and privacy and big data, can work together” for a better outcome. The council will work with businesses, data protection authorities, and technology professionals to educate and raise awareness of these privacy and public safety issues. [GPSbyDesign.org]

Privacy (US)

US – New FTC Data Breach Response: A Guide for Business

This week, the FTC announced on its Business Blog the release of Data Breach Response: A Guide for Business. The Guide’s release seems to be part of the FTC’s push to position itself as the main federal regulator of data security practices and is available for free on the FTC’s website. The Guide outlines the steps to take and those that should be contacted when there is a data breach, and includes advice on securing systems, how to handle service providers, and network segmentation. In addition, it has tips on notifying law enforcement, affected businesses and individuals. The Guide even has a model data breach letter to notify people whose Social Security numbers have been stolen. The FTC smartly drafted the Guide so that those who are not security and data privacy professionals can understand. Along with the 16-page Guide the FTC released a video. Accompanying the release of the video and blog is an update to the FTC’s guide Protecting Personal Information: A Guide for Business. The FTC has been very active in this area, last year releasing both the Start with Security: A Guide for Business and Careful Connections: Building Security in the Internet of Things. The new Data Breach Response: A Guide for Business gives insight into what the FTC expects businesses to do in the case of a data breach, and following the guide will go a long way in convincing the FTC or state regulators that a business took the necessary and sufficient steps after a data breach has occurred. Note that the date of the Guide is September 2016, although the announcement occurred this week. [InfoLawGroup]

US – FTC to Host Public Conference on Identity Theft

The FTC announced it will host an all-day conference studying the current state of identity theft and what it may look like in the future. “Planning for the Future: A Conference About Identity Theft” will take place on May 24, 2017, in Washington and will bring together academics, business and industry representatives, government officials, and consumer advocates to discuss the ways identity theft affects consumers. “The FTC event will look at the full life cycle of identity theft, addressing how identity thieves acquire consumers’ information and what information they seek most often, as well as the cost and ease with which consumers’ data can be acquired. In addition, the conference will examine how identity thieves use information, and how they may attempt to use it in the future.” [FTC]

US – DOJ Wants to Overturn Microsoft V. United States

In July, the Second Circuit Court of Appeals in New York overturned a ruling in Microsoft v. United States that forced Microsoft to hand over private email correspondence and other data to US law enforcement from servers based in Dublin, Ireland. It was a victory for privacy because the Department of Justice (DOJ) was unable to force compliance of the Stored Communications Act. But last week, the DOJ expressed interest in re-hearing Microsoft v. United States, once again jeopardizing domestic and international privacy rights. If the decision is overturned, not only will Microsoft’s security be threatened, but so too will all foreign nations that house data owned by any US-based company. If the July ruling is indeed overturned, the Fourth Amendment will be seriously weakened and taxpayers will have no assurance that continued overreach by the DOJ will be stopped. Not only will future domestic investigations not need a warrant, but neither will those of an international scope. The utter lack of safeguards in place would point to a foreseeable overreach by U.S. investigators and the destruction of the nation’s diplomatic efforts. The U.S. government would assuredly be mad if a foreign country took private data and intelligence from our soil without a warrant. After all, the U.S. has started wars over more trivial matters. So why would any reasonable court believe that the U.S. has a special “hall-pass” to do whatever it pleases with other nations’ data? [IJR.com] See also: [US government wants Microsoft ‘Irish email’ case reopened | Microsoft Cloud Warrant Case Edges Closer to Supreme Court | Government Seeks Do-Over On Win For Microsoft And Its Overseas Data | Lawmakers question DOJ’s appeal of Microsoft Irish data case]

US – Other US Privacy News

Privacy Enhancing Technologies (PETs)

UK – Wearable Badge Could Blur Your Face in Unwanted Social Media Photos

More than 1.8 billion photos are uploaded to the internet every day. From baby showers to funerals and street photography to office parties, nearly every aspect of our life is documented and stored in the cloud indefinitely — sometimes, whether we like it or not. Now, a new physical badge is designed to give people control over their own image by signalling to algorithms that the wearer does not wish to be photographed, so their face can be automatically blurred in photos. The Do Not Snap badge is a physical, wearable symbol. It works by pairing up with software capable of identifying this symbol in different settings, which will then flag it up and automatically blur the face of the wearer on whatever platform the photo is on. Upload a photo of a friend or child wearing it to a social network and that network could censor out their face, for example, respecting their wishes not to have images of them shared online. It’s up to social networks to decide whether to honour the Do Not Snap. [UK Business Insider]

Security

WW – Over 80% of Employees Lack Security/Privacy Awareness: Report

A new study has revealed worryingly low levels of employee cybersecurity and privacy awareness, with 88% described as lacking the requisite skills to prevent an incident. The MediaPro 2016 State of Privacy and Security Awareness Report was compiled from interviews with over 1000 US employees. Only 12% were classed as ‘hero’ – meaning they are able to identify and dispose of information safely, recognize malware and phishing attacks and keep info safe when working remotely. Unfortunately, 72% were classed as ‘novice’ while 16% were judged to exhibit the kind of behaviors that could put their organization at serious risk of a major privacy or security incident. Some 39% of respondents claimed to discard password hints insecurely, for example in a bin; a quarter failed to recognize a phishing email with a suspicious looking attachment and questionable “from address”; and 26% said they thought it was fine to use a personal USB to transfer work documents outside of the office. What’s more, 30% said they thought it was fine to post on behalf of their company to a personal social media account. “This survey clearly shows the human threat vector is still largely unsecured, and most organizations don’t really know whether their employees have the necessary level of data protection awareness to avoid preventable incidents,” said MediaPro founder Steve Conrad. The most recent stats from the Information Commissioner’s Office (ICO) revealed an increase in human error-related data breach incidents reported to the UK privacy watchdog. Incidents involving data being sent by email to an incorrect recipient increased by 60% between the first and second quarters of 2016, while the number of incidents involving failure to redact data jumped by 64% from Q1 to Q2. Yet some experts at Infosecurity Europe this year argued that current training programs are largely ineffective. 
The focus should be on changing people’s behavior rather than raising awareness, as the latter does little to improve information security, they argued. [InfoSecurity]

Smart Cars

US – NHTSA Releases Guidelines for Automotive Cybersecurity

The National Highway Traffic Safety Administration released a set of guidelines to help improve cybersecurity in vehicles. The 22-page set of best practices is designed to help auto manufacturers handle hacking attempts and to encourage car companies to incorporate security protocols into their vehicles. The NHTSA best practices include recommending a “layered approach,” placing critical system security over other safety-specific features, while endorsing information sharing in “as close to real time as possible” in the event of a cybersecurity incident. The NHTSA also encourages revealing any potential vulnerabilities, as well as holding onto any data used for a self-audit. [TechCrunch]

Surveillance

US – Surveillance up 500% in D.C.-area Since 2011 – Almost All Sealed Cases

Secret law enforcement requests to conduct electronic surveillance in domestic criminal cases have surged in federal courts. In Northern Virginia, electronic-surveillance requests increased 500% in the past five years, from 305 in 2011 to a pace set to pass 1,800 this year. Only one of the total 4,113 applications in those five years had been unsealed as of late July, according to information from the Alexandria division of the U.S. District Court for the Eastern District of Virginia, which covers northern Virginia. The federal court for the District of Columbia had 235 requests in 2012, made by the local U.S. attorney’s office. By 2013, requests in the District had climbed 240 percent, to about 564, according to information released by the court’s chief judge and clerk. Three of the 235 applications from 2012 have been unsealed. [Washington Post]

US – Police Convinced Courts to Let Them Track Cellphones Without Warrant

The Chicago Police Department has acquired and used several varieties of advanced cellphone trackers since at least 2005 to target suspects in robberies, murders, kidnappings, and drug investigations. In most instances, officers only lightly described the devices’ advanced technical surveillance capabilities to courts, which allowed the police to use them, often without a warrant. Now, after a lengthy legal battle waged by Freddy Martinez, a Chicago software technician, court orders and case notes were released, painting a more detailed picture of how the second-largest police precinct in the U.S. uses surveillance technology to track cellphones. According to the purchase records, some of which Martinez had previously obtained in more redacted form, the Chicago Police Department’s Organized Crime Division spent hundreds of thousands of dollars over more than 10 years buying multiple different models of IMSI catchers (cellphone trackers & Cell-site simulators), as well as upgrades, training programs, software, and attachments. The department purchased Harris Corporation’s Stingrays — a popular model used by many police departments across the country, and King Fish — a more powerful cellphone tracker. It also bought DRT boxes, known as dirt boxes — military grade trackers made by Digital Receiver Technology Inc., a subsidiary of Boeing. The Chicago PD also turned over 43 records of times they deployed cellphone trackers in the past 10 years — which Martinez suggests is likely still lower than the actual amount of times the devices were used. [The Intercept]

Telecom / TV

US – Broadband Privacy Rules Approved Despite Industry Pushback

Federal regulators have approved new broadband privacy rules that make internet service providers like Comcast and Verizon ask customers’ permission before using or sharing much of their data, potentially making it more difficult for them to grow advertising businesses. Under the measure, for example, a broadband provider has to ask a customer’s permission before it can tell an advertiser exactly where that customer is by tracking her phone and what interests she has gleaned from the websites she’s visited on it and the apps she’s used. For some information that’s not considered as private, like names and addresses, there’s a more lenient approach. Customers should assume that broadband providers can use that information, but they can “opt-out” of letting them do so. The Federal Communications Commission’s measure was scaled back from an earlier proposal, but was still criticized by the advertising, telecommunications and cable industries, who want to increase revenue from ad businesses of their own. Companies and industry groups say it’s confusing and unfair that the regulations are stricter than the Federal Trade Commission standards that digital-advertising behemoths such as Google and Facebook operate under. The FCC does not regulate such web companies. FCC officials approved the rules on a 3-2 vote Thursday, its latest contentious measure to pass on party lines. “It is the consumer’s information. How it is to be used should be the consumers’ choice, not the choice of some corporate algorithm,” said Tom Wheeler, the Democratic chairman of the FCC who has pushed for the privacy measure and other efforts that have angered phone and cable companies. AT&T and other players have fought the “net neutrality” rules, which went into effect last year, that say ISPs can’t favor some internet traffic. Another measure that could make the cable-box market more competitive is still waiting for an FCC vote. [Associated Press]

US – Ohm: FCC’s Privacy Proposal is ‘Sensible’

In a post for the Benton Foundation, Georgetown University Law Center professor Paul Ohm argues the pending FCC broadband consumer privacy proposal is “sensible.” He contends ISPs “jeopardize” consumer privacy “in ways the phone company and postal service” do not, pointing out that an ISP is the “mandatory first hop to the rest of the internet” giving ISPs “a nearly-comprehensive picture” of what a user does. He concludes, “If the FCC’s commissioners hold on to their commitments over the next few weeks and resist the continuing barrage from those urging them to water down the new privacy rules, they will accomplish something truly important. They will long be remembered and celebrated for protecting the kind of privacy we need to ensure safe, dynamic, and innovative online spaces.” [Benton.org]

Workplace Privacy

US – DOT Screening Program Doesn’t Violate Drivers’ Privacy

The Transportation Department didn’t violate truck drivers’ privacy by providing information about their non-serious safety violations to prospective employers, a federal appeals court decided (Flock v. U.S. Dep’t of Transp., 2016 BL 351349, 1st Cir., No. 15-2310, 10/21/16). The ruling leaves intact the pre-employment screening program, or PSP, launched in 2010 by the DOT’s Federal Motor Carrier Safety Administration. For a fee, the program gives employers access to commercial driver applicants’ crash and inspection information. Driver consent is required before information is disclosed by the government. In the present case, drivers contended that the PSP database should include only serious safety violations. They claimed that the inclusion of non-serious offenses, such as speeding tickets and other fines, violated their rights under the Privacy Act. The U.S. Court of Appeals for the First Circuit disagreed, upholding the dismissal of the drivers’ claim. The law allowing the FMCSA to collect safety information doesn’t restrict the agency’s discretion to disclose non-serious violations to employers, provided they have the drivers’ consent, the court said. The court also rejected the drivers’ argument that the PSP’s consent forms are coercive because they must be signed in order for the drivers to seek employment. Employer use of the PSP is optional, and the drivers didn’t present evidence that their employment chances are “doomed entirely” because of the inclusion of non-serious violations, the court said. [bna.com]

WW – The Changing Face of IT Training

It’s the second-most universal aspect of the job of privacy: organizing and providing privacy-related awareness and training. Not only must privacy pros be steeped in the knowledge of privacy law, but the IAPP-EY Privacy Governance Report says 78% of privacy pros also need to know how to convey some portion of that knowledge to others. Whether it’s HR, marketing or IT, different areas of the organization need different information. [IAPP.org]

+++

15 Sept – 14 Oct 2016

Biometrics

EU – Facial Recognition Tech Goes Live for MasterCard in Europe

MasterCard has announced it will move its facial scan-triggered payment authentication from trial to live status in Europe. This program, entitled “MasterCard Identity Check,” allows users to authenticate payments with a selfie or fingerprint scan. “One extant issue with using biometrics for authentication is that, unlike passwords, they cannot be changed,” the report adds. “So let’s hope MasterCard is properly encrypting whatever biometric data it is storing/accessing.” Regarding data storage, a MasterCard spokeswoman said that the company was currently working to eventually store facial recognition data at a device level. She added that MasterCard used the collected biometric information only to verify identity. The company expects a global rollout of the recognition technology in 2017, the report adds. [TechCrunch] [MasterCard Rolls Out Selfie Payments Decreasing Privacy One Step Further]

EU – CNIL Announces Implementation of Two New Biometric Rules

French data protection authority, the CNIL, announced the implementation of two new biometric rules. Single Authorizations AU-052 and AU-053 will repeal previous biometric rules created by the CNIL and have been enforced in anticipation of the General Data Protection Regulation. The authorizations differentiate between two types of biometric systems. Single Authorization AU-052 covers biometric systems controlled by an individual, such as a chip card, or within a database in a form unusable without the user’s involvement. Single Authorization AU-053 covers biometric systems not permitting users to keep control of their biometric template. The CNIL advises organizations to use biometric access systems allowing users to maintain control of their biometric template. [Hunton & Williams’ Privacy & Information Security Law Blog] [CNIL Advises Biometric Data Should Be Used For Employee Access Only if Alternative Means are Insufficient: CNIL – Biometrics – A New Framework for Biometric Access Control in the Workplace]

WW – Uber to Use Facial Recognition Technology

Ride-sharing service Uber has announced it will use facial recognition and matching technology to verify driver identity, prevent fraud and increase user safety. “It also protects riders by building another layer of accountability into the app to ensure the right person is behind the wheel,” said Uber Chief Safety Officer Joe Sullivan. The app will begin using Microsoft’s Cognitive Services tool to match photos by the end of the week. While some are concerned about the move’s privacy implications, others maintain there aren’t any. “Face verification is less problematic than other uses of the technology — such as when face recognition is used to identify an unknown person,” said the Center on Privacy and Technology Executive Director Alvaro Bedoya. [The Hill] [Portland Uber drivers will now be prompted for selfies]

US – Invasion of Privacy: Hotels Are No Longer Places of Enforced Privacy

A law firm examines the lack of privacy in hotels. Hotels, like other organizations, are increasingly using big data and new technology to track and build guest profiles (e.g. using WiFi, TV viewing habits, facial recognition software and surveillance cameras, and reward programs); guest privacy is also impacted by government access (e.g. subpoenas, municipal ordinances, or covert surveillance in some countries), and hackers (e.g. malware attacks on payment card information). [Sleep with an Eye Open: The New Age of Hotel Privacy Intrusion – Theodore Claypoole, Partner, Womble Carlyle Sandridge & Rice, LLP]

Canada

CA – Therrien: Canada Needs to Modernize Its Data Protection Efforts

The Privacy Commissioner of Canada Daniel Therrien calls for more modernized methods to protect personal data in his Annual Report to Parliament. Therrien said technological advances and new business models are putting more pressure on privacy, and with 90% of Canadians concerned about their inability to safeguard their privacy, it’s time to look at new ideas and possibly revamp outdated laws. Therrien also said the government has not done enough to protect the privacy of “law-abiding Canadians” from information-sharing powers under the C-51 legislation. “We’re trying to use 20th century tools to deal with 21st century privacy problems and it’s clear those tools are increasingly insufficient … The government should give greater priority to the modernization of laws and policies and it should invest more resources in building robust privacy protection frameworks.” [OIPC Canada] [Privacy chief says tools must keep pace with technology; takes aim at TV show] [Government failing to protect privacy of citizens, says watchdog]

CA – C-22 ‘Good First Step’ But Government Still Needs National Security Advice

Appearing before the House of Commons public safety and national security committee, Canada’s privacy commissioner Daniel Therrien said that while the government’s legislation to create a committee of parliamentarians tasked with reviewing national security activities is a “good first step,” it should expand the idea to include a panel of national security experts. Therrien’s comments kicked off the committee’s new study on Canada’s national security framework and how it balances privacy and civil rights with the need to keep Canadians safe. The committee also will examine C-22 before Parliament rises for the winter but the meeting (the first of seven) dealt more broadly with witnesses on the national security framework. Therrien pointed out that while the nine members of Parliament and senators appointed to the committee will be sworn to secrecy, they won’t necessarily be subject matter experts in national security. While three of Canada’s security agencies are subject to expert review (CSE, CSIS and the RCMP), the vast majority of the 17 government departments and agencies able to exchange information on Canadians under C-51 still would not be, and Therrien suggested that should change in conjunction with the creation of the committee. [I Politics] [Commissioner Therrien is pushing for laws to regulate the Communications Security Establishment’s access to and collection of citizens’ metadata] See also: [Spies use C-51 to gather intelligence from Canadians detained overseas]

CA – Report: Six Provinces Have No Breach Notification Laws for Health Data

Six provinces do not possess any legislation requiring hospitals, doctors or other health care organizations to notify patients when their data is breached. British Columbia, Alberta, Saskatchewan, Manitoba, Quebec, and Prince Edward Island currently have not implemented or have no laws at all for breach notifications. The six provinces have a combined population of nearly 20 million people. CBC News found there were 1,300 health care breach reports in 2015, up from 922 in 2014. Those numbers include breaches occurring in provinces with no notification rules. Alberta and Prince Edward Island are working to implement passed legislation to make breach notifications mandatory. [CBC News]

CA – P.E.I.’S New Law Makes It Mandatory to Inform Patients of Privacy Breaches

Prince Edward Island’s Information and Privacy Commissioner Karen Rose discussed the province’s Health Information Act, making it mandatory for patients to be notified if their privacy is breached. “What the Health Information Act states is the public body, when they discover the breach, they manage it as quickly as possible by responding to it, trying to contain it, notifying the people who are affected by it, investigating it, and then looking at what additional systems they could put in place to ensure this doesn’t happen again,” said Rose. The commissioner said all breaches will be reported to her and she will provide oversight on how they are handled. [CBC News] [New P.E.I. Health Act Will Disclose Privacy Breaches]

CA – Kruzeniski: HIPA Has ‘Gaps’ Needing Fixing

Saskatchewan Information and Privacy Commissioner Ron Kruzeniski is pushing to fix a “gap” in the Health Information Protection Act following a situation involving patient information and a photocopier. An anonymous individual purchased a photocopier from an auction that possessed printed pages of personal health information from Midway Walk-in Healthcare Centre. The individual attempted to sell the information for $5,000. Kruzeniski said HIPA doesn’t apply to business owners of health facilities, adding the definition of a trustee needs to be expanded. “I find the situation extremely frustrating and concerning,” Kruzeniski wrote in a report. “To think that my personal health information was given to and collected by a physician, but when stored or processed, my personal health information did not have the protection of HIPA.” [Regina LeaderPost]

CA – Op-ed: British Columbia Must Update FOI, Privacy Law

Vincent Gogolek explains why BC needs to reform the Freedom of Information and Protection of Privacy Act. Gogolek cites repeated efforts from former Information and Privacy Commissioner Elizabeth Denham to update the law. “Some of these recommendations include setting out a legal duty to document government actions, increasing penalties for interfering with information rights, and expanding coverage of the Act to include private contractors working for the public sector,” writes Gogolek, who also explains the downsides to delaying the revisions. “By waiting until February 2017, it seems unlikely the government will introduce, never mind pass into law, the necessary reforms to the Freedom of Information and Protection of Privacy Act, despite years of detailed reports and recommendations by commissioners, former commissioners, a unanimous Special Legislative Committee, and a slew of experts and citizens,” Gogolek writes. [The Huffington Post]

CA – Stoddart Invested by Governor General

His Excellency, the Right Hon. David Johnston, Governor General of Canada, invested 46 recipients into the Order of Canada in a ceremony at Rideau Hall in Ottawa, on September 23. Among the new Officers of the Order of Canada, recognizing National service, was former Bradford West Gwillimbury resident and Privacy Commissioner, Jennifer Stoddart, who has been a passionate defender of the privacy rights integral to a free and democratic society. Trained as a lawyer and historian, she was prominent in human rights and employment equity before her appointment as Canada’s 6th Privacy Commissioner. During her tenure, she led a number of initiatives demonstrating how to protect privacy, in the Information Age – recognizing that the global reach of social media necessitated a co-ordinated response. She rallied the international community to defend privacy rights, setting an example. [Bradford Times]

Consumer

WW – Consumer Tool Helps Users Understand Pricing Algorithms

ProPublica has unveiled a tool focused on pricing algorithms, in its series designed “to explain and peer inside the black-box algorithms that increasingly dominate our lives.” Because websites are “created, literally, the moment you arrive,” companies can easily develop websites for different users. “Each element of the page — the pictures, the ads, the text, the comments — live on computers in different places and are sent to your device when you request them.” For example, The Princeton Review was citing different SAT prep course prices depending on ZIP codes, and the new tool allows users to test their findings. “That’s the thing with algorithms — they can discriminate unintentionally.” “And as we enter a world of mass customization, we need to be on the lookout for this kind of discrimination.” [ProPublica]

WW – 92% of Consumers Don’t Understand How Companies Use Their Data

A study conducted by the Chartered Institute of Marketing found 92% of the 2,500 consumers surveyed did not understand how companies used their data. Of those participants, 57% did not trust companies to responsibly handle their data, while 51% claimed they had been contacted by an organization after their data had been misused. After compiling their findings, the CIM said personal data policies should be clearer and simpler on websites. The study also found only 16% of respondents take the time to read terms and conditions and privacy policies. [BBC.com]

E-Government

US – Montana Department of Justice Listing Data Breaches on Its Website

Following legislation passed in 2015 requiring companies in Montana to report data breaches, the state’s Department of Justice will now post the breaches on its website. “You can arrange the data in different ways,” said the department’s John Barnes. “You can export it into an Excel sheet, a PDF, or however you want to do it. It has information such as the business name, the notification documents that were sent to us are linked there, the date of the start and end of the breach, the data that it was reported to us, and the estimated number of Montanans impacted by each specific breach.” [KGVO.com]

AU – Agency Pulls 96,000-Person Dataset from Internet Over Privacy Concerns

The Australian Public Service Commission has removed an anonymized dataset of 96,000 surveyed government employees after concerns that a numerical data code assigned to each of the surveyed could be used to discover respondents by their answers. “We decided that extra care should be taken to make certain that individual officers could not be identified, especially if cross referenced with a range of other publicly available data,” an APSC representative said in a statement. “A review of the dataset is underway.” The set had been downloaded 58 times before it was removed, the report adds. [iTnews] See also: [Media Researchers May Need To Onboard Privacy Controls To Avoid Matching Respondent Identities]

US – Foreign Hackers Breach Voter Databases In Four States

Foreign hackers breached the voter registration databases in four states. Officials acknowledged cyberattacks in both Arizona and Illinois, while sources say Florida was one of the other states breached. The fourth state has not been identified. One source said a phishing attack was likely the cause of the attacks, as the hackers targeted both government systems, and computers maintained by private contractors hired to keep voter data. “The attack was successful only in the sense that they gained access to the database, but they didn’t manipulate any of the voter [information] in the database,” the ABC News source said. Homeland Security Secretary Jeh Johnson said 21 states have asked his department for help in order to prevent similar attacks from occurring. [ABC News]

US – DHS Says Attackers Probing US States’ Voting Systems

According to a US Department of Homeland Security (DHS) official, voter registration systems in at least 20 states have been breached or probed by attackers. DHS says there is no evidence that data have been altered. However, the fact of the intrusions themselves could cause people to doubt the integrity of US voting systems. [Fortune | Darkreading]

US – Bill Would Punish Agency Heads for Breaches

Legislation introduced in the US House of Representatives would allow for agency heads to be punished in the event of certain security breaches. The Cybersecurity Responsibility and Accountability Act of 2016 would allow the Office of Management and Budget (OMB) to recommend demotion, pay penalties, or even firing if a breach is found to be due to the agency head’s failure “to comply sufficiently with the information security requirements, recommendations, or standards.” The proposed Cybersecurity Responsibility and Accountability Act of 2016 would mean government agency heads could be fired, demoted or punished for breaches resulting from their failure to “comply sufficiently with the information security requirements, recommendations or standards.” [Nextgov.com]

E-Mail

US – Yahoo Scanned eMail for US Government

Yahoo created a tool to scan all customers’ incoming emails for a certain set of characters at the behest of US intelligence. There is speculation that this is the first instance of a US Internet company agreeing to comply with a government demand to scan all incoming messages. Former employees say that some senior executives were unhappy with the company’s decision to comply with the demand. Alex Stamos, who at the time was Yahoo’s CISO, left that company in June 2015. [Reuters: Exclusive: Yahoo secretly scanned customer emails for U.S. intelligence – sources | Ars Technica: Yahoo’s CISO resigned in 2015 over secret e-mail search tool ordered by feds | Washington Post: Yahoo helps the government read your emails. Just following orders, they say] [Yahoo Mail suspends automatic mail forwarding as privacy controversies swirl]

US – Yahoo Updates Email Security Features

In the wake of Yahoo’s confirmation of a 2012 breach with 500 million victims, the company has updated its email security features. It added a user tracking screen, showing “the recent devices (e.g., Chrome, Mac OS X) where the Yahoo account has been used, followed by a log of the most recent activity or changes to your Yahoo account.” However, critics argue that the screen’s features aren’t comprehensive enough, and that the lack of a straightforward account deletion button is problematic. Meanwhile, the Morning Consult reports that half of the 1,989 registered voters surveyed by the publication are “uneasy” about allegations that Yahoo may have scanned emails for intelligence information on behalf of the U.S. government. [TechCrunch] See also: [Access Now asks Verizon to examine email scanning allegations against Yahoo] [Verizon reportedly wants $1B taken off Yahoo sale after privacy fallout] [Yahoo faces wave of breach class actions, EU regulators raise ‘serious questions’]

CA – OIPC ON Cautions Custodians about the Risks of Using Email to Communicate PHI

A new Ontario IPC fact sheet addresses the risks of emailing personal health information. The risks include inadvertently sending the PHI to the wrong recipient (e.g. mistyping an email address or using the autocomplete feature), the theft or loss of portable devices, unauthorized forwarding or changing of the email, and interception or hacking by third parties; risk mitigation measures include notifying patients about the custodian’s written email policy and obtaining their consent prior to the use of unencrypted email, using end-to-end encryption, and encrypting backups (including those located offsite). [IPC ON – Communicating Personal Health Information by Email | Press Release]

CA – NL OIPC Recommends Ban on Personal Emails for Government Business

Province has ‘duty to document,’ according to information commissioner. Newfoundland and Labrador’s information and privacy commissioner, Donovan Molloy, said the provincial government should prohibit the use of personal email accounts to conduct government business. Molloy made that recommendation in a report issued this week. That report was specific to the Department of Natural Resources. But in it, Molloy also dealt with the broader issue of the “duty to document” within the government. “True commitment to accountability and transparency dictates the implementation of record-keeping practices and policies that preclude use of personal email accounts or other means that either avoid creating records or make records inaccessible,” Molloy wrote. “Premiers, ministers, chairs, directors and other executives who use personal email to conduct the business of a public body set a tone throughout the body that this is acceptable, and perhaps preferred. Citizens of the province are entitled not to have their access to information subverted by the use of personal email. The public also must be satisfied that communications surrounding a public body’s decisions and its actual decisions are documented so that there are records to access.” [CBC News]

CA – NS OIPC: Personal Email and Government Work Should Never Mix

Government records not properly secured, search for info not easy on outside servers. Nova Scotia’s information watchdog wants any provincial and municipal employees paid by taxpayers to be prohibited from using personal cellphones, tablets and email accounts for work-related tasks — unless those tools can be set up to retain and store records automatically. Information and privacy commissioner Catherine Tully issued new guidelines warning public employees not to use personal emails or send texts if it involves their jobs. She said the policy is needed to safeguard government records. [CBC News]

CA – Risk Managers Unsure Whether their Cyber Insurance Policy Covers Data in Cloud Servers

Four in five risk managers surveyed said their company has a stand-alone cyber insurance policy, though only three in four reported their policy covers network/business interruption, Risk and Insurance Management Society Inc. said in the 2016 RIMS Cyber Survey. When asked whether their company has a “stand-alone cyber insurance policy,” 80% of respondents said yes, 19.5% said no and 0.5% said they were not sure. Respondents were asked whether their organization’s cyber insurance extends to data stored in cloud servers. More than two-thirds (69%) said yes, 9% said no and 22% said they were not sure. RIMS also asked members which losses were included in their cyber insurance policies. More than nine in 10 (91%) said breach notification costs. About one in four (27%) said theft of trade secrets; 80% said data recovery; 50% said professional liability; 76% said network/business interruption; 78% said cyber extortion and 63% said fines and penalties. Among U.S. respondents, 48% said the U.S. government should mandate breach reporting. [Canadian Underwriter]

US – Donald Trump Rented Ted Cruz’s Supporter Email List 31 Times

Before endorsing Donald Trump for president, Sen. Ted Cruz, R-Texas, had rented the email list of his supporters to the Trump campaign numerous times for financial gain. While the financial conditions of the agreement are unclear, an “email rate sheet shows that Cruz asks campaigns to pay more than $22,000 for the right to send a single email [to] his list of 280,000 digital donors. He charges more than $51,000 to ping his full email file of 1.28 million supporters.” Cybersecurity professional Robert Graham donated $10 to most presidential candidates using different email addresses to determine how many times his address was shared. Graham’s records found Trump consulted the Cruz list 31 times, more than any other candidate or committee. [POLITICO]

Electronic Records

WW – How Medical PHI Is Sold On Deep Web and Why That Matters

Perhaps no industry sector has been hit harder in recent years by data breaches than the health sector. To delve further into the issue, researchers at the Institute for Critical Infrastructure Technology dove into the so-called “deep web,” and discovered marketplaces where users can buy prescription drugs, access government and pharmacy databases, and buy medical information from stolen electronic health records. Ryan Chiavetta looks into the report — Your Life, Repackaged and Resold: The Deep Web Exploitation of Health Sector Breach Victims — and discusses its results with one of the report’s researchers, James Scott, as well as Protenus CEO Robert Lord. [Privacy Tech] See also [Why medical breaches run rampant and what can be done to stop them]

Encryption

WW – Prepare for Threat of Quantum Computing to Encrypted Data

The race to create new cryptographic standards before super-fast quantum computers are built that can rip apart data protected by existing encryption methods isn’t going fast enough, two senior Canadian officials have warned a security conference. “I think we are already behind,” Scott Jones, deputy chief of IT security at the Communications Security Establishment (CSE), responsible for securing federal information systems, told the fourth annual international workshop on quantum-safe cryptography in Toronto. “Quantum represents a fundamental change and challenge to encryption for all of us,” Jones said, noting that encrypted transactions are the backbone of security and trust on the Internet. [itworldcanada.com] [National Electronic Intelligence Agency Executive Calls for ‘Rational Debate’ on Encryption]

WW – Facebook Now Offers Opt-in Encryption for Mobile Messenger App

Facebook is now offering opt-in encryption for its Messenger mobile app. The “Secret Conversations” feature allows users to send messages that no one but the sender and the recipient will be able to read. It also allows senders to set a destruction time of between five seconds and one day for sent messages. [ZDnet.com | CS Monitor]

EU Developments

UK – ICO Endorses Use of ‘Just-In-Time’ Notices

The UK Information Commissioner’s Office has endorsed the use of “just-in-time” notices in its new code of practice. The agency said the notices, consisting of video messages or other forms of communication, can help companies receive the consent they need to process personal data correctly. The ICO said organizations should not restrict privacy notices to a single document or page on their websites. “Often, and particularly when on an organisation’s website, people will provide personal data at different points of a purchase or interaction. When filling out a form people may not think about the impact that providing the information will have at a later date. Just-in-time notices work by appearing on the individual’s screen at the point where they input personal data, providing a brief message explaining how the information they are about to provide will be used,” the ICO said. [ICO.iuk.org]

UK – ICO Fines TalkTalk Over Customer Data Theft

The UK Information Commissioner’s Office has fined telecommunications company TalkTalk £400,000 (US $497,000) for inadequate security resulting in the theft of customer data. The incident occurred in October 2015. The attackers were able to access the personal information of more than 156,000 TalkTalk customers; roughly 16,000 of those records included bank account information. If TalkTalk pays the fine by November 1, 2016, it will be reduced by 20 percent. [ICO Report | BBC | v3.co.uk] [UK ICO Fines Telecom £400,000 For Failing to Safeguard Online Customer Personal Data]

EU – Commission Plans Cybersecurity Rules for Internet-Connected Machines

The European Commission is getting ready to propose new legislation to protect machines from cybersecurity breaches, signalling the executive’s growing interest in encouraging traditional European manufacturers to build more devices that are connected to the internet. A new plan to overhaul EU telecoms law, which digital policy chiefs Günther Oettinger and Andrus Ansip presented three weeks ago, aims to speed up internet connections to meet the needs of big industries like car manufacturing and agriculture as they gradually use more internet functions. But that transition to more and faster internet connections has caused many companies to worry that new products and industrial tools that rely on the internet will be more vulnerable to attacks from hackers. EU lawmakers want to dispel those fears by creating rules that force companies to meet tough security standards and go through multi-pronged certification processes to guarantee privacy. “That’s really a problem in the internet of things. It’s not enough to just look at one component. You need to look at the network, the cloud. You need a governance framework to get certification,” Thibault Kleiner, Oettinger’s deputy head of cabinet, said at a Brussels conference yesterday evening (4 October). Kleiner said the Commission would encourage companies to come up with a labelling system for internet-connected devices that are approved and secure. [EurActiv]

EU – Europe Drafting IoT Security Requirements

The European Commission is drafting new laws aimed at improving security of the Internet of Things (IoT). The rules are a part of the European Commission’s plan to rework its telecommunications laws. The medical machinery/devices and industrial control systems industries have had over a decade to self-regulate and have failed. And those are industries selling to business. The current and future wave of “things” in the IoT is consumer-driven and built and sold by thousands of companies that can’t even spell cybersecurity. The European Commission seems to be aiming at a UL- or Energy Star-like certification program. If the “basic security hygiene” certification bar is high enough (a big “if”), that is a good starting point. [krebsonsecurity]

EU – Smart Meters Receive New Guidelines to Protect Data from Hackers

Technical guidelines for a new digitization law are designed to protect smart meters from cyberattacks, while putting consumers in control of what happens to their data. Employing privacy-by-design principles, the guidelines will incorporate a system requiring consumers to allow a “fine-grained data transmission” before the information can be used by various entities. The smart meters collect and transfer data on consumers and are used by third-party metering companies, direct marketers, data aggregators, virtual power plant operators, and storage companies. [Ethical Corp]

EU – Watchdog Groups Sue US, UK and Other Countries for Violating European Convention on Human Rights

Ten privacy watchdog organizations from Canada, Egypt, Ireland and the U.S., including Amnesty International, have sued the U.S., New Zealand, Australia, the U.K. and Canada for bulk surveillance practices that they contend violate the European Convention on Human Rights. The surveillance “violates the Convention’s right to privacy because the U.K.-based wing of the program does not implement adequate safeguards.” “In framing a government which is to be administered by men over men, the great difficulty lies in this: you must first enable the government to control the governed; and in the next place oblige it to control itself,” the groups said in their brief. [The Hill]

EU – Researchers Find Privacy Policies Lack Privacy Considerations

German third-party testing laboratory the AV-Test Institute has criticized privacy policies in a new study. It argues companies have too much access to the personal information of users. “In almost every privacy policy examined, the manufacturers presume a vast number of access rights to data that should not be necessary for using a security software application,” AV-Test Institute’s study states. Some policies called for access to biometric data. While the AV-Test Institute’s CEO Andreas Marx didn’t want to specify which policies asked for what, he did say that the average policy is 12 pages and most were composed of “impenetrable jargon.” He added that the study’s feedback found that some companies were working to improve their policies. [Fedscoop] [Study]

Facts & Stats

CA – Federal Data Breaches Up 16%, Canadian Privacy Commissioner Reports

The number of material data breaches suffered by federal government departments increased 16% to 298 for the 12-month period ending March 2016, compared to 256 the previous year, according to the federal privacy commissioner’s annual report. As in years before, “accidental disclosure” was the most common cause cited for breaches, “highlighting the need for institutions to ensure proper procedures are in place to protect Canadians’ personal information.” The report says new technologies and business models are putting ever-greater pressures on privacy and demand a more modern approach to protecting personal information. “The government should give greater priority to the modernization of laws and policies and it should invest more resources in building robust privacy protection frameworks. This is essential to maintaining public confidence in government and the digital economy.” The data breach numbers for the last fiscal year were the second year government departments were obliged under Treasury Board rules to report to the privacy commissioner’s office “material” data breaches. In the years before 2012-2013 reporting was voluntary. But, the report adds, there is still inconsistency in reporting. For example, there were more than 5,800 breaches recorded across all departments in 2015-2016, but just over five per cent of those were reported to Therrien. The report says it’s time for breach notification to be elevated from a policy directive to a legal requirement. The report also notes a sharp increase in voluntary data breach reports submitted by organizations covered by PIPEDA. For calendar year 2015, there were 98 reports, more than double the 44 received in 2014. That is expected to increase even more when mandatory data breach reporting comes into effect, perhaps next year, when regulations are proclaimed under the Digital Privacy Act. [itworldcanada.com]

Finance

CA – OPC Canada Warns About Privacy Risks Associated with Electronic and Digital Payments

The OPC issues guidance on privacy of electronic and digital payments. Privacy and security risks are generally greater due to the multiple entities processing PI; there can be significant association of purchases with location and social media connections, virtual currencies do not necessarily permit anonymous purchasing (e.g. account registration may require a user to provide PI that can include driver’s licence and passport information), data brokers and marketers may buy purchase data from retailers or loyalty/reward programs, and some digital wallet apps may post who a user paid and what they paid for. [OPC Canada – Electronic and Digital Payments and Privacy] See also: [UK: Are card firms are putting YOU at risk online as they scale back verified schemes to stop shops missing out on sales?]

FOI

CA – NL Privacy Commissioner Pushes to Post Contracts for Goods and Services Online

The province’s information and privacy commissioner believes he has a way to save the Newfoundland and Labrador government money and fight corruption at the same time: by posting its contracts with companies for various goods and services online. He said other countries have started posting the contents of contracts online and seen savings, and his idea has caught the attention of some people in this province. Right now, the province does maintain an Open Data web site where it posts data on a variety of topics such as fuel prices, wildlife permits, and mining industry employment. [CBC News]

US – US-EU Join Forces to Create Open-Source, Open-Data System

U.S. Department of Commerce counselor Justin Antonipillai and the Director-General of DG Connect at the European Commission Roberto Viola announced a partnership to create a joint U.S.-EU open-source, open-data system, designed to speed up access to open data on both sides of the Atlantic. Open Government Data is the product of the two agencies exchanging ideas on digital issues, and represents “a substantial source of trusted and quality information which can speed up the transition towards a truly data-driven economy …We want to ease the reuse of open data by businesses for development of new products and services and to help public authorities exchange best practices in publishing open data,” the announcement read. “Also, we want to more broadly seek to identify needs from data users for a better usability of open data originating from the EU and the U.S.” [Medium.com]

CA – OIPC AB Finds Public Body Did Not Meet Burden of Proof for Exemption

The Alberta Office of the Information and Privacy Commissioner reviewed a decision by the Alberta Justice and Solicitor General to deny a request for records, pursuant to the Freedom of Information and Protection of Privacy Act. The public body provided an affidavit stating that all records over which privilege had been claimed are the subject of an exemption; however, privilege can only be claimed document by document, with each document being required to meet the criteria (a communication between solicitor and client which entails the seeking or giving of legal advice, and is intended to be confidential by the parties). [Office of the Information and Privacy Commissioner – Order F2016-31 – Alberta Justice and Solicitor General]

CA – BC Supreme Court Compels Newspaper to Disclose Information Related to Professional Association Investigation

The BC Supreme Court considered a motion to quash production orders issued by the Law Society to a journalist and his employer newspaper in relation to an internal investigation. The Legal Profession Act, which includes subpoena powers, applies to non-lawyers, and the production order issued by a law society to the newspaper and journalist for purposes of investigating a member’s conduct was reasonable; the order was not seeking the petitioner’s PI or proprietary corporation information, the petitioners’ article placed the information in the public domain, and the regulation of professions is a compelling objective. [Mulgrew v. The Law Society of British Columbia – 2016 BCSC 1279 – In The Supreme Court of British Columbia]

CA – OIPC SK Confirms Ministry Cannot Charge for Time Spent Preparing Fee Estimate

The Office of the Saskatchewan Information and Privacy Commissioner reviewed a fee estimate provided by the Ministry of Agriculture, pursuant to the Freedom of Information and Protection of Privacy Act and the Freedom of Information and Protection of Privacy Act Regulations. The Ministry could not charge the applicant the same preparation fee after he narrowed the scope of his request simply because the Ministry had already completed the search for records before the fee estimate was agreed on (completing the entire search before reaching agreement on the fees was a waste of government time); once the fee was expected to surpass $50, the Ministry should have stopped its search for responsive records and provided a fee estimate. [Office of the Saskatchewan Information and Privacy Commissioner – Review Report 115-2016 – Ministry of Agriculture]

CA – OIPC BC Finds Solicitor-Client Privilege Applies to Final Report About a Workplace Investigation

The BC Office of the Information and Privacy Commissioner reviewed a decision by the Provincial Health Services Authority to deny access to records requested, pursuant to the Freedom of Information and Protection of Personal Privacy Act. The report was a confidential communication between the public body and the law firm retained to conduct the investigation; the firm was retained to provide legal advice (not just investigate the issue), Terms of Reference explicitly state that the investigation was privileged and confidential, the investigating lawyers expressly agreed that all information collected would be treated confidentially, and each page of the report was stamped with the word ‘confidential’. [OIPC BC – Order F16-40 – Provincial Health Services Authority]

Genetics

US – DNA Database Poses Potential Privacy Risks: Op-ed

David Lazarus explains why U.S. President Barack Obama’s “precision medicine” database containing DNA information of a million volunteers needs strong privacy protections. While the system represents a big leap in big data analytics by allowing doctors and hospitals to help piece together a person’s risk for disease, it also has its downsides. “The darker possibility, however, is a disturbing prospect of genetic haves and have-nots, and of discrimination based not on race, age or gender but on health.” “My sense is that when it comes to big data and health care, we don’t know what we don’t know. That is, the full benefits and dangers will become apparent only as these systems are brought online and start to interact,” he added. [Los Angeles Times]

US – White House’s OSTP Requests Info on Data Portability

The Office of Science and Technology Policy has issued a request for information on data portability and “whether and how to increase your ability to get and use your data,” the White House said. “Proponents of increased data portability point to numerous, significant benefits for users, service providers and the broader public,” while “some privacy and security advocates also worry that the strength of data portability could encourage more information sharing, including when it might be inadvisable from a privacy perspective.” Therefore, the OSTP hopes to discover the benefits and detriments of increased data sharing; those industries most affected by the practice; what the federal government and other organizations can be doing to increase data portability; and best practices, the report adds. The OSTP will accept comments until Nov. 23. [White House]

Health / Medical

CA – Ontario: Doctors Worry About Patient Privacy As They Speculate On Government Plans For eHealth

The province’s doctors are expressing “grave concerns” about the Liberal government’s plans for eHealth Ontario. In the wake of Health Minister Eric Hoskins’ decision to ask Premier Kathleen Wynne’s privatization guru, Ed Clark, to appraise the monetary value of the electronic health records agency, the Ontario Medical Association is sounding the alarm over patient privacy. Wrote OMA president Dr. Virginia Walley in an open letter to Clark: “We have grave concerns about how your mandate from Minister Hoskins is being interpreted… We are particularly concerned to read in media reports that the government may be seeking to monetize this data-gathering ability for profit,” she continued, as she urged “safeguards” to protect patients. Walley, whose organization represents the province’s 42,000 doctors, also took issue with the government’s assertion that its digital health strategy is paying off dividends. “The blunt reality is that we do not currently have a functional eHealth system that benefits patient care and it is unclear to us currently how your mandate from Minister Hoskins will help encourage or support this,” she wrote. [Toronto Star] See also: [Ontario asks privatization czar to look at digital health system]

US – HHS Releases Cloud Computing Guidance for HIPAA Covered Entities

The U.S. Department of Health & Human Services has released guidance on the best ways for HIPAA covered entities and business associates to use cloud computing solutions while protecting electronic health records. “This guidance focuses on cloud resources offered by a CSP [cloud service provider] that is an entity legally separate from the covered entity or business associate considering the use of its services. CSPs generally offer online access to shared computing resources with varying levels of functionality depending on the users’ requirements, ranging from mere data storage to complete software solutions,” the announcement said. The guidance answers several concerns, including whether covered entities can use a cloud service to store or process ePHI, and if HIPAA rules allow health care providers to use mobile devices to access ePHI in the cloud. [HHS.gov]

CA – Health Crackdown on Doctor Double-Billing Hindered by Privacy Laws

The New Brunswick Department of Health contends privacy laws are preventing it from stopping doctors who are double billing Medicare and WorkSafe New Brunswick for the same medical services. The department’s Deputy Minister Tom Maston said privacy legislation makes it impossible for the two agencies to determine whether they are paying for the same service two times. “One of the challenges we have with the data is you cannot use the data for something other than what the data was collected for,” said Maston. “Each act will specify that this piece of data is collected for this reason, and if you want to use it for a different reason, sometimes the act will not permit that. Even within our department, within divisions, it is difficult to share data because of privacy concerns.” [CBC News]

US – Affordable Care Act Hurts Fight Against Medical Identity Theft: Op-ed

ID Experts CEO Bob Gregg explains how the Affordable Care Act works against patients who are victims of identity theft. Gregg speaks to health industry executives who wish to develop relationships with patients based on trust, but the ACA’s requirement to spend 80-85% of customer premiums on claims or quality improvement initiatives creates an issue. “The problem is that security measures to protect data or fight fraud are considered administrative expenses and not quality of care improvements. Insurers are effectively barred from spending beyond a certain amount on protections for their customers’ medical identities, protections that could potentially save their lives,” writes Gregg. “Health plans should not be penalized for spending money to protect their customers.” [The Hill]

US – NYT Writer Attempts to Obtain His Entire Medical History in 72 Hours

Proclaiming it “an exercise that most people could benefit from,” Ron Lieber challenged himself to obtain his entire medical history within 72 hours. The project came in response to a colleague’s article that stated “there’s often no such thing as a complete medical dossier on anyone.” Gathering all his medical data in one place could help him correct any errors in his medical history “that make me look like a bad insurance bet,” he wrote. “I spent three full days pestering my pediatrician in Chicago for immunization records and wandering New York in search of the travel medicine specialist I saw in 2005… Then, I tried to figure out what life insurance underwriters would find out from services that gather prescription drug histories upon request.” Lieber was not successful in obtaining all the information in the allotted time frame, but said he learned a lot about obtaining data from different health care entities. [The New York Times] See also: [How robots could fill a gap in health-care]

US – WakeMed Health Penalized for Publishing PHI Within Online Court Documents

A federal court penalized WakeMed Health and Hospitals for publishing sensitive patient information online in filings it made for court cases. WakeMed must pay $70,000 in punitive damages, including $50,000 to the court and $10,000 going to each of the two individuals filing a complaint, while also paying $60,000 to cover the plaintiffs’ legal fees. Thousands of patients had their Social Security numbers and dates of birth published online in court documents WakeMed was using to seek payments for debts supposedly owed by individuals who filed for bankruptcy protection. “The court’s decision highlights the need to offer certain staff members compliance training that goes far beyond HIPAA and addresses all relevant patient privacy legal requirements — including those tied to bankruptcy issues.” [GovInfoSecurity]

Horror Stories

US – More than 58 Million Records Stolen from Data Aggregator

Data aggregator Modern Business Solutions suffered a database breach that compromised at least 58 million records. Modern Business Solutions works primarily with the automotive and real estate industries. [SC Magazine | The Register]

CA – Ex-AHS Employee Inappropriately Accessed Thousands of Patient Records

A former Alberta Health Services employee inappropriately accessed the health information of 1,300 patients, and the hospital is now in the process of notifying those affected. AHS also said the same employee viewed demographic information on another 11,539 Alberta patients, including names, addresses, dates of birth and health care numbers. The hospital said patient records were not altered, and the employee is no longer working in the organization. “The accuracy of that health care information has not been altered or tampered with,” AHS Interim Vice President of Quality Dr. Francois Belanger said. “We also know that health care information has not been printed and likely not shared with anybody else. We understand that this information will be concerning to Albertans, and it is to us as well.” [Global News]

CA – Vancouver Marijuana Dispensary Site Exposed Patient Medical Information

A Vancouver marijuana dispensary website suffered a data breach when it was discovered the information of several patients was openly available to the public with no password protection. The website had personal information and medical records on patients, including birth certificates, medical imaging, passports, prescriptions, biopsy reports and mental health assessments. The BC Information and Privacy Commissioner has started an investigation, and it has not been determined whether the breach was accidental or malicious. The breach comes after Ottawa marijuana dispensary chain Magna Terra Health Services accidentally sent an email containing information on 470 customers who purchased cannabis at their stores. [Times Colonist] See also: [300,000 urology patients’ info exposed online]

CA – Marijuana Dispensary Accidentally Sends Email With Customers’ Addresses

Ottawa marijuana dispensary chain Magna Terra Health Services accidentally sent an email containing the addresses of 470 individuals who had purchased medical cannabis at their locations. A second email was sent out by Magna Terra President Franco Vigile apologizing for the breach, saying the employee responsible for sending the first email had been fired. “We take risks daily to ensure all of our members have safe and convenient access to their medication which I believe outlines our sincerity and dedication towards caring about our members which leaves me extremely upset over this situation,” Vigile wrote in the email, while also saying he has reached out to the service provider to “try and rectify the error by recalling all of the emails sent out.” [Ottawa Citizen]

NZ – More than 1M Dating Site Accounts Leaked on The Internet

The personal information of approximately 1.5 million users of a New Zealand-based dating company was discovered on the internet. The C&Z Tech Limited leak revealed usernames, email addresses, passwords, genders, dates of birth, countries of residence, and other personal information. The company was alerted to the breach by the MacKeeper Security Research Center, and quickly secured the data. “While we acknowledge the data breach, only a small number of users were affected,” said C&Z employee Anton, who did not provide his last name. “The data leak was from one of our test databases, the majority of data were dummy data and were randomly generated, and the vulnerability was immediately remediated.” Media reports questioned the legitimacy of the dating site’s claims. [ZDNet]

Identity Issues

AU – Bill Making Re-Identifying Data Criminal Debuts in Senate

Australian Attorney-General George Brandis has moved on his plans to criminalize re-identification of de-identified data “published by the Commonwealth,” introducing into the Senate his proposed amendments to the Privacy Act. “It will also be an offence to counsel, procure, facilitate or encourage anyone to do this, and to publish or communicate any re-identified dataset,” the explanatory memorandum said. Lawbreakers could face up to two years in prison. The bill “will be retrospectively applied from 29 Sept.,” the report adds. [ZDNet] See also: [Japan’s Government Releases Guidance on De-identification of Personal Data | Press Release] and [Irish DPA Advises that Removal of Direct Identifiers Does Not Make Data Sets Anonymous – see the Data Protection Commissioner in Ireland provides guidance on anonymisation and pseudonymisation of personal data- Anonymisation and Pseudonymisation]

AU – New Amendments Would Criminalize ‘Re-Identified’ Government Data

Australian Attorney-General George Brandis plans to amend the Privacy Act to make it a criminal offense to publish or disseminate “re-identified” government datasets. “The amendment to the Privacy Act will create a new criminal offence of reidentifying de-identified government data … It will also be an offence to counsel, procure, facilitate, or encourage anyone to do this, and to publish or communicate any re-identified dataset.” Researchers and privacy advocates believe the new amendments will only impede progress for finding security issues. “Security through obscurity doesn’t work — keeping the algorithm secret wouldn’t have made the encryption secure, it just would have taken longer for security researchers to identify the problem. It is much better for such problems to be found and addressed than to remain unnoticed,” wrote University of Melbourne researchers in an article. [Guardian]

Internet / WWW

WW – GPEN Unimpressed With State of Connected Devices

The Global Privacy Enforcement Network, a group of data protection authorities from around the globe, has released the results of its latest annual privacy sweep, this time examining connected devices. The findings? “The privacy communications of internet-connected devices are generally poor and fail to inform users about exactly what personal information is being collected and how it will be used,” reads a press release. Twenty-five privacy enforcers took part in the sweep, which took place in April. A total of 314 connected devices were examined, including smart meters, health monitoring devices, smart TVs and connected toys. DPAs studied the privacy communications included with the products, both “in the box” and online, and often interacted with the devices to see how reality matched the communications. While this was not a proper “investigation,” and no enforcement actions are connected to the findings, the DPAs’ message is clear: “It is imperative,” they write, “that companies do a better job of explaining their personal information handling practices.” [OIPC Canada] See also: [Alberta’s connected devices fared well in global privacy sweep] [ICO UK Found 59% of Devices Do Not Inform Customers How Personal Data is Collected, Used and Disclosed] [DPA France Finds that Most Connected Devices Are Not Transparent About Data Practices] [DPA Italy Finds Smart Devices Do Not Adequately Inform Customers About Personal Data Handling Practices] [DPA Ireland Finds Transparency of Smart Device Data Practices Requires More Focus] and [Norwegian Data Authority Cites Privacy Issues With Telemedicine Products]

WW – Poorly Secured IoT Devices Are Making the Web Less Safe

Distributed denial-of-service attacks have been around for a long time, but with the rise of internet of things devices — particularly ones that are poorly secured — DDoS attacks are getting exponentially more powerful. Respected infosecurity blogger Brian Krebs felt the brunt of one such powerful attack over the weekend. The attack was so powerful that Krebs’ website went down for several days, and the company providing pro bono security services had to pull out because of cost. Jedidiah Bracy looks into this rising issue, the dangers it could pose for e-commerce, and explores whether there’s a role privacy pros can play to help. [Privacy Tracker] See also: [The IoT zombies are already at your front door] See also: [Potential Apple Watch snooping: A not-so-paranoid cyberespionage risk]

WW – Trying to Comply With SOC 2? Things Just Got Easier

In 2016, the American Institute of Certified Public Accountants revised the SOC 2 trust principles with the issuance of TSP 100, Trust Services Principles and Criteria. One of the most significant revisions in this update was a simplified set of criteria for the privacy principle. The AICPA is constantly working on improvements for SOC reports and the guidance that goes with them. In 2015, the AICPA revised its SOC 2 guide, but privacy remained a 64-page effort of management criteria, illustrations, and additional considerations based on Generally Accepted Privacy Principles. Because this information seemed to repeat itself quite a bit, was difficult to understand, and had so many aspects that appeared to be needed for compliance, many companies avoided the privacy principle in SOC 2 as much as possible. The AICPA revised the trust principles again recently with the biggest change coming to the privacy principle. Instead of 64 pages of guidance, the new TSP 100 simplified privacy to eight criteria with a total of 20 control objectives. [IAPP.org]

Law Enforcement

US – Wyoming Lawmakers Examine Rules for Police Body Cameras

State lawmakers are looking at establishing rules for police body camera footage, with the intention of protecting law enforcement, privacy rights and the public interest. Last week, members of the Wyoming Legislature’s Task Force on Digital Information Privacy decided to move forward with a proposal to address the process for how police body camera video is released. Currently, state law does not address how those recordings should be handled, and as a result, some agencies are reluctant to use body cameras. The proposal from the task force would make all body camera footage private by default. However, the public, media, law enforcement or other entities could ask a court to have the footage released if there is a public interest in doing so. Sen. Chris Rothfuss, D-Laramie, and a co-chairman of the task force, said the legislation began as a result of conversations nationally about body cameras. He said he thinks having legislation to protect both law enforcement officers and the public interest will encourage more agencies to use body cameras. “If law enforcement is comfortable with privacy protections, they’ll adopt the technology,” Rothfuss said. “I think it’s critical we have this. I think it protects our law enforcement, and I think it protects the public.” [Wyoming News]

US – Report: Police Misuse of Law Enforcement Databases Abounds

An investigation has found that police officers nationwide have abused their access privileges to law enforcement databases to find information on everyone from journalists to romantic partners, for reasons not related to their daily work. “No single agency tracks how often the abuse happens nationwide, and record-keeping inconsistencies make it impossible to know how many violations occur.” “But the AP, through records requests to state agencies and big-city police departments, found law enforcement officers and employees who misused databases were fired, suspended or resigned more than 325 times between 2013 and 2015.” While law enforcement agencies train officers not to abuse the databases and tell them that their usage is subject to audit, “misuse persists.” [The Associated Press]

UK – Report: Four Police Employees Fired for Data Breaches

Privacy advocate group Big Brother Watch revealed three Dorset Police officers and one police staff member were fired for committing data breaches. Big Brother Watch discovered the four employees violated the Data Protection Act, while an additional seven officers and 13 staff members were internally disciplined. Two of the staff members resigned during the disciplinary process. The Big Brother Watch report found 30 incidents of officers not receiving any form of discipline for a data breach, with 12 police staff falling into the same category. “Dorset Police takes a very proactive approach to data breaches,” said Dorset Police’s Tim Whittle. “We have a robust audit system in place to monitor the use of police systems and as such the statistics will reflect this.” [Dorset Echo]

US – ACLU Launches Police Transparency Initiative as Surveillance Grows

The American Civil Liberties Union of California has announced a “multi-city legislative initiative” to increase police transparency around its surveillance practices. The ACLU began the Community Control Over Policing Surveillance initiative after requesting records from 63 California law enforcement agencies, ultimately finding that 40 percent of the responding groups used social media surveillance tools, “and most of them started using them within the last year” without notifying the government or the public. Meanwhile, The Hill reports that New York City officials have asked the Federal Communications Commission to overhaul its mobile emergency alert system in the wake of the New York and New Jersey bombings. [TechCrunch]

US – Law Enforcement Investigating People Based Solely On IP Addresses

Law enforcement is using IP addresses to track potential criminals, only to discover they belong to innocent parties. Officers attempt to track down an individual involved in online criminal activity by tracing an IP address, but run into innocent people who either run a Tor exit relay, have an open Wi-Fi network, or have had their IP address reassigned. Privacy advocates are asking law enforcement to be more cautious when using IP addresses as leads. “Although IP addresses can sometimes be reliable indicators of locations or individuals when combined with other information, such as ISP records, use of the IP address alone, without more, can too often result in dangerous, frightening and resource-wasting police raids based on warrants issued without proper investigation,” the Electronic Frontier Foundation wrote in a paper. [Fusion] See also: [Data seized by Toronto police can be shared with Dutch authorities, judge rules]

Location

US – MassDOT Wants to Hold Drivers’ Speed Data for 30 Days

The Massachusetts Department of Transportation is planning to create a proposal asking to keep data on the speed of drivers traveling under the Massachusetts Turnpike’s new all-electronic toll gantries for 30 days. MassDOT has said in the past it needs the speed data to synchronize the tolling system’s cameras, and for research purposes, but is declining to say why it needs the data for 30 days. Privacy advocates are concerned the data will be used to punish speeding drivers, and could also be turned over for law enforcement investigations. MassDOT should say “why it is collecting personally identifiable speed data in the first place, and how it arrived at a 30-day retention period for those records,” said American Civil Liberties Union of Massachusetts’ Kade Crockford. “It’s not clear what business purpose the collection and retention of these data serves.” [The Boston Globe]

Offshore

HK – Privacy Commissioner Releases Information Leaflet On Hong Kong BYOD Practices

The Hong Kong Privacy Commissioner has published an Information Leaflet with bring-your-own-device guidelines. “The Information Leaflet suggests organizations adopt a risk-based approach to BYOD security, implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment and the harm and likelihood of loss or unauthorized disclosure,” the report states. “The commissioner has suggested as best practice that organizations should, at the outset of any BYOD implementation, conduct risk assessments and implement internal BYOD policies accordingly to ensure appropriate data privacy and data security compliance.” [JD Supra Business Advisor]

Online Privacy

WW – Tool Helps Users Understand the Data Facebook Has on Them

ProPublica has announced the first tool in a series to let users see inside the “black box” that is the algorithms used to define their digital lives. The first experience revolves around Facebook and what it knows about users. The Chrome browser-based tool “lets you see what Facebook says it knows about you,” the report states. ProPublica encourages users to then rate the information it generates for accuracy and return it to them. “We will, of course, protect your privacy,” it adds, promising not to collect “identifying details” or share data with others. While the report specified that the data its tool gleans is “the same information that Facebook itself offers users,” it added that researchers were unsure whether it represented all that the social media site knew about a user. [ProPublica]

WW – Cisco Using Data Science to Stop Password Sharing

Cisco has announced that it is working toward a method to thwart video service password sharing — a practice that cost the media industry $500 million in 2015. The concept uses data science to determine “where authorized users would normally be (geographically), the times of day they use the service (typically) and other behavioral characteristics that can identify them.” Cisco demonstrated this work in progress at IBC 2016 and is in testing for creating a deployable product. The company also aims to use similar methods to identify legitimate subscribers to pay TV that redistribute broadcast signals. The next question is what to do once they can identify individuals sidestepping the systems. [Videonet]

WW – Messaging Apps’ Privacy Features Compared

The Wall Street Journal takes a look at the different privacy settings for several messaging apps. The report examines the default settings of WhatsApp, iMessage, Signal, Facebook Messenger, and Google’s Allo app. The comparisons include whether the apps use end-to-end encryption, and other important privacy features. “End-to-end encryption can prevent you from being snooped on, and prevent your personal and private information from being stolen as well,” said American Civil Liberties Union’s Christopher Soghoian. “The reason why some companies like Google and Facebook don’t use this by default is they’re willing to sacrifice your privacy to build features like chatbots and response predictions that aren’t that useful.” [WSJ]

Other Jurisdictions

WW – More U.S. Cloud Services Open, Invest In Europe

Amazon Web Services has announced it would open data centers in the U.K. and France, the latest tech giant to announce a new round of European-based cloud service investments. A major impetus for the moves is increasing European user trust amid stricter regulation. “Countries like Germany are well aware of data privacy, and it has made them more wary of where data is kept,” said Gartner’s Gregor Petri. “Local data sovereignty has become important, and American companies are now aware of that.” [The New York Times]

IS – Marketing Leader Predicts 50% of Big Data Startups Are in Israel

Many of the startups that collect significant amounts of user data are Israeli, GO Digital Marketing owner and founder Adir Regev said. “I think that about 50 percent of the startups are coming from Israel,” he said. “We’re very good at analytical advertising, and we’re very good at surveillance. You put those together and we become very good at predicting which products you will buy.” He added that many consumers are unaware of the true extent of companies’ data collection, and that “privacy has all but lost … People don’t realize that most of their lives are digitalized in places that we don’t think of,” Regev said. “Even when we’re not posting on Facebook, companies are tracking what we’re doing, not just online but offline.” [The Jerusalem Post]

Privacy (US)

US – Bill Would See Firings For Poor Security In Government

A bill introduced in the House this week would mean government agency heads could be fired, demoted or punished for breaches resulting from their failure to “comply sufficiently with the information security requirements, recommendations or standards.” The Cybersecurity Responsibility and Accountability Act of 2016 would also allow the director of the Office of Management and Budget to recommend their removal; tasks the National Institute of Standards and Technology director with identifying major security concerns and supporting agencies in security training; and requires NIST, OMB and the Department of Homeland Security to create a job description for a chief information security officer within six months of its enactment. [NextGov]

US – Pew Research on the State of Privacy in the US

A series of studies released by the Pew Research Center detail the opinions U.S. citizens have on privacy following the Snowden leaks. One study found 49% of citizens feel anti-terrorism surveillance programs do not go far enough to protect the U.S., while only 33% say the programs unfairly restrict civil liberties. Another survey found 86% of internet users have taken steps to mask their digital footprints. And yet another study found 74% of citizens say it’s “very important to them to be in control of who can obtain information about them.” Pew Research’s Lee Rainie wrote, “Americans’ awareness and concerns over issues of privacy also extend beyond the kinds of surveillance programs revealed by Snowden and include how their information is treated by companies with which they do business.” [Pew Research]

US – Montana Department of Justice Listing Data Breaches on Its Website

Following legislation passed in 2015 requiring companies in Montana to report data breaches, the state’s Department of Justice will now post the breaches on its website. “You can arrange the data in different ways,” said the department’s John Barnes. “You can export it into an Excel sheet, a PDF, or however you want to do it. It has information such as the business name, the notification documents that were sent to us are linked there, the date of the start and end of the breach, the data that it was reported to us, and the estimated number of Montanans impacted by each specific breach.” [KGVO.com]

US – CDT, BakerHostetler Compile Student Privacy Laws for All 50 States

To help navigate the “maze” of student privacy laws in the U.S., the Center for Democracy & Technology teamed up with BakerHostetler to create a survey for all 50 states, plus the District of Columbia. The resource includes a full rundown of each state’s privacy laws, including the definition of those laws, whether there are any use limitations, data minimizations, and individual participation, among other categories. “As the compendium makes clear, many state laws are far less protective and use very different approaches, including variations in when personally identifiable information may be collected and stored, or in determining when school administrators and third parties have access to student data and what they are allowed to do with it,” the CDT’s Michelle De Mooy wrote. [CDT]

US – FPCO Offers New Guidance for FERPA Application

The U.S. Department of Education’s Family Policy Compliance Office has issued new guidance on “the application of the Family Education Rights and Privacy Act to the disclosure of student medical records by institutions of higher education.” The FPCO guidance covers what should happen when medical records are disclosed for litigation as well as for health and safety emergencies. The agency also detailed action items and best practices related to FERPA interpretation. “As data privacy, and particularly health care privacy, continues to be a priority of students, parents, government regulators and other stakeholders, institutions of higher education should expect further guidance and scrutiny from FPCO and others with respect to how institutions use, disclose and safeguard student health information,” the guidance stated. [JD Supra]

Privacy Enhancing Technologies (PETs)

US – FPF Receives Grant to Create Privacy Research Network

The Future of Privacy Forum announced it has received a $300,000, two-year grant from the National Science Foundation to create a Privacy Research and Data Responsibility Research Coordination Network. The goal of the network is to produce academic researchers and industry practitioners to back research priorities for the National Privacy Research Strategy. The grant will allow FPF to discuss the RCN with numerous privacy professionals, including chief privacy officers and civil rights advocates. “The overarching goal of the National Privacy Research Strategy is to produce knowledge and technology that will enable individuals, commercial entities, and the government to benefit from transformative technological advancements, enhance opportunities for innovation, and provide meaningful protections for personal information and individual privacy,” said FPF’s CEO Jules Polonetsky. [FPF]

Security

US – Law Firm Releases Cybersecurity Guidebook

Mayer Brown has announced the publication of its new guidebook, “Cybersecurity Regulation in the United States: Governing Frameworks and Emerging Trends.” The 80-page book authored by members of the Mayer Brown Cybersecurity and Data Privacy practice “offers insights on the regulatory frameworks applicable across key sectors of the US economy as well as emerging regulatory trends across sectors.” The handbook aims to “guide, assist, and help” companies across different industries, “from banks to the Internet of Things.” “Mayer Brown’s interdisciplinary team of cybersecurity and data privacy lawyers work closely with clients across a wide range of industries to achieve these goals, and launched this handbook to help companies navigate the ever-changing landscape of cybersecurity regulation.”  [MayerBrown] [Press Release]

Smart Cars

US – Fears of Hacks, Privacy Issues Surround Autonomous Cars

Privacy and cybersecurity jitters are consumers’ biggest fears around self-driving cars. “The No. 1 reason why people say they are unlikely to buy an autonomous vehicle is that they don’t feel that they’re safe,” said Altman Vilandrie and Company’s Moe Kelley. “The worst case scenario is that a hacker will be able to drive someone off the road. People also fear for their privacy with automated vehicles. Even minor hacks that allow someone’s movements to be tracked over the internet are scary to many consumers as well.” Regulators and car companies “must respond to these concerns” in order to assuage buyers’ fears. [The Christian Science Monitor] See also: The National Highway Traffic Safety Administration (NHTSA) released new guidelines for the vehicles in September | The Government Accountability Office (GAO) said in a March 2016 report that while NHTSA is “examining the need for government standards or regulations regarding vehicle cybersecurity,” officials “estimated that the agency will not make a final determination on this need until at least 2018.”

US – DOT Outlines Connected Car Privacy Parameters

Automobile safety is not just about crash safety anymore, unless that includes computer crashes. The Department of Transportation has released guidelines for broadband-connected cars (highly automated vehicles, or HAVs) and the first sub-topics under “Safety Assessment” are “data recording and sharing” and related “privacy.” DOT cited the White House Consumer Privacy Bill of Rights and the FTC’s privacy guidance in saying that it strongly believes in protecting privacy rights. DOT laid out the following guidelines on privacy, targeted at auto manufacturers: A. Transparency; B. Choice; C. Respect for Context; D. Minimization; E. Data Security; F. Integrity and Access; and G. Accountability. DOT plans to solicit comment on the guidelines and hold workshops and says regulation could follow if necessary to govern the rollout of connected cars. [broadcastingcable.com]

Surveillance

US – Senators Send Letter to FCC Over Stingray Use

Last Thursday, 12 U.S. senators sent Federal Communications Commission Chairman Thomas Wheeler an open letter expressing concern about the use of Stingrays — a technology used by law enforcement to intercept mobile phone communications — along with a set of 10 detailed questions about the FCC’s role in overseeing the use of such technology. In addition to concerns about whether it violates the Communications Act, the senators also expressed concern about the alleged disproportionate use of Stingrays in minority neighborhoods. Jedidiah Bracy reports on the letter for The Privacy Advisor and includes comments from Georgetown University’s Alvaro Bedoya and Justice First’s Eugene Puryear. [IAPP.org] See also: [Privacy Advisory Commission of Oakland nearer to Stingray vote] and [‘Shady, secretive system’: Public Safety green-lit RCMP, CSIS spying devices, documents reveal]

WW – Study: Latin America’s Surveillance Laws Do Not Hinder Widespread Governmental Snooping

An Electronic Frontier Foundation study has found that the laws in many Latin American nations have fallen out of step with current governmental surveillance practices. The research examines the surveillance laws and practices in 12 countries in Central and South America. “Many intelligence agencies in the region were formed under these military dictatorships, and even after transitioning to democratic rule, most Latin American countries maintained strong executive branch powers ‘without well-placed controls or public oversight mechanisms. … Without public oversight — not just judicial oversight — the laws on the books just won’t work.” [The Intercept] See also: The Massachusetts Supreme Judicial Court ruled that police must have “particularized evidence” a cellphone was connected to a crime in order to use data from the phone in court.

US – Amazon’s License Plate Reading Tech Comes with Privacy Concerns

Amazon’s grocery-delivery service plan faces potential privacy issues. The tech company wants to build convenience stores where users can buy groceries, with some stores offering the option to buy them online. Amazon wants to incorporate license plate reading technology to speed up wait times, and while it would be beneficial to users, it also opens up privacy concerns. Amazon could use the data, combined with information from other companies, to determine where a user’s car has gone, and thus determine the user’s habits and preferences. If Amazon were to access a commercially available database where information is held on where a license plate has been seen, the company could figure out where a user lives, works and shops. [The Atlantic]

WW – Signal Messaging App Reveals Information It Turned Over For First Subpoena

The developer of encrypted messaging app Signal revealed the amount of information it was able to provide after it received its first subpoena earlier this year. A Virginia assistant attorney requested Open Whisper Systems produce email addresses, history logs, browser cookie data, and other information in connection with two phone numbers as a part of a grand jury probe. Due to its encryption technology, Open Whisper Systems was only able to give the user registration dates and the date one of the numbers last used the app. “We’ve designed Signal so it minimizes the amount of data we retain on users, and we don’t really have anything to respond with in situations like this,” Open Whisper Systems’ Moxie Marlinspike said. On its website, Open Whisper Systems included a redacted copy of the subpoena and said it plans to continue to publish transcripts of its responses to future government requests. [Reuters]

Telecom / TV

US – FCC Releases Broadband Consumer Privacy Proposal

In a highly anticipated announcement and Fact Sheet, U.S. Federal Communications Commission Chairman Tom Wheeler has issued a new broadband consumer privacy proposal. In it, he proposes internet service providers get opt-in consent for “sensitive data,” and opt-out consent for non-sensitive data. Categories of data considered sensitive would be geo-location, children’s information, health and financial information, Social Security numbers, web browsing, app usage history, and the content of communications. The proposed rules would also require ISPs “to take reasonable measures to protect consumer data from breaches and other vulnerabilities,” he wrote. FTC Chairwoman Edith Ramirez said she was “pleased to see the FCC moving forward to protect the privacy of millions of broadband users across the country.” Industry, however, is not happy with the proposal. [FCC]

CA – Gov’t Re-Opens Privacy Debate on Access to Telecom Subscriber Info

The Canadian government has revived a discussion on a particularly controversial privacy topic: how much access law enforcement should have to telecom subscriber information in the name of public safety. In September 2016 the government opened a public consultation on national security, releasing a ‘green paper’ and background document that details issues, challenges and general questions surrounding national security threats like domestic terrorism. Many topics are covered in the documents, but there’s one in particular that may sound familiar to Canadians: the issue of warrantless access to subscriber information from telecom companies. The public consultation — started by Public Safety Minister Ralph Goodale — has put the issue back up for debate. “The Public Safety consultation skips over the years of lawful access debate by putting everything back on the table,” writes Geist, “acknowledging that the law was updated less than 24 months ago but suggesting that more change may be needed.” The issue has also been brought to the forefront by the Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic in a report titled “Canada’s National Security Consultation I: Digital Anonymity & Subscriber Identification Revisited… Yet Again.” The report, written by Tamir Israel and Christopher Parsons, notes that attempts to legislate access to subscriber identification data — which can include IP addresses, home addresses and mobile IMEI numbers — have always proven controversial and “fallen in the face of public resistance.” As for the Minister’s thoughts on the matter, a spokesperson stated to that the green paper was meant to “provoke discussion.” The public consultation remains open until December 1st, 2016 and can be accessed here if you’d like to add your voice to the conversation. [Mobile Syrup]

US Government Programs

US – Company Used by Twitter, Facebook, Instagram Gave Data on Protestors to Police: ACLU

The American Civil Liberties Union has discovered that a data analyzer was collecting feeds from social media sites Twitter, Facebook and Instagram and supplying that information to law enforcement agencies, which then used it to surveil people who had participated in protests in Baltimore, Maryland, and Ferguson, Missouri. “The companies provided the data — often including the locations, photos and other information posted publicly by users — to Geofeedia, a Chicago-based company that says it analyzes social media posts to deliver real-time surveillance information to help 500 law enforcement agencies track and respond to crime.” The companies have since restricted Geofeedia’s access to their information after the ACLU notified them of its discovery. [The Washington Post]

US – White House Releases Strategic Plan for AI Research & Development

Teaming up with the National Science and Technology Council and the Networking and Information Technology Research and Development Subcommittee, the White House has released a strategic plan for the research and development of artificial intelligence. “This ‘National Artificial Intelligence R&D Strategic Plan’ establishes a set of objectives for federally funded AI research, both research occurring within the government as well as federally-funded research occurring outside of government, such as in academia,” the report said. “The ultimate goal of this research is to produce new AI knowledge and technologies that provide a range of positive benefits to society, while minimizing the negative impacts.” The report details seven strategies for the federally funded AI research, including making long-term investments in the research, and ensuring the safety and security of AI systems. [White House]

US Legislation

US – States Passing Laws to Determine Who Gets Deceased User Data

Illinois and 18 other states have passed laws this year in order to clarify what happens to a user’s internet data when they die. The new laws state tech companies will release basic user information, such as an email contact list, to help gather assets, or find friends. A user would have to specify who will receive the actual contents of their digital footprint, including contents of emails, and photos and documents stored on the cloud. Tech companies such as Facebook and Google allow users to choose who can access their data if they were to pass away. [The Associated Press]

Workplace Privacy

CA – Video Monitoring of Quebec Employees Must be Based on Serious Concrete Grounds

A look at the use of video surveillance in Quebec to ensure security of employees and company property. Employers must be able to establish serious grounds for surveillance (e.g. repeated occurrences of theft, fraud, or vandalism), other investigative means must be proven insufficient to address the problem, employees must have full knowledge of the surveillance, and the intrusion to employees’ privacy rights must be minimal (prohibitions of constant surveillance, and individual tracking, limited access to images and minimal retention periods). [Demystifying Video-Camera Surveillance – Georges Samoisette Fournier and Charles Wagner – Langlois Lawyers LLP]

+++

07-14 September 2016

Biometrics

US – Homeland Security Eyes Expanding Biometric Collections at US Borders

Homeland Security officials are working on a plan to vastly expand the collection of biometric information at US borders in an effort to more closely track foreign visitors. The program aims to put in place more biometric scanners, which may include iris, face, and fingerprints, at border crossings beginning in 2018 in an effort to ensure visitors do not leave the US under another person’s passport. DHS has collected biometrics in an entry and exit program since 2004. [The Christian Science Monitor] See also: [Allan Richarz: What, if any, rights to privacy do you have when crossing the border?]

US – Disney World Starts Scanning Kids’ Fingers

Walt Disney World has begun requiring children from 3 to 9 years old to have their fingers scanned when they enter the theme parks, just like older kids and adults. Disney said the new process will help block the use of stolen and shared tickets. Previously, kids’ tickets would have been easy to transfer because they had no finger images attached to them. Parents who feel uncomfortable with having their kids’ fingers scanned can use their own instead. Disney introduced scanners more than a decade ago that used “finger geometry” — pictures of several points on people’s fingers. [Orlando Sentinel]

WW – Wi-Fi Routers Can Identify, Spy on You

Wi-Fi signals can be used to monitor humans—and in surprisingly detailed ways. As people move through a space with a Wi-Fi signal, their bodies affect it, absorbing some waves and reflecting others in various directions. By analyzing the exact ways that a Wi-Fi signal is altered when a human moves through it, researchers can “see” what someone writes with their finger in the air, identify a particular person by the way that they walk, and even read a person’s lips with startling accuracy—in some cases even if a router isn’t in the same room as the person performing the actions. Several recent experiments have focused on using Wi-Fi signals to identify people, either based on their body shape or the specific way they tend to move. Earlier this month, a group of computer-science researchers at Northwestern Polytechnical University in China posted a paper to an online archive of scientific research, detailing a system that can accurately identify humans as they walk through a door nine times out of ten. [The Atlantic]

Canada

CA – Government to Launch Bill C-51 Review

The Liberal government will launch the public phase of its long-awaited national security review with the release of a discussion paper. The government has promised to repeal what it calls the problematic elements of omnibus security legislation, known as Bill C-51, ushered in by the previous Conservative government. The Liberals also plan to introduce new measures they say will do a better job of balancing collective security with rights and freedoms. Among other things, the government has pledged to ensure all Canadian Security Intelligence Service (CSIS) warrants respect the Charter of Rights and Freedoms. This could roll back new provisions allowing CSIS to disrupt terror plots through tactics that breach the charter as long as a judge approves. Public Safety Minister Ralph Goodale has said the government is open to an expansive revamp of national security legislation and policy, not just the handful of promised changes. Goodale and Justice Minister Jody Wilson-Raybould are slated to discuss the consultation at a news conference in Edmonton. They will release a discussion paper as well as a lengthy background document outlining national security issues. [Global News] The consultation can be found here and runs until Dec. 1. [Bill C-51: Liberals says changes to anti-terrorism law coming soon | Federal agencies already using new Bill C-51 information-sharing powers | Making the spies accountable: real change or illusion? | Privacy Advocates Fear Bill C-51 Consultations Will Be Skewed | Trudeau should stop delaying on fixes to anti-terror laws | A Liberal sense of mystery surrounds the future of Bill C-51 | Liberals identify 10 key national security issues for public consultations | B.C. Civil Liberties Association reacts to national security consultation announcement | 8 things you need to know about Bill C-51 | Lawyers at the BC Civil Liberties Association have gone over the bill paragraph by paragraph, and outlined the parts of this massive document that concern them most. For a more comprehensive explanation of concerns, read their Submission to the Standing Committee on Public Safety and National Security | Concerns over Bill C-51 prompt CSIS to brief other agencies on operations | National security review tries to tackle needs of law enforcement in digital world | Anti-terror revamp to stretch into next year as Liberals launch consultation]

CA – CSIS Briefs Government Agencies on Bill C-51 Concerns

The Canadian Security Intelligence Service has moved to tamp down concerns with the controversial surveillance law, Bill C-51. The omnibus bill designed to overhaul CSIS has “sent ripples throughout the federal-security bureaucracy.” To help the relevant agencies that are concerned with the changes, CSIS has intimated it will give them a heads up about what it is doing. For example, “when CSIS is considering the use of threat-reduction measures, CSIS will initiate strategic case-management discussions with the RCMP on the target of the measure… The RCMP may indicate that it needs time to review the information discussed to assess any potential conflict,” and if the two agencies see a conflict, “the matter will be referred for a more senior level discussion.” [The Globe and Mail]

CA – Ontario Court Awards Damages for Family Member’s Disclosure of Mental Health Information

The Ontario Small Claims Court, in Halley v McCann, 2016 CanLII 58945 (ON SCSM), recently awarded a plaintiff $9,000 in damages for breach of privacy. The case arose because the defendant disclosed the fact that the plaintiff had admitted herself to a mental health facility. The defendant is also the half-sister of the plaintiff. It was alleged that the defendant had told three people outside the facility about the plaintiff’s stay there. No other information was disclosed. The Court then awarded an additional $1500 in punitive damages. [Canadian Privacy Law Blog]

CA – ‘Unprecedented’ Number of Online Privacy Breaches Reported in Alberta

Alberta’s privacy commissioner is seeing an “unprecedented” number of breach reports under the province’s Personal Information Protection Act, including e-commerce hacks, ransomware and phishing scams. A 15-member committee is in the midst of reviewing the act, which was last updated in 2010, and this week heard suggestions from 10 presenters. Provincial privacy commissioner Jill Clayton said that while she doesn’t think the act is a broken piece of legislation, she would like to see it tightened in a few areas, including extending it to cover non-profits and requiring organizations to have privacy management programs in place. She said government agencies and law enforcement are increasingly relying on personal information collected by the private sector but, as the law stands, there’s no way for people to know the number, scale, frequency of or reasons for disclosures without consent. [Edmonton Journal] [The Edmonton Sun: Alberta Sees Increase in Data Breaches, Seeks to Improve PIPA]

CA – Ontario Court Orders Video-Sharing Website to Disclose Subscriber Information to School Board

An Ontario Court has issued a decision in a request submitted by a school board compelling YouTube/Google to disclose user information. The video-sharing service must, within 20 days, disclose the subscriber registration and IP information of a particular account holder who may have unlawfully posted a video of a vulnerable student without consent of the student, his parents, or the Board; the Board has requested the video in order to pursue disciplinary and copyright proceedings (the poster is suspected to be an employee). [Ottawa-Carleton District School Board v. YouTube, Inc., YouTube, LLC and Google, Inc. – Order – Ontario Superior Court of Justice | Ottawa Citizen]

Consumer

WW – Study: Government Surveillance Leads to Bad Passwords?

Professor Stanislav Mamonov explains what he sees as the connection between weak passwords, government surveillance, a societal feeling of helplessness, and his research. A survey of 400 participants, published in 2016, asked them to answer questions about their perspectives toward online privacy and to secure their information with a password after reading four news stories about the topic. Mamonov found that those exposed to stories about government surveillance picked worse passwords than those who didn’t. The results were “very unexpected” for his team, leading to an as-of-yet unpublished secondary project to explain their findings. “And the only emotion out of the more than 20 that we assessed that was affected by exposure to government surveillance was the feeling of helplessness.” [The Atlantic]

E-Government

US – House Oversight Committee Report on OPM Breach

According to a report from the US House Oversight and Government Reform Committee, the breach of systems at the Office of Personnel Management (OPM) was due (in large part) to “the longstanding failure of OPM leadership to implement basic hygiene.” The report notes that there were two breaches at OPM. The first, which began in November 2013 and was shut down in May 2014, targeted manuals and technical information about the types of data stored in OPM systems. The second breach targeted personally identifiable information, including background investigation data and personnel records. [www.darkreading | arstechnica | www.theregister | https://oversight.house.gov]

UK – Study Calls Out UK Government for Poor Security Leadership, Practices

A National Audit Office (NAO) study has criticized the U.K. government’s online security practices. Among the 73 teams comprising 1,600 employees with data security duties was a sense of confusion about who to go to for “guidance.” The NAO study also found a “dysfunctional” process of reporting breaches and encryption practices that left many “unsecured endpoints.” A government representative acknowledged that the government was aware of the problems found by the NAO study. “So we are already well under way in strengthening oversight of information security by bringing together nine separate central teams into just two,” the representative said. “We have also appointed the government’s first ever chief security officer.” [BBC]

Encryption

WW – Google Chrome to Warn Users of Unencrypted Websites

Google will start warning users about sites using HTTP rather than HTTPS early next year. When the stable version of Chrome 56 is released at the end of January 2017, the browser will warn users when sites send passwords or payment card data over non-secure, HTTP connections. The warnings are “part of a long-term plan to mark all HTTP sites as non-secure,” according to Google’s blog post. [Computerworld | CNet | The Register | Motherboard | https://security.googleblog.com]

WW – Chrome OS Verified Access API

Google has introduced the Verified Access API, which organizations can use to cryptographically validate Chrome OS devices and make sure that the devices are compliant with security policies before accessing the network. The API uses digital certificates stored in the Trusted Platform Module (TPM). [ComputerWorld | IT News]

EU Developments

EU – Children and Minors: EU DPAs Outline Key Privacy Issues

The ARCADES project, involving Data Protection Authorities producing educational materials on data protection and privacy, has provided guidance on protecting children’s privacy issues at schools. Students should be taught about why privacy is important, types of data considered sensitive, obligations of organisations, how to refuse or consent to personal data collection, and how to modify online privacy settings; it is important that students do not publicly share their address, phone number, or email account, have a clear understanding that content posted or shared will be available to everyone, and know what information can be found if their name or alias is searched. [Introducing Data Protection and Privacy Issues at Schools in the EU]

UK – Ruling Shows ICO Will Use Tiered Approach to Breach Notification

A new ruling by the information rights tribunal suggests that businesses in the UK should be prepared to make multiple notifications to the Information Commissioner’s Office (ICO) in the event of a data breach under new EU data protection laws. In the TalkTalk case, the information rights tribunal upheld a decision by the UK’s Information Commissioner’s Office (ICO) in which the watchdog fined TalkTalk £1,000 for failing to notify it of a personal data breach within 24 hours after the detection of that breach. [Out-Law News]

Finance

PCI Council Releases New Card Reader Standards

The Payment Card Industry (PCI) Security Standards Council has released a new standard aimed at reducing fraud originating at point-of-sale terminals. To comply with the PCI PIN Transaction Security Point-of-Interaction Modular Security Requirements version 5.0, point-of-sale card readers must support and cryptographically authenticate firmware updates; must be tamper-proof; and must not leak keys through side-channel monitoring. The new standard will take effect in September 2017. [Sources: Dark Reading | The Register | PCI Security Standards]

US – CFPB Levies $100 Million Penalty Against Bank for Unlawful Sales Practices

The Consumer Financial Protection Bureau (CFPB) has entered into a consent order with Wells Fargo to settle allegations of deceptive sales practices in violation of sections 1031 and 1036(a)(1)(B) of the Consumer Financial Protection Act of 2010. The bank opened deposit accounts and made transfers to those accounts, submitted applications for credit cards, enrolled consumers in online banking services and activated debit cards, all without customers’ knowledge or consent; the bank’s Board is responsible for all compliance with the consent order. The bank must hire an independent consultant to conduct a comprehensive review of its sales practices and implement a compliance plan, and allot $5 million for consumer redress. [Consumer Financial Protection Bureau – Consent Order – Wells Fargo Bank, N.A. | Press Release]

FOI

CA – OIPC BC Orders Government Agency to Disclose 911 Caller Details

This OIPC order addresses BC Emergency Health Services’ partial withholding of records requested under the Freedom of Information and Protection of Privacy Act. The applicant met the test for disclosure of the caller’s first name and telephone number for a fair determination of her rights; the identity of the caller relates to the applicant’s legal right to sue for damages due to an accident, the applicant has indicated she is contemplating a legal proceeding, and the caller’s withheld identity is necessary to prepare for such a proceeding, regardless of whether the applicant may be able to learn the 911 caller’s identity as part of a court process. [OIPC BC – Order F16-36 – BC Emergency Health Services]

CA – OIPC BC Orders Government Ministry to Disclose Generic Data on Employees’ Grievances

This OIPC order addresses the Ministry of Finance’s partial refusal to disclose records requested under B.C.’s Freedom of Information and Protection of Privacy Act. The ministry correctly applied an invasion of third party privacy exemption to most of the data contained within a table, but is able to redact employee numbers, dates and department names and disclose column headings and other generic information. [OIPC BC – Order F16-33 – Ministry of Finance]

CA – OIPC PEI Finds Questions of Accuracy in Information Contained in Responsive Records is Not a Valid Reason to Withhold Access

The OIPC PEI reviewed Health PEI’s response to a request for records, pursuant to the Freedom of Information and Protection of Privacy Act. The public body informed an individual that it did not hold statistics on ambulance response times for all calls in a specific area; however, the public body had custody and control of paper patient care reports that would have satisfied the request, and its assertion that the reports contained inaccurate information is not a sufficient reason to withhold the records. [OIPC PEI – Order No. FI-16-005 – Health PEI]

Genetics

CA – Winnipeg Drivers Asked to Voluntarily Submit DNA Sample for Drug Testing at Checkstop

In the early morning hours of Sept. 8, drivers were being checked at a roadside stop and asked the standard “have you been drinking” question by Winnipeg police officers. After drivers were cleared by police, they were asked if they would voluntarily complete a survey. On the side of the road there were approximately five areas set up with tablets and an area set up by Manitoba Public Insurance (MPI). “We are asking for your help in a voluntary driver safety survey that deals with alcohol, drugs and driving,” read a part of the survey. “(You will be asked) to provide a breath sample to measure the amount of alcohol in your system… If the test shows that you are over the legal limit, you will be asked to let a non-impaired passenger drive, or we will provide you with a free taxi ride to your destination.” MPI said it is using the samples to test for drug usage and is trying to determine a baseline before marijuana use is legalized in Canada. … According to the crown corporation, similar surveys were conducted in Ontario in 2014 and British Columbia in 2010 and 2012, although no data was available for any of those. … MPI said all information is voluntary and remains anonymous. “No names are taken. The information is not shared with anybody else.” Privacy lawyers said it does raise concerns for drivers. Police did not explain their officer’s involvement in the roadside checkstop and survey, as it was an armed, uniformed officer who was the first point of contact with drivers. Police refused repeated requests for an interview. [Global News] See also: [DNA Dragnet: In Some Cities, Police Go From Stop-and-Frisk to Stop-and-Spit]

US – Law Enforcement DNA Collection Sparks Concerns

Police departments in smaller cities are collecting DNA samples from citizens, even if they are not charged or suspected of committing a crime, according to a new report. The cities have begun to assemble their own DNA databases, created with the help of privacy labs in order to help law enforcement investigate minor crimes. Privacy advocates are concerned police departments will abuse the power to collect DNA samples, but as consensual DNA collection is a relatively new way to collect data, the rules remain unclear. “There’s no laws, there’s nothing,” said Bensalem Police Department’s Frederick Harran. “We’re in uncharted territory,” he said. “There’s nothing governing what we’re doing.” [ProPublica]

CA – Genetic Information Privacy Bill May Fail Over Lack of Liberal Support

Bill S-201, which seeks to entrench privacy rights around Canadians’ genetic information, will go to second reading just days after the House reconvenes — but its sponsor in the House of Commons, Liberal MP Rob Oliphant, isn’t sure his government will let it proceed. He was told instead the Justice Department has some reservations over the constitutionality of the bill, he said, but wasn’t told what those reservations were. A promised briefing by government officials has not yet happened, he said. Put forward by independent Liberal caucus leader Sen. James Cowan in 2013, S-201 would keep Canadians’ genetic test results private and make it illegal for insurers or employers to demand them, removing the fear of financial penalties that currently give many pause when considering the potentially life-saving testing. It would also add “genetic characteristics” to the Canadian Human Rights Act as a type of discrimination. Critics for the Conservative, New Democratic and Green parties have all confirmed they and their parties will support the bill at second reading on Sept. 20, leaving the government seemingly alone in its uncertainty. Private member’s bills that have issues, even constitutional problems, are usually permitted to go to committee for further study to help correct those problems. Previous attempts to create privacy protections around genetic testing drew criticism from the insurance industry, which is not specifically mentioned in S-201. Nonetheless, those advocating against the bill’s passage have warned that privacy regulations could lead to higher health insurance premiums. The Canadian privacy commissioner’s office said that, as in other countries where similar legislation has been passed, “The impact of a ban on the use of genetic test results by the life and health insurance industry would not have a significant impact on insurers or the efficient operation of insurance markets.” [National Post]

Health / Medical

CA – Health Leader, Nunavut Privacy Commissioner Take Different Sides On Privacy Audit

A top Nunavut health bureaucrat, Chris D’Arcy, has disputed “nearly everything” Privacy Commissioner Elaine Keenan Bengts said before a committee of members of the legislative assembly on the territory’s health department and a recent privacy audit experience. Specifically, D’Arcy maintained that contrary to Keenan Bengts’ report, “the creation of health-specific legislation is a priority for the department of health and the GN [Government of Nunavut] as a whole.” He also argued, contrary to what Keenan Bengts said during her time with that committee, that “the GN values the role of the Information and Privacy Commissioner as an ombudsman and firmly believes that a positive and collaborative relationship between public bodies and the commissioner’s office provides the most benefit to the GN and all Nunavummiut.” [Nunatsiaq Online]

Horror Stories

CA – Ontario Court Approves Settlement in Home Depot Breach Lawsuit

An Ontario court has approved a settlement in a class-action lawsuit against Home Depot of Canada, Inc. and its corporate parent. Between April and September 2014, Home Depot’s payment card system was hacked, but no evidence of fraudulent credit card charges was found. The settlement was valued at $400,000 for the settlement class members. Home Depot also agreed to create a non-reversionary fund of $250,000 “for the documented claims of Canadians whose payment card information and/or email address was compromised as a result of the data breach during the data breach period.” [Canadian Underwriter]

WW – Olympic Athlete Doping Test Results Leaked

Medical information about Olympic athletes has been leaked, according to the World Anti-Doping Agency. While the leaked information shows that some athletes tested positive for banned substances, all had received therapeutic medical use exemptions, and were not breaking any rules. [Source: ArsTechnica | BBC | Computerworld | Wired]

Identity Issues

US – Privacy Groups ask FCC to Reconsider Anonymized Data Carve Out

A group of more than 30 privacy organizations has written a letter to Federal Communications Commission Chairman Tom Wheeler asking him to reconsider creating a carve out for anonymized data in his broadband privacy proposal. In the letter, the privacy groups say ISPs have failed to demonstrate customer benefits from the carve out, while also stating customers should remain in possession of their own data. The groups believe it would be “an attractive way for [ISPs] to circumvent the vital consumer protections that will be put in place by this rule.” [Broadcasting & Cable]

Intellectual Property

CA – Thousands of University of Manitoba Students Hit with Illegal Download Notices

Downloading the latest episodes of Game of Thrones and other hit shows has landed thousands of University of Manitoba students in hot water. But the university – despite being forced to pass on violation notices to students illegally downloading content through its networks – is warning students not to fall prey to aggressive collection agencies’ pressure tactics. Joel Guenette, copyright strategy manager with the UoM, estimates that the university has forwarded roughly 6,000 notices to students since the law took effect in January of last year. The notices range from gentle reminders from companies like HBO that its content is available legally through a variety of streaming platforms to more aggressive letters threatening lawsuits and demanding users pay resolution fees to settle their cases. Guenette said it’s important for students to know that at no point does the university provide agencies with people’s personal information or identities. [Source]

Law Enforcement

CA – University Researchers Compile Stingray Study, Call for Change

Everything that is known or suspected about the government’s use of these machines – called “IMSI catchers,” “cell-site simulators” or “Stingrays” – is chronicled in a comprehensive, first-of-its-kind, 130-page study written by privacy experts. Researchers Christopher Parsons and Tamir Israel say it’s time for civil society to debate the pros and cons of IMSI catchers, even if many government agencies still won’t discuss them. “IMSI catchers pose a particularly insidious threat to real-world anonymity,” write Mr. Parsons and Mr. Israel. Their paper, which is titled “Gone Opaque,” points out that corporations that manufacture IMSI catchers often swear police to non-disclosure agreements. It also notes that Germany releases annual statistics on that government’s use of IMSI catchers, and that the U.S. Department of Justice has posted the rules that American authorities must abide by. In Canada, RCMP-led surveillance teams are understood to control IMSI-catcher technology and lend it out to smaller police forces shadowing specific suspects. But IMSI catchers also pull digital identifiers from the phones of everybody in proximity, raising many privacy questions. “This ongoing secrecy has the effect of delaying important public debates. Given the potential for IMSI catchers to massively track Canadians who have done nothing wrong other than be near the surveillance device, it is imperative to ensure [security] measures are in place.” The Telecom Transparency Project and the Canadian Internet Policy & Public Interest Clinic-commissioned report suggests routine notification procedures if a Stingray accidentally captures data. [The Globe & Mail] See also: [UK oversight body tipped to examine phone snooping tech in prisons] [Here Is the Contract for the UK’s First Confirmed IMSI Catcher] [Long-Secret Stingray Manuals Detail How Police Can Spy on Phones]

EU – Berlin DPA Investigation Reveals Excessive and Unlawful Use of Silent SMS by Law Enforcement

The Berlin Commissioner for Privacy and Freedom of Information investigated law enforcement use of “silent SMS” in criminal investigations. One third of case files examined did not have an apparent need for use of silent SMS (less intrusive approaches to determine individuals’ locations were not considered), judicial applications were frequently made for collection of traffic data, which were then used to send silent SMS (without justification or disclosure in the application), and reasons for use of silent SMS were not officially recorded. [DPA Berlin – Final Report on Use of Silent SMS in Criminal Investigations]

Location

US – Lawmakers Wrestle With Cellphone Tracking for Missing Persons

Lawmakers are eyeing a deal with privacy advocates on a bill that would give law enforcement officials more access to location data from mobile phones. The Kelsey Smith Act, named for a young Kansan who was kidnapped and murdered almost a decade ago, would require mobile phone providers to give location data to law enforcement agencies in some emergency situations. But privacy advocates on the left and the right are worried about the proposal, fearing it would invite abuse. They have worked to slow down a version of the bill in the Senate that lacks additional protections. Privacy groups are pushing to add a provision to the law that would mandate that the owner of a mobile phone whose location was tracked be notified of the decision. Wessler said police departments should also have to report “basic data” about their requests. Supporters of the bill counter that law enforcement would be given just enough data to find an individual in trouble. [Source]

Online Privacy

US – Student Privacy Pledge Reaches 300 Signatures, FPF Announces

The Future of Privacy Forum and the Software & Information Industry Association’s Student Privacy Pledge has garnered 300 signatures from ed tech companies. The 2014-launched initiative to better protect and secure student data has received the support of President Barack Obama and the National School Boards Association. “As students return to school for the fall and teachers develop their curricula to incorporate the benefits of data and technology, companies that take the Pledge are ensuring that they are accountable for how they safeguard student data,” said Future of Privacy Forum CEO Jules Polonetsky. [FPF Press Release]

US – OTA Requests Public Call for Comment for 2017 Trust Audit

The Online Trust Alliance has issued a call for public comment on criteria that should be included in its 2017 Online Trust Audit. The benchmarking research evaluated websites across industry sectors for responsible privacy and data security practices. The goal of the audit is to track industry best practices for privacy, provide tools and resources to help companies bolster their privacy practices, and recognize those organizations that do achieve a high level of protection. “In order to maintain consumer trust and confidence and spur the vitality of online services, it is imperative that organizations double-down on security and privacy measures,” said OTA Executive Director and President Craig Spiezle. Twitter and Healthcare.gov were among those that topped OTA’s 2016 audit. [OTA Alliance]

WW – App vs. Website: Which Best Protects Your Privacy?

Both apps and websites leak personal information, including names, gender, phone numbers, and e-mail. But don’t despair. Northeastern researchers, led by assistant professor David Choffnes, have developed an automated system to help you know which platform to use for your online interactions. In particular, the team investigated the degree to which each platform leaks personally identifiable information—ranging from birthdates and locations to passwords—to the advertisers and data analytics companies that the services rely on to help finance their operations. The answer? “It depends,” says Choffnes, a mobile systems expert in the College of Computer and Information Science. “We expected that apps would leak more identifiers because apps have more direct access to that information. And overall that’s true. But we found that typically apps leak just one more identifier than a website for the same service. In fact, we found that in 40% of cases websites leak more types of information than apps.” [Source]

US – Class Action Complaint Alleges App Intercepted Phone Communications Without Consent

LaTisha Satchell filed a class action complaint against Sonic Notify, Inc. et al. alleging unlawful interception of consumers’ oral communications in violation of the Electronic Communications Privacy Act. The mobile app delivered scores, news, and information to users about a basketball team, and integrated beacon technology to allow targeting of specific users to send tailored content, promotions or advertisements; the complaint alleges private communications were intercepted without informing users and without obtaining their consent. [Latisha Satchell v. Sonic Notify Inc. et al. – Class Action Complaint – US District Court Northern District of California, San Francisco Division]

AU – Study: Online Service Providers’ Agreements Problematic?

A UTS Communications Law Centre study funded by the Australian Communications Consumer Action Network has maintained that online service provider privacy agreements “have the potential to be interpreted as unfair, unconscionable or misleading under domestic consumer laws.” The study examined consent practices, data sharing, and the time consumers have to look over the long privacy terms. Of particular concern was what the study’s authors considered a generalization of terms that could lead consumers to “challenge [them] under Australian Consumer Law as misleading.” The CLC encouraged companies to conduct more research into understanding users’ attitudes regarding privacy. [CSO Online]

Other Jurisdictions

WW – IAF Reveals Details of Its ‘Effective Data Protection Governance’ Project

The Information Accountability Foundation (IAF) reported on its work creating what it believes is a more Effective Data Protection Governance method when responding to the complexity of information flows, while also meeting the goals of stakeholders. “We believe that, while the ‘tenants’ (sic) or ‘objectives’ of data protection remain the same, today’s complex information ecosystems suggest a need to evolve our approach to achieving these objectives,” writes Peter Cullen. “Data-driven innovation and the organizations that are dependent upon such activities must develop and demonstrate evolved information use governance systems to avoid many of the risks associated with such practices, including policy makers and/or regulatory action.” Cullen details the objective of the project, including enabling an enforcement model providing more capability for regulators and achieving implementable alignments of the EDPG model with existing laws. [IAF] The annual IAPP and EY-underwritten Privacy Governance Report has found that only 34% of privacy professionals expect their companies to certify under the EU-U.S. Privacy Shield.

Privacy (US)

US – 2016 Annual IAPP-EY Privacy Governance Report Released

What’s the mean privacy budget for a company with $1 billion in revenues? What’s the primary reason for a company with fewer than 5,000 employees to have a privacy program? What do manufacturing firms consider to be the toughest compliance task in the General Data Protection Regulation? The answers to these questions and many more are now available in the 2016 IAPP-EY Privacy Governance Report, 126 pages of detailed information from 600 companies around the world that have provided answers to budget, staffing, organizational, and prioritization questions. Further, as this is the second year of releasing the report, there is now directional, year-over-year data showing everything from how companies are progressing with their vendor management programs to the pace of privacy’s integration with the rest of the organization. Finally, we for the first time have data on cross-border data transfer and GDPR concerns and preparations. It is the most comprehensive benchmarking data for privacy available anywhere — and free to download. [IAPP.org]

US – Clinton, Trump’s Privacy, Security Attitudes Analyzed

The cybersecurity and privacy positions of both presidential hopefuls, Hillary Clinton and Donald Trump, are analyzed. They both “support expanded investment in cybersecurity technologies, as well as public-private collaboration on cybersecurity innovation.” “Trump has been far less sanguine about existing efforts to keep networks safe,” while acknowledging that compared to other nations, the U.S.’s technical abilities were “so obsolete.” Ultimately, “both major party candidates have called for the U.S. to do more to protect itself against digital attacks and to use digital tools to thwart extremist activity and digital communications,” the report adds. [Fast Company]

US – Disposal Rule Now Open to Public Comment, FTC Announces

The FTC has opened its Disposal Rule up to public comment. The rule “requires certain persons who have consumer report information for a business purpose to properly dispose of it by taking reasonable measures to protect it from unauthorized access,” and its review is part of the agency’s “systematic review of all current FTC rules and guides.” The FTC is specifically looking to see if the rule has any economic impacts, if it clashes with other laws, its influence on technological advancement, and whether the agency should expand the definition of “consumer information.” The public comment period extends through Nov. 21. [Press Release]

Yelp, 13 Other App Companies Face the Music After Losing Class Action

U.S. District Judge Jon Tigar has ruled that Yelp and 13 other apps are guilty of violating users’ privacy by uploading their personal information without consent. “The court accepted the fact that Yelp only accessed the email addresses of a user’s contacts to help them find friends on Yelp after receiving consent to do so, and did not save or misuse that information,” said Yelp spokeswoman Rachel Youngblade. “Nonetheless, the court appears to state that an online mobile app must inform a user any time data is transmitted from their phone to the online company to make the app work.” The results of the consolidated class action could set a precedent for other plaintiffs’ successes in similar cases. [Courthouse News]

US – FTC to Look into Facebook, WhatsApp New Data Access Plan

The FTC has announced in a letter to the Center for Digital Democracy and the Electronic Privacy Information Center that it will look into Facebook and WhatsApp’s “change of heart” regarding the messaging service’s privacy practices. Facebook will now access phone numbers and other information that WhatsApp had previously not made available, a switch from plans the social media company established when it purchased WhatsApp in 2014. “The crux of the FTC’s analysis will likely turn on the notice that now appears when a consumer opens the WhatsApp app.” The notice alerts consumers to Facebook’s new terms. “But, if a consumer clicks on a ‘learn more’ link, they will see a button where they can opt out of most of the data sharing.” [Fortune]

US – Snowden on Why He Should Receive a Presidential Pardon

Speaking via video from Moscow during an interview, Edward Snowden outlined the case for President Barack Obama to grant him a pardon before Obama leaves office in January. Snowden said his disclosure on the scale of surveillance being conducted by both U.S. and British intelligence agencies was the morally correct thing to do. While the law may say he should be prosecuted, Snowden said, “that is perhaps why the pardon power exists — for the exceptions, for the things that may seem unlawful in letters on a page but when we look at them morally, when we look at them ethically, when we look at the results, it seems these were necessary things, these were vital things,” he said, adding policies and procedures have changed for the better as a result of his disclosures. [The Guardian]

Privacy Enhancing Technologies (PETs)

US – HPE-IAPP Privacy Technology Innovation Winners Announced

The winners of the annual HPE-IAPP Privacy Innovation Awards have been announced, including for this year’s “most innovative privacy technology.” Two companies received the technology award this year. Vysk Communications has invented the QS1, a smartphone case designed to protect and secure voice calling and allow users a multitude of ways to secure their phone. Protenus offers a new platform for health care organizations needing to find a better system for protecting and controlling access to electronic medical records. The platform consists of two distinct services for health care organizations; one focuses on analytics and protective detection, while a second piece provides forensics and investigation solutions. [IAPP.org]

Security

FTC Opens Safeguards Rule to Public Comment

The FTC announced it would be opening the Safeguards Rule under the Gramm-Leach-Bliley Act to public comment for the purpose of evaluating its ability to protect consumer information. The FTC hopes to determine the economic advantages and disadvantages of the Safeguard Rule, as well as potential clashes it has with state and local laws. However, the result of the comments may not necessarily create change due to the nature of the law itself, said Morrison & Foerster’s Nathan Taylor. The rule “by design puts in place a risk-based process that is both flexible and adaptable,” Taylor said. It’s “specifically designed to be able to respond to changes in technology and changes in the threat landscape.” The comment period will extend to Nov. 7. [Bloomberg BNA]

US – FTC Announces it will Provide Guidance on Ransomware

The FTC has become the most recent regulator to take a closer look at ransomware and its impact on consumers. During the FTC’s September 7, 2016, Fall Technology Series on Ransomware, Chairwoman Edith Ramirez announced that the FTC will soon release guidance to businesses on how to protect against ransomware. According to experts on hand for the event, this pay-to-unlock scheme is the most profitable malware in history. FTC Chairwoman Edith Ramirez said not only is it prevalent and dangerous, but there are also many challenges associated with thwarting it, including its rapid proliferation, the vectors of attack and the vast array of harms. [InsidePrivacy] [Privacy Advisor: At FTC Workshop on Ransomware, FBI says: Don’t Pay] [FTC focuses on combating ransomware]

WW – Ransomware is Spreading Through Cloud Apps

The latest report from Netskope, a cloud access security broker, has revealed how the presence of ransomware is spreading through cloud apps. On average there were 26 pieces of malware found in cloud apps across a given organisation. Of these 26, 43.7% of malware found in enterprises’ cloud apps have delivered ransomware, and 56% of malware-infected files in cloud apps are either being shared with internal or external users, or shared publicly. Ransomware accounts for nearly half of all malware found in organisations. [Information Age] [Nearly Half of Cloud-Based Malware Now Delivers Ransomware]

WW – 3 Essential Steps for Responding to Ransomware Attacks

Likely because most victims comply with their demands, the incidence of attacks by ransomware hackers has exploded in 2016. Guidance issued by the U.S. Department of Health and Human Services in July notes that, on average, there have been 4,000 reported ransomware attacks per day thus far in 2016, far exceeding the average of 1,000 attacks per day last year. While it may be tempting to pay the ransom, there are serious risks to this approach. Even if the ransom demanded by a ransomware hacker is not prohibitively expensive, an organization victimized by an attack must bear in mind that simply paying off the hacker is unlikely to make its problems go away. If you believe your organization has been victimized by a ransomware attack, you should proceed as follows, carefully documenting each of the steps. [Workplace Privacy Report]

US – NIST Seeks Feedback from Privacy Pros on Special Publication 800-53

During a government workshop this week, the National Institute of Standards and Technology sought feedback from privacy professionals as it begins its fifth round of revisions on NIST Special Publication 800-53. Of particular concern was “the disconnect between security and privacy controls.” However, the Department of Homeland Security’s Jamie Danker said that privacy pros’ “equal footing” with security pros in this regard illustrated the profession’s growth. But no one argued the job is done. After nearly two years of real-world application, it has become clear there are blind spots. Danker said it would be helpful to have information on how to better identify a privacy risk. Sean Brooks, a privacy engineer at NIST, said there is not enough information for identifying and solving problems that don’t involve a malicious actor. Another session member said that SP 800-53 should be written in a way that doesn’t just tack privacy on at the end. Privacy and security should be integrated throughout the document because privacy experts rely heavily on security experts and vice versa. There needs to be more communication between them, attendees said. Other concerns included the lack of metrics for implementation of Appendix J and the lack of an assessment process for it. The agenda for the workshop said the goal was to identify “whether changes should be made in the publication’s fifth revision.” The clear consensus from the day was yes, but what those changes should be was far from decided. NIST welcomes comments on the draft of Appendix J and 800-53 through Sept. 30, with the final draft expected in 2017. [IAPP.org] [GCN.com]

Surveillance

US – Seizure of Cell Site Location Information Should Require a Warrant

An advocacy group submitted an amicus brief in support of 3 individuals appealing a district court ruling concerning seizure of cell site location information (“CSLI”) from a phone provider. The government seized the CSLI without a warrant, but the Supreme Court has held that the government should first acquire a warrant under probable cause; no exception applied to the CSLI (there was no hot pursuit, inventory search, emergency aid or exigent circumstance). [U.S.A v. Kenneth Benbow, Mark Pray, and Alonzo Marlow – Brief of the Cato Institute as Amicus Curiae In Support of Appellants – In The U.S. Court Of Appeals For The District Of Columbia Circuit | Amicus Brief | Legal Brief]

Telecom / TV

US – State Officials Warn Against FCC Privacy Regulations

Attorneys General of 16 states wrote to express concerns over a federal proposal that would regulate the privacy practices of broadband providers while exempting big tech companies, saying it would threaten consumer privacy and complicate “an already complex regulatory environment.” “If this proposed rule moves forward not only may it be read to preempt important state laws that effectively protect consumers’ privacy, but this new approach will also foster a byzantine regulatory environment rather than clear, enforceable requirements that improve data privacy for all consumers,” the group argued. [Washington Examiner]

UK – Report: ISPs Say Government Surveillance Could Weaken Network Security

According to a report from The Internet Service Providers’ Association (ISPA), the majority of UK Internet service providers (ISPs) say they are concerned that government surveillance will undermine their network security and increase the likelihood that their networks will be targets of attacks. ISPs also say they would like to see the government focus on raising consumer awareness and creating greater consistency in law enforcement’s response to reported cyber incidents. [eWeek | Ars Technica]

US Government Programs

US – Customs Office Has Problematic Data Policies, DHS IG finds

The Department of Homeland Security Office of Inspector General has announced findings that the U.S. Customs and Border Protection’s Office of Professional Responsibility has shared too much personally identifiable information, “putting its mission ahead of protecting sensitive personal data.” A request from Sen. Tom Coburn, R-Okla., catalyzed the review, which found that while the agency did not violate the Privacy Act of 1974, many of its practices were questionable and needed repurposing. “We believe the manner in which CBP OPR shared the sensitive PII showed a lack of regard for, and may have compromised these individuals’ privacy,” the OIG report states. The CBP OPR agreed with the OIG’s guidance to remedy policies and better train employees, and has 90 days to provide the OIG with an action plan. [Federal Times] [Customs investigators violated privacy of thousands]

US – Gov’t Releases Guidance on Senior Privacy Roles

The U.S. federal government has released updated guidance on the role of the senior agency official for privacy (SAOP). The Office of Management and Budget’s guidance asserts the SAOP has to serve in a “central leadership position” and have the “necessary authority and expertise” to lead the agency on all things privacy. The establishment of SAOPs at every agency comes as part of an update to Circular A-130 — the resource for government agencies’ information-management protocols — and follows the establishment of a Federal Privacy Council via U.S. President Barack Obama’s Executive Order, issued in February. In a blog post, Marc Groman, senior advisor for privacy at OMB, said the guidance “recognizes that the success of an agency’s privacy program depends upon its leadership. Further, the guidance joins a growing list of actions this administration has taken to support the federal government’s protection of privacy … to help ensure that agencies take a coordinated approach to addressing privacy and information security.” Most importantly, the U.S. federal government now recognizes the vital role that privacy professionals play in evaluating legislative and regulatory efforts that involve and depend upon personal data. “The SAOP shall ensure that the agency considers and addresses the privacy implications of all agency regulations and policies,” the memo reads, “and shall lead the agency’s evaluation of the privacy implications of legislative proposals, congressional testimony, and other materials.” Time is of the essence. Each agency now has 60 days to look at who’s handling privacy at their agency and then either designate that person to be the SAOP, officially, or choose another person to serve that role. 
Further, the guidance requires the SAOP to “take a central role at the agency in policy development and evaluation, privacy compliance, and privacy risk management.” Most importantly, however, “agencies should recognize that privacy and security are independent and separate disciplines. While privacy and security require coordination, they often raise distinct concerns and require different expertise and different approaches.” In fact, “the distinction between privacy and security is one of the reasons that the Executive Branch has established a Federal Privacy Council independent from the Chief Information Officers Council,” the memo states. [IAPP]

US Legislation

US Legislative News

Workplace Privacy

WW – Would You Hand Over Your Social Media Account Details for A New Job?

According to one vendor, as of 2013, 93% of recruiters were likely to look at a candidate’s social profile, and 42% had been moved to give the thumbs-up or -down based on what they turned up. There have been various tools put forth that make it easier for employers to get at your “true” self. Now, there’s another such tool to go beyond just plain old running a search on a candidate. Called The Social Index, the online service promises to rifle through the digital footprints of short-listed job candidates and present employers or recruiters with a report. That report is an infographic that, the company claims, maps out a candidate’s “personal brand.” It crunches data from Facebook, Twitter and LinkedIn. According to a report from Mashable, The Job Index focuses on those three social platforms partly because they’re common, but also because, typically, they’re the ones most relevant to a company’s client activities or reputation. It takes about 30 seconds for the candidate to be analyzed before their “social footprint” is ready. Within 24 hours the report will be delivered to both the client and the job seeker. [Naked Security] See also: [This software start-up can tell your boss if you’re looking for a job] and [Your employer may know if you’re quitting before you say so, thanks to Jobrate]

US – Tech Company to Release Sensor-Based Employee Badge

Boston-based tech company Humanyze has developed an employee badge that senses speech and movement to measure productivity, set for October release. The device, dubbed a “Fitbit for your career,” is “slightly larger than … a credit card” and has two microphones to record sounds — except when users go to the restroom. The company maintains that it doesn’t record the content of conversations; that managers cannot look at a specific individual’s data, and that employees choose whether or not to use the badge. “If you don’t give people choice, if you don’t aggregate instead of showing individual data, any benefit would be dwarfed by the negative reaction people will have of you coming in with this very sophisticated sensor,” said Humanyze CEO Ben Waber. [The Washington Post]

WW – IoT-Tricked Office Not a Privacy Problem, But the Future

Staff at Futurice, a Helsinki-based digital innovation consultancy, created an “indoor mapping” system for tracking temperature, bathroom usage, and free desk space. The system has some worried about privacy, surveillance and data collection, while others maintain that connecting offices in this way is the future of internet of things development. The Futurice model is opt-in, and no data is tracked or stored. “It’s just what’s happening near me right now,” said Futurice’s Paul Houghton. Tools like this are only the beginning, some say. “We’re merely scraping the surface of what could be achieved if more offices look at how they can adopt the internet of things and data to improve everything from operations to sales, and happiness to product development,” said Tech City UK’s Gerard Grech. [The Guardian]

+++

26 August – 06 September 2016

Biometrics

WW – Hackers Trick Facial-Recognition Logins With Photos From Facebook

Researchers have demonstrated a disturbing new method of stealing a face: one that’s based on 3-D rendering and some light Internet stalking. Security and computer vision specialists from the University of North Carolina presented a system that uses digital 3-D facial models based on publicly available photos and displayed with mobile virtual reality technology to defeat facial recognition systems. A VR-style face, rendered in three dimensions, gives the motion and depth cues that a security system is generally checking for. The researchers used a VR system shown on a smartphone’s screen for its accessibility and portability. Their attack, which successfully spoofed four of the five systems they tried, is a reminder of the downside to authenticating your identity with biometrics. By and large your bodily features remain constant, so if your biometric data is compromised or publicly available, it’s at risk of being recorded and exploited. Faces plastered across the web on social media are especially vulnerable. [Wired]

UK – Met Police Rolls Out Real-Time Live Face-Spotting Tech

London’s Metropolitan Police will trial an automated facial recognition system to identify people at this weekend’s Notting Hill Carnival. This is only the second time that British cops have openly trialled live automated facial recognition (AFR) systems in the UK. Last year, Leicestershire Police also trialled AFR at Download Festival – though this was found to not have been part of the policing plan for the event and police didn’t bother assessing how effective it was after the event. According to the Met, the AFR system “involves the use of overt cameras which scan the faces of those passing by and flag up potential matches against a database of custody images. The database has been populated with images of individuals who are forbidden from attending Carnival, as well as individuals wanted by police who it is believed may attend Carnival to commit offences.” The government’s Surveillance Camera Commissioner, Tony Porter, said that “the Surveillance Camera Code of Practice requires relevant authorities such as Local Authorities and Police Forces to ensure they use surveillance cameras effectively, efficiently and proportionately.” Even if the use of AFR complies with the code, the Met’s collection of custody images has been a greater source of controversy. In his annual report earlier this year, the Biometrics Commissioner warned that the Home Office was cruising for a lawsuit in this area, particularly after a High Court ruling in 2012, R (RMC and FJ) v MPS, in which Lord Justice Richards found: [T]he just and appropriate order is to declare that the [Metropolitan Police’s] existing policy concerning the retention of custody photographs … is unlawful. It should be clear in the circumstances that a ‘reasonable further period’ for revising the policy is to be measured in months, not years.
According to a Freedom of Information request made by pressure group Liberty last year, however, in the three years since the ruling the Met confessed it had only deleted 560 persons’ images because “the current I.T. system which holds MPS custody images was not designed or built to accommodate a complex retention policy.” In response to a Parliamentary question reported in the Birmingham Mail, Baroness Williams of Trafford reported that by 15 July this year, there were “over 19 million custody images, which may include images other than of faces, uploaded by forces onto the PND (Police National Database).” “Of these, 16,644,143 had been enrolled in the facial image recognition gallery and are searchable using automated facial recognition software,” Williams revealed – a figure representing roughly a quarter of the UK’s entire population. This area is expected to receive enhanced attention when the Home Office publishes its long-awaited Biometrics Review, as well as its Custody Images Review. Though both of these have been completed, the Home Office has not published them, which The Register’s sources have claimed is a result of redrafting the “rubbish” reports. [The Register]

Big Data

WW – Tech Giants Explore AI Ethics Standards Group

With the rise of artificial intelligence, some of the world’s biggest tech companies are commencing informal talks on how best to develop an ethical and self-policing framework for the burgeoning technology. Alphabet, Amazon, Facebook, IBM and Microsoft have been meeting to discuss its impact on jobs, transportation and warfare. Though a name for the standards group has not yet come to light, four people familiar with the meetings said the group intends to “ensure AI research is focused on benefiting people, not hurting them.” Stanford University has also released a report funded by Microsoft researcher Eric Horvitz. The report, titled “Artificial Intelligence and Life in 2030,” contends that it will be impossible for government to regulate AI. “The study panel’s consensus is that attempts to regulate AI in general would be misguided, since there is no clear definition of AI (it isn’t any one thing), and the risks and considerations are very different in different domains.” [The New York Times reports]

WW – Are Algorithms ‘Weapons of Math Destruction’?

Remember the 2008 financial crisis and the “dark financial arts” that caused it? Cathy O’Neil sees parallels between those calamitous days and the use of big data today. In her new book, “Weapons of Math Destruction,” O’Neil, a Harvard-trained mathematician who used to ply her talents on Wall Street, argues that the “discriminatory and even predatory way in which algorithms are being used in everything from our school system to the criminal justice system is really a silent financial crisis.” To solve the problem, O’Neil has proposed a Hippocratic Oath for mathematicians and a host of regulatory reforms. [Time]

Canada

CA – NL OIPC Issues Guidelines on Legal Advice Exemption

The Newfoundland and Labrador (NL) OIPC has issued guidelines on applying the legal advice exception found in section 30 of the Access to Information and Protection of Privacy Act, 2015.

  • The guidelines rely heavily on the decision by the NL Supreme Court in Newfoundland and Labrador (Information and Privacy Commissioner) v. Eastern Regional Integrated Health Authority, 2015 NLTD(G) 183 (Eastern Health case).
  • The Court in the Eastern Health case reviewed the current state of the law regarding solicitor and client privilege.
  • The guidance document annotates and summarizes the court’s review of both solicitor-client and litigation privileges, both of which are covered by the legal advice exception.
  • When relying on these exceptions the NL OIPC noted that “public bodies should consider the scope and intention of the privilege.”
  • The NL OIPC affirms that if a public body is relying on the exception of solicitor and client (legal advice) it must be able to show that:
  1.   the document was a communication between a solicitor, acting in his or her capacity, and the client;
  2.   the communication entailed the seeking or giving of legal advice, AND
  3.   the communication was intended to be confidential.
  • If a public body is relying on litigation privilege it must be able to show that:
  1.   the dominant purpose for the preparation of the document must be the litigation in question, AND
  2.   litigation must have been in reasonable contemplation at the time of preparation of the document.

Source: [OIPC NFLD – Section 30 – Legal Advice]

E-Mail

US – Yahoo Email Scanning Settlement Garners Criticism

Yahoo has agreed to a settlement on its alleged scanning of user emails, but is making no plans to stop the practice. The tech giant was accused of scanning emails without user consent. The lawsuit was one of six requesting Yahoo to halt its monitoring activities. The settlement awarded $4 million, but none of it will go to the public, with the entirety of the award going to lawyers. The settlement also allows Yahoo to continue to look over user emails without non-Yahoo users’ consent. Yahoo now agrees to only scan the emails when they are on its servers, not while they are in transit. [Ars Technica]

Encryption

US – Tech Companies Use Encryption as Marketing Tool, Not a Security One: FBI Director

At the 2016 Symantec Government Symposium, FBI Director James Comey discussed the problems of encryption by default and the need for a backdoor, maintaining that tech companies tout encryption not for security’s sake but for marketing’s. “What has happened in the three years I’ve been Director [of the FBI], post-Snowden, is that that dark corner of the room, especially through default encryption, especially through default encryption on devices, that shadow is spreading through more and more of the room,” he said. Technologists countered that his comments over-simplify the issue. “But when you look into it, what they’re really asking for is dramatic, it’s a huge thing,” said Errata Security CEO Robert Graham. “They’d need to outlaw certain kinds of code.” [The Daily Dot]

EU Developments

EU – EU Regulators to Look at Facebook-WhatsApp Changes

Fallout from recently announced plans for WhatsApp to share user data with parent company Facebook continues. The Wall Street Journal reports the Article 29 Working Party said it is following changes to WhatsApp’s privacy policy “with great vigilance.” Additionally, privacy advocates, including the Electronic Privacy Information Center and the Center for Digital Democracy, have filed a complaint with the U.S. Federal Trade Commission, arguing proposed changes that allow it to use WhatsApp user data for “marketing purposes” are an “unfair and deceptive trade practice.” Delhi’s High Court in India has asked the government, specifically the Telecom Regulatory Authority of India, for its response to the privacy policy changes. The New York Post reports that, in addition to individual users, businesses are also concerned about the changes, particularly how they can protect corporate and user data that is shared when companies communicate via WhatsApp with their consumers. [Full Story]

Facts & Stats

WW – Airbnb Releases First Transparency Report on Law Enforcement Requests

Airbnb has released its first transparency report on the number of law enforcement data requests it has received. Airbnb provided data on 82 of the 188 requests sent to it from law enforcement agencies during the first six months of 2016. The report is published as part of Airbnb’s Community Compact initiative, where the home-sharing company works to become more transparent to the public and local governments in the cities where it operates. “We’re building a more transparent community and sharing data about our community with the general public,” said Airbnb spokesman Christopher Nulty. “We felt that this is an important first step. In the future, we’ll look to share additional sorts of data about our community.” [TechCrunch]

Filtering

WW – Google to Tweak Search Result Algorithm to Favor Sites that Make Content Readily Accessible

Google plans to alter its search result ranking algorithms so sites that have pop-up advertisements or interstitial pages that interfere with users’ ability to view content are less favored. Google cites examples of techniques that interfere with viewing content: pop-ups that cover portions of the main content; interstitial pages that must be closed before being able to view content; and advertisements that fill web browsers’ screens so users must scroll down to access content. Exceptions will include pop-ups that tell users about the use of cookies, and pages that require login information. [BBC: Google punishes sites with pop-up adverts | Google Blog: Helping users easily access content on mobile]

Finance

US – FTC Opens Public Comment on Safeguards Rule

The Federal Trade Commission is asking for public comment on its Safeguards Rule as the agency reviews its rules and guidelines. The Safeguards Rule requires financial institutions to create and maintain comprehensive information security programs for handling customer data. “The FTC seeks comments on a number of questions, including the economic impact and benefits of the Rule; possible conflict between the Rule and state, local or other federal laws or regulations; and the effect on the Rule of any technological, economic or other industry changes,” the agency’s announcement said. In another blog post, FTC Chief Technologist Lorrie Cranor previews the agency’s “Putting Disclosures to the Test workshop.” The event will cover topics including measuring disclosure effectiveness and whether consumers actually pay attention to a disclosure. [FTC]

WW – Google, Amazon Offer to Build Wall Street Database

Major tech companies are vying for the right to build a new database for the Securities and Exchange Commission designed to track stock and options trading from exchanges and broker-dealers on a daily basis, Bloomberg reports. Amazon and Google’s parent company, Alphabet Inc., are looking to help build the Consolidated Audit Trail database, designed to host exchanges in the cloud, but will also hold personal information on more than 100 million customer accounts. Brokers and bankers are concerned about the database’s construction, fearing problems from data breaches and technology firms asserting themselves within the financial industry. “This is a huge opportunity for Amazon and Google,” said Harvard University Senior Fellow Jo Ann Barefoot. “Their involvement in this project I do think is a threat to the incumbents. If big tech firms can win more trust in Washington, that’s one of the biggest challenges facing banks.” [Full Story]

CA – 80,000 People Suffer Pay Crisis in Canada After IBM System Debacle

No-one in Canada can accuse public servants of being overpaid these days. The crisis affects 80,000 employees or almost one third of Canada’s federal public servants. Thanks to a massive breakdown of the Federal Government’s new, privatised pay system, tens of thousands of Canadian public servants have been going weeks, even months with reduced pay — or in many cases, no pay at all. It is a crisis on a huge scale for Prime Minister Justin Trudeau’s new Government, and the cause of thousands of crises on an individual level, with people forced to borrow money or max out their credit cards to make ends meet. [ABC News]

FOI

CA – AB OIPC Probes ‘Chronic’ Delays in Meeting Access Requests

Alberta’s privacy commissioner has launched an investigation into the justice department for what she calls “chronic” delays in responding to freedom of information requests. The Information and Privacy Commissioner’s office said it has issued eight orders since February, after it found instances where the department did not meet the 30-day time limit for responding to access requests under the Freedom of Information and Protection of Privacy Act. “Essentially, there has just been no response to the applicant to those requests, which is a significant compliance issue within the legislation.” Included in the orders issued by the OIPC are requests for communication records between an individual and Crown counsel, the entire file of a named individual with an Alberta Serious Incident Response Team file number, emails relating to a named individual, and an applicant’s request for records of his employment. Time extension requests, along with delays in responding to requests, have become an issue within the justice department as well. Privacy commissioner Jill Clayton said the justice department’s “apparent systemic issue” of not responding to access requests within the time limit is a “significant” compliance issue. There is no penalty under the act for delays in complying with the time limit. The investigation will review the department’s process for dealing with access requests to determine the reasons for the delays, and will make recommendations to improve its compliance. An emailed statement from a press secretary on behalf of justice minister Kathleen Ganley said the government takes the concerns raised by the Information and Privacy Commissioner “extremely seriously.” [CBC News]

CA – Secretive Drug Policies Putting Injured Workers at Risk, Critics Say

It’s the body tasked with recommending which drug treatments are covered for tens of thousands of injured workers across the province. But no minutes are taken at its meetings, its members are a secret, possible conflicts of interest are not publicly reported and the full list of drugs subsidized by Ontario’s worker compensation board is unknown. Critics say that the lack of transparency surrounding the Workplace Safety and Insurance Board’s Drug Advisory Committee and its overall drug policies is compromising the care of often-vulnerable injured workers — who sometimes have no idea whether drugs prescribed by their doctor will be paid for by the board until they’re out of pocket at the pharmacy. [The Star]

UK – New UK Commissioner Sets Out FOI Plans

In her first interview since becoming UK commissioner in July, Ms Denham told me about her plans for the FOI side of her new responsibilities. Ms Denham particularly wants to improve the transparency of public services delivered by private companies, as more and more national and local state functions are outsourced. She says she will be raising this issue with ministers. “Private contractors above a certain threshold for a contract or doing some specific types of work could be included under the FOI Act. The government could do more to include private bodies that are basically doing work on behalf of the public,” she says. The new commissioner also plans to review how her office tackles public authorities with a poor track record of handling FOI requests. [BBC]

Genetics

CA – Free DNA Tests Offered After Two Cases of Manitoba Men Switched at Birth

After four men revealed they were switched at birth at Norway House, Health Canada is offering free DNA tests to others born there in the mid-1970s. Two men from Norway House announced last week — and two men from nearby Garden Hill revealed last year — that they had been switched at birth at the federally run hospital in 1975. David Tait Jr. and Leon Swanson cried in front of news cameras Friday after receiving initial DNA test results. Tests last November showed Luke Monias and Norman Barkman also went home from the hospital with each other’s families. The two cases have raised the question of whether there could be more. Health Canada spokesman Eric Morrissette said Tuesday that the department is offering free DNA tests to anyone born at the Norway House hospital in the mid-1970s. [The Canadian Press]

Health / Medical

US – Facebook Argues No Concrete Harm from Disclosure of Health-Related Internet Communications

Facebook Inc. et al. have filed a reply to support their motion to dismiss a class action complaint by Winston Smith et al., alleging unlawful collection, use and disclosure of personal information. The social media company argued that its targeted advertising based on disclosures from various medical websites (of static links to public web pages) did not violate user privacy; the URLs disclosed indicated whether someone visited a website (sensitive medical information was not disclosed), many of the websites’ policies and procedures expressly stated that the URLs would be disclosed, and the individuals failed to take available measures to safeguard their information (e.g. by opting-out). [Smith et al. v. Facebook Inc. et al. – Defendants Joint Reply in Support of Motion to Dismiss the Complaint – US District Court for the Northern District of California, San Jose Division]

US – EHR Burden Weighs Heavily on Physicians, Leads to Burnout

Physicians are spending more time with patients’ electronic health records (EHRs) than they are with the patients themselves, according to an observational study looking at the allocation of physician time in ambulatory practice. For every hour of clinic time they spend with patients, physicians spend approximately 2 additional hours on EHR and desk work during office hours, Christine Sinsky, MD, vice president of professional satisfaction at the American Medical Association (AMA), and colleagues report in an article published online September 6 in the Annals of Internal Medicine. In addition to the time physicians spend at the office, they also spend another 1 to 2 hours on computer and other clerical work during their personal time each day. This finding adds to the growing body of evidence suggesting that the current generation of EHRs adds to physicians’ daily administrative burden and, as a result, may be increasing rates of professional burnout. [MedScape] SEE ALSO: [Recent study | Another study | Medscape EHR Report 2016]

CA – Computer Medical Records Breached at Grey Bruce Health Services

An investigation was initiated after four individuals came forward with concerns about access to personal information within their electronic medical records. Results of the investigation indicate that a former employee inappropriately accessed the electronic medical records of 246 individuals over a seven-year period from January 2008 to September 2015. All individuals involved in the privacy breach have been notified in writing, and a summary of the investigation has been given to the province’s Information and Privacy Commissioner. This privacy breach does not impact any test results or diagnosis. This breach involves one individual who accessed electronic medical records for no work-related reason and appears to be related to personal curiosity. [Blackburn News]

Horror Stories

WW – Hackers Dump Data from Dropbox’s 2012 Hack Online

Unidentified hackers have dumped the stolen user passwords and emails from more than 68 million Dropbox users online. The data was from a 2012 hack that Dropbox had then reported only included passwords, and at the time compromised more than two-thirds of its customer base, the report states. “The hack highlights the need for tight security, both at the user end — the use of strong passwords, two-step authentication and no reuse of passwords — and for the companies storing user data,” the report adds. “Even with solid encryption practices for securing users’ passwords, Dropbox fell [a]foul of password reuse and entry into its company network.” [The Guardian]

UK – Reported UK Data Breaches Soar 88% in a Year

The volume of data breach incidents reported to the Information Commissioner’s Office (ICO) has almost doubled in the space of a year, according to a new Freedom of Information (FoI) request. The figure rose from 1,089 in the period April 2014-March 2015 to 2,048 in virtually the same period a year later, according to Huntsman Security. Health, local government and education were the worst performing sectors in terms of the volume of breaches disclosed, accounting for 64% of the total in 2015-16. However, financial organizations were the worst hit by ICO fines. Despite accounting for fewer than 6% of incidents they were on the receiving end of 33% of the watchdog’s financial penalties during the period, which hints at the severity of these breaches. In three-quarters of the total number of cases, no action was taken by the ICO, either suggesting that the incidents themselves were fairly innocuous or that the watchdog needs to grow some sharper teeth. It’s believed that incoming commissioner Elizabeth Denham may be less forgiving of organizations in this regard than her predecessor. Data disclosed in error accounted for the vast majority of reported breaches (67%), followed by security incidents (30%). [InfoSecurity]

Identity Issues

US – NIST Publishes Major Revisions to Digital Authentication Guidance

The National Institute of Standards and Technology released a major update to Special Publication 800-63 for digital authentication. The third version was published Aug. 30, and divides the digital authentication document into four sections: digital authentication guidelines, enrollment and identity proofing, authentication and lifecycle management, and federation and assertions. The third revision has already received more than 200 comments. Michael Garcia, deputy director at NIST’s National Strategy for Trusted Identities in Cyberspace, said identity proofing is “a complete re-write,” based off good practices guidance like the kind seen in Canada and the UK. “It’s much more about the characteristics of quality evidence and the outcomes of the event itself,” Garcia said, pointing out that the federation and assertions document was practically all new. According to the draft, this type of system “is preferred over a number of siloed identity systems that each serve a single agency or RP [relying party].” The benefits of “federated identity architecture,” NIST says in its draft, include enhanced privacy, data minimization, cost reduction and enhanced user experience. Garcia said the third iteration reflects a better understanding of the digital authentication space; however, “we’re not there yet.” [Federal News Radio]

WW – Identity Governance Red Flags Identified

Five of the most common warning signs that a company is struggling with identity governance issues are identified. They include orphaned accounts, poorly defined certification processes, inadequate access request approvals, lack of segregation-of-duty controls, and independent processes across the organization. The issues are very typical and can lead to employee-catalyzed breaches. “Fortunately, the right identity governance and intelligence solution can solve these issues to minimize your security risks and help you systematically achieve and manage your regulatory compliance.” [SecurityIntelligence]

UK – One in Five Mothers Say They Chose Wrong Name for Their Child: Poll

One in five mothers feels “namer’s remorse” and would pick another name for their child if they had the choice, according to a survey before this week’s annual announcement on baby names. Names most frequently regretted were Charlotte, Amelia, Anne, Daniel, Jacob, James and Thomas. Of the 245 mothers who regretted the names they gave their children, 12% “always knew it was the wrong choice”, 3% knew from the moment the child was born, 8% knew within a couple of days, 32% knew within the first six weeks and 23% began to regret their choice when their children first started nursery or school. The main reason for regretting the name was that it was too commonly used (25%). Just over one in five mothers who regretted their choice said it “just doesn’t feel right”. One in five said they had never liked the name but had been pressured into using it. Just over 10% of mothers said the name did not suit their child. Another 11% said it was not distinctive enough. A further 11% said it caused their child problems with spelling or pronunciation. Six percent regretted their choice because they disliked the shortened version of the name their child ended up being called. Only 3% pinned their regret on the fact there had been a change in public perception of the name since their child was born. Just 1% regretted their choice because a celebrity had used the name for their child. The consolation is that most children grow into their names – and those who don’t can always fall back on middle names, nicknames or (in extremis) deed polls. Just 6% of mothers, however, have changed any of their children’s names, although one in three has considered it. [The Guardian]

Law Enforcement

CA – Ottawa Police Introduce Automatic Licence Plate Scanners, Privacy Concerns Raised

Technology that will allow Ottawa police to scan up to 5,000 licence plates per hour has already netted results in the city, while privacy advocates are voicing their concerns over how the data will be collected and safeguarded. Police unveiled the first Ottawa Police Service cruiser to implement the Automatic Licence Plate Recognition technology – a device with three all-weather infrared cameras mounted to the roof, with the ability to scan and record licence plates in multiple lanes of traffic and in multiple directions. The readings are fed into a database, and the officer is alerted to potential offenders within seconds if the plate number matches the police “hot list.” In accordance with the Ontario Privacy Commission’s stringent guidelines, Ottawa police have agreed to track data only for offenders – one of the ACLU’s primary recommendations. That information will be stored for five years, while licence plates of “non-hit” vehicles are immediately purged from the data bank. [Ottawa Citizen]

US – Alaskan Police Force Removes Body Cameras, Citing Privacy Fears

The Kodiak, Alaska, police department has stopped using body cameras, citing privacy and effectiveness concerns. While the department’s initial use of the technology in February 2015 “appeared beneficial to the community,” issues arose, said Kodiak Police Chief Rhonda Wallace. Among technological concerns and attachment problems, officers were fearful that the cameras were hurting citizen privacy, especially when they interacted with people on their “worst days” or when they had to deliver sensitive information. The police removed the cameras in December 2015, a move that has caused some controversy as police cameras successfully bolstered an autistic man’s suit earlier that year. “Once a person’s right to privacy has been addressed, we’ll work toward getting the program back up and using them again,” said City Manager Aimee Kniaziowski. [Govtech]

CA – Cape Breton Prostitution Sting Raises Public Shaming Concerns

Experts in privacy and civil rights are raising questions about a police news conference that identified 27 men caught in a Cape Breton prostitution sting, saying the move amounted to unnecessary “public shaming.” “Public shaming is not something that our justice system should promote … [and] when you release names to try to deter others that sounds like public shaming to me,” said a spokeswoman for the Canadian Civil Liberties Association. “Deterrence is a feature of our criminal justice system, but we usually leave that to the sentencing process.” Last week, provincial court Judge Brian Williston rejected a legal challenge from one of the accused, saying police have the discretion to release personal information to the media, so long as it does not jeopardize a fair trial. However, the lawyer for John Russell Mercer, 73, argued in court that the news conference last September was akin to “locking someone in the stocks” — a form of public humiliation that violated his client’s rights under Section 7 of the Charter of Rights and Freedoms. But the judge disagreed, saying the information released by Cape Breton Regional Police was “limited to what was already accessible to the media and the public.” Deshman said that line of reasoning doesn’t recognize the impact of holding a news conference to draw attention to the accused. [The Canadian Press]

Location

US – Location Privacy and Use of ALPR at Airports

I’d just finished parking my car in the covered garage at Reagan National Airport when I noticed a dark green minivan slowly creeping through the row behind me. The vehicle caught my attention because its driver didn’t appear to be looking for an open spot. What’s more, the van had what looked like two cameras perched atop its roof — one on each side, both pointed down and slightly off to the side. I had a few hours before my flight boarded, so I delayed my walk to the terminal and cut through several rows of cars to snag a video of the guy moving haltingly through another line of cars. I approached the driver and asked what he was doing. He smiled and tilted the lid on his bolted-down laptop so that I could see the pictures he was taking with the mounted cameras: He was photographing every license plate in the garage (for the record, his plate was a Virginia tag number 36-646L). The man said he was hired by the airport to keep track of the precise location of every car in the lot, explaining that the data is most often used by the airport when passengers returning from a trip forget where they parked their vehicles. I checked with the Metropolitan Washington Airports Authority (MWAA), which manages the garage, and they confirmed the license plate imaging service was handled by a third-party firm called HUB Parking. “Reagan National uses this service to assist customers in finding their lost vehicles,” said MWAA spokesperson Kimberly Gibbs. “If the customer remembers their license plate it can be entered into the system to determine what garages and on what aisle their vehicle is parked.” What does HUB Parking do with the information its clients collect? Ilaria Riva, marketing manager for HUB Parking, says the company does not sell or share the data it collects, and that it is up to the client to decide how that information is stored or shared.
“It is true the solution that HUB provides to our clients may collect data, but HUB does not own the data nor do we have any control over what the customer does with it,” Riva said. Gibbs said MWAA does not share parking information with outside organizations. [Krebs on Security]

Online Privacy

US – Online Tool Allows Users to Inspect Banks’ Privacy Notices

Computer scientists at Carnegie Mellon have developed an online tool designed to help users examine banks’ privacy notices. The tool, simply titled “Bank Privacy,” inspects the notices of a user’s bank and of other banks in the area, giving the user the opportunity to possibly find a bank with a privacy notice they prefer. “We collected lists of financial institutions in the United States and wrote a computer program that automatically queries Google in search of companies’ standardized notices on their websites,” Carnegie Mellon wrote in a paper on the subject. “Upon finding such a notice, the program automatically parses the standardized notice and feeds the extracted information into a database, enabling a large-scale comparison of financial institutions’ privacy practices.” [Motherboard]

WW – Survey: Indians Most Likely to Share Sensitive Info on Public Wi-Fi Hubs During Vacation

An Intel Security survey of 13,960 respondents across 14 nations found that at 31%, India boasts the most leisure travelers comfortable with sharing personal information over public Wi-Fi. Among the personal information is credit card data, usernames and passwords, the report states. “More than one out of three Indians (36%) share their personal data even when they realize that this will make them vulnerable,” the survey states. This is potentially problematic as cyber thieves target public Wi-Fi with increased frequency. [Business Standard]

US – Facebook in Privacy Fail as Psychiatrist’s Patients Are Recommended to Become Friends With Each Other

Facebook’s mission, as defined by its founder Mark Zuckerberg, has always been to ‘connect the world’, but now it seems the social media giant has gotten too good at doing just that. Every Facebook user is familiar with the ‘People You May Know’ section of the site, which lists people with whom you have friends in common, or in whose photos you’ve been tagged. But Facebook seemingly takes other factors into account when suggesting whom you should friend, including phone contacts, and possibly geographical proximity. According to Fusion writer Kashmir Hill, she has been contacted recently by a psychiatrist named Lisa who discovered that Facebook had started recommending her own patients as potential friends. The mental health professional, who lives in a small town, was surprised and troubled by this development, since she was an infrequent Facebook user and had not granted the app access to her phone contacts. However, upon reviewing her Facebook profile, Lisa realized that she had shared her own phone number on the social media site. The matter took a more disturbing turn when one of her patients, a snowboarder in his 30s, came to her saying that he had begun getting recommendations to ‘friend’ septuagenarians with whom he had nothing in common, and whom he never met. Sometime later, another patient of Lisa’s got a friend suggestion on Facebook for a person she recognized from a chance encounter in the office’s elevator. Now the woman had another patient’s full name and other personal information listed on his social media profile. ‘It’s a massive privacy fail,’ said Lisa, who asked Fusion not to use her real name. ‘I have patients with HIV, people that have attempted suicide and women in coercive and violent relationships.’ As a precaution, the psychiatrist and her colleagues in the medical community now urge their patients not to go on Facebook while at the office, or even to leave their phones at home when going for an appointment.
However, Facebook says its friend-finding algorithm does not rely on geographic proximity. An alternative theory is that Lisa’s patients began popping up on each other’s Facebook pages because they have her phone number in their own phones, which the social network’s algorithm then possibly used to link them up. In a statement to Fusion, Facebook could not confirm that hypothesis, but a spokesperson said that the ‘People You May Know’ function uses a variety of data to source its suggestions, including mutual friends, phone contacts, school and work information, and networks to which users belong. [Daily Mail]

Other Jurisdictions

AU – NSW Gov’t Rejects Legal Remedies for Invasions of Privacy

The NSW government has knocked back the advice of its law and justice committee to adopt new legal protections that would allow residents to take court action against serious invasions of their privacy. Attorney-general Gabrielle Upton rejected the recommendation following the committee’s nine-month investigation into the remedies available to individuals who feel their personal privacy has been breached. The laws recommended by the NSW committee could have seen individuals handed the ability to sue people and organisations alike for serious breaches of privacy. Existing privacy laws only apply to government agencies and businesses with a turnover greater than $3 million per annum, and govern how they must store and manage personal data. Instead of introducing a privacy tort, the NSW government has indicated it will tweak existing criminal legislation to outlaw the “non-consensual sharing of intimate images” or ‘revenge porn’. She said in the absence of a uniform national law addressing the issue – which to date has been ignored by the Commonwealth – a NSW-only course of action would create inter-jurisdictional headaches for business and would open the Australian courts system up to “forum shopping” for preferential conditions by litigants. However, NSW has not ruled out continuing to lobby for a federal law with the help of its fellow states and territories. [Source]

WW – The World is Looking to the US for Third Party Risk Guidance

As more organizations here in North America and overseas increasingly utilize third party vendors with a global presence to perform critical functions, process key transactions and provide exposure to sensitive proprietary information, those organizations with mature third party risk (TPR) programs are receiving a loud call to provide assistance to those new to the TPR field. This issue is also not a US-centric challenge; organizations globally are struggling with standardization as well. Robin Jones, of the UK’s Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA) discussed the fact that innovation in technology is receiving the strongest emphasis in the prudential specialists unit and that the unit is focused on those issues that surround events that involve an organization’s third parties. He further added his unit is paying renewed focus on technology resiliency and outsourcing (termed “TRO”) and that the FCA’s Cyber Risk Team is monitoring these elements of soundness and risk with the industry. [Huffington Post]

Privacy (US)

US – Google to Pay $5.5 Million for Sneaking Around Apple’s Privacy Settings to Scoop User Data

Google has agreed to pay a $5.5 million settlement in a class-action suit that resulted from cookie placement that worked around Apple Safari do-not-track settings. The lawsuit suggested Google collected the user data to boost ad revenue. “Behaviorally targeted advertisements based on a user’s tracked internet activity generally sell for at least twice as much as non-targeted, run-of-network ads,” the suit said. The settlement money will be sent to six technology and privacy groups, including the Berkeley Center for Law & Technology and the Center for Internet & Society at Stanford. [SiliconBeat]

US – Court Ruling Is A ‘Fatal Blow’ to Consumer Protections, Advocates Say

Companies such as Google and Facebook thrive on your personal data — the bits of information that tell advertisers how old you are, what brands you like and how long you lingered on that must-see cat video. Historically, how these companies use this data has been subject to oversight by the Federal Trade Commission, the government’s top privacy watchdog. A big court defeat for the FTC this week is putting the agency’s power to protect consumers in jeopardy, analysts say. The ruling could wind up giving Google and Facebook — not to mention other companies across the United States — the ability to escape all consumer-protection actions from the FTC, and possibly from the rest of government, too, critics claim, unless Congress intervenes. In the wake of the setback, the FTC is mulling an appeal — which would mean either asking for a rehearing at the U.S. Court of Appeals for the 9th Circuit, or escalating to the Supreme Court, according to a person close to the agency. But unless regulators can persuade the courts to overturn Monday’s decision, the result will be “a fatal blow” to consumer protection, said Jeffrey Chester, executive director of the Center for Digital Democracy. [Washington Post]

US – Clinton Campaign Switching to ‘Snowden-Approved’ Signal Messaging App

Following suspected Russian hacks of the DNC and the subsequent release of email messages through WikiLeaks, the Hillary Clinton campaign is said to be taking security advice from an unusual source: Edward Snowden. According to a new Vanity Fair article, campaign staffers were told: “If anyone was going to communicate about Donald Trump over e-mail or text message, especially if those missives were even remotely contentious or disparaging, it was imperative that they do so using an application called Signal…Signal, staffers in the meeting were told, was ‘Snowden-approved.’” Signal is a messaging app for iOS and Android that allows for encrypted communication. The Clinton campaign has not yet responded to a request for comment about what messaging apps staffers are using. [CNET]

Privacy Enhancing Technologies (PETs)

WW – HP Builds First Laptop with Built-In Privacy Screen

Yahoo reports HP has built the first laptop to have a built-in privacy screen. Previously, consumers had to bolt on physical privacy screens designed to prevent anyone 35 degrees away from the center from seeing the contents of the monitor. Now, 3M’s solution will be built in. “Designed with more than 20 years of 3M optical films technology experience incorporated into the privacy screen, HP Sure View helps address the concern of protecting sensitive information through a world-class solution tailor-made for open work environments and for the mobile worker,” said 3M’s Vice President and General Manager of display materials and systems division, Makoto Ishii. [Full Story]

RFID / IoT

WW – Industrial IoT Groups Working Together to Develop Industrywide Standards

The Organization for Machine Automation and Control, OPC Foundation, and PLCopen have announced plans to band together and create industrial internet of things standards for data sharing and “seamless … interoperability.” This alliance comes on the heels of each group’s individual IIoT developments, like creating a global taskforce charged with developing a companion specification for industry tools. However, industrywide “standards are needed to support communications from machine-to-machine and from the plant floor to interfaces that will allow large scale data analytics and information transfer,” said OMAC’s John Kowal. “It just makes sense for these organizations which have individually done so much to advance automated manufacturing to collaborate and avoid redundant developments.” [AutomationWorld]

US – Chicago’s New Data-Collecting Sensors Stir Privacy Concerns

The Array of Things made its live debut in Chicago, where the city installed two 10-pound nodes on traffic posts last week. The nodes contain low resolution cameras, microphones and various air quality sensors, along with sensors that detect use of WiFi and Bluetooth devices within a 100-foot range. The Array of Things is a collaborative project between the University of Chicago, Argonne National Laboratory and the School of the Art Institute of Chicago that was originally launched in 2014 and is designed to be a “fitness tracker” for the city. But for privacy-minded citizens, there are glaring holes in the project that have yet to be addressed. The resolution on cameras is thought to be low, and the sound sensors are meant to only monitor sound levels – not record noises, as there will be audio and image files that will be used to calibrate the sensors. A written response from project managers explained, “These images will contain no sensitive PII, but some may show faces or license plate numbers.” All information gathered by AoT will be available to the public – except for ones containing PII. In an attempt to maintain transparency, the Department of Innovation and Technology fielded questions from residents about their concerns. PII data will not be made public but will be stored in a separate, safe facility, where access to this data is “restricted to operator employees, contractors and approved scientific partners who need to process the data for instrument design and calibration purposes, and who are subject to strict contractual confidentiality obligations and will be subject to discipline and/or termination if they fail to meet these obligations. 
… The privacy and governance policies nevertheless limit who will have access to data, under what circumstances, and for the limited purpose of research and development.” When it comes to warrants, the project managers were even vaguer, saying, “The University of Chicago, as copyright holder of the data, would be responsible for responding to law enforcement requests.” [rt.com]

WW – The Internet of Things: A 101 Guide to Privacy in The Digitized World

According to a new report by Altimeter, ‘Consumer Perception in the Internet of Things’ there’s a growing consumer anxiety concerning the ‘digitization of our physical world’. At the same time the report states that 87% of American citizens in one study didn’t even know what IoT is. They were worried about their privacy, but weren’t exactly sure how or why it was being plundered in the digital world. Other respondents in the study were aware their cookies were being tracked, but had little idea why, or at least asked for more transparency from those collecting the information. The gist of the study: “Roughly 60% of all respondents report such heightened discomfort in the sharing/selling of their data.” So what should the consumer be thinking about right now in terms of his/her privacy? “At a minimum, you need to be aware of two facts: (1) people and companies will want to collect data about you and might do so without your permission, and (2) there is no total security, and every system can be hacked. Follow some simple rules: be mindful about what data you share and ask yourself what somebody could do with it. If in doubt, reject to share and ask the vendor questions, and ask yourself if the vendor is trustworthy. For the security aspect, always keep your software and devices updated; don’t use weak passwords, be mindful of the risks, and encrypt your data wherever possible.” [siliconangle.com]

Security

US – FTC Cautions that Developing Secure APIs Remains a Challenge

The FTC examines the ongoing challenge of developing secure application programming interfaces (“APIs”) in light of the InMobi settlement. Consumers are unaware that app developers or third party ad networks can use legitimately collected unique identifiers (e.g. BSSIDs) and other Wi-Fi network information to infer and track consumers’ location; despite related changes made to Android and iOS, app developers should ensure that their use of APIs is consistent with their privacy promises and consider contractual terms to ensure that their third party service providers (e.g. ad networks and analytics firms) do not circumvent consumers’ privacy choices. [FTC – A Deep Dive Into Mobile App Location Privacy Following The InMobi Settlement]

WW – Data Science Helping Organizations Stop Insider Threats

With physical boundaries of corporate networks and digital assets not as clearly defined as they once used to be, the focus in fighting insider threats needs to shift toward protecting user accounts. “Now that the traditional security perimeter has been erased by mobile and cloud computing, identities have become both an attack vector and security perimeter.” The truth is that credential theft does happen, and it happens a lot. In fact, a Verizon 2015 data breach report found that the majority of confirmed security incidents occur as a result of compromised user accounts. Massive lists of user credentials and passwords are being sold on the Dark Web at low prices, and, for a small fee, anyone can obtain access to all sorts of enterprise networks and cloud services, and impersonate legitimate users. Therefore, fighting insider attacks hinges on detecting anomalous user behavior. But this again presents its own set of challenges, because defining normal and malicious behavior is not an exact science and involves a lot of intricacies. Data science is helping organizations crack down on insider threats. Data science is used to extract knowledge and detect patterns. The information it produces can help an organization define normal user behavior based on identities, roles, and working circumstances. Using data science can help point out abnormal user behavior, stop insider threats, and help lower the amount of false positives. “Most users have rather clean and repeating patterns in their work from a statistics point of view,” said F-Secure Labs Lead Researcher Jarno Niemelä. “Thus, alarming changes in the users’ behavior can be detected with suitable near real-time statistics analysis tools, supported by heuristics and machine learning systems.” [TechCrunch]

MX – Mexican DPA Says Lost, Stolen or Improperly Discarded Devices Are Common Cause of Data Breaches

The Mexican data protection authority issues its “Guide to Securely Erasing Personal Data”. Individuals seeking to retrieve personal data for improper purposes collect discarded documents and tape them back together, find broken equipment parts and reuse them, and use specialized software to retrieve data from a “wiped” device; proper destruction methods include crushing, incinerating, pulverizing, shredding or chemical processes (physical media), and degaussing, over-writing or cryptographic erasure (electronic media). [DPA Mexico – Lost Stolen or Improperly Discarded Devices The Primary Cause of Data Breaches | Press release]

Smart Cards

WW – Apple’s New Patent Shows Future iPhones and iPads Will Capture the Biometrics, Photos, Videos and Audio of the Thief

Theft of smartphones is still rampant, despite current security measures such as fingerprint technology and Apple’s Touch ID. Thieves always find a way around these security protocols. However, a patent application by Apple will make life difficult for iPhone and iPad thieves in the future. Apple filed a patent with the USPTO on 25 August 2016. The patent details a technology that will allow a “trigger condition” to record the biometric, photos, audio, and video of an authorized user of a “computing device”, in this case, an iPhone or iPad, which are currently the only Apple devices that can capture biometrics. The technology will then store the acquired data which may be fingerprints, photos, and so on. The computing device may then provide the stored data for identification of the unauthorized user. From the information in the filed patent, the trigger conditions are unclear. Probably the trigger is a report by the authorized user to law enforcement authorities or Apple. Or maybe a single failed attempt to unlock the device using touch ID will be the trigger. However, there is a slight problem with Apple’s Touch ID. The technology requires a user to place the finger in different angles for verification. It is, therefore, a little unclear how Apple will register a failed unlock attempt(s) as a trigger condition. The fact that the patent suggests Apple will stealthily capture personal identifier data already raises security concerns. A more practical move would be to make the technology optional in future iOS releases. But even then we are not sure that would not make the company lose credibility among customers who mind about their privacy. [Mobipicker.com]

US – Delta Air Lines Introduces Tracking Tags to Combat Lost Luggage

Radio frequency identification (RFID) is also widely used in our daily lives, from keyless cars to pet microchips. Delta Air Lines, which says the amount of luggage it mishandles is low, has spent $50 million (U.S.) in new technology to keep better track of the 120 million bags it checks each year. The system launched this month. It’s replacing an old barcode system with RFID technology. It allows for data to be read at a distance, easily pinpointing a single bag if it needs to come off a plane. The airline has deployed 4,600 scanners and 3,800 bag tag printers at airports around the world. Conveyer belt loaders have sensors that give the green light if the suitcase is headed to the right plane, and a red light if it’s not, so a baggage handler can redirect it. Australia’s Qantas Airways has used similar technology for its automatic bag drop system on domestic flights, which the airline says has shortened lines. Elite frequent flyers receive a reusable RFID bag tag, and other passengers can buy one. An estimated 1.5 million permanent tags have been issued in the past two years. In Canada, no airline has plans to adopt the tags yet, though Air Canada is running a test in its Montreal and Frankfurt warehouses for cargo shipments. WestJet Airlines spokeswoman Lauren Stewart said the airline has reviewed the technology but has no plans to run any trials. “As a low-cost carrier we are highly aware of the expense of such tools,” she said. “In addition, the hardware and infrastructure would require installation at each airport.” Porter Airlines spokesman Brad Cicero said the carrier’s baggage mishandling rate for the last two years is 0.4 per 1,000 passengers, “so we’re very comfortable with this standard and our current processes.” [Toronto Star]

Surveillance

WW – Transit Systems Have their Eyes on You but Surveillance Footage Isn’t Always There When it Counts

Security cameras are ubiquitous on public transit across the country, but when it comes to using them to investigate sexual harassment or assault, what they record is often gone before it can be used. While victims might take weeks or even months to report an incident, surveillance footage can be erased in a matter of days. In Canada’s largest city, Toronto, security camera footage from streetcars, buses, subway trains and stations is kept for three days. It was the report of an alleged assault on a city bus that prompted Toronto’s transit agency to extend the amount of time that it holds on to footage a year ago. At the time, footage from streetcars and buses was held for only 15 hours, but after a teenage girl went to police to report an assault a few days after it allegedly happened and found there was no video evidence available, the Toronto Transit Commission extended that to 72 hours across its whole system. Some women who have experienced harassment or assault say 72 hours still doesn’t give victims enough time to report an incident. The TTC used to be allowed to hold on to surveillance camera footage for a week, but that changed eight years ago when it expanded the use of cameras throughout the transit network. At the time, Ontario’s privacy commissioner, Ann Cavoukian, approved the addition of 12,000 cameras on condition that images be held for a maximum of 72 hours to protect riders’ right to privacy. The exception to the 72-hour limit is the TTC’s wheelchair transportation service, which holds on to footage for seven days. The transit agency’s justification is that riders with handicaps or cognitive impairments might need more time to report incidents. An investigation by the city’s ombudsman also found that the footage has been used by the TTC to reassess whether riders are still eligible for the service. Transit agencies in some other Canadian cities keep their security footage for longer than the TTC.
In Edmonton, footage from trains on the light rail transit system is retained for 48 hours, but footage from stations is held for 21 days. Bus system surveillance is held for 18 days. Vancouver used to keep surveillance footage from its SkyTrain system for only two hours when it was using video tapes, but since moving to a digital system in 2008, footage can be held for up to a week. Reports of sexual assaults on the Toronto subway system are significantly down, according to police, with 67 reported in 2014 compared to 56 last year, but police say that’s not necessarily a good thing given that the majority of sex assaults never get reported. [CBC] ‘Harassment on TransLink’ website lets victims speak out | TTC votes on whether to retain surveillance video longer | Sexual harassment on the rise on transit, say police | Ontario privacy chief gives green light to TTC surveillance plans | ETS starts ‘zero tolerance’ campaign to curb sexual harassment | TransLink safe despite recent assaults, officials say | TTC to develop new app that would enable riders to report harassment | New OnDuty transit police smartphone app released and [Considering Privacy in the Age of the Camera]

WW – Ambient Light Sensors an Up-and-Coming Privacy Issue

New research by University College London’s Lukasz Olejnik maintains that ambient light sensors accessible online could pose a threat to privacy. “Lighting conditions in the user’s surrounding convey rich and sensitive data describing users and their behavior,” Olejnik writes. “This information could be hijacked and abused, applied to profile the users and perhaps discriminate them.” The information at stake includes data about “the user, the user’s environment, the user’s behavior and life patterns,” as well as information about the user’s home, he adds. Olejnik cautions users not to be fearful online, as many projects like SensorsPrivacy.com work to increase the safety of technology. However, he does encourage websites to limit the amount of ambient light sensor data they collect. [The Daily Dot] [Privacy problems on the Web: Even your device’s battery life can be used to track you]

Workplace Privacy

EU – Spying on an Employee in France Breaches His Right to Privacy, Even Where He is Committing Breaches of His Employment Contract

The French Supreme Court recently ruled that an employer could not rely on the report of a private detective it had hired to spy on one of its employees to obtain an injunction against him because this was a breach of the employee’s privacy and that could not be justified, however legitimate were its concerns. The first instance Court accepted that the employer had legitimate reasons to secure evidence but on appeal the employee disputed the validity of the Order on the ground that the employer had breached the employee’s right to a private life as protected by Article 9 of the French Civil Code and Article 8 of the European Convention on Human Rights. The Supreme Court ruled that the first instance Court should have rejected the employer’s application because it had relied on unlawfully obtained evidence to sustain it (i.e. the report from the detective). It was immaterial to this that the report clearly showed the employee to be in breach of his obligations to the employer and that he could now potentially destroy evidence of that guilt before a trial on the issue. This decision is consistent with earlier case law of the French Supreme Court, which declares inadmissible any evidence collected by employers through covert surveillance of employees, whether the spying is done by someone hired by the employer or by the employer itself, on the ground that it breaches the employee’s privacy rights. More generally, the Supreme Court also usually rejects as inadmissible any other evidence that has been collected through clandestine means (i.e. without the employee having been informed of the control/surveillance methods) with the consequence that an employee’s dismissal based on that evidence will be deemed automatically unfair, almost however guilty of the misconduct in question he may actually be. [The National Law Review]

WW – Research: Customer Monitoring Also Affects Employees

Solon Barocas and Karen Levy discuss how retailers’ efforts to monitor customer behavior also affect their employees, a consequence they refer to as refractive surveillance. “This effect of data collection is often overlooked. Debates about consumer privacy have largely missed the fact that firms’ abilities to develop a better understanding of consumers also impacts workers’ day-to-day experiences, their job security, and their financial well-being,” they write. Barocas and Levy detail the repercussions of the tracking, saying it impacts employees’ relationships with customers, when they work, and the evaluation process. Since these are “still early days for in-store tracking,” Barocas and Levy contend that managers “have an opportunity to explore how to collect customer data in ways that both respect consumers’ privacy and advance the legitimate interests of workers.” [Harvard Business Review]

+++

19-25 August 2016

Biometrics

US – N.Y. State DMV Facial Recognition Tech Helps Nab 100 ID Thieves

In January, the New York State DMV enhanced its facial recognition technology by doubling the number of measurement points on a driver’s photograph. The DMV said this vastly improves its chances of matching new photographs with one already in a database of 16 million photos. As many as 8,000 new pictures are added each day. The state’s governor says this has led to the arrest of 100 suspected identity thieves and opened 900 unsolved cases. In all, since New York implemented facial recognition technology in 2010, more than 14,000 people have been hampered trying to get multiple licenses. “Facial recognition plays a critical role in keeping our communities safer by cracking down on individuals who break the law,” Gov. Andrew M. Cuomo said in a statement. “New York is leading the nation with this technology, and the results from our use of this enhanced technology are proof positive that its use is vital in making our roads safer and holding fraudsters accountable.” The DMV said new licenses won’t be issued until a photo clears the DMV database. At least 39 US states use some form of facial recognition software. New York’s DMV first implemented facial recognition technology in 2010. Since then, more than 3,600 people have been arrested for possessing multiple licenses. The agency said it resolved another 10,500 facial recognition cases outside the criminal justice system because the statute of limitations had expired. In those instances, the cases were handled administratively—and the agency revoked licenses and transferred all tickets, convictions and accidents to the scofflaw’s true identity. New York’s DMV photo database is not among those databases forwarded to an FBI program containing about 411.9 million facial recognition images of people who have committed no crimes. [Ars Technica]

EU – Germany Eyes Facial Recognition Tech for Airports, Train Stations

Germany’s interior minister revealed plans for facial recognition systems in the country’s airports and train stations over the weekend—but digital rights activists have told Ars that the plan goes too far and would prove ineffective. Thomas de Maiziere told Bild am Sonntag that he wanted a system that would allow biometric information gathered from surveillance cameras to be matched against intelligence databases of known terror suspects. “There are opportunities for individuals to photograph someone and use facial recognition software on the Internet to find out if they have seen a celebrity or a politician. I want to use such face recognition software on video cameras at airports and train stations to show if a suspect is detected,” he said. “The authorities must use technology they are legally allowed to use.” [Ars Technica]

WW – Researchers Use 3-D Models to Break Facial Recognition Security

Security and computer vision specialists from the University of North Carolina have developed a method to break through facial recognition authentication systems. Using photos found on the internet, the researchers created 3-D models rendered with the motion and depth cues needed to pass through facial recognition security. The hack successfully spoofed four of the five authentication systems the researchers tested. The team also noted the photos were not supplied by any of the 20 volunteers, but were collected through search engines and social media networks. “We could leverage online pictures of the [participants], which I think is kind of terrifying,” says study author True Price. “You can’t always control your online presence or your online image.” [Wired]

Big Data

WW – CSA Issues 100 Best Practices for Keeping Big Data Secure

Big data is best known for its volume, variety, and velocity — collectively referred to as the “3 Vs” — and all three of those traits make security an elusive goal. Targeting companies grappling with that challenge, the Cloud Security Alliance has released a new report offering 100 best practices. As its name would suggest, the CSA focuses on promoting the use of security best practices within the cloud computing world. In an earlier report, the CSA broke down big data security risks into a set of the top 10 major challenges. Now, for each of those, it presents 10 best practices designed to help enterprises keep their information safe. To ensure that the privacy of data subjects is not compromised, all personally identifiable information such as names, addresses, and Social Security numbers must be either masked or removed. It’s also important to watch for the presence of “quasi-identifiers” that can almost identify a data subject, including ZIP code, date of birth, or gender, the report warns. Companies that use nonrelational data stores such as NoSQL databases, meanwhile, are hampered by the fact that such products typically include few robust embedded security features, the report’s authors say. For that reason, they suggest using strong encryption methods such as the Advanced Encryption Standard (AES), RSA, or Secure Hash Algorithm 2 (SHA-256) for data at rest. “The storage of code and encryption keys must be separate from the data storage or repository,” they advise. “The encryption keys should be backed up in an offline, secured location.” Also included in the report are suggestions for real-time security and compliance monitoring, privacy-preserving analytics, data provenance, cryptographic techniques, and more. The handbook is now available as a free download. There’s been growing concern about the use of big data and the associated risks to privacy and security. Early this year, the U.S. FTC issued a report with caveats and guidelines for businesses. Market researcher Gartner, meanwhile, predicts that the improper use of big data analytics will cause half of all businesses to experience ethics violations by 2018. [CIO.com] [CSA Big Data Privacy and Security Handbook]
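The following Python sketch is an added illustration, not taken from the CSA report or the article. It shows why removing names, addresses and Social Security numbers is not sufficient while ZIP code, date of birth and gender remain. The records and field names are constructed, and the use of k-anonymity (the size of the smallest group sharing the same quasi-identifier values) as the measure is an assumption of this example.

```python
from collections import Counter

# Constructed sample records (not real people); field names are assumptions.
RECORDS = [
    {"name": "Patient A", "address": "1 Sample St", "ssn": "000-00-0001",
     "zip": "60614", "dob": "1984-03-12", "gender": "F", "diagnosis": "asthma"},
    {"name": "Patient B", "address": "2 Sample St", "ssn": "000-00-0002",
     "zip": "60615", "dob": "1984-11-02", "gender": "F", "diagnosis": "diabetes"},
    {"name": "Patient C", "address": "3 Sample St", "ssn": "000-00-0003",
     "zip": "60614", "dob": "1991-07-30", "gender": "M", "diagnosis": "asthma"},
    {"name": "Patient D", "address": "4 Sample St", "ssn": "000-00-0004",
     "zip": "60657", "dob": "1991-01-15", "gender": "M", "diagnosis": "fracture"},
    {"name": "Patient E", "address": "5 Sample St", "ssn": "000-00-0005",
     "zip": "60614", "dob": "1984-06-21", "gender": "F", "diagnosis": "migraine"},
    {"name": "Patient F", "address": "6 Sample St", "ssn": "000-00-0006",
     "zip": "94110", "dob": "1975-09-09", "gender": "M", "diagnosis": "diabetes"},
]

DIRECT_IDENTIFIERS = ("name", "address", "ssn")   # masked or removed outright
QUASI_IDENTIFIERS = ("zip", "dob", "gender")      # identifying in combination


def strip_direct_identifiers(records):
    """Remove the fields that identify a data subject on their own."""
    return [{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
            for r in records]


def equivalence_classes(records):
    """Count how many records share each quasi-identifier combination."""
    return Counter(tuple(r[q] for q in QUASI_IDENTIFIERS) for r in records)


def k_anonymity(records):
    """Size of the smallest group; k == 1 means someone is unique."""
    classes = equivalence_classes(records)
    return min(classes.values()) if classes else 0


def generalize(record):
    """Coarsen quasi-identifiers: 3-digit ZIP prefix and birth year only."""
    out = dict(record)
    out["zip"] = record["zip"][:3] + "**"
    out["dob"] = record["dob"][:4]
    return out


def enforce_k(records, k):
    """Suppress records whose quasi-identifier group is smaller than k."""
    classes = equivalence_classes(records)
    return [r for r in records
            if classes[tuple(r[q] for q in QUASI_IDENTIFIERS)] >= k]


if __name__ == "__main__":
    masked = strip_direct_identifiers(RECORDS)
    print("k after removing direct identifiers:", k_anonymity(masked))

    generalized = [generalize(r) for r in masked]
    print("k after generalizing ZIP and DOB:  ", k_anonymity(generalized))

    released = enforce_k(generalized, 2)
    print("k after suppressing outliers:      ", k_anonymity(released),
          "with", len(released), "of", len(RECORDS), "records kept")
```

On this sample every record is still unique after the direct identifiers are removed, and one outlier remains unique even after generalization, so it has to be suppressed before release.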

Canada

CA – Canadian Security Establishment Increased Interceptions 26-fold in 2015

A report by the Office of the Commissioner of the Communications Security Establishment on the Canadian Security Establishment has found that the agency increased its rate of private communication interception 26-fold in 2015. While the government won’t explain the reason for the increase, the agency did find that all of the CSE’s proceedings were lawful. CSE watchdog Bill Robinson predicts that the agency “may have targeted social media conversations between individuals and counted each separate message in the string as a private communication,” the report states. “A small number of online conversations could be responsible for the rather large total.” [National Post] [Canada’s Spy Agency Now Intercepting Private Messages 26 Times More Than Previously]

CA – Main Terror Threat to Canada Comes From Lone Wolves: Report

The main terrorist threat on Canadian soil remains lone wolves or small groups inspired by ideology to carry out attacks, a new public safety report states. The 2016 report on terrorist threats to Canada drew a distinction between attacks “inspired” by extremist ideology versus those “directed” by terrorist organizations abroad. The report points out one area where that balance will be tested: the use of encrypted communications technology. Encryption allows private citizens, companies, and governments to protect their communications, business transactions and sensitive information. But law enforcement officials in Canada and beyond have argued that it also allows criminals and terrorists to evade arrest or capture. While encryption has been intensely debated in other Western countries — notably the United States — Canada has yet to have a public debate over its merits. “Encryption technology helps protect the privacy of Canadians but also creates new barriers in law enforcement and national security investigations,” the report states. “The government intends to work with Canadians, industry, and other key stakeholders and the international community to address these privacy and security concerns.” [Source]

CA – Online Privacy a Must in New Alberta Curriculum: Advocate

As the Alberta Education Ministry sets out on the massive task of overhauling the province’s school curriculums, one advocate is hoping to see a focus on privacy in the digital age. Sharon Polsky, director of the Rocky Mountain Civil Liberties Association, said she feels it’s important Alberta Education make online privacy a priority in the Career and Life Management (CALM) portion of the new curriculum. “Considering something like 30% of children have a tablet for their own exclusive use by the time they’re one and the vast majority have daily time with electronic devices by the time they’re two – it’s the same thing as giving a kid your car keys and saying have a nice time, stay safe on the road – they don’t understand the implications of what they’re doing,” she said. Larissa Liepins, press-secretary for David Eggen, Minister of Education, said they’re interested in hearing input from concerned citizens about what should be included in the new provincial curriculum. [Source]

CA – Waterloo Changes Rental Bylaw After Privacy Complaint

The City of Waterloo had to change its rental housing bylaw after a complaint to the Ontario Privacy Commissioner about Waterloo collecting tenants’ personal information. Council voted this week to approve the changes. Waterloo’s controversial rental housing licensing bylaw limits bedrooms and requires landlords pay fees. It was criticized by landlords who called it a cash grab. It went into effect in 2012. At issue was a city requirement for landlords to provide the names and contact information for all tenants. In 2014, someone complained to the privacy commissioner about personal information being collected and an investigation was launched. Waterloo finally agreed to stop collecting tenant information altogether in late 2015, but didn’t want to make the bylaw change until a review of the entire licensing bylaw currently underway is complete. Staff relented at the privacy commission’s request and changed the bylaw this week. [Source]

E-Government

WW – Voting Online Means You’re Giving Up Privacy, Researchers Warn

A research initiative conducted by groups including the Electronic Privacy Information Center and the Verified Voting Foundation found that in the 32 states and one district where online voting is permitted, voters usually accept “technical limitations” that give up their right to a private ballot. Researchers therefore suggest voting in person instead of online. “Even if offered, avoid the use of an online method for marking and/or transmitting votes,” the study states. “Marking ballots without the use of a connection to the internet is the best way to keep your vote secret.” [Vocativ]  [Wired: America’s Electronic Voting Machines Are Scarily Easy Targets]

E-Mail

WW – Study: Business Email Compromise Costs $3B in Damage Worldwide

A new report from Trend Micro reveals an oft-underreported scam has bilked more than $3 billion from businesses around the world. “Business email compromise” — a method by which adversaries use email to trick employees into wiring company funds — has affected approximately 22,000 organizations, according to the FBI, since the beginning of 2015. Trend Micro tracked more than 2,000 BEC incidents in the U.S. and found that attackers often closely research a given target. An adversary may research a company’s legal settlement and imitate the law firm’s email account, for example. Trend Micro Chief Cybersecurity Officer Ed Cabrera said, “BEC doesn’t fall in line with data breach laws — it’s just a digital con game. And unlike other attacks, it does not cause a loss of operational time.” [The Hill]

Electronic Records

US – Many Hospitals Transmit Your Health Records Unencrypted

Healthcare IT organizations often lack budget and personnel to address security needs. About 32% of hospitals and 52% of non-acute providers — such as outpatient clinics, rehabilitation facilities and physicians’ offices — are not encrypting data in transit, according to a new survey. Additionally, only 61% of acute providers and 48% of non-acute providers are encrypting data at rest. The survey, conducted by the Healthcare Information and Management Systems Society (HIMSS), a Chicago-based trade group for the health information technology sector, also revealed that many of the facilities’ networks don’t even have firewalls. A study by the Brookings Institution predicts that one in four data breaches this year will hit the healthcare industry. [IT World]

Encryption

WW – One Third of Transmitted Health Care Data Left Unencrypted: Study

The Healthcare Information and Management Systems Society’s Cybersecurity Survey found that 35% of hospitals and 52% of non-acute providers do not encrypt their transmitted data. Additionally, 61% of acute providers and 48% of non-acute providers encrypt resting data. The study also found that many health care facilities do not use firewalls. Researchers cautioned that where there is tech, there are opportunities for breaches or ransomware. “Without a program in place, there can be a large time window for hackers to exploit an unpatched system (especially if systems are patched or upgraded on a reactive, ad hoc basis).” “Time is money, including for hackers, and they are likely to go after low-hanging fruit.” [ITWorld] [Computerworld: Many hospitals transmit your health records unencrypted | HIMSS: 2016 HIMSS Cybersecurity Survey ]

EU – German, French Legislators Want EC Help Accessing Encrypted Tech

In the wake of multiple deadly terrorist attacks in their respective countries, German and French officials will petition the European Commission to provide states with the ability to force encrypted technology companies to provide governmental access. “It’s a central issue in the fight against terrorism,” said French Interior minister Bernard Cazeneuve. “The European Commission said it ‘welcomed’ the initiatives between the two countries, but said that data protection laws are already under review,” the report states. [ZDNet]

US – NIST Scientists ‘Nervous’ About Lightweight Crypto for IoT

Federal scientists at the National Institute for Standards and Technology are working on new cryptographic standards for the tiny computers embedded into car engines, lightbulbs and other devices connected to the internet — but the process makes some of them uneasy. The Internet of Things presents a unique challenge for cryptographers: How long should a key be? For instance, the tiny RFID chips embedded in electronic passports have very limited memory. And the standards for connected cars have to enable ultra-low latency — meaning those chips have to be near instantaneous as they encrypt and decrypt information. But as a result, some of the lightweight crypto standards might end up weaker, and thus easier to crack. Keys for use in current NIST-approved encryption standards must be at least 112 bits long. Some have proposed using keys as short as 80 bits in the new lightweight standards. [FedScoop]

Facts & Stats

CA – Trying to Measure the Cost of a Breach

CISOs know that data breaches cost money. One question is how much; another is whether the rest of the organization knows. To answer the first question Deloitte recently issued a white paper with a calculation to show how many costs aren’t being considered by management. In one hypothetical case, as reported by David Wheldon, the damage could be up to US$1.6 billion over five years. That’s right. For a theoretical breach of 2.8 million records from a U.S. private health insurance company the damage could run into 10 figures. [Read the full report here] Not all of the numbers would be applicable to Canada in this particular example. For example, because most Canadians are covered under the government funded health insurance, private insurers here are smaller — and, of course, we have a smaller population. While the dollar values would be smaller, the factors would be the same. So the Deloitte calculation includes an estimated $230 million loss to brand image to the insurer. There’s a lost value of customer relationships at $430 million over three years. These would apply to a retailer or manufacturer. However, there are a lot of other so-called beneath the surface costs the C-suite may not be thinking of today: operational costs, insurance premium increases, and, if necessary, the cost of raising debt to pay for these and other costs. Then there are the expected costs: Notifying potentially-affected customers and partners, paying for customer protection services, hiring forensic investigators, possibly hiring a crisis reaction team for public relations, facing customer/partner lawsuits, paying regulatory fines, loss of intellectual property (perhaps incalculable) and — of course — cyber security improvements including awareness training. [Source]

WW – Study: Breaches Could Cost One-Fifth of Retail Customers

A KPMG survey found that one-fifth of respondents said they would stop shopping with a company after a data breach, regardless of how it handled the data loss post-breach. One-third of those surveyed added that they would avoid shopping there for at least three months after the breach, the report states. Regardless, only 55% of surveyed organizations said they had invested in upgraded cybersecurity in the past year. “Make no mistake, there is a lot at stake here for retailers,” said KPMG’s Mark Larson. “Consumers are clearly demanding that their information be protected and they’re going to let their wallets do the talking.” [FedScoop]

FOI

CA – OIPC AB Upholds Law Enforcement Body’s Refusal to Confirm or Deny Existence of Disciplinary Records

This OIPC AB order addresses the Calgary Police Service’s handling of a request for access to records pursuant to Alberta’s Freedom of Information and Protection of Privacy Act. Confirmation or denial of the existence of a disciplinary record would indicate whether a complaint had been made or proceedings taken against an officer; disclosure of a disciplinary record would be an unreasonable invasion of privacy (it would reveal his/her employment history, and unfairly damage his/her reputation if a complaint did not go to a hearing) – the only exception would be a disciplinary record that arises from a public hearing. [OIPC AB – Order F2016-24 – Calgary Police Service]

CA – NFLD Public Bodies Should Consider Scope and Intention When Applying the Solicitor-Client Privilege Exception

The OIPC Newfoundland and Labrador has provided guidance on the scope of the legal advice exception in section 30 of the Access to Information and Protection of Privacy Act. The scope of solicitor-client privilege must consider the context and rationale for the privilege (e.g. civil litigation, criminal investigations or prosecutions), and whether the client intended that the communication be kept confidential; the privilege will not include documents that are attached, but not otherwise related to obtaining legal advice, and the capacity in which the communications are sent does not determine privilege (context must be assessed for each case). [OIPC NFLD – Section 30 – Legal Advice]

CA – IPC ON Upholds Hospital’s Decision to Withhold Meeting Notes Provided to Legal Counsel by Hospital Staff

The OIPC Ontario reviews a decision by a hospital to deny access to records, pursuant to PHIPA and FIPPA. In anticipation of litigation, staff were asked by a senior hospital staff member to provide their recollections of a meeting with Complainant where the health care of Complainant’s mother was discussed; the purpose of the records was to document the meeting for legal counsel with the intent of obtaining legal advice and preparing for litigation. [IPC Ontario – PHIPA Decision 30 – Mackenzie Health]

Health / Medical

UK – British Government Mulls Plans to Sell Patient Data

The British government is considering a plan to sell patient health data to private organizations. New guidelines state patient data will be collected and stored in a centralized database run by NHS Digital. The decision comes after the British government dropped their care.data plan after two independent reviews criticized the plan over poor consent and a lack of transparency regarding where patient data would be shared. The government is saying data sharing will only be for the patients’ benefit. “We have a strong legal framework to make sure NHS Digital only shares personal information where there is a clear health or care purpose,” a Department of Health spokesperson said. “This means data will only ever be used to deliver real benefits for people and puts beyond any doubt that data can be shared for commercial insurance or other solely commercial purposes.” [Politico]

US – Blockchain in Healthcare Getting a Lot of Attention

When the Office of the National Coordinator of Health Information Technology recently challenged developers and health IT thinkers to come up with uses for blockchain in healthcare, officials were surprised by the vigor of the response. While the blockchain-backed bitcoin cryptocurrency has become a worldwide phenomenon attracting both devotion and criticism, perhaps lesser known is that thinking around blockchain in healthcare is moving past the theoretical stages and is even spurring activity from major companies and venture capitalists. Health IT giant Philips has launched a blockchain-in-healthcare lab and joined a new blockchain-in-healthcare network led by blockchain vendor Gem. And accounting and consulting firm Deloitte has released several bullish reports on blockchain in healthcare and formed partnerships with several blockchain startups. Blockchain is in essence a distributed public ledger linked by what supporters say is a nearly impregnable cryptographic chain. As such, they say, it has the potential to solve health IT’s most intractable problems: lack of interoperability and securing the integrity, completeness and privacy of health records. [Source]

Horror Stories

CA – OPC Finds Dating Website’s Security Measures Were Lacking, Misled Consumers

The lead privacy regulators of Canada and Australia have released the results of their joint investigation into the Ashley Madison data breach. The dating service had inadequate authentication processes for employee remote access, stored encryption keys and passwords as plain, clearly identifiable text on its systems, fabricated the security trust-mark on its homepage, and inappropriately retained personal information after user profiles had been deactivated or deleted; the service must conduct a comprehensive review of its protections, augment its security framework, adequately train staff, and cease indefinite retention of personal information from deactivated and inactive accounts. [OPC Canada – PIPEDA Report of Findings 2016-005 – Joint investigation by the Privacy Commissioner, the Australian Privacy Commissioner and Acting Australian Information Commissioner News Release | Report of Findings | Compliance Agreement | Takeaways for All Organizations] [OAIC.gov.au | The Globe and Mail | OPCC: Ashley Madison investigation finds security measures lacking; fictitious security trustmark was ‘deceptive’]

Identity Issues

AU – Australia’s Government Is Copping Flak for its ‘Digital Identity’ Plans

“Digital Identity is having the ability for the government to trust that you are who you say you are,” is the explanation the Federal Government’s Digital Transformation Office (DTO) gives for the establishment of a singular digital profile that will allow you to access various government services. But trust has to go both ways, and the Australian Privacy Foundation (APF) has expressed “serious concern” about federated identity, stating the process has been “seriously deficient” and conducted “in a context of increasing distrust of government.” The DTO says the global trend of services moving online, and the economic benefits that produces, necessitates an online identity verification process — particularly in cases of sensitive data. The DTO is building both a verification model and a method for logins. The APF’s concerns surround the fact that the Digital Identity project has now been running for over a year, has reached the beta stage, and statements are being made about deployment. “Yet civil society has yet to be engaged,” APF says. “A single meeting has now been held, but materials were withheld until the last moment, and the very few advocates present had limited opportunity to gain clarifications, and virtually none to provide feedback”. The APF says that by its nature the project “harbours enormous threats to individuals, and to society as a whole”, warning the whole thing has “a very high” risk of failure. “This is the latest of many proposals that have come and gone over the last 30 years relating to citizen identifiers, accounts, authenticators and credentials,” the APF says. The APF says overall, there is a “lack of clarity” surrounding the scheme. “Apart from a brief remark to the effect that the scheme could be implemented administratively, i.e. without parliamentary approval or even oversight, no information has been provided about applicable laws, and the impact of laws in such areas as data retention, data breach notification, cybersecurity, disestablishment of the OAIC, and a privacy right of action”. [Gizmodo]

US – FTC’s Ramirez: We’re Expanding Definition of PII

Speaking at the Technology Policy Institute in Aspen, Colorado, FTC Chairwoman Edith Ramirez said consumer control and consent need to remain at the forefront of innovation, despite online privacy issues becoming increasingly complex. “We hear with increasing frequency the claim that technological innovation and big data have rendered certain fundamental tenets of privacy, particularly the idea of consumer consent, outdated and ill-suited for today’s digital world. I disagree,” said Ramirez. The FTC is working to address this issue by broadening the definition of personally identifiable information. “We now regard data as personally identifiable when it can be reasonably linked to a particular person, computer, or device,” Ramirez said. “In many cases, persistent identifiers, such as device identifiers, MAC addresses, static IP addresses, and retail loyalty card numbers meet this test.” [FedScoop]

Internet / WWW

WW – Survey: 51% of IT Execs Believe Public Cloud More Secure

A SADA Systems survey of 210 tech executives found that 51% feel that the public cloud is more secure than their private one, while 58% believe the public cloud is the most cost-efficient and safe data-storage option. In total, 84% of those surveyed said their companies used public clouds. Yet just because cloud “comfort levels” continue to grow doesn’t mean information technology professionals should dial back their vigilance, the report states. “Security still needs to be the front and center concern when you are relying on someone else to manage your data,” the report adds. “The key is that while cloud providers may have all the newest and shiniest security solutions … the cloud customer still needs to take ownership of security.” [ZDNet]

Law Enforcement

CA – Canada’s Police Chiefs Pass Resolution to Obtain Passwords

The Canadian Association of Chiefs of Police passed a resolution requesting legal measures to force people to deliver electronic passwords with a judge’s consent. The police chiefs cite criminals’ increasing use of encryption to hide illegal activities. RCMP Assistant Commissioner Joe Oliver said there is nothing in Canadian law compelling an individual to hand over a password during a law enforcement investigation. “The victims in the digital space are real,” Oliver said. “Canada’s law and policing capabilities must keep pace with the evolution of technology.” OpenMedia spokesman David Christopher called the proposal “wildly disproportionate,” believing handing over a password for a piece of technology such as a laptop would be similar to “handing over the key to your whole personal life.” A Toronto Star op-ed argues Canadian citizens need to protect their privacy rights when considering any proposal involving law enforcement password requests. [The Canadian Press] [The lobbying group Canadian Association of Chiefs of Police is calling for a legal framework requiring Canadians to share electronic passwords during a police investigation]

CA – Police Don’t Want to Talk About How They Spend Surveillance Dollars

Police in Toronto, Ottawa, and the municipalities of Peel and York have received hundreds of thousands of dollars each to pay for the Provincial Electronic Surveillance Equipment Deployment Program (PESEDP). This little-known project is described by police as “funding for the purchase of, or improvements to, equipment used in the investigation of organized crime”, which doesn’t reveal much. Mentions of the program can be found in publicly-available meeting agendas and reports dating back to 2011. A 2016 report detailing the latest payment to the York Regional Police notes that the force has agreements with the Ontario Provincial Police to “share services to intercept personal communications” and “to monitor personal communications,” both expiring in November of 2017. Tamir Israel, staff lawyer at the University of Ottawa’s Canadian Internet Policy and Public Interest Clinic, says that the PESEDP money could be spent in a number of ways. “Police services are investing in a range of new surveillance technologies, from license-plate recognition devices, to facial recognition or IMSI catchers.” As for whether a privacy assessment has been done on the program, a media request made to the federal Office of the Privacy Commissioner was referred to the provincial office, then to MCSCS, which would neither confirm nor deny it. At this point, no one other than the police forces involved knows what kinds of equipment PESEDP is paying for, but some of the surveillance programs operated by police in Ontario and elsewhere in Canada are coming to light. [Source]

Online Privacy

US – EFF Voices Criticisms of Microsoft’s Windows 10 Updates

The Electronic Frontier Foundation voiced its criticisms over Microsoft’s Windows 10 updates, saying the reminders violate user privacy. The EFF also says Microsoft collects an “unprecedented amount of usage data,” including location data, text input, browsing history, and running programs. Microsoft defended its practices, saying the data collected helps make Windows 10 a more customizable experience for the user. The EFF wants to see Microsoft clarify whether opting out of the features is enough to ensure the user’s privacy rights are intact. “Microsoft should come clean with its user community,” said EFF Intake Coordinator Amul Kalia. “The company needs to acknowledge its missteps and offer real, meaningful opt outs to the users who want them, preferably in a single unified screen.” [Digital Trends] [Microsoft forces you to choose between privacy and security, say campaigners]

WW – WhatsApp to Begin Sharing User Data with Facebook

WhatsApp will start sharing user information with Facebook. The messaging app plans to send members’ phone numbers and analytics data to the social network, marking the first time WhatsApp has connected user accounts to Facebook. WhatsApp said neither company would be able to view users’ encrypted messages, and promised not to share phone numbers with advertisers. “Our values and our respect for your privacy continue to guide the decisions we make at WhatsApp,” Co-founder Jan Koum wrote in a blog post explaining the update to the company’s privacy policy. “It’s why we’ve rolled out end-to-end encryption, which means no one can read your messages other than the people you talk to. Not us, not Facebook, nor anyone else.” [The New York Times] [WhatsApp gives users 30 days to opt-out of handing phone number over to Facebook]

UK – UK Data Privacy Regulator to Track WhatsApp’s Data Sharing with Facebook

The UK’s data privacy regulator will monitor how the mobile messaging app WhatsApp shares data with parent business Facebook following an update to its privacy policy. The Information Commissioner’s Office (ICO) aims to ensure that WhatsApp is being transparent about what and how its users’ data are shared, observing that the new policy would likely split opinion among them. Under the new policy, the phone numbers of the more than one billion users of the app will be shared with Facebook, paving the way for more targeted ads and friend recommendations. “Some might consider it’ll give them a better service, others may be concerned by the lack of control. Our role is to pull back the curtain on things like this, ensuring that companies are being transparent with the public about how their personal data is being shared and protecting consumers by making sure the law is being followed,” said Information Commissioner Elizabeth Denham. While the ICO does not have the power to block such a move, any change does need to abide by data protection laws. If it doesn’t and is found to breach the Data Protection Act then it could be fined up to £500,000 by the regulator. [Source]

Other Jurisdictions

NZ – Privacy Commissioner: Children’s Safety Comes Before Privacy Laws

New Zealand Privacy Commissioner John Edwards has officially agreed with the Minister of Social Development’s proposal to update privacy laws so that federal agencies can disclose information about children in danger with both greater ease and less fear about potential enforcement action, the Office of the Privacy Commissioner announced in a statement. “Agencies should not be concerned about breaking privacy laws when it comes to vulnerable children,” Edwards said. “They should already be sharing information and not be waiting for the law reform to take effect.” He added that whatever the proposed legal revisions, government officials should continue to encourage those who know of a child at risk to report that information. [privacy.org]

Privacy (US)

US – FTC Will Host Ransomware Panel Discussions

Next month, the FTC will host three panel discussions on ransomware to help organizations and consumers protect their computers. The event is scheduled for September 7 at 1:00PM ET and will be webcast from the FTC site. [Computerworld: Ransomware attracts FTC attention | FTC: Fall Technology Series: Ransomware]

US – FTC Notice Workshop Agenda Announced

The FTC has released its agenda for its Sept. 15 workshop entitled, “Putting Notices to the Test,” the agency said in a press release. The free event will feature 22 different presentations and remarks by FTC Chairwoman Edith Ramirez and FTC Chief Technologist Lorrie Cranor, among others. The workshop will begin with a presentation of cognitive models and then split into six topic areas: “methods and procedures to evaluate the effectiveness of disclosures; whether and when people notice or pay attention to various types of disclosures; how much people understand or comprehend the information presented in disclosures; disclosures’ impact on consumers’ decision making processes; case studies; and a look at the future of research on disclosures,” the release states. [FTC]

US – Pennsylvania Court Confirms Unlawful Disclosure of Legally Protected Information Constitutes an Injury

The Court reviewed a debt collector’s motion in limine to dismiss an individual’s claim of injury under the Fair Debt Collection Practices Act. An individual received a debt collection letter in the mail that included a barcode next to his name and address, which was visible through the envelope’s glassine window; the Court found the injury was particularized because the individual alleged that his personal identifying information was disclosed, and concrete because the unlawful disclosure of legally protected information is sufficient to demonstrate a concrete harm. [John Daubert v. NRA Group, LLC – 2016 U.S. Dist. LEXIS 105909 – United States District Court for the Middle District of Pennsylvania | Subscription required]

US – EPIC suing FAA for Lack of Privacy in Drone Regulations

The Electronic Privacy Information Center has sued the Federal Aviation Administration for not including privacy regulations in its first formal rules for drone use. “EPIC argues that, since Congress directed the FAA to develop ‘comprehensive’ rules that ‘safely’ integrate drones into U.S. airspace, it’s obligated to consider privacy issues,” the report states. The suit calls for the DC Circuit Court of Appeals to overturn the regulations and compel the FAA to consider privacy protocols. [ZDNet]

Privacy Enhancing Technologies (PETs)

WW – Bitcoin Privacy Tool ‘CoinShuffle’ Sees First Transaction

A type of anonymous bitcoin transaction that privacy enthusiasts have been awaiting for years has finally been tested successfully. Sent on the bitcoin test network earlier this month, the transaction is possibly the first real-world implementation of CoinShuffle, a proposal that first generated excitement in April 2014 for building on existing privacy techniques in a way that doesn’t rely on third parties. Until now, it was just a proof-of-concept, but on 15th August, bitcoin developer Daniel Krawisz sent what he believes is the first transaction utilizing this tool. The big idea behind the technique is that it guards sensitive user information that may otherwise be visible on bitcoin’s public blockchain, but the short-term goal is to incorporate the technique into the bitcoin wallet service Mycelium, which is sponsoring the project. Launched in 2013, Mycelium recently released a roadmap with CoinShuffle scheduled for “phase 5”, or the final step, of its development plan. [Coindesk]

Security

US – Forthcoming NIST Guidelines On Passwords Embrace Emojis

The U.S. National Institute of Standards and Technology is developing guidelines for strong computer passwords. The guidelines recommend increasing password length, using emojis, and allowing users to check whether their potential password is among the most popular, the report states. Furthermore, the guidelines advise against hint questions, SMS verification, and “special character” or knowledge-based authentication hurdles. “Password policies need to evolve as we learn more about how people use and abuse them,” the report states. “NIST’s goal is to get us to protect ourselves reliably without unneeded complexity, because complexity works against security.” [Naked Security]

WW – Study: SMBs Lack Security Training

The Shred-it 2016 Security Tracker survey found security training is lacking in a majority of companies. The study found 78% of small- and medium-sized businesses only conduct security training once a year or less, with 51% of C-suite executives responding with similar results. 28% of organizations state they have never trained their employees on legal compliance requirements and 22% conduct training on an ad hoc basis. “With employees returning to work in the fall, business leaders have a prime opportunity to engage their teams and raise awareness of information security risks,” said Shred-it Global Director Andrew Lenardon. “They can consider taking advantage of this time to launch a comprehensive training program that makes information security best practices a part of all employees’ daily routine and responsibilities.” [Infosecurity Magazine]

Surveillance

UK – Terror Watchdog Backs Bulk Hacking Powers, Calls for Expert Tech Panel

Bulk hacking of equipment at home and abroad by UK spies can be justified, an independent review of proposed terror law has said—even though an operational case for such surveillance is yet to be proven. David Anderson QC confirmed in his 204-page report that mass snooping powers—some of which have been used by MI5, MI6, and GCHQ for years—were vital to help the security services combat terrorism and other serious crime in the UK. He said, in a review of the government’s operational case for bulk powers (PDF), that bulk interception and the scooping up and storing of vast amounts of communications data and bulk personal datasets had, over the years, helped those agencies to avert a wide range of threats. [Ars Technica] [Mixed reaction to Anderson review of bulk surveillance powers] [Review finds ‘proven’ or ‘distinct’ operational case for bulk surveillance powers]

US – Chicago’s ‘Smart City’ Networks Face Law Enforcement Access Questions

Chicago’s Array of Things sensor network approved a new privacy policy, but questions remain surrounding law enforcement requests. Chicago will activate the first wave of sensors, cameras and microphones later this summer, monitoring the city’s environment, as well as pedestrian and vehicular traffic. As for law enforcement requests, Chicago’s Commissioner of the Department of Innovation and Technology Brenna Berman believes law enforcement requests will be low, while saying the requests were not included in the privacy policies, as “a policy is designed to set a general framework around operations. We can’t actually answer what action would be taken under any possible circumstance in the future.” Senior Staff Attorney for the Electronic Frontier Foundation Lee Tien was critical of the omission. “The handling of law enforcement, it seems pretty clear it’s not in there at all and it should be,” Tien said. “So that’s definitely a failure.” [The Chicago Tribune]

US – Privacy and the New Tolling System in Massachusetts

Massachusetts is making the shift to an all-electronic tolling system that will end the need for drivers to stop, or even slow down, to pay tolls. State officials have said the new system will reduce congestion, pollution, accidents at toll plazas, and, hopefully, drivers’ commute times. But concerns have also been raised about the volume of data the technology collects as drivers pass through toll zones, and about how that data is being stored and used. According to a state transportation department spokeswoman, the new all-electronic tolling system captures the following information each time a vehicle passes through a toll zone: date and time, location, lane, vehicle speed, E-ZPass transponder number, photos of the front and rear of the vehicle to capture the license plate number and plate date, a video to capture vehicle axle count. The data is retained indefinitely and used primarily for business purposes, but also for “research purposes” “in the interest of identifying traffic patterns.” The new tolling system also includes a “hot list” feature that can send law enforcement instant alerts when cars with specified license plates or transponders pass under toll gantries. Officials say the feature will only be used to track vehicles in the case of urgent public safety emergencies, such as AMBER Alerts, the notices issued when children are abducted and believed to be in danger. Officials have said vehicle speed data that are collected are used to synchronize the cameras that record each license plate. Officials have pledged that speed data will not be used to ticket drivers. The department has reciprocal agreements to share a limited amount of tolling data with other states so that the department can bill out-of-state vehicle owners who drive on Massachusetts toll roads. Otherwise, the department said it shares tolling data when legally required to do so, including with federal officials, law enforcement agencies, and lawyers representing individuals in divorce and other civil cases who obtain court orders. The department said that, in accordance with state law, it notifies people whose information is sought through subpoenas, allowing them to take legal action to fight the subpoenas. However, exceptions could be made for serious and time-sensitive cases in which law enforcement requests to be able to use the hot list feature, officials said. MassDOT offers special transponders that can be loaded by paying cash so the devices will not be associated with a driver’s name, address, bank account, or credit card. [Boston Globe]

US Government Programs

US – Stolen NSA Tools Take Advantage of Zero-Day Vulnerabilities

Sophisticated “hacking tools” allegedly stolen from an NSA-related server have been leaked online. The thieves have said they plan to sell the tools in a digital auction. The tools bear digital signatures that match those used by the Equation Group, a group that has alleged links to the NSA. The incident highlights the risk of hoarding zero-day vulnerabilities. When intelligence agencies use them to develop tools, those tools could be stolen and make their way into the hands of malicious actors. [eWeek: Hard Facts Scarce in Purported Theft of Hacking Tools from NSA Server | Washington Post: NSA hacking tools were leaked online. Here’s what you need to know. | Wired: The Shadow Brokers Mess is What Happens when the NSA Hoards Zero-days | Ars Technica: Confirmed: hacking tool leak came from “omnipotent” NSA-tied group | Computerworld: Alleged NSA data dump contains hacking tools rarely seen]

Workplace Privacy

UK – Ex-officer Wins Lawsuit After Department’s Illicit Monitoring

A former Met Police officer won her case after suing the department for illicitly monitoring her activities. The Met surveilled former Detective Constable Andrea Brown after she went on vacation with her daughter while on sick leave. The Met Police and the Greater Manchester Police both admitted to violating the Data Protection Act and Brown’s right to privacy before the final ruling. “What is significant is that the judge commented that the senior police officers involved in this case didn’t appear to have any appreciation or understanding of the laws that regulate their conduct in this area, and didn’t acknowledge that they had done anything wrong,” said Brown’s Solicitor Advocate David Gray-Jones. [BBC]

+++

 

06–18 August 2016

Biometrics

WW – Algorithms Can Identify Individuals Trying to Evade Facial Recognition

German researchers published a paper revealing algorithms can be used to identify individuals even if they have obscured their faces. The researchers from the Max Planck Institute call it the “Faceless Recognition System,” which “trains a neural network on a set of photos containing both obscured and visible faces, then uses that knowledge to predict the identity of obscured faces by looking for similarities in the area around a person’s head and body.” Depending on the level of obscurity, the success rate can range from 14.7% to 91.5%. Meanwhile, Facebook users filing a lawsuit against the social media network say the level of damages they received meets the level set in the Spokeo decision. Editor’s Note: The IAPP will be hosting a discussion on biometrics and consumer privacy at the Privacy. Security. Risk. conference from Sept. 13-16, in San Jose, California. [Motherboard]

Canada

CA – OPC Canada Provides Tips Protecting Employee Privacy

The Office of the Privacy Commissioner of Canada has published tips for human resources professionals regarding the protection of employee personal information. HR professionals should ensure the bcc field is used for emails sent to multiple recipients that include sensitive personal information, vet documents to remove personal information before disclosing to third parties, and only share information that is factual, objective and pertinent; HR professionals should be knowledgeable about relevant privacy legislation requirements when handling personal information and advising clients on sensitive personal matters. [OPC Canada – Key Privacy Protection Tips for Federal Human Resources Professionals – Fact Sheets]

CA – Clayton Rules Former Premier Violated Privacy Law

Alberta Privacy Commissioner Jill Clayton said the office of former Premier Alison Redford violated privacy laws when she leaked personal information about former Deputy Premier Thomas Lukaszuk and three other government officials. The information revealed Lukaszuk rang up more than $20,000 in international data roaming charges during a personal trip to Europe in 2012. Clayton said the disclosure of the information goes against the Freedom of Information and Privacy Act. “While it is arguable that the release of information about cellphone charges may have been in the public interest, it was leaked in an uncontrolled manner — nobody’s privacy interests were considered,” Clayton said. [Global News]

CA – NL OIPC Reports 66 Breaches between March and June

The Information and Privacy Commissioner has disclosed 66 breaches within public entities between March and June 2016, an increase from the 51 breaches during 2016’s first quarter. “Most of the private information was released through email or regular mail, and only one was intentional,” the report states. Institutions like Service NL, Central Health and the Newfoundland and Labrador English School District all reported breaches. [CBC News]

CA – Newfoundland OIPC Sees Rise in Access to Information Requests

Newfoundland and Labrador’s new Information and Privacy Commissioner Donovan Molloy has seen a large increase in access to information requests. Molloy said changes to the Access to Information and Protection of Privacy Act have made asking for information far easier, resulting in a large influx of applications. “It’s my understanding that there’s been a substantial increase in the number of requests since 2015,” said Molloy. Since taking over last month, Molloy said the large number of requests has been taxing on his office. “It’s a real struggle right now in terms of volume, keeping up with the number of requests,” said Molloy. “Because of the capacity to store large volumes of information electronically, then the requests are often quite broad as well.” [CBC News]

CA – Lawsuits Filed Against ‘Pokemon Go’, IP Mapping Company

Two separate lawsuits have emerged against companies that use location data. A family in Alberta, Canada, has initiated a class-action lawsuit against the makers of “Pokemon Go” because their house is a “Gym” in the augmented reality game, meaning it’s a destination for players. Homeowner Barbra-Lyn Schaeffer said more than 100 players have wandered onto her property in the past month. A separate lawsuit has been filed by a Kansas, U.S., family against IP mapping company MaxMind. The issue, originally reported on by Fusion’s Kashmir Hill, involves a default GPS setting — which happens to be where the family lives, meaning law enforcement is often called out to the family’s home thinking it’s a place where a crime has been committed. MaxMind has changed the IP location, but not all users have updated their settings, meaning the issue could affect the family for years to come. [Calgary Herald]

E-Government

US – Interior Dept. Needs to Update Logical Access Controls: Report

According to a report from the US Department of the Interior (DOI) Office of the Inspector General (OIG), eight of nine systems OIG tested at the agency did not meet minimum federal standards for logical access controls. The report also found that DOI needs to encrypt mobile devices and to develop “the ability to inspect encrypted traffic for malicious content.” The OIG report acknowledges that “DOI has implemented multifactor authentication to reduce the risk of unauthorized access” to systems. [SC Magazine: Interior Dept. must update access control standards to meet NIST guidelines – report | FCW: IG: Interior needs to tighten computer security | DOIOIG: Inspection of Federal Computer Security at the US Department of the Interior]

US – OIG Finds GSA Access Controls in Good Shape

The Office of Inspector General (OIG) of the US General Services Administration (GSA) found the agency’s “policies and procedures regarding access controls” to be in line with federal standards. Eleven of the GSA’s 18 examined systems use “multifactor authentication for privileged users consistent with government-wide policies.” The seven systems that do not have multifactor authentication use “compensating controls for privileged user access.” [Nextgov: GSA Gets Thumbs Up on Cybersecurity Act Assessment | GSAIG: US General Services Administration Office of Inspector General Cybersecurity Act Assessment]

E-Mail

WW – Google to Warn Users About Potentially Dangerous e-Mail

In a blog post, Google says it will send warnings to users when they receive email messages that could harm their computers. The warning will ask users if they want to open messages that Google deems untrustworthy either because they contain links to sites known to host malware, or because Google cannot authenticate that the sender is who it claims to be. [CNET: Don’t click on that: Google updates email warnings | ZDNet: Google Gmail: Now you’re about to get security alerts about senders to beat email spoofing | Google: Making email safer with new security warnings in Gmail]

EU Developments

WW – ICDPPC Updates Upcoming Morocco Conference

In its latest communique, the International Conference of Data Protection and Privacy Commissioners provides an update to this year’s conference in Marrakech, Morocco. The conference’s closed session will feature discussion on artificial intelligence, robotics and encryption, while the program will also include themes such as “privacy as a driver for sustainable development, security and privacy, digital education, technology and social trends,” New Zealand Privacy Commissioner and ICDPPC Chair John Edwards wrote. The newsletter also features highlights from the executive committee’s meeting in Singapore, a Q&A with Macedonia Director of the Directorate for Personal Data Protection Goran Trajkovski, and an update on the cloud computing resolution that was adopted in 2012. [Full Story]

EU – E-Privacy Directive Draft on September Docket for European Commission

The European Commission will release its E-Privacy Directive update draft in September, which will mandate that apps like Skype and WhatsApp fall under the same privacy regulatory umbrella as SMS text messages and both mobile and landline calls. “It was obvious that there needs to be an adjustment to the reality of today,” said Green MEP Jan Philipp Albrecht. “We see telecoms providers being replaced and those companies who seek to replace them need to be treated in the same way.” He added that the proposed law will take special aim at upholding strong encryption. Critics counter that these laws must be careful not to curb economic innovation, and that re-tailoring older legislation to fit newer technology is “well-nigh impossible,” the report states. [The Guardian]

Facts & Stats

WW – Study: ‘Insider Negligence’ Most Likely Cause of Data Breaches

A Ponemon Institute study revealed “insider negligence” is the most common cause of a data breach. The study polled more than 3,000 employees in the U.S., U.K., France and Germany, and found 76% of their organizations suffered a data breach in the last two years. The respondents said insider negligence results in more breaches than hackers, malicious employees or poor contractor security. The study also found that 87% of those polled said their jobs require access and use of customer data, employee records and financial information, but only 29% said their organizations allow access on a “need-to-know” basis, with 25% monitoring employee email and file activity. [ZDNet]

FOI

CA – OIPC SK Outlines Steps for Responding to Access and FOI Requests

The Office of the Information and Privacy Commissioner in Saskatchewan has provided guidance on granting individuals access to records within public bodies, pursuant to the Freedom of Information and Protection of Privacy Act and the Local Authority Freedom of Information and Protection of Privacy Act. Applicant identity should not be disclosed to anyone without a legitimate need to know; public bodies are not entitled to require applicants to explain the reason for their request (unless to refine or narrow it, to decide whether to waive fees, or because the public body believes the request is frivolous, vexatious, or in bad faith); fee estimates should be proportionate to the work required to respond efficiently and effectively; and notice should be given to third parties any time access is denied due to a third party exemption, or there is an OIPC review. [OIPC SK – Best Practices for Responding to Access Requests]

CA – OIPC NFLD Finds Government Employee Names, Titles and Remuneration Amounts Should Be Disclosed

The Office of the Information and Privacy Commissioner in Newfoundland and Labrador has reviewed a complaint by third parties, regarding the decision of the Newfoundland and Labrador English School District to allow access to records pursuant to the Access to Information and Protection of Privacy Act, 2015. Disclosure is not an unreasonable invasion of privacy if the information is about a public employee’s position, function, or remuneration; the privacy of public employees must be balanced against the public’s right to know how tax dollars are spent, and to release specified information about employees without employee names would undermine the purpose of the Access to Information and Protection of Privacy Act. [OIPC NFLD – Report A-2016-015 – NFLD English School District]

Genetics

US – MIT Scientists Create System Protecting Patient Privacy Within Genomic Databases

MIT’s Computer Science and Artificial Intelligence Laboratory and Indiana University at Bloomington have developed a research database that allows queries from genome-wide association studies while decreasing privacy threats to “almost zero.” The database employs differential privacy techniques to keep vulnerabilities so low. “It does that by adding a little bit of misinformation to the query results it returns,” the report states. “That means that researchers using the system could begin looking for drug targets with slightly inaccurate data. But in most cases, the answers returned by the system will be close enough to be useful.” Decreased privacy risks and increased access cut database wait times down from the months-long queue period, the report adds. [MIT News] [Nature] See also: [Genetic analysis and its privacy pitfalls]

Health / Medical

WW – Some mHealth Apps Aren’t Making Privacy a Priority

A new study finds that health and wellness apps in particular aren’t making privacy policies easily available to users, even though they are collecting sensitive data. A study by the Future of Privacy Forum finds an overall improvement in the mHealth industry, with 76% of apps surveyed having a privacy policy – an 8% increase since the last survey in 2012. Among their findings was a marked difference in transparency between free and paid apps. Some 86% of the free apps have an accessible privacy policy, while only 66% of the paid apps have a policy. Researchers noted that free apps are usually sustained by advertising, and often are required to disclose their tracking practices to comply with that industry’s standards. [mHealthIntelligence]

Horror Stories

WW – IoT Sex Toy Shares Private Data With Manufacturer

Security researchers have revealed that an internet-connected sex toy is sending intimate data back to the manufacturer for “market research.” The We-Vibe 4 Plus can be controlled remotely through a mobile device and is intended to help couples be more intimate when they’re away from each other. However, the researchers demonstrated the device also shares temperature and vibration intensity data with the manufacturer, and can be easily hacked. “As teledildonics come into the mainstream,” their presentation description noted, “human sexual pleasure has become connected with the concerns of privacy and security already familiar to those who previously only wanted to turn on their lights, rather than their lover.” The president of the manufacturer said the data it receives is not granular enough to know how it’s being used. [Newsweek]

Location

EU – Irish Commissioner Releases Guidance on Location Data

The Office of the Data Protection Commissioner today released guidance on location data. “Aimed at both individuals and organizations, our guidance will assist individuals in understanding how much information relating to their location is collected and processed, and provides clarity to organizations on their obligations regarding such data. The overriding principle of the guidance centers on the protection of the individual’s right to data privacy,” the DPC said in a press release. Included in the guidance are tips about smartphone apps and public Wi-Fi networks collecting location data, as well as wearable devices. The guidance is part of an ongoing educational effort on behalf of the DPC. [Full Story]

US – FTC Offers Analysis, Guidance from InMobi Location Tracking Case

In a new FTC blog post, Nithan Sannappa and Lorrie Faith Cranor offer a deep dive into the location privacy issues revealed in the InMobi case. “In this post,” they write, “we explain the mechanism that the commission alleges InMobi used to track users’ location without permission, and discuss technical steps that mobile operating systems have taken to try to address this practice.” In addition to a detailed analysis of how InMobi tracked the location of users, Sannappa and Cranor write, “Given these complexities, all actors in the mobile ecosystem have a role to play in protecting consumer privacy.” Further, app developers should “consider contractual terms or other steps to help ensure that their third party service providers do not circumvent consumers’ privacy choices.” [Full Story]

Offshore

TH – Thai Government Could Require SIM Cards for Tourists

Thailand’s National Broadcasting and Telecommunications Commission could mandate tourists to carry “location-tracking SIM cards.” “It is not to limit tourists’ rights. Instead it is to locate them which will help if there are some tourists who overstay or run away (from police),” said Secretary-General Takorn Tantasith. Details surrounding the potential program are sparse, like the cost of the cards, how location tracking would work on the card, and when the program could start, the report states. [The Nation]

Online Privacy

WW – Facebook Update Overrides Ad Blockers

Ad blockers will no longer work on Facebook thanks to site updates. While ad blockers will continue to work on other sites and Facebook users can tailor their ad preferences on-site, the move will spark more debate about ads, privacy, and the blockers used to prevent them, the report states. Many are frustrated at the erosion of user control. “It takes a dark path against user choice,” said Eyeo G.m.b.H’s Ben Williams. Some feel Facebook’s updates strike a balance. “Many users rely on ad blockers because they are concerned about privacy or malware,” said the Future of Privacy Forum’s Jules Polonetsky. “Facebook’s change lets users continue to use ad blockers to protect themselves, while ensuring ads are displayed.” [The New York Times]

Other Jurisdictions

NZ – Privacy Commissioner Launches Tool for Privacy Questions

New Zealand’s Office of the Privacy Commissioner launched an online service allowing people to ask privacy-related questions whenever they need to. The “Ask Us” tool gives anyone, from individuals to small-business owners to government workers, the chance to access privacy information, according to Privacy Commissioner John Edwards. “We have designed this tool with a 360-degree view of who might find it useful,” said Edwards. “We believe this is a leading model that is available to be shared with other public-sector agencies that are also on the Common Web Platform. People will be able to access information that is relevant to them in a convenient way without having to join a phone queue to a call centre.” [CIO]

Privacy (US)

US – FTC to Host Ransomware Event Sept. 7

The Federal Trade Commission will host a three-panel discussion on ransomware in Washington on Sept. 7 as part of its Fall Technology Series, the agency announced in a press release. FTC Chairwoman Edith Ramirez, FTC Chief Technologist Lorrie Faith Cranor, and representatives from organizations like PhishLabs, Red Canary and the FBI will speak. “In addition to the panel discussions, the FTC’s Office of Technology Research and Investigation and New York University’s computer science department will present research based on a study of dozens of ransomware variants,” the report states. This event is free and public. [FTC]

US – Judge Denies Google’s Request to Dismiss Email Interception Lawsuit

U.S. District Judge Lucy Koh denied Google’s request to dismiss a class-action lawsuit alleging the company illicitly intercepts and scans emails before they reach a user’s inbox. Google claims its process for obtaining emails and scanning their contents for use in targeted advertising is part of its standard operating procedure. Koh disagreed with Google, saying its policy may violate the California Wiretap Act. “Under the plain meaning of the Wiretap Act, the ‘ordinary course of business’ exception protects an electronic communication service provider’s interception of email where there is ‘some nexus between the need to engage in the alleged interception and the [provider’s] ultimate business, that is, the ability to provide the underlying service or good,’” Koh wrote in her ruling. [Courthouse News Service]

US – DOC Releases First List of Privacy Shield-Compliant Companies

Late last week, the International Trade Administration — an arm of the U.S. Department of Commerce — released a list of nearly 40 companies that have been approved under the EU-U.S. Privacy Shield. A DOC spokesman said the list would be updated on a rolling basis, adding, “There are nearly 200 applications currently involved in our rigorous review process.” However, businesses have been slow to join the agreement, mostly due to legal uncertainty in the EU. PwC’s Jay Cline, CIPP/US, said, “we don’t expect a stampede to join it in the next few days, but rather a steadily growing wave over the long run, especially if European companies begin to favor Privacy Shield membership in competitive bids.” [Wall Street Journal] See also: The EU-U.S. Privacy Shield is fully operational, as the U.S. Chamber of Commerce has opened registration for U.S. companies, the European Commission announced in a press release, and [Could privacy trust marks be a better Privacy Shield alternative?]

US – California’s Gang Member Database May Violate Privacy Rights

California’s database of suspected gang members may violate the privacy rights of those within the system. A state auditor report examined the CalGang database, a system that is shared by police agencies across the state and contains information on nearly 150,000 gang members. The system “does not ensure that user agencies collect and maintain criminal intelligence in a manner that preserves individuals’ privacy rights,” wrote auditor Elaine Howle. The report found four court cases where the database was used as proof of an individual’s gang involvement, and three law enforcement agencies using the database for employment or military-related screenings. “These instances emphasize that inclusion in CalGang has the potential to seriously affect an individual’s life,” the report states. “Therefore, each entry must be accurate and appropriate.” [SFGate]

Privacy Enhancing Technologies (PETs)

WW – Enterprise Privacy Tech Solutions Are On the Rise

With a major new privacy regulation on the horizon in Europe, and increased media and regulatory scrutiny of companies’ privacy practices around the world, the job of engendering consumer trust and maintaining privacy compliance is getting seemingly more difficult every day. Of course, employing privacy pros is the obvious first step in ensuring a robust internal privacy regime, but more and more, privacy pros are in need of tools to help them do their jobs. Fortunately, startups and venture capitalists are recognizing this need for better privacy and information management tools. In this post for Privacy Tech, Jedidiah Bracy, CIPP, looks at two startups looking to work further with privacy pros in an effort to provide technological solutions designed directly for the privacy pro. [IAPP] See also: [Op-ed: New tech could be the boon health care privacy needs]

Security

US – Study: 91% of Visual Hacking Attempts Successful

A Ponemon and 3M Company study found the vast majority of visual hacking attempts are successful. The Global Visual Hacking Experiment spanned 157 trials in 46 participating companies across eight countries, including China, France, Germany and the U.K. The study had a white hat visual hacker take information in different ways, including walking through offices for information, taking confidential business documents off desks and placing them into briefcases, or taking a picture of confidential information using a smartphone. The attempts were successful 91% of the time, with 52% of the sensitive information taken from employee computer screens. Hackers were normally not confronted, as 68% of visual hacking attempts resulted in the malicious party not receiving any questioning. [Full Story]

US – Active Response, Behavior Baselining Hot at Black Hat Conference

One of the popular security terms making its way into conversations during the Black Hat conference last week in Las Vegas is behavior baselining, where an organization focuses on understanding its system’s typical behavior in order to identify any deviations. “Most organizations accomplish this by employing people and technologies utilizing data science and machine learning for automated analysis,” the report reads. This is complemented by active response, another term making its way around Black Hat. “Active response is the ability to respond to an attack as soon as it is detected within the organization’s environment. The response could include communication with secondary systems such as a ticketing system, or it could include creating a ticket or collecting additional data.” [TechCrunch]

Surveillance

US – NYC Art Exhibit Examines Privacy in the Surveillance Age

An art exhibit in New York City is focusing on the attempts to stay private in a growing age of surveillance. “Public, Private, Secret” features a wide range of privacy-themed surveillance art from the 1940s to today, a video diary made up of an individual’s private online thoughts, and photos of celebrities. One of the themes of the exhibit is the growing number of people who have access to cameras, allowing more people to engage in visual communication. “The big difference is, it used to be a few people taking images that went out to millions,” said the International Center of Photography’s Executive Director Mark Lubell. “Now it’s millions and millions of people going out to millions and millions of people. I think that’s a seismic shift in the medium, and it’s something we should be looking at and exploring.” [PBS Newshour]

WW – AI Company Develops Drone Risk Analysis Program

An artificial intelligence company is developing a risk analysis program for commercial drones. Flock’s program allows drone operators to safely use their devices by leveraging real-time weather information, locating buildings, and predicting when areas will be filled with people in order to find less congested routes. “We extract actionable insights and predictions from big data by extracting multiple data sources and amassing a wealth of historical data in cities,” said Flock CEO Ed Leon Klinger. “The machine learning element of our technology is what allows us to predict when and where certain areas of cities will become particularly hazardous for drones.” Flock may also be used by insurance companies to help determine the risks of drone flight. [Yahoo!]

US Government Programs

US – Court of Appeals Finds Government’s Warrantless Use of Cell Phone Location Information was Justified

The US Court of Appeals reviewed an appeal by Frank Caraballo for a conviction by the District Court for the District of Vermont for conspiring to distribute drugs, possession of a firearm in furtherance of a drug trafficking crime, and causing the death of an individual. The Court found that emergency circumstances may make the needs of law enforcement so compelling that a warrantless search is objectively reasonable under the Fourth Amendment; the Defendant was reasonably believed to be armed, had recently been identified by the victim as a person who was likely to cause harm, was likely to escape if not quickly apprehended, and posed an imminent threat to law enforcement (undercover police and confidential informants). [US v. Frank Caraballo – 2016 US App. LEXIS 13870 – United States Court of Appeals for the Second Circuit]

US Legislation

US – New Illinois Law Requiring Stricter Rules for Stingray Use

SB 2343, An Act Concerning the Use of Cell Site Simulator Devices, was signed by the Illinois Governor. Before deploying cell site simulators, law enforcement agencies must submit a court application that includes a description of the nature and capabilities of the device to be used, the method of deployment, and procedures to protect the privacy of non-targets; all non-target data must be deleted within 24 hours (if the device is used for location or tracking) or 72 hours (if used for device identification). The Act is effective January 1, 2017. [SB2343 – An Act Concerning the Use of Cell Site Simulator Devices – Illinois General Assembly]

+++

29 July – 05 August 2016

Biometrics

WW – New Snapchat Facial Recognition Patent Could Have Retail Ramifications

Snapchat received a patent for technology to identify the face of specific individuals, then blur or obscure their faces if they have set their privacy settings to do so. The technology would allow Snapchat to surf through the database for anyone who has used the app, and if it finds a match, the app will place “a privacy-protected version of the image, wherein the privacy-protected version of the image has an altered image feature.” However, similar facial recognition technology, the report points out, could be used in a retail setting, where an organization could scan customers to determine their shopping habits and other information through social media and other online outlets. [Computerworld]

WW – Facial Recognition for Monitoring Crowd Reactions?

At each of the recent major political conventions held in the United States last month, Microsoft was on-site as part of an event with POLITICO where it demonstrated its Microsoft Research Division capabilities. One exhibit was titled “Realtime Crowd Insights” and displayed functionality whereby individual faces in a crowd could be singled out and identified by approximate age, emotional state and gender. The report questions whether the technology’s abilities mesh with consent-based privacy policies. “It’s difficult,” said Georgetown professor Alvaro Bedoya, “to envision how companies will obtain consent from people in large crowds or rallies.” [The Intercept]

WW – How Hackers Could Get Inside Your Head With ‘Brain Malware’

Hackers have spyware in your mind. You’re minding your business, playing a game or scrolling through social media, and all the while they’re gathering your most private information direct from your brain signals. Your likes and dislikes. Your political preferences. Your sexuality. Your PIN. It’s a futuristic scenario, but not that futuristic. The idea of securing our thoughts is a real concern with the introduction of brain-computer interfaces—devices that are controlled by brain signals such as EEG, and which are already used in medical scenarios and, increasingly, in non-medical applications such as gaming. Researchers at the University of Washington in Seattle say that we need to act fast to implement a privacy and security framework to prevent our brain signals from being used against us before the technology really takes off. “There’s actually very little time,” said electrical engineer Howard Chizeck over Skype. “If we don’t address this quickly, it’ll be too late.” “Broadly speaking, the problem with brain-computer interfaces is that, with most of the devices these days, when you’re picking up electric signals to control an application… the application is not only getting access to the useful piece of EEG needed to control that app; it’s also getting access to the whole EEG,” explained Bonaci. “And that whole EEG signal contains rich information about us as persons.” And it’s not just stereotypical black hat hackers who could take advantage. “You could see police misusing it, or governments—if you show clear evidence of supporting the opposition or being involved in something deemed illegal,” suggested Chizeck. “This is kind of like a remote lie detector; a thought detector.” [MotherBoard]

Big Data

WW – Privitar receives 3M GBP from Illuminate Financial Management

Big data privacy startup Privitar will receive 3 million GBP in financing from Illuminate Financial Management, with other investments coming from existing investors. Privitar will use the funds to boost its growth both in the U.K., and in Europe for its big data software, designed to let companies publish and share data privately, while meeting regulatory compliance. “Every organisation that collects and analyses data is grappling with the issue of data privacy. They are all potential customers for our privacy-enhancing software solution,” said Privitar CEO Jason du Preez. “That is why we are excited to be partnering with Illuminate Financial with their deep connectivity into one of our target vertical market.” [Finextra]

Canada

CA – Newfoundland & Labrador’s New Information and Privacy Commissioner Speaks Up

In an interview, Newfoundland and Labrador’s newly-appointed Information and Privacy Commissioner Donovan Molloy discusses elements of the role he looks forward to tackling and his goals for the province’s privacy. “At the end of the day, the public is entitled to every piece of information that exists in government, unless it is specifically exempted in the [Privacy] Act,” Molloy said. “The role of this office is to make sure the exemptions and qualifications are properly applied.” He added that he has a particular interest in privacy issues. It’s “one of the areas of law that’s developing very quickly, and will increasingly become more important in our society,” Molloy said. [The Telegram]

CA – BC SC Orders Voyeur to Pay $85,000 In Privacy Damages

The BC Supreme Court ordered $85,000 in damages to be paid to a young woman whose stepfather surreptitiously recorded her while she was undressed in her bathroom and bedroom. The damages finding was driven significantly by the “thoroughly undignified and humiliating actions” of the defendant, the age of the defendant and proof that the defendant’s actions caused a significant psychological disorder that the plaintiff was still recovering from at the time of trial (which was four years after discovering the defendant’s wrong). The judge also noted that the plaintiff was recovering and that the defendant conducted his defence with “appropriate restraint.” In his damages assessment, the judge did not consider evidence that the plaintiff was herself provocative. The Court also ordered damages to be paid for past loss of earning capacity, the cost of medication taken and health care received and the cost of future care. [Source] T.K.L. v. T.M.P., 2016 BCSC 789 (CanLII).

CA – Alberta Commish Issues ‘Landmark’ Trans-Privacy Ruling

In what’s being described as a “landmark” decision for the transgender community, the Office of the Information and Privacy Commissioner of Alberta has decided trans students have the right to protect their birth names from becoming public information. Following repeated incidents where teachers displayed the student’s birth name in front of other students or otherwise discussed the student’s birth gender status in public, the family complained. In the ruling, the adjudicator found the school in breach of the Freedom of Information and Privacy Act for disclosing personal information and failing to make proper security arrangements. The school has already amended practices, but Kris Wells, a professor with the University of Alberta’s Institute for Sexual Minority Studies and Services, called it a “landmark decision” because of the way it will force school boards to re-examine policies across Canada. [GlobalNews] [Trans student at centre of Edmonton school’s privacy breach hopes it doesn’t happen to others]

Consumer

WW – Windows 10 Privacy Concerns May Drive Customers Over to The Mac

A recent survey conducted by OnePoll reveals that two-thirds of the Windows-based population would consider switching to a Mac due to the privacy concerns over Microsoft’s latest platform, Windows 10. The poll arrives just after the French National Data Protection Commission (CNIL) presented Microsoft with examples late last month of how some of Windows 10’s user data collection is unwarranted. France’s reaction is just one of many reports of privacy concerns over Microsoft’s data collection. The OnePoll survey questioned 500 individuals in North America and 500 residents in the UK. It asked one simple question: whether the controversial collection of user data in Windows 10 that’s causing privacy concerns would push them into considering a switch over to Mac. The survey found that 501 individuals said they “might” consider switching, while 141 individuals said they would “definitely” consider the switch. Another 358 individuals said they wouldn’t even consider it. The poll goes on to show that U.K. respondents are more concerned about the Windows 10 data collection than Americans, with 15.2% of the U.K. residents polled saying they would “definitely” consider a switch and 51.8% saying “maybe.” For the Americans, 13% said “definitely” and 48.4% said “maybe.” [Digital Trends]

E-Government

CA – Government of Canada Releases Cloud Adoption Strategy

The Government of Canada recognizes that a strong IT workforce and modern IT infrastructure are the backbone of better service delivery to Canadians. Treasury Board President Scott Brison has taken another step to modernize the Government of Canada’s use of IT by releasing the Cloud Adoption Strategy for public comment. This strategy prioritizes the security and privacy of Canadians while providing departments with new modern and flexible alternatives to make more efficient use of information technology. Using cloud computing services provides the Government with even more options in terms of data storage and running applications. The strategy is designed to allow the Government to select the right cloud solution for its evolving needs. This is the result of consultations with industry and provincial governments over the past two years, and a review of global trends in cloud computing. Feedback on the strategy will be collected until September 30, 2016, and will be used to finalize the Government’s approach. [Press Release] [Government of Canada Cloud Adoption Strategy | Security Control Profile for Cloud | Right Cloud Selection]

CA – General Insurance Council of Manitoba Fines Broker $1,000 For Unauthorized Access to Customer Database

The General Insurance Council of Manitoba investigated whether Basil Galarnyk violated the Insurance Act and the General Insurance Agent Code of Conduct. The broker accessed customer information 42 times without performing any transactions, without customer approval, and for no discernible reason; the broker acted in a manner that showed a lack of trust with regard to consumer privacy, and the rules for use of customer files in conducting business. [Decision of the General Insurance Council of Manitoba respecting Basil Galarnyk]

Electronic Records

US – Prominent Senator Calls for Open Access to Patient Data

U.S. Sen. Elizabeth Warren called recently for greater access to patient data created by drug and medical-device testing. “I appreciate that there are many policy, privacy and practical issues that need to be addressed in order to make data sharing practical and useful for the research community,” Warren said in an editorial in the New England Journal of Medicine, “but the stakes are too high to step back in the face of that challenge.” Counter-arguments did not involve privacy, however, but rather concern about “research parasites” and other intellectual property concerns. As a compromise, the International Committee of Medical Journal Editors has recently proposed that scientists publish research data within six months of publishing results — “stripped of any information that could identify patients.” Meanwhile, eight plaintiffs have sued a pair of anti-abortion activists in federal court to prevent their personal information from being released as part of the University of Washington’s Birth Defects Research Laboratory. [STAT]

EU Developments

WW – Morocco Launches Program for 38th DPAs Conference

This year, the International Conference of Data Protection and Privacy Commissioners will be held for the first time in an Arabic-speaking nation, when commissioners gather in Marrakech, Morocco, Oct. 17 through 20. Sam Pfeifle speaks with Morocco National Commission for the Control and Protection of Personal Data General Secretary Lahoussine Aniss about how this year’s program is designed “to show the world that privacy and data protection is taken seriously in Morocco.” [IAPP] [Program]

FOI

CA – OIPC BC Finds Disclosure of Info Related to Water Quality is in the Public Interest

The OIPC BC reviewed a complaint alleging the Ministry of Environment failed to meet its obligations under the Freedom of Information and Protection of Privacy Act. Disclosure of regulatory actions taken by a ministry body to address water contamination is clearly in the public interest; water quality and management of nitrate application was the subject of debate in the Legislature and media, the issues giving rise to significant harm to the environment, public health or safety are still ongoing, and disclosure of a summary of the information would not allow the public to assure itself that actions undertaken were appropriate. [OIPC BC – Investigation Report F16-02 – Disclosure of Information Quality in Spallumcheen]

Health / Medical

UK – National Data Guardian Finds Healthcare Organisations Are Not Adequately Protecting Personal Data

The UK National Data Guardian reviews current approaches to data security in the National Health Services. Organisations were often confused about which data standard or principle they were to follow, 41% of all breaches reported to the ICO were from the health sector (mostly caused by employees), and there was a lack of clarity in processing responsibilities; recommendations include using appropriate tools to identify vulnerabilities (dormant accounts, default passwords, multiple log-ins from the same account), allowing opt-outs for uses beyond direct care, and stronger sanctions for malicious or intentional breaches. [UK Government – National Data Guardian for Health and Care – Review of Data Consent and Opt-Outs]

US – Federal Healthcare Rule Expands Use and Disclosure of Medicare Data

The Department of Health and Human Services issued a Final Rule to implement requirements under section 105 of the Medicare Access and CHIP Reauthorization Act of 2015, expanding availability of Medicare data; the Rule is effective September 6, 2016. Qualified entities may provide or sell combined or non-public analyses to authorized users provided that analyses are limited to de-identified data, a data use agreement has been executed, and authorized users do not use the data for marketing, harm or fraud; any violations of the terms of a data use agreement can result in an assessment being imposed by the Centers for Medicare & Medicaid Services. [Final Rule – 42 CFR Part 401 – Medicare Program – Expanding Uses of Medicare Data by Qualified Entities]

US – Cancer Database Allows Patients to Share Data Anonymously

Inspired by the Obama administration’s Cancer Moonshot Initiative, two professors joined forces to create CancerBase, a database allowing patients to share personal medical data to further cancer research. Stanford associate professor of bioengineering Jan Liphardt, Ph.D., and University of Southern California professor of medicine and engineering Peter Kuhn, Ph.D., created the database to give patients an opportunity to share their diagnosis and their location without revealing their identities. “So that’s the simple idea: A global map and give patients the tools they need to share their data — if they want to. They can donate information for the greater good. In return, we make a simple promise: When you post data, we’ll anonymize them and make them available to anyone on Earth in one second. We plan to display this information like real-time traffic data. HIPAA doesn’t apply to this direct data sharing,” said Liphardt. [Scopeblog][stanford.edu]

US – Advocate Health Care to Pay Largest HIPAA Settlement for Privacy Violations

Advocate Health Care has agreed to pay the largest HIPAA settlement ever to the Department of Health and Human Services’ Office for Civil Rights. Advocate will pay $5.55 million to settle multiple data protection violations over the last three years. The health system is also penalized for not properly assessing potential risks to its ePHI systems, and for failing to ensure the organization and its business associates had satisfactory protections for their systems. “We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure,” said OCR Director Jocelyn Samuels. [Modern Healthcare]

WW – Pregnancy-Tracking App Exposes Extremely Sensitive Personal Information

Consumer Reports Labs tested Glow, a very popular menstrual cycle/fertility-tracking app, and found that the app’s designers had made a number of fundamental errors in the security and privacy design of the app, which would make it easy for stalkers or griefers to take over the app, change users’ passwords, spy on them, steal their identities, and access extremely intimate data about the millions of women and their partners who use the app. After being alerted to these problems, Glow fixed the app and re-released it. Consumer Reports has verified that the app’s known major problems have been fixed. This is the first cybersecurity audit that Consumer Reports has published, and the beginning of a wider project they’re commencing. [BoingBoing]

Horror Stories

WW – Hacker Dumps More Than 200M Yahoo Accounts On Deep Web

More than 200 million Yahoo accounts were discovered on a deep web marketplace. A hacker known by the name “Peace” dumped the data onto a marketplace called The Real Deal. Peace said the data was “most likely” from 2012, and the passwords were hashed with the MD5 algorithm. Yahoo has not confirmed whether the data is authentic, but is aware of the leak. “We are aware of a claim. We are committed to protecting the security of our users’ information and we take any such claim very seriously,” said a Yahoo representative. “Yahoo works hard to keep our users safe, and we always encourage our users to create strong passwords, or give up passwords altogether by using Yahoo Account Key, and use different passwords for different platforms.” [International Business Times]

US – Banner Health Alerting 3.7M Individuals Following Cyberattack

Banner Health suffered a cyberattack and has started to contact 3.7 million individuals whose information may have been compromised. The breach started on Banner’s credit card payment systems for food and beverage purchases, then expanded to include patient and health plan data. “The patient and health plan information may have included names, birth dates, addresses, physicians’ names, dates of service, claims information, and possibly health insurance information and Social Security numbers,” read an investigation into the breach. Banner’s Vice President of Public Relations Bill Byron said there is no evidence the data has been used in an illicit manner. In related news, retailer Kmart agreed to settle its 2014 data breach lawsuit and will pay $5.2 million to hundreds of credit unions and banks. [Modern Healthcare]

WW – Sheer Number of Devices in Use Enlarges Security Gaps in Healthcare

Hospitals that want to improve network security should carefully assess the hundreds of medical devices they’re using, including fetal monitors, medical imaging devices, electrocardiographs, lasers and gamma cameras, to name a few. Some devices hold a sizable amount of data that can be hacked; others don’t have much data, but can increase network vulnerability. Infusion pumps, for instance, don’t have a lot of data but are a gateway to the network and “have become the poster child for medical device security gone wrong,” says Stephanie Domas, an ethical hacker and lead medical device security engineer at Battelle, a large research and development organization. [Source]

Internet / WWW

WW – Study: Mobile Streaming Represents New Privacy Frontier

In their research paper, “Up, Periscope: Mobile Streaming Video Technologies, Privacy in Public, and the Right to Record,” Lehigh University’s Jeremy Littau and Texas Christian University’s Daxton Stewart examine the privacy implications of live streaming technology. They found that U.S. privacy laws have yet to adapt to the new technology and that the First Amendment likely protects the rights of those streaming, the report states. “In this study, we advocate for less legal restraint of recording and live-streaming public matters or government officials in public places, which clearly deserve First Amendment protection,” Stewart said. “But we also call for wisdom by users and tech companies in controlling the spread of materials that may be more harmful to private individuals.” [Eurekalert] See also: [Amazon plans headphones that know when someone says your name]

Law Enforcement

US – Boston Police Used ‘Stingray’ Cellphone Spying Technology Without Warrants

Boston police never obtained warrants in the 11 instances when they used “Stingray” cell-site simulators, contradicting the commissioner’s claims that officers generally obtain permission from a judge to use the devices. The New England Center for Investigative Reporting (NECIR) reported that it had obtained documents indicating Boston police were using the spying devices without obtaining warrants. While Massachusetts does not have an explicit statute prohibiting the technology, judges will often throw out evidence obtained with Stingrays if their use is deemed to violate the privacy of the defendant. Boston Police Department (BPD) Commissioner William B. Evans said during a February radio interview that officers “normally” obtain a warrant before using the technology. In fact, the department had used Stingrays 11 times since 2009 and never obtained a search warrant for their use in any of those cases. However, BPD spokesman Lieutenant Detective Michael McCarthy told NECIR that there was no contradiction, because all of the situations in which the devices were used were considered to be emergencies. [RT]

US – Body Camera Scorecard Reveals Nationwide Failure to Promote Transparency and Accountability

An updated body camera scorecard highlights a disturbing state of affairs in body camera policy that lawmakers should strongly resist. A majority of the body camera policies examined by Upturn and the Leadership Conference on Civil and Human Rights received the lowest possible score when it came to officer review of footage and citizens alleging misconduct having access to footage, meaning that the departments were either silent on the issues or have policies in place that are contrary to the civil rights principles outlined in the scorecard. Such policies do not promote transparency and accountability and serve as a reminder that body cameras can only play a valuable role in criminal justice reform if they’re governed by the right policies. Upturn and the Leadership Conference on Civil and Human Rights looked at the body camera policies in fifty departments, including all departments in major cities that have either outfitted their officers with body cameras or will do so in the near future. Other departments that were scored include departments that received at least $500,000 in body camera grants from the Department of Justice as well as Baton Rouge Police Department and the Ferguson Police Department. Body cameras can only be tools for increased transparency and accountability in law enforcement with the right policies in place. Unfortunately, Upturn and the Leadership Conference on Civil and Human Rights’ scorecard reveals not only that many departments have poor accountability and transparency policies but also that the Department of Justice does not review these policies as disqualifying when it comes to body camera grants. [CATO] Also See: [Police body cam policies in San Jose and Oakland are flawed, report says | Police body cameras can provide accountability, but also risk, study finds | Harsh Consequences Required for Officers Who Fail to Activate Body Cameras]

Online Privacy

WW – Massive New Study Lifts the Lid on Top Websites’ Tracking Secrets

So, just how tracked are you? Plenty, according to the largest, most detailed measurement of online tracking ever performed: Princeton University’s automated review of the world’s top 1,000,000 sites, as listed by Alexa. To begin, huge numbers of folks are trying to track you: 81,000+ third-party trackers appeared on at least two of the top million sites. However, only 123 trackers showed up on at least 1% of those sites: “The number of third parties that a regular user will encounter on a daily basis is relatively small. [Moreover], all of the top 5 third parties, as well as 12 of the top 20, are Google-owned… Google, Facebook, and Twitter are the only third-party entities present on more than 10% of sites.” The researchers find “a trend towards economic consolidation” – fewer but larger third-party trackers. In their opinion, that’s actually good news for privacy advocates, as these “are large enough entities that their behavior can be regulated by public-relations pressure and the possibility of legal or enforcement actions.” According to the Princeton review, news, arts, and sports sites track the most, which typically provide content for free and “lack an external funding source, [and] are pressured to monetize page views with significantly more advertising.” The sites that track the least “belong to government organizations, universities, and non-profit entities… websites [that] may be able to forgo advertising and tracking due to the presence of funding sources external to the web.” Oh, and adult sites, too. Next, the researchers turned to fingerprinting: techniques for individually identifying anonymous site visitors based on the unique characteristics of their hardware and software. The researchers wanted to know: Is it really being used in the wild? How widely? Which techniques?
The researchers say privacy tools like Ghostery do a nice job of protecting against standard tracking scripts from widely-used third-party trackers. However, they sometimes miss more obscure scripts using these emerging, exotic techniques. Since they’ve open-sourced OpenWPM, anyone can use it. That includes academics: it’s already been part of seven published studies. It also includes site owners who want to know what third-party trackers are doing on their sites. And it especially includes journalists and activists. [Naked Security]

CA – Ontario Defendant in Revenge Porn Case Seeking a Do-Over: Porter

How much is a lifetime of public humiliation worth? Ontario Superior Court Justice David Stinson pegged it at precisely $141,708.03 in January. That’s how much he ruled a young man had to pay his ex-girlfriend for the shame and psychological suffering he’d caused her by posting an intimate video of her on pornhub.com. He called it “college girl pleasures herself for ex boyfriends delight.” The decision set a new path for revenge porn victims. Since 2014, when Parliament passed the revenge porn law, victims can go to police and hope the jerk who put their images online without their permission lands in jail. But with Stinson’s ruling, they could also pursue some civil justice — cash, and a lot of it. He set the bar high, awarding the young victim the maximum damages — enough to pay her lawyer, and cover therapy bills for years of shame, fear, distrust … [Toronto Star]

Other Jurisdictions

EU – US Cloud Services Seeing Major Growth in Europe

U.S. cloud computing business is growing in Europe, despite pressure on European companies to keep sensitive data within the continent. The U.S. growth stems from European companies moving cloud computing needs to outside providers, with American organizations offering lower prices and the ability to rapidly put out new services and upgrades. Four U.S.-based businesses, for example, own 40 percent of the European market share, and more than a dozen new U.S. data centers have been built in Europe over the past couple of years, convincing European businesses U.S. providers can protect their data. “On paper, European companies should be poised to take advantage of this growth. But they are less nimble,” said RBC Capital Markets Senior Analyst Jonathan Atkin. [The Wall Street Journal]

Privacy (US)

US – FTC Issues Warnings to Companies Claiming APEC Privacy Certification

The FTC has issued warning letters to 28 companies claiming to be certified participants in the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules system. This is an important reminder for companies, including Canadian companies, that the use of international certifications is something in which regulators take a keen interest. The FTC did not release the names of the organizations to which it sent letters. This gives the organizations a chance to demonstrate compliance and revise their websites and thereby avoid the reputational damage associated with being publicly cited by the regulator. However, the fact that the FTC publicized the issuance of the warning letters likely indicates that it views the problem of unsubstantiated certifications as an issue which needs to be addressed. [Cyberlex]

US – White House Announces New Drone Initiatives

Following a report on privacy by design in drones, the White House announced it will work on strengthening the integration of the technology by hosting workshops and deploying drones in different scenarios. The White House Office of Science and Technology Policy said the work will build on the Federal Aviation Administration’s drone rules from earlier this year. Reaction to the announcement was mixed: “Today’s announcement is another important step forward in realizing the enormous potential of unmanned aerial systems, and will help speed up our development and adoption of this technology, which still lags behind other countries,” said Sen. Mark Warner, D-Va. However, Sen. Ed Markey, D-Mass., expressed concern: “While I am pleased that the White House continues its efforts to safely integrate drones into our national airspace, when it comes to drone privacy, we are still essentially flying blind. As more drones take flight, voluntary privacy guidelines and best practices are simply not enough.” [Broadcasting & Cable] See also: [FPF, Intel, PrecisionHawk advocate for privacy by design framework in drones] and May 2016 stakeholder-drafted Voluntary Best Practices for UAS Privacy, Transparency, and Accountability. And [New Hampshire town hit with wave of drone complaints]

US – Jimmy Carter Defends Edward Snowden, Says NSA Spying Has Compromised Nation’s Democracy

Former President Jimmy Carter announced support for NSA whistleblower Edward Snowden this week, saying that his uncovering of the agency’s massive surveillance programs had proven “beneficial.” Speaking at a closed-door event in Atlanta covered by German newspaper Der Spiegel, Carter also criticized the NSA’s domestic spying as damaging to the core of the nation’s principles. “America does not have a functioning democracy at this point in time,” Carter said, according to a translation by Inquisitr. No American outlets covered Carter’s speech, given at an Atlantic Bridge meeting, which has reportedly led to some skepticism over Der Spiegel’s quotes. But Carter’s stance would be in line with remarks he’s made on Snowden and the issue of civil liberties in the past. [Huffington Post]

US – Judge Blasts FBI for Bugging Courthouse, Throws Out 200 Hours of Recordings

The FBI violated the Fourth Amendment by recording more than 200 hours of conversation at the entrance to a county courthouse in the Bay Area, a federal judge has ruled. Federal agents planted the concealed microphones around the San Mateo County Courthouse in 2009 and 2010 as part of an investigation into alleged bid-rigging at public auctions for foreclosed homes. In November, lawyers representing five defendants filed a motion arguing that the tactic was unconstitutional, since the Fourth Amendment bans unreasonable searches. “[T]he government utterly failed to justify a warrantless electronic surveillance that recorded private conversations spoken in hushed tones by judges, attorneys, and court staff entering and exiting a courthouse,” US District Judge Charles Breyer wrote in an order published this week. “Even putting aside the sensitive nature of the location here, Defendants have established that they believed their conversations were private and they took reasonable steps to thwart eavesdroppers.” Breyer concluded that the disputed evidence must be suppressed. At a hearing next week, he’ll consider whether the recordings tainted the rest of the prosecution’s case. [Source]

Privacy Enhancing Technologies (PETs)

WW – Energy Monitoring Device Without the Cloud Sharing from MIT

MIT says it has the answer to those concerned with Google Nest’s privacy practices: an energy-monitoring device that measures in-home energy usage without sending data into the cloud. The system uses a wireless, sensor-based approach to energy measuring, the report states. “MIT electrical engineering professor Steven Leeb was particularly impressed with the team’s discovery that energy monitoring can be achieved despite keeping data within the home,” the report adds. “The system only releases ‘small subsets’ of data for cloud processing, which addresses bandwidth and privacy concerns.” If made commercially available, the device would cost an estimated $30 per household. [ZDNet]

RFID / IoT

US – NTIA Announces IoT Security and Education Initiative

The National Telecommunications & Information Administration has announced a new multistakeholder process to help consumers understand the security measures in internet of things devices and ensure security upgrades and patches are appropriately maintained. “The goal of the new multistakeholder process will be to promote transparency in how patches or upgrades to IoT devices and applications are deployed,” said NTIA Deputy Assistant Secretary for Communications and Information Angela Simpson. “Potential outcomes could include a set of common, shared terms or definitions that could be used to standardize descriptions of security upgradability or a set of tools to better communicate security upgradability.” The NTIA is encouraging “broad participation and diverse perspectives” and hopes to have its first meeting in early fall. [NTIA]

Security

WW – Most Healthcare Breaches Can Be Traced to One of Three Factors

Those include losses or thefts of laptops; improper or criminal accessing of credentials to information systems; and unintentional errors, such as sending sensitive information to the wrong person, according to Verizon Enterprise Solutions. [Information Management]

Surveillance

WW – Database Tracks Surveillance Companies Around the World

Privacy International has a new searchable database allowing users to find information on hundreds of surveillance companies around the globe. The Surveillance Industry Index possesses information on more than 520 surveillance companies, while also having information on the technology they have sent to government agencies and telecommunications companies. “State surveillance is one of the most important and polarizing issues of our time, yet the secrecy around it means it’s a debate lacking reliable facts,” said Privacy International Research Officer Edin Omanovic. “Understanding the role of the surveillance industry, and how these technologies are traded and used across the world, is crucial to not only understanding this debate, but also fostering accountability and the development of comprehensive safeguards and effective policy.” [The Verge]

US – Disney Obtains Patent to Track Theme Park Guests Through Their Feet

The U.S. Patent and Trademark Office has issued Walt Disney Co. a patent for a new type of technology: A system that can track theme-park guests through their feet. According to information supplied to the patent agency, sensors and cameras would help identify particular visitors, and the data “can be used to output a customized guest experience” including photographs. Theme parks could also use such a system to mine data about common paths from ride to ride. The company can already track guests at Walt Disney World who use MagicBands, RFID bracelets that function as theme-park tickets, FastPasses, hotel keys and credit cards. Current methods of tracking guests and matching them up “are limited to rather invasive methods, such as retinal and fingerprint identification methods,” the patent information said. “These methods are obtrusive and some guests may not feel comfortable providing this type of biometric information to a third party.” The company says that there are no immediate plans to use such a system. This project is part of Disney’s ongoing innovative research process, the company said, and many projects it explores may never actually end up in the parks. [Orlando Sentinel]

Telecom / TV

US – Comcast Asks FCC to Shoot Down Rules Prohibiting ‘Pay-For-Privacy’ Pricing

Comcast has sent a filing to the Federal Communications Commission requesting the agency to shoot down proposed rules stopping broadband providers from charging higher fees to customers declining behaviorally targeted ads. “A bargained-for exchange of information for service is a perfectly acceptable and widely used model throughout the U.S. economy, including the internet ecosystem, and is consistent with decades of legal precedent and policy goals related to consumer protection and privacy,” Comcast writes. The provider says prohibiting a pay-for-privacy pricing system “would harm consumers by, among other things, depriving them of lower-priced offerings,” while adding the FCC “has no authority to prohibit or limit these types of programs.” [MediaPost]

US Government Programs

US – Appointees named to New Evidence-based Policymaking Commission

All 15 appointees to the Evidence-Based Policymaking Commission have been named. The commission will determine whether the federal government should establish a clearinghouse for program and survey data, what data should be included in the clearinghouse, and which qualified researchers from both the private and public sector could access the data to perform program evaluations and related policy research. The commission will also study how best to ensure confidentiality of data and protect individuals’ privacy. See also: [H.R.1831 – Evidence-Based Policymaking Commission Act of 2016]

US – Student Data Policymaking Recommendations issued

DQC released its policy recommendations for state policymakers in April, and followed that up with district and federal recommendations. Each set of policy recommendations includes student data privacy and directs policymakers to align their policies across federal, state and district levels in four priority areas:

  • Measure What Matters
  • Make Data Use Possible
  • Be Transparent and Earn Trust
  • Guarantee Access and Protect Privacy

US – OMB Releases Updated Circular A-130

The Office of Management and Budget has released an update to Circular A-130, requiring every federal agency to, among other things, appoint a senior agency official for privacy, provide privacy training and conduct Privacy Impact Assessments. Under FISMA all NIST FIPS documents are now required. The 800 series documents are also going to be used by OMB as “best practices” when conducting their audits. Implementing these NIST standards is going to be quite a lot of work for most agencies. [FedScoop] [OMB] [Circular A-130] [Wikipedia on Circular A-130]

+++