10 June – 07 July 2017

Biometrics

CA – Spies, Cops & Border Agents Coordinating on Biometrics

For over a year, Canadian military, intelligence, police, and border agencies have been meeting to develop and coordinate their biometric capabilities, which use biological markers like facial recognition and iris scanning to identify individuals. This initiative—details of which were revealed in documents obtained through an access to information request—shows that the Canadian government is reigniting its focus on biometrics after a similar attempt a decade ago fizzled out. According to these documents, which include emails, meeting agendas, and briefing reports, the meetings are an effort to coordinate the critical mass of biometrics programs that exist across many government agencies, particularly those relating to national security. The Canadian effort is “informal,” spokespeople emphasized, and it hasn’t been promoted by the government except for four tweets from Defence Research and Development Canada (DRDC), the department that spearheaded the initiative. The Canadian Security Intelligence Service, the Royal Canadian Mounted Police, the Canadian Armed Forces, as well as the country’s border and immigration agencies are all participants in the “Government of Canada Biometrics Community of Practice” (CoP), which had its first meeting in March of 2016. RCMP documents showed the force was seeking to upgrade its fingerprint database with biometric facial recognition technology in order to keep pace with US law enforcement. Police documents stated that the force had “no authority” in Canada to use biometrics like facial and iris recognition, however, and the police have no specific plans to implement the technology. [Motherboard]

WW – UN Pushing Biometric-Based Digital ID for Every Person on Earth

At the summit [see here], tech companies like Microsoft and Accenture and humanitarian groups including the World Food Programme and the UN Refugee Agency want to create a digital identification for every person on the planet, one that’s tied to their fingerprints, birth date, medical records, education, travel, bank accounts and more. Accenture demonstrated a working prototype that would provide a person’s information through an app. In the absence of a personal device, that person could still be recognized through fingerprints or iris scans, as long as that information was in the database. It’s a scary thought to put all your personal information — including your medical records and banking information — in a single app, but experts at the summit believe that blockchain technology, a way of using databases to encrypt data that’s also used for bitcoin, can protect users. In 2009, India launched Aadhaar, a digital ID program in which citizens voluntarily enroll name, birth date, gender, address, phone number, email, 10 fingerprints, two eye scans and photo. In exchange, they can use the digital ID to sign documents online, apply for credit and jobs, go to hospitals and exchange money, among other features. While a government official told the Supreme Court in India that Aadhaar was “the most foolproof method that has evolved,” the Centre for Internet and Society discovered that 130 million people had their information leaked from four government websites. [CNET]

WW – Using Mouse Movements, AI Software Accurately Spots Online Lying

A surprising new method for catching out online fraudsters has been uncovered by researchers studying computer mouse movements. Cognitive scientists from Italy have created AI software that can spot when a person is lying thanks to changes in the way they move their onscreen pointer, with 95% accuracy. [See here] The researchers found that fake answers produced a different style of movement to people who were answering truthfully, particularly in these unexpected questions. The researchers said: ‘While truth-tellers respond automatically to unexpected questions, liars have to “build” and verify their responses. This lack of automaticity is reflected in the mouse movements used to record the responses as well as in the number of errors.” [Daily Mail]

Big Data / Analytics

WW – Data Quality, Staffing Issues Still Plague Data Analytics Efforts

A new study [see here and here] by Forbes and Dun & Bradstreet says that the majority of organizations lack tools and investment necessary for analytics usage in business. Indeed, 59% of organizations surveyed for the study reveal they are not using predictive models or advanced analytics. The study surveyed more than 300 senior executives in North America, Britain, and Ireland for the report. Its findings reveal that if analytics efforts are to provide the expected return on investment, corporate leadership needs to invest in the people, processes and technologies that empower decision support and automation. A general lack of skills is also hampering the success of many firms when dealing with analytics, as 27% cited skills gaps as a road block to their data and analytics efforts. Illustrating this lack of skills in-house, 55% of those surveyed reported that third-party analytics partners produced better work than analytics work done internally. [Information Management]

Canada

CA – OPC Recommends Amending Bill C-23 to Ensure Border Privacy Rights

The Office of the Privacy Commissioner of Canada sent letters to the Standing Committee on Public Safety and National Security regarding Bill C-23, An Act respecting the preclearance of persons and goods in Canada and the United States. The Bill should place border searches of electronic devices on the same footing as searches of persons (e.g., pat-down, strip and body cavity searches) which require reasonable grounds to search; electronic devices should not be considered as mere goods subject to border searches without legal grounds. [OPC Canada – Follow-up Letter to the Standing Committee on Public Safety and National Security Regarding Bill C-23, An Act respecting the preclearance of persons and goods in Canada and the United States | First Letter | CP via National News Watch: National Security Bill Aims at Some Border Agency Oversight]

CA – OPCC Investigation & Clarifying Border Search Rights for Lawyers

The recent launch of an investigation by the Office of the Privacy Commissioner of Canada into the Canadian Border Services Agency’s practices [see here and here and here] will help clarify how far mobile device inspections can go at the border, says Shaun Brown, a partner at nNovation LLP. He hopes the investigation will provide guidance to Canadians, including lawyers, about what their rights are during searches. Lawyers who practise in the area expect the matter to end up before a judge in the near future. Regardless of the country in which he’s pulled over, David Fraser the Halifax-based privacy lawyer, says he will explain to the authorities that he simply can’t unlock his devices or provide any passwords because of the possibility that they contain solicitor-client privileged information. “Solicitor-client privilege has been held sacrosanct, with only a couple of exceptions. Those are extremely narrow, and none of them are impacted at the border,” Fraser says. In any case, “it’s not the lawyer’s privilege to waive; it’s the client’s. In my view, that trumps virtually any other right of access to that sort of information,” he adds. BC Law Society president Herman Van Ommen remains concerned by the situation. In a letter [see here and here] to the federal ministers of justice and public safety, he claimed demands for passwords to devices that could be expected to contain privileged information would violate Canada’s Customs Act. Arguing that a lawyer’s electronic device constitutes a “law office” for the purposes of a search, Van Ommen suggested a simple solution: “We therefore seek your assurance that border service agents will not seek to obtain passwords from lawyers to their electronic devices when crossing the border into Canada. If such a request is made and a lawyer refuses it, we seek your assurance that border agents will not confiscate the electronic device or otherwise detain the lawyer. By refusing access to the password, the lawyer is only discharging his or her professional obligations as required by the various codes of professional conduct across the country.” [Law Times See also: The BC Civil Liberties Association issued a report outlining its proposals for civilian oversight and review of the agency. [See BCCLU PR here & 56 pg PDF here]

CA – Trudeau Government Peels Back Bill C-51 — Mostly

Bill C-59 [see here] was tabled by Public Safety Minister Ralph Goodale, and makes wide-ranging changes to Canada’s national security framework — adding significant and expansive new oversight for intelligence collection and surveillance; putting new limits on government surveillance; and codifying the powers of Canada’s signals intelligence service. The most significant change to the bill will create new powers that will allow the Canadian Security Intelligence Service (CSIS) to analyze and exploit datasets with information obtained on Canadians and foreign citizens. The new law will give clear directions for how CSIS can use advanced technology to analyze data, without worrying so much about the courts. Under this law CSIS has the authority to analyze and decrypt intelligence they’ve obtained through a warrant or collected from open sources — which could include “phonebook” information, but also social media profiles and information available online. This regime is subject to approval from within CSIS, by an independent intelligence commissioner, and by the courts. This new power is likely a boon for the Operational Data Analysis Centre [see here], which can pour through huge sums of intelligence to try and establish links or connections. While CSIS will have some updated powers to process its raw intelligence, much of C-59 will actually walk back powers given to it under C-51, introduced by the previous Harper government — which has become a scourge amongst privacy advocates and lawyers. Here’s what the bill does to the powers laid out in C-51. [vice.com]

CA – A Report Card on the National Security Bill

Bill C-59 [see companion Charter Statement here] is the government’s massive reform of Canada’s national security law. It is the biggest reform in this area since 1984, and the creation of the Canadian Security Intelligence Service (CSIS). It is a big deal: 150 pages. We have been pouring through it, contrasting its features against the views we expressed in our 2015 book, False Security, which addressed the Stephen Harper government’s controversial Bill C-51[see here & here]. We have not finished reviewing it yet, but we want to make observations and raise questions and issues in the hope of galvanizing discussion and commentary. Where we misstate, overstate or err, we appreciate feedback. So, this is a mid-term assessment, not the final grade. Our key takeaway based on close second and third readings of C-59 is there is much to like. There are, however, a few bugs in C-59, but they appear to be bugs, not features. Hopefully they can be corrected. There are also some omissions – new roles for special advocates, for instance, and intelligence to evidence. And the information-sharing law will rightly remain controversial. Not everyone will agree with the tradeoffs and compromises in the Bill. [Policy Options | [VICE News: Everything We Could Find Out About CSIS’s Secret Spy Database]

CA – Supreme Court of Canada Clears Way for Facebook Class Action to Be Heard in B.C.

Facebook Inc. must defend against a class action lawsuit that it violated user privacy in B.C. court, not California, despite laying the groundwork for handling litigation in its home state in its user agreement. That’s effectively what the Supreme Court of Canada ruled on Friday in a 4-3 decision in favour of Deborah Douez in her legal fight against the social network.[See here & here] Doeuz originally took action against Facebook regarding a breach of the B.C. Privacy Act, saying that Facebook’s use of her name and likeness in a “Sponsored Story” ad was done without her consent. Whether there was a violation of privacy or not hasn’t been considered by a court yet. Facebook’s Terms of Use includes a forum selection clause (also called a “choice of law” clause) that requires all disputes against it be filed in California courts only. Douez and her lawyers argued against that, saying the Privacy Act requires that the B.C. Supreme Court must hear court cases related to the provincial Privacy Act. [IT World Canada]

CA – Importing EU-Style RTBF Criteria into Canada Would Likely Prove Unconstitutional: Opinion

An analysis of whether the right to be forgotten (RTBF) would be legal in Canada. Canadian courts would likely find that the RTBF infringes on the right to freedom of expression; private corporations should not have to enforce the RTBF (they have an incentive to grant requests to reduce costs and avoid fines), the right would extend to personal information that is not intrinsically private (e.g. public activities), and authors, webmasters and members of the public would have no way to intervene to show that information requested for delisting is adequate and relevant. [Droit à l’oubli: Canadian Perspective on the Global ‘Right to be Forgotten’ Debate – Eloise Gratton and Jules Polonetsky]

CA – Landmark Legal Case: Canadian Precedent has International Implications

The case against Facebook was brought by Deborah Douez of British Columbia. She had clicked “like” on Facebook to a particular service, and then found that without her knowledge or permission, Facebook was distributing her “like” to all her Facebook friends implying that she endorses that company. She later tried to sue Facebook in British Columbia for violating her privacy. Facebook challenged and the case made it the provincial Supreme Court where it was accepted as a ‘class action’ lawsuit. Initially won by Douez, Facebook appealed and won its argument on the basis of its “forum selection/choice of law” clause stated in its terms of use policy. Facebook head office is in California, and the “forum” clause says any lawsuits against it would have to be filed in the jurisdiction of California under California law (its “forum”) and so the suit could not be heard in British Columbia. This “forum selection clause” was then appealed to the Supreme Court of Canada which ruled [see here] in a split decision that in fact Facebook’s ‘forum selection clause” in its terms of use was unenforceable and that the case against Facebook could indeed proceed in Canada, in this case British Columbia. Professor Jeremy De Beer, a professor of law at the Centre for Law Technology and Society (CLTS) at the University of Ottawa and a member of the team which appeared as intervenors in the case at the Supreme Court of Canada, says this is a landmark and major judgement which could affect all multi-nationals, in that the same reasoning in this case could apply to all manner of other companies selling or providing services to Canadians. Professor De Beer notes that there may well be implications not just for online sites, but that this ruling potentially also may be used for international offline companies. Additionally, the SCC ruling may be studied and used by other international jurisdictions in decisions in those countries. [RCI.net]

CA – Manitoba Ombudsman’s Comments for FIPPA and PHIA Review

Manitoba’s ombudsman is recommending improved public access to government information, including provincial cabinet documents. [see here] Charlene Paquin said consideration should be given to whether it is in the public’s interest for some government information now routinely kept under wraps to be disclosed. Earlier this year, the Manitoba government led by Premier Brian Pallister launched a formal review of both the Freedom of Information and Protection of Privacy Act (FIPPA) and the Personal Health Information Act (PHIA). Neither have been reviewed since 2004. Paquin further recommended any cabinet document be released within a period of 15 years, as opposed to the current 20 years. She also proposed, under FIPPA and PHIA, the ombudsman be called the “information and privacy commissioner,” as it is in other provinces, to better reflect the office’s role in these areas. (The job would retain the ombudsman title in its oversight role in the delivery of other public services.) PHIA should be amended to make it mandatory for health bodies to notify individuals of a privacy breach that may result “in a real risk of significant harm,” Paquin said. Paquin said her office is not so concerned about minor breaches, such as a fax or email being sent to the wrong person. “We don’t feel that we need those to always to be reported to us unless they have significant risk of harm” [Winnipeg Free Press]

CA – NS OIPC Report, Access & Privacy Law ‘No Longer Up to Task’

Commissioner Catherine Tully released her annual report. [See 2 pg pdf PR here, 40 pg pdf Report here & 90 pg pdf Companion Report here] It shows the result of a failure by successive governments to follow recommendations from Tully and her predecessors: A system no longer in step with modern society and not doing enough to work in the interest of the public. Tully notes the Freedom of Information and Protection of Privacy Act has not been significantly updated since it was introduced in 1993. Given the advancements in the way personal information is collected, stored and used, Tully says that’s a problem. “Nova Scotia’s privacy laws lack virtually all of the essential modern privacy protections found in other Canadian jurisdictions,” she writes. “Without fundamental privacy protections, databases of citizen information are not adequately protected for the 21st century.” [CBC News]

CA – NS OIPC Calls for Mandatory Breach Notification

Nova Scotia privacy czar calls for mandatory breach notification. It was one of 34 recommendations Catherine Tully made in her annual report to update the provincial Freedom of Information and Protection of Privacy Act (FIOPOPA). The breach notification requirements would essentially mirror the upcoming changes to the federal Personal Information Protection and Electronic Documents Act (PIPEDA) the covering federally-regulated organizations. [See here] Nova Scotia organizations would be required to keep of a record of all data breaches with specified details available to the provincial commissioner upon request, Tully said. She also recommended the breach notification to potential victims should include details about the cause of the breach, a list of the type of data lost or stolen, an explanation of the risks of harm affected individuals may experience as a result of the breach, and information about the right to complain to the provincial commissioner. Finally, she said the province should authorize the commissioner be able to order notification to an individual affected by a breach. See also: Gowlings: Overview of Data Breach Reporting Obligations, Class Actions and Breach Management in Canada]

CA – SK OIPC Tables Annual Report

In his annual report [see here], commissioner Ron Kruzeniski outlines nine areas of concern, including security breaches from inside workplaces, hacking from outside, as well as how government employees store emails and use smartphones. Kruzeniski said one employee conduct that is worrisome is when a worker clicks on an attachment or a link in an email that could let in a hacker. “I have no doubt that we will have to spend a lot more time and energy collectively as a society protecting ourselves against this,” he said. Kruzeniski said he doesn’t think the risk can be eliminated, but it must be reduced. Kruzeniski also raised concerns about privacy breaches on mobile devices. [CP via Metro Toronto]

CA – SK OIPC Report Critical of Premier Wall’s Private Email Server

Saskatchewan’s opposition NDP is renewing calls for an investigation into Premier Brad Wall’s use of a private email server. A new report [see here] from Saskatchewan’s Information and Privacy Commissioner Ron Kruzeniski encourages government leaders to use government email systems provided by the Ministry of Central Services. Wall’s use of private emails came to the fore in May, when the NDP requested documents relating to a 2016 trip he had taken to Texas. The premier’s office responded to the access to information request by releasing a portion, but not all, of the documentation requested. The IPC wrote “Questions about security and records management arise if and when government leaders or employees use non-government email accounts to do government-related activities.” The Interim NDP leader says the report, “really exposes the premier for hiding this from Saskatchewan people, and of course it also exposes the fact they were hiding the domain name, hiding the fact they were using this private political server housed at their party office. The question is why are they hiding that? Why are they housing this information inappropriately over at their party office?” He is renewing calls he made in May to have the matter of Wall’s private email use fully investigated by Kruzenski’s office. [LeaderPost]

CA – OIPC SK May Compel Production of Privileged Documents in Certain Circumstances: Court

The Court considered an application by the OIPC SK to compel the University of Saskatchewan to disclose records sought by the OIPC SK pursuant to The Local Authority Freedom of Information and Protection of Privacy Act. The OIPC is not required under the municipal FOI law to demand such production, but if a detailed affidavit is insufficient to determine whether the statutory privilege exemption from disclosure applies, the OIPC may demand the actual document for examination (but it cannot release them to an applicant seeking review); the Court rejected the argument that an applicant should be required to appeal to a Court to review the documents. [OIPC SK v. The University of Saskatchewan – 2017 SKQB 140 – Queen’s Bench for Saskatchewan]

CA – Manitoba Whistleblower Sues Health Authority and Lawyers

A whistleblower who sounded the alarm about financial mismanagement, nepotism and fraud at a West St. Paul personal care home is suing the Winnipeg Regional Health Authority and three lawyers after the person’s identity was allegedly revealed in court documents. The whistleblower, known as “Jean Doe” in a statement of claim filed in Manitoba’s Court of Queen’s Bench, is suing for an undisclosed amount of money for mental distress, psychiatric illness, depression, embarrassment and fear for their safety. Doe is a former employee of the Middlechurch Home of Winnipeg, located just north of Winnipeg in West St. Paul. The lawsuit alleges the WRHA’s lawyers failed to expunge information from documents that identified the whistleblower and that Rod Roy, a lawyer for Laurie Kuivenhoven, the home’s then executive director, didn’t take measures to protect Doe’s privacy. It also alleges Roy intentionally intruded on the whistleblower’s privacy in a way that would be “highly offensive to a reasonable person,” by reading the 2015 affidavit documents. [CBC]

CA – PEI Health Information Act Goes Live July 1

The P.E.I. government is hoping to strengthen protection from unauthorized “snooping” into private healthcare information records with new legislation coming into effect on July 1. Karen Rose, P.E.I.’s Information and Privacy Commissioner, said on CBC News: Compass that the “Health Information Act” will encourage people to provide all of their relevant personal health information on the grounds that it remains private. Otherwise, the concern is that people may be reluctant to provide full health information. Rose said the legislation helps protect private healthcare information by giving organizations and providers a unified set of rules to follow to help prevent breaches. She added that the legislation requires that breaches must be reported to the individual whose record was breached as well as the Office of the Information and Privacy Commissioner. [See HIA guide here] [CBC News]

CA – Health PEI Denies Privacy Commissioner Access to Report, Heads to Court

Health PEI wants to take the Island’s information and privacy commissioner to court to settle a dispute over an internal report which the government agency is refusing to let the commissioner see. Commissioner Karen Rose issued an order in April, insisting Health PEI hand her the report on the basis that she “has the power to compel the public body to produce the record at issue.” In response, Health PEI filed an application for a judicial review in P.E.I. Supreme Court, arguing the commissioner “does not have the jurisdiction or authority to inspect or review” the specific information she’s ordered the agency produce. [CBC]

CA – YK Missing Persons Law to Give Cops Access to Personal Info

The Yukon government is proposing new legislation that would allow police to access the personal information of missing persons. That could include things such as cell phone records, text messages, and health information. Right now, police in Yukon are limited in what they can do in a search for a missing person, unless there is evidence of criminal activity. The new legislation would allow police access to personal information “while still protecting a person’s right to privacy,” the release [see here] states. Several provinces already have similar missing persons legislation, including B.C., Alberta, Saskatchewan, Manitoba, Newfoundland and Labrador, and Nova Scotia. The legislation would also provide safeguards for organizations and businesses that may be required to release clients’ records or information to police. The government is accepting comments and completed surveys [see here] on the proposed legislation until September 11. [CBC News]

CA – BC IPC Updates Guidance on Social Media Background Checks

To assist employers, the Office of the Information & Privacy Commissioner for British Columbia recently published an updated guideline, Conducting Social Media Background Checks (“Updated Guideline”). When a private sector company conducts social media background checks, the use, disclosure, and collection of personal information is governed by the Personal Information Protection Act; whereas, public bodies are governed by the Freedom of Information and Protection of Privacy Act. This article focuses on the requirements for private sector companies. The Updated Guideline outlines the risks employers need to consider when conducting social media background checks, including: 1) Inaccuracy; 2) Collecting irrelevant and/or too much information; and 3) Over-reliance on consent. To minimize the risk of breaching an individual’s privacy when conducting social media background checks, the Updated Guideline reminds employers that any information collected about individuals is personal information and is subject to privacy laws. The Updated Guideline also recommends that companies conduct a privacy impact assessment of the risks associated with using social media in background checks. [Borden Ladner Gervais News & Publications]

CA – Saskatoon Gets 2 More ALPRs, Cops Promise No Info Sharing

The number of automatic licence plate readers being used to scan vehicles in Saskatoon will double when the Saskatoon Police Service buys two new devices in August. Police say no personal information collected by the readers will be shared with other police services. The devices have been controversial in other parts of North America due to privacy concerns. The readers, known as ALPRs, use infra-red technology to scan plates as police travel around the city. Officers are alerted if a plate is linked to a person wanted by police, a stolen or unregistered vehicle, or a suspended driver. The storage of information collected by ALPRs has raised privacy concerns that the devices could be used for other purposes, such as tracking a person’s location over time. In B.C., police changed their procedures after the province’s privacy commissioner raised concerns about how long “non-hit” data was being stored on RCMP computers. [see here] Saskatoon police said information collected by its scanners is kept for 40 days, and plates that register as a hit would be kept for 90 days. Sharon Polsky, the president of the Privacy and Access Council of Canada, raised concerns that information collected by police could be shared with other organizations and kept indefinitely. The police service said the same standards apply to an ALPR hit as any other standard traffic stop, adding that the Supreme Court of Canada allows officers to stop drivers to check for vehicle registration, driver impairment and vehicle safety equipment. [CBC News]

CA – NL Investigation Launched After Government Posts Employee IDs, RNC Officers in Sunshine List Screw-Up

Newfoundland and Labrador’s justice minister says an investigation is underway, after the release of the province’s first Sunshine List, when the government posted information officials had warned could put Royal Newfoundland Constabulary officers in danger. The so-called Sunshine List includes the names, job titles and pay information of public servants making more than $100,000. Government had agreed to a request from the Royal Newfoundland Constabulary Association (RNCA) to leave the names of officers off the list, but those names were included in public spreadsheets Friday. The information also included some employees whose salaries aren’t covered under the disclosure rules. For example, employees of the legislature aren’t supposed to be part of the Sunshine List, but their full information was also included. “It certainly has the appearance of a breach,” said Donovan Molloy, the province’s information and privacy commissioner. Molloy said the department had an obligation to review data before it’s sent out to ensure personal information like employee ID numbers aren’t included. He said an investigation would need to look at what the potential misuse of this information could mean. However, he said it’s much less serious than if the file had contained social insurance numbers. [CBC] [CBC: NL Sunshine List of Civil Service Salaries Goes Live Friday News | Telegram: Province releases sunshine list]

CA – Canada’s Political Parties, Media Vulnerable to Foreign Hacks: Spy Agency

The Communications Security Establishment said it expects multiple groups will “deploy cyber capabilities” in order to influence the outcome of the next federal election. CSE’s assessment is largely an outline of the different types of “cyber threats” to Canada’s electoral process. The good news is Canada’s low-tech, largely paper-based electoral system appears to be largely safe from the kind of hacks seen in other countries. Ballots are paper, voter lists at polling stations are paper-based, and CSE officials say the elections agency has strong cyber defences in place. The bad news is that politicians, political parties, and traditional and social media are much more vulnerable to hacking and influence operations. And it will be up to politicians and media — not CSE — to guard against them. According to the agency’s report, malicious actors can use “bots” to hijack political discussions online — basically millions of fake Twitter or Facebook accounts broadcasting “false or defamatory information” against a candidate or party. Canadian parties’ voter databases — huge stores of information on individual Canadian voters, not subject to federal privacy or information security rules — are also vulnerable to theft or manipulation, according to the report. [The Star]

CA – Conservative MP Says Constituency Office Computers Were Hacked

Conservative MP and former party leadership candidate Deepak Obhrai says the computers at his constituency office in Calgary fell victim to a virus. The apparent hack comes just two days after worldwide ransomware attacks disabled government, airline and banking networks, with Ukraine hit especially hard earlier in the week. There is no evidence that the virus affecting Obhrai’s office is part of that wider series of attacks, however. The incident in Calgary also comes about a week after Canada’s Communications Security Establishment (CSE), which monitors online threats against the government, launched a series of training sessions for all federal parties to help them better defend against cyberattacks. [GlobalNews]

CA – PMO Says It Can’t Reveal Staff Salaries Due to Privacy Issues

The Liberal government says it would violate privacy law to reveal the salary details of top aides to Prime Minister Justin Trudeau who are earning at least $150,000 annually. A spokesman for the Privy Council Office said that fewer than 10 PMO staff earn more than 150,000 but refused to name them or even provide an exact number. “We are unable to provide additional information due to privacy considerations,” said PCO spokesman Paul Duchesne. CTV News obtained a list of exempt staff working in the Trudeau’s office and their salary ranges, in a heavily-redacted document that excludes all the names and also blanks out the salary ranges for those in the $150,000 to $350,000 ranges. The salary ranges for Trudeau’s top aides — Chief of Staff Katie Telford and Principal Secretary Gerald Butts — are not provided. The lack of disclosure from the country’s top elected office contrasts with other jurisdictions, where salary information about senior officials is automatically disclosed. [CTV News]

CA – AB OIPC Says Thousands in Province Targeted by Hackers Annually

The growing number of breach notification decisions released by Alberta’s Office of the Information and Privacy Commissioner (OIPC) have shown an increasing trend of online hacks, phishing and so-called social engineering ploys that compromise the personal data of hundreds of thousands of Albertans every year. Jill Clayton, Alberta’s privacy commissioner says online data breaches are becoming a major focus of her office. Clayton said there’s been solid buy-in from the private sector on self-reporting breaches, with about 30% reporting them even if there doesn’t appear to be any real risk of harm based on stolen data. The rise in online breaches has meant a reciprocal increase in the number of files handed by OIPC, Clayton said. In 2016-17, her office saw a 70% increase in files compared to just five years ago. And those trends aren’t likely to reverse, Clayton added. [Calgary Herald]

CA – Alberta Police Draft Policy on Naming Victims Now with OIPC

A draft report from the Alberta Association of Chiefs of Police on standardizing the policy on naming homicide victims is now with the Office of the Privacy Commissioner. It’s the result of work done by the police chiefs and the lawyers from their organizations over the last couple of months after some inconsistencies were discovered around the province. EPS Chief Rod Knecht said in an interview “There clearly was differences in the way we were applying the release of homicide victims’ names across the province. We landed on some consensus. We developed a policy around that consensus. That has now gone to the privacy commissioner which is probably the best place for it to go. They’ll come back and say, ‘this is a policy, this is a good policy, this is how the policy should be interpreted and this is how all police across Alberta should be doing this. If you back up the bus a little bit I think our interpretation was a good interpretation, but let’s see what the privacy commissioner comes back with.” [Global News]

CA – Regina, Saskatoon Transit Have Provided Police with Transit Card Information in Investigations

Transit systems in Regina and Saskatoon say they have shared transit card information with police to help with an investigation. Saskatoon Transit said it hands over generic card information to police about five times a year, often to confirm whether or not a person was using the bus at a specific time. In Regina, spokesperson Nathan Luhning said police have asked for information once, in relation to a missing persons case. Luhning said police are often more interested in video recorded from the bus, which also requires a Freedom of Information request. [CBC]

CA – ON OIPC 2016 Annual Report Pushes Public-Sector Big Data Law

In his 2016 Annual Report, Facing Challenges Together, Ontario’s Information and Privacy Commissioner, Brian Beamish, is calling for a number of legislative changes to enhance both access to information and protection of privacy in Ontario. One proposal is for the government to enact legislation that would allow public institutions to share personal information for policy and research purposes while protecting individual privacy by establishing a strong, government-wide framework for big data programs. Ontario IPC Brian Beamish said “We now live in the era of big data, where information technology holds the promise of creating a more efficient and responsive public service. However, we must not overlook the risks to privacy in pursuit of the benefits. It is possible to use big data in a privacy-protective manner but it will require fundamental changes to privacy legislation, involving government, citizens, and regulators.” This recommendation is one of several tabled by the Commissioner in his 2016 annual report. Further recommendations include: 1) Clarify Solicitor-Client Privilege Exemption; 2) Framework for Electronic Health Records; 3) Increased Transparency of Ontario’s Medical System; 4) Ensure the Security of Abandoned Health Records; 5) Public Disclosure of Health Privacy Breach Prosecutions; and 6) Routine Audits of Freedom of Information Practices. [Information and Privacy Commissioner of Ontario]

CA – ON OIPC Calls for Transparency in Assisted Dying

In his annual report [see here] last week, privacy commissioner Brian Beamish took aim at the Medical Assistance in Dying Statute Law Amendment Act, or Bill 84, which became law in Ontario last month. The act, in part, is a green light for secrecy. Any information that could identify hospitals, long-term care homes or hospices that offer medically assisted death is now exempt from freedom of information laws. Before the bill became law, [Beamish] recommended amendments that kept the names of physicians anonymous but the names of facilities public. “Information should be public unless there’s a really good reason why it shouldn’t be,” Beamish told the Star. In this case, he said, there was no evidence presented by legislators to suggest any reason why hospitals and care facilities should be exempt from disclosing their practices. The same concern was presented by Hamilton Health Sciences ethicist Andrea Frolic at a committee meeting about the bill in March. Frolic praised the protection of physicians, but questioned why publicly funded facilities could draw a dark curtain over their practices. “Information-sharing with the public is essential to patients’ informed decision-making,” she told the room, recommending that facilities disclose whether they grant assisted-death requests. [The Star]

CA – Ontario Doctors Go to Court to Keep Billing Information Secret

The information and privacy commissioner last year ordered the public disclosure of the top billers’ identities, along with amounts each receives in payments from the taxpayer-funded insurance plan. The information is business-related, not personal, and should be public because of the importance of transparency of government expenditures, the ruling said. A judicial review of that decision is being sought by the OMA and two groups of doctors — known in court submissions only as “several physicians affected directly by the order” and “affected third-party doctors.” They are asking a three-judge panel in Divisional Court to quash the information and privacy commissioner tribunal’s order. [The Star]

CA – BC Court Finds Email Communications Mistakenly Disclosed Are Privileged

The BC Court of Appeals has considered whether communications between government lawyers and employees were protected by solicitor-client privilege. Email communications between a government employer and employees of the agency were inadvertently included in a package of documents disclosed in response to an access request; disclosure of communications where the lawyer recommended a particular decision be made, or involving employee discussions of the lawyer’s advice would reveal previous legal advice given, and inadvertent disclosure of a privileged document does not result in an implied waiver of privilege. [AG of BC v. Kyla Lee et al. – 2017 BCCA 219 CanLII – Court of Appeal for British Columbia]

Consumer

US – Survey Shows Consumers Need More Education on Identity theft

In 2016, over 15 million Americans were victims of identity theft, up 16% from the previous year. News of data breaches and the risks of identity theft and fraud persist, but consumers’ vigilance and awareness haven’t kept pace. A national survey by Experian revealed that not only is America’s collective guard down, but people feel they are at a disadvantage when it comes to identity theft. While 84% of respondents acknowledge being concerned about the security of personal information online, almost two-thirds (64%) agree it’s too much of a hassle to constantly worry about securing personal information online. The majority say staying on top of financial transactions is a challenge (53%), and nearly half (48%) don’t check their credit reports regularly for errors or suspicious activity. [Inside Counsel]

US – Privacy Paradox: People Like the Idea but Not the Effort Study Shows

In “Digital Privacy Paradox: Small Money, Small Costs, Small Talk,” a new paper published through the National Bureau of Economic Research, the authors explore a phenomenon that has been widely observed: The disconnect between what people say about privacy and what they do. t’s a discrepancy that calls into question the validity of notice and consent, the foundation of privacy rules. Susan Athey, professor of economics at Stanford, said the paper does not address how legislation should be calibrated. “It suggests that users’ preferences for privacy may not be particularly strong, which has the implication that if privacy regulation imposes costs, it can be important to carefully consider whether preferences are strong enough to outweigh the costs in the particular context.” [The Register]

WW – Global Survey Finds Most Consumers Read App Privacy Policies

More than half of consumers, 53%, say it is “extremely important” that they know an app or service is using their personal data, a new survey has found. [Mobile Ecosystem Forum’s Consumer Trust Report see here] The survey of 6,500 people in Belgium, China, France, Germany, Poland, Romania, South, Africa, Spain, UK and the US were surveyed in the second quarter of this year revealed 75% of respondents always or sometimes read privacy policies and terms of conditions before signing up to a mobile app or service. A total of 86% of them say they will go on to take some kind of action if their trust is challenged. Almost half will stop using a service (a year-on-year increase from 38% to 44%) and nearly one in three (30%) will warn friends and family. [Irish Times]

E-Mail

WW – Too Smart to Fall for A Spear-Phishing Message? Think Again

Researchers believe that under the right conditions anyone can be fooled by a spear-phishing message. Experts at GreatHorn, a cloud-security company with a vested interest in spear phishing, write in the company’s 2017 Spear Phishing Report that more than 90% of phishing emails captured from March to November 2016 contain spear-phishing components designed to impersonate a person familiar to a business user in order to fool the recipient into thinking the message came from a trusted source. For several years, security researchers from Friedrich-Alexander-Universitat [see here], and from Universitat des Saarlandes [see here], have been interested in what they consider unexplored territory related to spear phishing. In their paper Unpacking Spear Phishing Susceptibility, the researchers explore the decision-making process of users when they are enticed by an advertised link in a variety of spear-phishing messages. The selected participants were sent either an email or a personal Facebook message with a link from a non-existing person, claiming the link led to pictures from a party. Out of 720 participants, 117 clicked on the link, 502 did not, and the remaining 101 participants could not remember if they clicked or not. The proverb “curiosity killed the cat” seems applicable, as the number-one reason for clicking on the link was curiousness. “The participants explained that they knew the pictures could not be for them, but were interested in the supposedly funny or private content.” [TechRepublic]

US – CERT Issues Security Warning About Email Attachments

The U.S. Computer Emergency Readiness Team (“US-CERT”) has issued a security warning concerning email attachments. Recommended steps for protection include being wary of unsolicited attachments even from known senders (confirm the legitimacy of the email with the supposed sender), keep software up to date (install patches), trust one’s instincts (do not open a suspicious attachment even if anti-virus software says it is ok), save and scan any attachment prior to opening it, turn off the automatic download attachment option, consider creating a separate restricted account on the computer, and apply other security practices (e.g. a firewall). [Security Tip (ST04-10) – Using Caution with Email Attachments – US-CERT]

WW – Google Will Stop Scanning eMail for Targeted Ads

By the end of this year, Google will stop scanning Gmail messages to serve personalized advertisements to users. Google has already stopped the practice in its G Suite Gmail. Ads will instead be served based on users’ settings.

CA – CASL Survey Report Clarifies Anti-Spam Compliance Strategies

Fasken Martineau in collaboration with the Direct Marketing Association of Canada (DMAC) has launched the outcome of the first-ever CASL (Canada’s anti-spam legislation) Survey Report. The report gives a clear picture of how organizations comprehend CASL and comply with its terms and conditions when it comes to implementing effective strategies and programs. The report aims at assisting businesses and companies to apprehend the common barriers in acknowledging and accepting CASL compliance. The report also reflects the gap between how organizations understand CASL and what measures they have adopted to comply with the regulations. Additionally, it shows that even being in force for three years, the key elements of the CASL laws are still not fully understood or implemented. The survey output clearly indicates that most companies who assume that they are compliant. [MarTech Series Blog]

US – FTC Launches Review of Its Email Marketing Rule

The FTC announced that it is undertaking a review of its CAN-SPAM Rule, which sets out the requirements for sending commercial e-mail messages. Among other things, the CAN-SPAM Rule requires that senders of commercial e-mails provide recipients a mechanism to opt out of receiving commercial e-mails, honor opt-out requests within 10 business days, and include specific disclosures in the body of the commercial messages. The FTC specifically is asking for comments from the public on the following topics: a) The economic impact and benefits of the CAN-SPAM Rule; b) Possible conflict between the CAN-SPAM Rule and state, local, or other federal laws or regulations (note that the CAN-SPAM statute preempts state commercial e-mail laws, except to the extent they prohibit “falsity or deception”); and c) The effect any technological, economic, or other industry changes have had on the CAN-SPAM Rule. [Inside Privacy]

US – House Judiciary Continues Email Privacy Law Overhaul Debate

At a June 15 hearing of the House Judiciary Committee U.S. tech sector and bipartisan lawmakers pushed for updates to the nearly 30-year-old Email Communications Privacy Act (ECPA) [see here] and its related Stored Communications Act (SCA) [see here]. ECPA bans unauthorized interception of electronic communications. The SCA, which is part of ECPA, prohibits unauthorized access of electronic communications in a storage facility. Tech giants such as Alphabet Inc.’s Google, Apple Inc., Amazon.com Inc., and Microsoft Corp. have supported updates to ECPA and the SCA. Updating the law would lift legal uncertainty that U.S. technology companies and email service providers say they face. They often have overseas data centers and get requests from law enforcement agencies for data related to investigations. However, ECPA remains unclear as to how much and which data stored abroad is available under such requests, they say. The House Feb. 6 passed a measure to update ECPA. The Email Privacy Act (H.R. 387) [see here], introduced by Rep Kevin Yoder (R-Kan.), would require law enforcement to obtain a warrant before obtaining data “that is in electronic storage with or otherwise stored, held or maintained by that service,” regardless of the age of the communications. On the Senate side, Sen. Orrin Hatch (R- Utah) recently introduced the International Communications Privacy Act [see here], which would establish a legal framework for law enforcement bodies to use warrants to obtain emails sent to or from any U.S. citizen, even if that person—or the server being used to send and store emails—is overseas. The Senate has yet to take up the measure. [BNA.com]

Encryption

WW – Five Eyes Alliance Stress ‘More Timely and Detailed’ Information Sharing to Detect Terrorists

Public security ministers and attorneys general from Canada, the U.S., Britain, Australia and New Zealand gathered in Ottawa for two days of closed-door talks. A joint communique [see here & PR here] indicated Security officials are worried about the widespread availability of encryption tools and applications that can allow extremists to more easily communicate without their phone calls and texts being intercepted. Civil libertarians argue the right of law-abiding people to converse in private should not be compromised in the name of fighting terrorism by giving authorities the means to crack encryption or build back doors into security programs. The alliance said the ability of terrorists and other criminals to shield their electronic activities through encryption can “severely undermine public safety efforts by impeding lawful access to the content of communications.” They agreed to a common approach to engaging with communication service providers to deal with online terrorist activities and propaganda, while “upholding cybersecurity and individual rights and freedoms.” [The Star See also: Globe & Mail: The battle over encryption and what it means for our privacy | Australia Advocates Weakening Strong Crypto at Upcoming “Five Eyes” meeting | Five Eyes intelligence alliance meeting in Ottawa to tackle digital terror tactics | ‘Five Eyes’ talks in Canada to focus on encryption: Australian PM ]

UK – PM Pushes Demand for Gov’t Access to Encrypted Messages

Britain is once again focusing on a controversial plan: to regulate the internet. On one side are British policy makers and law enforcement officials, who want to crack down on how extremist messaging and communication are spread across the internet. On the other are privacy and freedom of speech groups — alongside the tech giants themselves — who say that the government’s proposals go too far. Recent legislation already gives Britain’s law enforcement officials some of the world’s strongest powers to read and monitor online chatter from potential extremists. Now the country’s politicians want to go further. Earlier this month, prime minister Theresa May told the British public. “We need to do everything we can at home to reduce the risks of extremism online” Echoing a similar message by her government after a previous attack in Manchester. Part of that plan is to demand that companies such as Apple and Facebook allow Britain’s national security agencies access to people’s encrypted messages on services like FaceTime and WhatsApp. [The New York Times]

EU – End-to-End Crypto Plan Puts Europe On Collision Course With UK

Proposed draft legislation [see here] by European Parliament’s Committee on Civil Liberties, Justice, and Home Affairs [LIBE] potentially puts EU at loggerheads with the UK over the encryption debate. The proposals, which could enforce the use of end-to-end encryption as an extension of individual privacy, look to enshrine “a high level of protection of individuals with regard to their fundamental rights of private life and data protection” into European law. As such, Theresa May’s government, which has expressed concerns about the use of encryption, may find itself on a collision course with European legislators over internet privacy rights. The recommendation by European Parliament MEPs comes as the UK government – in addition to beginning Brexit negotiations has called for more power over the internet, including the possibilities of weakening encryption and being able to place backdoors into devices. [ZDNet]

EU Developments

EU – WP29 Fire Warning Shots Ahead of First Privacy Shield Review

Europe’s data protection chiefs have fired a warning shot across the bows of the executive body of the Union ahead of the first annual review of the EU-US Privacy Shield. The Article 29 Working Party set out a series of concerns about Privacy Shield as far back as April 2016. They’re now gearing up for the annual review, due to take place in the US in September, and today say they’ve sent the EC a letter setting out their views and recommendations, and reserving the right to publish their own report “subject to the outcome of the Joint Review and the report of the Commission”. The WP29 describes the forthcoming review as “a fact-finding mission in order to collect the relevant information and necessary evidence to assess the robustness of the Privacy Shield”. [see 2 pg PDF here] [TechCrunch]

EU – EU Deals Theresa May Encryption Setback as MEPs Propose Ban on Government Backdoors

EU MEPs have tabled laws that would forbid countries in the EU from breaking the electronic protection that prevents security services from reading messages sent via WhatsApp. The plans would also impose obligations on tech companies that do not currently apply encryption to messages to do so. The proposals would be a major setback to Theresa May’s election pledge that terrorists should have no “safe space” to conspire online, and threatens existing security legislation that requires companies to remove encryption where possible. The proposals, from MEPs on the European Parliament’s Civil Liberties, Justice and Home Affairs Committee[LIBE], have been tabled as amendments to draft EU privacy legislation. The proposals will first have to be approved by MEPs and scrutinised by the EU Council. As well as hampering any attempts to access encrypted messages, the rules could also imperil the Investigatory Powers Act [see here and here], [Telegraph.co] See also: [Highlights of the draft LIBE report on the ePrivacy Reg | EU Parliament Wants Stronger Privacy in e-Communications Proposal]

EU – Parliamentary Committee is Concerned About Technical Neutrality, Cookie and Tracking Provisions

An EU parliamentary committee has issued its rapporteur’s opinion and recommendations on the proposed ePrivacy Regulation. The Regulation is narrowly focused on browsers, making a strict distinction between first and third party cookies that is not future proof; the impact on privacy of a cookie should be based on its purpose, the types of data it collects and how the collected data is shared. Data emitted by terminal equipment and collected to enable to connect to another device should not occur, even if there is a sign informing users of the tracking area; this creates a risk of fears and anxiety among end-users without providing them with the ability to opt-out of being tracked. [European Parliament Committee on Industry, Research and Energy – Draft Opinion for the Committee on Civil Liberties, Justice and Home Affairs on the ePrivacy Regulation]

EU – Proposed Regulation Does Not Protect Communications Content and Metadata

The Directorate General for Internal Policies, on request from the EU Parliament, has assessed the standards of privacy protections in the proposed ePrivacy Regulation. Analysis of communications content and metadata should only be permitted in strictly necessary, limited circumstances, or if end users provide meaningful consent, and individuals should not be required to allow analysis for marketing purposes; storage of anonymised communications content should be permitted only in specific circumstances (given that it is difficult to anonymise email messages or phone conversations). [An Assessment of the Commissions Proposal on Privacy and Electronic Communications – Directorate General for Internal Policies

EU – EBA Issues Draft Guidance for Outsourcing Cloud Services

The European Banking Authority has issued a consultation paper on proposed recommendations on outsourcing to cloud service providers. Organisations should conduct assessments on the materiality of business activities proposed for outsourcing (impact of outages, disruptions), maintain a register of all information related to outsourced activities, and consider the potential risks and oversight limitations of outsourcing outside of the EEA; written agreements with providers should provide full access and audit rights, require that sufficient security protections are put in place, specify activities excluded from potential subcontracting, include an obligation for the provider to orderly transfer activities in case of termination. Comments can be submitted until August 18, 2017. [EBA – Consultation Paper – Draft Recommendations on Outsourcing to Cloud Service Providers under Article 16 of Regulation No. 1093/2010]

UK – NHS DeepMind Deal Broke Data Protection Law, Regulator Rules

A London hospital trust was wrong to share details of 1.6 million patients with Google’s artificial intelligence company DeepMind, the UK’s data protection regulator has said. [See PR here & blog post here] Following a year-long investigation the Information Commissioner’s Office (ICO) has ordered the Royal Free NHS Foundation Trust to set-out a proper legal basis for processing the patient data. The data watchdog said the Trust didn’t properly tell patients that their information would be used as part of the work with DeepMind. The ICO said the NHS Trust is the controller of personal data and as a result is responsible for how patient information is used. The regulator said patient information wasn’t processed fairly and lawfully, was excessive, wasn’t used within the rights of the subjects and contractual controls weren’t in place. Overall, four of the Data Protection Act 1998’s principles were broken. [Wired]

UK – ICO’s Strategic Plan for the ‘New Frontier’ of Data Protection

The ICO recently published its Information Rights Strategic Plan for 2017 – 2021. Within it, the ICO Commissioner, Elizabeth Denham, asserts that we are on the “edge of a new frontier,” and that the data protection landscape is about to be reshaped by the “game changing” General Data Protection Regulation (the ‘GDPR’). The Plan also emphasises the ICO’s commitment to achieving the aforementioned goals by: (i) exploring innovative and technologically agile ways to protect privacy; (ii) leading the implementation of the GDPR and other data protection reforms; (iii) strengthening transparency and accountability by promoting good information governance; and (iv) protecting the public in a digital world. The highest priorities for the ICO for the first two years of this five-year plan will be preparing business processes and guidance for the GDPR, the Law Enforcement Directive and the ePrivacy Regulation, in order to avoid the ICO’s biggest risk: not being prepared in time. [Technology Law Dispatch]

UK – ICO Announces Grants Programme for Independent Research

The ICO have launched their first ever Grants Programme for new, independent research into data protection and privacy enhancing solutions, and we believe it is a genuinely exciting development. The programme will also help us achieve many of the key goals set out in the ICO’s new Information Rights Strategic Plan – for example, staying relevant and keeping abreast of evolving technology, improving standards, increasing public trust and maintaining and developing international leadership and influence. For many years the ICO has run research tenders to support specific policy projects and we have very much valued our interactions with the academic community, NGOs and innovators and the input they’ve had into our work. This new programme will take a broader ‘horizon-scanning’ approach, encouraging them to develop new insight and solutions into key data protection and privacy challenges posed by new technologies such as artificial intelligence and machine learning. [Information Commissioner’s Office Blog]

EU – Article 29 Working Party Releases Extensive GDPR Guidance on Data Processing at Work

The EU’s Article 29 Working Party has issued new guidance on data processing in the employment context (available here). Adopted on June 8, 2017, the guidance primarily takes account of the existing data protection framework under the EU Data Protection Directive, but also considers the developments coming into force on May 25, 2018 under the EU General Data Protection Regulation). The WP29 released the guidance partly as a result of the GDPR, but also due to the number of new technologies that have been adopted since previous WP29 publications relating to personal data in the workplace The new guidance is not restricted to the protection of persons with an employment contract, but is more expansive in scope and intended to cover a range of individuals in an employment relationship with an organization, such as applicants and part-time workers (the term “employee” applies broadly in all such contexts). The WP29 also intends to release guidance in the coming months on other GDPR topics such as transparency, certification, breach notification and data transfers, to add to recent guidance on data portability, Data Protection Officers and the “One Stop Shop.” [Inside Privacy]

EU – Germany Merkel’s CDU Party Criticizes Data Minimization Principle

Proposals that German firms could start scooping up more than just essential personal data have been met with anger by privacy advocates. “Der Spiegel” reported on a CDU Angela Merkel’s party strategy paper that criticizes the principle of data minimization, or “Datensparsamkeit”. The term refers to collecting only the data you really need through sensors and online platforms, rather than scooping up as much as you can. According to the CDU document, data minimization should no longer be a general guideline as it “reduces opportunities for new products and services and potential progress”. Rights activists see things quite differently. Joe McNamee, the executive director of the Brussels-based European Digital Rights (EDRi), said a shift towards recording and exploiting more data would reduce people’s trust in European digital services. “The CDU’s political spin is horrifyingly ill-informed, ill-conceived and naïve,” McNamee said. [ZDNet]

EU – Germany Probes Facebook Over Claims It ‘Extorts’ Data from Users

Germany’s Federal Cartel Office is examining whether Facebook essentially takes advantage of its popularity to bully users into agreeing to terms and conditions they might not understand. The details that users provide help generate the targeted ads that make the company so rich. In the eyes of the Cartel Office, Facebook is “extorting” information from its users, said Frederik Wiemer, a lawyer in Hamburg. “Whoever doesn’t agree to the data use, gets locked out of the social network community,” he said. “The fear of social isolation is exploited to get access to the complete surfing activities of users.” It’s “more radical” than the EU’s Google case [see here] “because it asserts that privacy concerns can be antitrust concerns” and that consumers have a broader role than buyers of services in an economy, said Alec Burnside, an attorney at Dechert in Brussels. Some lawyers say the Facebook case is so novel in its approach to antitrust that the Cartel Office should have left the question of whether the company abuses users’ data to privacy regulators. Those watchdogs, once relatively toothless, will be empowered next year when tougher EU data privacy rules take effect, allowing them to levy fines of as much as 4% of global annual sales. Ironically, Facebook may have less to fear financially from a Cartel Office probe as, unlike Google, it may not be fined. The current terms of the investigation rule out a financial penalty even if it’s found to breach antitrust rules. At worst, Facebook faces an order to change how it operates. [Bloomberg via The Independent]

UK – Privacy International Sends Brexit Teams Anti-Surveillance Package

Rights group Privacy International (PI) has sent Brexit negotiators advice and technology designed to mitigate the risk of surveillance by intelligence agencies on the opposite side.[See PR here] With the long-awaited EU divorce negotiations starting today, the privacy NGO claimed that there’s a heightened risk of sophisticated tools and tactics being used to enable one side or the other to gain the upper hand. The PI package contains a short briefing warning the recipient against the surveillance powers available to the UK and some European agencies, as well as a Faraday Cage to protect their mobile devices. The gesture is mainly symbolic given the range of powers at the disposal of the British and European intelligence agencies, Privacy International admitted. PI warned the Brexit negotiators that government agencies can remotely activate mobile device mics, webcams and GPS systems; force service providers to decrypt comms; intercept internet traffic travelling on undersea cables; and access intelligence collected by their spy agencies. [InfoSecurity]

Facts & Stats

US – Cost of Breaches in the US Hit Record High

Breaches cost companies an average of $225 per compromised record ($221 in 2016), and the average total cost was $7.35 million ($7.01 in 2016); heavily regulated industries have higher breach costs, e.g., healthcare ($380) and finance ($336), and malicious or criminal attacks continue to be the primary cause of breaches (52%) as well as the costliest ($244). [2017 Ponemon Cost of Data Breach – US]

CA – Breach Costs Down but Canada’s Are Second Highest in World

The average cost of a data breach suffered last year by 27 Canadian companies was $5.78 million, or $255 per lost or stolen record, according to a new study. It was the third annual report, paid for by IBM and conducted by the Ponemon Institute, part of a survey of 419 breached organizations in 11 countries and two regions.[See here] The good news is that the Canadian numbers represent a 4% decrease in the total cost of a data breach among the group studied, and a 9% decrease in the cost per lost or stolen record, compared to the 2015/2016 study period. The bad news is it’s still a lot of money. Of all nations studied the Canadian group had the second highest costs. One important take-away from the report is how being proactive can reduce the cost of a breach per record. [IT World Canada]

CA – Cost of Breaches to Canadian Companies Decreased

The average cost per compromised record decreased from $278 to $255, and the root cause of data breaches were malicious or criminal attacks ($269 per capita cost), system glitches ($243 per capita cost), and human error ($241 per capital cost); preventative measures taken after a data breach include training and awareness programs (65%), additional manual procedures and controls (50%), identify and access management solutions (41%), and expanded use of encryption (40%). [2017 Ponemon Cost of Data Breach – Canada]

Filtering

CA – Supreme Court Rules Search Engine Must De-Index Websites Worldwide

The Supreme Court has heard an appeal of a decision of the BC Supreme Court, requiring Google Inc.to de-index specific search results. The US search engine must stop indexing or referencing websites selling infringed products from locations outside Canada; the search engine was crucial to the website owners being able to sell counterfeit goods (which they were ordered not to sell by a BC court), the only way to ensure the injunction’s effectiveness is to apply it worldwide, and any negative impact on freedom of expression is outweighed by the need to prevent harm from facilitating the sale of the counterfeit goods. [Google Inc. v. Equustek Solutions Inc. – 2017 SCC 34 – Supreme Court of Canada | Related Article]

CA – Supreme Court Rules 7-2 to Facilitate Worldwide Internet Censorship

In a 7-2 majority decision written by Justice Rosalie Abella that has “troubling” implications for free expression online, the Supreme Court of Canada upheld a company’s effort to force Google to de-list entire domains and websites from its search index, effectively making them invisible to everyone using Google’s search engine [See Google v. Equustek] EFF intervened in the case, explaining [.pdf] that such an injunction ran directly contrary to both the U.S. Constitution and statutory speech protections. Issuing an order that would cut off access to information for U.S. users would set a dangerous precedent for online speech. In essence, it would expand the power of any court in the world to edit the entire Internet, whether or not the targeted material or site is lawful in another country. That, we warned, is likely to result in a race to the bottom, as well-resourced individuals engage in international forum-shopping to impose the one country’s restrictive laws regarding free expression on the rest of the world. Beyond the flaws of the ruling itself, the court’s decision will likely embolden other countries to try to enforce their own speech-restricting laws on the Internet, to the detriment of all users. As others have pointed out, it’s not difficult to see repressive regimes such as China or Iran use the ruling to order Google to de-index sites they object to, creating a worldwide heckler’s veto. The Equustek decision is part of a troubling trend around the world of courts and other governmental bodies ordering that content be removed from the entirety of the Internet, not just in that country’s locale. On the same day the Supreme Court of Canada’s decision issued, a court in Europe heard arguments as to whether to expand the right-to-be-forgotten worldwide. [Electronic Frontier Foundation] See also: Open Media: Disappointing Supreme Court ruling has worrying implications for online free expression and access to information in Canada and across the globe | Canada Claims Authority to Censor Your Internet Searches

Finance

US – Financial Institutions Cautioned that Communications Using Emerging Technologies May Fall Under FINRA Rules

The Financial Industry Regulatory Authority (“FINRA”) has provided guidance regarding the application of FINRA rules governing communications with the public to digital communications, in light of emerging technologies and communications innovations. Registered entities are required to retain interactions with investors conducted using text messaging apps and chat services if the communication is about business; entities must not establish links to any third party site that the entity knows contains false or misleading content, and “likes” or sharing of social media comments by a representative. Comments that were posted by a third party about an entity representative will be subject to FINRA’s communications rules. [Financial Industry Regulatory Authority – Regulatory Notice 17-18 – Social Media and Digital Communications]

US – Study: Why Are So Many Customers Still Afraid of Mobile Banking?

In a new study [see here], J.D. Power asked 5,364 adults in the U.S. what they thought of the mobile offerings of the 10 largest banks and the 10 biggest credit card issuers and USAA. Overall mobile adoption among Americans remains relatively low — 31% for banking and 17% for credit cards, according to J.D. Power. It’s not surprising that card apps are used less, because they’re typically limited to providing balances, payment due dates and loyalty points. Online banking adoption, by contrast, is 80%. A major barrier — and perhaps one of the easiest to address — is that many are unsure how to use mobile banking: 39% of users say they don’t fully understand their mobile banking and credit card apps. At least that’s down from 61% in 2012, when mobile banking was still in its early days. Only 32% of consumers trust mobile banking, the study found. Only 42% of consumers feel their personal data is adequately protected by their bank when they use mobile apps. [American Banker]

FOI

CA – NL Privacy Commissioner to Investigate Sunshine List Screw-Up

Their names were supposed to be kept off a published list of Newfoundland and Labrador public servants who earned $100,000 or more in 2016, and now the province’s Information and Privacy Commissioner is launching a formal investigation into why police officers didn’t get the protection they were promised. Donovan Molloy announced Thursday that his office is acting on its own, without a complaint. [See here] The investigation will look into why employees who were granted an exemption from the so-called Sunshine List disclosure had their privacy breached, and why information not authorized for disclosure was published. [CBC]

CA – OIPC BC: Landlords May Process Tenants’ Information to the Extent Necessary

The Office of the information and Privacy Commissioner for British Columbia has issued guidance to assist landlords and property managers in meeting their obligations under the Personal Information Protection Act. Landlords may collect tenant’s information to make a decision about whether or not to rent the property (e.g., pay-slip, T4, other landlords references, credit reports, etc.), but to use it for another purpose the tenant’s consent is required; landlords should examine their tenancy application forms to ensure that there is a business need for collecting the information and include statements about why it is collected. [OIPC BC – Privacy Guidance for Landlords and Tenants]

CA – OIPC AB May Authorize Entities to Disregard Access and Information Requests

The Office of the Information Privacy Commissioner of Alberta has issued a practice note about the authorization to disregard requests under the: Freedom of Information and Protection of Privacy Act (“FOIP Act”); Health Information Act (“HIA”); and Personal Information Protection Act (“PIPA”). The authorization is given under the criteria set out in the FOIP Act, HIA and the PIPA when the request would unreasonably interfere with the entity’s operation because of its repetitious or systematic nature, or is frivolous or vexatious. [OIPC AB – Practice Note Authorization to Disregard Requests]

CA – OIPC BC Provides Guidance on Preparing for a Written Inquiry

The BC Office of the Information and Privacy Commissioner has issued guidance for organizations participating in an OIPC-inquiry. When public bodies are participating in an OIPC-review of an FOI or access decision, submissions should include arguments about how relevant legislation applies, copies of letters, meeting minutes, transcripts, affidavits, expert reports, meeting minutes, or in camera material; information or records related to the mediation process and attempts to settle issues should not be included (to preserve the ‘without prejudice’ nature of the process), and new issues or exceptions not listed in the notice of inquiry should not be included. [OIPC BC – Instructions for Written Inquiries]

CA – Supreme Court Rules User May Sue U.S. Social Network in B.C. Courts

The Supreme Court of Canada has considered whether a U.S. social network may impose a forum selection clause on users. The Court ruled that while the social network’s terms of use forum selection clause is enforceable, there is strong cause not to do so; there is gross inequality of bargaining power between the parties (i.e. individual consumers have no choice but to agree to the terms of use), the B.C. Privacy Act cause of action implicates quasi-constitutional privacy rights of British Columbians, B.C. courts are in better position to adjudicate regarding local legislation, and B.C. citizens would face the expense and inconvenience of litigating in California. [Deborah Louise Douez v. Facebook, Inc. – 2017 SCC 33 – Supreme Court of Canada | CBC]

CA – OIPC AB: Information that Merely Relates to a Legal Service is not Privileged

The Office of the Information and Privacy Commissioner in Alberta has reviewed an inquiry into the Alberta Justice and Solicitor General’s response for records under the Freedom of Information and Protection of Privacy Act. The client-solicitor privilege does not apply to information that does not reveal the substance of the legal service such as date of emails, date of the proposed events, the subject lines of the emails, the participants in the emails or in the proposed events. [OIPC AB – Order F2017-44 April 28 2017 Alberta Justice and Solicitor General]

CA – OIPC AB Finds Public Body Was Authorized to Contact Petitioners

The Office of the Information and Privacy Commissioner of Alberta has reviewed a complaint regarding the unauthorised use of personal information by the Summer Village of West Cove, pursuant to the Freedom of Information and Protection of Privacy Act. An individual complained when the public body sent a letter asking questions about the petition she submitted (her name and address were documented next to her signature); however, the individual signed and submitted a written statement with the petition indicating that she could be reached if they had questions about the petition, and the public body used the information only to the extent required to obtain more information about why the petition was submitted. [OIPC AB – Order F2017-48 – Summer Village of West Cove]

CA – OIPC NL Issues Recommendations for Ensuring Proper PHI Handling

The Office of the Information and Privacy Commissioner in Newfoundland and Labrador has provided guidance on compliance with the Personal Health Information Act. Healthcare custodians must ensure information policies and procedures include appropriate measures for processing, storage and disposition of PHI; all individuals handling PHI must sign confidentiality agreements and be made aware of obligations relating to consent for collection, use and disclosure of PHI. Outsourcing agreements must include prescribed uses and disclosures of PHI and security arrangements, and material breaches of PHI must be reported to the OIPC and affected patients. [OIPC NL – Safeguard Newsletter – Volume 01 Issue 01]

CA – PEI Muni’s Working to Avoid Inclusion in Access to Info Law

The Federation of P.E.I. Municipalities is taking steps to help towns and communities become more proactively transparent in an effort to keep municipalities from being brought under access to information law. The federation has issued a request for proposals [see here] for an open municipal government toolkit, which would be an online resource for municipalities to use to develop more open government practices. In 2015, Premier Wade MacLauchlan gave municipalities and post-secondary institutions a two-year window to develop more transparent policies prior to a review of the Freedom of Information and Protection of Privacy (FOIPP) Act, which is to be conducted later this year. Prince Edward Island is the only province in Canada where municipalities are not subject to freedom of information law. The province’s publicly funded university and colleges are also not covered. But that’s something municipalities would rather not see changed P.E.I.’s privacy commissioner Karen Rose told a provincial standing committee in March she will likely make a formal recommendation to bring municipalities and post-secondary institutions under FOIPP legislation as part of a number of recommended changes and updates to the act that she is set to deliver to government. [The Guardian (Charlottetown, PEI)]

Health / Medical

UK – Google DeepMind Report Fails to Justify Use by the NHS, Claim Privacy Campaigners

A report [see here] that claims Google DeepMind did not break the law in its use of NHS patient data has failed to address the company’s breach of UK privacy laws, campaigners have warned. The independent review panel released its findings this week after the Information Commissioner’s Office (ICO) ruled the Royal Free NHS Foundation Trust breached the Data Protection Act when it provided DeepMind with the personal data of around 1.6 million patients. “Our legal advice found that DMH [DeepMind] had acted only as a data processor on behalf of the Royal Free, which has remained the data controller,” the report states. “It found no evidence that DMH had violated the data sharing agreement or any other contractual arrangements with the Royal Free. It found no evidence to suggest that DMH has breached confidence.” This classification makes the Royal Free liable for the breach, as the collection of information falls under the responsibilities of the data controller. DeepMind may, however, have been liable under the terms of the GDPR, which comes into effect across the EU in May 2018. The limited criticisms of DeepMind have raised the ire of privacy campaigners. The report failed to hold DeepMind accountable for its unlawful data processing or to fully investigate the company’s more questionable actions, campaign group medConfidential warned. The independent review panel’s principle concerns around DeepMind Health were an inadequate public engagement and a lack of clarity in the original information sharing agreement with the Royal Free Hospital. A total of 11 vulnerabilities were identified, none of which were deemed critical or high-level. A single medium level issue was revealed, that the report states “should be addressed but is not thought to present an immediate threat to the environment or data handled by it”. In a written response to the report, DeepMind health acknowledged that it should have done more to engage with patients at an earlier stage, and that its initial legal agreement with the Royal Free should have been more detailed. It pledged to continue to publish all its NHS contracts, and to support other groups developing healthcare technology. [Techworld]

Horror Stories

US – Voting Record Database Configuration Error Exposes Nearly 200 Million Records

Databases containing information about 198 million US voters was found to be stored in an Amazon cloud account with no access protection. The databases belong to Deep Root Analytics, a contractor employed by the US Republican National Committee (RNC). While the information contained in the database is by and large a matter of public record, having all those data aggregated could prove valuable to data thieves.

US – Lawsuit Targets Firm that Failed to Secure 198 million Americans’ Data

Two Floridians James and Linda McAleer filed a lawsuit last week against Deep Root Analytics, the campaign consultancy that accidentally left information on 198 million Americans accessible online without protecting it with a password. They want to turn [it] into a class action suit. Deep Root specializes in using data analytics to determine how to target specific voters. The exposed data included contact information and estimates of political preferences for around 80% of voting-age Americans. On June 19, researcher Chris Vickery of the security firm UpGuard announced that he had found Deep Root had configured that data to be available to any who visited Deep Root’s Amazon cloud storage account without needing to log in. According to a statement from Deep Root, the data was only exposed for two weeks. The lawsuit claims that Deep Root was negligent in the way it protected data and seeks to cover two classes of victims — the general public and Florida residents in particular. [The Lawsuit is Dr. James A. McAleer, et al. v. Deep Root Analytics LLC, Case No. 6:17-cv-01142, in the U.S. District Court for the Middle District of Florida. See here | The Hill | Dr. James Albert McAleer and Linda McAleer v. Deep Root Analytics, LLC – Middle District of Florida Orlando Division]

US – Anthem to Pay 115 Million USD in Breach Settlement

US healthcare company Anthem will pay 115 million ISD to settle several lawsuits related to 2015 breach of customer data. Most of the money will be used to pay for victims’ credit monitoring. [Anthem will pay $115 million in largest data breach settlement in history | Anthem Agrees to Settle 2015 Data Breach for $115 Million]

US – WSU Safe Heist Included Hard Drive with PII on 1 Million

WSU learned on April 21, 2017 that a “locked safe containing a hard drive had been stolen.” The hard drive contained the backup files from WSU’s Social & Economic Science Research Center (SESRC). On April 26, WSU confirmed PII was compromised. On June 9, they began informing those affected and sending breach notification notices to various state’s Attorney General Offices. In WSU’s public statement, they noted, “The drive contained documents that included personal information from survey participants, such as names, Social Security numbers and, in some cases, personal health information. Entities that provided data to the SESRC include school districts, community colleges, and other customers.” Normally when we associate a breach of this size, we ascribe it to a hacking incident or other technological magic. In this case it was a physical theft, of the safe, which was serving to protect the data stored within. The university in its letter to the New Hampshire Attorney General’s Office (NHAGO) noted that not all (though apparently some) of the files on the hard drive were encrypted. [CSO Online]

CA – Hackers Dump Data from Calgary’s Cowboys Casino Breach

Personal information along with the gambling habits and payouts of hundreds of patrons of Calgary’s Cowboys Casino have been dumped online by hackers, a year after a massive cyber attack. Thousands of files purportedly containing the personal information of patrons, customer payouts, tracking of gambling habits and the Calgary’s Cowboys Casino’s “elite members list,” were leaked to the data-sharing website Pastebin, along with a dire warning that even more information could be made public in the coming weeks. The post warns the data dump is the first, and the smallest, of four planned for release. Last June, the casino announced it had been the victim of a cyber attack on its computer system, warning that information from patrons and employees, along with corporate data, had been compromised. [See here] [Calgary Herald]

Identity Issues

WW – At least 44 States Refuse Trump Commission’s Demand for Voter Info

CNN reported that 44 states have now refused a request by the Trump administration to provide certain information about registered voters, ranging from their criminal records to time spent abroad. A CNN inquiry into all 50 U.S. states found that state leaders and voting officials across the country have been fairly quick to respond to the request for voter data, sent by the Presidential Advisory Commission on Election Integrity [see here]–and, in most cases, to reject it. The requested information includes registered voters’ full names, addresses, birth dates, political parties, a list of the elections they’ve voted in since 2006, whether they’ve registered to vote in other states, their military status, info on any felony convictions, whether they’ve lived overseas, and the last four digits of their social security numbers. Kansas Secretary of State Kris Kobach, vice chairman of the commission stated twice in the letter [see here] that only “public” information was being requested, and reiterated that “Every state receives the same letter, but we’re not asking for it if it’s not publicly available” Numerous states have already responded that they can’t provide the social security numbers, in the very least, while others objected to the commission’s request that states surrender this information through an online portal. [Forbes]

Location

US –SCOTUS to Hear Mobile Locational Privacy Case

On June 5, 2017, the US Supreme Court granted cert in “Carpenter v. United States” [see here], a case in the hotly contested area of mobile cellular location data privacy. The question before the Court is whether law enforcement must obtain a warrant for historical cell-site location information. On appeal, a panel of the Sixth Circuit upheld Carpenter’s conviction. [See here] In the majority opinion, Judge Kethledge concluded that the Fourth Amendment does not require a warrant for law enforcement officers to request historical cell-site location information. In reaching this conclusion, Judge Kethledge relied on the third-party doctrine, which stands for the proposition that individuals do not have a reasonable expectation of privacy in information that they voluntarily disclose to third parties such as mobile carriers. Notably, in a concurring opinion [see here at P.14], Judge Stranch expressed concern about applying the third-party doctrine to records which reveal personal location information, noted that “[d]etermining the parameters of the Fourth Amendment is the task of the judiciary”, and stated that the courts “have more work to do to determine the best methods for assessing the application of the Fourth Amendment in the context of new technology.” Judge Stranch is far from the first to invite reexamination of the third-party doctrine. To give but one example, in a concurring opinion in the 2012 GPS-tracking case “United States v. Jones” [see here], Justice Sotomayor wrote, “I would not assume that all information voluntarily disclosed to some member of the public for a limited purpose is, for that reason alone, disentitled to Fourth Amendment protection.” Regardless of whether the Supreme Court accepts Judge Stranch’s invitation, “Carpenter v. United States” may hold important compliance implications for carriers. [Comm Law Monitor]

Offshore

WW – Due Diligence: Vendor Management is Crucial for Data Protection

This article provides an overview of data privacy and security obligations in vendor management in the United States. Organizations should maintain a vendor data protection program by using the RFP process to establish minimum data protection qualifications for the contract, conducting privacy and security due diligence when selecting vendors, and being clear about to what extent vendors can use data for its own purposes; when negotiating a contract, organizations should define personal information broadly to include any and all identifiable information, impose requirements for retention, transition and destruction or return of data at termination of the agreement, and require mandatory breach notification to the organization. [Deeper Dive – Vendor Management Crucial for Data Protection – Alan L. Friel, Partner, BakerHostetler]

Online Privacy

US – Facebook Can Track Your Browsing Even After You’ve Logged Out: Judge

Plaintiffs alleged that Facebook used the “like” buttons found on other websites to track which sites they visited, meaning that the Menlo Park, California-headquartered company could build up detailed records of their browsing history. The plaintiffs argued that this violated federal and state privacy and wiretapping laws. US district judge Edward Davila in San Jose, California, dismissed the case because he said that the plaintiffs failed to show that they had a reasonable expectation of privacy or suffered any realistic economic harm or loss. [see 14 pg PDF here] Davila said that plaintiffs could have taken steps to keep their browsing histories private, for example by using the Digital Advertising Alliance’s opt-out tool or using “incognito mode”, and failed to show that Facebook illegally “intercepted” or eavesdropped on their communications. The plaintiffs cannot bring privacy and wiretapping claims, Davila said, but can pursue a breach of contract claim. To address privacy concerns, Facebook introduced a way for users to opt out of this type of advertising targeting from within user settings. [The Gurdian]

WW – Google Takes 2 Steps to Protect User Privacy

Google announced two new steps to protect user privacy — moving to scrub personal medical records from search results and halting its long-standing policy of scanning emails to deliver targeted ads. Previously, Google surveyed the contents of emails to provide personalized ads to users of its free Gmail service. Although paying Gmail customers were never subject to such scanning, Diane Greene, a senior vice president at Google, told Bloomberg that there was confusion about the policy among businesses that pay for its service. The shift comes as Google tweaked its search engine to help hide results that include “confidential, personal medical records of private people.” The change was also first reported by Bloomberg. Google has previously taken steps to mask search results that included individuals’ financial information and revenge porn — explicit photos uploaded without a person’s consent. [LA Times]

Other Jurisdictions

AU – OAIC Publishes Draft Guidance on Breach Notification

The Office of the Australian Information Commissioner has issued a draft guidance about data breach notification. Comments from interested parties can be submitted until July 14, 2017. If practicable, entities can notify each of the individuals to whom the relevant information relates or only those at risk of serious harm; where notification is not practicable, entities should publish a copy of the statement sent to the commissioner on their website. [OAIC Australia – Notifying Individuals About an Eligible Data Breach]

Privacy (US)

US – Google Urges Congress to Revise Outdated Overseas Data Laws

Access to data stored overseas has become a contentious issue with tech companies and the US government. Today, in a speech given to the Heritage Foundation [watch here], a conservative think tank, Google’s senior vice president and general counsel, Kent Walker, urged Congress to update the laws concerning this topic. On this front, Microsoft scored a major victory last year. Other courts reached opposing rulings in similar trials. In February, a US District Court in Pennsylvania ruled that Google had to comply with an FBI warrant to hand over data stored on an overseas server. And additional cases involving Google and Yahoo came to similar conclusions in Wisconsin, Florida and California. Walker today urged Congress to change relevant laws, making it clear what tech companies are to do when faced with government requests for data. He also proposed that the US should allow countries that commit to privacy and human rights to directly request data from US companies without have to first consult with the US government. [Engadget]

US – FTC Issues Recommendations for Complying With COPPA

The FTC has provided guidance for operators of websites and online services on protection of children’s safety and privacy online to ensure compliance with the Children’s Online Privacy Protection Act. Organisations should determine if children’s personal information is collected by its sites or services (including allowing another company to collect PI through the site or service, or passive online tracking), notify parents of the specific information being collected, and post a privacy policy that describes all operators collecting information; verify consent by having parents sign a consent form, call a toll-free number, connect via video conference, or verify an identity document. [FTC – Children’s Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business]

US – Senate Considers Changes to ECPA to Ease Foreign Data Access

Members of the Senate Judiciary Committee’s Subcommittee on Crime and Terrorism addressed practical issues regarding warrants for overseas data in a hearing titled “Law Enforcement Access to Data Stored Across Borders.” It featured representatives from the Attorney General’s office, the U.K. government, the private sector (Microsoft), as well as from academia. Senators and panelists raised a host of issues, but chief among them was the perceived absurdity that a U.S. enforcement agency that has a U.S.-issued warrant based on probable cause for the data of a U.S. citizen who is suspected of committing a crime in the U.S. against a U.S. victim will not be honored by a U.S. ISP if that individual’s data happens to be stored on a server in Ireland (or anywhere other than the U.S.). Senators participating in the hearing readily welcomed arguments that Congress should change the ECPA in a way that would (a) overturn Microsoft and return to the prior status quo, where warrants served on U.S. ISPs are honored even if the data is stored on a server located abroad, and (b) lift the restrictions in the EPCA that prevent U.S. ISPs from turning over data pursuant to foreign warrants (like those issued in the U.K.). The panel focused on the differences and similarities between data security laws in the U.S. and U.K., and in particular, discussed a proposed bilateral agreement between the countries that would essentially allow each country to honor the other’s search warrants. [Corporate Defense and Disputes Blog (Proskauer Rose) ]

US – FTC Said to be Probing Uber Over Privacy Practices

The FTC’s investigative staff is focusing its attention on potential data-handling problems at Uber, Recode reported Wednesday, citing four unnamed sources familiar with the matter. That might include an internal Uber feature known as “God View“ that lets employees see logs of customer activity. Recode said its sources cautioned that FTC staff members regularly question companies on consumer protection issues and then quietly close their inquiries without pursuing penalties. Uber was recently caught using an internal tool called Greyball to thwart efforts by local authorities to catch the ride-hailing company violating local regulations. Uber has since said it would stop using the tool for that purpose. The company was also caught using a program called Hell to spy on its rival Lyft. And Apple reportedly threatened to boot Uber from the App Store for violating privacy rules. (A consumer watchdog group later asked the FTC to investigate related matters.) [CNET]

US – Post-Snowden Efforts to Secure NSA Data Fell Short: Report

The government’s efforts to tighten access to its most sensitive surveillance and hacking data after the leaks of National Security Agency files by Edward J. Snowden fell short, according to a newly declassified report. The N.S.A. failed to consistently lock racks of servers storing highly classified data and to secure data center machine rooms, according to the report, an investigation by the Defense Department’s inspector general completed in 2016. The report was classified at the time and made public in redacted form this week in response to a Freedom of Information Act lawsuit by The New York Times. The agency also failed to meaningfully reduce the number of officials and contractors who were empowered to download and transfer data classified as top secret, as well as the number of “privileged” users, who have greater power to access the N.S.A.’s most sensitive computer systems. And it did not fully implement software to monitor what those users were doing. The report said the chief information officer of the N.S.A., Gregory L. Smithberger, had cautioned the inspector general that “eliminating all risk of insider threats is not feasible.” [NYTimes]

US – FTC Recommends Tweaks to IoT Transparency Guidelines

The FTC has some suggested changes for a draft proposal on making the Internet of Things more secure and informing consumers about that level of security. Those came in comments on the National Telecommunications & Information Administration’s effort—through a multistakeholder working group—to draft guidelines for upgrading and improving security for the devices, which include everything from smart TVs, lightbulbs and fridges to fitness trackers, wine cellars and self-driving cars. [Broadcasting Cable]

US – Underwriters Laboratory Issuing Software Security Certifications

Underwriters Laboratory is now issuing security certifications for networked software. UL launched its Cybersecurity Assurance Program in April 2016. So far, just a few products have received certification.

US – Girl Scouts to Offer Cyber Security Badges

The Girl Scouts of the USA (GSUSA) will start offering badges in cyber security in 2018. In all, there will be 18 cyber security badges. GSUSA is partnering with Palo Alto Networks to develop the curriculum.

RFID / IoT

EU – ENISA Recommend Addressing Challenges of Emerging Disruptive Technologies

ENISA has issued a paper identifying principles and opportunities that should be addressed in the renewed EU cybersecurity strategy. New technologies such as robotics, IoT, artificial intelligence, and internet of people will have significant effects on the EU digital single market; the EU should assess risks over the entire lifecycle of products, ensure access to trustworthy products and services that do not depend on a single service provider, and examine software ownership and control issues (liability for compromised software or mistakes by autonomous devices, imposition of manufacturers’ terms and conditions on end users, and possible mandatory disclosure of security vulnerabilities). [ENISA – Principles and Opportunities for a Renewed EU Cyber Security Strategy]

Security

US – FBI Issues 2016 Internet Crime Report

The 2016 Internet Crime Report from the FBI’s Internet Crime Complaint Center (IC3) provides information about trends in online crime. In 2016, more than 10,000 incidents of tech support fraud were reported to IC3, with losses totaling nearly 8 million USD. Other trends noted in the report are email compromise, ransomware, and extortion. Online extortion, tech support scams and phishing attacks that spoof the boss were among the most costly cyber scams reported by consumers and businesses last year. [See here] The IC3 report [see 28 pg pdf here] correctly identifies some of the most prevalent and insidious forms of cybercrimes today, but the total financial losses tied to each crime type also underscore how infrequently victims actually report such crimes to law enforcement. One expert observed that the FBI’s ransomware numbers “are ridiculously small compared to what happens in the real world, where ransomware is one of today’s most prevalent cyber-threats. The only explanation is that people are paying ransoms, restoring from backups, or reinstalling PCs without filing a complaint with authorities.” [See here] The IC3 report notes that only an estimated 15% of the nation’s fraud victims report their crimes to law enforcement. For 2016, 298,728 complaints were received, with a total victim loss of $1.33 billion. If that 15% estimate is close to accurate, that means the real cost of cyber fraud for Americans last year was probably closer to $9 billion, and the losses from ransomware attacks upwards of $16 million. The IC3 said losses from CEO fraud (also known as the “business email compromise” or BEC scam) [see here] totaled more than $360 million. Applying that same 15% rule, that brings the likely actual losses from CEO fraud schemes to around $2.4 billion last year. [Krebs on Security | https://www.fbi.gov: IC3 Releases Annual Report Highlighting Trends in Internet Crime | https://pdf.ic3.gov: 2016 Internet Crime Report]

US – Companies Create Principles for Cybersecurity Risk Ratings

The U.S. Chamber of Commerce has announced that a consortium of more than two dozen chamber member companies, including prominent big banks, big-box retailers, and technology giants released a set of principles designed to promote fair and accurate cybersecurity ratings. The creation of the “Principles for Fair and Accurate Security Ratings“ comes in response to the recent emergence of several companies that collect and analyze publicly accessible data to develop a rating of a company’s cybersecurity risk posture. Importantly, however, cybersecurity ratings have the potential for being inaccurate, incomplete, unverifiable and unreliable if, for example, the source data is inaccurate or the methodology doesn’t account for risk mitigations in place at a company. The principles developed by the consortium were designed to increase confidence in and the usability of fair and accurate cybersecurity ratings by addressing the potential problems. The principles were modeled after the Fair Credit Reporting Act, which helped increase confidence in the credit process by ensuring the usability of ratings for legitimate purposes while recognizing the interests of consumers to ensure that the data underlying the scores was accurate and complete. The principles are as follows: 1) Transparency; 2) Dispute, correct and appeal; 3) Accuracy and validation; 4) Model governance; 5) Independence; and 6) Confidentiality. Becoming adept at understanding and effectively utilizing cybersecurity ratings will be an important strategic advantage for companies in the future. [Data Privacy Monitor (Baker Hostetler)]

US –NIST Issues Risk Management Implementation Guidance

The National Institute of Standards and Technology (NIST) issued a draft Cybersecurity Framework to be used by federal agencies in conjunction with the current and planned suite of NIST security and privacy risk management publications. The guidance, which includes 8 use cases in which agencies can leverage the cybersecurity framework to address common vulnerabilities, is designed to elicit feedback to determine which cybersecurity framework concepts are incorporated into future versions of the suite of NIST security and privacy risk management publications. Comments are due by June 30, 2017. [NIST – The Cybersecurity Framework – Draft NISTIR 8170]

US – Senators Weigh Conflicting Privacy, Security Concerns on FISA Rule

The delicate balance between national security and individual privacy came into stark relief as senators debated whether to extend a soon-to-expire intelligence-gathering tool for foreign suspects, which critics say has massive potential for abuse. [See here] At issue for Senate Judiciary Committee members is reauthorization of Section 702 of the Foreign Intelligence Surveillance Act [see here, here & here] beyond Dec. 31, 2017. That provision allows the federal government to acquire intelligence by targeting foreigners “reasonably believed” to be outside U.S. borders. The panel is divided over a permanent extension of Section 702, as advocated by Sen. Tom Cotton (R-Ark.) and others. Sen. Dianne Feinstein (D-Calif.), otherwise a supporter of the provision, said it should sunset every five years, with reauthorization needed from Congress. [Morning Consult]

EU – Mainframes Especially Vulnerable to Insider Threats: Study

While most chief information officers at large companies say their mainframes are more secure than other systems, a majority say their organizations are still exposed to a significant risk of insider threats due to blind-spots in internal data access and controls. That is the finding of a new report by research firm Vanson Bourne. [See here] For the study, sponsored by mainframe software company Compuware, the firm surveyed 400 CIOs in the U.S., France, Germany, Italy, Spain, and the U.K. in April 2017. Many of the CIOs (84%) say they find it difficult to track who has accessed data stored on the mainframe, exposing them to an increased risk of insider threats. [Information Management]

WW – 43% of Security Incidents Caused by Phishing, Hacking and Malware

Employee actions or mistakes caused 32% of breaches, 18% were caused by lost or stolen devices and records, and 3% were due to internal theft; organisations should identify and implement safeguards (authentication, segregation, intrusion detection/prevention systems, log retention), create a forensic plan, build business continuity into incident response planning, prepare for breach containment and management, and ensure breach notifications are clear and consistent. 2017 Baker Hostetler – Be Compromise Ready – Go Back to Basics – 2017 Data Security Incident Response Report

Smart Cars

US – Regulators, Carmakers Plot Road to Connected Car Privacy, Security

Regulators should exercise “humility” when considering government oversight of privacy and data security issues for vehicles connected to the internet, FTC Acting Chairman Maureen Ohlhausen said. Predicting the future of how connected cars will develop is very difficult, Ohlhausen said in remarks at a connected cars workshop [see here] sponsored by the FTC and the National Highway Traffic Safety Administration. [Read her opening remarks here] The FTC should address actual or likely injury to consumer privacy and data security while fostering development of connected cars, Ohlhausen said. The FTC will use its enforcement powers under the FTC Act but also wants to avoid overlap or conflict with NHTSA oversight efforts, she said. Terry T. Shelton, acting executive director of NHTSA, agreed, saying that her agency will work with the FTC on those goals. Lauren Smith, policy counsel at the Future of Privacy Forum, pointed to the self-regulatory efforts of the Alliance of Automobile Manufacturers, the Association of Global Automakers and their members The groups established Privacy Principles for Vehicle Technologies and Services voluntary industry standards, which went into effect in January 2016. [BNA.com] [Broadcasting Cable | Wilmerhale]

US Government Programs

US – DHS Updates Policy Guidance to Accommodate Changes in Privacy Protection for Non-US Citizens

The Department of Homeland Security issued an updated memorandum providing privacy policy guidance. For US citizens, lawfully permitted residents, and individuals protected by the Judicial Redress Act, disclosures to law enforcement agencies will continue to be made pursuant to System of Records Notices (SORNs) and authorized disclosures under the Privacy Act; however, for all other persons, employees must determine whether the proposed use of the records is consistent with the purpose for which DHS collected them, and routine or regular sharing must be described in applicable privacy notices and PIAs (however, DHS does not plan on collecting additional data targeting citizenship status when not otherwise required). DHS – Privacy Policy Guidance and Memorandum | Q&A]

US – New TSA Policy May Lead to Increased Scrutiny of Reading Material

The TSA is testing new requirements that passengers remove books and other paper goods from their carry-on baggage when going through airline security. Given the sensitivity of our reading choices, this raises privacy concerns. DHS Secretary John Kelly recently said that “we might, and likely will” apply the policy nationwide. Books raise very special privacy issues. As has been discussed, there is a long history of special legal protection for the privacy of one’s reading habits in the United States, not only through numerous Supreme Court and other court decisions, but also through state laws that criminalize the violation of public library reading privacy or require a warrant to obtain book sales, rental, or lending records. There have been multiple cases where passengers have been singled out because of their First Amendment-protected expressions. For example, in 2010 the ACLU sued on behalf of a man who was abusively interrogated, handcuffed, and detained for nearly five hours because he was carrying a set of Arabic-language flash cards and a book critical of U.S. foreign policy. We also know that the DHS database known as the “Automated Targeting System,” which tracks information on international travelers, has included notations in travelers’ permanent files about controversial books in their possession. If the TSA is to begin implementing this practice, I would make two recommendations for them. First, the agency and its screeners need to be sensitive to the potential privacy concerns at work here. Second, given any rule or practice requiring the unpacking and separation of books and other papers, the TSA should allow those materials to be contained by themselves within another package. [ACLU]

US Legislation

US – Bill Limits Collection and Use of Information from Vehicle Data Recorders

Senate Bill 196, amending the Wisconsin Statutes relating to motor vehicle data recorders, has been introduced in the Senate, and referred to the Committee on Government Operations, Technology and Consumer Protection. If passed, the amendments would take effect on the first day of the 7th month after publication. Express consent of owners is required for access, collection, or transfer of information stored on vehicle recorders; exceptions to the consent requirement include court orders, production requests, compliance with a service contract, law enforcement transfers for insurance purposes, for vehicle maintenance and repair, emergency medical responses, or insurance claim investigations. [SB 196 – An Act to Amend the Wisconsin Statutes Relating to Motor Vehicle Data Recorders – State of Wisconsin]

Workplace Privacy

EU – Article 29 WP Updates Opinion on Processing Employee Data

The Article 29 Working Party updated its Opinion 8/2001 on processing of personal data in the employment context. When implementing technologies that enable more systematic processing of employees’ personal data (e.g. BYOD, CCTV, and mobile device management) principles of proportionality and minimisation must be followed; employees should receive effective notice about any monitoring that takes place and consent should not be used a legal basis for processing. Article 29 WP – Opinion Opinion2-2017 – Data Processing At Work

CA – Overview of Provincial Privacy Statutes on Background Checks

This article provides an overview of what employers need to know about background checks in each Canadian province. Ontario, Alberta, Saskatchewan, Manitoba, New Brunswick, Nova Scotia, and Newfoundland and Labrador all permit employers to refuse to hire a candidate convicted of a criminal offence (Ontario employers may not refuse a candidate who has received a pardon); however, human rights legislation in British Columbia, Quebec and Prince Edward Island prohibit an employer from discriminating against a candidate for having a conviction of an offence unrelated to the intended employment. [Background Checks by Province – What Employers Need to Know – Michael Howcroft, Partner, and Noemi Blasutta, Associate, Blake Cassels and Graydon LLP]

+++

 

20 May – 09 June 2017

Biometrics

US – Washington Becomes the Third State with a Biometric Law

On May 16, 2017, Governor Jay Inslee signed into law H.B. 1493—Washington’s first statute governing how individuals and non-government entities collect, use, and retain “biometric identifiers,” as defined in the statute. The law prohibits any “person” from “enrolling a biometric identifier in a database for a commercial purpose, without first providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose.” It also places restrictions on the sale, lease, and other disclosure of enrolled biometric identifiers. With the new law, Washington has become only the third state after Illinois and Texas to enact legislation that regulates business activities related to biometric information. Legislatures in other states around the country are considering similar bills including Alaska, California, Massachusetts, and New Hampshire. The Washington law defines the content and activity it regulates in different terms, and, similar to Texas, but unlike Illinois, the Washington law does not provide a private right of action. On the same day that Governor Inslee signed H.B. 1493, he also signed H.B. 1717, which covers government agencies. Both laws go into effect on July 23, 2017. [Washington Becomes the Third State with a Biometric Law]

US – JetBlue Will Test Facial Recognition for Boarding

The airline will test facial-recognition check-in next month for flights from Boston to Aruba, the latest attempt by the industry to streamline boarding. Passengers will step up to a camera, and the kiosk will compare the facial scan to passport photos in the U.S. customs database to confirm the match. (You still have to bring your passport.) A screen above the camera will let passengers know when they’re cleared to board. JetBlue is collaborating on the technology with SITA, a tech company that specializes in air travel, including products like robotic check-in kiosks that autonomously rove around airports, sensing where they are needed. JetBlue says it will be the first airline to use facial recognition for boarding. The airline says it won’t have access to the photos – only SITA will. SITA said it will not store the photos. Delta Air Lines plans to test face-scanning technology with four kiosks at Minneapolis-St. Paul this summer for passengers to check their own luggage. [CNN Tech] See also: [Face it, this new Blippar mobile app may creepily destroy your privacy] and [UK police arrest man via automatic face recognition tech]

Canada

CA – Canada’s Privacy Czar Raises Flag Over Planned U.S. Border Password Searches

Canadian privacy could be imperilled by apparent U.S. plans to demand cellphone and social media passwords from foreign visitors, a federal watchdog says. In a letter [see here] to the House of Commons public safety committee, privacy commissioner Daniel Therrien warns the recent pronouncements from the Trump administration could mean intrusive searches — even at preclearance facilities in Canada. The Commons public safety committee is studying legislation [Bill C-23 see here] that would expand preclearance operations. Under the bill, U.S. searches at preclearance facilities would be governed by Canadian law, including the Charter of Rights and Freedoms. But Therrien says those protections appear to be hollow because they could not be enforced in court due to immunity provisions that significantly limit access to civil remedies for the actions of U.S. border officers carrying out preclearance duties. The Liberal government says the preclearance arrangements would strengthen security and prosperity while ensuring respect for the sovereignty of both countries. [Globe & Mail]

CA – CSIS Kept ‘All’ Metadata on Third Parties for a Decade: Top Secret Memo

When CSIS intercepted the communications of innocent people between 2006 and 2016 “all” the metadata related to those communications was retained in a controversial database, a top secret memo obtained by the Star suggests. The document relates to CSIS’s Operational Data Analysis Centre (ODAC) and a now-discontinued program that stored data intercepted from the service’s targets — and people who were in contact with them at the time. The Federal Court ruled in 2016 it was illegal for the service to indefinitely keep data on people who posed no threat to Canada’s national for future analysis. While the basics of the program were revealed in heavily censored court documents, the scale of the program is not widely understood. CSIS told parliamentarians earlier this year that it didn’t know how many Canadians were caught up in the ODAC. But in an October 2016 memo to Public Safety Minister Ralph Goodale, outgoing Canadian Security Intelligence Service director Michel Coulombe suggested the court’s ruling would have a significant impact. In a statement Thursday evening, CSIS spokesperson Tahera Mufti reiterated that all the ODAC data was collected legally via court warrants over the years. The Federal Court did not rule the collection of third-party metadata was illegal — just the indefinite retention. Mufti also confirmed the new six-month period to assess whether metadata is relevant to a CSIS investigation. “CSIS has implemented new retention practices for information, including associated data (metadata), collected via warrant that are in compliance with (Noël’s) decision, which will allow ODAC to recommence its analysis of newly acquired associated data,” Mufti wrote. “ODAC historical metadata holdings remain fenced off, and unavailable for use, until a final decision regarding their disposition is made.” Toronto Star: Top secret memo suggests large scale for CSIS metadata program, Federal Court ruled keeping the data was illegal in 2016]

CA – Report on C-51 Public Consultations, Most Disapprove

Last fall, the government asked Canadians to weigh in on the future of the country’s national security legislation. The government received 58,933 responses through an online questionnaire, and another 17,862 via email — in addition to feedback from cross-country meetings with constituents, academics and expert groups. On May 19, a report summarizing the results of the consultation was released, with one topic in particular drawing considerable attention: what sort of powers should law enforcement and intelligence agencies have when investigating crimes in the digital world? “Most participants in these Consultations have opted to err on the side of protecting individual rights and freedoms rather than granting additional powers to national security agencies and law enforcement, even with enhanced transparency and independent oversight,” the report reads. “The thrust of the report suggests that there’s significant appetite for reform,” said Craig Forcese, a law professor at the University of Ottawa who has written extensively on Bill C-51 — in particular, “a significant appetite for limiting state power in terms of the sorts of powers that security services have.” [CBC News: Canadians ‘reluctant’ to accept new police powers, prefer privacy online, government finds]

CA – Goodale Calls C-22 ‘Major Piece’ of National Security Agenda

Canada’s Public Safety Minister Ralph Goodale signalled that he’s hoping to bring in further national security legislation as he looks to the Senate to pass the Liberals’ first “major piece” of the government public safety and security agenda, Bill C-22 [see here] The legislation would establish the new joint National Security and Intelligence Committee of Parliamentarians, the first of its kind in Canada. It will set up its scope, mandate, and outline its legal rights and restrictions. It also establish a secretariat for the committee. The mandate of the committee is to review, monitor, and scrutinize the work of the country’s most secret intelligence agencies, including CSIS, the RCMP, the CSE, and the CBSA. As it’s drafted, the committee would be under the purview of the Government House Leader’s Office, but the secretariat will be established through the Privy Council Office and the committee will report to Prime Minister Justin Trudeau (Papineau, Que.). Mr. Trudeau appointed five-term Liberal MP David McGuinty (Ottawa South, Ont.) last January to chair the committee. Other members of the committee have not been chosen yet. [The Hill Times: Goodale calls C-22 ‘major piece’ of feds’ national security agenda, says amendments to Conservatives’ Anti-Terrorism Bill C-51 coming soon]

CA – Journalist Shield Law Could Soon Become Reality in Canada

The federal Liberal government is prepared to throw its support behind proposed legislation to protect the identity of journalists’ confidential sources. The government is expected to announce it will back a Conservative senator’s privately sponsored bill that would, for the first time in Canada, provide statutory protection for the identity of journalists’ sources. The bill would make it harder for police and other law enforcement or security agencies to spy on journalists’ communications or to seize documents that could reveal their sources. It would also make it harder for the cops to use whatever information is seized or captured by warranted surveillance. The Journalistic Sources Protection Act, S-231, was introduced by Sen. Claude Carignan in November after revelations that Montreal police spied on the communications of 10 journalists in Quebec in recent years — a scandal that has prompted a public inquiry in the province. In a major move that could see a new law adopted within a few months, the Liberals will propose a handful of technical amendments to address “legal and policy concerns” with the bill as drafted — changes that a senior government official characterized as “reasonable” and that Carignan said he supports. [The Star]

CA – Federal Housing Agency Boosting Its Ability to Detect Mortgage Fraud

The head of Canada Mortgage and Housing Corp. says it is beefing up its ability to detect mortgage fraud after being directed to do so by the federal government. CMHC president and CEO Evan Siddall says there is no evidence of a widespread mortgage fraud problem. But Siddall says there are incentives to commit fraud in the system and therefore the agency needs to be vigilant. Siddall says CMHC is looking at ways it can use data analytics to spot patterns that could be indicative of fraud networks or fraud rings. (Toronto Star)

CA – OIPC QC Rules Individuals Cannot Be Barred from Requesting Access to Information by Telephone

The Commission d’Accès à l’Information du Québec investigated a complaint against Surete du Quebec, alleging non-compliance with the Act on Access to Documents of Public Bodies and Protection of Information. The Quebec Commissioner received a complaint that the Police Headquarter’s telephone system barred callers from requesting access to information held; the institution does respond to written requests received from individuals within the legislated timeframe, however, modifications had to be made to its telephone message to ensure individuals could also request access orally, through speaking with an employee, or leaving a message after hours. [CAI QC – Decision 1011205 – Surete du Quebec]

CA – OIPC ON Issues Compliance Guidelines for Security, Breach Protocols, and Electronic Health Records

The Information and Privacy Commissioner in Ontario provided an update on the latest developments in healthcare and guidance on protection of personal health information, pursuant to the Personal Health Information Protection Act. Healthcare custodians should ensure the following – a written policy for sending and receiving emails, encryption of emails containing PHI (unless it is an urgent situation), restrictions on access to servers and portable devices, appropriate access controls (including staff training on access to PHI), and appropriate discipline for unauthorized access. PHI can be collected from the provincial EHR only to assist in healthcare provision, or eliminate significant risk of serious harm, and the IPC and affected individuals must be notified of theft, loss or unauthorised access to PHI. [IPC ON – Latest Developments in Protecting Personal Health Information]

CA – OIPC ON Issues Best Practices on Adequate Search

This IPC guidance examines the components of a reasonable search. Document the details of the search; ensure a full understanding of the request (contact the requester if necessary), consider the search methods (e.g. who conducted the search, who was consulted, what types of files were considered, and were any areas left out), consider destruction of records (if possible, provide details of record retention policies and schedules), and consider records outside the organization’s custody (who has them and why). [IPC ON – Reasonable Search Press Release | Guidance]

CA – OIPC AB ‘Fearful’ NDP Won’t Fix Flawed Freedom of Information Law

More than a month after the release of a report [see 55 Pg pdf here] raising alarm over government secrecy, information and privacy commissioner Jill Clayton is disappointed and frustrated with the lack of action by the NDP to ensure Albertans have proper access to government information. In a separate report [see 11 Pg pdf here], Clayton has called on the NDP government to amend the legislation to give her office that capacity — a power that had long been recognized by the province until recent years — but the province has given no signal on how it will proceed. “I am fearful that nothing’s going to happen,” Clayton said in a recent interview. “It’s impossible to imagine how citizens can hold a government to account, how they can engage fully in a democracy, if they’re not able to get information, and a big piece of that is to have independent, objective and effective oversight.” The most recent issues raised by Clayton follow reports see here she issued in February warning of “unacceptable” delays in processing information requests and a “lack of respect” for access to information among some senior officials within the civil service. [Calgary Herald]

CA – CRA Employee Fired After Agency’s Biggest Privacy Breach

Eight CRA staffers were fired during the fiscal year that ended March 31 for improperly accessing taxpayer data. Now comes news that another person was fired just before that for committing the biggest privacy breach in the department’s history. Sometime before March 23, 2016 the unnamed employee improperly accessed the accounts of 38 taxpayers in detail, and briefly accessed another 1,264 accounts using a search function to find surnames and postal codes. CRA spokesman said no taxpayer data was changed and stressed that of the 1,264 accounts briefly accessed files were viewed for approximately two seconds per account. So this is time for another reminder that the federal privacy commissioner’s office has issued guidance on ways to cut down on employee snooping. Suggestion number one is foster a culture of privacy. [IT World Canada | Tax worker fired after biggest privacy breach at Revenue Canada]

CA – SCoC Hears Fed’s Appeal on Residential School Records

Lawyers for the federal government and the National Centre for Truth and Reconciliation took turns Thursday trying to convince the Supreme Court how to handle the personal records of those who endured life inside Canada’s infamous residential schools. The Liberal government is appealing a lower court decision that allows the records to be destroyed after 15 years unless the individual in question directs otherwise. Justice Department lawyers say the documents are subject to federal laws governing access to information, privacy and the national archives, and should be preserved to ensure the residential school legacy is never forgotten. A lower court judge ruled the material should be destroyed after 15 years, but individuals could consent to have their stories preserved at the National Centre for Truth and Reconciliation in Winnipeg. In a split decision in April 2016, the Ontario Court of Appeal agreed, noting the documents were not government records subject to archiving laws. The court also rejected the idea the documents were “government records” but fell under judicial control. A dissenting justice maintained, however, that the documents should be turned over to Library and Archives Canada, subject to normal privacy safeguards and rules. The Assembly of First Nations argues the Ontario Court of Appeal upheld the promises of confidentiality made to former students of residential schools by ordering the destruction of records and ensuring former students maintain control over the accounts of their residential school experiences. [The Canadian Press via The Chronicle Herald]

CA – OIPC ON Recommendations for Creation and Analysis of Data Sets

The Information and Privacy Commissioner of Ontario has issued guidance on the use of big data by government institutions. Institutions should ensure they have the legal authority to collect personal information for big data projects, publish a description of the project on their website, de-identify linked data sets (to ensure adequate separation between policy analysis and administrative functions), ensure information analyzed is accurate, complete, and up-to-date, be aware of misleading correlations, and ensure profiling decisions that significantly affect individuals are verified. [IPC ON – Big Data Guidelines]

CA – OIPC SK Finds Health Authority Failed to Properly Respond to Privacy Breach

This OIPC report investigates the handling of a privacy breach by the Keewatin Yatthè Regional Health Authority (“Keewatin”) pursuant to Saskatchewan’s The Health Information Protection Act. The authority did not contain the breach (it did not recognize that a suspended nurse’s 3 hours of unsupervised access to patient records as a breach), conduct an adequate investigation (it does not interview employees on unpaid leave), or notify affected individuals (it should provide written notification, post a public notice regarding the breach, and provide patients with the opportunity to view their chart free of charge); the provincial nurses’ association and union should support the authority’s request for an interview with the employee. [OIPC SK – Investigation Report 230-2016 – Keewatin Yatthè Regional Health Authority]

CA – OIPC SK Issues Guidelines for Conducting Audits of Users’ Access to Medical Records

The Office of the Saskatchewan Information and Privacy Commissioner issued guidance about auditing users accessing personal health information in accordance with the Health Information Protection Act. A proactive audit and monitoring program includes random audits of user activity, focused audits as a result of a complaint made by a staff member or the general public, and monitoring procedures; a user viewing their own record, a record of an individual with the same last name or another employee’s are some of the events that should trigger an audit. [OIPC SK – Audit and Monitoring Guidelines for Trustees eHealth Saskatchewan]

CA – OIPC SK Finds Doctor’s Access to PHI for Training Purposes is Unlawful

The Office of the Information and Privacy Commissioner in Saskatchewan investigates a complaint against a doctor’s access to personal health information in contravention of the Health Information Protection Act. The doctor accessed personal health information of a non-patient without a legitimate need-to-know basis (i.e., to train his wife to assist with various aspects of his medical practice); if the doctor’s wife had a legitimate need to access the information to complete her job duties, the doctor should have registered her with her own user account. [OIPC SK – Investigation Report 282-2016 Eastside Medical Clinic Dr Serhii Haidash]

CA – OIPC SK Recommends GTH Board Quit Private Email

The provincial privacy commissioner says members of the Global Transportation Hub’s board of directors received “sensitive” information at private email addresses — and says board members should conduct government business with government email rather than their personal email accounts. The suggestion was contained in a report [see here] related to a Freedom of Information request filed by CBC Saskatchewan in April 2016 “It is clear from the record in this case that sensitive GTH information was sent to board members at their personal email addresses. I strongly sent to board members at their personal to reconsider this practice,” the report said. [see line 17 here] The report comes a month after Saskatchewan Premier Brad Wall was criticized by the Opposition New Democrats for conducting government business using his own personal email server. “We appreciate the advice of the Information and Privacy Commissioner and will consider all the recommendations,” a GTH spokesperson said through an email Tuesday afternoon. [GTH board shouldn’t use personal email to send ‘sensitive’ info: privacy report ]

CA – Saskatoon Health Region Sees Increase in Privacy Breaches and Complaints

The Saskatoon Health Region’s latest data shows that there has been a 50% increase in the total number of privacy breaches and complaints. The data was compiled between April 1 and March 31 in each fiscal year [from 2012 to 2016]. According to the region’s enterprise risk management director Lori Frank, the increase can be attributed to awareness. Social media has also played a role in the increase of violations and subsequent complaints. [GlobalNews]

CA – OIPC NFLD Guidance on Disclosure of Records Containing Policy Advice or Recommendations

The Office of the Information and Privacy Commissioner in Newfoundland and Labrador has issued recommendations on determining whether records requested, pursuant to the Access to Information and Protection of Privacy Act, are exempted from disclosure. Public bodies can refuse disclosure of records contain advice (identifying options for a decision without making specific recommendations), proposals, and recommendations (suggested course of action); however, since this a discretionary exemption, institutions should consider whether disclosure would subject its decisions and policy-making to excessive scrutiny, or whether there is a public interest in the information that overrides its interests in refusing disclosure. [OIPC NFLD – Policy Advice or Recommendations]

CA – Alberta Gov’t Says Shredded Documents an Isolated Incident

Alberta legislature visitor logs shredded in the months following the 2015 election have the Opposition demanding an investigation by the privacy commissioner. Justice Minister Kathleen Ganley said Wednesday it seems the missing documents were due to what she labelled “inappropriate” actions of a single person employed with the legislature’s sheriff’s office at the time. Wildrose democracy and accountability critic Nathan Cooper said shredding documents is a clear violation of the transparency the NDP pledged to Albertans. [Shredded documents an isolated incident: justice minister]

CA – Ottawa Police Back External Case Reviews Modelled After Philadelphia Approach

The Ottawa Police Service will adopt an external review of sexual assault cases modelled after an oversight program in Philadelphia that has been shown to improve the quality of sex-assault investigations dramatically and reduce the number of complaints dismissed as unfounded. The move is a significant reversal for the Ottawa service, which in December, 2015, after nearly two years of negotiations, rejected a proposal from local advocacy groups to adopt the oversight model. At the time, the service said it was advised that privacy laws prohibited sharing case files with civilians. Brian Beamish, the Information and Privacy Commissioner of Ontario, told The Globe in a statement that his office has been working with police services about how to implement the Philadelphia model in a way that complies with privacy legislation. “It is my view that external review of sexual-assault case files can make an important contribution to improving the investigation of sexual assault complaints while complying with privacy requirements, including through the use of agreements, oaths of confidentiality and privacy and confidentiality training,” Mr. Beamish said in the statement. [Source]

CA – Ontario Court Considers Harm as Factor for Merging Class Action Suits

The Court considers a carriage motion to join two separate class action complaints regarding a data security breach at Casino Rama Services Inc. Two similar class action suits were brought forward in Ontario regarding a data breach of confidential personal and financial information where the hacker dumped data on the Internet; the firm that is in a better position to provide class members with a speedy resolution is considered as with each passing month it becomes easier for the defendant to say that no harm has been done. [Kaplan v Casino Rama Services Inc. et al – 2017 ONSC 2671 CANLII – Superior Court of Justice Ontario]

CA – Winnipeg Transit Gave Rider Location Data to Cops, No Warrants

City officials confirmed that on four occasions since March of 2017, Winnipeg police have requested the data generated through the use of Peggo cards for a specific passenger to assist with an investigation. On each occasion, the transit service provided police with the desired records. In July of 2016, Winnipeg Transit launched its new Peggo card system, which allows users to pay their fare using an electronic card. It also allows Transit officials to track the exact travel habits of the 130,000 daily Transit passengers. Every time a passenger uses their Peggo card, data is generated on the date, time, bus number, boarding and transfer locations. If the user has registered their card online, the passenger’s name becomes linked to the data. Other government bodies also forward personal information to law enforcement without requiring a warrant or court orders. Bruce Owen, spokesperson for Manitoba Hydro, said requests from police for account information must be made in writing. “We provide police information on a customer’s account, including confirmation there has been a higher than normal kilowatt-hour consumption,” he said. Tom Keenan, a professor at the University of Calgary who specializes in information security says “I see a growing sensitivity to this kind of information and it is quite appropriate to question it” The privacy and information watchdog for the province says that under the Freedom of Information and Protection of Privacy Act, or FIPPA, any public body can release personal information to law enforcement without the need for a warrant or the consent of the individual being targeted under certain conditions. Specifically, Section 44(1) of the act outlines conditions under which a public body may disclose personal information to law enforcement Winnipeg Mayor Brian Bowman said while he has been assured transit complied with privacy legislation, he wants to know more about what councillors were told about Peggo privacy before the cards went online last year. [Winnipeg Transit gave Peggo card travel history to police without warrants]

CA – Toronto Committee Scraps Proposal for In-Cab Cameras Due to Privacy Concerns

At a May 29 city meeting, Toronto’s Government Management Committee voted to scrap a proposal that would place cameras in the cabs of the city’s garbage truck fleet. The intention of the proposal was to increase internal surveillance in order to improve safety management and determine causes of accidents when they happen. However most city officials predicted this proposal would have a negative effect on morale. Beaches-East York Councillor Janet Davis said at the meeting, “This is about invasion of personal privacy and the extent that management can do that,” InsideToronto.com reported. Some other committee members said the suggestion to monitor garbage truck drivers on their routes should be part of a bigger discussion about management. [wastedive.com]

CA – Court-Ordered Reconsideration by OIPC BC Upholds Government Corporation’s FOI Disclosure of Email Correspondence

This OIPC order is a court-ordered reconsideration of Order F13-23 and redetermination of an unpublished investigation report by the OIPC concerning a request from a journalist for correspondence pursuant to British Columbia’ Freedom of Information and Protection of Privacy Act. Emails that reflect 2 employees’ intertwined business and personal relationships must be disclosed (with portions severed); the emails were largely created for in the course of professional duties, and are under the corporation’s control (e.g. there were sent/received by the corporation’s email system and are stored on its servers). The corporation was not required to notify one of the employees that it was “collecting” his PI as it was not doing so; the employee voluntarily provided his PI in the emails and his PI was not solicited by his colleague. [OIPC BC – Order F17-20 – British Columbia Lottery Corporation]

CA – MB Freedom of Information Review Gives PCs Opportunity to Close Legislative Loopholes

The Manitoba Legislative Assembly Press Gallery is asking for clarity around exemptions, reports to cabinet. Manitoba is reviewing the Freedom of Information and Protection of Privacy Act (FIPPA), but balancing a transparent government with a right to privacy is a tricky act. The act came into force in 1998 and provides right of access to records held by public bodies while protecting privacy by setting rules for information collection, use and disclosure. Provincial legislation calls for it to undergo regular reviews and the last was in 2004, before it was significantly amended again in 2011. Reviewing the legislation is a good opportunity for the province to catch up to freedom of information laws in other provinces, said Steve Lambert, past-president of the Manitoba Legislative Assembly Press Gallery. The Manitoba Legislative Assembly Press gallery, which has 46 members and represents 11 media outlets, contributed a submission to the review calling for clarity and more reasonable time frames for access to information. “Our biggest concern is that background information, data reports, things that the public pays for on matters of public interest are currently kept hidden,” Lambert said. “Basically right now anything that is submitted to a cabinet minister or produced by a cabinet minister cannot be released to the public for 20 years and that is such a wide all-encompassing exception that if you are in government and wanted to hide something you could just give it to a cabinet minister and claim that exemption.” Manitobans are being asked to take part in the review and submissions will be collected until the end of the month. [CBC News]

CA – Proposed Amendments to PIPEDA Will Make It Mandatory to Notify a Breach

There is currently no mandatory requirement in Canadian legislation for organizations to notify of a breach, except in certain circumstances (e.g., private sector organizations in Alberta, and health information in Ontario, New Brunswick and Newfoundland and Labrador); organizations should make it a best practice to voluntarily notify affected individuals of privacy breaches, as once it is made mandatory under PIPEDA, organizations that fail to notify may be subject to a fine of up to $100,000, and may be publicly named by the Privacy Commissioner. [Privacy Breaches in Manitoba– A Mitigation and Prevention Primer – Andrew Buck, Lawyer, Pitblado Law: Manitoba: Whistleblower sues health authority and lawyers, alleging identity revealed

Consumer

CA – Canadians Want More Regulatory Review of Emerging Technologies: Accenture

Canadians prioritize regulatory reviews of drones, autonomous vehicles and online user agreements above those of other emerging technologies, according to new research from global professional services company Accenture on Canadian attitudes on government regulation of emergent technology-enabled products and services. The survey found that four in 10 (40%) of those polled said that “drones equipped with video cameras” should be a key area for government regulatory review. Nearly as many Canadians said that key areas for government regulatory review should include autonomous (driverless) vehicles and for online user agreements for new products or services (each cited by 38% of respondents). Other areas in which Canadians want to prioritize a regulatory review include connected homes and products, such as technology that controls a home’s lights, alarms, temperatures, or baby monitors from a mobile phone or other device (cited by 30% of respondents); social media, including privacy rights and/or guidelines around advertising (26%); ridesharing services like Uber and Lyft (26%); and sharing economy accommodations like Airbnb and HomeAway (23%). However, many Canadians believe that the government should step away from regulating certain technologies “because they are evolving well without the need for additional regulation.” For example, half (51%) of Canadians want government to step away from further regulating video/music streaming, and almost as many want government to stop regulating connected homes/products (48%), social media (46%) and artificial intelligence (43%). [Canadian Underwriter]

WW – Google Starts Tracking Offline Shopping — What You Buy at Stores in Person

Google already monitors online shopping — but now it’s also keeping an eye on what people buy in physical stores as it tries to sell more digital advertising. The Internet giant said that a new tool will track how much money people spend in merchants’ bricks-and-mortar stores after clicking on their digital ads. The analysis will be done by matching the combined ad clicks of people who are logged into Google services with their collective purchases on credit and debit cards. Google says it won’t be able to examine the specific items bought or how much a specific individual spent. But even aggregated data can sometimes be converted back to data that can identify individuals, said Larry Ponemon, chairman of the Ponemon Institute privacy research firm. Google’s tool doesn’t work for cash payments or the 30% of U.S. card transactions that Google can’t currently access. Google gives its users the option to limit the company’s tracking and control what types of ads they are shown — although in practice, relatively few users tweak such settings. [Associated Press | How the latest Google data mine digs into credit-card privacy] and also Be careful celebrating Google’s new Ad Blocker. Here’s what’s really going on

E-Government

NZ – Govt Backtracks On Data-for-Funding Proposal

Social service providers will no longer need to hand over the private details of their clients to the government until a new data protection policy is in place. The government had said it would only give funding to providers if they handed over client names, birth dates, ethnicity and the personal details of any dependants. Last month the Privacy Commissioner found handing over the details was “excessive”, disproportionate to the government’s need, and the Ministry of Social Development acted “prematurely” without considering privacy risks. Minister for Children Anne Tolley has temporarily suspended the process. She said an advisory group would be set up to consider the best way to increase the level of data being collected, while maintaining privacy and trust with providers. [Radio New Zealand]

US – DEFCON to Plumb Electronic Voting Machines’ Security

The DEFCON conference in July will include a “village” of electronic voting machines for attendees to try to crack. DEFCON founder Jeff Moss said that the voting machine companies are welcome to be involved in the process, but expects that they will not take him up on his offer. [Top hacker conference to target voting machines]

E-Mail

CA – Feds Suspend Implementation of CASL Private Right of Action

The federal government has issued an Order in Council today delaying the coming into force date of the private right of action under Canada’s Anti-Spam Legislation until completion of a parliamentary review “in order to promote legal certainty for numerous stakeholders claiming to experience difficulties in interpreting several provisions of the Act while being exposed to litigation risk.” “If they are delaying it, that’s definitely good news for businesses. A lot of them have been struggling in the past few months to make sure they are complying with CASL in light of the two changes that will be coming into force — the private right of action as well as the end of the transition period,” says Eloïse Gratton of Borden Ladner Gervais LLP. Inga Andriessen says the big message that will need to get out is that CASL hasn’t been repealed. CASL is still going to be in place. The government can still fine you the same way as they could before, but the good news is nobody is going to be suing you in court for any violation of CASL. If anything, it’s a time to really take a look at your CASL policies and make sure you’re still compliant or get compliant if you weren’t before.” [Last minute reprieve as feds suspend controversial private right of action provision in CASL] Canada: CASL – Government Suspends Private Right of Action

Electronic Records

CA – Conservative Party Takes Disciplinary Action After Membership List Shared

The Conservative party is demanding that the National Firearms Association destroy a party membership list that it appears to have illicitly obtained from one of the camps in the recent leadership contest. “We are aware that our members are being contacted by an outside organization,” the party said. “We will be issuing a cease-and-desist letter to the organization in question, demanding that they destroy the list.” The party did not identify the outside organization but the post came after numerous Conservatives complained through social media that they’d received a letter this week from the National Firearms Association, seeking a donation. They suspected that the association had obtained their names and addresses from the party membership list, distributed to each of the 14 candidates during the leadership race, which concluded last weekend with the election of Andrew Scheer. CBC News contacted spokespeople for all 14 campaigns, all of whom denied sharing the list with the National Firearms Association. The party did not name the culprit but said it has “identified the parties responsible for sharing the information, and will be taking disciplinary action against them.” [The Canadian Press]

EU Developments

EU – Cybersecurity Skills Gap of 350,000 Workers by 2022

This month sees the third release of data from the “Global Information Security Workforce Study 2017: Benchmarking Workforce Capacity and Response to Cyber Risk” [see here & here], which was conducted by Frost & Sullivan for the Center for Cyber Safety and Education, with the support of (ISC)2, Booz Allen Hamilton and Alta Associates; and offers up a deeper exploration of the growing cybersecurity skills gap. It predicts a] cybersecurity skills gap for Europe of 350,000 (globally 1.8 million) by 2022, resulting in European organisations planning their fastest rate of cybersecurity hiring in the world – as 38% of surveyed hiring managers in the region admitting they intend to grow their workforce by at least 15% in the coming year. Though, this is despite the fact that two-thirds of organisations have also stated that they currently have too few cybersecurity workers. The lack of professionals entering the industry has a two-fold impact on the profile of the workforce. Not only is it not increasing at a rate fast enough to fill the necessary roles, it has also led to a greying workforce, with just 12% of workers under 35, and 53% over 45. The profession faces a looming skills cliff edge, with the majority of workers getting closer to retirement and companies failing to recruit long-term replacements. Recommendations by this release suggest that organisations need to adapt their approach to recruitment and draw from a broader pool of talent. This is backed by findings that show that workers with non-computing related backgrounds account for nearly a fifth of the current workforce in Europe, and that they hold positions at every level of practice, with 63% at manager level or above. [What we learned from this month’s European GISWS report]

UK – ICO Promotes Funding for Data Protection and Privacy Research

The Information Commissioner’s Office (ICO) has announced that it will provide between £20,000 and £100,000 to organisations that meet its criteria for funding under the new grants programme. The ICO said there its grants programme has five objectives, which including supporting and encouraging research and “privacy enhancing solutions in significant areas of data protection risk”, in projects “that will make a real different to the UK public”, as well as raising data controllers’ awareness of “privacy enhancing solutions”. The watchdog said data protection and privacy research projects must meet at least one of the five strategic goals it set out in its recently published information rights strategic plan (14-page / 209KB PDF) to be eligible for funding. [Organisations given chance to win funding for data protection research by UK watchdog]

EU – EU Adopts Regulation for Wearable Technology

The European Union adopts Regulation 2017/745 on Medical Devices, which includes the issuance of a press release; and fact sheet. The Regulation, which applies to devices and related software, requires EU registration of each device, designation of an EU authorised representative for the manufacturer, and informed consent from the subjects of any clinical investigations concerning the device; a manufacturer must have a risk management plan for the lifecycle of each devices, and keep technical documentation available to EU authorities for 10 years. [Regulation 2017/745 on Medical Devices – European Union | Press Release | Fact Sheet | DLA Piper | Emergo]

UK – ICO Outlines 4-Year Plan to Strengthen Transparency and Accountability

The UK Information Commissioner’s Office released a 4 year plan outlining its mission, vision and strategic goals. The ICO will increase public trust and confidence in how their data is used and made available by creating a culture of accountability, improve standards of information rights practice through clear, targeted engagement and influence, and maintain and develop influence within the global regulatory community (despite Brexit); a technology strategy will be developed to assist organisations, and there will be continued focus on lead generation and data broking organisations to ensure compliance with the law. [ICO UK – Information Rights Strategic Plan 2017-2021]

Facts & Stats

US – FTC Finds Thieves Attempt to Use Stolen Data Within 9 Min of Breach

In an effort to see what happens after a data breach, the Federal Trade Commission leaked a database of 100 fake customers and found it only took 9 minutes for crooks to attempt to access the information. The FTC’s Office of Technology made the information realistic by using popular names based on Census data, addresses from across the country, email addresses that used common email address naming conventions, phone numbers that corresponded to the addresses, and one of three types of payment information (an online payment service, a bitcoin wallet or a credit card), according to a May 24 blog post. Researchers then twice posted the information to a popular hacker forum where stolen credentials are shared, within 9 minutes of the second post, hackers were attempting to use the stolen data to pay for all sorts of things, including clothing, games, online dating memberships and pizza. More than 1,200 attempts were made to exploit the stolen information. [scmagazine.com]

FOI

CA – Information Commissioner Tables 2016/17 Annual Report

Information Commissioner Suzanne Legault tabled her 2016–2017 Annual Report in Parliament today. [See here] The year began on a positive note for access to information and transparency with many constructive advancements and a promise by the government to reform the “Access to Information Act.”[See here] As the year drew to a close, Commissioner Legault says there is “a shadow of disinterest on behalf of the government.” Several investigations illustrate longstanding deficiencies with the Act, which include the deletion of emails subject to a request, difficulties accessing documents in a ministers’ office, failure to document decisions, and lengthy delays to obtain information. Institutional performance in relation to compliance with the Act is showing signs of decline. Much-needed reform is necessary to solve ongoing problems across the access system. Commissioner Legault says “our investigations highlight that the Act continues to be used as a shield against transparency and is failing to meet its policy objective to foster accountability and trust in our government. The Act urgently needs to be updated to ensure that Canadians’ access rights are respected. A lot of work needs to be done before this government delivers on its transparency promises.” [The Information Commissioner’s 2016−2017 annual report] Canada: The Information Commissioner’s 2016−2017 annual report

CA – Government Accused of Hoarding Canadian History in ‘Secret’ Archives

Some of Canada’s leading historians say the federal government is putting the country’s historical record at risk by hoarding piles of documents inside secret archives that together would make a stack taller than the CN Tower. Historian Dennis Molinaro of Trent University discovered ministries and agencies are stockpiling millions of decades-old papers rather than handing them over to Library and Archives Canada for safekeeping and public access. He’s launched a petition to try to convince the government to set them free. The Canadian Historical Association (CHA) has joined his campaign and is calling on the government to mark Canada’s 150th anniversary by overhauling the laws on access to government records. As part of his research, Molinaro has been asking government departments to hand over information about Canada’s Cold War domestic spy and surveillance programs run by the RCMP. Last fall, the federal government initially refused his access-to-information request for the papers (which were never transferred to the national archives) concerning a 65-year-old top secret RCMP wiretapping program dubbed Project Picnic. One day after CBC News reported on Molinaro’s battle with the bureaucracy, officials notified him they would release the 1951 “secret order” that authorized the wiretapping program targeting suspected Soviet spies and other subversives, signed by Prime Minister Louis St-Laurent. Access-to-information officials have told Molinaro the Privy Council Office holds at least 1.6 million more pages from the era, many of which could concern Cold War counter-espionage programs. He’s also learned many more intelligence-related records dating back four, five and six decades are being held by the Communications Security Establishment (CSE) and the departments of Justice and Foreign Affairs. He’s been told in email exchanges that there’s currently no public list to help him — or any other researcher — understand, let alone access, these mountains of papers kept inside closed government storerooms. “The government seems to be, in essence, running some kind of secret or shadow archive,” Molinaro told CBC News. Keeping millions of records from the national archives is “appalling,” he said. “You’re hiding the historical record from the Canadian people.” [CBC News]

WW – Apple Transparency Report

Apple’s transparency report for the second half of 2016 shows that the company received between 5,750 and 5,999 FISA orders and National Security Letters regarding between 4,750 and 4,999 accounts. [Apple transparency report shows increased U.S. national security requests | Apple Receives First National Security Letter, Reports Spike in Requests for Data | Report on Government and Private Party Requests for Customer Information: July 1 – December 31, 2016.

Health / Medical

WW – Medical Device Security ‘Is A Life or Death Issue’, Warns Researcher

There are more than 8,000 vulnerabilities in the code that runs in seven analyzed pacemakers from four manufacturers, according to a new [WhiteScope] study. And that’s just a subset of the overall medical device scene, in which devices have scarcely any security at all. A second, separate, study [Ponemon/Synopsys] that looked at the broader market of medical devices found that only 17% of manufacturers have taken serious steps to secure their devices, and only 15% of healthcare delivery organizations (HDOs) have taken significant steps to thwart attacks. Patients have already suffered adverse events and attacks. Its findings: a) 31% of device makers and 40% of HDOs surveyed by Ponemon Institute said that they’re aware of patients suffering from such incidents; b) Of those respondents, 38% of HDOs said they were aware of inappropriate therapy/treatment delivered to patients because of an insecure medical device; and c) Another 39% of device makers confirm that attackers have taken control of medical devices. As far as the pacemaker-specific vulnerabilities go, Researcher Billy Rios and Dr Jonathan Butts from security company WhiteScope found that few manufacturers encrypt or otherwise protect data on a device or when that data was being transferred to monitoring systems. Neither were any of the devices they looked at protected with the most basic authentication: login name and password. Nor did the devices authenticate the devices or systems to which they connect. [Naked Security (Sophos)]

UK – Health Sector Accounts for ‘43% of All Data Breach Incidents’

The UK health sector suffered a disproportionate number of data breach incidents between January 2014 and December 2016. In total, healthcare organisations suffered 2,447 incidents and accounted for 43% of all reported incidents in the time period. According to a data analysis by Egress, the data, received from the Information Commissioner’s office, also shows that human error accounts for the almost half of these incidents across every sector. Furthermore, the number of incidents rose year on year, with a 20% increase, from 184 incidents in the last quarter of 2014, to 221 in the last quarter of 2016. Taking the 221 incidents occurring between October and December 2016, the top-ranking incident types were: 1) Theft or loss of paperwork – 24%; 2) [Other principle 7 failure] – 22%; 3) Data faxed/posted to incorrect recipient – 19%; 4) Data sent by email to incorrect recipient – 9%; and 5) Failure to redact data – 5% [Source]

WW – Study: Most Dementia Apps Lack a Privacy Policy

Mobile health apps targeting dementia patients lack appropriate privacy policies, according to researchers, highlighting concerns about the possibility of privacy breaches within a particularly vulnerable population. Researchers with Harvard Medical School reviewed 125 iPhone apps built for dementia patients and found that 72 collected user data. Of those apps that collected data, just 33 had an available privacy policy, according to results published in the American Journal of Geriatric Psychiatry. Many of those mobile apps that had an accessible privacy policy lacked clarity, often failing to address the specific functions of the app, describe safeguards or differentiate between individual protections versus aggregate data protection. The authors said the findings of the study highlighted a significant concern for patients with cognitive impairment and their caregivers, eroding trust among users. [fiercehealthcare.com]

US – Healthcare Industry in Critical Condition, Says Cybersecurity Task Force

In a recent report, the U.S. Department of Health and Human Services has flagged the country’s healthcare industry as highly vulnerable to cyber-attacks and ransomware. The DHHS’ Health Care Industry Cybersecurity Task Force’s report [96 pg PDF see here, PR see here] has revealed damning details on the healthcare industry’s cyber-security standards and how well the industry is prepared to safeguard private information from hackers. “Healthcare cybersecurity is in critical condition,” said Josh Corman, a member of the task force and Atlantic Council Director of the Cyber Statecraft Initiative. The report revealed a lack of designated cyber-security officials in most hospitals and also that smaller hospitals did not invest in cyber-security as they [erroneously] believed only larger institutions were targeted by hackers. The task force has recommended that the Health and Human Services Secretary must publish standards and guidance consistent with the NIST Cybersecurity Framework, must establish a Task Force to explore options to incentivize risk-based cybersecurity, and should make recommendations to Congress about required statutory changes. [Source]

Horror Stories

EU – Commission Fines Facebook €110 Million for Providing Inaccurate Information about WhatsApp Takeover

The European Commission has imposed a fine on Facebook for provision of misleading information during its investigation of Facebook’s acquisition of WhatsApp. In its notification to the Commission about its acquisition of WhatsApp, Facebook stated it would not be able to automatically match its users’ IDs with WhatsApp users’ IDs; however, the technical possibility for automated matching existed, Facebook staff were aware of the possibility, and the omission prevented the Commission from having all relevant information for assessing the transaction (regardless of whether there would have been an impact on the outcome. [EC – Mergers: Commission Fines Facebook 110 Million Euros for Providing Misleading Information about WhatsApp Takeover]

CA – Massive Breach at PSPC Reveals Workers’ Salaries & More

The personal information of almost 13,000 public servants was exposed in one of the largest ever privacy breaches at a federal government department. The July 11, 2016, breach at Public Services and Procurement Canada (PSPC) included the salary, age, reading-and-writing test results and other private information of 12,901 employees — nearly everyone working in the department, which employed 13,300 people at the time. The largest ever privacy breaches at a federal government department. Also included was confidential employment-equity data of about 2,590 employees, such as whether they self-identified as a visible minority, disabled or Indigenous. The department reported the breach to Canada’s privacy commissioner, Daniel Therrien, more than a month later, on Aug. 19, 2016. Employees themselves were notified even later, by email, on Aug. 26 — six weeks after the fact. The July 2016 privacy breach was at least the third at PSPC in the space of about a year. The first two breaches — which occurred between March and July 2015, and February and April of 2016 — were the result of the wonky Phoenix payroll system which has been underpaying, overpaying or not paying federal workers. The earlier breaches affected more workers — 300,000 — but the kind of personal information exposed was relatively minor compared with the depth of private information revealed in the latest incident, which included the size of workers’ paycheques. Other federal government departments have a far worse record of privacy breaches than PSPC, as detailed in last fall’s annual report from Therrien, which covered the period between April 1, 2015, and March 31, 2016. The worst offenders were Veterans Affairs (84), Corrections Canada (50), Immigration (47), the Canada Revenue Agency (21) and Employment and Social Development (17). [Massive privacy breach at Public Services reveals workers’ salaries ]

CA – OHIP Card Renewal Notices Breach Caused by ‘Anomaly’

Ontario plans to resume mailing health card renewal notices more than a month after a printing “anomaly” caused a privacy breach. Incorrectly printed forms resulted in the personal information for thousands of children being mailed to strangers in April. All health card renewal notices were suspended while the province tried to find the cause of the problem, brought to its attention late in the last week of April by parents who received incorrect forms. A printing mistake on the double-sided form resulted in a mismatch between the mailing address on the front and the information on the back, including a full name, home address, birth date and health number. All the incorrectly printed health card renewal notices belonged to children with a birth date in early July. Kitchener-Waterloo MPP Catherine Fife called the explanation of an anomaly “thin” and said residents “deserve real answers” about the privacy breach. “It doesn’t leave people with a lot of confidence. How do you control against an anomaly? There’s still some outstanding questions,” Fife said. [Waterloo Record | Ontario considering offering system to renew health cards online

Identity Issues

US – Identity Manager OneLogin Has Suffered a Nasty Looking Data Breach

OneLogin—a company that allows users to manage logins to multiple sites and apps all at once—announced [see here] it had suffered some form of breach. OneLogin says that all customers served by the company’s US data centre are impacted, and has quietly issued a set of serious steps for affected customers to take. Notably, the public blog post omitted certain details that OneLogin mentioned to customers in an email; namely that hackers have stolen customer information. “Customer data was compromised, including the ability to decrypt encrypted data,” according to a message OneLogin sent to customers. Multiple OneLogin customers provided Motherboard with a copy of the message. The message also directed customers to a list of required steps to minimize any damage from the breach, which in turn gave an indication of just how serious this episode might be. It’s always worth remembering that when a service aggregates the ability to log into multiple apps or sites at once, it is creating a very juicy target for hackers. [Motherboard | OneLogin admits recent breach is pretty dang serious | OneLogin: Breach Exposed Ability to Decrypt Data | Identity Manager OneLogin Has Suffered a Nasty Looking Data Breach | Password manager OneLogin hacked, exposing sensitive customer data: Password manager OneLogin hacked, attackers could ‘decrypt encrypted data’ | http://www.onelogin.com/blog/may-31-2017-security-incident]

AU — Australia Post to Create Federal Government Identity Concept

Australia Post has announced a partnership with the Digital Transformation Agency to create a proof-of-concept identity platform that integrates its digital ID system with the Commonwealth’s Digital Identity Framework. “Our research shows these processes cost the Australian economy up to AU$11 billion a year in proving identity alone, and can be unlocked by making it easy, safe and secure to prove that you are who you say you are when interacting online,” said Australia Post managing director and group CEO Ahmed Fahour, who resigned from his position in February and is set to leave the role in July. “We envisage an identity solution, like Digital iD, could unlock significant benefits for everyday Australians doing business with government.” [ZDNet]

Law Enforcement

CA – Worries over Ottawa Police Nerve Centre & “Predictive Policing”

The $2-million Ottawa Police Service’s Strategic Operations Centre (OPSOC) began operating last October at the Greenbank police station. Located in a room now ringed by big-screen TVs tuned to cable news, the OPSOC is staffed from 6 a.m. to 2 a.m. by five employees drawn from a pool of 16 sworn officers and eight civilians. They sit in front of banks of computer screens, keeping an eye on traffic cameras, social media and other sources of information. OPSOC has an annual budget of $1,982,600, and is only in the first of a three-phase rollout. Civil liberties groups are concerned over OPSOC’s apparent reliance on what’s known as “predictive policing,” which involves the use of various analytical techniques to identify potential criminal activity before it occurs. Brenda McPhail, privacy director for the Canadian Civil Liberties Association (CCLA), said Canadians aren’t being given the opportunity to have a conversation about this level of surveillance by police. In particular, McPhail said it could have a chilling effect on protesters. We’ve been talking to activists who’ve experienced surveillance and [they say] it makes them think twice about protesting.” [Doubts swirl around new Ottawa police nerve centre]

CA – Cobourg Police Add ALPR Technology to Cruiser

Cobourg Police Service has launched an ALPR-equipped cruiser, and law enforcement has just gotten what Acting Sergeant Marc Bellemare considers a significant boost. “You go out on patrol. It scans license plates and, any license plates where there’s an issue, it creates a positive hit and alerts us to stop that vehicle,” Bellemare said. Issues that might cause a stop include everything from driving while suspended and expired validation stickers to Amber Alerts and involvement in a crime. [Northumberland Today]

CA – Doubts Swirl Around New Ottawa Police Nerve Centre

A $2-million police initiative billed as a sort of “virtual backup” for front-line officers is drawing criticism from both their union and civil liberties advocates. The Ottawa Police Service’s Strategic Operations Centre (OPSOC) began operating last October at the Greenbank police station. Located in a room now ringed by big-screen TVs tuned to cable news, the OPSOC is staffed from 6 a.m. to 2 a.m. by five employees drawn from a pool of 16 sworn officers and eight civilians. They sit in front of banks of computer screens, keeping an eye on traffic cameras, social media and other sources of information. Their task, according to the Ottawa Police Service, is “supporting front-line officers, particularly during high-risk and/or complex calls.” OPSOC staff use all the resources at their disposal to gather information for their colleagues as they rush to the scene of a crime or collision. Since it opened in October, the operations centre has assisted with more than 2,000 calls for service. OPSOC has an annual budget of $1,982,600, and is only in the first of a three-phase rollout. Civil liberties groups are concerned over OPSOC’s apparent reliance on what’s known as “predictive policing,” which involves the use of various analytical techniques to identify potential criminal activity before it occurs. Brenda McPhail, privacy director for the Canadian Civil Liberties Association (CCLA), said Canadians aren’t being given the opportunity to have a conversation about this level of surveillance by police. In particular, McPhail said it could have a chilling effect on protesters. “We’ve been talking to activists who’ve experienced surveillance and [they say] it makes them think twice about protesting.” Cartright dismissed those privacy concerns. “We are only accessing things that are available to the public,” he said. “That’s the balance.” The unit is still operating like a pilot project, he said, and a report assessing its usefulness is expected by the end of its first year of operation. Other police services have launched similar units with success, Cartright noted. “We’re not recreating any wheel,” he said. [CBC]

Location

US – Supreme Court Will Hear Mobile Phone Location Data Case

The US Supreme Court will hear arguments in a case regarding the need for a warrant to use cell-site data to track a suspect’s location. The case, Carpenter v. United States, No. 16-402, involves data held by a mobile phone company. The question is whether police are required to obtain a warrant to access mobile phone location histories. Police currently have access to the information without the need for a warrant through the third-party doctrine, which allows police to demand information from companies if the information is considered a normal business record. [Supreme Court Agrees to Hear Cellphone Tracking Case | Supreme Court agrees to rule if cops need warrant for cell-site data | Supreme Court to hear case on tracking phone location data]

Online Privacy

WW – 7 in 10 Smartphone Apps Share Your Data With Third-Party Services

More than 1,600 people who have used Lumen [see here] since October 2015 allowed us to analyze more than 5,000 apps. We discovered 598 internet sites likely to be tracking users for advertising purposes, including social media services like Facebook, large internet companies like Google and Yahoo, and online marketing companies under the umbrella of internet service providers like Verizon Wireless. We found that more than 70 percent of the apps we studied connected to at least one tracker, and 15% of them connected to five or more trackers. One in every four trackers harvested at least one unique device identifier, such as the phone number or its device-specific unique 15-digit IMEI number. Unique identifiers are crucial for online tracking services because they can connect different types of personal data provided by different apps to a single person or device. Most users, even privacy-savvy ones, are unaware of those hidden practices. Tracking users on their mobile devices is just part of a larger problem. More than half of the app-trackers we identified also track users through websites. Thanks to this technique, called “cross-device” tracking, these services can build a much more complete profile of your online persona. [Source]

WW – Synaptics Warns That Fingerprint Spoofing Makes Laptops Vulnerable

According to Godfrey Cheng, vice president of product at Synaptics, earlier this month [the company] issued a warning that some computer makers have chosen to use insecure smartphone fingerprint sensors instead of more secure laptop sensors The smartphone fingerprint sensors typically use unencrypted methods to store and send the fingerprint to a central processing unit (CPU) for processing. That makes the data vulnerable to snooping software and other hacks. Synaptics sensors, by contrast, use encryption and a secondary host processor to do the recognition work. That encryption makes it a lot harder for hackers to copy the fingerprint and use it to unlock a computer remotely, Cheng said. The insecure fingerprint sensors are disturbing because modern laptop users are conditioned to believe that fingerprints are unique and are much safer than passwords. This is largely true, but a laptop manufacturer’s choice in sensors can potentially lead to the theft of your fingerprint image. That makes a user’s laptop secrets vulnerable, as well as those of an entire enterprise, if it’s a work computer. “There are two types of fingerprint sensors in the notebook market today,” Cheng said. “Those that are encrypted and safe, and those that are unencrypted and unsafe.” [Source]

WW – Distributed Ledger Technology May Not Be Compliant with the GDPR

A review of the applicability of the General Data Protection Regulation in the blockchain context. It is virtually impossible to identify the entity responsible for the blockchain process (e.g., data controller, data processor) and to change or delete information contained on a blockchain (making the right to be forgotten impossible). [Blockchains and Personal Data Protection Regulations Explained] See alsol [Toyota pushes into blockchain tech to enable the next generation of cars]

CA – Ontario Owner of Website That Names and Shames Debtors Told to Shut Down

The Ministry of Government and Consumer Services has ordered the owner of a website that publishes public information about people who’ve been successfully sued but won’t pay up to “cease and desist”. “I will not be bullied by some officious twit at the Ministry of Government and Consumer Services, whose mandate is the protection of consumers and they seem to be hell bent to do exactly the opposite.” said Dougall Grange, the owner of the website publicexecutions.ca. “What I’m doing is allowing judgement creditors, ie those are people who are owed money certified by the courts, to publish that information online in an accessible way, to motivate the person who owes them money to pay.” But the ministry sees it differently. It said in a letter to Grange, he’s providing a consumer report without registering as a Consumer Reporting Agency, a violation of the Consumer Reporting Act. If Grange is convicted of violating the Consumer Reporting Act, he could face a fine of up to $100,000. Grange said the website doesn’t break even and he was considering shutting it down until he got the ministry’s letter. [CBC News]

NZ – Privacy Call to Limit Power Usage Monitoring

Smart meters that relay half-hourly power usage are a potential risk to people’s personal security and privacy, and standards should be set to curb data collection, NZ Privacy Commissioner John Edwards says. The commissioner said about 70% of households in New Zealand have smart meters. The devices automatically record and transmit power usage data in half hourly intervals, but that information can also reveal much about the comings and goings of people in a household at a given time. The information is collected by electricity retailers like Meridian or Mercury, who use it to prepare their bills. It is then passed on to lines companies under information-sharing pacts. Mr Edwards said it could indicate when people were out, at home or in the shower – and this could put their security at risk if abused. The trend all over the world was to require that collection of data about people’s private lives be kept to a minimum, he said. In an open letter to the industry, Mr Edwards recommended electricity companies ensure that personal information was not collected unnecessarily or held for longer than it had to be. He also suggested aggregating data into clusters to cover an entire community, or all the people in a street, rather than recording data on individual homes. [radionz.co.nz]

Other Jurisdictions

WW – How to Keep Track of Cloud Providers and Products for Security Compliance

Tracking to ensure cloud providers and their products are complaint with corporate security controls and with compliance demands of business partners isn’t easy, security consultant James Arlen told a recent meeting of the Toronto Area Security Klatch (TASK), a community of infosec pros and students, because few organizations have the leverage to get providers to divulge the secrets of their security processes. However, he said, by gathering information and asking incisive questions infosec pros may be able to create a risk model that will meet the needs of management. Ironically, in this digital age, security compliance with a cloud provider comes down to paper. “The contract with the provider is the whole damn thing,” Arlen told the meeting. However, unless the customer is a government or a global corporation, the provider usually holds the whip hand. On top of that CISOs may have a raft of security standards to comply with, including the federal PIPEDA, the EU privacy directive, PCI for credit cards, NIST and various ISO/IEC rules. How does that relate to what a provider follows? One answer is using the Cloud Security Alliance’s free cloud controls matrix, which cross-indexes major compliance regimes and discover how they map to another. But, Arlen said, the real work of tracking compliance is creating a tracking list for every cloud provider and service staff are entitled to use – or, if the CISO decides, services staff are known to use even without permission. Arlen admits to frustration with third party security attestations in contracts (“We attest to following ISO 27001”), which says nothing about the provider’s actual security capability. As for documenting the provider’s security compliance, Arlen urges CISOs to follow these seven steps: 1) Review contract documents/exhibits; 2) Request vendor compliance documentation; 3) Review the Cloud Security Alliance Star registry for vendor compliance statements; 3) If neither exist, submit your own vendor security risk assessment; 4) Consider the provider and product stance relative to your requirements using the CSA cloud controls matrix; 5) Document deviations and your recommendations to the business/technology owner; and 6) Revise this regularly [IT World]

Privacy (US)

US – FTC Issues Recommendations to Small Businesses for Protecting Personal Information

The FTC’s issues recommendations for small businesses trying to protect personal information. Strong, complex passwords should be used that mix numbers, symbols and capital letters into the middle of the password (rather than at the beginning or end) and do not use repeating patterns to lengthen the password; organizations should also stick to websites that use encryption to protect the information as it travels from the computer to their server (check for https in the URL of all pages, not just the login page) and avoid using mobile apps that require sharing personal or financial information over public Wi-Fi. [FTC – Small Business Security Basics]

CA – California Class Action Filed over “BART Watch APP”

A class action complaint was filed against BART [see here], the San Francisco Bay Area Rapid Transit District, on May 22, 2017 in the District Court for the Northern District of California alleging BART created a “clandestine collection of private cell phone identifiers.” In particular, the plaintiffs claim the “BART Watch APP” [see here] —a mobile application that provided users with transit information and the ability to contact the police—collected private data in violation of California’s privacy laws. Elerts Corporation, the software developer, was also named as a defendant for its development of the App. The Plaintiffs claim that “a detailed review of the BART Watch App reveals that Defendants have been using it to secretly collect Californians’ unique mobile device identification numbers and periodically track their location.” The Plaintiffs further allege that “by collecting the device identification numbers, locations, and other personal information…Defendants have amassed a trove of data through the App.” And, Plaintiffs claim that these actions by BART and BART Police are prohibited under California law. [App Users Throw Transit Provider Under The Bus On Privacy Issues And Use Of Data]

US – Supreme Court to Settle Major Cellphone Privacy Case

Police officers for the first time could be required to obtain warrants to get data on the past locations of criminal suspects based on cellphone use under a major case on privacy rights in the digital age taken up by the U.S. Supreme Court on Monday. The justices agreed to hear an appeal by a man [Timothy Carpenter] convicted in a series of armed robberies in Ohio and Michigan with the help of past cellphone location data who contends that without a warrant from a court such data amounts to an unreasonable search and seizure under the U.S. Constitution’s Fourth Amendment. The case reaches the high court amid growing scrutiny of the surveillance practices of U.S. law enforcement and intelligence agencies amid concern among lawmakers across the political spectrum about civil liberties and police evading warrant requirements. “Because cellphone location records can reveal countless private details of our lives, police should only be able to access them by getting a warrant based on probable cause,” said Nathan Freed Wessler, a staff attorney with the American Civil Liberty Union’s Speech, Privacy and Technology Project who represents Carpenter. The case will be heard and decided in the court’s next term, which starts in October and ends in June 2018. [Reuters]

US – Trump Backs Permanent FISA Sec. 702 Powers He Once Criticized

Just months after President Trump complained about being spied on by the Obama administration, his administration is embracing a full permanent extension of the secret snooping powers the government used to track conversations between his campaign aides and Russian operatives. Mr. Trump’s intelligence and counterterrorism team said Section 702 of the Foreign Intelligence Surveillance Act has saved hundreds of lives by preventing terrorist attacks and insisted — despite Mr. Trump’s claimed experiences — that the law is not being abused. Without congressional action, Section 702 is set to expire on Dec. 31. That part of the law allows federal intelligence agencies to scoop up the communications of foreigners outside the U.S. It does not allow Americans to be targets of snooping, but if foreigners who are targeted are communicating with Americans, then those exchanges can be tracked in what is dubbed “incidental collection.” About 10% of conversations monitored end up with incidental collection, National Security Agency Director Michael Rogers testified to Congress on Wednesday. [watch here starting at 22:37 min] Civil liberties advocates accused Mr. Trump of hypocrisy for complaining about snooping during the campaign and now supporting the very tools he was worried about. [Trump backs permanent snooping powers he once criticized as abusive]

US – Obligation to Notify is Triggered by Unauthorized Access and the Likelihood of Harm to Consumers

A review of the breach notification in the wake of a ransomware attack in accordance with the US Department of Health and Human Services and State law. HIPAA provides that if there is a low probability that the PHI affected by the breach has been compromised, then the notification requirement does not apply; the attorneys general and other authorities have not issued specific guidance, however, the majority of state breach notification obligations are triggered when an unauthorized actor accesses and acquires personal information stored on a company’s network, and the breach poses a reasonable likelihood of harm to the customer. [Ransomware Attacks When is Notification Required – Latham and Watkins]

US – $11.7 Million Class Action Suit Dismissed for Failure to Establish Real-World Harm

The Court considers Experian Information Solutions, Inc.’s appeal of a judgement awarded in a class action suit for violations of the Fair Credit Reporting Act. An individual alleged he suffered an injury when a consumer reporting agency identified a defunct credit card company, rather than the name of the current servicer, as the source of a trade-line on his consumer report; however, no real-world harm was caused by the error since the error did not hinder the accuracy of the report or efficiency of the credit report resolution process (the individual was still able to obtain the necessary information and resolve his credit issues). [Michael T. Dreher v. Experian Information Solution Inc. – No. 15-2119 – United States Court of Appeals for the Fourth Circuit]

RFID / IoT

US – GAO Issues Report on Security, Privacy & Governance Challenges of IoT

In May 2017, the Government Accountability Office (GAO) released a technology assessment of the Internet of Things (IoT) for Congressional members of the IoT Caucus. The GAO report offers an introduction to IoT; reviews the many uses and their associated benefits that connected devices may bring to consumers, industry, and the public sector; and highlights the potential implications of the use of IoT, including information security challenges, privacy challenges, and government oversight. The report also identifies areas of apparent consensus among experts regarding the challenges posed by IoT, though the appropriate responses are disputed. Accordingly, the report may act as a foundation for future policymaker discussions about regulating IoT. The GAO’s report provides an introduction to IoT and answers three overarching questions: (i) what is known about current and emerging IoT technologies, (ii) how and for what purpose IoT technologies are being applied, and (iii) the potential implications of the use of IoT technologies. [GAO Report Highlights Security, Privacy, and Governance Challenges of the Internet of Things]

WW – 94% Believe Unsecured IoT Devices Could Lead to ‘Catastrophic’ Cybersecurity Attack

A new research report on third-party IoT integrations shows a strong concern over IoT security, but not many actions taken to mitigate it. 94% of risk management professionals believe that a security incident resulting from unsecured IoT devices “could be catastrophic.” The report, jointly released by the Ponemon Institute and the Shared Assessments Program, was built on the responses of 553 individuals from various industries. The Internet of Things (IoT): A New Era of Third Party Risk takes a look at the concerns around third-party risks in IoT security, and what business leaders are doing to address it. …One of the most surprising points was how many survey respondents expected to be the victim of an attack. Some 76% of those surveyed said that a DDoS attack resulting from an unsecured IoT device would be “likely to occur within the next two years” Despite this belief, only 44% said their organization would be able to protect either their network or other systems from “risky” IoT devices. [Technical Republic]

Security

US – Healthcare Cyber Security Task Force Issues Report

The US Department of Health and Human Services Health Care Industry Cybersecurity Task Force has released its first report to US legislators. The report underscores the point that digital vulnerabilities are threats not only to information but also to patients’ safety. It calls for the government and private sector healthcare entities to work together on six imperatives that include defining leadership, governance, and expectations for healthcare cybersecurity; increasing the resilience and security of medical devices and IT; and identifying ways to protect research and development and intellectual property from theft. [Federal task force: Here’s how to fix healthcare cybersecurity | HHS Cyber Task Force wants better partnerships, stronger federal leadership | Health Care Industry Cybersecurity Task Force ]

US – Department of Health and Human Services OIG Report

The US Department of Health and Human Services (HHS) Office of Inspector General (OIG) has submitted its semi-annual report to Congress. Among OIG’s findings: HHS “faces challenges to protect the privacy and security of the data it collects and maintains.” [Health Data Security Tops HHS’ List of Challenges | Semiannual Report to Congress: October 1, 2016 to March 31, 2017]

UK – ICO Data on Reported Breaches

According to data obtained from the UK’s Information Commissioner’s Office (ICO), 43 percent of breaches reported between January 2014 and December 2016 affected the healthcare sector. While healthcare had the highest percentage of reported breaches, other sectors are seeing greater increases in the number of breaches reported. Across all sectors, more breaches were caused by human error than by external cyber threats. [Healthcare tops UK data breach chart – but it’s not what you’re thinking]

US – Classified Defense Data Found in Unprotected Cloud Storage

A US defense contractor appears to have stored top secret US intelligence data on a publicly-accessible Amazon cloud storage server. The account has been linked to contractors Booz Allen Hamilton. The data are related to the US National Geospatial-Intelligence Agency, which provides battlefield satellite and drone surveillance imagery. [Defense contractor stored intelligence data in Amazon cloud unprotected | US military data reportedly left on unsecured Amazon server | Intelligence contractor credentials left unsecured on Amazon server: report | Security company finds unsecured bucket of US military images on AWS]

US – Insider Threat Training Requirement for US Gov’t Contractors

US federal contractors wishing to maintain their clearances must have completed an insider threat training course by June 1, 2017. The requirement is described in the National Industrial Security Program Operating Manual (NISPOM) Change 2. The course is the second step of a new compliance requirement. The first part took effect late last year and required contractors implementing changes to protect their systems from insider threats. [Insider threat training deadline here for federal contractors | NISPOM Change 2 (May 18, 2016)]

US – Medical Device Vulnerabilities Reports issued

Two separate studies have found that numerous medical devices contain software vulnerabilities. One study that focused on implantable cardiac devices and their associated equipment found more than 8,000 vulnerabilities. That study found that in most cases, data were not protected either on the devices or while being transferred to monitoring equipment. In addition, the study found that there was no authentication for connecting devices. The second study examined a broader spectrum of devices, polling manufacturers, hospitals, and health organizations about the equipment; the majority said the devices are difficult to secure. [‘Thousands’ of known bugs found in pacemaker code]

WW – Cybersecurity: Third Parties are the Weakest Link

63% of all data breaches are linked in some way to third-parties such as contractors, suppliers and vendors that have access to a business’ system; organizations should utilize a service-level agreement with specific details of the types of security measures the vendor must use when handling data for the business, have the vendor perform periodic security assessments on its systems, and limit the third party’s access to the business network. [Third-Party Data Breaches: Weakest Link in Cybersecurity – John DiGiacomo, Lawyer, Revision Legal]

WW – Increase in Ransomware Attacks and Cyberespionage in 2016

Verizon has released the results of its 2017 data breach investigation, based on analysis of: 1,935 confirmed data breaches; and 42,068 incidents. 62% of breaches featured hacking (most of these breaches leveraged stolen and/or weak passwords), 51% of breaches included malware (66% of malware was installed via malicious email attachments), and 43% were social attacks; organizations should train staff to spot warning signs, only provide data access to employees that require it to perform their duties, promptly apply patches and updates, encrypt sensitive data, and use 2-factor authentication. [2017 Data Breach Investigations Report – Verizon]

AU – Ransomware Attack Will Count as Data Breach Under NDB

Leonard Kleinman [chief cyber security adviser at RSA] gave a rundown of what one could expect when the Privacy Amendment (Notifiable Data Breaches) Act 2017 [see here] takes effect [February 22, 2018], focusing on the security side of things, at a seminar in Melbourne on Tuesday. Given the cyber security environment at the moment, Kleinman said it was necessary to understand the legislation and its obligations, even if a company was not planning to take the necessary steps to plan for it. Indeed, this was a common theme which was advanced by the other two speakers at the seminar: Helaine Leggat, the director of Information Legal, and Mani Amini, GRC group manager at Content Security, the other firm that was involved in organising the seminar. The Office of the Australian Information Commissioner has a rundown of the data breach act here) The Office of the Australian Information Commissioner is currently seeking public comment on entities covered by the NDB scheme; notifying individuals about an eligible data breach; identifying eligible data breaches; and the Australian Information Commissioner’s role in the scheme. The last date for submitting comments is 14 July. [Ransomware attack will count as data breach: security pro]

WW – InfoSec 2017: A Look at the Family Album of Ransomware

Ransomware is among the topics at this week’s InfoSec Europe 2017 gathering this week in London. It’s been with us for some time and is considered old news by many security practitioners. But it remains a vexing problem for companies and continues to dominate many a conference agenda. SophosLabs recently looked at the most prolific ransomware families and attack vectors over a six-month period and boiled it down to the graphic below. In this article we break down the statistics, review some of the ransomware-themed events on the InfoSec agenda and offer up some defensive measures. [InfoSec 2017: a look at the family album of ransomware]

Surveillance

US – Nest Security Camera Knows Who’s Home With Google Face Tech

Nest Labs, owned by Alphabet Inc., is adding Google’s facial recognition technology to a high-resolution home-security camera, offering a glimpse of a future in which increasingly intelligent, internet-connected computers can see and understand what’s going on in people’s homes. Facebook deploys similar technology to automatically recognize and recommend tags of people in photos posted on its social network. The camera will only identify people you select through Nest’s app for iPhones and Android devices. It won’t try to recognize anyone that an owner hasn’t tagged. Even if a Nest Cam IQ video spies a burglar in a home, law enforcement officials will have to identify the suspect through their own investigation and analysis, according to Nest. Netatmo , for instance, introduced a security camera touting a similar facial recognition system in 2015. The way that the Nest and Netatmo cameras are being used doesn’t raise serious privacy concerns because they are only verifying familiar faces, not those of complete strangers, said Jennifer Lynch, who specializes in biometrics as a senior staff attorney for the Electronic Frontier Foundation, a digital advocacy group. [Source]

US – Explosive Revelation of Obama Administration Illegal Surveillance of Americans

During the Obama years, the National Security Agency intentionally and routinely intercepted and reviewed communications of American citizens in violation of the Constitution and of court-ordered guidelines implemented pursuant to federal law. The unlawful surveillance appears to have been a massive abuse of the government’s foreign-intelligence-collection authority, carried out for the purpose of monitoring the communications of Americans in the United States. While aware that it was going on for an extensive period of time, the administration failed to disclose its unlawful surveillance of Americans until late October 2016, when the administration was winding down and the NSA needed to meet a court deadline in order to renew various surveillance authorities under the Foreign Intelligence Surveillance Act (FISA). The administration’s stonewalling about the scope of the violation induced an exasperated Foreign Intelligence Surveillance Court to accuse the NSA of “an institutional lack of candor” in connection with what the court described as “a very serious Fourth Amendment issue.” The FISA-court opinion is now public, available here. The unlawful surveillance was first exposed in a report at Circa by John Solomon and Sara Carter here, who have also gotten access to internal, classified reports. The story was also covered extensively Wednesday evening by James Rosen and Bret Baier on Fox News’s Special Report. [See here] According to the internal reports reviewed by Solomon and Carter, the illegal surveillance may involve more than 5 percent of NSA searches of databases derived from what is called “upstream” collection of Internet communications. To summarize, we have the communications of Americans inside the United States being incidentally intercepted, stored, sifted through, and in some instances analyzed, even though those Americans are not targets of foreign-intelligence collection. The minimization procedures are supposed to prevent the worst potential abuses, particularly, the pretextual use of foreign-intelligence-collection authority in order to conduct domestic spying. But even when complied with, there is a colorable argument that the minimization procedures do not eliminate the Fourth Amendment problem — i.e., they permit seizure and search without adequate cause. Clearly, this new scandal must be considered in context. The NSA says it does not share raw upstream collection data with any other intelligence agency. But that data is refined into reports. To the extent the data collected has increased the number of Americans whose activities make it into reports, it has simultaneously increased the opportunities for unmasking American identities. Other reporting indicates that there was a significant uptick in unmasking incidents in the latter years of the Obama administration. More officials were given unmasking authority. At the same time, President Obama loosened restrictions to allow wider access to raw intelligence collection and wider dissemination of intelligence reports. [National Review]

US Government Programs

US – U.S. Now Can Ask Travelers for Facebook, Twitter Handles

Travelers wishing to visit the United States can now be asked for their social media handles and email addresses going back five years, a new U.S. government request that’s alarmed privacy advocates but which the Trump Administration says could help weed out travelers who intend harm. Citizens of most countries must apply for visas to travel to the United States, which are granted by the State Department. This generally involves a visit to a local U.S. embassy or consulate and an in-person interview with a consular official. The supplemental questionnaire will only be given to “a fraction of 1% of the 13 or so million people who apply for a visa to visit the United States each year and is meant for applications for which consular officials feel more information is necessary,” said Will Cox, a spokesman for the State Department’s Bureau of Consular Affairs. About 85% of those apply for visas are granted them, he said. Applicants are not being asked for the passwords to these accounts and consular officers will not be going into social media and friending people, Cox said. The questionnaire also asked about employment history, siblings, children and spouses, “current or previous” and “living or deceased. “The State Department asked for the right to collect the information under an emergency request on May 3 which was granted on May 23 by the Office of Budget and Management. It was implemented with no fanfare on May 23 and it wasn’t until Thursday, when Reuters first reported on it, that the existence of the new form became widely known. [USA TODAY | If you have a Twitter account, change these privacy settings now]

US – DHS Sec. Kelly Affirms US Citizens’ Phone Searched of at Border

American citizens coming to the United States from overseas risk having their cellphones confiscated and searched at airports or other border crossings, Homeland Security Secretary John Kelly confirmed on Capitol Hill, walking back previous statements. Pressed by Republican Senator Rand Paul about the searches and threats to detain or turn back travelers if they did not comply, including citizens and U.S. green card holders, Kelly affirmed [at 51.55 – 57.40 min] to the Senate Homeland Security and Governmental Affairs Committee: “We do it whether they’re citizens or noncitizens coming in.” The retired general acknowledged his statement was “a change” from his comments during an April 5 hearing, in which he told senators, “I don’t believe we ever turn back citizens or legal residents.” At that April hearing, Kelly had emphasized that the targets of the searches were foreigners, but Paul pointed out there had been news reports of Americans also being caught up in the dragnet. And on Tuesday, the Kentucky libertarian read from several public reports of Americans being detained by Customs and Border Patrol agents until they divulged the contents of their phones, including a NASA engineer and a couple returning from Canada. Paul and Democratic Senator Ron Wyden have introduced legislation that would require border agents to obtain warrants before searching Americans’ electronic devices. A bipartisan companion bill is also pending in the House. [Cellphone Privacy: Homeland Security Chief Acknowledges Searches of U.S. Citizens’ ] See also: [1Password’s new ‘travel mode’ keeps your data safe from border agents]

Workplace Privacy

CA – Federal Benefits Workers Told to Stay Off Social Media When Vetting Applications

Federal workers whose job it is to determine whether someone is eligible for employment, disability or seniors’ benefits have been told to stop being amateur sleuths by searching the Facebook profiles of applicants. The order came after senior officials learned that staff were logging on to social media websites to check on any suspicions they had with someone’s application for Canada Pension Plan disability benefits. And now other benefit programs — employment insurance, seniors’ benefits like old age security and the guaranteed income supplement — have been subjected to the same reminder. The only personal information the department is allowed to collect has to come from the applicant or from a third party like a doctor, employer, or family member, provided the applicant consents. The briefing note says that using publicly available information like social media posts and even address listings could be considered “an invasion of privacy” and a violation of the Privacy Act and the Charter of Rights and Freedoms. Staff were reminded that if they came across something odd in a file, including anything that could be easily found online, they were to send it to the wing of the department that investigates and roots out fraud in the federal benefits system. [The Star See also: Get Ready for the Next Big Privacy Backlash Against Facebook]

+++

24 April – 19 May 2017

Biometrics

US – Airport Facial Recognition Scans to be Mandatory for All Passengers

All US airports may soon have facial recognition software activated to scan each passenger regardless of their citizenship. The plan was first proposed for select airports and international passengers only, but the Customs and Border Protection (CBP) department has suggested it be made mandatory for all passengers, even if they are holding US passports. The initial plan was to register visitors leaving the country using facial recognition. But now it is proposed that facial scans be made mandatory for any passenger when they, leave, re-enter the country or pass through TSA checkpoints. The agency aims to create an airport-wide system dubbing it as The Biometric Pathway, where along with regular passenger details, facial scans become mandatory. At present, the Exit program is being tested on a flight from Atlanta to Tokyo, and will soon roll out in seven new airports. The mechanism is limited to the airport departure gates for now and expanding it to all check points will depend on the cooperation from partner agencies like the TSA. [IB Times]

AU – Australia Adds Millions of Citizen Photos to Govpass Face Rec System

The Australian government intends to add citizen’s passport photos to a national facial recognition database to be used for its Govpass digital identity system and criminal justice purposes. These 12 million records will bolster the system launched in 2016, which previously held only images of foreigners seeking Australian citizenship. But it has privacy advocates pushing for creation of a new national commissioner with biometrics oversight. In addition to the passport photos, InnovationAus.com reported that negotiations are underway that could result in the inclusion of millions of driver license images as well. A privacy impact assessment was conducted in 2015 but it focused on the design and governance rather than privacy protection. Recent academic research has led to the call for creation of a biometrics commissioner to address the governance gap. [Secure-IDNews]

US – NYPD Refuses to Disclose Information About Its Face Recognition Program, So Privacy Researchers Are Suing

Researchers at Georgetown University law school Center on Privacy and Technology [see here] filed a Freedom of Information lawsuit against the New York City Police Department today for the agency’s refusal to disclose documents about its longstanding use of face recognition technology. The researchers requested records pertaining to the NYPD’s program in January 2016 as part of The Perpetual Line-Up, a year-long study on law enforcement uses of facial recognition technology. After receiving public records from more than 90 agencies across the country the NYPD determined in January 2017 that it was unable to find any records responsive to the Center’s detailed records requests. Clare Garvie, one of the co-authors of Georgetown’s report and an expert on face recognition technology, described the NYPD’s lack of transparency as a “very worrying prospect” given the technology’s potential for invasive surveillance, including in real time. Because the NYPD’s own policies, manuals, and documents are “the only controls” on its own system, their disclosure is in the public interest, Garvie explained. “If no records exist, that means that there are no controls on the use of face recognition technology and we ought to worry about that. If there are records, then why did the Police Department say that it couldn’t find them?” said David Vladeck, a member of Georgetown’s law faculty, in a press release. [The Intercept]

US – Illinois Biometrics Privacy Law Could Be Adopted by Other States

Illinois’ Biometric Information Privacy Act [see here], which came into effect in 2008, established protocols which require organizations collecting biometric data to notify people about the practice before they begin to gather data, as well as provide an exact timeline for deleting the data. Five states are currently evaluating amendments to their biometric laws. Alaska, Montana and New Hampshire take a similar approach to BIPA and allow private causes of action. Connecticut’s bill takes a very different approach and aims to prohibit retailers from using facial recognition technology for marketing purposes. Washington has some similarities to BIPA and is also like Texas’ current biometric law, in that it can be enforced solely by the attorney general. The lack of federal laws has cleared the path for state-driven initiatives to take charge, with Illinois introducing three other privacy bills since January. BIPA allows for a private cause of action. ”It is unclear whether other states (will) adopt similar legislation, but we are seeing an uptick in states that care about biometric information,” Kadish said. [Biometric Update]

Canada

CA – MPs Calling on Government to Boost Protection of Canadian Civil Liberties

An influential group of Liberal MPs on the Commons standing committee on public safety released a report [see here] containing 41 recommendations [see here]. They urged Prime Minister Justin Trudeau to increase parliamentary, civilian and judicial oversight of national security agencies, to create a new watchdog agency for Canada’s border agency, and to dial back extraordinary threat reduction powers given to CSIS by the Conservatives in controversial changes to Canada’s anti-terror law under Bill C51. They want the law to require ministerial approval and prior judicial warrants for any measures that could be perceived as potential violations of the Charter of Rights and Freedoms. But the Liberals would not move to repeal that CSIS power altogether. Other recommendations say vague definitions in the Criminal Code, such as “terrorist propaganda,” must be clarified, and there must be an obligatory review of all appeals from persons who feel they are wrongly listed on the so-called “no fly” list for air travel. The Liberals recommended the government not legislate greater “lawful access” for police and intelligence agencies who want to acquire telecom companies’ customers’ subscriber information, online activities, telephone conversations, and encrypted communications, without further study. But the Liberals would make it easier to prosecute terror cases by allowing criminal trial judges to review secret information and decide on matters of confidentiality in national security cases, without requiring those questions be put before a separate Federal Court judge. The Conservatives issued a dissenting report that supported the previous government’s approach to Bill C51. Public safety critic Tony Clement said he supported the Liberal majority report on matters such as increased oversight for the Canada Border Services Agency, and the creation of an office with responsibility to oversee the information-sharing and national security activities of the roughly 17 departments and agencies that have some role in national security. [See here] The NDP issued a separate report that supported the majority of the Liberal report but said the government should go further and completely repeal Bill C51. [See here] Elizabeth May, Green Party leader, agreed. “I urge the Government to take this report as a floor, not a ceiling, of what is possible in undoing the harms of C-51.” Josh Paterson, head of the BC Civil Liberties Association, supported the call for a dedicated, integrated agency to provide review of national security operations across the whole of the government. [See here] [Toronto Star]

CA — Oversight of National Security in Canada Still Needs A Lot of Work, New Reports Show

Given the use of Stingrays, along with CSIS’s recently exposed (and illegal) practice of retaining large amounts of Canadian metadata, it should be clear that Canada’s capacity for holding our intelligence agencies accountable should be increased. And two recent reports show that there’s still a lot of work to be done on oversight of national security in Canada. One report is much more technical. It came from an assessment by the Commons Standing Committee on Access to Information, Privacy and Ethics of the Security of Canada Information Sharing Act, http://www.ourcommons.ca/DocumentViewer/en/42-1/ETHI/report-5/ which is contained in the controversial Bill C-51, also known as the Anti-terrorism Act. The other is much broader in its scope and recommendations, and is the product of cross-country hearings on Canadian national security conducted last year by the Commons Standing Committee on Public Safety and National Security. While both reports reinforce, in spirit and content, that Canadian national security oversight needs to be bolstered, they don’t really get at the details of how to do so on a practical level. This is especially true of the report from SECU, the public safety and national security committee, given its broad range. [CBC] See also: Globe editorial: Ottawa should stop delaying and start fixing Bill C-51 | Time to rein in security overreach: Editorial | Don’t change lawful access rules, Parliamentary committee recommends | Restrict spy powers and increase oversight, Liberal and NDP MPs recommend]

CA – Appearance before the Standing Committee on Access to Information, Privacy and Ethics on the 2017-18 Main Estimates

Privacy Commissioner of Canada, Daniel Therrien, appeared before the Standing Committee on Access to Information, Privacy and Ethics to discuss the 2017 Main Estimates. In his remarks, he noted that to face the sustained volume but increased complexity of the work, the OPC will continue to make the most efficient use of its resources. Amidst competing demands, the OPC will not lose sight of its mandate: Ensuring that the privacy rights of Canadians are respected and that their personal information is protected. [Source]

CA – Federal Privacy Commissioner to Initiate Investigations, Not Just Wait for Complaints

The federal privacy commissioner says he’s temporarily no longer going to wait until people file complaints about alleged privacy issues before acting. [see here] Instead, Daniel Therrien will be more proactive, including launching investigations into questionable privacy practices or “chronic problems” on his own when necessary. It’s what Therrien called the commission’s new policy of “proactive compliance.” His office will draw on complaints and trends to determine if there are issues or sectors that would benefit from a special investigation. In an interview he said investigations would be on “issues of broad concern.” This “proactive enforcement” will will last at least until September, when Therrien files his annual report to Parliament, where he may call for changes to federal legislation to update his office’s mandate. As part of being proactive, to help the private sector Therrien is considering offering to audit companies – perhaps for a fee – to see if they comply with the Personal Information Protection and Electronic Documents Act (PIPEDA). [ITWorld] [Course correction for improved outcomes for Canadians]

US – To Fight ‘Surveillance Culture,’ Activists Release Kid-Focused Privacy Toolkit

“You shouldn’t need a PhD or law degree to ensure that your child’s sensitive student data isn’t shared with commercial entities” The Parent Toolkit for Student Privacy: A Practical Guide for Protecting Your Child’s Sensitive School Data from Snoops, Hackers, and Marketers, released by the Parent Coalition for Student Privacy (PCSP) and the Campaign for a Commercial-Free Childhood (CCFC), teaches families about federal laws safeguarding their information, how to ask about schools’ data policies, and how to advocate for stronger protections in an age when records are increasingly stored digitally. The toolkit was released after the Electronic Frontier Foundation (EFF) published a report in April which found that “surveillance culture begins in grade school,” with tech companies spying on students through devices and software used in classrooms to collect kids’ names, birth dates, browsing histories, grades, disciplinary records, and other information. [Common Dreams]

CA – Canada’s Spies Examining ‘Vulnerabilities’ in Election System

CSE, Canada’s signals intelligence and cyberdefence agency, is conducting a “risk assessment” into how vulnerable Canadian elections are to foreign hacking and information operations. The review was ordered by the Liberal government in February, as the scope of Russian meddling in the 2016 U.S. presidential election was being made public by American intelligence agencies. The review is unlikely to focus on the security of the actual vote, which still relies on pens and paper rather than electronic voting. The greater risk is likely the kind of information – and disinformation – campaigns seen in the U.S. and the recent French presidential election. [The Star]

CA – RCMP Created, Then Abandoned Metadata-Crunching Tool to Extract Criminal Intelligence

The RCMP created, then suddenly abandoned, a tool to crunch electronic message trails gathered during criminal investigations — a previously unknown foray into the controversial realm of big-data analysis. Telecommunications Analytical Platform was operating as recently as mid-November, say internal RCMP notes obtained by The Canadian Press through the Access to Information Act. “The TAP is a platform that regroups copies of certain telecommunications metadata from concluded investigations only, such as phone numbers, associated crime types, source links to police records management systems and the geographical region where the metadata was recorded which are lawfully collected by the RCMP and other Canadian police services in the course of criminal investigations,” the RCMP notes say. The tool was a “proof of concept” that turned out to be unsuccessful and “therefore the project was ended,” said Cpl. Annie Delisle, an RCMP spokeswoman. “No data was retained.” The Mounties would not say why the tool was ineffective, nor exactly how long it existed. [The Star]

CA – Queries for B.C. Liberal government Text Messages, Skype Calls, And Slack Logs All Turn Up Empty

In order to analyze government record-keeping, the Straight filed dozens of FoI requests for communication logs created via text message, Blackberry BBM, Skype, and Slack. Five ministries were targeted as a sample of the government. Within each ministry, records were requested for the minister, deputy ministers, and chiefs of staff for those offices. Those requests pertained to more than 20 public servants. Only three resulted in government records. Vincent Gogolek, executive director of the B.C. Freedom of Information and Privacy Association, noted that these communication tools are primarily used on mobile devices and are examples of tools that have become crucial for modern business. “It’s concerning that something that is this common a means of communication has no records,” he told the Straight. “That’s clear. There should be something there. How can you have a very common means of communication where there is nothing?” The B.C. Ministry of Information and Technology—the agency responsible for government computer systems—declined to grant an interview, on account of the ongoing provincial election. “It’s hard not to come to the obvious conclusion that there are missing records. I simply find it not credible, the suggestion that there is a group of people that does not use text messages” said David Eby the NDP incumbent candidate for Vancouver-Point Grey. [Source]

CA – Lawful Access: The Privacy Commissioner Reiterates its Position

On April 5, 2017, Patricia Kosseim, Senior General Counsel and Director General, Legal Services, Policy, Research and Technology Analysis for the Office of the Privacy Commissioner of Canada (the “OPC”), gave testimony [read here] before the Quebec Commission of Inquiry on protection of confidential media sources. Ms. Kosseim took the opportunity to present a clear view of the OPC’s position on how lawful access, as articulated in section 7(3) of PIPEDA, should be addressed. Of particular interest is how this position differs from the position taken by the federal government in recent years. Ms. Kosseim went on to reiterate the position that the Privacy Commissioner of Canada, Daniel Therrien, has taken on the subject. The OPC would like to see the lawful access rights of government institutions, including police, be limited, clearly articulated, and supervised by the judiciary. Canadians have the right to be secure against unreasonable search and seizure under the Charter and have the right to have their personal information protected under PIPEDA. These rights must be balanced with the reality that circumstances will arise when personal information will need to be disclosed for purposes such as public safety. [Canadian Cyber Security Law]

CA – Implied Consent: Creditors Can Directly Obtain Mortgage Discharge Statements

A review of a recent Supreme Court of Canada decision about whether the Personal Information Protection and Electronic Documents Act (PIPEDA) precludes disclosure of mortgage statements. The Supreme Court of Canada ruled that, if a judgment has been obtained, creditors are entitled to a court order requiring disclosure of a mortgage discharge statement from mortgagees without express consent of the debtor; however, lenders should still try to obtain borrower’s express consent to disclose certain financial information in the terms of the agreement to avoid legal proceedings, or having to file motions to compel disclosure. [Privacy and Property – The Supreme Court Clarifies The Limits of PIPEDA – Scott R. Venton and Kyle Kuepfer – Fogler Rubinoff LLP]

CA – Some Canadian Bank Record Information Being Sent Directly to IRS

Thousands of reports containing confidential Canadian banking information records have been sent directly to the U.S Internal Revenue Service, without the Canadian government’s knowledge. According to information obtained under a U.S. Freedom of Information Act request, 31,574 such reports have been sent directly to IRS over the past two years under the U.S. Foreign Account Tax Compliance Act (FATCA). Under U.S. law, anyone who is a U.S. citizen or considered a U.S. person for tax purposes has to file an income tax return to the IRS, regardless of whether they are living in the States. Some estimate as many as a million Canadian residents could be affected by FATCA — from Americans and dual citizens who are living in Canada to someone born in a U.S. border hospital who has lived their entire lives in Canada. This week, the impact of the reporting regime on Americans living outside the United States will be front and centre when a House of Representatives subcommittee holds hearings on the issue in Washington. Stephen Kish, a member of the group fighting in Canada’s Federal Court to have the banking record sharing deal struck down, said one of the key concerns of those affected by FATCA is the confidentiality of their banking information. [CBC]

CA – OIPC SK Believes Stand-Alone Legislation Required for Data Matching

The Office of the Saskatchewan Information and Privacy Commissioner has issued guidance for organizations on use of data matching. Data matching is a highly invasive activity that can lead to inaccurate information about individuals due to the incorporation of implicit and explicit biases, use of poorly selected data sets, and lack of knowledge about the logic used; legislation should include principles of data minimization, openness, accuracy, de-identification, and establishing purpose and safeguards, projects should be limited to government and health institutions, and require prior completion of PIAs and notification to the OIPC. [OIPC SK – Data Matching]

CA – Privacy and Property: The Supreme Court Clarifies Limits of PIPEDA

In Royal Bank of Canada v Trang (Trang) [see here], the Supreme Court removed a number of hurdles that judgment creditors often face when attempting to execute against a judgment debtor’s real property. Whereas a judgment creditor was previously required to obtain a debtor’s consent or a court order before obtaining a mortgage discharge statement (a prerequisite to a sheriff’s sale), the “Trang” decision allows the same creditor to obtain the debtor’s implied consent simply by filing a writ of seizure and sale with the sheriff. At a broader level, Trang makes clear that individuals cannot hide behind the “Personal Information Protection and Electronic Documents Act” (PIPEDA) to escape their legal obligations. While “Trang” provides a principled justification for the disclosure of a mortgagor’s personal information, a prudent lender might nonetheless wish to obtain a borrower’s express consent to the disclosure of certain financial information as a term of the standard mortgage agreement. This preventive step may assist in avoiding the expense and trouble associated with legal proceedings commenced under PIPEDA or, as was the case in “Trang”, motions to compel the disclosure of private financial information. [Mondaq]

CA – Ontario Bill Outlines Obligations for Handling Personal Information of Children Under Government or Foster Care

Bill 89, Supporting Children, Youth and Families Act, 2017 is introduced in the Ontario Legislative Assembly: the Act amends and repeals the Child and Family Services Act; The Bill has passed second reading and referred to the Standing Committee on Justice Policy; and if passed, will come into force on a day to be named by proclamation of the Lieutenant Governor. Service providers (e.g., Minister, licensee or society) and other ministries may disclose personal information (PI) and collect PI from each other for the purpose of planning, managing or delivering a service that the ministry provides, and must comply with a court order requiring the disclosure of PI for the purposes of inspection; notification must be provided to affected individuals, the Privacy Commissioner and Minister of Child and Youth Services in the event of a data breach. [Bill 89 – Supporting Children, Youth and Families Act, 2017 – Ministry of Children and Youth Services – Legislative Assembly of the Province of Ontario ]

CA – IPC Ontario Recommends Bill 89 Amendments Regarding Handling PI Under Government or Foster Care

The Information and Privacy Commissioner of Ontario presented his comments on Bill 89, the Supporting Children, Youth and Families Act. The bill provides too much authority to the Minister of Children and Youth Services by conflating the authorities to collect and use PI, and the purposes for which indirection collection of PI is allowed (service delivery versus planning and managing the delivery of services); amendments include using a privacy framework that incorporates data minimization, oversight and transparency, and provisions prohibiting the Minister from disclosing any PI if other information will serve the purpose [IPC ON – Comments of the Information and Privacy Commissioner of Ontario on Bill 89]

CA – PEI Privacy Commissioner Upholds Public Body’s Decision to Withhold Records Covered by Solicitor-Client Privilege

The Information and Privacy Commissioner reviewed a request denied by the Public School Branch pursuant to the Freedom of Information and Protection of Privacy Act. the Information and Privacy Commissioner reviews a request denied by the Public School Branch pursuant to the Freedom of Information and Protection of Privacy Act. [IPC PEI – Order No FI17004 Public Schools Branch]

CA – Ontario Court Orders Insurance Company to Collaborate With Insured on Reasonableness of Consent Form

The Court considered Intact Insurance Company’s application for a determination of rights based on the Court’s interpretation of the Statutory Accident Benefits Schedule (SABS). The SABS is silent on the issue of the form of any consent that may be required by an examiner related to evaluations for insurance claims, and health professionals could experience negative consequences if they perform medical-legal examinations without having obtained consent in advance; since the essence of SABS is to have relevant, reasonable and necessary measures in place, collaborative efforts to develop a consent form that is reasonable would be beneficial to both parties. [Intact Insurance Company v Beaudry – 2016 ONSC 6127 CANLII – Ontario Supreme Court of Justice]

CA – Privacy Concerns Raised as Calgary Considers Electronic Parking Permit Proposal

Some Calgarians are up in arms over a proposed change to residential parking zone enforcement that would do away with physical parking permits and introduce an electronic registry of licence plates. Some residents fear the registry will provide the City with the ability to track and analyze their movements and potentially share this information with third parties. The system would be similar to the Calgary Parking Authority’s ParkPlus scheme where patrol cars scan licence plates and issue tickets to the owners of vehicles found to be in violation of the posted rules. Under the proposal, the practice of providing residents with plastic permits to place on the rearview mirrors of their vehicles or the vehicles of their visitors would be eliminated. Residents in Calgary’s 77 residential parking zones would be required to register their licence plates, and the licence plates of their visitors, online. Enforcement of residential parking zones would be patrolled by vehicles equipped with cameras as opposed to having officers on foot checking for the placards. Lee Tasker, a resident of Hillhurst, believes the proposed system is an invasion of privacy and suggests the City is prioritizing monetary gains over the security of its citizens. A report projects the introduction of the proposed system would result in $200,000 in additional revenue in 2018 and $400,000 the following year. The estimated cost of implementing the program is $400,000. Tasker and representatives of the Privacy and Access Council of Canada, who refer to the program as Orwellian and Kafkaesque, say the storing of personal information for an extended time is completely unreasonable. [CiviNews]

CA – Let Territorial Job Applicants See Their References, Says Nunavut MLA

MLA Pat Angnakak says]”as soon as somebody makes a reference about you that’s your information, it belongs to you, so you should be able to say, ‘I want my information about myself,’“ She says unsuccessful candidates should have the opportunity to defend claims made by their referees. Nunavut’s Privacy Commissioner, Elaine Keenan Bengts, addressed the MLA’s concerns at a standing committee meeting last week. “A policy which says we are simply not going to disclose any of the information we get from references, is clearly, in my opinion, contrary to the act,” Keenan Bengts said. She said access to personal information, such as references, was of the “highest level of entitlement.” [CBC]

CA – Nunavut Privacy Boss Says Privacy Not a Priority for GN Health

Nunavut’s IPC, Elaine Keenan Bengts says the health department’s lack of communication on the privacy shortfalls at the Qikiqtani General Hospital in Iqaluit proved privacy was not it’s top priority. Keenan Bengts told a standing committee of Nunavut MLAs May 10 that she has heard nothing from the Department of Health since her report was tabled last fall. Some of the more egregious violations noted by Keenan Bengts during her two days of testimony were: Fax machines printing off sensitive medical data in public hallways, computers left idle, lackluster security for medical records and even employees unofficially accessing their own medical data, were some of the more egregious violations noted by Keenan Bengts during her two days of testimony. The commissioner submitted 31 recommendations following her audit, calling for MLAs to enshrine patients’ privacy rights in standalone health information legislation, shifting fully to electronic records, and creating a dedicated privacy officer position at the hospital. [Source] [Nunavut’s health records ‘ripe for privacy breach’, says territory’s information commissioner]

CA – Security Camera Makers Urged to Beef Up Privacy After School Streaming Incident

Canada’s privacy commissioner will once again press companies that make security cameras to strengthen privacy on their devices so users don’t unwittingly stream personal images on the internet. Jennifer Rees-Jones, a senior advisor at the Office of the Privacy Commissioner of Canada said the action was inspired by a CBC News story last week about Rankin School of the Narrows in Iona, Cape Breton, where a surveillance camera was streaming images of students outside a bathroom live to the internet. She said the privacy commissioner sent similar letters in early 2015, but the threat to Canadians’ privacy is still acute. Robert Currie, director of the Law and Technology Institute at the Schulich School of Law at Dalhousie University said there are between 100 million and 200 million digital security cameras in Canada with varying levels of security. He thinks renewed action by the privacy commissioner will work. Currie said manufacturers “don’t want the government passing laws to fix this problem if they can fix it internally in the industry.” [CBC | N.S. privacy commissioner investigates after school webcam broadcasts images | Russian website broadcast live pictures of Cape Breton schoolchildren | Unsecured Webcams Are Broadcasting Canadian Daycares, Schools Online

Consumer

US – Over 80% of Americans Are More Worried About Privacy, Security Than a Year Ago

More than 80% of Americans are more concerned about their online privacy and security today than they were a year ago, a recent Anchor Free survey [PDF] of more than 2,000 Americans found. The survey found that over 95% of respondents are concerned about companies collecting and selling their personal information without their consent, and more than 50% are looking for new ways to safeguard their personal data. The survey also found that while 70% of respondents are doing more today to protect their online privacy than they were a year ago, just one in four believe they’re ultimately responsible for ensuring safe and secure Internet access. A separate TeleSign survey [PDF] of 1,300 U.S. adults found that 31% of consumers said their online life is worth $100,000 or more — and 55% said businesses are primarily responsible for account security. An EyeVerify survey of 1,002 U.S. adults recently found that 79% of respondents want the ability to use more biometric authentication methods beyond the fingerprint to access mobile banking or payment apps, and 42 percent said they wouldn’t use a banking or payment app that doesn’t offer biometric authentication. [eSecurity Planet]

E-Mail

CA – Sask Issue of MLA’s Using Private Email May Go to OIPC

A senior provincial cabinet minister says every MLA uses private email for government business, a statement seemingly at odds with the government’s position one week ago. All the members have used their private email for business related to government to respond to constituents and, you know, myself included, as has every other member,” Crown Investments Corporation Minister Joe Hargrave told reporters in Regina, following the end of the legislative session. Saskatoon man Marcus Grundahl said he was “surprised and alarmed” when Hargrave replied via private email to his concerns over the Saskatchewan Transportation Company. Hargrave has since admitted to the mistake and says it won’t happen again. Grundahl, though, said that isn’t the end of things. He’s taken the matter to Saskatchewan’s information and privacy commissioner for review. [CBC]

Electronic Records

UK – Hospitals Rapped for Sharing 1.6m Patient Records With Google

When the tie-up between Google’s DeepMind and London’s Royal Free NHS Trust was announced in 2016, it was praised as the sort of forward-looking innovation the NHS badly needed. But within weeks a wrinkle emerged – DeepMind had been given access to 1.6m patient records stretching back up to five years This week a leaked letter from the National Data Guardian (NDG) health watchdog described this transfer of data as having been carried out on an “inappropriate legal basis” – a formal way of saying it shouldn’t have happened in the way it did. The letter lays bare thorny issues, starting with the basis on which an NHS Trust can transfer data. Britain’s Information Commissioner’s Office (ICO) will soon publish its report on whether the data transfer to DeepMind was legal under the Data Protection Act (DPA). When it does, people on all sides of this tangled story will be paying close attention. [Naked Security]

EU Developments

EU – The State of Privacy 2017: EDPS Provides Mid-Mandate Report

As we approach the mid-point of the current EDPS mandate and continue the countdown to the General Data Protection Regulation (GDPR), the EU must build on current momentum to reinforce its position as the leading force in the global dialogue on data protection and privacy in the digital age, the European Data Protection Supervisor (EDPS) said to the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE), as he presented his 2016 Annual Report [see 75 pg pdf here]. [EDPS]

EU – European Data Protection Supervisor Calls for Additional Changes to Proposed ePrivacy Regulation

The European Data Protection Supervisor (EDPS) has recommended further changes to the proposed ePrivacy Regulation that would have significant impacts on the electronic communication sector and other online companies. In a 40-page opinion issued on April 24, 2017, the EDPS praises certain aspects of the current proposal as positive, voices key concerns about other aspects of the proposal, and makes several recommendations to change the proposed draft. The EDPS’s opinion follows another recent opinion by the Article 29 Working Party that recommended also changing the current proposal. The European Parliament and European Council are set to review and negotiate the final text over the coming months, with the ambitious goal of concluding negotiations by the end of 2017. The EDPS’s opinion focuses on the following key concerns and recommendations: 1) Privacy-focused definitions; 2) Strengthened consent requirements; 3) Limitations on legal grounds for processing electronic communications data and information related to terminal equipment of users; 4) Prohibition on “tracking walls” and other practices that exclude users with ad-blocking or similar applications installed; 5) Privacy-friendly default settings; 6) Mandatory adherence to accepted technical and policy compliance standards, which could include “Do Not Track”; 7) Restrictions on mobile location tracking; and 8) Safeguards against Member State restrictions on privacy rights and mandatory disclosures about government access requests. [WilmerHale]

EU – Article 29 Working Party Issues Guidance on Data Protection Impact Assessments

The steady trickle of GDPR guidance from the Article 29 Working Party continues. Fresh from finalising its guidance on data portability, lead supervisory authorities and data protection officers, the Working Party has published draft guidance on data protection impact assessments (DPIA), the full text of which is available on the Working Party website. Comments can be submitted to the Working Party by 23 May 2017, after which the guidance will be finalised. DPIAs are a key part of the GDPR accountability principle, and have to be carried out if a processing activity is “likely to result in a high risk” to data subjects. The Working Party’s guidance clarifies this phrase, and provides a series of concrete criteria which might trigger a DPIA There is a useful diagram in the guidance which sets out a seven-step generic process for DPIAs. There are also helpful Annexes to the guidance, including examples of existing national and Europe-wide DPIA frameworks and a checklist of items to be included in DPIAs. These are likely to be useful resources when preparing DPIA templates, as the regulators may well want to see clear evidence of each of these steps being followed and each element in the checklist covered. [HLDA]

UK – State of the Cyber Nation: Gov’t Report on Cybersecurity Breaches

On 19 April 2017, the UK Government’s Department for Culture, Media and Sport (DCMS) published a report on cybersecurity breaches and how they affected UK companies in the last year. Headline statistics from the report include:

  • 61% of businesses hold personal data electronically;
  • 46% of all UK businesses identified at least one cybersecurity breach in the past year, rising to 51% of those that hold personal data on customers, 66% amongst medium-sized firms and 68% amongst large firms;
  • The most common breaches involved members of staff receiving fraudulent emails. This demonstrates that technical measures can only take an organisation so far, and that strong procedures and training are vital;
  • External reporting of breaches is still not common – only 26% of companies reported their most serious breach to someone other than a cybersecurity company who could assist with solving the problem. This will have to change where personal data is lost under the GDPR;
  • Only 37% of businesses have any rules around encryption of personal data, and 37% of businesses have segregated wireless networks; and
  • Only 13% of businesses require their suppliers to adhere to specific cyber security standards.

The report indicates that many UK companies have not implemented comprehensive cybersecurity policies or implemented strong safeguards to protect against cyber attacks. [HLDA]

EU – Article 29 Working Party Issues Recommendations on Draft Code of Conduct for Mobile Health Applications

The Article 29 Working Party issued recommendations on the draft code of conduct on privacy for mobile health (mhealth) applications. The definition of health data needs to be re-evaluated to ensure it is consistent with the definition provided in the General Data Protection Regulation (GDPR), and not all of the data protection principles are mentioned (the missing principles should be added, or it should be noted why they are absent); the Code should make clear that consent should fulfil all requirements of the GDPR, acknowledge the other conditions that render data processing fair and lawful, and ensure that wording does not imply that a controller may make a service conditional on consent for marketing. [Article 29 Working Party – Letter to the Project Editor of the Draft Code of Conduct on Privacy for Mobile Health Applications]

UK – ICO Recommendations on Prevention of Ransomware Attacks

The Information Commissioner’s Office in the UK has provided guidance on preventing ransomware attacks. Organizations should remove unnecessary user accounts, restrict user privileges to only what is necessary, ensure online and offline backups are encrypted, ensure remote access or control applications have strong credentials (2-factor authentication, and timely patch updates), and segment networks to limit any damage from successful attacks; if there is a successful attack, organisations should conduct a full security scan and penetration test of all systems and networks (attacks may have gained other undetectable access). [ICO UK – Statement on Recent Cyber Attacks at NHS]

UK – UK Information Commissioner Issues Guidelines for Organisations Using Big Data Analytics

The UK Information Commissioner’s Office issued guidance about big data, artificial intelligence, machine learning and data protection. Organizations should consider whether the analytics actually requires the processing of personal data (anonymized data is not considered personal data and does not fall under data protection laws); conduct privacy impact assessments to help identify privacy risks and assess the necessity and proportionality of the processing, and adopt a privacy by design approach (data minimization, purpose limitation and respecting individuals’ preferences in the metadata). [ICO UK – Big Data, Artificial Intelligence, Machine Learning and Data Protection]

EU – Facebook Fined $122 Million for Misleading EU Over WhatsApp

Facebook Inc. was fined 110 million euros by the E.U. for misleading regulators during a 2014 review of the WhatsApp messaging-service takeover. The European Commission won’t overturn approval for the $22 billion WhatsApp purchase as “the incorrect or misleading information provided by Facebook did not have an impact on the outcome of the clearance decision,” the regulator said. Vestager targeted Facebook after it announced privacy policy changes in August that would allow the advertising platforms on Facebook and Instagram to draw upon data from WhatsApp. The company informed the EU in 2014 it couldn’t combine WhatsApp data with its other services but moved to do that last year. Facebook said the firm “acted in good faith” in its interactions with the commission. “The errors we made in our 2014 filings were not intentional and the commission has confirmed that they did not impact the outcome of the merger review,” a Facebook spokesman said. “Today’s announcement brings this matter to a close.” The social networking company said it wouldn’t appeal the EU decision. [Bloomberg]

UK – Record Fine for Company Behind Nearly 100 Million Nuisance Calls

The UK’s Information Commissioner’s Office (ICO) has issued a record £400,000 fine to a business responsible for nearly 100 million nuisance calls over an 18 month period. [See ICO PR here] Keurboom Communications did not have the necessary prior consent to engage in the marketing activity from the people it targeted with the 99,535,654 calls, and was in “serious contravention” of the UK’s Privacy and Electronic Communications Regulations (PECR), the ICO said. The fine issued by the ICO to Keurboom Communications is the highest it has ever issued for a breach of PECR. It previously fined TalkTalk £400,000 for a serious breach of the Data Protection Act after the company suffered a data breach affecting approximately 157,000 customers [Out-Law]

Facts & Stats

WW – New Symantec Report 1.1 Billion Identities Exposed In 2016 Breaches

1.1 billion identities exposed in data breaches in 2016, says Symantec report. In the last eight years, more than 7.1 billion identities have been exposed in data breaches globally, which is almost the equivalent of one for every person on the planet, according to the findings of Symantec’s Internet Security Threat Report.[see here] In 2016 alone, almost 1.1 billion identities were stolen globally, a big jump from the 563.8 million stolen in 2015. This is despite the fact that the number of data breaches actually fell between 2015 and 2016—dropping from 1,211 to 1,209, said the report. In 2016, there were 15 mega breaches—breaches in which more than 10 million identities were stolen—an increase from 11 in 2014 and 13 in 2015. [LiveMint]

Finance

CA – Survey: Half of Us Are Ready for Cashless Canada

Forget about the end of the Canadian penny or even the possible impending demise of the nickel — half of Canadians are ready to abandon cash altogether. A new survey from Payments Canada finds 50 per cent of Canadians are ready to get rid of banknotes and coins. Two-thirds of respondents said they are ready to say goodbye to personal cheques. Some observers have raised privacy concerns about digital payments, noting that in a cashless society, every purchase can be tracked. But the Payments Canada survey suggests a large share of the population is willing to accept lesser privacy for greater convenience: 48% of respondents said they would trade away some of their privacy when paying digitally. [HuffPost]

FOI

WW – Facebook Transparency Report Signals Need for Privacy Guidelines

Facebook’s latest Global Government Requests Report [see PR here see Report here] covering the second half of 2016. It showed that requests for account data increased by nine percent – from 59,229 to 64,279 requests, globally – over first half 2016. Half of the data requests the firm received from law enforcement in the U.S. contained a non-disclosure order that prohibited Facebook from notifying the user. Facebook used the report to reiterate that it does not provide governments with backdoors or direct access points to users’ information. The company continues to seek ways to work with industry partners and civil society to push governments around the world to reform surveillance in a way that protects their citizens’ safety and security while respecting their rights and freedoms, the report said. The report is also reminder of how governments around the world are regularly prying open the digital lives of subscribers. Facebook said that reform is needed in the legal process for handling data requests. “The current process for handling cross border requests for data is slow and cumbersome, and legitimate requests are often subject to months and months of delays,” the report said. “We believe that companies, governments, civil society organizations, and academics should work together to improve this process and to raise human rights standards throughout the world” [SC Magazine]

Genetics

CA – New Genetic Non-Discrimination Law to Promote Privacy and Human Rights

The Privacy Commissioner of Canada and the Chief Commissioner of the Canadian Human Rights Commission are welcoming the coming into force of the “Genetic Non-Discrimination Act” [see here], as an important step for privacy and human rights in Canada. The Act, which received Royal Assent on May 4th, now prohibits genetic discrimination across Canada. It bars any person from requiring individuals to undergo a genetic test or disclose the results of a genetic test as a condition of providing goods or services, or entering into a contract. Both Commissioners acknowledge that the Government has stated it may refer the law to the Supreme Court of Canada for its opinion on the law’s constitutionality. In the meantime, the “Genetic Non-Discrimination Act” remains in place and represents the current law on this important public policy issue. Commissioner Therrien says he expects organizations subject to Canada’s federal private sector privacy law to re-examine their practices related to genetic tests and bring them in line with the new law. In light of Parliament’s passage of S-201, organizations that require genetic test results as a condition of providing a good or service will also generally be considered in contravention of the Personal Information Protection and Electronic Documents Act (PIPEDA). [Source]

Health / Medical

US – Health Care Industry Task Force Issues Recommendations to Protect Patient Information

The Health Care Industry Cybersecurity Task Force, established pursuant to the Cybersecurity Act of 2015, issued a report outlining recommendations to address challenges in protection of patient information. The health care industry faces cybersecurity risks from severe lack of security talent, use of unsupported legacy systems, significant recourse constraints, and lack of threat identification infrastructure; organizations should cooperate with vendors and providers to inventory and secure legacy systems, adopt strong authentication, ensure strategic, architectural approaches to reduce attack surfaces, and establish cybersecurity leadership positions. [Health Care Industry Cybersecurity Task Force – Report on Improving Cybersecurity in the Health Care Industry]

US – Five HHS Settlements Imposed for Lack of Safeguards, Risk Analysis and Management Plans

This article reviews the U.S. Department of Health and Human Services, Office for Civil Rights’ (OCR) 2017 settlements under the Health Insurance Portability and Accountability Act. Electronic personal health information was exposed due to hackers, inappropriate employee access and lost or stolen unencrypted devices; companies were asked to conduct a risk analysis and implement risk management plans to fix vulnerabilities, and to monitor their information systems’ activity (e.g., review audit logs, access reports and security incident tracking reports). [2017 OCR HIPAA Settlements Focus on Risk Analyses Safeguards – Elizabeth Snell – HealthIT and Security]

US – HHS Issues Guidance on How to Detect, Deter and Recover from Ransomware Attacks

A new HHS Fact Sheets reviews the U.S. Department of Health and Human Services’s guidance about ransomware and requirements under the Health Insurance Portability and Accountability Act and the HIPAA Rules. Entities may prevent malware intrusion by implementing security management processes to identify threats and vulnerabilities, to mitigate or remediate identified risks and to guard against and detect malicious software; ransomware attack recovery activities include conducting an initial analysis to determine the scope and origination of the incident, whether it is finished, how it occurred and vulnerabilities and restoring data lost during the incident. [HHS Fact Sheet: Ransomware and HIPPA]

Horror Stories

CA – 1.9 Million Bell Customer Email Addresses Stolen by ‘Anonymous Hacker’

Bell is apologizing to its customers after 1.9 million email addresses and approximately 1,700 names and phone numbers were stolen from a company database. The information appears to have been posted online, but the company could not confirm the leaked data was one and the same. Bell, the country’s largest telecommunications company, attributed the incident to “an anonymous hacker,” and says it is working with the RCMP to investigate the breach. “Bell said the incident was unrelated to the massive spike in ransomware infections that affected an estimated 200,000 computers in more than 150 countries late last week. It is not clear when the breach occurred, how the data was accessed, or how long the attacker had access to Bell’s systems. [Source]

WW – Two Billion Numbers Leaked by Chinese Phone App

The app, DU Caller, developed by DU Group, a subsidiary of Baidu, was initially for users to blacklist nuisance callers and filter them out. But a “reverse look-up” function allowed access to two billion phone numbers stored in Baidu’s Beijing server. Among those affected are security minister Lai Tung-kwok and privacy commissioner Stephen Wong, according to news agency FactWire – see here The Security Bureau has referred the case to the Office of the Privacy Commissioner for Personal Data for investigation. Independent news agency FactWire reported on Saturday that once downloaded and installed, the app would automatically gather sensitive information such as the address book and phone numbers even before users agreed to the privacy policy. [SCMP]

US – $2.5M Fine Imposed on Wireless Health Services Provider for PHI Breach

The Department of Health and Human Services, Office for Civil Rights entered into an agreement with CardioNet Inc. to settle alleged violations of the HIPAA Privacy and Security Rules. The provider did not have sufficient risk analysis and risk management processes in place at the time an employee’s laptop was stolen from their vehicle (containing ePHI of 1,391 individuals); the organization must conduct an enterprise-wide risk analysis, implement a risk management plan that addresses all security risks and vulnerabilities, revise and distribute policies and procedures among employees, and report the HHS at least annually for a 2 year period [HHS – Resolution Agreement – CardioNet Inc. [Press Release | Resolution Agreement]

Identity Issues

CA – Edmonton Man Sounds Alarm After ID Scanned While Buying Cigarettes

Nick Radloff said he was asked for ID last at an Esso Station owned by 7-Eleven. “She just automatically scanned it into her system” he said. A directive from 7-Eleven head office states that the store’s ID scanners do not collect personal information that could identify the customer. Instead the scanners “read only anonymous information (expiry date, province, date of birth, and only the last four digits of a driver’s licence).” A regional 7-Eleven manager wrote “if you do not want your ID or driver’s licence scanned, our sales associates have been instructed to respect your decision.” 7-Eleven’s policy was implemented on April 24 across their 650 stores. 7-Eleven said the policy was put in place “to further reduce the risk that tobacco products would be sold to minors.” The Office of the Information and Privacy Commissioner of Alberta has looked into a number of such complaints over the past decade. [CBC]

EU—Blockchain Startup Forms Partnership to Develop Identity Platform

Billed as an “identity platform,” the product is designed to allow businesses and consumers to store and exchange information while staying on the right side of regulations such as the European Union’s General Data Protection Regulation, which sets strict limits on what information companies are allowed to hold on their customers. The platform’s development, announced Monday, is a joint effort between Cambridge [see here] and LuxTrust [see here], an established firm that is already managing digital identities for the entire individual and corporate population of Luxembourg, according to a news release. [see here] A key piece of the platform will be Cambridge’s software, in which each individual holds his or her personal data in a private store and the blockchain holds proof that the data is valid. Such proof could include picture ID. A bank can refer to the blockchain to verify customers’ identities, but the information held there can’t be used to falsify personal data. [American Banker]

Internet / WWW

CA – WannaCry Ransomware “A Wakeup Event” for Directors

“It may be the WannaCry virus will be a watershed event for directors and officers liability in this area,” Bradley Freedman [see here], national leader of the cyber security law group at Borden Ladner Gervais, said. “And I say that because the primary result of it has been business disruption and financial loss. Shareholders are going to be asking what their directors did to make sure their organizations were doing the right thing to manage these types of risks. Did it have an appropriate patch management program? Was there proper oversight? Why was this organization running a Windows XP machine?” Freedman noted that when it comes to cyber risk management courts say directors and officers have to consider the same things when making any corporate risk decision: Exercise the care of a reasonable person, and make “reasonable and informed and properly advised independent decisions.” Perfection, he said, isn’t demanded. Still, he said, it may be the WannaCry attack, which according to the U.S. infected 300,000 computers around the world, may be a seminal event for directors. In making decisions in civil lawsuits relating to breaches on whether the organization took “reasonable care”, Freedman added, judges will look to what he called “soft law” — best practices, industry guidance, previous decisions in other jurisdictions. Rene Pelletier, IT audit principal in the Alberta auditor general’s office, said organizations are playing defensive because they don’t share their knowledge with other firms. Canada, he noted, is the second biggest target for reported ransomware incidents after the U.S. Ransomware works because it relies on ignorance and isolation of users, he said. “We all need to work together” on cyber security,” he added. “If we don’t we’re dead.” [IT World Canada]

Law Enforcement

CA – Alberta Police Inch Closer to Policy on Identifying Homicide Victims

After a meeting of the Edmonton Police Commission, police Chief Rod Knecht gave an update on a contentious issue which came to the fore this year after Edmonton police withheld the names of roughly half of the city’s 2017 homicide victims, a departure from long-standing practice. Critics say withholding names is a misreading of the province’s Freedom of Information and Protection of Privacy (FOIP) law, and which goes against the public interest. The opposition Wildrose has criticized the policy, saying in particular that withholding names in domestic violence cases could stigmatize victims. Edmonton police have cited privacy concerns and the lack of “an investigative purpose” in not naming some homicide victims this year. Members of the Alberta Association of Chiefs of Police met last Friday to discuss the issue, Knecht said. The departments’ FOIP lawyers will soon gather to discuss the legal issues. “We all agreed — every case on its own merits,” he said. “We may release the name in a certain case, and in another case we may not.” [Edmonton Journal See also: Alberta police chiefs try for common ground on naming homicide victims | Alberta chiefs of police to discuss homicide victim naming policies | Edmonton police chief defends policy of not releasing names of homicide victims | Edmonton police policy of not naming murder victims stands alone in Alberta | Secret murder: A tale of two police forces in Alberta | Bureaucratic secrecy erodes democratic rights | RCMP silent on Alberta murder victims citing Privacy Act ]

US – Police May Have Been Less than Forthcoming to Judge About Stingray Use

A California defense attorney maintains that law enforcement officers misled a judge when seeking a warrant to use cell-site simulator technology to track her client’s location. In a related story, the US Supreme Court plans to discuss the issue of whether law enforcement authorities require warrants to compel mobile phone companies to disclose customer’s cell site data. Read more in:

  • arstechnica.com: Lawyer: Cops “deliberately misled” judge who seemingly signed off on stingray
  • arstechnica.com: Supreme Court asked to rule if cops need warrant for cell-site data
  • arstechnica.com: DHS now needs warrant for stingray use, but not when protecting president
  • arstechnica.com: FBI, DEA and others will now have to get a warrant to use stingrays
  • www.usatoday.com: Bipartisan bill seeks warrants for police use of ‘stingray’ cell trackers
  • arstechnica.com: Appeals Court: No stingrays without a warrant, explanation to judge
  • www.reuters.com: In first, U.S. judge throws out cell phone ‘stingray’ evidence

Online Privacy

WW – Hundreds of Privacy-Invading Apps Are Using Ultrasonic Sounds to Track You

These near-silent tones can’t be picked up by the human ear, but there are apps in your phone that are always listening for them. This technology is called ultrasonic cross-device tracking, and it works by emitting high-frequency tones in advertisements and billboards, web pages, and across brick-and-mortar retail outlets or sports stadiums. Apps with access to your phone’s microphone can pick up these tones and build up a profile about what you’ve seen, where, and in some cases even the websites you’ve visited. In the past year, researchers found 234 Android apps that include the ability to listen for ultrasonic tones “without the user’s knowledge,” one paper said. The researchers criticize the technique as a “threat to the privacy of a user,” as they “enable unnoticeably tracking locations, behavior and devices.” Using this ad-tracking technology allows ad companies to link media-consuming habits to a person’s identity by picking up ultrasonic tones from websites, and radio and television broadcasts. The ultrasonic tones can also be used to track locations, behavior, and purchase habits across different devices, which allows the advertiser to serve more specific and tailored advertisements based on where you’ve been. Worst of all, the researchers say that this ultrasonic tracking technology can de-anonymize users of bitcoin, which is designed to be used without the need for a name. [ZDNet]

Other Jurisdictions

AU – Australian DPA Recommendations for Identifying Personal Information

The Office of the Australian Information Commissioner has provided guidance to organizations on determining whether information processed is personal information, pursuant to the Privacy Act 1988. Organizations should consider whether there is connection between the information and the individual, if the information reveals or conveys something about the individual, and whether the individual is reasonably identifiable (considering the nature and amount of information, and who will have access); personal information does not include de-identified information, information about deceased persons, business information, or cases where individuals are not identifiable (e.g. an aerial photo of a public event without enough detail to determine identifying features). [OIC Australia – What is Personal Information]

Privacy (US)

US – Advocates Urge FCC to Immediately Repeal Mandatory Data Retention Rule

Advocates urge the Federal Communications Commission to immediately end the data retention mandate. The rule, requiring telephone carriers to retain customer billing records for 18 months, is outdated (carriers no longer bill in a way that makes the retention of this data relevant), violates customers’ privacy rights by requiring carriers to retain sensitive personal data, and increases the likelihood of the data being exposed in a security breach. [Letter Urging FCC to Act Immediately on Petition to End Data Retention Mandate]

US – Security Spending: School Budgets Inadequate to Meet Increased Challenges

The Consortium for School Networks issued its 5th IT Leadership Survey: 495 surveys were completed by US school system technology leaders between January and February of 2017. 38% of IT departments spend 51-75% of their time reacting to technical problems as opposed to working in a proactive mode, and 37% see no change in the priority of security and privacy of student data compared to the last year; IT leaders overcome budget and funding issues by delaying maintenance and upgrades (65%), reducing technology purchases (37%), and relying on E-rate funds (53%) and grants (35%). [2017 K-12 IT Leadership Survey Report – Consortium for School Networking]

US – School Districts and Online Services Providers Must Better Protect Student Privacy

The Electronic Frontier Foundation has issued a report on student data handling practices of school districts and educational technology companies. Schools have issued devices to students without parental knowledge or consent, parents were unable to opt-out their children from device or software use, and provider policies (which lacked details about encryption, retention and sharing) were relied on by schools to ensure student data protection; schools and providers should have privacy policies that are accessible, not over-broad, and describe data collected, methods used, and data minimization measures employed, obtain explicit consent from parents before signing students up for services, and should not track student’s online behavior. [EFF – Spying on Students – School-Issued Devices and Student Privacy]

US – Parties Discuss Privacy Issues in Advance of FTC, NHTSA Workshop on Connected Cars

On June 28, 2017, the Federal Trade Commission and the National Highway Traffic Safety Administration (NHTSA) will hold a workshop to examine the consumer privacy and security issues posed by automated and connected vehicles. The workshop comes several months after the Department of Transportation and NHTSA promulgated a Notice of Proposed Rulemaking (NPRM) that would require all new passenger vehicles to be capable of vehicle-to-vehicle (V2V) communications by the early 2020s. The FTC and NHTSA have raised several questions to be addressed at the workshop Car manufacturers, tech organizations, privacy organizations, and other parties filed comments in advance of the workshop, responding to these questions and more. [Inside Privacy]

US – Second Circuit Limits Standing to Bring Data Breach Class Actions

The U.S. Court of Appeals for the Second Circuit issued an important decision [see 5 pg pdf here] in “Whalen v. Michaels Stores”, placing the court at the center of the controversy around what allegations are sufficient to establish Article III standing in data breach class actions. In “Whalen”, the plaintiff alleged that payment card information stolen in a data breach was used in unsuccessful, attempted fraudulent transactions. The payment card owner further alleged that she faced an increased risk of future identity fraud, forcing her to spend time and money resolving the attempted fraudulent charges and monitoring her credit. The court ruled that these allegations did not establish a concrete injury sufficient to confer Article III standing. [Fenwick]

US — California Senate Committee Votes Against Privacy for Our Travel Patterns

The Electronic Frontier Foundation and the ACLU of California joined forces with California State Sen. Joel Anderson (R-Alpine) to testify before the Senate Transportation and Housing Committee – watch the full hearing here] in favor of S.B. 712 (text), a bill that would have allowed drivers to cover their license plates when parked in order to protect their travel patterns from private companies operating automated license plate readers (ALPRs). Despite learning how this data may be misused to target vulnerable communities by the federal government, a Democratic majority voted to kill the bill 5-6. The bill would have adjusted current law, which allows drivers to cover their entire vehicles (for example with a tarp), so that a driver can cover just a portion: the plate. Police would still have the ability to lift the cover to inspect the plate, and since the measure only applied to parked vehicles, it would not have affected law enforcement’s ability to collect data on moving vehicles. [EFF.org]

US — Lawyers Demand Answers After Artist Forced to Unlock His Phone

In February, artist Aaron Gach flew home to San Francisco after putting on a gallery installation in Brussels. US Customs and Border Patrol (CBP) decided to interrogate Gach, to detain him, and to demand that he unlock and hand over his phone. It’s fruitless to try to surmise the actions of CBP detentions. The CBP isn’t in the habit of sharing whatever possibly reasonable suspicions they might have about a traveler that would lead agents to detain that traveler. But we are now in an era of skyrocketing device searches at the US border, and there are many who would very much like to dissect the reasons – and the constitutionality – of this type of search. As the American Civil Liberties Union (ACLU) notes, the Department of Homeland Security (DHS) has estimated that CBP officers searched 2,700 devices in January and 2,200 in February alone, putting it on pace to easily exceed the 19,000 devices they searched in all of 2016. On Thursday, the ACLU took action on behalf of Gach and others who’ve been subjected to similar non-consensual searches at the border. Six ACLU attorneys filed an eight-page administrative complaint, seeking answers from DHS, the parent agency of CBP. [Source]

US – Swabbing a Car Door Handle in A Public Lot to Collect DNA is a 4th Amendment Trespass Search

In United States v. Jones, 132 S.Ct. 945 (2012), the Supreme Court added a second test for what government action counts as a Fourth Amendment “search.” Since the 1970s, the Supreme Court had held that the government commits a search when it violates a person’s reasonable expectation of privacy. Jones added that the government also commits a search when it trespasses on to a person’s “persons, houses, papers, and effects.” The significance of Jones hinges on just what kind of trespass test courts interpret Jones to have adopted. In light of that uncertainty, I was fascinated by a new decision, Schmidt v. Stassi, from the Eastern District of Louisiana last week. When Schmidt drove to a local strip mall, parked and went inside a store, an agent used a cotton swab to wipe the exterior door handle on Schmidt’s Hummer to collect a DNA sample. Schmidt sued the officers, claiming that swabbing his car door handle was an unlawful Fourth Amendment search. In the new decision, Judge Lance M. Africk holds that collecting the DNA from the door handle using the cotton swab was a Fourth Amendment search because it trespassed on to the car. Notably, the idea here is that collecting the DNA was a search because it interfered with Schmidt’s rights in the car, not in the DNA itself. That’s different from the reasonable-expectation-of-privacy cases on collecting DNA, which generally focus on the potential privacy invasion in the testing of the DNA sample to reveal sensitive information. [Washington Post]

US – Google Data Privacy Fight Hinges on Cloud Storage Tech

U.S. District Court for the Northern District of California Magistrate Judge Laurel Beeler’s ruling [see here] that Alphabet Inc.’s Google turn over customer data stored overseas relied more on the specific storage technology at play than on an outdated federal email privacy law, attorneys told Bloomberg BNA. The ruling may not offer real clarity sought by companies that store large amounts of data in the cloud on whether they must comply with government demands for the release of consumer data stored outside the U.S. But it does offer some insight into how courts may parse the technological issues surrounding the storage of data and identification of the consumers tied to that data by focusing on the ability of the company to readily identify the citizenship of a particular user. [BNA]

US – NY Lawmakers Consider Adding a ‘Textalyzer’ to Accident Investigations

A bill before the New York State Senate would give law officers a tool to check drivers’ cell phones after an accident in order to determine if distracted driving was the cause. Titled Evan’s Law, named after Evan Lieberman, a New Castle teenager who lost his life in 2011 due to a distracted driver in Westchester County, the bill would be the first in the nation to receive legislative approval. But not everyone is excited about the prospect. Rashida Richardson of the New York Civil Liberties Union is concerned that private information would not be private with any phone-scanning technology. She also questioned its accuracy, according to CBS New York. [Patch.com]

Security

US – New ABA Opinion: Attorneys Must Take Reasonable Cybersecurity Measures to Protect Client Data

On May 11, 2017, the American Bar Association (ABA) issued Formal Opinion 477, making clear that a lawyer may transmit information relating to the representation of a client over the Internet without violating the Model Rules of Professional Conduct so long as the lawyer takes reasonable efforts to prevent inadvertent or unauthorized access to client information. Lawyers may also be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security. This new opinion updates a prior opinion issued by the ABA in 1999 (Formal Opinion 99-413)[see here], in which the ABA concluded that attorneys may use the Internet to transmit unencrypted communications relating to a client without running afoul of the Model Rules of Professional Conduct. Although most enterprises and firms use some level of protection in their electronic communications, this new opinion highlights the growing focus on cybersecurity across all industries and professions. Encryption is increasingly becoming the industry standard in securing electronic data and communications, and is often the first line of defense when facing a data breach scenario. [Privacy and Security See also: 8 Steps to Evaluating Cloud Service Security]

WW – Google Docs Phishing Scam

An enormous phishing scheme disguised as a Google Docs request has been sent to as many as one million users. The attackers used Google developer tools that create an app that was designed to trick users into thinking they were viewing the real Google Docs app. It displayed a legitimate OAuth screen seeking permission to access and manage users’ email and contacts. Within an hour of learning about the phishing scheme, Google had taken steps to protect users. Read more in:
computerworld.com: Google Docs phishing scam underscores OAuth security risks
www.wired.com: Don’t Open That Google Doc Unless You’re Positive It’s Legit
www.scmagazine.com: Massive Google Docs phishing attack targeted credentials, permissions
www.eweek.com: Google Docs Phishing Attack Tricks Unsuspecting Users to Click
www.cyberscoop.com: OAuth-based phishing campaign gives Gmail users a scare
threatpost.com: 1 Million Gmail Users Impacted by Google Docs Phishing Attack
www.bleepingcomputer.com: It Took Google One Hour to Shut Down Massive Self-Replicating Phishing Campaign

US – HHS to Launch Cybersecurity Center

The Department of Health and Human Services (HHS) will soon launch a healthcare focused cybersecurity initiative modeled on the Homeland Security Department’s National Cybersecurity and Communications Integration Center (NCCIC). The new center, to be called the Health Cybersecurity and Communications Integration Center (HCCIC) would seek to reduce the extensive “noise” in the health care industry about cyber threats and to analyze and “deliver best practices and the two or three things that a small provider, a small office, a doc in a box can do to protect his patient’s privacy and information security around those systems.” HHS also envisions the HCCIC working with developers of mobile health apps to promote data security best practices in that fast-growing area. In December, the Food & Drug Administration responded to the “growing number of medical devices designed to be networked to facilitate patient care” by issuing guidance addressing the management and reporting of post-market cybersecurity vulnerabilities in medical devices. On May 3, HHS’ Health Care Industry Cybersecurity Task Force released its draft report to Capitol Hill. The report includes recommendations to create a medical-device specific “MedCERT” modeled after the United States Computer Emergency Readiness Team, which “would assess vulnerabilities, evaluate patient safety risks, adjudicate between the vulnerability finder and product manufacturer, and consult organizations about how to navigate the vulnerability process.” [Security and Privacy Health Law]

WW – CompTIA Study Finds Old Tactics Often Used to Fight Breach Threats

Old tactics too often used to fight top data security threats Organizations recognize information security as a growing imperative, but too many remain on the defensive and use dated tactics and training to protect their data. That is the conclusion of the new study “The Evolution of Security Skills” from CompTIA, the leading technology association. According to the study, one of the challenges for many organizations is that they put their focus on the cyber threats they understand the best. Malware and viruses, two of the oldest forms of cyberattacks, generally get the most attention. Of the 350 organizations surveyed, 29 percent said they are highly proactive in their security posture, emphasizing detection and response. Another 34 percent said they balance a strong cyber defense with some proactive measures. Too many organizations remain on the defensive and use dated tactics and training to protect their data. That is the conclusion of the new study “The Evolution of Security Skills” [see here] from CompTIA . Of the 350 organizations surveyed, 29 percent said they are highly proactive in their security posture, emphasizing detection and response. Another 34 percent said they balance a strong cyber defense with some proactive measures. Seth Robinson, senior director, technology analysis, at CompTIA calls on organizations to adopt proactive measures to protect their data. These include identifying weak links before they are exploited, broadening the skills of their technology professionals, and increasing security training top to bottom throughout the organization. [Info Mgmt]

UK – ICO Reports Record Number of Data Breaches and Fines

The ICO’s annual performance statistics for 2016/17 also reveal that the regulator received more reported data protection breaches and fined more companies for unlawful activities than any previous year. The statistics show that data protection complaint cases rose to 18,354, around 2,000 more than the previous year. Some 2,565 self-reported data breaches resulted in 16 civil monetary penalties totalling £1,624,500 for serious breaches across a range of public, private and voluntary sectors. The ICO received more than 166,000 reports about nuisance calls and texts. The ICO issued a record number of 23 fines in this regard, totalling £1,923,000, and issued nine enforcement notices and placed 31 organisations under monitoring. More than 5,400 freedom of information (FOI) cases were received and 5,100 closed during the year, with 1,351 decision notices, which was “broadly similar” to the previous year, the ICO said. The ICO expects its work to intensify next year in the run up to deadline for compliance with the EU’s General Data Protection Regulation (GDPR) on 25 May 2018. .Testifying to the House of Lords EU Home Affairs Sub-Committee in a hearing on the new EU data protection ackage, Denham planned to expand the ICO’s staff to deal with the extra work burden to be imposed by the GDPR. [Computer Weekly]

WW – Organizations’ Lack of Attention to Printer Security Makes Them Vulnerable

This white paper surveyed individuals responsible for printer security at 16 organizations, which averaged 51 million pages printed per year by 8,800 printers used by 57,200 IT users and involving 4,500 IT staff. More than half of companies experienced an IT security breach in the last year that involved print security, yet almost 2/5 of senior managers are more likely to be involved in decision making for overall IT security than for print security; breaches commonly occur from the device’s network ports, print/copy/scan job interception, print/MFP hard drives and memory, printed or copied documents left in output trays or illegal use of secure media (checks, prescriptions). [The Business Value of Printer Security – IDC]

WW – Mobile Devices: Only 36% of Organizations Believe Cyberattacks Can Be Prevented

410 security professionals from an independent global database participated in a survey on mobile device security. Types of attacks experienced on employees’ mobile devices include malware, phishing using text messages, network attacks, intercepted calls and text messages over a carrier network, key logging, and credential theft; 62% of organizations do not use mobile security solutions (due to lack of budget, shortage of resources, lack of experience, or insufficient risk), despite 94% of organizations believing that the frequency and types of mobile device attacks will increase in the next year. [The Growing Threat of Mobile Device Security Breaches – Global Survey of Security Professionals – Check Point Software Technologies]

US – Uber Responds to Report That It Tracked Devices After Its App Was Deleted

Uber tracked former users even after they deleted the app from their iPhones, a practice that eventually earned CEO Travis Kalanick a scolding from Apple chief executive Tim Cook, the New York Times reports. Uber allegedly used a practice called fingerprinting to track devices after the app was deleted. Uber reportedly began fingerprinting iPhones as a fraud-prevention method in locations like China. Drivers there would register multiple Uber accounts on stolen iPhones and use them to request rides, thereby boosting the number of overall rides — a metric that Uber rewards with bonuses. Apple previously allowed developers to track their users with a Unique Device Identifier, or UDID. This kind of tracking was persistent across installs, but as Apple became more concerned with user privacy, it deprecated UDIDs in 2013. Apple replaced UDIDs with other variants of trackers that are designed to be less intrusive, including vendor IDs and advertising IDs. It’s not clear how Uber fingerprinted the devices in 2015 that led to the meeting between Kalanick and Cook. In order to prevent Apple engineers from discovering the fingerprinting, Uber allegedly geofenced Apple’s Cupertino headquarters to hide the code used in the process. But Apple engineers based in other offices discovered the trick, according to the New York Times [see here] and confirmed by TechCrunch, leading Cook to summon Kalanick to his office in early 2015. An Uber spokesperson said “We absolutely do not track individual users or their location if they’ve deleted the app. As the New York Times story notes towards the very end, this is a typical way to prevent fraudsters from loading Uber onto a stolen phone, putting in a stolen credit card, taking an expensive ride and then wiping the phone—over and over again. Similar techniques are also used for detecting and blocking suspicious logins to protect our users’ accounts. Being able to recognize known bad actors when they try to get back onto our network is an important security measure for both Uber and our users” [TechCrunch]

US – DHS Provides Guidance on Implementing Security Improvements for Mobile Devices

The Department of Homeland Security, in coordination with the National Institute of Standards and Technology and the National Cybersecurity Center of Excellence, conducted a study on current and emerging threats to the government’s use of mobile devices. Mobile devices are vulnerable to attacks on back-end systems that require a security approach different from protection developed for desktop workstations; organizations should ensure timely patching of known vulnerabilities, block network access for obsolete devices (those no longer supported with updates), enable strong authentication methods, automatically monitor, detect and report any security policy violations, and enable remote wiping capabilities. [DHS – Study on Mobile Device Security]

US – NIST: Let Passwords Be Longer and Eliminate Character Variation Requirements

Later this summer, the US National Institute of Standards and Technology (NIST) will release new Digital Identity Guidelines. NIST appears likely to recommend against requiring periodic changes for passwords and instead, employing other measures to make passwords both easier to remember and more difficult to crack. For instance, allowing up to 64 characters could let people use passphrases rather than passwords. And allowing spaces and doing away with character variation requirements would help with memorization. NIST is currently reviewing public comment received on the guidelines. Read more in:
https://qz.com: The US standards office wants to do away with periodic password changes
https://pages.nist.gov: Digital Identity Guidelines

Smart Cars & Cities

WW – Report on IoT, Automation, Autonomy, and Megacities in 2025

Engineers designing and implementing internet-connected IOT devices face daunting challenges that is creating a discomfort with what they see evolving in their infrastructures. This paper brings their concerns to life by extrapolating from present trends to describe plausible future crises playing out in multiple global cities within 10 years. Much of what occurs in the scenarios is fully possible today. IoT, Automation, Autonomy, and Megacities in 2025

US – California Bill Mandates Privacy by Design for IoT Devices

Manufacturers of Internet-connected devices (better known as the Internet of Things) should be following a new California bill closely because it would create a mandate under California law that all IoT devices have built-in security features appropriate to the device and information collected. California Senate Bill 327 [see here], amended in March, is the latest in a trend of legislative and regulatory efforts by state and federal authorities to hold IoT device makers more accountable for consumer data security. The California bill was introduced at nearly the same time the FTC brought an enforcement complaint in federal court in California against a computer networking equipment manufacturer for failing to take reasonable steps to secure its products from hackers. California’s Senate Bill 327 would go much further than the FTC has in “encouraging” manufacturers to adopt industry best practices for device security by codifying the State of California’s ability to bring enforcement complaints against those companies that do not build adequate security safeguards into their devices. It could be the first legislative mandate for IoT device manufacturers to proactively implement “security by design” [WCSR]

WW – Securing the Internet of Things

Microsoft is calling for the development of a cybersecurity policy for the Internet of Things (IoT). While “industry can build security into the development of IoT devices and infrastructure, the number of IoT devices, the scale of their deployments, the heterogeneity of systems, and the technical challenges of deployment into new scenarios require an approach specific to IoT.” In a separate story, Japan’s Internal Affairs and Communications Ministry will introduce a certification system for IoT devices that will rate their resilience to cyberattacks. Read more in:
www.darkreading.com: Microsoft Calls for IoT Cybersecurity Policy Development
mscorpmedia.azureedge.net: Cybersecurity Policy for the Internet of Things (PDF)
www.sltrib.com: Japan to rate home devices on cyber-attack vulnerabilities

Surveillance

US – NSA Collected Americans’ Phone Records Despite Law Change: Report

The U.S. National Security Agency collected more than 151 million records of Americans’ phone calls last year, even after Congress limited its ability to collect bulk phone records, according to an annual report [see PR here & Report here] issued by the top U.S. intelligence officer the NSA collected the 151 million records of Americans’ phone calls last year even after Congress limited its ability to collect bulk phone records though it had warrants from the secret Foreign Intelligence Surveillance court to spy on only 42 terrorism suspects in 2016, in addition to a handful identified the previous year. The report came as Congress faced a decision on whether to reauthorize Section 702 of the Foreign Intelligence Surveillance Act (FISA), which permits the NSA to collect foreign intelligence information on non-U.S. persons outside the United States, and is scheduled to expire at the end of this year. Officials on Tuesday argued that the 151 million records collected last year were tiny compared with the number collected under procedures that were stopped after former NSA contractor Edward Snowden revealed the surveillance program in 2013. The report said the names of 1,934 “U.S. persons” were “unmasked” last year in response to specific requests, compared with 2,232 in 2015, but it did not identify who requested the names or on what grounds. [Reuters]

US – Cop Union Opposes New Bill That Would Thwart License Plate Readers

If the Electronic Frontier Foundation and a San Diego-based Republican state senator have their way [and here], it will soon become legal for Californians to cover their license plates while parked as a way to thwart automated license plate readers. As written, the new senate bill would allow for law enforcement to manually lift a cover, or flap, as a way to manually inspect a plate number. The idea is not only to prevent dragnet license plate data collection by law enforcement, but also by private companies. A California company, Vigilant Solutions, is believed to have the largest private ALPR database in America, with billions of records. The California Police Chiefs Association has already filed its opposition to the bill. In a letter to Sen. Joel Anderson, the group argued that the bill would only benefit one group: “those who are trying to evade law enforcement and detection.” Similarly, the bill has faced resistance from the California Public Parking Association, among other groups. .In March 2015, Ars obtained the Oakland Police Department’s 4.6 million reads of more than 1.1 million unique plates, which were gathered between December 23, 2010 and May 31, 2014, as part of a public records request. The dataset showed precisely how revelatory such information can be—we were able to discern the home of a city council member with little difficulty. [Ars Technica]

US – Study Lays Out Privacy Concerns That Kids and Parents Have About Toys That Listen

University of Washington researchers explored the attitudes of kids and parents toward Wi-Fi-enabled toys in a study. “It’s inevitable that kids’ toys, as with everything else in society, will have computers in them, so it’s important to design them with security measures in mind,” said Franziska Roesner, one of the co-authors of the study, which was funded by the Consumer Privacy Rights Fund at the Foundation for Communities and the Environment and by UW’s Tech Policy Lab. This year, sales of My Friend Cayla were banned in Germany due to concerns that personal data could be stolen. In the U.S., advocacy groups have filed a complaint with the FTC over Cayla and i-Que Robot. (The FTC is reviewing the complaint.) The researchers say toy designers, parents and policymakers should become more aware of the potential vulnerabilities. and the potential solutions. One of the suggested strategies is to program the toys themselves to tell kids that they’re being recorded – and to alert parents to any concerns that come up. [Geekwire]

US Government Programs

US – FTC Requests Comments on Significant Changes Proposed to Organization’s Safe Harbor Program Under COPPA Rule

The Federal Trade Commission issued a notice on proposed changes to TRUSTe’s safe harbor program under the COPPA Rule: The proposed changes include measures to reduce the risk of misrepresentation by participants in the program (the organization would have greater control over use of the trustmark); new obligations require participants to conduct an annual internal assessment of third parties’ use of tracking technologies to collect children’s PI, describe their retention policies, undergo an annual compliance review, implement a user complaint process, enhance security measures, and notify affected users and the organization of any data breach. Public comments are due by May 24, 2017. [FTC – 16 CFR Part 312 – Children’s Online Privacy Protection Rule Safe Harbor Proposed Self-Regulatory Guidelines; TRUSTe COPPA Safe Harbor Program Application to Modify Program Requirements Press Release | Consultation

US – NSA Announces Data Collection Changes

The US National Security Agency says it has stopped collecting email traffic for simply containing the email address or phone number of a foreign target. The NSA agreed to end the practice as part of an agreement with a federal court that allows the agency to continue its Section 702 surveillance program. Sources- www.wired.com: A Big Change in NSA Spying Marks a Win for American Privacy
www.theregister.co.uk: NSA pulls plug on some email spying before Congress slaps it down
www.scmagazine.com: NSA to end controversial warrantless surveillance practice
www.zdnet.com: NSA stops controversial program that searches Americans’ emails
arstechnica.com: NSA ends spying on messages Americans send about foreign surveillance targets
omputerworld.com: NSA ends surveillance tactic that pulled in citizens’ emails, texts
www.washingtonpost.com: NSA halts controversial email collection practice to preserve larger surveillance program

Workplace Privacy

CA – Wearables in the Workplace Have Major Implications

With the growth of wearables in the workplace, how employee information is gathered, stored and used is becoming cause for concern. Researchers Steven Richardson and Debra Mackinnon at Queen’s University have published a report titled ‘Left to their own devices? Privacy Implications of Wearable Technology in Canadian Workplaces‘ and highlighted some of the issues that have to be considered by all stakeholders. Researchers have identified more than 420 devices that are currently available for use in the workplace. The researchers argue that there is a need for greater accountability and transparency in how the devices are being implemented so that we have a more informed approach to privacy in the workplace. Wearables offer huge benefits and the technology is undoubtedly here to stay. However, the privacy issues do need more careful consideration by all the stakeholders involved prior to implementation. [Toronto Sun]

CA – Mandatory Locomotive Recorder Bill ‘Addresses A Key Safety Issue,’ Says Transportation Safety Board

Amendments to the federal “Railway Safety Act” [see here] mandating recording devices, if passed into law, could provide “essential information” to Transportation Safety Board of Canada staff investigating rail accidents and could help prevent such accidents in the future, TSB suggested Tuesday. Bill C-49, an omnibus piece of legislation, was tabled Tuesday in the House of Commons by Transport Minister Marc Garneau. [See here] This would mandate installation of locomotive voice and video recorders, TSB said in a separate release Tuesday. [See here] In September, 2016, the Canadian branch of International Brotherhood of Teamsters stated that railway companies should “not to be given access to the recordings because that would be an unprecedented and unparalleled intrusion into the workplace, one that is unnecessary, and would be tantamount to violating workers’ right to privacy.” [Canadian Underwriter]

CA – New Legislation Requiring Cameras on Trains Will Violate Workers’ Privacy, Rail Union Says

The union representing rail workers says new legislation [see here & here] that would require cameras to be installed on Canada’s trains threatens workers’ privacy and came as a surprise. But Transport Minister Marc Garneau said he’s spoken with the Teamsters Canada Rail Conference about the proposal, and the union knew what was being planned. The law would require railway companies to equip locomotives with voice and video recorders that could be used by the Transportation Safety Board of Canada after an accident to assess what went wrong. The union is upset that railway companies would also have access to the recordings to conduct random samples and look for safety risks. “From the workers’ perspective, the government has abandoned them,” union president Doug Finnson said. “I’m particularly pissed at this.” Finnson claims that once railway companies have access to the recordings, the government won’t be able to control how they use them. It’s still unclear how much power companies will have to act on what they see and hear in the recordings. Jean Laporte, chief operating officer of the Transportation Safety Board, said if railway companies observe employees engaged in criminal activity or gross negligence, they will have a “moral obligation to take action and deal with that.” According to the proposed legislation, companies can use the recordings “to address a prescribed threat to the safety of railway operations.” [National Post]

+++

 

08-23 April 2017

Biometrics

US – Border Patrol Seeking Facial Recognition Drones

Customs and Border Protection (CBP), a Department of Homeland Security (DHS) agency, has used drones originally designed for foreign battlefields in order to conduct border surveillance, although these efforts have hardly been efficient. Federal solicitation documents reveal that DHS is looking to smaller drones with facial recognition capabilities. This ought to concern Americans who value civil liberties. The solicitation lists required sensor capabilities for the drones, including, “Provides a surveillance range of 3 miles (objective),” “Able to track multiple targets persistently,” and “Identification of humans via facial recognition or other biometric at range.” “The sensor technology would have facial recognition capabilities that allow it cross-reference any persons identified with relevant law enforcement databases.” If you’re an American adult reading this there is a good chance that your facial image is in one of these “relevant law enforcement databases.” A Government Accountability Office report from last year found that the Federal Bureau of Investigation’s facial recognition system has access to more than 411 million facial images, including the driver’s license photos from sixteen states. Current law allows CBP officials to stop and search vehicles within 100 miles of America’s external boundary in order to prevent illegal immigration.[see ACLU map here] Roughly two-thirds of Americans live in this so-called “Constitution-free” zone. Although DHS’ solicitation mentions facial recognition drones being used as part of border patrol we should be prepared for them to make appearances at interior checkpoints as well as at ports of entry. [CATO | The US Border Patrol is trying to build face-reading drones]

WW – Researchers Develop Synthetic Skeleton Keys for Fingerprint Sensors

Those fingerprint-based security systems in your mobile phone might not be quite as secure as you wish they were. That’s the takeaway from just-published research by engineering researchers at New York University and Michigan State University. According to NYU’s press room, “the team analyzed the attributes of MasterPrints culled from real fingerprint images, and then built an algorithm for creating synthetic partial MasterPrints.” And their digitally simulated “synthetic partials” proved worryingly effective. This kind of research helps to identify areas where our security is weaker than we thought rather than practical forms of attack. They may come in time though and according to MSU Today, the research team is now investigating potential solutions for this vulnerability. [Naked Security]

Big Data

WW – Artificial Data Reduces Privacy Concerns and Helps with Big Data Analysis

Big data, more often than not, contains sensitive information pertaining to individuals serviced by the organization, and releasing that information to outside resources may place the organization or business in jeopardy with state and federal privacy regulations. Three researchers at MIT may have figured out a way to assuage privacy concerns. Principal researcher Kalyan Veeramachaneni along with researchers Neha Patki and Roy Wedge in their paper The Synthetic Data Vault (PDF) describe a machine-learning system that automatically creates what the researchers call “synthetic data.” The beauty of the machine-learning model from Veeramachaneni and his team is that it can be configured to create synthetic data sets of any size, and this can be done quickly to accommodate development or to stress-test schedules. Artificial data is also a valuable tool for educating students, as there is no need to worry about data sensitivity. The MIT press release [see here] concludes with, “This innovation can allow the next generation of data scientists to enjoy all the benefits of big data, without any of the liabilities.” [TechRepublic See also: Brandon Purcell Q&A on AI & fulfilling the failed promise of big data]

Canada

CA – Proposed Amendments to the Privacy Act Enhance Transparency

The Standing Committee on Access to Information, Privacy and Ethics issued recommendations following its review of the Privacy Act. The OPC should be granted the discretion to publicly report on government privacy issues when it is in the public interest, and share audit and investigative information with domestic and international counterparts; the scope of the Act should be extended to include ministers’ offices and the Prime Minister’s Office, information requests from law enforcement should be reported, and right of access should be extended to foreign nationals. [Protecting the Privacy of Canadians – Review of the Privacy Act – Report of the Standing Committee on Access to Information Privacy and Ethics]

CA – Manitoba Government Seeks Comments on Access to Information

The Manitoba Minister of Sport, Culture and Heritage seeks public commented on the Freedom of Information and Protection of Privacy Act (FIPPA), as part of its legislative review. Comments can be submitted until May 31, 2017. Comments are sought on whether FIPPA is appropriate for local public bodies (schools, municipalities, regional health authorities), public bodies should have greater flexibility in access request response times and extensions, or charge fees for voluminous, multiple, or concurrent requests, and on current discretionary and mandatory exceptions that may limit access to information. [Manitoba Government – FIPPA Legislative Review]

CA – Saskatoon Police Prepare for Changes to Freedom of Information Law

Starting this fall, Saskatchewan police forces will be subject to provincial freedom of information law. The Saskatoon Police Service hired its first access and privacy officer this spring and she [Kayla Oishi] is in the process of developing the forms and procedures people will need to use to request documents from the police. [Here are some relevant questions Oishi answered, including]: 1) What kind of information can be requested from the police?; 2) What information won’t be given out?; 3) When can FOIP requests be filed?; 4) How can people file freedom of information requests?; 5) How much does it cost to submit a FOIP request?; 6) How long will it take for police to respond to FOIP requests?; 7) How many FOIP requests does the Saskatoon Police Service expect to process?; and 8) Can people in other provinces file FOIP requests with police? [Star Phoenix See also: Saskatoon police hire first access and privacy officer]

CA – Cellphone Surveillance Technology Being Used by Local Police Across Canada

Calgary police, Ontario Provincial Police and Winnipeg police all confirmed to CBC News they own the devices — known as IMSI catchers, cell site simulators or mobile device identifiers (MDIs) — joining the RCMP, which has used the technology for its own investigations and to assist Toronto and Vancouver police. While Ontario and Winnipeg police refused to say whether they use the technology to intercept private communications, Calgary police and the RCMP insist they only deploy their IMSI catchers to identify — and occasionally, in the RCMP’s case, track — cellular devices. Micheal Vonn, policy director of the B.C. Civil Liberties Association and a legal expert on privacy, says she’s concerned there isn’t a warrant process specific to IMSI catchers that establishes strict limits on how the technology is used given its potential for mass surveillance. “It’s nothing but a policy choice for some law enforcement not to use the content interception capabilities,” said Vonn, referring to features some IMSI catchers have to eavesdrop on any cellphone within a radius of several blocks. It’s hard to believe “the tantalizing availability of such technology is not going to be exploited,” she said. “It will.” CBC News has since contacted 30 provincial and municipal police forces across Canada to ask how many IMSI catchers they own, the number of operators trained to use them, and how many times the technology was used in 2015 and 2016. Only Calgary police answered in full. The Office of the Privacy Commissioner of Canada is investigating the RCMP’s use of IMSI catchers, following a complaint filed last year. [CBC]

CA – CSIS Waiting On Liberal Reforms Before Using Threat-Disruption Powers

Nearly two years ago, the Canadian Security Intelligence Service (CSIS) was granted expanded legal authority to actively disrupt threats to national security, not simply gather information about such threats. The change was made when the former Conservative government passed Bill C-51 in June that year. The new law allows CSIS agents to take nearly any action — short of causing bodily harm or death, violating a person’s sexual integrity or obstructing justice — to stop or disrupt a threat, as long as CSIS obtains a warrant from a Federal Court judge for any steps that would violate an individual’s Charter rights. However, senior CSIS officials decided it wouldn’t be appropriate to pursue more serious so-called “threat-reduction activities” that require a judge’s sign-off, while the Liberal government is actively considering how it will amend the law, a source with direct knowledge of the discussions told the Star. Documents obtained by the Star lay out in detail three agreements CSIS has negotiated with other government departments and agencies setting out how they will co-ordinate these kinds of actions and how CSIS will notify its partner agencies in advance. One key agreement is with the Communications Security Establishment, or CSE, Canada’s sophisticated electronic spying and cyber-defence agency, which answers to the minister of national defence. CSIS has struck similar agreements to co-ordinate with the RCMP and Global Affairs Canada. Another agreement obliges CSIS to notify the foreign affairs department of any foreign policy or “strategic outcomes” that result from CSIS flexing its muscle abroad, in countries where there could be diplomatic fallout for Canadian spies acting in ways that may not accord with local laws. [The Star]

CA – B.C. Privacy Commissioner Rejects Call To Probe NDP List Sharing

British Columbia’s privacy watchdog. Drew McArthur, said in a statement Monday that the Liberal complaint does not meet the threshold for an investigation by his office. The New Democrats called the complaint an attempt to divert attention from serious issues facing the Liberals on the eve of an election campaign. A Liberal official said the party was reviewing McArthur’s response, but did not comment further. B.C. Liberal party president Sharon White had requested the investigation in a letter to McArthur on Friday. McArthur explained that the Personal Information Protection Act applies to private organizations in B.C., including political parties, and there are two circumstances that can result in an investigation. “The first is most common: we investigate complaints from individuals whose personal information has been directly affected,” said McArthur’s statement. But since there is no individual complaint, an investigation cannot proceed on those grounds, he said. “The second option is for the commissioner to initiate an investigation into a potential contravention of (the Act) if he has ‘reasonable grounds to believe that an organization is not complying.’ We have reviewed the documents submitted by the B.C. Liberal party and have determined that the information provided does not meet the threshold for a commissioner-initiated investigation.” The Liberals sent a second complaint letter Monday, alleging the B.C. NDP was in breach of the Act by attempting to use a voter support list collected by the federal NDP in the 2015 federal election. [CTV News]

CA – OIPC NS Recommends Regularly Reviewing the Need for Video Surveillance

The Office of the Information and Privacy Commissioner for Nova Scotia has issued guidelines on the use of video surveillance, pursuant to the: Freedom of Information and Protection of Privacy Act; and Municipal Government Act. The need for video surveillance must be pressing and substantial, requiring concrete, verifiable evidence of the problem to be addressed (e.g., crime rates); organizations should regularly review the use of existing video surveillance systems to ensure that the original problem still exists and requires the use of CCTV, and whether or not there is a less invasive way of achieving the same goal. [OIPC NS – Video Surveillance Guidelines]

CA – How the B.C. Government Quietly Gained Access to the Non-Voter List

When the B.C. Liberal government amended the Election Act in 2015 what was tucked into the eight-pages of stricken sections and subsections was a change requiring Elections B.C. to provide parties and candidates not only with the list of people who voted in the last election, but the list of those who didn’t. Less than a month before the legislation was introduced, the privacy commissioner flagged that section as an unwarranted intrusion. The sole reason that political parties need/want that information, she said, is to gain access to “personal information in a comprehensive and accessible format after voting day in order to perform analytics and other uses.” She said the information was “likely to be linked with other information in political databases and elsewhere.” Provincial Attorney General Suzanne Anton was unmoved by critics’ concerns. Her response was essentially: Trust us, we won’t misuse it. So, what is the big deal about getting the list of non-voters? Well, for one thing, the best predictor of who will vote is whether they voted in the last election. That is why voter suppression tactics are aimed at those who have a history of voting. But the converse is also true. Knowing who didn’t vote last time allows parties to ignore non-voting individuals and communities and direct their money and energy at those who do. It’s cynical and the antithesis of democracy. [Vancouver Sun]

CA – Liberals Accuse NDP of Sharing Supporter Lists Without Consent

The B.C. Liberal party has filed a complaint with the province’s privacy commissioner, alleging the B.C. NDP has breached protection laws by sharing its supporter list with “politically friendly” groups. A letter to Privacy Commissioner Drew McArthur signed by B.C. Liberal president Sharon White called for an immediate investigation into alleged breaches of B.C.’s Personal Information Protection Act by the NDP. “We have obtained documentation concerning the activities of the B.C. NDP, Strategic Communications, the municipal political parties, Vision Vancouver, Coalition of Progressive Electors and the Surrey Civic Coalition, and B.C. NDP officials in Saanich, B.C., which show serious and ongoing breaches of the Personal Information Protection Act.” The Liberals allege in the letter “there are clearly reasonable grounds to believe that a number of political organizations in B.C. have not complied with the Personal Information Protection Act.” The complaint to the privacy commissioner includes documents of three agreements dated Oct. 5, 2005 between the NDP and Vision Vancouver, COPE and Surrey Civic Coalition. “These agreements set out a secret arrangement whereby the B.C. NDP would share lists regarding its supporters with these politically friendly municipal parties to help them identify supporters and assist them to elect their candidates in municipal elections,” stated the letter. [Vancouver Sun]

CA — NL Privacy Commissioner Calls Cameras in Rental Home ‘Incredibly Unsettling’

“I can’t think of any more egregious way for your personal privacy to be breached, than to have cameras in your home, unbeknownst to you,” said Donovan Molloy, Newfoundland and Labrador’s privacy commissioner. In February, Rachel Tribble and her roommate discovered an elaborate system of cameras inside their rental property — including cameras in their bedrooms. Tribble said the cameras were hooked up to video and audio cables, that connected to a recording device in the attic. Police have seized equipment from the home. Their investigation is ongoing. Homeowner Kevin Vokey said that the system was installed for personal security while he was living there and maintained that it was an internal system, with no external access outside of the home, and that footage from the system was never streamed. In general terms, Molloy noted that the province’s Privacy Act prohibits “surveillance, auditory or visual, whether or not accomplished by trespass, of an individual, by any means including eavesdropping, watching, spying, harassing or following” without consent. [CBC]

CA – Western Librarians Publish First-Ever Online Privacy Guide by a Canadian University

A guide on the first steps you can take to protect your online privacy is close to home — right on the Western libraries website. The work is a collaborative effort between Melissa Seelye, a graduate student in library and information sciences and Erin Johnson, a library assistant in research and instructional services at Weldon Library, and is the first online privacy guide published by a Canadian university. The guide is curated for a general audience, from beginners to more advanced users. The guide lists privacy protection tools such as Internet browser alternatives, browser extensions, search engine alternatives, private messaging apps and password managers. Included is also more information on privacy policies and legislation implemented by Western and the Canadian government. [Western Gazette]

Consumer

EU – Commission Launches Public Consultation On Internet Fears

The EU is launching an unprecedented public consultation to find out what Europeans fear most about the future of the internet. A succession of surveys over the coming weeks will ask people for their views on everything from privacy and security to artificial intelligence, net neutrality, big data and the impact of the digital world on jobs, health, government and democracy. A dozen leading European publications are to publicise the surveys over the coming three weeks. Results will be compiled in early June. Readers can complete the first questionnaire here. [The Guardian]

EU – Survey: Europe Less Concerned About Privacy Than Counterparts

The survey from Forrester [see here] included 3588 responses from employees involved in planning, funding and the purchasing of business and tech products and services. And found that while 50% of security and risk (S&R) pros worry about customer privacy concerns in the US, the number in emerging markets – where many firms are looking for new customers – is significantly higher. When asked to rate their concern for each source of information risk and the potential impact it could have on their organisation, security decision makers from Germany (34%), France (36%) and the UK (42%) are highly or extremely concerned. Elsewhere in the world, respondents are more concerned with customer privacy. Security decision makers from India (76%), China (71%), the US (50%), Brazil (51%), Canada (47%) and Australia/New Zealand (43%) expressed such concerns. In these same markets, a majority of more security decision makers from outside of Europe consider privacy a competitive differentiator: India (44%); China (37%); Brazil (33%); the US (32%); Germany (27%); Canada (26%); Australia/New Zealand (26%); the UK (26%) and France (23%). Firms across the globe must therefore understand the risks and opportunities that come with privacy. The report identifies an effective privacy organisation has these attributes for success: 1) A privacy leader; 2) Identify and limit potential conflicts of interest; 3) Create escalation procedures; 4) Define the relationship between privacy and compliance; and 5) Audit data assets. [SC Magazine]

E-Government

NZ – New Zealand Privacy Commish Blasts Gov’t NGO Data Collection Plans

Social Development Minister Anne Tolley is pushing a policy to force non-government organisations (NGOs) to hand over personalised data of their clients, in order to be eligible for Government funding. Privacy Commissioner John Edwards today rejected the plan [see PR here see 49 pg pdf report here]. He described the Government plans to capture the individual and personal data of vulnerable clients as “excessive and unnecessary,” and it could have serious and unintended consequences. Little or no thought had been given to developing possible alternative means to achieve the Government’s aims without risking those consequences. Tolley revealed the ministry was forced to shut down its information sharing portal following a privacy breach. An error allowed one provider to view another provider’s folder, but there was no data contained in the folder at the time. [see here | Privacy Commissioner has slammed Social Development data collection plans as too intrusive | Government demands non-profit clients’ personal data before releasing funds]

US – Erosion of Public Trust Biggest Long-Term Impact of OPM Breaches, Experts Say

It’s been nearly two years after the Office of Personnel Management first announced that hackers had stolen personally identifiable information from 21.5 million people in two separate cyber breaches, and counterintelligence officials say it’s still unclear just how the adversary may use that data, if at all. Instead, the biggest harm from the OPM breaches has been the public’s erosion of trust in the agency and in government at large to protect personal data, said Charlie Phalen, director of the National Background Investigation Bureau (NBIB). Counterintelligence and security officials have little information about the long-term impacts of the OPM breaches, experts say impacted individuals shouldn’t be paranoid. They should take basic precautions when they post on social media, travel abroad and connect with new people online, yet those measures are no different than the steps every other American should take to protect their personal information. “My best sense of what the long-term impacts of this is that this information in the hands of the adversary might help them learn more about me, might help them get a little bit of an edge on me, might help them sort through data, but all in all, if I take the same precautions tomorrow that I would have taken three years ago with traveling, with dealing with my business, with my life, with contacts, I don’t think I would do much very differently,” Phalen said. He said he feels “fairly comfortable” that OPM’s current information system is “protected as well as it can be.” As NBIB director, Phalen is now working with the Defense Information Systems Agency and other stakeholders to develop the specifications of a completely new security clearance information system. OPM looking to rebuild trust | Federal News Radio]

US – Most People Don’t Trust Government to Keep Their Personal Data Private, Report

New survey results released on Monday by research firm Accenture show that citizens generally lack faith in the ability of government to keep information safe and are calling for stronger protections. Most — 74% — said they lacked confidence in their government’s ability to keep citizen data private and secure, and 65% said they lacked confidence in the ability of law enforcement to investigate and prosecute on cybercrime cases. Accenture’s state and local security advisor, Lalit Ahluwalia said this survey confirms that “cyber insecurity” remains pervasive and bolsters the existing belief among government agency leaders that cybersecurity should be a top priority. Indeed, cybersecurity was named as the top priority for state chief information officers for the fourth year in a row, according to an industry list. Ultimately, policies are just words on paper — agencies “need to act,” said Lee Tien, senior staff attorney and Adams Chair for internet rights at the Electronic Frontier Foundation, in an email to StateScoop. Having a policy doesn’t mean an agency is being responsible with citizen data, he said. “Does the agency actually have a good IT department that routinely patches and upgrades software and operating systems whenever security weaknesses are discovered?” he said. “Equally important, does the agency allow the IT department to do its job?” [StateScoop]

US – Up to 100,000 Taxpayers Compromised in Fafsa Tool Breach, I.R.S. Says

The Internal Revenue Service said on Thursday that the personal data of as many as 100,000 taxpayers could have been compromised through a scheme in which hackers posed as students using an online tool to apply for financial aid. The agency became concerned last fall when it realized that it was possible for criminals to take advantage of the student loan tool that allows aid applicants to automatically populate the applications with their and their parents’ tax information. The worry was that thieves might use the stolen data to file fraudulent returns and steal refunds, as they did two years ago. “Fortunately we caught this at the front end,” John Koskinen, the I.R.S. commissioner, said Thursday at a Senate Finance Committee hearing. The I.R.S. does not expect the tool to be secure and operational again until October. “Our highest priority is making sure that we protect taxpayers and their identity,” he said. But the breadth of the breach remains unknown, and Mr. Koskinen faced tough questions during the hearing as to why he did not act sooner. [NY Times]

AU – Whistleblowing: Australian Privacy Commissioner Concerned by Possible Forensic Audit of Members of Parliament’s Mobile Phones

A report prepared by the Office of the Privacy Commissioner regarding a forensic audit of mobile phones requested by the Premier of Victoria. Privacy laws may have been contravened by the audit as personal information may have been collected without proper notice to individuals; several requests for information have been sent to the Premier’s office which has claimed cabinet confidentiality to hide violations of law. [DPA Australia – Forensic Audit of Mobile Telephone Records

AU – Privacy Concerns Remain Over Sydney’s Public Bus Wi-Fi

Patrons of Sydney’s public transportation have been “actively warned” against the complementary Catch Wi-Fi-provided internet service, citing privacy concerns, after the controversial program’s 50-bus trial run. “To protect your privacy we recommend against using the Wi-Fi on this bus,” the warning message states. “The terms and conditions state by connecting to it they may collect your ‘name, address, date of birth, location details, drivers licence details, photographs, videos, credit card details, employer and other details’ and sell them to other businesses.” NSW Greens MP and Transport spokeswoman Mehreen Faruqi wondered why the Victorian government could enact a similar program without collecting personal information, and the NSW could not. [News.co.au]

US – Organizations Must Monitor and Manage Risks from their Digital Footprint

Much of organization’s digital footprint is controlled by employees, suppliers, and others that unknowingly expose sensitive information; organizations should understand cyber threats faced (leverage threat intelligence, profile attackers’ tools/techniques, understand target industries/geographies), monitor for data leakage (sensitive code, private encryption keys, employee credentials, intellectual property, security procedures), and monitor for risks to reputation (phishing, domain infringement, spoofed social media accounts and mobile apps). [Digital Shadows – Digital Risk Management – Identifying and Responding to Risks Beyond the Boundary]

E-Mail

CA – Alberta OIPC Investigates Purposely Deleted Gov’t Emails

Alberta privacy commissioner investigates deleted government emails. Wildrose MLA Don MacIntyre sent the request to the commissioner in November regarding an email from James Allen, who was assistant deputy minister in the department of energy, to Balancing Pool CEO Bruce Roberts, in which Allen writes that the email is “sensitive and transitory” and to “please delete” it. Privacy commissioner Jill Clayton confirmed the investigation in a letter to MacIntyre, writing that it “appears from my review of the complaint that information may have been inappropriately withheld in response to access requests made” to the Balancing Pool. MacIntyre had also asked for a wider investigation into a “culture of secrecy” in the government, but the commissioner declined to take that on, saying she didn’t fully understand the request and wasn’t sure if it was part of her office’s jurisdiction. [Edmonton Sun]

CA – Canada’s Anti-Spam Law Adds Teeth, Leaves Potential Opening for Class Actions

Canada already has one of the world’s strictest regimes regulating commercial electronic messages, and, just in time for the country’s 150th birthday, the consequences for breach are about to get much more severe. On July 1, 2017, this regime will add additional teeth in the form of a private right of action, which could drastically increase the threat of legal proceedings and financial consequences for those who violate it. Until July 1, 2017 the primary concern is that violations of Canada’s Anti-Spam Law (“CASL”) would be prosecuted by the bodies responsible for its enforcement (Canadian Radio-television and Telecommunications Commission (the “CRTC”), the Competition Bureau, and the Office of the Privacy Commissioner). After July 1, 2017 those who send commercial electronic messages also face the risk of class proceedings specifically permitted by CASL. This post considers the following: 1) What is CASL?; 2) What is the private right of action?; 3) Why should companies be concerned with the private right of action? (Broad scope of CASL, Different liability standard, Class action concerns); and 4) What are the limitations? CASL has been in force for nearly three years now, and most organizations should be familiar with the legislation’s requirements. Come July 1, however, the availability of CASL’s private right of action will undoubtedly increase the consequences of violations, making compliance with the legislation essential for anyone engaged in sending CEMs. [Source]

Electronic Records

US — Few Patients Electronically Access Their Health Information When Provided the Option

The Government Accountability Office (“GAO”) has reviewed the state of patients’ electronic access to their health information through the Medicare Electronic Health Record Incentive Program. A majority of hospitals/health care professionals offered patients access to an electronic portal (where information could be viewed, downloaded and transmitted), however, only 15% of hospital patients and 30% of professionals’ patients accessed the portal; lower levels of access were seen in high poverty areas, rural areas, health care groups of less than 50 members, specialty practitioners and older patients, and there was variability in the information made available through the portals (lab test results, current medications, clinical history, radiology results). [GAO – HHS Should Assess the Effectiveness of Efforts to Enhance Patient Access to and Use of Electronic Health Information]

EU Developments

EU – MEPs Vote for Full Review of Privacy Shield

MEPs have voted for a review of the controversial Privacy Shield data transfer agreement between the EU and US, concerned over key areas of weakness. The European Commission will now be forced to investigate whether the agreement offers enough protections to EU citizens in compliance with the EU Charter of Fundamental Rights and forthcoming privacy regulation the GDPR. “This resolution aims to ensure that the Privacy Shield stands the test of time and that it does not suffer from critical weaknesses,” said civil liberties committee chair Claude Moraes. As the resolution outlines, MEPs are concerned about a number of recent developments, not least new rules that since January this year have allowed the NSA to share large amounts of private data – obtained without warrants, court orders or the like – with 16 other agencies including the FBI. [InfoSecurity | EurActiv: MEPs want Commission to toughen up Privacy Shield under Trump EU Reporter: #PrivacyShield: MEPs alarmed by US developments that undermine privacy safeguards ]

US – Europe’s Digital Single Market Strategy Must Accommodate Multiple Online Identities and a Balance of Control Over Personal Data

A high level group of scientific advisors under the European Commission has provided an opinion on cybersecurity in the European digital single market. Digital transactions should only require a minimum amount of personal data to be divulged, which is relevant and exclusive to the given context, and different levels of security should be required for separate transactions that deal with various sets of data; the General Data Protection Regulation will require organisations to provide more transparency about what happens to personal data online, and will shift control away from private organisations to the data subject (important in the online world where users unwittingly provide their data) [European Commission – Scientific Opinion No. 2 2017 – Cybersecurity in the European Digital Single Market]

EU – EDPS Publishes Toolkit for Privacy-Friendly Policymaking

The EDPS has published a necessity toolkit. The toolkit is designed to help policymakers identify the impact of new laws on the fundamental right to data protection and determine the cases in which the limitation of this right is truly necessary, the EDPS said today. Almost all EU policy proposals now involve some form of personal data processing. With policymakers increasingly required to respond quickly to acute public security challenges and keep up with developments related to the digital economy or international trade, the need for help to ensure that new proposals respect fundamental rights is greater than ever. In this necessity toolkit, the EDPS provides policymakers with a practical step-by-step checklist, setting out the criteria to be considered by policymakers when they assess the necessity of new legislation, and providing examples to illustrate each step. The toolkit is based on decisions issued by the Court of Justice and the European Court of Human Rights, as well as on Opinions published by both the EDPS and the Article 29 Working Party. It also incorporates feedback gathered on an EDPS background paper on the topic, published in June 2016. This feedback was used to develop the toolkit and ensure that it meets the needs of EU policymakers in all sectors, ranging from security to the digital economy. [EDPS]

EU – Article 29 Working Party Supports Proposed Regulation but Says Terminal Equipment is Insufficiently Protected

The Article 29 Data Protection Working Party has issued an opinion on the proposed ePrivacy Regulation. The proposed Regulation incorrectly suggests that valid consent can be given through non-specific browser settings (the end-user must be able to give separate consent per website or app), and there should be mandatory adherence to the Do Not Track standard; the European Commission should promote a technical standard for mobile devices to automatically signal an objection against WiFi tracking. [Article 29 Data Protection Working Party – Opinion 01/2017 on the proposed Regulation for the ePrivacy Regulation (2002/58/EC) – Working Paper 247 Article 29 Working Party – Opinion 01/2017

EU – Article 29 WP Issues Final Guidelines on Data Portability

The Article 29 Working Party has issued final guidelines (revised April 5, 2017) on the right to data portability, the new elements of which are analyzed by a law firm. The guidelines were first issued in December 2016. Data processors will have contractual obligations to assist the controller in responding to portability requests; a controller must assess the interplay between any competing rights on a case-by-case basis under sectoral legislation (but such legislation will not automatically displace the GDPR right). “Observed” data remains within the scope of the right (e.g. raw data processed by a smart meter), but “inferred” data does not (e.g. risk profiles for credit scores); “hindrance” to the right is defined to include fees, excessive delays/complexity, or deliberate obfuscation. [Article 29 WP – Guidelines on the Right to Data Portability | https://www.twobirds.com/en/news/articles/2017/global/article-29-working-party-issues-final-guidelines-on-the-right-to-data-portability Bird & Bird]

UK – ICO Recommends Organizations to Implement Appropriate Record Keeping Practices to Prevent Data Breaches

The UK ICO has issued recommendations for safeguarding health information. Health records must be properly secured and tracked to prevent loss or accidental disclosure; examples of recent breaches included health records being stored in a garage, records left behind when a doctor moved to a new home (the doctor had taken files home and not returned them to the office), and records left behind during an office relocation. [ICO UK – Garages New Homes and Old Offices – The Records Management Mistakes That Put Health Records at Risk]

EU – Yahoo/US Gov’t Email Surveillance Bothers WP29 Privacy Chiefs

European Union privacy regulators intend to question U.S. national intelligence officials about the extent to which the government orders online communications companies to cooperate in surveillance, they said April 10. [see here] The EU Article 29 Working Party will send a letter to U.S. Director National of Intelligence (DNI) Dan Coates “asking for additional information regarding the legal basis and justification for any surveillance activities concerning EU data subjects.” The move comes after the EU privacy regulators in October 2016 said they were concerned about the alleged scanning of Yahoo! Inc. customers’ incoming emails at the request of U.S. intelligence agencies. U.S. surveillance of EU citizens’ has increasingly become an issue with the approach of the EU-U.S. Privacy Shield data transfer program’s first annual review in September. Similar surveillance concerns were raised by an April 6 European Parliament resolution. There are “great concerns” about broadening the authority of the National Security Agency to share data it collects with other law enforcement agencies, the resolution said. EU lawmakers are also “alarmed” about reports of surveillance of emails by an unnamed “US electronic communications service provider,” it said. [Yahoo U.S. Email Surveillance Bothers EU Privacy Chiefs]

EU – WP29 Issues Final Guidelines on Data Protection Officers

At its plenary session on 5 April, the Article 29 Working Party (“WP29”) approved revised guidance interpreting elements of the General Data Protection Regulation (“GDPR”), including on the appointment of data protection officers. The revisions to the draft guidance, which was initially released in December 2016, followed a period of open public consultation that ran through the end of January 2017. You can find our summary of the December 2016 highlights here. Some of the new points raised by the WP29 in its final guidance are as follows: 1) Accountability means that DPO assessments need to be kept up-to-date and can be requested at anytime; 2) No “a la carte” DPO appointments; 3) Big data now an example of ‘regular and systematic monitoring’; 4) Preferably, the DPO should be located within this EU; 5) There can only be one DPO, but supported by a team; 6) Duty to ensure the confidentiality of communications between the DPO and employees; 7) Senior managers including Head of HR, Marketing or IT individuals are barred from serving as the DPO; and 8) The GDPR does not prevent the DPO from maintaining records of processing The revised guidance on portability is available here. For a redline comparison with the earlier draft, click here. [Source]

EU – Proposed e-Privacy Regulation Permits Unacceptable Processing of Personal Data

The European Digital Rights has issued comments on the Proposal proposed draft regulation concerning privacy in electronic communications. The Regulation permits tracking of communication devices in public spaces (provided there is user notification), on first use of software or smart devices, users would be forced to accept privacy settings that may negate their rights, and declining consent for tracking using device fingerprinting is not addressed (only through third parties); the scope of retention of electronic communications data has increased without sufficient protections to ensure storage is limited to what is strictly necessary, or that only anonymised data is used. [European Digital Rights’ Position on the Proposal of an e-Privacy Regulation]

EU – Commission Requests Standardisation in Data Protection & Security Policy

Insight into the role of standardisation as a form of co-regulation in the data protection context. As regulation shifts from the European Commission to co-regulation with industry, the Commission has requested that the EU Standardisation Organisations create standards to address how to address/manage privacy by design; standards will also be created on how to realise privacy and personal data protection management processes, including descriptions of necessary roles, tasks, documentation, hardware/software requirements, and templates for applying the standards. [Co-Regulation in EU Personal Data Protection – The Case of Technical Standards and Privacy by Design Standardisation Mandate – Irene Kamara – European Journal of Law and Technology]

EU – H&W’s CIPL Issues Discussion Paper on GDPR Certifications

The Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP has issued a discussion paper on Certifications, Seals and Marks under the GDPR and Their Roles as Accountability Tools and Cross-Border Data Transfer Mechanisms. It sets forth recommendations concerning the implementation of the EU General Data Protection Regulation’s (“GDPR’s”) provisions on the development and use of certification mechanisms. Certifications, seals and marks have the potential to play a significant role in enabling companies to achieve and demonstrate organizational accountability and GDPR compliance for some or all of their services, products or activities. The capability of certifications to provide a comprehensive GDPR compliance structure will be particularly useful for small and medium-sized enterprises. For large and multinational companies, certifications may facilitate business arrangements with business partners and service providers. In addition, certifications, seals and marks can be used as accountable, safe and efficient cross-border data transfer mechanisms under the GDPR. [CIPL Issues Discussion Paper on GDPR Certifications]

Facts & Stats

US – Analysis Finds 1,800 Health Care Breaches Since 2009

An analysis of data from the Department of Health and Human Services found nearly 1,800 large data breaches involving patient information since 2009. Of the breaches, more than 1,200 affected health care providers, while 257 breaches were reported by 216 hospitals, including many large teaching hospitals. Trivalent CTO John Suit said the analysis shows data protection technology has failed to keep up with health care digitization, and traditional encryption is not enough to stop cyber threats. “The result is an extreme risk for patients who put their trust in health care organizations to address their medical concerns, but also protect their sensitive and personal information,” said Suit. “Hospitals, pharmacies, assisted living facilities, insurance providers, and research institutions must strengthen their security strategy and adopt a defense-in-depth approach with multiple layers of protection.” [Health Data Management]

Finance

WW – Hackers Release Files Indicating NSA Monitored Global Bank Transfers

Hackers released documents and files on Friday that cybersecurity experts said indicated the U.S. National Security Agency had accessed the SWIFT [Society for Worldwide Interbank Financial Telecommunication – see here] interbank messaging system, allowing it to monitor money flows among some Middle Eastern and Latin American banks. The documents and files were released by a group calling themselves The Shadow Brokers. Also published were many programs for attacking various versions of the Windows operating system, at least some of which still work, researchers said. In a statement to Reuters, Microsoft, maker of Windows, said it had not been warned by any part of the U.S. government that such files existed or had been stolen. The absence of warning is significant because the NSA knew for months about the Shadow Brokers breach, officials previously told Reuters. Under a White House process established by former President Barack Obama’s staff, companies were usually warned about dangerous flaws [Vulnerabilities Equities Process (VEP) – see here & here]. The SWIFT messaging system is used by banks to transfer trillions of dollars each day. Belgium-based SWIFT downplayed the risk of attacks employing the code released by hackers on Friday. Cris Thomas, a prominent security researcher with the cybersecurity firm Tenable, said the documents and files released by the Shadow Brokers show “the NSA has been able to compromise SWIFT banking systems, presumably as a way to monitor, if not disrupt, financial transactions to terrorists groups”. [Reuters]

FOI

CA – Two Alta OIPC Reports Highlight Obstacles Gov’t Oversight & FoI

The Information and Privacy Commissioner tabled two reports in the legislature related to the Commissioner’s functions under the Freedom of Information and Protection of Privacy Act (FOIP Act). Investigation Report F2017-IR-03 concerns allegations of delays and possible interference in the Government of Alberta’s (GoA) handling of access requests. The report identifies a number of factors that contribute to delays, including a significant increase in the number of access requests, the complexity of requests and applicant expectations. However, the investigation faced a number of challenges that made it impossible to make meaningful and reliable findings with respect to other potential issues in the access request response process. “I am deeply disappointed in how this matter has unfolded. What should have been a relatively straightforward investigation has concluded under a shadow that brings the very notion of independent oversight of the executive branch of government into question and has the potential to erode public confidence in an open and accountable government,” said Commissioner Jill Clayton. During the investigation, the question of whether the Commissioner has the power to require public bodies to produce records over which solicitor-client privilege has been claimed made its way through the court system. In November 2016, the Supreme Court of Canada (SCC) decided that the Alberta Legislature did not use the right words in the FOIP Act to give the Commissioner this power. [see here] Following the SCC’s decision, the Commissioner issued a statement saying that she would write to government with options for how to proceed on this issue. However, as an independent Officer of the Legislature who reports to the Legislative Assembly and not to government, and whose ability to perform core functions as an Officer of the Legislature has been compromised (as evidenced, in part, by the investigation referenced above), the Commissioner decided to table a Special Report and Request for Legislative Amendment in the legislature on producing records to the Commissioner. [Alberta Information & Privacy Commissioner Press Release | Investigation Report F2017-IR-03: Investigation into allegations of delays and possible interference in responding to access requests | Producing Records to the Commissioner: Restoring Independent and Effective Oversight under the FOIP Act]

CA – OIPC NFLD Recommends That Employees Who Conduct Searches for Records Do Not Determine Whether Records Are Responsive

New OIPC guidance outlines OIPC NL expectations and standards when it receives complaints alleging incomplete responses to requests for records pursuant to the Access to Information and Protection of Privacy Act (the “Act”). An FOI Coordinator is in the best position, as someone more experienced with requests for access to records, to determine whether records are responsive; the Coordinator should establish a written policy or practice as to how a search should be carried out and keep a copy of the instructions sent to employees regarding the search. [OIPC NFLD – Practice Bulletin: Reasonable Search]

CA — Institutions Should Provide Individuals with Information Regarding their Right to Access Records

The Office of the Saskatchewan Information and Privacy Commissioner has issued recommendations to government institutions on how to address access requests made under the Freedom of Information and Protection of Privacy Act or and the Local Authority Freedom of Information and Protection of Privacy Act. Individuals do not necessarily know about their right to access records; government institutions and local authorities should provide individuals with information on how to submit a formal access request, the timelines to receive a response, fees associated to the request, the right to appeal to the privacy commissioner and the importance of narrowing the request. [OIPC SK – Assisting the Applicant – Sharon Young]

WW – Microsoft Releases Biannual Transparency Reports

Microsoft released its most recent biannual transparency reports on the Microsoft Transparency Hub. These reports consist of the Law Enforcement Requests Report, U.S. National Security Orders Report which cover the period from July to December 2016, are largely consistent with previous reports and Content Removal Requests Report which details acceptance rates regarding requests to remove content from governments, copyright holders and individuals subject to the European Union’s “Right to Be Forgotten” ruling and victims of non-consensual pornography. It also disclosed a National Security Letter (NSL) received from the Federal Bureau of Investigation (FBI) in 2014, which sought data belonging to a customer of our consumer services. Microsoft is the latest in a series of companies able to disclose an NSL due to provisions in the USA Freedom Act requiring the FBI to review previously issued non-disclosure orders. The NSL was included in the aggregate data of a previous report, but we’re newly able to disclose its content for this reporting period. There are times when secrecy is vital to an investigation, but too often secrecy orders are unnecessarily used, or are needlessly indefinite and prevent us from telling customers of intrusions even after investigations are long over. That’s why we asked a federal court to weigh in on the increasing frequency of these orders. Our hope is this lawsuit will lead to new rules or laws that keep secrecy for times when it is truly essential. [MSFT Blog]

US – Trump’s White House on Defensive Over Transparency

The White House was forced Monday to defend its controversial positions to keep its visitor logs secret and President Donald Trump’s tax returns private. Under fire over the White House’s decision Friday to buck Barack Obama’s precedent by withholding visitor logs, Spicer said the prior administration was the one with a transparency issue. “Frankly, the faux attempt that the Obama administration put out where they would scrub who they didn’t want put out didn’t serve anyone well,” Spicer told reporters Monday. “It’s not really being transparent when you scrub out the names of the people that you don’t want anyone to know were here.” Spicer framed the visitor logs decision as a return to the pre-Obama policy and no different than the protocol for lobbyists and others who visit members of Congress. Spicer said the White House keeps the media abreast of the president’s activities. Reporters travel with Trump on Air Force One, after flying separately during the 2016 campaign. Members of the media also are given brief access to photograph many of Trump’s meetings, and he holds news conferences when major foreign leaders visit. [Politico]

Genetics

CA – Canada Passes Legislation Protecting Genetic Information

The Canadian Parliament recently passed Bill S-201, the Genetic Non-Discrimination Act, which protects individuals from having to disclose information related to genetic testing and test results. Contravention of the Act is punishable by significant fines and even potential imprisonment. There are express exceptions for health care practitioners who are providing health services to patients and researchers who are collecting information from participants in medical, pharmaceutical or scientific research. Supporters of the new legislation believe that this will remove perceived obstacles to genetic testing such as fear that the results of that testing will be used to discriminate against the patients. Canada’s legislative initiative on genetic testing is similar to the U.S. Genetic Information Nondiscrimination Act. Restrictions on the use of genetic test results have also been adopted in certain European jurisdictions, including France. The Association of British Insurers and government in the U.K. adopted a Concordat and voluntary moratorium limiting the use of genetic testing by insurers. Other countries have yet to address the issue. The evolving global quilt of responses to this issue indicates that a global consensus has yet to emerge. [Data Protection Report]

Health / Medical

CA – Ontario Proposes Prescribed Circumstances Under Which Health Information Custodians Must Notify IPC of Breach

Amendments are proposed to Ontario Regulation 329/04 under the Personal Health Information Protection Act (“PHIPA”). Public comments are due by May 8, 2017. The amendments, effective July 1, 2017, would require a custodian to notify the IPC of a suspected breach, if the breach is part of a pattern, if the custodian has notified a governing College of a breach, or if the breach is “significant” (based on the nature of the PHI, the number of records or individuals, or number of custodians/agents responsible for the breach”); a custodian would be required, effective 2019, to annually report the number of breaches it notified to affected individuals in the preceding calendar year. Proposed Amendments to Ontario Regulation 329/04 Regarding Notices to the Commissioner Under the Personal Health Information Protection Act – Ontario | Press Release | Proposed Amendments]

CA – Sask IPC: Private Health Firms Should Be “Trustees” Under HIPA

Sask. privacy commissioner recommends private health-care providers be governed by health info protections. It took a matter of moments for a ransomware attack to incapacitate the patient database of Saskatoon’s Professional Sport Rehabilitation Corporation. The ransomware incident in October 2016 affected [Saskatoon’s Professional Sport Rehabilitation Corporation – Pro Sport] database containing private information such as patients’ names, addresses, phone numbers, health numbers, details of their injuries and treatment plans. On the day of the incident (October 12), ProSport’s office manager reported the attack to Saskatchewan’s Information and Privacy Commissioner’s Office. On Oct. 26, it filed a formal incident report to the privacy commissioner’s office. In a report (see 10 pg pdf here) following his investigation into the incident, Information and Privacy Commissioner Ronald Kruzeniski recommended that patient information collected by private businesses whose primary purpose is to provide health services should be governed by provincial health information protections. Kruzeniski made the same recommendation previously, in his 2015-2016 annual report (see 19 pg pdf here). Kruzeniski recommended that ProSport only collect Saskatchewan Health numbers from patients for whom the service provided is publicly funded. He also recommended that the business “securely destroy” all health numbers it has on file that are not needed to collect public funding. [Star Pheonix]

WW – Google Study Seeks 10,000 Volunteers to Share Medical Data

Google’s health spinout, Verily, is looking for 10,000 American volunteers to share intimate and sensitive information about their bodies in an attempt to help predict heart disease and cancer. Called the Baseline Project, the multi-year study could cost upwards of $100 million. Volunteers will be asked to submit to an extensive amount of tests and physical monitoring, including a heart monitor to follow pulse and movements in real time. They will also get x-ray and heart scans, genomes deciphered, and blood tests over a four-year period. Sanjiv Sam Gambhir, a physician researcher at Stanford University and Baseline investigator, said, “No one has done this kind of deep dive on so many individuals. This depth has never been attempted. It’s to enable generations to come to mine it, to ask questions, without presupposing what the questions are.” [MIT Technology Review]

US – HIPAA Enforcement Issues Straight from the Regulator

At the March 26-29 Health Care Compliance Association’s annual “Compliance Institute,” [see here] Iliana Peters, HHS Office for Civil Rights’ Senior Advisor for HIPAA Compliance and Enforcement, provided a thorough update of HIPAA enforcement trends as well as a road map to OCR’s current and future endeavors. Ms. Peters identified key ten enforcement issues that OCR continues to encounter through its enforcement of HIPAA. Do any of them look familiar to you? These issues include: 1) Impermissible Disclosures; 2) Lack of Business Associate Agreements; 3) Incomplete or Inaccurate Risk Analysis; 4) Failure to manage identified risks; 5) Lack of transmission security; 6) Lack of Appropriate Auditing; 7) Patching of Software; 8) Insider Threats; 9) Disposal of PHI; and 10) Insufficient Backup and Contingency Planning. OCR also identified upcoming guidance and FAQs The presentation also identifies two long-term regulatory goals to implement certain provisions of the HITECH Act. One regulation will relate to providing individuals harmed by HIPAA violations with a percentage of any civil monetary penalties or settlements collected by OCR, while the second will implement a HITECH Act provision related to the accounting of disclosures of PHI. The presentation discussed the current status of OCR’s audit program. [Privacy and Security Matters]

US – Dept. of Health and Human Service Establishes Health Cybersecurity and Communications Integration Center

The US Department of Health and Human Services (HHS) is establishing its own version of the Department of Homeland Security’s (DHS’s) National Cybersecurity and Communications Integration Center (NCCIC). The Health Cybersecurity and Communications Integration Center (HCCIC) is expected to be operational by the end of June 2017. HHS has given the National Health Information Sharing and Analysis Center grants to help encourage wide participation and ensure that small health services offices can benefit from the information that is gathered. [HHS to stand up its own version of the NCCIC for health]

US – HHS Imposes $400,000 Fine for Breach of 3,200 Patients’ ePHI

The Department of Health and Human Services, Office for Civil Rights enters into an agreement with Metro Community Provider Network to settle alleged violations of the HIPAA Privacy and Security Rules. [HHS – Resolution Agreement – Metro Community Provider Network]

US – HHS Provides Checklist to Help Organizations Measure Effectiveness of Privacy Programs

The Department of Health and Human Services’, Officer of the Inspector General has provided guidance to organizations on measuring the effectiveness of privacy and compliance programs. Organizations should ensure standards, policies and procedures are readily available to employees, reviewed from external experts, based on assessed risks, and there is no contradiction/overlap of policies; ensure training requirements for high risk positions are established, a formal process is in place to make staff aware of new laws, regulations, and policies, and review policies/procedures following investigations or raised issues. [HHS – Measuring Compliance Program Effectiveness – A Resource Guide]

Horror Stories

US – Breach Exposes Student Data of 1.3 Million Kids

Earlier this month 1.3 million K-12 students’ personal information was exposed in a data breach of data warehouse platform Schoolzilla. Originally discovered by security researcher Chris Vickery, a “file configuration error” led to the exposure of the student data, including the Social Security numbers of some. Vickery did not produce evidence of the breach because he deleted the database from his own computer. “The sheer volume of private student data, including (test) scores and Social Security numbers for children, convinced me that it should be purged from my storage in an expedited fashion.” Vickery did applaud Schoolzilla’s quick actions to fix the error that led to the breach. [The Daily Dot]

WW – InterContinental Hotels Data Breach Affects Nearly 1,200 Properties

InterContinental Hotels Group now says that the number of properties affected by a payment system breach is close to 1,200, a notable increase from its first estimate of 12. All but one of the affected properties are in the US. The systems were compromised between September 29 and December 29, 2016. [InterContinental Hotel Chain Breach Expands | InterContinental Hotels data breach expands from 12 to 1,200 hotels | Holiday Inn hotels hit by card payment system hack | InterContinental Hotels Group (IHG) Notifies Guests of Payment Card Incident at IHG-Branded Franchise Hotel Locations in the Americas Region]

Identity Issues

IN – Gov’t Site Posts Over a Million Aadhaar Numbers & Details

Digital identities of more than a million citizens have been compromised by a programming error on a website maintained by the Jharkhand Directorate of Social Security. The glitch by the Jharkhand Directorate of Social Security revealed the names, addresses, Aadhaar numbers and bank account details of the beneficiaries of Jharkhand’s old age pension scheme. Jharkhand has over 1.6 million pensioners, 1.4 million of whom have seeded their bank accounts with their Aadhaar numbers to avail of direct bank transfers for their monthly pensions. Their personal details are now freely available to anyone who logs onto the website, a major privacy breach at a time when the Supreme Court, cyber-security experts and opposition politicians have questioned a government policy to make Aadhaar mandatory to get benefits of a variety of government schemes and services. [Details of over a million Aadhaar numbers published on Jharkhand govt website | Aadhaar & Lessons from countries that resisted biometric IDs]

Law Enforcement

US – Fight Continues Over CBP Prohibition On Recording Officers in Public

Government Can’t Shut Down Public Recording That Doesn’t Interfere with Law Enforcement

The US Border Patrol prohibits any recording within 150 feet of their location, which includes the public roadside. A federal district court found that the new rule was a valid time, place, or manner restriction on First Amendment-protected activity [see here]. Cato, with the assistance of the UCLA Law School First Amendment Clinic and noted scholar Eugene Volokh, has filed an amicus brief asking the U.S. Court of Appeals for the Ninth Circuit to reverse that ruling. [CATO At Liberty Blog]

Location

US – Uber Responds to Report That it Tracked Devices After its App Was Deleted

Uber tracked former users even after they deleted the app from their iPhones, a practice that eventually earned CEO Travis Kalanick a scolding from Apple chief executive Tim Cook, the New York Times reports. Uber allegedly used a practice called fingerprinting to track devices after the app was deleted. Uber reportedly began fingerprinting iPhones as a fraud-prevention method in locations like China. Drivers there would register multiple Uber accounts on stolen iPhones and use them to request rides, thereby boosting the number of overall rides — a metric that Uber rewards with bonuses. Apple previously allowed developers to track their users with a Unique Device Identifier, or UDID. This kind of tracking was persistent across installs, but as Apple became more concerned with user privacy, it deprecated UDIDs in 2013. Apple replaced UDIDs with other variants of trackers that are designed to be less intrusive, including vendor IDs and advertising IDs. It’s not clear how Uber fingerprinted the devices in 2015 that led to the meeting between Kalanick and Cook. In order to prevent Apple engineers from discovering the fingerprinting, Uber allegedly geofenced Apple’s Cupertino headquarters to hide the code used in the process. But Apple engineers based in other offices discovered the trick, according to the New York Times [see here] and confirmed by TechCrunch, leading Cook to summon Kalanick to his office in early 2015. An Uber spokesperson said]: “We absolutely do not track individual users or their location if they’ve deleted the app. As the New York Times story notes towards the very end, this is a typical way to prevent fraudsters from loading Uber onto a stolen phone, putting in a stolen credit card, taking an expensive ride and then wiping the phone—over and over again. Similar techniques are also used for detecting and blocking suspicious logins to protect our users’ accounts. Being able to recognize known bad actors when they try to get back onto our network is an important security measure for both Uber and our users” [TechCrunch]

Online Privacy

US – FTC Issues Recommendations on How to Assist Victims of Phishing Scams

The FTC has issued recommendations to prevent phishing scams. Organizations may support their customers by notifying them as soon as possible via social media sites, email or letter, including a warning to ignore suspicious emails or texts messages and a reminder that sensitive personal information is never required by the company through insecure channels; other steps organizations may take include, contacting law enforcement (FBI’s Internet Crime Complaint Center) and providing resources to affected customers (direct them to www.IdentityTheft.gov). [FTC – Has a Phishing Scam Hooked Your Company’s Good Name?]

US – Identity Theft: Services Are Limited at Detecting All Types of Fraud: GAO

The Government Accountability Office was asked to examine the marketplace for identity theft services;

  • the potential benefits and limitations of ID theft services available to consumers;
  • marketing, billing, and security issues associated with these services; and
  • factors that affect government and private-sector decision making about offering ID theft services.

Credit monitoring does not detect existing account fraud, and the effectiveness of ID monitoring is unclear (some types of fraud are not monitored, such as debit/check card fraud, tax refund fraud and medical ID theft); ID theft services typically process a broad range of sensitive PI (putting customers at risk in the event of a cyberattack), and some providers’ websites appear misleading or vague (e.g. o incorrectly implying that credit monitoring prevents, rather than just detects, ID theft) [Government Accountability Office – Identity Theft Services]

WW – Google May Unveil Ad-Blocking Tool in Chrome

Google is mulling plans to roll out an ad-blocking feature in its Chrome browser, though it may decide not to move forward if certain details are not ironed out. The feature “could be switched on by default” and would filter out “certain online ad types deemed to provide bad experience for users as they move around the web.” An official announcement of the tool is expected within weeks. One possible application being considered would “block all advertising that appears on sites with offending ads, instead of the individual offending ads themselves. In other words, site owners may be required to ensure all of their ads meet the standards, or could see all advertising across their sites blocked in Chrome,” the report states. [The Wall Street Journal | Google Working on an Ad Blocker for Chrome |- Report: Google will add an ad blocker to all version of Chrome web browser |- : Chrome: Is ad giant Google about to roll out in its own ad blocker? | Coalition for Better Ads Releases Initial Better Ads Standards for Desktop and Mobile Web in North America and Europe

Other Jurisdictions

US – Google Must Give Gov’t Overseas Data, Judge Says

On April 19 San Francisco US magistrate judge, Laurel Beeler, ruled Google Inc. can’t quash a search warrant requesting certain user content stored overseas; holding that the tech giant must produce all responsive information that is retrievable from the United States, regardless of where it is stored, and finding that the disclosure of information from the company’s headquarters in the United States is a domestic application of the Stored Communications Act. [See 9 pg pdf here]. The dispute stems from a June search warrant requesting data from specific Google email accounts, including subscriber information, evidence of specified crimes and information about the account holders’ true identities, locations and assets, according to the opinion. The tech giant asked to quash the search warrant in December, contending that the government can’t force it to turn over the extraterritorial content. Google cited the Second Circuit’s July decision [see 63 pg pdf here] in a similar case involving Microsoft, which held that the SCA didn’t apply outside the United States and the company needn’t disclose user content housed on a server in Ireland In that matter, the government sought rehearing en banc, which the Second Circuit denied in a 4-4 decision. [See 60 pg pdf here] However, Judge Beeler said Wednesday that she found the dissenters’ reasoning persuasive, holding the statute’s application here is lawful. [Source]

US – Department of Education Site Accidentally Publishes Student, Parent Data

The Victorian Department of Education has announced that it has accidentally published on its website the information of up to 115 families who submitted comments on proposed regulations for state schools. Data that was up for part of the past weekend included information on a domestic violence case and student absence due to self-harm, the report states. While the DoE said it was “very sorry” about the incident, it didn’t elaborate on its cause and said it was conducting an independent investigation to discover how it happened. “The department took immediate action to take the submissions down as soon as the breach was discovered,” a spokesperson said. “We understand the seriousness of this incident, and we are contacting those affected to apologise directly.” [ZDNet]

Privacy (US)

US – FTC Continues to Scrutinize Mobile Apps and Security Practices

The FTC highlights its enforcement efforts in 2016. Highlights from 2016 include:

During 2016, the FTC investigated issues related to marketing (bypassing user permissions and illegal robocalls), consumer tracking (of children in violation of COPPA and of individuals who opted out) and security (failure to prevent unauthorized access to personal information); companies deceived consumers with false claims about their products/services, undisclosed/inflated debt fees, and used consumer information inappropriately (to take money from bank accounts, public disclosure of sensitive medical information). [FTC Annual Highlights 2016 – Enforcement]

US – FTC Seeks Comment on Proposed Changes to Truste’s COPPA Safe Harbor Program

In a press release, the Federal Trade Commission announced it is seeking comment on proposed changes to TRUSTe’s COPPA safe harbor program. The FTC said it will publish a notice in the Federal Register shortly seeking input, including “the addition of a new requirement that participants conduct an annual internal assessment of third-parties’ collection of personal information from children on their websites or online services.” Specific questions the FTC is seeking comment on also include “whether the mechanisms used to assess compliance with the proposed modified program requirements are effective.” The comment period will be open until May 24. [FTRC.gov]

US – FTC Seeks Comment on Proposed Changes to TRUSTE’s COPPA Safe Harbor Program

The Federal Trade Commission is seeking comment on proposed changes to TRUSTe’s safe harbor program under the agency’s Children’s Online Privacy Protection Rule. The FTC’s COPPA Rule includes a “safe harbor” provision designed to encourage increased industry self-regulation in this area. Under this provision, industry groups and others may ask the Commission to approve self-regulatory guidelines that implement the protections of the Rule. Companies that comply with the FTC-approved guidelines receive safe harbor from agency enforcement action under the Rule. In a Federal Register notice to be published shortly, the FTC is seeking comment on proposed changes to TRUSTe’s existing safe harbor program including the addition of a new requirement that participants conduct an annual internal assessment of third-parties’ collection of personal information from children on their websites or online services. Among the questions the Commission is seeking comment on is whether the mechanisms used to assess compliance with the proposed modified program requirements are effective. The comment period will last for 30 days until May 24. [FTC]

US – EFF Releases Report on Tech Companies and Data Collection in Schools

The Electronic Frontier Foundation has released a new report on the education technology industry and its student data collection practices. The report, “Spying on Students: School-Issued Devices and Student Privacy,” argues that state and federal laws as well as industry self-regulation “has failed to keep up with a growing” industry. “At the same time,” the EFF blog post states, “schools are eager to incorporate technology in the classroom to engage students and assist teachers, but may unwittingly help tech companies surveil and track students. Ultimately, students and their data are caught in the middle without sufficient privacy protections.” The report surveyed more than 1,000 stakeholders in the U.S. and reviewed 152 education technology policies over the course of the last year. The EFF’s Amul Kalia said, “In this whitepaper, we lay out specific strategies” for parents, teachers, and other stakeholders so they can “push their schools and districts in the right direction.” [EFF.org]

US – School Districts Should Implement Acceptable Use Policy for All Online Activity

The National School Board Association (NSBA) has issued a legal and policy guide for school boards on data security. The policy should govern all online activity both internally, and on the Internet for both staff and students to protect the school from legal ramifications from education apps that use lengthy terms and conditions written in legalese; school districts should consider incorporating school security policies into staff job descriptions, assign specific individuals to monitor compliance, train staff on common risks and errors that lead to breaches, and use encryption for sensitive data or files transmitted by unsecured email. [Data Security for Schools – A Legal and Policy Guide for School Boards – National School Board Association]

Security

WW – Global Survey: 64% Of Security Pros Can’t Stop a Mobile Data Breach

64% of security professionals doubt their organizations can prevent a breach to employees’ mobile devices, a recent Dimensional Research survey of 410 security leaders found. sponsored by Check Point Software, “Security professionals worldwide from an independent global database were invited to participate in a survey on the topic of mobile device security. A total of 410 participants who have security leadership or frontline responsibilities completed the global survey. Participants represented each of the five continents with the full spectrum of job responsibilities and company sizes. The survey was administered electronically and participants were offered a token compensation for their participation.” See pg 9 here] found that 20% of businesses have experienced a mobile breach, and another 24% don’t know, or can’t tell, whether they’ve experienced one. Strikingly, 51% of respondents believe the risk of mobile data loss is equal to or greater than that for PCs. More than a third of companies fail to secure mobile devices adequately, with only 38% leveraging a dedicated mobile security solution. When asked why, 53% of respondents cited a lack of budget, and 41% cited a shortage of resources. 94% of respondents expect the frequency of mobile attacks to increase, and 79% expect the difficulty of securing mobile devices to grow. Separately, a CITO Research survey of more than 100 mobility professionals found that 57% of respondents are concerned about corporate data on personal and other non-managed devices. That’s an increase of 13% over a similar survey in 2016. [eSecurity Planet]

WW – Report Shows Hacking, Phishing, Malware Top Cause of Data Incidents

BakerHostetler has released its 2017 Data Security Incident Response Report highlighting the need for business leaders to understand and be prepared for the risks associated with cyberthreats. Analyzing more than 450 cyber incidents that the firm’s privacy and data protection team handled last year, the report found phishing, hacking or malware cause the majority of incidents at 43%— a 12% jump from last year. Human error came in second at 32%. The report also offers information on typical ransomware attack scenarios, the average incident response timeline for events, the value of a good forensics investigation, and the frequency with which events caused an investigation by regulators and lawsuits. [Report]

Surveillance

WW – Popular Bose Headphones Spy on Users, Lawsuit Says

The audio maker Bose, whose wireless headphones sell for up to $350, uses an app to collect the listening habits of its customers and provide that information to third parties—all without the knowledge and permission of the users, according to a lawsuit filed in Chicago on Tuesday. The complaint accuses Boston-based Bose of violating the WireTap Act and a variety of state privacy laws, adding that a person’s audio history can include a window into a person’s life and views. In addition to the QuietComfort 35 headphones, the other Bose products cited in the complaint are the SoundSport Wireless, Sound Sport Pulse Wireless, QuietControl 30, SoundLink Around-Ear Wireless Headphones II, and SoundLink Color II. If the allegations are true, the Bose case is just the latest privacy incident involving the so-called “Internet of things” in which more companies and devices that are connected to the web can’t resist the temptation of harvesting the consumer data they throw off. [Fortune]

CA – Winnipeg Police Using Technology to Intercept Cellphone Communications

In a statement, the Winnipeg Police Service said it “can confirm that it possesses a cell site simulator (CSS).” “It is only deployed under judicial authorization, or in exigent circumstances. We are concerned that providing too much information about investigative techniques could jeopardize active investigations and threaten public and officer safety. As such, we will not be providing the number of CSS technicians employed by the WPS, nor the number of investigations conducted using this device in 2015 and 2016.” A police spokeswoman admitted one of the main criticisms of CSS devices is about loss of privacy to third-party individuals. “The Winnipeg Police Service respects the privacy of innocent bystanders. The collected data does not include phone numbers or any other personal identifying information or data. The collected data relating to third parties is preserved and not accessed by anyone other than the CSS technicians, until ordered otherwise by an appropriate court,” she said. But lawyer Scott Newman, a spokesman for the Criminal Defence Lawyers Association, said he’s still concerned about the use of the technology by police. “It’s all well and good for police to say ‘trust us, we are protecting your privacy’, but without having seen the guidelines, we don’t know if the technology is being used appropriately.” [Winnipeg Free Press] See also: [CBC News: Cellphone surveillance technology being used by local police across Canada | Toronto Star: Regulate use of surveillance devices by police forces: Editorial  | CBC News: RCMP reveals use of secretive cellphone surveillance technology for the first time | Toronto Star: RCMP acknowledges using phone trackers to collect Canadians’ cellular details | Globe & Mail: RCMP reveals its use of cellphone-tracking machines | OpenMedia: After years of secrecy, RCMP finally admits to using mass cell phone surveillance tools on Canadians | CBC News: RCMP, CSIS launch investigations into phone spying on Parliament Hill after CBC story | CBC News: Someone is spying on cellphones in the nation’s capital

US – NSA/FBI FISA FAQ: We’re Spying On You for Your Own Protection

A new factsheet by the NSA and FBI [The FISA Amendments Act: Q&A – 10 pg pdf see here] has laid bare contradictions in how US intelligence agencies choose to interpret a law designed to prevent spying on American citizens, but which they use to achieve exactly that end. The document even claims that it is surveilling US citizens for their own protection while at the same time claiming that it is not doing so. The obvious and painful contradictions are testament to the very reason why the factsheet had to be prepared in the first place: Congress is threatening not to renew the legislation due to the intelligence agencies’ willful misrepresentation of the law to perform the very activities it was designed to prevent. There is of course one positive to the “factsheet” on Section 702: thanks to information in the public domain and Congressional hearings, the intelligence agencies have been forced to flag their own contradictions in how they chose to interpret the law. If Congress does its job properly, those contradictions will be removed and future-proofed before the intelligence agencies get their right to spy on US communications returned to them. [The Register]

US – Report: Tech Companies Are Spying on Children Through Devices and Software Used in Classroom

Technology companies are spying on school kids through devices and software used in classrooms. Those companies often collect and store children’s names, birth dates, browsing histories, location data and much more — often without adequate privacy protections or the awareness and consent of parents, according to a new report [Spying on Students: School-Issued Devices and Student Privacy] from the nonprofit Electronic Frontier Foundation (EFF). One-third of all K–12 students in the United States use school-issued devices running software and apps that collect far more information on kids than is necessary. Resource-poor school districts can receive these tools at deeply discounted prices or for free, as tech companies seek a slice of the $8 billion ed tech industry. But there’s a real, devastating cost — the tracking, cataloguing and exploitation of data about children as young as 5 years old. “Parents, teachers, and other stakeholders feel helpless in dealing with student privacy issues in their community. In some cases students are required to use the tools and can’t opt out, but they and their families are given little to no information about if or how their kids’ data is being protected and collected,” said EFF in a statement. [The Journal]

US Government Programs

US – Trump Fast Tracks Facial Recognition in US Airports

The United States is fast-tracking a facial recognition system in U.S. airports. Called Biometric Exit, the system employs facial matching to individuals leaving the country to identify whether a traveler entered the U.S. legally. Passengers would submit to a photo prior to boarding a plane; that photo would then be matched with passport-style photos in visa applications. If there’s no match, the report states, it could be evidence the traveller entered the country illegally. Biometric Exit has been under development for some time and has been tested on a flight from Atlanta to Tokyo, but, according to the report, the Trump administration has expedited implementation of the system, and it is expected to be used in other U.S. airports this summer, with the intention of rolling it out to every international flight and border crossing in the U.S. Larry Panetta, of the U.S. Customs and Border Protection, said, “Facial recognition is the path forward we’re working on.” [The Verge]

US Legislation

US – Bi-Partisan Federal Bill Provides Greater Privacy Protection for U.S. Citizens’ Digital Data at the Border

Senate Bill 823, the Protecting Data at the Border Act, is introduced. Border guards would generally be required to obtain a probable cause warrant to gain access to a citizen’s digital contents of their equipment or account; exceptions to the warrant requirement include government authority under FISA, emergency situations, protection of public health and safety and a citizen’s express consent. The bill imposes detailed audit and reporting requirements related to such searches on the Department of Homeland Security, which it must make publicly available and submit to Congress. Senate Bill 823 – Protecting Data at the Border Act – 115th Congress | The Register ]

US – CA Assemblyman Pulls Controversial Bill from Privacy Committee Hearing

California Assemblyman Jim Cooper (D-Elk Grove) has withdrawn AB-165 — a controversial bill that would have provided a student exclusion to the existing California Electronic Communications Privacy Act (CalECPA) — from a Privacy Committee scheduled for Tuesday, April 18. The bill would have allowed a local educational agency, or any individual acting on behalf of a local educational agency, to search an electronic device or online account of a student, parent, teacher of school staff member without complying with CalECPA rules. The bill faced massive opposition from civil rights and other groups. A coalition of more than 55 organizations, including the American Civil Liberties Union and Common Sense Kids Action, voiced their opposition to the bill and fueled an online campaign to tell legislators not to support the bill. [The Journal]

US – Federal Bill Amends FERPA to Regulate Access to Student Data Held by Outside Parties

Senators Edward Markey and Orrin Hatch introduced Senate Bill 877, the Protecting Student Privacy Act of 2017, amending the Family Education Rights and Privacy Act. The bill was previously introduced as the Protecting Student Privacy Act of 2015; and has been referred to the Committee on Health, Education, Labor and Pensions. If passed, outside parties (a person who is not an employee, officer or volunteer of an educational institution or government agency) must maintain educational records in a manner that provides parents with the right to access personal information, and a process to challenge, correct or delete inappropriate data held in an education record; institutions and agencies must require each outside party to whom data is disclosed to have in place information security policies and procedures that include a comprehensive security program to protect personal data. [Senate Bill 877 – Protecting Student Privacy Act of 2017 – 115th Congress – In The Senate of the United States]

US – Utah Act Mandates Privacy Training for School Employees Handling Student Records

Senate Bill 102, an amendment to the Utah Student Privacy Act has been passed into law. Authorized school employees must attest to having completed the privacy training and submit such certification to the School Board; unauthorized school employees may handle students records if consent is obtained or if authorized by federal and state privacy laws. [S.B. 102 – Amending the Utah Student Privacy Act – General Session 2017 – State of Utah Legislature]

US – California Bill Prohibits Disclosure of Criminal History on Job Application Forms

AB 1008, An Act to add Section 12952 to the Government Code, relating to Employment Discrimination, has been introduced in the California Assembly and been referred to the Committee on Labor and Education. It would be unlawful to include any question seeking disclosure of criminal history on job applications, inquire into/consider conviction history before an individual receives a conditional offer, or consider arrests not followed by conviction; denial of employment based on a prior conviction requires an individualized assessment of the nature/gravity of the offense, the time passed since the offense, and the nature of the job, and notification to the applicant, with examples of mitigation/rehabilitation evidence voluntarily provided by the job applicant. [AB 1008 – An Act to Amend section 12952 to the Government Code Relating to Employment Discrimination – State of California]

US – Maryland Legislation Would See Task Force Study Police Use of Facial Recognition

A bill [HB 1065 ] passed in the Maryland House of Delegates and currently under consideration by a Senate committee would see a task force formed to study police use of surveillance technologies, such as facial recognition software Under the proposed legislation, law enforcement departments would have to disclose to the task force surveillance technologies that they are using and the task force would ascertain which technologies are constitutional. Delegate Charles Sydnor, D-Baltimore, said. “It seems as if we are moving toward a surveillance state with the type of surveillance used by law enforcement.” The ACLU of Maryland, said that the task force would help to ensure that Fourth Amendment protections are not violated by police use of new surveillance technologies. Sydnor said that he is unsure whether the Senate committee would pass the bill, but plans to reintroduce it for the next General Assembly if the committee rejects it. Sydnor decided to back the bill in response to reports that Baltimore Police were using an aerial surveillance aircraft without first alerting city officials. [Biometric Update | Legislation creates task force to study surveillance tactics]

US – 10 States Take Internet Privacy Matters into Their Own Hands

Just days after President Donald Trump signed legislation into law allowing Internet service providers (ISPs) to sell the personal data of customers, several states moved ahead with legislation to protect the data of their constituents, including: 1) Connecticut, 2) Illinois, 3) Kansas, 4) Maryland, 5) Massachusetts, 6) Minnesota, 7) Montana, 9) Washington and 10) Wisconsin. [GovTech]

Workplace Privacy

WW – Insider Threats: 2/3 of Employees Have Access to Corporate Data After They Leave

This December 2016 study surveyed 187 IT and/or HR decision makers and influencers in organizations, primarily in North America, regarding the issue of taking data with them when they leave; and was sponsored by Archive360, Druva, Intralinks, OpenText, Sonian, Spanning by Dell EMC, ThinkHR, and VMware. 1 in 5 of those employees uploaded the data specifically for sharing it outside of the company; 1/4 of companies never require departing employees to sign a document indicating they returned all corporate data assets. Best practices include physical activities (obtain custody of all company-supplied equipment and security cards), account activities (disable access to user account/company network), archiving (be able to rapidly restore deleted/corrupted files), and management activities (create a positive work environment to reduce potential for malicious theft). [Best Practices for Protecting Your Data When Employees Leave Your Company – White Paper – Osterman]

US – Dell End-User Security Survey Highlights Security Concern vs. Productivity

Having to choose between data security and productivity, employees are more apt to go for the latter, according to the Dell End-User Security Survey 2017 released today.[see here] The recent Dell survey solicited responses from about 2,600 business professionals who handle confidential data at companies with more than 250 employees. The global survey was conducted in eight countries including Australia, Canada, France, Germany, India, Japan, the U.K. and the U.S. About two in three employees, or 65 percent, noted that they felt it is their responsibility to protect confidential data, including educating themselves on the possible risks and behaving in a way that protects the company. However, only 36 percent of employees feel confident in their knowledge of how to protect sensitive information. At the same time, about two-thirds of employees reported being required to complete cybersecurity training on protecting sensitive data. 76% of survey respondents said their company prioritizes security at the expense of employee productivity. At the same time about the same number of survey takers admitted that they would share sensitive, confidential or regulated company information under certain circumstances. [Source]

US – Case Illustrates Problems of BYOD & Commingled Work/Personal Info

Technology in the workplace has developed to a point where we now have our personal data and our employer’s data commingled on the same devices. This commingling of data and equipment is usually not a problem until an employee leaves their position and the employer must decipher what equipment and data the employee has a right to take with them. It is becoming increasingly clear that employee training, including discussions of acceptable uses of employer equipment and data, are the best way to avoid conflicts when an employee departs. One case in particular demonstrates the confusion that may arise when an employee commingles work and personal data with work and personal equipment was decided April 12, 2017 by the California Court of Appeals in Mendez v. Piper (unpublished) This is not the first time we have seen disputes arise over data when an employee is terminated. For example, we have seen disputes involving account passwords where, after being terminated, the sole person that has possession of important workplace passwords demands money to provide the passwords to his former employer. These situations are avoidable if employees and employers take the time before the stress of employee’s departure to determine how personal and business data and equipment should be treated. Further, these issues could be addressed during quarterly meetings employers should have with employees to address data and privacy issues in the workplace. [Privacy Risk Report]

+++

23 March – 07 April 2017

Biometrics

US – Facial Recognition Database Used by FBI Is Out of Control, House Committee Hears

Approximately half of adult Americans’ photographs are stored in facial recognition databases that can be accessed by the FBI, without their knowledge or consent, in the hunt for suspected criminals. About 80% of photos in the FBI’s network are non-criminal entries, including pictures from driver’s licenses and passports. The algorithms used to identify matches are inaccurate about 15% of the time, and are more likely to misidentify black people than white people. These are just some of the damning facts presented at last week’s House oversight committee hearing, where politicians and privacy campaigners criticized the FBI and called for stricter regulation of facial recognition technology at a time when it is creeping into law enforcement and business. “No federal law controls this technology, no court decision limits it. This technology is not under control,” said Alvaro Bedoya, executive director of the center on privacy and technology at Georgetown Law. Unlike with the collection of fingerprints and DNA, which is done following an arrest, photos of innocent civilians are being collected proactively. The FBI made arrangements with 18 different states to gain access to their databases of driver’s license photos. Last year, the US government accountability office (GAO) analyzed the FBI’s use of facial recognition technology and found it to be lacking in accountability, accuracy and oversight, and made recommendations of how to address the problem. “It doesn’t know how often the system incorrectly identifies the wrong subject,” explained the GAO’s Diana Maurer. “Innocent people could bear the burden of being falsely accused, including the implication of having federal investigators turn up at their home or business.” [The Guardian | Facial-recognition technology will make life a perpetual police lineup for all | Real-Time Face Recognition Threatens to Turn Cops’ Body Cameras Into Surveillance Machines | Police Body Cameras Will Do More Than Just Record You]

US – California Cops and the FBI Want to Keep Their Facial Recognition Tech Secret

A California proposal requiring law enforcement agencies to disclose all surveillance equipment to the public took the first steps towards becoming law this week, while a congressional committee gave the side-eye to FBI officials who declined to give specifics about some of the bureau’s own surveillance tech. First, California.A bill [see here] sponsored by State Sen. Jerry Hill (D-San Mateo) would require police and sheriff’s departments to explain to local officials how they use surveillance technology like facial recognition programs and social media trackers. The disclosures would have to be made at a hearing that is open to the public. Hill’s proposal builds on two laws that took affect last year in California requiring law enforcement to disclose when they use license plate scanners to track vehicles, and when they use so-called “Stingrays” [see here & here] the committee voted 4-2 on Tuesday [see here] to approve the bill. It is now awaiting another vote in the Senate Judiciary Committee. There’s really no good reason to oppose this sort of transparency. The bill does not jeopardize ongoing investigations and does not limit what law enforcement agencies can do Keeping those secrets also jeopardizes the outcomes of investigations to a greater degree. We know that the FBI has ordered local prosecutors to drop cases rather than risk the public exposure of secret surveillance technology that helped track suspects [also see here & here]. We have no idea how often this happens, but it’s clear that potential criminals have gotten off scot-free because law enforcement inverted its priorities to value secrecy over keeping the public safe. There’s one key element missing from the bill: an outline of how law enforcement agencies would be punished for violating the mandatory disclosures. That matters, as we saw this week in Washington, D.C., when officials from the FBI were in front of the House Oversight and Government Reform Committee to answer questions about how the bureau secretly uses facial recognition software and other surveillance technology. The FBI has agreements with 18 states to share photos from state-level drivers’ license databases, and that report from the GAO revealed that as many as 64 million Americans might be entered into the FBI’s facial recognition database without knowing it. When you include similar databases maintained by the state and local law enforcement agencies around the country, one in every two American adults is included in a facial recognition network, the Center on Privacy and Technology at Georgetown Law concluded in a recent report. Other states, and Congress, would do well to require similar transparency from local, state, and federal law enforcement agencies—and to hold those law enforcement agencies accountable for failing to make public disclosures when required by law. [Reason.com | Now it’s easier to know if the FBI’s facial-recognition team can access your driver’s license photo ]

WW – Real-Time Face Recognition Threatens to Turn Cops’ Body Cameras Into Surveillance Machines

For years, the development of real-time face recognition has been hampered by poor video resolution, the angles of bodies in motion, and limited computing power. But as systems begin to transcend these technical barriers, they are also outpacing the development of policies to constrain them. Civil liberties advocates fear that the rise of real-time face recognition alongside the growing number of police body cameras creates the conditions for a perfect storm of mass surveillance. On Wednesday morning, the House Oversight Committee held a hearing on law enforcement’s use of facial recognition technology, where advocates emphasized the dangers of allowing advancements in real-time recognition to broaden surveillance powers. As Alvaro Bedoya, executive director of the Center on Privacy and Technology at Georgetown Law, told Congress, pairing the technology with body cameras, in particular, “will redefine the nature of public spaces.” A recent Justice Department-funded survey conducted by Johns Hopkins University found that at least nine out of 38 manufacturers of body cameras currently have facial recognition capacities or have built in an option for such technology to be used later. At least five U.S. police departments, including those in Los Angeles and New York, have already purchased or looked into purchasing real-time face recognition for their CCTV cameras, according to a study of face recognition technology published by Bedoya and other researchers at Georgetown. The databases, too, have already been built. Georgetown researchers estimated that one in every two faces of adults in the United States — many of whom have never committed a crime — are captured in searchable federal, state, or local databases. The Department of Defense, the Drug Enforcement Administration, and Immigration and Customs Enforcement are just a few of the federal agencies that can gain access to one or more state or local face recognition systems. Other types of real-time searches of biometric databases — such as mobile fingerprinting and rapid DNA tests — are now part of law enforcement routines and face few legal challenges. FBI searches of state driver’s license databases using face recognition software are almost six times more common than federal court-ordered wiretaps, according to the Georgetown study. [The Intercept | Police Body Cameras Will Do More Than Just Record You | It’s time to face the ugly reality of face recognition | Can automatic facial recognition systems account for aging?]

WW – Facebook Unveils New Tools To Combat Nonconsensual Pornography

To help stymie the unauthorized dissemination of intimate photos on its social network, Facebook has launched a new set of tools, including photo-matching technology, to prevent so-called revenge porn. Members of Facebook’s content operations team will review flagged images and the accounts of those sharing said images. The photo-matching tool will detect images that have been previously flagged and removed. Rep. Jackie Speier, D-Calif., who introduced federal anti-revenge porn legislation last year, said, “These new tools are a huge advancement in combatting non-consensual pornography and I applaud Facebook for their dedication in addressing this insidious issue, which impacts the lives of individuals and their loved ones across the country and around the world.” University of Miami School of Law professor Mary Anne Franks recently published a research paper on revenge porn reform. [The Hill]

Big Data

AU – Australian Privacy Foundation Criticizes Machine-Learning Centrelink Tech

In a submission to the Senate Community Affairs References Committee, the Australian Privacy Foundation has recommended that the Department of Human Services’ Centrelink bring back the human involvement in its automated debt-recovery process, instead of its new data-matching technology. Among the APF’s many concerns was the security of the data as the set size grows, as well as the accuracy of the data. However, the DHS said in its latest inquiry submission that “that the data-matching process is not new; rather it is just being performed at a larger scale.” Regardless, the APF called the robo-debt process “procedurally unfair,” requiring “evidence from the Centrelink recipient to prove that a debt is ‘not’ owed. The individual needs to prove a negative,” it wrote. [ZDNet]

US – Minority Neighborhoods Pay Higher Insurance Premiums with Same Risk

In a report copublished with Consumer Reports, ProPublica has released an in-depth investigation into car insurance premiums based on location and how minority neighborhoods pay higher premiums than white areas with the same risk. The investigation looked into premiums in four states — California, Illinois, Texas, and Missouri — and found that minority neighborhoods paid as much as 30 percent more than non-minority regions for similar accident costs. The report states that “many of the disparities in auto insurance prices between minority and white neighborhoods are wider than differences in risk can explain.” The American Civil Liberties Union’s Rachel Goodman said, “We already know that zip code matters far too much in our segregated society.” The Insurance Information Institute, however, disputes the report’s findings. I.I.I. Chief Actuary James Lynch said companies “do not discriminate on the basis of race.” [ProPublica]

Canada

CA – Canada’s Spy Agencies Work Out Deal on ‘Threat Disruption’ Operations

Canada’s two most powerful intelligence agencies have crafted a formal deal to cooperate on using controversial powers to disrupt domestic threats to the country’s security. The spy agency Canadian Security Intelligence Service (CSIS) and the electronic signals-gathering agency Communications Security Establishment (CSE) signed an agreement in July 2016 on how CSE will assist with “threat reduction” activities. The power to actively intervene to disrupt threats to Canadian national security, rather than simply collect information on them, was granted to CSIS in the previous Conservative government’s contentious anti-terrorism law, Bill C-51. It allows CSIS to actively disrupt perceived threats to national security, with few limits to the power except obtaining a warrant. The agreement with CSE allows for the combination of CSIS’s expertise in human intelligence and field work with the technical sophistication of Canada’s premier electronic intelligence agency. CSIS has the power to collect intelligence on Canadian citizens who are deemed a threat to national security whether they are on Canadian soil or abroad. On the other hand, CSE is explicitly prohibited from directing its electronic intelligence-gathering powers at Canadian citizens; its job is to gather signals intelligence on foreigners deemed a threat. [The Star]

CA – Manitoba Gov’t Launches Review of Two Pieces of Privacy Legislation

Government of Manitoba announced on Wednesday that it is reviewing two pieces of privacy legislation: the Personal Health Information Act (PHIA) [see here] and the Freedom of Information and Protection of Privacy Act (FIPPA) [see here] and is inviting residents to provide input. PHIA came into force in 1997, with major amendments in 2010 and 2011, the provincial government reported. The legislation provides a right of access for an individual to their personal health information and protects this information by setting rules for the collection, use, disclosure, security and destruction of this information by public bodies and healthcare providers. FIPPA came into force one year after PHIA (in 1998) and was significantly amended in 2011. The legislation provides a right of access to information in records held by public bodies and also protects personal information by setting rules for the collection, use and disclosure by public bodies. Public consultations will begin on March 31 and remain open until May 31. To review information about, and possible issues related to, PHIA and to share ideas or concerns, visit www.gov.mb.ca/health/phia/review.html. For FIPPA, visit www.gov.mb.ca/fippareview [Canadian Underwriter]

CA – Key Priorities of the Privacy Commissioner of Canada in 2017

On March 21, 2017, senior representatives of the Office of the Privacy Commissioner of Canada (OPC) met with privacy practitioners in Toronto to provide updates on policy, legal, compliance and enforcement activities of the OPC. The information disseminated at this annual meeting is important to all businesses collecting personal information of Canadians for two reasons: 1) The information highlights what the OPC believes to be its most significant actions from the prior year; and 2) The information signals the policy and enforcement priorities of the OPC for the current year. This alert summarizes three of the significant topics addressed by the OPC of concern to businesses whose operations involve the collection, use or disclosure of personal information of Canadians. Including updates on: a) Policy (the consent conundrum); b) Enforcement (extra-territorial application of PIPEDA); and c) Compliance (flexible use of compliance agreements) [DLA Piper]

CA – What the Federal Privacy Watchdog Did After an Insurer Pried into Crash Victim’s Credit Rating

An insurance company handling a car-crash victim’s accident claim violated the senior citizen’s privacy rights by accessing his credit rating for no good reason, the federal Privacy Commissioner has ruled. The Personal Insurance Company argued it needs such information to help weed out fraudulent claims, but the privacy watchdog said there was little evidence that examining clients’ credit worthiness helps counter insurance cheating. The decision this month dealt a blow to what appears to be a common industry practice. “This is very worrisome,” said [Rhona DesRoches, who heads the Association of Victims for Accident Insurance Reform]. “Just knowing how much debt a person carries might be an indicator of what that breaking point is. If they know a person is in dire financial straits, then they know how far along that person might go before giving in to perhaps a lower settlement than they should.” [National Post]

CA – P.Commish OK with Bill Allowing More Snooping Into Your Mail

On March 30, 2017, Privacy Commissioner of Canada, Daniel Therrien, appeared before the Standing Senate Committee on Legal and Constitutional Affairs to discuss Bill C-37, An Act to amend the Controlled Drugs and Substances Act and to make related amendments to other Acts. In his remarks, he acknowledged the importance of addressing drug abuse and addiction in a comprehensive manner. While Bill C-37 touches upon a number of matters, the Commissioner focused his comments on those clauses that amend the Customs Act and the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. [Appearance before the Senate committee on Legal and Constitutional Affairs (LCJC) on Bill C-37, An Act to amend the Controlled Drugs and Substances Act and to make related amendments to other Acts | C-37 gets privacy commissioner’s approval, despite concerns raised | The Canada Border Services Is Getting Authority To Open All Cross-Border Mail]

CA – Ottawa Airport Kiosks Launched Before Independent Privacy Review Was Complete

Last fall, the immigration department and Canada Border Services Agency met with the federal privacy commissioner to discuss a “biometric expansion project” that included the new Primary Inspection Kiosks, which scan international travellers’ faces to verify they match passport photographs. At that time, the commissioner noted the need for a Privacy Impact Assessment (PIA), according to spokeswoman Anne-Marie Cenaiko. Federal departments are required to complete PIAs to identify potential privacy risks for new programs, along with how they plan to reduce them. The privacy commissioner doesn’t approve or reject the PIAs, but his staff often make recommendations.. But in an email, Cenaiko said the commissioner was still studying the PIA when the kiosks launched Monday. “We received the PIA at the beginning of March and are currently in the process of reviewing it,” she wrote. That means there’s been no independent look at how much data is collected, how securely it’s stored or deleted, and whether it will be shared. Micheal Vonn, policy director for the BC Civil Liberties Association, said she was alarmed by CBSA announcing the kiosks publicly before submitting a PIA. [MetroNews]

CA – BC OIPC Reminds Businesses Video Surveillance Is a Last Resort

In February 2017, at the 18th annual Privacy and Security Conference, Acting Commissioner Drew McArthur commented on the first-ever audit of a private sector business conducted by the Office of the Information and Privacy Commissioner for British Columbia, Acting Commissioner Drew McArthur stated that OIPC “used this audit as an important opportunity for public education, and a reminder to private businesses that they should only use video surveillance as a last resort after exploring other less privacy-invasive options.” [see here] OIPC initiated the audit of the lower mainland medical clinic after receiving a complaint about the Clinic’s collection of personal information through video and audio surveillance. The Clinic used surveillance cameras on a 24/7 basis in its lobby, hallways, back exists, and fitness room to collect personal images and audio of patients, employees, contractors, and others. The Commissioner concluded that the Clinic’s use of video and audio surveillance was excessive in the circumstances. The Privacy Audit and Compliance Report [see PR here & Audit/Report here ] covers: 1) the methodology used; 2) the information covered; 3) the Commissioner’s findings; and 4) 12 recommended actions [BC Employer Law]

CA – Bill C-22: Liberals Undermining Goal of Strong National Security Oversight

The protection of Canadians’ rights is at a crossroads. Since 2001, the Canadian government — under the leadership of both the Conservatives and Liberals — has consistently and continuously granted new powers and resources to Canada’s national security agencies. This has been ostensibly in the pursuit of protecting Canada from terrorist threats. The result, though, has been the creation of a far-reaching national security apparatus spanning 20 government agencies — all without consistent, in-depth or independent review or oversight. So when the Liberals announced Bill C-22 to establish a Committee of Parliamentarians to oversee our national security agencies and activities, it was a welcomed and long-awaited announcement. It is also why the government’s recent actions, culminating with last Friday’s vote to reject sending the bill back to committee and passing it on to third reading, are all the more frustrating. The final vote in the House of Commons is slated for Monday, April 3, and it is fully expected to pass, sending the bill on to the Senate. Canadians should be concerned: What we have ended up with is an oversight committee in name only. And that is no comfort at all. [HuffPost]

CA – OPC Guidance: Disclosure Exceptions for Investigations & Fraud

On March 17, 2017, the Office of the Privacy Commissioner of Canada (OPC) published guidance [see here] on two new exceptions in PIPEDA permitting disclosure without consent. The guidance is very helpful to interpreting these new provisions and the OPC’s expectations of organizations. However, as expected, there is an undercurrent to the guidance suggesting that that the OPC would like to restrict organizations from setting up systematic information-sharing programs. This is very unfortunate given that these provisions are directly connected to improving confidence in the digital economy. Systematic sharing of information, particularly for fraud detection, suppression and prevention should be able to be accomplished if PIPEDA is truly technologically neutral. Without these tools, the OPC is incentivizing organizations to use much less transparent methods, such as predictive analytics. [Privacy and CyberSecurity Law]

CA – NB IPC Says Gov’t Hiding Behind “Privacy Law” in Child Deaths

New Brunswick’s IPC, Anne Bertrand, says government is using privacy law to maintain ‘secrecy’ around child deaths it is incorrectly using privacy law to maintain a level of “secrecy” around the child death review process.. The government has said privacy law prevents it from revealing the findings of the committee that reviews child deaths. It has also said reports written by the child death review committee are confidential advice to minister. Bertrand, the independent officer who is responsible for interpreting New Brunswick’s privacy laws, disagrees.” This is not rocket science,” she said. Bertrand cited a section of the province’s Right to Information and Protection of Privacy Act that overrides the privacy of third parties in cases of “significant public interest” where “public health or safety or protection of the environment” is at stake. [CBC]

CA – Will Mandatory Breach Reporting Spread to the Public Sector?

Hard on the heels of legislation requiring mandatory reporting of data breaches for the private sector come recommendations for a similar overhaul of the public sector. In relation to the private sector, s. 10.1 of the federal Personal Information and Electronic Documents Act [see here] requires mandatory reporting of data breaches that pose a substantial risk of harm to individuals. The new legislation was passed in 2015, underwent a consultation period in 2016 and is expected to come into force once regulations have been passed. The Ministry of Innovation, Science and Economic Development Canada advises that regulations will be published this year and will be subject to public consultation and a transition period. In relation to the public sector, the House of Commons Standing Committee on Access to Information, Privacy and Ethics tabled a report in December 2016 entitled “Protecting the Privacy of Canadians: Review of the Privacy Act.” It includes recommendations “to create an explicit requirement for government institutions to report material breaches of personal information to the Office of the Privacy Commissioner of Canada in a timely manner” and “to notify affected individuals of material breaches of personal information, except in appropriate cases, provided that the notification does not compound the damage to the individuals.” [Law Times | See also: Feds set to regulate reporting of digital data breaches ]

CA – Man Arrested in Relation to BC Pharmanet Privacy Breach

One man has been arrested in connection to a series of PharmaNet breaches that may have compromised the personal medical information of about 20,500 British Columbians. Health Ministry spokeswoman Lori Cascaden said “This inappropriate access to PharmaNet is not because of a direct hack into the system. It is suspected that access was obtained through impersonation of physicians and other methods.” In February, the Health Ministry sent out letters to about 7,500 people affected by the breach, which officials became aware about after users and vendors reported incidents of “suspicious access.” Since then, another 13,000 people may have had their PharmaNet information accessed, said the ministry Monday. An independent security review of PharmaNet and an overall modernization of the system, which would include security enhancements, are underway. [Vancouver Sun | Thousands more affected by PharmaNet privacy breach, government reveals and PharmaNet breach compromises personal information of 7,500 B.C. residents, says province ]

CA – BC Government Action Needed to Protect Privacy of Student Data

Delegates at the 2017 B.C. Teachers’ Federation (BCTF) Annual General Meeting approved a six-part recommendation on Saturday about student-data protection. It states “employer-mandated digital programs for reporting and communication with parents should only be used when privacy impact assessments have been developed and district, school, and classroom policies have been defined and are followed. It also says district, school, and classroom policies should include definitions of how the data will be used during the time that it is being collected (e.g., a school year), whether it will be saved and accessible after the current use, and if so, who has access to that data, and a plan for how and when the data will be destroyed. It adds that students and parents should have access to all privacy impact assessments and technology-use policies and that “all data created by a student should be recognized as belonging to the student and not to the provider of the program, nor should it be used for any commercial purpose nor linked to other education, government, or commercial databases.” [Vancouver Observer]

CA – Alberta’s Wildrose Bill Aims to Fight Cyber-Bullying/Photo Abuse

On March 14, Alberta MLA Scott Cyr introduced Bill 202, the Protecting Victims of Non-Consensual Distribution of Intimate Images Act, to the Alberta Legislature. Bill 202 would create laws in Alberta that would allow for victims of these types of actions to seek damages in a court of law. Cyr commented on the bill saying, “We know Albertans, especially youth, across Alberta, are suffering from cyber-bullying. The sharing of an intimate image without consent can have a devastating impact on a victim, leading them to feel betrayed and violated. This legislation if passed would raise awareness about this issue, and remove barriers to seeking damages for victims.” Under Bill 202, provisions would also be added to the Education Act, allowing for students who engage in that behaviour to be suspended or otherwise punished. Bill 202 would apply to anyone under the age of 18 who has their images shared without their consent and is similar to other laws in place in Manitoba [see here] and Nova Scotia [see here & here]. [Cold Lake Sun]

CA – Ontario Court Allows Class Action Complaint Alleging Risk from Pre-Installed Software

The Court considered Lenovo (Canada) Inc.’s motion to strike pleadings for a class action complaint alleging it sold a computer with a malicious adware program. Pre-installed adware on new laptops scanned web traffic to inject unauthorized advertisements into the web browser without consumers’ knowledge and consent, and created security vulnerabilities that allowed hackers to collect confidential sensitive information; the act of implanting the software was an intrusion upon the plaintiff’s privacy (it exposed him to significant risks that his personal and financial information would be stolen), and the risk of unauthorized access to private information is a concern in itself (even without any actual removal or theft. [Bennet v Lenovo – 2017 ONSC 1082 CanLII – Superior Court of Justice – Ontario]

CA – Alberta Bill Prohibits Non-Consensual Distribution of Intimate Images

Bill 202, Protecting Victims of Non-Consensual Distribution of Intimate Images Act passed the second reading in the Legislative Assembly of Alberta: The Act will next be reviewed by the Committee of the Whole. If passed, the bill would make it illegal to distribute an intimate image of another person without consent or being reckless as to whether or not that person consented to the distribution; the courts may award general, aggravated and punitive damages or issue an injunction. [Bill 202 – Protecting Victims of Non-Consensual Distribution of Intimate Images Act – Legislative Assembly of Alberta]

CA – Canada’s Ministry of Transport Imposes New Rules for Recreational Drone Use, Including Penalties

The Minister of Transport issues an interim order for recreational drone use. The Order is effective March 13, 2017. Drone operators must mark their drone with contact information, and may not fly higher than 90 metres, at night, within 75 metres of building, vehicles, animals or people, or within 9 kilometres of a working airport; any recreational drone operator who fails to comply with the restrictions could be subject to fines of up to $3,000 for individuals and up to $15,000 for corporations. The rules do not apply to drones operations for commercial, academic or research purposes. Interim Order Respecting the Use of Model Aircraft – Transport Canada | Press Release]

CA – Trudeau Gov’t Reneges on Promise, Delays Transparency Reforms

Treasury Board President Scott Brison says the government has run up against “important considerations” in the efforts to broaden the access system to include ministers’ offices, the Prime Minister’s Office and the federal court system. Those considerations include “the neutrality of the public service,” “the independence of the judiciary” and Canadians’ privacy rights, the minister said. The Star asked Brison’s office on Sunday how Canadians’ privacy rights are an impediment to making government documents available to Canadians. In an emailed response, Brison’s office suggested minister was speaking broadly about the principles that underpin the access system, including censoring information about private citizens. Canada’s access to information (ATIP) system was established in 1982. It allows any Canadian to access internal federal government documents. Citizens, businesses and researchers can use it to figure out how Ottawa makes decisions and to dig up historical records, basically pry loose information the government has kept from public eyes for whatever reason. In the 2015 campaign, the Liberals proposed sweeping reforms to the system, including expanding its application to ministers’ offices, giving an independent watchdog the power to compel departments to release information and making access to government documents “open by default.” A number of those changes have now been delayed indefinitely. [Scott Brison explains delay in promised transparency reforms |Justin Trudeau’s promise of transparency is starting to look empty: Editorial]

CA – Ontario Court Refuses to Restore Landmark Damages Award in Revenge Porn Case

The Court considers a Plaintiff’s appeal of a court judgment setting aside damages awarded to her for non-consensual distribution of intimate images. The Court ruled that the motion judge, in setting aside the findings of liability and assessment of damages against the Defendant, did not fail to look at ongoing psychological harm as a form of non-compensable prejudice to the Plaintiff; the Defendant must pay $10,000 in costs, and present a statement of defence (i.e. the case will proceed to trial. [Jane Doe 464533 v. N.D. – 2017 ONSC 127 – Superior Court of Justice Ontario]

CA – Employees Continue to be the Weakest Link in IT Security

An overview of the biggest risks to IT systems. 60 to 90% of the time, insiders are the cause of IT security threats, specifically for responding to phishing emails that appear to come from an internal source (e.g., senior management); employers should hold training sessions every 4 to 6 months to educate employees on specific social engineering behaviours such as suspicious URLs or requests for personal information. [Employee Behaviours and IT Cyber Risk – Paige Backman, Partner, Meghan Cowan, Associate, and Donald Johnson, Lawyer, Aird and Berlis LLP

CA – Manitoba Ombudsman Issues Recommendations to Prevent Employee Snooping

The Manitoba Ombudsman issues recommendation for public bodies and trustees to prevent employee snooping. Steps to ensure the information is only accessed by employees who need it and when it is required include, promoting a culture of privacy by establishing clear expectations and requirements for employees (supported by senior management), raising employee awareness by conducting regular training and reminders, making sure employees understand the consequences, granting access to information on a need-to-know basis, monitoring employees’ behaviour and investigating all snooping allegations. [Ten Tips for Addressing Employee Snooping – Manitoba Ombusman]

CA – BC Government Ordered to Disclose Aggregate Health Data to Tobacco Industry

The Court considers the Province of British Columbia’s appeal against an order compelling production of documents containing personal health information. In an action against the tobacco industry to recover health care expenditures for tobacco related disease, the government refused to produce anonymised data from its health databases, even though it would be relying on that same data to determine damages; provisions under the Tobacco Damages and Health Care Costs Recovery Act does not prohibit the production of anonymized or statistical health data, and once stripped of personal identifiers, the data poses no realistic threat to personal privacy. [HMTQ v. Philip Morris International Inc. – 2017 BCCA 69 CanLII – Court of Appeal for British Columbia]

Consumer

WW – UN Human Rights Council Resolution Calls on Nations and Private Sector to Respect Individual Rights

The UN Human Rights Council, along with 35 other UN member states, adopted a resolution on the right to privacy in the digital age on March 23, 2017. Member states should implement domestic oversight mechanisms to ensure transparency of and accountability for State surveillance of communications, permit individuals subject to arbitrary or unlawful surveillance an effective judicial remedy, and enable business enterprises to adopt adequate voluntary transparency measures; business enterprises should implement technical solutions to secure digital communications (including encryption and anonymity), with which states should not interfere. [Resolution 34/7 – The Right to Privacy in the Digital Age – United Nations Human Rights Council]

CA – CPAC Survey: Consumers Conflicted Over Safety of Personal Info

Consumers from the Great White North worry that Canadian businesses are vulnerable to cyberattacks yet trust that companies are doing their best to protect the personal information of customers, according to a new fraud survey by the 2017 Chartered Professional Accountants of Canada. Perceptions about the safety of personal information and trust in business could drastically change by the time the next survey is conducted. Canada’s tightened up data breach notification laws take effect later this year. Some privacy professionals warn that there could be a huge uptick in breach reporting as guidance from the Canadian Securities Administrators requires companies to report more information about cyberattacks [see here], and expected Digital Privacy Act regulations will require more breaches to be reported. [BNA] See also: Fewer Canadians concerned about identity theft, says CPA Canada]

US – Americans Unwilling to Share Electronic Info for Terrorist Investigations

A Reuters-Ipsos poll found a majority of American citizens are unwilling to share their electronic communications and online activity with U.S. counterterrorism agencies. Compared to results from when the poll was last conducted in 2013, Americans are even more reluctant to share information. Of the respondents, 75% said they would not allow law enforcement agencies to access their internet activity to aid in terrorism investigations, up from 67% in 2013. Opinions on surveillance were mixed, with 32% saying agencies such as the FBI and National Security Agency are conducting “as much surveillance as is necessary,” while 37 percent said those agencies are “conducting too much surveillance on American citizens.” [Reuters]

US – Most Americans Unwilling to Give Up Privacy to Thwart Attacks: Survey

A majority of Americans are unwilling to share their personal emails, text messages, phone calls and records of online activity with U.S. counter-terrorism investigators – even to help foil terror plots, according to a Reuters/Ipsos opinion poll released on Tuesday. 75% of adults said they would not let investigators tap into their Internet activity to help the U.S. combat domestic terrorism. That’s up from 67% who answered the same way in June 2013. But Americans were more evenly divided when asked whether the government is conducting too much surveillance. According to the March 11-20 survey, 32% said intelligence agencies such as the FBI and National Security Agency are conducting “as much surveillance as is necessary” and 7% said they wanted more surveillance. Another 37% of adults said agencies are “conducting too much surveillance on American citizens.” The remaining 24% said they did not know. For a graphic of the poll results see here The entire poll can be found here. [Reuters/Ipsos poll]

EU – EU to Propose New Rules Targeting Encrypted Apps in June

The European Commission will propose new measures in June to make it easier for police to access data on internet messaging apps like WhatsApp, EU Justice Commissioner Věra Jourová said yesterday (28 March), heeding calls from national interior ministers. The announcement comes as interior ministers from EU countries have amped up pressure on the Commission to introduce new rules to help police crack through secure encryption and demand private data for investigations. “At the moment, prosecutors, judges, also police and law enforcement authorities, are dependent on whether or not providers will voluntarily provide the access and the evidence. This is not the way we can facilitate and ensure the security of Europeans, being dependent on some voluntary action,” said [EU Justice Commissioner Věra] Jourová. Jourová said the measures would make it easier for law enforcement authorities to request and access data from online services that are registered outside their jurisdictions. UK Home Secretary Amber Rudd said on Sunday (26 March) that encrypted messaging services should be forced to give access to police. German Interior Minister Thomas de Maizière and his French counterpart Matthias Fekl told MEPs they want police to have the same legal right to access online services as they do to demand phone call information from telecoms companies. National ministers in favour of laws regulating encryption complain that they have no legal power to force internet firms to hand over secured data. Five out of 12 EU countries – Hungary, Croatia, Italy, Latvia and Poland – that responded to a questionnaire sent out last year by the Slovakian government, when it held the rotating Council of the EU presidency, said they wanted an EU-wide law on encryption. [Euractiv] WhatsApp must be accessible to authorities, says Amber Rudd | Call for encryption ban pits Rudd against industry and colleagues | Encryption debate needs to be nuanced, says FBI’s Comey]

E-Government

NZ – Privacy Commissioner of NZ Rejects Data-for-Funding Proposal

New Zealand Privacy Commissioner John Edwards has rejected the controversial Ministry of Social Development-proposed policy to require nongovernment organizations to provide personalized data of their clients in exchange for government funding, Stuff.co.nz reports. His decision comes the day after the MSD had to shut down their information-sharing portal after a breach. While Edwards acknowledged that good information allowed for the government to weigh the efficacy of NGOs, the MSD had taken “insufficient consideration” regarding the consequences of its proposal and that its data capture plan was “excessive and unnecessary.” Ultimately, “there is a real risk that the new arrangement will deter some people who are most in need from seeking support or assistance,” Edwards said. [Stuff.co.uk]

WW – Google and Jigsaw Are Offering Free Election Cybersecurity Tools

Google and Jigsaw, both part of the Alphabet family, have developed a package of tools to help organizations facilitating elections protect themselves from digital threats. The “Protect Your Election” suite of tools includes two-factor authentication, the Password Alert Chrome extension, and access to Project Shield, which offers free DDoS defense to independent news site and human rights groups. [A Cybersecurity Arsenal That’ll Help ‘Protect Your Election’ | Google, sister company Jigsaw offer cybersecurity to election groups | Google, Jigsaw seek to stop election hacks | Google will provide free cybersecurity tools for election organizers in Europe]

HK – Tablet with Census Data Lost Last Year, Government Announces

Hong Kong’s Census and Statistics Department has revealed that a tablet containing the personal information of 46 citizens was lost last year after it was misplaced by a census officer gathering information. The department said “the tablet was one of two such devices lost by census officers” but that in this case, the officer misplaced the device while eating at a fast-food restaurant, the report states. A department spokesman said that while the information on the tablet wasn’t deleted quickly enough by remote software, it “believed the risk of data leakage was ‘extremely low’ because the information had been encrypted and the tablet was locked by dual-password authentication.” Additionally, while the public was just hearing about the breach, victims, law enforcement, and the privacy commissioner were informed last year. [South China Morning Post] and [Lawmakers dub explanation behind voter data theft ‘nonsensical’]

IN – 46,000 Phone Numbers Leaked Via Local Indian Police’s Twitter Account

Bengaluru police leaked the 46,000 phone numbers of those who dialed 100 via the Suraksha app to complain about harassment, quarrels and more, to Twitter. The police made the account private after concern about the leak increased, but were otherwise “unapologetic regarding the matter,” the report states. The police said the leak was a result of tweets auto-generated from its Twitter account. Policy Director at the Centre for Internet and Society Pranesh Prakash argued that the “police officer who ordered to create such an account should be held responsible if any harm comes to a complainant.” [India Today]

US – FPF Smart City Resource Looks To Assuage Iot Fears

The Future of Privacy Forum has unveiled a new interactive tool to help companies, communities, and citizens understand internet-of-things technology used in so-called smart cities. FPF notes that while smart cities do inspire their fair share of privacy concerns, mature data privacy programs can protect citizens while allowing cities to embrace IoT technology. The infographic explores typical concerns about smart city innovation, like discrimination, surveillance, and unexpected uses of data. It couples those issues with practical solutions, such as transparency and consent, vendor management, and de-anonymization tactics, as well as providing readers with additional smart city resources. [FPF.org]

US – Senator Asks FTC to Look Into IoT Toy Privacy Concerns

Sen. Bill Nelson, D-Fla., has written a letter to the FTC asking the agency to address issues surrounding internet-connected children’s toys. Nelson is concerned about the privacy and security risks the toys possess as they continue to gain prominence in light of a recent data breach. “Please explain what actions the FTC has taken in response to these recent data breaches, which have exposed the personal information of millions of children,” writes Nelson. “Specifically, I would like to know what actions the FTC has taken under the COPPA Rule to protect the personal data of children using connected toys.” Nelson has previously written a report and a letter to the CEO of connected-toy company Spiral Toys outlining similar concerns. [SD Times]

E-Mail

US – USPS Daily Mail Digital Preview a Double-Edged Security Sword, Some Say

Informed Delivery, a new, free offering from the U.S. Postal Service, allows users to access pictures and information of the mail they’re set to receive that day, and could be used to help those enrolled protect against identity theft and fraud. “If an important piece of mail that was supposed to be delivered isn’t in the mailbox … [users] can assume it was stolen or delivered to the wrong address and start working to find out what happened,” the report states. However, some critics contend it’s not that simple. Should a hacker compromise a user’s account, he or she could discover that a check or important document was en route and grab it before the intended recipient does. That’s why strong passwords for these types of services are imperative, said CyberScout’s Adam Levin. [NBC News]

UK – Startup Raises $2.7M for Pro-Privacy Email Tool

British startup CheckRecipient looks to protect employee-generated data breaches by utilizing machine learning to keep emails from being mailed to the wrong recipient. So far, the startup has raised $2.7 million in capital. The funds were raised in conjunction with companies like Accel, Amadeus Capital Partners and LocalGlobe. “While there are lots of products on the market designed to make email more secure, they all require a high degree of behavior change from end users or significant administration from IT teams, meaning that their effectiveness is diminished,” the startup argues, maintaining that its product makes those practices obsolete. The team added that the startup has seen success in London, working with legal, health care and financial service companies, and hopes to launch in the U.S. “shortly.” [TechCrunch]

Encryption

CA – Court Nixes Probation Condition Forbidding Encryption Use

The US government has much broader authority over the speech of probationers than it does over ordinary citizens; but even probation conditions are subject to some scrutiny. Thursday’s California appellate decision in In re Mike H. concluded that a ban on the probationer’s use of anonymizing tools to access the Internet, and a requirement that he accurately identify himself when setting up any online communications services, was permissible: “The juvenile court could reasonably conclude that requiring Mike to use his true identity online and avoid encryption or hacking tools could help the probation department assess whether Mike was in violation [of] other uncontested conditions of his probation.” But the ban on using any electronic devices that contain “any encryption software” was too broad: “While it may not be apparent to the everyday user, encryption technology is now a fact of everyday life This means that encryption is applied automatically without a user needing to switch it on. As drafted, [this condition] is therefore unconstitutionally overbroad.” [Washington Post | Court Strikes Probation Condition Against Using a Device Containing Encryption–In re Mike H.]

UK – New Survey Claims Most Brits Feel “Safer” Without Encryption

Two-thirds of the British public claim the ability of police to intercept and read communications between terrorists is more important than privacy, according to a new study. Advice site Cable.co.uk polled [see here] 2000 UK adults last week following the home secretary’s controversial and widely criticized comments that WhatsApp and other services should effectively be backdoored to allow law enforcement to monitor suspects. Along with the headline stat, over half (51%) claimed they’d feel safer if services like WhatsApp were unencrypted, whilst only a quarter (25%) said they’d feel less safe because cyber-criminals could potentially intercept their communications. Nearly a quarter of men (23%) compared to just 14% of women said the digital privacy of UK citizens should come first, while 26% of 25-34-year-olds felt the same, as opposed to just 10% of the over-55s. [InfoSecurity See also: UK government can force encryption removal, but fears losing, experts say | Politicians call – again – for backdoors into encrypted messages | WhatsApp must be accessible to authorities, says Amber Rudd | Call for encryption ban pits Rudd against industry and colleagues ]

EU Developments

UK – UK Seeks To Create Independent Body to Monitor Police Online Surveillance

The Home Office is creating an independent surveillance program to prevent police officers from granting themselves permission to access personal emails and browsing histories. Labour Party Deputy Leader Tom Watson said the project is a response to a judgment made by the European Court of Justice demanding stricter legal safeguards for law enforcement agencies handling communications data. Members of Parliament have yet to be notified about the project, but information about the new body recently appeared in an online tender document. [Guardian]

UK – Interactive Map Shows Intrusive Surveillance-Tech Exports

The UK is a worldwide exporter of surveillance technology. From devices that hoover up phone calls and text messages, to hardware for monitoring internet traffic, Her Majesty’s Government has granted myriad licenses to ship spying gear over the past few years. Some of the recipient countries will have legitimate uses for such products, but many—Egypt, Turkey, Saudi Arabia—also have abhorrent human rights records, especially when it comes to abusing powerful surveillance tech. IMSI catchers, intrusion software, internet monitoring solutions: UK companies provide it all. Her Majesty’s Government has granted myriad licenses to ship spying gear over the past few years. Some of the recipient countries will have legitimate uses for such products, but many—Egypt, Turkey, Saudi Arabia—also have abhorrent human rights records, especially when it comes to abusing powerful surveillance tech. To better illustrate this proliferation, Motherboard has created an interactive map using data published by the Department of International Trade, as well as extra details obtained through the Freedom of Information Act, such as the specific product exported, or the company that sold it. The map shows which countries the government has granted export licenses to since 2015, and includes telecommunications interception equipment, intrusion or hacking software, and internet monitoring tools. Motherboard will update the map as more data becomes available. (Currently, the map dates back to April 2016). You can find the map here, and various related datasets [here, here & here] [MotherBoard]

EU – Lawmakers Question Data Transfer Program Ahead of Review

The European Union-U.S. Privacy Shield data transfer pact has flaws that must be addressed during the first annual review of the program, EU lawmakers said in a draft [European Parliament Civil Liberties, Justice and Home Affairs Committee or LIBE] resolution narrowly adopted March 23 [see 6 pg pdf here]. The resolution said the review of the program scheduled for this summer should focus on continued U.S. surveillance of foreigners abroad and the viability of redress mechanisms for EU citizens over alleged U.S. government misuse of data. Claude Moraes, the committee’s chair and resolution’s sponsor, told Bloomberg BNA March 23 that EU lawmakers are concerned about data retention provisions in the Privacy Shield agreement. Additionally, the Privacy Shield doesn’t prevent U.S. authorities from carrying out “the bulk collection of personal data for national security purposes,” he said. The draft resolution also called into question the “effective independent oversight” of the program by a U.S.-based ombudsman The LIBE resolution is provisional until confirmed by a vote of the full European Parliament. LIBE backed the resolution in a 29-25 vote, with one abstention. The European Commission, the EU’s executive arm, is obligated to review the Privacy Shield annually. The pact became effective Aug. 1, 2016. [BNA.com]

EU – Resolution Adopted by European Parliament Criticizing Privacy Shield

The European Parliament adopted a resolution criticizing the EU-U.S. Privacy Shield agreement. German Green MEP Jan Philipp Albrecht calls upon the European Commission and EU Justice Commissioner Věra Jourová to ensure more is done to protect European citizens’ data. “The Privacy Shield does not make the US a safe haven. Personal data from people in the European Union is not being adequately protected against access by intelligence services in the US. People in the EU have no real rights when it comes to accessing their data or having it deleted,” Albrecht stated, adding, “The European Justice Commissioner should not allow the US government to palm her off with non-binding declarations of intent or letters of assurance. Vera Jourová must increase the pressure on the US government to make the Privacy Shield a genuine safeguard.” [Greens-EFA]

EU – ePrivacy Reform & the UK ICO Role and Plans

While preparations for the GDPR dominate the headlines, it’s not the only change for the digital economy. As technology evolves at a phenomenal rate, the laws that govern internet-based services are moving at an equally rapid pace. The next piece of legislation in line for an overhaul is the European directive that forms the basis of the Privacy and Electronic Communications Regulations (PECR). Earlier this year, the European Commission published its proposal for the new updated ePrivacy Regulation (ePR), to better protect people’s privacy in the digital age. This proposal is just the beginning of the process, and the details are likely to change as we move forward. It will be a tough deadline for EU lawmakers to meet – the ePR is due to come into effect in May 2018 alongside the GDPR. As a regulation, it will apply directly within every EU member state. As with GDPR, the UK government has confirmed it would be implemented in the UK before we leave the EU. The current draft proposal includes some headline changes The responsibility for enforcement will mirror the GDPR and therefore will fall to the ICO. We’ll be watching the negotiations closely to understand how they might affect the UK. [Information Commissioner’s Office Blog]

UK – ICO UK Issues Guidelines to Health Sector on Managing Patient Records

The UK Information Commissioner’s Office has issued guidelines for the health sector. Organisations should assign responsibility for ensuring the location of records is known at all times, including appointing a records manager, records officer, and local information asset owner; tracking procedures should be put in place (including what to do if a file goes missing), records should be logged in and out, and a formal records management training programme should comprise mandatory induction and periodic refresher training for all staff with access to personal data. [ICO UK – Health Sector Resources | News Release]

EU – European Parliament Issues Opinion on the Fundamental Rights Implications of Big Data

The European Parliament has issued its opinion on the fundamental rights implications of big data. The complexity of automated processing of big data can be challenging for individuals to assess the collection, analysis and use of personal data, the merging of personal and non-personal data can create new personal data, and it can be possible to re-identify individuals by correlating different types of anonymised data; organisations should apply the principle of data protection by design and pseudonymize, anonymize or encrypt personal data used in big data applications. [European Parliament – Resolution of 14 March 2017 – Fundamental Rights Implications of Big Data]

UK – Government Advised to Establish Minimum Internet Safety Standards

The House of Lords Select Committee on Communications released its 2nd report of session 2016-17 on children and the Internet. Social media sites terms and conditions are at odds with children’s right to privacy, the commercial uses of data in regards to children present difficulties in regards to transparency, choice and control, the effectiveness of filters is limited by children’s use of multiple devices/access points, encryption of websites and use of apps; there is widespread flouting of rules concerning age (particularly on social media sites and in gaming), and internet services are not designed with children in mind (an updated operating system automatically restores default settings. [Growing Up With The Internet – House of Lords]

CA – British Columbia Man Arrested For Stealing Patient Information

A British Columbia man has been arrested for stealing the information of more than 20,000 PharmaNet patients. The Vancouver Police Department released a statement saying the man gained unauthorized access to the PharmaNet system to obtain the patient data, then used the information for “fraudulent purposes.” Law enforcement agencies have not shared any information on the ways the data was used or how the man breached the system. The Ministry of Health said the man may have gained access by impersonating a doctor and promised to implement stronger security measures with PharmaNet vendors. British Columbia offered free credit monitoring for all of the impacted patients. [CTV News]

Facts & Stats

WW – Reports: Number Of Compromised Records in the Billions In 2016

Gemalto released its 2016 data breach report, finding the number of compromised records increased 86 percent from 2015. Gemalto’s Breach Level Index found 1.4 billion records were compromised in 2016, pushing the overall total to 7 billion since the BLI was created in 2013. The report found most of the cyberattacks targeted large consumer databases, such as social media, entertainment, and email websites. Despite the record amount of compromised records, the number of data breaches actually decreased by 4 percent last year. Another report from IBM Security found more than 4 billion records were leaked worldwide in 2016, a 566 percent increase from the previous year. [Gemalto]

US – Eight Companies Plan to Pay $5.3M to Settle Privacy Lawsuit

A group of eight companies could pay $5.3 million for a proposed privacy settlement. The payments from Instagram, Foursquare, Kik, Gowalla, Foodspotting, Yelp, Twitter, and Path would help settle a 2012 lawsuit surrounding the use of the “Find Friends” iOS feature. The feature allowed users to find out if their friends were using the same app, but the plaintiffs in the case allege the app makers violated their privacy by failing to alert users it would send their contact lists to company servers. A judge still needs to approve the settlement before it takes effect. If approved, only Apple and LinkedIn will be among the 18 original defendants still attached to the case. [Fortune]

Finance

US – Coalition of US Groups Push to Repeal Globally-Hated FATCA

A coalition of 23 taxpayer protection and grassroots organizations sent a letter today urging Congressional leadership to include repeal of the Foreign Account Tax Compliance Act (FATCA) as part of comprehensive tax reform. Co-authored by the Center for Freedom and Prosperity and the Campaign to Repeal FATCA. The letter makes 5 key points: 1) FATCA fails in its primary goal to catch wealthy tax cheats; 2) It ensnares innocent Americans with excessive reporting requirements and draconian penalties for the slightest oversights; 3) It makes U.S. citizens living and working abroad toxic assets in the eyes of both financial institutions and employers; 4) Its compliance costs far outstrip the revenue it collects; and 5) It encourages other nations and international organizations to pursue aggressive tax grabs that threaten American businesses and the global economy. [Freedom and Prosperity]

US-Born Canadian Citizens Allege FATCA Infringes on Their Right to Privacy

Virginia Hillis, Gwendolyn Deegan and Kazia Highton (“Plaintiffs”) filed a statement of claim against the Attorney General of Canada and the Minister of National Revenue (“Defendants”) arguing that the Foreign Account Tax Compliance Act (“FATCA”) violates their rights as Canadians under the Charter Of Rights And Freedoms: Defendants filed a response to Plaintiffs’ claims. Canadian financial institutions are required to disclose account information relating to US reportable accounts without notice to the individual, an opportunity for the individual to object, consideration of the usefulness of information, or sufficient restrictions on the use of the information; the government argues that reported information can only be disclosed for tax purposes, and FATCA is tailored to only collect required information. [Virginia Hillis et al v. Attorney General of Canada and the Minister of National Revenue – Amended Statement of Claim to the Defendants – Federal Court | Government Response]

US – IRS Seeks Bitcoin Exchange User Data, Raising Privacy Concerns

Privacy concerns have arisen as the Internal Revenue Service aims to obtain consumer information from popular bitcoin service, Coinbase. The IRS served a “John Doe” summons to Coinbase demanding transaction and user profile records on all of its U.S. users from 2013 to 2015 as part of a tax evasion probe. Coinbase has yet to turn over any of the data and is asking the government to narrow the scope of the information it is seeking. While Coinbase’s general practice states they will cooperate with law enforcement agencies, the company said it will fight back against the request unless the demands are scaled back. “It amounts to nothing more than asking for large amounts of hay in the hope they might find a needle,” said Internet Association CEO Michael Beckerman. [The Wall Street Journal]

CA –Canada’s First Commercial Blockchain Service Could Become the ‘Interac’ for Digital Transactions

With the announcement of a major commercial service with backing from Canada’s ‘Big 5’ banks and a new research institute driven by the Tapscotts, complete with government funding, it’s fair to say that blockchain is having its moment in emerging to the mainstream. “Banks haven’t done something like this since the formation of Interac in 1984” says Greg Wolfond, founder and CEO of SecureKey Technologies [see here] They are getting ready for a push to launch a new brand that is centered around enabling privacy-protected digital transactions Later this year. The service will be the first blockchain project with such a wide commercial launch in Canada, signaling that the digital ledger technology has moved on from its days as the stuff of cryptocurrencies bearing odd names and firmly into the establishment. The bottom line is that customers will just have more control over their privacy than they do today [says Chuck Hounsell, senior vice-president of payments at TD Bank]. Blockchain hasn’t just arrived in Canada, its commercial embrace is global. SecureKey [see here] plans to collaborate with IBM to take the work its done in Canada to other countries. It may be buoyed in part by its status as a Privacy by Design ambassador, showing it’s adopted former Ontario privacy commissioner Anne Cavoukian’s internationally-recognized privacy framework in its design. That helped facilitate a triple-blind model that ensures user privacy, Wolfond says. The provider of the attribute doesn’t know what you’re using it for, the receiver doesn’t know who’s providing it, and there’s no middle man in between to watch what you’re doing. [IT World]

US – FTC releases 2016 Annual Highlights, Cites Continued Efforts Toward Privacy

The Federal Trade Commission released its 2016 Annual Highlights, touting the agency’s efforts to protect consumers. Acting FTC Chairman Maureen Ohlhausen said, “2016 was a historic year for the FTC. We obtained almost $12 billion in redress for consumers, and took action in more than a dozen merger cases to preserve competition. The Commission’s enforcement, policy and consumer and business education work shows our strong commitment to protecting consumers and promoting competition and innovation.” The report also discusses the FTC’s continued efforts to make privacy and security a high priority. [FTC]

WW – Study Evaluates Top Companies’ Privacy Commitments

A new study examined 22 of the top global telecommunications, internet, and mobile companies on their public commitments to and disclosed policies on users’ freedom of expression and privacy. “The 2017 Ranking Digital Rights Corporate Accountability Index” measured the companies based on three sets of criteria: governance, freedom of expression, and privacy. Key findings include evidence that companies are not doing a proper job disclosing information to consumers, mobile ecosystems lack disclosure, freedom of expression “is getting shortchanged,” and handling of user data is opaque, among others. Among internet and mobile companies, Google had the best marks, while AT&T had the best score among telecommunications companies. [Ranking Digital Rights]

FOI

CA – Alta Gov’t Opposition Recommendations on Fixing FOI System

The Wildrose, Alberta’s Official Opposition party, made 10 suggestions for improving Alberta’s broken freedom of information system, including firing issues managers in the premier’s office and Public Affairs Bureau to free up cash for processing requests. [see PR here & pdf report here] Nathan Cooper, the Wildrose critic for democracy and accountability, said access to information is a critical tool for the opposition, media and the public to hold the government to account. He said the government needs to change its attitude.. Earlier this year, Alberta privacy and information commissioner Jill Clayton issued a scathing assessment of the government’s attitude towards the FOIP act. [see PR here & report pdf’s here & here] Clayton said the government has a “lack of respect” for freedom of information and needs a culture change that starts at the top. [CBC] See also: [Information commissioner slams Alberta government for poor state of freedom of information]

CA – Despite SK OIPC’s insistence, Gov’t does not Release GTH Info

Saskatchewan’s Highways minister is defending his ministry’s record of providing information on its projects, despite not following Information and Privacy Commissioner recommendations or even reading the commissioner’s reports on his ministry’s actions. “I just think that our ministry has been very responsible and respective of the FOIs,” Dave Marit said. That’s despite the fact he told CBC he hasn’t read any of the Information and Privacy Commissioner’s five reports condemning his ministry on its handling of requests for information about the Global Transportation Hub. The Ministry of Highways has consistently dragged its feet on information requests — a fact the commissioner has pointed out time and again after CBC filed complaints about the delays. See OIPC reports from Nov. 9, 2016, Nov. 10, 2016, Jan. 5, 2017 and Jan. 17, 2017 ] Here’s a summary of those reports:

  • Nov. 9, 2016: Commissioner recommends the ministry release a land sale agreement with CP for property at the GTH. The ministry refuses to release the document.
  • Nov. 10, 2016: Commissioner finds the ministry was more than three months late in responding to CBC’s requests related to the GTH. He described the delays as excessive and a violation of the law. “Highways must take their obligations under FOIP [Freedom of Information and Protection of Privacy] more seriously. The Legislative Assembly has passed FOIP and I expect that ministries will comply with the laws passed by it. Highways has failed to do so,” he wrote.
  • Jan. 5, 2017: Ministry proposes to charge CBC $70,000 for a series of 13 information requests. The commissioner found the ministry failed to consult with CBC as it is required to do. He also found the ministry’s “excessive fee was an unreasonable barrier to access.”
  • Jan. 17, 2017: Commissioner finds the ministry had delayed its response to information requests in a way that “was unnecessary, inappropriate and unauthorized under FOIP.”

When asked why he hadn’t read any of the commissioner’s reports, Marit responded, “I guess that’s where I trust my deputy minister and my ministry staff to look after the FOIs.” [CBC | 3 strikes: Sask. government chastised again for handling of GTH document requests]

CA – OIPC AB Requires Disclosure of Former Employee Records

The Office of the Information and Privacy Commissioner in Alberta reviewed a decision by Children’s Services to deny access to records requested, pursuant to the Freedom of Information and Protection of Privacy Act. Disclosure of information relating to an Edmonton Police Service file involving the individual would not reveal information supplied in confidence by the police (the police service already disclosed some information to the individual), or harm relations between the public body and the police service. [OIPC AB – Order F2017-28 – Children’s Services]

CA – Unauthorized Disclosure of Images Penalized by Laws in Manitoba

A review of changes in common law and in statute in regards to cyber-bullying. Non-consensual sharing of intimate images creates a private right of action, empowering the courts to award damages to the plaintiff to amend humiliation and cyber-bullying acts; perpetrators can be held liable for invasion of privacy. A similar law in Nova Scotia has been found unconstitutional. [Cyberbullying and Revenge Porn – An Update on Canadian Law – Kristen thompson – CyberLex]

CA – BC OIPC Upholds Public Body’s Decision to Deny Parent Access to Child’s Records

The British Columbia Information and Privacy Commissioner reviewed an access request made to the Ministry of Children and Family Development pursuant to the Freedom of Information and Protection of Privacy Act and the Freedom of Information and Protection of Privacy Regulation. [OIPC BC – Order F17-04 – Ministry of Children and Family Development]

WW – Study: Large Teaching Hospitals More Likely To Suffer Data Breach

A study published by JAMA Internal Medicine found large teaching hospitals are more likely to suffer data breaches, SC Magazine reports. The study found 216 hospitals accounted for 257 of the 1,798 data breaches between Oct. 21, 2009 and Dec. 31, 2016. Most of the affected hospitals were discovered to be teaching hospitals. Larger teaching hospitals are more likely to be targets due to more individuals having access to private patient data and aging infrastructure. “Due to tight budgets, aging systems and rich confidential data, hospitals will continue to be victimized by targeted attacks in 2017,” Plixer International CEO Michael Patterson said. “To avoid falling prey, insured contractors should be leveraged to patch systems and audit cyber defenses.” [SC Magazine]

US – Twitter Sues DOJ Over Request For User’s Information

After receiving a summons from a Customs and Border Protection agent related to an account, Twitter is filing a lawsuit against the Department of Justice in order to protect the user from being revealed. The agent is ordering Twitter to turn over information regarding the @ALT_USCIS account, including usernames, account login, phone numbers, mailing address, and IP addresses. Twitter said revealing the user’s identity “would have a grave chilling effect.” Center for Democracy and Technology’s Emma Llansó said, “These tech companies have so much really personal information about all of us, and part of what we do when we give them this information is trust them to be stewards of it,” adding, “For Twitter to fight back against such a broad demand from the government to unmask is really significant.” [San Francisco Chronicle]

US – NY Attorney General’s Office Announces COPPA Settlement

The New York Attorney General’s office today announced a settlement with TRUSTe regarding its certifying of companies under the U.S. Federal Trade Commission’s COPPA safe harbor program. TRUSTe will pay a $100,000 fine and has agreed to make certain changes to its certification program. The case is a continuation of what the New York Attorney General calls “Operation Child Tracker,” which led to nearly $1 million in fines for four firms this past September. [IAPP.org]

Genetics

US – FDA Approves DNA-Test Company’s at-Home Genetic Diagnostic

The Food and Drug Administration has approved 23andMe to market its at-home genetic test allowing users to test their DNA for 10 diseases, like Parkinson’s or Alzheimer’s. While questions remain about the accuracy of these tests, proponents argue that they’re ultimately beneficial. “We’re moving as a society toward empowering people with health related information and this is, I think, a welcome step, along that journey,” said Harvard University geneticist, Dr. Robert Green. New York University bioethicist Art Caplan, however, who maintained the at-home tests could end up “frightening” consumers, said that “it’s also not clear what privacy people have and how well 23andMe could safeguard their test results, or even their actual samples,” the report adds. [NBC News]

Health / Medical

CA – Ontario Bill Amends FOI Legislation to Create Disclosure Exemptions for Medical Assistance in Dying

Bill 84, amending the Freedom of Information and Protection of Privacy Act and the Municipal Freedom of Information and Protection of Privacy Act and related to medical assistance in dying, is read and referred to the Standing Committee on Finance and Economic Affairs. The Freedom of Information and Protection of Privacy Act and Municipal Freedom of Information and Protection of Privacy Act are amended to provide that they do not disclose identifying information relating to medical assistance in dying; “identifying information” means information that identifies a person or facility or that could be utilized with other information, to identify a person or facility. [Bill 84 – Medical Assistance in Dying Statute Law Amendment Act, 2017 – 41st Legislature, Ontario]

CA – Retiring Doctors Must Notify Patients of Who Will Hold Their Health Records

The Information Protection Commissioner of Ontario has issued recommendations regarding medical records. To ensure the ongoing right of access, either before or shortly after their retirement, doctors and other health care providers must give patients notice indicating who will take over their practice or details on the specialized medical record storage facility where they will be transferred to. [IPC ON – Your Doctor Is Retiring – What You Should Know About Your Medical Records]

EU – OCR Leader: Agency Will Release Guidance on ‘Hot Button’ Privacy Issues

At the Health Care Compliance Association’s Compliance Institute, Iliana Peters of the Health and Human Services Office for Civil Rights said that the agency will prioritize guidance surrounding “hot button” privacy issues this year. She added that the OCR was wrapping up a round of audits and predicted that enforcement fines would increase in the future. In tandem with her talk, the HHS Office of Inspector General released “Measuring Compliance Program Effectiveness: A Resource Guide.” It covers the results of an “effectiveness roundtable” in collaboration with the Health Care Compliance Association in early 2017, and looks to “provide measurement options to a wide range of organizations with diverse size, operational complexity, industry sectors, resources, and compliance programs.” [WilmerHale]

Horror Stories

CA – McDonald’s Canada Jobs Web Site Hacked, 95,000 Affected

The home page of McDonald’s Canada .revealed that its career Web site — where job applicants leave their resumes — has been hacked. The personal information of approximately 95,000 restaurant job applicants has been compromised,” he company said in a statement.[see here] That covers anyone who applied online for a job between March 2014 and this month. “The personal information compromised was limited to applicant name, address, email address, phone number, employment background and other standard application information. Our application forms do not request highly sensitive personal information such as social insurance numbers, banking information or health information” the company said. Ann Cavoukian, head of Ryerson University’s Privacy and Big Data Institute, said “All sensitive documents that retain personal identification, especially in an employment context, should be encrypted In this day and age it is not a big deal to encrypt data. And it doesn’t matter that they don’t have the social insurance number [of applicants]. They have a lot of other sensitive information — their employment history, when they worked. Just because they don’t have your social insurance number or banking information doesn’t mean its not sensitive. Why not protect the data when you can do it so easily in this day and age?” In an interview Ira Nishisato, national leader of the cyber security and risk practice at the law firm Borden Ladner Gervais said Canadian law on an organization’s “standard of care” for personal information is still evolving. A court would likely look to best practices suggested by industry associations, he said. But he believes these days “encryption is expected” even if personal information doesn’t include social insurance numbers and the like. “If you fail to encrypt you’re at risk.” [IT World]

UK – Data From UK Parliament’s Staff Accidentally Published Online

The Independent Parliamentary Standards Authority has said that “extremely sensitive” information about an estimated 3,000 members of Parliament’s staff was accidentally published online for four hours before someone noticed the mistake, BBC reports. The information included salaries, work and vacation patterns and was accidentally uploaded to a version of the MP site soon to be archived, the report states. A Parliament spokesman said that a “small number” of people had viewed the information until the watchdog was alerted and the data removed. “An investigation is currently underway and we have notified the Information Commissioner,” the spokesman added. “We will be writing directly to all of those affected.” [BBC.com]

Identity Issues

US – NIST Extends Comment Period for Digital Identity Guidelines

The US National Institute of Standards and Technology (NIST) has extended by one month the deadline for public comment on part of its digital identity guidelines. Initially, comments were due by March 31, 2017, but the deadline has been extended to May 1, 2017 for the parent volume, SP 800-63-3 because of changes made to risk management and mitigation issues. http://trustedidentities.blogs.govdelivery.com | – https://gcn.com: NIST extends comment period for digital identity guidelines |

WW – ‘Internet Noise’ Website Helps Obscure Users’ Online Identity

Responding to Congress rolling back the Federal Communications Commission’s broadband privacy rules, a new website has launched to help make it difficult for anyone to collect browser data, Wired Reports. Internet Noise is a site designed to deliberately obscure a user’s online identity by repeatedly opening browser tabs going to random webpages. The site’s founder, Dan Schultz, accomplished this by Googling “Top 4,000 nouns” and implementing it into the site’s code. When a user clicks the “make some noise” button,” a new tab will generate every couple of seconds, functioning similar to Google’s “I’m Feeling Lucky” button. The site features another button to stop the process from occurring. While Schultz admits the site has been created mainly for awareness purposes, users have reached out to offer fixes in order to make it a more effective privacy tool. [Wired]

Law Enforcement

US – Prosecutors Post Data from Locked Phones of 100 Trump Protesters

Federal prosecutors are creating a cloud-based database full of personal data extracted from the locked phones of Trump protesters arrested on Inauguration day. Police seized the phones of more than 100 of those arrested. Although all of the devices were locked They want to make the data available to the lawyers of 214 defendants accused of felony rioting. According to court papers (PDF) prosecutors filed on Wednesday, the Feds are seeking an order from the court that would prohibit the defense lawyers from copying or sharing the information unless it’s relevant to defend their clients. If there’s one thing this case makes crystal clear, it’s that the authorities’ success in getting past Apple encryption [see here] goes well beyond the prolonged battle over the unlocking of Syed Farook’s iPhone following the San Bernardino shootings. In the case of the Trump protesters, government officials said they have search warrants to extract data from the phones. Arraignments are scheduled through early April. Follow-up hearings will start in mid-April. At that point, the judge will likely consider evidence-related issues and motions. [Naked Security]

US – ACLU Lawsuit Over Cop Confiscating Phone & Deleting Pics

ACLU of Louisiana filed a federal lawsuit [see 11 pg pdf here] alleging a Lafayette police officer improperly deleted cellphone photos a woman [Chelline Carter] had taken of her son in the back of police cruiser. The suit claims the officer told the woman she was breaking the law by taking pictures of “evidence,” then deleted those photos before handing the phone back to her ACLU of Louisiana Executive Director Marjorie Esman said citizens have a long-established First Amendment right to photograph police in a public place if they are not interfering with an officer’s duties and that law enforcement officers must have a warrant to access a cellphone. The lawsuit seeks damages, a court judgment declaring that the officer’s actions violated Carter’s rights and an injunction blocking police in the future from interfering with citizens who are photographing police and from seizing and searching their cellphones or other photographic equipment. [The Advocate]

CA – Fredericton Police Try on Body Cameras for 90-Day Test

Six Fredericton police officers started using body cameras Friday for a 90-day trial of the technology that could help increase public trust, the Deputy Chief Martin Gaudet says. He hopes the cameras will raise the public’s trust in the force, now that more police interactions with residents will be recorded. “We want to always continue to build public trust,” he said. “This is just another tool to help us in our investigations and in public transparency.” The Fredericton department also worked with the province’s privacy commissioner, the Office of the Attorney General and the city solicitor on the project. Once an officer hits record, the file is directly uploaded to encrypted cloud storage, where it can only be accessed by an authorized member of the force, which will be Staff Sgt. Paul Battiste. Battiste said he can only share a file with the courts if the person on the other end is authorized to receive it. The public can request access to footage by submitting a right to information request to the force by email. Battiste said the videos are stored based on the same policing standards that apply to any other information collected as part of an investigation. Officers cannot access the footage, edit or delete files, he said. People will be told that they are being recorded, and they cannot refuse, he said. To protect the privacy of people not connected to a case, videos will be redacted when necessary, “but the original file is always kept,” he said. [CBC News]

US – Taser to Provide Free Body Cameras To Police Nationwide

Stun gun company Taser has announced that it will offer free body cameras to all American law enforcement, and one year of access to the company’s cloud storage service. The organization added that it has changed its name to Axon to better reflect its range of products. “Our belief is that a body camera is to a cop what a smartphone is to a civilian,” said Axon CEO Rick Smith. “We believe, within 10 years, we can automate police reporting. We can effectively triple the world’s police force.” The move has raised some eyebrows, with University of California, Davis’ Elizabeth Joh speaking out against the “basic relationship” between a vendor and the police. “A tech vendor is making important decisions about policing,” Joh said. [Ars technica]

Location

US – Illinois Bill Restricts Processing of Geolocation Information by Private Sector

House Bill 3449, the Geolocation Privacy Protection Act, receives first reading: The Act takes effect upon becoming law. A private entity cannot generally process geolocation data from a location-based app unless the individual provides informed express consent; an aggrieved individual may file a civil action for damages. Exemptions from the consent obligation include location of a minor, a legally incapacitated person, or provision of emergency services; the general prohibition does not apply to healthcare or other providers subject to HIPAA, financial institutions or affiliates subject to GLBA, or a cable, Internet or telecom services provider. [House Bill 3449 – Geolocation Privacy Protection Act – 100th General Assembly, State of Illinois]

Online Privacy

US – Facebook Loses Appeal to Block Bulk Search Warrants

New York State’s highest court dealt a blow to Facebook and other social media companies seeking to expand privacy protections, ruling [see 74 pg pdf here] that Facebook had no right to ask an appellate court to quash search warrants ordering the company to hand over information from hundreds of accounts in a disability fraud case. The state Court of Appeals, in a 5-to-1 decision, with one judge recusing himself, upheld lower court rulings that New York law does not allow a social media company to appeal a judge’s decision to issue search warrants in a criminal case, even if the company believes those warrants violate the constitutional rights of its users. The Facebook case is part of a broader battle between the government and technology companies over the limits on law enforcement requests for data under the federal Stored Communications Act. Much of that fight is playing out in New York.. The case — known formally as In Re 381 Search Warrants Directed to Facebook Inc. — had been closely watched as a test as Facebook sought to expand its ability to fight what it sees as fishing expeditions by prosecutors. Several tech giants, including Google, LinkedIn, Amazon, Microsoft and Twitter, filed amicus briefs, as did the New York Civil Liberties Union. [NYT | New York’s top court rejects Facebook search warrant challenge]

US – NAI, DAA Launch New Version of Consumer Choice Tools

The Network Advertising Initiative and Digital Advertising Alliance have together launched new versions of consumer choice tools for interest-based advertising. Changes to the “NAI tool and DAA tool include an enhanced user experience, the ability for companies to easily disclose to consumers their use of both cookie-based and non-cookie technologies for digital interest-based advertising … and controls for users to opt-out of such use,” a press release states. “The tool is the first to offer a technology-based opt-out for both cookie-based and non-cookie technologies,” said NAI President and CEO Leigh Freund. “The improvements in this tool provide increased transparency into emerging data practices, regardless of technology,” added DAA Executive Director Lou Mastria. [NAI]

Other Jurisdictions

US – Pew Researches Future Of Online Anonymity, Fake News

The Pew Research Center has released a new report on the future of free speech, trolls, anonymity, and fake news online. “Many experts fear uncivil and manipulative behaviors on the internet will persist — and may get worse.” “This will lead to a splintering of social media into AI-patrolled and regulated ‘safe spaces’ separated from free-for-all zones. Some worry this will hurt the open exchange of ideas and compromise privacy.” The research also revealed that those surveyed believe anonymity has contributed to much of the “uncivil discourse” online, but such anonymity will likely get purged in the future, “setting the stage for governments and dominant institutions to even more freely employ surveillance tools to monitor citizens, suppress free speech and shape social debate.” [PEW Internet]

Privacy (US)

US – Data Localization Laws Tracked in USTR Trade Barriers Report

Barriers to digital trade have spread to such an extent that the Office of the U.S. Trade Representative analyzed how the topic is playing out in dozens of countries in its 2017 annual report on foreign barriers to trade. The 492-page U.S. Trade Representative annual report, released March 31, defined digital trade barriers as “restrictions and other discriminatory practices affecting cross-border data flows, digital products, Internet-enabled services, and other restrictive technology requirements.” The report tracked “data residency” laws, requiring companies to store certain types of data within a country’s borders, that have sprung up around the world. Two broad trends are emerging with data residency laws The first is the increasing emergence of data residency laws “that require private sector companies to store information locally”— with Russia’s law [see here] serving as the model for such private-sector aimed residency laws The second trend involves laws that require government data to be stored locally, Cohen said. Such laws can be found in China, Indonesia, Canada and Nigeria. Lothar Determann, a privacy partner at Baker McKenzie LLP in Palo Alto, Calif., told Bloomberg BNA that Data residency laws are often sold by government’s as “privacy and civil rights protection measures but they really have the opposite purpose and effect” in that they really just secure access to data for intelligence and law enforcement purposes [Data Residency Laws Tracked in Trade Barriers Report]

US – 4th Circuit Weighs in on “Injury-in-Fact” in Data Breach Cases

In Beck v. McDonald, the U.S. Court of Appeals for the Fourth Circuit joined at least five other circuits in analyzing whether mere allegations of future identity theft can establish injury-in-fact as required to confer Article III standing [see here]. There, the Court found that allegations of future harm were too speculative, particularly where there was no allegation or evidence that the confidential information was targeted or had been used fraudulently. The analysis aligns with distinctions made by other circuits between misplaced or stolen physical property cases, where the loss of confidential information is incidental, and cyberattack and hacking cases, where the thief’s intent to wrongfully use the information can be inferred. This ruling shows that district and circuit courts are looking at the allegations in data breach cases with care, and not simply assuming an injury just because plaintiffs’ confidential information has been compromised. Rather, the courts are looking at the particulars of the breach itself – physical property vs. data hack, allegations of actual fraudulent use or access vs. conclusory allegation of prospective harm – in determining whether plaintiffs have suffered injury-in-fact sufficient to confer Article III standing. [Data Protection Report | The Fourth Circuit Holds That Threat of Future Harm Is Insufficient To Confer Standing on Victims of a Data Breach]

US – Geek Squad Under Fire for ‘Cozy’ and ‘Extensive’ Links to FBI

When Best Buy customers need to retrieve lost data, stores from around the US send their computer equipment to a giant Best Buy repair shop in Brooks, Kentucky, for its Geek Squad techs to work on and, apparently, to search for child abuse imagery on behalf of the FBI. Unbeknown to customers, recent federal court documents claim, the [Best Buy] Geek Squad techs have been in a “cozy” secret relationship with the FBI, which over a few years has trained and paid them to search for child abuse imagery on computer equipment. Geek Squad employees have gone so far as to search unallocated space on hard drives – ie the place where forensics specialists use specialized software to find and retrieve deleted files. That’s what happened to Mark Rettenmaier. His house was subsequently searched, and Rettenmaier was indicted in November 2014 by a federal grand jury on two counts of possessing child abuse imagery. The case has dragged on. it’s looking like that image – and others like it – might not be permissible as evidence, given that the Geek Squad employees are accused of acting as government agents. That’s because government agents need to first get a warrant, based on probable cause, to search a computer. The government is facing multiple problems with its case against Rettenmaier. As pointed out by R Scott Moxley, a few weeks before Rettenmaier was arrested, federal judges ruled in a separate case that images found in unallocated space couldn’t be used to win a possession conviction, since there’s almost no way to figure out who put them there, who viewed them, or when/why they were deleted. A trial is tentatively scheduled to begin on June 6 in Santa Ana. [Naked Security]

US – Minnesota Police Obtain Warrant Asking Google to Identify People Who Searched for Man’s Name

Police in Minnesota are asking Google to identify people who searched for certain terms associated with a crime they are investigating. Edina police are working in a bank fraud case in which USD 28,500 was wired out of an individual’s account earlier this year. The perpetrator used a passport photo possibly obtained online. The warrant applies only to residents of Edina and only to searches conducted between December, 2016 and January 7, 2017. [Minn. Police seek data on who Googled a victim’s name | Minnesota judge signs a search warrant for personal information on anyone who Googled someone’s name | Judge Wants Google to Tell Cops Everyone Who Googled One Man’s Name]

US – Fourth Amendment Border Search Exception Should Not Apply to Digital Devices and a Probable Cause Warrant Should Be Required

Various advocacy group submit an amicus brief in support of an appeal by an individual (the “appellant”) of a denial of his motion to suppress evidence seized from his iPhone, which was searched at the U.S. border. The border search exception is intended to serve the narrow purpose of enforcing immigration and customs laws (which are enforced through inspection of physical documents, luggage, vehicles and persons); both manual and forensic searches of digital devices, containing vast amounts of highly personal information, are “non-routine” (in light of the CBP’s current use of sophisticated forensic tools that can be rapidly deployed at the border). [United States of America v. Hamza Kolsuz – Brief of Amici Curiae Electronic Frontier Foundation, Asian Americans Advancing Justice-Asian Law Caucus, Brennan Center for Justice, Council on American-Islamic Relations (CAIR), CAIR California, CAIR Florida, CAIR Missouri, CAIR New York, CAIR Ohio, CAIR Dallas/Forth Worth, and The National Association of Criminal Defense Lawyers in Support of Defendant-Appellant]

WW – Advocates Emphasize Risks of IoT and Request Algorithmic Transparency

Advocates submit their comments on cybersecurity to a U.S. Senate committee. IoT poses numerous risks to privacy (the vast quantity of data reveals a wealth of PI about consumers that can be used for secondary purposes, and many devices feature “always on” tracking technology) and security (current security risks are able to expand due to increasingly large array of networks in which to spread); algorithms are often used to make adverse decision about individuals (regarding employment, insurance and credit) who rarely know about the decisions, or whether those decision were fair or accurate. [Letter to U.S. Senate Committee on Commerce, Science, & Transportation’s Hearing on “The Promises and Perils of Emerging Technologies for Cybersecurity” – Electronic Privacy Information Center]

US – NY AG Settles with App Developers for Insufficient Privacy Notice

New York’s Attorney General has settled with Cardiio, Runstastic and Matis, three application developers for misleading marketing and privacy practices. The developers’ privacy policies were updated to request affirmative consumer consent to the privacy policy and to indicate the personal information that they process including, users’ GPS location, unique device identifier, possible re-identification of de-identified information. [A.G. Schneiderman Announces Settlements With Three Mobile Health Application Developers For Misleading Marketing And Privacy Practices – NY AG]

Privacy Enhancing Technologies (PETs)

WW – Splinter: Protecting the Privacy of Public Database Queries

Researchers from MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) have developed a system called Splinter that protects the privacy of users querying public databases by breaking the query into pieces to be handled by different but identical databases. As long as just one of the providers is trustworthy, the content of the query cannot be detected. Splinter employs a “cryptographic primitive” called Function Secret Sharing (FSS) that keeps the query private “unless all the providers collude” and does not make undue demands on system CPUs. The researchers presented a paper on Splinter at the USENIX Symposium on Networked Systems Design and Implementation in Boston earlier this week. [CompSci boffins propose scheme to protect privacy in database searches | Practical Private Queries on Public Data]

WW – Privacy Badger Surpasses 1M Users

The Electronic Frontier Foundation reports the Privacy Badger browser extension has surpassed 1 million users. The extension is designed to automatically block hidden third-parties tracking users’ browsing history. “With this milestone, the Privacy Badger team remains as committed as ever to end non-consensual browser tracking and promote responsible advertising. Although Privacy Badger blocks many ads in practice, it is more a privacy tool than a strict ad blocker,” the EFF blog post states. “Privacy Badger encourages advertisers to treat users respectfully and anonymously rather than follow the industry status quo of online tracking.” [EFF.org]

WW – Privacy-Focused AI Bot Warns Users When Posting Personal Data Online

A study published by researchers at the Max Planck Institute for Informatics in Germany outlines an AI-powered privacy tool designed to stop individuals from posting private information online. The Visual Privacy Advisor analyzes a user’s privacy preferences on their phone or computer, then alerts them whenever sensitive information, such as a medical prescription or bank account details, may be exposed when they post a picture onto social media. “Our model is trained to predict the user specific privacy risk and even outperforms the judgment of the users, who often fail to follow their own privacy preferences,” the researchers wrote in a recent paper. “In fact — as our study shows — people frequently misjudge the privacy relevant information content in an image — which leads to failure of enforcing their own privacy preferences.” [Vocativ]

US – If You Want a VPN to Protect Your Privacy, Start Here

On March 28 the House of Representatives voted to reverse FCC privacy regulations It’s a disappointing setback for anyone who doesn’t want big telecoms profiting off of their personal data. So what to do? Try a Virtual Private Network. It won’t fix all your privacy problems, but a VPN’s a decent start. A VPN is a private, controlled network that connects you to the internet at large. Your connection with your VPN’s server is encrypted, and if you browse the wider internet through this smaller, secure network, it’s difficult for anyone to eavesdrop on what you’re doing from the outside. VPNs also take your ISP out of the loop on your browsing habits, because they just see endless logs of you connecting to the VPN server. For a VPN to be any more private than an ISP, the company that offers the VPN needs to be trustworthy. That’s a very tricky thing to confirm. One solid indicator? Check whether the VPN keeps logs of user activity. Many privacy-focused VPNs are intentionally very up front about their no-log policies, because they want to make it clear to law enforcement groups around the world that even if they are served with a warrant or subpoena, they won’t have the ability to produce customer records. It’s worthwhile to specifically check a company’s Terms of Service to see what it says there about logging and scenarios where it would (or wouldn’t) disclose user information. A simple way to improve your chances of landing on a safe and well-meaning VPN is to pay for one. Free VPNs aren’t inherently bad, but all services have to make money somehow. [Wired | Post-FCC Privacy Rules, Should You VPN? | A VPN can protect your online privacy. But there’s a catch | Unblock-Us: Smart DNS And VPN For The Masses? | Protect your online privacy with the 5 best VPNs | VPN and maintaining corporate privacy | How to use a VPN: How to set up a VPN for secure, private browsing & access to blocked content | Make sure your VPN is setup correctly using a DNS Leak Tool | The actual privacy benefits of virtual private networks | Krebs on Security: To VPN or Not to VPN]

RFID / IOT

EU – Swedish Company Implanting Microchips in Employees

Swedish startup Epicenter has begun implanting microchips in employees’ bodies, allowing them to buy smoothies, open doors and manage printers via the device. Some employees are even hosting parties for those interested in getting chipped, the report states. However, the move is not without privacy worries, and some technologists warn that hackers can easily access the chips and gain a wealth of information from them. “Conceptually you could get data about your health, you could get data about your whereabouts, how often you’re working, how long you’re working, if you’re taking toilet breaks and things like that,” said microbiologist Ben Libberton. The ethical dilemmas will also grow, the more sophisticated chip programs become, the report adds. [The Associated Press]

WW – IoT Device Maker Shuts Down Customer’s Device After ‘Abusive’ Review

Denis Grisak, the creator of Wi-Fi-powered garage door opener Garadget, has come under fire after bricking a “toxic” customer who reviewed his product negatively after experiencing a technical difficulty. The consumer in question had posted to the Garadget message board seeking assistance for his difficulty over the weekend. Having not received an immediate response, he took to Amazon and gave the device a one-star review. Grisak responded, calling the poster’s language “abusive” and denying the user’s unit server connection. The dialogue sparked outrage on Twitter, leading Grisak to issue a statement arguing that the move wasn’t based off the review, but rather his desire “to distance from the toxic individual ASAP,” he said. [Ars Technica]

Security

US – If You Want to Stop Big Data Breaches, Start With Databases

Over the past few years, large-scale data breaches have become so common that even tens of millions of records leaking feels unremarkable. One frequent culprit that gets buried beneath the headlines? Poorly secured databases that connect directly to the internet. Any type of database can be left open or unprotected, a string of breaches over the last few years have all centered around one type in particular: open-source “NoSQL” databases, particularly those using the popular MongoDB database program. Memorable unprotected database breaches include the 2015 MacKeeper incident in which usernames, passwords and other data leaked for more than 13 million of the security scanner’s customers. In April 2016, security researcher Chris Vickery discovered an exposed database containing the full names, addresses, birthdays and voter registration numbers for all 93.4 million Mexican voters, which had been accessible online for seven months. Also in April, hackers stole user data for 1.1 million people from the insecure database of the dating website BeautifulPeople.com, and in October hackers compromised personal data from 58 million customers of the data storage firm Modern Business Solutions. And those are just some of the most publicized hacks. Unprotected databases are also trivial to find. Both criminals and researchers alike use network visibility tools like the search engine Shodan, which indexes internet-connected devices, to get a sense of how many exposed databases are out there. Currently searching “MongoDB” on Shodan reveals more than 50,000 exposed databases. They may or may not be vulnerable to attack, but simply being visible increases their risk. [Wired]

US – Pew Center Survey Finds Americans Lack Understanding of Cybersecurity Measures

According to a survey from the Pew Research Center, most Americans lack a basic understanding of online security measures. While most of the people responding to the survey were able to identify string passwords from a list and knew that public Wi-Fi is not safe, just one-third knew what HTTPS is and just one-tenth were able to identify two-factor authentication. The survey of 1,055 American adults consisted of a 13 question online quiz. The median score was 5.5. [Americans ignorant on cybersecurity, Pew poll shows | Most American Internet Users Have No Idea How to Protect Their Accounts | What the Public Knows About Cybersecurity ]

UK – Survey: UK Employees Among the Worst At Protecting Data

The Barclays Digital Development Index found U.K. employees were among the worst at protecting their data and devices. The survey placed the U.K. ninth out of 10 countries, finishing behind Brazil, China and South Africa. Among the issues cited by Barclays was the lack of digital skills in U.K. businesses. The survey found only 13% of U.K. employees use password-generating software, compared to 32% in both China and India, while only 41% change their passwords on a regular basis. Barclays found the majority of respondents store payment information on frequently visited websites. “Productivity and convenience are put above security,” said Glasswall Solutions Vice President Chris Dye. [Financial Times]

Smart Cars

US – Self-Driving Cars Will Collect Your Data — and Canada’s Privacy Commissioner is Concerned

At a hearing held by a Senate committee studying autonomous cars, Privacy Commissioner Daniel Therrien testified [see here] that cities, parking facilities, carmakers and other groups could be interested in data collected by vehicles. “There are probably hundreds of players, public or private, that can ultimately receive information from the car,” he told senators. He said his office is working on a Code of Practice for the automotive industry and also looking at online consent forms that Canadians tend to click through blindly. He said carmakers seem open to suggestions so far. Therrien said his office has received few complaints about autonomous or connected vehicles so far, as well as some complaints about GPS devices. Consumers generally don’t realize what they’ve agreed to in purchasing and setting up such devices, he said. “What we found in the investigation is that the consumer, the owner of the device, is rarely if ever well informed about who will get the information,” he said. [MetroNews | Appearance before the Senate Committee on Transportation and Communications (TRCM) on the Study on the regulatory and technical issues related to the deployment of connected and automated vehicles]

US – FTC and NHTSA to Explore Vehicle Privacy and Security Issues

The Federal Trade Commission (FTC) and National Highway Traffic Safety Administration (NHTSA) are co-hosting a workshop on June 28, 2017, to explore the privacy and security issues raised by automated and connected vehicle technologies. [see PR here] The agencies are looking to explore the types of data such technologies collect, store, transmit, and share; the potential benefits and challenges posed by the technologies; the privacy and security practices of vehicle manufacturers; the roles that federal agencies should play in regulating privacy and security issues; and how self-regulatory standards apply to connected vehicle privacy and security issues. In advance of the workshop, the FTC and NHTSA are seeking public comment on privacy and security issues. The workshop and the public comments present industry with a valuable opportunity to educate the agencies about the ways in which they have already been addressing privacy and security concerns and to provide the agencies with feedback regarding possible legislative and regulatory proposals.. Comments may be submitted through April 20, 2017. [HLDA]

US – For Privacy Sake Say No to NHTSA Vehicle-to-Vehicle Comms Rule

Comments on the National Highway Traffic Safety Administration‘s proposed vehicle-to-vehicle communications mandate are due on April 12. If approved, it will add around $300 dollars to the price of every car, or (at recent car sales rates) well over $5 billion per year. Despite the high cost, the NHTSA predicts the rule will save no more than 31 lives in 2025, mainly because it will do little good until most cars have it. The danger is not that it will cost too much per life saved but that mandating one technology will inhibit the development and use of better technologies that could save even more lives at a lower cost. All of the benefits claimed for the DSRC mandate assume that no other technology improvements take place. In fact, self-driving cars (which will work just as well with or without vehicle-to-vehicle systems) will greatly reduce auto fatalities, rendering the projected savings from vehicle-to-vehicle communications moot. A mandate that one technology be used in all cars also opens the transportation system to potential hackers. There is also a privacy issue: vehicle-to-vehicle also means infrastructure-to-vehicle communications, raising the possibility that the government could monitor and even turn off your car if you were doing something it didn’t like, such as drive “too many” miles per year. That’s a very real concern because the Washington legislature has mandated a 50% reduction in per capita driving by 2050. Oregon and possibly other states have passed similar rules. [CATO See also: Cars Would Be Required to Talk to Each Other Under U.S. Plan]

US – The Fourth Amendment and Access to Automobile ‘Black Boxes’

Most cars manufactured in the past three years come with event data recorders, sometimes known as “black boxes.” These devices are computers that record and store crash data in the event of an accident. A new Florida state court decision, State v. Worsham, considers an interesting question: How does the Fourth Amendment apply to government efforts to retrieve data from event data recorders? Worsham was in a terrible accident, and his car was impounded. Twelve days later, the police downloaded the data from the event data recorder without obtaining a warrant. Worsham has been charged with drunken driving and vehicular homicide, and the police want to use the data from the event data recorder to show Worsham’s guilt. The question is: Does the Fourth Amendment allow it? The Florida court divides 2-1. According to the majority, accessing the data is a search that requires a warrant. Because the police accessed the data without a warrant, the evidence must be suppressed. The dissent argues that people have no reasonable expectation of privacy in the data stored in event data recorders. Here’s my tentative take: This is a pretty tricky question based on current Fourth Amendment caselaw. Applying that caselaw, I would think that accessing the event data recorder was likely a search. On the other hand, it’s not obvious to me that it requires a warrant. [Washington Post]

Surveillance

CA – RCMP Reveals Use of Secretive Cellphone Surveillance Technology for the First Time

The RCMP for the first time is publicly confirming it uses cellphone surveillance devices in investigations across Canada. RCMP Chief Supt. Jeff Adam, who is in charge of technical investigations services, held an unprecedented technical briefing with reporters from CBC News, the Toronto Star and the Globe and Mail. The RCMP held the briefing in the wake of a CBC News investigation that found evidence that devices known as IMSI catchers may be in use near government buildings in Ottawa for the purpose of illegal spying. Public Safety Minister Ralph Goodale said the devices detected did not belong to any Canadian police or intelligence agency. Adam told reporters that while he isn’t “personally aware” of foreign agencies using the technology in Canada, “I can’t rule that out.” The RCMP and CSIS are now investigating. The RCMP says that MDIs — of which it owns 10 — have become “vital tools” deployed scores of times to identify and track mobile devices in 19 criminal investigations last year and another 24 in 2015. He says in all cases but one in 2016, police got warrants. The one exception was an exigent circumstance — in other words, an emergency scenario “such as a kidnapping,” said Adam, whose office tracks every instance where an MDI has been used by the RCMP. He said the RCMP’s devices are restricted in their use, with software that only allows them to identify a mobile device and to potentially track the location of that phone. “What the RCMP technology does not do is collect private communication,” Adam said. “In other words, it does not collect voice and audio communications, email messages, text messages, contact lists, images, encryption keys or basic subscriber information.” Adam conceded that until two months ago the RCMP itself failed to get express approval to use MDIs from Innovation, Science and Economic Development Canada (ISED, formerly Industry Canada), the government body responsible for regulating technology that might interfere with wireless communications. [CBC | RCMP acknowledges using phone trackers to collect Canadians’ cellular details | RCMP reveals its use of cellphone-tracking machines  | After years of secrecy, RCMP finally admits to using mass cell phone surveillance tools on Canadians | RCMP, CSIS launch investigations into phone spying on Parliament Hill after CBC story | Someone is spying on cellphones in the nation’s capital ]

US – Obama’s Rule Changes Opened Door for NSA Intercepts to Reach Political Hands

To intelligence professionals, the public revelations affirm an undeniable reality. Over the last decade, the assumption of civil liberty and privacy protections for Americans incidentally intercepted by the NSA overseas has been eroded in the name of national security. Today, the power to unmask an American’s name inside an NSA intercept — once considered a rare event in the intelligence and civil liberty communities — now resides with about 20 different officials inside the NSA alone. The FBI also has the ability to unmask Americans’ names to other intelligence professionals and policymakers. [in his final days in office, Obama created the largest ever expansion of access to non-minimized NSA intercepts, creating a path for all U.S. intelligence to gain access to unmasked reports by changes encoded in a Reagan-era Executive Order 12333.[see here] The government officials who could request or approve an exception to unmask a U.S. citizen’s identity has grown substantially. Executives in 16 agencies — not just the FBI, CIA and NSA — have the right to request unmasked information.] And the justification for requesting such unmasking can be as simple as claiming “the identity of the United States person is necessary to understand foreign intelligence information or assess its importance,” according to a once-classified document that the Obama administration submitted in October 2011 for approval by the Foreign Intelligence Surveillance Court. It laid out specifically how and when the NSA could unmask an American’s identity. [see here] But those directly familiar with the processes acknowledged the breadth of access today could be abused for political espionage or pure prurient interests, instead of just compelling national security interests. “There may be very good reasons for some political appointees to need access to a non-minimized intelligence reporting but we don’t know and given the breadth of unmasked sharing that went on, there is the strong possibility of abusive or excessive access that harmed Americans’ privacy,” said an intel source familiar with the data. Added another: “Wholesale access to unmasked incidental NSA intercepts essentially created the potential for spying on Americans overseas after the fact, which is exactly what our foreign intelligence arms are not supposed to be doing.” Perhaps the most consequential outcome of the new revelations is that it may impact the NSA’s primary authority to intercept foreigners: Section 702 of the Foreign Intelligence Surveillance Act is up for renewal at the end of the year. [Circa | See also: Obama Opens NSA’s Vast Trove of Warrantless Data to Entire Intelligence Community, Just in Time for Trump | National Security Agency Databases Open for Business | Obama Expands Surveillance Powers on His Way Out | E.O. 12333 Raw SIGINT Availability Procedures: A Quick and Dirty Summary | N.S.A. Gets More Latitude to Share Intercepted Communications | Trump to Inherit Vast Surveillance Powers ]

Telecom / TV

US – Legislators Vote to Undo FCC’s ISP Privacy Laws

The US House of Representatives has voted to undo the Federal Communications Commission’s broadband privacy rules, allowing Internet service providers to sell customers’ data, including browsing history, without obtaining their consent. This include browsing history. The Senate approved the change earlier this month. [House votes to repeal FCC privacy laws for ISPs]

US – Democrats Ask ISPs to Obtain Customer Consent Before Using Data

A group of senators have written a letter to seven broadband providers pressing them to obtain customers’ permission before using their data, despite the repeal of the Federal Communications Commission’s broadband privacy rules. The letter was sent by Sens. Ed Markey, D-Mass., Al Franken, D-Minn., Richard Blumenthal, D-Conn., Bernie Sanders, I-Vt., Ron Wyden, D-Ore., Patrick Leahy, D-Vt., and Chris Van Hollen, D-Md. In the letter, the senators ask the broadband providers to clarify whether they receive opt-in consent before using and sharing data and whether they use a pay-for-privacy strategy. “We … believe that broadband providers should follow strong privacy and security rules that give consumers control over how their information is used and shared, as well as confidence their information will be protected,” the senators wrote. [MediaPost]

WW – Ranking Digital Rights 2017 Corporate Accountability Index

The 2017 Ranking Digital Rights Corporate Accountability Index [see Index here, to watch the March 23 Index launch event see here] finds the world’s most powerful internet, mobile and telecommunications companies leave users in the dark, failing to disclose key information about policies affecting users’ rights. While some companies have improved since they were first evaluated in 2015, most of the world’s internet users do not receive adequate information about how companies’ policies affect what users can or cannot say online or who is tracking them. Ranking Digital Rights analyzed a representative group of 22 companies whose products and services collectively are used by over half of the world’s 3.7 billion internet users. It builds on the 2015 Corporate Accountability Index, which found widespread failure by companies evaluated to disclose key information about their policies and practices affecting freedom of expression and privacy. Selected findings are included below. [Ranking Digital Rights]

US Government Programs

US – Bipartisan Bill Aims to Rein in Warrantless Device Searches at Border

As promised by Sen. Wyden in February, a bill was introduced this week in Congress that would require U.S. Customs and Border Protection or other government agents to obtain a probable cause warrant before searching the digital devices of U.S. citizens and legal permanent residents at the border. Sen. Wyden (D-OR) and Sen. Paul (R-KY) are original sponsors of the Protecting Data at the Border Act in the Senate (S. 823), while Rep. Polis (D-CO), Rep. Smith (D-WA), and Rep. Farenthold (R-TX) are taking the lead on this issue in the House (H.R. 1899). US advocacy group EFF has been arguing for a while that the Fourth Amendment requires a warrant based on probable cause for border searches of cell phones, laptops, and other digital devices that contain gigabytes of highly personal information. EFF most recently made these arguments in an amicus brief before the U.S. Court of Appeals for the Fourth Circuit in the case U.S. v. Kolsuz. CBP unreasonably argues that the privacy interest travelers have in digital devices is no different than that of luggage or other physical items travelers may bring with them across the border, thus CBP applies to digital devices the traditional “border search exception” to the Fourth Amendment, which permits warrantless and suspicionless “routine” border searches. However, there is nothing “routine” about unregulated government intrusion into a device that contains, as the Supreme Court has said, “the sum of an individual’s private life.” As the bill’s findings state, the privacy interest in digital data “differs in both degree and kind from [the] privacy interest in closed containers.” In addition to the warrant requirement, the Protecting Data at the Border Act would prohibit the government from delaying or denying entry or exit to a U.S. person based on that person’s refusal to hand over a device passcode, online account login credentials, or social media handles to a border agent. [EFF] | Bill would block warrantless searches of Americans’ phones at borders | Lawmakers Move To Stop Warrantless Cellphone Searches at the U.S. Border | Lawsuit Seeks Transparency as Searches of Cellphones and Laptops Skyrocket at Borders | Digital Privacy at the U.S Border: A New How-To Guide from EFF]

US – Re-Introduced Federal Bill Would Require Vehicle Manufacturers to Protect Against Hackers

S.680, the SPY Car Act of 2017, was introduced in the US Senate and referred to the Committee on Commerce, Science and Transportation. Protection measures would include isolation of critical software systems from non-critical systems, evaluation of security vulnerabilities, and securing all driving data stored on-board or in transit; an opt-out from collection and retention of driving data must be provided to drivers without any impact on access to navigation tools, and information collected by vehicles cannot be used for marketing/advertising without express consent. [S.680 – SPY Car Act of 2017 – US Senate – 115th Congress]

US Legislation

US – GOP Votes to Destroy Online Privacy to Serve AT&T and Comcast

It’s hard to overstate what a blow to individual privacy this is. There is literally no constituency in favor of this bill other than these telecom giants. It’d be surprising if even a single voter who cast their ballot for Trump or a GOP Congress even thought about, let alone favored, rescission of privacy-protecting rules for ISPs. So blatant is the corporate-donor servitude here that there’s no pretext even available for pretending this benefits ordinary citizens. It’s a bill written exclusively by and for a small number of corporate giants exclusively for their commercial benefit at the expense of everyone else. But the inane idea that individuals should lose all online privacy protections in the name of regulatory consistency or maximizing corporate profits is something that is almost impossible to sell even to the most loyal ideologues. [The Intercept | Six Reasons FCC Rules Aren’t Needed to Protect Privacy | Clearing up the Senate’s confusion on FCC privacy rules]

US – Tennessee Bill Aims to Clarify Breach Notice Encryption Exemption

Tennessee’s 2005 breach notice law specifically provided an exception to providing notice if the breached data were encrypted. But in 2016, the law was amended to remove the specific exemption but still mentioned encryption as a means of protecting data. That change cast doubt for many on whether the breach notice encryption exception was still allowed under the Tennessee law. The new amendment [see S.B. 547 here] would reinstate the encryption language in the statute to remove any doubt that companies need not give breach notice of encrypted data, unless the encryption key was also breached. The bill helps remove a perceived disincentive to encrypt data, its sponsors said when introducing it. The bill would help harmonize Tennessee’s data breach notification standards with those of other states, Jason C. Gavejian, privacy attorney and principal at Jackson Lewis PC in Morristown, N.J., told Bloomberg BNA. In addition to exempting encrypted data from notification requirements, S.B. 547 would clarify that the 45-day time limit for providing notice of a breach could be extended “due to the legitimate needs of law enforcement.” [BNA]

US – New York’s ‘Unconstitutional’ Right to Be Forgotten Bill Sparks Concern

New York state politicians have introduced a right-to-be-forgotten bill that would require the removal of some online statements about others. To be exact, statements that are judged “inaccurate”, “irrelevant”, “inadequate” or “excessive.” New York Assembly Bill 5323 was introduced by David Weprin and as Senate Bill 4561 by state senator Tony Avella.. The bill would cover the following wide range of online publishers, running the gamut from search giants like Google all the way down to ordinary individuals like you and me: “search engines, indexers, publishers and any other persons or entities which make available, on or through the internet or other widely used computer-based network, program or service, information about an individual. Failure to comply would carry fines of at least $250/day, plus attorney fees. The bill contains no exception for materials of genuine historical interest Nor would it exempt autobiographic material, whether it’s found “in a book, on a blog or anywhere else.” Ditto for information on political figures or celebrities. How does the NY bill compare to Europe’s right to be forgotten? For one thing, the European Commission has made it clear that the courts meant for journalistic work to be protected when they passed the right to be forgotten judgment. In comparison, the NY bill is toddling into this contentious debate practically stripped of any exceptions at all for freedom of speech and with no signs that it’s been crafted to protect against censorship.[NakedSecurity | NY Legislators Looking At Installing A Free Speech-Stomping ‘Right To Be Forgotten’ | ‘Right to Be Forgotten’ Legislation Attempts Foothold in New York| N.Y. bill would require people to remove ‘inaccurate,’ ‘irrelevant,’ ‘inadequate’ or ‘excessive’ statements about others]

US – Dem Senators Reintroduce Cybersecurity Bills for Cars, Planes

Democratic Sens. Ed Markey (Mass.) and Richard Blumenthal (D-Conn.) are reintroducing two bills aimed at improving cybersecurity in automobiles and airplanes. “Whether in their cars on the road or in aircraft in the sky, Americans should be protected from cyberattack and violations of their privacy,” said Markey in a joint press release [see here] announcing the legislation on Wednesday. The Security and Privacy in Your Car (SPY Car) Act [see here] would require the National Highway Traffic Safety Administration and Federal Trade Commission to develop automotive cybersecurity and privacy standards. It also calls for a “cyber dashboard” rating system that would inform consumers how cars went above and beyond those standards. The Cybersecurity Standards for Aircraft to Improve Resilience (Cyber AIR) Act [see here] would introduce a bevy of new baseline standards for air carriers. [The Hill | Sens. Reintroduce Connected-Car Data Security, Privacy Bill]

Workplace Privacy

CA – Ontario Court Finds Company’s Substance Abuse Testing Practices Reasonable

The Court considers Amalgamated Transit Union, Local 113’s motion for an interlocutory injunction against random alcohol and drug testing by the Toronto Transit Commission. The policy requires all employees in safety sensitive positions (drivers and operators of the city’s public transportation), as well as senior management, to undergo random drug and alcohol testing; the procedure is non-invasive (includes a breathalyzer and cheek swab) and takes place in a secluded place, test results are not used in a manner inconsistent with the expectations of the person being tested, and there is little to no chance of flawed or false-positive results (a second swab is taken in the event of a dispute). [Amalgamated Transit Union Local 113 v Toronto Transit Commission – 2017 ONSC 2078 CanLII – Ontario Superior Court]

AU – Australian DPA Recommends Holding Employees and Contractors Liable for Data Breaches

The New South Wales Office of the Privacy Commissioner has issued recommendations to amend the Privacy and Personal Information Protection Act 1998 and Health Records and Information Privacy Act 2002. Proposed amendments to privacy legislation provide victims of privacy breaches with a right to complain against public or private employees and contractors, and to ensure organizations make contractual arrangements capable of binding contractors and any subcontractors for the proper handling of personal information; where organizations have adequate safeguards, employees should be added as respondents in the case. [DPA Australia – NSW informational Privacy Rights – Legislative Scope and Interpretation – Employer Employee and Agent Responsibilities]

+++

 

15-22 March 2017

Biometrics

CA – Canada Revenue Agency Can Collect Your Fingerprints

Did you know the Canada Revenue Agency can collect your fingerprints? Neither did the rest of us. All it takes now for someone to be fingerprinted is to be charged, but not necessarily convicted, of tax evasion. Toronto tax lawyer David Rotfleisch sees the CRA’s approach as problematic, for two reasons. First, “there are plenty of cases where someone accused of tax evasion will be acquitted.” Second, even when tax evasion charges are laid, they can be prosecuted either as a major or minor offence. The CRA’s approach means you’d get fingerprinted like a bank robber even if prosecutors decided your tax-dodging amounted to something more akin to getting caught with a bit of marijuana. Your fingerprints, taken by agencies like the RCMP and local police, would be recorded in Canada’s national police database at the Canadian Police Information Centre (CPIC). The CPIC database is accessible not only to all Canadian police officers but also some foreign law enforcement agencies, including the U.S. Department of Homeland Security and its border protection officers, said Rotfleisch. [Global News] See also: [ComputerWorld: It’s Time to Face the Ugly Reality of Face Recognition]

WW – Privacy-Enhancing Technologies Provide Advantages Over Traditional Biometric Systems

The International Working Group on Data Protection in Telecommunications has issued a paper on use of biometrics for online authentication. Biometric encryption and cancellable biometrics allow for the revocability of stored biometric data, and a remote biometric authentication protocol provides security if a user’s device or a server is compromised; organisations should ensure that systems securely store biometric templates locally, delete raw data once a template has been generated, and do not make biometric authentication a condition of service (non-biometric options should be available) [Working Paper on Biometrics in Online Authentication – International Working Group on Data Protection in Telecommunications – Guidance Document ]

US – House Oversight Committee Grills FBI Over Facial Recognition

The House Oversight Committee held a two-hour hearing exploring privacy and security issues around the deployment and use of facial recognition technology. Though the panel featured witnesses from government, industry, and civil society, much of the discussion turned on the FBI’s use of and access to nearly 412 million face images from various databases and its apparent difference of opinion with a Government Accountability Office report that was critical of the FBI program. Additionally, one specific concern among congressional lawmakers from both sides of the aisle was the FBI’s access to state driver’s license photos. [Privacy Tech]

WW – Beijing-Based Facial Recognition Startup Allows Users to Authorize Payments

MIT Technology Review released its list of 10 Breakthrough Technologies, including a startup located in a suburb of Beijing working on facial recognition technology used in several popular apps. Face++ technology allows Chinese citizens to make money transfers using only their face as credentials through the Alipay mobile payment app used by more than 120 million users. China’s most popular ride-hailing company, Didi, uses the Face++ software to allow passengers to confirm the person driving the vehicle is a legitimate driver. Face++, currently valued at roughly $1 billion, is gaining prominence as facial recognition technology becomes more popular within China, a country already possessing a large centralized database of ID card photos. “The face recognition market is huge,” said Peking University assistant professor Shiliang Zhang, adding, “Lots of companies are working on it.” [Technology Review]

Big Data

EU – MEPs Call for Stronger Considerations for Big Data Use

Members of the European Parliament are calling for stronger protections around the use of big data. The nonlegislative resolution was drafted by MEP Ana Gomes and discusses the increasing use of big data as well as the ways it impacts fundamental rights, specifically privacy and data protection. MEPs are hoping to minimize the amount of discrimination stemming from the use of big data, including in law enforcement investigations, and price differentiation among consumers. “It is not just a question of data protection. These algorithms do have a real impact on peoples’ private lives because they can actually provoke what is happening and they can actually call into question and put at risk our fundamental rights through social media,” Gomes said. The MEPs are also seeking better security measures, including privacy by design, mandatory privacy impact assessments and encryption. [Europarl]

UK – ICO Updates Big Data Advice for GDPR

In March 2017, the ICO issued an update to its 2014 Report on Big Data in light of the imminent implementation of the GDPR. The updated ICO report has added a focus on artificial intelligence and machine learning to its discussion of big data. The ICO argues it is the combination of the three that makes up ‘big data analytics’. The ICO looks at big data analytics from the GDPR perspective and provides practical guidance for compliance in its new report. Data accuracy and data quality are key issues raised in the updated Big Data report. If big data analytics is based on inaccurate data, machine learning algorithms may make decisions that are erroneous or unjustified. Businesses relying on big data analytics will need to ensure that they build discrimination detection into their machine learning systems to prevent discriminatory outcomes. The ICO provides six key recommendations for compliance with the GDPR: 1) anonymise personal data, where personal data is not necessary for the analysis; 2) be transparent about the use of personal data for big data analytics and provide privacy notices at appropriate stages throughout a big data project; 3) embed a privacy impact assessment process into big data projects to help identify privacy risks and address them; 4) adopt a privacy by design approach in the development and application of big data analytics; 5) develop ethical principles to help reinforce key data protection principles; and, 6) implement internal and external audits of machine learning algorithms to check for bias, discrimination and errors. [Global IP & Privacy Law Blog] [Out-Law] [Data protection report] See also: [National Magazine: The $4 trillion question: How can we protect online privacy without stifling innovation?]

Canada

CA – Federal Courts Extra-Territorial Application of PIPEDA

Earlier this year, a Canadian trial court ruled that Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”) has extra-territorial application and restricts the dissemination of personal information of Canadians, even where the information is already public, and even though it is made available from outside Canada. In “A.T. v. Globe24h.com et al.”, 2017 FC 114, the Federal Court applied Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) expansively and granted declaratory and injunctive relief against a Romanian national operating a Romanian-based website. This decision underscores the broad application that Canadian courts will give to PIPEDA in order to prevent the use and dissemination of personal information of Canadians. While Globe24h.com’s scheme to profit from the misuse of personal information was particularly offensive, the implications of this decision extend beyond the particular facts. Companies, regardless of the jurisdiction in which they are operating, that possess personal information of Canadians can expect to have their use of that information scrutinized for compliance with PIPEDA. [Data Protection Report]

CA – Privacy Commissioner investigating CBSA Over Electronic Media Searches

The Office of the Privacy Commissioner is launching an investigation into the way the Canada Border Services Agency searches the electronic devices of travelers at the Canadian border. The inquiry comes as concerns have arisen over whether the CBSA’s U.S. counterparts are also downloading data when searching through the devices. CBSA spokeswoman Line Guibert-Wolff said the agency does not collect statistics on device searches and would only collect data for “customs purposes.” While the CBSA states it is committed to balancing privacy with national safety, some are concerned about the border procedures. “There’s an enormous amount of uncertainty in what feels like a no-privacy zone,” said University of Ottawa law professor Michael Geist. “There’s a sense that customs officials are empowered to do whatever they see fit … But the lack of transparency associated with these processes is enormously disturbing.” [National Post]

US – Organizations Must Implement Security Measures to Protect Information When Employees Travel Internationally

A law firm has reviewed the options available to employers for protecting company data on personal devices when employees travel internationally. Possible solutions include policy directives development, and providing employees with phones that are wiped of all company information and full encryption of the information (although employees may be asked to provide the key just like any other option. [Border Searches May Compromise the privacy and Security of Company Technology – Taylor A. Gast – Foster Swift Collins and Smith PC]

US – Border Check Methods Have Privacy Advocates Concerned

While the U.S. borders have long been considered a constitutional “gray area,” privacy advocates and some in Congress are concerned that more aggressive stances bolstered by the Trump administration could lead to increasingly egregious privacy violations for travelers and immigrants. Instances of travelers stopped for lengthy secondary security checks, coupled with comments from some officials like Homeland Security Secretary John Kelly acknowledging that the administration wants to ask for social media passwords as part of visa applications, have increased concern, the report states. “There’s been bad cases in terms of the scope of privacy rights,” said the American Civil Liberties Union. [CNN]

CA – SCoC Throws Out Conviction Over Warrantless Search/Seizure

Is the smell of marijuana emanating from a home enough evidence to allow police to enter without a search warrant and uncover a trove of guns and illegal drugs? The Supreme Court of Canada, in a strong defence of privacy rights in the home, said no, dismissing convictions against Langley, B.C., resident Brendan Patterson, who was caught with four loaded guns and large stashes of cocaine, methamphetamine and ecstasy. Although two of the seven judges disagreed, the majority ruled in favour of the sanctity of the home. Writing for the majority, Justice Russell Brown pointed out in his judgment, police can enter a home without a warrant if there are “exigent circumstances” that make it impractical to get a warrant, if there is a need for urgency, or if there is a risk of evidence being destroyed or a risk to officer or public safety. But in this case, the officers stated they intended to destroy the evidence anyway, thereby removing that urgency, according to the judgment. “The police conduct, while not egregious, represented a serious departure from well-established constitutional norms” Brown wrote. Caily DiPuma with the BCCLA says the case sets an important precedent. “The BCCLA is very pleased that the court has clarified the law around no-case seizures and affirmed the sanctity of Canadians’ homes when it comes to police searches of their property” [CBC]

CA – CSIS Failed To Give Updates On Data Spying: Privacy Commissioner

When intelligence-agency analysts reported to federal privacy officials about their budding data-mining efforts they conceded the scale and scope of the early efforts would surely snowball over time, [and] they vowed to give formal, written updates to the Office of the Privacy Commissioner of Canada. This has not happened in the seven years since CSIS submitted its first Privacy Impact Assessment (PIA) in 2010 ”It’s the only PIA that we have received,” Privacy Commissioner Daniel Therrien said in an interview with The Globe and Mail on Thursday. In 2006, CSIS launched an initiative known as the Operational Data Analysis Centre. Details have lately emerged about failed followups and curious omissions related to ODAC that the spy service has had with judges, ministers and federal watchdog bodies. The Globe recently reported that, in 2012, CSIS analysts circulated a PowerPoint where they mulled how much could they enhance the efficacy of ODAC by obtaining “bulk datasets.” [The Globe and Mail]

CA – Drew McArthur Re-appointed Acting BC IPC

British Columbia has had no information and privacy commissioner since Monday March 13 when the acting commissioner’s appointment expired. A special committee of the legislature has been seeking a new commissioner after Elizabeth Denham resigned a year ago to take a similar role in England. On Thursday that committee reported that it had failed to come to a unanimous agreement on a new commissioner, and recommended that a new committee be appointed following the May 9 election. The report, signed by chair Sam Sullivan, also said the committee would like to thank “Drew McArthur for his continuing service as Acting Information and Privacy Commissioner during this time of transition, ensuring strong leadership and continuity for the Office of the Information and Privacy Commissioner.” “It’s our understanding that Acting Commissioner’s term expired on Monday, March 13. As to when a new Acting Commissioner will be appointed, as s. 39 notes, that is the responsibility of the Lieutenant Governor and Council.” The spokesperson said the work of the office had not stopped and they expected McArthur to be reappointed via an order in council [This was done Friday March 17] [The Tyee]

E-Mail

US – Federal Judge Rejects Google Class Action Deal Over Email Scanning

San Francisco federal judge Lucy Koh rejected a legal settlement that proposed to pay $2.2 million to lawyers, but nothing to consumers who had the contents of their email scanned by Google without their knowledge or permission. ”This notice is difficult to understand and does not clearly disclose the fact that Google intercepts, scans and analyzes the content of emails sent by non-Gmail users to Gmail users for the purpose of creating user profiles of the Gmail users to create targeted advertising for the Gmail users,” Koh wrote in her March 15 opinion. Any future settlement will presumably also have to do more to inform email users about Google’s scanning practices and, possibly, direct some of the settlement money to consumers instead of only the lawyers. Under the deal Koh rejected, Google would have paid $2.2 million to the attorneys, plus up to $140,000 in online ads to publicize the agreement. [Fortune] [Google Privacy Settlement Draws Fire in 9th Circ] [Ninth Circuit Hears Critique of Cy Pres in Google Privacy Settlement

CA – Two Important CASL Changes in Effect July 1, 2017

Canada’s anti-spam law (CASL) came into effect on July 1, 2014. Almost three years later, Canadian businesses and their lawyers are still grappling with CASL compliance issues and trying to understand how CASL’s broad and often unclear provisions apply in practice. And, on July 1, 2017, two new things happen under CASL. These are: 1) When CASL came into force in 2014, it included a 3-year transition period that allowed organizations to rely on deemed implied consent for sending commercial electronic messages (CEMs) in certain circumstances. That transition period, and the implied consent, expire on July 1, 2017 meaning organizations can no longer rely on this implied consent, and will have to remove those recipients from their mailing lists; and, 2) CASL’s private right of action comes into effect on July 1, 2017 CASL creates a statutory cause of action under which persons who allege that they are affected by a CASL breach can apply to court for an order against the alleged violator. Available remedies include compensation in an amount equal to the actual loss or damage suffered or expenses incurred, and additional amounts for different CASL violations (each with a maximum amount). For example, the court can award statutory damages of $200 per day for each breach of section 6 (the CEM obligations), not exceeding $1 million for each day on which a breach occurred. [DLA Piper Publications]

Electronic Records

UK – Study: NHS, Deepmind Made ‘Inexcusable’ Errors In Health Care Partnership

An academic report published in “Health and Technology” contends that Google’s AI subsidiary DeepMind had made “inexcusable” oversight and transparency errors analyzing medical data during its partnership with the U.K.’s NHS Royal Free Trust. While DeepMind had said at the beginning of the project that it would only access certain data, it was in fact allowed access to a wide range of sensitive health information, in some cases going back five years. Both the Royal Free Trust and DeepMind denied the study’s allegations, arguing that they had taken steps to protect data and inform the public on its work. However, study authors Hal Hadson and the University of Cambridge’s Julia Powles contend those moves aren’t sufficient, calling for the two groups to respond to their criticisms in a public forum.  [The Verge | HNS Deal with DeepMind: How Tech Could Outgun Privacy Laws]

UK – ICO Close to Concluding Investigation Into Deepmind-NHS Partnership

The U.K. Information Commissioner’s Office said it is close to finishing its investigation into consent complaints stemming from the patient data-sharing agreement between Google’s AI subsidiary DeepMind and Royal Free NHS Trust. DeepMind agreed to create an app, called Streams, using an NHS algorithm to alert to the risk of a person developing acute kidney injury. The data used for the app was obtained without permission, while 1.6 million medical records were said to have gone through DeepMind under the agreement. “We continue to work with the National Data Guardian and have been in regular contact with the Royal Free and DeepMind who have provided information about the development of the Streams app,” an ICO spokesperson said. “This has been subject to detailed review as part of our investigation. It’s the responsibility of businesses and organisations to comply with data protection law.” [TechCrunch]

EU Developments

UK – National Surveillance Camera Strategy Encourages Voluntary Adoption of Code of Practice

The UK Surveillance Camera Commissioner launched a national surveillance camera strategy for England and Wales. The strategy applies to the entire surveillance camera sector, which includes CCTV, body worn video, automatic number plate recognition, vehicle borne cameras, and drones; strategy objectives include enabling certification for manufacturers, installers, designers, and system operators, and make training requirements freely available for organisations operating or supporting surveillance camera systems. [Surveillance Camera Commissioner – A National Surveillance Camera Strategy for England and Wales] | Executive Summary | Press Release]

Facts & Stats

WW – People Who Identify as ‘Tech Savvy’ Are 18% More Likely to Suffer ID Theft

IT training specialist CBT Nuggets carried out some research among more than 2,000 people in the US to find out, with some intriguing results. People who self-identified as ‘tech savvy’ are 18% more likely to be victims of online identity theft than those who didn’t. Additionally, respondents with PhDs are more frequently victims than high school graduates. Plus Apple users are 22% more likely than Windows users to be victims of ID theft. That flips around with mobiles though, with Android users 4.3 times more likely to suffer ID theft than iOS users. When asked why they fail to follow basic security recommendations, 40% of Americans say it’s because they’re too lazy, find it to be too inconvenient, or don’t really care. This attitude is strongest among millennials at 53% and lowest among baby boomers at 29%. You can read more about the results on the CBT Nuggets blog [Beta News]

US – More Than 300 Data Breaches to Date in 2017

The latest count from the Identity Theft Resource Center (ITRC) reports that there have been 312 data breaches recorded this year through March 14, 2017, and that over 1.3 million records have been exposed since the beginning of the year. The medical/health care sector leads all sectors in the number of records compromised so far in 2017. The sector posted 25.3% (79) of all data breaches. The number of records exposed in these breaches tops 740,000, or about 57.2% of the 2017 total. The business sector accounts for more than 470,000 exposed records in 155 incidents. That represents 49.7% of the incidents and 36.4% of the exposed records so far in 2017. The educational sector has experienced 54 data breaches since the beginning of the year. The sector accounts for 17.3% of all breaches for the year and nearly 40,000 exposed records, about 3% of the year’s total. The government/military sector has suffered 19 data breaches to date in 2017, representing about 3.4% of the total number of records exposed and 6.1% of the incidents. More than 43,000 records have been compromised in the government/military sector. [247 Wall Street] [New York suffered a 60-percent increase in data breaches last year]

Finance

CA – Agency Monitors Social Media of Citizens Making Large Financial Transactions

The Financial Transactions and Reports Analysis Centre is monitoring the social media accounts of Canadian citizens who make large cash transactions, international wire transfers, or even if they hit the jackpot at a casino for potential money laundering and terrorist financing. FINTRAC states rules coming from those governing the agency allow it to monitor social media posts, but others feel the agency is too invasive. “One of the things about social media right now is it’s kind of the Wild West, because the technology has moved a lot faster than regulation and a lot of Canadians may not realize that their social media account is being used and viewed in this way,” said New Democratic Party MP Daniel Blaikie. “So, it does make sense to have a look at that and to ask whether or not there ought to be rules around how government uses information that’s available on people’s social media accounts.” [CBC News]

CA – Canadians Should Be Told If Their Banking Info Shared with IRS, says MP

NDP’s revenue critic Pierre-Luc Dusseault says informing Canadian residents their information is being sent to the IRS could prevent others from landing in the same predicament as Jeffrey Pomerantz, a Vancouver area man facing a $1.1-million lawsuit for failing to file a form reporting his bank accounts outside the U.S. Canada’s Privacy Commissioner Daniel Therrien has already recommended that Canadian residents be notified when their bank account information is transferred, Dusseault pointed out. In September 2016, the CRA shared information about 315,160 bank accounts — double the number it shared a year earlier in the first year of the agreement. While the government has no plans to inform people whose bank account information has been shared, those who want to know can contact their financial institution or the CRA, the Revenue Minister’s spokesperson Chloé Luciani-Girouard said The CRA will respond to any request to confirm whether information relating to a particular individual or entity has been reported and provided to the U.S. under FATCA. To date, fewer than 10 such requests have been received by the CRA,” she added. [CBC News]

FOI

CA – OIPC NFLD Warns Use of Personal Email Accounts for Public Body Business May Violate FOI Legislation

This OIPC guidance advises the public sector about the use of personal email accounts for public body business pursuant to the Access to Information and Protection of Privacy Act, 2015. In the absence of a clear prohibition, FOI legislation applies to the use of personal email to conduct such business; all public bodies should create a policy requiring use of its own email system for work purposes and make it a condition of employment. A personal email account, often web-based, is unlikely to meet the statutory security requirements; the terms of service for personal accounts may allow third-party access to content in a way that contravenes the law, and security features for webmail services may be inadequate. [OIPC NFLD and Labrador – Use of Personal Email Accounts for Public Body Businesses]

CA – University of PEI Creates New Access to Information Policy

University of Prince Edward Island UPEI says it’s playing catch up with other universities in Canada, and adopting a new policy aimed at making accessing information easier. However, unlike in every other province, colleges and universities on P.E.I. don’t have to follow provincial freedom of information legislation. And while UPEI has had its own personal information and privacy policy in place since 2004, its stated purpose isn’t to help people access information, but solely to “provide for the protection and privacy of personal information held by the University.” In comparison, the new policy — which takes effect in May — lays out a process on how to apply for information, and the circumstances where the university can withhold it. It also gives the responsibility to enforce the policy to a newly hired access to information and privacy officer. UPEI’s Student Union said it’s pleased to see the university creating an access to information policy, but as it’s been demanding for a few years, the union still wants to see P.E.I. colleges and universities included under the province’s Freedom of Information and Protection of Privacy Act. At this point, it’s not clear whether the P.E.I. government plans to add colleges and universities to its freedom of information act. [CBC News]

CA – PEI Municipalities, Post-Secondary Under FOI: Commissioner

Privacy commissioner Karen Rose says many towns, cities and post-secondary institutions in P.E.I. do have policies that cover information disclosure and protection, but they lack oversight by an independent commissioner. She says she will likely make a formal recommendation to government to place them under access of information law. Rose is set to deliver a number of recommended changes and updates to the freedom of information act as part of the Communities, Land and Environment committee’s ongoing review of the legislation. The review was spurred by a unanimous motion passed by the legislature last fall. Premier Wade MacLauchlan has repeatedly stated he will not make towns, cities and post-secondary schools subject to access to information law, despite the fact this has drawn criticism. [The Guardian]

Genetics

New Federal Law Prohibits Mandatory Employee Genetic Testing

Bill S-201, the Genetic Non-Discrimination Act has passed the House of Commons and the Senate, and awaits royal assent. An employee’s refusal to undergo or disclose the results of a genetic test cannot be used to dismiss, suspend, demote or lay off an employee, impose any penalty on an employee, refuse remuneration, or threaten to take disciplinary action against an employee; no individual can disclose to an employer that an employee had undergone a genetic test or the results of an employee’s genetic test without written consent. [Bill S-201 – An Act to Prohibit and Prevent Genetic Discrimination – Senate of Canada]

US – House Bill Would Circumvent Genetic Privacy Protections

On March 2, Rep. Virginia Foxx, R-N.C., introduced to the U.S. House HR 1313, the Preserving Employee Wellness Programs Act. The bill “includes findings that Congress seeks to protect and preserve employee workplace wellness programs,” and considers them to be a means of reducing health care costs. What’s notably missing “are findings that wellness programs are in any way at risk and requiring preservation. Even so, the bill proposes means of preserving wellness programs while weakening employee rights to privacy and confidentiality with respect to their genetic information.” This overview of the bill’s provisions highlights the effect it would have on protections put in place by the Genetic Information Nondiscrimination Act, the Public Health Service Act and the Americans with Disabilities Act. [Privacy Tracker]

Health / Medical

CA – Ont. Grad Student Issued $25K Fine for a Health Privacy Breach

A Masters of Social Work student who was on an educational placement with a family health team in Central Huron, has been ordered to pay a $20,000 fine and a $5,000 victim surcharge for accessing personal health information without authorization. This is the highest fine to date for a health privacy breach in Canada. The student pled guilty to willfully accessing the personal health information of five individuals. As part of her plea, she agreed that she accessed the personal health information of 139 individuals without authorization between September 9, 2014 and March 5, 2015. This is the fourth person convicted under the Personal Health Information Protection Act (PHIPA). Previous convictions include two radiation therapists at the University Health Network and a registration clerk at a regional hospital. [Information and Privacy Commissioner of Ontario]

CA – CHEO Employee Breached Privacy; 300 Patients’ Info Shared With Students

A former part-time instructor at Algonquin College and CHEO [Children’s Hospital of Eastern Ontario] employee shared the private information of 283 patients with students, prompting the end of their employment at the college and a privacy investigation at the hospital. The instructor, a CHEO employee, disclosed the medical information on handouts distributed during classes on Feb. 1 and 2. The handouts listed an operating room schedule “meant as teaching resources during class time.” The handouts were distributed “to teach future health professionals how to support surgeries in a hospital setting.” They revealed patients’ names, dates of birth, their CHEO medical registration number, their surgical procedure, their allergies, gender, age and any other pertinent information related to the surgery they were scheduled to receive at the hospital, CHEO said. [Ottawa Citizen]

Horror Stories

UK – Security Breach Fears Over 26 Million NHS Patients

The medical records of 26 million patients are embroiled in a major security breach amid warnings that the IT system used by thousands of GPs is not secure. The Information Commissioner is investigating concerns that records held by 2,700 practices – one in three of those in England – can be accessed by hundreds of thousands of strangers. The investigation centres on one of the most popular computer systems used by GPs SystmOne, owned by TPP see here]. Unbeknown to doctors, switching on “enhanced data sharing” – so records could be seen by the local hospital – meant they can also be accessed by hundreds of thousands of workers across the country. Phil Booth, from privacy campaign group medConfidential said: “This is a truly devastating breach which involves millions of patients’ GP records – for some, the most deeply personal, sensitive and confidential data about them – being exposed to hundreds of thousands of people, with no mechanism to prevent them if any of them chooses to look.” A TPP spokesman said practices using SystmOne must either “fully inform patients about who might be able to see their records, what parts of the their records and in what circumstances” or “turn off record sharing”. [The Telegraph]

Identity Issues

CA – BC Tribunal Grants Application for De-Identified Wage Records

The British Columbia Human Rights Tribunal considered an application to compel the disclosure of documents and anonymize information relating to a third party. There is no public interest in knowing the identity of a non-party individual who was a newly hired supervisor at the time of the plaintiff’s termination (disclosure may hinder his ability to negotiate his compensation with future employees, and harm his reputation); disclosure of the wages earned by an anonymized individual does not constitute an invasion of privacy. [Preik v. Finning Canada – 2017 BCHRT 47 CANLII – British Columbia Human Rights Tribunal]

Internet / WWW

IS – Israel Enacts Landmark Data Security Regulations

Culminating more than six years of back and forth negotiations, the Israeli Parliament approved extensive, far-reaching data security regulations March 21. The Privacy Protection Regulations (Data Security), 5777-2017, gives expanded powers to the Israeli Law, Information and Technology Authority and includes requirements for breach notification to ILITA and, in some cases, data subjects; data minimization; an information security officer; and privacy training, among others. “The regulations set forth a long list of requirements practically unprecedented around the world for their scope, level of detail, and legal effect,” writes Tene, and they will surely pose compliance challenges for many organizations operating in Israel. [Full Story]

Law Enforcement

CA – Montreal Mafia Stayed Charges Raise Questions of Privacy

When the RCMP announced the first batch of arrests resulting from an investigation dubbed “Project Clemenza” back in 2014, it proudly boasted the force had intercepted more than a million private cellphone messages through the use of wireless signal interception techniques. But now federal prosecutors are set to seek a stay of proceedings in the cases, a decision that is being linked back to those intercepted cellphone messages. Though the Crown is not required to divulge why it will cease prosecuting a case, it’s believed one of the factors behind the decision is the RCMP’s refusal to disclose how it was able to intercept the Blackberry messages in the first place. ”If that is the core reason, it’s a really serious problem,” said Christopher Parsons, a research associate with the Citizen Lab at the University of Toronto’s Munk School of Global Affairs. Across the country, Parsons said, law enforcement agencies are using devices known as “IMSI catchers” or as they’re called in Canada, “mobile device identifiers.” But police have been hesitant to release information about how the devices work, Parsons said. If the Project Clemenza cases had gone to trial, the Crown would have had to reveal the full extent to which the RCMP relied on the devices, exposing the technique to defence lawyers rightfully trying to determine exactly how accurate and reliable they are. [Montreal Gazette] [RCMP Fights to Keep Lid on High-Tech Investigation Tool]

Online Privacy

US – Twitter Releases Its Latest Transparency Report

Twitter released its 10th Transparency Report, highlighting a couple of new additions. One of the new sections in the U.S. report covers the social media network’s ability to shed light on national security letters after the FBI lifted the gag order on the requests. Twitter also added a section covering requests to remove content from journalists and other media and news outlets. “The need for transparency into government and company actions has never been more important given the current climate of continued crackdowns on freedom of expression and limitations on citizens rights around the globe,” the announcement read. “On the positive side, it has been encouraging to see transparency reports become a mainstay of the technology industry, with more than 60 reports now in existence.” [Full Story]

Privacy (US)

US – 3rd Circuit Upholds Contempt Ruling for Man Who Didn’t Unlock Devices

On March 20 the U.S. Court of Appeals for the Third Circuit held that a court order compelling a suspect to decrypt his laptop and hard drives did not violate his right against self-incrimination. The appeals court decision affirmed a civil contempt order against a John Doe defendant, who refused to provide law enforcement with passwords to some of his devices while doing so for others. Under the “foregone conclusion” doctrine, the Fifth Amendment didn’t come into play because much of the evidence law enforcement wanted they obtained themselves, according to the decision. That included images found on the devices Doe did provide passwords for, images uncovered through forensic investigations, and through testimony provided by Doe’s sister, who said he showed her hundreds of the images. Judge Thomas Vanaskie wrote in the Third Circuit’s opinion: “Based on these facts, the magistrate judge found that, for the purposes of the Fifth Amendment, any testimonial component of the production of decrypted devices added little or nothing to the information already obtained by the government. The magistrate judge determined that any testimonial component would be a foregone conclusion. The magistrate judge did not commit a clear or obvious error in his application of the foregone conclusion doctrine.” An attorney with the Electronic Frontier Foundation, Mark Rumold, said the Third Circuit’s ruling was a lost chance to dive deeper into the interplay between the Constitution and technology. “The court missed the opportunity to clarify that the Fifth Amendment prohibits the government from forcing someone to disclose a password to a device, whether that’s by announcing it in court or entering it into the device itself.” [Legal Intelligencer]

US – Drones: Advocacy Group Challenges FAA Order in Federal Court for Unlawfully Failing to Include Privacy Hazards

An advocacy group has submitted a petition for review of the Federal Aviation Administration’s June 2016 drone order. Privacy concerns were raised by 180 commentators prior to the issuance of the final order, and the FAA itself previously underscored the need for privacy protections in its letters to Congressional representatives, requests for public comment and comprehensive plan; there are substantial threats to privacy posed by increased drone operations in the U.S. (small drones are capable of widespread covert surveillance due to their small size and low flight path, and lack cybersecurity safeguards to prevent being hacked. [Electronic Privacy Information Center v. Federal Aviation Administration – On Petition for Review of an Order of the Federal Aviation Administration – Brief For Petitioner – In The United States District Court Of Appeals District Of Columbia Circuit]

US – FTC, NHTSA to Host Workshop on Connected Vehicles

The Federal Trade Commission will team up with the National Highway Traffic Safety Administration to host a workshop on the consumer privacy and security issues raised by automated and connected motor vehicles. The workshop, taking place June 28 in Washington, will feature opening remarks by Acting FTC Chairman Maureen Ohlhausen and bring together stakeholders, consumer advocates and government regulators. Topics will include the types of data collected, stored, transmitted, and shared by vehicles; the potential benefits and challenges posed by data collection; the privacy and security practices implemented by vehicle manufacturers; the FTC, NHTSA, and other government agencies’ role in monitoring the privacy and security concerns surrounding connected vehicles; and self-regulatory standards that could factor into those privacy and security issues. [FTC]

RFID / IoT

US – Secrets from Smart Devices / IoT Find Path to US Legal System

Vast amounts of data collected from our connected devices—fitness bands, smart refrigerators, thermostats and automobiles, among others—are increasingly being used in US legal proceedings to prove or disprove claims by people involved. Trying to come to grips with data collected, stored and analyzed by all these devices can be daunting. “When one looks at the expectation of privacy today it is radically different than it was a generation ago,” said Erik Laykin, a digital forensics specialist with the consultancy Duff & Phelps and author of a 2013 book on computer forensics. “Privacy is dead.” He said the “always on” nature of “internet of Things” devices means huge amounts of personal information is circulating among companies, in the internet cloud and elsewhere, with few standards on how the data is protected or used. “The net result of these technologies is that we are forgoing our personal privacy and our personal autonomy and even sovereignty as humans and relinquishing that to a combination of state, harvesters of big data, omnipresent institutions and systems.” John Sammons, a Marshall University professor of digital forensics and a former police officer He presented research on use of connected cars this year at the American Academy of Forensic Sciences, saying newer vehicles with improved connectivity offer “a significant new source of potential evidence” for both criminal and civil litigation. Privacy activists meanwhile worry that these devices can unleash new kinds of surveillance without the knowledge of users, and that the legal system must define limits for constitutional protections against unreasonable searches. Jay Stanley of the American Civil Liberties Union’s Speech, Privacy, and Technology Project, said gathering data from connected speakers such as the Amazon Echo should face the same standard as wiretaps, which need a warrant from a judge based on probable cause of a crime, rather than a more streamlined law enforcement subpoena. “In your house you should have absolute privacy,” Stanley said. One gray area in the law is that conversations recorded on home speakers may be sent to the cloud; in that case the holding of the data by a “third party” may wipe away constitutional privacy protection. “We think there needs to be jurisprudential and legislative means of addressing these issues,” Stanley said. “The privacy invasions are so significant.” [Phys.Org] See also: [A deep dive into FTC’s first smart TV action]

Security

US – Advocates Provide Recommendations for Physical Destruction or Overwriting of Data

A U.S. Privacy advocacy group has issued guidelines on the safe destruction of personal information. According to the CDT guidelines, organizations should establish a data life-cycle that includes requirements for regular disposal of unnecessary data and review how often data has been accessed or used to determine what can be disposed (criteria include data that is redundant or owned by employees no longer with the company); deletion requests should be logged so regular audits of deletion practices can be performed to provide a basis for companies to modify their deletion schedules as necessary. [Should It Stay or Should It Go – The Legal Policy and Technical Landscape Around Data Deletion – – Centre for Democracy and Technology | Press Release]

US – Department of Defense May Require Physical Access to Cloud Computing Data Centers

The U.S. Department of Defense (“DoD”) issued updated FAQs on the implementation of the rules regarding network penetration reporting and contracting requirements for cloud services. Updated FAQs on security requirements for contracts involving “covered defense information” (e.g., unclassified information that requires safeguarding or dissemination controls pursuant to laws, regulations, or government-policy) state that such contracts must include a requirement that the DoD may physically access cloud computing data centers where necessary to conduct a forensic analysis; DoD will not normally require physical access if the cloud service provider captures, preserves and protects images and the state of all systems known to be affected by a cyber incident. [Network Penetration Reporting and Contracting for Cloud Services – FAQs – Department of Defense] See also: [FTC releases video on its alignment with the NIST Cybersecurity Framework]

Surveillance

UK – Surveillance Cam Commissioner Unveils New Three-Year Strategy

UK Public Faces Mass Invasion of Privacy As Big Data And Surveillance Merge: Surveillance camera commissioner, Tony Porter, has launched a new three-year strategy. He said he was alarmed by the way overt surveillance from CCTV, body cameras and drones could become even more invasive than intended as captured images of people are brought together with advances in facial recognition and then compared against other monitored data about individuals and their movements. “What most worries me is the impact of big data and integration of video surveillance” he said. As an example, he warned that the Metropolitan police was playing “fast and loose” with citizens’ data by its failure to delete number-plate records beyond a two-year limit. The database of millions of vehicle number plate records has been retained since the London Olympics in 2012. Porter’s new strategy points out that an overwhelming majority of people currently support the use of CCTV in public places. But he questions whether this support can continue because of the way surveillance is changing. Porter said part of his new strategy would set a “tripwire” to warn authorities about the privacy impact of new technology. In recent weeks Porter has expressed alarm about the proliferation of body-worn video, notably in hospitals, and by the way the security contractor G4S was using it in the homes of asylum seekers without their consent. [The Guardian] [New strategy to curb officials’ drone, phone and CCTV snoop jollies

US – Trump’s Wiretap Accusations Renew Debate About Privacy

Elizabeth Goitein, a director of the liberty and national security program at the Brennan Center for Justice who has no sympathy for Mr. Trump’s policies, believes his clumsy comments on wiretapping, even if not true, should be an opening for a broader discussion of government surveillance and American privacy. She is among the civil libertarians who believe Mr. Trump’s critics have been too quick to dismiss the real possibility that the National Security Agency or F.B.I. might actually have picked up Trump campaign communications under eavesdropping rules that civil libertarians see as too permissive. “I don’t think we can laugh it off,” she said. When the libertarian Senator Rand Paul, Republican of Kentucky, used the Trump claims to suggest a broader concern about privacy, Glenn Greenwald, a left-wing writer for the online publication The Intercept, backed him up in a column titled “Rand Paul Is Right.” “Paul’s explanation is absolutely correct,” Mr. Greenwald wrote. He said that the National Security Agency “is empowered to spy on Americans’ communications without a warrant,” calling current procedures a violation of the Fourth Amendment and “the dirty little secret of the U.S. Surveillance State.” What these odd political bedfellows were pointing out is a truism inside the intelligence world but less understood outside it: When the National Security Agency or the F.B.I. eavesdrop on foreigners’ communications, they often pick up the Americans who are talking to them. National Security Agency and F.B.I. officials call this “incidental” collection, but it can have serious consequences. There is also the possibility of what is called “reverse targeting” — say, eavesdropping on Mr. Kislyak, ostensibly to find out what the Russian ambassador is up to — but with the real goal of catching Mr. Flynn. Reverse targeting is prohibited by law, but Ms. Goitein points out that it is difficult to prove because it requires showing what was in the eavesdropper’s mind. The volume of communications available for searching can be mind-boggling. In 2011, the National Security Agency collected and stored 250 million internet communications from a single program, known as Section 702, according to a report from the government’s Privacy and Civil Liberties Oversight Board. In 2015, the same program targeted more than 94,000 foreigners — and carried out more than 23,000 searches of its data for “U.S. persons,” meaning citizens or permanent residents. Many Americans inevitably turn up in the data, either because they are communicating with a foreigner or are mentioned in a foreigner’s messages. [New York Times]

US Legislation

US – Indiana Proposes Restrictions on Automated License Plate Readers

House Bill 1558, an act to amend the Indiana Code concerning criminal law and procedures, and relating to the privacy of license plate information, was introduced in the General Assembly of Indiana: the Bill was referred to the Committee on Veterans Affairs and Public Safety. License plate data captured by an automated reader can only be used for law enforcement investigations and cannot be retained for longer than 30 days unless it was obtained under a warrant, or the investigation is ongoing; law enforcement agencies must maintain staff that is properly trained in the use and maintenance of all software and hardware related to captured data, and establish and implement protocols that allow for compliance with warrants, subpoenas, court orders, and written requests for disclosure. [House Bill No. 1558 – An Act to Amend the Indiana Code Concerning Criminal Law and Procedure – Legislature of the State of Indiana]

US – Kentucky Supreme Court to Weigh Privacy Concerns With License Plate Readers

The Kentucky Supreme Court will consider whether license plate readers can be used for traffic stops. A Burlington man contends he was unlawfully arrested when his plate was caught by a tracker. A police officer followed the man, despite the fact no moving violation had been made, after it was found he failed to appear for a misdemeanor charge for writing a bad check. The man was arrested for drunken driving. The cameras can capture up to 60 plates a second, across four lanes at speeds up to 150 mph. Law enforcement officials say the readers help police identify stolen cars and find missing people, while privacy advocates believe the readers are a potential tool for mass surveillance. [The Courier-Journal]

+++

 

 

 

01-14 March 2017

Big Data

US – Privacy Pros and the Ethics of Big Data Tech

Uber has created a controversial program to allegedly evade law enforcement and regulation of its services. Called “Greyball,” the program leveraged information collected by Uber’s app with several other techniques to identify potential law enforcement and regulatory officials, including by geofencing offices, scraping publicly available social media posts, and identifying credit card information linked to law enforcement. Though many of these practices might not have violated the law, they are, at the very least, ethically dubious. The news is part of a larger trend whereby technology, and its corresponding surveillance capabilities, has the power to isolate groups or individuals for exploitation. Privacy Perspectives looks into the trend and the important role privacy pros can play curbing these practices within their organizations. [Privacy Perspectives]

WW – MIT Researchers Create System to Protect Privacy in Data Analytics

A group of researchers from the Data to AI Lab at the MIT Laboratory for Information and Decision Systems released a paper detailing a machine learning system designed to create synthetic data to help data scientists access data without compromising privacy. “Once we model an entire database, we can sample and recreate a synthetic version of the data that very much looks like the original database, statistically speaking,” said Principal Research Scientist Kalyan Veeramachaneni. “If the original database has some missing values and some noise in it, we also embed that noise in the synthetic version. In a way, we are using machine learning to enable machine learning.” [MIT News]

US – FTC Hosts FinTech Forum on AI and Blockchain Technologies, Summary

The FTC hosted a forum on the consumer implications of recent developments in artificial intelligence (AI) and blockchain technologies. This is the second of two entries on the March 9 FinTech Forum. Today’s post focuses blockchain technologies. Coverage of the opening remarks and the AI discussion may be found here. The panel discussions on blockchain technologies reflected the nascent stage of the technology, with industry representatives expressing confusion over the applicability of current regulation, and regulators expressing a lack of clarity over jurisdictional questions. The panelists all agreed that there was a great need for education on blockchain technologies—for consumers, regulators, and even large financial institutions. The panelists urged interested parties to begin educating themselves now so that they could be positioned to develop effective policies and practices when appropriate. Video and transcripts from the forum will be available here. [HLDA Data Protection]

Canada

CA – OPC Writes to the Ministers of Justice, Public Safety and Defence Calling for Greater Protection of Canadians’ Privacy Rights in The U.S.

The Privacy Commissioner of Canada has been asked by concerned Canadians to consider the implications of President Donald Trump’s Executive Order excluding non U.S. citizens and lawful permanent residents from the protections of the U.S. Privacy Act regarding personally identifiable information. Commissioner Daniel Therrien concluded that Canadians have some privacy protection in the United States, but that protection is fragile because it relies primarily on administrative agreements that do not have the force of law. Therefore, the Commissioner has called on Canadian government officials to ask their U.S. counterparts to strengthen privacy protections for Canadians. In the following letter, the Commissioner urged the Canadian federal government to ask the United States for Canada to be added to a list of designated countries under the Judicial Redress Act, which would extend certain judicial recourse rights established under the U.S. Privacy Act to Canadians. [priv.gc.ca]

CA – Canada, U.S. Talk Data Sharing

Homeland Security chief, John Kelly met March 10, 2017 with his Canadian counterpart Ralph Goodale, minister of Public Safety and Emergency Preparedness [see here], in a follow-up to a cross-border preclearance and data-sharing agreement signed a year ago  They talked about two pieces of legislation making their way through parliament that would increase biographic data sharing [Bill C-21 see here] and establish more preclearance facilities [Bill C-23 see here] in each other’s countries. [FCW]

CA – Whether Sending Threatening Emails or Youtube Videos, There’s No Anonymity Online

Carmi Levy, a tech analyst for CTV Bell Media, said in an interview with the Montreal Gazette “I’d be surprised if it took the cops more than 15 seconds to pinpoint this suspect and send the cruisers his way Anonymity and privacy no longer exist online and this should be a case study that anyone should think twice about doing something similar. If you think you can go online and be completely anonymous, you’ve got another thing coming. Truth of the matter is that everything we do online can and will be tracked. It is ridiculously easy for law enforcement to find out where we are.” Levy stressed that even though threatening emails may have refocused the spotlight on the Internet’s lack of actual anonymity, that same spotlight shines on every computer 24/7 no matter what it’s being used for. [Montreal Gazette]

CA – Proposed Security Oversight Committee ‘Shadow’ of What it Should Be, Opposition Says

Bill C-22, “An Act to establish the National Security and Intelligence Committee of Parliamentarians and to make consequential amendments to certain Acts,” comes up for debate this week. The government has already given notice it will reject opposition amendments that would have given the new committee powers to subpoena information and to stay on top of ongoing police investigations, and to make it more difficult for ministers to refuse to turn over information. During the 2015 election campaign, the Liberals also promised to repeal the “problematic elements” of bill C-51, the previous government’s anti-terrorism bill and introduce legislation that “better balances our collective security with our rights and freedoms.” The new oversight committee was to be at the heart of that balancing act. While the government plans to reject the opposition amendments, it is amending the bill to increase the number of members from nine to 11. If the bill becomes law, the committee would consist of eight MPs and three senators. [CBC]

CA – Comment: Security-Agencies Oversight Legislation Lacking

Canada’s three core security and intelligence agencies spend nearly $4 billion a year, employ 34,000 people and, since Liberals and Conservatives voted to pass Bill C-51, wield unprecedented powers to investigate and disrupt suspected threats. And yet Canada stands alone amongst our G7 peers in lacking parliamentary oversight of these powerful agencies To plug this gap in oversight, a proposal [Bill C-22 see here ] now before Parliament would give a committee of Top Secret-cleared MPs and senators access to classified information to oversee and investigate the security and intelligence activities of any government agency. parts of this plan sparked controversy in Parliament and raised red flags for security experts [on issues like: lack of independent oversight, gov’ts prerogative to withhold information and gov’ts prerogative to shut down investigations entirely] Why pursue such a weak oversight model? Part of the answer is the government’s plan isn’t new: In fact, the bill is cut and pasted from a 2005 initiative of the Paul Martin government. [Times-Colonist | Make sure security oversight is strong: Editorial | Give Parliamentary committee a chance to shine | New National Security Oversight committee likely to cost more than any other House or Senate security committees | Real Oversight Needed for Law-breaking National Security Agencies | Appearance before the Standing Committee on Public Safety and National Security (SECU) on Bill C-22 An Act to Establish the National Security and Intelligence Committee of Parliamentarians ]

CA – Critivcs Say B.C. Government’s Proposed Duty to Document Law is ‘Inadequate,’ ‘Pathetic’

The B.C. government is proposing a law requiring public servants and politicians to write down the reasons for their decisions, but it falls well short of what was asked for by the province’s independent information watchdog. The change comes after a scathing report last year [see here & here] into how government officials were “triple-deleting” emails to scrub them permanently from systems so they wouldn’t turn up in responses to freedom of information requests by the public and media. De Jong consulted with B.C.’s acting information and privacy commissioner, Drew McArthur, who asked for the law to give him oversight powers into any “duty to document” rules. Instead, the proposed legislation gives oversight to the chief records officer, and makes the changes under an act that McArthur, an officer of the legislature, can’t oversee. Still, he [McArthur] called the bill “a good first step.” [The Province]

CA – Feds Set to Regulate Reporting of Digital Data Breaches

Canadian companies will soon be legally required to file a report with the Office of the Privacy Commissioner (OPC) when they experience a network breach that compromises personal data. Companies will also be required to notify all those affected by the breach: employees, customers and relevant third parties. Companies that fail to comply could face fines of up to $100,000. Breaches that require notification are, according to the Digital Privacy Act [see here ], instances that pose “real risk of significant harm to affected individuals.” This definition includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss and identity theft. Many companies will have to update their systems and invest in new technologies to meet these standards. That might seem like a costly investment, but if you don’t have the right tools, tracking down a breach and figuring out what happened can take a massive financial toll, along with drawing resources away from more important projects. [Canadian Manufacturing]

CA – BC Liberals Spied on NDP Youth Meeting, Eby Charges

When the British Columbia NDP hosted a youth meeting [10 young people, many of them minors] on housing on the weekend, they had an unexpected guest recording the proceedings — a BC Liberal caucus researcher. These young people had organized a discussion about politics for youth in a multipurpose room at their local community centre, yet a government employee showed up posing as a young New Democrat She then secretly recorded these youths, using a cell phone she tried to hide on her lap” NDP housing critic David Eby said in the legislature Eby said he believes that for a government official to record the meeting without the participants’ knowledge was a violation of the Freedom of Information and Protection of Privacy Act. “It violated the privacy rights of these youth.” Eby said the NDP has confirmed the woman is a research officer in government caucus research in the legislature. [The Tyee]

CA – Judge Denies Request to Keep Details About Top-Billing Doctors Secret

The Toronto Star has been seeking the identities of highest paid fee-for-service doctors in Ontario since 2014. The identities of the province’s [Ontario] top-billing physicians must be disclosed to the court, a Toronto judge has ruled, adding that details about some of them must also be made available to the public. In a seven-page decision released this week, Superior Court Justice Ian Nordheimer denied a request to keep the court and public in the dark about the doctors, pending a judicial review of an order [see here] from the province’s privacy commissioner to make the names public.  His decision is the latest development in a three-year quest by the Toronto Star for information on the 160 highest paid fee-for-service doctors. In 2014, the Star filed a Freedom-of-Information request to the province’s Health Ministry about the largest billers to the taxpayer-funded Ontario Health Insurance Plan. Three separate groups of doctors are seeking a judicial review of the privacy commissioner’s order. It will be heard before a three-judge panel on June 19 and 20. Nordheimer concluded the court must have access to the same material that the privacy commissioner’s office used to reach its decision. The relevance of the information cannot be determined until the judicial review is conducted, he said. Nordheimer turned down a request from lawyers for two of three groups of doctors to proceed without revealing to the court the names of their clients or making public any details about them. [TorStar | Even judges shouldn’t know names of Ontario’s top-billing doctors, lawyer argues]

Consumer

US – Consumer Reports Will Evaluate Privacy and Data Security

The non-profit, product-testing organization Consumer Reports (CR) will start including evaluations of products’ online security and privacy features in its product reviews. CR is also part of a collective that is creating a standard to guide the development of digital products. “The goal [of the Digital Standard] is to help consumers understand which digital products do the most to protect their privacy and security, and give them the most control over their personal data.” [Consumer Reports to Begin Evaluating Products, Services for Privacy and Data Security | – Consumer Reports to test products for privacy, data security | CNET: Consumer Reports to factor cybersecurity into reviews | The Digital Standard]

WW – Consumer Reports to Score Privacy, Security in Product Reviews

The nonprofit group Consumer Reports will begin to consider privacy and cybersecurity in its reviews. The group has worked with several organizations to develop methodologies for identifying whether a product can easily be hacked and how well a product can secure consumer data. Consumer Reports Director of Electronics Testing Maria Rerecich said the organization will start to implement the new methodologies gradually on a limited number of products. “We want to rate products on measures such as security, in much the same the way we currently assess products for physical safety and performance. That will give consumers the power to make choices based on solid information,” the company said in a statement. “When consumers vote with their wallets and their clicks, we’ve seen that companies pay attention. We think companies will strive to outdo their competitors when it comes to privacy, security, and other consumer rights.” [Reuters]

WW – Mozilla Survey 90% Don’t Know How to Protect Themselves Online

Mozilla asked [see here] about 30,000 members of its community from Australia, Canada, France, Germany, the UK, and the US questions about security, encryption, and privacy & how they rate their ability to protect themselves online. Ashley Boyd, VP of advocacy at Mozilla, said the company launched the survey knowing that, even among the web-savvy, many people feel their privacy and security is eroding. “What was surprising was the high percentage of people who identified as truly feeling defenseless,” said Boyd. “Over 90% of survey respondents said they don’t know much about protecting themselves online. And nearly a third of respondents feel like they have no control at all over their personal information online.” Mozilla also reports that 8 in 10 respondents fear being hacked and that 61 per cent expressed concern about being tracked by advertisers. The survey also found that those who were the most knowledgeable about privacy were the most concerned about being tracked by governments and law enforcement. Chief business and legal officer at Mozilla, Denelle Dixon said such worries are not just the product of experts playing out theoretical problems. “Concern about surveillance and tracking is realistic, even if you are completely abiding by the law,” she said. “No one wants to feel like they aren’t in control of their data or their online life.” [The Register]

WW – ‘Smart Billboards’ May Be Coming to A Highway Near You

Synaps Labs is planning to test its targeted advertising model on digital billboards in the U.S. this summer. Synaps expects to be operating on 20 to 50 billboards in Russia this year. The company uses high-speed cameras to identify cars and its “machine-learning” system to recognize the type of car and what corresponding ads advertisers want to target the driver with, the report states. “Synaps won’t sell data on individual drivers.” Additionally, “out of safety concerns, license plate data is encrypted, and the company says it will comply with local regulations limiting the time this kind of data can be stored, as well.” [MIT Technology Review]

E-Government

WW – IA Leak Exposes Government Insider-Threat Problem

The disclosure this week of what appears to be documents detailing CIA hacking methods once again exposes the U.S. government’s failure to mitigate its insider-threat problem, if, as some U.S. officials and cybersecurity pros suspect, the source was from a government contractor. The CIA leak is the third major incident in recent years in which threat software and resource programs designed to prevent such threats did not work. Part of the problem, the report states, is the increased access government employees and contractors have to sensitive information — partly because of post-9/11 mandates that increased information-sharing. Agencies also tend to rely on contractors instead of permanent staff because of budget constraints. Meanwhile, UN Special Rapporteur on the Right to Privacy Joseph Cannataci has released a report on the need for civil liberties in light of growing surveillance in the digital world. [Reuters]

US – As Many as 7.5 Million Voter Records Involved in Georgia Data Breach

The Federal Bureau of Investigation opened an investigation at Kennesaw State University’s Center for Election Systems involving an alleged data breach. As many as 7.5 million voter records may be involved, according to a top state official briefed on the information but not authorized to speak on the record. Neither federal officials nor university officials would confirm the scope of the investigation or how many records had potentially been accessed. State officials found out about the breach after being notified by the university. The governor’s office said it asked the Georgia Bureau of Investigation to contact the FBI after learning about the scope of the problem. [MyAJC]

UK – More Than Half of UK Councils Give Body Cameras to Staff

More than half of UK councils have given body-worn cameras to their officials to snoop on minor offences such as littering, bad parking and dog-fouling. Two-thirds of the local authorities have also failed to conduct a privacy impact assessment before taking the controversial measure, according to research by Big Brother Watch. The civil liberties campaign group, which revealed its findings in a new report, claimed the “widespread filming” was not “proportionate” to the often trivial offences committed. The report found 227 local authorities (54%) were at least trialling the cameras, 3,760 cameras had been purchased and 150 local authorities (66%) did not know if they had completed a privacy impact assessment. Pensioner Sue Peckitt was fined £80 after a camera caught her pouring coffee down the drain in London. [Independent]

E-Mail

US – Apple, Amazon, and Microsoft Are Helping Google Fight an Order to Hand Over Foreign Emails

Apple, Microsoft, Amazon, and Cisco have filed an amicus brief in support of Google, after a Pennsylvania court [U.S. magistrate Judge Thomas Rueter in Philadelphia ruled February 3, 2017 that the company had to hand over emails stored overseas in response to an FBI warrant. [see 29 pg pdf here ] In the brief, the companies argue: “When a warrant seeks email content from a foreign data center, that invasion of privacy occurs outside the United States — in the place where the customers’ private communications are stored, and where they are accessed, and copied for the benefit of law enforcement, without the customer’s consent.” They claim that handing over foreign data “invites” other countries to demand emails from US citizens, stored on US soil, in the same way. They also referenced a similar case won by Microsoft in January. The company refused to hand over emails belonging to the non-US citizen stored on Irish servers, and the US government lost an appeal to have the case reheard. [Business Insider]

EU Developments

EU – EDPS Publishes Opinion on Border Screening System

European Data Protection Supervisor Giovanni Buttarelli released his opinion on the European Travel Information and Authorisation System, arguing that while it is important to secure borders, its equally important to ensure initiatives designed to strengthen them do not erode privacy rights. Buttarelli cautioned that screening techniques bring with them myriad privacy concerns, and stressed the need for a privacy assessment on the ETIAS’ proposal. Additionally, “as the information gathered will be used to grant or deny individuals access to the EU, based on the migration, security or health risks they may pose, it is vital that the law clearly defines what these risks are and that reliable methods are used to determine in which cases they exist,” Buttarelli said. [EDPS]

UK – ICO to Probe Use of Voters’ Personal Data in Political Campaigns

The U.K. Information Commissioner’s Office is launching an investigation into the collection and use of voters’ personal data in political campaigns. The move comes after a recent report from the Observer, which alleged U.S.-based technology company Cambridge Analytica played a role in the Brexit and Trump victories in 2016. “We are conducting a wide assessment of the data-protection risks arising from the use of data analytics, including for political purposes, and will be contacting a range of organisations,” an ICO spokeswoman said, adding, “We intend to publicise our findings later this year.” The ICO also said, “We have concerns about Cambridge Analytica’s reported use of personal data, and we are in contact with the organisation.” [The Guardian]

EU – Other EU Developments

  • A ruling from the Court of Justice of the EU is forcing the U.K. Home Office to delay the implementation of the Investigatory Powers Act. [Ars Technica]
  • The European Parliament announced Civil Liberties MEPs voted for stronger safeguards and a shorter period of data retention within the EU entry-exit system. [EuroParl]
  • In a blog post, 2 March, the U.K. Information Commissioner’s Office released its first specific GDPR implementation guidance, focusing on consent, for public consultation. [ICONewsBlog]
  • Germany’s interior ministry announced a draft law last month that would allow authorities to access personal data from electronic devices of asylum seekers without their consent. [The Verge]
  • After an inquiry, Australian Privacy Commissioner Timothy Pilgrim has said that “agency-specific laws” can override the Privacy Act, giving the heads of agencies the ability to access and release public information, iTnews reports. [Tnews]

Facts & Stats

WW – Verizon: 90% of Breaches Involve Phishing, Social Engineering

In Verizon’s newest “Data Breach Digest,” the companion to its annual breach report, researchers said that 90% of the data-loss incidents the team investigates have a “phishing or social engineering component” to them. User credentials are often the hot-ticket data for hackers, who sell the information on the dark web to those looking to masquerade as actual employees on company networks. “Because organizations don’t have multifactor [authentication] rolled out, it makes it trivial to get in.” [BankInfoSecurity]

FOI

CA – NFLD Court Finds Disclosure of Employee Names, Titles and Remunerations Unreasonable Invasion of Privacy

A Newfoundland and Labrador court reviewed the Newfoundland and Labrador English School District’s decision to disclose employee personal information, pursuant to the Access to Information and Protection of Privacy Act, 2015. A district school agreed to disclose the requested information to a member of the media (this was prior to legislation specifically designed for the release of “Sunshine Lists”); the records contained the names of the teachers in connection with their position and salaries, the information was held by the school for tax purposes, and the school did not supply any reasoning why the information should be released to the media. [Newfoundland and Labrador Teachers Association v. Newfoundland and Labrador English School District – 2016 CANLII 89960 NL SCTD – In the Supreme Court of NFLD and Labrador Trial Division]

CA – PEI Gov’t Redacts Information from Document It’s Already Made Public

The P.E.I. government says “human error” led it to redact information it had already made public from a document obtained under the province’s Freedom of Information legislation. CBC News filed a request in January 2017, seeking information on the province’s plans to implement a carbon tax. In response the province provided 228 pages comprised of various documents, with much of the information severed or redacted. The problem is, some of the information that was withheld had already been released to the public, and is freely available on the province’s website. [CBC]

CA – OPC Canada Finds Viewing Records Without Getting Copies Meets Organization’s Access Obligations

The Office of the Privacy Commissioner of Canada reviewed a complaint from a condominium owner, pursuant to PIPEDA. Organizations must respond to access to information requests at minimal or no cost to the individual; allowing individuals to view the records for free without also getting copies of them satisfies an organization’s access obligations under PIPEDA. [OPC Canada – Access to Personal Information Request Revised to Accommodate Both Requestor and Organization]

CA – OIPC BC Orders Disclosure of Law Enforcement Investigative Records

The Office of the Information and Privacy Commissioner of British Columbia reviewed the Insurance Corporation of British Columbia’s decision to withhold access to information, pursuant to the Freedom of Information and Protection of Privacy Act. Withheld records containing information that is not about identifiable individuals can be disclosed, such as time of the interview, date and place of the incident, insurance claim and SIU file numbers, and vehicle descriptions; consent was provided by the applicant’s spouse for the disclosure of her personal information, the applicant is already aware of details of the investigation, and it is unclear how disclosure of the information could unfairly damage the third party’s reputation. [OIPC BC – Order F17-06 – Insurance Corporation of British Columbia]

CA – OIPC AB Concludes Failure of Public Bodies to Timely Respond to Access Requests is Unacceptable

This OIPC report investigates the failure of Alberta Justice and Solicitor General to meet legislative timelines for responding to access requests pursuant to the Freedom of Information and Protection of Privacy Act. Reasons for delays include consultation within the government (despite no statutory requirement to do so), unnecessary application of discretionary exemptions to withhold access, an inefficient and unnecessary funneling of requests through the head of a public body, an increased volume of requests versus fewer staff to handle them, the need for judicious application of the “frivolous and vexatious” provision to some complex applicants, and a lack of respect for the FOI regime in some areas of government. [OIPC AB – Investigation Report IR-F2017-IR-01 – Alberta Justice and Solicitor General]

CA – OIPC BC Finds Disclosure of a City’s Job Evaluation Process Would Not Harm its Financial Interests

The Office of the Information and Privacy Commissioner in British Columbia reviewed a decision by the City of Nanaimo to deny access to records requested, pursuant to the Freedom of Information and Protection of Privacy Act. Information relating to the evaluation process did not contain any plans or proposals (only the raw materials on which they would be based), and would not lead to morale issues (employees have already filed grievances without the information); the City did not provide any details showing how disclosure would put it at a disadvantage in collective bargaining or would result in an increase in employee wages. [OIPC BC – Order F17-03 – City of Nanaimo]

US – California Top Court: Information on Personal Devices Dealing With Official

The California Supreme Court ruled that texts and e-mails sent by public employees on their personal devices are a matter of public record when they deal with official business. The court found in its unanimous opinion that communications must be disclosed to the public if they “relate in some substantive way to the conduct of the public’s business.” The court did not provide a clear balancing rule on where such a line should be drawn between employees’ privacy and public record. [Jurist]

US – FBI’s New Online FOIA Portal is Now Live

The FBI’s controversial changes to its FOIA request system are now fully implemented. [see here and FAQ here] For the FBI, a popular target for FOIA requests, the new online portal replaces the standard email system. According to the bureau, the new online portal transitions the agency from a manual system to an automated system that will help it handle its large volume of requests, though detractors argue that the new web portal creates additional barriers to those seeking information from the FBI and makes tracking the paper trail more difficult. Afraid of change? If you feel more comfortable doing things the really old fashioned way, you can just file your FBI FOIA request by fax or mail, though we wouldn’t exactly recommend it. [TechCrunch]

Genetics

CA – Debate Over Contentious Genetic Discrimination Bill Continues

The debate over the contentious Genetic Non-Discrimination Act continues through the House of Commons and could come down to a final vote. The legislation, also known as Bill S-201, would make it illegal for companies to require an individual to undergo or reveal the results of genetic testing in order to sign an insurance policy, or obtaining any other goods or services. The Canadian Life and Health Insurance Association believes health costs will rise if the bill passes, while the Canadian Coalition for Genetic Fairness’ Bev Heim-Myers said she supports the bill, as the fear of genetic discrimination could lead to people avoiding important diagnostic tests. [Global News]

CA – 100 Liberal MPs Defy Trudeau On & Vote for Genetic Privacy Law

The Genetic Non-Discrimination Act [Bill S-201] is aimed at preventing the use of information generated by genetic tests to deny health insurance, employment, and housing, or to influence child custody and adoption decisions. It calls for fines of up to $740,000 and prison terms of up to 5 years for anyone who requires any Canadian to undergo a genetic test, or to disclose test results, in order to obtain insurance or enter into legal or business relationships. The bill bars discrimination on the grounds of genetics, and the sharing of genetic test results without written consent (with exemptions for researchers and doctors). Trudeau’s Liberal Party cabinet also formally opposed the measure, with Justice Minister Jody Wilson-Raybould arguing that the bill is unconstitutional because it intrudes on powers given to Canada’s 13 provincial and territorial governments to regulate insurance. On 9 March, members of Parliament voted 222–60 to approve the measure. More than 100 Liberal members voted for the bill, taking advantage of a so-called free vote, which allows members to vote their conscience rather follow the party line. The result has prompted Trudeau’s government to consider extraordinary measures to block the legislation. To delay and potentially kill the legislation, Trudeau’s government is considering not sending the bill to the governor-general (a tactic that doesn’t appear to have been used since the 1920s), and instead asking Canada’s Supreme Court to rule on the bill’s constitutionality. That process could take up to 2 years. [Science Mag | Genetic non-discrimination bill unconstitutional: Trudeau | Liberal backbenchers defy cabinet wishes and vote to enact genetic discrimination law | | Does this genetic testing bill threaten the insurance industry? | Life insurers’ new genetic test policy called an 11th-hour stalling attempt | Canadian insurance industry pens rules on use of genetic test results | Genetic discrimination private member’s bill pits Grit backbenchers against cabinet | Canada: Genetic Discrimination And Canadian Law | Genetic testing bill perpetuates myths and fears]

CA – Google’s Montreal ‘Cloud Region’ Allows Data to Stay In Canada

Google Inc announces first Canadian ‘cloud region’ in Montreal, allows sensitive data to stay within borders. Located in Montreal, the new cloud region now lets customers such as large corporations move large amounts of information to online storage without having to leave Canadian borders It will not just store the information but also provide its algorithms to make more sense of the data. “Canadians always love to know that their data is still on this soil, especially as there is legislation in the U.S. that allows the government to go into data centres under the Patriot Act,” said Roland Gossage, chief executive of the Toronto-based e-commerce provider GroupBy Inc. Though Amazon.com Inc and Microsoft Corp has already offered cloud storage options in Canada, Google reiterates that what sets its services apart from others is the ability to gain insight from the large amounts of data being stored through machine learning and artificial intelligence. [Financial Post]

Health / Medical

WW – Medical Device Security Still a Major Problem

Health care organizations continue to face problems when trying to protect medical devices from hackers. U.S. hospitals average 10 to 15 connected devices per bed, and each of those devices create several points of exposure for hackers to compromise and implement ransomware and other types of network attacks. Security firm TrapX found hackers were specifically targeting medical devices connected to outdated software in order to avoid detection. The Food and Drug Administration is one of the first agencies to take a stand against medical device hacking. The FDA began to seriously examine device cybersecurity as a requirement for approval starting in 2013 and has continued to update the criteria to this day. [WIRED]

Horror Stories

US – Florida Senator Demands Answers from Spiral Toys After Cloud Hack

Sen. Bill Nelson, D-Fla., has written to the CEO of Spiral Toys, seeking answers on the company’s data protection practices in light of a breach affecting its CloudPets brand and more than 800,000 of its customers. Nelson said that incident called into question how well Spiral Toys was able to adhere to the Children’s Online Privacy Protection Act. Among his nine questions for the company were inquiries into the type of information Spiral Toys collects from its users via their products, if that information was sold to third-party vendors, and if the company provided notice of these collection practices, should they exist, to its customers, the letter states. He asked for a response from Spiral Toys by March 23. [ComputerWorld] [Is your IoT teddy bear safe? MondgoDB data breach allegedly leaks and ransoms millions of kid’s voice recordings | Internet of Things Teddy Bear Leaked 2 Million Parent and Kids Message Recordings | Banned In Germany: Kids’ Doll Is Labeled An Espionage Device | These Toys Don’t Just Listen To Your Kid; They Send What They Hear To A Defense Contractor | These Toys Don’t Just Listen To Your Kid; They Send What They Hear To A Defense Contractor | Talking Dolls May Spread Children’s Secrets, Privacy Groups Allege | You should probably still avoid toys that talk with your kids | Parents are worried about the new WiFi-connected Barbie, but should they be?]

WW – Spammer Accidentally Leaks 1.34B User Accounts

Email marketing group River City Media failed to protect its 1.34 billion user accounts, inadvertently making them available for anyone to see. MacKeeper security researcher Chris Vickery discovered the breach in January. He said that River City Media “masquerades as a legitimate marketing firm” when instead is a large-scale spamming organization. It’s accrued names, emails and IP addresses through emails advertising phony credit checks and sweepstakes. Vickery worked with CSO Online to verify the breach, ultimately finding that River City Media employees didn’t “properly configure its backup system.” The unsecured database is so vast that “chances are that you, or at least someone you know, is affected.” [Fortune]

Law Enforcement

US – DoJ Drops Child Porn Case to Protect Tor Hacking Technique

The US Department of Justice (DOJ) has asked a federal court to dismiss its case against an alleged suspect in a child pornography case because the department does not want to reveal the “network investigative technique” it used to discover identities of people on Tor who accessed a certain dark web site. Last spring, Mozilla filed a brief in the case asking the FBI to privately reveal the flaw the technique exploits because it affects users’ security. (The Tor browser uses much of the same code as Firefox.) [ZDNet: Justice Dept. drops Playpen child porn case to prevent release of Tor hack | To keep Tor hack source code secret, DOJ dismisses child porn case | Child porn case dropped to prevent FBI disclosure | U.S. drops child porn case to avoid disclosing Tor exploit | DoJ Wants to Keep Tor Hack Code Used Secret, Dismisses Playpen Child Porn Case]

Location

US – Mass. Lawmakers Push for Restrictions on Use of Sensitive Driver Data

Massachusetts lawmakers have filed a proposal to restrict the ways the state can use sensitive driver data collected by its new all-electronic tolling system. A pair of bills sent to the state House and Senate would prohibit the Massachusetts Department of Transportation from using the data, including driving speeds and travel history, for anything but collecting tolls. The bills would stop the agency from sharing the data unless a warrant was involved. Representative Marjorie C. Decker said if the data must be shared, strong privacy protections must be in place, and the state needs to be transparent about the way the data is used. “Many people don’t even realize that if you have an E-ZPass, it can track your whereabouts,” Decker said. “People have a right to know this is happening.” [The Boston Globe]

Online Privacy

US – ACLU Challenges Facebook Search Warrant

The American Civil Liberties Union has filed a motion challenging a warrant allowing police to search a Facebook community page for information on a group protesting the Dakota Access Pipeline, according to an ACLU press release. The ACLU argued in its motion that the warrant eroded both First and Fourth Amendment rights. Additionally, the warrant wasn’t “particularized” as the Fourth Amendment requires, meaning that it hadn’t indicated “in detail items for which the government has probable cause to search,” the report states. The ACLU also argued that “when searches involve broad intrusions, such as searches of computers or online accounts like Facebook, the need for such limitations on warrants is especially great, courts have found.” The challenge is scheduled to have its day in Whatcom County Superior Court on March 14. [ACLU]

Privacy (US)

US – Survey Rates States With Best Online Privacy Protections

Comparitech has developed a scoring system to find the states with the most online data protection laws. The system was based on 14 different laws, including laws to protect internet-of-things data, safeguard employee and children’s privacy, and mandate data retention time limits. Delaware scored the highest out of all 50 states, with a privacy score of 85.7%, only missing two of the 14 criteria. California finished with the second best score, with 78.6%, while Utah and Arkansas tied for third with 71.4%. There was a three-way tie for the worst states for online privacy, with Wyoming, South Dakota and Alabama all finishing with a 28.6% score. [Comparitech]

US – EFF Releases Guide to Help Travelers Protect Privacy at the US Border

The Electronic Frontier Foundation released a guide to help travelers protect their digital information when traveling across borders. “Digital Privacy at the U.S. Border“ helps travelers perform a risk assessment by evaluating personal details such as immigration status and travel history. By assessing those factors, travelers may be able to protect themselves by leaving certain devices at home or using encryption. “Border agents have more power than police officers normally do, and people crossing the border have less privacy than they usually expect,” said EFF. “Border agents may demand that you unlock your phone, provide your laptop password, or disclose your social media handles. Yet this is where many of us store our most sensitive personal information.” [EFF]

US – FPF, George Mason Law Seeking Paper Submissions

The Program on Economics & Privacy at George Mason University’s Antonin Scalia Law School and the Future of Privacy Forum have announced they are seeking paper submissions considering the development of a benefit-cost framework for privacy policy. Potential areas of special interest for the papers include “developing metrics to measure the costs and impacts of privacy controls; unpacking the economics of privacy using microeconomic tools; and calculating the value of privacy for consumers through analysis of competitive offerings.” Chosen submissions will be presented at the Fifth Annual Public Policy Symposium on the Law & Economics of Privacy and Data Security Policy in June, and will also be published in an issue of the Journal of Law, Economics & Policy. The deadline for submissions is April 15. [FPF]

US – Washington CPO Releases Open-Source Privacy-Law App

The state of Washington’s Office of Privacy and Data Protection has launched a “privacy modeling” web app, which allows government agencies aiming to roll out various programs and products to find relevant state and federal privacy laws and, ostensibly, make smart choices based on those parameters. Washington Chief Privacy Officer Alex Alben said the office will release the app’s source code sometime this week on GitHub so other state agencies can adopt their own versions. [Privacy Advisor]

US – Other Privacy News

  • As data collection has become more ubiquitous, technologies more advanced and consumer data more valuable, the definition of “personal information” within U.S. state data breach notification laws has expanded to include things like login credentials, biometric information and health data. [org]
  • Voting along party lines, the U.S. Federal Communications Commission voted 2-1 last Wednesday to halt data privacy measures that were slated to go into effect March 2. [IAPP]
  • A landmark case about metadata in Australia has challenged the scope of Australian privacy laws, overruled the privacy commissioner, and left practitioners with questions. [org]
  • All this month, Max Schrems is back in court in Dublin. Not content with bringing down Safe Harbor, Schrems is sticking to his guns and coming after standard contractual clauses and may even inadvertently demolish Privacy Shield. [org]
  • The U.S. House of Representatives Judiciary Committee held a hearing last week on Section 702 of the Foreign Intelligence Surveillance Act. Testimony suggested, with caveats, that s.702 be reauthorized. [org]
  • Federal Communications Commission Chairman Ajit Pai is planning to delay the implementation of the agency’s broadband privacy rules. [Reuters]
  • A California court has ruled electronic communications sent by public employees on their personal devices that relate to public business are public information. [Jurist]

Privacy Enhancing Technologies (PETs)

US – Design Jam to Focus on Privacy Solutions

“Privacy by design” has come to mean a lot of things. For many, it has boiled down to simply thinking about privacy and data protection from the outset of a project and all the way through to completion. It’s getting privacy in at the “whiteboard stage.” Lost, perhaps, in that way of thinking is the “design” piece. How do organizations literally design and engineer their products and services to emphasize privacy and bring user control over their data to the fore? That’s the question being presented to participants in an inaugural Design Jam in Berlin, Germany this week, March 10 through 12, hosted by Facebook, Ctrl-Shift, Work Play Experience, and the University of Southampton. The Privacy Advisor discusses the event’s goals and potential outputs. [Full Story]

WW – R3 Consortium Study Compares Blockchain Privacy Tools

The R3 consortium released a summary last November of the various schemes that software developers have devised for protecting privacy for blockchain-based transactions The study [“Survey of Confidentiality and Privacy Technologies for Blockchains“, which has not previously been made public, provides a comparison of the level of privacy offered by each approach. The study was done by Jack Gavigan [with Danny Yang & Zook Wilcox], a co-founder of Zcash, a cryptocurrency that uses zero-knowledge proofs, one of the methods evaluated in the report. Financial institutions are anxious to use the efficiency features of blockchain technology, but the lack of privacy has proven a stumbling block. Following is a summary of the different privacy technologies reviewed in the report: 1) Permissioned Ledgers; 2) Off-Chain Approaches; 3) Coin Mixing; 4) Ring Signatures; 5) Pederson Commitments; 6) Zero-Knowledge Proofs; and 7) Stealth Addresses [CryptoCoinsNews]

RFID / IoT

WW – Amazon Echo Data Shared With Authorities in Arkansas Murder Case

Amazon has ended its fight against an Arkansas court’s subpoena demanding access to the defendant’s Amazon Echo device. James Andrew Bates had plead not guilty to first-degree murder of a man found dead in his house, adding that he “wouldn’t mind” if Amazon shared information from the device to aid investigators with their case, the report states. While Amazon had initially pushed back against the subpoena, arguing in favor of Bates’ privacy rights, it handed over the Echo data to the court, after Bates granted permission. “A hearing had been set on whether any information gathered was even pertinent.” [The Associated Press]

WW – The Latest Iot Device? A ‘Smart Condom’

The “world’s first smart condom,” the i.Con Smart Condom, is now available for preorder. The device functions akin to a Fitbit and has a ring-like design that allows it to go over basic condoms, where it is able to measure sexual performance and other elements. Users can track these measurements in an app. On the privacy front, distributor British Condoms said that “all data will be kept anonymous, but users will have the option to share their recent data with friends, or, indeed the world.” [CNet]

Security

WW – WikiLeaks Releases Host of Alleged CIA Hacking Documents

In another leak with potentially massive implications for U.S. intelligence, WikiLeaks has released a trove of documents that appears to demonstrate the CIA’s hacking capabilities, The New York Times reports. The documents are said to show the agency’s ability to break into smartphones, computers and other internet-connected devices. The first release includes 7,818 web pages with 943 attachments. WikiLeaks claims the entire archive, which is dated from 2013 to 2016, includes several hundred million lines of code, the report states. WikiLeaks will not name the source of the documents but said the source “wishes to initiate a public debate about the security, creation, use, proliferation, and democratic control of cyberweapons.” [Full Story]

US – Tech Sector Scrambles in Wake of CIA-Hacking Leaks

As the dust begins to settle after Tuesday’s WikiLeaks data dump of the CIA’s hacking methods, the technology sector is scrambling to patch security fixes and warn users to update their software. The 9,000 pages of documents released by WikiLeaks, which security professionals believe are legitimate, reveal methods the CIA has developed to circumvent the hardware and software of some of the world’s top technology products, including exploiting smartphone operating systems, which allows agents to go around encryption apps. In this post for Privacy Tech, Jedidiah Bracy rounds up the latest reaction from several technology companies, comments from the CIA and FBI Director James Comey, and other developments since the leaks. [IAPP.org]

WW – CIA Hacking Disclosure Could Lead to Consumer Distrust of Iot Devices

Cybersecurity professionals believe the recent revelations about the CIA’s hacking efforts could affect the way consumers and companies view internet-of-things devices, Mashable reports. Professionals say consumers should take every measure they can to protect their privacy and inform themselves with what privacy protections companies will offer them. “I know that’s a big fear for a lot of these companies — they don’t want their product to be the one that is considered unsafe,” said the Center for Strategic and International Studies’ James Lewis. “There’s probably a competitive advantage to being more secure than your competitor.” The Atlantic Council’s Cyber Statecraft Initiative’s Beau Woods adds if consumers feel threatened by the vulnerabilities within smart technology, it could lead to an increased amount of distrust and a drop in sales. [Mashable]

WW – WikiLeaks Will Offer Tech Companies Access to CIA Hacking Tools

Julian Assange says that WikiLeaks will offer tech companies access to the technical details of hacking tools in the cache of leaked classified CIA documents so that the companies can address the vulnerabilities the tools exploit. Companies are wary of the offer because of the legal ramifications of accepting stolen classified data. [WikiLeaks promises to leak Vault 7 code archive to tech firms first | WikiLeaks: We will work with tech companies to fix CIA hacking holes | WikiLeaks Will Help Tech Companies Fix Security Flaws, Assange Says | Assange: WikiLeaks Will Help Tech Firms Defend Against CIA Hacking ]

EU – Risk Assessment: Proposed Guidelines Will Help Organisations Evaluate the Functionality and Effectiveness of Video Surveillance Systems

The CEN Workshop Agreement, based on the results of the Evaluation and Certification Schemes for Security Products (“CRISP project”), issues a final draft of guidelines for the evaluation of installed security systems based on STEFi dimensions. The STEFi approach (security, trust, efficiency, freedom infringement) applies to all types of security systems, but is specifically suitable for planned or installed video surveillance, and is intended to be used to establish a certification scheme; evaluation of a security system involves an assessment to identify conflicting criteria for the security system between the STEFi criteria, and resolving conflicts in consultation with relevant stakeholder and experts by negotiating solutions, and implementing technical changes to the system or operating procedures. [Guidelines for the Evaluation Process of Installed Security Systems Based on the S-T-E-Fi Criteria – CEN Workshop Agreement – European Committee for Standardization]

CA – A 5-Step Data Breach Risk Mitigation Plan for Boards & Directors

On January 19, 2017, the Canadian Securities Administrators (CSA) issued Multilateral Staff Notice 51-347 disclosure of cyber security risk and incidents. The Staff Notice only applies to reporting issuers, but it reflects a broader prevalence of, and heightened concern about, cyber security risks and the related liability exposure that all organizations, officers and directors face. Case in point: on February 3, 2017, the Québec Superior Court authorized a consumer privacy class action in Zuckerman v. Target Corporation seeking financial compensation for – you guessed it – a data / privacy breach. Here’s a five-step cyber security mitigation plan that organizations and their directors can and should implement now to minimize the growing liability risks of suspected and actual cyber attacks [including]: 1) Make it a (priority) corporate governance matter; 2) Get a good handle on your legal notification obligations; 3) And have a good handle on your risk and incident disclosure obligations too; 4) Assess your current situation; and, 5) Be well-prepared, well in advance. [McInnesCooper]

US Government Programs

US – DHS Issues Breach Notification Best Practices

The US Department of Homeland Security (DHS) is putting the finishing touches on breach notification guidance for agencies, state and local governments, and other organizations. The DHS Data Privacy and Integrity Committee approved a final draft of the best practices document last month. The guidance addresses deciding whether and how to notify affected individuals; the risks of over-notification; and offers suggestions for additional support for those affected by a breach. [DHS finalizing best practices for notifying victims of major cyber breaches | See ALSO: Best Practices for Notifying Affected Individuals of a Large-Scale Data Breach

US – The Data Tool Helping Enforce Trump’s New Immigration Policies

Immigration and Customs Enforcement has deployed a Palantir Technologies-developed intelligence tool, dubbed Investigative Case Management, to assist with the Trump administration’s potential immigration deportation plans, The Intercept reports. Documents indicate that ICE viewed the tool as “mission critical,” the report states, “meaning that the agency will not be able to properly function without the program.” The tool, which will hit “final operating capacity” in September of this year, allows users to access a vast “ecosystem” of information on a person from an array of federal agencies. “If President Trump’s rhetoric on mass deportations is going to be turned into reality, then we’re going to see these tools turned in that direction, and these documents show that there are very powerful and intrusive tools that can be used toward that end,” said the ACLU’s Jay Stanley. Earlier this week, several organizations sent letters to 50 data brokers asking them to not build any so-called “Muslim registries.” [Full Story]

US Legislation

US – Iowa Bill Imposes Restrictions and Limitations on Processing and Disclosure of Student Data

House Bill 48, adding a new section to Chapter 256 of Iowa Code and relating to student data collection policies and plans, has been introduced and referred to the Education Committee. The Department of Education, school districts and certain schools are prohibited from including certain data in student files of both the student and student’s family (such as income, certain personality traits, political/religious affiliations and criminal/juvenile justice records); student data must generally not be provided outside of the state and kept confidential (exemptions include a court order, the lawful custodian of the data, another authorized person, or for out-of-state student transfers. [House File 48 – An Act Relating to Student Data Collection – Iowa]

US – House Committee Forwards Bill That Would Give NIST Auditing Authority

The U.S. House Science Committee has passed (19-14) a bill that would place the onus of auditing government agencies’ cybersecurity on the shoulders of the National Institute of Standards and Technology (NIST). Those opposing the measure say that auditing is outside of NIST’s expertise. The bill calls for NIST to conduct an initial assessment of all agencies’ cybersecurity preparedness within six months. [NextGov: NIST as Enforcer? House Committee Passes Bill to Expand Agency’s Responsibilities | Full Committee Markup – H.R. 1224, the “NIST Cybersecurity Framework Auditing Act of 2017: “

US – Other Legislative Developments

  • Four U.S. lawmakers have proposed legislation to set up a cybersecurity grant program to help state, local and tribal governments more effectively fight cyber threats. [Augusta Free Press]
  • A Missouri Senate bill would require schools to notify affected individuals of a data breach. [KSPR]
  • In response to fears of a crackdown on legal marijuana by the new administration, a group of Oregon lawmakers has proposed legislation requiring marijuana businesses to destroy customer information within 48 hours. [CBS News]
  • A Utah bill aiming to protect voter-registration records has cleared committee and is now headed to the full House. [The Salt Lake Tribune]
  • The House Committee on Science, Space and Technology passed the NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017. [The Hill]

+++

 

16-28 February 2017

Biometrics

CA – CRA to Record Fingerprints of Tax Evaders

The Canada Revenue Agency has started to record the fingerprints of every individual charged with tax evasion. “Introducing a mandatory fingerprinting policy would serve as a powerful deterrent to those considering committing a serious tax offence or those who may contemplate reoffending,” an internal CRA memorandum states. “The mobility restriction is an important deterrent, especially for people engaged in offshore tax evasion.” The fingerprints of all accused tax evaders will be stored in the Canadian Police Information Centre database. Nearly 70,000 Canadian police officers have admittance to the database, with foreign agencies such as the U.S. Department of Homeland Security having access as well. The move could end up affecting foreign travel for individuals who have been accused, but not convicted of a criminal tax offense. [CBC News]

CA – Parliamentary Press Gallery Pushes Back Against Plan to Fingerprint, Screen Reporters

The parliamentary press gallery is challenging a plan to impose RCMP security screening measures on new members, including fingerprinting for criminal record checks. The proposal from the House of Commons made public today recommends that all new members of the press gallery be subject to mandatory screening to access Parliament Hill, which would include the RCMP running the person’s fingerprints against a database to determine a match with anyone convicted of a criminal offence. The same measures are recommended for MPs’ staff, contractors, volunteers and interns. The proposed changes follow an independent security assessment and an internal audit of physical access to the Parliamentary Precinct carried out in 2015. It concluded that mandatory site access security screening should be conducted for all individuals who regularly access buildings within the Parliamentary Precinct, according to a fact sheet created by the House of Commons. [CBC |

US – Montana May Regulate ‘Faceprints

A proposed biometric privacy bill in Montana is drawing support from the digital rights group Electronic Frontier Foundation, which argues that new laws are needed to protect people from privacy threats posed by facial recognition technology. “Cameras are increasingly accurate at long distances, and facial recognition algorithms are increasingly able to match images against each other,” the organization wrote in a letter to Montana lawmakers. “Once captured, it is easy for someone to use our biometrics against us.” The potential Montana law (HB 518) would require companies to obtain people’s written permission before collecting, sharing or using biometric identifiers like faceprints, retinal scans and voice patterns. The measure excludes photos from the definition of biometric identifier, unless a company has collected the photos in order to use them as a source of biometric data. The definition means that Facebook and other Web companies would be required to obtain consumers’ consent before applying the kind of software that enables them to create faceprints, according to EFF. Montana isn’t the only state considering new biometric privacy protections. Lawmakers in Alaska, Connecticut, New Hampshire and Washington also have introduced similar measures. To date, only Illinois and Texas have passed laws specifically protecting biometric privacy. The Illinois law has been at the center of class-action privacy complaints against several companies, including Google, Shutterfly and Facebook. The case against Shutterfly has been resolved, but Google and Facebook are still fighting the lawsuits. [MediaPost Policy Blog] Outlines of biometric privacy bills being considered in U.S. states including Alaska, Connecticut, Illinois, Montana, New Hampshire and Washington. legislature is considering a biometric privacy bill similar to that of Illinois. [Find Biometrics]

UK – Police Told to Delete on Request Millions of Images of Innocent People

The home secretary has ordered police forces to delete on request millions of images of innocent people unlawfully retained on a searchable national police database. A Home Office review published this week found that police forces make extensive use of more than 19m pictures and videos, known as custody images, of people they have arrested or questioned on the police national database. Despite a high court ruling in 2012 that keeping images of innocent people was unlawful, police forces have quietly continued to build up a massive database without any of the controls or privacy safeguards that apply to police DNA and fingerprint databases. Renate Samson, of Big Brother Watch, said: “Whilst the opportunity for people to have their custody photo deleted from the database is welcome, we believe they shouldn’t have to ask, it should be an automatic process. The explanation as to why this can’t be done reveals a poorly designed IT system which is impacting innocent people’s right to privacy. A system should be created whereby those who are found to be innocent have their images deleted automatically, as is the case with DNA and fingerprints.” [The Guardian]

IN – India to Share World’s Largest Biometric Database With Tech Firms

India’s efforts to create the world’s largest biometric identity database and share that data with tech companies. The initiative, known as “India Stack,” is designed to standardize the exchange of digital data to help tech firms, health care providers, and app developers transfer official documents to help citizens get jobs, make financial transactions, and access government services, but the database has caught the eye of privacy advocates. “It’s the worst time for privacy policy in the country,” said Centre for Internet and Privacy Executive Director Sunil Abraham. “We are very caught up in technological exuberance. Techno-utopians are ruling the roost.”[The Wall Street Journal]

Canada

CA – CSIS Saw ‘No High Privacy Risks’ With Metadata Crunching: Internal Report

The Canadian Security Intelligence Service centre touched off a firestorm late last year when a judge said CSIS had broken the law by keeping and analyzing the digital metadata of innocent people.[see here ] The ruling also prompted debate about what future role the spy service should have — if any — in using such potentially revealing information in its work. But a privacy impact assessment of the [CSIS] Operational Data Analysis Centre prepared in August 2010 — and secret until now — offered little hint of such concerns. “The assessment process has identified no high privacy risks,” says the 62-page CSIS report. CSIS director Michel Coulombe testified that he hoped the spy service would be in a position within about six months to decide what to do with the associated metadata collected over the 10-year period. [CBC]

CA – US Border Guards Can Ask for Your Passwords

The BC Civil Liberties Association is warning people to think hard before deciding to take cell phones or other electronic devices across the border between Canada and the United States. Even if they have no grounds for suspicion, border guards can ask for them and might arrest a person who refuses to give them the passwords. The charge would be obstruction, but in Canada, such a case would probably violate the Charter of Rights and Freedom guarantees of privacy, says Micheal Vonn, policy director of the B.C. Civil Liberties Association. In the U.S., there is a document which clearly sets out the policy on border guards’ examination of electronic devices. But in Canada, there is not and the information has been pieced together through requests under the Access to Information Law. The Canadian Border Services Agency does believe it has the right to ask for passwords. Vonn would like the Canadian government to produce a clear policy for the public and have it reviewed by Canada’s privacy commissioner to ensure it conforms with the constitution. [Listen to the full interview is here] [RCINet | Are U.S. border agents allowed to search phones and other devices? | I’ll never bring my phone on an international flight again. Neither should you | If A Border Agent Asks You To Unlock Your Phone, Do You Have To Comply? | A Guide to Getting Past Customs With Your Digital Privacy Intact | A US-born NASA scientist was detained at the border until he unlocked his phone]

CA – Canadian Border Officials Can Search Your Cellphone, Confiscate Your Device

Canada Border Services Agency (CBSA) officers have the right to inspect your device. And if you don’t comply, they might even confiscate your phone. Devices such as cellphones and laptops are classified as “goods,” according to CBSA policy. Under the Customs Act, officers have the authority to examine them as part of a routine examination. The CBSA does not require a warrant, the Office of the Privacy Commissioner of Canada notes, and “Officers may examine devices for photos, files, contacts and other media.” What they do with those files — and whether the CBSA can make a copy of any or all the information found on your phone — is unclear. Travellers are really left few options. Anyone with concerns about their experience during a search at the border can file a complaint with the Office of the Privacy Commissioner. [Global News | Is The Border Safe? US Could Detain Canadians In Canada Under Bill | Pre-clearance bill would give U.S. border agents in Canada new powers | The Canada Border Services Is Getting Authority To Open All Cross-Border Mail | Looking for fentanyl: Should the government be able to open your letters? | Fentanyl fear drives police to push for greater power to search mail]

CA – Bill Letting U.S. Border Guards Detain Canadians Could Face Legal Challenges

A bill [C-23] proposing to bolster the powers American border guards yield in Canada – including the ability to strip search and detain Canadians – could lead to legal challenges against the federal government, immigration experts are warning. Part of a bilateral agreement with the U.S., the bill, when passed, will grant American customs agents the right to carry weapons within Canada, perform body searches and detain – but not arrest – them. It will also allow U.S. agents to force a Canadian in a preclearance area, who has decided not to travel to the U.S., to stay in the area for questioning. Right now, that same traveller has the right to simply turn around and leave the area without action or consequence. Howard Greenberg, an immigration lawyer in Toronto, agrees the bill could be open to court challenges [GlobalNews]

CA — British Columbia Privacy Commissioner Investigating Vigilante Group

The Office of the Information and Privacy Commissioner for British Columbia is investigating the controversial vigilante group, Surrey Creep Catchers. Creep Catchers is a group of organizations across Canada that aim to expose people they claim are sexual predators by posing as minors online, then setting up meetings in person to shame their targets. The group was allegedly involved in an incident involving an RCMP officer who was arrested and charged for attempting to meet an underage child. Law enforcement agencies have voiced their concerns about the groups, stating citizens could be in danger if a potential child predator was confronted in public. [CBC News]

CA – Privacy Issues Still Not Fixed on Gov’t Computers: B.C. Auditor General

A 2015 audit found social work case management system did not adequately protect personal info. B.C.’s auditor general says the government has made progress in addressing potential privacy issues with a problematic computer system, but there’s still work to be done. Carol Bellringer’s office first audited the $182-million Integrated Case Management System in 2015 and found it was incomplete and did not protect sensitive personal information. The system, used by the Ministry of Social Development and Social Innovation, dates back to 2008 and was meant to replace outdated computer systems used to deliver social programs including child protection, child-care subsidies and income assistance. [The Canadian Press]

CA – OPC Canada Identifies Best Options for VPN Access to Corporate Info

The Office of the Privacy Commissioner of Canada analyses what to look for when choosing between different Virtual Private Networks services. IPsec is an end-to-end security protocol (the data is only meant to be accessible by the device and the server that is being tunneled to) and SSL/TLS provides highly encrypted communications by relying on the same key exchange standards as HTTPS-secured websites (provided the software has been properly patched if based on open source software libraries); PPTP is an older method no longer recommended as it possesses a range of vulnerabilities that undermine the security and authentication process. [OPC Canada – Privacy Tech-Know Blog: The actual privacy benefits of virtual private networks | Make sure your VPN is setup correctly using a DNS Leak Tool | How to use a VPN: How to set up a VPN for secure, private browsing & access to blocked content | VPN and Maintaining Corporate Privacy]

CA – Alberta Court Refuses to Accept Photos from Locked Mobile Phone into Evidence

The Court considered the Crown’s application to enter photos from a locked mobile device into a main voir dire. Law enforcement failed to meet the standards of the Supreme Court’s decision in Fearon when determining what use to make of notifications displayed on a seized cellphone; the fact that an individual cellphone owner has locked the device but allowed notification of incoming communications to be displayed on the screen does not mean that the owner has waived his right to privacy, and the police failed to record what they did with the cellphone. [Her Majesty the Queen v. Trevor Leigh Millett – 2017 ABQB 9 – Court of Queen’s Bench of Alberta]

CA – Superior Court of Québec Authorizes Privacy Class Action in Zuckerman v. Target Corporation

Privacy class actions triggered by data breaches are growing in popularity in Canada, with more than 30 of them pending throughout the country. While none of these cases have yet been heard on their merits, some are being certified or authorized. In Québec, there are at least seven privacy class actions before the courts. The Superior Court of Québec recently rendered judgment on a motion to authorize a privacy class action in Zuckerman v. Target Corporation, in which the petitioner alleged damages as a result of a data breach involving an estimated 40 million credit and debit cards, as well as the personal information of up to 70 million customers. This case provides a number of takeaways for businesses on how to manage privacy breaches. [Mondaq]

CA – Secrecy Often Chokes Off Public Information from Tribunal Hearings

When attending a public hearing at the Ontario Labour Relations Board, lots of personal information, including names and employment history, is said out in the open. All of this can be reported by the media. But trying to access the same documents that are relied upon in those hearings is an entirely different matter. Case in point: Toronto Star reporters had been researching [ Laborers’ International Union of North America (LiUNA) and its Local 183 ], including possible connections with organized crime. But their quest for documents [from the Ontario Labour Relations Board] that were filed at a public hearing turned into a legal and bureaucratic nightmare, and ultimately sparked the Star’s much broader legal challenge launched last week against secrecy in Ontario’s tribunals. The tribunal system was created to take cases out of the overcrowded court system, and into a more efficient process. But as mentioned in an editor’s note published last week when the Star launched its legal challenge, “tribunals appear, on the surface, no different than traditional courts — with adjudicators, hearing rooms, dockets and generally open hearings — but they depart dramatically from open court rules when it comes to providing records.” [The Star]

Consumer

US – New CDT Study Examines Data-Deletion ‘Disconnect’

The Center for Democracy and Technology’s new research paper, “Should it stay or should it go? The legal, policy, and technical landscape around data deletion,” examines the “disconnect” between how companies delete data and how its consumers understand what deletion means, the CDT’s Michelle De Mooy writes. While some companies have viewed data removal in the past as unfathomable, now embracing the practice could improve data quality. “As the novelty of big data wears off, companies are faced with enormous data holdings that present huge risks and high costs for them and their customers,” she says. “Not only do huge data stores generate costs and liability, they damage customer trust and loyalty, and make it much harder to find the data diamonds among the slurry.” [CDT.org]

E-Government

AU – Rogue Public Servants Stealing Information to Use in Court Cases

ROGUE public servants are snooping on people’s private lives and stealing information to use in court cases and neighbourhood disputes. Bureaucrats have accessed confidential databases to pay their own parking fines and road tolls using other people’s names and addresses, the state’s privacy watchdog revealed yesterday. Australian Privacy Commissioner Elizabeth Coombs warned gaps in privacy laws let nosy public servants and government contractors get away with shocking invasions of privacy. She wants to let victims sue individual workers, as well government agencies. In a new report to state parliament, Dr Coombs revealed personal information had been accessed and leaked for neighbourhood disputes and court cases, while health information had been stolen to use in family law cases or inheritance disputes. Dr Coombs wants the state government to give victims the right to lodge complaints against government agencies and private companies — as well as the employee who stole or leaked data. Dr Coombs said government agencies and private businesses were not required to report data breaches but had voluntarily notified her office of 50 violations in the past seven months. She said notifications had almost doubled in each of the past three years. [The Daily Telegraph]

Encryption

US – 25% of Healthcare Orgs Not Encrypting Patient Data in Cloud

While more healthcare organizations are considering some form of cloud computing, they might be putting sensitive information at risk by failing to encrypt patient data, according to a recent survey. HyTrust found that even though healthcare entities list security as a top concern in cloud migration, 25% that are already utilizing the public cloud report that they are not encrypting patient data. Even with the lack of encryption, 82% of those surveyed said that security was their top concern. The Department of Health and Human Services (HHS) released updated HIPAA cloud computing guidance toward the end of 2016. The goal was to assist covered entities, business associates, and cloud service providers (CSPs) in understanding how properly utilize cloud computing while still remaining HIPAA compliant. The agency added that covered entities and business associates can also store or process ePHI in a cloud service. The guidance also did not specifically require encryption for cloud computing, but it noted that it can significantly reduce the risk of data exposure. [HealthIT Security]

WW – Cellebrite Announces Product That Can Crack Locked Phones

Cellebrite has announced its Advanced Investigative Service tool can “unlock and extract” locked iPhones’ full file system, including those from the 6 and the 6+. “These capabilities dramatically increase law enforcement’s ability to access critical digital evidence and solve cases faster, by providing forensically sound access and extraction capabilities not found anywhere else in the industry,” the company said. “Furthermore, we now make the world’s first ‘decrypted physical extraction’ capability a reality for key iPhone and Samsung Android devices.” Their announcement comes a little over a year after Apple and the FBI’s clash over decrypting the San Bernardino shooter’s locked iPhone, which the agency was able to eventually do without the help of Apple. Meanwhile, the Princeton University Center for Information Technology Policy’s Edward Felten has released a paper called “Nuts and Bolts of Encryption: A Primer for Policymakers.” [CyberScoop]

EU Developments

EU – WP29 Releases Privacy Shield Rules of Procedure and Complaint Form

The Article 29 Working Party has released two forms related to the EU-U.S. Privacy Shield agreement. The rules of procedure for the “Informal Panel of EU DPAs” provides a road map for handling complaints under Shield. “The panel is competent for providing binding advice to the US organisations following unresolved complaints from individuals about the handling of personal information that has been transferred from” the EU under Shield. According to the document, the panel will attempt to provide advice for a complaint within 60 days after receipt. The group also released a form for submitting commercial-related complaints to EU DPAs. Though the use of the form “remains optional,” the document requests all of the necessary data for completing a request. In related news, the high stakes Facebook-Ireland court case continues. A lawyer for Facebook argued the EU would face an “enormous” crisis if it does not trade with countries that do not match its data-protection standards. [Irish Tmes]

EU – Article 29 Working Party Still Concerned With Windows 10 Privacy Settings

The Article 29 Working Party is still expressing concerns about the privacy settings within Microsoft’s Windows 10 operating system. The Working Party’s questions come a year after the group wrote to Microsoft voicing concerns with Windows 10’s default installation settings. “In light of the above, which are separate to the results of ongoing inquiries at a national level, even considering the proposed changes to Windows 10, the Working Party remains concerned about the level of protection of users’ personal data,” the group said in a statement. The group said it is still unclear to what extent users will be informed about the specific data Microsoft will collect, despite the changes to the installation process. However, the group also said Microsoft has been cooperative, and in January, Microsoft announced a new web-based privacy dashboard for users to see and control what data is collected about them. [Reuters]

UK – Privacy Office to Issue Consent Standard Guidance

The U.K. privacy office will issue guidance for companies on obtaining consent from consumers to use their data. In order to be legally sufficient, consent “will need to be freely given, specific, informed and unambiguous, and businesses will need to be able to prove they have it if they rely on it for processing data.” A check the box approach won’t be sufficient to show valid consent. The ICO also plans to publish GDPR-relevant guidance on individual profiling once the Article 29 Working Party of data protection officials from the 28 EU countries has completed updating its profiling guidance. [BNA]

EU – Other Privacy News

  • Security Intelligence reports, The U.K. Home Office has stalled data collection plans under the new Investigatory Powers law after a European Court of Justice Ruling. [Ars Technica]
  • The Article 29 Working Party has released two forms related to the EU-U.S. Privacy Shield agreement. The rules of procedure for the “Informal Panel of EU DPAs” and a form for submitting commercial-related complaints to EU DPAs.
  • European Data Protection Supervisor Giovanni Buttarelli outlined his agency’s top three strategic areas of importance for 2017. [More]
  • The Article 29 Working Party discussed announced that it will publish amended guidelines for the DPO, lead authority and data portability provisions of the General Data Protection Regulation by April at the latest. [More]

Facts & Stats

US – Survey: 26% of US Consumers Had Health Care Data Compromised

An Accenture survey found 26% of 2,000 U.S. consumers have had their health care information exposed in a data breach. Of those compromised, 36 percent said it happened at a hospital, with 22 percent stating the breach occurred either at an urgent care clinic or a pharmacy. The study found half the victims detected the breach on their own, normally through anomalies on their credit card statements. Only a third of the victims were alerted by the organization suffering the attack. Accenture’s health practice Managing Director of Cybersecurity Reza Chapman said, “Not only do health organizations need to stay vigilant in safeguarding personal information, they need to build a foundation of digital trust with patients to help weather the storm of a breach.” [SC Magazine]

US – One in Four U.S. Consumers Victim of Healthcare Data Breach: Accenture

Just over one in four U.S. consumers (26%) have had their personal medical information stolen from technology systems, according to results of a survey from Accenture released on Monday. [see 14 pg pdf here] [the] survey of 7,580 consumers aged 18+ to assess their attitudes toward healthcare data, digital trust, roles and responsibilities, data sharing and breaches. The online poll included consumers across seven countries: Australia, Brazil, England, Norway, Saudi Arabia, Singapore and the U.S. The survey was conducted by Nielsen on behalf of Accenture. In the U.S., half (50%) of 2,000 consumers polled who experienced a breach were victims of medical identity theft and had to pay approximately US$2,500 in out-of-pocket costs per incident, on average, Accenture said in a press release. [See here] [Canadian Underwriter]

Filtering

US – Digital Copyright Holders Want US ISPs to Filter Out Pirated Content

The Recording Industry Association of America (RIAA) and other digital copyright groups are asking U.S. legislators to require Internet service providers (ISPs) to filter out pirated content. Currently, the Digital Millennium Copyright Act (DMCA) offers ISPs safe harbor as long as they remove identified pirated content “expeditiously.” The groups say that the current DMCA notice-and-takedown process is “burdensome – and ultimately ineffective.” Forget DMCA takedowns – RIAA wants ISPs to filter for pirated content | RIAA, Other Copyright Holder Want ISPs to Introduce Piracy Filters

Finance

EU – European Supervisory Authorities Issue Joint Discussion Paper on the Use of Big Data by Financial Institutions

The European Securities and Markets Authority, European Banking Authority and European Insurance and Occupational Pensions Authority have issued a joint discussion paper on the use of big data by financial institutions: Comments must be submitted by March 17, 2017. Under the forthcoming GDPR, organisations will need to acknowledge the wide range of rights that will be afforded to consumers by implementing mechanisms to comply with a request for human intervention in profiling, and objection to a decision based on profiling, or profiling for direct marketing purposes; financial institutions must implement appropriate technical and organisational measures at the time the processing system is designed, and during the data processing. [ESMA, EBA and EIOPA – Joint Committee Discussion Paper on The Use of Big Data By Financial Institutions ]

FOI

CA – OIPC AB Slams Government for Poor State of Freedom of Information

Alberta’s information and privacy commissioner says [see PR here] the government of Premier Rachel Notley needs a top-down culture change to address a “lack of respect” for freedom of information. In the preface to one of two scathing investigation reports issued Thursday [see pdf’s here & here ], Commissioner Jill Clayton said the investigations uncovered a troubling attitude toward freedom of information (FOIP). for years, delays in processing these requests have grown steadily worse. Last year, Clayton ordered investigations into delays in processing FOIP requests from the Wildrose Party by Alberta Justice and Solicitor General, the Public Affairs Bureau, and Executive Council, which includes the premier’s office. The investigations by senior information and privacy manager Catherine Taylor [found a] main factor in the delays was simply the unwillingness of program areas to respond to requests for records from FOIP staff within the legislated timeframes. Taylor said she heard from FOIP staff that one contributing factor to the delays was “a lack of respect for the FOIP Act itself across pockets of the (Government of Alberta).” [CBC | Alberta privacy commissioner blasts government for ‘lack of respect for the FOIP Act itself’ | Alberta Education using FOIP laws to ‘prevent disclosure’: privacy expert | Alberta Justice hires Ontario lawyer to represent ministry in FOIP investigation | Waits for access to information get longer in Alberta, report finds | Access to information in Alberta nearing ‘crisis situation,’ FOIP commissioner says | Alberta MLA says request for documents detailing opioid deaths was rejected | Reality of Right to Know Week in Alberta is grim | Opinion: Citizens have the right to know what governments know about them | Calgary presses ahead with ‘Orwellian’ freedom of information policy draft ]

US – EPIC Handed FBI’s PIAs and Threshold Analyses in FOIA Request

The Electronic Privacy Information Center was handed two legal victories involving public access to the FBI’s record-keeping systems and their impact on privacy. EPIC originally filed the Freedom of Information Act requests in 2014 seeking the FBI’s privacy impact assessments and privacy threshold analyses of its databases containing personal information. The agency handed EPIC approximately 2,200 pages of “heavily” redacted pages on grounds they involved sensitive investigatory data. But in an “unusual” ruling Tuesday, U.S. District Court Judge Amit Mehta said the FBI failed to demonstrate the redacted information met a threshold test for exemption. The legal victory for EPIC, however, may be short-lived, as Mehta will give the agency and Justice Department attorneys another chance to defend the redactions. [Politico]

Genetics

CA – Does This Genetic Testing Bill Threaten The Insurance Industry?

Bill S-201, the Genetic Non-Discrimination Act, seeks to revise the Canada Labour Code and the Canadian Human Rights Act to make it illegal for employers, insurance companies and anyone else entering into a contract or providing goods or services to require anyone to undergo genetic testing or to disclose the results of a genetic test. The insurance industry, however, disagrees with the bill. It argues the legislation would impede Canadians’ access to insurance and severely compromise the industry’s viability. Others argue that the bill’s potential impact is much less: the Office of the Privacy Commissioner of Canada, citing 2011 and 2012 studies, has concluded the legislation “would not have significant adverse impact on the viability of the life and health insurance industry,” and that premiums would likely rise about three per cent overall, an increase the industry could absorb. [Benefits Canada | Life insurers’ new genetic test policy called an 11th-hour stalling attempt | Canadian insurance industry pens rules on use of genetic test results | Genetic discrimination private member’s bill pits Grit backbenchers against cabinet | Canada: Genetic Discrimination And Canadian Law | Genetic testing bill perpetuates myths and fears]

Health / Medical

US – $5.5M HIPAA Fine Shows Importance of Audit

Memorial Healthcare System, of Hollywood, Florida, has settled with the U.S. Department of Health and Human Services for $5.5 million following a HIPAA violation. It must also institute “a robust corrective action plan.” While Memorial did have access control policies in place, a former employee of an affiliated physician’s office was still able to access protected health information repeatedly, without detection, for a year, affecting 80,000 individuals. Acting HHS Office for Civil Rights Director Robinsue Frohboese said the settlement shows “organizations must implement audit controls and review audit logs regularly.” [HHS.gov]

Horror Stories

WW – Breach of Smart Teddy Bear Data Leaks 800,000 Users’ Info

Smart toy manufacturer Spiral Toy’s CloudPets database of 800,000 customer credentials and more than two million users’ messages was stored for a little over two weeks on an unsecured server and discovered by security researchers and potentially hackers. Researchers said that the exposed data has been overwritten twice. However, the company has not yet publicly disclosed the breach or notified victims. “They were very irresponsible because they had to know about this,” GDI Foundation’s Victor Gevers said. “People make mistakes. It’s the action that follows up which defines your character. Handling serious data leaks like this proves a lack of the right personality and then you should not be in this industry or in any in which you are responsible for such data.” [Motherboard]

Identity Issues

US – NY Bill Restricts Unlawful Use of a Driver’s License or Identification Card

S00271, relating to the unlawful use of a New York driver’s license or identification card, and amending the General Business Law, has been introduced in the New York Senate and referred to the Consumer Protection Committee: The act will take effect immediately upon being passed. An individual’s driver’s license or identification card may be scanned to verify the identify of an individual making a purchase or returning or exchanging an item, prevent fraud, or transmit information to a consumer reporting agency, financial institution, or debt collector; unlawful collection and use of a license or identification card is punishable by a civil penalty of not more than $1,000. [Bill S00271 – Unlawful Use of a New York Driver’s License or Identification Card]

US – Philly’s Municipal-ID Plan on Ice Over Privacy Concerns

When Mayor Kenney committed to launching a municipal ID program, he argued that having a photo identification card would improve the lives of undocumented immigrants living in the shadows. A year later, his plans are on hold amid concerns that the program could actually put undocumented immigrants at risk. The programs have always faced controversy. Some critics see the cards as a stealth path to legal status for undocumented immigrants. Even some immigration advocates have opposed the efforts. The New York Civil Liberties Union did not endorse the municipal ID card there, saying the city had not done enough to protect application documents from being used by law enforcement. That issue is now being tested [in an] ongoing fight in New York over the applications of nearly a million people issued municipal ID cards in the last two years. A judge recently blocked Mayor Bill de Blasio’s attempts to destroy the personal information on those applications. A bill introduced to the state Senate goes one step further, requiring the city to hand over the information to the U.S. Department of Homeland Security. Philadelphia officials are watching cautiously. [Philly.com]

WW – Researchers De-Anonymise Your Web Surfing Using Twitter Handles

Researchers have found a way to de-anonymise web surfing records. What if you could deduce a person’s identity by matching their anonymous web surfing with their social media timeline? What if, instead of a customer ID, you could replace it with their Twitter handle? Academics from Stanford and Princeton have done just that. Their research relies on the idea that people are more likely to follow links showing up on their social media feed, and in particular the links from people they follow on Twitter that show up in their feed. They reasoned that because the set of links in a Twitter feed is often unique, you can match it against links in an anonymous surfing history. The researchers found that they could identify more than 70% of volunteers on average. This isn’t just a theoretical exercise. The team built a system to de-anonymise web browsing histories in under a minute using the concept, proving that it’s workable in practice. Who else might use this information? The NSA, for one. It already tracks Google ads to find Tor users. The research points out that well-resourced adversaries could eavesdrop on network traffic to work out which domains a particular device is visiting (although thankfully HTTPS makes that more difficult). How can you stop this from happening? Tracker-blockers such as Ghostery, uBlock Origin or Privacy Badger can help, the researchers say, while not revealing your real-world identity on social media profiles is a useful albeit cumbersome form of protection. Given the recent actions of US border guards, the latter might be a good idea anyway. [NakedSecurity]

CA – New Online Survey Platform Complies With Canadian Privacy Laws

Surveypal, a San Francisco, Calif.-based online survey platform, has launched a business-level survey solution designed to be compliant with Canada’s Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA), which governs how organizations in the country collect, use and disclose personal information while doing business. In order to be compliant with these privacy regulations, all data collected by both public and private organizations must be stored within Canadian borders. Surveypal’s new data servers in Toronto guarantee that Canadian government agencies and businesses can collect data safely and legally. [ITWorld]

Internet / WWW

EU – ENISA Issues Guidelines for Digital Service Providers on Minimum Security Measures

The European Union Agency for Network and Information Security (“ENISA”) issues security guidance for digital service providers. Cloud providers, online market places and search engines are provided with 27 security objectives (e.g., information security policy, change management, and monitoring and logging), broken down by industry standard and state-of-the-art security measures to be implemented; by conforming to these security objectives, digital service providers will comply with ISO27001, BSI C5, CoBiT, NIST guidance and PCI-DSS, among other security frameworks. [ENISA – Technical Guidelines for the Implementation of Minimum Security Measures for Digital Service Providers]

WW – Cloudflare Bug Exposes Private Data

A bug discovered in Cloudflare’s software earlier in February accidentally exposed data like private messages on dating sites, frames from adult sites, and hotel bookings. “Unfortunately, it was the ancient piece of software that contained a latent security problem and that problem only showed up as we were in the process of migrating away from it,” said Cloudflare Chief Operating Officer John Graham-Cumming. The company has since fixed the issue, and Graham-Cumming said he wasn’t worried that the exposed data was misused. “I am not changing any of my passwords,” he said. “I think the probability that somebody saw something is so low it’s not something I am concerned about.” [BBC News]

Law Enforcement

US – Federal Court: Cops Can’t Just Walk Into a Building and Force Unlock iPhones With Fingerprints

Earlier this year, FORBES revealed a search warrant that allowed police to walk into a building and unlock all phones inside that could be opened with a fingerprint, including iPhones with Apple’s famous TouchID feature. Not long after, multiple other warrants allowing similar access were uncovered. At the time, lawyers declared the warrants overly broad. And now, in what may be a landmark decision, a federal court in Illinois has determined that feds could not proceed with such a search, saying the government needed to be more specific about the devices and data they wanted. [see here] Judge M. David Weisman wrote “This Court agrees that the context in which fingerprints are taken, and not the fingerprints themselves, can raise concerns under the Fourth Amendment. In the instant case, the government is seeking the authority to seize any individual at the subject premises and force the application of their fingerprints as directed by government agents. Based on the facts presented in the application, the Court does not believe such Fourth Amendment intrusions are justified based on the facts articulated,” He raised Fifth Amendment issues around self-incrimination too. Previously, courts had argued that fingerprints were not testimonial as they did not constitute a form of communication, so Fifth Amendment protections didn’t apply. “with a touch of a finger, a suspect is testifying that he or she has accessed the phone before, at a minimum, to set up the fingerprint password capabilities, and that he or she currently has some level of control over or relatively significant connection to the phone and its contents.” [Forbes | Judge: No, feds can’t nab all Apple devices and try everyone’s fingerprints | Minnesota court on the Fifth Amendment and compelling fingerprints to unlock a phone | Court rules against man who was forced to fingerprint-unlock his phone | Here’s Why Feds Are Winning The Fight To Grab iPhone Passcodes And Fingerprints | Cops Could Force Google Pixel Users To Voice-Unlock Their Phones | Feds Walk Into A Building, Demand Everyone’s Fingerprints To Open Phones | How the Feds Justify Collecting Fingerprints to Unlock Everyone’s Phones | Can warrants for digital evidence also require fingerprints to unlock phones? | For the First Time, Federal Judge Says Suspect Must Use Fingerprint to Unlock Smartphone | Search Warrants Could Force You to Unlock Your iPhone via Touch ID ]

UK – Proposed Legislation Would Allow Justice Secretary to Order the Use of IMSI Catchers Around Prisons

Legislation introduced in British Parliament would allow the use of IMSI catchers, or cell-site simulators, around prisons. The Justice Secretary would have the authority to order mobile networks to deploy the technology near prisons to prevent, detect, or investigate the use of mobile phones in prisons. Currently, the technology can be used only within prison walls and must be commissioned by prison governors. New prison law will let mobile networks deploy IMSI catchers | New bill to allow prisons to deploy IMSI catchers outside of prisons ]

Location

US – Legislators Introduce Bills to Curtail Access to Geolocation Data Without a Warrant

Bills introduced in the U.S. House and Senate aim to establish rules regarding law enforcement agencies’ access to geolocation data. The Senate’s Geolocation Privacy and Surveillance Act would establish rules for when law enforcement agencies may access geolocation data. The House’s Cell Location Privacy Act of 2017 would require law enforcement to obtain a warrant prior to the use of cell-site simulators with exceptions for certain emergencies. Proposed federal law demands probable-cause warrants for geolocation data | Legislation revived to curb warrantless geolocation tracking ]

Online Privacy

WW – Goodbye Privacy, Hello Personalisation

A new study of Millennials across four countries suggests that the future of digital devices, apps and services is going to be personal, public and artificially intelligent. Top of the list is greater personalization. Nearly 60% of respondents said they’d be happy to pay for services that exactly reflect their needs, and 71% said they’d be willing to sacrifice data anonymity in return for it. Taking customisation a step further, 53% of those polled said that they’d be willing to pay for a mobile service that doubled as a personal assistant or concierge service. Four-in-ten also want such services to be intuitive — whether it be setting up and inviting people to a meeting or automatically posting certain types of content to social media for instance. That level of intuition is only possible via artificial intelligence. [AFP Relaxnews]

Open Government

US – Harvard Issues Privacy Guide for Cities and Open Data Initiatives

For any city, open data is a double-edged sword; the most useful information can also be the most sensitive. To help officials balance the risks and benefits, researchers at Harvard University have created a playbook for open data, complete with best practices, examples of what has and hasn’t worked so far, and a thorough checklist of what to consider when embarking on a new data project. The playbook makes four main recommendations for technology officers in the municipal government, and each is broken down into “here’s what you need to know, here’s what you need to do, and then here’s how you do it.”

  1. Find the balance between risk and value: Zero risk is impossible. But according to the researchers, the trick is to find a level of risk that officials and the public are willing to accept. That can be done by conducting thorough risk-benefit analysis before designing any data sharing program. In determining the value, the key question to ask is who will use the data, who benefits from it, and how.
  2. Consider privacy at each stage of the data lifecycle: That lifecycle includes data collection, maintenance, release, and retirement—when unpublished data should be removed because it’s no longer relevant. It’s typical for cities to think about privacy only when data is about to be released, but those concerns should be considered at the very first stage.
  3. Develop a structure for privacy management: “The harder challenge is developing the internal and operational expertise, and valuing protecting privacy as an essential component of open data program,” The researchers call for cities to develop their own privacy standards and establish a formal process for releasing data.
  4. Keep the public informed: Nearly 80% of Americans are concerned about government surveillance, according to Pew surveys cited in the report. So the researchers stress the need for cities to engage the public, to earn its support by showing how open data has benefited the city and gaining trust by being transparent about the entire process. [citylab.com]

Privacy (US)

US – Sen .Wyden to Introduce Legislation Limiting Phone Searches at Border

“I intend to introduce legislation shortly that will guarantee that the Fourth Amendment is respected at the border by requiring law enforcement agencies to obtain a warrant before searching devices, and prohibiting the practice of forcing travelers to reveal their online account passwords,” Wyden wrote in a letter [see here ] to Department of Homeland Security Secretary John Kelly, condemning the practice. Wyden’s letter also requests that Kelly respond to questions about the legal authority and frequency of such searches by March 20, 2017. [Meritalk | Wyden objects to DHS password collection plan | Sen. Wyden Calls for Warrants for Tech Searches on the Border | A US-born NASA scientist was detained at the border until he unlocked his phone | Complaints Describe Border Agents Interrogating Muslim Americans, Asking for Social Media Accounts | Will US border officials demand social network handles from visitors? | Wyden Pushes for Warrants for Phone Searches at US Border ]

WW – What Makes A Great DPA?

The global population of privacy and data protection regulators is understandably diverse. Some data protection agencies are still in their infancy, established by brand-new laws. Others have robust histories of enforcement and deep, experienced staffs. But what makes a regulatory agency effective? Is it experience, approach, philosophy, the law that creates it? Such are the questions explored in a new report authored by the U.S. Chamber of Commerce and Hunton & Williams, “Seeking Solutions: Attributes of Effective Data Protection Authorities.” The 40-page white paper identifies seven key traits that effective DPAs share and offers examples of how those traits play out in the real world. [Full Story]

RFID / IoT

WW – Samsung Warns Customers Not To Discuss Personal Information in Front of Smart TVs

Samsung has confirmed that its “smart TV” sets are listening to customers’ every word, and the company is warning customers not to speak about personal information while near the TV sets. The company revealed that the voice activation feature on its smart TVs will capture all nearby conversations. The TV sets can share the information, including sensitive data, with Samsung as well as third-party services. The news comes after discovery of a troubling line in Samsung’s privacy policy: “Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party.” Samsung has now issued a new statement clarifying how the voice activation feature works. The company added that it does not retain or sell the voice data, but it didn’t name the third party that translates users’ speech. [The Week]

Security

CA – CSA Publishes Expectations for Cyber Security Risk Disclosure

The results of the Canadian Securities Administrators’ (CSA) review of the cyber security risk disclosure of S&P/TSX Composite issuers were recently reported by the the Autorité des marchés financiers, the Ontario Securities Commission and the B.C. Securities Commission in CSA Multilateral Staff Notice 51-347 (the Notice). Focused particularly on risk factor disclosure and disclosure of cyber security incidents, the CSA’s review follows last year’s publication of CSA Staff Notice 11-332 Cyber Security, which reiterated that cybersecurity would continue to be one of the CSA’s priorities through 2019. With respect to risk factor disclosure, the CSA focused on three topics: 1) the disclosure of the risk itself; 2) the disclosure of potential impacts of a cyber security incident; and, 3) the disclosure of governance practices and cyber security risk mitigation. [Canadian Securities Law] New York’s mandated cybersecurity regulations for banking and financial services are set to go into effect March 1. [SC Magazine]

US – Data-Related Jobs See Huge Growth in January Hirings

The information technology sector added 1,200 data-related jobs in January, more than four times the average monthly gain for all of 2016. “An analysis of U.S. employment numbers by the Bureau of Labor Statistics reveals a net increase of 7,000 information technology jobs in January 2017 across four industry job segments commonly associated with technology professionals.” Those four job segments are: 1) Management/technical consulting services; 2) Computer systems design/related services; 3) Telecommunications; and, 4) Data processing/hosting/related. [Source]

US – Less Than 25% of Cybersecurity Job Applicants Are Qualified

According to a report from ISACA, fewer than 25% of applicants for cybersecurity positions are qualified for the job. More than half of available positions take from three to six months to fill. The report notes that hands-on experience is more important than training. [Fewer Than One Fourth Of Cybersecurity Job Candidates Are Qualified | Growing security skills gap raising fears of cyberattacks

CA – 50% of Canadian Executives Say Their Businesses Were Hacked Last Year

A new survey [see here ], conducted by Ipsos Canada found that nearly 60% of Canadian small business owners and C-suite executives either suspect or know for certain they were the victims of an external cyberattack during the last year, with 50% of C-suite executives indicating that they know for certain that their company experienced a breach. An additional three in 10 suspected their company was the victim of a breach in the past year, but didn’t know for certain. And despite the overwhelming evidence indicating otherwise, eight executives in 10 reported being confident in their business’s ability to prevent an external hacking attempt, while 93% of survey respondents indicated confidence in their ability to protect customer data. [ITWorld | Canadian infosec pros still too confident they can protect enterprise, says Accenture ]

Smart Cars

US – Privacy Makes IoT Toy Innovation Difficult, Say Developers

Smart toy developers must walk a “fine line” between technological innovation, protecting children’s privacy, and complying with the laws that regulate it. For many toymakers, privacy considerations are a considerable roadblock. “To take smart toys to the next level of engagement and give kids what they want, you have to take data and create an engaging experience that’s connected to their friends and based on their persona,” said Dynepic CEO Krissa Watry. She added that requirements for children’s privacy in the tech sphere were a “massive burden for toy companies.” She’s not alone. “Companies have been moving cautiously when it comes to smart toys because children’s privacy gets a great deal of scrutiny.” [CNet ]

US – Used Connected Cars Pose Security Risk: RSA

IBM’s Charles Henderson told an audience at the RSA Security Conference in San Francisco how he was able to remotely access systems on a car he had traded in several years earlier. Even though Henderson did a factory reset to remove all personal data from the car before he sold it, the car remained connected to the app on his phone. Even when the app is deleted from a phone, information still in the cloud is not as simple to delete. Connected car in the second-hand lot? Don’t buy it if you’re not hack-savvy | Warning on used on cars failing to forget old owners | IBM Reveals Security Risks to owners of Previously Owned IoT Devices | Android Phone Hacks Could Unlock Millions of Cars | Android apps create theft risk ]

Surveillance

US – Judge: FBI’s NIT Warrant Invalid, IP Addresses Have Expectation of Privacy, But No Suppression Granted

Thanks to the FBI’s one-to-many NIT [Network Investigative Technique see here] warrant, which was issued in Virginia but reached thousands of computers all over the world, yet another federal judge is dealing with the fallout of the feds’ efficiency. Michigan federal judge Thomas Ludington finds plenty he doesn’t like about the FBI’s malware and the DOJ’s defense of it, but still can’t quite find enough to warrant suppression of the evidence [PDF link]. That being said, the opinion does offer plenty of counters to the DOJ’s legal rationale. The court, like others, finds the FBI exceeded the jurisdictional limitations of Rule 41 [see here ] and no amount of creative phrasing is going to change that. In the future, the FBI won’t have to deal with nearly as many suppression hearings, thanks to changes to Rule 41. These decisions are becoming relics of statutorial limitations almost as soon as they’re issued. Even if courts find the malware deployment to be a search invasive enough to trigger Fourth Amendment protections, the lack of jurisdictional limits going forward will prevent them from being challenged. [Techdirt | Firefox users left feeling vulnerable as judge keeps Tor hack under wraps | Privacy Watchdogs Vow to Fight ‘Dystopian’ Rule 41 | This rule change just made it easier for the government to hack you, wherever you are]

UK – Cameras in Classrooms: Invasion of Privacy or Future of Teaching?

In a world-first, two British schools are trialling body-worn video cameras for teachers, triggering outrage among privacy campaigners. For their part the teachers have been kitted out with cameras that can be activated at the touch of a button to record “incidents” or bad behaviour among pupils in class. Footage is then securely stored online for a month, before being deleted. Privacy campaigners are already rallying against the cameras as yet another intrusion. However, surveillance has been shown to be effective in policing. Over 20,000 body-worn cameras have been given to Met police across London, with thousands more being rolled out across the UK. “We’ve noticed huge drops in complaints against police officers, because people knew their actions are recorded, people generally calm down quicker and become more apologetic because of the cameras… We’re expecting to see similar outcomes in education.” [The Memo]

Telecom / TV

WW – Mobile-Based Spyware for Consumers Is Powerful and Cheap

A Motherboard reporter tested spyware software that uses an SMS message to access the user’s camera, GPS and microphone, allowing the spy to hear the conversation of the person being surveilled. These types of software are easily available for both iPhone and Android users for $170 or less. These products are vastly unregulated and “can be extremely potent.” While governments use similar malware, this “consumer spyware is not marketed to governments. Instead, many of the companies explicitly gear products toward jealous lovers — especially men — who want to monitor their spouses.” [Motherboard]

US Government Programs

US – Homeland Security’s New Privacy Review Process to Tighten Programs

The Department of Homeland Security has issued an official policy on its new Privacy Compliance Review process, which aims to help improve the agency’s methods for documenting compliance efforts and their efficacy. A PCR might be used, for example, to revisit an already-conducted Privacy Impact Assessment to evaluate how things are working, examine any changes that may have taken place within the privacy program since the PIA was conducted, and ensure the program is still effective. [IAPP]

US – Legislators Question Use of Secure Messaging Apps at EPA

U.S. legislators are seeking an inquiry into reports that staff at the Environmental Protection Agency (EPA) are using end-to-end encrypted messaging apps to communicate. The legislators say that the use of the apps such as Signal runs afoul of federal record-keeping requirements, which demand transparency. In a related story, reports suggest that “numerous senior GOP operatives and several members of the trump administration” may be using the Confide app, which also uses end-to-end encryption. Confide messages self-destruct GOP demands inquiry into EPA use of encrypted messaging apps | House members: EPA officials may be using Signal to “spread their goals covertly | Republicans send anti-Signal signal to US EPA | Self-destructing messages won’t fly in government | Washington Elites Use Secure Messaging Apps to Keep or Leak Secrets]

US Legislation

US – Legislative news

  • U.S. House Judiciary Committee Chairman Bob Goodlatte, R-Va., has set the committee agenda for the year, underscoring the importance of the Email Privacy Act. [The National Law Review]
  • Sen. Ron Wyden, D-Ore., Rep. Jason Chaffetz, R-Utah, and Rep. John Conyers, Jr., D-Mich., introduced the Geolocation Privacy and Surveillance Act, designed to create rules for when agencies can track and access a citizen’s geolocation data. [More]
  • Republican lawmakers are preparing to make a legislative move to overturn the Federal Communications Commission’s broadband privacy rules following requests from ISPs to undo the legislation. [More]
  • Sen. Ed Markey, D-Mass., and five public interest groups are rallying against Republican lawmakers’ push to overturn FCC broadband privacy rules using the Congressional Review Act. [Broadcasting Cable]
  • U.S. Republican Reps. Justin Amash, R-Mich., and Thomas Massie, R-Ky., have introduced legislation to repeal the Cybersecurity Act of 2015. [The Libertarian Republic]
  • A Colorado bill to eliminate a loophole allowing government agencies to access certain emails without a warrant has died in committee. [The Durango Herald]
  • A Georgia state Representative has introduced the Social Media Privacy Protection Act, which would prohibit employers from demanding access to employees’ social media accounts. [More]
  • A Missouri bill that aims to help bring the state in compliance with the REAL ID Act passed the House. [St. Louis Post-Dispatch]
  • The Article 29 Working Party is planning to formally petition the Trump administration to clarify the executive order’s impact on Shield in the upcoming days. [BNA]
  • New Mexico’s Senate unanimously approved the Electronic Data Privacy Act, which would block the use of cell site simulators and ban law enforcement agencies from accessing electronic communications data from service providers without a warrant. [The Tenther]
  • A Florida court has struck down parts of a law restricting doctors from asking patients about gun ownership, saying it violates the doctors’ First Amendment rights. [More]
  • Georgia’s State Senate has passed a law that would make “upskirting” illegal in the state. It now goes to the House. [More]
  • A Massachusetts senator has introduced a bill to require law enforcement to get a warrant before accessing data collected through automatic tolls in the state. [More]
  • Massachusetts Rep. Kate Hogan, D-Stow, has introduced a bill that would protect confidential information from being shared when multiple people are on the same plan. [More]
  • JDSupra offers part two of its U.S. state privacy and data security laws. [More]

 

+++

4-15 February 2017

Biometrics

US – Fingerprinting for Federal Contractors Takes Effect Feb. 1

The RCMP is ending its old practice of checking criminal history using a person’s name. New contractors taking on work with the federal government will have to submit their fingerprints electronically to the RCMP as of Feb. 1, so the law enforcement agency can run a criminal record check in its database. Public Services and Procurement Canada said it needs to make the change because the RCMP is ending its old practice which sometimes led to problems because names could be misspelled, too common or swapped for nicknames. The new rules apply to all levels of clearance, from the basic “reliability status” to “top secret.” In some ways, it’s an expansion of a controversial new standard for public servants that is nearing the end of a three-year rollout that began in October 2014. That policy requires all federal employees to submit to an updated security screening, including credit checks and fingerprinting. [see here & here ] The Office of the Privacy Commissioner of Canada doesn’t have a problem with fingerprinting, in general. “I can tell you that our office believes that the use of fingerprints for a criminal record check is appropriate to ensure authentication,” wrote a spokesperson. “We understand that fingerprints submitted for security screening will be destroyed after the check is complete.” [CBC News]

CA – Feds Lobbying Against Trump Push for Biometric Screening for U.S. Visitors

Canada has launched a behind-the-scenes lobbying campaign against a push by Donald Trump to subject all visitors to the United States to biometric screening – such as finger-printing, retina scans or facial recognition tests – upon both entry and exit. Public Safety Minister Ralph Goodale raised the issue during a phone call with John Kelly, the new U.S. Homeland Security Secretary, Mr. Goodale’s office confirmed. The lobbying effort will likely be aimed not just at Mr. Kelly and other members of Mr. Trump’s administration but also at members of Congress, who would need to approve large related expenditures in order for implementation to proceed. To the extent the US has monitored who is exiting, other than a few biometric pilot projects, it has been through other measures – including an agreement with Canada, struck in 2011, in which the two countries inform each other when visitors return home. Ottawa appears optimistic that the success of that recent data-sharing will help it make the case that Canadians should be exempted from any new entry-exit measures. But it is also struggling with unpredictability of a new presidential administration that has thus far displayed very different priorities from any previous one. [G&M]

Big Data

WW – ACM Council Releases Seven Principles to Handle Algorithm Biases

The ACM US Public Policy Council released their “Statement on Algorithmic Transparency and Accountability,” including seven principles organizations should follow to address potentially harmful biases stemming from using algorithms. The seven principles include users of analytic systems maintaining awareness of biases arising within their design, institutions maintaining accountability for the decisions they make based on their algorithms, and ensuring all decisions are recorded in case an audit is conducted in the event harm is suspected. “Following these principles cannot guarantee that there will be no biased algorithms or biased outputs,” ACM US Public Policy Council Chair Stuart Shapiro said in a press release. “But they will serve to keep computing professionals on the lookout for ways biases could creep into systems and provide guidelines on how to minimize the potential for harm.” [Techpolicy]

WW – Pew, Elon Examine the ‘Age of Algorithms’

A newly released Pew Research Center and Elon University’s Imagining the Internet Center study on algorithms and the future hinges on the question, “Will the net overall effect of algorithms be positive for individuals and society or negative for individuals and society?” Pew Research Center reports that of 1,302 respondents, 38% answered algorithms would positively impact society, 37% answered they would have a negative impact, and 25% felt that their consequences could be evenly split. Among the potential pitfalls identified in the study is the way algorithms can create hyper-specific profiles of internet users, without those users having an ability to see how they were identified or targeted. “‘Algorithmic transparency’ should be established as a fundamental requirement for all AI-based decision-making,” said the Electronic Privacy Information Center’s Marc Rotenberg. “There is a larger problem with the increase of algorithm-based outcomes beyond the risk of error or discrimination — the increasing opacity of decision-making and the growing lack of human accountability.” [Pew Internet]

WW – Uber Is Making Ride-Booking Data Publicly Available

Uber recently debuted a new online tool called Movement, which provides data like ride durations between two points, based on GPS information. The tool is a dream for city planners and local governments, who can use it to learn more about commute patterns, and target infrastructure projects. And in the coming months, Uber wants to make Movement accessible to everyone. It’s a gift, for certain. But some privacy experts worry the new tool could be a Pandora’s box. “Key, of course, to all of this, is, ensuring that the privacy of individual user data will be protected,” says Marc Rotenberg, president of the Electronic Privacy Information Center.If it turns out that Uber’s ride information can’t be de-identified, for sure, Rotenberg says the data dump could open the door to a host of other serious concerns. “You have to be considering everything from surveillance, stalking, cyberhacking, credit card theft, identity theft, financial fraud,” he says. “There’s a long list of potential risk to the users of the Uber service, and that’s why you need to deal with a threshold problem, which is the de-identification issue.” [PRI.org]

Canada

CA – Court Awards Damages Against a Foreign Website Over PIPEDA

In a recent decision, A.T. v Globe24h.com, 2017 FC 114, Canada’s Federal Court asserted jurisdiction over a foreign-based website that republished Canadian court and tribunal decisions from Canadian legal websites and allowed them to be indexed and rendered searchable on Google and other search engines. The Court declared that the owner and operator of the website, based in Romania, contravened the provisions of the federal private sector privacy legislation (the Personal Information Protection and Electronic Documents Act – PIPEDA), by collecting, using and disclosing online personal information contained in publicly available legal decisions for inappropriate purposes, and without the consent of the individuals concerned. The Federal Court of Canada has previously determined that PIPEDA will apply to a foreign-based organization where there is evidence of a sufficient connection between the organization’s activities and Canada. The relevant connecting factors include: a) the location of the target audience of the website; b) the source of the content on the website; c) the location of the website operator; and, d) the location of the host server. The Court noted that Romanian authorities had cooperated with the Privacy Commissioner’s investigation, and had taken action to curtail Globe24h’s activities including by issuing a fine against it for contravening Romanian data protection laws. However, this fact did not prevent the Court from asserting jurisdiction over the matter, on the basis that the Court’s findings would complement rather than offend any action that taken in a Romanian court. While the monetary damages awarded in this case were modest, the Court sent a clear signal that damages will be awarded where the privacy rights of Canadians are disregarded in the pursuit of profit, in a manner that is non-compliant with Canadian privacy laws. The decision emphasizes that available exemptions under PIPEDA are limited and specific, and will be interpreted narrowly in order to afford maximum protection to individual privacy interests. [Gowling | PIPEDA’s global extra-territorial jurisdiction: A.T. v. Globe24h.com | When are public documents too public?: A.T. v. Globe24h.com tests the limits ] [PIPEDA’s global extra-territorial jurisdiction: A.T. v. Globe24h.com | When are public documents too public?: A.T. v. Globe24h.com tests the limits | Michael Geist: Canadian Court Makes ‘Landmark’ Ruling That Could Establish Its Own Right To Be Forgotten]

CA – The New U.S. Executive Order: Effects on Canadian Privacy Laws and Cross Border Data Transfers

President Donald J. Trump’s executive order issued January 25, 2017, contained one little paragraph with big words about Canadians’—and other non-U.S. citizens’—privacy: [see Section 14 here ] This paragraph has triggered alarm in some corners of the Internet. However, on closer inspection, it doesn’t appear to change much, at least legally speaking and from a Canadian private-sector perspective. The executive order has no direct impact on the treatment of personal information by the private sector. In particular, the order does not appear to change the circumstances in which US law enforcement or security agencies can compel private actors to disclose information about Canadians (or other non-U.S. citizens). The effect of the executive order on Canadian regulators’ views of cross border information transfers in the private sector is uncertain at this point in time. Canadian regulators generally require Canadian organizations to disclose the consequences of information sharing across national borders and it is currently unclear what, if any, effect, the executive order have on those disclosures. While President Trump’s executive order may not have altered substantive legal protections for personal information, it has clearly attracted public attention to the issue. Moving forward, it appears likely that the public will pay increased attention to cross-border information-sharing with the U.S.—a development of which organizations should remain cognizant. [Canadian CyberSecurity Law | Canadians’ personal data at risk thanks to U.S. executive orders | Canadians’ Internet Data Affected As Trump Cancels Privacy Rules | Trump’s Executive Order Eliminates Privacy Act Protections for Foreigners | One quarter of Canadian online traffic vulnerable to NSA sweeps: researchers

CA – Trudeau’s Bill C-23 Gives US Border Agents Spooky New Powers

U.S. border guards would get new powers to question, search and even detain Canadian citizens on Canadian soil under a bill proposed by the Liberal government. Legal experts say Bill C-23 [see here ] will give new powers to U.S. border guards to question, search and even detain Canadian citizens on Canadian soil. It could also erode the standing of Canadian permanent residents by threatening their automatic right to enter Canada. It takes away important rights found in the existing law and raises the prospect of a Canadian being arrested simply for deciding he or she has had enough with a certain line of questioning. Under the existing law, a strip search can only be conducted by a Canadian officer, though a U.S. officer can be present. Greene points out C-23 says if a Canadian officer is unavailable or unwilling, the U.S. officer can conduct the search. “So you could have a circumstance where the Canadian officer says, ‘No I don’t think a search is warranted here. I’m not willing to do it.’ But the U.S. officer just says, ‘Fine, we’re going to do it anyway.’” [CBC News See also: Your rights at the U.S. border: Three perspectives | Trump’s travel ban could run up against Canada’s pre-clearance agreement with U.S. | Is The Border Safe? US Could Detain Canadians In Canada Under Bill | A Guide to Getting Past Customs With Your Digital Privacy Intact | New border bill allows sharing of biographic data | New bill would allow border guards to collect biographic data on those leaving Canada | Op-Ed: Canada to share information with U.S. on land border crossers]

CA – Yukon IPC Believes Government ATIPPA Review Would Reduce Individuals’ Privacy Rights

The Information and Privacy Commissioner in the Yukon has commented on the review of the Access to Information and Protection of Privacy Act conducted by the Minister of Highways and Public Works. The review indicated that ‘personal information’ was defined too broadly; however, the definition is similar to other federal and provincial privacy laws, and it is unclear how the definition could be narrowed without a negative impact on individuals’ right to informational privacy. Any difficulties the public has in verifying what their information is being used for, or the accuracy of personal information held by public bodies can be resolved through better notice to individuals, and better procedures to ensure information collected is accurate. IPC Yukon – Comments on the ATIPPA Review Report Issued by Yukon Government in December 2016 | Press Release ]

CA – OIPC SK Issues Guidance on the Determining Who is a Trustee of Personal Health Information

A review by the Office of the Information privacy Commissioner of the trustee requirement under the Health Information Protection Act. The Trustee is the physician or organization that has custody (i.e. physical possession) and control (i.e. authority to manage use, disclosure and retention) of records containing PHI; to prevent confusion and disputes about who is the Trustee, physician associations or business corporations should have written agreements in place that clearly spells out which party (i.e. the entity or each physician) is considered the Trustee. [“A” Trustee vs. “THE” Trustee – Office of the Saskatchewan Information and Privacy Commissioner]

CA – OIPC NS Alarmed by Surveillance Camera Findings

The Office of the Information and Privacy Commissioner for Nova Scotia recently found 98 video surveillance cameras located on downtown streets in Halifax, Sydney, Kentville, Windsor, Digby and Yarmouth. Nova Scotia Privacy Commissioner Catherine Tully said about three-quarters of the cameras are owned by private businesses, while the others belong to the government, libraries, and Crown corporations. Tully’s office sent out a survey to 53 cities and towns in Nova Scotia, with 25 responding. Tully has expressed alarm with some of the findings. “It certainly heightened my concern, mainly because not only did they have cameras, very few had privacy policies,” Tully said. “Just six said they had privacy policies and none had conducted what we call a privacy impact assessment.” [CBC News]

CA – Class Action Lawsuit Granted in Quebec for Damages from Data Breach

The Court considered Target Corporation Inc.’s motion to dismiss a class action lawsuit filed by Evan Zuckerman for lack of jurisdiction. The expense incurred by an individual in Quebec for credit monitoring was sufficient for a Quebec court to establish jurisdiction; regardless of potential lawsuits in US courts, the lawsuit will proceed in a Quebec court because the plaintiff, his witness, and approximately 60,000 class members reside in Quebec. [Zuckerman c. Target Corporation – 2017 QCCA 110 CanLII – Superior Court of Quebec]

CA – BC Premier Clark: We’ll Fire Anyone Involved With Breach

A breach of PharmaNet, the system used to track information regarding prescription drugs, has British Colombia’s Premier Christy Clark “profoundly disturbed.” With 7,500 citizens affected, Clark said, “If anyone in the government, anyone in the employ of the public service, anyone who gets their fees from the government is found to be responsible for this, they will be fired immediately.” The issue, uncovered by a vendor contracted to identify unusual activity in the system, is being mitigated with help from the British Columbia Office of the Information and Privacy Commissioner. Acting Information and Privacy Commissioner Drew McArthur said he would liked to have seen quicker work: “It took them several months to get the notification letters out. We would have preferred that they notified people earlier, so that people can start to take action to protect their personal information.” [Global News] [PharmaNet breach compromises personal information of 7,500 B.C. residents, says province]

CA – BC Lib’s Consultation Effort Over Provincial Records Lampooned

The B.C. government is asking the public to weigh in on new rules for how the province handles its records. But critics say the exercise is meaningless without requiring the government to create records in the first place – a so-called “duty to document” that has been repeatedly recommended but ignored by the province. The former privacy commissioner, Elizabeth Denham, also called for a “duty to document” requiring government workers to keep records, after discovering that many Freedom of Information requests were coming back empty. In 2015 [she] released a scathing report on the government’s actions to frustrate public requests for information, including the deletion of records. A former government staffer was later charged and pleaded guilty. Ms. Clark appointed a previous privacy commissioner, David Loukidelis, to review the commissioner’s report. Mr. Loukidelis made 27 recommendations, including penalties for destruction of records. He, too, recommended a “duty to document.” [G&M]

E-Government

EU – Netherlands Will Count Ballots by Hand

The Dutch government has said that ballots in the country’s parliamentary election scheduled for March 15, 2017, will be counted by hand to assuage concerns that digital tabulation systems could be compromised. Intelligence agencies have cautioned that elections in France, Germany, and the Netherlands could be at risk of manipulation. Watch This Security Researcher Hack a Voting Machine | Paperless voting machines a hacking risk | Edward Snowden Demonstrates How Easy It is to Hack a Voting Machine – All for Just $30 | Dutch will hand count ballots due to hacking fears | Dutch revert to an all-paper ballot, fearing election hack | Netherlands reverts to hand-counted votes to quell security fears]

CA – DVD Containing Tax Info on 28,000 Yukon Citizens Lost

The Canada Revenue Agency announced a courier company has lost an encrypted DVD containing the tax information of nearly 28,000 Yukon taxpayers. The CRA released a statement saying it has been made aware of the lost DVD, but did not identify when the incident occurred. The CRA has notified the Office of the Privacy Commissioner of Canada, while the courier service has commenced a search for the missing DVD. “At this time, there is no indication that the data has been accessed or used,” the CRA release states. “And given the strong security measures in place, the risk is thought to be very low that the taxpayers’ information would be compromised even if an unauthorized individual were to gain possession of the DVD.” [CBC.ca]

CA – Windsor Councillor Calls for Drone Use Regulations

Windsor Councillor Irek Kusmierczyk is pushing for specific rules concerning drone use in city parks, citing privacy and safety concerns. Kusmierczyk said individuals using remote control airplanes and similar devices must get a permit from the city. Kusmierczyk wants to ensure drone use does not make citizens uncomfortable. “They don’t want to have somebody snapping their pictures, taking photographs of their children playing soccer or baseball or in festivals,” he said. “I just want to make sure we’ve got coverage in terms of finding that right balance, where we don’t dissuade people from using drones, but we do protect residents that do utilize the parks.” [CBC News]

E-Mail

US – Judge Breaks Precedent, Orders Google to Give Foreign Emails to FBI

A potentially major blow for privacy advocates occurred when a U.S. magistrate [Judge Thomas Rueter in Philadelphia] ruled against Google and ordered it to cooperate with FBI search warrants demanding access to user emails that are stored on servers outside of the United States. The case is certain to spark a fight, because an appeals court ruled in favor of Microsoft in a similar case recently. In the ruling against Google, Judge Rueter is arguing that even though “the retrieval of the electronic data by Google from its multiple data centers abroad has the potential for an invasion of privacy, the actual infringement of privacy occurs at the time of disclosure in the United States.” It’s unclear if that decision means that evidence from a foreign server would be a violation of privacy if disclosed in a U.S. court of law. Clarity is what tech companies and privacy advocates have been pushing for over the years. Both the Microsoft and Google cases relied on warrants issued under the Stored Communications Act from 1986. The search giant released a statement today saying, “The magistrate in this case departed from precedent, and we plan to appeal the decision. We will continue to push back on overbroad warrants.” Gizmodo | Reuters | US judge orders Google to hand over data to the FBI from overseas emails | Google must turn over foreign-stored emails pursuant to a warrant, court rules | Microsoft’s cloud privacy battle may go to US Supreme Court | Court Declines to Reconsider Microsoft Email Seizure Ruling | Court Keeps Microsoft’s Irish Servers Safe From U.S. | US government wants Microsoft ‘Irish email’ case reopened  | Lawmakers question DOJ’s appeal of Microsoft Irish data case | Microsoft Cloud Warrant Case Edges Closer to Supreme Court | Reuters: Court Rules Google Must Turn Over Emails Located on Foreign Server]

Encryption

US – Minnesota State Court Upholds Compelled Unlocking of Criminal Defendant’s Cellphone

A Minnesota State court rules on a criminal Defendant’s appeal of his convictions partially based on evidence seized from his mobile phone. The Defendant’s Constitutional rights were not violated when a district court ordered him to provide his fingerprint so police could search his cellphone; the Defendant was not required to disclose any knowledge he might have (it was akin to standing in a lineup), and the district court did not ask Defendant whether his prints would unlock the phone or which print would unlock it (he asked which finger police wanted when he was ready to comply with the district court’s order, and he did not object at the time). [State of Minnesota v. Matthew Vaughn Diamond – A15-2075 – State of Minnesota In Court Of Appeals]

EU Developments

EU – Buttarelli Outlines EDPS’ Top Priorities for 2017

European Data Protection Supervisor Giovanni Buttarelli outlined his agency’s top three strategic areas of importance for 2017. The three areas include ensuring electronic communications receive the appropriate levels of privacy and protection, specifically within the context of the ePrivacy Directive; working toward a new framework for the EDPS; and contributing to a Security Union and stronger borders built upon respect for fundamental rights. “We aim to be accountable for our work across the range of our responsibilities, and in our priorities for advice you will find those European Commission proposals that, in our assessment, seem most likely to have implications for the fundamental rights to privacy and to the protection of personal data,” Buttarelli writes, adding his agency will be working with the Article 29 Working Party to make sure the EU has a consistent voice on data protection matters. [edps.eu]

EU – Facebook-Schrems Privacy Case Set to Begin

The highly anticipated privacy case that could determine the validity of standard contractual clauses is set to begin in the commercial division of Ireland’s High Court. Facebook and privacy campaigner Max Schrems are each part of the case. Ireland’s Data Protection Commissioner Helen Dixon wants the High Court to examine the validity of SCCs and to refer them to the Court of Justice of the European Union. Dixon has expressed concerns about the validity of the clauses in light of articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union and the CJEU’s ruling in the first Schrems’ case. SCCs allow businesses to transfer EU citizens’ personal data to countries outside of the European Economic Area. Joining Schrems and Facebook in the case as “friends of the court” are the U.S. government, the Business Software Alliance, Digital Europe, and the Electronic Information Privacy Center. [The Irish Times] [The Irish Times: Govt Concerned About ‘Sweeping’ Ramifications of Facebook-Schrems Case]

EU – EU Verifies Google’s Data Transfer Contractual Clauses

The Article 29 Working Party has ruled the contractual clauses used by Google to cover international data transfers for European users of its G Suite applications and cloud services are compliant with EU data protection requirements. Google said EU data protection authorities approved the language used in the company’s contracts for business customers in the EU and that they align with the European Commission’s “model contract clauses.” Google’s Head of Global Compliance Marc Crandall and its Head of Security and Compliance Matthew O’Connor wrote about the news in a blog post, noting the confirmation will help the company get similar certifications in countries with data protection requirements similar to the EU. Crandall and O’Connor also said the move will give EU businesses the needed legal protection to proceed with international data transfers without further authorizations. [blog.Google]

EU – French Man Wants $48 Million from Uber for Allegedly Breaking Up His Marriage

A French businessman from Côte d’Azur has sued Uber, asking for no less €45 million in damages. As French news site Le Figaro explains, a notification bug in Uber allowed his wife to spy on him without his knowledge. The man used her iPhone to order Ubers, and then he signed out of the app. However, notifications for his Uber account kept arriving on her phone after that, even though he was signed out. She may not have been able to track his location in real time or see the destinations, but she received plenty of information that would let her know when he was lying. For example, a “working late at the office” excuse doesn’t really work in your favor if you keep taking Uber rides all evening long, and someone can prove it. Le Figaro was able to replicate the bug, but only on iPhones and only using an Uber app version older than the December 15th update. That update apparently fixed the issue. The case should head to court next month. [BGR.com]

Facts & Stats

CA – Data Breach Reporting Expected to ‘Skyrocket’ in 2017

Following the Canadian government passing the Digital Privacy Act and the Canadian Securities Administrators taking measures to ensure businesses are more transparent about their cybersecurity practices, the number of reported data breaches is expected to skyrocket in 2017. The changes will result in companies not only having to disclose the incidents after they happen, they must also disclose specific risks potentially leading to other data breaches in the future. KPMG’s Kevvie Fowler said the increased reporting in data breaches will likely result in more companies facing lawsuits, but the transparency could also lead to stronger efforts to protect data and fewer data breaches in the long term. [CBC News]

US – The Worst Data Breaches in the U.S., Ranked State by State

15.2m Americans had confidential personal and financial information compromised last year. Researchers at Safetica USA have explored a vast database maintained by the US Government’s Department of Health and Human Services of every major data breach by a health clinic, doctor, dentist or hospital since 2009. Each entry chronicles how 500 or more confidential records were compromised in a single breach. There are two basic ways of looking at which states were worst affected by data breaches last year: by the number of cases, and by the number of individual records compromised. When it comes to the highest number of cases, the list of the worst-hit states closely follows population. Overall, the number of major breaches across the US increased last year to its highest level on record: 318 cases in 2016 compared to 270 in 2015. California, New York, Texas, Florida and Illinois were also the five worst affected states in 2015. A slightly different top 10 emerges if you look at the number of records compromised. A single hacking incident suffered by Banner Health revealed last summer affected 3.7m people and pushed Arizona to the top of the list. [Entrepreneur]

UK – 1.1M GBP Study to Examine Human Error and Breaches

A University of Surrey-led study is giving 1.1 million GBP to researchers to discover why human error is the cause of so many cyberattacks and why users don’t seem to learn from cybersecurity awareness initiatives. “The project’s overall aim is therefore to develop a framework through which we can analyze the behavioral co-evolution of cybersecurity/cybercrime ecosystems and effectively influence behaviors of a range of actors in the ecosystems in order to reduce human-related risks,” the researchers write. The project will take two years and begin in April, and will include contributors from multiple disciplines, like crime science, engineering, computer science, engineering, and behavioral science at University of Surrey, TRL, University of Warwick, and UCL. [CSO]

US – Breaches Snip $300M from Yahoo Price Tag

A new deal has been worked out for Verizon to buy Yahoo, at roughly $300 million less than Verizon’s original offer. The takeover deal was originally announced in July 2016, with a price of $4.8 billion. However, in the interim, Yahoo released information about two separate hacks that exposed the personal data of as many as a billion customers. Yahoo CEO Marissa Mayer said in January that the company has an “unwavering” commitment to security. [CNBC]

WW – App Extension Can Unveil Linkedin Users’ Email Addresses

Charlie, a free app that notifies users of forthcoming meetings and provides information on those in the meeting, now has a Chrome extension that gives users access to LinkedIn users’ emails. It also provides “the option to copy the email address, compose an email or request Charlie to research and send you information about that person.” “The research information is similar to what the app sends before a meeting, containing professional achievements and news.” Aaron Frazin, CEO of Charlie, explained that the tool will not override security measures that protect emails on LinkedIn, but rather uses algorithms to “take a guess,” at what the email address is. [CNET]

Filtering

WW – Privacy and Anti-Piracy Advocates Square Off On Browser Updates

The World Wide Web Consortium is considering standardizing the digital rights/restrictions management-enabling Encrypted Media Extensions, which protect media from piracy while reportedly limiting a browser’s security and damaging the internet’s open architecture. The potential move is a controversial one, with anti-piracy advocates supporting it while privacy proponents are critical. “DRM is a dangerous feature to standardise and have enabled across everyone’s browser because it essentially enforces a black box of code to be installed on your browser which cannot be audited or looked at or even talked about by security researchers,” said former W3C employee Harry Halpin. This “black box” is not accessible by internet users, either. [Ars Technica UK]

Finance

EU – Brussels Eyes Sweeping Cash Ban: Are Gold and Silver Next?

European Union officials just published a “Proposal for an EU Initiative on Restriction on Payments in Cash.” Predictably, the restrictions are being sold to citizens as a means of fighting terrorism – much like a host of other privacy and liberty-destroying power grabs in recent decades. This despite a telling admission contained in the proposal: “There remains the lack of readily available and solid evidence on legitimate versus illegitimate cash transactions.” Ban the use of cash first, ask questions later. In Germany, 79% of transactions are done in cash. Many there aren’t going to take restrictions lying down. Some see the war on cash for what it is – bureaucrats using the lever of fear to once again ratchet up controls and restrict privacy. Attempts to regulate the trade of physical gold and silver will not be far behind any restrictions on cash. Precious metals are an obvious target because they are a premier form of private, off-the-grid, and portable wealth. [GoldSeek See also: Who’s Powering the War on Cash? | Cashless Economy will lead to a Starving Economy | India’s Demonetization “Shock Therapy”: State Sponsored Financial Repression | Government Invades Privacy Under Money Bill ]

Health / Medical

US – HHS Imposes $3.2 Million Fine on Children’s Medical Center for Loss of Unencrypted Devices 

the Department of Health and Human Services, Office for Civil Rights has issued a notice of final determination against Children’s Medical Center of Dallas, a covered entity, for violations of the HIPAA Privacy and Security Rule. An unencrypted, non-password protected mobile device was lost at an airport, which contained PHI of 3,800 patients; the penalty was imposed due to lack of access controls ($923,000) and device/media controls ($772,000) and impermissible disclosure of PHI ($1,522,000). Aggravating factors taken into account when imposing the penalty included 5 prior separate thefts of laptops and mobile devices, and a previous externally-produced report highlighting the need to encrypt such devices. HHS – Notice of Final Determination – Children’s Medical Center of Dallas Press Release | Notice of Final Determination

US – NY Bill  Prohibits Making or Broadcasting  Visual Images of Patient Medical Treament Without Consent

Assembly Bill 1190, amending Public Health Law and Civil Rights Law and relating to making and/or broadcasting visual images of patient medical treatment, is introduced and referred to the Health Committee: the companion bill is Senate Bill 3696. The right to privacy requires obtaining prior written express consent from the patient (or legal representative) for such broadcasting; exceptions include broadcasting for the purposes of health care treatment of the patient, a quality assurance program, the education/training of health care personnel (about which the patient has the right to know and refuse broadcasting), and necessary security purposes. [Assembly Bill 1190 – Relating to Prohibiting the Making and/or Broadcasting of Visual Images of Individuals Undergoing Medical Treatment Without Prior Consent – New York State Assembly

Horror Stories

US – VIZIO to Pay 2.2 Million to Settle Consumer Tracking Charges

Vizio, one of the world’s biggest makers of Smart TVs, is paying $2.2 million to settle charges [see 12 pg pdf here ] that it collected viewing habits from 11 million devices without the knowledge or consent of the people watching them. In an e-mailed statement, Vizio officials wrote: “The ACR [automated content recognition] program never paired viewing data with personally identifiable information such as name or contact information, and the Commission did not allege or contend otherwise. Instead, as the Complaint notes, the practices challenged by the government related only to the use of viewing data in the ‘aggregate’ to create summary reports measuring viewing audiences or behaviors.” The tracking started in February 2014 on both new TVs and previously sold devices that didn’t originally ship with ACR software installed. The software periodically appended IP addresses to the collected data and also made it possible for more detailed personal information—including age, sex, income, marital status, household size, education level, home ownership, and home values—to be associated. …The allegations are only the latest to raise troubling privacy concerns about Internet-connected TVs and other so-called Internet-of-things devices. In late 2015, security researchers found that Vizio TVs failed to properly validate the HTTPS certificates of servers they connected to when transmitting viewing-habit data. That made it trivial for anyone who had the ability to monitor and control the Internet traffic passing between the TV and the Vizio servers to impersonate the servers and view or tamper with the transmitted data. Smart TVs manufactured by LG have also been caught collecting potentially sensitive data, including a list of shows being watched, the names of files contained on connected USB. Vizio must also delete any data collected before March 1, 2016, implement a comprehensive privacy program, and undergo biennial assessments of that program. FTC Acting Chairman Maureen Ohlhausen issued a concurring statement to the unanimous decision. [FTC.gov | WilmerHale See also [Samsung warns customers not to discuss personal information in front of smart TVs: Samsung has confirmed that its “smart TV” sets are listening to customers’ every word, and the company is warning customers not to speak about personal information while near the TV sets.]

Identity Issues

CA – OPC Canada Outlines Different Methods of Secure Authentication

The Office of the Privacy Commissioner of Canada has issued guidance on authentication types. Context-based authentication examines an individual’s current behaviour and habits and compares it with known/expected behaviour (significant deviations, such as a change in device/location, would result in a challenge to present other credentials), proximity-based authentication uses a token to enable automatic access when close to a device (e.g. smartphone or watch), and software-based authentication uses smartphone apps to calculate pseudo-random access codes (instead of carrying a separate hardware token). [OPC Canada – Your Identity – Ways Services Can Robustly Authenticate You]

CA – Canada’s SecureKey Wins U.S. 800K Grant for Digital Identity Network

SecureKey Technologies and The Digital ID and Authentication Council of Canada (DIACC) have received a grant for up to $800,000 from Command Control and Interoperability Center for Advanced Data Analytics (CCICADA), a research center funded by the U.S. Department of Homeland Security, to help build a digital identity network. The aim is to build a national system that allows the public to access online services without memorizing dozens of passwords, or prove their identity, while still maintaining their privacy and security by using blockchain to create a “triple blind” privacy protocol that allow individuals to easily connect to partnering online services using an existing, trusted log in credential, while limiting the actual amount of data being transmitted for security. [Reuters See also: What Role Does Government Play in Blockchain Technology’s Future? | Bank of Canada’s blockchain tests spotlight challenges | Project Jasper: Lessons From Bank of Canada’s First Blockchain ProjectA Complete Beginner’s Guide To Blockchain]

US – Data Re-Identification Law Should Be Passed: Senate Committee

Overriding concerns about the scope, burden of proof reversal, criminalization, and retrospective application of the law, a Senate committee has recommended that the data re-identification Bill be passed in a report tabled in Parliament. Under the laws introduced to the Senate in October, intentionally re-identifying a de-identified dataset will become punishable by up to two years’ imprisonment, with the laws to be retrospectively applied from September 29, 2016. Senators from both the Labor and Greens parties dissented with the committee’s recommendations, saying that the Bill should not be passed because it is “disproportionate” to the aforementioned gap in privacy legislation, and also does not achieve its objectives. “The Bill adopts a punitive approach towards information security researchers and research conducted in the public interest. In contrast, government agencies that publish poorly de-identified information do not face criminal offences and are not held responsible,” Labor and Greens senators argued. Electronic Frontiers Australia (EFA) said “The proposed Bill creates no incentives for Australian government agencies or other organizations to increase their data security, or to adopt data austerity measures. Conversely, the proposed Bill creates (as intended) a strong disincentive for researchers to announce a real or potential vulnerability of re-identification.” [ZDNet See also: Clear-cut definition of de-identified data critical in legislation: Pilgrim | De-identification: the de-vil is in the de-tail | Brandis flags Privacy Act changes to protect anonymised data Brandis to criminalise re-identifying anonymous data under Privacy Act | Research work could be criminalised under George Brandis data changes | Fears that patients’ personal medical information has been leaked in Medicare data breach | NZ privacy commissioner recommends Australia’s data re-identification criminalisation lead]

Internet / WWW

WW – CISPE Announces 30 Services Comply with its Code of Conduct

The Cloud Infrastructure Services Providers in Europe announced more than 30 services comply with the CISPE Data Protection Code of Conduct. The CISPE, a coalition of cloud providers serving millions of European customers, states Amazon Web Services and UpCloud are among the services committing to the code of conduct. Cloud infrastructure services are operated in data centers in Bulgaria, Finland, France, Germany, Ireland, Italy, the Netherlands, Spain, and the U.K. The CISPE Data Protection Code of Conduct is designed to help customers ensure cloud providers are using the proper data protection standards consistent with both the current Data Protection Directive, and the upcoming General Data Protection Regulation. “Any customer will know that if their Cloud Infrastructure Provider is complying with the CISPE Code of Conduct, their data will be protected to clear standards,” said CISPE Chairman Alban Schmutz. “CISPE Code of Conduct provides Europeans with the confidence that their information will not be used for anything other than what they stipulate.” [CISPE.cloud]

WW – Private Search Browser Cliqz Acquires Ghostery’s Consumer Biz

Cliqz, a Mozilla-backed German startup, has acquired Ghostery’s consumer-focused product suite. Ghostery will now revert to its former name, Evidon, and focus on its B2B business, helping enterprises with privacy compliance, especially related to self-regulatory programs like AdChoices. Cliqz, which is currently building its own anti-tracking browser with a built-in private search feature, will take on Ghostery’s anti-tracking browser extensions and mobile apps. The acquisition will help Cliqz gain Ghostery’s 10 million active users, in hopes of spurring international growth. “We plan to launch in the U.S. and some Western European markets soon,” said a Cliqz spokesman. “The Ghostery acquisition will be a big help. Ghostery users around the world can opt-in to contribute anonymous statistical data via our Human Web technology.” [TechCrunch]

Law Enforcement

US – Bills to Limit Use of ‘Stingray’ Data Are Back

The influential chairman of a House committee is again putting his support behind two bipartisan bills that would curb law enforcement’s use of intercepted mobile-phone data without a warrant. The revival of the legislation comes after the House Oversight and Government Reform Committee published a yearlong investigation in December that delved into the devices agencies use to intercept wireless communications, called cell site simulators, IMSI catchers or “stingrays.” Chaffetz and two other [ Sen. Ron Wyden & Rep. John Conyers ] members of Congress reintroduced The Geolocation Privacy and Surveillance Act, which would make it illegal to intercept Americans’ geolocation information without their knowledge, or to use or disclose information collected that way, except after obtaining a warrant or in other specified circumstances. Chaffetz also reintroduced Wednesday the Cell Location Privacy Act [see here], which [requires] law enforcement to get a warrant before using devices known as “stingrays,” cell-site simulators or IMSI-catchers. His committee [House Oversight and Government Reform Committee] released a bipartisan staff report in December that found the departments of Justice and Homeland Security spent more than $95 million cumulatively on cell site simulators, as FedScoop reported at its release. [FedScoop See also: Chaffetz: Autonomous Cars, Drones, IoT on Oversight Committee’s Agenda | Bipartisan bill seeks warrants for police use of ‘stingray’ cell trackers | Stingray: A New Frontier in Police Surveillance | FCC Helped Create the Stingray Problem, Now it Needs to Fix It | Feds back police in FOIA fight over cell site simulators | Government use of surveillance devices must be restricted: privacy experts | Long-Secret Stingray Manuals Detail How Police Can Spy on Phones | Stingray documents offer rare insight into police and FBI surveillance

US – Taser to Bring AI to Police Bodycams

Taser International has made a pair of acquisitions as it attempts to help police departments sift through the large amount of footage obtained by body cameras. Taser is acquiring both Dextro and the computer vision team of Misfit to create Axon AI, a group that will use artificial intelligence to help police departments categorize and analyze all bodycam footage, making it easily searchable. Bodycam use has been welcomed as a way to boost police accountability, but privacy advocates are concerned adding AI to the process could lead to issues down the line. “We support bodycams on the condition that they serve as an effective police oversight tool and not as yet another set of government surveillance cameras,”American Civil Liberties Union Senior Policy Analyst Jay Stanley said. “The storing of video and running analytics on it does not strike the right balance between privacy, oversight and usefulness to the police.” [Forbes]

Location

US – Lawmakers Introduce GPS Act to Prevent Illicit Geolocation Tracking

Sen. Ron Wyden, D-Ore., Rep. Jason Chaffetz, R-Utah, and Rep. John Conyers, Jr., D-Mich., introduced a bill designed to create rules for when agencies can track and access a citizen’s geolocation data. The Geolocation Privacy and Surveillance Act is aimed at any law enforcement agencies looking to obtain geolocation information on any individual without their knowledge. The GPS Act will create penalties for anyone attempting to track any person without prior authorization, and prohibits commercial service providers from sharing geolocation data without the subject’s consent. “Outdated laws shouldn’t be an excuse for open season on tracking Americans, and owning a smartphone or fitness tracker shouldn’t give the government a blank check to track your movements,” Wyden said. “Law-enforcement should be able to use GPS data, but they need to get a warrant. This bill sets out clear rules to make sure our laws keep up with the times.” [Wyden.senate.gov]

Offshore

WW – 2017 A Big Year for The Hybrid Cloud

The idea “hybrid cloud,” where companies use a mix of private and public cloud services as part of their operations, will “likely” enter the mainstream in 2017. Cloud services are not optional tools for companies anymore, and the forthcoming General Data Protection Regulation will require businesses to question how they are using data, and in some cases overhaul how they manage it in order to comply. Such processes “in turn will result in additional benefits in terms of reduced data storage and management costs.” [ITProPortal]

Online Privacy

WW – Anonymous Web Browsing Doesn’t Mean You Stay Anonymous: Study

A study conducted by Stanford University and Princeton University researchers has found that anonymous browsing data can be frequently tied back to actual identities. After having users “donate” their browsing history, researchers attempted to connect the data with their Twitter accounts. “Seventy-two percent of people who we tried to deanonymize were correctly identified as the top candidate in the search results, and 81% were among the top 15 candidates,” researcher Jessica Su writes. “This is, to our knowledge, the largest-scale demonstration of deanonymization to date, since it picks the correct user out of hundreds of millions of possible Twitter users,” she adds. “In addition, our method requires only that a person clicks on the links appearing in their social media feeds, not that they post any content — so even people who are careful about what they share on the internet are still vulnerable to this attack.” [The Conversation]

WW – Researchers Create Cross-Browser Tracking Method

Researchers have developed a way to track users across multiple browsers. The method uses code to instruct browsers to perform numerous tasks in the background while users visit a webpage, with those tasks then drawing on operating system and hardware resources that create a unique profile. While cross-browser tracking has its benefits, it also possesses numerous privacy concerns, the researchers note. “From the negative perspective, people can use our cross-browser tracking to violate users’ privacy by providing customized ads,” said lead researcher Yinzhi Cao. “Our work makes the scenario even worse, because after the user switches browsers, the ads company can still recognize the user. In order to defeat the privacy violation, we believe that we need to know our enemy well.” The researchers released a website to demonstrate the technique. During a test run conducted over a three-month period, it was able to correctly identify users 99.2% of the time. [Ars Technica]

UK – Study: Low Data Quality Plagues UK Marketers

Royal Mail Data Services has found that U.K. organizations estimate that “poor-quality consumer data” costs them an “average of 6% of their annual revenues.” Additionally, 91.4% of marketers said their organizations have data-quality issues, while 58% expressed concerns about the compliance of their “in-house customer data.” Organizations must improve their data quality by the time the General Data Protection Regulation goes live in May 2018. Specifically, “untangling this web starts with recognising the proliferation of sources that capture a variety of customer data, which needs to be permissioned, validated, cleansed and managed.” [Information Age]

UK – Some UK Dating Apps Have Privacy Vulnerabilities, Research Finds

Some of the most popular dating apps in the U.K. are leaking personal information. “During testing, four of the free apps exposed customer information by not fully securing data sent from the app’s owners to customers’ phones.” “These were Happn, Hookup Now, AnastasiaDate, and AffairD. The analysis also highlighted the amount of personal data being collected by MeetMe and specific location data being gathered by Once.” The investigation was conducted with the help of an American security researcher who wished to rema