Biometrics
CA – Spies, Cops & Border Agents Coordinating on Biometrics
For over a year, Canadian military, intelligence, police, and border agencies have been meeting to develop and coordinate their biometric capabilities, which use biological markers like facial recognition and iris scanning to identify individuals. This initiative—details of which were revealed in documents obtained through an access to information request—shows that the Canadian government is reigniting its focus on biometrics after a similar attempt a decade ago fizzled out. According to these documents, which include emails, meeting agendas, and briefing reports, the meetings are an effort to coordinate the critical mass of biometrics programs that exist across many government agencies, particularly those relating to national security. The Canadian effort is “informal,” spokespeople emphasized, and it hasn’t been promoted by the government except for four tweets from Defence Research and Development Canada (DRDC), the department that spearheaded the initiative. The Canadian Security Intelligence Service, the Royal Canadian Mounted Police, the Canadian Armed Forces, as well as the country’s border and immigration agencies are all participants in the “Government of Canada Biometrics Community of Practice” (CoP), which had its first meeting in March of 2016. RCMP documents showed the force was seeking to upgrade its fingerprint database with biometric facial recognition technology in order to keep pace with US law enforcement. Police documents stated that the force had “no authority” in Canada to use biometrics like facial and iris recognition, however, and the police have no specific plans to implement the technology. [Motherboard]
WW – UN Pushing Biometric-Based Digital ID for Every Person on Earth
At the summit [see here], tech companies like Microsoft and Accenture and humanitarian groups including the World Food Programme and the UN Refugee Agency want to create a digital identification for every person on the planet, one that’s tied to their fingerprints, birth date, medical records, education, travel, bank accounts and more. Accenture demonstrated a working prototype that would provide a person’s information through an app. In the absence of a personal device, that person could still be recognized through fingerprints or iris scans, as long as that information was in the database. It’s a scary thought to put all your personal information — including your medical records and banking information — in a single app, but experts at the summit believe that blockchain technology, a way of using databases to encrypt data that’s also used for bitcoin, can protect users. In 2009, India launched Aadhaar, a digital ID program in which citizens voluntarily enroll name, birth date, gender, address, phone number, email, 10 fingerprints, two eye scans and photo. In exchange, they can use the digital ID to sign documents online, apply for credit and jobs, go to hospitals and exchange money, among other features. While a government official told the Supreme Court in India that Aadhaar was “the most foolproof method that has evolved,” the Centre for Internet and Society discovered that 130 million people had their information leaked from four government websites. [CNET]
WW – Using Mouse Movements, AI Software Accurately Spots Online Lying
A surprising new method for catching out online fraudsters has been uncovered by researchers studying computer mouse movements. Cognitive scientists from Italy have created AI software that can spot when a person is lying thanks to changes in the way they move their onscreen pointer, with 95% accuracy. [See here] The researchers found that fake answers produced a different style of movement to people who were answering truthfully, particularly in these unexpected questions. The researchers said: ‘While truth-tellers respond automatically to unexpected questions, liars have to “build” and verify their responses. This lack of automaticity is reflected in the mouse movements used to record the responses as well as in the number of errors.” [Daily Mail]
Big Data / Analytics
WW – Data Quality, Staffing Issues Still Plague Data Analytics Efforts
A new study [see here and here] by Forbes and Dun & Bradstreet says that the majority of organizations lack tools and investment necessary for analytics usage in business. Indeed, 59% of organizations surveyed for the study reveal they are not using predictive models or advanced analytics. The study surveyed more than 300 senior executives in North America, Britain, and Ireland for the report. Its findings reveal that if analytics efforts are to provide the expected return on investment, corporate leadership needs to invest in the people, processes and technologies that empower decision support and automation. A general lack of skills is also hampering the success of many firms when dealing with analytics, as 27% cited skills gaps as a road block to their data and analytics efforts. Illustrating this lack of skills in-house, 55% of those surveyed reported that third-party analytics partners produced better work than analytics work done internally. [Information Management]
Canada
CA – OPC Recommends Amending Bill C-23 to Ensure Border Privacy Rights
The Office of the Privacy Commissioner of Canada sent letters to the Standing Committee on Public Safety and National Security regarding Bill C-23, An Act respecting the preclearance of persons and goods in Canada and the United States. The Bill should place border searches of electronic devices on the same footing as searches of persons (e.g., pat-down, strip and body cavity searches) which require reasonable grounds to search; electronic devices should not be considered as mere goods subject to border searches without legal grounds. [OPC Canada – Follow-up Letter to the Standing Committee on Public Safety and National Security Regarding Bill C-23, An Act respecting the preclearance of persons and goods in Canada and the United States | First Letter | CP via National News Watch: National Security Bill Aims at Some Border Agency Oversight]
CA – OPCC Investigation & Clarifying Border Search Rights for Lawyers
The recent launch of an investigation by the Office of the Privacy Commissioner of Canada into the Canadian Border Services Agency’s practices [see here and here and here] will help clarify how far mobile device inspections can go at the border, says Shaun Brown, a partner at nNovation LLP. He hopes the investigation will provide guidance to Canadians, including lawyers, about what their rights are during searches. Lawyers who practise in the area expect the matter to end up before a judge in the near future. Regardless of the country in which he’s pulled over, David Fraser the Halifax-based privacy lawyer, says he will explain to the authorities that he simply can’t unlock his devices or provide any passwords because of the possibility that they contain solicitor-client privileged information. “Solicitor-client privilege has been held sacrosanct, with only a couple of exceptions. Those are extremely narrow, and none of them are impacted at the border,” Fraser says. In any case, “it’s not the lawyer’s privilege to waive; it’s the client’s. In my view, that trumps virtually any other right of access to that sort of information,” he adds. BC Law Society president Herman Van Ommen remains concerned by the situation. In a letter [see here and here] to the federal ministers of justice and public safety, he claimed demands for passwords to devices that could be expected to contain privileged information would violate Canada’s Customs Act. Arguing that a lawyer’s electronic device constitutes a “law office” for the purposes of a search, Van Ommen suggested a simple solution: “We therefore seek your assurance that border service agents will not seek to obtain passwords from lawyers to their electronic devices when crossing the border into Canada. If such a request is made and a lawyer refuses it, we seek your assurance that border agents will not confiscate the electronic device or otherwise detain the lawyer. By refusing access to the password, the lawyer is only discharging his or her professional obligations as required by the various codes of professional conduct across the country.” [Law Times See also: The BC Civil Liberties Association issued a report outlining its proposals for civilian oversight and review of the agency. [See BCCLU PR here & 56 pg PDF here]
CA – Trudeau Government Peels Back Bill C-51 — Mostly
Bill C-59 [see here] was tabled by Public Safety Minister Ralph Goodale, and makes wide-ranging changes to Canada’s national security framework — adding significant and expansive new oversight for intelligence collection and surveillance; putting new limits on government surveillance; and codifying the powers of Canada’s signals intelligence service. The most significant change to the bill will create new powers that will allow the Canadian Security Intelligence Service (CSIS) to analyze and exploit datasets with information obtained on Canadians and foreign citizens. The new law will give clear directions for how CSIS can use advanced technology to analyze data, without worrying so much about the courts. Under this law CSIS has the authority to analyze and decrypt intelligence they’ve obtained through a warrant or collected from open sources — which could include “phonebook” information, but also social media profiles and information available online. This regime is subject to approval from within CSIS, by an independent intelligence commissioner, and by the courts. This new power is likely a boon for the Operational Data Analysis Centre [see here], which can pour through huge sums of intelligence to try and establish links or connections. While CSIS will have some updated powers to process its raw intelligence, much of C-59 will actually walk back powers given to it under C-51, introduced by the previous Harper government — which has become a scourge amongst privacy advocates and lawyers. Here’s what the bill does to the powers laid out in C-51. [vice.com]
CA – A Report Card on the National Security Bill
Bill C-59 [see companion Charter Statement here] is the government’s massive reform of Canada’s national security law. It is the biggest reform in this area since 1984, and the creation of the Canadian Security Intelligence Service (CSIS). It is a big deal: 150 pages. We have been pouring through it, contrasting its features against the views we expressed in our 2015 book, False Security, which addressed the Stephen Harper government’s controversial Bill C-51[see here & here]. We have not finished reviewing it yet, but we want to make observations and raise questions and issues in the hope of galvanizing discussion and commentary. Where we misstate, overstate or err, we appreciate feedback. So, this is a mid-term assessment, not the final grade. Our key takeaway based on close second and third readings of C-59 is there is much to like. There are, however, a few bugs in C-59, but they appear to be bugs, not features. Hopefully they can be corrected. There are also some omissions – new roles for special advocates, for instance, and intelligence to evidence. And the information-sharing law will rightly remain controversial. Not everyone will agree with the tradeoffs and compromises in the Bill. [Policy Options | [VICE News: Everything We Could Find Out About CSIS’s Secret Spy Database]
CA – Supreme Court of Canada Clears Way for Facebook Class Action to Be Heard in B.C.
Facebook Inc. must defend against a class action lawsuit that it violated user privacy in B.C. court, not California, despite laying the groundwork for handling litigation in its home state in its user agreement. That’s effectively what the Supreme Court of Canada ruled on Friday in a 4-3 decision in favour of Deborah Douez in her legal fight against the social network.[See here & here] Doeuz originally took action against Facebook regarding a breach of the B.C. Privacy Act, saying that Facebook’s use of her name and likeness in a “Sponsored Story” ad was done without her consent. Whether there was a violation of privacy or not hasn’t been considered by a court yet. Facebook’s Terms of Use includes a forum selection clause (also called a “choice of law” clause) that requires all disputes against it be filed in California courts only. Douez and her lawyers argued against that, saying the Privacy Act requires that the B.C. Supreme Court must hear court cases related to the provincial Privacy Act. [IT World Canada]
CA – Importing EU-Style RTBF Criteria into Canada Would Likely Prove Unconstitutional: Opinion
An analysis of whether the right to be forgotten (RTBF) would be legal in Canada. Canadian courts would likely find that the RTBF infringes on the right to freedom of expression; private corporations should not have to enforce the RTBF (they have an incentive to grant requests to reduce costs and avoid fines), the right would extend to personal information that is not intrinsically private (e.g. public activities), and authors, webmasters and members of the public would have no way to intervene to show that information requested for delisting is adequate and relevant. [Droit à l’oubli: Canadian Perspective on the Global ‘Right to be Forgotten’ Debate – Eloise Gratton and Jules Polonetsky]
CA – Landmark Legal Case: Canadian Precedent has International Implications
The case against Facebook was brought by Deborah Douez of British Columbia. She had clicked “like” on Facebook to a particular service, and then found that without her knowledge or permission, Facebook was distributing her “like” to all her Facebook friends implying that she endorses that company. She later tried to sue Facebook in British Columbia for violating her privacy. Facebook challenged and the case made it the provincial Supreme Court where it was accepted as a ‘class action’ lawsuit. Initially won by Douez, Facebook appealed and won its argument on the basis of its “forum selection/choice of law” clause stated in its terms of use policy. Facebook head office is in California, and the “forum” clause says any lawsuits against it would have to be filed in the jurisdiction of California under California law (its “forum”) and so the suit could not be heard in British Columbia. This “forum selection clause” was then appealed to the Supreme Court of Canada which ruled [see here] in a split decision that in fact Facebook’s ‘forum selection clause” in its terms of use was unenforceable and that the case against Facebook could indeed proceed in Canada, in this case British Columbia. Professor Jeremy De Beer, a professor of law at the Centre for Law Technology and Society (CLTS) at the University of Ottawa and a member of the team which appeared as intervenors in the case at the Supreme Court of Canada, says this is a landmark and major judgement which could affect all multi-nationals, in that the same reasoning in this case could apply to all manner of other companies selling or providing services to Canadians. Professor De Beer notes that there may well be implications not just for online sites, but that this ruling potentially also may be used for international offline companies. Additionally, the SCC ruling may be studied and used by other international jurisdictions in decisions in those countries. [RCI.net]
CA – Manitoba Ombudsman’s Comments for FIPPA and PHIA Review
Manitoba’s ombudsman is recommending improved public access to government information, including provincial cabinet documents. [see here] Charlene Paquin said consideration should be given to whether it is in the public’s interest for some government information now routinely kept under wraps to be disclosed. Earlier this year, the Manitoba government led by Premier Brian Pallister launched a formal review of both the Freedom of Information and Protection of Privacy Act (FIPPA) and the Personal Health Information Act (PHIA). Neither have been reviewed since 2004. Paquin further recommended any cabinet document be released within a period of 15 years, as opposed to the current 20 years. She also proposed, under FIPPA and PHIA, the ombudsman be called the “information and privacy commissioner,” as it is in other provinces, to better reflect the office’s role in these areas. (The job would retain the ombudsman title in its oversight role in the delivery of other public services.) PHIA should be amended to make it mandatory for health bodies to notify individuals of a privacy breach that may result “in a real risk of significant harm,” Paquin said. Paquin said her office is not so concerned about minor breaches, such as a fax or email being sent to the wrong person. “We don’t feel that we need those to always to be reported to us unless they have significant risk of harm” [Winnipeg Free Press]
CA – NS OIPC Report, Access & Privacy Law ‘No Longer Up to Task’
Commissioner Catherine Tully released her annual report. [See 2 pg pdf PR here, 40 pg pdf Report here & 90 pg pdf Companion Report here] It shows the result of a failure by successive governments to follow recommendations from Tully and her predecessors: A system no longer in step with modern society and not doing enough to work in the interest of the public. Tully notes the Freedom of Information and Protection of Privacy Act has not been significantly updated since it was introduced in 1993. Given the advancements in the way personal information is collected, stored and used, Tully says that’s a problem. “Nova Scotia’s privacy laws lack virtually all of the essential modern privacy protections found in other Canadian jurisdictions,” she writes. “Without fundamental privacy protections, databases of citizen information are not adequately protected for the 21st century.” [CBC News]
CA – NS OIPC Calls for Mandatory Breach Notification
Nova Scotia privacy czar calls for mandatory breach notification. It was one of 34 recommendations Catherine Tully made in her annual report to update the provincial Freedom of Information and Protection of Privacy Act (FIOPOPA). The breach notification requirements would essentially mirror the upcoming changes to the federal Personal Information Protection and Electronic Documents Act (PIPEDA) the covering federally-regulated organizations. [See here] Nova Scotia organizations would be required to keep of a record of all data breaches with specified details available to the provincial commissioner upon request, Tully said. She also recommended the breach notification to potential victims should include details about the cause of the breach, a list of the type of data lost or stolen, an explanation of the risks of harm affected individuals may experience as a result of the breach, and information about the right to complain to the provincial commissioner. Finally, she said the province should authorize the commissioner be able to order notification to an individual affected by a breach. See also: Gowlings: Overview of Data Breach Reporting Obligations, Class Actions and Breach Management in Canada]
CA – SK OIPC Tables Annual Report
In his annual report [see here], commissioner Ron Kruzeniski outlines nine areas of concern, including security breaches from inside workplaces, hacking from outside, as well as how government employees store emails and use smartphones. Kruzeniski said one employee conduct that is worrisome is when a worker clicks on an attachment or a link in an email that could let in a hacker. “I have no doubt that we will have to spend a lot more time and energy collectively as a society protecting ourselves against this,” he said. Kruzeniski said he doesn’t think the risk can be eliminated, but it must be reduced. Kruzeniski also raised concerns about privacy breaches on mobile devices. [CP via Metro Toronto]
CA – SK OIPC Report Critical of Premier Wall’s Private Email Server
Saskatchewan’s opposition NDP is renewing calls for an investigation into Premier Brad Wall’s use of a private email server. A new report [see here] from Saskatchewan’s Information and Privacy Commissioner Ron Kruzeniski encourages government leaders to use government email systems provided by the Ministry of Central Services. Wall’s use of private emails came to the fore in May, when the NDP requested documents relating to a 2016 trip he had taken to Texas. The premier’s office responded to the access to information request by releasing a portion, but not all, of the documentation requested. The IPC wrote “Questions about security and records management arise if and when government leaders or employees use non-government email accounts to do government-related activities.” The Interim NDP leader says the report, “really exposes the premier for hiding this from Saskatchewan people, and of course it also exposes the fact they were hiding the domain name, hiding the fact they were using this private political server housed at their party office. The question is why are they hiding that? Why are they housing this information inappropriately over at their party office?” He is renewing calls he made in May to have the matter of Wall’s private email use fully investigated by Kruzenski’s office. [LeaderPost]
CA – OIPC SK May Compel Production of Privileged Documents in Certain Circumstances: Court
The Court considered an application by the OIPC SK to compel the University of Saskatchewan to disclose records sought by the OIPC SK pursuant to The Local Authority Freedom of Information and Protection of Privacy Act. The OIPC is not required under the municipal FOI law to demand such production, but if a detailed affidavit is insufficient to determine whether the statutory privilege exemption from disclosure applies, the OIPC may demand the actual document for examination (but it cannot release them to an applicant seeking review); the Court rejected the argument that an applicant should be required to appeal to a Court to review the documents. [OIPC SK v. The University of Saskatchewan – 2017 SKQB 140 – Queen’s Bench for Saskatchewan]
CA – Manitoba Whistleblower Sues Health Authority and Lawyers
A whistleblower who sounded the alarm about financial mismanagement, nepotism and fraud at a West St. Paul personal care home is suing the Winnipeg Regional Health Authority and three lawyers after the person’s identity was allegedly revealed in court documents. The whistleblower, known as “Jean Doe” in a statement of claim filed in Manitoba’s Court of Queen’s Bench, is suing for an undisclosed amount of money for mental distress, psychiatric illness, depression, embarrassment and fear for their safety. Doe is a former employee of the Middlechurch Home of Winnipeg, located just north of Winnipeg in West St. Paul. The lawsuit alleges the WRHA’s lawyers failed to expunge information from documents that identified the whistleblower and that Rod Roy, a lawyer for Laurie Kuivenhoven, the home’s then executive director, didn’t take measures to protect Doe’s privacy. It also alleges Roy intentionally intruded on the whistleblower’s privacy in a way that would be “highly offensive to a reasonable person,” by reading the 2015 affidavit documents. [CBC]
CA – PEI Health Information Act Goes Live July 1
The P.E.I. government is hoping to strengthen protection from unauthorized “snooping” into private healthcare information records with new legislation coming into effect on July 1. Karen Rose, P.E.I.’s Information and Privacy Commissioner, said on CBC News: Compass that the “Health Information Act” will encourage people to provide all of their relevant personal health information on the grounds that it remains private. Otherwise, the concern is that people may be reluctant to provide full health information. Rose said the legislation helps protect private healthcare information by giving organizations and providers a unified set of rules to follow to help prevent breaches. She added that the legislation requires that breaches must be reported to the individual whose record was breached as well as the Office of the Information and Privacy Commissioner. [See HIA guide here] [CBC News]
CA – Health PEI Denies Privacy Commissioner Access to Report, Heads to Court
Health PEI wants to take the Island’s information and privacy commissioner to court to settle a dispute over an internal report which the government agency is refusing to let the commissioner see. Commissioner Karen Rose issued an order in April, insisting Health PEI hand her the report on the basis that she “has the power to compel the public body to produce the record at issue.” In response, Health PEI filed an application for a judicial review in P.E.I. Supreme Court, arguing the commissioner “does not have the jurisdiction or authority to inspect or review” the specific information she’s ordered the agency produce. [CBC]
CA – YK Missing Persons Law to Give Cops Access to Personal Info
The Yukon government is proposing new legislation that would allow police to access the personal information of missing persons. That could include things such as cell phone records, text messages, and health information. Right now, police in Yukon are limited in what they can do in a search for a missing person, unless there is evidence of criminal activity. The new legislation would allow police access to personal information “while still protecting a person’s right to privacy,” the release [see here] states. Several provinces already have similar missing persons legislation, including B.C., Alberta, Saskatchewan, Manitoba, Newfoundland and Labrador, and Nova Scotia. The legislation would also provide safeguards for organizations and businesses that may be required to release clients’ records or information to police. The government is accepting comments and completed surveys [see here] on the proposed legislation until September 11. [CBC News]
CA – BC IPC Updates Guidance on Social Media Background Checks
To assist employers, the Office of the Information & Privacy Commissioner for British Columbia recently published an updated guideline, Conducting Social Media Background Checks (“Updated Guideline”). When a private sector company conducts social media background checks, the use, disclosure, and collection of personal information is governed by the Personal Information Protection Act; whereas, public bodies are governed by the Freedom of Information and Protection of Privacy Act. This article focuses on the requirements for private sector companies. The Updated Guideline outlines the risks employers need to consider when conducting social media background checks, including: 1) Inaccuracy; 2) Collecting irrelevant and/or too much information; and 3) Over-reliance on consent. To minimize the risk of breaching an individual’s privacy when conducting social media background checks, the Updated Guideline reminds employers that any information collected about individuals is personal information and is subject to privacy laws. The Updated Guideline also recommends that companies conduct a privacy impact assessment of the risks associated with using social media in background checks. [Borden Ladner Gervais News & Publications]
CA – Saskatoon Gets 2 More ALPRs, Cops Promise No Info Sharing
The number of automatic licence plate readers being used to scan vehicles in Saskatoon will double when the Saskatoon Police Service buys two new devices in August. Police say no personal information collected by the readers will be shared with other police services. The devices have been controversial in other parts of North America due to privacy concerns. The readers, known as ALPRs, use infra-red technology to scan plates as police travel around the city. Officers are alerted if a plate is linked to a person wanted by police, a stolen or unregistered vehicle, or a suspended driver. The storage of information collected by ALPRs has raised privacy concerns that the devices could be used for other purposes, such as tracking a person’s location over time. In B.C., police changed their procedures after the province’s privacy commissioner raised concerns about how long “non-hit” data was being stored on RCMP computers. [see here] Saskatoon police said information collected by its scanners is kept for 40 days, and plates that register as a hit would be kept for 90 days. Sharon Polsky, the president of the Privacy and Access Council of Canada, raised concerns that information collected by police could be shared with other organizations and kept indefinitely. The police service said the same standards apply to an ALPR hit as any other standard traffic stop, adding that the Supreme Court of Canada allows officers to stop drivers to check for vehicle registration, driver impairment and vehicle safety equipment. [CBC News]
CA – NL Investigation Launched After Government Posts Employee IDs, RNC Officers in Sunshine List Screw-Up
Newfoundland and Labrador’s justice minister says an investigation is underway, after the release of the province’s first Sunshine List, when the government posted information officials had warned could put Royal Newfoundland Constabulary officers in danger. The so-called Sunshine List includes the names, job titles and pay information of public servants making more than $100,000. Government had agreed to a request from the Royal Newfoundland Constabulary Association (RNCA) to leave the names of officers off the list, but those names were included in public spreadsheets Friday. The information also included some employees whose salaries aren’t covered under the disclosure rules. For example, employees of the legislature aren’t supposed to be part of the Sunshine List, but their full information was also included. “It certainly has the appearance of a breach,” said Donovan Molloy, the province’s information and privacy commissioner. Molloy said the department had an obligation to review data before it’s sent out to ensure personal information like employee ID numbers aren’t included. He said an investigation would need to look at what the potential misuse of this information could mean. However, he said it’s much less serious than if the file had contained social insurance numbers. [CBC] [CBC: NL Sunshine List of Civil Service Salaries Goes Live Friday News | Telegram: Province releases sunshine list]
CA – Canada’s Political Parties, Media Vulnerable to Foreign Hacks: Spy Agency
The Communications Security Establishment said it expects multiple groups will “deploy cyber capabilities” in order to influence the outcome of the next federal election. CSE’s assessment is largely an outline of the different types of “cyber threats” to Canada’s electoral process. The good news is Canada’s low-tech, largely paper-based electoral system appears to be largely safe from the kind of hacks seen in other countries. Ballots are paper, voter lists at polling stations are paper-based, and CSE officials say the elections agency has strong cyber defences in place. The bad news is that politicians, political parties, and traditional and social media are much more vulnerable to hacking and influence operations. And it will be up to politicians and media — not CSE — to guard against them. According to the agency’s report, malicious actors can use “bots” to hijack political discussions online — basically millions of fake Twitter or Facebook accounts broadcasting “false or defamatory information” against a candidate or party. Canadian parties’ voter databases — huge stores of information on individual Canadian voters, not subject to federal privacy or information security rules — are also vulnerable to theft or manipulation, according to the report. [The Star]
CA – Conservative MP Says Constituency Office Computers Were Hacked
Conservative MP and former party leadership candidate Deepak Obhrai says the computers at his constituency office in Calgary fell victim to a virus. The apparent hack comes just two days after worldwide ransomware attacks disabled government, airline and banking networks, with Ukraine hit especially hard earlier in the week. There is no evidence that the virus affecting Obhrai’s office is part of that wider series of attacks, however. The incident in Calgary also comes about a week after Canada’s Communications Security Establishment (CSE), which monitors online threats against the government, launched a series of training sessions for all federal parties to help them better defend against cyberattacks. [GlobalNews]
CA – PMO Says It Can’t Reveal Staff Salaries Due to Privacy Issues
The Liberal government says it would violate privacy law to reveal the salary details of top aides to Prime Minister Justin Trudeau who are earning at least $150,000 annually. A spokesman for the Privy Council Office said that fewer than 10 PMO staff earn more than 150,000 but refused to name them or even provide an exact number. “We are unable to provide additional information due to privacy considerations,” said PCO spokesman Paul Duchesne. CTV News obtained a list of exempt staff working in the Trudeau’s office and their salary ranges, in a heavily-redacted document that excludes all the names and also blanks out the salary ranges for those in the $150,000 to $350,000 ranges. The salary ranges for Trudeau’s top aides — Chief of Staff Katie Telford and Principal Secretary Gerald Butts — are not provided. The lack of disclosure from the country’s top elected office contrasts with other jurisdictions, where salary information about senior officials is automatically disclosed. [CTV News]
CA – AB OIPC Says Thousands in Province Targeted by Hackers Annually
The growing number of breach notification decisions released by Alberta’s Office of the Information and Privacy Commissioner (OIPC) have shown an increasing trend of online hacks, phishing and so-called social engineering ploys that compromise the personal data of hundreds of thousands of Albertans every year. Jill Clayton, Alberta’s privacy commissioner says online data breaches are becoming a major focus of her office. Clayton said there’s been solid buy-in from the private sector on self-reporting breaches, with about 30% reporting them even if there doesn’t appear to be any real risk of harm based on stolen data. The rise in online breaches has meant a reciprocal increase in the number of files handed by OIPC, Clayton said. In 2016-17, her office saw a 70% increase in files compared to just five years ago. And those trends aren’t likely to reverse, Clayton added. [Calgary Herald]
CA – Alberta Police Draft Policy on Naming Victims Now with OIPC
A draft report from the Alberta Association of Chiefs of Police on standardizing the policy on naming homicide victims is now with the Office of the Privacy Commissioner. It’s the result of work done by the police chiefs and the lawyers from their organizations over the last couple of months after some inconsistencies were discovered around the province. EPS Chief Rod Knecht said in an interview “There clearly was differences in the way we were applying the release of homicide victims’ names across the province. We landed on some consensus. We developed a policy around that consensus. That has now gone to the privacy commissioner which is probably the best place for it to go. They’ll come back and say, ‘this is a policy, this is a good policy, this is how the policy should be interpreted and this is how all police across Alberta should be doing this. If you back up the bus a little bit I think our interpretation was a good interpretation, but let’s see what the privacy commissioner comes back with.” [Global News]
CA – Regina, Saskatoon Transit Have Provided Police with Transit Card Information in Investigations
Transit systems in Regina and Saskatoon say they have shared transit card information with police to help with an investigation. Saskatoon Transit said it hands over generic card information to police about five times a year, often to confirm whether or not a person was using the bus at a specific time. In Regina, spokesperson Nathan Luhning said police have asked for information once, in relation to a missing persons case. Luhning said police are often more interested in video recorded from the bus, which also requires a Freedom of Information request. [CBC]
CA – ON OIPC 2016 Annual Report Pushes Public-Sector Big Data Law
In his 2016 Annual Report, Facing Challenges Together, Ontario’s Information and Privacy Commissioner, Brian Beamish, is calling for a number of legislative changes to enhance both access to information and protection of privacy in Ontario. One proposal is for the government to enact legislation that would allow public institutions to share personal information for policy and research purposes while protecting individual privacy by establishing a strong, government-wide framework for big data programs. Ontario IPC Brian Beamish said “We now live in the era of big data, where information technology holds the promise of creating a more efficient and responsive public service. However, we must not overlook the risks to privacy in pursuit of the benefits. It is possible to use big data in a privacy-protective manner but it will require fundamental changes to privacy legislation, involving government, citizens, and regulators.” This recommendation is one of several tabled by the Commissioner in his 2016 annual report. Further recommendations include: 1) Clarify Solicitor-Client Privilege Exemption; 2) Framework for Electronic Health Records; 3) Increased Transparency of Ontario’s Medical System; 4) Ensure the Security of Abandoned Health Records; 5) Public Disclosure of Health Privacy Breach Prosecutions; and 6) Routine Audits of Freedom of Information Practices. [Information and Privacy Commissioner of Ontario]
CA – ON OIPC Calls for Transparency in Assisted Dying
In his annual report [see here] last week, privacy commissioner Brian Beamish took aim at the Medical Assistance in Dying Statute Law Amendment Act, or Bill 84, which became law in Ontario last month. The act, in part, is a green light for secrecy. Any information that could identify hospitals, long-term care homes or hospices that offer medically assisted death is now exempt from freedom of information laws. Before the bill became law, [Beamish] recommended amendments that kept the names of physicians anonymous but the names of facilities public. “Information should be public unless there’s a really good reason why it shouldn’t be,” Beamish told the Star. In this case, he said, there was no evidence presented by legislators to suggest any reason why hospitals and care facilities should be exempt from disclosing their practices. The same concern was presented by Hamilton Health Sciences ethicist Andrea Frolic at a committee meeting about the bill in March. Frolic praised the protection of physicians, but questioned why publicly funded facilities could draw a dark curtain over their practices. “Information-sharing with the public is essential to patients’ informed decision-making,” she told the room, recommending that facilities disclose whether they grant assisted-death requests. [The Star]
CA – Ontario Doctors Go to Court to Keep Billing Information Secret
The information and privacy commissioner last year ordered the public disclosure of the top billers’ identities, along with amounts each receives in payments from the taxpayer-funded insurance plan. The information is business-related, not personal, and should be public because of the importance of transparency of government expenditures, the ruling said. A judicial review of that decision is being sought by the OMA and two groups of doctors — known in court submissions only as “several physicians affected directly by the order” and “affected third-party doctors.” They are asking a three-judge panel in Divisional Court to quash the information and privacy commissioner tribunal’s order. [The Star]
CA – BC Court Finds Email Communications Mistakenly Disclosed Are Privileged
The BC Court of Appeals has considered whether communications between government lawyers and employees were protected by solicitor-client privilege. Email communications between a government employer and employees of the agency were inadvertently included in a package of documents disclosed in response to an access request; disclosure of communications where the lawyer recommended a particular decision be made, or involving employee discussions of the lawyer’s advice would reveal previous legal advice given, and inadvertent disclosure of a privileged document does not result in an implied waiver of privilege. [AG of BC v. Kyla Lee et al. – 2017 BCCA 219 CanLII – Court of Appeal for British Columbia]
Consumer
US – Survey Shows Consumers Need More Education on Identity theft
In 2016, over 15 million Americans were victims of identity theft, up 16% from the previous year. News of data breaches and the risks of identity theft and fraud persist, but consumers’ vigilance and awareness haven’t kept pace. A national survey by Experian revealed that not only is America’s collective guard down, but people feel they are at a disadvantage when it comes to identity theft. While 84% of respondents acknowledge being concerned about the security of personal information online, almost two-thirds (64%) agree it’s too much of a hassle to constantly worry about securing personal information online. The majority say staying on top of financial transactions is a challenge (53%), and nearly half (48%) don’t check their credit reports regularly for errors or suspicious activity. [Inside Counsel]
US – Privacy Paradox: People Like the Idea but Not the Effort Study Shows
In “Digital Privacy Paradox: Small Money, Small Costs, Small Talk,” a new paper published through the National Bureau of Economic Research, the authors explore a phenomenon that has been widely observed: The disconnect between what people say about privacy and what they do. t’s a discrepancy that calls into question the validity of notice and consent, the foundation of privacy rules. Susan Athey, professor of economics at Stanford, said the paper does not address how legislation should be calibrated. “It suggests that users’ preferences for privacy may not be particularly strong, which has the implication that if privacy regulation imposes costs, it can be important to carefully consider whether preferences are strong enough to outweigh the costs in the particular context.” [The Register]
WW – Global Survey Finds Most Consumers Read App Privacy Policies
More than half of consumers, 53%, say it is “extremely important” that they know an app or service is using their personal data, a new survey has found. [Mobile Ecosystem Forum’s Consumer Trust Report see here] The survey of 6,500 people in Belgium, China, France, Germany, Poland, Romania, South, Africa, Spain, UK and the US were surveyed in the second quarter of this year revealed 75% of respondents always or sometimes read privacy policies and terms of conditions before signing up to a mobile app or service. A total of 86% of them say they will go on to take some kind of action if their trust is challenged. Almost half will stop using a service (a year-on-year increase from 38% to 44%) and nearly one in three (30%) will warn friends and family. [Irish Times]
E-Mail
WW – Too Smart to Fall for A Spear-Phishing Message? Think Again
Researchers believe that under the right conditions anyone can be fooled by a spear-phishing message. Experts at GreatHorn, a cloud-security company with a vested interest in spear phishing, write in the company’s 2017 Spear Phishing Report that more than 90% of phishing emails captured from March to November 2016 contain spear-phishing components designed to impersonate a person familiar to a business user in order to fool the recipient into thinking the message came from a trusted source. For several years, security researchers from Friedrich-Alexander-Universitat [see here], and from Universitat des Saarlandes [see here], have been interested in what they consider unexplored territory related to spear phishing. In their paper Unpacking Spear Phishing Susceptibility, the researchers explore the decision-making process of users when they are enticed by an advertised link in a variety of spear-phishing messages. The selected participants were sent either an email or a personal Facebook message with a link from a non-existing person, claiming the link led to pictures from a party. Out of 720 participants, 117 clicked on the link, 502 did not, and the remaining 101 participants could not remember if they clicked or not. The proverb “curiosity killed the cat” seems applicable, as the number-one reason for clicking on the link was curiousness. “The participants explained that they knew the pictures could not be for them, but were interested in the supposedly funny or private content.” [TechRepublic]
US – CERT Issues Security Warning About Email Attachments
The U.S. Computer Emergency Readiness Team (“US-CERT”) has issued a security warning concerning email attachments. Recommended steps for protection include being wary of unsolicited attachments even from known senders (confirm the legitimacy of the email with the supposed sender), keep software up to date (install patches), trust one’s instincts (do not open a suspicious attachment even if anti-virus software says it is ok), save and scan any attachment prior to opening it, turn off the automatic download attachment option, consider creating a separate restricted account on the computer, and apply other security practices (e.g. a firewall). [Security Tip (ST04-10) – Using Caution with Email Attachments – US-CERT]
WW – Google Will Stop Scanning eMail for Targeted Ads
By the end of this year, Google will stop scanning Gmail messages to serve personalized advertisements to users. Google has already stopped the practice in its G Suite Gmail. Ads will instead be served based on users’ settings.
CA – CASL Survey Report Clarifies Anti-Spam Compliance Strategies
Fasken Martineau in collaboration with the Direct Marketing Association of Canada (DMAC) has launched the outcome of the first-ever CASL (Canada’s anti-spam legislation) Survey Report. The report gives a clear picture of how organizations comprehend CASL and comply with its terms and conditions when it comes to implementing effective strategies and programs. The report aims at assisting businesses and companies to apprehend the common barriers in acknowledging and accepting CASL compliance. The report also reflects the gap between how organizations understand CASL and what measures they have adopted to comply with the regulations. Additionally, it shows that even being in force for three years, the key elements of the CASL laws are still not fully understood or implemented. The survey output clearly indicates that most companies who assume that they are compliant. [MarTech Series Blog]
US – FTC Launches Review of Its Email Marketing Rule
The FTC announced that it is undertaking a review of its CAN-SPAM Rule, which sets out the requirements for sending commercial e-mail messages. Among other things, the CAN-SPAM Rule requires that senders of commercial e-mails provide recipients a mechanism to opt out of receiving commercial e-mails, honor opt-out requests within 10 business days, and include specific disclosures in the body of the commercial messages. The FTC specifically is asking for comments from the public on the following topics: a) The economic impact and benefits of the CAN-SPAM Rule; b) Possible conflict between the CAN-SPAM Rule and state, local, or other federal laws or regulations (note that the CAN-SPAM statute preempts state commercial e-mail laws, except to the extent they prohibit “falsity or deception”); and c) The effect any technological, economic, or other industry changes have had on the CAN-SPAM Rule. [Inside Privacy]
US – House Judiciary Continues Email Privacy Law Overhaul Debate
At a June 15 hearing of the House Judiciary Committee U.S. tech sector and bipartisan lawmakers pushed for updates to the nearly 30-year-old Email Communications Privacy Act (ECPA) [see here] and its related Stored Communications Act (SCA) [see here]. ECPA bans unauthorized interception of electronic communications. The SCA, which is part of ECPA, prohibits unauthorized access of electronic communications in a storage facility. Tech giants such as Alphabet Inc.’s Google, Apple Inc., Amazon.com Inc., and Microsoft Corp. have supported updates to ECPA and the SCA. Updating the law would lift legal uncertainty that U.S. technology companies and email service providers say they face. They often have overseas data centers and get requests from law enforcement agencies for data related to investigations. However, ECPA remains unclear as to how much and which data stored abroad is available under such requests, they say. The House Feb. 6 passed a measure to update ECPA. The Email Privacy Act (H.R. 387) [see here], introduced by Rep Kevin Yoder (R-Kan.), would require law enforcement to obtain a warrant before obtaining data “that is in electronic storage with or otherwise stored, held or maintained by that service,” regardless of the age of the communications. On the Senate side, Sen. Orrin Hatch (R- Utah) recently introduced the International Communications Privacy Act [see here], which would establish a legal framework for law enforcement bodies to use warrants to obtain emails sent to or from any U.S. citizen, even if that person—or the server being used to send and store emails—is overseas. The Senate has yet to take up the measure. [BNA.com]
Encryption
WW – Five Eyes Alliance Stress ‘More Timely and Detailed’ Information Sharing to Detect Terrorists
Public security ministers and attorneys general from Canada, the U.S., Britain, Australia and New Zealand gathered in Ottawa for two days of closed-door talks. A joint communique [see here & PR here] indicated Security officials are worried about the widespread availability of encryption tools and applications that can allow extremists to more easily communicate without their phone calls and texts being intercepted. Civil libertarians argue the right of law-abiding people to converse in private should not be compromised in the name of fighting terrorism by giving authorities the means to crack encryption or build back doors into security programs. The alliance said the ability of terrorists and other criminals to shield their electronic activities through encryption can “severely undermine public safety efforts by impeding lawful access to the content of communications.” They agreed to a common approach to engaging with communication service providers to deal with online terrorist activities and propaganda, while “upholding cybersecurity and individual rights and freedoms.” [The Star See also: Globe & Mail: The battle over encryption and what it means for our privacy | Australia Advocates Weakening Strong Crypto at Upcoming “Five Eyes” meeting | Five Eyes intelligence alliance meeting in Ottawa to tackle digital terror tactics | ‘Five Eyes’ talks in Canada to focus on encryption: Australian PM ]
UK – PM Pushes Demand for Gov’t Access to Encrypted Messages
Britain is once again focusing on a controversial plan: to regulate the internet. On one side are British policy makers and law enforcement officials, who want to crack down on how extremist messaging and communication are spread across the internet. On the other are privacy and freedom of speech groups — alongside the tech giants themselves — who say that the government’s proposals go too far. Recent legislation already gives Britain’s law enforcement officials some of the world’s strongest powers to read and monitor online chatter from potential extremists. Now the country’s politicians want to go further. Earlier this month, prime minister Theresa May told the British public. “We need to do everything we can at home to reduce the risks of extremism online” Echoing a similar message by her government after a previous attack in Manchester. Part of that plan is to demand that companies such as Apple and Facebook allow Britain’s national security agencies access to people’s encrypted messages on services like FaceTime and WhatsApp. [The New York Times]
EU – End-to-End Crypto Plan Puts Europe On Collision Course With UK
Proposed draft legislation [see here] by European Parliament’s Committee on Civil Liberties, Justice, and Home Affairs [LIBE] potentially puts EU at loggerheads with the UK over the encryption debate. The proposals, which could enforce the use of end-to-end encryption as an extension of individual privacy, look to enshrine “a high level of protection of individuals with regard to their fundamental rights of private life and data protection” into European law. As such, Theresa May’s government, which has expressed concerns about the use of encryption, may find itself on a collision course with European legislators over internet privacy rights. The recommendation by European Parliament MEPs comes as the UK government – in addition to beginning Brexit negotiations has called for more power over the internet, including the possibilities of weakening encryption and being able to place backdoors into devices. [ZDNet]
EU Developments
EU – WP29 Fire Warning Shots Ahead of First Privacy Shield Review
Europe’s data protection chiefs have fired a warning shot across the bows of the executive body of the Union ahead of the first annual review of the EU-US Privacy Shield. The Article 29 Working Party set out a series of concerns about Privacy Shield as far back as April 2016. They’re now gearing up for the annual review, due to take place in the US in September, and today say they’ve sent the EC a letter setting out their views and recommendations, and reserving the right to publish their own report “subject to the outcome of the Joint Review and the report of the Commission”. The WP29 describes the forthcoming review as “a fact-finding mission in order to collect the relevant information and necessary evidence to assess the robustness of the Privacy Shield”. [see 2 pg PDF here] [TechCrunch]
EU – EU Deals Theresa May Encryption Setback as MEPs Propose Ban on Government Backdoors
EU MEPs have tabled laws that would forbid countries in the EU from breaking the electronic protection that prevents security services from reading messages sent via WhatsApp. The plans would also impose obligations on tech companies that do not currently apply encryption to messages to do so. The proposals would be a major setback to Theresa May’s election pledge that terrorists should have no “safe space” to conspire online, and threatens existing security legislation that requires companies to remove encryption where possible. The proposals, from MEPs on the European Parliament’s Civil Liberties, Justice and Home Affairs Committee[LIBE], have been tabled as amendments to draft EU privacy legislation. The proposals will first have to be approved by MEPs and scrutinised by the EU Council. As well as hampering any attempts to access encrypted messages, the rules could also imperil the Investigatory Powers Act [see here and here], [Telegraph.co] See also: [Highlights of the draft LIBE report on the ePrivacy Reg | EU Parliament Wants Stronger Privacy in e-Communications Proposal]
EU – Parliamentary Committee is Concerned About Technical Neutrality, Cookie and Tracking Provisions
An EU parliamentary committee has issued its rapporteur’s opinion and recommendations on the proposed ePrivacy Regulation. The Regulation is narrowly focused on browsers, making a strict distinction between first and third party cookies that is not future proof; the impact on privacy of a cookie should be based on its purpose, the types of data it collects and how the collected data is shared. Data emitted by terminal equipment and collected to enable to connect to another device should not occur, even if there is a sign informing users of the tracking area; this creates a risk of fears and anxiety among end-users without providing them with the ability to opt-out of being tracked. [European Parliament Committee on Industry, Research and Energy – Draft Opinion for the Committee on Civil Liberties, Justice and Home Affairs on the ePrivacy Regulation]
EU – Proposed Regulation Does Not Protect Communications Content and Metadata
The Directorate General for Internal Policies, on request from the EU Parliament, has assessed the standards of privacy protections in the proposed ePrivacy Regulation. Analysis of communications content and metadata should only be permitted in strictly necessary, limited circumstances, or if end users provide meaningful consent, and individuals should not be required to allow analysis for marketing purposes; storage of anonymised communications content should be permitted only in specific circumstances (given that it is difficult to anonymise email messages or phone conversations). [An Assessment of the Commissions Proposal on Privacy and Electronic Communications – Directorate General for Internal Policies
EU – EBA Issues Draft Guidance for Outsourcing Cloud Services
The European Banking Authority has issued a consultation paper on proposed recommendations on outsourcing to cloud service providers. Organisations should conduct assessments on the materiality of business activities proposed for outsourcing (impact of outages, disruptions), maintain a register of all information related to outsourced activities, and consider the potential risks and oversight limitations of outsourcing outside of the EEA; written agreements with providers should provide full access and audit rights, require that sufficient security protections are put in place, specify activities excluded from potential subcontracting, include an obligation for the provider to orderly transfer activities in case of termination. Comments can be submitted until August 18, 2017. [EBA – Consultation Paper – Draft Recommendations on Outsourcing to Cloud Service Providers under Article 16 of Regulation No. 1093/2010]
UK – NHS DeepMind Deal Broke Data Protection Law, Regulator Rules
A London hospital trust was wrong to share details of 1.6 million patients with Google’s artificial intelligence company DeepMind, the UK’s data protection regulator has said. [See PR here & blog post here] Following a year-long investigation the Information Commissioner’s Office (ICO) has ordered the Royal Free NHS Foundation Trust to set-out a proper legal basis for processing the patient data. The data watchdog said the Trust didn’t properly tell patients that their information would be used as part of the work with DeepMind. The ICO said the NHS Trust is the controller of personal data and as a result is responsible for how patient information is used. The regulator said patient information wasn’t processed fairly and lawfully, was excessive, wasn’t used within the rights of the subjects and contractual controls weren’t in place. Overall, four of the Data Protection Act 1998’s principles were broken. [Wired]
UK – ICO’s Strategic Plan for the ‘New Frontier’ of Data Protection
The ICO recently published its Information Rights Strategic Plan for 2017 – 2021. Within it, the ICO Commissioner, Elizabeth Denham, asserts that we are on the “edge of a new frontier,” and that the data protection landscape is about to be reshaped by the “game changing” General Data Protection Regulation (the ‘GDPR’). The Plan also emphasises the ICO’s commitment to achieving the aforementioned goals by: (i) exploring innovative and technologically agile ways to protect privacy; (ii) leading the implementation of the GDPR and other data protection reforms; (iii) strengthening transparency and accountability by promoting good information governance; and (iv) protecting the public in a digital world. The highest priorities for the ICO for the first two years of this five-year plan will be preparing business processes and guidance for the GDPR, the Law Enforcement Directive and the ePrivacy Regulation, in order to avoid the ICO’s biggest risk: not being prepared in time. [Technology Law Dispatch]
UK – ICO Announces Grants Programme for Independent Research
The ICO have launched their first ever Grants Programme for new, independent research into data protection and privacy enhancing solutions, and we believe it is a genuinely exciting development. The programme will also help us achieve many of the key goals set out in the ICO’s new Information Rights Strategic Plan – for example, staying relevant and keeping abreast of evolving technology, improving standards, increasing public trust and maintaining and developing international leadership and influence. For many years the ICO has run research tenders to support specific policy projects and we have very much valued our interactions with the academic community, NGOs and innovators and the input they’ve had into our work. This new programme will take a broader ‘horizon-scanning’ approach, encouraging them to develop new insight and solutions into key data protection and privacy challenges posed by new technologies such as artificial intelligence and machine learning. [Information Commissioner’s Office Blog]
EU – Article 29 Working Party Releases Extensive GDPR Guidance on Data Processing at Work
The EU’s Article 29 Working Party has issued new guidance on data processing in the employment context (available here). Adopted on June 8, 2017, the guidance primarily takes account of the existing data protection framework under the EU Data Protection Directive, but also considers the developments coming into force on May 25, 2018 under the EU General Data Protection Regulation). The WP29 released the guidance partly as a result of the GDPR, but also due to the number of new technologies that have been adopted since previous WP29 publications relating to personal data in the workplace The new guidance is not restricted to the protection of persons with an employment contract, but is more expansive in scope and intended to cover a range of individuals in an employment relationship with an organization, such as applicants and part-time workers (the term “employee” applies broadly in all such contexts). The WP29 also intends to release guidance in the coming months on other GDPR topics such as transparency, certification, breach notification and data transfers, to add to recent guidance on data portability, Data Protection Officers and the “One Stop Shop.” [Inside Privacy]
EU – Germany Merkel’s CDU Party Criticizes Data Minimization Principle
Proposals that German firms could start scooping up more than just essential personal data have been met with anger by privacy advocates. “Der Spiegel” reported on a CDU Angela Merkel’s party strategy paper that criticizes the principle of data minimization, or “Datensparsamkeit”. The term refers to collecting only the data you really need through sensors and online platforms, rather than scooping up as much as you can. According to the CDU document, data minimization should no longer be a general guideline as it “reduces opportunities for new products and services and potential progress”. Rights activists see things quite differently. Joe McNamee, the executive director of the Brussels-based European Digital Rights (EDRi), said a shift towards recording and exploiting more data would reduce people’s trust in European digital services. “The CDU’s political spin is horrifyingly ill-informed, ill-conceived and naïve,” McNamee said. [ZDNet]
EU – Germany Probes Facebook Over Claims It ‘Extorts’ Data from Users
Germany’s Federal Cartel Office is examining whether Facebook essentially takes advantage of its popularity to bully users into agreeing to terms and conditions they might not understand. The details that users provide help generate the targeted ads that make the company so rich. In the eyes of the Cartel Office, Facebook is “extorting” information from its users, said Frederik Wiemer, a lawyer in Hamburg. “Whoever doesn’t agree to the data use, gets locked out of the social network community,” he said. “The fear of social isolation is exploited to get access to the complete surfing activities of users.” It’s “more radical” than the EU’s Google case [see here] “because it asserts that privacy concerns can be antitrust concerns” and that consumers have a broader role than buyers of services in an economy, said Alec Burnside, an attorney at Dechert in Brussels. Some lawyers say the Facebook case is so novel in its approach to antitrust that the Cartel Office should have left the question of whether the company abuses users’ data to privacy regulators. Those watchdogs, once relatively toothless, will be empowered next year when tougher EU data privacy rules take effect, allowing them to levy fines of as much as 4% of global annual sales. Ironically, Facebook may have less to fear financially from a Cartel Office probe as, unlike Google, it may not be fined. The current terms of the investigation rule out a financial penalty even if it’s found to breach antitrust rules. At worst, Facebook faces an order to change how it operates. [Bloomberg via The Independent]
UK – Privacy International Sends Brexit Teams Anti-Surveillance Package
Rights group Privacy International (PI) has sent Brexit negotiators advice and technology designed to mitigate the risk of surveillance by intelligence agencies on the opposite side.[See PR here] With the long-awaited EU divorce negotiations starting today, the privacy NGO claimed that there’s a heightened risk of sophisticated tools and tactics being used to enable one side or the other to gain the upper hand. The PI package contains a short briefing warning the recipient against the surveillance powers available to the UK and some European agencies, as well as a Faraday Cage to protect their mobile devices. The gesture is mainly symbolic given the range of powers at the disposal of the British and European intelligence agencies, Privacy International admitted. PI warned the Brexit negotiators that government agencies can remotely activate mobile device mics, webcams and GPS systems; force service providers to decrypt comms; intercept internet traffic travelling on undersea cables; and access intelligence collected by their spy agencies. [InfoSecurity]
Facts & Stats
US – Cost of Breaches in the US Hit Record High
Breaches cost companies an average of $225 per compromised record ($221 in 2016), and the average total cost was $7.35 million ($7.01 in 2016); heavily regulated industries have higher breach costs, e.g., healthcare ($380) and finance ($336), and malicious or criminal attacks continue to be the primary cause of breaches (52%) as well as the costliest ($244). [2017 Ponemon Cost of Data Breach – US]
CA – Breach Costs Down but Canada’s Are Second Highest in World
The average cost of a data breach suffered last year by 27 Canadian companies was $5.78 million, or $255 per lost or stolen record, according to a new study. It was the third annual report, paid for by IBM and conducted by the Ponemon Institute, part of a survey of 419 breached organizations in 11 countries and two regions.[See here] The good news is that the Canadian numbers represent a 4% decrease in the total cost of a data breach among the group studied, and a 9% decrease in the cost per lost or stolen record, compared to the 2015/2016 study period. The bad news is it’s still a lot of money. Of all nations studied the Canadian group had the second highest costs. One important take-away from the report is how being proactive can reduce the cost of a breach per record. [IT World Canada]
CA – Cost of Breaches to Canadian Companies Decreased
The average cost per compromised record decreased from $278 to $255, and the root cause of data breaches were malicious or criminal attacks ($269 per capita cost), system glitches ($243 per capita cost), and human error ($241 per capital cost); preventative measures taken after a data breach include training and awareness programs (65%), additional manual procedures and controls (50%), identify and access management solutions (41%), and expanded use of encryption (40%). [2017 Ponemon Cost of Data Breach – Canada]
Filtering
CA – Supreme Court Rules Search Engine Must De-Index Websites Worldwide
The Supreme Court has heard an appeal of a decision of the BC Supreme Court, requiring Google Inc.to de-index specific search results. The US search engine must stop indexing or referencing websites selling infringed products from locations outside Canada; the search engine was crucial to the website owners being able to sell counterfeit goods (which they were ordered not to sell by a BC court), the only way to ensure the injunction’s effectiveness is to apply it worldwide, and any negative impact on freedom of expression is outweighed by the need to prevent harm from facilitating the sale of the counterfeit goods. [Google Inc. v. Equustek Solutions Inc. – 2017 SCC 34 – Supreme Court of Canada | Related Article]
CA – Supreme Court Rules 7-2 to Facilitate Worldwide Internet Censorship
In a 7-2 majority decision written by Justice Rosalie Abella that has “troubling” implications for free expression online, the Supreme Court of Canada upheld a company’s effort to force Google to de-list entire domains and websites from its search index, effectively making them invisible to everyone using Google’s search engine [See Google v. Equustek] EFF intervened in the case, explaining [.pdf] that such an injunction ran directly contrary to both the U.S. Constitution and statutory speech protections. Issuing an order that would cut off access to information for U.S. users would set a dangerous precedent for online speech. In essence, it would expand the power of any court in the world to edit the entire Internet, whether or not the targeted material or site is lawful in another country. That, we warned, is likely to result in a race to the bottom, as well-resourced individuals engage in international forum-shopping to impose the one country’s restrictive laws regarding free expression on the rest of the world. Beyond the flaws of the ruling itself, the court’s decision will likely embolden other countries to try to enforce their own speech-restricting laws on the Internet, to the detriment of all users. As others have pointed out, it’s not difficult to see repressive regimes such as China or Iran use the ruling to order Google to de-index sites they object to, creating a worldwide heckler’s veto. The Equustek decision is part of a troubling trend around the world of courts and other governmental bodies ordering that content be removed from the entirety of the Internet, not just in that country’s locale. On the same day the Supreme Court of Canada’s decision issued, a court in Europe heard arguments as to whether to expand the right-to-be-forgotten worldwide. [Electronic Frontier Foundation] See also: Open Media: Disappointing Supreme Court ruling has worrying implications for online free expression and access to information in Canada and across the globe | Canada Claims Authority to Censor Your Internet Searches
Finance
US – Financial Institutions Cautioned that Communications Using Emerging Technologies May Fall Under FINRA Rules
The Financial Industry Regulatory Authority (“FINRA”) has provided guidance regarding the application of FINRA rules governing communications with the public to digital communications, in light of emerging technologies and communications innovations. Registered entities are required to retain interactions with investors conducted using text messaging apps and chat services if the communication is about business; entities must not establish links to any third party site that the entity knows contains false or misleading content, and “likes” or sharing of social media comments by a representative. Comments that were posted by a third party about an entity representative will be subject to FINRA’s communications rules. [Financial Industry Regulatory Authority – Regulatory Notice 17-18 – Social Media and Digital Communications]
US – Study: Why Are So Many Customers Still Afraid of Mobile Banking?
In a new study [see here], J.D. Power asked 5,364 adults in the U.S. what they thought of the mobile offerings of the 10 largest banks and the 10 biggest credit card issuers and USAA. Overall mobile adoption among Americans remains relatively low — 31% for banking and 17% for credit cards, according to J.D. Power. It’s not surprising that card apps are used less, because they’re typically limited to providing balances, payment due dates and loyalty points. Online banking adoption, by contrast, is 80%. A major barrier — and perhaps one of the easiest to address — is that many are unsure how to use mobile banking: 39% of users say they don’t fully understand their mobile banking and credit card apps. At least that’s down from 61% in 2012, when mobile banking was still in its early days. Only 32% of consumers trust mobile banking, the study found. Only 42% of consumers feel their personal data is adequately protected by their bank when they use mobile apps. [American Banker]
FOI
CA – NL Privacy Commissioner to Investigate Sunshine List Screw-Up
Their names were supposed to be kept off a published list of Newfoundland and Labrador public servants who earned $100,000 or more in 2016, and now the province’s Information and Privacy Commissioner is launching a formal investigation into why police officers didn’t get the protection they were promised. Donovan Molloy announced Thursday that his office is acting on its own, without a complaint. [See here] The investigation will look into why employees who were granted an exemption from the so-called Sunshine List disclosure had their privacy breached, and why information not authorized for disclosure was published. [CBC]
CA – OIPC BC: Landlords May Process Tenants’ Information to the Extent Necessary
The Office of the information and Privacy Commissioner for British Columbia has issued guidance to assist landlords and property managers in meeting their obligations under the Personal Information Protection Act. Landlords may collect tenant’s information to make a decision about whether or not to rent the property (e.g., pay-slip, T4, other landlords references, credit reports, etc.), but to use it for another purpose the tenant’s consent is required; landlords should examine their tenancy application forms to ensure that there is a business need for collecting the information and include statements about why it is collected. [OIPC BC – Privacy Guidance for Landlords and Tenants]
CA – OIPC AB May Authorize Entities to Disregard Access and Information Requests
The Office of the Information Privacy Commissioner of Alberta has issued a practice note about the authorization to disregard requests under the: Freedom of Information and Protection of Privacy Act (“FOIP Act”); Health Information Act (“HIA”); and Personal Information Protection Act (“PIPA”). The authorization is given under the criteria set out in the FOIP Act, HIA and the PIPA when the request would unreasonably interfere with the entity’s operation because of its repetitious or systematic nature, or is frivolous or vexatious. [OIPC AB – Practice Note Authorization to Disregard Requests]
CA – OIPC BC Provides Guidance on Preparing for a Written Inquiry
The BC Office of the Information and Privacy Commissioner has issued guidance for organizations participating in an OIPC-inquiry. When public bodies are participating in an OIPC-review of an FOI or access decision, submissions should include arguments about how relevant legislation applies, copies of letters, meeting minutes, transcripts, affidavits, expert reports, meeting minutes, or in camera material; information or records related to the mediation process and attempts to settle issues should not be included (to preserve the ‘without prejudice’ nature of the process), and new issues or exceptions not listed in the notice of inquiry should not be included. [OIPC BC – Instructions for Written Inquiries]
CA – Supreme Court Rules User May Sue U.S. Social Network in B.C. Courts
The Supreme Court of Canada has considered whether a U.S. social network may impose a forum selection clause on users. The Court ruled that while the social network’s terms of use forum selection clause is enforceable, there is strong cause not to do so; there is gross inequality of bargaining power between the parties (i.e. individual consumers have no choice but to agree to the terms of use), the B.C. Privacy Act cause of action implicates quasi-constitutional privacy rights of British Columbians, B.C. courts are in better position to adjudicate regarding local legislation, and B.C. citizens would face the expense and inconvenience of litigating in California. [Deborah Louise Douez v. Facebook, Inc. – 2017 SCC 33 – Supreme Court of Canada | CBC]
CA – OIPC AB: Information that Merely Relates to a Legal Service is not Privileged
The Office of the Information and Privacy Commissioner in Alberta has reviewed an inquiry into the Alberta Justice and Solicitor General’s response for records under the Freedom of Information and Protection of Privacy Act. The client-solicitor privilege does not apply to information that does not reveal the substance of the legal service such as date of emails, date of the proposed events, the subject lines of the emails, the participants in the emails or in the proposed events. [OIPC AB – Order F2017-44 April 28 2017 Alberta Justice and Solicitor General]
CA – OIPC AB Finds Public Body Was Authorized to Contact Petitioners
The Office of the Information and Privacy Commissioner of Alberta has reviewed a complaint regarding the unauthorised use of personal information by the Summer Village of West Cove, pursuant to the Freedom of Information and Protection of Privacy Act. An individual complained when the public body sent a letter asking questions about the petition she submitted (her name and address were documented next to her signature); however, the individual signed and submitted a written statement with the petition indicating that she could be reached if they had questions about the petition, and the public body used the information only to the extent required to obtain more information about why the petition was submitted. [OIPC AB – Order F2017-48 – Summer Village of West Cove]
CA – OIPC NL Issues Recommendations for Ensuring Proper PHI Handling
The Office of the Information and Privacy Commissioner in Newfoundland and Labrador has provided guidance on compliance with the Personal Health Information Act. Healthcare custodians must ensure information policies and procedures include appropriate measures for processing, storage and disposition of PHI; all individuals handling PHI must sign confidentiality agreements and be made aware of obligations relating to consent for collection, use and disclosure of PHI. Outsourcing agreements must include prescribed uses and disclosures of PHI and security arrangements, and material breaches of PHI must be reported to the OIPC and affected patients. [OIPC NL – Safeguard Newsletter – Volume 01 Issue 01]
CA – PEI Muni’s Working to Avoid Inclusion in Access to Info Law
The Federation of P.E.I. Municipalities is taking steps to help towns and communities become more proactively transparent in an effort to keep municipalities from being brought under access to information law. The federation has issued a request for proposals [see here] for an open municipal government toolkit, which would be an online resource for municipalities to use to develop more open government practices. In 2015, Premier Wade MacLauchlan gave municipalities and post-secondary institutions a two-year window to develop more transparent policies prior to a review of the Freedom of Information and Protection of Privacy (FOIPP) Act, which is to be conducted later this year. Prince Edward Island is the only province in Canada where municipalities are not subject to freedom of information law. The province’s publicly funded university and colleges are also not covered. But that’s something municipalities would rather not see changed P.E.I.’s privacy commissioner Karen Rose told a provincial standing committee in March she will likely make a formal recommendation to bring municipalities and post-secondary institutions under FOIPP legislation as part of a number of recommended changes and updates to the act that she is set to deliver to government. [The Guardian (Charlottetown, PEI)]
Health / Medical
UK – Google DeepMind Report Fails to Justify Use by the NHS, Claim Privacy Campaigners
A report [see here] that claims Google DeepMind did not break the law in its use of NHS patient data has failed to address the company’s breach of UK privacy laws, campaigners have warned. The independent review panel released its findings this week after the Information Commissioner’s Office (ICO) ruled the Royal Free NHS Foundation Trust breached the Data Protection Act when it provided DeepMind with the personal data of around 1.6 million patients. “Our legal advice found that DMH [DeepMind] had acted only as a data processor on behalf of the Royal Free, which has remained the data controller,” the report states. “It found no evidence that DMH had violated the data sharing agreement or any other contractual arrangements with the Royal Free. It found no evidence to suggest that DMH has breached confidence.” This classification makes the Royal Free liable for the breach, as the collection of information falls under the responsibilities of the data controller. DeepMind may, however, have been liable under the terms of the GDPR, which comes into effect across the EU in May 2018. The limited criticisms of DeepMind have raised the ire of privacy campaigners. The report failed to hold DeepMind accountable for its unlawful data processing or to fully investigate the company’s more questionable actions, campaign group medConfidential warned. The independent review panel’s principle concerns around DeepMind Health were an inadequate public engagement and a lack of clarity in the original information sharing agreement with the Royal Free Hospital. A total of 11 vulnerabilities were identified, none of which were deemed critical or high-level. A single medium level issue was revealed, that the report states “should be addressed but is not thought to present an immediate threat to the environment or data handled by it”. In a written response to the report, DeepMind health acknowledged that it should have done more to engage with patients at an earlier stage, and that its initial legal agreement with the Royal Free should have been more detailed. It pledged to continue to publish all its NHS contracts, and to support other groups developing healthcare technology. [Techworld]
Horror Stories
US – Voting Record Database Configuration Error Exposes Nearly 200 Million Records
Databases containing information about 198 million US voters was found to be stored in an Amazon cloud account with no access protection. The databases belong to Deep Root Analytics, a contractor employed by the US Republican National Committee (RNC). While the information contained in the database is by and large a matter of public record, having all those data aggregated could prove valuable to data thieves.
US – Lawsuit Targets Firm that Failed to Secure 198 million Americans’ Data
Two Floridians James and Linda McAleer filed a lawsuit last week against Deep Root Analytics, the campaign consultancy that accidentally left information on 198 million Americans accessible online without protecting it with a password. They want to turn [it] into a class action suit. Deep Root specializes in using data analytics to determine how to target specific voters. The exposed data included contact information and estimates of political preferences for around 80% of voting-age Americans. On June 19, researcher Chris Vickery of the security firm UpGuard announced that he had found Deep Root had configured that data to be available to any who visited Deep Root’s Amazon cloud storage account without needing to log in. According to a statement from Deep Root, the data was only exposed for two weeks. The lawsuit claims that Deep Root was negligent in the way it protected data and seeks to cover two classes of victims — the general public and Florida residents in particular. [The Lawsuit is Dr. James A. McAleer, et al. v. Deep Root Analytics LLC, Case No. 6:17-cv-01142, in the U.S. District Court for the Middle District of Florida. See here | The Hill | Dr. James Albert McAleer and Linda McAleer v. Deep Root Analytics, LLC – Middle District of Florida Orlando Division]
US – Anthem to Pay 115 Million USD in Breach Settlement
US healthcare company Anthem will pay 115 million ISD to settle several lawsuits related to 2015 breach of customer data. Most of the money will be used to pay for victims’ credit monitoring. [Anthem will pay $115 million in largest data breach settlement in history | Anthem Agrees to Settle 2015 Data Breach for $115 Million]
US – WSU Safe Heist Included Hard Drive with PII on 1 Million
WSU learned on April 21, 2017 that a “locked safe containing a hard drive had been stolen.” The hard drive contained the backup files from WSU’s Social & Economic Science Research Center (SESRC). On April 26, WSU confirmed PII was compromised. On June 9, they began informing those affected and sending breach notification notices to various state’s Attorney General Offices. In WSU’s public statement, they noted, “The drive contained documents that included personal information from survey participants, such as names, Social Security numbers and, in some cases, personal health information. Entities that provided data to the SESRC include school districts, community colleges, and other customers.” Normally when we associate a breach of this size, we ascribe it to a hacking incident or other technological magic. In this case it was a physical theft, of the safe, which was serving to protect the data stored within. The university in its letter to the New Hampshire Attorney General’s Office (NHAGO) noted that not all (though apparently some) of the files on the hard drive were encrypted. [CSO Online]
CA – Hackers Dump Data from Calgary’s Cowboys Casino Breach
Personal information along with the gambling habits and payouts of hundreds of patrons of Calgary’s Cowboys Casino have been dumped online by hackers, a year after a massive cyber attack. Thousands of files purportedly containing the personal information of patrons, customer payouts, tracking of gambling habits and the Calgary’s Cowboys Casino’s “elite members list,” were leaked to the data-sharing website Pastebin, along with a dire warning that even more information could be made public in the coming weeks. The post warns the data dump is the first, and the smallest, of four planned for release. Last June, the casino announced it had been the victim of a cyber attack on its computer system, warning that information from patrons and employees, along with corporate data, had been compromised. [See here] [Calgary Herald]
Identity Issues
WW – At least 44 States Refuse Trump Commission’s Demand for Voter Info
CNN reported that 44 states have now refused a request by the Trump administration to provide certain information about registered voters, ranging from their criminal records to time spent abroad. A CNN inquiry into all 50 U.S. states found that state leaders and voting officials across the country have been fairly quick to respond to the request for voter data, sent by the Presidential Advisory Commission on Election Integrity [see here]–and, in most cases, to reject it. The requested information includes registered voters’ full names, addresses, birth dates, political parties, a list of the elections they’ve voted in since 2006, whether they’ve registered to vote in other states, their military status, info on any felony convictions, whether they’ve lived overseas, and the last four digits of their social security numbers. Kansas Secretary of State Kris Kobach, vice chairman of the commission stated twice in the letter [see here] that only “public” information was being requested, and reiterated that “Every state receives the same letter, but we’re not asking for it if it’s not publicly available” Numerous states have already responded that they can’t provide the social security numbers, in the very least, while others objected to the commission’s request that states surrender this information through an online portal. [Forbes]
Location
US –SCOTUS to Hear Mobile Locational Privacy Case
On June 5, 2017, the US Supreme Court granted cert in “Carpenter v. United States” [see here], a case in the hotly contested area of mobile cellular location data privacy. The question before the Court is whether law enforcement must obtain a warrant for historical cell-site location information. On appeal, a panel of the Sixth Circuit upheld Carpenter’s conviction. [See here] In the majority opinion, Judge Kethledge concluded that the Fourth Amendment does not require a warrant for law enforcement officers to request historical cell-site location information. In reaching this conclusion, Judge Kethledge relied on the third-party doctrine, which stands for the proposition that individuals do not have a reasonable expectation of privacy in information that they voluntarily disclose to third parties such as mobile carriers. Notably, in a concurring opinion [see here at P.14], Judge Stranch expressed concern about applying the third-party doctrine to records which reveal personal location information, noted that “[d]etermining the parameters of the Fourth Amendment is the task of the judiciary”, and stated that the courts “have more work to do to determine the best methods for assessing the application of the Fourth Amendment in the context of new technology.” Judge Stranch is far from the first to invite reexamination of the third-party doctrine. To give but one example, in a concurring opinion in the 2012 GPS-tracking case “United States v. Jones” [see here], Justice Sotomayor wrote, “I would not assume that all information voluntarily disclosed to some member of the public for a limited purpose is, for that reason alone, disentitled to Fourth Amendment protection.” Regardless of whether the Supreme Court accepts Judge Stranch’s invitation, “Carpenter v. United States” may hold important compliance implications for carriers. [Comm Law Monitor]
Offshore
WW – Due Diligence: Vendor Management is Crucial for Data Protection
This article provides an overview of data privacy and security obligations in vendor management in the United States. Organizations should maintain a vendor data protection program by using the RFP process to establish minimum data protection qualifications for the contract, conducting privacy and security due diligence when selecting vendors, and being clear about to what extent vendors can use data for its own purposes; when negotiating a contract, organizations should define personal information broadly to include any and all identifiable information, impose requirements for retention, transition and destruction or return of data at termination of the agreement, and require mandatory breach notification to the organization. [Deeper Dive – Vendor Management Crucial for Data Protection – Alan L. Friel, Partner, BakerHostetler]
Online Privacy
US – Facebook Can Track Your Browsing Even After You’ve Logged Out: Judge
Plaintiffs alleged that Facebook used the “like” buttons found on other websites to track which sites they visited, meaning that the Menlo Park, California-headquartered company could build up detailed records of their browsing history. The plaintiffs argued that this violated federal and state privacy and wiretapping laws. US district judge Edward Davila in San Jose, California, dismissed the case because he said that the plaintiffs failed to show that they had a reasonable expectation of privacy or suffered any realistic economic harm or loss. [see 14 pg PDF here] Davila said that plaintiffs could have taken steps to keep their browsing histories private, for example by using the Digital Advertising Alliance’s opt-out tool or using “incognito mode”, and failed to show that Facebook illegally “intercepted” or eavesdropped on their communications. The plaintiffs cannot bring privacy and wiretapping claims, Davila said, but can pursue a breach of contract claim. To address privacy concerns, Facebook introduced a way for users to opt out of this type of advertising targeting from within user settings. [The Gurdian]
WW – Google Takes 2 Steps to Protect User Privacy
Google announced two new steps to protect user privacy — moving to scrub personal medical records from search results and halting its long-standing policy of scanning emails to deliver targeted ads. Previously, Google surveyed the contents of emails to provide personalized ads to users of its free Gmail service. Although paying Gmail customers were never subject to such scanning, Diane Greene, a senior vice president at Google, told Bloomberg that there was confusion about the policy among businesses that pay for its service. The shift comes as Google tweaked its search engine to help hide results that include “confidential, personal medical records of private people.” The change was also first reported by Bloomberg. Google has previously taken steps to mask search results that included individuals’ financial information and revenge porn — explicit photos uploaded without a person’s consent. [LA Times]
Other Jurisdictions
AU – OAIC Publishes Draft Guidance on Breach Notification
The Office of the Australian Information Commissioner has issued a draft guidance about data breach notification. Comments from interested parties can be submitted until July 14, 2017. If practicable, entities can notify each of the individuals to whom the relevant information relates or only those at risk of serious harm; where notification is not practicable, entities should publish a copy of the statement sent to the commissioner on their website. [OAIC Australia – Notifying Individuals About an Eligible Data Breach]
Privacy (US)
US – Google Urges Congress to Revise Outdated Overseas Data Laws
Access to data stored overseas has become a contentious issue with tech companies and the US government. Today, in a speech given to the Heritage Foundation [watch here], a conservative think tank, Google’s senior vice president and general counsel, Kent Walker, urged Congress to update the laws concerning this topic. On this front, Microsoft scored a major victory last year. Other courts reached opposing rulings in similar trials. In February, a US District Court in Pennsylvania ruled that Google had to comply with an FBI warrant to hand over data stored on an overseas server. And additional cases involving Google and Yahoo came to similar conclusions in Wisconsin, Florida and California. Walker today urged Congress to change relevant laws, making it clear what tech companies are to do when faced with government requests for data. He also proposed that the US should allow countries that commit to privacy and human rights to directly request data from US companies without have to first consult with the US government. [Engadget]
US – FTC Issues Recommendations for Complying With COPPA
The FTC has provided guidance for operators of websites and online services on protection of children’s safety and privacy online to ensure compliance with the Children’s Online Privacy Protection Act. Organisations should determine if children’s personal information is collected by its sites or services (including allowing another company to collect PI through the site or service, or passive online tracking), notify parents of the specific information being collected, and post a privacy policy that describes all operators collecting information; verify consent by having parents sign a consent form, call a toll-free number, connect via video conference, or verify an identity document. [FTC – Children’s Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business]
US – Senate Considers Changes to ECPA to Ease Foreign Data Access
Members of the Senate Judiciary Committee’s Subcommittee on Crime and Terrorism addressed practical issues regarding warrants for overseas data in a hearing titled “Law Enforcement Access to Data Stored Across Borders.” It featured representatives from the Attorney General’s office, the U.K. government, the private sector (Microsoft), as well as from academia. Senators and panelists raised a host of issues, but chief among them was the perceived absurdity that a U.S. enforcement agency that has a U.S.-issued warrant based on probable cause for the data of a U.S. citizen who is suspected of committing a crime in the U.S. against a U.S. victim will not be honored by a U.S. ISP if that individual’s data happens to be stored on a server in Ireland (or anywhere other than the U.S.). Senators participating in the hearing readily welcomed arguments that Congress should change the ECPA in a way that would (a) overturn Microsoft and return to the prior status quo, where warrants served on U.S. ISPs are honored even if the data is stored on a server located abroad, and (b) lift the restrictions in the EPCA that prevent U.S. ISPs from turning over data pursuant to foreign warrants (like those issued in the U.K.). The panel focused on the differences and similarities between data security laws in the U.S. and U.K., and in particular, discussed a proposed bilateral agreement between the countries that would essentially allow each country to honor the other’s search warrants. [Corporate Defense and Disputes Blog (Proskauer Rose) ]
US – FTC Said to be Probing Uber Over Privacy Practices
The FTC’s investigative staff is focusing its attention on potential data-handling problems at Uber, Recode reported Wednesday, citing four unnamed sources familiar with the matter. That might include an internal Uber feature known as “God View“ that lets employees see logs of customer activity. Recode said its sources cautioned that FTC staff members regularly question companies on consumer protection issues and then quietly close their inquiries without pursuing penalties. Uber was recently caught using an internal tool called Greyball to thwart efforts by local authorities to catch the ride-hailing company violating local regulations. Uber has since said it would stop using the tool for that purpose. The company was also caught using a program called Hell to spy on its rival Lyft. And Apple reportedly threatened to boot Uber from the App Store for violating privacy rules. (A consumer watchdog group later asked the FTC to investigate related matters.) [CNET]
US – Post-Snowden Efforts to Secure NSA Data Fell Short: Report
The government’s efforts to tighten access to its most sensitive surveillance and hacking data after the leaks of National Security Agency files by Edward J. Snowden fell short, according to a newly declassified report. The N.S.A. failed to consistently lock racks of servers storing highly classified data and to secure data center machine rooms, according to the report, an investigation by the Defense Department’s inspector general completed in 2016. The report was classified at the time and made public in redacted form this week in response to a Freedom of Information Act lawsuit by The New York Times. The agency also failed to meaningfully reduce the number of officials and contractors who were empowered to download and transfer data classified as top secret, as well as the number of “privileged” users, who have greater power to access the N.S.A.’s most sensitive computer systems. And it did not fully implement software to monitor what those users were doing. The report said the chief information officer of the N.S.A., Gregory L. Smithberger, had cautioned the inspector general that “eliminating all risk of insider threats is not feasible.” [NYTimes]
US – FTC Recommends Tweaks to IoT Transparency Guidelines
The FTC has some suggested changes for a draft proposal on making the Internet of Things more secure and informing consumers about that level of security. Those came in comments on the National Telecommunications & Information Administration’s effort—through a multistakeholder working group—to draft guidelines for upgrading and improving security for the devices, which include everything from smart TVs, lightbulbs and fridges to fitness trackers, wine cellars and self-driving cars. [Broadcasting Cable]
US – Underwriters Laboratory Issuing Software Security Certifications
Underwriters Laboratory is now issuing security certifications for networked software. UL launched its Cybersecurity Assurance Program in April 2016. So far, just a few products have received certification.
US – Girl Scouts to Offer Cyber Security Badges
The Girl Scouts of the USA (GSUSA) will start offering badges in cyber security in 2018. In all, there will be 18 cyber security badges. GSUSA is partnering with Palo Alto Networks to develop the curriculum.
RFID / IoT
EU – ENISA Recommend Addressing Challenges of Emerging Disruptive Technologies
ENISA has issued a paper identifying principles and opportunities that should be addressed in the renewed EU cybersecurity strategy. New technologies such as robotics, IoT, artificial intelligence, and internet of people will have significant effects on the EU digital single market; the EU should assess risks over the entire lifecycle of products, ensure access to trustworthy products and services that do not depend on a single service provider, and examine software ownership and control issues (liability for compromised software or mistakes by autonomous devices, imposition of manufacturers’ terms and conditions on end users, and possible mandatory disclosure of security vulnerabilities). [ENISA – Principles and Opportunities for a Renewed EU Cyber Security Strategy]
Security
US – FBI Issues 2016 Internet Crime Report
The 2016 Internet Crime Report from the FBI’s Internet Crime Complaint Center (IC3) provides information about trends in online crime. In 2016, more than 10,000 incidents of tech support fraud were reported to IC3, with losses totaling nearly 8 million USD. Other trends noted in the report are email compromise, ransomware, and extortion. Online extortion, tech support scams and phishing attacks that spoof the boss were among the most costly cyber scams reported by consumers and businesses last year. [See here] The IC3 report [see 28 pg pdf here] correctly identifies some of the most prevalent and insidious forms of cybercrimes today, but the total financial losses tied to each crime type also underscore how infrequently victims actually report such crimes to law enforcement. One expert observed that the FBI’s ransomware numbers “are ridiculously small compared to what happens in the real world, where ransomware is one of today’s most prevalent cyber-threats. The only explanation is that people are paying ransoms, restoring from backups, or reinstalling PCs without filing a complaint with authorities.” [See here] The IC3 report notes that only an estimated 15% of the nation’s fraud victims report their crimes to law enforcement. For 2016, 298,728 complaints were received, with a total victim loss of $1.33 billion. If that 15% estimate is close to accurate, that means the real cost of cyber fraud for Americans last year was probably closer to $9 billion, and the losses from ransomware attacks upwards of $16 million. The IC3 said losses from CEO fraud (also known as the “business email compromise” or BEC scam) [see here] totaled more than $360 million. Applying that same 15% rule, that brings the likely actual losses from CEO fraud schemes to around $2.4 billion last year. [Krebs on Security | https://www.fbi.gov: IC3 Releases Annual Report Highlighting Trends in Internet Crime | https://pdf.ic3.gov: 2016 Internet Crime Report]
US – Companies Create Principles for Cybersecurity Risk Ratings
The U.S. Chamber of Commerce has announced that a consortium of more than two dozen chamber member companies, including prominent big banks, big-box retailers, and technology giants released a set of principles designed to promote fair and accurate cybersecurity ratings. The creation of the “Principles for Fair and Accurate Security Ratings“ comes in response to the recent emergence of several companies that collect and analyze publicly accessible data to develop a rating of a company’s cybersecurity risk posture. Importantly, however, cybersecurity ratings have the potential for being inaccurate, incomplete, unverifiable and unreliable if, for example, the source data is inaccurate or the methodology doesn’t account for risk mitigations in place at a company. The principles developed by the consortium were designed to increase confidence in and the usability of fair and accurate cybersecurity ratings by addressing the potential problems. The principles were modeled after the Fair Credit Reporting Act, which helped increase confidence in the credit process by ensuring the usability of ratings for legitimate purposes while recognizing the interests of consumers to ensure that the data underlying the scores was accurate and complete. The principles are as follows: 1) Transparency; 2) Dispute, correct and appeal; 3) Accuracy and validation; 4) Model governance; 5) Independence; and 6) Confidentiality. Becoming adept at understanding and effectively utilizing cybersecurity ratings will be an important strategic advantage for companies in the future. [Data Privacy Monitor (Baker Hostetler)]
US –NIST Issues Risk Management Implementation Guidance
The National Institute of Standards and Technology (NIST) issued a draft Cybersecurity Framework to be used by federal agencies in conjunction with the current and planned suite of NIST security and privacy risk management publications. The guidance, which includes 8 use cases in which agencies can leverage the cybersecurity framework to address common vulnerabilities, is designed to elicit feedback to determine which cybersecurity framework concepts are incorporated into future versions of the suite of NIST security and privacy risk management publications. Comments are due by June 30, 2017. [NIST – The Cybersecurity Framework – Draft NISTIR 8170]
US – Senators Weigh Conflicting Privacy, Security Concerns on FISA Rule
The delicate balance between national security and individual privacy came into stark relief as senators debated whether to extend a soon-to-expire intelligence-gathering tool for foreign suspects, which critics say has massive potential for abuse. [See here] At issue for Senate Judiciary Committee members is reauthorization of Section 702 of the Foreign Intelligence Surveillance Act [see here, here & here] beyond Dec. 31, 2017. That provision allows the federal government to acquire intelligence by targeting foreigners “reasonably believed” to be outside U.S. borders. The panel is divided over a permanent extension of Section 702, as advocated by Sen. Tom Cotton (R-Ark.) and others. Sen. Dianne Feinstein (D-Calif.), otherwise a supporter of the provision, said it should sunset every five years, with reauthorization needed from Congress. [Morning Consult]
EU – Mainframes Especially Vulnerable to Insider Threats: Study
While most chief information officers at large companies say their mainframes are more secure than other systems, a majority say their organizations are still exposed to a significant risk of insider threats due to blind-spots in internal data access and controls. That is the finding of a new report by research firm Vanson Bourne. [See here] For the study, sponsored by mainframe software company Compuware, the firm surveyed 400 CIOs in the U.S., France, Germany, Italy, Spain, and the U.K. in April 2017. Many of the CIOs (84%) say they find it difficult to track who has accessed data stored on the mainframe, exposing them to an increased risk of insider threats. [Information Management]
WW – 43% of Security Incidents Caused by Phishing, Hacking and Malware
Employee actions or mistakes caused 32% of breaches, 18% were caused by lost or stolen devices and records, and 3% were due to internal theft; organisations should identify and implement safeguards (authentication, segregation, intrusion detection/prevention systems, log retention), create a forensic plan, build business continuity into incident response planning, prepare for breach containment and management, and ensure breach notifications are clear and consistent. 2017 Baker Hostetler – Be Compromise Ready – Go Back to Basics – 2017 Data Security Incident Response Report
Smart Cars
US – Regulators, Carmakers Plot Road to Connected Car Privacy, Security
Regulators should exercise “humility” when considering government oversight of privacy and data security issues for vehicles connected to the internet, FTC Acting Chairman Maureen Ohlhausen said. Predicting the future of how connected cars will develop is very difficult, Ohlhausen said in remarks at a connected cars workshop [see here] sponsored by the FTC and the National Highway Traffic Safety Administration. [Read her opening remarks here] The FTC should address actual or likely injury to consumer privacy and data security while fostering development of connected cars, Ohlhausen said. The FTC will use its enforcement powers under the FTC Act but also wants to avoid overlap or conflict with NHTSA oversight efforts, she said. Terry T. Shelton, acting executive director of NHTSA, agreed, saying that her agency will work with the FTC on those goals. Lauren Smith, policy counsel at the Future of Privacy Forum, pointed to the self-regulatory efforts of the Alliance of Automobile Manufacturers, the Association of Global Automakers and their members The groups established Privacy Principles for Vehicle Technologies and Services voluntary industry standards, which went into effect in January 2016. [BNA.com] [Broadcasting Cable | Wilmerhale]
US Government Programs
US – DHS Updates Policy Guidance to Accommodate Changes in Privacy Protection for Non-US Citizens
The Department of Homeland Security issued an updated memorandum providing privacy policy guidance. For US citizens, lawfully permitted residents, and individuals protected by the Judicial Redress Act, disclosures to law enforcement agencies will continue to be made pursuant to System of Records Notices (SORNs) and authorized disclosures under the Privacy Act; however, for all other persons, employees must determine whether the proposed use of the records is consistent with the purpose for which DHS collected them, and routine or regular sharing must be described in applicable privacy notices and PIAs (however, DHS does not plan on collecting additional data targeting citizenship status when not otherwise required). DHS – Privacy Policy Guidance and Memorandum | Q&A]
US – New TSA Policy May Lead to Increased Scrutiny of Reading Material
The TSA is testing new requirements that passengers remove books and other paper goods from their carry-on baggage when going through airline security. Given the sensitivity of our reading choices, this raises privacy concerns. DHS Secretary John Kelly recently said that “we might, and likely will” apply the policy nationwide. Books raise very special privacy issues. As has been discussed, there is a long history of special legal protection for the privacy of one’s reading habits in the United States, not only through numerous Supreme Court and other court decisions, but also through state laws that criminalize the violation of public library reading privacy or require a warrant to obtain book sales, rental, or lending records. There have been multiple cases where passengers have been singled out because of their First Amendment-protected expressions. For example, in 2010 the ACLU sued on behalf of a man who was abusively interrogated, handcuffed, and detained for nearly five hours because he was carrying a set of Arabic-language flash cards and a book critical of U.S. foreign policy. We also know that the DHS database known as the “Automated Targeting System,” which tracks information on international travelers, has included notations in travelers’ permanent files about controversial books in their possession. If the TSA is to begin implementing this practice, I would make two recommendations for them. First, the agency and its screeners need to be sensitive to the potential privacy concerns at work here. Second, given any rule or practice requiring the unpacking and separation of books and other papers, the TSA should allow those materials to be contained by themselves within another package. [ACLU]
US Legislation
US – Bill Limits Collection and Use of Information from Vehicle Data Recorders
Senate Bill 196, amending the Wisconsin Statutes relating to motor vehicle data recorders, has been introduced in the Senate, and referred to the Committee on Government Operations, Technology and Consumer Protection. If passed, the amendments would take effect on the first day of the 7th month after publication. Express consent of owners is required for access, collection, or transfer of information stored on vehicle recorders; exceptions to the consent requirement include court orders, production requests, compliance with a service contract, law enforcement transfers for insurance purposes, for vehicle maintenance and repair, emergency medical responses, or insurance claim investigations. [SB 196 – An Act to Amend the Wisconsin Statutes Relating to Motor Vehicle Data Recorders – State of Wisconsin]
Workplace Privacy
EU – Article 29 WP Updates Opinion on Processing Employee Data
The Article 29 Working Party updated its Opinion 8/2001 on processing of personal data in the employment context. When implementing technologies that enable more systematic processing of employees’ personal data (e.g. BYOD, CCTV, and mobile device management) principles of proportionality and minimisation must be followed; employees should receive effective notice about any monitoring that takes place and consent should not be used a legal basis for processing. Article 29 WP – Opinion Opinion2-2017 – Data Processing At Work
CA – Overview of Provincial Privacy Statutes on Background Checks
This article provides an overview of what employers need to know about background checks in each Canadian province. Ontario, Alberta, Saskatchewan, Manitoba, New Brunswick, Nova Scotia, and Newfoundland and Labrador all permit employers to refuse to hire a candidate convicted of a criminal offence (Ontario employers may not refuse a candidate who has received a pardon); however, human rights legislation in British Columbia, Quebec and Prince Edward Island prohibit an employer from discriminating against a candidate for having a conviction of an offence unrelated to the intended employment. [Background Checks by Province – What Employers Need to Know – Michael Howcroft, Partner, and Noemi Blasutta, Associate, Blake Cassels and Graydon LLP]
+++
