COVID-19
Digital vaccination ‘passports’ coming to Quebecers Thursday, but they have no purpose yet
Starting this week, Quebecers will start getting the province’s long-awaited official digital proof of vaccination. It will take the form of an individual QR code that can be scanned on a cellphone, similar to a boarding pass at the airport. However, it doesn’t have any uses yet — no one will be able to read it for now. Health Minister Christian Dubé said no one will have the corresponding system to read the codes, except for the government. “The first step is just a technology,” he explained.
CNIL issues opinion on health pass project
France’s data protection authority, the Commission nationale de l’informatique et des libertés, issued its opinion on the government’s plan to require proof of vaccination or a negative COVID-19 test to enter certain establishments. The CNIL supports the initiative on the basis the information is not used beyond the COVID-19 pandemic. The agency also asked for the system to be continuously studied to determine whether the plan is still necessary.
NHS app to add vaccine passport functionality 17 May
The U.K. government announced the National Health Service application will be able to function as a vaccine passport starting 17 May, BBC News reports. The feature will be available to fully vaccinated citizens. The app will not be able to show COVID-19 test results; however, NHS will add the capability in a future update.
Report Details Checkpoints for vaccine passports
The Ada Lovelace Institute has published a research report outlining the requirements for a socially beneficial vaccine passport system. Key requirements for governments and developers include:
- Scientific confidence in the impact on public health
- Clear, specific and delimited purpose
- Ethical consideration and clear legal guidance about permitted and restricted uses, and mechanisms to support rights and redress, and to tackle illegal use
- Sociotechnical system design, including operational infrastructure
- Public legitimacy
- Protection against future risks and mitigation strategies for global harms.
Americans Support Vaccine Passports But Not For Work
The polling firm Ipsos announced: “A new Ipsos survey for the World Economic Forum finds that, on average, about three in four adults across 28 countries agree that COVID-19 vaccine passports should be required of travelers to enter their country and that they would be effective in making travel and large events safe.” On May 7 Gallup announced that “U.S. adults favor mandated vaccination certification for travel by airplane (57%) and to attend events with large crowds, such as concerts or sporting events (55%)”. Nevertheless majorities of Americans in Gallup’s survey oppose requiring proof of vaccination for people headed to the workplace, hotel stays, or restaurants.
Surveillance / Online Privacy
250 iPhone Apps Analyzed for Tracking
In March 2021, Wirecutter examined the privacy labels and practices of 250 apps across several categories, including the top apps of 2020, as well as popular games, browsers, weather apps, streaming-video apps, photography apps, notes apps, dating apps, shopping apps, news apps, and health and fitness apps. Among those apps, they found:
- 60% of the apps had a Data Used to Track You label.
- Of these apps, 96% used identifiers, 70% measured advertising data, 38% of the apps used location, and 19% used contact info.
- 57% explicitly mentioned advertising as their purpose for tracking you.
- 17 apps shared data with third parties without disclosing that sharing on their privacy label.
- Apps that cost money collect and share less data than their free counterparts do.
- Weather, shopping, health and fitness, dating and news apps did the most tracking.
See also: Amazon and Apple Built Vast Wireless Networks Using Your Devices. Here’s How They Work
Report: Apple gets 4% US opt-in rate under ATT
Recent data collected by Flurry Analytics shows only 4% of U.S. mobile device users are opting in under Apple’s App Tracking Transparency framework. The average daily opt-in rate worldwide is 12%. Flurry tracked opt-in rates from 2.5 million devices since ATT took effect in April.
Google to shed light on apps’ data practices
Google has announced the Google Play store will launch a safety section aimed at creating transparency on how applications collect, use and store personal data. Frey said Google will devise a policy for the app store “that requires developers to provide accurate information” about their data practices. Noncompliance with the standard will result in an order to fix descriptions or “be subject to policy enforcement,”
CMU researchers show potential of privacy-preserving activity tracking using radar
Carnegie Mellon University’s Future Interfaces Group has demonstrated a novel approach to activity tracking that does not rely on cameras as the sensing tool. CMU researchers are investigating the use of millimeter wave (mmWave) doppler radar as a medium for detecting different types of human activity. The results can be seen in this video — where the model is shown correctly identifying a number of different activities, including cycling, clapping, waving and squats. Purely from its ability to interpret the mmWave signal the movements generate — and purely having been trained on public video data.
Data mining questioned following remote cheating accusations
Accusations of cheating on remote exams at Dartmouth College’s Geisel School of Medicine are raising questions about data mining. The school used the Canvas system to track student activity during remote exams without their knowledge to try to identify cheating. Of 17 accused students, seven have had their cases dismissed. In one dismissed case, administrators said “automated Canvas processes are likely to have created the data that was seen rather than deliberate activity by the user.”
Attorneys general call on Facebook to cancel children’s version of Instagram
A coalition of 44 U.S. attorneys general called on Facebook to stop creating a version of Instagram for children. In a letter to Facebook CEO Mark Zuckerberg, the attorneys general wrote the application could affect the privacy and mental health of children who “are not equipped to navigate the challenges of having a social media account.” Meanwhile, Common Sense Media released a guide on how behavioral advertisements impact children.
Sens. propose bipartisan bill to update COPPA
U.S. Sens. Ed Markey, D-Mass., and Bill Cassidy, R-La., introduced the Children and Teens’ Online Privacy Protection Act, which aims to modernize provisions of the Children’s Online Privacy Protection Act. The bill prohibits collection of data from users ages 13 to 15 without consent, creates an “Eraser Button” on websites to delete children’s data and adds a children’s privacy unit to the U.S. Federal Trade Commission. Markey said Congress must “swiftly put in place strict safeguards that stop” companies from “tracking young people at every turn in the online ecosystem.”
Senators Reintroduce Bill to Amend COPPA
Senators introduced the “Clean Slate for Kids Online Act of 2021” last week. Bill S.1423 seeks to amend the Children’s Online Privacy Protection Act. The bill provides individuals with the right to delete personal information the operator collected from the individual as a child. The right to delete applies even in instances where parental consent was provided for the collection of the personal information. The bill provides limited exceptions to the deletion requirement. Senators previously introduced the “Clean Slate for Kids Online Act” in 2018 and 2019 without success.
NYC Passes Data Privacy Bill on Owners of “Smart Access” Buildings
New York City has passed the Tenant Data Privacy Act [TDPA], which would impose on owners of “smart access” buildings obligations related to their collection, use, safeguarding, and retention of tenant data. The TDPA would require building owners to develop and maintain policies and procedures to address the following requirements: 1) Express Consent; 2) Privacy Policy; 3) Stringent Security Safeguards; and 4) Data Destruction. The TDPA would impose strict limits on the categories of tenant data that building owners would be permitted to collect, generate, or utilize through their smart access systems. Building owners would also be prohibited, subject to certain exceptions, from selling, leasing, or otherwise disclosing tenant data to any third parties. Significantly, the TDPA would also create a private right of action for tenants whose data is unlawfully sold.
Law Enforcement
New B.C. traffic cameras will help investigate crashes, say RCMP
110 new traffic cameras are being installed on B.C. roads to help aid in crash investigations. RCMP and Richmond city officials said the cameras won’t just be taking pictures, but will be constantly recording video to get a better idea of what happens in car crashes. This will help determine fault, as well as gather data about how to make intersections safer. The footage will only be accessed in the event of a collision or if a crime is committed, and the resolution of the cameras isn’t good enough to provide details such as licence plates or facial recognition. If an outside agency wishes to access the video footage, the fee is $375. In order to maintain privacy, B.C.’s Office of the Information and Privacy Commissioner issued a directive that the cameras must not be monitored by the police, or the decision would not be supported. Instead, the footage will be monitored by the city’s transportation department.
Ontario to introduce detectors for contraband cell phones in adult correctional facilities
Ontario has announced that it will implement new specialized devices at 25 adult correctional facilities across Ontario to help detect, locate and prevent the use of prohibited cell phones and to enhance security, said a news release dated Apr. 27. These devices are expected to be fully operational by summer 2021.
The Feds Can Access the Private Data on Your Phone Through Your Car
According to a report from The Intercept, the U.S. Customs And Border Protection has now found a convenient back door to siphon much of the information from the fortress of your smartphone: your car. Even though your car tries to keep you physically safe with airbags and ABS and seatbelts, it’s shockingly inept when it comes to keeping your data safe from the prying eyes of police agencies, per the report from The Intercept. As if that weren’t bad enough, our dumb cars are letting the CBP into our smartphones while we constantly and unknowingly pass data along.
Biometrics / Identity
Biometrics commissioner: Police shouldn’t be banned from using facial recognition
U.K. Biometrics and Surveillance Camera Commissioner Fraser Sampson said police departments should not be barred from using facial recognition technology. Sampson said the use of facial recognition tech should be addressed by law enforcement rather than lawmakers. The commissioner added the use of artificial intelligence will be “inevitable” and an “increasingly necessary component of policing.”
Civil rights groups call on Amazon to ban police use of facial recognition
In a letter to Amazon leadership, 44 civil rights groups called on the company to permanently ban use of its facial recognition software and stop selling the technology to law enforcement. Following national racial protests, IBM and Microsoft indefinitely suspended sales of their software to law enforcement, while Amazon implemented a one-year moratorium that expires next month. Amazon has not said whether it will continue or lift the ban.
Other Biometric News
Anyone can use this powerful facial recognition tool — and that’s a problem
You probably haven’t seen PimEyes, a mysterious facial-recognition search engine, but it may have spotted you. If you upload a picture of your face to PimEyes’ website, it will immediately show you any pictures of yourself that the company has found around the internet. PimEyes is open to anyone with internet access. It’s a stark contrast from Clearview AI.
NYC Creates BIPA-Like Requirements for Retail, Hospitality Businesses Concerning Biometric Information Collected from Customers
Effective July 9, 2021, certain retail and hospitality businesses that collect and use “biometric identifier information” from customers will need to post conspicuous notices near all customer entrances to their facilities. These businesses will also be barred from selling, leasing, trading, sharing or otherwise profiting from the biometric identifier information they collect from customers. Customers will have a private right of action to remedy violations, subject to a 30-day notice and cure period, with damages ranging from $500 to $5,000 per violation, along with attorneys’ fees.
These new requirements are set forth in an amendment to Title 22 of the NYC Admin. Code (the “Amendment”), and apply to “commercial establishments.”
Clearview hires DC lobbyists to educate on face biometrics technology
A lobbying firm founded by former Senate aides has been hired by Clearview AI to carry out “education around facial recognition technology.” A bill introduced in April by Senator Ron Wyden (D-OR) and Rand Paul (R-KY) and titled ‘The Fourth Amendment is Not for Sale Act of 2021’, would bar Clearview and any company that obtains data from personal accounts or devise without the owner’s consent from selling the data to government agencies. Clearview is also fighting a consolidated biometric data privacy lawsuit and critics are demanding the Department of Homeland Security (DHS) cease all use of the app.
Calgary retailers launch ID entry
Four Calgary liquor stores are installing entry systems that will require customers to scan identification cards to verify age and ability to enter. The systems have been found to mitigate rising cases of theft, but privacy advocates are wary of potential data breaches associated with the system and its data collection. Office of the Information and Privacy Commissioner of Alberta Spokesman Scott Sibbald said, “There has been no consultation with our office on this project.”
Pandemic gives boost as more states move to digital IDs
With the advent of digital wallets, people are relying more on their phones to prove their identity. Some industry experts estimate that the coronavirus pandemic has sped up the widespread adoption of contactless identification methods by at least a decade. At least five states have implemented a mobile driver’s license program. Three others intend to launch programs by next year, with more expected to follow suit. According to some state officials mobile licenses will give people more privacy by allowing them to decide what personal information they share. However most states with these programs recommend that users still carry their physical driver’s license as a backup. Industry leaders say safeguards will prevent anyone’s information from being stolen, but some critics argue that having so much personal data on a phone is too risky. The National Motorists Association doesn’t believe drivers should be handing their phones over to police, potentially violating people’s Fourth Amendment rights against unreasonable searches and seizures.
Security / Breaches
UK National Cyber Security Centre (NCSC) publishes guidance on securing smart cities
The UK NCSC has published a new set of security principles to help UK authorities secure smart cities and their underlying infrastructure and protect themselves from cyberattacks. Connected Places Cyber Security Principles advises local authorities on understanding their connected places by considering required cybersecurity governance and skills, the role of suppliers, risks and more. See also: White paper: Securing smart city systems against cyberattacks and Cybersecurity: a smart city imperative
NCSC says smart cities a ‘target’ for cyberattacks, urges cybersecurity measures
The U.K. National Cyber Security Centre warned authorities that internet-connected technology used to power smart cities is “an attractive target” for cyberattacks and encouraged them to think about cybersecurity. As these systems emerge, NCSC Technical Director Ian Levy said they should be designed and built properly because “as these ‘connected places’ become increasingly joined up, the ubiquity of the services they provide will likely make them a target for malicious actors.” The NCSC also released its fourth annual report on its Active Cyber Defence programme.
Report: Remote work leads to increase in email data breaches
A report from Egress, based on a poll of 500 IT professionals and 3,000 remote workers in the U.K and U.S., found Microsoft 365 users have seen an increase in email data breaches. 67% of IT professionals said the increase is due to remote working, while 26% attributed incidents to an employee mistakenly sharing data through email. Of the Microsoft 365 users, 15% experienced more than 500 data breaches in 2020, and 93% reported subsequent negative impacts.
A ransomware cyberattack knocks out crucial fuel pipeline to the East Coast
More than 1,000 gas stations in eastern US states ran out of gasoline after a cyberattack knocked out a crucial US pipeline that supplies much of the region’s gasoline. The crunch in fuel supply has been blamed on a ransomware attack that forced the closing of part of the 5,500-mile Colonial Pipeline that supplies about 45% of the East Coast’s fuel.
Hackers release personal info of 22 D.C. police officers
A ransomware gang that hacked Washington’s Metropolitan Police Department published extensive profiles of 22 officers Tuesday as part of an extortion attempt. The files on current and former police officers are detailed and include personal information such as Social Security numbers, dates of birth, results of psychological assessments, copies of driver’s licenses, fingerprints, polygraph test results, as well as residential, financial and marriage history. The hack is entirely distinct from the attack on the Colonial Pipeline and conducted by a different group, though both are Russian-speaking outfits.
Information on 73,000 Durham students breached in ‘cybersecurity incident’
The information of about 73,000 students may have been accessed during a “cybersecurity incident”
Names of students, date of births, addresses, school locations, grades and class information may have been accessed. The cybersecurity incident allegedly involved a third-party software provider used by Durham Region’s Health Department.
Security researchers find a severe vulnerability that may affect up to 30% of all Android phones
The Check Point security research group claim that 3G to 5G connectivity can be exploited in a way that might allow a hacker to read a user’s messages and even listen in on phonecalls. This flaw involves an interface found on up to 30% of all phones worldwide.
Open source tool automates CCPA data deletion requests
Graduate students at the University of California, Berkeley’s School of Information are developing an open source tool to automate California Consumer Privacy Act data deletion requests. Through a Gmail account, PrivacyBot would enable individuals to send requests to delete data from a list of data brokers and search sites. Consumer Reports Digital Lab Product Consultant Ginny Fahs said “automating the sending of requests is a big win for consumers.”
Sarnia Police, school board investigating ‘inappropriate’ content tied to hacked online classes
Police and school board officials say they’re investigating complaints tied to offensive content after multiple online classes in Sarnia were hacked. An unknown person used language and displayed images to students and staff that were “inappropriate” after gaining access to Google online classroom meetings. Multiple allegations of inappropriate behaviour have surfaced amid students across Ontario spending the bulk of the last year-plus learning virtually due to the COVID-19 pandemic.
Malicious Office 365 Apps Are the Ultimate Insiders (item reposted in full)
Phishers targeting Microsoft Office 365 users increasingly are turning to specialized links that take users to their organization’s own email login page. After a user logs in, the link prompts them to install a malicious but innocuously-named app that gives the attacker persistent, password-free access to any of the user’s emails and files, both of which are then plundered to launch malware and phishing scams against others.
OPC reports privacy breaches double under new Privacy Act
New Zealand’s Office of the Privacy Commissioner reported a 97% increase in privacy breaches in the Privacy Act’s first four months. The OPC said approximately one-third of breaches caused identity theft risk or financial harm. Email errors caused the most breaches at 25%, followed by unauthorized sharing of personal information at 21% and unauthorized access to information at 17%. Privacy Commissioner John Edwards said breaches span industries, adding a summary will be published yearly to help organizations “know where the greatest privacy risks are.”
Biden issues EO to boost US cybersecurity
U.S. President Joe Biden signed an executive order aimed at enhancing U.S. cybersecurity practices and protecting federal government systems. The order “ensures that IT service providers are able to share information with the government and requires them to share certain breach information.” Any data sharing between private contractors and federal government agencies related to breaches will be done “consistent with applicable privacy laws, regulations, and policies.”
NSW Privacy commissioner releases guide for managing risks while transitioning to cloud
New South Wales Information and Privacy Commissioner Samantha Gavel released a guide to help government agencies implement privacy practices when implementing cloud-based technologies. The guide explains privacy risks and potential impacts, including harm to individuals, and provides a framework and checklist to manage risks, including data and training practices.
