Biometrics
CA – Canada Expands Its Biometrics Screening Program
On July 31, 2018, all nationals from countries in Europe, Africa and the Middle East are required to provide biometrics (fingerprints and a photo) if they are applying for a Canadian visitor visa, a work or study permit, or permanent residence. Accurately establishing identity is an important part of immigration decisions and helps keep Canadians safe. For more than 20 years, biometrics (fingerprints and a photo) have played a role in supporting immigration screening and decision-making in Canada. Canada currently collects biometrics from in-Canada refugee claimants and overseas refugee resettlement applicants, individuals ordered removed from Canada and individuals from 30 foreign nationalities applying for a temporary resident visa, work permit, or study permit. .More than 70 countries are using biometrics in immigration and border management. Canada’s Migration 5 partners – the United Kingdom, Australia, the United States, and New Zealand – have implemented biometric programs; so have the 26 Schengen states in Europe, and other countries around the world like Japan, South Africa and India. [Immigration, Refugees and Citizenship Canada and iPolitics]
US – Amazon Face Recognition Matches 28 Members of Congress With Mugshots
Amazon’s face surveillance technology is the target of growing opposition nationwide, and today, there are 28 more causes for concern. In a test the ACLU recently conducted of the facial recognition tool, called “Rekognition“, the software incorrectly matched 28 members of Congress, identifying them as other people who have been arrested for a crime. The members of Congress who were falsely matched with the mugshot database we used in the test include Republicans and Democrats, men and women, and legislators of all ages, from all across the country. The false matches were disproportionately of people of color, including six members of the Congressional Black Caucus, among them civil rights legend Rep. John Lewis (D-Ga.). These results demonstrate why Congress should join the ACLU in calling for a moratorium on law enforcement use of face surveillance. To conduct our test, we used the exact same facial recognition system that Amazon offers to the public, which anyone could use to scan for matches between images of faces. And running the entire test cost us $12.33 — less than a large pizza. [Free Future Blog (ACLU) and at: Seattle PI, WIRED, NPR and The Washington Post]
US – Schools Face Civil Liberties Battles in Effort to Adopt Facial Recognition
As schools around the country attempt to deploy new facial recognition functionality as part of their video surveillance systems, the ACLU is challenging those efforts in the name of protecting civil rights. And they’re not alone in their concerns about the controversial student surveillance tactic. As EdTech Strategies recently reported, both Magnolia School District in Arkansas and Lockport City School District in New York recently approved purchases of camera systems that include the ability to identify people captured on camera and track them. In both scenarios, however, the ACLU has objected to the use of facial recognition for several reasons. They’re “vulnerable to hacking and abuse,” asserted the ACLU of Arkansas, and they compromise “students’ privacy.” The national organization stated that once somebody’s facial image is captured by the technology and uploaded into the system planned for New York, the program has the ability to “go back and track that person’s movements around the school” for the previous two months. [T.H.E. Journal coverage at: CNET News, Narcity Planet Biometrics and also Hey mom, did you see this? Camps are using facial recognition and also at: Biometric Update
US – Lawmakers to Investigate Use and Abuse of Face Recognition Tech
Less than a week after a damaging report [see ACLU blog post here and PRs here, here & here] exposed substantial flaws in facial recognition technology marketed to law enforcement by Amazon, five Democratic lawmakers are calling for an investigation into the commercial and government use, and potential abuse, of the technology. In a letter [PR here] to Gene Dodaro, head of the U.S. Government Accountability Office (GAO), lawmakers raised concerns about the use of facial recognition and its impact on privacy rights, underscoring, in particular, the “disparate treatment of minority and immigrant communities within the United States we ask that you investigate and evaluate the facial recognition industry and its government use.” The letter was signed by Senators Ron Wyden, Chris Coons, Ed Markey, and Corey Booker, and Jerrold Nadler, the ranking Democrat on the House Judiciary Committee. [GIZMODO and at: The Hill, Healthcare IT News and Techdirt]
UK – Government Has Created an Automated Facial Recognition “Policy Void”
A lack of clear government action has created a UK “policy void” when it comes to using automated facial recognition technology in CCTV analytics, according to a leading cyberlaw academic. Andrew Charlesworth, professor of law, innovation and society at the University of Bristol, called for an informed debate into the use of artificial intelligence (AI) in video surveillance. UK police are increasingly using automated facial recognition on CCTV footage to identify persons of interest. A recent report by Big Brother Watch [PDF & blog post] found that automated facial recognition technology used by police falsely identified 98% of people in UK cases. However, Charlesworth, in a white paper named “CCTV, Data Analytics and Privacy: The Baby and the Bathwater“ said that public debate over the issue had become “distorted”. He warned that the two sides of the argument had become polarised, fuelled by the government’s lack of stringent regulations. The UK Government’s long-awaited biometrics strategy, released in June, was criticised for not being comprehensive enough. Charlesworth’s report was commissioned by Cloud-based video surveillance system company Cloudview. [Verdict and at Security Boulevard]
UK – Consultation on Police Handling of Biometric Data Launched
The Scottish Government wants to introduce additional safeguards to ensure the safe and proportionate use of fingerprints, DNA and facial recognition technology. A public consultation is now underway in response to recommendations made by an Independent Advisory Group on biometrics earlier this year. It asks for views on the creation of a code of practice on the use, storage and disposal of biometric data to be overseen by a new Scottish Biometrics Commissioner. The arrangements will cover data held by the likes of Police Scotland, the Scottish Police Authority and other bodies involved in law enforcement activity in Scotland. The Scotsman
Face Recognition ‘Tickets’ Are Coming to Baseball Games
MLB and Clear announced a partnership that will soon let baseball fans enter stadiums using fingerprints, and eventually, just their face, instead of tickets. Clear, which offers similar biometric fast-tracking for participating airports, says it will let baseball fans link their Clear and MLB.com accounts. By sharing fingerprint data, visitors can bypass long lines at stadiums. 13 stadiums use Clear already. GIZMODO
Big Data / Artificial Intelligence
US – NIST Identifies Challenges of Big Data
The National Institute of Standards and Technology issued an interoperability framework for big data. Challenges include the ability to infer identity from anonymized datasets by correlating with apparently innocuous public databases, and shifts in protection requirements and governance as processing roles change and responsible organizations merge or disappear; where data is stored and moved between multi-tiered storage media, systematic analysis of threat models and development of novel techniques is required. NIST – Big Data Interoperability Framework: Volume 1 Definitions – NIST Special Publication 1500-1r1
US – Strategy Experts Split Over Effect of Privacy Concerns on Big Data: Survey
In a new survey, a group of the world’s top strategy experts found they could not agree on the effect privacy concerns will have on how businesses use data. Fifty two percent disagreed with the statement “concern over consumer privacy will fundamentally limit businesses’ ability to use big data,” while 48% agreed or strongly agreed. The forum’s findings come from the MIT SMR Strategy Forum, a new regular feature at MIT SMR where strategy scholars react to a provocative question on strategy development and execution. The forum is led by Joshua Gans of the Rotman School of Management, University of Toronto and Timothy Simcoe of Boston University’s Questrom School of Business. MIT Sloan Management Review
WW – Google’s Approach to Big Data and Artificial Intelligence
Google has unveiled it’s strategy for development of artificial intelligence applications. The company will incorporate privacy principles in AI development and use (e.g. notice and consent, privacy safeguards), develop systems to be overly cautious, test technologies in constrained environments, avoid unfair biases based on sensitive information (e.g. race, income, gender, ethnicity), and evaluate likely uses (based on primary purposes, and whether the technology will have significant impact). [AI at Google – Our Principles]
WW – FPF Provides Risk Assessment Framework for Machine Learning
The Future of Privacy Forum assessed the three line of defense when using machine learning models. The first line is focused on the development and testing of models, the second line on model validation and legal and data review, and the third line on periodic auditing over time. [FPF – Beyond Explainability: A Practical Guide to Managing Risk in Machine Learning Models]
WW – Key Findings from Value of Artificial Intelligence in Cybersecurity Study
A day seldom passes without any exposure to the term artificial intelligence (AI). But when our survey team conceptualized this topic, we were stunned to learn that there wasn’t much publicly available information that documented end users’ perspectives on the impact of AI on organizations’ cybersecurity efforts. So, we’re pleased to share our comprehensive findings — and help answer the critical question: What value does AI bring to cybersecurity? The Ponemon Institute 2018 Artificial Intelligence (AI) in Cyber-Security Study, sponsored by IBM Security, includes detailed and high-level cybersecurity discoveries, as well as a comprehensive look at the impact of AI technologies on application security testing. Here are our top 10 key findings from the study. Make plans to register and attend our webinar on this compelling topic on Aug. 2. After our live session, the webinar will be available on demand for your listening and sharing pleasure. Security Intelligence
CN – Ethics of Big Data: A Look at China’s Social Credit Scoring System
There is much good to be gained from data science, but the negative side includes concerns over data privacy, risk management and cybersecurity, not to mention valid ethical debates over the fairness of digital divides, open access and the democratic use of public information. Now there is a new system being pioneered in China that has the potential to encompass many of these concerns: the creation of social credit scores by the government for its citizens. Will China’s social credit scores represent a grand technological breakthrough for society or ultimately be an example of ethical quicksand? Beyond traditional concerns over data privacy and cybersecurity, this form of social ranking poses deeper ethical dilemmas. First, the dilemma of “conformity vs. coercion” is central to address. A second ethical dilemma is the issue of “transparency vs. trafficking.” The use of gamification with social status scores means that both your absolute score and position relative to others is important. There are other ethical issues that public social credit systems may present. If unaddressed, these issues can become an ethical quicksand that widens the divide across people through the use of a socially constructed algorithm of “trustworthiness.” Do these social credit systems represent an opportunity or are they ethical quicksand? I wonder what George Orwell would say. Forbes
US – Big Data Is Getting Bigger. So Are the Privacy and Ethical Questions
The next step in using “big data” for student success is upon us and also raises issues around ethics and privacy. Whenever you log on to a wireless network with your cellphone or computer, you leave a digital footprint. Move from one building to another while staying on the same network, and that network knows how long you stayed and where you went. That data is collected continuously and automatically from the network’s various nodes. Now, with the help of a company called Degree Analytics, a few colleges are beginning to use location data collected from students’ cellphones and laptops as they move around campus. Some colleges are using it to improve the kind of advice they might send to students, like a text-message reminder to go to class if they’ve been absent. Others see it as a tool for making decisions on how to use their facilities. Many colleges now collect such data to determine students’ engagement with their coursework and campus activities. Of course, the 24-7 reporting of the data is also what makes this approach seem kind of creepy. My concerns are broad: Just because colleges and companies can collect this information and associate it with all sorts of other academic and demographic data they have on students, should they? How far should colleges and companies go with data tracking? The Chronicle of Higher Education
EU – Ethical Matters Raised by Algorithms and AI: CNIL Report
The Commission nationale de l’informatique et des libertés (CNIL) in France discusses ethical matters raised by algorithms and artificial intelligence. The CNIL proposes that the principles of fairness and vigilance could be used to form part of a new generation of principles and human rights in the digital age, and recommendations include education for all players in the algorithmic chain (designers and professionals), setting up organisational ethics committees, and designating a role to oversee social responsibility of the company. CNIL – How Can Humans Keep the Upper Hand – The Ethical Matters Raised by Algorithms and Artificial Intelligence
Canada
CA – CSE Annual Report Tabled in Parliament
The Annual Report of the Communications Security Establishment Commissioner, the Honourable Jean-Pierre Plouffe, cd, was tabled in Parliament. All of the CSE activities reviewed in 2017-2018 complied with the law. The Commissioner did, however, make four recommendations to promote compliance with the law and strengthen privacy protection. One recommendation related to CSE information sharing with international partners to ensure an adequate assessment of authorities and privacy protection measures prior to undertaking new sharing activities. A second recommendation related to disclosure of Canadian identity information and requiring client departments to note both lawful authority and a robust operational justification to acquire that information. Two other recommendations dealt with ministerial authorizations one that CSE should clarify language to reflect the legal protection afforded solicitor-client communications; and the other that CSE should restore the inclusion of comprehensive information in its request to the Minister for one particular MA to assist the Minister in making his decision. Office of the CSE Commissioner
CA – Federal Government Supports PIPEDA Changes
The Federal Minister of Innovation, Science and Economic Development responded to recommendations from the Standing Committee on Access to Information, Privacy and Ethics following its review of PIPEDA. Specific rules are needed for collection and use of minors’ PI (given recent breaches involving PI obtained from social media), some GDPR rights and protections can be incorporated into PIPEDA to enhance privacy protections (algorithmic transparency, privacy by design, data portability), and there are active discussions with the EU Commission to ensure adequacy standing is maintained. Letter to the Chair of the Standing Committee on Access to Information, Privacy and Ethics – Minister of Innovation, Science and Economic Development Committee Recommendations | Minister’s Response
CA – NS Board Conditionally Permits Smart Meter Implementation
The Nova Scotia Utility and Review Board reviews an application by Nova Scotia Power Inc. for approval of a $133.2 million smart meter project. The utility must permit customers to opt-out of the smart meters, subject to a cost (TBD) of continuing with non-standard meter service, and devise a detailed plan of how to inform customers of the opt-out process; the Board is satisfied that the utility’s data collection will not involve PI (there will be an identifier for each customer account), and security is sufficient (data will be protected by security certificates and end-to-end encryption). Nova Scotia Utility and Review Board – 2018 NUSARB 120 – Decision
CA – Waterfront Toronto, Sidewalk Labs Walk Back Plans In New Deal
After months of talks, Waterfront Toronto and Sidewalk Labs LLC have signed a deal [PR here] that reins in some of the Google-affiliate’s plans around its proposed “test bed” for new urban technologies on the city’s lakeshore. Waterfront Toronto released both a new “plan development agreement“ as well as the original “framework agreement“ it had signed last fall with the New York-based Sidewalk, the full text of which had until now been kept secret [W.T. also posted an FAQ ]. The new deal walks back or clarifies a number of provisions contained in that original deal, signed after Sidewalk Labs, a unit of Google parent Alphabet Inc., was chosen as the “funding and innovation partner” to develop a five-hectare (12-acre) parcel of land on the waterfront known as Quayside that sits at the end of Parliament Street. Waterfront Toronto and Sidewalks Labs praised the deal as an important milestone as they continue to develop the project. It was approved unanimously by Waterfront Toronto’s board, but only after Toronto developer Julie Di Lorenzo, who has previously publicly questioned the plan, resigned from her seat on the board. The agreement comes after the sudden departure in early July of Waterfront Toronto’s CEO, Will Fleissig, who had been a driving force behind the project. The deal is only a step toward a final “master innovation and development plan,” which the waterfront agency said won’t be signed until next year. Toronto Mayor John Tory said the agreement will allow “the City to consider an innovative new approach to development, housing, public space and mobility in the Quayside District,” and that he was confident Waterfront Toronto and all three levels of government would ensure it proceeds “in the best interests of Toronto residents.” [The Globe and Mail and at: MobileSyrup ]
CA – BCCLA Launches Handbook to Protect Privacy at the Border
The BC Civil Liberties Association (BCCLA) and the Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic (CIPPIC) released the online guide “Electronic Devices Privacy Handbook – a Guide to your Rights at the Border“ [overview, short PDF version] The Handbook helps travellers understand what is known about their data privacy rights at these border areas, best practices for securing digital devices and interacting with border officers, and what to do if they’ve been searched. The handbook is for every person who crosses the Canadian border and the U.S. border through preclearance areas, but has particularly important implications for marginalized populations and professionals carrying sensitive documents. All people with personal information on their devices have vested interests in protecting their data from being seized at the border and shared with Canada’s vast network of coordinating departments and national security partners. [BC Civil Liberties Association and at: The Vancouver Province & The Toronto Star]
CA – OIPC NS Recommends Amendments to PHIA
The OIPC NS releases its findings of its review of Nova Scotia’s Personal Health Information Act. PHIA should be amended to permit an executor to determine the collection, use and disclosure of a decedent’s PHI, and require security breaches with a risk of harm notified to individuals to also be notified to the OIPC; a working group should consider the issues of PHI data matching/linking for research and planning purposes, the disposition/outsourcing of storage of health records (including outside NS), and whether there are sufficient safeguards for genetic data and EHRs. [OIPC NS – Personal Health Information Act – Three Year Review Findings] See also: Health Records: DPA Cyprus Sets Retention at 15 Years
CA – Yukon Privacy Commissioner Worried About City Drone Proposal
Diane McLeod-McKay, the Yukon’s Information and Privacy Commissioner is concerned about a proposal that could see the City of Whitehorse using drones to enforce certain bylaws. At the July 16 council meeting, one of the recommendations made was to consider purchasing a drone for use patrolling trails. Council heard that other municipalities have used drones in search and rescue, but that they could also be effective in preventing illegal dumping. Council has accepted a new bylaw review document, but that doesn’t mean all of its recommendations will be implemented. McLeod-McKay noted that the city isn’t subject to the Yukon’s ATIPP Act., or PIPEDA. “Even if ATIPP or PIPEDA did apply, the lack of transparency around what a drone is recording, at any given time, hinders accountability. It’s difficult to make a complaint when you don’t know what personal information is being collected.” Yukon News
CA – OIPC ‘Following Up’ With Calgary Mall Using Facial Recognition Software
The Office of the Privacy Commissioner of Canada [here] said it is “following up” with Cadillac Fairview – the company that owns the Chinook Centre – after the company disclosed it is testing facial recognition technology in mall directories. News of the software came to light after a shopper saw a window on a directory at the Chinook Centre that showed what appeared to be facial-recognition data, including codes like “gender/inception” and “age/inception.” “Given we are not storing images, we do not require consent,” a statement from the company said.[see here] The agency has reached out to Alberta’s privacy commissioner [here] to discuss the matter as well. To date, the agency has not received any complaints involving the Chinook Centre directories. [Global News and at: CBC News and 660 News]
CA – Court Affirms Expectation of Privacy in Devices Under Repair
A Canadian appeals court has decided in favor of greater privacy protections for Canadians. The case involves the discovery of child porn by a computer technician who was repairing the appellant’s computer. This info was handed over to the police who obtained a “general warrant” to image the hard drive to scour it for incriminating evidence [see R v Villaroman, 2018 ABCA 220]. “General warrants” are still a thing in the Crown provinces. These days, it has more in common with All Writs orders than the general warrants of the pre-Revolution days. “General warrants” are something the government uses when the law doesn’t specifically grant permission for what it would like to do. The appellant’s challenge of the general warrant (rather than a more particular search warrant) almost went nowhere, but this decision grants him (and others like him) the standing to challenge the warrant in the first place. As the court notes, handing a computer over to a technician doesn’t deprive the device’s owner of an expectation of privacy. Standing helps, but ultimately didn’t help the appellant here. The court decides the failure to obtain the proper warrant is indeed a violation, but one not severe enough to trigger suppression of the evidence. The court goes on to note the failure to follow proper procedures when obtaining the warrant (ultimately the wrong sort of warrant) was negligent. It was anything but a “trivial” breach of protocol. Even if the officer’s inexperience resulted in erroneous actions, the violation is severe enough for the court to take note of. But this negligence isn’t enough to overcome the inevitable outcome of the search, in the court’s opinion. TechDirt
CA – OIPC NL Directs Healthcare Custodians
The OIPC NL published a newsletter addressing issues pertaining to:
- personal representative of a deceased individual;
- privacy training expectations; and
- the importance of auditing access
Custodians should conduct ongoing training programs for employees handling PHI (training new employees, continuing education throughout the employment, and avoid reliance on general external training), and monitor and assess access to PHI (addressing who should conduct audits and when they should be conducted, what information is being assessed, and what areas will need to be audited). [OIPC NL – Safeguard – A Quarterly Newsletter – Volume 2 – Issue 2]
CA – A Cross-Border Perspective on Privacy Class Actions in Canada
This post explores trends in Canadian privacy class actions and points out similarities and differences in the approaches taken in the United States and Canada in these types of lawsuits. Canadian privacy class actions have been on the rise for the last decade. In both Canada and the U.S., privacy class actions largely fall into three categories: 1) claims that challenge a corporation’s business practices (e.g., cookies, targeted advertising); 2) claims that arise from accidental breaches (e.g., lost storage devices); and 3) claims relating to intentional, targeted misconduct (e.g., hacking, employee snooping). In all categories, the size of the classes and the quantum of damages claimed tend to be large. Importantly however, most cases settle for a fraction of the compensation sought. Generally, plaintiffs must establish some evidence of actual harm and may not simply seek damages for mere fear of identity theft, although no decisions have yet tested the line between harm and mere fear in a trial on the merits. Although moral damages for humiliation or anxiety arising from privacy violations are sometimes awarded, they are nominal—in the range of $2,000–$20,000 per claim. Compared to Canada, many more privacy class actions are commenced in the U.S. Canadian class actions are growing in number, but Canada is still developing its statutory causes of actions related to misuses of technology, while the data breach privacy class actions in the U.S. are largely founded on statutes such as the Electronic Communications Privacy Act [see here & wiki here] and the Computer Fraud and Abuse Act [see here & wiki here]. Unlike the U.S., Canada has an expansive federal regulatory regime—the Personal Information Protection and Electronic Documents Act [see here & wiki here], which provides a simple administrative procedure for complaints and remedies, arguably making class actions less preferable. The European Union (EU) General Data Protection Regulation (GDPR), which purports to extend to organizations based outside the EU that offer goods or services to individuals in the EU or to those who engage in practices that monitor online behaviour of individuals in the EU, may impact privacy litigation and force business to modify their practices in the U.S. and Canada. Mondaq
CA – Ontario Children’s Lawyer Records Exempt from FIPPA
The Ontario Court of Appeals reviewed a decision of the OIPC ON ordering the Children’s Lawyer for Ontario to disclose records pursuant to the FIPPA. The court quashed the IPC order for the Office of the Children’s Lawyer to issue a decision to a father requesting access to his children’s records; the entity is not a government agent (it does not receive direction from, or report to the Attorney General), and it has a fiduciary duty to child clients to keep information provided confidential (which is separate from solicitor-client privilege). Children’s Lawyer for Ontario v. IPC ON, AG ON and John Doe – 2018 ONCA 559 CanLII – Court of Appeal of Ontario
CA – Canada Amends AML/ATF Regulations
The Regulations Amending Certain Regulations Made Under the Proceeds of Crime Money Laundering and Terrorist Financing Act 2018 were published in the Canada Gazette on June 9, 2018. The Regulations update customer due diligence requirements to permit confirmation of identity from a reliable source (e.g., a prescribed financial entity), and beneficial ownership reporting requirements that include information about the beneficiary’s occupation, and user name if receiving payment online. Regulations Amending Certain Regulations Made Under the Proceeds of Crime Money Laundering and Terrorist Financing Act 2018 – Government of Canada
CA – Canada Spending $500 Million on Cybersecurity Over 5 Years
The Canadian federal government announces its renewed national cybersecurity strategy following its public consultation. National objectives are security and resilience (combatting increased cybercrime and the growing impact of IoT), cyber innovation (investing to address the cyber skills gap), and leadership and collaboration (establishing a national plan and clear focal point for cyber incidents and enhancing public awareness). National Cyber Security Strategy – Public Safety Canada | Press Release
CA – Ontario Survey Not Covered under Research Exemption
An Ontario Court reviewed an order of the IPC for Carleton University to disclose records requested, pursuant to the Freedom of Information and Protection of Privacy Act. A court upheld an IPC ON decision that a university survey of Jewish students and faculty was not for pure academic purposes; it is market research based on an administrative request to identify areas for improvement for minority students, and there would not be serious adverse consequences if the records were disclosed (survey data was coded to eliminate identification of respondents, and any identifiable information would be exempt from disclosure). Carleton University v. IPC ON and John Doe – Ontario Superior Court of Justice – 2018 ONSC 3696 CanLII
Consumer
US – Walmart Patents Audio Surveillance Technology to Record Customers and Employees
America’s largest retailer has patented surveillance technology that could essentially spy on cashiers and customers by collecting audio data in stores. The proposal raises questions about how recordings of conversations would be used and whether the practice would even be legal in some Walmart stores. “This is a very bad idea,” Sam Lester, consumer privacy counsel of the Electronic Privacy Information Center in Washington, D.C., told CBS News. “If they do decide to implement this technology, the first thing we would want and expect is to know which privacy expectations are in place.” [Daily Mail]
CA – Canada Tackles Malicious Online Advertising
On July 11, 2018, the Canadian Radio-television and Telecommunications Commission imposed sanctions against the installation of malicious software through online advertising for the first time in its history. This decision was taken under the provisions of the Canadian Anti-Spam Legislation, which came into effect on July 1, 2014. The federal agency issued Notices of Violation [see CRTC PR here & Investigation Summary here] to Datablocks and Sunlight Media, for allegedly facilitating the installation of malware through online advertising. The companies are subject to penalties of $100,000 and $150,000, respectively. Among other things found, these two companies were not verifying their new customers and allowed payment by cryptocurrency. While both companies have been warned of these weaknesses in their practice in a 2015 report by cybersecurity researchers and then again in 2016 by the CRTC, neither implemented basic safety measures. While this CRTC fine is a first of its kind in Canada, this type of threat is nothing new in the industry. We Live Security Blog
E-Government
UK – Voter Analytics and Data Protection: Early Findings from the ICO
The question of the role of big data analytics in modern elections is the question that the ICO has tackled in its report on voter analytics released this month [see July 10 PR here, the 60 pg PDF report “Democracy Disrupted? Personal information and political influence” here & related progress report here ]. For the first time, a DPA has tried to draw the curtain back on the very complicated world of voter analytics, to paint a picture of the range of organizations involved in contemporary elections, and of the practices they engage in. There has been a lot of hype about the importance of the “data-driven” election, and recent scholarly work that sheds a skeptical light on the extent to which data analytics do indeed influence election outcomes. [Democracy Disrupted ] does not go there, although there is an accompanying research report from Demos which reviews the current and future trends in campaigning technologies. Democracy Disrupted provides a detailed and empirically based description of the various sources of personal data that are used to profile the electorate and of how micro-targeting works across a variety of media. Around 40 organizations were the focus of this ongoing inquiry; many other individuals assisted. For privacy professionals, the report raises some intriguing questions about the application of the General Data Protection Regulation to political parties and election campaigns going forward. [IAPP.org and at: ByLine, Information Law Blog (Inksters) and Financial Times]
US – Top Voting Machine Vendor Admits It Installed Remote-Access Software on Systems Sold to States
The nation’s top voting machine maker has admitted in a letter to a federal lawmaker that the company installed remote-access software on election-management systems it sold over a period of six years, raising questions about the security of those systems and the integrity of elections that were conducted with them. In a letter sent to Sen. Ron Wyden (D-OR) in April, Election Systems and Software acknowledged that it had “provided pcAnywhere remote connection software to a small number of customers between 2000 and 2006,” which was installed on the election-management system ES&S sold them. The statement contradicts what the company told me and fact checkers for a story I wrote for the New York Times in February. At that time, a spokesperson said ES&S had never installed pcAnywhere on any election system it sold. “None of the employees, including long-tenured employees, has any knowledge that our voting systems have ever been sold with remote-access software,” the spokesperson said. The company told Wyden it stopped installing pcAnywhere on systems in December 2007, after the Election Assistance Commission [here], which oversees the federal testing and certification of election systems used in the US, released new voting system standards. Motherboard
US – For Sale: Survey Data on Millions of High School Students
At the end of June, three thousand high school students from across the United States trekked to UMass in Lowell sports arena to attend an event with an impressive-sounding name: the Congress of Future Science and Technology Leaders. Many students were selected for the event because they had once filled out surveys that they believed would help them learn about colleges and college scholarships. Many had taken a college-planning questionnaire, called MyCollegeOptions or surveys that came with the SAT or the PSAT, tests administered by the College Board. In filling out those surveys, the teenagers ended up signing away personal details that were later sold and shared with the future scientists event. Consumers’ personal details are collected in countless ways these days, from Instagram clicks, dating profiles and fitness apps. The recruiting methods for some student recognition programs give a peek into the widespread and opaque world of data mining for millions of minors — and how students’ profiles may be used to target them for educational and noneducational offers. These marketing programs are generally legal, but the handling of student surveys is receiving heightened scrutiny In May, the Department of Education issued “significant guidance” [11 pg PDF] that recommended that public schools make clearer to students and their parents that surveys with the SAT and the ACT, a separate college admissions exam, are optional. Over the last few years, several states have passed laws that might also limit the spread of some student profiles. The laws generally prohibit online educational vendors to schools from selling students’ personal data or using it for targeted advertising. The New York Times
US – FBI Provides Guidance for Email Scams
The Federal Bureau of Investigations (“FBI”) released guidance on an increasing threat related to requests for money transfers from compromised email accounts. The business email compromise and individual account compromise scam; targets businesses and real estate sectors performing wire transfers payments; organisations must verify any changes in the vendor payment type or location, and include a two-step verification process for wire transfer payments (form code phrases known only to the legitimate parties. FBI Public Service Announcement – Business Email Compromise the 12 Billion Dollar Scam
Electronic Records
AU – Privacy Commissioner Report: Health Sector Tops Breaches
The healthcare sector has topped the list for data breaches once again, with the Office of the Australian Information Commissioner releasing its delayed quarterly report into the Notifiable Data Breaches scheme [see PR here & report here], with most caused by malicious conduct and human error. According to the report, 49 notifications of data breaches in healthcare were made from April to 30 June 2018, surpassing the finance sector’s 36 notifications. A total of 242 notifications were received during the quarter. The report shows 59% of data breaches were caused by malicious or criminal attacks (142 notifications), with the majority of those linked to the compromise of credentials such as usernames and passwords. 36% of breaches were the result of human error such as sending emails containing personal information to the wrong recipients. The OAIC said the data breaches do not relate to the My Health Record system [see here & here]. But the stats are another setback to the national health information database as it continues to be buffeted by data privacy concerns. Up to 900,000 health professionals will have access to My Health Record via numerous software systems, creating a substantial “attack surface”, according to former Privacy Commissioner Malcolm Crompton. [Healthcare IT News Au, ABC News, CNET News, The Register and OAIC]
US – OCR Issues Guidance on Disclosures to Family, Friends and Others
In its most recent cybersecurity newsletter, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) provided guidance regarding identifying vulnerabilities and mitigating the associated risks of software used to process electronic protected health information. The guidance, along with additional resources identified by OCR, are outlined in this post. Privacy & Information Security Law Blog (Hunton Andrews Kurth)
EU Developments
EU – EU Modernises Convention 108
The Council of Europe has approved amendments to modernise Convention 108. Amendments include conducting impact assessments to ensure processing is designed to minimise risks to data subjects, and processing is carried out on the basis of informed, express consent or some other legal basis; data subjects have the same rights afforded under the GDPR, and breaches must be notified where there is a serious risk to data subjects. Modernised Convention 108 – Council of Europe | Comparative table | See Analysis by Graham Greenleaf
EU – Supreme Court of Ireland to Review Facebook Privacy Case
On July 31, 2018, the Supreme Court of Ireland granted Facebook, Inc.’s leave [see ruling here] to appeal a lower court’s ruling sending a privacy case to the Court of Justice of the European Union (the “CJEU”). Austrian privacy activist Max Schrems challenged Facebook’s data transfer practices, arguing that Facebook’s use of standard contractual clauses failed to adequately protect EU citizens’ data. Schrems, supported by Irish Data Protection Commissioner Helen Dixon, argued that the case belonged in the CJEU, the EU’s highest judicial body. The High Court agreed. Facebook’s request to appeal followed. In granting Facebook leave to appeal, the Supreme Court noted that “it is in the interest of justice” that the Court hear its arguments. The hearing will take place within the next five months. Privacy & Information Security Law Blog (Hunton) coverage at: TechCrunch]
EU – Parliament Calls for Suspension of Privacy Shield
The EU Parliament passed a resolution on the adequacy of the EU-US Privacy Shield calling on the European Commission to ensure the Shield will comply with the GDPR; and suspend the Shield if the US is not fully compliant by September 1, 2018 if US authorities do not address identified deficiencies including unclear rules for automated decision making and processing of HR data, failure to follow the EU model of consent, and lack of effective judicial redress for EU citizens. EU Parliament – Motion for a Resolution on Adequacy of Protection Afforded by EU-US Privacy Shield
EU – Privacy Shield Under Pressure as Lawyers Back MEPs’ Call for Suspension
The Council of Bars and Law Societies of Europe (CCBE) [comments] – which represents 32 member countries and 13 associate and observer countries – has repeated its concerns over the deal’s suitability and called for an immediate suspension. The intervention comes as a group of MEPs, who called for a ban on the deal if the issues aren’t addressed by September, travels to Washington to discuss data privacy. The CCBE’s intervention comes as MEPs on the EU’s civil liberties and justice committee (LIBE) begin a four-day trip to Washington to discuss Privacy Shield, along with other data protection issues, with the US government. [The Register Related coverage at: CIO, DBR on Data and Legaltech News] Adequacy: EU Parliament Calls for Suspension of Privacy Shield
EU – Proposed EU Cybersecurity Act Released
The Council of the European Union released a proposal for the future of cybersecurity regulation in Europe. At a time of increased cybersecurity risks, the EU Cybersecurity Act would strengthen the powers of the European Union Agency for Network and Information Security by making it a permanent agency of the European Union. The EU Cybersecurity Act would also create a European cybersecurity certification framework for information and communications technology goods. The goal of the EU Cybersecurity Act is to build cyber resilience and response capabilities within the EU. Harmonizing standards to promote efficiency is also a central theme of the EU’s Digital Single Market strategy. The EU Cybersecurity Act is an output of a broader Cybersecurity Package which was first introduced in 2017 before going through several impact assessments and a comment period. To become law, the proposal will have to be approved by the European Parliament. CyberLex (McCarthyTetrault)
UK – ICO Release Annual Report
The Information Commissioner’s Office has released their Annual Report for 2018 [PDF here]. Commissioner Elizabeth Denham highlights the following in her foreword to the Report: The ICO…
- has been involved in producing significant GDPR guidance in the last 12 months and has also run an internal change management process to ensure it is up to the demands placed upon it by GDPR (think: extra staff, new breach reporting functions and helplines);
- pay levels have fallen out of step with the rest of the public sector. UK Government has given the ICO 3-year pay flexibility and some salaries have increased;
- has taken decisive action on nuisance calls and misuse of personal data;
- began investigation of over 30 organisations in relation to use of personal data and analytics for political campaigns; and
- launched a “Why Your Data Matters” campaign – designed to work as a series of adaptable messages that organisations can tailor to inform their own customers of their data rights.
Privacy and Cybersecurity (Dentons)
EU – European Court of Justice Clarifies Who Is a ‘Data Controller’ Under GDPR
The European Court of Justice (ECJ) in Luxembourg rendered a judgment on July 12 [see CJEU Press Release & Judgment of the CJEU], that explains, among other things, what a (joint) data controller is. The judgment is on the “old” EU Data Protection Directive 95/46/EC, but the relevant provisions in the General Data Protection Regulation (GDPR), Art. 4 and 26, are very similar. The case is about Jehovah’s Witnesses Community and whether taking notes in the course of their door-to-door preaching falls under the GDPR. The ECJ states that (a) their activities don’t fall under the exemptions for religious communities, and that (b) the community is a data controller jointly with its members who engage in this preaching activity. Tech & Sourcing at Morgan Lewis
EU – ECHR Ruling Confirms Freedom of Expression Trumps Right of Erasure
The European Court of Human Rights (“ECHR”) decided on 28 June 2018 that the right to request the erasure of personal data on prior convictions, may be trumped by the right to freedom of expression and information. The court confirmed prior case law deciding that the public’s legitimate right of access to electronic press archives is protected by the fundamental right of freedom of expression and information and that limitations to this right must be justified by particularly compelling reasons. Inside Privacy
EU – The eData Guide to GDPR: What is Sensitive Personal Data?
Information on health, race/ethnic origin, sexual orientation, and religious and political beliefs are among a special category of data that have been classified as sensitive personal data under the EU’s GDPR and are given a higher degree of protection. This installment of The eData Guide to GDPR discusses how sensitive personal data is defined, under what conditions it can be processed, and what steps businesses can take to ensure compliance with the GDPR’s special protections of sensitive personal data. Morgan Lewis Insight
EU – Heirs Can Access Facebook Account of Deceased Relatives: German Court
Heirs in Germany have the right to access the Facebook accounts of their deceased relatives, a court said in a landmark privacy ruling on Thursday, saying a social media account can be inherited in the same way as letters. Reuters Additional coverage at: Technology Law Dispatch, Deutsche Welle, Quartz, AFP, Naked Security and GIZMODO]
EU – DPA Brandenburg Advises Caution for Photography
The Brandenburg Data Protection Authority issued guidance on the processing of photos under the GDPR. The taking and publication of photos is permitted under the GDPR (pursuant to data subject consent, a controller’s legitimate interests, or journalistic activity); however, photographers should be careful about photos of large groups of people (notice may be impossible to provide), employees (consent may not be truly voluntary), and existing photo stock (which should comply with prior legal requirements). DPA Brandenburg – Processing of Photos – Legal Requirements Under GDPR
EU – EDPS Comments on Monitoring for Copyright Infringement
The European Data Protection Supervisor commented on a draft resolution for a proposal regarding copyright in the Digital Single Market. According to the EDPS, the draft EU resolution appropriately addresses the obligation for online sharing service providers to monitor their platforms for copyright infringement by not targeting end users who might download or stream uploaded content, and requiring observance of the data minimisation principle; it will be impossible, however, for providers to avoid processing personal data while complying with monitoring and reporting obligations. EDPS – Formal Comments on a Proposal for a Directive of the European Parliament and Council on Copyright in the Digital Single Market
UK – ICO Seeks Views on Age Appropriate Design
The UK ICO is calling for evidence and views on the Age Appropriate Design Code under the Data Protection Act, 2018. The ICO UK is calling for suggestions from information service providers and child development experts to design the Age Appropriate Design Code, with a focus on the different development stages of children and the websites or applications that children access or are likely to access; specific areas of interest include profiling, geolocation, and strategies used to encourage extended user engagement. The Code will be submitted to the Secretary of State for Parliamentary approval within 18 months from May 25, 2018; and the call for evidence closes on September 19, 2018. ICO UK: Blog – Children’s Privacy – Call for evidence | Consultation
WW – Big Tech Companies’ Privacy Policies Not Totally GDPR Compliant: Report
A new report from a consumer protection group indicates that even though privacy policies were revamped right before the GDPR came into effect in late May, “there is still room for significant improvements.” The survey used artificial intelligence to analyze 14 privacy policies at major tech companies, including Google, Facebook, Amazon and Apple. The Recorder (Law.com)
EU – Cloud Security and Due Diligence Checklists
A UK law firm highlights industry best practices from regulators and associations, which include risk profiling, monitoring of security controls, and defining access controls to service interfaces and administration systems; to demonstrate compliance, cloud buyers can demonstrate provider compliance through contractual commitment, third party certification and/or independent testing. [Kemp Law]
Facts & Stats
US – Major Breaches in the First Six Months of 2018
The most serious breaches of the first half of 2018 include the US government acknowledging that Russian hackers have managed access to a power utility’s control systems; hackers using phishing attacks to gain access to university systems, private companies, and government agencies around the world and stealing many terabytes of intellectual property; and many instances of organizations misconfiguring data storage mechanisms, exposing stored information. Wired: The Worst Cybersecurity Breaches of 2018 So Far.
WW – Survey Finds Breach Discovery Takes an Average 197 Days
A global study based on 500 interviews conducted by The Ponemon Institute on behalf of IBM [see PR here, infographic here] finds that the average amount of time required to identify a data breach is 197 days, and the average amount of time needed to contain a data breach once it is identified is 69 days. When it comes to cost containment, the study makes it clear time is of the essence. Companies that were able to contain a breach in less than 30 days saved more than $1 million compared to those that took more than 30 days ($3.09 million versus $4.25 million average total). 2018 Cost of a Data Breach Study [PDF] Security Boulevard, Security Intelligence, listen Audio interview – 26 min
EU – The GDPR and Blockchain
Blockchain technology has the potential to revolutionise many industries; it has been said that “blockchain will do to the financial system what the internet did to media”. Its transformative capability also extends far beyond the financial sector, including in smart contracts and the storage of health records to name just a few. Notwithstanding its tremendous capabilities, in order for the technology to unfold its full potential there needs to be careful consideration as to how the technology can comply with new European privacy legislation, namely the GDPR. This article explores some of the possible or “perceived” challenges blockchain technology faces when it comes to compliance with the GDPR. The European Commission has recently launched the EU Blockchain Observatory and Forum which is focused on promoting blockchain throughout Europe. The Forum recently ran a series of workshops on the impact of the GDPR on blockchain technology. Inside Privacy (Covington)
Finance
CA – Canada 2020 Issues Open Banking Report
On July 5, 2018, Canada 2020, a Canadian think-tank, published its report on open banking [see 10 pg PDF here] following a Policy Lab which brought together various stakeholders to discuss open banking in Canada. “Open Banking” refers to an emerging financial services business model that focuses on the portability and open availability of customer data, including transactional information. The core aim of open banking is to enable consumers to share their financial data between their financial institution and third party providers (and between financial institutions), typically through the use of application programming interfaces (APIs). While still a relatively new concept in Canada, open banking has the potential to transform the financial services sector. The federal government is currently undergoing a review of open banking to assess whether it could have a positive impact on consumers while considering the risks to consumer privacy, data security, and financial stability. The purpose of the Canada 2020 Policy Lab was to encourage stakeholders to share information and to discuss the future of open banking in Canada and identified nine broad areas of consensus. CyberLex Blog (McCarthy Tétrault)
FOI
CA – NL Government Breaking Its Own Laws on Access to Info Requests: OIPC
Newfoundland and Labrador is breaking its own laws by exceeding the legal deadlines for responding to access to information (ATIPP) requests, the information and privacy commissioner says. In a report [ruling], Molloy said the government flouts the law based on the volume of work it takes to complete requests, something that would never be tolerated from average citizens. The result is long delays. Molloy’s report, which looked into a case where it took 86 business days for a response to an access to information request, when the law says that should happen within 20 business days concerned the Department of Transportation and Works, and found that over the last fiscal year the department was late on approximately 15 per cent of deadlines and received extensions on another 15%. CBC News
Genetics
WW – Privacy Concerns After 23andme Shares Genetic Data With Major Drugmaker
Drug giant GlaxoSmithKline is investing US$300 million in the DNA-testing company 23andMe in a deal they say could spark the creation of important new medicines, but one that is also raising privacy concerns. Under the deal, GSK will have exclusive rights for four years to use 23andMe’s DNA database to develop new medicines using human genetics. Both the funding and proceeds will be split equally, with the option of extending the partnership for a fifth year. For more than a decade, 23andMe has been selling saliva-based DNA kits to consumers. The company has more than 5 million users – 80% of whom have checked boxes to consent to participating in medical research as well. Genetics is playing an increasingly important role in the world of drug discovery. Researchers use genetic data to help them understand how diseases begin and which proteins and pathways diseases use to progress. Peter Pitts, the president of the U.S.-based non-profit Center for Medicine in the Public Interest told Time he’s worried that whenever one organization shares personal data with another organization, there is a risk the information could be misused. Pitts also wonders whether 23andMe customers are entitled to be compensated if the genetic information they paid for is then used to lead to profitable drugs. “Are they going to offer rebates to people who opt in, so their customers aren’t paying for the privilege of 23andMe working with a for-profit company in a for-profit research project?” Pitts wondered to NBC. 23andMe insisted in its announcement Wednesday that its customers are still in control of their own data. [CTV News, BioNews, Forbes and Scientific American]
US – DTC Genetic-Testing Giants Throw Their Weight Behind Privacy
For years, consumer and privacy advocates have railed against the potential for the direct-to-consumer (DTC) genetic testing to go horribly wrong. In what ways? Privacy violations, for one, along with the idea that companies could get rich off patient data, all while freely sharing our most personal information with law enforcement. But news this week suggests solutions for these problems could be on the way. On July 31, Future of Privacy Forum [allong with testing companies 23andMe, Ancestry, Helix, MyHeritage, and Habit released a set of best practices for the DTC genetic-testing industry, outlining eight key areas and a war chest of possible fixes [see FPF blog post here]. The best practices cover transparency, consent, accountability, security, privacy by design and consumer education, along with data access, integrity, retention and deletion. Recommendations range from providing clear privacy notices of a company’s practices and asking separately for consent to share with third-party organizations to enabling consumers to delete their data, including biological samples. In no way, however, does the document serve as a call to disarm the growing genetic-testing industry. [Healthcare Analytics News, Chicago Tribune, Engadget and GIZMODO]
Health / Medical
US – HHS Releases Interim Guidance on Authorizations for Research
The Department of Health and Human Services (HHS) recently released interim guidance on sufficiency of authorizations for future uses or disclosures of protected health information (PHI) for research purposes. The HIPAA rule permits covered entities and business associates to use or disclosure PHI only as permitted by the Privacy Rule or as authorized in writing by the information’s owner or that person’s personal representative. The 21st Century Cures Act, enacted in 2016, sought, in part, to improve accessibility to medical information for research purposes. It mandated HHS issue guidance on how to allow for this improved access while still protecting patients’ rights under HIPAA. HHS recognizes that additional input from the public on this complex question would better help it provide meaningful guidance. Therefore, HHS is inviting comments from the public before issuing final rules. Data Privacy Monitor (BakerHostetler)
US – FDA: Make Sure EHRs Used for Clinical Studies are Secure
The Food and Drug Administration has issued new guidance spelling out its policy for organizations using electronic health record data in FDA-regulated clinical investigations, such as studies of the long-term safety and effectiveness of various drugs. Among other criteria, the EHRs need to contain certain privacy and security controls. EHRs used for clinical investigations should be certified under the Department of Health and Human Services’ Office of the National Coordinator for Health IT’s EHR certification program, which requires products to meet a variety of privacy and security protection requirements for patient data. But if data from EHRs that are not ONC-certified is collected from “foreign” sources – such as from clinical studies conducted outside the U.S. – sponsors need to consider whether such systems also have “certain privacy and security controls in place to ensure that the confidentiality, integrity and security of data are preserved,” the agency says. GovInfo Security
US – Health Data Breach Tally: Lots of Hacks, Fewer Victims
As of July, some 199 breaches affecting 3.9 million individuals had been added to the Department of Health and Human Services’ HIPAA Breach Reporting Tool website, commonly called the “wall of shame.” The website lists health data breaches affecting 500 or more individuals. By comparison, the 2015 cyberattack on Anthem Inc. affected nearly 79 million individuals. Plus, 2015 attacks against Premera Blue Cross, Excellus BlueCross BlueShield, and UCLA Health affected many millions more. Of the breaches added to the wall of shame so far this year, 74 are listed as hacking/IT incidents. Those incidents affected nearly 2.65 million individuals. But other types of breaches have also been added to the tally in the last seven months. Those include 84 “unauthorized access/disclosure” breaches impacting a total of more than 562,000 individuals, with some of the largest of these incidents involving email. Another 37 breaches involved loss or theft; those affected a total of about 672,000 individuals. Of the loss/theft breaches, 28 involved unencrypted devices. Those incidents impacted a total of about 80,000 individuals. The largest breach tied to loss or theft so far this year involved paper/film records. That incident – which, with 582,000 affected, is also the largest breach posted added to the tally so far this year – was reported in April by the California Department of Developmental Services. GovInfoSecurity
US – Cyberattacks on Health-Care Providers Are Up in Recent Months
Health-care providers and government agencies across the U.S. have seen an increase in cybersecurity breaches in recent months, exposing sensitive data from hundreds of thousands of people as the sector scrambles to find adequate defense mechanisms. The breaches include malware attacks, computer thefts, unauthorized network access and other security breaches, according to a government database that tracks attacks in the health-care sector. Last year’s global WannaCry ransomware attack crippled parts of the U.K.’s National Health Service for days. In a 2015 hack, U.S. health insurance giant Anthem Inc. had about 79 million customers’ personal information exposed. Bloomberg
US – California Bill Requires Security for Health Sensors
AB-2167, an Act Relating to Digital Health Feedback Systems was introduced in the Legislative Assembly of California and has been engrossed to the Senate. If passed, a manufacturer or operator that sells a device or software application that may be used with a digital health feedback system (ingestible sensor that collects or sends health information) must implement reasonable security features appropriate to the nature of the device/software application and the information it may collect, contain or transmit. AB-2167 – An Act Relating to Digital Health Feedback Systems – Legislative Assembly of California
US – Relaxing Patient Privacy Protections Will Harm People With Addiction
The nation is in the midst of a staggering opioid epidemic. Over 115 people die from an overdose each day – and all signs indicate that the problem is getting worse. Unfortunately, of the more than 20 million Americans who need treatment for addiction, it’s estimated that only about 7 percent of them will actually receive specialty care. We would expect policymakers and medical providers to do everything possible to increase the number of people entering treatment, not take actions that will discourage individuals from seeking treatment. But unfortunately, that’s exactly what the Overdose Prevention and Patient Safety Act would do. Despite its benevolent title, this legislation, which has already passed the House of Representatives, would jeopardize the confidentiality of substance use treatment and discourage patients from seeking the care they need. [The Hill and coverage at: STAT News, Scientific American and The Journal of Law, Medicine & Ethics]
WW – Mobile Apps Expose Sensitive and Regulated Data
Appthority’s Enterprise Mobile Threat Report uncovers a new variant of the HospitalGown data privacy vulnerability. The Mobile Threat Report showcases mobile apps’ failures to require authentication to a Google Firebase cloud database, exposing the system to data leak; implement user authentication on all database tables and rows to protect against exploit. Other mitigation steps to reduce risks include prohibiting employees from downloading unsecured apps and performing security reviews on private and public apps. Enterprise Mobile Threat Report – Unsecured Firebase Databases – Exposing sensitive data via thousands of mobile apps – Q-2 2018 – Appthority
WW – Insider Health Data Security Threats Bigger Concern than External
Many healthcare professionals are more concerned about insider threats to health data security than external breaches, according to a survey by HIMSS on behalf of SailPoint. There is an acute level of concern about the threats posed by insiders. On a scale of 1 to 10, the mean score for the level of concern of respondents was 8.2. Among respondents who implemented or managed cybersecurity solutions for their organization, 43% said that insider threats were of greater concern than external threats. Another 35% were equally concerned about insider threats and external threats to data security, according to the survey of 101 healthcare professionals.- HealthIT Security, Healthcare Informatics, CISION]
Horror Stories
US – Patient Data Exposed for Months After Phishing Attack On Sunspire
Several employees of Sunspire Health, a nationwide network of addiction treatment facilities, fell victim to a phishing email campaign, which may have exposed personal patient information for about two months. [see notice here] Hackers were able to access some employee email accounts between Mar. 1 and May 4, but officials did not become aware of the cyberattack until sometime between April 10 and May 17. Officials did not give an explanation as to why the discovery took more than a month. The impacted email accounts contained names, dates of birth, Social Security numbers, medical data like diagnoses and treatments, and health insurance information. All patients are being notified and offered a year of free credit monitoring. While officials have notified the U.S. Department of Health and Human Services, the number of patients impacted by the breach haven’t been posted to the breach reporting tool [here]. [Healthcare IT News and coverage at: Health Data Management]
US – Phishing Attacks Breach Alive Hospice for 1 to 4 months
Two employees of Tennessee-based Alive Hospice fell for phishing attacks, which potentially breached patient data for one to four months. During a review of their email system on May 15, officials discovered unauthorized access to two separate employee email accounts that began on December 2017 for one account and around April 5 for the other. While the breached data varied by patient, it included a vast store of highly-sensitive information including: Social Security information, passport numbers, driver’s licenses or state identification cards, copies of marriage and or birth certificates, financial data, medical histories, IRS pin numbers, digital signatures — and even security questions and answers. Notification letters were sent to impacted patients on July 13. Healthcare IT News See also: Phishing attack compromised the data of 1.4 million UnityPoint Health patients and at: SecurityInfoWatch, ISBuzz News and Latest Hacking News
NZ – Allegations 800,000 NZers at Risk of Medical Privacy Breach
Four New Zealand and Australasian healthcare IT companies, Healthlink, Medtech Global, My Practice, and Best Practice Software New Zealand, have jointly contacted the Privacy Commissioner with a claim the privacy of up to 800,000 Auckland patients has been put at risk. They said primary health organisation (PHO) ProCare Health was putting private information of up to 800,000 Auckland patients into a large database, including patient name, age, address, and all financial, demographic, and clinical information.ProCare Health runs a network of community-based healthcare services, including GPs, throughout Auckland. It strongly denies patient privacy is being compromised. The IT companies said they didn’t know how widespread the data collection was in New Zealand, but it wasn’t acceptable to hold so much identifiable information in one place. In a joint letter to the Privacy Commissioner, the companies said most patients seemed unaware of the ProCare database, as well as potentially some GPs. [The New Zealand Herald coverage at: Tripwire and New Zealand Doctor Online]
Identity Issues
CA – Feds Studying Mobile Passports Despite Privacy Fears
New public opinion research [PDF] published by Immigration, Refugees and Citizenship Canada suggests officials there are considering whether Canadians should be able to renew their passport via a mobile application, as well as what Canadians’ attitudes are towards the idea of using virtual or mobile passports. Through 15 focus groups held across the country earlier this year, participants were asked for their perspectives on what sort of “passport of the future” they would be most interested in using and as with most new technologies, there was general enthusiasm but also a marked wariness about the potential for misuse. Millennials and those over the age of 58 also said they would not be likely to use a mobile passport option. While participants suggested they would be all right with using a passport renewal app or a passport stored on their phone, they were less convinced the ease of use would be worth the security concerns. Convenience seemed to be the biggest motivator overall to consider any move away from the current passport. Mobile passport apps are not yet widespread but South of the border, U.S. Customs and Border Protection has officially endorsed an app called Mobile Passport and it’s being used in 25 American airports so far. Personal data on the app is encrypted and stored by Customs and Border Protection. It’s not clear whether Immigration, Refugees and Citizenship Canada is looking to develop its own app for mobile passports or use the existing one. Global News
CA – Canadian Bankers Push for Federated Approach to Digital ID
The Canadian Bankers Association discuss Canada’s need for a digital identity system. Digital ID can be standardized for use between entities (unlike physical documents), and ensures only one version of an individual’s identity exists, reducing the potential for misinformation, identity theft, or the use of outdated data; Canada should learn from the successes of Estonia and India, ensuring digital ID meets legislative and regulatory requirements for customer identification, and using government as a catalyst to bring digital ID to market. White Paper – Canada’s Digital ID Future – A Federated Approach – Canadian Bankers Association
CA – Health Records: Anonymised PHI Not Compellable
The Supreme Court of Canada reviewed an appeal by the Province of British Columbia regarding disclosure of personal health information to Philip Morris International, Inc. The Supreme Court of Canada found that the anonymization of health data in government databases did not change the nature of the information as data derived from a particular individual’s clinical record, and the relevance of the records to a claim brought on an aggregate basis does not alter that nature. [British Columbia v. Philip Morris International Inc. – 2018 SCC 36 CanLII – Supreme Court of Canada]
Law Enforcement
UK – Police Chief Explains ‘Justice by Algorithm’ Tool
A police chief pioneering new ways of dealing with offenders vigorously defended his force’s pilot of a controversial algorithm-based system for picking suitable candidates. Michael Barton, chief constable of Durham Constabulary, was appearing at the first public evidence-gathering hearing of the Law Society’s Technology and Law Policy Commission on algorithms in the justice system [see here & here]. Durham Constabulary has come under fire after revealing last year that it was testing whether an algorithmic ‘Harm Assessment Risk Tool’ (HART) [see “risk assessment“] could help custody officers identify offenders eligible for a deferred prosecution scheme called Checkpoint designed to encourage offenders away from criminality. The tool employs advanced machine learning to predict the likelihood that an individual will reoffend in the next two years. Barton said that HART was intended as a decision support tool and would never take the kind of nuanced decisions made by custody officers. The main reason for its use is to ensure that people released under the Checkpoint scheme do not go on to commit serious crimes, he said. ‘We are halfway through the pilot of finding out whether custody officers do better than the algorithm he said, promising that results will be peer-reviewed and published. [The Law Society Gazette and at: WIRED and BBC News]
Location
WW – Polar Flow Fitness App Reveals Location of Users in Military and Intelligence Agencies
The Polar Flow fitness app exposes sensitive information about its users, which include US intelligence employees, and military personnel. The Polar Flow Explore function could be used to obtain not only a user’s geolocation data, but also their name and home address. Polar has temporarily suspended the Explore API. Polar is not the first fitness app to expose user data; several months ago, the Strava app was found to be exposing soldiers’ locations and routes. Threat Post: Polar Fitness App Exposes Location of ‘Spies’ and Military Personnel | Bleeping Computer: Polar App Disables Feature That Allowed Journalists to Identify Intelligence Personnel | Fifth Domain Polar fitness app broadcasted sensitive details of intelligence and service members | The Register: Fitness app Polar even better at revealing secrets than Strava.
Online Privacy
WW – Low Accuracy in Device Fingerprinting Techniques
Researchers study the accuracy of fingerprinting of smartphone motion sensors. Existing browser fingerprinting techniques (used to track users without using cookies) are less effective on mobile platforms; additional features and external auxiliary information can be used to improve accuracy (but are unlikely to uniquely identify devices), and combining multiple classifiers provides better accuracy than current techniques. Every Move You Make – Exploring Practical Issues in Smartphone Motion Sensor Fingerprinting and Countermeasures – Anupam Dua et al. – Carnegie Mellon University
WW – Google Admits Third-Party Developers Can Read Your Emails
According to the WSJ, developers of third-party apps can read your Gmail messages. The thing is, you gave the application permission to do that. You just don’t remember. Or weren’t paying attention. After long-running complaints from users, Google stopped scanning the contents of Gmail messages to create targeted ads last year. But the company still allows third-party applications to do so. What skeeves so many people out is discovering that this process isn’t all done by computer. Some companies give human developers access to emails. This enables the developer to check if the code they’ve written to scan the text is finding what it’s supposed to scan. Or to know what to scan for in the first place. [Cult of Mac, Google Blog, CNET, CBC News, VentureBeat, The Verge, Digital Trends, Naked Security and The Sydney Morning Herald]
CA – New Zealand Company Violated Rights of Canadians, Says Privacy Commissioner
How far can companies go using personal information of people copied from a publicly-available website? Not far at all if it involves Canadians who don’t give their consent, according to a decision released by Canada’s privacy commissioner [see Announcement here & report here]. New Zealand’s Profile Technology Ltd. violated the privacy rights of potentially some 4.5 million Canadians by copying the profiles of Facebook users around the globe and posting them on its own website, the office of the federal privacy commissioner has ruled. The company said it merely indexed information publicly accessible on Facebook It also argued Canadian law didn’t apply. However, the commission said under Canadian law these people had to give their consent because Profile Technology used the information not just for indexing but also to start its own social networking website called the Profile Engine. The OPC has sent its findings to the Office of the Privacy Commissioner of New Zealand, which is considering what options may be available under that country’s laws. IT World Canada
US – 3 of 16 Providers Have Sufficient Takedown Processes: EFF
The Electronic Frontier Foundation, an advocacy organization, released its annual report on transparency of online service providers. The Apple App Store, Google Play store and YouTube earned full marks for transparency in reporting government takedown requests based on both legal requests and requests alleging platform policy violations, providing meaningful notice to users of every content takedown and account suspension, providing users with an appeals process to dispute takedowns and suspensions, and limiting the geographic scope of takedowns when possible. Who Has Your Back? Censorship Edition 2018 – Electronic Frontier Foundation | Chart only
US – EFF Files Amicus Brief Supporting Warrant for Border Searches of Electronic Devices
EFF, joined by ACLU, filed an amicus brief in the U.S. Court of Appeals for the Seventh Circuit arguing that border agents need a probable cause warrant before searching personal electronic devices like cell phones and laptops. We filed our brief in a criminal case involving Donald Wanjiku. In 2015 border agents at Chicago’s O’Hare International Airport searched Wanjiku’s cell phone manually and forensically. Border agents also forensically searched Wanjiku’s laptop and external hard drive. Wanjiku asked the district court in U.S. v. Wanjiku to suppress evidence obtained from the warrantless border searches of his electronic devices, but the judge denied his motion. He then appealed to the Seventh Circuit. In their amicus brief, EFF argued that the Supreme Court’s decision in Riley v. California (2014) supports the conclusion that border agents need a warrant before searching electronic devices because of the unprecedented and significant privacy interests travelers have in their digital data. They also cited the Supreme Court’s recent decision in U.S. v. Carpenter (2018) holding that the government needs a warrant to obtain historical cell phone location information. In our amicus brief, we explained that historical location information can be obtained from a border search of a cell phone. DeepLinks Blog (Electronic Frontier Foundation)
Privacy (US)
US – FTC Wants Expanded Authority in Data Security, Privacy
While HHS is the primary federal agency that enforces HIPAA Security and Privacy Rules, the FTC has expanded its enforcement activities in data security and privacy, including taking on now-defunct medical testing firm LabMD over poor data security that led to PHI breaches. The FTC was recently rebuffed by a federal appeals court in its effort to compel LabMD to overhaul its data security program. Despite this setback, the FTC is looking for additional authority from Congress in the privacy and data security area, FTC Chairman Joseph Simons told the House Energy and Commerce Committee’s digital commerce and consumer protection subcommittee on Wednesday. Specifically, the FTC wants the ability to impose civil penalties in privacy and data security cases, authority over nonprofits and common carriers, and authority to issue implementing rules under the Administrative Procedure Act (APA). Currently, the FTC issues rules under the Magnuson-Moss Warranty Act, which is more burdensome than the APA process, Simons noted. [HealthIT Security and at: Imperial Valley News]
US – Judge Rebukes FBI Agent over Improper Stingray Use
A federal judge chastised an FBI agent for improper use of a stingray, also known as a cell-site simulator or IMSI catcher, and an improper search of a cellphone. In April 2016, an FBI agent sought and obtained warrants from a county superior court judge in California to search a suspect’s cellphone and to use a stingray to locate a second suspect. California law does not permit state judges to sign off on warrants for federal agents. Court documents also show that the FBI agent misled the judge about what a stingray does. [Ars Technica: Judge slams FBI for improper cellphone search, stingray use | SC Magazine: Federal Judge scolds FBI agent for improper stingray use]
WW – CIPL Issues Discussion Papers on the Central Role of Accountability
On July 23, 2018, the Centre for Information Policy Leadership at Hunton Andrews Kurth LLP issued two new discussion papers on the Central Role of Organizational Accountability in Data Protection [7 pg PDF notice & overview here]. The goal of these discussion papers is to show that organizational accountability is pivotal to effective data protection and essential for the digital transformation of the economy and society, and to emphasize how its many benefits should be actively encouraged and incentivized by data protection authorities, and law and policy makers around the globe. The first discussion paper [PDF] explains how accountability provides the necessary framework and tools for scalable compliance, fosters corporate digital responsibility beyond pure legal compliance, and empowers and protects individuals. The second discussion paper [PDF] explains why and how accountability should be specifically incentivized, particularly by DPAs and law makers. It argues that given the many benefits of accountability for all stakeholders, DPAs and law makers should encourage and incentivize organizations to implement accountability. Privacy & Information Security Law Blog | see also: CIPL Hosts Special Executive Retreat with APPA Privacy Commissioners on Accountable AI
US – Florida Man Jailed for Failing to Unlock His Phone
What started as a routine traffic stop has quickly escalated into a civil rights case in a Florida courtroom after a man was put behind bars for failing to unlock his phone. William Montanez was given 180 days in jail by a judge after he was asked to unlock two separate phones seized from him by police. Montanez told the court that he couldn’t remember the passwords, so the judge found him in civil contempt and threw him in jail. According to an emergency writ filed by Montanez’s lawyer, he was pulled over by police on June 21 for not properly yielding while pulling out of a driveway. The officers making the stop asked to search his car, which he refused, so the police brought in a drug-sniffing dog. The police got a search warrant for the devices, claiming that they contain evidence of “Possession of Cannabis Less Than 20 grams” and “Possession of Drug Paraphernalia”—both of which Montanez already admitted to, which makes it unclear why the cops still want to search the phone to prove the charges. [Gizmodo coverage at: Fox 13 News, Miami Herald, WPLG Local 10 and Phone Arena]
US – $2 Million FTC Fine for Nonconsensual Posting of PI
A US Court granted the FTC and State of Nevada a permanent injunction against Emp Media Inc. et al for alleged violations of the FTC Act. Website operators are permanently banned from publicly disseminating individuals’ intimate images, name, employer and social media account information, and charging a fee for removal; verifiable express consent must be obtained (after provision of a separate, conspicuous notice), individuals must have the right to revoke consent at any time, and any third party hosting the company’s websites must ensure they are no longer accessible. FTC and State of Nevada v. Emp Media Inc. et al – Order Granting Default Judgment, Permanent Injunction and other Relief – US District Court for Nevada | Press Release
Privacy Enhancing Technologies (PETs)
WW – Privacy Pros Gaining Control of Technology Decision-Making Over IT
The results of new TrustArc research that examines how privacy technology is bought and deployed to address privacy and data protection challenges. Surveying privacy professionals worldwide, the findings of the survey show that privacy management technology usage is on the rise across all regions and that privacy teams have significant influence on purchasing decisions for eight of the ten technology categories surveyed. To understand the different types of privacy and security technologies that are being used – and by whom, more than 300 privacy professionals in the U.S., EU, UK and Canada were surveyed. Key findings from the survey include: A) Privacy tech adoption approaching the tipping point; B) Data mapping, assessment management, and data discovery among fastest growing solutions; and C) Privacy has a strong influence on purchase decisions across most product categories. Help Net Security
RFID / IoT
WW – Advocates Push for More User Control Over IoT Devices
The IoT Privacy Forum, a think tank, discusses governance and strategies regarding the Internet of Things. The Forum advocates for data minimization, built in “do not collect” switches (e.g., mute buttons and software toggles), wake words and manual activation for data collection, and mechanisms to make it easy for users to delete their data or revoke consent; only the user should decide if IoT data should be published on social media or indexed by search engines. Clearly Opaque – Privacy Risks of the Internet of Things – IoT Privacy Forum
WW – Digital Security Threats from New and Unexpected Sources
Symantec issued volume 23 of its internet security threat report, providing information on 2017 trends in targeted attacks, email spam, ransomware and mobile threats. The report identifies the threats as including attacks against IoT devices (by using most used login names like admin, guest and supervisor), attacks on mobile devices (using malware in apps related to photography and music), and attacks on supply chain software (by hijacking network traffic and compromising software supplier directly). Internet Security Threat Report Volume 23.
US – FTC Asked To Investigate Smart TVs
US Senators Blumenthal and Markey have asked the FTC to investigate privacy policies and practices of smart TV manufacturers. The smart TV manufacturers allegedly collect sensitive information and use it for tailoring advertisements on the basis of viewed and accessed content (e.g., applications, video games and cable shows), without obtaining express consent or notifying the user about such collection or tracking activities. Letter to FTC regarding smart TVs collecting personal data of viewers – Senator Markey and Blumenthal, U.S. Senate | Press Release
Security
US – Final Report on U.S. Government Policies and Public-Private Frameworks to Address Botnets, Security and Resiliency Challenges Released
The U.S. Department of Commerce and the Department of Homeland Security, through the National Telecommunications and Information Administration (NTIA), has released the final report on enhancing the resilience of the Internet and communications ecosystem against botnets and automated distributed threats [see “Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and other Automated, Distributed Threats“]. This report continues the work initiated under Presidential Executive Order 13800 titled “Strengthening the Cyber Security of Federal Networks and Critical Infrastructure“. The report aims to build upon consensus on various governmental and private initiatives and new approaches for the government either to adopt or to encourage the development of a more resilient ecosystem that can more effectively defend against threats and attacks by botnets. These attacks are expected to gain in both scale and complexity over time as vectors for attack (both end user devices and Internet of Things endpoints) proliferate. The final report does not differentiate between threats from nation states, cybercriminals or other actors; it observes that developing better cooperation and countermeasures within the ecosystem will generally be effective against all threats regardless of the threat origin. The final report was delayed from its originally scheduled May 11 deadline, it was released in late May 2018, along with a number of other reports relating to cybersecurity and linked to the Presidential Executive Order. A full list and links to the released reports is available [DBR on Data].
WW – Malware Attacks Have Doubled In First Half of 2018
The “malware boom” of 2017 has shown no signs of stopping through the first half of 2018, according to a new report from security company SonicWall. The company’s Capture Labs threat researchers recorded 5.99 billion malware attacks during the first two quarters of the year. At the same point in 2017 SonicWall logged 2.97 billion malware attacks [“2018 SonicWall Cyber Threat Report“]. On a month-to-month basis in 2018, malware volume remained consistent in the first quarter before dropping to less than 1 billion per month across April, May, and June. These totals were still more than double that of 2017, the report said. The study shows ransomware attacks surging in first six months of 2018, with 181.5 million ransomware attacks identified for the period. That marks a 229 percent increase over this same timeframe of 2017. [Information Management, SonicWall Blog, Tarsus Today]
US – US CERT Issues Best Practice to Reduce Phishing Risks
Verify unsolicited calls, visits or emails from individuals asking about employees or company internal information (however do not use contact information provided by the individual), check website URLs for spelling variations or domain changes, and do not provide personal, financial or company information in emails (unless assured of the person’s authority to have the information). Security Tip ST04-014 – Avoiding Social Engineering and Phishing Attacks – US-CERT
US –NIST Releases Security Assessment Requirements
NIST issues a publication for assessing security requirements for controlled unclassified information. Recommended controls include those under security categories such as access control, awareness/training, audit/accountability, configuration management, identification/authentication, incident response, maintenance (of connections/systems), media protection, personnel security, physical protection (escort/monitor visitors), risk and security assessments, system/communications protection and system/information integrity. NIST – Assessing Security Requirements for Controlled Unclassified Information – NIST Special Publication 800-171A | Press Release
EU – EU Commission Amends Draft ICT Certification Framework
The EU Commission amended its proposal for a regulation concerning cybersecurity and ENISA, the European Union Agency for Network and Information Security. Certificates issued under the framework will be valid in all EU countries, making it easier for companies to carry out their business across borders, certification will be voluntary (unless otherwise specified by EU or Member State law), and companies seeking certification will be evaluated against three assurance levels (basic, substantial, high). EC – Proposed Regulation on ENISA and ICT Cybersecurity Certification | Press Release
WW – Companies Overwhelmed by Data Collection: Survey
Gemalto’s fifth annual Data Security Confidence Index surveyed IT decision makers in organizations worldwide about data security mechanisms in place for compliance with GDPR. The study presents the status of organizations in protecting data collected from users, including that only 35% effectively analyze collected data and 65% are unable to analyze or categorize stored user data, while the collection of user data from sources such as apps and connected devices is only expected to increase in the future. Gemalto – Data Security Confidence Index
WW – 45% of US Companies Fell Victim to Phishing in 2017
Wombat Security Technologies, a security technology company, issued its 2018 report on phishing. The results are based on reported attacks from information security professionals; and analysis of simulated phishing attacks in more than 16 industries. The company reports that corporate phishing templates are the most frequently used by attackers (44%), with the most successful being corporate email improvements (89%); to combat phishing attacks, organizations train end users on how to identify and respond to suspicious email, and use email/spam filters, advanced malware analysis, and URL wrapping. State of the Phish 2018 – Wombat Security Technologies
Surveillance
CA – Controversial Gunshot Detector Technology Approved by Toronto Police
In an effort to curb gun violence, the Toronto Police Services Board (TPSB) has requested the city fund a motion to double the amount of public CCTV cameras and introduce a controversial audio recording technology called “ShotSpotter“ [wiki] that provides police with real-time shooting locations. The system is already in use by more than 90 cities in the U.S, including Louisville, Cincinnati and Chicago. The system uses microphones to detect and locate gunfire, and automatically informs police. According to its privacy policy, ShotSpotter said its devices only record and provide police with audio beginning two seconds before a gunshot has been fired and ending four seconds after. The effectiveness of the technology, however, is up for debate. The idea of using the ShotSpotter technology and increasing surveillance cameras raises questions about privacy. As for ShotSpotter, its privacy policy says it “does not have the ability to listen to indoor conversations” and does not have the ability to “overhear normal speech or conversations on public streets.” The company said there has been “three extremely rare ‘edge cases’” (out of 3 million incidents detected in the past 10 years) in which a human voice was overheard. City council will meet Monday and make the decision as to whether to approve the new measures. [Global News, The Toronto Star]
UK – GCHQ Spy Agency Given Illegal Access to Citizens’ Data
The British government broke the law by allowing spy agencies to amass data on UK citizens without proper oversight from the Foreign Office, Investigatory Powers Tribunal has ruled [see Judgment here]. GCHQ, the UK’s electronic surveillance agency, was given vastly increased powers to obtain and analyse citizens’ data after the 9/11 terrorist attacks in 2001, on the condition that it agreed to strict oversight from the foreign secretary. The Foreign Office on several occasions gave GCHQ an effective “carte blanche” to demand data from telecoms and internet companies, which could include visited websites, location information and email contacts. Monday’s ruling is the second from the IPT in a case brought by Privacy International [see PI’s July 23/18 PR here], the campaign group, on the harvesting and sharing of citizens’ data by British spy agencies. The UK government is currently seeking to convince the EU that it should be considered an “adequate” country for data transfer purposes after it leaves the bloc next March. On Monday, the tribunal updated its initial ruling [October 2016 – see here & PI’s PR here] to say that laws protecting UK citizens’ data had not been followed in full until October 2016, not November 2015 as it had previously concluded. A government spokesperson, speaking on behalf of the Foreign Office and GCHQ, said the unlawful requests for citizens’ data referred to in the tribunal’s judgment on Monday had since been replaced and were no longer in force. [Financial Times, The Register, Silicon UK, BBC News, Bloomberg, Computing and The Times]
EU – Statewatch Launches New Observatory of Centralised Big Brother Database
This Observatory covers the so-called “interoperability” of EU JHA databases which in reality will create a centralised EU state database covering all existing and future JHA databases – through combining biometrics and personal data in a single search. The intention is to bring together in one place the biometrics of millions – non-EU citizens now and EU citizens later – directly linked to the Common Identity Repository with personal details. The European Data Protection Supervisor says that the measure would mark a “point of no return” with all the inherent dangers that over time function creep will build up a highly detailed personal file attached to biometrics. For example when the EU-PNR (Passenger Name Record) comes into effect this will contain details of all travellers in and out of the EU and inside the EU as well.Statewatch (London)
WW – Does Your Phone Secretly Listen To You, Two-Year Study Says No
It’s the smartphone conspiracy theory that just won’t go away: Many, many people are convinced that their phones are listening to their conversations to target them with ads. Vice recently fueled the paranoia with an article that declared “Your phone is listening and it’s not paranoia,“ a conclusion the author reached based on a 5-day experiment where he talked about “going back to uni” and “needing cheap shirts” in front of his phone and then saw ads for shirts and university classes on Facebook. Some computer science academics at Northeastern University had heard enough people talking about this technological myth that they decided to do a rigorous study to tackle it. They ran an experiment involving more than 17,000 of the most popular apps on Android to find out whether any of them were secretly using the phone’s mic to capture audio. The apps included those belonging to Facebook, as well as over 8,000 apps that send information to Facebook. They found no evidence of an app unexpectedly activating the microphone or sending audio out when not prompted to do so. On the other hand, the strange practice they started to see was that screenshots and video recordings of what people were doing in apps were being sent to third party domains. In other words, until smartphone makers notify you when your screen is being recorded or give you the power to turn that ability off, you have a new thing to be paranoid about. The researchers will be presenting their work at the Privacy Enhancing Technology Symposium Conference in Barcelona next month. [Gizmodo, Business Insider and BGR]
US Government Programs
CA – Canadian Pot Investors Are Being Banned From Entering the U.S.
Sam Znaimer is a Vancouver, Canada-based venture capitalist who has been investing in everything from tech to telecommunications for more than 30 years. Recently, he put more than $100,000 into legal American cannabis companies. In May, when he attempted to drive across the border, he was flagged for a secondary inspection and questioned for four hours. “To my shock and horror, I was told that I was deemed to be inadmissible to the United States because I was assisting and abetting in the illicit trafficking of drugs,” Znaimer said. “They never asked whether I had consumed marijuana, the only thing that they’re interested in is that I’ve been an investor in U.S.-based cannabis companies.” Marijuana in some form is legal in 30 states and Washington D.C., but it’s still outlawed by the U.S. federal government. American immigration attorney Len Saunders said he’s seen at least a dozen cases like Znaimer’s at the Blaine land crossing as well as airports in Vancouver and Edmonton over the past few months. In the prior 15 years that he’s practiced law on the border, he’d never seen one. CBS News See also: How the tech behind bitcoin could safeguard marijuana sales data
CA – OPC Warns Canadians to Keep Data Secure When Crossing the Border
The OPC is warning citizens to be aware that their digital devices can be searched — and civil liberties advocates say every precaution must be taken. The commissioner’s updated guidelines on privacy at airports and borders advises that officers on both sides of the border can search your devices and ask for passwords. The guidelines include new advice on searches conducted at “preclearance” sites, where U.S. border officials can do searches on Canadian ground, part of an act passed in late 2017. They come following the release of a new U.S. Customs and Border Protection directive [see PR here] on searches of electronic devices, which clarifies previous search rules. It also includes updates on electronic searches for people going back through Canadian customs. Meghan McDermott, staff counsel at the BC Civil Liberties Association, said that due to the new powers of customs officers at preclearance sites and more detailed abilities for U.S. border patrols, she recommends taking every precaution to ensure your data is secure and protected should a search take place “the best guarantee is to not even bring your device at all, but if you do bring a device, you can use a burner phone [see here] or substitute. One of the other things people can do is to delete all the apps and documents and texts as well.” Toronto Star
US Legislation
US – California Enacts Comprehensive Privacy Rules
Effective January 1, 2020, organizations must comply with individual requests to provide categories of personal information collected and shared, stop selling personal information (services cannot be refused and prices cannot be increased as a result), delete personal information, and provide their information in a portable format; the Attorney General can impose civil penalties for violations and there is a private right of action for breaches resulting from reckless behavior. [AB 375 – The California Consumer Privacy Act of 2018 – State of California]
US – Tech Companies Cool Toward California Consumer Privacy Act
On the heels of the EU’s General Data Protection Regulation, California lawmakers passed a tough new privacy law, California Consumer Privacy Act, which is designed to give consumers more control over their personal information. Under the act, which goes into effect Jan. 1, 2020, consumers will be able to request details on how their personally identifiable information (PII) is used and how it is collected. The question now for California—and those state governments watching—is whether companies will embrace the California Consumer Privacy Act or will they find loopholes to skirt the law. California’s tech companies, usually out on the front line of innovation and new ideas, are soundly against the state’s new privacy law and are expected to fight for changes before the law goes into effect. The bill was pushed through too quickly, they say, and it is too vague. Yet, supporters of the bill point out, these same companies already have groundwork in place because of GDPR. Many large companies still have a long way to go in finishing the technical aspects of GDPR, and now California companies need to be ready for CCPA a year and a half later. Security Boulevard See also: California Consumer Privacy Act: What you need to know now | Key Takeaways from the California Consumer Privacy Act of 2018 | Out of the pot and into the fire? What the heck happened in California?! | California’s privacy law a commendable step toward national standard | New California Consumer Privacy Act increases the risk of additional data breach class actions
Workplace Privacy
US – Judge: No ‘Risk of Harm’ From Fingerprint Scan Time Clocks
A federal judge [Manish S. Shah, U.S District Court for the Northern District of Illinois] has kicked back to Cook County court [Illinois] a class action lawsuit accusing manufacturer Rexnord of violating an Illinois state privacy law by requiring employees to scan their fingerprints when using employee punch clocks to track work hours. The underlying complaint was brought by former Rexnord Industries employee Salvador Aguilar, who said the company violated the Illinois Biometric Information Privacy Act [see here] through its use of a fingerprint-based time clock system [see Rexnord policy here]. According to Aguilar, he never signed a written release allowing the company to collect or store his fingerprint. Further, he said the company never fully explained why it was keeping his fingerprint data and how long it would retain the information. Although Aguilar and his attorneys originally filed his complaint in Cook County, Rexnord removed the suit to federal court. The company then moved to have it dismissed for failure to state a claim. However, in an opinion issued July 3, U.S. District Judge Manish Shah remanded [see here] the matter because he said the federal court lacked jurisdiction in the case. Cook County Record
+++
