Biometrics
CN – Facial-Recognition Database Exposed 2.5M Users
According to security researcher Victor Gevers, one of the facial-recognition databases used in China’s Xinjiang region has been left open on the internet for months. Gevers stated the MongoDB database belonging to Chinese company SenseNets contained information on 2,565,724 users and included names, ID numbers, nationalities, addresses, dates of birth, employer information and GPS data. Gevers also noted that the database was active and had received nearly 6.7 million GPS coordinates within a 24-hour period. After informing SenseNets, the database has been made secure and now blocks access from non-Chinese IP addresses. [ZDNet]
EU – Swedish Data Authority to Investigate School’s Use of Facial Recognition
The Swedish Data Inspection Authority, the Datainspektionen, plans to investigate the use of facial-recognition technology at a Skelleftea school. The Anderstorp school has used facial recognition to take attendance. Datainspektionen Legal Adviser Ranja Bunni will lead the inquiry to see whether the school is in compliance with the EU General Data Protection Regulation. The authority seeks to find out what personal information has been collected, the way the technology has been used, and whether the school board conducted a risk assessment for the technology. [Telecompaper]
Canada
CA – Commissioner Calls for Revamped Privacy Laws in Nova Scotia
Nova Scotia Information and Privacy Commissioner Catherine Tully called for an overhaul to the province’s privacy laws. Appearing before Nova Scotia Legislature’s public accounts committee, Tully said the province’s privacy laws need to be revamped, as they do not include features such as data breach notification requirements and rules on risk assessments. Her appearance follows a report she issued last month, scathing in its criticism of the way the Nova Scotia government handled the province’s largest privacy breach [CBC coverage]. “This law will not do, it will not protect Nova Scotians,” Tully said [watch starting at 14:34]. “Europe is miles ahead of us, why would we want this? Why would we want less for Nova Scotians than everybody else has?” Opposition members offered their full endorsement of Tully’s call for an overhaul, with NDP MLA Lisa Roberts calling for reform of the act. Tory MLA Tim Halman voiced a similar opinion.. Nova Scotia Premier Stephen McNeil said he will commit to updating the province’s privacy laws but added he does not plan to give the privacy commissioner’s office more order-making authority, as Tully has previously requested. [The Canadian Press | CBC News | Commissioner makes plea for an overhaul of Nova Scotia privacy law]
CA – Nova Scotia Receives Recommendations After Review of FOI Site Breach
Deloitte offered the Nova Scotian government 35 recommendations after it conducted a review about the breach of the province’s freedom-of-information website. The audit was ordered after Information and Privacy Commissioner for Nova Scotia Catherine Tully recommended the government put forth “an internal post-incident review.” Deloitte held “a no-fault, lessons learned discussion” with the individuals who helped conduct the portal. After the interviews were finished, Deloitte released its recommendations, which included creating guidance to define “responsible parties,” determining an incident leader earlier in the event of a breach, and considering whether any misinformation reported by the media should be corrected. [CBC]
CA – Police Are Tracking People’s ‘Negative’ Behavior in a ‘Risk’ Database
Documents obtained by Motherboard from Ontario’s Ministry of Community Safety and Correctional Services (MCSCS) through an access to information request show that at least two provinces—Ontario and Saskatchewan—maintain a “Risk-driven Tracking Database” –a collaborative approach to policing called the Hub model [described in a 2015 Public Safety Canada report] that partners cops, school staff, social workers, health care workers, and the provincial government use. It is used to amass highly sensitive information of detailed, but “de-identified” information about people’s lives including whether a person uses drugs, has been the victim of an assault, or lives in a “negative neighborhood.” The information is culled from conversations the subject has with police, social services, health workers, and more. Police, social services, and health workers use the shared databases to track the behaviour of vulnerable people—including minors and people experiencing homelessness—with little oversight and often without consent. Information is added to the database when a person is being evaluated for a rapid intervention intended to lower their risk levels. Interventions can range from a door knock and a chat to forced hospitalization or arrest. Saskatchewan and Ontario officials say data in the RTD is “de-identified” though experts said that scrubbing data so it may never be used to identify an individual is difficult if not impossible. A Motherboard investigation—which involved combing through MCSCS, police, and city documents—found that in 2017, children aged 12 to 17 were the most prevalent age group added to the database in several Ontario regions, and that some interventions were performed without consent. In some cases, children as young as six years old have been subject to intervention. More than 100 Hubs are now operating in cities and towns across Canada and the US, with 37 in Ontario (where Hubs are usually called Situation Tables) contributing to the Risk-driven Tracking Database as of April 2018, according to MCSCS documents. In total, 55 are expected to be contributing by the end of this year. [The remainder of this lengthy piece examins in some detail with]: 1) How does people’s information get added to the database?; 2) What’s in the database?; and 3) Predictive policing concerns. [Motherboard | Canada’s ‘Pre-Crime’ Model of Policing Is Sparking Privacy Concerns | The Canadian Government Is Going to Scan Social Media to See If You Smoke Pot | Academics Confirm Major Predictive Policing Algorithm is Fundamentally Flawed
CA – B.C. Privacy Commissioner Launches PIPA Educational Campaign
Michael McEvoy, British Columbia information and privacy commissioner has announced [Press Release] his office has launched new programs to help the roughly 1 million firms, non-profits, doctor’s offices, trade unions and other organizations there understand their obligations under the provincial Personal Information Protection Act (PIPA). The campaign, largely aimed at small and medium-sized organizations, will include webinars, animated pop-up online videos, podcasts and guidance documents. New tools will be published on the first Wednesday of each month throughout 2019 on the OIPC website. The idea for the campaign started when McEvoy looked at responses to a privacy self-assessment toolkit sent randomly to B.C. businesses asking for details about their privacy management program: “Many of them didn’t really understand the most fundamental aspects under our personal information protection act. We also had the same sense from the kind of calls we receive from businesses.” McEvoy officially launched the project on March 7. IT World Canada
CA – Ontario Privacy Commissioner to Investigate Sale of Health Data
The Office of the Information and Privacy Commissioner of Ontario announced it will investigate a data-sharing arrangement between U.S. health organization IQVIA and a company that sells electronic medical record software to doctors in the province. The Star first reported the unnamed software company sold anonymized data to IQVIA. The company has access to the medical records of 5 million Ontario citizens. “The article indicates that information from patient records is being provided to private sector organizations,” the privacy commissioner’s office said in a statement. “We have reason to believe that these arrangements may be contrary to the law.” [Toronto Star]
CA – Élections Québec: Political Parties Should Be Covered by Privacy Laws
Élections Québec released a report that recommends policies where parties should be covered by privacy legislation. The group suggests any data held by political parties should receive the same level of protection as the information held by public and private organizations in Quebec. Those privacy laws would also extend to municipal political parties, representatives and candidates for school elections. Élections Québec also wants The National Assembly to create a special committee to examine these issues. “Technologies are evolving, as are the challenges surrounding the protection of personal information,” the group states. “Laws must evolve to reflect these new realities. Our recommendations are meant to provide the basis for a broader reflection on the oversight of political parties with respect to the protection of personal information.” [Élections Québec]
CA – Supreme Court Rules Students Have Privacy Rights in Schools
In a decision that is expected to impact future privacy-related cases, the Supreme Court of Canada ruled that a teacher who secretly filmed female students’ chests with a camera pen is guilty of voyeurism. While lower courts had previously ruled that students had no reasonable expectation of privacy while at school, the Supreme Court’s unanimous decision found that students had a reasonable expectation of privacy, even if the school employs security cameras. Writing for the majority, Chief Justice Richard Wagner wrote, “The explicit focus of the videos on the bodies of the students recorded, including their breasts, leaves me in no doubt that the videos were made in violation of the students’ reasonable expectations of privacy.” [CBC | Commentary: Insights (Dentons) | Insights (McInnes Cooper) | Teresa Scassa Blog | Canadian Lawyer ]
Consumer
CA – CIRA Report on Canadians’ Views on Fake News, Privacy, Cybersecurity and Internet Access
The Canadian Internet Registration Authority (CIRA) released a research report based on a survey of over 1,200 Canadian internet users in December 2018 displaying Canadians’ opinions and experiences regarding the internet and fake news, privacy, cybersecurity and access. Of those surveyed
- 72% are willing to disclose some or a little personal information in exchange for a valuable/convenient service
- 87% are concerned that businesses with access to customers’ personal data willingly share it with third parties without consent
- 86% believe it is important that government data, including the personal information of Canadians, be stored and transmitted in Canada only
- 87% are concerned about a potential cyberattack against organizations with access to their personal data.
- Only 19% say they would continue to do business with an organization if their personal data were exposed in a cyberattack.
- 78% are concerned about the potential security threats related to the Internet of Things.
CIRA’s report offers several recommendations to improve Canada’s internet, including enhanced investments by the Canadian government, actions around cybersecurity and privacy that Canadian businesses can take right away and opportunities for Canadian citizens to improve the internet they rely on every day. [Canadian Internet Registration Authority| CIRA report highlights Canadians’ concerns about cybersecurity, privacy and fake news ]
Electronic Records
US – GAO Identifies Challenges in EHR Accuracy
The Government Accountability Office reviewed current approaches to matching of electronic health records. There are difficulties faced in inputting correct patient demographic information, requiring use of the same fields across all providers (due to proprietary software), and assessing algorithm matching accuracy. Improvements should include implementing a national unique patient identifier, common standards for demographic data, allowing patients to share data with their providers using smartphones, and improving matching abilities of algorithms used. [GAO – Health Information Technology – Approaches and Challenges to Electronically Matching Patients Records Across Providers]
Encryption
WW – International Civil Liberties and Technology Coalition Files Submission Regarding Australia’s Encryption Laws
A coalition of civil liberties advocates and technology companies have filed a submission regarding Australia’s encryption laws. The submission argues against Australia’s plan to force service providers to allow law enforcement to be secretly added to encrypted communications as “ghost users.” The group also voiced its opposition to plans to force companies to reveal source code to the government, to requiring phone makers to take screenshots and send then to law enforcement, and to imposing gag orders on companies that receive technical capabilities requests from the government.
- www.zdnet.com: Tech giants and civil liberty groups call out ghost cops and source code demands under Australian encryption laws
EU Developments
EU – EDPS releases 2018 Annual Report
The European Data Protection Supervisor has released its 2018 Annual Report. The document covers the data protection authority’s efforts to prepare for the EU General Data Protection Regulation and its work with the European Data Protection Board. In the introduction letter to the report, EDPS Giovanni Buttarelli also cited the work to reach an adequacy decision with Japan and continued efforts with the EU-U.S. Privacy Shield agreement as other notable occurrences in 2018. The EDPS also issued its guidelines “for assessing the proportionality of measures that limit the fundamental rights to privacy and to the protection of personal data.” [EDPS]
EU – Ireland’s Data Regulator Lists 16 Big Tech Investigations
Helen Dixon, Ireland’s data regulator has listed details for the first time of 16 investigations into Facebook, Twitter, Apple and LinkedIn and warned that the companies will inevitably face significant fines if they are found to have violated the EU’s new privacy rules under the General Data Protection Regulation (GDPR), which came into force last May. The investigations into Facebook include a single case involving 12 separate data breaches since May which is separate to Ms Dixon’s investigation into cyber attack on Facebook last September in which hackers gained access to up to 50m accounts. She published a report into her current slate of investigations [DPC Annual Report 25 May – 31 December 2018 – see PR] She said that “what’s important to know is that where we do identify that there are infringements, I am obliged to apply a fine.” Breaches of GDPR carry a maximum penalty of €20m, or up to 4% of a company’s annual worldwide revenues. Ms Dixon is expected to start publishing her findings over the summer while some cases will not be finished until later in the year. She said the initial investigations are likely to set a precedent for enforcement elsewhere. Her office has initiated seven inquiries of its “own volition” since May, four of which are on Facebook, another on WhatsApp, and two on Twitter. Another nine inquiries were started with complaints to her office, including three on Facebook itself, one each on WhatsApp and Instagram, two on Apple and one each on Twitter and LinkedIn. “The issues that we’re covering between the complaint-driven and own-volition inquiries will allow us set very important standards that we anticipate all entities should reach under the different articles of the GDPR,” she said. [FT.com]
UK – ICO Releases Video on Sandbox Workshop
The U.K. Information Commissioner’s Office has released a video on a workshop it held on its sandbox initiative. The ICO used the workshop to inform stakeholders about the sandbox, where organizations can pitch their solutions that use personal data. Sandbox participants can work with the ICO to ensure their product is in compliance with data protection laws. Attendees of the workshop had the opportunity to offer feedback on the initiative. “I think there is a general perception that privacy and innovation can’t sit comfortably together,” Refinitiv Chief Privacy Officer and IAPP Board Member Vivienne Artz said. “I see this initiative as an opportunity to dispel that myth and to demonstrate that both innovation and privacy can work together to generate excellent results.” [Full Story]
Facts & Stats
WW – Human Negligence to Blame for the Majority of Insider Threats
Behavioral intelligence firm Dtex found that in 98% of the employee assessments conducted for its 2019 Insider Threat Intelligence Report [PR] employees exposed proprietary customer company information on the Web – a 20% jump from 2018. Nearly two-thirds (64%) of insider threats are caused by users who introduce risk due to careless behavior or human error 13% of threats due to compromised credentials and 23% caused by intent on harming the organization. The study also found that in 95% of the assessments, employees looked to circumvent company security policies – a notable jump from 60% last year. In many instances, people are using private VPNs and TOR browsers in the hope of shielding their activities, Koo says. While often employees are simply looking to bypass security so they can do their work more efficiently, Dtex has found the use of such tools is often motivated by malicious intent. In related research released this week, Endera [PR] reported that companies suffer from at least three workforce-related incidents per week, adding up to 156 incidents per year. And, according to Egress Technologies [PR & report] more than four out of five companies (83%) have had employees expose customer or business data. Dark Reading | Analytics, Intelligence & Response: Getting Ahead of the Insider Threat in 2019
Finance
US – N.Y. Department of Financial Services Issues Guidance Regarding Life Insurers’ Use of External Consumer Data in Underwriting
On January 18, 2019, the New York State Department of Financial Services (NYDFS) issued Circular Letter 2019-1, addressing insurers’ use of external consumer data and information sources in underwriting for life insurance. The Circular Letter follows an investigation commenced by NYDFS regarding life insurers’ use of external data, which was initiated in light of reports that insurers were using algorithms and predictive models that include unconventional sources or types of external data. Among other things, the Circular Letter provides guidance that when insurers use external data sources in connection with underwriting decisions: 1) the use of external data sources must not result in any unlawful discrimination; 2) the underwriting or rating guidelines must be based on sound actuarial principle; and 3) life insurers must have adequate consumer disclosures to notify insureds or potential insureds of the right to receive the specific reasons for any adverse underwriting decision based on such data. The bulk of this blog post discusses these issues in some detail and concludes with the following: Life insurers interested in using external data sources, algorithms or predictive modeling in accelerated underwriting processes should exercise caution to ensure that the use of data contained in such materials is not unlawfully discriminatory and would otherwise be permitted by law or regulation. In addition, life insurers should be aware that they are responsible for establishing that the external data sources, algorithms or predictive models are based on sound actuarial principles and that they must notify insureds or potential insureds of their right to receive the specific reasons for any adverse underwriting decision. Finally, life insurers are ultimately responsible for ensuring compliance with such laws through diligence, even in the event that such external data, algorithm or predictive model is provided by a third-party vendor. Data Matters Blog (Sidley)
UK – Financial Services See Fivefold Increase in Data Breaches
According to the U.K.’s Financial Conduct Authority, financial services companies in the U.K. experienced a fivefold increase in data breaches for 2018 when compared to 2017, the Financial Times reports. Companies reported 145 breaches for the year, compared to just 25 reported breaches in 2017. The article notes that while the EU General Data Protection Regulation’s breach-reporting requirements are likely to explain part of the increase, bank executives also cite an increased and constant hacking threat. [FT.com]
FOI
CA – Alberta Court Overturns OIPC’s Disclosure Order
The Court considered law enforcement’s appeal of an OIPC AB order to disclose records believed to be privileged, pursuant to the Freedom of Information and Privacy Act. The OIPC erred in its considerations for asserting privilege over records requested for public disclosure; a lawyer who provides legal information to their client is doing so for the purpose of advising their client and, when asserting privilege, the asserter does not need to consider the public interest or whether their exercise of discretion is consistent with the purpose of FOIP. [Calgary Police Service v Alberta OIPC – 2019 ABQB 109 CanLII – Court of Queens Bench of Alberta]
CA – BC Supreme Court Denies Disclosure of Medical Information
The British Columbia Supreme Court considered whether a Health Authority must produce personal information of individuals for litigation purposes. A Health Authority does not have to disclose personal information of individuals who contracted E. Coli while attending a pet farm; the Public Health Act prohibits disclosure of the information to identify potential witnesses for use in legal proceedings, and there are no benefits to the disclosure that would outweigh the privacy interests of the individuals. [Svangtun v. Pacific National Exhibition – 2019 BCSC 121 CanLII – Supreme Court of BC]
Health / Medical
CA – OIPC AB Investigating Security of Patient Health Records
Alberta’s privacy commissioner is investigating whether Alberta Health Services (AHS) properly safeguards the public’s personal health information after a 2018 audit revealed lax cybersecurity practices [CBC coverage]. The assessment by an external security firm Procyon Security Group found several “significant risks” with the health authority’s administration of the Alberta Netcare Portal. The system gives health-care providers access to key information from a patient’s medical file, such as laboratory test results and hospital visits. According to OIPC spokesperson Scott Sibbald, commissioner Jill Clayton launched her investigation on Aug. 8. “The investigation is examining safeguards of patient health records at AHS.” The audit found 108 security risks in the Portal and its associated infrastructure: 11 critical, 34 high, and 63 medium. Of particular concern to Procyon was the Alberta Netcare Portal’s “highly insecure” database access. They discovered AHS last applied security updates to its system in July 2014 — three and a half years before the company conducted its review — and the health authority did not securely store users’ passwords. The portal protects users’ passwords through a common method called hashing. But Procyon was able to obtain the password hashes of database users and crack nearly 40% of their actual passwords. From there, the firm would have been able to “exfiltrate all data in the database,” including the password hashes of Alberta Netcare Portal users and to also access “personally identifiable medical records.” As a condition of its operating agreement with Alberta Health, AHS must conduct vulnerability assessments every two years and meet certain service-level targets. Procyon’s review concluded the health authority is “in breach” of its targets. [CBC News]
CA – EHRs: Circle of Care is a Misleading Concept
The OIPC Saskatchewan investigated a privacy breach by a health authority, pursuant to the Health Information Protection Act. An investigation by the OIPC SK found that physicians accessed PHI without a need-to-know after the patients were transferred out of the physicians’ care; the concept of circle of care is not recognized under HIPA, and focuses on the physicians, rather than patients, suggests a static kind of entitlement to information, and is often misinterpreted to only include trustees and their employees (non-trustees such as police or teachers may have a need-to-know). OIPC SK – Investigation Report 180-2018_181_2018_226_2018 – Saskatchewan Health Authority involving Dr. R Dr. L and Dr. F]
US – All-Time Record Year for HIPAA Enforcement
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced that 2018 was an all-time record year for Health Insurance Portability and Accountability Act (“HIPAA“) enforcement activity [see PR]. Enforcement actions in 2018 resulted in the assessment of $28.7 million in civil money penalties [see summary of 2018 OCR HIPAA actions]. Enforcement activity focused primarily on breaches of electronic protected health information (ePHI). Another enforcement theme in 2018 focused on physical theft of PHI or devices containing ePHI. OCR’s record-breaking enforcement activities in 2018 serve as a reminder to covered entities and business associates to conduct frequent and meaningful assessment of the security of any PHI they hold, to swiftly remediate any vulnerabilities discovered, and to carefully document the assessment, remediation, and general HIPAA policies and procedures. This blog post is part of our ongoing coverage of HIPAA issues, which includes, among others: 1) HHS Releases Voluntary Cybersecurity Guidance; 2) HHS Announces More HIPAA Enforcement Actions; 3) Twenty-First Century Cures Act Includes HIPAA Provisions; and 4)Significant HIPAA Fine Follows Business Associate’s Stolen iPhone
Source: Inside Privacy (Covington) | HIPAA Data Breach Reports Due to OCR by 2/28/19
Horror Stories
US – Marriott Service Allows Users to Check if They are Data Breach Victims
Marriott has released a tool to help individuals discover whether they were victims of the hotel chain’s data breach. The tool, which is hosted by OneTrust, also will determine whether a person’s passport numbers were stolen in the incident. Marriott has not announced how long it will take to answer each request. Meanwhile, a report from Risk Based Security found about 5 billion records were stolen around the world in 2018, down from 7.9 billion in 2017. ZDNet also reports on a hacker who has sold three databases that contained the data of millions of users. [TechCrunch]
Identity Issues
US – Potential Privacy Lapse Found in Americans’ 2010 Census Data
An internal team at the Census Bureau found that basic personal information collected from more than 100 million Americans during the 2010 head count could be reconstructed from obscured data, but with lots of mistakes chief scientist John Abowd told the American Association for the Advancement of Science annual meeting on Saturday. The age, gender, location, race and ethnicity for 138 million people were potentially vulnerable. So far, however, only internal hacking teams have discovered such details at possible risk, and no outside groups are known to have grabbed data intended to remain private for 72 years. In the internal tests, Abowd said, officials were able to match of 45% of the people who answered the 2010 census with information from public and commercial data sets such as Facebook. But errors in this technique meant that only data for 52 million people would be completely correct—little more than 1-in-6 of the U.S. population. The Census Bureau is now scrapping its old data shielding technique for a state-of-the-art method that Abowd claimed is far better than Google’s or Apple’s. He said “I promise the American people they will have the privacy that they deserve the 2020 census will be the safest and best protected ever.” The new system involves complex mathematical algorithms that inject “noise” into the data, making it harder to get accurate information and providing “a very strong guarantee” of privacy. This increases privacy while lowering the accuracy for researchers who use the statistics. Phys.Org | Court will review census citizenship dispute this term | Supreme Court to Hear Case on Census Citizenship Question | Supreme Court to decide whether citizenship question can be included in 2020 census | Supreme Court Fast Tracks Census Case, Because They Already Know How They’re Going To Rule
Law Enforcement
CA – Vancouver Police Suspends Camera Registration Program Over Privacy Concerns
The Vancouver Police Department announced it has suspended its recently launched Community Camera Registration Program over citizens’ privacy concerns. The department asked residents and business owners to register information about their privately owned camera systems in order to assist in law enforcement investigations. Vancouver Police Department Spokeswoman Kim Kapp said in an email individuals were concerned personal information may be leaked to the public through the program. “We decided to temporarily suspend the program so that we could modify the registration form in an effort to better protect the privacy of citizens while still collecting meaningful information for investigators,” Kapp said. [The Columbian]
US – Privacy Advocate Held at Gunpoint After License Plate Reader Database Mistake: Lawsuit
Bay Area police pulled over a California privacy advocate and held him at gunpoint after a database error caused a license plate reader to flag a car as stolen, alleges a lawsuit filed by Brian Hofer, chair of Oakland’s Privacy Advisory Commission in December. According to the suit, Hofer had rented a car and was traveling with his brother when he was pulled over by a Contra Costa Sheriff’s Office deputy, and more police cars joined. Hofer alleges that an officer had a gun drawn and told him and his brother to exit the rental car, and that a deputy injured his brother by throwing him to the ground and that the officers searched the car without consent. After allegedly spending about 40 minutes detained by the officers, the two brothers were released. The complaint, filed against multiple officers, alleges that the incident was a violation of Hofer’s Fourth Amendment rights. A spokesperson for the sheriff’s office said in a statement: “The Deputy Sheriffs involved in this case followed procedure and acted appropriately” adding that the car was stolen at one point but that, for an unknown reason, the system wasn’t updated after the stolen car was recovered. The Verge | ‘They went cowboy on us’: Privacy advocate says East Bay police held him at gunpoint over license plate reader mix-up
Location
US – Survey: 83% of US Citizens Know Companies Track Location Data
A survey conducted by location-intelligence company Blis found the majority of Americans are more aware of marketers’ use of their personal data. Of the 2,000 U.S. citizens polled, 63% said they have become more cognizant of marketers’ data use compared to a year ago. When asked about location tracking, 83% said they were aware companies “actively track their location data.” Respondents were also asked to put a price on their personally identifiable information. Nearly 60% said they would sell their data for a price. Of that 60 percent, 57% said their data was worth a minimum of $10. [MarTech Today]
WW – Rise of 5G Could Lead to Location Data Privacy Issues
Columbia University’s Steve Bellovin has identified potential privacy issues related to 5G networks. Since 5G signals in the U.S. will have a shorter range, Bellovin said, more cell towers will need to be erected. Bellovin believes this gives companies the ability to collect more precise location data, and since 5G cannot go through walls, the computer science professor said towers will be placed inside buildings for even more accurate location information. “We need much clearer regulation of what carriers can do with location data,” Bellovin said. [The Wall Street Journal]
Online Privacy
WW – Study Finds 17K Android Apps Gather Information from Smartphones
A study conducted by the International Computer Science Institute found about 17,000 Android apps gather identifying information to create a record of users’ activity on their devices. The researchers found the apps link a user’s Advertising ID with other identifiers found on a smartphone, such as a Mac address and Android ID. Google announced it has looked into the report and has taken action on a number of app developers. “We take these issues very seriously,” a Google spokesperson said in a statement. “Combining Ad ID with device identifiers for the purpose of ads personalization is strictly forbidden. We’re constantly reviewing apps — including those listed in the researcher’s report — and will take action when they do not comply with our policies.” [CNET]
US – EFF Puts a Spotlight on Apps’ ‘Dark Patterns’
The Electronic Frontier Foundation (EFF) looks at the tactics tech companies use to encourage users to consent to more data collection. “Dark patterns” are techniques where tech companies will use visual indicators to highlight different app functionalities. Apps may have a button that allows it to connect with another service placed in a bright box to entice users to agree. The flipside of this is “opinionated design,” which warns users about potential online dangers, such as when an app warns a connection may not be private, and the highlighted box instead allows an individual to go back to a safe website. The EFF states the best way to combat “dark patterns” is to build apps with a focus on privacy by design. [EFF.org]
WW – How Mobile Data Collection Could Raise Taxes and Privacy Concerns
The growing practice of collecting mobile-tracking data raises questions for consumers as they navigate concerns. While there are concerns around the data-collection process in terms of what data is collected, who has access to it, and how it is being shared, “the potential for this same data to be monetized via auditing and compliance fees is even more problematic.” As more state and local governments move to utilize such data to generate revenue via congestion pricing and infrastructure fees, it not only creates business opportunities for companies to harvest and analyze mobile tracking data, but as the article also points out, its use to create an additional tax will raise some “pretty significant privacy concerns.” [TechCrunch]
WW – Majority of Chrome Apps, Extensions Do Not Have Privacy Policies: Study
Research conducted by Duo Security found 85% of Google Chrome apps and extensions do not have privacy policies. Duo Security examined 120,463 Chrome extensions and apps found in the Chrome Web Store as of January 2019. The company discovered 35% of the apps and extensions can read the data of the sites a user visits, and 32% use third-party libraries with previously known vulnerabilities. Meanwhile, a survey conducted by ERP Maestro found only 9% of 2,000 Americans polled take the proper steps to protect themselves from identity theft. [Engadget]
WW – Some Apps Stop Sharing Data with Facebook After WSJ Report
New York Governor Andrew Cuomo has called for an investigation into reports that health apps were sending sensitive data to Facebook. The Wall Street Journal report said that the apps were sending health and financial data to Facebook even when users were not logged into Facebook or did not have Facebook accounts. Facebook’s response to the initial WSJ report was to contact app developers and advertisers to tell them that Facebook’s terms of service prohibits them from sending Facebook sensitive user data. Facebook maintains that the app developers are the ones who should be under scrutiny. Others say that Facebook should take responsibility for what it has created. Some of the apps have stopped sending the data to Facebook.
- www.wsj.com: Popular Apps Cease Sharing Data With Facebook (paywall)
- www.wsj.com: You Give Apps Sensitive Personal Information. Then They Tell Facebook. (paywall)
- www.wsj.com: Eleven Popular Apps That Shared Data With Facebook (paywall)
- www.bleepingcomputer.com: NY Governor Cuomo Calls For Investigation on Facebook Health Data Collection
- www.zdnet.com: Another Facebook privacy scandal, this time involving its mobile analytics SDK
Other Jurisdictions
AU – Political Parties Should be Stripped of Privacy Act Exemptions After Hack: Experts
In the wake of an online attack that left political parties exposed to fears that a “sophisticated” agency had obtained highly confidential records [see PM’s statement] several former privacy commissioners have called for an end to the exemption from privacy and security laws political parties have been afforded since the Privacy Act in 2000 which some experts say spares parties from the obligation to protect valuable information based on the electoral roll. Former federal privacy commissioner, Malcolm Crompton [see bio] who opposed the exemption for political parties when he was the federal privacy commissioner in 2000 said the parties should be compelled by law to notify authorities of a “notifiable data breach” under legislation that came into effect one year ago and applies to all federal agencies, health service providers and businesses with a turnover of more than $3 million. “The political parties have access to some of the most accurate details about voters in Australia that there is. They have access to the electoral roll and it contains more demographic detail than simply name and address. In addition, each of the major parties have their own systems for ingesting further detailed information about voters, for example in regard to every contact somebody might have with the electoral office of each parliamentarian, and other information that they can purchase from information aggregators.” While it has become common for banks or others to notify customers of a privacy breach, there is no similar requirement for the political parties. The Australian Law Reform Commission recommended an end to the special treatment in 2008 [see ALRC Report 108 here: 833 pg PDF vol 1 here, 870 pg PDF vol 2 here & 997 pg PDF vol 3 here]. The Sydney Morning Herald | Australia’s major political parties hacked in ‘sophisticated’ attack ahead of election | With elections weeks away, someone “sophisticated” hacked Australia’s politicians | Australia’s major political parties targeted by ‘sophisticated state actor’, PM says | China rejects claims it hacked Australian political parties
Privacy (US)
US – Department of Education Issues Updated Student Privacy Guidance Following Federal Commission on School Safety Report
On February 5, 2019, the U.S. Department of Education (ED) released new and important regulatory guidance entitled “School Resource Officers, School Law Enforcement Units, and the Family Educational Rights and Privacy Act“ [see PR] This guidance document was prepared and issued in response to the December 2018 final report of the Federal Commission on School Safety [see 180 pg PDF report here] One of that report’s specific recommendations was that ED clarify the parameters of information sharing between school staff, school resource officers (SROs) and school safety officers (SSOs), with special consideration and training regarding the privacy requirements of Family Educational Rights and Privacy Act (FERPA) and Health Insurance Portability and Accountability Act (HIPAA). The new guidance aims to give school officials a better understanding of how FERPA specifically relates to circumstances that threaten the health or safety of individuals, and thus to empower such officials to act more quickly and decisively when challenges arise. It consolidates multiple prior guidance and technical assistance documents into a single resource. DBR on DATA (DrinkerBiddle)
US – FTC’s Record Fine to TikTok Makes One Thing Clear: Illegally Collecting Kids’ Data Won’t Be Tolerated
Musical.ly, the lip-dubbing app that became a part of video app TikTok last year, agreed to pay the Federal Trade Commission $5.7 million over allegations that it collected personal information from children under the age of 13 without getting parental consent [see FTC blog post here, PR here & 11 pg complaint and 25 pg Order]. The TikTok app allows users to create short 15-second videos, showing everything from dancing to silly stunts, which can then be strung together to create minute-long stories that can be shared with other people on the social platform. “The operators of Musical.ly—now known as TikTok—knew many children were using the app, but they still failed to seek parental consent before collecting names, email addresses, and other personal information from users under the age of 13,” FTC Chairman Joe Simons said It’s the largest civil penalty ever collected in a privacy case related to children, according to the FTC’s news release. In a statement the company said it will create “a limited, separate app experience that introduces additional safety and privacy protections designed specifically” for a younger audience under which “users cannot do things like share their videos on TikTok, comment on others’ videos, message with users, or maintain a profile or followers. However, they will be able to experience what TikTok is at its core—showcasing creativity—as they enjoy curated content and experiment with TikTok’s unique, fanciful, and expressive features.” Fortune | FTC Hits Musical.ly With Record-Setting $5.7M Fine | FTC Exacts Record Fine for Kids Privacy Violation
US – Privacy Issues With School Safety Technology
As schools embrace technologies to monitor and collect data, there is a need to balance privacy and security in a school environment. A recent panel discussion at SXSW EDU brought together privacy advocates, a school administrator and a school safety software product manager to discuss this balance and left one assistant principal to admit feeling “caught in the middle” when it came to ensuring student safety and protecting student data. New Knowledge Researcher Bill Fitzgerald noted, “The vast majority of people in this space are doing it for the right reasons,” but added, “a lot of these tools are less about what’s better for kids, and more about what’s easier for adults.” [EdSurge]
NZ – Pilot Project Introduces AI to Track Truancy
A pilot project implementing facial-recognition technology to monitor student attendance at two New Zealand tertiary providers is set to complete in the coming month. Run by Aware Group, the $150,000 project utilizes artificial intelligence to track arrivals and departures in an effort to monitor “safety and truancy” in real time. Aware Group CEO Brandon Hutcheson did not confirm which institutions had used the technology but noted that students involved in the project had signed consent forms. [Stuff]
US – Lack of K–12 CPOs isn’t likely to end
While employing a chief privacy officer in K–12 education would offer benefits to student privacy, the reality is that the education system is far away from actually employing dedicated privacy employees. After reaching out to various educational nonprofits, a technology association and several privacy professionals, EdSurge states that none could identify a single K–12 CPO. Linnette Attai, founder of global compliance consulting firm PlayWell, said the main reason the role is sidelined is due to funding constraints. “It should be a leadership position, but it’s not,” she said. “We’re a really long way off from it ever being there, and we may never be there.” [EdSurge]
US – Children’s Advocacy Groups File FTC Complaint Against Facebook
The U.S. Federal Trade Commission received a complaint from 17 children’s advocacy groups accusing Facebook of deceiving children into accruing fees from games on the platform. The groups argue that in-app purchases were often completed without parental consent. In the complaint, the groups said, “Facebook’s exploitative practices targeted a population universally recognized as vulnerable — young people.” The groups have asked the FTC to investigate. In its response, Facebook noted, “As part of our long history of working with parents and experts to offer tools for families navigating Facebook and the web, Facebook also has safeguards in place regarding minors’ purchases.” [The New York Times]
Privacy Enhancing Technologies (PETs)
WW – Google Announces Shift in Approach to Global Policy
An internal email from Google Global Policy Chief Karan Bhatia outlined a reorganization of the company’s approach to global policy. According to a source familiar with the decision, the move will include additional resources for emerging markets and is a reaction to the ability of policymakers worldwide to regulate the company’s core businesses. Meanwhile, Google announced an “error“ in not disclosing a built-in microphone in devices belonging to the company’s Nest Secure home security system. The company said, “The on-device microphone was never intended to be a secret and should have been listed in the tech specs. That was an error on our part. The microphone has never been on and is only activated when users specifically enable the option.” [Bloomberg]
WW – Blockchain May Be More Vulnerable Than Previously Thought
Blockchain technology, once revered as impenetrable to hacking, appears to be highly vulnerable. The flip side to the technology’s unique security features is unique vulnerabilities. While vulnerabilities can exist from a development perspective, the article highlights that in other instances, it stems from “more of a gray area — the complicated result of interactions between the code, the economics of the blockchain, and human greed.” [MIT Technology Review]
Security
WW – Employees’ Emails, File Sharing Are Data Breach Trojan Horses: Survey
Employees’ emailing and file sharing practices are the leading cause of accidental data breaches, according to a new survey of 1,000-plus U.S. companies conducted by Opinion Matters research group on behalf of data security platform Egress [see here – see PR here & download the full survey and report here]. The respondents were senior and midlevel security professionals. Eighty-three percent of organizations surveyed said they experienced an accidental data breach. When an employee has unintentionally exposed sensitive data, 51% of respondents said it was through an external email provider, such as Gmail and Yahoo. Meanwhile, 46% said corporate email was used in an accidental data breach. Common employee email pitfalls include sending emails to the wrong address, forwarding sensitive information and sharing attachments with hidden sensitive content, according to the survey. Collaboration and file share services like Dropbox and Slack are becoming commonly used at organizations and as a result, sensitive information is being exposed. 40% said file sharing technology was used in employee-caused breach accidents, followed closely (38%) by collaboration tools. The survey singled out encryption technology as a standard best practice for securing and sharing sensitive data through emails and file sharing. However, only 79% of employees said they are required to use encryption when externally sharing personally identifiable information (PII) or critical business data, while, 64% were required to use encryption when internally sharing PII or critical business data. While most respondents said their biggest IT security risk was ransomware and malware (48%) and external attacks (45%), only 40% said accidental data breaches by employees was a risk. New regulations such as the GDPR and the pending California Consumer Privacy Act have influenced 54% of respondents to invest in new security technology, according to the survey. Data privacy regulations have also led to 52% of organizations to invest in employee training and 44% have restricted the use of external data sharing tools. Meanwhile, only 8% said new regulations haven’t changed their organization’s data sharing habits. [Legal Tech News (Law.com) | Human Negligence to Blame for the Majority of Insider Threats | Analytics, Intelligence & Response: Getting Ahead of the Insider Threat in 2019
Surveillance
CN – Surveillance Project Raises Privacy Concerns
By the end of March, 12 surveillance cameras will be mounted on streetlights as part of a pilot project to identify whether a car is parked illegally or not. The project, put forward by the Development Bureau’s Energising Kowloon East Office, would automatically read the license plate and alert police. The report notes that various legal and privacy concerns have been raised during the project’s public consultation process. [The South China Morning Post]
WW – Google Says Nest’s Secret Microphone Was ‘Never Intended to be a Secret’
When Google announced earlier this month that its Nest Secure smart home hub [here & wiki here] would double-up as a Google Assistant [here & wiki here], it sparked anger. Google hadn’t told anyone that the security hub had a microphone inside to begin with. There was no mention of the microphone on the initial list of tech specifications, nor was it mentioned after the company announced Google Assistant integration. (It’s there now.) In an email to TechCrunch Google spokesperson Nicol Addison said: “The on-device microphone was never intended to be a secret and should have been listed in the tech specs. That was an error on our part. The microphone has never been on and is only activated when users specifically enable the option.” Not disclosing the inclusion of a microphone in a device that sits in your home just looks bad. And it couldn’t come at a worst time for tech giants, as they try to clamber back any ounce of respect they have from privacy-conscious consumers. It makes you wonder how many other devices you have in your home — and out in the world — that could be used to spy on you. TechCrunch | Google says the built-in microphone it never told Nest users about was ‘never supposed to be a secret’ (GOOG, GOOGL) | Users alarmed by undisclosed microphone in Nest Security System |Google calls Nest’s hidden microphone an ‘error’
US Government Programs
US – U.S. Shared Terror Watchlist With 1,400 Private Groups
The U.S. federal government has acknowledged that it shares its terrorist watchlist [see Terrorist Screening Database here & wiki here], with more than 1,400 private entities, including hospitals and universities, prompting concerns from civil libertarians that those mistakenly placed on the list could face a wide variety of hassles in their daily lives. The watchlist is supposed to include only those who are known or suspected terrorists but contains hundreds of thousands of names. The government’s no-fly list is culled from a small subset of the watchlist. The exact number on the list is kept secret by the government, but it has acknowledged that it adds hundreds of thousands of names to the list every year. It also emphasized that names are routinely removed from the list. Critics say that the watchlist is wildly overbroad and mismanaged, and that large numbers of people wrongly included on the list suffer routine difficulties and indignities because of their inclusion. The government’s admission that it shares the list so broadly comes — after years of insistence that the list is generally not shared with the private sector in a constitutional challenge/class-action lawsuit filed in Federal Court, Eastern District of Virginia [see El Hady v. Kable: Case No. 1:16-cv-375 (AJT/JFA), PR here] by Gadeir Abbas [LinkedIn here], a lawyer with the Council on American-Islamic Relations [here & wiki here] on behalf of Muslims who say they regularly experience difficulties in travel, financial transactions and interactions with law enforcement because they have been wrongly added to the list [see CAIR blog post here]. Abbas said now that the government has disclosed how many private entities receive access to [the database] it needs to explain exactly which private entities are receiving it and what they’re doing with it. He’s asked a judge to require the government to be more specific. A hearing is scheduled for Friday. In some quarters, the government has been criticized for failing to widely disseminate the list to private agencies who might need to know about suspected terrorists. A 2007 report from a government watchdog criticized the government for just that [see 106 pg PDF here]. CTV News | More than 1,000 private entities have access to terrorism watch list, government says
US Legislation
US – Democrats Vow Congress Will ‘Assert Itself’ Against Tech — Starting With Silicon Valley’s Privacy Practices
The House Energy and Commerce Consumer Protection Subcommittee here] embarked on a wide-ranging campaign to probe Facebook, Google and their peers in the tech industry, a new burst of oversight that could bring heightened attention to some of Silicon Valley’s controversial business practices. At the first major tech policy hearing [see Democrat PR, details & witnesses witnesses & watch starting at 11:37] since Democrats took control of the House [members] charged that long-standing inaction on Capitol Hill had left consumers unprotected in the digital age. They pledged to grill tech companies, shine a harsher light on their missteps and write tough federal laws, including new rules to protect web users’ online privacy. Chairperson Rep. Jan Schakowsky (D-Ill.) opened the session by saying some tech giants’ data-collection practices “undoubtedly give Americans the creeps,” pointing to recent reports that apps pass sensitive information, including details about women’s menstrual cycles, along to Facebook. “Without a comprehensive federal privacy law,” she said, “the burden has fallen completely on consumers to protect themselves, and this has to end.” Rep. Greg Walden (R-Ore.), who chaired hearings with top tech executives on the Energy and Commerce Committee last year, also endorsed a federal law during the session Tuesday. In the Republican-controlled Senate, lawmakers [in the Senate Commerce, Science and Transportation Committee] plan to hold their own hearing focused on online privacy on Wednesday [Feb. 27 at 10:00 am – see details]. Adding to the pressure on Silicon Valley are new, tech-savvy Republicans who arrived this year in the Senate, including Sen. Josh Hawley (Mo.). The former Missouri attorney general has spent his first two months in the chamber sharply criticizing tech giants’ privacy practices and urging the Trump administration to take a closer look at the industry. [The Washington Post | House United on Privacy, Still Divided on Details | US lawmakers kick off debate over online privacy
US – GAO to Congress: It’s Time for Data Privacy Legislation
A report from the US Government Accountability Office (GAO) [see report, highlights and recommendations – also see House Energy & Commerce Committee PR] recommends that Congress develop data privacy protection legislation much like the European Union’s General Data Protection regulation (GDPR). Among the incidents referenced in the report is the Cambridge Analytica scandal, in which “Facebook disclosed that a Cambridge University researcher may have improperly shared the data of up to 87 million of [its] users with a political consulting firm.” The report is the result of a request from the House Energy and Commerce Committee two years ago.
- www.cnet.com: US needs an internet data privacy law, GAO tells Congress
- www.zdnet.com: GAO gives Congress go-ahead for a GDPR-like privacy legislation
- www.gao.gov: INTERNET PRIVACY: Additional Federal Authority Could Enhance Consumer Protection and Provide Flexibility (PDF)
- DBR on DATA (DrinkerBiddle)
- Privacy Data Regulations For Internet Is Need Of The Hour For The US, Says GAO
- Federal GAO Supports New Privacy Laws, Fines For Violators
- Government watchdog finds weak enforcement of US privacy regulations
- House panel to hold hearing on data privacy legislation
US – The FTC Decides to Uphold the CAN-SPAM Rule Without Any Changes
On February 12, 2019, the Federal Trade Commission [FTC] announced that it completed its first review of the CAN-SPAM Rule [see here & text here], a rule governing commercial e-mail. Based on its review, the FTC announced its decision, available here, to “retain the Rule in its present form.” [see FTC’s Federal Register confirmation of the Rule] The FTC reviewed public comments and proposals in making its determination [see FTC notice for public comment]. According to the FTC’s confirmation of the Rule, of the 92 comments received, most were submitted by individual consumers and many suggested modifications to the Rule. Many comments were responses to specific issues raised by the FTC regarding whether the FTC should: 1) modify the type of messages treated as “transactional or relationship messages,”; 2) shorten the time period for processing opt-out requests; or 3) identify additional practices that constitute “aggravated violations.” In rejecting all of the suggested modifications, the FTC found that no proposed modification presented sufficient evidence that its added consumer benefit would outweigh its increased burden on businesses. However, the FTC stated that it would monitor matters and, if necessary, amend the Rule at some point in the future. The FTC also stated that it will “review and consider revising its existing Compliance Guide for Business” to help businesses “more easily understand the Rule’s protections and requirements.” Finally, the FTC noted that many of the suggested modifications could “inform industry best practices” even if they ultimately didn’t become requirements under the Rule. Privacy & Data Security Blog (Alston & Bird) | No Change to CAN-SPAM | FTC Retains Current CAN-SPAM Rules | FTC Enforcement Trends in Consumer Protection
US – ACLU, Advocacy Groups Voice Support of Calif. ‘Privacy for All’ bill
The American Civil Liberties Union of California and a collection of advocacy organizations have voiced their support for the “Privacy for All” state bill introduced by Assemblymember Buffy Wicks, D-Calif. Bill AB 1760 would ensure companies get consumer consent before any of their data is shared. The “Privacy for All” bill seeks to close a loophole within the California Consumer Privacy Act, as in its current form, companies only need to obtain consent when data is sold. AB 1760 would give California citizens the ability to find out what data companies share and who it is shared with and would prohibit discrimination against anyone who exercises their data rights. [ACLU]
+++
