Biometrics
UK – Report Confirms Deep Flaws of Automated Facial Recognition Software
Big Brother Watch [here] has produced a report bringing together everything we know about the use by UK police of automated facial recognition software, and its deep flaws. The report supplements that information with analyses of the legal and human rights framework for such systems, and points out that facial recognition algorithms often disproportionately misidentify minority ethnic groups and women. Alongside its report, Big Brother Watch has launched the “Face Off“ campaign calling for the UK public authorities to stop using automated facial recognition software with surveillance cameras, and to remove the thousands of images of unconvicted individuals from the UK’s Police National Database. [TechDirt and at: Edgy Labs and Android Headlines]
UK – Cops’ Facial Recog Tech Slammed: Zero Arrests, 2 Matches, No Criminals
London cops’ facial recognition kit has only correctly identified two people to date – neither of whom were criminals – and the UK capital’s police force has made no arrests using it, figures published today revealed. According to information released under Freedom of Information laws, the Metropolitan Police’s automated facial recognition (AFR) technology has a 98% false positive rate. That figure is the highest of those given by UK police forces surveyed by the campaign group Big Brother Watch as part of a report [see PR here and 56 pg PDF report here] that urges the the police to stop using the tech immediately. And, despite cops’ insistence that it works, the report showed an average false positive rate – where the system “identifies” someone not on the list – of 91% across the country. The Met has the highest, at 98%, with 35 false positives recorded in one day alone, at the Notting Hill Carnival 2017. However, the Met Police claimed that this figure is misleading because there is human intervention after the system flags up the match. [The Register and coverage at: Siliconrepublic, BBC News, Metro.co.uk, Software Testing News, Nextgov, The Independent, The Washington Tomes and HuffPost UK]
UK – Sky News Will Use AI to ID Guests at Royal wedding
When Prince Harry and Meghan Markle said “I do” at their royal wedding, online viewers tuning into the Sky News stream did not have to guess the names of international celebrities and British nobility in attendance. Instead, the U.K. broadcaster used artificial intelligence to identify famous guests as they made their grand entrances at St. George’s Chapel at Windsor Castle — displaying the invitees’ names and details about how they are connected to the royal couple. Dubbed “Who’s Who Live,” Sky News announced the live-stream service in partnership with Amazon.com and several data and engineering firms. As the 600 guests entered the chapel, Sky News highlighted notable attendees using Amazon Rekognition, a cloud-based technology that can recognize and compare faces in images and video using artificial intelligence. Along with identifying the wedding guests, the live-stream service also showed facts about them, using captions and on-screen graphics through the company’s app. The data was displayed alongside the video of the procession into the chapel. The celebrity recognition feature’s debut could pave the way for its use at other high-profile events that often invite the audience to interact on social media. [Washington Post]
CA – $30B Facebook Privacy Suit Headed for Jury Trial
A $30 billion class action claiming Facebook harvested the facial data of up to 6 million Illinois residents without consent must be decided by a jury, a federal judge ruled . Facebook argued that its technology doesn’t scan users’ facial geometry in a way that violates a 2008 Illinois privacy law. U.S. District Judge James Donato found only a jury can answer that question. Lead plaintiff Nimesh Patel sued Facebook in 2015 in one of three consolidated class actions, claiming the social network harvested users’ facial data for its “Photo Tag Suggest” function, starting in 2011, without express permission from users. Under the Illinois Biometric Information Privacy Act of 2008, companies must obtain consent before collecting or disclosing biometric data, such as retina scans, fingerprints, voiceprints, hand scans or facial geometry. Facebook also argued that it should not be liable for any damages because it reasonably understood the Illinois privacy law as not applying to data harvested from photographs. Donato rejected that argument too, concluding that “ignorance of the law” has never been accepted as a valid excuse for breaking the law. The judge also scolded Facebook for continuing to cling to legal arguments that were rejected in prior rulings When he denied Facebook’s motion to dismiss in February [see here] and certified a class of up to 6 million Illinois Facebook users in April. The judge described Facebook’s refusal to accept his prior decisions as “troubling.” In an emailed statement, Facebook said: “We are reviewing the ruling. We continue to believe the case has no merit and will defend ourselves vigorously.” [Courthouse News and at: The Register, Business Insurance and Biometric Update]
Big Data / Artificial Intelligence / Data Analytics
EU – EU Commission Issues Artificial Intelligence Strategy
The EU Commission issued recommendations to take advantage of opportunities offered by artificial intelligence. Investments in AI should be increased to develop applications in key sectors (e.g. healthcare), facilitate data access for small and medium-sized companies, and ensure an appropriate framework is applied that promotes innovation, respects EU values, the GDPR, and ethical principles. [EU Commission – Artificial Intelligence for Europe]
WW – Google’s AI Sounds Like A Human on the Phone
It came as a total surprise: the most impressive demonstration at Google’s I/O conference was a phone call to book a haircut. Of course, this was a phone call with a difference. It wasn’t made by a human, but by the Google Assistant, which did an uncannily good job of asking the right questions, pausing in the right places, and even throwing in the odd “mmhmm” for realism. The crowd was shocked, but the most impressive thing was that the person on the receiving end of the call didn’t seem to suspect they were talking to an AI. It’s a huge technological achievement for Google, but it also opens up a Pandora’s box of ethical and social challenges. For example, does Google have an obligation to tell people they’re talking to a machine? Does technology that mimics humans erode our trust in what we see and hear? And is this another example of tech privilege, where those in the know can offload boring conversations they don’t want to have to a machine, while those receiving the calls (most likely low-paid service workers) have to deal with some idiot robot? As Google’s researchers explain, the feature, called Duplex, it can only converse in “closed domains” — exchanges that are functional, with strict limits on what is going to be said. “You want a table? For how many? On what day? And what time? Okay, thanks, bye.” Easy! Duplex works in just three scenarios at the moment: making reservations at a restaurant; scheduling haircuts; and asking businesses for their holiday hours. It will also only be available to a limited (and unknown) number of users sometime this summer [The Verge]
WW – RightsCon 2018 Conference Debates Resolution on Discrimination in Machine Learning
This week marked the opening in Toronto of the seventh RightsCon conference. Attendees will have a choice of 450 sessions on a wide range of rights topics related to the online world.: How to leverage blockchain as a force for good, the digital divide in Indigenous Communities in North America, content regulation, free speech and censorship, false news, online surveillance and Internet governance. One of the highlights will be a preparation of the “Toronto Declaration on Discrimination in Machine Learning” [see here & 11 pg PDF here], a step toward developing detailed guidelines for the promotion of equality and protection of the right to non-discrimination in machine learning. The Declaration will address necessary protections for companies and governments exploring and implementing the future of machine learning. The goal of the declaration is to encourage data scientists to think early when creating machine learning algorithms about implications of assumptions in their work. [IT World] See also: [The 7 Craziest IoT Device Hacks]
Canada
CA – Canada Has ‘Fallen Behind’ in Privacy Powers: Denham
The power made available to the Canadian privacy watchdog to investigate companies like Facebook and Cambridge Analytica have not kept pace with those granted to his counterparts around the world. That was the message brought by Elizabeth Denham, the United Kingdom’s information commissioner, to a House of Commons committee studying the breach of personal information harvested from 87 million Facebook accounts by British political profiling firm, Cambridge Analytica. “The Canadian privacy commissioner’s powers have fallen behind the rest of the world,” Denham told the committee members. Her observation comes as Canadian politicians struggle to catch up to other jurisdictions such as the European Union that have pursued stringent new privacy rules in recent years in light of concerns that tech giants like Facebook and Google are not doing enough to protect personal information. [Global News]
CA – Ontario Law Prohibits Inquiries into Compensation History
Ontario’s Bill 3, the Pay Transparency Act, 2018, related to disclosure of compensation for applicants and employees, receives Royal Assent and goes into effect January 1, 2019. Exemptions include a job applicant’s voluntary and unprompted disclosure of their compensation history, compensation ranges or aggregate compensation for comparable positions, or publicly available compensation history, and employers must submit and post pay transparency reports; a government compliance officer may enter a workplace without a warrant to assess the employer’s compliance with the law. [Bill 3 – Pay Transparency Act, 2018 – 41st Legislature, Ontario | Status]
CA – Canadian Government Reassures on Border Searches
The Minister of Public Safety and Emergency Preparedness reported to the Parliamentary Standing Committee on Access to Information, Privacy and Ethics on border privacy. The government believes that it is unnecessary to provide further preconditions for searches of electronic devices at the border in the Customs Act, (which could hinder an ability to respond to threats and contraventions); the recently signed Preclearance Act (which gives U.S. officers an ability to search in certain areas) requires U.S. border officials to comply with Canadian law. [Report: Protecting Canadians’ Privacy at the U.S. Border – Minister of Public Safety and Emergency Preparedness]
CA – Balsillie urges MPs to Regulate ‘Surveillance Capitalism’ of Facebook and Google
A group representing Canada’s tech CEOs told MPs that Facebook and Google represent a new form of “surveillance capitalism” and called for European-style regulation over the U.S.-based web giants. Jim Balsillie, chair of the Council of Canadian Innovators [here], told MPs that immediate government action is required to protect Canada’s commercial interests and the privacy of individuals. “Facebook and Google are companies built exclusively on the principle of mass surveillance,” he said. “Their revenues come from collecting and selling all sorts of personal data, in some instances without a moral conscience.” Mr. Balsillie, the former chair and co-CEO of Research in Motion (now BlackBerry Ltd.) made the comments while sharing a panel [see ETHI Parliamentary Committee meeting May 10, 2018 here] with Colin McKay, Google Canada’s head of public policy and government relations. Mr. McKay challenged Mr. Balsillie’s characterization of Google and told MPs that Google’s products “prioritize user privacy” and the company promotes a service called MyAccount that lets users manage their privacy and security. Earlier in the day, the committee heard from Elizabeth Denham, the United Kingdom’s Information Commissioner who is investigating the Cambridge Analytica issue, as well as Michael McEvoy, British Columbia’s Information and Privacy Commissioner, who is also conducting a related investigation. [G&M and at: Global News, CBC News, The Canadian Press (Via Ottawa Citizen) and National Observer]
CA – Former Elections Watchdog Says Liberals’ Bill C-76 Falls Short on Privacy
Marc Mayrand [wiki here], the man who ran Elections Canada from 2007 to 2016 [says] the federal government’s new election bill [the Elections Modernization Act – Bill C-76 – see PR here & Text here] falls seriously short of expectations when it comes to safeguarding Canadians’ private information In what Mayrand judged “a very small step,” the new bill will require political parties to post a policy on the treatment of people’s personal information: how they use, collect and protect it. Parties will be required to state how they train employees on safeguarding private data, and to provide contact information for a person to whom concerns can be addressed. The bill also states that parties must publish the circumstances under which personal information may be sold, although federal officials said they were unaware of any cases in which this had happened. The Elections Modernization Act, however, contains no independent verification measures and no penalties for violations. There are also, he noted, no assurances that Canadians will find out about breaches, nor avenues for them to request to see the information parties hold about them. The legislation is silent on whether parties can trade the data to anybody or whether they must obtain people’s consent to collect the data, he said. Teresa Scassa [here], Canada research chair in information law at the University of Ottawa, has also blasted the government [see here] for what she calls “an almost contemptuous and entirely cosmetic quick fix designed to deflect attention from the very serious privacy issues raised by the use of personal information by political parties.” [HuffPost]
CA – Alberta Privacy Commissioner Powerless to Investigate Political Parties’ Use of Voter Data
Alberta’s privacy commissioner is powerless to investigate how political parties are collecting and using voters’ personal information, but there’s little incentive for parties to change the status quo, observers say. Alberta’s Personal Information Protection Act (PIPA) [text here & overviews here] governs how companies are able to collect and use personal data, but exempts political parties — limiting the commissioner’s ability to investigate complaints of personal data misuse. The law can only be applied to political parties under exceptional circumstances related to commercial activity, such as selling, bartering or leasing of donor, fundraising or membership lists. University of Victoria Political scientist Colin Bennett has spent years researching privacy protection policies in Canada and abroad and studied how political parties accumulate voter data from social media sites, such as Facebook. “Essentially, individuals have no rights over their personal information that political parties capture” Bennett said provincial political parties don’t want to fall under privacy laws because it can limit campaigning abilities. “In a competitive electoral environment — and lord knows Alberta’s competitive — they’re not going to want to constrain their ability to campaign,” he said. “I would hope (privacy commissioner) Jill Clayton would be very forceful in advocating that Alberta political parties be covered under the Alberta legislation,” he said. “There’s no reason why Alberta should be any different from B.C.” British Columbia is unique among provinces in that its privacy commissioner has the authority to investigate and audit private companies and political parties suspected of skirting the law. [The Star]
CA – Trend of Police Secrecy Over Names in Homicides Raises Alarm
The names of the dead have not been released in a police-involved shooting in Nanaimo nor in a Victoria homicide. It’s becoming increasingly common practice among some agencies probing violent deaths not to release the identities. That’s because the RCMP, B.C. Coroners Service and the Independent Investigations Office, that probes fatal interactions, with police have all declined to identify the deceased. It’s an increasingly common, if inconsistent, practice across B.C. and other jurisdictions in Canada, in which agencies tasked with investigating violent deaths have, in some cases, stopped releasing victims’ names. Legal experts say it’s a trend that prevents Canadians from scrutinizing the criminal-justice system and the people who operate within it. Law-enforcement agencies and others argue that they’re simply obeying privacy laws and respecting grieving families. The Edmonton Police Service has taken a similar approach Steven Penney [here], law professor at the University of Alberta, said it’s a “troubling” practice that departs from Canada’s long-standing tradition of having an open, transparent and accountable criminal-justice system, adding “Our entire criminal-justice system is premised on the idea that when a serious crime occurs, it’s a crime against the entire society. And the entire society deserves to be informed about the implications of that crime and potentially become involved in scrutinizing the behaviour of all of those who are responsible for dealing with it.” [Victoria Times Colonist]
CA – Canada’s Privacy Commissioner Shares View on Autonomous Vehicles
Canada’s privacy commissioner Daniel Therrien presented his views on the privacy implications of autonomous and connected vehicles [remarks here] at a House of Commons transportation committee meeting on May 9th [see here]. Therrien appeared before the Standing Committee on Transport, Infrastructure and Communities (TRAN), in response to a study that was released in January of this year [see 78 pg PDF report here & Infographic here], which pointed to five key areas to help the government better prepare for a self-driving car-filled future including that the “government should put forward legislation to empower the Office of the Privacy Commissioner to proactively investigate and enforce industry compliance with privacy legislation.” He expressed concern with the fact that data flows in connected vehicles are very complex and, as a result of this fact, are not transparent. He touched on how his office has been looking to improve consent for users data by trying to find ways to give “individuals the ability to make decisions about their data.” Ideally, Therrien would like to see an amendment to the law that would allow the privacy office to “independently confirm that the principles in our privacy laws are being respected – without necessarily suspecting a violation of the law.” [MobileSyrup]
CA – Potential Privacy Class Action Against Ontario Auto Insurer
A class-action lawsuit was filed April 10 in Federal Court against The Personal over alleged use of credit scores in adjusting accident benefits claims. It’s not clear yet how many claimants there will be if the lawsuit is approved. Law firm Waddell Phillips Professional Corporation is asking Federal Court to certify the lawsuit as a class action on behalf of a specific class of Canadian auto insurance claimants [see PR here]. If approved by the court, that class would include people who made auto claims with The Personal Insurance Company after Jan. 18, 2012 “and who had their credit score information accessed by The Personal or its agents.” If the class action prevails in court] the insurer might have to pay up to $10,000 a claimant. In the lawsuit against The Personal, the plaintiffs are asking for an injunction prohibiting The Personal from “further using or accessing” personal credit scores for the purpose of adjusting auto accident benefits claims. They are asking Federal Court to award damages of $50 million, as well as aggravated, punitive or exemplary damages of $10 million. [Canadian Underwriter and at: Canadian Underwriter, The Insurance and Investment Journal and LowestRates.ca]
Consumer
CA – 3 out of 4 Facebook Users Still Active Despite Privacy Scandal: Poll
Three-quarters of Facebook users have remained as active, or even more active, on the platform since the company’s recent privacy scandal, a joint Reuters/Ipsos poll revealed. According to the survey, Facebook’s reputation has suffered little among users. The poll comprised over 2,000 American Facebook users over the age of 18, and found that half of those surveyed had not changed the way they used the site, and another quarter said they were using it more. Analyst Michael Pachter of Wedbush Securities told Reuters that Facebook is lucky the scandal revolves around data being used for political ads and not for “nefarious” purposes. “I have yet to read an article that says a single person has been harmed by the breach,” he said. “Nobody’s outraged on a visceral level.” In its first quarter financial results, Facebook said the number of monthly users in the United States and Canada rose to 241 million on March 31 from 239 million on Dec. 31, growth that was roughly in line with recent years. While many seem unaffected by the privacy concerns, a segment of Facebook users is taking action to protect their information. According to the poll, the one quarter of Facebook users whose activity hasn’t stayed the same or increased has either gone down or ceased entirely. Although user activity seems to be returning to normal a few months after the initial story broke, an Angus Reid Institute/Global News poll released in the middle of March told a very different story about users’ trust in Facebook’s platform. The poll revealed that almost three-quarters of Canadians would change the way they use Facebook as the massive data scandal plaguing the company continues to unfold. [Global News]
WW – ISO Incorporates PbD Guidelines for Consumer Goods and Services
A new ISO project committee, ISO/PC 317, “Consumer protection: privacy by design for consumer goods and services”, will develop guidelines that will not only enforce compliance with regulations, but generate greater consumer trust at a time when it is needed most [see PbD wiki here]. Dr Cavoukian pioneered the concept of “privacy by design”, a framework that seeks to proactively embed privacy into the design specifications of information technologies, networked infrastructure and business practices. In her video address at the ISO workshop “Consumer protection in the digital economy”, which took place in Bali, Indonesia, –the week of May 6–she said “Regulatory compliance alone is unsustainable as the sole model for ensuring the future of privacy Prevention is needed.” “Privacy by design” is now recognized as a core part of the EU General Data Protection Regulation (GDPR) [see Article 25 of GDRP here] and forms the basis of the ISO standardization work now underway. Implementing the standard will help companies comply with regulations and avoid potentially devastating data breaches that erode consumers’ confidence in online services. [ISO News and at: ACROFAN, SC Magazine]
CA – CRTC Fines Retailers $100,000 for Lack of Consent
The Canadian Radio-television and Telecommunications Commission fined Quebec Inc. 9118-9076 and 9310-6359 for violations of Canada’s Anti-Spam Legislation. Marketing text messages offered recipients an opportunity to receive future commercial offers, and did not include the prescribed information to enable recipients to easily identify and contact the sender; the joint retailers have agreed to put in place a compliance program that includes employee training, adequate disciplinary measures for non-compliance with internal procedures, and corporate policies to ensure compliance with CASL. [CRTC – Undertaking 9118-9076 and 9310-6359 – Quebec Inc.]
Encryption
CA – Citizen Lab Publishes Canadian Field Guide to Encryption
Shining a Light on the Encryption Debate: A Canadian Field Guide [see 107 pg PDF here] — co-authored by the Citizen Lab and the Canadian Internet Policy and Public Interest Clinic (CIPPIC) [here] — examines the parameters of the encryption debate, paying particular attention to the Canadian context. It provides critical insight and analysis for policymakers, legal professionals, academics, journalists, and advocates who are trying to navigate the complex implications of these technologies. The guide includes five sections: Section One provides a brief primer on key technical principles and concepts associated with encryption in the service of improving policy outcomes and enhancing technical literacy; Section Two explains how access to strong, uncompromised encryption technology serves critical public interest objectives; Section Three explores the history of encryption policy across four somewhat distinct eras, with a focus on Canada to the extent the Canadian government played an active role in addressing encryption; Section Four reviews the broad spectrum of legal and policy responses to government agencies’ perceived encryption “problem,” including historical examples, international case studies, and present-day proposals; and Section Five examines the necessity of proposed responses to the encryption “problem.” A holistic and contextual analysis of the encryption debate makes clear that the investigative and intelligence costs imposed by unrestricted public access to strong encryption technology are often overstated. [CitizenLab and at: BoingBoing]
EU Developments
EU – Eight Countries to Miss EU Data Protection Deadline
Eight EU states, Belgium, Bulgaria, Cyprus, the Czech Republic, Greece, Hungary, Lithuania and Slovenia will not be GDPR ready until far beyond the 25 May deadline. Vera Jourova, the European commissioner for justice, told reporters on Thursday (17 May) She would not hesitate to take the EU capitals to court in serious cases, noting that member states have had more than enough time to get their acts together. She blamed negligence and domestic debates for the delays. Some data authorities say they will still be able to impose sanctions and fines regardless of the missing national legislation. Only Austria, Germany, France, Croatia, the Netherlands, Sweden and Slovakia are ready with everyone else set to have their national acts passed by 25 May. Others like Spain, Italy, Portugal, Romania and Latvia are expected to be ready either end of May or beginning of June. [EU Observer]
EU – Article 29 Working Party Issues Final Guidelines on Consent
On 10 April 2018, the Article 29 Working Party (WP29) published revised guidelines [download 31 pg PDF] on consent under the General Data Protection Regulation (GDPR). Consent is one of the six GDPR bases for the lawful processing of personal data. WP29’s draft guidelines on consent were issued earlier this year. This article examines the differences between the draft and final guidelines [along the following lines]: 1) Conditions for valid consent – freely given; 2) Unambiguous indication of wishes; 3) Explicit consent; 4) Children; 5) Interaction between consent and other lawful grounds for processing; and 6) Re-consenting. [Technology Law Dispatch]
EU – Article 29 WP Adopts Finalized Guidelines on Transparency
The Article 29 Working Party (WP29) adopted, on 11 April 2018, finalized guidelines on transparency (the Guidelines) under the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) [download 40 pg PDF here], following its public consultation. Draft guidance on transparency were issued earlier this year, so this blog focuses on the key issues and what is new in the final guidelines [along the following lines]: 1) Information being “intelligible”; 2) Informing data subjects about changes to transparency-related information; 3) Providing information to children; 4) Clear and plain language; 5) Changes to Article 13 and 14 information; and 6) Layered privacy statements and notices. [Technology Law Dispatch]
EU – WP29 Issues Position Paper on GDPR Record-Keeping Obligation
The Article 29 Working Party (WP29) has published a position paper on the scope of the derogation from the obligation to maintain records of processing activities. Article 30.5 [see here] provides that the record-keeping obligation does not apply to organisations with less than 250 employees in certain circumstances. The WP29 has stated that the position paper was published as a result of a high number of requests from companies received by national Supervisory Authorities. Despite the existence of the derogation, the WP29 encourages SMEs to maintain records of their processing activities, as it is a useful means of assessing the risk of processing activities on individuals’ rights, and identifying and implementing appropriate security measures to safeguard personal data. In light of the new accountability principle in the GDPR requiring organisations to be able to demonstrate how they comply with their GDPR obligations, it would certainly be prudent for all organisations, regardless of size, to maintain such records. [Ireland IP]
UK – Court Orders Government to Rewrite Investigatory Powers Act
A UK Court considered a request for judicial review of the retention provisions of the UK’s Investigatory Powers Act 2016, and ruled that the retention provisions of the Act are incompatible with fundamental rights in EU law (access to retained data is not limited to the purpose of combating “serious crime”, and access to retained data is not subject to prior review by a court or an independent administrative body), and the government must amend the Act by November 1, 2018. [The National Council for Civil Liberties (Liberty) v. Secretary of State for the Home Department & Secretary of State for Foreign and Commonwealth Affairs – [2018] EWHC 975 (Admin) – England and Wales High Court (Administrative Court) ]
Facts & Stats
UK – ICO Reports Data Incidents Spike 17%, Human Error Dominates
The number of data security incidents reported to the UK’s Information Commissioner’s Office (ICO) jumped 17% between the final three months of 2017 and the first quarter of 2018, according to new figures. In its last update [see here] before the EU GDPR takes effect, the privacy watchdog revealed a rise in incident reports from 815 to 957. Although cybersecurity-related incidents increased by 31% from the previous quarter, the first month-on-month increase since Q4 2016-17, human error dominated. In fact, over the 2017-18 financial year, 3325 reports were filed with the ICO, with the number one breach type “data emailed to incorrect recipient,” (13%) followed closely behind by “data faxed to wrong recipient” (13%). Also high was “loss or theft of paperwork” (13%). The healthcare sector accounted for by far the largest volume of reports (37%), although this figure is likely to be a result of mandatory reporting rules. After health came “general business” (11%), education (11%) and local government (10%). [[Infosecurity Magazine and at: ISBuzz News]
US – Equifax Reveals How Much Information Was Really Exposed in Data Breach
How bad was Equifax’s data breach? Bad. In a new filing with the Securities and Exchange Commission, the credit reporting agency broke down in detail the types of – and how much exactly – sensitive personal information was exposed to hackers in the breach. A statement for the record from Equifax included in the SEC filing breaks down what types of personal information and data was exposed in the September 2017 data breach. The disclosure comes at the urging of several Congressional committees. According to Equifax, the company recently sent a letter to several Congressional committees providing additional detail on the data that was exposed in the breach. In its letter, Equifax said that the names and dates of birth for approximately 146.6 million people were exposed, as well as 145.5 million Social Security numbers, the address information for 99 million people, the gender data for 27.3 million people, 20.3 million consumers’ phone numbers, 17.6 million driver’s license numbers, 1.8 million email addresses, 209,000 payment card numbers and expiration dates, 97,500 tax ID numbers, and the state information for 27,000 driver’s licenses. Additionally, Equifax noted that the hackers also gained access to images uploaded to the company’s online dispute portal by approximately 182,000 consumers, including: 38,000 driver’s licenses; 12,000 Social Security and tax ID cards; 3,200 passports and passport cards; and 3,000 other documents, including military and state IDs and resident alien cards. According to Equifax, it is releasing this information as part of its “commitment to transparency.” [Housingwire]
Filtering
CA – RTBF: PIPEDA Should Not Regulate Online Speech
The Stanford Center for Internet and Society comments on the Office of the Privacy Commissioner of Canada’s draft position on online reputation. Academics note that data protection laws lack well-developed standards that balance and protect expression rights, introduce unintended consequences (e.g. online platforms and search engines would be required to seek consent before processing user-generated information), and platforms would likely comply with abusive or mistaken notices to avoid litigation risks [Response to the OPC Consultation and Call for Comments on Draft Online Reputation Position Paper – Stanford Center for Internet and Society]
Finance
CA – OPC Concerned Bank Act Changes Could Open Door to More Data Abuses
Privacy Commissioner Daniel Therrien is expressing concern with new banking powers over customer data that are contained in the government’s latest budget bill, telling the Senate banking committee [here] that his office was never consulted on the Bank Act changes [see PR here & Commissioner’s remarks here]. Senators have heard conflicting testimony as to what the Bank Act changes [see Division 16 of Part 6 of Bill C-74, the Budget Implementation Act, 2018, No.1 here & Bill status here] would allow in practice. The Finance Department and the banking sector say they are simply about modernizing language to reflect the growth of financial technology firms, or fintechs. However critics warn that the changes would give banks new powers to sell customer data to fintechs, which are in many cases not subject to federal financial regulation. Mr. Therrien said more co-operation between banks and fintechs may be a good thing, but consumers should be able to approve how their data are used through a clear and understandable consent form. He said there is nothing in the bill that would ensure that is the case. [Globe & Mail]
FOI
CA – Government Won’t Appeal Decision in Star’s Challenge to Secrecy in Tribunals
The Ontario government will not be appealing a Toronto Star legal victory which should lead to more openness in the province’s tribunal system. Last month, the court ruled in favour of a constitutional challenge launched by the Star that sought greater access to records from such quasi-judicial bodies as the Human Rights Tribunal and the Landlord and Tenant Board. Justice Edward Morgan found [see Toronto Star v. AG Ontario, 2018 ONSC 2586 – here] that denying access to tribunal records was an “infringement” of the Charter of Rights and Freedoms that the provincial government had failed to justify he ruled this violates section 2(b) of the Charter – here]. The judge gave the province one year to make the tribunal system more accessible to journalists and the public. Morgan declared as “invalid” provisions of Ontario’s Freedom of Information and Protection of Privacy Act (FIPPA) that delay or block public access to tribunal records. [Toronto Star] [Ontario Court Finds FIPPA Blocks Public Access to Tribunal Records | Toronto Star Newspapers Ltd. v. AGO – 2018 ONSC 2586 CanLII – Ontario Superior Court of Justice]
CA – Transparency Study Shows Inadequate Access Processes
The Citizen Lab, a university research group, compared responses to data access requests made under PIPEDA, to 23: telecommunications companies; fitness trackers; and online dating services. Information provided by telecoms, fitness trackers and online dating services responses to access requests varied widely in types of data provided, specificity of questions answered, and clarity about disclosures to third parties, and there were barriers to access including identity verification procedures, secure data transfer requirements, fees charged, and companies stating they were not bound by Canadian privacy laws. [Approaching Access – A Comparative Analysis of Company Responses to Data Access Requests in Canada – The Citizen Lab | Coverage]
CA – CSIS Permitted to Refuse Access Request
The Federal Court of Canada reviewed the Canadian Security Intelligence Service’s response to an access request, pursuant to the Access to Information Act. The Federal Court of Canada upheld CSIS’ refusal to confirm or deny the existence of records identifying an individual; investigative records consist predominantly of sensitive national security information, and if such records did exist, they would likely be exempt from disclosure on the basis of protecting a CSIS investigation. [VB v. Canada Attorney General – 2018 FC 394 CanLII – Federal Court of Canada
Health / Medical
CA – Ontario Health Minister: People Have a Right to ‘As Much Transparency as Possible’ When It Comes to Doctors’ Pasts
Ontario Health Minister Helena Jaczek says the province’s medical watchdog should provide patients with “as full a picture” as possible of physicians’ disciplinary and criminal histories after a Toronto Star investigation found the public is being deprived of information about sanctions imposed in other jurisdictions. “Obviously, I’m in favour of as much transparency as possible,” Jaczek said in an interview at Queen’s Park. “I think that people have a right to know.” The Star’s 18-month investigation identified 159 disciplined doctors who have held licences on both sides of the Canada-U.S. border, and used public records to piece together their disciplinary histories across provincial, state and country lines. Ninety per cent of these doctors’ public profiles in Canada failed to fully report sanctions taken against them for a range of offences, including incompetence, improper prescribing, sexual misconduct and fraud, the investigation found. The College of Physicians and Surgeons of Ontario (CPSO), the self-regulating body that oversees the province’s doctors, recently amended its bylaws to allow it to post some information about discipline imposed in other jurisdictions on its physician profiles. However, the college only posts sanctions imposed on Ontario doctors outside the province after Sept. 1, 2015. Jaczek said the disciplinary information on the college’s website should be “retrospective.” NDP health critic France Gélinas said greater transparency by the CPSO should have been “mandated long ago.” “The health minister must demand the physicians’ college posts all disciplinary measures that have happened to any of their members, no matter what jurisdiction it’s from,” she said. “We know full well that physicians move. The CPSO is there to protect the public. People expect that. Let’s meet people’s expectations.” Earlier this week, Alberta’s health minister pledged to work with her province’s medical college to post information about sanctions imposed on its doctors by regulators in other jurisdictions. Sarah Hoffman also said she would review the college’s current practice of scrubbing all disciplinary details from doctors’ online profiles after five years. Unlike in the U.S., Canada has no national agency that collects and disseminates licensing and disciplinary information on doctors. The Star’s investigation found some Canadian physicians’ colleges keep secret basic information readily disclosed by other regulators. Quebec’s college, for example, told the Star that a physicians’ credentials — when and where they graduated from medical school — is confidential information. The secrecy of Canadian colleges is in sharp contrast to their counterparts in the U.S., where consumer legislation governs many medical boards and mandates openness. [Toronto Star]
CA – SK OIPC Calls on Health Authority to Fire Employee Who Breached 880 Patient Files
Saskatchewan’s Information and Privacy Commissioner is recommending the provincial health authority fire an employee of the former Sun Country Regional Health Authority who accessed the information of 880 home care clients without a “need to know.” Ronald Kruzeniski, in a report issued on April 30, also recommended the Saskatchewan Health Authority send its investigation file to the Ministry of Justice’s public prosecutions division to determine whether an offence occurred and whether charges should be laid under the Health Information Protection Act. The employee’s name was not disclosed in Kruzeniski’s report. [Saskatoon StarPhoenix]
US – OCR To Share HIPAA Data Breach Settlements With Victims
OCR is proposing to share a percentage of HIPAA data breach settlements with victims, as required by the HITECH law. In the HHS semiannual regulatory agenda [see RIN: 0945-AA04 here & full agenda here] OCR said it is soliciting the public’s view on establishing a methodology for those harmed by a data breach or other HIPAA violation to receive a percentage of any penalty or settlement resulting from the breach. The office plans to issue an advance notice of proposed rulemaking with the proposal in November. While this is an intriguing proposal, its implementation might be a huge challenge for OCR. “The devil is in the details. There are potential issues with this approach,” Marcus Christian, a cybersecurity and data privacy attorney with the law firm of Mayer Brown said. [Health IT Security and at: Bloomberg Law here & here]
US – HHS Distinguishes Between Risk and Gap Analyses
The HHS Office of Civil Rights issued guidance on safeguarding electronic protected health information by conducting risk and gap analyses. Entities subject to the HIPAA Privacy and Security Rule must conduct analyses of all potential risks to ePHI, including identifying all potential threats and vulnerabilities, assessing effectiveness of controls in place, and assigning risk levels. Gap analyses do not satisfy risk analysis obligations because they provide a high level overview of controls and do not thoroughly assess all ePHI risks. [HHS – Risk Analyses vs. Gap Analyses – What is the Difference]
Horror Stories
CA – Insider Threats: OIPC SK Finds Health Entity Had Insufficient Safeguards
This OIPC SK report investigates a complaint against the Saskatchewan Health Authority involving personal health information pursuant to the Health Information Protection Act. An employee admitted to inappropriately accessing PHI in a healthcare system despite having access only on a need-to-know basis; the employee had signed a confidentiality agreement (but 4 years prior) and had never received any privacy training (the employee had not heard of the Health Information Protection Act). [OIPC SK – Investigations Report 066-2018 – Saskatchewan Health Authority]
Identity Issues
CA – Ontario Issues First Non-Binary ‘X’ Birth Certificate
A Vancouver filmmaker and writer has received Ontario’s first non-binary birth certificate. Ontario-born Joshua M. Ferguson identifies as non-binary trans and uses the pronouns “they” and “them.” The birth certificate is marked with an “X” designation, indicating a non-binary person. Ferguson applied to Service Ontario for the document in 2017, and filed a human rights claim when it was not initially granted. The province issued new guidelines on gender designations last year. Ontario says it is the first jurisdiction in the world to implement a two-fold policy, allowing the selection of either male, female or non-binary, and allowing the option of not displaying such identification on a birth certificate. Ferguson has also fought for an “X” designation on BC Health Cards. They were also among the first to have their application for an “X” designation approved under new rules for passports and other documents issued by Immigration, Refugees and Citizenship Canada. Ferguson called the Ontario birth certificate a “victory,” both personally and for all trans Canadians. “This policy makes it clear that non-binary people exist,” they said. “We are Ontarians and Canadian citizens. [CTVNews]
Law Enforcement
UK – Amnesty Int’l Report Hits Met Police’s Gang Mapping Database
A secret police database aimed at tackling rising violence in London could lead to black families being evicted from their homes and as well as young people denied access to education or employment, according to a new report. An investigation by Amnesty International (called “Trapped in the Matrix” – see PR here and 54 pg PDF report here] into the Metropolitan Police’s gang mapping database which is called the Gang Violence Matrix, highlighted criticisms about the disproportionate number of young black males that feature on it. As well as the seemingly discriminatory nature behind how information is collated the report also raised serious concerns about how police officers share this data with housing associations, schools and job centres. [Voice Online and at: The Conversation UK, UKAuthority, CNBC and Apolitical]
Location
WW – Apple Reportedly Hits Back at Apps That Are Snooping on You
Apple is reportedly kicking third-party apps out of the App Store that are sharing users’ locations, as privacy remains in the spotlight in the wake of the Facebook/Cambridge Analytica scandal and pending regulation across the Atlantic. 9to5Mac reports that Apple has recently been removing apps that are sharing location data with third parties and sending the app developers a notice that the app is violating two different parts of the App Store Review Guidelines. The two sections in question are Legal 5.1.1 and Legal 5.1.2 which state: The app transmits user location data to third parties without explicit consent from the user and for unapproved purposes. 9to5Mac noted that Apple also wants developers to explain what the location data is used for, how it is shared, as well as asking for permission. [Fox News]
CA – OPC Looking into Reports Bell, Telus, Rogers Shared Location Data
Privacy officials in Canada plan to look into reports that Canadian telecom companies share location data on subscribers with third-parties, a practice that, in at least one case, appears to have allowed similar data on Americans to be accessed by police without a warrant. Bell, Rogers and Telus were named in an article on ZDNet.com as among the North American telecom companies selling real-time location data on subscribers to a company called LocationSmart. A spokesperson from the office of Privacy Commissioner said there were few details to share right now, but that the office would be looking into the matter. Telus did not respond to a request for comment but spokespersons for Bell and Rogers said the location data in question is not directly shared by them. Instead, it is done by a joint venture owned by all three telecom companies called Enstream. One of its partners is LocationSmart. Enstream is described on its website as providing identity verification services for third-party applications. It operates as a sort of hub of information held by the Canadian telecom companies and others can buy access to the data to do things like verify mobile subscriber identity, allow a roadside assistance company to locate a caller, or verify credit card information used in mobile payment systems. Enstream has launched a security review of its relationship with LocationSmart in light of the reports. [Global News and at: Krebs on Security, CNNTech, Motherboard, WIRED and Reuters | Globe & Mail | The Star | The Star]
Online Privacy
WW – Period Tracking Apps Monetizing Your Menstrual Cycle
Women who use menstruapps are sharing information about their health, sex life and social behaviours that may be sold to advertisers. Whether it’s Clue, FitBit or Eve, there has been a surge in popularity for period tracker apps in recent years. According to researchers at Columbia University, ‘menstruapps’ are now the fourth most popular app category among adults and second most popular among adolescent women in the ‘health apps’ category. From inputting information about moods, pain, cervical fluid and forms of contraception, the apps can be used to better inform women about their sexual health and indicate potential health issues. However, many of us won’t be considering that the apps also track and store vast amounts of personal information, which have the potential to making companies some serious money. Chupadados, a Brazil-based cyber security guide powered by women-led think tank Coding Rights recently delved into what menstruapp users sign up for when they agree to an apps’s terms and conditions. In studying the companies’s privacy policies, Chupadados found that ‘all of the apps rely on the production and analysis of data for financial sustainability’. In other words, the apps make money by sharing users’ personal information and activity on the apps with other businesses, target users for advertisements and product sales. In addition, users’ digital footprints help inform marketing strategies and business models. ‘Every piece of information that we put online becomes something valuable for companies, making our online activities a key component of their economic survival strategies,’ the website explains. ‘Feeding on our data, these tools serve as laboratories for observing physiological and behavioural patterns from period frequency and associated symptoms to users’ buying and Internet navigation habits.’ ‘Monitoring your cycle using a menstruapp means telling the app regularly if you went out, drank, smoked, took medication, got horny, had sex, had an orgasm and in what position, what your poop looked like, if you slept well, if your skin is clear, how you feel, and if your vaginal discharge is green, has a strong odour or looks like cottage cheese,’ Chupadados notes on its website. [Elle] See also: How Worried Should Parents Be About Apps and Websites Collecting Children’s Data?
WW – Data on 3 Million Facebook Users Exposed, Report Says
Researchers at the University of Cambridge uploaded user data from 3 million Facebook users onto a shared portal. They locked the data with a username and password. But students later posted the login credentials online. That exposed the data to anyone who did a quick web search to find the username and password, according to a report from New Scientist. In the new data exposure incident revealed by New Scientist, a different set of researchers collected user information with consent through a personality app, called myPersonality, and then made it available through a web portal. About four years ago, students with access to the data set posted the username and password online on the data sharing website GitHub. While the data was anonymized, privacy experts told the publication that it would be easy to associate data in the collection with the person who originally posted it on Facebook. The myPersonality app has been suspended since April 7. Facebook is aware that the login credential was published on GitHub; the issue was flagged in the company’s program for fielding information about potential misuse or abuse of Facebook user data. [CNET]
UK – “Safari Workaround” Class Action Could Cost Google $4.3 Billion
Google appeared in a UK court to argue against a privacy case brought by the group Google You Owe Us, representing 4.4 million iPhone users that could lead to the search giant paying up $4.3 billion if it loses. Each of class members could receive about $1,000. A lawsuit, filed in July, alleged the tech company violated their privacy from 2011 to 2012 through the “Safari Workaround” [see here]. While Apple’s iOS devices have default privacy settings on its Safari browser, Google was able to bypass it and collect browser data without people’s consent, according to the allegations. The workaround was first discovered in 2012 by a Stanford University researcher. Google agreed to pay $17 million to 37 states and Washington, DC, in a 2013 settlement. The company also agreed to pay a $22.5 million fine from the Federal Trade Commission over the data-tracking practice. [CNET and at: Bloomberg, The Guardian, The Inependent and AppleInsider]
Privacy (US)
US – Suspicionless Border Searches of Electronic Devices Unconstitutional
The U.S. Court of Appeals for the Fourth Circuit’s May 9 ruling in U.S. v. Kolsuz is the first federal appellate case after the Supreme Court’s seminal decision in Riley v. California (2014) to hold that certain border device searches require individualized suspicion that the traveler is involved in criminal wrongdoing. Two other federal appellate opinions this year—from the Fifth Circuit and Eleventh Circuit—included strong analyses by judges who similarly questioned suspicionless border device searches. EFF filed an amicus brief in Kolsuz arguing that the Supreme Court’s decision in Riley supports the conclusion that border agents need a probable cause warrant before searching electronic devices EFF has long argued that border agents need a warrant from a judge, based on probable cause of criminality, to conduct electronic device searches of any kind. The Supreme Court’s pre-Riley case law, however, permits warrantless and suspicionless “routine” searches of items like luggage that travelers carry across the border, a rule known as the border search exception to the Fourth Amendment’s warrant requirement. Based on these pre-Riley cases, the government claims it has the power to search and confiscate travelers’ cell phones, tablets, and laptops at airports and border crossings for no reason or any reason, and without judicial oversight. While we would have liked to see the Fourth Circuit go further by expressly requiring a warrant for all border device searches, we’re optimistic that we can win such a ruling in our civil case with ACLU against the U.S. Department of Homeland Security, Alasaad v. Nielsen, challenging warrantless border searches of electronic devices. [EFF and at: ACLU Blog, Reuters and Reason]
US – Justices Rule Unanimously for Driver in Rental-Car Case
The Fourth Amendment protects us from (among other things) a warrantless search of a place – such as our homes – that we can reasonably expect to remain private. Today the Supreme Court ruled that a driver who has permission to use a rental car is generally entitled to the same protections under the Fourth Amendment as the driver who rented the car. The court’s decision came in the case of Terrence Byrd [see all court docs for Byrd v. United States here], a New Jersey man who was driving a car rented by Latasha Reed, his fiancée (or former girlfriend, depending on whose account you are reading), when he was pulled over by a state trooper in Pennsylvania. The trooper gave him a warning for driving in the left lane and then searched the car, believing that he didn’t need Byrd’s consent because Byrd was not listed as an authorized driver on the rental agreement. The troopers found body armor and 49 bricks of heroin in the trunk, leading to federal charges against Byrd. In a unanimous decision by Justice Anthony Kennedy [see Byrd v. United States – 21 pg PDF decision here], the justices rejected the federal government’s argument that a driver who is not listed on the rental agreement can never have a reasonable expectation of privacy in the car, because the rental company has not given him permission to use it. That rule, the justices concluded, “rests on too restrictive a view of the Fourth Amendment’s protections.” Under the Supreme Court’s cases, the justices explained, whether someone has an expectation of privacy in a car shouldn’t hinge on whether the person who gave them permission to drive it owns the car or rented it. [SCOTUS Blog and at: Reason, ABA Journal, JURIST, The Associated Press (via WP) and Bloomberg]
US – Children and Minors: Updated Meaning of PI Benefits COPPA Safe Harbor
The Electronic Privacy Information Center responded to the FTC’s request for public comment into the Entertainment Software Rating Board’s COPPA safe harbor program. In response to an FTC public consultation, advocates urge the adoption of an enhanced definition of personal information to address changes in technology and prevent online operators from alleging an exemption to the scope of COPPA; geographic limitations should be removed so that its clear COPPA applies to all web operators regardless of a child’s residency or nationality, and risk assessments and self-assessments are critical for necessity and proportionality. [EPIC – Comments to the FTC on COPPAs Entertainment Software Rating Boards Safe Harbor Program Application to Modify Program Requirements]
Security
US – Banks Adopt Military-Style Tactics to Fight Cybercrime
Cybercrime is one of the world’s fastest-growing and most lucrative industries. At least $445 billion was lost last year, up around 30% from just three years earlier, a global economic study found, and the Treasury Department recently designated cyberattacks as one of the greatest risks to the American financial sector. For banks and payment companies, the fight feels like a war — and they’re responding with an increasingly militarized approach. Former government cyberspies, soldiers and counterintelligence officials now dominate the top ranks of banks’ security teams. They’ve brought to their new jobs the tools and techniques used for national defense: combat exercises, intelligence hubs modeled on those used in counterterrorism work and threat analysts who monitor the internet’s shadowy corners. At least a dozen banks have opened fusion centers (a concept originally developed by the US DHS see here) in recent years, and more are in the works. Having their own intelligence hives, the banks hope, will help them better detect patterns in all the data they amass. Cybersecurity has, for many financial company chiefs, become their biggest fear, eclipsing issues like regulation and the economy. [NY Times]
UK – 41% of Cyber-Security Apps Contain High-Risk Open Source Vulnerabilities
According to the 2018 Open Source Security and Risk Analysis (OSSRA) report from Black Duck by Synopsys and published today, open source adoption in the enterprise is growing fast. Unfortunately, the statistics regarding vulnerabilities in open source codebases are equally high. Analysing anonymised data from more than 1,100 commercial codebases, the researchers found that 96% of the applications audited across 2017 contained open source components. Representing industries from automotive to healthcare, financial services to manufacturing, and even cyber-security, the report reckons this reflects a 75% growth in open source adoption over the previous year. Indeed, the research suggests that most applications now contain more open source code than they do proprietary code. Which is all good news for fans of open source. The less good news is that 78% of the audited codebases contained at least one open source vulnerability. More worrying is that 54% of these vulnerabilities were considered to be high-risk, and 17% were very well publicised ones such as Freak, Heartbleed and Poodle. While the most vulnerable open source components were found within the Internet and Software Infrastructure vertical, with 67% of applications containing high-risk vulnerabilities, the cyber-security industry also fared badly with 41% of apps having them as well. [SC Magazine UK | Synopsis ]
CA – Apps and Websites Collecting Children’s Data
In recent months, the Cambridge Analytica scandal has raised discussion over the privacy risks associated with online data collection. These risks apply to everyone, including young children, says Florian Martin-Bariteau [see here], assistant professor and director of the Centre for Law, Technology and Society at the University of Ottawa. He says websites and apps that are aimed at children may obtain more personal information about them than they, or their parents, realize. And there are concerns about how all this data may be used – whether it’s for personalized advertising, potentially accessed by hackers, or used by organizations aiming to influence users’ attitudes. Last month, a study in the journal Proceedings on Privacy Enhancing Technologies found thousands of popular children’s apps potentially violate U.S. privacy rules. Researchers found 73% of the 5,855 apps they analyzed transmitted confidential data over the internet, and nearly 20% of them collected identifiers or other personally identifiable information using software development kits (SDKs) that are not intended to be used for apps aimed at children. These findings echo the results of a 2015 global privacy sweep that found many websites and apps that were popular among children collected, and sometimes shared, personal data, including full names, genders and hometowns. That sweep, conducted by the Global Privacy Enforcement Network [see here], which included the Office of the Privacy Commissioner of Canada (OPC), found 62% of websites and apps popular in Canada said they may share users’ personal information with third parties, while only 29 per cent sought parental consent before collecting children’s data. (Since then, the OPC has reported that some apps and websites had responded, including five targeted sites that said they had made changes, such as asking for a parent or guardian’s full name and contact details instead of the child’s.) [Globe & Mail]
Smart Cars
WW – The Vehicles Record Everything Around Them—And Can Be Used To Profile Pedestrians
According to officials at Waymo, the company developing Google’s self-driving cars, its autonomous vehicles are months away from reaching everyday people. Since January 2017, the organization has sent test cars to motor around cities including Atlanta, Austin, Detroit, and Phoenix. Driving more than 2.7 million miles without human input, the vehicles have only been involved in one accident—a fact that’s prompted Waymo’s chief executive John Krafcik to announce that its fleet could ferry ordinary Phoenix residents as soon as next year. In short—self-driving cars have arrived. There are, however, huge risks. Hacking, software failures, and letting computers make life-and-death decisions inspire unease among individuals. But for one industry expert, the biggest issues will be around data collection and privacy. “The technology works through a number of sensors. The principal one is lidar—a radar that uses infrared light to give a very accurate 3D picture. Then there’s radar for longer-distance detection, and ultrasonic sensors for things that are close—similar to the back-up warnings in a regular vehicle. There are also cameras with machine vision that check for traffic lights, road signs, and other obstacles. It sees 360-degrees around itself, 10 to 20 times a second. That’s a lot of data.” “These vehicles aren’t just going to have data on your journey,” he says. “They see everything from the road. Even if you don’t sign up to their services, if you’re out on the streets, it’s possible to see you regularly, profile you—even without facial recognition—and learn things about your habits. “These cars are basically mobile sensors that gather data,” he continues. “We can use them to wherever we want data to be collected. So overnight, between the hours of midnight and seven in the morning, most people aren’t looking for a ride. If a company owns a fleet of vehicles, they can offer those cars to businesses or factories that want external security. The vehicle can be parked outside the premises, and companies would pay to have it monitor the surroundings. There are whole new business models that could be based on the sensors on these vehicles.” [Straight]
CA – Smart Cars: Meaningful Consent Plays Vital Role
The OPC Canada appeared before the Standing Committee on Transport, Infrastructure and Communities regarding their study of automated and connected vehicles in Canada. The OPC Canada believes drivers do not necessarily need to control how information is used for road safety purposes and proper functioning of the vehicle, but many other situations should be subject to individual choice (e.g., collection and use of biometric or health data); in complex situations, consent should be supported by industry codes of practice, organizational accountability and privacy by design. [OPC Canada – Appearance Before the Standing Committee on Transport Infrastructure and Communities in Relation to its Study of Automated and Connected Vehicles in Canada.]
Surveillance
US – Spy Agency NSA Triples Collection of U.S. Phone Records: Official Report
The U.S. National Security Agency collected 534 million records of phone calls and text messages of Americans last year, more than triple gathered in 2016, a U.S. intelligence agency report [see PR here & 41 pg PDF here] released on Friday said. This occurred during the second full year of a new surveillance system established at the spy agency after U.S. lawmakers passed a law in 2015 that sought to limit its ability to collect such records in bulk. The 2017 call records tally remained far less than an estimated billions of records collected per day under the NSA’s old bulk surveillance system, exposed Edward Snowden in 2013. The records collected by the NSA include the numbers and time of a call or text message, but not their content. The report also showed a rise in the number of foreigners living outside the United States who were targeted under a warrantless internet surveillance program, known as Section 702 of the Foreign Intelligence Surveillance Act, that Congress renewed earlier this year. [Reuters and at: Forbes, ZDNet, CSO Online, Common Dreams and GIZMODO]
Telecom / TV
CA – Ontario Bill Prohibits Unsolicited Phone Calls
Bill 27, the Stop the Calls Act, 2018, has been introduced for first reading in the Ontario Legislature. The Act would come into force two months after receiving Royal Assent. If passed, prior consent (orally, in writing, or other affirmative action) must be obtained for calls selling or advertising a product or service; contracts entered into based on an unsolicited call will be void (consumers are entitled to repayment for the product or service, and reasonable costs incurred for uninstalling and returning the product), and violations can result in fines ranging from $5,000 to $25,000. [Bill 27 – An Act to Prohibit Unsolicited Phone Calls for the Purpose of Selling, Leasing, Renting or Advertising Prescribed Products or Services – Legislative Assembly of Ontario | Bill Status | Bill Text
+++
