July 2018

Biometrics

CA – Canada Expands Its Biometrics Screening Program

On July 31, 2018, all nationals from countries in Europe, Africa and the Middle East are required to provide biometrics (fingerprints and a photo) if they are applying for a Canadian visitor visa, a work or study permit, or permanent residence. Accurately establishing identity is an important part of immigration decisions and helps keep Canadians safe. For more than 20 years, biometrics (fingerprints and a photo) have played a role in supporting immigration screening and decision-making in Canada. Canada currently collects biometrics from in-Canada refugee claimants and overseas refugee resettlement applicants, individuals ordered removed from Canada and individuals from 30 foreign nationalities applying for a temporary resident visa, work permit, or study permit. More than 70 countries are using biometrics in immigration and border management. Canada’s Migration 5 partners – the United Kingdom, Australia, the United States, and New Zealand – have implemented biometric programs; so have the 26 Schengen states in Europe, and other countries around the world like Japan, South Africa and India. [Immigration, Refugees and Citizenship Canada and iPolitics]

US – Amazon Face Recognition Matches 28 Members of Congress With Mugshots

Amazon’s face surveillance technology is the target of growing opposition nationwide, and today, there are 28 more causes for concern. In a test the ACLU recently conducted of the facial recognition tool, called “Rekognition”, the software incorrectly matched 28 members of Congress, identifying them as other people who have been arrested for a crime. The members of Congress who were falsely matched with the mugshot database we used in the test include Republicans and Democrats, men and women, and legislators of all ages, from all across the country. The false matches were disproportionately of people of color, including six members of the Congressional Black Caucus, among them civil rights legend Rep. John Lewis (D-Ga.). These results demonstrate why Congress should join the ACLU in calling for a moratorium on law enforcement use of face surveillance. To conduct our test, we used the exact same facial recognition system that Amazon offers to the public, which anyone could use to scan for matches between images of faces. And running the entire test cost us $12.33 — less than a large pizza. [Free Future Blog (ACLU) and at: Seattle PI, WIRED, NPR and The Washington Post]

US – Schools Face Civil Liberties Battles in Effort to Adopt Facial Recognition

As schools around the country attempt to deploy new facial recognition functionality as part of their video surveillance systems, the ACLU is challenging those efforts in the name of protecting civil rights. And they’re not alone in their concerns about the controversial student surveillance tactic. As EdTech Strategies recently reported, both Magnolia School District in Arkansas and Lockport City School District in New York recently approved purchases of camera systems that include the ability to identify people captured on camera and track them. In both scenarios, however, the ACLU has objected to the use of facial recognition for several reasons. They’re “vulnerable to hacking and abuse,” asserted the ACLU of Arkansas, and they compromise “students’ privacy.” The national organization stated that once somebody’s facial image is captured by the technology and uploaded into the system planned for New York, the program has the ability to “go back and track that person’s movements around the school” for the previous two months. [T.H.E. Journal coverage at: CNET News, Narcity, Planet Biometrics and also Hey mom, did you see this? Camps are using facial recognition and also at: Biometric Update]

US – Lawmakers to Investigate Use and Abuse of Face Recognition Tech

Less than a week after a damaging report [see ACLU blog post here and PRs here, here & here] exposed substantial flaws in facial recognition technology marketed to law enforcement by Amazon, five Democratic lawmakers are calling for an investigation into the commercial and government use, and potential abuse, of the technology. In a letter [PR here] to Gene Dodaro, head of the U.S. Government Accountability Office (GAO), lawmakers raised concerns about the use of facial recognition and its impact on privacy rights, underscoring, in particular, the “disparate treatment of minority and immigrant communities within the United States we ask that you investigate and evaluate the facial recognition industry and its government use.” The letter was signed by Senators Ron Wyden, Chris Coons, Ed Markey, and Cory Booker, and Jerrold Nadler, the ranking Democrat on the House Judiciary Committee. [GIZMODO and at: The Hill, Healthcare IT News and Techdirt]

UK – Government Has Created an Automated Facial Recognition “Policy Void”

A lack of clear government action has created a UK “policy void” when it comes to using automated facial recognition technology in CCTV analytics, according to a leading cyberlaw academic. Andrew Charlesworth, professor of law, innovation and society at the University of Bristol, called for an informed debate into the use of artificial intelligence (AI) in video surveillance. UK police are increasingly using automated facial recognition on CCTV footage to identify persons of interest. A recent report by Big Brother Watch [PDF & blog post] found that automated facial recognition technology used by police falsely identified 98% of people in UK cases. However, Charlesworth, in a white paper named “CCTV, Data Analytics and Privacy: The Baby and the Bathwater”, said that public debate over the issue had become “distorted”. He warned that the two sides of the argument had become polarised, fuelled by the government’s lack of stringent regulations. The UK Government’s long-awaited biometrics strategy, released in June, was criticised for not being comprehensive enough. Charlesworth’s report was commissioned by cloud-based video surveillance system company Cloudview. [Verdict and at Security Boulevard]

UK – Consultation on Police Handling of Biometric Data Launched

The Scottish Government wants to introduce additional safeguards to ensure the safe and proportionate use of fingerprints, DNA and facial recognition technology. A public consultation is now underway in response to recommendations made by an Independent Advisory Group on biometrics earlier this year. It asks for views on the creation of a code of practice on the use, storage and disposal of biometric data to be overseen by a new Scottish Biometrics Commissioner. The arrangements will cover data held by the likes of Police Scotland, the Scottish Police Authority and other bodies involved in law enforcement activity in Scotland. The Scotsman

Face Recognition ‘Tickets’ Are Coming to Baseball Games

MLB and Clear announced a partnership that will soon let baseball fans enter stadiums using fingerprints, and eventually, just their face, instead of tickets. Clear, which offers similar biometric fast-tracking for participating airports, says it will let baseball fans link their Clear and MLB.com accounts. By sharing fingerprint data, visitors can bypass long lines at stadiums. 13 stadiums use Clear already. GIZMODO

Big Data / Artificial Intelligence

US – NIST Identifies Challenges of Big Data

The National Institute of Standards and Technology issued an interoperability framework for big data. Challenges include the ability to infer identity from anonymized datasets by correlating with apparently innocuous public databases, and shifts in protection requirements and governance as processing roles change and responsible organizations merge or disappear; where data is stored and moved between multi-tiered storage media, systematic analysis of threat models and development of novel techniques is required. NIST – Big Data Interoperability Framework: Volume 1 Definitions – NIST Special Publication 1500-1r1

US – Strategy Experts Split Over Effect of Privacy Concerns on Big Data: Survey

In a new survey, a group of the world’s top strategy experts found they could not agree on the effect privacy concerns will have on how businesses use data. Fifty-two percent disagreed with the statement “concern over consumer privacy will fundamentally limit businesses’ ability to use big data,” while 48% agreed or strongly agreed. The forum’s findings come from the MIT SMR Strategy Forum, a new regular feature at MIT SMR where strategy scholars react to a provocative question on strategy development and execution. The forum is led by Joshua Gans of the Rotman School of Management, University of Toronto and Timothy Simcoe of Boston University’s Questrom School of Business. MIT Sloan Management Review

WW – Google’s Approach to Big Data and Artificial Intelligence

Google has unveiled its strategy for development of artificial intelligence applications. The company will incorporate privacy principles in AI development and use (e.g. notice and consent, privacy safeguards), develop systems to be overly cautious, test technologies in constrained environments, avoid unfair biases based on sensitive information (e.g. race, income, gender, ethnicity), and evaluate likely uses (based on primary purposes, and whether the technology will have significant impact). [AI at Google – Our Principles]

WW – FPF Provides Risk Assessment Framework for Machine Learning

The Future of Privacy Forum assessed the three lines of defense when using machine learning models. The first line is focused on the development and testing of models, the second line on model validation and legal and data review, and the third line on periodic auditing over time. [FPF – Beyond Explainability: A Practical Guide to Managing Risk in Machine Learning Models]

WW – Key Findings from Value of Artificial Intelligence in Cybersecurity Study

A day seldom passes without any exposure to the term artificial intelligence (AI). But when our survey team conceptualized this topic, we were stunned to learn that there wasn’t much publicly available information that documented end users’ perspectives on the impact of AI on organizations’ cybersecurity efforts. So, we’re pleased to share our comprehensive findings — and help answer the critical question: What value does AI bring to cybersecurity? The Ponemon Institute 2018 Artificial Intelligence (AI) in Cyber-Security Study, sponsored by IBM Security, includes detailed and high-level cybersecurity discoveries, as well as a comprehensive look at the impact of AI technologies on application security testing. Here are our top 10 key findings from the study. Make plans to register and attend our webinar on this compelling topic on Aug. 2. After our live session, the webinar will be available on demand for your listening and sharing pleasure. Security Intelligence

CN – Ethics of Big Data: A Look at China’s Social Credit Scoring System

There is much good to be gained from data science, but the negative side includes concerns over data privacy, risk management and cybersecurity, not to mention valid ethical debates over the fairness of digital divides, open access and the democratic use of public information. Now there is a new system being pioneered in China that has the potential to encompass many of these concerns: the creation of social credit scores by the government for its citizens. Will China’s social credit scores represent a grand technological breakthrough for society or ultimately be an example of ethical quicksand? Beyond traditional concerns over data privacy and cybersecurity, this form of social ranking poses deeper ethical dilemmas. First, the dilemma of “conformity vs. coercion” is central to address. A second ethical dilemma is the issue of “transparency vs. trafficking.” The use of gamification with social status scores means that both your absolute score and position relative to others is important. There are other ethical issues that public social credit systems may present. If unaddressed, these issues can become an ethical quicksand that widens the divide across people through the use of a socially constructed algorithm of “trustworthiness.” Do these social credit systems represent an opportunity or are they ethical quicksand? I wonder what George Orwell would say. Forbes

US – Big Data Is Getting Bigger. So Are the Privacy and Ethical Questions

The next step in using “big data” for student success is upon us and also raises issues around ethics and privacy. Whenever you log on to a wireless network with your cellphone or computer, you leave a digital footprint. Move from one building to another while staying on the same network, and that network knows how long you stayed and where you went. That data is collected continuously and automatically from the network’s various nodes. Now, with the help of a company called Degree Analytics, a few colleges are beginning to use location data collected from students’ cellphones and laptops as they move around campus. Some colleges are using it to improve the kind of advice they might send to students, like a text-message reminder to go to class if they’ve been absent. Others see it as a tool for making decisions on how to use their facilities. Many colleges now collect such data to determine students’ engagement with their coursework and campus activities. Of course, the 24-7 reporting of the data is also what makes this approach seem kind of creepy. My concerns are broad: Just because colleges and companies can collect this information and associate it with all sorts of other academic and demographic data they have on students, should they? How far should colleges and companies go with data tracking? The Chronicle of Higher Education

EU – Ethical Matters Raised by Algorithms and AI: CNIL Report

The Commission nationale de l’informatique et des libertés (CNIL) in France discusses ethical matters raised by algorithms and artificial intelligence. The CNIL proposes that the principles of fairness and vigilance could be used to form part of a new generation of principles and human rights in the digital age, and recommendations include education for all players in the algorithmic chain (designers and professionals), setting up organisational ethics committees, and designating a role to oversee social responsibility of the company. CNIL – How Can Humans Keep the Upper Hand – The Ethical Matters Raised by Algorithms and Artificial Intelligence

Canada

CA – CSE Annual Report Tabled in Parliament

The Annual Report of the Communications Security Establishment Commissioner, the Honourable Jean-Pierre Plouffe, CD, was tabled in Parliament. All of the CSE activities reviewed in 2017-2018 complied with the law. The Commissioner did, however, make four recommendations to promote compliance with the law and strengthen privacy protection. One recommendation related to CSE information sharing with international partners to ensure an adequate assessment of authorities and privacy protection measures prior to undertaking new sharing activities. A second recommendation related to disclosure of Canadian identity information and requiring client departments to note both lawful authority and a robust operational justification to acquire that information. Two other recommendations dealt with ministerial authorizations: one that CSE should clarify language to reflect the legal protection afforded solicitor-client communications; and the other that CSE should restore the inclusion of comprehensive information in its request to the Minister for one particular MA to assist the Minister in making his decision. Office of the CSE Commissioner

CA – Federal Government Supports PIPEDA Changes

The Federal Minister of Innovation, Science and Economic Development responded to recommendations from the Standing Committee on Access to Information, Privacy and Ethics following its review of PIPEDA. Specific rules are needed for collection and use of minors’ PI (given recent breaches involving PI obtained from social media), some GDPR rights and protections can be incorporated into PIPEDA to enhance privacy protections (algorithmic transparency, privacy by design, data portability), and there are active discussions with the EU Commission to ensure adequacy standing is maintained. Letter to the Chair of the Standing Committee on Access to Information, Privacy and Ethics – Minister of Innovation, Science and Economic Development Committee Recommendations | Minister’s Response

CA – NS Board Conditionally Permits Smart Meter Implementation

The Nova Scotia Utility and Review Board reviews an application by Nova Scotia Power Inc. for approval of a $133.2 million smart meter project. The utility must permit customers to opt-out of the smart meters, subject to a cost (TBD) of continuing with non-standard meter service, and devise a detailed plan of how to inform customers of the opt-out process; the Board is satisfied that the utility’s data collection will not involve PI (there will be an identifier for each customer account), and security is sufficient (data will be protected by security certificates and end-to-end encryption). Nova Scotia Utility and Review Board – 2018 NUSARB 120 – Decision

CA – Waterfront Toronto, Sidewalk Labs Walk Back Plans In New Deal

After months of talks, Waterfront Toronto and Sidewalk Labs LLC have signed a deal [PR here] that reins in some of the Google-affiliate’s plans around its proposed “test bed” for new urban technologies on the city’s lakeshore. Waterfront Toronto released both a new “plan development agreement” as well as the original “framework agreement” it had signed last fall with the New York-based Sidewalk, the full text of which had until now been kept secret [W.T. also posted an FAQ]. The new deal walks back or clarifies a number of provisions contained in that original deal, signed after Sidewalk Labs, a unit of Google parent Alphabet Inc., was chosen as the “funding and innovation partner” to develop a five-hectare (12-acre) parcel of land on the waterfront known as Quayside that sits at the end of Parliament Street. Waterfront Toronto and Sidewalk Labs praised the deal as an important milestone as they continue to develop the project. It was approved unanimously by Waterfront Toronto’s board, but only after Toronto developer Julie Di Lorenzo, who has previously publicly questioned the plan, resigned from her seat on the board. The agreement comes after the sudden departure in early July of Waterfront Toronto’s CEO, Will Fleissig, who had been a driving force behind the project. The deal is only a step toward a final “master innovation and development plan,” which the waterfront agency said won’t be signed until next year. Toronto Mayor John Tory said the agreement will allow “the City to consider an innovative new approach to development, housing, public space and mobility in the Quayside District,” and that he was confident Waterfront Toronto and all three levels of government would ensure it proceeds “in the best interests of Toronto residents.” [The Globe and Mail and at: MobileSyrup]

CA – BCCLA Launches Handbook to Protect Privacy at the Border

The BC Civil Liberties Association (BCCLA) and the Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic (CIPPIC) released the online guide “Electronic Devices Privacy Handbook – a Guide to your Rights at the Border” [overview, short PDF version]. The Handbook helps travellers understand what is known about their data privacy rights at these border areas, best practices for securing digital devices and interacting with border officers, and what to do if they’ve been searched. The handbook is for every person who crosses the Canadian border and the U.S. border through preclearance areas, but has particularly important implications for marginalized populations and professionals carrying sensitive documents. All people with personal information on their devices have vested interests in protecting their data from being seized at the border and shared with Canada’s vast network of coordinating departments and national security partners. [BC Civil Liberties Association and at: The Vancouver Province & The Toronto Star]

CA – OIPC NS Recommends Amendments to PHIA

The OIPC NS releases its findings of its review of Nova Scotia’s Personal Health Information Act. PHIA should be amended to permit an executor to determine the collection, use and disclosure of a decedent’s PHI, and require security breaches with a risk of harm notified to individuals to also be notified to the OIPC; a working group should consider the issues of PHI data matching/linking for research and planning purposes, the disposition/outsourcing of storage of health records (including outside NS), and whether there are sufficient safeguards for genetic data and EHRs. [OIPC NS – Personal Health Information Act – Three Year Review Findings] See also: Health Records: DPA Cyprus Sets Retention at 15 Years

CA – Yukon Privacy Commissioner Worried About City Drone Proposal

Diane McLeod-McKay, the Yukon’s Information and Privacy Commissioner, is concerned about a proposal that could see the City of Whitehorse using drones to enforce certain bylaws. At the July 16 council meeting, one of the recommendations made was to consider purchasing a drone for use patrolling trails. Council heard that other municipalities have used drones in search and rescue, but that they could also be effective in preventing illegal dumping. Council has accepted a new bylaw review document, but that doesn’t mean all of its recommendations will be implemented. McLeod-McKay noted that the city isn’t subject to the Yukon’s ATIPP Act, or PIPEDA. “Even if ATIPP or PIPEDA did apply, the lack of transparency around what a drone is recording, at any given time, hinders accountability. It’s difficult to make a complaint when you don’t know what personal information is being collected.” Yukon News

CA – OIPC ‘Following Up’ With Calgary Mall Using Facial Recognition Software

The Office of the Privacy Commissioner of Canada [here] said it is “following up” with Cadillac Fairview – the company that owns the Chinook Centre – after the company disclosed it is testing facial recognition technology in mall directories. News of the software came to light after a shopper saw a window on a directory at the Chinook Centre that showed what appeared to be facial-recognition data, including codes like “gender/inception” and “age/inception.” “Given we are not storing images, we do not require consent,” a statement from the company said. [see here] The agency has reached out to Alberta’s privacy commissioner [here] to discuss the matter as well. To date, the agency has not received any complaints involving the Chinook Centre directories. [Global News and at: CBC News and 660 News]

CA – Court Affirms Expectation of Privacy in Devices Under Repair

A Canadian appeals court has decided in favor of greater privacy protections for Canadians. The case involves the discovery of child porn by a computer technician who was repairing the appellant’s computer. This info was handed over to the police who obtained a “general warrant” to image the hard drive to scour it for incriminating evidence [see R v Villaroman, 2018 ABCA 220]. “General warrants” are still a thing in the Crown provinces. These days, it has more in common with All Writs orders than the general warrants of the pre-Revolution days. “General warrants” are something the government uses when the law doesn’t specifically grant permission for what it would like to do. The appellant’s challenge of the general warrant (rather than a more particular search warrant) almost went nowhere, but this decision grants him (and others like him) the standing to challenge the warrant in the first place. As the court notes, handing a computer over to a technician doesn’t deprive the device’s owner of an expectation of privacy. Standing helps, but ultimately didn’t help the appellant here. The court decides the failure to obtain the proper warrant is indeed a violation, but one not severe enough to trigger suppression of the evidence. The court goes on to note the failure to follow proper procedures when obtaining the warrant (ultimately the wrong sort of warrant) was negligent. It was anything but a “trivial” breach of protocol. Even if the officer’s inexperience resulted in erroneous actions, the violation is severe enough for the court to take note of. But this negligence isn’t enough to overcome the inevitable outcome of the search, in the court’s opinion. TechDirt

CA – OIPC NL Directs Healthcare Custodians

The OIPC NL published a newsletter addressing issues pertaining to:

  • personal representative of a deceased individual;
  • privacy training expectations; and
  • the importance of auditing access

Custodians should conduct ongoing training programs for employees handling PHI (training new employees, continuing education throughout the employment, and avoid reliance on general external training), and monitor and assess access to PHI (addressing who should conduct audits and when they should be conducted, what information is being assessed, and what areas will need to be audited). [OIPC NL – Safeguard – A Quarterly Newsletter – Volume 2 – Issue 2]

CA – A Cross-Border Perspective on Privacy Class Actions in Canada

This post explores trends in Canadian privacy class actions and points out similarities and differences in the approaches taken in the United States and Canada in these types of lawsuits. Canadian privacy class actions have been on the rise for the last decade. In both Canada and the U.S., privacy class actions largely fall into three categories: 1) claims that challenge a corporation’s business practices (e.g., cookies, targeted advertising); 2) claims that arise from accidental breaches (e.g., lost storage devices); and 3) claims relating to intentional, targeted misconduct (e.g., hacking, employee snooping). In all categories, the size of the classes and the quantum of damages claimed tend to be large. Importantly however, most cases settle for a fraction of the compensation sought. Generally, plaintiffs must establish some evidence of actual harm and may not simply seek damages for mere fear of identity theft, although no decisions have yet tested the line between harm and mere fear in a trial on the merits. Although moral damages for humiliation or anxiety arising from privacy violations are sometimes awarded, they are nominal—in the range of $2,000–$20,000 per claim. Compared to Canada, many more privacy class actions are commenced in the U.S. Canadian class actions are growing in number, but Canada is still developing its statutory causes of actions related to misuses of technology, while the data breach privacy class actions in the U.S. are largely founded on statutes such as the Electronic Communications Privacy Act [see here & wiki here] and the Computer Fraud and Abuse Act [see here & wiki here]. Unlike the U.S., Canada has an expansive federal regulatory regime—the Personal Information Protection and Electronic Documents Act [see here & wiki here], which provides a simple administrative procedure for complaints and remedies, arguably making class actions less preferable. 
The European Union (EU) General Data Protection Regulation (GDPR), which purports to extend to organizations based outside the EU that offer goods or services to individuals in the EU or to those who engage in practices that monitor online behaviour of individuals in the EU, may impact privacy litigation and force business to modify their practices in the U.S. and Canada. Mondaq

CA – Ontario Children’s Lawyer Records Exempt from FIPPA

The Ontario Court of Appeals reviewed a decision of the OIPC ON ordering the Children’s Lawyer for Ontario to disclose records pursuant to the FIPPA. The court quashed the IPC order for the Office of the Children’s Lawyer to issue a decision to a father requesting access to his children’s records; the entity is not a government agent (it does not receive direction from, or report to the Attorney General), and it has a fiduciary duty to child clients to keep information provided confidential (which is separate from solicitor-client privilege). Children’s Lawyer for Ontario v. IPC ON, AG ON and John Doe – 2018 ONCA 559 CanLII – Court of Appeal of Ontario

CA – Canada Amends AML/ATF Regulations

The Regulations Amending Certain Regulations Made Under the Proceeds of Crime Money Laundering and Terrorist Financing Act 2018 were published in the Canada Gazette on June 9, 2018. The Regulations update customer due diligence requirements to permit confirmation of identity from a reliable source (e.g., a prescribed financial entity), and beneficial ownership reporting requirements that include information about the beneficiary’s occupation, and user name if receiving payment online. Regulations Amending Certain Regulations Made Under the Proceeds of Crime Money Laundering and Terrorist Financing Act 2018 – Government of Canada

CA – Canada Spending $500 Million on Cybersecurity Over 5 Years

The Canadian federal government announces its renewed national cybersecurity strategy following its public consultation. National objectives are security and resilience (combatting increased cybercrime and the growing impact of IoT), cyber innovation (investing to address the cyber skills gap), and leadership and collaboration (establishing a national plan and clear focal point for cyber incidents and enhancing public awareness). National Cyber Security Strategy – Public Safety Canada | Press Release

CA – Ontario Survey Not Covered under Research Exemption

An Ontario Court reviewed an order of the IPC for Carleton University to disclose records requested, pursuant to the Freedom of Information and Protection of Privacy Act. A court upheld an IPC ON decision that a university survey of Jewish students and faculty was not for pure academic purposes; it is market research based on an administrative request to identify areas for improvement for minority students, and there would not be serious adverse consequences if the records were disclosed (survey data was coded to eliminate identification of respondents, and any identifiable information would be exempt from disclosure). Carleton University v. IPC ON and John Doe – Ontario Superior Court of Justice – 2018 ONSC 3696 CanLII

Consumer

US – Walmart Patents Audio Surveillance Technology to Record Customers and Employees

America’s largest retailer has patented surveillance technology that could essentially spy on cashiers and customers by collecting audio data in stores. The proposal raises questions about how recordings of conversations would be used and whether the practice would even be legal in some Walmart stores. “This is a very bad idea,” Sam Lester, consumer privacy counsel of the Electronic Privacy Information Center in Washington, D.C., told CBS News. “If they do decide to implement this technology, the first thing we would want and expect is to know which privacy expectations are in place.” [Daily Mail]

CA – Canada Tackles Malicious Online Advertising

On July 11, 2018, the Canadian Radio-television and Telecommunications Commission imposed sanctions against the installation of malicious software through online advertising for the first time in its history. This decision was taken under the provisions of the Canadian Anti-Spam Legislation, which came into effect on July 1, 2014. The federal agency issued Notices of Violation [see CRTC PR here & Investigation Summary here] to Datablocks and Sunlight Media, for allegedly facilitating the installation of malware through online advertising. The companies are subject to penalties of $100,000 and $150,000, respectively. Among other findings, these two companies were not verifying their new customers and allowed payment by cryptocurrency. While both companies had been warned of these weaknesses in their practice in a 2015 report by cybersecurity researchers and then again in 2016 by the CRTC, neither implemented basic safety measures. While this CRTC fine is a first of its kind in Canada, this type of threat is nothing new in the industry. We Live Security Blog

E-Government

UK – Voter Analytics and Data Protection: Early Findings from the ICO

The question of the role of big data analytics in modern elections is the question that the ICO has tackled in its report on voter analytics released this month [see July 10 PR here, the 60 pg PDF report “Democracy Disrupted? Personal information and political influence” here & related progress report here]. For the first time, a DPA has tried to draw the curtain back on the very complicated world of voter analytics, to paint a picture of the range of organizations involved in contemporary elections, and of the practices they engage in. There has been a lot of hype about the importance of the “data-driven” election, and recent scholarly work that sheds a skeptical light on the extent to which data analytics do indeed influence election outcomes. [Democracy Disrupted] does not go there, although there is an accompanying research report from Demos which reviews the current and future trends in campaigning technologies. Democracy Disrupted provides a detailed and empirically based description of the various sources of personal data that are used to profile the electorate and of how micro-targeting works across a variety of media. Around 40 organizations were the focus of this ongoing inquiry; many other individuals assisted. For privacy professionals, the report raises some intriguing questions about the application of the General Data Protection Regulation to political parties and election campaigns going forward. [IAPP.org and at: ByLine, Information Law Blog (Inksters) and Financial Times]

US – Top Voting Machine Vendor Admits It Installed Remote-Access Software on Systems Sold to States

The nation’s top voting machine maker has admitted in a letter to a federal lawmaker that the company installed remote-access software on election-management systems it sold over a period of six years, raising questions about the security of those systems and the integrity of elections that were conducted with them. In a letter sent to Sen. Ron Wyden (D-OR) in April, Election Systems and Software acknowledged that it had “provided pcAnywhere remote connection software to a small number of customers between 2000 and 2006,” which was installed on the election-management system ES&S sold them. The statement contradicts what the company told me and fact checkers for a story I wrote for the New York Times in February. At that time, a spokesperson said ES&S had never installed pcAnywhere on any election system it sold. “None of the employees, including long-tenured employees, has any knowledge that our voting systems have ever been sold with remote-access software,” the spokesperson said. The company told Wyden it stopped installing pcAnywhere on systems in December 2007, after the Election Assistance Commission [here], which oversees the federal testing and certification of election systems used in the US, released new voting system standards. Motherboard

US – For Sale: Survey Data on Millions of High School Students

At the end of June, three thousand high school students from across the United States trekked to UMass in Lowell sports arena to attend an event with an impressive-sounding name: the Congress of Future Science and Technology Leaders. Many students were selected for the event because they had once filled out surveys that they believed would help them learn about colleges and college scholarships. Many had taken a college-planning questionnaire, called MyCollegeOptions, or surveys that came with the SAT or the PSAT, tests administered by the College Board. In filling out those surveys, the teenagers ended up signing away personal details that were later sold and shared with the future scientists event. Consumers’ personal details are collected in countless ways these days, from Instagram clicks, dating profiles and fitness apps. The recruiting methods for some student recognition programs give a peek into the widespread and opaque world of data mining for millions of minors — and how students’ profiles may be used to target them for educational and noneducational offers. These marketing programs are generally legal, but the handling of student surveys is receiving heightened scrutiny. In May, the Department of Education issued “significant guidance” [11 pg PDF] that recommended that public schools make clearer to students and their parents that surveys with the SAT and the ACT, a separate college admissions exam, are optional. Over the last few years, several states have passed laws that might also limit the spread of some student profiles. The laws generally prohibit online educational vendors to schools from selling students’ personal data or using it for targeted advertising. The New York Times

E-Mail

US – FBI Provides Guidance for Email Scams

The Federal Bureau of Investigation (“FBI”) released guidance on an increasing threat related to requests for money transfers from compromised email accounts. The business email compromise and individual account compromise scam targets businesses and real estate sectors performing wire transfer payments; organisations must verify any changes in the vendor payment type or location, and include a two-step verification process for wire transfer payments (form code phrases known only to the legitimate parties). FBI Public Service Announcement – Business Email Compromise the 12 Billion Dollar Scam

Electronic Records

AU – Privacy Commissioner Report: Health Sector Tops Breaches

The healthcare sector has topped the list for data breaches once again, with the Office of the Australian Information Commissioner releasing its delayed quarterly report into the Notifiable Data Breaches scheme [see PR here & report here], with most caused by malicious conduct and human error. According to the report, 49 notifications of data breaches in healthcare were made from April to 30 June 2018, surpassing the finance sector’s 36 notifications. A total of 242 notifications were received during the quarter. The report shows 59% of data breaches were caused by malicious or criminal attacks (142 notifications), with the majority of those linked to the compromise of credentials such as usernames and passwords. 36% of breaches were the result of human error such as sending emails containing personal information to the wrong recipients. The OAIC said the data breaches do not relate to the My Health Record system [see here & here]. But the stats are another setback to the national health information database as it continues to be buffeted by data privacy concerns. Up to 900,000 health professionals will have access to My Health Record via numerous software systems, creating a substantial “attack surface”, according to former Privacy Commissioner Malcolm Crompton. [Healthcare IT News Au, ABC News, CNET News, The Register and OAIC]

US – OCR Issues Guidance on Disclosures to Family, Friends and Others

In its most recent cybersecurity newsletter, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) provided guidance regarding identifying vulnerabilities and mitigating the associated risks of software used to process electronic protected health information. The guidance, along with additional resources identified by OCR, is outlined in this post. Privacy & Information Security Law Blog (Hunton Andrews Kurth)

EU Developments

EU – EU Modernises Convention 108

The Council of Europe has approved amendments to modernise Convention 108. Amendments include conducting impact assessments to ensure processing is designed to minimise risks to data subjects, and processing is carried out on the basis of informed, express consent or some other legal basis; data subjects have the same rights afforded under the GDPR, and breaches must be notified where there is a serious risk to data subjects. Modernised Convention 108 – Council of Europe | Comparative table | See Analysis by Graham Greenleaf

EU – Supreme Court of Ireland to Review Facebook Privacy Case

On July 31, 2018, the Supreme Court of Ireland granted Facebook, Inc. leave [see ruling here] to appeal a lower court’s ruling sending a privacy case to the Court of Justice of the European Union (the “CJEU”). Austrian privacy activist Max Schrems challenged Facebook’s data transfer practices, arguing that Facebook’s use of standard contractual clauses failed to adequately protect EU citizens’ data. Schrems, supported by Irish Data Protection Commissioner Helen Dixon, argued that the case belonged in the CJEU, the EU’s highest judicial body. The High Court agreed. Facebook’s request to appeal followed. In granting Facebook leave to appeal, the Supreme Court noted that “it is in the interest of justice” that the Court hear its arguments. The hearing will take place within the next five months. [Privacy & Information Security Law Blog (Hunton) and coverage at: TechCrunch]

EU – Parliament Calls for Suspension of Privacy Shield

The EU Parliament passed a resolution on the adequacy of the EU-US Privacy Shield calling on the European Commission to ensure the Shield complies with the GDPR, and to suspend the Shield if the US is not fully compliant by September 1, 2018; the deficiencies US authorities are asked to address include unclear rules for automated decision making and processing of HR data, failure to follow the EU model of consent, and lack of effective judicial redress for EU citizens. EU Parliament – Motion for a Resolution on Adequacy of Protection Afforded by EU-US Privacy Shield

EU – Privacy Shield Under Pressure as Lawyers Back MEPs’ Call for Suspension

The Council of Bars and Law Societies of Europe (CCBE) [comments] – which represents 32 member countries and 13 associate and observer countries – has repeated its concerns over the deal’s suitability and called for an immediate suspension. The intervention comes as a group of MEPs, who called for a ban on the deal if the issues aren’t addressed by September, travels to Washington to discuss data privacy. The CCBE’s intervention comes as MEPs on the EU’s civil liberties and justice committee (LIBE) begin a four-day trip to Washington to discuss Privacy Shield, along with other data protection issues, with the US government. [The Register and related coverage at: CIO, DBR on Data and Legaltech News] Adequacy: EU Parliament Calls for Suspension of Privacy Shield

EU – Proposed EU Cybersecurity Act Released

The Council of the European Union released a proposal for the future of cybersecurity regulation in Europe. At a time of increased cybersecurity risks, the EU Cybersecurity Act would strengthen the powers of the European Union Agency for Network and Information Security by making it a permanent agency of the European Union. The EU Cybersecurity Act would also create a European cybersecurity certification framework for information and communications technology goods. The goal of the EU Cybersecurity Act is to build cyber resilience and response capabilities within the EU. Harmonizing standards to promote efficiency is also a central theme of the EU’s Digital Single Market strategy. The EU Cybersecurity Act is an output of a broader Cybersecurity Package which was first introduced in 2017 before going through several impact assessments and a comment period. To become law, the proposal will have to be approved by the European Parliament. CyberLex (McCarthyTetrault)

UK – ICO Release Annual Report

The Information Commissioner’s Office has released their Annual Report for 2018 [PDF here]. Commissioner Elizabeth Denham highlights the following in her foreword to the Report: The ICO…

  • has been involved in producing significant GDPR guidance in the last 12 months and has also run an internal change management process to ensure it is up to the demands placed upon it by GDPR (think: extra staff, new breach reporting functions and helplines);
  • pay levels have fallen out of step with the rest of the public sector. UK Government has given the ICO 3-year pay flexibility and some salaries have increased;
  • has taken decisive action on nuisance calls and misuse of personal data;
  • began investigation of over 30 organisations in relation to use of personal data and analytics for political campaigns; and
  • launched a “Why Your Data Matters” campaign – designed to work as a series of adaptable messages that organisations can tailor to inform their own customers of their data rights.

Privacy and Cybersecurity (Dentons)

EU – European Court of Justice Clarifies Who Is a ‘Data Controller’ Under GDPR

The European Court of Justice (ECJ) in Luxembourg rendered a judgment on July 12 [see CJEU Press Release & Judgment of the CJEU], that explains, among other things, what a (joint) data controller is. The judgment is on the “old” EU Data Protection Directive 95/46/EC, but the relevant provisions in the General Data Protection Regulation (GDPR), Art. 4 and 26, are very similar. The case is about Jehovah’s Witnesses Community and whether taking notes in the course of their door-to-door preaching falls under the GDPR. The ECJ states that (a) their activities don’t fall under the exemptions for religious communities, and that (b) the community is a data controller jointly with its members who engage in this preaching activity. Tech & Sourcing at Morgan Lewis

EU – ECHR Ruling Confirms Freedom of Expression Trumps Right of Erasure

The European Court of Human Rights (“ECHR”) decided on 28 June 2018 that the right to request the erasure of personal data on prior convictions may be trumped by the right to freedom of expression and information. The court confirmed prior case law deciding that the public’s legitimate right of access to electronic press archives is protected by the fundamental right of freedom of expression and information and that limitations to this right must be justified by particularly compelling reasons. Inside Privacy

EU – The eData Guide to GDPR: What is Sensitive Personal Data?

Information on health, race/ethnic origin, sexual orientation, and religious and political beliefs are among a special category of data that have been classified as sensitive personal data under the EU’s GDPR and are given a higher degree of protection. This installment of The eData Guide to GDPR discusses how sensitive personal data is defined, under what conditions it can be processed, and what steps businesses can take to ensure compliance with the GDPR’s special protections of sensitive personal data. Morgan Lewis Insight

EU – Heirs Can Access Facebook Account of Deceased Relatives: German Court

Heirs in Germany have the right to access the Facebook accounts of their deceased relatives, a court said in a landmark privacy ruling on Thursday, saying a social media account can be inherited in the same way as letters. [Reuters and additional coverage at: Technology Law Dispatch, Deutsche Welle, Quartz, AFP, Naked Security and GIZMODO]

EU – DPA Brandenburg Advises Caution for Photography

The Brandenburg Data Protection Authority issued guidance on the processing of photos under the GDPR. The taking and publication of photos is permitted under the GDPR (pursuant to data subject consent, a controller’s legitimate interests, or journalistic activity); however, photographers should be careful about photos of large groups of people (notice may be impossible to provide), employees (consent may not be truly voluntary), and existing photo stock (which should comply with prior legal requirements). DPA Brandenburg – Processing of Photos – Legal Requirements Under GDPR

EU – EDPS Comments on Monitoring for Copyright Infringement

The European Data Protection Supervisor commented on a draft resolution for a proposal regarding copyright in the Digital Single Market. According to the EDPS, the draft EU resolution appropriately addresses the obligation for online sharing service providers to monitor their platforms for copyright infringement by not targeting end users who might download or stream uploaded content, and requiring observance of the data minimisation principle; it will be impossible, however, for providers to avoid processing personal data while complying with monitoring and reporting obligations. EDPS – Formal Comments on a Proposal for a Directive of the European Parliament and Council on Copyright in the Digital Single Market

UK – ICO Seeks Views on Age Appropriate Design

The UK ICO is calling for evidence and views on the Age Appropriate Design Code under the Data Protection Act, 2018. The ICO UK is calling for suggestions from information service providers and child development experts to design the Age Appropriate Design Code, with a focus on the different development stages of children and the websites or applications that children access or are likely to access; specific areas of interest include profiling, geolocation, and strategies used to encourage extended user engagement. The Code will be submitted to the Secretary of State for Parliamentary approval within 18 months from May 25, 2018; and the call for evidence closes on September 19, 2018. ICO UK: Blog – Children’s Privacy – Call for evidence | Consultation

WW – Big Tech Companies’ Privacy Policies Not Totally GDPR Compliant: Report

A new report from a consumer protection group indicates that even though privacy policies were revamped right before the GDPR came into effect in late May, “there is still room for significant improvements.” The survey used artificial intelligence to analyze 14 privacy policies at major tech companies, including Google, Facebook, Amazon and Apple. The Recorder (Law.com)

EU – Cloud Security and Due Diligence Checklists

A UK law firm highlights industry best practices from regulators and associations, which include risk profiling, monitoring of security controls, and defining access controls to service interfaces and administration systems; cloud buyers can demonstrate provider compliance through contractual commitment, third party certification and/or independent testing. [Kemp Law]

Facts & Stats

US – Major Breaches in the First Six Months of 2018

The most serious breaches of the first half of 2018 include the US government acknowledging that Russian hackers have managed to access a power utility’s control systems; hackers using phishing attacks to gain access to university systems, private companies, and government agencies around the world and stealing many terabytes of intellectual property; and many instances of organizations misconfiguring data storage mechanisms, exposing stored information. Wired: The Worst Cybersecurity Breaches of 2018 So Far.

WW – Survey Finds Breach Discovery Takes an Average 197 Days

A global study based on 500 interviews conducted by The Ponemon Institute on behalf of IBM [see PR here, infographic here] finds that the average amount of time required to identify a data breach is 197 days, and the average amount of time needed to contain a data breach once it is identified is 69 days. When it comes to cost containment, the study makes it clear time is of the essence. Companies that were able to contain a breach in less than 30 days saved more than $1 million compared to those that took more than 30 days ($3.09 million versus $4.25 million average total). 2018 Cost of a Data Breach Study [PDF] Security Boulevard, Security Intelligence, listen Audio interview – 26 min

EU – The GDPR and Blockchain

Blockchain technology has the potential to revolutionise many industries; it has been said that “blockchain will do to the financial system what the internet did to media”. Its transformative capability also extends far beyond the financial sector, including in smart contracts and the storage of health records to name just a few. Notwithstanding its tremendous capabilities, in order for the technology to unfold its full potential there needs to be careful consideration as to how the technology can comply with new European privacy legislation, namely the GDPR. This article explores some of the possible or “perceived” challenges blockchain technology faces when it comes to compliance with the GDPR. The European Commission has recently launched the EU Blockchain Observatory and Forum which is focused on promoting blockchain throughout Europe. The Forum recently ran a series of workshops on the impact of the GDPR on blockchain technology. Inside Privacy (Covington)

Finance

CA – Canada 2020 Issues Open Banking Report

On July 5, 2018, Canada 2020, a Canadian think-tank, published its report on open banking [see 10 pg PDF here] following a Policy Lab which brought together various stakeholders to discuss open banking in Canada. “Open Banking” refers to an emerging financial services business model that focuses on the portability and open availability of customer data, including transactional information. The core aim of open banking is to enable consumers to share their financial data between their financial institution and third party providers (and between financial institutions), typically through the use of application programming interfaces (APIs). While still a relatively new concept in Canada, open banking has the potential to transform the financial services sector. The federal government is currently undertaking a review of open banking to assess whether it could have a positive impact on consumers while considering the risks to consumer privacy, data security, and financial stability. The purpose of the Canada 2020 Policy Lab was to encourage stakeholders to share information and to discuss the future of open banking in Canada; it identified nine broad areas of consensus. CyberLex Blog (McCarthy Tétrault)

FOI

CA – NL Government Breaking Its Own Laws on Access to Info Requests: OIPC

Newfoundland and Labrador is breaking its own laws by exceeding the legal deadlines for responding to access to information (ATIPP) requests, the information and privacy commissioner says. In a report [ruling], Molloy said the government flouts the law based on the volume of work it takes to complete requests, something that would never be tolerated from average citizens. The result is long delays. Molloy’s report, which looked into a case where it took 86 business days for a response to an access to information request when the law says that should happen within 20 business days, concerned the Department of Transportation and Works. It found that over the last fiscal year the department was late on approximately 15 per cent of deadlines and received extensions on another 15%. CBC News

Genetics

WW – Privacy Concerns After 23andme Shares Genetic Data With Major Drugmaker

Drug giant GlaxoSmithKline is investing US$300 million in the DNA-testing company 23andMe in a deal they say could spark the creation of important new medicines, but one that is also raising privacy concerns. Under the deal, GSK will have exclusive rights for four years to use 23andMe’s DNA database to develop new medicines using human genetics. Both the funding and proceeds will be split equally, with the option of extending the partnership for a fifth year. For more than a decade, 23andMe has been selling saliva-based DNA kits to consumers. The company has more than 5 million users – 80% of whom have checked boxes to consent to participating in medical research as well. Genetics is playing an increasingly important role in the world of drug discovery. Researchers use genetic data to help them understand how diseases begin and which proteins and pathways diseases use to progress. Peter Pitts, the president of the U.S.-based non-profit Center for Medicine in the Public Interest told Time he’s worried that whenever one organization shares personal data with another organization, there is a risk the information could be misused. Pitts also wonders whether 23andMe customers are entitled to be compensated if the genetic information they paid for is then used to lead to profitable drugs. “Are they going to offer rebates to people who opt in, so their customers aren’t paying for the privilege of 23andMe working with a for-profit company in a for-profit research project?” Pitts wondered to NBC. 23andMe insisted in its announcement Wednesday that its customers are still in control of their own data. [CTV News, BioNews, Forbes and Scientific American]

US – DTC Genetic-Testing Giants Throw Their Weight Behind Privacy

For years, consumer and privacy advocates have railed against the potential for direct-to-consumer (DTC) genetic testing to go horribly wrong. In what ways? Privacy violations, for one, along with the idea that companies could get rich off patient data, all while freely sharing our most personal information with law enforcement. But news this week suggests solutions for these problems could be on the way. On July 31, Future of Privacy Forum [along with testing companies 23andMe, Ancestry, Helix, MyHeritage, and Habit] released a set of best practices for the DTC genetic-testing industry, outlining eight key areas and a war chest of possible fixes [see FPF blog post here]. The best practices cover transparency, consent, accountability, security, privacy by design and consumer education, along with data access, integrity, retention and deletion. Recommendations range from providing clear privacy notices of a company’s practices and asking separately for consent to share with third-party organizations to enabling consumers to delete their data, including biological samples. In no way, however, does the document serve as a call to disarm the growing genetic-testing industry. [Healthcare Analytics News, Chicago Tribune, Engadget and GIZMODO]

Health / Medical

US – HHS Releases Interim Guidance on Authorizations for Research

The Department of Health and Human Services (HHS) recently released interim guidance on sufficiency of authorizations for future uses or disclosures of protected health information (PHI) for research purposes. The HIPAA rule permits covered entities and business associates to use or disclose PHI only as permitted by the Privacy Rule or as authorized in writing by the information’s owner or that person’s personal representative. The 21st Century Cures Act, enacted in 2016, sought, in part, to improve accessibility to medical information for research purposes. It mandated HHS issue guidance on how to allow for this improved access while still protecting patients’ rights under HIPAA. HHS recognizes that additional input from the public on this complex question would better help it provide meaningful guidance. Therefore, HHS is inviting comments from the public before issuing final rules. Data Privacy Monitor (BakerHostetler)

US – FDA: Make Sure EHRs Used for Clinical Studies are Secure

The Food and Drug Administration has issued new guidance spelling out its policy for organizations using electronic health record data in FDA-regulated clinical investigations, such as studies of the long-term safety and effectiveness of various drugs. Among other criteria, the EHRs need to contain certain privacy and security controls. EHRs used for clinical investigations should be certified under the Department of Health and Human Services’ Office of the National Coordinator for Health IT’s EHR certification program, which requires products to meet a variety of privacy and security protection requirements for patient data. But if data from EHRs that are not ONC-certified is collected from “foreign” sources – such as from clinical studies conducted outside the U.S. – sponsors need to consider whether such systems also have “certain privacy and security controls in place to ensure that the confidentiality, integrity and security of data are preserved,” the agency says. GovInfo Security

US – Health Data Breach Tally: Lots of Hacks, Fewer Victims

As of July, some 199 breaches affecting 3.9 million individuals had been added to the Department of Health and Human Services’ HIPAA Breach Reporting Tool website, commonly called the “wall of shame.” The website lists health data breaches affecting 500 or more individuals. By comparison, the 2015 cyberattack on Anthem Inc. affected nearly 79 million individuals. Plus, 2015 attacks against Premera Blue Cross, Excellus BlueCross BlueShield, and UCLA Health affected many millions more. Of the breaches added to the wall of shame so far this year, 74 are listed as hacking/IT incidents. Those incidents affected nearly 2.65 million individuals. But other types of breaches have also been added to the tally in the last seven months. Those include 84 “unauthorized access/disclosure” breaches impacting a total of more than 562,000 individuals, with some of the largest of these incidents involving email. Another 37 breaches involved loss or theft; those affected a total of about 672,000 individuals. Of the loss/theft breaches, 28 involved unencrypted devices. Those incidents impacted a total of about 80,000 individuals. The largest breach tied to loss or theft so far this year involved paper/film records. That incident – which, with 582,000 affected, is also the largest breach added to the tally so far this year – was reported in April by the California Department of Developmental Services. GovInfoSecurity

US – Cyberattacks on Health-Care Providers Are Up in Recent Months

Health-care providers and government agencies across the U.S. have seen an increase in cybersecurity breaches in recent months, exposing sensitive data from hundreds of thousands of people as the sector scrambles to find adequate defense mechanisms. The breaches include malware attacks, computer thefts, unauthorized network access and other security breaches, according to a government database that tracks attacks in the health-care sector. Last year’s global WannaCry ransomware attack crippled parts of the U.K.’s National Health Service for days. In a 2015 hack, U.S. health insurance giant Anthem Inc. had about 79 million customers’ personal information exposed. Bloomberg

US – California Bill Requires Security for Health Sensors

AB-2167, an Act Relating to Digital Health Feedback Systems was introduced in the Legislative Assembly of California and has been engrossed to the Senate. If passed, a manufacturer or operator that sells a device or software application that may be used with a digital health feedback system (ingestible sensor that collects or sends health information) must implement reasonable security features appropriate to the nature of the device/software application and the information it may collect, contain or transmit. AB-2167 – An Act Relating to Digital Health Feedback Systems – Legislative Assembly of California

US – Relaxing Patient Privacy Protections Will Harm People With Addiction

The nation is in the midst of a staggering opioid epidemic. Over 115 people die from an overdose each day – and all signs indicate that the problem is getting worse. Unfortunately, of the more than 20 million Americans who need treatment for addiction, it’s estimated that only about 7 percent of them will actually receive specialty care. We would expect policymakers and medical providers to do everything possible to increase the number of people entering treatment, not take actions that will discourage individuals from seeking treatment. But unfortunately, that’s exactly what the Overdose Prevention and Patient Safety Act would do. Despite its benevolent title, this legislation, which has already passed the House of Representatives, would jeopardize the confidentiality of substance use treatment and discourage patients from seeking the care they need. [The Hill and coverage at: STAT News, Scientific American and The Journal of Law, Medicine & Ethics]

WW – Mobile Apps Expose Sensitive and Regulated Data

Appthority’s Enterprise Mobile Threat Report uncovers a new variant of the HospitalGown data privacy vulnerability. The Mobile Threat Report showcases mobile apps’ failure to require authentication to a Google Firebase cloud database, which exposes the system to data leaks; the recommended fix is to implement user authentication on all database tables and rows to protect against exploitation. Other mitigation steps to reduce risks include prohibiting employees from downloading unsecured apps and performing security reviews on private and public apps. Enterprise Mobile Threat Report – Unsecured Firebase Databases – Exposing sensitive data via thousands of mobile apps – Q-2 2018 – Appthority

WW – Insider Health Data Security Threats Bigger Concern than External

Many healthcare professionals are more concerned about insider threats to health data security than external breaches, according to a survey by HIMSS on behalf of SailPoint. There is an acute level of concern about the threats posed by insiders. On a scale of 1 to 10, the mean score for the level of concern of respondents was 8.2. Among respondents who implemented or managed cybersecurity solutions for their organization, 43% said that insider threats were of greater concern than external threats. Another 35% were equally concerned about insider threats and external threats to data security, according to the survey of 101 healthcare professionals. [HealthIT Security, Healthcare Informatics, CISION]

Horror Stories

US – Patient Data Exposed for Months After Phishing Attack On Sunspire

Several employees of Sunspire Health, a nationwide network of addiction treatment facilities, fell victim to a phishing email campaign, which may have exposed personal patient information for about two months. [see notice here] Hackers were able to access some employee email accounts between Mar. 1 and May 4, but officials did not become aware of the cyberattack until sometime between April 10 and May 17. Officials did not give an explanation as to why the discovery took more than a month. The impacted email accounts contained names, dates of birth, Social Security numbers, medical data like diagnoses and treatments, and health insurance information. All patients are being notified and offered a year of free credit monitoring. While officials have notified the U.S. Department of Health and Human Services, the number of patients impacted by the breach hasn’t been posted to the breach reporting tool [here]. [Healthcare IT News and coverage at: Health Data Management]

US – Phishing Attacks Breach Alive Hospice for 1 to 4 months

Two employees of Tennessee-based Alive Hospice fell for phishing attacks, which potentially breached patient data for one to four months. During a review of their email system on May 15, officials discovered unauthorized access to two separate employee email accounts that began in December 2017 for one account and around April 5 for the other. While the breached data varied by patient, it included a vast store of highly-sensitive information including: Social Security information, passport numbers, driver’s licenses or state identification cards, copies of marriage and/or birth certificates, financial data, medical histories, IRS PIN numbers, digital signatures — and even security questions and answers. Notification letters were sent to impacted patients on July 13. [Healthcare IT News. See also: Phishing attack compromised the data of 1.4 million UnityPoint Health patients and at: SecurityInfoWatch, ISBuzz News and Latest Hacking News]

NZ – Allegations 800,000 NZers at Risk of Medical Privacy Breach

Four New Zealand and Australasian healthcare IT companies, Healthlink, Medtech Global, My Practice, and Best Practice Software New Zealand, have jointly contacted the Privacy Commissioner with a claim the privacy of up to 800,000 Auckland patients has been put at risk. They said primary health organisation (PHO) ProCare Health was putting private information of up to 800,000 Auckland patients into a large database, including patient name, age, address, and all financial, demographic, and clinical information. ProCare Health runs a network of community-based healthcare services, including GPs, throughout Auckland. It strongly denies patient privacy is being compromised. The IT companies said they didn’t know how widespread the data collection was in New Zealand, but it wasn’t acceptable to hold so much identifiable information in one place. In a joint letter to the Privacy Commissioner, the companies said most patients seemed unaware of the ProCare database, as well as potentially some GPs. [The New Zealand Herald coverage at: Tripwire and New Zealand Doctor Online]

Identity Issues

CA – Feds Studying Mobile Passports Despite Privacy Fears

New public opinion research [PDF] published by Immigration, Refugees and Citizenship Canada suggests officials there are considering whether Canadians should be able to renew their passport via a mobile application, as well as what Canadians’ attitudes are towards the idea of using virtual or mobile passports. Through 15 focus groups held across the country earlier this year, participants were asked for their perspectives on what sort of “passport of the future” they would be most interested in using. As with most new technologies, there was general enthusiasm but also a marked wariness about the potential for misuse. Millennials and those over the age of 58 also said they would not be likely to use a mobile passport option. While participants suggested they would be all right with using a passport renewal app or a passport stored on their phone, they were less convinced the ease of use would be worth the security concerns. Convenience seemed to be the biggest motivator overall to consider any move away from the current passport. Mobile passport apps are not yet widespread, but south of the border, U.S. Customs and Border Protection has officially endorsed an app called Mobile Passport and it’s being used in 25 American airports so far. Personal data on the app is encrypted and stored by Customs and Border Protection. It’s not clear whether Immigration, Refugees and Citizenship Canada is looking to develop its own app for mobile passports or use the existing one. Global News

CA – Canadian Bankers Push for Federated Approach to Digital ID

The Canadian Bankers Association discusses Canada’s need for a digital identity system. Digital ID can be standardized for use between entities (unlike physical documents), and ensures only one version of an individual’s identity exists, reducing the potential for misinformation, identity theft, or the use of outdated data; Canada should learn from the successes of Estonia and India, ensuring digital ID meets legislative and regulatory requirements for customer identification, and using government as a catalyst to bring digital ID to market. White Paper – Canada’s Digital ID Future – A Federated Approach – Canadian Bankers Association

CA – Health Records: Anonymised PHI Not Compellable

The Supreme Court of Canada reviewed an appeal by the Province of British Columbia regarding disclosure of personal health information to Philip Morris International, Inc. The Supreme Court of Canada found that the anonymization of health data in government databases did not change the nature of the information as data derived from a particular individual’s clinical record, and the relevance of the records to a claim brought on an aggregate basis does not alter that nature. [British Columbia v. Philip Morris International Inc. – 2018 SCC 36 CanLII – Supreme Court of Canada]

Law Enforcement

UK – Police Chief Explains ‘Justice by Algorithm’ Tool

A police chief pioneering new ways of dealing with offenders vigorously defended his force’s pilot of a controversial algorithm-based system for picking suitable candidates. Michael Barton, chief constable of Durham Constabulary, was appearing at the first public evidence-gathering hearing of the Law Society’s Technology and Law Policy Commission on algorithms in the justice system [see here & here]. Durham Constabulary has come under fire after revealing last year that it was testing whether an algorithmic ‘Harm Assessment Risk Tool’ (HART) [see “risk assessment“] could help custody officers identify offenders eligible for a deferred prosecution scheme called Checkpoint designed to encourage offenders away from criminality. The tool employs advanced machine learning to predict the likelihood that an individual will reoffend in the next two years. Barton said that HART was intended as a decision support tool and would never take the kind of nuanced decisions made by custody officers. The main reason for its use is to ensure that people released under the Checkpoint scheme do not go on to commit serious crimes, he said. ‘We are halfway through the pilot of finding out whether custody officers do better than the algorithm,’ he said, promising that results will be peer-reviewed and published. [The Law Society Gazette and at: WIRED and BBC News]

Location

WW – Polar Flow Fitness App Reveals Location of Users in Military and Intelligence Agencies

The Polar Flow fitness app exposes sensitive information about its users, which include US intelligence employees and military personnel. The Polar Flow Explore function could be used to obtain not only a user’s geolocation data, but also their name and home address. Polar has temporarily suspended the Explore API. Polar is not the first fitness app to expose user data; several months ago, the Strava app was found to be exposing soldiers’ locations and routes. Threat Post: Polar Fitness App Exposes Location of ‘Spies’ and Military Personnel | Bleeping Computer: Polar App Disables Feature That Allowed Journalists to Identify Intelligence Personnel | Fifth Domain: Polar fitness app broadcasted sensitive details of intelligence and service members | The Register: Fitness app Polar even better at revealing secrets than Strava.

Online Privacy

WW – Low Accuracy in Device Fingerprinting Techniques

Researchers study the accuracy of fingerprinting of smartphone motion sensors. Existing browser fingerprinting techniques (used to track users without using cookies) are less effective on mobile platforms; additional features and external auxiliary information can be used to improve accuracy (but are unlikely to uniquely identify devices), and combining multiple classifiers provides better accuracy than current techniques. Every Move You Make – Exploring Practical Issues in Smartphone Motion Sensor Fingerprinting and Countermeasures – Anupam Dua et al. – Carnegie Mellon University

WW – Google Admits Third-Party Developers Can Read Your Emails

According to the WSJ, developers of third-party apps can read your Gmail messages. The thing is, you gave the application permission to do that. You just don’t remember. Or weren’t paying attention. After long-running complaints from users, Google stopped scanning the contents of Gmail messages to create targeted ads last year. But the company still allows third-party applications to do so. What skeeves so many people out is discovering that this process isn’t all done by computer. Some companies give human developers access to emails. This enables the developer to check if the code they’ve written to scan the text is finding what it’s supposed to scan. Or to know what to scan for in the first place. [Cult of Mac, Google Blog, CNET, CBC News, VentureBeat, The Verge, Digital Trends, Naked Security and The Sydney Morning Herald]

CA – New Zealand Company Violated Rights of Canadians, Says Privacy Commissioner

How far can companies go using personal information of people copied from a publicly-available website? Not far at all if it involves Canadians who don’t give their consent, according to a decision released by Canada’s privacy commissioner [see Announcement here & report here]. New Zealand’s Profile Technology Ltd. violated the privacy rights of potentially some 4.5 million Canadians by copying the profiles of Facebook users around the globe and posting them on its own website, the office of the federal privacy commissioner has ruled. The company said it merely indexed information publicly accessible on Facebook. It also argued Canadian law didn’t apply. However, the commission said under Canadian law these people had to give their consent because Profile Technology used the information not just for indexing but also to start its own social networking website called the Profile Engine. The OPC has sent its findings to the Office of the Privacy Commissioner of New Zealand, which is considering what options may be available under that country’s laws. IT World Canada

US – 3 of 16 Providers Have Sufficient Takedown Processes: EFF

The Electronic Frontier Foundation, an advocacy organization, released its annual report on transparency of online service providers. The Apple App Store, Google Play store and YouTube earned full marks for transparency in reporting government takedown requests based on both legal requests and requests alleging platform policy violations, providing meaningful notice to users of every content takedown and account suspension, providing users with an appeals process to dispute takedowns and suspensions, and limiting the geographic scope of takedowns when possible. Who Has Your Back? Censorship Edition 2018 – Electronic Frontier Foundation | Chart only

US – EFF Files Amicus Brief Supporting Warrant for Border Searches of Electronic Devices

EFF, joined by ACLU, filed an amicus brief in the U.S. Court of Appeals for the Seventh Circuit arguing that border agents need a probable cause warrant before searching personal electronic devices like cell phones and laptops. We filed our brief in a criminal case involving Donald Wanjiku. In 2015 border agents at Chicago’s O’Hare International Airport searched Wanjiku’s cell phone manually and forensically. Border agents also forensically searched Wanjiku’s laptop and external hard drive. Wanjiku asked the district court in U.S. v. Wanjiku to suppress evidence obtained from the warrantless border searches of his electronic devices, but the judge denied his motion. He then appealed to the Seventh Circuit. In their amicus brief, EFF argued that the Supreme Court’s decision in Riley v. California (2014) supports the conclusion that border agents need a warrant before searching electronic devices because of the unprecedented and significant privacy interests travelers have in their digital data. They also cited the Supreme Court’s recent decision in U.S. v. Carpenter (2018) holding that the government needs a warrant to obtain historical cell phone location information. In our amicus brief, we explained that historical location information can be obtained from a border search of a cell phone. DeepLinks Blog (Electronic Frontier Foundation)

Privacy (US)

US – FTC Wants Expanded Authority in Data Security, Privacy

While HHS is the primary federal agency that enforces HIPAA Security and Privacy Rules, the FTC has expanded its enforcement activities in data security and privacy, including taking on now-defunct medical testing firm LabMD over poor data security that led to PHI breaches. The FTC was recently rebuffed by a federal appeals court in its effort to compel LabMD to overhaul its data security program. Despite this setback, the FTC is looking for additional authority from Congress in the privacy and data security area, FTC Chairman Joseph Simons told the House Energy and Commerce Committee’s digital commerce and consumer protection subcommittee on Wednesday. Specifically, the FTC wants the ability to impose civil penalties in privacy and data security cases, authority over nonprofits and common carriers, and authority to issue implementing rules under the Administrative Procedure Act (APA). Currently, the FTC issues rules under the Magnuson-Moss Warranty Act, which is more burdensome than the APA process, Simons noted. [HealthIT Security and at: Imperial Valley News]

US – Judge Rebukes FBI Agent over Improper Stingray Use

A federal judge chastised an FBI agent for improper use of a stingray, also known as a cell-site simulator or IMSI catcher, and an improper search of a cellphone. In April 2016, an FBI agent sought and obtained warrants from a county superior court judge in California to search a suspect’s cellphone and to use a stingray to locate a second suspect. California law does not permit state judges to sign off on warrants for federal agents. Court documents also show that the FBI agent misled the judge about what a stingray does. [Ars Technica: Judge slams FBI for improper cellphone search, stingray use | SC Magazine: Federal Judge scolds FBI agent for improper stingray use]

WW – CIPL Issues Discussion Papers on the Central Role of Accountability

On July 23, 2018, the Centre for Information Policy Leadership at Hunton Andrews Kurth LLP issued two new discussion papers on the Central Role of Organizational Accountability in Data Protection [7 pg PDF notice & overview here]. The goal of these discussion papers is to show that organizational accountability is pivotal to effective data protection and essential for the digital transformation of the economy and society, and to emphasize how its many benefits should be actively encouraged and incentivized by data protection authorities, and law and policy makers around the globe. The first discussion paper [PDF] explains how accountability provides the necessary framework and tools for scalable compliance, fosters corporate digital responsibility beyond pure legal compliance, and empowers and protects individuals. The second discussion paper [PDF] explains why and how accountability should be specifically incentivized, particularly by DPAs and law makers. It argues that given the many benefits of accountability for all stakeholders, DPAs and law makers should encourage and incentivize organizations to implement accountability. Privacy & Information Security Law Blog | see also: CIPL Hosts Special Executive Retreat with APPA Privacy Commissioners on Accountable AI

US – Florida Man Jailed for Failing to Unlock His Phone

What started as a routine traffic stop has quickly escalated into a civil rights case in a Florida courtroom after a man was put behind bars for failing to unlock his phone. William Montanez was given 180 days in jail by a judge after he was asked to unlock two separate phones seized from him by police. Montanez told the court that he couldn’t remember the passwords, so the judge found him in civil contempt and threw him in jail. According to an emergency writ filed by Montanez’s lawyer, he was pulled over by police on June 21 for not properly yielding while pulling out of a driveway. The officers making the stop asked to search his car, which he refused, so the police brought in a drug-sniffing dog. The police got a search warrant for the devices, claiming that they contain evidence of “Possession of Cannabis Less Than 20 grams” and “Possession of Drug Paraphernalia”—both of which Montanez already admitted to, which makes it unclear why the cops still want to search the phone to prove the charges. [Gizmodo coverage at: Fox 13 News, Miami Herald, WPLG Local 10 and Phone Arena]

US – $2 Million FTC Fine for Nonconsensual Posting of PI

A US Court granted the FTC and State of Nevada a permanent injunction against Emp Media Inc. et al for alleged violations of the FTC Act. Website operators are permanently banned from publicly disseminating individuals’ intimate images, name, employer and social media account information, and charging a fee for removal; verifiable express consent must be obtained (after provision of a separate, conspicuous notice), individuals must have the right to revoke consent at any time, and any third party hosting the company’s websites must ensure they are no longer accessible. FTC and State of Nevada v. Emp Media Inc. et al – Order Granting Default Judgment, Permanent Injunction and other Relief – US District Court for Nevada | Press Release

Privacy Enhancing Technologies (PETs)

WW – Privacy Pros Gaining Control of Technology Decision-Making Over IT

New TrustArc research examines how privacy technology is bought and deployed to address privacy and data protection challenges. Surveying privacy professionals worldwide, the findings of the survey show that privacy management technology usage is on the rise across all regions and that privacy teams have significant influence on purchasing decisions for eight of the ten technology categories surveyed. To understand the different types of privacy and security technologies that are being used, and by whom, more than 300 privacy professionals in the U.S., EU, UK and Canada were surveyed. Key findings from the survey include: A) Privacy tech adoption approaching the tipping point; B) Data mapping, assessment management, and data discovery among fastest growing solutions; and C) Privacy has a strong influence on purchase decisions across most product categories. Help Net Security

RFID / IoT

WW – Advocates Push for More User Control Over IoT Devices

The IoT Privacy Forum, a think tank, discusses governance and strategies regarding the Internet of Things. The Forum advocates for data minimization, built-in “do not collect” switches (e.g., mute buttons and software toggles), wake words and manual activation for data collection, and mechanisms to make it easy for users to delete their data or revoke consent; only the user should decide if IoT data should be published on social media or indexed by search engines. Clearly Opaque – Privacy Risks of the Internet of Things – IoT Privacy Forum

WW – Digital Security Threats from New and Unexpected Sources

Symantec issued volume 23 of its internet security threat report, providing information on 2017 trends in targeted attacks, email spam, ransomware and mobile threats. The report identifies the threats as including attacks against IoT devices (by using the most-used login names like admin, guest and supervisor), attacks on mobile devices (using malware in apps related to photography and music), and attacks on supply chain software (by hijacking network traffic and compromising the software supplier directly). Internet Security Threat Report Volume 23.

US – FTC Asked To Investigate Smart TVs

US Senators Blumenthal and Markey have asked the FTC to investigate privacy policies and practices of smart TV manufacturers. The smart TV manufacturers allegedly collect sensitive information and use it for tailoring advertisements on the basis of viewed and accessed content (e.g., applications, video games and cable shows), without obtaining express consent or notifying the user about such collection or tracking activities. Letter to FTC regarding smart TVs collecting personal data of viewers – Senator Markey and Blumenthal, U.S. Senate | Press Release 

Security

US – Final Report on U.S. Government Policies and Public-Private Frameworks to Address Botnets, Security and Resiliency Challenges Released

The U.S. Department of Commerce and the Department of Homeland Security, through the National Telecommunications and Information Administration (NTIA), have released the final report on enhancing the resilience of the Internet and communications ecosystem against botnets and automated distributed threats [see “Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and other Automated, Distributed Threats“]. This report continues the work initiated under Presidential Executive Order 13800 titled “Strengthening the Cyber Security of Federal Networks and Critical Infrastructure“. The report aims to build upon consensus on various governmental and private initiatives and new approaches for the government either to adopt or to encourage the development of a more resilient ecosystem that can more effectively defend against threats and attacks by botnets. These attacks are expected to gain in both scale and complexity over time as vectors for attack (both end user devices and Internet of Things endpoints) proliferate. The final report does not differentiate between threats from nation states, cybercriminals or other actors; it observes that developing better cooperation and countermeasures within the ecosystem will generally be effective against all threats regardless of the threat origin. The final report was delayed from its originally scheduled May 11 deadline; it was released in late May 2018, along with a number of other reports relating to cybersecurity and linked to the Presidential Executive Order. A full list and links to the released reports is available [DBR on Data].

WW – Malware Attacks Have Doubled In First Half of 2018

The “malware boom” of 2017 has shown no signs of stopping through the first half of 2018, according to a new report from security company SonicWall. The company’s Capture Labs threat researchers recorded 5.99 billion malware attacks during the first two quarters of the year. At the same point in 2017 SonicWall logged 2.97 billion malware attacks [“2018 SonicWall Cyber Threat Report“]. On a month-to-month basis in 2018, malware volume remained consistent in the first quarter before dropping to less than 1 billion per month across April, May, and June. These totals were still more than double that of 2017, the report said. The study shows ransomware attacks surging in the first six months of 2018, with 181.5 million ransomware attacks identified for the period. That marks a 229 percent increase over this same timeframe of 2017. [Information Management, SonicWall Blog, Tarsus Today]

US – US CERT Issues Best Practice to Reduce Phishing Risks

Verify unsolicited calls, visits or emails from individuals asking about employees or company internal information (however do not use contact information provided by the individual), check website URLs for spelling variations or domain changes, and do not provide personal, financial or company information in emails (unless assured of the person’s authority to have the information). Security Tip ST04-014 – Avoiding Social Engineering and Phishing Attacks – US-CERT
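The URL check from the tip above, as an added example (not US-CERT code): compare a link's hostname against the domains an organization actually uses and flag near-misses. The trusted list, the sample hostnames under the reserved `.example` and `.test` names, the edit-distance threshold of 2 and the two-label "registered domain" shortcut are all constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed allowlist; a real one would hold the organization's own domains.
TRUSTED = {"payroll.example", "mail.example"}
MAX_TYPO_DISTANCE = 2  # assumed threshold for "spelling variation"


def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Last two labels of the host.

    Assumption: good enough for this sketch; production code needs a
    public-suffix list to handle names such as co.uk correctly.
    """
    return ".".join(host.split(".")[-2:])


def check_url(url):
    """Return (verdict, matched_trusted_domain_or_None) for one link."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host:
        return ("invalid", None)
    reg = registered_domain(host)
    if reg in TRUSTED:
        return ("trusted", reg)
    trusted = sorted(TRUSTED)
    # A trusted name used as leading labels of some other domain.
    for t in trusted:
        if "." + t + "." in "." + host + ".":
            return ("trusted-name-in-subdomain", t)
    # Same name under a different top-level domain.
    for t in trusted:
        if reg.rsplit(".", 1)[0] == t.rsplit(".", 1)[0]:
            return ("domain-change", t)
    # Small typo relative to a trusted domain.
    for t in trusted:
        if edit_distance(reg, t) <= MAX_TYPO_DISTANCE:
            return ("spelling-variation", t)
    return ("unrelated", None)


if __name__ == "__main__":
    samples = [  # constructed links
        "https://www.payroll.example/login",
        "https://payro11.example/login",
        "http://payroll.test/reset",
        "https://mail.example.session-check.test/",
        "https://vendor-portal.test/",
    ]
    for url in samples:
        print(url, "->", check_url(url))
```

An "unrelated" verdict only means the host does not resemble a trusted domain; it says nothing about whether the site is safe.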

US – NIST Releases Security Assessment Requirements

NIST issues a publication for assessing security requirements for controlled unclassified information. Recommended controls include those under security categories such as access control, awareness/training, audit/accountability, configuration management, identification/authentication, incident response, maintenance (of connections/systems), media protection, personnel security, physical protection (escort/monitor visitors), risk and security assessments, system/communications protection and system/information integrity. NIST – Assessing Security Requirements for Controlled Unclassified Information – NIST Special Publication 800-171A | Press Release

EU – EU Commission Amends Draft ICT Certification Framework

The EU Commission amended its proposal for a regulation concerning cybersecurity and ENISA, the European Union Agency for Network and Information Security. Certificates issued under the framework will be valid in all EU countries, making it easier for companies to carry out their business across borders, certification will be voluntary (unless otherwise specified by EU or Member State law), and companies seeking certification will be evaluated against three assurance levels (basic, substantial, high). EC – Proposed Regulation on ENISA and ICT Cybersecurity Certification | Press Release

WW – Companies Overwhelmed by Data Collection: Survey

Gemalto’s fifth annual Data Security Confidence Index surveyed IT decision makers in organizations worldwide about data security mechanisms in place for compliance with GDPR. The study presents the status of organizations in protecting data collected from users, including that only 35% effectively analyze collected data and 65% are unable to analyze or categorize stored user data, while the collection of user data from sources such as apps and connected devices is only expected to increase in the future. Gemalto – Data Security Confidence Index

WW – 45% of US Companies Fell Victim to Phishing in 2017

Wombat Security Technologies, a security technology company, issued its 2018 report on phishing. The results are based on reported attacks from information security professionals and analysis of simulated phishing attacks in more than 16 industries. The company reports that corporate phishing templates are the most frequently used by attackers (44%), with the most successful being corporate email improvements (89%); to combat phishing attacks, organizations train end users on how to identify and respond to suspicious email, and use email/spam filters, advanced malware analysis, and URL wrapping. State of the Phish 2018 – Wombat Security Technologies

Surveillance

CA – Controversial Gunshot Detector Technology Approved by Toronto Police

In an effort to curb gun violence, the Toronto Police Services Board (TPSB) has requested the city fund a motion to double the amount of public CCTV cameras and introduce a controversial audio recording technology called “ShotSpotter“ [wiki] that provides police with real-time shooting locations. The system is already in use by more than 90 cities in the U.S., including Louisville, Cincinnati and Chicago. The system uses microphones to detect and locate gunfire, and automatically informs police. According to its privacy policy, ShotSpotter said its devices only record and provide police with audio beginning two seconds before a gunshot has been fired and ending four seconds after. The effectiveness of the technology, however, is up for debate. The idea of using the ShotSpotter technology and increasing surveillance cameras raises questions about privacy. As for ShotSpotter, its privacy policy says it “does not have the ability to listen to indoor conversations” and does not have the ability to “overhear normal speech or conversations on public streets.” The company said there have been “three extremely rare ‘edge cases’” (out of 3 million incidents detected in the past 10 years) in which a human voice was overheard. City council will meet Monday and make the decision as to whether to approve the new measures. [Global News, The Toronto Star]

UK – GCHQ Spy Agency Given Illegal Access to Citizens’ Data

The British government broke the law by allowing spy agencies to amass data on UK citizens without proper oversight from the Foreign Office, the Investigatory Powers Tribunal has ruled [see Judgment here]. GCHQ, the UK’s electronic surveillance agency, was given vastly increased powers to obtain and analyse citizens’ data after the 9/11 terrorist attacks in 2001, on the condition that it agreed to strict oversight from the foreign secretary. The Foreign Office on several occasions gave GCHQ an effective “carte blanche” to demand data from telecoms and internet companies, which could include visited websites, location information and email contacts. Monday’s ruling is the second from the IPT in a case brought by Privacy International [see PI’s July 23/18 PR here], the campaign group, on the harvesting and sharing of citizens’ data by British spy agencies. The UK government is currently seeking to convince the EU that it should be considered an “adequate” country for data transfer purposes after it leaves the bloc next March. On Monday, the tribunal updated its initial ruling [October 2016 – see here & PI’s PR here] to say that laws protecting UK citizens’ data had not been followed in full until October 2016, not November 2015 as it had previously concluded. A government spokesperson, speaking on behalf of the Foreign Office and GCHQ, said the unlawful requests for citizens’ data referred to in the tribunal’s judgment on Monday had since been replaced and were no longer in force. [Financial Times, The Register, Silicon UK, BBC News, Bloomberg, Computing and The Times]

EU – Statewatch Launches New Observatory of Centralised Big Brother Database

This Observatory covers the so-called “interoperability” of EU JHA databases which in reality will create a centralised EU state database covering all existing and future JHA databases – through combining biometrics and personal data in a single search. The intention is to bring together in one place the biometrics of millions – non-EU citizens now and EU citizens later – directly linked to the Common Identity Repository with personal details. The European Data Protection Supervisor says that the measure would mark a “point of no return” with all the inherent dangers that over time function creep will build up a highly detailed personal file attached to biometrics. For example when the EU-PNR (Passenger Name Record) comes into effect this will contain details of all travellers in and out of the EU and inside the EU as well. [Statewatch (London)]

WW – Does Your Phone Secretly Listen To You, Two-Year Study Says No

It’s the smartphone conspiracy theory that just won’t go away: Many, many people are convinced that their phones are listening to their conversations to target them with ads. Vice recently fueled the paranoia with an article that declared “Your phone is listening and it’s not paranoia,“ a conclusion the author reached based on a 5-day experiment where he talked about “going back to uni” and “needing cheap shirts” in front of his phone and then saw ads for shirts and university classes on Facebook. Some computer science academics at Northeastern University had heard enough people talking about this technological myth that they decided to do a rigorous study to tackle it. They ran an experiment involving more than 17,000 of the most popular apps on Android to find out whether any of them were secretly using the phone’s mic to capture audio. The apps included those belonging to Facebook, as well as over 8,000 apps that send information to Facebook. They found no evidence of an app unexpectedly activating the microphone or sending audio out when not prompted to do so. On the other hand, the strange practice they started to see was that screenshots and video recordings of what people were doing in apps were being sent to third party domains. In other words, until smartphone makers notify you when your screen is being recorded or give you the power to turn that ability off, you have a new thing to be paranoid about. The researchers will be presenting their work at the Privacy Enhancing Technology Symposium Conference in Barcelona next month. [Gizmodo, Business Insider and BGR]

US Government Programs

CA – Canadian Pot Investors Are Being Banned From Entering the U.S.

Sam Znaimer is a Vancouver, Canada-based venture capitalist who has been investing in everything from tech to telecommunications for more than 30 years. Recently, he put more than $100,000 into legal American cannabis companies. In May, when he attempted to drive across the border, he was flagged for a secondary inspection and questioned for four hours. “To my shock and horror, I was told that I was deemed to be inadmissible to the United States because I was assisting and abetting in the illicit trafficking of drugs,” Znaimer said. “They never asked whether I had consumed marijuana, the only thing that they’re interested in is that I’ve been an investor in U.S.-based cannabis companies.” Marijuana in some form is legal in 30 states and Washington D.C., but it’s still outlawed by the U.S. federal government. American immigration attorney Len Saunders said he’s seen at least a dozen cases like Znaimer’s at the Blaine land crossing as well as airports in Vancouver and Edmonton over the past few months. In the prior 15 years that he’s practiced law on the border, he’d never seen one. CBS News See also: How the tech behind bitcoin could safeguard marijuana sales data

CA – OPC Warns Canadians to Keep Data Secure When Crossing the Border

The OPC is warning citizens to be aware that their digital devices can be searched — and civil liberties advocates say every precaution must be taken. The commissioner’s updated guidelines on privacy at airports and borders advise that officers on both sides of the border can search your devices and ask for passwords. The guidelines include new advice on searches conducted at “preclearance” sites, where U.S. border officials can do searches on Canadian ground, part of an act passed in late 2017. They come following the release of a new U.S. Customs and Border Protection directive [see PR here] on searches of electronic devices, which clarifies previous search rules. It also includes updates on electronic searches for people going back through Canadian customs. Meghan McDermott, staff counsel at the BC Civil Liberties Association, said that due to the new powers of customs officers at preclearance sites and more detailed abilities for U.S. border patrols, she recommends taking every precaution to ensure your data is secure and protected should a search take place: “the best guarantee is to not even bring your device at all, but if you do bring a device, you can use a burner phone [see here] or substitute. One of the other things people can do is to delete all the apps and documents and texts as well.” [Toronto Star]

US Legislation

US – California Enacts Comprehensive Privacy Rules

Effective January 1, 2020, organizations must comply with individual requests to provide categories of personal information collected and shared, stop selling personal information (services cannot be refused and prices cannot be increased as a result), delete personal information, and provide their information in a portable format; the Attorney General can impose civil penalties for violations and there is a private right of action for breaches resulting from reckless behavior. [AB 375 – The California Consumer Privacy Act of 2018 – State of California]

US – Tech Companies Cool Toward California Consumer Privacy Act

On the heels of the EU’s General Data Protection Regulation, California lawmakers passed a tough new privacy law, California Consumer Privacy Act, which is designed to give consumers more control over their personal information. Under the act, which goes into effect Jan. 1, 2020, consumers will be able to request details on how their personally identifiable information (PII) is used and how it is collected. The question now for California—and those state governments watching—is whether companies will embrace the California Consumer Privacy Act or will they find loopholes to skirt the law. California’s tech companies, usually out on the front line of innovation and new ideas, are soundly against the state’s new privacy law and are expected to fight for changes before the law goes into effect. The bill was pushed through too quickly, they say, and it is too vague. Yet, supporters of the bill point out, these same companies already have groundwork in place because of GDPR. Many large companies still have a long way to go in finishing the technical aspects of GDPR, and now California companies need to be ready for CCPA a year and a half later. Security Boulevard See also: California Consumer Privacy Act: What you need to know now | Key Takeaways from the California Consumer Privacy Act of 2018 | Out of the pot and into the fire? What the heck happened in California?! | California’s privacy law a commendable step toward national standard | New California Consumer Privacy Act increases the risk of additional data breach class actions

Workplace Privacy

US – Judge: No ‘Risk of Harm’ From Fingerprint Scan Time Clocks

A federal judge [Manish S. Shah, U.S. District Court for the Northern District of Illinois] has kicked back to Cook County court [Illinois] a class action lawsuit accusing manufacturer Rexnord of violating an Illinois state privacy law by requiring employees to scan their fingerprints when using employee punch clocks to track work hours. The underlying complaint was brought by former Rexnord Industries employee Salvador Aguilar, who said the company violated the Illinois Biometric Information Privacy Act [see here] through its use of a fingerprint-based time clock system [see Rexnord policy here]. According to Aguilar, he never signed a written release allowing the company to collect or store his fingerprint. Further, he said the company never fully explained why it was keeping his fingerprint data and how long it would retain the information. Although Aguilar and his attorneys originally filed his complaint in Cook County, Rexnord removed the suit to federal court. The company then moved to have it dismissed for failure to state a claim. However, in an opinion issued July 3, U.S. District Judge Manish Shah remanded [see here] the matter because he said the federal court lacked jurisdiction in the case. [Cook County Record]

 


10-30 June 2018

Biometrics

US – Police Use of Facial Recognition With License Databases Spurs Privacy Concerns

31 U.S. states now allow law-enforcement officials to access license photos to help identify potential suspects. Roughly one in every two American adults—117 million people—are in the facial-recognition networks used by law enforcement. Police in Maryland used a cutting edge, facial recognition program last week to track down a robbery suspect, marking one of the first such instances of the tactic to be made public. In the process of identifying a possible suspect, investigators said they fed an Instagram photo into the state’s vast facial recognition system, which quickly spit out the driver’s license photo of an individual who was then arrested. This digital-age crime-solving technique is at the center of a debate between privacy advocates and law-enforcement officials: Should police be able to use facial recognition software to search troves of driver’s license photos, many of which are images of people who have never been convicted of a crime? Wall Street Journal

US – 150,000 People Tell Amazon: Stop Selling Facial Recognition Tech to Police

On Monday afternoon, civil rights, religious, and community organizations [took] their demand that Amazon stop providing face surveillance technology to governments, including police departments, to the company’s headquarters in Seattle. The groups delivered over 150,000 petition signatures, a coalition letter signed by nearly 70 organizations representing communities nationwide, and a letter from Amazon shareholders. Monday’s action is a part of a nationwide campaign to stop the spread of face surveillance technology in government before it is unleashed in towns, cities, and states across the country. Documents obtained by the ACLU reveal Amazon is aggressively marketing its Rekognition face surveillance tool to law enforcement in the United States, and even helping agencies deploy it. Among other capabilities, the technology provides governments the ability to rewind backwards in time to see where we’ve been, who we’ve been with, and what we’ve been doing. [ACLU and at: Mashable, CNN Tech, Planet Biometrics and GeekWire]

US – School Facial Recognition System Sparks Privacy Concerns

New York’s Lockport City School District has committed to purchase the facial and object recognition software from Ontario-based firm SN Technologies, as part of a $3.8m security update using a grant provided by the 2014 Smart School Bond Act (SSBA). The district wants to be a model of security, but it has privacy and civil rights advocates up in arms. In a letter to the New York State Education Department (NYSED), the New York Civil Liberties Union protested the purchase, disputing the accuracy of facial recognition systems and voicing privacy concerns [NYCLU Blog post here]. Student images are part of students’ biometric records and classified as personally identifiable information under New York state law, said the NYCLU. It added that because student images would be stored for 60 days in the SN Technologies system, schools could use the images to analyse students’ movements and interactions. Lockport won’t be the first school district in the US to use facial recognition technology. Arkansas’ Magnolia School District is also spending $287,000 on similar systems, according to reports. [NakedSecurity and at: Security Info Watch and Lockport Union Sun & Journal]

WW – Biometric Driver ID Market Expected to Grow to US$ 25 Billion by 2022

Biometric driver identification systems are being used to prevent unauthorized access to vehicles. The automobile industry is increasingly adopting biometric identification systems to ensure the security of the car. Manufacturers are offering various biometric technologies for authentication, such as facial and fingerprint recognition, voice analysis, iris-based in-car biometrics, hand geometry, etc. Biometric identification systems are being developed with some advanced features, such as behavior-based algorithms, to ensure performance and safety. This Research Report Insights report discusses key prospects for growth of the global biometric driver identification system market during the forecast period, 2017-2022, offering pragmatic insights to lead market players towards devising & implementing informed strategies. [True Industry News]

US – FaceFirst Launches Biometric Shoplifter Alert System for Retailers

L.A.-based FaceFirst has launched a new facial recognition solution for security surveillance aimed at the retail market. Dubbed “Sentinel-IQ”, the platform is designed to identify known shoplifters and criminals, and to send an alert to administrators the moment such individuals are detected by the surveillance system. And it’s available in multiple deployment configurations including a SaaS-based setup that allows it to run on almost any HD camera with a compatible processor. Sentinel-IQ’s ability to identify criminals can only be as effective as the databases upon which it relies, and FaceFirst offers Watchlist as a Service solutions for this purpose. And the company has a track record, with its facial recognition surveillance technology having previously seen some heavy duty deployments including an airport security implementation in Panama and a CCTV deployment for police in the Indian city of Bengaluru. Now, with facial recognition becoming ever more mainstream, FaceFirst could find more interest than ever in this technology from the retail sector at which Sentinel-IQ is aimed. [Find Biometrics]

Canada

CA – Federal Bill Expands OPC Enforcement Powers

Bill C-413, amending PIPEDA in relation to the Office of the Privacy Commissioner of Canada’s enforcement abilities, had its first reading in the House of Commons. If passed, the OPC can order organizations that contravened PIPEDA to take any reasonable action to ensure compliance, and can decide not to conduct investigations where not necessary or reasonably practicable; fines up to $30 million can be imposed for knowing, reckless violations considering the nature and gravity of the violation, organization’s resources and size, number of affected individuals, and mitigation measures taken. [Bill C-413 – An Act to Amend PIPEDA (Compliance with Obligations) – Parliament of Canada Bill Status | Bill Text]

CA – Federal Government Launches Consultations on National Data Strategy

The Trudeau government will take fresh steps towards equipping the country for the rapidly advancing era of big data. The Minister of Innovation, Science, and Economic Development Navdeep Bains announced that the federal government would be launching a series of consultations regarding a national data strategy [see PR here]. According to the Ministry of Innovation, Science, and Economic Development, the consultations will take the form of several roundtable discussions [see here] that will be held over the summer in cities across Canada, with businesses, educational institutions, and private citizens invited to participate. Whether the target is businesses or government, however, not every privacy expert believes Canada’s current data standards are an issue. Halifax-based internet, technology, and privacy lawyer David Fraser called the data gathering policies employed by tech giants such as Google and Facebook nothing more than “simple reality. The reason Facebook has information on 28 million Canadians is because 28 million Canadians choose to use Facebook.” [ITWorld Canada; see also: MobileSyrup and iPolitics | The Globe and Mail | National Post]

CA – Apply Privacy Laws to Canadian Political Parties, Committee Recommends

The House of Commons’ ethics committee unanimously recommended sweeping changes to Canada’s privacy regime, including bringing in strict data protection rules similar to those recently adopted by the European Union. The committee’s recommendations [see report notice here & 56 pg PDF report here] can be grouped into three broad categories. First, they suggest applying Canada’s privacy laws to federal political parties, as well as increasing transparency around how political actors use big data to target voters or advertising. Second, the committee restated earlier recommendations to increase the power of the federal privacy commissioner, giving the office enforcement powers like levying fines and seizing companies’ documents in the course of an investigation. Finally, and perhaps most consequentially, the committee recommended the Liberals urgently move to mirror the strict privacy framework recently adopted by the European Union, the General Data Protection Regulation (GDPR). Taken together, the measures would represent a significant shift in Canada’s privacy regime. [Toronto Star and at: CBC News, iPolitics, The Canadian Press (via NP) and The Globe and Mail]

CA – Poll: 72% Majority Want Stronger Privacy Rules for Political Parties

According to an Innovative Research Group poll, people in Canada overwhelmingly support greater privacy standards for political parties, which are currently not subject to any federal privacy legislation. Only 3% of those polled support the status quo policy of fewer privacy requirements for political parties. The law that governs the privacy practices of businesses in Canada (PIPEDA) [see here, OPC info here & wiki here], does not currently apply to political parties. Bill C-76 [the Elections Modernization Act — see PR here & Text here], the government’s current proposal to amend our elections laws, only proposes one change to this; requiring that parties publish a privacy policy. C-76 does not put any limitations or requirements for how individuals’ data is handled once collected. Key findings from the polling include: 1) A large majority – 72% – supported changing the law so that political parties follow the same privacy rules as private companies; 2) Only 3% of those polled supported the status quo policy of fewer restrictions for political parties; 3) Support for extending PIPEDA to political parties has broad support across partisans from all parties; and 4) 65% of respondents are concerned about the possibility of private companies collecting personal information about Canadians and using it in an attempt to influence the next election – Of those that followed the issue closely, 80% were concerned. [Open Media and also Elections Canada ‘blind’ to how political parties could use – or abuse – personal information and HuffPost Canada and The Globe and Mail]

CA – OPC Issues New PIPEDA Guidance on Inappropriate Data Practices

The OPC released a critical interpretation document [PR here] intended to guide how companies subject to PIPEDA will be allowed to collect, use and disclose personal information, as viewed from the perspective of the reasonable person. The guidance on inappropriate data practices is intended to offer interpretation on s. 5(3) of PIPEDA, which requires that organizations may collect, use or disclose personal information only for purposes that a “reasonable person would consider appropriate in the circumstances.” The OPC will begin to apply the guideline on July 1, 2018. Recognizing that any evaluation of an organization’s information practices under this subsection will necessarily require both contextual analysis and a review of the particular facts, the OPC has nonetheless established six “no-go zones” of behaviour that are completely offside PIPEDA and are essentially prohibited. The current no-go zones described in the guideline are as follows: 1) Collection, use or disclosure that is otherwise unlawful; 2) Profiling or categorization that leads to unfair, unethical or discriminatory treatment contrary to human rights law; 3) Collection, use or disclosure for purposes that are known or likely to cause significant harm to the individual; 4) Publishing personal information with the intended purpose of charging individuals for its removal; 5) Requiring passwords to social media accounts for the purposes of employee screening; and 6) Surveillance by an organization through audio or video functionality of the individual’s own device. [Canadian Lawyer Magazine]

CA – Canada’s Rape-Shield Law Can’t Be Used to Prevent an Accused from Mounting Defence, Ont. Court Rules

Canada’s so-called rape-shield law, which aims to protect sexual-assault complainants from unfair and irrelevant scrutiny of their sex lives, cannot be used to prevent an accused from mounting a reasonable defence, Ontario’s top court ruled [see R. v. R.V. here]. The court acknowledged the critical importance of protecting complainants from questioning about their sexual activity when that activity does not form the subject matter of the charge. “Notwithstanding these powerful considerations, there are times when such questioning must be permitted,” the Appeal Court said. “This is one of those cases where a proper balancing requires that such questioning be permitted.” In October 2016, Judge Robert Gee convicted R.V. after upholding the earlier ruling as binding on him. Both those decisions were in error, the Appeal Court said. The higher court said the pre-trial judge was wrong in finding that R.V.’s attempt to question the teen amounted to a “fishing expedition” despite knowing exactly what the cross-examination would have entailed. [CBC]

CA – OIPC ON Annual Report Celebrates 30 Years

2017 was a milestone year for the OIPC Ontario, which proudly celebrated 30 years of service on behalf of all Ontarians. The OIPC released its 2017 Annual Report, Thirty Years of Access and Privacy Service [see PR here], in which the OIPC calls for a number of legislative changes to enhance both access to information and protection of privacy in Ontario. Among the recommendations is a call to expand the IPC’s oversight to include Ontario’s political parties. Political parties collect and use personal information to target individuals in specific and unique ways. These increasingly sophisticated big data practices raise new privacy and ethical concerns and the need for greater transparency is evident. Subjecting Ontario’s political parties to privacy regulation and oversight will help to address the privacy, ethical and security risks associated with how political parties collect and use personal information. The OIPC also tabled the following recommendations in this year’s report: 1) Enact legislation that provides a strong, government-wide big data framework; 2) Ensure smart city initiatives are privacy protective; 3) Implement MOU for police services who adopt the use of the Philadelphia Model; and 4) Amend Ontario’s access laws to affirm IPC’s power to compel the production of records [IPC and at: The Canadian Press (via CTV)]

CA – OIPC SK Annual Report Emphasizes Privacy Breach Risk Reduction

“Reducing the Risk” is the title of OIPC SK Commissioner’s 2017-2018 annual report [see PR here]. In the report, Ron Kruzeniski [IPC] reflects on the progress and accomplishments of his team during the past year, hopes for the upcoming year and provides recommendations to reduce the risk of future privacy breaches. Recommendations for organizations to reduce risk were broken down into four sections [Prevention (p.14), Specific Controls (p.15), Policies (p.16) & Monitoring and Taking Action (p.18)] and include things like mandatory annual privacy training for all staff, and for staff to sign confidentiality agreements at least once a year. The report urges people to use complex passwords, not let co-workers use your computer if it means they will have access to information they shouldn’t, and use email encryption. The office has experienced an increase in the number of reviews, investigations and consultations, resulting in more files being opened [from 182 in 2014-2015 to 345 in 2017-2018]. Kruzeniski also repeated the office’s recommendations from last year’s report [see here] to make amendments to The Health Information Protection Act, which the Ministry of Health has yet to implement. [Leader Post and at: CBC News]

CA – CSIS Risks Privacy of Innocent People Despite Scathing Court Ruling

The Canadian Security Intelligence Service has failed to ensure it doesn’t illegally hold on to sensitive information about innocent people, the Security Intelligence Review Committee, a federal spy watchdog, said in a report made public. The report also expresses concern that CSIS lacks the ability to make the necessary changes, two years after a scathing court ruling about its practices [2017-2018 SIRC Annual Report – see PR here]. An October 2016 Federal Court decision [see redacted Ruling here & Summary here] said CSIS broke the law by keeping and analyzing electronic data about people who were not actually under investigation. The report noted that CSIS has since destroyed most of the metadata in question. But it found the spy service was “still dealing with the implications” of the court decision when it comes to handling information about third parties. In a statement [see here], Public Safety Minister Ralph Goodale said he takes the matter “very seriously,” and a full review of such cases is underway. [Penticton Herald and at: The Globe and Mail and CBC News]

CA – OPC Funding Research on Public Wi-Fi ‘Privacy Leakage’, Smart Cities

The office of Canada’s privacy commissioner has announced it will fund research into privacy risks related to public Wi-Fi hotspots through its 2018 to 2019 contributions program. The project will assess privacy policies, measure personal information leakage to hotspot operators, and identify issues such as potential attack opportunities for malicious users. Research and analysis from the report will culminate in a public hotspot privacy report card and presentation of recommendations. Eight other projects will receive funding, as well. Among them is a project that examines the potential privacy impact for children when parents share their personal information on social networks. There are also studies on the privacy implications of smart cities in Canada, as well as children’s smart toys. Funding for the projects ranges from $21,155 to $74,110 CAD. [betakit]

CA – OIPC AB Issues Guidelines in Light of Post Election Paper-Shredding

AB OIPC wants to see more in-depth training for government workers who deal with freedom of information and privacy requests. The office also wants the government to close a loophole that allows some public bodies to avoid being subject to the Alberta government’s records management program. The recommendations are contained in two new reports, released Tuesday. The first report [20 pg PDF], written by senior information and privacy manager Chris Stinner, examined the government’s FOIP request tracking system. The office’s second investigation [18 pg PDF – by senior information and privacy manager Elaine LeBuke] centred on two access to information requests made to the Balancing Pool in 2016 and 2017. [Edmonton Journal and at: Alberta OIPC]

CA – Liberal Backbencher Tables Bill to Give Privacy Commissioner More Power

On June 20, Liberal backbencher Nathaniel Erskine-Smith introduced a bill [Bill C-413 – see here & Text here] to give “new powers” to Canada’s privacy commissioner allowing the office to hold social media companies and others to account for breaking the law. [The bill aims to] allow the commissioner to make orders, impose fines, conduct audits and undergo investigations into suspected breaches of the Personal Information Protection and Electronic Documents Act. Under his proposed legislation, when companies are found in violation of the law and aren’t taking steps to comply with it thereafter, hefty financial penalties would ensue. Fines could range from $15 million to $30 million, depending on the offence. [Unlike the EU’s GDPR which] encompasses acts of negligence, Erskine-Smith’s bill only captures “intentional conduct” — groups that have acted recklessly towards the law. Some provincial privacy commissioners technically have “more power” than their federal counterpart. For instance, B.C.’s representative Michael McEvoy has the authority to make orders and issue fines of up to $100,000. To that end, a company operating in B.C. would be subject to stronger privacy regulations than a company operating in Ontario. Erskine-Smith’s bill was adopted following question period and will be addressed when the House returns in the fall. [iPolitics]

CA – Complainants in Intimate Images Cases Don’t Get Automatic Publication Ban

In a recent Nova Scotia Supreme Court advisory, there is a stipulation stating adults will not be able to count on a publication ban when they come forward in cases of cyberbullying and the non-consensual sharing of intimate images. On June 22, the Supreme Court issued advice for lawyers on how they should handle the relatively new Intimate Images and Cyber-Protection Act. Adults will be able to request a publication ban on their name, but will have to go through an application process. In 2017, the Intimate Images and Cyber-Protection Act replaced the Cyber-Safety Act, which was deemed unconstitutional. Though it was released last year, the new law is not in effect. In the meantime, the Supreme Court has released the advisory to instruct lawyers as to how to implement the law. The stipulation about adults having their names used as the default position, while minors remain unnamed, is bringing up concerns. [CBC News]

Consumer

CA – Common Sense Finds Social Media Privacy Matters To Teens

New research from nonprofit org Common Sense Media shows that nine out of 10 teens think it’s important that sites clearly label what data they collect and how it will be used. The research follows recent blunders by big social media companies that have unnerved young users and their parents, including the scandal surrounding political consulting firm Cambridge Analytica harvesting raw data from up to 87 million Facebook profiles unbeknownst to the users. The majority, 69% of teens and 77% of parents, responded that it is “extremely important” for sites to ask permission before selling or sharing their personal information. The vast majority, 97% of parents and 93% of teens, also agree that it is at the very least, moderately important. Very few people surveyed think that sites do a good job of explaining what they do with users’ information. Only 36% of teenagers and 25% of parents agree that social networking sites and apps actually do a good job of explaining what they do with users’ data. On top of that, most parents and teens are concerned about ad targeting by social media sites with 82% of parents and 68% of teens saying they are at least “moderately” worried that those sites already use their data to allow advertisers to target them with ads. Many of those surveyed have already taken action with 79% of teens saying they have changed their privacy settings on a social networking site to limit what they share with others. Parents are also concerned, with 86% changing their own privacy settings. Despite these concerns, 30% of parents and 57% of teens reported never reading the terms of service, with 66% of parents and 65% of teens saying it’s because they are not interested in what those privacy terms have to say. Parents of teens are far more concerned about bots on social media, with 85% saying that they are moderately to extremely concerned about the fake accounts’ influence online. Teens are less concerned, with 72% reporting they are moderately to extremely concerned. This new data also comes on the heels of GDPR rolling out in Europe on May 25, only a few days after the survey was completed. One of the changes with the new EU data privacy and security legislation is that countries can choose at what age someone is considered a child online. In Italy, Germany and Ireland, for example, the cut-off ranges from ages 13 to 16. A number of social apps have already responded to the changes, including WhatsApp which changed its required age of use to 16 all across Europe. [kidscreen]

CA – Canadian Businesses Not Guarding Private Information Carefully: Survey

The results of a government-commissioned survey reveal that a staggering 94% of Canadian companies now collect basic contact information like names, phone numbers and email addresses from their customers. Opinions, evaluations, and comments are collected by 29% of businesses, financial information like credit card numbers by 25%, and identity documents (even social insurance numbers) are collected by 21%. 15% tracked “purchasing habits.” Once they have it in hand, 73% of businesses store this information on-site in electronic form, which the survey notes is “a shift from previous years” when storing information on paper was the most popular method. The research was conducted late last fall by Phoenix Strategic Perspectives, and involved 1,014 Canadian businesses, the vast majority of which were small or medium-sized. The survey was commissioned by the Office of the Privacy Commissioner of Canada. There was a mixture of good and bad news when it came to the security of customers’ personal data. [Global News]

Encryption

CA – Government of Canada Mandates HTTPS, HSTS

Effective June 27, 2018, all Canadian government websites should implement HTTPS for web connections. The government of Canada has issued an Information Technology Policy Implementation Notice (ITPIN) directing all “departments” to implement Transport Layer Security and migrate to HTTPS. The Notice is effective as of June 27th. All departments, agencies and organizations in the Canadian government that are not subject to the Policy on Management of Information Technology are advised to abide by the ITPIN. Canadian departments are to implement safeguards that ensure their services are only offered via a secure connection. [Hashed Out]

EU Developments

EU – LIBE Wants Privacy Shield Axed by September If US Doesn’t Act

Yet more pressure on the precariously placed EU-US Privacy Shield [see here, here & wiki here]: The European Union parliament’s civil liberties committee [LIBE – here] has called for the data transfer arrangement to be suspended by September 1 unless the US comes into full compliance. Though the committee has no power to suspend the arrangement itself, it has amped up the political pressure on the EU’s executive body, the European Commission. In a vote late yesterday the Libe committee agreed [see PR here] the mechanism as it is currently being applied does not provide adequate protection for EU citizens’ personal information. The Libe committee says it wants US authorities to act upon privacy scandals such as the Facebook Cambridge Analytica debacle without delay — and, if needed, remove companies that have misused personal data from the Privacy Shield list. MEPs also want EU authorities to investigate such cases and suspend or ban data transfers under the Privacy Shield where appropriate. The EU parliament as a whole is also due to vote on the committee’s text on Privacy Shield next month, which — if they back the Libe position — would place further pressure on the EC to act. Though only a legal decision invalidating the arrangement can compel action. [TechCrunch and at: Out-Law (Pinsent Masons), ITPro, EURACTIV and The Register]

EU – Parliament Advocates Blockchain Ledger Technology

The EU Parliament issued an opinion on blockchain technology. Blockchains shift control over daily interactions with technology to users, provide transparency through their immutability, and permit decoupling of user identities from tracking the movement of goods; issues to consider include that, with enough effort, it can still be possible to connect transactions to particular parties, and the ledger’s immutability may compromise a user’s right to be forgotten. [European Parliament – How Blockchain Technology Could Change Our Lives: Report | Press Release]

UK – ICO Guidance on Data Protection by Design and Default

The UK’s Information Commissioner’s Office issued guidance on data protection by design and default under the GDPR. Data protection by design and default should begin at the time of the determination of the means of processing, time of processing, and initial phase of any system, service, product or process; organisations should make data protection an essential part of the core functionality of processing systems and services, practice data minimisation, and provide individuals with tools to determine how their data is used and whether the organisation properly enforces its policies. [UK ICO – Data Protection by Design and Default]

UK – ICO Seeks Views on How Kid-Friendly Websites Should Be Designed

The UK Information Commissioner’s Office is crowdsourcing ideas for the code that will govern how websites and apps aimed at under-16s are designed [see Commissioner’s Blog post here]. The ICO, which must publish a statutory code on age-appropriate design as part of the Data Protection Act, has today acknowledged this fine balancing act as it called for opinions on the code [see here]. The ICO is seeking views [consultation closes September 19] on how websites and apps should be designed to take into account children’s rights and needs, from industry, online service providers, academics and children’s advocacy services. Separately, the ICO said it plans to run a direct consultation with children, parents and guardians, an effort to emphasise the importance it is putting on the opinions of those who are going to be affected by the code. [The Register]

UK – ICO Penalizes Failure to Protect Against Ransomware

The UK Information Commissioner’s Office issued a monetary penalty notice against the British and Foreign Bible Society for violations of the Data Protection Act. The Society failed to take preventative measures, such as changing default credentials, restricting access rights, and using network segmentation, to ensure the security of the personal data of its supporters and protect its network from ransomware attacks; the unauthorized access to sensitive information could be used for fraudulent activities and identity theft. [ICO UK – Monetary Penalty Notice – The Bible Society]

Facts & Stats

CA – Canada Revenue Agency Logs 2,338 Privacy Breaches in 2 Years

The personal, confidential information of over 80,000 individual Canadians held by the Canada Revenue Agency may have been accessed without authorization over the last 21 months, according to government documents made public. But while the number of potential privacy breaches may be eye-popping, the CRA is downplaying the seriousness of most of them. Government documents tabled in the House of Commons outline privacy breaches across all government departments and agencies since mid-September 2016. The CRA has experienced the most privacy breaches, recording a total of 2,338 in the 21-month time span. There have been dozens of cases involving unauthorized access over the last 21 months, and 24 of them were considered serious enough to notify the Office of the Privacy Commissioner. [Global News and at: Narcity]

WW – Data Breaches Decline in 2018

According to Risk Based Security’s Q1 2018 Data Breach QuickView Report [see PR here, see 30 pg PDF here or download here], following year over year increases in the number of publicly reported data breaches, the first three months of 2018 saw a respectable decline. But while the numbers look good, they may reflect a change in criminal targeting and goals and less an indication that cyber-criminals are waving white flags. According to the report, the number of breaches disclosed in the first three months of this year declined to 686 compared to 1,444 breaches reported in the same year-ago period. Still, the number of records exposed was high: more than 1.4 billion. It seems, for the period, a shift from targeting files for theft to mining cryptocurrencies could explain the turn of events. [Security Boulevard]

Finance

US – Free Credit Freezes Are Coming

Thanks to a new federal law [Economic Growth, Regulatory Relief, and Consumer Protection Act – signed by POTUS May 24 – see S.2155 here & wiki here], soon you can get free credit freezes and year-long fraud alerts. When the law takes effect in September, Equifax, Experian and TransUnion must each set up a webpage for requesting fraud alerts and credit freezes. The FTC will also post links to those webpages on IdentityTheft.gov. And if you’re in the military, there’s more. Within a year, credit reporting agencies must offer free electronic credit monitoring to all active duty military. Here’s what to look forward to when the law takes effect on September 21st [FTC and at: Cuna.org and All Things Finreg]

CA – Class-Action Lawsuits Filed Against Bank of Montreal, CIBC’s Simplii

Law firms Siskinds LLP and JSS Barristers say [see PR here] they have filed in the Ontario Superior Court of Justice proposed class-action lawsuits against Bank of Montreal and CIBC’s direct banking division Simplii Financial over recently disclosed cybersecurity breaches impacting up to 90,000 customers. They are alleging the institutions failed to establish robust security measures to protect clients’ sensitive information. Simplii and BMO warned in May that “fraudsters” may have accessed certain personal and financial information of some of their customers, up to 40,000 clients and 50,000 clients, respectively. [CTV News]

FOI

CA – Best Practices: Calculating FOI Request Fees in Ontario

The Ontario OIPC issued guidance on calculating fees for access requests, pursuant to the:

The IPC outlined when entities can charge fees for responding to access requests, including manual record searches, preparing records for disclosure, shipping costs, costs for locating and copying records, photocopies, and CD-ROM records; fees cannot be charged for associated legal costs, third party processing costs, registered mail, employee overtime in responding to requests, or restoring records to their original state. [IPC ON – Fees, Fee Estimates and Fee Waivers – June 2018]

Genetics

WW – Investigative Strategy of Police Prompts Debate on DNA Privacy Rights

A new investigative technique [genetic genealogy] that American police have been using to comb through the genetic family trees of potential suspects in unsolved crimes has prompted debate in Canada about privacy rights. Josh Paterson, executive director for the B.C. Civil Liberties Association, warned that positive results don’t necessarily justify the process. “The fact of one story or a handful of stories seemingly going in a positive way doesn’t take away our concern for the potential of misuse for these kinds of tools,” he said. Even in cases where a website warns users that their genetic information may be shared with police, Paterson said, it means someone’s third cousin may be consenting on their behalf. In Canada, there are strict rules for good reason around the use of genetic information in the National DNA Data Bank, which limits samples to individuals convicted of certain crimes and regulates their use by police. In contrast, he said American detectives appear to be fishing for suspects through genealogy sites that store genetic information. “They’re basically throwing a net in the sea and asking these companies what they might come back with,” he said. On the other hand, Eike-Henner Kluge, a professor of philosophy at the University of Victoria with an interest in biomedical and information ethics, said there are cases where privacy rights can be breached if there’s a threat of harm to others, and unsolved murders may be one of them. “Any right is subject to the equal and competing rights of others,” Kluge said in an email. “This is also recognized in the classic legal statement, ‘Your right to swing your arms ends just where the other man’s nose begins.’” It’s unclear if Canadian law enforcement are using the same techniques. [The Star and at: Infosurhoy, GenomeWeb and Connecticut Law Tribune. Additional coverage at: Science (Vol. 360, Issue 6393, pp. 1078-1079), Science News, Here & Now (Audio – WBUR) and MediaPost Communications]

Health / Medical

CA – Ontario to Let Companies Access Database of Patient Health Records

The government of Ontario announced Project Spark, an initiative to make healthcare data more accessible to healthcare professionals, researchers, companies, and the people of Ontario themselves. So there’s reason to be excited, and a bit nervous. The government of Ontario has accumulated a vast, central database of its citizens’ electronic health records that in other healthcare systems might be fragmented among various doctor’s offices, health maintenance organizations, and medical labs. While the people of Ontario won’t have to contribute additional data to Project Spark — the government isn’t going to come knocking with cheek swabs for genetic tests — it does turn them and their medical histories into commodities. Commodities that could bring about medical breakthroughs but could also share more personal details than they may want to give. If Project Spark, or any other holder of big data repositories, is about to open for business, it needs to take extra care in advance. Ontario only gets one shot to do this right. Project Spark will have to invest in the right kind of digital infrastructure before kicking into high gear. [Futurism and at: QUARTZ and Canadian Reviewer]

CA – Health Information Breach Notification Obligations under Alberta’s Health Information Act

Commencing August 31, 2018, Alberta’s Health Information Act will require custodians of personal health information to give notice of any health information security breach that presents a risk of harm to an individual. The security breach obligations under the HIA join an increasing number of Canadian statutory regimes that impose information security breach reporting and notification obligations. Custodians subject to the HIA should assess their readiness to comply with the security breach obligations, and make appropriate changes to prepare for compliance. [Borden Ladner Gervais, Lexology]

US – Walmart Wins Patent for Medical Records Stored on Biometric Blockchain

Walmart has been awarded a patent for a system that would store a person’s medical information in a blockchain database and allow first responders to retrieve it in the event of an emergency. The patent, issued by the U.S. Patent and Trademark Office, describes three key parts to the system: a wearable device in which the blockchain is stored; a biometric scanner for an individual’s biometric signature; and an RFID scanner to scan the wearable device, ideally a bracelet or wrist band. According to the patent, first responders would scan the device to access an encrypted private key. They would decrypt that using the biometric identifier and, with a second public key, retrieve the victim’s records. Walmart has been revving up its focus on healthcare. The retail giant has touted the idea of “optimized networks” to improve consumer price and cost transparency while steering patients to providers with better performance ratings. [Planet Biometrics]

CA – OHIP Billings Should Not Be Public Because ‘Doctors Are Different’

The names of high-billing doctors should not be made public, lawyers for the Ontario Medical Association and two other doctor groups have told the Ontario Court of Appeal. “Doctors are different. Why are they different? Because they do not have a contract with government,” lawyer Linda Galessiere, acting for a group of physicians described as “affected third-party doctors,” argued. Others paid from the public purse — including lawyers, consultants and contractors — have actual contracts with government, she said, but with doctors, it is simply legislation that mandates their OHIP payments come from the public treasury, not contracts, Galessiere argued. The contract between the government and the Ontario Medical Association (OMA) is only about the value of specific fees doctors can charge OHIP, she said. Galessiere said physician-identified billings are public in British Columbia, Manitoba and New Brunswick because governments in those provinces passed legislation forcing disclosure. She said that if the Ontario government wants disclosure, then it can also introduce legislation. The doctors and the OMA are appealing a ruling made a year ago by the Ontario Divisional Court that upheld an order by the Information and Privacy Commissioner of Ontario (IPC) [The Star and see IPC Blog here and Order here] to release physician-identified billings of the 100 highest-paid doctors.

US – OCR to Distribute Enforcement Funds to Victims of HIPAA Violations

OCR will seek comments on establishing a way to distribute funds collected from Health Insurance Portability and Accountability Act (HIPAA) enforcement actions to individuals harmed by the underlying incident [see here]. This would fulfill a long-awaited and overdue requirement included in the Health Information Technology for Economic and Clinical Health (HITECH) Act, which required OCR to issue regulations about this methodology within three years of HITECH’s 2009 enactment date. This advance notice of proposed rulemaking will be released sometime in November 2018. [Data Privacy Monitor]

Horror Stories

US – Equifax Agrees to Cybersecurity Requirements; Former Employee Charged with Insider Trading

Equifax has agreed to comply with security requirements put in place by financial regulators from eight US states. The requirements are a response to the massive data breach that compromised information belonging to more than 147 million individuals. In a related story, a former Equifax employee has been charged with insider trading. Sudhakar Reddy Bonthu, who was one of the Equifax employees orchestrating the company’s public response to the breach, allegedly profited from making trades prior to the breach’s disclosure. [NY Times: 8 States Impose New Rules on Equifax After Data Breach | SC Magazine.com: Equifax agrees to cybersecurity regulations set forth by 8 U.S. States | Reuters: U.S. charges former Equifax manager with insider trading | CNet: Former Equifax exec charged with insider trading following data breach | Justice.gov: Charges filed against second defendant for insider trading related to the Equifax data breach]

EU – Irish DPA Finds Against Yahoo in Massive Email Breach

The Irish Data Protection Commissioner has found against Yahoo for a 2014 data breach that affected 500m people and 39m EU citizens. However, the watchdog’s offices said that it will issue no fine or other punitive measure, largely because the events took place before the introduction of the GDPR, which came into force last month. Instead, the DPC has ordered Yahoo to update its data processing systems. Yahoo’s European headquarters are in Dublin. The breach was reported to the DPC in September 2016. It involved the unauthorised copying and taking, “by one or more third parties”, of material contained in approximately 500 million user accounts from Yahoo in 2014. It is the largest breach which has ever been notified to and investigated by the DPC. [Independent and at: Bloomberg, Reuters and SiliconRepublic]

CA – Data Breach Defendant Must Hand Over Computer Forensics Reports: Court

Casino Rama, located near Lake Simcoe, had its computer system hacked in 2016, when a significant amount of information on vendors, employees and customers was stolen. Facing a class-action lawsuit over the breach, it has lost its bid to prevent plaintiffs from getting their hands on part of a computer forensics investigation report. The casino claimed the report was protected by litigation privilege or solicitor-client privilege. Justice Benjamin Glustein of the Ontario Superior Court of Justice ruled [June 6, 2018 – see 10 pg PDF here] that if the computer forensics reports were subject to solicitor-client privilege or litigation privilege, “then the defendants waived privilege to the extent that the Mandiant Reports address the size and scope of the prospective class. A party cannot disclose and rely on certain information obtained from a privileged source and then seek to prevent disclosure of the privileged information relevant to that issue.” [Canadian Underwriter]

Identity Issues

AU – Australians to Soon Get MyGovId Single Government Identity

The first of several pilot programs using a beta version of a myGovID will begin in October, the Australian government confirmed. In a statement, Minister for Human Services and Minister Assisting the Prime Minister for Digital Transformation Michael Keenan said having 30 different log-ins for government services is “not good enough”, and it is anticipated the single log-in will allow Australians to access almost all government services by 2025. “Think of it as a 100-point digital ID check that will unlock access to almost any government agency through a single portal such as a myGov account,” he said. “The old ways of doing things, like forcing our customers to do business with us over the counter, must be re-imagined and refined.” Citizens will need to establish a digital identity before being able to use it across services, the minister explained. Keenan confirmed the first of several pilot programs using a beta version of the myGovID will begin in October, after the Digital Transformation Agency (DTA) revealed last month it had pencilled in the date for delivery of its first Govpass pilot. [ZDNet]

CA – Mogo Survey: 86% Believe Risk of Identity Fraud Is Growing

A recent survey conducted by Maru/Blu on behalf of Mogo Finance Technology Inc. [here] revealed that 86% of Canadians believe they are increasingly at risk of identity theft and identity fraud – yet only 24% of respondents currently have identity fraud protection. The survey, which included more than 1,500 participants, revealed the following: 1) 86% of Canadians believe that in today’s digital world, they are increasingly at risk of identity theft and identity fraud; 2) While Canadians know the risk, only 24% have some sort of identity fraud protection solution; 3) 85% of Canadians believe that if they are a victim of identity theft or fraud, it will have an impact on their financial life; and 4) 35% of Canadians know someone who has been a victim of identity fraud. [PR Newswire]

EU – Plans to Include Fingerprints in Identity Cards Unjustified and Unnecessary

The European Commission has published a proposal calling for the mandatory inclusion of biometrics (two fingerprints and a facial image) in all EU Member States’ identity cards. The demands to include fingerprints are an unnecessary and unjustified infringement on the right to privacy of almost 85% of EU citizens, as explained in an analysis published by civil liberties organisation Statewatch. The foreseen rules would not oblige Member States to introduce any kind of national identity card and do not require the establishment of any kind of database, either at EU or national level. However, national governments may well take the opportunity provided by the introduction of biometrics into ID cards to establish national databases. An appetite may then develop for linking them up under the EU’s ongoing “interoperability” initiative, which foresees bringing together all existing and future EU databases and the establishment of a giant, EU-level ‘Central Identity Repository’ which, in its first phase, will hold the biometric and biographical data of almost all “third-country nationals” who enter the EU. Proposals currently under discussion foresee this being extended in the future to include national databases holding information on EU citizens [see 12 pg PDF here]. [Statewatch]

WW – ID Management Study Finds Unfettered Access to Sensitive Information

A data risk report covers 130 organizations that were assessed to help them understand where sensitive and classified data reside in their IT environment, and how much is exposed and vulnerable. Assessments were performed in more than 50 countries and across 30+ industries, including: insurance; financial services; healthcare; pharma and biotech; manufacturing; retail; utilities and energy; construction; IT and computer software; education; and local, state and regional governments. This study provides recommendations to mitigate key data exposure issues, namely stale user accounts (spot inactive users and govern active user accounts), toxic permissions (remove global access and restrict user access to relevant data), and password issues (set expiration dates for passwords and use multifactor authentication). [Data Under Attack – 2018 Global Data Risk Report – Varonis]

Law Enforcement

CA – Report Calls for Changes to Edmonton Police’s Use of Street Checks

A report examining the Edmonton Police Service’s use of street checks has recommended the force increase its diversity, monitor for inappropriate stops and initiate a public dialogue around the practice sometimes referred to as carding. The 300-plus page report was released by the Edmonton Police Commission, which oversees the Edmonton police force and is comprised of city councillors and members of the community. The commission announced the review in July, shortly after Black Lives Matter Edmonton obtained street-check data from the police force through a Freedom of Information request. The group released a report that found people who were black or Indigenous were more likely to be subjected to street checks than individuals who were white. [The Globe and Mail]

CA – Ontario Cops Push Access to Private Surveillance Footage

The St. Thomas police service is among a growing number of Ontario police forces that want to tap into home and business video surveillance systems to help fight crime. Police are encouraging home and business owners in St. Thomas to voluntarily identify their video surveillance locations in the community, so they can be mapped and stored on an internal database. Homeowners and businesses can register [see here] their information on the St. Thomas police website. And if there’s a crime in their community, police may come and ask if they can view their video. While police think it could help solve and deter crimes in the community, the trend disturbs former Ontario privacy commissioner Ann Cavoukian. She is worried about homeowners handing over videos that could include images of their neighbours and others who have no idea the information is being shared. She is also concerned about how easily police could obtain the information. [CBC News]

Online Privacy

CA – NEB Plan to Monitor Social Media En Masse “Alarming”

The National Energy Board’s plan to hire a security firm to monitor “vast amounts” of social media chatter may seem like the simple aggregation of publicly available data but actually raises a host of privacy concerns, says a prominent digital security and human rights researcher. Ron Deibert, director of the Citizen Lab at the University of Toronto’s Munk School of Global Affairs, has written an open letter asking the Calgary-based NEB to clarify exactly why it wants to accrue all this data and how it plans to use and share the information. In a recently posted request for information, the NEB — which is responsible for regulating pipelines and other energy infrastructure in Canada — says it is only looking to monitor publicly available data in accordance with existing privacy laws in order to identify potential risks or threats. But Deibert says many Canadians don’t realize just how much of their information could be considered public and the extent to which their online activity can be tracked. “Many of these companies have technologies and tools that enable them to gather up a lot of information that they would consider to be public information but is much deeper and far more revealing than what is posted publicly on a Facebook page,” he said. Social media platforms are constantly changing, he added, and it’s not always clear what defines public versus private data. The NEB has received Deibert’s letter and “will provide a response in due course.” [CBC News]

WW – ICANN Appeals Court Decision to Minimize WHOIS Data Collection

ICANN has appealed [see PR here & 37 pg PDF Text here] a decision made by a German court last month over the information that should be collected on domain registrants. The German court’s decision [see 6 pg PDF here] was the latest development in a situation that has left many registrars unclear on what approach to take on WHOIS data in order to comply with the EU’s General Data Protection Regulation. The court ruled that while EPAG [located in Bonn, here], which is a subsidiary of the world’s second largest domain registrar, Tucows, has a contractual obligation to collect data to prevent misuse, it’s not required to collect the additional data ICANN wants it to collect, e.g. administrative and technical contact data. ICANN argues that while the court ruled that EPAG was only required to collect data on the domain holder, it didn’t rule whether collecting technical and administrative contact data contravened the GDPR. It is asking the court to order EPAG to collect the additional data requested or face a penalty of 250,000 EUR. [Indivigital and at: The Register, World Trademark Review, Domain Name Wire]

EU – German Authorities: Tracking and Profiling Cookies Require Opt-In Consent

The Conference of German Data Protection Authorities released a position paper on the applicability of the German Telemedia Act (TMA) after 25 May 2018. The Position Paper clearly states that tracking and profiling cookies now require informed prior opt-in consent. The Position Paper has received a great deal of criticism. [Technology Law Dispatch]

WW – Facebook Quiz App Leaked Data on ~120M Users For Years

Facebook’s historical app audit [see Zuckerberg’s announcement here] conducted in the wake of the Cambridge Analytica data misuse scandal has already suspended around 200 apps. But you do have to question how much the audit exercise is, first and foremost, intended to function as PR damage limitation for Facebook’s brand — given the company’s relaxed response to a data abuse report concerning a quiz app [NameTests.com] with ~120M monthly users, which it received right in the midst of the Cambridge Analytica scandal. Because despite Facebook being alerted about the risk posed by the leaky quiz apps in late April — via its own data abuse bug bounty program — they were still live on its platform a month later. Self-styled “hacker” Inti De Ceukelaire went hunting for data abusers on Facebook’s platform after the company announced a data abuse bounty on April 10 [read De Ceukelaire’s account here] and quickly realized the company was exposing Facebook users’ data to “any third-party that requested it”. NameTests was displaying the quiz taker’s personal data (such as full name, location, age, birthday) in a JavaScript file — thereby potentially exposing the identity and other data on logged in Facebook users to any external website they happened to visit. He also found it was providing an access token that allowed it to grant even more expansive data access permissions to third party websites — such as to users’ Facebook posts, photos and friends. He reckons people’s data had been being publicly exposed since at least the end of 2016. De Ceukelaire found that NameTests would still reveal Facebook users’ identity even after its app was deleted. Here are the details. [TechCrunch and at: Medium, The Register, CNET, The Verge and GIZMODO]

WW – Facebook Patents System That Can Use Your Phone’s Mic to Monitor You

Facebook has patented a system that can remotely activate the microphone on someone’s phone using inaudible signals broadcast via a television. The patent application describes a system where an audio fingerprint embedded in TV shows or ads, inaudible to human ears, would trigger the phone, tablet or long-rumoured smart speaker to turn on the microphone and start recording “ambient audio of the content item”. The recording could then be matched to a database of content to allow Facebook to identify what the individual was watching – like Shazam for TV, but without the individual choosing to activate the system. The patent positions the technology as a way for broadcasters to know exactly who is watching their TV shows or ads and for how long. Privacy experts are concerned about the intrusion into people’s homes, particularly as the ambient audio recording would likely catch snippets of people’s private conversations without their knowledge. Such a system could also give Facebook a better understanding of people’s social connections as it would show the social network which people were meeting up in real life. Facebook was quick to downplay [see here] the patent filing. [The Guardian and at: Mashable, Ars Technica, Fortune, Naked Security, New York Times and Engadget and also The Verge: No, Facebook did not patent secretly turning your phone mics on when it hears your TV and at: GIZMODO Australia]

US – Groups ask FTC to Probe Facebook’s Nudging Users for Max Data

Consumers Union, the advocacy division of Consumer Reports, which helmed a study of Facebook in the wake of the Cambridge Analytica third-party sharing fiasco that led to congressional hearings and increased scrutiny, said it is calling for an FTC investigation [see CU PR here, CR report here & 8 pg PDF letter here] …The Consumer Reports study is being released at the same time as a Norwegian Consumer Council report, “Deceived by Design” [see PR here & 44 pg PDF Report here], looking at the pop-up privacy boxes announcing companies’ new privacy policies in Europe in the wake of the enhanced privacy framework — General Data Protection Regulation or GDPR — adopted by the EU in May. Consumer Watchdog and [seven] other groups are also calling on the FTC to investigate Google based on the NCC findings [see PR here & 3 pg PDF letter here]. Jeff Chester, executive director of the Center for Digital Democracy [here], said that almost two dozen organizations in Europe are part of a letter-writing campaign to seven different regulatory jurisdictions. [Multichannel News and at: Consumer Reports, The Hill and Compliance Week]

US – Facebook Gives Lawmakers the Names of Firms It Gave Deep Data Access

In a major data dump, Facebook handed Congress a ~750-page document with responses to the 2,000 or so questions it received from US lawmakers sitting on two committees in the Senate and House back in April. Facebook repeats itself a distressing number of times. TextMechanic’s tool spotted 3,434 lines of duplicate text in its answers — including Facebook’s current favorite line to throw at politicians, where it boldly states: “Facebook is generally not opposed to regulation but wants to ensure it is the right regulation”, followed by the company offering to work with regulators like Congress “to craft the right regulations”. Below is the full list of 52 companies Facebook has now provided to US lawmakers — though it admits the list might not actually be comprehensive, writing: “It is possible we have not been able to identify some integrations, particularly those made during the early days of our company when our records were not centralized. It is also possible that early records may have been deleted from our system”. Last month the New York Times revealed that Facebook had given device makers deep access to data on Facebook users and their friends, via device-integrated APIs. [TechCrunch and at: BankInfo Security]

US – Facebook Releases Privacy Safeguards After Pressure from Advertisers

Facebook is installing new controls it says will better inform its members about the way companies are targeting them with advertising, the latest step to quell a public outcry over the company’s mishandling of user data. Starting July 2, Facebook for the first time will require advertisers to tell its users if a so-called data broker supplied information that led to them being served with an ad. Data brokers are firms that collect personal information about consumers and sell it to marketers and other businesses. Facebook has also set up new procedures for the handling of names of potential customers supplied by data brokers. Advertisers seeking to upload lists of these prospects onto Facebook’s platform will first have to promise that the data vendor obtained any legally required consent from those consumers. Facebook says the new policies will create more transparency for its users and require more accountability from advertisers. The new policies are the second big push by Facebook this year to shore up its policy regarding data brokers. On March 28, Facebook moved to banish data brokers from its platform as part of efforts to burnish its image. But the company quickly softened its stance after big marketers threatened to pull their ad dollars from Facebook, according to three people familiar with the decision. Advertisers said the restrictions on data brokers would hurt their ability to aim their ads at customers most likely to buy their products. Details of advertisers’ pushback, and Facebook’s retreat, have not been previously reported. Reuters

WW – Apple Cracks Down on Apps Sharing Info on Users’ Friends

Apple Inc. changed its App Store rules last week to limit how developers harvest, use and share information about iPhone owners’ friends and other contacts. The move cracks down on a practice that’s been employed for years. Developers ask users for access to their phone contacts, then use it for marketing and sometimes share or sell the information — without permission from the other people listed on those digital address books. On both Apple’s iOS and Google’s Android, the world’s largest smartphone operating systems, the tactic is sometimes used to juice growth and make money. Sharing of friends’ data without their consent is what got Facebook Inc. into so much trouble when one of its outside developers gave information on millions of people to Cambridge Analytica, the political consultancy. Apple has criticized the social network for that lapse and other missteps, while announcing new privacy updates to boost its reputation for safeguarding user data. The iPhone maker hasn’t drawn as much attention to the recent change to its App Store rules, though. Bloomberg News, adage.com

US – Google to Fix Location Data Leak in Google Home and Chromecast

Google plans to fix a privacy issue that affects its Google Home and Chromecast devices. An authentication vulnerability allows attackers to obtain location data for the devices by tricking users into opening a link while connected to the same Wi-Fi network as a vulnerable device. Google is scheduled to release the fix next month. [krebsonsecurity.com: Google to Fix Location Data Leak in Google Home, Chromecast | www.tripwire.com: Google’s Newest Feature: Find My Home]

Other Jurisdictions

AU – Experts Call for Kids’ Data Protection in Australia

Australia will inevitably need to follow other countries legislating against the collection of data about children from the internet, a data privacy protection expert warns. Dylan Collins, the chairman of the kids’ digital media company TotallyAwesome, believes the internet was designed for adults and many services are struggling to adapt to the extraordinary number of youngsters logging on every day. “Pretty much everything is based around capturing personal data and monetising it in some form,” the Irish entrepreneur said. “That’s just not safe or appropriate for six, seven or eight years olds.” In recent years, the US, Europe and China have created so-called “zero-data environments” which prohibit companies from collecting data on people under a set age – ranging between 13 and 16. “It’s probably inevitable that something similar will come to Australia in the not too distant future,” Mr Collins said. He predicted that over the next five to seven years there will be a universal right for children to have access to the internet without being tracked. Australian Associated Press

Privacy (US)

US – Supreme Court: Warrant Needed to Access Cell Site Location Data

The US Supreme Court has ruled that law enforcement must obtain a warrant to collect a suspect’s cell site location information (CSLI). In a 5-4 decision, Chief Justice John Roberts wrote in the majority opinion that “when the Government tracks the location of a cell phone it achieves near perfect surveillance, as if it had attached an ankle monitor to the phone’s user.” The ruling does not overturn the “third-party doctrine,” a legal precedent that found that people have no “reasonable expectation of privacy” regarding information collected by a third party, nor does it cover real-time tracking. [Supremecourt.com: Carpenter V. United States: Certiorari to the United States Court of Appeals for the Sixth Circuit (PDF) | Wired.com: The Supreme Court Just Greatly Strengthened Digital Privacy | SCmagazine.com: Supreme Court rules government generally needs warrant for long-term surveillance using location data | ZDnet.com: Supreme Court says police need a warrant for historical cell location records | Ars Technica: Supreme Court rules: Yes, gov’t needs warrant to get cellphone location data]

US – Analysis: SCOTUS “Carpenter v. United States” a Big Win for Privacy

Over 40 years ago, the Supreme Court outlined what has come to be known as the “third-party doctrine” – the idea that the Fourth Amendment does not protect records or information that someone voluntarily shares with someone or something else. On June 22 in “Carpenter v. United States” [see here & 119 pg PDF text here], an opinion [written] by Chief Justice John Roberts [and] joined by Justices Ruth Bader Ginsburg, Stephen Breyer, Sonia Sotomayor and Elena Kagan, the Supreme Court ruled that, despite this doctrine, police will generally need to get a warrant to obtain cell-site location information, a record of the cell towers (or other sites) with which a cellphone connected. …Roberts characterized the case as involving two, potentially conflicting lines of the Supreme Court’s precedent. The first involves whether someone like Carpenter can expect to have his whereabouts kept private [the so-called reasonable expectation of privacy test – wiki here]. The second line of precedent is the third-party doctrine [see wiki here]. Roberts emphasized that today’s ruling “is a narrow one” that applies only to historical cell-site location records. He took pains to point out that the ruling did not “express a view on” other privacy issues, such as obtaining cell-site location records in real time, or getting information about all of the phones that connected to a particular tower at a particular time. He acknowledged that law-enforcement officials might sometimes still be able to obtain cell-site location records without a warrant – for example, to deal with emergencies such as “bomb threats, active shootings, and child abductions.” And in a footnote, he also left open the possibility that law-enforcement officials might not need a warrant to obtain cell-site location records for a shorter period of time than the seven days at issue in Carpenter’s case – which might allow them to get information about where someone was on the day of a crime, for example. But what law-enforcement officials do not have, he wrote in closing, is “unrestricted access to a wireless carrier’s database of” cell-site location information. Justice Anthony Kennedy dissented from today’s ruling, in an opinion that was joined by Alito and Justice Clarence Thomas [starting at pg 28 here]. Alito filed a lengthy dissent, joined by Thomas, in which he stressed that, as originally understood, the Fourth Amendment would not have applied at all to the methods that law-enforcement officials use to obtain documents [starting at pg 72 here]. Thomas also wrote alone to suggest that the court should reconsider its use of the “reasonable expectation of privacy” test, complaining that it “has no basis in the text or history of the Fourth Amendment.” [starting at pg 51 here]. …the most interesting separate dissent of the day came from Justice Neil Gorsuch [starting at pg 99 here], who specifically agreed with what he described as the majority’s “implicit but unmistakable conclusion that the rationale” for the third-party doctrine is wrong. Gorsuch would scrap both the third-party doctrine and the “reasonable expectation of privacy” test and focus instead on whether someone has a property interest (even if not a complete one) in the records at issue. But here, he pointed out, the court does not have any information on this question, because Carpenter didn’t make this argument in the lower courts. [SCOTUSblog and at: Lawfare Blog, DeepLinks Blog (EFF), Inside Privacy (Covington), The Volokh Conspiracy, Ars Technica, The New York Times, CNET and WIRED | Neil Gorsuch Joins Sonia Sotomayor in Questioning the Third-Party Doctrine and at: Cato at Liberty Blog, Hot Air, Slate, Washington Examiner and The Originalism Blog]

US – Eleventh Circuit LabMD Decision Potentially Limits FTC’s Remedial Powers

The Eleventh Circuit has issued its decision in LabMD v. FTC, a closely watched case in which LabMD challenged the FTC’s authority to regulate the data security practices of private companies. The Court of Appeals declined to decide that issue, instead finding that the FTC’s order requiring LabMD to implement certain data security reforms was unenforceable because it lacked specificity. The court’s decision may nevertheless impact many of the FTC’s consent orders. It is not yet clear how the FTC will respond to this decision. The Commission might seek rehearing en banc or appeal the decision to the Supreme Court in order to address some of the questions left unanswered by the Eleventh Circuit’s opinion. If the decision stands, however, it could affect the viability of some of the Commission’s remedial powers. Many of the consent orders that the FTC has required companies to adopt—particularly those involving data security but also some related to other issues—have included broad prophylactic remedies that are similarly premised on a reasonableness standard. [Inside Privacy and at: Ward PLLC Blog, Data Security Law Blog (Patterson Belknap), BNA on Data, Data Privacy Monitor (Baker Hostetler), Mayer Brown, Health IT Security and Law360 | FTC Rebuked in LabMD Case: What’s Next for Data Security?]

US – Federal Appeals Court Throws Out FTC’s LabMD Ruling

A US federal appeals court has thrown out the Federal Trade Commission’s (FTC’s) ruling requiring LabMD to revamp its security policies and practices, saying that the FTC’s order is unenforceable. The FTC filed the complaint against the medical testing company in 2013, following a series of breaches that compromised patient data. LabMD challenged the FTC’s ruling in court on the grounds that the agency lacked the authority to regulate how the company handled consumer data. A federal appeals court granted a stay of the FTC’s order, which LabMD challenged in 2016, filing a petition for review. [files.consumerfinance.gov: Dwolla Consent Order (PDF) | healthitsecurity.com: Court Dismisses FTC Order on LabMD’s Data Security Lapses | media.ca11.uscourts.gov: Petition for Review of a Decision of the FTC]

US – FTC Hitting the Road for Ideas on Privacy & Regulating Tech

The FTC announced plans to embark on a cross-country listening tour to gauge how academics and average Web users believe the U.S. government should address digital-age challenges that include the rise of artificial intelligence and the data-collection mishaps [see PR here]. The tour includes 15 or more public sessions in a series of cities that have yet to be announced. The hearings are expected to touch on topics like the agency’s “remedial authority” to address privacy and security abuses, the potential risks posed by big data, and the commission’s tools to enforce antitrust laws as media, tech and telecom companies gobble each other up or seek to enter new lines of business [see comments topics here]. The public outreach will begin in September and continue into January 2019, the agency said. It could presage tougher scrutiny of Silicon Valley in response to complaints that the FTC has been too soft on tech giants and the ways they collect, swap and manipulate personal information about billions of people. [The Washington Post and at: The Hour, The Hill, Multichannel News, USA Today and The National Law Journal]

US – Court Rules No Privacy for Cellphone With 1-2-3-4 Passcode

A man serving 18 years in prison in South Carolina for burglary was rightfully convicted in part because he left his cellphone at the crime scene and a detective guessed his passcode as 1-2-3-4 instead of getting a warrant, the state Supreme Court ruled. Lawyers for Lamar Brown argued detectives in Charleston violated Brown’s right to privacy by searching his phone without a warrant. After storing the cellphone in an evidence locker for six days in December 2011, the detective guessed right on Brown’s easy passcode, found a contact named “grandma” and was able to work his way back to Brown. The justices ruled in a 4-1 decision that Brown abandoned his phone at the Charleston home and made no effort to find it. The law allows police to look at abandoned property without a court-issued warrant allowing a search. The Associated Press

US – Amazon, Microsoft, Uber Oppose California Consumer Privacy Act

Amazon, Microsoft, and Uber have made large contributions to a group attempting to prevent a privacy act from becoming law in California. As per state disclosure records, the three tech giants join a number of other well-known companies, including Facebook, Google, AT&T, and Verizon, which are all working against the proposed California Consumer Privacy Act by donating to the Committee to Protect California Jobs (CPCJ). Amazon and Microsoft recently donated $195,000 each to the Committee, while Uber has offered up $50,000. Facebook, Google, AT&T, and Verizon, on the other hand, have all contributed $200,000, though after Mark Zuckerberg faced tough questions from Congress about Facebook’s privacy practices, Facebook has pledged to withdraw support from the group. According to CPCJ spokesperson Steven Maviglio, tech giants are not the only ones opposed to the legislation … “Credit unions, grocers, and car manufacturers are among the many recent additions to the coalition and are the top of the iceberg” [Digital Trends and at: engadget, Techwire, The Verge, PYMNTS, Morgan Lewis Law Flash, Bloomberg BNA and Media Post]

RFID / IoT

US – Build Privacy Controls Into IoT Devices Now: Report

Limiting the cyber security risks of Internet of Things devices has long been a plea by experts. But lawmakers, regulators and manufacturers need to pay equal attention to sealing off the privacy risks of sharing data through so-called smart devices, according to a new report from the University of California’s Center for Long-Term Cybersecurity and the IoT Privacy Forum. Policymakers should take steps to regulate the privacy effects of the IoT before mass sensor data collection becomes ubiquitous, rather than after, the authors say. Omnibus privacy legislation can help regulate how data is handled in the grey areas between sectors and contexts. At the same time makers of IoT products and services should employ a variety of standard measures to provide greater user management and control, as well as more effective notification about how personal data is captured, stored, analyzed, and shared. “The IoT has the potential to diminish the sanctity of spaces that have long been considered private, and could have a ‘chilling effect’ as people grow aware of the risk of surveillance,” the report says. “Yet the same methods of privacy preservation that work in the online world are not always practical or appropriate for the personal types of data collection that the IoT enables.” [Clearly Opaque: Privacy Risks of the Internet of Things | IT World Canada]

US – Cybersecurity: Advocates Push For Internet of Things Standards

EPIC responded to the Consumer Product Safety Commission’s request for comments on potential safety issues and hazards associated with internet-connected consumer products. The Consumer Product Safety Commission should develop mandatory privacy and security standards (e.g. certification before devices can be sold, vulnerability disclosure policies, system outage resiliency, mechanisms for consumers to delete their data), require IoT manufacturers to conduct PIAs (to examine data flows and flag potential hazards), and remove products from the marketplace where baseline requirements are not implemented. [Comments of EPIC to the Consumer Product Safety Commission on IoT and Consumer Product Hazards]

US – MIT Frequency Hopping Transmitter Could Help Secure IoT

Researchers at MIT have developed technology that could be used to help secure Internet of Things (IoT) devices. A frequency-hopping transmitter scatters data packets onto different, random radio frequency channels. [Eurekalert.org: Novel transmitter protects wireless devices from hackers | SC Magazine.com: MIT researchers develop frequency-hopping transmitter that fends off attackers | v3.co.uk: MIT researchers develop transmitter to prevent hackers from attacking IoT devices]

Security

CA – Businesses Unprepared for Mobile Workplace Data Breaches: Study

While Canadian businesses are continuing to embrace workplace mobility, they aren’t implementing proper data protection policies and training, according to new findings from the Shred-it Security Tracker [see PR here & report here]. The study, conducted by Ipsos, found that nearly 90 percent of C-Suite Executives (C-Suites) and half of Small Business Owners (SBOs) reported their employees are able to work off-site in some capacity. Further, more than two-thirds of businesses said they believe that the trend towards working remotely will only increase over the next five years. That said, 82 percent of C-Suites and 63 percent of SBOs said they feel that they are more susceptible to data breaches when employees work off-site. …Additionally, Shred-it found that out of all age groups, millennials (18-34) are less effective at implementing safe data protection practices than generation X (35-55) and baby boomers (55+). [MobileSyrup]

WW – 86% of CXOs Say Remote Workers Increase Chances of Breach

The majority of C-Suite executives and small business owners (SBOs) agree cyber security risks increase with remote workers, according to Shred-it’s State of the Industry Report, released Wednesday [see here]. Shred-it’s report unveils information security risks currently threatening businesses and features survey results conducted by Ipsos. When studying the cause of cybersecurity breaches, 47% of CXOs and 42% of SBOs cited accidental loss or employee negligence as the top reason, according to the report. “The study’s findings clearly show that seemingly small habits can pose great security risk and add up to large financial, reputational and legal risks,” said Shred-it vice president Monu Kalsi in the press release [see here]. The report found 86% of business executives agreed data breaches are more likely to occur when employees are working out of office. While CXOs do have security plans in place for these occurrences, only 35% of SBOs currently have a policy for storing or deleting confidential data remotely, and 54% of SBOs have no policy whatsoever, said the report. [TechRepublic and at: CNBC, Infosecurity Magazine and Insurance Business]

Surveillance

EU – 60 NGOs Join Call to Halt Mandatory Communications Data Collection

UK-based Privacy International, Liberty, and Open Rights Group have joined more than 60 non-governmental organisations, community groups and academics across Europe in calling for a halt to the collection of communications data [see 4 pg PDF letter here]. The groups have filed complaints to the European Commission calling for EU governments to stop requiring companies to store all communications data. Despite the two major rulings by the CJEU in 2014 and 2016, which made blanket and indiscriminate retention of personal data unlawful, the groups said the majority of EU member states have yet to stop this form of surveillance. The groups say it is clear that current data retention regimes in Europe violate the right to privacy and other fundamental human rights. Complaints have been filed in 11 EU member states: Belgium, the Czech Republic, France, Germany, Ireland, Italy, Poland, Portugal, Spain, Sweden and the UK. [Computer Weekly and at: Infosecurity Magazine, Forbes, The Register]

CN – China to Mandate Car-Tracking Chips from 2019: Report

Tracking devices will soon be fitted to cars registered in China [ostensibly] in an effort to tackle the country’s notorious congestion and pollution problem. Starting in July the country will begin fitting cars with radio-frequency identification (RFID) tags at registration time. Although the scheme won’t be compulsory at first, it looks likely it will become mandatory for new cars starting from 2019. The program will be run by the Traffic Management Research Institute, which is part of the country’s Ministry of Public Security. This has raised fears it could be another plank in the country’s growing surveillance apparatus, which includes the recently-introduced social credit scheme and more widespread use of facial recognition technology. [CarAdvice and at: The Wall Street Journal, The Verge, BusinessInsider, Futurism and SiliconANGLE News]

Telecom / TV

US – Verizon, AT&T to End Location Data Sales to Brokers

Verizon and AT&T have pledged to stop providing information on phone owners’ locations to data brokers, stepping back from a business practice that has drawn criticism for endangering privacy. The data has apparently allowed outside companies to pinpoint the location of wireless devices without their owners’ knowledge or consent. Verizon said that about 75 companies have been obtaining its customer data from two little-known California-based brokers that Verizon supplies directly — LocationSmart and Zumigo. Verizon became the first major carrier to declare it would end sales of such data to brokers that then provide it to others. It did so in a June 15 letter to Sen. Ron Wyden, an Oregon Democrat who has been probing the phone location-tracking market. AT&T followed suit Tuesday after The Associated Press reported the Verizon move. Neither company said they are getting out of the business of selling location data. Verizon and AT&T are the two largest U.S. mobile carriers in terms of subscribers. [KSFY and at: CNET, Ars Technica and TechCrunch and also CBC – US Phone Companies Limit Sharing Of Location Data, While Canadian Carriers Insist They Already Do]

US Government Programs

US – NSA Deletes Hundreds of Millions of Call Records Over Privacy Violations

The NSA unfortunately has a long history of violating privacy rules, although this time the agency might not be entirely to blame. The NSA is deleting hundreds of millions of call and text message data records (collected since 2015) after learning of “technical irregularities” that led to receiving records it wasn’t supposed to obtain under the USA Freedom Act. General counsel Glenn Gerstell said in an interview that “one or more” unnamed telecoms had responded to data requests for targets by sending logs that included not just the relevant data, but records for people who hadn’t been in contact with the targets. As it was “infeasible” to comb through all the data and find just the authorized data, the NSA decided to wipe everything. The deletions began on May 23rd. It’s not certain when the purge ends, but this is all metadata, not the content of the calls and messages themselves. A spokesperson also told the NYT that it didn’t include location data, as the Freedom Act doesn’t allow gathering that information under this collection system. The companies involved have “addressed” the cause of the problem for data going forward, the NSA said. While the step shows that the NSA is willing to err on the side of caution, it continues a streak of privacy violations at the agency since its bulk phone data collection fell under the Foreign Intelligence Surveillance Act in 2004. It also illustrates the problem with keeping such large-scale monitoring in check. The system depends on both the NSA and telecoms strictly honoring the law, and all it takes is a mistake to create a serious privacy breach. [Engadget | The NSA and the USA Freedom Act and at: CSO Online, The Verge, The New York Times, The Associated Press, Tech Republic, and GIZMODO]

US Legislation

US – Legislation: California Enacts Comprehensive Privacy Rules

AB 375, the California Consumer Privacy Act of 2018, has been approved by the Legislature and signed by the Governor. Effective January 1, 2020, organizations must comply with individual requests to provide categories of personal information collected and shared, stop selling personal information (services cannot be refused and prices cannot be increased as a result), delete personal information, and provide their information in a portable format; the Attorney General can impose civil penalties for violations and there is a private right of action for breaches resulting from reckless behavior. [AB 375 – The California Consumer Privacy Act of 2018 – State of California]

US – California Data Privacy Bill Becomes Law

California Governor Jerry Brown has signed the California Consumer Privacy Act of 2018. Taking effect on January 1, 2020, the law will give California residents the right to know what data companies collect about them and how that information is shared. Consumers will also have the authority to prohibit companies from selling their data. The bill bears similarities to the EU’s GDPR, which went into effect in late May. The bill’s passage has prompted the withdrawal of a state ballot initiative that would have accomplished many of the same things. One of the differences is that the ballot initiative would have prohibited companies from denying services to consumers who choose not to have their data stored and tracked; the bill allows companies to charge consumers varying rates for service depending on the level of data sharing they have chosen. [Wired: California Unanimously Passes Historic Privacy Bill | money.com: California passes strictest online privacy law in the country | Fortune: California Passes Groundbreaking Consumer Data Privacy Law With Fines for Violations | Mercury News: California data privacy bill signed to head off ballot initiative]

+++

 

20 May–09 June 2018

Biometrics

CA – Canada Will Make Foreign Visitors Pay for Biometrics Collection

Details have emerged about the expansion of a program for collecting fingerprints and facial images from foreign nationals visiting Canada. The program previously applied only to refugee claimants, asylum seekers, and visa applicants from countries considered to present a heightened risk of ID document fraud. The previously announced expansion from 30 to roughly 150 countries will strengthen border security and immigration systems, Immigration Minister Ahmed Hussen said. Applicants will have to pay a CAD$85 fee to cover the cost of the program. It will apply to visitors from Europe, the Middle East, and Africa as of July 31, and to those from Asia, the Asia-Pacific region, and the Americas as of December 31. It only applies to those between 14 and 79 years old, and there are several exemptions, such as for U.S. citizens on work or student visas. [Biometrics Update and at: Digital Journal, CBC News, Business in Vancouver and One World Identity and also U of T researchers developing tool to jam facial recognition software and at Naked Security, The Toronto Star and Digital Journal]

US – Facial Recognition Product Should Not Be Sold to Government

A coalition of consumer and privacy advocacy, labor and legal groups wrote to Amazon.com about its Rekognition product. Amazon is providing product and consultation support to government customers for its Rekognition product, which can identify people in real-time by instantaneously searching databases containing tens of millions of faces; privacy advocates are concerned that Amazon does not restrict government use of the product, which could be used to identify certain vulnerable groups and minorities. [Letter to Amazon.com Regarding Rekognition – American Civil Liberties Union et al.]

US – JetBlue Will Test Facial Recognition for Boarding

JetBlue will test facial-recognition check-in for flights from Boston to Aruba, the latest attempt by the industry to streamline boarding. Passengers will step up to a camera, and the kiosk will compare the facial scan to passport photos in the U.S. customs database to confirm the match. (You still have to bring your passport.) A screen above the camera will let passengers know when they’re cleared to board. JetBlue is collaborating on the technology with SITA, a tech company that specializes in air travel, including products like robotic check-in kiosks that autonomously rove around airports, sensing where they are needed. JetBlue says it will be the first airline to use facial recognition for boarding. The airline says it won’t have access to the photos — only SITA will. SITA said it will not store the photos. Delta Air Lines plans to test face-scanning technology with four kiosks at Minneapolis-St. Paul this summer for passengers to check their own luggage. [CNN Tech]

Canada

CA – Privacy Commissioners Offer Best Practices on Meaningful Consent

The Office of the Privacy Commissioner of Canada and the Alberta and British Columbia Privacy Commissioners have issued final guidance on obtaining meaningful consent based on: PIPEDA; the Alberta Personal Information Protection Act; and the British Columbia Personal Information Protection Act. The OPC will begin applying these guidelines on January 1, 2019. Consent should be a dynamic, ongoing process (through regularly updated FAQs, smart technologies, and chatbots), innovative consent processes should be used (just-in-time, interactive walkthroughs, videos, infographics), and individuals should be periodically reminded about their privacy options; consent is not a free pass to engage in indiscriminate collection and use, and does not waive other privacy obligations (i.e. accountability, safeguards). [OPC Canada – Guidelines for Obtaining Meaningful Consent]

CA – OPC Issues Guidelines for Consent and Inappropriate Data Practices

On May 24, 2018, the OPC published two important PIPEDA guidance documents:

The publication of the above guidance documents comes on the heels of the Commissioner’s consultation on consent and the recent updating of guidance on “Recording of Customer Telephone Calls”.

The Consent Guidelines provide that organizations should follow seven key principles in seeking to obtain meaningful consent under PIPEDA:

  1. Emphasize key notice elements – this contributes to meaningful consent, especially:
    1. What personal information is being collected, used and disclosed:
    2. The purpose for which the information is being collected, used or disclosed:
    3. Information-sharing with third parties:
    4. Whether there is a risk of harm arising from the collection, use or disclosure of information:
  2. Use layered approach to notices – allow individuals to control the level of detail
  3. Provide individuals with clear options to say ‘yes’ or ‘no’
  4. Experiment and adapt to contextual needs
  5. Consider the individual’s perspective – consult and test
  6. Make consent a dynamic and ongoing process
  7. Be accountable: stand ready to demonstrate compliance

The Guideline also reminds organizations to consider what type of consent is appropriate given the circumstances. While in some situations implied consent may be adequate, others will require express consent, including: (a) when the information being collected, used or disclosed is sensitive in nature; (b) when an individual would not reasonably expect certain information to be collected, used or disclosed given the circumstances, and (c) when there is a more than minimal risk of significant harm.

Another contextual factor is whether the target individuals include children. The OPC requires that, for children 13 and under, a parent or guardian give consent on the child’s behalf.

At the conclusion of the Consent Guidelines, the Commissioner provides a checklist of “Should do” and “Must do” action items for organizations seeking to obtain meaningful consent under PIPEDA.

Concurrently with publishing the Guidelines, the Commissioner published the Data Practices Guidance, which sets out various considerations that organizations should keep in mind when assessing whether purposes are reasonable and appropriate. Like meaningful consent, whether or not a purpose is inappropriate requires a contextual approach. The following factors have been applied by the Commissioner and the courts:

  • Whether the organization’s purpose represents a legitimate need / bona fide business interest;
  • Whether the collection, use and disclosure would be effective in meeting the organization’s need;
  • Whether there are less invasive means of achieving the same ends at comparable cost and with comparable benefits; and
  • Whether the loss of privacy is proportional to the benefits (which includes consideration of the degree of sensitivity of the personal information at issue).

The Commissioner has also established a list of prohibited purposes under PIPEDA, which they have deemed “No-Go Zones.” The Commissioner considers that a reasonable person would not consider the collection, use or disclosure of information to be appropriate in these circumstances. Currently, the “No-Go Zones” are:

  • Collection, use or disclosure that is otherwise unlawful (e.g. violation of another law);
  • Collection, use or disclosure that leads to profiling or categorization that is unfair, unethical or discriminatory in a way which is contrary to human rights law;
  • Collection, use or disclosure for purposes that are known or likely (on a balance of probabilities) to cause significant harm to the individual (e.g. bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on credit record or damage to or loss of property);
  • Publishing personal information with the intended purpose of charging individuals for its removal (i.e. “blackmail”);
  • Requiring passwords to social media accounts for the purpose of employee screening; and
  • Surveillance by an organization through the use of electronic means (e.g. keylogging) or audio or video functionality of the individual’s own device.

While these “No-Go Zones” are important to note, organizations should also remember that the list is not binding, determinative or exhaustive, and that subsection 5(3) requires a contextual analysis. What a reasonable person would consider appropriate is a flexible and evolving concept which will be revisited by the Commissioner from time to time. [Fasken Martineau DuMoulin LLP] See also: The OPC Publishes its Report on Consent | Canadian firms must improve personal data collection practices: Privacy czar | Canada’s Privacy Commissioner Pursues a Stronger Consent Framework and More Proactive Enforcement | Commissioner: Digital revolution and Canadians’ privacy fears demand real solutions | Do customers really consent to how you use their data? Federal privacy commissioner wants to know

CA – CSIS Kept ‘All’ Metadata on Third Parties for a Decade: Top Secret Memo

When CSIS intercepted the communications of innocent people between 2006 and 2016 “all” the metadata related to those communications was retained in a controversial database, a top secret memo obtained by the Star suggests. The document relates to CSIS’s Operational Data Analysis Centre (ODAC) and a now-discontinued program that stored data intercepted from the service’s targets — and people who were in contact with them at the time. The Federal Court ruled in 2016 it was illegal for the service to indefinitely keep data on people who posed no threat to Canada’s national security — such as the family, friends or coworkers of CSIS targets — for future analysis. While the basics of the program were revealed in heavily censored court documents, the scale of the program is not widely understood. CSIS told parliamentarians earlier this year that it didn’t know how many Canadians were caught up in the ODAC. But in an October 2016 memo to Public Safety Minister Ralph Goodale, outgoing CSIS director Michel Coulombe suggested the court’s ruling would have a significant impact… [Toronto Star]

CA – Journalist Shield Law Could Soon Become Reality in Canada

The federal Liberal government is prepared to support proposed legislation to protect the identity of journalists’ confidential sources. The government will back a Conservative senator’s privately sponsored bill that would, for the first time in Canada, provide statutory protection for the identity of journalists’ sources. The bill, The Journalistic Sources Protection Act, S-231, would make it harder for police and other law enforcement or security agencies to spy on journalists’ communications or to seize documents that could reveal their sources. It would also make it harder for the cops to use whatever information is seized or captured by warranted surveillance. The Liberals will propose a handful of technical amendments to address “legal and policy concerns” with the bill as drafted. The amendments are intended to ensure that journalistic source protections would not interfere with the ability of law enforcement or security agencies to act in urgent or emergency situations “particularly in a national security context.” The amendments would also ensure that the protection extends to the sources, not to a reporter as an individual if he or she was the object of a criminal investigation. “Without that amendment there would be a risk that the search warrant against journalists who themselves commit crimes would be improperly invalidated.” It’s unusual for governments to back private member’s bills, let alone a senator’s bill and an opposition one at that. [The Star]

CA – Ontario Bill Requires Written Tenant Notice

Bill 45, An Act to Amend the Residential Tenancies Act, 2016 with respect to Tenant Privacy, had its first reading in the Legislative Assembly of Ontario. If passed, tenants must receive 48-hour written notice from landlords, brokers and salespersons to take photos or visual records of rental units; the notice must set out which area will be photographed or recorded, the purpose, the date and time this will take place, and how long the photo or record will be used and retained. [Bill 45 – Residential Tenancies Amendment Act (Tenant Privacy) 2018 – Legislative Assembly of Ontario]

CA – OIPC ON Finds Problematic School Photo Processing

The IPC ON decision addresses a privacy complaint about the Toronto District School Board pursuant to the Municipal Freedom of Information and Protection of Privacy Act. A school’s collection and use of student photos and disclosure to a vendor is lawful for administrative/security purposes, and authorized by provincial education law; however, the notice of photo day to parents was not sufficiently transparent (it lacked the school’s authority for collection, purpose of the photos and a school/Board contact), and the Board’s service agreement with the vendor requires amending to address retention and security for students’ PI. [IPC ON – Privacy Complaint Report MC16-4 – Toronto District School Board]

CA – OIPC SK Recommends Employee Termination for Insider Threats

The OIPC SK investigates a complaint against the Saskatchewan Health Authority involving personal health information pursuant to the Health Information Protection Act. The employee intentionally accessed the PHI of 880 individuals without a business purpose (including co-workers, clients, and relatives); the health entity conducted an extensive audit of the employee’s actions in its electronic database, interviewed the employee and their current and previous manager, and plans to continue staff education regarding privacy and confidentiality of PHI. [OIPC SK – Investigation Report 284-2017 – Saskatchewan Health Authority]

CA – OIPC SK Finds University Appropriately Handled Breach

The OIPC SK investigates a breach by the University of Regina pursuant to the Local Authority Freedom of Information and Protection of Privacy Act. After a hacker accessed the student grading system to alter the grades of 31 students, the University reset account credentials and passwords, and conducted a thorough analysis of suspicious system activity; recommendations include enforcing changes to default passwords, conducting random system audits and notifying affected individuals of all compromised PI. [OIPC SK – Investigation Report 260-2017 – University of Regina]

CA – OIPC SK Formalizes Proactive Breach Reporting

The OIPC SK has issued guidance on voluntary breach reporting. Public bodies are encouraged to proactively report breaches to the OIPC, which can provide expert guidance on what to consider, what questions to ask and what parts of legislation may be applicable; the OIPC will issue a formal report, which may include recommendations, if a breach is egregious or affects a large number of individuals or an individual makes a formal complaint. [OIPC SK – Proactively Reporting Breaches to the IPC]

CA – Canadians ‘Reluctant’ to Accept New Police Powers, Prefer Privacy Online, Government Finds

Last fall, the government asked Canadians to weigh in on the future of the country’s national security legislation. It was, in part, a response to outcry over elements of the controversial anti-terrorism Bill C-51, parts of which the Liberal government has promised to repeal. A report summarizing the results of the consultation was released, with one topic in particular drawing considerable attention: what sort of powers should law enforcement and intelligence agencies have when investigating crimes in the digital world? Police have called for warrantless access to basic subscriber information, arguing that it is too difficult to obtain from telecom companies in a timely manner, and said that encrypted communications have made their investigations more difficult. There have also long been calls for so-called lawful access legislation — a legal requirement that all telecommunications providers install interception equipment on their networks — and a requirement that phone and internet companies retain certain types of data to assist police in criminal investigations.

But it seems that Canadians — at least, those that participated in the government’s consultation — generally disagree. “Most participants in these Consultations have opted to err on the side of protecting individual rights and freedoms rather than granting additional powers to national security agencies and law enforcement, even with enhanced transparency and independent oversight,” the report reads. “The thrust of the report suggests that there’s significant appetite for reform,” said Craig Forcese, a law professor at the University of Ottawa who has written extensively on Bill C-51 — in particular, “a significant appetite for limiting state power in terms of the sorts of powers that security services have.” Some numbers:

  • 70% consider basic subscriber information — that is, metadata such as name, home address, phone number, and email address — to be as private as the content of their communications (law enforcement disagree).
  • 48% said basic subscriber information “should only be provided in ‘limited circumstances’ and with judicial approval” — similar to what is currently required.
  • 68% believed that “law enforcement should operate the same in both the physical and the digital worlds” with regards to privacy rights, due process, and how warrants are granted and scrutinized.
  • More than 80% of respondents believed that “the expectation of privacy in the digital world is the same as or higher than in the physical world.”
  • 78% opposed a law mandating telecom companies maintain interception capabilities.
  • Most of the online respondents and organizations consulted opposed implementing backdoors in encryption, while law enforcement believed they should have “the tools they need to access the communications of those who use secure communications technologies for criminal purposes”.
  • 68% opposed a legal requirement for telecom companies to retain user data.
  • 44% were against giving law enforcement and intelligence agencies updated tools, while 41% supported the idea given proper justification and oversight. [CBC News]

Consumer

CA – Privacy a Make-or-Break Issue for Cannabis Users and Retailers: Report

As cannabis legalization approaches, Canadian consumers say cybersecurity tops the list of “must-haves” in a legal market, according to a new report from Deloitte [see PR here & report here]. The report, which looks at a wide range of consumer behaviours and preferences related to the cannabis market, shows one-third of cannabis consumers would prefer to purchase pot online. Assurances of online privacy are cited as their No. 1 concern. The Deloitte report suggests this landscape of uncertainty regarding how cannabis use will affect employment is at least partly behind consumers’ concerns for privacy protection. The report also notes that even in-store pot buyers “will be sharing personal information with retailers, such as allowing their ID to be scanned at point-of-sale terminals and their image captured on security cameras.” Cybersecurity will therefore be as much of a concern for brick and mortar retailers as for online operations. [The Star and at: Global News, CBC News and Sault Online]

US – How Americans Have Viewed Government Surveillance and Privacy Since Snowden Leaks

Five years ago, news organizations broke stories about federal government surveillance of phone calls and electronic communications of U.S. and foreign citizens, based on classified documents leaked by then-National Security Agency contractor Edward Snowden. The initial stories and subsequent coverage sparked a global debate about surveillance practices, data privacy and leaks. Here are some key findings about Americans’ views of government information-gathering and surveillance, drawn from Pew Research Center surveys since the NSA revelations:

1)   Americans were divided about the impact of the leaks immediately following Snowden’s disclosures, but a majority said the government should prosecute the leaker;

2)   Americans became somewhat more disapproving of the government surveillance program itself in the ensuing months, even after then-President Barack Obama outlined changes to NSA data collection;

3)   Disclosures about government surveillance prompted some Americans to change the way they use technology;

4)   Americans broadly found it acceptable for the government to monitor certain people, but not U.S. citizens, according to the 2014-15 survey;

5)   About half of Americans (52%) expressed worry about surveillance programs in 2014 and 2015, but they had more muted concerns about surveillance of their own data;

6)   The vast majority of Americans (93%) said that being in control of who can get information about them is important, according to a 2015 report;

7)   Some 49% said in 2016 that they were not confident in the federal government’s ability to protect their data; and

8)   Roughly half of Americans (49%) said their personal data were less secure compared with five years prior, according to the 2016 survey.

[PEW Research and at: The Guardian here & here, South China Morning Post, The Associated Press, Lawfare Blog and The Australian Financial Review]

E-Government

CA – Conservative Party Takes Disciplinary Action After Membership List Shared

The Conservative party is demanding that the National Firearms Association destroy a party membership list that it appears to have illicitly obtained from one of the camps in the recent leadership contest. “We are aware that our members are being contacted by an outside organization,” the party said in a Facebook post. “We will be issuing a cease-and-desist letter to the organization in question, demanding that they destroy the list.” The party did not identify the outside organization but the post came after numerous Conservatives complained through social media that they’d received a letter this week from the National Firearms Association, seeking a donation. They suspected that the association had obtained their names and addresses from the party membership list, distributed to each of the 14 candidates during the leadership race, which concluded last weekend with the election of Andrew Scheer. [The Canadian Press]

US – FireEye Report: State Election Systems at Risk

A report from FireEye titled “Attacking the Ballot Box” notes that “state and local election infrastructure is increasingly at risk for targeting by a range of threat actors, in particular state-sponsored cyber espionage actors.” The report examines threats to electronic voter registration, state elections websites, voting machines, and election management systems. [www.scmagazine.com: State elections systems still hackable, report | www.bloomberg.com: State Election Systems Increasingly at Risk for Cyberattacks, FireEye Says | media.scmagazine.com: Attacking the Ballot Box: Threats to Election Systems]

E-Mail

CA – Government Suspends CASL Private Right of Action

The Government of Canada published an Order in Council suspending the implementation of the private right of action under Canada’s Anti-Spam Legislation (CASL). The rest of CASL remains in force: July 1, 2017 still marks the end of the special transition rule for implied consent to receive CEMs, and CASL contraventions continue to be subject to regulatory enforcement and potentially severe administrative monetary penalties.

  • CASL’s private right of action, which was scheduled to come into force on July 1, 2017, allows any individual or organization affected by a CASL contravention to sue the persons who committed the contravention or are otherwise liable for the contravention and seek: (1) compensation for actual loss, damage and expense suffered or incurred by the applicant; and (2) statutory (non-compensatory) damages of up to $200 for each contravention and $1,000,000 for each day on which the contravention occurred. It was generally expected that CASL’s private right of action would be invoked to support class actions seeking large statutory damages awards on behalf of large groups of individuals affected by unlawful CEM campaigns.
  • Order in Council P.C. 2017-0580, dated June 2, 2017, indefinitely suspends the effective date of the private right of action. The Precis for the Order in Council explains that the purpose of the Order is to delay the coming into force date of the private right of action “in order to promote legal certainty for numerous stakeholders claiming to experience difficulties in interpreting several provisions of the Act while being exposed to litigation risk”.
  • The Government’s News Release explains that the private right of action is being suspended “in response to broad-based concerns raised by businesses, charities and the not-for-profit sector”, who should “not have to bear the burden of unnecessary red tape and costs to comply with the legislation”. The News Release includes the following statement by the Minister of Innovation, Science and Economic Development. [Mondaq]

EU Developments

EU – EDPB Adopts Art. 29 Working Papers

With the GDPR having come into force, the EDPB [The European Data Protection Board — made up of representatives of national data protection authorities across the EU and the European data protection supervisor] thus replaces the Art. 29 Data Protection Working Party. At its first constituent meeting on 25 May 2018, the EDPB confirmed many of the previous positions of Art. 29 Group [see overview of the position papers adopted here]. Many of the interpretations of the GDPR published first by the Art. 29 Group and now endorsed by the EDPB are regarded as excessively strict by many data protection practitioners. The positions of the EDPB are recommendations for the practical application of the GDPR. They have no binding effect for courts. However, it is to be expected that courts may very well take the EDPB’s requirements into account when applying and interpreting the GDPR. [HLDA Data Protection]

EU – EDPB Issues Criteria for Certification Mechanisms

The EU Data Protection Board identified overarching criteria relevant to certification mechanisms under the GDPR. Certification criteria should clearly describe the scope of processing operations, allow for practical application, allow for application to different types and sizes of organisations, and should take GDPR principles into account (lawfulness, data subjects’ rights, DPIAs, breach notification obligations); existing technical standards can be leveraged (however consider that they are not typically aimed at data protection), and use cases should be provided to allow for compliance assessments. [EDPB – Guidelines on Certification and Identifying Certification Criteria in Accordance with Articles 42 and 43 of the GDPR]

EU – European Commission Proposes Draft Whistleblowing Directive

On 23 April 2018, the European Commission published a proposal for a Directive on the protection of whistleblowers reporting on breaches of EU law, accompanied by an explanatory memorandum [see relevant docs here also see 44 pg PDF text here & 10 pg PDF Annex here]. The intention behind the proposal is to harmonise the minimum level of protection available to whistleblowers across the EU. The draft Directive applies to reports of breaches across a wide range of EU areas of law, including the protection of privacy and personal data, and security of network and information. The proposal is open for feedback via the Commission’s Have Your Say website until 20 June 2018, although this deadline will be extended to allow further opportunities for public consultation. The draft Directive is pending adoption by the European Parliament and Council, and it is anticipated to become applicable in 2021. [Tech Law Dispatch and at: Kramer Levin Perspectives]

UK – ICO Issues GDPR Guidance Documents:

——-   Right to Data Portability

The right only applies when the lawful basis for processing data is consent or for the performance of a contract, and processing is carried out by automated means; pseudonymous data that can be clearly linked to the individual should be included in the response, and controllers are only responsible for the secure and accurate transmission of the data (not for subsequent processing after transmission). [ICO UK – Right to Data Portability]

——-   Codes of Conduct

An organisation can sign up to a code of conduct relevant to its data processing activities or sector (an extension or an amendment to a current code or a brand new code); compliance with such a code can assist the organisation to mitigate against enforcement action (adherence to a code of conduct serves as a mitigating factor). [ICO UK – Codes of Conduct]

——-   High Risk Processing – Data Protection Impact Assessments

Final guidance on data protection impact assessments. Personal data processing requiring DPIAs – intelligent transport systems, dating websites, market research involving neuro-measurement, contract pre-check processes, social media networks, list brokering, wealth profiling, re-use of publicly available data, and eye tracking; consider risks to individual rights and freedoms (inability to access services or exercise rights, identity theft or fraud), and identify mitigating measures (reducing retention periods or processing scope, anonymisation, human review of automated decisions). [ICO UK – GDPR DPIAs]

——-   Transparency

Final guidance on the right to be informed. Conduct data audits and mapping to determine what personal data is held, any data sharing, sources of the data, and retention periods (to ensure drafted policies capture all processing activities), conduct user testing to get feedback on the transparency of policies, provide individuals with the organisation’s privacy policy where data is bought, and be upfront about AI use, including the processing purpose, any new uses of personal data, and automated decisions with legal or significant effect. [ICO UK – Right to be Informed]

——-   Children’s Data Processing

Draft guidance on processing of children’s personal information. A consultation document was previously issued in January 2018. Children should not be subjected to automated decisions with legal or significant effect (unless for performance of a contract, authorised by law, or based on explicit consent), consent can be used as a legal basis only where the child understands what they are consenting to, and borderline data subjects’ requests should be assessed based on the child’s level of maturity, nature of personal data, and any detriments to the child if parents or guardians can or cannot access their data. [ICO – Children and the GDPR Guidance]

UK – ICO to Fund Research into Big Data, Blockchain, Emerging Tech

The UK’s data watchdog is offering up to £100,000 for projects looking at how emergent tech affects information rights, saying that practical research “needs a stronger voice”. As survey after survey shows declining public trust in the use of their data and the government plans to slurp even more, the UK ICO has decided to fund a research programme. Launched last month, the ICO will award a yet-to-be-decided number of projects between £20,000 and £100,000 (out of a total annual budget of £250,000) to assess the privacy implications of new technologies, and come up with ways to address them. Commissioner Elizabeth Denham said that it was “designed to give practical research and policy a stronger voice in this evolution” of information rights. It is linked to the watchdog’s April 2017 Information Rights Strategic Plan, which sets out five priorities for the organisation, including increasing its leadership and influence as well as working to increase public trust and create a “culture of accountability”. Research projects would last for up to a year, the ICO said, adding that it was particularly interested in work on emerging technologies, such as big data, artificial intelligence, machine learning, social scoring and blockchain. The ICO is also working to build up its technology capacity – it recently hired a CTO and its April Information Rights Strategic Plan lists “staying relevant” and “keeping abreast of evolving technology” as one of its priorities. [The Register]

UK – Study Indicates Widespread Use and Disclosure of Student Data

A UK advocacy group released findings from its review of children’s privacy and data protection in education pursuant to the GDPR. Prior to age 10, most students’ personal data is sent to over 10 commercial companies without parents’ knowledge (data is then often forwarded to app and platform partner affiliates who use it for profiling or marketing purposes), submitted over 25 times in national school censuses and tests (which is fed into a national database for perpetual re-use), and given away to data analytics researchers. [The State of Data 2018 – defenddigitalme.com]

FOI

CA – Federal Information Commissioner Issues 2016−2017 Annual Report

Suzanne Legault tabled her 2016–2017 Annual Report in Parliament. The year began on a positive note for access to information and transparency with many constructive advancements and a promise by the government to reform the Access to Information Act. As the year drew to a close, Commissioner Legault says there is “a shadow of disinterest on behalf of the government.” Several investigations illustrate longstanding deficiencies with the Act, which include the deletion of emails subject to a request, difficulties accessing documents in a minister’s office, failure to document decisions, and lengthy delays to obtain information. Commissioner Legault says “our investigations highlight that the Act continues to be used as a shield against transparency and is failing to meet its policy objective to foster accountability and trust in our government. The Act urgently needs to be updated to ensure that Canadians’ access rights are respected. A lot of work needs to be done before this government delivers on its transparency promises.” [Newswire]

US – Facebook Complied with Over 70% of Government Requests

Facebook reported on government requests for user data between July and December 2017. A total of 82,341 requests were received between July and December of 2017 from government agencies for disclosure of account or user information (through legal process or for emergency purposes); the US had the highest number of total requests, followed by India and the UK, while Canada had the highest percentage of emergency requests (50.7%). [Government Requests for User Data – July to December 2017 – Facebook]

Health / Medical

US – State Strengthens Health Records Privacy in Discrimination Lawsuits

A Washington state law (SB 6027) set to take effect June 7 limits the use of medical and mental health records in discrimination lawsuits, strengthening patient privacy rights. Employment discrimination attorney Beth Touschner said that the new law prohibits private therapy sessions of plaintiffs from being used in court. Touschner said that defense attorneys had previously been able to use discovery to obtain medical and mental health records that had nothing to do with the alleged discrimination. Jeff James, a lawyer who defends private-sector employers, argued that there are legitimate reasons for introducing medical records into discrimination lawsuits, such as challenging the cause or magnitude of alleged damages. Under the new law, defense attorneys can only request medical and mental health records going back two years in three specific circumstances: 1) Plaintiff alleges a specific and diagnosable physical or psychiatric injury; 2) Plaintiff relies on the records or testimony of a health care provider or expert witness; and 3) Plaintiff alleges failure to accommodate a disability or alleges discrimination on the basis of a disability. The law reverses a 2013 state Court of Appeals Division I decision in Lodis v. Corbis Holdings Inc. [see here] that ruled plaintiffs must produce mental-health records when seeking emotional harm or distress in a discrimination suit. [Health IT Security and at: Seattle Times]

CA – Employer-Mandated Physician Visit Is Not A Privacy Violation

Employers are entitled to require employees to visit in-house occupational health department physicians to obtain reasonably necessary medical information if that right is provided for in their collective agreement. This was confirmed in Rio Tinto Alcan Inc (RTA) v UNIFOR, Local 2301 (Medical Information Grievance) when the arbitrator found that the employer [RTA which operates a safety-sensitive aluminium smelter in Kitimat, British Columbia] had not violated employee privacy rights when it required employees to visit in-house occupational health department physicians to confirm eligibility for wage loss protection benefits. The arbitrator also recognises an employer’s right to seek reasonably necessary medical information to ensure that employees are absent from work for legitimate reasons only, and to facilitate their return to work. In-house OHDs can be a valuable tool for employers to learn important medical information about their employees without infringing on privacy rights. [Fasken]

WW – Most Dementia Apps Lack A Privacy Policy: Study

Researchers with Harvard Medical School reviewed 125 iPhone apps built for dementia patients and found that 72 collected user data. Of those apps that collected data, just 33 had an available privacy policy. Many of those mobile apps that had an accessible privacy policy lacked clarity, often failing to address the specific functions of the app, describe safeguards or differentiate between individual protections versus aggregate data protection. The authors said the findings of the study highlighted a significant concern for patients with cognitive impairment and their caregivers, eroding trust among users. [fiercehealthcare.com]

US – HHS Issues Best Practices for Physical Security Measures

U.S. Health and Human Services issued guidance on workstation security. Physical security measures for workstations include port locks for USBs, device locks for CD/DVD drives, maintenance of current inventory of all electronic devices, relocation of devices from public or vulnerable areas, and awareness training for employees on physical security policies. [HHS – May 2018 OCR Cyber Security Newsletter – Workstation Security – Don’t Forget About Physical Security]

Internet / WWW

WW – Facebook Gave Device Makers Deep Access to Data on Users and Friends

Facebook reached data-sharing partnerships with at least 60 device makers — including Apple, Amazon, BlackBerry, Microsoft and Samsung — over the last decade, starting before Facebook apps were widely available on smartphones, company officials said. The deals allowed Facebook to expand its reach and let device makers offer customers popular features of the social network, such as messaging, “like” buttons and address books. Facebook allowed the device companies access to the data of users’ friends without their explicit consent. Some device makers could retrieve personal information even from users’ friends who believed they had barred any sharing. Most of the partnerships remain in effect, though Facebook began winding them down in April. This contradicts Facebook’s leaders who said that the kind of access exploited by Cambridge in 2014 was cut off by the next year, when Facebook prohibited developers from collecting information from users’ friends. But the company officials did not disclose that Facebook had exempted the makers of cellphones, tablets and other hardware from such restrictions. In interviews, Facebook officials defended the data sharing as consistent with its privacy policies, the F.T.C. consent decree agreement [see FTC posts here & here & 10 pg PDF decree document here & 9 pg PDF order here] and pledges to users. [NYTimes and at: Mother Jones, Business Standard, CNET and The Hill]

WW – Chrome Outlines Plans to Alert Users to Unsecure Websites

In a Chromium blog post, Google has described some of the steps it will take to alert Chrome browser users that they are visiting unsecure websites. In September (Chrome 69), Chrome will stop identifying HTTP sites as secure in the address bar. In October (Chrome 70), Chrome will begin displaying a red “not secure” warning when users enter data on HTTP sites. Google is in essence turning security indication on its head; instead of labeling sites as secure, Chrome security team project manager Emily Schechter wrote in a blog that “Users should expect that the web is safe by default.” [blog.chromium.org: Evolving Chrome’s security indicators | www.computerworld.com: Google details how it will overturn encryption signals in Chrome]

WW – ICANN’s Proposed Legitimate Processing

The Internet Corporation for Assigned Names and Numbers issues a proposed temporary specification for generic top-level domains pursuant to the GDPR. Personal data included in Registration Data may only be processed for prescribed legitimate purposes, including enabling a reliable mechanism for identifying and contacting the Registered Name Holder, supporting a framework to address issues involving domain name registrations (e.g. investigation of cybercrime and DNS abuse), and providing mechanisms for safeguarding Registration Data in the event of a business or technical failure. [Proposed Temporary Specification for gTLD Registration Data: Working Draft – ICANN]

Law Enforcement

CA – TPS to Embark on Six-Month Pilot Project for Using Body-Scanners

Toronto Police are moving ahead with a six-month pilot project as they prepare to use body-scanners like those used at airports. The scanners are intended to locate evidence or contraband without “level 3” searches, also known as strip searches, police said in a press release [TPS FAQ here]. The use of the technology will not eliminate the use of strip-searches entirely. Rob De Luca, director of the public safety program with the Canadian Civil Liberties Association (CCLA), noted the importance of maintaining personal privacy with the scanner technology. “We don’t have a concern with the technology, as long as there are sufficient safe-guards in place. If they’re using the search solely in cases where a strip search is justified under the law, then I think it could be a helpful addition,” said De Luca. Toronto police conduct some 55 strip searches a day, or 20,000 a year. The project team handling the scanners’ implementation has consulted with Ontario’s Information and Privacy Commissioner, and has received a legal opinion from the Ministry of the Attorney General. The data would be stored for 30 days following the scan provided nothing is found, police say. [Toronto Star and also at: CTV News, Narcity, Global News and Blue Line]

Online Privacy

US – Ninth Circuit Stays $30B Facebook Privacy Suit

The Ninth Circuit granted Facebook’s emergency petition to stay a $30 billion privacy suit pending appeal just hours after a lower court refused to delay an upcoming trial. Two Ninth Circuit judges issued their ruling just after 3 p.m. on Tuesday, mere hours after U.S. District Judge James Donato denied [see 4 pg PDF here] Facebook’s motion to stay the case. Facebook argued it was being forced to spend money and risk reputational harm notifying users about an upcoming trial, which could become moot if the Ninth Circuit overturns a prior ruling in the case. Last week, Donato ordered Facebook [see here] to use emails, newsfeed posts and jewel notices, or Facebook alerts, to notify millions of Illinois Facebook users about the lawsuit by May 31. Facebook is accused of harvesting users’ facial data for its “Photo Tag Suggest” function without consent and in violation of a 2008 Illinois privacy law. A jury trial was set for July 9. [Courthouse News and at: Biometric Update, FindLaw Blogs, The Recorder (Law.com), FindBiometrics, Media Post and The Register]

Privacy (US)

US – 11th Circuit Hands LabMD a Major Victory & Rebukes FTC in Process

On June 6, the U.S. Court of Appeals for the Eleventh Circuit decided the long-awaited LabMD saga [see 31 pg PDF here]. As Wiley Rein attorneys recently explained in a webinar on agency priorities, this case is an important milestone and inflection point for the new Federal Trade Commission (FTC) leadership. The FTC’s authority and role in data security has been key to ongoing debates over federal privacy and security policy domestically and globally. This case raised issues going to FTC power and practice, but ultimately turned on the remedy imposed by the agency which was found to be so vague as to be unenforceable. The court did not address the key substantive questions:

1) First, in a data breach case, what type of consumer injury gives rise to “unfairness” under Section 5 of the FTC Act, an issue sometimes identified as the “informational injury” question? and

2) Second, what type of notice is the FTC required to provide regarding reasonable data security measures?

Despite its failure to answer these questions, the decision has implications for those issues and the agency’s overall approach to data security. In particular the Eleventh Circuit’s decision was a rebuke to the agency’s remedial efforts, which lean heavily on consent decrees to prod action the agency could not otherwise mandate. The Court found that the FTC’s cease and desist order “mandates a complete overhaul of LabMD’s data-security program and says precious little about how this is to be accomplished.” According to three appeals court judges, “[t]his is a scheme that Congress could not have envisioned.” The FTC will now face the decision of whether to appeal the 11th Circuit’s decision. In light of the narrow scope of the 11th Circuit’s holding, such further appeal may be unattractive to the FTC. [Wiley Rein News & Insights and at: BankInfoSecurity here & here, Multichannel News, Center for Democracy & Technology (CDT), Reuters and Law360]

US – FTC Posts Blog on Data Deletion Rule under COPPA

On May 31, 2018, the FTC published on its Business Blog a post addressing the easily missed data deletion requirement under the Children’s Online Privacy Protection Act. The post cautions that companies must review their data policy in order to comply with the data retention and deletion rule. Under Section 312.10 of COPPA [see here], an online service operator may retain personal information of a child “for only as long as is reasonably necessary to fulfill the purposes for which the information was collected.” After that, the operator must delete it with reasonable measures to ensure secure deletion. [Hunton & Privacy and at: Privacy & Security Law Blog (Davis Wright Tremaine)]

Security

US – NIST Issues Draft Risk Management Framework

The National Institute of Standards and Technology has issued a draft risk management framework for information systems and organizations. The draft guidelines are intended to ensure security and privacy requirements and controls are effectively integrated into the enterprise architecture, and support consistent, informed and ongoing authorization decisions; the framework breaks down the tasks at the different stages of the assessment process (preparation, selection, implementation, assessment and authorization), and identifies the primary responsible roles for achieving the task. [NIST – Risk Management Framework for Information Systems and Organizations – SP 800-37 Rev.2 Draft]

US – DHS Issues Cyber Risk Strategy

A new cybersecurity strategy from the US Department of Homeland Security describes five pillars of cyber risk management: risk identification, vulnerability reduction, threat reduction, consequence mitigation, and enabling cybersecurity outcomes. [www.executivegov.com: DHS Sets Approach to National Cyber Risk Management Through New Strategy | www.dhs.gov

US – Federal Vehicle Telematics Cybersecurity

A March 2015 Executive Order requires that all US federal government vehicle fleet managers gather operational data, including fuel consumption, maintenance, and vehicle location. Because the data are collected and transmitted using telematics, the process raises cybersecurity concerns. The Department of Homeland Security (DHS) and Department of Transportation (DoT) have together developed a Telematics Cybersecurity Primer for Agencies. The guidelines cover protecting communications to and from the devices; protecting device firmware; protecting actions on the device through the “least privilege” principle; and protecting device integrity. [www.dhs.gov: DHS, DOT Partner on Government Vehicle Telematics Cybersecurity Primer | www.scmagazine.com: DHS, DoT team up to secure federal vehicle fleets]

Telecom / TV

US – Pentagon Tightens Rules for Personal Mobile Devices

A US Defense Department policy memo released on May 22, 2018, says that all Pentagon personnel, contractors, and visitors are no longer permitted to have personal mobile devices in areas involved in “processing, handling, or discussion of classified information.” People who violate the policy could face loss or delay of security clearances, fines, and administrative discipline. The policy must be implemented within 180 days. [media.defense.gov: Memorandum for Chief Management Officer of the Department of Defense | fcw.com: Pentagon cracks down on personal mobile devices]

US Government Programs

US – Federal CyberSecurity Report Finds 2/3 of Agencies at Risk

The Office of Management and Budget issued a federal cybersecurity risk report on the performance of 96 agencies in accordance with: Executive Order 13800 on federal networks and critical infrastructure; and OMB Memorandum M-17-25 on federal networks and critical infrastructure. One quarter of federal agencies are sufficiently managing their cybersecurity risk, but almost 2/3 are at risk (some processes in place but gaps remain) and a minority are at high risk (key processes are not deployed); challenges include limited situational awareness, lack of standardized IT capabilities, limited network visibility, and lack of accountability for managing risks. [Executive Office of the President of the United States – Federal Cybersecurity Risk Determination Report and Action Plan]

US – Individualized Suspicion Required for Border Phone Search

The Court considered a request by Hamza Kolsuz to suppress evidence seized from his mobile phone, which was searched at the US border. The US Appeals Court confirmed that a forensic search of an individual’s phone by border officers was lawful; he did not have a license for firearm parts found in his luggage, had previously attempted to illegally export firearm parts, and there was reason to believe the phone search would reveal information related to other ongoing illegal export attempts. [USA v. Hamza Kolsuz – Decision – US Court of Appeals for the Fourth Circuit]

US – Feds Need to Do Better Job With EHR Data Security, Privacy: GAO

The U.S. federal government needs to do a better job at EHR data security and privacy, concluded a federal IT systems audit by the Government Accountability Office released last month [Highlights | Report]. The federal government also must ensure privacy is guaranteed when facial recognition systems are used and better protect the privacy of users’ data on state-based health insurance marketplaces, GAO concluded. To accomplish these goals and improve lax federal cybersecurity in general, agencies should implement the information security program mandated by the Federal Information Security Management Act (FISMA), GAO recommended. GAO said that it has made around 2,700 recommendations to federal agencies to improve their IT security since 2010, including measures required by FISMA. But as of May 2018, around 800 of its recommendations had not been implemented. [Health IT Security]

US Legislation

US – Federal Bill Introduces Deletion Rights for Minors

Senate Bill 2965, the Clean Slate for Kids Online Act of 2018 amending the Children’s Online Privacy Protection Act, was introduced in the US Senate and referred to the Committee on Commerce, Science and Transportation. If passed, COPPA would be amended to require website and online service operators to, upon request, delete all PI collected from children under 13 years and provide written confirmation; PI is exempt from deletion if necessary to respond to judicial process, or provide information for law enforcement investigations (however, the information cannot be used, shared or maintained for any other purpose). [S. 2965 – Clean Slate for Kids Online Act of 2018 – 115th Congress]

US – Federal Bill Amends COPPA

Senate Bill 2932, the Do Not Track Kids Act of 2018, was introduced in the United States Congress. The Act was previously introduced under Senate Bill 2187. If passed, the Do Not Track Kids Act of 2018 would make it illegal for an online operator to collect PI from a minor (unless it has adopted a Digital Marketing Bill of Rights for Minors), or use, disclose to third parties or compile PI for marketing purposes without verifiable parental consent, or the consent of the minor. [S.2932 – Do Not Track Kids Act of 2018 – United States Congress]

+++

6-19 May 2018

Biometrics

UK – Report Confirms Deep Flaws of Automated Facial Recognition Software

Big Brother Watch [here] has produced a report bringing together everything we know about the use by UK police of automated facial recognition software, and its deep flaws. The report supplements that information with analyses of the legal and human rights framework for such systems, and points out that facial recognition algorithms often disproportionately misidentify minority ethnic groups and women. Alongside its report, Big Brother Watch has launched the “Face Off” campaign calling for the UK public authorities to stop using automated facial recognition software with surveillance cameras, and to remove the thousands of images of unconvicted individuals from the UK’s Police National Database. [TechDirt and at: Edgy Labs and Android Headlines]

UK – Cops’ Facial Recog Tech Slammed: Zero Arrests, 2 Matches, No Criminals

London cops’ facial recognition kit has only correctly identified two people to date – neither of whom were criminals – and the UK capital’s police force has made no arrests using it, figures published today revealed. According to information released under Freedom of Information laws, the Metropolitan Police’s automated facial recognition (AFR) technology has a 98% false positive rate. That figure is the highest of those given by UK police forces surveyed by the campaign group Big Brother Watch as part of a report [see PR here and 56 pg PDF report here] that urges the police to stop using the tech immediately. And, despite cops’ insistence that it works, the report showed an average false positive rate – where the system “identifies” someone not on the list – of 91% across the country. The Met has the highest, at 98%, with 35 false positives recorded in one day alone, at the Notting Hill Carnival 2017. However, the Met Police claimed that this figure is misleading because there is human intervention after the system flags up the match. [The Register and coverage at: Siliconrepublic, BBC News, Metro.co.uk, Software Testing News, Nextgov, The Independent, The Washington Times and HuffPost UK]

UK – Sky News Will Use AI to ID Guests at Royal Wedding

When Prince Harry and Meghan Markle said “I do” at their royal wedding, online viewers tuning into the Sky News stream did not have to guess the names of international celebrities and British nobility in attendance. Instead, the U.K. broadcaster used artificial intelligence to identify famous guests as they made their grand entrances at St. George’s Chapel at Windsor Castle — displaying the invitees’ names and details about how they are connected to the royal couple. Dubbed “Who’s Who Live,” Sky News announced the live-stream service in partnership with Amazon.com and several data and engineering firms. As the 600 guests entered the chapel, Sky News highlighted notable attendees using Amazon Rekognition, a cloud-based technology that can recognize and compare faces in images and video using artificial intelligence. Along with identifying the wedding guests, the live-stream service also showed facts about them, using captions and on-screen graphics through the company’s app. The data was displayed alongside the video of the procession into the chapel. The celebrity recognition feature’s debut could pave the way for its use at other high-profile events that often invite the audience to interact on social media. [Washington Post]

CA – $30B Facebook Privacy Suit Headed for Jury Trial

A $30 billion class action claiming Facebook harvested the facial data of up to 6 million Illinois residents without consent must be decided by a jury, a federal judge ruled. Facebook argued that its technology doesn’t scan users’ facial geometry in a way that violates a 2008 Illinois privacy law. U.S. District Judge James Donato found only a jury can answer that question. Lead plaintiff Nimesh Patel sued Facebook in 2015 in one of three consolidated class actions, claiming the social network harvested users’ facial data for its “Photo Tag Suggest” function, starting in 2011, without express permission from users. Under the Illinois Biometric Information Privacy Act of 2008, companies must obtain consent before collecting or disclosing biometric data, such as retina scans, fingerprints, voiceprints, hand scans or facial geometry. Facebook also argued that it should not be liable for any damages because it reasonably understood the Illinois privacy law as not applying to data harvested from photographs. Donato rejected that argument too, concluding that “ignorance of the law” has never been accepted as a valid excuse for breaking the law. The judge also scolded Facebook for continuing to cling to legal arguments that were rejected in prior rulings when he denied Facebook’s motion to dismiss in February [see here] and certified a class of up to 6 million Illinois Facebook users in April. The judge described Facebook’s refusal to accept his prior decisions as “troubling.” In an emailed statement, Facebook said: “We are reviewing the ruling. We continue to believe the case has no merit and will defend ourselves vigorously.” [Courthouse News and at: The Register, Business Insurance and Biometric Update]

Big Data / Artificial Intelligence / Data Analytics

EU – EU Commission Issues Artificial Intelligence Strategy

The EU Commission issued recommendations to take advantage of opportunities offered by artificial intelligence. Investments in AI should be increased to develop applications in key sectors (e.g. healthcare), facilitate data access for small and medium-sized companies, and ensure an appropriate framework is applied that promotes innovation, respects EU values, the GDPR, and ethical principles. [EU Commission – Artificial Intelligence for Europe]

WW – Google’s AI Sounds Like A Human on the Phone

It came as a total surprise: the most impressive demonstration at Google’s I/O conference was a phone call to book a haircut. Of course, this was a phone call with a difference. It wasn’t made by a human, but by the Google Assistant, which did an uncannily good job of asking the right questions, pausing in the right places, and even throwing in the odd “mmhmm” for realism. The crowd was shocked, but the most impressive thing was that the person on the receiving end of the call didn’t seem to suspect they were talking to an AI. It’s a huge technological achievement for Google, but it also opens up a Pandora’s box of ethical and social challenges. For example, does Google have an obligation to tell people they’re talking to a machine? Does technology that mimics humans erode our trust in what we see and hear? And is this another example of tech privilege, where those in the know can offload boring conversations they don’t want to have to a machine, while those receiving the calls (most likely low-paid service workers) have to deal with some idiot robot? As Google’s researchers explain, the feature, called Duplex, can only converse in “closed domains” — exchanges that are functional, with strict limits on what is going to be said. “You want a table? For how many? On what day? And what time? Okay, thanks, bye.” Easy! Duplex works in just three scenarios at the moment: making reservations at a restaurant; scheduling haircuts; and asking businesses for their holiday hours. It will also only be available to a limited (and unknown) number of users sometime this summer. [The Verge]

WW – RightsCon 2018 Conference Debates Resolution on Discrimination in Machine Learning

This week marked the opening in Toronto of the seventh RightsCon conference. Attendees will have a choice of 450 sessions on a wide range of rights topics related to the online world: how to leverage blockchain as a force for good, the digital divide in Indigenous Communities in North America, content regulation, free speech and censorship, false news, online surveillance and Internet governance. One of the highlights will be a preparation of the “Toronto Declaration on Discrimination in Machine Learning” [see here & 11 pg PDF here], a step toward developing detailed guidelines for the promotion of equality and protection of the right to non-discrimination in machine learning. The Declaration will address necessary protections for companies and governments exploring and implementing the future of machine learning. The goal of the declaration is to encourage data scientists to think early when creating machine learning algorithms about implications of assumptions in their work. [IT World] See also: [The 7 Craziest IoT Device Hacks]

Canada

CA – Canada Has ‘Fallen Behind’ in Privacy Powers: Denham

The powers made available to the Canadian privacy watchdog to investigate companies like Facebook and Cambridge Analytica have not kept pace with those granted to his counterparts around the world. That was the message brought by Elizabeth Denham, the United Kingdom’s information commissioner, to a House of Commons committee studying the breach of personal information harvested from 87 million Facebook accounts by British political profiling firm, Cambridge Analytica. “The Canadian privacy commissioner’s powers have fallen behind the rest of the world,” Denham told the committee members. Her observation comes as Canadian politicians struggle to catch up to other jurisdictions such as the European Union that have pursued stringent new privacy rules in recent years in light of concerns that tech giants like Facebook and Google are not doing enough to protect personal information. [Global News]

CA – Ontario Law Prohibits Inquiries into Compensation History

Ontario’s Bill 3, the Pay Transparency Act, 2018, related to disclosure of compensation for applicants and employees, receives Royal Assent and goes into effect January 1, 2019. Exemptions include a job applicant’s voluntary and unprompted disclosure of their compensation history, compensation ranges or aggregate compensation for comparable positions, or publicly available compensation history, and employers must submit and post pay transparency reports; a government compliance officer may enter a workplace without a warrant to assess the employer’s compliance with the law. [Bill 3 – Pay Transparency Act, 2018 – 41st Legislature, Ontario | Status]

CA – Canadian Government Reassures on Border Searches

The Minister of Public Safety and Emergency Preparedness reported to the Parliamentary Standing Committee on Access to Information, Privacy and Ethics on border privacy. The government believes that it is unnecessary to provide further preconditions for searches of electronic devices at the border in the Customs Act (which could hinder the ability to respond to threats and contraventions); the recently signed Preclearance Act (which gives U.S. officers the ability to search in certain areas) requires U.S. border officials to comply with Canadian law. [Report: Protecting Canadians’ Privacy at the U.S. Border – Minister of Public Safety and Emergency Preparedness]

CA – Balsillie urges MPs to Regulate ‘Surveillance Capitalism’ of Facebook and Google

A group representing Canada’s tech CEOs told MPs that Facebook and Google represent a new form of “surveillance capitalism” and called for European-style regulation over the U.S.-based web giants. Jim Balsillie, chair of the Council of Canadian Innovators [here], told MPs that immediate government action is required to protect Canada’s commercial interests and the privacy of individuals. “Facebook and Google are companies built exclusively on the principle of mass surveillance,” he said. “Their revenues come from collecting and selling all sorts of personal data, in some instances without a moral conscience.” Mr. Balsillie, the former chair and co-CEO of Research in Motion (now BlackBerry Ltd.) made the comments while sharing a panel [see ETHI Parliamentary Committee meeting May 10, 2018 here] with Colin McKay, Google Canada’s head of public policy and government relations. Mr. McKay challenged Mr. Balsillie’s characterization of Google and told MPs that Google’s products “prioritize user privacy” and the company promotes a service called MyAccount that lets users manage their privacy and security. Earlier in the day, the committee heard from Elizabeth Denham, the United Kingdom’s Information Commissioner who is investigating the Cambridge Analytica issue, as well as Michael McEvoy, British Columbia’s Information and Privacy Commissioner, who is also conducting a related investigation. [G&M and at: Global News, CBC News, The Canadian Press (Via Ottawa Citizen) and National Observer]

CA – Former Elections Watchdog Says Liberals’ Bill C-76 Falls Short on Privacy

Marc Mayrand [wiki here], the man who ran Elections Canada from 2007 to 2016 [says] the federal government’s new election bill [the Elections Modernization Act – Bill C-76 – see PR here & Text here] falls seriously short of expectations when it comes to safeguarding Canadians’ private information. In what Mayrand judged “a very small step,” the new bill will require political parties to post a policy on the treatment of people’s personal information: how they use, collect and protect it. Parties will be required to state how they train employees on safeguarding private data, and to provide contact information for a person to whom concerns can be addressed. The bill also states that parties must publish the circumstances under which personal information may be sold, although federal officials said they were unaware of any cases in which this had happened. The Elections Modernization Act, however, contains no independent verification measures and no penalties for violations. There are also, he noted, no assurances that Canadians will find out about breaches, nor avenues for them to request to see the information parties hold about them. The legislation is silent on whether parties can trade the data to anybody or whether they must obtain people’s consent to collect the data, he said. Teresa Scassa [here], Canada research chair in information law at the University of Ottawa, has also blasted the government [see here] for what she calls “an almost contemptuous and entirely cosmetic quick fix designed to deflect attention from the very serious privacy issues raised by the use of personal information by political parties.” [HuffPost]

CA – Alberta Privacy Commissioner Powerless to Investigate Political Parties’ Use of Voter Data

Alberta’s privacy commissioner is powerless to investigate how political parties are collecting and using voters’ personal information, but there’s little incentive for parties to change the status quo, observers say. Alberta’s Personal Information Protection Act (PIPA) [text here & overviews here] governs how companies are able to collect and use personal data, but exempts political parties — limiting the commissioner’s ability to investigate complaints of personal data misuse. The law can only be applied to political parties under exceptional circumstances related to commercial activity, such as selling, bartering or leasing of donor, fundraising or membership lists. University of Victoria political scientist Colin Bennett has spent years researching privacy protection policies in Canada and abroad and studied how political parties accumulate voter data from social media sites, such as Facebook. “Essentially, individuals have no rights over their personal information that political parties capture.” Bennett said provincial political parties don’t want to fall under privacy laws because it can limit campaigning abilities. “In a competitive electoral environment — and lord knows Alberta’s competitive — they’re not going to want to constrain their ability to campaign,” he said. “I would hope (privacy commissioner) Jill Clayton would be very forceful in advocating that Alberta political parties be covered under the Alberta legislation,” he said. “There’s no reason why Alberta should be any different from B.C.” British Columbia is unique among provinces in that its privacy commissioner has the authority to investigate and audit private companies and political parties suspected of skirting the law. [The Star]

CA – Trend of Police Secrecy Over Names in Homicides Raises Alarm

The names of the dead have not been released in a police-involved shooting in Nanaimo nor in a Victoria homicide. It’s becoming increasingly common practice among some agencies probing violent deaths not to release the identities. That’s because the RCMP, B.C. Coroners Service and the Independent Investigations Office, which probes fatal interactions with police, have all declined to identify the deceased. It’s an increasingly common, if inconsistent, practice across B.C. and other jurisdictions in Canada, in which agencies tasked with investigating violent deaths have, in some cases, stopped releasing victims’ names. Legal experts say it’s a trend that prevents Canadians from scrutinizing the criminal-justice system and the people who operate within it. Law-enforcement agencies and others argue that they’re simply obeying privacy laws and respecting grieving families. The Edmonton Police Service has taken a similar approach. Steven Penney [here], law professor at the University of Alberta, said it’s a “troubling” practice that departs from Canada’s long-standing tradition of having an open, transparent and accountable criminal-justice system, adding “Our entire criminal-justice system is premised on the idea that when a serious crime occurs, it’s a crime against the entire society. And the entire society deserves to be informed about the implications of that crime and potentially become involved in scrutinizing the behaviour of all of those who are responsible for dealing with it.” [Victoria Times Colonist]

CA – Canada’s Privacy Commissioner Shares View on Autonomous Vehicles

Canada’s privacy commissioner Daniel Therrien presented his views on the privacy implications of autonomous and connected vehicles [remarks here] at a House of Commons transportation committee meeting on May 9th [see here]. Therrien appeared before the Standing Committee on Transport, Infrastructure and Communities (TRAN), in response to a study that was released in January of this year [see 78 pg PDF report here & Infographic here], which pointed to five key areas to help the government better prepare for a self-driving car-filled future, including that the “government should put forward legislation to empower the Office of the Privacy Commissioner to proactively investigate and enforce industry compliance with privacy legislation.” He expressed concern that data flows in connected vehicles are very complex and, as a result, are not transparent. He touched on how his office has been looking to improve consent for users’ data by trying to find ways to give “individuals the ability to make decisions about their data.” Ideally, Therrien would like to see an amendment to the law that would allow the privacy office to “independently confirm that the principles in our privacy laws are being respected – without necessarily suspecting a violation of the law.” [MobileSyrup]

CA – Potential Privacy Class Action Against Ontario Auto Insurer

A class-action lawsuit was filed April 10 in Federal Court against The Personal over alleged use of credit scores in adjusting accident benefits claims. It’s not clear yet how many claimants there will be if the lawsuit is approved. Law firm Waddell Phillips Professional Corporation is asking Federal Court to certify the lawsuit as a class action on behalf of a specific class of Canadian auto insurance claimants [see PR here]. If approved by the court, that class would include people who made auto claims with The Personal Insurance Company after Jan. 18, 2012 “and who had their credit score information accessed by The Personal or its agents.” If the class action prevails in court, the insurer might have to pay up to $10,000 a claimant. In the lawsuit against The Personal, the plaintiffs are asking for an injunction prohibiting The Personal from “further using or accessing” personal credit scores for the purpose of adjusting auto accident benefits claims. They are asking Federal Court to award damages of $50 million, as well as aggravated, punitive or exemplary damages of $10 million. [Canadian Underwriter and at: Canadian Underwriter, The Insurance and Investment Journal and LowestRates.ca]

Consumer

CA – 3 out of 4 Facebook Users Still Active Despite Privacy Scandal: Poll

Three-quarters of Facebook users have remained as active, or even more active, on the platform since the company’s recent privacy scandal, a joint Reuters/Ipsos poll revealed. According to the survey, Facebook’s reputation has suffered little among users. The poll comprised over 2,000 American Facebook users over the age of 18, and found that half of those surveyed had not changed the way they used the site, and another quarter said they were using it more. Analyst Michael Pachter of Wedbush Securities told Reuters that Facebook is lucky the scandal revolves around data being used for political ads and not for “nefarious” purposes. “I have yet to read an article that says a single person has been harmed by the breach,” he said. “Nobody’s outraged on a visceral level.” In its first quarter financial results, Facebook said the number of monthly users in the United States and Canada rose to 241 million on March 31 from 239 million on Dec. 31, growth that was roughly in line with recent years. While many seem unaffected by the privacy concerns, a segment of Facebook users is taking action to protect their information. According to the poll, the remaining quarter of Facebook users have either reduced their activity or stopped using the site entirely. Although user activity seems to be returning to normal a few months after the initial story broke, an Angus Reid Institute/Global News poll released in the middle of March told a very different story about users’ trust in Facebook’s platform. The poll revealed that almost three-quarters of Canadians would change the way they use Facebook as the massive data scandal plaguing the company continues to unfold. [Global News]

WW – ISO Incorporates PbD Guidelines for Consumer Goods and Services

A new ISO project committee, ISO/PC 317, “Consumer protection: privacy by design for consumer goods and services”, will develop guidelines that will not only enforce compliance with regulations, but generate greater consumer trust at a time when it is needed most [see PbD wiki here]. Dr Cavoukian pioneered the concept of “privacy by design”, a framework that seeks to proactively embed privacy into the design specifications of information technologies, networked infrastructure and business practices. In her video address at the ISO workshop “Consumer protection in the digital economy”, which took place in Bali, Indonesia, the week of May 6, she said, “Regulatory compliance alone is unsustainable as the sole model for ensuring the future of privacy. Prevention is needed.” “Privacy by design” is now recognized as a core part of the EU General Data Protection Regulation (GDPR) [see Article 25 of GDPR here] and forms the basis of the ISO standardization work now underway. Implementing the standard will help companies comply with regulations and avoid potentially devastating data breaches that erode consumers’ confidence in online services. [ISO News and at: ACROFAN, SC Magazine]

E-Mail

CA – CRTC Fines Retailers $100,000 for Lack of Consent

The Canadian Radio-television and Telecommunications Commission fined Quebec Inc. 9118-9076 and 9310-6359 for violations of Canada’s Anti-Spam Legislation. Marketing text messages offered recipients an opportunity to receive future commercial offers, and did not include the prescribed information to enable recipients to easily identify and contact the sender; the joint retailers have agreed to put in place a compliance program that includes employee training, adequate disciplinary measures for non-compliance with internal procedures, and corporate policies to ensure compliance with CASL. [CRTC – Undertaking 9118-9076 and 9310-6359 – Quebec Inc.]

Encryption

CA – Citizen Lab Publishes Canadian Field Guide to Encryption

Shining a Light on the Encryption Debate: A Canadian Field Guide [see 107 pg PDF here] — co-authored by the Citizen Lab and the Canadian Internet Policy and Public Interest Clinic (CIPPIC) [here] — examines the parameters of the encryption debate, paying particular attention to the Canadian context. It provides critical insight and analysis for policymakers, legal professionals, academics, journalists, and advocates who are trying to navigate the complex implications of these technologies. The guide includes five sections: Section One provides a brief primer on key technical principles and concepts associated with encryption in the service of improving policy outcomes and enhancing technical literacy; Section Two explains how access to strong, uncompromised encryption technology serves critical public interest objectives; Section Three explores the history of encryption policy across four somewhat distinct eras, with a focus on Canada to the extent the Canadian government played an active role in addressing encryption; Section Four reviews the broad spectrum of legal and policy responses to government agencies’ perceived encryption “problem,” including historical examples, international case studies, and present-day proposals; and Section Five examines the necessity of proposed responses to the encryption “problem.” A holistic and contextual analysis of the encryption debate makes clear that the investigative and intelligence costs imposed by unrestricted public access to strong encryption technology are often overstated. [CitizenLab and at: BoingBoing]

EU Developments

EU – Eight Countries to Miss EU Data Protection Deadline

Eight EU states (Belgium, Bulgaria, Cyprus, the Czech Republic, Greece, Hungary, Lithuania and Slovenia) will not be GDPR ready until far beyond the 25 May deadline. Vera Jourova, the European commissioner for justice, told reporters on Thursday (17 May) she would not hesitate to take the EU capitals to court in serious cases, noting that member states have had more than enough time to get their acts together. She blamed negligence and domestic debates for the delays. Some data authorities say they will still be able to impose sanctions and fines regardless of the missing national legislation. Only Austria, Germany, France, Croatia, the Netherlands, Sweden and Slovakia are ready, with everyone else set to have their national acts passed by 25 May. Others like Spain, Italy, Portugal, Romania and Latvia are expected to be ready either at the end of May or the beginning of June. [EU Observer]

EU – Article 29 Working Party Issues Final Guidelines on Consent

On 10 April 2018, the Article 29 Working Party (WP29) published revised guidelines [download 31 pg PDF] on consent under the General Data Protection Regulation (GDPR). Consent is one of the six GDPR bases for the lawful processing of personal data. WP29’s draft guidelines on consent were issued earlier this year. This article examines the differences between the draft and final guidelines [along the following lines]: 1) Conditions for valid consent – freely given; 2) Unambiguous indication of wishes; 3) Explicit consent; 4) Children; 5) Interaction between consent and other lawful grounds for processing; and 6) Re-consenting. [Technology Law Dispatch]

EU – Article 29 WP Adopts Finalized Guidelines on Transparency

The Article 29 Working Party (WP29) adopted, on 11 April 2018, finalized guidelines on transparency (the Guidelines) under the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) [download 40 pg PDF here], following its public consultation. Draft guidance on transparency was issued earlier this year, so this blog focuses on the key issues and what is new in the final guidelines [along the following lines]: 1) Information being “intelligible”; 2) Informing data subjects about changes to transparency-related information; 3) Providing information to children; 4) Clear and plain language; 5) Changes to Article 13 and 14 information; and 6) Layered privacy statements and notices. [Technology Law Dispatch]

EU – WP29 Issues Position Paper on GDPR Record-Keeping Obligation

The Article 29 Working Party (WP29) has published a position paper on the scope of the derogation from the obligation to maintain records of processing activities. Article 30.5 [see here] provides that the record-keeping obligation does not apply to organisations with fewer than 250 employees in certain circumstances. The WP29 has stated that the position paper was published as a result of a high number of requests from companies received by national Supervisory Authorities. Despite the existence of the derogation, the WP29 encourages SMEs to maintain records of their processing activities, as it is a useful means of assessing the risk of processing activities on individuals’ rights, and identifying and implementing appropriate security measures to safeguard personal data. In light of the new accountability principle in the GDPR requiring organisations to be able to demonstrate how they comply with their GDPR obligations, it would certainly be prudent for all organisations, regardless of size, to maintain such records. [Ireland IP]

UK – Court Orders Government to Rewrite Investigatory Powers Act

A UK Court considered a request for judicial review of the retention provisions of the UK’s Investigatory Powers Act 2016, and ruled that the retention provisions of the Act are incompatible with fundamental rights in EU law (access to retained data is not limited to the purpose of combating “serious crime”, and access to retained data is not subject to prior review by a court or an independent administrative body), and the government must amend the Act by November 1, 2018. [The National Council for Civil Liberties (Liberty) v. Secretary of State for the Home Department & Secretary of State for Foreign and Commonwealth Affairs – [2018] EWHC 975 (Admin) – England and Wales High Court (Administrative Court) ]

Facts & Stats

UK – ICO Reports Data Incidents Spike 17%, Human Error Dominates

The number of data security incidents reported to the UK’s Information Commissioner’s Office (ICO) jumped 17% between the final three months of 2017 and the first quarter of 2018, according to new figures. In its last update [see here] before the EU GDPR takes effect, the privacy watchdog revealed a rise in incident reports from 815 to 957. Although cybersecurity-related incidents increased by 31% from the previous quarter, the first month-on-month increase since Q4 2016-17, human error dominated. In fact, over the 2017-18 financial year, 3325 reports were filed with the ICO, with the number one breach type “data emailed to incorrect recipient,” (13%) followed closely behind by “data faxed to wrong recipient” (13%). Also high was “loss or theft of paperwork” (13%). The healthcare sector accounted for by far the largest volume of reports (37%), although this figure is likely to be a result of mandatory reporting rules. After health came “general business” (11%), education (11%) and local government (10%). [Infosecurity Magazine and at: ISBuzz News]

US – Equifax Reveals How Much Information Was Really Exposed in Data Breach

How bad was Equifax’s data breach? Bad. In a new filing with the Securities and Exchange Commission, the credit reporting agency broke down in detail the types of – and how much exactly – sensitive personal information was exposed to hackers in the breach. A statement for the record from Equifax included in the SEC filing breaks down what types of personal information and data was exposed in the September 2017 data breach. The disclosure comes at the urging of several Congressional committees. According to Equifax, the company recently sent a letter to several Congressional committees providing additional detail on the data that was exposed in the breach. In its letter, Equifax said that the names and dates of birth for approximately 146.6 million people were exposed, as well as 145.5 million Social Security numbers, the address information for 99 million people, the gender data for 27.3 million people, 20.3 million consumers’ phone numbers, 17.6 million driver’s license numbers, 1.8 million email addresses, 209,000 payment card numbers and expiration dates, 97,500 tax ID numbers, and the state information for 27,000 driver’s licenses. Additionally, Equifax noted that the hackers also gained access to images uploaded to the company’s online dispute portal by approximately 182,000 consumers, including: 38,000 driver’s licenses; 12,000 Social Security and tax ID cards; 3,200 passports and passport cards; and 3,000 other documents, including military and state IDs and resident alien cards. According to Equifax, it is releasing this information as part of its “commitment to transparency.” [Housingwire]

Filtering

CA – RTBF: PIPEDA Should Not Regulate Online Speech

The Stanford Center for Internet and Society comments on the Office of the Privacy Commissioner of Canada’s draft position on online reputation. Academics note that data protection laws lack well-developed standards that balance and protect expression rights and introduce unintended consequences (e.g. online platforms and search engines would be required to seek consent before processing user-generated information), and that platforms would likely comply with abusive or mistaken notices to avoid litigation risks. [Response to the OPC Consultation and Call for Comments on Draft Online Reputation Position Paper – Stanford Center for Internet and Society]

Finance

CA – OPC Concerned Bank Act Changes Could Open Door to More Data Abuses

Privacy Commissioner Daniel Therrien is expressing concern with new banking powers over customer data that are contained in the government’s latest budget bill, telling the Senate banking committee [here] that his office was never consulted on the Bank Act changes [see PR here & Commissioner’s remarks here]. Senators have heard conflicting testimony as to what the Bank Act changes [see Division 16 of Part 6 of Bill C-74, the Budget Implementation Act, 2018, No.1 here & Bill status here] would allow in practice. The Finance Department and the banking sector say they are simply about modernizing language to reflect the growth of financial technology firms, or fintechs. However, critics warn that the changes would give banks new powers to sell customer data to fintechs, which are in many cases not subject to federal financial regulation. Mr. Therrien said more co-operation between banks and fintechs may be a good thing, but consumers should be able to approve how their data are used through a clear and understandable consent form. He said there is nothing in the bill that would ensure that is the case. [Globe & Mail]

FOI

CA – Government Won’t Appeal Decision in Star’s Challenge to Secrecy in Tribunals

The Ontario government will not be appealing a Toronto Star legal victory which should lead to more openness in the province’s tribunal system. Last month, the court ruled in favour of a constitutional challenge launched by the Star that sought greater access to records from such quasi-judicial bodies as the Human Rights Tribunal and the Landlord and Tenant Board. Justice Edward Morgan found [see Toronto Star v. AG Ontario, 2018 ONSC 2586 – here] that denying access to tribunal records was an “infringement” of the Charter of Rights and Freedoms that the provincial government had failed to justify [he ruled this violates section 2(b) of the Charter – here]. The judge gave the province one year to make the tribunal system more accessible to journalists and the public. Morgan declared as “invalid” provisions of Ontario’s Freedom of Information and Protection of Privacy Act (FIPPA) that delay or block public access to tribunal records. [Toronto Star] [Ontario Court Finds FIPPA Blocks Public Access to Tribunal Records | Toronto Star Newspapers Ltd. v. AGO – 2018 ONSC 2586 CanLII – Ontario Superior Court of Justice]

CA – Transparency Study Shows Inadequate Access Processes

The Citizen Lab, a university research group, compared responses to data access requests made under PIPEDA to 23 telecommunications companies, fitness trackers and online dating services. The responses to access requests varied widely in the types of data provided, the specificity of questions answered, and clarity about disclosures to third parties. There were also barriers to access, including identity verification procedures, secure data transfer requirements, fees charged, and companies stating they were not bound by Canadian privacy laws. [Approaching Access – A Comparative Analysis of Company Responses to Data Access Requests in Canada – The Citizen Lab | Coverage]

CA – CSIS Permitted to Refuse Access Request

The Federal Court of Canada reviewed the Canadian Security Intelligence Service’s response to an access request, pursuant to the Access to Information Act. The Federal Court of Canada upheld CSIS’ refusal to confirm or deny the existence of records identifying an individual; investigative records consist predominantly of sensitive national security information, and if such records did exist, they would likely be exempt from disclosure on the basis of protecting a CSIS investigation. [VB v. Canada Attorney General – 2018 FC 394 CanLII – Federal Court of Canada]

Health / Medical

CA – Ontario Health Minister: People Have a Right to ‘As Much Transparency as Possible’ When It Comes to Doctors’ Pasts

Ontario Health Minister Helena Jaczek says the province’s medical watchdog should provide patients with “as full a picture” as possible of physicians’ disciplinary and criminal histories after a Toronto Star investigation found the public is being deprived of information about sanctions imposed in other jurisdictions. “Obviously, I’m in favour of as much transparency as possible,” Jaczek said in an interview at Queen’s Park. “I think that people have a right to know.” The Star’s 18-month investigation identified 159 disciplined doctors who have held licences on both sides of the Canada-U.S. border, and used public records to piece together their disciplinary histories across provincial, state and country lines. Ninety per cent of these doctors’ public profiles in Canada failed to fully report sanctions taken against them for a range of offences, including incompetence, improper prescribing, sexual misconduct and fraud, the investigation found. The College of Physicians and Surgeons of Ontario (CPSO), the self-regulating body that oversees the province’s doctors, recently amended its bylaws to allow it to post some information about discipline imposed in other jurisdictions on its physician profiles. However, the college only posts sanctions imposed on Ontario doctors outside the province after Sept. 1, 2015. Jaczek said the disciplinary information on the college’s website should be “retrospective.” NDP health critic France Gélinas said greater transparency by the CPSO should have been “mandated long ago.” “The health minister must demand the physicians’ college posts all disciplinary measures that have happened to any of their members, no matter what jurisdiction it’s from,” she said. “We know full well that physicians move. The CPSO is there to protect the public. People expect that. Let’s meet people’s expectations.” Earlier this week, Alberta’s health minister pledged to work with her province’s medical college to post information about sanctions imposed on its doctors by regulators in other jurisdictions. Sarah Hoffman also said she would review the college’s current practice of scrubbing all disciplinary details from doctors’ online profiles after five years. Unlike in the U.S., Canada has no national agency that collects and disseminates licensing and disciplinary information on doctors. The Star’s investigation found some Canadian physicians’ colleges keep secret basic information readily disclosed by other regulators. Quebec’s college, for example, told the Star that a physician’s credentials — when and where they graduated from medical school — are confidential information. The secrecy of Canadian colleges is in sharp contrast to their counterparts in the U.S., where consumer legislation governs many medical boards and mandates openness. [Toronto Star]

CA – SK OIPC Calls on Health Authority to Fire Employee Who Breached 880 Patient Files

Saskatchewan’s Information and Privacy Commissioner is recommending the provincial health authority fire an employee of the former Sun Country Regional Health Authority who accessed the information of 880 home care clients without a “need to know.” Ronald Kruzeniski, in a report issued on April 30, also recommended the Saskatchewan Health Authority send its investigation file to the Ministry of Justice’s public prosecutions division to determine whether an offence occurred and whether charges should be laid under the Health Information Protection Act. The employee’s name was not disclosed in Kruzeniski’s report. [Saskatoon StarPhoenix]

US – OCR To Share HIPAA Data Breach Settlements With Victims

OCR is proposing to share a percentage of HIPAA data breach settlements with victims, as required by the HITECH law. In the HHS semiannual regulatory agenda [see RIN: 0945-AA04 here & full agenda here] OCR said it is soliciting the public’s view on establishing a methodology for those harmed by a data breach or other HIPAA violation to receive a percentage of any penalty or settlement resulting from the breach. The office plans to issue an advance notice of proposed rulemaking with the proposal in November. While this is an intriguing proposal, its implementation might be a huge challenge for OCR. “The devil is in the details. There are potential issues with this approach,” Marcus Christian, a cybersecurity and data privacy attorney with the law firm of Mayer Brown said. [Health IT Security and at: Bloomberg Law here & here]

US – HHS Distinguishes Between Risk and Gap Analyses

The HHS Office of Civil Rights issued guidance on safeguarding electronic protected health information by conducting risk and gap analyses. Entities subject to the HIPAA Privacy and Security Rule must conduct analyses of all potential risks to ePHI, including identifying all potential threats and vulnerabilities, assessing effectiveness of controls in place, and assigning risk levels. Gap analyses do not satisfy risk analysis obligations because they provide a high level overview of controls and do not thoroughly assess all ePHI risks. [HHS – Risk Analyses vs. Gap Analyses – What is the Difference]

Horror Stories

CA – Insider Threats: OIPC SK Finds Health Entity Had Insufficient Safeguards

This OIPC SK report investigates a complaint against the Saskatchewan Health Authority involving personal health information pursuant to the Health Information Protection Act. An employee admitted to inappropriately accessing PHI in a healthcare system despite having access only on a need-to-know basis; the employee had signed a confidentiality agreement (but 4 years prior) and had never received any privacy training (the employee had not heard of the Health Information Protection Act). [OIPC SK – Investigations Report 066-2018 – Saskatchewan Health Authority]

Identity Issues

CA – Ontario Issues First Non-Binary ‘X’ Birth Certificate

A Vancouver filmmaker and writer has received Ontario’s first non-binary birth certificate. Ontario-born Joshua M. Ferguson identifies as non-binary trans and uses the pronouns “they” and “them.” The birth certificate is marked with an “X” designation, indicating a non-binary person. Ferguson applied to Service Ontario for the document in 2017, and filed a human rights claim when it was not initially granted. The province issued new guidelines on gender designations last year. Ontario says it is the first jurisdiction in the world to implement a two-fold policy, allowing the selection of either male, female or non-binary, and allowing the option of not displaying such identification on a birth certificate. Ferguson has also fought for an “X” designation on BC Health Cards. They were also among the first to have their application for an “X” designation approved under new rules for passports and other documents issued by Immigration, Refugees and Citizenship Canada. Ferguson called the Ontario birth certificate a “victory,” both personally and for all trans Canadians. “This policy makes it clear that non-binary people exist,” they said. “We are Ontarians and Canadian citizens.” [CTVNews]

Law Enforcement

UK – Amnesty Int’l Report Hits Met Police’s Gang Mapping Database

A secret police database aimed at tackling rising violence in London could lead to black families being evicted from their homes as well as young people being denied access to education or employment, according to a new report. An investigation by Amnesty International [called “Trapped in the Matrix” – see PR here and 54 pg PDF report here] into the Metropolitan Police’s gang mapping database, which is called the Gang Violence Matrix, highlighted criticisms about the disproportionate number of young black males that feature on it. As well as the seemingly discriminatory nature behind how information is collated, the report also raised serious concerns about how police officers share this data with housing associations, schools and job centres. [Voice Online and at: The Conversation UK, UKAuthority, CNBC and Apolitical]

Location

WW – Apple Reportedly Hits Back at Apps That Are Snooping on You

Apple is reportedly kicking third-party apps out of the App Store that are sharing users’ locations, as privacy remains in the spotlight in the wake of the Facebook/Cambridge Analytica scandal and pending regulation across the Atlantic. 9to5Mac reports that Apple has recently been removing apps that are sharing location data with third parties and sending the app developers a notice that the app is violating two different parts of the App Store Review Guidelines. The two sections in question are Legal 5.1.1 and Legal 5.1.2 which state: The app transmits user location data to third parties without explicit consent from the user and for unapproved purposes. 9to5Mac noted that Apple also wants developers to explain what the location data is used for, how it is shared, as well as asking for permission. [Fox News]

CA – OPC Looking into Reports Bell, Telus, Rogers Shared Location Data

Privacy officials in Canada plan to look into reports that Canadian telecom companies share location data on subscribers with third parties, a practice that, in at least one case, appears to have allowed similar data on Americans to be accessed by police without a warrant. Bell, Rogers and Telus were named in an article on ZDNet.com as among the North American telecom companies selling real-time location data on subscribers to a company called LocationSmart. A spokesperson from the office of the Privacy Commissioner said there were few details to share right now, but that the office would be looking into the matter. Telus did not respond to a request for comment but spokespersons for Bell and Rogers said the location data in question is not directly shared by them. Instead, it is done by a joint venture owned by all three telecom companies called Enstream. One of its partners is LocationSmart. Enstream is described on its website as providing identity verification services for third-party applications. It operates as a sort of hub of information held by the Canadian telecom companies and others can buy access to the data to do things like verify mobile subscriber identity, allow a roadside assistance company to locate a caller, or verify credit card information used in mobile payment systems. Enstream has launched a security review of its relationship with LocationSmart in light of the reports. [Global News and at: Krebs on Security, CNNTech, Motherboard, WIRED and Reuters | Globe & Mail | The Star | The Star]

Online Privacy

WW – Period Tracking Apps Monetizing Your Menstrual Cycle

Women who use menstruapps are sharing information about their health, sex life and social behaviours that may be sold to advertisers. Whether it’s Clue, FitBit or Eve, there has been a surge in popularity for period tracker apps in recent years. According to researchers at Columbia University, ‘menstruapps’ are now the fourth most popular app category among adults and second most popular among adolescent women in the ‘health apps’ category. From inputting information about moods, pain, cervical fluid and forms of contraception, the apps can be used to better inform women about their sexual health and indicate potential health issues. However, many of us won’t be considering that the apps also track and store vast amounts of personal information, which have the potential to make companies some serious money. Chupadados, a Brazil-based cyber security guide powered by women-led think tank Coding Rights, recently delved into what menstruapp users sign up for when they agree to an app’s terms and conditions. In studying the companies’ privacy policies, Chupadados found that ‘all of the apps rely on the production and analysis of data for financial sustainability’. In other words, the apps make money by sharing users’ personal information and activity on the apps with other businesses, and by targeting users for advertisements and product sales. In addition, users’ digital footprints help inform marketing strategies and business models. ‘Every piece of information that we put online becomes something valuable for companies, making our online activities a key component of their economic survival strategies,’ the website explains.
‘Feeding on our data, these tools serve as laboratories for observing physiological and behavioural patterns from period frequency and associated symptoms to users’ buying and Internet navigation habits.’ ‘Monitoring your cycle using a menstruapp means telling the app regularly if you went out, drank, smoked, took medication, got horny, had sex, had an orgasm and in what position, what your poop looked like, if you slept well, if your skin is clear, how you feel, and if your vaginal discharge is green, has a strong odour or looks like cottage cheese,’ Chupadados notes on its website. [Elle] See also: How Worried Should Parents Be About Apps and Websites Collecting Children’s Data?

WW – Data on 3 Million Facebook Users Exposed, Report Says

Researchers at the University of Cambridge uploaded user data from 3 million Facebook users onto a shared portal. They locked the data with a username and password. But students later posted the login credentials online. That exposed the data to anyone who did a quick web search to find the username and password, according to a report from New Scientist. In the new data exposure incident revealed by New Scientist, a different set of researchers collected user information with consent through a personality app, called myPersonality, and then made it available through a web portal. About four years ago, students with access to the data set posted the username and password online on the data sharing website GitHub. While the data was anonymized, privacy experts told the publication that it would be easy to associate data in the collection with the person who originally posted it on Facebook. The myPersonality app has been suspended since April 7. Facebook is aware that the login credential was published on GitHub; the issue was flagged in the company’s program for fielding information about potential misuse or abuse of Facebook user data. [CNET]

UK – “Safari Workaround” Class Action Could Cost Google $4.3 Billion

Google appeared in a UK court to argue against a privacy case brought by the group Google You Owe Us, representing 4.4 million iPhone users, that could lead to the search giant paying up $4.3 billion if it loses. Each of the class members could receive about $1,000. A lawsuit, filed in July, alleged the tech company violated their privacy from 2011 to 2012 through the “Safari Workaround” [see here]. While Apple’s iOS devices have default privacy settings on its Safari browser, Google was able to bypass it and collect browser data without people’s consent, according to the allegations. The workaround was first discovered in 2012 by a Stanford University researcher. Google agreed to pay $17 million to 37 states and Washington, DC, in a 2013 settlement. The company also agreed to pay a $22.5 million fine from the Federal Trade Commission over the data-tracking practice. [CNET and at: Bloomberg, The Guardian, The Independent and AppleInsider]

Privacy (US)

US – Suspicionless Border Searches of Electronic Devices Unconstitutional

The U.S. Court of Appeals for the Fourth Circuit’s May 9 ruling in U.S. v. Kolsuz is the first federal appellate case after the Supreme Court’s seminal decision in Riley v. California (2014) to hold that certain border device searches require individualized suspicion that the traveler is involved in criminal wrongdoing. Two other federal appellate opinions this year—from the Fifth Circuit and Eleventh Circuit—included strong analyses by judges who similarly questioned suspicionless border device searches. EFF filed an amicus brief in Kolsuz arguing that the Supreme Court’s decision in Riley supports the conclusion that border agents need a probable cause warrant before searching electronic devices. EFF has long argued that border agents need a warrant from a judge, based on probable cause of criminality, to conduct electronic device searches of any kind. The Supreme Court’s pre-Riley case law, however, permits warrantless and suspicionless “routine” searches of items like luggage that travelers carry across the border, a rule known as the border search exception to the Fourth Amendment’s warrant requirement. Based on these pre-Riley cases, the government claims it has the power to search and confiscate travelers’ cell phones, tablets, and laptops at airports and border crossings for no reason or any reason, and without judicial oversight. While we would have liked to see the Fourth Circuit go further by expressly requiring a warrant for all border device searches, we’re optimistic that we can win such a ruling in our civil case with ACLU against the U.S. Department of Homeland Security, Alasaad v. Nielsen, challenging warrantless border searches of electronic devices. [EFF and at: ACLU Blog, Reuters and Reason]

US – Justices Rule Unanimously for Driver in Rental-Car Case

The Fourth Amendment protects us from (among other things) a warrantless search of a place – such as our homes – that we can reasonably expect to remain private. Today the Supreme Court ruled that a driver who has permission to use a rental car is generally entitled to the same protections under the Fourth Amendment as the driver who rented the car. The court’s decision came in the case of Terrence Byrd [see all court docs for Byrd v. United States here], a New Jersey man who was driving a car rented by Latasha Reed, his fiancée (or former girlfriend, depending on whose account you are reading), when he was pulled over by a state trooper in Pennsylvania. The trooper gave him a warning for driving in the left lane and then searched the car, believing that he didn’t need Byrd’s consent because Byrd was not listed as an authorized driver on the rental agreement. The troopers found body armor and 49 bricks of heroin in the trunk, leading to federal charges against Byrd. In a unanimous decision by Justice Anthony Kennedy [see Byrd v. United States – 21 pg PDF decision here], the justices rejected the federal government’s argument that a driver who is not listed on the rental agreement can never have a reasonable expectation of privacy in the car, because the rental company has not given him permission to use it. That rule, the justices concluded, “rests on too restrictive a view of the Fourth Amendment’s protections.” Under the Supreme Court’s cases, the justices explained, whether someone has an expectation of privacy in a car shouldn’t hinge on whether the person who gave them permission to drive it owns the car or rented it. [SCOTUS Blog and at: Reason, ABA Journal, JURIST, The Associated Press (via WP) and Bloomberg]

US – Children and Minors: Updated Meaning of PI Benefits COPPA Safe Harbor

The Electronic Privacy Information Center responded to the FTC’s request for public comment into the Entertainment Software Rating Board’s COPPA safe harbor program. In response to an FTC public consultation, advocates urge the adoption of an enhanced definition of personal information to address changes in technology and prevent online operators from alleging an exemption to the scope of COPPA; geographic limitations should be removed so that it’s clear COPPA applies to all web operators regardless of a child’s residency or nationality, and risk assessments and self-assessments are critical for necessity and proportionality. [EPIC – Comments to the FTC on COPPAs Entertainment Software Rating Boards Safe Harbor Program Application to Modify Program Requirements]

Security

US – Banks Adopt Military-Style Tactics to Fight Cybercrime

Cybercrime is one of the world’s fastest-growing and most lucrative industries. At least $445 billion was lost last year, up around 30% from just three years earlier, a global economic study found, and the Treasury Department recently designated cyberattacks as one of the greatest risks to the American financial sector. For banks and payment companies, the fight feels like a war — and they’re responding with an increasingly militarized approach. Former government cyberspies, soldiers and counterintelligence officials now dominate the top ranks of banks’ security teams. They’ve brought to their new jobs the tools and techniques used for national defense: combat exercises, intelligence hubs modeled on those used in counterterrorism work and threat analysts who monitor the internet’s shadowy corners. At least a dozen banks have opened fusion centers (a concept originally developed by the US DHS see here) in recent years, and more are in the works. Having their own intelligence hives, the banks hope, will help them better detect patterns in all the data they amass. Cybersecurity has, for many financial company chiefs, become their biggest fear, eclipsing issues like regulation and the economy. [NY Times]

UK – 41% of Cyber-Security Apps Contain High-Risk Open Source Vulnerabilities

According to the 2018 Open Source Security and Risk Analysis (OSSRA) report from Black Duck by Synopsys and published today, open source adoption in the enterprise is growing fast. Unfortunately, the statistics regarding vulnerabilities in open source codebases are equally high. Analysing anonymised data from more than 1,100 commercial codebases, the researchers found that 96% of the applications audited across 2017 contained open source components. Representing industries from automotive to healthcare, financial services to manufacturing, and even cyber-security, the report reckons this reflects a 75% growth in open source adoption over the previous year. Indeed, the research suggests that most applications now contain more open source code than they do proprietary code. Which is all good news for fans of open source. The less good news is that 78% of the audited codebases contained at least one open source vulnerability. More worrying is that 54% of these vulnerabilities were considered to be high-risk, and 17% were very well publicised ones such as Freak, Heartbleed and Poodle. While the most vulnerable open source components were found within the Internet and Software Infrastructure vertical, with 67% of applications containing high-risk vulnerabilities, the cyber-security industry also fared badly with 41% of apps having them as well. [SC Magazine UK | Synopsys]

CA – Apps and Websites Collecting Children’s Data

In recent months, the Cambridge Analytica scandal has raised discussion over the privacy risks associated with online data collection. These risks apply to everyone, including young children, says Florian Martin-Bariteau [see here], assistant professor and director of the Centre for Law, Technology and Society at the University of Ottawa. He says websites and apps that are aimed at children may obtain more personal information about them than they, or their parents, realize. And there are concerns about how all this data may be used – whether it’s for personalized advertising, potentially accessed by hackers, or used by organizations aiming to influence users’ attitudes. Last month, a study in the journal Proceedings on Privacy Enhancing Technologies found thousands of popular children’s apps potentially violate U.S. privacy rules. Researchers found 73% of the 5,855 apps they analyzed transmitted confidential data over the internet, and nearly 20% of them collected identifiers or other personally identifiable information using software development kits (SDKs) that are not intended to be used for apps aimed at children. These findings echo the results of a 2015 global privacy sweep that found many websites and apps that were popular among children collected, and sometimes shared, personal data, including full names, genders and hometowns. That sweep, conducted by the Global Privacy Enforcement Network [see here], which included the Office of the Privacy Commissioner of Canada (OPC), found 62% of websites and apps popular in Canada said they may share users’ personal information with third parties, while only 29 per cent sought parental consent before collecting children’s data. (Since then, the OPC has reported that some apps and websites had responded, including five targeted sites that said they had made changes, such as asking for a parent or guardian’s full name and contact details instead of the child’s.) [Globe & Mail]

Smart Cars

WW – The Vehicles Record Everything Around Them—And Can Be Used To Profile Pedestrians

According to officials at Waymo, the company developing Google’s self-driving cars, its autonomous vehicles are months away from reaching everyday people. Since January 2017, the organization has sent test cars to motor around cities including Atlanta, Austin, Detroit, and Phoenix. Driving more than 2.7 million miles without human input, the vehicles have only been involved in one accident—a fact that’s prompted Waymo’s chief executive John Krafcik to announce that its fleet could ferry ordinary Phoenix residents as soon as next year. In short—self-driving cars have arrived. There are, however, huge risks. Hacking, software failures, and letting computers make life-and-death decisions inspire unease among individuals. But for one industry expert, the biggest issues will be around data collection and privacy. “The technology works through a number of sensors. The principal one is lidar—a radar that uses infrared light to give a very accurate 3D picture. Then there’s radar for longer-distance detection, and ultrasonic sensors for things that are close—similar to the back-up warnings in a regular vehicle. There are also cameras with machine vision that check for traffic lights, road signs, and other obstacles. It sees 360-degrees around itself, 10 to 20 times a second. That’s a lot of data.” “These vehicles aren’t just going to have data on your journey,” he says. “They see everything from the road. Even if you don’t sign up to their services, if you’re out on the streets, it’s possible to see you regularly, profile you—even without facial recognition—and learn things about your habits. “These cars are basically mobile sensors that gather data,” he continues. “We can use them to wherever we want data to be collected. So overnight, between the hours of midnight and seven in the morning, most people aren’t looking for a ride. If a company owns a fleet of vehicles, they can offer those cars to businesses or factories that want external security. 
The vehicle can be parked outside the premises, and companies would pay to have it monitor the surroundings. There are whole new business models that could be based on the sensors on these vehicles.” [Straight]

CA – Smart Cars: Meaningful Consent Plays Vital Role

The OPC Canada appeared before the Standing Committee on Transport, Infrastructure and Communities regarding their study of automated and connected vehicles in Canada. The OPC Canada believes drivers do not necessarily need to control how information is used for road safety purposes and proper functioning of the vehicle, but many other situations should be subject to individual choice (e.g., collection and use of biometric or health data); in complex situations, consent should be supported by industry codes of practice, organizational accountability and privacy by design. [OPC Canada – Appearance Before the Standing Committee on Transport Infrastructure and Communities in Relation to its Study of Automated and Connected Vehicles in Canada.]

Surveillance

US – Spy Agency NSA Triples Collection of U.S. Phone Records: Official Report

The U.S. National Security Agency collected 534 million records of phone calls and text messages of Americans last year, more than triple the number gathered in 2016, a U.S. intelligence agency report [see PR here & 41 pg PDF here] released on Friday said. This occurred during the second full year of a new surveillance system established at the spy agency after U.S. lawmakers passed a law in 2015 that sought to limit its ability to collect such records in bulk. The 2017 call records tally remained far less than an estimated billions of records collected per day under the NSA’s old bulk surveillance system, exposed by Edward Snowden in 2013. The records collected by the NSA include the numbers and time of a call or text message, but not their content. The report also showed a rise in the number of foreigners living outside the United States who were targeted under a warrantless internet surveillance program, known as Section 702 of the Foreign Intelligence Surveillance Act, that Congress renewed earlier this year. [Reuters and at: Forbes, ZDNet, CSO Online, Common Dreams and GIZMODO]

Telecom / TV

CA – Ontario Bill Prohibits Unsolicited Phone Calls

Bill 27, the Stop the Calls Act, 2018, has been introduced for first reading in the Ontario Legislature. The Act would come into force two months after receiving Royal Assent. If passed, prior consent (orally, in writing, or other affirmative action) must be obtained for calls selling or advertising a product or service; contracts entered into based on an unsolicited call will be void (consumers are entitled to repayment for the product or service, and reasonable costs incurred for uninstalling and returning the product), and violations can result in fines ranging from $5,000 to $25,000. [Bill 27 – An Act to Prohibit Unsolicited Phone Calls for the Purpose of Selling, Leasing, Renting or Advertising Prescribed Products or Services – Legislative Assembly of Ontario | Bill Status | Bill Text]

+++

24 April – 05 May 2018

Biometrics

US – Legal Ambiguity Surrounds Biometric Authentication

A recent report involving a police attempt to use a dead man’s fingerprint to unlock his phone is a reminder of the problems with biometric security and the legal protections for users of the technology. Additional reporting shows the practice is “relatively common” among law enforcement, highlighting the legal ambiguity associated with biometric authentication. Although there may be vulnerabilities with passwords, the article states that current legislation does not extend the same protections to biometric authentication as it does to traditional passwords. [TechRepublic]

US – Facial Recognition May Be Coming to a Police Body Camera Near You

Axon, the maker of Taser electroshock weapons and the wearable body cameras now used by most major American city police departments, has voiced interest in pursuing face recognition for its body-worn cameras. It convened a corporate board devoted to the ethics and expansion of artificial intelligence, a major new step toward offering controversial facial-recognition technology to police forces nationwide. The technology could allow officers to scan and recognize the faces of potentially everyone they see while on patrol. A growing number of surveillance firms and tech start-ups are racing to integrate face recognition and other AI capabilities into real-time video. A group of 42 civil rights, technology and privacy groups, including the ACLU and the NAACP, sent board members a letter voicing “serious concerns with the current direction of Axon’s product development.” The letter urged an outright ban on face recognition, which it called “categorically unethical to deploy” because of the technology’s privacy implications, technical imperfections and potentially life-threatening biases. [WashPost and at: NBC News, PCMag, Fortune, Engadget and The Verge]

Canada

CA – OPC Canada Calls for Commitment to Privacy in Smart Cities

The OPC Canada and a number of provincial and territorial counterparts sent an open letter to the federal government regarding personal information handling in smart cities: the government recently launched a competition for submissions of proposals for smart city designs. Data that smart technologies collect and use can come from many sources, often without knowledge, consent or an opportunity to opt-out; privacy impact and threat risk assessments must be conducted, data governance and privacy management programs put in place (appointing a privacy lead, breach response, and monitoring compliance), and full transparency of information practices provided. [OPC Canada – Joint Letter to the Minister of Infrastructure and Communities on Smart Cities Challenge | Press Release]

CA – Court Finds Tribunal Secrecy Unconstitutional

The Ontario Superior Court declared as “invalid” provisions of Ontario’s Freedom of Information and Protection of Privacy Act that delay or block public access to tribunal records [he ruled they violate section 2(b) of the Charter]. The province has one year to consider how to make its tribunal system more open and accessible to journalists and the public. Ontario’s network of provincial tribunals rule on matters as important as human rights, workplace safety and police conduct, and have been operating well outside the spirit and practice of an open court system for far too long. Tribunals were born of the court system and designed to hive off specialized matters and relieve overburdened courts. They were not created to drop a veil of secrecy over important matters of public interest. But that, unfortunately, is what’s been happening far too often in Ontario. [Toronto Star v. AG Ontario, 2018 ONSC 2586 | Ontario Court says FOI statute fails in providing access to administrative tribunal records | Toronto Star | Ontario’s tribunals ‘fundamentally different’ from courts, province argues | Ontario says tribunals should not be as open as courts]

CA – Ontario Law Firm Files Class Action Suit Against Facebook

A London, Ontario-based law firm [Siskinds LLP] has launched a class action lawsuit against Facebook and its Canadian subsidiary for the social network’s role in the Cambridge Analytica data privacy scandal. The filing was submitted to the Ontario Superior Court of Justice on May 2nd, 2018 — the same day that Cambridge Analytica announced that it would be ceasing its operations in the U.K. The class action seeks $62,216,100 CAD in damages as well as an additional $1,000 for all Canadian Facebook users affected by the breach. Facebook reported that 622,160 Canadians were affected by the Cambridge Analytica privacy scandal. While the class action mentions Cambridge Analytica, it’s important to note that the lawsuit doesn’t seek damages from the U.K.-based data analytics company. Instead, the suit specifically outlines Facebook and Facebook Canada as the sole defendants. Siskinds lawyer Sajjad Nematollahi said that the “class action concerns the fundamental privacy rights of hundreds of thousands of Canadians, and engages the interests of Canadians at large in protecting the privacy of their affairs.” [Mobilesyrup and at: The Toronto Star]

CA – OIPC SK Permits Disclosure of Termination Letter

This OIPC SK report investigated the Northern Lights School Division No. 113’s disclosure of personal information pursuant to: The Local Authority Freedom of Information and Protection of Privacy Act; and The Local Authority Freedom of Information and Protection of Privacy Regulations. A school board whose former employee was assigned by a new employer to work in the board had the authority to disclose the letter to the new employer; the letter was a concise expression of the reasons why the board did not want the individual working in their schools or with their students, and the board respected the data minimization principle by redacting an irrelevant paragraph containing the individual’s PI. [OIPC SK – Investigation Report 296-2017 – Northern Lights School Division No. 113]

CA – IPC ON Upholds Utility’s Refusal to Confirm or Deny FOI Records

Ontario IPC order reviewed the response by Toronto Hydro Corporation to a request for records pursuant to the Municipal Freedom of Information and Protection of Privacy Act. Confirmation or denial of records concerning possible privatization would constitute an unlawful act by the utility under another governing provincial statute, and the utility has not made any public statement on the matter (the mayor may have, but not the utility itself). [IPC ON – Order MO-3575 – Appeals MA16-132 and MA16-133 – Toronto Hydro Corporation]

Consumer

US – Citizens Do Not Trust Tech Companies to Protect Their Data: Study

A survey conducted by HarrisX found U.S. citizens do not trust tech companies to protect their information. Of the respondents polled within 24 hours of Facebook CEO Mark Zuckerberg’s testimony on Capitol Hill, 83% said tougher regulations and penalties are needed for privacy breaches, while 67% said they support privacy legislation, such as the EU General Data Protection Regulation. However, 38% believe the federal government is not capable of regulating large tech companies. When asked about specific tech companies, 44% said they do not believe Facebook cares about privacy, with Twitter having the next highest number at 33%. [Axios]

E-Government

CA – OIPC Ontario Says Smart Cities Privacy ‘Must Be Front and Centre’

Ontario’s information and privacy commissioner Brian Beamish believes that privacy and security need to be part of the discussions surrounding smart city projects in the province. In an April 26th, 2018 media release [see PR here also see 5 pg PDF letter to Minister], Beamish wrote that “privacy and security of citizens must be front and centre in smart city projects.” Beamish’s statement comes amidst a series of smart city ventures taking place across Ontario — most notably, the Sidewalk Toronto venture between Waterfront Toronto and Alphabet’s Sidewalk Labs urban development firm. [Mobilesyrup | Critics seek more details from Sidewalk Labs about proposed Toronto neighbourhood, The Economist | Smart Cities Are The Next Frontier In The Data Protection Debate | Data solutions present ‘smart’ way for cities to grow, says Surrey | Sidewalk Labs proposal stirs fears, raises hopes]

CA – Ottawa Sees Internet Data Cloud as Alternative to Computer Systems

The federal government is willing to accept the privacy and security risks of storing data in the internet cloud as an alternative to its own aging computers that are “at risk of breaking down,” says an internal policy paper. The federal paper on “data sovereignty,” obtained through the Access to Information Act, fleshes out the government’s plan to embrace the cloud as a solution to its file management woes. Privately run cloud companies provide customers, such as federal departments, with virtual computer services — from email systems to vast storage capacity — using software, servers and other hardware hosted on the company’s premises. The government sees the cloud as a way to meet the needs of Canadians in an era of increasing demand for online services. However, the paper says, “a number of concerns” related to data control, protection and privacy have been raised within the government. [CBC and at: 6 Ways Cloud Computing Technology Is Changing | How cloud technology can help seal cyber loopholes | Box CEO Aaron Levie talks Canada, AI and the future of cloud computing]

CA – Electoral Reform Bill Lacks Voter Privacy Detail: Professor

According to professor Colin Bennett of the University of Victoria, the guidelines laid out in the Liberals’ omnibus bill on electoral reform [the Elections Modernization Act – Bill C-76 – see PR here] about the use of public information during elections are “pretty minimal,” and not much more than what the parties already say in their privacy policies, which he has analyzed and thinks have a lot of shortcomings. Bennett’s research on privacy rights, surveillance, social networks and their impact on democratic values led him to the House of Commons ethics committee last week. There, he stressed that the committee acknowledge the urgent need to “bring our political parties within Canada’s regime of privacy protection law.” He noted that there’s a severe lack of knowledge among the Canadian public, and within government, about how much data is gathered by political parties, with little to no accountability. How social media fits into the conversation and whether data gathered on those platforms is included in the proposed privacy provisions is also not listed in Bill C-76’s current form. Canada’s current privacy protection laws applied to political parties are scattered across institutions and laid out in a variety of regulations. PIPEDA’s mandate covers part of this issue, the Privacy Act, the CRTC, and the Canada Elections Act cover other aspects. [iPolitics, CBC News, CTV News, The Globe and Mail, IT World Canada and Liberal elections bill looks to make voting easier, tighten rules on privacy, spending]

US – Waze Announces Data-Sharing Agreement with Traffic Analytics Startup

Waze announced a data-sharing agreement with artificial intelligence–based traffic management startup Waycare. Part of the company’s Connected Citizens Program, Waycare will collaborate with Waze to combine anonymized navigation data crowdsourced from drivers who use Waze with Waycare’s traffic analytics, including proprietary deep learning algorithms to figure out how to improve traffic and road conditions. While the partnership is active in Nevada, Florida, California and Nevada, there are plans to expand coverage over the next year. [TechCrunch]

E-Mail

CA – Canadian Privacy Commissioner Investigates Rogers, Yahoo Over Email Terms of Service Issue

The OPC has confirmed that it is investigating both Rogers and Oath over recent changes to Oath’s terms of service agreement. Additionally, the OPC confirmed that the company [Oath] responsible for providing email services to Rogers email customers has removed the clause related to “personal data of friends and contacts” from its terms of service, as it was deemed unnecessary. The Rogers email service is powered by Yahoo, which was acquired by U.S.-based telecommunications service provider Verizon in 2017. In turn, Verizon — which also owns AOL — merged both Yahoo and AOL into a new company called Oath in 2017. [Mobile Syrup and at: The Globe and Mail, Canadian Press (via CTV) and iPhone in Canada]

Encryption

US – Tech Giants Hit by NSA Spying Slam Encryption Backdoors

A tech coalition formed in 2014 and called Reform Government Surveillance including Apple, Facebook, Google, Microsoft, and Verizon and Yahoo’s parent company Oath, which focuses on efforts to reform government surveillance, said in a statement that it continues to advocate for strong encryption, and decried attempts to undermine the technology. The renewed criticism follows a lengthy Wired article, in which former Microsoft software chief Ray Ozzie proposed a new spin on key escrow. But security experts and cryptographers say that any kind of backdoor can’t be done without it risking being abused or exploited by hackers — and criticized Ozzie’s plan as flawed. The statement comes a week after the group announced the importance of strong encryption as a new core principle behind its mission, calling on governments to “avoid any action that would require companies to create any security vulnerabilities in their products and services.” [ZDNet and at: AppleInsider and iPhone in Canada]

EU Developments

UK – High Court Rules Part of Snoopers’ Charter Illegal

The High Court has ruled part of the government’s controversial Investigatory Powers Act illegal, giving ministers just six months to redraft it. Rights group Liberty is celebrating after the first part of its crowd-funded legal bid to force the government to change large chunks of the so-called ‘Snoopers’ Charter’ largely succeeded. The ruling focused on part four of the legislation, related to the mandate that communications providers and ISPs retain phone records, location data, internet browsing history and info on everyone a user emails and texts for a year. Dozens of public bodies including local police forces and financial regulators can access this information without independent authorization and for reasons unrelated to investigating terrorism or serious crime. However, the court didn’t agree that the IPA was unlawful in allowing for “general and indiscriminate retention of traffic and location data.” [InfoSecurity and at: Out-Law (Pinsent Masons), Silicon UK, Help Net Security, Tom’s Hardware and The Guardian]

EU – Facebook Denied A Stay to Schrems II Privacy Referral

Earlier this week Facebook’s lawyers had asked the Irish High Court to stay the referral to the CJEU of a number of key legal questions pertaining to existing data transfer mechanisms that are being used by thousands of companies (Facebook included) to authorize flows of personal data outside the bloc. Both the lawfulness of Standard Contractual Clauses and the EU-US Privacy Shield mechanism are now facing questions as a result of this challenge. However, in a ruling today the Irish High Court denied the company’s request for a stay on the CJEU referral — with the judge ordering the referral to be immediately delivered to the Court of Justice, and emphasizing the risk that “millions” of EU data subjects, including privacy campaigner and lawyer Max Schrems whose complaint triggered the court case and subsequent referral, could be having their data processed unlawfully. [TechCrunch and at: The Irish Times, Irish Examiner, ComputerWeekly, Reuters, Tom’s Hardware and also Reuters, U.S. News & World Report, FirstPost and The Register | Facebook is trying to block Schrems II privacy referral to EU top court | Is this a Perfect Storm Toward Privacy Shield’s Demise?]

EU – EC Proposes Rules for Protection of Whistleblowers

The European Commission proposed new rules for the protection of whistleblowers. Legal entities will be required to design, set up and operate reporting channels in a manner that ensures confidentiality of the identity of the reporting person and prevents access by non-authorized staff members; any processing of personal data shall be done in accordance with the GDPR, and personal data not relevant for handling the report must be immediately deleted. [EC – Proposal for a Directive of the EU Parliament and Council on the Protection of Persons Reporting on Breaches of Union Law | Communication from EC to EU Parliament | Factsheet on whistleblower protection]

EU – Companies Turn to Blockchain Ahead of GDPR

As businesses invest in innovative technologies to preserve their data-heavy business models ahead of the EU GDPR, some are turning to implementing blockchain technology. Market research company YouGov is one such company turning to blockchain to ensure the survival of its data-driven business under the GDPR. YouGov CEO Stephan Shakespeare said, “The blockchain, being visible and public, shows a receipt for the information used,” adding, “That lets people know their permissions are being respected.” Speaking at a conference, Amber Baldet, the former head of JPMorgan Chase & Co.’s blockchain program, said the focus should be on creating a “privacy preserving system that gives us the option to create something that might be disruptive.” [AdExchanger]

WW – IAB Releases Transparency & Consent Framework

IAB Europe and IAB Technology Laboratory released the technical specifications for their Transparency & Consent Framework, designed to help organizations comply with the EU GDPR. The framework will help organizations make users aware of the ways online services use personal data and how third parties use their data for targeted advertising. “The Transparency & Consent Framework will sit at the intersection of users, publishers, and the third-party partners (vendors) that support the publishers in monetising their content, giving both users and publishers more control and transparency in the new environment,” IAB Europe CEO Townsend Feehan said. [IAB.org]

UK – Denham Calls for More Powers to Investigate Data Breaches

U.K. Information Commissioner Elizabeth Denham voiced her agency’s need to have more power to investigate data breaches. Denham made the plea while discussing the U.K. Information Commissioner’s Office’s investigations of the Facebook-Cambridge Analytica revelations, where her agency is currently looking into 30 different organizations. In order to look into data breaches, Denham said there needs to be a “streamlined warrant processes with a lower threshold than we currently have in law.” Denham also discussed the agency’s funding status, and the expectation is for the ICO to have 700 staff members by 2020. [MediaPost]

Facts & Stats

US – Equifax’s Data Breach Expenses Reach $242.7M

In its first-quarter earnings report, Equifax revealed it has spent $45.7 million on IT and data security and $28.9 million on legal fees, bringing the total amount it has spent since its September 2017 data breach to $242.7 million so far. Equifax spent $114 million in 2017 on the breach, with $50 million of it having been covered by insurance. The company plans to spend heavily on IT through 2019 and has been bringing in new staff members to strengthen its security efforts. “We’re investing heavily to ensure we’re market leaders around data security and we will also enhance the transparency of all our transformation efforts with all our constituents, our customers, consumers and the public as we drive this transformation forward,” Equifax CEO Mark Begor said. [ZD Net]

Filtering

CA – BC Supreme Court Upholds De-Indexing Order

The Court considered a request by Google to set aside a previous court order requiring it to de-index specific search results. The US search engine must continue to stop indexing or referencing websites selling infringed product outside Canada (despite a US court ruling that it did not have to comply); there is no US law prohibiting de-indexing of websites, and the injunction has been somewhat effective (the website owners have had to constantly evade the injunction by creating new websites). [Equustek Solutions Inc. et al. v. Morgan Jack et al. – 2018 BCSC 610 (CanLII) – Supreme Court of BC]

EU – Law Would Change Relationship Between Tech Companies, Small Businesses

The European Union has proposed a law regulating tech companies’ relationship with smaller businesses. The bill specifically targets app stores, search engines, and e-commerce sites and will require them to be transparent about their methods for ranking search engine results and their processes for delisting services. Companies will also be given the opportunity to sue those tech organizations if they are found to have violated the new rules. “Platforms and search engines are important channels for European businesses to reach consumers but we must make sure they are not abusing their power, and thus bring harm to their business users,” the EU Commissioner for the Digital Economy said. [Reuters]

Finance

CA – IIROC Proposes Cybersecurity Incident Reporting

The Investment Industry Regulatory Organization of Canada (IIROC) proposes amendments to require dealer members to report cybersecurity incidents. Dealer members would be required to report any unauthorized access, disruption, or misuse of their information systems within 3 calendar days of discovery; incidents would not need to be reported unless they result in substantial harm or inconvenience to any person, have a material impact on normal operations, invoke the business continuity/disaster recovery plan, or require notification to government agencies, securities regulators, or other self-regulatory organizations. [IIROC – Proposed Amendments to Dealer Member Rule 3100 – Reporting and Recordkeeping Requirements]

US – Americans Skeptical Financial Services Can Protect their Data

Financial clients have little to no confidence in financial companies to protect their data, and are generally skeptical that corporations and government agencies can do so. According to a study by the New York City-based American Institute of CPAs (AICPA), 80% of Americans say ID theft is “likely” to cost them financially sometime in the next year. Cybercrime cost U.S. consumers $19.4 billion in 2017. Evidence is beginning to mount that the financial sector is increasingly a target of data thieves. According to the Verizon 2018 Data Breach Report, data breach attacks against financial institutions are at an all-time high. Banking trojan botnets and denial of service (DoS) are the most common attacks in the financial industry. In such a vulnerable and risk-laden data security environment, what can financial advisory firms do to hold (and boost) the trust of clients worried about the safety of their private data? Here’s a short list of tips to get that job done: 1) Learn where the weak spots are in your clients’ knowledge of online fraud; 2) Empower your customers to be their own security experts; and 3) Instill loyalty in your clients by providing them with 360-degree awareness of not only their financial situation but also their security situation. [Insurance News]

FOI

CA – Timeline Covers Events Leading Up to, Following Nova Scotia FOI Breach

CBC News has compiled a timeline of the events leading up to the breach of the Nova Scotia government’s freedom-of-information website. The timeline dates back to April 2016, when design work began on the website, covering Auditor General Michael Pickup’s concerns with the software used on the website in November 2016, the launch of the portal in January 2017, and the illicit download taking place March 3 this year. Other events cover the fallout from the breach, including the arrest of the 19-year-old man connected to the breach, statements made by the suspect, and the support he has received from tech professionals from around the world. Pickup’s office announced it will conduct an audit of the province’s privacy services in response to the breach. [CBC]

WW – What Estonia Can Teach Privacy Pros About Blockchain

Though a small nation in northeastern Europe, Estonia has long been a leader in digital government services with strong information security. It was the first country to vote online, and nearly all citizens can now file their taxes online. But the nation isn’t stopping there. According to former Estonian President Toomas Hendrik Ilves, “Estonia is now a blockchain nation.” In this third post in a three-part series on blockchain for Privacy Tech, Duff & Phelps Regulatory Consultant Seth Litwack discusses a practical use case of blockchain for privacy pros through the lens of Estonia. [IAPP.org]

Genetics

WW – DNA Facial Prediction Could Make Protecting Your Privacy More Difficult

Everywhere we go we leave behind bits of DNA. We can already use this DNA to predict some traits, such as eye, skin and hair colour. Soon it may be possible to accurately reconstruct your whole face from these traces. This is the world of “DNA phenotyping” – reconstructing physical features from genetic data. Research studies and companies like 23andMe sometimes share genetic data that has been “anonymised” by removing names. But can we ensure its privacy if we can predict the face of its owner? Here’s where the science is now, and where it could go in the future. [The Conversation | See also: Calgary police use DNA technology to sketch mother of infant found dead in Calgary dumpster and at: The Canadian Press, CBC News and BBC News]

Health / Medical

UK – NIH Seeks Health Data of 1 Million People, Genetic Privacy an Issue

The National Institutes of Health announced the launch of its attempt to enroll 1 million people in a landmark research effort aimed at developing “personalized” methods of prevention, treatment and care for a wide variety of diseases. Its goal is to supplement and in some cases replace the need to repeatedly recruit human subjects for research by providing a huge database of health and lifestyle information for scientists to plumb. NIH Director Francis Collins and the project’s director, Eric Dishman, said volunteers’ personal data will be carefully shielded. They said the information is off limits to subpoenas and search warrants via “certificates of confidentiality” given to each subject. The rules protect researchers from being forced to release identifying information in judicial proceedings. Personalized medicine, also known as “precision medicine,” is a relatively new approach to treatment that uses genetic and other information to develop therapies targeted at individuals rather than groups of people. Information culled from the project will be available at three levels: some to the general public, some under more tightly controlled circumstances to researchers because of the risk of identifying people participating in the trial, and the rest under the tightest control because of that risk. Participants in the study will have access to their information at all times. Organizers are recruiting only adults but hope to include children later. [WashPost and at: Stat News and Associated Press]

Horror Stories

AU – Info Watchdog ‘Dropped the Ball’ Over Huge Bank Data Loss

Australia’s information commissioner has “dropped the ball” by not reacting to the loss of data from 19m Commonwealth Bank customer accounts, privacy campaigners have said. Kat Lane, the vice chair of the Australian Privacy Foundation, has criticised the Office of the Australian Information Commissioner (OAIC) after it failed to tell customers of CBA that their personal account information had been misplaced. “It’s unclear to me how the bank and two regulators came to the view that we weren’t entitled to know. They dropped the ball,” she said. The Commonwealth Bank is in damage control after admitting it may have lost control of data – including customer names, addresses, account numbers and transaction details – of almost 19 million customer accounts, covering a period from 2000 to early 2016, and that it never told its customers. [The Guardian and at: The National Business Review, The Australian Financial Review, ABC Online, Financial Times and ZDNet]

US – Cambridge Analytica to File for Bankruptcy After Misuse of Facebook Data

Cambridge Analytica announced that it would cease most operations and file for bankruptcy amid growing legal and political scrutiny of its business practices. The decision was made less than two months after Cambridge Analytica and Facebook became embroiled in a data-harvesting scandal that compromised the personal information of up to 87 million people. In a statement posted to its website, Cambridge Analytica said the controversy had driven away virtually all of the company’s customers, forcing it to file for bankruptcy in both the United States and Britain. The elections division of Cambridge’s British affiliate, SCL Group, will also shut down, the company said. Cambridge Analytica also said the results of an independent investigation it had commissioned, which it released on Wednesday, contradicted assertions made by former employees and contractors about its acquisition of Facebook data. The report played down the role of a contractor turned whistle-blower, Christopher Wylie, who helped the company acquire Facebook data, calling it “very modest.” [NY Times and at: The Associated Press, BBC News, GIZMODO and The Wall Street Journal]

WW – Unsecured Database Exposed Personal Data of Cryptocurrency Investors

A recent report from Kromtech Security found that a MongoDB database was left unsecured, exposing sensitive personal data for more than 25,000 investors in the new Bezop cryptocurrency. The report stated “full names, addresses, email addresses, encrypted passwords, wallet information, along with links to scanned passports, driver’s licenses, and other IDs” were involved in the data breach. Bezop Chief Technology Officer Deryck Jones notified those impacted by the data breach that the company had been targeted by a distributed-denial-of-service attack, as well as “security holes exposing that data.” [Gizmodo]

Intellectual Property

CA – Rogers Personal Data Fees Case Raises Privacy Concerns

A case in front of the Supreme Court of Canada has raised privacy concerns. Rogers Communications has filed an appeal in a case with Voltage Pictures over whether it has the right to charge fees for offering personal data on its subscribers to a copyright holder. Voltage Pictures has attempted to gather the information of Rogers subscribers who have illegally downloaded its movies in order to file a lawsuit but has asked the telecom to provide the information for free. Internet Policy and Public Interest Clinic Lawyer Jeremy de Beer offered a warning about the case in his court briefing. “Courts should be especially concerned about innocent defendants caught in the ‘dragnet’ of online copyright enforcement,” de Beer said. [iPolitics]

Internet / WWW

WW – Twitter Updates Privacy Policy Ahead of GDPR

Twitter is changing its privacy policy and will let users opt out of letting the social media platform share their data with its business partners ahead of major new rules set to come into effect next month in Europe. The changes, announced by Twitter, will also apply to users in Canada. According to a blog post published by the company, the new privacy policy focuses on giving users more controls over their personal data and how it is shared by Twitter with developers and business partners. It will go into effect on May 25, which is the same day the European Union’s new General Data Protection Regulation (GDPR) will go into effect and place tough new requirements on companies to comply with tightened consumer and data protection rules. So what exactly do the new changes do and how can you tighten what data the company collects on you? [Global News and at: MarTech Today, Reuters and CNET]

WW – Google Aims to Give Users More Privacy Control in Gmail Update

Google announced updates to the web-based Gmail platform that aim to make email more efficient and give users more control over how their email is used by others. A new “confidential” mode is designed to afford users greater privacy controls, giving users the ability to prohibit others from forwarding, copying, downloading or printing a message. The update also allows users to set an expiration period for a message. Meanwhile, some argue vulnerabilities would be easy to expose. Sydney Li, a staff technologist at the Electronic Frontier Foundation, called the new “confidential” mode misleading, adding, “This ‘privacy’ feature is potentially harmful to users with a real need for private and secure communications.” [Google Blog]

Law Enforcement

US – Virginia Court Rules ALPR System May Violate State Law

The Supreme Court of Virginia ruled that automatic license plate reader data is “personal information” (it infers personal characteristics about a vehicle owner and his/her presence in a certain location at a certain time) and that police “passive use” of ALPR data (i.e. randomized surveillance not related to criminal investigations) is not exempt from the state’s Government Data Collection and Dissemination Practices Act. Previously, the case filed by the American Civil Liberties Union was dismissed after a Fairfax County judge ruled license plate data was not personal information. [Harrison Neal v. Fairfax County Police Department et al. – 2018 Va. LEXIS 42 – Supreme Court of Virginia | Coverage at: The Associated Press]

Privacy (US)

US – EPIC asks the FTC to Investigate Facebook for Deceptive Practices

The advocacy group Electronic Privacy Information Center (EPIC) has filed a complaint before the FTC against Facebook for violations of the Federal Trade Commission Act. EPIC believes that Facebook’s revisions to user privacy settings constitute an unfair and deceptive trade practice; Facebook now categorizes as “publicly available information” the user’s name, profile photos, lists of friends, pages they are fans of, gender, etc., resulting in these categories of data no longer being subject to user privacy settings. EPIC is pushing for the unredacted release of biennial privacy assessments that Facebook agreed to submit under a 2011 consent agreement with the FTC. The FTC recently released a heavily redacted version of the latest assessment, from 2017 and conducted by the firm PwC, which signed off on Facebook’s privacy program. [EPIC v Facebook – Complaint Request for Investigation Injunction and Other Relief – Before the Federal Trade Commission | Coverage at: The Hill and Compliance Week]

US – FTC Puts Kids Smart Watches on Privacy Watch List

The FTC has sent warning letters to two foreign companies about kids-targeted smart watches and apps sold through the Google Play and Apple iTunes stores. The FTC has told China-based Gator Group and Sweden-based Tinitell Inc. that they could be running afoul of the Children’s Online Privacy Protection Act (COPPA) — Gator Group with its Kids GPS Gator Watch (billed as a child’s first cell phone) and Tinitell with its app that works with a mobile phone worn as a watch. In the letters, copies of which were sent as an FYI to Google and Facebook, the FTC pointed out that even though they are based outside the U.S., the companies are required to comply with COPPA when their products are directed to kids in the U.S. [Broadcasting & Cable and at: Wareable and The Outline]

US – Blu Phone Maker Settles with FTC Over Data Privacy

The company behind low-priced, top-selling phones on Amazon has reached a settlement with the US FTC over privacy practices. After security researchers discovered in 2016 that Blu’s phones were sending personal data — including text messages, contact lists and locations — to servers in China, the Florida-based company said it would update the software to fix the “mistake.” Eight months later, the same security researchers found that Blu phones were still siphoning off the same data to Chinese servers. The issue is tied to preinstalled software from a company called Shanghai Adups Technology. The software, which Blu uses to help update phones, mined data and couldn’t be removed. Blu didn’t tell consumers their phones were sending that data to Chinese servers, according to the FTC. The company agrees to a security plan regarding security risks with all its devices, both new and old. Blu will also be required to undergo third-party checks every two years for the next 20 years. Blu and its president, Samuel Ohev-Zion, will also be prohibited from misleading the public about how it protects people’s privacy. Breaking the terms of the settlement could result in a fine of up to $41,484 for each violation. The settlement isn’t final. It’s open for public comment until May 30. [CNET and at: Android Police, PC Mag, Ubergizmo and Ars Technica]

US – WhatsApp Founder Plans to Leave After Broad Clashes With Parent Facebook

Chief executive of WhatsApp, Jan Koum, is planning to leave the company after clashing with its parent, Facebook, over the popular messaging service’s strategy and Facebook’s attempts to use its personal data and weaken its encryption, according to people familiar with internal discussions. Koum, who sold WhatsApp to Facebook for more than $19 billion in 2014, also plans to step down from Facebook’s board of directors, according to these people. The date of his departure isn’t known. The independence and protection of its users’ data is a core tenet of WhatsApp that Koum and his co-founder, Brian Acton, promised to preserve when they sold their tiny start-up to Facebook. It doubled down on its pledge by adding encryption in 2016. The clash over data took on additional significance in the wake of revelations in March that Facebook had allowed third parties to mishandle its users’ personal information. [WashPost and at: The Verge, The Guardian, Reuters and TechCrunch See also: WhatsApp agrees not to share user info with the Zuckerborg… for now – ICO probe: No legal basis for Facebook slurps| TechCrunch, The Guardian, The INQUIRER, 9to5Mac and FutureScot and France puts Facebook on notice over WhatsApp data transfers | The Guardian, Reuters, Android Headlines and ZDNet]

Security

UK – 43% of Businesses Suffered A Cyberattack Over Last 12 Months

A study from the U.K. Department for Digital, Culture, Media and Sport found 43% of British businesses suffered a cyberattack over the past 12 months. The overall number of affected organizations dropped from 46% last year but rose among large businesses, growing from 68 to 72% in the 2018 survey. The survey found data breaches cost organizations more than 22,000 GBP. Meanwhile, another study conducted by Proofpoint finds 25% of employees still answer questions on protecting confidential information incorrectly, a result raising some alarms as the EU General Data Protection Regulation draws closer. [Info Security]

NZ – App Inadvertently Shared Personal Customer Data

New Zealand electricity network provider Vector reported a glitch in the company’s Outage app that exposed the email address, GPS location, and phone number of customers who downloaded that app. The app, which is designed to help customers report power outages, allowed for anyone with the app to access other customers’ data without evading security measures. Vector Chief Digital Officer Nikhil Ravishankar said, “While we believe we have identified the app vulnerability and taken steps to prevent future app users’ data being accessible, and work has already commenced to overhaul the Vector Outage App, I have taken the immediate step of disabling the Vector Outage App until we can have total confidence our customers’ data remains secure while using it.” [Stuff.nz]

Surveillance

US – Oakland Passes “Strongest” Surveillance Oversight Law in US

The Oakland City Council formally approved a new city ordinance [passed unanimously] that imposes community control over the use of surveillance technology in the city. Oakland is now one of a number of California cities, including Berkeley and Davis, that mandates a formal annual report that details “how the surveillance technology was used,” among other requirements. The city has now also created a “Privacy Advisory Commission“, or PAC. This body, composed of volunteer commissioners from each city council district, acts as a privacy check on the city when any municipal entity (typically the police department) wants to acquire a technology that may impinge on individual privacy. The new law requires that the PAC be notified if the city is spending money or seeking outside grant money to be spent on any hardware or software that could potentially impact privacy. Notably, Oakland’s law specifically includes provisions that forbid non-disclosure agreements and protect whistleblowers. [Ars Technica and at: East Bay Times, Gizmodo, Boing Boing and also: Technology turns our cities into spies for ICE, whether we like it or not | Oakland Should Ensure Community Control of Surveillance Technology | Berkeley Mayor: We Passed The “Strongest” Police Surveillance Law | Oakland may become rare American city with strict rules for spy gear use | Oakland Privacy Commission Holds Hearing on ‘Stingray’ Cell Phone Surveillance Devices]

CA – Vancouver Says No to CCTV on Downtown Granville Strip

The City of Vancouver will not be installing surveillance cameras along the popular Granville Entertainment District. The motion was discussed along with other proposed changes to the area as part of the city’s liquor policy update at a recent council meeting. Opponents of surveillance cameras questioned their effectiveness. Micheal Vonn, policy director of the B.C. Civil Liberties Association, said while CCTV can help reduce crime in certain contexts and spaces, it has proved less effective in public street corners. “They do nothing to deter drunk people from doing anti-social things,” Vonn said. Privacy is another concern, Vonn said. In this case, she said, the onus is on the city to show it has tried non-surveillance kinds of solutions and it has reason to believe it can solve the problem with surveillance. Ultimately, a city staff report advised against CCTV. [CBC and at: Vancouver Sun and Global News]

Telecom / TV

CA – CRTC’s First CASL Fine Over Sending of Mobile Text Messages

On May 1, 2018, the CRTC announced that the companies operating the 514-BILLETS ticket resale business agreed to pay $100,000 as part of a voluntary settlement of alleged violations of Canada’s Anti-Spam Legislation (commonly known as “CASL”) regarding the sending of text messages without the recipient’s consent and without prescribed information about the message sender. The undertaking is the first settlement of an investigation regarding the sending of text messages to mobile devices. There are a number of important steps that an organization might take to enhance its CASL compliance and mitigate the risks of regulatory enforcement, including: (1) establish/update its CASL compliance program; (2) verify its due diligence documentation; and (3) establish/update its CASL complaint/litigation response plan. [CASL Bulletin (Borden Ladner Gervais) and at: MobileSyrup, The Canadian Press and Cartt | Settlement of Alleged CASL Violation – Text Messages Sent Without Consent or Prescribed Information | Federal government looks to overhaul parts of CASL]

US Legislation

US – California Privacy Proposal Poised to Advance

Voters in California could decide this November whether to approve a ballot initiative that would allow them [more] control over their data. Backers said that they had submitted 625,000 signatures in favor of the initiative — almost twice as many as the 365,880 needed to qualify for a spot on November’s ballot. The California Consumer Privacy Act would require companies to tell consumers what “personal information” has been collected about them, upon their request. The proposed ballot initiative would also give consumers the right to prevent data about them from being sold. Additionally, the measure would increase fines and penalties for businesses that fail to implement reasonable security to protect consumers’ data. The initiative’s sweeping definition of personal information includes not only names, street addresses and email addresses, but also information that many marketers don’t consider personally identifiable — like IP addresses, device identifiers and web-browsing history. [MediaPost | The Mercury News, The Associated Press, IVN News and California privacy initiative likely to increase costs of civil litigation if passed in November | U.S. Senate Duo and California Ballot Initiative Propose to Radically Alter U.S. Consumer Internet Privacy and Upend Digital Advertising | MediaPost Communications | California’s GDPR-Like Privacy Law Could Rewrite Digital Ad Rules]

Workplace Privacy

WW – Study Examines Trends in Privacy Law Compensation

JW Michaels conducted a study on compensation trends for corporate privacy protection counsel. The study examines the qualifications for an ideal candidate and the challenges companies are facing when trying to hire an individual for the position. Several Fortune companies in Silicon Valley, Washington state, San Francisco and one major e-commerce client gave the salaries they are offering to potential employees, the number of years they would like the candidate to be out of law school, and the percentage of equity they could receive. Candidates could receive a salary between $200,000 and $285,000 and up to 25% equity. [JW Michaels]

+++

17-23 April 2018

Biometrics

US – State Court Ruling to Shed Light on Police Use of Biometrics

A decision by the Minnesota Supreme Court [Webster v. Hennepin County see here] will help the public learn more about law enforcement use of privacy-invasive biometric technology. The decision is mostly good news for the requester in the case, who sought the public records as part of a 2015 EFF and MuckRock campaign to track mobile biometric technology use by law enforcement across the country. EFF filed a brief in support of Tony Webster, arguing that the public needed to know more about how officials use these technologies. [EFF and at: Minnesota ACLU and Tony Webster]

US – Keep Facial Recognition Away from Body Cameras

Facial recognition in the U.S. poses a unique and significant threat to privacy, and it’s a threat that is not being adequately addressed. One of the FBI’s facial recognition services allows agents to search through databases that mostly include information related to law-abiding Americans, with only 8% of the facial images in the network being associated with criminal or forensic investigations. This is in part thanks to the fact that the FBI has access to driver’s license photos from at least 16 states as well as passport photos from the State Department. All told, this Facial Analysis Comparison and Evaluation service allows the FBI to access more than 411 million facial images. A Georgetown study on facial recognition estimates that about half of American adults can be found in a law enforcement facial recognition network. Facial recognition poses a unique threat to law-abiding American citizens, millions of whom are in facial recognition networks merely because they drive. Lawmakers can prevent increased risk of surveillance by forbidding real-time facial recognition on police body cameras. With such devices, police won’t need a “Papers, please” law to identify citizens going about their business; our faces will be our papers. [CATO Institute]

WW – Facial Recognition Technology Commonplace at Venues

There is a growing trend of sports and entertainment venues using facial recognition technology to produce data to support fan engagement, sponsorships and security. Lee Igel, a clinical associate professor at New York University’s Tisch Institute for Global Sport, said the practice is nothing new, adding, “What is new, as the Facebook scandal is forcing people to face, is the realization that there is a trade-off between getting the experiences we want and maintaining privacy.” One of the larger companies capturing the market is South African–based company Fancam, which sells its technology to venues across the U.S. Managing Director of North America Michael Proman said, “We anonymize all our data. What’s most important is being able to identify macro level trends, not profile fans.” [CNBC]

EU – Article 29 WP Inquiring About Facebook’s Facial Recognition Feature

The Article 29 Data Protection Working Party sent a letter to Facebook’s Global Deputy Privacy Chief about the facial recognition feature. Clarification is needed on whether Facebook will obtain explicit consent for each feature or a global consent to use images, whether the technology will be used to compare against all images already uploaded to Facebook (or only newly added images), and if templates will be created and retained. [Article 29 WP – Request for Information Regarding Facial Recognition on Facebook]

Big Data / Data Analytics

CA – Quebec Commissioner Issues AI Best Practices

The Commission d’Accès à l’Information du Québec issued recommendations for development of artificial intelligence. Organizations should conduct PIAs to document risks posed by AI projects, adopt default privacy settings (including rigorous access rights and retention periods), designate an internal privacy officer, and be transparent with consumers about measures put in place. They should also determine how to adequately correct algorithmic decisions made based on inaccurate, incomplete or outdated information (the burden should not be placed on consumers). [CAI QC – Brief on Responsible Development of Artificial Intelligence]

Canada

CA – Feds Publish Final Text of New Private Sector Data Breach Reporting Rules

The federal government released the final version of new regulations for the private sector that, once in force, will require businesses to disclose data breaches that pose a “real risk of significant harm” and to notify the privacy commissioner and affected individuals about them “as soon as feasible.” [Canada Gazette at pg 701] The regulations require companies to record any breach they know of and keep those documents for two years. Per a March 26 order-in-council, the new reporting rules will come into force on Nov. 1, 2018. Following that, any company found in violation of the regulations will be subject to fines of up to $100,000. The government pegged the “nationwide cost impact” of the regulations’ enforcement at “less than $1 million per year.” The Gazette also notes the Department of Innovation, Science and Economic Development will “evaluate the need for amendments to the Regulations on an ongoing basis.” An OPC spokesperson said the office “strongly supports” the implementation of the new mandatory breach reporting rules – but at the same time, believes the new regulations represent “limited progress in protecting the personal information of Canadians.” There was mixed reaction to the new regulations. Former Ontario privacy commissioner Ann Cavoukian said the wording in the regulations is far too loose to sufficiently protect consumers. “This lets everybody off the hook,” Cavoukian said. [iPolitics and at: The Globe and Mail | Financial Post]

CA – Facebook Faces Tough Questions Over Canadian Data Collection

Kevin Chan, head of public policy for Facebook in Canada, faced tough questions from MPs about the company’s past practice of allowing third-party developers to access their users’ personal data, a policy that may have violated Canadian law. Just 272 Canadians participated in a personality quiz that allowed the researcher behind the Cambridge Analytica scandal to harvest the data of more than 622,000 Canadians, explained Robert Sherman, Facebook’s deputy chief privacy officer, who also testified before the committee [Standing Committee on Access to Information, Privacy and Ethics here & Minutes of Proceedings here]. In most cases, the data was mined without the knowledge or consent of those affected. Both Sherman and Chan spoke about the need to restore users’ trust in Facebook’s handling of personal data. Chan, who is the company’s public face in Ottawa, was also asked why he has not registered as a lobbyist, despite meeting with numerous federal cabinet members, including Finance Minister Bill Morneau. “At no time has Facebook come close to meeting the threshold for registration as a lobbyist,” Chan said. “We will of course register, if and when we meet the threshold.” Chan said that Morneau requested his assistance in setting up a Facebook Live event for his recent budget. New Democratic MP Charlie Angus expressed some doubt over that explanation. “You are registered as the company’s leading public policy-maker in Canada,” Angus said. “My light bulb breaks, I don’t call the head of General Electric to come and fix it. And yet you show up to help him figure out how to get more ‘likes.’” The committee is scheduled to resume its study of the Cambridge Analytica/Facebook scandal next week. [The Star]

CA – Facebook Promises to Join Registry of Lobbyists

Facebook has said it will join Canada’s registry of lobbyists, after questions were raised over whether it is following the rules when it comes to lobbying the government. In a letter sent to Lobbying Commissioner Nancy Bélanger, NDP MP Charlie Angus [here] questioned whether the social media giant is finding ways around the rules, especially the rules that require it to register its lobbyists. The company has no registered lobbyists, despite frequent meetings with senior decision-makers. After CBC News reported on the controversy, Facebook sent a statement saying it will “soon” register its personnel as lobbyists. “Facebook understands the need for greater transparency and, while we do not meet the threshold required for registration, we are committed to being added to the Lobbyist Registry. We will do so as soon as possible,” a Facebook spokesperson said. [CBC]

CA – Political Parties Self-Police Use of Voters’ Data, Privacy Watchdog Says

The federal privacy watchdog is calling on the government to address what he calls significant gaps in the law that allow political parties themselves to police how they gather and use voter data. Political parties are only bound by internal, voluntary privacy policies in the absence of an independent body to ensure they follow their own rules, federal privacy commissioner Daniel Therrien told [read Commissioner’s statement here] a parliamentary committee [Standing Committee on Access to Information, Privacy and Ethics (ETHI) here]. Therrien has been calling for changes to strengthen privacy laws to cover how political parties use data — a campaign that has been attracting fresh attention in recent weeks following revelations about how Facebook and other companies treat the personal data of their users. [CTV News and at: Global News, CBC News, Toronto Star, Financial Post and Radio Canada International]

CA – What Are Quebec’s Political Parties Doing With Your Personal Information?

The Facebook/Cambridge Analytica data abuse controversy comes at a critical time for political parties in Quebec. They are already gearing up for the October election, and amassing information on voters is the lifeblood of any campaign. But they are now also facing greater scrutiny about how they gather information about voters, and what they do with it. Here is a closer look at the big data techniques Quebec parties are using. [CBC]

CA – Cameras to Keep Rolling in Paradise as Town Takes Issue to Court

Dozens of surveillance cameras in Paradise, Newfoundland will continue to record, despite a recommendation from the province’s privacy commissioner. The Town of Paradise sent an official response to commissioner Donovan Molloy, saying it will take the issue to court. Earlier this month, Molloy requested [see PR here & Report here] the town remove the cameras until it provides further evidence to justify its need for all 87 cameras. Molloy says he got no response. Both sides will continue to try to reach an agreement, but failing that, the matter will go to Supreme Court and a judge will rule on whether the town has to follow the privacy commissioner’s advice. [CBC]

CA – Privacy Breach Accused Gets Support from Lawyer, Tech Community

While an online legal defence fundraiser gains steam, the 19-year-old accused in the Nova Scotia freedom-of-information scandal has secured legal help from one of Canada’s leading experts in privacy law. David Fraser of the firm McInnes Cooper in Halifax has confirmed he’ll assist with the teenager’s legal defence. He says he’s “optimistic” the case can be resolved once it’s in the hands of the Nova Scotia Public Prosecution Service.  Fraser has already been in touch with an IT security expert and security conference organizer, Dragos Ruiu, who has started a GoFundMe page [see here] for the teenager’s legal defence. “It looks like a lot of tech folks who could easily see themselves in the shoes of this young man being persecuted instead of him, and it resonates with them,” said Ruiu. Both Fraser and Ruiu drew comparisons to the case of Aaron Swartz [see Wiki here], a pioneering coder and internet activist who was charged in Boston in 2011 for mass unauthorized downloading of academic journal articles from MIT. Swartz took his own life in 2013. Ruiu says at the time he wished he’d done more to support Swartz, which is why he’s taking action now. “We can’t let a politician bully a young man like this,” he said. [CBC | Dear Canada: Accessing Publicly Available Information on the Internet Is Not a Crime | Crowdfunding campaign aims to pay legal defence of NS teen charged after data breach | Government softens tone on reaction to privacy breach | You’re a govt official. You accidentally slap personal info on the web. Quick, blame a kid! | Teen Faces 10 Years in Prison for Downloading 7K Freedom of Information Releases | Teen charged in Nova Scotia government breach says he had ‘no malicious intent’ | Halifax law firm looking into possible class action over NS data breach ]

CA – OIPC BC Finds Excessive Collection by Landlords

The OIPC BC investigated the collection and retention of personal information of potential tenants by landlords, pursuant to the Personal Information Protection Act: 13 landlords from both for-profit and not-for-profit rental management companies were asked to provide information; and the OIPC previously issued guidance on PI handling for landlords. PI was collected that, if used, would be a violation of the Human Rights Code, including ages of other occupants of the unit, whether the applicant speaks English, was born in Canada, or is pregnant, and questions seeking marital status and sex; credit checks can only be done with consent and a reasonable purpose, such as a lack of satisfactory references or employment and income verification. [OIPC BC – Investigation Report P18-01 – Personal Information and Tenant Screening]

CA – SK Clinic’s Employee Should be Reprimanded

The OIPC Saskatchewan addressed a complaint against Prince Albert Co-operative Health Centre Community Clinic for unauthorized disclosure. The Saskatchewan Privacy Commissioner recommended that the clinic apply appropriate disciplinary actions to the employee who posted on social media the positive pregnancy test results of a patient, and to notify the patient of the outcome of the investigation and steps taken to prevent future breaches of privacy. [OIPC SK – Investigation Report 239-2017 – Prince Albert Co-operative Health Centre Community Clinic]

CA – Increased Risk of Harm Due to Duration of Unauthorized Access

The OIPC Alberta was notified by Preferred Hotels & Resorts of unauthorized access to personal information, pursuant to the Personal Information Protection Act. An organization’s service provider reported a breach of user credentials, enabling an unauthorized viewing of reservations of customers that may have included credit or debit information; the financial information could be used to cause identity theft and fraud, and the risk of harm is increased because the information was exposed for about 1 1/2 years. [OIPC AB – Breach Notification Decision – P2018-ND-043 – Preferred Hotels & Resorts]

CA – BC Court Allows Appeal of IPC Decision

The Court considered a response by the University of British Columbia to a court ruling upholding an IPC BC decision concerning disclosure of records pursuant to the Freedom of Information and Protection of Privacy Act. The Court agreed that an educational institution’s disclosure of its rubrics for undergraduate admissions would cause harm, by disclosing a grading system that would diminish the value of questions for future use (regardless of whether the questions themselves are already known to others), and because the institution had spent money for several years on the process; the matter is remitted back to the IPC for a new decision. [University of British Columbia v. Geoff Lister and IPC BC – 2018 BCCA 139 – Court of Appeals for British Columbia]

CA – Legal Pot Buying Data Could Get You Banned from U.S., Lawyers Warn

When Canadians are able to buy legal recreational marijuana sometime this year, we are going to start generating a lot of consumer data. Some of it will be clearly linked to individuals. If your Canadian marijuana-buying data ends up on a server in the United States, could it make its way to U.S. border officials? There’s little to stop it, privacy experts say. Canadians can be barred for life from the United States — even after legalization here — if a border officer decides that they are an “abuser” of marijuana. Canadians banned from the U.S. can apply for a waiver allowing them to cross the border, but the process is cumbersome and expensive, and the application has to be restarted from scratch every few years for the rest of the person’s life. As attitudes toward marijuana have softened on both sides of the border, attitudes at the border itself have hardened, warns Len Saunders, an immigration lawyer in Blaine, Wash. Saunders is now seeing a flood of Canadian clients who want help with waivers related to marijuana after being banned for life by U.S. border officials. [Global News]

E-Mail

CA – New Rogers Email ToS Raises Privacy Concerns

The Globe and Mail reports a new terms of service seen by Rogers Communications email users has raised concerns. Anyone who has logged in to their Rogers email account in recent weeks has seen a prompt alerting them they will need to agree to a new terms of service from Oath, as Yahoo no longer handles Rogers’ email services. The new terms of service will allow Oath to analyze messages to send targeted content. Users have gone to forums to express their concerns about a situation similar to the Facebook-Cambridge Analytica revelations. Canadian Internet Policy and Public Interest Clinic Staff Lawyer Tamir Israel said a Cambridge Analytica situation is unlikely, but it is encouraging for citizens to be aware of potential privacy issues. [G& M]

Encryption

US – Legislators Seek Answers from FBI Director About Unlocking iPhones

Ten US legislators have sent a letter to FBI Director Christopher Wray asking about the agency’s ability to decrypt seized iPhones. While Wray has been vocal about the FBI’s inability to break into 7,800 phones last year, a report from the Department of Justice (DOJ) Office of Inspector General (OIG) indicated that in the case of the San Bernardino shooter’s iPhone, the FBI did not explore all possible avenues for accessing the data it held before seeking a court order to force Apple to decrypt the device. The report observes that the FBI did not consult third-party companies that have the capability to break into iPhones and that it did not ask its own Remote Operations Unit (ROU) for help. Sources:

  • house.gov: Letter to FBI Director Christopher Wray (PDF)
  • The Hill: Lawmakers question FBI director on encryption

EU Developments

EU – Article 29 WP Updates GDPR Consent Components

The Article 29 Working Party revises previously issued guidance on consent under the GDPR. Assessing freely given consent must consider whether it is tied into a contract or provision of service (inappropriate pressure or influence will render the consent invalid), parental consent will remain valid after the child reaches the age of digital consent (the minor must be informed of their right to withdraw), and explicit consent is valid when obtained via phone call if the choice is fair and specific. [Article 29 WP – Guidelines on Consent Under the GDPR – WP259 Rev.01es]

EU – Article 29 WP Updates GDPR Transparency Requirements

The Article 29 Working Party revised previously issued guidance on transparency requirements under the GDPR. Controllers should use their knowledge of the individuals they collect information about to determine what those individuals would likely understand; parental consent does not mean children lose their data subject rights (easily understandable notice should be provided to them through cartoons, pictograms, etc.); individuals should not be surprised when new processing purposes are communicated; and where notice would be impossible or involve a disproportionate effort, documentation must be maintained to demonstrate accountability. [Art 29 WP – Guidelines on Transparency under the GDPR – WP260 Rev. 1]

EU – Commission Proposes Rules Similar to US Cloud Act

The EU Commission proposed new rules to allow law enforcement in EU Member States to obtain electronic evidence, regardless of the location of data. Judicial authorities in Member States can request access to stored electronic data (including content, transactional, access and subscriber data) directly from service providers (data must be transmitted within 10 days of receipt, or 6 hours for emergency cases) and require them to preserve the data for up to 60 days; compliance is required regardless of where the data is stored, unless the order violates the EU Charter of Fundamental Rights, contains manifest errors, or is not for a valid offence. [EU Commission – Proposal for a Regulation on EU Production and Preservation Orders for Electronic Evidence in Criminal Matters]

EU – Tech Companies Forced to Give Police Overseas Data Under EU Proposal

Technology companies such as Google, Microsoft and Facebook will be forced to hand over users’ data to European law enforcement officials even when it is stored on servers outside the bloc, under a law proposed by the EU. The law would allow European prosecutors to force companies to turn over data such as emails, text messages and pictures stored online in another country, within 10 days or as little as six hours in urgent cases. The United States recently moved to address the same problem, passing a law making it clear that U.S. judges could issue warrants for data held abroad while giving companies an avenue to object if the request conflicts with foreign law. The proposal will apply only in cases where crimes carry a minimum jail sentence of three years. In cases of cybercrime there will be no minimum penalty requirement. Where companies find themselves in a conflict-of-law situation because the country where data is stored forbids them from handing it over to a foreign authority, they will be able to challenge the seizure request. According to Maryant Fernandez Perez, senior policy adviser at campaign group European Digital Rights “The Commission is proposing dangerous shortcuts to allow national authorities to obtain people’s data directly from companies, basically turning them into judicial authorities.” [Reuters and at: Bloomberg, The Wall Street Journal, Silicon UK and Financial Times]

EU – WP29 Concerned with EU Agreements on PNR

The Article 29 Data Protection Working Party expressed concern to the European Commission about the EU-Canada passenger name record agreement, in light of the EU Court of Justice’s recommendations. The agreements between the EU and Canada, US and Australia do not reflect the recommendations raised by the EU Court of Justice; there is no clear and precise description of data concerned, explicit exclusion of sensitive data, or sufficient guarantee of independent oversight. Retention provisions do not reflect appropriate conditions for access to the data or a requirement to delete data after the departure of a passenger after their stay in a third country. [Article 29 WP – Letter to European Commission on EU PNR Agreement with Canada]

EU – Law Enforcement: Article 29 WP Concerns on Central EU Database

The Article 29 Working Party commented on the EU Commission’s draft regulations on interoperability between existing and future EU information systems relating to border control, migration, police and judicial cooperation. The database would cross link all information systems such as the Schengen System, Entry-Exit system and Travel Information and Authorisation System; there is no justification for the necessity of the database (identity fraud is not an essential threat to EU internal security), there is potential for broad and common use of data (national police will have access for overall identity checks), and long retention periods could result from the system of links. [Article 29 WP – Opinion on Commission Proposals on Establishing a Framework for Interoperability between EU information systems in the field of Borders and Visa Borders]

UK – Privacy Chief Wants Powers to Access Data More Quickly

The U.K.’s privacy regulator, who’s leading European investigations into how political consultants accessed the data of millions of Facebook Inc. users, said British data-protection laws are slowing her progress. Elizabeth Denham, the U.K.’s Information Commissioner, said she is “in intense discussion” with the government to broaden the nation’s data protection law. She wants a “streamlined warrant processes with a lower threshold than we currently have in the law. I’m in intense discussion with government to ensure that as part of the data protection bill, the ICO has the ability to move more quickly to obtain information that we need to carry out our investigations in the public interest,” Denham said on Wednesday. [Bloomberg]

WW – A Flaw-By-Flaw Guide to Facebook’s New GDPR Privacy Changes

Facebook is about to start pushing European users to speed through giving consent for its new GDPR privacy law compliance changes [see here]. It will ask people to review how Facebook applies data from the web to target them with ads, and surface the sensitive profile info they share. Facebook will also allow European and Canadian users to turn on facial recognition after six years of the feature being blocked there. But with a design that encourages rapidly hitting the “Agree” button, a lack of granular controls, a laughably cheatable parental consent request for teens and an aesthetic overhaul of Download Your Information [see here] that doesn’t make it any easier to switch social networks, Facebook shows it’s still hungry for your data. The new privacy change and terms of service consent flow will appear starting this week to European users. Facebook says it will roll out the changes and consent flow globally over the coming weeks and months with some slight regional differences. There are a ton of small changes, so we’ll lay out each with our criticisms. [TechCrunch]

WW – Reaction to WP29’s Accreditation of Certification Bodies Guidelines

The Centre for Information Policy Leadership published recommendations on the Article 29 Working Party’s draft guidance on accreditation of certification bodies under the GDPR. The think tank recommends that accreditation by Supervisory Authorities take place under a common EU-wide accreditation standard approved by the EDPB, and taking into account the requirements adopted by the European Commission; ISO criteria should be considered instructive, not mandatory, and further forthcoming guidance should consider flexibility and scalability for smaller enterprises. [Comments on the WP29 Draft Guidelines on the Accreditation of Certification Bodies under the GDPR – CIPL]

Facts & Stats

WW – Lessons from Verizon’s Annual Data Breach Investigations Report

According to the recently released Data Breach Investigations Report [see PR here, 8 pg PDF Exec. Summary here & 68 pg PDF Report here] from Verizon, the majority of data breaches (73%) are perpetrated by outsiders and involved either hacking techniques (48%) or malware (30%). The annual report examined 53,308 security incidents in 65 countries from November 2016 through October 2017, 11,000 more incidents than in the previous year’s report. Additionally, the report analysed 2,216 confirmed data breaches (defined as a security incident that results in confirmed disclosure – not merely potential exposure – of data to an unauthorised party), an increase from 1,935 the previous year. If consumers feel like data breaches are becoming more and more common, that’s because they are. Here are our top takeaways from the report: 1) Keep sensitive data out of business infrastructures; 2) Continually train and educate employees; 3) Enforce the least-privilege user access (LUA) principle on computer systems; and 4) Champion compliance. [Semafone and at: Threatpost, CNET, BankInfoSecurity, Gigabit Magazine, eWEEK and Healthcare IT News]

FOI

CA – IPC Ontario Requires Disclosure of Commercial Service Agreements

An IPC ON order reviewed the City of Windsor’s denial of access to portions of documents requested pursuant to the Municipal Freedom of Information and Protection of Privacy Act. Most of the information withheld by a municipality did not consist of trade secrets or technical information, was not supplied (it was mutually generated or negotiated) and would not cause harm if disclosed; it was unsuccessfully argued that disclosure might have a negative effect on the municipality’s ability to attract business (the IPC ruled that disclosure of the municipality’s commitments might actually encourage private companies to partner with the city). [IPC ON – Order MO-3583-I – Appeal MA15-242 – City of Windsor]

Horror Stories

WW – 71% of Incidents Include Exploitation of Software Vulnerabilities

A Ponemon study surveyed 627 IT security practitioners in a variety of healthcare organizations that are subject to HIPAA. Other security incidents identified by the Ponemon Institute include web-borne malware attacks (69%), exploit of existing software vulnerability less than 3 months old (66%), lost/stolen devices (62%), spear phishing (61%), SQL injection (53%), zero day attacks (48%), botnet attacks (45%), click-jacking (44%), ransomware (37%), DDoS (36%), targeted attacks (32%), and rootkits (30%). [The State of Cybersecurity in Healthcare Organizations – Ponemon Institute]

WW – Unsecured Database Contained Profiles of 48M People

UpGuard Director of Cyber Risk Research Chris Vickery discovered an unsecured Amazon S3 database containing profiles of 48 million people created by a data firm. LocalBlox used data-scraping tools to create the profiles by mining information found on sites such as Facebook, Twitter and LinkedIn. Information found in the database included names, physical addresses and employment information. According to a report UpGuard published on the leak, the firm informed LocalBlox about the unsecured database in February, and the data firm locked down the information within a matter of hours. Meanwhile, web trackers have been exploiting the “Login with Facebook” feature on third-party sites to gather information. [ZD Net]

CA – Waste Management Apps Compromised in Data Breach

Users of Recycle Coach and My Waste were informed the apps were affected by a data breach. The owner of the apps, Municipal Media Inc., told users a subscriber database was hit during the cyberattack. The database held 55,000 email addresses, with Municipal Media saying some of those addresses were compromised during the breach. “There were no names associated with them, no locations, and of course no passwords or any other personal information,” Municipal Media President Creighton Hooper said. The company is advising users of the apps to be cautious of any suspicious emails and to avoid clicking links they do not recognize. [CTV News]

CA – Firm Releases AggregateIQ’s Canadian Clients

Cybersecurity consulting firm UpGuard has discovered some of the Canadian clients of AggregateIQ. Among AggregateIQ’s clients are three British Columbia Liberal candidates running in last year’s provincial election and a Liberal MLA who ran for party leadership and for the British Columbia Green Party in 2016. UpGuard Director of Cyber Risk Research Chris Vickery found exposed data from the data firm following revelations it was tied with Cambridge Analytica. “It was an eye-opening moment, once it hits you: ‘Oh my god, this is what they’re using to influence elections across the globe,’” Vickery said. The UpGuard director told the Standing Committee on Access to Information, Privacy and Ethics that Facebook may be involved in another breach involving the private messages of 48 million users. [G & M]

WW – Ethereum Thieves Exploited BGP Leak

Thieves exploited vulnerabilities in public-facing DNS servers to steal $152,000 USD worth of Ethereum cryptocurrency. The attackers used a Border Gateway Protocol (BGP) leak to redirect users to a phony MyEtherWallet site. Sources:

  • SC Magazine: $152,000 in Ethereum stolen in Amazon DNS server attack
  • ZD Net: AWS traffic hijack: Users sent to phishing site in two-hour cryptocurrency heist
  • Ars Technica: Suspicious event hijacks Amazon traffic for 2 hours, steals cryptocurrency
  • Cyberscoop: Internet infrastructure server hijacked for $152,000 Ether theft

WW – Five Most Dangerous New Attack Techniques

At the Keynote Panel at the RSA Conference in San Francisco, SANS’s Ed Skoudis, Johannes Ullrich, and James Lyne spoke about the most dangerous new attack techniques. Skoudis spoke about the security risks posed by the cloud, noting “There is leakage when you have data stored in the wrong repositories or not stored correctly,” for example, in misconfigured Amazon S3 buckets. There have been many such incidents: Verizon twice, Time Warner and Uber, and the U.S. Army leaked over 100 gigabytes of data because of a bug in an Amazon S3 storage bucket. Skoudis suggested that organizations step up to track and manage data assets, not just systems. Ullrich spoke about the shift from stealing or locking up data to stealing processing power through cryptocurrency mining. Ullrich also showed why assuming that hardware is inherently trustworthy is increasingly dangerous. Sources:

  • SANS Org: RSA Session and summary of their remarks
  • eWeek: Security Experts Warn of New Cyber-Threats to Data Stored in Cloud
  • Fifth Domain: Future cyber threats will come from inside the architecture
  • Infosecurity: #RSAC: The Five Most Dangerous New Attacks According to SANS

WW – Fixes Available for Hotel Card Key Electronic Lock Weaknesses

Security flaws in a card key system used by hotels around the world can be exploited to create a master key, allowing access to rooms. Researchers at F-Secure found that expired card keys can provide enough information to create a master key. The vulnerable system is Vision by VingCard, made in Sweden by Assa Abloy, which has released fixes to address the vulnerabilities. Sources:

  • SC Magazine: Lock maker offers fixes to prevent hackers from using fake master keys to open hotel locks
  • Reuters: Hotel key cards, even invalid ones, help hackers break into rooms
  • The Register: Hotel, motel, Holiday Inn? Doesn’t matter – they may need to update their room key software
  • ZD Net: Hackers built a ‘master key’ for millions of hotel rooms
  • Bleeping Computer: Device Can Generate Master Keys From Valid or Expired Hotel Keys

Identity Issues

EU – Commission Proposes Making Fingerprints Mandatory in ID Cards

Identity cards held by EU citizens will be required to include digital images of the holder’s fingerprints as part of a crackdown on fraudulent documents used by criminals and extremists, the European Commission proposed on Tuesday [see PR here]. The Commission said that it would not oblige countries to introduce ID cards, but those countries that use them would be required to include two pieces of biometric data: an image of two fingerprints and a facial image. The Commission estimates 80 million Europeans currently have ID cards that cannot be read by machines and do not contain biometric identifiers. The Commission also proposed other security measures on Tuesday, which include making it easier for authorities to access electronic and bank account information in other EU countries. [Reuters and at: Deutsche Welle, EuroNews, findBIOMETRICS, Biometric Update and New Europe]

Internet / WWW

WW – Academics Make Recommendations on IoT Security

PETRAS IoT Research Hub issued recommendations to the UK Government regarding the security of IoT. A UK government-commissioned study recommends using multi-factor or biometric authentication, disclosing vulnerabilities that pose threats to consumers, allowing user control of data, providing controls for users to edit privacy settings, updating software and testing all updates, requesting user consent to share data with third parties, and providing a user or proxy option to delete personal data. [Summary Literature Review of Industry Recommendations and International Developments on IoT Security – PETRAS IoT Research Hub | Government’s Commitment]

Online Privacy

WW – Facebook Fuels Broad Privacy Debate by Tracking Non-Users

Chief Executive Mark Zuckerberg said the world’s largest social network tracks people whether they have accounts or not. Zuckerberg said under questioning by U.S. Representative Ben Luján that, for security reasons, Facebook also collects “data of people who have not signed up for Facebook” [watch here at 1:15].  Critics said that Zuckerberg has not said enough about the extent and use of the data. “It’s not clear what Facebook is doing with that information,” said Chris Calabrese, vice president for policy at the Center for Democracy & Technology, a Washington advocacy group. [Reuters and at: FastCompany and The Mac Observer (audio)]

WW – Facebook Makes End Run Around GDPR for Non-EU Customers

Facebook has changed its terms of service, which will exempt 1.5 billion Facebook users from protection under the European Union’s General Data Protection Regulation (GDPR). While Facebook users in Canada and the US have never been subject to EU rules, the 1.5 billion Facebook users in Latin America, South America, Africa, Asia, and Oceania have until now been governed by Facebook’s Irish terms of service, but now they will be governed by Facebook’s US terms of service. The move reduces Facebook’s GDPR liability; under GDPR rules, EU regulators can fine companies that collect or use personal data without users’ consent. Facebook maintains that they “apply the same privacy protections everywhere, regardless of whether your agreement is with Facebook Inc. or Facebook Ireland.” Sources:

  • Reuters: Exclusive: Facebook to put 1.5 billion users out of reach of new EU privacy law
  • fb.com: Complying With New Privacy Laws and Offering New Privacy Protections to Everyone, No Matter Where You Live
  • ZD Net: Facebook moving 1.5 billion users away from GDPR protection
  • BBC: Facebook to exclude billions from European privacy laws
  • SC Magazine: Looking to reduce GDPR liability, Facebook ports 1.5B non-U.S. users to domestic HQ
  • The Register: Facebook puts 1.5bn users on a boat from Ireland to California

Privacy (US)

US – Supreme Court Tosses Out Microsoft Case on Digital Data Abroad

The Supreme Court announced on Tuesday that it would not decide whether federal prosecutors can force Microsoft to turn over digital data stored outside the United States. The move followed arguments in the case [United States v. Microsoft, No. 17-2] in February and the enactment of a new federal law that both sides said made the case moot. “No live dispute remains between the parties,” the court said in a brief, unsigned opinion.  The case posed the question of whether a 1986 law, enacted before the dawn of the big-data era, applied to digital information stored outside the nation’s borders. On March 23, Congress enacted the Cloud Act — more formally, the Clarifying Lawful Overseas Use of Data Act. The new law, unlike the one from 1986, clearly applied to data held overseas.  After the new law was passed, the government withdrew the earlier warrant and obtained a new one. In recent Supreme Court filings, both sides told the justices that the case was moot. [NY Times and at: Jurist, SCOTUSblog, TechCrunch, The Wall Street Journal and Hit & Run Blog (Reason)]

WW – Tech Firms Sign ‘Digital Geneva Accord’ Not to Aid Governments in Cyberwar

More than 30 high-tech companies, led by Microsoft and Facebook, announced a set of principles [Cyber Tech Accord PR here] that includes a declaration that they will not help any government — including that of the United States — mount cyberattacks against “innocent civilians and enterprises from anywhere,” reflecting Silicon Valley’s effort to separate itself from government cyberwarfare. It also commits the companies to come to the aid of any nation on the receiving end of such attacks, whether the motive for the attack is “criminal or geopolitical.” Although the list of firms agreeing to the accord is lengthy, several companies have declined to sign on at least for now, including Google, Apple and Amazon. [NY Times and at: Inside Privacy (Covington), Bloomberg (video), Engadget, Inc and TechNewsWorld]

US – Attorney-Client Privilege the First Casualty of Michael Cohen Investigation

The extraordinary attempt by Michael Cohen, the president’s longtime fixer and personal attorney, to recoup materials collected during a law enforcement raid last week failed in federal court. A federal judge ruled that, for the time being, the government would control access to the materials, while forbidding investigators to review any potential evidence. The idea of Trump sorting through Cohen’s correspondence and deciding what should be shared with prosecutors prompted eye rolls and audible sighs in the courtroom. But it got to the core question of the hearing: To whom does the power to determine the scope of attorney-client privilege belong? The attorney? The client? The government? That Trump and the Blind Sheik now share the legally novel experience of having their attorneys’ offices raided by the FBI is not a synchronism; it is a reflection of our current political conditions. As a principle, attorney-client privilege is foundational to our system of justice, no matter how unpopular the attorney or their client. Cohen’s attorneys struggled to push back. “I think in the future this could affect people’s willingness to consult an attorney,” Steve Ryan said, to chuckles, the principle he was invoking clouded by the allegations surrounding his client. While the president’s critics may have claimed victory, a cornerstone of our judicial system — attorney-client privilege — fared less well. Gerald Lefcourt, a criminal defense attorney and former president of the National Association of Criminal Defense Lawyers, offered a law school-seminar chestnut to warn of the potential precedent that could follow from Cohen’s case: “Bad facts make bad law.” [The Intercept]

Security

WW – Prevent the Largest Cause of Data Security Incidents – Your Employees

BakerHostetler’s 2018 Data Security Incident Response Report [PR here Webinar here] documents over 560 incidents, more than a third of which stemmed from phishing incidents in which an employee was tricked by an email message into providing access credentials to an unauthorized party, visiting a phony website, downloading an infected document or clicking on a link that installed malware. Other sizeable incident types also involved employee errors: 17% of incidents were inadvertent disclosures and 11% were due to stolen or lost devices. Providing proper training and technical safeguards is one of the most important means to enhance your company’s security profile. However, training is not enough. Technological safety nets are needed. Companies should consider implementing a number of data security measures, which can make it more difficult for criminals to succeed with attacks that prey upon employee vulnerabilities. In addition to the above training and safeguards, companies should enable logging on email and other systems that contain sensitive data. Logging should be retained for at least one year, preferably longer. In many security incidents, the existence of logging is crucial to determining an attacker’s actions and to limiting notifications to information that is known to have been accessed or acquired without authorization. [Data Privacy Monitor]

WW – Key Findings from Baker Hostetler’s 2018 Data Security Incident Report

In its 2018 Data Security Incident Report, “Building Cyber Resilience: Compromise Response Intelligence in Action,” [see PR here, Webinar here & download Report here] BH identifies and analyzes the most important trends and takeaways from the more than 560 incidents it handled last year. These incidents affected nearly every industry and impacted anywhere from a single individual to millions of people. The report distills the lessons learned from those incidents into eight key takeaways for boards, senior management, auditors, IT leaders and general counsel. [Data Privacy Monitor and at: here & here]

  • MFA is the gold standard. Much like encryption of external devices several years ago, multifactor authentication (MFA) has become an essential security measure and is increasingly becoming a regulatory expectation. However, MFA is not infallible, and not all MFA solutions are equally secure.
  • It’s not the cloud, it’s you. As entities migrate to the cloud, most security issues are not caused by the cloud service provider but by how the entity or its service provider configures access to the cloud.
  • Rise of the regulator. Recent high-profile incidents have rekindled regulatory interest. Moreover, large multistate settlements have given state attorneys general the funds to hire experts and more aggressively investigate breaches.
  • New year, same issues. Entities still are not executing on the basics. Endpoint monitoring agents, SIEM (security information and event management) solutions and privileged account management tools have become more common, but good hygiene could have prevented many incidents.
  • Everyone’s involved. With incidents on the rise and the stakes higher than ever, senior management, boards and external auditors are becoming involved in data breach prevention and response.
  • No one is “too small.” Any entity, of any size, may become the victim of a cyberattack. Hackers are happy to hit “singles” and take advantage of the lax security practices of small and medium-sized entities, and attacker techniques and tools simplify the process of finding even obscure targets of opportunity.
  • The EU General Data Protection Regulation (GDPR) countdown drives uncertainty. With the May 25, 2018, effective date looming, organizations have been racing against the clock to get their privacy, data security and incident response practices in order. Expect adjustments to continue as the regulation is implemented.
  • Reading the litigation tea leaves is an inexact science. The line determining cognizable damages continues to blur. In addition, recent cases show that privilege may not apply to all incident-related communications, and some entities choose to waive privilege.

CA – OPC Canada Emphasizes Risk of Password Reuse

The OPC Canada summarized a number of incident cases that it investigated in 2017. Customer login data obtained from previous, unrelated breaches were likely the cause of the compromise of an airline’s loyalty website and subsequent ransom demand for the PI of 25,000 members, the unlawful acquisition of the PI of 100,000 loyalty customers of a retailer, and the redemption of a digital media company’s users’ rewards; all 3 companies either reset passwords, forced password changes and/or considered changes to password creation processes. [OPC Canada – Multiple Breach Incidents as a Result of Password Reuse]

WW – Incident Response Procedures: Best Practices

Working Group 11 of the Sedona Conference issued guidance to help organizations prepare and implement an incident response plan. An industry association recommends that pre-incident planning include mapping of data and legal obligations and vendor due diligence, conducting initial assessments of an incident before activating the incident response team (cause, time frame, affected systems or information), considering if law enforcement engagement would result in liability exposure or business disruptions, and reviewing actions taken to address blind spots and areas for improvement. [Incident Response Guide – The Sedona Conference]

WW – Cybersecurity Trend: Complex Business and IT Systems Highest Risk

A new Ponemon study surveyed more than 1,100 senior information technology practitioners from the US, Europe and the Middle East/North Africa region on cybersecurity trends. Other organization risks identified by the Ponemon Institute include lack of funding to support cyber defense (58%), inability to integrate disparate technologies (53%), and lack of cybersecurity leadership (51%); technologies that pose the highest risk were identified as document collaboration tools (58%), use of digital identities (47%), and insecure connectivity (37%). [2018 Study on Global Megatrends in Cybersecurity – Ponemon]

Smart Cars

US – Expectation of Privacy Exists in Vehicle Black Box Data

The Court considered an appeal by the State of Missouri concerning the suppression of evidence collected from a warrantless search and seizure. A Missouri Court confirmed that a truck’s black box contained information unique to the driver’s use and operation of the vehicle, which was in itself protected by the Fourth Amendment as an “effect”, the intrusion constituted an actionable trespass on the driver’s possessory interest in the vehicle, and there were no exigent circumstances that could not have been addressed in an application for a warrant. [State of Missouri v. Anthony West – 2018 Mo. App. LEXIS 378 – Court of Appeals of Missouri Western District Division Four]

Surveillance

WW – Research Study: Google’s Play Apps Improperly Track Children

Thousands of apps may be tracking the online activity of children in ways that violate US privacy laws, according to a recent survey of Android apps available on the Google Play store. It concluded that of 5,855 apps in the Play Store’s Designed for Families program, 28% “accessed sensitive data protected by Android permissions” and 73% of the applications “transmitted sensitive data over the internet.” The survey noted, though, that simply collecting that information did not necessarily violate the Children’s Online Privacy Protection Act (COPPA). Among the most concerning findings was that approximately 256 apps collected geolocation data, 107 shared the device owner’s email address, and 10 shared phone numbers. 1,100 shared persistent identifiers, which can be used for behavioral advertising techniques that are banned for use on children by COPPA. 2,281 transmitted Android Advertising IDs. Those apps appear to be in violation of Google policy. [Gizmodo and at: Education Week, engadget, Ubergizmo, See also: Fake messaging apps could compromise your Android phone | Study Says Many Android Vendors Regularly ‘Forget’ Security Patches]

US – Advocate Alleges Deceptive Tracking App

The Electronic Privacy Information Center filed a complaint against AccuWeather International, Inc., alleging tracking of consumers’ location in violation of the D.C. Consumer Protection Procedures Act. A weather media company’s mobile app collected and used consumers’ personal location data for marketing purposes, including sharing with partners and affiliates; claims against the company include that latitude, longitude and altitude data was collected even if the app was not open, and access permissions were denied by the individual. [EPIC v. Accuweather International Inc. – Complaint – Superior Court of the District of Columbia, Civil Division]

US Government Programs

US – Positive Assessment of Privacy Shield from US Government

The Department of Commerce assessed implementation, oversight and enforcement of the EU-US and Swiss-US Privacy Shield Frameworks.

The US Department of Commerce noted that certification and monitoring processes have been enhanced (random spot checks, online reviews, delayed public notice of participation), limitation and safeguards on national security access to data have been reauthorized by Congress, an Ombudsperson has been appointed, and 3 individuals have been nominated to the Privacy and Civil Liberties Oversight Board.

[DoC – US Implementation, Oversight and Enforcement of the EU-US and Swiss-US Privacy Shield Frameworks]

US Legislation

US – Federal Bill Imposes Student Data Restrictions on Online Services

Senate Bill 2640, the Safeguarding American Families from Exposure by Keeping Information and Data Secure Act (“SAFE KIDS Act”), was introduced and referred to the Senate Committee on Commerce, Science, and Transportation. The Bill stipulates, in regard to online providers of services to educational institutions for pre K-12 purposes, restrictions (targeted advertising) and permitted uses of student PII (disclosures required by federal or state law, or pursuant to student or parental consent), and imposes certain requirements (limited retention or destruction requirements, and security procedures); the FTC would enforce the law. The Bill, if passed, will take effect 18 months after enactment. [Senate Bill 2640 – SAFE KIDS Act – 115th Congress]

 

+++

10-16 April 2018

Biometrics

WW – Fingerprints Can Show If You’ve Done Drugs

A raft of sensitive new fingerprint-analysis techniques is proving to be a potentially powerful new avenue for extracting intimate personal information—including what drugs a person has used. New techniques can determine, from a single fingerprint, not whether you have handled these drugs, but whether you have taken them. The new methods use biometrics to analyze biochemical traces in sweat found along the ridges of a fingerprint. And those trace chemicals can quickly reveal whether you have ingested cocaine, opiates, marijuana, or other drugs. One novel, noninvasive forensic technique developed by U.K. researchers can detect cocaine and opiate use from a fingerprint in as little as 30 seconds. The assay—which was so sensitive that it could still detect trace amounts of cocaine after subjects washed their hands with soap—correctly identified 99% of the users, and gave false positive results for just 2.5 percent of the nonusers. The researchers say they hope to expand the range of controlled substances that can be detected, which could include methamphetamines, amphetamines, and marijuana. The test can be modified to detect therapeutic drugs prescribed by physicians too. [The Atlantic]

CN – Facial-Recognition Cameras Caught Suspect Among 60,000 Concertgoers

China is pursuing an ambitious plan to make an omnipresent video surveillance network. On the night of April 7, nearly 60,000 people had gathered at the Nanchang International Sports Center for a concert by Cantopop legend Jacky Cheung. In the middle of an upbeat song, a pair of police officers began descending the aisles, according to footage posted on the Chinese video sharing site Miaopai. Soon, they had arrived at the row they were looking for and apprehended the 31-year-old. Before Cheung had finished singing the refrain, officers were escorting the man out of the show. The man, identified only by his surname Ao, was reportedly wanted for “economic crimes,” according to Kan Kan News. Details about Ao had been in a national database, and when he had arrived at the stadium, cameras at the entrances with facial-recognition technology had identified him — and flagged authorities, the news site reported. “He was completely shocked when we took him away,” police officer Li Jin told Xinhua news agency. “He couldn’t fathom that police could so quickly capture him in a crowd of 60,000.” Ao’s unlikely capture became the latest example of China’s growing use of facial-recognition technology. As The Washington Post’s Simon Denyer reported, law enforcement and security officials in China hope to use such technology to track suspects and even predict crimes. Ultimately, officials there want to create a comprehensive, nationwide surveillance system known as “Xue Liang,” or “Sharp Eyes” to monitor the movements of its citizens. At the back end, these efforts merge with a vast database of information on every citizen, a “Police Cloud” that aims to scoop up such data as criminal and medical records, travel bookings, online purchase and even social media comments — and link it to everyone’s identity card and face. 
A goal of all of these interlocking efforts: to track where people are, what they are up to, what they believe and who they associate with — and ultimately even to assign them a single “social credit” score based on whether the government and their fellow citizens consider them trustworthy. Images from Denyer’s visits to three technology companies showed people monitoring cars and people as they passed through an intersection. Attached to each entity were text bubbles that showed identifying characteristics: the person’s gender and home town, for example. “Surveillance technologies are giving the government a sense that it can finally achieve the level of control over people’s lives that it aspires to,” Adrian Zenz, a German academic who has researched ethnic policy and the security state in China’s western province of Xinjiang, told Denyer. Many have voiced their concerns about the ethical ramifications of such a system. Human Rights Watch has a page dedicated to mass surveillance and the use of “big data” in China. “For the first time, we are able to demonstrate that the Chinese government’s use of big data and predictive policing not only blatantly violates privacy rights, but also enables officials to arbitrarily detain people,” Wang wrote. “People in Xinjiang can’t resist or challenge the increasingly intrusive scrutiny of their daily lives because most don’t even know about this ‘black box’ program or how it works.” As for Ao, the man caught at the Jacky Cheung concert, he said he thought he would be safe in a crowd of tens of thousands. He and some friends had bought the concert tickets, and Ao had driven with his wife about 60 miles to see the show, according to the news site. [Opinion: China’s new surveillance state puts Facebook’s privacy problems in the shade]

Big Data / Data Analytics / Artificial Intelligence

EU – A Privacy Pro’s Guide to Explainability in Machine Learning Models

With the EU GDPR just around the corner, there has been some debate and discussion about whether the law requires a “right to an explanation” from machine learning models. “Regardless of the regulation’s effects on machine learning, however, the practical implications of attempting to explain machine learning models presents significant difficulties,” Immuta Legal Engineer Stuart Shirrell writes. “These difficulties will become an increasing focus for privacy professionals as machine learning is deployed more and more throughout organizations in the future.” [IAPP.org]

Canada

CA – Federal Privacy Commissioner Argues for Right to Be Forgotten

Canada’s privacy commissioner took the stage at a Canadian Journalism Foundation (CJF) privacy summit in Toronto to advocate for the right to online reputation. The half-day summit was an opportunity for members of the media, as well as lawyers and legislators to meet and discuss the right to privacy in relation to freedom of expression. Daniel Therrien’s core position is that Canadians should be able to access the internet without having to fear that their reputations will be ruined as a result. A draft paper published in January 2018 established the OPC position, while also suggesting that ‘de-indexing’ and ‘source takedown’ are possible solutions to maintain individual online reputation. Also known as the ‘right to be forgotten,’ de-indexing refers to the process by which individuals can request that search engines remove results when an individual’s name is used in the search. Source takedown, by comparison, refers to the removal of the original source of content from the internet entirely. As individuals at the summit pointed out, there’s some contention between the right to privacy, freedom of expression and the freedom to access information. In response to freedom of speech advocates, Therrien argued, “there are real consequences to incorrect information being out there to be seen by many.” “The solution can be discussed at length, and a reason why we have put this out as a draft position paper is that we’re pretty sure that there’s a harm to be remedied here, and as a regulator, the tool that I have… is the legislation to limit or enforce,” he said. Therrien further argued that in the age of the internet, more information is easily accessible than ever before. As such, it’s necessary to find some way to regulate the information that’s available. [betakit.com | Canadian Government Leaning Towards A Right to Be Forgotten it Can Enforce Anywhere in The World]

CA – Quebec Commissioner Suggests Amendments to Privacy Law

The Quebec Commission on Access to Information has issued recommendations for amending the Private Sector Privacy Act. Quebec’s private sector privacy law should be amended to compel organizations to destroy personal information once the purposes for which they were collected are fulfilled (except when kept under a legal provision), and delete any provision recognizing the right of an organization to retain information, even if it can no longer use it according to the law. [CAI QC – Five-Year Report (Pages 120-122)]

CA – Supreme Court Rules on B.C. Campaign Financing Case

In a unanimous decision, the Supreme Court of Canada dismissed a bid by the B.C. Freedom of Information and Privacy Association (FIPA) that challenged a section of B.C.’s Election Act that requires even small spenders to register with the province’s chief elections officer if they sponsor election advertising during a campaign. [see here] But in its 7-0 ruling, the top court clarified the law so that people who wear T-shirts bearing political messages, or put bumper stickers on their cars or signs in their windows during an election, will not have to register with the province’s election office, providing they spend less than $500. But people or groups who sponsor advertising must continue to register. FIPA, a non-profit public advocacy group, had argued the requirement to register inhibits “political expression by persons who don’t wish names and addresses to become public knowledge,” and is a violation of the Charter of Rights and Freedoms’ guarantee of freedom of expression. In B.C., a person or group wishing to sponsor advertising during one of the province’s 28-day provincial election campaigns must register with a full name, address and a service address, and provide a signed statement. The Chief Electoral Officer then makes that information public, although the factum of the Attorney General of B.C. says telephone numbers and home addresses can be obscured upon request. Failing to register could result in a fine up to $10,000 or imprisonment up to a maximum of one year, or both. Reacting to the decision, the Canadian Civil Liberties Union said “small voices” could still be silenced under the B.C. Elections Act. [B.C. Freedom of Information and Privacy Association v. British Columbia (Attorney General) | BC’s election gag law being challenged in Supreme Court of Canada | Canadian Lawyer magazine | Top Court Upholds BC Law Requiring Election Advertisers to Register | SCC rules on election campaign sponsorship in B.C. | Wearing a T-shirt isn’t ‘sponsored’ election advertising, top court rules]

CA – Insurance Company Must Delete Personal Information

The OPC investigated a complaint against an insurance company, alleging violations of PIPEDA. The OPC investigation determined that a company should have treated an individual’s request to delete his data as a withdrawal of consent; the company initially denied the request (retention was necessary to provide insurance details to other insurers), however, once the individual accepted that deletion could result in higher premiums or coverage denial, his information was deleted. [OPC Canada – Case Summary 2017-005 – Insurance Company Required to Delete Individuals Personal Information After They Withdraw Consent]

CA – Nurse Fined for Criticizing Grandfather’s Healthcare Loses Appeal

A Prince Albert nurse fined for criticizing her grandfather’s palliative care online has lost her appeal of a $26,000 fine ordered by her professional regulatory board. In a written decision, Saskatoon Queen’s Bench Justice J. Currie said Carolyn Strom violated professional conduct rules relating to her profession as a registered nurse. Even though Strom was away from work on maternity leave at the time she wrote the online posts, Currie upheld an earlier decision from the Saskatchewan Registered Nurses’ Association (SRNA) that found Strom guilty of professional misconduct. In his decision, Currie said his role was not to determine whether the decision from the disciplinary committee was correct, but rather whether it “falls within the realm of reasonable decisions in the circumstances.” In that respect, Currie agreed with the discipline committee. The Saskatchewan Union of Nurses acted as an intervenor in the case, and said it is disappointed the SRNA ruling was upheld, saying the decision will affect nurses and other professionals, who will think twice before expressing their personal opinions. [paNOW]

CA – Alphabet to Start Toronto Smart-City Tech Pilot in Summer, Build in 2020

Alphabet Inc’s urban innovation company Sidewalk Labs hopes to break ground on its first ever smart-city project in Toronto in 2020, and begin testing some of the proposed technologies this summer, its chief executive said. This is the first time a timeline has been publicly disclosed for the project. A development plan is expected to be approved by the Sidewalk and Waterfront Toronto boards by the end of 2018, and the first residents could move in as early as 2022. The timeline is subject to government approvals and other processes that Sidewalk expects to spend most of 2019 working through. Other smart city projects have largely failed because of budgets, the involvement of too many parties, and the use of public resources on development with no immediate benefits for the broader population. Corporate access to personal information is a growing concern. Sidewalk Labs has faced growing scrutiny over its plans to put sensors and cameras all over Quayside. Doctoroff said Sidewalk Labs would destroy non-essential information, only retain data that would improve the quality of life, and not sell them to advertisers. Third parties must adopt privacy policies developed for the plan, he added. [Reuters]

CA – Man Arrested for Breaching Nova Scotia’s FOI Website

A 19-year-old Halifax man has been arrested for illicitly accessing the Nova Scotia government’s freedom-of-information website. The man was able to see more than 7,000 documents, some of which contained sensitive information, including birth dates, social insurance numbers, addresses and government-services client information. The Nova Scotia government said no credit card information was compromised in the breach, with government officials saying thousands of citizens in the province were likely affected. Halifax Regional Police searched the suspect’s house before his arrest. The man has been charged with the unauthorized use of a computer. Software and privacy professionals have expressed concerns the Nova Scotia government is using the 19-year-old man as a scapegoat for the breach. [CBC News See also: Teen charged after personal information exposed in Nova Scotia government website breach | Police refute claim they asked province to keep a lid on information breach | Province just sort of stumbles across massive data breach ]

Consumer

US – Majority of US Consumers Concerned About Privacy: Survey

The Network Advertising Initiative conducted a survey asking 10,000 U.S. consumers about their opinions on online privacy. Of the respondents, 85% said the current state of online privacy was at least “somewhat concerning,” with 50% of those consumers saying they are either “very” or “extremely” concerned about privacy. When asked about their top privacy concerns, 56% said hackers, while 15% said data collection by any federal government around the world. The majority of consumers said they want their online content to be paid for by advertising, and 79% of respondents said individuals should be in control of opting out of any online marketing campaigns. [NAI]

CA – Canadians Skeptical About Cloud Security, Except at Work: Study

Nearly half of Canadians aren’t comfortable storing sensitive information in the cloud, according to a new study. 46% of Canadians don’t like the thought of storing family information on the cloud, a figure that rises to 52% when it comes to medical information, and 59% for financial information. Citrix Cloud and Security Survey says 62% of employed Canadians felt that documents uploaded to the cloud were either somewhat, or very secure. At the same time, 42% of workers think their employer is solely responsible for maintaining and upgrading security on all devices. A lot of employees, however – 34% – don’t even know if their company uses cloud services. In addition, more than 40% of all Canadians weren’t sure what the cloud was. [IT Business]

WW – Study Highlights Privacy Concerns with Gaming Platforms

Academic researchers published a paper that examined data handling practices in modern gaming platforms and consoles. These collect different types of user data through hardware (cameras, sensors, microphones), platform features (social media, user-generated content) and tracking technologies (cookies, beacons, and scripts). All games studied shared user data with advertising platforms and partners, while mobile games stored private message contents and had a right to access and review these messages. [Privacy in Gaming – N. Cameron Russell, Joel R. Reidenberg and Sumyung Moon – Center on Law and Information Policy at Fordham Law School | Gaming Platform Updates Its Privacy Setting Default | DigitalTrends]

E-Mail

UK – ICO Fines Royal Mail Over 300,000 “Spam” Emails

Royal Mail, which claims to be the most trusted letter delivery service in the UK, was today fined for sending out more than 300,000 nuisance emails. The UK ICO said it launched a probe [see 16 pg PDF notice here] after an individual complained they had received a marketing email from Royal Mail, despite having opted out. Royal Mail argued the email in question was a service because it was telling customers there was a price drop for second-class parcels – but the ICO disagreed. Deeming the message to be marketing, the ICO issued a £12,000 fine for breaching the Privacy and Electronic Communications Regulations (PECR) since recipients hadn’t consented to receiving the mail. The ICO acknowledged that Royal Mail has an obligation to publicise price changes, but said there were more appropriate ways to do this, such as putting an update on its website. [The Register | BBC News, City A.M. and The Times]

Electronic Records

US – 25% of Patients Did Not Access Data Over Patient Privacy Concerns

A recent study by the Office of the National Coordinator for Health Information Technology (ONC) found that 25% of individuals who were offered access to their online medical records declined out of privacy and security concerns. Increasing access and adoption of electronic health records is stated to be a cornerstone of the ONC’s efforts. In response, the ONC created a guide to help individuals get and use medical records. National Coordinator for Health Information Technology Don Rucker said, “It’s important that patients and their caregivers have access to their own health information so they can make decisions about their care and treatments,” adding, “This guide will help answer some of the questions that patients may have when asking for their health information.” [HealthITSecurity | PR here | NAP.edu]

EU Developments

EU – Proposal Gives Consumers More Power to Sue Companies

The European Union has unveiled a proposal to give consumers more power to sue companies if their rights have been violated. The proposal would call for any offending company to be penalized up to 4 percent of their annual turnover. Under the new rules, EU consumer law would be extended to cover “free” digital services where consumers provide personal data, including social media information, email accounts and cloud storage services. While business groups said the proposed bill could lead to a wave of lawsuits, Justice Commissioner Věra Jourová said profit-seeking class-action lawsuits would not be permitted under the pending legislation. [Reuters]

EU – EDPS Launches ‘Privacy by Design’ Mobile Health App Contest

The European Data Protection Supervisor is launching a contest for creators to design the best mobile health apps using “privacy by design” and “privacy by default” principles. Contestants are encouraged to create apps designed to be user friendly and give users more control over their information. The top two winners will receive prizes of 20,000 and 10,000 euros respectively and will be able to present their projects during the 40th International Conference of Data Protection and Privacy Commissioners in October. Submissions must be sent in by the end of June. [Telecompaper]

EU – WP29 Forming Social Media Working Group

Article 29 Working Party Chairwoman Andrea Jelinek said the agency is forming a Social Media Working Group in response to the Facebook-Cambridge Analytica revelations. “What we are seeing today is most likely only one instance of the much wider spread practice of harvesting personal data from social media for economic or political reasons,” Jelinek said. During his second day on Capitol Hill, Facebook CEO Mark Zuckerberg said regulation of his company is “inevitable,” but lawmakers and privacy professionals are skeptical of when it may happen. [Reuters]

EU – Group Calls for EU to Exempt Blockchain from GDPR

A blockchain group is calling for the European Union to exempt the technology from the GDPR. In a blog post, Coin Center Executive Director Jerry Brito writes the GDPR is “incompatible with the reality of open blockchain networks,” and if technology is regulated under the impending rules without any changes to either, the outcome could be troublesome. “The result of the law, then, may be that Europe is closing itself off from the future of the internet to its detriment.” [The Verge | Gizmodo]

UK – ICO Releases Data Protection Self-Assessment Toolkit

The U.K. ICO has released a data protection self-assessment toolkit. The resource has been created to help organizations, particularly small- and medium-sized businesses, make sure they are compliant with data protection laws, such as the EU GDPR. The toolkit includes checklists for controllers and processors, as well as for other areas of compliance, such as information security, direct marketing, records management, data sharing and subject access, and CCTV. Once a checklist has been completed, a report will be generated advising companies on practical steps they can take to improve their compliance efforts. [ICO.org]

US – GDPR: Study Shows 35% of Organisations Ready

The Centre for Information Policy Leadership conducted its second global survey to understand organisational preparedness for the GDPR. 239 organisations were surveyed across several industries. The first global survey was conducted in 2017. A think tank notes that mandatory DPOs will be appointed in 47% of companies surveyed, 35% have a procedure in place to identify and classify privacy risks to individuals, and only 38% will have to re-obtain individual consent; areas that still require further clarity include legitimate interests, breach notification, DPIAs, privacy by design, certifications, codes of conduct, and internal processing records. [Organisational Readiness for the EU GDPR 2nd Edition – CIPL]

FOI

CA – 80-Year Extension on Access-to-Info Request Appears to be a Record

A federal institution has given itself what may be the longest-ever time extension to respond to a citizen’s request under the Access to Information Act — at least 80 years, which will delay the delivery of documents to 2098 or beyond. 70-year-old Michael Dagg, the requester and longtime user of the act, asked Library and Archives Canada (LAC) for files from Project Anecdote, an RCMP investigation into money laundering and public corruption that was launched in May 1993. No charges were ever laid in the massive probe, which concluded in 2003. The voluminous Mountie files were eventually turned over to the government archives. Library and Archives determined there are a minimum of 780,000 document pages to review, in addition to audio and video recordings. Dagg was advised that the review of the material would normally take at least 130 years, but many of the records will automatically become public after 80 years, without need for review under the Access to Information Act, helping to shorten the extension period. Dagg says he plans to contact Library and Archives to negotiate a smaller subset of the Project Anecdote documents. “I would narrow the scope so I can get something within a year or two, rather than beyond my lifetime,” he said in an interview. Timeliness of responses has been a growing issue under the act. In 2016-2017, for example, responses to 2,326 requests took more than a year, up from 1,526 the year previous — or 2.7% of all requests, up from 2.1%. And 19.3% of all responses to requests in 2016-2017 were in so-called “deemed refusal,” that is, they were late — delivered beyond legislated deadlines. That level of ‘deemed refusals’ has almost doubled in the last five years. And some 1,741 of these late requests were delivered more than a year after deadline. In 2016, former commissioner Suzanne Legault warned of a “culture of delay” within the federal government that has created “a slow and arcane system that seems bent on denying access.” [CBC]

Health / Medical

US – Report Finds Insider Data Breaches Most Common in Health Care Industry

According to Verizon’s 2018 Data Breach Investigations Report, 25% of all attacks over the year were perpetrated by insiders and were driven largely by financial gain, espionage and simple mistakes or misuse. It also reports that organised criminal groups continue to be behind around half of all breaches, while state-affiliated groups were involved in more than one in 10. Financial gain, unsurprisingly, continued to be the top motivation for cybercriminals. The health care industry ranks worst when it comes to preventing insider data breaches. As the only sector reported to have more internal actors behind data breaches than external, errors were the leading type of cyber incident across health care, followed by malware, hacking and privilege misuse. The report also found that for the malware detected in health care, ransomware accounted for 85%. Simple errors – such as failing to shred confidential information, sending emails to the wrong person or misconfiguring web services – were at the heart of nearly one in five breaches. More than 20 per cent of people still click on at least one phishing campaign during a year. [The Washington Post]

Horror Stories

US – Consumer Reports Publisher to Pay $16.4M to Settle Privacy Lawsuit

The publisher of Consumer Reports magazine will pay $16.375 million to settle a lawsuit alleging it violated Michigan privacy law. The publisher was accused of selling customers’ subscription and personal information to third parties without consent. The personal information included customers’ age, race, religion, income, medical conditions and political affiliations. “We have long advocated for the rights of consumers to have control over their private information,” a Consumer Reports spokeswoman said. “While we believe that our practices were in compliance with Michigan law, we chose to settle this case, without admitting liability, so that we can spend our time, effort and resources on protecting consumers.” [Reuters | Insurance Journal]

AU – Study Shows Willingness to Pay Malware Ransom Demands

According to findings from the Telstra Security Report, 47% of Australian businesses paid malware ransom demands when found to be the victim of a cyberattack. The report, which surveyed 1,252 people across 13 countries and 15 industries, found that a willingness to pay ransom demands was consistent across all respondents, with 60% of ransomware victims in New Zealand, 55% in Indonesia, and 41% in Europe stating they have paid a ransom demand. Furthermore, 87% of Asian businesses and 82% of European respondents stated they recovered stolen data once the ransom was paid. [ZDNet]

Identity Issues

AU – Anonymization: Australian DPA Finds Publication of Dataset Flawed

The Office of the Australian Information Commissioner issued the results of its investigation into the publication of a dataset by the Department of Health. A dataset had the potential to identify service providers and some individuals because a public agency’s process for de-identification of PI and assessment of the risk of re-identification was flawed; it unlawfully disclosed PI for a purpose other than that of collection, and failed to take adequate steps to remove PI from the dataset relative to the sensitivity of the information (medical/pharm benefits information), and the context of its release (online to the public). [OIC Australia – Publication of MBS/PBS Data]

Location

US – Can GPS Tracking Stop Customers from Stealing Rental Cars? In California, A New Debate Over Privacy Begins

The use of GPS to track stolen vehicles is at the center of a debate between car rental companies and privacy advocates in California. Most rental cars are equipped with navigation and GPS technology. But unlike automakers that can begin tracking their customers’ movements as soon as they drive off the lot, California law bars rental companies from tracking their customers’ location until the vehicle has been missing at least five days past its return date. Some car rental companies want to decrease the number of days significantly, making it possible to track the movements of customers who failed to return vehicles on time. Meanwhile, privacy advocates worry that allowing companies to track customers — even if only after they’ve failed to return a rental vehicle — could open the door to privacy abuses, such as collecting and selling valuable consumer data. The ease of stealing rental vehicles may explain why there were more than 92,000 rental car thefts across the United States between 2015 and 2018, with nearly 18,000 of those thefts occurring in California, according to the National Insurance Crime Bureau. California remains a leading state for car theft alongside Nevada and Washington State, according to the NICB. But privacy advocates such as state Sen. Hannah-Beth Jackson (D-Santa Barbara) say the rental industry hasn’t provided data proving that enough thieves are posing as customers to warrant a change in existing laws, such as allowing companies to track the location of overdue rental vehicles. [Wash Post | zdnet.com]

Other Jurisdictions

RU – Russia Seeks to Ban Telegram Messaging App

Russia’s Roskomnadzor, the Federal Service for Supervision of Communications, Information Technologies and Mass Media, has filed a lawsuit asking a court in that country to block the Telegram messaging app. Telegram has refused to provide Russian authorities with encryption keys. [www.v3.co.uk: Russia set to ban Telegram app for refusing to hand over decryption keys on demand | www.zdnet.com: Russia moves to block Telegram after encryption key denial]

CN – China Ranking Citizens With A Creepy ‘Social Credit’ System

The Chinese state is setting up a vast ranking system that will monitor the behaviour of its enormous population, and rank them all based on their “social credit.” The “social credit system,” first announced in 2014, aims to reinforce the idea that “keeping trust is glorious and breaking trust is disgraceful,” according to a government document. The program is due to be fully operational by 2020, but is being piloted for millions of people already. The scheme is mandatory. At the moment the system is piecemeal — some are run by city councils, others are scored by private tech platforms which hold personal data. Like private credit scores, a person’s social score can move up and down depending on their behaviour. The exact methodology is a secret — but example infractions include bad driving, smoking in non-smoking zones, buying too many video games and posting fake news online. China has already started punishing people by restricting their travel. Nine million people with low scores have been blocked from buying tickets for domestic flights. Three million people are barred from getting business-class train tickets. The eventual system will punish bad passengers specifically. Potential misdeeds include trying to ride with no ticket, loitering in front of boarding gates, or smoking in no-smoking areas. According to Foreign Policy, credit systems monitor whether people pay bills on time, much like financial credit trackers — but also ascribe a moral dimension. Other mooted punishable offences include spending too long playing video games, wasting money on frivolous purchases and posting on social media. Spreading fake news, specifically about terrorist attacks or airport security, will also be punishable offences. 17 people who refused to carry out military service last year were barred from enrolling in higher education, applying for high school, or continuing their studies, Beijing News reported.
Citizens with low social credit would also be prohibited from enrolling their children at high-paying private schools. “Trust-breaking” individuals would also be banned from doing management jobs in state-owned firms and big banks. Some crimes, like fraud and embezzlement, would also have a big effect on social credit. People who refused military service were also banned from some holidays and hotels — showing that vacation plans are fair game too. The regime rewards people here as well as punishes them. People with good scores can speed up travel applications to places like Europe. Naming and shaming is another tactic available. A 2016 government notice encourages companies to consult the blacklist before hiring people or giving them contracts. However, people will be notified by the courts before they are added to the list, and are allowed to appeal against the decision within ten days of receiving the notification. It’s not clear when the list will start to be implemented. A prototype blacklist already exists, and has been used to punish people. There is also a list for good citizens — that will reportedly get you more matches on dating websites. They can also get discounts on energy bills, rent things without deposits, and get better interest rates at banks. Despite the creepiness of the system — Human Rights Watch called it “chilling,” while others call it “a futuristic vision of Big Brother out of control” — some citizens say it’s making them better people already. A 32-year-old entrepreneur, who only gave his name as Chen, told Foreign Policy: “I feel like in the past six months, people’s behaviour has gotten better and better. “For example, when we drive, now we always stop in front of crosswalks. If you don’t stop, you will lose your points. “At first, we just worried about losing points, but now we got used to it.” [Business Insider]

Privacy (US)

US – California Ballot Initiative Seeks to Establish Consumer Privacy Rights

Sens. Richard Blumenthal, D-Conn., and Ed Markey, D-Mass., have proposed the Customer Online Notification for Stopping Edge-provider Network Transgressions Act aimed at enhancing consumer privacy. The “privacy bill of rights” would require edge providers, such as Facebook and Google, to obtain consumers’ consent before selling sensitive information. “The avalanche of privacy violations by Facebook and other online companies has reached a critical threshold, and we need legislation that makes consent the law of the land,” Markey said in a statement. The bill would prevent edge providers from forcing customers to provide consent in order to use any services. [Ars Technica | Engadget | Broadcasting Cable | MediaPost | LA Times | LW.com]

US – Consumer Groups Say YouTube Is Collecting, Using Children’s Data Improperly

A coalition of more than 20 consumer advocacy groups is expected to file a complaint with federal officials claiming YouTube has been violating a children’s privacy law. The complaint contends that YouTube, a subsidiary of Google, has been collecting and profiting from the personal information of young children on its main site, although the company says the platform is meant only for users 13 and older. The coalition of consumer groups said YouTube failed to comply with the Children’s Online Privacy Protection Act, a federal law that requires companies to obtain consent from parents before collecting data on children younger than 13. The groups are asking for an investigation and penalties from the FTC, which enforces the law. [The New York Times and The Associated Press (via FT), USA Today, WIRED and The Guardian]

US – Uber Agrees to Expanded FTC Data Breach Settlement

Uber has agreed to expand its proposed settlement with the FTC related to its 2016 data breach. The FTC released a revised complaint against the ride-hailing company, alleging Uber knew hackers used a key to access 25 million names and email addresses, 22 million names and phone numbers, and 600,000 names and driver’s license numbers. Uber could face civil penalties as a result of the expanded settlement if it fails to notify the agency of any future data breaches. “The strengthened provisions of the expanded settlement are designed to ensure that Uber does not engage in similar misconduct in the future,” Acting FTC Chairman Maureen Ohlhausen said. The FTC also offered lessons companies can learn from Uber’s data breach. [FTC.gov]

US – D.C. Court: Accessing Public Information is Not a Computer Crime

A district court in Washington, D.C. has ruled that using automated tools to access publicly available information on the open web is not a computer crime—even when a website bans automated access in its terms of service. The court ruled that the notoriously vague and outdated Computer Fraud and Abuse Act (CFAA)—a 1986 statute meant to target malicious computer break-ins—does not make it a crime to access information in a manner that the website doesn’t like if you are otherwise entitled to access that same information. The case, Sandvig v. Sessions, involves a First Amendment challenge to the CFAA’s overbroad and imprecise language. The plaintiffs are a group of discrimination researchers, computer scientists, and journalists who want to use automated access tools to investigate companies’ online practices and conduct audit testing. The problem: the automated web browsing tools they want to use (commonly called “web scrapers”) are prohibited by the targeted websites’ terms of service, and the CFAA has been interpreted by some courts as making violations of terms of service a crime. This is the second time in a year a court has recognized that a broad interpretation of the CFAA will negatively impact open access to information on the web. Judge Edward Chen found that a “broad interpretation of the CFAA invoked by LinkedIn, if adopted, could profoundly impact open access to the Internet, a result that Congress could not have intended when it enacted the CFAA over three decades ago.” The web is the largest, ever-growing data source on the planet. It is a critical resource for journalists, academics, businesses, and ordinary individuals alike. Meaningful access sometimes requires the assistance of technology to automate and expedite an otherwise tedious process of accessing, collecting and analyzing public information. Using technology to expedite access to publicly available information shouldn’t be a crime—and we’re glad to see another court recognize that. [EFF]

US – Woman Awarded $6.45 Million in Revenge Porn Case

A federal district court in California last week entered a default judgment against a man and ordered him to pay $6.45 million in damages after he was accused of spreading an ex-girlfriend’s naked pictures and videos online. It’s believed to be the second-largest payout for a victim of revenge porn who was not a celebrity, according to the woman’s lawyers. The unnamed woman, who was listed as Jane Doe in legal filings, sued the man, David Elam II, in civil court. She alleged copyright infringement, online impersonation with intent to harm, stalking and the intentional infliction of emotional distress. The case, which was filed in 2014, also underscores how complicated it can be to seek justice. There’s no federal law against revenge porn — just a patchwork of state laws. Doe was awarded $450,000 in damages because of copyright infringement. She also received $3 million in compensatory damages for emotional distress, and $3 million in punitive damages. [CNNMoney]

US – State AGs Opposed to Federal Bill

The New York Attorney General and 29 other State Attorneys General submitted their concerns to Congress regarding HR 4508, the PROSPER Act, specifically potential student-loan related abuses. The Bill would prohibit states from overseeing or addressing certain state law violations by student loan collectors or servicers, and there are no federal protections for borrowers of student loans; such servicers have come under increased scrutiny from government agencies for practices that include collections on debt not owed, failures to inform borrowers about repayment options, and difficulties in contacting servicers through call centers. [New York Attorney General et al. – Letter to Congress Regarding PROSPER Act]

US – Copyright Office Considering DMCA Exemption for Voting Machines

As part of its triennial exemption process for the Digital Millennium Copyright Act (DMCA), the US Copyright Office is considering expanding the scope of exceptions to DMCA to include voting machines, which would allow researchers to probe the devices for vulnerabilities without fear of legal repercussion. At a hearing earlier this week, researchers and vendor representatives voiced their opinions about the possible change. [Cyberscoop: Security researchers and industry reps clash over voting machine security testing]

US – American Lawyers Urged to Use ‘Burner Phones’ When Travelling Abroad

Lawyers in the US are being advised to use “burner phones” when they travel abroad to protect information from government inspection on re-entering the country. The advice, given by the New York Bar Association, comes against the backdrop of the Trump administration tightening border security. Anyone entering the US can be asked to turn over their computers and phones to Customs and Border Protection for inspection. They will also be expected to disclose passwords to enable officials to examine their correspondence. Foreigners who refuse to comply can be denied entry into the country while US citizens face having their equipment confiscated temporarily to allow further inspection. The American Bar Association, which has 400,000 members, has been trying to persuade the Department of Homeland Security to devise a policy which will protect lawyer-client privilege. But no agreement has been reached, leading the New York Bar Association to suggest drastic measures. It has urged lawyers to use “burner phones” – cheap throwaway devices often seen in modern crime shows. The Association has also advised lawyers to install software to wipe sensitive information and to disconnect from cloud services. As things stand, the courts have yet to reach a conclusive decision on the legality of inspecting phones and computers. Currently 0.017 per cent of people entering the US are subjected to an electronic device search. [The Telegraph]

US – Data Breach Notification Laws Now Enacted in All 50 States

South Dakota and Alabama are the last of the 50 states to have enacted breach notification laws, along with Washington, D.C., Guam, Puerto Rico and the Virgin Islands. South Dakota became the 49th state to enact a data breach notification law when Governor Dennis Daugaard signed Senate Bill 62 into law on March 21. It goes into effect on July 1, 2018. On March 28, 2018, Alabama Governor Kay Ivey signed into law Alabama Senate Bill 318, effective May 1, 2018. Below are the parameters of these new data breach notification laws. As reported in a blog by Daniel Walbright, 32 state attorneys general have released a letter to Congress preemption of state data breach and security laws with a draft bill, “Data Acquisition and Technology Accountability and Security Act.” [DBR on Data]

US – FTC Launching Small Business Cybersecurity Education Campaign

The FTC announced a national education campaign to assist small businesses in strengthening their cybersecurity efforts. The campaign will include training modules and videos on subjects small business owners have identified as trouble spots, including ransomware, phishing attacks and email authentication. “Small businesses understand the importance of cybersecurity and the need to protect their networks and data, but many feel overwhelmed about how to address the myriad of cyber threats they face,” said the FTC. “Our new campaign aims to help these small businesses with targeted, plain-language advice on everything from protecting against phishing scams to tips on what to look for when choosing a cybersecurity vendor.” [FTC.gov]

US – FTC Report Makes Security Recommendations to the Mobile Device Industry

A new report by the FTC takes aim at how data security tech for mobile devices can be both improved and better utilized. The report, published in February 2018 and titled Mobile Security Updates: Understanding the Issues [PR here], presents findings based upon information requested by the FTC in 2016 of eight mobile device manufacturers. The report recommends that both the devices themselves and their corresponding support services need to do a better job by deploying security updates more quickly and more frequently. It recommends that manufacturers provide a minimum period during which security updates are to be provided, and make that period known to the consumer prior to purchase. It also recommends that manufacturers consider providing security updates that are separate and distinct from other updates that are often bundled together in one package. The report is intended to bolster consumer protection; however, it is also relevant for small businesses and their use of mobile devices in the workplace, such as bring-your-own-device (BYOD). While a BYOD policy helps a small business save on device and carrier costs, it also increases the likelihood of security threats to the business. [Working Place Privacy]

US – EPIC Releases US Privacy Law Updated Guide

The Electronic Privacy Information Center has released a guide on the major developments in U.S. privacy law ahead of the 63rd meeting of the International Working Group on Data Protection in Telecommunications in Budapest. The guide covers topics such as the passing of the CLOUD Act, the Facebook-Cambridge Analytica revelations, the investigation into potential interference with the 2016 U.S. presidential election, and the nominations of four new commissioners to the Federal Trade Commission, as well as U.S. Supreme Court affairs, including the U.S. v. Microsoft and the Carpenter v. U.S. cases. [EPIC.org]

Privacy Enhancing Technologies (PETs)

WW – Apple’s ‘Private by Design’ Health Care App Aims to Capture Market

With tech companies moving in to capture the health care market, Apple’s “private-by-design” strategy aims to ensure the security and privacy needs of organizations. A recent survey found that 47% of health care IT professionals expect to see mobile devices increase in use over the next two years, highlighting that health care providers are more willing to adopt mobile technology. Apple’s recently introduced Health Records app for iPhone users puts patients in control of data portability. Mike Restuccia, CIO at Penn Medicine, said, “I think the good thing about the Apple solution is that the data only resides on the end-user’s device,” adding, “So, we don’t have access to that. Apple doesn’t have access to the data. The beauty of the solution is it is patient managed, patient controlled and patient centered.” [Computerworld]

Security

AU – Human Error (Not Hackers) Behind Most Data Breaches in Australia

The Office of the Australian Information Commissioner released the first quarterly report since the country’s mandatory data breach notification scheme came into effect and noted an increase in the number of data breaches reported. The OAIC received notification of 63 data breaches in the first six weeks, compared to the 114 instances for the entire 2016–17 period when reporting was voluntary. The majority of breaches stemmed from human error, but an estimated 44% was the result of malicious or criminal behavior. The OAIC also stated that 78% of breaches included “contact information,” 24% contained “identity information,” and 73% of all eligible breaches “involved the personal information of under 100 individuals.” [iTnews | The Mandarin]

CA – Ontario Energy Board Establishes Cyber Security Framework

The Ontario Energy Board (OEB) established a Cyber Security Framework that is to be used by transmitters and distributors as the common basis for assessing and reporting their level of risk and security capability, as a means to move towards a more mature level of control and security. [Ontario Cyber Security Framework – Version 1.0 – Ontario Energy Board]

Surveillance

US – DHS to Compile Database of Journalists and ‘Media Influencers’

The Department of Homeland Security wants to track the comings and goings of journalists, bloggers and other “media influencers” through a database. The DHS’s “Media Monitoring” plan would give the contracting company “24/7 access to a password protected, media influencer database, including journalists, editors, correspondents, social media influencers, bloggers etc.” in order to “identify any and all media coverage related to the Department of Homeland Security or a particular event.” The database would be designed to monitor the public activities of media members and influencers by “location, beat and influencers,” the document says. The chosen contractor should be able to “present contact details and any other information that could be relevant including publications this influencer writes for, and an overview of the previous coverage published by the influencer.” Also, the contractor would have access to a password protected, mobile app that provides an “overview of search results in terms of online articles and social media conversations,” in several different languages such as Arabic, Chinese and Russian. The request comes amid concerns regarding accuracy in media and the potential for U.S. elections and policy to be influenced via “fake news.” The plan calls for the ability to track 290,000 news sources including online, print, broadcast and social media. Also, it would have the ability to track media coverage in over 100 languages, along with the “ability to create unlimited data tracking, statistical breakdown, and graphical analyses on ad-hoc basis.” DHS spokesman Tyler Q. Houlton tweeted that the practice of monitoring the press is considered “standard.” [Chicago Sun Times]

+++

03-10 April 2018

Big Data / Data Analytics 

CA – Big Data: Deceptive Use Is Harmful to Consumers

The Canada Competition Bureau released a study on Big Data, including its use in deceptive marketing practices. The Competition Bureau says Big Data collection is not always apparent to consumers because it may not be incidental to the main purpose of an app or service, and data is often collected from various sources surreptitiously by lead generators and sold; Big Data is also used to make false or misleading representations, target advertising to vulnerable consumers, and produce fake reviews (astroturfing). [Competition Bureau – Big Data and Innovation: Implications for Competition Policy in Canada]

Canada

CA – Canada Flagged Facebook’s Third-Party App Privacy Problem in 2009

Canadian federal privacy officials warned that third-party developers’ access to Facebook users’ personal information “raises serious privacy risks” back in 2009, documents show. The report also pointed out that app developers could access information about the Facebook friends of people using apps. In a 2009 speech, then-assistant privacy commissioner Elizabeth Denham said that her office’s top Facebook concern was “the sharing of users’ personal information with third-party developers creating Facebook applications such as games and quizzes.” “We were alarmed by a lack of adequate safeguards to effectively restrict those developers from accessing users’ personal information – as well as information about their online ‘friends,’” she said. In 2010, the commissioner’s office said it was satisfied with Facebook’s solution to the third-party app problem, which involved clearer user consent when apps were installed. “The privacy commissioner at the time kind of gave the green light to Facebook, and from our perspective that was really problematic, especially the access to third-party content through the API,” said David Fewer of the Canadian Internet Policy and Public Interest Clinic, whose complaints against Facebook led to the original investigation. “They reached a resolution which did away with our complaint, and basically gave the green light to Facebook to keep on doing what they do.” [Global News]

CA – OPC Joins U.K. and B.C. Counterparts in Probe of Brexit Tampering

Canada’s federal privacy commissioner is joining privacy watchdogs in B.C. and the U.K. in an investigation to determine whether Canadian privacy laws were violated by the Victoria-based political data firm, AggregateIQ, that was hired by the Leave side during the U.K.’s referendum on whether to remain in the European Union [see OPC announcement here]. Since the Leave side won, the company has been accused of being part of a scheme to sidestep U.K. campaign spending rules to sway the vote. Facebook is also being investigated in a separate joint probe by the B.C. and federal Canadian privacy watchdogs. Both probes will look at whether Facebook or AggregateIQ violated PIPEDA or B.C.’s PIPA. [CBC News at: CTV News, Reuters and TheTyee See also: UK probing AggregateIQ as part of inquiry into privacy law breach | Facebook claims its very busy man in Ottawa is not a lobbyist | Canada’s privacy commissioner isn’t surprised about the Facebook privacy scandal | Privacy watchdog suggests he may join ongoing AggregateIQ investigations]

CA – NL OIPC Scolds Town of Paradise for the 6th Time in 5 Months

For the sixth time in five months Donovan Molloy, Newfoundland’s privacy commissioner, has made recommendations to the Town of Paradise — this time, it’s to shut off its security cameras [see PR here & Report here]. While he said he can’t comment on specifics of the case yet, Molloy said the Access to Information and Protection of Privacy Act prevents public bodies from putting up cameras without reason. When questioned by Molloy, the town said it installed 87 cameras after incidents of vandalism, false fire alarms, bomb threats and property damage. On two occasions, the footage was used to investigate criminal activity on town property. But when Molloy asked for more detailed information on those incidents, the report says there was no response. [CBC News and at: The Telegram and VOCM]

CA – Opinion: Privacy Laws Should Apply to Political Parties

The Harper Conservatives were innovators in the field of data-driven campaigning. In defeating Harper, the Trudeau Liberals drew on similar micro-targeting techniques. More and more, political parties thrive on big data, the more granular the better. Our privacy protections, however, have failed to keep pace. The current legal framework does almost nothing to ensure that political parties obtain and use citizens’ personal information responsibly. Canadian political parties are exempt from privacy laws. This is “not a good thing,” according to Daniel Therrien, Canada’s privacy commissioner. As he told the Canadian Press last week, “The absence of regulation facilitates the manipulation of information to influence elections in a way which I think is completely contrary to the public interest.” To the extent that micro-targeting happens without voters’ knowing about it or agreeing to it, the practice is manipulative in a way that distorts democracy. Data-hungry political parties are the last entities that should be exempt from privacy laws. If they want to know about us, they should be forced to ask. [Toronto Star and at: Montreal Gazette, The Globe and Mail, CBC News, Hill Times and The Toronto Star]

CA – Ontario Bill Prohibits Inquiries into Employee Compensation History

Ontario’s Bill 3, the Pay Transparency Act, 2018, related to disclosure of compensation for applicants and employees, was introduced and carried at first reading. Exemptions include an applicant’s voluntary and unprompted disclosure of their compensation history, compensation ranges or aggregate compensation for comparable positions, or publicly available compensation history, and employers must submit and post pay transparency reports; a government compliance officer may enter a workplace without a warrant to assess the employer’s compliance with the law. If passed it goes into effect January 1, 2019. [Bill 3 – Pay Transparency Act, 2018 – 41st Legislature, Ontario | Press Release | Status]

Consumer

WW – Number of Facebook Users Affected by Scandal Grows

Facebook now says that the number of users whose information was improperly used by political consulting company Cambridge Analytica could be as high as 87 million, up from an earlier estimate of 50 million. Facebook says it has adopted new measures to restrict third-party access to user data. Subsequently, Facebook decided to end the drip drip drip of increasing size of the compromise and now just says that its search tools were so easily misused that *most* of the 2 billion Facebook users should consider their personal information to have been harvested without their knowledge or permission. The FTC moved against Facebook in 2011 for privacy abuse and Facebook entered into a settlement that they appear to have violated, since they agreed to obtain “consumers’ express consent before their information is shared beyond the privacy settings they have established.” [nytimes: Facebook Says Cambridge Analytica Harvested Data of Up to 87 Million Users | thehill: Facebook says up to 87 million people affected by Cambridge Analytica scandal]

WW – Facebook: Majority of Two Billion Users May Have Had Data Scraped

Facebook has disabled a feature it believes may have allowed malicious actors to scrape the data of most of its two billion users, while also raising the number of affected individuals from the Cambridge Analytica revelations. The social media company deactivated the feature letting users enter phone numbers and email addresses into its search tool, which it said could be used to gather information on the majority of its users. The tech company now says 87 million users were affected by the Cambridge Analytica revelations, up from the 50 million initially reported. Meanwhile, Mark Zuckerberg will testify in front of both the U.S. Senate Judiciary and Commerce Committees April 10 on the Cambridge Analytica situation. Facebook also announced a plan to restrict data access on its platform, while Zuckerberg said the company will offer EU General Data Protection Regulation privacy controls worldwide, disputing previous reports. [Bloomberg]

E-Mail

CA – SK OIPC Advises MLA Against Using Personal Email for Government Business

Saskatchewan Information and Privacy Commissioner Ron Kruzeniski offered advice to Minister of Crowns and SGI Joe Hargrave about his use of his personal email account. A Saskatoon man filed a complaint after sending an email to Hargrave’s government email address, only to receive a response from the minister’s personal account. The man was concerned about the security protections for both of the email accounts. While Kruzeniski determined he had no jurisdiction to investigate the matter as it was not a “government institution,” the commissioner advised Hargrave to observe best practices and not use his personal email for government-related activities. [CBC News]

CA – NL OIPC Advises Caution When Sending PHI Via Email

New guidance from the OIPC Newfoundland and Labrador examined the use of email for communicating personal health information. According to the 3-page guidance, custodians should confirm that patients wish to be contacted via email, inform them of possible risks and verify their email address; prior to sending the email, consider whether it is necessary to send the PHI via email, send the PHI in a separate encrypted attachment (with encryption keys sent by a different method), limit the PHI to what is necessary, and maintain a copy for the patient’s file. [OIPC Newfoundland and Labrador – Use of Email for Communicating Personal Health Information]

FOI

CA – CJF Poll Finds 74% Support Right to Access News Over R2BF

A new poll commissioned by The Canadian Journalism Foundation (CJF) finds the right to access news outweighs personal reputation considerations when it comes to online news stories. The poll, conducted by Maru/Matchbox earlier this month among more than 1,500 people, found that 74% believe broadly that Canadians’ right to access news overrides the right to remove accurate and lawful stories that have a negative impact on a person’s reputation. “As the Office of the Privacy Commissioner contemplates a ‘right to be forgotten,’ it will need to strike a balance between those rights protecting freedom of expression and the right to manage reputation online,” says CJF executive director Natalie Turvey. “These polling results suggest Canadians may prioritize their Charter rights and that we care deeply about our right to access news and information.” The poll results come ahead of a topical half-day symposium in Toronto exploring the right to be forgotten, ‘Striking the Balance: Privacy and Freedom of Expression in a Digital Age‘ featuring Daniel Therrien, privacy commissioner of Canada; Michael Geist, law professor at the University of Ottawa; Peter Fleischer, global privacy counsel for Google; and other top privacy experts. [Newswire and at: TCP via CityNews]

Genetics

US – California Supreme Court Lets Stand Controversial Law Allowing DNA Collection Upon Arrest

The fight for more protective rules in the California government’s DNA collection suffered a major setback when the California Supreme Court. On a 4-3 vote [see 95 pg PDF ruling here], the state’s highest court refused to throw out that part of the [2004 voter initiative, Proposition 69 see here], which has led to the storing of DNA profiles of tens of thousands of people arrested but never charged or convicted. A majority of states collects DNA from arrestees, and the U.S. Supreme Court has approved the practice. Privacy advocates, though, argued that California’s law was more invasive than rules in other places. Of the 200,000 to 300,000 people arrested in California annually on suspicion of a felony, about a third are either acquitted or never formally charged. California, unlike most other states, takes DNA from people before they are even arraigned and has no automatic process for expunging DNA profiles when charges are dropped or people acquitted. [Source and at: DeepLinks Blog (EFF), Courthouse News Service, The Recorder (Law.com) and JURIST]

Health / Medical

US – ONC Releases Guide on Sharing Patient Data

The Office of the National Coordinator for Health Information Technology released a guide to help educate patients on accessing and sharing their medical data. The resource informs patients on the benefits of accessing their data and offers advice on the best ways to view the data within their electronic health records. “It’s important that patients and their caregivers have access to their own health information so they can make decisions about their care and treatments,” National Coordinator for Health Information Technology Don Rucker said. [HealthITAnalytics]

US – Health Care Professionals Remain Concerned About Data Security

A recent survey showed that while health care professionals are overwhelmingly concerned about health care data security, 68% believe their own organizations are taking appropriate measures to ensure cybersecurity. The survey conducted by Venafi took place at last month’s HIMSS18 conference and queried 122 health care professionals on sector response to cyber threats. Despite their shared concern, only 29% of respondents believe cybersecurity can be enhanced through more regulation. BakerHostetler’s fourth annual Data Security Incident Response report found that of the 560 security incidents handled by the firm’s privacy and data protection team, more than one-third involved the health care industry, marking an increase from previous years. [HealthITSecurity]

WW – Facebook Sent Doctor on a Secret Mission to Ask Hospitals to Share Patient Data

Facebook was in talks with top hospitals and other medical groups as recently as last month about a proposal to share data about the social networks of their most vulnerable patients. The idea was to build profiles of people that included their medical conditions, information that health systems have, as well as social and economic factors gleaned from Facebook. The proposal never went past the planning phases and has been put on pause after the Cambridge Analytica data leak scandal raised public concerns over how Facebook and others collect and use detailed information about Facebook users. Facebook’s pitch, according to two people who heard it and one who is familiar with the project, was to combine what a health system knows about its patients (such as: person has heart disease, is age 50, takes 2 medications and made 3 trips to the hospital this year) with what Facebook knows (such as: user is age 50, married with 3 kids, English isn’t a primary language, actively engages with the community by sending a lot of messages). The issue of patient consent did not come up in the early discussions, one of the people said. Critics have attacked Facebook in the past for doing research on users without their permission. Notably, in 2014, Facebook manipulated hundreds of thousands of people’s news feeds to study whether certain types of content made people happier or sadder. Facebook later apologized for the study. Health policy experts say that this health initiative would be problematic if Facebook did not think through the privacy implications. [CNBC and at: Inquisitr, GIZMODO, Ars Technica, The Verge, Fast Company, The Hill and Becker’s Hospital Review ]

Horror Stories

AU – Apple Watch Health Data Is Being Used as Evidence in Murder Trial

Myrna Nilsson, 57, was murdered in Adelaide in September of 2017. Nilsson’s daughter-in-law, Caroline Nilsson, 26, told law enforcement that a group of men had invaded her home and attacked her following a road rage incident. Prosecutor Carmen Matteo presented evidence in court that Caroline Nilsson fabricated her story and should be held on charges of murder without bail. A forensic analyst studied the data on the victim’s Apple Watch and determined that the attack and her death occurred within a seven-minute window. A flurry of activity was recorded followed by calm when the victim was presumably unconscious, then her heart rate stopped. “The prosecution accumulates those timings and the information about energy levels, movement, heart rate, to lead to a conclusion that the deceased must have been attacked at around 6.38pm and had certainly died by 6.45pm,” Matteo told the court. The judge agreed with the prosecution and denied bail. Mrs. Nilsson will return to court on June 13th. [Gizmodo and at: News.com.au, The Daily Mail and New York Post]

EU – Norwegian Consumer Council Files Privacy Complaint Against Grindr Following Revelation of HIV Status Data Sharing

The Norwegian Consumer Council has filed a privacy complaint against popular gay dating app Grindr, after it was revealed the app had been sharing the HIV statuses of its users with third parties. Shortly after Grindr announced a new feature for the app which would remind users to get tested for HIV every few months, a report revealed that Grindr shares its user data, including HIV status and location, with at least two third-party companies. In a document published on Tuesday, the Norwegian Consumer Council claimed they were filing the complaint against Grindr “for breaching data protection law.” Citing a section of Grindr’s privacy policy that informs users they are responsible for “all associated risks” surrounding their data, the Council called the policy “unfortunate.” The Council also expressed that in their view, the current policy “is in breach of Norwegian and European data protection law.” [Breitbart and: TechCrunch, Forbrukerrådet and PinkNews and at: Grindr defends HIV-related data sharing | Grindr Sets Off Privacy Firestorm After Sharing Users’ H.I.V.-Status Data | Dating app Grindr vows to stop sharing data after HIV scandal | The Guardian view on Grindr and data protection: don’t trade our privacy]

WW – Grindr Changes Policy of Sharing Users’ HIV Status with Outside Vendors

In response to an outcry, Grindr will stop sharing users’ HIV statuses with third parties after a report disclosed that the company passed the information on to outside vendors hired by Grindr to test the performance of its app. Grindr’s vendors, Apptimize and Localytics, are fed user data that includes HIV statuses, GPS data, phone numbers and e-mail addresses that, when combined, could expose someone’s private health information. In a statement Grindr said it would never sell personally identifiable information to third parties, including advertisers. Apptimize and Localytics — services that help Grindr test features on its platform — are under contract to safeguard user privacy and security, the company said. [LA Times and at: BuzzFeed News, Bloomberg, TechCrunch and The Verge]

WW – Panera Website Data Leak

The Panera Bread restaurant website was leaking customer data for at least eight months until it was taken offline on Monday, April 2. The compromised data include names, email and physical addresses, birth dates, and the last four numbers of payment cards. The leak affected customers who had signed up for an account to order food online. The data were accessible in part because “Panera Bread uses sequential integers for account IDs.” [krebsonsecurity: Panerabread.com Leaks Millions of Customer Records]

CA – Upscale Department Store Payment System Breached

Payment systems at some brick-and-mortar Saks Fifth Avenue and Lord & Taylor department stores have been breached. As many as five million payment card numbers allegedly stolen from the stores’ systems are being offered for sale online. The breach does not appear to affect online transactions. Both stores are owned by The Hudson’s Bay Company, which says that steps have been taken to contain the breach. [reuters: Saks, Lord & Taylor hit by payment card data breach | scmagazine: Saks, Lord & Taylor breached, 5 million payment cards likely compromised | theregister: Hacks Fifth Avenue: Crooks slurp bank cards from luxury chain Saks | nytimes: Card Data Stolen From 5 Million Saks and Lord & Taylor Customers]

WW – Under Armour Breach Affects 150 Million MyFitnessPal Accounts

Under Armour disclosed that its MyFitnessPal app and website had been breached, exposing personal account information of as many as 150 million accounts. The incident occurred in February 2018. The breach did not affect payment account data, as Under Armour processes that information separately. [investor.underarmour: Under Armour Notifies MyFitnessPal Users Of Data Security Issue | scmagazine: Under Armour deftly manages breach, dodges GDPR scrutiny | zdnet: Under Armour says 150 million MyFitnessPal accounts hit by data breach | threatpost: Under Armour Reports Massive Breach of 150 Million MyFitnessPal Accounts]

Intellectual Property

EU – Group Calls for EU to Exempt Blockchain from GDPR

A blockchain group is calling for the European Union to exempt the technology from the General Data Protection Regulation. In a blog post, Coin Center Executive Director Jerry Brito writes the GDPR is “incompatible with the reality of open blockchain networks,” and if technology is regulated under the impending rules without any changes to either, the outcome could be troublesome. “The result of the law, then, may be that Europe is closing itself off from the future of the internet to its detriment,” Brito writes. [The Verge]

CA – DriveHer App Suspends Service Following Data Breach

The founder of the DriveHer app has suspended the service following a data breach. The app was created as a way to increase the safety and security of women drivers and riders. IT Consultant Darryl Burke discovered vulnerabilities within the app leading to the breach, such as finding the data provided by users was not encrypted. “The data accessed may have included personal information such as name, gender, telephone number, profile image,” DriveHer Founder Aisha Addo wrote in an email informing users of the breach. “DriveHer values your privacy and deeply regrets that this incident occurred.” [Toronto Star]

Internet of Things

US – Connecting the Dots Between Security Practices and Legal Obligations: California’s Connected Devices Bill

Internet connected devices can present serious privacy and security issues. California has had an information privacy connected devices bill [for SB-327 status see here] in the works since Feb. 13, 2017. In March 2017, we identified the bill and privacy concerns the state and regulators may be considering when it comes to connected devices. Less than a year later, in January 2018, the bill moved from the state’s Senate to being considered in the state’s Assembly. It has been read once and is currently being “held at desk” in the Assembly, waiting to be referred to a committee. After being introduced, the bill was transformed substantially, with several of its proposed requirements for connected devices stripped entirely; at one point it had both privacy and security related requirements, but now largely calls for security obligations. The bill applies to manufacturers that “sell or offer to sell a connected device to a consumer” in California. It obligates manufacturers to “equip the device with reasonable security features appropriate to the nature of the device and the information it may collect, contain, or transmit, that protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.” The bill would not obligate manufacturers to seek out the highest level of security measures on the market, but rather creates a floor of at least the most “basic security standards,” according to the latest Senate Floor Analyses. It seems that the purpose of the bill is not so much to force companies to heighten their levels of security, but rather to ensure that IoT devices have some sort of security in place, such as basic encryption, as soon as they hit the market.
Despite certain privacy obligations being stricken from the bill, companies should still consider the benefits of employing privacy by design, following the Fair Information Practice Principles, and consider the FTC’s general guidance on IoT devices and comments on draft guidance regarding communicating upgradability, security patches, and transparency. Also consider the evolving efforts to develop international standards, such as guidance published by the IoT Security Foundation from the U.K., security best practices published by the Institute of Electrical and Electronics Engineers, a global nonprofit, and the National Institute of Standards and Technology’s current draft of its Interagency Report on international cybersecurity IoT standardization. With the GDPR becoming effective on May 25, 2018, companies with ties to Europe should also look to what European Data Protection Supervisors have discussed regarding IoT devices in each European member state. [Data Privacy Monitor]

Law Enforcement

UK – Police Can Download All Smartphone’s Data Without A Warrant

A new report by Privacy International shows that since 2012, police forces across the UK have been downloading data from the smartphones of suspects, victims and witnesses, often without obtaining permission. What’s more, they may be storing this data indefinitely, even when no charges are brought. The report is based on Freedom of Information requests to 47 police forces. 26 forces (55%) confirmed that they are using mobile phone extraction technology. This follows on from a 2017 Big Brother Watch report which found that 93% of police forces in the UK are extracting data from digital devices. Data is being collected not only for serious crimes, but also for low-level offences, and several police forces have indicated that they want extraction of mobile data to become the ‘default‘. Police forces across the UK are extracting data from tens of thousands of mobile phones each year. There is no clear national guidance on when forces can use this technology, how data should be stored and for how long it can be kept. [Rights Info and at: The Telegraph, DIGIT and The Times]

Online Privacy

WW – Google Moves to Protect Chrome Web Store Users from Cryptomining

Google’s Chrome Web Store is no longer accepting extensions that mine cryptocurrency, even if it is the express purpose of the extension. In June, Google plans to delist all current cryptomining extensions. Google’s policy prior to this change was to allow cryptomining extensions as long as cryptomining was the extension’s sole function and users were sufficiently informed about the activity. [blog.chromium.org: Protecting users from extension cryptojacking | zdnet: Google to crack down on cryptojacking on Chrome]

Security

CA – Phishing and Ransomware Biggest Concerns: Survey

CIRA issued its 2018 Internet security survey of Canadians that own at least one .CA domain registered to a business or institution. Participants included 1,985 business professionals who play a significant role in their organization’s IT and security-related decisions; domain name users include: companies – 58%; non-profit organizations – 34%; and government – 8%. The survey shows 22% of large Canadian organizations have been victims of DDoS attacks in the last year that have negatively impacted business performance, and 32% had users within the organization unwittingly divulge information to hackers; IT security services are obtained through peers (70%), IT security events (50%), current vendors (43%), analyst research (43%) and webinars (40%). [2018 CIRA Canadian Internet Security Survey]

Surveillance

US – DHS Acknowledges Rogue IMSI Catchers in Washington, DC Area

In a March 26 letter responding to a November 2017 letter from US Senator Ron Wyden (D-Oregon), the US Department of Homeland Security (DHS) acknowledged that it had detected unauthorized cell-site simulators in the Washington, DC area. Also known as international mobile subscriber identity (IMSI) catchers, the technology has been used by law enforcement agencies for years. DHS has not attributed the IMSI catchers’ use to “specific entities.” [apnews: APNewsBreak: US suspects cellphone spying devices in DC | wyden.senate.gov: Wyden’s November 2017 letter to DHS (PDF) | scmagazine: DHS acknowledges unauthorized foreign Stingray use in Washington D.C. | theregister: Hold the phone: Mystery fake cell towers spotted slurping comms around Washington DC | zdnet: Evidence of stingrays found in Washington, DC, Homeland Security says | arstechnica: Feds: There are hostile stingrays in DC, but we don’t know how to find them | cyberscoop: DHS says unauthorized Stingrays could be in D.C. area]

 

+++

 

27 March – 03 April 2017

Big Data / Analytics / Artificial Intelligence

IS – Israel Launching Big Data Health Project

Israel Prime Minister Benjamin Netanyahu said the country will invest nearly $287 million for a big data project designed to make citizens’ health information available to researchers and privacy companies. Netanyahu said the project will help with personalizing medicine for each citizen and for preventive treatments. The information will come from the four health maintenance organizations within Israel that hold almost all the health data belonging to the nine million citizens of the country. Netanyahu’s office released a statement saying it will address data concerns by ensuring the information will be protected by the proper privacy and security measures while making sure access to the information is restricted. [Reuters]

Canada

CA – BC Political Parties and Online Privacy Protection: No Smoking Gun, But Plenty of Smoke

As questions swirl around the globe over Facebook, and how people’s digital profiles are analyzed for ever more precise targeting, B.C.’s Office of the Information and Privacy Commissioner is studying to what extent the phenomenon exists in our backyard. According to the IPC, “The unique thing about our position in B.C. is we’re the only jurisdiction in Canada that has the ability to investigate political parties.” That’s because B.C. political parties fall under the jurisdiction of B.C.’s Personal Information and Privacy Act. People in charge of digital communications for major B.C. parties will tell you that a data breach on the scale of Cambridge Analytica hasn’t happened here for a couple of reasons: one, British Columbia doesn’t have a large enough population to make the sort of bulk data scraping effective; and, second, there are metrics that political parties can use to create targeted Facebook ads in America that aren’t available in Canada. But that still leaves plenty of room for targeting on a smaller scale, say privacy advocates. [CBC News and at: The Times Colonist and CTV News]

CA – Privilege: Tribunal Orders Client Financial Information Redacted

The Law Society Tribunal considered an application by the Law Society of Upper Canada to make certain financial information non-public. Solicitor-client privilege belongs to the client (not the lawyer) and is not lost by a client who complains to the Law Society that her lawyer committed misconduct; the communications between the lawyer and his client have neither been made public nor been disclosed by the client in her civil lawsuit against the lawyer. [Law Society of Upper Canada v. Ian Neil McLean – 2018 ONLSTH 25 – Law Society Tribunal Hearing Division]

CA – OIPC BC: PIPA Does Not Provide Same Level of Protection

The OIPC BC compared PIPA’s obligations against the GDPR. PIPA does not incorporate mandatory breach notification or ensure the same level of individual rights (e.g., right to be forgotten and data portability), and permits implicit consent and opt-out (pre-checked boxes) as valid consent; with the exception of these differences, BC organizations can largely ensure compliance with the GDPR by complying with PIPA. [OIPC BC – Competitive Advantage – Compliance with PIPA and the GDPR]

Consumer

EU – European Commission Outlines Blockchain Development Plans, Calls for a Feasibility Study and Unveils Fintech Action Plan

The EU Commission continues to show its support and investment in new technologies in the digital economy. On February 1, 2018, the Commission and the European Parliament launched the EU Blockchain Observatory and Forum, and earlier this month, the Commission also unveiled its FinTech Action Plan. The observatory is designed to be a comprehensive repository of blockchain expertise and a source of innovation and development. The action plan will help EU businesses and investors utilize advances offered by blockchain, artificial intelligence and cloud services, as part of the push towards the digital single market. The observatory and the FinTech Action Plan represent a collaborative and thoughtful approach that is appropriate for addressing quickly proliferating and developing technologies in a highly regulated international financial industry. [Source]

CA – Nearly 75% Of Canadian Facebook Users Plan to Change Behaviour in Wake of Controversy

Nearly three-quarters of Facebook users in Canada say they will make some changes to how they use the social-media network after [it was] revealed a U.K.-based consulting firm surreptitiously obtained personal information of 50 million users, according to [a new] Angus Reid poll [see here]. The survey asked 1,500 Canadians what – if any – effect allegations that Cambridge Analytica gathered data from unsuspecting Facebook users will have on their personal use of the social-media platform. Sixty-four per cent of respondents said they will change their privacy settings or use Facebook less in the future, while 10 per cent said they would suspend their account or delete it altogether. The remaining respondents said they would continue to use Facebook as they always have. [The Globe & Mail and at: Global News and CBC News Also See: Worried about online privacy? Here’s how to delete data-mining apps off your Facebook | Victoria mayor deletes Facebook because it ‘rewards anger and outrage’ | Here is how to delete Facebook | What the coverage of #DeleteFacebook is missing]

E-Government

CA – Conservatives, NDP Say They’ve Never Accessed Facebook Profiles to Microtarget Voters, Liberals Point to Privacy Policy

The Hill Times sent each of the major federal parties and the Liberal Research Bureau a series of questions about their methods of collecting data from and about Canadians, including data from Facebook. The Liberal Research Bureau did not respond, and the Liberal Party responded after the deadline for the print edition. Spokespeople for the federal Conservatives and NDP said neither they nor any organizations working on their behalf had ever asked Canadians for access to their Facebook accounts, directly or indirectly, in order to gather information. They said they had never accessed Facebook accounts to collect information on Canadians’ Facebook “friends,” and had never collected information on Canadians that was not provided with consent or already publicly-available, or employed an outside firm to do so. A Liberal Party spokesperson did not definitely answer “yes” or “no” when asked the same questions twice, but did imply that the Liberals had not done so either. Susan Delacourt’s 2016 book Shopping for Votes [see here] revealed how the Liberals used Facebook to help them win the last election, with a tool called The Console using information from Facebook to rank ridings on how winnable they were for the party, and how likely individuals were on a scale of one to 10, to vote Liberal. The Conservatives were the first federal party to develop a database technology, dubbed the Constituent Information Management System (CIMS), in 2004. The Liberals were next to follow in 2008, adopting a voter identification and relationship management system dubbed The Liberalist, which is similar to the Voter Activation Network used by the U.S. Democratic Party. The NDP once used a database system dubbed NDP Vote. Federally, there’s nothing to govern how parties collect, use, or distribute information. 
The Privacy Act only covers government institutions, and the Personal Information Protection and Electronic Documents Act (PIPEDA) only refers to organizations collecting information for commercial purposes. Federal parties have developed their own internal privacy policies, but on top of not being legally binding, they’re not always easy to find online. [Hill Times]

Encryption

US – DOJ Still Seeking Phone Encryption Backdoor

Federal law enforcement officials in the US are renewing their efforts to require technology companies to build tools into devices that would allow access to encrypted information. FBI and the US Department of Justice (DOJ) are meeting with researchers to find a way to allow “extraordinary access” to encrypted devices for law enforcement. [www.nytimes.com: Justice Dept. Revives Push to Mandate a Way to Unlock Phones]

EU Developments

EU – European Council Warns Digital Platforms After Facebook-Cambridge Analytica

The European Council issued a warning to digital platforms in the wake of the Facebook-Cambridge Analytica revelations. In a statement, the group of national leaders said, “Social networks and digital platforms need to guarantee transparent practices and full protection of citizens’ privacy and personal data.” European Council President Donald Tusk said the group “discussed recent developments concerning Facebook and Cambridge Analytica. It was clear to all the leaders that citizens’ privacy and personal data must be protected.” Meanwhile, U.K. Culture Secretary Matt Hancock characterized the revelations as a “turning point” for privacy online. Politico profiles U.K. Information Commissioner Elizabeth Denham, who is leading an investigation into Cambridge Analytica. Mozilla has said it will no longer advertise on Facebook, and in the U.S., the House Energy and Commerce Committee has called on Facebook CEO Mark Zuckerberg to testify at an upcoming hearing. “After committee staff received a briefing from Facebook officials,” said Rep. Frank Pallone Jr., D-N.J., “we felt that many questions were left unanswered.” [Euractiv]

UK – ICO Seeks Comments on Data Protection Impact Assessment Guidance

The ICO has for many years championed the benefits of voluntary Privacy Impact Assessments. The new General Data Protection Regulation (GDPR) formalises this situation by making the use of Data Protection Impact Assessments (DPIAs) a legal requirement in certain circumstances. Controllers will be required to complete a DPIA where their processing is ‘likely to result in a high risk to the rights and freedoms of natural persons’. Our draft DPIA guidance builds on our previous PIA code, with further detail on specific GDPR requirements. This includes a DPIA template, although controllers who anticipate doing lots of DPIAs may wish to consider developing their own. We are seeking comment [from 22 March until 13 April 2018] on the draft guidance published last week, particularly on whether or not it is clear when a DPIA will be necessary. [ICO News blog]

Facts & Stats

US – BakerHostetler Releases 2018 Data Security Incident Response Report

BakerHostetler has released its 2018 Data Security Incident Response Report. The report examines 560 incidents from 2017, including the most common types of attacks, with phishing leading the way at 34%, followed by network intrusion at 19%. Key findings from the study include the uncertainty surrounding the EU General Data Protection Regulation, the need for an increase in multifactor authentication, and the rise in the roles of regulators. “Our goal in publishing this report is to offer practical steps you can take to reduce your risk profile, build resilience, and be better prepared to respond when an incident occurs,” writes BakerHostetler. [BakerHostetler and at: Law360]

Genetics

CA – Ontario Police Need Not Remove DNA Profiles: Court

An Ontario Court reviewed 54 applications under the Human Rights Code alleging discrimination by the Ontario Provincial Police. Although the Police had no ongoing need to retain/use the DNA profiles after the applicants were cleared of the crime for which their samples were taken, the likelihood of use of the DNA profile is highly remote since the samples were listed in a database using a code to which only the investigator had access and there is a legal prohibition to use it except where the DNA donor has been convicted of an offence. [Hosein et al v Ontario – 2018 HRTO 298 – Community Safety and Correctional Services]

Horror Stories

WW – Panera Website Data Leak

The Panera Bread restaurant website was leaking customer data for at least eight months until it was taken offline on Monday, April 2. The compromised data include names, email and physical addresses, birth dates, and the last four numbers of payment cards. The leak affected customers who had signed up for an account to order food online. The data were accessible in part because “Panera Bread uses sequential integers for account IDs.” [krebsonsecurity.com: Panerabread.com Leaks Millions of Customer Records]

CA – Upscale Department Store Payment System Breached

Payment systems at some brick-and-mortar Saks Fifth Avenue and Lord & Taylor department stores have been breached. As many as five million payment card numbers allegedly stolen from the stores’ systems are being offered for sale online. The breach does not appear to affect online transactions. Both stores are owned by The Hudson’s Bay Company, which says that steps have been taken to contain the breach. [www.reuters.com: Saks, Lord & Taylor hit by payment card data breach | www.scmagazine.com: Saks, Lord & Taylor breached, 5 million payment cards likely compromised | www.theregister.co.uk: Hacks Fifth Avenue: Crooks slurp bank cards from luxury chain Saks | www.nytimes.com: Card Data Stolen From 5 Million Saks and Lord & Taylor Customers]

US – Under Armour Breach Affects 150 Million MyFitnessPal Accounts

Under Armour disclosed that its MyFitnessPal app and website had been breached, exposing personal account information of as many as 150 million accounts. The incident occurred in February 2018. The breach did not affect payment account data, as Under Armour processes that information separately. [investor.underarmour.com: Under Armour Notifies MyFitnessPal Users Of Data Security Issue | www.scmagazine.com: Under Armour deftly manages breach, dodges GDPR scrutiny | www.zdnet.com: Under Armour says 150 million MyFitnessPal accounts hit by data breach | threatpost.com: Under Armour Reports Massive Breach of 150 Million MyFitnessPal Accounts]

WW – Orbitz Breach Affects 880,000 Payment Cards

Expedia subsidiary Orbitz has acknowledged that a data breach has compromised personal information associated with as many as 880,000 payment card accounts. The breach affected the company’s consumer platform between January and June 2016, and its partner platform between January 2016 and December 2017. [threatpost.com: Orbitz Warns 880,000 Payment Cards Suspected Stolen | www.scmagazine.com: Orbitz hit with data breach, info on 880,000 payment cards at risk | www.reuters.com: Expedia’s Orbitz says 880,000 payment cards hit in breach]

Identity Issues

IN – A New Data Leak Hits Aadhaar, India’s National ID Database

India’s national ID database, called Aadhaar, which includes biometrics on more than 1.1 billion registered Indian citizens, has been hit by yet another major security lapse. A data leak on a system run by a state-owned utility company Indane allowed anyone to download private information on all Aadhaar holders, exposing their names, their unique 12-digit identity numbers, and information about services they are connected to, such as their bank details and other private information. Karan Saini, a New Delhi-based security researcher who found the vulnerable endpoint, said that anyone with an Aadhaar number is affected. India’s Unique Identification Authority (UIDAI), the government department that administers the Aadhaar database, issued a strong denial. “There is no truth in this story as there has been absolutely no breach of UIDAI’s Aadhaar database. Aadhaar remains safe and secure,” says a portion of the statement, posted to Twitter, which you can read here. Government is currently defending the identity scheme in front of the country’s Supreme Court. Critics have called the database unconstitutional. Enrolling in the database isn’t mandatory [yet], but Indian citizens who aren’t subscribed are unable to access even basic government services. [ZDNet and at: Firstpost, National Herald, Financial Express, Reuters, The National and Times of India Also See: Narendra Modi app shares private data of users with American firm without consent, says cyber expert | ‘Absolutely No Breach Of Aadhaar Database’: Read UIDAI’s Full Statement On Report Of Data Leak | In Aadhaar vs Privacy Debate, Union Minister KJ Alphons’ Argument: ‘Getting Naked Before White Man Not A Problem’ | MoS KJ Alphons slams Aadhaar critics: What’s so private about iris? See also: India – Amid privacy fears, a list of the many apps launched by the Modi government]

Internet of Things

WW – Berlin Group Issues Recommendations for Updating IoT Firmware

The International Working Group on Data Protection in Telecommunications provides recommendations on firmware embedded in Internet of Things devices. The working paper focuses on risks associated with the failure to update the firmware controlling the behaviour of an IoT device. The following devices are excluded from the scope of this paper: desktop PCs, tablets, smartphones, smart TVs, and entertainment systems in connected vehicles. Device manufacturers should inform individuals about procedures to make security updates, consider privacy-friendly default settings, and ensure third-party suppliers support firmware included in components they supply; organizations should document an auditable process for installing firmware updates, and consider testing above and beyond that which was done by the manufacturer. [Working Paper – Updating Firmware of Embedded Systems in the Internet of Things – International Working Group on Data Protection in Telecommunications]

Law Enforcement

US – FBI Did Not Reach Conclusion Before Asking Apple for Help in Encryption Case

A report from U.S. Department of Justice Inspector General Michael Horowitz finds the Federal Bureau of Investigation had not fully come to a conclusion whether it could have opened the phone belonging to the San Bernardino shooter before an attempt to force Apple to do so, The Washington Post reports. Poor communication between FBI units was cited as the reason for the disconnect, while the report corroborated former FBI Director James Comey’s testimony stating the agency could not break into the iPhone in February and March 2016. “The issues identified in this report continue to stress the need for the FBI and other law enforcement to invest internally on processes and procedures,” Access Now U.S. Policy Manager Amie Stepanovich said. [Full Story]

Online Privacy

US – Fordham CLIP releases ‘Privacy in Gaming’ research

Fordham Law School’s Center on Law and Information Policy has released its “Privacy in Gaming” research. The study looks at privacy issues and data collection practices surrounding mobile and console gaming, as well as with virtual reality devices. The research points out the many different ways gaming technology collects data from users, such as through cameras, sensors and other hardware. The conclusions include the enhancement of transparency regarding data collection practices and the need for special attention to be paid when handling the information belonging to children. [Fordham Law School]

CA – Kids Learn to Defend their Data with New Privacy Game

A new game is coming to Canadian classrooms and homes, designed not just to entertain children but also to teach them how to protect their privacy. Data Defenders, produced by the not-for-profit digital literacy organization MediaSmarts, shows kids how ad brokers try to collect their personal information and offers strategies to keep that information private. The online game is accompanied by parent and teacher guides and a lesson plan for grades 4 to 6 that further reinforces privacy learning. All materials, including the game, can be accessed free of charge on the MediaSmarts website at http://mediasmarts.ca/digital-media-literacy/educational-games/data-defenders-grades-4-6. Data Defenders was made possible by financial contributions from the Office of the Privacy Commissioner of Canada. [GlobeNewswire and at: Digital Journal]

WW – Apple Really Wants You to Know It Values Students’ Privacy

At its Chicago event on Tuesday, the company makes a point of emphasizing data privacy in regard to its new educational app Schoolwork. Apple introduced a new way for teachers to hand out assignments and monitor student progress through an app called Schoolwork at its education event in Chicago last week. The Schoolwork app stores student data in the cloud, but the company really wants you to know that keeping this data safe from prying eyes is its No. 1 priority. Privacy is at the forefront of the tech world’s agenda at the moment, following a week of revelations about Facebook user data being harvested without people’s full understanding and therefore consent. Data belonging to children is an even more sensitive topic for many, and a number of toy companies have come under fire in the past for collecting children’s data without permission, or even just not taking security seriously enough. Apple promises it won’t make the same mistakes. “While teachers see each students’ progress information,” said Prescott, “we don’t, and neither can anybody else.” [CNet]

WW – Facebook Launching Privacy Setting System

In response to the Cambridge Analytica revelations, Facebook announced it will launch a centralized system designed to let users control their privacy and security settings. The system will be available to users all around the world and gives users the opportunity to control the information Facebook holds on them, as well as a file to download to see what data Facebook has already collected. Meanwhile, the Cambridge Analytica whistleblower, Christopher Wylie, said the number of people affected by the Facebook revelations is more than the 50 million currently being reported, while New Zealand Privacy Commissioner John Edwards voiced his criticism of the social media site’s handling of personal information. Pew Research Center released a study documenting U.S. citizens’ views toward social media and their privacy. [The New York Times]

WW – Facebook Introduces Central Page for Privacy and Security Settings

The system, which will be introduced to Facebook users globally over the coming weeks [see FB post here], will allow people to change their privacy and security settings from one place rather than having to go to roughly 20 separate sections across the social media platform. From the new page, users can control the personal information the social network keeps on them, such as their political preferences or interests, and download and review a file of data Facebook has collected about them. Facebook also will clarify what types of apps people are currently using and what permissions those apps have to gather their information. Facebook began developing the centralized system last year but sped it up after revelations that a British political consulting firm, Cambridge Analytica, improperly harvested the information of 50 million users of the social network. [NY Times and at: The Guardian, The Verge, Ars Technica and Financial Times See also: Here’s a Long List of Data Broker Sites and How to Opt-Out of Them | Google: Balancing rights and the right to be forgotten]

WW – Security Flaws Found Within Grindr Dating App

A cybersecurity professional discovered a pair of security issues with the Grindr dating app. Atlas Lane CEO Trever Faden set up a website where users could find out who blocked them on Grindr by entering their usernames and passwords, after which Faden could see user data, including email addresses, deleted photos and location data, even if the user opted out of sharing their location. Faden also discovered portions of user data are not protected, allowing anyone observing web traffic to see where a person is located when they open the app. Grindr said in a statement it has worked to patch the vulnerabilities. [NBC News]

Privacy (US)

US – FTC Confirms Investigation into Facebook Privacy Practices; Senate Committee Calls on Zuckerberg to Testify

The U.S. FTC announced that it had opened a non-public investigation into Facebook following media reports that it said raise “substantial concerns about the privacy practices” of the company. Also on Monday, the chairman for the Senate Judiciary Committee announced [see here] it had summoned Zuckerberg to testify before Congress on data privacy. The chairman, Chuck Grassley (R-Iowa), said Google CEO Sundar Pichai and Twitter CEO Jack Dorsey were also called to testify at the hearing, which is scheduled for April 10. Additionally on Monday, a bipartisan group of 37 state attorneys general sent a letter [see PR here & 4 pg PDF letter here] to Facebook inquiring about the company’s role in Cambridge Analytica’s activities and how this would affect the protection of data in the future. [The Knife Media and at: Facebook Draws Scrutiny From FTC, Congressional Committees and at: The New York Times, Bloomberg & PBS NewsHour also see: Mark Zuckerberg has decided to testify before Congress | Zuckerberg will reportedly face the music before Congress instead of sending his deputies | Watch out, Zuckerberg — Congress is a trap | State Attorneys General Asked Facebook These 7 Questions About Cambridge Analytica | Dozens of US states are demanding answers from Facebook over the Cambridge Analytica scandal | State attorneys general send letter to Zuckerberg over data scandal | Facebook’s privacy practices are under investigation, FTC confirms | The Verge, BBC News, ZDNet and Forbes | Facebook scraped call, text message data for years from Android phones and at Global News, BetaNews, Android Central, CNET and Reuters]

US – State Attorneys General Advocate Continuing State Leadership in Privacy Enforcement, Denounce Federal Preemption of State Breach and Security Laws

A coalition of 32 attorneys general wrote a bipartisan letter [see 6 pg PDF here] on March 19, 2018, to the U.S. House of Representatives Committee on Financial Services and the Subcommittee on Financial Institutions and Consumer Credit regarding the proposed Data Acquisition and Technology Accountability and Security Act [see 34 pg PDF here], a draft bill introduced in the House last month. They are concerned that the bill, among other things, places consumer reporting agencies and financial institutions out of the reach of state enforcement. The AGs argue that the states have consistently proven themselves capable of rapidly and effectively responding to and protecting consumers at the state level through their own laws. The letter points out three key shortcomings of the Act beyond the preemption of state laws: (1) it allows entities themselves to judge whether to notify consumers of a breach, which reduces the transparency afforded by state notification requirements; (2) it allows entities that decide to notify consumers to notify after the harm has already occurred, preventing the opportunity consumers currently have under state law to take proactive steps upon timely notification; and (3) it addresses breaches that affect 5,000 or more consumers, leaving attorneys general without the ability to redress the majority of breaches affecting consumers today that do not occur on a national scale. [Source and at: The Clarion-Ledger and at Divonne Smoyer, Kimberly Chow & Kelley Chittenden – and see also Workplace Privacy Report: South Dakota: The 49th State to Enact a Data Breach Notification Law and: Data Privacy Monitor (BakerHostetler) and Oregon Strengthens Consumer Protections in Wake of Data Breaches]

US – FPF, Nymity Release Legitimate Interest Report

The Future of Privacy Forum and Nymity collaborated to release a report on legitimate interest. The two organizations gathered cases from national data protection authorities and guidance from the Article 29 Working Party to detail how legitimate interest can be used as a lawful method for processing data under European Union data protection law. The 40 cases detailed the data-processing activities from more than 15 countries, including disclosing health data for litigation purposes, recording employee misconduct and research purposes, using GPS data for private investigations, and sending emails without consent for political purposes. [Full Story]

US – NY AG Penalizes Health Plan for Disclosure of Social Security Numbers

New York Attorney General Eric T. Schneiderman announced [March 6] a $575,000 settlement with EmblemHealth [see here] and its subsidiary, Group Health Incorporated, (together, “EmblemHealth”) after EmblemHealth admitted a mailing error that resulted in the disclosure of 81,122 social security numbers. EmblemHealth is one of the largest health plans in the United States. The settlement agreement also obligates EmblemHealth to implement a Corrective Action Plan and conduct a comprehensive risk assessment of security risks associated with the mailing of policy documents to policyholders. EmblemHealth must also review and revise its policies and procedures based on the results of said risk assessment. EmblemHealth is also tasked with cataloguing, reviewing, and monitoring its mailings. [DBR on Data and at: Becker’s ASC Review and HealthITSecurity]

Security

EU – IAPP and OneTrust map ISO 27001 to the GDPR

According to the International Standards Organization, in 2016 more than 33,000 organizations globally held certification to the ISO 27001 standard, which relates to information security management systems and security controls. That same year, the European Union’s General Data Protection Regulation was finalized, launching a two-year scramble for compliance by May 25, 2018, for companies of all sizes around the world. Noting the significant common ground between the GDPR and ISO 27001 requirements, the IAPP and OneTrust have endeavored to map these two risk-focused documents to each other, demonstrating the overlap in both principles and requirements as part of a significant new piece of research being released for the first time here at the Summit. [Read More]

UK – UK Issues 4-Phase Defensive Approach on Phishing

The UK National Cyber Security Centre has issued guidance on phishing. An effective multi-layer approach includes making it difficult for attackers to reach users (anti-spoofing controls), helping users identify and report suspected phishing emails (employee training), protecting the organization from the effects of undetected phishing emails (2-factor authentication), and responding quickly to incidents (incident response plan). A company was able to reduce 1,500 phishing emails to only 1 instance of malware installation. [National Cyber Security Centre, United Kingdom – Phishing Attacks: Defending Your Organisation | Infograph | Case Study]

Surveillance

WW – Tooth-Mounted Sensor Can Track Food Intake

Tufts University scientists have created a device designed to attach to a person’s tooth in order to monitor what they eat and drink. The device is similar to a Fitbit and can track glucose, salt and alcohol intake, with the scientists hoping to examine other “nutrients, chemicals and physiological states.” “If you are somebody with an eating disorder, it could be a checkpoint that monitors your diet a little more closely, or it could be an early detection for disease,” Tufts Professor of Biomedical Engineering Fiorenzo Omenetto said. “It’s a nice way to monitor these things because you have unusual access to these fluids.” [New York Post]

Telecom / TV

WW – Facebook Scraped Call, Text Message Data for Years from Android Phones

This past week, a New Zealand man was looking through the data Facebook had collected from him in an archive he had pulled down from the social networking site. While scanning the information Facebook had stored about his contacts, Dylan McKay discovered something distressing [see here]: Facebook also had about two years’ worth of phone call metadata from his Android phone, including names, phone numbers, and the length of each call made or received. [see Facebook response here] If you granted permission to read contacts during Facebook’s installation on Android a few versions ago—specifically before Android 4.1 (Jelly Bean)—that permission also granted Facebook access to call and message logs by default. The permission structure was changed in the Android API in version 16. But Android applications could bypass this change if they were written to earlier versions of the API, so Facebook API could continue to gain access to call and SMS data by specifying an earlier Android SDK version. Google deprecated version 4.0 of the Android API in October 2017—the point at which the latest call metadata in Facebook users’ data was found. Apple iOS has never allowed silent access to call data. Facebook provides a way for users to purge collected contact data from their accounts, but it’s not clear if this deletes just contacts or if it also purges call and SMS metadata. [Ars Technica and at: Global News, BetaNews, Android Central, CNET and Reuters, Facebook logged phone records from Android users with older devices: reports]

US Government Programs

US – 14.7 Million Visitors to U.S. Could Face Social Media Screening

Nearly all applicants for a visa to enter the United States — an estimated 14.7 million people a year — will be asked to submit their social-media user names for the past five years, under proposed rules that the State Department issued last week. The proposal covers about 20 social media platforms. Most of them are based in the United States: Facebook, Flickr, Google+, Instagram, LinkedIn, Myspace, Pinterest, Reddit, Snapchat, Tumblr, Twitter, Vine and YouTube. But several are based overseas: the Chinese sites Douban, QQ, Sina Weibo, Tencent Weibo and Youku; the Russian social network VK; Twoo, which was created in Belgium; and Ask.fm, a question-and-answer platform based in Latvia. As news of the proposal emerged Friday, so did criticism. “This attempt to collect a massive amount of information on the social media activity of millions of visa applicants is yet another ineffective and deeply problematic Trump administration plan,” said Hina Shamsi, director of the ACLU’s National Security Project. “It will infringe on the rights of immigrants and U.S. citizens by chilling freedom of speech and association, particularly because people will now have to wonder if what they say online will be misconstrued or misunderstood by a government official.” [Toronto Star]

US Legislation

US – CLOUD Act Becomes Law, Increases Government Access to Online Info

The federal spending bill [read the 2232 pg document here] signed by US President Donald Trump on Friday does more than fund the budget. It also makes it easier for law enforcement agencies to demand access to online information no matter what country the data is stored in. Lawmakers added the CLOUD Act [32 pg PDF here], which stands for Clarifying Lawful Overseas Use of Data Act, to the spending bill before the final House and Senate votes Thursday. It updates the rules for criminal investigators who want to see emails, documents and other communications stored on the internet. Now law enforcement won’t be blocked from accessing someone’s Outlook account, for example, just because Microsoft happens to store the user’s email on servers in Ireland. The law also lets the US enter into agreements to send information from US servers to criminal investigators in other countries with limited case-by-case review of requests. Privacy advocates at groups like the ACLU [see here] and the Electronic Frontier Foundation [see here] criticized the change, saying it lets law enforcement bypass constitutional protections against unreasonable searches. It also could lead the US to send user data to police in countries known for abusing the human rights of their citizens, they argue. [CNET and at: Android Central, Bitsonline, Engadget, SC Magazine, Top Tech News, Just Security and TechTarget and also As the CLOUD Act sneaks into the omnibus, big tech butts heads with privacy advocates and at: Reuters, Forbes, Beebom, Slate Magazine and New Media and Technology Law Blog (Proskauer) and see also: Congress Could Sneak a Bill Threatening Global Privacy Into Law and at: Eurasia Review | Why the CLOUD Act is Good for Privacy and Human Rights and at EFF blog here & here and CLOUD Act passing likely means end to US v. Microsoft case]

Workplace Privacy

UK – ‘Vicarious Liability’ Breach Case May Have Big Consequences

The High Court of England and Wales, in December 2017, held a company “vicariously liable” for a deliberate data breach carried out by a disgruntled employee. In retaliation for a warning, an employee of supermarket chain owner Wm Morrison posted to the internet the personal data of approximately 100,000 of its employees. Marc Stauch, a research associate at Leibniz Universität Hannover, offers an analysis of Various Claimants v. Wm Morrisons, in which affected employees seek compensation from the company for distress due to the breach. In the case, the court cleared Morrisons of primary liability for the breach but determined that “just as an employer takes the benefits from the activities of his employees, so too should he take the risks of the employee wrongfully performing his duties and injuring others,” Stauch writes. [Full Story]

CA – Right-to-Disconnect Talk Picks Up as Popularity of Workplace Messaging Apps Rises

There’s growing chatter in North America about adopting right-to-disconnect laws to free workers from being tethered to their phones around the clock, but some labour experts say that while the digital demands of work in the 21st century need to be openly discussed, rigid regulations and fines may not be the solution. Last week, a New York councilman proposed making it illegal to force employees to access “work-related electronic communications” from home, with some exceptions including emergency situations. Companies would have to draft written policies spelling out the hours of work and time off, and employers would not be allowed to threaten penalties against anyone who refused to check their email or work-related social networks off-hours. Québec solidaire’s Gabriel Nadeau-Dubois also tabled a private member’s bill in the Quebec national assembly last week that aims to “ensure that employee rest periods are respected by requiring employers to adopt an after-hours disconnection policy.” The proposal calls for fines of between $1,000 and $30,000 for companies that refuse to draft a proper policy, or reassess it annually to ensure it remains up to date and effective. The federal government has also signalled its interest in exploring the right-to-disconnect trend, which made headlines last year when France enacted its own legislation to help protect the free time of its workforce. As part of its public consultation earlier this year on how “labour standards should be updated to better reflect and respond to the new reality” of evolving workplaces, Employment and Social Development Canada released an online survey that included several questions about right-to-disconnect policies. One of the questions asked whether right-to-disconnect regulations should be one of the government’s “most important” labour issues. [CityNews]

 

+++

19-26 March 2018

Biometrics

WW – Businesses to Incorporate Biometric Authentication as Security Feature

There is a growing trend among businesses to incorporate biometric data into security settings, rather than relying solely on the use of passwords. Alex Simons, director of program management in Microsoft’s identity division, said, “Passwords are the weak link. They have terrible characteristics about them, and they’re hard for you to keep track of,” adding, “Passwords are also super expensive for companies.” Spiceworks, a professional network for the IT industry, reports that by 2020, the use of biometric authentication will grow to encompass 90% of businesses, up from the current 62%. Laws restricting the collection and use of biometric data are beginning to emerge, with Illinois and Texas both passing state laws, and the EU General Data Protection Regulation set to introduce consent requirements this May. [CNN Money]

US – Biometrics: Lawsuit Against Social Network to Proceed

A California Court considered a consolidated class action alleging Facebook’s practices violate Illinois’ Biometric Information Privacy Act. The court ruled that Plaintiffs adequately plead a concrete injury because Illinois’ biometric legislation provides them with a right to privacy in their biometric information, which requires their notice and consent. [Nimesh Patel et al. v. Facebook, Inc. – 2018 U.S. Dist. LEXIS 30727 – United States District Court For The Northern District Of California]

Big Data / Data Analytics / Artificial Intelligence

UK – Uber Releases Anonymized Data to Aid City Planning

In the aftermath of Transport for London’s finding that Uber is not “fit and proper” to operate as a taxi service, the company has announced several changes to its business model, including a move that will provide anonymized data of its operations. While Uber is appealing the finding, it has also introduced a 24/7 telephone support line and begun proactively reporting serious incidents to the police. Fred Jones, Uber’s head of U.K. cities, said the company is also responding to feedback that access to aggregated ride data would be helpful for city planning, adding “…we want to be a better partner to city planners and regulators, so we hope this data will help give them valuable insights for the future.” [Reuters]

Canada

CA – Therrien to Take Part in RTBF Symposium

Privacy Commissioner of Canada Daniel Therrien will take part in a half-day symposium in Toronto April 4 examining the “right to be forgotten” making its way into the country. Privacy professionals, journalists and tech leaders will discuss the ways the right to be forgotten will affect Canada and whether the country should embrace the rule. Speakers for the symposium include Canada Post Compliance and Chief Privacy Officer Amanda Maltby, Google Global Privacy Counsel Peter Fleischer, McInnes Cooper Partner David Fraser, and University of Ottawa Law Professor Michael Geist. [Full Story]

CA – B.C. Landlords’ Systemic Invasion of Renters’ Privacy Has to Stop

With near-zero vacancy rates in Vancouver and other cities around B.C., landlords are routinely asking for and getting more personal information than they have a legal right to. Some applicants have been asked whether they might get pregnant within the next year. Others are required to complete behavioural questionnaires, submit to credit checks, or provide three months’ worth of bank statements, according to a report by Drew McArthur, B.C.’s privacy commissioner, released last week. One of the 13 landlords investigated even asked applicants if he could inspect their current homes to determine whether he would rent to them. Another demanded to see an applicant’s child’s report card. Once they’ve collected all this information, few landlords have any policy or plan about what to do with it. But all of this is illegal. Even social media and internet searches are illegal. The interpretation of the Personal Information Privacy Act’s section on “publicly available” sources of information seems quaint to the point of foolishness. Regardless, McArthur says it has to stop. But his 39-page report with its 13 recommendations — including to not do those internet searches — is more educational and explanatory than punitive or threatening. [Vancouver Sun and at: BCLocalNews, The Globe and Mail, CBC News and The Canadian Press (via The Province) see also: Digital tool for landlords measures potential tenants’ kindness, cleanliness and Probe launched into B.C. landlords’ demands for sensitive information Read PR here (August 2017)]

CA – OPC Decries ‘Gap’ in Law for Political Parties Handling Personal Info

The fact that political parties are excluded from federal laws on handling personal information — such as social media data — amounts to “an important gap” that could jeopardize the integrity of the electoral process, Canada’s privacy czar says. There should be a law governing the use of personal data by parties to prevent manipulation of the information to influence an election, said privacy commissioner Daniel Therrien. “From a privacy perspective, personal information is unregulated with respect to political parties, so that’s clearly not a good thing.” Neither of the two federal privacy statutes — one for government institutions, the other for private-sector organizations — covers political parties. Therrien’s comments come as he begins investigating the alleged unauthorized use of some 50 million Facebook profiles — possibly including those of Canadians — by Cambridge Analytica, a firm accused of helping crunch data for Donald Trump’s presidential campaign. This week’s events have shown that weak privacy safeguards can have serious effects that go beyond the commercial realm, potentially distorting democracy, Therrien said. “It’s a wake up call, frankly, if not a crisis in confidence.” [CTV News and at: The Globe and Mail See also: Liberals awarded $100,000 contract to man at centre of Facebook data controversy | Canada’s privacy watchdog launches investigation into Facebook after allegations of data leak]

CA – BC Hydro Handing Customer Information to Police Without Warrants

BC Hydro gave police the electricity bills of 3,500 to 5,000 customers per year without a warrant up until 2014. But shifting priorities — and perhaps the promise of marijuana legalization by the new federal government in 2015 — have led to a plunge in police requests for power bills. Since 2014, police requests for BC Hydro bills — usually to identify a marijuana grow op — have fallen 90% to 300 to 500 per year, said BC Hydro. Grow ops and hydro theft were a larger concern in past years. In 2010, BC Hydro said it was losing $100 million a year to grow ops that bypassed meters to avoid detection. The Crown corporation now says its revenues from known grow ops — still illegal — are worth $50 million a year. BC Hydro still hands over customer information to police, including power use, without requiring a warrant. [The Tyee]

CA – Ontario Says Tribunals Should Not Be as Open as Courts

Ontario’s quasi-judicial tribunals are not courts and should not be subject to the same principles of openness when it comes to their records, the province argued in a court filing. Responding to a constitutional challenge from the Toronto Star that calls on Ontario’s various administrative tribunals — such as the Landlord and Tenant Board, and the Ontario Municipal Board, among others — to disclose hearing records as readily as courts do, the province’s lawyers said that while openness and transparency are “important features” of tribunals and the hearings themselves are typically open to the public, the right to access documents related to those hearings must be balanced against privacy concerns. The Star launched its legal challenge against the province last year in an effort to gain faster and fuller access to documents the paper argues are a matter of public interest. While reporters can attend and report on what happens at the tribunals’ public hearings, obtaining documents related to those hearings after they occur is inconsistent, onerous and often significantly delayed, the Star has argued. Unlike courts, some of Ontario’s tribunals require members of the public, including the media, to file formal freedom of information requests in order to access documents related to a case. The province argues that tribunals do not require the same public scrutiny as courts because they are created by government legislation and subject to government oversight. [The Star]

CA – Some Advice to the Minister on How to Improve the BC FOIPPA

B.C.’s minister for citizens’ services has invited members of the public to offer their views on our provincial freedom-of-information and privacy legislation [Freedom of Information and Protection of Privacy Act (FOIPPA) see text here & IPC overview here]. The legislation as it stands is frequently ambiguous, occasionally unintelligible, and an invitation to a game of hide and seek. It enables various public bodies to withhold information that by any reasonable standard should be made available. It has become common practice for public agencies such as health authorities or government ministries to withhold the names of employees dismissed for cause. The justification invariably given is the need to preserve “privacy.” But what right to privacy does an employee possess who has committed a breach of duty sufficient to get fired? There is a valid public interest in knowing this person’s identity, particularly on the part of future employers who are entitled to know who they might be hiring. Here is the nub of the problem. The commissioner has the authority to investigate spurious claims of privacy, but uses it only rarely. That creates an incentive, both for politicians and bureaucrats, to hide their dirty linen. My advice to the minister is simple. Ask the commissioner to spell out in plain language the rules that govern legitimate claims of privacy. Demand also a list of specific instances in which a claim of privacy would not be valid. (Previous commissioners, to be fair, have asked the legislature to clean up the existing muddle, and gone unheard.) And, if need be, rewrite the statutes to introduce greater clarity. [The (Victoria) Times Colonist]

CA – BC Privacy Law & Disclosing Private Info in A Civil Case

Disclosing a Litigant’s Private Information during Judicial Proceedings is not a Privacy Breach. It has long been settled that in civil actions, the public interest in getting at the truth will, absent special circumstances, trump the litigants’ right to privacy. In fact, the introduction of legal proceedings allows the parties, at the discovery stage, to probe into each other’s files and force the disclosure of otherwise confidential information, including private information, for the purpose of verifying the allegations of the parties. Relevant evidence thusly compelled is a permissible invasion of privacy based on the condition that it is solely used in the ongoing matter, for instance, as evidence at trial. But what about a litigant’s private information acquired by an opponent outside pre-trial discovery? Would the disclosure of this information by the opponent in support of their pleadings amount to an actionable breach of privacy against themselves or their counsel? Not under the Privacy Act of British Columbia, according to the BC Court of Appeal in Duncan v. Lessing, 2018 BCCA 9. The immediate implication of Duncan is to relieve counsels and litigants, at least in BC, from the fear that, in advocating their cause and mounting their case, they expose themselves to privacy breach claims from their opponent or third parties. Although not binding in the rest of the country, Duncan will most likely be taken into account in jurisdictions whose privacy legislation contains similar provisions. [CyberLex Blog (McCarthy Tétrault) See also: Truth, Privacy and the Public Interest in Securing Justice | BCCA – No privacy claim against lawyer | BCSC dismisses privacy claim against lawyer ]

CA – B.C. Court Re-examines Google Takedown Order in Light of U.S. Ruling

Last year’s Supreme Court of Canada Google v. Equustek case, which upheld a B.C. court’s global takedown order, continues to play out in the courts. The Supreme Court decision noted that it was open to Google to raise potential conflict of laws with the B.C. court in the hopes of varying the order: “If Google has evidence that complying with such an injunction would require it to violate the laws of another jurisdiction”. Google thus argued in U.S. courts that “the Canadian order is ‘unenforceable in the United States because it directly conflicts with the First Amendment, disregards the Communication Decency Act’s immunity for interactive service providers [see wiki here & EFF take here], and violates principles of international comity.’” A U.S. court agreed [see 6 pg PDF here], noting that CDA immunity protections would be lost as a result of the Canadian court order. In doing so, the court concluded that the order “threatens free speech on the global internet.” In early March the case shifted back to Canada with Google seeking to vacate or vary the takedown order in light of the U.S. ruling. The judge confirmed that the hearing should go ahead in light of the U.S. ruling and the Supreme Court’s invitation to seek a variance … The court notably agreed that the case now engages core values of freedom of expression and comity. [Geist and at: Barry Sookman Blog, Social Media Law Bulletin, Deeth Williams Wall Blog, Vancouver Sun and Motherboard]

Consumer

US – US Consumers Feel Companies Are Not Doing Enough to Protect Data

The free flow of data may be coming to an end due to security concerns, according to Deloitte’s Digital Media Trends Survey. It found 69% of consumers believe that companies aren’t doing everything they can to protect data. But 73% of consumers say they’d share data if they had visibility and control over it. Another wrinkle is that 93% of U.S. consumers believe they should be able to delete their online data when they want. The Deloitte survey data was collected from 2,088 consumers in November 2017. [ZDNet and at: Los Angeles Times, Variety and Recode]

E-Government

US – More States Adopting Auditable Paper Trails to Safeguard Election Reliability

US states are taking steps to make sure that their voting systems provide an auditable paper trail. Currently, there are five states that use only direct recording electronic voting machines (DREs), which do not include a paper trail. Other states have a mix of systems. While some states are moving quickly to make changes, others are incorporating the changes into the lifecycle of current equipment and may not have their auditable systems in place until 2020 or later. Two states, Colorado and Rhode Island, use entirely paper-based voting systems and both require post election risk-limiting audits. [www.cyberscoop.com: Spooked by election hacking, states are moving to paper ballots]

EU Developments

EU – European Data Protection Supervisor Presents 2017 Annual Report

On March 20, Giovanni Buttarelli, European Data Protection Supervisor (EDPS) presented his 2017 Annual Report to the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) [see here & wiki here]. In the EDPS Strategy 2015-2019, Buttarelli set out three goals and an action plan to help the EU lead by example in the global dialogue on data protection and privacy in the digital age. Buttarelli confirmed the plans for new cloud computing guidance in his newly published annual report for 2017. New guidelines on IT governance and management will also be issued by the supervisor in 2018, according to the report. Another “main objective” for 2018 is preparing for the European Data Protection Board (EDPB) [see here] to become operational. The EDPB will replace the existing Article 29 Working Party as a regulatory body under the EU’s General Data Protection Regulation (GDPR) when the GDPR begins to apply on 25 May. It also promised to provide “targeted input where appropriate” to the continuing development of the proposed new EU regulation on privacy and electronic communications (e-Privacy). [EDPS | Out-Law]

EU – EDPS Releases Cloud Computing Guidelines

The European Data Protection Supervisor has released guidelines on the best ways for European institutions and bodies to use cloud-computing services. The guidelines are designed to help assess and manage the data protection and privacy risks entities may face when personal data is processed by cloud-based services. The guidelines highlight the relevant provisions related to the EU General Data Protection Regulation and focus on several topics, including assessments on whether cloud computing is an appropriate option, determining the proper cloud-computing option by examining and considering data protection requirements, and relevant organizational and technical safeguards. [EDPS]

EU – Reaction to Children’s Data Processing Requirements in GDPR

The Centre for Information Policy Leadership has published recommendations for processing children’s personal data under the GDPR. The think tank notes that parental consent is not the only legal basis for processing by information society services (contractual necessity or legitimate interests can apply), organisations should not have to create standard and child-friendly notices (they should cater to a general audience), and advertising to a child is not automatically a high-risk processing activity (it is a common, expected activity that can be based on legitimate interest). [GDPR Implementation In Respect of Children’s Data and Consent – CIPL]

Finance

CA – Royal Bank Offers Info to Help Create Data-Sharing Portals

The Royal Bank is allowing external software developers to access banking data in order to create a portal allowing customers to share their information. The move is a step toward “open banking,” where startups and developers have the ability to create apps using bank data. Royal Bank is currently offering application programming interface portals based on several different types of information, including credit card rates and fees and minimum down payments for buying a home. The portals are only using public information, but with open banking, the goal would be to eventually have customers share their personal banking data. [Financial Post]

US – Americans Spent $1.4B on Credit Freeze Fees in Wake of Equifax Breach

Almost 20% of Americans froze their credit file with one or more of the big three credit bureaus in the wake of last year’s data breach at Equifax, costing consumers an estimated $1.4 billion, according to a new study. The findings come as lawmakers in Congress are debating legislation that would make credit freezes free in every state. The figures, commissioned by small business loan provider Fundera and conducted by Wakefield Research, surveyed some 1,000 adults in the U.S. Respondents were asked to self-report how much they spent on the freezes; 32% said the freezes cost them $10 or less, but 38% said the total cost was $30 or more. The average cost to consumers who froze their credit after the Equifax breach was $23. Curious about what a freeze involves, how to file one, and other options aside from the credit freeze? Check out this in-depth Q&A that KrebsOnSecurity published not long after the Equifax breach. [Krebs and at: International Business Times, FinancialBuzz and ConsumerAffairs]

Health / Medical

CA – Paper Documents in Hospitals Not Always Properly Destroyed: Study

Dr. Nancy Baxter, the chief of general surgery at St. Michael’s Hospital, Toronto, has just published a new research letter in JAMA [see “Disposal of Paper Records Containing Personal Information in Hospitals”] that finds that while all patients have the right to expect their personal health information will be kept safe in hospital, that doesn’t always happen. Baxter and a team of researchers rifled through the recycling bins at five Toronto hospitals to see what got left behind. Among that half tonne of paper bound for recycling [591.6 kilograms of papers from emergency departments, intensive care units, hospital clinics and physician offices] were 2,687 documents containing personal information that should have been shredded. Of those items, 802 were documents with low sensitivity, 843 with medium, and 1,042 with high sensitivity. Though sensitive documents were found in recycling bins of all areas of all five hospitals, most of the items – 1,449 of them — came from physicians’ offices. Ontario’s privacy commissioner Brian Beamish reviewed the study and says it is a good reminder that even though there is a move towards electronic medical records, there are still lots of paper medical records out there that need to be disposed of securely. [CTV News at: The Canadian Press (via CBC)]

CA – BC Public Starved for Details When Health Professionals Misbehave

When it comes to the misbehaviour of healthcare professionals, it’s sometimes a maddening process for regular British Columbians to find thorough information about how serious and widespread the offences were. The 23 professional colleges that regulate health workers in B.C. take inconsistent approaches to how much information they reveal in disciplinary decisions. And for anyone who wants to know more, the process for filing a Freedom of Information request can be frustratingly opaque. Unfortunately, the lack of information from many of these colleges leaves the public in the dark on the details we need to make critical decisions about our healthcare. For Mike Larsen, president of the Freedom of Information and Privacy Association, public discipline notices from many colleges look more like press releases than genuine efforts to keep people informed. “I don’t think, and FIPA doesn’t think, they’re doing as good a job as they could be,” Larsen said. [CBC News and at: CBC News and The Vancouver Sun]

CA – No Access to Deceased Spouse’s Medical Records

The BC OIPC reviewed a decision by St. Paul’s Hospital to deny access to records requested, pursuant to the Freedom of Information and Protection of Privacy Act. A BC hospital correctly denied an individual access to her deceased husband’s medical records; the request for access was not made on behalf of the deceased individual (it was for use in legal action against the deceased’s daughter), and personal privacy rights continue for at least 20 years after death. [OIPC BC – Order F18-08 – St. Paul’s Hospital]

Horror Stories

US – Facebook Draws Scrutiny from FTC, Congressional Committees

Facebook Inc. is drawing scrutiny from the U.S. Federal Trade Commission and half a dozen congressional committees over how the personal data of 50 million users was obtained by data analytics firm Cambridge Analytica [see here & wiki here] — [Note: This is in addition to the UK Electoral Commission here, the UK OPC here, the Canadian Privacy Commissioner here & here, and the Irish Data Protection Commissioner here] The FTC is probing whether Facebook violated terms of a 2011 consent decree [see FTC post here & here] over handling of personal user data that was transferred to Cambridge Analytica without users’ knowledge. The FTC could fine the company into the millions of dollars if it finds Facebook violated the 2011 agreement — [it has the power to fine the company more than $40,000 a day per violation]. Facebook previously said in a statement it rejects “any suggestion of violation of the consent decree.” New York State Attorney General Eric Schneiderman announced that he and Massachusetts Attorney General Maura Healey had sent a demand letter to Facebook as part of a joint probe stemming from the fallout. Connecticut Attorney General George Jepsen announced his own probe. In addition to the briefings, Senator Mark Warner of Virginia, the top Democrat on the Senate Intelligence Committee, said he wants to hear testimony from Facebook Chief Executive Officer Mark Zuckerberg, as well as Twitter Inc. CEO Jack Dorsey. Senator Richard Burr of North Carolina, chairman of the Intelligence Committee, said any decision about calling Zuckerberg to appear before the panel is farther off.
[Bloomberg and at: The New York Times, Bloomberg & PBS NewsHour See also: Top EU privacy watchdog calls Facebook data allegations the ‘scandal of the century’ | Cambridge Analytica revelations are only ‘tip of the iceberg’, warns EU data protection chief | Irish Data Protection Commissioner to probe Facebook’s ‘oversight’ of political targeting on the platform | Facebook Has a Long History of Resolving Privacy Claims on the Cheap | Facebook needed third-party apps to grow. Now it’s left with a privacy crisis | A Facebook shareholder launched a lawsuit against the social network over the Cambridge Analytica scandal | ‘It just felt right’: David Carroll on suing Cambridge Analytica | Facebook Besieged by Wall Street, Washington and Europe | Cambridge Analytica CEO suspended as data scandal grows | Facebook data scandal: Canadian whistleblower was axed by Liberals over data harvesting ideas | A grossly unethical experiment’: Canadian whistleblower at centre of Facebook data breach scandal | Facebook loses control of 50 million users’ data, suspends analytics firm | Cambridge Analytica’s Ad Targeting Is the Reason Facebook Exists | Facebook privacy flaw was flagged with Irish regulator in 2011 | Why We’re Not Calling the Cambridge Analytica Story a ‘Data Breach’ | Canada’s privacy watchdog asks Facebook for info on data misuse that raises ‘serious concerns’ and at: MobileSyrup, CTV News, Global News, The Globe and Mail, National Post] Facebook suspends Cambridge Analytica, SCL, says data shared with third parties violated platform policies at: Reuters, The Wall Street Journal, The Guardian, The New York Times, and USA Today | Facebook may have broken FTC deal in Cambridge Analytica incident | Facebook on Defensive as Cambridge Case Exposes Data Flaw]

WW – Cambridge Analytica Facing Investigations After Revelation of Facebook Data Harvesting

Cambridge Analytica allegedly gathered data illegally from 50 million Facebook users through an online quiz and used them to serve targeted advertisements aimed at discrediting Hillary Clinton and promoting Trump’s presidential campaign. The UK’s Information Commissioner and the Massachusetts attorney general have launched investigations. Wikipedia describes Cambridge Analytica as “a privately held company that combines data mining and data analysis with strategic communication for the electoral process.” [Read more in: www.bbc.com: Cambridge Analytica: Warrant sought to inspect company | www.theregister.co.uk: BOOM! Cambridge Analytica explodes following extraordinary TV expose | www.scmagazine.com: Probes launched after Facebook boots professor, Cambridge Analytica for harvesting info on 50M Americans without permission | www.zdnet.com: How Cambridge Analytica used your Facebook data to help elect Trump | www.nytimes.com: Cambridge Analytica, Trump-Tied Political Firm, Offered to Entrap Politicians | www.washingtonpost.com: Cambridge Analytica CEO appears to talk about using bribes and sex workers to sway elections on secretly recorded news video | www.wired.com: Cambridge Analytica Execs Caught Discussing Extortion And Fake News]

US – Former Equifax Exec Facing Insider Trading Charges

Former Equifax CIO Jun Ying is facing insider trading charges from both the US Securities and Exchange Commission (SEC) and the Department of Justice. The charges allege that Ying exercised company stock options worth nearly $1 million USD before news of the company’s massive breach became public. [www.justice.gov: Former Equifax employee indicted for insider trading | www.sec.gov: Former Equifax Executive Charged With Insider Trading | www.scmagazine.com: SEC charges former Equifax U.S. CIO with insider trading related to data breach | www.zdnet.com: Former Equifax executive charged with insider trading after data breach | arstechnica.com: Senior ex-Equifax executive charged with insider trading | www.cyberscoop.com: Former Equifax executive charged with insider trading after mega breach]

Identity Issues

US – FTC Announces Blockchain Working Group

Following the FTC’s lawsuit against four individuals who allegedly promoted deceptive cryptocurrency schemes, Neil Chilson, the FTC’s acting chief technologist, announced that an internal Blockchain Working Group has been organized to protect consumers and promote competition in light of cryptocurrency and blockchain developments. “Fraudsters often attempt to capitalize on the excitement and confusion around hot new technologies, and they are quick to dress up old schemes in the clothes of the latest and greatest innovations,” Chilson wrote. “I expect that fraudsters will repurpose old schemes to capitalize on the current glamour and mystery of cryptocurrency.” The goals of the working group will include building upon staff expertise, facilitating communication and coordination of enforcement actions, and serving as an “internal forum for brainstorming potential impacts on the FTC’s dual missions and how to address those impacts.” [Full Story]

EU – Blockchain Observatory and Forum Calls for Contributors

The EU Blockchain Observatory and Forum is calling for contributors to participate in two Working Groups it hopes to establish. Contributors can join the Blockchain Policy and Framework Conditions Working Group, which will look to establish the proper policy, legal and regulatory conditions needed to assist in the deployment of blockchain applications, and the Use Cases and Transition Scenarios Working Group, which will focus on public sector use cases for blockchain, including for health care, energy and environmental reporting. The forum is looking for EU citizens who have experience with blockchain technology and will be accepting applications until 9 April. [Full Story]

Internet / WWW

WW – ICANN Considering Limiting Access to Domain Name Registration Data

The Internet Corporation for Assigned Names and Numbers (ICANN) is considering limiting the scope of information about domain name registrations that will be publicly available. Currently, the names, addresses and contact information of entities who register domain names are usually publicly available. ICANN is considering limiting that information to basic website information, such as its location, to comply with European Union rules set to take effect in May 2018. The US government and technology companies are objecting to the proposed changes because they say it will make tracking down criminals more difficult. [thehill.com: Tech companies push back against internet watchdog’s new privacy rules]

WW – Google Announces New Privacy Tools for Data Privacy and Security

Google recently announced products and services to spotlight data privacy and help enhance cybersecurity. Among those included in the release, the new Cloud Security Command Center provides a data risk analysis and threat intelligence dashboard to assist businesses gathering threat data, the VPC service controls allow for increased data privacy, and the new Access Transparency Logs, which were already used internally, are now available in a consumer-facing product. Google’s director of security, trust and privacy, said all these features are rooted in artificial intelligence. “We’re constantly evolving and pushing machine learning models so we can learn from literally billions of threat landscape indicators and quickly identify the source of an attack in the making,” she said. [PC Magazine]

Internet of Things

US – NIST Privacy Engineering Program Hosting IoT Roundtable

The National Institute of Standards and Technology (NIST) Privacy Engineering Program will be hosting a roundtable on the internet of things March 29. The roundtable will help develop a NIST document on the privacy and security risk considerations regarding the IoT. The group is seeking privacy professionals to participate in the roundtable in order to identify privacy risks involving the internet of things and has released a discussion draft offering information about their proposed approaches to the considerations. [NIST]

Law Enforcement

CA – Waterloo Police Considering Using Drones for Missing Person Searches

Waterloo Regional Police are considering the use of drones to assist in missing person cases and investigating car crashes. The drones will be fully operational by May 2018, and a Police Services Board report states the drones will be a faster and more efficient way to search large areas. The report also states the drones will not be used for surveillance purposes without “judicial authorization and completed privacy impact assessment.” [CBC News]

Location

US – Police Ask Google for Location Data to Narrow Suspect Lists

Police in North Carolina have hit on a simple if potentially controversial way to firm up suspect lists – use location data from Google to work out which devices were being used near the scene of crimes. Police in Raleigh used warrants in at least four recent investigations to make the search giant reveal the IDs of every device within certain map locations. Based on one or a combination of GPS, Wi-Fi and cellular location data, police were first given a list of anonymised time-stamped identifiers corresponding to every device within the map coordinates they were interested in. From an example warrant, this area of interest was as small as 150 metres from specific GPS coordinates, covering two narrow time ranges of around an hour each. The problem is that while treating device location data as evidence sounds logical, the inferences that can be drawn from it are fraught with danger. The obvious limitation is proving that a device’s registered owner was the one using it at the time and location police are interested in. If location data is requested while building a case based on a variety of evidence, that might be legitimate. The danger is that this data becomes the incriminating evidence from which the case is built. [Naked Security and at: WRL.com]

US – Spy Lab Wants to Geolocate Any Video or Photo Taken Outdoors

US intelligence is working on geotagging every possible outdoor location in the world. The difficulty of tracking down outdoor photos that haven’t been geotagged has led a US spy lab to launch Finder: a research program of the Intelligence Advanced Research Projects Agency (IARPA), the Office of the Director of National Intelligence’s dedicated research organization. The project aims to build on existing research systems to develop technology that augments analysts’ geolocating skills. At this point, analysts rely on information such as visible skyline and terrain; digital elevation data; existing, well-understood image collections; surface geology; geography; and architecture (think red phone booths). The goal is all-encompassing: IARPA wants Finder to find everything, as in, the ability to geolocate any video or photo taken anywhere outdoors. Once you realize how many of your photos are out there, bearing EXIF data that contains times, dates and locations of, say, your kids in the playground, you might want to start scrubbing your old photos clean. Here’s a guide on that from How-To Geek. [Naked Security and at: Ars Technica]

Online Privacy

WW – Updated Privacy Policies from Microsoft, LinkedIn and Slack Leave Much to Be Desired

A week after the Facebook-Cambridge Analytica scandal came to light, Microsoft, LinkedIn and Slack emailed users updated policies committed to privacy. But while experts applauded the transparency efforts, they criticized them for being written in legalese or so vague that they end up raising more questions than answers. “Companies think of privacy as an afterthought. It needs to be at the forefront,” said Imran Ahmad, a partner at Miller Thomson who leads the firm’s cybersecurity practice. “If you read a privacy statement and can’t understand it, are you really giving informed consent?” Teresa Scassa, the Canada research chair in information law and policy at the University of Ottawa, poked around the links and said she thought “wow, the ordinary consumer lost interest minutes ago.” [The Star]

Privacy (US)

US – 9th Circuit Further Split Over Standing in Data Breach Cases

On March 8, 2018, the Ninth Circuit issued its highly anticipated decision in In re Zappos.com, Inc. [see 18 pg PDF here], finding that allegations of future risk of identity theft from a data breach are sufficient to confer standing [see here]. This decision fuels an ongoing circuit split, pitting the D.C., Sixth, Seventh and now Ninth Circuits against the Second, Fourth, and Eighth Circuits over whether the mere exposure of personal information – without actual identity theft or credit/debit card fraud – establishes Article III standing. The Ninth Circuit has now joined its sister courts in the D.C., Sixth and Seventh Circuits to make it easier for plaintiffs to maintain data breach cases beyond the pleading stage despite no showing of actual injury. [Data Protection Coverage and at: Data Law Insights and Business Insurance]

US – FTC Modifies Sears’ Consent Order for Tracking Software App

Sears Holdings Management Corporation petitioned the FTC to reopen and modify its previous Consent Order. Sears must continue to notify and obtain express consent prior to disseminating any software program or app that monitors or records consumer activities, except where the tracked information is limited to the configuration of the software program itself, the functionality of the app, or consumers’ use of the app. [In the Matter of Sears Holding Management Corporation – Docket No. C-4264 – Before the FTC | Press Release | See also: Hogan Lovells Represents Sears in Achieving First-Ever Modification to FTC Privacy Consent Order]

Privacy Enhancing Technologies (PETs)

AU – Breach Notification: OIC Australia Releases Comprehensive Guide

The Office of the Australian Information Commissioner (OAIC) issued guidance on how to prepare for and respond to data breaches. Entities must notify affected individuals and the Information Commissioner of “eligible data breaches”, which are defined as unauthorised access to or disclosure of PI held by an entity (or loss of information in circumstances where unauthorised access or disclosure is likely to occur) that is likely to result in serious harm to any of the individuals to whom the information relates, where the entity has been unable to prevent the likely risk of serious harm with remedial action. The guidance sets out 4 steps: contain, assess, notify, review. [OIC Australia – Data Breach Preparation and Response and OAIC Received 31 Notifications Since Data Breach Scheme Took Effect]

Security

CA – Most Canadian Organizations Feel Insecure

A study, conducted for Scalar by IDC Canada, surveyed 421 IT security and risk compliance professionals in November-December 2017. Organizations expect to be breached, but:

  • 1/5 cite their security processes as ineffective
  • core security processes are not performed across the entire organization
  • less than 1/3 conduct formal employee training
  • vulnerabilities in third-party relationships are not accounted for
  • the speed of installing security updates and patches is inadequate, and
  • response planning lacks documentation and regular updating.

[The Cyber Security Readiness of Canadian Organizations – Scalar]

Surveillance

CA – Sidewalk Labs Addresses Privacy Concerns Over Proposed High-Tech Quayside District

The Google-affiliated company proposing a high-tech district in the Port Lands is trying to reassure Torontonians their privacy and data will be protected if the project proceeds. Hundreds of people turned out last week for an evening public consultation co-hosted by New York-based Sidewalk Labs and Waterfront Toronto at the Metro Toronto Convention Centre. Rohit (Rit) Aggarwala, Sidewalk Labs’ chief policy officer, told the crowd he has heard loud and clear concerns over privacy and the use of data that would be collected by sensors monitoring and controlling everything from traffic to snow-melting sidewalks in hyper-connected “Quayside.” Audience members seemed unsatisfied with answers about who would own data generated in the district and where it would be stored — officials could only say that negotiations continue. [Toronto Star and at: The Canadian Press (Global News), MobileSyrup, The Globe and Mail and ITBusiness.ca]

Workplace Privacy

CA – When Can HR Legally ‘Snoop’ on an Employee?

Spying, snooping, sleuthing – whatever you choose to call monitoring your employees, there’s no denying it’s a contentious issue in the workplace. But what legally constitutes snooping on your staff? And when are you allowed, or prohibited, from perusing their computers, emails and phones? We spoke to Cameron Wardell [see here], a lawyer at Mathews, Dinsdale & Clark LLP, who gave us his take on this complicated topic. “The framework for privacy protections in BC and Canada is quite complex, and the law about it can be surprising,” observed Wardell. “I would say that the biggest take-home point in this digital age is that the Courts and other decision-makers will assign privacy rights outside of what we might historically think of as private. In 2018, employers are well-advised to consider this—and to consult legal counsel—before searching any workplace computer or even the social media profiles of employees or prospective employees.” [HRMonline]

 

+++