23 March – 07 April 2017

Biometrics

US – Facial Recognition Database Used by FBI Is Out of Control, House Committee Hears

Approximately half of adult Americans’ photographs are stored in facial recognition databases that can be accessed by the FBI, without their knowledge or consent, in the hunt for suspected criminals. About 80% of photos in the FBI’s network are non-criminal entries, including pictures from driver’s licenses and passports. The algorithms used to identify matches are inaccurate about 15% of the time, and are more likely to misidentify black people than white people. These are just some of the damning facts presented at last week’s House oversight committee hearing, where politicians and privacy campaigners criticized the FBI and called for stricter regulation of facial recognition technology at a time when it is creeping into law enforcement and business. “No federal law controls this technology, no court decision limits it. This technology is not under control,” said Alvaro Bedoya, executive director of the center on privacy and technology at Georgetown Law. Unlike with the collection of fingerprints and DNA, which is done following an arrest, photos of innocent civilians are being collected proactively. The FBI made arrangements with 18 different states to gain access to their databases of driver’s license photos. Last year, the US government accountability office (GAO) analyzed the FBI’s use of facial recognition technology and found it to be lacking in accountability, accuracy and oversight, and made recommendations of how to address the problem. “It doesn’t know how often the system incorrectly identifies the wrong subject,” explained the GAO’s Diana Maurer. “Innocent people could bear the burden of being falsely accused, including the implication of having federal investigators turn up at their home or business.” [The Guardian | Facial-recognition technology will make life a perpetual police lineup for all | Real-Time Face Recognition Threatens to Turn Cops’ Body Cameras Into Surveillance Machines | Police Body Cameras Will Do More Than Just Record You]

US – California Cops and the FBI Want to Keep Their Facial Recognition Tech Secret

A California proposal requiring law enforcement agencies to disclose all surveillance equipment to the public took the first steps towards becoming law this week, while a congressional committee gave the side-eye to FBI officials who declined to give specifics about some of the bureau’s own surveillance tech. First, California.A bill [see here] sponsored by State Sen. Jerry Hill (D-San Mateo) would require police and sheriff’s departments to explain to local officials how they use surveillance technology like facial recognition programs and social media trackers. The disclosures would have to be made at a hearing that is open to the public. Hill’s proposal builds on two laws that took affect last year in California requiring law enforcement to disclose when they use license plate scanners to track vehicles, and when they use so-called “Stingrays” [see here & here] the committee voted 4-2 on Tuesday [see here] to approve the bill. It is now awaiting another vote in the Senate Judiciary Committee. There’s really no good reason to oppose this sort of transparency. The bill does not jeopardize ongoing investigations and does not limit what law enforcement agencies can do Keeping those secrets also jeopardizes the outcomes of investigations to a greater degree. We know that the FBI has ordered local prosecutors to drop cases rather than risk the public exposure of secret surveillance technology that helped track suspects [also see here & here]. We have no idea how often this happens, but it’s clear that potential criminals have gotten off scot-free because law enforcement inverted its priorities to value secrecy over keeping the public safe. There’s one key element missing from the bill: an outline of how law enforcement agencies would be punished for violating the mandatory disclosures. That matters, as we saw this week in Washington, D.C., when officials from the FBI were in front of the House Oversight and Government Reform Committee to answer questions about how the bureau secretly uses facial recognition software and other surveillance technology. The FBI has agreements with 18 states to share photos from state-level drivers’ license databases, and that report from the GAO revealed that as many as 64 million Americans might be entered into the FBI’s facial recognition database without knowing it. When you include similar databases maintained by the state and local law enforcement agencies around the country, one in every two American adults is included in a facial recognition network, the Center on Privacy and Technology at Georgetown Law concluded in a recent report. Other states, and Congress, would do well to require similar transparency from local, state, and federal law enforcement agencies—and to hold those law enforcement agencies accountable for failing to make public disclosures when required by law. [Reason.com | Now it’s easier to know if the FBI’s facial-recognition team can access your driver’s license photo ]

WW – Real-Time Face Recognition Threatens to Turn Cops’ Body Cameras Into Surveillance Machines

For years, the development of real-time face recognition has been hampered by poor video resolution, the angles of bodies in motion, and limited computing power. But as systems begin to transcend these technical barriers, they are also outpacing the development of policies to constrain them. Civil liberties advocates fear that the rise of real-time face recognition alongside the growing number of police body cameras creates the conditions for a perfect storm of mass surveillance. On Wednesday morning, the House Oversight Committee held a hearing on law enforcement’s use of facial recognition technology, where advocates emphasized the dangers of allowing advancements in real-time recognition to broaden surveillance powers. As Alvaro Bedoya, executive director of the Center on Privacy and Technology at Georgetown Law, told Congress, pairing the technology with body cameras, in particular, “will redefine the nature of public spaces.” A recent Justice Department-funded survey conducted by Johns Hopkins University found that at least nine out of 38 manufacturers of body cameras currently have facial recognition capacities or have built in an option for such technology to be used later. At least five U.S. police departments, including those in Los Angeles and New York, have already purchased or looked into purchasing real-time face recognition for their CCTV cameras, according to a study of face recognition technology published by Bedoya and other researchers at Georgetown. The databases, too, have already been built. Georgetown researchers estimated that one in every two faces of adults in the United States — many of whom have never committed a crime — are captured in searchable federal, state, or local databases. The Department of Defense, the Drug Enforcement Administration, and Immigration and Customs Enforcement are just a few of the federal agencies that can gain access to one or more state or local face recognition systems. Other types of real-time searches of biometric databases — such as mobile fingerprinting and rapid DNA tests — are now part of law enforcement routines and face few legal challenges. FBI searches of state driver’s license databases using face recognition software are almost six times more common than federal court-ordered wiretaps, according to the Georgetown study. [The Intercept | Police Body Cameras Will Do More Than Just Record You | It’s time to face the ugly reality of face recognition | Can automatic facial recognition systems account for aging?]

WW – Facebook Unveils New Tools To Combat Nonconsensual Pornography

To help stymie the unauthorized dissemination of intimate photos on its social network, Facebook has launched a new set of tools, including photo-matching technology, to prevent so-called revenge porn. Members of Facebook’s content operations team will review flagged images and the accounts of those sharing said images. The photo-matching tool will detect images that have been previously flagged and removed. Rep. Jackie Speier, D-Calif., who introduced federal anti-revenge porn legislation last year, said, “These new tools are a huge advancement in combatting non-consensual pornography and I applaud Facebook for their dedication in addressing this insidious issue, which impacts the lives of individuals and their loved ones across the country and around the world.” University of Miami School of Law professor Mary Anne Franks recently published a research paper on revenge porn reform. [The Hill]

Big Data

AU – Australian Privacy Foundation Criticizes Machine-Learning Centrelink Tech

In a submission to the Senate Community Affairs References Committee, the Australian Privacy Foundation has recommended that the Department of Human Services’ Centrelink bring back the human involvement in its automated debt-recovery process, instead of its new data-matching technology. Among the APF’s many concerns was the security of the data as the set size grows, as well as the accuracy of the data. However, the DHS said in its latest inquiry submission that “that the data-matching process is not new; rather it is just being performed at a larger scale.” Regardless, the APF called the robo-debt process “procedurally unfair,” requiring “evidence from the Centrelink recipient to prove that a debt is ‘not’ owed. The individual needs to prove a negative,” it wrote. [ZDNet]

US – Minority Neighborhoods Pay Higher Insurance Premiums with Same Risk

In a report copublished with Consumer Reports, ProPublica has released an in-depth investigation into car insurance premiums based on location and how minority neighborhoods pay higher premiums than white areas with the same risk. The investigation looked into premiums in four states — California, Illinois, Texas, and Missouri — and found that minority neighborhoods paid as much as 30 percent more than non-minority regions for similar accident costs. The report states that “many of the disparities in auto insurance prices between minority and white neighborhoods are wider than differences in risk can explain.” The American Civil Liberties Union’s Rachel Goodman said, “We already know that zip code matters far too much in our segregated society.” The Insurance Information Institute, however, disputes the report’s findings. I.I.I. Chief Actuary James Lynch said companies “do not discriminate on the basis of race.” [ProPublica]

Canada

CA – Canada’s Spy Agencies Work Out Deal on ‘Threat Disruption’ Operations

Canada’s two most powerful intelligence agencies have crafted a formal deal to cooperate on using controversial powers to disrupt domestic threats to the country’s security. The spy agency Canadian Security Intelligence Service (CSIS) and the electronic signals-gathering agency Communications Security Establishment (CSE) signed an agreement in July 2016 on how CSE will assist with “threat reduction” activities. The power to actively intervene to disrupt threats to Canadian national security, rather than simply collect information on them, was granted to CSIS in the previous Conservative government’s contentious anti-terrorism law, Bill C-51. It allows CSIS to actively disrupt perceived threats to national security, with few limits to the power except obtaining a warrant. The agreement with CSE allows for the combination of CSIS’s expertise in human intelligence and field work with the technical sophistication of Canada’s premier electronic intelligence agency. CSIS has the power to collect intelligence on Canadian citizens who are deemed a threat to national security whether they are on Canadian soil or abroad. On the other hand, CSE is explicitly prohibited from directing its electronic intelligence-gathering powers at Canadian citizens; its job is to gather signals intelligence on foreigners deemed a threat. [The Star]

CA – Manitoba Gov’t Launches Review of Two Pieces of Privacy Legislation

Government of Manitoba announced on Wednesday that it is reviewing two pieces of privacy legislation: the Personal Health Information Act (PHIA) [see here] and the Freedom of Information and Protection of Privacy Act (FIPPA) [see here] and is inviting residents to provide input. PHIA came into force in 1997, with major amendments in 2010 and 2011, the provincial government reported. The legislation provides a right of access for an individual to their personal health information and protects this information by setting rules for the collection, use, disclosure, security and destruction of this information by public bodies and healthcare providers. FIPPA came into force one year after PHIA (in 1998) and was significantly amended in 2011. The legislation provides a right of access to information in records held by public bodies and also protects personal information by setting rules for the collection, use and disclosure by public bodies. Public consultations will begin on March 31 and remain open until May 31. To review information about, and possible issues related to, PHIA and to share ideas or concerns, visit www.gov.mb.ca/health/phia/review.html. For FIPPA, visit www.gov.mb.ca/fippareview [Canadian Underwriter]

CA – Key Priorities of the Privacy Commissioner of Canada in 2017

On March 21, 2017, senior representatives of the Office of the Privacy Commissioner of Canada (OPC) met with privacy practitioners in Toronto to provide updates on policy, legal, compliance and enforcement activities of the OPC. The information disseminated at this annual meeting is important to all businesses collecting personal information of Canadians for two reasons: 1) The information highlights what the OPC believes to be its most significant actions from the prior year; and 2) The information signals the policy and enforcement priorities of the OPC for the current year. This alert summarizes three of the significant topics addressed by the OPC of concern to businesses whose operations involve the collection, use or disclosure of personal information of Canadians. Including updates on: a) Policy (the consent conundrum); b) Enforcement (extra-territorial application of PIPEDA); and c) Compliance (flexible use of compliance agreements) [DLA Piper]

CA – What the Federal Privacy Watchdog Did After an Insurer Pried into Crash Victim’s Credit Rating

An insurance company handling a car-crash victim’s accident claim violated the senior citizen’s privacy rights by accessing his credit rating for no good reason, the federal Privacy Commissioner has ruled. The Personal Insurance Company argued it needs such information to help weed out fraudulent claims, but the privacy watchdog said there was little evidence that examining clients’ credit worthiness helps counter insurance cheating. The decision this month dealt a blow to what appears to be a common industry practice. “This is very worrisome,” said [Rhona DesRoches, who heads the Association of Victims for Accident Insurance Reform]. “Just knowing how much debt a person carries might be an indicator of what that breaking point is. If they know a person is in dire financial straits, then they know how far along that person might go before giving in to perhaps a lower settlement than they should.” [National Post]

CA – P.Commish OK with Bill Allowing More Snooping Into Your Mail

On March 30, 2017, Privacy Commissioner of Canada, Daniel Therrien, appeared before the Standing Senate Committee on Legal and Constitutional Affairs to discuss Bill C-37, An Act to amend the Controlled Drugs and Substances Act and to make related amendments to other Acts. In his remarks, he acknowledged the importance of addressing drug abuse and addiction in a comprehensive manner. While Bill C-37 touches upon a number of matters, the Commissioner focused his comments on those clauses that amend the Customs Act and the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. [Appearance before the Senate committee on Legal and Constitutional Affairs (LCJC) on Bill C-37, An Act to amend the Controlled Drugs and Substances Act and to make related amendments to other Acts | C-37 gets privacy commissioner’s approval, despite concerns raised | The Canada Border Services Is Getting Authority To Open All Cross-Border Mail]

CA – Ottawa Airport Kiosks Launched Before Independent Privacy Review Was Complete

Last fall, the immigration department and Canada Border Services Agency met with the federal privacy commissioner to discuss a “biometric expansion project” that included the new Primary Inspection Kiosks, which scan international travellers’ faces to verify they match passport photographs. At that time, the commissioner noted the need for a Privacy Impact Assessment (PIA), according to spokeswoman Anne-Marie Cenaiko. Federal departments are required to complete PIAs to identify potential privacy risks for new programs, along with how they plan to reduce them. The privacy commissioner doesn’t approve or reject the PIAs, but his staff often make recommendations.. But in an email, Cenaiko said the commissioner was still studying the PIA when the kiosks launched Monday. “We received the PIA at the beginning of March and are currently in the process of reviewing it,” she wrote. That means there’s been no independent look at how much data is collected, how securely it’s stored or deleted, and whether it will be shared. Micheal Vonn, policy director for the BC Civil Liberties Association, said she was alarmed by CBSA announcing the kiosks publicly before submitting a PIA. [MetroNews]

CA – BC OIPC Reminds Businesses Video Surveillance Is a Last Resort

In February 2017, at the 18th annual Privacy and Security Conference, Acting Commissioner Drew McArthur commented on the first-ever audit of a private sector business conducted by the Office of the Information and Privacy Commissioner for British Columbia, Acting Commissioner Drew McArthur stated that OIPC “used this audit as an important opportunity for public education, and a reminder to private businesses that they should only use video surveillance as a last resort after exploring other less privacy-invasive options.” [see here] OIPC initiated the audit of the lower mainland medical clinic after receiving a complaint about the Clinic’s collection of personal information through video and audio surveillance. The Clinic used surveillance cameras on a 24/7 basis in its lobby, hallways, back exists, and fitness room to collect personal images and audio of patients, employees, contractors, and others. The Commissioner concluded that the Clinic’s use of video and audio surveillance was excessive in the circumstances. The Privacy Audit and Compliance Report [see PR here & Audit/Report here ] covers: 1) the methodology used; 2) the information covered; 3) the Commissioner’s findings; and 4) 12 recommended actions [BC Employer Law]

CA – Bill C-22: Liberals Undermining Goal of Strong National Security Oversight

The protection of Canadians’ rights is at a crossroads. Since 2001, the Canadian government — under the leadership of both the Conservatives and Liberals — has consistently and continuously granted new powers and resources to Canada’s national security agencies. This has been ostensibly in the pursuit of protecting Canada from terrorist threats. The result, though, has been the creation of a far-reaching national security apparatus spanning 20 government agencies — all without consistent, in-depth or independent review or oversight. So when the Liberals announced Bill C-22 to establish a Committee of Parliamentarians to oversee our national security agencies and activities, it was a welcomed and long-awaited announcement. It is also why the government’s recent actions, culminating with last Friday’s vote to reject sending the bill back to committee and passing it on to third reading, are all the more frustrating. The final vote in the House of Commons is slated for Monday, April 3, and it is fully expected to pass, sending the bill on to the Senate. Canadians should be concerned: What we have ended up with is an oversight committee in name only. And that is no comfort at all. [HuffPost]

CA – OPC Guidance: Disclosure Exceptions for Investigations & Fraud

On March 17, 2017, the Office of the Privacy Commissioner of Canada (OPC) published guidance [see here] on two new exceptions in PIPEDA permitting disclosure without consent. The guidance is very helpful to interpreting these new provisions and the OPC’s expectations of organizations. However, as expected, there is an undercurrent to the guidance suggesting that that the OPC would like to restrict organizations from setting up systematic information-sharing programs. This is very unfortunate given that these provisions are directly connected to improving confidence in the digital economy. Systematic sharing of information, particularly for fraud detection, suppression and prevention should be able to be accomplished if PIPEDA is truly technologically neutral. Without these tools, the OPC is incentivizing organizations to use much less transparent methods, such as predictive analytics. [Privacy and CyberSecurity Law]

CA – NB IPC Says Gov’t Hiding Behind “Privacy Law” in Child Deaths

New Brunswick’s IPC, Anne Bertrand, says government is using privacy law to maintain ‘secrecy’ around child deaths it is incorrectly using privacy law to maintain a level of “secrecy” around the child death review process.. The government has said privacy law prevents it from revealing the findings of the committee that reviews child deaths. It has also said reports written by the child death review committee are confidential advice to minister. Bertrand, the independent officer who is responsible for interpreting New Brunswick’s privacy laws, disagrees.” This is not rocket science,” she said. Bertrand cited a section of the province’s Right to Information and Protection of Privacy Act that overrides the privacy of third parties in cases of “significant public interest” where “public health or safety or protection of the environment” is at stake. [CBC]

CA – Will Mandatory Breach Reporting Spread to the Public Sector?

Hard on the heels of legislation requiring mandatory reporting of data breaches for the private sector come recommendations for a similar overhaul of the public sector. In relation to the private sector, s. 10.1 of the federal Personal Information and Electronic Documents Act [see here] requires mandatory reporting of data breaches that pose a substantial risk of harm to individuals. The new legislation was passed in 2015, underwent a consultation period in 2016 and is expected to come into force once regulations have been passed. The Ministry of Innovation, Science and Economic Development Canada advises that regulations will be published this year and will be subject to public consultation and a transition period. In relation to the public sector, the House of Commons Standing Committee on Access to Information, Privacy and Ethics tabled a report in December 2016 entitled “Protecting the Privacy of Canadians: Review of the Privacy Act.” It includes recommendations “to create an explicit requirement for government institutions to report material breaches of personal information to the Office of the Privacy Commissioner of Canada in a timely manner” and “to notify affected individuals of material breaches of personal information, except in appropriate cases, provided that the notification does not compound the damage to the individuals.” [Law Times | See also: Feds set to regulate reporting of digital data breaches ]

CA – Man Arrested in Relation to BC Pharmanet Privacy Breach

One man has been arrested in connection to a series of PharmaNet breaches that may have compromised the personal medical information of about 20,500 British Columbians. Health Ministry spokeswoman Lori Cascaden said “This inappropriate access to PharmaNet is not because of a direct hack into the system. It is suspected that access was obtained through impersonation of physicians and other methods.” In February, the Health Ministry sent out letters to about 7,500 people affected by the breach, which officials became aware about after users and vendors reported incidents of “suspicious access.” Since then, another 13,000 people may have had their PharmaNet information accessed, said the ministry Monday. An independent security review of PharmaNet and an overall modernization of the system, which would include security enhancements, are underway. [Vancouver Sun | Thousands more affected by PharmaNet privacy breach, government reveals and PharmaNet breach compromises personal information of 7,500 B.C. residents, says province ]

CA – BC Government Action Needed to Protect Privacy of Student Data

Delegates at the 2017 B.C. Teachers’ Federation (BCTF) Annual General Meeting approved a six-part recommendation on Saturday about student-data protection. It states “employer-mandated digital programs for reporting and communication with parents should only be used when privacy impact assessments have been developed and district, school, and classroom policies have been defined and are followed. It also says district, school, and classroom policies should include definitions of how the data will be used during the time that it is being collected (e.g., a school year), whether it will be saved and accessible after the current use, and if so, who has access to that data, and a plan for how and when the data will be destroyed. It adds that students and parents should have access to all privacy impact assessments and technology-use policies and that “all data created by a student should be recognized as belonging to the student and not to the provider of the program, nor should it be used for any commercial purpose nor linked to other education, government, or commercial databases.” [Vancouver Observer]

CA – Alberta’s Wildrose Bill Aims to Fight Cyber-Bullying/Photo Abuse

On March 14, Alberta MLA Scott Cyr introduced Bill 202, the Protecting Victims of Non-Consensual Distribution of Intimate Images Act, to the Alberta Legislature. Bill 202 would create laws in Alberta that would allow for victims of these types of actions to seek damages in a court of law. Cyr commented on the bill saying, “We know Albertans, especially youth, across Alberta, are suffering from cyber-bullying. The sharing of an intimate image without consent can have a devastating impact on a victim, leading them to feel betrayed and violated. This legislation if passed would raise awareness about this issue, and remove barriers to seeking damages for victims.” Under Bill 202, provisions would also be added to the Education Act, allowing for students who engage in that behaviour to be suspended or otherwise punished. Bill 202 would apply to anyone under the age of 18 who has their images shared without their consent and is similar to other laws in place in Manitoba [see here] and Nova Scotia [see here & here]. [Cold Lake Sun]

CA – Ontario Court Allows Class Action Complaint Alleging Risk from Pre-Installed Software

The Court considered Lenovo (Canada) Inc.’s motion to strike pleadings for a class action complaint alleging it sold a computer with a malicious adware program. Pre-installed adware on new laptops scanned web traffic to inject unauthorized advertisements into the web browser without consumers’ knowledge and consent, and created security vulnerabilities that allowed hackers to collect confidential sensitive information; the act of implanting the software was an intrusion upon the plaintiff’s privacy (it exposed him to significant risks that his personal and financial information would be stolen), and the risk of unauthorized access to private information is a concern in itself (even without any actual removal or theft. [Bennet v Lenovo – 2017 ONSC 1082 CanLII – Superior Court of Justice – Ontario]

CA – Alberta Bill Prohibits Non-Consensual Distribution of Intimate Images

Bill 202, Protecting Victims of Non-Consensual Distribution of Intimate Images Act passed the second reading in the Legislative Assembly of Alberta: The Act will next be reviewed by the Committee of the Whole. If passed, the bill would make it illegal to distribute an intimate image of another person without consent or being reckless as to whether or not that person consented to the distribution; the courts may award general, aggravated and punitive damages or issue an injunction. [Bill 202 – Protecting Victims of Non-Consensual Distribution of Intimate Images Act – Legislative Assembly of Alberta]

CA – Canada’s Ministry of Transport Imposes New Rules for Recreational Drone Use, Including Penalties

The Minister of Transport issues an interim order for recreational drone use. The Order is effective March 13, 2017. Drone operators must mark their drone with contact information, and may not fly higher than 90 metres, at night, within 75 metres of building, vehicles, animals or people, or within 9 kilometres of a working airport; any recreational drone operator who fails to comply with the restrictions could be subject to fines of up to $3,000 for individuals and up to $15,000 for corporations. The rules do not apply to drones operations for commercial, academic or research purposes. Interim Order Respecting the Use of Model Aircraft – Transport Canada | Press Release]

CA – Trudeau Gov’t Reneges on Promise, Delays Transparency Reforms

Treasury Board President Scott Brison says the government has run up against “important considerations” in the efforts to broaden the access system to include ministers’ offices, the Prime Minister’s Office and the federal court system. Those considerations include “the neutrality of the public service,” “the independence of the judiciary” and Canadians’ privacy rights, the minister said. The Star asked Brison’s office on Sunday how Canadians’ privacy rights are an impediment to making government documents available to Canadians. In an emailed response, Brison’s office suggested minister was speaking broadly about the principles that underpin the access system, including censoring information about private citizens. Canada’s access to information (ATIP) system was established in 1982. It allows any Canadian to access internal federal government documents. Citizens, businesses and researchers can use it to figure out how Ottawa makes decisions and to dig up historical records, basically pry loose information the government has kept from public eyes for whatever reason. In the 2015 campaign, the Liberals proposed sweeping reforms to the system, including expanding its application to ministers’ offices, giving an independent watchdog the power to compel departments to release information and making access to government documents “open by default.” A number of those changes have now been delayed indefinitely. [Scott Brison explains delay in promised transparency reforms |Justin Trudeau’s promise of transparency is starting to look empty: Editorial]

CA – Ontario Court Refuses to Restore Landmark Damages Award in Revenge Porn Case

The Court considers a Plaintiff’s appeal of a court judgment setting aside damages awarded to her for non-consensual distribution of intimate images. The Court ruled that the motion judge, in setting aside the findings of liability and assessment of damages against the Defendant, did not fail to look at ongoing psychological harm as a form of non-compensable prejudice to the Plaintiff; the Defendant must pay $10,000 in costs, and present a statement of defence (i.e. the case will proceed to trial. [Jane Doe 464533 v. N.D. – 2017 ONSC 127 – Superior Court of Justice Ontario]

CA – Employees Continue to be the Weakest Link in IT Security

An overview of the biggest risks to IT systems. 60 to 90% of the time, insiders are the cause of IT security threats, specifically for responding to phishing emails that appear to come from an internal source (e.g., senior management); employers should hold training sessions every 4 to 6 months to educate employees on specific social engineering behaviours such as suspicious URLs or requests for personal information. [Employee Behaviours and IT Cyber Risk – Paige Backman, Partner, Meghan Cowan, Associate, and Donald Johnson, Lawyer, Aird and Berlis LLP

CA – Manitoba Ombudsman Issues Recommendations to Prevent Employee Snooping

The Manitoba Ombudsman issues recommendation for public bodies and trustees to prevent employee snooping. Steps to ensure the information is only accessed by employees who need it and when it is required include, promoting a culture of privacy by establishing clear expectations and requirements for employees (supported by senior management), raising employee awareness by conducting regular training and reminders, making sure employees understand the consequences, granting access to information on a need-to-know basis, monitoring employees’ behaviour and investigating all snooping allegations. [Ten Tips for Addressing Employee Snooping – Manitoba Ombusman]

CA – BC Government Ordered to Disclose Aggregate Health Data to Tobacco Industry

The Court considers the Province of British Columbia’s appeal against an order compelling production of documents containing personal health information. In an action against the tobacco industry to recover health care expenditures for tobacco related disease, the government refused to produce anonymised data from its health databases, even though it would be relying on that same data to determine damages; provisions under the Tobacco Damages and Health Care Costs Recovery Act does not prohibit the production of anonymized or statistical health data, and once stripped of personal identifiers, the data poses no realistic threat to personal privacy. [HMTQ v. Philip Morris International Inc. – 2017 BCCA 69 CanLII – Court of Appeal for British Columbia]

Consumer

WW – UN Human Rights Council Resolution Calls on Nations and Private Sector to Respect Individual Rights

The UN Human Rights Council, along with 35 other UN member states, adopted a resolution on the right to privacy in the digital age on March 23, 2017. Member states should implement domestic oversight mechanisms to ensure transparency of and accountability for State surveillance of communications, permit individuals subject to arbitrary or unlawful surveillance an effective judicial remedy, and enable business enterprises to adopt adequate voluntary transparency measures; business enterprises should implement technical solutions to secure digital communications (including encryption and anonymity), with which states should not interfere. [Resolution 34/7 – The Right to Privacy in the Digital Age – United Nations Human Rights Council]

CA – CPAC Survey: Consumers Conflicted Over Safety of Personal Info

Consumers from the Great White North worry that Canadian businesses are vulnerable to cyberattacks yet trust that companies are doing their best to protect the personal information of customers, according to a new fraud survey by the 2017 Chartered Professional Accountants of Canada. Perceptions about the safety of personal information and trust in business could drastically change by the time the next survey is conducted. Canada’s tightened up data breach notification laws take effect later this year. Some privacy professionals warn that there could be a huge uptick in breach reporting as guidance from the Canadian Securities Administrators requires companies to report more information about cyberattacks [see here], and expected Digital Privacy Act regulations will require more breaches to be reported. [BNA] See also: Fewer Canadians concerned about identity theft, says CPA Canada]

US – Americans Unwilling to Share Electronic Info for Terrorist Investigations

A Reuters-Ipsos poll found a majority of American citizens are unwilling to share their electronic communications and online activity with U.S. counterterrorism agencies. Compared to results from when the poll was last conducted in 2013, Americans are even more reluctant to share information. Of the respondents, 75% said they would not allow law enforcement agencies to access their internet activity to aid in terrorism investigations, up from 67% in 2013. Opinions on surveillance were mixed, with 32% saying agencies such as the FBI and National Security Agency are conducting “as much surveillance as is necessary,” while 37 percent said those agencies are “conducting too much surveillance on American citizens.” [Reuters]

US – Most Americans Unwilling to Give Up Privacy to Thwart Attacks: Survey

A majority of Americans are unwilling to share their personal emails, text messages, phone calls and records of online activity with U.S. counter-terrorism investigators – even to help foil terror plots, according to a Reuters/Ipsos opinion poll released on Tuesday. 75% of adults said they would not let investigators tap into their Internet activity to help the U.S. combat domestic terrorism. That’s up from 67% who answered the same way in June 2013. But Americans were more evenly divided when asked whether the government is conducting too much surveillance. According to the March 11-20 survey, 32% said intelligence agencies such as the FBI and National Security Agency are conducting “as much surveillance as is necessary” and 7% said they wanted more surveillance. Another 37% of adults said agencies are “conducting too much surveillance on American citizens.” The remaining 24% said they did not know. For a graphic of the poll results see here The entire poll can be found here. [Reuters/Ipsos poll]

EU – EU to Propose New Rules Targeting Encrypted Apps in June

The European Commission will propose new measures in June to make it easier for police to access data on internet messaging apps like WhatsApp, EU Justice Commissioner Věra Jourová said yesterday (28 March), heeding calls from national interior ministers. The announcement comes as interior ministers from EU countries have amped up pressure on the Commission to introduce new rules to help police crack through secure encryption and demand private data for investigations. “At the moment, prosecutors, judges, also police and law enforcement authorities, are dependent on whether or not providers will voluntarily provide the access and the evidence. This is not the way we can facilitate and ensure the security of Europeans, being dependent on some voluntary action,” said [EU Justice Commissioner Věra] Jourová. Jourová said the measures would make it easier for law enforcement authorities to request and access data from online services that are registered outside their jurisdictions. UK Home Secretary Amber Rudd said on Sunday (26 March) that encrypted messaging services should be forced to give access to police. German Interior Minister Thomas de Maizière and his French counterpart Matthias Fekl told MEPs they want police to have the same legal right to access online services as they do to demand phone call information from telecoms companies. National ministers in favour of laws regulating encryption complain that they have no legal power to force internet firms to hand over secured data. Five out of 12 EU countries – Hungary, Croatia, Italy, Latvia and Poland – that responded to a questionnaire sent out last year by the Slovakian government, when it held the rotating Council of the EU presidency, said they wanted an EU-wide law on encryption. [Euractiv] WhatsApp must be accessible to authorities, says Amber Rudd | Call for encryption ban pits Rudd against industry and colleagues | Encryption debate needs to be nuanced, says FBI’s Comey]

E-Government

NZ – Privacy Commissioner of NZ Rejects Data-for-Funding Proposal

New Zealand Privacy Commissioner John Edwards has rejected the controversial Ministry of Social Development-proposed policy to require nongovernment organizations to provide personalized data of their clients in exchange for government funding, Stuff.co.nz reports. His decision comes the day after the MSD had to shut down their information-sharing portal after a breach. While Edwards acknowledged that good information allowed for the government to weigh the efficacy of NGOs, the MSD had taken “insufficient consideration” regarding the consequences of its proposal and that its data capture plan was “excessive and unnecessary.” Ultimately, “there is a real risk that the new arrangement will deter some people who are most in need from seeking support or assistance,” Edwards said. [Stuff.co.uk]

WW – Google and Jigsaw Are Offering Free Election Cybersecurity Tools

Google and Jigsaw, both part of the Alphabet family, have developed a package of tools to help organizations facilitating elections protect themselves from digital threats. The “Protect Your Election” suite of tools includes two-factor authentication, the Password Alert Chrome extension, and access to Project Shield, which offers free DDoS defense to independent news site and human rights groups. [A Cybersecurity Arsenal That’ll Help ‘Protect Your Election’ | Google, sister company Jigsaw offer cybersecurity to election groups | Google, Jigsaw seek to stop election hacks | Google will provide free cybersecurity tools for election organizers in Europe]

HK – Tablet with Census Data Lost Last Year, Government Announces

Hong Kong’s Census and Statistics Department has revealed that a tablet containing the personal information of 46 citizens was lost last year after it was misplaced by a census officer gathering information. The department said “the tablet was one of two such devices lost by census officers” but that in this case, the officer misplaced the device while eating at a fast-food restaurant, the report states. A department spokesman said that while the information on the tablet wasn’t deleted quickly enough by remote software, it “believed the risk of data leakage was ‘extremely low’ because the information had been encrypted and the tablet was locked by dual-password authentication.” Additionally, while the public was just hearing about the breach, victims, law enforcement, and the privacy commissioner were informed last year. [South China Morning Post] and [Lawmakers dub explanation behind voter data theft ‘nonsensical’]

IN – 46,000 Phone Numbers Leaked Via Local Indian Police’s Twitter Account

Bengaluru police leaked the 46,000 phone numbers of those who dialed 100 via the Suraksha app to complain about harassment, quarrels and more, to Twitter. The police made the account private after concern about the leak increased, but were otherwise “unapologetic regarding the matter,” the report states. The police said the leak was a result of tweets auto-generated from its Twitter account. Policy Director at the Centre for Internet and Society Pranesh Prakash argued that the “police officer who ordered to create such an account should be held responsible if any harm comes to a complainant.” [India Today]

US – FPF Smart City Resource Looks To Assuage Iot Fears

The Future of Privacy Forum has unveiled a new interactive tool to help companies, communities, and citizens understand internet-of-things technology used in so-called smart cities. FPF notes that while smart cities do inspire their fair share of privacy concerns, mature data privacy programs can protect citizens while allowing cities to embrace IoT technology. The infographic explores typical concerns about smart city innovation, like discrimination, surveillance, and unexpected uses of data. It couples those issues with practical solutions, such as transparency and consent, vendor management, and de-anonymization tactics, as well as providing readers with additional smart city resources. [FPF.org]

US – Senator Asks FTC to Look Into IoT Toy Privacy Concerns

Sen. Bill Nelson, D-Fla., has written a letter to the FTC asking the agency to address issues surrounding internet-connected children’s toys. Nelson is concerned about the privacy and security risks the toys possess as they continue to gain prominence in light of a recent data breach. “Please explain what actions the FTC has taken in response to these recent data breaches, which have exposed the personal information of millions of children,” writes Nelson. “Specifically, I would like to know what actions the FTC has taken under the COPPA Rule to protect the personal data of children using connected toys.” Nelson has previously written a report and a letter to the CEO of connected-toy company Spiral Toys outlining similar concerns. [SD Times]

E-Mail

US – USPS Daily Mail Digital Preview a Double-Edged Security Sword, Some Say

Informed Delivery, a new, free offering from the U.S. Postal Service, allows users to access pictures and information of the mail they’re set to receive that day, and could be used to help those enrolled protect against identity theft and fraud. “If an important piece of mail that was supposed to be delivered isn’t in the mailbox … [users] can assume it was stolen or delivered to the wrong address and start working to find out what happened,” the report states. However, some critics contend it’s not that simple. Should a hacker compromise a user’s account, he or she could discover that a check or important document was en route and grab it before the intended recipient does. That’s why strong passwords for these types of services are imperative, said CyberScout’s Adam Levin. [NBC News]

UK – Startup Raises $2.7M for Pro-Privacy Email Tool

British startup CheckRecipient looks to protect employee-generated data breaches by utilizing machine learning to keep emails from being mailed to the wrong recipient. So far, the startup has raised $2.7 million in capital. The funds were raised in conjunction with companies like Accel, Amadeus Capital Partners and LocalGlobe. “While there are lots of products on the market designed to make email more secure, they all require a high degree of behavior change from end users or significant administration from IT teams, meaning that their effectiveness is diminished,” the startup argues, maintaining that its product makes those practices obsolete. The team added that the startup has seen success in London, working with legal, health care and financial service companies, and hopes to launch in the U.S. “shortly.” [TechCrunch]

Encryption

CA – Court Nixes Probation Condition Forbidding Encryption Use

The US government has much broader authority over the speech of probationers than it does over ordinary citizens; but even probation conditions are subject to some scrutiny. Thursday’s California appellate decision in In re Mike H. concluded that a ban on the probationer’s use of anonymizing tools to access the Internet, and a requirement that he accurately identify himself when setting up any online communications services, was permissible: “The juvenile court could reasonably conclude that requiring Mike to use his true identity online and avoid encryption or hacking tools could help the probation department assess whether Mike was in violation [of] other uncontested conditions of his probation.” But the ban on using any electronic devices that contain “any encryption software” was too broad: “While it may not be apparent to the everyday user, encryption technology is now a fact of everyday life This means that encryption is applied automatically without a user needing to switch it on. As drafted, [this condition] is therefore unconstitutionally overbroad.” [Washington Post | Court Strikes Probation Condition Against Using a Device Containing Encryption–In re Mike H.]

UK – New Survey Claims Most Brits Feel “Safer” Without Encryption

Two-thirds of the British public claim the ability of police to intercept and read communications between terrorists is more important than privacy, according to a new study. Advice site Cable.co.uk polled [see here] 2000 UK adults last week following the home secretary’s controversial and widely criticized comments that WhatsApp and other services should effectively be backdoored to allow law enforcement to monitor suspects. Along with the headline stat, over half (51%) claimed they’d feel safer if services like WhatsApp were unencrypted, whilst only a quarter (25%) said they’d feel less safe because cyber-criminals could potentially intercept their communications. Nearly a quarter of men (23%) compared to just 14% of women said the digital privacy of UK citizens should come first, while 26% of 25-34-year-olds felt the same, as opposed to just 10% of the over-55s. [InfoSecurity See also: UK government can force encryption removal, but fears losing, experts say | Politicians call – again – for backdoors into encrypted messages | WhatsApp must be accessible to authorities, says Amber Rudd | Call for encryption ban pits Rudd against industry and colleagues ]

EU Developments

UK – UK Seeks To Create Independent Body to Monitor Police Online Surveillance

The Home Office is creating an independent surveillance program to prevent police officers from granting themselves permission to access personal emails and browsing histories. Labour Party Deputy Leader Tom Watson said the project is a response to a judgment made by the European Court of Justice demanding stricter legal safeguards for law enforcement agencies handling communications data. Members of Parliament have yet to be notified about the project, but information about the new body recently appeared in an online tender document. [Guardian]

UK – Interactive Map Shows Intrusive Surveillance-Tech Exports

The UK is a worldwide exporter of surveillance technology. From devices that hoover up phone calls and text messages, to hardware for monitoring internet traffic, Her Majesty’s Government has granted myriad licenses to ship spying gear over the past few years. Some of the recipient countries will have legitimate uses for such products, but many—Egypt, Turkey, Saudi Arabia—also have abhorrent human rights records, especially when it comes to abusing powerful surveillance tech. IMSI catchers, intrusion software, internet monitoring solutions: UK companies provide it all. Her Majesty’s Government has granted myriad licenses to ship spying gear over the past few years. Some of the recipient countries will have legitimate uses for such products, but many—Egypt, Turkey, Saudi Arabia—also have abhorrent human rights records, especially when it comes to abusing powerful surveillance tech. To better illustrate this proliferation, Motherboard has created an interactive map using data published by the Department of International Trade, as well as extra details obtained through the Freedom of Information Act, such as the specific product exported, or the company that sold it. The map shows which countries the government has granted export licenses to since 2015, and includes telecommunications interception equipment, intrusion or hacking software, and internet monitoring tools. Motherboard will update the map as more data becomes available. (Currently, the map dates back to April 2016). You can find the map here, and various related datasets [here, here & here] [MotherBoard]

EU – Lawmakers Question Data Transfer Program Ahead of Review

The European Union-U.S. Privacy Shield data transfer pact has flaws that must be addressed during the first annual review of the program, EU lawmakers said in a draft [European Parliament Civil Liberties, Justice and Home Affairs Committee or LIBE] resolution narrowly adopted March 23 [see 6 pg pdf here]. The resolution said the review of the program scheduled for this summer should focus on continued U.S. surveillance of foreigners abroad and the viability of redress mechanisms for EU citizens over alleged U.S. government misuse of data. Claude Moraes, the committee’s chair and resolution’s sponsor, told Bloomberg BNA March 23 that EU lawmakers are concerned about data retention provisions in the Privacy Shield agreement. Additionally, the Privacy Shield doesn’t prevent U.S. authorities from carrying out “the bulk collection of personal data for national security purposes,” he said. The draft resolution also called into question the “effective independent oversight” of the program by a U.S.-based ombudsman The LIBE resolution is provisional until confirmed by a vote of the full European Parliament. LIBE backed the resolution in a 29-25 vote, with one abstention. The European Commission, the EU’s executive arm, is obligated to review the Privacy Shield annually. The pact became effective Aug. 1, 2016. [BNA.com]

EU – Resolution Adopted by European Parliament Criticizing Privacy Shield

The European Parliament adopted a resolution criticizing the EU-U.S. Privacy Shield agreement. German Green MEP Jan Philipp Albrecht calls upon the European Commission and EU Justice Commissioner Věra Jourová to ensure more is done to protect European citizens’ data. “The Privacy Shield does not make the US a safe haven. Personal data from people in the European Union is not being adequately protected against access by intelligence services in the US. People in the EU have no real rights when it comes to accessing their data or having it deleted,” Albrecht stated, adding, “The European Justice Commissioner should not allow the US government to palm her off with non-binding declarations of intent or letters of assurance. Vera Jourová must increase the pressure on the US government to make the Privacy Shield a genuine safeguard.” [Greens-EFA]

EU – ePrivacy Reform & the UK ICO Role and Plans

While preparations for the GDPR dominate the headlines, it’s not the only change for the digital economy. As technology evolves at a phenomenal rate, the laws that govern internet-based services are moving at an equally rapid pace. The next piece of legislation in line for an overhaul is the European directive that forms the basis of the Privacy and Electronic Communications Regulations (PECR). Earlier this year, the European Commission published its proposal for the new updated ePrivacy Regulation (ePR), to better protect people’s privacy in the digital age. This proposal is just the beginning of the process, and the details are likely to change as we move forward. It will be a tough deadline for EU lawmakers to meet – the ePR is due to come into effect in May 2018 alongside the GDPR. As a regulation, it will apply directly within every EU member state. As with GDPR, the UK government has confirmed it would be implemented in the UK before we leave the EU. The current draft proposal includes some headline changes The responsibility for enforcement will mirror the GDPR and therefore will fall to the ICO. We’ll be watching the negotiations closely to understand how they might affect the UK. [Information Commissioner’s Office Blog]

UK – ICO UK Issues Guidelines to Health Sector on Managing Patient Records

The UK Information Commissioner’s Office has issued guidelines for the health sector. Organisations should assign responsibility for ensuring the location of records is known at all times, including appointing a records manager, records officer, and local information asset owner; tracking procedures should be put in place (including what to do if a file goes missing), records should be logged in and out, and a formal records management training programme should comprise mandatory induction and periodic refresher training for all staff with access to personal data. [ICO UK – Health Sector Resources | News Release]

EU – European Parliament Issues Opinion on the Fundamental Rights Implications of Big Data

The European Parliament has issued its opinion on the fundamental rights implications of big data. The complexity of automated processing of big data can be challenging for individuals to assess the collection, analysis and use of personal data, the merging of personal and non-personal data can create new personal data, and it can be possible to re-identify individuals by correlating different types of anonymised data; organisations should apply the principle of data protection by design and pseudonymize, anonymize or encrypt personal data used in big data applications. [European Parliament – Resolution of 14 March 2017 – Fundamental Rights Implications of Big Data]

UK – Government Advised to Establish Minimum Internet Safety Standards

The House of Lords Select Committee on Communications released its 2nd report of session 2016-17 on children and the Internet. Social media sites terms and conditions are at odds with children’s right to privacy, the commercial uses of data in regards to children present difficulties in regards to transparency, choice and control, the effectiveness of filters is limited by children’s use of multiple devices/access points, encryption of websites and use of apps; there is widespread flouting of rules concerning age (particularly on social media sites and in gaming), and internet services are not designed with children in mind (an updated operating system automatically restores default settings. [Growing Up With The Internet – House of Lords]

CA – British Columbia Man Arrested For Stealing Patient Information

A British Columbia man has been arrested for stealing the information of more than 20,000 PharmaNet patients. The Vancouver Police Department released a statement saying the man gained unauthorized access to the PharmaNet system to obtain the patient data, then used the information for “fraudulent purposes.” Law enforcement agencies have not shared any information on the ways the data was used or how the man breached the system. The Ministry of Health said the man may have gained access by impersonating a doctor and promised to implement stronger security measures with PharmaNet vendors. British Columbia offered free credit monitoring for all of the impacted patients. [CTV News]

Facts & Stats

WW – Reports: Number Of Compromised Records in the Billions In 2016

Gemalto released its 2016 data breach report, finding the number of compromised records increased 86 percent from 2015. Gemalto’s Breach Level Index found 1.4 billion records were compromised in 2016, pushing the overall total to 7 billion since the BLI was created in 2013. The report found most of the cyberattacks targeted large consumer databases, such as social media, entertainment, and email websites. Despite the record amount of compromised records, the number of data breaches actually decreased by 4 percent last year. Another report from IBM Security found more than 4 billion records were leaked worldwide in 2016, a 566 percent increase from the previous year. [Gemalto]

US – Eight Companies Plan to Pay $5.3M to Settle Privacy Lawsuit

A group of eight companies could pay $5.3 million for a proposed privacy settlement. The payments from Instagram, Foursquare, Kik, Gowalla, Foodspotting, Yelp, Twitter, and Path would help settle a 2012 lawsuit surrounding the use of the “Find Friends” iOS feature. The feature allowed users to find out if their friends were using the same app, but the plaintiffs in the case allege the app makers violated their privacy by failing to alert users it would send their contact lists to company servers. A judge still needs to approve the settlement before it takes effect. If approved, only Apple and LinkedIn will be among the 18 original defendants still attached to the case. [Fortune]

Finance

US – Coalition of US Groups Push to Repeal Globally-Hated FATCA

A coalition of 23 taxpayer protection and grassroots organizations sent a letter today urging Congressional leadership to include repeal of the Foreign Account Tax Compliance Act (FATCA) as part of comprehensive tax reform. Co-authored by the Center for Freedom and Prosperity and the Campaign to Repeal FATCA. The letter makes 5 key points: 1) FATCA fails in its primary goal to catch wealthy tax cheats; 2) It ensnares innocent Americans with excessive reporting requirements and draconian penalties for the slightest oversights; 3) It makes U.S. citizens living and working abroad toxic assets in the eyes of both financial institutions and employers; 4) Its compliance costs far outstrip the revenue it collects; and 5) It encourages other nations and international organizations to pursue aggressive tax grabs that threaten American businesses and the global economy. [Freedom and Prosperity]

US-Born Canadian Citizens Allege FATCA Infringes on Their Right to Privacy

Virginia Hillis, Gwendolyn Deegan and Kazia Highton (“Plaintiffs”) filed a statement of claim against the Attorney General of Canada and the Minister of National Revenue (“Defendants”) arguing that the Foreign Account Tax Compliance Act (“FATCA”) violates their rights as Canadians under the Charter Of Rights And Freedoms: Defendants filed a response to Plaintiffs’ claims. Canadian financial institutions are required to disclose account information relating to US reportable accounts without notice to the individual, an opportunity for the individual to object, consideration of the usefulness of information, or sufficient restrictions on the use of the information; the government argues that reported information can only be disclosed for tax purposes, and FATCA is tailored to only collect required information. [Virginia Hillis et al v. Attorney General of Canada and the Minister of National Revenue – Amended Statement of Claim to the Defendants – Federal Court | Government Response]

US – IRS Seeks Bitcoin Exchange User Data, Raising Privacy Concerns

Privacy concerns have arisen as the Internal Revenue Service aims to obtain consumer information from popular bitcoin service, Coinbase. The IRS served a “John Doe” summons to Coinbase demanding transaction and user profile records on all of its U.S. users from 2013 to 2015 as part of a tax evasion probe. Coinbase has yet to turn over any of the data and is asking the government to narrow the scope of the information it is seeking. While Coinbase’s general practice states they will cooperate with law enforcement agencies, the company said it will fight back against the request unless the demands are scaled back. “It amounts to nothing more than asking for large amounts of hay in the hope they might find a needle,” said Internet Association CEO Michael Beckerman. [The Wall Street Journal]

CA –Canada’s First Commercial Blockchain Service Could Become the ‘Interac’ for Digital Transactions

With the announcement of a major commercial service with backing from Canada’s ‘Big 5’ banks and a new research institute driven by the Tapscotts, complete with government funding, it’s fair to say that blockchain is having its moment in emerging to the mainstream. “Banks haven’t done something like this since the formation of Interac in 1984” says Greg Wolfond, founder and CEO of SecureKey Technologies [see here] They are getting ready for a push to launch a new brand that is centered around enabling privacy-protected digital transactions Later this year. The service will be the first blockchain project with such a wide commercial launch in Canada, signaling that the digital ledger technology has moved on from its days as the stuff of cryptocurrencies bearing odd names and firmly into the establishment. The bottom line is that customers will just have more control over their privacy than they do today [says Chuck Hounsell, senior vice-president of payments at TD Bank]. Blockchain hasn’t just arrived in Canada, its commercial embrace is global. SecureKey [see here] plans to collaborate with IBM to take the work its done in Canada to other countries. It may be buoyed in part by its status as a Privacy by Design ambassador, showing it’s adopted former Ontario privacy commissioner Anne Cavoukian’s internationally-recognized privacy framework in its design. That helped facilitate a triple-blind model that ensures user privacy, Wolfond says. The provider of the attribute doesn’t know what you’re using it for, the receiver doesn’t know who’s providing it, and there’s no middle man in between to watch what you’re doing. [IT World]

US – FTC releases 2016 Annual Highlights, Cites Continued Efforts Toward Privacy

The Federal Trade Commission released its 2016 Annual Highlights, touting the agency’s efforts to protect consumers. Acting FTC Chairman Maureen Ohlhausen said, “2016 was a historic year for the FTC. We obtained almost $12 billion in redress for consumers, and took action in more than a dozen merger cases to preserve competition. The Commission’s enforcement, policy and consumer and business education work shows our strong commitment to protecting consumers and promoting competition and innovation.” The report also discusses the FTC’s continued efforts to make privacy and security a high priority. [FTC]

WW – Study Evaluates Top Companies’ Privacy Commitments

A new study examined 22 of the top global telecommunications, internet, and mobile companies on their public commitments to and disclosed policies on users’ freedom of expression and privacy. “The 2017 Ranking Digital Rights Corporate Accountability Index” measured the companies based on three sets of criteria: governance, freedom of expression, and privacy. Key findings include evidence that companies are not doing a proper job disclosing information to consumers, mobile ecosystems lack disclosure, freedom of expression “is getting shortchanged,” and handling of user data is opaque, among others. Among internet and mobile companies, Google had the best marks, while AT&T had the best score among telecommunications companies. [Ranking Digital Rights]

FOI

CA – Alta Gov’t Opposition Recommendations on Fixing FOI System

The Wildrose, Alberta’s Official Opposition party, made 10 suggestions for improving Alberta’s broken freedom of information system, including firing issues managers in the premier’s office and Public Affairs Bureau to free up cash for processing requests. [see PR here & pdf report here] Nathan Cooper, the Wildrose critic for democracy and accountability, said access to information is a critical tool for the opposition, media and the public to hold the government to account. He said the government needs to change its attitude.. Earlier this year, Alberta privacy and information commissioner Jill Clayton issued a scathing assessment of the government’s attitude towards the FOIP act. [see PR here & report pdf’s here & here] Clayton said the government has a “lack of respect” for freedom of information and needs a culture change that starts at the top. [CBC] See also: [Information commissioner slams Alberta government for poor state of freedom of information]

CA – Despite SK OIPC’s insistence, Gov’t does not Release GTH Info

Saskatchewan’s Highways minister is defending his ministry’s record of providing information on its projects, despite not following Information and Privacy Commissioner recommendations or even reading the commissioner’s reports on his ministry’s actions. “I just think that our ministry has been very responsible and respective of the FOIs,” Dave Marit said. That’s despite the fact he told CBC he hasn’t read any of the Information and Privacy Commissioner’s five reports condemning his ministry on its handling of requests for information about the Global Transportation Hub. The Ministry of Highways has consistently dragged its feet on information requests — a fact the commissioner has pointed out time and again after CBC filed complaints about the delays. See OIPC reports from Nov. 9, 2016, Nov. 10, 2016, Jan. 5, 2017 and Jan. 17, 2017 ] Here’s a summary of those reports:

  • Nov. 9, 2016: Commissioner recommends the ministry release a land sale agreement with CP for property at the GTH. The ministry refuses to release the document.
  • Nov. 10, 2016: Commissioner finds the ministry was more than three months late in responding to CBC’s requests related to the GTH. He described the delays as excessive and a violation of the law. “Highways must take their obligations under FOIP [Freedom of Information and Protection of Privacy] more seriously. The Legislative Assembly has passed FOIP and I expect that ministries will comply with the laws passed by it. Highways has failed to do so,” he wrote.
  • Jan. 5, 2017: Ministry proposes to charge CBC $70,000 for a series of 13 information requests. The commissioner found the ministry failed to consult with CBC as it is required to do. He also found the ministry’s “excessive fee was an unreasonable barrier to access.”
  • Jan. 17, 2017: Commissioner finds the ministry had delayed its response to information requests in a way that “was unnecessary, inappropriate and unauthorized under FOIP.”

When asked why he hadn’t read any of the commissioner’s reports, Marit responded, “I guess that’s where I trust my deputy minister and my ministry staff to look after the FOIs.” [CBC | 3 strikes: Sask. government chastised again for handling of GTH document requests]

CA – OIPC AB Requires Disclosure of Former Employee Records

The Office of the Information and Privacy Commissioner in Alberta reviewed a decision by Children’s Services to deny access to records requested, pursuant to the Freedom of Information and Protection of Privacy Act. Disclosure of information relating to an Edmonton Police Service file involving the individual would not reveal information supplied in confidence by the police (the police service already disclosed some information to the individual), or harm relations between the public body and the police service. [OIPC AB – Order F2017-28 – Children’s Services]

CA – Unauthorized Disclosure of Images Penalized by Laws in Manitoba

A review of changes in common law and in statute in regards to cyber-bullying. Non-consensual sharing of intimate images creates a private right of action, empowering the courts to award damages to the plaintiff to amend humiliation and cyber-bullying acts; perpetrators can be held liable for invasion of privacy. A similar law in Nova Scotia has been found unconstitutional. [Cyberbullying and Revenge Porn – An Update on Canadian Law – Kristen thompson – CyberLex]

CA – BC OIPC Upholds Public Body’s Decision to Deny Parent Access to Child’s Records

The British Columbia Information and Privacy Commissioner reviewed an access request made to the Ministry of Children and Family Development pursuant to the Freedom of Information and Protection of Privacy Act and the Freedom of Information and Protection of Privacy Regulation. [OIPC BC – Order F17-04 – Ministry of Children and Family Development]

WW – Study: Large Teaching Hospitals More Likely To Suffer Data Breach

A study published by JAMA Internal Medicine found large teaching hospitals are more likely to suffer data breaches, SC Magazine reports. The study found 216 hospitals accounted for 257 of the 1,798 data breaches between Oct. 21, 2009 and Dec. 31, 2016. Most of the affected hospitals were discovered to be teaching hospitals. Larger teaching hospitals are more likely to be targets due to more individuals having access to private patient data and aging infrastructure. “Due to tight budgets, aging systems and rich confidential data, hospitals will continue to be victimized by targeted attacks in 2017,” Plixer International CEO Michael Patterson said. “To avoid falling prey, insured contractors should be leveraged to patch systems and audit cyber defenses.” [SC Magazine]

US – Twitter Sues DOJ Over Request For User’s Information

After receiving a summons from a Customs and Border Protection agent related to an account, Twitter is filing a lawsuit against the Department of Justice in order to protect the user from being revealed. The agent is ordering Twitter to turn over information regarding the @ALT_USCIS account, including usernames, account login, phone numbers, mailing address, and IP addresses. Twitter said revealing the user’s identity “would have a grave chilling effect.” Center for Democracy and Technology’s Emma Llansó said, “These tech companies have so much really personal information about all of us, and part of what we do when we give them this information is trust them to be stewards of it,” adding, “For Twitter to fight back against such a broad demand from the government to unmask is really significant.” [San Francisco Chronicle]

US – NY Attorney General’s Office Announces COPPA Settlement

The New York Attorney General’s office today announced a settlement with TRUSTe regarding its certifying of companies under the U.S. Federal Trade Commission’s COPPA safe harbor program. TRUSTe will pay a $100,000 fine and has agreed to make certain changes to its certification program. The case is a continuation of what the New York Attorney General calls “Operation Child Tracker,” which led to nearly $1 million in fines for four firms this past September. [IAPP.org]

Genetics

US – FDA Approves DNA-Test Company’s at-Home Genetic Diagnostic

The Food and Drug Administration has approved 23andMe to market its at-home genetic test allowing users to test their DNA for 10 diseases, like Parkinson’s or Alzheimer’s. While questions remain about the accuracy of these tests, proponents argue that they’re ultimately beneficial. “We’re moving as a society toward empowering people with health related information and this is, I think, a welcome step, along that journey,” said Harvard University geneticist, Dr. Robert Green. New York University bioethicist Art Caplan, however, who maintained the at-home tests could end up “frightening” consumers, said that “it’s also not clear what privacy people have and how well 23andMe could safeguard their test results, or even their actual samples,” the report adds. [NBC News]

Health / Medical

CA – Ontario Bill Amends FOI Legislation to Create Disclosure Exemptions for Medical Assistance in Dying

Bill 84, amending the Freedom of Information and Protection of Privacy Act and the Municipal Freedom of Information and Protection of Privacy Act and related to medical assistance in dying, is read and referred to the Standing Committee on Finance and Economic Affairs. The Freedom of Information and Protection of Privacy Act and Municipal Freedom of Information and Protection of Privacy Act are amended to provide that they do not disclose identifying information relating to medical assistance in dying; “identifying information” means information that identifies a person or facility or that could be utilized with other information, to identify a person or facility. [Bill 84 – Medical Assistance in Dying Statute Law Amendment Act, 2017 – 41st Legislature, Ontario]

CA – Retiring Doctors Must Notify Patients of Who Will Hold Their Health Records

The Information Protection Commissioner of Ontario has issued recommendations regarding medical records. To ensure the ongoing right of access, either before or shortly after their retirement, doctors and other health care providers must give patients notice indicating who will take over their practice or details on the specialized medical record storage facility where they will be transferred to. [IPC ON – Your Doctor Is Retiring – What You Should Know About Your Medical Records]

EU – OCR Leader: Agency Will Release Guidance on ‘Hot Button’ Privacy Issues

At the Health Care Compliance Association’s Compliance Institute, Iliana Peters of the Health and Human Services Office for Civil Rights said that the agency will prioritize guidance surrounding “hot button” privacy issues this year. She added that the OCR was wrapping up a round of audits and predicted that enforcement fines would increase in the future. In tandem with her talk, the HHS Office of Inspector General released “Measuring Compliance Program Effectiveness: A Resource Guide.” It covers the results of an “effectiveness roundtable” in collaboration with the Health Care Compliance Association in early 2017, and looks to “provide measurement options to a wide range of organizations with diverse size, operational complexity, industry sectors, resources, and compliance programs.” [WilmerHale]

Horror Stories

CA – McDonald’s Canada Jobs Web Site Hacked, 95,000 Affected

The home page of McDonald’s Canada .revealed that its career Web site — where job applicants leave their resumes — has been hacked. The personal information of approximately 95,000 restaurant job applicants has been compromised,” he company said in a statement.[see here] That covers anyone who applied online for a job between March 2014 and this month. “The personal information compromised was limited to applicant name, address, email address, phone number, employment background and other standard application information. Our application forms do not request highly sensitive personal information such as social insurance numbers, banking information or health information” the company said. Ann Cavoukian, head of Ryerson University’s Privacy and Big Data Institute, said “All sensitive documents that retain personal identification, especially in an employment context, should be encrypted In this day and age it is not a big deal to encrypt data. And it doesn’t matter that they don’t have the social insurance number [of applicants]. They have a lot of other sensitive information — their employment history, when they worked. Just because they don’t have your social insurance number or banking information doesn’t mean its not sensitive. Why not protect the data when you can do it so easily in this day and age?” In an interview Ira Nishisato, national leader of the cyber security and risk practice at the law firm Borden Ladner Gervais said Canadian law on an organization’s “standard of care” for personal information is still evolving. A court would likely look to best practices suggested by industry associations, he said. But he believes these days “encryption is expected” even if personal information doesn’t include social insurance numbers and the like. “If you fail to encrypt you’re at risk.” [IT World]

UK – Data From UK Parliament’s Staff Accidentally Published Online

The Independent Parliamentary Standards Authority has said that “extremely sensitive” information about an estimated 3,000 members of Parliament’s staff was accidentally published online for four hours before someone noticed the mistake, BBC reports. The information included salaries, work and vacation patterns and was accidentally uploaded to a version of the MP site soon to be archived, the report states. A Parliament spokesman said that a “small number” of people had viewed the information until the watchdog was alerted and the data removed. “An investigation is currently underway and we have notified the Information Commissioner,” the spokesman added. “We will be writing directly to all of those affected.” [BBC.com]

Identity Issues

US – NIST Extends Comment Period for Digital Identity Guidelines

The US National Institute of Standards and Technology (NIST) has extended by one month the deadline for public comment on part of its digital identity guidelines. Initially, comments were due by March 31, 2017, but the deadline has been extended to May 1, 2017 for the parent volume, SP 800-63-3 because of changes made to risk management and mitigation issues. http://trustedidentities.blogs.govdelivery.com | – https://gcn.com: NIST extends comment period for digital identity guidelines |

WW – ‘Internet Noise’ Website Helps Obscure Users’ Online Identity

Responding to Congress rolling back the Federal Communications Commission’s broadband privacy rules, a new website has launched to help make it difficult for anyone to collect browser data, Wired Reports. Internet Noise is a site designed to deliberately obscure a user’s online identity by repeatedly opening browser tabs going to random webpages. The site’s founder, Dan Schultz, accomplished this by Googling “Top 4,000 nouns” and implementing it into the site’s code. When a user clicks the “make some noise” button,” a new tab will generate every couple of seconds, functioning similar to Google’s “I’m Feeling Lucky” button. The site features another button to stop the process from occurring. While Schultz admits the site has been created mainly for awareness purposes, users have reached out to offer fixes in order to make it a more effective privacy tool. [Wired]

Law Enforcement

US – Prosecutors Post Data from Locked Phones of 100 Trump Protesters

Federal prosecutors are creating a cloud-based database full of personal data extracted from the locked phones of Trump protesters arrested on Inauguration day. Police seized the phones of more than 100 of those arrested. Although all of the devices were locked They want to make the data available to the lawyers of 214 defendants accused of felony rioting. According to court papers (PDF) prosecutors filed on Wednesday, the Feds are seeking an order from the court that would prohibit the defense lawyers from copying or sharing the information unless it’s relevant to defend their clients. If there’s one thing this case makes crystal clear, it’s that the authorities’ success in getting past Apple encryption [see here] goes well beyond the prolonged battle over the unlocking of Syed Farook’s iPhone following the San Bernardino shootings. In the case of the Trump protesters, government officials said they have search warrants to extract data from the phones. Arraignments are scheduled through early April. Follow-up hearings will start in mid-April. At that point, the judge will likely consider evidence-related issues and motions. [Naked Security]

US – ACLU Lawsuit Over Cop Confiscating Phone & Deleting Pics

ACLU of Louisiana filed a federal lawsuit [see 11 pg pdf here] alleging a Lafayette police officer improperly deleted cellphone photos a woman [Chelline Carter] had taken of her son in the back of police cruiser. The suit claims the officer told the woman she was breaking the law by taking pictures of “evidence,” then deleted those photos before handing the phone back to her ACLU of Louisiana Executive Director Marjorie Esman said citizens have a long-established First Amendment right to photograph police in a public place if they are not interfering with an officer’s duties and that law enforcement officers must have a warrant to access a cellphone. The lawsuit seeks damages, a court judgment declaring that the officer’s actions violated Carter’s rights and an injunction blocking police in the future from interfering with citizens who are photographing police and from seizing and searching their cellphones or other photographic equipment. [The Advocate]

CA – Fredericton Police Try on Body Cameras for 90-Day Test

Six Fredericton police officers started using body cameras Friday for a 90-day trial of the technology that could help increase public trust, the Deputy Chief Martin Gaudet says. He hopes the cameras will raise the public’s trust in the force, now that more police interactions with residents will be recorded. “We want to always continue to build public trust,” he said. “This is just another tool to help us in our investigations and in public transparency.” The Fredericton department also worked with the province’s privacy commissioner, the Office of the Attorney General and the city solicitor on the project. Once an officer hits record, the file is directly uploaded to encrypted cloud storage, where it can only be accessed by an authorized member of the force, which will be Staff Sgt. Paul Battiste. Battiste said he can only share a file with the courts if the person on the other end is authorized to receive it. The public can request access to footage by submitting a right to information request to the force by email. Battiste said the videos are stored based on the same policing standards that apply to any other information collected as part of an investigation. Officers cannot access the footage, edit or delete files, he said. People will be told that they are being recorded, and they cannot refuse, he said. To protect the privacy of people not connected to a case, videos will be redacted when necessary, “but the original file is always kept,” he said. [CBC News]

US – Taser to Provide Free Body Cameras To Police Nationwide

Stun gun company Taser has announced that it will offer free body cameras to all American law enforcement, and one year of access to the company’s cloud storage service. The organization added that it has changed its name to Axon to better reflect its range of products. “Our belief is that a body camera is to a cop what a smartphone is to a civilian,” said Axon CEO Rick Smith. “We believe, within 10 years, we can automate police reporting. We can effectively triple the world’s police force.” The move has raised some eyebrows, with University of California, Davis’ Elizabeth Joh speaking out against the “basic relationship” between a vendor and the police. “A tech vendor is making important decisions about policing,” Joh said. [Ars technica]

Location

US – Illinois Bill Restricts Processing of Geolocation Information by Private Sector

House Bill 3449, the Geolocation Privacy Protection Act, receives first reading: The Act takes effect upon becoming law. A private entity cannot generally process geolocation data from a location-based app unless the individual provides informed express consent; an aggrieved individual may file a civil action for damages. Exemptions from the consent obligation include location of a minor, a legally incapacitated person, or provision of emergency services; the general prohibition does not apply to healthcare or other providers subject to HIPAA, financial institutions or affiliates subject to GLBA, or a cable, Internet or telecom services provider. [House Bill 3449 – Geolocation Privacy Protection Act – 100th General Assembly, State of Illinois]

Online Privacy

US – Facebook Loses Appeal to Block Bulk Search Warrants

New York State’s highest court dealt a blow to Facebook and other social media companies seeking to expand privacy protections, ruling [see 74 pg pdf here] that Facebook had no right to ask an appellate court to quash search warrants ordering the company to hand over information from hundreds of accounts in a disability fraud case. The state Court of Appeals, in a 5-to-1 decision, with one judge recusing himself, upheld lower court rulings that New York law does not allow a social media company to appeal a judge’s decision to issue search warrants in a criminal case, even if the company believes those warrants violate the constitutional rights of its users. The Facebook case is part of a broader battle between the government and technology companies over the limits on law enforcement requests for data under the federal Stored Communications Act. Much of that fight is playing out in New York.. The case — known formally as In Re 381 Search Warrants Directed to Facebook Inc. — had been closely watched as a test as Facebook sought to expand its ability to fight what it sees as fishing expeditions by prosecutors. Several tech giants, including Google, LinkedIn, Amazon, Microsoft and Twitter, filed amicus briefs, as did the New York Civil Liberties Union. [NYT | New York’s top court rejects Facebook search warrant challenge]

US – NAI, DAA Launch New Version of Consumer Choice Tools

The Network Advertising Initiative and Digital Advertising Alliance have together launched new versions of consumer choice tools for interest-based advertising. Changes to the “NAI tool and DAA tool include an enhanced user experience, the ability for companies to easily disclose to consumers their use of both cookie-based and non-cookie technologies for digital interest-based advertising … and controls for users to opt-out of such use,” a press release states. “The tool is the first to offer a technology-based opt-out for both cookie-based and non-cookie technologies,” said NAI President and CEO Leigh Freund. “The improvements in this tool provide increased transparency into emerging data practices, regardless of technology,” added DAA Executive Director Lou Mastria. [NAI]

Other Jurisdictions

US – Pew Researches Future Of Online Anonymity, Fake News

The Pew Research Center has released a new report on the future of free speech, trolls, anonymity, and fake news online. “Many experts fear uncivil and manipulative behaviors on the internet will persist — and may get worse.” “This will lead to a splintering of social media into AI-patrolled and regulated ‘safe spaces’ separated from free-for-all zones. Some worry this will hurt the open exchange of ideas and compromise privacy.” The research also revealed that those surveyed believe anonymity has contributed to much of the “uncivil discourse” online, but such anonymity will likely get purged in the future, “setting the stage for governments and dominant institutions to even more freely employ surveillance tools to monitor citizens, suppress free speech and shape social debate.” [PEW Internet]

Privacy (US)

US – Data Localization Laws Tracked in USTR Trade Barriers Report

Barriers to digital trade have spread to such an extent that the Office of the U.S. Trade Representative analyzed how the topic is playing out in dozens of countries in its 2017 annual report on foreign barriers to trade. The 492-page U.S. Trade Representative annual report, released March 31, defined digital trade barriers as “restrictions and other discriminatory practices affecting cross-border data flows, digital products, Internet-enabled services, and other restrictive technology requirements.” The report tracked “data residency” laws, requiring companies to store certain types of data within a country’s borders, that have sprung up around the world. Two broad trends are emerging with data residency laws The first is the increasing emergence of data residency laws “that require private sector companies to store information locally”— with Russia’s law [see here] serving as the model for such private-sector aimed residency laws The second trend involves laws that require government data to be stored locally, Cohen said. Such laws can be found in China, Indonesia, Canada and Nigeria. Lothar Determann, a privacy partner at Baker McKenzie LLP in Palo Alto, Calif., told Bloomberg BNA that Data residency laws are often sold by government’s as “privacy and civil rights protection measures but they really have the opposite purpose and effect” in that they really just secure access to data for intelligence and law enforcement purposes [Data Residency Laws Tracked in Trade Barriers Report]

US – 4th Circuit Weighs in on “Injury-in-Fact” in Data Breach Cases

In Beck v. McDonald, the U.S. Court of Appeals for the Fourth Circuit joined at least five other circuits in analyzing whether mere allegations of future identity theft can establish injury-in-fact as required to confer Article III standing [see here]. There, the Court found that allegations of future harm were too speculative, particularly where there was no allegation or evidence that the confidential information was targeted or had been used fraudulently. The analysis aligns with distinctions made by other circuits between misplaced or stolen physical property cases, where the loss of confidential information is incidental, and cyberattack and hacking cases, where the thief’s intent to wrongfully use the information can be inferred. This ruling shows that district and circuit courts are looking at the allegations in data breach cases with care, and not simply assuming an injury just because plaintiffs’ confidential information has been compromised. Rather, the courts are looking at the particulars of the breach itself – physical property vs. data hack, allegations of actual fraudulent use or access vs. conclusory allegation of prospective harm – in determining whether plaintiffs have suffered injury-in-fact sufficient to confer Article III standing. [Data Protection Report | The Fourth Circuit Holds That Threat of Future Harm Is Insufficient To Confer Standing on Victims of a Data Breach]

US – Geek Squad Under Fire for ‘Cozy’ and ‘Extensive’ Links to FBI

When Best Buy customers need to retrieve lost data, stores from around the US send their computer equipment to a giant Best Buy repair shop in Brooks, Kentucky, for its Geek Squad techs to work on and, apparently, to search for child abuse imagery on behalf of the FBI. Unbeknown to customers, recent federal court documents claim, the [Best Buy] Geek Squad techs have been in a “cozy” secret relationship with the FBI, which over a few years has trained and paid them to search for child abuse imagery on computer equipment. Geek Squad employees have gone so far as to search unallocated space on hard drives – ie the place where forensics specialists use specialized software to find and retrieve deleted files. That’s what happened to Mark Rettenmaier. His house was subsequently searched, and Rettenmaier was indicted in November 2014 by a federal grand jury on two counts of possessing child abuse imagery. The case has dragged on. it’s looking like that image – and others like it – might not be permissible as evidence, given that the Geek Squad employees are accused of acting as government agents. That’s because government agents need to first get a warrant, based on probable cause, to search a computer. The government is facing multiple problems with its case against Rettenmaier. As pointed out by R Scott Moxley, a few weeks before Rettenmaier was arrested, federal judges ruled in a separate case that images found in unallocated space couldn’t be used to win a possession conviction, since there’s almost no way to figure out who put them there, who viewed them, or when/why they were deleted. A trial is tentatively scheduled to begin on June 6 in Santa Ana. [Naked Security]

US – Minnesota Police Obtain Warrant Asking Google to Identify People Who Searched for Man’s Name

Police in Minnesota are asking Google to identify people who searched for certain terms associated with a crime they are investigating. Edina police are working in a bank fraud case in which USD 28,500 was wired out of an individual’s account earlier this year. The perpetrator used a passport photo possibly obtained online. The warrant applies only to residents of Edina and only to searches conducted between December, 2016 and January 7, 2017. [Minn. Police seek data on who Googled a victim’s name | Minnesota judge signs a search warrant for personal information on anyone who Googled someone’s name | Judge Wants Google to Tell Cops Everyone Who Googled One Man’s Name]

US – Fourth Amendment Border Search Exception Should Not Apply to Digital Devices and a Probable Cause Warrant Should Be Required

Various advocacy group submit an amicus brief in support of an appeal by an individual (the “appellant”) of a denial of his motion to suppress evidence seized from his iPhone, which was searched at the U.S. border. The border search exception is intended to serve the narrow purpose of enforcing immigration and customs laws (which are enforced through inspection of physical documents, luggage, vehicles and persons); both manual and forensic searches of digital devices, containing vast amounts of highly personal information, are “non-routine” (in light of the CBP’s current use of sophisticated forensic tools that can be rapidly deployed at the border). [United States of America v. Hamza Kolsuz – Brief of Amici Curiae Electronic Frontier Foundation, Asian Americans Advancing Justice-Asian Law Caucus, Brennan Center for Justice, Council on American-Islamic Relations (CAIR), CAIR California, CAIR Florida, CAIR Missouri, CAIR New York, CAIR Ohio, CAIR Dallas/Forth Worth, and The National Association of Criminal Defense Lawyers in Support of Defendant-Appellant]

WW – Advocates Emphasize Risks of IoT and Request Algorithmic Transparency

Advocates submit their comments on cybersecurity to a U.S. Senate committee. IoT poses numerous risks to privacy (the vast quantity of data reveals a wealth of PI about consumers that can be used for secondary purposes, and many devices feature “always on” tracking technology) and security (current security risks are able to expand due to increasingly large array of networks in which to spread); algorithms are often used to make adverse decision about individuals (regarding employment, insurance and credit) who rarely know about the decisions, or whether those decision were fair or accurate. [Letter to U.S. Senate Committee on Commerce, Science, & Transportation’s Hearing on “The Promises and Perils of Emerging Technologies for Cybersecurity” – Electronic Privacy Information Center]

US – NY AG Settles with App Developers for Insufficient Privacy Notice

New York’s Attorney General has settled with Cardiio, Runstastic and Matis, three application developers for misleading marketing and privacy practices. The developers’ privacy policies were updated to request affirmative consumer consent to the privacy policy and to indicate the personal information that they process including, users’ GPS location, unique device identifier, possible re-identification of de-identified information. [A.G. Schneiderman Announces Settlements With Three Mobile Health Application Developers For Misleading Marketing And Privacy Practices – NY AG]

Privacy Enhancing Technologies (PETs)

WW – Splinter: Protecting the Privacy of Public Database Queries

Researchers from MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) have developed a system called Splinter that protects the privacy of users querying public databases by breaking the query into pieces to be handled by different but identical databases. As long as just one of the providers is trustworthy, the content of the query cannot be detected. Splinter employs a “cryptographic primitive” called Function Secret Sharing (FSS) that keeps the query private “unless all the providers collude” and does not make undue demands on system CPUs. The researchers presented a paper on Splinter at the USENIX Symposium on Networked Systems Design and Implementation in Boston earlier this week. [CompSci boffins propose scheme to protect privacy in database searches | Practical Private Queries on Public Data]

WW – Privacy Badger Surpasses 1M Users

The Electronic Frontier Foundation reports the Privacy Badger browser extension has surpassed 1 million users. The extension is designed to automatically block hidden third-parties tracking users’ browsing history. “With this milestone, the Privacy Badger team remains as committed as ever to end non-consensual browser tracking and promote responsible advertising. Although Privacy Badger blocks many ads in practice, it is more a privacy tool than a strict ad blocker,” the EFF blog post states. “Privacy Badger encourages advertisers to treat users respectfully and anonymously rather than follow the industry status quo of online tracking.” [EFF.org]

WW – Privacy-Focused AI Bot Warns Users When Posting Personal Data Online

A study published by researchers at the Max Planck Institute for Informatics in Germany outlines an AI-powered privacy tool designed to stop individuals from posting private information online. The Visual Privacy Advisor analyzes a user’s privacy preferences on their phone or computer, then alerts them whenever sensitive information, such as a medical prescription or bank account details, may be exposed when they post a picture onto social media. “Our model is trained to predict the user specific privacy risk and even outperforms the judgment of the users, who often fail to follow their own privacy preferences,” the researchers wrote in a recent paper. “In fact — as our study shows — people frequently misjudge the privacy relevant information content in an image — which leads to failure of enforcing their own privacy preferences.” [Vocativ]

US – If You Want a VPN to Protect Your Privacy, Start Here

On March 28 the House of Representatives voted to reverse FCC privacy regulations It’s a disappointing setback for anyone who doesn’t want big telecoms profiting off of their personal data. So what to do? Try a Virtual Private Network. It won’t fix all your privacy problems, but a VPN’s a decent start. A VPN is a private, controlled network that connects you to the internet at large. Your connection with your VPN’s server is encrypted, and if you browse the wider internet through this smaller, secure network, it’s difficult for anyone to eavesdrop on what you’re doing from the outside. VPNs also take your ISP out of the loop on your browsing habits, because they just see endless logs of you connecting to the VPN server. For a VPN to be any more private than an ISP, the company that offers the VPN needs to be trustworthy. That’s a very tricky thing to confirm. One solid indicator? Check whether the VPN keeps logs of user activity. Many privacy-focused VPNs are intentionally very up front about their no-log policies, because they want to make it clear to law enforcement groups around the world that even if they are served with a warrant or subpoena, they won’t have the ability to produce customer records. It’s worthwhile to specifically check a company’s Terms of Service to see what it says there about logging and scenarios where it would (or wouldn’t) disclose user information. A simple way to improve your chances of landing on a safe and well-meaning VPN is to pay for one. Free VPNs aren’t inherently bad, but all services have to make money somehow. [Wired | Post-FCC Privacy Rules, Should You VPN? | A VPN can protect your online privacy. But there’s a catch | Unblock-Us: Smart DNS And VPN For The Masses? | Protect your online privacy with the 5 best VPNs | VPN and maintaining corporate privacy | How to use a VPN: How to set up a VPN for secure, private browsing & access to blocked content | Make sure your VPN is setup correctly using a DNS Leak Tool | The actual privacy benefits of virtual private networks | Krebs on Security: To VPN or Not to VPN]

RFID / IOT

EU – Swedish Company Implanting Microchips in Employees

Swedish startup Epicenter has begun implanting microchips in employees’ bodies, allowing them to buy smoothies, open doors and manage printers via the device. Some employees are even hosting parties for those interested in getting chipped, the report states. However, the move is not without privacy worries, and some technologists warn that hackers can easily access the chips and gain a wealth of information from them. “Conceptually you could get data about your health, you could get data about your whereabouts, how often you’re working, how long you’re working, if you’re taking toilet breaks and things like that,” said microbiologist Ben Libberton. The ethical dilemmas will also grow, the more sophisticated chip programs become, the report adds. [The Associated Press]

WW – IoT Device Maker Shuts Down Customer’s Device After ‘Abusive’ Review

Denis Grisak, the creator of Wi-Fi-powered garage door opener Garadget, has come under fire after bricking a “toxic” customer who reviewed his product negatively after experiencing a technical difficulty. The consumer in question had posted to the Garadget message board seeking assistance for his difficulty over the weekend. Having not received an immediate response, he took to Amazon and gave the device a one-star review. Grisak responded, calling the poster’s language “abusive” and denying the user’s unit server connection. The dialogue sparked outrage on Twitter, leading Grisak to issue a statement arguing that the move wasn’t based off the review, but rather his desire “to distance from the toxic individual ASAP,” he said. [Ars Technica]

Security

US – If You Want to Stop Big Data Breaches, Start With Databases

Over the past few years, large-scale data breaches have become so common that even tens of millions of records leaking feels unremarkable. One frequent culprit that gets buried beneath the headlines? Poorly secured databases that connect directly to the internet. Any type of database can be left open or unprotected, a string of breaches over the last few years have all centered around one type in particular: open-source “NoSQL” databases, particularly those using the popular MongoDB database program. Memorable unprotected database breaches include the 2015 MacKeeper incident in which usernames, passwords and other data leaked for more than 13 million of the security scanner’s customers. In April 2016, security researcher Chris Vickery discovered an exposed database containing the full names, addresses, birthdays and voter registration numbers for all 93.4 million Mexican voters, which had been accessible online for seven months. Also in April, hackers stole user data for 1.1 million people from the insecure database of the dating website BeautifulPeople.com, and in October hackers compromised personal data from 58 million customers of the data storage firm Modern Business Solutions. And those are just some of the most publicized hacks. Unprotected databases are also trivial to find. Both criminals and researchers alike use network visibility tools like the search engine Shodan, which indexes internet-connected devices, to get a sense of how many exposed databases are out there. Currently searching “MongoDB” on Shodan reveals more than 50,000 exposed databases. They may or may not be vulnerable to attack, but simply being visible increases their risk. [Wired]

US – Pew Center Survey Finds Americans Lack Understanding of Cybersecurity Measures

According to a survey from the Pew Research Center, most Americans lack a basic understanding of online security measures. While most of the people responding to the survey were able to identify string passwords from a list and knew that public Wi-Fi is not safe, just one-third knew what HTTPS is and just one-tenth were able to identify two-factor authentication. The survey of 1,055 American adults consisted of a 13 question online quiz. The median score was 5.5. [Americans ignorant on cybersecurity, Pew poll shows | Most American Internet Users Have No Idea How to Protect Their Accounts | What the Public Knows About Cybersecurity ]

UK – Survey: UK Employees Among the Worst At Protecting Data

The Barclays Digital Development Index found U.K. employees were among the worst at protecting their data and devices. The survey placed the U.K. ninth out of 10 countries, finishing behind Brazil, China and South Africa. Among the issues cited by Barclays was the lack of digital skills in U.K. businesses. The survey found only 13% of U.K. employees use password-generating software, compared to 32% in both China and India, while only 41% change their passwords on a regular basis. Barclays found the majority of respondents store payment information on frequently visited websites. “Productivity and convenience are put above security,” said Glasswall Solutions Vice President Chris Dye. [Financial Times]

Smart Cars

US – Self-Driving Cars Will Collect Your Data — and Canada’s Privacy Commissioner is Concerned

At a hearing held by a Senate committee studying autonomous cars, Privacy Commissioner Daniel Therrien testified [see here] that cities, parking facilities, carmakers and other groups could be interested in data collected by vehicles. “There are probably hundreds of players, public or private, that can ultimately receive information from the car,” he told senators. He said his office is working on a Code of Practice for the automotive industry and also looking at online consent forms that Canadians tend to click through blindly. He said carmakers seem open to suggestions so far. Therrien said his office has received few complaints about autonomous or connected vehicles so far, as well as some complaints about GPS devices. Consumers generally don’t realize what they’ve agreed to in purchasing and setting up such devices, he said. “What we found in the investigation is that the consumer, the owner of the device, is rarely if ever well informed about who will get the information,” he said. [MetroNews | Appearance before the Senate Committee on Transportation and Communications (TRCM) on the Study on the regulatory and technical issues related to the deployment of connected and automated vehicles]

US – FTC and NHTSA to Explore Vehicle Privacy and Security Issues

The Federal Trade Commission (FTC) and National Highway Traffic Safety Administration (NHTSA) are co-hosting a workshop on June 28, 2017, to explore the privacy and security issues raised by automated and connected vehicle technologies. [see PR here] The agencies are looking to explore the types of data such technologies collect, store, transmit, and share; the potential benefits and challenges posed by the technologies; the privacy and security practices of vehicle manufacturers; the roles that federal agencies should play in regulating privacy and security issues; and how self-regulatory standards apply to connected vehicle privacy and security issues. In advance of the workshop, the FTC and NHTSA are seeking public comment on privacy and security issues. The workshop and the public comments present industry with a valuable opportunity to educate the agencies about the ways in which they have already been addressing privacy and security concerns and to provide the agencies with feedback regarding possible legislative and regulatory proposals.. Comments may be submitted through April 20, 2017. [HLDA]

US – For Privacy Sake Say No to NHTSA Vehicle-to-Vehicle Comms Rule

Comments on the National Highway Traffic Safety Administration‘s proposed vehicle-to-vehicle communications mandate are due on April 12. If approved, it will add around $300 dollars to the price of every car, or (at recent car sales rates) well over $5 billion per year. Despite the high cost, the NHTSA predicts the rule will save no more than 31 lives in 2025, mainly because it will do little good until most cars have it. The danger is not that it will cost too much per life saved but that mandating one technology will inhibit the development and use of better technologies that could save even more lives at a lower cost. All of the benefits claimed for the DSRC mandate assume that no other technology improvements take place. In fact, self-driving cars (which will work just as well with or without vehicle-to-vehicle systems) will greatly reduce auto fatalities, rendering the projected savings from vehicle-to-vehicle communications moot. A mandate that one technology be used in all cars also opens the transportation system to potential hackers. There is also a privacy issue: vehicle-to-vehicle also means infrastructure-to-vehicle communications, raising the possibility that the government could monitor and even turn off your car if you were doing something it didn’t like, such as drive “too many” miles per year. That’s a very real concern because the Washington legislature has mandated a 50% reduction in per capita driving by 2050. Oregon and possibly other states have passed similar rules. [CATO See also: Cars Would Be Required to Talk to Each Other Under U.S. Plan]

US – The Fourth Amendment and Access to Automobile ‘Black Boxes’

Most cars manufactured in the past three years come with event data recorders, sometimes known as “black boxes.” These devices are computers that record and store crash data in the event of an accident. A new Florida state court decision, State v. Worsham, considers an interesting question: How does the Fourth Amendment apply to government efforts to retrieve data from event data recorders? Worsham was in a terrible accident, and his car was impounded. Twelve days later, the police downloaded the data from the event data recorder without obtaining a warrant. Worsham has been charged with drunken driving and vehicular homicide, and the police want to use the data from the event data recorder to show Worsham’s guilt. The question is: Does the Fourth Amendment allow it? The Florida court divides 2-1. According to the majority, accessing the data is a search that requires a warrant. Because the police accessed the data without a warrant, the evidence must be suppressed. The dissent argues that people have no reasonable expectation of privacy in the data stored in event data recorders. Here’s my tentative take: This is a pretty tricky question based on current Fourth Amendment caselaw. Applying that caselaw, I would think that accessing the event data recorder was likely a search. On the other hand, it’s not obvious to me that it requires a warrant. [Washington Post]

Surveillance

CA – RCMP Reveals Use of Secretive Cellphone Surveillance Technology for the First Time

The RCMP for the first time is publicly confirming it uses cellphone surveillance devices in investigations across Canada. RCMP Chief Supt. Jeff Adam, who is in charge of technical investigations services, held an unprecedented technical briefing with reporters from CBC News, the Toronto Star and the Globe and Mail. The RCMP held the briefing in the wake of a CBC News investigation that found evidence that devices known as IMSI catchers may be in use near government buildings in Ottawa for the purpose of illegal spying. Public Safety Minister Ralph Goodale said the devices detected did not belong to any Canadian police or intelligence agency. Adam told reporters that while he isn’t “personally aware” of foreign agencies using the technology in Canada, “I can’t rule that out.” The RCMP and CSIS are now investigating. The RCMP says that MDIs — of which it owns 10 — have become “vital tools” deployed scores of times to identify and track mobile devices in 19 criminal investigations last year and another 24 in 2015. He says in all cases but one in 2016, police got warrants. The one exception was an exigent circumstance — in other words, an emergency scenario “such as a kidnapping,” said Adam, whose office tracks every instance where an MDI has been used by the RCMP. He said the RCMP’s devices are restricted in their use, with software that only allows them to identify a mobile device and to potentially track the location of that phone. “What the RCMP technology does not do is collect private communication,” Adam said. “In other words, it does not collect voice and audio communications, email messages, text messages, contact lists, images, encryption keys or basic subscriber information.” Adam conceded that until two months ago the RCMP itself failed to get express approval to use MDIs from Innovation, Science and Economic Development Canada (ISED, formerly Industry Canada), the government body responsible for regulating technology that might interfere with wireless communications. [CBC | RCMP acknowledges using phone trackers to collect Canadians’ cellular details | RCMP reveals its use of cellphone-tracking machines  | After years of secrecy, RCMP finally admits to using mass cell phone surveillance tools on Canadians | RCMP, CSIS launch investigations into phone spying on Parliament Hill after CBC story | Someone is spying on cellphones in the nation’s capital ]

US – Obama’s Rule Changes Opened Door for NSA Intercepts to Reach Political Hands

To intelligence professionals, the public revelations affirm an undeniable reality. Over the last decade, the assumption of civil liberty and privacy protections for Americans incidentally intercepted by the NSA overseas has been eroded in the name of national security. Today, the power to unmask an American’s name inside an NSA intercept — once considered a rare event in the intelligence and civil liberty communities — now resides with about 20 different officials inside the NSA alone. The FBI also has the ability to unmask Americans’ names to other intelligence professionals and policymakers. [in his final days in office, Obama created the largest ever expansion of access to non-minimized NSA intercepts, creating a path for all U.S. intelligence to gain access to unmasked reports by changes encoded in a Reagan-era Executive Order 12333.[see here] The government officials who could request or approve an exception to unmask a U.S. citizen’s identity has grown substantially. Executives in 16 agencies — not just the FBI, CIA and NSA — have the right to request unmasked information.] And the justification for requesting such unmasking can be as simple as claiming “the identity of the United States person is necessary to understand foreign intelligence information or assess its importance,” according to a once-classified document that the Obama administration submitted in October 2011 for approval by the Foreign Intelligence Surveillance Court. It laid out specifically how and when the NSA could unmask an American’s identity. [see here] But those directly familiar with the processes acknowledged the breadth of access today could be abused for political espionage or pure prurient interests, instead of just compelling national security interests. “There may be very good reasons for some political appointees to need access to a non-minimized intelligence reporting but we don’t know and given the breadth of unmasked sharing that went on, there is the strong possibility of abusive or excessive access that harmed Americans’ privacy,” said an intel source familiar with the data. Added another: “Wholesale access to unmasked incidental NSA intercepts essentially created the potential for spying on Americans overseas after the fact, which is exactly what our foreign intelligence arms are not supposed to be doing.” Perhaps the most consequential outcome of the new revelations is that it may impact the NSA’s primary authority to intercept foreigners: Section 702 of the Foreign Intelligence Surveillance Act is up for renewal at the end of the year. [Circa | See also: Obama Opens NSA’s Vast Trove of Warrantless Data to Entire Intelligence Community, Just in Time for Trump | National Security Agency Databases Open for Business | Obama Expands Surveillance Powers on His Way Out | E.O. 12333 Raw SIGINT Availability Procedures: A Quick and Dirty Summary | N.S.A. Gets More Latitude to Share Intercepted Communications | Trump to Inherit Vast Surveillance Powers ]

Telecom / TV

US – Legislators Vote to Undo FCC’s ISP Privacy Laws

The US House of Representatives has voted to undo the Federal Communications Commission’s broadband privacy rules, allowing Internet service providers to sell customers’ data, including browsing history, without obtaining their consent. This include browsing history. The Senate approved the change earlier this month. [House votes to repeal FCC privacy laws for ISPs]

US – Democrats Ask ISPs to Obtain Customer Consent Before Using Data

A group of senators have written a letter to seven broadband providers pressing them to obtain customers’ permission before using their data, despite the repeal of the Federal Communications Commission’s broadband privacy rules. The letter was sent by Sens. Ed Markey, D-Mass., Al Franken, D-Minn., Richard Blumenthal, D-Conn., Bernie Sanders, I-Vt., Ron Wyden, D-Ore., Patrick Leahy, D-Vt., and Chris Van Hollen, D-Md. In the letter, the senators ask the broadband providers to clarify whether they receive opt-in consent before using and sharing data and whether they use a pay-for-privacy strategy. “We … believe that broadband providers should follow strong privacy and security rules that give consumers control over how their information is used and shared, as well as confidence their information will be protected,” the senators wrote. [MediaPost]

WW – Ranking Digital Rights 2017 Corporate Accountability Index

The 2017 Ranking Digital Rights Corporate Accountability Index [see Index here, to watch the March 23 Index launch event see here] finds the world’s most powerful internet, mobile and telecommunications companies leave users in the dark, failing to disclose key information about policies affecting users’ rights. While some companies have improved since they were first evaluated in 2015, most of the world’s internet users do not receive adequate information about how companies’ policies affect what users can or cannot say online or who is tracking them. Ranking Digital Rights analyzed a representative group of 22 companies whose products and services collectively are used by over half of the world’s 3.7 billion internet users. It builds on the 2015 Corporate Accountability Index, which found widespread failure by companies evaluated to disclose key information about their policies and practices affecting freedom of expression and privacy. Selected findings are included below. [Ranking Digital Rights]

US Government Programs

US – Bipartisan Bill Aims to Rein in Warrantless Device Searches at Border

As promised by Sen. Wyden in February, a bill was introduced this week in Congress that would require U.S. Customs and Border Protection or other government agents to obtain a probable cause warrant before searching the digital devices of U.S. citizens and legal permanent residents at the border. Sen. Wyden (D-OR) and Sen. Paul (R-KY) are original sponsors of the Protecting Data at the Border Act in the Senate (S. 823), while Rep. Polis (D-CO), Rep. Smith (D-WA), and Rep. Farenthold (R-TX) are taking the lead on this issue in the House (H.R. 1899). US advocacy group EFF has been arguing for a while that the Fourth Amendment requires a warrant based on probable cause for border searches of cell phones, laptops, and other digital devices that contain gigabytes of highly personal information. EFF most recently made these arguments in an amicus brief before the U.S. Court of Appeals for the Fourth Circuit in the case U.S. v. Kolsuz. CBP unreasonably argues that the privacy interest travelers have in digital devices is no different than that of luggage or other physical items travelers may bring with them across the border, thus CBP applies to digital devices the traditional “border search exception” to the Fourth Amendment, which permits warrantless and suspicionless “routine” border searches. However, there is nothing “routine” about unregulated government intrusion into a device that contains, as the Supreme Court has said, “the sum of an individual’s private life.” As the bill’s findings state, the privacy interest in digital data “differs in both degree and kind from [the] privacy interest in closed containers.” In addition to the warrant requirement, the Protecting Data at the Border Act would prohibit the government from delaying or denying entry or exit to a U.S. person based on that person’s refusal to hand over a device passcode, online account login credentials, or social media handles to a border agent. [EFF] | Bill would block warrantless searches of Americans’ phones at borders | Lawmakers Move To Stop Warrantless Cellphone Searches at the U.S. Border | Lawsuit Seeks Transparency as Searches of Cellphones and Laptops Skyrocket at Borders | Digital Privacy at the U.S Border: A New How-To Guide from EFF]

US – Re-Introduced Federal Bill Would Require Vehicle Manufacturers to Protect Against Hackers

S.680, the SPY Car Act of 2017, was introduced in the US Senate and referred to the Committee on Commerce, Science and Transportation. Protection measures would include isolation of critical software systems from non-critical systems, evaluation of security vulnerabilities, and securing all driving data stored on-board or in transit; an opt-out from collection and retention of driving data must be provided to drivers without any impact on access to navigation tools, and information collected by vehicles cannot be used for marketing/advertising without express consent. [S.680 – SPY Car Act of 2017 – US Senate – 115th Congress]

US Legislation

US – GOP Votes to Destroy Online Privacy to Serve AT&T and Comcast

It’s hard to overstate what a blow to individual privacy this is. There is literally no constituency in favor of this bill other than these telecom giants. It’d be surprising if even a single voter who cast their ballot for Trump or a GOP Congress even thought about, let alone favored, rescission of privacy-protecting rules for ISPs. So blatant is the corporate-donor servitude here that there’s no pretext even available for pretending this benefits ordinary citizens. It’s a bill written exclusively by and for a small number of corporate giants exclusively for their commercial benefit at the expense of everyone else. But the inane idea that individuals should lose all online privacy protections in the name of regulatory consistency or maximizing corporate profits is something that is almost impossible to sell even to the most loyal ideologues. [The Intercept | Six Reasons FCC Rules Aren’t Needed to Protect Privacy | Clearing up the Senate’s confusion on FCC privacy rules]

US – Tennessee Bill Aims to Clarify Breach Notice Encryption Exemption

Tennessee’s 2005 breach notice law specifically provided an exception to providing notice if the breached data were encrypted. But in 2016, the law was amended to remove the specific exemption but still mentioned encryption as a means of protecting data. That change cast doubt for many on whether the breach notice encryption exception was still allowed under the Tennessee law. The new amendment [see S.B. 547 here] would reinstate the encryption language in the statute to remove any doubt that companies need not give breach notice of encrypted data, unless the encryption key was also breached. The bill helps remove a perceived disincentive to encrypt data, its sponsors said when introducing it. The bill would help harmonize Tennessee’s data breach notification standards with those of other states, Jason C. Gavejian, privacy attorney and principal at Jackson Lewis PC in Morristown, N.J., told Bloomberg BNA. In addition to exempting encrypted data from notification requirements, S.B. 547 would clarify that the 45-day time limit for providing notice of a breach could be extended “due to the legitimate needs of law enforcement.” [BNA]

US – New York’s ‘Unconstitutional’ Right to Be Forgotten Bill Sparks Concern

New York state politicians have introduced a right-to-be-forgotten bill that would require the removal of some online statements about others. To be exact, statements that are judged “inaccurate”, “irrelevant”, “inadequate” or “excessive.” New York Assembly Bill 5323 was introduced by David Weprin and as Senate Bill 4561 by state senator Tony Avella.. The bill would cover the following wide range of online publishers, running the gamut from search giants like Google all the way down to ordinary individuals like you and me: “search engines, indexers, publishers and any other persons or entities which make available, on or through the internet or other widely used computer-based network, program or service, information about an individual. Failure to comply would carry fines of at least $250/day, plus attorney fees. The bill contains no exception for materials of genuine historical interest Nor would it exempt autobiographic material, whether it’s found “in a book, on a blog or anywhere else.” Ditto for information on political figures or celebrities. How does the NY bill compare to Europe’s right to be forgotten? For one thing, the European Commission has made it clear that the courts meant for journalistic work to be protected when they passed the right to be forgotten judgment. In comparison, the NY bill is toddling into this contentious debate practically stripped of any exceptions at all for freedom of speech and with no signs that it’s been crafted to protect against censorship.[NakedSecurity | NY Legislators Looking At Installing A Free Speech-Stomping ‘Right To Be Forgotten’ | ‘Right to Be Forgotten’ Legislation Attempts Foothold in New York| N.Y. bill would require people to remove ‘inaccurate,’ ‘irrelevant,’ ‘inadequate’ or ‘excessive’ statements about others]

US – Dem Senators Reintroduce Cybersecurity Bills for Cars, Planes

Democratic Sens. Ed Markey (Mass.) and Richard Blumenthal (D-Conn.) are reintroducing two bills aimed at improving cybersecurity in automobiles and airplanes. “Whether in their cars on the road or in aircraft in the sky, Americans should be protected from cyberattack and violations of their privacy,” said Markey in a joint press release [see here] announcing the legislation on Wednesday. The Security and Privacy in Your Car (SPY Car) Act [see here] would require the National Highway Traffic Safety Administration and Federal Trade Commission to develop automotive cybersecurity and privacy standards. It also calls for a “cyber dashboard” rating system that would inform consumers how cars went above and beyond those standards. The Cybersecurity Standards for Aircraft to Improve Resilience (Cyber AIR) Act [see here] would introduce a bevy of new baseline standards for air carriers. [The Hill | Sens. Reintroduce Connected-Car Data Security, Privacy Bill]

Workplace Privacy

CA – Ontario Court Finds Company’s Substance Abuse Testing Practices Reasonable

The Court considers Amalgamated Transit Union, Local 113’s motion for an interlocutory injunction against random alcohol and drug testing by the Toronto Transit Commission. The policy requires all employees in safety sensitive positions (drivers and operators of the city’s public transportation), as well as senior management, to undergo random drug and alcohol testing; the procedure is non-invasive (includes a breathalyzer and cheek swab) and takes place in a secluded place, test results are not used in a manner inconsistent with the expectations of the person being tested, and there is little to no chance of flawed or false-positive results (a second swab is taken in the event of a dispute). [Amalgamated Transit Union Local 113 v Toronto Transit Commission – 2017 ONSC 2078 CanLII – Ontario Superior Court]

AU – Australian DPA Recommends Holding Employees and Contractors Liable for Data Breaches

The New South Wales Office of the Privacy Commissioner has issued recommendations to amend the Privacy and Personal Information Protection Act 1998 and Health Records and Information Privacy Act 2002. Proposed amendments to privacy legislation provide victims of privacy breaches with a right to complain against public or private employees and contractors, and to ensure organizations make contractual arrangements capable of binding contractors and any subcontractors for the proper handling of personal information; where organizations have adequate safeguards, employees should be added as respondents in the case. [DPA Australia – NSW informational Privacy Rights – Legislative Scope and Interpretation – Employer Employee and Agent Responsibilities]

+++

 

15-22 March 2017

Biometrics

CA – Canada Revenue Agency Can Collect Your Fingerprints

Did you know the Canada Revenue Agency can collect your fingerprints? Neither did the rest of us. All it takes now for someone to be fingerprinted is to be charged, but not necessarily convicted, of tax evasion. Toronto tax lawyer David Rotfleisch sees the CRA’s approach as problematic, for two reasons. First, “there are plenty of cases where someone accused of tax evasion will be acquitted.” Second, even when tax evasion charges are laid, they can be prosecuted either as a major or minor offence. The CRA’s approach means you’d get fingerprinted like a bank robber even if prosecutors decided your tax-dodging amounted to something more akin to getting caught with a bit of marijuana. Your fingerprints, taken by agencies like the RCMP and local police, would be recorded in Canada’s national police database at the Canadian Police Information Centre (CPIC). The CPIC database is accessible not only to all Canadian police officers but also some foreign law enforcement agencies, including the U.S. Department of Homeland Security and its border protection officers, said Rotfleisch. [Global News] See also: [ComputerWorld: It’s Time to Face the Ugly Reality of Face Recognition]

WW – Privacy-Enhancing Technologies Provide Advantages Over Traditional Biometric Systems

The International Working Group on Data Protection in Telecommunications has issued a paper on use of biometrics for online authentication. Biometric encryption and cancellable biometrics allow for the revocability of stored biometric data, and a remote biometric authentication protocol provides security if a user’s device or a server is compromised; organisations should ensure that systems securely store biometric templates locally, delete raw data once a template has been generated, and do not make biometric authentication a condition of service (non-biometric options should be available) [Working Paper on Biometrics in Online Authentication – International Working Group on Data Protection in Telecommunications – Guidance Document ]

US – House Oversight Committee Grills FBI Over Facial Recognition

The House Oversight Committee held a two-hour hearing exploring privacy and security issues around the deployment and use of facial recognition technology. Though the panel featured witnesses from government, industry, and civil society, much of the discussion turned on the FBI’s use of and access to nearly 412 million face images from various databases and its apparent difference of opinion with a Government Accountability Office report that was critical of the FBI program. Additionally, one specific concern among congressional lawmakers from both sides of the aisle was the FBI’s access to state driver’s license photos. [Privacy Tech]

WW – Beijing-Based Facial Recognition Startup Allows Users to Authorize Payments

MIT Technology Review released its list of 10 Breakthrough Technologies, including a startup located in a suburb of Beijing working on facial recognition technology used in several popular apps. Face++ technology allows Chinese citizens to make money transfers using only their face as credentials through the Alipay mobile payment app used by more than 120 million users. China’s most popular ride-hailing company, Didi, uses the Face++ software to allow passengers to confirm the person driving the vehicle is a legitimate driver. Face++, currently valued at roughly $1 billion, is gaining prominence as facial recognition technology becomes more popular within China, a country already possessing a large centralized database of ID card photos. “The face recognition market is huge,” said Peking University assistant professor Shiliang Zhang, adding, “Lots of companies are working on it.” [Technology Review]

Big Data

EU – MEPs Call for Stronger Considerations for Big Data Use

Members of the European Parliament are calling for stronger protections around the use of big data. The nonlegislative resolution was drafted by MEP Ana Gomes and discusses the increasing use of big data as well as the ways it impacts fundamental rights, specifically privacy and data protection. MEPs are hoping to minimize the amount of discrimination stemming from the use of big data, including in law enforcement investigations, and price differentiation among consumers. “It is not just a question of data protection. These algorithms do have a real impact on peoples’ private lives because they can actually provoke what is happening and they can actually call into question and put at risk our fundamental rights through social media,” Gomes said. The MEPs are also seeking better security measures, including privacy by design, mandatory privacy impact assessments and encryption. [Europarl]

UK – ICO Updates Big Data Advice for GDPR

In March 2017, the ICO issued an update to its 2014 Report on Big Data in light of the imminent implementation of the GDPR. The updated ICO report has added a focus on artificial intelligence and machine learning to its discussion of big data. The ICO argues it is the combination of the three that makes up ‘big data analytics’. The ICO looks at big data analytics from the GDPR perspective and provides practical guidance for compliance in its new report. Data accuracy and data quality are key issues raised in the updated Big Data report. If big data analytics is based on inaccurate data, machine learning algorithms may make decisions that are erroneous or unjustified. Businesses relying on big data analytics will need to ensure that they build discrimination detection into their machine learning systems to prevent discriminatory outcomes. The ICO provides six key recommendations for compliance with the GDPR: 1) anonymise personal data, where personal data is not necessary for the analysis; 2) be transparent about the use of personal data for big data analytics and provide privacy notices at appropriate stages throughout a big data project; 3) embed a privacy impact assessment process into big data projects to help identify privacy risks and address them; 4) adopt a privacy by design approach in the development and application of big data analytics; 5) develop ethical principles to help reinforce key data protection principles; and, 6) implement internal and external audits of machine learning algorithms to check for bias, discrimination and errors. [Global IP & Privacy Law Blog] [Out-Law] [Data protection report] See also: [National Magazine: The $4 trillion question: How can we protect online privacy without stifling innovation?]

Canada

CA – Federal Courts Extra-Territorial Application of PIPEDA

Earlier this year, a Canadian trial court ruled that Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”) has extra-territorial application and restricts the dissemination of personal information of Canadians, even where the information is already public, and even though it is made available from outside Canada. In “A.T. v. Globe24h.com et al.”, 2017 FC 114, the Federal Court applied Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) expansively and granted declaratory and injunctive relief against a Romanian national operating a Romanian-based website. This decision underscores the broad application that Canadian courts will give to PIPEDA in order to prevent the use and dissemination of personal information of Canadians. While Globe24h.com’s scheme to profit from the misuse of personal information was particularly offensive, the implications of this decision extend beyond the particular facts. Companies, regardless of the jurisdiction in which they are operating, that possess personal information of Canadians can expect to have their use of that information scrutinized for compliance with PIPEDA. [Data Protection Report]

CA – Privacy Commissioner investigating CBSA Over Electronic Media Searches

The Office of the Privacy Commissioner is launching an investigation into the way the Canada Border Services Agency searches the electronic devices of travelers at the Canadian border. The inquiry comes as concerns have arisen over whether the CBSA’s U.S. counterparts are also downloading data when searching through the devices. CBSA spokeswoman Line Guibert-Wolff said the agency does not collect statistics on device searches and would only collect data for “customs purposes.” While the CBSA states it is committed to balancing privacy with national safety, some are concerned about the border procedures. “There’s an enormous amount of uncertainty in what feels like a no-privacy zone,” said University of Ottawa law professor Michael Geist. “There’s a sense that customs officials are empowered to do whatever they see fit … But the lack of transparency associated with these processes is enormously disturbing.” [National Post]

US – Organizations Must Implement Security Measures to Protect Information When Employees Travel Internationally

A law firm has reviewed the options available to employers for protecting company data on personal devices when employees travel internationally. Possible solutions include policy directives development, and providing employees with phones that are wiped of all company information and full encryption of the information (although employees may be asked to provide the key just like any other option. [Border Searches May Compromise the privacy and Security of Company Technology – Taylor A. Gast – Foster Swift Collins and Smith PC]

US – Border Check Methods Have Privacy Advocates Concerned

While the U.S. borders have long been considered a constitutional “gray area,” privacy advocates and some in Congress are concerned that more aggressive stances bolstered by the Trump administration could lead to increasingly egregious privacy violations for travelers and immigrants. Instances of travelers stopped for lengthy secondary security checks, coupled with comments from some officials like Homeland Security Secretary John Kelly acknowledging that the administration wants to ask for social media passwords as part of visa applications, have increased concern, the report states. “There’s been bad cases in terms of the scope of privacy rights,” said the American Civil Liberties Union. [CNN]

CA – SCoC Throws Out Conviction Over Warrantless Search/Seizure

Is the smell of marijuana emanating from a home enough evidence to allow police to enter without a search warrant and uncover a trove of guns and illegal drugs? The Supreme Court of Canada, in a strong defence of privacy rights in the home, said no, dismissing convictions against Langley, B.C., resident Brendan Patterson, who was caught with four loaded guns and large stashes of cocaine, methamphetamine and ecstasy. Although two of the seven judges disagreed, the majority ruled in favour of the sanctity of the home. Writing for the majority, Justice Russell Brown pointed out in his judgment, police can enter a home without a warrant if there are “exigent circumstances” that make it impractical to get a warrant, if there is a need for urgency, or if there is a risk of evidence being destroyed or a risk to officer or public safety. But in this case, the officers stated they intended to destroy the evidence anyway, thereby removing that urgency, according to the judgment. “The police conduct, while not egregious, represented a serious departure from well-established constitutional norms” Brown wrote. Caily DiPuma with the BCCLA says the case sets an important precedent. “The BCCLA is very pleased that the court has clarified the law around no-case seizures and affirmed the sanctity of Canadians’ homes when it comes to police searches of their property” [CBC]

CA – CSIS Failed To Give Updates On Data Spying: Privacy Commissioner

When intelligence-agency analysts reported to federal privacy officials about their budding data-mining efforts they conceded the scale and scope of the early efforts would surely snowball over time, [and] they vowed to give formal, written updates to the Office of the Privacy Commissioner of Canada. This has not happened in the seven years since CSIS submitted its first Privacy Impact Assessment (PIA) in 2010 ”It’s the only PIA that we have received,” Privacy Commissioner Daniel Therrien said in an interview with The Globe and Mail on Thursday. In 2006, CSIS launched an initiative known as the Operational Data Analysis Centre. Details have lately emerged about failed followups and curious omissions related to ODAC that the spy service has had with judges, ministers and federal watchdog bodies. The Globe recently reported that, in 2012, CSIS analysts circulated a PowerPoint where they mulled how much could they enhance the efficacy of ODAC by obtaining “bulk datasets.” [The Globe and Mail]

CA – Drew McArthur Re-appointed Acting BC IPC

British Columbia has had no information and privacy commissioner since Monday March 13 when the acting commissioner’s appointment expired. A special committee of the legislature has been seeking a new commissioner after Elizabeth Denham resigned a year ago to take a similar role in England. On Thursday that committee reported that it had failed to come to a unanimous agreement on a new commissioner, and recommended that a new committee be appointed following the May 9 election. The report, signed by chair Sam Sullivan, also said the committee would like to thank “Drew McArthur for his continuing service as Acting Information and Privacy Commissioner during this time of transition, ensuring strong leadership and continuity for the Office of the Information and Privacy Commissioner.” “It’s our understanding that Acting Commissioner’s term expired on Monday, March 13. As to when a new Acting Commissioner will be appointed, as s. 39 notes, that is the responsibility of the Lieutenant Governor and Council.” The spokesperson said the work of the office had not stopped and they expected McArthur to be reappointed via an order in council [This was done Friday March 17] [The Tyee]

E-Mail

US – Federal Judge Rejects Google Class Action Deal Over Email Scanning

San Francisco federal judge Lucy Koh rejected a legal settlement that proposed to pay $2.2 million to lawyers, but nothing to consumers who had the contents of their email scanned by Google without their knowledge or permission. ”This notice is difficult to understand and does not clearly disclose the fact that Google intercepts, scans and analyzes the content of emails sent by non-Gmail users to Gmail users for the purpose of creating user profiles of the Gmail users to create targeted advertising for the Gmail users,” Koh wrote in her March 15 opinion. Any future settlement will presumably also have to do more to inform email users about Google’s scanning practices and, possibly, direct some of the settlement money to consumers instead of only the lawyers. Under the deal Koh rejected, Google would have paid $2.2 million to the attorneys, plus up to $140,000 in online ads to publicize the agreement. [Fortune] [Google Privacy Settlement Draws Fire in 9th Circ] [Ninth Circuit Hears Critique of Cy Pres in Google Privacy Settlement

CA – Two Important CASL Changes in Effect July 1, 2017

Canada’s anti-spam law (CASL) came into effect on July 1, 2014. Almost three years later, Canadian businesses and their lawyers are still grappling with CASL compliance issues and trying to understand how CASL’s broad and often unclear provisions apply in practice. And, on July 1, 2017, two new things happen under CASL. These are: 1) When CASL came into force in 2014, it included a 3-year transition period that allowed organizations to rely on deemed implied consent for sending commercial electronic messages (CEMs) in certain circumstances. That transition period, and the implied consent, expire on July 1, 2017 meaning organizations can no longer rely on this implied consent, and will have to remove those recipients from their mailing lists; and, 2) CASL’s private right of action comes into effect on July 1, 2017 CASL creates a statutory cause of action under which persons who allege that they are affected by a CASL breach can apply to court for an order against the alleged violator. Available remedies include compensation in an amount equal to the actual loss or damage suffered or expenses incurred, and additional amounts for different CASL violations (each with a maximum amount). For example, the court can award statutory damages of $200 per day for each breach of section 6 (the CEM obligations), not exceeding $1 million for each day on which a breach occurred. [DLA Piper Publications]

Electronic Records

UK – Study: NHS, Deepmind Made ‘Inexcusable’ Errors In Health Care Partnership

An academic report published in “Health and Technology” contends that Google’s AI subsidiary DeepMind had made “inexcusable” oversight and transparency errors analyzing medical data during its partnership with the U.K.’s NHS Royal Free Trust. While DeepMind had said at the beginning of the project that it would only access certain data, it was in fact allowed access to a wide range of sensitive health information, in some cases going back five years. Both the Royal Free Trust and DeepMind denied the study’s allegations, arguing that they had taken steps to protect data and inform the public on its work. However, study authors Hal Hadson and the University of Cambridge’s Julia Powles contend those moves aren’t sufficient, calling for the two groups to respond to their criticisms in a public forum.  [The Verge | HNS Deal with DeepMind: How Tech Could Outgun Privacy Laws]

UK – ICO Close to Concluding Investigation Into Deepmind-NHS Partnership

The U.K. Information Commissioner’s Office said it is close to finishing its investigation into consent complaints stemming from the patient data-sharing agreement between Google’s AI subsidiary DeepMind and Royal Free NHS Trust. DeepMind agreed to create an app, called Streams, using an NHS algorithm to alert to the risk of a person developing acute kidney injury. The data used for the app was obtained without permission, while 1.6 million medical records were said to have gone through DeepMind under the agreement. “We continue to work with the National Data Guardian and have been in regular contact with the Royal Free and DeepMind who have provided information about the development of the Streams app,” an ICO spokesperson said. “This has been subject to detailed review as part of our investigation. It’s the responsibility of businesses and organisations to comply with data protection law.” [TechCrunch]

EU Developments

UK – National Surveillance Camera Strategy Encourages Voluntary Adoption of Code of Practice

The UK Surveillance Camera Commissioner launched a national surveillance camera strategy for England and Wales. The strategy applies to the entire surveillance camera sector, which includes CCTV, body worn video, automatic number plate recognition, vehicle borne cameras, and drones; strategy objectives include enabling certification for manufacturers, installers, designers, and system operators, and make training requirements freely available for organisations operating or supporting surveillance camera systems. [Surveillance Camera Commissioner – A National Surveillance Camera Strategy for England and Wales] | Executive Summary | Press Release]

Facts & Stats

WW – People Who Identify as ‘Tech Savvy’ Are 18% More Likely to Suffer ID Theft

IT training specialist CBT Nuggets carried out some research among more than 2,000 people in the US to find out, with some intriguing results. People who self-identified as ‘tech savvy’ are 18% more likely to be victims of online identity theft than those who didn’t. Additionally, respondents with PhDs are more frequently victims than high school graduates. Plus Apple users are 22% more likely than Windows users to be victims of ID theft. That flips around with mobiles though, with Android users 4.3 times more likely to suffer ID theft than iOS users. When asked why they fail to follow basic security recommendations, 40% of Americans say it’s because they’re too lazy, find it to be too inconvenient, or don’t really care. This attitude is strongest among millennials at 53% and lowest among baby boomers at 29%. You can read more about the results on the CBT Nuggets blog [Beta News]

US – More Than 300 Data Breaches to Date in 2017

The latest count from the Identity Theft Resource Center (ITRC) reports that there have been 312 data breaches recorded this year through March 14, 2017, and that over 1.3 million records have been exposed since the beginning of the year. The medical/health care sector leads all sectors in the number of records compromised so far in 2017. The sector posted 25.3% (79) of all data breaches. The number of records exposed in these breaches tops 740,000, or about 57.2% of the 2017 total. The business sector accounts for more than 470,000 exposed records in 155 incidents. That represents 49.7% of the incidents and 36.4% of the exposed records so far in 2017. The educational sector has experienced 54 data breaches since the beginning of the year. The sector accounts for 17.3% of all breaches for the year and nearly 40,000 exposed records, about 3% of the year’s total. The government/military sector has suffered 19 data breaches to date in 2017, representing about 3.4% of the total number of records exposed and 6.1% of the incidents. More than 43,000 records have been compromised in the government/military sector. [247 Wall Street] [New York suffered a 60-percent increase in data breaches last year]

Finance

CA – Agency Monitors Social Media of Citizens Making Large Financial Transactions

The Financial Transactions and Reports Analysis Centre is monitoring the social media accounts of Canadian citizens who make large cash transactions, international wire transfers, or even if they hit the jackpot at a casino for potential money laundering and terrorist financing. FINTRAC states rules coming from those governing the agency allow it to monitor social media posts, but others feel the agency is too invasive. “One of the things about social media right now is it’s kind of the Wild West, because the technology has moved a lot faster than regulation and a lot of Canadians may not realize that their social media account is being used and viewed in this way,” said New Democratic Party MP Daniel Blaikie. “So, it does make sense to have a look at that and to ask whether or not there ought to be rules around how government uses information that’s available on people’s social media accounts.” [CBC News]

CA – Canadians Should Be Told If Their Banking Info Shared with IRS, says MP

NDP’s revenue critic Pierre-Luc Dusseault says informing Canadian residents their information is being sent to the IRS could prevent others from landing in the same predicament as Jeffrey Pomerantz, a Vancouver area man facing a $1.1-million lawsuit for failing to file a form reporting his bank accounts outside the U.S. Canada’s Privacy Commissioner Daniel Therrien has already recommended that Canadian residents be notified when their bank account information is transferred, Dusseault pointed out. In September 2016, the CRA shared information about 315,160 bank accounts — double the number it shared a year earlier in the first year of the agreement. While the government has no plans to inform people whose bank account information has been shared, those who want to know can contact their financial institution or the CRA, the Revenue Minister’s spokesperson Chloé Luciani-Girouard said The CRA will respond to any request to confirm whether information relating to a particular individual or entity has been reported and provided to the U.S. under FATCA. To date, fewer than 10 such requests have been received by the CRA,” she added. [CBC News]

FOI

CA – OIPC NFLD Warns Use of Personal Email Accounts for Public Body Business May Violate FOI Legislation

This OIPC guidance advises the public sector about the use of personal email accounts for public body business pursuant to the Access to Information and Protection of Privacy Act, 2015. In the absence of a clear prohibition, FOI legislation applies to the use of personal email to conduct such business; all public bodies should create a policy requiring use of its own email system for work purposes and make it a condition of employment. A personal email account, often web-based, is unlikely to meet the statutory security requirements; the terms of service for personal accounts may allow third-party access to content in a way that contravenes the law, and security features for webmail services may be inadequate. [OIPC NFLD and Labrador – Use of Personal Email Accounts for Public Body Businesses]

CA – University of PEI Creates New Access to Information Policy

University of Prince Edward Island UPEI says it’s playing catch up with other universities in Canada, and adopting a new policy aimed at making accessing information easier. However, unlike in every other province, colleges and universities on P.E.I. don’t have to follow provincial freedom of information legislation. And while UPEI has had its own personal information and privacy policy in place since 2004, its stated purpose isn’t to help people access information, but solely to “provide for the protection and privacy of personal information held by the University.” In comparison, the new policy — which takes effect in May — lays out a process on how to apply for information, and the circumstances where the university can withhold it. It also gives the responsibility to enforce the policy to a newly hired access to information and privacy officer. UPEI’s Student Union said it’s pleased to see the university creating an access to information policy, but as it’s been demanding for a few years, the union still wants to see P.E.I. colleges and universities included under the province’s Freedom of Information and Protection of Privacy Act. At this point, it’s not clear whether the P.E.I. government plans to add colleges and universities to its freedom of information act. [CBC News]

CA – PEI Municipalities, Post-Secondary Under FOI: Commissioner

Privacy commissioner Karen Rose says many towns, cities and post-secondary institutions in P.E.I. do have policies that cover information disclosure and protection, but they lack oversight by an independent commissioner. She says she will likely make a formal recommendation to government to place them under access of information law. Rose is set to deliver a number of recommended changes and updates to the freedom of information act as part of the Communities, Land and Environment committee’s ongoing review of the legislation. The review was spurred by a unanimous motion passed by the legislature last fall. Premier Wade MacLauchlan has repeatedly stated he will not make towns, cities and post-secondary schools subject to access to information law, despite the fact this has drawn criticism. [The Guardian]

Genetics

New Federal Law Prohibits Mandatory Employee Genetic Testing

Bill S-201, the Genetic Non-Discrimination Act has passed the House of Commons and the Senate, and awaits royal assent. An employee’s refusal to undergo or disclose the results of a genetic test cannot be used to dismiss, suspend, demote or lay off an employee, impose any penalty on an employee, refuse remuneration, or threaten to take disciplinary action against an employee; no individual can disclose to an employer that an employee had undergone a genetic test or the results of an employee’s genetic test without written consent. [Bill S-201 – An Act to Prohibit and Prevent Genetic Discrimination – Senate of Canada]

US – House Bill Would Circumvent Genetic Privacy Protections

On March 2, Rep. Virginia Foxx, R-N.C., introduced to the U.S. House HR 1313, the Preserving Employee Wellness Programs Act. The bill “includes findings that Congress seeks to protect and preserve employee workplace wellness programs,” and considers them to be a means of reducing health care costs. What’s notably missing “are findings that wellness programs are in any way at risk and requiring preservation. Even so, the bill proposes means of preserving wellness programs while weakening employee rights to privacy and confidentiality with respect to their genetic information.” This overview of the bill’s provisions highlights the effect it would have on protections put in place by the Genetic Information Nondiscrimination Act, the Public Health Service Act and the Americans with Disabilities Act. [Privacy Tracker]

Health / Medical

CA – Ont. Grad Student Issued $25K Fine for a Health Privacy Breach

A Masters of Social Work student who was on an educational placement with a family health team in Central Huron, has been ordered to pay a $20,000 fine and a $5,000 victim surcharge for accessing personal health information without authorization. This is the highest fine to date for a health privacy breach in Canada. The student pled guilty to willfully accessing the personal health information of five individuals. As part of her plea, she agreed that she accessed the personal health information of 139 individuals without authorization between September 9, 2014 and March 5, 2015. This is the fourth person convicted under the Personal Health Information Protection Act (PHIPA). Previous convictions include two radiation therapists at the University Health Network and a registration clerk at a regional hospital. [Information and Privacy Commissioner of Ontario]

CA – CHEO Employee Breached Privacy; 300 Patients’ Info Shared With Students

A former part-time instructor at Algonquin College and CHEO [Children’s Hospital of Eastern Ontario] employee shared the private information of 283 patients with students, prompting the end of their employment at the college and a privacy investigation at the hospital. The instructor, a CHEO employee, disclosed the medical information on handouts distributed during classes on Feb. 1 and 2. The handouts listed an operating room schedule “meant as teaching resources during class time.” The handouts were distributed “to teach future health professionals how to support surgeries in a hospital setting.” They revealed patients’ names, dates of birth, their CHEO medical registration number, their surgical procedure, their allergies, gender, age and any other pertinent information related to the surgery they were scheduled to receive at the hospital, CHEO said. [Ottawa Citizen]

Horror Stories

UK – Security Breach Fears Over 26 Million NHS Patients

The medical records of 26 million patients are embroiled in a major security breach amid warnings that the IT system used by thousands of GPs is not secure. The Information Commissioner is investigating concerns that records held by 2,700 practices – one in three of those in England – can be accessed by hundreds of thousands of strangers. The investigation centres on one of the most popular computer systems used by GPs SystmOne, owned by TPP see here]. Unbeknown to doctors, switching on “enhanced data sharing” – so records could be seen by the local hospital – meant they can also be accessed by hundreds of thousands of workers across the country. Phil Booth, from privacy campaign group medConfidential said: “This is a truly devastating breach which involves millions of patients’ GP records – for some, the most deeply personal, sensitive and confidential data about them – being exposed to hundreds of thousands of people, with no mechanism to prevent them if any of them chooses to look.” A TPP spokesman said practices using SystmOne must either “fully inform patients about who might be able to see their records, what parts of the their records and in what circumstances” or “turn off record sharing”. [The Telegraph]

Identity Issues

CA – BC Tribunal Grants Application for De-Identified Wage Records

The British Columbia Human Rights Tribunal considered an application to compel the disclosure of documents and anonymize information relating to a third party. There is no public interest in knowing the identity of a non-party individual who was a newly hired supervisor at the time of the plaintiff’s termination (disclosure may hinder his ability to negotiate his compensation with future employees, and harm his reputation); disclosure of the wages earned by an anonymized individual does not constitute an invasion of privacy. [Preik v. Finning Canada – 2017 BCHRT 47 CANLII – British Columbia Human Rights Tribunal]

Internet / WWW

IS – Israel Enacts Landmark Data Security Regulations

Culminating more than six years of back and forth negotiations, the Israeli Parliament approved extensive, far-reaching data security regulations March 21. The Privacy Protection Regulations (Data Security), 5777-2017, gives expanded powers to the Israeli Law, Information and Technology Authority and includes requirements for breach notification to ILITA and, in some cases, data subjects; data minimization; an information security officer; and privacy training, among others. “The regulations set forth a long list of requirements practically unprecedented around the world for their scope, level of detail, and legal effect,” writes Tene, and they will surely pose compliance challenges for many organizations operating in Israel. [Full Story]

Law Enforcement

CA – Montreal Mafia Stayed Charges Raise Questions of Privacy

When the RCMP announced the first batch of arrests resulting from an investigation dubbed “Project Clemenza” back in 2014, it proudly boasted the force had intercepted more than a million private cellphone messages through the use of wireless signal interception techniques. But now federal prosecutors are set to seek a stay of proceedings in the cases, a decision that is being linked back to those intercepted cellphone messages. Though the Crown is not required to divulge why it will cease prosecuting a case, it’s believed one of the factors behind the decision is the RCMP’s refusal to disclose how it was able to intercept the Blackberry messages in the first place. ”If that is the core reason, it’s a really serious problem,” said Christopher Parsons, a research associate with the Citizen Lab at the University of Toronto’s Munk School of Global Affairs. Across the country, Parsons said, law enforcement agencies are using devices known as “IMSI catchers” or as they’re called in Canada, “mobile device identifiers.” But police have been hesitant to release information about how the devices work, Parsons said. If the Project Clemenza cases had gone to trial, the Crown would have had to reveal the full extent to which the RCMP relied on the devices, exposing the technique to defence lawyers rightfully trying to determine exactly how accurate and reliable they are. [Montreal Gazette] [RCMP Fights to Keep Lid on High-Tech Investigation Tool]

Online Privacy

US – Twitter Releases Its Latest Transparency Report

Twitter released its 10th Transparency Report, highlighting a couple of new additions. One of the new sections in the U.S. report covers the social media network’s ability to shed light on national security letters after the FBI lifted the gag order on the requests. Twitter also added a section covering requests to remove content from journalists and other media and news outlets. “The need for transparency into government and company actions has never been more important given the current climate of continued crackdowns on freedom of expression and limitations on citizens rights around the globe,” the announcement read. “On the positive side, it has been encouraging to see transparency reports become a mainstay of the technology industry, with more than 60 reports now in existence.” [Full Story]

Privacy (US)

US – 3rd Circuit Upholds Contempt Ruling for Man Who Didn’t Unlock Devices

On March 20 the U.S. Court of Appeals for the Third Circuit held that a court order compelling a suspect to decrypt his laptop and hard drives did not violate his right against self-incrimination. The appeals court decision affirmed a civil contempt order against a John Doe defendant, who refused to provide law enforcement with passwords to some of his devices while doing so for others. Under the “foregone conclusion” doctrine, the Fifth Amendment didn’t come into play because much of the evidence law enforcement wanted they obtained themselves, according to the decision. That included images found on the devices Doe did provide passwords for, images uncovered through forensic investigations, and through testimony provided by Doe’s sister, who said he showed her hundreds of the images. Judge Thomas Vanaskie wrote in the Third Circuit’s opinion: “Based on these facts, the magistrate judge found that, for the purposes of the Fifth Amendment, any testimonial component of the production of decrypted devices added little or nothing to the information already obtained by the government. The magistrate judge determined that any testimonial component would be a foregone conclusion. The magistrate judge did not commit a clear or obvious error in his application of the foregone conclusion doctrine.” An attorney with the Electronic Frontier Foundation, Mark Rumold, said the Third Circuit’s ruling was a lost chance to dive deeper into the interplay between the Constitution and technology. “The court missed the opportunity to clarify that the Fifth Amendment prohibits the government from forcing someone to disclose a password to a device, whether that’s by announcing it in court or entering it into the device itself.” [Legal Intelligencer]

US – Drones: Advocacy Group Challenges FAA Order in Federal Court for Unlawfully Failing to Include Privacy Hazards

An advocacy group has submitted a petition for review of the Federal Aviation Administration’s June 2016 drone order. Privacy concerns were raised by 180 commentators prior to the issuance of the final order, and the FAA itself previously underscored the need for privacy protections in its letters to Congressional representatives, requests for public comment and comprehensive plan; there are substantial threats to privacy posed by increased drone operations in the U.S. (small drones are capable of widespread covert surveillance due to their small size and low flight path, and lack cybersecurity safeguards to prevent being hacked. [Electronic Privacy Information Center v. Federal Aviation Administration – On Petition for Review of an Order of the Federal Aviation Administration – Brief For Petitioner – In The United States District Court Of Appeals District Of Columbia Circuit]

US – FTC, NHTSA to Host Workshop on Connected Vehicles

The Federal Trade Commission will team up with the National Highway Traffic Safety Administration to host a workshop on the consumer privacy and security issues raised by automated and connected motor vehicles. The workshop, taking place June 28 in Washington, will feature opening remarks by Acting FTC Chairman Maureen Ohlhausen and bring together stakeholders, consumer advocates and government regulators. Topics will include the types of data collected, stored, transmitted, and shared by vehicles; the potential benefits and challenges posed by data collection; the privacy and security practices implemented by vehicle manufacturers; the FTC, NHTSA, and other government agencies’ role in monitoring the privacy and security concerns surrounding connected vehicles; and self-regulatory standards that could factor into those privacy and security issues. [FTC]

RFID / IoT

US – Secrets from Smart Devices / IoT Find Path to US Legal System

Vast amounts of data collected from our connected devices—fitness bands, smart refrigerators, thermostats and automobiles, among others—are increasingly being used in US legal proceedings to prove or disprove claims by people involved. Trying to come to grips with data collected, stored and analyzed by all these devices can be daunting. “When one looks at the expectation of privacy today it is radically different than it was a generation ago,” said Erik Laykin, a digital forensics specialist with the consultancy Duff & Phelps and author of a 2013 book on computer forensics. “Privacy is dead.” He said the “always on” nature of “internet of Things” devices means huge amounts of personal information is circulating among companies, in the internet cloud and elsewhere, with few standards on how the data is protected or used. “The net result of these technologies is that we are forgoing our personal privacy and our personal autonomy and even sovereignty as humans and relinquishing that to a combination of state, harvesters of big data, omnipresent institutions and systems.” John Sammons, a Marshall University professor of digital forensics and a former police officer He presented research on use of connected cars this year at the American Academy of Forensic Sciences, saying newer vehicles with improved connectivity offer “a significant new source of potential evidence” for both criminal and civil litigation. Privacy activists meanwhile worry that these devices can unleash new kinds of surveillance without the knowledge of users, and that the legal system must define limits for constitutional protections against unreasonable searches. Jay Stanley of the American Civil Liberties Union’s Speech, Privacy, and Technology Project, said gathering data from connected speakers such as the Amazon Echo should face the same standard as wiretaps, which need a warrant from a judge based on probable cause of a crime, rather than a more streamlined law enforcement subpoena. “In your house you should have absolute privacy,” Stanley said. One gray area in the law is that conversations recorded on home speakers may be sent to the cloud; in that case the holding of the data by a “third party” may wipe away constitutional privacy protection. “We think there needs to be jurisprudential and legislative means of addressing these issues,” Stanley said. “The privacy invasions are so significant.” [Phys.Org] See also: [A deep dive into FTC’s first smart TV action]

Security

US – Advocates Provide Recommendations for Physical Destruction or Overwriting of Data

A U.S. Privacy advocacy group has issued guidelines on the safe destruction of personal information. According to the CDT guidelines, organizations should establish a data life-cycle that includes requirements for regular disposal of unnecessary data and review how often data has been accessed or used to determine what can be disposed (criteria include data that is redundant or owned by employees no longer with the company); deletion requests should be logged so regular audits of deletion practices can be performed to provide a basis for companies to modify their deletion schedules as necessary. [Should It Stay or Should It Go – The Legal Policy and Technical Landscape Around Data Deletion – – Centre for Democracy and Technology | Press Release]

US – Department of Defense May Require Physical Access to Cloud Computing Data Centers

The U.S. Department of Defense (“DoD”) issued updated FAQs on the implementation of the rules regarding network penetration reporting and contracting requirements for cloud services. Updated FAQs on security requirements for contracts involving “covered defense information” (e.g., unclassified information that requires safeguarding or dissemination controls pursuant to laws, regulations, or government-policy) state that such contracts must include a requirement that the DoD may physically access cloud computing data centers where necessary to conduct a forensic analysis; DoD will not normally require physical access if the cloud service provider captures, preserves and protects images and the state of all systems known to be affected by a cyber incident. [Network Penetration Reporting and Contracting for Cloud Services – FAQs – Department of Defense] See also: [FTC releases video on its alignment with the NIST Cybersecurity Framework]

Surveillance

UK – Surveillance Cam Commissioner Unveils New Three-Year Strategy

UK Public Faces Mass Invasion of Privacy As Big Data And Surveillance Merge: Surveillance camera commissioner, Tony Porter, has launched a new three-year strategy. He said he was alarmed by the way overt surveillance from CCTV, body cameras and drones could become even more invasive than intended as captured images of people are brought together with advances in facial recognition and then compared against other monitored data about individuals and their movements. “What most worries me is the impact of big data and integration of video surveillance” he said. As an example, he warned that the Metropolitan police was playing “fast and loose” with citizens’ data by its failure to delete number-plate records beyond a two-year limit. The database of millions of vehicle number plate records has been retained since the London Olympics in 2012. Porter’s new strategy points out that an overwhelming majority of people currently support the use of CCTV in public places. But he questions whether this support can continue because of the way surveillance is changing. Porter said part of his new strategy would set a “tripwire” to warn authorities about the privacy impact of new technology. In recent weeks Porter has expressed alarm about the proliferation of body-worn video, notably in hospitals, and by the way the security contractor G4S was using it in the homes of asylum seekers without their consent. [The Guardian] [New strategy to curb officials’ drone, phone and CCTV snoop jollies

US – Trump’s Wiretap Accusations Renew Debate About Privacy

Elizabeth Goitein, a director of the liberty and national security program at the Brennan Center for Justice who has no sympathy for Mr. Trump’s policies, believes his clumsy comments on wiretapping, even if not true, should be an opening for a broader discussion of government surveillance and American privacy. She is among the civil libertarians who believe Mr. Trump’s critics have been too quick to dismiss the real possibility that the National Security Agency or F.B.I. might actually have picked up Trump campaign communications under eavesdropping rules that civil libertarians see as too permissive. “I don’t think we can laugh it off,” she said. When the libertarian Senator Rand Paul, Republican of Kentucky, used the Trump claims to suggest a broader concern about privacy, Glenn Greenwald, a left-wing writer for the online publication The Intercept, backed him up in a column titled “Rand Paul Is Right.” “Paul’s explanation is absolutely correct,” Mr. Greenwald wrote. He said that the National Security Agency “is empowered to spy on Americans’ communications without a warrant,” calling current procedures a violation of the Fourth Amendment and “the dirty little secret of the U.S. Surveillance State.” What these odd political bedfellows were pointing out is a truism inside the intelligence world but less understood outside it: When the National Security Agency or the F.B.I. eavesdrop on foreigners’ communications, they often pick up the Americans who are talking to them. National Security Agency and F.B.I. officials call this “incidental” collection, but it can have serious consequences. There is also the possibility of what is called “reverse targeting” — say, eavesdropping on Mr. Kislyak, ostensibly to find out what the Russian ambassador is up to — but with the real goal of catching Mr. Flynn. Reverse targeting is prohibited by law, but Ms. Goitein points out that it is difficult to prove because it requires showing what was in the eavesdropper’s mind. The volume of communications available for searching can be mind-boggling. In 2011, the National Security Agency collected and stored 250 million internet communications from a single program, known as Section 702, according to a report from the government’s Privacy and Civil Liberties Oversight Board. In 2015, the same program targeted more than 94,000 foreigners — and carried out more than 23,000 searches of its data for “U.S. persons,” meaning citizens or permanent residents. Many Americans inevitably turn up in the data, either because they are communicating with a foreigner or are mentioned in a foreigner’s messages. [New York Times]

US Legislation

US – Indiana Proposes Restrictions on Automated License Plate Readers

House Bill 1558, an act to amend the Indiana Code concerning criminal law and procedures, and relating to the privacy of license plate information, was introduced in the General Assembly of Indiana: the Bill was referred to the Committee on Veterans Affairs and Public Safety. License plate data captured by an automated reader can only be used for law enforcement investigations and cannot be retained for longer than 30 days unless it was obtained under a warrant, or the investigation is ongoing; law enforcement agencies must maintain staff that is properly trained in the use and maintenance of all software and hardware related to captured data, and establish and implement protocols that allow for compliance with warrants, subpoenas, court orders, and written requests for disclosure. [House Bill No. 1558 – An Act to Amend the Indiana Code Concerning Criminal Law and Procedure – Legislature of the State of Indiana]

US – Kentucky Supreme Court to Weigh Privacy Concerns With License Plate Readers

The Kentucky Supreme Court will consider whether license plate readers can be used for traffic stops. A Burlington man contends he was unlawfully arrested when his plate was caught by a tracker. A police officer followed the man, despite the fact no moving violation had been made, after it was found he failed to appear for a misdemeanor charge for writing a bad check. The man was arrested for drunken driving. The cameras can capture up to 60 plates a second, across four lanes at speeds up to 150 mph. Law enforcement officials say the readers help police identify stolen cars and find missing people, while privacy advocates believe the readers are a potential tool for mass surveillance. [The Courier-Journal]

+++

 

 

 

01-14 March 2017

Big Data

US – Privacy Pros and the Ethics of Big Data Tech

Uber has created a controversial program to allegedly evade law enforcement and regulation of its services. Called “Greyball,” the program leveraged information collected by Uber’s app with several other techniques to identify potential law enforcement and regulatory officials, including by geofencing offices, scraping publicly available social media posts, and identifying credit card information linked to law enforcement. Though many of these practices might not have violated the law, they are, at the very least, ethically dubious. The news is part of a larger trend whereby technology, and its corresponding surveillance capabilities, has the power to isolate groups or individuals for exploitation. Privacy Perspectives looks into the trend and the important role privacy pros can play curbing these practices within their organizations. [Privacy Perspectives]

WW – MIT Researchers Create System to Protect Privacy in Data Analytics

A group of researchers from the Data to AI Lab at the MIT Laboratory for Information and Decision Systems released a paper detailing a machine learning system designed to create synthetic data to help data scientists access data without compromising privacy. “Once we model an entire database, we can sample and recreate a synthetic version of the data that very much looks like the original database, statistically speaking,” said Principal Research Scientist Kalyan Veeramachaneni. “If the original database has some missing values and some noise in it, we also embed that noise in the synthetic version. In a way, we are using machine learning to enable machine learning.” [MIT News]

US – FTC Hosts FinTech Forum on AI and Blockchain Technologies, Summary

The FTC hosted a forum on the consumer implications of recent developments in artificial intelligence (AI) and blockchain technologies. This is the second of two entries on the March 9 FinTech Forum. Today’s post focuses blockchain technologies. Coverage of the opening remarks and the AI discussion may be found here. The panel discussions on blockchain technologies reflected the nascent stage of the technology, with industry representatives expressing confusion over the applicability of current regulation, and regulators expressing a lack of clarity over jurisdictional questions. The panelists all agreed that there was a great need for education on blockchain technologies—for consumers, regulators, and even large financial institutions. The panelists urged interested parties to begin educating themselves now so that they could be positioned to develop effective policies and practices when appropriate. Video and transcripts from the forum will be available here. [HLDA Data Protection]

Canada

CA – OPC Writes to the Ministers of Justice, Public Safety and Defence Calling for Greater Protection of Canadians’ Privacy Rights in The U.S.

The Privacy Commissioner of Canada has been asked by concerned Canadians to consider the implications of President Donald Trump’s Executive Order excluding non U.S. citizens and lawful permanent residents from the protections of the U.S. Privacy Act regarding personally identifiable information. Commissioner Daniel Therrien concluded that Canadians have some privacy protection in the United States, but that protection is fragile because it relies primarily on administrative agreements that do not have the force of law. Therefore, the Commissioner has called on Canadian government officials to ask their U.S. counterparts to strengthen privacy protections for Canadians. In the following letter, the Commissioner urged the Canadian federal government to ask the United States for Canada to be added to a list of designated countries under the Judicial Redress Act, which would extend certain judicial recourse rights established under the U.S. Privacy Act to Canadians. [priv.gc.ca]

CA – Canada, U.S. Talk Data Sharing

Homeland Security chief, John Kelly met March 10, 2017 with his Canadian counterpart Ralph Goodale, minister of Public Safety and Emergency Preparedness [see here], in a follow-up to a cross-border preclearance and data-sharing agreement signed a year ago  They talked about two pieces of legislation making their way through parliament that would increase biographic data sharing [Bill C-21 see here] and establish more preclearance facilities [Bill C-23 see here] in each other’s countries. [FCW]

CA – Whether Sending Threatening Emails or Youtube Videos, There’s No Anonymity Online

Carmi Levy, a tech analyst for CTV Bell Media, said in an interview with the Montreal Gazette “I’d be surprised if it took the cops more than 15 seconds to pinpoint this suspect and send the cruisers his way Anonymity and privacy no longer exist online and this should be a case study that anyone should think twice about doing something similar. If you think you can go online and be completely anonymous, you’ve got another thing coming. Truth of the matter is that everything we do online can and will be tracked. It is ridiculously easy for law enforcement to find out where we are.” Levy stressed that even though threatening emails may have refocused the spotlight on the Internet’s lack of actual anonymity, that same spotlight shines on every computer 24/7 no matter what it’s being used for. [Montreal Gazette]

CA – Proposed Security Oversight Committee ‘Shadow’ of What it Should Be, Opposition Says

Bill C-22, “An Act to establish the National Security and Intelligence Committee of Parliamentarians and to make consequential amendments to certain Acts,” comes up for debate this week. The government has already given notice it will reject opposition amendments that would have given the new committee powers to subpoena information and to stay on top of ongoing police investigations, and to make it more difficult for ministers to refuse to turn over information. During the 2015 election campaign, the Liberals also promised to repeal the “problematic elements” of bill C-51, the previous government’s anti-terrorism bill and introduce legislation that “better balances our collective security with our rights and freedoms.” The new oversight committee was to be at the heart of that balancing act. While the government plans to reject the opposition amendments, it is amending the bill to increase the number of members from nine to 11. If the bill becomes law, the committee would consist of eight MPs and three senators. [CBC]

CA – Comment: Security-Agencies Oversight Legislation Lacking

Canada’s three core security and intelligence agencies spend nearly $4 billion a year, employ 34,000 people and, since Liberals and Conservatives voted to pass Bill C-51, wield unprecedented powers to investigate and disrupt suspected threats. And yet Canada stands alone amongst our G7 peers in lacking parliamentary oversight of these powerful agencies To plug this gap in oversight, a proposal [Bill C-22 see here ] now before Parliament would give a committee of Top Secret-cleared MPs and senators access to classified information to oversee and investigate the security and intelligence activities of any government agency. parts of this plan sparked controversy in Parliament and raised red flags for security experts [on issues like: lack of independent oversight, gov’ts prerogative to withhold information and gov’ts prerogative to shut down investigations entirely] Why pursue such a weak oversight model? Part of the answer is the government’s plan isn’t new: In fact, the bill is cut and pasted from a 2005 initiative of the Paul Martin government. [Times-Colonist | Make sure security oversight is strong: Editorial | Give Parliamentary committee a chance to shine | New National Security Oversight committee likely to cost more than any other House or Senate security committees | Real Oversight Needed for Law-breaking National Security Agencies | Appearance before the Standing Committee on Public Safety and National Security (SECU) on Bill C-22 An Act to Establish the National Security and Intelligence Committee of Parliamentarians ]

CA – Critivcs Say B.C. Government’s Proposed Duty to Document Law is ‘Inadequate,’ ‘Pathetic’

The B.C. government is proposing a law requiring public servants and politicians to write down the reasons for their decisions, but it falls well short of what was asked for by the province’s independent information watchdog. The change comes after a scathing report last year [see here & here] into how government officials were “triple-deleting” emails to scrub them permanently from systems so they wouldn’t turn up in responses to freedom of information requests by the public and media. De Jong consulted with B.C.’s acting information and privacy commissioner, Drew McArthur, who asked for the law to give him oversight powers into any “duty to document” rules. Instead, the proposed legislation gives oversight to the chief records officer, and makes the changes under an act that McArthur, an officer of the legislature, can’t oversee. Still, he [McArthur] called the bill “a good first step.” [The Province]

CA – Feds Set to Regulate Reporting of Digital Data Breaches

Canadian companies will soon be legally required to file a report with the Office of the Privacy Commissioner (OPC) when they experience a network breach that compromises personal data. Companies will also be required to notify all those affected by the breach: employees, customers and relevant third parties. Companies that fail to comply could face fines of up to $100,000. Breaches that require notification are, according to the Digital Privacy Act [see here ], instances that pose “real risk of significant harm to affected individuals.” This definition includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss and identity theft. Many companies will have to update their systems and invest in new technologies to meet these standards. That might seem like a costly investment, but if you don’t have the right tools, tracking down a breach and figuring out what happened can take a massive financial toll, along with drawing resources away from more important projects. [Canadian Manufacturing]

CA – BC Liberals Spied on NDP Youth Meeting, Eby Charges

When the British Columbia NDP hosted a youth meeting [10 young people, many of them minors] on housing on the weekend, they had an unexpected guest recording the proceedings — a BC Liberal caucus researcher. These young people had organized a discussion about politics for youth in a multipurpose room at their local community centre, yet a government employee showed up posing as a young New Democrat She then secretly recorded these youths, using a cell phone she tried to hide on her lap” NDP housing critic David Eby said in the legislature Eby said he believes that for a government official to record the meeting without the participants’ knowledge was a violation of the Freedom of Information and Protection of Privacy Act. “It violated the privacy rights of these youth.” Eby said the NDP has confirmed the woman is a research officer in government caucus research in the legislature. [The Tyee]

CA – Judge Denies Request to Keep Details About Top-Billing Doctors Secret

The Toronto Star has been seeking the identities of highest paid fee-for-service doctors in Ontario since 2014. The identities of the province’s [Ontario] top-billing physicians must be disclosed to the court, a Toronto judge has ruled, adding that details about some of them must also be made available to the public. In a seven-page decision released this week, Superior Court Justice Ian Nordheimer denied a request to keep the court and public in the dark about the doctors, pending a judicial review of an order [see here] from the province’s privacy commissioner to make the names public.  His decision is the latest development in a three-year quest by the Toronto Star for information on the 160 highest paid fee-for-service doctors. In 2014, the Star filed a Freedom-of-Information request to the province’s Health Ministry about the largest billers to the taxpayer-funded Ontario Health Insurance Plan. Three separate groups of doctors are seeking a judicial review of the privacy commissioner’s order. It will be heard before a three-judge panel on June 19 and 20. Nordheimer concluded the court must have access to the same material that the privacy commissioner’s office used to reach its decision. The relevance of the information cannot be determined until the judicial review is conducted, he said. Nordheimer turned down a request from lawyers for two of three groups of doctors to proceed without revealing to the court the names of their clients or making public any details about them. [TorStar | Even judges shouldn’t know names of Ontario’s top-billing doctors, lawyer argues]

Consumer

US – Consumer Reports Will Evaluate Privacy and Data Security

The non-profit, product-testing organization Consumer Reports (CR) will start including evaluations of products’ online security and privacy features in its product reviews. CR is also part of a collective that is creating a standard to guide the development of digital products. “The goal [of the Digital Standard] is to help consumers understand which digital products do the most to protect their privacy and security, and give them the most control over their personal data.” [Consumer Reports to Begin Evaluating Products, Services for Privacy and Data Security | – Consumer Reports to test products for privacy, data security | CNET: Consumer Reports to factor cybersecurity into reviews | The Digital Standard]

WW – Consumer Reports to Score Privacy, Security in Product Reviews

The nonprofit group Consumer Reports will begin to consider privacy and cybersecurity in its reviews. The group has worked with several organizations to develop methodologies for identifying whether a product can easily be hacked and how well a product can secure consumer data. Consumer Reports Director of Electronics Testing Maria Rerecich said the organization will start to implement the new methodologies gradually on a limited number of products. “We want to rate products on measures such as security, in much the same the way we currently assess products for physical safety and performance. That will give consumers the power to make choices based on solid information,” the company said in a statement. “When consumers vote with their wallets and their clicks, we’ve seen that companies pay attention. We think companies will strive to outdo their competitors when it comes to privacy, security, and other consumer rights.” [Reuters]

WW – Mozilla Survey 90% Don’t Know How to Protect Themselves Online

Mozilla asked [see here] about 30,000 members of its community from Australia, Canada, France, Germany, the UK, and the US questions about security, encryption, and privacy & how they rate their ability to protect themselves online. Ashley Boyd, VP of advocacy at Mozilla, said the company launched the survey knowing that, even among the web-savvy, many people feel their privacy and security is eroding. “What was surprising was the high percentage of people who identified as truly feeling defenseless,” said Boyd. “Over 90% of survey respondents said they don’t know much about protecting themselves online. And nearly a third of respondents feel like they have no control at all over their personal information online.” Mozilla also reports that 8 in 10 respondents fear being hacked and that 61 per cent expressed concern about being tracked by advertisers. The survey also found that those who were the most knowledgeable about privacy were the most concerned about being tracked by governments and law enforcement. Chief business and legal officer at Mozilla, Denelle Dixon said such worries are not just the product of experts playing out theoretical problems. “Concern about surveillance and tracking is realistic, even if you are completely abiding by the law,” she said. “No one wants to feel like they aren’t in control of their data or their online life.” [The Register]

WW – ‘Smart Billboards’ May Be Coming to A Highway Near You

Synaps Labs is planning to test its targeted advertising model on digital billboards in the U.S. this summer. Synaps expects to be operating on 20 to 50 billboards in Russia this year. The company uses high-speed cameras to identify cars and its “machine-learning” system to recognize the type of car and what corresponding ads advertisers want to target the driver with, the report states. “Synaps won’t sell data on individual drivers.” Additionally, “out of safety concerns, license plate data is encrypted, and the company says it will comply with local regulations limiting the time this kind of data can be stored, as well.” [MIT Technology Review]

E-Government

WW – IA Leak Exposes Government Insider-Threat Problem

The disclosure this week of what appears to be documents detailing CIA hacking methods once again exposes the U.S. government’s failure to mitigate its insider-threat problem, if, as some U.S. officials and cybersecurity pros suspect, the source was from a government contractor. The CIA leak is the third major incident in recent years in which threat software and resource programs designed to prevent such threats did not work. Part of the problem, the report states, is the increased access government employees and contractors have to sensitive information — partly because of post-9/11 mandates that increased information-sharing. Agencies also tend to rely on contractors instead of permanent staff because of budget constraints. Meanwhile, UN Special Rapporteur on the Right to Privacy Joseph Cannataci has released a report on the need for civil liberties in light of growing surveillance in the digital world. [Reuters]

US – As Many as 7.5 Million Voter Records Involved in Georgia Data Breach

The Federal Bureau of Investigation opened an investigation at Kennesaw State University’s Center for Election Systems involving an alleged data breach. As many as 7.5 million voter records may be involved, according to a top state official briefed on the information but not authorized to speak on the record. Neither federal officials nor university officials would confirm the scope of the investigation or how many records had potentially been accessed. State officials found out about the breach after being notified by the university. The governor’s office said it asked the Georgia Bureau of Investigation to contact the FBI after learning about the scope of the problem. [MyAJC]

UK – More Than Half of UK Councils Give Body Cameras to Staff

More than half of UK councils have given body-worn cameras to their officials to snoop on minor offences such as littering, bad parking and dog-fouling. Two-thirds of the local authorities have also failed to conduct a privacy impact assessment before taking the controversial measure, according to research by Big Brother Watch. The civil liberties campaign group, which revealed its findings in a new report, claimed the “widespread filming” was not “proportionate” to the often trivial offences committed. The report found 227 local authorities (54%) were at least trialling the cameras, 3,760 cameras had been purchased and 150 local authorities (66%) did not know if they had completed a privacy impact assessment. Pensioner Sue Peckitt was fined £80 after a camera caught her pouring coffee down the drain in London. [Independent]

E-Mail

US – Apple, Amazon, and Microsoft Are Helping Google Fight an Order to Hand Over Foreign Emails

Apple, Microsoft, Amazon, and Cisco have filed an amicus brief in support of Google, after a Pennsylvania court [U.S. magistrate Judge Thomas Rueter in Philadelphia ruled February 3, 2017 that the company had to hand over emails stored overseas in response to an FBI warrant. [see 29 pg pdf here ] In the brief, the companies argue: “When a warrant seeks email content from a foreign data center, that invasion of privacy occurs outside the United States — in the place where the customers’ private communications are stored, and where they are accessed, and copied for the benefit of law enforcement, without the customer’s consent.” They claim that handing over foreign data “invites” other countries to demand emails from US citizens, stored on US soil, in the same way. They also referenced a similar case won by Microsoft in January. The company refused to hand over emails belonging to the non-US citizen stored on Irish servers, and the US government lost an appeal to have the case reheard. [Business Insider]

EU Developments

EU – EDPS Publishes Opinion on Border Screening System

European Data Protection Supervisor Giovanni Buttarelli released his opinion on the European Travel Information and Authorisation System, arguing that while it is important to secure borders, its equally important to ensure initiatives designed to strengthen them do not erode privacy rights. Buttarelli cautioned that screening techniques bring with them myriad privacy concerns, and stressed the need for a privacy assessment on the ETIAS’ proposal. Additionally, “as the information gathered will be used to grant or deny individuals access to the EU, based on the migration, security or health risks they may pose, it is vital that the law clearly defines what these risks are and that reliable methods are used to determine in which cases they exist,” Buttarelli said. [EDPS]

UK – ICO to Probe Use of Voters’ Personal Data in Political Campaigns

The U.K. Information Commissioner’s Office is launching an investigation into the collection and use of voters’ personal data in political campaigns. The move comes after a recent report from the Observer, which alleged U.S.-based technology company Cambridge Analytica played a role in the Brexit and Trump victories in 2016. “We are conducting a wide assessment of the data-protection risks arising from the use of data analytics, including for political purposes, and will be contacting a range of organisations,” an ICO spokeswoman said, adding, “We intend to publicise our findings later this year.” The ICO also said, “We have concerns about Cambridge Analytica’s reported use of personal data, and we are in contact with the organisation.” [The Guardian]

EU – Other EU Developments

  • A ruling from the Court of Justice of the EU is forcing the U.K. Home Office to delay the implementation of the Investigatory Powers Act. [Ars Technica]
  • The European Parliament announced Civil Liberties MEPs voted for stronger safeguards and a shorter period of data retention within the EU entry-exit system. [EuroParl]
  • In a blog post, 2 March, the U.K. Information Commissioner’s Office released its first specific GDPR implementation guidance, focusing on consent, for public consultation. [ICONewsBlog]
  • Germany’s interior ministry announced a draft law last month that would allow authorities to access personal data from electronic devices of asylum seekers without their consent. [The Verge]
  • After an inquiry, Australian Privacy Commissioner Timothy Pilgrim has said that “agency-specific laws” can override the Privacy Act, giving the heads of agencies the ability to access and release public information, iTnews reports. [Tnews]

Facts & Stats

WW – Verizon: 90% of Breaches Involve Phishing, Social Engineering

In Verizon’s newest “Data Breach Digest,” the companion to its annual breach report, researchers said that 90% of the data-loss incidents the team investigates have a “phishing or social engineering component” to them. User credentials are often the hot-ticket data for hackers, who sell the information on the dark web to those looking to masquerade as actual employees on company networks. “Because organizations don’t have multifactor [authentication] rolled out, it makes it trivial to get in.” [BankInfoSecurity]

FOI

CA – NFLD Court Finds Disclosure of Employee Names, Titles and Remunerations Unreasonable Invasion of Privacy

A Newfoundland and Labrador court reviewed the Newfoundland and Labrador English School District’s decision to disclose employee personal information, pursuant to the Access to Information and Protection of Privacy Act, 2015. A district school agreed to disclose the requested information to a member of the media (this was prior to legislation specifically designed for the release of “Sunshine Lists”); the records contained the names of the teachers in connection with their position and salaries, the information was held by the school for tax purposes, and the school did not supply any reasoning why the information should be released to the media. [Newfoundland and Labrador Teachers Association v. Newfoundland and Labrador English School District – 2016 CANLII 89960 NL SCTD – In the Supreme Court of NFLD and Labrador Trial Division]

CA – PEI Gov’t Redacts Information from Document It’s Already Made Public

The P.E.I. government says “human error” led it to redact information it had already made public from a document obtained under the province’s Freedom of Information legislation. CBC News filed a request in January 2017, seeking information on the province’s plans to implement a carbon tax. In response the province provided 228 pages comprised of various documents, with much of the information severed or redacted. The problem is, some of the information that was withheld had already been released to the public, and is freely available on the province’s website. [CBC]

CA – OPC Canada Finds Viewing Records Without Getting Copies Meets Organization’s Access Obligations

The Office of the Privacy Commissioner of Canada reviewed a complaint from a condominium owner, pursuant to PIPEDA. Organizations must respond to access to information requests at minimal or no cost to the individual; allowing individuals to view the records for free without also getting copies of them satisfies an organization’s access obligations under PIPEDA. [OPC Canada – Access to Personal Information Request Revised to Accommodate Both Requestor and Organization]

CA – OIPC BC Orders Disclosure of Law Enforcement Investigative Records

The Office of the Information and Privacy Commissioner of British Columbia reviewed the Insurance Corporation of British Columbia’s decision to withhold access to information, pursuant to the Freedom of Information and Protection of Privacy Act. Withheld records containing information that is not about identifiable individuals can be disclosed, such as time of the interview, date and place of the incident, insurance claim and SIU file numbers, and vehicle descriptions; consent was provided by the applicant’s spouse for the disclosure of her personal information, the applicant is already aware of details of the investigation, and it is unclear how disclosure of the information could unfairly damage the third party’s reputation. [OIPC BC – Order F17-06 – Insurance Corporation of British Columbia]

CA – OIPC AB Concludes Failure of Public Bodies to Timely Respond to Access Requests is Unacceptable

This OIPC report investigates the failure of Alberta Justice and Solicitor General to meet legislative timelines for responding to access requests pursuant to the Freedom of Information and Protection of Privacy Act. Reasons for delays include consultation within the government (despite no statutory requirement to do so), unnecessary application of discretionary exemptions to withhold access, an inefficient and unnecessary funneling of requests through the head of a public body, an increased volume of requests versus fewer staff to handle them, the need for judicious application of the “frivolous and vexatious” provision to some complex applicants, and a lack of respect for the FOI regime in some areas of government. [OIPC AB – Investigation Report IR-F2017-IR-01 – Alberta Justice and Solicitor General]

CA – OIPC BC Finds Disclosure of a City’s Job Evaluation Process Would Not Harm its Financial Interests

The Office of the Information and Privacy Commissioner in British Columbia reviewed a decision by the City of Nanaimo to deny access to records requested, pursuant to the Freedom of Information and Protection of Privacy Act. Information relating to the evaluation process did not contain any plans or proposals (only the raw materials on which they would be based), and would not lead to morale issues (employees have already filed grievances without the information); the City did not provide any details showing how disclosure would put it at a disadvantage in collective bargaining or would result in an increase in employee wages. [OIPC BC – Order F17-03 – City of Nanaimo]

US – California Top Court: Information on Personal Devices Dealing With Official

The California Supreme Court ruled that texts and e-mails sent by public employees on their personal devices are a matter of public record when they deal with official business. The court found in its unanimous opinion that communications must be disclosed to the public if they “relate in some substantive way to the conduct of the public’s business.” The court did not provide a clear balancing rule on where such a line should be drawn between employees’ privacy and public record. [Jurist]

US – FBI’s New Online FOIA Portal is Now Live

The FBI’s controversial changes to its FOIA request system are now fully implemented. [see here and FAQ here] For the FBI, a popular target for FOIA requests, the new online portal replaces the standard email system. According to the bureau, the new online portal transitions the agency from a manual system to an automated system that will help it handle its large volume of requests, though detractors argue that the new web portal creates additional barriers to those seeking information from the FBI and makes tracking the paper trail more difficult. Afraid of change? If you feel more comfortable doing things the really old fashioned way, you can just file your FBI FOIA request by fax or mail, though we wouldn’t exactly recommend it. [TechCrunch]

Genetics

CA – Debate Over Contentious Genetic Discrimination Bill Continues

The debate over the contentious Genetic Non-Discrimination Act continues through the House of Commons and could come down to a final vote. The legislation, also known as Bill S-201, would make it illegal for companies to require an individual to undergo or reveal the results of genetic testing in order to sign an insurance policy, or obtaining any other goods or services. The Canadian Life and Health Insurance Association believes health costs will rise if the bill passes, while the Canadian Coalition for Genetic Fairness’ Bev Heim-Myers said she supports the bill, as the fear of genetic discrimination could lead to people avoiding important diagnostic tests. [Global News]

CA – 100 Liberal MPs Defy Trudeau On & Vote for Genetic Privacy Law

The Genetic Non-Discrimination Act [Bill S-201] is aimed at preventing the use of information generated by genetic tests to deny health insurance, employment, and housing, or to influence child custody and adoption decisions. It calls for fines of up to $740,000 and prison terms of up to 5 years for anyone who requires any Canadian to undergo a genetic test, or to disclose test results, in order to obtain insurance or enter into legal or business relationships. The bill bars discrimination on the grounds of genetics, and the sharing of genetic test results without written consent (with exemptions for researchers and doctors). Trudeau’s Liberal Party cabinet also formally opposed the measure, with Justice Minister Jody Wilson-Raybould arguing that the bill is unconstitutional because it intrudes on powers given to Canada’s 13 provincial and territorial governments to regulate insurance. On 9 March, members of Parliament voted 222–60 to approve the measure. More than 100 Liberal members voted for the bill, taking advantage of a so-called free vote, which allows members to vote their conscience rather follow the party line. The result has prompted Trudeau’s government to consider extraordinary measures to block the legislation. To delay and potentially kill the legislation, Trudeau’s government is considering not sending the bill to the governor-general (a tactic that doesn’t appear to have been used since the 1920s), and instead asking Canada’s Supreme Court to rule on the bill’s constitutionality. That process could take up to 2 years. [Science Mag | Genetic non-discrimination bill unconstitutional: Trudeau | Liberal backbenchers defy cabinet wishes and vote to enact genetic discrimination law | | Does this genetic testing bill threaten the insurance industry? | Life insurers’ new genetic test policy called an 11th-hour stalling attempt | Canadian insurance industry pens rules on use of genetic test results | Genetic discrimination private member’s bill pits Grit backbenchers against cabinet | Canada: Genetic Discrimination And Canadian Law | Genetic testing bill perpetuates myths and fears]

CA – Google’s Montreal ‘Cloud Region’ Allows Data to Stay In Canada

Google Inc announces first Canadian ‘cloud region’ in Montreal, allows sensitive data to stay within borders. Located in Montreal, the new cloud region now lets customers such as large corporations move large amounts of information to online storage without having to leave Canadian borders It will not just store the information but also provide its algorithms to make more sense of the data. “Canadians always love to know that their data is still on this soil, especially as there is legislation in the U.S. that allows the government to go into data centres under the Patriot Act,” said Roland Gossage, chief executive of the Toronto-based e-commerce provider GroupBy Inc. Though Amazon.com Inc and Microsoft Corp has already offered cloud storage options in Canada, Google reiterates that what sets its services apart from others is the ability to gain insight from the large amounts of data being stored through machine learning and artificial intelligence. [Financial Post]

Health / Medical

WW – Medical Device Security Still a Major Problem

Health care organizations continue to face problems when trying to protect medical devices from hackers. U.S. hospitals average 10 to 15 connected devices per bed, and each of those devices create several points of exposure for hackers to compromise and implement ransomware and other types of network attacks. Security firm TrapX found hackers were specifically targeting medical devices connected to outdated software in order to avoid detection. The Food and Drug Administration is one of the first agencies to take a stand against medical device hacking. The FDA began to seriously examine device cybersecurity as a requirement for approval starting in 2013 and has continued to update the criteria to this day. [WIRED]

Horror Stories

US – Florida Senator Demands Answers from Spiral Toys After Cloud Hack

Sen. Bill Nelson, D-Fla., has written to the CEO of Spiral Toys, seeking answers on the company’s data protection practices in light of a breach affecting its CloudPets brand and more than 800,000 of its customers. Nelson said that incident called into question how well Spiral Toys was able to adhere to the Children’s Online Privacy Protection Act. Among his nine questions for the company were inquiries into the type of information Spiral Toys collects from its users via their products, if that information was sold to third-party vendors, and if the company provided notice of these collection practices, should they exist, to its customers, the letter states. He asked for a response from Spiral Toys by March 23. [ComputerWorld] [Is your IoT teddy bear safe? MondgoDB data breach allegedly leaks and ransoms millions of kid’s voice recordings | Internet of Things Teddy Bear Leaked 2 Million Parent and Kids Message Recordings | Banned In Germany: Kids’ Doll Is Labeled An Espionage Device | These Toys Don’t Just Listen To Your Kid; They Send What They Hear To A Defense Contractor | These Toys Don’t Just Listen To Your Kid; They Send What They Hear To A Defense Contractor | Talking Dolls May Spread Children’s Secrets, Privacy Groups Allege | You should probably still avoid toys that talk with your kids | Parents are worried about the new WiFi-connected Barbie, but should they be?]

WW – Spammer Accidentally Leaks 1.34B User Accounts

Email marketing group River City Media failed to protect its 1.34 billion user accounts, inadvertently making them available for anyone to see. MacKeeper security researcher Chris Vickery discovered the breach in January. He said that River City Media “masquerades as a legitimate marketing firm” when instead is a large-scale spamming organization. It’s accrued names, emails and IP addresses through emails advertising phony credit checks and sweepstakes. Vickery worked with CSO Online to verify the breach, ultimately finding that River City Media employees didn’t “properly configure its backup system.” The unsecured database is so vast that “chances are that you, or at least someone you know, is affected.” [Fortune]

Law Enforcement

US – DoJ Drops Child Porn Case to Protect Tor Hacking Technique

The US Department of Justice (DOJ) has asked a federal court to dismiss its case against an alleged suspect in a child pornography case because the department does not want to reveal the “network investigative technique” it used to discover identities of people on Tor who accessed a certain dark web site. Last spring, Mozilla filed a brief in the case asking the FBI to privately reveal the flaw the technique exploits because it affects users’ security. (The Tor browser uses much of the same code as Firefox.) [ZDNet: Justice Dept. drops Playpen child porn case to prevent release of Tor hack | To keep Tor hack source code secret, DOJ dismisses child porn case | Child porn case dropped to prevent FBI disclosure | U.S. drops child porn case to avoid disclosing Tor exploit | DoJ Wants to Keep Tor Hack Code Used Secret, Dismisses Playpen Child Porn Case]

Location

US – Mass. Lawmakers Push for Restrictions on Use of Sensitive Driver Data

Massachusetts lawmakers have filed a proposal to restrict the ways the state can use sensitive driver data collected by its new all-electronic tolling system. A pair of bills sent to the state House and Senate would prohibit the Massachusetts Department of Transportation from using the data, including driving speeds and travel history, for anything but collecting tolls. The bills would stop the agency from sharing the data unless a warrant was involved. Representative Marjorie C. Decker said if the data must be shared, strong privacy protections must be in place, and the state needs to be transparent about the way the data is used. “Many people don’t even realize that if you have an E-ZPass, it can track your whereabouts,” Decker said. “People have a right to know this is happening.” [The Boston Globe]

Online Privacy

US – ACLU Challenges Facebook Search Warrant

The American Civil Liberties Union has filed a motion challenging a warrant allowing police to search a Facebook community page for information on a group protesting the Dakota Access Pipeline, according to an ACLU press release. The ACLU argued in its motion that the warrant eroded both First and Fourth Amendment rights. Additionally, the warrant wasn’t “particularized” as the Fourth Amendment requires, meaning that it hadn’t indicated “in detail items for which the government has probable cause to search,” the report states. The ACLU also argued that “when searches involve broad intrusions, such as searches of computers or online accounts like Facebook, the need for such limitations on warrants is especially great, courts have found.” The challenge is scheduled to have its day in Whatcom County Superior Court on March 14. [ACLU]

Privacy (US)

US – Survey Rates States With Best Online Privacy Protections

Comparitech has developed a scoring system to find the states with the most online data protection laws. The system was based on 14 different laws, including laws to protect internet-of-things data, safeguard employee and children’s privacy, and mandate data retention time limits. Delaware scored the highest out of all 50 states, with a privacy score of 85.7%, only missing two of the 14 criteria. California finished with the second best score, with 78.6%, while Utah and Arkansas tied for third with 71.4%. There was a three-way tie for the worst states for online privacy, with Wyoming, South Dakota and Alabama all finishing with a 28.6% score. [Comparitech]

US – EFF Releases Guide to Help Travelers Protect Privacy at the US Border

The Electronic Frontier Foundation released a guide to help travelers protect their digital information when traveling across borders. “Digital Privacy at the U.S. Border“ helps travelers perform a risk assessment by evaluating personal details such as immigration status and travel history. By assessing those factors, travelers may be able to protect themselves by leaving certain devices at home or using encryption. “Border agents have more power than police officers normally do, and people crossing the border have less privacy than they usually expect,” said EFF. “Border agents may demand that you unlock your phone, provide your laptop password, or disclose your social media handles. Yet this is where many of us store our most sensitive personal information.” [EFF]

US – FPF, George Mason Law Seeking Paper Submissions

The Program on Economics & Privacy at George Mason University’s Antonin Scalia Law School and the Future of Privacy Forum have announced they are seeking paper submissions considering the development of a benefit-cost framework for privacy policy. Potential areas of special interest for the papers include “developing metrics to measure the costs and impacts of privacy controls; unpacking the economics of privacy using microeconomic tools; and calculating the value of privacy for consumers through analysis of competitive offerings.” Chosen submissions will be presented at the Fifth Annual Public Policy Symposium on the Law & Economics of Privacy and Data Security Policy in June, and will also be published in an issue of the Journal of Law, Economics & Policy. The deadline for submissions is April 15. [FPF]

US – Washington CPO Releases Open-Source Privacy-Law App

The state of Washington’s Office of Privacy and Data Protection has launched a “privacy modeling” web app, which allows government agencies aiming to roll out various programs and products to find relevant state and federal privacy laws and, ostensibly, make smart choices based on those parameters. Washington Chief Privacy Officer Alex Alben said the office will release the app’s source code sometime this week on GitHub so other state agencies can adopt their own versions. [Privacy Advisor]

US – Other Privacy News

  • As data collection has become more ubiquitous, technologies more advanced and consumer data more valuable, the definition of “personal information” within U.S. state data breach notification laws has expanded to include things like login credentials, biometric information and health data. [org]
  • Voting along party lines, the U.S. Federal Communications Commission voted 2-1 last Wednesday to halt data privacy measures that were slated to go into effect March 2. [IAPP]
  • A landmark case about metadata in Australia has challenged the scope of Australian privacy laws, overruled the privacy commissioner, and left practitioners with questions. [org]
  • All this month, Max Schrems is back in court in Dublin. Not content with bringing down Safe Harbor, Schrems is sticking to his guns and coming after standard contractual clauses and may even inadvertently demolish Privacy Shield. [org]
  • The U.S. House of Representatives Judiciary Committee held a hearing last week on Section 702 of the Foreign Intelligence Surveillance Act. Testimony suggested, with caveats, that s.702 be reauthorized. [org]
  • Federal Communications Commission Chairman Ajit Pai is planning to delay the implementation of the agency’s broadband privacy rules. [Reuters]
  • A California court has ruled electronic communications sent by public employees on their personal devices that relate to public business are public information. [Jurist]

Privacy Enhancing Technologies (PETs)

US – Design Jam to Focus on Privacy Solutions

“Privacy by design” has come to mean a lot of things. For many, it has boiled down to simply thinking about privacy and data protection from the outset of a project and all the way through to completion. It’s getting privacy in at the “whiteboard stage.” Lost, perhaps, in that way of thinking is the “design” piece. How do organizations literally design and engineer their products and services to emphasize privacy and bring user control over their data to the fore? That’s the question being presented to participants in an inaugural Design Jam in Berlin, Germany this week, March 10 through 12, hosted by Facebook, Ctrl-Shift, Work Play Experience, and the University of Southampton. The Privacy Advisor discusses the event’s goals and potential outputs. [Full Story]

WW – R3 Consortium Study Compares Blockchain Privacy Tools

The R3 consortium released a summary last November of the various schemes that software developers have devised for protecting privacy for blockchain-based transactions The study [“Survey of Confidentiality and Privacy Technologies for Blockchains“, which has not previously been made public, provides a comparison of the level of privacy offered by each approach. The study was done by Jack Gavigan [with Danny Yang & Zook Wilcox], a co-founder of Zcash, a cryptocurrency that uses zero-knowledge proofs, one of the methods evaluated in the report. Financial institutions are anxious to use the efficiency features of blockchain technology, but the lack of privacy has proven a stumbling block. Following is a summary of the different privacy technologies reviewed in the report: 1) Permissioned Ledgers; 2) Off-Chain Approaches; 3) Coin Mixing; 4) Ring Signatures; 5) Pederson Commitments; 6) Zero-Knowledge Proofs; and 7) Stealth Addresses [CryptoCoinsNews]

RFID / IoT

WW – Amazon Echo Data Shared With Authorities in Arkansas Murder Case

Amazon has ended its fight against an Arkansas court’s subpoena demanding access to the defendant’s Amazon Echo device. James Andrew Bates had plead not guilty to first-degree murder of a man found dead in his house, adding that he “wouldn’t mind” if Amazon shared information from the device to aid investigators with their case, the report states. While Amazon had initially pushed back against the subpoena, arguing in favor of Bates’ privacy rights, it handed over the Echo data to the court, after Bates granted permission. “A hearing had been set on whether any information gathered was even pertinent.” [The Associated Press]

WW – The Latest Iot Device? A ‘Smart Condom’

The “world’s first smart condom,” the i.Con Smart Condom, is now available for preorder. The device functions akin to a Fitbit and has a ring-like design that allows it to go over basic condoms, where it is able to measure sexual performance and other elements. Users can track these measurements in an app. On the privacy front, distributor British Condoms said that “all data will be kept anonymous, but users will have the option to share their recent data with friends, or, indeed the world.” [CNet]

Security

WW – WikiLeaks Releases Host of Alleged CIA Hacking Documents

In another leak with potentially massive implications for U.S. intelligence, WikiLeaks has released a trove of documents that appears to demonstrate the CIA’s hacking capabilities, The New York Times reports. The documents are said to show the agency’s ability to break into smartphones, computers and other internet-connected devices. The first release includes 7,818 web pages with 943 attachments. WikiLeaks claims the entire archive, which is dated from 2013 to 2016, includes several hundred million lines of code, the report states. WikiLeaks will not name the source of the documents but said the source “wishes to initiate a public debate about the security, creation, use, proliferation, and democratic control of cyberweapons.” [Full Story]

US – Tech Sector Scrambles in Wake of CIA-Hacking Leaks

As the dust begins to settle after Tuesday’s WikiLeaks data dump of the CIA’s hacking methods, the technology sector is scrambling to patch security fixes and warn users to update their software. The 9,000 pages of documents released by WikiLeaks, which security professionals believe are legitimate, reveal methods the CIA has developed to circumvent the hardware and software of some of the world’s top technology products, including exploiting smartphone operating systems, which allows agents to go around encryption apps. In this post for Privacy Tech, Jedidiah Bracy rounds up the latest reaction from several technology companies, comments from the CIA and FBI Director James Comey, and other developments since the leaks. [IAPP.org]

WW – CIA Hacking Disclosure Could Lead to Consumer Distrust of Iot Devices

Cybersecurity professionals believe the recent revelations about the CIA’s hacking efforts could affect the way consumers and companies view internet-of-things devices, Mashable reports. Professionals say consumers should take every measure they can to protect their privacy and inform themselves with what privacy protections companies will offer them. “I know that’s a big fear for a lot of these companies — they don’t want their product to be the one that is considered unsafe,” said the Center for Strategic and International Studies’ James Lewis. “There’s probably a competitive advantage to being more secure than your competitor.” The Atlantic Council’s Cyber Statecraft Initiative’s Beau Woods adds if consumers feel threatened by the vulnerabilities within smart technology, it could lead to an increased amount of distrust and a drop in sales. [Mashable]

WW – WikiLeaks Will Offer Tech Companies Access to CIA Hacking Tools

Julian Assange says that WikiLeaks will offer tech companies access to the technical details of hacking tools in the cache of leaked classified CIA documents so that the companies can address the vulnerabilities the tools exploit. Companies are wary of the offer because of the legal ramifications of accepting stolen classified data. [WikiLeaks promises to leak Vault 7 code archive to tech firms first | WikiLeaks: We will work with tech companies to fix CIA hacking holes | WikiLeaks Will Help Tech Companies Fix Security Flaws, Assange Says | Assange: WikiLeaks Will Help Tech Firms Defend Against CIA Hacking ]

EU – Risk Assessment: Proposed Guidelines Will Help Organisations Evaluate the Functionality and Effectiveness of Video Surveillance Systems

The CEN Workshop Agreement, based on the results of the Evaluation and Certification Schemes for Security Products (“CRISP project”), issues a final draft of guidelines for the evaluation of installed security systems based on STEFi dimensions. The STEFi approach (security, trust, efficiency, freedom infringement) applies to all types of security systems, but is specifically suitable for planned or installed video surveillance, and is intended to be used to establish a certification scheme; evaluation of a security system involves an assessment to identify conflicting criteria for the security system between the STEFi criteria, and resolving conflicts in consultation with relevant stakeholder and experts by negotiating solutions, and implementing technical changes to the system or operating procedures. [Guidelines for the Evaluation Process of Installed Security Systems Based on the S-T-E-Fi Criteria – CEN Workshop Agreement – European Committee for Standardization]

CA – A 5-Step Data Breach Risk Mitigation Plan for Boards & Directors

On January 19, 2017, the Canadian Securities Administrators (CSA) issued Multilateral Staff Notice 51-347 disclosure of cyber security risk and incidents. The Staff Notice only applies to reporting issuers, but it reflects a broader prevalence of, and heightened concern about, cyber security risks and the related liability exposure that all organizations, officers and directors face. Case in point: on February 3, 2017, the Québec Superior Court authorized a consumer privacy class action in Zuckerman v. Target Corporation seeking financial compensation for – you guessed it – a data / privacy breach. Here’s a five-step cyber security mitigation plan that organizations and their directors can and should implement now to minimize the growing liability risks of suspected and actual cyber attacks [including]: 1) Make it a (priority) corporate governance matter; 2) Get a good handle on your legal notification obligations; 3) And have a good handle on your risk and incident disclosure obligations too; 4) Assess your current situation; and, 5) Be well-prepared, well in advance. [McInnesCooper]

US Government Programs

US – DHS Issues Breach Notification Best Practices

The US Department of Homeland Security (DHS) is putting the finishing touches on breach notification guidance for agencies, state and local governments, and other organizations. The DHS Data Privacy and Integrity Committee approved a final draft of the best practices document last month. The guidance addresses deciding whether and how to notify affected individuals; the risks of over-notification; and offers suggestions for additional support for those affected by a breach. [DHS finalizing best practices for notifying victims of major cyber breaches | See ALSO: Best Practices for Notifying Affected Individuals of a Large-Scale Data Breach

US – The Data Tool Helping Enforce Trump’s New Immigration Policies

Immigration and Customs Enforcement has deployed a Palantir Technologies-developed intelligence tool, dubbed Investigative Case Management, to assist with the Trump administration’s potential immigration deportation plans, The Intercept reports. Documents indicate that ICE viewed the tool as “mission critical,” the report states, “meaning that the agency will not be able to properly function without the program.” The tool, which will hit “final operating capacity” in September of this year, allows users to access a vast “ecosystem” of information on a person from an array of federal agencies. “If President Trump’s rhetoric on mass deportations is going to be turned into reality, then we’re going to see these tools turned in that direction, and these documents show that there are very powerful and intrusive tools that can be used toward that end,” said the ACLU’s Jay Stanley. Earlier this week, several organizations sent letters to 50 data brokers asking them to not build any so-called “Muslim registries.” [Full Story]

US Legislation

US – Iowa Bill Imposes Restrictions and Limitations on Processing and Disclosure of Student Data

House Bill 48, adding a new section to Chapter 256 of Iowa Code and relating to student data collection policies and plans, has been introduced and referred to the Education Committee. The Department of Education, school districts and certain schools are prohibited from including certain data in student files of both the student and student’s family (such as income, certain personality traits, political/religious affiliations and criminal/juvenile justice records); student data must generally not be provided outside of the state and kept confidential (exemptions include a court order, the lawful custodian of the data, another authorized person, or for out-of-state student transfers. [House File 48 – An Act Relating to Student Data Collection – Iowa]

US – House Committee Forwards Bill That Would Give NIST Auditing Authority

The U.S. House Science Committee has passed (19-14) a bill that would place the onus of auditing government agencies’ cybersecurity on the shoulders of the National Institute of Standards and Technology (NIST). Those opposing the measure say that auditing is outside of NIST’s expertise. The bill calls for NIST to conduct an initial assessment of all agencies’ cybersecurity preparedness within six months. [NextGov: NIST as Enforcer? House Committee Passes Bill to Expand Agency’s Responsibilities | Full Committee Markup – H.R. 1224, the “NIST Cybersecurity Framework Auditing Act of 2017: “

US – Other Legislative Developments

  • Four U.S. lawmakers have proposed legislation to set up a cybersecurity grant program to help state, local and tribal governments more effectively fight cyber threats. [Augusta Free Press]
  • A Missouri Senate bill would require schools to notify affected individuals of a data breach. [KSPR]
  • In response to fears of a crackdown on legal marijuana by the new administration, a group of Oregon lawmakers has proposed legislation requiring marijuana businesses to destroy customer information within 48 hours. [CBS News]
  • A Utah bill aiming to protect voter-registration records has cleared committee and is now headed to the full House. [The Salt Lake Tribune]
  • The House Committee on Science, Space and Technology passed the NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017. [The Hill]

+++

 

16-28 February 2017

Biometrics

CA – CRA to Record Fingerprints of Tax Evaders

The Canada Revenue Agency has started to record the fingerprints of every individual charged with tax evasion. “Introducing a mandatory fingerprinting policy would serve as a powerful deterrent to those considering committing a serious tax offence or those who may contemplate reoffending,” an internal CRA memorandum states. “The mobility restriction is an important deterrent, especially for people engaged in offshore tax evasion.” The fingerprints of all accused tax evaders will be stored in the Canadian Police Information Centre database. Nearly 70,000 Canadian police officers have admittance to the database, with foreign agencies such as the U.S. Department of Homeland Security having access as well. The move could end up affecting foreign travel for individuals who have been accused, but not convicted of a criminal tax offense. [CBC News]

CA – Parliamentary Press Gallery Pushes Back Against Plan to Fingerprint, Screen Reporters

The parliamentary press gallery is challenging a plan to impose RCMP security screening measures on new members, including fingerprinting for criminal record checks. The proposal from the House of Commons made public today recommends that all new members of the press gallery be subject to mandatory screening to access Parliament Hill, which would include the RCMP running the person’s fingerprints against a database to determine a match with anyone convicted of a criminal offence. The same measures are recommended for MPs’ staff, contractors, volunteers and interns. The proposed changes follow an independent security assessment and an internal audit of physical access to the Parliamentary Precinct carried out in 2015. It concluded that mandatory site access security screening should be conducted for all individuals who regularly access buildings within the Parliamentary Precinct, according to a fact sheet created by the House of Commons. [CBC |

US – Montana May Regulate ‘Faceprints

A proposed biometric privacy bill in Montana is drawing support from the digital rights group Electronic Frontier Foundation, which argues that new laws are needed to protect people from privacy threats posed by facial recognition technology. “Cameras are increasingly accurate at long distances, and facial recognition algorithms are increasingly able to match images against each other,” the organization wrote in a letter to Montana lawmakers. “Once captured, it is easy for someone to use our biometrics against us.” The potential Montana law (HB 518) would require companies to obtain people’s written permission before collecting, sharing or using biometric identifiers like faceprints, retinal scans and voice patterns. The measure excludes photos from the definition of biometric identifier, unless a company has collected the photos in order to use them as a source of biometric data. The definition means that Facebook and other Web companies would be required to obtain consumers’ consent before applying the kind of software that enables them to create faceprints, according to EFF. Montana isn’t the only state considering new biometric privacy protections. Lawmakers in Alaska, Connecticut, New Hampshire and Washington also have introduced similar measures. To date, only Illinois and Texas have passed laws specifically protecting biometric privacy. The Illinois law has been at the center of class-action privacy complaints against several companies, including Google, Shutterfly and Facebook. The case against Shutterfly has been resolved, but Google and Facebook are still fighting the lawsuits. [MediaPost Policy Blog] Outlines of biometric privacy bills being considered in U.S. states including Alaska, Connecticut, Illinois, Montana, New Hampshire and Washington. legislature is considering a biometric privacy bill similar to that of Illinois. [Find Biometrics]

UK – Police Told to Delete on Request Millions of Images of Innocent People

The home secretary has ordered police forces to delete on request millions of images of innocent people unlawfully retained on a searchable national police database. A Home Office review published this week found that police forces make extensive use of more than 19m pictures and videos, known as custody images, of people they have arrested or questioned on the police national database. Despite a high court ruling in 2012 that keeping images of innocent people was unlawful, police forces have quietly continued to build up a massive database without any of the controls or privacy safeguards that apply to police DNA and fingerprint databases. Renate Samson, of Big Brother Watch, said: “Whilst the opportunity for people to have their custody photo deleted from the database is welcome, we believe they shouldn’t have to ask, it should be an automatic process. The explanation as to why this can’t be done reveals a poorly designed IT system which is impacting innocent people’s right to privacy. A system should be created whereby those who are found to be innocent have their images deleted automatically, as is the case with DNA and fingerprints.” [The Guardian]

IN – India to Share World’s Largest Biometric Database With Tech Firms

India’s efforts to create the world’s largest biometric identity database and share that data with tech companies. The initiative, known as “India Stack,” is designed to standardize the exchange of digital data to help tech firms, health care providers, and app developers transfer official documents to help citizens get jobs, make financial transactions, and access government services, but the database has caught the eye of privacy advocates. “It’s the worst time for privacy policy in the country,” said Centre for Internet and Privacy Executive Director Sunil Abraham. “We are very caught up in technological exuberance. Techno-utopians are ruling the roost.”[The Wall Street Journal]

Canada

CA – CSIS Saw ‘No High Privacy Risks’ With Metadata Crunching: Internal Report

The Canadian Security Intelligence Service centre touched off a firestorm late last year when a judge said CSIS had broken the law by keeping and analyzing the digital metadata of innocent people.[see here ] The ruling also prompted debate about what future role the spy service should have — if any — in using such potentially revealing information in its work. But a privacy impact assessment of the [CSIS] Operational Data Analysis Centre prepared in August 2010 — and secret until now — offered little hint of such concerns. “The assessment process has identified no high privacy risks,” says the 62-page CSIS report. CSIS director Michel Coulombe testified that he hoped the spy service would be in a position within about six months to decide what to do with the associated metadata collected over the 10-year period. [CBC]

CA – US Border Guards Can Ask for Your Passwords

The BC Civil Liberties Association is warning people to think hard before deciding to take cell phones or other electronic devices across the border between Canada and the United States. Even if they have no grounds for suspicion, border guards can ask for them and might arrest a person who refuses to give them the passwords. The charge would be obstruction, but in Canada, such a case would probably violate the Charter of Rights and Freedom guarantees of privacy, says Micheal Vonn, policy director of the B.C. Civil Liberties Association. In the U.S., there is a document which clearly sets out the policy on border guards’ examination of electronic devices. But in Canada, there is not and the information has been pieced together through requests under the Access to Information Law. The Canadian Border Services Agency does believe it has the right to ask for passwords. Vonn would like the Canadian government to produce a clear policy for the public and have it reviewed by Canada’s privacy commissioner to ensure it conforms with the constitution. [Listen to the full interview is here] [RCINet | Are U.S. border agents allowed to search phones and other devices? | I’ll never bring my phone on an international flight again. Neither should you | If A Border Agent Asks You To Unlock Your Phone, Do You Have To Comply? | A Guide to Getting Past Customs With Your Digital Privacy Intact | A US-born NASA scientist was detained at the border until he unlocked his phone]

CA – Canadian Border Officials Can Search Your Cellphone, Confiscate Your Device

Canada Border Services Agency (CBSA) officers have the right to inspect your device. And if you don’t comply, they might even confiscate your phone. Devices such as cellphones and laptops are classified as “goods,” according to CBSA policy. Under the Customs Act, officers have the authority to examine them as part of a routine examination. The CBSA does not require a warrant, the Office of the Privacy Commissioner of Canada notes, and “Officers may examine devices for photos, files, contacts and other media.” What they do with those files — and whether the CBSA can make a copy of any or all the information found on your phone — is unclear. Travellers are really left few options. Anyone with concerns about their experience during a search at the border can file a complaint with the Office of the Privacy Commissioner. [Global News | Is The Border Safe? US Could Detain Canadians In Canada Under Bill | Pre-clearance bill would give U.S. border agents in Canada new powers | The Canada Border Services Is Getting Authority To Open All Cross-Border Mail | Looking for fentanyl: Should the government be able to open your letters? | Fentanyl fear drives police to push for greater power to search mail]

CA – Bill Letting U.S. Border Guards Detain Canadians Could Face Legal Challenges

A bill [C-23] proposing to bolster the powers American border guards yield in Canada – including the ability to strip search and detain Canadians – could lead to legal challenges against the federal government, immigration experts are warning. Part of a bilateral agreement with the U.S., the bill, when passed, will grant American customs agents the right to carry weapons within Canada, perform body searches and detain – but not arrest – them. It will also allow U.S. agents to force a Canadian in a preclearance area, who has decided not to travel to the U.S., to stay in the area for questioning. Right now, that same traveller has the right to simply turn around and leave the area without action or consequence. Howard Greenberg, an immigration lawyer in Toronto, agrees the bill could be open to court challenges [GlobalNews]

CA — British Columbia Privacy Commissioner Investigating Vigilante Group

The Office of the Information and Privacy Commissioner for British Columbia is investigating the controversial vigilante group, Surrey Creep Catchers. Creep Catchers is a group of organizations across Canada that aim to expose people they claim are sexual predators by posing as minors online, then setting up meetings in person to shame their targets. The group was allegedly involved in an incident involving an RCMP officer who was arrested and charged for attempting to meet an underage child. Law enforcement agencies have voiced their concerns about the groups, stating citizens could be in danger if a potential child predator was confronted in public. [CBC News]

CA – Privacy Issues Still Not Fixed on Gov’t Computers: B.C. Auditor General

A 2015 audit found social work case management system did not adequately protect personal info. B.C.’s auditor general says the government has made progress in addressing potential privacy issues with a problematic computer system, but there’s still work to be done. Carol Bellringer’s office first audited the $182-million Integrated Case Management System in 2015 and found it was incomplete and did not protect sensitive personal information. The system, used by the Ministry of Social Development and Social Innovation, dates back to 2008 and was meant to replace outdated computer systems used to deliver social programs including child protection, child-care subsidies and income assistance. [The Canadian Press]

CA – OPC Canada Identifies Best Options for VPN Access to Corporate Info

The Office of the Privacy Commissioner of Canada analyses what to look for when choosing between different Virtual Private Networks services. IPsec is an end-to-end security protocol (the data is only meant to be accessible by the device and the server that is being tunneled to) and SSL/TLS provides highly encrypted communications by relying on the same key exchange standards as HTTPS-secured websites (provided the software has been properly patched if based on open source software libraries); PPTP is an older method no longer recommended as it possesses a range of vulnerabilities that undermine the security and authentication process. [OPC Canada – Privacy Tech-Know Blog: The actual privacy benefits of virtual private networks | Make sure your VPN is setup correctly using a DNS Leak Tool | How to use a VPN: How to set up a VPN for secure, private browsing & access to blocked content | VPN and Maintaining Corporate Privacy]

CA – Alberta Court Refuses to Accept Photos from Locked Mobile Phone into Evidence

The Court considered the Crown’s application to enter photos from a locked mobile device into a main voir dire. Law enforcement failed to meet the standards of the Supreme Court’s decision in Fearon when determining what use to make of notifications displayed on a seized cellphone; the fact that an individual cellphone owner has locked the device but allowed notification of incoming communications to be displayed on the screen does not mean that the owner has waived his right to privacy, and the police failed to record what they did with the cellphone. [Her Majesty the Queen v. Trevor Leigh Millett – 2017 ABQB 9 – Court of Queen’s Bench of Alberta]

CA – Superior Court of Québec Authorizes Privacy Class Action in Zuckerman v. Target Corporation

Privacy class actions triggered by data breaches are growing in popularity in Canada, with more than 30 of them pending throughout the country. While none of these cases have yet been heard on their merits, some are being certified or authorized. In Québec, there are at least seven privacy class actions before the courts. The Superior Court of Québec recently rendered judgment on a motion to authorize a privacy class action in Zuckerman v. Target Corporation, in which the petitioner alleged damages as a result of a data breach involving an estimated 40 million credit and debit cards, as well as the personal information of up to 70 million customers. This case provides a number of takeaways for businesses on how to manage privacy breaches. [Mondaq]

CA – Secrecy Often Chokes Off Public Information from Tribunal Hearings

When attending a public hearing at the Ontario Labour Relations Board, lots of personal information, including names and employment history, is said out in the open. All of this can be reported by the media. But trying to access the same documents that are relied upon in those hearings is an entirely different matter. Case in point: Toronto Star reporters had been researching [ Laborers’ International Union of North America (LiUNA) and its Local 183 ], including possible connections with organized crime. But their quest for documents [from the Ontario Labour Relations Board] that were filed at a public hearing turned into a legal and bureaucratic nightmare, and ultimately sparked the Star’s much broader legal challenge launched last week against secrecy in Ontario’s tribunals. The tribunal system was created to take cases out of the overcrowded court system, and into a more efficient process. But as mentioned in an editor’s note published last week when the Star launched its legal challenge, “tribunals appear, on the surface, no different than traditional courts — with adjudicators, hearing rooms, dockets and generally open hearings — but they depart dramatically from open court rules when it comes to providing records.” [The Star]

Consumer

US – New CDT Study Examines Data-Deletion ‘Disconnect’

The Center for Democracy and Technology’s new research paper, “Should it stay or should it go? The legal, policy, and technical landscape around data deletion,” examines the “disconnect” between how companies delete data and how its consumers understand what deletion means, the CDT’s Michelle De Mooy writes. While some companies have viewed data removal in the past as unfathomable, now embracing the practice could improve data quality. “As the novelty of big data wears off, companies are faced with enormous data holdings that present huge risks and high costs for them and their customers,” she says. “Not only do huge data stores generate costs and liability, they damage customer trust and loyalty, and make it much harder to find the data diamonds among the slurry.” [CDT.org]

E-Government

AU – Rogue Public Servants Stealing Information to Use in Court Cases

ROGUE public servants are snooping on people’s private lives and stealing information to use in court cases and neighbourhood disputes. Bureaucrats have accessed confidential databases to pay their own parking fines and road tolls using other people’s names and addresses, the state’s privacy watchdog revealed yesterday. Australian Privacy Commissioner Elizabeth Coombs warned gaps in privacy laws let nosy public servants and government contractors get away with shocking invasions of privacy. She wants to let victims sue individual workers, as well government agencies. In a new report to state parliament, Dr Coombs revealed personal information had been accessed and leaked for neighbourhood disputes and court cases, while health information had been stolen to use in family law cases or inheritance disputes. Dr Coombs wants the state government to give victims the right to lodge complaints against government agencies and private companies — as well as the employee who stole or leaked data. Dr Coombs said government agencies and private businesses were not required to report data breaches but had voluntarily notified her office of 50 violations in the past seven months. She said notifications had almost doubled in each of the past three years. [The Daily Telegraph]

Encryption

US – 25% of Healthcare Orgs Not Encrypting Patient Data in Cloud

While more healthcare organizations are considering some form of cloud computing, they might be putting sensitive information at risk by failing to encrypt patient data, according to a recent survey. HyTrust found that even though healthcare entities list security as a top concern in cloud migration, 25% that are already utilizing the public cloud report that they are not encrypting patient data. Even with the lack of encryption, 82% of those surveyed said that security was their top concern. The Department of Health and Human Services (HHS) released updated HIPAA cloud computing guidance toward the end of 2016. The goal was to assist covered entities, business associates, and cloud service providers (CSPs) in understanding how properly utilize cloud computing while still remaining HIPAA compliant. The agency added that covered entities and business associates can also store or process ePHI in a cloud service. The guidance also did not specifically require encryption for cloud computing, but it noted that it can significantly reduce the risk of data exposure. [HealthIT Security]

WW – Cellebrite Announces Product That Can Crack Locked Phones

Cellebrite has announced its Advanced Investigative Service tool can “unlock and extract” locked iPhones’ full file system, including those from the 6 and the 6+. “These capabilities dramatically increase law enforcement’s ability to access critical digital evidence and solve cases faster, by providing forensically sound access and extraction capabilities not found anywhere else in the industry,” the company said. “Furthermore, we now make the world’s first ‘decrypted physical extraction’ capability a reality for key iPhone and Samsung Android devices.” Their announcement comes a little over a year after Apple and the FBI’s clash over decrypting the San Bernardino shooter’s locked iPhone, which the agency was able to eventually do without the help of Apple. Meanwhile, the Princeton University Center for Information Technology Policy’s Edward Felten has released a paper called “Nuts and Bolts of Encryption: A Primer for Policymakers.” [CyberScoop]

EU Developments

EU – WP29 Releases Privacy Shield Rules of Procedure and Complaint Form

The Article 29 Working Party has released two forms related to the EU-U.S. Privacy Shield agreement. The rules of procedure for the “Informal Panel of EU DPAs” provides a road map for handling complaints under Shield. “The panel is competent for providing binding advice to the US organisations following unresolved complaints from individuals about the handling of personal information that has been transferred from” the EU under Shield. According to the document, the panel will attempt to provide advice for a complaint within 60 days after receipt. The group also released a form for submitting commercial-related complaints to EU DPAs. Though the use of the form “remains optional,” the document requests all of the necessary data for completing a request. In related news, the high stakes Facebook-Ireland court case continues. A lawyer for Facebook argued the EU would face an “enormous” crisis if it does not trade with countries that do not match its data-protection standards. [Irish Tmes]

EU – Article 29 Working Party Still Concerned With Windows 10 Privacy Settings

The Article 29 Working Party is still expressing concerns about the privacy settings within Microsoft’s Windows 10 operating system. The Working Party’s questions come a year after the group wrote to Microsoft voicing concerns with Windows 10’s default installation settings. “In light of the above, which are separate to the results of ongoing inquiries at a national level, even considering the proposed changes to Windows 10, the Working Party remains concerned about the level of protection of users’ personal data,” the group said in a statement. The group said it is still unclear to what extent users will be informed about the specific data Microsoft will collect, despite the changes to the installation process. However, the group also said Microsoft has been cooperative, and in January, Microsoft announced a new web-based privacy dashboard for users to see and control what data is collected about them. [Reuters]

UK – Privacy Office to Issue Consent Standard Guidance

The U.K. privacy office will issue guidance for companies on obtaining consent from consumers to use their data. In order to be legally sufficient, consent “will need to be freely given, specific, informed and unambiguous, and businesses will need to be able to prove they have it if they rely on it for processing data.” A check the box approach won’t be sufficient to show valid consent. The ICO also plans to publish GDPR-relevant guidance on individual profiling once the Article 29 Working Party of data protection officials from the 28 EU countries has completed updating its profiling guidance. [BNA]

EU – Other Privacy News

  • Security Intelligence reports, The U.K. Home Office has stalled data collection plans under the new Investigatory Powers law after a European Court of Justice Ruling. [Ars Technica]
  • The Article 29 Working Party has released two forms related to the EU-U.S. Privacy Shield agreement. The rules of procedure for the “Informal Panel of EU DPAs” and a form for submitting commercial-related complaints to EU DPAs.
  • European Data Protection Supervisor Giovanni Buttarelli outlined his agency’s top three strategic areas of importance for 2017. [More]
  • The Article 29 Working Party discussed announced that it will publish amended guidelines for the DPO, lead authority and data portability provisions of the General Data Protection Regulation by April at the latest. [More]

Facts & Stats

US – Survey: 26% of US Consumers Had Health Care Data Compromised

An Accenture survey found 26% of 2,000 U.S. consumers have had their health care information exposed in a data breach. Of those compromised, 36 percent said it happened at a hospital, with 22 percent stating the breach occurred either at an urgent care clinic or a pharmacy. The study found half the victims detected the breach on their own, normally through anomalies on their credit card statements. Only a third of the victims were alerted by the organization suffering the attack. Accenture’s health practice Managing Director of Cybersecurity Reza Chapman said, “Not only do health organizations need to stay vigilant in safeguarding personal information, they need to build a foundation of digital trust with patients to help weather the storm of a breach.” [SC Magazine]

US – One in Four U.S. Consumers Victim of Healthcare Data Breach: Accenture

Just over one in four U.S. consumers (26%) have had their personal medical information stolen from technology systems, according to results of a survey from Accenture released on Monday. [see 14 pg pdf here] [the] survey of 7,580 consumers aged 18+ to assess their attitudes toward healthcare data, digital trust, roles and responsibilities, data sharing and breaches. The online poll included consumers across seven countries: Australia, Brazil, England, Norway, Saudi Arabia, Singapore and the U.S. The survey was conducted by Nielsen on behalf of Accenture. In the U.S., half (50%) of 2,000 consumers polled who experienced a breach were victims of medical identity theft and had to pay approximately US$2,500 in out-of-pocket costs per incident, on average, Accenture said in a press release. [See here] [Canadian Underwriter]

Filtering

US – Digital Copyright Holders Want US ISPs to Filter Out Pirated Content

The Recording Industry Association of America (RIAA) and other digital copyright groups are asking U.S. legislators to require Internet service providers (ISPs) to filter out pirated content. Currently, the Digital Millennium Copyright Act (DMCA) offers ISPs safe harbor as long as they remove identified pirated content “expeditiously.” The groups say that the current DMCA notice-and-takedown process is “burdensome – and ultimately ineffective.” Forget DMCA takedowns – RIAA wants ISPs to filter for pirated content | RIAA, Other Copyright Holder Want ISPs to Introduce Piracy Filters

Finance

EU – European Supervisory Authorities Issue Joint Discussion Paper on the Use of Big Data by Financial Institutions

The European Securities and Markets Authority, European Banking Authority and European Insurance and Occupational Pensions Authority have issued a joint discussion paper on the use of big data by financial institutions: Comments must be submitted by March 17, 2017. Under the forthcoming GDPR, organisations will need to acknowledge the wide range of rights that will be afforded to consumers by implementing mechanisms to comply with a request for human intervention in profiling, and objection to a decision based on profiling, or profiling for direct marketing purposes; financial institutions must implement appropriate technical and organisational measures at the time the processing system is designed, and during the data processing. [ESMA, EBA and EIOPA – Joint Committee Discussion Paper on The Use of Big Data By Financial Institutions ]

FOI

CA – OIPC AB Slams Government for Poor State of Freedom of Information

Alberta’s information and privacy commissioner says [see PR here] the government of Premier Rachel Notley needs a top-down culture change to address a “lack of respect” for freedom of information. In the preface to one of two scathing investigation reports issued Thursday [see pdf’s here & here ], Commissioner Jill Clayton said the investigations uncovered a troubling attitude toward freedom of information (FOIP). for years, delays in processing these requests have grown steadily worse. Last year, Clayton ordered investigations into delays in processing FOIP requests from the Wildrose Party by Alberta Justice and Solicitor General, the Public Affairs Bureau, and Executive Council, which includes the premier’s office. The investigations by senior information and privacy manager Catherine Taylor [found a] main factor in the delays was simply the unwillingness of program areas to respond to requests for records from FOIP staff within the legislated timeframes. Taylor said she heard from FOIP staff that one contributing factor to the delays was “a lack of respect for the FOIP Act itself across pockets of the (Government of Alberta).” [CBC | Alberta privacy commissioner blasts government for ‘lack of respect for the FOIP Act itself’ | Alberta Education using FOIP laws to ‘prevent disclosure’: privacy expert | Alberta Justice hires Ontario lawyer to represent ministry in FOIP investigation | Waits for access to information get longer in Alberta, report finds | Access to information in Alberta nearing ‘crisis situation,’ FOIP commissioner says | Alberta MLA says request for documents detailing opioid deaths was rejected | Reality of Right to Know Week in Alberta is grim | Opinion: Citizens have the right to know what governments know about them | Calgary presses ahead with ‘Orwellian’ freedom of information policy draft ]

US – EPIC Handed FBI’s PIAs and Threshold Analyses in FOIA Request

The Electronic Privacy Information Center was handed two legal victories involving public access to the FBI’s record-keeping systems and their impact on privacy. EPIC originally filed the Freedom of Information Act requests in 2014 seeking the FBI’s privacy impact assessments and privacy threshold analyses of its databases containing personal information. The agency handed EPIC approximately 2,200 pages of “heavily” redacted pages on grounds they involved sensitive investigatory data. But in an “unusual” ruling Tuesday, U.S. District Court Judge Amit Mehta said the FBI failed to demonstrate the redacted information met a threshold test for exemption. The legal victory for EPIC, however, may be short-lived, as Mehta will give the agency and Justice Department attorneys another chance to defend the redactions. [Politico]

Genetics

CA – Does This Genetic Testing Bill Threaten The Insurance Industry?

Bill S-201, the Genetic Non-Discrimination Act, seeks to revise the Canada Labour Code and the Canadian Human Rights Act to make it illegal for employers, insurance companies and anyone else entering into a contract or providing goods or services to require anyone to undergo genetic testing or to disclose the results of a genetic test. The insurance industry, however, disagrees with the bill. It argues the legislation would impede Canadians’ access to insurance and severely compromise the industry’s viability. Others argue that the bill’s potential impact is much less: the Office of the Privacy Commissioner of Canada, citing 2011 and 2012 studies, has concluded the legislation “would not have significant adverse impact on the viability of the life and health insurance industry,” and that premiums would likely rise about three per cent overall, an increase the industry could absorb. [Benefits Canada | Life insurers’ new genetic test policy called an 11th-hour stalling attempt | Canadian insurance industry pens rules on use of genetic test results | Genetic discrimination private member’s bill pits Grit backbenchers against cabinet | Canada: Genetic Discrimination And Canadian Law | Genetic testing bill perpetuates myths and fears]

Health / Medical

US – $5.5M HIPAA Fine Shows Importance of Audit

Memorial Healthcare System, of Hollywood, Florida, has settled with the U.S. Department of Health and Human Services for $5.5 million following a HIPAA violation. It must also institute “a robust corrective action plan.” While Memorial did have access control policies in place, a former employee of an affiliated physician’s office was still able to access protected health information repeatedly, without detection, for a year, affecting 80,000 individuals. Acting HHS Office for Civil Rights Director Robinsue Frohboese said the settlement shows “organizations must implement audit controls and review audit logs regularly.” [HHS.gov]

Horror Stories

WW – Breach of Smart Teddy Bear Data Leaks 800,000 Users’ Info

Smart toy manufacturer Spiral Toy’s CloudPets database of 800,000 customer credentials and more than two million users’ messages was stored for a little over two weeks on an unsecured server and discovered by security researchers and potentially hackers. Researchers said that the exposed data has been overwritten twice. However, the company has not yet publicly disclosed the breach or notified victims. “They were very irresponsible because they had to know about this,” GDI Foundation’s Victor Gevers said. “People make mistakes. It’s the action that follows up which defines your character. Handling serious data leaks like this proves a lack of the right personality and then you should not be in this industry or in any in which you are responsible for such data.” [Motherboard]

Identity Issues

US – NY Bill Restricts Unlawful Use of a Driver’s License or Identification Card

S00271, relating to the unlawful use of a New York driver’s license or identification card, and amending the General Business Law, has been introduced in the New York Senate and referred to the Consumer Protection Committee: The act will take effect immediately upon being passed. An individual’s driver’s license or identification card may be scanned to verify the identify of an individual making a purchase or returning or exchanging an item, prevent fraud, or transmit information to a consumer reporting agency, financial institution, or debt collector; unlawful collection and use of a license or identification card is punishable by a civil penalty of not more than $1,000. [Bill S00271 – Unlawful Use of a New York Driver’s License or Identification Card]

US – Philly’s Municipal-ID Plan on Ice Over Privacy Concerns

When Mayor Kenney committed to launching a municipal ID program, he argued that having a photo identification card would improve the lives of undocumented immigrants living in the shadows. A year later, his plans are on hold amid concerns that the program could actually put undocumented immigrants at risk. The programs have always faced controversy. Some critics see the cards as a stealth path to legal status for undocumented immigrants. Even some immigration advocates have opposed the efforts. The New York Civil Liberties Union did not endorse the municipal ID card there, saying the city had not done enough to protect application documents from being used by law enforcement. That issue is now being tested [in an] ongoing fight in New York over the applications of nearly a million people issued municipal ID cards in the last two years. A judge recently blocked Mayor Bill de Blasio’s attempts to destroy the personal information on those applications. A bill introduced to the state Senate goes one step further, requiring the city to hand over the information to the U.S. Department of Homeland Security. Philadelphia officials are watching cautiously. [Philly.com]

WW – Researchers De-Anonymise Your Web Surfing Using Twitter Handles

Researchers have found a way to de-anonymise web surfing records. What if you could deduce a person’s identity by matching their anonymous web surfing with their social media timeline? What if, instead of a customer ID, you could replace it with their Twitter handle? Academics from Stanford and Princeton have done just that. Their research relies on the idea that people are more likely to follow links showing up on their social media feed, and in particular the links from people they follow on Twitter that show up in their feed. They reasoned that because the set of links in a Twitter feed is often unique, you can match it against links in an anonymous surfing history. The researchers found that they could identify more than 70% of volunteers on average. This isn’t just a theoretical exercise. The team built a system to de-anonymise web browsing histories in under a minute using the concept, proving that it’s workable in practice. Who else might use this information? The NSA, for one. It already tracks Google ads to find Tor users. The research points out that well-resourced adversaries could eavesdrop on network traffic to work out which domains a particular device is visiting (although thankfully HTTPS makes that more difficult). How can you stop this from happening? Tracker-blockers such as Ghostery, uBlock Origin or Privacy Badger can help, the researchers say, while not revealing your real-world identity on social media profiles is a useful albeit cumbersome form of protection. Given the recent actions of US border guards, the latter might be a good idea anyway. [NakedSecurity]

CA – New Online Survey Platform Complies With Canadian Privacy Laws

Surveypal, a San Francisco, Calif.-based online survey platform, has launched a business-level survey solution designed to be compliant with Canada’s Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA), which governs how organizations in the country collect, use and disclose personal information while doing business. In order to be compliant with these privacy regulations, all data collected by both public and private organizations must be stored within Canadian borders. Surveypal’s new data servers in Toronto guarantee that Canadian government agencies and businesses can collect data safely and legally. [ITWorld]

Internet / WWW

EU – ENISA Issues Guidelines for Digital Service Providers on Minimum Security Measures

The European Union Agency for Network and Information Security (“ENISA”) issues security guidance for digital service providers. Cloud providers, online market places and search engines are provided with 27 security objectives (e.g., information security policy, change management, and monitoring and logging), broken down by industry standard and state-of-the-art security measures to be implemented; by conforming to these security objectives, digital service providers will comply with ISO27001, BSI C5, CoBiT, NIST guidance and PCI-DSS, among other security frameworks. [ENISA – Technical Guidelines for the Implementation of Minimum Security Measures for Digital Service Providers]

WW – Cloudflare Bug Exposes Private Data

A bug discovered in Cloudflare’s software earlier in February accidentally exposed data like private messages on dating sites, frames from adult sites, and hotel bookings. “Unfortunately, it was the ancient piece of software that contained a latent security problem and that problem only showed up as we were in the process of migrating away from it,” said Cloudflare Chief Operating Officer John Graham-Cumming. The company has since fixed the issue, and Graham-Cumming said he wasn’t worried that the exposed data was misused. “I am not changing any of my passwords,” he said. “I think the probability that somebody saw something is so low it’s not something I am concerned about.” [BBC News]

Law Enforcement

US – Federal Court: Cops Can’t Just Walk Into a Building and Force Unlock iPhones With Fingerprints

Earlier this year, FORBES revealed a search warrant that allowed police to walk into a building and unlock all phones inside that could be opened with a fingerprint, including iPhones with Apple’s famous TouchID feature. Not long after, multiple other warrants allowing similar access were uncovered. At the time, lawyers declared the warrants overly broad. And now, in what may be a landmark decision, a federal court in Illinois has determined that feds could not proceed with such a search, saying the government needed to be more specific about the devices and data they wanted. [see here] Judge M. David Weisman wrote “This Court agrees that the context in which fingerprints are taken, and not the fingerprints themselves, can raise concerns under the Fourth Amendment. In the instant case, the government is seeking the authority to seize any individual at the subject premises and force the application of their fingerprints as directed by government agents. Based on the facts presented in the application, the Court does not believe such Fourth Amendment intrusions are justified based on the facts articulated,” He raised Fifth Amendment issues around self-incrimination too. Previously, courts had argued that fingerprints were not testimonial as they did not constitute a form of communication, so Fifth Amendment protections didn’t apply. “with a touch of a finger, a suspect is testifying that he or she has accessed the phone before, at a minimum, to set up the fingerprint password capabilities, and that he or she currently has some level of control over or relatively significant connection to the phone and its contents.” [Forbes | Judge: No, feds can’t nab all Apple devices and try everyone’s fingerprints | Minnesota court on the Fifth Amendment and compelling fingerprints to unlock a phone | Court rules against man who was forced to fingerprint-unlock his phone | Here’s Why Feds Are Winning The Fight To Grab iPhone Passcodes And Fingerprints | Cops Could Force Google Pixel Users To Voice-Unlock Their Phones | Feds Walk Into A Building, Demand Everyone’s Fingerprints To Open Phones | How the Feds Justify Collecting Fingerprints to Unlock Everyone’s Phones | Can warrants for digital evidence also require fingerprints to unlock phones? | For the First Time, Federal Judge Says Suspect Must Use Fingerprint to Unlock Smartphone | Search Warrants Could Force You to Unlock Your iPhone via Touch ID ]

UK – Proposed Legislation Would Allow Justice Secretary to Order the Use of IMSI Catchers Around Prisons

Legislation introduced in British Parliament would allow the use of IMSI catchers, or cell-site simulators, around prisons. The Justice Secretary would have the authority to order mobile networks to deploy the technology near prisons to prevent, detect, or investigate the use of mobile phones in prisons. Currently, the technology can be used only within prison walls and must be commissioned by prison governors. New prison law will let mobile networks deploy IMSI catchers | New bill to allow prisons to deploy IMSI catchers outside of prisons ]

Location

US – Legislators Introduce Bills to Curtail Access to Geolocation Data Without a Warrant

Bills introduced in the U.S. House and Senate aim to establish rules regarding law enforcement agencies’ access to geolocation data. The Senate’s Geolocation Privacy and Surveillance Act would establish rules for when law enforcement agencies may access geolocation data. The House’s Cell Location Privacy Act of 2017 would require law enforcement to obtain a warrant prior to the use of cell-site simulators with exceptions for certain emergencies. Proposed federal law demands probable-cause warrants for geolocation data | Legislation revived to curb warrantless geolocation tracking ]

Online Privacy

WW – Goodbye Privacy, Hello Personalisation

A new study of Millennials across four countries suggests that the future of digital devices, apps and services is going to be personal, public and artificially intelligent. Top of the list is greater personalization. Nearly 60% of respondents said they’d be happy to pay for services that exactly reflect their needs, and 71% said they’d be willing to sacrifice data anonymity in return for it. Taking customisation a step further, 53% of those polled said that they’d be willing to pay for a mobile service that doubled as a personal assistant or concierge service. Four-in-ten also want such services to be intuitive — whether it be setting up and inviting people to a meeting or automatically posting certain types of content to social media for instance. That level of intuition is only possible via artificial intelligence. [AFP Relaxnews]

Open Government

US – Harvard Issues Privacy Guide for Cities and Open Data Initiatives

For any city, open data is a double-edged sword; the most useful information can also be the most sensitive. To help officials balance the risks and benefits, researchers at Harvard University have created a playbook for open data, complete with best practices, examples of what has and hasn’t worked so far, and a thorough checklist of what to consider when embarking on a new data project. The playbook makes four main recommendations for technology officers in the municipal government, and each is broken down into “here’s what you need to know, here’s what you need to do, and then here’s how you do it.”

  1. Find the balance between risk and value: Zero risk is impossible. But according to the researchers, the trick is to find a level of risk that officials and the public are willing to accept. That can be done by conducting thorough risk-benefit analysis before designing any data sharing program. In determining the value, the key question to ask is who will use the data, who benefits from it, and how.
  2. Consider privacy at each stage of the data lifecycle: That lifecycle includes data collection, maintenance, release, and retirement—when unpublished data should be removed because it’s no longer relevant. It’s typical for cities to think about privacy only when data is about to be released, but those concerns should be considered at the very first stage.
  3. Develop a structure for privacy management: “The harder challenge is developing the internal and operational expertise, and valuing protecting privacy as an essential component of open data program,” The researchers call for cities to develop their own privacy standards and establish a formal process for releasing data.
  4. Keep the public informed: Nearly 80% of Americans are concerned about government surveillance, according to Pew surveys cited in the report. So the researchers stress the need for cities to engage the public, to earn its support by showing how open data has benefited the city and gaining trust by being transparent about the entire process. [citylab.com]

Privacy (US)

US – Sen .Wyden to Introduce Legislation Limiting Phone Searches at Border

“I intend to introduce legislation shortly that will guarantee that the Fourth Amendment is respected at the border by requiring law enforcement agencies to obtain a warrant before searching devices, and prohibiting the practice of forcing travelers to reveal their online account passwords,” Wyden wrote in a letter [see here ] to Department of Homeland Security Secretary John Kelly, condemning the practice. Wyden’s letter also requests that Kelly respond to questions about the legal authority and frequency of such searches by March 20, 2017. [Meritalk | Wyden objects to DHS password collection plan | Sen. Wyden Calls for Warrants for Tech Searches on the Border | A US-born NASA scientist was detained at the border until he unlocked his phone | Complaints Describe Border Agents Interrogating Muslim Americans, Asking for Social Media Accounts | Will US border officials demand social network handles from visitors? | Wyden Pushes for Warrants for Phone Searches at US Border ]

WW – What Makes A Great DPA?

The global population of privacy and data protection regulators is understandably diverse. Some data protection agencies are still in their infancy, established by brand-new laws. Others have robust histories of enforcement and deep, experienced staffs. But what makes a regulatory agency effective? Is it experience, approach, philosophy, the law that creates it? Such are the questions explored in a new report authored by the U.S. Chamber of Commerce and Hunton & Williams, “Seeking Solutions: Attributes of Effective Data Protection Authorities.” The 40-page white paper identifies seven key traits that effective DPAs share and offers examples of how those traits play out in the real world. [Full Story]

RFID / IoT

WW – Samsung Warns Customers Not To Discuss Personal Information in Front of Smart TVs

Samsung has confirmed that its “smart TV” sets are listening to customers’ every word, and the company is warning customers not to speak about personal information while near the TV sets. The company revealed that the voice activation feature on its smart TVs will capture all nearby conversations. The TV sets can share the information, including sensitive data, with Samsung as well as third-party services. The news comes after discovery of a troubling line in Samsung’s privacy policy: “Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party.” Samsung has now issued a new statement clarifying how the voice activation feature works. The company added that it does not retain or sell the voice data, but it didn’t name the third party that translates users’ speech. [The Week]

Security

CA – CSA Publishes Expectations for Cyber Security Risk Disclosure

The results of the Canadian Securities Administrators’ (CSA) review of the cyber security risk disclosure of S&P/TSX Composite issuers were recently reported by the the Autorité des marchés financiers, the Ontario Securities Commission and the B.C. Securities Commission in CSA Multilateral Staff Notice 51-347 (the Notice). Focused particularly on risk factor disclosure and disclosure of cyber security incidents, the CSA’s review follows last year’s publication of CSA Staff Notice 11-332 Cyber Security, which reiterated that cybersecurity would continue to be one of the CSA’s priorities through 2019. With respect to risk factor disclosure, the CSA focused on three topics: 1) the disclosure of the risk itself; 2) the disclosure of potential impacts of a cyber security incident; and, 3) the disclosure of governance practices and cyber security risk mitigation. [Canadian Securities Law] New York’s mandated cybersecurity regulations for banking and financial services are set to go into effect March 1. [SC Magazine]

US – Data-Related Jobs See Huge Growth in January Hirings

The information technology sector added 1,200 data-related jobs in January, more than four times the average monthly gain for all of 2016. “An analysis of U.S. employment numbers by the Bureau of Labor Statistics reveals a net increase of 7,000 information technology jobs in January 2017 across four industry job segments commonly associated with technology professionals.” Those four job segments are: 1) Management/technical consulting services; 2) Computer systems design/related services; 3) Telecommunications; and, 4) Data processing/hosting/related. [Source]

US – Less Than 25% of Cybersecurity Job Applicants Are Qualified

According to a report from ISACA, fewer than 25% of applicants for cybersecurity positions are qualified for the job. More than half of available positions take from three to six months to fill. The report notes that hands-on experience is more important than training. [Fewer Than One Fourth Of Cybersecurity Job Candidates Are Qualified | Growing security skills gap raising fears of cyberattacks

CA – 50% of Canadian Executives Say Their Businesses Were Hacked Last Year

A new survey [see here ], conducted by Ipsos Canada found that nearly 60% of Canadian small business owners and C-suite executives either suspect or know for certain they were the victims of an external cyberattack during the last year, with 50% of C-suite executives indicating that they know for certain that their company experienced a breach. An additional three in 10 suspected their company was the victim of a breach in the past year, but didn’t know for certain. And despite the overwhelming evidence indicating otherwise, eight executives in 10 reported being confident in their business’s ability to prevent an external hacking attempt, while 93% of survey respondents indicated confidence in their ability to protect customer data. [ITWorld | Canadian infosec pros still too confident they can protect enterprise, says Accenture ]

Smart Cars

US – Privacy Makes IoT Toy Innovation Difficult, Say Developers

Smart toy developers must walk a “fine line” between technological innovation, protecting children’s privacy, and complying with the laws that regulate it. For many toymakers, privacy considerations are a considerable roadblock. “To take smart toys to the next level of engagement and give kids what they want, you have to take data and create an engaging experience that’s connected to their friends and based on their persona,” said Dynepic CEO Krissa Watry. She added that requirements for children’s privacy in the tech sphere were a “massive burden for toy companies.” She’s not alone. “Companies have been moving cautiously when it comes to smart toys because children’s privacy gets a great deal of scrutiny.” [CNet ]

US – Used Connected Cars Pose Security Risk: RSA

IBM’s Charles Henderson told an audience at the RSA Security Conference in San Francisco how he was able to remotely access systems on a car he had traded in several years earlier. Even though Henderson did a factory reset to remove all personal data from the car before he sold it, the car remained connected to the app on his phone. Even when the app is deleted from a phone, information still in the cloud is not as simple to delete. Connected car in the second-hand lot? Don’t buy it if you’re not hack-savvy | Warning on used on cars failing to forget old owners | IBM Reveals Security Risks to owners of Previously Owned IoT Devices | Android Phone Hacks Could Unlock Millions of Cars | Android apps create theft risk ]

Surveillance

US – Judge: FBI’s NIT Warrant Invalid, IP Addresses Have Expectation of Privacy, But No Suppression Granted

Thanks to the FBI’s one-to-many NIT [Network Investigative Technique see here] warrant, which was issued in Virginia but reached thousands of computers all over the world, yet another federal judge is dealing with the fallout of the feds’ efficiency. Michigan federal judge Thomas Ludington finds plenty he doesn’t like about the FBI’s malware and the DOJ’s defense of it, but still can’t quite find enough to warrant suppression of the evidence [PDF link]. That being said, the opinion does offer plenty of counters to the DOJ’s legal rationale. The court, like others, finds the FBI exceeded the jurisdictional limitations of Rule 41 [see here ] and no amount of creative phrasing is going to change that. In the future, the FBI won’t have to deal with nearly as many suppression hearings, thanks to changes to Rule 41. These decisions are becoming relics of statutorial limitations almost as soon as they’re issued. Even if courts find the malware deployment to be a search invasive enough to trigger Fourth Amendment protections, the lack of jurisdictional limits going forward will prevent them from being challenged. [Techdirt | Firefox users left feeling vulnerable as judge keeps Tor hack under wraps | Privacy Watchdogs Vow to Fight ‘Dystopian’ Rule 41 | This rule change just made it easier for the government to hack you, wherever you are]

UK – Cameras in Classrooms: Invasion of Privacy or Future of Teaching?

In a world-first, two British schools are trialling body-worn video cameras for teachers, triggering outrage among privacy campaigners. For their part the teachers have been kitted out with cameras that can be activated at the touch of a button to record “incidents” or bad behaviour among pupils in class. Footage is then securely stored online for a month, before being deleted. Privacy campaigners are already rallying against the cameras as yet another intrusion. However, surveillance has been shown to be effective in policing. Over 20,000 body-worn cameras have been given to Met police across London, with thousands more being rolled out across the UK. “We’ve noticed huge drops in complaints against police officers, because people knew their actions are recorded, people generally calm down quicker and become more apologetic because of the cameras… We’re expecting to see similar outcomes in education.” [The Memo]

Telecom / TV

WW – Mobile-Based Spyware for Consumers Is Powerful and Cheap

A Motherboard reporter tested spyware software that uses an SMS message to access the user’s camera, GPS and microphone, allowing the spy to hear the conversation of the person being surveilled. These types of software are easily available for both iPhone and Android users for $170 or less. These products are vastly unregulated and “can be extremely potent.” While governments use similar malware, this “consumer spyware is not marketed to governments. Instead, many of the companies explicitly gear products toward jealous lovers — especially men — who want to monitor their spouses.” [Motherboard]

US Government Programs

US – Homeland Security’s New Privacy Review Process to Tighten Programs

The Department of Homeland Security has issued an official policy on its new Privacy Compliance Review process, which aims to help improve the agency’s methods for documenting compliance efforts and their efficacy. A PCR might be used, for example, to revisit an already-conducted Privacy Impact Assessment to evaluate how things are working, examine any changes that may have taken place within the privacy program since the PIA was conducted, and ensure the program is still effective. [IAPP]

US – Legislators Question Use of Secure Messaging Apps at EPA

U.S. legislators are seeking an inquiry into reports that staff at the Environmental Protection Agency (EPA) are using end-to-end encrypted messaging apps to communicate. The legislators say that the use of the apps such as Signal runs afoul of federal record-keeping requirements, which demand transparency. In a related story, reports suggest that “numerous senior GOP operatives and several members of the trump administration” may be using the Confide app, which also uses end-to-end encryption. Confide messages self-destruct GOP demands inquiry into EPA use of encrypted messaging apps | House members: EPA officials may be using Signal to “spread their goals covertly | Republicans send anti-Signal signal to US EPA | Self-destructing messages won’t fly in government | Washington Elites Use Secure Messaging Apps to Keep or Leak Secrets]

US Legislation

US – Legislative news

  • U.S. House Judiciary Committee Chairman Bob Goodlatte, R-Va., has set the committee agenda for the year, underscoring the importance of the Email Privacy Act. [The National Law Review]
  • Sen. Ron Wyden, D-Ore., Rep. Jason Chaffetz, R-Utah, and Rep. John Conyers, Jr., D-Mich., introduced the Geolocation Privacy and Surveillance Act, designed to create rules for when agencies can track and access a citizen’s geolocation data. [More]
  • Republican lawmakers are preparing to make a legislative move to overturn the Federal Communications Commission’s broadband privacy rules following requests from ISPs to undo the legislation. [More]
  • Sen. Ed Markey, D-Mass., and five public interest groups are rallying against Republican lawmakers’ push to overturn FCC broadband privacy rules using the Congressional Review Act. [Broadcasting Cable]
  • U.S. Republican Reps. Justin Amash, R-Mich., and Thomas Massie, R-Ky., have introduced legislation to repeal the Cybersecurity Act of 2015. [The Libertarian Republic]
  • A Colorado bill to eliminate a loophole allowing government agencies to access certain emails without a warrant has died in committee. [The Durango Herald]
  • A Georgia state Representative has introduced the Social Media Privacy Protection Act, which would prohibit employers from demanding access to employees’ social media accounts. [More]
  • A Missouri bill that aims to help bring the state in compliance with the REAL ID Act passed the House. [St. Louis Post-Dispatch]
  • The Article 29 Working Party is planning to formally petition the Trump administration to clarify the executive order’s impact on Shield in the upcoming days. [BNA]
  • New Mexico’s Senate unanimously approved the Electronic Data Privacy Act, which would block the use of cell site simulators and ban law enforcement agencies from accessing electronic communications data from service providers without a warrant. [The Tenther]
  • A Florida court has struck down parts of a law restricting doctors from asking patients about gun ownership, saying it violates the doctors’ First Amendment rights. [More]
  • Georgia’s State Senate has passed a law that would make “upskirting” illegal in the state. It now goes to the House. [More]
  • A Massachusetts senator has introduced a bill to require law enforcement to get a warrant before accessing data collected through automatic tolls in the state. [More]
  • Massachusetts Rep. Kate Hogan, D-Stow, has introduced a bill that would protect confidential information from being shared when multiple people are on the same plan. [More]
  • JDSupra offers part two of its U.S. state privacy and data security laws. [More]

 

+++

4-15 February 2017

Biometrics

US – Fingerprinting for Federal Contractors Takes Effect Feb. 1

The RCMP is ending its old practice of checking criminal history using a person’s name. New contractors taking on work with the federal government will have to submit their fingerprints electronically to the RCMP as of Feb. 1, so the law enforcement agency can run a criminal record check in its database. Public Services and Procurement Canada said it needs to make the change because the RCMP is ending its old practice which sometimes led to problems because names could be misspelled, too common or swapped for nicknames. The new rules apply to all levels of clearance, from the basic “reliability status” to “top secret.” In some ways, it’s an expansion of a controversial new standard for public servants that is nearing the end of a three-year rollout that began in October 2014. That policy requires all federal employees to submit to an updated security screening, including credit checks and fingerprinting. [see here & here ] The Office of the Privacy Commissioner of Canada doesn’t have a problem with fingerprinting, in general. “I can tell you that our office believes that the use of fingerprints for a criminal record check is appropriate to ensure authentication,” wrote a spokesperson. “We understand that fingerprints submitted for security screening will be destroyed after the check is complete.” [CBC News]

CA – Feds Lobbying Against Trump Push for Biometric Screening for U.S. Visitors

Canada has launched a behind-the-scenes lobbying campaign against a push by Donald Trump to subject all visitors to the United States to biometric screening – such as finger-printing, retina scans or facial recognition tests – upon both entry and exit. Public Safety Minister Ralph Goodale raised the issue during a phone call with John Kelly, the new U.S. Homeland Security Secretary, Mr. Goodale’s office confirmed. The lobbying effort will likely be aimed not just at Mr. Kelly and other members of Mr. Trump’s administration but also at members of Congress, who would need to approve large related expenditures in order for implementation to proceed. To the extent the US has monitored who is exiting, other than a few biometric pilot projects, it has been through other measures – including an agreement with Canada, struck in 2011, in which the two countries inform each other when visitors return home. Ottawa appears optimistic that the success of that recent data-sharing will help it make the case that Canadians should be exempted from any new entry-exit measures. But it is also struggling with unpredictability of a new presidential administration that has thus far displayed very different priorities from any previous one. [G&M]

Big Data

WW – ACM Council Releases Seven Principles to Handle Algorithm Biases

The ACM US Public Policy Council released their “Statement on Algorithmic Transparency and Accountability,” including seven principles organizations should follow to address potentially harmful biases stemming from using algorithms. The seven principles include users of analytic systems maintaining awareness of biases arising within their design, institutions maintaining accountability for the decisions they make based on their algorithms, and ensuring all decisions are recorded in case an audit is conducted in the event harm is suspected. “Following these principles cannot guarantee that there will be no biased algorithms or biased outputs,” ACM US Public Policy Council Chair Stuart Shapiro said in a press release. “But they will serve to keep computing professionals on the lookout for ways biases could creep into systems and provide guidelines on how to minimize the potential for harm.” [Techpolicy]

WW – Pew, Elon Examine the ‘Age of Algorithms’

A newly released Pew Research Center and Elon University’s Imagining the Internet Center study on algorithms and the future hinges on the question, “Will the net overall effect of algorithms be positive for individuals and society or negative for individuals and society?” Pew Research Center reports that of 1,302 respondents, 38% answered algorithms would positively impact society, 37% answered they would have a negative impact, and 25% felt that their consequences could be evenly split. Among the potential pitfalls identified in the study is the way algorithms can create hyper-specific profiles of internet users, without those users having an ability to see how they were identified or targeted. “‘Algorithmic transparency’ should be established as a fundamental requirement for all AI-based decision-making,” said the Electronic Privacy Information Center’s Marc Rotenberg. “There is a larger problem with the increase of algorithm-based outcomes beyond the risk of error or discrimination — the increasing opacity of decision-making and the growing lack of human accountability.” [Pew Internet]

WW – Uber Is Making Ride-Booking Data Publicly Available

Uber recently debuted a new online tool called Movement, which provides data like ride durations between two points, based on GPS information. The tool is a dream for city planners and local governments, who can use it to learn more about commute patterns, and target infrastructure projects. And in the coming months, Uber wants to make Movement accessible to everyone. It’s a gift, for certain. But some privacy experts worry the new tool could be a Pandora’s box. “Key, of course, to all of this, is, ensuring that the privacy of individual user data will be protected,” says Marc Rotenberg, president of the Electronic Privacy Information Center.If it turns out that Uber’s ride information can’t be de-identified, for sure, Rotenberg says the data dump could open the door to a host of other serious concerns. “You have to be considering everything from surveillance, stalking, cyberhacking, credit card theft, identity theft, financial fraud,” he says. “There’s a long list of potential risk to the users of the Uber service, and that’s why you need to deal with a threshold problem, which is the de-identification issue.” [PRI.org]

Canada

CA – Court Awards Damages Against a Foreign Website Over PIPEDA

In a recent decision, A.T. v Globe24h.com, 2017 FC 114, Canada’s Federal Court asserted jurisdiction over a foreign-based website that republished Canadian court and tribunal decisions from Canadian legal websites and allowed them to be indexed and rendered searchable on Google and other search engines. The Court declared that the owner and operator of the website, based in Romania, contravened the provisions of the federal private sector privacy legislation (the Personal Information Protection and Electronic Documents Act – PIPEDA), by collecting, using and disclosing online personal information contained in publicly available legal decisions for inappropriate purposes, and without the consent of the individuals concerned. The Federal Court of Canada has previously determined that PIPEDA will apply to a foreign-based organization where there is evidence of a sufficient connection between the organization’s activities and Canada. The relevant connecting factors include: a) the location of the target audience of the website; b) the source of the content on the website; c) the location of the website operator; and, d) the location of the host server. The Court noted that Romanian authorities had cooperated with the Privacy Commissioner’s investigation, and had taken action to curtail Globe24h’s activities including by issuing a fine against it for contravening Romanian data protection laws. However, this fact did not prevent the Court from asserting jurisdiction over the matter, on the basis that the Court’s findings would complement rather than offend any action that taken in a Romanian court. While the monetary damages awarded in this case were modest, the Court sent a clear signal that damages will be awarded where the privacy rights of Canadians are disregarded in the pursuit of profit, in a manner that is non-compliant with Canadian privacy laws. The decision emphasizes that available exemptions under PIPEDA are limited and specific, and will be interpreted narrowly in order to afford maximum protection to individual privacy interests. [Gowling | PIPEDA’s global extra-territorial jurisdiction: A.T. v. Globe24h.com | When are public documents too public?: A.T. v. Globe24h.com tests the limits ] [PIPEDA’s global extra-territorial jurisdiction: A.T. v. Globe24h.com | When are public documents too public?: A.T. v. Globe24h.com tests the limits | Michael Geist: Canadian Court Makes ‘Landmark’ Ruling That Could Establish Its Own Right To Be Forgotten]

CA – The New U.S. Executive Order: Effects on Canadian Privacy Laws and Cross Border Data Transfers

President Donald J. Trump’s executive order issued January 25, 2017, contained one little paragraph with big words about Canadians’—and other non-U.S. citizens’—privacy: [see Section 14 here ] This paragraph has triggered alarm in some corners of the Internet. However, on closer inspection, it doesn’t appear to change much, at least legally speaking and from a Canadian private-sector perspective. The executive order has no direct impact on the treatment of personal information by the private sector. In particular, the order does not appear to change the circumstances in which US law enforcement or security agencies can compel private actors to disclose information about Canadians (or other non-U.S. citizens). The effect of the executive order on Canadian regulators’ views of cross border information transfers in the private sector is uncertain at this point in time. Canadian regulators generally require Canadian organizations to disclose the consequences of information sharing across national borders and it is currently unclear what, if any, effect, the executive order have on those disclosures. While President Trump’s executive order may not have altered substantive legal protections for personal information, it has clearly attracted public attention to the issue. Moving forward, it appears likely that the public will pay increased attention to cross-border information-sharing with the U.S.—a development of which organizations should remain cognizant. [Canadian CyberSecurity Law | Canadians’ personal data at risk thanks to U.S. executive orders | Canadians’ Internet Data Affected As Trump Cancels Privacy Rules | Trump’s Executive Order Eliminates Privacy Act Protections for Foreigners | One quarter of Canadian online traffic vulnerable to NSA sweeps: researchers

CA – Trudeau’s Bill C-23 Gives US Border Agents Spooky New Powers

U.S. border guards would get new powers to question, search and even detain Canadian citizens on Canadian soil under a bill proposed by the Liberal government. Legal experts say Bill C-23 [see here ] will give new powers to U.S. border guards to question, search and even detain Canadian citizens on Canadian soil. It could also erode the standing of Canadian permanent residents by threatening their automatic right to enter Canada. It takes away important rights found in the existing law and raises the prospect of a Canadian being arrested simply for deciding he or she has had enough with a certain line of questioning. Under the existing law, a strip search can only be conducted by a Canadian officer, though a U.S. officer can be present. Greene points out C-23 says if a Canadian officer is unavailable or unwilling, the U.S. officer can conduct the search. “So you could have a circumstance where the Canadian officer says, ‘No I don’t think a search is warranted here. I’m not willing to do it.’ But the U.S. officer just says, ‘Fine, we’re going to do it anyway.’” [CBC News See also: Your rights at the U.S. border: Three perspectives | Trump’s travel ban could run up against Canada’s pre-clearance agreement with U.S. | Is The Border Safe? US Could Detain Canadians In Canada Under Bill | A Guide to Getting Past Customs With Your Digital Privacy Intact | New border bill allows sharing of biographic data | New bill would allow border guards to collect biographic data on those leaving Canada | Op-Ed: Canada to share information with U.S. on land border crossers]

CA – Yukon IPC Believes Government ATIPPA Review Would Reduce Individuals’ Privacy Rights

The Information and Privacy Commissioner in the Yukon has commented on the review of the Access to Information and Protection of Privacy Act conducted by the Minister of Highways and Public Works. The review indicated that ‘personal information’ was defined too broadly; however, the definition is similar to other federal and provincial privacy laws, and it is unclear how the definition could be narrowed without a negative impact on individuals’ right to informational privacy. Any difficulties the public has in verifying what their information is being used for, or the accuracy of personal information held by public bodies can be resolved through better notice to individuals, and better procedures to ensure information collected is accurate. IPC Yukon – Comments on the ATIPPA Review Report Issued by Yukon Government in December 2016 | Press Release ]

CA – OIPC SK Issues Guidance on the Determining Who is a Trustee of Personal Health Information

A review by the Office of the Information privacy Commissioner of the trustee requirement under the Health Information Protection Act. The Trustee is the physician or organization that has custody (i.e. physical possession) and control (i.e. authority to manage use, disclosure and retention) of records containing PHI; to prevent confusion and disputes about who is the Trustee, physician associations or business corporations should have written agreements in place that clearly spells out which party (i.e. the entity or each physician) is considered the Trustee. [“A” Trustee vs. “THE” Trustee – Office of the Saskatchewan Information and Privacy Commissioner]

CA – OIPC NS Alarmed by Surveillance Camera Findings

The Office of the Information and Privacy Commissioner for Nova Scotia recently found 98 video surveillance cameras located on downtown streets in Halifax, Sydney, Kentville, Windsor, Digby and Yarmouth. Nova Scotia Privacy Commissioner Catherine Tully said about three-quarters of the cameras are owned by private businesses, while the others belong to the government, libraries, and Crown corporations. Tully’s office sent out a survey to 53 cities and towns in Nova Scotia, with 25 responding. Tully has expressed alarm with some of the findings. “It certainly heightened my concern, mainly because not only did they have cameras, very few had privacy policies,” Tully said. “Just six said they had privacy policies and none had conducted what we call a privacy impact assessment.” [CBC News]

CA – Class Action Lawsuit Granted in Quebec for Damages from Data Breach

The Court considered Target Corporation Inc.’s motion to dismiss a class action lawsuit filed by Evan Zuckerman for lack of jurisdiction. The expense incurred by an individual in Quebec for credit monitoring was sufficient for a Quebec court to establish jurisdiction; regardless of potential lawsuits in US courts, the lawsuit will proceed in a Quebec court because the plaintiff, his witness, and approximately 60,000 class members reside in Quebec. [Zuckerman c. Target Corporation – 2017 QCCA 110 CanLII – Superior Court of Quebec]

CA – BC Premier Clark: We’ll Fire Anyone Involved With Breach

A breach of PharmaNet, the system used to track information regarding prescription drugs, has British Colombia’s Premier Christy Clark “profoundly disturbed.” With 7,500 citizens affected, Clark said, “If anyone in the government, anyone in the employ of the public service, anyone who gets their fees from the government is found to be responsible for this, they will be fired immediately.” The issue, uncovered by a vendor contracted to identify unusual activity in the system, is being mitigated with help from the British Columbia Office of the Information and Privacy Commissioner. Acting Information and Privacy Commissioner Drew McArthur said he would liked to have seen quicker work: “It took them several months to get the notification letters out. We would have preferred that they notified people earlier, so that people can start to take action to protect their personal information.” [Global News] [PharmaNet breach compromises personal information of 7,500 B.C. residents, says province]

CA – BC Lib’s Consultation Effort Over Provincial Records Lampooned

The B.C. government is asking the public to weigh in on new rules for how the province handles its records. But critics say the exercise is meaningless without requiring the government to create records in the first place – a so-called “duty to document” that has been repeatedly recommended but ignored by the province. The former privacy commissioner, Elizabeth Denham, also called for a “duty to document” requiring government workers to keep records, after discovering that many Freedom of Information requests were coming back empty. In 2015 [she] released a scathing report on the government’s actions to frustrate public requests for information, including the deletion of records. A former government staffer was later charged and pleaded guilty. Ms. Clark appointed a previous privacy commissioner, David Loukidelis, to review the commissioner’s report. Mr. Loukidelis made 27 recommendations, including penalties for destruction of records. He, too, recommended a “duty to document.” [G&M]

E-Government

EU – Netherlands Will Count Ballots by Hand

The Dutch government has said that ballots in the country’s parliamentary election scheduled for March 15, 2017, will be counted by hand to assuage concerns that digital tabulation systems could be compromised. Intelligence agencies have cautioned that elections in France, Germany, and the Netherlands could be at risk of manipulation. Watch This Security Researcher Hack a Voting Machine | Paperless voting machines a hacking risk | Edward Snowden Demonstrates How Easy It is to Hack a Voting Machine – All for Just $30 | Dutch will hand count ballots due to hacking fears | Dutch revert to an all-paper ballot, fearing election hack | Netherlands reverts to hand-counted votes to quell security fears]

CA – DVD Containing Tax Info on 28,000 Yukon Citizens Lost

The Canada Revenue Agency announced a courier company has lost an encrypted DVD containing the tax information of nearly 28,000 Yukon taxpayers. The CRA released a statement saying it has been made aware of the lost DVD, but did not identify when the incident occurred. The CRA has notified the Office of the Privacy Commissioner of Canada, while the courier service has commenced a search for the missing DVD. “At this time, there is no indication that the data has been accessed or used,” the CRA release states. “And given the strong security measures in place, the risk is thought to be very low that the taxpayers’ information would be compromised even if an unauthorized individual were to gain possession of the DVD.” [CBC.ca]

CA – Windsor Councillor Calls for Drone Use Regulations

Windsor Councillor Irek Kusmierczyk is pushing for specific rules concerning drone use in city parks, citing privacy and safety concerns. Kusmierczyk said individuals using remote control airplanes and similar devices must get a permit from the city. Kusmierczyk wants to ensure drone use does not make citizens uncomfortable. “They don’t want to have somebody snapping their pictures, taking photographs of their children playing soccer or baseball or in festivals,” he said. “I just want to make sure we’ve got coverage in terms of finding that right balance, where we don’t dissuade people from using drones, but we do protect residents that do utilize the parks.” [CBC News]

E-Mail

US – Judge Breaks Precedent, Orders Google to Give Foreign Emails to FBI

A potentially major blow for privacy advocates occurred when a U.S. magistrate [Judge Thomas Rueter in Philadelphia] ruled against Google and ordered it to cooperate with FBI search warrants demanding access to user emails that are stored on servers outside of the United States. The case is certain to spark a fight, because an appeals court ruled in favor of Microsoft in a similar case recently. In the ruling against Google, Judge Rueter is arguing that even though “the retrieval of the electronic data by Google from its multiple data centers abroad has the potential for an invasion of privacy, the actual infringement of privacy occurs at the time of disclosure in the United States.” It’s unclear if that decision means that evidence from a foreign server would be a violation of privacy if disclosed in a U.S. court of law. Clarity is what tech companies and privacy advocates have been pushing for over the years. Both the Microsoft and Google cases relied on warrants issued under the Stored Communications Act from 1986. The search giant released a statement today saying, “The magistrate in this case departed from precedent, and we plan to appeal the decision. We will continue to push back on overbroad warrants.” Gizmodo | Reuters | US judge orders Google to hand over data to the FBI from overseas emails | Google must turn over foreign-stored emails pursuant to a warrant, court rules | Microsoft’s cloud privacy battle may go to US Supreme Court | Court Declines to Reconsider Microsoft Email Seizure Ruling | Court Keeps Microsoft’s Irish Servers Safe From U.S. | US government wants Microsoft ‘Irish email’ case reopened  | Lawmakers question DOJ’s appeal of Microsoft Irish data case | Microsoft Cloud Warrant Case Edges Closer to Supreme Court | Reuters: Court Rules Google Must Turn Over Emails Located on Foreign Server]

Encryption

US – Minnesota State Court Upholds Compelled Unlocking of Criminal Defendant’s Cellphone

A Minnesota State court rules on a criminal Defendant’s appeal of his convictions partially based on evidence seized from his mobile phone. The Defendant’s Constitutional rights were not violated when a district court ordered him to provide his fingerprint so police could search his cellphone; the Defendant was not required to disclose any knowledge he might have (it was akin to standing in a lineup), and the district court did not ask Defendant whether his prints would unlock the phone or which print would unlock it (he asked which finger police wanted when he was ready to comply with the district court’s order, and he did not object at the time). [State of Minnesota v. Matthew Vaughn Diamond – A15-2075 – State of Minnesota In Court Of Appeals]

EU Developments

EU – Buttarelli Outlines EDPS’ Top Priorities for 2017

European Data Protection Supervisor Giovanni Buttarelli outlined his agency’s top three strategic areas of importance for 2017. The three areas include ensuring electronic communications receive the appropriate levels of privacy and protection, specifically within the context of the ePrivacy Directive; working toward a new framework for the EDPS; and contributing to a Security Union and stronger borders built upon respect for fundamental rights. “We aim to be accountable for our work across the range of our responsibilities, and in our priorities for advice you will find those European Commission proposals that, in our assessment, seem most likely to have implications for the fundamental rights to privacy and to the protection of personal data,” Buttarelli writes, adding his agency will be working with the Article 29 Working Party to make sure the EU has a consistent voice on data protection matters. [edps.eu]

EU – Facebook-Schrems Privacy Case Set to Begin

The highly anticipated privacy case that could determine the validity of standard contractual clauses is set to begin in the commercial division of Ireland’s High Court. Facebook and privacy campaigner Max Schrems are each part of the case. Ireland’s Data Protection Commissioner Helen Dixon wants the High Court to examine the validity of SCCs and to refer them to the Court of Justice of the European Union. Dixon has expressed concerns about the validity of the clauses in light of articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union and the CJEU’s ruling in the first Schrems’ case. SCCs allow businesses to transfer EU citizens’ personal data to countries outside of the European Economic Area. Joining Schrems and Facebook in the case as “friends of the court” are the U.S. government, the Business Software Alliance, Digital Europe, and the Electronic Information Privacy Center. [The Irish Times] [The Irish Times: Govt Concerned About ‘Sweeping’ Ramifications of Facebook-Schrems Case]

EU – EU Verifies Google’s Data Transfer Contractual Clauses

The Article 29 Working Party has ruled the contractual clauses used by Google to cover international data transfers for European users of its G Suite applications and cloud services are compliant with EU data protection requirements. Google said EU data protection authorities approved the language used in the company’s contracts for business customers in the EU and that they align with the European Commission’s “model contract clauses.” Google’s Head of Global Compliance Marc Crandall and its Head of Security and Compliance Matthew O’Connor wrote about the news in a blog post, noting the confirmation will help the company get similar certifications in countries with data protection requirements similar to the EU. Crandall and O’Connor also said the move will give EU businesses the needed legal protection to proceed with international data transfers without further authorizations. [blog.Google]

EU – French Man Wants $48 Million from Uber for Allegedly Breaking Up His Marriage

A French businessman from Côte d’Azur has sued Uber, asking for no less €45 million in damages. As French news site Le Figaro explains, a notification bug in Uber allowed his wife to spy on him without his knowledge. The man used her iPhone to order Ubers, and then he signed out of the app. However, notifications for his Uber account kept arriving on her phone after that, even though he was signed out. She may not have been able to track his location in real time or see the destinations, but she received plenty of information that would let her know when he was lying. For example, a “working late at the office” excuse doesn’t really work in your favor if you keep taking Uber rides all evening long, and someone can prove it. Le Figaro was able to replicate the bug, but only on iPhones and only using an Uber app version older than the December 15th update. That update apparently fixed the issue. The case should head to court next month. [BGR.com]

Facts & Stats

CA – Data Breach Reporting Expected to ‘Skyrocket’ in 2017

Following the Canadian government passing the Digital Privacy Act and the Canadian Securities Administrators taking measures to ensure businesses are more transparent about their cybersecurity practices, the number of reported data breaches is expected to skyrocket in 2017. The changes will result in companies not only having to disclose the incidents after they happen, they must also disclose specific risks potentially leading to other data breaches in the future. KPMG’s Kevvie Fowler said the increased reporting in data breaches will likely result in more companies facing lawsuits, but the transparency could also lead to stronger efforts to protect data and fewer data breaches in the long term. [CBC News]

US – The Worst Data Breaches in the U.S., Ranked State by State

15.2m Americans had confidential personal and financial information compromised last year. Researchers at Safetica USA have explored a vast database maintained by the US Government’s Department of Health and Human Services of every major data breach by a health clinic, doctor, dentist or hospital since 2009. Each entry chronicles how 500 or more confidential records were compromised in a single breach. There are two basic ways of looking at which states were worst affected by data breaches last year: by the number of cases, and by the number of individual records compromised. When it comes to the highest number of cases, the list of the worst-hit states closely follows population. Overall, the number of major breaches across the US increased last year to its highest level on record: 318 cases in 2016 compared to 270 in 2015. California, New York, Texas, Florida and Illinois were also the five worst affected states in 2015. A slightly different top 10 emerges if you look at the number of records compromised. A single hacking incident suffered by Banner Health revealed last summer affected 3.7m people and pushed Arizona to the top of the list. [Entrepreneur]

UK – 1.1M GBP Study to Examine Human Error and Breaches

A University of Surrey-led study is giving 1.1 million GBP to researchers to discover why human error is the cause of so many cyberattacks and why users don’t seem to learn from cybersecurity awareness initiatives. “The project’s overall aim is therefore to develop a framework through which we can analyze the behavioral co-evolution of cybersecurity/cybercrime ecosystems and effectively influence behaviors of a range of actors in the ecosystems in order to reduce human-related risks,” the researchers write. The project will take two years and begin in April, and will include contributors from multiple disciplines, like crime science, engineering, computer science, engineering, and behavioral science at University of Surrey, TRL, University of Warwick, and UCL. [CSO]

US – Breaches Snip $300M from Yahoo Price Tag

A new deal has been worked out for Verizon to buy Yahoo, at roughly $300 million less than Verizon’s original offer. The takeover deal was originally announced in July 2016, with a price of $4.8 billion. However, in the interim, Yahoo released information about two separate hacks that exposed the personal data of as many as a billion customers. Yahoo CEO Marissa Mayer said in January that the company has an “unwavering” commitment to security. [CNBC]

WW – App Extension Can Unveil Linkedin Users’ Email Addresses

Charlie, a free app that notifies users of forthcoming meetings and provides information on those in the meeting, now has a Chrome extension that gives users access to LinkedIn users’ emails. It also provides “the option to copy the email address, compose an email or request Charlie to research and send you information about that person.” “The research information is similar to what the app sends before a meeting, containing professional achievements and news.” Aaron Frazin, CEO of Charlie, explained that the tool will not override security measures that protect emails on LinkedIn, but rather uses algorithms to “take a guess,” at what the email address is. [CNET]

Filtering

WW – Privacy and Anti-Piracy Advocates Square Off On Browser Updates

The World Wide Web Consortium is considering standardizing the digital rights/restrictions management-enabling Encrypted Media Extensions, which protect media from piracy while reportedly limiting a browser’s security and damaging the internet’s open architecture. The potential move is a controversial one, with anti-piracy advocates supporting it while privacy proponents are critical. “DRM is a dangerous feature to standardise and have enabled across everyone’s browser because it essentially enforces a black box of code to be installed on your browser which cannot be audited or looked at or even talked about by security researchers,” said former W3C employee Harry Halpin. This “black box” is not accessible by internet users, either. [Ars Technica UK]

Finance

EU – Brussels Eyes Sweeping Cash Ban: Are Gold and Silver Next?

European Union officials just published a “Proposal for an EU Initiative on Restriction on Payments in Cash.” Predictably, the restrictions are being sold to citizens as a means of fighting terrorism – much like a host of other privacy and liberty-destroying power grabs in recent decades. This despite a telling admission contained in the proposal: “There remains the lack of readily available and solid evidence on legitimate versus illegitimate cash transactions.” Ban the use of cash first, ask questions later. In Germany, 79% of transactions are done in cash. Many there aren’t going to take restrictions lying down. Some see the war on cash for what it is – bureaucrats using the lever of fear to once again ratchet up controls and restrict privacy. Attempts to regulate the trade of physical gold and silver will not be far behind any restrictions on cash. Precious metals are an obvious target because they are a premier form of private, off-the-grid, and portable wealth. [GoldSeek See also: Who’s Powering the War on Cash? | Cashless Economy will lead to a Starving Economy | India’s Demonetization “Shock Therapy”: State Sponsored Financial Repression | Government Invades Privacy Under Money Bill ]

Health / Medical

US – HHS Imposes $3.2 Million Fine on Children’s Medical Center for Loss of Unencrypted Devices 

the Department of Health and Human Services, Office for Civil Rights has issued a notice of final determination against Children’s Medical Center of Dallas, a covered entity, for violations of the HIPAA Privacy and Security Rule. An unencrypted, non-password protected mobile device was lost at an airport, which contained PHI of 3,800 patients; the penalty was imposed due to lack of access controls ($923,000) and device/media controls ($772,000) and impermissible disclosure of PHI ($1,522,000). Aggravating factors taken into account when imposing the penalty included 5 prior separate thefts of laptops and mobile devices, and a previous externally-produced report highlighting the need to encrypt such devices. HHS – Notice of Final Determination – Children’s Medical Center of Dallas Press Release | Notice of Final Determination

US – NY Bill  Prohibits Making or Broadcasting  Visual Images of Patient Medical Treament Without Consent

Assembly Bill 1190, amending Public Health Law and Civil Rights Law and relating to making and/or broadcasting visual images of patient medical treatment, is introduced and referred to the Health Committee: the companion bill is Senate Bill 3696. The right to privacy requires obtaining prior written express consent from the patient (or legal representative) for such broadcasting; exceptions include broadcasting for the purposes of health care treatment of the patient, a quality assurance program, the education/training of health care personnel (about which the patient has the right to know and refuse broadcasting), and necessary security purposes. [Assembly Bill 1190 – Relating to Prohibiting the Making and/or Broadcasting of Visual Images of Individuals Undergoing Medical Treatment Without Prior Consent – New York State Assembly

Horror Stories

US – VIZIO to Pay 2.2 Million to Settle Consumer Tracking Charges

Vizio, one of the world’s biggest makers of Smart TVs, is paying $2.2 million to settle charges [see 12 pg pdf here ] that it collected viewing habits from 11 million devices without the knowledge or consent of the people watching them. In an e-mailed statement, Vizio officials wrote: “The ACR [automated content recognition] program never paired viewing data with personally identifiable information such as name or contact information, and the Commission did not allege or contend otherwise. Instead, as the Complaint notes, the practices challenged by the government related only to the use of viewing data in the ‘aggregate’ to create summary reports measuring viewing audiences or behaviors.” The tracking started in February 2014 on both new TVs and previously sold devices that didn’t originally ship with ACR software installed. The software periodically appended IP addresses to the collected data and also made it possible for more detailed personal information—including age, sex, income, marital status, household size, education level, home ownership, and home values—to be associated. …The allegations are only the latest to raise troubling privacy concerns about Internet-connected TVs and other so-called Internet-of-things devices. In late 2015, security researchers found that Vizio TVs failed to properly validate the HTTPS certificates of servers they connected to when transmitting viewing-habit data. That made it trivial for anyone who had the ability to monitor and control the Internet traffic passing between the TV and the Vizio servers to impersonate the servers and view or tamper with the transmitted data. Smart TVs manufactured by LG have also been caught collecting potentially sensitive data, including a list of shows being watched, the names of files contained on connected USB. Vizio must also delete any data collected before March 1, 2016, implement a comprehensive privacy program, and undergo biennial assessments of that program. FTC Acting Chairman Maureen Ohlhausen issued a concurring statement to the unanimous decision. [FTC.gov | WilmerHale See also [Samsung warns customers not to discuss personal information in front of smart TVs: Samsung has confirmed that its “smart TV” sets are listening to customers’ every word, and the company is warning customers not to speak about personal information while near the TV sets.]

Identity Issues

CA – OPC Canada Outlines Different Methods of Secure Authentication

The Office of the Privacy Commissioner of Canada has issued guidance on authentication types. Context-based authentication examines an individual’s current behaviour and habits and compares it with known/expected behaviour (significant deviations, such as a change in device/location, would result in a challenge to present other credentials), proximity-based authentication uses a token to enable automatic access when close to a device (e.g. smartphone or watch), and software-based authentication uses smartphone apps to calculate pseudo-random access codes (instead of carrying a separate hardware token). [OPC Canada – Your Identity – Ways Services Can Robustly Authenticate You]

CA – Canada’s SecureKey Wins U.S. 800K Grant for Digital Identity Network

SecureKey Technologies and The Digital ID and Authentication Council of Canada (DIACC) have received a grant for up to $800,000 from Command Control and Interoperability Center for Advanced Data Analytics (CCICADA), a research center funded by the U.S. Department of Homeland Security, to help build a digital identity network. The aim is to build a national system that allows the public to access online services without memorizing dozens of passwords, or prove their identity, while still maintaining their privacy and security by using blockchain to create a “triple blind” privacy protocol that allow individuals to easily connect to partnering online services using an existing, trusted log in credential, while limiting the actual amount of data being transmitted for security. [Reuters See also: What Role Does Government Play in Blockchain Technology’s Future? | Bank of Canada’s blockchain tests spotlight challenges | Project Jasper: Lessons From Bank of Canada’s First Blockchain ProjectA Complete Beginner’s Guide To Blockchain]

US – Data Re-Identification Law Should Be Passed: Senate Committee

Overriding concerns about the scope, burden of proof reversal, criminalization, and retrospective application of the law, a Senate committee has recommended that the data re-identification Bill be passed in a report tabled in Parliament. Under the laws introduced to the Senate in October, intentionally re-identifying a de-identified dataset will become punishable by up to two years’ imprisonment, with the laws to be retrospectively applied from September 29, 2016. Senators from both the Labor and Greens parties dissented with the committee’s recommendations, saying that the Bill should not be passed because it is “disproportionate” to the aforementioned gap in privacy legislation, and also does not achieve its objectives. “The Bill adopts a punitive approach towards information security researchers and research conducted in the public interest. In contrast, government agencies that publish poorly de-identified information do not face criminal offences and are not held responsible,” Labor and Greens senators argued. Electronic Frontiers Australia (EFA) said “The proposed Bill creates no incentives for Australian government agencies or other organizations to increase their data security, or to adopt data austerity measures. Conversely, the proposed Bill creates (as intended) a strong disincentive for researchers to announce a real or potential vulnerability of re-identification.” [ZDNet See also: Clear-cut definition of de-identified data critical in legislation: Pilgrim | De-identification: the de-vil is in the de-tail | Brandis flags Privacy Act changes to protect anonymised data Brandis to criminalise re-identifying anonymous data under Privacy Act | Research work could be criminalised under George Brandis data changes | Fears that patients’ personal medical information has been leaked in Medicare data breach | NZ privacy commissioner recommends Australia’s data re-identification criminalisation lead]

Internet / WWW

WW – CISPE Announces 30 Services Comply with its Code of Conduct

The Cloud Infrastructure Services Providers in Europe announced more than 30 services comply with the CISPE Data Protection Code of Conduct. The CISPE, a coalition of cloud providers serving millions of European customers, states Amazon Web Services and UpCloud are among the services committing to the code of conduct. Cloud infrastructure services are operated in data centers in Bulgaria, Finland, France, Germany, Ireland, Italy, the Netherlands, Spain, and the U.K. The CISPE Data Protection Code of Conduct is designed to help customers ensure cloud providers are using the proper data protection standards consistent with both the current Data Protection Directive, and the upcoming General Data Protection Regulation. “Any customer will know that if their Cloud Infrastructure Provider is complying with the CISPE Code of Conduct, their data will be protected to clear standards,” said CISPE Chairman Alban Schmutz. “CISPE Code of Conduct provides Europeans with the confidence that their information will not be used for anything other than what they stipulate.” [CISPE.cloud]

WW – Private Search Browser Cliqz Acquires Ghostery’s Consumer Biz

Cliqz, a Mozilla-backed German startup, has acquired Ghostery’s consumer-focused product suite. Ghostery will now revert to its former name, Evidon, and focus on its B2B business, helping enterprises with privacy compliance, especially related to self-regulatory programs like AdChoices. Cliqz, which is currently building its own anti-tracking browser with a built-in private search feature, will take on Ghostery’s anti-tracking browser extensions and mobile apps. The acquisition will help Cliqz gain Ghostery’s 10 million active users, in hopes of spurring international growth. “We plan to launch in the U.S. and some Western European markets soon,” said a Cliqz spokesman. “The Ghostery acquisition will be a big help. Ghostery users around the world can opt-in to contribute anonymous statistical data via our Human Web technology.” [TechCrunch]

Law Enforcement

US – Bills to Limit Use of ‘Stingray’ Data Are Back

The influential chairman of a House committee is again putting his support behind two bipartisan bills that would curb law enforcement’s use of intercepted mobile-phone data without a warrant. The revival of the legislation comes after the House Oversight and Government Reform Committee published a yearlong investigation in December that delved into the devices agencies use to intercept wireless communications, called cell site simulators, IMSI catchers or “stingrays.” Chaffetz and two other [ Sen. Ron Wyden & Rep. John Conyers ] members of Congress reintroduced The Geolocation Privacy and Surveillance Act, which would make it illegal to intercept Americans’ geolocation information without their knowledge, or to use or disclose information collected that way, except after obtaining a warrant or in other specified circumstances. Chaffetz also reintroduced Wednesday the Cell Location Privacy Act [see here], which [requires] law enforcement to get a warrant before using devices known as “stingrays,” cell-site simulators or IMSI-catchers. His committee [House Oversight and Government Reform Committee] released a bipartisan staff report in December that found the departments of Justice and Homeland Security spent more than $95 million cumulatively on cell site simulators, as FedScoop reported at its release. [FedScoop See also: Chaffetz: Autonomous Cars, Drones, IoT on Oversight Committee’s Agenda | Bipartisan bill seeks warrants for police use of ‘stingray’ cell trackers | Stingray: A New Frontier in Police Surveillance | FCC Helped Create the Stingray Problem, Now it Needs to Fix It | Feds back police in FOIA fight over cell site simulators | Government use of surveillance devices must be restricted: privacy experts | Long-Secret Stingray Manuals Detail How Police Can Spy on Phones | Stingray documents offer rare insight into police and FBI surveillance

US – Taser to Bring AI to Police Bodycams

Taser International has made a pair of acquisitions as it attempts to help police departments sift through the large amount of footage obtained by body cameras. Taser is acquiring both Dextro and the computer vision team of Misfit to create Axon AI, a group that will use artificial intelligence to help police departments categorize and analyze all bodycam footage, making it easily searchable. Bodycam use has been welcomed as a way to boost police accountability, but privacy advocates are concerned adding AI to the process could lead to issues down the line. “We support bodycams on the condition that they serve as an effective police oversight tool and not as yet another set of government surveillance cameras,”American Civil Liberties Union Senior Policy Analyst Jay Stanley said. “The storing of video and running analytics on it does not strike the right balance between privacy, oversight and usefulness to the police.” [Forbes]

Location

US – Lawmakers Introduce GPS Act to Prevent Illicit Geolocation Tracking

Sen. Ron Wyden, D-Ore., Rep. Jason Chaffetz, R-Utah, and Rep. John Conyers, Jr., D-Mich., introduced a bill designed to create rules for when agencies can track and access a citizen’s geolocation data. The Geolocation Privacy and Surveillance Act is aimed at any law enforcement agencies looking to obtain geolocation information on any individual without their knowledge. The GPS Act will create penalties for anyone attempting to track any person without prior authorization, and prohibits commercial service providers from sharing geolocation data without the subject’s consent. “Outdated laws shouldn’t be an excuse for open season on tracking Americans, and owning a smartphone or fitness tracker shouldn’t give the government a blank check to track your movements,” Wyden said. “Law-enforcement should be able to use GPS data, but they need to get a warrant. This bill sets out clear rules to make sure our laws keep up with the times.” [Wyden.senate.gov]

Offshore

WW – 2017 A Big Year for The Hybrid Cloud

The idea “hybrid cloud,” where companies use a mix of private and public cloud services as part of their operations, will “likely” enter the mainstream in 2017. Cloud services are not optional tools for companies anymore, and the forthcoming General Data Protection Regulation will require businesses to question how they are using data, and in some cases overhaul how they manage it in order to comply. Such processes “in turn will result in additional benefits in terms of reduced data storage and management costs.” [ITProPortal]

Online Privacy

WW – Anonymous Web Browsing Doesn’t Mean You Stay Anonymous: Study

A study conducted by Stanford University and Princeton University researchers has found that anonymous browsing data can be frequently tied back to actual identities. After having users “donate” their browsing history, researchers attempted to connect the data with their Twitter accounts. “Seventy-two percent of people who we tried to deanonymize were correctly identified as the top candidate in the search results, and 81% were among the top 15 candidates,” researcher Jessica Su writes. “This is, to our knowledge, the largest-scale demonstration of deanonymization to date, since it picks the correct user out of hundreds of millions of possible Twitter users,” she adds. “In addition, our method requires only that a person clicks on the links appearing in their social media feeds, not that they post any content — so even people who are careful about what they share on the internet are still vulnerable to this attack.” [The Conversation]

WW – Researchers Create Cross-Browser Tracking Method

Researchers have developed a way to track users across multiple browsers. The method uses code to instruct browsers to perform numerous tasks in the background while users visit a webpage, with those tasks then drawing on operating system and hardware resources that create a unique profile. While cross-browser tracking has its benefits, it also possesses numerous privacy concerns, the researchers note. “From the negative perspective, people can use our cross-browser tracking to violate users’ privacy by providing customized ads,” said lead researcher Yinzhi Cao. “Our work makes the scenario even worse, because after the user switches browsers, the ads company can still recognize the user. In order to defeat the privacy violation, we believe that we need to know our enemy well.” The researchers released a website to demonstrate the technique. During a test run conducted over a three-month period, it was able to correctly identify users 99.2% of the time. [Ars Technica]

UK – Study: Low Data Quality Plagues UK Marketers

Royal Mail Data Services has found that U.K. organizations estimate that “poor-quality consumer data” costs them an “average of 6% of their annual revenues.” Additionally, 91.4% of marketers said their organizations have data-quality issues, while 58% expressed concerns about the compliance of their “in-house customer data.” Organizations must improve their data quality by the time the General Data Protection Regulation goes live in May 2018. Specifically, “untangling this web starts with recognising the proliferation of sources that capture a variety of customer data, which needs to be permissioned, validated, cleansed and managed.” [Information Age]

UK – Some UK Dating Apps Have Privacy Vulnerabilities, Research Finds

Some of the most popular dating apps in the U.K. are leaking personal information. “During testing, four of the free apps exposed customer information by not fully securing data sent from the app’s owners to customers’ phones.” “These were Happn, Hookup Now, AnastasiaDate, and AffairD. The analysis also highlighted the amount of personal data being collected by MeetMe and specific location data being gathered by Once.” The investigation was conducted with the help of an American security researcher who wished to remain anonymous. “It is pretty clear some of the apps have significant consumer privacy issues,” the researcher said. “I don’t think any of these apps have bad intentions but some of them have negligent security practices that would allow an attacker or a person who has bad intentions to find out information about users the app doesn’t intend.” [Wired]

UK – Dear IAC: Clarify your Data Usage On Dating Apps

Privacy International Executive Director Gus Hosein has written a letter to IAC, owner of more than 150 brands that include many popular dating apps like Tinder and OkCupid, asking the company to better explain how and if it shares data among its brands. In conjunction with the letter, PI launched its “Way too Mutch“ campaign in an effort to highlight how one company owns many of these dating apps. “We appreciate that the Privacy Policy of each of your dating websites may well indicate how sensitive personal data from users’ dating profiles might be shared with other brands and companies,” the letter states. “But we seriously doubt that most people who sign up to one of your dating websites are aware that they are potentially giving their sensitive personal data to literally dozens of other brands and companies owned by IAC.” PI suggested IAC put its logo on all of its dating websites. [Privacy International]

US – Apps Not Up to Privacy Snuff to Get The Boot from Google Play Store

Google has announced it will either “limit the visibility” or remove apps from its Google Play Store that do not have privacy policies. The company has sent notices to various offending apps, giving them until March 15 to “include a link to a valid privacy policy which submits to Google’s rules on their application’s Store Listing page, as well as within the app itself… Alternatively, developers can simply remove the permissions request to collect sensitive user information.” The move “may also be an indication that the tech giant is seeking to tighten control and improve standards in the congested Android app marketplace.” [ZDNet]

US – Golden State Warriors Privacy Lawsuit Over So-Called Spying App Dismissed

A federal judge dismissed a lawsuit against the Golden State Warriors alleging the basketball team used a free mobile app to listen to users’ private conversations. The lawsuit claimed the app used “beacon” technology to track the plaintiff and turn on her phone’s microphone whenever it was running, even if it was on in the background. The judge found the plaintiff failed to prove the app used the contents of her conversation, according to The Recorder. The plaintiff may amend her complaint and refile, but must identify a specific time when she was having a private conversation, and the topic of the conversation then resulted in a targeted ad delivered from the beacon technology. [SiliconBeat]

Other Jurisdictions

US – EFF urges Democratic Control for Smart City Proposal

The Electronic Frontier Foundation has written a letter to the San Jose City Council urging them to implement an ordinance to ensure democratic control as the city considers a proposal to install 39,000 “smart streetlights.” The EFF argues that democratic decision-making is important in order to prevent police chiefs and other agencies from unilaterally installing new surveillance tools. The organization also believes “privacy by design” is a crucial element for San Jose to consider to prevent the smart city proposal from turning into a surveillance tool. “A critical procedural measure is for cities to employ their own privacy officers,” the EFF said in a statement. “With the great power of smart cities tools comes the great responsibility to competently manage them. A privacy officer must have expertise in the technological, legal, and policy issues presented by these powerful tools.” [EFF.org]

AU – Australia Passes Mandatory Data Breach Notification Law

Australian Privacy and Information Commissioner Timothy Pilgrim issued an official statement welcoming the passage of the Privacy Amendment (Notifiable Data Breaches) Bill 2016, establishing a mandatory data breach notification law across all of Australia. The bill requires government agencies or businesses covered by the Privacy Act to alert any individual affected by a data breach where serious harm is likely to occur. Pilgrim said his office will work with those organizations to ensure they are prepared for when the law is implemented next year. “The new scheme will strengthen the protections afforded to everyone’s personal information, and will improve transparency in the way that the public and private sectors respond to serious data breaches,” Pilgrim said in a statement. “It will also give individuals the opportunity to take steps to minimise the damage that can result from unauthorised use of their personal information.” His office received 107 voluntary breach notifications in 2015-2016. [OAIC.gov.au]

Privacy (US)

WW – Travelers Wonder Whether to Bring Phone to US

Software engineer Quincy Larson’s widely shared blog post advised travelers to leave their mobile devices at home when traveling to the U.S. Larson’s argument was sparked by the airport detainment and subsequent demand for the smartphone password of American-born NASA engineer Sidd Bikkannavar’s phone. Larson viewed this incident as a “dangerous precedent.” In light of his suggestion, BBC News’ Rory Cellan-Jones reached out to U.K. and U.S. officials for their take. The U.K. Foreign Office said that while “their travel advice did not cover this subject because they had not received any calls about it,” they advised someone in a similar situation to Bikkannavar’s to call the British Embassy and arrange for a lawyer. Meanwhile, the U.S. Embassy said “they would need to speak to Washington” on the matter. The results led Cellan-Jones to perhaps consider taking a “burner” phone to the U.S. [BBC.com] [NASA scientist asked by CBP agents to hand over phone containing sensitive info]

Security

WW – Windtalker A Powerful Keystroke Inference Tool: Study

Researchers from Shanghai Jiao Tong University, University of Massachusetts at Boston, and the University of South Florida have released a paper on WindTalker, a “practical keystroke inference framework” that gives hackers the ability to “infer the sensitive keystrokes” on mobile devices through “WiFi-based side-channel information.” The paper, entitled “When CSI Meets Public WiFi: Inferring Your Mobile Phone Password via WiFi Signals,” details the researchers’ case study of the “practicality of the password inference towards Alipay,” ultimately finding that hackers can recover keys with a high rate of success. [Fermat’s Library]

EU – ENISA Provides Guidance for Developing Secure Mobile Devices

The European Network and Information Security Agency updated its previous guidance for developers of smartphone applications. App developers should identify and protect sensitive data on mobile devices (through encryption, verifications, permissions), authenticate users and sessions through password and cryptographic mechanisms, ensure authentication and authorization factors prevent unauthorised access, ensure sensitive data is protected in transit; privacy policies must explicitly notify users of personal data collected, purpose of collection, recipients of data, and data storage and length. [ENISA – Smartphone Secure Development Guidelines]

Smart Cars / IoT

WW – IoT is Expected to Include 8.4B Things This Year, Up 31%

The Internet of Things continues to gather steam. Research firm Gartner Inc. is forecasting that 8.4 billion connected things will be in use worldwide this year, up 31% from 2016, and will reach 20.4 billion by 2020. [see here ] From 2018 onward, cross-industry devices such as those designed for smart buildings will take the lead as connectivity is driven into higher-volume, lower cost devices. In 2020, cross-industry devices will reach 4.4 billion units, Gartner said, while vertical-specific devices will amount to 3.2 billion units. [Information Management]

US – FTC Issues Recommendations to Organisations Engaged in Cross-Device Tracking

The FTC has issued recommendations for cross-device tracking. Cross-device tracking allows companies to associate multiple devices with the same person, allowing advertisers to use the information to target ads to consumers; organizations should offer consumers choices about how their cross-device activity is tracked, truthfully disclose their tracking activities to both consumers and first-party companies, disclose limitations on how opt-outs are applied across devices, and refrain from tracking sensitive information (such as health, financial, children’s, or precise geolocation information). FTC – Cross-Device Tracking

UK – ICO: Ofgem’s Data Metering Plans Have Privacy Problems

The Information Commissioner’s Office has argued that Ofgem’s proposed “mandatory half-hourly settlement” in the U.K.’s new smart metering system violates the company’s data access privacy framework that it created “to govern how smart meter data can be used.” “Mandating half-hourly data be used for settlement directly contradicts that framework, and it is that framework that will have governed the access to consumption data when a large number of consumers will have made the choice to have a smart meter installed,” the ICO said in a response to Ofgem’s consultation on the matter. “Therefore changing the framework to allow for mandatory half-hourly settlement should not be taken lightly.” The ICO added that the DAPF should be amended to include mandatory half-hourly settlement. [Out-Law]

Surveillance

US – Washington Bill Outlines When Use of a Sensing Device Attached to a Drone Would Not Require a Warrant

House Bill 1102, relating to drones, and amending Chapter 9.73 of the Revised Code of Washington, has been introduced in the House and referred to the Committee on Public Safety: A previous version of this Bill was vetoed by the Governor Devices capable of remotely acquiring personal information can be operated without obtaining a warrant if personal information is not intended to be collected (environmental monitoring, surveys), an emergency situation exists that present immediate danger of death or serious physical injury, operation is for training purposes, or for emergency or disaster response; no efforts must be made to identify an individual from information collected, and personal information must be deleted within 30 days [House Bill 1102 – An Act Relating to Technology-Enhanced Government Surveillance – State of Washington]

Telecom / TV

US – Facebook, Manhattan District Attorney Clash Over Privacy

Manhattan District Attorney Cy Vance Jr. has challenged Facebook’s lawyers in New York’s Court of Appeals over the ability to perform bulk seizures of Facebook users’ accounts for criminal investigations. Facebook is attempting to block the move, citing privacy concerns. “The case is being closely watched by both law enforcement and the tech industry to see whether the very definition of search and seizure may have to change for the digital age.” Meanwhile, Washington, D.C., police have subpoenaed Facebook for data from users arrested while protesting President Donald Trump, Mashable | NY Post]

US Government Programs

US – CIA Guidelines Aim to Improve Public Trust in Handling of Citizens’ PI

The Central Intelligence Agency released its Executive Order 12333 Attorney General Procedures in order to improve public understanding and trust of the CIA’s protection of citizens’ personal information. The CIA has imposed restrictions on the querying of their data holdings (i.e. only for its authorized intelligence activities and queries of electronic communication contents require a statement of purpose); inadvertent collections of U.S. electronic surveillance information require limited access and special training. Electronic communications must generally be destroyed within 5 years, and unevaluated information must be destroyed within 25 years; CIA information systems must be designed to facilitate regular auditing of data queries. Release of the Updated Executive Order 12333 Procedures – Central Intelligence Agency Press Release | Statement of the Release | Detailed Overview | Guidelines]

US – CFPB Director May Have Violated Law by Failing to Store Text Messages

The Cause of Action Institute believes Consumer Financial Protection Bureau Director Richard Cordray may have violated federal records laws by failing to store text messages sent from his personal phone. The group states Cordray sent work-related text messages from his cellphone, but did not archive them according to federal regulations. According to federal law, government employees can work through their private devices, as long as all work is properly preserved with their employer. A CFPB spokesperson said all text messages sent between Cordray and CFPB employees were captured by the bureau’s electronic storage system and were produced to the public following a Freedom of Information Act request. The Cause of Action Institute still believes a violation may have occurred, as the text messages were only revealed after follow-up requests were made. [The Hill]

US Legislation

US – Lawmakers Prepare to Overturn FCC Broadband Privacy Rules

Republican lawmakers are preparing to make a legislative move to overturn the Federal Communications Commission’s broadband privacy rules following requests from ISPs to undo the legislation. Sen. Jeff Flake, R-Ariz., said he “plans to introduce a resolution that would roll back the FCC’s broadband privacy rules via the Congressional Review Act (CRA), which allows Congress to eliminate agency rules with a simple majority vote,” according to POLITICO. Flake claims to have several co-sponsors, but did not say when he will submit the resolution. The Chair of the Commerce Committee’s Subcommittee on Communications and Technology, Rep. Marsha Blackburn, R-Tenn., said she was speaking with Senate colleagues on a daily basis to properly use the CRA to revoke the broadband privacy rules. [Ars Technica]

US – Virginia Bill Requires Warrant for Law Enforcement Use of Surveillance Technology

House Bill No. 1657, amending and reenacting sections of the Code of Virginia relating to the Government Data Collection and Dissemination Practices Act, was re-introduced in the Virginia State Assembly: The Bill is referred to the Committee on Militia, Police and Public Safety. Law enforcement agencies are permitted to collect information from license plate readers, provided the information is not held for more than 7 days, not subject to any outside inquiries or internal usage, and purged from the system if it is not being used in an ongoing investigation; the bill prohibits the creation of a personal information system whose existence is secret, and information must not be collected unless the need for it has been clearly established in advance. [House Bill No. 1657 – A Bill to Amend and Reenact Sections of the Code of Virginia Relating to the Government Data Collection and Dissemination Practices Act – General Assembly of Virginia]

US – Nebraska Bill Permits Government Agencies to Use Automatic License Plate Reader Systems for Law Enforcement Purposes

Legislative Bill 93, the Automatic License Plate Reader Privacy Act, is introduced in the Nebraska Legislature and referred to the Judiciary Committee. Captured licence plate data can be used to compare plate data held by agencies for the purpose of identifying outstanding parking or traffic violations, unregistered or uninsured vehicles, or a vehicle registered to the subject of an outstanding warrant, or associated with a missing person; privately held plate data may be processed if it is no more than 14 days old, and subject to a criminal warrant or court order. [Legislative Bill 93 – Automatic License Plate Reader Privacy Act – 105th Legislature of Nebraska]

US – Minnesota Bill Prohibits Online Operators from Using Educational Data for Targeted Advertising to Minors and Students

House File 307, the Student Online Data Protection and Privacy Act, is introduced and referred to the House Education Innovation Policy Committee: The Bill would be effective for the 2017-2018 school year and later. Operators must not use information (including persistent identifiers) created or gathered by the operator’s site to create a student profile, or knowingly allow a third party to use a minor’s personal information to market or advertise products or services to a minor; the operator of a minor-directed service must notify any advertising service it uses that the operator’s service is directed to minors prior to ads being served. [HF 307 – Student Online Data Protection and Privacy Act – Minnesota House of Representatives]

US – Other Privacy News

  • U.S. Rep. Mark Sanford, R-S.C., has introduced a bill reforming the REAL ID Act to include privacy protections such as eliminating document archiving and to allowing states to decide opt out linking their databases nationwide. [Washington Times]
  • New Jersey Gov. Chris Christie has signed legislation making data transparency a requirement for all state agencies and codifying the chief data officer position into state law. [Govtech]
  • A New Mexico Senate Committee passed the Electronic Data Privacy Act, which would require police to obtain a warrant prior to the of stingrays and for accessing electronic communications from service providers. [Big Tenth]
  • Washington state legislators are working on efforts to keep state held data from being shared with the federal government for immigration enforcement or the creation of a Muslim registry. [Seattle Times]
  • The U.S. House of Representatives has once again passed the Email Privacy Act, and now the legislation makes its way to the Senate where it’s expected to continue facing resistance. [Reuters]
  • The Pennsylvania Superior Court has ruled that University of Pittsburgh Medical Center is not responsible for protecting employee data. [SC Magazine]
  • Following conflicting rulings in cases involving Google and Microsoft, cases involving law enforcement access to emails stored on servers outside the U.S. may continue to bounce back and forth until the U.S. Supreme Court makes an ultimate ruling. [Ars Technica]
  • A three-judge panel ruled New Jersey police officers can examine a suspect’s private social media messages without applying for an order under the state’s wiretapping laws. [NJ.com]

Workplace Privacy

US – Sensors Allows Employers to Track Workers Within Office Space

Employers are using sensors to monitor where their employees are within an office space. When used, sensors are often hidden from employees, whether in lights or ID badges. “Most people, when they walk into buildings, don’t even notice them,” said Enlighted CEO Joe Costello, whose company’s sensors are used at more than 350 companies, including 15% of Fortune 500 organizations. Advocates of the sensors say the technology helps create a more efficient work environment by tracking the ways employees move through an office, and to help maximize space. While some employees may feel the technology is invasive, employers ultimately have all the power. “Employers can do any kind of monitoring they want in the workplace that doesn’t involve the bathroom,” said National Workrights Institute President Lewis Maltby. [Bloomberg]

+++

 

 

 

21 January – 03 February 2017

Biometrics

AU – Biometric ID for 90% at Airports Raises Privacy Concerns

The Australian Department of Immigration and Border Protection is tendering for a company to provide it with an “automated processing solution” to allow for the automated processing of passengers using biometric identification. Tender documents say 90% of passengers would go through through automated processing points, which would rely on biometric capturing “including but not limited to facial, iris and fingerprints”. Biometrics Expert Prof Katina Michael said such technology had not been proven to have improved security or airport efficiency. Michael said the plan posed a risk to individual privacy and raised ethical dilemmas that had not been properly explained to the public. Michael said recent threats to the security of government-held data such as the census failure should raise real concerns about the storage of biometric data en masse. But others have played down concerns about the government’s plan. Information security expert and reporter Patrick Gray said airport passengers were already the subject of heavy surveillance and biometric testing. “Airports are already among the most surveilled places on the planet. The time to be worrying about this is when someone seriously proposes running live facial recognition against CCTV in public places like city streets and train stations with insufficient oversight on use. Then we’ve got a problem,” he said. “Better, highly-automated facial recognition is going to be a massive privacy issue one day, but the technology at least makes sense in airports.” [The Guardian]

US – Memo: New York Called for Face Recognition Cameras at Bridges, Tunnels

The state of New York has privately asked surveillance companies to pitch a vast camera system that would scan and identify people who drive in and out of New York City, according to a December memo obtained by Vocativ. which asks for surveillance at nine NYC ‘crossing points’ The call for private companies to submit plans is part of Governor Andrew Cuomo’s major infrastructure package, which he introduced in October. Though much of the related proposals would be indisputably welcome to most New Yorkers — renovating airports and improving public transportation — a little-noticed detail included installing cameras to “test emerging facial recognition software and equipment.” “This is a highly advanced system they’re asking for,” said Clare Garvie, an associate at Georgetown University’s Center for Privacy and Technology, and who specializes in police use of face recognition technologies. “This is going to be terabytes — if not petabytes — of data, and multiple cameras running 24 hours a day. In order to be face recognition compliant they probably have to be pretty high definition.” The proposed system would both scan drivers as they approached or crossed most of the city’s bridges and tunnels at high speeds, and would also capture and pair those photos with the license plates of their cars. “The biggest risk that comes with a system like this is its ability to track people, by location, by their face,” Garvie said. “So what needs to be put in place is a prohibition on the use of these cameras and the technology as a location tracking tool.” New York City wouldn’t be the first in the U.S. to have a network of facial recognition cameras for law enforcement. In 2013, for instance, the Los Angeles Police Department admitted it had deployed 16 cameras equipped with face recognition software, designed to search for particular suspects. [Vocativ]

Canada

CA – Secret Bans, Secret Trials: The Canadian ‘No-Fly’ Lists

First in a series to help you participate in the federal consultation on national security. Anti-Terrorism Act (Bill C-51) passed last year brought in the Secure Air Travel Act, which modifies the Canadian “no-fly” scheme People on one of the lists are not permitted to board airplanes (“no-fly”). People on another list are subjected to additional security scrutiny when they try to board airplanes (“slow fly”). Under the new law it is illegal to tell an individual if they are on the no-fly list or not. If you are denied boarding or delayed in security, neither the government nor the airline can confirm or deny listing. Travellers on these lists are deemed too dangerous to fly, and yet too harmless to arrest. They are restricted from boarding aircraft, but not trains, ferries, subways, or buses. The new scheme provides for an appalling and probably unconstitutional lack of due process for people listed. There is no timely and appropriate mechanism for appeal of the minister’s secret decision. Canada should repeal the Secure Air Travel Act and keep suspected terrorists away from airplanes using the existing tools under the criminal law. Micheal Vonn – September 22, 2016 – TheTyee.ca | Canada’s Secretive No-Fly List Is Only Getting Worse | Time to overhaul Canada’s no-fly program | Thousands flagged by Canada’s new air passenger screening system | Canada’s no-fly list is ‘very mysterious’ and leaves targets little recourse, say critics | . [CBC News: Kids Still Caught By No-Fly Lists Despite New Redress Office]

CA – Majority of Canadians Support Privacy Act Reform, Greater Transparency

Canadians want tougher privacy laws and for government institutions and private sector organizations to be more upfront about how they collect and use personal information, according to a new survey commissioned by the OPC that found a majority of Canadians support amendments to the Privacy Act, which covers the personal information handling practices of federal government institutions. Canadians broadly support requiring government institutions to properly safeguard the personal information they collect about Canadians (78%) and that the Privacy Act be expanded to the Prime Minister’s Office and the offices of cabinet ministers (71%). Another 69% of Canadians support granting the Privacy Commissioner order-making power to enforce recommendations made following an investigation, while 66% think government institutions should be required to take steps to assess the privacy risks of any new program or law. “Canadians agree it’s time to modernize the Privacy Act, which has gone largely unchanged since it was introduced in 1983,” says Commissioner Daniel Therrien, who recently proposed a series of amendments which were largely supported by a parliamentary committee. “This survey also confirms that Canadians are increasingly concerned about what happens to their personal information in the age of big data, biometrics and the Internet of Things. They want more transparency in their dealings with both business and government.” [Office of the Privacy Commissioner of Canada]

CA – 75% Canadians Want a National Inquiry into Surveillance of Journalists

According to a new national public opinion survey released by Canadian Journalists for Free Expression (CJFE), 70% support a new law that would allow journalists to protect the identity of confidential sources and whistleblowers. 70% of Canadians agree that placing journalists under surveillance undermines press freedom. Only 27% of Canadians agree that the CSIS or the police should use public resources to monitor organizations and advocacy groups which do not pose a known threat to national security. The potential monitoring of such groups was a core concern voiced by advocates when Bill C-51 was first introduced. The inability or unwillingness of CSIS to verify the precise number of journalists spied on in the course of federal national security investigations leaves serious questions about the state of press freedom nationwide. 72% of Canadians believe that there should be an independent crosscountry inquiry into the surveillance of journalists by police. CJFE is supporting the passage of Private Member’s Senate Bill S-231 [see here ], which would create legal protections for journalists and the sources, including whistleblowers, who allow them to undertake in-depth investigative work. 70% of Canadians support a press shield law such as Bill S-231, and 77% of Canadians feel that journalists should investigate public authorities such as the government, the police and state companies. [Canadian Journalists for Free Expression | See also: Hey Big Brother, are you listening in? How Canada is quickly becoming a surveillance nation | Canadian journalists push for ‘shield law’ to protect sources | Quebec announces details of inquiry into surveillance of reporters | ‘We were a bit naive’ about police surveillance, journalist panel says | Media surveillance highlights privacy risk to all Canadians | Canadian police spied on reporters, raising questions of press freedom | Quebec must uphold freedom of the press | Why spying on the press damages our democracy | How Montreal police were able to use legal means to track a journalist | Quebec to hold public inquiry into police surveillance of journalists | An unprecedented crisis’: Quebec government calls inquiry into spying on journalists by police | Quebec launches commission of inquiry into police spying on journalists | How Canada’s Anti-Cyberbullying Law Is Being Used to Spy on Journalists ]

CA – Govts Can Use Big Data Without Sacrificing Privacy: Ontario Commissioner

Though Brian Beamish believes that municipal, provincial, and federal governments alike have much to gain from big data, which he says could be used in sectors ranging from education to the environment to health care, it will require fundamental changes to privacy legislation involving government, citizens, and the private sector alike. Current legislation decrees that any personal information collected must be certified as “necessary,” while big data, which Beamish called “equal parts buzzword and concept,” tends to be indirectly obtained. Big data carries potential risks, Beamish acknowledged: since by definition it’s often collected automatically, and without a goal in mind, it may be inaccurate, lack information, disproportionately represent specific populations while excluding others, or be poorly collected, and applied based on pseudo-scientific insights confusing correlation with causation. The worst-case scenario, therefore, could be not only a surveillance state, but poorly delivered government services, he says. [ITBusiness.ca]

CA – OPC Investigating Complaints Around Sharing Economy

In documents obtained under access to information law, privacy commissioner Daniel Therrien’s office suggested sharing-economy companies such as Uber and Airbnb are creating a “growing risk” to Canadians’ private information. The key question, according to the documents, is who ultimately controls extremely sensitive personal information such as location data and financial information. “In the sharing economy, certain personal information — going well beyond that traditionally needed for reserving lodging and hailing taxis — is collected to establish identity and trust,” the documents read. “It is of great concern what might happen with (personal information) in the sharing economy in the event of a breach, especially given lack of clarity regarding accountability.” [The Star]

Consumer

UK – 75% Brits Afraid for their Personal Data Under President Trump

Four out of five Brits are afraid that the incoming [US] president will use their personal data for his personal gain. That’s according to a poll commissioned by digital rights group Privacy International to coincide with Trump’s inauguration. The online poll was carried out by YouGov, between January 15 and 16, with 1,645 adults surveyed and the data weighted to be representative of the UK population. Why should Brits be afraid of what the incoming president means for their personal data? Because of historical intelligence sharing links between the two nations. And the fact the UK recently passed expansive new surveillance legislation that cements bulk collection as a core state investigatory strategy, including hacking en masse. The vast majority (three-quarters) of respondents to Privacy International’s poll said they want the UK government to explain what safeguards exist against Trump misusing their personal data. Privacy International notes that the historical UKUSA agreement , which was  drafted shortly after World War II , allows UK and US agencies to “share, by default, any raw intelligence, collection equipment, decryption techniques, and translated documents” [TeckCrunch | Four in Five Britons Fearful Trump Will Abuse their Data

US – Privacy Worries Are on the Rise Among US Consumers: Survey

A recent IDC survey found 84% of U.S. consumers are concerned about the privacy of their personal information, with 70% saying their concern is greater today than it was a few years ago. “Consumers can exact punishment for data breaches or mishandled data by changing buyer behavior or shifting loyalty,” said Sean Pike, an analyst at IDC, in a statement. The survey, released last week, polled 2,500 U.S. consumers about their privacy concerns across four verticals: Financial services, healthcare, retail and government. The survey found that shoppers increasingly are willing to evaluate a store’s track record for protecting personal information. “It is in a retailer’s best interest to define what information they are tracking firmly and clearly, and to provide consumers methods to manage those preferences,” IDC’s report said. “Retailers who do not take consumer data protection seriously may find that they permanently lose customers to competitors that offer more transparency and manageability of their Personally Identifiable Information.” [CSO Online]

E-Government

CA – Privacy Experts Call for Rules on Gov’t Monitoring Social Media

Top privacy advocates are calling for rules to govern how government employees access Canadians’ social media posts, following the revelation that the Canada Revenue Agency checks posts on social media sites like Facebook to catch tax cheats. Privacy commissioner Daniel Therrien and former assistant commissioner Chantal Bernier say the Treasury Board should draft guidelines. Bernier, who now works as a lawyer with the firm Dentons, says it is “urgent” for the government to act. “It has become a normal manner to gather intelligence. So we absolutely must give it a framework. We absolutely must clarify what the limits are.” CBC News reported last week that the Canada Revenue Agency’s compliance section is scrutinizing the social media posts of Canadians it suspects are at “high risk” of cheating on their taxes. Among those the agency considers at high risk are wealthy individuals who have offshore bank accounts. In a 2013 report, the privacy commissioner’s office found the Justice Department and the department of Aboriginal Affairs and Northern Development Canada violated First Nations activist Cindy Blackstock’s privacy by monitoring her personal Facebook page. [CBC News See also: Canada Revenue Agency monitoring Facebook, Twitter posts of some Canadians | Twitter and Instagram ban London, Ont., company for helping police track protesters | Experts divided on social media surveillance  | Police Searches Of Social Media Face Privacy Pushback | Facebook, Instagram, Twitter block social media tool Geofeedia over protest surveillance | Facebook, Instagram, Twitter Block Tool For Cops To Surveil You On Social Media ]

AU – Govt Apologises After Thousands of Gun Owners’ Personal Details Released in Email Error

The Victorian Government has apologised to almost 9,000 gun owners after a “deeply concerning” data breach resulted in thousands of gun owners’ personal details mistakenly being emailed out. Customer service staff at the [Victoria] Department of Environment, Land, Water and Planning last month intended to email gun licence renewal forms, but uploaded the wrong attachment and accidentally sent the names, addresses and gun licence details of 8,709 people. The error occurred on eight separate occasions, with the attached files including between 800 to 1,900 names. The Shooters and Fishers Party said the mistake proves why gun registries should be dumped. On advice from the state’s Privacy Commissioner, the department is posting letters to each of the 8,709 people involved. The department has also contacted Victoria Police. [ABC.net]

EU Developments

EU – Privacy Shield Intact Despite Trump Executive Order

The Information Commissioner’s Office (ICO) says there is no indication that an executive order [ Enhancing Public Safety in the Interior of the United States ] introduced by President Donald Trump revoking protections in the country’s Privacy Act for information held by the state on non-US citizens will impact a major EU data sharing arrangement. the ICO said the US Privacy Act has never offered data protection rights to European citizens. A spokesperson for the European Commission reiterated that the Privacy Shield was one of two instruments introduced to try and safeguard personal information when transferred to the US by companies. The second mechanism, called the EU-US Umbrella Agreement, will come into force on February 1 under law adopted by the US Congress last year. It will be supported by the US Judicial Redress Act that extends benefits of the US Privacy Act to Europeans, allowing them access to the country’s courts to seek legal redress. [Government Computing Network See Also: Trump’s Executive Order Does Not Impact U.S. Privacy Shield Commitments – HoganLovells Chronicle of Data Protection | Privacy Shield: Impact of Trump’s Executive Order – Hunton & Williams | Trump’s executive order won’t destroy Privacy Shield, says EU | A White House Executive Order May Affect Validity of Privacy Shield | U.S.-EU Privacy Shield: Trump Executive Order Puts Privacy Agreement In Jeopardy | Trump order strips privacy rights from non-U.S. citizens, could nix EU-US data flows | Trump Is Killing Obama Plans For World Privacy Rights – Forbes | Trump Order Won’t Harm Privacy Shield Pact Say Attorneys | Trump’s Executive Order Does Not Impact U.S. Privacy Shield Commitments | EU Privacy Shield intact despite Trump executive order | Privacy Shield: Impact of Trump’s Executive Order | Trump’s executive order won’t destroy Privacy Shield, says EU

EU – Trump’s E.O. Doesn’t Impact US Privacy Shield Commitments

Trump’s Executive Order (EO) titled “Enhancing Public Safety in the Interior of the United States,” among other things, removed the ability of federal agencies to extend protections under the Privacy Act to anyone other than U.S. citizens or legal permanent residents. The EO does not impact any of the U.S. commitments under the Privacy Shield, nor does it revoke protections for EU citizens under the Privacy Act provided pursuant to the Judicial Redress Act. Under U.S. Constitutional law, the President cannot enact Executive Orders to overturn statutes duly enacted by Congress. Section 14 of the EO acknowledges this, stating that the EO can only be enforced “to the extent consistent with applicable law.” Therefore it cannot (and does not) revoke coverage from jurisdictions already designated as covered under the Judicial Redress Act or countries that could receive such designation in the future from the Department of Justice pursuant to the Judicial Redress Act. But even if coverage under the Privacy Act were affected by this EO—which it is not—it would not impact any explicit commitments made by the U.S. under Privacy Shield. This is for a simple reason: the Privacy Shield Framework and the European Commission’s official Adequacy Decision approving Privacy Shield did not rely on the Privacy Act’s protections. EU citizen rights under both Privacy Shield and the Privacy Act are not directly affected by this EO. However, going forward, it will be important to pay attention to European officials’ reaction to the EO. It will also be important to watch how the EO may impact the Attorney General’s designations of countries covered under the Judicial Redress Act or countries that could receive such designation in the future. [HL Chronicle of Data Protection (HoganLovells) Also See: Privacy Shield: Impact of Trump’s Executive Order | Trump’s executive order won’t destroy Privacy Shield, says EU | A White House Executive Order May Affect Validity of Privacy Shield | U.S.-EU Privacy Shield: Trump Executive Order Puts Privacy Agreement In Jeopardy | | Trump order strips privacy rights from non-U.S. citizens, could nix EU-US data flows | Trump Is Killing Obama Plans For World Privacy Rights

EU – Collecting Info from Kids, a Comparison of US law and GDPR

In the United States the Children’s Online Privacy Protection Act (“COPPA”) requires that a website obtain parental consent prior to collecting information from children under the age of 13 Historically the European Union’s Directive on data protection did not explicitly mention the privacy rights of minors, but applied the same data protection principles to children and adults alike. The EU’s new General Data Protection Regulation (“GDPR”), which goes into force in Spring 2018, specifically recognizes that “children deserve specific protection of their personal data, as they may be less aware of risks, consequences, safeguards and their rights ….” the GDPR also requires that a company obtain the consent of a parent if it offers an information society service to a child The following analysis provides a snapshot of information concerning fines. [Bryan Cave]

Facts & Stats

US – Data Breaches Increase 40% in 2016: ITRC Report

The number of U.S. data breaches tracked in 2016 hit an all-time record high of 1,093, according to a new report released by the Identity Theft Resource Center (ITRC) and CyberScout (formerly IDT911). This represents a substantial hike of 40% over the near record high of 780 reported in 2015. This raises the question: are there actually more breaches or is it because more states are making this information publicly available? In 2016, the business sector, healthcare/medical industry, education sector and banking/credit /financial sectors led the list of data breach incidents. “For businesses of all sizes, data breaches hit close to home, thanks to a significant rise in CEO spear phishing and ransomware attacks. With the click of a mouse by a naïve employee, companies lose control over their customer, employee and business data. In an age of an unprecedented threat, business leaders need to mitigate risk by developing C-suite strategies and plans for data breach prevention, protection and resolution,” said CyberScout and Vice Chair of ITRC’s Board of Directors. [Identity Theft Resource Center PR | ITRC Breach Package | Overview 2005 – 2016 See also: OCR Settles First Enforcement Action for Untimely Reporting of a Breach | The White House’s Revisions to its Breach Response Policy For Federal Agencies and Departments Also Affect Contractors | U.S. Promotes Risk-Based Data Breach Response Model | OMB Publishes Memorandum on Responding to Data Breaches | White House Issues Data Breach Guidance for Federal Agencies | White House issues gov’t-wide breach notification protocols ]

Finance

CA – CRA Transfer Bank Records to US Tax Agency Doubled Last Year

The Canada Revenue Agency transmitted 315,160 banking records to the IRS on Sept. 28, 2016 — a 104% increase over the 154,667 records the agency sent in September 2015. The transmission of banking records of Canadian residents is the result of an agreement worked out in 2014 between Canada and the U.S. after the American government adopted FATCA. The U.S. tax compliance act requires financial institutions around the world to reveal information about bank accounts in a bid to crack down on tax evasion by U.S. taxpayers with foreign accounts. Prime Minister Justin Trudeau, Treasury Board President Scott Brison and Public Safety Minister Ralph Goodale have dropped calls to scrap the deal, which they had made before the Liberals came to power. Privacy Commissioner Daniel Therrien has raised concerns about the information sharing, questioning whether financial institutions are reporting more accounts than necessary. Therrien has also suggested the CRA proactively notify individuals that their financial records had been shared with the IRS. However, the CRA has been reluctant to agree to Therrien’s suggestion. Lynne Swanson, of the Alliance for the Defence of Canadian Sovereignty, which is challenging the information sharing agreement in Federal Court [says] “A foreign government is essentially telling the Canadian government how Canadian citizens and Canadian residents should be treated. It is a violation of the Charter of Rights and Freedoms.” [CBC News See also: FATCA has Americans renouncing citizenship, tax lawyer says | So now the CRA is going after infants? | Appearance before the Standing Committee on Access to Information, Privacy and Ethics on the Transfer of Information to the United States Internal Revenue Service (IRS) | The Liberal privacy campaign that died with the election | Liberals flip-flop on privacy rights | Brison, Garneau endorse deal to share Canadian banking records with IRS | Trudeau Liberals reverse position on controversial IRS information sharing deal ]

US – Financial Industry Reg. Authority Seeks Comment on Blockchain

On Jan. 18, 2017, the Financial Industry Regulatory Authority (FINRA) published a report examining the impact of blockchain [distributed ledger technology (DLT)] on the financial services industry. While DLT’s development and implementation across industries are evolving at different rates, a recent World Economic Forum report predicts that, by 2025, 10 percent of GDP will be stored on blockchains or blockchain-related technology, and finds that over the past three years the financial services industry has invested more than $1.4 billion in DLT. According to FINRA, there are several regulatory issues financial service institutions should consider while exploring DLT, including customer data privacy, record keeping, know your customer, and anti-money laundering. More specifically, FINRA recommends that firms participating in a DLT network evaluate and update their procedures and security measures to ensure compliance with customer data privacy rules. FINRA is encouraging all interested parties to provide comments on all aspects of the report by March 31, 2017. Information on how to comment is provided at the end of the report. [Data Privacy Monitor (BakerHostetler) | Chain Previews New Blockchain Privacy Tech ‘Confidential Assets’ See also: A Complete Beginner’s Guide To Blockchain | Blockchain’s brilliant approach to cybersecurity | Crypto-Currency Software Emerges as Tool to Block Cyberattacks | Power Arrangements in Identity Systems | Why Etherium is the most promising Blockchain technology | Privacy fix for blockchain from Blythe Masters | How blockchain can help fight cyberattacks | Using Blockchain to Protect Against Data Tampering | Legal implications of expanded use of blockchain technology ]

Health / Medical

US – HHS Modifies Drug and Alcohol Abuse Confidentiality Regulations, Proposes Additional Revisions

On January 18, 2017, the U.S. Department of Health and Human Services, Substance Abuse and Mental Health Services Administration (SAMHSA) released the Final Rule modifying the federal regulations governing the confidentiality of drug and alcohol abuse patient records. Largely following the changes that SAMHSA introduced in the 2016 Notice of Proposed Rulemaking (Proposed Rule), the Final Rule may have fallen short of many providers’ desire for less complexity in the rules and a more practical balance between patient privacy and facilitating the provision of care. The authors consider, these 11 points: 1) Background; 2) Effective Date; 3) New and Expanded Definitions; 4) Patient Consent – Designating the Recipient of Information; 5) List of Disclosures; 6) Additional Modifications to Form of Consent; 7) The Notice to Patients of Federal Confidentiality Requirements; 8) Security for Electronic Records; 9) Re-disclosure Requirements; 10) Additional Disclosures; and, 11) Additional Guidance on Disclosures for Payment and Operations to Follow [Bass, Berry & Sims | Also See: Research Data Privacy Regulations Updated in Final Federal Rule | Researchers, privacy experts clash on new human research rule | Patient advocacy groups worry about lax consent requirements in Common Rule]

CA – Yukon Gov’t Workers’ File Complaint over Privacy of Health Info

The Yukon Employees Union (YEU) says it’s worried about how the government handles sensitive medical information of its 3,700 workers. “Basically what we wanted to find out was, when a department gets some medical information, where does it go, who has custody of it, how long is kept, that type of thing. We couldn’t get a straight answer from anybody,” [Union president Steve] Geick said. Geick said the complaint filed with the Yukon privacy commissioner has triggered what he calls a “government-wide privacy impact assessment.” [CBC See also: Yukon gov’t vows privacy not at risk after commissioner raises concerns | Act doesn’t need overhaul: privacy commissioner | Yukon privacy commissioner sounds alarm over gov’t review | Yukon government releases scathing review of access-to-information laws | Health department, psychiatrist lock horns over sharing of private medical information | Yukon gov’t denies asking doctors for sensitive medical files | Yukon gov’t routinely demands to see patients’ private medical records, doctors say | | Northern Ontario doctors rebel over Health Canada rules that breach First Nation patient’s privacy | Health Canada breaches Indigenous patients’ privacy, MDs say ]

UK – Gov’t Refuses to Enforce Privacy Code on NHS Staff Using Video

The government has rejected a request by the surveillance camera commissioner Tony Porter to monitor CCTV and body-worn video cameras in hospitals. The body cameras are deployed in hospitals in an effort to tackle abuse of frontline health service staff. It emerged that Porter had warned ministers last year that the privacy of millions of NHS patients was put at risk by the unchecked use of the cameras. Porter recommended adding NHS trusts to a list of public bodies required to comply with a code of practice on the use of surveillance A letter to Porter sent last week from the home office minister Brandon Lewis, and released by the government on Wednesday, said the recommendation was unnecessary as: “We had not exhausted the possibilities of increasing voluntary compliance.” Porter said the government’s decision to allow surveillance to go unchecked in the NHS raised a series of questions about the privacy of patients. [Guardian]

Identity Issues

CA – Canada’s ‘Pre-Crime’ Model of Policing Is Sparking Privacy Concerns

In cities across Canada, police are partnering with social service agencies that work in housing, addictions, mental health, and child welfare to identify and intervene with people who they believe are at risk of harming themselves or others. Proponents say this pre-crime approach, called the Hub and COR, is the future of law enforcement and social service delivery. But some experts warn that taking a data-driven approach to solving social problems can lead to discrimination. Hubs rely on public health agencies and social services to share unprecedented amounts of information about their clients with police. The disclosure of personal health information is tightly regulated by provincial law, and while Hub guidelines encourage agencies to get consent before sharing it, agencies can get around these requirements thanks to language in health privacy laws that lets them share an individual’s personal information if a “probability of harm” exists. Hubs inspired by the Prince Albert model have been rolled out in more than two dozen Canadian cities, including Toronto, Ottawa, Surrey, Edmonton and Halifax, with participation from police at the local, provincial and federal levels. Ontario’s IPC hasn’t conducted a formal privacy assessment of Hubs in the province. Beamish said that his office worked with the provincial Ministry of Community Safety and Correctional Services (MCSCS) to develop information sharing guidelines for Hubs, but they’re not necessarily mandatory. Risk-driven policing also involves storing and analyzing the data gathered by Hubs. In Saskatchewan, every Hub in the province has access to a centralized database of information. MCSCS spokesperson Brent Ross said that Ontario Ministry maintains a Hub database that does not contain personally identifying information. Valerie Steeves, a professor of criminology, said that while Hubs have good intentions, the information used to assess young people often doesn’t tell the whole story. “One of the things being used to identify risk of suicide or depression is the posting of ‘emo’ lyrics [online].” said Steeves. She also noted the rise of companies that train school staff how to surveil students on social media to identify risk factors. “This surveillance makes it tough for [kids] to develop relationships of trust with people in the real world who might be better placed to help them.” [Motherboard] Also See: [Calgary police to launch terrorism intervention program | NHS Tayside scraps data sharing form after Named Person court ruling | Health board scraps leaflet after Named Persons ruling | Supreme Court rules against Named Person scheme

CA – Putting A Dollar Figure on Breach of Privacy In Canada

Section 16 of PIPEDA authorizes courts to award damages, including damages for humiliation that a complainant has suffered, arising from a breach of the legislation. Over the past few years there has been an evolution towards courts awarding greater damages amounts. In the notable case of “Chitrakar v. Bell TV” [see here], involving a non-consensual credit check the Federal Court awarded the applicant $10,000 in damages, $10,000 in exemplary damages, plus $1,000 in costs. The court acknowledged the difficulty of assessing damages absent evidence of direct loss, but in a marked departure went on to say “there is no reason to require that the violation be egregious before damages will be awarded”. Nevertheless, given the PIPEDA requirement that a complaint assessment by the Privacy Commissioner be completed prior to an application being filed with the Federal Court, it has been difficult to envision how the statutory damages regime could be leveraged in support of a class action lawsuit. In June of 2014 the first Ontario class action was certified based on the tort of intrusion on seclusion in the case of “Evans v. The Bank of Nova Scotia” [see here ] (there have subsequently been other intrusion on seclusion based class actions certified both in Ontario and elsewhere in Canada). The Evans case was settled in 2016 when the bank agreed to pay each of the identity theft victims an additional amount of approximately $7,000 (giving rise to a total payout of approximately $1.1M plus actual losses suffered) in return for a full release. The settlement in Evans involving a deep-pocketed and well-advised defendant should be seen as important additional evidence that the activist stance taken by Canadian courts in response to innovative lawsuits launched by individuals seeking redress for alleged breaches of privacy rights must be accommodated and that policies, procedures and technologies aimed at minimizing the risk of privacy breaches are to be proactively implemented by organizations operating in this fast changing enhanced risk exposure environment. [Mondaq]

Law Enforcement

CA – Why Police Services Are Not Adopting Body Cameras

Thousands of law enforcement agencies in the U.S. have already implemented BWC technology. Conversely, only a handful of agencies in Canada have adopted body cameras. Among the larger services, only Toronto, Calgary, Edmonton, and Montreal have tested or are currently studying the technology. The only police service in the country to standardize BWCs for its officers is the Amherstburg Police Service — a small agency in southwestern Ontario. Why is body camera adoption in Canada moving at a snail’s pace compared to that of the U.S.? One reason is because of the cost. However, the most important reason agencies in Canada are not rushing to adopt BWCs is because of policy concerns. Creating an effective policy may be one of the most challenging issues regarding this technology. There has yet to be a definitive discussion around privacy, officer discretion over recording, access to footage, and storage. The Office of the Privacy Commissioner of Canada published a guide in 2015 for the use of BWCs by law enforcement agencies. The document addresses the issues around privacy, access, and storage, but it only serves as a guideline for agencies wishing to adopt BWCs. Thus, local agencies are responsible for creating and enforcing a BWC policy. For most police services in Canada, and for the communities they serve, it may be wiser to spend money on necessary resources or invest it back into the communities rather than take a risk on something that has yet to be proven. [Huffington Post Canada | See also: Technical hurdles mean no body-worn cameras for Mounties, for the time being | RCMP decides not to outfit officers with body-worn cameras | Police body cams not ‘worthwhile’ if officers can turn them off, lawyer says | Calgary police say body cameras unreliable in the field; possible legal battle ahead | Mounties wearing video cameras told to record use of force | Canadian police forces moving towards costly body cameras

Online Privacy

US – FTC Extends Privacy Principles to Cross-Device Tracking

Ad-tech companies that track consumers across their smartphones, laptops and other devices should inform consumers — as well as publishers and app developers — about the practice, the Federal Trade Commission recommends in a new report. The agency adds that companies engaged in cross-device tracking should allow consumers to opt out of the practice, and should only track “sensitive” data, including some health and financial information, with consumers’ opt-in consent. The new staff report also advised companies that they should not refer to information that can be linked to users — or their devices — as “anonymous. “Often, raw email addresses and usernames are personally identifiable, in that they include full names,” the report states. “Even hashed email addresses and usernames are persistent identifiers and can be vulnerable to reidentification in some cases.” [MediaPost | Not Much Fresh Advice in FTC Cross-Device Tracking Report | FTC Releases Cross-Device Tracking Report | FTC Staff Report Details Best Practices for Cross-Device Tracking | FTC Staff Issues Long-Awaited Cross-Device Tracking Report | FTC Extends Privacy Principles To Cross-Device Tracking | FTC’s Cross-Device Study Reveals Opacity of Data-Sharing Practices]

WW – Facebook Revamps ‘Privacy Basics’ User Guide

Facebook updated [see here ] its Privacy Basics [introduced in 2014] user guide to make it easier for people to learn how to protect their personal information on its platform. the guide has been updated to answer the most frequently asked questions and reorganized to make it even easier for people to find answers. Facebook said Privacy Basics now has 32 interactive guides available in 44 languages, which should allow many of its 1 billion users to learn how to limit what they share on the social network. Privacy Basics also explains how people can control their ad experience and bolster their account’s security. Facebook said the updated Privacy Basics are part of a broader push to educate people about their privacy The updated Privacy Basics can be found on Facebook’s website. The company also released a short video about the new guide. [Tom’s Hardware]

Other Jurisdictions

AU – Landmark Australian Ruling on What Counts as ‘Personal Information’

A full bench of the Federal Court has served a rebuff to Australian Privacy Commissioner Timothy Pilgrim, who has been fighting to secure a broad definition of personal information in the courts, to ensure that everything that could reasonably be used to identify an individual will fall under the protection of the Privacy Act. But federal court judges dismissed the commissioner’s appeal, siding with Telstra and the Administrative Appeals Tribunal over whether the telco needs to hand a full suite of telecommunications metadata over to Telstra customer and former Fairfax journalist Ben Grubb, under the personal information access provisions of the Act. The case has hinged on whether metadata stored by Telstra is information “about” Ben Grubb or “about” the service delivered to him. Privacy Commissioner Pilgrim warned earlier this year that the case would set the parameters for “arguably the most important term in the Privacy Act”. Today’s ruling establishes a narrower definition of personal information than the Privacy Commissioner would like. [itNews (Australia) See also: Australia’s privacy laws gutted in court ruling on what is ‘personal information’ | The Australian “Ben Grubb” decision and its link to Canada | Federal Court interprets ‘personal information’. What’s it all about people? | Landmark Australian ruling on what counts as ‘personal information’ | Australia’s privacy laws gutted in court ruling on what is ‘personal information’ | [Federal Court interprets ‘personal information’. What’s it all about people? ]

CH – Beijing Clamps Down Tighter On Web Use With New VPN Ban

The Chinese government has announced new restrictions on operating VPNs that in effect make it illegal to offer them without approval to anyone other than large organisations. The officials who run the so-called Great Firewall of China have been experimenting with VPN-blocking for a couple of years, but this is the first time a formal legal clampdown has been put into effect. The best-known providers include VyperVPN (Golden Frog), StrongVPN, Astrill, and ExpressVPN, all of which are based outside China. This raises the obvious question of how China can stop them. With the effect on providers uncertain – disruption has been reported but it’s hard to say how much – this could be another case of a cat chasing an unexpectedly large mouse. According to Golden Frog’s co-CTO, Phil Molter: “China has targeted VPN providers in the past but VyprVPN has been able to quickly and effectively update our service to defeat these blocks.” The VPN clampdown comes only days after China announced a similar tightening of restrictions on mobile app stores, which must now register with the country’s Cyberspace Administration. [Naked Security See also: China Orders Registration of App Stores

Privacy (US)

US – Court Declines to Reconsider Microsoft Email Seizure Ruling

A split U.S. Court of Appeals for the Second Circuit denied rehearing a July decision the Justice Department says handicaps investigators by making it easier for criminals to move incriminating data outside their reach, and that Microsoft defended as a victory for privacy rights. The vote leaves the Supreme Court as the last resort for U.S. investigators trying to get data from Microsoft and other internet service providers who poured into the case as amici. All four of the judges who wanted en banc rehearing issued dissents slamming the July decision [which] explored the limits on extraterritorial application of U.S. laws outlined by Morrison v. National Australia Bank Ltd. , 561 U.S. 247 (2010), and held Congress did not explicitly authorize the offshore reach of the Stored Communications Act. Judges Susan Carney, Robert Katzmann, Peter Hall and Denny Chin voted to deny, with Carney answering the dissents. Carney said the focus of the privacy protections in the SCA is at the place of data storage, so “the execution of the warrant would have its effect when the service provider accessed the data in Ireland, an extraterritorial application of the SCA.” [New York Law Journal] See also: Court Keeps Microsoft’s Irish Servers Safe From U.S. | US government wants Microsoft ‘Irish email’ case reopened | Lawmakers question DOJ’s appeal of Microsoft Irish data case | Microsoft Cloud Warrant Case Edges Closer to Supreme Court | Government Seeks Do-Over On Win For Microsoft And Its Overseas Data | Microsoft’s cloud privacy battle may go to US Supreme Court | Court Declines to Reconsider Microsoft Email Seizure Ruling | Court Keeps Microsoft’s Irish Servers Safe From U.S.  | US government wants Microsoft ‘Irish email’ case reopened ]

US – New Privacy Report Already Removed from White House Site

Following the inauguration of President Donald Trump, the “Privacy in our Digital Lives: Protecting Individuals and Promoting Innovation” report was removed from the White House website (It can still be found here.) the irony seemed particularly fitting. Civil liberties advocates worry about potential privacy infringements that could emerge under an administration that has promised to strengthen law enforcement, enhance surveillance efforts and monitor immigrant groups, steps that could very well involve increased data collection by the U.S. government, some of it derived from the same commercial sources advertisers use. Pam Dixon, executive director of World Privacy Forum, calls this moment a defining one. “The privacy movement has to mature right now,” she said. “The concern that I have is we are going to have very aggressive implementations of technology that are not preceded by policy.” Ms. Dixon cited her most immediate concern, national identity cards. [Adage]

US – Mississippi Attorney General Sues Google Over Student-Data Privacy

Last week, Mississippi state attorney general Jim Hood filed a lawsuit alleging that Google’s policies and practices regarding online tracking of students remain unclear, despite the company’s public pledge to not collect and use student data for commercial purposes, such as targeting advertisements to students. The suit seeks to force Google to be more transparent about its free, web-based G Suite for Education service, used by tens of millions of students worldwide, including more than half of the roughly 500,000 K-12 students in Mississippi. In its lawsuit, the state alleged that Google uses student GSFE accounts to track Mississippi K-12 students in order to build profiles that can be used for advertising. The state also accuses Google of failing to abide by its own privacy policies, terms of service, contracts, and agreements, as well as the public commitment it made in signing the Student Privacy Pledge. Some observers expressed skepticism about the suit. The Future of Privacy Forum, the industry-affiliated Washington think tank responsible for the Student Privacy Pledge, reiterated its belief that “Google’s practices are consistent with its obligations under the pledge.” In a blog post, the group noted that Google clearly states that no ads are served to students using G Suite for Education services. It also pointed out that school administrators must choose to let students use their school accounts to access Google’s consumer services. As a result, the suit’s legal prospects are unclear. [Edweek.org | See also: Mississippi sues Google for allegedly violating student privacy

Privacy Enhancing Technologies (PETs)

WW – Protonmail Combats ‘Totalitarian’ Govt Surveillance With Tor

ProtonMail, the popular Switzerland-based encrypted email provider, has announced it is now offering users the ability to log in to their accounts via the Tor network, a platform favoured by privacy advocates, journalists and activists to surf the web anonymously. the move is aimed at “countering actions by totalitarian governments around the world that are cutting off access to privacy tools”. In a blog post, the outspoken email provider provided users with an “onion” link, which is the term used to describe the Tor network’s version of a traditional website domain. Once Tor is downloaded and installed, it can be found here. [IBTimes]

Security

US – NIST Updates Cybersecurity Framework Guidance

In the past month, the National Institute of Standards and Technology (NIST) has issued a draft update to its flagship cybersecurity framework as well as new standalone guidance on how organizations can plan to recover from cybersecurity events. The publication of these documents demonstrates NIST’s ongoing focus on providing substantive guidance to the private and public sectors alike on cybersecurity risk management. In this post we summarize the highlights of each of these new NIST publications. On January 10, 2017, NIST issued draft version 1.1 of its Framework for Improving Critical Infrastructure Cybersecurity (Framework). On December 21, 2016, NIST issued Special Publication 800-184, Guide for Cybersecurity Event Recovery (NIST SP 800-184). Together, these documents signal the United States government’s ongoing substantive focus on the Framework as a vehicle for communicating cybersecurity risk management expectations. [Global Media and Communications Watch]

US – NIST Releases Internet of Things (IoT) Security Guidance

Late last year, the National Institute of Standards and Technology (“NIST”) released  Special Publication 800-160 (the “Guidance”) on implementing security in Internet-of-Things (“IoT”) devices. The Guidance is intended to provide a framework for software engineers to better address security issues and to develop more defensible and survivable systems in a sustainable manner throughout the life cycle of these devices. [It] is designed to help prevent the vulnerabilities that lead to their exploitation and to facilitate “a disciplined, structured, and standards-based set of systems security engineering activities.” To accomplish this, the Guidance focuses on assessing the trustworthiness of various internet-connected devices and their impacts through a series of processes governed by the life cycle of each device. From a legal perspective, the Guidance can be seen as a double-edged sword for organizations that manufacture or use IoT devices. [Data Protection Report see also: NIST Issues Internet of Things (IoT) Guidance | Internet of Things (IoT) Security Takes Center Stage At FBI, DHS, NIST and Congress | White House and Homeland Security Publish Cybersecurity Guidelines for IoT Devices | NIST unveils Internet of Things cybersecurity guidance | DHS Release Principles For Securing Internet Of Things Amid Expanding Cyber Attack Vectors | Ambassador Sepulveda Urges Technology Industry to Ensure the Security and Interoperability of the Internet of Things | Online Trust Alliance Releases Privacy and Security Checklist for IoT Consumers | NIST scientists ‘nervous’ about lightweight crypto for IoT | FTC’s Latest Enforcement Action Signals Scrutiny of IoT Industry | D-Link fights back against ‘baseless’ data security lawsuit | FTC vs D-Link: The legal risks of IoT insecurity | Cause of Action Institute to Defend D-Link Systems Against FTC’s Baseless Data Security Charges | FTC sues D-Link for ‘insecure’ routers and IP cameras | FTC Charges D-Link Put Consumers’ Privacy at Risk Due to the Inadequate Security of Its Computer Routers and Cameras | FTC IoT privacy and security push points out D-Link router and webcam flaws | D-Link Calls The FTC’s Router And IP Camera Security Allegations ‘Baseless’ | The FTC Brings Section 5 Charges Against Internet-of-Things Companies | [Pacemaker data used to help indict alleged arsonist | Murder case will test privacy rights of Amazon Echo users | Police mull gathering crime evidence from smart home devices ]

WW – Blockchain Enhances Cybersecurity

Hackers can shut down entire networks, tamper with data, lure unwary users into cybertraps, steal and spoof identities, and carry out other devious attacks by leveraging centralized repositories and single points of failure. The blockchain’s alternative approach to storing and sharing information provides a way out of this security mess. The same technology that has enabled secure transactions with cryptocurrencies such as Bitcoin and Ethereum could now serve as a tool to prevent cyberattacks and security incidents. Blockchains can increase security on three fronts: blocking identity theft, preventing data tampering, and stopping Denial of Service attacks. [Venturebeat | See also: | A Complete Beginner’s Guide To Blockchain | Crypto-Currency Software Emerges as Tool to Block Cyberattacks | Power Arrangements in Identity Systems | Why Etherium is the most promising Blockchain technology | Privacy fix for blockchain from Blythe Masters | How blockchain can help fight cyberattacks | Using Blockchain to Protect Against Data Tampering | Legal implications of expanded use of blockchain technology ]

Smart Cars

WW – FPF & NADA Launch Guide to Privacy in the Connected Car

The Future of Privacy Forum (FPF) and the National Automobile Dealers Association (NADA) released a first-of-its kind consumer guide, Personal Data In Your Car [see 8 pg pdf here https://fpf.org/wp-content/uploads/2017/01/consumerguide.pdf ] . The Guide will help consumers understand the kind of personal information collected by the latest generation of vehicles, which use data to further safety, infotainment, and customer experience. “The release of this Guide is a critical step in communicating to consumers the importance of privacy in the connected car, as well as the benefits that car data can provide,” said FPF CEO Jules Polonetsky. As vehicles become more connected, it will be increasingly important to communicate with consumers how their information is collected and shared. For further information about technology in the car, consumers should contact their local dealer and review their vehicle’s owner’s manual. [Future of Privacy Forum See Also: My pal the car: emotionally intelligent vehicles a technology dream but potential privacy nightmare | Cars Would Be Required to Talk to Each Other Under U.S. Plan | ENISA Jumpstarts Connected Car Cybersecurity Study for EU | Data Privacy, Security, and the Connected Car | European Multi-Stakeholder Group Releases Connected Vehicles Report | Smart cars share revealing personal data, raise privacy concerns ]

CA – The Data You Leave In a Rental Car Could Threaten Your Privacy

Information not deleted from onboard infotainment systems in vehicles is a ‘considerable problem’ CBC checked several cars in Fredericton and found contact information on both rental and pre-owned cars, leaving breadcrumb trails of information visible to the next person who sits behind the wheel. It’s information car rental companies and resellers are often not deleting, leaving a digital footprint that can threaten the privacy of those unsuspecting drivers. “It’s a considerable problem, actually,” said Rajen Akalu, an assistant professor at the University of Ontario Institute of Technology. Akalu did a report for Canada’s privacy commissioner on infotainment platforms in vehicles and their implications for privacy. Ultimately, if you are going to pair your phone, experts suggest finding out how to reset the car to its factory setting. In the case of car rental companies, “they check whether or not the car has a full tank of gas when you return it,” Akalu said. “They can equally ensure that the data is wiped from the unit, right?” [CBC News See also: My pal the car: emotionally intelligent vehicles a technology dream but potential privacy nightmare ]

Surveillance

US – Twitter Reveals FBI NSLs that May Have Infringed On Legal Guidelines

Twitter has for the first time disclosed that it received two national security letters (NSLs) from the FBI. [one in September 2015 and one in June 2016] The firm said that the disclosures mark the first time it was allowed to publicly reveal the NSLs. However, the FBI’s request for Twitter data may have reportedly gone beyond the scope of current legal guidelines. Twitter said in a blog post, “We have provided each of the account holders with copies of the relevant NSLs (certain information redacted to protect privacy) as well as the account data we were compelled to produce. Twitter remains unsatisfied with restrictions on our right to speak more freely about national security requests we may receive. We continue to push for the legal ability to speak more openly on this topic in our lawsuit against the U.S. government, Twitter v. Lynch.” [International Business Times UK See: Did FBI overstep its bounds in requesting information from Twitter? | FBI request for Twitter account data may have overstepped legal guidelines | Cloudflare’s In-House Lawyers Open Up About Privacy Fight With FBI | Progressive Phone Company Discloses Legal Battle Over FBI’s National Security Letters | Google Publishes Eight Secret FBI Requests | What Happens When My Company Receives a National Security Letter? A Primer | Freed From Gag Order, Google Reveals It Received Secret FBI Subpoena | EFF Urges Senate Not to Expand FBI’s Controversial National Security Letter Authority | Senate Intelligence Committee Expands FBI NSL Powers With Secret Amendment To Secret Intelligence Bill | Requests for data rise sharply under secretive U.S. surveillance orders ]

CA – Privacy & Winnipeg’s New TMC With 70 Zoomable Street Cams

The City of Winnipeg unveiled its splashy new Transportation Management Centre and launched its Waze traffic app. City staff at the hub will look to a wall of big screens hooked up to a network of data feeds and 70 cameras already installed at busy intersections. The cameras can zoom in as far as three kilometres from where they’re mounted, said a city engineer. But questions about privacy remain as the city has yet to push through an associated privacy protocol to prevent the unintended use of the network of data and cameras. Mayor Brian Bowman said privacy concerns over the potential misuse of the system by police for surveillance purposes are valid, but he’s been assured the sole purpose of the system is to gather information for traffic management. [CBC | Winnipeg’s traffic centre opens ]

Telecom / TV

CA – Canadians’ Internet Data Affected As Trump Cancels Privacy Rules

Activists and academics are calling on Canada’s privacy commissioner to investigate after an executive order [ see here https://www.whitehouse.gov/the-press-office/2017/01/25/presidential-executive-order-enhancing-public-safety-interior-united ] signed last Wednesday by Donald Trump which declared that federal agencies “shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.” Ronald Diebert of the University of Toronto’s Citizen Lab estimated that some 90% of Canadian Internet traffic is routed through the United States. Many have wondered whether any privacy protections really exist for Internet traffic in the U.S. the Obama administration expanded the ability of intelligence agencies to share surveillance data, shortly before leaving office. Trump’s new executive order “has real life implications,” consumer activist group OpenMedia said in a statement. “Everything from your financial status, to your medical history, your sexual orientation, and even your religious and political beliefs are exposed.” [It is] calling for “a reassessment of what information our government chooses to share with the U.S.” [Huffington Post Canada Also See: Trump’s Executive Order Eliminates Privacy Act Protections for Foreigners

+++

 

 

 

14-20 January 2017

Biometrics

US – Court Rules Against Man Forced to Fingerprint-Unlock His Phone

Unlocking a phone like this “is no more testimonial than furnishing a blood sample.” A Minnesota appellate court ruled against a convicted burglar who was forced by a lower state court to depress his fingerprint on his seized phone, which unlocked it. This case, State of Minnesota v. Matthew Vaughn Diamond, marks the latest episode in a string of unrelated cases nationwide that test the limits of digital privacy, modern smartphone-based fingerprint scanners, and constitutional law. As has been reported before, under the Fifth Amendment, defendants cannot generally be compelled to provide self-incriminating testimony (“what you know”). But giving a fingerprint (“what you are”) for the purposes of identification or matching to an unknown fingerprint found at a crime scene has been allowed. It wasn’t until relatively recently, after all, that fingerprints could be used to unlock a smartphone. The crux of the legal theory here is that a compelled fingerprint isn’t testimonial, it’s simply a compelled production—like being forced to hand over a key to a safe. Had the defendant been forced to disclose his passcode (instead of depressing his fingerprint) to his phone, the constitutional analysis likely would have been different. [Ars Technica | To beat crypto, feds have tried to force fingerprint unlocking in 2 cases | Apple’s Touch ID blocks feds—armed with warrant—from unlocking iPhone | Woman ordered to provide her fingerprint to unlock seized iPhone | Minnesota court on the Fifth Amendment and compelling fingerprints to unlock a phone | Here’s Why Feds Are Winning The Fight To Grab iPhone Passcodes And Fingerprints | Cops Could Force Google Pixel Users To Voice-Unlock Their Phones | Feds Walk Into A Building, Demand Everyone’s Fingerprints To Open Phones | How the Feds Justify Collecting Fingerprints to Unlock Everyone’s Phones | Can warrants for digital evidence also require fingerprints to unlock phones? | For the First Time, Federal Judge Says Suspect Must Use Fingerprint to Unlock Smartphone | Search Warrants Could Force You to Unlock Your iPhone via Touch ID]

WW – Researchers Extract Fingerprint Data from Digital Photograph

A pair of Japanese researchers have copied the fingerprint data from a digital picture of an individual making a peace sign. “One can use it to assume another identity, such as accessing a smartphone or breaking and entering into a restricted area such as an apartment,” Japan’s National Institute of Informatics professor Isao Echizen said. Working with fellow researcher Tateo Ogane, Echizen’s fingerprints were extracted from a digital photograph taken three meters away. [Reuters]

CA – Gemalto Wins Privacy Design Award for Biometric ID Verification Solution

Gemalto announced that it has won the ACT Canada IVIE Award in the “Privacy by Design” category for its ID Verification solution. As banks and mobile operators look to provide more convenient services through digital and self-service channels, the need to validate a customer`s identification becomes even more necessary. Gemalto`s ID Verification enables this new convenience while maintaining security by allowing customers to scan their picture ID remotely on their device. The service helps to comply with anti-money laundering and Know Your Customer regulations by providing a way to verify ID documents, such as drivers licenses or passports, across customer service channels – online, face-to-face, ATM or mobile app. Gemalto`s technology validates legitimate IDs, flags counterfeits, and provides a trust score in real time. In a face-to-face scenario, for example, to open a bank or mobile phone account, a representative will use a tablet to scan the customer`s ID, which the system verifies against a database of document templates from 180 countries for visual integrity, data consistency, and ID security features. In a self-service scenario, customers first scan their driver`s license or ID and then take a selfie. The system uses facial biometrics to verify that the picture on the card matches the selfie, and if so, can automatically fill out the name, address and other fields in the bank`s online forms. The award was presented by Dr. Ann Cavoukian, former Information and Privacy Commissioner of Ontario and now Executive Director of the Privacy and Big Data Institute – Where Big Data meets Big Privacy at Ryerson University. [Yahoo]

Canada

CA – Canada Revenue Agency Monitoring Facebook, Twitter Posts of Canadians

The Canada Revenue Agency is scrutinizing the Facebook pages, Twitter feeds and other social media posts of Canadians it suspects could be cheating on their taxes.  The agency is increasing its focus on what it can learn by collecting and analyzing many kinds of data — both its own internally generated information and what it calls “publicly available information.” “The CRA does practice risk-based compliance, so for taxpayers identified as high risk, any relevant, publicly available information relating to the specific risk-based factors for the taxpayer may be consulted as part of our fact-gathering processes,” said a spokesperson. Among those considered high risk are wealthy Canadians with offshore bank accounts. Tobi Cohen, spokesperson for the privacy commissioner, said CRA notified it of its plan to collect publicly available information from social media in connection with “tax fraud and non-compliance risk analysis, audits and investigations.” However, David Christopher, of the advocacy group Open Media, said his organization opposes government agencies monitoring what Canadians are saying on social media. “When Canadians post something on Facebook, they believe that they are sharing that with their friends and with their family. They don’t believe that they are sharing that with some government bureaucrat in Ottawa… Unfortunately, Facebook’s privacy settings are notoriously complex and many people might think that they are posting something to their friends and it ends up getting shared with the whole world.” The revelation that the Canada Revenue Agency is checking social media posts comes as the agency is also expanding its use of cutting-edge technology and data analysis to better catch tax cheats, to target people for audits and to improve its service for Canadians. Business intelligence, also known as big data, is a rapidly growing area within CRA. In 2016 alone, the agency posted three separate privacy impact assessments centred on its plans to use business intelligence techniques in its operations. [CBC News]

CA – Waterloo Rolls Out Licence Plate Scanner, Approves Privacy Rules

The licence plate recognition software the city has been interested in since 2011 will finally be implemented. A review was conducted to find out if bylaw officers taking photos of parked cars will have a negative impact on privacy. “The Licence Recognition Program is supplementing an existing manual process and doesn’t really increase the amount of information being collected. We now have an electronic database and information that includes photographs and GPS location of the vehicle. Other than that, the information we collect is the same” said Julie Scott, deputy city clerk. The new system [has] camera equipment loaded onto the front and back of the clearly marked City of Waterloo vehicle [that] will capture parked cars’ licence plates and tire valves, to see if cars were moved and re-parked. A computer will log the plate numbers, GPS locations of vehicles, dates and times. Non-violator information will be purged immediately, said Scott. Violator information will be housed on secure city servers at city facilities and will be transferred using secure encrypted methods. Any personal information collected accidentally when a picture is taken will be redacted. “Officers who use the system don’t, by virtue of the system, have access to personal information,” said Julie Scott, deputy city clerk. As part of the licence plate recognition software privacy impact assessment, the city collaborated with legal, legislative and enforcement services. It also had guidance from the information privacy commissioner’s office. [Waterloo Chronicle | New tech modernizing parking enforcement in Waterloo | Waterloo approves privacy rules for licence plate scanner]

CA – Manitoba Scraps Plan to Combine Health Cards with Driver’s Licenses

Manitoba will not be going forward with a plan to combine health cards with driver’s licenses. Health Minister Kelvin Goertzen said concerns about additional costs, the work needed to change legislation, and the impact on storing health information were the primary reasons for why the idea will not proceed. Goertzen said if Manitoba wants to revive the idea of a single personal information card, it will need to be done correctly from the start. “We also have to determine how to assess privacy legislation compliance,” said Goertzen. “The work compiled to date will be used to develop and implement a strategy for identity management that can be applied across government.” [The Canadian Press]

CA – MPI Will No Longer Publish Home Addresses on Vehicle Registrations

Privacy concerns are pushing Manitoba Public Insurance to remove home addresses from noncommercial vehicle registrations this spring. “Vehicle registration cards are often left inside the vehicle, which makes them susceptible to being taken should the vehicle be broken into,” Crown Services Minister Ron Schuler said. “Removal of the registered owner address will ensure the privacy, confidentiality and security of registered vehicle owners is maintained in these cases.” As of March 1, anyone renewing their registrations will no longer have their home addresses on the documentation, with the Crown corporation planning to issue the new cards at no extra cost. [CBC News]

CA – Alberta Orgs Push for More Data Sharing in Vulnerable Children Cases

Several organizations called for more information sharing and transparency when handling the data of vulnerable children. Alberta School Boards Association’s Jim Gibbons cited a case where data sharing could have helped in a case where a child had died. Gibbons said the death could have been avoided had all the present information been shared. “We need to protect privacy but also share information, particularly when it pertains to an at-risk child or youth. It could mean the difference between living and dying,” said Gibbons during a review of the Child and Youth Advocate Act. [Edmonton Journal]

CA – OIPC SK: Trustees Can Rely on Deemed Consent

The Office of the Saskatchewan Information and Privacy Commissioner has issued guidance on deemed consent under the Health Information Protection Act. Deemed consent means that the data subject has given no signal that they have consented to, and there is no mechanism to opt-out of, the collection, use or disclosure of personal health information; trustees can forgo express or implied consent only when an individual is unable to give consent, unconscious, or in emergency circumstances. [OIPC SK – Deemed Consent in HIPA – What Is It?]

CA – Full Bell Aliant Contract Should Be Public: PEI Privacy Commissioner

P.E.I.’s privacy watchdog has ordered Bell Aliant to release its telephone services contract with the P.E.I. government in its entirety. Privacy commissioner Karen Rose disagreed with Bell Aliant’s argument that releasing the full document would harm the business interests of the company. “The goals of transparency and accountability would be futile if public bodies were permitted to form contracts whose terms were kept secret from Islanders,” Rose says in her ruling. “Businesses who contract with government should be mindful of government’s accountability to the public. This accountability is especially applicable to government’s expenditure of public funds.” The ruling comes in response to a freedom of information request asking for the full Bell Aliant contract. [The Guardian]

Consumer

WW – Companies Should Shoulder Most of the Data Protection Efforts: Report

A report from Gemalto finds a majority of consumers believe organizations holding their data are responsible for protecting their information. Surveying 9,000 people from around the world, respondents said 70% of the data protection efforts should fall on the companies, with the remaining 30% going toward consumers. “Consumers have clearly made the decision that they are prepared to take risks when it comes to their security, but should anything go wrong they put the blame with the business,” said Gemalto Chief Technology Officer for Data Protection. “The modern-day consumer is all about convenience and they expect businesses to provide this, while also keeping their data safe.” [ZDNet]

US – Mississippi AG Sues Google for Allegedly Violating Student Privacy

Mississippi Attorney General Jim Hood is suing Google for allegedly violating student privacy. Hood is accusing the tech company of violating the state’s consumer protection law by selling ads using data it collects from services it provides to schools, specifically citing a test involving student accounts from the state-run Mississippi School of Math and Science in Columbus. During the test, targeted ads have appeared from previous searches, and Hood is asking a judge to force Google to stop the practice. “They’re building a profile so they can advertise to them,” Hood said. “They expressly stated in writing that they would not do that.” Hood’s lawsuit said Google could be fined $10,000 per student account, with the total penalties possibly exceeding $1 billion. [The Associated Press]

US – It’s Grades, Not Privacy, That Matter to Generation Z: Study

For generations of students, the prospect of their lecturers prying into their study habits would have been anathema, but for Generation Z it’s not privacy but grades that matter. Three quarters of students would welcome closer monitoring of their study habits as a way to cut drop-out rates, while almost half said it could help them get better grades, according to a new survey. The findings turn on its head the widely-held assumption that students jealously guard their privacy and are highly resistant to efforts to monitor their behaviour outside of the lecture hall. In 2015 Google was forced to defend itself from accusations that it was snooping on students by harvesting data on students using Chromebooks, in order to generate target advertisements. [Forbes]

E-Government

EU – Institution Web Services Shouldn’t Assume User Consent Is Valid Forever

The European Data Protection Supervisor has issued guidance focusing on specific aspects of web services provided by EU institutions. The processing of personal data on the server side and through tracking and profiling should give the user the possibility to review their decision; periodically remind users that they gave their consent to tracking and of what they consented to, which could be done at least every 6 months, and more frequently in the case of profiling. [EDPS – Guidelines on the Protection of Personal Data Processed Through Web Services Provided by EU Institutions]

EU Developments

EU – New A29WP Guidelines on Data Protection Officers

The EU’s Article 29 Working Party has published new Guidelines on the role of Data Protection Officers under the General Data Protection Regulation. Data Protection Officers are seen as a cornerstone of data protection compliance, and many businesses will be subject to a mandatory obligation to appoint a Data Protection Officer. The Guidelines provide businesses with useful information on the appointment and role of Data Protection Officers. The GDPR will introduce significant new obligations which will require many businesses to appoint DPOs. The GDPR will also implement a much more formal framework around the roles and responsibilities of DPOs. [White & Case]|

UK – CJEU Ruling in Tele2, Takeaways & Impact on Snooper’s Charter

The CJEU’s recent decision in the Tele2/Watson case contains interesting guidance on the rules around the retention of communications data and the safeguards that must be in place to protect it. It may also call the viability of the new Investigatory Powers Act into question. The key issue in the case was whether legislation in Sweden and the UK, which imposed an obligation on public communications providers to retain traffic and location data, was compatible with EU law. The UK legislation required public telecommunications operators to retain all such communications data for a maximum of 12 months where required to by the Secretary of State. The CJEU gave guidance on the aspects of national legislation that would be deemed unlawful under EU law. Here are the most important takeaways from the judgment:

  1. The intrusiveness of traffic and location data;
  2. The purpose for retention must be limited to fighting serious crime;
  3. Retention must be targeted to what is “strictly necessary” to fight serious crime;
  4. Access to the data must be subject to prior review by a court or independent authority;
  5. Data subjects must be informed as soon as possible; and,
  6. Retained data must stay within the EU.

It is clear that many aspects of the new Investigatory Powers Act 2016 (IPA) still fall short of satisfying the CJEU’s criterion above. The UK will need to consider carefully what amendments, if any, it will make to the IPA to bring it into conformity with EU law. [Privacy, Security and Information Law Blog | CJEU holds that mass surveillance must not be general and indiscriminate | The CJEU Gives the UK Government Another Brexit Dilemma | The Court of Justice of the European Union Limits the Scope of National Data Retention Laws | EU court ruling on ISP data retention may influence Canada | In Major Privacy Victory, Top EU Court Rules Against Mass Surveillance | EU’s highest court delivers blow to UK snooper’s charter | EU ruling means UK snooper’s charter may be open to challenge ]

US – Switzerland and US Regulators Agree to Privacy Shield Framework

The Switzerland Government has reached an agreement with the US Department of Commerce on a new Swiss-U.S. Privacy Shield framework (“Swiss Shield”). The Framework is needed for secure, efficient transfers of personal data to the US (which does not have an adequate level of protection), and is similar the EU-US Framework, guaranteeing the same conditions for individuals and businesses in Switzerland; US companies that obtain certification will be recognised as having adequate data protection standards, and Swiss companies will be able to transmit data to these companies without requiring additional contractual guarantees. [Switzerland Federal Council – Swiss-US Privacy Shield – Better Protection for Data Transferred to the USA]

EU – Swedish Government Provides Protection for Whistleblowers

The Swedish Ministry of Employment issued Act 216-749 on Special Protections Against Victimisation of Whistleblowing Employees, which is effective on January 1, 2017. Employees can report incidents to union representatives, using internal reporting procedures, to the employer, or to the public (if the employer does not take reasonable action in response to reporting, or inform the employee of measures taken); employees that incriminate themselves when reporting an incident do not have protections under the law, and employers are prohibited from retaliation against whistleblowing employees (e.g dismissal, redundancy. [Act 2016-749 on Special Protection Against Victimisation of Whistleblowing Workers – Sweden Ministry of Employment]

Finance

EU – Mobile Payments Provide Multiple Threat Opportunities

The European Network Information Security Agency has issued guidance on mobile payments and digital wallets applications. Threats includes those from users (phishing), devices (lost/stolen), apps (reverse engineering), merchants (relay attacks on near field communication enabled POS contactless terminals), payment service providers (data connectivity compromise), acquirers (repudiation of mobile payment authorization), payment network providers (token services provider services & servers compromise), issuers (payment fraud), servers & cloud services (DDoS attacks), and digital wallets enrolment (potentially immature code may have security weaknesses. [ENISA – Security of Mobile Payments and Digital Wallets | Press Release]

Genetics

WW – Study Applies Game Theory to Genomic Privacy

A new study presents an unorthodox approach to protect the privacy of genomic data, showing how optimal trade-offs between privacy risk and scientific utility can be struck as genomic data are released for research. The framework can be used to suppress just enough genomic data to persuade would-be snoops that their best privacy attacks will be unprofitable. [ScienceDaily]

Health / Medical

WW – New Report Assesses State of Data Sharing for Healthcare Analytics

A new report from Privacy Analytics, in collaboration with the Electronic Health Information Laboratory, summarizes the key findings from a survey that assessed the state of data sharing in healthcare and the challenges in disclosing data for secondary use. Secondary use of health data applies to protected health information that is used for reasons other than direct patient care, such as data analysis, research, safety measurement, public health, payment, provider certification or marketing. Key findings:

  • There is a lack of total confidence in the ability to protect privacy: More than two out of three respondents lack complete confidence in their organization’s ability to share data without putting privacy at risk.
  • The demand for data is growing as fast as the amount of data being collected. More than half of the respondents plan to increase the volume of data stored or shared within 12 months and two-thirds currently release data for secondary use.
  • Individuals lack familiarity with advanced methods of de-identifying data. As a result, they release information that has been stripped of its usefulness or share data in a way that puts them at an unacceptably high risk of a breach.
  • Most organizations use approaches that can result in high risk datasets. More than 75% of respondents said that their organization uses one or more of the following: data-sharing agreements, data masking or Safe Harbor.
  • Healthcare organizations are slowly starting to monetize data assets. One in six says they share data with other organizations for profit. [Source]

US – Health Data Breaches Doubled in 2016, but Fewer Records Lost: Report

A Protenus report reveals data breaches nearly doubled in health care organizations last year, but far fewer patient records were lost in the cyberattacks. The report found 27.3 million records were compromised in 2016, down from 113 million in 2015. Health care suffered 450 breaches in 2016, up from 253 in 2015. “While it may seem that there is a significant drop between the total patient records affected by health data breaches from 2015 to 2016, most of that difference is attributable to a single event. Anthem was the largest health data breach of 2015, affecting 80 million patient records. Once this single breach is removed, the side-by-side comparison between 2015 and 2016 isn’t drastically different, 33 million vs. 27 million respectively.” [SC Magazine]

Horror Stories

AU – Accident Leads to Breach of 8,709 Gun Owners’ Details

Staff at the Victorian government’s Department of Environment, Land, Water and Planning accidentally emailed out the personal details of 8,709 gun owners. “The error occurred on eight separate occasions, with the attached files including between 800 to 1,900 names,” the report states. “It really was a simple case of human error,” the department said. “The [staff] concerned are horrified … and have been counselled.” The department contacted the recipients of the eight emails and confirmed that they were either deleted or not received. Additionally, “on advice from the state’s privacy commissioner, the department is posting letters to each of the 8,709 people involved… The department has also contacted Victoria Police.” [ABC]

Identity Issues

EU – UN Free Speech Advocate Criticises UK Plan to Curb Access to Online Porn

The UN’s free speech advocate has warned that British government plans to enforce age verification and some censorship of pornographic websites risk breaking international human rights law and would contribute to a “significant tightening of control over the internet”. David Kaye, the special rapporteur on the promotion and protection of the right to freedom of opinion and expression, called on ministers to conduct a comprehensive review of the digital economy bill, which he said facilitated state surveillance and lacked judicial oversight. The bill, intended to regulate a range of issues relating to the internet and electronic records, also includes measures to increase data sharing between government departments and protect intellectual property. But it is the measures to control pornography that have sparked an outcry amid fears that they will create a database of internet users’ sexual proclivities and roll back Britain’s censorship regime to the pre-internet era. If the bill passes it will outlaw the depiction online of a range of legal-to-perform sex acts. Its passage is highly likely, with support in parliament from both Labour and the Conservatives, and only the Liberal Democrats indicating they will oppose it. Kaye’s objections focus on the risk posed by age verification requirements to individuals’ privacy. In a letter to the UK’s ambassador to the UN, he says he is concerned that the new rules “fall short of the standards of international human rights law”. [The Guardian]

Law Enforcement

CA – Federal Officials Approved Winnipeg Police Purchase of Spying Devices

Federal public safety officials approved a licence that would enable the Winnipeg Police Service to purchase devices from an undisclosed company designed to intercept the private communications of citizens. The licence, was approved for a 12-month period by the assistant deputy minister of Public Safety Canada’s national security branch on June 23, 2016. Approvals were also signed for Durham Regional Police, Ontario Provincial Police, RCMP and the Canadian Security Intelligence Service, according to the records. The records also showed evidence of 93 occasions dating back to 2008 of licence requests processed by Public Safety Canada. Often referred to as IMSI (international mobile subscriber identity) catchers, these covert tools masquerade as conventional cellular towers, causing mobile phones to transmit signals to the rogue device, rather than directly to towers operated by wireless providers. [CBC | Application form for selling spyware in Canada | ATIP release from Public Safety Canada | Winnipeg Mayor & Privacy Lawyer A-OK with Cops Using IMSI | ‘Shady, secretive system’: Public Safety green-lit RCMP, CSIS spying devices, documents reveal | Ottawa should tell the truth about ‘stingrays’: Editorial | Government use of surveillance devices must be restricted: privacy experts | Long-Secret Stingray Manuals Detail How Police Can Spy on Phones | Vancouver police admit using StingRay cellphone surveillance, BCCLA says | Local Police In Canada Used ‘Stingray’ Surveillance Device Without a Warrant | Privacy watchdog to investigate RCMP over alleged ‘stingray’ cellphone surveillance | StingRays breach cell phone privacy]

UK – Police Should Need Warrants to Search Mobile Phones: Campaigners

Police use of data extraction equipment to download information from suspects’ mobile phones should require a search warrant, according to privacy campaigners. The practice is becoming increasingly routine across most forces but is inadequately regulated and being carried out by insufficiently trained officers, Privacy International claimed. Digital forensic equipment has been used under counter-terrorism powers at ports and airports to download data from mobile phones for several years. Concerns over the practice were first raised by the independent reviewer of terrorism legislation, David Anderson QC, in 2012. The technology has now spread to other police forces. Mobile phone data can contain an enormous amount of private information, including photographs. [The Guardian]

Online Privacy

WW – Startup Allows Users to Control Data When Signing Up for Websites

A new startup is working to create a product allowing users to have more control over their data when signing up for websites. Blockstack will be releasing software later this year allowing users to control their digital identity. Whenever a user signs up for a website needing personal information, users will have the ability to grant access under a profile they control. If they wish to stop using a service, the user can revoke the access to the profile and data. Blockstack plans to accomplish this functionality by using blockchain technology to track usernames and associated encryption keys. “We’re trying to turn the existing model on its head,” says Blockstack CEO and co-founder Ryan Shea. “You can try to work with the existing model from within, but sometimes it’s easier to step outside of it and build s something new from a clean slate.” [MIT Technology Review]

EU – Proposed Reputational Profiling Not Compliant with Data Protection Code

The Italian data protection authority considered a request for approval for personal data processing to produce a “reputation rating” by Mevaluate Holdings, Ltd., Mevaluate Italy, and Mevaluate Onlus Association pursuant to the Data Protection Code. Such profiling via web platform would violate multiple statutory requirements; the processing implicates sensitive data that impacts personal dignity, and is not subject to guarantees of impartiality and independence (i.e. the decisions are automated). There are concerns with the reliability of the data (documents used for profiling can be forged), possible misuse (i.e. blacklist purposes), inadequate security measures (encryption only for judicial data), and consent is not freely given (due to the potential for adverse effects of the profiling on individuals. [DPA Italy – Decision No. 488/2016 – Web Platform for Development of Reputational Profiles | Summary available in Italian]

Other Jurisdictions

AU – Pilgrim Cautions Senate Committee Against Drone Deregulation

Australian Privacy and Information Commissioner Timothy Pilgrim has warned against deregulating commercial drone use in a submission “to the Senate committee investigating the safety implications of the new rules that allow commercial operators to fly without a license, drones weighing less than 2 kg.” While drones have economic impact, they also have privacy concerns as well, Pilgrim said. “Privacy risks presented by drone use range from inadvertent privacy breaches through the collection of personal information, such as photographs of individuals and their activities, to potential conduct that meets criminal-offence thresholds such as stalking” Pilgrim said he would “support increased training and education to inform drone pilots of their responsibilities and to protect the privacy of individuals.” [The Australian]

Privacy (US)

US – Obama Releases Report on Privacy, Surveillance and Innovation

In the last week of his presidency, former President Barack Obama released a report summing up his administration’s work on privacy, surveillance and innovation. The report includes the administration’s work on domestic and international privacy initiatives, including the Privacy Shield and APEC frameworks as well as reforms to national surveillance. [Privacy in our Digital Lives: Protecting Individuals and Promoting Innovation]

Privacy Enhancing Technologies (PETs)

US – NIST Publishes Guidance on Privacy Engineering and Risk Management in Federal Systems

This document from NIST provides an introduction to the concepts of privacy engineering and risk management for federal systems. These concepts establish the basis for a common vocabulary to facilitate better understanding and communication of privacy risk within federal systems, and the effective implementation of privacy principles. This publication introduces two key components to support the application of privacy engineering and risk management: privacy engineering objectives and a privacy risk model. [NISTIR 8062 An Introduction to Privacy Engineering and Risk Management in Federal Systems]

Smart Cars / IoT

US – Smart City Prevalence to Increase by 2019: Study

Research firm Gartner has estimated half the citizens within million-people cities will voluntarily fuel smart city enterprises with their data by 2019. “As citizens increasingly use personal technology and social networks to organize their lives, governments and businesses are growing their investments in technology infrastructure and governance,” said Gartner. “This creates open platforms that enable citizens, communities and businesses to innovate and collaborate, and ultimately provide useful solutions that address civic needs.” While machine-readable data is already generated in bulk, “the city becomes ‘smart’ when data is collected and governed in such a way that can produce valuable real-time streams, rather than simply backward-looking statistics or reports,” Gartner’s said. [FZDNet]

AU – Internet-of-things Tools With Augmented Reality Worry Australians: Study

ISACA research has found that 70% of Australians are concerned that internet-of-things devices with augmented reality pose a threat to their privacy, increasing a chance of a breach. “With the proliferation of IoT-enabled devices and the drive to provide enhanced user experiences, IoT and AR have the power to become a source of unprecedented value and opportunity, as well as significant risk,” said ISACA. “Individuals and enterprises should focus on rapidly getting up to speed on these technologies while learning how to manage risk so they do not compromise their company’s ability to innovate.” [iTWire]

Surveillance

UK – Britain’s Draconian Surveillance Laws Called “Disproportionately Dangerous” by New Amnesty International Report

The Investigatory Powers Act, which legalised the bulk surveillance of everyone’s internet activity “threatens to have devastating consequences for privacy and other human rights in the UK and beyond”, according to Amnesty International. The damning verdict on Britain’s surveillance state comes as part of the human rights group’s new “Disproportionately Dangerous” report, which looks at the Europe-wide trend towards more draconian laws that threaten our rights – like the IP Act, which is also known as the Snooper’s Charter. After describing the powers that the law enables, Amnesty concludes that “Such provisions, lacking any requirement for individualized, reasonable suspicion, are contrary to human rights law. Even the allegedly targeted ‘thematic’ warrants are so broad that they will undermine privacy rights well beyond what human rights law allows.” “The last two years, however, have witnessed a profound shift in paradigm across Europe: a move from the view that it is the role of governments to provide security so that people can enjoy their rights, to the view that governments must restrict people’s rights in order to provide security. The result has been an insidious redrawing of the boundaries between the powers of the state and the rights of individuals.” [Gizmodo]

US – Privacy Threat from Always-on Microphones Like the Amazon Echo: ACLU

A warrant from police in Arkansas seeking audio records of a man’s Amazon Echo has sparked an overdue conversation about the privacy implications of “always-on” recording devices. This story should serve as a giant wakeup call about the potential surveillance devices that many people are starting to allow into their own homes. The Amazon echo is not the only such device; others include personal assistants like Google Home, Google Now, Apple’s Siri, Windows Cortana, as well as other devices including televisions, game consoles , cars and toys. We can safely assume that the number of live microphones scattered throughout American homes will only increase to cover a wide range of “Internet of Things” (IoT) devices. Overall, digital assistants and other IoT devices create a triple threat to privacy: from government, corporations, and hackers. We fear that some government agencies will try to argue that they do not need a warrant to access this kind of data. We believe the Constitution is clear, and that, at a minimum, law enforcement needs a warrant based on probable cause to access conversations recorded in the home using such devices. But more protections are needed. Unfortunately the existing statutes governing the interceptions of voice communications are ridiculously tangled and confused and it’s not clear whether or how data recorded by devices in the home are covered by them. Digital assistants, like smart meters and many other IoT devices, split open a contradiction between two legal doctrines that both sit at the core of privacy law: 1) The sanctity of the home; and 2) The third-party doctrine. The contradiction arises when devices inside the home stream data about activities in that home to the servers of a third-party corporation. If microphones are going to be part of our daily lives in our intimate spaces, we need broader awareness of the issues they raise, and to settle on strong protections and best practices as soon as possible. [ACLU | Devices sprout ears: What do Alexa and Siri mean for privacy? | The battle to use Siri as a key witness | Mozilla: ‘IoT will be the first big battle of 2017,’ calls for responsible IoT | Tips on protecting your privacy on Amazon Echo and Google Home | Murder case will test privacy rights of Amazon Echo users | Police mull gathering crime evidence from smart home devices |  ‘IoT will be the first big battle of 2017,’ calls for responsible IoT]

US – Documents Reveal 15 Years-Worth of ‘Cartapping’ Surveillance Efforts

Court documents reveal 15 years-worth of law enforcement requests to vehicle technology providers for handing over real-time audio and location data to aid in investigations. The surveillance actions, known as “cartapping,” include New York police demanding SiriusXM to provide location information to target a car in an alleged illegal gambling ring, and General Motors handing over OnStar data from a Chevrolet Tahoe rented by a suspected crack cocaine dealer. Attempts to have the evidence thrown out of court are normally not successful, as the government possesses a solid argument stating drivers’ right to privacy does not hold up when using services such as OnStar. “I could make an argument to the contrary, which is based on the fact that we are increasingly surrounded by embedded interactive, broadcast technologies and therefore can tend to forget the fact that we may be broadcasting as we hold what we think are private conversations,” said University of Dayton, Ohio, law professor Susan Brenner. [Forbes]

Telecom / TV

AU – Australian Federal Court Sides With Telstra in Metadata Case

The Federal Court of Australia has sided with telecom company Telstra in a case about whether all metadata constitutes personal information. The court ruled Telstra did not need to hand over its telecommunications metadata to former Fairfax journalist Ben Grubb under the Privacy Act. The case rested on whether metadata held by Telstra is information “about Ben Grubb,” or if it’s “about the service delivered to him.” The Administrative Appeals Tribunal sided with Telstra. The appeal filed by Australian Privacy Commissioner Timothy Pilgrim was denied by the Federal Court. “I think the Privacy Commissioner’s lawyers played a high stakes game with a narrow approach to this appeal, and it backfired on them,” said Salinger Privacy’s Anna Johnston. “The Federal Court did not clearly answer the question of what defines personal information because they were not asked to.” [iTnews]

US Government Programs

US – Obama Opens NSA’s Vast Trove of Warrantless Data to Entire Intelligence Community

The Obama administration announced new rules [Executive Order 12333] that will let the NSA share vast amounts of private data gathered without warrant, court orders or congressional authorization with 16 other agencies, including the FBI, the Drug Enforcement Agency, and the Department of Homeland Security. The new rules allow employees doing intelligence work for those agencies to sift through raw data collected under a broad, Reagan-era executive order that gives the NSA virtually unlimited authority to intercept communications abroad. Previously, NSA analysts would filter out information they deemed irrelevant and mask the names of innocent Americans before passing it along. The last-minute adoption of the procedures is one of many examples of the Obama administration making new executive powers established by the Bush administration permanent, on the assumption that the executive branch could be trusted to police itself. Under 12333, the NSA taps phone and internet backbones throughout the world, records the phone calls of entire countries, vacuums up traffic from Google and Yahoo’s data centers overseas, and more. The new rules still ostensibly limit access to authorized foreign intelligence and counterintelligence purposes — not ordinary law enforcement purposes — and require screening before they are more widely shared. But privacy activists are skeptical. [The Intercept | National Security Agency Databases Open for Business | Obama Expands Surveillance Powers on His Way Out | E.O. 12333 Raw SIGINT Availability Procedures: A Quick and Dirty Summary | N.S.A. Gets More Latitude to Share Intercepted Communications | Trump to Inherit Vast Surveillance Powers | Trump to inherit vast surveillance system | Commander-In-Chief Donald Trump Will Have Terrifying Powers. Thanks, Obama]

US – Border Agents Demanding Americans’ Social Media Accounts

Customs and Border Protection agents have been invasively questioning Muslim-Americans at U.S. border crossings about their political and religious beliefs, asking for their social media information, and demanding passwords to open mobile phones, according to a set of complaints filed by the Council on American-Islamic Relations (CAIR). The complaints deal with the cases of nine people who have been stopped at various U.S. border crossings, eight of whom are American citizens, and one Canadian. They were filed to the Department of Homeland Security, Customs and Border Protection and the Department of Justice. While warrants are normally required for federal authorities to search cellphones, this requirement does not apply at border crossings. The complaints filed by CAIR allege that CBP agents have been asking travelers questions including, “are you a devout Muslim”, “what do you think of the United States”, and “what are your views about jihad?” The complaints also say that people have reported being asked whether they attend a mosque and what their opinions are about various terrorist groups. The complaints also allege that border agents have asked American citizens to provide their social media information at the border. The ACLU notes that, although they may suffer delays, “U.S. citizens cannot be denied entry to the United States for refusing to provide passwords or unlock devices.” [The Intercept | See also: Revealed: The FBI’s Secret Methods for Recruiting Informants at the Border | U.S. Border Questionnaire: Is Anyone in Your Family a “Martyr”? | With Power of Social Media Growing, Police Now Monitoring and Criminalizing Online Speech | Will US border officials demand social network handles from visitors? | Surveillance of Everyone: Europe’s “Smart Borders” Would Automatically Monitor Individuals | Op-Ed: Canada to share information with U.S. on land border crossers | New border bill allows sharing of biographic data | New bill would allow border guards to collect biographic data on those leaving Canada | Government must face scrutiny over hacking of migrants’ phones by UK border guards]

US Legislation

US – State Bill Permits Automatic License Plate Readers for Investigations

New York Senate Bill S00023, amending the General Business Law and Executive Law and relating to the use of automatic license plate reader systems, is introduced in the New York Legislature and referred to the Committee on Consumer Protection. Law enforcement agencies may use automated license plate readers for immediate comparisons of captured data held by other government agencies, for the purposes of identifying outstanding parking or traffic violations, violations of vehicle registration or inspection requirements, and stolen vehicle and license plates; operators of ALPRs must preserve captured plate data upon request from law enforcement, and must destroy the data after 14 days or if an application for a disclosure order is denied.[SB S00023 – An Act to Amend General Business Law and the Executive Law in Relation to the Use of Automatic License Plates Reader Systems – State of New York]

US – Bill Increases Public Transparency of Use of Surveillance Technologies

California Senate Bill 21, adding Chapter 15 to Division 2 of Title 5 of California Government Code and relating to law enforcement use of surveillance technology, is introduced and referred to the Committees on Public Security and the Judiciary. Agencies must, as of July 1, 2018, submit to their governing body a policy regarding their use of surveillance technologies (e.g. drones, license plate readers, CCTV, IMSD trackers, GPS, RFID, and biometrics-ID/facial-recognition); the policy must include the types of technologies and authorized purposes, a description of privacy compliance and security measures, restrictions on use/disclosure, any public access to collected data, the data retention period, and the destruction process. [Senate Bill 21 – Relating to Law Enforcement Agencies – California]

Workplace Privacy

US – Court Rules UPMC Under No Obligation to Protect Employee Data

The Superior Court of Pennsylvania ruled workers from the University of Pittsburgh Medical Center had no reasonable expectation their employee data would be secure following a data breach resulting in their information having been used to file phony tax returns. The decision states the UPMC workers turned over their information as a condition of their employment, not for protection. The court also ruled UPMC is not responsible for paying for stolen data resulting in economic loss, and the law should not require employers to take on the costs of enhancing employee data security. “We find it unnecessary to require employers to incur potentially significant costs to increase security measures when there is no true way to prevent data breaches altogether,” the decision states. [Network World]

EU – Deutsche Bank Prohibits Texting, Comms Apps on Company Phones

Deutsche Bank AG will no longer allow employees to send text messages and use communication apps on company-issued phones as the organization attempts to improve compliance standards. Deutsche Bank’s Chief Regulatory Officer Sylvie Matherat and Chief Operating Officer Kim Hammonds sent a staff memo stating the functionality will be turned off this quarter. The policy will also apply to employees’ private phones used for work purposes and includes communication apps such as WhatsApp, Google Talk and iMessage. The move comes as Deutsche Bank works to improve its compliance efforts, as data compiled by Bloomberg found the bank has been slapped with more than $13.9 billion in fines and legal settlements since 2008. [Bloomberg]

US – Federal Privacy Council Launches Hiring Toolkit

The U.S. Federal Privacy Council has launched a new toolkit aimed at assisting federal agency human resources staff and hiring managers in understanding the new world of U.S. government privacy, making decisions about which types of positions they should use in their privacy offices, designing federal privacy positions, and then conducting recruitment and selection activities. [IAPP.org]

+++

Big Data

CA – Ontario Privacy Commissioner Hosting Event on Big Data and Government

The Information and Privacy Commissioner of Ontario is hosting a Privacy Day Event on government and big data. The IPC event, titled “Government and Big Data: Privacy Risks and Solutions,” will discuss the benefits and risks of big data analytics, the potential for bias, and appropriate safeguards. “How can we ensure that the privacy rights of Ontarians are respected and personal information is managed appropriately and fairly in a big data world? How do we ensure transparency and that results and findings are accurate and nondiscriminatory? How can we protect an individual’s right to challenge findings that are based on these powerful analytical tools?” This free event will take place on Jan. 26, at the Toronto Reference Library. [ipc.on.ca | See also: Big data and insureds: A conundrum?]

US – Hintze, Lafever Release White Paper on The GDPR and Data Analytics

Hintze Law’s Mike Hintze and Anonos’ Gary LaFever have released a white paper on balancing General Data Protection Regulation requirements with data analytic abilities. Entitled “Meeting Upcoming GDPR Requirements While Maximizing the Full Value of Data Analytics: Balancing the Interests of Regulators, Data Controllers and Data Subjects,” the 24-page paper covers topics like “controlled linkable data and the GDPR” and the “benefits of processing controlled linkable data.” [anonos.com] See also: Big Brother collecting big data — and in China, it’s all for sale

Canada

CA – Feds Need Help Tackling Cyberthreats, Internal Report Warns

The Canadian government is “simply not up to the overall challenge” of fending off cyberthreats on its own and must partner with the private sector and the United States to tackle the problem, warns a federally commissioned report on cyberthreat information-sharing protocols and policies in Canada and the United States obtained under the Access to Information Act. The report comes amid growing concern about damaging intrusions into computer systems that expose personal information, commercial secrets and sensitive government data — endangering everything from credit ratings to national security. The report, prepared for Public Safety Canada by consulting firm PricewaterhouseCoopers, found the government information-technology community is already overwhelmed with challenges such as aging systems and a move to cloud computing. [CNEWS]

CA – CSIS Assessing ‘Bulk Data’ Collection, Records Show

Canada’s domestic spy service has been trying to figure out ways of obtaining “bulk data” to better feed the holdings of its secretive analytics centre. A 2012 memo by the Canadian Security Intelligence Service speaks of an intelligence-agency pivot with profound implications for privacy and security. Details about the kinds of data being sought by CSIS, and even what exactly it considers bulk data to be, have not been disclosed. But the language used by the spy agency is reminiscent of other so-called bulk-data programs embraced by polarizing U.S. and British intelligence agencies since revealed to have been amassing records relating to the everyday transactions of millions of ordinary people. The Canadian government’s collection practices have never been revealed or debated publicly, even as the closest counterparts of CSIS now openly assert they need bulk data to function. The memo urged all of CSIS to figure out how to better contribute to holdings of the Operational Data Analysis Centre. This secretive facility, known as ODAC, was first publicly exposed by a scathing Federal Court ruling released in the fall of 2016. When the Federal Court of Canada exposed ODAC last year, it urged CSIS to stay mindful that “strictly necessary” is a term that remains the law. Parliament put this limitation on what records CSIS can collect to prevent “an overly expansive interpretation of the agency’s mandate,” the court said in a written ruling. The 14 specially cleared judges who approve CSIS intelligence officers’ wiretap warrants complained that no one ever told them about ODAC during its 10 year of operations. [Globe & Mail]

CA – Snowden Urges UW to Build Tools to Protect Privacy

Edward Snowden urged the University of Waterloo to help develop new technology to defend privacy, to fend off hackers and defeat the government surveillance that he exposed. A campus audience of more than 500 gathered in a theatre to watch him speak and hear his challenge. Snowden said hackers and watchers are using technology to go on the offence against vulnerable citizens who can’t defend their privacy. He’d like to see scholars and university students put their minds to turning that around. “The world needs you to come up with ideas of mixing these communications in ways that not only protects the content of communications … but it protects the fact that communications occurred at all.” Snowden made several Canadian references, about Montreal police spying on journalists, about Canada’s spy agency possibly spying on journalists, and about federal anti-terrorism legislation. The Record | Snowden inspires Waterloo audience]

CA – Clinic Video and Audio Recordings Unauthorized and Excessive: OIPC BC

The Office of the Information and Privacy Commissioner in British Colombia conducted an audit of a private medical clinic’s privacy management program, pursuant to the Personal Information Protection Act. The clinic had 8 cameras located throughout its facility (the lobby, hallways, back exits, workout room); patients, employees and others entering the clinic had not provided express or deemed consent for the surveillance (signage at the entrance was insufficient), there was no evidence monitoring/recording was necessary for safety, security or any other significant issue, and the personal information collected was used for purposes beyond security (liability protection, staff monitoring, internal loss auditing. [OIPC BC – Audit and Compliance Report P16-01 – Surveillance and Privacy Compliance in a Medical Clinic]

Consumer

WW – Microsoft Announces Privacy Updates for Windows 10

The Windows 10 Creators Update will include a “web-based privacy dashboard“ for users to better understand and control the information Microsoft collects on them. “From the page, Microsoft account holders will be able to clear their browser, Bing search and location activity,” along with digital assistant Cortana-saved information. “On the other side of the equation, Microsoft is trying to help people who install Windows with their data-sharing preferences, guiding them through virtually every data-sharing option, including location, speech recognition and diagnostics.” While the updates aren’t slated until spring 2017, Windows Insiders may download a beta version of the dashboard to test now. Coming later this year in the Windows 10 Creators Update is a reworking of the operating system-level privacy controls. The main thing these will do is to make the choice more explicit. As such, this moves the Windows 10 privacy settings from a model of tacit consent to explicit affirmation. Still missing, however, is the ability for most Windows users to disable telemetry entirely.  [Mashable | Ars Technica: Windows 10 Creators Update to Rejig Privacy Settings in a Move Unlikely to Please Anyone | Windows 10’s privacy settings will be simpler but more limited with Creators’ Update]

WW – The Future of Artificial Intelligence Becoming Top of Mind

A new $27 million fund is designed to promote research into artificial intelligence in the public interest. The Ethics and Governance of Artificial Intelligence Fund aims to support a “cross-section of AI ethics and governance projects and activities” in the U.S. and around the world. Meanwhile a supplementary paper from the World Economic Forum — which just released its Global Risks Report 2017 — raises concerns about weaponized AI, cyberattacks through internet-of-things devices, and the use of biotechnology. Researchers from Oxford University have released a report detailing how the General Data Protection Regulation could heavily impact the rollout of AI and machine learning. Separately, the European Parliament’s Legal Affairs Committee has urged the European Commission to create rules around the ethical use and liability of robotics. [TechCrunch]

E-Government

US – Minneapolis Settles More Lawsuits Over Snooping in Driver Database

The long list of lawsuits against Minnesota governments for employees improperly snooping into the state driver’s license database is slowly shrinking. A flood of lawsuits hit governments across the state several years ago after it became clear the state’s driver and vehicle services database was being misused. The database contains photographs, addresses and driving records of Minnesotans with a license. A number of those cases have been dismissed or severely narrowed by court decisions regarding the statute of limitations and which lookups will be considered improper. Minneapolis City Attorney Susan Segal said about a half-dozen cases remain active against the city, down from a peak of about 40. Some were settled. [Star Tribune]

E-Mail

CA – Private Right of Action under CASL Coming July 2017

Canada’s Anti-Spam Law came into force on July 1, 2014. Since then, all eyes have been on the CRTC for decisions concerning CASL violations. In the cases made public to date, monetary penalties or settlement payments have ranged from $48,000 to $1.1 million. Whatever steps Canadian and foreign companies have taken to date, 2017 will be the time to revisit CASL compliance. On July 1, 2017, the private right of action (PRA) comes into force under CASL. An individual or organization who is affected by a contravention may litigate to enforce the new private rights directly. While CASL does not expressly provide for class actions, it is broadly expected that such actions will be launched to permit large numbers of applicants (for example, the recipients of alleged spam) to pursue compensation as a group. Where the court finds a violation, it may order not only compensation for the applicant’s damages, but also monetary payments. When the court sets the amount to be paid, it must consider the purpose of the payment order – which “is to promote compliance and not to punish”, the nature and scope of the violation, the history of compliance, any financial benefit or compensation from the conduct, ability to pay, and “any other relevant factor”. CASL also provides for extended liability. Directors, officers, agents or mandataries of a corporation may be liable if they directed, authorized, assented to or participated in the contravention. Where an employee’s conduct in the course of his or her employment breaches CASL, the employer may be vicariously liable. [Privacy and Security Law | Why the Private Right of Action afforded by Canada’s Anti-Spam Legislation should concern Insurers who underwrite Risks in Canada | Strap on your Helmet …CASL: The summer of 2017 is going to be brutal | Related: Lessons Learned: E-Learning Company Faces $50K Spam Fine | CRTC Enforcement Advisory – Records to Show Consent | Privacy Law and Anti-Spam – Guidance from the Office of the Privacy Commissioner | Canada’s Anti-Spam Law: Not just for Canadians | CASL Applies to Software January 15 2015 | New CASL Compliance and Enforcement Guidelines |

Encryption

US – FBI Releases Censored Documents on San Bernardino Encryption Case

The FBI released 100 pages of highly censored documents covering its agreement with an anonymous vendor to hack into the iPhone used by one of the San Bernardino, California, shooters. The censored documents did not show the amount the FBI paid the vendor, the identity of the vendor, or the way the phone was unlocked. The information did include portions of the FBI’s nondisclosure agreement with the vendor and at least three inquiries from companies looking to create a product to unlock the phone. The three companies could not create the solution fast enough for the FBI to use. The records were produced in response to a federal lawsuit filed against the FBI by The Associated Press, Vice Media and Gannett under the U.S. Freedom of Information Act. [The Associated Press]

US – DARPA Announces Plans to Develop Data-Sharing Technology

The Department of Defense’s research branch, the Defense Advanced Research Projects Agency, has begun a project that would allow U.S. troops around the world to securely send and receive “sensitive information” from their own devices. “The program, dubbed SHARE, for Secure Handhelds on Assured Resilient networks at the tactical Edge, would be used on handheld devices, laptops or tactical radios.” “The vision of SHARE is to develop software that moves the multilevel security management function from a handful of data centers down to trusted, handheld devices on the tactical edge,” said DARPA’s Joe Evans. DARPA scheduled a Proposers Day for the initiative on Jan. 31. [ComputerWorld]

EU Developments

EU – EU Releases Proposed e-Privacy Regulation Repealing e-Privacy Directive

The European Commission officially released its proposed draft regulation concerning privacy in electronic communications – the Regulation:

  • enters into force on the 20th day following its publication in the Official Journal;
  • will apply from May 25, 2018; and
  • repeals the e-Privacy Directive from May 25, 2018.

The Regulation applies to OTT providers, does not contain any specific data retention provisions (Member States may create national targeted data retention frameworks, taking into account case-law of the Court of Justice on the interpretation of the ePrivacy Directive), and the Regulation imposes calling line identification requirements (including on calls to third countries originating in the EU and vice-versa); infringements can be subject to administrative fines (up to €20,000,000) or up to 4% of total worldwide financial turnover. [European Commission – Proposal for a Regulation of the European Parliament and of the Council Concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications and Repealing Directive 2002/58/EC (‘Regulation on Privacy and Electronic Communications’)

EU – Commission Proposes High Level of Privacy Rules

The Commission is proposing new legislation to ensure stronger privacy in electronic communications, while opening up new business opportunities. The measures presented today aim to update current rules, extending their scope to all electronic communication providers. They also aim to create new possibilities to process communication data and reinforce trust and security in the Digital Single Market – a key objective of the Digital Single Market strategy. At the same time, the proposal aligns the rules for electronic communications with the new world-class standards of the EU’s General Data Protection Regulation. The Commission is also proposing new rules to ensure that when personal data are handled by EU institutions and bodies privacy is protected in the same way as it is in Member States under the General Data Protection Regulation, as well as setting out a strategic approach to the issues concerning international transfers of personal data. The proposed Regulation on Privacy and Electronic Communications will increase the protection of people’s private life and open up new opportunities for business:

  • New players: 92% of Europeans say it is important that their emails and online messages remain confidential. However, the current ePrivacy Directive only applies to traditional telecoms operators. Privacy rules will now also cover new providers of electronic communications services, such as WhatsApp, Facebook Messenger, Skype, Gmail, iMessage, or Viber.
  • Stronger rules: By updating the current Directive with a directly applicable Regulation, all people and businesses in the EU will enjoy the same level of protection for their electronic communications. Businesses will also benefit from one single set of rules across the EU.
  • Communications content and metadata: Privacy will be guaranteed for both content and metadata derived from electronic communications (e.g. time of a call and location). Both have a high privacy component and, under the proposed rules, will need to be anonymised or deleted if users have not given their consent, unless the data is required for instance for billing purposes.
  • New business opportunities: Once consent is given for communications data, both content and/or metadata, to be processed, traditional telecoms operators will have more opportunities to use data and provide additional services. For example, they could produce heat maps indicating the presence of individuals to help public authorities and transport companies when developing new infrastructure projects.
  • Simpler rules on cookies: The so called “cookie provision”, which has resulted in an overload of consent requests for internet users, will be streamlined. New rules will allow users to be more in control of their settings, providing an easy way to accept or refuse the tracking of cookies and other identifiers in case of privacy risks. The proposal clarifies that no consent is needed for non-privacy intrusive cookies improving internet experience (e.g. to remember shopping cart history). Cookies set by a visited website counting the number of visitors to that website will no longer require consent.
  • Protection against spam: Today’s proposal bans unsolicited electronic communication by any means, e.g. by emails, SMS and in principle also by phone calls if users have not given their consent. Member States may opt for a solution that gives consumers the right to object to the reception of voice-to-voice marketing calls, for example by registering their number on a do-not-call list. Marketing callers will need to display their phone number or use a special pre-fix that indicates a marketing call.
  • More effective enforcement: The enforcement of the confidentiality rules in the Regulation will be the responsibility of national data protection authorities.

Source: European Commission – Press release | Stronger privacy rules for electronic communications – Questions and Answers | Communication on Exchanging and Protecting Personal Data in a Globalised World – Questions and Answers | Regulation on Privacy and Electronic Communications | Regulation on data protection rules applicable to EU Institutions | Communication on Exchanging and Protecting personal data in a globalised world | More information on ePrivacy | See also: IAPP.org | EU is failing to deliver Digital Single Market, says techUK | EU suggests certification schemes and codes of conduct could offer data transfer tools of the future, says expert | Plans for new e-Privacy Regulation published by European Commission | Facebook, Google face strict EU privacy rules that could hit ad revenues | New Notice and Consent Rules under Proposed EU e-Privacy Regulation | EU privacy proposal could dent Facebook, Gmail ad revenue]

EU – Hogan Lovells, Panthéon-Assas Create First DPO Degree Program

Panthéon-Assas University and Hogan Lovells have teamed up to create the first university degree for training Data Protection Officers under the General Data Protection Regulation. The program will include courses in law, cybersecurity, data analytics, management, and ethics, and will be taught by faculty including law school professors, practicing DPOs, information security specialists, lawyers CNIL regulators, and representatives from major companies, such as Google and Microsoft. [HL Data Protection]

EU – Every French Citizen Presumed to Be Organ Donor Under New Law

France has passed a law making every citizen an organ donor, unless they opt out by registering with a national refusal registry. The presumed consent law, which came into effect on Jan. 1, was passed in hopes of increasing organ and tissue donation. According to France’s national agency for biomedicine, individuals who do not wish to be an organ or tissue donor can either officially register their refusal or express their wishes to family who will be consulted before a donation is made. According to The Guardian, in a matter of one day, 150,000 citizens signed up for the refusal registry. In Canada, organ donation registration is managed provincially or territorially. Registration in Saskatchewan is the lowest in the country with less than one per cent of the province’s eligible residents having registered. In November, Saskatchewan Premier Brad Wall sought to implement the presumed consent model. The province’s Standing Committee on Human Services opposed the plan, but provincial Health Minister Jim Reiter said last month that they were still hoping to pass presumed consent in the province. Ronnie Gavsie, president and CEO of Ontario’s organ donation agency, Trillium Gift of Life, said presumed consent seems like a silver bullet but research shows it’s not. Citing Spain and Singapore as examples of where presumed consent alone didn’t have a dramatic impact on donation rates, Gavsie said implementing better policy and infrastructure to encourage more organ donation has seen increased rates. In Ontario, 30% of eligible donors are registered, up from around 24% in the last five years. Gavsie said new data being released in the next few months indicates a positive trajectory year over year. [Global News]

UK – Report: Children Do Not Comprehend Privacy Policies, Terms of Service

A report from the U.K. Children’s Commissioner revealed young internet users do not understand the privacy policies and terms of service of the social networks they join. Schillings law firm partner Jenny Afia rewrote the terms of service for Instagram in child-friendly language for the report. “One-third of internet users are children, but the internet wasn’t created for children,” Afia said. The report found the only people who could properly comprehend Instagram’s terms of service were people who had postgraduate levels of education. The report offered several suggestions, including rewriting the General Data Protection Regulation in terms children can understand and offering a “digital citizenship” program to teach young children about protecting their privacy online. [Quartz]

UK – Advocacy Group Spearheads Crowdfunding Campaign Against Investigatory Powers Act

Civil liberties group Liberty has started a CrowdJustice funding campaign to fuel a U.K. High Court challenge of the Investigatory Powers Act. Liberty takes particular umbrage with the act’s provision allowing internet service providers to log users’ internet use, calling the records “a goldmine of valuable personal information for criminal hackers and foreign spies.” The group has further called for the High Court to review the act’s “bulk interception, bulk hacking and bulk personal data sets… We’re very confident the High Court will rule that the powers we’re challenging are unlawful,” said a Liberty spokeswoman, who added that depending on the courts, the group could have a decision within the year. [TechCrunch]

EU – Paper Shows EU Affection for New Data-Transfer Mechanisms

Pinsent Masons’ Marc Dautlich has argued that a newly released paper from the European Commission indicates “the EU body’s appetite for new mechanisms for transferring personal data to emerge from certification schemes and codes of conduct provided for by the General Data Protection Regulation.” “Dautlich said that legal uncertainty over the future of some data transfer tools, including to EU model contract clauses, could help encourage the development of alternatives based on GDPR certification schemes and codes of conduct.” He added that a way for organizations to “engage and exercise some control over their international data transfers” is to embrace certification schemes and codes of conduct as ways to establish “more legal certainty over such transfers.” [Out-Law.com]

EU – Commission Unsatisfied With US Reasoning for Yahoo Email Scanning

After asking for clarification on the matter, the European Commission is not satisfied with the U.S. government’s explanation of Yahoo’s email scanning practices for intelligence purposes. The U.S. promised not to participate in bulk surveillance in order to secure the EU-U.S. Privacy Shield. “While Yahoo is not signed up to the Privacy Shield and the scanning took place before the framework existed, the issue is a first test case of how the new system and the U.S. commitments on spying work in practice.” “I am not satisfied because to my taste the answer came relatively late and relatively general, and I will make clear at the first possible opportunity to the American side that this is not how we understand good, quick and full exchange of information,” said EU Justice Commissioner Věra Jourová. [Reuters]

EU – European Commission Clarifies Ad Blocker Detection’s Legality

In a proposed reform of Europe’s privacy law, the European Commission has said that websites’ detection of ad blockers is legal. “To combat the rise of ad blocking technology, which stops online adverts from showing up on websites, many publishers have opted to ban users who refuse to see advertising.” Previously, the move was largely seen as living in a “legal gray area.” EU digital policy head, Andrus Ansip, acknowledged the move might irk privacy advocates and those “people who want free access and couldn’t care [about] editorial costs,” he said. “But legal clarity is needed.” Publishers were pleased with the announcement. “It is vital that we retain the right to protect our content from those who wish to circumvent that value exchange,” said Dennis Publishing Chief Technology Officer Paul Lomax. [Financial Times]

EU – Draft German Law Pushes Private Video Surveillance in Public Areas

The German Government has presented a draft law that facilitates video surveillance for private operators of public areas and public events. The Federal Data Protection Law will be amended to introduce a legal basis for video surveillance. According to the draft law, the protection of life, health and freedom shall be regarded as a “particularly important public interest” that allows video surveillance. Private operators will not be obliged to install cameras. However, the government hopes that they will make more use of them. The German Association of Judges considers that the draft law conflicts with the German Constitution. [Global IP & Privacy Law Blog]

Finance

Study: Online Debt Lists Often Go Unencrypted

A Consumer Financial Protection Bureau study has found that lists of debts sold online to “would-be collection companies” are easily available and often unencrypted, including personal information like Social Security numbers and birthdates and other sensitive personal information of the purported debtors. “The Bureau is working to clean up abuses in this industry, and to see that all consumers are treated with fairness, decency, and respect,” CFPB Director Richard Cordray said. The study “expands public understanding of debt collection in the U.S. by providing the first comprehensive and nationally representative data on consumers’ experiences with a multibillion-dollar industry that includes more than 6,000 collection companies.” The bureau will host an event on debt collection in Washington this week. [USA Today]

FOI

CA – Nova Scotia’s New FOIPOP Website Welcomed, but ‘Systemic Problems’ Persist: Critics

Nova Scotia is making it easier for people to request and access government information. The government launched a new website with a warm welcome from people who make those requests but critics say more needs to be done to improve transparency. When requests are fulfilled, the applicants’ materials will be posted on the website after seven calendar days for anyone to access. The materials will stay on the website for three years. “These changes are cosmetic in nature, they’re positive, but they’re a small step forward,” said Kevin Lacey, Atlantic director for the Canadian Taxpayers Federation. [Global News]

CA – $180K for GTH Documents ‘Excessive’ and ‘Unreasonable’ –OIPC SK

Saskatchewan’s Information and Privacy Commissioner has rebuked the provincial government for demanding $180,000 for documents about the Global Transportation Hub land deal. In reports directed to each agency, commissioner Ron Kruzeniski concluded “this excessive fee was an unreasonable barrier to access.” In March, CBC filed 13 requests to the ministry and 15 to the GTH related to various aspects of the GTH land deal. Both agencies responded by lumping all the requests together and assessing the massive fee. Kruzeniski found they had “inappropriately issued one estimate of costs to respond to the applicant [CBC].” [CBC | Privacy commissioner calls for GTH land deal documents to be released; province not compelled to do so | Is the Sask. government hiding stuff behind huge info fees? | GTH won’t release land deal appraisal because it could ‘harm the reputation’ of preparer Province worried disclosure of appraisal could affect government negotiations

Genetics

CA – Life Insurers to Limit Genetic Test Disclosure

Canada’s life insurance industry has announced new measures aimed at protecting consumers from genetic discrimination. Insurance companies have agreed to a voluntary pledge stating they will no longer ask individuals applying for life insurance up to $250,000 for genetic testing information, or incorporate any information from previous genetic tests. The companies may still use tests for any person applying for higher amounts, but won’t inquire for results if the tests were done for medical purposes. Advocates for a federal bill (Bill S-201) making genetic discrimination illegal say the insurance industry’s pledge doesn’t go far enough and will still make citizens vulnerable to insurers, employers and other entities who may discriminate based on genetic testing results. [The Globe and Mail] [The Canadian Press]

Health / Medical

US – OCR Announces First HIPAA Settlement for Untimely Data Breach Reporting

The U.S. Department of Health and Human Services’ Office for Civil Rights announced Presence Health will pay $475,000 for the first HIPAA settlement based on the untimely reporting of a data breach involving unsecured protected health information. Presence Health sent a breach notification to the OCR in January 2014 stating it had discovered paper-based operating room schedules containing the PHI of 836 individuals had gone missing in October 2013. An OCR investigation found Presence Health did not notify the affected individuals, prominent media outlets, and the OCR within 60 days of discovering the breach. “Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements” said the OCR Director. [Full Story]

US – OCR Releases FAQ Clarifying PHI Disclosures Within HIPAA Privacy Rule

The U.S. Department of Health and Human Services’ Office for Civil Rights released a FAQ clarifying aspects of personal health information disclosure policies with patients’ family members and other loved ones under the HIPAA Privacy Rule. The release of the FAQ is partially a response to the confusion surrounding the disclosure of health information following the 2016 Pulse nightclub shooting in Orlando, Florida. “In either circumstance, the person can be a patient’s family member, relative, guardian, caregiver, friend, spouse, or partner,” the FAQ reads. “The Privacy Rule defers to a covered entity’s professional judgment in these cases and does not require the entity to verify that a person is a family member, friend, or otherwise involved in the patient’s care of payment for care.” [HealthITSecurity]

US – Court Rules Reporting Patients Who View Child Porn Does Not Violate Privacy

An appellate court ruled a California law mandating psychotherapists report patients looking at internet child pornography is not a violation of patients’ privacy. The ruling also covers teenagers involved in any form of sexting. “The privacy interest of patients who communicate that they watch child pornography is outweighed by the state’s interest in identifying and protecting sexually abused children,” Division Two of the Second Appellate District ruled. The ruling came after several counselors aimed to block the Child Abuse and Neglect Reporting Act. CANRA required certain professionals to report any patients who made or exchanged child pornography. In 2014, the law was updated to include downloading child porn electronically. While the counselors said the act would scare off patients needing treatment, the three-judge panel said patients cannot expect privacy rights to cover child pornography, as viewing the material is illegal. [Courthouse News]

US – Joint Commission Reinstates Ban on Physicians Texting Patient Orders to Hospitals

The Joint Commission, which accredits and certifies healthcare organizations and programs in the US, issued a statement reinstating its ban on the use of text messaging to send healthcare orders. Privacy and security concerns remain about transmitting text orders even when a secure text messaging system is used; health care organizations should immediately suspend the process and revise their policies and procedures to prohibit the use of unsecured text messaging (computerized provider order entry systems remain the preferred method for electronically transmitting patient care orders. [TJC – Clarification – Use of Secure Text Messaging for Patient Care Orders is Not Acceptable | MWE.com]

US – FDA Discovers Security Vulnerabilities in St. Jude Health Tech

The U.S. Food and Drug Administration has discovered cybersecurity vulnerabilities in St. Jude Medical’s implantable cardiac devices and its Merlin@home Transmitter, the agency reports in a safety communication. After FDA review, the agency “confirmed that these vulnerabilities, if exploited, could allow an unauthorized user, i.e., someone other than the patient’s physician, to remotely access a patient’s RF-enabled implanted cardiac device by altering the Merlin@home Transmitter… The altered Merlin@home Transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks.” While no reports of manipulated devices exist, St. Jude issued a patch to fix the technology’s vulnerabilities. [FDA.gov]

Horror Stories

US – 900 GB of Cellebrite Data Stolen and Released

Hackers have accessed and released 900 GB of data from Cellebrite, a “mobile phone hacking” company “popular with U.S. federal and state law enforcement” and potentially with governments like Russia and Turkey. The released information includes customer data, databases and information on Cellebrite’s products, and some appears to be from servers related to the company’s website. “The breach is the latest chapter in a growing trend of hackers taking matters into their own hands, and stealing information from companies that specialize in surveillance or hacking technologies.” After Motherboard informed Cellebrite of the breach, the company launched an investigation and advised Cellebrite users to change their passwords as a precaution. [Motherboard]

US – Big Law, Big Data, Big Problem

2016 was the year that law firm data breaches landed and stayed squarely in both the national and international headlines. There have been numerous law firm data breaches involving incidents ranging from lost or stolen laptops and other portable media to deep intrusions exposing everything in the law firm’s network. Law firms are warehouses of client information and how that information is protected is being increasingly regulated and scrutinized. Annually, the ABA conducts a Legal Technology Survey (Survey) [see here] to gauge the state of our industry vis-à-vis technology and data security. The Survey revealed that the largest firms (500 or more attorneys) reported experiencing the most security breaches, with 26% of respondents admitting they had experienced some type of breach. This is a generally upward trend from past years and analysts expect this number only to rise. This is likely because larger firms have more people, more technology and more data so there is a greater exposure surface and many more risk touch-points. The 2016 Survey shows that while many law firms are employing some safeguards and generally increasing and diversifying their use of those safeguards, our industry may not be using common security measures that other industries employ. [Polsinelli on Privacy | Chinese hackers of NY law firms charged | Chinese Traders Charged With Trading on Hacked Nonpublic Information Stolen From Two Law Firms | U.S. Charges Three Chinese Traders With Hacking Law Firms | Chicago Law Firm Accused of Lax Data Security in Lawsuit | Chicago’s Johnson & Bell First US Firm Publicly Named in Data Security Class Action | Law Firms’ Security Cross-Examined | Exclusive: China Stole Data From Major U.S. Law Firms]

Identity Issues

US – REAL ID Warning Signs Appear at Airports

Signs are sprouting up at many airports to alert travelers that beginning Jan. 22, 2018, the Transportation Security Administration will begin strict enforcement of the REAL ID requirements at airport security checkpoints. As it does now, TSA will continue to accept alternate forms of ID at airports, such as a passport, military ID or permanent resident card. But next year, driver’s licenses and state-issued ID cards from the nine states that don’t yet have REAL ID-compliant driver’s licenses and IDs — Kentucky, Maine, Minnesota, Missouri, Montana, Oklahoma, Pennsylvania, South Carolina and Washington — won’t be accepted. While DHS emphasizes that REAL ID “is a national set of standards, not a national identification card,” opponents argue that the act creates a national identity card and allows the federal government to gather and store too much personal information. Citing costs and other issues associated with implementing the standards, many states have opposed the REAL ID Act as well. [USA Today | Our Opinion: Maine shouldn’t cave on Real ID law | DHS: Even-handed Enforcer or Punisher of Select States? | Feds Ramp Up REAL ID Bullying Tactics | Yes, Michael, REAL ID Is a Nationwide Data-Sharing Mandate | REAL ID, Rumor Control, and You] See also: [Power Arrangements in Identity Systems]

Internet / WWW

WW – ‘Datak’ Online Game Looks to Educate Players On Data Privacy

Radio Télévision Suisse has released “a serious game about data protection and privacy” in four languages on its website. The game, “Datak,” looks to “raise awareness of data collection in all areas of life and how it is used,” Radio Télévision Suisse said. The goal is to provide an educational tool but more importantly a fun and informative game that raises awareness without lecturing,” said On en Parle’s Julien Schekter. The online game is recommended for players ages 15 and up, and additionally doesn’t collect users data, Radio Télévision Suisse said. [Infomaniak]

Law Enforcement

CA – Street Checks by Halifax Police Are Unacceptable Says Privacy Lawyer

On Monday, Halifax Regional Police (HRP) released the preliminary analysis of data on “street checks” by patrol officers from 2005-2016. This came as a direct result of an investigative article by CBC, which found black people are three times more likely to be stopped by police in HRM than white individuals. [Halifax privacy lawyer David] Fraser says he was impressed to see HRP’s research coordinator, Chris Giacomantonio, taking a closer look at street checks. Still, he sees the practice as “inherently coercive” if police aren’t advising people that they don’t have to go along with it. He compares the issue to the act of “carding” in Toronto, as well as the more invasive “stop-and-frisk” practices in New York. Although HRP chief Jean-Michel Blais insisted during and after Monday’s board of police commissioners’ meeting that the cases in Halifax and Toronto aren’t the same, Fraser doesn’t see much of a difference. [The Coast | Tory MLA demands Alberta government stop police carding | City police reviewing street data collection amid civil liberties concerns over “carding” | Police stops based on racial profiling a reality, say Calgarians | Support for ‘bold’ Black Lives Matter carding data proposal | Trump Would Expand Stop-and-Frisk Program to Inner Cities Across U.S. | Donald Trump Embraces Wider Use of Stop-and-Frisk by Police | DNA Dragnet: In Some Cities, Police Go From Stop-and-Frisk to Stop-and-Spit ]

CA – Ontario Police Force May Post Names of Alleged Drunk Drivers Online

A major southern Ontario police force is considering naming and shaming alleged impaired drivers on social media, following one of the worst years on record for such offenses and few signs that current efforts will be sufficiently effective in 2017. York Regional Police tweeted about the possible policy change on Monday, following the arrest of a driver found passed out at the wheel in the middle of a busy intersection. “We’ve been discussing posting the names of all charged with impaired driving,” the force tweeted. “More to follow on that one” Impaired driving charges have been on the rise in the region north of Toronto for the past five years. While the practice of identifying those facing criminal charges online is by no means new, York Regional Police Const. Andy Pattenden said individuals charged with impaired driving offences would be listed on a separate page for 30 days and their names would be made public on social media. The strategy would also take aim at those who breach the automatic 90-day licence suspension that comes with an impaired driving charge in Ontario. York Region isn’t the first police force to put an extra spotlight on alleged impaired drivers. Const. Pattenden said Niagara Regional Police Service and Durham Regional Police Service, as well as other in the province, have implemented similar strategies. [CTV News]

Location

US – Uber Makes Urban Traffic Data Available to City Officials, Researchers

As more cities seek access to Uber’s data, the ride-hailing company announced it is making its urban traffic data accessible to city officials and researchers, with future plans to make the information available to the public. Officials can access the data on a website called Uber Movement, allowing users to access Uber’s large amount of traffic information. Uber posted blog entries designed to show the ways urban planners and city officials can use the company’s data. Uber ensured all the information on the website will be private. The data will not include individual rides, but rather the travel times between specific locations. In areas where trips are not prevalent, maps will be grayed out to protect consumer privacy. [The Hill]

Online Privacy

US – TV Anchor Says Live On-Air “Alexa, Order Me A Dollhouse” – Guess What Happens Next

A San Diego TV station sparked complaints after an on-air report about a girl who ordered a dollhouse via her parents’ Amazon Echo caused Echoes in viewers’ homes to also attempt to order dollhouses. Telly station CW-6 said the blunder happened during a morning news package about a Texan six-year-old who racked up big charges while talking to an Echo gadget in her home. According to her parents’ Amazon account, their daughter said: “Can you play dollhouse with me and get me a dollhouse?” Next thing they knew, a $160 KidKraft Sparkle Mansion dollhouse and four pounds of sugar cookies arrived on their doorstep. During that story’s segment, a CW-6 news presenter remarked: “I love the little girl, saying ‘Alexa ordered me a dollhouse’.” That, apparently, was enough to set off Alexa-powered Echo boxes around San Diego on their own shopping sprees. The California station admitted plenty of viewers complained that the TV broadcast caused their voice-controlled personal assistants to try to place orders for dollhouses on Amazon. Voice-command purchasing is enabled by default on Alexa devices. [The Register] See also: [Servant or spy? Law enforcement, privacy advocates grapple with brave new world of AI assistants]

CA – Experts Divided on Social Media Surveillance

Experts are divided on whether actions taken against Media Sonar of London, Ont. [losing access to Twitter], were justified, but are united in the view that the case highlights the elusive balance between public safety and basic privacy rights. Media Sonar touts its social media monitoring software and algorithms as ideal tools for police and corporations to aggregate and filter data to improve safety and protect corporate assets. Twitter cut off the company’s access to its application program interface (API), saying its policies explicitly state that no third party can make use of Twitter data for surveillance purposes. [Waterloo Record | Twitter cuts off third surveillance firm for encouraging police to spy on activists | How Despots Use Twitter to Hunt Dissidents | Police Searches Of Social Media Face Privacy Pushback | Facebook, Instagram, Twitter block social media tool Geofeedia over protest surveillance | Police Use Surveillance Tool to Scan Social Media, A.C.L.U. Says | Facebook, Instagram, and Twitter Provided Data Access for a Surveillance Product Marketed to Target Activists of Color | Social media companies rescind access to Geofeedia, which fed information to police during 2015 unrest | Facebook, Instagram, Twitter Block Tool For Cops To Surveil You On Social Media

US –FTC Study Examines Depths of Cross-Device Tracking

In a paper penned by the FTC Office of Technology Research and Investigation (OTech for short) [see FTC PR here], it was revealed that the majority of Alexa’s 100 most popular websites have policies that reserve the right to allow for third-party tracking and data collection, including browser data. According to the findings only three of the 100 sites tested linked to a privacy policy that clearly acknowledge enabling third-party cross-device tracking. [Read the full report here.] While the report acknowledged several benefits related to cross-device tracking – saving credit card information, past purchase history, shipping information, et cetera – it’s also possible for companies to match cross-device data to offline data without the consumer being aware. Privacy policies were resoundingly mum on whether this was happening or to what extent. [AdExchanger | Advertising Age | FTC’s Cross-Device Study Reveals Opacity of Data-Sharing Practices]

Privacy (US)

US – LabMD Files Review Petition Against Data Breach Allegations

LabMD filed a petition for review on December 27, 2016, following a U.S. federal appeals court granting a stay of an FTC order in the continuing battle between the two parties over data breach allegations. The U.S. Court of Appeals for the 11th Circuit ruled that there was a low possibility of consumer risk or injury from the emotional harm and acts from the security issue. Additionally, the judges maintained that the FTC claims of “unfairness” did not meet the standards of the law that the agency was citing. In its petition for review, LabMD claimed that there had been “significant issues of statutory and constitutional interpretation” from the FTC. The agency overstepped its bounds in authority and “destroyed a small medical testing company.” The agency also did not prove that the document exposure was in any way connected to LabMD being able to “reasonably protect data maintained on its computer network” and it was not proven if those documents were even maintained on or taken from the network. The judge added that the “probability” that a health data breach would occur due to LabMD’s action was not proven. [Health IT Security | FTC Overstepped Data Security Authority: Appeal Briefs | Leaders from medical, business, tech rally around LabMD appeal of FTC ruling | LabMD’s 11th Circuit FTC Appeal: The Opening Shot | LabMD challenges scope of FTC’s cyber authority | The FTC Faces an Embarrassing Set-Back in its Data Security Enforcement Authority as the LabMD Saga Continues | LabMD Presses Appeals Court on FTC Data Security Case | Did the FTC Just Rewrite its Statute? What LabMD Means for Data Security Cases Going Forward]

US – U.S. Promotes Risk-Based Data Breach Response Model

The exiting Obama administration has embraced a risk-based approach to data breach preparation and mitigation for federal agencies in an Office of Management and Budget memorandum Although aimed at agencies, official OMB guidance carries weight in the private sector. The endorsement of a risk-based approach is an acknowledgment that breaches are inevitable and resources should be directed at where the risk of breaches are more likely, the cybersecurity pros said. In addition, the report supports efforts to limit breach notices. The OMB Jan. 3 memo to federal agencies’ senior privacy officials outlined a “framework for assessing and mitigating the risk of harm to individuals potentially affected by a breach as well as guidance on whether and how to provide notification and services to those individuals.” The OMB memo said that agencies should assess “whether and when to notify individuals potentially affected by a breach.” Agencies should “balances the need for transparency with concerns about over-notifying individuals” as notifications may not always be helpful. [BNA.com | OMB Publishes Memorandum on Responding to Data Breaches | White House Issues Data Breach Guidance for Federal Agencies | White House issues gov’t-wide breach notification protocols]

US – Labor Department Sues Google Demanding More Detailed Employee Data

The U.S Department of Labor is suing Google to obtain more detailed employee compensation data, but the Web giant says the agency’s demand is too broad and would reveal personal information. The request for the “compensation snapshot” was sent in September 2015 and Google was supposed to have responded with the data by June 2016. The requested information included job and salary history for certain employees including their starting salaries, starting job levels, starting organization within Google and all changes to their jobs and salaries since being hired by the company. In a statement, the company denied that it was resisting the government’s request to turn over the data to the Department of Labor and said that its actions were based on the fact that the requested data was far too broad and intrusive. [eWeek]

US – D-Link Fights Back Against ‘Baseless’ Data Security Lawsuit

Suing companies for the potential of a data security breach would stifle IoT innovation, the firm representing D-Link against the FTC’s lawsuit has argued. Cause of Action Institute has announced that it will be defending D-Link against the FTC’s “unwarranted and baseless” lawsuit claiming that the technology company put thousands of customers at risk of unauthorised access by failing to secure its IP cameras and routers. [See here ] The FTC should not be able to “bring a lawsuit on the mere potential of a data security breach”, Cause of Action Institute assistant VP Patrick Massari argued, as this would stifle innovation and uptake of the Innovation of Things (IoT). “This lawsuit is another instance of the FTC’s unchecked regulatory overreach nearly every company will be subject to unconstrained and unexplored data security liability. Such limitless liability coupled with FTC’s history of unrelentingly litigious oversight will no doubt have a chilling effect on innovation in the Internet of Things.” D-Link Systems chief information security officer William Brown said the company is committed to fighting the FTC’s “false allegations” alongside Cause of Action Institute, which also represented LabMD in its successful data security suit against the FTC in 2015. [ZDNet | FTC vs D-Link: The legal risks of IoT insecurity | FTC sues D-Link for ‘insecure’ routers and IP cameras | FTC Charges D-Link Put Consumers’ Privacy at Risk Due to the Inadequate Security of Its Computer Routers and Cameras | FTC IoT privacy and security push points out D-Link router and webcam flaws | D-Link Calls The FTC’s Router And IP Camera Security Allegations ‘Baseless’ | The FTC Brings Section 5 Charges Against Internet-of-Things Companies]

WW – Your Data Is Being Held for Ransom. Now What?

Ransomware is an old topic in information security circles. Attackers have been hijacking computers and holding files hostage for years now, typically demanding that ransom be paid in bitcoins. Some might expect that a majority of people are well aware of the threat by now and that they’re taking the appropriate precautions. It’s therefore reasonable to assume that online thieves have moved on to new tactics. Sadly, according to a survey Sophos recently conducted, that’s not the case. According to a survey Sophos recently conducted [which asked 1,250 consumers in five countries about their biggest safety fears, where they sought advice for keeping their computers safe and how much they know about ransomware and other malware.] Consumers still feel in the dark about how ransomware works and how to guard against it. One of the toughest questions is what to do if your data is in fact hijacked. Do you pay the crooks or tell them to take a hike? As always, the best defense is not to get infected in the first place, so we’ve published a guide entitled How to stay protected against ransomware that we think you’ll find useful. [Naked Security] [Extortionists Wipe Thousands of Databases, Victims Who Pay Up Get Stiffed]

US – More States Moving to Include Usernames & Email Addresses as PII

A key issue in determining whether notification is required following a data breach is whether “personal information” (PI) was acquired by an unauthorized person. US states vary significantly in defining what information qualifies as PI. Some data breach notification statutes have been expanding the definition of PI, by adding usernames and email addresses. Illinois, Nebraska, and Nevada are the latest Three other states (California, Florida, and Wyoming) had previously enacted laws mandating that either a username or email address constitutes PI when combined with a password or security question and answer that would permit access to an online account. Private and government entities should also be aware that different jurisdictions apply varying standards to the collection of such information. Under European and many other international data privacy laws, PI includes any information that identifies an individual or from which an individual can be identified when aggregated with other information. [Lawfish]

US – States Making Lists of Breached Companies Public

All but three U.S. states require organizations that experience security breaches affecting their residents to report those breaches. While this information is available if people know to ask for it, four states – California, Indiana, Washington, and Massachusetts – have begun making the information publicly and freely available. [Wired: A Few States Now Actually Help You Figure Out if You’ve Been Hacked]

US – Cybersecurity Law Initiative Opens at GW Law

The George Washington University Law School has announced its Cybersecurity Law Initiative. The initiative aims “to bring together the law school’s nationally recognized strengths with expertise from across the university.” Located in Washington, it hosts “regular events on cybersecurity law and technology that are open to GW students as well as members of the public.” Directed by Orin Kerr, affiliated faculty include Daniel Solove and Jeffrey Rosen. [law.gwu/edu]

RFID / IoT

US – Montana Bill Prohibits Government Use of License Plate Scanners

Montana introduced House Bill No. 149, amending Montana Code Annotated Title 46, Chapter 5, Part 1 and relating to the use of license plate scanners by State and local government. Exemptions to the prohibition include use of a scanner for planning purposes (subject to anonymisation of vehicle, owner and passenger identity), state regulations concerning weight requirements for vehicles at ports of entry and weight stations, or on the State’s own vehicles; the data may only be accessed by a state employee for the purpose of providing customer service or necessary government statistical, administrative, or legal activities, and may only be retained for a maximum of 18 months. [House Bill No. 149 – An Act Generally Prohibiting the Use of a License Plate Scanner by the State or a Local Government – 65th Legislature, Montana]

EU – ENISA Issues Assessment Criteria for Privacy Enhancing Technologies Used in Online and Mobile Applications

The European Network and Information Security Agency (“ENISA”) has issued a paper on parameters that can be used to assess privacy enhancing technologies for secure messaging applications. The criteria aim to provide a general understanding of how applications take user privacy and security into consideration through assessment of maturity and stability (maintenance, community support, audits/reviews), usability (difficulty of use, personal data when installed, user support), privacy policy implementation (types of data stored, number of times data is accessed, profiling), secure messaging (type of encryption used, security of stored data, user/client server/message authentication), anti-tracking tools (mechanisms used, data recipients, known performance issues), and VPNs (firewalls/kill switches used, type of logs used, protection/mitigation methods). [ENISA – PETs Controls Matrix – A Systematic Approach for Assessing Online and Mobile Privacy Tools]

EU – Institutions Should Ensure Applications Processing Personal Data Comply with Data Protection Principles

The European Data Protection Supervisor issued guidelines on protection of personal data in mobile devices developed and provided by EU institutions. Assessments should be done prior to use of mobile applications, taking into account the nature of the personal data to be processed, specific risks identified, and targeted data protection/security features of the operating system; users should be provided with an easily accessible and high visible layered notice, and must provide specific, freely given consent before installation of the applications, data collected and/or transferred must be strictly necessary, and appropriate risk and vulnerability management processes must be implemented. [EDPS – Guidelines on Protection of Personal Data Processed By Mobile Applications Provided by EU Institutions]

Security

CA – Survey: Organizations Overconfident in Cybersecurity Efforts

An Accenture survey found 65% of cybersecurity and IT executives in Canadian organizations are confident their cybersecurity efforts produce valuable results, but the professional service companies says security pros should not be as assured. Of the 124 respondents, more than three-quarters feel their top strategies are achieving desired business outcomes, but one-third also said they have discovered successful data breaches in the last 12 months. The results indicate “that (Canadian) companies have become and remain complacent,” Accenture’s Canadian Cybersecurity Lead Russell Thomas said. “There’s an over-confidence in the marketplace… We really need a wake-up call. Companies need to pay attention to security. Security is at the heart of systems today, supporting an enabling secure business and trusting business.” [IT World Canada]

US – Cyber-Risk Oversight Guide Aims to Inform Boardroom Decisions

The National Association of Corporate Directors at a press conference in Washington yesterday released guidance for directors struggling to manage cyber risks in the boardroom, Angelique Carson reports. Government officials from the Department of Justice and Department of Homeland Security joined the Internet Security Alliance and the NACD in releasing the “Director’s Handbook on Cyber-Risk Oversight,” and took the opportunity to encourage private-sector businesses to collaborate with the government before a data incident occurs. “Opening the kimono is not just good for one entity, but for everyone involved,” said Danny Toler, acting assistant secretary for cybersecurity and communications at DHS. [The Privacy Advisor]

Surveillance

US – NSA Given Expanded Power to Share Intercepted Communications

The Obama administration has given the National Security Agency expanded power to share globally intercepted personal communications with the other 16 government agencies before any privacy protections are implemented. Privacy advocates are concerned the move will harm the rules in place to protect the privacy of American citizens. “Rather than dramatically expanding government access to so much personal data, we need much stronger rules to protect the privacy of Americans,” American Civil Liberties Union lawyer Patrick Toomey said. “Seventeen different government agencies shouldn’t be rooting through Americans’ emails with family members, friends and colleagues, all without ever obtaining a warrant.” [The New York Times] See also: Best Buy technicians flagged customers’ computers with signs of child porn for FBI, lawyers say.

WW – Researchers: China Knows What Citizens Are Doing at ‘Micro Level’

Researchers from the Citizen Lab at the University of Toronto’s Munk School of Global Affairs contend there is a network inside China’s “Great Firewall” designed to collect information on hundreds of millions of individuals everyday in addition to private and state-owned organizations designed to exploit such data. The lab has used popular messaging apps like WeChat, which serves more than 800 million people in China. Citizen Lab’s Ronald Deibert said Chinese authorities “have a wealth of data at their disposal about what individuals are doing at a micro level in ways they never had before.” He adds, “What the government has managed to do, I think quite successfully, is download the controls to the private sector, to make it incumbent upon them to police their own networks.” [CBC News]

US – Oakland Privacy Commission Passes First-of-Its-Kind Surveillance Ordinance

A local privacy committee has sent a proposed surveillance oversight ordinance to the city council. This is a rare example of a major American city set to impose stricter controls on the acquisition, use, and evaluation of spy gear. The “Surveillance and Community Safety Ordinance“ unanimously passed out of Oakland’s Privacy Advisory Commission, formally moving it to the Oakland City Council. Passage of the ordinance was roundly applauded by local civil liberties advocates and legal scholars, some of whom spoke at the meeting. For years, American cities have often accepted federal, state, or regional grant money to obtain various surveillance equipment for their local law enforcement agencies. Lawmakers often don’t ask questions as to how and in what circumstances such gear will be used, neither do they typically evaluate after the fact whether those tools have been actually effective in reducing crime. Catherine Crump, a law professor at the University of California, Berkeley, and a former ACLU attorney, told the commission that the ordinance it has drafted “is thorough, clear, comprehensive, and has the potential to be adopted nationwide.” The draft ordinance may still be subject to minor changes before being adopted by the city council, particularly as to how it will be enforced. [Ars Technica | Oakland Privacy Commission Holds Hearing on ‘Stingray’ Cell Phone Surveillance Devices | Committee vote on police heat sensors signals cooperation between police, privacy activists | We know where you’ve been: Ars acquires 4.6M license plate scans from the cops | Oakland Poised to Lead in Protecting Privacy]

US – Baltimore Police Use Military Technology to Secretly Track You

When protesters took to the street after police shot and killed Michael Brown in Ferguson, Missouri, they were greeted by law enforcement in full body armor, flanked by armored vehicles. In the two and a half years and countless shootings since, militarized police have become an all too familiar sight. In response, citizens have overwhelmingly begun to film these interactions on their smartphones, making the technology the eyes of our nation. But as we watch the police, they also watch us – only they don’t use an iPhone. Often, they use military grade surveillance equipment that gives them a much broader view than simple cell phone cameras ever could. “They view people as enemy combatants,” says activist, as cops adopt surveillance, tracking, facial recognition programs designed for war zones. The city of Baltimore has, in many ways, become ground zero for the military surveillance technology that is slowly making its way from the battlefields into the hands of police departments across the country. The Baltimore Police Department has used surveillance technology such as large-scale aerial surveillance, advanced cell phone tracking and facial recognition technology on Baltimore’s citizens, yet these technologies have had little to no oversight from city government, and most have a disproportionate impact on communities of color. Examined together, these surveillance technologies demonstrate an extended record of secret surveillance by the Baltimore Police Department. [RollingStone | Baltimore surveillance plane documents reveal ignored pleas to go public, who knew about the program, and differing opinions on privacy | Eye in the sky: the billionaires funding a surveillance project above Baltimore | Secret aerial surveillance by Baltimore police stirs outrage | Secret Cameras Record Baltimore’s Every Move From Above | Baltimore police accused of illegal mobile spectrum use with stingrays | Potential FCC Probe of Police Cellphone Trackers Could Serve as Proxy for Congressional Battle]

CA – Vancouver Using Heat-Vision Camera to ID Poorly Insulated Homes

A new pilot project has been announced that will use a heat-vision camera to help Vancouver homeowners cut down on their energy bills. The images will help pinpoint places that heat is escaping, such as poorly insulated doorways, windows and roofs, but won’t show anything that’s happening inside, said Sean Pander, manager of green buildings for Vancouver. “Privacy is well-protected,” Pander said. “[The camera] can’t see anything inside the house, it just sees the surfaces and the temperatures of the surfaces.” .Imaging capturing could start as early as Jan. 15 if the weather is cold and dry enough for the thermal camera, and is expected to last several weeks. Before that begins, however, the city has promised four public information sessions where people can learn more about the program. People can also opt-out if they’re uncomfortable having a thermal image taken of the outside of their home. [Source]

Telecom / TV

US – Google Wins App Data-Sharing Case Against Customer

A U.S. district judge sided with Google in a case between the tech company and a customer alleging it had illicitly shared her information with an app developer. Illinois resident Alice Svenson bought an app designed to convert SMS messages to emails. Svenson alleged Google shared her personal information with the app’s developer, YCDroid, and in doing so, broke its contract by sharing her information with a third party and lessened the value of her personal data. U.S. District Judge Beth Labson Freeman said in her ruling Svenson did not adequately show she had suffered any damages. “Consequently, Svenson has failed to show the existence of a triable issue of material fact with respect to her claim of injury in fact based on diminution in value of her personal information.” Google also successfully argued there was no evidence YCDroid actually viewed Svenson’s data. [MediaPost]

US Legislation

US – Email Privacy Act Reintroduced in Congress

A bipartisan group of lawmakers has reintroduced the Email Privacy Act [see here]. This law would update the 1986 Electronic Communications Privacy Act (ECPA). ECPA is the main statute governing law enforcement access to email. If passed, government agents would have to get a warrant to look at your emails. Current law allows law enforcement and government agencies to obtain your messages from email service providers without a warrant if they are older than 180 days. Federal agencies, which have heavily relied on keeping the old and outdated ECPA law, have also pushed for there to be no changes to the law. Mary Jo White, head of the Securities and Exchange Commission (SEC), has told the head of the Senate Judiciary Committee that the warrant requirement would block the SEC from obtaining digital content from service providers. Therefore, she asked that the government grant the SEC the power to compel email providers without a warrant. By extension, this would also give such agencies as the Internal Revenue Service (IRS) the right to demand your emails from your provider, say Google Gmail or Microsoft Outlook.com, without a warrant. [ZDNet | Bipartisan House Group Re-Introduces Email Privacy Bill | Email Privacy Act Revived for Another House Vote]

US – Washington Bill Prohibits Operators from Flying Over Private Property Without Consent

House Bill 1049, relating to unmanned aircraft, and adding new sections to Chapter 47.68 and Chapter 4.24 of the Revised Code of Washington, was introduced and scheduled for public hearing in the House Committee on Technology & Economic Development. An owner or occupant of the property may bring an action for trespass if the drone has been flown over the property on at least one previous occasion, and the operator has been previously notified that flight over the property is prohibited; damages can be recovered of up to $500 without proof of special damages, or an injunctive relief may be awarded. [House Bill 1049 – An Act Relating to Unmanned Aircraft – 65th Legislature of the State of Washington]

Workplace Privacy

WW – Departing Employees Greatest Threat to Data Protection: Study

The number one data protection problem faced by organizations – cited by 69% – is the loss of data or knowledge suffered when employees leave the company. That is the finding of a new study by IT research and consulting firm, Osterman Research, entitled, “Best Practices for Protecting Your Data When Employees Leave Your Company“. Many of these problems are related to employees actually taking data with them when they depart, or leaving it in locations that are unknown or inaccessible to corporate data managers. [Information Management | How companies can deal with insider data theft | Thousands and thousand of times: a tale of an insider data breach | Heal Thyself: Insider Threats to Heed, Especially for Industries with Large Amounts of Personal Information | Insider Threats Behind a Sharp Rise in Data Theft

WW – Privacy Third-Highest Concern When Employers Surveil Mobiles: Study

A TSheets study of 1,000 employees in various industries “where monitoring is most prevalent” has found a majority of workers are more concerned with how employer snooping affects battery life and data allotment than privacy, Fortune reports. “From a worker perspective, it apparently doesn’t feel like Big Brother is overreaching… According to TSheets, the majority of workers tracked by GPS said the technology gave them greater ability to track mileage and time, more accountability, and ensuring they got paid what they are owed.” Roughly two-thirds of respondents said that GPS tracking “built trust with employers, and promoted efficiency and safety.” [Fortune]

WW – BYOD a Threat to Business: Study

Bring Your Own Device (BYOD); the concept of allowing employees to work in the office or remotely using their own devices, rather than company owned, has been around for a while now and really makes the most of this ‘personal device era’. It’s convenient for employees to use their own devices, reduces burden on IT admin and saves Capex costs for the business. But, could BYOD end up being the company’s biggest threat? According to the Crowd Research Partners BYOD & Mobile Security 2016 Spotlight Report, it finds that: 72% of respondents are concerned with data leakage and loss, 56% with unauthorized access to company data and systems, 52% with downloading unsafe apps or content by users and 52% with malware. The areas of highest concern within the enterprise are: data leakage and loss, unauthorized access to company data and systems, downloading unsafe apps or content and malware. [Unfortunately] there are no universal set of guidelines for employers and employees to work too. But there are some best practices that security experts recommend. [Beta News | Striking the balance between employee productivity and data security | 6 Best Practices for Managing BYOD Technology | How should companies deal with data security when they have a BYOD policy? | BYOD can pose privacy risks to employees | 72 per cent of organisations support BYOD despite privacy and security concerns

+++

 

22 Dec 2016 – 06 Jan 2017

Biometrics

SG – Iris Scans Now a Part of Singaporean Registration Process

The Singapore government has begun collecting iris scans for citizens and permanent residents as part of its registration process. Amendments to the National Registration Act legalized the move, and according to the Ministry of Home Affairs, “was part of efforts to improve the ‘effectiveness and efficiency’ of operations undertaken by the Immigration and Checkpoints Authority.” [ZDNet]

Canada

CA – Security, Spy Agencies Will Follow ‘Letter and Spirit’ of the Law: Trudeau

Prime Minister Justin Trudeau said the government will make sure security and spy agencies obey the country’s laws following concerns the groups have abused the privacy rights of the country’s journalists. Trudeau said the Liberal government will “make sure that our security agencies and intelligence agencies obey the letter and the spirit of the laws that frame them.” The concerns sprung from the revelation of law enforcement agencies tracking the communications of several journalists. Trudeau spoke on the subject as the Liberal government finished a national consultation on federal security policy. [The Canadian Press]

CA – La Presse Asks Court to Stop Warrants Monitoring Journalist

La Presse is asking a court to stop the 24 warrants allowing Montreal’s police force to monitor its reporter, Patrick Lagacé. The newspaper argues the judicial orders were issued to stop leaks rather than as a part of a legitimate investigation. La Presse also states the Montreal police force went further than other law enforcement agencies in history to discover a journalist’s confidential sources. “In this matter, the Montreal Police Service deliberately created a complete registry of telephone communications by a reporter who was not under investigation, giving itself the means to identify all of the confidential sources that he contacted over a period of many months,” La Presse said in its request for judicial review. [The Globe and Mail]

CA – OIPC BC Issues Guidance to Organizations on the Use of Video Monitoring

The Information and Privacy Commissioner of British Columbia has issued guidance to organizations on the use of video surveillance. Video surveillance should only be used as a last resort after other less privacy-invasive alternatives have been exhausted (such as improved workplace supervision and financial controls), and cameras should not monitor private areas such as change rooms, washrooms, or into windows; organizational needs should be regularly reviewed to ensure that using video surveillance is still required for the original purpose, and monitoring should only take place during the time period that meets the specific purpose. [OIPC BC – Guide to Using Overt Video Surveillance] See also: A Minnesota judge has ordered that prosecutors and defense attorneys must follow guidelines of a law classifying police body camera footage as non-public information, with certain exceptions.

CA – Majority of Manitoba Organizations Do Not Offer Data Breach Training

A survey conducted by Manitoba Ombudsman Charlene Paquin found the majority of institutions within the province do not train their staff on handling data breaches. The survey was sent to 238 organizations, including universities, municipalities, health authorities, and boards, but only 118 organizations fully completed the questionnaire. Of those respondents, 78 percent said they do not offer training on what to do during a data breach, while 29% said they have suffered an incident within the last three years. The survey found the most common form of data breaches involved losing paper records, while 24% of respondents said they suffered a breach due to a stolen computer or other device. [CBC News]

CA – OIPC SK Finds Ministry Was Authorized to Collect Personal Information Directly from Third Parties

The Office of the Saskatchewan Information and Privacy Commissioner reviewed a complaint that the Ministry of Social Services allegedly over collected personal information, pursuant to The Saskatchewan Assistance Act; and the Freedom of Information and Privacy Act. The ministry was authorized to collect the bank statement of a social services applicant directly from the bank for the purpose of verifying the eligibility in a government program when the applicant failed to provide the information herself; although appropriate authorization was obtained in a consent form, it is recommended that the ministry analyze the types of information generally required during the application and review process to more clearly define the types of information being collected, and from where it will be collected. [OIPC SK – Investigation Report 212-2016 – Ministry of Social Services]

Consumer

UK – Taskforce Finds Half of UK Kids Agree to Murky Social Media Terms

Children’s Commissioner Anne Longfield’s Growing Up Digital taskforce has found that “almost half” of eight- to 11-year-olds have agreed to “impenetrable” terms of and conditions for social media sites. “The yearlong study found children regularly signed up to terms including waiving privacy rights and allowing the content they posted to be sold around the world, without reading or understanding their implications.” Longfield recommends a special ombudsman for children “to represent their rights to social media companies” as well as an obligatory “digital citizenship program” in all schools for students ages four through 14. [The Guardian] See also: [Office of the Australian Information Commissioner – Teens, Privacy and Social Media]

E-Government

HK – Honest Shanghai App Gives Citizens Public Credit Score

Shanghai’s city government has released a new voluntary app called Honest Shanghai that uses a combination of facial recognition and government data to assign citizens with a “public credit” score. “We want to make Shanghai a global city of excellence,” said Shanghai Municipal Commission of Economy and Informatization’s Shao Zhiqing. “Through this app, we hope our residents learn they’ll be rewarded if they’re honest. That will lead to a positive energy in society.” The app has caused some unease, however. “You’re wrong if I say so,” said Tongji University’s Zhu Dake. “You have bad credit if I say so. Where will this lead? They could easily expand the criteria and start judging people on moral or ideological grounds. They’re using modern technology to create a vision of Orwell’s 1984.” [NPR.org]

CA – CRA Employees Continue to Illicitly Access Confidential Tax Information

Canada Revenue Agency workers are continuing to illicitly access the confidential tax files of businesses, acquaintances and others. The breaches continue despite the CRA spending at least $10.5 million since 2013 to prevent its employees from continuing to access the personal data. CBC News discovered nine major cases since Jan. 1, where tax workers used the government’s electronic records to gather sensitive private information on income, deductions, benefits, payments, and employment. Privacy Commissioner Daniel Therrien wrote in his annual report his office was assured the CRA had implemented nearly all the safeguards it recommended from a 2013 audit. “The agency reports that it has made several important improvements to its management of personal information including introducing new policies, increasing corporate oversight and ensuring more timely assessment of privacy and security risks.” [CBC News]

Encryption

US – Congressional Encryption Working Group 2016 Year-End Report

According to a report from the Encryption Working Group, weakening encryption by requiring backdoors is contrary to the country’s national interest, yet acknowledges law enforcement’s need to access communications for investigations. The Encryption Working group was created when the FBI and Apple were unable to come to an agreement over the government’s demands that Apple decrypt a shooting suspect’s iPhone. It is composed of members of the US House Judiciary Committee and Energy and Commerce Committee. The Encryption Working Group report argued that there isn’t a “one-size-fits-all” solution to whether or not “data encryption should be utilized by organizations or the government.” “There is no ‘us versus them,’ or ‘pro-encryption versus law enforcement,’” the bipartisan study states. “This conversation implicates everyone and everything that depends on connected technologies — including our law enforcement and intelligence communities.  [HealthITSecurity | eWeek | ZDNet | Encryption Working Group Releases Year-End ReportYear-End Report]

US – Not All Federal Agency Websites Have Met HTTPS Migration Deadline

Roughly 30% of federal government agency websites have not yet implemented HTTPS. The Office of Management and Budget (OMB) mandated that “all publicly accessible federal websites and web services” transition to HTTPS by December 31, 2016. Agencies were instructed to prioritize domains that are used to exchange sensitive data or that receive large volumes of traffic. [FCW.com]

EU Developments

EU – CJEU Rules Against ‘General and Indiscriminate’ Data Retention

EU law unequivocally precludes the “general and indiscriminate retention of traffic data and location data.” This is clear following the judgment of the Court of Justice of the European Union in Tele2, which affirms that Court’s previous judgment in Digital Rights Ireland, from 2014. In that judgment, the CJEU held that the EU’s Data Retention Directive was invalid. Some EU member states, such as Sweden and the U.K., then continued to oblige telecommunications providers to generally retain data under their national laws. This week the EU held that such national laws must similarly comply with EU data protection rules and are thus similarly invalid. [IAPP.org]

EU – EU Regulators Say More Big Data Rules May Be Necessary

European Union regulators believe additional rules could be required to examine the growth of big data. EU banking, insurance and market regulators are concerned big data may lead certain customers to become classified as “undesirable” as companies gather more personal information. The regulators launched a public consultation on the benefits and risks of big data for both consumers and financial firms in order to determine if more “regulatory or supervisory” actions are needed. “For example, consumers seeking household insurance for properties located in areas exposed to high risks such as floods, earthquakes or crime may have to pay very high premiums or might not be offered an insurance coverage,” the regulators said in a joint statement. [Reuters]

EU – German Privacy Laws to Obscure Face of Terrorist Suspect in Photo

As Germany searches for the individual who authorities believe is responsible for the terrorist attack on a Christmas market in Berlin, a photo of the suspect has been released by the German media. The photo of the suspect obscures the man’s face, and police have only identified him as “Anis A.” Photos of the suspect appearing in the U.K.’s press, show the man’s face without any form of obstruction. Journalist David Meyer said Germany’s strict privacy laws are the reason why the country’s media outlets have blocked out the suspect’s face, and why only the initial of his surname has been published. Meyer notes German investigators detained an innocent man earlier in the manhunt, leading to more caution when publishing photos. [Fortune]

EU – A Common Risk Identification and Classification System Should Be Developed for Data Protection Impact Assessments

Hunton & Williams examines risk assessments and data protection impact assessments under the General Data Protection Regulation. Organisations must assess the likelihood and severity of risks to individuals associated with processing activities (taking into account the nature, scope, context, and purpose of processing); an identification and classification system should have a repeatable and consistent framework to identify risks in multiple scenarios and over time, include material and non-material harms, and enable organisations to define the scope of risk management. [Risk, High Risk, Risk Assessments and DPI Assessments under the GDPR – Centre for Information Policy Leadership – Hunton and Williams LLP See also: the European Commission published the results of the public consultation on the ePrivacy Directive and a Eurobarometer survey.

Facts & Stats

UK – CFC Underwriting Sees 78% Increase in Data Breach Claims in 2016

CFC Underwriting handled more than 400 claims on its data breach policies in 2016. CFC Underwriting Chief Innovation Officer Graeme Newman said data breach claims were up 78% from 2015. CFC stated the most common types of attacks involve privacy breaches and the theft of cash. Newman said a “disproportionate” amount of claims were made by British firms. “This is largely down to the fact that on the whole, UK businesses have a lower level of security maturity than their US counterparts,” Newman said, who also added 90% of the claims by volume were made by businesses with less than 50 million GBP in revenue. [BBC]

Finance

US – FINRA Fines 12 Financial Institutions $14.4M for Illicit Data Storage

The Financial Industry Regulatory Authority fined 12 financial institutions a total of $14.4 million for improperly storing electronic broker-dealer and customer records. FINRA found the 12 firms did not store the business-related electronic records in a “write once, ready many” format. FINRA’s news release on the penalties stated “each of these 12 firms had WORM deficiencies that affected millions, and in some cases, hundreds of millions, of records pivotal to the firms’ brokerage businesses, spanning multiple systems and categories of records.” The fines ranged from $500,000 to $4 million. “These disciplinary actions are a result of FINRA’s focus on ensuring that firms maintain accurate, complete and adequately protected electronic records,” said FINRA. [Hunton & Williams’ Privacy and Information Security Law Blog]

FOI

CA – OIPC NS Issues Guidelines to Councillors on Disclosure of Municipal Records and Applying Privacy Rules to Personal Information

The Office of the Information and Privacy Commissioner in Nova Scotia has issued guidelines to Councillors on providing access to public records pursuant to the Municipal Government Act and applying privacy rules to personal data. Councillors must understand which municipal records can and cannot be disclosed, as certain reports, minutes and correspondence may be protected from disclosure (such as legal advice, personal information, and confidential business or government information); councillors should use the municipality’s secure email system when conducting municipal business, employ strong passwords (that change regularly and are not shared with others), and encrypt laptops and cellphones. [OIPC NS – Access and Privacy Rules – A Councillor’s Guide Councillor’s Q&A | Brochure]

Health / Medical

US – Majority of Patients Unwilling to Disclose All Medical Information: Survey

A Black Book survey found a majority of patients are skeptical of the use of health IT and are not divulging as much information as they had in the past. Of the 12,090 survey participants, 57% of those who had interacted with technology in a health care setting said they are unsure of the overall benefits of health IT technology. Other findings include 87% of patients were unwilling to disclose all of their medical information in detail during the fourth quarter of 2016, up from the 66% in 2013. The survey revealed 89% of respondents who visited a provider in 2016 withheld health information during visits, with 93% expressing concern regarding the security of their financial information. [Becker’s Hospital Review]

US – FDA Medical Device Postmarket Cybersecurity Guidelines

The U.S. Food and Drug Administration (FDA) has released the final version of security guidance for network-connected medical device manufacturers. The guidelines, which are not mandatory, address post-market cybersecurity issues and are a companion to pre-market guidelines issued in 2014. The FDA believes that “medical device manufacturers should implement a structured and comprehensive program to manage cybersecurity risks,” which would ideally include ensuring a means to monitor and detect vulnerabilities; assessing the risks vulnerabilities pose to patients; establishing a process for vulnerability disclosure; and releasing fixes in a timely fashion.[Govinfosecurity | FDA Postmarket Management of Cybersecurity in Medical Devices]

Identity Issues

CA – Ontario Police No Longer Allowed to ‘Card’ Individuals in Certain Situations

A new law in Canada prohibits Ontario police officers from carding individuals in certain situations. The rule stops officers from collecting identifying information based on a person’s race or presence in a high crime area, or if they are investigating possible criminal activity. The new rule does not apply during traffic stops, executing a warrant, or when an individual is arrested. “These new rules protect the rights of people who are not under investigation while also laying the foundation for more positive, trusting and respectful relationships between police and the public,” said the Ontario Community Safety and Correctional Services Minister. [CBC News]

CA – Mail-Forwarding Fraud Up More Than Seven Times in 2016

The Canadian Anti-Fraud Centre received more than seven times the amount of mail-forwarding fraud complaints in 2016 than in the previous year. The centre handled 479 complaints in 2016, up from 63 in 2015, with centre officials stating the number of complaints are only a fraction of actual fraud activity. Mail-forwarding fraud normally involves an individual impersonating someone and rerouting that person’s mail through Canada Post, either to a different residence or a business address. [CBC News]

US – Massachusetts’ Scanning of ID Cards Raises Privacy Concerns

Privacy advocates are raising concerns about a Massachusetts facial recognition program that uses photos from state-issued driver’s licenses and other ID cards to help law enforcement track down criminals. Those opposed to the practice say the ID scanning is a privacy violation and could lead to false matches that result in investigations of innocent people. Law enforcement agencies in other states are also employing similar programs. “When you go to the DMV to get your license, you do not expect your photo to be part of what has essentially become a law enforcement database used for criminal investigations,” said the ACLU. State officials defended the practice and have said proper measures are in place to address privacy concerns. [The Boston Globe]

US – Privacy Concerns Keeping Maine from Real ID Law Compliance Deadline

Should Maine not comply with the federal Real ID law by Jan. 22, its state licenses will neither function as formal commercial airline nor federal building entrance identification. Maine is one of the five U.S. states to forgo compliance with the law, citing privacy concerns. “This is a tightly aggregated set of data on every single citizen,” said Maine Secretary of State Matthew Dunlap. “That eastern European (Communist Bloc) show-me-your-papers-at-the-border thing, that really turned people off.” Regardless, Democratic Sen. Bill Diamond, is fighting to get the state to comply with the law, as other U.S. states prepare to. “I understand and believe privacy is very important, but we are talking about some minimum standards here.” [Portland Press Herald]

WW – Carnival to Incorporate Smartband Technology on Future Cruises

Carnival Corporation is planning to introduce smartband devices designed to allow customers to customize their vacation. The app, called Ocean Compass, is paired with a small medallion customers can use to pay for food, drinks and merchandise, gamble, and enter rooms without having to remove it from their person. Carnival executives Arnold W. Donald and John Padgett took the idea from a similar system used at Walt Disney World, where they both worked before joining Carnival. Padgett said he expects some customers will have questions regarding the system’s “creepiness factor,” but still expects the majority of visitors to participate. “As long as you benefit the guest, they don’t mind sharing” personal information, Padgett said. [The New York Times]

Law Enforcement

US – Court: Abandoned, Locked Phones Still Have Privacy Protections

A Florida court of appeals ruled abandoned cellphones with a passcode still maintain the user’s privacy expectations. The case involved a teen leaving his phone behind after fleeing a traffic stop. Law enforcement were able to unlock the phone and retrieve information without a warrant. The court determined phones are not locked containers, but are closer to locked houses. Since law enforcement cannot search a locked house without a warrant, the same standards should be held for phones. “While we acknowledge that the physical cell phone in this case was left in the stolen vehicle by the individual, and it was not claimed by anyone at the police station, its contents were still protected by a password, clearly indicating an intention to protect the privacy of all of the digital material on the cell phone or able to be accessed by it,” the court’s ruling stated. [Techdirt | Florida Appeals Court Upholds Decision to Suppress Evidence Obtained By a Warrantless Search of a Cell Phone | State of Florida v. K.C. – No. 4D15-3290 – District Court of Appeal of the State of Florida]

US – Police Ask Amazon for Echo Data in Murder Investigation

Police officers in Arkansas are asking Amazon to produce data from one of the company’s Echo devices for possible evidence in a murder investigation. The police are not sure what information is available on the Echo device, but are hoping for any conversations it may have overheard. The case has raised several privacy concerns. “I think about the fuzzy line of where the privacy of data is out there in the cloud… The question is, will governments or other people be able to access data that you have on request? Will companies comply? How does that work? How does it work in a criminal investigation? Where’s that line — because that’s — that’s the part that is a little mysterious.” MIT Technology Review reports on what Amazon’s role should be in the investigation. [NPR.org]

Location

CA – British Columbia to Allow Drone Use for Search and Rescue

Emergency Management BC approved a pilot program permitting teams across British Columbia to use drones for search and rescue efforts. The drones will be used in situations where helicopters are not available, or the area cannot be reached by aircraft. Coquitlam Search and Rescue Manager Mike Coyle said privacy concerns have limited the widespread use of drones, but the British Columbia privacy commissioner has formally reviewed the drone project. “Even in the wilderness, I think it’s just a way people have seen [drones] as an invasion of privacy,” Coyle said. “Our intent is to just use them to look for missing people in the wilderness and not fly over built up areas, and that’s why I think the privacy commissioner said it’s a good use.” [CBC News]

US – Sen. Franken Asks Uber to Clarify Its Location Data Collection Practices

Sen. Al Franken, D-Minn., has written to Uber requesting it clarify its policies surrounding its storage of users’ location data, “three weeks after the ride-hailing company updated its app to restrict privacy options for sharing location information.” “Franken asked the company to take steps to ‘restore users’ control over their sensitive location information,’ and update its privacy policy to ‘reflect the company’s public assurances and justifications related to the most recent app update,’” in his letter to Uber CEO. He cited “renewed allegations” of Uber employees’ “past abuse of customer data” as part of the reason for his letter. [PCMag]

Online Privacy

WW – Facebook Buying Detailed Data on Users, Advocates Say

ProPublica and other privacy advocates maintain Facebook buys more detailed information about its users from commercial data brokers, such as users’ “income, the types of restaurants they frequent and even how many credit cards are in their wallets.” Facebook doesn’t additionally “show users any of the often remarkably detailed information it gets from those brokers.” The Center for Digital Democracy’s Jeffrey Chester said “Facebook is bundling a dozen different data companies to target an individual customer, and an individual should have access to that bundle as well.” Facebook said “that it doesn’t tell users about the third-party data because it’s widely available and was not collected by Facebook.” [ProPublica]

US – Advocacy groups Ask FTC to Review Google’s Privacy Policy Changes

Consumer Watchdog and Privacy Rights Clearinghouse filed a complaint with the FTC concerning the changes Google made to its privacy policy in June. Google has been able to build profiles of individuals by requesting users to opt-in to the new privacy settings permitting the tech company to merge its browsing history with its search history to generate more personalized ads. The two privacy groups claim the privacy settings violate deceptive- practices laws and a prior FTC order. Google said in a statement it changed the policy “to match the way people use Google today: across many different devices,” and “it is 100% optional — if users do not opt-in to these changes, their Google experience will remain unchanged.” Google also stated it informed regulators around the world about the new policy and incorporated their feedback. [The Wall Street Journal] [In re Google Inc.’s Change in Data Use Policies – Complaint,Request for Investigation, Injunction and Other Relief – Consumer Watchdog and Privacy Rights Clearing House]

Other Jurisdictions

AU – Australian Govt to Extend Data Retention Law to Civil Litigation Information

The Australian Attorney-General’s Department is accepting submissions through 27 Jan., on a government review to potentially extend the Data Retention Act to allow warrantless access of “retained metadata to lawyers acting for clients in civil litigation.” On 13 April, “it will be legally impossible to access data retained by telcos in connection with civil proceedings,” and the government is worried about the potential consequences. However, critics feel this proposed step is one in the wrong direction. “Opening up the data retention scheme to civil matters flies in the face of the government’s claim that it was urgently needed in the fight against terrorism and its assurances that its use would be tightly controlled,” said Internet Australia. [The New Daily | The Australian government is considering making metadata available to courts for civil lawsuits.

US – FTC Settles with Ad-Tech Firm Turn

California-based digital-advertising company Turn has agreed to settle FTC charges that it deceived customers when it used persistent identifiers to track them online and on their mobile apps, even when those customers opted out, according to an FTC press release. The FTC’s complaint and investigation involved Turn’s use of Verizon’s unique, un-deletable identifiers, or so-called “zombie cookies,” and alleged lack of transparency about that use. [IAPP.org]

Privacy (US)

US – LabMD Receives Support in Appeal of FTC Ruling

Several groups have filed amicus briefs in support of LabMD’s appeal against the Federal Trade Commission. The briefs, filed by a group of doctors, cybersecurity professional Gary Miliefsky, TechFreedom, the International Center for Law and Economics, the National Federation of Independent Business Small Business Legal Center, and the National Technology Security Coalition, back the now defunct LabMD, stating the FTC operated outside of its authority when it went after the company for allegedly violating Section 5 of the FTC Act. “I am heartened that leaders from business, healthcare and technology are so supportive of LabMD,” said LabMD President and CEO. “They understand how this case will impact their own compliance efforts.” [SC Magazine]

US – House Committee Presses Congress for Stingray National Standards

The House Oversight and Government Reform Committee released a bipartisan report calling for Congress to pass laws creating national standards for law enforcement’s use of Stingrays. The committee seeks clear rules for government and private entities using the devices, designed to mimic cellphone towers in order to force all phones within range to identify themselves. The report found the Justice Department has 310 devices, while the Department of Homeland Security has 124. Until the standards are created, the committee contends the DOJ and DHS should not fund technology for local law enforcement unless they agree to certain privacy standards. The report concludes the technologies “represent a valuable law enforcement tool, but their domestic use has obvious and serious implications for citizens’ Constitutional rights … There must be a universal and well-understood standard by which these technologies are deployed.” [The Wall Street Journal]

US – Consumer Groups Push Amazon, Wal-Mart to Stop Selling ‘Spying’ Doll

Several consumer groups are asking top retailers such as Amazon and Wal-Mart to stop selling My Friend Cayla due to privacy concerns. The doll, created by Genesis, is designed to listen and respond to children’s questions, and uses a Bluetooth microphone and a mobile app requiring access to a child’s or parent’s devices. The groups are concerned the doll could be compromised by hackers, lead to privacy violations, and other problematic incidents. “My Friend Cayla poses significant security risks that could place children in physical danger,” Campaign for a Commercial-Free Childhood Executive Director Josh Golin wrote in a letter to Amazon CEO Jeff Bezos. “Genesis fails to require basic authentication mechanisms to prevent unauthorized Bluetooth connections between the doll and a smartphone or tablet.” [CBS News]

US – White House Issues Gov’t-Wide Breach Notification Protocols

The U.S. administration may be turning over this month but the Office of Management and Budget is churning out policies even while the boxes are being stuffed with Bubble Wrap. OMB released both a guidance on how government agencies must prepare-for and respond-to data breaches as well as how to comply with the Privacy Act in these modern times. OMB Senior Privacy Advisor Marc Groman said the breach-notification guidance updates a 10-year-old document, revising it to require that agencies take a risk-based approach, and responds to a new, more dangerous threat-landscape. “But it’s important to highlight every breach is different and very context-specific, and therefore the memo must allow for flexibility,” Groman said. [IAPP.org]

US – NYC, Uber Face Off in Privacy Public Hearing

Uber is gearing up to fight against the New York City government in a public hearing on the city’s December-born proposal requiring ride-hailing companies to share more data on their users. “Regulators said it was an effort to combat driver fatigue and help enforce caps of 60 hours a week.” “Uber described the requirement as an invasion of privacy.” Uber has “an obligation to protect our riders’ data, especially in an age when information collected by government agencies like the [NYC Taxi and Limousine Commission] can be hacked, shared, misused or otherwise made public,” said Uber spokeswoman Alix Anfang. The hearing comes on the heels of the company’s own privacy controversy, spurring a letter from Sen. Al Franken, D-Minn. [Bloomberg Technology] See also: [For-hire vehicle base reporting rules a privacy problem, advocates argue in letter]

RFID / IoT

US – FTC Announces IoT Security Challenge

The US FTC is holding a contest that will award a prize of up to USD 25,000 for the best technical solution to Internet of Things (IoT) security for home networks. The tool could be a physical device that connects to a home network and checks for updates for other connected IoT devices; it could also be an app, a cloud-based service, or a user interface. Registration forms will be available on or about March 1, 2017. The deadline for submissions is May 22, 2017; winners will be announced at the end of July 2017. [KrebsonSecurity | Darkreading | FTC.gov: IoT Home Inspector Challenge]

US – OTA Releases Updated IoT Trust Framework

The Online Trust Alliance released a new version of its IoT Trust Framework. The updated framework is designed to help internet-of-things developers, purchasers and retailers develop products, while offering a risk assessment guide. The framework includes 37 principles, including entries on security, user access, and ensuring companies are compliant with the General Data Protection Regulation and the Children’s Online Privacy Protection Act. “Recent IoT attacks like those which compromised hundreds of thousands of connected devices to take websites like Amazon, Twitter and Netflix offline were just a ‘shot across the bow.’ The next incident could create significant safety issues. While most IoT devices are safe and secure, many still lack security safeguards and privacy controls placing users and the Internet at large at risk,” said OTA Executive Director and President Craig Spiezle. [OTA Alliance]

Security

WW – DDoS Attacks, Ransomware Among Biggest Security Threats in 2017

Wired reports on the biggest security threats coming in 2017. The most pressing concerns in the privacy realm include the increased spread and use of ransomware, a growing divide between the intelligence community and President-elect Donald Trump, and another encryption battle between law enforcement and device makers. “It’s only a matter of time until the FBI or other cops make another legal demand that an encryption-maker assist in cracking its protections for users, setting the conflict in motion again.” Cyberattacks will also continue to be a problem in 2017, as more distributed denial of service attacks appear to be on the horizon. [Wired]

US – Cybersecurity Pro: Carelessness Often to Blame for Breaches

Company carelessness is often to blame for breaches, said cybersecurity professional and BitSight Technologies co-founder Stephen Boyer. “A lot of these breaches happen because somebody had a very obvious detail that they overlooked or a well-known vulnerability that was exploited,” he said. “You think about other controls that [companies] need to put in place such as good password control, multifactor authentication. They need to be able to monitor, protect, not only look at their own systems but their supply chain and monitor and watch that very diligently.” For consumers, it doesn’t come down to avoiding smaller businesses and solely working with larger ones, he said. “It’s not necessarily small versus large, it’s just somebody who’s put in the proper protections to protect the consumers.” [CNBC]

WW – Hackers Can Easily Manipulate Travel Booking Systems: Study

Security Research Labs has found that major travel booking systems like Sabre, Amadeus and Travelport lack the ability to authenticate travelers, allowing hackers to easily manipulate or steal travel details via Passenger Name Records. “While the rest of the Internet is debating which second and third factors to use, [global distribution systems] do not offer a first authentication factor,” the researchers said. “Given only passengers’ last names, their bookings codes can be found over the Internet with little effort,” added SRLabs’ Karsten Nohl. Meanwhile, the Guardian reports that the U.S. government has begun requesting select foreign travelers to disclose their social media activities. [Reuters] See also: [Privacy a casualty of password storing on shared devices?]

US – FTC Suing D-Link Over Unsecure Routers and Cameras

The U.S. FTC has initiated legal action against D-Link for “fail[ing] to take steps to protect their routers and IP cameras from widely known and reasonably foreseeable risks of unauthorized access.” The security issues could be exploited to steal information and to spy on consumers. [arstechnica | computerworld | Thehill | Ars Technica: FTC Complaint | FTC.gov]

EU – ‘Find My Phone’ Documentary Uses Decoy Mobile to Spy On Thief

Dutch film student Anthony van der Meer has made a 22-minute documentary, “Find My Phone,” from footage gleaned after downloading security software onto a decoy phone that he got stolen. His inspiration for the film came after having his personal phone pickpocketed and his subsequent frustration with police assistance. “The documentary offers a valuable lesson in cybersecurity (if not also an ethically gray commentary on surveillance).” “Our smartphones often contain our most sensitive data, including photographs, emails and bank information, that can be exploited by thieves in any number of harmful ways.” [The Verge]

UK – EU’s Network and Information Security Directive to Get UK Implementation

The U.K. government will implement the EU’s Network and Information Security Directive, regardless of the Brexit vote. “The NIS Directive sets out measures designed to ensure critical IT systems in central sectors of the economy like banking, energy, health and transport are secure… “It will apply to operators of such ‘essential services’ and to ‘digital service providers.’” EU countries have through 9 May 2018 “to implement the Directive into national law,” and the U.K. government added that it was “considering whether additional regulation might be necessary for critical sectors, including in the context of the NIS Directive due to be implemented in 2018 as well as wider national infrastructure considerations.” [Out-Law.com]

US – NIST Publishes Cyber Attack Recovery Guidebook

The US National Institute of Standards and Technology (NIST) has published the Guide for Cybersecurity Event Recovery. The document describes the two phases of recovery: tactical and strategic. Tactical recovery is based on procedures established prior to a cyber attack; strategic recovery involves identifying lessons learned from the event and using those lessons to plan for recovery from future events. Recovery is one of five aspects of NIST’s Cybersecurity Framework. The others are identification, protection, detection, and response. [Federal News Radio | http://nvlpubs.nist.gov: Guide for Cybersecurity Event Recovery]

US – NIST Publishes Report on Privacy Engineering and Risk Management

The National Institute of Standards and Technology has published its Internal Report 8062, “An Introduction to Privacy Engineering and Risk Management in Federal Systems.” In a blog post announcing the report, the authors describe the report as a “document that we believe hardens the way we treat privacy, moving us one step closer to making privacy more science than art.” They continue: “NISTIR 8062 introduces the concept of applying systems engineering practices to privacy and provides a new model for conducting privacy risk assessments on federal systems.” NIST has a history of providing guidance on information security risk management, “but there is no comparable body of work for privacy.” The guidance attempts to bridge the communications gap between the security and privacy fields “and produce processes that are repeatable and could lead to measurable results.” [NSTIC]

Surveillance

AU – Government Considering Allowing Metadata from Retention Laws

The Australian government is considering making metadata stored under the country’s data retention laws available to courts for civil lawsuits. “The bill itself prohibits the use of the data in civil cases, but it includes the ability for the government to make exceptions — through regulations — for ‘appropriate’ cases… The government tweaked the bill after the parliamentary committee on intelligence and security recommended it include the ability to make a regulation allowing for the data to be used in appropriate civil cases.” Initial critics of the data retention law expressed concern that the government would use it for these purposes. The Attorney-General’s Department is seeking public comment on the potential move until 13 Jan. [iTnews]

WW – Media Sonar Tools Used to Surveil American Protests

An American Civil Liberties Union investigation has found that U.S law enforcement used technology from London, Ontario company Media Sonar to monitor protests. Although the company describes the tool as one that scours social media for public safety threats, the ACLU found that police used it to track hashtags like “#BlackLivesMatter, #DontShoot, #ImUnarmed and #PoliceBrutality, to name a few.” “Law enforcement should not be using tools that treat protesters like enemies,” the ACLU said in a blog post on the issue. “The utter lack of transparency, accountability and oversight is particularly troubling.” [National Post]

Telecom / TV

CA – Quebec Court Finds Cell Phone Data Unlawfully Extracted by Law Enforcement Can Be Admitted at Trial

The search of cell phones involved in a telemarketing fraud scheme used sophisticated forensic methods to scour the devices and extract data (which required specific authorization, separate from the warrant issued to seize and search the phones); the extracted data should not be excluded because law enforcement had grounds to justify the search, specific authorization would have been granted if requested, the search did not go further than what was authorized by the warrant, and the evidence is reliable and pivotal to prove the individuals’ offences. [Kamaldin et al. v. USA – Quebec Superior Court – 2016 QCCS 5818 CanLII]

CA – Court Finds Arrest and Warrantless Search by Law Enforcement Breached Individuals’ Charter Rights

The Supreme Court of Newfoundland and Labrador considers whether evidence obtained by law enforcement breached the Charter rights of Luke Wiseman and Ibrahim Nassar. The arresting officer did not have reasonable grounds to arrest 2 individuals suspected of trafficking a controlled substance (a hunch was relied on which lacked any reference to previous drug activity by the individuals, there was no tip of an imminent drug transaction), the officer could have sought a warrant (the address and phone number of the individuals were on the boxes believed to contain drugs), and the individuals were arrested and the boxes searched in a public parking lot. [HMQ v. Luke Wiseman and Ibrahim Nassar – 2016 CanLII 78004 NL SCTD – Supreme Court of Newfoundland and Labrador]

CA – Yukon IPC Issues Advisory on Ransomware

The Yukon Information and Privacy Commissioner has issued an advisory about ransomware. Preventative measures against ransomware include regularly backing up information and system files, testing those backups, installing internet security software and patches, and educating users about phishing attacks (including how to respond in the event of an attack); during a ransomware attack, the affected device or system should be disconnected from the rest of the network and notification to affected individuals should be considered if the intrusion presents a risk of significant harm. [IPC Yukon – Ransomware Advisory]

US Government Programs

US – US Government Shuts Down Registry for Foreigners

The Department of Homeland Security has announced it is canceling an inactive registry system that would require visitors from countries with extremist groups to participate. Dubbed the National Security Entry-Exit Registration Systems program, it began “a year after the Sept. 11, 2001, al-Qaida attacks on the United States” and “expanded within a year to require registration from visitors from 25 countries, most of them with majority-Muslim populations.” In the years since, “DHS concluded that the program, which was suspended in 2011, was redundant and inefficient and did not provide increased security.” The government will publish the change in the Federal Register on Friday, and the dissolution of the registry “takes effect immediately.” [Reuters]

US Legislation

US – California Ransomware Bill Goes into Effect

A new law that took effect in California on January 1, 2017 punishes conviction of distributing ransomware with a prison sentence of up to four years. In the past, ransomware cases were tried under existing extortion statutes. According to the bill’s sponsor, California State Senator Bob Hertzberg, “This legislation provides prosecutors the clarity they need to charge and convict perpetrators of ransomware.” [SCMagazine | Ars Technica | sd18.senate.ca.gov: Gov. Brown Signs Legislation Punishing Ransomware]

Workplace Privacy

WW – Anonymous Plaintiff Sues Employer Over Confidentiality Agreement

A Google employee has sued the company over its confidentiality agreement, contending that its provisions violate California labor laws. “Rules prohibit employees from writing about potential illegal activity within the company, and even from writing works of fiction based on their experiences there.” “The unnecessary and inappropriate breadth of the policies are intended to control Google’s former and current employees, limit competition, infringe on constitutional rights, and prevent the disclosure and reporting of misconduct,” the lawsuit reads. While the identity of the plaintiff is unknown, a person familiar with the matter said he or she “is the same person who filed a similar complaint with the National Labor Relations Board earlier this year.” Google pledged to fight the suit. [PCMag]

EU – French Employees Win ‘Right to Disconnect’ From Work Emails

A new employment law now requires French companies to guarantee their employees do not need to check their emails after hours. The law states any organization with more than 50 employees will have to define the rights of employees to step away from their smartphones when they are not at work. The goal of the law is to stop burnout, while ensuring work does not intrude on employees’ private lives. “There’s a real expectation that companies will seize on the ‘right to disconnect’ as a protective measure,” said Aristat Director Xavier Zunigo. “At the same time, workers don’t want to lose the autonomy and flexibility that digital devices give them.” [Guardian] See also: Illinois’ amended Right to Privacy in the Workplace Act is now in effect, meaning employers may not request access to prospective employees’ social media accounts.

CA – OIPC AB Finds Society Had Reasonable Purpose and Methods for Conducting Employee Background Check

The Office of the Alberta Information and Privacy Commissioner investigated a complaint against REDI Enterprises Society for the alleged unauthorized collection of personal information (“PI”), in violation of the Personal Information Protection Act. The Society screens for previous criminal activity because employees work with vulnerable individuals, and it seeks to ensure a safe and secure environment for those clients; a written, signed account of prospective employees’ criminal activity is collected (applicants have the choice not to provide this information), and current employees may refuse to provide this information without threat to their employment. [OIPC AB – Order P2016-07 – REDI Enterprises Society]

+++

 

10–21 December 2016

Canada

CA – Make Federal Data Protection And Breach Reporting The Law, Mps Say

A group of MPs is advocating for new legislation requiring federal agencies to properly protect personal data and be required to report breaches in a timely manner. The recommendations come from the Commons Committee on Ethics, Information and Privacy and urge updates to the 33-year old Privacy Act. The committee cited the Health Canada breach in 2013, when 41,000 letters housed in windowed envelopes were sent to recipients taking part in the department’s medical marijuana program. The agency, at the time, did not report the incident to the Office of the Privacy Commissioner of Canada. [CBC]

CA – Op-ed: SCISA Statute Greatly Harms Privacy Rights

In an op-ed for the Toronto Star, former Privacy Commissioner of Ontario Ann Cavoukian and British Columbia Civil Liberties Association Policy Director Michael Vonn speak out against the Security of Canada Information Sharing Act statue within Bill C-51. The SCISA allows personal information to be shared among numerous government entities for analysis if it potentially impacts the country’s security. “There is no question that SCISA is a fiasco from the perspective of Canadians’ privacy rights, leaving only the question of whether it is nonetheless necessary for security. While information sharing is necessary for national security purposes, the previous law already made provisions for that.” “We join every privacy commissioner in the country in saying that no compelling explanation has ever been provided as to why our previous laws were inadequate for national security purposes, let alone why a ‘blowing-open-the-barn-door’ approach is the appropriate remedy.” [The Toronto Star]

CA – Quebec Commissioner Recommends Reforms to the Private Sector Act

The Commission d’accès à l’information has proposed recommendations to the Act respecting the protection of personal information in the private sector. It should be prohibited to collect, use and communicate personal information for any purpose other than medical, scientific or legal purposes, or genetic information for employment-related reasons, and express consent should be required for sensitive data processing (consent can be withdrawn at any time); transfers outside Quebec should be assessed for impacts and risks to personal information protection, and implementation of biometrics should require a risk assessment, storage measures, mandatory destruction of original characteristics, and localized databases. [Important Recommendations From the Quebec Privacy Commissioner on the Protection of Personal Information – Eloise Gratton and Raphael Girard – Borden Ladner Gervais LLP]

CA – Ontario Public Institutions Should Implement RIM Practices to Improve Records Access

The OIPC ON has provided guidance to assist institutions in understanding the relationship between good records and information management practices and the ability to meet obligations under FIPPA and MFIPPA. Information that is appropriately created (through proper classification), managed (by assigning responsibility), stored (using appropriate organizational, technical and physical safeguards), and destroyed (consistent with specific retention schedules) is easier for staff to find and use; access to records will then be processed with greater efficiency (staff time associated with searching for records is reduced, and risks from failing to provide records or meet response timelines are reduced. [OIPC ON – Improving Access and Privacy with Records and Information Management]

CA – OIPC SK Issues Privacy Breach Guidelines for Trustees

The Office of the Saskatchewan Information and Privacy Commissioner has issued guidance to health trustees regarding privacy breaches, pursuant to The Health Information Protection Act. Trustees must contain the breach (cease the unauthorized practice and shut down breached systems), investigate the breach (consider what PHI was involved, who was involved, who is affected, and the root cause), and prevent future breaches (determine additional safeguards and training, and whether a policies and procedures are being followed; when employee snooping is suspected, the employee’s access should be suspended, and an interview given to establish if their login information has been shared or if they regularly log off the account. [OIPC SK – Privacy Breach Guidelines for Trustees]

CA – NWT Supreme Court Finds No Harm from Disclosure of Public Body’s Agreement With Third Party

The Supreme Court of the Northwest Territories considered whether the Department of Industry, Tourism and Investment of the Government of the Northwest Territories erred in deciding to release records related to Deepak International Ltd. Release of monitoring, trademark licence and certification agreements would not harm the third party’s business interests; sensitive business information contained in the agreements was redacted by the public body, and the remaining content does not contain information that could impact the third party’s bargaining position, or result in a foreseeable negative impact or loss. [Deepak International Ltd. v. NWT and Hilary Bird – 2016 NWTSC 66 – Supreme Court of the NWT]

CA – Other Privacy News

Consumer

US – Forrester Offers New Research on Consumer Privacy Expectations

Forrester Principal Analyst Fatemeh Khatibloo discusses how Forrester wanted to create a way for businesses to assess their customers’ feelings toward privacy in order to better implement the privacy frameworks Forrester has created. Khatibloo writes about Forrester’s Consumer Privacy Segmentation, which defined four groups of consumers based on their attitudes and behaviors toward personal data collection and use. The report finds older, less tech-savvy consumers feel helpless to protect their data online, while younger customers tend to hold companies to higher standards. “It turns out that Millennials aren’t as cavalier about their personal data as some people would like to believe. And the moment they hit some key milestones in life — parenthood or homeownership, for example — their privacy attitudes change dramatically. But it’s not just data ethics they care about: they expect the companies they do business with to ‘give back,’ too.” [Forbes]

E-Mail

US – Gmail Scanning Case Reaches Settlement

Google has agreed to change its email processing procedures in order to settle a class action alleging that it scanned non-Gmail users’ messages in violation of state and federal wiretapping laws, The Recorder reports. The Tuesday-released settlement outlines Google’s promise to “eliminate any processing of emails to target ads or build marketing profiles until after messages have arrived in a Gmail users’ inbox” for at least three years, the report states. “Though the technical changes hardly seem to resolve the privacy concerns that spurred the litigation, plaintiffs’ lawyers … deemed them ‘substantial,’“ the report adds. The firms have asked for $2.2 million in fees. U.S. District Judge Lucy Koh, who is overseeing the suit, will either approve or deny the deal. [The Recorder]

Encryption

WW – New Site Checks News and Media Sites’ Use of Encryption

A new website launched by the Freedom of the Press Foundation (FPF), scans media websites and checks for their use of encryption, including their support of HTTPS. FPF’s Secure the News project checks to see if the sites implement encryption by default and whether the sites are susceptible to HTTPS downgrade attacks, in which browsers are tricked into downloading unencrypted versions of the site. Such attacks can be guarded against through the use of the HTTPS Strict Transport Security (HSTS) feature. Just four of the 104 sites listed received an A while 75 received Ds and Fs. [Wired]

WW – Filmmakers and Photojournalists Want Encrypted Cameras

More than 150 documentary filmmakers and photojournalists have signed an open letter from the Freedom of the Press Foundation asking camera makers to add encryption to the still photo and video cameras so that if the devices are stolen or seized by authorities, they will not immediately offer up sensitive information. Most smartphones encrypt stored data by default, and encrypted storage software is readily available for PCs, but cameras lack similar protections. [Wired.com | The Register | CNet.com]

EU Developments

EU – WP29 Releases Guidance on DPOs, Data Portability, One-Stop Shop

The EU’s Article 29 Working Party emerged from its December plenary meeting with a number of GDPR application guidance documents, including explanations for the mandatory DPO role, the mechanisms for data portability, how a “lead authority” to lead the one-stop shop enforcement mechanism will be established, and some notes on enforcement and the EU-U.S. Privacy Shield. The WP29 welcomes comments on the guidance from stakeholders through January 2017. Feedback can be directed to just-article29wp-sec@ec.europa.eu and presidenceg29@cnil.fr. [IAPP.org] [Guidelines on the Right to Data Portability – Working Paper 242]

EU – New France Law Requires Companies with Over 50 Employees to Implement Whistleblower Procedures

The French legislature has approved the Law on Transparency, the Fight against Corruption and Modernization of Economic Life (“Law”): the Law will come into force after publication of an administrative decree. Companies must implement internal alert procedures to allow employees to disclose criminal offenses, serious and obvious violations of an international commitment, and threats or serious risks to the general interest; companies can be liable for a criminal fine of up to €75,000 for restraining employees from alerting about a crime, and up to €50,000 for revealing information that could lead to identification of a whistleblower. [Law No. 2016-1691 of 9 December 2016 on Transparency and the Fight Against Corruption and Modernisation of the Economy Available in French | Related Article]

Facts & Stats

US – 4% of Americans Are Revenge Porn Victims: Report

A report from the Data & Society Research Institute and the Center for Innovative Public Health Research states 4% of internet users in the U.S. have been victims of nonconsensual pornography. The report found 3% of Americans have had someone threaten to post explicit photos of them online, with 2% stating a photo of them was posted online without their permission. The combined total of revenge porn victims equals roughly 10.4 million Americans. “Nonconsensual pornography can have a devastating and lasting impact on victims, so it’s vital that we understand how common this is and who is affected.” [DataSociety.net See also: The first person was sentenced to jail under Oregon’s recently enacted revenge porn law | New South Wales Attorney General Gabrielle Upton has called for national revenge porn law as state version garners support]

WW – 1.6B Records Compromised in 2016: Report

IT Governance has compiled a list of every data breach in 2016, estimating more than 1.6 billion records were compromised. The number is up from the 480 million breached records in 2015. June and November were the two worst months for data breaches in 2016. Voter breaches in June propelled the number of compromised records to 289,150,000, while 456,403,757 records were compromised in November, one of the worst months for security on record. More than 412 million of the records breached in November came from adult websites. [The Daily Dot]

US – Data Breach Insurance Claims Up in 2016

According to data from CFC Underwriting, the company handled more than 400 cyber breach policy claims in 2016. The majority of claims are from cases involving data breaches and money transfer schemes. [Insurers handling ‘hundreds’ of breach claims | The Register: Cyber insurance brokers: If it makes you feel any better, 2016 was not our year either]

Filtering

US – Bill Requires Porn Filters on New Computers

A bill introduced in South Carolina would require companies making and selling computers in that state to install filters to prevent users from accessing porn and other sexual content. The goal is to prevent access to sites facilitating prostitution and human trafficking. The South Carolina House Judiciary Committee will consider the bill when legislators reconvene in January. [New state bill wants to put porn blocks on new computers | South Carolina will debate bill to block porn on new computers]

Finance

US – Banks Finding Middle Ground for Data Portability

Many banks have resisted calls from data aggregators to make users’ financial data portable, a feature favored by many millennials. Banks have argued the practice is filled with risk and can lead to identity theft, but aggregators contend banks oppose the practice because of competition with other banks. According to a new report, some financial institutions are finding a middle ground by partnering with third-party providers that offer consumers some portability options. Wells Fargo is partnering with data-sharing platform Xero for this purpose. “Anytime a customer shares banking credentials, there’s risk involved,” said Wells Fargo’s Brett Mills. “Because of this, it’s imperative we work toward implementing ways to share information with third parties that don’t require our customers to provide their confidential login credentials.” [American Banker]

FOI

US – Google Publishes 21 National Security Letters

Google has released the content of eight National Security letters it received from the FBI between 2010 and 2015. In October, Google received permission from the FBI to publish the documents, which were all accompanied by gag orders when originally issued. The eight letters request information from a total of 21 accounts. [- CSMonitor | – Computer\World |- blog.google: ]

Health / Medical

EU – ENISA Issues Best Practices for Smart Hospitals

ENISA has published a study on information security in EU hospitals, surveying information security officers in more than 10 hospitals across the EU. Hospitals should implement BYOD controls on patient and employee devices, monitor how Internet of Things components interact with medical systems, implement whitelisting for application installation onto the hospital’s system, and ensure high level executives understand the compromise between cyber security measures and the impact on provision of services; industry and the EU should apply medical device regulation to critical infrastructure components, adapt information security standards to healthcare, and involve third parties in testing activities. ENISA – Smart Hospitals | Press Release | ENISA – Smart Hospitals Study]

US – Study: Privacy Concerns Keep Teens and Young Adults from Seeking Sexual Health Assistance

A U.S. National Center for Health Statistics report has found that an estimated 7% of teens and young adults would not seek sexual health assistance due to privacy concerns. “The youngest teens expressed the greatest reluctance… Almost one in five 15- to 17-year-olds said they would not seek that care because their parents could find out. There were also gender-based disparities. While the percentage of females with privacy concerns aged 18-25 and those without differed by 20%, “there were no large differences in the percentages receiving sexual and reproductive services based on confidentiality concerns” for males. “It’s important that we monitor any barriers that youth may experience to obtaining health care,” said the NCHS. [U.S. News & World Report]

US – ONC Creates Contest to Update Model Privacy Notice

The Office of the National Coordinator for Health Information Technology has created a new challenge for health care privacy professionals, software developers, and other stakeholders to enhance the voluntary Model Privacy Notice in order to have them better represent the current mobile health environment. The ONC wants contestants to draw from the existing Model Privacy Notice template “to create an online tool that can generate a user-friendly snapshot of a product’s privacy practices.” The ONC will award $35,000 in prizes and are asking for all entries to be submitted to Challenge.gov by April 10, 2017. [Health Data Management]

US – NGA Releases Report to Help Navigate Medical Privacy Laws

The National Governors Association has released a report designed to help states navigate around conflicting medical privacy laws and policies affecting the flow of health data. The NGA report covers challenges providers face when sharing patient information and highlights examples of states successfully developing strategies for distributing data. Recommendations from the NGA include creating a team of state government officials who have the authority to make policy decisions and an advisory group that can discuss the practical considerations for policy change. The report cites four states the passed legislation to supplant state laws to allow providers and hospitals to share patient information. “There are hundreds and hundreds and hundreds of state medical privacy laws, and the ugly truth is that it’s not possible to comply with all of them” said one attorney. [The Hill]

Horror Stories

WW – Yahoo Confirms 2013 Data Breach Affecting 1B Users, Biggest in History

Following its confirmation of a data breach in 2014 affecting 500 million users, Yahoo said it discovered another cyberattack from 2013, compromising more than 1 billion accounts. Yahoo believes the two incidents are connected and said the breaches are “state-sponsored,” Yahoo CISO Bob Lord wrote in a blog post. The attackers used “forged cookies” to access user accounts without passwords. While using these cookies, hackers could misidentify themselves as the primary user of the account. Yahoo said the compromised information could have possibly included names, email addresses, telephone numbers, dates of births, hashed passwords, and in certain cases, encrypted or unencrypted security questions and answers. Yahoo said no financial information was affected. The company is notifying affected users and asking them to change their passwords. The announcement has prompted Sen. Mark Warner, D-Va., to call for an investigation. [The Guardian | Wired | The Register | ZDnet | Krebsonsecurity]

US – Ashley Madison Settles FTC, State Data Breach Charges

The Federal Trade Commission announced the operators of AshleyMadison.com have agreed to settle FTC and state charges alleging the dating website deceived customers and failed to protect user information following the 2015 data breach affecting 36 million users. Ashley Madison will pay a total of $1.6 million in the settlement and will have to implement a comprehensive data security program, including assessments from third parties. “This case represents one of the largest data breaches that the FTC has investigated to date, implicating 36 million individuals worldwide,” said FTC Chairwoman Edith Ramirez. “The global settlement requires AshleyMadison.com to implement a range of more robust data security practices that will better-protect its users’ personal information from criminal hackers going forward.” [FTC.gov | Press Release | Order]

Identity Issues

US – Virginia State Court Rules License Plate Info is Not Personal Information

A Virginia State court considered cross-motions for summary judgment in a complaint against Defendants Fairfax County Police Department and Colonel Edwin C. Roessler, Jr., Fairfax Chief of Police pursuant to Virginia law. License plate numbers do not refer to an individual person, there is no privacy interest in information that is publicly disclosed (even if such disclosure is required by law), and U.S. case law provides that no Fourth Amendment search has occurred when a law enforcement officer runs a check of a license plate; Virginia may therefore deploy and use automatic license plate readers and subsequently store license plate numbers for 364 days under existing State law. [Harrison Neal v. Fairfax County Police Department et al. – Opinion – Nineteenth Judicial Circuit of Virginia]

EU – DPA Iceland Recommends Government Review Mandatory Disclosure of Personal ID Numbers for Health Purposes

The Icelandic data protection authority addressed a query concerning the proportionality of data collection by the Director of Health pursuant to the Data Protection Act. The Medical Association opposes the Directorate of Health’s ongoing request for extensive identifiable patient data, authorized by law, as disproportionate and unnecessary; the DPA advises that it is the courts (not the government) that must consider the constitutionality of the law, a data subject’s objection to processing under the Data Protection Act should be respected, and the Directorate may wish to examine whether changes to the legislation would be appropriate (in light of public opposition in other Nordic countries to such compelled disclosures. [DPA Iceland – Case No. 2016/766 – Directorate of Health]

US – Differential Privacy Integral to Harvard Privacy Tools Project’s Newest Research

A Harvard’s Privacy Tools Project team is developing a privacy tool that uses differential privacy to both share data like disease diagnoses or political leanings to researchers and protect the privacy of the subjects. “The differential privacy tool that the project is developing is a computational tour de force that achieves anonymity for individuals by introducing random noise into the way statistics about the data are computed… The amount of noise is carefully calibrated to hide the contribution of each individual person, but still reveal larger effects,” said Principal Investigator Salil Vadhan. “And so there is a trade-off… You get greater privacy protection the more noise you introduce.” [Harvard Magazine]

Law Enforcement

US – Federal Appeals Court Upholds Law Enforcement’s Use of GPS for Investigation of Minor at Risk

A federal court considered an appeal by an individual convicted of crimes based on evidence obtained through warrantless GPS tracking. Exigent circumstances involving the potential exploitation of a minor justified the tracking of appellant’s cell phone without a warrant (based on discussions with the minor’s birth mother, foster mother and social worker); there was significant risk of bodily injury as the minor may have been forced into prostitution. [United States of America v. Jabar Gilliam – 2016 U.S. App. LEXIS 21448 – United States Court Of Appeals For The Second Circuit]

Location

US – Congressional Report : Use of Stingrays May Be Unconstitutional

According to a report from the US House Committee on Oversight and Reform, the use of cell site simulators, also known as Stingrays, by law enforcement may be unconstitutional. “Absent proper oversight and safeguards, the domestic use (of Stingrays) may well infringe upon the constitutional rights of citizens to be free from unreasonable searches and seizures.” The report recommends that state and local police follow US Justice Department and Department of Homeland security policies, which require that law enforcement agents obtain a warrant prior to using the surveillance technology. It also asks that state and local law enforcement be forthright with the courts regarding the use of Stingrays. [Stingray use could be unconstitutional, House report finds | House.gov: Law Enforcement Use of Cell-Site Simulation Technologies: Privacy Concerns and Recommendations]

Online Privacy

US – Children Uploading YouTube Videos Poses Potential Issues

There is a growing trend of young children posting their activities online and the issues parents potentially face. Popular YouTube channels featuring children can receive millions of views per video. Those channels could result in millions of dollars in revenue, but children are also exposed to online commenters and channels where creators upload videos featuring popular characters performing adult acts. “For the youngest members of the next generation, sometimes called Generation Z, the line between the online world and real life is fading. Parents are having to explain to their toddlers that the children whose whole lives they see on the screen aren’t actually their friends.” [Washington Post]

WW – 45% Don’t Have Expectation of Privacy Online: Study

Auckland University of Technology’s 2015 World Internet Project in New Zealand survey has found that 45% of the 1,377 respondents do not believe privacy exists online. 11% of the surveyed said they had their privacy violated online. A University of Auckland professor in computer sciences thinks the responses indicate a changing attitude about what privacy means on the internet. “They’re shifting so rapidly now… I think many people are starting to become aware of the risks but don’t accept privacy has gone, it’s just that the boundaries are different.” [Stuff.cco.nz]

US – Twitter to Limit What’s Shared With Government Fusion Centers

In an ongoing effort to curb the amount of law enforcement access to its users, Twitter announced it will no longer provide government intelligence centers — also known as fusion centers — access to tools that can be used for bulk surveillance. Dataminr, a company partially owned by the social network, granted law enforcement access to real-time feeds of public posts and tools for filtering the content. Twitter’s decision comes after an ACLU of Northern California investigation found law enforcement used the tool to track activists and protests. [Mashable]

WW – Twitter Terminates Partnership With Third Surveillance Firm

Following its decision to terminate its contracts with Geofeedia and Snaptrends, Twitter has cut ties with a third social network surveillance firm. Twitter stopped Media Sonar from accessing its public API in October. Media Sonar is known for selling surveillance software to police departments across the U.S. Twitter’s partnership with Media Sonar was finished after it was discovered the surveillance firm was encouraging police departments to observe African-American protesters. The social media network ended its relationship with Geofeedia and Snaptrends for similar actions. Twitter said if Media Sonar attempts to create any other API keys, it will delete those as well, and will take further action against the firm. [Daily Dot]

Privacy (US)

US – FTC Releases Agenda for Second Annual Privacycon

The Federal Trade Commission released the agenda for PrivacyCon 2017. The event, taking place in Washington on Jan. 12, is designed to join together leaders from academia, research, consumer advocacy, and industry to discuss the privacy and security implications of new technologies. The public forum will cover five major topics, including the internet of things and big data, mobile privacy, consumer privacy expectations, online behavioral advertising, and information security. PrivacyCon will feature 18 research presentations on consumer privacy and security issues and a closing panel moderated by FTC Bureau of Consumer Protection Director Jessica Rich. [FTC.gov] See also: [FTC organizing privacy researcher meet up in January]

US – Cybersecurity Challenges at the US State Level

A study from the Pell Center for International Relations and Public Policy last year found that of the eight most populous US states, none was “cyber ready,” or adequately equipped to defend its systems against and recover from cyber attacks. A September 2016 study from Deloitte-NASCIO found that while some states are gaining a keener awareness of the importance of cybersecurity, the systems that states have been introducing in the name of helping constituents actually introduce additional cyber risks. [Are states ill-equipped to manage cybersecurity?: | State of the States on Cybersecurity (November 2015) | 2016 Deloitte-NASCIO Cybersecurity Study]

US – Evernote Backtracks on Changes to Privacy Policy After Outcry

Evernote, a popular note-taking app, has announced it will hold off on changes to its privacy policy after users and the media started raising privacy concerns. The proposed change would have allowed employees to read users’ notes to help train the company’s machine learning algorithms. At first, the company defended the changes, but, in a written statement, Evernote CEO later said, “We announced a change to our privacy policy that made it seem like we didn’t care about the privacy of our customers or their notes. This was not our intent, and our customers let us know that we messed up, in no uncertain terms. We heard them, and we’re taking immediate action to fix it.” [PCWorld]

WW – Evernote Changes Policy: Employee to Review User Notes

In a blog post, Evernote said it would have employees reading user notes beginning in early 2017, as a way to ensure its machine learning technologies were functioning properly. While its “computer systems do a pretty good job, sometimes a limited amount of human review is simply unavoidable in order to make sure everything is working exactly as it should.” While the company announced various controls for the process, many customers are frustrated with the changes. While there was speculation the move may be connected to Evernote’s adoption of Google’s cloud computing service, the company denied it. “We want to improve the service and see the advent and availability of many machine learning tools as very promising.” [Fortune]

US – Journal of Intellectual Freedom and Privacy’s First Issue Available

The American Library Association’s Office for Intellectual Freedom has released the first issue of its official publication, the Journal of Intellectual Freedom and Privacy. “JIFP is an expansion of The Newsletter on Intellectual Freedom, published between 1952 and 2015… Ever mindful of serials librarians’ woes, we hereby state that this new publication is a continuation of NIF, but begun over with vol. 1, no. 1.” The journal includes news, features, reviews and an editorial section, and is available in PDF format on the ALA’s website. [ALA.org]

US – Court Grants FTC Order Penalizing Data Brokers for Selling Consumer PI

This Court order settled FTC allegations that Corporate Defendants Sequoia One and Gen X Marketing unfairly sold consumer personal information in violation of the FTC Act. The 2 companies obtained PI from consumers who thought they were applying for payday loans online, and then sold the PI to a scam that withdrew funds from consumers’ bank accounts without their consent; Defendants must pay $45,000 (at which point the remainder of a $7.1 million judgment will be suspended), and are prohibited from disclosing sensitive (financial) PI, and making misrepresentations relating to financial products and services. [Federal Trade Commission v. Sequoia One, LLC, et al. – Default Judgment and Order for Permanent Injunction as to Defendants Sequoia One, LLC and Gen X Marketing Group, LLC – United States District Court District Of Nevada | Press Release | Judgment]

US – Other Privacy News

Privacy Enhancing Technologies (PETs)

US – NIST Seeks Tech Collaborators for Privacy-Enhanced ID Project

The National Cybersecurity Center of Excellence, a public-private collaborative initiative under the National Institute of Standards and Technology, has announced it is seeking technology collaborators for a privacy-enhanced identity federation project. The new project will analyze how privacy-enhancing technologies can be implemented within identity federation solutions to help maintain the privacy of users and organizations. The goal of the project is to produce a NIST Cybersecurity Practice Guide, which will be publicly available and include “practical steps needed to implement a cybersecurity reference design,” the NCCoE website states. Questions or suggestions for the project can be sent to petid-nccoe@nist.gov. [NCCOE] [Federal Register Notice | Privacy-Enhanced Identity Federation project description.

Security

WW – 42% of Companies Do Not Have Cyberattack Communications Plans

An EY report finds many companies do not have a plan for communicating with the public following a cyberattack. EY’s annual Global Information Security Survey revealed 50% of the 1,735 participating organizations said they were confident they could detect an attack, but 42% did not have a communications strategy in place if an attack took place. Another 48% said they would not notify impacted customers within the first week. “It’s imperative to address if any weaknesses or failures in the recovery plans become known, because the longer these problems continue, the worse the situation will get. In fact, many of the proposed regulations or laws around reporting of cyberattacks say that companies must notify customers within a certain number of days,” said the report’s author. Blanco Technology Group released a report revealing delays companies face in breach detection and notification and the regulatory challenges this causes for data protection. [CNBC]

Smart Cars / IoT

US – FTC, FCC to Focus on IoT Security in 2017

The Federal Trade Commission and the Federal Communications Commission will focus on internet-of-things security in 2017. The agencies commitment to IoT security comes after the massive DDoS attack affecting large parts of the United States this past October. “As we see the rise of mobile and the internet of things, we’re seeing a multiplicity of actors in the ecosystem,” said the FTC, “There’s going to be a lot of questions about the liability of these various actors.” [AdExchanger]

US – DOT Proposed Rules Would Require Cars to Share Information

The Department of Transportation has proposed a new set of rules requiring the auto industry to have technology allowing vehicles to share information with one another. The National Highway Traffic Safety Administration said the plans could reduce 80% of non-impaired crashes, but privacy advocates are concerned about the plans. “Vehicle-to-vehicle communications must be secure as Fort Knox,” said a the Consumer Union. “Automakers must be required to meet baseline, enforceable standards to protect both privacy and security as they roll out this technology. Communications should be protected through strong encryption, and security measures should be seamlessly updated so that consumers don’t have to worry about getting into a crash because their car has been hacked.” Sens. Edward J. Markey, D-Mass., and Richard Blumenthal, D-Conn., are pressing the DOT to implement strong cybersecurity and privacy protections before the rules are implemented. [Consumer Reports]

US – Study: Privacy Safeguards for Wearable Devices Are Insufficient

A study from the Center for Digital Democracy and the School of Communication at American University states the growing wearable device market raises a number of privacy concerns. Wearable manufacturers collect large amounts of personal data and share the information with other companies. The study finds existing privacy laws do not normally apply to wearable manufacturers, and the “weak and fragmented” U.S. health privacy regulatory system does not give consumers proper privacy safeguards. “Many of these devices are already being integrated into a growing Big Data digital health and marketing ecosystem, which is focused on gathering and monetizing personal and health data in order to influence consumer behavior,” the study says. [PC World]

SG –’City Brain’ Tech to Make Singapore an Internet of Things-Powered Hub

Singapore’s plan to embrace “city brain” technology, utilizing 100 million smart objects in five years, is both groundbreaking and rife with privacy questions. “In theory, a city brain could be used by municipal administrators to check on a wide variety of conditions,” such as weather, elderly housing and transportation issues, the report states. The program may additionally use “the estimated five million smartphones carried by Singaporeans” to make it happen. “Of course, there will be loss of privacy or, worst case, the chance of data being hacked,” said Gartner. “This is not just a Singapore problem; it’s a global problem… any government must still enforce certain laws to prevent misuse.” [Computerworld]

Surveillance

US – U.S. to Release Estimate of Americans Monitored Under Surveillance

A letter from U.S. lawmakers states the country’s intelligence community is planning to disclose the number of American citizens whose electronic communications have been intercepted through online surveillance programs designed for foreigners. The letter, sent to National Intelligence Director James Clapper, said the estimate was requested by the U.S. House of Representatives Judiciary Committee and should be released publicly as early as next month. The estimate would come as Congress is expected to commence the debate over whether to revamp the surveillance provision Section 702, which was added to the Foreign Intelligence Surveillance Act in 2008 and is set to expire Dec. 31, 2017. “ [Reuters]

US – Ex-Employees Claim Uber Continues Unauthorized Surveillance

After stating it had policies preventing employees from accessing trip and geolocation information, five former Uber security professionals reveal the company continued to allow its workers to access sensitive information. The revelation comes two years after Uber was first found using its internal “God View” to track users’ whereabouts in real time without permission. Some of the most recent allegations state Uber deleted files it was legally obligated to hold onto and for encrypting files during law enforcement investigations in its foreign offices. In response to the report, Uber’s Chief Information Security Officer sent an email to the company’s staff reminding them of their privacy obligations. [Reveal News]

Telecom / TV

US – FTC Publishes Do Not Call Registry Data Book for 2016

The Federal Trade Commission has released its National Do Not Call Registry Data Book for Fiscal Year 2016. “Now in its eighth year of publication, the Data Book contains a wealth of information about the Registry for FY 2016 (from October 1, 2015 to September 30, 2016), including: State rankings for National Do Not Call registry” as well as “the number of active registrations and consumer complaints since the Registry began in 2003.” The Data Book states that the Registry contained more than 226 million registered numbers at the end of the 2016 fiscal year, an increase from the 223 million reported at the end of fiscal year 2015. The Florida Record reports. [FTC.gov]

US Government Programs

US – Court of Appeals Upholds Warrantless FISA Surveillance of US National

Mohamed Osman Mohamud appealed from his conviction from use of weapons of mass destruction, in violation of 18 U.S.C. § 2332a(a)(2)(A). Acquisition of the individual’s email communications was lawful, since it resulted from contact with a foreign national being targeted for promoting terrorism (warrantless surveillance of non US persons is permitted); even if a warrant was required, the government’s search of the individual’s emails was reasonable since US persons have a limited expectation of privacy in information revealed to a third party, and applicable FISA procedures to safeguard the individual’s privacy interests were followed. [USA v. Mohamed Osman Mohamud – Opinion – US Court of Appeals for the Ninth Circuit]

US – California Educational Tech Providers Cannot Sell or Disclose Student Information

The Future of Privacy Forum provides an overview of obligations under the California Student Online Personal Information Protection Act. Providers that design and market sites, services and applications used primarily for K-12 school purposes can use student data to conduct legitimate research, and use deidentified information for product improvement, marketing and development; providers cannot sell or disclose student information (except for legal purposes, user safety, for K-12 school purposes), use student information to amass a profile, or use student information to engage in targeted advertising. [FPF Guide to Protecting Student Data Under SOPIPA – For K-12 Administrators and Ed Tech Vendors]

Workplace Privacy

US – Hiring Algorithms Are Not Neutral Sources: Op-Ed

In an op-ed for the Harvard Business Review, Gideon Mann and Cathy O’Neil explain why using algorithms in human resource departments cannot be considered a neutral source. Algorithms are created to mimic human decision making, meaning existing biases will become part of their makeup. “In other words, algorithms are not neutral. When humans build algorithmic screening software, they may unintentionally determine which applicants will be selected or rejected based on outdated information — going back to a time when there were fewer women in the workforce, for example — leading to a legally and morally unacceptable result.” The authors offer suggestions for working around this flaw, including ensuring hiring decisions aren’t based solely on algorithms, and conducting reviews to remove any hiring trends possibly appearing to be biased. [HBR.org]

US – Companies Look to Publicly Report Employees’ Health

A group of companies, including IBM, PepsiCo and Johnson & Johnson are working to find a way to publicly report and measure the health of their employees. The ratings, currently under consideration by a coalition of employers and insurers called the Health Metrics Working Group, would offer shareholders and other high ranking company officials a look into a company’s efforts to improve employee health and whether the efforts are working. The health information will be presented in the aggregate in order to comply with health privacy laws. “All the working group members support the concept of reporting on employee health metrics, but if and how that gets implemented will vary quite widely.” [The Wall Street Journal]

+++